package io.trino.server.ui;

import com.google.common.base.MoreObjects;
import com.google.common.collect.ImmutableSet;
import io.airlift.log.Logger;
import io.trino.server.ServletSecurityUtils;
import io.trino.server.security.UserMapping;
import io.trino.server.security.UserMappingException;
import io.trino.server.security.oauth2.ChallengeFailedException;
import io.trino.server.security.oauth2.ForRefreshTokens;
import io.trino.server.security.oauth2.OAuth2CallbackResource;
import io.trino.server.security.oauth2.OAuth2Client;
import io.trino.server.security.oauth2.OAuth2Config;
import io.trino.server.security.oauth2.OAuth2Service;
import io.trino.server.security.oauth2.TokenPairSerializer;
import io.trino.spi.security.BasicPrincipal;
import io.trino.spi.security.Identity;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import javax.inject.Inject;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;

/* loaded from: input_file:io/trino/server/ui/OAuth2WebUiAuthenticationFilter.class */
public class OAuth2WebUiAuthenticationFilter implements WebUiAuthenticationFilter {
    private static final Logger LOG = Logger.get(OAuth2WebUiAuthenticationFilter.class);
    private final String principalField;
    private final OAuth2Service service;
    private final OAuth2Client client;
    private final TokenPairSerializer tokenPairSerializer;
    private final Optional<Duration> tokenExpiration;
    private final UserMapping userMapping;
    private final Optional<String> groupsField;

    @Inject
    public OAuth2WebUiAuthenticationFilter(OAuth2Service oAuth2Service, OAuth2Client oAuth2Client, TokenPairSerializer tokenPairSerializer, @ForRefreshTokens Optional<Duration> optional, OAuth2Config oAuth2Config) {
        this.service = (OAuth2Service) Objects.requireNonNull(oAuth2Service, "service is null");
        this.client = (OAuth2Client) Objects.requireNonNull(oAuth2Client, "client is null");
        this.tokenPairSerializer = (TokenPairSerializer) Objects.requireNonNull(tokenPairSerializer, "tokenPairSerializer is null");
        this.tokenExpiration = (Optional) Objects.requireNonNull(optional, "tokenExpiration is null");
        this.userMapping = UserMapping.createUserMapping(oAuth2Config.getUserMappingPattern(), oAuth2Config.getUserMappingFile());
        this.principalField = oAuth2Config.getPrincipalField();
        this.groupsField = (Optional) Objects.requireNonNull(oAuth2Config.getGroupsField(), "groupsField is null");
    }

    public void filter(ContainerRequestContext containerRequestContext) {
        String path = containerRequestContext.getUriInfo().getRequestUri().getPath();
        if (path.equals("/ui/disabled.html")) {
            return;
        }
        if (!containerRequestContext.getSecurityContext().isSecure()) {
            if (path.startsWith("/ui/api/")) {
                ServletSecurityUtils.sendWwwAuthenticate(containerRequestContext, "Unauthorized", ImmutableSet.of("Trino-Form-Login"));
                return;
            } else {
                containerRequestContext.abortWith(Response.seeOther(FormWebUiAuthenticationFilter.DISABLED_LOCATION_URI).build());
                return;
            }
        }
        Optional<TokenPairSerializer.TokenPair> tokenPair = getTokenPair(containerRequestContext);
        Optional<U> flatMap = tokenPair.filter(this::tokenNotExpired).flatMap(this::getAccessTokenClaims);
        if (flatMap.isEmpty()) {
            needAuthentication(containerRequestContext, tokenPair);
            return;
        }
        try {
            Object obj = ((Map) flatMap.get()).get(this.principalField);
            if (!isValidPrincipal(obj)) {
                LOG.debug("Invalid principal field: %s. Expected principal to be non-empty", new Object[]{this.principalField});
                ServletSecurityUtils.sendErrorMessage(containerRequestContext, Response.Status.UNAUTHORIZED, "Unauthorized");
                return;
            }
            String str = (String) obj;
            Identity.Builder forUser = Identity.forUser(this.userMapping.mapUser(str));
            forUser.withPrincipal(new BasicPrincipal(str));
            this.groupsField.flatMap(str2 -> {
                return Optional.ofNullable((List) ((Map) flatMap.get()).get(str2));
            }).ifPresent(list -> {
                forUser.withGroups(ImmutableSet.copyOf(list));
            });
            ServletSecurityUtils.setAuthenticatedIdentity(containerRequestContext, forUser.build());
        } catch (UserMappingException e) {
            ServletSecurityUtils.sendErrorMessage(containerRequestContext, Response.Status.UNAUTHORIZED, (String) MoreObjects.firstNonNull(e.getMessage(), "Unauthorized"));
        }
    }

    private Optional<TokenPairSerializer.TokenPair> getTokenPair(ContainerRequestContext containerRequestContext) {
        try {
            Optional<String> read = OAuthWebUiCookie.read((Cookie) containerRequestContext.getCookies().get(OAuthWebUiCookie.OAUTH2_COOKIE));
            TokenPairSerializer tokenPairSerializer = this.tokenPairSerializer;
            Objects.requireNonNull(tokenPairSerializer);
            return read.map(tokenPairSerializer::deserialize);
        } catch (Exception e) {
            LOG.debug(e, "Exception occurred during token pair deserialization");
            return Optional.empty();
        }
    }

    private boolean tokenNotExpired(TokenPairSerializer.TokenPair tokenPair) {
        return tokenPair.getExpiration().after(Date.from(Instant.now()));
    }

    private Optional<Map<String, Object>> getAccessTokenClaims(TokenPairSerializer.TokenPair tokenPair) {
        return this.client.getClaims(tokenPair.getAccessToken());
    }

    private void needAuthentication(ContainerRequestContext containerRequestContext, Optional<TokenPairSerializer.TokenPair> optional) {
        Optional<U> flatMap = optional.flatMap((v0) -> {
            return v0.getRefreshToken();
        });
        if (flatMap.isPresent()) {
            try {
                redirectForNewToken(containerRequestContext, (String) flatMap.get());
                return;
            } catch (Exception e) {
                LOG.debug(e, "Tokens refresh challenge has failed");
            }
        }
        handleAuthenticationFailure(containerRequestContext);
    }

    private void redirectForNewToken(ContainerRequestContext containerRequestContext, String str) throws ChallengeFailedException {
        OAuth2Client.Response refreshTokens = this.client.refreshTokens(str);
        containerRequestContext.abortWith(Response.seeOther(containerRequestContext.getUriInfo().getRequestUri()).cookie(new NewCookie[]{OAuthWebUiCookie.create(this.tokenPairSerializer.serialize(TokenPairSerializer.TokenPair.fromOAuth2Response(refreshTokens)), (Instant) this.tokenExpiration.map(duration -> {
            return Instant.now().plus((TemporalAmount) duration);
        }).orElse(refreshTokens.getExpiration()))}).build());
    }

    private void handleAuthenticationFailure(ContainerRequestContext containerRequestContext) {
        if (containerRequestContext.getUriInfo().getRequestUri().getPath().startsWith("/ui/api/")) {
            ServletSecurityUtils.sendWwwAuthenticate(containerRequestContext, "Unauthorized", ImmutableSet.of("Trino-Form-Login"));
        } else {
            startOAuth2Challenge(containerRequestContext);
        }
    }

    private void startOAuth2Challenge(ContainerRequestContext containerRequestContext) {
        containerRequestContext.abortWith(this.service.startOAuth2Challenge(containerRequestContext.getUriInfo().getBaseUri().resolve(OAuth2CallbackResource.CALLBACK_ENDPOINT), Optional.empty()));
    }

    private static boolean isValidPrincipal(Object obj) {
        return (obj instanceof String) && !((String) obj).isEmpty();
    }
}
