package io.trino.server.security.oauth2;

import com.nimbusds.jose.KeyLengthException;
import io.airlift.units.Duration;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.Jwts;
import io.trino.server.security.oauth2.OAuth2Client;
import io.trino.server.security.oauth2.TokenPairSerializer;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.time.Clock;
import java.time.Instant;
import java.time.ZoneId;
import java.time.ZonedDateTime;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Base64;
import java.util.Calendar;
import java.util.Date;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import org.assertj.core.api.Assertions;
import org.testng.annotations.DataProvider;
import org.testng.annotations.Test;

/* loaded from: input_file:io/trino/server/security/oauth2/TestJweTokenSerializer.class */
public class TestJweTokenSerializer {

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:io/trino/server/security/oauth2/TestJweTokenSerializer$Oauth2ClientStub.class */
    public static class Oauth2ClientStub implements OAuth2Client {
        private final Map<String, Object> claims = (Map) Jwts.claims().subject("user").build();

        Oauth2ClientStub() {
        }

        public void load() {
        }

        public OAuth2Client.Request createAuthorizationRequest(String str, URI uri) {
            throw new UnsupportedOperationException("operation is not yet supported");
        }

        public OAuth2Client.Response getOAuth2Response(String str, URI uri, Optional<String> optional) {
            throw new UnsupportedOperationException("operation is not yet supported");
        }

        public Optional<Map<String, Object>> getClaims(String str) {
            return Optional.of(this.claims);
        }

        public OAuth2Client.Response refreshTokens(String str) {
            throw new UnsupportedOperationException("operation is not yet supported");
        }

        public Optional<URI> getLogoutEndpoint(Optional<String> optional, URI uri) {
            return Optional.empty();
        }
    }

    /* loaded from: input_file:io/trino/server/security/oauth2/TestJweTokenSerializer$TestingClock.class */
    private static class TestingClock extends Clock {
        private Instant currentTime = ZonedDateTime.of(2022, 5, 6, 10, 15, 0, 0, ZoneId.systemDefault()).toInstant();

        private TestingClock() {
        }

        @Override // java.time.Clock
        public ZoneId getZone() {
            return ZoneId.systemDefault();
        }

        @Override // java.time.Clock, java.time.InstantSource
        public Clock withZone(ZoneId zoneId) {
            return this;
        }

        @Override // java.time.Clock, java.time.InstantSource
        public Instant instant() {
            return this.currentTime;
        }

        public void advanceBy(Duration duration) {
            this.currentTime = this.currentTime.plus(duration.toMillis(), (TemporalUnit) ChronoUnit.MILLIS);
        }
    }

    @Test
    public void testSerialization() throws Exception {
        JweTokenSerializer jweTokenSerializer = tokenSerializer(Clock.systemUTC(), Duration.succinctDuration(5.0d, TimeUnit.SECONDS), randomEncodedSecret());
        Date time = new Calendar.Builder().setDate(2022, 6, 22).build().getTime();
        TokenPairSerializer.TokenPair deserialize = jweTokenSerializer.deserialize(jweTokenSerializer.serialize(TokenPairSerializer.TokenPair.withAccessAndRefreshTokens("access_token", time, "refresh_token")));
        Assertions.assertThat(deserialize.accessToken()).isEqualTo("access_token");
        Assertions.assertThat(deserialize.expiration()).isEqualTo(time);
        Assertions.assertThat(deserialize.refreshToken()).isEqualTo(Optional.of("refresh_token"));
    }

    @Test(dataProvider = "wrongSecretsProvider")
    public void testDeserializationWithWrongSecret(String str, String str2) {
        Assertions.assertThatThrownBy(() -> {
            assertRoundTrip(Optional.ofNullable(str), Optional.ofNullable(str2));
        }).isInstanceOf(RuntimeException.class).hasMessageContaining("decryption failed: Tag mismatch");
    }

    /* JADX WARN: Type inference failed for: r0v1, types: [java.lang.Object[], java.lang.Object[][]] */
    @DataProvider
    public Object[][] wrongSecretsProvider() {
        return new Object[]{new Object[]{randomEncodedSecret(), randomEncodedSecret()}, new Object[]{randomEncodedSecret(16), randomEncodedSecret(24)}, new Object[]{null, null}, new Object[]{null, randomEncodedSecret()}, new Object[]{randomEncodedSecret(), null}};
    }

    @Test
    public void testSerializationDeserializationRoundTripWithDifferentKeyLengths() throws Exception {
        for (int i : new int[]{16, 24, 32}) {
            String randomEncodedSecret = randomEncodedSecret(i);
            assertRoundTrip(randomEncodedSecret, randomEncodedSecret);
        }
    }

    @Test
    public void testSerializationFailsWithWrongKeySize() {
        for (int i : new int[]{8, 64, 128}) {
            String randomEncodedSecret = randomEncodedSecret(i);
            Assertions.assertThatThrownBy(() -> {
                assertRoundTrip(randomEncodedSecret, randomEncodedSecret);
            }).hasStackTraceContaining("Secret key size must be either 16, 24 or 32 bytes but was " + i);
        }
    }

    private void assertRoundTrip(String str, String str2) throws Exception {
        assertRoundTrip(Optional.of(str), Optional.of(str2));
    }

    private void assertRoundTrip(Optional<String> optional, Optional<String> optional2) throws Exception {
        JweTokenSerializer jweTokenSerializer = tokenSerializer(Clock.systemUTC(), Duration.succinctDuration(5.0d, TimeUnit.SECONDS), optional);
        JweTokenSerializer jweTokenSerializer2 = tokenSerializer(Clock.systemUTC(), Duration.succinctDuration(5.0d, TimeUnit.SECONDS), optional2);
        TokenPairSerializer.TokenPair withAccessAndRefreshTokens = TokenPairSerializer.TokenPair.withAccessAndRefreshTokens(randomEncodedSecret(), new Calendar.Builder().setDate(2023, 6, 22).build().getTime(), randomEncodedSecret());
        Assertions.assertThat(jweTokenSerializer2.deserialize(jweTokenSerializer.serialize(withAccessAndRefreshTokens))).isEqualTo(withAccessAndRefreshTokens);
    }

    @Test
    public void testTokenDeserializationAfterTimeoutButBeforeExpirationExtension() throws Exception {
        TestingClock testingClock = new TestingClock();
        JweTokenSerializer jweTokenSerializer = tokenSerializer(testingClock, Duration.succinctDuration(12.0d, TimeUnit.MINUTES), randomEncodedSecret());
        Date time = new Calendar.Builder().setDate(2022, 6, 22).build().getTime();
        String serialize = jweTokenSerializer.serialize(TokenPairSerializer.TokenPair.withAccessAndRefreshTokens("access_token", time, "refresh_token"));
        testingClock.advanceBy(Duration.succinctDuration(10.0d, TimeUnit.MINUTES));
        TokenPairSerializer.TokenPair deserialize = jweTokenSerializer.deserialize(serialize);
        Assertions.assertThat(deserialize.accessToken()).isEqualTo("access_token");
        Assertions.assertThat(deserialize.expiration()).isEqualTo(time);
        Assertions.assertThat(deserialize.refreshToken()).isEqualTo(Optional.of("refresh_token"));
    }

    @Test
    public void testTokenDeserializationAfterTimeoutAndExpirationExtension() throws Exception {
        TestingClock testingClock = new TestingClock();
        JweTokenSerializer jweTokenSerializer = tokenSerializer(testingClock, Duration.succinctDuration(12.0d, TimeUnit.MINUTES), randomEncodedSecret());
        String serialize = jweTokenSerializer.serialize(TokenPairSerializer.TokenPair.withAccessAndRefreshTokens("access_token", new Calendar.Builder().setDate(2022, 6, 22).build().getTime(), "refresh_token"));
        testingClock.advanceBy(Duration.succinctDuration(20.0d, TimeUnit.MINUTES));
        Assertions.assertThatThrownBy(() -> {
            jweTokenSerializer.deserialize(serialize);
        }).isExactlyInstanceOf(ExpiredJwtException.class);
    }

    @Test
    public void testTokenDeserializationWhenNonJWETokenIsPassed() throws Exception {
        TokenPairSerializer.TokenPair deserialize = tokenSerializer(new TestingClock(), Duration.succinctDuration(12.0d, TimeUnit.MINUTES), randomEncodedSecret()).deserialize("non_jwe_token");
        Assertions.assertThat(deserialize.accessToken()).isEqualTo("non_jwe_token");
        Assertions.assertThat(deserialize.refreshToken()).isEmpty();
    }

    private JweTokenSerializer tokenSerializer(Clock clock, Duration duration, String str) throws GeneralSecurityException, KeyLengthException {
        return tokenSerializer(clock, duration, Optional.of(str));
    }

    private JweTokenSerializer tokenSerializer(Clock clock, Duration duration, Optional<String> optional) throws GeneralSecurityException, KeyLengthException {
        RefreshTokensConfig refreshTokensConfig = new RefreshTokensConfig();
        Objects.requireNonNull(refreshTokensConfig);
        optional.ifPresent(refreshTokensConfig::setSecretKey);
        return new JweTokenSerializer(refreshTokensConfig, new Oauth2ClientStub(), "trino_coordinator_test_version", "trino_coordinator", "sub", clock, duration);
    }

    private static String randomEncodedSecret() {
        return randomEncodedSecret(24);
    }

    private static String randomEncodedSecret(int i) {
        byte[] bArr = new byte[i];
        new SecureRandom().nextBytes(bArr);
        return Base64.getEncoder().encodeToString(bArr);
    }
}
