package io.trino.server.security.oauth2;

import com.google.common.collect.ImmutableMap;
import com.google.common.io.Resources;
import com.google.inject.Key;
import com.google.inject.TypeLiteral;
import io.airlift.http.client.HttpStatus;
import io.airlift.http.server.HttpServerConfig;
import io.airlift.http.server.HttpServerInfo;
import io.airlift.http.server.testing.TestingHttpServer;
import io.airlift.node.NodeInfo;
import io.trino.server.security.Authenticator;
import io.trino.server.security.oauth2.OAuth2ServerConfigProvider;
import io.trino.server.testing.TestingTrinoServer;
import io.trino.server.ui.OAuth2WebUiAuthenticationFilter;
import io.trino.server.ui.WebUiAuthenticationFilter;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import org.assertj.core.api.Assertions;
import org.testng.annotations.DataProvider;
import org.testng.annotations.Test;

/* loaded from: input_file:io/trino/server/security/oauth2/TestOidcDiscovery.class */
public class TestOidcDiscovery {

    /* loaded from: input_file:io/trino/server/security/oauth2/TestOidcDiscovery$MetadataServer.class */
    public static class MetadataServer implements AutoCloseable {
        private final TestingHttpServer httpServer;

        public MetadataServer(Map<String, String> map) throws Exception {
            this(new MetadataServlet(map));
        }

        public MetadataServer(HttpServlet httpServlet) throws Exception {
            NodeInfo nodeInfo = new NodeInfo("test");
            HttpServerConfig httpPort = new HttpServerConfig().setHttpPort(0);
            this.httpServer = new TestingHttpServer(new HttpServerInfo(httpPort, nodeInfo), nodeInfo, httpPort, httpServlet, ImmutableMap.of());
            this.httpServer.start();
        }

        public URI getBaseUrl() {
            return this.httpServer.getBaseUrl();
        }

        @Override // java.lang.AutoCloseable
        public void close() throws Exception {
            this.httpServer.stop();
        }
    }

    /* loaded from: input_file:io/trino/server/security/oauth2/TestOidcDiscovery$MetadataServlet.class */
    public static class MetadataServlet extends HttpServlet {
        private final Map<String, String> responseMapping;

        public MetadataServlet(Map<String, String> map) {
            this.responseMapping = (Map) Objects.requireNonNull(map, "responseMapping is null");
        }

        protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
            String str = this.responseMapping.get(httpServletRequest.getPathInfo());
            if (str == null) {
                httpServletResponse.setStatus(404);
                return;
            }
            httpServletResponse.setHeader("Content-Type", "application/json");
            httpServletResponse.getWriter().write(Resources.toString(Resources.getResource(str), StandardCharsets.UTF_8).replaceAll("https://issuer.com", httpServletRequest.getRequestURL().toString().replace("/.well-known/openid-configuration", "")));
        }
    }

    /* loaded from: input_file:io/trino/server/security/oauth2/TestOidcDiscovery$MetadataServletWithStartup.class */
    public static class MetadataServletWithStartup extends MetadataServlet {
        private final Instant startTime;

        public MetadataServletWithStartup(Map<String, String> map, int i) {
            super(map);
            this.startTime = Instant.now().plusSeconds(i);
        }

        @Override // io.trino.server.security.oauth2.TestOidcDiscovery.MetadataServlet
        protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
            if (Instant.now().isBefore(this.startTime)) {
                httpServletResponse.setStatus(HttpStatus.TOO_MANY_REQUESTS.code());
            } else {
                super.doGet(httpServletRequest, httpServletResponse);
            }
        }
    }

    @Test(dataProvider = "staticConfiguration")
    public void testStaticConfiguration(Optional<String> optional, Optional<String> optional2) throws Exception {
        MetadataServer metadataServer = new MetadataServer((Map<String, String>) ImmutableMap.of("/jwks.json", "jwk/jwk-public.json"));
        try {
            URI baseUrl = metadataServer.getBaseUrl();
            Objects.requireNonNull(baseUrl);
            Optional<U> map = optional.map(baseUrl::resolve);
            Objects.requireNonNull(baseUrl);
            Optional<U> map2 = optional2.map(baseUrl::resolve);
            ImmutableMap.Builder put = ImmutableMap.builder().put("http-server.authentication.oauth2.issuer", metadataServer.getBaseUrl().toString()).put("http-server.authentication.oauth2.oidc.discovery", "false").put("http-server.authentication.oauth2.auth-url", baseUrl.resolve("/connect/authorize").toString()).put("http-server.authentication.oauth2.token-url", baseUrl.resolve("/connect/token").toString()).put("http-server.authentication.oauth2.jwks-url", baseUrl.resolve("/jwks.json").toString()).put("http-server.authentication.oauth2.end-session-url", baseUrl.resolve("/connect/logout").toString());
            map.map((v0) -> {
                return v0.toString();
            }).ifPresent(str -> {
                put.put("http-server.authentication.oauth2.access-token-issuer", str);
            });
            map2.map((v0) -> {
                return v0.toString();
            }).ifPresent(str2 -> {
                put.put("http-server.authentication.oauth2.userinfo-url", str2);
            });
            TestingTrinoServer createServer = createServer(put.buildOrThrow());
            try {
                Objects.requireNonNull(baseUrl);
                Optional map3 = map.map(baseUrl::resolve);
                Objects.requireNonNull(baseUrl);
                assertConfiguration(createServer, baseUrl, map3, map2.map(baseUrl::resolve));
                if (createServer != null) {
                    createServer.close();
                }
                metadataServer.close();
            } finally {
            }
        } catch (Throwable th) {
            try {
                metadataServer.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    /* JADX WARN: Type inference failed for: r0v1, types: [java.lang.Object[], java.lang.Object[][]] */
    @DataProvider(name = "staticConfiguration")
    public static Object[][] staticConfiguration() {
        return new Object[]{new Object[]{Optional.empty(), Optional.empty()}, new Object[]{Optional.of("/access-token-issuer"), Optional.of("/userinfo")}};
    }

    @Test(dataProvider = "oidcDiscovery")
    public void testOidcDiscovery(String str, Optional<String> optional, Optional<String> optional2) throws Exception {
        MetadataServer metadataServer = new MetadataServer((Map<String, String>) ImmutableMap.builder().put("/.well-known/openid-configuration", "oidc/" + str).put("/jwks.json", "jwk/jwk-public.json").buildOrThrow());
        try {
            TestingTrinoServer createServer = createServer(ImmutableMap.builder().put("http-server.authentication.oauth2.issuer", metadataServer.getBaseUrl().toString()).put("http-server.authentication.oauth2.oidc.discovery", "true").buildOrThrow());
            try {
                URI baseUrl = metadataServer.getBaseUrl();
                Objects.requireNonNull(baseUrl);
                Optional<U> map = optional.map(baseUrl::resolve);
                Objects.requireNonNull(baseUrl);
                assertConfiguration(createServer, baseUrl, map, optional2.map(baseUrl::resolve));
                if (createServer != null) {
                    createServer.close();
                }
                metadataServer.close();
            } finally {
            }
        } catch (Throwable th) {
            try {
                metadataServer.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    /* JADX WARN: Type inference failed for: r0v1, types: [java.lang.Object[], java.lang.Object[][]] */
    @DataProvider(name = "oidcDiscovery")
    public static Object[][] oidcDiscovery() {
        return new Object[]{new Object[]{"openid-configuration.json", Optional.empty(), Optional.of("/connect/userinfo")}, new Object[]{"openid-configuration-without-userinfo.json", Optional.empty(), Optional.empty()}, new Object[]{"openid-configuration-with-access-token-issuer.json", Optional.of("http://access-token-issuer.com/adfs/services/trust"), Optional.of("/connect/userinfo")}};
    }

    @Test
    public void testIssuerCheck() {
        Assertions.assertThatThrownBy(() -> {
            MetadataServer metadataServer = new MetadataServer((Map<String, String>) ImmutableMap.builder().put("/.well-known/openid-configuration", "oidc/openid-configuration-invalid-issuer.json").put("/jwks.json", "jwk/jwk-public.json").buildOrThrow());
            try {
                TestingTrinoServer createServer = createServer(ImmutableMap.builder().put("http-server.authentication.oauth2.issuer", metadataServer.getBaseUrl().toString()).put("http-server.authentication.oauth2.oidc.discovery", "true").buildOrThrow());
                try {
                    ((OAuth2ServerConfigProvider) createServer.getInstance(Key.get(OAuth2ServerConfigProvider.class))).get();
                    if (createServer != null) {
                        createServer.close();
                    }
                    metadataServer.close();
                } finally {
                }
            } catch (Throwable th) {
                try {
                    metadataServer.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
                throw th;
            }
        }).hasMessageContaining("Invalid response from OpenID Metadata endpoint. The value of the \"issuer\" claim in Metadata document different than the Issuer URL used for the Configuration Request.");
    }

    @Test
    public void testStopOnClientError() {
        Assertions.assertThatThrownBy(() -> {
            MetadataServer metadataServer = new MetadataServer((Map<String, String>) ImmutableMap.of());
            try {
                TestingTrinoServer createServer = createServer(ImmutableMap.builder().put("http-server.authentication.oauth2.issuer", metadataServer.getBaseUrl().toString()).put("http-server.authentication.oauth2.oidc.discovery", "true").buildOrThrow());
                try {
                    ((OAuth2ServerConfigProvider) createServer.getInstance(Key.get(OAuth2ServerConfigProvider.class))).get();
                    if (createServer != null) {
                        createServer.close();
                    }
                    metadataServer.close();
                } finally {
                }
            } catch (Throwable th) {
                try {
                    metadataServer.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
                throw th;
            }
        }).hasMessageContaining("Invalid response from OpenID Metadata endpoint. Expected response code to be 200, but was 404");
    }

    @Test
    public void testOidcDiscoveryRetrying() throws Exception {
        MetadataServer metadataServer = new MetadataServer(new MetadataServletWithStartup(ImmutableMap.builder().put("/.well-known/openid-configuration", "oidc/openid-configuration.json").put("/jwks.json", "jwk/jwk-public.json").buildOrThrow(), 5));
        try {
            TestingTrinoServer createServer = createServer(ImmutableMap.builder().put("http-server.authentication.oauth2.issuer", metadataServer.getBaseUrl().toString()).put("http-server.authentication.oauth2.oidc.discovery", "true").put("http-server.authentication.oauth2.oidc.discovery.timeout", "10s").buildOrThrow());
            try {
                URI baseUrl = metadataServer.getBaseUrl();
                assertConfiguration(createServer, baseUrl, Optional.empty(), Optional.of(baseUrl.resolve("/connect/userinfo")));
                if (createServer != null) {
                    createServer.close();
                }
                metadataServer.close();
            } finally {
            }
        } catch (Throwable th) {
            try {
                metadataServer.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    @Test
    public void testOidcDiscoveryTimesOut() {
        Assertions.assertThatThrownBy(() -> {
            MetadataServer metadataServer = new MetadataServer(new MetadataServletWithStartup(ImmutableMap.builder().put("/.well-known/openid-configuration", "oidc/openid-configuration.json").put("/jwks.json", "jwk/jwk-public.json").buildOrThrow(), 10));
            try {
                TestingTrinoServer createServer = createServer(ImmutableMap.builder().put("http-server.authentication.oauth2.issuer", metadataServer.getBaseUrl().toString()).put("http-server.authentication.oauth2.oidc.discovery", "true").put("http-server.authentication.oauth2.oidc.discovery.timeout", "5s").buildOrThrow());
                try {
                    ((OAuth2ServerConfigProvider) createServer.getInstance(Key.get(OAuth2ServerConfigProvider.class))).get();
                    if (createServer != null) {
                        createServer.close();
                    }
                    metadataServer.close();
                } finally {
                }
            } catch (Throwable th) {
                try {
                    metadataServer.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
                throw th;
            }
        }).hasMessageContaining("Invalid response from OpenID Metadata endpoint: 429");
    }

    @Test
    public void testIgnoringUserinfoUrl() throws Exception {
        MetadataServer metadataServer = new MetadataServer((Map<String, String>) ImmutableMap.builder().put("/.well-known/openid-configuration", "oidc/openid-configuration.json").put("/jwks.json", "jwk/jwk-public.json").buildOrThrow());
        try {
            TestingTrinoServer createServer = createServer(ImmutableMap.builder().put("http-server.authentication.oauth2.issuer", metadataServer.getBaseUrl().toString()).put("http-server.authentication.oauth2.oidc.discovery", "true").put("http-server.authentication.oauth2.oidc.use-userinfo-endpoint", "false").buildOrThrow());
            try {
                assertConfiguration(createServer, metadataServer.getBaseUrl(), Optional.empty(), Optional.empty());
                if (createServer != null) {
                    createServer.close();
                }
                metadataServer.close();
            } finally {
            }
        } catch (Throwable th) {
            try {
                metadataServer.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    @Test
    public void testBackwardCompatibility() throws Exception {
        MetadataServer metadataServer = new MetadataServer((Map<String, String>) ImmutableMap.builder().put("/.well-known/openid-configuration", "oidc/openid-configuration-with-access-token-issuer.json").put("/jwks.json", "jwk/jwk-public.json").buildOrThrow());
        try {
            URI baseUrl = metadataServer.getBaseUrl();
            URI resolve = baseUrl.resolve("/custom-authorize");
            URI resolve2 = baseUrl.resolve("/custom-token");
            URI resolve3 = baseUrl.resolve("/custom-jwks.json");
            String uri = baseUrl.resolve("/custom-access-token-issuer").toString();
            URI resolve4 = baseUrl.resolve("/custom-userinfo-url");
            TestingTrinoServer createServer = createServer(ImmutableMap.builder().put("http-server.authentication.oauth2.issuer", baseUrl.toString()).put("http-server.authentication.oauth2.oidc.discovery", "true").put("http-server.authentication.oauth2.auth-url", resolve.toString()).put("http-server.authentication.oauth2.token-url", resolve2.toString()).put("http-server.authentication.oauth2.jwks-url", resolve3.toString()).put("http-server.authentication.oauth2.access-token-issuer", uri).put("http-server.authentication.oauth2.userinfo-url", resolve4.toString()).buildOrThrow());
            try {
                assertComponents(createServer);
                OAuth2ServerConfigProvider.OAuth2ServerConfig oAuth2ServerConfig = ((OAuth2ServerConfigProvider) createServer.getInstance(Key.get(OAuth2ServerConfigProvider.class))).get();
                Assertions.assertThat(oAuth2ServerConfig.accessTokenIssuer()).isEqualTo(Optional.of(uri));
                Assertions.assertThat(oAuth2ServerConfig.authUrl()).isEqualTo(resolve);
                Assertions.assertThat(oAuth2ServerConfig.tokenUrl()).isEqualTo(resolve2);
                Assertions.assertThat(oAuth2ServerConfig.jwksUrl()).isEqualTo(resolve3);
                Assertions.assertThat(oAuth2ServerConfig.userinfoUrl()).isEqualTo(Optional.of(resolve4));
                if (createServer != null) {
                    createServer.close();
                }
                metadataServer.close();
            } finally {
            }
        } catch (Throwable th) {
            try {
                metadataServer.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    private static void assertConfiguration(TestingTrinoServer testingTrinoServer, URI uri, Optional<URI> optional, Optional<URI> optional2) {
        assertComponents(testingTrinoServer);
        OAuth2ServerConfigProvider.OAuth2ServerConfig oAuth2ServerConfig = ((OAuth2ServerConfigProvider) testingTrinoServer.getInstance(Key.get(OAuth2ServerConfigProvider.class))).get();
        Assertions.assertThat(oAuth2ServerConfig.accessTokenIssuer()).isEqualTo(optional.map((v0) -> {
            return v0.toString();
        }));
        Assertions.assertThat(oAuth2ServerConfig.authUrl()).isEqualTo(uri.resolve("/connect/authorize"));
        Assertions.assertThat(oAuth2ServerConfig.tokenUrl()).isEqualTo(uri.resolve("/connect/token"));
        Assertions.assertThat(oAuth2ServerConfig.jwksUrl()).isEqualTo(uri.resolve("/jwks.json"));
        Assertions.assertThat(oAuth2ServerConfig.userinfoUrl()).isEqualTo(optional2);
    }

    private static void assertComponents(TestingTrinoServer testingTrinoServer) {
        List list = (List) testingTrinoServer.getInstance(Key.get(new TypeLiteral<List<Authenticator>>() { // from class: io.trino.server.security.oauth2.TestOidcDiscovery.1
        }));
        Assertions.assertThat(list).hasSize(1);
        Assertions.assertThat((Authenticator) list.get(0)).isInstanceOf(OAuth2Authenticator.class);
        Assertions.assertThat((WebUiAuthenticationFilter) testingTrinoServer.getInstance(Key.get(WebUiAuthenticationFilter.class))).isInstanceOf(OAuth2WebUiAuthenticationFilter.class);
        ((OAuth2Client) testingTrinoServer.getInstance(Key.get(OAuth2Client.class))).load();
    }

    private static TestingTrinoServer createServer(Map<String, String> map) {
        return TestingTrinoServer.builder().setProperties(ImmutableMap.builder().put("http-server.https.enabled", "true").put("http-server.https.keystore.path", Resources.getResource("cert/localhost.pem").getPath()).put("http-server.https.keystore.key", "").put("http-server.process-forwarded", "true").put("http-server.authentication.allow-insecure-over-http", "true").put("http-server.authentication.type", "oauth2").put("http-server.authentication.oauth2.client-id", "another-consumer").put("http-server.authentication.oauth2.client-secret", "consumer-secret").putAll(map).buildOrThrow()).build();
    }
}
