package io.trino.server;

import com.google.common.hash.Hashing;
import io.airlift.http.client.HttpRequestFilter;
import io.airlift.http.client.Request;
import io.airlift.log.Logger;
import io.airlift.node.NodeInfo;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;
import io.trino.server.security.InternalPrincipal;
import io.trino.spi.security.Identity;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.time.ZonedDateTime;
import java.util.Date;
import java.util.Objects;
import java.util.Optional;
import javax.inject.Inject;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

/* loaded from: input_file:io/trino/server/InternalAuthenticationManager.class */
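/**
 * Authenticates node-to-node HTTP traffic with a short-lived, HMAC-signed JWT carried in the
 * {@code X-Trino-Internal-Bearer} header.
 *
 * <p>Outgoing requests are stamped by {@link #filterRequest(Request)}; incoming requests are
 * verified by {@link #handleInternalRequest(ContainerRequestContext)}.
 *
 * <p>Security notes for operators and reviewers:
 * <ul>
 *   <li>The signing key is {@code SHA-256(sharedSecret)}. Hashing fixes the key length but adds no
 *       entropy, so the configured secret itself must be long and random.</li>
 *   <li>When no shared secret is configured, the node environment name is used as the secret (see
 *       {@link #getSharedSecret}). That value is presumably a deployment label rather than a
 *       secret; anyone who knows it can produce tokens this class accepts. Configure an explicit
 *       shared secret on every cluster.</li>
 *   <li>A token carries only a subject (the sender's node id) and an expiration. It is not bound
 *       to a request or recipient, so any holder can reuse it until it expires; internal traffic
 *       should travel over TLS.</li>
 *   <li>{@link #isInternalRequest} only detects the header. It does not validate the token.</li>
 * </ul>
 */
public class InternalAuthenticationManager implements HttpRequestFilter {
    private static final Logger log = Logger.get(InternalAuthenticationManager.class);
    private static final String TRINO_INTERNAL_BEARER = "X-Trino-Internal-Bearer";
    private final Key hmac;
    private final String nodeId;

    /**
     * Creates the manager from injected configuration.
     *
     * @param internalCommunicationConfig source of the shared secret
     * @param nodeInfo supplies the node id and, as a fallback secret, the environment name
     * @throws IllegalArgumentException if the configuration reports that a required shared secret is missing
     */
    @Inject
    public InternalAuthenticationManager(InternalCommunicationConfig internalCommunicationConfig, NodeInfo nodeInfo) {
        this(getSharedSecret(internalCommunicationConfig, nodeInfo), nodeInfo.getNodeId());
    }

    /**
     * Resolves the secret used to derive the signing key.
     *
     * @return the configured shared secret, or the node environment name when none is configured
     * @throws IllegalArgumentException if {@code isRequiredSharedSecretSet()} is false
     */
    private static String getSharedSecret(InternalCommunicationConfig internalCommunicationConfig, NodeInfo nodeInfo) {
        Objects.requireNonNull(internalCommunicationConfig, "internalCommunicationConfig is null");
        Objects.requireNonNull(nodeInfo, "nodeInfo is null");
        if (!internalCommunicationConfig.isRequiredSharedSecretSet()) {
            throw new IllegalArgumentException("Shared secret is required when internal communications uses https");
        }
        Optional<String> sharedSecret = internalCommunicationConfig.getSharedSecret();
        // SECURITY: the fallback makes the environment name the only thing protecting internal
        // authentication. Kept for compatibility with nodes that derive their key the same way;
        // deployments should always set an explicit, high-entropy shared secret.
        return sharedSecret.orElseGet(nodeInfo::getEnvironment);
    }

    /**
     * Creates the manager from an explicit secret.
     *
     * @param str the shared secret; its SHA-256 digest (UTF-8 encoded input) becomes the HMAC key
     * @param str2 this node's id, used as the subject of every token it issues
     * @throws NullPointerException if either argument is null
     */
    public InternalAuthenticationManager(String str, String str2) {
        Objects.requireNonNull(str, "sharedSecret is null");
        Objects.requireNonNull(str2, "nodeId is null");
        // A 32-byte digest gives a key of fixed length regardless of the secret's length; the
        // key is only as unpredictable as the secret it is derived from.
        byte[] keyBytes = Hashing.sha256().hashString(str, StandardCharsets.UTF_8).asBytes();
        this.hmac = Keys.hmacShaKeyFor(keyBytes);
        this.nodeId = str2;
    }

    /**
     * Reports whether the request carries the internal bearer header.
     *
     * <p>This is a presence check only: the header value is not verified here. Callers must pass
     * the request to {@link #handleInternalRequest(ContainerRequestContext)} before trusting it.
     */
    public static boolean isInternalRequest(ContainerRequestContext containerRequestContext) {
        return containerRequestContext.getHeaders().getFirst(TRINO_INTERNAL_BEARER) != null;
    }

    /**
     * Verifies the internal bearer token and, on success, installs the {@code <internal>} identity
     * whose principal is the token subject.
     *
     * <p>A token that fails JWT validation aborts the request with {@code 401 Unauthorized}. Any
     * other runtime failure is wrapped and rethrown to the caller.
     */
    public void handleInternalRequest(ContainerRequestContext containerRequestContext) {
        try {
            String token = containerRequestContext.getHeaders().getFirst(TRINO_INTERNAL_BEARER);
            String subject = parseJwt(token);
            Identity identity = Identity.forUser("<internal>")
                    .withPrincipal(new InternalPrincipal(subject))
                    .build();
            ServletSecurityUtils.setAuthenticatedIdentity(containerRequestContext, identity);
        } catch (JwtException e) {
            // The token itself is deliberately not logged.
            log.error(e, "Internal authentication failed");
            containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).type(MediaType.TEXT_PLAIN_TYPE.toString()).build());
        } catch (RuntimeException e2) {
            throw new RuntimeException("Authentication error", e2);
        }
    }

    /**
     * Returns a copy of the request with a freshly issued internal bearer token attached.
     */
    @Override
    public Request filterRequest(Request request) {
        return Request.Builder.fromRequest(request).addHeader(TRINO_INTERNAL_BEARER, generateJwt()).build();
    }

    /**
     * Issues a token signed with the shared key, with this node's id as subject and an expiration
     * five minutes from now.
     */
    private String generateJwt() {
        Date expiration = Date.from(ZonedDateTime.now().plusMinutes(5L).toInstant());
        return Jwts.builder()
                .signWith(this.hmac)
                .setSubject(this.nodeId)
                .setExpiration(expiration)
                .compact();
    }

    /**
     * Verifies the token against the shared key and returns its subject.
     *
     * @throws JwtException if the token is rejected by the parser or carries no subject
     */
    private String parseJwt(String jwt) {
        Claims claims = Jwts.parserBuilder()
                .setSigningKey(this.hmac)
                .build()
                .parseClaimsJws(jwt)
                .getBody();
        String subject = claims.getSubject();
        if (subject == null) {
            // Tokens issued by generateJwt() always have a subject. How InternalPrincipal treats a
            // null name is not visible from this class, so reject explicitly and let the caller
            // answer 401.
            throw new JwtException("Internal token has no subject");
        }
        return subject;
    }
}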
