package io.trino.server.security.oauth2;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Strings;
import com.google.common.base.Verify;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Ordering;
import com.google.common.hash.Hashing;
import com.google.common.io.BaseEncoding;
import com.google.common.io.Resources;
import io.airlift.http.client.HttpClient;
import io.airlift.http.client.JsonResponseHandler;
import io.airlift.http.client.Request;
import io.airlift.json.JsonCodec;
import io.airlift.log.Logger;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SigningKeyResolver;
import io.jsonwebtoken.impl.DefaultClaims;
import io.jsonwebtoken.security.Keys;
import io.trino.server.security.oauth2.OAuth2Client;
import io.trino.server.ui.FormWebUiAuthenticationFilter;
import io.trino.server.ui.OAuth2WebUiInstalled;
import io.trino.server.ui.OAuthWebUiCookie;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Collection;
import java.util.Date;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Random;
import java.util.Set;
import java.util.stream.Stream;
import javax.inject.Inject;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;

/* loaded from: input_file:io/trino/server/security/oauth2/OAuth2Service.class */
public class OAuth2Service {
    public static final String REDIRECT_URI = "redirect_uri";
    public static final String STATE = "state";
    public static final String NONCE = "nonce";
    public static final String OPENID_SCOPE = "openid";
    private static final String STATE_AUDIENCE_UI = "trino_oauth_ui";
    private static final String FAILURE_REPLACEMENT_TEXT = "<!-- ERROR_MESSAGE -->";
    public static final String HANDLER_STATE_CLAIM = "handler_state";
    private final OAuth2Client client;
    private final SigningKeyResolver signingKeyResolver;
    private final String successHtml;
    private final String failureHtml;
    private final Set<String> scopes;
    private final TemporalAmount challengeTimeout;
    private final Key stateHmac;
    private final HttpClient httpClient;
    private final String issuer;
    private final String accessTokenIssuer;
    private final String clientId;
    private final Optional<URI> userinfoUri;
    private final Set<String> allowedAudiences;
    private final OAuth2TokenHandler tokenHandler;
    private final boolean webUiOAuthEnabled;
    private static final Logger LOG = Logger.get(OAuth2Service.class);
    private static final Random SECURE_RANDOM = new SecureRandom();
    private static final JsonResponseHandler<Map<String, Object>> USERINFO_RESPONSE_HANDLER = JsonResponseHandler.createJsonResponseHandler(JsonCodec.mapJsonCodec(String.class, Object.class));

    @Inject
    public OAuth2Service(OAuth2Client oAuth2Client, @ForOAuth2 SigningKeyResolver signingKeyResolver, @ForOAuth2 HttpClient httpClient, OAuth2Config oAuth2Config, OAuth2TokenHandler oAuth2TokenHandler, Optional<OAuth2WebUiInstalled> optional) throws IOException {
        this.client = (OAuth2Client) Objects.requireNonNull(oAuth2Client, "client is null");
        this.signingKeyResolver = (SigningKeyResolver) Objects.requireNonNull(signingKeyResolver, "signingKeyResolver is null");
        Objects.requireNonNull(oAuth2Config, "oauth2Config is null");
        this.successHtml = Resources.toString(Resources.getResource(getClass(), "/oauth2/success.html"), StandardCharsets.UTF_8);
        this.failureHtml = Resources.toString(Resources.getResource(getClass(), "/oauth2/failure.html"), StandardCharsets.UTF_8);
        Verify.verify(this.failureHtml.contains(FAILURE_REPLACEMENT_TEXT), "login.html does not contain the replacement text", new Object[0]);
        this.scopes = oAuth2Config.getScopes();
        this.challengeTimeout = Duration.ofMillis(oAuth2Config.getChallengeTimeout().toMillis());
        this.stateHmac = Keys.hmacShaKeyFor((byte[]) oAuth2Config.getStateKey().map(str -> {
            return Hashing.sha256().hashString(str, StandardCharsets.UTF_8).asBytes();
        }).orElseGet(() -> {
            return secureRandomBytes(32);
        }));
        this.httpClient = (HttpClient) Objects.requireNonNull(httpClient, "httpClient is null");
        this.issuer = oAuth2Config.getIssuer();
        this.accessTokenIssuer = oAuth2Config.getAccessTokenIssuer().orElse(this.issuer);
        this.clientId = oAuth2Config.getClientId();
        this.userinfoUri = oAuth2Config.getUserinfoUrl().map(str2 -> {
            return UriBuilder.fromUri(str2).build(new Object[0]);
        });
        this.allowedAudiences = ImmutableSet.builder().addAll(oAuth2Config.getAdditionalAudiences()).add(this.clientId).build();
        this.tokenHandler = (OAuth2TokenHandler) Objects.requireNonNull(oAuth2TokenHandler, "tokenHandler is null");
        this.webUiOAuthEnabled = ((Optional) Objects.requireNonNull(optional, "webUiOAuthEnabled is null")).isPresent();
    }

    public Response startOAuth2Challenge(UriInfo uriInfo) {
        return startOAuth2Challenge(uriInfo.getBaseUri().resolve(OAuth2CallbackResource.CALLBACK_ENDPOINT), Optional.empty());
    }

    public Response startOAuth2Challenge(UriInfo uriInfo, String str) {
        return startOAuth2Challenge(uriInfo.getBaseUri().resolve(OAuth2CallbackResource.CALLBACK_ENDPOINT), Optional.of(str));
    }

    public Response startOAuth2Challenge(URI uri, String str) {
        return startOAuth2Challenge(uri, Optional.of(str));
    }

    private Response startOAuth2Challenge(URI uri, Optional<String> optional) {
        Instant plus = Instant.now().plus(this.challengeTimeout);
        String compact = Jwts.builder().signWith(this.stateHmac).setAudience(STATE_AUDIENCE_UI).claim(HANDLER_STATE_CLAIM, optional.orElse(null)).setExpiration(Date.from(plus)).compact();
        Optional of = this.scopes.contains(OPENID_SCOPE) ? Optional.of(randomNonce()) : Optional.empty();
        Response.ResponseBuilder seeOther = Response.seeOther(this.client.getAuthorizationUri(compact, uri, of.map(OAuth2Service::hashNonce)));
        of.ifPresent(str -> {
            seeOther.cookie(new NewCookie[]{NonceCookie.create(str, plus)});
        });
        return seeOther.build();
    }

    public Response handleOAuth2Error(String str, String str2, String str3, String str4) {
        try {
            Optional.ofNullable((String) parseState(str).get(HANDLER_STATE_CLAIM, String.class)).ifPresent(str5 -> {
                this.tokenHandler.setTokenExchangeError(str5, String.format("Authentication response could not be verified: error=%s, errorDescription=%s, errorUri=%s", str2, str3, str3));
            });
            LOG.debug("OAuth server returned an error: error=%s, error_description=%s, error_uri=%s, state=%s", new Object[]{str2, str3, str4, str});
            return Response.ok().entity(getCallbackErrorHtml(str2)).cookie(new NewCookie[]{NonceCookie.delete()}).build();
        } catch (ChallengeFailedException | RuntimeException e) {
            LOG.debug(e, "Authentication response could not be verified invalid state: state=%s", new Object[]{str});
            return Response.status(Response.Status.BAD_REQUEST).entity(getInternalFailureHtml("Authentication response could not be verified")).cookie(new NewCookie[]{NonceCookie.delete()}).build();
        }
    }

    public Response finishOAuth2Challenge(String str, String str2, URI uri, Optional<String> optional) {
        try {
            Optional ofNullable = Optional.ofNullable((String) parseState(str).get(HANDLER_STATE_CLAIM, String.class));
            try {
                OAuth2Client.OAuth2Response oAuth2Response = this.client.getOAuth2Response(str2, uri);
                Instant determineExpiration = determineExpiration(oAuth2Response.getValidUntil(), validateAndParseOAuth2Response(oAuth2Response, optional).orElseThrow(() -> {
                    return new ChallengeFailedException("invalid access token");
                }).getExpiration());
                if (ofNullable.isEmpty()) {
                    return Response.seeOther(URI.create(FormWebUiAuthenticationFilter.UI_LOCATION)).cookie(new NewCookie[]{OAuthWebUiCookie.create(oAuth2Response.getAccessToken(), determineExpiration), NonceCookie.delete()}).build();
                }
                this.tokenHandler.setAccessToken((String) ofNullable.get(), oAuth2Response.getAccessToken());
                Response.ResponseBuilder ok = Response.ok(getSuccessHtml());
                if (this.webUiOAuthEnabled) {
                    ok.cookie(new NewCookie[]{OAuthWebUiCookie.create(oAuth2Response.getAccessToken(), determineExpiration)});
                }
                return ok.cookie(new NewCookie[]{NonceCookie.delete()}).build();
            } catch (ChallengeFailedException | RuntimeException e) {
                LOG.debug(e, "Authentication response could not be verified: state=%s", new Object[]{str});
                ofNullable.ifPresent(str3 -> {
                    this.tokenHandler.setTokenExchangeError(str3, String.format("Authentication response could not be verified: state=%s", str3));
                });
                return Response.status(Response.Status.BAD_REQUEST).cookie(new NewCookie[]{NonceCookie.delete()}).entity(getInternalFailureHtml("Authentication response could not be verified")).build();
            }
        } catch (ChallengeFailedException | RuntimeException e2) {
            LOG.debug(e2, "Authentication response could not be verified invalid state: state=%s", new Object[]{str});
            return Response.status(Response.Status.BAD_REQUEST).entity(getInternalFailureHtml("Authentication response could not be verified")).cookie(new NewCookie[]{NonceCookie.delete()}).build();
        }
    }

    private static Instant determineExpiration(Optional<Instant> optional, Date date) throws ChallengeFailedException {
        if (optional.isPresent()) {
            return date != null ? (Instant) Ordering.natural().min(optional.get(), date.toInstant()) : optional.get();
        }
        if (date != null) {
            return date.toInstant();
        }
        throw new ChallengeFailedException("no valid expiration date");
    }

    private Claims parseState(String str) throws ChallengeFailedException {
        try {
            return (Claims) Jwts.parserBuilder().setSigningKey(this.stateHmac).requireAudience(STATE_AUDIENCE_UI).build().parseClaimsJws(str).getBody();
        } catch (RuntimeException e) {
            throw new ChallengeFailedException("State validation failed", e);
        }
    }

    private Optional<Claims> validateAndParseOAuth2Response(OAuth2Client.OAuth2Response oAuth2Response, Optional<String> optional) throws ChallengeFailedException {
        validateIdTokenAndNonce(oAuth2Response, optional);
        return internalConvertTokenToClaims(oAuth2Response.getAccessToken());
    }

    private void validateIdTokenAndNonce(OAuth2Client.OAuth2Response oAuth2Response, Optional<String> optional) throws ChallengeFailedException {
        if (optional.isPresent() && oAuth2Response.getIdToken().isPresent()) {
            validateAudience((Claims) Jwts.parserBuilder().setSigningKeyResolver(this.signingKeyResolver).requireIssuer(this.issuer).require(NONCE, hashNonce(optional.get())).build().parseClaimsJws(oAuth2Response.getIdToken().get()).getBody(), false);
        } else if (optional.isPresent() != oAuth2Response.getIdToken().isPresent()) {
            throw new ChallengeFailedException("Cannot validate nonce parameter");
        }
    }

    public Optional<Map<String, Object>> convertTokenToClaims(String str) throws ChallengeFailedException {
        return internalConvertTokenToClaims(str).map(claims -> {
            return claims;
        });
    }

    private Optional<Claims> internalConvertTokenToClaims(String str) throws ChallengeFailedException {
        if (!this.userinfoUri.isPresent()) {
            Claims claims = (Claims) Jwts.parserBuilder().setSigningKeyResolver(this.signingKeyResolver).requireIssuer(this.accessTokenIssuer).build().parseClaimsJws(str).getBody();
            validateAudience(claims, true);
            return Optional.of(claims);
        }
        try {
            DefaultClaims defaultClaims = new DefaultClaims((Map) this.httpClient.execute(Request.builder().setMethod("POST").addHeader("Authorization", "Bearer " + str).setUri(this.userinfoUri.get()).build(), USERINFO_RESPONSE_HANDLER));
            validateAudience(defaultClaims, true);
            return Optional.of(defaultClaims);
        } catch (RuntimeException e) {
            LOG.error(e, "Received bad response from userinfo endpoint");
            return Optional.empty();
        }
    }

    private void validateAudience(Claims claims, boolean z) throws ChallengeFailedException {
        Set<String> of;
        Object obj = claims.get("aud");
        if (!z) {
            of = Set.of(this.clientId);
        } else {
            if (obj == null) {
                return;
            }
            if ((obj instanceof Collection) && ((Collection) obj).isEmpty()) {
                return;
            } else {
                of = this.allowedAudiences;
            }
        }
        if (obj instanceof String) {
            if (!of.contains((String) obj)) {
                throw new ChallengeFailedException(String.format("Invalid Audience: %s. Allowed audiences: %s", obj, this.allowedAudiences));
            }
        } else {
            if (!(obj instanceof Collection)) {
                throw new ChallengeFailedException(String.format("Invalid Audience: %s", obj));
            }
            Stream stream = ((Collection) obj).stream();
            Class<String> cls = String.class;
            Objects.requireNonNull(String.class);
            Stream map = stream.map(cls::cast);
            Set<String> set = of;
            Objects.requireNonNull(set);
            if (map.noneMatch((v1) -> {
                return r1.contains(v1);
            })) {
                throw new ChallengeFailedException(String.format("Invalid Audience: %s. Allowed audiences: %s", obj, this.allowedAudiences));
            }
        }
    }

    public String getSuccessHtml() {
        return this.successHtml;
    }

    public String getCallbackErrorHtml(String str) {
        return this.failureHtml.replace(FAILURE_REPLACEMENT_TEXT, getOAuth2ErrorMessage(str));
    }

    public String getInternalFailureHtml(String str) {
        return this.failureHtml.replace(FAILURE_REPLACEMENT_TEXT, Strings.nullToEmpty(str));
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static byte[] secureRandomBytes(int i) {
        byte[] bArr = new byte[i];
        SECURE_RANDOM.nextBytes(bArr);
        return bArr;
    }

    private static String getOAuth2ErrorMessage(String str) {
        boolean z = -1;
        switch (str.hashCode()) {
            case -2054838772:
                if (str.equals("server_error")) {
                    z = 2;
                    break;
                }
                break;
            case -1307356897:
                if (str.equals("temporarily_unavailable")) {
                    z = 3;
                    break;
                }
                break;
            case -444618026:
                if (str.equals("access_denied")) {
                    z = false;
                    break;
                }
                break;
            case 1330404726:
                if (str.equals("unauthorized_client")) {
                    z = true;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                return "OAuth2 server denied the login";
            case true:
                return "OAuth2 server does not allow request from this Trino server";
            case true:
                return "OAuth2 server had a failure";
            case true:
                return "OAuth2 server is temporarily unavailable";
            default:
                return "OAuth2 unknown error code: " + str;
        }
    }

    private static String randomNonce() {
        return BaseEncoding.base64Url().encode(secureRandomBytes(18));
    }

    @VisibleForTesting
    public static String hashNonce(String str) {
        return Hashing.sha256().hashString(str, StandardCharsets.UTF_8).toString();
    }
}
