package io.trino.server.security;

import com.google.common.base.Joiner;
import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableList;
import io.trino.server.InternalAuthenticationManager;
import io.trino.server.ServletSecurityUtils;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Stream;
import javax.annotation.Priority;
import javax.inject.Inject;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;

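/**
 * JAX-RS request filter that establishes the authenticated identity for each incoming request.
 *
 * <p>Decision order, as implemented in {@link #filter(ContainerRequestContext)}:
 * <ol>
 *   <li>Requests recognised by {@link InternalAuthenticationManager#isInternalRequest} are handed to the
 *       internal authentication manager and never reach the configured authenticators.</li>
 *   <li>Requests whose security context reports a secure channel are offered to every configured
 *       authenticator, in list order; the first one that succeeds wins.</li>
 *   <li>Requests on a non-secure channel are rejected with {@link ForbiddenException} unless insecure
 *       authentication over HTTP was explicitly allowed, in which case only the
 *       {@link InsecureAuthenticator} is consulted.</li>
 * </ol>
 *
 * <p>The priority value 1000 equals {@code javax.ws.rs.Priorities.AUTHENTICATION}.
 */
@Priority(1000)
/* loaded from: input_file:io/trino/server/security/AuthenticationFilter.class */
public class AuthenticationFilter implements ContainerRequestFilter {
    private final List<Authenticator> authenticators;
    private final InternalAuthenticationManager internalAuthenticationManager;
    private final boolean insecureAuthenticationOverHttpAllowed;
    private final InsecureAuthenticator insecureAuthenticator;

    /**
     * Creates the filter.
     *
     * @param list the authenticators tried, in order, for requests on a secure channel; must be non-null and non-empty
     * @param internalAuthenticationManager handler for requests classified as internal
     * @param securityConfig source of the "insecure authentication over HTTP allowed" flag, read once here
     * @param insecureAuthenticator the only authenticator consulted for requests on a non-secure channel
     * @throws NullPointerException if any argument is null
     * @throws IllegalArgumentException if {@code list} is empty
     */
    @Inject
    public AuthenticationFilter(List<Authenticator> list, InternalAuthenticationManager internalAuthenticationManager, SecurityConfig securityConfig, InsecureAuthenticator insecureAuthenticator) {
        // Defensive immutable copy: the set of authenticators must not change after construction.
        this.authenticators = ImmutableList.copyOf(Objects.requireNonNull(list, "authenticators is null"));
        // An empty list would make every secure request fall straight through to the failure path.
        Preconditions.checkArgument(!list.isEmpty(), "authenticators is empty");
        this.internalAuthenticationManager = Objects.requireNonNull(internalAuthenticationManager, "internalAuthenticationManager is null");
        this.insecureAuthenticationOverHttpAllowed = Objects.requireNonNull(securityConfig, "securityConfig is null").isInsecureAuthenticationOverHttpAllowed();
        this.insecureAuthenticator = Objects.requireNonNull(insecureAuthenticator, "insecureAuthenticator is null");
    }

    /**
     * Authenticates the request or reports the failure.
     *
     * <p>On success the authenticated identity is stored on the request via
     * {@link ServletSecurityUtils#setAuthenticatedIdentity}. When every candidate authenticator fails,
     * the distinct failure messages (joined with {@code " | "}) and the distinct authenticate headers
     * collected from the thrown {@link AuthenticationException}s and their suppressed
     * {@link AuthenticationException}s are passed to {@link ServletSecurityUtils#sendWwwAuthenticate}.
     *
     * @param containerRequestContext the request being filtered
     * @throws ForbiddenException if the channel is not secure and insecure authentication over HTTP is not allowed
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) {
        // Internal requests bypass the user-facing authenticators entirely.
        // NOTE(review): the strength of this branch rests on isInternalRequest/handleInternalRequest,
        // which are not visible here; confirm they reject forged internal markers.
        if (InternalAuthenticationManager.isInternalRequest(containerRequestContext)) {
            this.internalAuthenticationManager.handleInternalRequest(containerRequestContext);
            return;
        }

        List<Authenticator> candidates;
        // NOTE(review): isSecure() is whatever the SecurityContext reports; confirm how it is derived
        // when TLS is terminated by a proxy in front of this server.
        if (containerRequestContext.getSecurityContext().isSecure()) {
            candidates = this.authenticators;
        } else {
            // Fail closed: credentials are not accepted over a non-secure channel unless explicitly enabled.
            if (!this.insecureAuthenticationOverHttpAllowed) {
                throw new ForbiddenException("Authentication over HTTP is not enabled");
            }
            candidates = ImmutableList.of(this.insecureAuthenticator);
        }

        // LinkedHashSet keeps first-seen order and drops duplicates across authenticators.
        LinkedHashSet<String> messages = new LinkedHashSet<>();
        LinkedHashSet<String> authenticateHeaders = new LinkedHashSet<>();
        for (Authenticator authenticator : candidates) {
            try {
                ServletSecurityUtils.setAuthenticatedIdentity(containerRequestContext, authenticator.authenticate(containerRequestContext));
                // First successful authenticator decides the identity; later ones are not consulted.
                return;
            } catch (AuthenticationException e) {
                // An authenticator may attach further failures as suppressed exceptions; gather those too.
                Stream.concat(Stream.of(e), Arrays.stream(e.getSuppressed()))
                        .filter(AuthenticationException.class::isInstance)
                        .map(AuthenticationException.class::cast)
                        .forEach(failure -> {
                            if (failure.getMessage() != null) {
                                messages.add(failure.getMessage());
                            }
                            failure.getAuthenticateHeader().ifPresent(authenticateHeaders::add);
                        });
            }
        }

        if (messages.isEmpty()) {
            messages.add("Unauthorized");
        }
        // The joined messages are handed to the response helper, so they presumably reach the caller:
        // authenticator implementations should keep AuthenticationException messages free of secrets
        // and of detail that distinguishes "unknown user" from "wrong credential".
        ServletSecurityUtils.sendWwwAuthenticate(containerRequestContext, Joiner.on(" | ").join(messages), authenticateHeaders);
    }
}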
