package io.trino.server.security.oauth2;

import com.google.common.collect.ImmutableSet;
import io.trino.server.security.AbstractBearerAuthenticator;
import io.trino.server.security.AuthenticationException;
import io.trino.server.security.UserMapping;
import io.trino.server.security.UserMappingException;
import io.trino.spi.security.BasicPrincipal;
import io.trino.spi.security.Identity;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.UUID;
import javax.inject.Inject;
import javax.ws.rs.container.ContainerRequestContext;

/* loaded from: input_file:io/trino/server/security/oauth2/OAuth2Authenticator.class */
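/**
 * Bearer-token authenticator that turns the claims returned by {@link OAuth2Client#getClaims}
 * into a Trino {@link Identity}.
 *
 * <p>The user name and principal come from the claim named by {@code principalField}. Group
 * membership is read from the claim named by {@code groupsField} when that option is set.
 * Both values come from the token, so their shape is checked before they reach the
 * {@link Identity}.
 */
public class OAuth2Authenticator extends AbstractBearerAuthenticator {
    private final OAuth2Client client;
    private final String principalField;
    private final Optional<String> groupsField;
    private final UserMapping userMapping;

    /**
     * @param oAuth2Client client used to resolve a bearer token into its claims
     * @param oAuth2Config supplies the principal claim name, the optional groups claim name and
     *     the user-mapping pattern/file
     * @throws NullPointerException if the client, the principal field or the groups field is null
     */
    @Inject
    public OAuth2Authenticator(OAuth2Client oAuth2Client, OAuth2Config oAuth2Config) {
        this.client = Objects.requireNonNull(oAuth2Client, "client is null");
        // Fail at start-up rather than on the first request: a null claim name can never match.
        this.principalField = Objects.requireNonNull(oAuth2Config.getPrincipalField(), "principalField is null");
        this.groupsField = Objects.requireNonNull(oAuth2Config.getGroupsField(), "groupsField is null");
        this.userMapping = UserMapping.createUserMapping(oAuth2Config.getUserMappingPattern(), oAuth2Config.getUserMappingFile());
    }

    /**
     * Builds an identity from the claims of the given bearer token.
     *
     * <p>Returns {@link Optional#empty()} (the same result as when the client yields no claims)
     * if the principal claim is missing or is not a string, or if the configured groups claim is
     * present but is not a list of strings. The original code cast these values unchecked, so a
     * token with an unexpected claim shape surfaced as a {@code NullPointerException} or
     * {@code ClassCastException}, or placed non-string objects into the identity's group set.
     *
     * @param str the bearer token
     * @return the identity for the token, or empty when the token does not yield a usable identity
     * @throws UserMappingException if the principal cannot be mapped to a user name
     */
    @Override
    protected Optional<Identity> createIdentity(String str) throws UserMappingException {
        Optional<Map<String, Object>> claims = this.client.getClaims(str);
        if (claims.isEmpty()) {
            return Optional.empty();
        }
        Map<String, Object> claimSet = claims.get();

        // The principal claim is token-controlled: accept it only when it is really a string.
        Object principalClaim = claimSet.get(this.principalField);
        if (!(principalClaim instanceof String)) {
            return Optional.empty();
        }
        String principal = (String) principalClaim;

        Identity.Builder identity = Identity.forUser(this.userMapping.mapUser(principal));
        identity.withPrincipal(new BasicPrincipal(principal));

        if (this.groupsField.isPresent()) {
            Object groupsClaim = claimSet.get(this.groupsField.get());
            // An absent groups claim is allowed and leaves the identity's groups untouched.
            if (groupsClaim != null) {
                if (!(groupsClaim instanceof List)) {
                    return Optional.empty();
                }
                // Groups feed authorization decisions, so refuse the token instead of silently
                // dropping or coercing entries that are not strings.
                ImmutableSet.Builder<String> groups = ImmutableSet.builder();
                for (Object group : (List<?>) groupsClaim) {
                    if (!(group instanceof String)) {
                        return Optional.empty();
                    }
                    groups.add((String) group);
                }
                identity.withGroups(groups.build());
            }
        }
        return Optional.of(identity.build());
    }

    /**
     * Creates the challenge returned to a client that has to authenticate.
     *
     * <p>A fresh random UUID ties the advertised initiate URI to the advertised token URI.
     *
     * @param containerRequestContext the current request; its base URI is used to resolve both URIs
     * @param str passed through as the first argument of the {@link AuthenticationException}
     * @return the exception carrying the {@code Bearer} challenge with both URIs
     */
    @Override
    protected AuthenticationException needAuthentication(ContainerRequestContext containerRequestContext, String str) {
        UUID authId = UUID.randomUUID();
        // NOTE(review): both URIs are resolved against the base URI of the incoming request.
        // Confirm that the deployment controls how that base URI is derived (proxy and
        // forwarded-header handling), because clients follow x_redirect_server to log in.
        return new AuthenticationException(
                str,
                String.format(
                        "Bearer x_redirect_server=\"%s\", x_token_server=\"%s\"",
                        containerRequestContext.getUriInfo().getBaseUri().resolve(OAuth2TokenExchangeResource.getInitiateUri(authId)),
                        containerRequestContext.getUriInfo().getBaseUri().resolve(OAuth2TokenExchangeResource.getTokenUri(authId))));
    }
}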
