package io.trino.server.security;

import com.google.inject.Inject;
import io.trino.security.AccessControl;
import io.trino.server.HttpRequestSessionContextFactory;
import io.trino.server.InternalAuthenticationManager;
import io.trino.server.ServletSecurityUtils;
import io.trino.server.security.ResourceSecurity;
import io.trino.server.ui.WebUiAuthenticationFilter;
import io.trino.spi.StandardErrorCode;
import io.trino.spi.TrinoException;
import io.trino.spi.security.AccessDeniedException;
import io.trino.spi.security.Identity;
import jakarta.annotation.Priority;
import jakarta.ws.rs.ForbiddenException;
import jakarta.ws.rs.ServiceUnavailableException;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.container.ContainerResponseContext;
import jakarta.ws.rs.container.ContainerResponseFilter;
import jakarta.ws.rs.container.DynamicFeature;
import jakarta.ws.rs.container.ResourceInfo;
import jakarta.ws.rs.core.FeatureContext;
import java.util.Objects;
import java.util.Optional;

/* loaded from: input_file:io/trino/server/security/ResourceSecurityDynamicFeature.class */
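/**
 * JAX-RS {@link DynamicFeature} that attaches authentication and authorization filters to each
 * resource method, based on the {@link ResourceSecurity.AccessType} that
 * {@link ResourceAccessType} resolves for it.
 *
 * <p>Filters are registered per resource in {@link #configure}. An access type without a matching
 * {@code case} is rejected with an {@link IllegalArgumentException} instead of being left
 * unprotected.
 */
public class ResourceSecurityDynamicFeature implements DynamicFeature {
    private final ResourceAccessType resourceAccessType;
    private final AuthenticationFilter authenticationFilter;
    private final WebUiAuthenticationFilter webUiAuthenticationFilter;
    private final InternalAuthenticationManager internalAuthenticationManager;
    private final AccessControl accessControl;
    private final HttpRequestSessionContextFactory sessionContextFactory;
    private final Optional<String> fixedManagementUser;
    private final boolean fixedManagementUserForHttps;

    /**
     * Response filter that calls {@link Identity#destroy()} on the identity attached to the
     * request, if one was attached by an earlier authentication filter.
     */
    // 1000 is the value of jakarta.ws.rs.Priorities.AUTHENTICATION.
    @Priority(1000)
    private static class DisposeIdentityResponseFilter implements ContainerResponseFilter {
        private DisposeIdentityResponseFilter() {
        }

        public void filter(ContainerRequestContext containerRequestContext, ContainerResponseContext containerResponseContext) {
            // NOTE(review): presumably this releases credentials held by the identity once the
            // response is produced; confirm against Identity.destroy().
            ServletSecurityUtils.authenticatedIdentity(containerRequestContext).ifPresent(Identity::destroy);
        }
    }

    /**
     * Request filter for {@code INTERNAL_ONLY} resources: any request that
     * {@link InternalAuthenticationManager#isInternalRequest} does not recognise is rejected with
     * {@link ForbiddenException}; recognised requests are handed to
     * {@code handleInternalRequest}.
     */
    // 1000 is the value of jakarta.ws.rs.Priorities.AUTHENTICATION.
    @Priority(1000)
    private static class InternalOnlyRequestFilter implements ContainerRequestFilter {
        private final InternalAuthenticationManager internalAuthenticationManager;

        @Inject
        public InternalOnlyRequestFilter(InternalAuthenticationManager internalAuthenticationManager) {
            this.internalAuthenticationManager = Objects.requireNonNull(internalAuthenticationManager, "internalAuthenticationManager is null");
        }

        public void filter(ContainerRequestContext containerRequestContext) {
            if (!InternalAuthenticationManager.isInternalRequest(containerRequestContext)) {
                throw new ForbiddenException("Internal only resource");
            }
            // NOTE(review): the actual verification of the internal credential is expected to
            // happen inside handleInternalRequest; isInternalRequest alone is not shown here to
            // validate anything. Confirm in InternalAuthenticationManager.
            this.internalAuthenticationManager.handleInternalRequest(containerRequestContext);
        }
    }

    /**
     * Authentication filter for management resources.
     *
     * <p>When a fixed management user is configured, the request is accepted as that user without
     * running the regular {@link AuthenticationFilter}, i.e. without the caller presenting any
     * credential. This shortcut applies to non-secure requests, and to secure requests as well
     * when {@code fixedManagementUserForHttps} is set. In every other case the regular
     * authentication filter runs.
     *
     * <p>Security note: with the fixed user enabled, protection of management endpoints on the
     * affected listener rests on network reachability and on the authorization check performed by
     * {@link ManagementAuthorizationFilter} for that user. Keep such listeners off untrusted
     * networks and grant the fixed user only the system-information privileges it needs.
     */
    // 1000 is the value of jakarta.ws.rs.Priorities.AUTHENTICATION.
    @Priority(1000)
    private static class ManagementAuthenticationFilter implements ContainerRequestFilter {
        private final AuthenticationFilter fallbackAuthenticationFilter;
        private final Optional<String> fixedManagementUser;
        private final boolean fixedManagementUserForHttps;

        /**
         * @param fixedManagementUser user name to assume for management requests, if configured
         * @param fixedManagementUserForHttps whether the fixed user also applies to secure requests
         * @param fallbackAuthenticationFilter filter used whenever the fixed user does not apply
         */
        public ManagementAuthenticationFilter(Optional<String> fixedManagementUser, boolean fixedManagementUserForHttps, AuthenticationFilter fallbackAuthenticationFilter) {
            this.fixedManagementUser = Objects.requireNonNull(fixedManagementUser, "fixedManagementUser is null");
            this.fixedManagementUserForHttps = fixedManagementUserForHttps;
            this.fallbackAuthenticationFilter = Objects.requireNonNull(fallbackAuthenticationFilter, "fallbackAuthenticationFilter is null");
        }

        public void filter(ContainerRequestContext containerRequestContext) {
            // Short-circuit order matters: isSecure() is consulted only when a fixed user exists
            // and it is not already enabled for secure requests.
            boolean useFixedUser = this.fixedManagementUser.isPresent()
                    && (this.fixedManagementUserForHttps || !containerRequestContext.getSecurityContext().isSecure());
            if (useFixedUser) {
                ServletSecurityUtils.setAuthenticatedIdentity(containerRequestContext, this.fixedManagementUser.get());
                return;
            }
            this.fallbackAuthenticationFilter.filter(containerRequestContext);
        }
    }

    /**
     * Authorization filter for management resources. It resolves the authorized identity for the
     * request and asks {@link AccessControl} whether that identity may read or write system
     * information. Requests whose principal is an {@code InternalPrincipal} skip the check.
     */
    // 2000 is the value of jakarta.ws.rs.Priorities.AUTHORIZATION, so this runs after the
    // authentication filters registered with priority 1000.
    @Priority(2000)
    private static class ManagementAuthorizationFilter implements ContainerRequestFilter {
        private final AccessControl accessControl;
        private final HttpRequestSessionContextFactory sessionContextFactory;
        private final boolean read;

        /**
         * @param accessControl access control consulted for the system-information check
         * @param httpRequestSessionContextFactory used to derive the authorized identity
         * @param read {@code true} to require read access, {@code false} to require write access
         */
        public ManagementAuthorizationFilter(AccessControl accessControl, HttpRequestSessionContextFactory httpRequestSessionContextFactory, boolean read) {
            this.accessControl = Objects.requireNonNull(accessControl, "accessControl is null");
            this.sessionContextFactory = Objects.requireNonNull(httpRequestSessionContextFactory, "sessionContextFactory is null");
            this.read = read;
        }

        /**
         * @throws ForbiddenException if access control denies the identity
         * @throws ServiceUnavailableException if the server reports that it is still starting up
         * @throws TrinoException for any other Trino error raised during the check
         */
        public void filter(ContainerRequestContext containerRequestContext) {
            // Internal (node-to-node) principals are trusted here and bypass access control.
            if (containerRequestContext.getSecurityContext().getUserPrincipal() instanceof InternalPrincipal) {
                return;
            }
            try {
                Identity identity = this.sessionContextFactory.extractAuthorizedIdentity(
                        ServletSecurityUtils.authenticatedIdentity(containerRequestContext),
                        containerRequestContext.getHeaders());
                if (this.read) {
                    this.accessControl.checkCanReadSystemInformation(identity);
                } else {
                    this.accessControl.checkCanWriteSystemInformation(identity);
                }
            } catch (AccessDeniedException ignored) {
                // AccessDeniedException is a TrinoException subtype in the Trino SPI, so it has to
                // be caught before the broader clause below; otherwise a denial would be rethrown
                // as a generic TrinoException instead of a 403. The response carries a fixed
                // message rather than the access-control detail.
                throw new ForbiddenException("Management only resource");
            } catch (TrinoException e) {
                if (StandardErrorCode.SERVER_STARTING_UP.toErrorCode().equals(e.getErrorCode())) {
                    throw new ServiceUnavailableException(e.getMessage());
                }
                throw e;
            }
        }
    }

    /**
     * Creates the feature with the filters and configuration it distributes to resources.
     *
     * @throws NullPointerException if any argument is {@code null}
     */
    @Inject
    public ResourceSecurityDynamicFeature(ResourceAccessType resourceAccessType, AuthenticationFilter authenticationFilter, WebUiAuthenticationFilter webUiAuthenticationFilter, InternalAuthenticationManager internalAuthenticationManager, AccessControl accessControl, HttpRequestSessionContextFactory httpRequestSessionContextFactory, SecurityConfig securityConfig) {
        this.resourceAccessType = Objects.requireNonNull(resourceAccessType, "resourceAccessType is null");
        this.authenticationFilter = Objects.requireNonNull(authenticationFilter, "authenticationFilter is null");
        this.webUiAuthenticationFilter = Objects.requireNonNull(webUiAuthenticationFilter, "webUiAuthenticationFilter is null");
        this.internalAuthenticationManager = Objects.requireNonNull(internalAuthenticationManager, "internalAuthenticationManager is null");
        this.accessControl = Objects.requireNonNull(accessControl, "accessControl is null");
        this.sessionContextFactory = Objects.requireNonNull(httpRequestSessionContextFactory, "sessionContextFactory is null");
        // Same failure type as before (NullPointerException), now with a message like the others.
        Objects.requireNonNull(securityConfig, "securityConfig is null");
        this.fixedManagementUser = securityConfig.getFixedManagementUser();
        this.fixedManagementUserForHttps = securityConfig.isFixedManagementUserForHttps();
    }

    /**
     * Registers the filters that match the access type of the given resource.
     *
     * <ul>
     *   <li>{@code PUBLIC}: nothing is registered by this feature.</li>
     *   <li>{@code WEB_UI}: web UI authentication plus identity disposal.</li>
     *   <li>{@code AUTHENTICATED_USER}: regular authentication plus identity disposal.</li>
     *   <li>{@code MANAGEMENT_READ} / {@code MANAGEMENT_WRITE}: management authentication,
     *       management authorization (read or write), plus identity disposal.</li>
     *   <li>{@code INTERNAL_ONLY}: internal-request filter only.</li>
     * </ul>
     *
     * @throws IllegalArgumentException if the access type has no case here
     */
    public void configure(ResourceInfo resourceInfo, FeatureContext featureContext) {
        ResourceSecurity.AccessType accessType = this.resourceAccessType.getAccessType(resourceInfo);
        switch (accessType) {
            case PUBLIC:
                // Deliberately unauthenticated: no filter is attached.
                return;
            case WEB_UI:
                featureContext.register(this.webUiAuthenticationFilter);
                featureContext.register(new DisposeIdentityResponseFilter());
                return;
            case AUTHENTICATED_USER:
                featureContext.register(this.authenticationFilter);
                featureContext.register(new DisposeIdentityResponseFilter());
                return;
            case MANAGEMENT_READ:
            case MANAGEMENT_WRITE:
                boolean readOnly = accessType == ResourceSecurity.AccessType.MANAGEMENT_READ;
                featureContext.register(new ManagementAuthenticationFilter(this.fixedManagementUser, this.fixedManagementUserForHttps, this.authenticationFilter));
                featureContext.register(new ManagementAuthorizationFilter(this.accessControl, this.sessionContextFactory, readOnly));
                featureContext.register(new DisposeIdentityResponseFilter());
                return;
            case INTERNAL_ONLY:
                featureContext.register(new InternalOnlyRequestFilter(this.internalAuthenticationManager));
                return;
            default:
                // Fail closed: a newly added access type must be handled explicitly.
                throw new IllegalArgumentException("Unknown mode: " + accessType);
        }
    }
}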
