package io.prestosql.server.ui;

import com.google.common.base.MoreObjects;
import com.google.common.base.Strings;
import com.google.common.hash.Hashing;
import com.google.common.io.ByteStreams;
import io.airlift.http.client.HttpUriBuilder;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.prestosql.server.HttpRequestSessionContext;
import io.prestosql.server.ServletSecurityUtils;
import io.prestosql.server.security.AuthenticationException;
import io.prestosql.server.security.Authenticator;
import io.prestosql.server.security.PasswordAuthenticatorManager;
import io.prestosql.spi.security.AccessDeniedException;
import io.prestosql.spi.security.BasicPrincipal;
import io.prestosql.spi.security.Identity;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.security.SecureRandom;
import java.time.ZonedDateTime;
import java.util.Arrays;
import java.util.Date;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import java.util.function.Function;
import javax.inject.Inject;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletInputStream;
import javax.servlet.ServletRequest;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/* loaded from: input_file:io/prestosql/server/ui/FormWebUiAuthenticationManager.class */
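/**
 * Web UI authentication based on a login form and a signed session cookie.
 *
 * <p>A successful login stores an HS256-signed JWT in the {@code Presto-UI-Token} cookie
 * (HttpOnly, scoped to {@code /ui}). Later requests are accepted when the cookie's token
 * verifies against the instance's signing key, carries the {@code presto-ui} audience and
 * has not expired. When a shared secret is configured the key is derived from it; otherwise a
 * random key is generated at construction, so tokens only verify on the instance that issued
 * them.
 *
 * <p>Over a non-secure (plain HTTP) connection the login form accepts any non-empty username
 * without checking a password; credential verification happens only for secure requests, via
 * the configured {@link PasswordAuthenticatorManager}. When a dedicated web UI
 * {@link Authenticator} is configured, secure requests are authenticated by it instead of the
 * form flow.
 */
public class FormWebUiAuthenticationManager implements WebUiAuthenticationManager {
    private static final String PRESTO_UI_AUDIENCE = "presto-ui";
    private static final String PRESTO_UI_COOKIE = "Presto-UI-Token";
    private static final String LOGIN_FORM = "/ui/login.html";
    private static final String DISABLED_LOCATION = "/ui/disabled.html";
    private static final String UI_LOCATION = "/ui/";
    private static final String LOGIN_ACTION = "/ui/login";
    private static final String LOGOUT_ACTION = "/ui/logout";
    private static final String API_PREFIX = "/ui/api/";
    // The session cookie and the cookie that clears it must use the same Path, otherwise the
    // browser keeps the original cookie and logout does not take effect.
    private static final String COOKIE_PATH = "/ui";
    // 256-bit key for HS256; matches the size of a SHA-256 digest of the shared secret.
    private static final int SIGNING_KEY_BYTES = 32;

    // Verifies a token and returns its subject (the username); throws JwtException on failure.
    private final Function<String, String> jwtParser;
    // Issues a signed token for a username, expiring after the configured session timeout.
    private final Function<String, String> jwtGenerator;
    private final PasswordAuthenticatorManager passwordAuthenticatorManager;
    private final Optional<Authenticator> authenticator;

    /**
     * Creates the manager and fixes the JWT signing key for the lifetime of this instance.
     *
     * @param formWebUiConfig supplies the optional shared secret and the session timeout
     * @param passwordAuthenticatorManager verifies form credentials on secure connections
     * @param authenticator optional protocol authenticator that takes precedence over the form
     *        flow for secure requests
     * @throws NullPointerException if {@code passwordAuthenticatorManager} or
     *         {@code authenticator} is null
     */
    @Inject
    public FormWebUiAuthenticationManager(FormWebUiConfig formWebUiConfig, PasswordAuthenticatorManager passwordAuthenticatorManager, @ForWebUi Optional<Authenticator> authenticator) {
        byte[] signingKey;
        if (formWebUiConfig.getSharedSecret().isPresent()) {
            // Hashing the secret yields a fixed-size key regardless of the secret's length.
            signingKey = Hashing.sha256().hashString(formWebUiConfig.getSharedSecret().get(), StandardCharsets.UTF_8).asBytes();
        } else {
            // No shared secret: a per-instance random key. Tokens will not survive a restart and
            // will not verify on another coordinator.
            signingKey = new byte[SIGNING_KEY_BYTES];
            new SecureRandom().nextBytes(signingKey);
        }
        long sessionTimeoutNanos = formWebUiConfig.getSessionTimeout().roundTo(TimeUnit.NANOSECONDS);
        this.jwtParser = token -> parseJwt(signingKey, token);
        this.jwtGenerator = username -> generateJwt(signingKey, username, sessionTimeoutNanos);
        this.passwordAuthenticatorManager = Objects.requireNonNull(passwordAuthenticatorManager, "passwordAuthenticatorManager is null");
        this.authenticator = Objects.requireNonNull(authenticator, "authenticator is null");
    }

    /**
     * Routes a web UI request: public assets pass through, login/logout actions are handled
     * here, authenticated requests continue down the chain with the user's identity attached,
     * and everything else is answered with 401 (API calls) or a redirect to the login form.
     *
     * @param request the incoming request
     * @param response the response to populate
     * @param chain the remaining filter chain, invoked only for public or authenticated requests
     * @throws IOException if draining the request body or the chain fails
     * @throws ServletException if the chain fails
     */
    @Override
    public void handleUiRequest(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
        String path = request.getPathInfo();
        if (path == null || path.equals("/")) {
            sendRedirect(response, getUiLocation(request));
            return;
        }
        if (isPublic(request)) {
            chain.doFilter(request, response);
            return;
        }
        // A dedicated UI authenticator replaces the form flow, but only over a secure connection.
        if (this.authenticator.isPresent() && request.isSecure()) {
            handleProtocolLoginRequest(this.authenticator.get(), request, response, chain);
            return;
        }
        if (path.equals(LOGIN_ACTION)) {
            handleFormLoginRequest(request, response);
            return;
        }
        if (path.equals(LOGOUT_ACTION)) {
            handleLogoutRequest(request, response);
            return;
        }
        Optional<String> username = getAuthenticatedUsername(request);
        if (username.isPresent()) {
            if (path.equals(LOGIN_FORM)) {
                // Already logged in: skip the form and go where the login would have gone.
                sendRedirectFromSuccessfulLogin(request, response, request.getQueryString());
            } else {
                chain.doFilter(withUsername(request, username.get()), response);
            }
            return;
        }
        // Not authenticated, so any cookie that is present is invalid or expired; clear it.
        if (getAuthenticationCookie(request).isPresent()) {
            response.addCookie(getDeleteCookie(request));
        }
        // The body is never read; drain it so the connection can be reused cleanly.
        try (ServletInputStream body = request.getInputStream()) {
            ByteStreams.exhaust(body);
        }
        if (path.startsWith(API_PREFIX)) {
            // API clients cannot follow a form redirect; signal the custom scheme instead.
            response.setHeader("WWW-Authenticate", "Presto-Form-Login");
            response.setStatus(401);
        } else if (!isAuthenticationEnabled(request)) {
            sendRedirect(response, getRedirectLocation(request, DISABLED_LOCATION));
        } else if (path.equals(LOGIN_FORM)) {
            chain.doFilter(request, response);
        } else {
            sendRedirect(response, getRedirectLocation(request, LOGIN_FORM, encodeCurrentLocationForLoginRedirect(request)));
        }
    }

    /**
     * Builds the value passed to the login form so the user returns to the page they asked for.
     *
     * @return the current path plus query string, or null when the target is the UI root
     */
    private static String encodeCurrentLocationForLoginRedirect(HttpServletRequest request) {
        String location = request.getPathInfo();
        String query = request.getQueryString();
        if (!Strings.isNullOrEmpty(query)) {
            location = location + "?" + query;
        }
        // The UI root is the default landing page, so no explicit redirect target is needed.
        if (location.equals("/ui") || location.equals(UI_LOCATION)) {
            return null;
        }
        return location;
    }

    /**
     * Authenticates with the protocol {@link Authenticator}; on success the identity is attached
     * and the chain continues (form login pages redirect to the UI instead), on failure the body
     * is skipped and a 401 with the authenticator's challenge header is sent.
     */
    private static void handleProtocolLoginRequest(Authenticator authenticator, HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
        try {
            Identity identity = authenticator.authenticate(request);
            if (redirectFormLoginToUi(request, response)) {
                return;
            }
            ServletSecurityUtils.withAuthenticatedIdentity(chain, request, response, identity);
        } catch (AuthenticationException e) {
            ServletSecurityUtils.skipRequestBody(request);
            e.getAuthenticateHeader().ifPresent(challenge -> response.addHeader("WWW-Authenticate", challenge));
            ServletSecurityUtils.sendErrorMessage(response, 401, MoreObjects.firstNonNull(e.getMessage(), "Unauthorized"));
        }
    }

    /**
     * Redirects the form login page and the login/logout actions to the UI root. Used when a
     * request is already authenticated by other means, so the form flow does not apply.
     *
     * @return true if a redirect was written, false if the path is not a form login path
     */
    public static boolean redirectFormLoginToUi(HttpServletRequest request, HttpServletResponse response) {
        if (!isFormLoginPath(request.getPathInfo())) {
            return false;
        }
        sendRedirect(response, getRedirectLocation(request, UI_LOCATION));
        return true;
    }

    // Paths that only make sense for the form-based flow.
    private static boolean isFormLoginPath(String path) {
        return path.equals(LOGIN_FORM) || path.equals(LOGIN_ACTION) || path.equals(LOGOUT_ACTION);
    }

    /**
     * Handles a POST to {@code /ui/login}: on valid credentials sets the session cookie and
     * redirects to the user-supplied {@code redirectPath}; otherwise redirects back to the form.
     */
    private void handleFormLoginRequest(HttpServletRequest request, HttpServletResponse response) {
        if (!isAuthenticationEnabled(request)) {
            sendRedirect(response, getRedirectLocation(request, DISABLED_LOCATION));
            return;
        }
        Optional<String> username = checkLoginCredentials(request);
        if (!username.isPresent()) {
            sendRedirect(response, getLoginFormLocation(request));
            return;
        }
        response.addCookie(createAuthenticationCookie(request, username.get()));
        sendRedirectFromSuccessfulLogin(request, response, request.getParameter("redirectPath"));
    }

    /**
     * Redirects after login. {@code redirectPath} is user-controlled: only its path and query
     * are used and the scheme, host and port are taken from the current request, so the
     * redirect cannot leave this server. Unparseable values and values with no path component
     * (opaque URIs) fall back to the UI root.
     */
    private static void sendRedirectFromSuccessfulLogin(HttpServletRequest request, HttpServletResponse response, String redirectPath) {
        String target = MoreObjects.firstNonNull(Strings.emptyToNull(redirectPath), UI_LOCATION);
        URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            sendRedirect(response, UI_LOCATION);
            return;
        }
        // URI.getPath() is null for opaque URIs; treat them like unparseable input.
        if (uri.getPath() == null) {
            sendRedirect(response, UI_LOCATION);
            return;
        }
        sendRedirect(response, getRedirectLocation(request, uri.getPath(), uri.getQuery()));
    }

    /**
     * Validates the submitted form credentials.
     *
     * <p>On a non-secure connection the username is accepted as-is without a password check
     * (insecure mode). On a secure connection the password authenticator must accept the
     * username/password pair.
     *
     * @return the authenticated username, or empty if the username is missing or rejected
     */
    private Optional<String> checkLoginCredentials(HttpServletRequest request) {
        String username = Strings.emptyToNull(request.getParameter("username"));
        if (username == null) {
            return Optional.empty();
        }
        if (!request.isSecure()) {
            return Optional.of(username);
        }
        try {
            // Only the outcome matters here; the principal is rebuilt per request in withUsername.
            this.passwordAuthenticatorManager.getAuthenticator().createAuthenticatedPrincipal(username, Strings.emptyToNull(request.getParameter("password")));
            return Optional.of(username);
        } catch (AccessDeniedException e) {
            return Optional.empty();
        }
    }

    /**
     * Clears the session cookie and redirects to the login form (or the disabled page when
     * authentication is not available for this connection).
     */
    private void handleLogoutRequest(HttpServletRequest request, HttpServletResponse response) {
        response.addCookie(getDeleteCookie(request));
        if (isAuthenticationEnabled(request)) {
            sendRedirect(response, getLoginFormLocation(request));
        } else {
            sendRedirect(response, getRedirectLocation(request, DISABLED_LOCATION));
        }
    }

    /**
     * Extracts the username from a valid session cookie.
     *
     * @return the token subject, or empty if there is no cookie or the token fails
     *         verification (bad signature, wrong audience, expired, malformed)
     * @throws RuntimeException wrapping any non-JWT failure while parsing
     */
    private Optional<String> getAuthenticatedUsername(HttpServletRequest request) {
        Optional<Cookie> cookie = getAuthenticationCookie(request);
        if (!cookie.isPresent()) {
            return Optional.empty();
        }
        try {
            return Optional.of(this.jwtParser.apply(cookie.get().getValue()));
        } catch (JwtException e) {
            // An invalid token is an unauthenticated request, not a server error.
            return Optional.empty();
        } catch (RuntimeException e) {
            throw new RuntimeException("Authentication error", e);
        }
    }

    /**
     * Attaches the authenticated identity to the request and wraps it so
     * {@link HttpServletRequest#getUserPrincipal()} reports the user.
     *
     * @throws NullPointerException if {@code username} is null
     */
    private static ServletRequest withUsername(HttpServletRequest request, String username) {
        Objects.requireNonNull(username, "username is null");
        final BasicPrincipal principal = new BasicPrincipal(username);
        request.setAttribute(HttpRequestSessionContext.AUTHENTICATED_IDENTITY, Identity.forUser(username).withPrincipal(principal).build());
        return new HttpServletRequestWrapper(request) {
            @Override
            public Principal getUserPrincipal() {
                return principal;
            }
        };
    }

    /**
     * Builds the session cookie holding a freshly signed token for {@code username}.
     * HttpOnly keeps the token away from page scripts; Secure is set only when the current
     * request is secure so insecure-mode deployments still work.
     */
    private Cookie createAuthenticationCookie(HttpServletRequest request, String username) {
        Cookie cookie = new Cookie(PRESTO_UI_COOKIE, this.jwtGenerator.apply(username));
        cookie.setSecure(request.isSecure());
        cookie.setHttpOnly(true);
        cookie.setPath(COOKIE_PATH);
        return cookie;
    }

    /**
     * Builds a cookie that instructs the browser to discard the session cookie. Name, Path and
     * Secure mirror {@link #createAuthenticationCookie} so the browser matches the right cookie
     * regardless of which UI path the deletion is sent from.
     */
    private static Cookie getDeleteCookie(HttpServletRequest request) {
        Cookie cookie = new Cookie(PRESTO_UI_COOKIE, "delete");
        cookie.setMaxAge(0);
        cookie.setSecure(request.isSecure());
        cookie.setHttpOnly(true);
        cookie.setPath(COOKIE_PATH);
        return cookie;
    }

    // Finds the session cookie, if the request carries one.
    private static Optional<Cookie> getAuthenticationCookie(HttpServletRequest request) {
        Cookie[] cookies = MoreObjects.firstNonNull(request.getCookies(), new Cookie[0]);
        return Arrays.stream(cookies)
                .filter(cookie -> PRESTO_UI_COOKIE.equals(cookie.getName()))
                .findFirst();
    }

    // Static assets and the disabled page are served without authentication.
    private static boolean isPublic(HttpServletRequest request) {
        String path = request.getPathInfo();
        return path.equals(DISABLED_LOCATION) || path.startsWith("/ui/vendor") || path.startsWith("/ui/assets");
    }

    // 303 See Other: the follow-up is always a GET, even after a form POST.
    private static void sendRedirect(HttpServletResponse response, String location) {
        response.setHeader("Location", location);
        response.setStatus(303);
    }

    private static String getLoginFormLocation(HttpServletRequest request) {
        return getRedirectLocation(request, LOGIN_FORM);
    }

    private static String getUiLocation(HttpServletRequest request) {
        return getRedirectLocation(request, UI_LOCATION);
    }

    private static String getRedirectLocation(HttpServletRequest request, String path) {
        return getRedirectLocation(request, path, null);
    }

    /**
     * Builds an absolute redirect URL on this server. Scheme, host and port come from the
     * request (host is derived from the Host header; the deployment's front end is expected to
     * validate it), so only the path and query are controlled by the caller.
     *
     * @param path replacement path
     * @param query raw query string to append, or null for none
     */
    public static String getRedirectLocation(HttpServletRequest request, String path, String query) {
        HttpUriBuilder builder = HttpUriBuilder.uriBuilder()
                .scheme(request.getScheme())
                .host(request.getServerName())
                .port(request.getServerPort())
                .replacePath(path);
        if (query != null) {
            builder.addParameter(query, new String[0]);
        }
        return builder.toString();
    }

    // Insecure connections always allow the form (insecure mode); secure connections need a
    // configured password authenticator or a dedicated UI authenticator.
    private boolean isAuthenticationEnabled(HttpServletRequest request) {
        return !request.isSecure() || this.passwordAuthenticatorManager.isLoaded() || this.authenticator.isPresent();
    }

    /**
     * Signs a session token: HS256 over {@code signingKey}, subject = username, audience =
     * {@value #PRESTO_UI_AUDIENCE}, expiring {@code timeoutNanos} from now.
     * Public only because the decompiled source exposes it; treat as an internal helper.
     */
    public static String generateJwt(byte[] signingKey, String username, long timeoutNanos) {
        Date expiration = Date.from(ZonedDateTime.now().plusNanos(timeoutNanos).toInstant());
        return Jwts.builder()
                .signWith(SignatureAlgorithm.HS256, signingKey)
                .setSubject(username)
                .setExpiration(expiration)
                .setAudience(PRESTO_UI_AUDIENCE)
                .compact();
    }

    /**
     * Verifies a session token and returns its subject. Only signed tokens (JWS) are accepted,
     * the signature must match {@code signingKey}, and the audience must be
     * {@value #PRESTO_UI_AUDIENCE}; the library also rejects expired tokens.
     * Public only because the decompiled source exposes it; treat as an internal helper.
     *
     * @throws JwtException if the token is malformed, tampered with, expired or for another audience
     */
    public static String parseJwt(byte[] signingKey, String token) {
        Claims claims = Jwts.parser()
                .setSigningKey(signingKey)
                .requireAudience(PRESTO_UI_AUDIENCE)
                .parseClaimsJws(token)
                .getBody();
        return claims.getSubject();
    }

    /**
     * Same behaviour as {@link #redirectFormLoginToUi}; kept for callers of the original name.
     */
    public static boolean redirectAllFormLoginToUi(HttpServletRequest request, HttpServletResponse response) {
        return redirectFormLoginToUi(request, response);
    }
}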
