package io.prestosql.server.security;

import com.google.common.base.MoreObjects;
import com.google.common.collect.ImmutableMap;
import com.google.common.io.Resources;
import com.google.inject.Key;
import io.airlift.http.client.HttpUriBuilder;
import io.airlift.http.server.HttpServerInfo;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.prestosql.client.OkHttpUtil;
import io.prestosql.plugin.base.security.AllowAllSystemAccessControl;
import io.prestosql.security.AccessControlManager;
import io.prestosql.server.testing.TestingPrestoServer;
import io.prestosql.spi.security.AccessDeniedException;
import io.prestosql.spi.security.BasicPrincipal;
import io.prestosql.spi.security.SystemSecurityContext;
import io.prestosql.testing.assertions.Assert;
import java.io.IOException;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.Principal;
import java.time.ZonedDateTime;
import java.util.Date;
import java.util.Optional;
import okhttp3.Credentials;
import okhttp3.Headers;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;

@Test
/* loaded from: input_file:io/prestosql/server/security/TestResourceSecurity.class */
public class TestResourceSecurity {
    private static final String TEST_USER = "test-user";
    private static final String TEST_USER_LOGIN = "test-user@allowed";
    private static final String TEST_PASSWORD = "test-password";
    private static final String MANAGEMENT_USER = "management-user";
    private static final String MANAGEMENT_USER_LOGIN = "management-user@allowed";
    private static final String MANAGEMENT_PASSWORD = "management-password";
    private OkHttpClient client;
    private static final String LOCALHOST_KEYSTORE = Resources.getResource("cert/localhost.pem").getPath();
    private static final String ALLOWED_USER_MAPPING_PATTERN = "(.*)@allowed";
    private static final ImmutableMap<String, String> SECURE_PROPERTIES = ImmutableMap.builder().put("http-server.https.enabled", "true").put("http-server.https.keystore.path", LOCALHOST_KEYSTORE).put("http-server.https.keystore.key", "").put("http-server.process-forwarded", "true").put("http-server.authentication.insecure.user-mapping.pattern", ALLOWED_USER_MAPPING_PATTERN).build();
    private static final String HMAC_KEY = Resources.getResource("hmac_key.txt").getPath();

    /* loaded from: input_file:io/prestosql/server/security/TestResourceSecurity$TestSystemAccessControl.class */
    private static class TestSystemAccessControl extends AllowAllSystemAccessControl {
        private TestSystemAccessControl() {
        }

        public void checkCanReadSystemInformation(SystemSecurityContext systemSecurityContext) {
            if (systemSecurityContext.getIdentity().getUser().equals(TestResourceSecurity.MANAGEMENT_USER)) {
                return;
            }
            AccessDeniedException.denyReadSystemInformationAccess();
        }
    }

    @BeforeClass
    public void setup() {
        OkHttpClient.Builder followRedirects = new OkHttpClient.Builder().followRedirects(false);
        OkHttpUtil.setupSsl(followRedirects, Optional.empty(), Optional.empty(), Optional.empty(), Optional.of(LOCALHOST_KEYSTORE), Optional.empty(), Optional.empty());
        this.client = followRedirects.build();
    }

    @Test
    public void testInsecureAuthenticatorHttp() throws Exception {
        TestingPrestoServer build = TestingPrestoServer.builder().setProperties(ImmutableMap.builder().put("http-server.authentication.insecure.user-mapping.pattern", ALLOWED_USER_MAPPING_PATTERN).build()).build();
        try {
            ((AccessControlManager) build.getInstance(Key.get(AccessControlManager.class))).addSystemAccessControl(new TestSystemAccessControl());
            assertInsecureAuthentication(((HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class))).getHttpUri());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testInsecureAuthenticatorHttps() throws Exception {
        TestingPrestoServer build = TestingPrestoServer.builder().setProperties(SECURE_PROPERTIES).build();
        try {
            ((AccessControlManager) build.getInstance(Key.get(AccessControlManager.class))).addSystemAccessControl(new TestSystemAccessControl());
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            assertInsecureAuthentication(httpServerInfo.getHttpUri());
            assertInsecureAuthentication(httpServerInfo.getHttpsUri());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testInsecureAuthenticatorHttpsOnly() throws Exception {
        TestingPrestoServer build = TestingPrestoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("http-server.authentication.allow-insecure-over-http", "false").build()).build();
        try {
            ((AccessControlManager) build.getInstance(Key.get(AccessControlManager.class))).addSystemAccessControl(new TestSystemAccessControl());
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            assertAuthenticationDisabled(httpServerInfo.getHttpUri());
            assertInsecureAuthentication(httpServerInfo.getHttpsUri());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testPasswordAuthenticator() throws Exception {
        TestingPrestoServer build = TestingPrestoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("http-server.authentication.type", "password").put("http-server.authentication.password.user-mapping.pattern", ALLOWED_USER_MAPPING_PATTERN).build()).build();
        try {
            ((PasswordAuthenticatorManager) build.getInstance(Key.get(PasswordAuthenticatorManager.class))).setAuthenticator(TestResourceSecurity::authenticate);
            ((AccessControlManager) build.getInstance(Key.get(AccessControlManager.class))).addSystemAccessControl(new TestSystemAccessControl());
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            assertAuthenticationDisabled(httpServerInfo.getHttpUri());
            assertPasswordAuthentication(httpServerInfo.getHttpsUri());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testPasswordAuthenticatorWithInsecureHttp() throws Exception {
        TestingPrestoServer build = TestingPrestoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("http-server.authentication.type", "password").put("http-server.authentication.allow-insecure-over-http", "true").put("http-server.authentication.password.user-mapping.pattern", ALLOWED_USER_MAPPING_PATTERN).build()).build();
        try {
            ((PasswordAuthenticatorManager) build.getInstance(Key.get(PasswordAuthenticatorManager.class))).setAuthenticator(TestResourceSecurity::authenticate);
            ((AccessControlManager) build.getInstance(Key.get(AccessControlManager.class))).addSystemAccessControl(new TestSystemAccessControl());
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            assertInsecureAuthentication(httpServerInfo.getHttpUri());
            assertPasswordAuthentication(httpServerInfo.getHttpsUri());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testFixedManagerAuthenticatorHttpInsecureEnabledOnly() throws Exception {
        TestingPrestoServer build = TestingPrestoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("http-server.authentication.type", "password").put("http-server.authentication.allow-insecure-over-http", "true").put("http-server.authentication.password.user-mapping.pattern", ALLOWED_USER_MAPPING_PATTERN).put("management.user", MANAGEMENT_USER).build()).build();
        try {
            ((PasswordAuthenticatorManager) build.getInstance(Key.get(PasswordAuthenticatorManager.class))).setAuthenticator(TestResourceSecurity::authenticate);
            ((AccessControlManager) build.getInstance(Key.get(AccessControlManager.class))).addSystemAccessControl(new TestSystemAccessControl());
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            assertFixedManagementUser(httpServerInfo.getHttpUri(), true);
            assertPasswordAuthentication(httpServerInfo.getHttpsUri());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testFixedManagerAuthenticatorHttpInsecureDisabledOnly() throws Exception {
        TestingPrestoServer build = TestingPrestoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("http-server.authentication.type", "password").put("http-server.authentication.allow-insecure-over-http", "false").put("http-server.authentication.password.user-mapping.pattern", ALLOWED_USER_MAPPING_PATTERN).put("management.user", MANAGEMENT_USER).build()).build();
        try {
            ((PasswordAuthenticatorManager) build.getInstance(Key.get(PasswordAuthenticatorManager.class))).setAuthenticator(TestResourceSecurity::authenticate);
            ((AccessControlManager) build.getInstance(Key.get(AccessControlManager.class))).addSystemAccessControl(new TestSystemAccessControl());
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            assertResponseCode(this.client, getPublicLocation(httpServerInfo.getHttpUri()), 200);
            assertResponseCode(this.client, getAuthorizedUserLocation(httpServerInfo.getHttpUri()), 403, TEST_USER_LOGIN, null);
            assertResponseCode(this.client, getManagementLocation(httpServerInfo.getHttpUri()), 200);
            assertResponseCode(this.client, getManagementLocation(httpServerInfo.getHttpUri()), 200, "unknown", "something");
            assertPasswordAuthentication(httpServerInfo.getHttpsUri());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testFixedManagerAuthenticatorHttps() throws Exception {
        TestingPrestoServer build = TestingPrestoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("http-server.authentication.type", "password").put("http-server.authentication.allow-insecure-over-http", "true").put("management.user", MANAGEMENT_USER).put("management.user.https-enabled", "true").build()).build();
        try {
            ((PasswordAuthenticatorManager) build.getInstance(Key.get(PasswordAuthenticatorManager.class))).setAuthenticator(TestResourceSecurity::authenticate);
            ((AccessControlManager) build.getInstance(Key.get(AccessControlManager.class))).addSystemAccessControl(new TestSystemAccessControl());
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            assertFixedManagementUser(httpServerInfo.getHttpUri(), true);
            assertFixedManagementUser(httpServerInfo.getHttpsUri(), false);
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testCertAuthenticator() throws Exception {
        TestingPrestoServer build = TestingPrestoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("http-server.authentication.type", "certificate").put("http-server.https.truststore.path", LOCALHOST_KEYSTORE).put("http-server.https.truststore.key", "").build()).build();
        try {
            ((AccessControlManager) build.getInstance(Key.get(AccessControlManager.class))).addSystemAccessControl(new TestSystemAccessControl());
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            assertAuthenticationDisabled(httpServerInfo.getHttpUri());
            OkHttpClient.Builder newBuilder = this.client.newBuilder();
            OkHttpUtil.setupSsl(newBuilder, Optional.of(LOCALHOST_KEYSTORE), Optional.empty(), Optional.empty(), Optional.of(LOCALHOST_KEYSTORE), Optional.empty(), Optional.empty());
            assertAuthenticationAutomatic(httpServerInfo.getHttpsUri(), newBuilder.build());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testJwtAuthenticator() throws Exception {
        TestingPrestoServer build = TestingPrestoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("http-server.authentication.type", "jwt").put("http-server.authentication.jwt.key-file", HMAC_KEY).build()).build();
        try {
            ((AccessControlManager) build.getInstance(Key.get(AccessControlManager.class))).addSystemAccessControl(new TestSystemAccessControl());
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            assertAuthenticationDisabled(httpServerInfo.getHttpUri());
            String compact = Jwts.builder().signWith(SignatureAlgorithm.HS256, Files.readString(Paths.get(HMAC_KEY, new String[0]))).setSubject(TEST_USER).setExpiration(Date.from(ZonedDateTime.now().plusMinutes(5L).toInstant())).compact();
            assertAuthenticationAutomatic(httpServerInfo.getHttpsUri(), this.client.newBuilder().authenticator((route, response) -> {
                return response.request().newBuilder().header("Authorization", "Bearer " + compact).build();
            }).build());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private void assertInsecureAuthentication(URI uri) throws IOException {
        assertResponseCode(this.client, getManagementLocation(uri), 200, MANAGEMENT_USER_LOGIN, null);
        assertOk(this.client, getPublicLocation(uri));
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 401);
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 200, TEST_USER_LOGIN, null);
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 401, TEST_USER_LOGIN, "something");
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 401, "unknown", null);
        assertResponseCode(this.client, getManagementLocation(uri), 401);
        assertResponseCode(this.client, getManagementLocation(uri), 403, TEST_USER_LOGIN, null);
        assertResponseCode(this.client, getManagementLocation(uri), 401, TEST_USER_LOGIN, "something");
        assertResponseCode(this.client, getManagementLocation(uri), 401, "unknown", null);
        assertResponseCode(this.client, getManagementLocation(uri), 200, MANAGEMENT_USER_LOGIN, null);
        assertResponseCode(this.client, getManagementLocation(uri), 401, MANAGEMENT_USER_LOGIN, "something");
        assertResponseCode(this.client, getManagementLocation(uri), 401, MANAGEMENT_USER_LOGIN, MANAGEMENT_PASSWORD);
        assertResponseCode(this.client, getInternalLocation(uri), 403);
        assertResponseCode(this.client, getInternalLocation(uri), 403, TEST_USER_LOGIN, null);
        assertResponseCode(this.client, getInternalLocation(uri), 403, MANAGEMENT_USER_LOGIN, null);
    }

    private void assertPasswordAuthentication(URI uri) throws IOException {
        assertOk(this.client, getPublicLocation(uri));
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 401);
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 401, TEST_USER_LOGIN, null);
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 401, TEST_USER_LOGIN, "invalid");
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 200, TEST_USER_LOGIN, TEST_PASSWORD);
        assertResponseCode(this.client, getManagementLocation(uri), 401);
        assertResponseCode(this.client, getManagementLocation(uri), 401, TEST_USER_LOGIN, null);
        assertResponseCode(this.client, getManagementLocation(uri), 401, TEST_USER_LOGIN, "invalid");
        assertResponseCode(this.client, getManagementLocation(uri), 403, TEST_USER_LOGIN, TEST_PASSWORD);
        assertResponseCode(this.client, getManagementLocation(uri), 401, MANAGEMENT_USER_LOGIN, null);
        assertResponseCode(this.client, getManagementLocation(uri), 401, MANAGEMENT_USER_LOGIN, "invalid");
        assertResponseCode(this.client, getManagementLocation(uri), 200, MANAGEMENT_USER_LOGIN, MANAGEMENT_PASSWORD);
        assertResponseCode(this.client, getInternalLocation(uri), 403);
        assertResponseCode(this.client, getInternalLocation(uri), 403, TEST_USER_LOGIN, TEST_PASSWORD);
    }

    private static void assertAuthenticationAutomatic(URI uri, OkHttpClient okHttpClient) throws IOException {
        assertResponseCode(okHttpClient, getPublicLocation(uri), 200);
        assertResponseCode(okHttpClient, getAuthorizedUserLocation(uri), 200);
        assertResponseCode(okHttpClient, getManagementLocation(uri), 403);
        assertResponseCode(okHttpClient, getManagementLocation(uri), 200, Headers.of(new String[]{"X-Presto-User", MANAGEMENT_USER}));
        assertResponseCode(okHttpClient, getInternalLocation(uri), 403);
    }

    private void assertAuthenticationDisabled(URI uri) throws IOException {
        assertOk(this.client, getPublicLocation(uri));
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 403);
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 403, "unknown", null);
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 403, "unknown", "something");
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 403, TEST_USER_LOGIN, TEST_PASSWORD);
        assertResponseCode(this.client, getManagementLocation(uri), 403);
        assertResponseCode(this.client, getManagementLocation(uri), 403, "unknown", null);
        assertResponseCode(this.client, getManagementLocation(uri), 403, "unknown", "something");
        assertResponseCode(this.client, getManagementLocation(uri), 403, TEST_USER_LOGIN, TEST_PASSWORD);
        assertResponseCode(this.client, getInternalLocation(uri), 403);
        assertResponseCode(this.client, getInternalLocation(uri), 403, "unknown", null);
        assertResponseCode(this.client, getInternalLocation(uri), 403, "unknown", "something");
        assertResponseCode(this.client, getInternalLocation(uri), 403, TEST_USER_LOGIN, TEST_PASSWORD);
    }

    private void assertFixedManagementUser(URI uri, boolean z) throws IOException {
        assertResponseCode(this.client, getPublicLocation(uri), 200);
        if (z) {
            assertResponseCode(this.client, getAuthorizedUserLocation(uri), 200, TEST_USER_LOGIN, null);
            assertResponseCode(this.client, getAuthorizedUserLocation(uri), 401, "unknown", null);
        } else {
            assertResponseCode(this.client, getAuthorizedUserLocation(uri), 200, TEST_USER_LOGIN, TEST_PASSWORD);
        }
        assertResponseCode(this.client, getManagementLocation(uri), 200);
        assertResponseCode(this.client, getManagementLocation(uri), 200, "unknown", "something");
    }

    private static void assertOk(OkHttpClient okHttpClient, String str) throws IOException {
        assertResponseCode(okHttpClient, str, 200, null, null);
    }

    private static void assertResponseCode(OkHttpClient okHttpClient, String str, int i) throws IOException {
        assertResponseCode(okHttpClient, str, i, null, null);
    }

    private static void assertResponseCode(OkHttpClient okHttpClient, String str, int i, String str2, String str3) throws IOException {
        assertResponseCode(okHttpClient, str, i, Headers.of(new String[]{"Authorization", Credentials.basic((String) MoreObjects.firstNonNull(str2, ""), (String) MoreObjects.firstNonNull(str3, ""))}));
    }

    private static void assertResponseCode(OkHttpClient okHttpClient, String str, int i, Headers headers) throws IOException {
        Response execute = okHttpClient.newCall(new Request.Builder().url(str).headers(headers).build()).execute();
        try {
            Assert.assertEquals(execute.code(), i, str);
            if (execute != null) {
                execute.close();
            }
        } catch (Throwable th) {
            if (execute != null) {
                try {
                    execute.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private static String getInternalLocation(URI uri) {
        return getLocation(uri, "/v1/task");
    }

    private static String getManagementLocation(URI uri) {
        return getLocation(uri, "/v1/node");
    }

    private static String getAuthorizedUserLocation(URI uri) {
        return getLocation(uri, "/v1/query");
    }

    private static String getPublicLocation(URI uri) {
        return getLocation(uri, "/v1/info");
    }

    private static String getLocation(URI uri, String str) {
        return HttpUriBuilder.uriBuilderFrom(uri).replacePath(str).toString();
    }

    private static Principal authenticate(String str, String str2) {
        if ((TEST_USER_LOGIN.equals(str) && TEST_PASSWORD.equals(str2)) || (MANAGEMENT_USER_LOGIN.equals(str) && MANAGEMENT_PASSWORD.equals(str2))) {
            return new BasicPrincipal(str);
        }
        throw new AccessDeniedException("Invalid credentials");
    }
}
