package io.prestosql.queryeditorui.security;

import com.google.common.base.Strings;
import com.google.common.hash.Hashing;
import com.google.inject.Inject;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.prestosql.queryeditorui.QueryEditorConfig;
import io.prestosql.server.security.PasswordAuthenticatorManager;
import io.prestosql.server.security.WebUIAuthenticator;
import io.prestosql.spi.security.AccessDeniedException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.ZonedDateTime;
import java.util.Arrays;
import java.util.Date;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import java.util.function.Function;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;

/* loaded from: input_file:io/prestosql/queryeditorui/security/UiAuthenticator.class */
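/**
 * Form-login authenticator for the web UI.
 *
 * <p>A successful login is recorded in the {@code Presto-UI-Token} cookie, whose value is an
 * HS256-signed JWT carrying the username as subject, {@code presto-ui} as audience and an
 * expiration derived from the configured session timeout. Later requests are authenticated by
 * verifying that cookie.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The HMAC key is either the SHA-256 digest of the configured shared secret or 32 random
 *       bytes generated at construction time. A random key exists only in this instance, so
 *       cookies signed with it cannot be verified by another instance or after a restart.</li>
 *   <li>The shared secret is hashed once, without salt or stretching, so the key is only as
 *       strong as the configured secret; it should be a long random value.</li>
 *   <li>On a non-secure connection, login succeeds only when the configuration allows it and no
 *       password was sent. The username is then accepted without verification.</li>
 * </ul>
 */
public class UiAuthenticator implements WebUIAuthenticator {
    private static final String PRESTO_UI_AUDIENCE = "presto-ui";
    private static final String PRESTO_UI_COOKIE = "Presto-UI-Token";
    public static final String LOGIN_FORM = "/ui/login.html";
    public static final URI LOGIN_FORM_URI = URI.create(LOGIN_FORM);
    public static final String DISABLED_LOCATION = "/ui/disabled.html";
    public static final URI DISABLED_LOCATION_URI = URI.create(DISABLED_LOCATION);
    public static final String UI_LOCATION = "/ui/";
    private static final URI UI_LOCATION_URI = URI.create(UI_LOCATION);
    private final PasswordAuthenticatorManager passwordAuthenticatorManager;
    private final Function<String, String> jwtParser;
    private final Function<String, String> jwtGenerator;
    private final QueryEditorConfig config;

    /**
     * Creates the authenticator and fixes the JWT signing key for the lifetime of this instance.
     *
     * @param queryEditorConfig supplies the optional shared secret, the session timeout and the
     *     insecure-over-HTTP switch
     * @param passwordAuthenticatorManager provides the password authenticator used for secure logins
     * @throws NoSuchAlgorithmException if the {@code SHA1PRNG} generator is not available
     */
    @Inject
    public UiAuthenticator(QueryEditorConfig queryEditorConfig, PasswordAuthenticatorManager passwordAuthenticatorManager) throws NoSuchAlgorithmException {
        Objects.requireNonNull(queryEditorConfig, "queryEditorConfig is null");
        this.passwordAuthenticatorManager = Objects.requireNonNull(passwordAuthenticatorManager, "passwordAuthenticatorManager is null");
        this.config = queryEditorConfig;

        final byte[] hmacKey;
        if (queryEditorConfig.getSharedSecret().isPresent()) {
            // Single unsalted SHA-256 of the secret: the key is no stronger than the secret itself.
            hmacKey = Hashing.sha256().hashString(queryEditorConfig.getSharedSecret().get(), StandardCharsets.UTF_8).asBytes();
        } else {
            // No shared secret configured: use a random per-instance key.
            // NOTE(review): SHA1PRNG is a legacy algorithm name; the platform default
            // `new SecureRandom()` is the usual choice. Kept as-is to preserve behavior.
            hmacKey = new byte[32];
            SecureRandom.getInstance("SHA1PRNG").nextBytes(hmacKey);
        }

        final long sessionTimeoutNanos = queryEditorConfig.getSessionTimeout().roundTo(TimeUnit.NANOSECONDS);
        this.jwtParser = token -> parseJwt(hmacKey, token);
        this.jwtGenerator = username -> generateJwt(hmacKey, username, sessionTimeoutNanos);
    }

    /**
     * Builds the login-form URI for a request, carrying the originally requested UI location in
     * the query component so the user can be sent back there after logging in.
     *
     * <p>Only locations whose path starts with {@code /ui} are carried over; the UI root itself
     * and anything outside {@code /ui} yield the plain login form URI.
     *
     * @param uri the URI of the request that needs authentication
     * @return the login form URI, optionally with the original path and query as its query
     */
    public static URI buildLoginFormURI(URI uri) {
        UriBuilder loginForm = UriBuilder.fromUri(uri).uri(LOGIN_FORM_URI);
        String returnTo = uri.getPath();
        // getPath() is null for opaque URIs; treat that like a non-UI location.
        if (returnTo == null || !returnTo.startsWith("/ui")) {
            return loginForm.build(new Object[0]);
        }
        if (!Strings.isNullOrEmpty(uri.getQuery())) {
            returnTo = returnTo + "?" + uri.getQuery();
        }
        if (returnTo.equals("/ui") || returnTo.equals(UI_LOCATION)) {
            return loginForm.build(new Object[0]);
        }
        try {
            // Fourth argument of this constructor is the query component.
            loginForm.uri(new URI(null, null, null, returnTo, null));
        } catch (URISyntaxException ignored) {
            // Best effort: a location that cannot be encoded is dropped and the
            // plain login form is returned.
        }
        return loginForm.build(new Object[0]);
    }

    /**
     * Creates the "303 See Other" response sent after a successful login.
     *
     * <p>The redirect target is presumably supplied by the client with the login form, so it is
     * honoured only when it is a server-local absolute path: it must start with a single
     * {@code /} and parse to a URI with neither scheme nor authority. Anything else, including
     * absolute URLs, scheme-relative {@code //host} forms and unparsable values, falls back to
     * the UI root, so the login endpoint cannot be used to redirect to another site.
     *
     * @param str the requested redirect path; may be null or empty
     * @return a response builder redirecting to the accepted path or to {@code /ui/}
     */
    public static Response.ResponseBuilder redirectFromSuccessfulLoginResponse(String str) {
        URI target = UI_LOCATION_URI;
        String redirectPath = Strings.emptyToNull(str);
        if (redirectPath != null && isLocalPath(redirectPath)) {
            try {
                URI candidate = new URI(redirectPath);
                if (!candidate.isAbsolute() && candidate.getRawAuthority() == null) {
                    target = candidate;
                }
            } catch (URISyntaxException ignored) {
                // Unparsable redirect target: keep the default UI location.
            }
        }
        return Response.seeOther(target);
    }

    /**
     * Tells whether a redirect target is a path on this server: one leading slash, not two.
     * The raw string is checked because runs of leading slashes can parse as a plain path here
     * while being resolved as a host by browsers.
     */
    private static boolean isLocalPath(String redirectPath) {
        return redirectPath.startsWith("/") && !redirectPath.startsWith("//");
    }

    /**
     * Validates the submitted credentials and, on success, issues the session cookie.
     *
     * @param str the username
     * @param str2 the password; may be null
     * @param z whether the request arrived over a secure connection
     * @return the authentication cookie, or empty when the credentials are rejected
     */
    @Override // io.prestosql.server.security.WebUIAuthenticator
    public Optional<NewCookie> checkLoginCredentials(String str, String str2, boolean z) {
        if (!isValidCredential(str, str2, z)) {
            return Optional.empty();
        }
        return Optional.of(createAuthenticationCookie(str, z));
    }

    /**
     * Decides whether a login attempt is accepted.
     *
     * <p>On a non-secure connection the password authenticator is not consulted: the attempt is
     * accepted only when insecure access is enabled in the configuration and no password was
     * sent, which means the username is taken on trust.
     */
    private boolean isValidCredential(String username, String password, boolean secure) {
        if (username == null) {
            return false;
        }
        if (!secure) {
            return this.config.isAllowInsecureOverHttp() && password == null;
        }
        try {
            this.passwordAuthenticatorManager.getAuthenticator().createAuthenticatedPrincipal(username, password);
            return true;
        } catch (AccessDeniedException e) {
            // Listed before RuntimeException so the more specific handler stays reachable
            // if AccessDeniedException is an unchecked exception.
            return false;
        } catch (RuntimeException e) {
            // Fail closed: any authenticator failure rejects the login.
            return false;
        }
    }

    /**
     * Extracts the authenticated username from the request's UI token cookie.
     *
     * @param httpServletRequest the incoming request
     * @return the JWT subject, or empty when the cookie is missing, has no value, or carries a
     *     token that fails validation
     * @throws RuntimeException wrapping any other runtime failure raised while parsing the token
     */
    @Override // io.prestosql.server.security.WebUIAuthenticator
    public Optional<String> getAuthenticatedUsername(HttpServletRequest httpServletRequest) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return Optional.empty();
        }
        Cookie tokenCookie = null;
        for (Cookie candidate : cookies) {
            if (PRESTO_UI_COOKIE.equals(candidate.getName())) {
                tokenCookie = candidate;
                break;
            }
        }
        if (tokenCookie == null) {
            return Optional.empty();
        }
        String token = tokenCookie.getValue();
        if (Strings.isNullOrEmpty(token)) {
            // A cookie without a value cannot hold a token; treat it as unauthenticated
            // instead of handing it to the parser and surfacing an error.
            return Optional.empty();
        }
        try {
            return Optional.of(this.jwtParser.apply(token));
        } catch (JwtException e) {
            // The parser rejected the token: not authenticated.
            return Optional.empty();
        } catch (RuntimeException e) {
            throw new RuntimeException("Authentication error", e);
        }
    }

    /**
     * Builds the session cookie: path {@code /}, HttpOnly, no max-age (browser-session
     * lifetime), and the Secure flag set only when the login request itself was secure.
     * The token's own expiration bounds how long the cookie is accepted.
     */
    private NewCookie createAuthenticationCookie(String username, boolean secure) {
        String token = this.jwtGenerator.apply(username);
        return new NewCookie(PRESTO_UI_COOKIE, token, "/", (String) null, 1, (String) null, -1, (Date) null, secure, true);
    }

    /**
     * Returns a cookie that makes the browser drop the UI token (max-age 0).
     *
     * @param z whether the Secure flag should be set
     * @return the expiring replacement cookie
     */
    public static NewCookie getDeleteCookie(boolean z) {
        return new NewCookie(PRESTO_UI_COOKIE, "delete", "/", (String) null, 1, (String) null, 0, (Date) null, z, true);
    }

    /**
     * Issues an HS256-signed JWT for the given user.
     *
     * @param bArr the HMAC signing key
     * @param str the username, stored as the token subject
     * @param j the token lifetime in nanoseconds from now
     * @return the compact serialized token
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static String generateJwt(byte[] bArr, String str, long j) {
        Date expiresAt = Date.from(ZonedDateTime.now().plusNanos(j).toInstant());
        return Jwts.builder()
                .signWith(SignatureAlgorithm.HS256, bArr)
                .setSubject(str)
                .setExpiration(expiresAt)
                .setAudience(PRESTO_UI_AUDIENCE)
                .compact();
    }

    /**
     * Verifies a token against the signing key and the {@code presto-ui} audience.
     *
     * @param bArr the HMAC signing key
     * @param str the compact serialized token
     * @return the token subject
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static String parseJwt(byte[] bArr, String str) {
        // parseClaimsJws accepts signed tokens only.
        Claims claims = (Claims) Jwts.parser()
                .setSigningKey(bArr)
                .requireAudience(PRESTO_UI_AUDIENCE)
                .parseClaimsJws(str)
                .getBody();
        return claims.getSubject();
    }
}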
