package io.trino.server.security.oauth2;

import com.google.common.collect.ImmutableMap;
import com.google.common.io.Resources;
import io.airlift.json.JsonCodec;
import io.jsonwebtoken.impl.DefaultClaims;
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import okhttp3.Request;
import okhttp3.Response;
import org.assertj.core.api.Assertions;

/* loaded from: input_file:io/trino/server/security/oauth2/TestOAuth2WebUiAuthenticationFilterWithOpaque.class */
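/**
 * Runs the shared OAuth2 web UI authentication filter tests against a Hydra identity provider,
 * checking issued access tokens by presenting them to the provider's {@code /userinfo} endpoint.
 *
 * <p>All credentials, hosts and certificates configured here are local test fixtures.
 */
public class TestOAuth2WebUiAuthenticationFilterWithOpaque extends BaseOAuth2WebUiAuthenticationFilterTest {
    /**
     * Builds the server configuration for the OAuth2 web UI test.
     *
     * @param str base URL of the identity provider; every endpoint URL except the issuer is derived from it
     * @return immutable map of configuration property names to values
     */
    @Override
    protected Map<String, String> getOAuth2Config(String str) {
        // The explicit <String, String> witness is required: a bare builder() chain infers
        // Builder<Object, Object>, which does not match the declared return type.
        return ImmutableMap.<String, String>builder()
                .put("web-ui.enabled", "true")
                .put("web-ui.authentication.type", "oauth2")
                .put("http-server.https.enabled", "true")
                .put("http-server.https.keystore.path", Resources.getResource("cert/localhost.pem").getPath())
                // Empty keystore key: only acceptable because cert/localhost.pem is a test resource.
                .put("http-server.https.keystore.key", "")
                .put("http-server.authentication.oauth2.issuer", "https://localhost:4444/")
                .put("http-server.authentication.oauth2.auth-url", str + "/oauth2/auth")
                .put("http-server.authentication.oauth2.token-url", str + "/oauth2/token")
                .put("http-server.authentication.oauth2.end-session-url", str + "/oauth2/sessions/logout")
                .put("http-server.authentication.oauth2.jwks-url", str + "/.well-known/jwks.json")
                .put("http-server.authentication.oauth2.userinfo-url", str + "/userinfo")
                // Fixed client credentials for the test client; not a pattern for real deployments.
                .put("http-server.authentication.oauth2.client-id", "trino-client")
                .put("http-server.authentication.oauth2.client-secret", "trino-secret")
                .put("http-server.authentication.oauth2.principal-field", "iss")
                .put("http-server.authentication.oauth2.additional-audiences", "trusted-client")
                // "0s" presumably means expiry is enforced with no clock-skew tolerance - confirm.
                .put("http-server.authentication.oauth2.max-clock-skew", "0s")
                // NOTE(review): the first group is greedy, so on a full match it captures the whole
                // value and the optional "@..." group stays empty - confirm that is intended.
                .put("http-server.authentication.oauth2.user-mapping.pattern", "(.*)(@.*)?")
                // Discovery is off, so the endpoint URLs above are the ones in effect.
                .put("http-server.authentication.oauth2.oidc.discovery", "false")
                .put("oauth2-jwk.http-client.trust-store-path", Resources.getResource("cert/localhost.pem").getPath())
                .buildOrThrow();
    }

    /**
     * Creates and starts the Hydra identity provider used by this test.
     *
     * @return the started provider
     * @throws Exception if the provider fails to start
     */
    @Override
    protected TestingHydraIdentityProvider getHydraIdp() throws Exception {
        // NOTE(review): the two false flags presumably select opaque (non-JWT) access tokens and
        // non-fixed ports - confirm against the TestingHydraIdentityProvider constructor.
        TestingHydraIdentityProvider idp = new TestingHydraIdentityProvider(TTL_ACCESS_TOKEN_IN_SECONDS, false, false);
        idp.start();
        return idp;
    }

    /**
     * Validates an access token by sending it as a bearer token to the identity provider's
     * {@code /userinfo} endpoint and asserting on the claims that come back.
     *
     * @param str the access token to validate
     */
    @Override
    protected void validateAccessToken(String str) {
        Request request = new Request.Builder()
                .url("https://localhost:" + this.hydraIdP.getAuthPort() + "/userinfo")
                .addHeader("Authorization", "Bearer " + str)
                .build();
        // try-with-resources closes the response even when an assertion fails; the previous
        // form only closed it on the success path and leaked the connection otherwise.
        try (Response response = this.httpClient.newCall(request).execute()) {
            Assertions.assertThat(response.body()).isNotNull();
            Map<String, Object> userInfo = JsonCodec.mapJsonCodec(String.class, Object.class).fromJson(response.body().byteStream());
            DefaultClaims claims = new DefaultClaims(userInfo);
            Assertions.assertThat(claims.getSubject()).isEqualTo("foo@bar.com");
            // Exact set match: the audience must be this client and nothing else.
            Assertions.assertThat(claims.get("aud")).isEqualTo(Set.of("trino-client"));
        } catch (IOException e) {
            Assertions.fail("Exception while calling /userinfo", e);
        }
    }
}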
