package io.trino.server.security;

import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.base.MoreObjects;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.hash.Hashing;
import com.google.common.io.Resources;
import com.google.inject.Inject;
import com.google.inject.Key;
import com.google.inject.Module;
import com.google.inject.multibindings.OptionalBinder;
import io.airlift.http.client.HttpUriBuilder;
import io.airlift.http.server.HttpServerConfig;
import io.airlift.http.server.HttpServerInfo;
import io.airlift.http.server.testing.TestingHttpServer;
import io.airlift.jaxrs.JaxrsBinder;
import io.airlift.node.NodeInfo;
import io.airlift.security.pem.PemReader;
import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.security.Keys;
import io.trino.client.OkHttpUtil;
import io.trino.client.ProtocolHeaders;
import io.trino.metadata.TestMetadataManager;
import io.trino.plugin.base.security.AllowAllSystemAccessControl;
import io.trino.security.AccessControl;
import io.trino.server.HttpRequestSessionContextFactory;
import io.trino.server.ProtocolConfig;
import io.trino.server.TestNodeStateManager;
import io.trino.server.protocol.PreparedStatementEncoder;
import io.trino.server.protocol.spooling.QueryDataEncoder;
import io.trino.server.security.ResourceSecurity;
import io.trino.server.security.jwt.JwtUtil;
import io.trino.server.security.oauth2.ChallengeFailedException;
import io.trino.server.security.oauth2.OAuth2Client;
import io.trino.server.security.oauth2.TokenPairSerializer;
import io.trino.server.testing.TestingTrinoServer;
import io.trino.server.ui.TestWebUi;
import io.trino.spi.security.AccessDeniedException;
import io.trino.spi.security.BasicPrincipal;
import io.trino.spi.security.Identity;
import io.trino.spi.security.PasswordAuthenticator;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.Response;
import java.io.File;
import java.io.IOException;
import java.net.CookieManager;
import java.net.HttpCookie;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.time.Instant;
import java.time.ZonedDateTime;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Base64;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import okhttp3.Cookie;
import okhttp3.CookieJar;
import okhttp3.Credentials;
import okhttp3.Headers;
import okhttp3.HttpUrl;
import okhttp3.JavaNetCookieJar;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.ResponseBody;
import org.assertj.core.api.AbstractBooleanAssert;
import org.assertj.core.api.AbstractIntegerAssert;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.TestInstance;
import org.junit.jupiter.api.parallel.Execution;
import org.junit.jupiter.api.parallel.ExecutionMode;

@Execution(ExecutionMode.CONCURRENT)
@TestInstance(TestInstance.Lifecycle.PER_CLASS)
/* loaded from: input_file:io/trino/server/security/TestResourceSecurity.class */
public class TestResourceSecurity {
    private static final String TEST_USER = "test-user";
    private static final String TEST_USER_LOGIN = "test-user@allowed";
    private static final String TEST_PASSWORD = "test-password";
    private static final String TEST_PASSWORD2 = "test-password-2";
    private static final String MANAGEMENT_USER = "management-user";
    private static final String MANAGEMENT_USER_LOGIN = "management-user@allowed";
    private static final String MANAGEMENT_PASSWORD = "management-password";
    private static final String JWK_KEY_ID = "test-rsa";
    private static final String GROUPS_CLAIM = "groups";
    private static final String TRINO_AUDIENCE = "trino-client";
    private static final String ADDITIONAL_AUDIENCE = "https://external-service.com";
    private static final String UNTRUSTED_CLIENT_AUDIENCE = "https://untrusted.com";
    private static final PrivateKey JWK_PRIVATE_KEY;
    private static final PublicKey JWK_PUBLIC_KEY;
    private OkHttpClient client;
    private Path passwordConfigDummy;
    private static final String LOCALHOST_KEYSTORE = Resources.getResource("cert/localhost.pem").getPath();
    private static final String ALLOWED_USER_MAPPING_PATTERN = "(.*)@allowed";
    private static final ImmutableMap<String, String> SECURE_PROPERTIES = ImmutableMap.builder().put("http-server.https.enabled", "true").put("http-server.https.keystore.path", LOCALHOST_KEYSTORE).put("http-server.https.keystore.key", "").put("http-server.process-forwarded", "true").put("http-server.authentication.insecure.user-mapping.pattern", ALLOWED_USER_MAPPING_PATTERN).buildOrThrow();
    private static final String HMAC_KEY = Resources.getResource("hmac_key.txt").getPath();
    private static final ObjectMapper json = new ObjectMapper();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/trino/server/security/TestResourceSecurity$JwkServlet.class */
    public static class JwkServlet extends HttpServlet {
        private JwkServlet() {
        }

        protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
            httpServletResponse.getWriter().println(Resources.toString(Resources.getResource("jwk/jwk-public.json"), StandardCharsets.UTF_8));
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/trino/server/security/TestResourceSecurity$OAuthBearer.class */
    public static class OAuthBearer {
        private final String state;
        private final String tokenServer;
        private final HttpCookie nonceCookie;

        public OAuthBearer(String str, String str2, HttpCookie httpCookie) {
            this.state = (String) Objects.requireNonNull(str, "state is null");
            this.tokenServer = (String) Objects.requireNonNull(str2, "tokenServer is null");
            this.nonceCookie = (HttpCookie) Objects.requireNonNull(httpCookie, "nonce is null");
        }

        public String getState() {
            return this.state;
        }

        public String getTokenServer() {
            return this.tokenServer;
        }

        public HttpCookie getNonceCookie() {
            return this.nonceCookie;
        }
    }

    @jakarta.ws.rs.Path("/")
    /* loaded from: input_file:io/trino/server/security/TestResourceSecurity$TestResource.class */
    public static class TestResource {
        private final HttpRequestSessionContextFactory sessionContextFactory;

        @Inject
        public TestResource(AccessControl accessControl) {
            this.sessionContextFactory = new HttpRequestSessionContextFactory(new PreparedStatementEncoder(new ProtocolConfig()), TestMetadataManager.createTestMetadataManager(), str -> {
                return ImmutableSet.of();
            }, accessControl, new ProtocolConfig(), QueryDataEncoder.EncoderSelector.noEncoder());
        }

        @ResourceSecurity(ResourceSecurity.AccessType.AUTHENTICATED_USER)
        @GET
        @jakarta.ws.rs.Path("/protocol/identity")
        public Response protocolIdentity(@Context HttpServletRequest httpServletRequest, @Context HttpHeaders httpHeaders) {
            return echoIdentity(httpServletRequest, httpHeaders);
        }

        @ResourceSecurity(ResourceSecurity.AccessType.WEB_UI)
        @GET
        @jakarta.ws.rs.Path("/ui/api/identity")
        public Response webUiIdentity(@Context HttpServletRequest httpServletRequest, @Context HttpHeaders httpHeaders) {
            return echoIdentity(httpServletRequest, httpHeaders);
        }

        public Response echoIdentity(HttpServletRequest httpServletRequest, HttpHeaders httpHeaders) {
            Identity extractAuthorizedIdentity = this.sessionContextFactory.extractAuthorizedIdentity(httpServletRequest, httpHeaders);
            return Response.ok().header("user", extractAuthorizedIdentity.getUser()).header("principal", extractAuthorizedIdentity.getPrincipal().map((v0) -> {
                return v0.getName();
            }).orElse(null)).header(TestResourceSecurity.GROUPS_CLAIM, toHeader(extractAuthorizedIdentity.getGroups())).build();
        }

        public static String toHeader(Set<String> set) {
            return (String) set.stream().sorted().collect(Collectors.joining(","));
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/trino/server/security/TestResourceSecurity$TestSystemAccessControl.class */
    public static class TestSystemAccessControl extends AllowAllSystemAccessControl {
        public static final TestSystemAccessControl WITH_IMPERSONATION = new TestSystemAccessControl(false);
        public static final TestSystemAccessControl NO_IMPERSONATION = new TestSystemAccessControl(true);
        private final boolean allowImpersonation;

        private TestSystemAccessControl(boolean z) {
            this.allowImpersonation = z;
        }

        public void checkCanImpersonateUser(Identity identity, String str) {
            if (this.allowImpersonation) {
                return;
            }
            AccessDeniedException.denyImpersonateUser(identity.getUser(), str);
        }

        public void checkCanReadSystemInformation(Identity identity) {
            if (identity.getUser().equals(TestResourceSecurity.MANAGEMENT_USER)) {
                return;
            }
            AccessDeniedException.denyReadSystemInformationAccess();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/trino/server/security/TestResourceSecurity$TokenDTO.class */
    public static class TokenDTO {

        @JsonProperty
        String token;

        private TokenDTO() {
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/trino/server/security/TestResourceSecurity$TokenServer.class */
    public static class TokenServer implements AutoCloseable {
        private static final String REFRESH_TOKEN = "REFRESH_TOKEN";
        private final Optional<String> principalField;
        private final String accessToken;
        private final String issuer = TestWebUi.TOKEN_ISSUER;
        private final String clientId = "clientID";
        private final Date tokenExpiration = Date.from(ZonedDateTime.now().plusMinutes(5).toInstant());
        private final JwtParser jwtParser = JwtUtil.newJwtParserBuilder().verifyWith(TestResourceSecurity.JWK_PUBLIC_KEY).build();
        private final TestingHttpServer jwkServer = TestResourceSecurity.createTestingJwkServer();

        public TokenServer(Optional<String> optional) throws Exception {
            this.principalField = (Optional) Objects.requireNonNull(optional, "principalField is null");
            this.jwkServer.start();
            this.accessToken = issueAccessToken(Optional.empty());
        }

        @Override // java.lang.AutoCloseable
        public void close() throws Exception {
            this.jwkServer.stop();
        }

        public OAuth2Client getOAuth2Client() {
            return new OAuth2Client() { // from class: io.trino.server.security.TestResourceSecurity.TokenServer.1
                public void load() {
                }

                public OAuth2Client.Request createAuthorizationRequest(String str, URI uri) {
                    return new OAuth2Client.Request(URI.create("http://example.com/authorize?" + str), Optional.of(UUID.randomUUID().toString()));
                }

                public OAuth2Client.Response getOAuth2Response(String str, URI uri, Optional<String> optional) {
                    if ("TEST_CODE".equals(str)) {
                        return new OAuth2Client.Response(TokenServer.this.accessToken, Instant.now().plus(5L, (TemporalUnit) ChronoUnit.MINUTES), Optional.of(TokenServer.this.issueIdToken(optional.map(TestResourceSecurity::hashNonce))), Optional.of(TokenServer.REFRESH_TOKEN));
                    }
                    throw new IllegalArgumentException("Expected TEST_CODE");
                }

                public Optional<Map<String, Object>> getClaims(String str) {
                    return Optional.of((Map) TokenServer.this.jwtParser.parseSignedClaims(str).getPayload());
                }

                public OAuth2Client.Response refreshTokens(String str) throws ChallengeFailedException {
                    throw new UnsupportedOperationException("refresh tokens not supported");
                }

                public Optional<URI> getLogoutEndpoint(Optional<String> optional, URI uri) {
                    return Optional.empty();
                }
            };
        }

        public String getIssuer() {
            return TestWebUi.TOKEN_ISSUER;
        }

        public String getJwksUrl() {
            return this.jwkServer.getBaseUrl().toString();
        }

        public String getClientId() {
            return "clientID";
        }

        public String getClientSecret() {
            return "clientSecret";
        }

        public String getAccessToken() {
            return this.accessToken;
        }

        public String getRefreshToken() {
            return REFRESH_TOKEN;
        }

        public String issueAccessToken(Optional<Set<String>> optional) {
            JwtBuilder expiration = ((JwtBuilder) ((JwtBuilder) JwtUtil.newJwtBuilder().signWith(TestResourceSecurity.JWK_PRIVATE_KEY).header().keyId(TestResourceSecurity.JWK_KEY_ID).and()).issuer(TestWebUi.TOKEN_ISSUER).audience().add("clientID").and()).expiration(this.tokenExpiration);
            if (this.principalField.isPresent()) {
                expiration.claim(this.principalField.get(), TestResourceSecurity.TEST_USER);
            } else {
                expiration.subject(TestResourceSecurity.TEST_USER);
            }
            optional.ifPresent(set -> {
                expiration.claim(TestResourceSecurity.GROUPS_CLAIM, set);
            });
            return expiration.compact();
        }

        private String issueIdToken(Optional<String> optional) {
            JwtBuilder expiration = ((JwtBuilder) ((JwtBuilder) JwtUtil.newJwtBuilder().signWith(TestResourceSecurity.JWK_PRIVATE_KEY).header().keyId(TestResourceSecurity.JWK_KEY_ID).and()).issuer(TestWebUi.TOKEN_ISSUER).audience().add("clientID").and()).expiration(this.tokenExpiration);
            if (this.principalField.isPresent()) {
                expiration.claim(this.principalField.get(), TestResourceSecurity.TEST_USER);
            } else {
                expiration.subject(TestResourceSecurity.TEST_USER);
            }
            optional.ifPresent(str -> {
                expiration.claim("nonce", str);
            });
            return expiration.compact();
        }
    }

    @BeforeAll
    public void setup() throws IOException {
        OkHttpClient.Builder followRedirects = new OkHttpClient.Builder().followRedirects(false);
        OkHttpUtil.setupSsl(followRedirects, Optional.empty(), Optional.empty(), Optional.empty(), false, Optional.of(LOCALHOST_KEYSTORE), Optional.empty(), Optional.empty(), false);
        this.client = followRedirects.build();
        this.passwordConfigDummy = Files.createTempFile("passwordConfigDummy", "", new FileAttribute[0]);
        this.passwordConfigDummy.toFile().deleteOnExit();
    }

    @Test
    public void testInsecureAuthenticatorHttp() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.of("http-server.authentication.insecure.user-mapping.pattern", ALLOWED_USER_MAPPING_PATTERN)).setSystemAccessControl(TestSystemAccessControl.WITH_IMPERSONATION).build();
        try {
            assertInsecureAuthentication(((HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class))).getHttpUri());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testInsecureAuthenticatorHttps() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(SECURE_PROPERTIES).setSystemAccessControl(TestSystemAccessControl.WITH_IMPERSONATION).build();
        try {
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            assertInsecureAuthentication(httpServerInfo.getHttpUri());
            assertInsecureAuthentication(httpServerInfo.getHttpsUri());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testInsecureAuthenticatorHttpsOnly() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("http-server.authentication.allow-insecure-over-http", "false").buildOrThrow()).setSystemAccessControl(TestSystemAccessControl.WITH_IMPERSONATION).build();
        try {
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            assertAuthenticationDisabled(httpServerInfo.getHttpUri());
            assertInsecureAuthentication(httpServerInfo.getHttpsUri());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testPasswordAuthenticator() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("password-authenticator.config-files", this.passwordConfigDummy.toString()).put("http-server.authentication.type", "password").put("http-server.authentication.password.user-mapping.pattern", ALLOWED_USER_MAPPING_PATTERN).buildOrThrow()).setSystemAccessControl(TestSystemAccessControl.WITH_IMPERSONATION).build();
        try {
            ((PasswordAuthenticatorManager) build.getInstance(Key.get(PasswordAuthenticatorManager.class))).setAuthenticators(new PasswordAuthenticator[]{TestResourceSecurity::authenticate});
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            assertAuthenticationDisabled(httpServerInfo.getHttpUri());
            assertPasswordAuthentication(httpServerInfo.getHttpsUri());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testMultiplePasswordAuthenticators() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("password-authenticator.config-files", this.passwordConfigDummy.toString()).put("http-server.authentication.type", "password").put("http-server.authentication.password.user-mapping.pattern", ALLOWED_USER_MAPPING_PATTERN).buildOrThrow()).setSystemAccessControl(TestSystemAccessControl.WITH_IMPERSONATION).build();
        try {
            ((PasswordAuthenticatorManager) build.getInstance(Key.get(PasswordAuthenticatorManager.class))).setAuthenticators(new PasswordAuthenticator[]{TestResourceSecurity::authenticate, TestResourceSecurity::authenticate2});
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            assertAuthenticationDisabled(httpServerInfo.getHttpUri());
            assertPasswordAuthentication(httpServerInfo.getHttpsUri(), TEST_PASSWORD, TEST_PASSWORD2);
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testMultiplePasswordAuthenticatorsMessages() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("password-authenticator.config-files", this.passwordConfigDummy.toString()).put("http-server.authentication.type", "password").put("http-server.authentication.password.user-mapping.pattern", ALLOWED_USER_MAPPING_PATTERN).buildOrThrow()).setSystemAccessControl(TestSystemAccessControl.WITH_IMPERSONATION).build();
        try {
            ((PasswordAuthenticatorManager) build.getInstance(Key.get(PasswordAuthenticatorManager.class))).setAuthenticators(new PasswordAuthenticator[]{TestResourceSecurity::authenticate, TestResourceSecurity::authenticate2});
            okhttp3.Response execute = this.client.newCall(new Request.Builder().url(getAuthorizedUserLocation(((HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class))).getHttpsUri())).headers(Headers.of(new String[]{"Authorization", Credentials.basic(TEST_USER_LOGIN, "wrong_password")})).build()).execute();
            try {
                Assertions.assertThat(((ResponseBody) Objects.requireNonNull(execute.body())).string()).isEqualTo("Access Denied: Invalid credentials | Access Denied: Invalid credentials2");
                if (execute != null) {
                    execute.close();
                }
                if (build != null) {
                    build.close();
                }
            } finally {
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testPasswordAuthenticatorUserMapping() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("password-authenticator.config-files", this.passwordConfigDummy.toString()).put("http-server.authentication.type", "password").put("http-server.authentication.password.user-mapping.pattern", ALLOWED_USER_MAPPING_PATTERN).buildOrThrow()).setAdditionalModule(binder -> {
            JaxrsBinder.jaxrsBinder(binder).bind(TestResource.class);
        }).setSystemAccessControl(TestSystemAccessControl.WITH_IMPERSONATION).build();
        try {
            ((PasswordAuthenticatorManager) build.getInstance(Key.get(PasswordAuthenticatorManager.class))).setAuthenticators(new PasswordAuthenticator[]{TestResourceSecurity::authenticate});
            okhttp3.Response execute = this.client.newCall(new Request.Builder().url(getLocation(((HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class))).getHttpsUri(), "/protocol/identity")).addHeader("Authorization", Credentials.basic(TEST_USER_LOGIN, TEST_PASSWORD)).addHeader("X-Trino-User", TEST_USER_LOGIN).build()).execute();
            try {
                Assertions.assertThat(execute.code()).isEqualTo(TestNodeStateManager.GRACE_PERIOD_MILLIS);
                Assertions.assertThat(execute.header("user")).isEqualTo(TEST_USER);
                Assertions.assertThat(execute.header("principal")).isEqualTo(TEST_USER_LOGIN);
                if (execute != null) {
                    execute.close();
                }
                if (build != null) {
                    build.close();
                }
            } finally {
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testPasswordAuthenticatorWithInsecureHttp() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("password-authenticator.config-files", this.passwordConfigDummy.toString()).put("http-server.authentication.type", "password").put("http-server.authentication.allow-insecure-over-http", "true").put("http-server.authentication.password.user-mapping.pattern", ALLOWED_USER_MAPPING_PATTERN).buildOrThrow()).setSystemAccessControl(TestSystemAccessControl.WITH_IMPERSONATION).build();
        try {
            ((PasswordAuthenticatorManager) build.getInstance(Key.get(PasswordAuthenticatorManager.class))).setAuthenticators(new PasswordAuthenticator[]{TestResourceSecurity::authenticate});
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            assertInsecureAuthentication(httpServerInfo.getHttpUri());
            assertPasswordAuthentication(httpServerInfo.getHttpsUri());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testFixedManagerAuthenticatorHttpInsecureEnabledOnly() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("password-authenticator.config-files", this.passwordConfigDummy.toString()).put("http-server.authentication.type", "password").put("http-server.authentication.allow-insecure-over-http", "true").put("http-server.authentication.password.user-mapping.pattern", ALLOWED_USER_MAPPING_PATTERN).put("management.user", MANAGEMENT_USER).buildOrThrow()).setSystemAccessControl(TestSystemAccessControl.WITH_IMPERSONATION).build();
        try {
            ((PasswordAuthenticatorManager) build.getInstance(Key.get(PasswordAuthenticatorManager.class))).setAuthenticators(new PasswordAuthenticator[]{TestResourceSecurity::authenticate});
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            assertFixedManagementUser(httpServerInfo.getHttpUri(), true);
            assertPasswordAuthentication(httpServerInfo.getHttpsUri());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testFixedManagerAuthenticatorHttpInsecureDisabledOnly() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("password-authenticator.config-files", this.passwordConfigDummy.toString()).put("http-server.authentication.type", "password").put("http-server.authentication.allow-insecure-over-http", "false").put("http-server.authentication.password.user-mapping.pattern", ALLOWED_USER_MAPPING_PATTERN).put("management.user", MANAGEMENT_USER).buildOrThrow()).setSystemAccessControl(TestSystemAccessControl.WITH_IMPERSONATION).build();
        try {
            ((PasswordAuthenticatorManager) build.getInstance(Key.get(PasswordAuthenticatorManager.class))).setAuthenticators(new PasswordAuthenticator[]{TestResourceSecurity::authenticate});
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            assertResponseCode(this.client, getPublicLocation(httpServerInfo.getHttpUri()), TestNodeStateManager.GRACE_PERIOD_MILLIS);
            assertResponseCode(this.client, getAuthorizedUserLocation(httpServerInfo.getHttpUri()), 403, TEST_USER_LOGIN, null);
            assertResponseCode(this.client, getManagementLocation(httpServerInfo.getHttpUri()), TestNodeStateManager.GRACE_PERIOD_MILLIS);
            assertResponseCode(this.client, getManagementLocation(httpServerInfo.getHttpUri()), TestNodeStateManager.GRACE_PERIOD_MILLIS, "unknown", "something");
            assertPasswordAuthentication(httpServerInfo.getHttpsUri());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testFixedManagerAuthenticatorHttps() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("password-authenticator.config-files", this.passwordConfigDummy.toString()).put("http-server.authentication.type", "password").put("http-server.authentication.allow-insecure-over-http", "true").put("management.user", MANAGEMENT_USER).put("management.user.https-enabled", "true").buildOrThrow()).setSystemAccessControl(TestSystemAccessControl.WITH_IMPERSONATION).build();
        try {
            ((PasswordAuthenticatorManager) build.getInstance(Key.get(PasswordAuthenticatorManager.class))).setAuthenticators(new PasswordAuthenticator[]{TestResourceSecurity::authenticate});
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            assertFixedManagementUser(httpServerInfo.getHttpUri(), true);
            assertFixedManagementUser(httpServerInfo.getHttpsUri(), false);
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testCertAuthenticator() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("http-server.authentication.type", "certificate").put("http-server.https.truststore.path", LOCALHOST_KEYSTORE).put("http-server.https.truststore.key", "").buildOrThrow()).setSystemAccessControl(TestSystemAccessControl.NO_IMPERSONATION).build();
        try {
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            assertAuthenticationDisabled(httpServerInfo.getHttpUri());
            OkHttpClient.Builder newBuilder = this.client.newBuilder();
            OkHttpUtil.setupSsl(newBuilder, Optional.of(LOCALHOST_KEYSTORE), Optional.empty(), Optional.empty(), false, Optional.of(LOCALHOST_KEYSTORE), Optional.empty(), Optional.empty(), false);
            assertAuthenticationAutomatic(httpServerInfo.getHttpsUri(), newBuilder.build());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testJwtAuthenticator() throws Exception {
        verifyJwtAuthenticator(Optional.empty(), Optional.empty());
        verifyJwtAuthenticator(Optional.of("custom-principal"), Optional.empty());
        verifyJwtAuthenticator(Optional.empty(), Optional.of(TRINO_AUDIENCE));
        verifyJwtAuthenticator(Optional.empty(), Optional.of(ImmutableList.of(TRINO_AUDIENCE, ADDITIONAL_AUDIENCE)));
    }

    private void verifyJwtAuthenticator(Optional<String> optional, Optional<Object> optional2) throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("http-server.authentication.type", "jwt").put("http-server.authentication.jwt.key-file", HMAC_KEY).put("http-server.authentication.jwt.principal-field", optional.orElse("sub")).put("http-server.authentication.jwt.required-audience", TRINO_AUDIENCE).buildOrThrow()).setSystemAccessControl(TestSystemAccessControl.NO_IMPERSONATION).build();
        try {
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            assertAuthenticationDisabled(httpServerInfo.getHttpUri());
            JwtBuilder expiration = JwtUtil.newJwtBuilder().signWith(Keys.hmacShaKeyFor(Base64.getDecoder().decode(Files.readString(Paths.get(HMAC_KEY, new String[0])).trim()))).expiration(Date.from(ZonedDateTime.now().plusMinutes(5L).toInstant()));
            if (optional.isPresent()) {
                expiration.claim(optional.get(), TEST_USER);
            } else {
                expiration.subject(TEST_USER);
            }
            if (optional2.isPresent()) {
                expiration.claim("aud", optional2.get());
            } else {
                expiration.claim("aud", TRINO_AUDIENCE);
            }
            String compact = expiration.compact();
            assertAuthenticationAutomatic(httpServerInfo.getHttpsUri(), this.client.newBuilder().authenticator((route, response) -> {
                return response.request().newBuilder().header("Authorization", "Bearer " + compact).build();
            }).build());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testJwtWithJwkAuthenticator() throws Exception {
        TestingHttpServer createTestingJwkServer = createTestingJwkServer();
        createTestingJwkServer.start();
        try {
            TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("http-server.authentication.type", "jwt").put("http-server.authentication.jwt.key-file", createTestingJwkServer.getBaseUrl().toString()).buildOrThrow()).setSystemAccessControl(TestSystemAccessControl.NO_IMPERSONATION).build();
            try {
                HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
                assertAuthenticationDisabled(httpServerInfo.getHttpUri());
                String compact = ((JwtBuilder) JwtUtil.newJwtBuilder().signWith(JWK_PRIVATE_KEY).header().keyId(JWK_KEY_ID).and()).subject(TEST_USER).expiration(Date.from(ZonedDateTime.now().plusMinutes(5L).toInstant())).compact();
                assertAuthenticationAutomatic(httpServerInfo.getHttpsUri(), this.client.newBuilder().authenticator((route, response) -> {
                    return response.request().newBuilder().header("Authorization", "Bearer " + compact).build();
                }).build());
                if (build != null) {
                    build.close();
                }
            } finally {
            }
        } finally {
            createTestingJwkServer.stop();
        }
    }

    @Test
    public void testJwtAuthenticatorWithInvalidAudience() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("http-server.authentication.type", "jwt").put("http-server.authentication.jwt.key-file", HMAC_KEY).put("http-server.authentication.jwt.required-audience", TRINO_AUDIENCE).buildOrThrow()).setSystemAccessControl(TestSystemAccessControl.NO_IMPERSONATION).build();
        try {
            assertResponseCode(this.client.newBuilder().build(), getAuthorizedUserLocation(((HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class))).getHttpsUri()), 401, Headers.of(new String[]{"Authorization", "Bearer " + JwtUtil.newJwtBuilder().signWith(Keys.hmacShaKeyFor(Base64.getDecoder().decode(Files.readString(Paths.get(HMAC_KEY, new String[0])).trim()))).expiration(Date.from(ZonedDateTime.now().plusMinutes(5L).toInstant())).claim("aud", ImmutableList.of(ADDITIONAL_AUDIENCE, UNTRUSTED_CLIENT_AUDIENCE)).compact()}));
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testJwtAuthenticatorWithNoRequiredAudience() throws Exception {
        verifyJwtAuthenticatorWithoutRequiredAudience(Optional.empty());
        verifyJwtAuthenticatorWithoutRequiredAudience(Optional.of(ImmutableList.of(TRINO_AUDIENCE, ADDITIONAL_AUDIENCE)));
    }

    private void verifyJwtAuthenticatorWithoutRequiredAudience(Optional<Object> optional) throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("http-server.authentication.type", "jwt").put("http-server.authentication.jwt.key-file", HMAC_KEY).buildOrThrow()).setSystemAccessControl(TestSystemAccessControl.NO_IMPERSONATION).build();
        try {
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            assertAuthenticationDisabled(httpServerInfo.getHttpUri());
            JwtBuilder subject = JwtUtil.newJwtBuilder().signWith(Keys.hmacShaKeyFor(Base64.getDecoder().decode(Files.readString(Paths.get(HMAC_KEY, new String[0])).trim()))).expiration(Date.from(ZonedDateTime.now().plusMinutes(5L).toInstant())).subject(TEST_USER);
            if (optional.isPresent()) {
                subject.claim("aud", optional.get());
            }
            String compact = subject.compact();
            assertAuthenticationAutomatic(httpServerInfo.getHttpsUri(), this.client.newBuilder().authenticator((route, response) -> {
                return response.request().newBuilder().header("Authorization", "Bearer " + compact).build();
            }).build());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testOAuth2Authenticator() throws Exception {
        verifyOAuth2Authenticator(true, false, Optional.empty());
        verifyOAuth2Authenticator(false, false, Optional.empty());
        verifyOAuth2Authenticator(true, false, Optional.of("custom-principal"));
        verifyOAuth2Authenticator(false, false, Optional.of("custom-principal"));
        verifyOAuth2Authenticator(false, true, Optional.empty());
    }

    private void verifyOAuth2Authenticator(boolean z, boolean z2, Optional<String> optional) throws Exception {
        CookieManager cookieManager = new CookieManager();
        OkHttpClient build = this.client.newBuilder().cookieJar(new JavaNetCookieJar(cookieManager)).build();
        TokenServer tokenServer = new TokenServer(optional);
        try {
            TestingTrinoServer build2 = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("web-ui.enabled", String.valueOf(z)).put("http-server.authentication.type", "oauth2").putAll(getOAuth2Properties(tokenServer)).put("http-server.authentication.oauth2.principal-field", optional.orElse("sub")).put("http-server.authentication.oauth2.refresh-tokens", String.valueOf(z2)).buildOrThrow()).setAdditionalModule(oauth2Module(tokenServer)).setSystemAccessControl(TestSystemAccessControl.NO_IMPERSONATION).build();
            try {
                HttpServerInfo httpServerInfo = (HttpServerInfo) build2.getInstance(Key.get(HttpServerInfo.class));
                assertAuthenticationDisabled(httpServerInfo.getHttpUri());
                URI httpsUri = httpServerInfo.getHttpsUri();
                assertOk(build, getPublicLocation(httpsUri));
                assertAuthenticateOAuth2Bearer(build, getManagementLocation(httpsUri), "http://example.com/authorize");
                OAuthBearer assertAuthenticateOAuth2Bearer = assertAuthenticateOAuth2Bearer(build, getAuthorizedUserLocation(httpsUri), "http://example.com/authorize");
                assertResponseCode(build, getInternalLocation(httpsUri), 403);
                assertOk(build, HttpUriBuilder.uriBuilderFrom(httpsUri).replacePath("/oauth2/callback/").addParameter("code", new String[]{"TEST_CODE"}).addParameter("state", new String[]{assertAuthenticateOAuth2Bearer.getState()}).toString());
                if (z2) {
                    TokenPairSerializer.TokenPair deserialize = ((TokenPairSerializer) build2.getInstance(Key.get(TokenPairSerializer.class))).deserialize(getOauthToken(build, assertAuthenticateOAuth2Bearer.getTokenServer()));
                    Assertions.assertThat(deserialize.accessToken()).isEqualTo(tokenServer.getAccessToken());
                    Assertions.assertThat(deserialize.refreshToken()).isEqualTo(Optional.of(tokenServer.getRefreshToken()));
                } else {
                    Assertions.assertThat(getOauthToken(build, assertAuthenticateOAuth2Bearer.getTokenServer())).isEqualTo(tokenServer.getAccessToken());
                }
                if (z) {
                    HttpCookie cookie = getCookie(cookieManager, "__Secure-Trino-OAuth2-Token");
                    Assertions.assertThat(cookie.getValue()).isEqualTo(tokenServer.getAccessToken());
                    Assertions.assertThat(cookie.getPath()).isEqualTo("/ui/");
                    Assertions.assertThat(cookie.getDomain()).isEqualTo(httpsUri.getHost());
                    Assertions.assertThat(cookie.getMaxAge() > 0 && cookie.getMaxAge() < TimeUnit.MINUTES.toSeconds(5L)).isTrue();
                    Assertions.assertThat(cookie.isHttpOnly()).isTrue();
                    HttpCookie cookie2 = getCookie(cookieManager, "__Secure-Trino-ID-Token");
                    Assertions.assertThat(cookie2.getValue()).isEqualTo(tokenServer.issueIdToken(Optional.of(hashNonce(assertAuthenticateOAuth2Bearer.getNonceCookie().getValue()))));
                    Assertions.assertThat(cookie2.getPath()).isEqualTo("/ui/");
                    Assertions.assertThat(cookie2.getDomain()).isEqualTo(httpsUri.getHost());
                    Assertions.assertThat(cookie2.getMaxAge() > 0 && cookie.getMaxAge() < TimeUnit.MINUTES.toSeconds(5L)).isTrue();
                    Assertions.assertThat(cookie2.isHttpOnly()).isTrue();
                    cookieManager.getCookieStore().removeAll();
                } else {
                    List<HttpCookie> cookies = cookieManager.getCookieStore().getCookies();
                    ((AbstractBooleanAssert) Assertions.assertThat(cookies.isEmpty()).describedAs("Expected no cookies when webUi is not enabled, but got: " + String.valueOf(cookies), new Object[0])).isTrue();
                }
                assertAuthenticationAutomatic(httpServerInfo.getHttpsUri(), build.newBuilder().authenticator((route, response) -> {
                    return response.request().newBuilder().header("Authorization", "Bearer " + getOauthToken(build, assertAuthenticateOAuth2Bearer.getTokenServer())).build();
                }).build());
                assertErrorCodeIsEncoded(build, httpsUri, assertAuthenticateOAuth2Bearer(build, getManagementLocation(httpsUri), "http://example.com/authorize"));
                if (build2 != null) {
                    build2.close();
                }
                tokenServer.close();
            } finally {
            }
        } catch (Throwable th) {
            try {
                tokenServer.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    private static void assertErrorCodeIsEncoded(OkHttpClient okHttpClient, URI uri, OAuthBearer oAuthBearer) throws IOException {
        okhttp3.Response execute = okHttpClient.newCall(new Request.Builder().url(HttpUriBuilder.uriBuilderFrom(uri).replacePath("/oauth2/callback/").addParameter("error", new String[]{"<script>alert(\"I love xss\")</script>"}).addParameter("state", new String[]{oAuthBearer.getState()}).toString()).build()).execute();
        try {
            Assertions.assertThat(((ResponseBody) Objects.requireNonNull(execute.body())).string()).doesNotContain(new CharSequence[]{"<script>alert(\"I love xss\")</script>"}).contains(new CharSequence[]{"%3Cscript%3Ealert%28%22I+love+xss%22%29%3C%2Fscript%3E"});
            if (execute != null) {
                execute.close();
            }
        } catch (Throwable th) {
            if (execute != null) {
                try {
                    execute.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private static OAuthBearer assertAuthenticateOAuth2Bearer(OkHttpClient okHttpClient, String str, String str2) throws IOException {
        okhttp3.Response execute = okHttpClient.newCall(new Request.Builder().url(str).build()).execute();
        try {
            ((AbstractIntegerAssert) Assertions.assertThat(execute.code()).describedAs(str, new Object[0])).isEqualTo(401);
            String header = execute.header("WWW-Authenticate");
            Assertions.assertThat(header).isNotNull();
            Pattern compile = Pattern.compile("Bearer x_redirect_server=\"(https://127.0.0.1:[0-9]+/oauth2/token/initiate/.+)\", x_token_server=\"(https://127.0.0.1:[0-9]+/oauth2/token/.+)\"");
            Matcher matcher = compile.matcher(header);
            ((AbstractBooleanAssert) Assertions.assertThat(matcher.matches()).describedAs(String.format("Invalid authentication header.\nExpected: %s\nPattern: %s", header, compile), new Object[0])).isTrue();
            String group = matcher.group(1);
            String group2 = matcher.group(2);
            if (execute != null) {
                execute.close();
            }
            Request build = new Request.Builder().url(group).build();
            execute = okHttpClient.newCall(build).execute();
            try {
                Assertions.assertThat(execute.code()).isEqualTo(303);
                String header2 = execute.header("Location");
                Assertions.assertThat(header2).isNotNull();
                Pattern compile2 = Pattern.compile(String.format("%s\\?(.+)", str2));
                Matcher matcher2 = compile2.matcher(header2);
                ((AbstractBooleanAssert) Assertions.assertThat(matcher2.matches()).describedAs(String.format("Invalid location header.\nExpected: %s\nPattern: %s", str2, compile2), new Object[0])).isTrue();
                HttpCookie httpCookie = HttpCookie.parse((String) Objects.requireNonNull(execute.header("Set-Cookie"))).get(0);
                httpCookie.setDomain(build.url().host());
                OAuthBearer oAuthBearer = new OAuthBearer(matcher2.group(1), group2, httpCookie);
                if (execute != null) {
                    execute.close();
                }
                return oAuthBearer;
            } finally {
            }
        } finally {
        }
    }

    @Test
    public void testOAuth2Groups() throws Exception {
        testOAuth2Groups(Optional.empty());
        testOAuth2Groups(Optional.of(ImmutableSet.of()));
        testOAuth2Groups(Optional.of(ImmutableSet.of("admin", "public")));
    }

    private void testOAuth2Groups(Optional<Set<String>> optional) throws Exception {
        TokenServer tokenServer = new TokenServer(Optional.empty());
        try {
            TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("web-ui.enabled", "true").put("http-server.authentication.type", "oauth2").putAll(getOAuth2Properties(tokenServer)).put("deprecated.http-server.authentication.oauth2.groups-field", GROUPS_CLAIM).buildOrThrow()).setAdditionalModule(oauth2Module(tokenServer)).setSystemAccessControl(TestSystemAccessControl.NO_IMPERSONATION).build();
            try {
                final HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
                final String issueAccessToken = tokenServer.issueAccessToken(optional);
                OkHttpClient build2 = this.client.newBuilder().authenticator((route, response) -> {
                    return response.request().newBuilder().header("Authorization", "Bearer " + issueAccessToken).build();
                }).build();
                assertAuthenticationAutomatic(httpServerInfo.getHttpsUri(), build2);
                okhttp3.Response execute = build2.newCall(new Request.Builder().url(getLocation(httpServerInfo.getHttpsUri(), "/protocol/identity")).build()).execute();
                try {
                    Assertions.assertThat(execute.code()).isEqualTo(TestNodeStateManager.GRACE_PERIOD_MILLIS);
                    Assertions.assertThat(execute.header("user")).isEqualTo(TEST_USER);
                    Assertions.assertThat(execute.header("principal")).isEqualTo(TEST_USER);
                    Assertions.assertThat(execute.header(GROUPS_CLAIM)).isEqualTo((String) optional.map(TestResource::toHeader).orElse(""));
                    if (execute != null) {
                        execute.close();
                    }
                    execute = this.client.newBuilder().cookieJar(new CookieJar(this) { // from class: io.trino.server.security.TestResourceSecurity.1
                        public void saveFromResponse(HttpUrl httpUrl, List<Cookie> list) {
                        }

                        public List<Cookie> loadForRequest(HttpUrl httpUrl) {
                            return ImmutableList.of(new Cookie.Builder().domain(httpServerInfo.getHttpsUri().getHost()).path("/ui/").name("__Secure-Trino-OAuth2-Token").value(issueAccessToken).httpOnly().secure().build());
                        }
                    }).build().newCall(new Request.Builder().url(getLocation(httpServerInfo.getHttpsUri(), "/ui/api/identity")).build()).execute();
                    try {
                        Assertions.assertThat(execute.code()).isEqualTo(TestNodeStateManager.GRACE_PERIOD_MILLIS);
                        Assertions.assertThat(execute.header("user")).isEqualTo(TEST_USER);
                        Assertions.assertThat(execute.header("principal")).isEqualTo(TEST_USER);
                        Assertions.assertThat(execute.header(GROUPS_CLAIM)).isEqualTo((String) optional.map(TestResource::toHeader).orElse(""));
                        if (execute != null) {
                            execute.close();
                        }
                        if (build != null) {
                            build.close();
                        }
                        tokenServer.close();
                    } finally {
                    }
                } finally {
                }
            } finally {
            }
        } catch (Throwable th) {
            try {
                tokenServer.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    @Test
    public void testJwtAndOAuth2AuthenticatorsSeparation() throws Exception {
        testJwtAndOAuth2AuthenticatorsSeparation("jwt,oauth2");
        testJwtAndOAuth2AuthenticatorsSeparation("oauth2,jwt");
    }

    private void testJwtAndOAuth2AuthenticatorsSeparation(String str) throws Exception {
        TestingHttpServer createTestingJwkServer = createTestingJwkServer();
        createTestingJwkServer.start();
        TokenServer tokenServer = new TokenServer(Optional.of("preferred_username"));
        try {
            TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("http-server.authentication.type", str).put("http-server.authentication.jwt.key-file", createTestingJwkServer.getBaseUrl().toString()).put("http-server.authentication.jwt.principal-field", "sub").putAll(getOAuth2Properties(tokenServer)).put("http-server.authentication.oauth2.principal-field", "preferred_username").put("web-ui.enabled", "true").buildOrThrow()).setAdditionalModule(oauth2Module(tokenServer)).setSystemAccessControl(TestSystemAccessControl.NO_IMPERSONATION).build();
            try {
                HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
                assertAuthenticationDisabled(httpServerInfo.getHttpUri());
                assertAuthenticationAutomatic(httpServerInfo.getHttpsUri(), this.client.newBuilder().authenticator((route, response) -> {
                    return response.request().newBuilder().header("Authorization", "Bearer " + tokenServer.getAccessToken()).build();
                }).build());
                String compact = ((JwtBuilder) JwtUtil.newJwtBuilder().signWith(JWK_PRIVATE_KEY).header().keyId(JWK_KEY_ID).and()).subject(TEST_USER).expiration(Date.from(ZonedDateTime.now().plusMinutes(5L).toInstant())).compact();
                assertAuthenticationAutomatic(httpServerInfo.getHttpsUri(), this.client.newBuilder().authenticator((route2, response2) -> {
                    return response2.request().newBuilder().header("Authorization", "Bearer " + compact).build();
                }).build());
                if (build != null) {
                    build.close();
                }
                tokenServer.close();
            } finally {
            }
        } catch (Throwable th) {
            try {
                tokenServer.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    @Test
    public void testJwtWithRefreshTokensForOAuth2Enabled() throws Exception {
        TestingHttpServer createTestingJwkServer = createTestingJwkServer();
        createTestingJwkServer.start();
        TokenServer tokenServer = new TokenServer(Optional.empty());
        try {
            TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("http-server.authentication.type", "oauth2,jwt").put("http-server.authentication.jwt.key-file", createTestingJwkServer.getBaseUrl().toString()).putAll(ImmutableMap.builder().putAll(getOAuth2Properties(tokenServer)).put("http-server.authentication.oauth2.refresh-tokens", "true").buildOrThrow()).put("web-ui.enabled", "true").buildOrThrow()).setAdditionalModule(oauth2Module(tokenServer)).setSystemAccessControl(TestSystemAccessControl.NO_IMPERSONATION).build();
            try {
                HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
                assertAuthenticationDisabled(httpServerInfo.getHttpUri());
                String compact = ((JwtBuilder) JwtUtil.newJwtBuilder().signWith(JWK_PRIVATE_KEY).header().keyId(JWK_KEY_ID).and()).subject(TEST_USER).expiration(Date.from(ZonedDateTime.now().plusMinutes(5L).toInstant())).compact();
                assertAuthenticationAutomatic(httpServerInfo.getHttpsUri(), this.client.newBuilder().authenticator((route, response) -> {
                    return response.request().newBuilder().header("Authorization", "Bearer " + compact).build();
                }).build());
                if (build != null) {
                    build.close();
                }
                tokenServer.close();
            } finally {
            }
        } catch (Throwable th) {
            try {
                tokenServer.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    @Test
    public void testResourceSecurityImpersonation() throws Exception {
        TestingTrinoServer build = TestingTrinoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("password-authenticator.config-files", this.passwordConfigDummy.toString()).put("http-server.authentication.type", "password").put("http-server.authentication.password.user-mapping.pattern", ALLOWED_USER_MAPPING_PATTERN).buildOrThrow()).setAdditionalModule(binder -> {
            JaxrsBinder.jaxrsBinder(binder).bind(TestResource.class);
        }).setSystemAccessControl(TestSystemAccessControl.NO_IMPERSONATION).build();
        try {
            ((PasswordAuthenticatorManager) build.getInstance(Key.get(PasswordAuthenticatorManager.class))).setAuthenticators(new PasswordAuthenticator[]{TestResourceSecurity::authenticate});
            okhttp3.Response execute = this.client.newCall(new Request.Builder().url(getLocation(((HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class))).getHttpsUri(), "/protocol/identity")).addHeader("Authorization", Credentials.basic(TEST_USER_LOGIN, TEST_PASSWORD)).addHeader("X-Trino-Original-User", TEST_USER_LOGIN).addHeader("X-Trino-User", "impersonated-user").build()).execute();
            try {
                Assertions.assertThat(execute.code()).isEqualTo(TestNodeStateManager.GRACE_PERIOD_MILLIS);
                Assertions.assertThat(execute.header("user")).isEqualTo("impersonated-user");
                Assertions.assertThat(execute.header("principal")).isEqualTo(TEST_USER_LOGIN);
                if (execute != null) {
                    execute.close();
                }
                if (build != null) {
                    build.close();
                }
            } finally {
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private static Module oauth2Module(TokenServer tokenServer) {
        return binder -> {
            JaxrsBinder.jaxrsBinder(binder).bind(TestResource.class);
            OptionalBinder.newOptionalBinder(binder, OAuth2Client.class).setBinding().toInstance(tokenServer.getOAuth2Client());
        };
    }

    private static Map<String, String> getOAuth2Properties(TokenServer tokenServer) {
        return ImmutableMap.builder().put("http-server.authentication.oauth2.issuer", tokenServer.getIssuer()).put("http-server.authentication.oauth2.jwks-url", tokenServer.getJwksUrl()).put("http-server.authentication.oauth2.state-key", "test-state-key").put("http-server.authentication.oauth2.auth-url", tokenServer.getIssuer()).put("http-server.authentication.oauth2.token-url", tokenServer.getIssuer()).put("http-server.authentication.oauth2.client-id", tokenServer.getClientId()).put("http-server.authentication.oauth2.client-secret", tokenServer.getClientSecret()).put("http-server.authentication.oauth2.oidc.discovery", "false").buildOrThrow();
    }

    private static String getOauthToken(OkHttpClient okHttpClient, String str) throws IOException {
        okhttp3.Response execute = okHttpClient.newCall(new Request.Builder().url(str).build()).execute();
        try {
            String str2 = ((TokenDTO) json.readValue(((ResponseBody) Objects.requireNonNull(execute.body())).string(), TokenDTO.class)).token;
            if (execute != null) {
                execute.close();
            }
            return str2;
        } catch (Throwable th) {
            if (execute != null) {
                try {
                    execute.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private void assertInsecureAuthentication(URI uri) throws IOException {
        assertResponseCode(this.client, getManagementLocation(uri), TestNodeStateManager.GRACE_PERIOD_MILLIS, MANAGEMENT_USER_LOGIN, null);
        assertOk(this.client, getPublicLocation(uri));
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 401);
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), TestNodeStateManager.GRACE_PERIOD_MILLIS, TEST_USER_LOGIN, null);
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 401, TEST_USER_LOGIN, "something");
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 401, "unknown", null);
        assertResponseCode(this.client, getManagementLocation(uri), 401);
        assertResponseCode(this.client, getManagementLocation(uri), 403, TEST_USER_LOGIN, null);
        assertResponseCode(this.client, getManagementLocation(uri), 401, TEST_USER_LOGIN, "something");
        assertResponseCode(this.client, getManagementLocation(uri), 401, "unknown", null);
        assertResponseCode(this.client, getManagementLocation(uri), TestNodeStateManager.GRACE_PERIOD_MILLIS, MANAGEMENT_USER_LOGIN, null);
        assertResponseCode(this.client, getManagementLocation(uri), 401, MANAGEMENT_USER_LOGIN, "something");
        assertResponseCode(this.client, getManagementLocation(uri), 401, MANAGEMENT_USER_LOGIN, MANAGEMENT_PASSWORD);
        assertResponseCode(this.client, getInternalLocation(uri), 403);
        assertResponseCode(this.client, getInternalLocation(uri), 403, TEST_USER_LOGIN, null);
        assertResponseCode(this.client, getInternalLocation(uri), 403, MANAGEMENT_USER_LOGIN, null);
    }

    private void assertPasswordAuthentication(URI uri) throws IOException {
        assertPasswordAuthentication(uri, TEST_PASSWORD);
    }

    private void assertPasswordAuthentication(URI uri, String... strArr) throws IOException {
        assertOk(this.client, getPublicLocation(uri));
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 401);
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 401, TEST_USER_LOGIN, null);
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 401, TEST_USER_LOGIN, "invalid");
        for (String str : strArr) {
            assertResponseCode(this.client, getAuthorizedUserLocation(uri), TestNodeStateManager.GRACE_PERIOD_MILLIS, TEST_USER_LOGIN, str);
        }
        assertResponseCode(this.client, getManagementLocation(uri), 401);
        assertResponseCode(this.client, getManagementLocation(uri), 401, TEST_USER_LOGIN, null);
        assertResponseCode(this.client, getManagementLocation(uri), 401, TEST_USER_LOGIN, "invalid");
        for (String str2 : strArr) {
            assertResponseCode(this.client, getManagementLocation(uri), 403, TEST_USER_LOGIN, str2);
        }
        assertResponseCode(this.client, getManagementLocation(uri), 401, MANAGEMENT_USER_LOGIN, null);
        assertResponseCode(this.client, getManagementLocation(uri), 401, MANAGEMENT_USER_LOGIN, "invalid");
        assertResponseCode(this.client, getManagementLocation(uri), TestNodeStateManager.GRACE_PERIOD_MILLIS, MANAGEMENT_USER_LOGIN, MANAGEMENT_PASSWORD);
        assertResponseCode(this.client, getInternalLocation(uri), 403);
        for (String str3 : strArr) {
            assertResponseCode(this.client, getInternalLocation(uri), 403, TEST_USER_LOGIN, str3);
        }
    }

    private static void assertAuthenticationAutomatic(URI uri, OkHttpClient okHttpClient) throws IOException {
        assertResponseCode(okHttpClient, getPublicLocation(uri), TestNodeStateManager.GRACE_PERIOD_MILLIS);
        assertResponseCode(okHttpClient, getAuthorizedUserLocation(uri), TestNodeStateManager.GRACE_PERIOD_MILLIS);
        assertResponseCode(okHttpClient, getManagementLocation(uri), 403);
        assertResponseCode(okHttpClient, getManagementLocation(uri), TestNodeStateManager.GRACE_PERIOD_MILLIS, Headers.of(new String[]{ProtocolHeaders.TRINO_HEADERS.requestUser(), MANAGEMENT_USER}));
        assertResponseCode(okHttpClient, getInternalLocation(uri), 403);
    }

    private void assertAuthenticationDisabled(URI uri) throws IOException {
        assertOk(this.client, getPublicLocation(uri));
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 403);
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 403, "unknown", null);
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 403, "unknown", "something");
        assertResponseCode(this.client, getAuthorizedUserLocation(uri), 403, TEST_USER_LOGIN, TEST_PASSWORD);
        assertResponseCode(this.client, getManagementLocation(uri), 403);
        assertResponseCode(this.client, getManagementLocation(uri), 403, "unknown", null);
        assertResponseCode(this.client, getManagementLocation(uri), 403, "unknown", "something");
        assertResponseCode(this.client, getManagementLocation(uri), 403, TEST_USER_LOGIN, TEST_PASSWORD);
        assertResponseCode(this.client, getInternalLocation(uri), 403);
        assertResponseCode(this.client, getInternalLocation(uri), 403, "unknown", null);
        assertResponseCode(this.client, getInternalLocation(uri), 403, "unknown", "something");
        assertResponseCode(this.client, getInternalLocation(uri), 403, TEST_USER_LOGIN, TEST_PASSWORD);
    }

    private void assertFixedManagementUser(URI uri, boolean z) throws IOException {
        assertResponseCode(this.client, getPublicLocation(uri), TestNodeStateManager.GRACE_PERIOD_MILLIS);
        if (z) {
            assertResponseCode(this.client, getAuthorizedUserLocation(uri), TestNodeStateManager.GRACE_PERIOD_MILLIS, TEST_USER_LOGIN, null);
            assertResponseCode(this.client, getAuthorizedUserLocation(uri), 401, "unknown", null);
        } else {
            assertResponseCode(this.client, getAuthorizedUserLocation(uri), TestNodeStateManager.GRACE_PERIOD_MILLIS, TEST_USER_LOGIN, TEST_PASSWORD);
        }
        assertResponseCode(this.client, getManagementLocation(uri), TestNodeStateManager.GRACE_PERIOD_MILLIS);
        assertResponseCode(this.client, getManagementLocation(uri), TestNodeStateManager.GRACE_PERIOD_MILLIS, "unknown", "something");
    }

    private static void assertOk(OkHttpClient okHttpClient, String str) throws IOException {
        assertResponseCode(okHttpClient, str, TestNodeStateManager.GRACE_PERIOD_MILLIS, null, null);
    }

    private static void assertResponseCode(OkHttpClient okHttpClient, String str, int i) throws IOException {
        assertResponseCode(okHttpClient, str, i, null, null);
    }

    private static void assertResponseCode(OkHttpClient okHttpClient, String str, int i, String str2, String str3) throws IOException {
        assertResponseCode(okHttpClient, str, i, Headers.of(new String[]{"Authorization", Credentials.basic((String) MoreObjects.firstNonNull(str2, ""), (String) MoreObjects.firstNonNull(str3, ""))}));
    }

    private static void assertResponseCode(OkHttpClient okHttpClient, String str, int i, Headers headers) throws IOException {
        okhttp3.Response execute = okHttpClient.newCall(new Request.Builder().url(str).headers(headers).build()).execute();
        try {
            ((AbstractIntegerAssert) Assertions.assertThat(execute.code()).describedAs(str, new Object[0])).isEqualTo(i);
            if (execute != null) {
                execute.close();
            }
        } catch (Throwable th) {
            if (execute != null) {
                try {
                    execute.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private static String getInternalLocation(URI uri) {
        return getLocation(uri, "/v1/task");
    }

    private static String getManagementLocation(URI uri) {
        return getLocation(uri, "/v1/node");
    }

    private static String getAuthorizedUserLocation(URI uri) {
        return getLocation(uri, "/v1/query");
    }

    private static String getPublicLocation(URI uri) {
        return getLocation(uri, "/v1/info");
    }

    private static String getLocation(URI uri, String str) {
        return HttpUriBuilder.uriBuilderFrom(uri).replacePath(str).toString();
    }

    private static Principal authenticate(String str, String str2) {
        if ((TEST_USER_LOGIN.equals(str) && TEST_PASSWORD.equals(str2)) || (MANAGEMENT_USER_LOGIN.equals(str) && MANAGEMENT_PASSWORD.equals(str2))) {
            return new BasicPrincipal(str);
        }
        throw new AccessDeniedException("Invalid credentials");
    }

    private static Principal authenticate2(String str, String str2) {
        if ((TEST_USER_LOGIN.equals(str) && TEST_PASSWORD2.equals(str2)) || (MANAGEMENT_USER_LOGIN.equals(str) && MANAGEMENT_PASSWORD.equals(str2))) {
            return new BasicPrincipal(str);
        }
        throw new AccessDeniedException("Invalid credentials2");
    }

    private static HttpCookie getCookie(CookieManager cookieManager, String str) {
        return cookieManager.getCookieStore().getCookies().stream().filter(httpCookie -> {
            return httpCookie.getName().equals(str);
        }).findFirst().orElseThrow();
    }

    private static String hashNonce(String str) {
        return Hashing.sha256().hashString(str, StandardCharsets.UTF_8).toString();
    }

    private static TestingHttpServer createTestingJwkServer() throws IOException {
        NodeInfo nodeInfo = new NodeInfo("test");
        HttpServerConfig httpPort = new HttpServerConfig().setHttpPort(0);
        return new TestingHttpServer(new HttpServerInfo(httpPort, nodeInfo), nodeInfo, httpPort, new JwkServlet());
    }

    static {
        try {
            JWK_PRIVATE_KEY = PemReader.loadPrivateKey(new File(Resources.getResource("jwk/jwk-rsa-private.pem").toURI()), Optional.empty());
            JWK_PUBLIC_KEY = PemReader.loadPublicKey(new File(Resources.getResource("jwk/jwk-rsa-public.pem").getPath()));
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
}
