package io.prestosql.server;

import com.google.common.hash.Hashing;
import io.airlift.http.client.HttpRequestFilter;
import io.airlift.http.client.Request;
import io.airlift.log.Logger;
import io.airlift.node.NodeInfo;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.prestosql.server.security.InternalPrincipal;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.time.ZonedDateTime;
import java.util.Date;
import java.util.Objects;
import java.util.Optional;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;

/* loaded from: input_file:io/prestosql/server/InternalAuthenticationManager.class */
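/**
 * Authenticates node-to-node HTTP traffic with a short-lived JWT.
 *
 * <p>Outgoing requests get an HS256-signed token in the {@code X-Presto-Internal-Bearer}
 * header; incoming requests carrying that header are verified with the same key. The HMAC
 * key is the SHA-256 digest of the shared secret, so every node must be configured with the
 * same secret.
 */
public class InternalAuthenticationManager implements HttpRequestFilter {
    private static final Logger log = Logger.get(InternalAuthenticationManager.class);
    private static final String PRESTO_INTERNAL_BEARER = "X-Presto-Internal-Bearer";

    // SHA-256 digest of the shared secret, used as the HS256 signing/verification key.
    private final byte[] hmac;
    // Identifier of this node; written as the subject of every token this node issues.
    private final String nodeId;

    /**
     * Creates the manager from injected configuration.
     *
     * @param internalCommunicationConfig source of the (optional) shared secret
     * @param nodeInfo supplies the node id and, as a fallback key source, the environment name
     * @throws IllegalArgumentException if the configuration reports that a required shared
     *     secret is not set
     */
    @Inject
    public InternalAuthenticationManager(InternalCommunicationConfig internalCommunicationConfig, NodeInfo nodeInfo) {
        this(getSharedSecret(internalCommunicationConfig, nodeInfo), nodeInfo.getNodeId());
    }

    /**
     * Resolves the string the HMAC key is derived from: the configured shared secret, or the
     * environment name when none is configured.
     */
    private static String getSharedSecret(InternalCommunicationConfig internalCommunicationConfig, NodeInfo nodeInfo) {
        Objects.requireNonNull(internalCommunicationConfig, "internalCommunicationConfig is null");
        Objects.requireNonNull(nodeInfo, "nodeInfo is null");
        if (!internalCommunicationConfig.isRequiredSharedSecretSet()) {
            throw new IllegalArgumentException("Shared secret is required when internal communications uses https");
        }
        Optional<String> sharedSecret = internalCommunicationConfig.getSharedSecret();
        if (sharedSecret.isPresent()) {
            return sharedSecret.get();
        }
        // NOTE(review): the environment name is a configuration label, not a secret. A key
        // derived from it gives little protection to the internal bearer header, so
        // deployments should configure an explicit, high-entropy shared secret. The warning
        // makes the fallback visible in logs.
        log.warn("No internal communication shared secret is configured; deriving the internal authentication key from the environment name");
        return nodeInfo.getEnvironment();
    }

    /**
     * Creates the manager from an explicit secret.
     *
     * @param sharedSecret secret shared by all nodes; hashed with SHA-256 to form the HMAC key
     * @param nodeId identifier placed in the subject of tokens issued by this node
     * @throws NullPointerException if either argument is null
     */
    public InternalAuthenticationManager(String sharedSecret, String nodeId) {
        Objects.requireNonNull(sharedSecret, "sharedSecret is null");
        Objects.requireNonNull(nodeId, "nodeId is null");
        this.hmac = Hashing.sha256().hashString(sharedSecret, StandardCharsets.UTF_8).asBytes();
        this.nodeId = nodeId;
    }

    /**
     * Reports whether the request carries the internal bearer header.
     *
     * <p>This checks header presence only and verifies nothing; the request must still pass
     * {@link #authenticateInternalRequest} before it is treated as internal.
     */
    public boolean isInternalRequest(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getHeader(PRESTO_INTERNAL_BEARER) != null;
    }

    /**
     * Verifies the internal bearer token of a request.
     *
     * @return a principal named after the token's subject, or {@code null} when the token is
     *     rejected by the JWT library; callers must treat {@code null} as failed authentication
     * @throws RuntimeException wrapping any other runtime failure raised while verifying
     */
    public Principal authenticateInternalRequest(HttpServletRequest httpServletRequest) {
        String token = httpServletRequest.getHeader(PRESTO_INTERNAL_BEARER);
        try {
            // The subject is taken as-is from the verified token; it is not compared against
            // a list of known node ids here.
            return new InternalPrincipal(parseJwt(token));
        } catch (JwtException e) {
            // JwtException is a RuntimeException, so it has to be caught first; with the
            // broader clause ahead of it this branch could never run.
            log.error(e, "Internal authentication failed");
            return null;
        } catch (RuntimeException e) {
            throw new RuntimeException("Authentication error", e);
        }
    }

    /**
     * Returns a copy of the outgoing request with a freshly issued internal bearer token added.
     */
    @Override
    public Request filterRequest(Request request) {
        return Request.Builder.fromRequest(request)
                .addHeader(PRESTO_INTERNAL_BEARER, generateJwt())
                .build();
    }

    /**
     * Issues an HS256 token whose subject is this node's id and which expires five minutes
     * from now.
     */
    private String generateJwt() {
        Date expiration = Date.from(ZonedDateTime.now().plusMinutes(5L).toInstant());
        return Jwts.builder()
                .signWith(SignatureAlgorithm.HS256, this.hmac)
                .setSubject(this.nodeId)
                .setExpiration(expiration)
                .compact();
    }

    /**
     * Verifies the token's signature with the shared HMAC key and returns its subject.
     *
     * @throws JwtException if the JWT library rejects the token
     */
    private String parseJwt(String jwt) {
        return Jwts.parser()
                .setSigningKey(this.hmac)
                .parseClaimsJws(jwt)
                .getBody()
                .getSubject();
    }
}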
