package io.prestosql.server.ui;

import com.google.common.collect.ImmutableMap;
import com.google.common.collect.Iterables;
import com.google.common.io.Resources;
import com.google.inject.Key;
import io.airlift.http.client.HttpUriBuilder;
import io.airlift.http.server.HttpServerInfo;
import io.airlift.node.NodeInfo;
import io.airlift.testing.Closeables;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.prestosql.client.OkHttpUtil;
import io.prestosql.server.security.PasswordAuthenticatorManager;
import io.prestosql.server.testing.TestingPrestoServer;
import io.prestosql.spi.security.AccessDeniedException;
import io.prestosql.spi.security.BasicPrincipal;
import io.prestosql.testing.assertions.Assert;
import java.io.Closeable;
import java.io.IOException;
import java.net.CookieManager;
import java.net.HttpCookie;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.Principal;
import java.time.ZonedDateTime;
import java.util.Date;
import java.util.Optional;
import okhttp3.FormBody;
import okhttp3.JavaNetCookieJar;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import org.assertj.core.api.Assertions;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;

@Test
/* loaded from: input_file:io/prestosql/server/ui/TestWebUi.class */
public class TestWebUi {
    private static final String TEST_USER = "test-user";
    private static final String TEST_PASSWORD = "test-password";
    private TestingPrestoServer server;
    private OkHttpClient client;
    private URI insecureUrl;
    private URI secureUrl;
    private static final String LOCALHOST_KEYSTORE = Resources.getResource("cert/localhost.pem").getPath();
    private static final ImmutableMap<String, String> SECURE_PROPERTIES = ImmutableMap.builder().put("http-server.https.enabled", "true").put("http-server.https.keystore.path", LOCALHOST_KEYSTORE).put("http-server.https.keystore.key", "").put("http-server.process-forwarded", "true").build();
    private static final String HMAC_KEY = Resources.getResource("hmac_key.txt").getPath();

    @BeforeClass
    public void setup() {
        this.server = TestingPrestoServer.builder().setProperties(SECURE_PROPERTIES).build();
        ((PasswordAuthenticatorManager) this.server.getInstance(Key.get(PasswordAuthenticatorManager.class))).setAuthenticator(TestWebUi::authenticate);
        HttpServerInfo httpServerInfo = (HttpServerInfo) this.server.getInstance(Key.get(HttpServerInfo.class));
        this.insecureUrl = httpServerInfo.getHttpUri();
        this.secureUrl = httpServerInfo.getHttpsUri();
        OkHttpClient.Builder followRedirects = new OkHttpClient.Builder().followRedirects(false);
        OkHttpUtil.setupSsl(followRedirects, Optional.empty(), Optional.empty(), Optional.of(LOCALHOST_KEYSTORE), Optional.empty());
        this.client = followRedirects.build();
    }

    @AfterClass(alwaysRun = true)
    public void teardown() {
        Closeables.closeQuietly(new Closeable[]{this.server});
        this.server = null;
    }

    @Test
    public void testRootRedirect() throws Exception {
        testRootRedirect(this.insecureUrl);
        testRootRedirect(this.secureUrl);
    }

    private void testRootRedirect(URI uri) throws Exception {
        assertRedirect(this.client, HttpUriBuilder.uriBuilderFrom(uri).toString(), getUiLocation(uri));
    }

    @Test
    public void testLoggedOut() throws Exception {
        testLoggedOut(this.insecureUrl);
        testLoggedOut(this.secureUrl);
    }

    private void testLoggedOut(URI uri) throws Exception {
        assertRedirect(this.client, getUiLocation(uri), getLoginHtmlLocation(uri));
        assertRedirect(this.client, getLocation(uri, "/ui/query.html", "abc123"), getLocation(uri, "/ui/login.html", "/ui/query.html?abc123"), false);
        assertResponseCode(this.client, getValidApiLocation(uri), 401);
        assertOk(this.client, getValidAssetsLocation(uri));
        assertOk(this.client, getValidVendorLocation(uri));
    }

    @Test
    public void testLogIn() throws Exception {
        testLogIn(this.insecureUrl);
        testLogIn(this.secureUrl);
    }

    private void testLogIn(URI uri) throws Exception {
        CookieManager cookieManager = new CookieManager();
        OkHttpClient build = this.client.newBuilder().cookieJar(new JavaNetCookieJar(cookieManager)).build();
        String string = assertOk(build, getLoginHtmlLocation(uri)).body().string();
        Assertions.assertThat(string).contains(new CharSequence[]{"action=\"/ui/login\""});
        Assertions.assertThat(string).contains(new CharSequence[]{"method=\"post\""});
        logIn(uri, build);
        HttpCookie httpCookie = (HttpCookie) Iterables.getOnlyElement(cookieManager.getCookieStore().getCookies());
        Assert.assertEquals(httpCookie.getPath(), "/ui");
        Assert.assertEquals(httpCookie.getDomain(), uri.getHost());
        Assert.assertEquals(httpCookie.getMaxAge(), -1L);
        org.testng.Assert.assertTrue(httpCookie.isHttpOnly());
        assertOk(build, getUiLocation(uri));
        assertOk(build, getValidApiLocation(uri));
        assertResponseCode(build, getLocation(uri, "/ui/unknown"), 404);
        assertResponseCode(build, getLocation(uri, "/ui/api/unknown"), 404);
        assertRedirect(build, getLogoutLocation(uri), getLoginHtmlLocation(uri), false);
        Assertions.assertThat(cookieManager.getCookieStore().getCookies()).isEmpty();
    }

    @Test
    public void testFailedLogin() throws Exception {
        testFailedLogin(this.insecureUrl, Optional.empty(), Optional.empty());
        testFailedLogin(this.insecureUrl, Optional.empty(), Optional.of(TEST_PASSWORD));
        testFailedLogin(this.insecureUrl, Optional.empty(), Optional.of("unknown"));
        testFailedLogin(this.secureUrl, Optional.empty(), Optional.empty());
        testFailedLogin(this.secureUrl, Optional.empty(), Optional.of(TEST_PASSWORD));
        testFailedLogin(this.secureUrl, Optional.empty(), Optional.of("unknown"));
        testFailedLogin(this.secureUrl, Optional.of(TEST_USER), Optional.of("unknown"));
        testFailedLogin(this.secureUrl, Optional.of("unknown"), Optional.of(TEST_PASSWORD));
        testFailedLogin(this.secureUrl, Optional.of(TEST_USER), Optional.empty());
        testFailedLogin(this.secureUrl, Optional.empty(), Optional.of(TEST_PASSWORD));
    }

    private void testFailedLogin(URI uri, Optional<String> optional, Optional<String> optional2) throws IOException {
        CookieManager cookieManager = new CookieManager();
        OkHttpClient build = this.client.newBuilder().cookieJar(new JavaNetCookieJar(cookieManager)).build();
        FormBody.Builder builder = new FormBody.Builder();
        optional.ifPresent(str -> {
            builder.add("username", str);
        });
        optional2.ifPresent(str2 -> {
            builder.add("password", str2);
        });
        Response execute = build.newCall(new Request.Builder().url(getLoginLocation(uri)).post(builder.build()).build()).execute();
        Assert.assertEquals(execute.code(), 303);
        Assert.assertEquals(execute.header("Location"), getLoginHtmlLocation(uri));
        org.testng.Assert.assertTrue(cookieManager.getCookieStore().getCookies().isEmpty());
    }

    @Test
    public void testWorkerResource() throws Exception {
        testWorkerResource(this.insecureUrl);
        testWorkerResource(this.secureUrl);
    }

    private void testWorkerResource(URI uri) throws Exception {
        OkHttpClient build = this.client.newBuilder().cookieJar(new JavaNetCookieJar(new CookieManager())).build();
        logIn(uri, build);
        String nodeId = ((NodeInfo) this.server.getInstance(Key.get(NodeInfo.class))).getNodeId();
        assertOk(build, getLocation(uri, "/ui/api/worker/" + nodeId + "/status"));
        assertOk(build, getLocation(uri, "/ui/api/worker/" + nodeId + "/thread"));
    }

    private static void logIn(URI uri, OkHttpClient okHttpClient) throws IOException {
        FormBody.Builder add = new FormBody.Builder().add("username", TEST_USER);
        if (uri.getScheme().equals("https")) {
            add.add("password", TEST_PASSWORD);
        }
        Response execute = okHttpClient.newCall(new Request.Builder().url(getLoginLocation(uri)).post(add.build()).build()).execute();
        Assert.assertEquals(execute.code(), 303);
        Assert.assertEquals(execute.header("Location"), getUiLocation(uri));
    }

    @Test
    public void testDisabled() throws Exception {
        TestingPrestoServer build = TestingPrestoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("web-ui.enabled", "false").build()).build();
        try {
            ((PasswordAuthenticatorManager) build.getInstance(Key.get(PasswordAuthenticatorManager.class))).setAuthenticator(TestWebUi::authenticate);
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            testDisabled(httpServerInfo.getHttpUri());
            testDisabled(httpServerInfo.getHttpsUri());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private void testDisabled(URI uri) throws Exception {
        assertRedirect(this.client, getUiLocation(uri), getDisabledLocation(uri));
        assertRedirect(this.client, getLocation(uri, "/ui/query.html", "abc123"), getDisabledLocation(uri));
        assertResponseCode(this.client, getValidApiLocation(uri), 401);
        assertRedirect(this.client, getLoginLocation(uri), getDisabledLocation(uri));
        assertRedirect(this.client, getLogoutLocation(uri), getDisabledLocation(uri));
        assertOk(this.client, getValidAssetsLocation(uri));
        assertOk(this.client, getValidVendorLocation(uri));
    }

    @Test
    public void testNoPasswordAuthenticator() throws Exception {
        TestingPrestoServer build = TestingPrestoServer.builder().setProperties(SECURE_PROPERTIES).build();
        try {
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            testLogIn(httpServerInfo.getHttpUri());
            testNoPasswordAuthenticator(httpServerInfo.getHttpsUri());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private void testNoPasswordAuthenticator(URI uri) throws Exception {
        assertRedirect(this.client, getUiLocation(uri), getDisabledLocation(uri), false);
        assertRedirect(this.client, getLocation(uri, "/ui/query.html", "abc123"), getDisabledLocation(uri), false);
        assertResponseCode(this.client, getValidApiLocation(uri), 401);
        assertRedirect(this.client, getLoginLocation(uri), getDisabledLocation(uri), false);
        assertRedirect(this.client, getLogoutLocation(uri), getDisabledLocation(uri), false);
        assertOk(this.client, getValidAssetsLocation(uri));
        assertOk(this.client, getValidVendorLocation(uri));
    }

    @Test
    public void testFixedAuthenticator() throws Exception {
        TestingPrestoServer build = TestingPrestoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("web-ui.authentication.type", "fixed").put("web-ui.user", TEST_USER).build()).build();
        try {
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            testAlwaysAuthorized(httpServerInfo.getHttpUri(), this.client);
            testAlwaysAuthorized(httpServerInfo.getHttpsUri(), this.client);
            testFixedAuthenticator(httpServerInfo.getHttpUri());
            testFixedAuthenticator(httpServerInfo.getHttpsUri());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private void testFixedAuthenticator(URI uri) throws Exception {
        assertOk(this.client, getUiLocation(uri));
        assertOk(this.client, getValidApiLocation(uri));
        assertResponseCode(this.client, getLocation(uri, "/ui/unknown"), 404);
        assertResponseCode(this.client, getLocation(uri, "/ui/api/unknown"), 404);
    }

    @Test
    public void testCertAuthenticator() throws Exception {
        TestingPrestoServer build = TestingPrestoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("web-ui.authentication.type", "certificate").put("http-server.https.truststore.path", LOCALHOST_KEYSTORE).put("http-server.https.truststore.key", "").build()).build();
        try {
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            testLogIn(httpServerInfo.getHttpUri());
            testNeverAuthorized(httpServerInfo.getHttpsUri(), this.client);
            OkHttpClient.Builder newBuilder = this.client.newBuilder();
            OkHttpUtil.setupSsl(newBuilder, Optional.of(LOCALHOST_KEYSTORE), Optional.empty(), Optional.of(LOCALHOST_KEYSTORE), Optional.empty());
            testAlwaysAuthorized(httpServerInfo.getHttpsUri(), newBuilder.build());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testJwtAuthenticator() throws Exception {
        TestingPrestoServer build = TestingPrestoServer.builder().setProperties(ImmutableMap.builder().putAll(SECURE_PROPERTIES).put("web-ui.authentication.type", "jwt").put("http-server.authentication.jwt.key-file", HMAC_KEY).build()).build();
        try {
            HttpServerInfo httpServerInfo = (HttpServerInfo) build.getInstance(Key.get(HttpServerInfo.class));
            testLogIn(httpServerInfo.getHttpUri());
            testNeverAuthorized(httpServerInfo.getHttpsUri(), this.client);
            String compact = Jwts.builder().signWith(SignatureAlgorithm.HS256, new String(Files.readAllBytes(Paths.get(HMAC_KEY, new String[0])), StandardCharsets.UTF_8)).setSubject(TEST_USER).setExpiration(Date.from(ZonedDateTime.now().plusMinutes(5L).toInstant())).compact();
            testAlwaysAuthorized(httpServerInfo.getHttpsUri(), this.client.newBuilder().authenticator((route, response) -> {
                return response.request().newBuilder().header("Authorization", "Bearer " + compact).build();
            }).build());
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private static void testAlwaysAuthorized(URI uri, OkHttpClient okHttpClient) throws IOException {
        assertOk(okHttpClient, getUiLocation(uri));
        assertOk(okHttpClient, getValidApiLocation(uri));
        assertRedirect(okHttpClient, getLoginHtmlLocation(uri), getUiLocation(uri), false);
        assertRedirect(okHttpClient, getLoginLocation(uri), getUiLocation(uri), false);
        assertRedirect(okHttpClient, getLogoutLocation(uri), getUiLocation(uri), false);
        assertResponseCode(okHttpClient, getLocation(uri, "/ui/unknown"), 404);
        assertResponseCode(okHttpClient, getLocation(uri, "/ui/api/unknown"), 404);
    }

    private static void testNeverAuthorized(URI uri, OkHttpClient okHttpClient) throws IOException {
        assertResponseCode(okHttpClient, getUiLocation(uri), 401);
        assertResponseCode(okHttpClient, getValidApiLocation(uri), 401);
        assertResponseCode(okHttpClient, getLoginLocation(uri), 401);
        assertResponseCode(okHttpClient, getLogoutLocation(uri), 401);
        assertResponseCode(okHttpClient, getLocation(uri, "/ui/unknown"), 401);
        assertResponseCode(okHttpClient, getLocation(uri, "/ui/api/unknown"), 401);
    }

    private static Response assertOk(OkHttpClient okHttpClient, String str) throws IOException {
        return assertResponseCode(okHttpClient, str, 200);
    }

    private static void assertRedirect(OkHttpClient okHttpClient, String str, String str2) throws IOException {
        assertRedirect(okHttpClient, str, str2, true);
    }

    private static void assertRedirect(OkHttpClient okHttpClient, String str, String str2, boolean z) throws IOException {
        Response execute = okHttpClient.newCall(new Request.Builder().url(str).build()).execute();
        try {
            Assert.assertEquals(execute.code(), 303);
            Assert.assertEquals(execute.header("Location"), str2);
            if (execute != null) {
                execute.close();
            }
            if (z) {
                Response execute2 = okHttpClient.newCall(new Request.Builder().url(str).header("X-Forwarded-Proto", "test").header("X-Forwarded-Host", "my-load-balancer.local").header("X-Forwarded-Port", "123").build()).execute();
                try {
                    Assert.assertEquals(execute2.code(), 303);
                    Assert.assertEquals(execute2.header("Location"), HttpUriBuilder.uriBuilderFrom(URI.create(str2)).scheme("test").host("my-load-balancer.local").port(123).toString());
                    if (execute2 != null) {
                        execute2.close();
                    }
                    Response execute3 = okHttpClient.newCall(new Request.Builder().url(str).header("X-Forwarded-Proto", "test").header("X-Forwarded-Host", "my-load-balancer.local:123").build()).execute();
                    try {
                        Assert.assertEquals(execute3.code(), 303);
                        Assert.assertEquals(execute3.header("Location"), HttpUriBuilder.uriBuilderFrom(URI.create(str2)).scheme("test").host("my-load-balancer.local").port(123).toString());
                        if (execute3 != null) {
                            execute3.close();
                        }
                        Response execute4 = okHttpClient.newCall(new Request.Builder().url(str).header("X-Forwarded-Proto", "test").header("X-Forwarded-Port", "123").build()).execute();
                        try {
                            Assert.assertEquals(execute4.code(), 303);
                            Assert.assertEquals(execute4.header("Location"), HttpUriBuilder.uriBuilderFrom(URI.create(str2)).scheme("test").port(123).toString());
                            if (execute4 != null) {
                                execute4.close();
                            }
                            Response execute5 = okHttpClient.newCall(new Request.Builder().url(str).header("X-Forwarded-Proto", "test").build()).execute();
                            try {
                                Assert.assertEquals(execute5.code(), 303);
                                Assert.assertEquals(execute5.header("Location"), HttpUriBuilder.uriBuilderFrom(URI.create(str2)).scheme("test").toString());
                                if (execute5 != null) {
                                    execute5.close();
                                }
                                Response execute6 = okHttpClient.newCall(new Request.Builder().url(str).header("X-Forwarded-Host", "my-load-balancer.local").header("X-Forwarded-Port", "123").build()).execute();
                                try {
                                    Assert.assertEquals(execute6.code(), 303);
                                    Assert.assertEquals(execute6.header("Location"), HttpUriBuilder.uriBuilderFrom(URI.create(str2)).host("my-load-balancer.local").port(123).toString());
                                    if (execute6 != null) {
                                        execute6.close();
                                    }
                                    Response execute7 = okHttpClient.newCall(new Request.Builder().url(str).header("X-Forwarded-Host", "my-load-balancer.local:123").build()).execute();
                                    try {
                                        Assert.assertEquals(execute7.code(), 303);
                                        Assert.assertEquals(execute7.header("Location"), HttpUriBuilder.uriBuilderFrom(URI.create(str2)).host("my-load-balancer.local").port(123).toString());
                                        if (execute7 != null) {
                                            execute7.close();
                                        }
                                        execute5 = okHttpClient.newCall(new Request.Builder().url(str).header("X-Forwarded-Host", "my-load-balancer.local").build()).execute();
                                        try {
                                            Assert.assertEquals(execute5.code(), 303);
                                            Assert.assertEquals(execute5.header("Location"), HttpUriBuilder.uriBuilderFrom(URI.create(str2)).host("my-load-balancer.local").defaultPort().toString());
                                            if (execute5 != null) {
                                                execute5.close();
                                            }
                                        } finally {
                                        }
                                    } finally {
                                    }
                                } finally {
                                    if (execute6 != null) {
                                        try {
                                            execute6.close();
                                        } catch (Throwable th) {
                                            th.addSuppressed(th);
                                        }
                                    }
                                }
                            } finally {
                                if (execute5 != null) {
                                    try {
                                        execute5.close();
                                    } catch (Throwable th2) {
                                        th.addSuppressed(th2);
                                    }
                                }
                            }
                        } finally {
                            if (execute4 != null) {
                                try {
                                    execute4.close();
                                } catch (Throwable th3) {
                                    th.addSuppressed(th3);
                                }
                            }
                        }
                    } finally {
                        if (execute3 != null) {
                            try {
                                execute3.close();
                            } catch (Throwable th4) {
                                th.addSuppressed(th4);
                            }
                        }
                    }
                } finally {
                    if (execute2 != null) {
                        try {
                            execute2.close();
                        } catch (Throwable th5) {
                            th.addSuppressed(th5);
                        }
                    }
                }
            }
        } finally {
            if (execute != null) {
                try {
                    execute.close();
                } catch (Throwable th6) {
                    th.addSuppressed(th6);
                }
            }
        }
    }

    private static Response assertResponseCode(OkHttpClient okHttpClient, String str, int i) throws IOException {
        Response execute = okHttpClient.newCall(new Request.Builder().url(str).build()).execute();
        Assert.assertEquals(execute.code(), i);
        return execute;
    }

    private static Principal authenticate(String str, String str2) {
        if (TEST_USER.equals(str) && TEST_PASSWORD.equals(str2)) {
            return new BasicPrincipal(str);
        }
        throw new AccessDeniedException("Invalid credentials");
    }

    private static String getUiLocation(URI uri) {
        return getLocation(uri, "/ui/");
    }

    private static String getLoginHtmlLocation(URI uri) {
        return getLocation(uri, "/ui/login.html");
    }

    private static String getLoginLocation(URI uri) {
        return getLocation(uri, "/ui/login");
    }

    private static String getLogoutLocation(URI uri) {
        return getLocation(uri, "/ui/logout");
    }

    private static String getDisabledLocation(URI uri) {
        return getLocation(uri, "/ui/disabled.html");
    }

    private static String getValidApiLocation(URI uri) {
        return getLocation(uri, "/ui/api/cluster");
    }

    private static String getValidAssetsLocation(URI uri) {
        return getLocation(uri, "/ui/assets/favicon.ico");
    }

    private static String getValidVendorLocation(URI uri) {
        return getLocation(uri, "/ui/vendor/bootstrap/css/bootstrap.css");
    }

    private static String getLocation(URI uri, String str) {
        return HttpUriBuilder.uriBuilderFrom(uri).replacePath(str).toString();
    }

    private static String getLocation(URI uri, String str, String str2) {
        return HttpUriBuilder.uriBuilderFrom(uri).replacePath(str).replaceParameter(str2, new String[0]).toString();
    }
}
