package org.apache.impala.authentication.saml;

import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import org.apache.impala.analysis.SqlParserSymbols;
import org.apache.impala.common.InternalException;
import org.apache.impala.service.BackendConfig;
import org.pac4j.core.credentials.extractor.BearerAuthExtractor;
import org.pac4j.core.exception.http.RedirectionAction;
import org.pac4j.core.exception.http.RedirectionActionHelper;
import org.pac4j.core.exception.http.WithLocationAction;
import org.pac4j.saml.client.SAML2Client;
import org.pac4j.saml.config.SAML2Configuration;
import org.pac4j.saml.credentials.SAML2Credentials;
import org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/impala/authentication/saml/ImpalaSamlClient.class */
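/**
 * Impala's SAML2 service-provider client, built on pac4j's {@link SAML2Client}.
 *
 * <p>It serves three flows: producing the IdP redirect for a fresh login
 * ({@link #setRedirect}), consuming the IdP's POSTed response
 * ({@link #validateAuthnResponse} / {@link #validateAuthnResponseInner}) and checking the
 * bearer token that a client presents afterwards ({@link #validateBearer}).
 *
 * <p>All configuration comes from {@link BackendConfig#INSTANCE}; the client is a
 * process-wide singleton obtained through {@link #get()}.
 *
 * <p>NOTE(review): this listing is decompiled. One constant was restored from context
 * (see {@link #HTTP_OK}); confirm against the original source.
 */
public class ImpalaSamlClient extends SAML2Client {
    private static final Logger LOG = LoggerFactory.getLogger(ImpalaSamlClient.class);

    /**
     * Status written back to the IdP's response POST once the assertion has been handled.
     * The decompiled listing rendered this literal as {@code SqlParserSymbols.KW_THEN}, which
     * is a constant-folding artifact of the decompiler: a SQL parser token has no meaning as
     * an HTTP status. Plain 200 is the intended value.
     */
    private static final int HTTP_OK = 200;

    /** Process-wide instance; reads and writes happen only under the class lock in {@link #get()}. */
    private static ImpalaSamlClient INSTANCE;

    /** Decides whether the group attributes in an assertion match the configured groups. */
    private final HiveSamlGroupNameFilter groupNameFilter;

    /** Handles the IdP's SAML response POST on behalf of this client. */
    private final HiveSamlHttpServlet samlHttpServlet;

    /**
     * Builds and initialises the client from {@link BackendConfig}.
     *
     * @throws Exception anything raised while reading configuration or initialising pac4j
     */
    private ImpalaSamlClient() throws Exception {
        super(getSamlConfig());
        // pac4j is told not to use the "modern" redirect status codes here; presumably so
        // that clients receive a classic 302 rather than 303/307 -- TODO confirm with pac4j docs.
        RedirectionActionHelper.setUseModernHttpCodes(false);
        setCallbackUrl(getCallBackUrl());
        setName(ImpalaSamlClient.class.getSimpleName());
        // The relay-state store doubles as the state generator so that the relay state sent to
        // the IdP can later be tied back to a client identifier (see doSamlAuth).
        setStateGenerator(HiveSamlRelayStateStore.get());
        this.groupNameFilter = new HiveSamlGroupNameFilter();
        this.samlHttpServlet = new HiveSamlHttpServlet(this);
        init();
    }

    /**
     * @return the service-provider callback (assertion consumer) URL from the backend config
     * @throws Exception propagated from the config accessor
     */
    private static String getCallBackUrl() throws Exception {
        return BackendConfig.INSTANCE.getSaml2SpCallbackUrl();
    }

    /**
     * Returns the singleton client, creating it on first use.
     *
     * @return the shared {@link ImpalaSamlClient}
     * @throws InternalException if the client could not be constructed
     */
    public static synchronized ImpalaSamlClient get() throws InternalException {
        if (INSTANCE == null) {
            try {
                INSTANCE = new ImpalaSamlClient();
            } catch (Exception e) {
                throw new InternalException("Could not instantiate SAML2.0 client", e);
            }
        }
        return INSTANCE;
    }

    /**
     * Translates the backend flags into a pac4j {@link SAML2Configuration}.
     *
     * <p>Requests go out over HTTP-Redirect, responses come back over HTTP-POST. Whether
     * assertions must be signed and whether our requests are signed are both config-driven.
     *
     * @return the populated configuration
     * @throws Exception propagated from the config accessors
     */
    private static SAML2Configuration getSamlConfig() throws Exception {
        BackendConfig backendConfig = BackendConfig.INSTANCE;
        // The path is not sensitive; the keystore and key passwords are never logged.
        LOG.info("keystore path: " + backendConfig.getSaml2KeystorePath());
        SAML2Configuration config = new SAML2Configuration(
            backendConfig.getSaml2KeystorePath(),
            backendConfig.getSaml2KeystorePassword(),
            backendConfig.getSaml2PrivateKeyPassword(),
            backendConfig.getSaml2IdpMetadata());
        config.setAuthnRequestBindingType("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect");
        config.setResponseBindingType("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
        config.setServiceProviderEntityId(backendConfig.getSaml2SpEntityId());
        config.setWantsAssertionsSigned(backendConfig.getSaml2WantAsserationsSigned());
        config.setAuthnRequestSigned(backendConfig.getSaml2SignRequest());

        boolean eeTestMode = backendConfig.getSaml2EETestMode();
        config.setAllSignatureValidationDisabled(eeTestMode);
        if (eeTestMode) {
            // With signature validation off, any party that can reach the callback URL can
            // forge an assertion. Make the state impossible to overlook in the logs.
            LOG.warn("SAML2 EE test mode is enabled: ALL signature validation is disabled. "
                + "This must never be enabled outside of tests.");
        }
        return config;
    }

    /**
     * Fills the response with the redirect to the IdP that starts a login.
     *
     * <p>The request must carry the {@code HiveSamlUtils.SSO_TOKEN_RESPONSE_PORT} header; the
     * value is only logged here (it is consumed elsewhere in the flow).
     *
     * @param wrappedWebContext request/response wrapper to read the header from and write the
     *     redirect into
     * @throws InternalException if the port header is missing or no redirect could be built
     */
    public void setRedirect(WrappedWebContext wrappedWebContext) throws InternalException {
        Optional<String> responsePort =
            wrappedWebContext.getRequestHeader(HiveSamlUtils.SSO_TOKEN_RESPONSE_PORT);
        if (responsePort == null || !responsePort.isPresent()) {
            throw new InternalException("No response port specified");
        }
        LOG.debug("Request has response port set as {}", responsePort);

        Optional<RedirectionAction> redirect = getRedirectionAction(wrappedWebContext);
        if (redirect == null || !redirect.isPresent()) {
            throw new InternalException("Could not get the redirect response");
        }
        RedirectionAction action = redirect.get();
        // The authn request binding is HTTP-Redirect, so pac4j is expected to hand back an
        // action carrying a Location. Report anything else explicitly instead of letting the
        // cast fail with a ClassCastException.
        if (!(action instanceof WithLocationAction)) {
            throw new InternalException(
                "Unexpected redirection action without a location: " + action.getClass().getName());
        }
        wrappedWebContext.setResponseStatusCode(action.getCode());
        wrappedWebContext.setResponseHeader("Location", ((WithLocationAction) action).getLocation());
    }

    /**
     * Handles the IdP's SAML response POST via the servlet and marks the response as OK.
     *
     * @param wrappedWebContext request/response wrapper for the POST
     * @throws InternalException propagated from the servlet
     */
    public void validateAuthnResponse(WrappedWebContext wrappedWebContext) throws InternalException {
        this.samlHttpServlet.doPost(wrappedWebContext);
        wrappedWebContext.setResponseStatusCode(HTTP_OK);
    }

    /**
     * Extracts and validates the SAML credentials from the response and applies the group filter.
     *
     * @param wrappedWebContext request wrapper holding the SAML response
     * @return the NameID of the authenticated subject
     * @throws HttpSamlAuthenticationException if credentials cannot be extracted or validated;
     *     a {@code HttpSamlNoGroupsMatchedException} when the subject's attributes match none of
     *     the configured groups
     */
    public String validateAuthnResponseInner(WrappedWebContext wrappedWebContext)
            throws HttpSamlAuthenticationException {
        try {
            Optional<SAML2Credentials> credentials =
                new SAML2CredentialsExtractor(this).extract(wrappedWebContext);
            if (!credentials.isPresent()) {
                throw new HttpSamlAuthenticationException("Credentials could not be extracted");
            }
            String nameId = credentials.get().getNameId().getValue();
            if (!this.groupNameFilter.apply(credentials.get().getAttributes())) {
                LOG.warn("Could not match any groups for the nameid {}", nameId);
                throw new HttpSamlNoGroupsMatchedException(
                    "None of the configured groups match for the user");
            }
            return nameId;
        } catch (HttpSamlAuthenticationException e) {
            // Already the declared type. Re-wrapping (as the original catch-all did) would
            // double-nest the cause and, if HttpSamlNoGroupsMatchedException is a subtype as its
            // use here suggests, hide the "no groups matched" distinction from the caller.
            throw e;
        } catch (Exception e) {
            throw new HttpSamlAuthenticationException("Could not validate the SAML response", e);
        }
    }

    /**
     * Validates the bearer token presented by a client after SSO completed.
     *
     * @param wrappedWebContext request wrapper carrying the Authorization header
     * @return the authenticated user name encoded in the token
     * @throws InternalException if validation fails for any reason
     */
    public String validateBearer(WrappedWebContext wrappedWebContext) throws InternalException {
        // Deliberately no dump of the serialized request here: it is expected to include the
        // request headers, i.e. the Authorization bearer token being validated, and the earlier
        // INFO-level dump would have written that secret to the log on every request.
        LOG.debug("Validating SAML2 bearer token");
        try {
            return doSamlAuth(wrappedWebContext);
        } catch (HttpSamlAuthenticationException e) {
            throw new InternalException("SAML2 bearer validation failed", e);
        }
    }

    /**
     * Checks the bearer token and binds it to the presenting client.
     *
     * <p>Steps: the token is taken from the Authorization header, the
     * {@code HiveSamlUtils.SSO_CLIENT_IDENTIFIER} header must be present, the token is
     * validated by {@link HiveSamlAuthTokenGenerator}, and the relay state carried in the
     * token must have been issued to the same client identifier.
     *
     * @param wrappedWebContext request wrapper holding the headers
     * @return the user name returned by token validation
     * @throws HttpSamlAuthenticationException if the token or client identifier is missing,
     *     the token is invalid or unparseable, or the relay state does not belong to the client
     */
    private String doSamlAuth(WrappedWebContext wrappedWebContext)
            throws HttpSamlAuthenticationException {
        String token = new BearerAuthExtractor()
            .extract(wrappedWebContext)
            .map(creds -> creds.getToken())
            .orElse(null);
        if (token == null) {
            throw new HttpSamlAuthenticationException("No token found");
        }
        Optional<String> clientId =
            wrappedWebContext.getRequestHeader(HiveSamlUtils.SSO_CLIENT_IDENTIFIER);
        if (clientId == null || !clientId.isPresent()) {
            throw new HttpSamlAuthenticationException("Client identifier not found.");
        }

        String user = HiveSamlAuthTokenGenerator.get().validate(token);

        Map<String, String> claims = new HashMap<>();
        if (!HiveSamlAuthTokenGenerator.parse(token, claims)) {
            // validate() above is expected to have rejected anything unparseable already
            // (TODO confirm against HiveSamlAuthTokenGenerator). Either way, fail closed: the
            // original code skipped the relay-state binding check when parsing failed.
            throw new HttpSamlAuthenticationException("Token could not be parsed");
        }
        String relayState = claims.get(HiveSamlAuthTokenGenerator.RELAY_STATE);
        if (!HiveSamlRelayStateStore.get().validateClientIdentifier(relayState, clientId.get())) {
            throw new HttpSamlAuthenticationException("Code verifier could not be validated");
        }
        return user;
    }
}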
