package org.apache.impala.authentication.saml;

import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.impala.service.BackendConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/impala/authentication/saml/HiveSamlAuthTokenGenerator.class */
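/**
 * Issues and validates short-lived, signed tokens of the form
 * {@code u=<user>;id=<random>;time=<millis>;rs=<relay state>;sg=<signature>}.
 *
 * <p>The signing key is generated per instance, so a token can only be validated by the
 * process that issued it. The signature covers the first four attributes in the fixed order
 * produced by {@link #getTokenStr}.
 */
public class HiveSamlAuthTokenGenerator implements AuthTokenGenerator {
    private static final String USER = "u";
    private static final String SEPARATOR = "=";
    private static final String ATTR_SEPARATOR = ";";
    private static final String ID = "id";
    private static final String CREATE_TIME = "time";
    public static final String RELAY_STATE = "rs";
    private static final String SIGN = "sg";
    // Keyed MAC used for the token signature; a bare digest over message||secret is not a MAC.
    private static final String MAC_ALGORITHM = "HmacSHA256";
    // Full-width random key instead of the decimal rendering of a single 64-bit value.
    private static final int SECRET_LENGTH_BYTES = 32;
    private static HiveSamlAuthTokenGenerator INSTANCE;
    private static final Logger LOG = LoggerFactory.getLogger(HiveSamlAuthTokenGenerator.class);
    private final SecureRandom rand = new SecureRandom();
    private final byte[] signatureSecret = new byte[SECRET_LENGTH_BYTES];
    // Compared against a System.currentTimeMillis() difference in isExpired().
    private final long ttlMs = BackendConfig.INSTANCE.getSaml2CallbackTokenTtl();

    /**
     * Returns the process-wide generator, creating it on first use.
     *
     * @return the shared instance
     */
    public static synchronized AuthTokenGenerator get() {
        if (INSTANCE == null) {
            INSTANCE = new HiveSamlAuthTokenGenerator();
        }
        return INSTANCE;
    }

    private HiveSamlAuthTokenGenerator() {
        // Fill the key straight from the CSPRNG; it never leaves this instance.
        this.rand.nextBytes(this.signatureSecret);
    }

    /**
     * Creates a signed token for the given user and relay state.
     *
     * <p>A user or relay state containing {@code ;} produces a token that {@link #parse}
     * rejects, because the attribute count no longer equals five.
     *
     * @param user user name to embed in the token
     * @param relayState relay state to bind the token to
     * @return the token string including its signature attribute
     */
    @Override
    public String get(String user, String relayState) {
        String id = String.valueOf(this.rand.nextLong());
        String createTime = String.valueOf(System.currentTimeMillis());
        LOG.debug("Generating token for user {} with id {} and time {}", user, id, createTime);
        return sign(getTokenStr(user, id, createTime, relayState));
    }

    /** Builds the canonical, unsigned attribute string that the signature is computed over. */
    private String getTokenStr(String user, String id, String createTime, String relayState) {
        return USER + SEPARATOR + user + ATTR_SEPARATOR
            + ID + SEPARATOR + id + ATTR_SEPARATOR
            + CREATE_TIME + SEPARATOR + createTime + ATTR_SEPARATOR
            + RELAY_STATE + SEPARATOR + relayState;
    }

    /**
     * Computes the Base64-encoded HMAC-SHA256 of {@code tokenStr} under the instance key.
     *
     * @throws RuntimeException if the JCA provider lacks the algorithm or rejects the key
     */
    private String getSign(String tokenStr) {
        try {
            Mac mac = Mac.getInstance(MAC_ALGORITHM);
            mac.init(new SecretKeySpec(this.signatureSecret, MAC_ALGORITHM));
            // Explicit charset so the signed bytes do not depend on the platform default.
            byte[] tag = mac.doFinal(tokenStr.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(tag);
        } catch (NoSuchAlgorithmException | InvalidKeyException e) {
            throw new RuntimeException(e);
        }
    }

    /** Appends the signature attribute to an unsigned attribute string. */
    private String sign(String tokenStr) {
        return tokenStr + ATTR_SEPARATOR + SIGN + SEPARATOR + getSign(tokenStr);
    }

    /**
     * Validates a token and returns the user it was issued for.
     *
     * <p>The signature is checked before any other attribute is interpreted, so the creation
     * time and user are only used once they are known to come from this instance.
     *
     * @param token token previously returned by {@link #get(String, String)}
     * @return the user name carried in the token
     * @throws HttpSamlAuthenticationException if the token is malformed, its signature does
     *     not verify, or it is older than the configured TTL
     */
    @Override
    public String validate(String token) throws HttpSamlAuthenticationException {
        Map<String, String> fields = new HashMap<>();
        if (!parse(token, fields)) {
            throw new HttpSamlAuthenticationException("Invalid token");
        }
        String expectedSign = getSign(getTokenStr(
            fields.get(USER), fields.get(ID), fields.get(CREATE_TIME), fields.get(RELAY_STATE)));
        if (!signatureMatches(fields.get(SIGN), expectedSign)) {
            throw new HttpSamlAuthenticationException("Token could not be verified");
        }
        long createTime;
        try {
            createTime = Long.parseLong(fields.get(CREATE_TIME));
        } catch (NumberFormatException e) {
            // Not expected for a token this instance signed; still fail as an auth error
            // rather than leaking an unchecked exception to the caller.
            throw new HttpSamlAuthenticationException("Invalid token");
        }
        if (isExpired(System.currentTimeMillis(), createTime)) {
            throw new HttpSamlAuthenticationException("Token is expired");
        }
        return fields.get(USER);
    }

    /**
     * Reports whether a token created at {@code createTime} has outlived the TTL at {@code now}.
     * A creation time later than {@code now} is treated as not expired.
     */
    private boolean isExpired(long now, long createTime) {
        return now >= createTime && now - createTime > this.ttlMs;
    }

    /**
     * Constant-time comparison of the presented signature with the expected one.
     *
     * <p>Returns {@code true} only when both are present and byte-for-byte equal. The previous
     * form negated this comparison while {@link #parse} dropped the Base64 padding of the
     * presented value, so the check never rejected a well-formed token.
     */
    private boolean signatureMatches(String presented, String expected) {
        if (presented == null || expected == null) {
            return false;
        }
        return MessageDigest.isEqual(
            presented.getBytes(StandardCharsets.UTF_8), expected.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Splits a token into its five {@code key=value} attributes.
     *
     * @param token token string; {@code null} is treated as malformed
     * @param keyValues receives each parsed attribute; may hold partial content when the
     *     method returns {@code false}
     * @return {@code true} if the token has exactly five non-empty attributes and all of the
     *     user, id, time, relay state and signature keys are present
     */
    public static boolean parse(String token, Map<String, String> keyValues) {
        if (token == null) {
            return false;
        }
        String[] attributes = token.split(ATTR_SEPARATOR);
        if (attributes.length != 5) {
            return false;
        }
        for (String attribute : attributes) {
            // Split on the first '=' only: Base64 values (the signature always ends in '=')
            // must keep their padding, which an unlimited split silently strips.
            String[] pair = attribute.split(SEPARATOR, 2);
            if (pair.length != 2 || pair[0].isEmpty() || pair[1].isEmpty()) {
                return false;
            }
            keyValues.put(pair[0], pair[1]);
        }
        return keyValues.containsKey(USER)
            && keyValues.containsKey(CREATE_TIME)
            && keyValues.containsKey(ID)
            && keyValues.containsKey(SIGN)
            && keyValues.containsKey(RELAY_STATE);
    }
}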
