package org.apache.hive.service.auth.saml;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Splitter;
import java.io.IOException;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.hadoop.hive.conf.HiveConf;
import org.pac4j.core.context.JEEContext;
import org.pac4j.core.exception.http.RedirectionAction;
import org.pac4j.core.exception.http.WithLocationAction;
import org.pac4j.saml.client.SAML2Client;
import org.pac4j.saml.config.SAML2Configuration;
import org.pac4j.saml.credentials.SAML2Credentials;
import org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hive/service/auth/saml/HiveSaml2Client.class */
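/**
 * Process-wide pac4j {@link SAML2Client} configured from {@link HiveConf}.
 *
 * <p>It issues the authentication redirect to the IdP ({@link #setRedirect}) and validates the
 * SAML response posted back to the callback URL ({@link #validate}). The bindings are fixed
 * (HTTP-Redirect for the AuthnRequest, HTTP-POST for the response); keystore, IdP metadata,
 * signing policy, ACS index and the disallowed signature algorithms all come from configuration.
 *
 * <p>Thread-safety: {@link #get(HiveConf)} and {@link #shutdown()} are synchronized on the class.
 * The instance itself offers whatever guarantees {@link SAML2Client} makes.
 */
public class HiveSaml2Client extends SAML2Client {
    private static final Logger LOG = LoggerFactory.getLogger(HiveSaml2Client.class);
    // Null until the first successful get(HiveConf) and again after shutdown().
    private static HiveSaml2Client INSTANCE;
    // Decides whether the group attributes carried in the assertion are allowed to log in.
    private final HiveSamlGroupNameFilter groupNameFilter;

    /**
     * Builds and initialises the client.
     *
     * @param hiveConf source of every SAML setting
     * @throws Exception if the pac4j configuration or the callback URL cannot be built
     */
    private HiveSaml2Client(HiveConf hiveConf) throws Exception {
        super(getSamlConfig(hiveConf));
        setCallbackUrl(getCallBackUrl(hiveConf));
        setName(HiveSaml2Client.class.getSimpleName());
        // The shared store mints the RelayState value; presumably the callback side looks it up
        // there to tie a response back to its request — verify against HiveSamlRelayStateStore.
        setStateGenerator(HiveSamlRelayStateStore.get());
        this.groupNameFilter = new HiveSamlGroupNameFilter(hiveConf);
        init();
    }

    /**
     * Returns the callback (ACS) URL this server expects SAML responses on.
     *
     * @throws Exception if the URI cannot be derived from the configuration
     */
    private static String getCallBackUrl(HiveConf hiveConf) throws Exception {
        return HiveSamlUtils.getCallBackUri(hiveConf).toString();
    }

    /**
     * Returns the singleton client, creating it on first use.
     *
     * <p>A failed construction leaves {@code INSTANCE} null, so the next call retries rather
     * than handing out a half-built client.
     *
     * @param hiveConf configuration used only when the instance has to be created
     * @throws HttpSamlAuthenticationException if the client cannot be constructed
     */
    public static synchronized HiveSaml2Client get(HiveConf hiveConf) throws HttpSamlAuthenticationException {
        if (INSTANCE == null) {
            try {
                INSTANCE = new HiveSaml2Client(hiveConf);
            } catch (Exception e) {
                throw new HttpSamlAuthenticationException("Could not instantiate SAML2.0 client", e);
            }
        }
        return INSTANCE;
    }

    /**
     * Reads a password-type setting via Hadoop's credential-provider aware lookup.
     *
     * @param var the setting to read
     * @return the password as a String (pac4j's configuration takes Strings)
     * @throws IllegalStateException if the setting is absent; the message names the key, never a value
     * @throws Exception             if the credential provider lookup fails
     */
    private static String requiredPassword(HiveConf hiveConf, HiveConf.ConfVars var) throws Exception {
        char[] secret = hiveConf.getPassword(var.varname);
        if (secret == null) {
            // Previously surfaced as a bare NullPointerException from String.valueOf(char[]).
            throw new IllegalStateException("Missing required SAML setting: " + var.varname);
        }
        return String.valueOf(secret);
    }

    /**
     * Translates the HiveServer2 SAML settings into a pac4j {@link SAML2Configuration}.
     *
     * @throws Exception if a password cannot be read or the callback URL cannot be built
     */
    private static SAML2Configuration getSamlConfig(HiveConf hiveConf) throws Exception {
        SAML2Configuration config = new SAML2Configuration(
                hiveConf.get(HiveConf.ConfVars.HIVE_SERVER2_SAML_KEYSTORE_PATH.varname),
                requiredPassword(hiveConf, HiveConf.ConfVars.HIVE_SERVER2_SAML_KEYSTORE_PASSWORD),
                requiredPassword(hiveConf, HiveConf.ConfVars.HIVE_SERVER2_SAML_PRIVATE_KEY_PASSWORD),
                hiveConf.get(HiveConf.ConfVars.HIVE_SERVER2_SAML_IDP_METADATA.varname));
        // Bindings are not configurable: the AuthnRequest leaves via HTTP-Redirect and the
        // response must come back via HTTP-POST.
        config.setAuthnRequestBindingType("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect");
        config.setResponseBindingType("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
        config.setForceAuth(hiveConf.getBoolean(HiveConf.ConfVars.HIVE_SERVER2_SAML_FORCE_AUTH.varname, false));
        // pac4j takes the lifetime as an int number of seconds; toIntExact rejects a value that
        // would otherwise wrap to a negative lifetime under a plain (int) cast.
        config.setMaximumAuthenticationLifetime(Math.toIntExact(
                hiveConf.getTimeVar(HiveConf.ConfVars.HIVE_SERVER2_SAML_AUTHENTICATION_LIFETIME, TimeUnit.SECONDS)));
        // The ACS index is optional; only pass it on when it was set explicitly.
        if (!hiveConf.get(HiveConf.ConfVars.HIVE_SERVER2_SAML_ACS_INDEX.varname, "").isEmpty()) {
            config.setAssertionConsumerServiceIndex(hiveConf.getIntVar(HiveConf.ConfVars.HIVE_SERVER2_SAML_ACS_INDEX));
        }
        String disallowedAlgorithms =
                hiveConf.get(HiveConf.ConfVars.HIVE_SERVER2_SAML_BLACKLISTED_SIGNATURE_ALGORITHMS.varname, "");
        if (!disallowedAlgorithms.isEmpty()) {
            LOG.info("List of disallowed signature algorithms: {}", disallowedAlgorithms);
            // Trim each entry: an algorithm URI written as ", http://..." would otherwise never
            // match and the deny-list entry would silently not apply.
            config.setBlackListedSignatureSigningAlgorithms(
                    Splitter.on(',').trimResults().omitEmptyStrings().splitToList(disallowedAlgorithms));
        }
        // Default SP entity id is the callback URL itself; the default is computed eagerly.
        config.setServiceProviderEntityId(
                hiveConf.get(HiveConf.ConfVars.HIVE_SERVER2_SAML_SP_ID.varname, getCallBackUrl(hiveConf)));
        // Signing policy straight from config. With wantsAssertionsSigned off, pac4j accepts
        // unsigned assertions, i.e. the integrity check on the IdP's claims is gone.
        config.setWantsAssertionsSigned(hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_SERVER2_SAML_WANT_ASSERTIONS_SIGNED));
        config.setAuthnRequestSigned(hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_SERVER2_SAML_SIGN_REQUESTS));
        return config;
    }

    /**
     * Drops the singleton and shuts down the token generator. Exposed for tests so a fresh
     * client can be built against a different configuration.
     */
    @VisibleForTesting
    public static synchronized void shutdown() {
        INSTANCE = null;
        HiveSamlAuthTokenGenerator.shutdown();
    }

    /**
     * Sends the SAML authentication request to the IdP as an HTTP redirect.
     *
     * @param httpServletRequest  the client request being authenticated; its response port is
     *                            validated before any redirect is issued
     * @param httpServletResponse the response on which the redirect is written
     * @throws HttpSamlAuthenticationException if pac4j produces no redirect, produces one that
     *                                         carries no location, or the redirect cannot be sent
     */
    public void setRedirect(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse)
            throws HttpSamlAuthenticationException {
        // Validate the response port up front so a bad request fails before we talk to the IdP.
        int responsePort = HiveSamlUtils.validateSamlResponsePort(httpServletRequest);
        LOG.debug("Request has response port set as {}", responsePort);

        Optional<RedirectionAction> redirectionAction =
                getRedirectionAction(new JEEContext(httpServletRequest, httpServletResponse));
        if (!redirectionAction.isPresent()) {
            throw new HttpSamlAuthenticationException("Could not get the redirect response");
        }
        RedirectionAction action = redirectionAction.get();
        // Only location-bearing actions can become a redirect; an unchecked cast here used to
        // surface as a ClassCastException instead of an authentication error.
        if (!(action instanceof WithLocationAction)) {
            throw new HttpSamlAuthenticationException(
                    "Unexpected redirection action type: " + action.getClass().getName());
        }
        WithLocationAction withLocationAction = (WithLocationAction) action;
        httpServletResponse.setStatus(action.getCode());
        try {
            LOG.debug("Sending a redirect response to location = {}", withLocationAction.getLocation());
            httpServletResponse.sendRedirect(withLocationAction.getLocation());
        } catch (IOException e) {
            throw new HttpSamlAuthenticationException(e);
        }
    }

    /**
     * Validates the SAML response carried by the request and returns the authenticated NameID.
     *
     * <p>Extraction and the cryptographic/condition checks are delegated to pac4j's
     * {@link SAML2CredentialsExtractor}; on top of that the configured group filter must accept
     * the assertion's attributes.
     *
     * @return the NameID value of the authenticated subject
     * @throws HttpSamlNoGroupsMatchedException if the response is valid but none of the configured
     *                                          groups match — rethrown as-is so callers can treat
     *                                          "authenticated but not authorised" distinctly
     * @throws HttpSamlAuthenticationException  if the response cannot be extracted or validated
     */
    public String validate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse)
            throws HttpSamlAuthenticationException {
        try {
            Optional<SAML2Credentials> credentials = new SAML2CredentialsExtractor(this)
                    .extract(new JEEContext(httpServletRequest, httpServletResponse));
            if (!credentials.isPresent()) {
                throw new HttpSamlAuthenticationException("Credentials could not be extracted");
            }
            SAML2Credentials saml2Credentials = credentials.get();
            String nameId = saml2Credentials.getNameId().getValue();
            if (!this.groupNameFilter.apply(saml2Credentials.getAttributes())) {
                LOG.warn("Could not match any groups for the nameid {}", nameId);
                throw new HttpSamlNoGroupsMatchedException("None of the configured groups match for the user");
            }
            return nameId;
        } catch (HttpSamlNoGroupsMatchedException e) {
            // Do not let the catch-all below rewrap this as a generic validation failure; the
            // type is the only thing that distinguishes "no group matched" for the caller.
            // NOTE(review): relies on HttpSamlNoGroupsMatchedException being a subtype of
            // HttpSamlAuthenticationException, as the throws clause requires.
            throw e;
        } catch (Exception e) {
            // pac4j reports failed validation as runtime exceptions; wrap them at this boundary.
            throw new HttpSamlAuthenticationException("Could not validate the SAML response", e);
        }
    }
}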
