package org.openmetadata.service.security.saml;

import com.onelogin.saml2.Auth;
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.openmetadata.common.utils.CommonUtil;
import org.openmetadata.schema.api.security.AuthorizerConfiguration;
import org.openmetadata.schema.auth.JWTAuthMechanism;
import org.openmetadata.schema.auth.ServiceTokenType;
import org.openmetadata.schema.entity.teams.User;
import org.openmetadata.schema.type.Include;
import org.openmetadata.service.Entity;
import org.openmetadata.service.security.jwt.JWTTokenGenerator;
import org.openmetadata.service.util.UserUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

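@WebServlet({"/api/v1/saml/acs"})
/* loaded from: input_file:org/openmetadata/service/security/saml/SamlAssertionConsumerServlet.class */
/**
 * Assertion Consumer Service endpoint for the SAML login flow.
 *
 * <p>The IdP POSTs the SAML response here. The servlet validates it through the
 * OneLogin {@link Auth} helper, derives an OpenMetadata user name and e-mail from the
 * assertion's NameID, issues an OpenMetadata JWT for that user and redirects the browser
 * to the configured relay state with the token in the query string.
 */
public class SamlAssertionConsumerServlet extends HttpServlet {
    private static final Logger LOG = LoggerFactory.getLogger(SamlAssertionConsumerServlet.class);

    /**
     * Admin principals from the authorizer configuration. Consulted only when the NameID does
     * not resolve to an existing user entity, to decide whether the fallback token is an admin token.
     */
    private final Set<String> admins;

    /**
     * Creates the servlet.
     *
     * @param authorizerConfiguration source of the admin principal list; a {@code null} list is
     *     treated as empty so the fallback path cannot fail with an NPE
     */
    public SamlAssertionConsumerServlet(AuthorizerConfiguration authorizerConfiguration) {
        Set<String> configuredAdmins = authorizerConfiguration.getAdminPrincipals();
        this.admins = configuredAdmins == null ? Collections.emptySet() : configuredAdmins;
    }

    /**
     * Receives the IdP's POST of the SAML response.
     *
     * <p>Failures are logged with their stack trace (the original only logged
     * {@code getMessage()}) and, when nothing has been written yet, answered with a 500 so
     * the client does not receive an empty 200.
     */
    @Override
    protected void doPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            handleResponse(httpServletRequest, httpServletResponse);
        } catch (Exception e) {
            LOG.error("[SamlAssertionConsumerServlet] Exception while processing SAML response", e);
            // sendError is illegal once the response is committed (e.g. after an earlier redirect).
            if (!httpServletResponse.isCommitted()) {
                try {
                    httpServletResponse.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "SAML processing failed");
                } catch (IOException ioe) {
                    LOG.error("[SamlAssertionConsumerServlet] Failed to send error response", ioe);
                }
            }
        }
    }

    /**
     * Validates the SAML response and completes the login.
     *
     * <p>Steps: process the response with {@link Auth}; reject it with 403 if it is not
     * authenticated or with 500 if validation errors were recorded; derive the user name
     * (local part of the NameID) and e-mail (NameID, or {@code name@configuredDomain});
     * look the user up and mint a JWT; redirect to the relay state.
     *
     * @throws Exception any failure from the SAML library, the entity lookup or token generation
     */
    private void handleResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        Auth auth = new Auth(SamlSettingsHolder.getInstance().getSaml2Settings(), httpServletRequest, httpServletResponse);
        auth.processResponse();

        if (!auth.isAuthenticated()) {
            LOG.error("[SAML ACS] Not Authenticated: {}", auth.getLastErrorReason());
            httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "UnAuthenticated");
            // The original fell through here and kept processing a rejected response.
            return;
        }
        if (!auth.getErrors().isEmpty()) {
            String lastErrorReason = auth.getLastErrorReason();
            // A missing reason used to return silently (empty 200); always answer the client.
            String reason = (lastErrorReason == null || lastErrorReason.isEmpty())
                    ? "SAML response validation failed"
                    : lastErrorReason;
            LOG.error("[SAML ACS] {}", reason);
            httpServletResponse.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, reason);
            return;
        }

        String nameId = auth.getNameId();
        if (nameId == null || nameId.isEmpty()) {
            // Without a NameID there is no principal to issue a token for.
            LOG.error("[SAML ACS] Assertion carries no NameID");
            httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing NameID");
            return;
        }

        // User name is the local part of the NameID; e-mail is the NameID itself or
        // "<name>@<configured domain>" when the NameID carries no domain.
        String userName;
        String email;
        int atIndex = nameId.indexOf('@');
        if (atIndex >= 0) {
            userName = nameId.substring(0, atIndex);
            email = nameId;
        } else {
            userName = nameId;
            email = String.format("%s@%s", userName, SamlSettingsHolder.getInstance().getDomain());
        }

        // Lookup failure and token generation are kept apart so a signing error is not
        // mistaken for "user not found" and silently retried on the fallback path.
        User user = null;
        try {
            user = (User) Entity.getEntityByName(Entity.USER, userName, "id,roles", Include.NON_DELETED);
        } catch (Exception e) {
            LOG.error("[SAML ACS] User not found: {}", userName, e);
        }

        JWTAuthMechanism jwt;
        long tokenValidity = SamlSettingsHolder.getInstance().getTokenValidity();
        if (user != null) {
            boolean isAdmin = !CommonUtil.nullOrEmpty(user.getIsAdmin()) && user.getIsAdmin().booleanValue();
            jwt = JWTTokenGenerator.getInstance().generateJWTToken(userName, UserUtil.getRoleListFromUser(user), isAdmin,
                    user.getEmail(), tokenValidity, false, ServiceTokenType.OM_USER);
        } else {
            // No entity for this principal: token carries no roles; admin only if configured as such.
            jwt = JWTTokenGenerator.getInstance().generateJWTToken(userName, new HashSet<>(), this.admins.contains(userName),
                    email, tokenValidity, false, ServiceTokenType.OM_USER);
        }

        // Query parameters come from the assertion, so encode them instead of concatenating raw.
        // Note the token travels in the redirect URL and can therefore land in browser history and
        // access logs of the relay-state host.
        String redirectUrl = SamlSettingsHolder.getInstance().getRelayState()
                + "?id_token=" + URLEncoder.encode(jwt.getJWTToken(), StandardCharsets.UTF_8.name())
                + "&email=" + URLEncoder.encode(nameId, StandardCharsets.UTF_8.name())
                + "&name=" + URLEncoder.encode(userName, StandardCharsets.UTF_8.name());
        httpServletResponse.sendRedirect(redirectUrl);
    }
}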
