package com.amazon.redshift.plugin;

import com.amazon.redshift.CredentialsHolder;
import com.amazon.redshift.IPlugin;
import com.amazon.redshift.RedshiftProperty;
import com.amazon.redshift.httpclient.log.IamCustomLogFactory;
import com.amazon.redshift.logger.RedshiftLogger;
import com.amazon.redshift.plugin.utils.RequestUtils;
import com.amazon.redshift.ssl.NonValidatingFactory;
import com.amazonaws.ClientConfiguration;
import com.amazonaws.SdkClientException;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.AnonymousAWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleWithSAMLRequest;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.amazonaws.util.StringUtils;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.logging.LogFactory;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.client.LaxRedirectStrategy;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

/* loaded from: input_file:com/amazon/redshift/plugin/SamlCredentialsProvider.class */
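/**
 * Base class for credential plugins that obtain a SAML assertion from an identity provider,
 * exchange it for temporary AWS credentials via STS {@code AssumeRoleWithSAML}, and cache the
 * result.
 *
 * <p>Subclasses implement {@link #getSamlAssertion()} (the IdP-specific login flow) and may
 * contribute to the cache key through {@link #getPluginSpecificCacheKey()}.
 *
 * <p>Thread-safety: {@link #refresh()} is serialised per instance by {@code m70getCredentials()};
 * the credential cache itself is a process-wide synchronized map shared by all instances.
 */
public abstract class SamlCredentialsProvider implements IPlugin {
    /** Connection-property keys understood by every SAML-based plugin. */
    protected static final String KEY_IDP_HOST = "idp_host";
    private static final String KEY_IDP_PORT = "idp_port";
    private static final String KEY_DURATION = "duration";
    private static final String KEY_PREFERRED_ROLE = "preferred_role";
    private static final String KEY_SSL_INSECURE = "ssl_insecure";

    /** Resources used to substitute the driver's own commons-logging {@code LogFactory}. */
    private static final String LOG_PROPERTIES_FILE_NAME = "log-factory.properties";
    private static final String LOG_PROPERTIES_FILE_PATH = "META-INF/services/org.apache.commons.logging.LogFactory";
    private static final Class<?> CUSTOM_LOG_FACTORY_CLASS = IamCustomLogFactory.class;

    /** Socket and connect timeout for the IdP HTTP client, in milliseconds. */
    private static final int HTTP_TIMEOUT_MS = 60000;

    /** ARN shapes that appear, comma-separated, in the AWS {@code Role} SAML attribute. */
    private static final Pattern SAML_PROVIDER_ARN = Pattern.compile("arn:aws[-a-z]*:iam::\\d*:saml-provider/\\S+");
    private static final Pattern ROLE_ARN = Pattern.compile("arn:aws[-a-z]*:iam::\\d*:role/\\S+");

    /** Namespace-agnostic XPath selecting the text of every AWS Role attribute value. */
    private static final String ROLE_ATTRIBUTE_XPATH =
            "//*[local-name()='Attribute'][@Name='https://aws.amazon.com/SAML/Attributes/Role']/*[local-name()='AttributeValue']/text()";

    /** Redshift-specific SAML attribute names read into {@link CredentialsHolder.IamMetadata}. */
    private static final String ATTR_ALLOW_DB_USER_OVERRIDE = "https://redshift.amazon.com/SAML/Attributes/AllowDbUserOverride";
    private static final String ATTR_DB_USER = "https://redshift.amazon.com/SAML/Attributes/DbUser";
    private static final String ATTR_ROLE_SESSION_NAME = "https://aws.amazon.com/SAML/Attributes/RoleSessionName";
    private static final String ATTR_AUTO_CREATE = "https://redshift.amazon.com/SAML/Attributes/AutoCreate";
    private static final String ATTR_DB_GROUPS = "https://redshift.amazon.com/SAML/Attributes/DbGroups";
    private static final String ATTR_FORCE_LOWERCASE = "https://redshift.amazon.com/SAML/Attributes/ForceLowercase";

    /** HTML form scraping helpers: self-closing {@code <input .../>} tags and the form action URL. */
    private static final Pattern INPUT_TAG = Pattern.compile("<input(.+?)/>", Pattern.DOTALL);
    private static final Pattern FORM_ACTION = Pattern.compile("<form.*?action=\"([^\"]+)\"");

    /** Entity -> replacement table used by {@link #escapeHtmlEntity(String)} (first match wins). */
    private static final String[][] HTML_ENTITIES = {
        {"&amp;", "&"},
        {"&apos;", "'"},
        {"&quot;", "\""},
        {"&lt;", "<"},
        {"&gt;", ">"},
    };

    /**
     * Process-wide credential cache keyed by {@link #getCacheKey()}. It is shared across
     * instances (and threads), and the per-instance {@code synchronized} in getCredentials does
     * not cover it, so the map itself must be thread-safe.
     */
    private static final Map<String, CredentialsHolder> m_cache =
            Collections.synchronizedMap(new HashMap<String, CredentialsHolder>());

    /**
     * Context class loader installed while talking to STS so that commons-logging inside the
     * AWS SDK resolves to the driver's own {@code LogFactory} instead of whatever the
     * application configured.
     */
    private static final ClassLoader CONTEXT_CLASS_LOADER = new ClassLoader(SamlCredentialsProvider.class.getClassLoader()) {
        @Override
        public Class<?> loadClass(String name) throws ClassNotFoundException {
            Class<?> resolved = getParent().loadClass(name);
            // Any LogFactory implementation is replaced by the driver's custom one.
            if (LogFactory.class.isAssignableFrom(resolved)) {
                return CUSTOM_LOG_FACTORY_CLASS;
            }
            return resolved;
        }

        @Override
        public Enumeration<URL> getResources(String name) throws IOException {
            // Hide any application-level commons-logging configuration.
            if ("commons-logging.properties".equals(name)) {
                return Collections.emptyEnumeration();
            }
            return super.getResources(name);
        }

        @Override
        public URL getResource(String name) {
            // Answer the service-loader lookup with the driver's bundled properties file.
            if (LOG_PROPERTIES_FILE_PATH.equals(name)) {
                return SamlCredentialsProvider.class.getResource(LOG_PROPERTIES_FILE_NAME);
            }
            return super.getResource(name);
        }
    };

    protected String m_userName;
    protected String m_password;
    protected String m_idpHost;
    protected int m_idpPort = 443;
    protected int m_duration;
    protected String m_preferredRole;
    protected boolean m_sslInsecure;
    protected String m_dbUser;
    protected String m_dbGroups;
    protected String m_dbGroupsFilter;
    protected Boolean m_forceLowercase;
    protected Boolean m_autoCreate;
    protected String m_stsEndpoint;
    protected String m_region;
    protected Boolean m_disableCache = false;
    protected RedshiftLogger m_log;

    /** Result of the most recent {@link #refresh()} when caching is disabled; consumed once. */
    private CredentialsHolder m_lastRefreshCredentials;

    /**
     * Obtains the (base64-encoded) SAML assertion from the identity provider.
     *
     * @return the assertion exactly as it will be sent to STS
     * @throws IOException if the IdP cannot be reached or the login flow fails
     */
    protected abstract String getSamlAssertion() throws IOException;

    /**
     * Receives one connection property. Keys are matched case-insensitively; unknown keys are
     * ignored. Numeric keys ({@code idp_port}, {@code duration}) throw
     * {@link NumberFormatException} on non-numeric values.
     *
     * @param str  property name
     * @param str2 property value
     */
    @Override
    public void addParameter(String str, String str2) {
        if (RedshiftLogger.isEnable()) {
            this.m_log.logDebug("key: {0}", str);
        }
        if (isKey(str, RedshiftProperty.UID.getName()) || isKey(str, RedshiftProperty.USER.getName())) {
            this.m_userName = str2;
        } else if (isKey(str, RedshiftProperty.PWD.getName()) || isKey(str, RedshiftProperty.PASSWORD.getName())) {
            this.m_password = str2;
        } else if (isKey(str, KEY_IDP_HOST)) {
            this.m_idpHost = str2;
        } else if (isKey(str, KEY_IDP_PORT)) {
            this.m_idpPort = Integer.parseInt(str2);
        } else if (isKey(str, KEY_DURATION)) {
            this.m_duration = Integer.parseInt(str2);
        } else if (isKey(str, KEY_PREFERRED_ROLE)) {
            this.m_preferredRole = str2;
        } else if (isKey(str, KEY_SSL_INSECURE)) {
            this.m_sslInsecure = Boolean.parseBoolean(str2);
        } else if (isKey(str, RedshiftProperty.DB_USER.getName())) {
            this.m_dbUser = str2;
        } else if (isKey(str, RedshiftProperty.DB_GROUPS.getName())) {
            this.m_dbGroups = str2;
        } else if (isKey(str, RedshiftProperty.DB_GROUPS_FILTER.getName())) {
            this.m_dbGroupsFilter = str2;
        } else if (isKey(str, RedshiftProperty.FORCE_LOWERCASE.getName())) {
            this.m_forceLowercase = Boolean.valueOf(str2);
        } else if (isKey(str, RedshiftProperty.USER_AUTOCREATE.getName())) {
            this.m_autoCreate = Boolean.valueOf(str2);
        } else if (isKey(str, RedshiftProperty.AWS_REGION.getName())) {
            this.m_region = str2;
        } else if (isKey(str, RedshiftProperty.STS_ENDPOINT_URL.getName())) {
            this.m_stsEndpoint = str2;
        } else if (isKey(str, RedshiftProperty.IAM_DISABLE_CACHE.getName())) {
            this.m_disableCache = Boolean.valueOf(str2);
        }
    }

    /** Case-insensitive property-name comparison used by {@link #addParameter(String, String)}. */
    private static boolean isKey(String key, String expected) {
        return expected.equalsIgnoreCase(key);
    }

    /** Installs the logger used by this plugin. */
    @Override
    public void setLogger(RedshiftLogger redshiftLogger) {
        this.m_log = redshiftLogger;
    }

    /**
     * Returns valid AWS credentials, refreshing through the IdP and STS when the cache is
     * disabled, empty, or holds an expired entry.
     *
     * <p>(The name is the decompiler's rendering of the {@code getCredentials} bridge method and
     * is kept unchanged.)
     *
     * @return a non-null holder; {@code dbUser} metadata is overridden with the configured
     *         {@code m_dbUser} when one is set
     * @throws SdkClientException if no credentials could be obtained
     */
    public CredentialsHolder m70getCredentials() {
        boolean useCache = !this.m_disableCache.booleanValue();
        CredentialsHolder holder = useCache ? m_cache.get(getCacheKey()) : null;
        if (holder == null || holder.isExpired()) {
            if (RedshiftLogger.isEnable()) {
                this.m_log.logInfo("SAML getCredentials NOT from cache", new Object[0]);
            }
            synchronized (this) {
                refresh();
                if (!useCache) {
                    // Hand the freshly fetched credentials over exactly once.
                    holder = this.m_lastRefreshCredentials;
                    this.m_lastRefreshCredentials = null;
                }
            }
        } else {
            holder.setRefresh(false);
            if (RedshiftLogger.isEnable()) {
                this.m_log.logInfo("SAML getCredentials from cache", new Object[0]);
            }
        }
        if (useCache) {
            holder = m_cache.get(getCacheKey());
        }
        // Check for a missing holder before dereferencing it; the original order produced an
        // NPE instead of the intended SdkClientException when m_dbUser was set.
        if (holder == null) {
            throw new SdkClientException("Unable to load AWS credentials from ADFS");
        }
        if (!StringUtils.isNullOrEmpty(this.m_dbUser)) {
            holder.getThisMetadata().setDbUser(this.m_dbUser);
        }
        if (RedshiftLogger.isEnable()) {
            this.m_log.logInfo(new Date() + ": Using entry for SamlCredentialsProvider.getCredentials cache with expiration " + holder.getExpiration(), new Object[0]);
        }
        return holder;
    }

    /**
     * Performs a full credential refresh: fetch the assertion, parse it, pick a role, call STS,
     * attach metadata, and store the result (in the shared cache, or in
     * {@code m_lastRefreshCredentials} when caching is disabled).
     *
     * <p>Every failure is surfaced as an {@link SdkClientException} prefixed with
     * {@code "SAML error: "}; the original cause is preserved. The context class loader is
     * swapped for {@link #CONTEXT_CLASS_LOADER} for the duration of the call and always restored.
     *
     * @throws SdkClientException on any parsing, role-selection, or STS failure
     */
    public void refresh() {
        Thread current = Thread.currentThread();
        ClassLoader previousLoader = current.getContextClassLoader();
        current.setContextClassLoader(CONTEXT_CLASS_LOADER);
        try {
            String samlAssertion = getSamlAssertion();
            if (RedshiftLogger.isEnable()) {
                // NOTE(review): the assertion is a bearer credential and this debug line writes
                // it to the log verbatim; keep debug logging off on shared or persisted logs.
                this.m_log.logDebug(String.format("SAML assertion: %s", samlAssertion), new Object[0]);
            }
            Document document = parse(Base64.decodeBase64(samlAssertion));
            Map<String, String> roleToProvider = extractRoles(document);
            if (roleToProvider.isEmpty()) {
                throw new SdkClientException("No role found in SamlAssertion: " + samlAssertion);
            }
            String roleArn;
            String principalArn;
            if (this.m_preferredRole != null) {
                roleArn = this.m_preferredRole;
                principalArn = roleToProvider.get(roleArn);
                if (principalArn == null) {
                    throw new SdkClientException("Preferred role not found in SamlAssertion: " + samlAssertion);
                }
            } else {
                // No preference: take the first role in assertion order (the map is insertion-ordered).
                Map.Entry<String, String> first = roleToProvider.entrySet().iterator().next();
                roleArn = first.getKey();
                principalArn = first.getValue();
            }
            CredentialsHolder fresh = assumeRoleWithSaml(samlAssertion, roleArn, principalArn);
            fresh.setMetadata(readMetadata(document));
            fresh.setRefresh(true);
            if (this.m_disableCache.booleanValue()) {
                this.m_lastRefreshCredentials = fresh;
            } else {
                m_cache.put(getCacheKey(), fresh);
            }
        } catch (Exception e) {
            // IOException, SAXException, ParserConfigurationException, XPathExpressionException and
            // SDK failures are all reported the same way; a single handler avoids wrapping twice.
            if (RedshiftLogger.isEnable()) {
                this.m_log.logError(e);
            }
            throw new SdkClientException("SAML error: " + e.getMessage(), e);
        } finally {
            current.setContextClassLoader(previousLoader);
        }
    }

    /**
     * Collects the role -> SAML-provider ARN pairs from the assertion's AWS Role attribute.
     * Values that do not contain both a role ARN and a provider ARN are skipped.
     *
     * @return an insertion-ordered map, empty when the attribute is absent
     */
    private static Map<String, String> extractRoles(Document document) throws XPathExpressionException {
        NodeList values = (NodeList) XPathFactory.newInstance().newXPath()
                .compile(ROLE_ATTRIBUTE_XPATH).evaluate(document, XPathConstants.NODESET);
        Map<String, String> roleToProvider = new LinkedHashMap<String, String>();
        if (values == null) {
            return roleToProvider;
        }
        for (int i = 0; i < values.getLength(); i++) {
            String[] parts = values.item(i).getNodeValue().split(",");
            if (parts.length < 2) {
                continue;
            }
            String providerArn = null;
            String roleArn = null;
            for (String part : parts) {
                Matcher provider = SAML_PROVIDER_ARN.matcher(part);
                if (provider.find()) {
                    providerArn = provider.group(0);
                    continue;
                }
                Matcher role = ROLE_ARN.matcher(part);
                if (role.find()) {
                    roleArn = role.group(0);
                }
            }
            if (!StringUtils.isNullOrEmpty(roleArn) && !StringUtils.isNullOrEmpty(providerArn)) {
                roleToProvider.put(roleArn, providerArn);
            }
        }
        return roleToProvider;
    }

    /**
     * Exchanges the assertion for temporary credentials through STS {@code AssumeRoleWithSAML}.
     *
     * @param samlAssertion base64 assertion as received from the IdP
     * @param roleArn       role to assume
     * @param principalArn  SAML provider ARN paired with the role
     * @return holder wrapping the session credentials and their expiration
     */
    private CredentialsHolder assumeRoleWithSaml(String samlAssertion, String roleArn, String principalArn) {
        AssumeRoleWithSAMLRequest request = new AssumeRoleWithSAMLRequest();
        request.setSAMLAssertion(samlAssertion);
        request.setRoleArn(roleArn);
        request.setPrincipalArn(principalArn);
        if (this.m_duration > 0) {
            request.setDurationSeconds(Integer.valueOf(this.m_duration));
        }
        // The call is unsigned: the assertion itself is the proof of identity.
        AWSStaticCredentialsProvider anonymous = new AWSStaticCredentialsProvider(new AnonymousAWSCredentials());
        AWSSecurityTokenServiceClientBuilder builder = AWSSecurityTokenServiceClientBuilder.standard();
        // Clears any client configuration before RequestUtils.buildSts applies its own (as in the original).
        builder.withClientConfiguration((ClientConfiguration) null);
        Credentials sts = RequestUtils.buildSts(this.m_stsEndpoint, this.m_region, builder, anonymous, this.m_log)
                .assumeRoleWithSAML(request)
                .getCredentials();
        return CredentialsHolder.newInstance(
                new BasicSessionCredentials(sts.getAccessKeyId(), sts.getSecretAccessKey(), sts.getSessionToken()),
                sts.getExpiration());
    }

    /** Plugins may append IdP-specific state to the cache key; the base class adds nothing. */
    @Override
    public String getPluginSpecificCacheKey() {
        return "";
    }

    /**
     * Builds the key under which credentials are cached.
     *
     * <p>NOTE(review): the key is a plain concatenation that includes the password, so the
     * password string is retained in the static cache map for the life of the entry.
     */
    private String getCacheKey() {
        return this.m_userName + this.m_password + this.m_idpHost + this.m_idpPort + this.m_duration + this.m_preferredRole + getPluginSpecificCacheKey();
    }

    /**
     * Reads the Redshift-specific attributes (DbUser, DbGroups, AutoCreate, ...) out of the
     * assertion. Absent attributes leave the corresponding metadata field untouched.
     *
     * @throws XPathExpressionException if an attribute lookup fails
     */
    private CredentialsHolder.IamMetadata readMetadata(Document document) throws XPathExpressionException {
        CredentialsHolder.IamMetadata metadata = new CredentialsHolder.IamMetadata();
        XPath xpath = XPathFactory.newInstance().newXPath();

        List<String> allowOverride = getSamlAttributeValues(xpath, document, ATTR_ALLOW_DB_USER_OVERRIDE);
        if (!allowOverride.isEmpty()) {
            metadata.setAllowDbUserOverride(Boolean.valueOf(allowOverride.get(0)).booleanValue());
        }

        // DbUser wins; RoleSessionName is the fallback.
        List<String> dbUser = getSamlAttributeValues(xpath, document, ATTR_DB_USER);
        if (!dbUser.isEmpty()) {
            metadata.setSamlDbUser(dbUser.get(0));
        } else {
            List<String> sessionName = getSamlAttributeValues(xpath, document, ATTR_ROLE_SESSION_NAME);
            if (!sessionName.isEmpty()) {
                metadata.setSamlDbUser(sessionName.get(0));
            }
        }

        List<String> autoCreate = getSamlAttributeValues(xpath, document, ATTR_AUTO_CREATE);
        if (!autoCreate.isEmpty()) {
            metadata.setAutoCreate(Boolean.valueOf(autoCreate.get(0)));
        }

        List<String> groups = getSamlAttributeValues(xpath, document, ATTR_DB_GROUPS);
        if (!groups.isEmpty()) {
            List<String> kept = filterOutGroups(groups);
            if (!kept.isEmpty()) {
                metadata.setDbGroups(joinWithComma(kept));
            }
        }

        List<String> forceLowercase = getSamlAttributeValues(xpath, document, ATTR_FORCE_LOWERCASE);
        if (!forceLowercase.isEmpty()) {
            metadata.setForceLowercase(Boolean.valueOf(forceLowercase.get(0)).booleanValue());
        }
        return metadata;
    }

    /** Joins values with {@code ','} and no surrounding whitespace. */
    private static String joinWithComma(List<String> values) {
        StringBuilder sb = new StringBuilder();
        for (String value : values) {
            if (sb.length() > 0) {
                sb.append(',');
            }
            sb.append(value);
        }
        return sb.toString();
    }

    /**
     * Drops every group that fully matches the {@code m_dbGroupsFilter} regular expression.
     *
     * @param list groups from the assertion
     * @return the input itself when no filter is configured, else a new list of the survivors
     */
    private List<String> filterOutGroups(List<String> list) {
        if (this.m_dbGroupsFilter == null) {
            return list;
        }
        Pattern filter = Pattern.compile(this.m_dbGroupsFilter);
        List<String> kept = new ArrayList<String>();
        for (String group : list) {
            if (RedshiftLogger.isEnable()) {
                this.m_log.logDebug("Check group {0} with regexp {1}", group, this.m_dbGroupsFilter);
            }
            if (!filter.matcher(group).matches()) {
                if (RedshiftLogger.isEnable()) {
                    this.m_log.logDebug("Add {0} to dbgroups", group);
                }
                kept.add(group);
            }
        }
        return kept;
    }

    /**
     * Parses the decoded assertion with a hardened, namespace-unaware DOM builder.
     *
     * <p>DOCTYPE declarations, XInclude, entity expansion and external entities are disabled
     * (XXE defence), and secure processing is enabled. Namespace awareness is deliberately left
     * off because the metadata XPaths match unqualified element names.
     */
    private static Document parse(byte[] bArr) throws IOException, SAXException, ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        return factory.newDocumentBuilder().parse(new ByteArrayInputStream(bArr));
    }

    /**
     * Returns the text of every {@code AttributeValue} under the attribute named {@code str}.
     * The name is interpolated into an XPath literal, so it must be one of the trusted constants
     * above, never external input.
     *
     * @return an immutable empty list when the attribute is absent
     */
    private static List<String> getSamlAttributeValues(XPath xPath, Document document, String str) throws XPathExpressionException {
        NodeList nodes = (NodeList) xPath.compile(String.format("//Attribute[@Name='%s']/AttributeValue/text()", str))
                .evaluate(document, XPathConstants.NODESET);
        if (nodes == null || nodes.getLength() == 0) {
            return Collections.emptyList();
        }
        List<String> values = new ArrayList<String>(nodes.getLength());
        for (int i = 0; i < nodes.getLength(); i++) {
            values.add(nodes.item(i).getNodeValue());
        }
        return values;
    }

    /**
     * Creates the HTTP client used to talk to the identity provider.
     *
     * <p>When {@code ssl_insecure} is set, certificate validation and hostname verification are
     * both disabled, which allows an on-path party to read the IdP credentials in transit; the
     * option exists for test environments only.
     *
     * @throws GeneralSecurityException if the insecure TLS context cannot be initialised
     */
    public CloseableHttpClient getHttpClient() throws GeneralSecurityException {
        RequestConfig requestConfig = RequestConfig.custom()
                .setSocketTimeout(HTTP_TIMEOUT_MS)
                .setConnectTimeout(HTTP_TIMEOUT_MS)
                .setExpectContinueEnabled(false)
                .setCookieSpec("standard")
                .build();
        HttpClientBuilder builder = HttpClients.custom()
                .setDefaultRequestConfig(requestConfig)
                .setRedirectStrategy(new LaxRedirectStrategy())
                .useSystemProperties();
        if (this.m_sslInsecure) {
            SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
            sslContext.init(null, new TrustManager[]{new NonValidatingFactory.NonValidatingTM()}, null);
            builder.setSSLSocketFactory(new SSLConnectionSocketFactory(sslContext.getSocketFactory(), new NoopHostnameVerifier()));
        }
        return builder.build();
    }

    /**
     * Extracts the self-closing {@code <input .../>} tags of an HTML page, keeping only the
     * first tag for each (case-insensitive) {@code name} and skipping unnamed inputs.
     *
     * @param str raw HTML
     * @return the matched tags in document order
     */
    public List<String> getInputTagsfromHTML(String str) {
        HashSet<String> seenNames = new HashSet<String>();
        List<String> tags = new ArrayList<String>();
        Matcher matcher = INPUT_TAG.matcher(str);
        while (matcher.find()) {
            String tag = matcher.group(0);
            // Locale.ROOT keeps the comparison stable regardless of the JVM default locale.
            String name = getValueByKey(tag, "name").toLowerCase(Locale.ROOT);
            if (!name.isEmpty() && seenNames.add(name)) {
                tags.add(tag);
            }
        }
        return tags;
    }

    /**
     * Returns the (entity-decoded) {@code action} of the first form in the page, or
     * {@code null} when there is none.
     */
    public String getFormAction(String str) {
        Matcher matcher = FORM_ACTION.matcher(str);
        return matcher.find() ? escapeHtmlEntity(matcher.group(1)) : null;
    }

    /**
     * Returns the double-quoted value of attribute {@code str2} inside tag text {@code str},
     * entity-decoded, or {@code ""} when absent.
     */
    public String getValueByKey(String str, String str2) {
        Pattern attribute = Pattern.compile("(" + Pattern.quote(str2) + ")\\s*=\\s*\"(.*?)\"");
        Matcher matcher = attribute.matcher(str);
        return matcher.find() ? escapeHtmlEntity(matcher.group(2)) : "";
    }

    /**
     * Decodes the five basic HTML entities ({@code &amp; &apos; &quot; &lt; &gt;}); any other
     * {@code &} sequence is copied through unchanged. (Despite its name this method
     * <em>un</em>escapes; the name is kept for subclasses.)
     */
    protected String escapeHtmlEntity(String str) {
        StringBuilder out = new StringBuilder(str.length());
        int length = str.length();
        int i = 0;
        while (i < length) {
            char c = str.charAt(i);
            if (c != '&') {
                out.append(c);
                i++;
                continue;
            }
            String[] entity = null;
            for (String[] candidate : HTML_ENTITIES) {
                if (str.startsWith(candidate[0], i)) {
                    entity = candidate;
                    break;
                }
            }
            if (entity == null) {
                out.append(c);
                i++;
            } else {
                out.append(entity[1]);
                i += entity[0].length();
            }
        }
        return out.toString();
    }

    /**
     * Verifies that user name, password and IdP host are all present.
     *
     * @throws IOException naming the first missing property
     */
    public void checkRequiredParameters() throws IOException {
        if (StringUtils.isNullOrEmpty(this.m_userName)) {
            throw new IOException("Missing required property: " + RedshiftProperty.USER.getName());
        }
        if (StringUtils.isNullOrEmpty(this.m_password)) {
            throw new IOException("Missing required property: " + RedshiftProperty.PASSWORD.getName());
        }
        if (StringUtils.isNullOrEmpty(this.m_idpHost)) {
            throw new IOException("Missing required property: " + KEY_IDP_HOST);
        }
    }

    /** True when the input tag's {@code type} attribute is exactly {@code text}. */
    public boolean isText(String str) {
        return "text".equals(getValueByKey(str, "type"));
    }

    /** True when the input tag's {@code type} attribute is exactly {@code password}. */
    public boolean isPassword(String str) {
        return "password".equals(getValueByKey(str, "type"));
    }
}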
