package com.amazon.redshift.plugin;

import com.amazon.redshift.RedshiftProperty;
import com.amazon.redshift.logger.LogLevel;
import com.amazon.redshift.logger.RedshiftLogger;
import com.amazonaws.SdkClientException;
import com.amazonaws.util.IOUtils;
import com.amazonaws.util.StringUtils;
import com.amazonaws.util.json.Jackson;
import com.fasterxml.jackson.databind.JsonNode;
import java.io.Closeable;
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.logging.Log;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.util.EntityUtils;

/* loaded from: input_file:com/amazon/redshift/plugin/AzureCredentialsProvider.class */
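/**
 * SAML credentials provider that obtains a SAML assertion from Azure AD.
 *
 * <p>The assertion is requested from the tenant's {@code /oauth2/token} endpoint with the
 * resource-owner-password grant ({@code grant_type=password}) and the SAML2 token type, then
 * wrapped in a {@code samlp:Response} envelope and returned Base64-encoded so the base class can
 * exchange it for Redshift credentials.
 *
 * <p>Plugin-specific connection properties handled here are {@code idp_tenant},
 * {@code client_id} and {@code client_secret}; every other key is delegated to
 * {@link SamlCredentialsProvider#addParameter(String, String)}. The user name and password are
 * inherited fields ({@code m_userName}, {@code m_password}) populated by the superclass.
 */
public class AzureCredentialsProvider extends SamlCredentialsProvider {
    private static final String KEY_IDP_TENANT = "idp_tenant";
    private static final String KEY_CLIENT_SECRET = "client_secret";
    private static final String KEY_CLIENT_ID = "client_id";

    private static final String AZURE_LOGIN_BASE = "https://login.microsoftonline.com/";
    private static final String TOKEN_PATH = "/oauth2/token";

    /** Envelope that turns a bare SAML assertion into a successful {@code samlp:Response}. */
    private static final String SAML_RESPONSE_PREFIX =
            "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"><samlp:Status>"
            + "<samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></samlp:Status>";
    private static final String SAML_RESPONSE_SUFFIX = "</samlp:Response>";

    /** Fixed charset for the form body and the SAML envelope; never the platform default. */
    private static final Charset UTF_8 = Charset.forName("UTF-8");

    private String m_idpTenant;
    private String m_clientSecret;
    private String m_clientId;

    /**
     * Validates that every property the Azure flow needs is present, then performs the token
     * request.
     *
     * @return the Base64-encoded {@code samlp:Response} built around the assertion Azure returned
     * @throws IOException if a required property is missing, the HTTP exchange fails, Azure
     *     returns a non-200 status, or the response carries no usable {@code access_token}
     */
    @Override // com.amazon.redshift.plugin.SamlCredentialsProvider
    protected String getSamlAssertion() throws IOException {
        // Checked in the same order as before so the first missing property is reported.
        requireNonEmpty(this.m_idpTenant, KEY_IDP_TENANT);
        requireNonEmpty(this.m_userName,
                RedshiftProperty.UID.getName() + " or " + RedshiftProperty.USER.getName());
        requireNonEmpty(this.m_password,
                RedshiftProperty.PWD.getName() + " or " + RedshiftProperty.PASSWORD.getName());
        requireNonEmpty(this.m_clientSecret, KEY_CLIENT_SECRET);
        requireNonEmpty(this.m_clientId, KEY_CLIENT_ID);
        return azureOauthBasedAuthentication();
    }

    /**
     * Throws the standard "missing property" error when {@code value} is null or empty.
     *
     * @param value the property value to check
     * @param description the property name(s) to name in the error message
     * @throws IOException if {@code value} is null or empty
     */
    private static void requireNonEmpty(String value, String description) throws IOException {
        if (StringUtils.isNullOrEmpty(value)) {
            throw new IOException("Missing required property: " + description);
        }
    }

    /**
     * Stores an Azure-specific property or delegates unknown keys to the superclass.
     *
     * <p>Key comparison is case-insensitive. Only the key is logged, deliberately: the value may
     * be the client secret.
     *
     * @param str the property key
     * @param str2 the property value
     */
    @Override // com.amazon.redshift.plugin.SamlCredentialsProvider, com.amazon.redshift.IPlugin
    public void addParameter(String str, String str2) {
        if (RedshiftLogger.isEnable()) {
            this.m_log.logDebug("key: {0}", str);
        }
        if (KEY_IDP_TENANT.equalsIgnoreCase(str)) {
            this.m_idpTenant = str2;
        } else if (KEY_CLIENT_SECRET.equalsIgnoreCase(str)) {
            this.m_clientSecret = str2;
        } else if (KEY_CLIENT_ID.equalsIgnoreCase(str)) {
            this.m_clientId = str2;
        } else {
            super.addParameter(str, str2);
        }
    }

    /**
     * Returns the part of the credential-cache key that is specific to this plugin: tenant,
     * client id and client secret concatenated, with {@code null} treated as {@code ""}.
     *
     * <p>NOTE(review): the client secret is embedded in plaintext, so the resulting key must
     * never be logged or persisted. The three parts are joined without a delimiter, so a boundary
     * shift between tenant and client id produces the same key; the format is kept unchanged here
     * because the superclass composes the full key outside this file.
     *
     * @return the concatenated, possibly empty, cache-key fragment
     */
    @Override // com.amazon.redshift.plugin.SamlCredentialsProvider, com.amazon.redshift.IPlugin
    public String getPluginSpecificCacheKey() {
        return nullToEmpty(this.m_idpTenant) + nullToEmpty(this.m_clientId) + nullToEmpty(this.m_clientSecret);
    }

    /** Returns {@code ""} for {@code null}, otherwise the value itself. */
    private static String nullToEmpty(String value) {
        return value != null ? value : "";
    }

    /**
     * Performs the resource-owner-password token request against the tenant's token endpoint
     * and converts the returned SAML assertion into a Base64 {@code samlp:Response}.
     *
     * <p>Both the HTTP client and the response are closed in {@code finally}, on success and on
     * every failure path; the previous version closed them only on the success path.
     *
     * @return the Base64-encoded SAML response envelope
     * @throws IOException on transport failure, a non-200 status, or a missing/empty access token
     * @throws SdkClientException if the TLS context for the HTTP client cannot be created
     */
    private String azureOauthBasedAuthentication() throws IOException, SdkClientException {
        String tokenUrl = AZURE_LOGIN_BASE + this.m_idpTenant + TOKEN_PATH;
        if (RedshiftLogger.isEnable()) {
            this.m_log.logDebug("uri: {0}", tokenUrl);
        }
        // m_idpTenant is caller-supplied and spliced into the request target; validateURL (defined
        // in the superclass, not visible here) is the only guard. NOTE(review): confirm it rejects
        // values that would alter the host or path of the fixed login endpoint.
        validateURL(tokenUrl);

        CloseableHttpClient httpClient = null;
        CloseableHttpResponse response = null;
        try {
            httpClient = getHttpClient();
            HttpPost post = new HttpPost(tokenUrl);
            post.addHeader("Content-Type", "application/x-www-form-urlencoded");
            post.addHeader("Accept", "application/json");
            post.setEntity(new UrlEncodedFormEntity(buildTokenRequestForm(), UTF_8));

            response = httpClient.execute(post);
            String body = EntityUtils.toString(response.getEntity());
            // Parsed before the status check because the error branch also reads JSON; a
            // non-JSON error body (e.g. from a proxy) presumably fails here rather than below.
            JsonNode json = Jackson.jsonNodeOf(body);

            if (response.getStatusLine().getStatusCode() != 200) {
                if (RedshiftLogger.isEnable()) {
                    this.m_log.log(LogLevel.DEBUG, "azureOauthBasedAuthentication https response: " + body, new Object[0]);
                }
                throw new IOException(describeTokenError(json));
            }
            if (RedshiftLogger.isEnable()) {
                // Tokens are masked before the body reaches the log.
                this.m_log.log(LogLevel.DEBUG, "content:" + maskTokens(body), new Object[0]);
            }
            return wrapAsSamlResponse(extractAccessToken(json));
        } catch (GeneralSecurityException e) {
            throw new SdkClientException("Failed to create SSLContext", e);
        } finally {
            // closeQuietly tolerates null, so partially initialised state is safe here.
            IOUtils.closeQuietly(response, (Log) null);
            IOUtils.closeQuietly(httpClient, (Log) null);
        }
    }

    /**
     * Builds the form parameters for the ROPC token request. The user password and client secret
     * go into the request body; the resource is the client id itself.
     *
     * @return the seven form fields in request order
     */
    private ArrayList<BasicNameValuePair> buildTokenRequestForm() {
        ArrayList<BasicNameValuePair> form = new ArrayList<BasicNameValuePair>(7);
        form.add(new BasicNameValuePair("grant_type", "password"));
        form.add(new BasicNameValuePair("requested_token_type", "urn:ietf:params:oauth:token-type:saml2"));
        form.add(new BasicNameValuePair("username", this.m_userName));
        form.add(new BasicNameValuePair("password", this.m_password));
        form.add(new BasicNameValuePair(KEY_CLIENT_SECRET, this.m_clientSecret));
        form.add(new BasicNameValuePair(KEY_CLIENT_ID, this.m_clientId));
        form.add(new BasicNameValuePair("resource", this.m_clientId));
        return form;
    }

    /**
     * Produces the exception message for a non-200 token response.
     *
     * <p>Uses Azure's {@code error_description} (CRLF flattened to spaces), prefixed by the
     * {@code error} code when present; falls back to a generic message when neither is usable.
     *
     * @param json the parsed error response
     * @return a single-line, human-readable failure description
     */
    private static String describeTokenError(JsonNode json) {
        String message = "Authentication failed on the Azure server. Please check the tenant, user, password, client secret, and client id.";
        JsonNode description = json.findValue("error_description");
        if (description != null && !StringUtils.isNullOrEmpty(description.textValue())) {
            String flattened = description.textValue().replaceAll("\r\n", " ");
            JsonNode code = json.findValue("error");
            if (code == null || StringUtils.isNullOrEmpty(code.textValue())) {
                message = "Unexpected response: " + flattened;
            } else {
                message = code.textValue() + ": " + flattened;
            }
        }
        return message;
    }

    /**
     * Replaces the {@code access_token} and {@code refresh_token} values in a raw JSON body with a
     * masked placeholder for debug logging.
     *
     * @param body the raw response body
     * @return the body with both token values masked
     */
    private String maskTokens(String body) {
        return body
                .replaceAll(getRegexForJsonKey("access_token"), "$1***masked***\"")
                .replaceAll(getRegexForJsonKey("refresh_token"), "$1***masked***\"");
    }

    /**
     * Extracts the non-empty {@code access_token} text from a successful token response.
     *
     * @param json the parsed 200 response
     * @return the token value, which the caller treats as a Base64-encoded SAML assertion
     * @throws IOException if the field is absent or empty
     */
    private static String extractAccessToken(JsonNode json) throws IOException {
        JsonNode tokenNode = json.findValue("access_token");
        if (tokenNode == null) {
            throw new IOException("Failed to find Azure access_token");
        }
        String token = tokenNode.textValue();
        if (StringUtils.isNullOrEmpty(token)) {
            throw new IOException("Invalid Azure access_token response");
        }
        return token;
    }

    /**
     * Decodes the Base64 assertion, wraps it in a success {@code samlp:Response} and re-encodes
     * the whole envelope as Base64. UTF-8 is used explicitly on both sides (the previous
     * {@code getBytes()} used the platform charset).
     *
     * <p>NOTE(review): commons-codec's {@code decodeBase64} is lenient and drops characters it
     * does not recognise rather than failing, so a malformed token surfaces later as a SAML
     * parse error, not here.
     *
     * @param base64Assertion the {@code access_token} value as returned by Azure
     * @return the Base64-encoded {@code samlp:Response}
     */
    private static String wrapAsSamlResponse(String base64Assertion) {
        String assertion = new String(Base64.decodeBase64(base64Assertion), UTF_8);
        String envelope = SAML_RESPONSE_PREFIX + assertion + SAML_RESPONSE_SUFFIX;
        // Base64 output is ASCII, so the charset choice here cannot change the result.
        return new String(Base64.encodeBase64(envelope.getBytes(UTF_8)), UTF_8);
    }
}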
