package com.amazon.athena.jdbc.authentication;

import com.amazon.athena.jdbc.authentication.utils.AzureAdAuthUtils;
import com.amazon.athena.jdbc.configuration.ConnectionParameter;
import com.amazon.athena.jdbc.support.AuthenticationException;
import io.netty.handler.codec.http.HttpHeaders;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.function.Supplier;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.util.EntityUtils;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.core.internal.util.ChunkContentUtils;
import software.amazon.awssdk.protocols.jsoncore.JsonNode;
import software.amazon.awssdk.protocols.jsoncore.JsonNodeParser;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.lakeformation.LakeFormationClientBuilder;
import software.amazon.awssdk.services.lakeformation.model.AssumeDecoratedRoleWithSamlRequest;
import software.amazon.awssdk.services.sts.StsClientBuilder;
import software.amazon.awssdk.services.sts.model.AssumeRoleWithSamlRequest;
import software.amazon.awssdk.utils.StringUtils;

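/**
 * Obtains a SAML assertion from Azure AD and hands it to the {@link SamlCredentialsProvider}
 * base class, which exchanges it for AWS credentials.
 * <p>
 * The assertion is requested with the OAuth2 resource-owner password grant
 * ({@code grant_type=password}) against
 * {@code https://login.microsoftonline.com/<tenant>/oauth2/token}, asking for a SAML 2.0 token
 * type. The user password and the client secret therefore travel in the request body; this
 * class never copies either of them into an exception message.
 * <p>
 * Instances are immutable once built. Credential resolution itself is inherited from the base
 * class and is not overridden here.
 */
public class AzureAdCredentialsProvider extends SamlCredentialsProvider {
    private static final String URI_TEMPLATE = "https://login.microsoftonline.com/%s/oauth2/token";
    /** Line terminator collapsed out of Azure AD error descriptions before they go into a message. */
    private static final String CRLF = "\r\n";
    private static final int HTTP_OK = 200;

    private final String username;
    private final String password;
    private final String tenantId;
    private final String clientSecret;
    private final String clientId;
    private final Supplier<CloseableHttpClient> httpClientFactory;

    /**
     * Fluent builder for {@link AzureAdCredentialsProvider}.
     * <p>
     * The package-private setters allow the HTTP client and the AWS request/client factories to
     * be replaced (for example in tests); everything else is public configuration. No field is
     * validated here — missing values surface when the provider is used.
     */
    public static class Builder {
        private String username;
        private String password;
        private String tenantId;
        private String clientId;
        private String clientSecret;
        private String preferredRole;
        private Integer roleSessionDuration;
        private Region region;
        private boolean lakeFormationEnabled;
        private Supplier<CloseableHttpClient> httpClientFactory;
        private AssumeRoleWithSamlRequest.Builder assumeRoleWithSamlRequestFactory;
        private AssumeDecoratedRoleWithSamlRequest.Builder assumeDecoratedRoleWithSamlRequestFactory;
        private StsClientBuilder stsClientFactory;
        private LakeFormationClientBuilder lakeFormationClientFactory;
        private Map<ConnectionParameter<?>, String> parameters;

        /** Azure AD user principal name sent as the {@code username} form field. */
        public Builder username(String username) {
            this.username = username;
            return this;
        }

        /** Password for {@link #username(String)}; sent as the {@code password} form field. */
        public Builder password(String password) {
            this.password = password;
            return this;
        }

        /** Azure AD tenant identifier, interpolated into the token endpoint path. */
        public Builder tenantId(String tenantId) {
            this.tenantId = tenantId;
            return this;
        }

        /** Application (client) id; also used as the {@code resource} of the requested token. */
        public Builder clientId(String clientId) {
            this.clientId = clientId;
            return this;
        }

        /** Client secret of the application; sent as the {@code client_secret} form field. */
        public Builder clientSecret(String clientSecret) {
            this.clientSecret = clientSecret;
            return this;
        }

        /** Preferred role; passed through to the base class unchanged. */
        public Builder preferredRole(String preferredRole) {
            this.preferredRole = preferredRole;
            return this;
        }

        /** Role session duration; passed through to the base class unchanged. */
        public Builder roleSessionDuration(Integer roleSessionDuration) {
            this.roleSessionDuration = roleSessionDuration;
            return this;
        }

        /** AWS region; passed through to the base class unchanged. */
        public Builder region(Region region) {
            this.region = region;
            return this;
        }

        /** Whether the Lake Formation flow is used; passed through to the base class unchanged. */
        public Builder lakeFormationEnabled(boolean lakeFormationEnabled) {
            this.lakeFormationEnabled = lakeFormationEnabled;
            return this;
        }

        /** Overrides the HTTP client factory; when unset the provider builds one from the connection parameters. */
        Builder httpClientFactory(Supplier<CloseableHttpClient> httpClientFactory) {
            this.httpClientFactory = httpClientFactory;
            return this;
        }

        Builder assumeRoleWithSamlRequestFactory(AssumeRoleWithSamlRequest.Builder requestBuilder) {
            this.assumeRoleWithSamlRequestFactory = requestBuilder;
            return this;
        }

        Builder assumeDecoratedRoleWithSamlRequestFactory(
                AssumeDecoratedRoleWithSamlRequest.Builder requestBuilder) {
            this.assumeDecoratedRoleWithSamlRequestFactory = requestBuilder;
            return this;
        }

        Builder stsClientBuilder(StsClientBuilder stsClientBuilder) {
            this.stsClientFactory = stsClientBuilder;
            return this;
        }

        Builder lakeFormationClientBuilder(LakeFormationClientBuilder lakeFormationClientBuilder) {
            this.lakeFormationClientFactory = lakeFormationClientBuilder;
            return this;
        }

        /** Connection parameters, used to build the default HTTP client and passed to the base class. */
        public Builder connectionParameters(Map<ConnectionParameter<?>, String> parameters) {
            this.parameters = parameters;
            return this;
        }

        /** Creates the provider from the values set so far. */
        public AzureAdCredentialsProvider build() {
            return new AzureAdCredentialsProvider(
                    this.username,
                    this.password,
                    this.tenantId,
                    this.clientId,
                    this.clientSecret,
                    this.preferredRole,
                    this.roleSessionDuration,
                    this.region,
                    this.httpClientFactory,
                    this.assumeRoleWithSamlRequestFactory,
                    this.stsClientFactory,
                    this.assumeDecoratedRoleWithSamlRequestFactory,
                    this.lakeFormationClientFactory,
                    this.lakeFormationEnabled,
                    this.parameters);
        }
    }

    /**
     * Stores the Azure AD settings and forwards the AWS-side settings to the base class.
     * <p>
     * The two {@code null} arguments passed to {@code super} are positional values whose meaning
     * is defined by {@link SamlCredentialsProvider}; they are not used by this class.
     */
    private AzureAdCredentialsProvider(
            String username,
            String password,
            String tenantId,
            String clientId,
            String clientSecret,
            String preferredRole,
            Integer roleSessionDuration,
            Region region,
            Supplier<CloseableHttpClient> httpClientFactory,
            AssumeRoleWithSamlRequest.Builder assumeRoleWithSamlRequestFactory,
            StsClientBuilder stsClientFactory,
            AssumeDecoratedRoleWithSamlRequest.Builder assumeDecoratedRoleWithSamlRequestFactory,
            LakeFormationClientBuilder lakeFormationClientFactory,
            boolean lakeFormationEnabled,
            Map<ConnectionParameter<?>, String> parameters) {
        super(assumeRoleWithSamlRequestFactory,
                assumeDecoratedRoleWithSamlRequestFactory,
                stsClientFactory,
                lakeFormationClientFactory,
                null,
                null,
                preferredRole,
                roleSessionDuration,
                region,
                lakeFormationEnabled,
                parameters);
        this.username = username;
        this.password = password;
        this.tenantId = tenantId;
        this.clientId = clientId;
        this.clientSecret = clientSecret;
        // Without an injected factory, build a client from the connection parameters on each use.
        this.httpClientFactory = httpClientFactory != null
                ? httpClientFactory
                : () -> IdpCredentialsProvider.createHttpClient(parameters);
    }

    /** Returns a new, empty {@link Builder}. */
    public static Builder builder() {
        return new Builder();
    }

    /**
     * Requests a SAML assertion from Azure AD and returns it in the wrapped, encoded form the
     * base class expects.
     *
     * @throws AuthenticationException if the token request fails or Azure AD rejects it
     * @throws IllegalArgumentException if the tenant id does not yield a valid endpoint URI
     */
    @Override // com.amazon.athena.jdbc.authentication.SamlCredentialsProvider
    protected String getSamlAssertion() {
        URI endpoint = constructAzureAdEndpoint();
        String responseBody = fetchSamlAssertion(createSamlRequest(endpoint));
        String rawAssertion = AzureAdAuthUtils.extractAzureAdSamlAssertion(responseBody);
        return AzureAdAuthUtils.wrapAndEncodeAssertion(rawAssertion);
    }

    /**
     * Builds the tenant-specific OAuth2 token endpoint.
     * <p>
     * NOTE(review): the tenant id is interpolated into the path without encoding. The scheme and
     * host are fixed by {@link #URI_TEMPLATE}, and {@link URI} rejects illegal characters, but
     * legal delimiters such as {@code /}, {@code ?} or {@code #} in the tenant id would change the
     * request path on that host. If the tenant id can come from an untrusted source, its shape
     * should be validated where the connection parameters are parsed.
     *
     * @throws IllegalArgumentException if the formatted URL is not a valid URI
     */
    private URI constructAzureAdEndpoint() {
        String endpoint = String.format(URI_TEMPLATE, this.tenantId);
        try {
            return new URI(endpoint);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException(String.format(
                    "Could not construct an AzureAD endpoint from the provided tenant ID (\"%s\"), the URL \"%s\" is invalid",
                    this.tenantId, endpoint), e);
        }
    }

    /**
     * Creates the resource-owner password grant request.
     * <p>
     * The form body carries the user password and the client secret; never log or otherwise
     * persist the entity of the returned request. The {@code resource} field is set to the client
     * id, i.e. the requesting application is also the audience of the SAML token.
     */
    private HttpPost createSamlRequest(URI endpoint) {
        List<BasicNameValuePair> formFields = Arrays.asList(
                new BasicNameValuePair("grant_type", "password"),
                new BasicNameValuePair("requested_token_type", "urn:ietf:params:oauth:token-type:saml2"),
                new BasicNameValuePair("username", this.username),
                new BasicNameValuePair("password", this.password),
                new BasicNameValuePair("client_secret", this.clientSecret),
                new BasicNameValuePair("client_id", this.clientId),
                new BasicNameValuePair("resource", this.clientId));
        HttpPost request = new HttpPost(endpoint);
        request.addHeader("Content-Type", "application/x-www-form-urlencoded");
        request.addHeader("Accept", HttpHeaders.Values.APPLICATION_JSON);
        request.setEntity(new UrlEncodedFormEntity(formFields, StandardCharsets.UTF_8));
        return request;
    }

    /**
     * Executes the token request and returns the response body of a successful (HTTP 200) reply.
     * <p>
     * Both the client and the response are closed via try-with-resources, so an exception raised
     * while closing is attached as a suppressed exception instead of replacing the original one.
     * A non-200 reply is always treated as a failure: it is first handed to
     * {@code AzureAdAuthUtils.throwOnBadAzureAdSamlResponse}, and if that helper returns without
     * throwing, a generic {@link AuthenticationException} carrying only the status code is raised
     * so that an error body can never be mistaken for a token response.
     *
     * @throws AuthenticationException on I/O failure or a non-200 response
     */
    private String fetchSamlAssertion(HttpPost tokenRequest) {
        try (CloseableHttpClient client = this.httpClientFactory.get();
             CloseableHttpResponse response = client.execute(tokenRequest)) {
            String body = extractResponseBody(response);
            int status = response.getStatusLine().getStatusCode();
            if (status != HTTP_OK) {
                AzureAdAuthUtils.throwOnBadAzureAdSamlResponse(body);
                // Fail closed even if the helper did not recognise the error format.
                throw new AuthenticationException(String.format(
                        "Unexpected response while requesting a SAML assertion from Azure AD (HTTP response status code %s)",
                        status));
            }
            return body;
        } catch (IOException e) {
            throw new AuthenticationException("Unable to obtain a SAML assertion from Azure AD", e);
        }
    }

    /**
     * Maps a non-200 Azure AD token response to an {@link AuthenticationException} built from the
     * JSON {@code error} and {@code error_description} fields; returns normally for HTTP 200.
     * <p>
     * Not invoked from this class — {@link #fetchSamlAssertion(HttpPost)} delegates to
     * {@code AzureAdAuthUtils.throwOnBadAzureAdSamlResponse} instead; retained unchanged in
     * behaviour.
     * <p>
     * NOTE(review): {@code parse()} on a non-JSON error body raises the SDK's parse exception
     * rather than an {@link AuthenticationException}; confirm callers tolerate that.
     */
    private void validateSamlResponse(CloseableHttpResponse response) {
        int status = response.getStatusLine().getStatusCode();
        if (status == HTTP_OK) {
            return;
        }
        JsonNode errorJson = JsonNodeParser.create().parse(extractResponseBody(response));
        String description = errorJson.field("error_description").map(JsonNode::text).orElse("");
        if (StringUtils.isEmpty(description)) {
            throw new AuthenticationException(String.format(
                    "Unexpected error while requesting SAML assertion from Azure AD (HTTP response status code %s)",
                    status));
        }
        // Azure AD descriptions span several lines; keep the exception message on one line.
        String singleLineDescription = description.replaceAll(CRLF, " ");
        String errorCode = errorJson.field("error").map(JsonNode::text).orElse("");
        if (!StringUtils.isEmpty(errorCode)) {
            throw new AuthenticationException(errorCode + " -- " + singleLineDescription);
        }
        throw new AuthenticationException("Unexpected response -- " + singleLineDescription);
    }

    /**
     * Reads the whole response entity as a string.
     * <p>
     * Azure AD replies with JSON, so UTF-8 is used when the entity does not declare a charset.
     * A response without an entity is reported as an {@link AuthenticationException} rather than
     * the {@link IllegalArgumentException} that {@code EntityUtils.toString(null)} would raise.
     *
     * @throws AuthenticationException if the entity is missing or cannot be read
     */
    private static String extractResponseBody(CloseableHttpResponse response) {
        if (response.getEntity() == null) {
            throw new AuthenticationException("Received an empty response from Azure AD");
        }
        try {
            return EntityUtils.toString(response.getEntity(), StandardCharsets.UTF_8);
        } catch (IOException e) {
            throw new AuthenticationException("An error occurred while processing the response from Azure AD", e);
        }
    }
}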
