package com.cloudera.server.web.cmf;

import com.cloudera.cmf.CommandRunner;
import com.cloudera.cmf.model.DbAuthRole;
import com.cloudera.cmf.model.DbExternalMapping;
import com.cloudera.cmf.model.ExternalMappingType;
import com.cloudera.cmf.persist.CmfEntityManager;
import com.cloudera.cmf.service.CommandUtils;
import com.cloudera.cmf.service.hue.HueLoadBalancerRoleHandler;
import com.cloudera.cmf.service.scm.ScmParamTrackerStore;
import com.cloudera.cmf.service.scm.ScmParams;
import com.cloudera.cmf.user.UserRole;
import com.cloudera.parcel.ParcelIdentity;
import com.cloudera.server.cmf.OperationsManager;
import com.cloudera.server.web.cmf.CMFUserDetailsService;
import com.cloudera.server.web.cmf.CmfExternalScriptAuthenticationProvider;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Predicate;
import com.google.common.collect.HashMultimap;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.persistence.EntityManagerFactory;
import org.opensaml.saml2.core.Attribute;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;

/* loaded from: input_file:com/cloudera/server/web/cmf/CMFSAMLUserDetailsService.class */
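/**
 * Turns an already-validated SAML assertion into a {@link UserDetails} for Cloudera Manager.
 *
 * <p>The username is taken either from the assertion's NameID or from a configured attribute
 * ({@code ScmParams.SAML_USER_SOURCE}); the user's roles come from the {@code DbExternalMapping}
 * rows in the CM database, selected either by a configured role attribute or by the exit code of
 * an external role-mapper script ({@code ScmParams.SAML_ROLE_MAPPER}).
 *
 * <p>Every failure path (unknown source/mapper, missing uid attribute, script error, no matching
 * mapping) still returns a user, but one with no authorities, so misconfiguration fails closed
 * rather than granting access. Authentication itself (signature validation of the assertion) is
 * done upstream by Spring SAML; this class only performs user and role mapping.
 *
 * <p>Debug-level logging writes the NameID and every attribute value of the assertion to the log,
 * which may include personal data from the IdP; keep that in mind when enabling DEBUG here.
 */
public class CMFSAMLUserDetailsService implements SAMLUserDetailsService {
    private static final Logger LOG = LoggerFactory.getLogger(CMFSAMLUserDetailsService.class);

    private final EntityManagerFactory emf;
    private final OperationsManager om;
    private final ScmParamTrackerStore spts;

    /**
     * @param entityManagerFactory used to open a read-only transaction per role lookup
     * @param operationsManager    handed to {@code UserMapper} when the user has roles to persist
     * @param scmParamTrackerStore source of the SAML_* configuration parameters
     */
    @Autowired
    public CMFSAMLUserDetailsService(EntityManagerFactory entityManagerFactory, OperationsManager operationsManager, ScmParamTrackerStore scmParamTrackerStore) {
        this.emf = entityManagerFactory;
        this.om = operationsManager;
        this.spts = scmParamTrackerStore;
    }

    /**
     * Maps the SAML credential to a CM user.
     *
     * @param sAMLCredential the validated assertion supplied by Spring SAML
     * @return a {@link UserDetails}; a user with no authorities if the uid cannot be resolved or no
     *         role mapping applies (the {@code Object} return type is dictated by
     *         {@link SAMLUserDetailsService})
     * @throws UsernameNotFoundException declared by the interface; not thrown by this implementation
     * @throws AuthenticationServiceException if the role lookup in the database fails
     */
    @Override
    public Object loadUserBySAML(SAMLCredential sAMLCredential) throws UsernameNotFoundException {
        String nameId = sAMLCredential.getNameID().getValue();
        LOG.debug("SAML NameID: {}", nameId);
        logAttributes(sAMLCredential);

        String uid = resolveUid(sAMLCredential, nameId);
        if (uid == null) {
            // Fail closed: the user is still returned (keyed by NameID) but carries no authorities.
            return mapUser(nameId, null);
        }
        LOG.debug("SAML Credential: uid = {}", uid);
        return mapUser(uid, resolveRoles(sAMLCredential, uid));
    }

    /**
     * Writes every attribute of the assertion (null values dropped) to the debug log. The list is
     * only built when DEBUG is enabled, as it is purely diagnostic output.
     */
    private static void logAttributes(SAMLCredential credential) {
        if (!LOG.isDebugEnabled()) {
            return;
        }
        for (Attribute attribute : credential.getAttributes()) {
            List<String> values = Lists.newArrayList();
            String[] rawValues = credential.getAttributeAsStringArray(attribute.getName());
            if (rawValues != null) {
                for (String value : rawValues) {
                    if (value != null) {
                        values.add(value);
                    }
                }
            }
            LOG.debug("SAML Attribute: {} = {}", attribute.getName(), values);
        }
    }

    /**
     * Resolves the CM username according to {@code ScmParams.SAML_USER_SOURCE}.
     *
     * @return the uid, or {@code null} when the source is unknown or the configured uid attribute is
     *         absent or has no value (each case is logged at WARN)
     */
    private String resolveUid(SAMLCredential credential, String nameId) {
        ScmParams.SAMLUserSource source = (ScmParams.SAMLUserSource) this.spts.get(ScmParams.SAML_USER_SOURCE);
        switch (source) {
            case NAMEID:
                return nameId;
            case ATTRIBUTE: {
                String uidAttrName = (String) this.spts.get(ScmParams.SAML_OID_USER);
                Attribute attribute = credential.getAttribute(uidAttrName);
                if (attribute == null) {
                    LOG.warn("Could not find uid attribute '{}' in SAML Credential. User will not be authorized", uidAttrName);
                    return null;
                }
                String uid = credential.getAttributeAsString(attribute.getName());
                if (uid == null) {
                    // Previously fell through to a NullPointerException in mapUser; treat like a missing attribute.
                    LOG.warn("uid attribute '{}' in SAML Credential has no value. User will not be authorized", uidAttrName);
                }
                return uid;
            }
            default:
                LOG.warn("Unknown SAML User source: {}. User will not be authorized", source.name());
                return null;
        }
    }

    /**
     * Looks up the user's roles according to {@code ScmParams.SAML_ROLE_MAPPER}.
     *
     * @return scope-to-roles map, or {@code null} for an unknown mapper (logged at WARN)
     */
    private Map<AuthScope, Set<UserRole>> resolveRoles(SAMLCredential credential, String uid) {
        ScmParams.SAMLRoleMapper mapper = (ScmParams.SAMLRoleMapper) this.spts.get(ScmParams.SAML_ROLE_MAPPER);
        switch (mapper) {
            case ATTRIBUTE:
                return mapRoleFromAttributes(credential);
            case SCRIPT:
                return mapRoleFromScript(uid);
            default:
                LOG.warn("Unknown SAML Role mapper: {}. Users will not be authorized.", mapper.name());
                return null;
        }
    }

    /**
     * Selects the SAML_ATTRIBUTE external mappings whose code equals (case-insensitively) the value of
     * the configured role attribute ({@code ScmParams.SAML_OID_ROLE}).
     */
    private Map<AuthScope, Set<UserRole>> mapRoleFromAttributes(SAMLCredential credential) {
        String roleAttrName = (String) this.spts.get(ScmParams.SAML_OID_ROLE);
        Attribute attribute = credential.getAttribute(roleAttrName);
        String roleValue;
        if (attribute == null) {
            // Decompiler resolved the original literal to this constant; presumably an empty string
            // so that no mapping matches — confirm against CommandUtils.
            roleValue = CommandUtils.CONFIG_TOP_LEVEL_DIR;
        } else {
            roleValue = credential.getAttributeAsString(attribute.getName());
            LOG.debug("SAML Credential: role = {}", roleValue);
        }
        final String expectedCode = roleValue;
        return fetchMappings(new Predicate<DbExternalMapping>() {
            @Override
            public boolean apply(DbExternalMapping mapping) {
                // A null attribute value matches nothing instead of raising inside the transaction.
                return mapping.getExternalMappingType() == ExternalMappingType.SAML_ATTRIBUTE
                    && expectedCode != null
                    && expectedCode.equalsIgnoreCase(mapping.getCode());
            }
        });
    }

    /**
     * Runs the configured role-mapper script ({@code ScmParams.SAML_ROLE_SCRIPT}) with the uid as its
     * single argument and selects the SAML_SCRIPT external mappings whose numeric code equals the
     * script's converted result.
     *
     * <p>The uid, which originates from the IdP assertion, is passed as a separate argv element rather
     * than interpolated into a command line. A script failure yields an empty map (no authorities).
     */
    private Map<AuthScope, Set<UserRole>> mapRoleFromScript(String uid) {
        String script = (String) this.spts.get(ScmParams.SAML_ROLE_SCRIPT);
        CommandRunner.CommandResult result = runCommand(ImmutableList.of(script, uid));
        if (result.exception != null) {
            LOG.error("SAML role mapper script failed. User will not be authorized:", result.exception);
            return Maps.newHashMap();
        }
        // Same result-to-code conversion as the external-script password authenticator.
        final int scriptCode = CmfExternalScriptAuthenticationProvider.AuthScript.doProperConversion(result);
        return fetchMappings(new Predicate<DbExternalMapping>() {
            @Override
            public boolean apply(DbExternalMapping mapping) {
                if (mapping.getExternalMappingType() != ExternalMappingType.SAML_SCRIPT) {
                    return false;
                }
                try {
                    return scriptCode == Integer.parseInt(mapping.getCode());
                } catch (NumberFormatException e) {
                    // A malformed row is skipped, not fatal: other mappings may still apply.
                    LOG.warn("Invalid value {} in DB for external mapping of type {}", mapping.getCode(), mapping.getExternalMappingType());
                    return false;
                }
            }
        });
    }

    /**
     * Builds the final {@link UserDetails}.
     *
     * @param username the resolved uid or NameID; must not be null
     * @param roles    scope-to-roles map; null or empty yields a user with no authorities
     */
    private UserDetails mapUser(String username, Map<AuthScope, Set<UserRole>> roles) {
        Preconditions.checkNotNull(username);
        if (roles == null || roles.isEmpty()) {
            // External users have no local password; ParcelIdentity.SEP looks like a placeholder
            // hash value (decompiler constant folding) — confirm its value before relying on it.
            return CMFUserDetailsService.CMFUser.newBuilder()
                .setUsername(username)
                .setPasswordHash(ParcelIdentity.SEP)
                .setAuthorities(ImmutableMap.of())
                .setSalt(0L)
                .setIsExternal(true)
                .build();
        }
        return new UserMapper(this.emf, this.om).mapUser(username, roles);
    }

    /** Executes the role-mapper script; overridable in tests so no process is spawned. */
    @VisibleForTesting
    CommandRunner.CommandResult runCommand(List<String> command) {
        return CommandRunner.run(command);
    }

    /** Opens an entity manager; overridable in tests to avoid a real database. */
    @VisibleForTesting
    CmfEntityManager getCmfEntityManager() {
        return new CmfEntityManager(this.emf);
    }

    /**
     * Collects the roles of every external mapping accepted by {@code predicate}, reading the
     * mappings in a read-only transaction that is always rolled back and closed.
     *
     * @return scope-to-roles map, empty when no mapping matched (logged at WARN only in that case)
     * @throws AuthenticationServiceException wrapping any failure of the lookup
     */
    private Map<AuthScope, Set<UserRole>> fetchMappings(Predicate<DbExternalMapping> predicate) {
        Map<AuthScope, Set<UserRole>> roles = Maps.newHashMap();
        CmfEntityManager cmfEntityManager = getCmfEntityManager();
        try {
            cmfEntityManager.beginForRollbackAndReadonly();
            for (DbExternalMapping mapping : cmfEntityManager.findAllExternalMappings()) {
                if (!predicate.apply(mapping)) {
                    continue;
                }
                Map<AuthScope, Set<UserRole>> mapped =
                    CMFUserDetailsService.getRoles((Set<DbAuthRole>) mapping.getImmutableAuthRole());
                for (Map.Entry<AuthScope, Set<UserRole>> entry : mapped.entrySet()) {
                    if (entry.getValue().isEmpty()) {
                        continue; // keep multimap semantics: an empty value set creates no key
                    }
                    Set<UserRole> scopeRoles = roles.get(entry.getKey());
                    if (scopeRoles == null) {
                        scopeRoles = new HashSet<UserRole>();
                        roles.put(entry.getKey(), scopeRoles);
                    }
                    scopeRoles.addAll(entry.getValue());
                }
            }
            if (roles.isEmpty()) {
                LOG.warn("SAML role mapping did not assign a role. User will not be authorized.");
            }
            return roles;
        } catch (AuthenticationServiceException e) {
            cmfEntityManager.rollback();
            throw e;
        } catch (Exception e) {
            cmfEntityManager.rollback();
            // Generic message to the caller; the cause is preserved for the server log.
            throw new AuthenticationServiceException("Authentication failed. Please try again.", e);
        } finally {
            cmfEntityManager.close();
        }
    }
}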
