package com.cloudera.nav.auth;

import com.cloudera.nav.auth.CommandRunner;
import com.cloudera.nav.auth.SamlUtils;
import com.cloudera.nav.auth.model.UserRole;
import com.cloudera.nav.persistence.relational.dao.RoleDAO;
import com.cloudera.nav.persistence.relational.dao.impl.RoleDAOImpl;
import com.cloudera.nav.server.NavOptions;
import com.cloudera.nav.server.SAMLOptions;
import com.google.common.base.Preconditions;
import com.google.common.base.Splitter;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import javax.sql.DataSource;
import org.opensaml.saml2.core.Attribute;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;

/* loaded from: input_file:com/cloudera/nav/auth/SamlUserDetailsService.class */
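public class SamlUserDetailsService implements SAMLUserDetailsService {
    private static final Logger LOG = LoggerFactory.getLogger(SamlUserDetailsService.class);

    private final NavOptions options;
    private final RoleDAO roleDAO;

    /**
     * Creates the service.
     *
     * @param navOptions server options; only {@code getSAMLOptions()} is consulted here
     * @param dataSource relational store backing the {@link RoleDAO} used to resolve role entities
     */
    @Autowired
    public SamlUserDetailsService(NavOptions navOptions, DataSource dataSource) {
        this.options = navOptions;
        this.roleDAO = new RoleDAOImpl(dataSource);
    }

    /**
     * Builds the local principal for an assertion the SAML layer has already validated.
     *
     * <p>The user id is taken from the NameID or from a configured attribute, and the roles
     * from a configured attribute or an external script, as selected by {@link SAMLOptions}.
     * Any failure to resolve the id or roles yields a principal with no roles rather than an
     * exception, so a misconfigured IdP produces an unauthorized user, not a server error.
     *
     * @param sAMLCredential the validated assertion
     * @return a {@link NavigatorUser} carrying the resolved username, roles and authorities
     * @throws IllegalArgumentException if the configured user source or role mapper name is
     *     not a known enum constant
     */
    public Object loadUserBySAML(SAMLCredential sAMLCredential) throws UsernameNotFoundException {
        String nameId = sAMLCredential.getNameID().getValue();
        LOG.debug("SAML NameID: {}", nameId);
        if (LOG.isDebugEnabled()) {
            // Dumps every asserted attribute; these can carry PII, so this stays at DEBUG.
            for (Attribute attribute : sAMLCredential.getAttributes()) {
                String name = attribute.getName();
                LOG.debug("SAML Attribute: {} = {}", name, sAMLCredential.getAttributeAsString(name));
            }
        }
        SAMLOptions samlOptions = this.options.getSAMLOptions();
        String uid = resolveUserId(sAMLCredential, samlOptions, nameId);
        if (uid == null) {
            // The cause was already logged; an empty role set makes the user unauthorized.
            return mapUser(nameId, Collections.<UserRole>emptyList());
        }
        LOG.debug("SAML Credential: uid = {}", uid);
        return mapUser(uid, resolveRoles(sAMLCredential, samlOptions, uid));
    }

    /**
     * Picks the username according to the configured user source.
     *
     * @return the username, or {@code null} (after logging a warning) when it cannot be
     *     resolved — the caller then falls back to the NameID with no roles
     */
    private String resolveUserId(SAMLCredential credential, SAMLOptions samlOptions, String nameId) {
        SamlUtils.SAMLUserSource source =
            SamlUtils.SAMLUserSource.valueOf(samlOptions.getSamlUserSource());
        switch (source) {
            case NAMEID:
                return nameId;
            case ATTRIBUTE:
                String attributeName = samlOptions.getSamlOidUser();
                Attribute attribute = credential.getAttribute(attributeName);
                if (attribute == null) {
                    LOG.warn("Could not find uid attribute '{}' in SAML Credential. User will not be authorized", attributeName);
                    return null;
                }
                String uid = credential.getAttributeAsString(attribute.getName());
                if (uid == null) {
                    // Previously a null value reached mapUser() and surfaced as an NPE.
                    LOG.warn("uid attribute '{}' in SAML Credential has no string value. User will not be authorized", attributeName);
                }
                return uid;
            default:
                // valueOf() already rejects unknown names; only reachable if the enum grows.
                LOG.warn("Unknown SAML User source: {}. User will not be authorized", source.name());
                return null;
        }
    }

    /**
     * Resolves the roles according to the configured role mapper.
     *
     * @return the roles to grant; empty (never {@code null}) when none could be assigned
     */
    private Collection<UserRole> resolveRoles(SAMLCredential credential, SAMLOptions samlOptions, String uid) {
        SamlUtils.SAMLRoleMapper mapper =
            SamlUtils.SAMLRoleMapper.valueOf(samlOptions.getSamlRoleMapper());
        switch (mapper) {
            case ATTRIBUTE:
                return mapRolesFromAttributes(credential);
            case SCRIPT:
                return mapRolesFromScript(uid);
            default:
                LOG.warn("Unknown SAML Role mapper: {}. Users will not be authorized.", mapper.name());
                return Collections.emptyList();
        }
    }

    /**
     * Maps the comma-separated role attribute onto {@link UserRole}s.
     *
     * <p>The configured role map is positional: the name at index {@code i} of
     * {@code getSamlRoleMap()} grants {@code UserRole.values()[i]}. Entries beyond the number
     * of declared roles are ignored with a warning instead of throwing.
     *
     * @return the granted roles; empty when the attribute is missing or matches nothing
     */
    private Collection<UserRole> mapRolesFromAttributes(SAMLCredential sAMLCredential) {
        SAMLOptions samlOptions = this.options.getSAMLOptions();
        String roleValue = "";
        Attribute attribute = sAMLCredential.getAttribute(samlOptions.getSamlOidRole());
        if (attribute != null) {
            roleValue = sAMLCredential.getAttributeAsString(attribute.getName());
            LOG.debug("SAML Credential: role = {}", roleValue);
        }
        // An attribute without a string value must not reach Splitter as null.
        if (roleValue == null) {
            roleValue = "";
        }
        List<String> assertedRoles = Lists.newArrayList(
            Splitter.on(',').trimResults().omitEmptyStrings().split(roleValue));
        UserRole[] roles = UserRole.values();
        List<String> roleMap = samlOptions.getSamlRoleMap();
        List<UserRole> granted = Lists.newArrayListWithExpectedSize(roles.length);
        for (String configuredRole : roleMap) {
            if (!assertedRoles.contains(configuredRole)) {
                continue;
            }
            int index = roleMap.indexOf(configuredRole);
            if (index >= roles.length) {
                LOG.warn("SAML role map entry '{}' at position {} has no matching UserRole; ignoring it.",
                    configuredRole, index);
                continue;
            }
            granted.add(roles[index]);
        }
        if (granted.isEmpty()) {
            LOG.warn("SAML role mapping did not assign a role. User will not be authorized.");
        }
        return granted;
    }

    /**
     * Runs the configured role script with the user id and maps its exit code to roles.
     *
     * <p>The id is passed as a separate argv element (no shell), so it cannot change which
     * program runs; it is still IdP-asserted data that the script must treat as input, not
     * as something to interpolate into a command line of its own.
     *
     * @param uid the resolved username
     * @return the granted roles; empty (never {@code null}) when the script fails or assigns none
     */
    private Collection<UserRole> mapRolesFromScript(String uid) {
        String script = this.options.getSAMLOptions().getSamlRoleScript();
        CommandRunner.CommandResult result = runCommand(ImmutableList.of(script, uid));
        if (result.exception != null) {
            LOG.error("SAML role mapper script failed. User will not be authorized:", result.exception);
            // Was `return null`, which made mapUser() throw an NPE instead of denying authorization.
            return Collections.emptyList();
        }
        Collection<UserRole> roles = UserRole.getByCode(result.retcode);
        if (roles == null || roles.isEmpty()) {
            LOG.warn("SAML roles mapper script did not assign a role ({}). User will not be authorized.", result.retcode);
            return Collections.emptyList();
        }
        return roles;
    }

    /**
     * Builds the principal for {@code username} with the authorities of the given roles.
     *
     * <p>The password is blank and all account flags are enabled: authentication already
     * happened at the IdP, so this object only carries identity and authorization data.
     *
     * @param username the resolved username, never {@code null}
     * @param userRoles roles to grant; {@code null} is treated as none
     */
    @SuppressWarnings({"unchecked", "rawtypes"}) // element types of the role/authority collections are project-defined
    private UserDetails mapUser(String username, Collection<UserRole> userRoles) {
        Preconditions.checkNotNull(username);
        HashSet authorities = Sets.newHashSet();
        List roles = Lists.newLinkedList();
        if (userRoles != null) {
            for (UserRole userRole : userRoles) {
                roles.add(this.roleDAO.getRole(userRole.getName()));
                authorities.addAll(userRole.getGrantedAuthorities());
            }
        }
        NavigatorUser user = new NavigatorUser(username, "", true, true, true, true, authorities);
        user.setRoles(roles);
        return user;
    }

    /**
     * Executes {@code argv} via {@link CommandRunner}. Package-private, presumably so tests
     * can override it.
     */
    CommandRunner.CommandResult runCommand(List<String> argv) {
        return CommandRunner.run(argv);
    }
}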
