package com.amazon.redshift.plugin;

import com.amazon.redshift.NativeTokenHolder;
import com.amazon.redshift.RedshiftProperty;
import com.amazon.redshift.logger.LogLevel;
import com.amazon.redshift.logger.RedshiftLogger;
import com.amazon.redshift.plugin.httpserver.RequestHandler;
import com.amazon.redshift.plugin.httpserver.Server;
import com.amazon.redshift.plugin.utils.RandomStateUtil;
import com.amazon.redshift.plugin.utils.ResponseUtils;
import com.amazonaws.services.ssooidc.AWSSSOOIDC;
import com.amazonaws.services.ssooidc.AWSSSOOIDCClientBuilder;
import com.amazonaws.services.ssooidc.model.AccessDeniedException;
import com.amazonaws.services.ssooidc.model.AuthorizationPendingException;
import com.amazonaws.services.ssooidc.model.CreateTokenRequest;
import com.amazonaws.services.ssooidc.model.CreateTokenResult;
import com.amazonaws.services.ssooidc.model.InternalServerException;
import com.amazonaws.services.ssooidc.model.RegisterClientRequest;
import com.amazonaws.services.ssooidc.model.RegisterClientResult;
import com.amazonaws.services.ssooidc.model.SlowDownException;
import com.amazonaws.util.StringUtils;
import java.awt.Desktop;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.util.Base64;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Function;
import org.apache.http.NameValuePair;
import org.apache.http.client.utils.URIBuilder;

/* loaded from: input_file:com/amazon/redshift/plugin/BrowserIdcAuthPlugin.class */
public class BrowserIdcAuthPlugin extends CommonCredentialsProvider {
    public static final String KEY_IDC_RESPONSE_TIMEOUT = "idp_response_timeout";
    public static final String KEY_LISTEN_PORT = "listen_port";
    public static final String KEY_ISSUER_URL = "issuer_url";
    public static final String KEY_IDC_REGION = "idc_region";
    private static final String KEY_IDC_CLIENT_DISPLAY_NAME = "idc_client_display_name";
    public static final String OAUTH_CSRF_STATE_PARAMETER_NAME = "state";
    public static final String OAUTH_REDIRECT_PARAMETER_NAME = "redirect_uri";
    public static final String OAUTH_CLIENT_ID_PARAMETER_NAME = "client_id";
    public static final String OAUTH_RESPONSE_TYPE_PARAMETER_NAME = "response_type";
    public static final String OAUTH_GRANT_TYPE_PARAMETER_NAME = "grant_type";
    public static final String OAUTH_SCOPE_PARAMETER_NAME = "scopes";
    public static final String OAUTH_CODE_CHALLENGE_PARAMETER_NAME = "code_challenge";
    public static final String OAUTH_CHALLENGE_METHOD_PARAMETER_NAME = "code_challenge_method";
    protected String m_issuer_url;
    protected String m_idc_region;
    protected String m_redirect_uri;
    protected AWSSSOOIDC m_sdk_client;
    private static final String AUTH_CODE_PARAMETER_NAME = "code";
    private static final String CURRENT_INTERACTION_PROTOCOL = "https";
    private static final String OIDC_SUBDOMAIN = "oidc";
    private static final String AMAZON_COM_DOMAIN = "amazonaws.com";
    private static final String REDSHIFT_IDC_CONNECT_SCOPE = "redshift:connect";
    private static final String AUTH_CODE_GRANT_TYPE = "authorization_code";
    private static final String M_CLIENT_TYPE = "public";
    private static final String M_REDIRECT_URI = "http://127.0.0.1";
    private static final String AUTHORIZE_ENDPOINT = "/authorize";
    private static final String CHALLENGE_METHOD = "S256";
    private static final String SHA256_METHOD = "SHA-256";
    private static final Map<String, RegisterClientResult> m_register_client_cache = new HashMap();
    public final int CREATE_TOKEN_POLLING_INTERVAL = 1;
    public final int DEFAULT_IDC_TOKEN_EXPIRY_IN_SEC = 900;
    public final int CODE_VERIFIER_BYTE_LENGTH = 60;
    public final long MILLISECOND_MULTIPLIER = 1000;
    private int m_idc_response_timeout = 120;
    private int m_listen_port = 7890;
    private String m_idcClientDisplayName = RedshiftProperty.IDC_CLIENT_DISPLAY_NAME.getDefaultValue();

    @Override // com.amazon.redshift.plugin.CommonCredentialsProvider
    protected NativeTokenHolder getAuthToken() throws IOException {
        return getIdcToken();
    }

    protected NativeTokenHolder getIdcToken() throws IOException {
        try {
            checkRequiredParameters();
            this.m_sdk_client = (AWSSSOOIDC) AWSSSOOIDCClientBuilder.standard().withRegion(this.m_idc_region).build();
            this.m_redirect_uri = "http://127.0.0.1:" + this.m_listen_port;
            RegisterClientResult registerClientResult = getRegisterClientResult();
            String generateCodeVerifier = generateCodeVerifier();
            return processCreateTokenResult(fetchTokenResult(registerClientResult, fetchAuthorizationCode(generateCodeChallenge(generateCodeVerifier), registerClientResult), generateCodeVerifier));
        } catch (InternalPluginException | URISyntaxException e) {
            if (RedshiftLogger.isEnable()) {
                this.m_log.log(LogLevel.ERROR, e, "InternalPluginException in getIdcToken", new Object[0]);
            }
            throw new IOException(e.getMessage(), e);
        }
    }

    private void checkRequiredParameters() throws InternalPluginException {
        if (StringUtils.isNullOrEmpty(this.m_issuer_url)) {
            this.m_log.logDebug("IdC authentication failed: issuer_url needs to be provided in connection params", new Object[0]);
            throw new InternalPluginException("IdC authentication failed: The issuer URL must be included in the connection parameters.");
        }
        if (StringUtils.isNullOrEmpty(this.m_idc_region)) {
            this.m_log.logDebug("IdC authentication failed: idc_region needs to be provided in connection params", new Object[0]);
            throw new InternalPluginException("IdC authentication failed: The IdC region must be included in the connection parameters.");
        }
    }

    @Override // com.amazon.redshift.plugin.CommonCredentialsProvider, com.amazon.redshift.INativePlugin
    public void addParameter(String str, String str2) {
        boolean z = -1;
        switch (str.hashCode()) {
            case -1297661845:
                if (str.equals(KEY_IDC_REGION)) {
                    z = true;
                    break;
                }
                break;
            case -942824531:
                if (str.equals("idp_response_timeout")) {
                    z = 4;
                    break;
                }
                break;
            case 823966661:
                if (str.equals(KEY_IDC_CLIENT_DISPLAY_NAME)) {
                    z = 3;
                    break;
                }
                break;
            case 1331349497:
                if (str.equals("listen_port")) {
                    z = 2;
                    break;
                }
                break;
            case 1460298473:
                if (str.equals(KEY_ISSUER_URL)) {
                    z = false;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                this.m_issuer_url = str2;
                if (RedshiftLogger.isEnable()) {
                    this.m_log.logDebug("Setting issuer_url: {0}", this.m_issuer_url);
                    return;
                }
                return;
            case true:
                this.m_idc_region = str2;
                if (RedshiftLogger.isEnable()) {
                    this.m_log.logDebug("Setting idc_region: {0}", this.m_idc_region);
                    return;
                }
                return;
            case true:
                this.m_listen_port = Integer.parseInt(str2);
                if (RedshiftLogger.isEnable()) {
                    this.m_log.logDebug("Setting listen_port: {0}", Integer.valueOf(this.m_listen_port));
                    return;
                }
                return;
            case true:
                if (!StringUtils.isNullOrEmpty(str2)) {
                    this.m_idcClientDisplayName = str2;
                }
                if (RedshiftLogger.isEnable()) {
                    this.m_log.logDebug("Setting idc_client_display_name: {0}", this.m_idcClientDisplayName);
                    return;
                }
                return;
            case true:
                if (StringUtils.isNullOrEmpty(str2)) {
                    return;
                }
                int parseInt = Integer.parseInt(str2);
                if (parseInt <= 10) {
                    if (RedshiftLogger.isEnable()) {
                        this.m_log.logDebug("Setting default idc_response_timeout={0}; provided value={1}", Integer.valueOf(this.m_idc_response_timeout), Integer.valueOf(parseInt));
                        return;
                    }
                    return;
                } else {
                    this.m_idc_response_timeout = parseInt;
                    if (RedshiftLogger.isEnable()) {
                        this.m_log.logDebug("Setting idc_response_timeout={0}", Integer.valueOf(this.m_idc_response_timeout));
                        return;
                    }
                    return;
                }
            default:
                super.addParameter(str, str2);
                return;
        }
    }

    protected RegisterClientResult getRegisterClientResult() throws IOException {
        String str = this.m_issuer_url + ":" + this.m_idc_region + ":" + this.m_listen_port;
        RegisterClientResult registerClientResult = m_register_client_cache.get(str);
        if (isCachedRegisterClientResultValid(registerClientResult)) {
            if (RedshiftLogger.isEnable()) {
                this.m_log.logDebug("Using cached register client result", new Object[0]);
                this.m_log.logDebug("Cached register client secret expiry is {0}", registerClientResult.getClientSecretExpiresAt());
            }
            return registerClientResult;
        }
        RegisterClientRequest registerClientRequest = new RegisterClientRequest();
        registerClientRequest.withClientName(this.m_idcClientDisplayName);
        registerClientRequest.withClientType(M_CLIENT_TYPE);
        registerClientRequest.withScopes(new String[]{REDSHIFT_IDC_CONNECT_SCOPE});
        registerClientRequest.withIssuerUrl(this.m_issuer_url);
        registerClientRequest.withRedirectUris(new String[]{this.m_redirect_uri});
        registerClientRequest.withGrantTypes(new String[]{AUTH_CODE_GRANT_TYPE});
        try {
            RegisterClientResult registerClient = this.m_sdk_client.registerClient(registerClientRequest);
            if (RedshiftLogger.isEnable() && registerClient.getSdkHttpMetadata() != null) {
                this.m_log.logDebug("registerClient response code: {0}", Integer.valueOf(registerClient.getSdkHttpMetadata().getHttpStatusCode()));
            }
            m_register_client_cache.put(str, registerClient);
            if (RedshiftLogger.isEnable()) {
                this.m_log.logDebug("Cached register client secret expiry is {0}", registerClient.getClientSecretExpiresAt());
            }
            return registerClient;
        } catch (Exception e) {
            if (RedshiftLogger.isEnable()) {
                this.m_log.log(LogLevel.ERROR, e, "Error: Unexpected register client error;", new Object[0]);
            }
            throw new IOException("IdC registerClient failed : There was an error during the request.", e);
        } catch (InternalServerException e2) {
            if (RedshiftLogger.isEnable()) {
                this.m_log.log(LogLevel.ERROR, e2, "Error: Unexpected server error while registering client;", new Object[0]);
            }
            throw new IOException("IdC authentication failed : An error occurred during the request.", e2);
        }
    }

    protected String generateCodeVerifier() {
        byte[] bArr = new byte[60];
        new SecureRandom().nextBytes(bArr);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bArr);
    }

    protected String generateCodeChallenge(String str) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(sha256(str.getBytes(StandardCharsets.US_ASCII)));
    }

    protected String fetchAuthorizationCode(String str, RegisterClientResult registerClientResult) throws IOException, URISyntaxException {
        final String generateRandomState = RandomStateUtil.generateRandomState();
        RequestHandler requestHandler = new RequestHandler(new Function<List<NameValuePair>, Object>() { // from class: com.amazon.redshift.plugin.BrowserIdcAuthPlugin.1
            @Override // java.util.function.Function
            public Object apply(List<NameValuePair> list) {
                String findParameter = ResponseUtils.findParameter("state", list);
                if (!generateRandomState.equals(findParameter)) {
                    String str2 = "Incoming state " + findParameter + " does not match the outgoing state " + generateRandomState;
                    BrowserIdcAuthPlugin.this.m_log.log(LogLevel.DEBUG, str2, new Object[0]);
                    return new InternalPluginException(str2);
                }
                String findParameter2 = ResponseUtils.findParameter("code", list);
                if (!StringUtils.isNullOrEmpty(findParameter2)) {
                    return findParameter2;
                }
                BrowserIdcAuthPlugin.this.m_log.log(LogLevel.DEBUG, "No valid code found", new Object[0]);
                return new InternalPluginException("No valid code found");
            }
        });
        Server server = new Server(this.m_listen_port, requestHandler, Duration.ofSeconds(this.m_idc_response_timeout), this.m_log);
        try {
            server.listen();
            if (RedshiftLogger.isEnable()) {
                this.m_log.log(LogLevel.DEBUG, String.format("Listening for connection on port %d", Integer.valueOf(this.m_listen_port)), new Object[0]);
            }
            openBrowser(generateRandomState, str, registerClientResult);
            server.waitForResult();
            Object result = requestHandler.getResult();
            if (result instanceof InternalPluginException) {
                if (RedshiftLogger.isEnable()) {
                    this.m_log.logDebug("Error occurred while fetching authorization code: {0}", result);
                }
                throw ((InternalPluginException) result);
            }
            if (result instanceof String) {
                if (RedshiftLogger.isEnable()) {
                    this.m_log.log(LogLevel.DEBUG, "Got authorization code of length={0}", Integer.valueOf(((String) result).length()));
                }
                return (String) result;
            }
            if (RedshiftLogger.isEnable()) {
                this.m_log.logDebug("result: {0}", result);
            }
            throw new InternalPluginException("Error fetching authentication code from browser. Failed to login during timeout.");
        } catch (IOException | URISyntaxException e) {
            if (RedshiftLogger.isEnable()) {
                this.m_log.logError(e);
            }
            server.stop();
            throw e;
        }
    }

    protected CreateTokenResult fetchTokenResult(RegisterClientResult registerClientResult, String str, String str2) throws IOException {
        long currentTimeMillis = System.currentTimeMillis() + (this.m_idc_response_timeout * 1000);
        while (System.currentTimeMillis() < currentTimeMillis) {
            try {
                CreateTokenResult createTokenResult = getCreateTokenResult(registerClientResult.getClientId(), registerClientResult.getClientSecret(), str, AUTH_CODE_GRANT_TYPE, str2, this.m_redirect_uri);
                if (RedshiftLogger.isEnable() && registerClientResult.getSdkHttpMetadata() != null) {
                    this.m_log.logDebug("createToken response code: {0}", Integer.valueOf(createTokenResult.getSdkHttpMetadata().getHttpStatusCode()));
                }
                if (createTokenResult != null && createTokenResult.getAccessToken() != null) {
                    return createTokenResult;
                }
                if (RedshiftLogger.isEnable()) {
                    this.m_log.logError("Failed to fetch an IdC access token", new Object[0]);
                }
                throw new IOException("IdC authentication failed : The credential token couldn't be fetched.");
                break;
            } catch (AccessDeniedException e) {
                if (RedshiftLogger.isEnable()) {
                    this.m_log.log(LogLevel.ERROR, e, "Error: Access denied, please ensure app assignment is done for the user;", new Object[0]);
                }
                throw new IOException("IdC authentication failed : You don't have sufficient permission to perform the action. Please ensure app assignment is done for the user.", e);
            } catch (InternalServerException e2) {
                if (RedshiftLogger.isEnable()) {
                    this.m_log.log(LogLevel.ERROR, e2, "Error: Server error in creating token;", new Object[0]);
                }
                throw new IOException("IdC authentication failed : An error occurred during the request.", e2);
            } catch (SlowDownException e3) {
                if (RedshiftLogger.isEnable()) {
                    this.m_log.log(LogLevel.ERROR, e3, "Error: Too frequent createToken requests made by client;", new Object[0]);
                }
                throw new IOException("IdC authentication failed : Requests to the IdC service are too frequent.", e3);
            } catch (Exception e4) {
                if (RedshiftLogger.isEnable()) {
                    this.m_log.log(LogLevel.ERROR, e4, "Error: Unexpected error in create token;", new Object[0]);
                }
                throw new IOException("IdC createToken failed : There was an error during the request.", e4);
            } catch (AuthorizationPendingException e5) {
                if (RedshiftLogger.isEnable()) {
                    this.m_log.logDebug("Browser authorization pending from user", new Object[0]);
                }
                try {
                    Thread.sleep(1 * 1000);
                } catch (InterruptedException e6) {
                    if (RedshiftLogger.isEnable()) {
                        this.m_log.log(LogLevel.ERROR, e6, "Thread interrupted during sleep", new Object[0]);
                    }
                }
            }
        }
        if (RedshiftLogger.isEnable()) {
            this.m_log.logError("Error: Request timed out while waiting for user authentication in the browser", new Object[0]);
        }
        throw new IOException("IdC authentication failed : The request timed out. Authentication wasn't completed.");
    }

    protected CreateTokenResult getCreateTokenResult(String str, String str2, String str3, String str4, String str5, String str6) {
        CreateTokenRequest createTokenRequest = new CreateTokenRequest();
        createTokenRequest.withClientId(str);
        createTokenRequest.withClientSecret(str2);
        createTokenRequest.withCode(str3);
        createTokenRequest.withGrantType(str4);
        createTokenRequest.withCodeVerifier(str5);
        createTokenRequest.withRedirectUri(str6);
        return this.m_sdk_client.createToken(createTokenRequest);
    }

    protected NativeTokenHolder processCreateTokenResult(CreateTokenResult createTokenResult) throws IOException {
        String accessToken = createTokenResult.getAccessToken();
        if (StringUtils.isNullOrEmpty(accessToken)) {
            throw new InternalPluginException("Returned access token is null or empty.");
        }
        int i = 900;
        if (createTokenResult.getExpiresIn() != null && createTokenResult.getExpiresIn().intValue() > 0) {
            i = createTokenResult.getExpiresIn().intValue();
        }
        Date date = new Date(System.currentTimeMillis() + (i * 1000));
        if (RedshiftLogger.isEnable()) {
            this.m_log.logDebug("Access token expires at {0}", date);
        }
        return NativeTokenHolder.newInstance(accessToken, date);
    }

    protected void openBrowser(String str, String str2, RegisterClientResult registerClientResult) throws URISyntaxException, IOException {
        URI build = new URIBuilder().setScheme(CURRENT_INTERACTION_PROTOCOL).setHost(createIdcHost(this.m_idc_region)).setPath(AUTHORIZE_ENDPOINT).addParameter("response_type", "code").addParameter("client_id", registerClientResult.getClientId()).addParameter("redirect_uri", this.m_redirect_uri).addParameter(OAUTH_SCOPE_PARAMETER_NAME, REDSHIFT_IDC_CONNECT_SCOPE).addParameter("state", str).addParameter(OAUTH_CODE_CHALLENGE_PARAMETER_NAME, str2).addParameter(OAUTH_CHALLENGE_METHOD_PARAMETER_NAME, CHALLENGE_METHOD).build();
        validateURL(build.toString());
        if (Desktop.isDesktopSupported() && Desktop.getDesktop().isSupported(Desktop.Action.BROWSE)) {
            Desktop.getDesktop().browse(build);
        } else {
            this.m_log.log(LogLevel.ERROR, "Unable to open the browser. Desktop environment is not supported", new Object[0]);
        }
        if (RedshiftLogger.isEnable()) {
            this.m_log.log(LogLevel.DEBUG, String.format("Authorization code request URI: \n%s", build.toString()), new Object[0]);
        }
    }

    private String createIdcHost(String str) {
        return "oidc." + this.m_idc_region + "." + AMAZON_COM_DOMAIN;
    }

    private byte[] sha256(byte[] bArr) {
        try {
            return MessageDigest.getInstance(SHA256_METHOD).digest(bArr);
        } catch (NoSuchAlgorithmException e) {
            if (!RedshiftLogger.isEnable()) {
                return null;
            }
            this.m_log.log(LogLevel.ERROR, e, "Thread interrupted during sleep", new Object[0]);
            return null;
        }
    }

    private boolean isCachedRegisterClientResultValid(RegisterClientResult registerClientResult) {
        return (registerClientResult == null || registerClientResult.getClientSecretExpiresAt() == null || System.currentTimeMillis() >= registerClientResult.getClientSecretExpiresAt().longValue() * 1000) ? false : true;
    }
}
