package org.apache.ambari.server.security.authorization;

import com.google.inject.Inject;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import org.apache.ambari.server.configuration.Configuration;
import org.apache.ambari.server.ldap.service.AmbariLdapConfigurationProvider;
import org.apache.ambari.server.orm.DBAccessorImpl;
import org.apache.ambari.server.orm.entities.UserAuthenticationEntity;
import org.apache.ambari.server.orm.entities.UserEntity;
import org.apache.ambari.server.security.ClientSecurityType;
import org.apache.ambari.server.security.authentication.AccountDisabledException;
import org.apache.ambari.server.security.authentication.AmbariAuthenticationProvider;
import org.apache.ambari.server.security.authentication.AmbariUserAuthentication;
import org.apache.ambari.server.security.authentication.AmbariUserDetailsImpl;
import org.apache.ambari.server.security.authentication.InvalidUsernamePasswordCombinationException;
import org.apache.ambari.server.security.authentication.TooManyLoginFailuresException;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.dao.IncorrectResultSizeDataAccessException;
import org.springframework.ldap.CommunicationException;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.security.ldap.search.LdapUserSearch;
import org.springframework.security.ldap.userdetails.LdapUserDetails;

/* loaded from: input_file:org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.class */
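/**
 * Authenticates username/password tokens against the configured LDAP server and resolves the
 * bound LDAP entry to the Ambari {@link UserEntity} it belongs to.
 * <p>
 * The provider only participates when the client security type is
 * {@link ClientSecurityType#LDAP}; otherwise {@link #authenticate} returns {@code null}, which
 * Spring treats as "not handled by this provider".
 * <p>
 * The underlying {@link LdapAuthenticationProvider} - together with the {@link LdapContextSource}
 * that holds the manager bind DN/password - is built lazily per thread and rebuilt whenever the
 * LDAP server properties or the effective user-search filter change
 * (see {@link #loadLdapAuthenticationProvider}). Every failure that reaches the caller is reported
 * as a generic {@link InvalidUsernamePasswordCombinationException} unless the deployment explicitly
 * opts in to exposing account-lockout state.
 */
public class AmbariLdapAuthenticationProvider extends AmbariAuthenticationProvider {
    /**
     * JDK system property that turns off LDAPS hostname (endpoint) verification.
     * NOTE(review): this is a process-wide JVM switch, not a per-connection setting;
     * see {@link #applyEndpointIdentificationSetting}.
     */
    private static final String SYSTEM_PROPERTY_DISABLE_ENDPOINT_IDENTIFICATION = "com.sun.jndi.ldap.object.disableEndpointIdentification";
    private static final Logger LOG = LoggerFactory.getLogger(AmbariLdapAuthenticationProvider.class);
    final AmbariLdapConfigurationProvider ldapConfigurationProvider;
    private final AmbariLdapAuthoritiesPopulator authoritiesPopulator;
    // Per-thread cache of the last LDAP properties / search filter / provider this thread built.
    // Each request thread therefore holds its own LdapContextSource (and manager credentials).
    private final ThreadLocal<LdapServerProperties> ldapServerProperties = new ThreadLocal<>();
    private final ThreadLocal<LdapAuthenticationProvider> providerThreadLocal = new ThreadLocal<>();
    private final ThreadLocal<String> ldapUserSearchFilterThreadLocal = new ThreadLocal<>();

    /**
     * @param users                           user store used to resolve and validate the local user record
     * @param configuration                   server configuration (client security type, lockout-message policy)
     * @param ambariLdapConfigurationProvider supplies the current LDAP configuration on every call
     * @param ambariLdapAuthoritiesPopulator  populates granted authorities for the LDAP provider
     */
    @Inject
    public AmbariLdapAuthenticationProvider(Users users, Configuration configuration, AmbariLdapConfigurationProvider ambariLdapConfigurationProvider, AmbariLdapAuthoritiesPopulator ambariLdapAuthoritiesPopulator) {
        super(users, configuration);
        this.ldapConfigurationProvider = ambariLdapConfigurationProvider;
        this.authoritiesPopulator = ambariLdapAuthoritiesPopulator;
    }

    /**
     * Authenticates the given token against LDAP and maps the result to an Ambari user.
     *
     * @param authentication the username/password token
     * @return a fully authenticated {@link AmbariUserAuthentication}, or {@code null} when LDAP is not
     *         the configured client security type
     * @throws InvalidUsernamePasswordCombinationException for a missing/blank username, missing credentials,
     *         a failed LDAP bind, or an LDAP user with no matching Ambari record
     * @throws DuplicateLdapUserFoundAuthenticationException when the user search matches more than one entry
     * @throws AccountDisabledException       only when {@code showLockedOutUserMessage()} is enabled
     * @throws TooManyLoginFailuresException  only when {@code showLockedOutUserMessage()} is enabled
     */
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        if (!isLdapEnabled()) {
            return null;
        }
        if (authentication.getName() == null) {
            LOG.info("Authentication failed: no username provided");
            // There is no username to report; the decompiled listing showed an unrelated inlined
            // constant here, which is presumed to have been the empty string.
            throw new InvalidUsernamePasswordCombinationException("");
        }
        String username = authentication.getName().trim();
        if (username.isEmpty()) {
            // A blank name can never match a directory entry; fail fast instead of running an LDAP
            // search with an empty filter argument.
            LOG.info("Authentication failed: no username provided");
            throw new InvalidUsernamePasswordCombinationException(username);
        }
        if (authentication.getCredentials() == null) {
            LOG.info("Authentication failed: no credentials provided: {}", username);
            throw new InvalidUsernamePasswordCombinationException(username);
        }

        UserEntity userEntity;
        try {
            Authentication ldapResult = loadLdapAuthenticationProvider(username).authenticate(authentication);
            userEntity = getUserEntity(ldapResult);
        } catch (IncorrectResultSizeDataAccessException e) {
            // NOTE(review): unlike every other failure path, this message confirms that the username
            // exists in the directory (more than once). Acceptable only if username enumeration
            // against LDAP is not a concern for the deployment.
            throw new DuplicateLdapUserFoundAuthenticationException(this.ldapConfigurationProvider.m156get().isLdapAlternateUserSearchEnabled() ? String.format("Login Failed: Please append your domain to your username and try again.  Example: %s@domain", username) : "Login Failed: More than one user with that username found, please work with your Ambari Administrator to adjust your LDAP configuration");
        } catch (AuthenticationException e) {
            LOG.debug("Got exception during LDAP authentication attempt", e);
            logLdapFailureHint(e);
            // Collapse bind failures, search failures and context-setup failures into one generic
            // answer so the caller cannot distinguish "unknown user" from "wrong password".
            throw new InvalidUsernamePasswordCombinationException(username, e);
        }

        if (userEntity == null) {
            LOG.debug("user not found ('{}')", username);
            throw new InvalidUsernamePasswordCombinationException(username);
        }

        Users users = getUsers();
        // Deliberately outside the try/catch above: in the original layout the rethrown
        // AccountDisabledException / TooManyLoginFailuresException (if, as their use here suggests,
        // they extend Spring's AuthenticationException) were swallowed by that outer catch and
        // re-reported as a generic bad-credentials failure, so showLockedOutUserMessage() never
        // took effect. Here the configured policy decides what the caller sees.
        try {
            users.validateLogin(userEntity, username);
        } catch (AccountDisabledException | TooManyLoginFailuresException e) {
            if (getConfiguration().showLockedOutUserMessage()) {
                throw e;
            }
            // Do not reveal the existence or lockout state of the account.
            throw new InvalidUsernamePasswordCombinationException(username, false, e);
        }
        // First argument (presumably the credential) is null on purpose: the cleartext LDAP
        // password must not be retained in the resulting Authentication.
        return new AmbariUserAuthentication(null, new AmbariUserDetailsImpl(users.getUser(userEntity), null, users.getUserAuthorities(userEntity)), true);
    }

    /**
     * Writes operator-facing hints for the common root causes of an LDAP failure. Only the log
     * changes; the exception handed to the caller stays generic.
     */
    private static void logLdapFailureHint(AuthenticationException e) {
        Throwable cause = e.getCause();
        if (cause == null || cause == e) {
            return;
        }
        if (cause instanceof CommunicationException) {
            // Include the stack trace only when debug logging is on, to keep production logs readable.
            if (LOG.isDebugEnabled()) {
                LOG.warn("Failed to communicate with the LDAP server: " + cause.getMessage(), e);
            } else {
                LOG.warn("Failed to communicate with the LDAP server: " + cause.getMessage());
            }
        } else if (cause instanceof org.springframework.ldap.AuthenticationException) {
            // NOTE(review): a wrong end-user password is expected to surface as a Spring Security
            // BadCredentialsException, so a raw LDAP AuthenticationException is presumed to be the
            // manager bind failing - confirm against AmbariLdapBindAuthenticator.
            LOG.warn("Looks like LDAP manager credentials (that are used for connecting to LDAP server) are invalid.", e);
        }
    }

    /**
     * This provider handles plain username/password tokens only.
     */
    public boolean supports(Class<?> cls) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(cls);
    }

    /**
     * Returns this thread's {@link LdapAuthenticationProvider}, rebuilding it when the LDAP server
     * properties or the user-search filter derived from {@code username} differ from what this
     * thread last built.
     *
     * @param username the login name being authenticated; only used to choose the search filter
     *                 (plain vs. user-principal-name form)
     * @return the provider to authenticate against, never {@code null}
     * @throws UsernameNotFoundException when the {@link LdapContextSource} cannot be initialised
     *         (a configuration problem, reported under this type so callers still see an
     *         {@link AuthenticationException})
     */
    LdapAuthenticationProvider loadLdapAuthenticationProvider(String username) {
        boolean propertiesChanged = reloadLdapServerProperties();
        String userSearchFilter = getLdapUserSearchFilter(username);
        if (propertiesChanged || !userSearchFilter.equals(this.ldapUserSearchFilterThreadLocal.get())) {
            LOG.info("Either LDAP Properties or user search filter changed - rebuilding Context");
            this.providerThreadLocal.set(buildProvider(this.ldapServerProperties.get(), userSearchFilter));
        }
        this.ldapUserSearchFilterThreadLocal.set(userSearchFilter);
        return this.providerThreadLocal.get();
    }

    /**
     * Builds a fresh context source, user search and bind authenticator from {@code properties}.
     *
     * @throws UsernameNotFoundException if {@link LdapContextSource#afterPropertiesSet()} or the
     *         authenticator setup fails
     */
    private LdapAuthenticationProvider buildProvider(LdapServerProperties properties, String userSearchFilter) {
        LdapContextSource contextSource = new LdapContextSource();
        List<String> ldapUrls = properties.getLdapUrls();
        contextSource.setUrls(ldapUrls.toArray(new String[0]));
        contextSource.setBase(properties.getBaseDN());
        if (!properties.isAnonymousBind()) {
            // Manager credentials are used for the user search; the end user's own bind happens in
            // AmbariLdapBindAuthenticator.
            contextSource.setUserDn(properties.getManagerDn());
            contextSource.setPassword(properties.getManagerPassword());
        }
        applyEndpointIdentificationSetting(properties);
        try {
            contextSource.afterPropertiesSet();
            LdapUserSearch userSearch = new FilterBasedLdapUserSearch(properties.getUserSearchBase(), userSearchFilter, contextSource);
            AmbariLdapBindAuthenticator bindAuthenticator = new AmbariLdapBindAuthenticator(contextSource, this.ldapConfigurationProvider.m156get());
            bindAuthenticator.setUserSearch(userSearch);
            return new LdapAuthenticationProvider(bindAuthenticator, this.authoritiesPopulator);
        } catch (Exception e) {
            LOG.error("LDAP Context Source not loaded ", e);
            throw new UsernameNotFoundException("LDAP Context Source not loaded", e);
        }
    }

    /**
     * Mirrors the "disable endpoint identification" LDAP setting onto the JVM.
     * <p>
     * NOTE(review): {@code System.setProperty}/{@code clearProperty} are process-wide, so this
     * (a) affects every JNDI LDAP connection in the JVM, not just Ambari's, (b) races with other
     * threads rebuilding their own per-thread provider, and (c) unconditionally clears a value an
     * operator may have set on the JVM command line. Recent JDKs are also believed to read this
     * property once, at class-initialisation time of the JNDI LDAP connection class, in which case
     * toggling it after the first connection has no effect - verify against the target JDK.
     * Disabling hostname verification leaves LDAPS open to MITM with any certificate the trust
     * store accepts; it should be a last resort.
     */
    private static void applyEndpointIdentificationSetting(LdapServerProperties properties) {
        if (properties.isUseSsl() && properties.isDisableEndpointIdentification()) {
            // The JDK documents the literal "true" for this switch; the decompiled listing pointed at an
            // unrelated DB-layer constant here.
            System.setProperty(SYSTEM_PROPERTY_DISABLE_ENDPOINT_IDENTIFICATION, "true");
            LOG.info("Disabled endpoint identification");
        } else {
            System.clearProperty(SYSTEM_PROPERTY_DISABLE_ENDPOINT_IDENTIFICATION);
            LOG.info("Removed endpoint identification disabling");
        }
    }

    /** True when the server is configured for LDAP client security. */
    boolean isLdapEnabled() {
        return getConfiguration().getClientSecurityType() == ClientSecurityType.LDAP;
    }

    /**
     * Refreshes this thread's cached {@link LdapServerProperties} from the configuration provider.
     *
     * @return {@code true} if the properties changed (or were never loaded on this thread)
     */
    private boolean reloadLdapServerProperties() {
        LdapServerProperties current = this.ldapConfigurationProvider.m156get().getLdapServerProperties();
        // Change detection relies on LdapServerProperties.equals(); presumably it covers every field
        // that feeds the context source (URLs, base DN, bind DN/password, SSL flags) - confirm.
        if (current.equals(this.ldapServerProperties.get())) {
            return false;
        }
        LOG.info("Reloading properties");
        this.ldapServerProperties.set(current);
        return true;
    }

    /**
     * Picks the user-search filter: the alternate (user-principal-name) filter when that feature is
     * enabled and the login looks like {@code user@domain}, otherwise the regular one.
     * Must be called after {@link #reloadLdapServerProperties()} on this thread.
     */
    private String getLdapUserSearchFilter(String username) {
        boolean useAlternateFilter = this.ldapConfigurationProvider.m156get().isLdapAlternateUserSearchEnabled()
                && AmbariLdapUtils.isUserPrincipalNameFormat(username);
        return this.ldapServerProperties.get().getUserSearchFilter(useAlternateFilter);
    }

    /**
     * Resolves the authenticated LDAP principal to its Ambari user record.
     * <p>
     * Preferred path: match the bound entry's DN against stored LDAP authentication records. Fallback:
     * look the user up by (alias-resolved) login name and accept it only if it has an LDAP
     * authentication record with an empty authentication key - presumably a placeholder record whose
     * DN has not been recorded yet. The decompiled original contained a self-assignment in this
     * fallback that made it always yield {@code null}; the intended match is restored here.
     * <p>
     * NOTE(review): the fallback links an LDAP bind to a local account by login name alone, so it is
     * only as safe as the uniqueness of the configured user-search filter.
     *
     * @return the matching user, or {@code null} if none qualifies
     */
    private UserEntity getUserEntity(Authentication authentication) {
        UserEntity userEntity = null;
        String userDN = getUserDN(authentication);
        if (!StringUtils.isEmpty(userDN)) {
            userEntity = getUserEntityForDN(userDN);
        }
        if (userEntity == null) {
            UserEntity byName = getUsers().getUserEntity(AuthorizationHelper.resolveLoginAliasToUserName(authentication.getName()));
            if (byName != null) {
                Collection<UserAuthenticationEntity> authenticationEntities = getAuthenticationEntities(byName, UserAuthenticationType.LDAP);
                if (!CollectionUtils.isEmpty(authenticationEntities)) {
                    for (UserAuthenticationEntity authenticationEntity : authenticationEntities) {
                        if (StringUtils.isEmpty(authenticationEntity.getAuthenticationKey())) {
                            userEntity = byName;
                            break;
                        }
                    }
                }
            }
        }
        return userEntity;
    }

    /**
     * Finds the user whose LDAP authentication record carries exactly this DN.
     * Zero or several matches are both treated as "not found" rather than picking one.
     * The DN is lower-cased with the default locale; this must agree with however the stored key was
     * normalised (not visible here) - a locale-sensitive mismatch would silently disable DN matching.
     */
    private UserEntity getUserEntityForDN(String dn) {
        Collection<UserAuthenticationEntity> authenticationEntities = getAuthenticationEntities(UserAuthenticationType.LDAP, StringUtils.lowerCase(dn));
        if (authenticationEntities == null || authenticationEntities.size() != 1) {
            return null;
        }
        return authenticationEntities.iterator().next().getUser();
    }

    /**
     * @return the DN of the bound LDAP entry, or {@code null} if the principal is not an
     *         {@link LdapUserDetails} (or {@code authentication} is {@code null})
     */
    private String getUserDN(Authentication authentication) {
        Object principal = authentication == null ? null : authentication.getPrincipal();
        if (principal instanceof LdapUserDetails) {
            return ((LdapUserDetails) principal).getDn();
        }
        return null;
    }
}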
