package io.prestosql.plugin.password.ldap;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.CharMatcher;
import com.google.common.base.Preconditions;
import com.google.common.base.Throwables;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.collect.ImmutableMap;
import com.google.common.util.concurrent.UncheckedExecutionException;
import io.airlift.log.Logger;
import io.airlift.security.pem.PemReader;
import io.prestosql.plugin.password.Credential;
import io.prestosql.plugin.password.jndi.JndiUtils;
import io.prestosql.spi.classloader.ThreadContextClassLoader;
import io.prestosql.spi.security.AccessDeniedException;
import io.prestosql.spi.security.BasicPrincipal;
import io.prestosql.spi.security.PasswordAuthenticator;
import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import javax.inject.Inject;
import javax.naming.AuthenticationException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* loaded from: input_file:io/prestosql/plugin/password/ldap/LdapAuthenticator.class */
public class LdapAuthenticator implements PasswordAuthenticator {
    private static final Logger log = Logger.get(LdapAuthenticator.class);
    private static final CharMatcher SPECIAL_CHARACTERS = CharMatcher.anyOf(",=+<>#;*()\"\\��");
    private static final CharMatcher WHITESPACE = CharMatcher.anyOf(" \r");
    private final Optional<String> userBindSearchPattern;
    private final Optional<String> groupAuthorizationSearchPattern;
    private final Optional<String> userBaseDistinguishedName;
    private final Optional<String> bindDistinguishedName;
    private final Optional<String> bindPassword;
    private final Map<String, String> basicEnvironment;
    private final LoadingCache<Credential, Principal> authenticationCache;
    private final Optional<SSLContext> sslContext;

    @Inject
    public LdapAuthenticator(LdapConfig ldapConfig) {
        String str = (String) Objects.requireNonNull(ldapConfig.getLdapUrl(), "ldapUrl is null");
        this.userBindSearchPattern = Optional.ofNullable(ldapConfig.getUserBindSearchPattern());
        this.groupAuthorizationSearchPattern = Optional.ofNullable(ldapConfig.getGroupAuthorizationSearchPattern());
        this.userBaseDistinguishedName = Optional.ofNullable(ldapConfig.getUserBaseDistinguishedName());
        this.bindDistinguishedName = Optional.ofNullable(ldapConfig.getBindDistingushedName());
        this.bindPassword = Optional.ofNullable(ldapConfig.getBindPassword());
        Preconditions.checkArgument(this.groupAuthorizationSearchPattern.isEmpty() || this.userBaseDistinguishedName.isPresent(), "Base distinguished name (DN) for user must be provided");
        Preconditions.checkArgument(this.bindDistinguishedName.isPresent() == this.bindPassword.isPresent(), "Both bind distinguished name and bind password must be provided together");
        Preconditions.checkArgument(this.bindDistinguishedName.isEmpty() || this.groupAuthorizationSearchPattern.isPresent(), "Group authorization search pattern must be provided when bind distinguished name is used");
        Preconditions.checkArgument(this.bindDistinguishedName.isPresent() || this.userBindSearchPattern.isPresent(), "Either user bind search pattern or bind distinguished name must be provided");
        if (str.startsWith("ldap://")) {
            log.warn("Passwords will be sent in the clear to the LDAP server. Please consider using SSL to connect.");
        }
        this.basicEnvironment = ImmutableMap.builder().put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory").put("java.naming.provider.url", str).put("java.naming.referral", ldapConfig.isIgnoreReferrals() ? "ignore" : "follow").build();
        this.authenticationCache = CacheBuilder.newBuilder().expireAfterWrite(ldapConfig.getLdapCacheTtl().toMillis(), TimeUnit.MILLISECONDS).build(CacheLoader.from(this.bindDistinguishedName.isPresent() ? this::authenticateWithBindDistinguishedName : this::authenticateWithUserBind));
        this.sslContext = Optional.ofNullable(ldapConfig.getTrustCertificate()).map(LdapAuthenticator::createSslContext);
    }

    public Principal createAuthenticatedPrincipal(String str, String str2) {
        try {
            ThreadContextClassLoader threadContextClassLoader = new ThreadContextClassLoader(getClass().getClassLoader());
            try {
                Principal principal = (Principal) this.authenticationCache.getUnchecked(new Credential(str, str2));
                threadContextClassLoader.close();
                return principal;
            } finally {
            }
        } catch (UncheckedExecutionException e) {
            Throwables.throwIfInstanceOf(e.getCause(), AccessDeniedException.class);
            throw e;
        }
    }

    private Principal authenticateWithUserBind(Credential credential) {
        String user = credential.getUser();
        if (containsSpecialCharacters(user)) {
            throw new AccessDeniedException("Username contains a special LDAP character");
        }
        try {
            String createUserDistinguishedName = createUserDistinguishedName(user);
            if (this.groupAuthorizationSearchPattern.isPresent()) {
                checkGroupMembership(user, createUserDistinguishedName, credential.getPassword());
            } else {
                validatePassword(createUserDistinguishedName, credential.getPassword());
            }
            log.debug("Authentication successful for user [%s]", new Object[]{user});
            return new BasicPrincipal(user);
        } catch (NamingException e) {
            log.debug(e, "Authentication failed for user [%s], %s", new Object[]{user, e.getMessage()});
            throw new RuntimeException("Authentication error");
        }
    }

    private Principal authenticateWithBindDistinguishedName(Credential credential) {
        String user = credential.getUser();
        if (containsSpecialCharacters(user)) {
            throw new AccessDeniedException("Username contains a special LDAP character");
        }
        try {
            validatePassword(validateGroupMembership(user, this.bindDistinguishedName.get(), this.bindPassword.get()), credential.getPassword());
            log.debug("Authentication successful for user [%s]", new Object[]{user});
            return new BasicPrincipal(credential.getUser());
        } catch (NamingException e) {
            log.debug(e, "Authentication failed for user [%s], %s", new Object[]{user, e.getMessage()});
            throw new RuntimeException("Authentication error");
        }
    }

    private String createUserDistinguishedName(String str) {
        return replaceUser(this.userBindSearchPattern.get(), str);
    }

    private String validateGroupMembership(String str, String str2, String str3) throws NamingException {
        DirContext createUserDirContext = createUserDirContext(str2, str3);
        try {
            String validateGroupMembership = validateGroupMembership(str, createUserDirContext);
            createUserDirContext.close();
            return validateGroupMembership;
        } catch (Throwable th) {
            createUserDirContext.close();
            throw th;
        }
    }

    /* JADX WARN: Finally extract failed */
    private void checkGroupMembership(String str, String str2, String str3) throws NamingException {
        DirContext createUserDirContext = createUserDirContext(str2, str3);
        try {
            NamingEnumeration<SearchResult> searchGroupMembership = searchGroupMembership(str, createUserDirContext);
            try {
                if (searchGroupMembership.hasMore()) {
                    searchGroupMembership.close();
                } else {
                    String format = String.format("User [%s] not a member of an authorized group", str);
                    log.debug(format);
                    throw new AccessDeniedException(format);
                }
            } catch (Throwable th) {
                searchGroupMembership.close();
                throw th;
            }
        } finally {
            createUserDirContext.close();
        }
    }

    @VisibleForTesting
    static boolean containsSpecialCharacters(String str) {
        if (WHITESPACE.indexIn(str) == 0 || WHITESPACE.lastIndexIn(str) == str.length() - 1) {
            return true;
        }
        return SPECIAL_CHARACTERS.matchesAnyOf(str);
    }

    private String validateGroupMembership(String str, DirContext dirContext) throws NamingException {
        NamingEnumeration<SearchResult> searchGroupMembership = searchGroupMembership(str, dirContext);
        try {
            if (!searchGroupMembership.hasMore()) {
                String format = String.format("User [%s] not a member of an authorized group", str);
                log.debug(format);
                throw new AccessDeniedException(format);
            }
            String nameInNamespace = ((SearchResult) searchGroupMembership.next()).getNameInNamespace();
            while (searchGroupMembership.hasMore()) {
                String nameInNamespace2 = ((SearchResult) searchGroupMembership.next()).getNameInNamespace();
                if (!nameInNamespace.equals(nameInNamespace2)) {
                    log.debug("Multiple group membership results for user [%s] with different distinguished names: [%s], [%s]", new Object[]{str, nameInNamespace, nameInNamespace2});
                    throw new AccessDeniedException(String.format("Multiple group membership results for user [%s] with different distinguished names", str));
                }
            }
            log.debug("Group membership validated for user [%s]", new Object[]{str});
            searchGroupMembership.close();
            return nameInNamespace;
        } catch (Throwable th) {
            searchGroupMembership.close();
            throw th;
        }
    }

    private NamingEnumeration<SearchResult> searchGroupMembership(String str, DirContext dirContext) throws NamingException {
        String str2 = this.userBaseDistinguishedName.get();
        String replaceUser = replaceUser(this.groupAuthorizationSearchPattern.get(), str);
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(2);
        return dirContext.search(str2, replaceUser, searchControls);
    }

    private void validatePassword(String str, String str2) throws NamingException {
        createUserDirContext(str, str2).close();
    }

    private DirContext createUserDirContext(String str, String str2) throws NamingException {
        try {
            DirContext createDirContext = JndiUtils.createDirContext(createEnvironment(str, str2));
            log.debug("Password validation successful for user DN [%s]", new Object[]{str});
            return createDirContext;
        } catch (AuthenticationException e) {
            log.debug("Password validation failed for user DN [%s]: %s", new Object[]{str, e.getMessage()});
            throw new AccessDeniedException("Invalid credentials");
        }
    }

    private Map<String, String> createEnvironment(String str, String str2) {
        ImmutableMap.Builder put = ImmutableMap.builder().putAll(this.basicEnvironment).put("java.naming.security.authentication", "simple").put("java.naming.security.principal", str).put("java.naming.security.credentials", str2);
        this.sslContext.ifPresent(sSLContext -> {
            LdapSslSocketFactory.setSslContextForCurrentThread(sSLContext);
            put.put("java.naming.ldap.factory.socket", LdapSslSocketFactory.class.getName());
        });
        return put.build();
    }

    private static String replaceUser(String str, String str2) {
        return str.replace("${USER}", str2);
    }

    private static SSLContext createSslContext(File file) {
        try {
            KeyStore loadTrustStore = PemReader.loadTrustStore(file);
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(loadTrustStore);
            TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
            if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
                throw new RuntimeException("Unexpected default trust managers:" + Arrays.toString(trustManagers));
            }
            SSLContext sSLContext = SSLContext.getInstance("SSL");
            sSLContext.init(null, trustManagers, null);
            return sSLContext;
        } catch (IOException | GeneralSecurityException e) {
            throw new RuntimeException(e);
        }
    }
}
