package com.facebook.presto.password;

import com.facebook.presto.password.jndi.JndiUtils;
import com.facebook.presto.spi.security.AccessDeniedException;
import com.facebook.presto.spi.security.BasicPrincipal;
import com.facebook.presto.spi.security.PasswordAuthenticator;
import com.google.common.base.MoreObjects;
import com.google.common.base.Preconditions;
import com.google.common.base.Throwables;
import com.google.common.base.VerifyException;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.collect.ImmutableMap;
import com.google.common.util.concurrent.UncheckedExecutionException;
import io.airlift.log.Logger;
import java.security.Principal;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import javax.inject.Inject;
import javax.naming.AuthenticationException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;

/* loaded from: input_file:com/facebook/presto/password/LdapAuthenticator.class */
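/**
 * Password authenticator that verifies a user by performing an LDAP simple bind as that user
 * and, optionally, checking that the user matches a configured group search filter.
 *
 * <p>The user name is substituted into two server-side contexts with different escaping rules:
 * the bind DN ({@code userBindSearchPattern}) and the group search filter
 * ({@code groupAuthorizationSearchPattern}). Rather than escaping for both, user names containing
 * LDAP metacharacters are rejected up front, and an empty password is rejected so that the bind is
 * never sent as an unauthenticated bind.
 *
 * <p>Successful and failed results are cached per (user, password) pair for the configured TTL, so
 * a changed or revoked password takes effect on this instance only after the entry expires.
 */
public class LdapAuthenticator implements PasswordAuthenticator {
    private static final Logger log = Logger.get(LdapAuthenticator.class);

    /** Placeholder in the bind and group search patterns that is replaced (literally) with the user name. */
    private static final String USER_PLACEHOLDER = "${USER}";

    /**
     * Characters with special meaning in LDAP distinguished names (RFC 4514) or search filters
     * (RFC 4515). A user name containing any of them could alter the bind DN or the group filter,
     * so such names are refused instead of substituted.
     */
    private static final String LDAP_SPECIAL_CHARACTERS = ",=+<>#;*()\"\\\0";

    /** Leading or trailing characters that would need escaping in a DN value; refused for the same reason. */
    private static final String LDAP_WHITESPACE = " \r";

    private final String userBindSearchPattern;
    private final Optional<String> groupAuthorizationSearchPattern;
    private final Optional<String> userBaseDistinguishedName;
    private final Map<String, String> basicEnvironment;
    private final LoadingCache<Credentials, Principal> authenticationCache;

    /**
     * Cache key for an authentication attempt. Holds the plaintext password in memory for the
     * cache TTL; it is deliberately kept out of {@link #toString()} so the key never reaches a log.
     */
    private static class Credentials {
        private final String user;
        private final String password;

        private Credentials(String user, String password) {
            this.user = Objects.requireNonNull(user);
            this.password = Objects.requireNonNull(password);
        }

        public String getUser() {
            return user;
        }

        public String getPassword() {
            return password;
        }

        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            Credentials other = (Credentials) obj;
            return Objects.equals(user, other.user) && Objects.equals(password, other.password);
        }

        @Override
        public int hashCode() {
            return Objects.hash(user, password);
        }

        /** Renders the user only; the password is redacted so cache diagnostics cannot leak it. */
        @Override
        public String toString() {
            return MoreObjects.toStringHelper(this)
                    .add("user", user)
                    .add("password", "[redacted]")
                    .toString();
        }
    }

    /**
     * Builds the authenticator from configuration and verifies at construction time that the LDAP
     * server is reachable (an initial context is opened and closed once).
     *
     * @param ldapConfig LDAP URL, bind/group patterns, base DN and cache TTL
     * @throws NullPointerException if the LDAP URL or the user bind pattern is not configured
     * @throws IllegalStateException if a group search pattern is configured without a user base DN
     * @throws RuntimeException if the LDAP server cannot be contacted
     */
    @Inject
    public LdapAuthenticator(LdapConfig ldapConfig) {
        String ldapUrl = Objects.requireNonNull(ldapConfig.getLdapUrl(), "ldapUrl is null");
        this.userBindSearchPattern = Objects.requireNonNull(ldapConfig.getUserBindSearchPattern(), "userBindSearchPattern is null");
        this.groupAuthorizationSearchPattern = Optional.ofNullable(ldapConfig.getGroupAuthorizationSearchPattern());
        this.userBaseDistinguishedName = Optional.ofNullable(ldapConfig.getUserBaseDistinguishedName());
        if (groupAuthorizationSearchPattern.isPresent()) {
            // The group search needs a base DN to search under.
            Preconditions.checkState(userBaseDistinguishedName.isPresent(), "Base distinguished name (DN) for user is null");
        }

        ImmutableMap<String, String> environment = ImmutableMap.<String, String>builder()
                .put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory")
                .put("java.naming.provider.url", ldapUrl)
                .build();
        // Fail fast on a misconfigured or unreachable server instead of at first login.
        checkEnvironment(environment);
        this.basicEnvironment = environment;

        this.authenticationCache = CacheBuilder.newBuilder()
                .expireAfterWrite(ldapConfig.getLdapCacheTtl().toMillis(), TimeUnit.MILLISECONDS)
                .build(CacheLoader.from(this::authenticate));
    }

    /**
     * Authenticates the user, consulting the cache first.
     *
     * @param user user name supplied by the client
     * @param password password supplied by the client
     * @return the authenticated principal
     * @throws AccessDeniedException if the user name contains LDAP metacharacters, the password is
     *         empty, the bind fails, or the user is not in the authorized group
     * @throws RuntimeException on any other LDAP error
     */
    @Override
    public Principal createAuthenticatedPrincipal(String user, String password) {
        if (containsSpecialCharacters(user)) {
            log.debug("Rejected user name [%s]: contains a special LDAP character", user);
            throw new AccessDeniedException("Username contains a special LDAP character");
        }
        if (password.isEmpty()) {
            // An empty password is sent as an LDAP unauthenticated bind (RFC 4513, 5.1.2), which
            // many directories accept without verifying anything. Never forward it.
            log.debug("Rejected empty password for user [%s]", user);
            throw new AccessDeniedException("Invalid credentials");
        }
        try {
            return authenticationCache.getUnchecked(new Credentials(user, password));
        }
        catch (UncheckedExecutionException e) {
            // The loader's AccessDeniedException is wrapped by the cache; unwrap it for callers.
            Throwables.throwIfInstanceOf(e.getCause(), AccessDeniedException.class);
            throw e;
        }
    }

    /** Cache loader entry point: authenticates the (user, password) pair held by the key. */
    private Principal authenticate(Credentials credentials) {
        return authenticate(credentials.getUser(), credentials.getPassword());
    }

    /**
     * Binds to the LDAP server as the user and checks group membership.
     *
     * @throws AccessDeniedException if the bind is refused or the user is not in the authorized group
     * @throws RuntimeException on any other LDAP error
     */
    private Principal authenticate(String user, String password) {
        DirContext context = null;
        try {
            context = JndiUtils.createDirContext(createEnvironment(user, password));
            checkForGroupMembership(user, context);
            log.debug("Authentication successful for user [%s]", user);
            return new BasicPrincipal(user);
        }
        catch (AuthenticationException e) {
            // Must be listed before NamingException (its supertype) so bad credentials map to
            // AccessDeniedException rather than a generic error.
            log.debug("Authentication failed for user [%s]: %s", user, e.getMessage());
            throw new AccessDeniedException("Invalid credentials");
        }
        catch (NamingException e) {
            log.debug(e, "Authentication error for user [%s]", user);
            throw new RuntimeException("Authentication error");
        }
        finally {
            if (context != null) {
                closeContext(context);
            }
        }
    }

    /** JNDI environment for a simple bind as the given user. */
    private Map<String, String> createEnvironment(String user, String password) {
        return ImmutableMap.<String, String>builder()
                .putAll(basicEnvironment)
                .put("java.naming.security.authentication", "simple")
                .put("java.naming.security.principal", createPrincipal(user))
                .put("java.naming.security.credentials", password)
                .build();
    }

    /** Bind DN for the user, derived from the configured bind pattern. */
    private String createPrincipal(String user) {
        return replaceUser(userBindSearchPattern, user);
    }

    /**
     * Verifies the user matches the configured group search filter; a no-op when no group
     * pattern is configured.
     *
     * @throws AccessDeniedException if the search returns no entries
     * @throws RuntimeException if the search itself fails
     */
    private void checkForGroupMembership(String user, DirContext context) {
        if (!groupAuthorizationSearchPattern.isPresent()) {
            return;
        }
        String baseDn = userBaseDistinguishedName.orElseThrow(VerifyException::new);
        String searchFilter = replaceUser(groupAuthorizationSearchPattern.get(), user);
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);

        boolean isMember;
        try {
            NamingEnumeration<?> results = context.search(baseDn, searchFilter, searchControls);
            try {
                // Only existence matters, so the first element is enough.
                isMember = results.hasMoreElements();
            }
            finally {
                results.close();
            }
        }
        catch (NamingException e) {
            log.debug("Authentication error for user [%s]: %s", user, e.getMessage());
            throw new RuntimeException("Authentication error");
        }

        if (!isMember) {
            String message = String.format("User [%s] not a member of the authorized group", user);
            log.debug(message);
            throw new AccessDeniedException(message);
        }
    }

    /**
     * Substitutes the user name for every {@code ${USER}} placeholder. Uses a literal replace so
     * characters such as {@code $} or {@code \} in the user name are never interpreted as
     * regex replacement syntax.
     */
    private static String replaceUser(String pattern, String user) {
        return pattern.replace(USER_PLACEHOLDER, user);
    }

    /**
     * Returns true if the user name contains an LDAP DN/filter metacharacter or starts/ends with
     * whitespace that would require DN escaping.
     */
    private static boolean containsSpecialCharacters(String user) {
        if (user.isEmpty()) {
            return false;
        }
        if (LDAP_WHITESPACE.indexOf(user.charAt(0)) >= 0
                || LDAP_WHITESPACE.indexOf(user.charAt(user.length() - 1)) >= 0) {
            return true;
        }
        for (int i = 0; i < user.length(); i++) {
            if (LDAP_SPECIAL_CHARACTERS.indexOf(user.charAt(i)) >= 0) {
                return true;
            }
        }
        return false;
    }

    /**
     * Opens and immediately closes a context with the given environment to confirm the server
     * is reachable.
     *
     * @throws RuntimeException wrapping the {@link NamingException} if the context cannot be created
     */
    private static void checkEnvironment(Map<String, String> environment) {
        try {
            closeContext(JndiUtils.createDirContext(environment));
        }
        catch (NamingException e) {
            throw new RuntimeException(e);
        }
    }

    /** Closes the context; a close failure is logged rather than propagated so it cannot mask the real outcome. */
    private static void closeContext(DirContext context) {
        try {
            context.close();
        }
        catch (NamingException e) {
            log.debug(e, "Error closing LDAP context");
        }
    }
}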
