package com.cloudera.server.web.cmf;

import com.cloudera.cmf.model.DbAuthRole;
import com.cloudera.cmf.model.DbExternalMapping;
import com.cloudera.cmf.model.ExternalMappingType;
import com.cloudera.cmf.persist.CmfEntityManager;
import com.cloudera.cmf.service.scm.ScmParamTrackerStore;
import com.cloudera.cmf.user.UserRole;
import com.cloudera.server.web.cmf.CMFUserDetailsService;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Predicate;
import com.google.common.collect.HashMultimap;
import com.google.common.collect.ImmutableSet;
import java.util.Map;
import java.util.Set;
import javax.persistence.EntityManagerFactory;
import org.jvnet.libpam.PAM;
import org.jvnet.libpam.PAMException;
import org.jvnet.libpam.UnixUser;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/* loaded from: input_file:com/cloudera/server/web/cmf/CmfPamAuthenticationProvider.class */
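/**
 * Authentication provider that verifies a username and password against the host's PAM stack
 * (through the {@code org.jvnet.libpam} bindings) and then maps the user's Unix groups to roles
 * by filtering the external mappings returned by {@link CmfEntityManager}.
 *
 * <p>This is decompiled output: names such as {@code str} and {@code mo1814authenticate} come
 * from the decompiler and are kept so that existing callers still resolve.
 *
 * <p>NOTE(review): a single {@link PAM} handle is created per provider and reused for every
 * login. Whether concurrent {@code authenticate} calls on a shared handle are safe is not
 * visible in this file; confirm against the libpam binding in use. The handle is only released
 * when {@link PamUserProvider#disposePam()} is called, and nothing in this class calls it.
 */
public class CmfPamAuthenticationProvider implements CmfAuthenticationProvider, CmfUserLoader {
    static final Logger LOG = LoggerFactory.getLogger(CmfPamAuthenticationProvider.class);
    // PAM service name this provider was configured with ("login" for the no-arg constructor).
    final String serviceName;
    // Set by initialize(); used to open a CmfEntityManager for each mapping lookup.
    EntityManagerFactory emf;
    // Set by initialize(); authenticate fails fast if it is still null.
    UserMapper userMapper;
    // Only set by the public constructor; the package-private constructor leaves it null.
    PamUserProvider pamUserProvider;

    /** Result of one PAM authentication attempt: username, outcome and Unix groups. */
    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:com/cloudera/server/web/cmf/CmfPamAuthenticationProvider$PamUser.class */
    public static class PamUser {
        private boolean isAuthenticated;
        private String username;
        // Stays null unless setGroups is called; authPamUser only sets it on success.
        private Set<String> groups;

        PamUser() {
        }

        public String getUsername() {
            return this.username;
        }

        public void setUsername(String str) {
            this.username = str;
        }

        public boolean isAuthenticated() {
            return this.isAuthenticated;
        }

        public void setAuthenticated(boolean z) {
            this.isAuthenticated = z;
        }

        public Set<String> getGroups() {
            return this.groups;
        }

        public void setGroups(Set<String> set) {
            this.groups = set;
        }
    }

    /** Thin wrapper around one {@link PAM} handle bound to a PAM service name. */
    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:com/cloudera/server/web/cmf/CmfPamAuthenticationProvider$PamUserProvider.class */
    public static class PamUserProvider {
        String serviceName;
        PAM pam;

        // Leaves both fields null; authPamUser and disposePam would fail on such an instance.
        PamUserProvider() {
        }

        /**
         * Opens a PAM handle for the given service.
         *
         * @param str PAM service name
         * @throws PAMException if the PAM handle cannot be created
         */
        public PamUserProvider(String str) throws PAMException {
            this.serviceName = str;
            this.pam = new PAM(str);
        }

        /**
         * Attempts a PAM login and reports the outcome instead of throwing.
         *
         * @param str username
         * @param str2 password
         * @return a {@link PamUser} carrying the username; authenticated with its groups on
         *     success, not authenticated (groups left unset) when PAM raises a
         *     {@link PAMException}
         */
        public PamUser authPamUser(String str, String str2) {
            PamUser pamUser = new PamUser();
            pamUser.setUsername(str);
            try {
                UnixUser authenticate = this.pam.authenticate(str, str2);
                pamUser.setAuthenticated(true);
                pamUser.setGroups(authenticate.getGroups());
                return pamUser;
            } catch (PAMException e) {
                // Logs the exception's string form only. This code does not add the username or
                // a source address, so failed logins cannot be attributed from this line alone.
                CmfPamAuthenticationProvider.LOG.error("The authentication failed." + e);
                pamUser.setAuthenticated(false);
                return pamUser;
            }
        }

        /** Releases the underlying PAM handle. */
        public void disposePam() {
            this.pam.dispose();
        }

        public String getServiceName() {
            return this.serviceName;
        }
    }

    // Package-private: uses the "login" service and creates no PAM handle.
    CmfPamAuthenticationProvider() {
        this.serviceName = "login";
    }

    /**
     * Creates the provider and opens the PAM handle for the given service.
     *
     * @param str PAM service name; must not be null
     * @throws AuthenticationServiceException if PAM cannot be initialised or the native
     *     library cannot be loaded
     */
    public CmfPamAuthenticationProvider(String str) {
        Preconditions.checkNotNull(str);
        this.serviceName = str;
        LOG.info("Initializing PAM authentication");
        try {
            this.pamUserProvider = new PamUserProvider(str);
        } catch (PAMException e) {
            LOG.error("Unexpected exception when initializing PAM");
            throw new AuthenticationServiceException("Unexpected exception when initializing PAM", e);
        } catch (UnsatisfiedLinkError e2) {
            LOG.error("Unable to load library 'pam'");
            throw new AuthenticationServiceException("Unable to load library 'pam'", e2);
        }
    }

    /**
     * Authenticates the presented username and password through PAM and builds a token whose
     * roles come from the external mappings matching the user's Unix groups.
     *
     * @param authentication the login request; principal is the username, credentials the
     *     password
     * @return an authenticated token carrying the request's details
     * @throws AuthenticationException if the principal or credentials are missing, the
     *     username has the internal-user prefix, PAM rejects the login, or role mapping fails
     */
    @Override // com.cloudera.server.web.cmf.CmfAuthenticationProvider
    /* renamed from: authenticate */
    public CmfUsernamePasswordAuthenticationToken mo1814authenticate(Authentication authentication) throws AuthenticationException {
        Preconditions.checkNotNull(this.userMapper);
        Object principal = authentication.getPrincipal();
        Object credentials = authentication.getCredentials();
        // String.valueOf(null) yields the literal text "null", so a request with no password
        // would otherwise be sent to PAM with the password "null". Reject it up front with the
        // same exception and message as an ordinary failure.
        if (principal == null || credentials == null) {
            LOG.warn("Authentication request is missing a principal or credentials.");
            throw new AuthenticationServiceException("Authentication failed, wrong username or password.");
        }
        String username = String.valueOf(principal);
        String password = String.valueOf(credentials);
        // Reserved internal accounts must never be satisfied by an external (PAM) login.
        if (username.startsWith("__cloudera_internal_user__")) {
            throw new AuthenticationServiceException("Internal Management Users cannot be externally authenticated.");
        }
        PamUser authPamUser = this.pamUserProvider.authPamUser(username, password);
        if (!authPamUser.isAuthenticated()) {
            // NOTE(review): a wrong password is reported as AuthenticationServiceException;
            // the type is kept because callers may depend on it.
            throw new AuthenticationServiceException("Authentication failed, wrong username or password.");
        }
        Set<String> groups = authPamUser.getGroups();
        LOG.info("PAM Authentication passed.");
        try {
            CmfUsernamePasswordAuthenticationToken token = new CmfUsernamePasswordAuthenticationToken(mapUserToRoles(username, groups));
            token.setDetails(authentication.getDetails());
            return token;
        } catch (Exception e) {
            // The exception is rethrown unchanged; this line only marks where it happened.
            LOG.error("Problem with CMFUser initialization in PAM");
            throw e;
        }
    }

    /**
     * Builds user details for a username without checking a password, using the groups of the
     * matching Unix account.
     *
     * @param str username
     * @return the mapped user and its authorities; if the Unix user lookup raises a
     *     {@link PAMException}, a user mapped from an empty group set with {@code null}
     *     as the second constructor argument
     */
    @Override // com.cloudera.server.web.cmf.CmfUserLoader
    public UserDetailsAndGroups loadUserByUsername(String str) {
        try {
            try {
                CMFUserDetailsService.CMFUser mapUserToRoles = mapUserToRoles(str, new UnixUser(str).getGroups());
                return new UserDetailsAndGroups(mapUserToRoles, mapUserToRoles.getAuthorities());
            } catch (Exception e) {
                LOG.error("Problem with CMFUser initialization in PAM", e);
                throw e;
            }
        } catch (PAMException e2) {
            // The lookup failure is not propagated: the caller still receives a user object,
            // mapped from no groups.
            LOG.error("Bad unix user in pam.", e2);
            return new UserDetailsAndGroups(mapUserToRoles(str, ImmutableSet.of()), null);
        }
    }

    /**
     * Maps a user to roles from the external mappings whose code is one of the user's groups.
     *
     * @param str username
     * @param set the user's Unix group names; must not be null because the predicate calls
     *     {@code contains} on it
     */
    private CMFUserDetailsService.CMFUser mapUserToRoles(String str, final Set<String> set) {
        // NOTE(review): PAM groups are matched against mappings of type LDAP. Confirm this is
        // intended, since an LDAP group mapping then also grants roles to a same-named Unix group.
        return this.userMapper.mapUser(str, fetchMappings(new Predicate<DbExternalMapping>() { // from class: com.cloudera.server.web.cmf.CmfPamAuthenticationProvider.1
            public boolean apply(DbExternalMapping dbExternalMapping) {
                return dbExternalMapping.getExternalMappingType() == ExternalMappingType.LDAP && set.contains(dbExternalMapping.getCode());
            }
        }));
    }

    /**
     * Stores the collaborators needed for role mapping.
     *
     * @param entityManagerFactory factory used to open a {@link CmfEntityManager} per lookup
     * @param userMapper mapper that turns a username and role map into a user
     * @param scmParamTrackerStore not used by this provider
     */
    @Override // com.cloudera.server.web.cmf.CmfAuthenticationProvider
    public void initialize(EntityManagerFactory entityManagerFactory, UserMapper userMapper, ScmParamTrackerStore scmParamTrackerStore) {
        this.emf = entityManagerFactory;
        this.userMapper = userMapper;
    }

    /** Accepts {@link UsernamePasswordAuthenticationToken} and its subclasses. */
    public boolean supports(Class<?> cls) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(cls);
    }

    /**
     * Collects the roles of every external mapping accepted by the predicate, grouped by scope.
     *
     * @param predicate selects which mappings contribute roles
     * @return roles per scope; empty when no mapping matched (a warning is logged)
     * @throws AuthenticationServiceException if reading or converting the mappings fails
     */
    protected Map<AuthScope, Set<UserRole>> fetchMappings(Predicate<DbExternalMapping> predicate) {
        // Raw type kept from the decompiled source so that asMap() still converts to the
        // declared return type.
        HashMultimap create = HashMultimap.create();
        CmfEntityManager cmfEntityManager = getCmfEntityManager();
        try {
            cmfEntityManager.beginForRollbackAndReadonly();
            // Every mapping is loaded and filtered in memory by the predicate.
            for (DbExternalMapping dbExternalMapping : cmfEntityManager.findAllExternalMappings()) {
                if (predicate.apply(dbExternalMapping)) {
                    for (Map.Entry<AuthScope, Set<UserRole>> entry : CMFUserDetailsService.getRoles((Set<DbAuthRole>) dbExternalMapping.getImmutableAuthRole()).entrySet()) {
                        create.putAll(entry.getKey(), entry.getValue());
                    }
                }
            }
            if (create.isEmpty()) {
                LOG.warn("PAM role mapping did not assign a role. User will not be authorized.");
            }
            return create.asMap();
        } catch (Exception e) {
            // One rollback per failure. The nested handlers in the decompiled form rolled back
            // twice, because the wrapped exception was caught again by an outer handler.
            cmfEntityManager.rollback();
            throw new AuthenticationServiceException("Authentication failed. Please try again.", e);
        } finally {
            cmfEntityManager.close();
        }
    }

    /** Opens a new entity manager on the configured factory; overridable in tests. */
    @VisibleForTesting
    CmfEntityManager getCmfEntityManager() {
        return new CmfEntityManager(this.emf);
    }
}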
