package com.cloudera.server.web.cmf;

import com.cloudera.cmf.model.DbAudit;
import com.cloudera.cmf.model.DbAuthRole;
import com.cloudera.cmf.model.DbAuthScope;
import com.cloudera.cmf.model.DbConfigContainerConfigProvider;
import com.cloudera.cmf.model.DbUser;
import com.cloudera.cmf.model.Enums;
import com.cloudera.cmf.persist.CmfEntityManager;
import com.cloudera.cmf.persist.DbAuditDao;
import com.cloudera.cmf.service.CommandUtils;
import com.cloudera.cmf.service.scm.ScmHandler;
import com.cloudera.cmf.service.scm.ScmParams;
import com.cloudera.cmf.user.UserRole;
import com.cloudera.server.cmf.FeatureManager;
import com.cloudera.server.cmf.OperationsManager;
import com.cloudera.server.web.common.CurrentUser;
import com.cloudera.server.web.common.I18n;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.HashMultimap;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.persistence.EntityManagerFactory;
import org.apache.commons.lang.exception.ExceptionUtils;
import org.hibernate.exception.ConstraintViolationException;
import org.joda.time.Duration;
import org.joda.time.Instant;
import org.python.google.common.collect.ImmutableList;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.dao.DataAccessException;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/* loaded from: input_file:com/cloudera/server/web/cmf/CMFUserDetailsService.class */
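/**
 * Spring Security {@link UserDetailsService} backed by the CMF user database.
 *
 * <p>Loads a {@link DbUser} by name, maps its {@link DbAuthRole}s to scoped {@link UserRole}s and
 * {@link GrantedAuthority}s, and wraps the result in a {@link CMFUser}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Every call to {@link #loadUserByUsername(String)} first runs the first-user bootstrap
 *       ({@link #checkCreateFirstUser(String)}), which may create an {@code admin} account when
 *       the user table is empty.</li>
 *   <li>{@link #addRoleToCurrentUser(CmfEntityManager, DbAuthRole)} grants a role to the caller's
 *       own account and performs no authorization check of its own.</li>
 * </ul>
 */
public class CMFUserDetailsService implements UserDetailsService {
    /** Maximum number of previous successful logins returned by {@link #getLastNLogins}. */
    private static final int numLastLoginsReturned = 2;
    /** How far back, in days, the audit log is searched for previous logins. */
    private static final long LAST_LOGIN_LOOKBACK_DAYS = 90L;
    /** Authority string that {@link #isAuthorized(Collection)} requires. */
    private static final String REQUIRED_AUTHORITY = "ROLE_USER";
    private static final Logger LOG = LoggerFactory.getLogger(CMFUserDetailsService.class);

    private final EntityManagerFactory emf;
    private final OperationsManager om;
    private final FeatureManager fm;

    /* loaded from: input_file:com/cloudera/server/web/cmf/CMFUserDetailsService$CMFUser.class */
    /**
     * {@link UserDetails} implementation that carries per-scope roles and authorities in addition
     * to the fields of Spring's {@link User}, to which the standard accessors delegate.
     */
    public static class CMFUser implements UserDetails {
        private static final long serialVersionUID = -6419034373518116930L;
        // These fields are package-visible in the original; left as-is because other classes in
        // the package may read them directly.
        long salt;
        boolean isExternal;
        boolean isInternal;
        Map<AuthScope, ImmutableSet<UserRole>> scopedRoles;
        Map<AuthScope, ImmutableSet<GrantedAuthority>> scopedAuthorities;
        List<Instant> lastLogins;
        private final User springFrameworkUser;

        /* loaded from: input_file:com/cloudera/server/web/cmf/CMFUserDetailsService$CMFUser$Builder.class */
        /** Fluent builder for {@link CMFUser}; obtain one through {@link CMFUser#newBuilder()}. */
        public static class Builder {
            private String username;
            private String passwordHash;
            private boolean enabled;
            private boolean accountNonExpired;
            private boolean credentialsNonExpired;
            private boolean accountNonLocked;
            private Map<AuthScope, ImmutableSet<GrantedAuthority>> authorities;
            private long salt;
            private boolean isExternal;
            private boolean isInternal;
            private Map<AuthScope, ImmutableSet<UserRole>> roles;
            private List<Instant> lastLogins;

            private Builder() {
                // NOTE(review): the decompiled defaults for username/passwordHash reference
                // CommandUtils.CONFIG_TOP_LEVEL_DIR; presumably a constant-folded string literal
                // rather than an intentional dependency. Confirm against the original source.
                this.username = CommandUtils.CONFIG_TOP_LEVEL_DIR;
                this.passwordHash = CommandUtils.CONFIG_TOP_LEVEL_DIR;
                this.enabled = true;
                this.accountNonExpired = true;
                this.credentialsNonExpired = true;
                this.accountNonLocked = true;
                this.authorities = ImmutableMap.of();
                this.salt = -1L;
                this.isExternal = false;
                this.isInternal = false;
                this.roles = ImmutableMap.of();
                // java.util's immutable empty list is used so this class does not depend on the
                // ImmutableList that the file imports from the Jython-shaded Guava package.
                this.lastLogins = Collections.emptyList();
            }

            public Builder setUsername(String str) {
                this.username = str;
                return this;
            }

            public Builder setPasswordHash(String str) {
                this.passwordHash = str;
                return this;
            }

            public Builder setEnabled(boolean z) {
                this.enabled = z;
                return this;
            }

            public Builder setAccountNonExpired(boolean z) {
                this.accountNonExpired = z;
                return this;
            }

            public Builder setCredentialsNonExpired(boolean z) {
                this.credentialsNonExpired = z;
                return this;
            }

            public Builder setAccountNonLocked(boolean z) {
                this.accountNonLocked = z;
                return this;
            }

            /**
             * Stores an immutable snapshot of the given per-scope authorities.
             *
             * <p>The global scope is always present in the stored map (empty when the input has
             * no entry for it). Entries whose value is {@code null} are skipped.
             *
             * @param map authorities keyed by scope; must not be {@code null}
             * @return this builder
             */
            public Builder setAuthorities(Map<AuthScope, ? extends Collection<GrantedAuthority>> map) {
                Map<AuthScope, ImmutableSet<GrantedAuthority>> byScope = Maps.newHashMap();
                byScope.put(AuthScope.global(), ImmutableSet.<GrantedAuthority>of());
                for (Map.Entry<AuthScope, ? extends Collection<GrantedAuthority>> entry : map.entrySet()) {
                    if (entry.getValue() != null) {
                        byScope.put(entry.getKey(), ImmutableSet.copyOf(entry.getValue()));
                    }
                }
                this.authorities = ImmutableMap.copyOf(byScope);
                return this;
            }

            public Builder setSalt(long j) {
                this.salt = j;
                return this;
            }

            public Builder setIsExternal(boolean z) {
                this.isExternal = z;
                return this;
            }

            public Builder setIsInternal(boolean z) {
                this.isInternal = z;
                return this;
            }

            /**
             * Stores an immutable snapshot of the given per-scope roles.
             *
             * <p>The global scope is always present in the stored map (empty when the input has
             * no entry for it). Entries whose value is {@code null} are skipped.
             *
             * @param map roles keyed by scope; must not be {@code null}
             * @return this builder
             */
            public Builder setRoles(Map<AuthScope, ? extends Collection<UserRole>> map) {
                Map<AuthScope, ImmutableSet<UserRole>> byScope = Maps.newHashMap();
                byScope.put(AuthScope.global(), ImmutableSet.<UserRole>of());
                for (Map.Entry<AuthScope, ? extends Collection<UserRole>> entry : map.entrySet()) {
                    if (entry.getValue() != null) {
                        byScope.put(entry.getKey(), ImmutableSet.copyOf(entry.getValue()));
                    }
                }
                this.roles = ImmutableMap.copyOf(byScope);
                return this;
            }

            /** Sets the list of previous logins; the list is stored as given, not copied. */
            public Builder setLastNLogins(List<Instant> list) {
                this.lastLogins = list;
                return this;
            }

            public CMFUser build() {
                return new CMFUser(this);
            }
        }

        /**
         * Creates a user from the builder's state.
         *
         * <p>The wrapped Spring {@link User} receives only the global-scope authorities; scoped
         * authorities are resolved at call time by {@link #getAuthorities()}.
         *
         * @param builder source of all field values
         */
        public CMFUser(Builder builder) {
            // A builder on which setAuthorities() was never called has no global entry; fall back
            // to an empty set (no privileges) instead of handing null to the User constructor.
            Collection<GrantedAuthority> globalGrants = builder.authorities.get(AuthScope.global());
            if (globalGrants == null) {
                globalGrants = ImmutableSet.<GrantedAuthority>of();
            }
            this.springFrameworkUser = new User(builder.username, builder.passwordHash, builder.enabled, builder.accountNonExpired, builder.credentialsNonExpired, builder.accountNonLocked, globalGrants);
            this.salt = builder.salt;
            this.isExternal = builder.isExternal;
            this.isInternal = builder.isInternal;
            this.scopedRoles = builder.roles;
            this.scopedAuthorities = builder.authorities;
            this.lastLogins = builder.lastLogins;
        }

        public boolean isExternal() {
            return this.isExternal;
        }

        public boolean isInternal() {
            return this.isInternal;
        }

        public Map<AuthScope, ImmutableSet<UserRole>> getRoles() {
            return this.scopedRoles;
        }

        public Map<AuthScope, ImmutableSet<GrantedAuthority>> getScopedAuthorities() {
            return this.scopedAuthorities;
        }

        public long getSalt() {
            return this.salt;
        }

        public List<Instant> getLastNLogins() {
            return this.lastLogins;
        }

        // equals/hashCode deliberately stay identity-based (Object's implementation): two CMFUser
        // instances loaded for the same username are NOT equal. Code that keys on the principal
        // (for example a registry of sessions per principal) has to compare usernames instead.
        @Override
        public boolean equals(Object obj) {
            return super.equals(obj);
        }

        @Override
        public int hashCode() {
            return super.hashCode();
        }

        /**
         * Returns the union of the authorities granted in the scope currently reported by
         * {@link AuthScopeContext#get()} and those granted globally.
         *
         * <p>The result therefore depends on the scope context at the time of the call, not only
         * on this object's state.
         */
        @Override
        public Collection<GrantedAuthority> getAuthorities() {
            return ImmutableSet.<GrantedAuthority>builder()
                    .addAll(internalGetScopedGrants(AuthScopeContext.get()))
                    .addAll(internalGetScopedGrants(AuthScope.global()))
                    .build();
        }

        /** Returns the stored password hash (the value given to {@link Builder#setPasswordHash}). */
        @Override
        public String getPassword() {
            return this.springFrameworkUser.getPassword();
        }

        @Override
        public String getUsername() {
            return this.springFrameworkUser.getUsername();
        }

        @Override
        public boolean isAccountNonExpired() {
            return this.springFrameworkUser.isAccountNonExpired();
        }

        @Override
        public boolean isAccountNonLocked() {
            return this.springFrameworkUser.isAccountNonLocked();
        }

        @Override
        public boolean isCredentialsNonExpired() {
            // Fixed: this previously returned isAccountNonExpired(), so a value passed to
            // Builder.setCredentialsNonExpired(false) was never reported to Spring Security.
            return this.springFrameworkUser.isCredentialsNonExpired();
        }

        @Override
        public boolean isEnabled() {
            return this.springFrameworkUser.isEnabled();
        }

        public static Builder newBuilder() {
            return new Builder();
        }

        /** Returns the authorities stored for {@code authScope}, or an empty collection if none. */
        private Collection<GrantedAuthority> internalGetScopedGrants(AuthScope authScope) {
            ImmutableSet<GrantedAuthority> grants = this.scopedAuthorities.get(authScope);
            if (grants == null) {
                return Collections.emptyList();
            }
            return grants;
        }
    }

    @Autowired
    public CMFUserDetailsService(EntityManagerFactory entityManagerFactory, OperationsManager operationsManager, FeatureManager featureManager) {
        this.emf = entityManagerFactory;
        this.om = operationsManager;
        this.fm = featureManager;
    }

    /**
     * Adds {@code dbAuthRole} to the currently logged-in user and returns refreshed user details
     * that include the new role.
     *
     * <p>This method performs no authorization check: it grants whatever role it is handed to the
     * caller's own account. Callers are responsible for deciding that the promotion is allowed.
     *
     * @param cmfEntityManager entity manager used to resolve the logged-in user
     * @param dbAuthRole role to grant; the user is added to it via {@link DbAuthRole#addUser}
     * @return user details for the logged-in user with the merged privileges and an empty
     *     last-login list
     * @throws UsernameNotFoundException if no user is logged in
     */
    @SuppressWarnings({"rawtypes", "unchecked"})
    public UserDetails addRoleToCurrentUser(CmfEntityManager cmfEntityManager, DbAuthRole dbAuthRole) throws UsernameNotFoundException, DataAccessException {
        DbUser currentUser = CurrentUser.getLoggedInUser(cmfEntityManager);
        if (currentUser == null) {
            throw new UsernameNotFoundException("User not found");
        }
        String passwordHash = currentUser.getPasswordHash();
        long salt = currentUser.getPasswordSalt().longValue();
        // NOTE(review): loadUserByUsername() derives isExternal as the NEGATION of
        // getPasswordLogin(); here the flag is passed through un-negated, so the same account is
        // reported with the opposite isExternal value after promotion. Behaviour is left
        // unchanged because the consumers of isExternal() are not visible here; confirm which of
        // the two call sites is correct.
        boolean passwordLogin = currentUser.getPasswordLogin().booleanValue();
        boolean isInternal = currentUser.isInternal();
        // Raw map: the declared type of CurrentUser.getUserPrivileges() is not visible here.
        // putAll replaces (does not merge) the role set of any scope that the new role also
        // covers in this in-memory view.
        HashMap mergedRoles = Maps.newHashMap(CurrentUser.getUserPrivileges());
        mergedRoles.putAll(getRoles(ImmutableSet.of(dbAuthRole)));
        dbAuthRole.addUser(currentUser);
        LOG.info("Promoting cluster creator user {} to granular cluster admin.", currentUser.getName());
        return CMFUser.newBuilder()
                .setUsername(currentUser.getName())
                .setPasswordHash(passwordHash)
                .setAuthorities(getAuthorities(mergedRoles))
                .setSalt(salt)
                .setIsExternal(passwordLogin)
                .setIsInternal(isInternal)
                .setRoles(mergedRoles)
                .setLastNLogins(Lists.<Instant>newArrayList())
                .build();
    }

    /**
     * Loads the named user from the CMF database.
     *
     * <p>Before the lookup, the first-user bootstrap runs (see
     * {@link #checkCreateFirstUser(String)}). Users that hold neither {@code ROLE_ADMIN} nor
     * {@code ROLE_USER} are rejected if any of their roles requires a feature that
     * {@link FeatureManager} does not report as available.
     *
     * @param str the username as submitted by the client (untrusted input; it is embedded
     *     verbatim in the not-found exception message)
     * @return the populated {@link CMFUser}
     * @throws UsernameNotFoundException if no such user exists
     * @throws AuthenticationServiceException if a role of the user needs an unavailable feature
     */
    @Override
    public UserDetails loadUserByUsername(String str) throws UsernameNotFoundException, DataAccessException {
        checkCreateFirstUser(str);
        CmfEntityManager em = new CmfEntityManager(this.emf);
        try {
            em.beginForRollbackAndReadonly();
            DbUser dbUser = em.findUserByName(str);
            if (dbUser == null) {
                throw new UsernameNotFoundException("User " + str + " not found");
            }
            String passwordHash = dbUser.getPasswordHash();
            long salt = dbUser.getPasswordSalt().longValue();
            // An account is treated as external when it does not log in with a local password.
            boolean isExternal = !dbUser.getPasswordLogin().booleanValue();
            boolean isInternal = dbUser.isInternal();
            if (!dbUser.hasRole(UserRole.ROLE_ADMIN) && !dbUser.hasRole(UserRole.ROLE_USER)) {
                for (Object assigned : dbUser.getImmutableAuthRole()) {
                    UserRole role = UserRole.valueOf(((DbAuthRole) assigned).getEffectiveUserRoleName());
                    if (!this.fm.hasFeature(role.getFeature())) {
                        String message = I18n.t("message.requireBasicUserRoleUpgradeOrRoleChange");
                        LOG.warn(message);
                        throw new AuthenticationServiceException(message);
                    }
                }
            }
            List<Instant> lastLogins = Collections.emptyList();
            if (!isInternal && isLastLoginEnabled(em)) {
                lastLogins = getLastNLogins(dbUser, em);
            }
            Map<AuthScope, Set<UserRole>> roles = getRoles(dbUser);
            return CMFUser.newBuilder()
                    .setUsername(str)
                    .setPasswordHash(passwordHash)
                    .setAuthorities(getAuthorities(roles))
                    .setSalt(salt)
                    .setIsExternal(isExternal)
                    .setIsInternal(isInternal)
                    .setRoles(roles)
                    .setLastNLogins(lastLogins)
                    .build();
        } finally {
            // Close on both the normal and the exceptional path.
            em.close();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Runs the first-user bootstrap for {@code str}, retrying once if the insert loses a race.
     *
     * @param str the username of the login attempt
     */
    @VisibleForTesting
    public void checkCreateFirstUser(String str) {
        internalCheckCreateFirstUser(str, true);
    }

    /**
     * Creates the initial {@code admin} account when the user table is empty.
     *
     * <p>Security note: when no {@code PASSWORD_HASH}/{@code PASSWORD_SALT} pair is configured,
     * the account is created through {@code addUser(em, str, str)}, i.e. with the username
     * passed as the third argument as well. This appears to give the bootstrap account a
     * password equal to its username; deployments should configure the hash and salt or change
     * the password immediately after first login.
     *
     * @param str the username of the login attempt; only {@code "admin"} may bootstrap
     * @param z whether to retry once when the transaction fails with a
     *     {@link ConstraintViolationException} somewhere in its cause chain (presumably a
     *     concurrent first login that created the user first)
     * @throws UsernameNotFoundException if the user table is empty and {@code str} is not
     *     {@code "admin"}
     */
    private void internalCheckCreateFirstUser(String str, boolean z) {
        CmfEntityManager em = new CmfEntityManager(this.emf);
        try {
            em.begin();
            if (em.isUsersEmpty()) {
                // Constant-first comparison: a null username is rejected like any other
                // non-admin name instead of raising a NullPointerException.
                if (!"admin".equals(str)) {
                    throw new UsernameNotFoundException("First user should be admin");
                }
                LOG.info("First user 'admin' logging in.");
                DbConfigContainerConfigProvider scmConfig = em.getScmConfigProvider();
                String configuredHash = (String) ScmHandler.getScmConfigValue(ScmParams.PASSWORD_HASH, scmConfig);
                Long configuredSalt = (Long) ScmHandler.getScmConfigValue(ScmParams.PASSWORD_SALT, scmConfig);
                this.om.assignUserRoles(
                        em,
                        (configuredHash == null || configuredSalt == null)
                                ? this.om.addUser(em, str, str)
                                : this.om.addUser(em, str, configuredHash, configuredSalt, true),
                        ImmutableSet.of(UserRole.ROLE_ADMIN));
            }
            em.commit();
        } catch (RuntimeException e) {
            em.rollback();
            if (z && hasConstraintViolation(e)) {
                // Release this entity manager before retrying with a fresh one, and make sure
                // the finally block does not close it a second time.
                em.close();
                em = null;
                internalCheckCreateFirstUser(str, false);
                return;
            }
            throw e;
        } finally {
            if (em != null) {
                em.close();
            }
        }
    }

    /** Returns whether {@code e} or any throwable in its cause chain is a constraint violation. */
    private static boolean hasConstraintViolation(RuntimeException e) {
        for (Object cause : ExceptionUtils.getThrowableList(e)) {
            if (cause instanceof ConstraintViolationException) {
                return true;
            }
        }
        return false;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** Returns the per-scope roles of {@code dbUser}; see {@link #getRoles(Set)}. */
    public static Map<AuthScope, Set<UserRole>> getRoles(DbUser dbUser) {
        return getRoles((Set<DbAuthRole>) dbUser.getImmutableAuthRole());
    }

    /**
     * Groups the effective {@link UserRole} of each given role by the scope it applies to.
     *
     * <p>A role is filed under the global scope when it is global, and also for each of its
     * scopes that has no cluster. A non-global role contributes one entry per scope, so a
     * non-global role without scopes contributes nothing.
     *
     * @param set the roles assigned to a user
     * @return roles keyed by scope; a view of an internal multimap
     */
    @SuppressWarnings("unchecked")
    public static Map<AuthScope, Set<UserRole>> getRoles(Set<DbAuthRole> set) {
        HashMultimap<AuthScope, UserRole> rolesByScope = HashMultimap.create();
        for (DbAuthRole dbAuthRole : set) {
            if (dbAuthRole.isGlobal()) {
                rolesByScope.put(AuthScope.global(), UserRole.valueOf(dbAuthRole.getEffectiveUserRoleName()));
                continue;
            }
            for (DbAuthScope dbAuthScope : dbAuthRole.getScopes()) {
                UserRole role = UserRole.valueOf(dbAuthRole.getEffectiveUserRoleName());
                // A scope without a cluster widens the grant to the global scope.
                AuthScope scope = dbAuthScope.getCluster() == null
                        ? AuthScope.global()
                        : AuthScope.cluster(dbAuthScope.getCluster().getName());
                rolesByScope.put(scope, role);
            }
        }
        // The values of a set multimap's asMap() view are Sets, which makes this cast safe.
        return (Map<AuthScope, Set<UserRole>>) (Map<?, ?>) rolesByScope.asMap();
    }

    /**
     * Expands each role into the authorities it carries (its {@code auth} strings), keeping the
     * scope the role was granted in.
     *
     * @param map roles keyed by scope
     * @return authorities keyed by scope
     */
    protected static Map<AuthScope, ? extends Collection<GrantedAuthority>> getAuthorities(Map<AuthScope, Set<UserRole>> map) {
        HashMultimap<AuthScope, GrantedAuthority> grantsByScope = HashMultimap.create();
        for (Map.Entry<AuthScope, Set<UserRole>> entry : map.entrySet()) {
            for (UserRole role : entry.getValue()) {
                grantsByScope.putAll(entry.getKey(), createAuthoritySet(role.auth));
            }
        }
        return grantsByScope.asMap();
    }

    /**
     * Returns the creation instants of the user's most recent allowed authentication audits,
     * limited to {@link #numLastLoginsReturned} entries from the last
     * {@link #LAST_LOGIN_LOOKBACK_DAYS} days.
     *
     * @param dbUser the user whose logins are looked up
     * @param cmfEntityManager entity manager providing the audit DAO
     * @return the instants in the order the DAO returns them
     */
    public static List<Instant> getLastNLogins(DbUser dbUser, CmfEntityManager cmfEntityManager) {
        long earliestMillis = new Instant().minus(Duration.standardDays(LAST_LOGIN_LOOKBACK_DAYS)).getMillis();
        List audits = cmfEntityManager.getAuditDao().getAudits(
                DbAuditDao.AuditParams.builder()
                        .setUser(dbUser)
                        .setAuditType(Enums.AuditType.AUTHENTICATION)
                        .setAllowed(true)
                        .setLimit(numLastLoginsReturned)
                        .setStartTime(earliestMillis)
                        .build());
        List<Instant> logins = Lists.newArrayList();
        for (Object audit : audits) {
            logins.add(((DbAudit) audit).getCreatedInstant());
        }
        return logins;
    }

    /**
     * Returns whether the given authorities include {@code ROLE_USER}.
     *
     * @param collection the authorities to inspect
     */
    public static boolean isAuthorized(Collection<? extends GrantedAuthority> collection) {
        return isAuthorized((Set<String>) AuthorityUtils.authorityListToSet(collection));
    }

    /** Returns whether the set of authority names contains {@code ROLE_USER}. */
    private static boolean isAuthorized(Set<String> set) {
        return set.contains(REQUIRED_AUTHORITY);
    }

    /**
     * Wraps each authority name in a {@link SimpleGrantedAuthority}.
     *
     * @param iterable authority names
     * @return an immutable set of the corresponding authorities
     */
    @VisibleForTesting
    public static Set<GrantedAuthority> createAuthoritySet(Iterable<String> iterable) {
        ImmutableSet.Builder<GrantedAuthority> builder = ImmutableSet.builder();
        for (String authority : iterable) {
            builder.add(new SimpleGrantedAuthority(authority));
        }
        return builder.build();
    }

    /**
     * Returns whether the {@code ENABLED_LAST_LOGIN} setting is on. A missing ({@code null})
     * value is treated as disabled rather than failing the login with a NullPointerException.
     */
    private boolean isLastLoginEnabled(CmfEntityManager cmfEntityManager) {
        return Boolean.TRUE.equals(ScmHandler.getScmConfigValue(ScmParams.ENABLED_LAST_LOGIN, cmfEntityManager.getScmConfigProvider()));
    }
}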
