package com.cloudera.server.web.cmf;

import com.cloudera.cmf.service.CommandUtils;
import com.cloudera.cmf.service.scm.ScmParamTrackerStore;
import com.cloudera.server.web.cmf.CMFUserDetailsService;
import com.google.common.base.Preconditions;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import javax.persistence.EntityManagerFactory;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.MessageSource;
import org.springframework.context.MessageSourceAware;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.support.BaseLdapPathContextSource;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.LdapUtils;
import org.springframework.security.ldap.SpringSecurityLdapTemplate;
import org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;

/* loaded from: input_file:com/cloudera/server/web/cmf/CmfLdapAuthenticationProvider.class */
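/**
 * Authentication provider that delegates credential checks to an LDAP directory or to
 * Active Directory through Spring Security's LDAP support.
 *
 * <p>Two modes exist, selected by the constructor used:
 * <ul>
 *   <li>Active Directory: wraps an {@link ActiveDirectoryLdapAuthenticationProvider}. In this
 *       mode {@code bindAuth} and {@code populator} are never assigned.</li>
 *   <li>Generic LDAP: wraps an {@link LdapAuthenticationProvider} built from a bind
 *       authenticator and a group (authority) populator.</li>
 * </ul>
 *
 * <p>The user name handled here comes straight from the login request and must be treated as
 * untrusted input, in particular when it is written to the log.
 */
public class CmfLdapAuthenticationProvider implements CmfAuthenticationProvider, MessageSourceAware, CmfUserLoader {
    private static final Logger LOG = LoggerFactory.getLogger(CmfLdapAuthenticationProvider.class);
    private AbstractLdapAuthenticationProvider ldapAuthProvider;
    private CmfLdapUserDetailsContextMapper ctxMapper = new CmfLdapUserDetailsContextMapper();
    // Only set by the generic-LDAP constructor; null in Active Directory mode.
    private CmfBindAuthenticator bindAuth;
    // Only set by the generic-LDAP constructor; null in Active Directory mode.
    private DefaultLdapAuthoritiesPopulator populator;

    /* loaded from: input_file:com/cloudera/server/web/cmf/CmfLdapAuthenticationProvider$CmfBindAuthenticator.class */
    /**
     * Bind authenticator that can also resolve a directory entry for a user name without
     * performing a bind, so user details can be loaded outside of a login.
     */
    private static class CmfBindAuthenticator extends BindAuthenticator {
        private final SpringSecurityLdapTemplate ldapTemplate;

        CmfBindAuthenticator(BaseLdapPathContextSource baseLdapPathContextSource) {
            super(baseLdapPathContextSource);
            this.ldapTemplate = new SpringSecurityLdapTemplate(getContextSource());
        }

        /**
         * Resolves the directory entry for a user name.
         *
         * <p>Each DN produced by the configured DN patterns is looked up in order and the first
         * non-null result wins; if none is found and a user search is configured, the search is
         * used as a fallback.
         *
         * @param str the user name to resolve
         * @return the user's directory context, or {@code null} when no DN pattern yields an
         *     entry and no user search is configured
         */
        public DirContextOperations getUser(String str) {
            DirContextOperations found = null;
            for (String userDn : getUserDns(str)) {
                found = this.ldapTemplate.lookupContext(userDn);
                if (found != null) {
                    break;
                }
            }
            if (found == null && getUserSearch() != null) {
                found = getUserSearch().searchForUser(str);
            }
            return found;
        }
    }

    /* loaded from: input_file:com/cloudera/server/web/cmf/CmfLdapAuthenticationProvider$LdapAuthUtils.class */
    /** Helpers for validating LDAP URLs and building the LDAP context source. */
    static class LdapAuthUtils {
        LdapAuthUtils() {
        }

        /**
         * Joins the non-blank URLs into one space-separated string after validating each one.
         *
         * <p>Every URL is passed to {@link LdapUtils#parseRootDnFromUrl(String)} purely as a
         * syntax check; the parsed value is discarded and a malformed URL is expected to make
         * that call throw. Null and blank entries are skipped.
         *
         * <p>NOTE(review): no URL scheme check is performed here, so a cleartext
         * {@code ldap://} URL is accepted. Whether {@code ldaps://} or StartTLS is enforced
         * elsewhere is not visible from this class; without one of them the bind DN, bind
         * password and user passwords cross the network unencrypted.
         *
         * @param list the configured LDAP URLs
         * @return the trimmed, validated URLs separated by single spaces; empty if none remain
         */
        static String combineAndVerifyUrls(List<String> list) {
            StringBuilder joined = new StringBuilder();
            for (String raw : list) {
                // isBlank also covers null, which previously caused a NullPointerException.
                if (StringUtils.isBlank(raw)) {
                    continue;
                }
                String url = raw.trim();
                LdapUtils.parseRootDnFromUrl(url);
                if (joined.length() > 0) {
                    joined.append(" ");
                }
                joined.append(url);
            }
            return joined.toString();
        }

        /**
         * Builds and initializes the LDAP context source used for binds and searches.
         *
         * @param list the LDAP server URLs
         * @param str the base DN appended to each URL; spaces are percent-encoded. A
         *     {@code null} value is treated as an empty base DN
         * @param str2 the DN to bind as for directory operations; ignored when empty
         * @param str3 the password for {@code str2}; ignored when empty. It is handed to the
         *     context source and never logged here
         * @return the initialized context source, with its base cleared so that later
         *     operations are given explicit DNs
         */
        static DefaultSpringSecurityContextSource buildLdapSecurityContextSource(List<String> list, String str, String str2, String str3) {
            // The generic-LDAP constructor treats a null or empty search base as "not configured",
            // so a null base DN must not fail here with a NullPointerException.
            String encodedBaseDn = str == null ? "" : str.replace(" ", "%20");
            DefaultSpringSecurityContextSource contextSource = new DefaultSpringSecurityContextSource(list, encodedBaseDn);
            if (!StringUtils.isEmpty(str2)) {
                contextSource.setUserDn(str2);
            }
            if (!StringUtils.isEmpty(str3)) {
                contextSource.setPassword(str3);
            }
            contextSource.setBase((String) null);
            contextSource.afterPropertiesSet();
            return contextSource;
        }
    }

    /**
     * Creates a provider that authenticates against Active Directory.
     *
     * @param str the Active Directory domain
     * @param list the LDAP URLs of the domain controllers; validated and joined with spaces
     */
    public CmfLdapAuthenticationProvider(String str, List<String> list) {
        this.ldapAuthProvider = new ActiveDirectoryLdapAuthenticationProvider(str, LdapAuthUtils.combineAndVerifyUrls(list));
        this.ldapAuthProvider.setUserDetailsContextMapper(this.ctxMapper);
    }

    /**
     * Creates a provider that authenticates against a generic LDAP directory by binding as
     * the user.
     *
     * @param list the LDAP server URLs
     * @param str the bind DN used for directory searches; optional
     * @param str2 the password for the bind DN; optional
     * @param str3 a DN pattern used to derive the user's DN from the user name; optional
     * @param str4 the user search base; also used as the base DN of the context source
     * @param str5 the user search filter; a user search is configured only when both
     *     {@code str4} and {@code str5} are non-empty
     * @param str6 the group search base; a default constant is used when {@code null}
     * @param str7 the group search filter; optional
     */
    public CmfLdapAuthenticationProvider(List<String> list, String str, String str2, String str3, String str4, String str5, String str6, String str7) {
        DefaultSpringSecurityContextSource contextSource = LdapAuthUtils.buildLdapSecurityContextSource(list, str4, str, str2);
        this.bindAuth = new CmfBindAuthenticator(contextSource);
        if (!StringUtils.isEmpty(str4) && !StringUtils.isEmpty(str5)) {
            this.bindAuth.setUserSearch(new FilterBasedLdapUserSearch(str4, str5, contextSource));
        }
        if (!StringUtils.isEmpty(str3)) {
            this.bindAuth.setUserDnPatterns(new String[]{str3});
        }
        // NOTE(review): CommandUtils.CONFIG_TOP_LEVEL_DIR looks like a decompiler-substituted
        // constant (presumably the empty string) - confirm its value.
        this.populator = new DefaultLdapAuthoritiesPopulator(contextSource, str6 != null ? str6 : CommandUtils.CONFIG_TOP_LEVEL_DIR);
        this.populator.setIgnorePartialResultException(true);
        if (!StringUtils.isEmpty(str7)) {
            this.populator.setGroupSearchFilter(str7);
        }
        this.populator.setSearchSubtree(true);
        // Group names are kept exactly as the directory returns them: no upper-casing and,
        // via the prefix set below, presumably no role prefix.
        this.populator.setConvertToUpperCase(false);
        this.populator.setRolePrefix(CommandUtils.CONFIG_TOP_LEVEL_DIR);
        this.ldapAuthProvider = new LdapAuthenticationProvider(this.bindAuth, this.populator);
        this.ldapAuthProvider.setUserDetailsContextMapper(this.ctxMapper);
    }

    /**
     * Loads a user's details and group memberships from the directory without authenticating.
     *
     * @param str the user name to load
     * @return the mapped user details together with the authorities found for the user
     * @throws IllegalStateException if this provider was built for Active Directory, where no
     *     bind authenticator or group populator exists
     */
    @Override // com.cloudera.server.web.cmf.CmfUserLoader
    public UserDetailsAndGroups loadUserByUsername(String str) {
        // Fail with a clear message instead of a NullPointerException in Active Directory mode.
        Preconditions.checkState(this.bindAuth != null && this.populator != null,
                "loadUserByUsername is only available when the provider is configured for generic LDAP bind authentication");
        // NOTE(review): getUser returns null when neither a DN pattern nor a user search
        // resolves the name; how the populator and mapper treat a null context is not visible here.
        DirContextOperations user = this.bindAuth.getUser(str);
        Collection<? extends GrantedAuthority> grantedAuthorities = this.populator.getGrantedAuthorities(user, str);
        LOG.debug("Loaded groups: {}", grantedAuthorities);
        return new UserDetailsAndGroups(this.ctxMapper.mapUserFromContext(user, str, grantedAuthorities), grantedAuthorities);
    }

    /** Passes the persistence and mapping collaborators on to the user-details context mapper. */
    @Override // com.cloudera.server.web.cmf.CmfAuthenticationProvider
    public void initialize(EntityManagerFactory entityManagerFactory, UserMapper userMapper, ScmParamTrackerStore scmParamTrackerStore) {
        this.ctxMapper.initialize(entityManagerFactory, userMapper, scmParamTrackerStore);
    }

    /**
     * Authenticates the supplied credentials against LDAP/AD.
     *
     * <p>Principals whose name starts with {@code __cloudera_internal_user__} are rejected
     * before the directory is contacted. The comparison is an exact, case-sensitive prefix match.
     *
     * @param authentication the authentication request carrying the user name and credentials
     * @return a token wrapping the authenticated user, carrying the delegate's details
     * @throws AuthenticationException if the directory rejects the credentials (rethrown as
     *     is), or an {@link AuthenticationServiceException} for internal users and for any
     *     other failure
     */
    @Override // com.cloudera.server.web.cmf.CmfAuthenticationProvider
    /* renamed from: authenticate */
    public CmfUsernamePasswordAuthenticationToken mo1814authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getPrincipal().toString();
        if (username.startsWith("__cloudera_internal_user__")) {
            throw new AuthenticationServiceException("Internal Management Users cannot be externally authenticated.");
        }
        try {
            Authentication delegateResult = this.ldapAuthProvider.authenticate(authentication);
            Object principal = delegateResult.getPrincipal();
            Preconditions.checkState(principal instanceof CMFUserDetailsService.CMFUser);
            CmfUsernamePasswordAuthenticationToken token = new CmfUsernamePasswordAuthenticationToken((CMFUserDetailsService.CMFUser) principal);
            token.setDetails(delegateResult.getDetails());
            return token;
        } catch (AuthenticationException e) {
            // The user name is attacker-controlled: neutralize line breaks so a crafted name
            // cannot forge additional log entries.
            LOG.info("LDAP/AD authentication failure for {}", sanitizeForLog(username));
            LOG.error("LDAP/AD authentication failed", e);
            throw e;
        } catch (Exception e2) {
            // Keep the cause in the server log only; the caller sees a generic message.
            LOG.error("LDAP/AD authentication failed", e2);
            throw new AuthenticationServiceException("Failed to sign in. See server log for more details.", e2);
        }
    }

    /** Reports whether the wrapped LDAP/AD provider supports the given authentication type. */
    public boolean supports(Class<?> cls) {
        return this.ldapAuthProvider.supports(cls);
    }

    /** Forwards the message source to the wrapped LDAP/AD provider. */
    public void setMessageSource(MessageSource messageSource) {
        this.ldapAuthProvider.setMessageSource(messageSource);
    }

    /** Replaces carriage returns and line feeds so the value stays on a single log line. */
    private static String sanitizeForLog(String value) {
        if (value == null) {
            return null;
        }
        return value.replace('\r', '_').replace('\n', '_');
    }
}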
