package com.cloudera.nav.auth;

import com.cloudera.nav.AuditLogger;
import com.cloudera.nav.audit.AuditEventType;
import com.cloudera.nav.audit.AuditMessage;
import com.cloudera.nav.audit.message.model.AuditDetailMessage;
import com.cloudera.nav.server.NavOptions;
import com.cloudera.nav.ssl.TrustManagerProvider;
import com.google.common.base.Optional;
import com.google.common.base.Strings;
import com.google.common.collect.Lists;
import java.util.LinkedList;
import javax.inject.Inject;
import javax.sql.DataSource;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.saml.SAMLAuthenticationProvider;
import org.springframework.security.saml.SAMLAuthenticationToken;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

/* loaded from: input_file:com/cloudera/nav/auth/DelegatingNavAuthProvider.class */
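/**
 * Authentication provider that delegates to a lazily built {@link ProviderManager} and
 * writes an audit event for each authentication result.
 *
 * <p>The delegate chain is assembled from {@link NavOptions#getAuthBackendOrder()} and
 * {@link NavOptions#getExternalAuthType()}: the CM provider, one external provider
 * (LDAP, Active Directory or SAML), or both in the configured order.
 *
 * <p>NOTE(review): {@link #authenticate(Authentication)} is {@code synchronized}, so calls on
 * one instance are serialized for the whole delegate call, not only for the lazy
 * initialisation. A slow backend therefore delays every other login. Confirm that the
 * delegate providers are thread-safe before narrowing the lock.
 */
public class DelegatingNavAuthProvider implements AuthenticationProvider {
    private static final Logger LOG = LoggerFactory.getLogger(DelegatingNavAuthProvider.class);

    // Built on first use; only touched inside the synchronized authenticate() method.
    private ProviderManager providerManager;

    @Inject
    private NavOptions navOptions;

    @Inject
    private DataSource dataSource;

    @Inject
    private SAMLAuthenticationProvider samlAuthenticationProvider;

    @Inject
    TrustManagerProvider trustManagerProvider;

    /**
     * Authenticates the request through the configured provider chain and audits the result.
     *
     * <p>The success audit event is written before the result is returned, inside the
     * {@code try} block. An unexpected failure while writing it is therefore reported as an
     * {@link AuthenticationServiceException}, and no authenticated token is returned without
     * that audit call having completed.
     *
     * @param authentication the authentication request
     * @return the token returned by the delegate {@link ProviderManager}
     * @throws AuthenticationException if the chain rejects the request, or (as
     *     {@link AuthenticationServiceException}) if any other exception is raised
     */
    @Override
    public synchronized Authentication authenticate(Authentication authentication) throws AuthenticationException {
        try {
            if (this.providerManager == null) {
                this.providerManager = getProviderManager();
            }
            Authentication result = this.providerManager.authenticate(authentication);
            generateAudit(authentication, true);
            return result;
        } catch (AuthenticationException e) {
            // The rejection must reach the caller as the original AuthenticationException.
            // Without this guard, an exception raised while auditing would replace it with
            // an unrelated runtime exception.
            try {
                generateAudit(authentication, false);
            } catch (RuntimeException auditFailure) {
                e.addSuppressed(auditFailure);
                LOG.error("Failed to write the audit event for a rejected authentication.", auditFailure);
            }
            throw e;
        } catch (Exception e2) {
            LOG.error("External Authentication Service threw exception during authentication process.", e2);
            throw new AuthenticationServiceException("External Authentication Service threw exception during authentication process.", e2);
        }
    }

    /**
     * Writes an AUTHENTICATION audit event for the given request.
     *
     * <p>No event is written when the request has no remote address or when its principal is
     * not a non-empty {@link String}. NOTE(review): this means such attempts, including
     * failed ones, leave no audit record here. Confirm that this is intended.
     *
     * @param authentication the request that was authenticated or rejected
     * @param success {@code true} for a successful authentication, {@code false} for a failure
     */
    private void generateAudit(Authentication authentication, boolean success) {
        // Type-check instead of casting blindly: a principal that is not a String is treated
        // like a missing name rather than raising ClassCastException during authentication.
        Object principal = authentication.getPrincipal();
        String username = principal instanceof String ? (String) principal : null;
        Optional<String> ipAddress = getIpAddress(authentication);
        if (!ipAddress.isPresent() || Strings.emptyToNull(username) == null) {
            // Deliberately logs no request data; the principal is caller-supplied text.
            LOG.debug("Skipping authentication audit event: remote address or principal name is not available.");
            return;
        }
        AuditMessage auditMessage = new AuditMessage(
                AuditEventType.AUTHENTICATION,
                success ? "authenticationSuccess" : "authenticationFailed",
                "",
                "",
                ipAddress.get(),
                (AuditDetailMessage) null,
                String.valueOf(success));
        // NOTE(review): username is caller-supplied; presumably AuditLogger encodes it safely
        // for the audit sink. Verify against AuditLogger.
        auditMessage.setUsername(username);
        AuditLogger.log(auditMessage);
    }

    /**
     * Returns the remote address recorded in the request details.
     *
     * @param authentication the authentication request
     * @return the remote address, or absent when the details are missing, are not
     *     {@link WebAuthenticationDetails}, or carry no address
     */
    private Optional<String> getIpAddress(Authentication authentication) {
        Object details = authentication.getDetails();
        if (!(details instanceof WebAuthenticationDetails)) {
            return Optional.absent();
        }
        return Optional.fromNullable(((WebAuthenticationDetails) details).getRemoteAddress());
    }

    /**
     * Builds the delegate chain in the order given by {@link NavOptions#getAuthBackendOrder()}.
     *
     * @return a {@link ProviderManager} holding the configured providers
     * @throws AuthenticationServiceException if the configured order is not one of the
     *     four handled values (this includes {@code null})
     */
    private ProviderManager getProviderManager() {
        LinkedList<AuthenticationProvider> providers = Lists.newLinkedList();
        NavOptions.AuthBackendOrder authBackendOrder = this.navOptions.getAuthBackendOrder();
        CmAuthenticationProvider cmAuthenticationProvider = new CmAuthenticationProvider(this.navOptions, this.dataSource, this.trustManagerProvider);
        // equals() on the constant keeps a null order on the "invalid" path instead of an NPE.
        if (NavOptions.AuthBackendOrder.CM_ONLY.equals(authBackendOrder)) {
            providers.add(cmAuthenticationProvider);
        } else if (NavOptions.AuthBackendOrder.EXTERNAL_ONLY.equals(authBackendOrder)) {
            providers.add(getExternalAuthProvider());
        } else if (NavOptions.AuthBackendOrder.EXTERNAL_THEN_CM.equals(authBackendOrder)) {
            providers.add(getExternalAuthProvider());
            providers.add(cmAuthenticationProvider);
        } else if (NavOptions.AuthBackendOrder.CM_THEN_EXTERNAL.equals(authBackendOrder)) {
            providers.add(cmAuthenticationProvider);
            providers.add(getExternalAuthProvider());
        } else {
            throw new AuthenticationServiceException("Invalid authentication order: " + authBackendOrder);
        }
        return new ProviderManager(providers);
    }

    /**
     * Selects the external provider named by {@link NavOptions#getExternalAuthType()}.
     *
     * @return a new LDAP or Active Directory provider, or the injected SAML provider
     * @throws AuthenticationServiceException if the configured type is not handled
     */
    private AuthenticationProvider getExternalAuthProvider() {
        NavOptions.ExternalAuthType externalAuthType = this.navOptions.getExternalAuthType();
        if (NavOptions.ExternalAuthType.LDAP.equals(externalAuthType)) {
            return new LdapAuthenticationProvider(this.navOptions, this.dataSource);
        }
        if (NavOptions.ExternalAuthType.ACTIVE_DIRECTORY.equals(externalAuthType)) {
            return new ActiveDirectoryAuthenticationProvider(this.navOptions, this.dataSource);
        }
        if (NavOptions.ExternalAuthType.SAML.equals(externalAuthType)) {
            return this.samlAuthenticationProvider;
        }
        throw new AuthenticationServiceException("Invalid external authentication type: " + externalAuthType);
    }

    /**
     * Reports which token classes this provider accepts.
     *
     * @param cls the authentication token class
     * @return {@code true} only for exactly {@link UsernamePasswordAuthenticationToken} or
     *     {@link SAMLAuthenticationToken}; subclasses are not matched
     */
    @Override
    public boolean supports(Class<?> cls) {
        return cls == UsernamePasswordAuthenticationToken.class || cls == SAMLAuthenticationToken.class;
    }
}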
