package com.cloudera.nav.auth;

import com.cloudera.api.model.ApiAuthRoleRef;
import com.cloudera.nav.auth.model.UserRole;
import com.cloudera.nav.cm.CmApiClient;
import com.cloudera.nav.persistence.relational.dao.RoleDAO;
import com.cloudera.nav.persistence.relational.dao.impl.RoleDAOImpl;
import com.cloudera.nav.server.NavOptions;
import com.cloudera.nav.ssl.TrustManagerProvider;
import com.google.common.base.Preconditions;
import com.google.common.base.Throwables;
import com.google.common.collect.ImmutableList;
import java.io.IOException;
import java.util.Set;
import javax.sql.DataSource;
import javax.ws.rs.ClientErrorException;
import javax.ws.rs.NotAuthorizedException;
import org.apache.commons.io.IOUtils;
import org.apache.cxf.interceptor.Fault;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/* loaded from: input_file:com/cloudera/nav/auth/CmAuthenticationProvider.class */
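/**
 * Spring Security {@link AuthenticationProvider} that validates a username/password pair
 * against the Cloudera Manager (CM) API and, when the CM account carries an administrative
 * CM role, signs the user in with {@link UserRole#ROLE_FULL_ADMINISTRATOR}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Every successful login through this provider yields full-administrator authority;
 *       there is no mapping to lesser roles in this class.</li>
 *   <li>The submitted password is forwarded to CM on each attempt and is also stored in the
 *       returned principal and token. NOTE(review): confirm that credentials are erased
 *       after authentication by the surrounding Spring Security configuration.</li>
 *   <li>Rejected logins are logged at DEBUG only. NOTE(review): consider whether failed
 *       administrator logins need an audit record at a level that is enabled in production.</li>
 * </ul>
 */
public class CmAuthenticationProvider implements AuthenticationProvider {
    private static final Logger LOG = LoggerFactory.getLogger(CmAuthenticationProvider.class);

    /** CM role names that are accepted as proof of Navigator administrator privilege. */
    private static final String CM_ROLE_ADMIN = "ROLE_ADMIN";
    private static final String CM_ROLE_NAVIGATOR_ADMIN = "ROLE_NAVIGATOR_ADMIN";

    private final NavOptions options;
    private final RoleDAO roleDAO;
    private final TrustManagerProvider trustManagerProvider;

    /**
     * @param navOptions source of the CM URL used for every authentication attempt
     * @param dataSource backing store for the {@link RoleDAO} that resolves the admin role
     * @param trustManagerProvider handed unchanged to each {@link CmApiClient}
     */
    public CmAuthenticationProvider(NavOptions navOptions, DataSource dataSource, TrustManagerProvider trustManagerProvider) {
        this.options = navOptions;
        this.roleDAO = new RoleDAOImpl(dataSource);
        this.trustManagerProvider = trustManagerProvider;
    }

    /**
     * Authenticates the caller against CM and returns a fully privileged token on success.
     *
     * @param authentication request carrying the username and password
     * @return an authenticated token whose principal is a {@link NavigatorUser} with
     *         full-administrator authorities
     * @throws AuthenticationException if credentials are missing, CM rejects the user, the
     *         user lacks an accepted CM role, or CM cannot be reached
     * @throws ClientErrorException if CM answers with a client error that is not caused by
     *         an I/O failure (rethrown unchanged, as before)
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String name = authentication.getName();
        Object credentials = authentication.getCredentials();
        if (credentials == null) {
            // Previously this dereferenced null and escaped as a NullPointerException;
            // a missing password is an authentication failure, not a server fault.
            throw new AuthenticationServiceException("CM authentication failed for user: " + name);
        }
        String obj = credentials.toString();
        String cmUrl = this.options.getCmUrl();
        try {
            if (!isValidCmUser(cmUrl, name, obj)) {
                throw new AuthenticationServiceException("CM authentication failed for user: " + name);
            }
            LOG.debug("User {} is a valid CM user with Navigator admin privilege.", name);
            // The plaintext password travels with the principal and the token from here on.
            NavigatorUser navigatorUser = new NavigatorUser(name, obj, true, true, true, true, UserRole.ROLE_FULL_ADMINISTRATOR.getGrantedAuthorities());
            navigatorUser.setRoles(ImmutableList.of(this.roleDAO.getRole(UserRole.ROLE_FULL_ADMINISTRATOR.getName())));
            return new UsernamePasswordAuthenticationToken(navigatorUser, obj, UserRole.ROLE_FULL_ADMINISTRATOR.getGrantedAuthorities());
        } catch (ClientErrorException e) {
            // A Fault wrapping an IOException is treated as "CM unreachable".
            if ((e.getCause() instanceof Fault) && (e.getCause().getCause() instanceof IOException)) {
                throw new AuthenticationServiceException("Unable to connect to url: " + cmUrl, e);
            }
            // NOTE(review): any other client error leaves this method as a
            // non-AuthenticationException; confirm callers handle that.
            throw e;
        } catch (IOException e2) {
            throw new AuthenticationServiceException("Unable to connect to url: " + cmUrl, e2);
        }
    }

    /**
     * Accepts exactly {@link UsernamePasswordAuthenticationToken}; subclasses are not matched.
     */
    @Override
    public boolean supports(Class<?> cls) {
        return cls == UsernamePasswordAuthenticationToken.class;
    }

    /**
     * Asks CM, using the caller's own credentials, for the caller's user record and checks
     * whether it holds one of the accepted administrative roles.
     *
     * @param str CM base URL; must not be null
     * @param str2 username, used both to authenticate to CM and as the record to look up
     * @param str3 password presented to CM
     * @return {@code true} if CM returns the user with an accepted role; {@code false} if CM
     *         answers "not authorized" or the user has no accepted role
     * @throws IOException declared for callers; failures raised inside the CM call are
     *         rethrown through {@link Throwables#propagate(Throwable)}, so checked ones
     *         arrive wrapped in a {@link RuntimeException}
     * @throws IllegalStateException if {@code str} is null
     */
    private boolean isValidCmUser(String str, String str2, String str3) throws IOException {
        Preconditions.checkState(str != null, "CM URL is not configured");
        // NOTE(review): the purpose of the empty fourth argument is not visible in this file.
        CmApiClient cmApiClient = new CmApiClient(str, str2, str3, "", this.trustManagerProvider);
        try {
            Set<ApiAuthRoleRef> authRoles = cmApiClient.getUser(str2).getAuthRoles();
            if (authRoles == null) {
                return false;
            }
            for (ApiAuthRoleRef apiAuthRoleRef : authRoles) {
                String roleName = apiAuthRoleRef.getName();
                LOG.debug("CM user {} has {} role.", str2, roleName);
                // Constant-first comparison: a role without a name is skipped instead of
                // aborting the login with a NullPointerException.
                if (CM_ROLE_ADMIN.equals(roleName) || CM_ROLE_NAVIGATOR_ADMIN.equals(roleName)) {
                    return true;
                }
            }
            return false;
        } catch (NotAuthorizedException e) {
            // Must precede the generic handler: with the broader catch first this branch
            // is unreachable and bad credentials are reported as an unknown error.
            LOG.debug("Authorization error when calling CM api", e);
            return false;
        } catch (Exception e) {
            LOG.debug("Unknown error when calling CM api", e);
            throw Throwables.propagate(e);
        } finally {
            // Single release point for the client on every exit path.
            IOUtils.closeQuietly(cmApiClient);
        }
    }
}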
