package org.apache.atlas.web.security;

import java.util.List;
import java.util.Properties;
import javax.annotation.PostConstruct;
import org.apache.atlas.ApplicationProperties;
import org.apache.atlas.web.model.User;
import org.apache.commons.configuration.Configuration;
import org.apache.commons.configuration.ConfigurationConverter;
import org.apache.http.cookie.ClientCookie;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.stereotype.Component;

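/**
 * Authenticates users against Active Directory.
 *
 * <p>Two strategies are attempted in order. First, an LDAP bind using the configured
 * service account ({@code bind.dn} / {@code bind.password}) locates the user with
 * {@code user.searchfilter} under {@code base.dn} and binds as that user. If that yields
 * no authenticated result, Spring's {@link ActiveDirectoryLdapAuthenticationProvider}
 * is tried with the configured {@code domain} and {@code url}. Connection settings are
 * read once, in {@link #setup()}, from the {@code atlas.authentication.method.ldap.ad.*}
 * properties.
 *
 * <p>Only a non-null, authenticated result is ever returned from
 * {@link #authenticate(Authentication)}; anything else is rejected with an
 * {@link AtlasAuthenticationException}.
 */
@Component
/* loaded from: input_file:WEB-INF/lib/atlas-webapp-1.1.0.jar:org/apache/atlas/web/security/AtlasADAuthenticationProvider.class */
public class AtlasADAuthenticationProvider extends AtlasAbstractAuthenticationProvider {
    private static final Logger LOG = LoggerFactory.getLogger(AtlasADAuthenticationProvider.class);

    /** Configuration prefix under which every AD property below is read. */
    private static final String AD_PROPERTY_PREFIX = "atlas.authentication.method.ldap.ad";
    /** Search filter applied when {@code user.searchfilter} is unset or blank. */
    private static final String DEFAULT_USER_SEARCH_FILTER = "(sAMAccountName={0})";

    private String adURL;
    private String adDomain;
    private String adBindDN;
    private String adBindPassword;
    private String adUserSearchFilter;
    private String adBase;
    private String adReferral;
    // Read from configuration and echoed in the debug line; not otherwise used in this class.
    private String adDefaultRole;
    // When true, group authorities are taken from UGI instead of the LDAP result.
    private boolean groupsFromUGI;

    /** Loads the AD connection settings once the bean has been constructed. */
    @PostConstruct
    public void setup() {
        setADProperties();
    }

    /**
     * Authenticates the supplied token against Active Directory.
     *
     * @param authentication the username/password token to verify
     * @return an authenticated {@link Authentication}
     * @throws AtlasAuthenticationException if neither the bind-based nor the
     *         domain-based strategy produced an authenticated result
     */
    @Override
    public Authentication authenticate(Authentication authentication) {
        Authentication result = getADBindAuthentication(authentication);
        if (isAuthenticated(result)) {
            return result;
        }
        result = getADAuthentication(authentication);
        // Reject a non-null but unauthenticated token too: the earlier check only threw on
        // null, which let such a token escape as though authentication had succeeded.
        if (!isAuthenticated(result)) {
            throw new AtlasAuthenticationException("AD Authentication Failed");
        }
        return result;
    }

    /**
     * Authenticates via a service-account bind: the bind DN looks the user up with the
     * configured search filter, then a bind as the located user verifies the password.
     *
     * @return the authenticated token, or {@code null} if the input is blank or any step fails
     */
    private Authentication getADBindAuthentication(Authentication authentication) {
        try {
            String userName = authentication.getName();
            String userPassword = credentialsOf(authentication);
            // Validate before building any LDAP plumbing; nothing below can succeed without both.
            if (isBlank(userName) || isBlank(userPassword)) {
                LOG.error("AD Authentication Failed userName or userPassword is null or empty");
                return null;
            }

            // NOTE(review): a new pooled context source is created per authentication attempt;
            // this mirrors the original and could be hoisted into setup() if it proves costly.
            DefaultSpringSecurityContextSource contextSource = new DefaultSpringSecurityContextSource(this.adURL);
            contextSource.setUserDn(this.adBindDN);
            contextSource.setPassword(this.adBindPassword);
            contextSource.setReferral(this.adReferral);
            contextSource.setCacheEnvironmentProperties(true);
            contextSource.setAnonymousReadOnly(false);
            contextSource.setPooled(true);
            contextSource.afterPropertiesSet();

            FilterBasedLdapUserSearch userSearch = new FilterBasedLdapUserSearch(this.adBase, this.adUserSearchFilter, contextSource);
            userSearch.setSearchSubtree(true);

            BindAuthenticator bindAuthenticator = new BindAuthenticator(contextSource);
            bindAuthenticator.setUserSearch(userSearch);
            bindAuthenticator.afterPropertiesSet();

            LdapAuthenticationProvider provider = new LdapAuthenticationProvider(bindAuthenticator);
            return applyUgiGroups(provider.authenticate(buildToken(userName, userPassword)));
        } catch (Exception e) {
            // A failure here is not final: authenticate() falls through to the domain-based strategy.
            LOG.error("AD Authentication Failed:", e);
            return null;
        }
    }

    /**
     * Authenticates via Spring's Active Directory provider using the configured domain and URL.
     *
     * @return the authenticated token, or {@code null} if the input is blank or any step fails
     */
    private Authentication getADAuthentication(Authentication authentication) {
        try {
            String userName = authentication.getName();
            String userPassword = credentialsOf(authentication);
            if (isBlank(userName) || isBlank(userPassword)) {
                LOG.error("AD Authentication Failed userName or userPassword is null or empty");
                return null;
            }

            ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider(this.adDomain, this.adURL);
            provider.setConvertSubErrorCodesToExceptions(true);
            provider.setUseAuthenticationRequestCredentials(true);
            provider.setSearchFilter(this.adUserSearchFilter);
            return applyUgiGroups(provider.authenticate(buildToken(userName, userPassword)));
        } catch (Exception e) {
            LOG.error("AD Authentication Failed:", e);
            return null;
        }
    }

    /**
     * Builds the token handed to the LDAP providers: a {@link User} principal carrying the
     * authorities resolved for {@code userName}, with the raw password as credentials.
     */
    private UsernamePasswordAuthenticationToken buildToken(String userName, String userPassword) {
        List<GrantedAuthority> authorities = getAuthorities(userName);
        return new UsernamePasswordAuthenticationToken(new User(userName, userPassword, authorities), userPassword, authorities);
    }

    /** Replaces the granted authorities with UGI-derived groups when so configured. */
    private Authentication applyUgiGroups(Authentication authenticated) {
        return this.groupsFromUGI ? getAuthenticationWithGrantedAuthorityFromUGI(authenticated) : authenticated;
    }

    /** Returns the token's credentials as a string, or {@code ""} when none are present. */
    private static String credentialsOf(Authentication authentication) {
        Object credentials = authentication.getCredentials();
        return credentials != null ? credentials.toString() : "";
    }

    private static boolean isAuthenticated(Authentication auth) {
        return auth != null && auth.isAuthenticated();
    }

    private static boolean isBlank(String value) {
        return value == null || value.trim().isEmpty();
    }

    /**
     * Reads the {@code atlas.authentication.method.ldap.ad.*} settings into the fields above.
     *
     * <p>Errors are logged rather than propagated so bean construction completes; the
     * fields are then left null and later authentication attempts presumably fail in the
     * catch blocks above and are rejected by {@link #authenticate(Authentication)}.
     */
    private void setADProperties() {
        try {
            Configuration configuration = ApplicationProperties.get();
            Properties properties = ConfigurationConverter.getProperties(configuration.subset(AD_PROPERTY_PREFIX));
            this.adDomain = properties.getProperty("domain");
            this.adURL = properties.getProperty("url");
            this.adBindDN = properties.getProperty("bind.dn");
            this.adBindPassword = properties.getProperty("bind.password");
            String searchFilter = properties.getProperty("user.searchfilter");
            this.adUserSearchFilter = isBlank(searchFilter) ? DEFAULT_USER_SEARCH_FILTER : searchFilter;
            this.adBase = properties.getProperty("base.dn");
            this.adReferral = properties.getProperty("referral");
            this.adDefaultRole = properties.getProperty("default.role");
            // Read from the unprefixed configuration, not the AD subset.
            this.groupsFromUGI = configuration.getBoolean("atlas.authentication.method.ldap.ugi-groups", true);
            if (LOG.isDebugEnabled()) {
                // The bind password is deliberately left out of this line.
                LOG.debug("AtlasADAuthenticationProvider{adURL='" + this.adURL + "', adDomain='" + this.adDomain + "', adBindDN='" + this.adBindDN + "', adUserSearchFilter='" + this.adUserSearchFilter + "', adBase='" + this.adBase + "', adReferral='" + this.adReferral + "', adDefaultRole='" + this.adDefaultRole + "', groupsFromUGI=" + this.groupsFromUGI + '}');
            }
        } catch (Exception e) {
            LOG.error("Exception while setADProperties", e);
        }
    }
}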
