package org.apache.atlas.web.security;

import java.util.List;
import java.util.Properties;
import javax.annotation.PostConstruct;
import org.apache.atlas.ApplicationProperties;
import org.apache.atlas.web.model.User;
import org.apache.commons.configuration.Configuration;
import org.apache.commons.configuration.ConfigurationConverter;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.fs.CommonConfigurationKeys;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
import org.springframework.stereotype.Component;

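/**
 * Spring Security provider that authenticates Atlas users against an LDAP directory.
 *
 * <p>{@link #authenticate(Authentication)} tries two strategies in order: a search-then-bind
 * using the configured service account ({@code bind.dn} / {@code bind.password}) and, when that
 * does not yield an authenticated token, a direct bind with the DN built from
 * {@code userDNpattern}. Neither strategy propagates a failed login: both log the failure and
 * hand back the caller's token unchanged, so consumers must test
 * {@link Authentication#isAuthenticated()} on the result rather than treat a non-null return as
 * success.
 *
 * <p>Configuration is read once in {@link #setup()}; the fields are not re-read afterwards.
 */
@Component
/* loaded from: input_file:WEB-INF/lib/atlas-webapp-1.1.0.jar:org/apache/atlas/web/security/AtlasLdapAuthenticationProvider.class */
public class AtlasLdapAuthenticationProvider extends AtlasAbstractAuthenticationProvider {
    private static final Logger LOG = LoggerFactory.getLogger(AtlasLdapAuthenticationProvider.class);

    /** User search filter applied when {@code user.searchfilter} is not configured; {0} is the login name. */
    private static final String DEFAULT_USER_SEARCH_FILTER = "(uid={0})";

    /** Separator between alternative DN patterns in {@code userDNpattern} (used by the direct-bind path). */
    private static final String USER_DN_PATTERN_SEPARATOR = ";";

    // Snapshot of the logger level taken at construction; a later level change is not picked up here.
    private final boolean isDebugEnabled = LOG.isDebugEnabled();

    // All values below are read from the LDAP_AUTH_METHOD subset of the application configuration
    // in setLdapProperties(); the property key for each is noted there.
    private String ldapURL;
    private String ldapUserDNPattern;
    private String ldapGroupSearchBase;
    private String ldapGroupSearchFilter;
    private String ldapGroupRoleAttribute;
    private String ldapBindDN;
    private String ldapBindPassword;
    private String ldapDefaultRole;     // only echoed in the debug dump; not consulted by this class
    private String ldapUserSearchFilter;
    private String ldapReferral;
    private String ldapBase;
    private boolean groupsFromUGI;

    /** Loads the LDAP settings once the bean has been constructed. */
    @PostConstruct
    public void setup() {
        setLdapProperties();
    }

    /**
     * Authenticates {@code authentication}: search-then-bind first, then a direct DN-pattern bind
     * if the first strategy did not return an authenticated token.
     *
     * @param authentication token whose name is the login and whose credentials are the password
     * @return the token produced by the first strategy that authenticated, otherwise the last
     *         strategy's result (normally the unauthenticated input token; null only if a strategy
     *         itself returned null)
     * @throws AtlasAuthenticationException wrapping any exception that escapes the two strategies
     */
    @Override // org.springframework.security.authentication.AuthenticationProvider
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        try {
            Authentication result = getLdapBindAuthentication(authentication);
            if (result != null && result.isAuthenticated()) {
                return result;
            }
            // Fall back to binding directly as the user with the configured DN pattern(s).
            return getLdapAuthentication(result);
        } catch (Exception e) {
            // Keep e itself as the cause: e.getCause() is frequently null, which discarded the stack trace.
            throw new AtlasAuthenticationException(e.getMessage(), e);
        }
    }

    /**
     * Search-then-bind: locates the user entry with the service account and the user search filter,
     * then binds as that entry. Authorities come from the LDAP group search and, when
     * {@code ugi-groups} is enabled, from UGI as well.
     *
     * @param authentication token to authenticate
     * @return the authenticated token, or {@code authentication} unchanged when the credentials are
     *         missing or the LDAP step fails (the failure is logged, not thrown, so the caller can try
     *         the DN-pattern path)
     */
    private Authentication getLdapBindAuthentication(Authentication authentication) {
        if (isDebugEnabled) {
            LOG.debug("==> AtlasLdapAuthenticationProvider getLdapBindAuthentication");
        }
        try {
            String userName = authentication.getName();
            String userPassword = extractCredentials(authentication);

            // Checked before any directory access: a simple bind with an empty password can be
            // treated as an unauthenticated bind by the server, so it must never reach the bind.
            if (StringUtils.isBlank(userName) || StringUtils.isBlank(userPassword)) {
                LOG.error("LDAP Authentication::userName or userPassword is null or empty for userName " + userName);
                return authentication;
            }

            LdapContextSource contextSource = getLdapContextSource();
            DefaultLdapAuthoritiesPopulator authoritiesPopulator = getDefaultLdapAuthoritiesPopulator(contextSource);

            // Normally already defaulted in setLdapProperties(); resolved locally (not written back to
            // the field) for instances whose setup() never ran.
            String userSearchFilter = StringUtils.isBlank(ldapUserSearchFilter) ? DEFAULT_USER_SEARCH_FILTER : ldapUserSearchFilter;
            FilterBasedLdapUserSearch userSearch = new FilterBasedLdapUserSearch(ldapBase, userSearchFilter, contextSource);
            userSearch.setSearchSubtree(true);

            LdapAuthenticationProvider provider = new LdapAuthenticationProvider(getBindAuthenticator(userSearch, contextSource), authoritiesPopulator);

            Authentication result = provider.authenticate(newUsernamePasswordToken(userName, userPassword));
            if (groupsFromUGI) {
                result = getAuthenticationWithGrantedAuthorityFromUGI(result);
            }
            return result;
        } catch (Exception e) {
            // Same contract as getLdapAuthentication(): log and hand the input back unauthenticated.
            LOG.error(" getLdapBindAuthentication LDAP Authentication Failed:", e);
            return authentication;
        } finally {
            if (isDebugEnabled) {
                LOG.debug("<== AtlasLdapAuthenticationProvider getLdapBindAuthentication");
            }
        }
    }

    /**
     * Direct bind: builds the user DN from {@code userDNpattern} (several patterns may be given,
     * separated by ";") and binds with the supplied password. Group lookup, when configured, runs on
     * an anonymous read-only context rather than with the service account.
     *
     * @param authentication token to authenticate
     * @return the authenticated token, or {@code authentication} unchanged when the credentials or the
     *         DN pattern are missing or the LDAP step fails (the failure is logged, not thrown)
     */
    private Authentication getLdapAuthentication(Authentication authentication) {
        if (isDebugEnabled) {
            LOG.debug("==> AtlasLdapAuthenticationProvider getLdapAuthentication");
        }
        try {
            String userName = authentication.getName();
            String userPassword = extractCredentials(authentication);

            if (StringUtils.isBlank(userName) || StringUtils.isBlank(userPassword)) {
                return authentication;
            }
            if (StringUtils.isBlank(ldapUserDNPattern)) {
                // Previously surfaced only as a NullPointerException from split(); name the misconfiguration.
                LOG.error("LDAP Authentication::userDNpattern is not configured; cannot bind as user " + userName);
                return authentication;
            }

            DefaultSpringSecurityContextSource contextSource = new DefaultSpringSecurityContextSource(ldapURL);
            contextSource.setCacheEnvironmentProperties(false);
            contextSource.setAnonymousReadOnly(true);

            BindAuthenticator bindAuthenticator = new BindAuthenticator(contextSource);
            bindAuthenticator.setUserDnPatterns(ldapUserDNPattern.split(USER_DN_PATTERN_SEPARATOR));

            LdapAuthenticationProvider provider;
            if (StringUtils.isEmpty(ldapGroupSearchBase) || StringUtils.isEmpty(ldapGroupSearchFilter)) {
                // No group search configured: the token carries only the authorities from getAuthorities().
                provider = new LdapAuthenticationProvider(bindAuthenticator);
            } else {
                provider = new LdapAuthenticationProvider(bindAuthenticator, getDefaultLdapAuthoritiesPopulator(contextSource));
            }

            Authentication result = provider.authenticate(newUsernamePasswordToken(userName, userPassword));
            if (groupsFromUGI) {
                result = getAuthenticationWithGrantedAuthorityFromUGI(result);
            }
            return result;
        } catch (Exception e) {
            LOG.error("getLdapAuthentication LDAP Authentication Failed:", e);
            return authentication;
        } finally {
            if (isDebugEnabled) {
                LOG.debug("<== AtlasLdapAuthenticationProvider getLdapAuthentication");
            }
        }
    }

    /**
     * Returns the credentials of {@code authentication} as a string, or "" when none are present.
     */
    private static String extractCredentials(Authentication authentication) {
        Object credentials = authentication.getCredentials();
        return credentials != null ? credentials.toString() : "";
    }

    /**
     * Builds the token handed to Spring's {@link LdapAuthenticationProvider}; the initial
     * authorities come from the inherited {@code getAuthorities(String)}.
     */
    private UsernamePasswordAuthenticationToken newUsernamePasswordToken(String userName, String userPassword) {
        List<GrantedAuthority> authorities = getAuthorities(userName);
        return new UsernamePasswordAuthenticationToken(new User(userName, userPassword, authorities), userPassword, authorities);
    }

    /**
     * Reads the LDAP settings from the LDAP_AUTH_METHOD subset of the application configuration.
     * Any failure is logged and leaves the fields at their defaults (null / {@code groupsFromUGI}
     * unset), so later authentication attempts fail and are logged instead of bean creation failing.
     */
    private void setLdapProperties() {
        try {
            Configuration configuration = ApplicationProperties.get();
            Properties properties = ConfigurationConverter.getProperties(configuration.subset(AtlasAuthenticationProvider.LDAP_AUTH_METHOD));

            ldapURL = properties.getProperty("url");
            ldapUserDNPattern = properties.getProperty("userDNpattern");
            ldapGroupSearchBase = properties.getProperty("groupSearchBase");
            ldapGroupSearchFilter = properties.getProperty("groupSearchFilter");
            ldapGroupRoleAttribute = properties.getProperty("groupRoleAttribute");
            ldapBindDN = properties.getProperty("bind.dn");
            ldapBindPassword = properties.getProperty("bind.password");
            ldapDefaultRole = properties.getProperty("default.role");
            ldapUserSearchFilter = properties.getProperty("user.searchfilter");
            ldapReferral = properties.getProperty("referral");
            ldapBase = properties.getProperty("base.dn");
            groupsFromUGI = configuration.getBoolean("atlas.authentication.method.ldap.ugi-groups", true);

            // Default applied once here so the effective filter shows up in the debug dump below,
            // instead of being patched into the field on the request path.
            if (StringUtils.isBlank(ldapUserSearchFilter)) {
                ldapUserSearchFilter = DEFAULT_USER_SEARCH_FILTER;
            }

            if (LOG.isDebugEnabled()) {
                // bind.password is deliberately absent from this dump.
                LOG.debug("AtlasLdapAuthenticationProvider{ldapURL='" + ldapURL + "', ldapUserDNPattern='" + ldapUserDNPattern + "', ldapGroupSearchBase='" + ldapGroupSearchBase + "', ldapGroupSearchFilter='" + ldapGroupSearchFilter + "', ldapGroupRoleAttribute='" + ldapGroupRoleAttribute + "', ldapBindDN='" + ldapBindDN + "', ldapDefaultRole='" + ldapDefaultRole + "', ldapUserSearchFilter='" + ldapUserSearchFilter + "', ldapReferral='" + ldapReferral + "', ldapBase='" + ldapBase + "', groupsFromUGI=" + groupsFromUGI + '}');
            }
        } catch (Exception e) {
            LOG.error("Exception while setLdapProperties", e);
        }
    }

    /**
     * Context source for the search-then-bind path: reads use the service account
     * ({@code setAnonymousReadOnly(false)}), referral handling follows the {@code referral}
     * setting, and connections are pooled.
     *
     * @throws Exception if {@code afterPropertiesSet()} rejects the configuration
     */
    private LdapContextSource getLdapContextSource() throws Exception {
        DefaultSpringSecurityContextSource contextSource = new DefaultSpringSecurityContextSource(ldapURL);
        contextSource.setUserDn(ldapBindDN);
        contextSource.setPassword(ldapBindPassword);
        contextSource.setReferral(ldapReferral);
        contextSource.setCacheEnvironmentProperties(false);
        contextSource.setAnonymousReadOnly(false);
        contextSource.setPooled(true);
        contextSource.afterPropertiesSet();
        return contextSource;
    }

    /**
     * Group-to-authority populator over {@code groupSearchBase} / {@code groupSearchFilter}, mapping
     * {@code groupRoleAttribute} to the role name. Partial results are ignored rather than treated
     * as a failure (commonly needed when the directory returns referrals — verify for the deployment).
     */
    private DefaultLdapAuthoritiesPopulator getDefaultLdapAuthoritiesPopulator(LdapContextSource ldapContextSource) {
        DefaultLdapAuthoritiesPopulator populator = new DefaultLdapAuthoritiesPopulator(ldapContextSource, ldapGroupSearchBase);
        populator.setGroupRoleAttribute(ldapGroupRoleAttribute);
        populator.setGroupSearchFilter(ldapGroupSearchFilter);
        populator.setIgnorePartialResultException(true);
        return populator;
    }

    /**
     * Bind authenticator for the search-then-bind path, using {@code filterBasedLdapUserSearch} to
     * find the user entry.
     *
     * <p>NOTE(review): unlike getLdapAuthentication(), the DN pattern is passed whole here; a
     * ";"-separated list is not split. Confirm whether that asymmetry is intended before relying
     * on multiple patterns in this path.
     *
     * @throws Exception if {@code afterPropertiesSet()} rejects the configuration
     */
    private BindAuthenticator getBindAuthenticator(FilterBasedLdapUserSearch filterBasedLdapUserSearch, LdapContextSource ldapContextSource) throws Exception {
        BindAuthenticator bindAuthenticator = new BindAuthenticator(ldapContextSource);
        bindAuthenticator.setUserSearch(filterBasedLdapUserSearch);
        bindAuthenticator.setUserDnPatterns(new String[]{ldapUserDNPattern});
        bindAuthenticator.afterPropertiesSet();
        return bindAuthenticator;
    }
}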
