package com.facebook.presto.server.security;

import com.facebook.presto.server.security.util.jndi.JndiUtils;
import com.facebook.presto.tests.TestGroups;
import com.google.common.base.CharMatcher;
import com.google.common.base.MoreObjects;
import com.google.common.base.Preconditions;
import com.google.common.base.Splitter;
import com.google.common.base.Strings;
import com.google.common.base.Throwables;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.collect.ImmutableMap;
import com.mysql.jdbc.NonRegisteringDriver;
import io.airlift.log.Logger;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import javax.annotation.Nonnull;
import javax.inject.Inject;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.servlet.http.HttpServletRequest;

/* loaded from: input_file:com/facebook/presto/server/security/LdapAuthenticator.class */
public class LdapAuthenticator implements Authenticator {
    private static final Logger log = Logger.get((Class<?>) LdapAuthenticator.class);
    private static final String BASIC_AUTHENTICATION_PREFIX = "Basic ";
    private static final String LDAP_CONTEXT_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";
    private final String ldapUrl;
    private final String userBindSearchPattern;
    private final Optional<String> groupAuthorizationSearchPattern;
    private final Optional<String> userBaseDistinguishedName;
    private final Map<String, String> basicEnvironment;
    private final LoadingCache<Credentials, Principal> authenticationCache;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/facebook/presto/server/security/LdapAuthenticator$Credentials.class */
    public static class Credentials {
        private final String user;
        private final String password;

        private Credentials(String str, String str2) {
            this.user = (String) Objects.requireNonNull(str);
            this.password = (String) Objects.requireNonNull(str2);
        }

        public String getUser() {
            return this.user;
        }

        public String getPassword() {
            return this.password;
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            Credentials credentials = (Credentials) obj;
            return Objects.equals(this.user, credentials.user) && Objects.equals(this.password, credentials.password);
        }

        public int hashCode() {
            return Objects.hash(this.user, this.password);
        }

        public String toString() {
            return MoreObjects.toStringHelper(this).add("user", this.user).add(NonRegisteringDriver.PASSWORD_PROPERTY_KEY, this.password).toString();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/facebook/presto/server/security/LdapAuthenticator$LdapPrincipal.class */
    public static final class LdapPrincipal implements Principal {
        private final String name;

        private LdapPrincipal(String str) {
            this.name = (String) Objects.requireNonNull(str, "name is null");
        }

        @Override // java.security.Principal
        public String getName() {
            return this.name;
        }

        @Override // java.security.Principal
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            return Objects.equals(this.name, ((LdapPrincipal) obj).name);
        }

        @Override // java.security.Principal
        public int hashCode() {
            return Objects.hash(this.name);
        }

        @Override // java.security.Principal
        public String toString() {
            return this.name;
        }
    }

    @Inject
    public LdapAuthenticator(LdapConfig ldapConfig) {
        this.ldapUrl = (String) Objects.requireNonNull(ldapConfig.getLdapUrl(), "ldapUrl is null");
        this.userBindSearchPattern = (String) Objects.requireNonNull(ldapConfig.getUserBindSearchPattern(), "userBindSearchPattern is null");
        this.groupAuthorizationSearchPattern = Optional.ofNullable(ldapConfig.getGroupAuthorizationSearchPattern());
        this.userBaseDistinguishedName = Optional.ofNullable(ldapConfig.getUserBaseDistinguishedName());
        if (this.groupAuthorizationSearchPattern.isPresent()) {
            Preconditions.checkState(this.userBaseDistinguishedName.isPresent(), "Base distinguished name (DN) for user is null");
        }
        ImmutableMap build = ImmutableMap.builder().put("java.naming.factory.initial", LDAP_CONTEXT_FACTORY).put("java.naming.provider.url", this.ldapUrl).build();
        checkEnvironment(build);
        this.basicEnvironment = build;
        this.authenticationCache = CacheBuilder.newBuilder().expireAfterWrite(ldapConfig.getLdapCacheTtl().toMillis(), TimeUnit.MILLISECONDS).build(new CacheLoader<Credentials, Principal>() { // from class: com.facebook.presto.server.security.LdapAuthenticator.1
            @Override // com.google.common.cache.CacheLoader
            public Principal load(@Nonnull Credentials credentials) throws AuthenticationException {
                return LdapAuthenticator.this.authenticate(credentials.getUser(), credentials.getPassword());
            }
        });
    }

    private static void checkEnvironment(Map<String, String> map) {
        try {
            closeContext(createDirContext(map));
        } catch (NamingException e) {
            throw new RuntimeException((Throwable) e);
        }
    }

    private static InitialDirContext createDirContext(Map<String, String> map) throws NamingException {
        return JndiUtils.getInitialDirContext(map);
    }

    private static void closeContext(InitialDirContext initialDirContext) {
        if (initialDirContext != null) {
            try {
                initialDirContext.close();
            } catch (NamingException e) {
            }
        }
    }

    @Override // com.facebook.presto.server.security.Authenticator
    public Principal authenticate(HttpServletRequest httpServletRequest) throws AuthenticationException {
        String header = httpServletRequest.getHeader("Authorization");
        if (Strings.nullToEmpty(header).startsWith(BASIC_AUTHENTICATION_PREFIX)) {
            return getPrincipal(getCredentials(header.substring(BASIC_AUTHENTICATION_PREFIX.length()).trim()));
        }
        throw needAuthentication(null);
    }

    private Principal getPrincipal(Credentials credentials) throws AuthenticationException {
        try {
            return this.authenticationCache.get(credentials);
        } catch (ExecutionException e) {
            Throwable cause = e.getCause();
            if (cause != null) {
                Throwables.throwIfInstanceOf(cause, AuthenticationException.class);
            }
            throw new RuntimeException(cause);
        }
    }

    private static AuthenticationException needAuthentication(String str) throws AuthenticationException {
        return new AuthenticationException(str, "Basic realm=\"presto\"");
    }

    private static Credentials getCredentials(String str) throws AuthenticationException {
        List<String> splitToList = Splitter.on(':').limit(2).splitToList(decodeCredentials(str));
        if (splitToList.size() != 2 || splitToList.stream().anyMatch((v0) -> {
            return v0.isEmpty();
        })) {
            throw new AuthenticationException("Malformed decoded credentials");
        }
        return new Credentials(splitToList.get(0), splitToList.get(1));
    }

    private static String decodeCredentials(String str) throws AuthenticationException {
        try {
            return new String(Base64.getDecoder().decode(str), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            throw new AuthenticationException("Invalid base64 encoded credentials");
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public Principal authenticate(String str, String str2) throws AuthenticationException {
        DirContext dirContext = null;
        try {
            try {
                dirContext = createDirContext(createEnvironment(str, str2));
                checkForGroupMembership(str, dirContext);
                log.debug("Authentication successful for user [%s]", str);
                LdapPrincipal ldapPrincipal = new LdapPrincipal(str);
                closeContext(dirContext);
                return ldapPrincipal;
            } catch (NamingException e) {
                log.debug("Authentication failed for user [%s]: %s", str, e.getMessage());
                throw new AuthenticationException("Authentication failed");
            } catch (javax.naming.AuthenticationException e2) {
                log.debug("Authentication failed for user [%s]: %s", str, e2.getMessage());
                throw needAuthentication("Invalid credentials: " + CharMatcher.javaIsoControl().removeFrom(e2.getMessage()));
            }
        } catch (Throwable th) {
            closeContext(dirContext);
            throw th;
        }
    }

    private Map<String, String> createEnvironment(String str, String str2) {
        return ImmutableMap.builder().putAll(this.basicEnvironment).put("java.naming.security.authentication", TestGroups.SIMPLE).put("java.naming.security.principal", createPrincipal(str)).put("java.naming.security.credentials", str2).build();
    }

    private String createPrincipal(String str) {
        return replaceUser(this.userBindSearchPattern, str);
    }

    private String replaceUser(String str, String str2) {
        return str.replaceAll("\\$\\{USER\\}", str2);
    }

    private void checkForGroupMembership(String str, DirContext dirContext) throws AuthenticationException {
        if (this.groupAuthorizationSearchPattern.isPresent()) {
            String replaceUser = replaceUser(this.groupAuthorizationSearchPattern.get(), str);
            SearchControls searchControls = new SearchControls();
            searchControls.setSearchScope(2);
            NamingEnumeration namingEnumeration = null;
            try {
                try {
                    namingEnumeration = dirContext.search(this.userBaseDistinguishedName.get(), replaceUser, searchControls);
                    boolean hasMoreElements = namingEnumeration.hasMoreElements();
                    if (namingEnumeration != null) {
                        try {
                            namingEnumeration.close();
                        } catch (NamingException e) {
                        }
                    }
                    if (hasMoreElements) {
                        return;
                    }
                    String format = String.format("User [%s] not a member of the authorized group", str);
                    log.debug("Group check failed. %s", format);
                    throw needAuthentication(format);
                } catch (NamingException e2) {
                    log.debug("Authentication failed for user [%s]: %s", str, e2.getMessage());
                    throw new AuthenticationException("Authentication failed");
                }
            } catch (Throwable th) {
                if (namingEnumeration != null) {
                    try {
                        namingEnumeration.close();
                    } catch (NamingException e3) {
                    }
                }
                throw th;
            }
        }
    }
}
