package org.apache.doris.ldap;

import com.google.common.base.Strings;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import org.apache.doris.analysis.TablePattern;
import org.apache.doris.analysis.UserIdentity;
import org.apache.doris.catalog.Env;
import org.apache.doris.catalog.InfoSchemaDb;
import org.apache.doris.cluster.ClusterNamespace;
import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.DdlException;
import org.apache.doris.common.LdapConfig;
import org.apache.doris.mysql.privilege.Auth;
import org.apache.doris.mysql.privilege.PrivBitSet;
import org.apache.doris.mysql.privilege.Privilege;
import org.apache.doris.mysql.privilege.Role;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:org/apache/doris/ldap/LdapManager.class */
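/**
 * Front-end side LDAP authentication and role lookup, with a process-local cache.
 *
 * <p>Security-relevant properties of this class, all visible in the code below:
 * <ul>
 *   <li>{@code root} and {@link Auth#ADMIN_USER} are never resolved through LDAP
 *       ({@link #checkParam}), so directory contents cannot impersonate the built-in admins.</li>
 *   <li>After a password has been verified against the directory it is cached on the user's
 *       {@link LdapUserInfo} (see {@link #checkUserPasswd}) and subsequent logins are answered from
 *       that cache until the entry times out, the whole cache is wiped
 *       ({@link #checkTimeoutCleanCache}) or {@link #refresh} is called. A password change or
 *       account removal in LDAP is therefore not observed before then.</li>
 *   <li>An empty password is rejected before any directory round trip, because an LDAP simple bind
 *       with a DN and empty credential is an unauthenticated bind that many servers accept.</li>
 * </ul>
 *
 * <p>Thread-safety: the cache map is guarded by {@code lock}; nothing else is shared.
 */
public class LdapManager {
    private static final Logger LOG = LogManager.getLogger(LdapManager.class);

    /** Name of the synthetic role every authenticated LDAP user receives (see {@link #getLdapGroupsRoles}). */
    public static final String LDAP_DEFAULT_ROLE = "ldapDefaultRole";

    private final LdapClient ldapClient = new LdapClient();

    // Keyed by the full (cluster-qualified) user name passed to getUserInfo. Entries may carry the
    // last password verified against LDAP in the form checkUserPasswd compares it, i.e. as submitted
    // by the client, so treat this map as a credential store: never log or expose its contents.
    private final Map<String, LdapUserInfo> ldapUserInfoCache = Maps.newHashMap();
    private final ReentrantReadWriteLock lock = new ReentrantReadWriteLock();

    // Time of the last whole-cache wipe. Read without the lock in checkTimeoutCleanCache, hence volatile.
    private volatile long lastTimestamp = System.currentTimeMillis();

    private void readLock() {
        this.lock.readLock().lock();
    }

    private void readUnlock() {
        this.lock.readLock().unlock();
    }

    private void writeLock() {
        this.lock.writeLock().lock();
    }

    private void writeUnlock() {
        this.lock.writeLock().unlock();
    }

    /**
     * Returns the cached or freshly resolved LDAP information for {@code fullName}.
     *
     * @param fullName cluster-qualified user name
     * @return the user's info (which may say the user does not exist), or {@code null} when LDAP
     *         authentication is disabled, the name is empty or a built-in admin, or the lookup failed
     */
    public LdapUserInfo getUserInfo(String fullName) {
        if (!checkParam(fullName)) {
            return null;
        }
        LdapUserInfo cached = getUserInfoFromCache(fullName);
        if (cached != null && !cached.checkTimeout()) {
            return cached;
        }
        // Miss or expired entry: go to the directory and replace the cache entry.
        try {
            return getUserInfoAndUpdateCache(fullName);
        } catch (DdlException e) {
            // Failing closed: callers treat null as "unknown user".
            LOG.warn("getUserInfo for {} failed", fullName, e);
            return null;
        }
    }

    /**
     * @return {@code true} only if LDAP authentication is enabled, the name is not a built-in admin and
     *         the directory (or a non-expired cache entry) reports the user as existing
     */
    public boolean doesUserExist(String fullName) {
        if (!checkParam(fullName)) {
            return false;
        }
        LdapUserInfo info = getUserInfo(fullName);
        return info != null && info.isExists();
    }

    /**
     * Verifies {@code password} for {@code fullName}, first against the password cached on the user's
     * entry, then against the directory.
     *
     * @param fullName cluster-qualified user name
     * @param password password as submitted by the client
     * @return {@code true} if the password is accepted; {@code false} when LDAP authentication is
     *         disabled, the name or password is empty, the user is unknown, or the bind fails
     */
    public boolean checkUserPasswd(String fullName, String password) {
        String shortName = ClusterNamespace.getNameFromFullName(fullName);
        // Reject an empty password here, before anything reaches the directory: an LDAP simple bind
        // with a DN and an empty credential is an *unauthenticated* bind (RFC 4513 s5.1.2) that many
        // servers accept, which would turn "no password" into a successful login. Whether LdapClient
        // guards against this itself is not visible from here, so this boundary must.
        if (!LdapConfig.ldap_authentication_enabled || Strings.isNullOrEmpty(shortName)
                || Strings.isNullOrEmpty(password)) {
            return false;
        }
        LdapUserInfo info = getUserInfo(fullName);
        if (info == null || !info.isExists()) {
            return false;
        }
        // Fast path: compare with the password previously verified against LDAP for this entry.
        // Constant-time compare so the cached credential is not leaked byte by byte through timing.
        if (info.isSetPasswd() && constantTimeEquals(info.getPasswd(), password)) {
            return true;
        }
        if (!this.ldapClient.checkPassword(shortName, password)) {
            return false;
        }
        // Verified by the directory: remember it so the next login does not need a bind.
        updatePasswd(info, password);
        return true;
    }

    /**
     * Same as {@link #checkUserPasswd(String, String)} and, on success, appends the identities Doris
     * resolves for this LDAP user (for {@code remoteIp}) to {@code identities}.
     */
    public boolean checkUserPasswd(String fullName, String password, String remoteIp,
            List<UserIdentity> identities) {
        if (!checkUserPasswd(fullName, password)) {
            return false;
        }
        identities.addAll(Env.getCurrentEnv().getAuth().getUserIdentityForLdap(fullName, remoteIp));
        return true;
    }

    /** @return the Doris roles mapped from the user's LDAP groups, or an empty set if the user is unknown */
    public Set<Role> getUserRoles(String fullName) {
        LdapUserInfo info = getUserInfo(fullName);
        if (info == null) {
            return Collections.emptySet();
        }
        return info.getPaloRoles();
    }

    /**
     * Gate for every LDAP lookup: LDAP must be enabled, the name must be non-empty, and the built-in
     * {@code root} / admin accounts are never resolved through the directory.
     */
    private boolean checkParam(String fullName) {
        if (!LdapConfig.ldap_authentication_enabled || Strings.isNullOrEmpty(fullName)) {
            return false;
        }
        return !fullName.equalsIgnoreCase("root") && !fullName.equalsIgnoreCase(Auth.ADMIN_USER);
    }

    /**
     * Compares two password strings in time independent of where they first differ.
     * {@link MessageDigest#isEqual} only short-circuits on a length mismatch.
     */
    private static boolean constantTimeEquals(String cached, String supplied) {
        if (cached == null || supplied == null) {
            return false;
        }
        return MessageDigest.isEqual(cached.getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Resolves the user through the directory and stores the result in the cache.
     *
     * @return the new cache entry, or {@code null} if the short name is empty
     * @throws DdlException propagated from role resolution
     */
    private LdapUserInfo getUserInfoAndUpdateCache(String fullName) throws DdlException {
        String clusterName = ClusterNamespace.getClusterNameFromFullName(fullName);
        String shortName = ClusterNamespace.getNameFromFullName(fullName);
        if (Strings.isNullOrEmpty(shortName)) {
            return null;
        }
        if (!this.ldapClient.doesUserExist(shortName)) {
            return makeUserNotExists(fullName);
        }
        checkTimeoutCleanCache();
        // A fresh entry never carries a password; checkUserPasswd adds it after a successful bind.
        LdapUserInfo info = new LdapUserInfo(fullName, false, "",
                getLdapGroupsRoles(shortName, clusterName));
        writeLock();
        try {
            this.ldapUserInfoCache.put(info.getUserName(), info);
        } finally {
            writeUnlock();
        }
        return info;
    }

    /** Replaces the user's cache entry with a copy that carries the directory-verified password. */
    private void updatePasswd(LdapUserInfo info, String password) {
        LdapUserInfo withPasswd = info.cloneWithPasswd(password);
        writeLock();
        try {
            this.ldapUserInfoCache.put(withPasswd.getUserName(), withPasswd);
        } finally {
            writeUnlock();
        }
    }

    /**
     * Records that the directory does not know {@code fullName} and returns that entry.
     *
     * <p>The entry must be the one just stored: {@code Map.put} returns the <em>previous</em> mapping,
     * and returning that (as this method used to) handed a stale "exists" entry, possibly with a cached
     * password, back to the caller on the first lookup after the user disappeared from LDAP.
     */
    private LdapUserInfo makeUserNotExists(String fullName) {
        LdapUserInfo absent = new LdapUserInfo(fullName);
        writeLock();
        try {
            this.ldapUserInfoCache.put(fullName, absent);
        } finally {
            writeUnlock();
        }
        return absent;
    }

    /**
     * Wipes the whole cache once {@code ldap_cache_timeout_day} has elapsed since the last wipe.
     * Unlocked pre-check on the volatile timestamp, re-checked under the write lock.
     */
    private void checkTimeoutCleanCache() {
        // TimeUnit avoids the int overflow of a hand-written day*24*60*60*1000 product.
        long cutoff = System.currentTimeMillis() - TimeUnit.DAYS.toMillis(LdapConfig.ldap_cache_timeout_day);
        if (this.lastTimestamp >= cutoff) {
            return;
        }
        writeLock();
        try {
            if (this.lastTimestamp < cutoff) {
                this.ldapUserInfoCache.clear();
                this.lastTimestamp = System.currentTimeMillis();
            }
        } finally {
            writeUnlock();
        }
    }

    private LdapUserInfo getUserInfoFromCache(String fullName) {
        readLock();
        try {
            return this.ldapUserInfoCache.get(fullName);
        } finally {
            readUnlock();
        }
    }

    /**
     * Maps the user's LDAP groups to Doris roles: each group name that matches an existing Doris role
     * (qualified with {@code clusterName}) is included, plus the {@link #LDAP_DEFAULT_ROLE} synthetic
     * role that only grants SELECT on the information schema. Unknown groups are silently ignored.
     *
     * @throws DdlException propagated from building the default role
     */
    private Set<Role> getLdapGroupsRoles(String shortName, String clusterName) throws DdlException {
        Auth auth = Env.getCurrentEnv().getAuth();
        List<String> groups = this.ldapClient.getGroups(shortName);
        Set<Role> roles = Sets.newHashSet();
        for (String group : groups) {
            String roleName = ClusterNamespace.getFullName(clusterName, group);
            if (auth.doesRoleExist(roleName)) {
                roles.add(auth.getRoleByName(roleName));
            }
        }
        // Group names only; never log credentials here.
        LOG.debug("get user:{} ldap groups:{} and doris roles:{}", shortName, groups, roles);
        Role defaultRole = new Role(LDAP_DEFAULT_ROLE);
        grantDefaultPrivToTempUser(defaultRole, clusterName);
        roles.add(defaultRole);
        return roles;
    }

    /**
     * Drops cache entries so the next lookup goes back to the directory. This is the only way to
     * invalidate a cached password or a stale group membership before the entry's own timeout.
     *
     * @param all      wipe everything (and reset the cache-age clock) instead of a single user
     * @param fullName user to drop when {@code all} is false
     */
    public void refresh(boolean all, String fullName) {
        writeLock();
        try {
            if (all) {
                this.ldapUserInfoCache.clear();
                this.lastTimestamp = System.currentTimeMillis();
                LOG.info("refreshed all ldap info.");
            } else {
                this.ldapUserInfoCache.remove(fullName);
                LOG.info("refreshed ldap info for " + fullName);
            }
        } finally {
            writeUnlock();
        }
    }

    /**
     * Grants {@code role} SELECT on every table of the information schema database, which is the
     * baseline every LDAP user gets regardless of group membership.
     *
     * @throws DdlException propagated from {@link Role#merge}
     */
    public static void grantDefaultPrivToTempUser(Role role, String clusterName) throws DdlException {
        TablePattern pattern = new TablePattern(InfoSchemaDb.DATABASE_NAME, "*");
        try {
            pattern.analyze(clusterName);
        } catch (AnalysisException e) {
            // The pattern is a fixed "<info schema>.*", so analysis is not expected to fail; kept as a
            // warning rather than a hard error to preserve existing login behaviour.
            LOG.warn("should not happen.", e);
        }
        role.merge(new Role(role.getRoleName(), pattern, PrivBitSet.of(Privilege.SELECT_PRIV)));
    }
}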
