package _ss_com.streamsets.datacollector.http;

import _ss_com.com.google.common.annotations.VisibleForTesting;
import _ss_com.streamsets.datacollector.util.Configuration;
import _ss_org.apache.commons.configuration2.tree.DefaultExpressionEngineSymbols;
import _ss_org.apache.commons.lang3.StringUtils;
import _ss_org.apache.http.cookie.ClientCookie;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import org.eclipse.jetty.jaas.callback.ObjectCallback;
import org.eclipse.jetty.jaas.spi.AbstractLoginModule;
import org.eclipse.jetty.jaas.spi.UserInfo;
import org.eclipse.jetty.util.security.Credential;
import org.ldaptive.BindConnectionInitializer;
import org.ldaptive.Connection;
import org.ldaptive.ConnectionConfig;
import org.ldaptive.DefaultConnectionFactory;
import org.ldaptive.LdapAttribute;
import org.ldaptive.LdapEntry;
import org.ldaptive.LdapException;
import org.ldaptive.ReturnAttributes;
import org.ldaptive.SearchOperation;
import org.ldaptive.SearchRequest;
import org.ldaptive.SearchScope;
import org.ldaptive.auth.AuthenticationRequest;
import org.ldaptive.auth.AuthenticationResponse;
import org.ldaptive.auth.Authenticator;
import org.ldaptive.auth.BindAuthenticationHandler;
import org.ldaptive.auth.SearchDnResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:_ss_com/streamsets/datacollector/http/LdapLoginModule.class */
public class LdapLoginModule extends AbstractLoginModule {
    private static final Logger LOG = LoggerFactory.getLogger(LdapLoginModule.class);
    private String _hostname;
    private int _port;
    private String _bindDn;
    private String _bindPassword;
    private String _userBaseDn;
    private String _roleBaseDn;
    private static final String filterFormat = "(&(objectClass=%s)%s)";
    private static final String DN = "{dn}";
    private static final String USER = "{user}";
    private ConnectionConfig connConfig;
    private Connection conn;
    private String _userObjectClass = "inetOrgPerson";
    private String _userRdnAttribute = "uid";
    private String _userIdAttribute = "cn";
    private String _userPasswordAttribute = "userPassword";
    private String _roleObjectClass = "groupOfUniqueNames";
    private String _roleMemberAttribute = "uniqueMember";
    private String _roleNameAttribute = "roleName";
    private boolean _forceBindingLogin = false;
    private boolean _useLdaps = false;
    private boolean _useStarttls = false;
    private String _userFilter = "%s={user}";
    private String _roleFilter = "%s={dn})";

    @Override // org.eclipse.jetty.jaas.spi.AbstractLoginModule
    public UserInfo getUserInfo(String str) throws Exception {
        LdapEntry entryWithCredential = getEntryWithCredential(str);
        if (entryWithCredential == null) {
            return null;
        }
        return new UserInfo(str, Credential.getCredential(convertCredentialLdapToJetty(getUserCredential(entryWithCredential))), getUserRoles(str, entryWithCredential.getDn()));
    }

    private LdapEntry getEntryWithCredential(String str) throws LdapException {
        if (StringUtils.isBlank(this._userObjectClass) || StringUtils.isBlank(this._userIdAttribute) || StringUtils.isBlank(this._userBaseDn) || StringUtils.isBlank(this._userPasswordAttribute)) {
            LOG.error("Failed to get user because at least one of the following is null : [_userObjectClass, _userIdAttribute, _userBaseDn, _userPasswordAttribute ]");
            return null;
        }
        String buildFilter = buildFilter(this._userFilter, this._userObjectClass, this._userIdAttribute);
        if (buildFilter.contains(USER)) {
            buildFilter = buildFilter.replace(USER, str);
        }
        LOG.debug("Searching user using the filter {} on user baseDn {}", buildFilter, this._userBaseDn);
        SearchRequest searchRequest = new SearchRequest(this._userBaseDn, buildFilter, this._userPasswordAttribute);
        searchRequest.setSearchScope(SearchScope.SUBTREE);
        searchRequest.setSizeLimit(1L);
        try {
            LdapEntry entry = new SearchOperation(this.conn).execute(searchRequest).getResult().getEntry();
            LOG.info("Found user?: {}", Boolean.valueOf(entry != null));
            return entry;
        } catch (LdapException e) {
            LOG.error("{}", e.toString(), e);
            return null;
        }
    }

    public String getUserCredential(LdapEntry ldapEntry) {
        String str = null;
        if (ldapEntry != null) {
            LdapAttribute attribute = ldapEntry.getAttribute(this._userPasswordAttribute);
            if (attribute == null) {
                LOG.error("Failed to receive user password from LDAP server. Possibly userPasswordAttribute is wrong");
                return null;
            }
            str = new String(attribute.getBinaryValue(), StandardCharsets.UTF_8);
        }
        return str;
    }

    private List<String> getUserRoles(String str, String str2) {
        String replace;
        ArrayList arrayList = new ArrayList();
        if (StringUtils.isBlank(this._roleBaseDn) || StringUtils.isBlank(this._roleObjectClass) || StringUtils.isBlank(this._roleNameAttribute) || StringUtils.isBlank(this._roleMemberAttribute)) {
            LOG.debug("Failed to get roles because at least one of the following is null : [_roleBaseDn, _roleObjectClass, _roleNameAttribute, _roleMemberAttribute ]");
            return arrayList;
        }
        String buildFilter = buildFilter(this._roleFilter, this._roleObjectClass, this._roleMemberAttribute);
        if (this._roleFilter.contains(DN)) {
            replace = buildFilter.replace(DN, str2.replace("\\", "\\\\\\"));
        } else {
            if (!this._roleFilter.contains(USER)) {
                LOG.error("roleFilter contains invalid filter {}. Check the roleFilter option");
                return arrayList;
            }
            replace = buildFilter.replace(USER, str);
        }
        LOG.debug("Searching roles using the filter {} on role baseDn {}", replace, this._roleBaseDn);
        SearchRequest searchRequest = new SearchRequest(this._roleBaseDn, replace, this._roleNameAttribute);
        searchRequest.setSearchScope(SearchScope.SUBTREE);
        try {
            Collection<LdapEntry> entries = new SearchOperation(this.conn).execute(searchRequest).getResult().getEntries();
            LOG.info("Found roles?: {}", Boolean.valueOf((entries == null || entries.isEmpty()) ? false : true));
            if (entries != null) {
                Iterator<LdapEntry> it = entries.iterator();
                while (it.hasNext()) {
                    arrayList.add(it.next().getAttribute().getStringValue());
                }
            }
        } catch (LdapException e) {
            LOG.error(e.getMessage(), e);
        }
        LOG.info("Found roles: {}", arrayList);
        return arrayList;
    }

    @VisibleForTesting
    static String buildFilter(String str, String str2, String str3) {
        if (!str.startsWith(DefaultExpressionEngineSymbols.DEFAULT_INDEX_START)) {
            str = DefaultExpressionEngineSymbols.DEFAULT_INDEX_START + str;
        }
        if (!str.endsWith(DefaultExpressionEngineSymbols.DEFAULT_INDEX_END)) {
            str = str + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END;
        }
        return String.format(filterFormat, str2, String.format(str, str3));
    }

    @Override // org.eclipse.jetty.jaas.spi.AbstractLoginModule
    public boolean login() throws LoginException {
        try {
            if (getCallbackHandler() == null) {
                throw new LoginException("No callback handler");
            }
            if (this.conn == null) {
                return false;
            }
            NameCallback[] configureCallbacks = configureCallbacks();
            getCallbackHandler().handle(configureCallbacks);
            String name = configureCallbacks[0].getName();
            Object object = ((ObjectCallback) configureCallbacks[1]).getObject();
            if (name == null || object == null) {
                setAuthenticated(false);
                return isAuthenticated();
            }
            if ((object instanceof String) && ((String) object).isEmpty()) {
                LOG.info("Ignoring login request for user {} as the password is empty.", name);
                setAuthenticated(false);
                return isAuthenticated();
            }
            if (this._forceBindingLogin) {
                return bindingLogin(name, object);
            }
            UserInfo userInfo = getUserInfo(name);
            if (userInfo == null) {
                setAuthenticated(false);
                return false;
            }
            AbstractLoginModule.JAASUserInfo jAASUserInfo = new AbstractLoginModule.JAASUserInfo(userInfo);
            jAASUserInfo.fetchRoles();
            setCurrentUser(jAASUserInfo);
            return object instanceof String ? credentialLogin(Credential.getCredential((String) object)) : credentialLogin(object);
        } catch (IOException e) {
            LOG.error("IO Error performing login", e);
            return false;
        } catch (UnsupportedCallbackException e2) {
            throw new LoginException("Error obtaining callback information.");
        } catch (Exception e3) {
            LOG.error("IO Error performing login", e3);
            return false;
        }
    }

    protected boolean credentialLogin(Object obj) throws LoginException {
        boolean checkCredential = getCurrentUser().checkCredential(obj);
        setAuthenticated(checkCredential);
        if (!checkCredential) {
            LOG.warn("Authentication failed - Possibly the user password is wrong");
        }
        return isAuthenticated();
    }

    public boolean bindingLogin(String str, Object obj) throws Exception {
        if (StringUtils.isBlank(this._userObjectClass) || StringUtils.isBlank(this._userIdAttribute) || StringUtils.isBlank(this._userBaseDn)) {
            LOG.error("Failed to get user because at least one of the following is null : [_userObjectClass, _userIdAttribute, _userBaseDn ]");
            return false;
        }
        LdapEntry authenticate = authenticate(str, obj);
        if (authenticate == null) {
            return false;
        }
        String dn = authenticate.getDn();
        if (dn == null) {
            LOG.error("userDn is found null for the user {}", str);
            return false;
        }
        AbstractLoginModule.JAASUserInfo jAASUserInfo = new AbstractLoginModule.JAASUserInfo(new UserInfo(str, Credential.getCredential(""), getUserRoles(str, dn)));
        jAASUserInfo.fetchRoles();
        setCurrentUser(jAASUserInfo);
        setAuthenticated(true);
        return true;
    }

    private LdapEntry authenticate(String str, Object obj) {
        try {
            SearchDnResolver searchDnResolver = new SearchDnResolver(new DefaultConnectionFactory(this.connConfig));
            searchDnResolver.setBaseDn(this._userBaseDn);
            searchDnResolver.setSubtreeSearch(true);
            String buildFilter = buildFilter(this._userFilter, this._userObjectClass, this._userIdAttribute);
            LOG.debug("Searching a user with filter {} where user is {}", buildFilter, str);
            searchDnResolver.setUserFilter(buildFilter);
            Authenticator authenticator = new Authenticator(searchDnResolver, new BindAuthenticationHandler(new DefaultConnectionFactory(this.connConfig)));
            AuthenticationRequest authenticationRequest = new AuthenticationRequest();
            authenticationRequest.setUser(str);
            if (obj instanceof char[]) {
                authenticationRequest.setCredential(new org.ldaptive.Credential(new String((char[]) obj)));
            } else {
                if (!(obj instanceof String)) {
                    LOG.error("Unexpected type for password '{}'", obj != null ? obj.getClass() : "NULL");
                    return null;
                }
                authenticationRequest.setCredential(new org.ldaptive.Credential((String) obj));
            }
            authenticationRequest.setReturnAttributes(ReturnAttributes.ALL.value());
            LOG.debug("Retrieved authenticator from factory: {}", authenticator);
            LOG.debug("Retrieved authentication request from factory: {}", authenticationRequest);
            AuthenticationResponse authenticate = authenticator.authenticate(authenticationRequest);
            LOG.info("Found user?: {}", authenticate.getResult());
            if (authenticate.getResult().booleanValue()) {
                return authenticate.getLdapEntry();
            }
            LOG.error("Result code: {} - {}", authenticate.getResultCode(), authenticate.getMessage());
            return null;
        } catch (LdapException e) {
            LOG.warn(e.getMessage());
            return null;
        }
    }

    @Override // org.eclipse.jetty.jaas.spi.AbstractLoginModule
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> map, Map<String, ?> map2) {
        String format;
        super.initialize(subject, callbackHandler, map, map2);
        LOG.debug("Initializing Ldap configuration");
        this._hostname = (String) map2.get("hostname");
        this._port = Integer.parseInt((String) map2.get(ClientCookie.PORT_ATTR));
        this._bindDn = (String) map2.get("bindDn");
        this._bindPassword = (String) map2.get("bindPassword");
        this._userBaseDn = (String) map2.get("userBaseDn");
        this._roleBaseDn = (String) map2.get("roleBaseDn");
        if (map2.containsKey("forceBindingLogin")) {
            this._forceBindingLogin = Boolean.parseBoolean((String) map2.get("forceBindingLogin"));
        }
        if (map2.containsKey("useLdaps")) {
            this._useLdaps = Boolean.parseBoolean((String) map2.get("useLdaps"));
        }
        if (map2.containsKey("useStartTLS")) {
            this._useStarttls = Boolean.parseBoolean((String) map2.get("useStartTLS"));
        }
        this._userObjectClass = getOption(map2, "userObjectClass", this._userObjectClass);
        this._userRdnAttribute = getOption(map2, "userRdnAttribute", this._userRdnAttribute);
        this._userIdAttribute = getOption(map2, "userIdAttribute", this._userIdAttribute);
        this._userPasswordAttribute = getOption(map2, "userPasswordAttribute", this._userPasswordAttribute);
        this._roleObjectClass = getOption(map2, "roleObjectClass", this._roleObjectClass);
        this._roleMemberAttribute = getOption(map2, "roleMemberAttribute", this._roleMemberAttribute);
        this._roleNameAttribute = getOption(map2, "roleNameAttribute", this._roleNameAttribute);
        this._userFilter = getOption(map2, "userFilter", this._userFilter);
        this._roleFilter = getOption(map2, "roleFilter", this._roleFilter);
        if (Configuration.FileRef.isValueMyRef(this._bindPassword)) {
            this._bindPassword = new Configuration.FileRef(this._bindPassword).getValue();
            if (this._bindPassword != null) {
                this._bindPassword = this._bindPassword.trim();
            }
        }
        if (this._useStarttls) {
            format = String.format("ldap://%s:%s", this._hostname, Integer.valueOf(this._port));
        } else {
            Object[] objArr = new Object[3];
            objArr[0] = this._useLdaps ? "ldaps" : WebServerTask.LDAP;
            objArr[1] = this._hostname;
            objArr[2] = Integer.valueOf(this._port);
            format = String.format("%s://%s:%s", objArr);
        }
        LOG.info("Accessing LDAP Server: {} startTLS: {}", format, Boolean.valueOf(this._useStarttls));
        this.connConfig = new ConnectionConfig(format);
        this.connConfig.setUseStartTLS(this._useStarttls);
        this.connConfig.setConnectionInitializer(new BindConnectionInitializer(this._bindDn, new org.ldaptive.Credential(this._bindPassword)));
        this.conn = DefaultConnectionFactory.getConnection(this.connConfig);
        try {
            this.conn.open();
        } catch (LdapException e) {
            LOG.error("Failed to establish connection to the LDAP server {}. {}", format, e);
        }
    }

    @Override // org.eclipse.jetty.jaas.spi.AbstractLoginModule
    public boolean commit() throws LoginException {
        if (this.conn != null && this.conn.isOpen()) {
            this.conn.close();
        }
        return super.commit();
    }

    @Override // org.eclipse.jetty.jaas.spi.AbstractLoginModule
    public boolean abort() throws LoginException {
        if (this.conn != null && this.conn.isOpen()) {
            this.conn.close();
        }
        return super.abort();
    }

    private String getOption(Map<String, ?> map, String str, String str2) {
        Object obj = map.get(str);
        return obj == null ? str2 : (String) obj;
    }

    public static String convertCredentialLdapToJetty(String str) {
        return str == null ? str : "{MD5}".startsWith(str.toUpperCase(Locale.ENGLISH)) ? "MD5:" + str.substring("{MD5}".length(), str.length()) : "{CRYPT}".startsWith(str.toUpperCase(Locale.ENGLISH)) ? "CRYPT:" + str.substring("{CRYPT}".length(), str.length()) : str;
    }
}
