package org.apache.druid.security.basic.authentication.validator;

import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonTypeName;
import com.google.common.annotations.VisibleForTesting;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.locks.ReentrantLock;
import javax.annotation.Nullable;
import javax.naming.AuthenticationException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;
import org.apache.druid.java.util.common.StringUtils;
import org.apache.druid.java.util.common.logger.Logger;
import org.apache.druid.metadata.PasswordProvider;
import org.apache.druid.security.basic.BasicAuthLDAPConfig;
import org.apache.druid.security.basic.BasicAuthUtils;
import org.apache.druid.security.basic.BasicSecurityAuthenticationException;
import org.apache.druid.security.basic.BasicSecuritySSLSocketFactory;
import org.apache.druid.security.basic.authentication.LdapUserPrincipal;
import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials;
import org.apache.druid.server.security.AuthenticationResult;

@JsonTypeName("ldap")
/* loaded from: input_file:org/apache/druid/security/basic/authentication/validator/LDAPCredentialsValidator.class */
public class LDAPCredentialsValidator implements CredentialsValidator {
    private static final Logger LOG = new Logger(LDAPCredentialsValidator.class);
    private static final ReentrantLock LOCK = new ReentrantLock();
    private final LruBlockCache cache;
    private final BasicAuthLDAPConfig ldapConfig;

    @Nullable
    private final Properties overrideProperties;

    /* loaded from: input_file:org/apache/druid/security/basic/authentication/validator/LDAPCredentialsValidator$LruBlockCache.class */
    public static class LruBlockCache extends LinkedHashMap<String, LdapUserPrincipal> {
        private static final long serialVersionUID = 7509410739092012261L;
        private final int cacheSize;
        private final int duration;
        private final int maxDuration;

        public LruBlockCache(int i, int i2, int i3) {
            super(16, 0.75f, true);
            this.cacheSize = i;
            this.duration = i2;
            this.maxDuration = i3;
        }

        @Override // java.util.LinkedHashMap
        protected boolean removeEldestEntry(Map.Entry<String, LdapUserPrincipal> entry) {
            return size() > this.cacheSize;
        }

        @Nullable
        LdapUserPrincipal getOrExpire(String str) {
            try {
                LDAPCredentialsValidator.LOCK.lock();
                LdapUserPrincipal ldapUserPrincipal = get(str);
                if (ldapUserPrincipal == null) {
                    LDAPCredentialsValidator.LOCK.unlock();
                    return null;
                }
                if (!ldapUserPrincipal.isExpired(this.duration, this.maxDuration)) {
                    LDAPCredentialsValidator.LOCK.unlock();
                    return ldapUserPrincipal;
                }
                remove(str);
                LDAPCredentialsValidator.LOCK.unlock();
                return null;
            } catch (Throwable th) {
                LDAPCredentialsValidator.LOCK.unlock();
                throw th;
            }
        }

        @Override // java.util.HashMap, java.util.AbstractMap, java.util.Map
        public LdapUserPrincipal put(String str, LdapUserPrincipal ldapUserPrincipal) {
            try {
                LDAPCredentialsValidator.LOCK.lock();
                LdapUserPrincipal ldapUserPrincipal2 = (LdapUserPrincipal) super.put((LruBlockCache) str, (String) ldapUserPrincipal);
                LDAPCredentialsValidator.LOCK.unlock();
                return ldapUserPrincipal2;
            } catch (Throwable th) {
                LDAPCredentialsValidator.LOCK.unlock();
                throw th;
            }
        }
    }

    @JsonCreator
    public LDAPCredentialsValidator(@JsonProperty("url") String str, @JsonProperty("bindUser") String str2, @JsonProperty("bindPassword") PasswordProvider passwordProvider, @JsonProperty("baseDn") String str3, @JsonProperty("userSearch") String str4, @JsonProperty("userAttribute") String str5, @JsonProperty("credentialIterations") Integer num, @JsonProperty("credentialVerifyDuration") Integer num2, @JsonProperty("credentialMaxDuration") Integer num3, @JsonProperty("credentialCacheSize") Integer num4) {
        this.ldapConfig = new BasicAuthLDAPConfig(str, str2, passwordProvider, str3, str4, str5, num == null ? BasicAuthUtils.DEFAULT_KEY_ITERATIONS : num.intValue(), Integer.valueOf(num2 == null ? BasicAuthUtils.DEFAULT_CREDENTIAL_VERIFY_DURATION_SECONDS : num2.intValue()), Integer.valueOf(num3 == null ? BasicAuthUtils.DEFAULT_CREDENTIAL_MAX_DURATION_SECONDS : num3.intValue()), Integer.valueOf(num4 == null ? 100 : num4.intValue()));
        this.cache = new LruBlockCache(this.ldapConfig.getCredentialCacheSize().intValue(), this.ldapConfig.getCredentialVerifyDuration().intValue(), this.ldapConfig.getCredentialMaxDuration().intValue());
        this.overrideProperties = null;
    }

    @VisibleForTesting
    public LDAPCredentialsValidator(BasicAuthLDAPConfig basicAuthLDAPConfig, LruBlockCache lruBlockCache, Properties properties) {
        this.ldapConfig = basicAuthLDAPConfig;
        this.cache = lruBlockCache;
        this.overrideProperties = properties;
    }

    Properties bindProperties(BasicAuthLDAPConfig basicAuthLDAPConfig) {
        Properties commonProperties = commonProperties(basicAuthLDAPConfig);
        commonProperties.put("java.naming.security.principal", basicAuthLDAPConfig.getBindUser());
        commonProperties.put("java.naming.security.credentials", basicAuthLDAPConfig.getBindPassword().getPassword());
        return commonProperties;
    }

    Properties userProperties(BasicAuthLDAPConfig basicAuthLDAPConfig, LdapName ldapName, char[] cArr) {
        Properties commonProperties = commonProperties(basicAuthLDAPConfig);
        commonProperties.put("java.naming.security.principal", ldapName.toString());
        commonProperties.put("java.naming.security.credentials", String.valueOf(cArr));
        return commonProperties;
    }

    Properties commonProperties(BasicAuthLDAPConfig basicAuthLDAPConfig) {
        Properties properties = new Properties();
        properties.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        properties.put("java.naming.provider.url", basicAuthLDAPConfig.getUrl());
        properties.put("java.naming.security.authentication", "simple");
        if (StringUtils.toLowerCase(basicAuthLDAPConfig.getUrl()).startsWith("ldaps://")) {
            properties.put("java.naming.security.protocol", "ssl");
            properties.put("java.naming.ldap.factory.socket", BasicSecuritySSLSocketFactory.class.getName());
        }
        if (null != this.overrideProperties) {
            properties.putAll(this.overrideProperties);
        }
        return properties;
    }

    @Override // org.apache.druid.security.basic.authentication.validator.CredentialsValidator
    public AuthenticationResult validateCredentials(String str, String str2, String str3, char[] cArr) {
        HashMap hashMap = new HashMap();
        LdapUserPrincipal orExpire = this.cache.getOrExpire(str3);
        if (orExpire != null && orExpire.hasSameCredentials(cArr)) {
            hashMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, orExpire.getSearchResult());
            return new AuthenticationResult(str3, str2, str, hashMap);
        }
        ClassLoader contextClassLoader = Thread.currentThread().getContextClassLoader();
        try {
            try {
                Thread.currentThread().setContextClassLoader(getClass().getClassLoader());
                InitialDirContext initialDirContext = new InitialDirContext(bindProperties(this.ldapConfig));
                try {
                    SearchResult ldapUserObject = getLdapUserObject(this.ldapConfig, initialDirContext, str3);
                    if (ldapUserObject == null) {
                        LOG.debug("User not found: %s", new Object[]{str3});
                        Thread.currentThread().setContextClassLoader(contextClassLoader);
                        return null;
                    }
                    LdapName ldapName = new LdapName(ldapUserObject.getNameInNamespace());
                    try {
                        initialDirContext.close();
                    } catch (Exception e) {
                    }
                    Thread.currentThread().setContextClassLoader(contextClassLoader);
                    if (!validatePassword(this.ldapConfig, ldapName, cArr)) {
                        LOG.debug("Password incorrect for LDAP user %s", new Object[]{str3});
                        throw new BasicSecurityAuthenticationException("User LDAP authentication failed.", new Object[0]);
                    }
                    byte[] generateSalt = BasicAuthUtils.generateSalt();
                    this.cache.put(str3, new LdapUserPrincipal(str3, new BasicAuthenticatorCredentials(generateSalt, BasicAuthUtils.hashPassword(cArr, generateSalt, this.ldapConfig.getCredentialIterations()), this.ldapConfig.getCredentialIterations()), ldapUserObject));
                    hashMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, ldapUserObject);
                    return new AuthenticationResult(str3, str2, str, hashMap);
                } finally {
                    try {
                        initialDirContext.close();
                    } catch (Exception e2) {
                    }
                }
            } catch (NamingException e3) {
                LOG.error(e3, "Exception during user lookup", new Object[0]);
                Thread.currentThread().setContextClassLoader(contextClassLoader);
                return null;
            }
        } catch (Throwable th) {
            Thread.currentThread().setContextClassLoader(contextClassLoader);
            throw th;
        }
    }

    @Nullable
    SearchResult getLdapUserObject(BasicAuthLDAPConfig basicAuthLDAPConfig, DirContext dirContext, String str) {
        try {
            SearchControls searchControls = new SearchControls();
            searchControls.setSearchScope(2);
            searchControls.setReturningAttributes(new String[]{basicAuthLDAPConfig.getUserAttribute(), "memberOf"});
            NamingEnumeration search = dirContext.search(basicAuthLDAPConfig.getBaseDn(), StringUtils.format(basicAuthLDAPConfig.getUserSearch(), new Object[]{encodeForLDAP(str, true)}), searchControls);
            try {
                if (!search.hasMore()) {
                    return null;
                }
                SearchResult searchResult = (SearchResult) search.next();
                search.close();
                return searchResult;
            } finally {
                search.close();
            }
        } catch (NamingException e) {
            LOG.debug(e, "Unable to find user '%s'", new Object[]{str});
            return null;
        }
    }

    boolean validatePassword(BasicAuthLDAPConfig basicAuthLDAPConfig, LdapName ldapName, char[] cArr) {
        InitialDirContext initialDirContext = null;
        ClassLoader contextClassLoader = Thread.currentThread().getContextClassLoader();
        try {
            try {
                Thread.currentThread().setContextClassLoader(getClass().getClassLoader());
                initialDirContext = new InitialDirContext(userProperties(basicAuthLDAPConfig, ldapName, cArr));
                if (initialDirContext != null) {
                    try {
                        initialDirContext.close();
                    } catch (Exception e) {
                        LOG.warn("Exception closing LDAP context", new Object[0]);
                    }
                }
                Thread.currentThread().setContextClassLoader(contextClassLoader);
                return true;
            } catch (Throwable th) {
                if (initialDirContext != null) {
                    try {
                        initialDirContext.close();
                    } catch (Exception e2) {
                        LOG.warn("Exception closing LDAP context", new Object[0]);
                        Thread.currentThread().setContextClassLoader(contextClassLoader);
                        throw th;
                    }
                }
                Thread.currentThread().setContextClassLoader(contextClassLoader);
                throw th;
            }
        } catch (AuthenticationException e3) {
            if (initialDirContext != null) {
                try {
                    initialDirContext.close();
                } catch (Exception e4) {
                    LOG.warn("Exception closing LDAP context", new Object[0]);
                    Thread.currentThread().setContextClassLoader(contextClassLoader);
                    return false;
                }
            }
            Thread.currentThread().setContextClassLoader(contextClassLoader);
            return false;
        } catch (NamingException e5) {
            LOG.error(e5, "Exception during LDAP authentication username[%s]", new Object[]{ldapName.toString()});
            if (initialDirContext != null) {
                try {
                    initialDirContext.close();
                } catch (Exception e6) {
                    LOG.warn("Exception closing LDAP context", new Object[0]);
                    Thread.currentThread().setContextClassLoader(contextClassLoader);
                    return false;
                }
            }
            Thread.currentThread().setContextClassLoader(contextClassLoader);
            return false;
        }
    }

    public static String encodeForLDAP(String str, boolean z) {
        if (str == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < str.length(); i++) {
            char charAt = str.charAt(i);
            switch (charAt) {
                case 0:
                    sb.append("\\00");
                    break;
                case '(':
                    sb.append("\\28");
                    break;
                case ')':
                    sb.append("\\29");
                    break;
                case '*':
                    if (z) {
                        sb.append("\\2a");
                        break;
                    } else {
                        sb.append(charAt);
                        break;
                    }
                case '/':
                    sb.append("\\2f");
                    break;
                case '\\':
                    sb.append("\\5c");
                    break;
                default:
                    sb.append(charAt);
                    break;
            }
        }
        return sb.toString();
    }
}
