package io.trino.plugin.password.ldap;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.CharMatcher;
import com.google.common.base.Preconditions;
import com.google.common.base.Throwables;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.collect.Iterables;
import com.google.common.util.concurrent.UncheckedExecutionException;
import com.google.inject.Inject;
import io.airlift.log.Logger;
import io.trino.collect.cache.NonKeyEvictableLoadingCache;
import io.trino.collect.cache.SafeCaches;
import io.trino.plugin.password.Credential;
import io.trino.spi.classloader.ThreadContextClassLoader;
import io.trino.spi.security.AccessDeniedException;
import io.trino.spi.security.BasicPrincipal;
import io.trino.spi.security.PasswordAuthenticator;
import java.security.Principal;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.naming.NamingException;

/* loaded from: input_file:io/trino/plugin/password/ldap/LdapAuthenticator.class */
public class LdapAuthenticator implements PasswordAuthenticator {
    private static final Logger log = Logger.get(LdapAuthenticator.class);
    private static final CharMatcher SPECIAL_CHARACTERS = CharMatcher.anyOf(",=+<>#;*()\"\\��");
    private static final CharMatcher WHITESPACE = CharMatcher.anyOf(" \r");
    private final LdapAuthenticatorClient client;
    private final List<String> userBindSearchPatterns;
    private final Optional<String> groupAuthorizationSearchPattern;
    private final Optional<String> userBaseDistinguishedName;
    private final Optional<String> bindDistinguishedName;
    private final Optional<String> bindPassword;
    private final NonKeyEvictableLoadingCache<Credential, Principal> authenticationCache;

    @Inject
    public LdapAuthenticator(LdapAuthenticatorClient ldapAuthenticatorClient, LdapAuthenticatorConfig ldapAuthenticatorConfig) {
        this.client = (LdapAuthenticatorClient) Objects.requireNonNull(ldapAuthenticatorClient, "client is null");
        this.userBindSearchPatterns = ldapAuthenticatorConfig.getUserBindSearchPatterns();
        this.groupAuthorizationSearchPattern = Optional.ofNullable(ldapAuthenticatorConfig.getGroupAuthorizationSearchPattern());
        this.userBaseDistinguishedName = Optional.ofNullable(ldapAuthenticatorConfig.getUserBaseDistinguishedName());
        this.bindDistinguishedName = Optional.ofNullable(ldapAuthenticatorConfig.getBindDistingushedName());
        this.bindPassword = Optional.ofNullable(ldapAuthenticatorConfig.getBindPassword());
        Preconditions.checkArgument(this.groupAuthorizationSearchPattern.isEmpty() || this.userBaseDistinguishedName.isPresent(), "Base distinguished name (DN) for user must be provided");
        Preconditions.checkArgument(this.bindDistinguishedName.isPresent() == this.bindPassword.isPresent(), "Both bind distinguished name and bind password must be provided together");
        Preconditions.checkArgument(this.bindDistinguishedName.isEmpty() || this.groupAuthorizationSearchPattern.isPresent(), "Group authorization search pattern must be provided when bind distinguished name is used");
        Preconditions.checkArgument(this.bindDistinguishedName.isPresent() || !this.userBindSearchPatterns.isEmpty(), "Either user bind search pattern or bind distinguished name must be provided");
        this.authenticationCache = SafeCaches.buildNonEvictableCacheWithWeakInvalidateAll(CacheBuilder.newBuilder().expireAfterWrite(ldapAuthenticatorConfig.getLdapCacheTtl().toMillis(), TimeUnit.MILLISECONDS), CacheLoader.from(this.bindDistinguishedName.isPresent() ? this::authenticateWithBindDistinguishedName : this::authenticateWithUserBind));
    }

    @VisibleForTesting
    void invalidateCache() {
        this.authenticationCache.invalidateAll();
    }

    public Principal createAuthenticatedPrincipal(String str, String str2) {
        try {
            ThreadContextClassLoader threadContextClassLoader = new ThreadContextClassLoader(getClass().getClassLoader());
            try {
                Principal principal = (Principal) this.authenticationCache.getUnchecked(new Credential(str, str2));
                threadContextClassLoader.close();
                return principal;
            } finally {
            }
        } catch (UncheckedExecutionException e) {
            Throwables.throwIfInstanceOf(e.getCause(), AccessDeniedException.class);
            throw e;
        }
    }

    private Principal authenticateWithUserBind(Credential credential) {
        String user = credential.getUser();
        if (containsSpecialCharacters(user)) {
            throw new AccessDeniedException("Username contains a special LDAP character");
        }
        NamingException runtimeException = new RuntimeException();
        Iterator<String> it = this.userBindSearchPatterns.iterator();
        while (it.hasNext()) {
            try {
                String replaceUser = replaceUser(it.next(), user);
                if (!this.groupAuthorizationSearchPattern.isPresent()) {
                    this.client.validatePassword(replaceUser, credential.getPassword());
                } else if (!this.client.isGroupMember(this.userBaseDistinguishedName.orElseThrow(), replaceUser(this.groupAuthorizationSearchPattern.get(), user), replaceUser, credential.getPassword())) {
                    String format = String.format("User [%s] not a member of an authorized group", user);
                    log.debug("%s", new Object[]{format});
                    throw new AccessDeniedException(format);
                }
                log.debug("Authentication successful for user [%s]", new Object[]{user});
                return new BasicPrincipal(user);
            } catch (NamingException | AccessDeniedException e) {
                runtimeException = e;
            }
        }
        log.debug(runtimeException, "Authentication failed for user [%s], %s", new Object[]{user, runtimeException.getMessage()});
        if (runtimeException instanceof AccessDeniedException) {
            throw ((AccessDeniedException) runtimeException);
        }
        throw new RuntimeException("Authentication error");
    }

    private Principal authenticateWithBindDistinguishedName(Credential credential) {
        String user = credential.getUser();
        if (containsSpecialCharacters(user)) {
            throw new AccessDeniedException("Username contains a special LDAP character");
        }
        try {
            this.client.validatePassword(lookupUserDistinguishedName(user), credential.getPassword());
            log.debug("Authentication successful for user [%s]", new Object[]{user});
            return new BasicPrincipal(credential.getUser());
        } catch (NamingException e) {
            log.debug(e, "Authentication failed for user [%s], %s", new Object[]{user, e.getMessage()});
            throw new RuntimeException("Authentication error");
        }
    }

    @VisibleForTesting
    static boolean containsSpecialCharacters(String str) {
        if (WHITESPACE.indexIn(str) == 0 || WHITESPACE.lastIndexIn(str) == str.length() - 1) {
            return true;
        }
        return SPECIAL_CHARACTERS.matchesAnyOf(str);
    }

    private String lookupUserDistinguishedName(String str) throws NamingException {
        Set<String> lookupUserDistinguishedNames = this.client.lookupUserDistinguishedNames(this.userBaseDistinguishedName.orElseThrow(), replaceUser(this.groupAuthorizationSearchPattern.orElseThrow(), str), this.bindDistinguishedName.orElseThrow(), this.bindPassword.orElseThrow());
        if (lookupUserDistinguishedNames.isEmpty()) {
            String format = String.format("User [%s] not a member of an authorized group", str);
            log.debug("%s", new Object[]{format});
            throw new AccessDeniedException(format);
        }
        if (lookupUserDistinguishedNames.size() <= 1) {
            return (String) Iterables.getOnlyElement(lookupUserDistinguishedNames);
        }
        String format2 = String.format("Multiple group membership results for user [%s]: %s", str, lookupUserDistinguishedNames);
        log.debug("%s", new Object[]{format2});
        throw new AccessDeniedException(format2);
    }

    private static String replaceUser(String str, String str2) {
        return str.replace("${USER}", str2);
    }
}
