package id.onyx.obdp.server.security.authentication.pam;

import com.google.inject.Inject;
import id.onyx.obdp.server.OBDPException;
import id.onyx.obdp.server.configuration.Configuration;
import id.onyx.obdp.server.orm.DBAccessorImpl;
import id.onyx.obdp.server.orm.entities.GroupEntity;
import id.onyx.obdp.server.orm.entities.MemberEntity;
import id.onyx.obdp.server.orm.entities.UserAuthenticationEntity;
import id.onyx.obdp.server.orm.entities.UserEntity;
import id.onyx.obdp.server.security.ClientSecurityType;
import id.onyx.obdp.server.security.authentication.AccountDisabledException;
import id.onyx.obdp.server.security.authentication.AmbariAuthenticationException;
import id.onyx.obdp.server.security.authentication.AmbariAuthenticationProvider;
import id.onyx.obdp.server.security.authentication.InvalidUsernamePasswordCombinationException;
import id.onyx.obdp.server.security.authentication.OBDPUserAuthentication;
import id.onyx.obdp.server.security.authentication.OBDPUserDetailsImpl;
import id.onyx.obdp.server.security.authentication.TooManyLoginFailuresException;
import id.onyx.obdp.server.security.authorization.GroupType;
import id.onyx.obdp.server.security.authorization.UserAuthenticationType;
import id.onyx.obdp.server.security.authorization.Users;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import org.apache.commons.lang.StringUtils;
import org.jvnet.libpam.PAM;
import org.jvnet.libpam.PAMException;
import org.jvnet.libpam.UnixUser;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/* loaded from: input_file:id/onyx/obdp/server/security/authentication/pam/AmbariPamAuthenticationProvider.class */
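/**
 * Authentication provider that verifies a username/password pair through PAM (libpam4j).
 *
 * <p>On a successful PAM login the provider also keeps the local user store in step with the
 * operating system account: it creates a missing user record, attaches a PAM authentication
 * method to it, and (when automatic group creation is enabled) mirrors the account's Unix
 * groups into PAM-typed groups.
 *
 * <p>Security-relevant consequences of that design, all visible in this class:
 * <ul>
 *   <li>Any account the configured PAM service accepts gets a local user record on first login,
 *       so the PAM service configuration is what decides who can obtain an account here.</li>
 *   <li>PAM group membership is re-derived from the Unix account at each login when automatic
 *       group creation is enabled; group names are folded to lower case before comparison.</li>
 *   <li>Disabled/locked-out checks for existing users run only after PAM has accepted the
 *       password.</li>
 * </ul>
 */
public class AmbariPamAuthenticationProvider extends AmbariAuthenticationProvider {
    private static final Logger LOG = LoggerFactory.getLogger(AmbariPamAuthenticationProvider.class);
    private final PamAuthenticationFactory pamAuthenticationFactory;

    /**
     * Creates the provider.
     *
     * @param users user/group store handed to the superclass
     * @param pamAuthenticationFactory factory producing one {@link PAM} handle per login attempt
     * @param configuration server configuration handed to the superclass
     */
    @Inject
    public AmbariPamAuthenticationProvider(Users users, PamAuthenticationFactory pamAuthenticationFactory, Configuration configuration) {
        super(users, configuration);
        this.pamAuthenticationFactory = pamAuthenticationFactory;
    }

    /**
     * Authenticates the supplied credentials against PAM and returns an authenticated token.
     *
     * @param authentication the login request; its name is the requested username and its
     *     credentials the password
     * @return an authenticated {@link OBDPUserAuthentication}, or {@code null} when PAM is not the
     *     configured client security type (so another provider may handle the request)
     * @throws InvalidUsernamePasswordCombinationException when the username or password is
     *     missing, PAM rejects the credentials, or the account is disabled/locked and the
     *     configuration hides that state
     * @throws AccountDisabledException when the account is disabled and the configuration allows
     *     showing that to the caller
     * @throws TooManyLoginFailuresException when the account is locked out and the configuration
     *     allows showing that to the caller
     * @throws AmbariAuthenticationException when the user record or its PAM authentication method
     *     cannot be created
     */
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        if (!isPamEnabled()) {
            return null;
        }
        if (authentication.getName() == null) {
            LOG.info("Authentication failed: no username provided");
            // NOTE(review): this constant stands in for the (absent) username; it looks like a
            // decompiler substitution for a literal with the same value - confirm against the
            // original source before relying on the name.
            throw new InvalidUsernamePasswordCombinationException(Configuration.JDBC_IN_MEMORY_PASSWORD);
        }
        String requestedName = authentication.getName().trim();
        if (authentication.getCredentials() == null) {
            // NOTE(review): requestedName is caller-supplied and is written to the log as-is;
            // whether CR/LF in it is neutralised depends on the logging layout - verify.
            LOG.info("Authentication failed: no credentials provided: {}", requestedName);
            throw new InvalidUsernamePasswordCombinationException(requestedName);
        }

        Users users = getUsers();
        UserEntity userEntity = users.getUserEntity(requestedName);
        String password = String.valueOf(authentication.getCredentials());

        // userName is the name used for the local user record and in error reporting;
        // pamLoginName is the account name actually presented to PAM.
        String userName;
        String pamLoginName;
        if (userEntity == null) {
            userName = requestedName;
            pamLoginName = requestedName;
        } else {
            UserAuthenticationEntity pamEntry = getAuthenticationEntity(userEntity, UserAuthenticationType.PAM);
            userName = userEntity.getUserName();
            // Resolution order: stored PAM authentication key, then the user's local username,
            // then the user name itself.
            pamLoginName = (pamEntry == null) ? null : pamEntry.getAuthenticationKey();
            if (StringUtils.isEmpty(pamLoginName)) {
                pamLoginName = userEntity.getLocalUsername();
            }
            if (StringUtils.isEmpty(pamLoginName)) {
                pamLoginName = userName;
            }
        }

        UnixUser pamUser = performPAMAuthentication(userName, pamLoginName, password);
        if (pamUser == null) {
            LOG.debug("Authentication failed: password does not match stored value: {}", pamLoginName);
            throw new InvalidUsernamePasswordCombinationException(userName);
        }

        if (userEntity == null) {
            // First successful PAM login for this name: provision a local user record on the fly.
            try {
                userEntity = users.createUser(userName, pamUser.getUserName(), userName, true);
            } catch (OBDPException e) {
                LOG.error("Failed to add the user, {}: {}", userName, e.getLocalizedMessage(), e);
                throw new AmbariAuthenticationException(userName, "Unexpected error has occurred", false, e);
            }
        } else {
            try {
                users.validateLogin(userEntity, userName);
            } catch (AccountDisabledException | TooManyLoginFailuresException e) {
                if (getConfiguration().showLockedOutUserMessage()) {
                    throw e;
                }
                // Hide the disabled/locked state behind the generic failure so the response does
                // not reveal account status; the real cause is kept as the exception cause.
                throw new InvalidUsernamePasswordCombinationException(requestedName, false, e);
            }
        }

        if (getAuthenticationEntity(userEntity, UserAuthenticationType.PAM) == null) {
            try {
                users.addPamAuthentication(userEntity, pamUser.getUserName());
            } catch (OBDPException e) {
                LOG.error("Failed to add the PAM authentication method for {}: {}", userName, e.getLocalizedMessage(), e);
                throw new AmbariAuthenticationException(userName, "Unexpected error has occurred", false, e);
            }
        }

        if (isAutoGroupCreationAllowed()) {
            synchronizeGroups(pamUser, userEntity);
        }

        // NOTE(review): the clear-text password is handed to the returned authentication object;
        // whether it is retained or erased afterwards depends on OBDPUserAuthentication and its
        // callers, which are not visible here - confirm.
        return new OBDPUserAuthentication(password, new OBDPUserDetailsImpl(users.getUser(userEntity), null, users.getUserAuthorities(userEntity)), true);
    }

    /**
     * Runs one PAM authentication and always releases the PAM handle afterwards.
     *
     * @param userName the name used in log and exception reporting
     * @param pamLoginName the account name presented to PAM
     * @param password the password presented to PAM
     * @return the Unix account details returned by PAM
     * @throws InvalidUsernamePasswordCombinationException when PAM rejects the credentials
     * @throws AmbariAuthenticationException when no PAM handle could be created
     */
    private UnixUser performPAMAuthentication(String userName, String pamLoginName, String password) {
        PAM pam = this.pamAuthenticationFactory.createInstance(getConfiguration());
        if (pam == null) {
            LOG.error("Failed to authenticate the user using the PAM authentication method: unexpected error");
            throw new AmbariAuthenticationException(userName, "Failed to authenticate the user using the PAM authentication method: unexpected error", false);
        }
        if (LOG.isDebugEnabled() && !userName.equals(pamLoginName)) {
            LOG.debug("Authenticating Ambari user {} using the local username {}", userName, pamLoginName);
        }
        try {
            return pam.authenticate(pamLoginName, password);
        } catch (PAMException e) {
            LOG.debug("Authentication failed: password does not match stored value: {}", pamLoginName, e);
            throw new InvalidUsernamePasswordCombinationException(userName, true, e);
        } finally {
            // Release the PAM handle on every path, success or failure.
            pam.dispose();
        }
    }

    /**
     * Reports whether this provider can process the given authentication token type.
     *
     * @param cls the token class offered by the authentication framework
     * @return {@code true} for {@link UsernamePasswordAuthenticationToken} and its subclasses
     */
    public boolean supports(Class<?> cls) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(cls);
    }

    /** Returns {@code true} when the configured client security type is PAM. */
    private boolean isPamEnabled() {
        return getConfiguration().getClientSecurityType() == ClientSecurityType.PAM;
    }

    /**
     * Returns {@code true} when the configuration enables automatic PAM group creation.
     *
     * <p>The constant is the receiver of {@code equals} so that an unset (null) configuration
     * value is treated as "disabled" instead of failing the login with a NullPointerException.
     */
    private boolean isAutoGroupCreationAllowed() {
        return DBAccessorImpl.TRUE.equals(getConfiguration().getAutoGroupCreation());
    }

    /**
     * Mirrors the Unix groups of the authenticated account into PAM-typed groups: missing groups
     * are created, the user is added to every current group, and the user is removed from
     * PAM-typed groups the Unix account no longer belongs to.
     *
     * <p>Synchronisation is best-effort: a failure is logged and the login continues, which means
     * the user's PAM group memberships may be left out of date (including memberships that should
     * have been removed) until a later login succeeds in synchronising.
     *
     * @param unixUser the account details returned by PAM
     * @param userEntity the local user record to update
     */
    private void synchronizeGroups(UnixUser unixUser, UserEntity userEntity) {
        LOG.debug("Synchronizing groups for PAM user: {}", unixUser.getUserName());
        Users users = getUsers();
        try {
            Set<String> unixGroupNames = convertToLowercase(unixUser.getGroups());
            for (String groupName : unixGroupNames) {
                GroupEntity groupEntity = users.getGroupEntity(groupName, GroupType.PAM);
                if (groupEntity == null) {
                    LOG.info("Synchronizing groups for {}, adding new PAM group: {}", userEntity.getUserName(), groupName);
                    groupEntity = users.createGroup(groupName, GroupType.PAM);
                }
                if (!users.isUserInGroup(userEntity, groupEntity)) {
                    LOG.info("Synchronizing groups for {}, adding user to PAM group: {}", userEntity.getUserName(), groupName);
                    users.addMemberToGroup(groupEntity, userEntity);
                }
            }

            Set<MemberEntity> memberEntities = userEntity.getMemberEntities();
            if (memberEntities != null) {
                // Collect first, remove afterwards, so the membership set is not modified while
                // it is being iterated.
                List<GroupEntity> staleGroups = new ArrayList<>();
                for (MemberEntity member : memberEntities) {
                    GroupEntity group = member.getGroup();
                    // The stored group name is compared as-is against the lower-cased Unix names.
                    if (group.getGroupType() == GroupType.PAM && !unixGroupNames.contains(group.getGroupName())) {
                        staleGroups.add(group);
                    }
                }
                for (GroupEntity staleGroup : staleGroups) {
                    LOG.info("Synchronizing groups for {}, removing user from PAM group: {}", userEntity.getUserName(), staleGroup.getGroupName());
                    users.removeMemberFromGroup(staleGroup, userEntity);
                }
            }
        } catch (OBDPException e) {
            // Route the failure through the logger (not stderr) so it is visible to whoever
            // monitors authentication and authorization events.
            LOG.error("Failed to synchronize PAM groups for {}: {}", userEntity.getUserName(), e.getLocalizedMessage(), e);
        }
    }

    /**
     * Returns a new set holding the lower-cased form of every name in {@code set}.
     *
     * <p>{@link Locale#ROOT} is used so the folding does not depend on the JVM's default locale;
     * group names feed membership decisions and must map the same way on every host.
     *
     * @param set the names to convert; may be {@code null}
     * @return a mutable set of lower-cased names, empty when {@code set} is {@code null}
     */
    private Set<String> convertToLowercase(Set<String> set) {
        Set<String> lowered = new HashSet<>();
        if (set != null) {
            for (String name : set) {
                lowered.add(name.toLowerCase(Locale.ROOT));
            }
        }
        return lowered;
    }
}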
