package id.onyx.obdp.server.security.authentication.kerberos;

import com.google.inject.Provider;
import id.onyx.obdp.server.configuration.Configuration;
import id.onyx.obdp.server.orm.entities.GroupEntity;
import id.onyx.obdp.server.orm.entities.MemberEntity;
import id.onyx.obdp.server.orm.entities.UserEntity;
import id.onyx.obdp.server.security.authentication.AccountDisabledException;
import id.onyx.obdp.server.security.authentication.InvalidUsernamePasswordCombinationException;
import id.onyx.obdp.server.security.authentication.OBDPUserDetailsImpl;
import id.onyx.obdp.server.security.authentication.TooManyLoginFailuresException;
import id.onyx.obdp.server.security.authentication.tproxy.AmbariTProxyConfiguration;
import id.onyx.obdp.server.security.authentication.tproxy.TrustedProxyAuthenticationDetails;
import id.onyx.obdp.server.security.authentication.tproxy.TrustedProxyAuthenticationNotAllowedException;
import id.onyx.obdp.server.security.authorization.User;
import id.onyx.obdp.server.security.authorization.Users;
import jakarta.inject.Inject;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.Iterator;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;

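@Component
/* loaded from: input_file:id/onyx/obdp/server/security/authentication/kerberos/OBDPProxiedUserDetailsService.class */
/**
 * Resolves the {@link UserDetails} of a user that a trusted proxy is acting on behalf of.
 *
 * <p>A proxied login is granted only when every one of these checks passes, in order:
 * trusted-proxy support is enabled; the request's remote address matches the proxy user's
 * allowed-hosts list; the proxied user name matches the allowed-users list; the proxied user
 * has an account; and that account belongs to a group on the allowed-groups list. Every
 * check fails closed: an empty or unparsable allow-list entry never grants access.
 *
 * <p>Allow-lists are comma-separated. Host entries may be an IPv4 literal, an IPv4 CIDR block
 * or a host name (which is resolved via DNS and compared to the remote address). The single
 * entry {@code *} matches anything.
 */
public class OBDPProxiedUserDetailsService implements UserDetailsService {
    private static final Logger LOG = LoggerFactory.getLogger(OBDPProxiedUserDetailsService.class);

    /** Dotted-quad IPv4 literal, e.g. {@code 10.1.2.3}. */
    private static final Pattern IP_ADDRESS_PATTERN = Pattern.compile("^(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}$");

    /**
     * IPv4 CIDR block, e.g. {@code 10.1.0.0/16}; group 1 is the network address, group 2 the
     * prefix length. The regex only bounds the prefix to two digits, so the numeric range
     * (0..32) is enforced in {@link #isInIpAddressRange(String, String)}.
     */
    private static final Pattern IP_ADDRESS_RANGE_PATTERN = Pattern.compile("^((?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3})/(\\d{1,2})$");

    /** Separator of allow-list entries; whitespace around the comma is absorbed. */
    private static final String LIST_SEPARATOR = "\\s*,\\s*";

    /** Allow-list entry that matches any value. */
    private static final String WILDCARD = "*";

    @Inject
    private Provider<AmbariTProxyConfiguration> obdpTProxyConfigurationProvider;
    private final Configuration configuration;
    private final Users users;

    /**
     * @param configuration server configuration (used to decide how much to reveal about locked accounts)
     * @param users         user store used to look up and validate the proxied account
     */
    OBDPProxiedUserDetailsService(Configuration configuration, Users users) {
        this.configuration = configuration;
        this.users = users;
    }

    /**
     * {@inheritDoc}
     *
     * <p>Without trusted-proxy details this always fails: the proxied lookup requires them and
     * throws {@link TrustedProxyAuthenticationNotAllowedException} when they are absent.
     */
    @Override
    public UserDetails loadUserByUsername(String proxiedUserName) throws UsernameNotFoundException {
        return loadProxiedUser(proxiedUserName, null, null);
    }

    /**
     * Loads the proxied user after verifying that the proxy is allowed to act for it.
     *
     * @param proxiedUserName                  the user the proxy wants to act as
     * @param proxyUserName                    the authenticated proxy user
     * @param trustedProxyAuthenticationDetails request details, supplying the remote address
     * @return the proxied user's details
     * @throws UsernameNotFoundException                   if no proxied user name was given or no account exists for it
     * @throws TrustedProxyAuthenticationNotAllowedException if details are missing, trusted proxy
     *                                                     support is disabled, or the host, user or group check fails
     * @throws AuthenticationException                     if the proxied account cannot log in (see {@link #createUserDetails(UserEntity)})
     */
    public UserDetails loadProxiedUser(String proxiedUserName, String proxyUserName, TrustedProxyAuthenticationDetails trustedProxyAuthenticationDetails) throws AuthenticationException {
        LOG.info("Proxy user {} specified {} as proxied user.", proxyUserName, proxiedUserName);
        if (StringUtils.isEmpty(proxiedUserName)) {
            LOG.warn("No proxied username was specified.");
            throw new UsernameNotFoundException("No proxied username was specified.");
        }
        if (trustedProxyAuthenticationDetails == null) {
            LOG.warn("Trusted proxy details have not been provided.");
            throw new TrustedProxyAuthenticationNotAllowedException("Trusted proxy details have not been provided.");
        }
        AmbariTProxyConfiguration tproxyConfiguration = this.obdpTProxyConfigurationProvider.get();
        if (!tproxyConfiguration.isEnabled()) {
            LOG.warn("Trusted proxy support is not enabled.");
            throw new TrustedProxyAuthenticationNotAllowedException("Trusted proxy support is not enabled.");
        }
        if (!validateHost(tproxyConfiguration, proxyUserName, trustedProxyAuthenticationDetails.getRemoteAddress())) {
            String message = String.format("Trusted proxy is not allowed for %s -> %s: host match not found.", proxyUserName, proxiedUserName);
            LOG.warn(message);
            throw new TrustedProxyAuthenticationNotAllowedException(message);
        }
        if (!validateUser(tproxyConfiguration, proxyUserName, proxiedUserName)) {
            String message = String.format("Trusted proxy is not allowed for %s -> %s: user match not found.", proxyUserName, proxiedUserName);
            LOG.warn(message);
            throw new TrustedProxyAuthenticationNotAllowedException(message);
        }
        UserEntity userEntity = this.users.getUserEntity(proxiedUserName);
        if (userEntity == null) {
            String message = String.format("Failed to find an account for the proxied user, %s.", proxiedUserName);
            LOG.warn(message);
            throw new UsernameNotFoundException(message);
        }
        if (!validateGroup(tproxyConfiguration, proxyUserName, userEntity)) {
            String message = String.format("Trusted proxy is not allowed for %s -> %s: group match not found.", proxyUserName, proxiedUserName);
            LOG.warn(message);
            throw new TrustedProxyAuthenticationNotAllowedException(message);
        }
        return createUserDetails(userEntity);
    }

    /**
     * Splits a comma-separated allow-list into trimmed, lower-cased entries.
     *
     * <p>Blank entries (e.g. from a trailing comma) are dropped: an empty host entry would
     * otherwise reach {@code InetAddress.getByName("")}, which resolves to the loopback address
     * and would silently allow local callers.
     *
     * @param allowList raw configuration value, may be null or empty
     * @return the entries, never null; empty when nothing usable was configured
     */
    private static Set<String> parseAllowList(String allowList) {
        if (StringUtils.isEmpty(allowList)) {
            return Set.of();
        }
        return Arrays.stream(allowList.split(LIST_SEPARATOR))
                .map(entry -> entry.trim().toLowerCase(Locale.ROOT))
                .filter(entry -> !entry.isEmpty())
                .collect(Collectors.toSet());
    }

    /**
     * Checks that the proxied account belongs to one of the groups the proxy user may act for.
     *
     * @param tproxyConfiguration trusted-proxy configuration
     * @param proxyUserName       the proxy user whose allowed-groups list applies
     * @param userEntity          the proxied account; its memberships are compared case-insensitively
     * @return true if the list contains {@code *} or one of the account's group names
     */
    boolean validateGroup(AmbariTProxyConfiguration tproxyConfiguration, String proxyUserName, UserEntity userEntity) {
        Set<String> allowedGroups = parseAllowList(tproxyConfiguration.getAllowedGroups(proxyUserName));
        if (allowedGroups.isEmpty()) {
            return false;
        }
        if (allowedGroups.contains(WILDCARD)) {
            return true;
        }
        Set<MemberEntity> memberEntities = userEntity.getMemberEntities();
        if (memberEntities == null) {
            return false;
        }
        for (MemberEntity member : memberEntities) {
            GroupEntity group = member.getGroup();
            if (group == null) {
                continue;
            }
            String groupName = group.getGroupName();
            if (StringUtils.isNotEmpty(groupName) && allowedGroups.contains(groupName.toLowerCase(Locale.ROOT))) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks that the proxy user may act as the given proxied user.
     *
     * @param tproxyConfiguration trusted-proxy configuration
     * @param proxyUserName       the proxy user whose allowed-users list applies
     * @param proxiedUserName     the requested user, compared case-insensitively
     * @return true if the list contains {@code *} or the proxied user name
     */
    boolean validateUser(AmbariTProxyConfiguration tproxyConfiguration, String proxyUserName, String proxiedUserName) {
        String allowedUsers = tproxyConfiguration.getAllowedUsers(proxyUserName);
        if (StringUtils.isEmpty(allowedUsers)) {
            return false;
        }
        for (String entry : allowedUsers.split(LIST_SEPARATOR)) {
            // Trim like the host and group lists do, so " *" or a padded name still matches.
            String candidate = entry.trim();
            if (candidate.isEmpty()) {
                continue;
            }
            if (WILDCARD.equals(candidate) || candidate.equalsIgnoreCase(proxiedUserName)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks that the request came from a host the proxy user is allowed to proxy from.
     *
     * @param tproxyConfiguration trusted-proxy configuration
     * @param proxyUserName       the proxy user whose allowed-hosts list applies
     * @param remoteAddress       the request's remote address, expected to be an IPv4 literal
     * @return true if the list contains {@code *} or an entry matching the remote address
     */
    boolean validateHost(AmbariTProxyConfiguration tproxyConfiguration, String proxyUserName, String remoteAddress) {
        Set<String> allowedHosts = parseAllowList(tproxyConfiguration.getAllowedHosts(proxyUserName));
        if (allowedHosts.isEmpty()) {
            return false;
        }
        if (allowedHosts.contains(WILDCARD)) {
            return true;
        }
        if (StringUtils.isBlank(remoteAddress)) {
            // Without a remote address nothing can be matched; also keeps a null address away
            // from InetAddress.getByName(null), which would resolve to loopback.
            LOG.warn("No remote address available for proxy user {}; host match not possible.", proxyUserName);
            return false;
        }
        for (String allowedHost : allowedHosts) {
            boolean matched;
            if (isIPAddress(allowedHost)) {
                matched = allowedHost.equals(remoteAddress);
            } else if (isIPAddressRange(allowedHost)) {
                matched = isInIpAddressRange(allowedHost, remoteAddress);
            } else {
                matched = matchesHostname(allowedHost, remoteAddress);
            }
            if (matched) {
                return true;
            }
        }
        return false;
    }

    /**
     * Resolves a configured host name and compares its address with the remote address.
     *
     * <p>Only the first address the resolver returns is compared (see {@link #getIpAddress(String)});
     * a multi-homed host may therefore not match on every address it owns.
     *
     * @param allowedHostname host name from the allowed-hosts list
     * @param remoteAddress   the request's remote address
     * @return true on an exact textual match of the resolved address; false on any resolution failure
     */
    boolean matchesHostname(String allowedHostname, String remoteAddress) {
        try {
            String resolvedAddress = getIpAddress(allowedHostname);
            return StringUtils.isNotEmpty(resolvedAddress) && resolvedAddress.equals(remoteAddress);
        } catch (Exception e) {
            // Fail closed on any resolution problem; Errors are deliberately not swallowed.
            LOG.warn("Invalid hostname in host specification, skipping: {}", allowedHostname, e);
            return false;
        }
    }

    /**
     * Resolves a host name to the textual form of its first address.
     *
     * @param hostname host name or IP literal; blank input yields null rather than the loopback
     *                 address that {@link InetAddress#getByName(String)} returns for it
     * @return the resolved address, or null if none
     * @throws UnknownHostException if the name cannot be resolved
     */
    String getIpAddress(String hostname) throws UnknownHostException {
        if (StringUtils.isBlank(hostname)) {
            return null;
        }
        InetAddress address = InetAddress.getByName(hostname);
        return (address == null) ? null : address.getHostAddress();
    }

    /**
     * Tests whether an IPv4 address lies inside a CIDR block.
     *
     * @param cidr          block in {@code a.b.c.d/n} form, with {@code 0 <= n <= 32}
     * @param remoteAddress the address to test, as an IPv4 literal
     * @return true if the address is inside the block; false if the block is malformed, the
     *         prefix is out of range, or either address is not IPv4
     */
    boolean isInIpAddressRange(String cidr, String remoteAddress) {
        Matcher matcher = IP_ADDRESS_RANGE_PATTERN.matcher(cidr);
        if (!matcher.matches()) {
            return false;
        }
        try {
            int prefixLength = Integer.parseInt(matcher.group(2));
            if (prefixLength > 32) {
                // The regex admits /33../99; Java masks shift distances mod 32, so such a prefix
                // would silently become a much wider block instead of being rejected.
                LOG.warn("Invalid CIDR prefix length in host specification, skipping: {}", cidr);
                return false;
            }
            // /0 must yield an all-zero mask; -1 << 32 would be -1 because of shift masking.
            int mask = (prefixLength == 0) ? 0 : (-1 << (32 - prefixLength));
            int network = ipAddressToInt(matcher.group(1));
            int remote = ipAddressToInt(remoteAddress);
            return (network & mask) == (remote & mask);
        } catch (Exception e) {
            LOG.warn("Invalid CIDR in host specification, skipping: {}", cidr, e);
            return false;
        }
    }

    /**
     * Packs an IPv4 literal into a big-endian int.
     *
     * @param ipAddress IPv4 literal (a host name would be resolved via DNS, which callers avoid)
     * @return the packed address
     * @throws UnknownHostException if the input is blank, unresolvable, or not a 4-byte address
     *                              (an IPv6 address must not be truncated to its first four bytes)
     */
    private int ipAddressToInt(String ipAddress) throws UnknownHostException {
        if (StringUtils.isBlank(ipAddress)) {
            // getByName(null/"") returns loopback; an absent address must never match a range.
            throw new UnknownHostException("No IP address given");
        }
        byte[] octets = InetAddress.getByName(ipAddress).getAddress();
        if (octets.length != 4) {
            throw new UnknownHostException("Not an IPv4 address: " + ipAddress);
        }
        return ((octets[0] & 0xFF) << 24)
                | ((octets[1] & 0xFF) << 16)
                | ((octets[2] & 0xFF) << 8)
                | (octets[3] & 0xFF);
    }

    /** @return true if the entry is syntactically an IPv4 CIDR block. */
    private boolean isIPAddressRange(String entry) {
        return IP_ADDRESS_RANGE_PATTERN.matcher(entry).matches();
    }

    /** @return true if the entry is syntactically an IPv4 literal. */
    private boolean isIPAddress(String entry) {
        return IP_ADDRESS_PATTERN.matcher(entry).matches();
    }

    /**
     * Builds the user details after confirming the account may log in.
     *
     * <p>A disabled or locked-out account is reported as such only when the configuration
     * allows it; otherwise the failure is folded into a generic credentials error so the
     * account state is not disclosed.
     *
     * @param userEntity the proxied account
     * @return details carrying the user's authorities and no credentials
     */
    private UserDetails createUserDetails(UserEntity userEntity) {
        String userName = userEntity.getUserName();
        try {
            this.users.validateLogin(userEntity, userName);
            return new OBDPUserDetailsImpl(new User(userEntity), null, this.users.getUserAuthorities(userEntity));
        } catch (AccountDisabledException | TooManyLoginFailuresException e) {
            if (this.configuration.showLockedOutUserMessage()) {
                throw e;
            }
            throw new InvalidUsernamePasswordCombinationException(userName, false, e);
        }
    }
}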
