package org.apache.cassandra.auth;

import com.google.common.util.concurrent.UncheckedExecutionException;
import com.google.common.util.concurrent.Uninterruptibles;
import com.instaclustr.cassandra.ldap.AbstractLDAPAuthenticator;
import com.instaclustr.cassandra.ldap.User;
import com.instaclustr.cassandra.ldap.auth.DefaultLDAPServer;
import com.instaclustr.cassandra.ldap.auth.LDAPPasswordRetriever;
import com.instaclustr.cassandra.ldap.auth.LegacyCassandraRolePasswordRetriever;
import com.instaclustr.cassandra.ldap.auth.LegacySystemAuthRoles;
import com.instaclustr.cassandra.ldap.cache.CredentialsLoadingFunction;
import com.instaclustr.cassandra.ldap.conf.LdapAuthenticatorConfiguration;
import com.instaclustr.cassandra.ldap.exception.LDAPAuthFailedException;
import com.instaclustr.cassandra.ldap.utils.ServiceUtils;
import java.util.concurrent.TimeUnit;
import java.util.function.Function;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.exceptions.AuthenticationException;
import org.apache.cassandra.exceptions.ConfigurationException;
import org.apache.cassandra.service.ClientState;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/cassandra/auth/LegacyCassandraLDAPAuthenticator.class */
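/**
 * LDAP-backed authenticator for legacy Cassandra that resolves the password hash of a login
 * through a {@link CredentialsLoadingFunction} built from a Cassandra role retriever and an
 * LDAP retriever.
 *
 * <p>{@link #setup()} must complete before {@link #authenticate(String, String)} is used; until
 * then {@code credentialsLoadingFunction} is {@code null}.
 */
public abstract class LegacyCassandraLDAPAuthenticator extends AbstractLDAPAuthenticator {
    private static final Logger logger = LoggerFactory.getLogger(LegacyCassandraLDAPAuthenticator.class);

    // Built at the end of setup(); maps a User to the hash its password is checked against.
    private CredentialsLoadingFunction credentialsLoadingFunction;

    /**
     * Initialises the internal client state, the role store and both password retrievers, then
     * blocks until the admin role exists and logs the internal client state in as that role.
     *
     * @throws ConfigurationException if the configured authorizer is not a {@link CassandraAuthorizer}
     */
    public void setup() {
        if (!CassandraAuthorizer.class.isAssignableFrom(DatabaseDescriptor.getAuthorizer().getClass())) {
            throw new ConfigurationException(String.format("%s only works with %s", LegacyCassandraLDAPAuthenticator.class.getCanonicalName(), CassandraAuthorizer.class.getCanonicalName()));
        }
        this.clientState = ClientState.forInternalCalls();
        this.systemAuthRoles = new LegacySystemAuthRoles();
        this.systemAuthRoles.setClientState(this.clientState);

        LegacyCassandraRolePasswordRetriever rolePasswordRetriever = new LegacyCassandraRolePasswordRetriever();
        rolePasswordRetriever.init(this.clientState);

        LDAPPasswordRetriever ldapPasswordRetriever = (LDAPPasswordRetriever) ServiceUtils.getService(LDAPPasswordRetriever.class, DefaultLDAPServer.class);
        try {
            ldapPasswordRetriever.init(this.clientState, hasher, this.properties);
        } catch (ConfigurationException e) {
            // Startup continues with an LDAP retriever whose init() failed.
            // NOTE(review): confirm that LDAP logins fail closed in that state.
            logger.warn(String.format("Not possible to connect to LDAP server as user %s.", this.properties.getProperty(LdapAuthenticatorConfiguration.LDAP_DN)), e);
        }

        // The admin role name is taken from a JVM system property and defaults to "cassandra".
        String adminUser = System.getProperty(LdapAuthenticatorConfiguration.CASSANDRA_LDAP_ADMIN_USER, "cassandra");

        // Poll until the admin role is present. There is no upper bound on the wait and the sleep
        // ignores interrupts, so setup() blocks for as long as the role is missing. An exception
        // thrown by hasAdminRole itself is not retried and propagates to the caller.
        while (!this.systemAuthRoles.hasAdminRole(adminUser)) {
            logger.debug("Waiting for {} role, sleeping for 5 seconds and trying again ...", adminUser);
            Uninterruptibles.sleepUninterruptibly(5L, TimeUnit.SECONDS);
        }

        // From here on the internal client state acts as the admin role.
        this.clientState.login(new AuthenticatedUser(adminUser));

        this.credentialsLoadingFunction = new CredentialsLoadingFunction(
                rolePasswordRetriever::retrieveHashedPassword,
                ldapPasswordRetriever::retrieveHashedPassword,
                this.properties.getProperty(LdapAuthenticatorConfiguration.NAMING_ATTRIBUTE_PROP));
        logger.info("{} was initialised", LegacyCassandraLDAPAuthenticator.class.getName());
    }

    /**
     * Authenticates a login and makes sure a matching Cassandra role exists for directory users.
     *
     * @param str the login name supplied by the client
     * @param str2 the plain-text password supplied by the client
     * @return the authenticated user, named by the LDAP DN when one was resolved and by the
     *     login name otherwise; {@code null} when no credentials could be loaded
     * @throws AuthenticationException if the password does not match, the directory rejects the
     *     login, or any other error occurs while authenticating
     */
    @Override // com.instaclustr.cassandra.ldap.AbstractLDAPAuthenticator
    public AuthenticatedUser authenticate(String str, String str2) {
        try {
            User user = new User(str, str2);
            String storedHash = this.credentialsLoadingFunction.apply(user);
            if (storedHash == null) {
                // NOTE(review): a null result is neither a success nor an AuthenticationException;
                // confirm that every caller treats it as a failed login.
                return null;
            }
            String ldapDn = user.getLdapDN();
            // The local hash comparison only decides the outcome for users without an LDAP DN.
            // NOTE(review): presumably a DN is set only after the directory accepted the
            // password; confirm, because a mismatch is not rejected here when a DN is present.
            if (!hasher.checkPasswords(str2, storedHash) && ldapDn == null) {
                throw new AuthenticationException("invalid username/password");
            }
            String username = ldapDn == null ? user.getUsername() : ldapDn;
            if (ldapDn != null) {
                this.systemAuthRoles.createRole(ldapDn, false);
            } else if (user.getUsername().startsWith(this.properties.getProperty(LdapAuthenticatorConfiguration.NAMING_ATTRIBUTE_PROP))) {
                this.systemAuthRoles.createRole(user.getUsername(), false);
            }
            return new AuthenticatedUser(username);
        } catch (UncheckedExecutionException e) {
            // This handler has to come before the generic Exception handler: as a subclass of
            // RuntimeException it would otherwise never be reached (and javac rejects that order).
            if (!(e.getCause() instanceof LDAPAuthFailedException)) {
                throw e;
            }
            LDAPAuthFailedException ldapFailure = (LDAPAuthFailedException) e.getCause();
            // str is client-supplied and is written to the log unmodified.
            logger.warn("Failed login for {}, reason was {}", str, e.getMessage());
            // NOTE(review): the directory's failure message and the "user may not exist" hint are
            // returned to the connecting client; consider a generic client-facing message.
            throw new AuthenticationException(String.format("Failed to authenticate with directory server, user may not exist: %s", ldapFailure.getMessage()));
        } catch (AuthenticationException e) {
            throw e;
        } catch (Exception e) {
            logger.error("ERROR", e);
            // NOTE(review): the internal exception message is echoed to the client; the full
            // detail is already in the server log above.
            throw new AuthenticationException(String.format("Could not authenticate: %s", e.getMessage()));
        }
    }
}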
