package com.instaclustr.cassandra.ldap;

import com.google.common.util.concurrent.UncheckedExecutionException;
import com.instaclustr.cassandra.ldap.auth.CassandraRolePasswordRetriever;
import com.instaclustr.cassandra.ldap.auth.LDAPServer;
import com.instaclustr.cassandra.ldap.cache.CredentialsCache;
import com.instaclustr.cassandra.ldap.cache.CredentialsCacheLoadingFunction;
import com.instaclustr.cassandra.ldap.cassandra.SystemAuthRolesHelper;
import com.instaclustr.cassandra.ldap.configuration.LdapAuthenticatorConfiguration;
import com.instaclustr.cassandra.ldap.exception.LDAPAuthFailedException;
import com.instaclustr.cassandra.ldap.hash.HasherImpl;
import java.net.InetAddress;
import java.util.Collections;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.function.Function;
import org.apache.cassandra.auth.AuthenticatedUser;
import org.apache.cassandra.auth.CassandraAuthorizer;
import org.apache.cassandra.auth.IAuthenticator;
import org.apache.cassandra.auth.IResource;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.exceptions.AuthenticationException;
import org.apache.cassandra.exceptions.ConfigurationException;
import org.apache.cassandra.service.ClientState;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/instaclustr/cassandra/ldap/LDAPAuthenticator.class */
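/**
 * Cassandra {@link IAuthenticator} that resolves credentials either from the directory
 * ({@link LDAPServer}) or from roles stored in Cassandra ({@link CassandraRolePasswordRetriever}).
 *
 * <p>Hashed passwords are obtained through a {@link CredentialsCache} whose loader is built in
 * {@link #setup()} from the two retrievers; whether results are actually cached is governed by the
 * {@code CASSANDRA_AUTH_CACHE_ENABLED_PROP} property. The supplied password is checked against the
 * stored hash with {@link HasherImpl#checkPasswords}.
 *
 * <p>Security note: every path of {@link #authenticate(String, String)} that returns an
 * {@link AuthenticatedUser} must have compared the supplied password against a stored hash. A cache
 * reload on its own proves nothing for users whose hash comes from Cassandra, because that retriever
 * presumably only fetches the stored hash and never binds with the password (inferred from its name;
 * the loader is not visible here).
 *
 * <p>Requires {@link CassandraAuthorizer} (or a subclass) as the configured authorizer, see
 * {@link #setup()}.
 */
public class LDAPAuthenticator implements IAuthenticator {
    private static final Logger logger = LoggerFactory.getLogger(LDAPAuthenticator.class);

    /** Parsed plugin configuration; populated by {@link #validateConfiguration()}. */
    private Properties properties;
    private SystemAuthRolesHelper systemAuthRolesHelper;
    private HasherImpl hashUtils;
    /** Username -> hashed password lookup, wired in {@link #setup()}. */
    private CredentialsCache cache;

    /** Always {@code true}: anonymous access is never allowed by this authenticator. */
    public boolean requireAuthentication() {
        return true;
    }

    /**
     * No resource is marked as protected. NOTE(review): Cassandra's own PasswordAuthenticator protects
     * its credential table; here system_auth.roles is governed only by ordinary permissions - confirm
     * this is intended.
     */
    public Set<? extends IResource> protectedResources() {
        return Collections.emptySet();
    }

    /**
     * Parses the plugin configuration into {@link #properties}.
     *
     * @throws ConfigurationException if the configuration cannot be parsed
     */
    public void validateConfiguration() throws ConfigurationException {
        this.properties = new LdapAuthenticatorConfiguration().parseProperties();
    }

    /**
     * Initialises helpers, verifies the configured authorizer, connects to the LDAP server and wires
     * the credentials cache. A failure to reach the directory is only logged, so the node still comes
     * up and can authenticate roles stored in Cassandra.
     *
     * @throws ConfigurationException if the configured authorizer is not a {@link CassandraAuthorizer}
     */
    public void setup() {
        Class<?> authorizerClass = DatabaseDescriptor.getAuthorizer().getClass();
        if (!CassandraAuthorizer.class.isAssignableFrom(authorizerClass)) {
            throw new ConfigurationException(String.format("%s only works with %s",
                LDAPAuthenticator.class.getCanonicalName(), CassandraAuthorizer.class.getCanonicalName()));
        }

        ClientState internalState = ClientState.forInternalCalls();
        this.hashUtils = new HasherImpl();
        this.systemAuthRolesHelper = new SystemAuthRolesHelper(internalState, this.properties);
        // system_auth must be readable before any role lookups below.
        this.systemAuthRolesHelper.waitUntilCassandraRoleIsInitialised();
        // Internal role management runs as the default superuser.
        internalState.login(new AuthenticatedUser(LdapAuthenticatorConfiguration.DEFAULT_SUPERUSER_NAME));

        LDAPServer ldapServer = new LDAPServer(internalState, this.hashUtils, this.properties);
        try {
            ldapServer.setup();
            this.systemAuthRolesHelper.createServiceDNIfNotExist();
        } catch (ConfigurationException e) {
            // Best effort: keep the cause so operators can see why the directory is unreachable.
            logger.warn("Not possible to connect to LDAP server as user {}.",
                this.properties.getProperty(LdapAuthenticatorConfiguration.LDAP_DN), e);
        }

        CassandraRolePasswordRetriever roleRetriever = new CassandraRolePasswordRetriever(internalState);
        boolean cacheEnabled = Boolean.parseBoolean(
            this.properties.getProperty(LdapAuthenticatorConfiguration.CASSANDRA_AUTH_CACHE_ENABLED_PROP));
        this.cache = new CredentialsCache(
            new CredentialsCacheLoadingFunction(roleRetriever::retrieveHashedPassword, ldapServer::retrieveHashedPassword),
            cacheEnabled);
    }

    /**
     * Authenticates a user by name and password.
     *
     * <p>Flow: look up the stored hash for {@code str}; if the supplied password does not match, the
     * cache entry is invalidated and reloaded with the supplied credentials (the password may have
     * changed in the directory). The reloaded hash is then checked again - a reload alone is not
     * proof of a correct password. Users authenticated through the directory get a Cassandra role
     * created on first login.
     *
     * @param str  username
     * @param str2 plaintext password supplied by the client
     * @return the authenticated principal, named by the LDAP DN when one was resolved, else by username
     * @throws AuthenticationException if no credentials exist for the user, the password does not
     *         match, or the directory rejected the bind
     * @throws SecurityException       if the credential lookup itself failed
     */
    public AuthenticatedUser authenticate(String str, String str2) throws AuthenticationException {
        try {
            User user = new User(str, str2);
            String storedHash = (String) this.cache.get(user);
            if (storedHash == null) {
                // Fail closed: no credential record means no principal. Returning null here would
                // hand a null user to the caller (Cassandra's login path does not accept one).
                logger.warn("Failed login for {}, no credentials found", str);
                throw new AuthenticationException(String.format("Failed to authenticate user %s", str));
            }

            if (!this.hashUtils.checkPasswords(str2, storedHash)) {
                // Mismatch against the cached hash: drop the entry and reload with the supplied
                // credentials, which re-binds for directory users and re-reads the stored hash for
                // Cassandra roles.
                this.cache.invalidate(user);
                storedHash = (String) this.cache.get(user);
                // The reload must be re-verified. For Cassandra roles the loader returns the stored
                // hash without ever checking the password, so skipping this comparison would accept
                // any password for such a role.
                if (storedHash == null || !this.hashUtils.checkPasswords(str2, storedHash)) {
                    logger.warn("Failed login for {}, password mismatch", str);
                    throw new AuthenticationException(String.format("Failed to authenticate user %s", str));
                }
            }

            String ldapDn = user.getLdapDN();
            String serviceDn = this.properties.getProperty(LdapAuthenticatorConfiguration.LDAP_DN);
            if (ldapDn != null) {
                if (ldapDn.equals(serviceDn)) {
                    this.systemAuthRolesHelper.createServiceDNIfNotExist();
                } else if (!this.systemAuthRolesHelper.roleExists(ldapDn)) {
                    logger.info("DN {} doesn't exist in {}.{}, creating new user", new Object[]{ldapDn, "system_auth", "roles"});
                    this.systemAuthRolesHelper.createRole(ldapDn);
                }
            }
            return new AuthenticatedUser(ldapDn == null ? user.getUsername() : ldapDn);
        } catch (LDAPAuthFailedException | ExecutionException e) {
            throw new SecurityException(String.format("Could not authenticate to the LDAP directory: %s", e.getMessage()), e);
        } catch (UncheckedExecutionException e2) {
            if (!(e2.getCause() instanceof LDAPAuthFailedException)) {
                throw e2;
            }
            LDAPAuthFailedException authFailure = (LDAPAuthFailedException) e2.getCause();
            logger.warn("Failed login for {}, reason was {}", str, e2.getMessage());
            // NOTE(review): the directory's error text is echoed to an unauthenticated client; if it
            // distinguishes "no such user" from "bad password" it enables account enumeration.
            throw new AuthenticationException(String.format("Failed to authenticate with directory server, user may not exist: %s", authFailure.getMessage()));
        }
    }

    /** PLAIN SASL only; the negotiator hands the decoded username/password to {@link #authenticate}. */
    public IAuthenticator.SaslNegotiator newSaslNegotiator(InetAddress inetAddress) {
        return new PlainTextSaslAuthenticator(this);
    }

    /**
     * Map-based authentication for the legacy credentials API.
     *
     * @param map must contain {@code LDAP_DN} (username) and {@code PASSWORD_KEY}
     * @throws AuthenticationException if either key is missing or authentication fails
     */
    public AuthenticatedUser legacyAuthenticate(Map<String, String> map) throws AuthenticationException {
        String username = map.get(LdapAuthenticatorConfiguration.LDAP_DN);
        if (username == null) {
            throw new AuthenticationException(String.format("Required key '%s' is missing", LdapAuthenticatorConfiguration.LDAP_DN));
        }
        String password = map.get(LdapAuthenticatorConfiguration.PASSWORD_KEY);
        if (password == null) {
            throw new AuthenticationException(String.format("Required key '%s' is missing for provided username %s", LdapAuthenticatorConfiguration.PASSWORD_KEY, username));
        }
        return authenticate(username, password);
    }
}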
