package com.instaclustr.cassandra.ldap.auth;

import com.google.common.collect.Lists;
import com.instaclustr.cassandra.ldap.User;
import com.instaclustr.cassandra.ldap.configuration.LdapAuthenticatorConfiguration;
import com.instaclustr.cassandra.ldap.exception.NoSuchCredentialsException;
import com.instaclustr.cassandra.ldap.exception.NoSuchRoleException;
import java.nio.ByteBuffer;
import org.apache.cassandra.config.Schema;
import org.apache.cassandra.cql3.QueryOptions;
import org.apache.cassandra.cql3.QueryProcessor;
import org.apache.cassandra.cql3.UntypedResultSet;
import org.apache.cassandra.cql3.statements.SelectStatement;
import org.apache.cassandra.db.ConsistencyLevel;
import org.apache.cassandra.exceptions.RequestExecutionException;
import org.apache.cassandra.service.ClientState;
import org.apache.cassandra.service.QueryState;
import org.apache.cassandra.transport.messages.ResultMessage;
import org.apache.cassandra.utils.ByteBufferUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/instaclustr/cassandra/ldap/auth/CassandraRolePasswordRetriever.class */
public class CassandraRolePasswordRetriever implements HashedPasswordRetriever {
    private static final Logger logger = LoggerFactory.getLogger(CassandraRolePasswordRetriever.class);
    private SelectStatement authenticateStatement = prepare(String.format("SELECT %s FROM %s.%s WHERE role = ?", SALTED_HASH, "system_auth", "roles"));
    public static final String LEGACY_CREDENTIALS_TABLE = "credentials";
    private SelectStatement legacyAuthenticateStatement;
    private static final String SALTED_HASH = "salted_hash";
    private final ClientState clientState;

    public CassandraRolePasswordRetriever(ClientState clientState) {
        this.clientState = clientState;
        if (Schema.instance.getCFMetaData("system_auth", LEGACY_CREDENTIALS_TABLE) != null) {
            prepareLegacyAuthenticateStatement();
        }
    }

    @Override // com.instaclustr.cassandra.ldap.auth.HashedPasswordRetriever
    public String retrieveHashedPassword(User user) {
        try {
            ResultMessage.Rows execute = authenticationStatement().execute(QueryState.forInternalCalls(), QueryOptions.forInternalCalls(consistencyForRole(user.getUsername()), Lists.newArrayList(new ByteBuffer[]{ByteBufferUtil.bytes(user.getUsername())})), System.nanoTime());
            if (execute.result.isEmpty()) {
                throw new NoSuchRoleException();
            }
            UntypedResultSet create = UntypedResultSet.create(execute.result);
            if (create.one().has(SALTED_HASH)) {
                return create.one().getString(SALTED_HASH);
            }
            throw new NoSuchCredentialsException();
        } catch (NoSuchCredentialsException e) {
            logger.trace(String.format("User %s does not have password in the Cassandra database.", user.getUsername()));
            throw e;
        } catch (NoSuchRoleException e2) {
            logger.trace(String.format("User %s does not exist in the Cassandra database.", user.getUsername()));
            throw e2;
        } catch (RequestExecutionException e3) {
            logger.trace("Error performing internal authentication", e3);
            throw e3;
        }
    }

    private SelectStatement authenticationStatement() {
        if (Schema.instance.getCFMetaData("system_auth", LEGACY_CREDENTIALS_TABLE) == null) {
            return this.authenticateStatement;
        }
        if (this.legacyAuthenticateStatement == null) {
            prepareLegacyAuthenticateStatement();
        }
        return this.legacyAuthenticateStatement;
    }

    private SelectStatement prepare(String str) {
        return QueryProcessor.getStatement(str, this.clientState).statement;
    }

    private void prepareLegacyAuthenticateStatement() {
        this.legacyAuthenticateStatement = prepare(String.format("SELECT %s from %s.%s WHERE username = ?", SALTED_HASH, "system_auth", LEGACY_CREDENTIALS_TABLE));
    }

    private ConsistencyLevel consistencyForRole(String str) {
        return str.equals(LdapAuthenticatorConfiguration.DEFAULT_SUPERUSER_NAME) ? ConsistencyLevel.QUORUM : ConsistencyLevel.LOCAL_ONE;
    }
}
