package keywhiz.auth.ldap;

import com.google.common.base.Strings;
import com.google.common.base.Throwables;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Sets;
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;
import io.dropwizard.auth.basic.BasicCredentials;
import io.dropwizard.java8.auth.Authenticator;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.Optional;
import java.util.Set;
import javax.ws.rs.ForbiddenException;
import keywhiz.auth.User;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:keywhiz/auth/ldap/LdapAuthenticator.class */
public class LdapAuthenticator implements Authenticator<BasicCredentials, User> {
    private static final Logger logger = LoggerFactory.getLogger(LdapAuthenticator.class);
    private final LdapConnectionFactory connectionFactory;
    private final LdapLookupConfig config;

    public LdapAuthenticator(LdapConnectionFactory ldapConnectionFactory, LdapLookupConfig ldapLookupConfig) {
        this.connectionFactory = ldapConnectionFactory;
        this.config = ldapLookupConfig;
    }

    @Override // io.dropwizard.java8.auth.Authenticator
    public Optional<User> authenticate(BasicCredentials basicCredentials) {
        String username;
        User user = null;
        try {
            username = basicCredentials.getUsername();
        } catch (LDAPException e) {
            if (e.getResultCode() != ResultCode.INVALID_CREDENTIALS) {
                logger.error("Error connecting to LDAP", (Throwable) e);
                throw Throwables.propagate(e);
            }
        }
        if (!User.isSanitizedUsername(username)) {
            logger.info("Username: {} must match pattern: {}", username, User.USERNAME_PATTERN);
            return Optional.empty();
        }
        String dnFromUsername = dnFromUsername(username);
        String password = basicCredentials.getPassword();
        if (Strings.isNullOrEmpty(password)) {
            logger.info("No password for user provided");
            return Optional.empty();
        }
        this.connectionFactory.getLDAPConnection(dnFromUsername, password).close();
        ImmutableSet<String> requiredRoles = this.config.getRequiredRoles();
        if (!requiredRoles.isEmpty()) {
            Set<String> rolesFromDN = rolesFromDN(dnFromUsername);
            boolean z = false;
            Iterator<String> it = requiredRoles.iterator();
            while (it.hasNext()) {
                if (rolesFromDN.contains(it.next())) {
                    z = true;
                }
            }
            if (!z) {
                logger.warn("User {} not in one of required LDAP roles: [{}].", username, requiredRoles);
                throw new ForbiddenException();
            }
        }
        user = User.named(username);
        return Optional.ofNullable(user);
    }

    private String dnFromUsername(String str) throws LDAPException {
        SearchRequest searchRequest = new SearchRequest(this.config.getUserBaseDN(), SearchScope.SUB, String.format("(%s=%s)", this.config.getUserAttribute(), str), new String[0]);
        LDAPConnection lDAPConnection = this.connectionFactory.getLDAPConnection();
        try {
            SearchResult search = lDAPConnection.search(searchRequest);
            if (search.getEntryCount() == 0) {
                throw new LDAPException(ResultCode.INVALID_CREDENTIALS);
            }
            String dn = search.getSearchEntries().get(0).getDN();
            lDAPConnection.close();
            return dn;
        } catch (Throwable th) {
            lDAPConnection.close();
            throw th;
        }
    }

    private Set<String> rolesFromDN(String str) throws LDAPException {
        SearchRequest searchRequest = new SearchRequest(this.config.getRoleBaseDN(), SearchScope.SUB, Filter.createEqualityFilter("uniqueMember", str), new String[0]);
        LinkedHashSet newLinkedHashSet = Sets.newLinkedHashSet();
        LDAPConnection lDAPConnection = this.connectionFactory.getLDAPConnection();
        try {
            for (SearchResultEntry searchResultEntry : lDAPConnection.search(searchRequest).getSearchEntries()) {
                RDN[] rDNs = new X500Name(searchResultEntry.getDN()).getRDNs(BCStyle.CN);
                if (rDNs.length == 0) {
                    logger.error("Could not create X500 Name for role:" + searchResultEntry.getDN());
                } else {
                    newLinkedHashSet.add(IETFUtils.valueToString(rDNs[0].getFirst().getValue()));
                }
            }
            return newLinkedHashSet;
        } finally {
            lDAPConnection.close();
        }
    }
}
