package org.apache.druid.security.basic.authorization;

import com.fasterxml.jackson.annotation.JacksonInject;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonTypeName;
import com.google.common.annotations.VisibleForTesting;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.TreeSet;
import javax.naming.InvalidNameException;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;
import org.apache.druid.java.util.common.IAE;
import org.apache.druid.java.util.common.RE;
import org.apache.druid.java.util.common.StringUtils;
import org.apache.druid.java.util.common.logger.Logger;
import org.apache.druid.security.basic.BasicAuthUtils;
import org.apache.druid.security.basic.authorization.db.cache.BasicAuthorizerCacheManager;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser;
import org.apache.druid.server.security.AuthenticationResult;

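@JsonTypeName("ldap")
/* loaded from: input_file:org/apache/druid/security/basic/authorization/LDAPRoleProvider.class */
/**
 * {@link RoleProvider} that derives a user's roles from two sources and unions them:
 * <ol>
 *   <li>the LDAP groups recorded in the authentication context (the {@code SearchResult}
 *       stored under {@link BasicAuthUtils#SEARCH_RESULT_CONTEXT_KEY} by the authenticator),
 *       narrowed by the configured {@code groupFilters} and mapped to roles through the
 *       authorizer's group mappings;</li>
 *   <li>the roles assigned directly to the user in the authorizer's user map.</li>
 * </ol>
 * Group filters and group-mapping patterns share one small pattern language over LDAP DNs:
 * {@code *,<base>} matches any group anywhere under {@code <base>}, {@code <leaf>,*} matches a
 * group whose leading RDNs are {@code <leaf>} under any base, and anything else must equal the
 * DN exactly (RDN-wise, via {@link LdapName#equals}). A malformed pattern is a configuration
 * error and is reported by throwing {@link RE}.
 */
public class LDAPRoleProvider implements RoleProvider {
    private static final Logger LOG = new Logger(LDAPRoleProvider.class);

    /** Pattern prefix meaning "any group under the DN that follows". */
    private static final String ANY_PREFIX = "*,";
    /** Pattern suffix meaning "this leading RDN sequence under any base DN". */
    private static final String ANY_SUFFIX = ",*";

    private final BasicAuthorizerCacheManager cacheManager;
    // Allow-list of LDAP group DN patterns considered for role mapping; null means "all groups".
    private final String[] groupFilters;

    /**
     * Creates the provider.
     *
     * @param basicAuthorizerCacheManager cache of authorizer state (user, role and group-mapping maps)
     * @param strArr                      group DN patterns to consider; {@code null} admits every
     *                                    group, an empty array admits none
     */
    @JsonCreator
    public LDAPRoleProvider(@JacksonInject BasicAuthorizerCacheManager basicAuthorizerCacheManager, @JsonProperty("groupFilters") String[] strArr) {
        this.cacheManager = basicAuthorizerCacheManager;
        this.groupFilters = strArr;
    }

    /**
     * Resolves the roles of the authenticated user for the named authorizer.
     *
     * @param str                  authorizer name used to look up cached state
     * @param authenticationResult result of authentication; its context may carry the LDAP
     *                             {@code SearchResult} for the user
     * @return union of group-derived roles and roles assigned directly to the user; never null
     * @throws IAE if the group-mapping map or the user map for the authorizer is not loaded
     */
    @Override
    public Set<String> getRoles(String str, AuthenticationResult authenticationResult) {
        Map<String, BasicAuthorizerGroupMapping> groupMappingMap = this.cacheManager.getGroupMappingMap(str);
        if (groupMappingMap == null) {
            throw new IAE("Could not load groupMappingMap for authorizer [%s]", str);
        }
        Map<String, BasicAuthorizerUser> userMap = this.cacheManager.getUserMap(str);
        if (userMap == null) {
            throw new IAE("Could not load userMap for authorizer [%s]", str);
        }

        Set<String> roles = new HashSet<>();
        String identity = authenticationResult.getIdentity();

        SearchResult searchResult = extractSearchResult(authenticationResult);
        if (searchResult != null) {
            try {
                Set<LdapName> groups = getGroupsFromLdap(searchResult);
                if (groups.isEmpty()) {
                    LOG.debug("User %s is not mapped to any groups", identity);
                } else {
                    roles.addAll(getRoles(groupMappingMap, groups));
                }
            } catch (NamingException e) {
                // Fail closed for the LDAP-derived part: no group roles are granted, while the
                // roles assigned directly to the user (below) still apply.
                LOG.error(e, "Exception in looking up groups for user %s", identity);
            }
        }

        BasicAuthorizerUser user = userMap.get(identity);
        if (user != null) {
            roles.addAll(user.getRoles());
        }
        return roles;
    }

    /**
     * Pulls the LDAP {@code SearchResult} out of the authentication context, if present.
     *
     * @return the search result, or {@code null} when the context is absent, has no entry under
     *         {@link BasicAuthUtils#SEARCH_RESULT_CONTEXT_KEY}, or the entry has another type
     */
    private static SearchResult extractSearchResult(AuthenticationResult authenticationResult) {
        Map<String, ?> context = authenticationResult.getContext();
        if (context == null) {
            return null;
        }
        Object candidate = context.get(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY);
        // Only a genuine SearchResult is trusted; any other value is ignored rather than cast.
        return candidate instanceof SearchResult ? (SearchResult) candidate : null;
    }

    /**
     * Returns the cached role map for the named authorizer.
     *
     * @param str authorizer name
     * @return the role map as held by the cache manager
     */
    @Override
    public Map<String, BasicAuthorizerRole> getRoleMap(String str) {
        return this.cacheManager.getRoleMap(str);
    }

    /**
     * Maps LDAP group names to roles using the authorizer's group mappings.
     *
     * @param map group mappings keyed by mapping name; each supplies a DN pattern and roles
     * @param set LDAP group names of the user
     * @return every role of every mapping whose pattern matches at least one group; empty if
     *         there are no mappings
     * @throws RE if a mapping's pattern is not a valid LDAP name (configuration problem)
     */
    @VisibleForTesting
    public Set<String> getRoles(Map<String, BasicAuthorizerGroupMapping> map, Set<LdapName> set) {
        Set<String> roles = new HashSet<>();
        if (map.isEmpty()) {
            return roles;
        }
        for (LdapName groupName : set) {
            for (BasicAuthorizerGroupMapping mapping : map.values()) {
                String groupPattern = mapping.getGroupPattern();
                try {
                    if (matchesPattern(groupName, groupPattern)) {
                        roles.addAll(mapping.getRoles());
                    }
                } catch (InvalidNameException e) {
                    // Keep the cause so the offending DN syntax is visible in the stack trace.
                    throw new RE(e, "Configuration problem - Invalid groupMapping '%s'", groupPattern);
                }
            }
        }
        return roles;
    }

    /**
     * Reads the user's {@code memberOf} values and keeps those that parse as LDAP names and pass
     * the configured group filters.
     *
     * @param searchResult LDAP entry of the authenticated user
     * @return sorted set of admitted group names; empty when the entry has no {@code memberOf}
     * @throws NamingException if the attribute values cannot be read
     */
    Set<LdapName> getGroupsFromLdap(SearchResult searchResult) throws NamingException {
        Set<LdapName> groups = new TreeSet<>();
        Attribute memberOf = searchResult.getAttributes().get("memberOf");
        if (memberOf == null) {
            LOG.debug("No memberOf attributes");
            return groups;
        }
        // Loop-invariant: build the filter set once per lookup rather than once per memberOf value.
        Set<String> filters = this.groupFilters == null ? null : new TreeSet<>(Arrays.asList(this.groupFilters));
        for (int i = 0; i < memberOf.size(); i++) {
            String rawName = memberOf.get(i).toString();
            try {
                LdapName groupName = new LdapName(rawName);
                if (filters == null || allowedLdapGroup(groupName, filters)) {
                    groups.add(groupName);
                }
            } catch (InvalidNameException e) {
                // A group DN the directory returned but we cannot parse is skipped, not fatal.
                LOG.debug("Invalid LDAP name: %s", rawName);
            }
        }
        return groups;
    }

    /**
     * Checks whether a group name passes at least one configured filter.
     *
     * @param ldapName group name to test
     * @param set      filter patterns (see the class documentation for the pattern forms)
     * @return {@code true} on the first matching filter; {@code false} if none matches
     * @throws RE if a filter is not a valid LDAP name (configuration problem)
     */
    boolean allowedLdapGroup(LdapName ldapName, Set<String> set) {
        for (String filter : set) {
            try {
                if (!filter.startsWith(ANY_PREFIX) && !filter.endsWith(ANY_SUFFIX)) {
                    LOG.debug("Attempting exact filter %s", filter);
                }
                if (matchesPattern(ldapName, filter)) {
                    return true;
                }
            } catch (InvalidNameException e) {
                // Keep the cause; the filter itself is passed as a format argument so any '%'
                // it contains cannot corrupt the message.
                throw new RE(e, "Configuration problem - Invalid groupFilter '%s'", filter);
            }
        }
        return false;
    }

    /**
     * Shared DN pattern matcher used by both group filters and group mappings.
     *
     * @param name    LDAP group name
     * @param pattern {@code *,<base>}, {@code <leaf>,*} or an exact DN
     * @return whether {@code name} matches {@code pattern}
     * @throws InvalidNameException if the DN part of the pattern does not parse
     */
    private static boolean matchesPattern(LdapName name, String pattern) throws InvalidNameException {
        if (pattern.startsWith(ANY_PREFIX)) {
            // LdapName indexes RDNs right-to-left, so the textual suffix "<base>" is a name
            // prefix; startsWith therefore matches groups at any depth under <base>.
            return name.startsWith(new LdapName(pattern.substring(ANY_PREFIX.length())));
        }
        if (pattern.endsWith(ANY_SUFFIX)) {
            // The textual prefix "<leaf>" is the trailing RDN sequence: match it under any base.
            return name.endsWith(new LdapName(pattern.substring(0, pattern.length() - ANY_SUFFIX.length())));
        }
        // Exact match is RDN-wise (case-insensitive attribute types, normalized values).
        return name.equals(new LdapName(pattern));
    }
}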
