package org.apache.hadoop.security.authentication.server;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import java.util.Properties;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.util.StringUtils;
import org.apache.http.HttpStatus;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@InterfaceAudience.Private
@InterfaceStability.Evolving
/* loaded from: input_file:WEB-INF/lib/hadoop-auth-3.0.0-alpha2.jar:org/apache/hadoop/security/authentication/server/LdapAuthenticationHandler.class */
public class LdapAuthenticationHandler implements AuthenticationHandler {
    private static Logger logger = LoggerFactory.getLogger((Class<?>) LdapAuthenticationHandler.class);
    public static final String TYPE = "ldap";
    public static final String SECURITY_AUTHENTICATION = "simple";
    public static final String PROVIDER_URL = "ldap.providerurl";
    public static final String BASE_DN = "ldap.basedn";
    public static final String LDAP_BIND_DOMAIN = "ldap.binddomain";
    public static final String ENABLE_START_TLS = "ldap.enablestarttls";
    private String ldapDomain;
    private String baseDN;
    private String providerUrl;
    private Boolean enableStartTls;
    private Boolean disableHostNameVerification;

    @VisibleForTesting
    public void setEnableStartTls(Boolean bool) {
        this.enableStartTls = bool;
    }

    @VisibleForTesting
    public void setDisableHostNameVerification(Boolean bool) {
        this.disableHostNameVerification = bool;
    }

    @Override // org.apache.hadoop.security.authentication.server.AuthenticationHandler
    public String getType() {
        return TYPE;
    }

    @Override // org.apache.hadoop.security.authentication.server.AuthenticationHandler
    public void init(Properties properties) throws ServletException {
        this.baseDN = properties.getProperty(BASE_DN);
        this.providerUrl = properties.getProperty(PROVIDER_URL);
        this.ldapDomain = properties.getProperty(LDAP_BIND_DOMAIN);
        this.enableStartTls = Boolean.valueOf(properties.getProperty(ENABLE_START_TLS, "false"));
        Preconditions.checkNotNull(this.providerUrl, "The LDAP URI can not be null");
        Preconditions.checkArgument((this.baseDN == null) ^ (this.ldapDomain == null), "Either LDAP base DN or LDAP domain value needs to be specified");
        if (this.enableStartTls.booleanValue()) {
            Preconditions.checkArgument(!this.providerUrl.toLowerCase().startsWith("ldaps"), "Can not use ldaps and StartTLS option at the same time");
        }
    }

    @Override // org.apache.hadoop.security.authentication.server.AuthenticationHandler
    public void destroy() {
    }

    @Override // org.apache.hadoop.security.authentication.server.AuthenticationHandler
    public boolean managementOperation(AuthenticationToken authenticationToken, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, AuthenticationException {
        return true;
    }

    @Override // org.apache.hadoop.security.authentication.server.AuthenticationHandler
    public AuthenticationToken authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, AuthenticationException {
        AuthenticationToken authenticationToken = null;
        String header = httpServletRequest.getHeader("Authorization");
        if (header == null || !AuthenticationHandlerUtil.matchAuthScheme("Basic", header)) {
            httpServletResponse.setHeader("WWW-Authenticate", "Basic");
            httpServletResponse.setStatus(HttpStatus.SC_UNAUTHORIZED);
            if (header == null) {
                logger.trace("Basic auth starting");
            } else {
                logger.warn("'Authorization' does not start with 'Basic' :  {}", header);
            }
        } else {
            String[] split = new String(new Base64(0).decode(header.substring("Basic".length()).trim()), StandardCharsets.UTF_8).split(":", 2);
            if (split.length == 2) {
                authenticationToken = authenticateUser(split[0], split[1]);
                httpServletResponse.setStatus(200);
            }
        }
        return authenticationToken;
    }

    private AuthenticationToken authenticateUser(String str, String str2) throws AuthenticationException {
        if (str == null || str.isEmpty()) {
            throw new AuthenticationException("Error validating LDAP user: a null or blank username has been provided");
        }
        if (!hasDomain(str) && this.ldapDomain != null) {
            str = str + "@" + this.ldapDomain;
        }
        if (str2 == null || str2.isEmpty() || str2.getBytes(StandardCharsets.UTF_8)[0] == 0) {
            throw new AuthenticationException("Error validating LDAP user: a null or blank password has been provided");
        }
        String str3 = this.baseDN == null ? str : "uid=" + str + StringUtils.COMMA_STR + this.baseDN;
        if (this.enableStartTls.booleanValue()) {
            authenticateWithTlsExtension(str3, str2);
        } else {
            authenticateWithoutTlsExtension(str3, str2);
        }
        return new AuthenticationToken(str, str, TYPE);
    }

    private void authenticateWithTlsExtension(String str, String str2) throws AuthenticationException {
        LdapContext ldapContext = null;
        Hashtable hashtable = new Hashtable();
        hashtable.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        hashtable.put("java.naming.provider.url", this.providerUrl);
        try {
            try {
                ldapContext = new InitialLdapContext(hashtable, (Control[]) null);
                StartTlsResponse extendedOperation = ldapContext.extendedOperation(new StartTlsRequest());
                if (this.disableHostNameVerification.booleanValue()) {
                    extendedOperation.setHostnameVerifier(new HostnameVerifier() { // from class: org.apache.hadoop.security.authentication.server.LdapAuthenticationHandler.1
                        @Override // javax.net.ssl.HostnameVerifier
                        public boolean verify(String str3, SSLSession sSLSession) {
                            return true;
                        }
                    });
                }
                extendedOperation.negotiate();
                ldapContext.addToEnvironment("java.naming.security.authentication", "simple");
                ldapContext.addToEnvironment("java.naming.security.principal", str);
                ldapContext.addToEnvironment("java.naming.security.credentials", str2);
                ldapContext.lookup(str);
                logger.debug("Authentication successful for {}", str);
                if (ldapContext != null) {
                    try {
                        ldapContext.close();
                    } catch (NamingException e) {
                    }
                }
            } catch (NamingException | IOException e2) {
                throw new AuthenticationException("Error validating LDAP user", e2);
            }
        } catch (Throwable th) {
            if (ldapContext != null) {
                try {
                    ldapContext.close();
                } catch (NamingException e3) {
                }
            }
            throw th;
        }
    }

    private void authenticateWithoutTlsExtension(String str, String str2) throws AuthenticationException {
        Hashtable hashtable = new Hashtable();
        hashtable.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        hashtable.put("java.naming.provider.url", this.providerUrl);
        hashtable.put("java.naming.security.authentication", "simple");
        hashtable.put("java.naming.security.principal", str);
        hashtable.put("java.naming.security.credentials", str2);
        try {
            new InitialDirContext(hashtable).close();
            logger.debug("Authentication successful for {}", str);
        } catch (NamingException e) {
            throw new AuthenticationException("Error validating LDAP user", e);
        }
    }

    private static boolean hasDomain(String str) {
        return indexOfDomainMatch(str) > 0;
    }

    private static int indexOfDomainMatch(String str) {
        if (str == null) {
            return -1;
        }
        int indexOf = str.indexOf(47);
        int indexOf2 = str.indexOf(64);
        int min = Math.min(indexOf, indexOf2);
        if (min == -1) {
            min = Math.max(indexOf, indexOf2);
        }
        return min;
    }
}
