package org.apache.nifi.ldap;

import java.io.IOException;
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.authentication.AuthenticationResponse;
import org.apache.nifi.authentication.LoginCredentials;
import org.apache.nifi.authentication.LoginIdentityProvider;
import org.apache.nifi.authentication.LoginIdentityProviderConfigurationContext;
import org.apache.nifi.authentication.LoginIdentityProviderInitializationContext;
import org.apache.nifi.authentication.exception.IdentityAccessException;
import org.apache.nifi.authentication.exception.InvalidLoginCredentialsException;
import org.apache.nifi.authorization.exception.ProviderCreationException;
import org.apache.nifi.authorization.exception.ProviderDestructionException;
import org.apache.nifi.security.util.SslContextFactory;
import org.apache.nifi.util.FormatUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.ldap.AuthenticationException;
import org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.core.support.SimpleDirContextAuthenticationStrategy;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.security.ldap.userdetails.LdapUserDetails;

/* loaded from: input_file:org/apache/nifi/ldap/LdapProvider.class */
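/**
 * {@link LoginIdentityProvider} that validates username/password credentials by binding to an
 * LDAP directory through Spring Security's {@link LdapAuthenticationProvider}.
 *
 * <p>Lifecycle: {@link #initialize} records the issuer, {@link #onConfigured} reads the provider
 * properties and builds the authentication provider, {@link #authenticate} performs the bind and
 * maps the outcome onto {@link InvalidLoginCredentialsException} (bad credentials) or
 * {@link IdentityAccessException} (provider/directory failure).
 *
 * <p>Configuration properties read by this class (by exact name): "Authentication Expiration",
 * "Connect Timeout", "Read Timeout", "Authentication Strategy", "Manager DN", "Manager Password",
 * "TLS - Shutdown Gracefully", "TLS - Keystore", "TLS - Keystore Password", "TLS - Keystore Type",
 * "TLS - Truststore", "TLS - Truststore Password", "TLS - Truststore Type", "TLS - Client Auth",
 * "TLS - Protocol", "Referral Strategy", "Url", "User Search Base", "User Search Filter".
 */
public class LdapProvider implements LoginIdentityProvider {
    private static final Logger logger = LoggerFactory.getLogger(LdapProvider.class);

    // Built by onConfigured(); stays null until configuration succeeds, which authenticate() checks.
    private AbstractLdapAuthenticationProvider provider;
    // Issuer recorded on every AuthenticationResponse; set in initialize().
    private String issuer;
    // Response lifetime in milliseconds, parsed from "Authentication Expiration".
    private long expiration;

    /**
     * Records this provider's simple class name as the issuer of the responses it produces.
     *
     * @param initializationContext framework initialization context (not read here)
     * @throws ProviderCreationException declared by the interface; not thrown by this implementation
     */
    @Override
    public final void initialize(final LoginIdentityProviderInitializationContext initializationContext) throws ProviderCreationException {
        this.issuer = getClass().getSimpleName();
    }

    /**
     * Reads the provider properties, builds the LDAP context source and the bind authenticator, and
     * stores the resulting {@link LdapAuthenticationProvider}.
     *
     * <p>Each property is validated where it is read, so the error message names the property that
     * is actually wrong rather than whichever enclosing handler happened to catch the exception.
     * Missing enum-valued properties and missing store passwords are reported as
     * {@link ProviderCreationException} instead of surfacing as a {@link NullPointerException}.
     *
     * @param configurationContext source of the provider properties
     * @throws ProviderCreationException when a required property is missing or unparseable, or when
     *     the Spring LDAP components fail their {@code afterPropertiesSet} checks
     */
    @Override
    public final void onConfigured(final LoginIdentityProviderConfigurationContext configurationContext) throws ProviderCreationException {
        this.expiration = parseExpiration(configurationContext);

        final LdapContextSource contextSource = new LdapContextSource();

        // JNDI connect/read timeouts are handed to the context as base environment properties.
        final Map<String, Object> baseEnvironment = new HashMap<>();
        setTimeout(configurationContext, baseEnvironment, "Connect Timeout", "com.sun.jndi.ldap.connect.timeout");
        setTimeout(configurationContext, baseEnvironment, "Read Timeout", "com.sun.jndi.ldap.read.timeout");
        if (!baseEnvironment.isEmpty()) {
            contextSource.setBaseEnvironmentProperties(baseEnvironment);
        }

        final LdapAuthenticationStrategy authenticationStrategy = parseAuthenticationStrategy(configurationContext);
        switch (authenticationStrategy) {
            case ANONYMOUS:
                contextSource.setAnonymousReadOnly(true);
                break;
            default:
                // Every non-anonymous strategy binds as the manager account for the user search.
                contextSource.setUserDn(configurationContext.getProperty("Manager DN"));
                contextSource.setPassword(configurationContext.getProperty("Manager Password"));
                switch (authenticationStrategy) {
                    case SIMPLE:
                        contextSource.setAuthenticationStrategy(new SimpleDirContextAuthenticationStrategy());
                        break;
                    case START_TLS:
                        contextSource.setAuthenticationStrategy(createStartTlsStrategy(configurationContext));
                        break;
                }
        }

        contextSource.setReferral(parseReferralStrategy(configurationContext).toString());

        final String url = configurationContext.getProperty("Url");
        if (StringUtils.isBlank(url)) {
            throw new ProviderCreationException("LDAP identity provider 'Url' must be specified.");
        }
        contextSource.setUrl(url);

        final String userSearchBase = configurationContext.getProperty("User Search Base");
        final String userSearchFilter = configurationContext.getProperty("User Search Filter");
        if (StringUtils.isBlank(userSearchBase) || StringUtils.isBlank(userSearchFilter)) {
            throw new ProviderCreationException("LDAP identity provider 'User Search Base' and 'User Search Filter' must be specified.");
        }

        final FilterBasedLdapUserSearch userSearch = new FilterBasedLdapUserSearch(userSearchBase, userSearchFilter, contextSource);
        final BindAuthenticator authenticator = new BindAuthenticator(contextSource);
        authenticator.setUserSearch(userSearch);

        try {
            contextSource.afterPropertiesSet();
            authenticator.afterPropertiesSet();
            this.provider = new LdapAuthenticationProvider(authenticator);
        } catch (final Exception e) {
            throw new ProviderCreationException(e.getMessage(), e);
        }
    }

    /**
     * Parses "Authentication Expiration" into milliseconds.
     *
     * @throws ProviderCreationException when the property is blank or not a valid time duration
     */
    private static long parseExpiration(final LoginIdentityProviderConfigurationContext configurationContext) throws ProviderCreationException {
        final String rawExpiration = configurationContext.getProperty("Authentication Expiration");
        if (StringUtils.isBlank(rawExpiration)) {
            throw new ProviderCreationException("The Authentication Expiration must be specified.");
        }
        try {
            return FormatUtils.getTimeDuration(rawExpiration, TimeUnit.MILLISECONDS);
        } catch (final IllegalArgumentException e) {
            throw new ProviderCreationException(String.format("The Expiration Duration '%s' is not a valid time duration", rawExpiration));
        }
    }

    /**
     * Parses "Authentication Strategy" into an {@link LdapAuthenticationStrategy}.
     *
     * @throws ProviderCreationException when the property is blank or names no known strategy
     */
    private static LdapAuthenticationStrategy parseAuthenticationStrategy(final LoginIdentityProviderConfigurationContext configurationContext) throws ProviderCreationException {
        final String rawStrategy = configurationContext.getProperty("Authentication Strategy");
        if (StringUtils.isBlank(rawStrategy)) {
            throw new ProviderCreationException("Authentication Strategy must be specified.");
        }
        try {
            return LdapAuthenticationStrategy.valueOf(rawStrategy);
        } catch (final IllegalArgumentException e) {
            throw new ProviderCreationException(String.format("Unrecognized authentication strategy '%s'. Possible values are [%s]",
                    rawStrategy, StringUtils.join(LdapAuthenticationStrategy.values(), ", ")));
        }
    }

    /**
     * Parses "Referral Strategy" into a {@link ReferralStrategy}.
     *
     * @throws ProviderCreationException when the property is blank or names no known strategy
     */
    private static ReferralStrategy parseReferralStrategy(final LoginIdentityProviderConfigurationContext configurationContext) throws ProviderCreationException {
        final String rawStrategy = configurationContext.getProperty("Referral Strategy");
        if (StringUtils.isBlank(rawStrategy)) {
            throw new ProviderCreationException("Referral Strategy must be specified.");
        }
        try {
            return ReferralStrategy.valueOf(rawStrategy);
        } catch (final IllegalArgumentException e) {
            throw new ProviderCreationException(String.format("Unrecognized referral strategy '%s'. Possible values are [%s]",
                    rawStrategy, StringUtils.join(ReferralStrategy.values(), ", ")));
        }
    }

    /**
     * Builds the StartTLS authentication strategy from the "TLS - *" properties.
     *
     * <p>Which {@link SslContextFactory} factory is used depends on the stores given: truststore only,
     * keystore only, or both (the latter also applies "TLS - Client Auth", which defaults to
     * {@code NONE} when blank). "TLS - Protocol" is mandatory in all three cases.
     *
     * @throws ProviderCreationException on an unrecognized client-auth value, a blank protocol, a
     *     missing store password, or any failure while loading the stores and building the context
     */
    private static DefaultTlsDirContextAuthenticationStrategy createStartTlsStrategy(final LoginIdentityProviderConfigurationContext configurationContext) throws ProviderCreationException {
        final DefaultTlsDirContextAuthenticationStrategy strategy = new DefaultTlsDirContextAuthenticationStrategy();

        final String rawShutdownGracefully = configurationContext.getProperty("TLS - Shutdown Gracefully");
        if (StringUtils.isNotBlank(rawShutdownGracefully)) {
            // Only the literal "true" (case-insensitive) enables graceful shutdown; anything else disables it.
            strategy.setShutdownTlsGracefully(Boolean.TRUE.toString().equalsIgnoreCase(rawShutdownGracefully));
        }

        final String keystore = configurationContext.getProperty("TLS - Keystore");
        final String keystorePassword = configurationContext.getProperty("TLS - Keystore Password");
        final String keystoreType = configurationContext.getProperty("TLS - Keystore Type");
        final String truststore = configurationContext.getProperty("TLS - Truststore");
        final String truststorePassword = configurationContext.getProperty("TLS - Truststore Password");
        final String truststoreType = configurationContext.getProperty("TLS - Truststore Type");
        final String rawClientAuth = configurationContext.getProperty("TLS - Client Auth");
        final String protocol = configurationContext.getProperty("TLS - Protocol");

        final SslContextFactory.ClientAuth clientAuth;
        if (StringUtils.isBlank(rawClientAuth)) {
            clientAuth = SslContextFactory.ClientAuth.NONE;
        } else {
            try {
                clientAuth = SslContextFactory.ClientAuth.valueOf(rawClientAuth);
            } catch (final IllegalArgumentException e) {
                throw new ProviderCreationException(String.format("Unrecognized client auth '%s'. Possible values are [%s]",
                        rawClientAuth, StringUtils.join(SslContextFactory.ClientAuth.values(), ", ")));
            }
        }
        if (StringUtils.isBlank(protocol)) {
            throw new ProviderCreationException("TLS - Protocol must be specified.");
        }

        try {
            if (StringUtils.isBlank(keystore)) {
                // Trust-only context: no client certificate is presented.
                strategy.setSslSocketFactory(SslContextFactory.createTrustSslContext(
                        truststore, toPasswordChars(truststorePassword, "TLS - Truststore Password"), truststoreType, protocol).getSocketFactory());
            } else if (StringUtils.isBlank(truststore)) {
                // Keystore-only context: client identity without an explicit truststore.
                strategy.setSslSocketFactory(SslContextFactory.createSslContext(
                        keystore, toPasswordChars(keystorePassword, "TLS - Keystore Password"), keystoreType, protocol).getSocketFactory());
            } else {
                strategy.setSslSocketFactory(SslContextFactory.createSslContext(
                        keystore, toPasswordChars(keystorePassword, "TLS - Keystore Password"), keystoreType,
                        truststore, toPasswordChars(truststorePassword, "TLS - Truststore Password"), truststoreType,
                        clientAuth, protocol).getSocketFactory());
            }
        } catch (IOException | KeyManagementException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException e) {
            throw new ProviderCreationException(e.getMessage(), e);
        }
        return strategy;
    }

    /**
     * Converts a store password property to the {@code char[]} expected by {@link SslContextFactory}.
     *
     * <p>A missing (null) password is reported as a configuration error naming the property; the
     * empty string is passed through unchanged so stores without a password keep working.
     *
     * @throws ProviderCreationException when {@code password} is null
     */
    private static char[] toPasswordChars(final String password, final String propertyName) throws ProviderCreationException {
        if (password == null) {
            throw new ProviderCreationException(String.format("%s must be specified.", propertyName));
        }
        return password.toCharArray();
    }

    /**
     * Copies an optional timeout property into the JNDI environment as a millisecond string.
     *
     * @param configurationContext source of the provider properties
     * @param environment          JNDI base environment being assembled
     * @param propertyName         provider property holding the duration, e.g. "Connect Timeout"
     * @param environmentKey       JNDI key to populate, e.g. "com.sun.jndi.ldap.connect.timeout"
     * @throws ProviderCreationException when the property is present but not a valid time duration
     */
    private void setTimeout(final LoginIdentityProviderConfigurationContext configurationContext, final Map<String, Object> environment,
                            final String propertyName, final String environmentKey) {
        final String rawTimeout = configurationContext.getProperty(propertyName);
        if (StringUtils.isBlank(rawTimeout)) {
            return;
        }
        try {
            environment.put(environmentKey, Long.toString(FormatUtils.getTimeDuration(rawTimeout, TimeUnit.MILLISECONDS)));
        } catch (final IllegalArgumentException e) {
            throw new ProviderCreationException(String.format("The %s '%s' is not a valid time duration", propertyName, rawTimeout));
        }
    }

    /**
     * Binds with the supplied credentials and returns the authenticated identity.
     *
     * <p>The identity is the user's DN when the principal is an {@link LdapUserDetails}, otherwise
     * the authentication name. Credential failures are surfaced as
     * {@link InvalidLoginCredentialsException}; every other failure is logged and returned to the
     * caller as a generic {@link IdentityAccessException} so directory details are not exposed.
     *
     * @param credentials username and password to verify
     * @return response carrying the resolved identity, the submitted username, expiration and issuer
     * @throws InvalidLoginCredentialsException when the directory rejects the credentials
     * @throws IdentityAccessException when the provider is not configured or the bind fails for
     *     a reason other than bad credentials
     */
    @Override
    public final AuthenticationResponse authenticate(final LoginCredentials credentials) throws InvalidLoginCredentialsException, IdentityAccessException {
        if (this.provider == null) {
            throw new IdentityAccessException("The LDAP authentication provider is not initialized.");
        }
        try {
            final Authentication authentication = this.provider.authenticate(
                    new UsernamePasswordAuthenticationToken(credentials.getUsername(), credentials.getPassword()));
            final Object principal = authentication.getPrincipal();
            final String identity = principal instanceof LdapUserDetails
                    ? ((LdapUserDetails) principal).getDn()
                    : authentication.getName();
            return new AuthenticationResponse(identity, credentials.getUsername(), this.expiration, this.issuer);
        } catch (final BadCredentialsException | UsernameNotFoundException | AuthenticationException e) {
            // Sibling handler on purpose: a credential failure must not fall into the generic
            // catch below, which would relabel it as an IdentityAccessException and log it as an error.
            throw new InvalidLoginCredentialsException(e.getMessage(), e);
        } catch (final Exception e) {
            // An LDAP AuthenticationException can arrive wrapped in another exception; treat that
            // as a credential failure as well.
            if (e.getCause() instanceof AuthenticationException) {
                throw new InvalidLoginCredentialsException(e.getMessage(), e);
            }
            logger.error(e.getMessage());
            if (logger.isDebugEnabled()) {
                logger.debug("", e);
            }
            throw new IdentityAccessException("Unable to validate the supplied credentials. Please contact the system administrator.", e);
        }
    }

    /**
     * No resources are held beyond the Spring LDAP provider, so there is nothing to release.
     *
     * @throws ProviderDestructionException declared by the interface; not thrown by this implementation
     */
    @Override
    public final void preDestruction() throws ProviderDestructionException {
    }
}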
