package org.apache.nifi.ldap;

import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLContext;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.authentication.AuthenticationResponse;
import org.apache.nifi.authentication.LoginCredentials;
import org.apache.nifi.authentication.LoginIdentityProvider;
import org.apache.nifi.authentication.LoginIdentityProviderConfigurationContext;
import org.apache.nifi.authentication.LoginIdentityProviderInitializationContext;
import org.apache.nifi.authentication.exception.IdentityAccessException;
import org.apache.nifi.authentication.exception.InvalidLoginCredentialsException;
import org.apache.nifi.authentication.exception.ProviderCreationException;
import org.apache.nifi.authentication.exception.ProviderDestructionException;
import org.apache.nifi.configuration.NonComponentConfigurationContext;
import org.apache.nifi.ldap.tenants.LdapUserGroupProvider;
import org.apache.nifi.security.util.SslContextFactory;
import org.apache.nifi.security.util.StandardTlsConfiguration;
import org.apache.nifi.security.util.TlsException;
import org.apache.nifi.util.FormatUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.ldap.AuthenticationException;
import org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.core.support.SimpleDirContextAuthenticationStrategy;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.security.ldap.userdetails.LdapUserDetails;

/* loaded from: input_file:org/apache/nifi/ldap/LdapProvider.class */
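/**
 * {@link LoginIdentityProvider} that validates a username/password pair against an LDAP directory
 * by searching for the user and then binding as that user (Spring Security's
 * {@link BindAuthenticator} wrapped in an {@link LdapAuthenticationProvider}).
 *
 * <p>Lifecycle: {@link #initialize} records the issuer name, {@link #onConfigured} reads the
 * provider properties and builds the bind authenticator, {@link #authenticate} performs the
 * search-and-bind and maps the outcome to the provider's exception types.
 *
 * <p>Thread-safety: the instance fields are written in {@link #onConfigured} and only read by
 * {@link #authenticate} afterwards. NOTE(review): the LDAPS branch calls the static
 * {@code LdapsSocketFactory.initialize}, which looks JVM-wide rather than per-provider — confirm
 * against LdapsSocketFactory before configuring two providers with different TLS settings.
 */
public class LdapProvider implements LoginIdentityProvider {
    private static final Logger logger = LoggerFactory.getLogger(LdapProvider.class);

    // Property names read from the configuration context. LDAP connection properties shared with
    // the user/group provider come from LdapUserGroupProvider; these are specific to login.
    private static final String PROP_AUTHENTICATION_EXPIRATION = "Authentication Expiration";
    private static final String PROP_IDENTITY_STRATEGY = "Identity Strategy";
    private static final String PROP_TLS_SHUTDOWN_GRACEFULLY = "TLS - Shutdown Gracefully";
    private static final String PROP_TLS_KEYSTORE = "TLS - Keystore";
    private static final String PROP_TLS_KEYSTORE_PASSWORD = "TLS - Keystore Password";
    private static final String PROP_TLS_KEYSTORE_TYPE = "TLS - Keystore Type";
    private static final String PROP_TLS_TRUSTSTORE = "TLS - Truststore";
    private static final String PROP_TLS_TRUSTSTORE_PASSWORD = "TLS - Truststore Password";
    private static final String PROP_TLS_TRUSTSTORE_TYPE = "TLS - Truststore Type";
    private static final String PROP_TLS_PROTOCOL = "TLS - Protocol";

    // JNDI environment keys handed to LdapContextSource#setBaseEnvironmentProperties.
    private static final String ENV_CONNECT_TIMEOUT = "com.sun.jndi.ldap.connect.timeout";
    private static final String ENV_READ_TIMEOUT = "com.sun.jndi.ldap.read.timeout";
    private static final String ENV_SECURITY_PROTOCOL = "java.naming.security.protocol";
    private static final String ENV_SOCKET_FACTORY = "java.naming.ldap.factory.socket";

    /** Search-then-bind provider; null until {@link #onConfigured} has completed successfully once. */
    private AbstractLdapAuthenticationProvider provider;
    /** Issuer placed in every {@link AuthenticationResponse}; the simple class name. */
    private String issuer;
    /** Token lifetime in milliseconds, parsed from "Authentication Expiration". */
    private long expiration;
    /** Whether responses carry the user's DN (USE_DN) or the name reported by the directory. */
    private IdentityStrategy identityStrategy;

    /**
     * Records the issuer name. No LDAP work happens here; everything else waits for
     * {@link #onConfigured}.
     *
     * @param initializationContext unused
     */
    public final void initialize(final LoginIdentityProviderInitializationContext initializationContext) throws ProviderCreationException {
        this.issuer = getClass().getSimpleName();
    }

    /**
     * Builds the LDAP context source and bind authenticator from the provider properties.
     *
     * <p>Each {@code valueOf}/duration parse is guarded on its own so that an
     * {@link IllegalArgumentException} raised later in the setup (for example by a Spring setter)
     * is not reported as a bad expiration, referral or authentication strategy value. A missing
     * enum-valued property is reported as unrecognized rather than surfacing as a
     * {@link NullPointerException} from {@code Enum.valueOf}.
     *
     * @param configurationContext source of the provider properties
     * @throws ProviderCreationException when a required property is missing or malformed, or when
     *     the Spring LDAP components reject the configuration
     */
    public final void onConfigured(final LoginIdentityProviderConfigurationContext configurationContext) throws ProviderCreationException {
        final String rawExpiration = configurationContext.getProperty(PROP_AUTHENTICATION_EXPIRATION);
        if (StringUtils.isBlank(rawExpiration)) {
            throw new ProviderCreationException("The Authentication Expiration must be specified.");
        }
        try {
            this.expiration = FormatUtils.getTimeDuration(rawExpiration, TimeUnit.MILLISECONDS);
        } catch (final IllegalArgumentException e) {
            throw new ProviderCreationException(String.format("The Expiration Duration '%s' is not a valid time duration", rawExpiration), e);
        }

        final LdapContextSource contextSource = new LdapContextSource();
        final Map<String, Object> baseEnvironment = new HashMap<>();
        setTimeout(configurationContext, baseEnvironment, LdapUserGroupProvider.PROP_CONNECT_TIMEOUT, ENV_CONNECT_TIMEOUT);
        setTimeout(configurationContext, baseEnvironment, LdapUserGroupProvider.PROP_READ_TIMEOUT, ENV_READ_TIMEOUT);

        configureAuthentication(configurationContext, contextSource, baseEnvironment);
        contextSource.setReferral(parseReferralStrategy(configurationContext).getValue());
        contextSource.setUrls(parseUrls(configurationContext));

        final FilterBasedLdapUserSearch userSearch = createUserSearch(configurationContext, contextSource);
        final BindAuthenticator authenticator = new BindAuthenticator(contextSource);
        authenticator.setUserSearch(userSearch);

        this.identityStrategy = parseIdentityStrategy(configurationContext);

        if (!baseEnvironment.isEmpty()) {
            contextSource.setBaseEnvironmentProperties(baseEnvironment);
        }

        try {
            contextSource.afterPropertiesSet();
            authenticator.afterPropertiesSet();
            this.provider = new LdapAuthenticationProvider(authenticator);
        } catch (final Exception e) {
            throw new ProviderCreationException(e.getMessage(), e);
        }
    }

    /**
     * Applies the configured authentication strategy to the context source. ANONYMOUS binds
     * read-only without credentials; every other strategy binds with the manager DN/password, and
     * LDAPS / START_TLS additionally use the SSLContext built by {@link #getConfiguredSslContext}.
     */
    private static void configureAuthentication(final LoginIdentityProviderConfigurationContext configurationContext,
                                                final LdapContextSource contextSource, final Map<String, Object> baseEnvironment) {
        final String rawStrategy = configurationContext.getProperty(LdapUserGroupProvider.PROP_AUTHENTICATION_STRATEGY);
        final LdapAuthenticationStrategy strategy = parseEnum(LdapAuthenticationStrategy.class, rawStrategy, "authentication strategy");

        if (strategy == LdapAuthenticationStrategy.ANONYMOUS) {
            contextSource.setAnonymousReadOnly(true);
            return;
        }

        // Manager credentials are applied for every non-anonymous strategy; the password is only
        // ever handed to the context source, never logged.
        contextSource.setUserDn(configurationContext.getProperty(LdapUserGroupProvider.PROP_MANAGER_DN));
        contextSource.setPassword(configurationContext.getProperty(LdapUserGroupProvider.PROP_MANAGER_PASSWORD));

        switch (strategy) {
            case SIMPLE:
                contextSource.setAuthenticationStrategy(new SimpleDirContextAuthenticationStrategy());
                break;
            case LDAPS:
                contextSource.setAuthenticationStrategy(new SimpleDirContextAuthenticationStrategy());
                baseEnvironment.put(ENV_SECURITY_PROTOCOL, "ssl");
                final SSLContext sslContext = getConfiguredSslContext(configurationContext);
                if (sslContext != null) {
                    LdapsSocketFactory.initialize(sslContext.getSocketFactory());
                    baseEnvironment.put(ENV_SOCKET_FACTORY, LdapsSocketFactory.class.getName());
                }
                // NOTE(review): with no SSLContext the JNDI default socket factory (and hence the
                // JVM default trust material) is used for the "ssl" protocol — confirm intended.
                break;
            case START_TLS:
                contextSource.setAuthenticationStrategy(createStartTlsStrategy(configurationContext));
                break;
            default:
                // Any other constant keeps the context source's default strategy with manager credentials.
                break;
        }
    }

    /** Builds the START_TLS strategy, honouring the optional graceful-shutdown flag and SSLContext. */
    private static DefaultTlsDirContextAuthenticationStrategy createStartTlsStrategy(final LoginIdentityProviderConfigurationContext configurationContext) {
        final DefaultTlsDirContextAuthenticationStrategy strategy = new DefaultTlsDirContextAuthenticationStrategy();
        final String rawShutdownGracefully = configurationContext.getProperty(PROP_TLS_SHUTDOWN_GRACEFULLY);
        if (StringUtils.isNotBlank(rawShutdownGracefully)) {
            // only a case-insensitive "true" enables graceful shutdown; any other text disables it
            strategy.setShutdownTlsGracefully(Boolean.TRUE.toString().equalsIgnoreCase(rawShutdownGracefully));
        }
        final SSLContext sslContext = getConfiguredSslContext(configurationContext);
        if (sslContext != null) {
            strategy.setSslSocketFactory(sslContext.getSocketFactory());
        }
        return strategy;
    }

    /** Resolves the referral strategy; a missing or unknown value is a configuration error. */
    private static ReferralStrategy parseReferralStrategy(final LoginIdentityProviderConfigurationContext configurationContext) {
        final String rawStrategy = configurationContext.getProperty(LdapUserGroupProvider.PROP_REFERRAL_STRATEGY);
        return parseEnum(ReferralStrategy.class, rawStrategy, "referral strategy");
    }

    /** Reads the whitespace-separated server URL list; at least one URL is required. */
    private static String[] parseUrls(final LoginIdentityProviderConfigurationContext configurationContext) {
        final String rawUrls = configurationContext.getProperty(LdapUserGroupProvider.PROP_URL);
        if (StringUtils.isBlank(rawUrls)) {
            throw new ProviderCreationException("LDAP identity provider 'Url' must be specified.");
        }
        return StringUtils.split(rawUrls);
    }

    /**
     * Creates the user search from the configured base and filter, both required.
     * NOTE(review): the login username is substituted into this filter by Spring's
     * {@link FilterBasedLdapUserSearch}; confirm the Spring version in use escapes LDAP filter
     * metacharacters in that substitution.
     */
    private static FilterBasedLdapUserSearch createUserSearch(final LoginIdentityProviderConfigurationContext configurationContext,
                                                              final LdapContextSource contextSource) {
        final String searchBase = configurationContext.getProperty(LdapUserGroupProvider.PROP_USER_SEARCH_BASE);
        final String searchFilter = configurationContext.getProperty(LdapUserGroupProvider.PROP_USER_SEARCH_FILTER);
        if (StringUtils.isBlank(searchBase) || StringUtils.isBlank(searchFilter)) {
            throw new ProviderCreationException("LDAP identity provider 'User Search Base' and 'User Search Filter' must be specified.");
        }
        return new FilterBasedLdapUserSearch(searchBase, searchFilter, contextSource);
    }

    /** Resolves the identity strategy, defaulting to {@link IdentityStrategy#USE_DN} when unset. */
    private static IdentityStrategy parseIdentityStrategy(final LoginIdentityProviderConfigurationContext configurationContext) {
        final String rawStrategy = configurationContext.getProperty(PROP_IDENTITY_STRATEGY);
        if (StringUtils.isBlank(rawStrategy)) {
            logger.info("Identity Strategy is not configured, defaulting strategy to {}.", IdentityStrategy.USE_DN);
            return IdentityStrategy.USE_DN;
        }
        return parseEnum(IdentityStrategy.class, rawStrategy, "identity strategy");
    }

    /**
     * Resolves an enum constant by exact name. A null value is reported with the same
     * "Unrecognized ..." message as an unknown name instead of leaking {@code Enum.valueOf}'s
     * NullPointerException to the caller.
     *
     * @param type  the enum class
     * @param value the configured text, possibly null
     * @param label human-readable property description used in the error message
     * @return the matching constant
     * @throws ProviderCreationException when {@code value} is null or not a constant of {@code type}
     */
    private static <E extends Enum<E>> E parseEnum(final Class<E> type, final String value, final String label) {
        if (value != null) {
            try {
                return Enum.valueOf(type, value);
            } catch (final IllegalArgumentException ignored) {
                // reported uniformly below
            }
        }
        throw new ProviderCreationException(String.format("Unrecognized %s '%s'. Possible values are [%s]",
                label, value, StringUtils.join(type.getEnumConstants(), ", ")));
    }

    /**
     * Copies an optional timeout property into the JNDI environment as whole milliseconds.
     *
     * @param configurationContext source of the property
     * @param environment          JNDI environment being assembled
     * @param propertyName         provider property holding a duration such as "10 secs"
     * @param environmentKey       JNDI key to populate when the property is set
     * @throws ProviderCreationException when the property is present but not a valid duration
     */
    private void setTimeout(final LoginIdentityProviderConfigurationContext configurationContext, final Map<String, Object> environment,
                            final String propertyName, final String environmentKey) {
        final String rawDuration = configurationContext.getProperty(propertyName);
        if (StringUtils.isBlank(rawDuration)) {
            return;
        }
        try {
            // JNDI expects the timeout as a decimal string of milliseconds
            final long millis = (long) FormatUtils.getPreciseTimeDuration(rawDuration, TimeUnit.MILLISECONDS);
            environment.put(environmentKey, String.valueOf(millis));
        } catch (final IllegalArgumentException e) {
            throw new ProviderCreationException(String.format("The %s '%s' is not a valid time duration", propertyName, rawDuration), e);
        }
    }

    /**
     * Builds an SSLContext from the "TLS - ..." properties. The key password is always passed as
     * null. Callers treat a null result as "no custom TLS material" and leave the JNDI/Spring
     * default socket factory in place.
     *
     * @param configurationContext source of the TLS properties
     * @return the SSLContext, or null (when the factory yields none)
     * @throws ProviderCreationException when the TLS material cannot be loaded
     */
    public static SSLContext getConfiguredSslContext(final NonComponentConfigurationContext configurationContext) {
        final StandardTlsConfiguration tlsConfiguration = new StandardTlsConfiguration(
                configurationContext.getProperty(PROP_TLS_KEYSTORE),
                configurationContext.getProperty(PROP_TLS_KEYSTORE_PASSWORD),
                (String) null,
                configurationContext.getProperty(PROP_TLS_KEYSTORE_TYPE),
                configurationContext.getProperty(PROP_TLS_TRUSTSTORE),
                configurationContext.getProperty(PROP_TLS_TRUSTSTORE_PASSWORD),
                configurationContext.getProperty(PROP_TLS_TRUSTSTORE_TYPE),
                configurationContext.getProperty(PROP_TLS_PROTOCOL));
        try {
            return SslContextFactory.createSslContext(tlsConfiguration);
        } catch (final TlsException e) {
            // message only at error level; the passwords are not part of the exception text we emit
            logger.error("Encountered an error configuring TLS for LDAP identity provider: {}", e.getLocalizedMessage());
            throw new ProviderCreationException("Error configuring TLS for LDAP identity provider", e);
        }
    }

    /**
     * Authenticates the supplied credentials by search-then-bind.
     *
     * <p>The credential-failure catch and the generic catch are siblings on one try block: an
     * {@link InvalidLoginCredentialsException} raised for bad credentials must not be re-caught by
     * the generic handler and reported as an {@link IdentityAccessException} (which is what a
     * nested try/catch would do, since Spring Security's {@link BadCredentialsException} is not
     * an {@code org.springframework.ldap.AuthenticationException}).
     *
     * @param credentials username and password to validate
     * @return the identity (DN or directory-reported name, per {@link IdentityStrategy}), the
     *     supplied username, the expiration and the issuer
     * @throws InvalidLoginCredentialsException when the directory rejects the credentials or the
     *     user is not found; the message is the directory-side message. NOTE(review): that text
     *     may contain server diagnostics — confirm the caller does not echo it to the client.
     * @throws IdentityAccessException when the provider is not configured or the directory cannot
     *     be reached; the original exception is logged and attached as the cause
     */
    public final AuthenticationResponse authenticate(final LoginCredentials credentials) throws InvalidLoginCredentialsException, IdentityAccessException {
        if (this.provider == null) {
            throw new IdentityAccessException("The LDAP authentication provider is not initialized.");
        }
        try {
            final Authentication authentication = this.provider.authenticate(
                    new UsernamePasswordAuthenticationToken(credentials.getUsername(), credentials.getPassword()));
            return toResponse(authentication, credentials.getUsername());
        } catch (final BadCredentialsException | UsernameNotFoundException | AuthenticationException e) {
            throw new InvalidLoginCredentialsException(e.getMessage(), e);
        } catch (final Exception e) {
            // a bind failure can arrive wrapped in a service-level exception; unwrap one level before
            // treating the failure as a directory outage
            if (e.getCause() instanceof AuthenticationException) {
                throw new InvalidLoginCredentialsException(e.getMessage(), e);
            }
            logger.error(e.getMessage());
            if (logger.isDebugEnabled()) {
                logger.debug("", e);
            }
            throw new IdentityAccessException("Unable to validate the supplied credentials. Please contact the system administrator.", e);
        }
    }

    /**
     * Maps a successful authentication to a response. Under USE_DN the DN from the
     * {@link LdapUserDetails} principal is used; if the principal is of another type the
     * directory-reported name is used instead and a warning is logged.
     */
    private AuthenticationResponse toResponse(final Authentication authentication, final String username) {
        if (IdentityStrategy.USE_DN.equals(this.identityStrategy)) {
            if (authentication.getPrincipal() instanceof LdapUserDetails) {
                final String dn = ((LdapUserDetails) authentication.getPrincipal()).getDn();
                return new AuthenticationResponse(dn, username, this.expiration, this.issuer);
            }
            logger.warn("Unable to determine user DN for {}, using username.", authentication.getName());
        }
        return new AuthenticationResponse(authentication.getName(), username, this.expiration, this.issuer);
    }

    /**
     * Nothing is released here. NOTE(review): the LdapContextSource built in {@link #onConfigured}
     * is not closed explicitly — confirm Spring LDAP needs no shutdown hook for it.
     */
    public final void preDestruction() throws ProviderDestructionException {
    }
}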
