package org.apache.nifi.registry.security.ldap;

import java.io.IOException;
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLContext;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.registry.security.authentication.AuthenticationRequest;
import org.apache.nifi.registry.security.authentication.AuthenticationResponse;
import org.apache.nifi.registry.security.authentication.BasicAuthIdentityProvider;
import org.apache.nifi.registry.security.authentication.IdentityProvider;
import org.apache.nifi.registry.security.authentication.IdentityProviderConfigurationContext;
import org.apache.nifi.registry.security.authentication.exception.IdentityAccessException;
import org.apache.nifi.registry.security.authentication.exception.InvalidCredentialsException;
import org.apache.nifi.registry.security.exception.SecurityProviderCreationException;
import org.apache.nifi.registry.security.exception.SecurityProviderDestructionException;
import org.apache.nifi.registry.security.ldap.tenants.LdapUserGroupProvider;
import org.apache.nifi.registry.security.util.SslContextFactory;
import org.apache.nifi.registry.util.FormatUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.ldap.AuthenticationException;
import org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.core.support.SimpleDirContextAuthenticationStrategy;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.security.ldap.userdetails.LdapUserDetails;

/* loaded from: input_file:WEB-INF/lib/nifi-registry-framework-1.15.1.jar:org/apache/nifi/registry/security/ldap/LdapIdentityProvider.class */
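/**
 * Identity provider that validates username/password credentials by binding to an LDAP directory.
 *
 * <p>{@link #onConfigured(IdentityProviderConfigurationContext)} builds a Spring {@link LdapContextSource} and a
 * {@link BindAuthenticator} from the provider's configuration properties (the connection properties are the
 * {@code PROP_*} names shared with {@link LdapUserGroupProvider}); {@link #authenticate(AuthenticationRequest)}
 * delegates to the resulting {@link LdapAuthenticationProvider} and maps the outcome to an
 * {@link AuthenticationResponse} whose identity is either the user's DN or the authenticated name, depending on
 * the configured {@link IdentityStrategy}.
 *
 * <p>Security notes: the manager password and the TLS keystore/truststore passwords are read from configuration
 * and handed straight to the context source / {@link SslContextFactory}; this class does not log them (the debug
 * log of the authentication token relies on the token's {@code toString()} masking the credential). With the
 * {@code LDAPS} and {@code START_TLS} strategies a custom SSL context is installed only when a keystore or
 * truststore is configured; otherwise the default socket factory is left in place (presumably the JVM default
 * trust material -- confirm for the target deployment). {@code LdapsSocketFactory.initialize(...)} is a static
 * call and so appears to hold process-wide state; confirm in that class before configuring more than one LDAPS
 * provider per JVM.
 */
public class LdapIdentityProvider extends BasicAuthIdentityProvider implements IdentityProvider {
    private static final Logger logger = LoggerFactory.getLogger(LdapIdentityProvider.class);
    private static final String issuer = LdapIdentityProvider.class.getSimpleName();

    // Property names read directly by this provider; the LDAP connection properties come from LdapUserGroupProvider.
    private static final String PROP_AUTHENTICATION_EXPIRATION = "Authentication Expiration";
    private static final String PROP_IDENTITY_STRATEGY = "Identity Strategy";
    private static final String PROP_TLS_SHUTDOWN_GRACEFULLY = "TLS - Shutdown Gracefully";
    private static final String PROP_TLS_KEYSTORE = "TLS - Keystore";
    private static final String PROP_TLS_KEYSTORE_PASSWORD = "TLS - Keystore Password";
    private static final String PROP_TLS_KEYSTORE_TYPE = "TLS - Keystore Type";
    private static final String PROP_TLS_TRUSTSTORE = "TLS - Truststore";
    private static final String PROP_TLS_TRUSTSTORE_PASSWORD = "TLS - Truststore Password";
    private static final String PROP_TLS_TRUSTSTORE_TYPE = "TLS - Truststore Type";
    private static final String PROP_TLS_CLIENT_AUTH = "TLS - Client Auth";
    private static final String PROP_TLS_PROTOCOL = "TLS - Protocol";

    // JNDI environment keys populated from the configured timeouts and TLS settings.
    private static final String ENV_CONNECT_TIMEOUT = "com.sun.jndi.ldap.connect.timeout";
    private static final String ENV_READ_TIMEOUT = "com.sun.jndi.ldap.read.timeout";
    private static final String ENV_SECURITY_PROTOCOL = "java.naming.security.protocol";
    private static final String ENV_SOCKET_FACTORY = "java.naming.ldap.factory.socket";

    // Set by onConfigured(); null until then, which authenticate() reports as IdentityAccessException.
    private AbstractLdapAuthenticationProvider ldapAuthenticationProvider;
    // Expiration passed to every AuthenticationResponse, in milliseconds.
    private long expiration;
    // Whether responses carry the user's DN (USE_DN) or the authenticated name as the identity.
    private IdentityStrategy identityStrategy;

    /**
     * Reads the provider configuration and builds the LDAP authentication provider used by
     * {@link #authenticate(AuthenticationRequest)}.
     *
     * <p>Properties are validated in the order they are read: {@code Authentication Expiration}, the connect/read
     * timeouts, {@link LdapUserGroupProvider#PROP_AUTHENTICATION_STRATEGY} (with manager DN/password and TLS
     * settings for the non-anonymous strategies), {@link LdapUserGroupProvider#PROP_REFERRAL_STRATEGY},
     * {@link LdapUserGroupProvider#PROP_URL}, the user search base/filter and {@code Identity Strategy}
     * (defaults to {@link IdentityStrategy#USE_DN}). Each parse failure is reported against the property that
     * actually failed rather than being folded into an unrelated message.
     *
     * @param identityProviderConfigurationContext source of the configuration properties
     * @throws SecurityProviderCreationException if a required property is missing, a value cannot be parsed, or
     *         the Spring LDAP objects fail their own post-construction validation
     */
    public final void onConfigured(IdentityProviderConfigurationContext identityProviderConfigurationContext) throws SecurityProviderCreationException {
        final String rawExpiration = identityProviderConfigurationContext.getProperty(PROP_AUTHENTICATION_EXPIRATION);
        if (StringUtils.isBlank(rawExpiration)) {
            throw new SecurityProviderCreationException("The Authentication Expiration must be specified.");
        }
        try {
            this.expiration = FormatUtils.getTimeDuration(rawExpiration, TimeUnit.MILLISECONDS);
        } catch (final IllegalArgumentException e) {
            throw new SecurityProviderCreationException(String.format("The Expiration Duration '%s' is not a valid time duration", rawExpiration), e);
        }

        final LdapContextSource contextSource = new LdapContextSource();
        final Map<String, Object> baseEnvironment = new HashMap<>();
        setTimeout(identityProviderConfigurationContext, baseEnvironment, LdapUserGroupProvider.PROP_CONNECT_TIMEOUT, ENV_CONNECT_TIMEOUT);
        setTimeout(identityProviderConfigurationContext, baseEnvironment, LdapUserGroupProvider.PROP_READ_TIMEOUT, ENV_READ_TIMEOUT);

        final String rawAuthenticationStrategy = identityProviderConfigurationContext.getProperty(LdapUserGroupProvider.PROP_AUTHENTICATION_STRATEGY);
        final LdapAuthenticationStrategy authenticationStrategy = findConstant(LdapAuthenticationStrategy.class, rawAuthenticationStrategy)
                .orElseThrow(() -> new SecurityProviderCreationException(String.format(
                        "Unrecognized authentication strategy '%s'. Possible values are [%s]",
                        rawAuthenticationStrategy, StringUtils.join(LdapAuthenticationStrategy.values(), ", "))));
        configureAuthentication(identityProviderConfigurationContext, contextSource, baseEnvironment, authenticationStrategy);

        final String rawReferralStrategy = identityProviderConfigurationContext.getProperty(LdapUserGroupProvider.PROP_REFERRAL_STRATEGY);
        final ReferralStrategy referralStrategy = findConstant(ReferralStrategy.class, rawReferralStrategy)
                .orElseThrow(() -> new SecurityProviderCreationException(String.format(
                        "Unrecognized referral strategy '%s'. Possible values are [%s]",
                        rawReferralStrategy, StringUtils.join(ReferralStrategy.values(), ", "))));
        contextSource.setReferral(referralStrategy.getValue());

        final String rawUrls = identityProviderConfigurationContext.getProperty(LdapUserGroupProvider.PROP_URL);
        if (StringUtils.isBlank(rawUrls)) {
            throw new SecurityProviderCreationException("LDAP identity provider 'Url' must be specified.");
        }
        // Whitespace-separated list of server URLs.
        contextSource.setUrls(StringUtils.split(rawUrls));

        final String userSearchBase = identityProviderConfigurationContext.getProperty(LdapUserGroupProvider.PROP_USER_SEARCH_BASE);
        final String userSearchFilter = identityProviderConfigurationContext.getProperty(LdapUserGroupProvider.PROP_USER_SEARCH_FILTER);
        if (StringUtils.isBlank(userSearchBase) || StringUtils.isBlank(userSearchFilter)) {
            throw new SecurityProviderCreationException("LDAP identity provider 'User Search Base' and 'User Search Filter' must be specified.");
        }
        final FilterBasedLdapUserSearch userSearch = new FilterBasedLdapUserSearch(userSearchBase, userSearchFilter, contextSource);
        final BindAuthenticator bindAuthenticator = new BindAuthenticator(contextSource);
        bindAuthenticator.setUserSearch(userSearch);

        this.identityStrategy = parseIdentityStrategy(identityProviderConfigurationContext);

        if (!baseEnvironment.isEmpty()) {
            contextSource.setBaseEnvironmentProperties(baseEnvironment);
        }

        try {
            contextSource.afterPropertiesSet();
            bindAuthenticator.afterPropertiesSet();
            this.ldapAuthenticationProvider = new LdapAuthenticationProvider(bindAuthenticator);
        } catch (final Exception e) {
            throw new SecurityProviderCreationException(e.getMessage(), e);
        }
    }

    /**
     * Authenticates the supplied credentials against the directory.
     *
     * @param authenticationRequest username and credentials; the credentials object is passed to the
     *        {@link UsernamePasswordAuthenticationToken} unchanged
     * @return a response carrying the user's DN (or the authenticated name when the DN is unavailable or the
     *         strategy is not {@link IdentityStrategy#USE_DN}), or {@code null} for a null request / empty username
     * @throws InvalidCredentialsException if the directory rejects the credentials or cannot find the user; the
     *         message of the underlying directory exception is propagated, so callers that surface messages to end
     *         users should decide whether that is acceptable
     * @throws IdentityAccessException if the provider is not initialized or any other failure occurs while
     *         contacting the directory
     */
    public AuthenticationResponse authenticate(AuthenticationRequest authenticationRequest) throws InvalidCredentialsException, IdentityAccessException {
        if (authenticationRequest == null || StringUtils.isEmpty(authenticationRequest.getUsername())) {
            logger.debug("Call to authenticate method with null or empty authenticationRequest, returning null without attempting to authenticate");
            return null;
        }
        if (this.ldapAuthenticationProvider == null) {
            throw new IdentityAccessException("The LDAP authentication provider is not initialized.");
        }
        try {
            final String username = authenticationRequest.getUsername();
            final UsernamePasswordAuthenticationToken token =
                    new UsernamePasswordAuthenticationToken(username, authenticationRequest.getCredentials());
            final Authentication authentication = this.ldapAuthenticationProvider.authenticate(token);
            logger.debug("Created authentication token: {}", token);
            return toResponse(authentication, username);
        } catch (final AuthenticationException | BadCredentialsException | UsernameNotFoundException e) {
            // These catch clauses are siblings on purpose: an InvalidCredentialsException raised here must not be
            // re-caught by the generic handler below and turned into an IdentityAccessException.
            throw new InvalidCredentialsException(e.getMessage(), e);
        } catch (final Exception e) {
            // Some failures surface the directory's authentication error only as the cause.
            if (e.getCause() instanceof AuthenticationException) {
                throw new InvalidCredentialsException(e.getMessage(), e);
            }
            logger.error(e.getMessage());
            if (logger.isDebugEnabled()) {
                logger.debug("", e);
            }
            throw new IdentityAccessException("Unable to validate the supplied credentials. Please contact the system administrator.", e);
        }
    }

    /** Nothing to release: the Spring LDAP objects built in {@link #onConfigured} hold no resources this class tracks. */
    public final void preDestruction() throws SecurityProviderDestructionException {
    }

    /**
     * Builds the response for a successful authentication, using the DN as identity when the strategy is
     * {@link IdentityStrategy#USE_DN} and the principal exposes one.
     */
    private AuthenticationResponse toResponse(final Authentication authentication, final String username) {
        if (IdentityStrategy.USE_DN.equals(this.identityStrategy)) {
            final Object principal = authentication.getPrincipal();
            if (principal instanceof LdapUserDetails) {
                return new AuthenticationResponse(((LdapUserDetails) principal).getDn(), username, this.expiration, issuer);
            }
            logger.warn(String.format("Unable to determine user DN for %s, using username.", authentication.getName()));
        }
        return new AuthenticationResponse(authentication.getName(), username, this.expiration, issuer);
    }

    /**
     * Applies the bind strategy to the context source. Every strategy other than {@code ANONYMOUS} supplies the
     * manager DN/password to the context source; {@code LDAPS} and {@code START_TLS} additionally wire in the
     * configured SSL context when one is present.
     */
    private static void configureAuthentication(final IdentityProviderConfigurationContext context, final LdapContextSource contextSource,
            final Map<String, Object> baseEnvironment, final LdapAuthenticationStrategy strategy) {
        if (strategy == LdapAuthenticationStrategy.ANONYMOUS) {
            contextSource.setAnonymousReadOnly(true);
            return;
        }
        contextSource.setUserDn(context.getProperty(LdapUserGroupProvider.PROP_MANAGER_DN));
        contextSource.setPassword(context.getProperty(LdapUserGroupProvider.PROP_MANAGER_PASSWORD));
        switch (strategy) {
            case SIMPLE:
                contextSource.setAuthenticationStrategy(new SimpleDirContextAuthenticationStrategy());
                break;
            case LDAPS: {
                contextSource.setAuthenticationStrategy(new SimpleDirContextAuthenticationStrategy());
                baseEnvironment.put(ENV_SECURITY_PROTOCOL, "ssl");
                final SSLContext sslContext = getConfiguredSslContext(context);
                if (sslContext != null) {
                    // Without a configured SSL context the JNDI provider keeps its default socket factory.
                    LdapsSocketFactory.initialize(sslContext.getSocketFactory());
                    baseEnvironment.put(ENV_SOCKET_FACTORY, LdapsSocketFactory.class.getName());
                }
                break;
            }
            case START_TLS:
                contextSource.setAuthenticationStrategy(createStartTlsStrategy(context));
                break;
            default:
                break;
        }
    }

    /** Creates the StartTLS strategy, honouring the graceful-shutdown flag and the configured SSL context. */
    private static DefaultTlsDirContextAuthenticationStrategy createStartTlsStrategy(final IdentityProviderConfigurationContext context) {
        final DefaultTlsDirContextAuthenticationStrategy strategy = new DefaultTlsDirContextAuthenticationStrategy();
        final String rawShutdownGracefully = context.getProperty(PROP_TLS_SHUTDOWN_GRACEFULLY);
        if (StringUtils.isNotBlank(rawShutdownGracefully)) {
            // Only a case-insensitive "true" enables graceful shutdown; any other non-blank value disables it.
            strategy.setShutdownTlsGracefully(Boolean.parseBoolean(rawShutdownGracefully));
        }
        final SSLContext sslContext = getConfiguredSslContext(context);
        if (sslContext != null) {
            strategy.setSslSocketFactory(sslContext.getSocketFactory());
        }
        return strategy;
    }

    /** Resolves the identity strategy, defaulting to {@link IdentityStrategy#USE_DN} when the property is blank. */
    private static IdentityStrategy parseIdentityStrategy(final IdentityProviderConfigurationContext context) {
        final String rawIdentityStrategy = context.getProperty(PROP_IDENTITY_STRATEGY);
        if (StringUtils.isBlank(rawIdentityStrategy)) {
            logger.info(String.format("Identity Strategy is not configured, defaulting strategy to %s.", IdentityStrategy.USE_DN));
            return IdentityStrategy.USE_DN;
        }
        return findConstant(IdentityStrategy.class, rawIdentityStrategy)
                .orElseThrow(() -> new SecurityProviderCreationException(String.format(
                        "Unrecognized identity strategy '%s'. Possible values are [%s]",
                        rawIdentityStrategy, StringUtils.join(IdentityStrategy.values(), ", "))));
    }

    /**
     * Looks up an enum constant by exact name. Unlike {@code Enum.valueOf}, a null or unknown name yields an empty
     * result instead of an exception, so a missing property is reported like an unrecognized one.
     */
    private static <E extends Enum<E>> Optional<E> findConstant(final Class<E> type, final String name) {
        for (final E candidate : type.getEnumConstants()) {
            if (candidate.name().equals(name)) {
                return Optional.of(candidate);
            }
        }
        return Optional.empty();
    }

    /**
     * Copies a configured timeout into the JNDI environment as a decimal millisecond string (the form the
     * {@code com.sun.jndi.ldap.*.timeout} properties take). A blank property leaves the environment untouched.
     *
     * @throws SecurityProviderCreationException if the value is not a valid time duration
     */
    private static void setTimeout(final IdentityProviderConfigurationContext context, final Map<String, Object> baseEnvironment,
            final String propertyName, final String environmentKey) {
        final String rawTimeout = context.getProperty(propertyName);
        if (StringUtils.isBlank(rawTimeout)) {
            return;
        }
        try {
            baseEnvironment.put(environmentKey, Long.toString(FormatUtils.getTimeDuration(rawTimeout, TimeUnit.MILLISECONDS)));
        } catch (final IllegalArgumentException e) {
            throw new SecurityProviderCreationException(String.format("The %s '%s' is not a valid time duration", propertyName, rawTimeout), e);
        }
    }

    /**
     * Builds the SSL context from the {@code TLS - *} properties.
     *
     * @return {@code null} when neither a keystore nor a truststore is configured; otherwise a context built from
     *         whichever of the two (or both, with the configured client-auth mode) is present
     * @throws SecurityProviderCreationException if {@code TLS - Protocol} is missing, a password for a configured
     *         store is missing, the client-auth value is unrecognized, or the key material cannot be loaded
     */
    private static SSLContext getConfiguredSslContext(final IdentityProviderConfigurationContext context) {
        final String keystore = context.getProperty(PROP_TLS_KEYSTORE);
        final String keystorePassword = context.getProperty(PROP_TLS_KEYSTORE_PASSWORD);
        final String keystoreType = context.getProperty(PROP_TLS_KEYSTORE_TYPE);
        final String truststore = context.getProperty(PROP_TLS_TRUSTSTORE);
        final String truststorePassword = context.getProperty(PROP_TLS_TRUSTSTORE_PASSWORD);
        final String truststoreType = context.getProperty(PROP_TLS_TRUSTSTORE_TYPE);
        final String rawClientAuth = context.getProperty(PROP_TLS_CLIENT_AUTH);
        final String protocol = context.getProperty(PROP_TLS_PROTOCOL);

        final boolean hasKeystore = StringUtils.isNotBlank(keystore);
        final boolean hasTruststore = StringUtils.isNotBlank(truststore);
        if (!hasKeystore && !hasTruststore) {
            return null;
        }
        if (StringUtils.isBlank(protocol)) {
            throw new SecurityProviderCreationException("TLS - Protocol must be specified.");
        }
        try {
            if (!hasKeystore) {
                return SslContextFactory.createTrustSslContext(truststore,
                        passwordChars(truststorePassword, PROP_TLS_TRUSTSTORE_PASSWORD), truststoreType, protocol);
            }
            if (!hasTruststore) {
                return SslContextFactory.createSslContext(keystore,
                        passwordChars(keystorePassword, PROP_TLS_KEYSTORE_PASSWORD), keystoreType, protocol);
            }
            // Client auth only matters when both stores are present; blank means NONE.
            final SslContextFactory.ClientAuth clientAuth = StringUtils.isBlank(rawClientAuth)
                    ? SslContextFactory.ClientAuth.NONE
                    : findConstant(SslContextFactory.ClientAuth.class, rawClientAuth)
                            .orElseThrow(() -> new SecurityProviderCreationException(String.format(
                                    "Unrecognized client auth '%s'. Possible values are [%s]",
                                    rawClientAuth, StringUtils.join(SslContextFactory.ClientAuth.values(), ", "))));
            return SslContextFactory.createSslContext(keystore,
                    passwordChars(keystorePassword, PROP_TLS_KEYSTORE_PASSWORD), keystoreType,
                    truststore, passwordChars(truststorePassword, PROP_TLS_TRUSTSTORE_PASSWORD), truststoreType,
                    clientAuth, protocol);
        } catch (IOException | KeyManagementException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException e) {
            throw new SecurityProviderCreationException(e.getMessage(), e);
        }
    }

    /**
     * Converts a store password to the char array the factory expects. A missing password for a configured store
     * previously failed with a NullPointerException; it is now reported as a configuration error. An empty string
     * is passed through as an empty array.
     */
    private static char[] passwordChars(final String rawPassword, final String propertyName) {
        if (rawPassword == null) {
            throw new SecurityProviderCreationException(propertyName + " must be specified.");
        }
        return rawPassword.toCharArray();
    }
}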
