package org.apache.hive.service.auth;

import java.util.ArrayList;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.ListIterator;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.sasl.AuthenticationException;
import org.apache.commons.configuration.tree.DefaultExpressionEngine;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.metrics2.sink.ganglia.AbstractGangliaSink;
import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
import org.apache.hive.service.ServiceUtils;
import org.apache.thrift.protocol.TMultiplexedProtocol;
import org.slf4j.Marker;

/* loaded from: input_file:org/apache/hive/service/auth/LdapAuthenticationProviderImpl.class */
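/**
 * Password authentication provider that validates a user by performing an LDAP simple bind and,
 * optionally, by checking the bound user against a custom query, a user allow-list and a group
 * allow-list taken from {@link HiveConf}.
 *
 * <p>Review notes for maintainers:
 * <ul>
 *   <li>The bind uses the "simple" mechanism, so the password travels in clear text unless the
 *       configured URL uses {@code ldaps://}. This class does not request StartTLS.</li>
 *   <li>Empty passwords are rejected before binding because many directory servers treat a
 *       simple bind with an empty password as an unauthenticated bind that succeeds.</li>
 *   <li>Names supplied by the client are escaped before they are placed into search filters
 *       (RFC 4515) or into a bind DN (RFC 2253), so metacharacters in a login name cannot change
 *       the structure of the filter or DN.</li>
 *   <li>The pattern and filter lists are {@code static} but are re-assigned by every call to
 *       {@link #init(HiveConf)}. They are now built locally and published fully populated, but
 *       they remain shared mutable state. NOTE(review): confirm how instances are created and
 *       whether the fields should become per-instance.</li>
 * </ul>
 */
public class LdapAuthenticationProviderImpl implements PasswdAuthenticationProvider {
    private static final Log LOG = LogFactory.getLog(LdapAuthenticationProviderImpl.class);

    // The decompiler replaced inlined string literals with unrelated library constants that
    // happen to hold the same value. They are aliased here under descriptive names; the
    // referenced constants are unchanged, so the compiled values are unchanged too.
    /** Separator between DN patterns in the configuration (presumably ":"). */
    private static final String PATTERN_SEPARATOR = TMultiplexedProtocol.SEPARATOR;
    /** Attribute/value separator inside an RDN or filter item (presumably "="). */
    private static final String EQ = AbstractGangliaSink.EQUAL;
    /** JNDI authentication mechanism name (presumably "simple"). */
    private static final String BIND_MECHANISM = PseudoAuthenticationHandler.TYPE;
    /** Opening delimiter of a search filter (presumably "("). */
    private static final String FILTER_OPEN = DefaultExpressionEngine.DEFAULT_INDEX_START;
    /** Closing delimiter of a search filter (presumably ")"). */
    private static final String FILTER_CLOSE = DefaultExpressionEngine.DEFAULT_INDEX_END;
    /** Joiner used when dumping multi-valued attributes (presumably "+"). */
    private static final String VALUE_JOINER = Marker.ANY_NON_NULL_MARKER;

    private String ldapURL;
    private String baseDN;
    private String ldapDomain;
    private static List<String> groupBases;
    private static List<String> userBases;
    private static List<String> userFilter;
    private static List<String> groupFilter;
    private String customQuery;
    private static String guid_attr;
    private static String groupMembership_attr;
    private static String groupClass_attr;

    /**
     * Creates a provider configured from a fresh {@link HiveConf}.
     *
     * <p>The decompiler reported that this constructor was package-private in the original
     * class; it is kept public here to match the decompiled listing.
     */
    public LdapAuthenticationProviderImpl() {
        init(new HiveConf());
    }

    /**
     * Loads the LDAP settings from the given configuration.
     *
     * <p>Instance fields receive the URL, base DN, domain and custom query. The static fields
     * receive the key attribute names and the parsed DN-pattern and filter lists.
     *
     * @param hiveConf configuration to read the LDAP settings from
     */
    protected void init(HiveConf hiveConf) {
        this.ldapURL = hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_URL);
        this.baseDN = hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_BASEDN);
        this.ldapDomain = hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_DOMAIN);
        this.customQuery = hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_CUSTOMLDAPQUERY);
        guid_attr = hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GUIDKEY);
        groupMembership_attr = hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPMEMBERSHIP_KEY);
        groupClass_attr = hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPCLASS_KEY);

        String groupDnPatterns = hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPDNPATTERN);
        String groupFilterConf = hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPFILTER);
        String userDnPatterns = hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERDNPATTERN);
        String userFilterConf = hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERFILTER);

        // Build every list locally and publish it only once it is complete. The original code
        // assigned an empty list to the static field first and filled it afterwards, so another
        // thread could observe an empty allow-list while this method was still running.
        List<String> parsedGroupBases =
                parseDnPatterns(groupDnPatterns, HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPDNPATTERN);
        List<String> parsedGroupFilter = parseFilterList(groupFilterConf, "Filtered group: ");
        List<String> parsedUserBases =
                parseDnPatterns(userDnPatterns, HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERDNPATTERN);
        List<String> parsedUserFilter = parseFilterList(userFilterConf, "Filtered user: ");

        // Authenticate() returns success right after the bind when there are no user DN
        // patterns, before either allow-list is consulted. Make that configuration visible.
        if (parsedUserBases.isEmpty() && (!parsedUserFilter.isEmpty() || !parsedGroupFilter.isEmpty())) {
            LOG.warn("LDAP user/group filters are configured but no user DN pattern or base DN is set;"
                    + " the filters will not be enforced");
        }

        groupBases = parsedGroupBases;
        groupFilter = parsedGroupFilter;
        userBases = parsedUserBases;
        userFilter = parsedUserFilter;
    }

    /**
     * Splits a configured list of DN patterns and keeps the entries that look like a DN.
     * An entry is kept only when it contains both a comma and the attribute/value separator.
     * When nothing is configured, a single pattern derived from the GUID attribute and the
     * base DN is used, provided a base DN is set.
     */
    private List<String> parseDnPatterns(String configured, HiveConf.ConfVars key) {
        List<String> patterns = new ArrayList<String>();
        if (configured != null && configured.trim().length() > 0) {
            for (String candidate : configured.split(PATTERN_SEPARATOR)) {
                if (candidate.contains(",") && candidate.contains(EQ)) {
                    patterns.add(candidate);
                } else {
                    LOG.warn("Unexpected format for " + key + "..ignoring " + candidate);
                }
            }
        } else if (this.baseDN != null) {
            patterns.add(guid_attr + "=%s," + this.baseDN);
        }
        return patterns;
    }

    /** Splits a comma-separated allow-list; entries are kept exactly as written (not trimmed). */
    private static List<String> parseFilterList(String configured, String debugPrefix) {
        List<String> entries = new ArrayList<String>();
        if (configured != null && configured.trim().length() > 0) {
            for (String entry : configured.split(",")) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug(debugPrefix + entry);
                }
                entries.add(entry);
            }
        }
        return entries;
    }

    /**
     * Authenticates a user with an LDAP simple bind and then applies the configured checks.
     *
     * <p>Order of checks after a successful bind: custom query (if configured), then user
     * lookup, then user allow-list, then group allow-list. When no user DN patterns are
     * available the method succeeds on the bind alone.
     *
     * <p>The decompiler had duplicated the context-closing code on every exit path; it is
     * folded back into a single {@code finally} block here.
     *
     * @param str  login name, {@code name@domain}, or a full DN
     * @param str2 password; must be non-empty
     * @throws AuthenticationException if the bind fails or a configured check rejects the user
     */
    @Override // org.apache.hive.service.auth.PasswdAuthenticationProvider
    public void Authenticate(String str, String str2) throws AuthenticationException {
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        env.put("java.naming.provider.url", this.ldapURL);
        if (!hasDomain(str) && this.ldapDomain != null) {
            str = str + "@" + this.ldapDomain;
        }
        // Reject empty or NUL-leading passwords before contacting the directory: a simple bind
        // with an empty password is commonly accepted by servers as an unauthenticated bind.
        if (str2 == null || str2.isEmpty() || str2.charAt(0) == '\0') {
            throw new AuthenticationException("Error validating LDAP user: a null or blank password has been provided");
        }
        env.put("java.naming.security.authentication", BIND_MECHANISM);
        env.put("java.naming.security.credentials", str2);

        // Work on one snapshot of the shared lists for the whole call.
        final List<String> userDnPatterns = userBases;
        final List<String> allowedUsers = userFilter;
        final List<String> allowedGroups = groupFilter;

        InitialDirContext ctx = null;
        NamingException bindFailure = null;
        if (isDN(str) || hasDomain(str) || userDnPatterns.size() <= 0) {
            env.put("java.naming.security.principal", str);
            LOG.debug("Connecting using principal " + str + " at url " + this.ldapURL);
            try {
                ctx = new InitialDirContext(env);
            } catch (NamingException e) {
                bindFailure = e;
            }
        } else {
            // Escape the login name for use as an RDN value, and substitute it literally:
            // replaceAll() would interpret '$' and '\' in the name as regex replacement syntax.
            String rdnValue = javax.naming.ldap.Rdn.escapeValue(str);
            for (String pattern : userDnPatterns) {
                try {
                    String candidateDn = pattern.replace("%s", rdnValue);
                    env.put("java.naming.security.principal", candidateDn);
                    LOG.debug("Connecting using DN " + candidateDn + " at url " + this.ldapURL);
                    ctx = new InitialDirContext(env);
                    break;
                } catch (NamingException e) {
                    bindFailure = e;
                }
            }
        }
        if (ctx == null) {
            LOG.debug("Could not connect to the LDAP Server:Authentication failed for " + str);
            throw new AuthenticationException("LDAP Authentication failed for user", bindFailure);
        }
        LOG.debug("Connected using principal=" + str + " at url=" + this.ldapURL);
        try {
            String userName = (isDN(str) || hasDomain(str)) ? extractName(str) : str;
            if (this.customQuery != null) {
                List<String> matches = executeLDAPQuery(ctx, this.customQuery, this.baseDN);
                if (matches != null) {
                    for (String dn : matches) {
                        String firstRdnValue = dn.split(",", 2)[0].split(EQ, 2)[1];
                        LOG.info("<queried user=" + firstRdnValue + ",user=" + str + ">");
                        // NOTE(review): the comparison uses the principal as bound (which may
                        // carry the appended "@domain"), not the extracted short name.
                        if (firstRdnValue.equalsIgnoreCase(str) || dn.equalsIgnoreCase(str)) {
                            LOG.info("Authentication succeeded based on result set from LDAP query");
                            return;
                        }
                    }
                }
                LOG.info("Authentication failed based on result set from custom LDAP query");
                throw new AuthenticationException("Authentication failed: LDAP query from property returned no data");
            }
            if (userDnPatterns.size() <= 0) {
                // No user DN pattern and no base DN: the bind is the only check performed, and
                // the user and group allow-lists below are never reached.
                LOG.info("Simple password authentication succeeded");
                return;
            }
            String userDn;
            if (isDN(str)) {
                userDn = findUserDNByDN(ctx, str);
            } else {
                userDn = findUserDNByPattern(ctx, userName);
                if (userDn == null) {
                    userDn = findUserDNByName(ctx, userName);
                }
            }
            if (userDn == null) {
                throw new AuthenticationException("Authentication failed: User search failed");
            }
            if (allowedUsers.size() > 0) {
                LOG.info("Authenticating user " + str + " using user filter");
                LOG.info("User filter partially satisfied");
                boolean allowed = false;
                for (String candidate : allowedUsers) {
                    if (candidate.equalsIgnoreCase(userName)) {
                        LOG.debug("User filter entirely satisfied");
                        allowed = true;
                        break;
                    }
                }
                if (!allowed) {
                    LOG.info("Authentication failed based on user membership");
                    throw new AuthenticationException("Authentication failed: User not a member of specified list");
                }
            }
            if (allowedGroups.size() <= 0) {
                LOG.info("Authentication succeeded using ldap user search");
                return;
            }
            LOG.debug("Authenticating user " + str + " using group membership");
            List<String> groups = getGroupsForUser(ctx, userDn);
            if (LOG.isDebugEnabled()) {
                LOG.debug("User member of :");
                prettyPrint(groups);
            }
            if (groups != null) {
                for (String groupDn : groups) {
                    // Compare the value of the group's first RDN against the allow-list.
                    if (allowedGroups.contains(groupDn.split(",")[0].split(EQ)[1])) {
                        LOG.info("Authentication succeeded based on group membership");
                        return;
                    }
                }
            }
            LOG.debug("Authentication failed: User is not a member of configured groups");
            throw new AuthenticationException("Authentication failed: User not a member of listed groups");
        } catch (NamingException e) {
            throw new AuthenticationException("LDAP Authentication failed for user", e);
        } finally {
            closeContext(ctx);
        }
    }

    /** Closes the bound context; a failure to close is logged and never masks the outcome. */
    private static void closeContext(DirContext ctx) {
        if (ctx == null) {
            return;
        }
        try {
            ctx.close();
        } catch (Exception e) {
            LOG.warn("Exception when closing LDAP context:" + e.getMessage());
        }
    }

    /** Releases a search result enumeration; close failures are logged at debug level only. */
    private static void closeQuietly(NamingEnumeration<?> results) {
        if (results == null) {
            return;
        }
        try {
            results.close();
        } catch (NamingException e) {
            LOG.debug("Exception when closing LDAP search results:" + e.getMessage());
        }
    }

    /**
     * Escapes a value for use as an assertion value inside an LDAP search filter (RFC 4515):
     * backslash, asterisk, both parentheses and NUL are replaced by their hex escapes.
     * A {@code null} input is returned unchanged.
     */
    private static String escapeFilterValue(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder escaped = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\':
                    escaped.append("\\5c");
                    break;
                case '*':
                    escaped.append("\\2a");
                    break;
                case '(':
                    escaped.append("\\28");
                    break;
                case ')':
                    escaped.append("\\29");
                    break;
                case '\0':
                    escaped.append("\\00");
                    break;
                default:
                    escaped.append(c);
            }
        }
        return escaped.toString();
    }

    /** Returns true when the text is non-empty and uses only letters, digits, '-', '.' and ';'. */
    private static boolean isAttributeName(String text) {
        if (text.isEmpty()) {
            return false;
        }
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            boolean allowed = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
                    || c == '-' || c == '.' || c == ';';
            if (!allowed) {
                return false;
            }
        }
        return true;
    }

    private boolean hasDomain(String str) {
        return ServiceUtils.indexOfDomainMatch(str) > 0;
    }

    /** Writes each list entry to the debug log on its own indented line. */
    private static void prettyPrint(List<String> list) {
        for (String entry : list) {
            LOG.debug("    " + entry);
        }
    }

    /**
     * Dumps every attribute and its values to the debug log.
     *
     * <p>Values are logged verbatim, so this should not be pointed at entries that were fetched
     * with sensitive attributes. Read errors are logged and end the dump.
     */
    private static void prettyPrint(Attributes attributes) {
        NamingEnumeration<? extends Attribute> all = attributes.getAll();
        try {
            while (all.hasMore()) {
                Attribute attribute = all.next();
                NamingEnumeration<?> values = attribute.getAll();
                StringBuilder joined = new StringBuilder();
                while (values.hasMore()) {
                    joined.append(values.next()).append(VALUE_JOINER);
                }
                LOG.debug(attribute.getID() + ":::" + joined);
            }
        } catch (Exception e) {
            // Report through the logger rather than standard output.
            LOG.warn("Error occurred when reading ldap data:" + e.getMessage());
        }
    }

    /**
     * Looks up a group by name under the given base.
     *
     * @param dirContext bound context to search with
     * @param str        search base
     * @param str2       raw (unescaped) group name; it is escaped before being placed in the filter
     * @return the group DN, or {@code null} when there is no match or more than one match
     * @throws NamingException if the search fails
     */
    public static String findGroupDNByName(DirContext dirContext, String str, String str2) throws NamingException {
        String filter = "(&(objectClass=" + groupClass_attr + ")(" + guid_attr + EQ + escapeFilterValue(str2) + "))";
        List<String> matches = findDNByName(dirContext, str, filter, 2);
        if (matches == null) {
            return null;
        }
        if (matches.size() <= 1) {
            return matches.get(0);
        }
        LOG.info("Matched multiple groups for the group: " + str2 + ",returning null");
        return null;
    }

    /** Resolves a group name to a DN using the configured group DN patterns. */
    public static String findGroupDNByPattern(DirContext dirContext, String str) throws NamingException {
        return findDNByPattern(dirContext, str, groupBases);
    }

    /**
     * Resolves a name to a DN by trying each DN pattern in turn.
     *
     * <p>For a pattern such as {@code attr=%s,base}, the part after the first comma is the
     * search base and the part before it, with {@code %s} replaced, is the filter.
     *
     * @param dirContext bound context to search with
     * @param str        raw (unescaped) name; it is escaped before being placed in the filter
     * @param list       DN patterns, each containing at least one comma
     * @return the DN of the single match for the first pattern that yields results, or
     *         {@code null} when nothing matches or that pattern matches more than one entry
     * @throws NamingException if a search fails
     */
    public static String findDNByPattern(DirContext dirContext, String str, List<String> list) throws NamingException {
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(2);
        searchControls.setReturningAttributes(new String[0]);
        String filterValue = escapeFilterValue(str);
        for (String pattern : list) {
            String searchBase = pattern.split(",", 2)[1];
            // Literal replace(): replaceAll() would treat '$' and '\' in the name as regex syntax.
            String filter = FILTER_OPEN + pattern.substring(0, pattern.indexOf(",")).replace("%s", filterValue) + FILTER_CLOSE;
            NamingEnumeration<SearchResult> results = dirContext.search(searchBase, filter, searchControls);
            try {
                if (results.hasMoreElements()) {
                    SearchResult first = results.nextElement();
                    if (!results.hasMoreElements()) {
                        return first.getNameInNamespace();
                    }
                    LOG.warn("Matched multiple entities for the name: " + str);
                    return null;
                }
            } finally {
                closeQuietly(results);
            }
        }
        return null;
    }

    /**
     * Looks up a user by {@code uid} or {@code sAMAccountName} under each user base.
     *
     * <p>The decompiled code also built a second, substring filter on {@code cn}, but it shared
     * one iterator over the user bases with the first filter, so that second filter never
     * reached the directory. Only the filter that actually ran is kept. NOTE(review): adding a
     * substring match on {@code cn} would loosen which entry a login name resolves to and
     * should be a deliberate decision.
     *
     * @param dirContext bound context to search with
     * @param str        raw (unescaped) user name; it is escaped before being placed in the filter
     * @return the user DN, or {@code null} when there is no match or more than one match
     * @throws NamingException if a search fails
     */
    public static String findUserDNByName(DirContext dirContext, String str) throws NamingException {
        if (userBases.size() == 0) {
            return null;
        }
        String filterValue = escapeFilterValue(str);
        String filter = "(&(|(objectClass=person)(objectClass=user)(objectClass=inetOrgPerson))"
                + "(|(uid=" + filterValue + ")(sAMAccountName=" + filterValue + ")))";
        for (String pattern : userBases) {
            List<String> matches = findDNByName(dirContext, pattern.split(",", 2)[1], filter, 2);
            if (matches != null) {
                if (matches.size() <= 1) {
                    return matches.get(0);
                }
                LOG.info("Matched multiple users for the user: " + str + ",returning null");
                return null;
            }
        }
        return null;
    }

    /**
     * Confirms that a DN supplied by the client names exactly one person entry.
     *
     * <p>The first RDN is turned into a filter and searched under the rest of the DN. The
     * attribute name must be a plain attribute description and the value is escaped, so the
     * supplied text cannot add filter clauses. Input with no comma, or whose first RDN has no
     * attribute/value separator, yields {@code null} instead of an unchecked exception.
     *
     * @param dirContext bound context to search with
     * @param str        DN as supplied by the client
     * @return the matching DN, or {@code null} when the input is not a usable DN, nothing
     *         matches, or more than one entry matches
     * @throws NamingException if the search fails
     */
    public static String findUserDNByDN(DirContext dirContext, String str) throws NamingException {
        if (!isDN(str)) {
            return null;
        }
        int comma = str.indexOf(",");
        if (comma < 0) {
            return null;
        }
        String firstRdn = str.substring(0, comma);
        int eq = firstRdn.indexOf(EQ);
        if (eq < 0) {
            return null;
        }
        String attribute = firstRdn.substring(0, eq).trim();
        if (!isAttributeName(attribute)) {
            return null;
        }
        String filter = "(&(|(objectClass=person)(objectClass=user)(objectClass=inetOrgPerson))("
                + attribute + EQ + escapeFilterValue(firstRdn.substring(eq + EQ.length())) + "))";
        List<String> matches = findDNByName(dirContext, extractBaseDN(str), filter, 2);
        if (matches == null) {
            return null;
        }
        if (matches.size() <= 1) {
            return matches.get(0);
        }
        LOG.info("Matched multiple users for the user: " + str + ",returning null");
        return null;
    }

    /**
     * Runs a subtree search and returns the DNs of the matching entries.
     *
     * @param dirContext bound context to search with
     * @param str        search base
     * @param str2       complete search filter; the caller is responsible for escaping values in it
     * @param i          maximum number of entries to request; values of 0 or less set no limit
     * @return the matching DNs, or {@code null} (not an empty list) when nothing matched
     * @throws NamingException if the search fails
     */
    public static List<String> findDNByName(DirContext dirContext, String str, String str2, int i) throws NamingException {
        List<String> found = null;
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(2);
        searchControls.setReturningAttributes(new String[0]);
        if (i > 0) {
            searchControls.setCountLimit(i);
        }
        NamingEnumeration<SearchResult> results = dirContext.search(str, str2, searchControls);
        try {
            while (results.hasMoreElements()) {
                String dn = results.nextElement().getNameInNamespace();
                if (found == null) {
                    found = new ArrayList<String>();
                }
                found.add(dn);
            }
        } finally {
            closeQuietly(results);
        }
        return found;
    }

    /** Resolves a user name to a DN using the configured user DN patterns. */
    public static String findUserDNByPattern(DirContext dirContext, String str) throws NamingException {
        return findDNByPattern(dirContext, str, userBases);
    }

    /**
     * Collects the DNs of the groups that list the user as a member.
     *
     * <p>The membership attribute is matched against both the full user DN and the short name
     * extracted from it; both are escaped for the filter. A failed search under one group base
     * is logged and the remaining bases are still searched.
     *
     * @param dirContext bound context to search with
     * @param str        user DN
     * @return group DNs found under the configured group bases; never {@code null}
     * @throws NamingException declared for callers; search failures are logged, not rethrown
     */
    public static List<String> getGroupsForUser(DirContext dirContext, String str) throws NamingException {
        List<String> groups = new ArrayList<String>();
        String filter = "(&(objectClass=" + groupClass_attr + ")(|(" + groupMembership_attr + EQ + escapeFilterValue(str)
                + ")(" + groupMembership_attr + EQ + escapeFilterValue(extractName(str)) + ")))";
        SearchControls searchControls = new SearchControls();
        LOG.debug("getGroupsForUser:searchFilter=" + filter);
        searchControls.setSearchScope(2);
        searchControls.setReturningAttributes(new String[0]);
        for (String pattern : groupBases) {
            NamingEnumeration<SearchResult> results = null;
            try {
                String searchBase = pattern.split(",", 2)[1];
                LOG.debug("Searching for groups under " + searchBase);
                results = dirContext.search(searchBase, filter, searchControls);
                while (results.hasMoreElements()) {
                    SearchResult group = results.nextElement();
                    LOG.debug("Found Group:" + group.getNameInNamespace());
                    groups.add(group.getNameInNamespace());
                }
            } catch (NamingException e) {
                LOG.warn("Exception searching for user groups", e);
            } finally {
                closeQuietly(results);
            }
        }
        return groups;
    }

    /**
     * Runs the configured custom query under the base DN.
     *
     * <p>The query text comes from configuration and is passed to the directory unchanged.
     *
     * @param dirContext bound context to search with
     * @param str        search filter
     * @param str2       search base; when {@code null} no search is performed
     * @return DNs of the matching entries, or {@code null} when no base DN was given
     * @throws NamingException if the search fails
     */
    public static List<String> executeLDAPQuery(DirContext dirContext, String str, String str2) throws NamingException {
        if (str2 == null) {
            return null;
        }
        SearchControls searchControls = new SearchControls();
        List<String> dns = new ArrayList<String>();
        searchControls.setSearchScope(2);
        searchControls.setReturningAttributes(new String[0]);
        LOG.info("Using a user specified LDAP query for adjudication:" + str + ",baseDN=" + str2);
        NamingEnumeration<SearchResult> results = dirContext.search(str2, str, searchControls);
        try {
            while (results.hasMoreElements()) {
                dns.add(results.nextElement().getNameInNamespace());
                LOG.debug("LDAPAtn:executeLDAPQuery()::Return set size " + dns.get(dns.size() - 1));
            }
        } finally {
            closeQuietly(results);
        }
        return dns;
    }

    /**
     * Reports whether the text is treated as a DN, which here means only that it contains the
     * attribute/value separator. No further DN syntax is checked.
     */
    public static boolean isDN(String str) {
        return str.indexOf(EQ) > -1;
    }

    /**
     * Extracts the short user name from a {@code name@domain} principal or from a DN.
     *
     * <p>For a DN the result is the text between the first separator and the next comma after
     * it. When no comma follows, the rest of the string is returned; the decompiled code threw
     * {@code StringIndexOutOfBoundsException} in that case.
     *
     * @param str principal or DN
     * @return the short name, or {@code str} itself when it is neither form
     */
    public static String extractName(String str) {
        int domainIndex = ServiceUtils.indexOfDomainMatch(str);
        if (domainIndex > 0) {
            return str.substring(0, domainIndex);
        }
        int eq = str.indexOf(EQ);
        if (eq < 0) {
            return str;
        }
        int valueStart = eq + 1;
        int comma = str.indexOf(",", valueStart);
        return comma > -1 ? str.substring(valueStart, comma) : str.substring(valueStart);
    }

    /** Returns everything after the first comma, or {@code null} when there is no comma. */
    public static String extractBaseDN(String str) {
        int comma = str.indexOf(",");
        if (comma > -1) {
            return str.substring(comma + 1);
        }
        return null;
    }
}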
