package io.trino.plugin.password.ldap;

import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import io.airlift.log.Logger;
import io.trino.plugin.base.ssl.SslUtils;
import io.trino.plugin.password.jndi.JndiUtils;
import io.trino.spi.security.AccessDeniedException;
import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import javax.inject.Inject;
import javax.naming.AuthenticationException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.net.ssl.SSLContext;

/* loaded from: input_file:io/trino/plugin/password/ldap/JdkLdapAuthenticatorClient.class */
public class JdkLdapAuthenticatorClient implements LdapAuthenticatorClient {
    private static final Logger log = Logger.get(JdkLdapAuthenticatorClient.class);
    private final Map<String, String> basicEnvironment;
    private final Optional<SSLContext> sslContext;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/trino/plugin/password/ldap/JdkLdapAuthenticatorClient$CloseableContext.class */
    public static class CloseableContext implements AutoCloseable {
        private final DirContext context;

        public CloseableContext(DirContext dirContext) {
            this.context = (DirContext) Objects.requireNonNull(dirContext, "context is null");
        }

        public NamingEnumeration<SearchResult> search(String str, String str2, SearchControls searchControls) throws NamingException {
            return this.context.search(str, str2, searchControls);
        }

        @Override // java.lang.AutoCloseable
        public void close() throws NamingException {
            this.context.close();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/trino/plugin/password/ldap/JdkLdapAuthenticatorClient$CloseableSearchResults.class */
    public static class CloseableSearchResults implements AutoCloseable {
        private final NamingEnumeration<SearchResult> searchResults;

        public CloseableSearchResults(NamingEnumeration<SearchResult> namingEnumeration) {
            this.searchResults = (NamingEnumeration) Objects.requireNonNull(namingEnumeration, "searchResults is null");
        }

        public SearchResult next() throws NamingException {
            return (SearchResult) this.searchResults.next();
        }

        public boolean hasMore() throws NamingException {
            return this.searchResults.hasMore();
        }

        @Override // java.lang.AutoCloseable
        public void close() throws NamingException {
            this.searchResults.close();
        }
    }

    @Inject
    public JdkLdapAuthenticatorClient(LdapConfig ldapConfig) {
        String str = (String) Objects.requireNonNull(ldapConfig.getLdapUrl(), "ldapUrl is null");
        if (str.startsWith("ldap://")) {
            log.warn("Passwords will be sent in the clear to the LDAP server. Please consider using SSL to connect.");
        }
        ImmutableMap.Builder builder = ImmutableMap.builder();
        builder.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory").put("java.naming.provider.url", str).put("java.naming.referral", ldapConfig.isIgnoreReferrals() ? "ignore" : "follow");
        ldapConfig.getLdapConnectionTimeout().map((v0) -> {
            return v0.toMillis();
        }).map((v0) -> {
            return String.valueOf(v0);
        }).ifPresent(str2 -> {
            builder.put("com.sun.jndi.ldap.connect.timeout", str2);
        });
        ldapConfig.getLdapReadTimeout().map((v0) -> {
            return v0.toMillis();
        }).map((v0) -> {
            return String.valueOf(v0);
        }).ifPresent(str3 -> {
            builder.put("com.sun.jndi.ldap.read.timeout", str3);
        });
        this.basicEnvironment = builder.buildOrThrow();
        this.sslContext = createSslContext(ldapConfig.getKeystorePath(), ldapConfig.getKeystorePassword(), ldapConfig.getTrustStorePath(), ldapConfig.getTruststorePassword());
    }

    @Override // io.trino.plugin.password.ldap.LdapAuthenticatorClient
    public void validatePassword(String str, String str2) throws NamingException {
        createUserDirContext(str, str2).close();
    }

    @Override // io.trino.plugin.password.ldap.LdapAuthenticatorClient
    public boolean isGroupMember(String str, String str2, String str3, String str4) throws NamingException {
        CloseableContext createUserDirContext = createUserDirContext(str3, str4);
        try {
            CloseableSearchResults searchContext = searchContext(str, str2, createUserDirContext);
            try {
                boolean hasMore = searchContext.hasMore();
                if (searchContext != null) {
                    searchContext.close();
                }
                if (createUserDirContext != null) {
                    createUserDirContext.close();
                }
                return hasMore;
            } finally {
            }
        } catch (Throwable th) {
            if (createUserDirContext != null) {
                try {
                    createUserDirContext.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Override // io.trino.plugin.password.ldap.LdapAuthenticatorClient
    public Set<String> lookupUserDistinguishedNames(String str, String str2, String str3, String str4) throws NamingException {
        CloseableContext createUserDirContext = createUserDirContext(str3, str4);
        try {
            CloseableSearchResults searchContext = searchContext(str, str2, createUserDirContext);
            try {
                ImmutableSet.Builder builder = ImmutableSet.builder();
                while (searchContext.hasMore()) {
                    builder.add(searchContext.next().getNameInNamespace());
                }
                ImmutableSet build = builder.build();
                if (searchContext != null) {
                    searchContext.close();
                }
                if (createUserDirContext != null) {
                    createUserDirContext.close();
                }
                return build;
            } finally {
            }
        } catch (Throwable th) {
            if (createUserDirContext != null) {
                try {
                    createUserDirContext.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private static CloseableSearchResults searchContext(String str, String str2, CloseableContext closeableContext) throws NamingException {
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(2);
        return new CloseableSearchResults(closeableContext.search(str, str2, searchControls));
    }

    private CloseableContext createUserDirContext(String str, String str2) throws NamingException {
        try {
            DirContext createDirContext = JndiUtils.createDirContext(createEnvironment(str, str2));
            log.debug("Password validation successful for user DN [%s]", new Object[]{str});
            return new CloseableContext(createDirContext);
        } catch (AuthenticationException e) {
            log.debug("Password validation failed for user DN [%s]: %s", new Object[]{str, e.getMessage()});
            throw new AccessDeniedException("Invalid credentials");
        }
    }

    private Map<String, String> createEnvironment(String str, String str2) {
        ImmutableMap.Builder put = ImmutableMap.builder().putAll(this.basicEnvironment).put("java.naming.security.authentication", "simple").put("java.naming.security.principal", str).put("java.naming.security.credentials", str2);
        this.sslContext.ifPresent(sSLContext -> {
            LdapSslSocketFactory.setSslContextForCurrentThread(sSLContext);
            put.put("java.naming.ldap.factory.socket", LdapSslSocketFactory.class.getName());
        });
        return put.buildOrThrow();
    }

    private static Optional<SSLContext> createSslContext(Optional<File> optional, Optional<String> optional2, Optional<File> optional3, Optional<String> optional4) {
        if (optional.isEmpty() && optional3.isEmpty()) {
            return Optional.empty();
        }
        try {
            return Optional.of(SslUtils.createSSLContext(optional, optional2, optional3, optional4));
        } catch (IOException | GeneralSecurityException e) {
            throw new RuntimeException(e);
        }
    }
}
