package org.apache.kylin.rest.security;

import com.google.common.base.Preconditions;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.kylin.common.KylinConfig;
import org.apache.kylin.common.exception.KylinException;
import org.apache.kylin.common.exception.ServerErrorCode;
import org.apache.kylin.common.exception.code.ErrorCodeServer;
import org.apache.kylin.common.msg.MsgPicker;
import org.apache.kylin.metadata.epoch.EpochManager;
import org.apache.kylin.metadata.user.ManagedUser;
import org.apache.kylin.metadata.user.NKylinUserManager;
import org.apache.kylin.rest.service.MaintenanceModeSupporter;
import org.apache.kylin.rest.service.UserService;
import org.apache.kylin.tool.restclient.RestClient;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/* loaded from: input_file:org/apache/kylin/rest/security/LimitLoginAuthenticationProvider.class */
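/**
 * Username/password authentication provider that layers failed-login counting and account
 * lock-out on top of {@link DaoAuthenticationProvider}.
 *
 * <p>Flow of {@link #authenticate(Authentication)}: resolve the {@link ManagedUser}, refuse
 * early if the account is still locked, delegate the password check to the parent provider,
 * then either clear the failure record (success) or record one more failure (bad password).
 * Lock durations and the "permanently locked" decision come from {@code UserLockRuleUtil}.
 *
 * <p>NOTE(review): a locked account is reported with a dedicated message before the password is
 * verified, while unknown users and wrong passwords share one generic message. The locked
 * message therefore confirms that the account exists; confirm this is an accepted trade-off.
 */
public class LimitLoginAuthenticationProvider extends DaoAuthenticationProvider {
    private static final Logger limitLoginLogger = LoggerFactory.getLogger(LimitLoginAuthenticationProvider.class);

    @Autowired
    @Qualifier("userService")
    UserService userService;

    // Optional bean (required = false): this field is null when no such bean is registered,
    // so every use must go through isMaintenanceMode().
    @Autowired(required = false)
    @Qualifier("maintenanceModeService")
    MaintenanceModeSupporter maintenanceModeService;

    // Holds at most one RestClient, keyed by the address of the current "_global" epoch owner.
    private final ConcurrentHashMap<String, RestClient> clientMap = new ConcurrentHashMap<>();

    /**
     * Authenticates a username/password token while enforcing the lock-out rules.
     *
     * @param authentication the authentication request; only
     *     {@link UsernamePasswordAuthenticationToken} carries a user name that is tracked
     * @return the authenticated token, which is also stored in the {@link SecurityContextHolder}
     * @throws LockedException if the account is locked and the lock has not expired
     * @throws BadCredentialsException if the user is unknown, the password is wrong, or this
     *     failure caused the account to become locked
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        ManagedUser managedUser = null;
        String userName = null;
        try {
            if (authentication instanceof UsernamePasswordAuthenticationToken) {
                userName = (String) authentication.getPrincipal();
            }
            if (userName != null) {
                managedUser = NKylinUserManager.getInstance(KylinConfig.getInstanceFromEnv()).get(userName);
                if (managedUser != null) {
                    // Continue with the stored spelling of the user name so the password check and
                    // the lock bookkeeping refer to the same account.
                    // NOTE(review): the rebuilt token is created from principal and credentials only,
                    // so authentication.getDetails() is not carried over; confirm nothing downstream
                    // (e.g. audit logging of the remote address) relies on it.
                    userName = managedUser.getUsername();
                    authentication = new UsernamePasswordAuthenticationToken(userName, authentication.getCredentials());
                } else {
                    // Throws UsernameNotFoundException for unknown users, which is mapped to the
                    // generic login-failed message below.
                    managedUser = (ManagedUser) this.userService.loadUserByUsername(userName);
                }
                Preconditions.checkNotNull(managedUser);
            }
            // Reject before the password check while a lock is active; unlock if it has expired.
            updateUserLockStatus(managedUser, userName);
            Authentication authenticated = super.authenticate(authentication);
            // A successful login resets the failure counter, except in maintenance mode.
            if (managedUser != null && managedUser.getWrongTime() > 0 && !isMaintenanceMode()) {
                managedUser.clearAuthenticateFailedRecord();
                updateUser(managedUser);
            }
            SecurityContextHolder.getContext().setAuthentication(authenticated);
            return authenticated;
        } catch (BadCredentialsException e) {
            authenticateFail(managedUser, userName);
            if (managedUser == null || !managedUser.isLocked()) {
                limitLoginLogger.error(ErrorCodeServer.USER_LOGIN_FAILED.getMsg(new Object[0]));
                throw new BadCredentialsException(ErrorCodeServer.USER_LOGIN_FAILED.getMsg(new Object[0]));
            }
            if (UserLockRuleUtil.isLockedPermanently(managedUser)) {
                // Always throws; the lines below only run for a temporary lock.
                buildBadCredentialsException(userName, e);
            }
            String userBeLocked = MsgPicker.getMsg().getUserBeLocked(UserLockRuleUtil.getLockDurationSeconds(managedUser));
            limitLoginLogger.error(userBeLocked, new KylinException(ServerErrorCode.USER_LOCKED, e));
            throw new BadCredentialsException(userBeLocked, new KylinException(ServerErrorCode.USER_LOCKED, e));
        } catch (IllegalArgumentException e2) {
            throw new BadCredentialsException(ErrorCodeServer.USER_LOGIN_FAILED.getMsg(new Object[0]));
        } catch (UsernameNotFoundException e3) {
            // Same message as a wrong password, so the response does not reveal that the user is unknown.
            throw new BadCredentialsException(ErrorCodeServer.USER_LOGIN_FAILED.getMsg(new Object[0]), new KylinException(ErrorCodeServer.USER_LOGIN_FAILED, new Object[0]));
        }
    }

    /**
     * Tells whether maintenance mode is active, treating an absent (optional) maintenance
     * service as "not in maintenance mode".
     */
    private boolean isMaintenanceMode() {
        return this.maintenanceModeService != null && this.maintenanceModeService.isMaintenanceMode();
    }

    /**
     * Logs and throws the "permanently locked" failure for {@code str}; never returns normally.
     *
     * @param str user name inserted into the message
     * @param badCredentialsException the original failure, kept as the cause
     */
    private void buildBadCredentialsException(String str, BadCredentialsException badCredentialsException) {
        String format = String.format(Locale.ROOT, MsgPicker.getMsg().getUserInPermanentlyLockedStatus(), str);
        limitLoginLogger.error(format, new KylinException(ServerErrorCode.USER_LOCKED, badCredentialsException));
        throw new BadCredentialsException(format, new KylinException(ServerErrorCode.USER_LOCKED, badCredentialsException));
    }

    /**
     * Records one failed attempt for a known user and persists it; does nothing when the user
     * could not be resolved.
     */
    private void authenticateFail(ManagedUser managedUser, String str) {
        if (str == null || managedUser == null) {
            return;
        }
        managedUser.authenticateFail();
        updateUser(managedUser);
    }

    /**
     * Persists {@code managedUser}: directly through {@code userService} when this node owns the
     * {@code "_global"} epoch, otherwise by forwarding the update to the owner via a
     * {@link RestClient}.
     *
     * <p>Failures are logged and swallowed, so a failed write means the lock-out counter or lock
     * flag is not persisted for this attempt (the login flow itself continues).
     * NOTE(review): confirm that losing the counter on a persistence failure is acceptable, since
     * it weakens the lock-out guarantee.
     */
    private void updateUser(ManagedUser managedUser) {
        EpochManager epochManager = EpochManager.getInstance();
        try {
            if (epochManager.checkEpochOwner("_global")) {
                this.userService.updateUser(managedUser);
                return;
            }
            try {
                // The owner string is split on '|' and the first part is used as the client address.
                String owner = epochManager.getEpochOwner("_global").split("\\|")[0];
                // Work on a local reference: a concurrent clear() between a put and a second get
                // would otherwise hand back null.
                RestClient client = this.clientMap.get(owner);
                if (client == null) {
                    client = new RestClient(owner);
                    // The owner changed (or this is the first call): drop the stale client.
                    this.clientMap.clear();
                    this.clientMap.put(owner, client);
                }
                client.updateUser(managedUser);
            } catch (Exception e) {
                this.logger.error("Failed to update user throw restclient", e);
            }
        } catch (Exception e2) {
            this.logger.error("Get global epoch owner failed, update locally.", e2);
        }
    }

    /**
     * Enforces an existing lock before the password is checked.
     *
     * <p>No-op for unknown or unlocked users. A permanently locked user is always rejected; a
     * temporarily locked user is unlocked once the lock duration has elapsed and rejected
     * otherwise.
     *
     * @throws LockedException if the account is still locked
     */
    private void updateUserLockStatus(ManagedUser managedUser, String str) {
        if (managedUser == null || !managedUser.isLocked()) {
            return;
        }
        if (UserLockRuleUtil.isLockedPermanently(managedUser)) {
            // Always throws.
            buildLockedException(str);
        }
        // Time elapsed since the lock was set, in milliseconds.
        long lockedForMillis = System.currentTimeMillis() - managedUser.getLockedTime();
        if (UserLockRuleUtil.isLockDurationEnded(managedUser, lockedForMillis)) {
            managedUser.setLocked(false);
            updateUser(managedUser);
        } else {
            throw new LockedException(String.format(Locale.ROOT, MsgPicker.getMsg().getUserInLockedStatus(UserLockRuleUtil.getLockLeftSeconds(managedUser, lockedForMillis), UserLockRuleUtil.getLockDurationSeconds(managedUser.getWrongTime() + 1)), str));
        }
    }

    /** Throws the "permanently locked" {@link LockedException} for {@code str}; never returns normally. */
    private void buildLockedException(String str) {
        throw new LockedException(String.format(Locale.ROOT, MsgPicker.getMsg().getUserInPermanentlyLockedStatus(), str));
    }

    /** Accepts exactly {@link UsernamePasswordAuthenticationToken}; subclasses are not supported. */
    @Override
    public boolean supports(Class<?> cls) {
        return cls.equals(UsernamePasswordAuthenticationToken.class);
    }
}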
