package io.confluent.security.auth.provider.ldap;

import io.confluent.security.auth.metadata.PasswordVerifier;
import io.confluent.security.auth.provider.ldap.LdapConfig;
import java.io.Closeable;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.ServiceLoader;
import java.util.concurrent.atomic.AtomicInteger;
import javax.naming.CommunicationException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.commons.lang3.StringUtils;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.errors.AuthenticationException;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.auth.AuthorizationIdProvider;
import org.apache.kafka.common.security.plain.PlainAuthenticateCallback;
import org.apache.kafka.common.security.plain.internals.PlainSaslServer;
import org.apache.kafka.common.utils.Utils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/security/auth/provider/ldap/LdapAuthenticateCallbackHandler.class */
public class LdapAuthenticateCallbackHandler implements AuthorizationIdProvider, AuthenticateCallbackHandler, Closeable {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) LdapAuthenticateCallbackHandler.class);
    private static final String AUTH_FAILED_MESSAGE = "LDAP authentication failed";
    private static final String LDAP_CLOSED_MSG = "LDAP connection has been closed";
    private static final String LDAP_TIMEOUT_MSG = "LDAP response read timed out, timeout used";
    private volatile LdapConfig config;
    private volatile UserSearchMode userSearchMode;
    private volatile LdapContextCreator searchContextCreator;
    private volatile LdapContext context;
    private final AtomicInteger ldapSearchCounter = new AtomicInteger(0);
    private final SearchControls searchControls = new SearchControls();
    private final List<PasswordVerifier> passwordVerifiers = new ArrayList();

    /* loaded from: input_file:io/confluent/security/auth/provider/ldap/LdapAuthenticateCallbackHandler$DefaultPasswordVerifier.class */
    private static class DefaultPasswordVerifier implements PasswordVerifier {
        private DefaultPasswordVerifier() {
        }

        @Override // org.apache.kafka.common.Configurable
        public void configure(Map<String, ?> map) {
        }

        @Override // io.confluent.security.auth.metadata.PasswordVerifier
        public PasswordVerifier.Result verify(char[] cArr, char[] cArr2) {
            LdapAuthenticateCallbackHandler.log.debug("Verifying passwords using string comparison since no password verifier was found:");
            return Arrays.equals(cArr, cArr2) ? PasswordVerifier.Result.MATCH : PasswordVerifier.Result.MISMATCH;
        }

        @Override // java.io.Closeable, java.lang.AutoCloseable
        public void close() throws IOException {
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/confluent/security/auth/provider/ldap/LdapAuthenticateCallbackHandler$LdapUser.class */
    public static class LdapUser {
        final String dn;
        final byte[] password;
        final String principal;

        LdapUser(String str, byte[] bArr, String str2) {
            this.dn = str;
            this.password = bArr;
            this.principal = str2;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:io/confluent/security/auth/provider/ldap/LdapAuthenticateCallbackHandler$UserSearchMode.class */
    public enum UserSearchMode {
        DN_SEARCH,
        PASSWORD_SEARCH
    }

    @Override // org.apache.kafka.common.security.auth.AuthenticateCallbackHandler
    public void configure(Map<String, ?> map, String str, List<AppConfigurationEntry> list) {
        if (!PlainSaslServer.PLAIN_MECHANISM.equals(str)) {
            throw new ConfigException("SASL mechanism not supported: " + str);
        }
        this.config = new LdapConfig(map);
        if (this.config.userPasswordAttribute != null) {
            this.userSearchMode = UserSearchMode.PASSWORD_SEARCH;
        } else {
            this.userSearchMode = UserSearchMode.DN_SEARCH;
        }
        if (this.config.userNameAttribute == null || this.config.userNameAttribute.isEmpty()) {
            throw new ConfigException("User name attribute not specified");
        }
        this.searchContextCreator = new LdapContextCreator(this.config);
        if (this.userSearchMode == UserSearchMode.DN_SEARCH) {
            this.searchControls.setReturningAttributes(new String[]{this.config.userNameAttribute});
        } else {
            this.searchControls.setReturningAttributes(new String[]{this.config.userNameAttribute, this.config.userPasswordAttribute});
            Iterator it = ServiceLoader.load(PasswordVerifier.class).iterator();
            while (it.hasNext()) {
                this.passwordVerifiers.add((PasswordVerifier) it.next());
            }
            this.passwordVerifiers.add(new DefaultPasswordVerifier());
            this.passwordVerifiers.forEach(passwordVerifier -> {
                passwordVerifier.configure(map);
            });
        }
        this.searchControls.setSearchScope(this.config.userSearchScope);
    }

    @Override // javax.security.auth.callback.CallbackHandler
    public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
        boolean authenticateUsingPasswordSearch;
        NameCallback nameCallback = null;
        PlainAuthenticateCallback plainAuthenticateCallback = null;
        for (Callback callback : callbackArr) {
            if (callback instanceof NameCallback) {
                nameCallback = (NameCallback) callback;
            } else {
                if (!(callback instanceof PlainAuthenticateCallback)) {
                    throw new UnsupportedCallbackException(callback);
                }
                plainAuthenticateCallback = (PlainAuthenticateCallback) callback;
            }
        }
        String username = username(nameCallback);
        char[] password = password(plainAuthenticateCallback);
        try {
            LdapUser ldapUser = ldapUser(username);
            switch (this.userSearchMode) {
                case DN_SEARCH:
                    authenticateUsingPasswordSearch = authenticateUsingSimpleBind(ldapUser.dn, password);
                    break;
                case PASSWORD_SEARCH:
                    authenticateUsingPasswordSearch = authenticateUsingPasswordSearch(username, password);
                    break;
                default:
                    throw new IllegalStateException("Unknown search mode " + this.userSearchMode);
            }
            if (this.config.principalMappingMode.equals(LdapPrincipalMapping.LDAP.name)) {
                nameCallback.setName(ldapUser.principal);
            } else {
                nameCallback.setName(username);
            }
            plainAuthenticateCallback.authenticated(authenticateUsingPasswordSearch);
        } catch (AuthenticationException e) {
            plainAuthenticateCallback.authenticated(false);
        }
    }

    private String username(NameCallback nameCallback) {
        String str = null;
        if (nameCallback != null) {
            str = nameCallback.getDefaultName();
        }
        if (str == null || str.isEmpty()) {
            throw new AuthenticationException("User name not specified");
        }
        return str;
    }

    private char[] password(PlainAuthenticateCallback plainAuthenticateCallback) {
        char[] cArr = null;
        if (plainAuthenticateCallback != null) {
            cArr = plainAuthenticateCallback.password();
        }
        if (cArr == null || cArr.length == 0) {
            throw new AuthenticationException("Password not specified");
        }
        return cArr;
    }

    private boolean authenticateUsingSimpleBind(String str, char[] cArr) {
        Hashtable hashtable = new Hashtable(this.config.ldapContextEnvironment);
        hashtable.put("java.naming.security.authentication", "simple");
        hashtable.put("java.naming.security.principal", str);
        hashtable.put("java.naming.security.credentials", new String(cArr));
        try {
            new InitialDirContext(hashtable).close();
            return true;
        } catch (NamingException e) {
            if (e instanceof CommunicationException) {
                log.warn("LDAP bind failed for user DN {}", str, e);
                return false;
            }
            log.trace("LDAP bind failed for user DN {} with specified password", str, e);
            return false;
        }
    }

    private boolean authenticateUsingPasswordSearch(String str, char[] cArr) {
        LdapUser ldapUser = ldapUser(str);
        new NameCallback("Name: ").setName(str);
        new String(ldapUser.password, StandardCharsets.UTF_8).toCharArray();
        Iterator<PasswordVerifier> it = this.passwordVerifiers.iterator();
        while (it.hasNext()) {
            switch (it.next().verify(r0, cArr)) {
                case MATCH:
                    return true;
                case MISMATCH:
                    return false;
            }
        }
        return false;
    }

    @Override // org.apache.kafka.common.security.auth.AuthenticateCallbackHandler
    public void close() {
        if (this.context != null) {
            try {
                this.context.close();
            } catch (NamingException e) {
                log.error("Failed to close LDAP context", e);
            }
        }
        this.passwordVerifiers.forEach(passwordVerifier -> {
            Utils.closeQuietly(passwordVerifier, "passwordVerifier");
        });
    }

    private LdapUser ldapUser(String str) {
        LdapUser ldapUser = (LdapUser) Subject.doAs(this.searchContextCreator.subject(), () -> {
            return searchForLdapUser(str);
        });
        if (ldapUser == null) {
            throw new AuthenticationException(AUTH_FAILED_MESSAGE);
        }
        return ldapUser;
    }

    private LdapUser searchForLdapUser(String str) {
        boolean z = this.context != null;
        String str2 = log.isDebugEnabled() ? this + " Thread:" + Thread.currentThread().getName() + " user:" + str + " searchCounter:" + this.ldapSearchCounter.getAndIncrement() + StringUtils.SPACE : "";
        if (!z) {
            try {
                log.debug("Searching for user with null LDAP context: Must create new context. {}", str2);
                this.context = this.searchContextCreator.createLdapContext();
            } catch (IOException | NamingException | LdapException e) {
                log.error("Failed to obtain user DN for {}. {} {}", str, this.context, str2, e);
                throw new AuthenticationException(AUTH_FAILED_MESSAGE);
            }
        }
        try {
            return ldapSearch(this.context, str);
        } catch (IOException | NamingException e2) {
            if (!shouldMakeNewLdapContext(e2)) {
                throw e2;
            }
            log.warn("Caught exception searching for LDAP User. {} {}", this.context, str2, e2);
            if (!z) {
                return null;
            }
            log.warn("Creating and using new ldapContext. {}", str2);
            this.context = this.searchContextCreator.createLdapContext();
            return ldapSearch(this.context, str);
        }
    }

    private boolean shouldMakeNewLdapContext(Exception exc) {
        String message;
        if (exc instanceof CommunicationException) {
            return true;
        }
        if (!(exc instanceof NamingException) || (message = exc.getMessage()) == null) {
            return false;
        }
        return message.contains(LDAP_CLOSED_MSG) || message.contains(LDAP_TIMEOUT_MSG);
    }

    private LdapUser ldapSearch(LdapContext ldapContext, String str) throws IOException, NamingException {
        log.trace("Searching for user {} with base {} filter {}: [Thread {}]", str, this.config.userSearchBase, this.config.userDnSearchFilter, Long.valueOf(Thread.currentThread().getId()));
        NamingEnumeration search = ldapContext.search(this.config.userSearchBase, this.config.userDnSearchFilter, new Object[]{str}, this.searchControls);
        if (!search.hasMore()) {
            log.trace("User not found {} [Thread {}]", str, Long.valueOf(Thread.currentThread().getId()));
            return null;
        }
        SearchResult searchResult = (SearchResult) search.next();
        if (search.hasMore()) {
            log.trace("Search found multiple entries for user {} with base {} filter {}: [Thread {}]", str, this.config.userSearchBase, this.config.userDnSearchFilter, Long.valueOf(Thread.currentThread().getId()));
            log.error("Found multiple user entries with user name {}", str);
            return null;
        }
        Attribute attribute = searchResult.getAttributes().get(this.config.userNameAttribute);
        if (attribute == null) {
            log.trace("User name attribute not found in search result [Thread {}]", Long.valueOf(Thread.currentThread().getId()));
            return null;
        }
        String attributeValue = LdapGroupManager.attributeValue(attribute.get(), this.config.userNameAttributePattern, "", "user name in LDAP Records", LdapConfig.SearchMode.USERS);
        if (attributeValue == null) {
            log.trace("Found null user {} with base {} filter {} [Thread {}]", str, this.config.userSearchBase, this.config.userDnSearchFilter, Long.valueOf(Thread.currentThread().getId()));
            return null;
        }
        String nameInNamespace = searchResult.getNameInNamespace();
        log.trace("Found user {} with base {} filter {}: {} [Thread {}]", str, this.config.userSearchBase, this.config.userDnSearchFilter, nameInNamespace, Long.valueOf(Thread.currentThread().getId()));
        return new LdapUser(nameInNamespace, this.userSearchMode == UserSearchMode.DN_SEARCH ? null : (byte[]) searchResult.getAttributes().get(this.config.userPasswordAttribute).get(), attributeValue);
    }

    public String toString() {
        return getClass().getSimpleName() + "@" + Integer.toHexString(hashCode());
    }
}
