package org.graylog2.security.realm;

import java.io.IOException;
import javax.inject.Inject;
import org.apache.directory.api.ldap.model.cursor.CursorException;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAccount;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.graylog2.security.TrustAllX509TrustManager;
import org.graylog2.security.ldap.LdapConnector;
import org.graylog2.security.ldap.LdapSettingsService;
import org.graylog2.shared.security.ldap.LdapEntry;
import org.graylog2.shared.security.ldap.LdapSettings;
import org.graylog2.shared.users.UserService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/graylog2/security/realm/LdapUserAuthenticator.class */
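/**
 * Shiro realm that authenticates a {@link UsernamePasswordToken} against the LDAP directory
 * configured through {@link LdapSettingsService}.
 *
 * <p>The flow is: load settings, connect with the configured system account, look the user up,
 * bind as the user's DN with the supplied password, and finally sync the LDAP entry into the local
 * {@link UserService}. Every failure short-circuits with {@code null} (Shiro then treats the realm
 * as having no account for that principal); only the LDAP library exceptions that are explicitly
 * caught here are turned into {@code null}, everything else propagates to the caller.
 *
 * <p>Credential checking is done by the LDAP bind itself, which is why the realm is configured with
 * an {@link AllowAllCredentialsMatcher}: by the time a {@link SimpleAccount} is returned the
 * password has already been verified by the directory.
 */
public class LdapUserAuthenticator extends AuthenticatingRealm {
    private static final Logger LOG = LoggerFactory.getLogger(LdapUserAuthenticator.class);

    /** Realm name recorded on every account returned by this realm. */
    private static final String REALM_NAME = "ldap realm";

    private final LdapConnector ldapConnector;
    private final LdapSettingsService ldapSettingsService;
    private final UserService userService;

    /**
     * Creates the realm.
     *
     * @param ldapConnector       performs the connect / search / bind operations
     * @param ldapSettingsService source of the (possibly absent or disabled) LDAP settings
     * @param userService         used to sync the LDAP entry into a local user record
     */
    @Inject
    public LdapUserAuthenticator(LdapConnector ldapConnector, LdapSettingsService ldapSettingsService, UserService userService) {
        this.ldapConnector = ldapConnector;
        this.userService = userService;
        this.ldapSettingsService = ldapSettingsService;
        setAuthenticationTokenClass(UsernamePasswordToken.class);
        // The LDAP bind in doGetAuthenticationInfo is the credential check; Shiro must not try to
        // compare the password against the (null) credentials stored in the returned account.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
    }

    /**
     * Authenticates the given token against LDAP.
     *
     * @param authenticationToken must be a {@link UsernamePasswordToken} (enforced via
     *                            {@link #setAuthenticationTokenClass}); the principal is used as the
     *                            LDAP search value, the password for the user bind
     * @return an account named after the principal when the user exists in LDAP, the bind succeeds
     *         and the local sync succeeds; {@code null} when LDAP is disabled or not configured, the
     *         connection fails, the user is not found, the credentials are rejected, the sync fails,
     *         or an {@link LdapException} / {@link CursorException} occurs
     * @throws AuthenticationException never thrown directly here; declared by the Shiro contract
     */
    @Override // org.apache.shiro.realm.AuthenticatingRealm
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        final UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;

        final LdapSettings settings = ldapSettingsService.load();
        if (settings == null || !settings.isEnabled()) {
            LOG.trace("LDAP is disabled, skipping");
            return null;
        }

        final LdapConnectionConfig config = buildConnectionConfig(settings);
        final String principal = (String) token.getPrincipal();

        // The connection is always closed in the finally block below, including when search()
        // or authenticate() throws; this replaces per-branch close() calls that did not cover
        // the exceptional path.
        LdapNetworkConnection connection = null;
        try {
            connection = ldapConnector.connect(config);
            if (connection == null) {
                LOG.error("Couldn't connect to LDAP directory");
                return null;
            }

            final LdapEntry entry = ldapConnector.search(connection,
                    settings.getSearchBase(),
                    settings.getSearchPattern(),
                    principal,
                    settings.isActiveDirectory(),
                    settings.getGroupSearchBase(),
                    settings.getGroupIdAttribute(),
                    settings.getGroupSearchPattern());
            if (entry == null) {
                LOG.debug("User {} not found in LDAP", principal);
                return null;
            }

            // The connector's bind API takes a String, so the char[] has to be materialised here;
            // it must never be logged and is not retained in any field.
            final String password = String.valueOf(token.getPassword());
            if (!ldapConnector.authenticate(connection, entry.getDn(), password)) {
                LOG.info("Invalid credentials for user {} (DN {})", principal, entry.getDn());
                return null;
            }

            if (userService.syncFromLdapEntry(entry, settings, principal) == null) {
                LOG.error("Unable to sync LDAP user {} (DN {})", entry.getBindPrincipal(), entry.getDn());
                return null;
            }

            // Credentials are deliberately null: the bind above already verified them and the
            // AllowAllCredentialsMatcher set in the constructor skips Shiro's own comparison.
            return new SimpleAccount(principal, (Object) null, REALM_NAME);
        } catch (CursorException e) {
            LOG.error("Unable to read LDAP entry", e);
            return null;
        } catch (LdapException e) {
            LOG.error("LDAP error", e);
            return null;
        } finally {
            closeQuietly(connection);
        }
    }

    /**
     * Builds the connection configuration (host, port, SSL/StartTLS, trust manager, system bind
     * credentials) from the loaded settings.
     *
     * @param settings enabled LDAP settings; must not be {@code null}
     * @return a fresh {@link LdapConnectionConfig}
     */
    private static LdapConnectionConfig buildConnectionConfig(LdapSettings settings) {
        final LdapConnectionConfig config = new LdapConnectionConfig();
        final java.net.URI uri = settings.getUri();
        config.setLdapHost(uri.getHost());
        config.setLdapPort(uri.getPort());
        // A URI without a scheme would otherwise NPE here; treat it as plain LDAP, as the
        // unchanged startsWith("ldaps") rule does for any non-ldaps scheme.
        final String scheme = uri.getScheme();
        config.setUseSsl(scheme != null && scheme.startsWith("ldaps"));
        config.setUseTls(settings.isUseStartTls());
        if (settings.isTrustAllCertificates()) {
            // Disables server certificate validation for this connection; the directory's identity
            // is then not verified, so this should only be enabled on a trusted network path.
            config.setTrustManagers(new TrustAllX509TrustManager());
        }
        config.setName(settings.getSystemUserName());
        config.setCredentials(settings.getSystemPassword());
        return config;
    }

    /**
     * Closes the connection if one was opened, logging (but not propagating) a failure to close
     * so that the authentication outcome already decided in the caller is not changed.
     *
     * @param connection the connection to close; {@code null} is ignored
     */
    private static void closeQuietly(LdapNetworkConnection connection) {
        if (connection == null) {
            return;
        }
        try {
            connection.close();
        } catch (IOException e) {
            LOG.error("Unable to close LDAP connection", e);
        }
    }

    /**
     * Reports whether LDAP authentication is currently enabled.
     *
     * @return {@code true} only when settings are present and enabled; {@code false} when no
     *         settings are stored, mirroring the null handling in {@link #doGetAuthenticationInfo}
     */
    public boolean isEnabled() {
        final LdapSettings settings = ldapSettingsService.load();
        return settings != null && settings.isEnabled();
    }
}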
