package org.openmetadata.service.security.auth;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.type.TypeReference;
import com.unboundid.ldap.sdk.Attribute;
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionOptions;
import com.unboundid.ldap.sdk.LDAPConnectionPool;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;
import com.unboundid.util.ssl.SSLUtil;
import freemarker.template.TemplateException;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.UUID;
import java.util.function.Function;
import java.util.stream.Collectors;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import org.openmetadata.common.utils.CommonUtil;
import org.openmetadata.schema.TokenInterface;
import org.openmetadata.schema.api.teams.CreateUser;
import org.openmetadata.schema.auth.JWTAuthMechanism;
import org.openmetadata.schema.auth.LdapConfiguration;
import org.openmetadata.schema.auth.LoginRequest;
import org.openmetadata.schema.auth.RefreshToken;
import org.openmetadata.schema.auth.ServiceTokenType;
import org.openmetadata.schema.auth.TokenRefreshRequest;
import org.openmetadata.schema.auth.TokenType;
import org.openmetadata.schema.entity.teams.AuthenticationMechanism;
import org.openmetadata.schema.entity.teams.Role;
import org.openmetadata.schema.entity.teams.User;
import org.openmetadata.schema.services.connections.metadata.AuthProvider;
import org.openmetadata.schema.type.EntityReference;
import org.openmetadata.service.Entity;
import org.openmetadata.service.OpenMetadataApplicationConfig;
import org.openmetadata.service.auth.JwtResponse;
import org.openmetadata.service.exception.CatalogExceptionMessage;
import org.openmetadata.service.exception.CustomExceptionMessage;
import org.openmetadata.service.exception.EntityNotFoundException;
import org.openmetadata.service.exception.UnhandledServerException;
import org.openmetadata.service.jdbi3.RoleRepository;
import org.openmetadata.service.jdbi3.TokenRepository;
import org.openmetadata.service.jdbi3.UserRepository;
import org.openmetadata.service.security.AuthenticationException;
import org.openmetadata.service.security.JwtFilter;
import org.openmetadata.service.security.SecurityUtil;
import org.openmetadata.service.security.jwt.JWTTokenGenerator;
import org.openmetadata.service.util.EmailUtil;
import org.openmetadata.service.util.JsonUtils;
import org.openmetadata.service.util.LdapUtil;
import org.openmetadata.service.util.TokenUtil;
import org.openmetadata.service.util.UserUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.BeanUtils;
import org.springframework.util.CollectionUtils;

/* loaded from: input_file:org/openmetadata/service/security/auth/LdapAuthenticator.class */
public class LdapAuthenticator implements AuthenticatorHandler {
    private static final Logger LOG = LoggerFactory.getLogger(LdapAuthenticator.class);
    static final String LDAP_ERR_MSG = "[LDAP] Issue in creating a LookUp Connection ";
    private RoleRepository roleRepository;
    private UserRepository userRepository;
    private TokenRepository tokenRepository;
    private LoginAttemptCache loginAttemptCache;
    private LdapConfiguration ldapConfiguration;
    private LDAPConnectionPool ldapLookupConnectionPool;

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public void init(OpenMetadataApplicationConfig openMetadataApplicationConfig) {
        if (!openMetadataApplicationConfig.getAuthenticationConfiguration().getProvider().equals(AuthProvider.LDAP) || openMetadataApplicationConfig.getAuthenticationConfiguration().getLdapConfiguration() == null) {
            throw new IllegalStateException("Invalid or Missing Ldap Configuration.");
        }
        this.ldapLookupConnectionPool = getLdapConnectionPool(openMetadataApplicationConfig.getAuthenticationConfiguration().getLdapConfiguration());
        this.userRepository = (UserRepository) Entity.getEntityRepository(Entity.USER);
        this.roleRepository = (RoleRepository) Entity.getEntityRepository(Entity.ROLE);
        this.tokenRepository = Entity.getTokenRepository();
        this.ldapConfiguration = openMetadataApplicationConfig.getAuthenticationConfiguration().getLdapConfiguration();
        this.loginAttemptCache = new LoginAttemptCache();
    }

    private LDAPConnectionPool getLdapConnectionPool(LdapConfiguration ldapConfiguration) {
        LDAPConnectionPool lDAPConnectionPool;
        try {
            if (Boolean.TRUE.equals(ldapConfiguration.getSslEnabled())) {
                LDAPConnectionOptions lDAPConnectionOptions = new LDAPConnectionOptions();
                lDAPConnectionPool = new LDAPConnectionPool(new LDAPConnection(new SSLUtil(new LdapUtil().getLdapSSLConnection(ldapConfiguration, lDAPConnectionOptions)).createSSLSocketFactory(), lDAPConnectionOptions, ldapConfiguration.getHost(), ldapConfiguration.getPort().intValue(), ldapConfiguration.getDnAdminPrincipal(), ldapConfiguration.getDnAdminPassword()), ldapConfiguration.getMaxPoolSize().intValue());
            } else {
                lDAPConnectionPool = new LDAPConnectionPool(new LDAPConnection(ldapConfiguration.getHost(), ldapConfiguration.getPort().intValue(), ldapConfiguration.getDnAdminPrincipal(), ldapConfiguration.getDnAdminPassword()), ldapConfiguration.getMaxPoolSize().intValue());
            }
            return lDAPConnectionPool;
        } catch (LDAPException | GeneralSecurityException e) {
            LOG.error("[LDAP] Issue in creating a LookUp Connection", e);
            throw new IllegalStateException(LDAP_ERR_MSG, e);
        }
    }

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public JwtResponse loginUser(LoginRequest loginRequest) throws IOException, TemplateException {
        checkIfLoginBlocked(loginRequest.getEmail());
        User lookUserInProvider = lookUserInProvider(loginRequest.getEmail());
        validatePassword(lookUserInProvider.getEmail(), lookUserInProvider, loginRequest.getPassword());
        return getJwtResponse(checkAndCreateUser(lookUserInProvider.getEmail(), lookUserInProvider.getName()), SecurityUtil.getLoginConfiguration().getJwtTokenExpiryTime().intValue());
    }

    private User checkAndCreateUser(String str, String str2) throws IOException {
        try {
            User byName = this.userRepository.getByName((UriInfo) null, str2, this.userRepository.getFields("id,name,email,roles"));
            getRoleForLdap(byName, Boolean.TRUE);
            return byName;
        } catch (EntityNotFoundException e) {
            return this.userRepository.create(null, getUserForLdap(str, str2));
        } catch (LDAPException e2) {
            LOG.error("An error occurs when reassigning roles for an LDAP user({}): {}", new Object[]{str2, e2.getMessage(), e2});
            throw new UnhandledServerException(e2.getMessage());
        }
    }

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public void checkIfLoginBlocked(String str) {
        if (this.loginAttemptCache.isLoginBlocked(str)) {
            throw new AuthenticationException(CatalogExceptionMessage.MAX_FAILED_LOGIN_ATTEMPT);
        }
    }

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public void recordFailedLoginAttempt(String str, User user) throws TemplateException, IOException {
        this.loginAttemptCache.recordFailedLogin(str);
        if (this.loginAttemptCache.getUserFailedLoginCount(str) == SecurityUtil.getLoginConfiguration().getMaxLoginFailAttempts().intValue()) {
            EmailUtil.sendAccountStatus(user, "Multiple Failed Login Attempts.", String.format("Someone is tried accessing your account. Login is Blocked for %s seconds.", SecurityUtil.getLoginConfiguration().getAccessBlockTime()));
        }
    }

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public void validatePassword(String str, User user, String str2) throws TemplateException, IOException {
        BindResult bindResult = null;
        try {
            bindResult = this.ldapLookupConnectionPool.bind(user.getName(), str2);
            if (Objects.equals(bindResult.getResultCode().getName(), ResultCode.SUCCESS.getName())) {
                return;
            }
        } catch (Exception e) {
            if (bindResult != null && Objects.equals(bindResult.getResultCode().getName(), ResultCode.INVALID_CREDENTIALS.getName())) {
                recordFailedLoginAttempt(str, user);
                throw new CustomExceptionMessage(Response.Status.UNAUTHORIZED, CatalogExceptionMessage.INVALID_USER_OR_PASSWORD, CatalogExceptionMessage.INVALID_EMAIL_PASSWORD);
            }
        }
        if (bindResult == null) {
            throw new CustomExceptionMessage(Response.Status.INTERNAL_SERVER_ERROR, CatalogExceptionMessage.INVALID_USER_OR_PASSWORD, CatalogExceptionMessage.INVALID_EMAIL_PASSWORD);
        }
        throw new CustomExceptionMessage(Response.Status.INTERNAL_SERVER_ERROR, CatalogExceptionMessage.INVALID_USER_OR_PASSWORD, bindResult.getResultCode().getName());
    }

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public User lookUserInProvider(String str) {
        try {
            SearchResult search = this.ldapLookupConnectionPool.search(new SearchRequest(this.ldapConfiguration.getUserBaseDN(), SearchScope.SUB, Filter.createEqualityFilter(this.ldapConfiguration.getMailAttributeName(), str), new String[]{this.ldapConfiguration.getMailAttributeName()}));
            if (search.getSearchEntries().size() != 1) {
                if (search.getSearchEntries().size() > 1) {
                    throw new CustomExceptionMessage(Response.Status.INTERNAL_SERVER_ERROR, CatalogExceptionMessage.MULTIPLE_EMAIL_ENTRIES, CatalogExceptionMessage.MULTIPLE_EMAIL_ENTRIES);
                }
                throw new CustomExceptionMessage(Response.Status.INTERNAL_SERVER_ERROR, CatalogExceptionMessage.MULTIPLE_EMAIL_ENTRIES, CatalogExceptionMessage.INVALID_EMAIL_PASSWORD);
            }
            SearchResultEntry searchResultEntry = (SearchResultEntry) search.getSearchEntries().get(0);
            String dn = searchResultEntry.getDN();
            Attribute attribute = searchResultEntry.getAttribute(this.ldapConfiguration.getMailAttributeName());
            if (CommonUtil.nullOrEmpty(dn) || attribute == null) {
                throw new CustomExceptionMessage(Response.Status.FORBIDDEN, CatalogExceptionMessage.INVALID_USER_OR_PASSWORD, CatalogExceptionMessage.LDAP_MISSING_ATTR);
            }
            return getUserForLdap(str).withName(dn.toLowerCase());
        } catch (LDAPException e) {
            throw new CustomExceptionMessage(Response.Status.INTERNAL_SERVER_ERROR, "LDAP_ERROR", e.getMessage());
        }
    }

    private User getUserForLdap(String str) {
        String str2 = str.split("@")[0];
        return UserUtil.getUser(str2, new CreateUser().withName(str2).withEmail(str).withIsBot(false)).withIsEmailVerified(false).withAuthenticationMechanism((AuthenticationMechanism) null);
    }

    private User getUserForLdap(String str, String str2) {
        User withAuthenticationMechanism = UserUtil.getUser(str2, new CreateUser().withName(str2).withEmail(str).withIsBot(false)).withIsEmailVerified(false).withAuthenticationMechanism((AuthenticationMechanism) null);
        try {
            getRoleForLdap(withAuthenticationMechanism, false);
        } catch (LDAPException | JsonProcessingException e) {
            LOG.error("Failed to assign roles from LDAP to OpenMetadata for the user {} due to {}", withAuthenticationMechanism.getName(), e.getMessage());
        }
        return withAuthenticationMechanism;
    }

    private void getRoleForLdap(User user, Boolean bool) throws LDAPException, JsonProcessingException {
        try {
            SearchResult search = this.ldapLookupConnectionPool.search(new SearchRequest(this.ldapConfiguration.getGroupBaseDN(), SearchScope.SUB, Filter.createANDFilter(new Filter[]{Filter.createEqualityFilter(this.ldapConfiguration.getGroupAttributeName(), this.ldapConfiguration.getGroupAttributeValue()), Filter.createEqualityFilter(this.ldapConfiguration.getGroupMemberAttributeName(), user.getName())}), new String[]{this.ldapConfiguration.getAllAttributeName()}));
            if (CollectionUtils.isEmpty(search.getSearchEntries())) {
                if (Boolean.TRUE.equals(bool)) {
                    user.setRoles(getReassignRoles(user, new ArrayList(0), Boolean.FALSE));
                    UserUtil.addOrUpdateUser(user);
                    return;
                }
                return;
            }
            Map map = (Map) JsonUtils.readValue(this.ldapConfiguration.getAuthRolesMapping(), new TypeReference<Map<String, List<String>>>() { // from class: org.openmetadata.service.security.auth.LdapAuthenticator.1
            });
            ArrayList arrayList = new ArrayList();
            boolean booleanValue = Boolean.FALSE.booleanValue();
            Iterator it = search.getSearchEntries().iterator();
            while (it.hasNext()) {
                String dn = ((SearchResultEntry) it.next()).getDN();
                if (map.containsKey(dn) && !CollectionUtils.isEmpty((Collection) map.get(dn))) {
                    for (String str : (List) map.get(dn)) {
                        if (this.ldapConfiguration.getRoleAdminName().equals(str)) {
                            booleanValue = Boolean.TRUE.booleanValue();
                        } else {
                            try {
                                Role byName = this.roleRepository.getByName(null, str, this.roleRepository.getFields("id,name"));
                                EntityReference entityReference = new EntityReference();
                                BeanUtils.copyProperties(byName, entityReference);
                                entityReference.setType(Entity.ROLE);
                                arrayList.add(entityReference);
                            } catch (EntityNotFoundException e) {
                                LOG.error("Role {} does not exist in OM Database", str);
                            }
                        }
                    }
                }
            }
            user.setRoles(getReassignRoles(user, new ArrayList(((LinkedHashMap) arrayList.stream().collect(Collectors.toMap((v0) -> {
                return v0.getName();
            }, Function.identity(), (entityReference2, entityReference3) -> {
                return entityReference2;
            }, LinkedHashMap::new))).values()), Boolean.valueOf(booleanValue)));
            if (Boolean.TRUE.equals(bool)) {
                UserUtil.addOrUpdateUser(user);
            }
        } catch (Exception e2) {
            LOG.warn("Failed to get user's groups from LDAP server using the DN of the user {} due to {}", user.getName(), e2.getMessage());
        }
    }

    private List<EntityReference> getReassignRoles(User user, List<EntityReference> list, Boolean bool) {
        Set authReassignRoles = this.ldapConfiguration.getAuthReassignRoles();
        if (authReassignRoles.contains(this.ldapConfiguration.getAllAttributeName())) {
            user.setIsAdmin(bool);
        } else {
            if (!CollectionUtils.isEmpty(list)) {
                for (int size = list.size() - 1; size >= 0; size--) {
                    if (!authReassignRoles.contains(list.get(size).getName())) {
                        list.remove(size);
                    }
                }
            }
            List<EntityReference> roles = user.getRoles();
            if (!CollectionUtils.isEmpty(roles)) {
                for (EntityReference entityReference : roles) {
                    if (!authReassignRoles.contains(entityReference.getName())) {
                        list.add(entityReference);
                    }
                }
            }
            if (authReassignRoles.contains(this.ldapConfiguration.getRoleAdminName())) {
                user.setIsAdmin(bool);
            }
        }
        return list;
    }

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public RefreshToken createRefreshTokenForLogin(UUID uuid) {
        this.tokenRepository.deleteTokenByUserAndType(uuid, TokenType.REFRESH_TOKEN.toString());
        TokenInterface refreshTokenForLDAP = TokenUtil.getRefreshTokenForLDAP(uuid, UUID.randomUUID());
        this.tokenRepository.insertToken(refreshTokenForLDAP);
        return refreshTokenForLDAP;
    }

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public JwtResponse getNewAccessToken(TokenRefreshRequest tokenRefreshRequest) {
        if (CommonUtil.nullOrEmpty(tokenRefreshRequest.getRefreshToken())) {
            throw new BadRequestException("Token Cannot be Null or Empty String");
        }
        User user = this.userRepository.get(null, this.tokenRepository.findByToken(tokenRefreshRequest.getRefreshToken()).getUserId(), this.userRepository.getFieldsWithUserAuth("*"));
        if (user.getIsBot() != null && user.getIsBot().booleanValue()) {
            throw new IllegalArgumentException("User are only allowed to login");
        }
        RefreshToken validateAndReturnNewRefresh = validateAndReturnNewRefresh(user.getId(), tokenRefreshRequest);
        JWTAuthMechanism generateJWTToken = JWTTokenGenerator.getInstance().generateJWTToken(user.getName(), UserUtil.getRoleListFromUser(user), !CommonUtil.nullOrEmpty(user.getIsAdmin()) && user.getIsAdmin().booleanValue(), user.getEmail(), SecurityUtil.getLoginConfiguration().getJwtTokenExpiryTime().intValue(), false, ServiceTokenType.OM_USER);
        JwtResponse jwtResponse = new JwtResponse();
        jwtResponse.setTokenType(JwtFilter.TOKEN_PREFIX);
        jwtResponse.setAccessToken(generateJWTToken.getJWTToken());
        jwtResponse.setRefreshToken(validateAndReturnNewRefresh.getToken().toString());
        jwtResponse.setExpiryDuration(generateJWTToken.getJWTTokenExpiresAt());
        return jwtResponse;
    }

    public RefreshToken validateAndReturnNewRefresh(UUID uuid, TokenRefreshRequest tokenRefreshRequest) {
        String refreshToken = tokenRefreshRequest.getRefreshToken();
        RefreshToken findByToken = this.tokenRepository.findByToken(refreshToken);
        if (findByToken.getExpiryDate().compareTo(Long.valueOf(Instant.now().toEpochMilli())) < 0) {
            throw new CustomExceptionMessage(Response.Status.BAD_REQUEST, CatalogExceptionMessage.PASSWORD_RESET_TOKEN_EXPIRED, "Expired token. Please login again : " + findByToken.getToken().toString());
        }
        this.tokenRepository.deleteToken(refreshToken);
        TokenInterface refreshTokenForLDAP = TokenUtil.getRefreshTokenForLDAP(uuid, UUID.randomUUID());
        this.tokenRepository.insertToken(refreshTokenForLDAP);
        return refreshTokenForLDAP;
    }
}
