package org.graylog2.security.realm;

import java.io.IOException;
import java.util.concurrent.atomic.AtomicReference;
import org.apache.directory.api.ldap.model.cursor.CursorException;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAccount;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.graylog2.security.TrustAllX509TrustManager;
import org.graylog2.security.ldap.LdapConnector;
import org.graylog2.security.ldap.LdapEntry;
import org.graylog2.security.ldap.LdapSettings;
import org.graylog2.security.ldap.LdapSettingsService;
import org.graylog2.users.UserService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/graylog2/security/realm/LdapUserAuthenticator.class */
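/**
 * Shiro realm that authenticates users against an LDAP / Active Directory server.
 * <p>
 * Per login attempt: bind with the configured system (service) account, search for the
 * user's entry under the configured search base, then verify the supplied password by
 * binding as the entry's own DN. Shiro's built-in credential comparison is disabled
 * ({@link AllowAllCredentialsMatcher}) because that second bind <em>is</em> the credential
 * check; returning {@code null} from {@link #doGetAuthenticationInfo} is what rejects a login.
 * <p>
 * Settings live in an {@link AtomicReference} so {@link #applySettings} can swap them at
 * runtime; each authentication attempt reads one consistent snapshot.
 */
public class LdapUserAuthenticator extends AuthenticatingRealm {
    private static final Logger log = LoggerFactory.getLogger(LdapUserAuthenticator.class);
    /** Realm name attached to the {@link SimpleAccount} returned on success. */
    private static final String REALM_NAME = "ldap realm";
    /** Standard ports used only when the configured URI carries none (see {@link #buildConnectionConfig}). */
    private static final int DEFAULT_LDAP_PORT = 389;
    private static final int DEFAULT_LDAPS_PORT = 636;

    private final LdapConnector ldapConnector;
    /** Current LDAP settings; may hold {@code null} if the settings service had nothing to load. */
    private final AtomicReference<LdapSettings> settings;
    private final UserService userService;

    /**
     * @param ldapConnector        performs the connect / search / bind operations
     * @param ldapSettingsService  source of the initial settings snapshot
     * @param userService          syncs the LDAP entry into the local user store after a successful bind
     */
    public LdapUserAuthenticator(LdapConnector ldapConnector, LdapSettingsService ldapSettingsService, UserService userService) {
        this.ldapConnector = ldapConnector;
        this.userService = userService;
        // Only UsernamePasswordToken reaches doGetAuthenticationInfo, which makes its cast there safe.
        setAuthenticationTokenClass(UsernamePasswordToken.class);
        // The LDAP bind is the credential check, so Shiro must not compare credentials a second time.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
        this.settings = new AtomicReference<>(ldapSettingsService.load());
    }

    /**
     * Authenticates {@code authenticationToken} against LDAP.
     *
     * @return a {@link SimpleAccount} for the principal on success; {@code null} when LDAP is
     *         disabled, the principal or password is missing, the user is not found, the bind
     *         fails, the local sync fails, or the directory reports an error (logged)
     */
    @Override // org.apache.shiro.realm.AuthenticatingRealm
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        final LdapSettings ldapSettings = this.settings.get();
        if (ldapSettings == null || !ldapSettings.isEnabled()) {
            log.trace("LDAP is disabled, skipping");
            return null;
        }

        final UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
        final Object principal = token.getPrincipal();
        if (principal == null) {
            log.debug("LDAP login attempt without a principal, rejecting");
            return null;
        }
        final String username = String.valueOf(principal);

        // Reject empty passwords before touching the directory. RFC 4513 s5.1.2 allows a server
        // to treat a simple bind with a DN and an empty password as an *unauthenticated* bind
        // that succeeds, which would let anyone log in as any existing user if the check were
        // left to the bind alone. (A null char[] would also NPE in String.valueOf below.)
        final char[] passwordChars = token.getPassword();
        if (passwordChars == null || passwordChars.length == 0) {
            log.info("Empty password for user {}, rejecting", username);
            return null;
        }
        final String password = String.valueOf(passwordChars);

        final LdapConnectionConfig ldapConnectionConfig = buildConnectionConfig(ldapSettings);

        LdapConnection connection = null;
        try {
            connection = this.ldapConnector.connect(ldapConnectionConfig);
            // NOTE(review): assumes LdapConnector.search escapes `username` before substituting it
            // into the search pattern (LDAP filter injection) -- confirm in LdapConnector.
            final LdapEntry entry = this.ldapConnector.search(connection, ldapSettings.getSearchBase(),
                    ldapSettings.getSearchPattern(), username, ldapSettings.isActiveDirectory());
            if (entry == null) {
                log.debug("User {} not found in LDAP", username);
                return null;
            }
            // The real credential check: bind as the user's own DN with the supplied password.
            if (!this.ldapConnector.authenticate(connection, entry.getDn(), password)) {
                log.info("Invalid credentials for user {} (DN {})", username, entry.getDn());
                return null;
            }
            if (this.userService.syncFromLdapEntry(entry, ldapSettings, username) == null) {
                log.error("Unable to sync LDAP user {}", entry.getDn());
                return null;
            }
            // No credentials stored on the account: the bind above verified them and the
            // matcher is AllowAllCredentialsMatcher.
            return new SimpleAccount(username, (Object) null, REALM_NAME);
        } catch (CursorException e) {
            log.error("Unable to read LDAP entry", (Throwable) e);
            return null;
        } catch (LdapException e) {
            log.error("LDAP error", (Throwable) e);
            return null;
        } finally {
            // Always release the connection, including on the exception paths, which the
            // previous version left open.
            closeQuietly(connection);
        }
    }

    /**
     * Builds the connection configuration for the system-account bind from {@code ldapSettings}.
     * Host, port and SSL are taken from the configured URI; StartTLS and trust-all are explicit flags.
     */
    private static LdapConnectionConfig buildConnectionConfig(LdapSettings ldapSettings) {
        final LdapConnectionConfig config = new LdapConnectionConfig();

        final String scheme = ldapSettings.getUri().getScheme();
        final boolean useSsl = scheme != null && scheme.startsWith("ldaps");

        int port = ldapSettings.getUri().getPort();
        if (port == -1) {
            // java.net.URI reports -1 when no port is present; fall back to the standard port for
            // the scheme rather than handing -1 to the connection.
            port = useSsl ? DEFAULT_LDAPS_PORT : DEFAULT_LDAP_PORT;
        }

        config.setLdapHost(ldapSettings.getUri().getHost());
        config.setLdapPort(port);
        config.setUseSsl(useSsl);
        config.setUseTls(ldapSettings.isUseStartTls());
        if (ldapSettings.isTrustAllCertificates()) {
            // Disables server certificate verification entirely: an attacker on the LDAP path can
            // then impersonate the server and capture the service-account credentials and every
            // user password bound through this realm. Only acceptable for test setups.
            config.setTrustManagers(new TrustAllX509TrustManager());
        }
        // Service account used for the user search; the user's own password is only ever used
        // for the verification bind in doGetAuthenticationInfo.
        config.setName(ldapSettings.getSystemUserName());
        config.setCredentials(ldapSettings.getSystemPassword());
        return config;
    }

    /**
     * Closes {@code connection} if non-null. A failed close is logged rather than propagated so
     * it can never mask or override the authentication outcome.
     */
    private static void closeQuietly(LdapConnection connection) {
        if (connection == null) {
            return;
        }
        try {
            connection.close();
        } catch (IOException e) {
            log.error("Unable to close LDAP connection", (Throwable) e);
        }
    }

    /** @return whether LDAP authentication is currently enabled; {@code false} when no settings are loaded. */
    public boolean isEnabled() {
        final LdapSettings current = this.settings.get();
        return current != null && current.isEnabled();
    }

    /**
     * Replaces the active settings; takes effect for the next authentication attempt.
     *
     * @param ldapSettings new settings (may be {@code null}, which disables the realm)
     */
    public void applySettings(LdapSettings ldapSettings) {
        this.settings.set(ldapSettings);
    }
}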
