package org.openmetadata.service.security.auth;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.unboundid.ldap.sdk.Attribute;
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionOptions;
import com.unboundid.ldap.sdk.LDAPConnectionPool;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;
import com.unboundid.util.ssl.SSLUtil;
import freemarker.template.TemplateException;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Objects;
import java.util.UUID;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import org.jdbi.v3.core.Jdbi;
import org.openmetadata.common.utils.CommonUtil;
import org.openmetadata.schema.TokenInterface;
import org.openmetadata.schema.api.configuration.LoginConfiguration;
import org.openmetadata.schema.auth.LdapConfiguration;
import org.openmetadata.schema.auth.LoginRequest;
import org.openmetadata.schema.auth.RefreshToken;
import org.openmetadata.schema.auth.TokenType;
import org.openmetadata.schema.entity.teams.AuthenticationMechanism;
import org.openmetadata.schema.entity.teams.User;
import org.openmetadata.service.OpenMetadataApplicationConfig;
import org.openmetadata.service.auth.JwtResponse;
import org.openmetadata.service.exception.CatalogExceptionMessage;
import org.openmetadata.service.exception.CustomExceptionMessage;
import org.openmetadata.service.exception.EntityNotFoundException;
import org.openmetadata.service.jdbi3.CollectionDAO;
import org.openmetadata.service.jdbi3.TokenRepository;
import org.openmetadata.service.jdbi3.UserRepository;
import org.openmetadata.service.security.AuthenticationException;
import org.openmetadata.service.util.EmailUtil;
import org.openmetadata.service.util.LdapUtil;
import org.openmetadata.service.util.TokenUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/openmetadata/service/security/auth/LdapAuthenticator.class */
public class LdapAuthenticator implements AuthenticatorHandler {
    private static final Logger LOG = LoggerFactory.getLogger(LdapAuthenticator.class);
    static final String LDAP_ERR_MSG = "[LDAP] Issue in creating a LookUp Connection SSL";
    private UserRepository userRepository;
    private TokenRepository tokenRepository;
    private LoginAttemptCache loginAttemptCache;
    private LdapConfiguration ldapConfiguration;
    private LDAPConnectionPool ldapLookupConnectionPool;
    private LoginConfiguration loginConfiguration;

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public void init(OpenMetadataApplicationConfig openMetadataApplicationConfig, Jdbi jdbi) {
        if (!openMetadataApplicationConfig.getAuthenticationConfiguration().getProvider().equals("ldap") || openMetadataApplicationConfig.getAuthenticationConfiguration().getLdapConfiguration() == null) {
            throw new IllegalStateException("Invalid or Missing Ldap Configuration.");
        }
        this.ldapLookupConnectionPool = getLdapConnectionPool(openMetadataApplicationConfig.getAuthenticationConfiguration().getLdapConfiguration());
        this.userRepository = new UserRepository((CollectionDAO) jdbi.onDemand(CollectionDAO.class));
        this.tokenRepository = new TokenRepository((CollectionDAO) jdbi.onDemand(CollectionDAO.class));
        this.ldapConfiguration = openMetadataApplicationConfig.getAuthenticationConfiguration().getLdapConfiguration();
        this.loginAttemptCache = new LoginAttemptCache(openMetadataApplicationConfig);
        this.loginConfiguration = openMetadataApplicationConfig.getApplicationConfiguration().getLoginConfig();
    }

    private LDAPConnectionPool getLdapConnectionPool(LdapConfiguration ldapConfiguration) {
        try {
            if (!ldapConfiguration.getSslEnabled().booleanValue()) {
                try {
                    LDAPConnection lDAPConnection = new LDAPConnection(ldapConfiguration.getHost(), ldapConfiguration.getPort().intValue(), ldapConfiguration.getDnAdminPrincipal(), ldapConfiguration.getDnAdminPassword());
                    try {
                        LDAPConnectionPool lDAPConnectionPool = new LDAPConnectionPool(lDAPConnection, ldapConfiguration.getMaxPoolSize().intValue());
                        lDAPConnection.close();
                        return lDAPConnectionPool;
                    } catch (Throwable th) {
                        try {
                            lDAPConnection.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                        throw th;
                    }
                } catch (LDAPException e) {
                    LOG.error("[LDAP] Issue in creating a LookUp Connection", e);
                    throw new IllegalStateException("[LDAP] Issue in creating a LookUp Connection", e);
                }
            }
            LDAPConnectionOptions lDAPConnectionOptions = new LDAPConnectionOptions();
            try {
                LDAPConnection lDAPConnection2 = new LDAPConnection(new SSLUtil(new LdapUtil().getLdapSSLConnection(ldapConfiguration, lDAPConnectionOptions)).createSSLSocketFactory(), lDAPConnectionOptions, ldapConfiguration.getHost(), ldapConfiguration.getPort().intValue(), ldapConfiguration.getDnAdminPrincipal(), ldapConfiguration.getDnAdminPassword());
                try {
                    LDAPConnectionPool lDAPConnectionPool2 = new LDAPConnectionPool(lDAPConnection2, ldapConfiguration.getMaxPoolSize().intValue());
                    lDAPConnection2.close();
                    return lDAPConnectionPool2;
                } catch (Throwable th3) {
                    try {
                        lDAPConnection2.close();
                    } catch (Throwable th4) {
                        th3.addSuppressed(th4);
                    }
                    throw th3;
                }
            } catch (GeneralSecurityException e2) {
                LOG.error(LDAP_ERR_MSG, e2);
                throw new IllegalStateException(LDAP_ERR_MSG, e2);
            }
        } catch (LDAPException e3) {
            throw new IllegalStateException(LDAP_ERR_MSG, e3);
        }
        throw new IllegalStateException(LDAP_ERR_MSG, e3);
    }

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public JwtResponse loginUser(LoginRequest loginRequest) throws IOException, TemplateException {
        checkIfLoginBlocked(loginRequest.getEmail());
        validatePassword(lookUserInProvider(loginRequest.getEmail()), loginRequest.getPassword());
        return getJwtResponse(checkAndCreateUser(loginRequest.getEmail()), this.loginConfiguration.getJwtTokenExpiryTime().intValue());
    }

    private User checkAndCreateUser(String str) throws IOException {
        try {
            return this.userRepository.getByName((UriInfo) null, str.split("@")[0], this.userRepository.getFields("id,name,email"));
        } catch (EntityNotFoundException e) {
            return this.userRepository.create(null, getUserForLdap(str));
        }
    }

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public void checkIfLoginBlocked(String str) {
        if (this.loginAttemptCache.isLoginBlocked(str)) {
            throw new AuthenticationException(CatalogExceptionMessage.MAX_FAILED_LOGIN_ATTEMPT);
        }
    }

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public void recordFailedLoginAttempt(User user) throws TemplateException, IOException {
        this.loginAttemptCache.recordFailedLogin(user.getName());
        if (this.loginAttemptCache.getUserFailedLoginCount(user.getName()) == this.loginConfiguration.getMaxLoginFailAttempts().intValue()) {
            EmailUtil.getInstance().sendAccountStatus(user, "Multiple Failed Login Attempts.", String.format("Someone is tried accessing your account. Login is Blocked for %s minutes.", this.loginConfiguration.getAccessBlockTime()));
        }
    }

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public void validatePassword(User user, String str) throws TemplateException, IOException {
        BindResult bindResult = null;
        try {
            bindResult = this.ldapLookupConnectionPool.bind(user.getName(), str);
            if (Objects.equals(bindResult.getResultCode().getName(), ResultCode.SUCCESS.getName())) {
                return;
            }
        } catch (Exception e) {
            if (bindResult != null && Objects.equals(bindResult.getResultCode().getName(), ResultCode.INVALID_CREDENTIALS.getName())) {
                recordFailedLoginAttempt(user);
                throw new CustomExceptionMessage(Response.Status.UNAUTHORIZED, CatalogExceptionMessage.INVALID_EMAIL_PASSWORD);
            }
        }
        if (bindResult == null) {
            throw new CustomExceptionMessage(Response.Status.INTERNAL_SERVER_ERROR, CatalogExceptionMessage.INVALID_EMAIL_PASSWORD);
        }
        throw new CustomExceptionMessage(Response.Status.INTERNAL_SERVER_ERROR, bindResult.getResultCode().getName());
    }

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public User lookUserInProvider(String str) {
        try {
            SearchResult search = this.ldapLookupConnectionPool.search(new SearchRequest(this.ldapConfiguration.getUserBaseDN(), SearchScope.SUB, Filter.create(String.format("%s=%s", this.ldapConfiguration.getMailAttributeName(), str)), new String[]{this.ldapConfiguration.getMailAttributeName()}));
            if (search.getSearchEntries().size() != 1) {
                if (search.getSearchEntries().size() > 1) {
                    throw new CustomExceptionMessage(Response.Status.INTERNAL_SERVER_ERROR, CatalogExceptionMessage.MULTIPLE_EMAIl_ENTRIES);
                }
                throw new CustomExceptionMessage(Response.Status.INTERNAL_SERVER_ERROR, CatalogExceptionMessage.INVALID_EMAIL_PASSWORD);
            }
            SearchResultEntry searchResultEntry = (SearchResultEntry) search.getSearchEntries().get(0);
            String dn = searchResultEntry.getDN();
            Attribute attribute = searchResultEntry.getAttribute(this.ldapConfiguration.getMailAttributeName());
            if (CommonUtil.nullOrEmpty(dn) || attribute == null) {
                throw new CustomExceptionMessage(Response.Status.FORBIDDEN, CatalogExceptionMessage.LDAP_MISSING_ATTR);
            }
            return getUserForLdap(str).withName(dn);
        } catch (LDAPException e) {
            throw new CustomExceptionMessage(Response.Status.INTERNAL_SERVER_ERROR, e.getMessage());
        }
    }

    private User getUserForLdap(String str) {
        String str2 = str.split("@")[0];
        return new User().withId(UUID.randomUUID()).withName(str2).withFullyQualifiedName(str2).withEmail(str).withIsBot(false).withUpdatedBy(str2).withUpdatedAt(Long.valueOf(System.currentTimeMillis())).withIsEmailVerified(false).withAuthenticationMechanism((AuthenticationMechanism) null);
    }

    @Override // org.openmetadata.service.security.auth.AuthenticatorHandler
    public RefreshToken createRefreshTokenForLogin(UUID uuid) throws JsonProcessingException {
        this.tokenRepository.deleteTokenByUserAndType(uuid.toString(), TokenType.REFRESH_TOKEN.toString());
        TokenInterface refreshToken = TokenUtil.getRefreshToken(uuid, UUID.randomUUID());
        this.tokenRepository.insertToken(refreshToken);
        return refreshToken;
    }
}
