package org.apache.hive.service.auth.ldap;

import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.naming.NamingException;
import javax.security.sasl.AuthenticationException;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hive.com.google.common.annotations.VisibleForTesting;
import org.apache.hive.com.google.common.base.Joiner;
import org.apache.hive.org.slf4j.Logger;
import org.apache.hive.org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hive/service/auth/ldap/GroupFilterFactory.class */
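/**
 * Builds the LDAP group filter for HiveServer2 plain LDAP authentication.
 *
 * <p>The factory reads the configured group list and returns one of two filters. Both filters
 * accept a user only when the directory reports membership in at least one configured group,
 * and both reject the login with an {@link AuthenticationException} otherwise.
 */
public final class GroupFilterFactory implements FilterFactory {

    /**
     * Filter that looks up the groups the directory returns for the user and compares them
     * with the configured group names.
     */
    @VisibleForTesting
    static final class GroupMembershipKeyFilter implements Filter {
        private static final Logger LOG = LoggerFactory.getLogger(GroupMembershipKeyFilter.class);

        // Private copy of the allowed group names; later changes to the caller's collection
        // do not alter the allow-list.
        private final Set<String> groupFilter = new HashSet<>();

        /**
         * @param collection group names a user must belong to (at least one of them)
         */
        GroupMembershipKeyFilter(Collection<String> collection) {
            this.groupFilter.addAll(collection);
        }

        /**
         * Accepts the user when any group found for the user matches a configured group name.
         *
         * @param dirSearch directory search used to resolve the user DN and the user's groups
         * @param str login name of the user being authenticated
         * @throws AuthenticationException when no group matches or the directory lookup fails
         */
        @Override // org.apache.hive.service.auth.ldap.Filter
        public void apply(DirSearch dirSearch, String str) throws AuthenticationException {
            // NOTE(review): `str` is logged as received; if it is client-supplied, confirm the
            // log layout neutralises CR/LF so a login name cannot forge log lines.
            LOG.info("Authenticating user '{}' using {}", str, GroupMembershipKeyFilter.class.getSimpleName());
            try {
                String userDn = dirSearch.findUserDn(str);
                List<String> memberOf = dirSearch.findGroupsForUser(userDn);
                LOG.debug("User {} member of : {}", userDn, memberOf);
                for (String groupDn : memberOf) {
                    // The comparison uses the short name derived from the group DN and an exact,
                    // case-sensitive set lookup.
                    // NOTE(review): if getShortName keeps only the leading RDN value, groups with
                    // the same name under different branches are indistinguishable here - confirm.
                    if (this.groupFilter.contains(LdapUtils.getShortName(groupDn))) {
                        LOG.debug("GroupMembershipKeyFilter passes: user '{}' is a member of '{}' group", str, groupDn);
                        LOG.info("Authentication succeeded based on group membership");
                        return;
                    }
                }
                // Message text kept verbatim: it says "user membership" although this filter
                // checks group membership.
                LOG.info("Authentication failed based on user membership");
                throw new AuthenticationException("Authentication failed: User not a member of specified list");
            } catch (NamingException e) {
                // Fail closed: a directory error is reported as an authentication failure.
                throw new AuthenticationException("LDAP Authentication failed for user", e);
            }
        }
    }

    /**
     * Filter that resolves each configured group to a DN and asks the directory whether the
     * user is a member of that group.
     */
    @VisibleForTesting
    static final class UserMembershipKeyFilter implements Filter {
        private static final Logger LOG = LoggerFactory.getLogger(UserMembershipKeyFilter.class);

        // Private copy of the configured group names, consistent with GroupMembershipKeyFilter,
        // so the allow-list cannot change after construction.
        private final Collection<String> groupFilter;

        /**
         * @param collection group names a user must belong to (at least one of them)
         */
        UserMembershipKeyFilter(Collection<String> collection) {
            this.groupFilter = new ArrayList<>(collection);
        }

        /**
         * Accepts the user when the directory confirms membership in any configured group.
         *
         * <p>Lookup errors for a single group are logged and that group is skipped; the user is
         * rejected when no group resolves to a DN or no membership check succeeds.
         *
         * @param dirSearch directory search used to resolve group DNs and test membership
         * @param str login name of the user being authenticated
         * @throws AuthenticationException when no configured group can be resolved or the user
         *     is not a member of any resolved group
         */
        @Override // org.apache.hive.service.auth.ldap.Filter
        public void apply(DirSearch dirSearch, String str) throws AuthenticationException {
            // NOTE(review): `str` is logged as received; if it is client-supplied, confirm the
            // log layout neutralises CR/LF so a login name cannot forge log lines.
            LOG.info("Authenticating user '{}' using {}", str, UserMembershipKeyFilter.class.getSimpleName());

            List<String> groupDns = new ArrayList<>();
            for (String groupName : this.groupFilter) {
                try {
                    groupDns.add(dirSearch.findGroupDn(groupName));
                } catch (NamingException e) {
                    // An unresolvable group is skipped; it can never grant access.
                    LOG.warn("Cannot find DN for group", e);
                    LOG.debug("Cannot find DN for group " + groupName, e);
                }
            }

            if (groupDns.isEmpty()) {
                LOG.debug(String.format("No DN(s) has been found for any of group(s): %s", Joiner.on(',').join(this.groupFilter)));
                throw new AuthenticationException("No DN(s) has been found for any of specified group(s)");
            }

            for (String groupDn : groupDns) {
                try {
                    // The membership query must sit inside the try block: with an empty try the
                    // catch clause is unreachable and the checked NamingException would escape a
                    // method that only declares AuthenticationException.
                    if (dirSearch.isUserMemberOfGroup(str, groupDn)) {
                        LOG.debug("UserMembershipKeyFilter passes: user '{}' is a member of '{}' group", str, groupDn);
                        LOG.info("Authentication succeeded based on user membership");
                        return;
                    }
                } catch (NamingException e) {
                    // A failed check counts as "not a member" for this group; the loop moves on
                    // and the method still rejects the user if nothing matches.
                    LOG.warn("Cannot match user and group", e);
                    if (LOG.isDebugEnabled()) {
                        LOG.debug(String.format("Cannot match user '%s' and group '%s'", str, groupDn), e);
                    }
                }
            }

            // NOTE(review): the message echoes the login name; confirm whether it is returned to
            // the client or only logged.
            throw new AuthenticationException(String.format("Authentication failed: User '%s' is not a member of listed groups", str));
        }
    }

    /**
     * Creates the group filter selected by the configuration.
     *
     * @param hiveConf configuration holding the group filter list and the user membership key
     * @return {@code null} when the group filter list is empty (no group restriction is built),
     *     a {@link GroupMembershipKeyFilter} when the user membership key is unset, otherwise a
     *     {@link UserMembershipKeyFilter}
     */
    @Override // org.apache.hive.service.auth.ldap.FilterFactory
    public Filter getInstance(HiveConf hiveConf) {
        Collection<String> groupNames = hiveConf.getStringCollection(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPFILTER.varname);
        if (groupNames.isEmpty()) {
            // Callers must treat null as "no group filter configured", not as a denial.
            return null;
        }
        // Only a null value selects the group-lookup filter; any other value, including one
        // that is set but empty, selects the membership-query filter.
        if (hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERMEMBERSHIP_KEY) == null) {
            return new GroupMembershipKeyFilter(groupNames);
        }
        return new UserMembershipKeyFilter(groupNames);
    }
}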
