package fathom.realm.ldap;

import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.typesafe.config.Config;
import com.unboundid.ldap.sdk.Attribute;
import com.unboundid.ldap.sdk.DereferencePolicy;
import com.unboundid.ldap.sdk.ExtendedResult;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.LDAPSearchException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;
import com.unboundid.ldap.sdk.SimpleBindRequest;
import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustAllTrustManager;
import fathom.authc.StandardCredentials;
import fathom.realm.Account;
import fathom.realm.CachingRealm;
import fathom.utils.Util;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:fathom-security-ldap-0.8.0.jar:fathom/realm/ldap/LdapRealm.class */
public class LdapRealm extends CachingRealm {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) LdapRealm.class);
    protected String ldapUrl;
    protected String ldapUsername;
    protected String ldapPassword;
    protected String ldapBindPattern;
    protected String accountBase;
    protected String accountPattern;
    protected String groupBase;
    protected String groupMemberPattern;
    protected String nameMapping;
    protected String emailMapping;
    protected List<String> adminGroups;

    public static final String escapeLDAPSearchFilter(String str) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < str.length(); i++) {
            char charAt = str.charAt(i);
            switch (charAt) {
                case 0:
                    sb.append("\\00");
                    break;
                case '(':
                    sb.append("\\28");
                    break;
                case ')':
                    sb.append("\\29");
                    break;
                case '*':
                    sb.append("\\2a");
                    break;
                case '\\':
                    sb.append("\\5c");
                    break;
                default:
                    sb.append(charAt);
                    break;
            }
        }
        return sb.toString();
    }

    @Override // fathom.realm.CachingRealm, fathom.realm.Realm
    public void setup(Config config) {
        super.setup(config);
        this.ldapUrl = Strings.emptyToNull(config.getString("url"));
        Preconditions.checkNotNull(this.ldapUrl, "The LDAP 'url' setting may not be null nor empty!");
        this.ldapUsername = "";
        if (config.hasPath("username")) {
            this.ldapUsername = config.getString("username");
        }
        this.ldapPassword = "";
        if (config.hasPath("password")) {
            this.ldapPassword = config.getString("password");
        }
        this.ldapBindPattern = "";
        if (config.hasPath("bindPattern")) {
            this.ldapBindPattern = config.getString("bindPattern");
        }
        this.accountBase = "";
        if (config.hasPath("accountBase")) {
            this.accountBase = config.getString("accountBase");
        }
        this.accountPattern = "(&(objectClass=person)(sAMAccountName=${username}))";
        if (config.hasPath("accountPattern")) {
            this.accountPattern = config.getString("accountPattern");
        }
        if (config.hasPath("nameMapping")) {
            this.nameMapping = config.getString("nameMapping");
        }
        if (config.hasPath("emailMapping")) {
            this.emailMapping = config.getString("emailMapping");
        }
        this.groupBase = "";
        if (config.hasPath("groupBase")) {
            config.getString("groupBase");
        }
        this.groupMemberPattern = "(&(objectClass=group)(member=${dn}))";
        if (config.hasPath("groupMemberPattern")) {
            this.groupMemberPattern = config.getString("groupMemberPattern");
        }
        if (config.hasPath("adminGroups")) {
            this.adminGroups = config.getStringList("adminGroups");
        }
    }

    @Override // fathom.realm.Realm
    public void start() {
        log.debug("Realm '{}' configuration:", getRealmName());
        Util.logSetting(log, "url", this.ldapUrl);
        Util.logSetting(log, "username", this.ldapUsername);
        Util.logSetting(log, "password", this.ldapPassword);
        Util.logSetting(log, "bindPattern", this.ldapBindPattern);
        Util.logSetting(log, "accountBase", this.accountBase);
        Util.logSetting(log, "accountPattern", this.accountPattern);
        Util.logSetting(log, "nameMapping", this.nameMapping);
        Util.logSetting(log, "emailMapping", this.emailMapping);
        Util.logSetting(log, "groupBase", this.groupBase);
        Util.logSetting(log, "groupMemberPattern", this.groupMemberPattern);
        Util.logSetting(log, "adminGroups", this.adminGroups);
        super.logCacheSettings(log);
    }

    @Override // fathom.realm.Realm
    public void stop() {
    }

    @Override // fathom.realm.StandardCredentialsRealm
    public Account authenticate(StandardCredentials standardCredentials) {
        String simpleUsername = getSimpleUsername(standardCredentials.getUsername());
        String password = standardCredentials.getPassword();
        return hasAccount(simpleUsername) ? super.authenticate(new StandardCredentials(simpleUsername, password)) : authenticate(simpleUsername, password);
    }

    @Override // fathom.realm.StandardCredentialsRealm
    public Account authenticate(String str, String str2) {
        Account account;
        LDAPConnection ldapConnection = getLdapConnection();
        if (ldapConnection == null) {
            return null;
        }
        try {
            boolean z = false;
            if (!Strings.isNullOrEmpty(this.ldapBindPattern)) {
                try {
                    ldapConnection.bind(this.ldapBindPattern.replace("${username}", escapeLDAPSearchFilter(str)), str2);
                    z = true;
                } catch (LDAPException e) {
                    ldapConnection.close();
                    return null;
                }
            }
            SearchResult doSearch = doSearch(ldapConnection, this.accountBase, this.accountPattern.replace("${username}", escapeLDAPSearchFilter(str)));
            if (doSearch != null && doSearch.getEntryCount() == 1) {
                SearchResultEntry searchResultEntry = doSearch.getSearchEntries().get(0);
                String dn = searchResultEntry.getDN();
                if (z || isAuthenticated(ldapConnection, dn, str2)) {
                    log.debug("Authentication succeeded for '{}' against '{}'", str, getRealmName());
                    synchronized (this) {
                        account = new Account(str, new StandardCredentials(str, str2));
                        setAccountRoles(ldapConnection, searchResultEntry, account);
                        setAccountAttributes(searchResultEntry, account);
                        cacheAccount(account);
                    }
                    return account;
                }
                log.debug("Authentication failed for '{}' against '{}'", str, getRealmName());
            } else if (doSearch == null || doSearch.getSearchEntries().size() == 0) {
                log.debug("No account found for '{}' in '{}'", str, getRealmName());
            }
            ldapConnection.close();
            return null;
        } finally {
            ldapConnection.close();
        }
    }

    private LDAPConnection getLdapConnection() {
        LDAPConnection lDAPConnection;
        try {
            URI uri = new URI(this.ldapUrl);
            String host = uri.getHost();
            int port = uri.getPort();
            if (uri.getScheme().equalsIgnoreCase("ldaps")) {
                lDAPConnection = new LDAPConnection(new SSLUtil(new TrustAllTrustManager()).createSSLSocketFactory());
                if (port == -1) {
                    port = 636;
                }
            } else {
                if (!uri.getScheme().equalsIgnoreCase("ldap") && !uri.getScheme().equalsIgnoreCase("ldap+tls")) {
                    log.error("Unsupported LDAP URL scheme: " + uri.getScheme());
                    return null;
                }
                lDAPConnection = new LDAPConnection();
                if (port == -1) {
                    port = 389;
                }
            }
            lDAPConnection.connect(host, port);
            if (uri.getScheme().equalsIgnoreCase("ldap+tls")) {
                ExtendedResult processExtendedOperation = lDAPConnection.processExtendedOperation(new StartTLSExtendedRequest(new SSLUtil(new TrustAllTrustManager()).createSSLContext()));
                if (processExtendedOperation.getResultCode() != ResultCode.SUCCESS) {
                    throw new LDAPException(processExtendedOperation.getResultCode());
                }
            }
            if (Strings.isNullOrEmpty(this.ldapUsername) && Strings.isNullOrEmpty(this.ldapPassword)) {
                lDAPConnection.bind(new SimpleBindRequest());
            } else {
                lDAPConnection.bind(new SimpleBindRequest(this.ldapUsername, this.ldapPassword));
            }
            return lDAPConnection;
        } catch (LDAPException e) {
            if (Strings.isNullOrEmpty(e.getDiagnosticMessage())) {
                log.error("Error connecting to LDAP server", (Throwable) e);
                return null;
            }
            log.error(e.getDiagnosticMessage());
            return null;
        } catch (URISyntaxException e2) {
            log.error("Bad LDAP URL, should be in the form: ldap(s|+tls)://<server>:<port>", (Throwable) e2);
            return null;
        } catch (GeneralSecurityException e3) {
            log.error("Unable to create SSL Connection", (Throwable) e3);
            return null;
        }
    }

    private boolean isAuthenticated(LDAPConnection lDAPConnection, String str, String str2) {
        try {
            lDAPConnection.bind(str, str2);
            return true;
        } catch (LDAPException e) {
            if (Strings.isNullOrEmpty(e.getDiagnosticMessage())) {
                log.error("Error authenticating user", (Throwable) e);
                return false;
            }
            log.error(e.getDiagnosticMessage());
            return false;
        }
    }

    private SearchResult doSearch(LDAPConnection lDAPConnection, String str, String str2) {
        try {
            return lDAPConnection.search(str, SearchScope.SUB, str2, new String[0]);
        } catch (LDAPSearchException e) {
            if (Strings.isNullOrEmpty(e.getDiagnosticMessage())) {
                log.error("Problem searching LDAP", (Throwable) e);
                return null;
            }
            log.error(e.getDiagnosticMessage());
            return null;
        }
    }

    private SearchResult doSearch(LDAPConnection lDAPConnection, String str, boolean z, String str2, List<String> list) {
        try {
            SearchRequest searchRequest = new SearchRequest(str, SearchScope.SUB, str2, new String[0]);
            if (z) {
                searchRequest.setDerefPolicy(DereferencePolicy.SEARCHING);
            }
            if (list != null) {
                searchRequest.setAttributes(list);
            }
            return lDAPConnection.search(searchRequest);
        } catch (LDAPException e) {
            if (Strings.isNullOrEmpty(e.getDiagnosticMessage())) {
                log.error("Problem searching LDAP", (Throwable) e);
                return null;
            }
            log.error(e.getDiagnosticMessage());
            return null;
        }
    }

    private void setAccountRoles(LDAPConnection lDAPConnection, SearchResultEntry searchResultEntry, Account account) {
        String replace = this.groupMemberPattern.replace("${dn}", escapeLDAPSearchFilter(searchResultEntry.getDN())).replace("${username}", escapeLDAPSearchFilter(account.getUsername()));
        for (Attribute attribute : searchResultEntry.getAttributes()) {
            replace = replace.replace("${" + attribute.getName() + "}", escapeLDAPSearchFilter(attribute.getValue()));
        }
        SearchResult doSearch = doSearch(lDAPConnection, this.groupBase, true, replace, Arrays.asList("cn"));
        if (doSearch == null || doSearch.getEntryCount() <= 0) {
            return;
        }
        for (int i = 0; i < doSearch.getEntryCount(); i++) {
            account.getAuthorizations().addRole(doSearch.getSearchEntries().get(i).getAttribute("cn").getValue());
        }
    }

    private void setAccountAttributes(SearchResultEntry searchResultEntry, Account account) {
        setAdminAttribute(account);
        if (!Strings.isNullOrEmpty(this.nameMapping)) {
            if (this.nameMapping.contains("${")) {
                String str = this.nameMapping;
                for (Attribute attribute : searchResultEntry.getAttributes()) {
                    str = str.replace("${" + attribute.getName() + "}", attribute.getValue());
                }
                account.setName(str);
            } else {
                Attribute attribute2 = searchResultEntry.getAttribute(this.nameMapping);
                if (attribute2 != null && attribute2.hasValue()) {
                    account.setName(attribute2.getValue());
                }
            }
        }
        if (Strings.isNullOrEmpty(this.emailMapping)) {
            return;
        }
        if (!this.emailMapping.contains("${")) {
            Attribute attribute3 = searchResultEntry.getAttribute(this.emailMapping);
            if (attribute3 == null || !attribute3.hasValue()) {
                return;
            }
            account.addEmailAddress(attribute3.getValue());
            return;
        }
        String str2 = this.emailMapping;
        for (Attribute attribute4 : searchResultEntry.getAttributes()) {
            str2 = str2.replace("${" + attribute4.getName() + "}", attribute4.getValue());
        }
        account.addEmailAddress(str2);
    }

    private void setAdminAttribute(Account account) {
        if (this.adminGroups != null) {
            for (String str : this.adminGroups) {
                if (str.startsWith("@") && account.getUsername().equalsIgnoreCase(str.substring(1))) {
                    account.getAuthorizations().addPermission("*");
                } else if (account.hasRole(str)) {
                    account.getAuthorizations().addPermission("*");
                }
            }
        }
    }

    private String getSimpleUsername(String str) {
        int lastIndexOf = str.lastIndexOf(92);
        if (lastIndexOf > -1) {
            str = str.substring(lastIndexOf + 1);
        }
        return str;
    }
}
