package com.github.alanger.shiroext.realm.activedirectory;

import com.github.alanger.shiroext.realm.AttributeProvider;
import java.net.URI;
import java.net.URISyntaxException;
import java.text.MessageFormat;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.NameParser;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapContext;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.ldap.AbstractLdapRealm;
import org.apache.shiro.realm.ldap.LdapContextFactory;
import org.apache.shiro.realm.ldap.LdapUtils;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/github/alanger/shiroext/realm/activedirectory/ActiveDirectoryRealm.class */
public class ActiveDirectoryRealm extends AbstractLdapRealm implements AttributeProvider {
    private static Logger log = LoggerFactory.getLogger((Class<?>) ActiveDirectoryRealm.class);
    private static final String DELIMETER = ",";
    private LdapContextFactory ldapContextFactory;
    private String userAttributes = "displayName, distinguishedName, memberOf, mail, title, department, telephoneNumber";
    private String roleNameAttribute = "memberOf";
    private String roleName = "CN";
    protected boolean roleNested = false;
    protected boolean roleShortName = true;
    protected String commonRole = null;
    protected String roleBase = "";
    protected String roleSearch = "(&(objectClass=group)(member={0}))";
    protected boolean adCompat = false;
    private boolean named = false;
    private long sizeLimit = 0;
    private int timeLimit = 0;
    private Map<String, String> groupRolesMap = new LinkedHashMap();
    private String roleWhiteList;
    private String roleBlackList;
    private String userWhiteList;
    private String userBlackList;
    private String userPrefix;

    public ActiveDirectoryRealm() {
        this.searchFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))";
    }

    public void setUserAttributes(String str) {
        this.userAttributes = str;
    }

    protected String[] getUserAttributesArray() {
        String[] strArr = new String[0];
        if (this.userAttributes != null) {
            strArr = this.userAttributes.replaceAll("\\s+", "").split(DELIMETER);
        }
        return strArr;
    }

    public String getUrl() {
        return this.url;
    }

    public String getPrincipalSuffix() {
        return this.principalSuffix;
    }

    public String getRoleNameAttribute() {
        return this.roleNameAttribute;
    }

    public void setRoleNameAttribute(String str) {
        this.roleNameAttribute = str;
    }

    public String getRoleName() {
        return this.roleName;
    }

    public void setRoleName(String str) {
        this.roleName = str;
    }

    public boolean getRoleNested() {
        return this.roleNested;
    }

    public void setRoleNested(boolean z) {
        this.roleNested = z;
    }

    public boolean getRoleShortName() {
        return this.roleShortName;
    }

    public void setRoleShortName(boolean z) {
        this.roleShortName = z;
    }

    public String getCommonRole() {
        return this.commonRole;
    }

    public void setCommonRole(String str) {
        this.commonRole = str;
    }

    public String getRoleBase() {
        return this.roleBase;
    }

    public void setRoleBase(String str) {
        this.roleBase = str;
    }

    public String getRoleSearch() {
        return this.roleSearch;
    }

    public void setRoleSearch(String str) {
        this.roleSearch = str;
    }

    public boolean getAdCompat() {
        return this.adCompat;
    }

    public void setAdCompat(boolean z) {
        this.adCompat = z;
    }

    public boolean getNamed() {
        return this.named;
    }

    public void setNamed(boolean z) {
        this.named = z;
    }

    public long getSizeLimit() {
        return this.sizeLimit;
    }

    public void setSizeLimit(long j) {
        this.sizeLimit = j;
    }

    public int getTimeLimit() {
        return this.timeLimit;
    }

    public void setTimeLimit(int i) {
        this.timeLimit = i;
    }

    public void setGroupRolesMap(Map<String, String> map) {
        this.groupRolesMap.putAll(map);
    }

    public Map<String, String> getGroupRolesMap() {
        return this.groupRolesMap;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.shiro.realm.ldap.AbstractLdapRealm, org.apache.shiro.realm.AuthorizingRealm, org.apache.shiro.realm.AuthenticatingRealm
    public void onInit() {
        initContextFactory();
        super.onInit();
    }

    private LdapContextFactory initContextFactory() {
        if (this.ldapContextFactory == null) {
            if (log.isDebugEnabled()) {
                log.debug("No LdapContextFactory specified - creating a default instance.");
            }
            ActiveDirectoryLdapContextFactory activeDirectoryLdapContextFactory = new ActiveDirectoryLdapContextFactory();
            activeDirectoryLdapContextFactory.setPrincipalSuffix(getPrincipalSuffix());
            activeDirectoryLdapContextFactory.setUrl(getUrl());
            activeDirectoryLdapContextFactory.setSystemUsername(getSystemUsername());
            activeDirectoryLdapContextFactory.setSystemPassword(getSystemPassword());
            setLdapContextFactory(activeDirectoryLdapContextFactory);
        }
        return this.ldapContextFactory;
    }

    public LdapContextFactory getLdapContextFactory() {
        return this.ldapContextFactory;
    }

    @Override // org.apache.shiro.realm.ldap.AbstractLdapRealm
    public void setLdapContextFactory(LdapContextFactory ldapContextFactory) {
        this.ldapContextFactory = ldapContextFactory;
        super.setLdapContextFactory(ldapContextFactory);
    }

    public String getSystemUsername() {
        return this.systemUsername;
    }

    public String getSystemPassword() {
        return this.systemPassword;
    }

    public String getRoleWhiteList() {
        return this.roleWhiteList;
    }

    public void setRoleWhiteList(String str) {
        this.roleWhiteList = str;
    }

    public String getRoleBlackList() {
        return this.roleBlackList;
    }

    public void setRoleBlackList(String str) {
        this.roleBlackList = str;
    }

    private boolean isRoleBlackOrWhite(String str) {
        return this.roleWhiteList != null ? str.matches(this.roleWhiteList) : this.roleBlackList == null || !str.matches(this.roleBlackList);
    }

    public String getUserWhiteList() {
        return this.userWhiteList;
    }

    public void setUserWhiteList(String str) {
        this.userWhiteList = str;
    }

    public String getUserBlackList() {
        return this.userBlackList;
    }

    public void setUserBlackList(String str) {
        this.userBlackList = str;
    }

    private boolean isUserBlackOrWhite(String str) {
        return this.userWhiteList != null ? str.matches(this.userWhiteList) : this.userBlackList == null || !str.matches(this.userBlackList);
    }

    public String getUserPrefix() {
        return this.userPrefix;
    }

    public void setUserPrefix(String str) {
        this.userPrefix = str;
    }

    private boolean isValidPrincipalName(String str) {
        if (str == null) {
            return false;
        }
        if (!StringUtils.hasLength(str) || !str.contains("@")) {
            if (StringUtils.hasLength(str)) {
                return isUserBlackOrWhite(str);
            }
            return false;
        }
        String trim = str.split("@")[0].trim();
        if (StringUtils.hasLength(trim)) {
            return isUserBlackOrWhite(trim);
        }
        return false;
    }

    private String withoutPrefix(String str) {
        return (getUserPrefix() == null || str == null) ? str : str.startsWith(getUserPrefix()) ? str.replaceFirst(getUserPrefix(), "") : str;
    }

    private String withoutDomain(String str) {
        String str2 = null;
        if (str != null && str.indexOf("\\") != -1) {
            String[] split = str.split("\\\\");
            str = split.length == 2 ? split[1] : null;
            str2 = split.length == 2 ? split[0] : null;
        }
        if (str != null && str.indexOf("@") != -1) {
            String[] split2 = str.split("@");
            str = split2.length == 2 ? split2[0] : null;
            str2 = split2.length == 2 ? split2[1] : null;
        }
        String withoutPrefix = withoutPrefix(str);
        if (log.isTraceEnabled()) {
            log.trace("withOutDomain username: {}, domain: {}: ", withoutPrefix, str2);
        }
        if (!getNamed() && str2 != null && !str2.equalsIgnoreCase(getName())) {
            return null;
        }
        if (!getNamed() || (str2 != null && str2.equalsIgnoreCase(getName()))) {
            return withoutPrefix;
        }
        return null;
    }

    @Override // org.apache.shiro.realm.ldap.AbstractLdapRealm, org.apache.shiro.realm.AuthenticatingRealm
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        try {
            log.trace("doGetAuthenticationInfo token: {}", authenticationToken);
            return queryForAuthenticationInfo(authenticationToken, getLdapContextFactory());
        } catch (javax.naming.AuthenticationException e) {
            if (log.isTraceEnabled()) {
                log.trace("doGetAuthenticationInfo {} {}", "LDAP authentication failed.", e.toString());
            }
            throw new AuthenticationException("LDAP authentication failed.", e);
        } catch (NamingException e2) {
            throw new AuthenticationException("LDAP naming error while attempting to authenticate user.", e2);
        }
    }

    protected AuthenticationInfo doGetAuthenticationInfo(String str, String str2) throws AuthenticationException {
        return doGetAuthenticationInfo(new UsernamePasswordToken(str, str2));
    }

    @Override // org.apache.shiro.realm.ldap.AbstractLdapRealm
    protected AuthenticationInfo queryForAuthenticationInfo(AuthenticationToken authenticationToken, LdapContextFactory ldapContextFactory) throws NamingException {
        UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) authenticationToken;
        String withoutDomain = withoutDomain(usernamePasswordToken.getUsername());
        if (!isValidPrincipalName(withoutDomain)) {
            return null;
        }
        LdapContext ldapContext = null;
        try {
            ldapContext = ldapContextFactory.getLdapContext((Object) withoutDomain, (Object) String.valueOf(usernamePasswordToken.getPassword()));
            LdapUtils.closeContext(ldapContext);
            return buildAuthenticationInfo(withoutDomain, usernamePasswordToken.getPassword());
        } catch (Throwable th) {
            LdapUtils.closeContext(ldapContext);
            throw th;
        }
    }

    protected AuthenticationInfo buildAuthenticationInfo(String str, char[] cArr) {
        if (getUserPrefix() != null) {
            str = getUserPrefix() + str;
        }
        return new SimpleAuthenticationInfo(str, cArr, getName());
    }

    @Override // org.apache.shiro.realm.ldap.AbstractLdapRealm, org.apache.shiro.realm.AuthorizingRealm
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        try {
            log.trace("doGetAuthorizationInfo: {}", principalCollection);
            return queryForAuthorizationInfo(principalCollection, getLdapContextFactory());
        } catch (NamingException e) {
            throw new AuthorizationException("LDAP naming error while attempting to retrieve authorization for user [" + principalCollection + "].", e);
        }
    }

    @Override // org.apache.shiro.realm.ldap.AbstractLdapRealm
    protected AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection principalCollection, LdapContextFactory ldapContextFactory) throws NamingException {
        Collections.emptySet();
        String withoutPrefix = withoutPrefix((String) getAvailablePrincipal(principalCollection));
        if (!isValidPrincipalName(withoutPrefix)) {
            return null;
        }
        LdapContext systemLdapContext = ldapContextFactory.getSystemLdapContext();
        try {
            Set<String> roleNamesForUser = getRoleNamesForUser(withoutPrefix, systemLdapContext);
            LdapUtils.closeContext(systemLdapContext);
            return buildAuthorizationInfo(roleNamesForUser);
        } catch (Throwable th) {
            LdapUtils.closeContext(systemLdapContext);
            throw th;
        }
    }

    private final AuthorizationInfo buildAuthorizationInfo(Set<String> set) {
        return new SimpleAuthorizationInfo(set);
    }

    protected final Set<String> getRoleNamesForUser(String str, LdapContext ldapContext) throws NamingException {
        log.trace("getRoleNamesForUser username: {}", str);
        LinkedHashSet linkedHashSet = new LinkedHashSet();
        if (!isValidPrincipalName(str)) {
            return linkedHashSet;
        }
        if (StringUtils.hasLength(this.commonRole)) {
            linkedHashSet.add(this.commonRole);
        }
        Collection<String> collection = getAttributesForUser(str, ldapContext).get(this.roleNameAttribute);
        if (collection != null) {
            if (getRoleNested()) {
                LinkedHashSet linkedHashSet2 = new LinkedHashSet(collection);
                loop0: while (true) {
                    LinkedHashSet<Object> linkedHashSet3 = linkedHashSet2;
                    if (linkedHashSet3.isEmpty()) {
                        break;
                    }
                    LinkedHashSet linkedHashSet4 = new LinkedHashSet();
                    for (Object obj : linkedHashSet3) {
                        if (log.isTraceEnabled()) {
                            log.trace("Perform a nested group search with base {} and filter {}", this.roleBase, MessageFormat.format(this.roleSearch, obj));
                        }
                        NamingEnumeration<SearchResult> search = search(ldapContext, this.roleBase, this.roleSearch, new Object[]{obj}, new String[]{this.roleName});
                        while (search.hasMore()) {
                            try {
                                try {
                                    SearchResult searchResult = (SearchResult) search.next();
                                    if (searchResult.getAttributes() != null) {
                                        String distinguishedName = getDistinguishedName(ldapContext, this.roleBase, searchResult);
                                        if (distinguishedName != null && !collection.contains(distinguishedName)) {
                                            collection.add(distinguishedName);
                                            linkedHashSet4.add(distinguishedName);
                                            if (log.isTraceEnabled()) {
                                                log.trace("  Found nested role {}", distinguishedName);
                                            }
                                        }
                                    }
                                } catch (PartialResultException e) {
                                    if (!this.adCompat) {
                                        throw e;
                                    }
                                    search.close();
                                }
                            } catch (Throwable th) {
                                search.close();
                                throw th;
                            }
                        }
                        search.close();
                    }
                    linkedHashSet2 = linkedHashSet4;
                }
            }
            if (getRoleShortName()) {
                collection = getRoleShortNamesByAttribute(collection, this.roleName);
            }
            if (log.isTraceEnabled()) {
                log.debug("Groups found for user [{}]: {}", str, collection);
            }
            linkedHashSet.addAll(getRoleNamesForGroups(collection));
            if (this.roleBlackList != null || this.roleWhiteList != null) {
                filterRoleBlackOrWhite(linkedHashSet);
            }
        }
        return linkedHashSet;
    }

    protected void filterRoleBlackOrWhite(Collection<String> collection) {
        collection.removeIf(str -> {
            return !isRoleBlackOrWhite(str);
        });
    }

    protected NamingEnumeration<SearchResult> search(DirContext dirContext, String str, String str2, Object[] objArr, String[] strArr) throws NamingException {
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(2);
        searchControls.setReturningAttributes(strArr);
        searchControls.setCountLimit(this.sizeLimit);
        searchControls.setTimeLimit(this.timeLimit);
        return dirContext.search(str, str2, objArr, searchControls);
    }

    private Map<String, Collection<String>> getAttributesForUser(String str, DirContext dirContext) throws NamingException {
        LinkedHashMap linkedHashMap = new LinkedHashMap();
        NamingEnumeration<SearchResult> search = search(dirContext, this.searchBase, this.searchFilter, new Object[]{str}, getUserAttributesArray());
        if (search != null) {
            try {
                try {
                    if (search.hasMoreElements()) {
                        SearchResult searchResult = (SearchResult) search.next();
                        if (log.isTraceEnabled()) {
                            log.debug("Retrieving attributes for user {}", searchResult.getName());
                        }
                        Attributes attributes = searchResult.getAttributes();
                        if (attributes != null) {
                            NamingEnumeration all = attributes.getAll();
                            while (all.hasMore()) {
                                Attribute attribute = (Attribute) all.next();
                                String id = attribute.getID();
                                Collection<String> allAttributeValues = LdapUtils.getAllAttributeValues(attribute);
                                if (log.isTraceEnabled()) {
                                    log.debug("Ldap user attribute: {} = {} ", id, allAttributeValues);
                                }
                                linkedHashMap.put(id, allAttributeValues);
                            }
                        }
                    }
                } catch (PartialResultException e) {
                    if (!this.adCompat) {
                        throw e;
                    }
                    if (search != null) {
                        search.close();
                    }
                }
            } catch (Throwable th) {
                if (search != null) {
                    search.close();
                }
                throw th;
            }
        }
        if (search != null) {
            search.close();
        }
        return linkedHashMap;
    }

    @Override // com.github.alanger.shiroext.realm.AttributeProvider
    public Map<String, Object> getAttributesForUser(String str) {
        LinkedHashMap linkedHashMap = new LinkedHashMap();
        String withoutDomain = withoutDomain(str);
        if (!isValidPrincipalName(withoutDomain)) {
            return linkedHashMap;
        }
        DirContext dirContext = null;
        try {
            try {
                dirContext = getLdapContextFactory().getSystemLdapContext();
                linkedHashMap.putAll(getAttributesForUser(withoutDomain, dirContext));
                LdapUtils.closeContext(dirContext);
            } catch (NamingException e) {
                log.error("Failure load attributes for user " + withoutDomain + " from realm " + getName(), e);
                LdapUtils.closeContext(dirContext);
            }
            return linkedHashMap;
        } catch (Throwable th) {
            LdapUtils.closeContext(dirContext);
            throw th;
        }
    }

    public static final Collection<String> getRoleShortNamesByAttribute(Collection<String> collection, String str) {
        LinkedHashSet linkedHashSet = new LinkedHashSet(collection.size());
        Iterator<String> it = collection.iterator();
        while (it.hasNext()) {
            String[] split = it.next().split(DELIMETER);
            if (split != null && split.length > 0) {
                for (String str2 : split) {
                    String[] split2 = str2.split("=");
                    if (split2 != null && split2.length == 2 && split2[0].trim().equalsIgnoreCase(str)) {
                        linkedHashSet.add(split2[1].trim());
                    }
                }
            }
        }
        return linkedHashSet;
    }

    private final Collection<String> getRoleNamesForGroups(Collection<String> collection) {
        LinkedHashSet linkedHashSet = new LinkedHashSet(collection.size());
        if (this.groupRolesMap == null || this.groupRolesMap.size() <= 0) {
            linkedHashSet.addAll(collection);
        } else {
            for (String str : collection) {
                String str2 = this.groupRolesMap.get(str);
                if (str2 != null) {
                    for (String str3 : str2.split(DELIMETER)) {
                        if (log.isDebugEnabled()) {
                            log.debug("User is member of group [{}] so adding role [{}]", str, str3);
                        }
                        linkedHashSet.add(str3);
                    }
                }
            }
        }
        return linkedHashSet;
    }

    private final String getAttributeValue(Attribute attribute) throws NamingException {
        Object obj;
        if (attribute == null || (obj = attribute.get()) == null) {
            return null;
        }
        return obj instanceof byte[] ? new String((byte[]) obj) : obj.toString();
    }

    protected final String getAttributeValue(String str, Attributes attributes) throws NamingException {
        Attribute attribute;
        if (log.isTraceEnabled()) {
            log.trace("  retrieving attribute {}", str);
        }
        if (str == null || attributes == null || (attribute = attributes.get(str)) == null) {
            return null;
        }
        return getAttributeValue(attribute);
    }

    protected String getDistinguishedName(DirContext dirContext, String str, SearchResult searchResult) throws NamingException {
        String name = searchResult.getName();
        if (searchResult.isRelative()) {
            if (log.isTraceEnabled()) {
                log.trace("  search returned relative name: {}", name);
            }
            NameParser nameParser = dirContext.getNameParser("");
            return nameParser.parse(dirContext.getNameInNamespace()).addAll(nameParser.parse(str)).addAll(nameParser.parse(new CompositeName(name).get(0))).toString();
        }
        if (log.isTraceEnabled()) {
            log.trace("  search returned absolute name: {}", name);
        }
        try {
            NameParser nameParser2 = dirContext.getNameParser("");
            String path = new URI(name).getPath();
            if (path.length() < 1) {
                throw new InvalidNameException("Search returned unparseable absolute name: " + name);
            }
            return nameParser2.parse(path.substring(1)).toString();
        } catch (URISyntaxException e) {
            throw new InvalidNameException("Search returned unparseable absolute name: " + name);
        }
    }
}
