package com.netflix.spinnaker.fiat.roles.ldap;

import com.netflix.spinnaker.fiat.config.LdapConfig;
import com.netflix.spinnaker.fiat.model.resources.Role;
import com.netflix.spinnaker.fiat.permissions.ExternalUser;
import com.netflix.spinnaker.fiat.roles.UserRolesProvider;
import java.text.MessageFormat;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import javax.naming.InvalidNameException;
import javax.naming.Name;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.dao.IncorrectResultSizeDataAccessException;
import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.DistinguishedName;
import org.springframework.ldap.support.LdapEncoder;
import org.springframework.security.ldap.LdapUtils;
import org.springframework.security.ldap.SpringSecurityLdapTemplate;
import org.springframework.stereotype.Component;

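/**
 * Resolves a user's roles from LDAP group membership.
 *
 * <p>Registered only when {@code auth.group-membership.service} is {@code ldap}. Roles are taken
 * from the attribute named by {@code configProps.getGroupRoleAttributes()} on every group entry
 * matched by {@code configProps.getGroupSearchFilter()} under
 * {@code configProps.getGroupSearchBase()}. An empty group search base disables role lookup, so
 * every user resolves to no roles.
 *
 * <p>The values returned here are turned into {@link Role} objects as-is, so the group search
 * base and filter decide which directory entries can grant a role.
 */
@ConditionalOnProperty(value = {"auth.group-membership.service"}, havingValue = "ldap")
@Component
public class LdapUserRolesProvider implements UserRolesProvider {
    private static final Logger log = LoggerFactory.getLogger(LdapUserRolesProvider.class);

    @Autowired
    private SpringSecurityLdapTemplate ldapTemplate;

    @Autowired
    private LdapConfig.ConfigProps configProps;

    /**
     * Maps one group entry to (user id, role) pairs, one per member value whose DN matches the
     * configured user DN pattern.
     */
    private class UserGroupMapper implements AttributesMapper<List<Pair<String, Role>>> {

        /**
         * Extracts the group's role and the ids of its members.
         *
         * @param attributes attributes of a single group entry returned by the group search
         * @return one pair per parsable member value; empty when the entry lacks the role or
         *     member attribute
         * @throws NamingException if reading the attribute values fails
         */
        @Override
        public List<Pair<String, Role>> mapFromAttributes(Attributes attributes) throws NamingException {
            List<Pair<String, Role>> members = new ArrayList<>();
            String roleAttribute = configProps.getGroupRoleAttributes();
            String memberAttribute = configProps.getGroupUserAttributes();

            // Attributes.get returns null for an attribute the entry does not carry. Skip that
            // entry instead of failing the whole bulk search with a NullPointerException.
            if (attributes.get(roleAttribute) == null || attributes.get(memberAttribute) == null) {
                log.warn("Skipping group entry without '{}' or '{}' attribute", roleAttribute, memberAttribute);
                return members;
            }

            Role role = new Role(attributes.get(roleAttribute).get().toString()).setSource(Role.Source.LDAP);
            NamingEnumeration<?> values = attributes.get(memberAttribute).getAll();
            while (values.hasMore()) {
                String memberDn = values.next().toString();
                try {
                    // The first pattern argument is taken to be the user id.
                    // NOTE(review): the id is later compared with Set.contains, which is
                    // case-sensitive, while directory values often are not -- confirm that ids are
                    // normalised before they reach this provider.
                    members.add(Pair.of(String.valueOf(configProps.getUserDnPattern().parse(memberDn)[0]), role));
                } catch (ParseException e) {
                    // A member that does not match the pattern is dropped, so it grants no role.
                    // Record it through the logger rather than printStackTrace() so the drop is
                    // visible in the service log.
                    log.warn("Ignoring group member that does not match the user DN pattern: {}", memberDn, e);
                }
            }
            return members;
        }
    }

    /**
     * Loads the roles of a single user with one group search.
     *
     * @param externalUser the user whose id is resolved to a DN and searched for in groups
     * @return the user's LDAP roles; empty when no group search base is configured or the user's
     *     DN cannot be resolved
     */
    public List<Role> loadRoles(ExternalUser externalUser) {
        String id = externalUser.getId();
        log.debug("loadRoles for user {}", id);
        if (StringUtils.isEmpty(this.configProps.getGroupSearchBase())) {
            return new ArrayList<>();
        }
        String userFullDn = getUserFullDn(id);
        if (userFullDn == null) {
            log.debug("fullUserDn is null for {}", id);
            return new ArrayList<>();
        }
        // Filter arguments: {0} is the full user DN, {1} is the bare user id.
        String[] params = {userFullDn, id};
        if (log.isDebugEnabled()) {
            log.debug(
                    "Searching for groups using \ngroupSearchBase: {}\ngroupSearchFilter: {}\nparams: {}\ngroupRoleAttributes: {}",
                    this.configProps.getGroupSearchBase(),
                    this.configProps.getGroupSearchFilter(),
                    StringUtils.join(params, " :: "),
                    this.configProps.getGroupRoleAttributes());
        }
        Set<String> roleNames = this.ldapTemplate.searchForSingleAttributeValues(
                this.configProps.getGroupSearchBase(),
                this.configProps.getGroupSearchFilter(),
                params,
                this.configProps.getGroupRoleAttributes());
        log.debug("Got roles for user {}: {}", id, roleNames);
        return roleNames.stream()
                .map(name -> new Role(name).setSource(Role.Source.LDAP))
                .collect(Collectors.toList());
    }

    /**
     * Loads roles for many users at once.
     *
     * <p>Up to {@code getThresholdToUseGroupMembership()} users, or when no group member attribute
     * is configured, each user is looked up individually through {@link #loadRoles}. Above the
     * threshold a single search fetches every group (the filter arguments are replaced by
     * {@code *}) and membership is matched in memory against the requested ids.
     *
     * @param collection the users to resolve
     * @return roles keyed by user id; in the bulk path users without any group are absent from
     *     the map
     */
    public Map<String, Collection<Role>> multiLoadRoles(Collection<ExternalUser> collection) {
        if (StringUtils.isEmpty(this.configProps.getGroupSearchBase())) {
            return new HashMap<>();
        }
        boolean bulkLookup = collection.size() > this.configProps.getThresholdToUseGroupMembership()
                && StringUtils.isNotEmpty(this.configProps.getGroupUserAttributes());
        if (!bulkLookup) {
            return collection.stream()
                    .map(user -> new ExternalUser().setId(user.getId()).setExternalRoles(loadRoles(user)))
                    .collect(Collectors.toMap(ExternalUser::getId, ExternalUser::getExternalRoles));
        }
        Set<String> requestedIds = collection.stream().map(ExternalUser::getId).collect(Collectors.toSet());
        // The wildcard arguments make the configured filter match every group, so this reads the
        // whole group subtree in one query. Only pairs whose id was requested are kept.
        return this.ldapTemplate
                .search(
                        this.configProps.getGroupSearchBase(),
                        MessageFormat.format(this.configProps.getGroupSearchFilter(), "*", "*"),
                        new UserGroupMapper())
                .stream()
                .flatMap(List::stream)
                .filter(pair -> requestedIds.contains(pair.getKey()))
                .collect(Collectors.groupingBy(
                        Pair::getKey,
                        Collectors.mapping(Pair::getValue, Collectors.toCollection(ArrayList::new))));
    }

    /**
     * Builds the full DN of a user: the root DN from the LDAP URL followed by the user portion.
     *
     * <p>The user portion comes from the user DN pattern when no user search filter is
     * configured, otherwise from a directory search that must return exactly one entry.
     *
     * @param str the user id
     * @return the full DN, or {@code null} when the search does not yield exactly one entry or
     *     the DN cannot be assembled
     */
    private String getUserFullDn(String str) {
        String userPortion;
        DistinguishedName rootDn = new DistinguishedName(LdapUtils.parseRootDnFromUrl(this.configProps.getUrl()));
        log.debug("Root DN: {}", rootDn);
        // The id is escaped for use inside a DN so that DN metacharacters in it cannot change
        // the structure of the name built from the pattern.
        String[] encodedId = {LdapEncoder.nameEncode(str)};
        if (StringUtils.isEmpty(this.configProps.getUserSearchFilter())) {
            // NOTE(review): MessageFormat is not synchronized; if getUserDnPattern() returns a
            // shared instance and lookups run concurrently, confirm access is serialised.
            userPortion = this.configProps.getUserDnPattern().format(encodedId);
        } else {
            try {
                // NOTE(review): the same DN-escaped value is used as a search-filter argument.
                // DN escaping and filter escaping differ, so ids containing DN metacharacters
                // may not match here -- confirm which encoding this search path expects.
                userPortion = this.ldapTemplate
                        .searchForSingleEntry(
                                this.configProps.getUserSearchBase(),
                                this.configProps.getUserSearchFilter(),
                                encodedId)
                        .getDn()
                        .toString();
            } catch (IncorrectResultSizeDataAccessException e) {
                log.error("Unable to find a single user entry", e);
                return null;
            }
        }
        DistinguishedName userDn = new DistinguishedName(userPortion);
        log.debug("User portion: {}", userDn);
        try {
            Name fullDn = rootDn.addAll(userDn);
            log.debug("Full user DN: {}", fullDn);
            return fullDn.toString();
        } catch (InvalidNameException e) {
            log.error("Could not assemble full userDn", e);
            return null;
        }
    }

    /**
     * Replaces the injected LDAP template.
     *
     * @param springSecurityLdapTemplate the template used for all directory searches
     * @return this provider, for chaining
     */
    public LdapUserRolesProvider setLdapTemplate(SpringSecurityLdapTemplate springSecurityLdapTemplate) {
        this.ldapTemplate = springSecurityLdapTemplate;
        return this;
    }

    /**
     * Replaces the injected LDAP configuration.
     *
     * @param configProps search bases, filters and attribute names used by this provider
     * @return this provider, for chaining
     */
    public LdapUserRolesProvider setConfigProps(LdapConfig.ConfigProps configProps) {
        this.configProps = configProps;
        return this;
    }
}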
