package com.netflix.spinnaker.fiat.roles.ldap;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.Iterables;
import com.netflix.spinnaker.fiat.config.LdapConfig;
import com.netflix.spinnaker.fiat.model.resources.Role;
import com.netflix.spinnaker.fiat.permissions.ExternalUser;
import com.netflix.spinnaker.fiat.roles.BaseUserRolesProvider;
import java.text.MessageFormat;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import javax.naming.InvalidNameException;
import javax.naming.Name;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.dao.IncorrectResultSizeDataAccessException;
import org.springframework.ldap.control.PagedResultsCookie;
import org.springframework.ldap.control.PagedResultsDirContextProcessor;
import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.ContextMapper;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DistinguishedName;
import org.springframework.ldap.support.LdapEncoder;
import org.springframework.ldap.support.LdapNameBuilder;
import org.springframework.security.ldap.LdapUtils;
import org.springframework.security.ldap.SpringSecurityLdapTemplate;
import org.springframework.stereotype.Component;

@ConditionalOnProperty(value = {"auth.group-membership.service"}, havingValue = "ldap")
@Component
/* loaded from: input_file:com/netflix/spinnaker/fiat/roles/ldap/LdapUserRolesProvider.class */
public class LdapUserRolesProvider extends BaseUserRolesProvider {
    private static final Logger log = LoggerFactory.getLogger(LdapUserRolesProvider.class);

    @Autowired
    private SpringSecurityLdapTemplate ldapTemplate;
    private LdapConfig.ConfigProps configProps;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/netflix/spinnaker/fiat/roles/ldap/LdapUserRolesProvider$UserDNMapper.class */
    public class UserDNMapper implements ContextMapper<Pair<String, String>> {
        UserDNMapper() {
        }

        /* renamed from: mapFromContext, reason: merged with bridge method [inline-methods] */
        public Pair<String, String> m1mapFromContext(Object obj) {
            DirContextAdapter dirContextAdapter = (DirContextAdapter) obj;
            String lowerCase = LdapNameBuilder.newInstance(LdapUtils.parseRootDnFromUrl(LdapUserRolesProvider.this.configProps.getUrl())).add(dirContextAdapter.getDn()).build().toString().toLowerCase();
            String lowerCase2 = dirContextAdapter.getStringAttribute(LdapUserRolesProvider.this.configProps.getUserIdAttribute()).toLowerCase();
            LdapUserRolesProvider.log.trace("Fetched user DN {} for user id {}", lowerCase, lowerCase2);
            return Pair.of(lowerCase, lowerCase2);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/netflix/spinnaker/fiat/roles/ldap/LdapUserRolesProvider$UserGroupMapper.class */
    public class UserGroupMapper implements AttributesMapper<List<Pair<String, Role>>> {
        UserGroupMapper() {
        }

        /* renamed from: mapFromAttributes, reason: merged with bridge method [inline-methods] */
        public List<Pair<String, Role>> m2mapFromAttributes(Attributes attributes) throws NamingException {
            String obj = attributes.get(LdapUserRolesProvider.this.configProps.getGroupRoleAttributes()).get().toString();
            Role source = new Role(obj).setSource(Role.Source.LDAP);
            ArrayList arrayList = new ArrayList();
            LdapUserRolesProvider.log.debug("Parsing out members of the LDAP group {} using attributes {}", obj, LdapUserRolesProvider.this.configProps.getGroupUserAttributes());
            NamingEnumeration all = attributes.get(LdapUserRolesProvider.this.configProps.getGroupUserAttributes()).getAll();
            while (all.hasMore()) {
                try {
                    String user = getUser(all.next().toString());
                    arrayList.add(Pair.of(user, source));
                    LdapUserRolesProvider.log.trace("Found user {} for the ldap group {}", user, obj);
                } catch (ParseException e) {
                    e.printStackTrace();
                }
            }
            LdapUserRolesProvider.log.debug("Found following member role pairs for the group {}: {}", obj, arrayList);
            return arrayList;
        }

        private String getUser(String str) throws ParseException {
            return LdapUserRolesProvider.this.configProps.isEnableDnBasedMultiLoad() ? str.toLowerCase() : String.valueOf(LdapUserRolesProvider.this.configProps.getUserDnPattern().parse(str)[0]);
        }
    }

    @Autowired
    public void setConfigProps(LdapConfig.ConfigProps configProps) {
        this.configProps = configProps;
        super.setProviderCacheConfig(configProps.getCache());
    }

    protected List<Role> loadRolesForUser(ExternalUser externalUser) {
        String id = externalUser.getId();
        log.debug("loadRoles for user " + id);
        if (StringUtils.isEmpty(this.configProps.getGroupSearchBase())) {
            return new ArrayList();
        }
        String userFullDn = getUserFullDn(id);
        if (userFullDn == null) {
            log.debug("fullUserDn is null for {}", id);
            return new ArrayList();
        }
        String[] strArr = {userFullDn, id};
        if (log.isDebugEnabled()) {
            log.debug("Searching for groups using \ngroupSearchBase: " + this.configProps.getGroupSearchBase() + "\ngroupSearchFilter: " + this.configProps.getGroupSearchFilter() + "\nparams: " + StringUtils.join(strArr, " :: ") + "\ngroupRoleAttributes: " + this.configProps.getGroupRoleAttributes());
        }
        Set searchForSingleAttributeValues = this.ldapTemplate.searchForSingleAttributeValues(this.configProps.getGroupSearchBase(), this.configProps.getGroupSearchFilter(), strArr, this.configProps.getGroupRoleAttributes());
        log.debug("Got roles for user " + id + ": " + searchForSingleAttributeValues);
        return (List) searchForSingleAttributeValues.stream().map(str -> {
            return new Role(str).setSource(Role.Source.LDAP);
        }).collect(Collectors.toList());
    }

    protected Map<String, Collection<Role>> loadRolesForUsers(Collection<ExternalUser> collection) {
        if (StringUtils.isEmpty(this.configProps.getGroupSearchBase())) {
            return (Map) collection.stream().collect(Collectors.toMap((v0) -> {
                return v0.getId();
            }, externalUser -> {
                return new ArrayList();
            }));
        }
        if (collection.size() <= this.configProps.getThresholdToUseGroupMembership() || !StringUtils.isNotEmpty(this.configProps.getGroupUserAttributes())) {
            log.info("Querying individual groups memberships for {} users", Integer.valueOf(collection.size()));
            return (Map) collection.stream().map(externalUser2 -> {
                return new ExternalUser().setId(externalUser2.getId()).setExternalRoles(loadRoles(externalUser2));
            }).collect(Collectors.toMap((v0) -> {
                return v0.getId();
            }, (v0) -> {
                return v0.getExternalRoles();
            }));
        }
        log.info("Querying all groups to get a mapping of user to its roles.");
        if (this.configProps.isEnableDnBasedMultiLoad()) {
            return multiLoadDnBasedRoles(collection);
        }
        Set set = (Set) collection.stream().map((v0) -> {
            return v0.getId();
        }).collect(Collectors.toSet());
        return (Map) this.ldapTemplate.search(this.configProps.getGroupSearchBase(), MessageFormat.format(this.configProps.getGroupSearchFilter(), "*", "*"), new UserGroupMapper()).stream().flatMap((v0) -> {
            return v0.stream();
        }).filter(pair -> {
            return set.contains(pair.getKey());
        }).collect(Collectors.groupingBy((v0) -> {
            return v0.getKey();
        }, Collectors.mapping((v0) -> {
            return v0.getValue();
        }, Collectors.toCollection(ArrayList::new))));
    }

    private Map<String, Collection<Role>> multiLoadDnBasedRoles(Collection<ExternalUser> collection) {
        Map<String, String> userDNs = getUserDNs((Set) collection.stream().map(externalUser -> {
            return externalUser.getId().toLowerCase();
        }).collect(Collectors.toSet()));
        Map<String, Collection<Role>> doMultiLoadRolesPaginated = this.configProps.isEnablePagingForGroupMembershipQueries() ? doMultiLoadRolesPaginated(userDNs.keySet()) : doMultiLoadRoles(userDNs.keySet());
        HashMap hashMap = new HashMap();
        doMultiLoadRolesPaginated.keySet().forEach(str -> {
            hashMap.merge((String) userDNs.get(str), (Collection) doMultiLoadRolesPaginated.get(str), (collection2, collection3) -> {
                return new ArrayList(new HashSet<Role>() { // from class: com.netflix.spinnaker.fiat.roles.ldap.LdapUserRolesProvider.1
                    {
                        addAll(collection2);
                        addAll(collection3);
                    }
                });
            });
        });
        collection.forEach(externalUser2 -> {
            hashMap.putIfAbsent(externalUser2.getId(), new ArrayList());
        });
        return hashMap;
    }

    @VisibleForTesting
    String getUserFullDn(String str) {
        String obj;
        DistinguishedName distinguishedName = new DistinguishedName(LdapUtils.parseRootDnFromUrl(this.configProps.getUrl()));
        log.debug("Root DN: " + distinguishedName.toString());
        String[] strArr = {LdapEncoder.nameEncode(str)};
        if (StringUtils.isEmpty(this.configProps.getUserSearchFilter())) {
            obj = this.configProps.getUserDnPattern().format(strArr);
        } else {
            try {
                obj = this.ldapTemplate.searchForSingleEntry(this.configProps.getUserSearchBase(), this.configProps.getUserSearchFilter(), strArr).getDn().toString();
            } catch (IncorrectResultSizeDataAccessException e) {
                log.error("Unable to find a single user entry for {}", str, e);
                return null;
            }
        }
        DistinguishedName distinguishedName2 = new DistinguishedName(obj);
        log.debug("User portion: " + distinguishedName2.toString());
        try {
            Name addAll = distinguishedName.addAll(distinguishedName2);
            log.debug("Full user DN: " + addAll.toString());
            return addAll.toString();
        } catch (InvalidNameException e2) {
            log.error("Could not assemble full userDn", e2);
            return null;
        }
    }

    @VisibleForTesting
    Map<String, String> getUserDNs(Collection<String> collection) {
        log.info("Loading distinguished names for {} users", Integer.valueOf(collection.size()));
        log.debug("Fetching distinguished names for the following users: {}", collection);
        HashMap hashMap = new HashMap();
        UserDNMapper userDNMapper = new UserDNMapper();
        if (StringUtils.isNotEmpty(this.configProps.getUserSearchFilter())) {
            log.debug("Fetching user DNs from LDAP since user search filter is set to {}", this.configProps.getUserSearchFilter());
            Iterables.partition(collection, this.configProps.getLoadUserDNsBatchSize()).forEach(list -> {
                log.debug("Processing the following batch of users: {}", list);
                String format = String.format("(|%s)", String.join("", (List) list.stream().map(str -> {
                    return MessageFormat.format(this.configProps.getUserSearchFilter(), str);
                }).collect(Collectors.toList())));
                log.trace("LDAP query filter used for fetching the DNs: {}", format);
                List search = this.ldapTemplate.search(this.configProps.getUserSearchBase(), format, userDNMapper);
                log.trace("Fetched the following user id DN pairs from LDAP: {}", search);
                search.forEach(pair -> {
                    hashMap.put((String) pair.getKey(), (String) pair.getValue());
                });
            });
        } else {
            log.debug("Building user DN from LDAP since user search filter is empty");
            collection.forEach(str -> {
                hashMap.put(getUserFullDn(str), str);
            });
        }
        log.debug("Loaded {} user DNs", Integer.valueOf(hashMap.size()));
        return hashMap;
    }

    @VisibleForTesting
    Map<String, Collection<Role>> doMultiLoadRoles(Collection<String> collection) {
        log.info("Multi-loading LDAP roles for {} users", Integer.valueOf(collection.size()));
        log.debug("Multi-loading LDAP roles for following users: {}", collection);
        Map<String, Collection<Role>> map = (Map) this.ldapTemplate.search(this.configProps.getGroupSearchBase(), MessageFormat.format(this.configProps.getGroupSearchFilter(), "*", "*"), new UserGroupMapper()).stream().flatMap((v0) -> {
            return v0.stream();
        }).filter(pair -> {
            return collection.contains(pair.getKey());
        }).collect(Collectors.groupingBy((v0) -> {
            return v0.getKey();
        }, Collectors.mapping((v0) -> {
            return v0.getValue();
        }, Collectors.toCollection(ArrayList::new))));
        log.trace("Loaded the following {} user role mappings: {}", Integer.valueOf(map.size()), map);
        log.info("Multi-loaded roles for {} users", Integer.valueOf(map.size()));
        return map;
    }

    @VisibleForTesting
    Map<String, Collection<Role>> doMultiLoadRolesPaginated(Collection<String> collection) {
        log.info("Multi-loading LDAP roles for {} users having pagination enabled with a page size of {}", Integer.valueOf(collection.size()), Integer.valueOf(this.configProps.getPageSizeForGroupMembershipQueries()));
        log.debug("Multi-loading LDAP roles for following users using pagination: {}", collection);
        PagedResultsDirContextProcessor pagedResultsDirContextProcessor = getPagedResultsDirContextProcessor(this.configProps.getPageSizeForGroupMembershipQueries());
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(2);
        int i = 1;
        HashMap hashMap = new HashMap();
        do {
            log.debug("Processing page {} when querying ldap groups", Integer.valueOf(i));
            Map map = (Map) this.ldapTemplate.search(this.configProps.getGroupSearchBase(), MessageFormat.format(this.configProps.getGroupSearchFilter(), "*", "*"), searchControls, new UserGroupMapper(), pagedResultsDirContextProcessor).stream().flatMap((v0) -> {
                return v0.stream();
            }).filter(pair -> {
                return collection.contains(pair.getKey());
            }).collect(Collectors.groupingBy((v0) -> {
                return v0.getKey();
            }, Collectors.mapping((v0) -> {
                return v0.getValue();
            }, Collectors.toCollection(ArrayList::new))));
            log.trace("Loaded the following {} user role mappings in page {}: {}", new Object[]{Integer.valueOf(map.size()), Integer.valueOf(i), map});
            map.forEach((str, collection2) -> {
                ((Collection) hashMap.computeIfAbsent(str, str -> {
                    return new ArrayList();
                })).addAll(collection2);
            });
            i++;
        } while (pagedResultsDirContextProcessor.hasMore());
        log.trace("Loaded the following {} user role mappings: {}", Integer.valueOf(hashMap.size()), hashMap);
        log.info("Multi-loaded roles for {} users using pagination", Integer.valueOf(hashMap.size()));
        return hashMap;
    }

    @VisibleForTesting
    PagedResultsDirContextProcessor getPagedResultsDirContextProcessor(int i) {
        return new PagedResultsDirContextProcessor(i, (PagedResultsCookie) null);
    }

    public LdapUserRolesProvider setLdapTemplate(SpringSecurityLdapTemplate springSecurityLdapTemplate) {
        this.ldapTemplate = springSecurityLdapTemplate;
        return this;
    }
}
