package io.vertigo.account.plugins.identityprovider.ldap;

import io.vertigo.account.impl.account.AccountMapperHelper;
import io.vertigo.account.impl.identityprovider.IdentityProviderPlugin;
import io.vertigo.app.Home;
import io.vertigo.commons.codec.CodecManager;
import io.vertigo.core.component.Activeable;
import io.vertigo.dynamo.domain.metamodel.DtDefinition;
import io.vertigo.dynamo.domain.metamodel.DtField;
import io.vertigo.dynamo.domain.metamodel.FormatterException;
import io.vertigo.dynamo.domain.model.Entity;
import io.vertigo.dynamo.domain.model.URI;
import io.vertigo.dynamo.domain.util.DtObjectUtil;
import io.vertigo.dynamo.file.model.VFile;
import io.vertigo.dynamo.impl.file.model.StreamFile;
import io.vertigo.lang.Assertion;
import io.vertigo.lang.WrappedException;
import java.io.ByteArrayInputStream;
import java.io.Serializable;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Hashtable;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import javax.inject.Inject;
import javax.inject.Named;
import javax.naming.CommunicationException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:io/vertigo/account/plugins/identityprovider/ldap/LdapIdentityProviderPlugin.class */
public final class LdapIdentityProviderPlugin implements IdentityProviderPlugin, Activeable {
    private static final int MAX_ROWS = 500;
    private static final String LDAP_PHOTO_MIME_TYPE = "image/jpeg";
    private static final String PHOTO_RESERVED_FIELD = "photo";
    private static final Logger LOGGER = LogManager.getLogger(LdapIdentityProviderPlugin.class);
    private static final String DEFAULT_CONTEXT_FACTORY_CLASS_NAME = "com.sun.jndi.ldap.LdapCtxFactory";
    private static final String SIMPLE_AUTHENTICATION_MECHANISM_NAME = "simple";
    private static final String DEFAULT_REFERRAL = "follow";
    private final CodecManager codecManager;
    private final String ldapServer;
    private final String ldapAccountBaseDn;
    private final String ldapReaderLogin;
    private final String ldapReaderPassword;
    private final String ldapUserAuthAttribute;
    private final String userDtDefinitionName;
    private final String ldapUserAttributeMappingStr;
    private AccountMapperHelper<String, DtField> mapperHelper;

    @Inject
    public LdapIdentityProviderPlugin(@Named("ldapServerHost") String str, @Named("ldapServerPort") String str2, @Named("ldapAccountBaseDn") String str3, @Named("ldapReaderLogin") String str4, @Named("ldapReaderPassword") String str5, @Named("ldapUserAuthAttribute") String str6, @Named("userDtDefinitionName") String str7, @Named("ldapUserAttributeMapping") String str8, CodecManager codecManager) {
        Assertion.checkArgNotEmpty(str);
        Assertion.checkArgNotEmpty(str2);
        Assertion.checkArgNotEmpty(str3);
        Assertion.checkArgNotEmpty(str4);
        Assertion.checkNotNull(str5);
        Assertion.checkArgNotEmpty(str6);
        Assertion.checkArgNotEmpty(str7);
        Assertion.checkArgNotEmpty(str8);
        Assertion.checkNotNull(codecManager);
        this.ldapServer = str + ":" + str2;
        this.ldapAccountBaseDn = str3;
        this.ldapReaderLogin = str4;
        this.ldapReaderPassword = str5;
        this.ldapUserAuthAttribute = str6;
        this.userDtDefinitionName = str7;
        this.ldapUserAttributeMappingStr = str8;
        this.codecManager = codecManager;
    }

    public void start() {
        this.mapperHelper = new AccountMapperHelper(Home.getApp().getDefinitionSpace().resolve(this.userDtDefinitionName, DtDefinition.class), this.ldapUserAttributeMappingStr).withReservedDestField(PHOTO_RESERVED_FIELD).parseAttributeMapping();
    }

    public void stop() {
    }

    @Override // io.vertigo.account.impl.identityprovider.IdentityProviderPlugin
    public <E extends Entity> E getUserByAuthToken(String str) {
        LdapContext createLdapContext = createLdapContext(this.ldapReaderLogin, this.ldapReaderPassword);
        try {
            E e = (E) getUserByAuthToken(str, createLdapContext);
            closeLdapContext(createLdapContext);
            return e;
        } catch (Throwable th) {
            closeLdapContext(createLdapContext);
            throw th;
        }
    }

    @Override // io.vertigo.account.impl.identityprovider.IdentityProviderPlugin
    public long getUsersCount() {
        throw new UnsupportedOperationException("Can't count all account from LDAP : anti-spooffing protections");
    }

    @Override // io.vertigo.account.impl.identityprovider.IdentityProviderPlugin
    public <E extends Entity> List<E> getAllUsers() {
        LdapContext createLdapContext = createLdapContext(this.ldapReaderLogin, this.ldapReaderPassword);
        try {
            return searchUser("(cn=*)", MAX_ROWS, createLdapContext);
        } finally {
            closeLdapContext(createLdapContext);
        }
    }

    @Override // io.vertigo.account.impl.identityprovider.IdentityProviderPlugin
    public <E extends Entity> Optional<VFile> getPhoto(URI<E> uri) {
        LdapContext createLdapContext = createLdapContext(this.ldapReaderLogin, this.ldapReaderPassword);
        try {
            Optional<VFile> parseOptionalVFile = parseOptionalVFile(getLdapAttributes(uri.getId(), Collections.singleton(this.mapperHelper.getReservedSourceAttribute(PHOTO_RESERVED_FIELD)), createLdapContext));
            closeLdapContext(createLdapContext);
            return parseOptionalVFile;
        } catch (Throwable th) {
            closeLdapContext(createLdapContext);
            throw th;
        }
    }

    private Entity getUserByAuthToken(String str, LdapContext ldapContext) {
        List<Attributes> searchLdapAttributes = searchLdapAttributes(this.ldapAccountBaseDn, "(&(" + this.ldapUserAuthAttribute + "=" + protectLdap(str) + "))", 2, this.mapperHelper.sourceAttributes(), ldapContext);
        Assertion.checkState(!searchLdapAttributes.isEmpty(), "Can't found any user with authToken : {0}", new Object[]{this.ldapUserAuthAttribute});
        Assertion.checkState(searchLdapAttributes.size() == 1, "Too many user with same authToken ({0} shoud be unique)", new Object[]{this.ldapUserAuthAttribute});
        return parseUser(searchLdapAttributes.get(0));
    }

    private <E extends Entity> List<E> searchUser(String str, int i, LdapContext ldapContext) {
        return (List) searchLdapAttributes(this.ldapAccountBaseDn, str, i, this.mapperHelper.sourceAttributes(), ldapContext).stream().map(this::parseUser).collect(Collectors.toList());
    }

    private Attributes getLdapAttributes(Serializable serializable, Set<String> set, LdapContext ldapContext) {
        List<Attributes> searchLdapAttributes = searchLdapAttributes(this.ldapAccountBaseDn, "(" + this.mapperHelper.getSourceIdField() + "=" + serializable + ")", 2, set, ldapContext);
        Assertion.checkState(!searchLdapAttributes.isEmpty(), "Can't found any user with id : {0}", new Object[]{serializable});
        Assertion.checkState(searchLdapAttributes.size() == 1, "Too many user with same id ({0} shoud be unique)", new Object[]{serializable});
        return searchLdapAttributes.get(0);
    }

    private Optional<VFile> parseOptionalVFile(Attributes attributes) {
        String parseNullableAttribute = parseNullableAttribute(this.mapperHelper.getReservedSourceAttribute(PHOTO_RESERVED_FIELD), attributes);
        return parseNullableAttribute == null ? Optional.empty() : Optional.of(base64toVFile("photo-" + parseAttribute(this.mapperHelper.getSourceIdField(), attributes), parseNullableAttribute));
    }

    private static String parseAttribute(String str, Attributes attributes) {
        try {
            return String.valueOf(attributes.get(str).get());
        } catch (NamingException e) {
            throw WrappedException.wrap(e, "Ldap attribute {0} not found or empty", new Object[]{str});
        }
    }

    private static String parseNullableAttribute(String str, Attributes attributes) {
        Attribute attribute;
        if (str == null || (attribute = attributes.get(str)) == null) {
            return null;
        }
        try {
            Object obj = attribute.get();
            Assertion.checkNotNull(obj);
            return String.valueOf(obj);
        } catch (NamingException e) {
            throw WrappedException.wrap(e, "Ldap attribute {0} found, but is empty", new Object[]{str});
        }
    }

    private VFile base64toVFile(String str, String str2) {
        byte[] bArr = (byte[]) this.codecManager.getBase64Codec().decode(str2);
        return new StreamFile(str, LDAP_PHOTO_MIME_TYPE, Instant.now(), bArr.length, () -> {
            return new ByteArrayInputStream(bArr);
        });
    }

    private LdapContext createLdapContext(String str, String str2) {
        Hashtable hashtable = new Hashtable();
        hashtable.put("java.naming.factory.initial", DEFAULT_CONTEXT_FACTORY_CLASS_NAME);
        hashtable.put("java.naming.referral", DEFAULT_REFERRAL);
        hashtable.put("java.naming.security.authentication", SIMPLE_AUTHENTICATION_MECHANISM_NAME);
        hashtable.put("java.naming.provider.url", "ldap://" + this.ldapServer);
        if (str2 != null) {
            hashtable.put("java.naming.security.principal", str);
            hashtable.put("java.naming.security.credentials", str2);
        } else {
            hashtable.put("java.naming.security.authentication", "none");
        }
        try {
            return new InitialLdapContext(hashtable, (Control[]) null);
        } catch (CommunicationException e) {
            throw WrappedException.wrap(e, "Can't connect to LDAP : {0} ", new Object[]{this.ldapServer});
        } catch (NamingException e2) {
            throw WrappedException.wrap(e2, "Can't connect user : {0} ", new Object[]{str});
        }
    }

    private static String protectLdap(String str) {
        return EsapiLdapEncoder.encodeForDN(str);
    }

    private static void closeLdapContext(LdapContext ldapContext) {
        try {
            ldapContext.close();
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("LDAP connection successfully \"" + ldapContext.toString() + "\" ");
            }
        } catch (NamingException e) {
            throw WrappedException.wrap(e, "Error when closing LdapContext", new Object[0]);
        }
    }

    private Entity parseUser(Attributes attributes) {
        try {
            Entity entity = (Entity) Entity.class.cast(DtObjectUtil.createDtObject(this.mapperHelper.getDestDefinition()));
            for (DtField dtField : this.mapperHelper.destAttributes()) {
                String parseNullableAttribute = parseNullableAttribute(this.mapperHelper.getSourceAttribute(dtField), attributes);
                if (parseNullableAttribute != null) {
                    setTypedValue(dtField, entity, parseNullableAttribute);
                }
            }
            return entity;
        } catch (FormatterException e) {
            throw WrappedException.wrap(e, "Can't parse Account from LDAP", new Object[0]);
        }
    }

    private static void setTypedValue(DtField dtField, Entity entity, String str) throws FormatterException {
        dtField.getDataAccessor().setValue(entity, (Serializable) dtField.getDomain().stringToValue(str));
    }

    private static List<Attributes> searchLdapAttributes(String str, String str2, int i, Collection<String> collection, LdapContext ldapContext) {
        ArrayList arrayList = new ArrayList();
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(2);
        searchControls.setReturningAttributes(buildReturingAttributes(collection));
        searchControls.setCountLimit(i);
        try {
            NamingEnumeration search = ldapContext.search(str, str2, searchControls);
            while (search.hasMore()) {
                arrayList.add(((SearchResult) search.next()).getAttributes());
            }
            return arrayList;
        } catch (NamingException e) {
            throw WrappedException.wrap(e, "Can't search LDAP user with request: {0}", new Object[]{str2});
        }
    }

    private static String[] buildReturingAttributes(Collection<String> collection) {
        Assertion.checkNotNull(collection);
        return (String[]) collection.toArray(new String[collection.size()]);
    }
}
