package org.apereo.cas.config;

import com.google.common.base.Predicates;
import com.google.common.collect.Lists;
import java.time.Period;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import javax.annotation.PostConstruct;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.LdapAuthenticationHandler;
import org.apereo.cas.authentication.principal.PrincipalResolver;
import org.apereo.cas.authentication.support.DefaultAccountStateHandler;
import org.apereo.cas.authentication.support.LdapPasswordPolicyConfiguration;
import org.apereo.cas.authentication.support.OptionalWarningAccountStateHandler;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.support.ldap.LdapAuthenticationProperties;
import org.apereo.cas.configuration.support.Beans;
import org.apereo.cas.services.ServicesManager;
import org.ldaptive.auth.AuthenticationResponseHandler;
import org.ldaptive.auth.Authenticator;
import org.ldaptive.auth.FormatDnResolver;
import org.ldaptive.auth.PooledBindAuthenticationHandler;
import org.ldaptive.auth.PooledCompareAuthenticationHandler;
import org.ldaptive.auth.PooledSearchDnResolver;
import org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler;
import org.ldaptive.auth.ext.EDirectoryAuthenticationResponseHandler;
import org.ldaptive.auth.ext.FreeIPAAuthenticationResponseHandler;
import org.ldaptive.auth.ext.PasswordExpirationAuthenticationResponseHandler;
import org.ldaptive.auth.ext.PasswordPolicyAuthenticationResponseHandler;
import org.ldaptive.control.PasswordPolicyControl;
import org.ldaptive.control.RequestControl;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Configuration;

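/**
 * Spring configuration that builds one {@link LdapAuthenticationHandler} per LDAP entry found under
 * {@code cas.authn.ldap} and registers it, together with the principal resolver it should use, in the
 * shared {@code authenticationHandlersResolvers} map.
 *
 * <p>Entries that lack a type, a base DN or an LDAP URL are skipped with a warning. A handler that
 * retrieves attributes itself (additional attributes or a principal attribute list are configured) is
 * registered with a {@code null} resolver; otherwise it delegates to the person-directory resolver.
 */
@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration("ldapAuthenticationConfiguration")
public class LdapAuthenticationConfiguration {
    private static final Logger LOGGER = LoggerFactory.getLogger(LdapAuthenticationConfiguration.class);

    /** Separator between the LDAP attribute name and the principal attribute name in a {@code principalAttributeList} entry. */
    private static final String ATTRIBUTE_MAPPING_SEPARATOR = ":";

    @Autowired
    private CasConfigurationProperties casProperties;

    @Autowired
    @Qualifier("personDirectoryPrincipalResolver")
    private PrincipalResolver personDirectoryPrincipalResolver;

    /** Shared handler-to-resolver registry. Left raw because the bean is declared (and typed) elsewhere. */
    @Autowired
    @Qualifier("authenticationHandlersResolvers")
    private Map authenticationHandlersResolvers;

    @Autowired
    @Qualifier("servicesManager")
    private ServicesManager servicesManager;

    /**
     * Builds, initializes and registers an LDAP authentication handler for every usable LDAP entry.
     * Runs once after dependency injection has completed.
     */
    @PostConstruct
    public void initLdapAuthenticationHandlers() {
        this.casProperties.getAuthn().getLdap().stream()
                .filter(LdapAuthenticationConfiguration::isUsable)
                .forEach(this::registerHandler);
    }

    /**
     * Checks that an LDAP entry carries the minimum settings needed to build an authenticator.
     * Every missing setting is logged at WARN so a mis-configured entry does not disappear silently.
     *
     * @param props the LDAP entry to check
     * @return {@code true} when type, baseDn and ldapUrl are all present
     */
    private static boolean isUsable(final LdapAuthenticationProperties props) {
        if (props.getType() == null) {
            LOGGER.warn("Skipping ldap authentication entry since no type is defined");
            return false;
        }
        if (props.getBaseDn() == null) {
            LOGGER.warn("Skipping ldap authentication entry since no baseDn is defined");
            return false;
        }
        if (props.getLdapUrl() == null) {
            LOGGER.warn("Skipping ldap authentication entry since no ldap url is defined");
            return false;
        }
        return true;
    }

    /**
     * Builds, initializes and registers the handler for a single LDAP entry.
     *
     * @param props a usable LDAP entry (see {@link #isUsable})
     */
    @SuppressWarnings("unchecked") // authenticationHandlersResolvers is a raw Map; see the field comment
    private void registerHandler(final LdapAuthenticationProperties props) {
        LOGGER.debug("Creating ldap authentication handler for {}", props.getLdapUrl());
        final LdapAuthenticationHandler handler = new LdapAuthenticationHandler();
        handler.setServicesManager(this.servicesManager);

        // The principal id attribute has to be fetched along with the configured additional attributes.
        final List<String> attributes = new ArrayList<>(props.getAdditionalAttributes());
        if (StringUtils.isNotBlank(props.getPrincipalAttributeId())) {
            attributes.add(props.getPrincipalAttributeId());
        }
        handler.setAdditionalAttributes(attributes);
        handler.setAllowMultiplePrincipalAttributeValues(props.isAllowMultiplePrincipalAttributeValues());
        handler.setPasswordEncoder(Beans.newPasswordEncoder(props.getPasswordEncoder()));
        handler.setPrincipalNameTransformer(Beans.newPrincipalNameTransformer(props.getPrincipalTransformation()));
        configureCredentialCriteria(handler, props);

        final Map<String, String> attributeMap = buildPrincipalAttributeMap(props);
        handler.setPrincipalAttributeMap(attributeMap);
        LOGGER.debug("Ldap authentication for {} is configured with principal attributes {}...", props.getLdapUrl(), attributeMap);

        if (StringUtils.isBlank(props.getPrincipalAttributeId())) {
            LOGGER.debug("No principal id attribute is found for ldap authentication via {}", props.getLdapUrl());
        } else {
            handler.setPrincipalIdAttribute(props.getPrincipalAttributeId());
            LOGGER.debug("Using principal id attribute {} for ldap authentication via {}", props.getPrincipalAttributeId(), props.getLdapUrl());
        }

        LOGGER.debug("Creating ldap authenticator for {} and baseDn {}", props.getLdapUrl(), props.getBaseDn());
        final Authenticator authenticator = getAuthenticator(props);
        authenticator.setReturnAttributes(attributeMap.keySet().toArray(new String[0]));
        LOGGER.debug("Ldap authenticator configured with return attributes {} for {} and baseDn {}", attributeMap.keySet(), props.getLdapUrl(), props.getBaseDn());

        if (props.getPasswordPolicy().isEnabled()) {
            LOGGER.debug("Password policy is enabled for {}. Constructing password policy configuration", props.getLdapUrl());
            // Also installs the password-policy response handlers on the authenticator.
            handler.setPasswordPolicyConfiguration(createLdapPasswordPolicyConfiguration(props, authenticator));
        }
        handler.setAuthenticator(authenticator);
        LOGGER.debug("Initializing ldap authentication handler...");
        handler.initialize();

        if (props.getAdditionalAttributes().isEmpty() && props.getPrincipalAttributeList().isEmpty()) {
            LOGGER.debug("Ldap authentication for {} is to delegate to principal resolvers for attributes", props.getLdapUrl());
            this.authenticationHandlersResolvers.put(handler, this.personDirectoryPrincipalResolver);
        } else {
            LOGGER.debug("Ldap authentication for {} and baseDn {} is retrieving attributes. Principal resolvers are inactive.", props.getLdapUrl(), props.getBaseDn());
            this.authenticationHandlersResolvers.put(handler, null);
        }
    }

    /**
     * Restricts the handler to credentials whose id matches the configured {@code credentialCriteria}
     * regular expression, when one is set. The pattern is compiled once here instead of on every
     * authentication attempt; any partial match selects the credential.
     *
     * @param handler the handler to configure
     * @param props   the LDAP entry the handler is built from
     */
    private static void configureCredentialCriteria(final LdapAuthenticationHandler handler, final LdapAuthenticationProperties props) {
        if (StringUtils.isBlank(props.getCredentialCriteria())) {
            return;
        }
        LOGGER.debug("Ldap authentication for {} is filtering credentials by {}", props.getLdapUrl(), props.getCredentialCriteria());
        final Pattern criteria = Pattern.compile(props.getCredentialCriteria());
        handler.setCredentialSelectionPredicate(credential -> criteria.matcher(credential.getId()).find());
    }

    /**
     * Builds the LDAP-attribute to principal-attribute map for one entry. Each item of
     * {@code principalAttributeList} is either {@code name} (mapped to itself) or {@code name:mappedName};
     * the attribute-repository attributes configured globally are merged in afterwards and win on conflict.
     *
     * @param props the LDAP entry
     * @return a mutable map of attribute names to principal attribute names
     */
    private Map<String, String> buildPrincipalAttributeMap(final LdapAuthenticationProperties props) {
        final Map<String, String> attributeMap = new HashMap<>();
        if (props.getPrincipalAttributeList().isEmpty()) {
            LOGGER.debug("No principal attributes are defined for {}", props.getLdapUrl());
        } else {
            for (final Object entry : props.getPrincipalAttributeList()) {
                final String attribute = entry.toString().trim();
                if (!attribute.contains(ATTRIBUTE_MAPPING_SEPARATOR)) {
                    LOGGER.debug("Mapped principal attribute name {} for {}", attribute, props.getLdapUrl());
                    attributeMap.put(attribute, attribute);
                    continue;
                }
                final String[] parts = attribute.split(ATTRIBUTE_MAPPING_SEPARATOR);
                // ":" or ":name" has no source attribute; indexing parts[0]/parts[1] blindly would throw.
                if (parts.length == 0 || parts[0].trim().isEmpty()) {
                    LOGGER.warn("Ignoring malformed principal attribute mapping [{}] for {}", attribute, props.getLdapUrl());
                    continue;
                }
                final String name = parts[0].trim();
                // "name:" (no target) is treated like "name".
                final String mappedName = parts.length > 1 ? parts[1].trim() : name;
                LOGGER.debug("Mapped principal attribute name {} to {} for {}", name, mappedName, props.getLdapUrl());
                attributeMap.put(name, mappedName);
            }
        }
        attributeMap.putAll(this.casProperties.getAuthn().getAttributeRepository().getAttributes());
        return attributeMap;
    }

    /**
     * Builds the password-policy configuration for one entry and, as a side effect, installs the ldaptive
     * response handlers that interpret the server's password-policy information on {@code authenticator}.
     * Warning-period handlers (eDirectory, Active Directory, FreeIPA) are only added when a positive
     * warning window is configured.
     *
     * @param props         the LDAP entry
     * @param authenticator the authenticator that receives the response handlers
     * @return the password-policy configuration to attach to the handler
     */
    private static LdapPasswordPolicyConfiguration createLdapPasswordPolicyConfiguration(final LdapAuthenticationProperties props,
                                                                                         final Authenticator authenticator) {
        final LdapPasswordPolicyConfiguration configuration = new LdapPasswordPolicyConfiguration(props.getPasswordPolicy());

        // LinkedHashSet keeps the handlers in the order they are added, so invocation order is deterministic.
        final Set<AuthenticationResponseHandler> handlers = new LinkedHashSet<>();
        final int warningDays = configuration.getPasswordWarningNumberOfDays();
        if (warningDays > 0) {
            final Period warningPeriod = Period.ofDays(warningDays);
            handlers.add(new EDirectoryAuthenticationResponseHandler(warningPeriod));
            handlers.add(new ActiveDirectoryAuthenticationResponseHandler(warningPeriod));
            handlers.add(new FreeIPAAuthenticationResponseHandler(warningPeriod, configuration.getLoginFailures()));
        }
        handlers.add(new PasswordPolicyAuthenticationResponseHandler());
        handlers.add(new PasswordExpirationAuthenticationResponseHandler());
        authenticator.setAuthenticationResponseHandlers(handlers.toArray(new AuthenticationResponseHandler[0]));

        final boolean warningAttributeConfigured = StringUtils.isNotBlank(props.getPasswordPolicy().getWarningAttributeName())
                && StringUtils.isNotBlank(props.getPasswordPolicy().getWarningAttributeValue());
        if (warningAttributeConfigured) {
            final OptionalWarningAccountStateHandler stateHandler = new OptionalWarningAccountStateHandler();
            stateHandler.setDisplayWarningOnMatch(props.getPasswordPolicy().isDisplayWarningOnMatch());
            stateHandler.setWarnAttributeName(props.getPasswordPolicy().getWarningAttributeName());
            stateHandler.setWarningAttributeValue(props.getPasswordPolicy().getWarningAttributeValue());
            stateHandler.setAttributesToErrorMap(props.getPasswordPolicy().getPolicyAttributes());
            configuration.setAccountStateHandler(stateHandler);
        } else {
            final DefaultAccountStateHandler stateHandler = new DefaultAccountStateHandler();
            stateHandler.setAttributesToErrorMap(props.getPasswordPolicy().getPolicyAttributes());
            configuration.setAccountStateHandler(stateHandler);
        }
        return configuration;
    }

    /**
     * Selects the authenticator flavour for the entry's configured authentication type. Any type other
     * than AD, DIRECT, SASL or AUTHENTICATED falls back to an anonymous search authenticator.
     *
     * @param props the LDAP entry
     * @return a configured ldaptive authenticator
     */
    private static Authenticator getAuthenticator(final LdapAuthenticationProperties props) {
        final LdapAuthenticationProperties.AuthenticationTypes type = props.getType();
        if (type == null) {
            LOGGER.debug("Creating anonymous authenticator for {}", props.getLdapUrl());
            return getAuthenticatedOrAnonSearchAuthenticator(props);
        }
        switch (type) {
            case AD:
                LOGGER.debug("Creating active directory authenticator for {}", props.getLdapUrl());
                return getActiveDirectoryAuthenticator(props);
            case DIRECT:
                LOGGER.debug("Creating direct-bind authenticator for {}", props.getLdapUrl());
                return getDirectBindAuthenticator(props);
            case SASL:
                LOGGER.debug("Creating SASL authenticator for {}", props.getLdapUrl());
                return getSaslAuthenticator(props);
            case AUTHENTICATED:
                LOGGER.debug("Creating authenticated authenticator for {}", props.getLdapUrl());
                return getAuthenticatedOrAnonSearchAuthenticator(props);
            default:
                LOGGER.debug("Creating anonymous authenticator for {}", props.getLdapUrl());
                return getAuthenticatedOrAnonSearchAuthenticator(props);
        }
    }

    /**
     * Builds a SASL authenticator: a pooled search resolves the user's DN, then a pooled bind verifies it.
     *
     * @param props the LDAP entry
     * @return the authenticator
     */
    private static Authenticator getSaslAuthenticator(final LdapAuthenticationProperties props) {
        return new Authenticator(newPooledSearchDnResolver(props), getPooledBindAuthenticationHandler(props));
    }

    /**
     * Builds an authenticated or anonymous search authenticator. The DN is resolved by a pooled search;
     * credentials are then verified by a bind, or by an LDAP compare against
     * {@code principalAttributePassword} when that attribute is configured.
     *
     * @param props the LDAP entry
     * @return the authenticator, optionally enhanced with a search entry resolver
     */
    private static Authenticator getAuthenticatedOrAnonSearchAuthenticator(final LdapAuthenticationProperties props) {
        final PooledSearchDnResolver dnResolver = newPooledSearchDnResolver(props);
        final Authenticator authenticator;
        if (StringUtils.isBlank(props.getPrincipalAttributePassword())) {
            authenticator = new Authenticator(dnResolver, getPooledBindAuthenticationHandler(props));
        } else {
            authenticator = new Authenticator(dnResolver, getPooledCompareAuthenticationHandler(props));
        }
        return enhanceWithEntryResolver(authenticator, props);
    }

    /**
     * Builds a direct-bind authenticator whose DN is produced by formatting the entry's {@code baseDn}.
     *
     * @param props the LDAP entry
     * @return the authenticator, optionally enhanced with a search entry resolver
     */
    private static Authenticator getDirectBindAuthenticator(final LdapAuthenticationProperties props) {
        final Authenticator authenticator = new Authenticator(new FormatDnResolver(props.getBaseDn()), getPooledBindAuthenticationHandler(props));
        return enhanceWithEntryResolver(authenticator, props);
    }

    /**
     * Builds an Active Directory authenticator whose DN is produced by formatting {@code dnFormat}.
     *
     * @param props the LDAP entry
     * @return the authenticator, optionally enhanced with a search entry resolver
     * @throws IllegalArgumentException when {@code dnFormat} is blank
     */
    private static Authenticator getActiveDirectoryAuthenticator(final LdapAuthenticationProperties props) {
        if (StringUtils.isBlank(props.getDnFormat())) {
            throw new IllegalArgumentException("Dn format cannot be empty/blank for active directory authentication");
        }
        final Authenticator authenticator = new Authenticator(new FormatDnResolver(props.getDnFormat()), getPooledBindAuthenticationHandler(props));
        return enhanceWithEntryResolver(authenticator, props);
    }

    /**
     * Attaches a search entry resolver to the authenticator when {@code enhanceWithEntryResolver} is set.
     *
     * @param authenticator the authenticator to enhance
     * @param props         the LDAP entry
     * @return the same authenticator, for chaining
     */
    private static Authenticator enhanceWithEntryResolver(final Authenticator authenticator, final LdapAuthenticationProperties props) {
        if (props.isEnhanceWithEntryResolver()) {
            authenticator.setEntryResolver(Beans.newSearchEntryResolver(props));
        }
        return authenticator;
    }

    /**
     * Builds the pooled DN resolver shared by the search-based authenticators.
     *
     * @param props the LDAP entry
     * @return a resolver searching under {@code baseDn} with the entry's user filter
     */
    private static PooledSearchDnResolver newPooledSearchDnResolver(final LdapAuthenticationProperties props) {
        final PooledSearchDnResolver dnResolver = new PooledSearchDnResolver();
        dnResolver.setBaseDn(props.getBaseDn());
        dnResolver.setSubtreeSearch(props.isSubtreeSearch());
        dnResolver.setAllowMultipleDns(props.isAllowMultipleDns());
        dnResolver.setConnectionFactory(Beans.newPooledConnectionFactory(props));
        dnResolver.setUserFilter(props.getUserFilter());
        return dnResolver;
    }

    /**
     * Builds a pooled bind handler that attaches the password-policy request control to each bind.
     *
     * @param props the LDAP entry
     * @return the bind handler
     */
    private static PooledBindAuthenticationHandler getPooledBindAuthenticationHandler(final LdapAuthenticationProperties props) {
        final PooledBindAuthenticationHandler bindHandler = new PooledBindAuthenticationHandler(Beans.newPooledConnectionFactory(props));
        bindHandler.setAuthenticationControls(new RequestControl[]{new PasswordPolicyControl()});
        return bindHandler;
    }

    /**
     * Builds a pooled compare handler that verifies credentials against {@code principalAttributePassword}.
     *
     * @param props the LDAP entry
     * @return the compare handler
     */
    private static PooledCompareAuthenticationHandler getPooledCompareAuthenticationHandler(final LdapAuthenticationProperties props) {
        final PooledCompareAuthenticationHandler compareHandler = new PooledCompareAuthenticationHandler(Beans.newPooledConnectionFactory(props));
        compareHandler.setPasswordAttribute(props.getPrincipalAttributePassword());
        return compareHandler;
    }
}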
