package org.apereo.cas.authentication;

import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.annotation.PostConstruct;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.support.AccountStateHandler;
import org.apereo.cas.authentication.support.LdapPasswordPolicyConfiguration;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.util.CollectionUtils;
import org.ldaptive.Credential;
import org.ldaptive.LdapAttribute;
import org.ldaptive.LdapEntry;
import org.ldaptive.LdapException;
import org.ldaptive.ReturnAttributes;
import org.ldaptive.auth.AuthenticationRequest;
import org.ldaptive.auth.AuthenticationResponse;
import org.ldaptive.auth.AuthenticationResultCode;
import org.ldaptive.auth.Authenticator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/authentication/LdapAuthenticationHandler.class */
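/**
 * Username/password authentication handler backed by an ldaptive {@link Authenticator}.
 *
 * <p>The handler binds against the directory with the supplied credential, optionally runs the
 * configured LDAP password-policy {@link AccountStateHandler} over the response, and on success
 * builds a {@link Principal} whose id comes from {@code principalIdAttribute} (or the supplied
 * username) and whose attributes are collected according to {@code principalAttributeMap}.
 *
 * <p>{@link #initialize()} must run (it is a {@code @PostConstruct} hook) before authentication so
 * that the set of entry attributes requested from the directory is computed from the configured
 * principal id attribute and attribute map, minus whatever the authenticator already returns.
 *
 * <p>This class is not thread-safe during configuration; all setters are expected to be called
 * before {@link #initialize()}.
 */
public class LdapAuthenticationHandler extends AbstractUsernamePasswordAuthenticationHandler {
    private static final Logger LOGGER = LoggerFactory.getLogger(LdapAuthenticationHandler.class);

    /** Principal attribute under which the entry DN is published when {@link #collectDnAttribute} is set. */
    private static final String DEFAULT_PRINCIPAL_DN_ATTRIBUTE_NAME = "principalLdapDn";

    /**
     * LDAP attribute name -> principal attribute name(s) it is published under.
     * An empty value collection keeps the LDAP attribute name as the principal attribute name.
     */
    protected Map<String, Collection<String>> principalAttributeMap = new HashMap<>();

    /** Performs the bind/search against the directory. Never null. */
    private final Authenticator authenticator;

    /** LDAP attribute whose (first) value becomes the principal id; blank means "use the supplied username". */
    private String principalIdAttribute;

    /** When false, a multi-valued {@link #principalIdAttribute} is an authentication failure. */
    private boolean allowMultiplePrincipalAttributeValues;

    /** When true, a missing/empty {@link #principalIdAttribute} falls back to the supplied username instead of failing. */
    private boolean allowMissingPrincipalAttributeValue = true;

    /** Entry attributes requested in every {@link AuthenticationRequest}; recomputed by {@link #initialize()}. */
    private String[] authenticatedEntryAttributes = ReturnAttributes.NONE.value();

    /** Whether the entry DN is added to the principal attributes under {@link #principalDnAttributeName}. */
    private boolean collectDnAttribute;

    private String principalDnAttributeName = DEFAULT_PRINCIPAL_DN_ATTRIBUTE_NAME;

    /**
     * Creates a new handler.
     *
     * @param name             handler name, forwarded unchanged to the superclass
     * @param servicesManager  forwarded unchanged to the superclass
     * @param principalFactory factory used to build the final {@link Principal}
     * @param order            forwarded unchanged to the superclass
     * @param authenticator    ldaptive authenticator performing the bind; must not be null
     * @throws NullPointerException if {@code authenticator} is null
     */
    public LdapAuthenticationHandler(final String name, final ServicesManager servicesManager,
                                     final PrincipalFactory principalFactory, final Integer order,
                                     final Authenticator authenticator) {
        super(name, servicesManager, principalFactory, order);
        // Fail fast: a null authenticator could otherwise only surface as an NPE on the first login.
        this.authenticator = Objects.requireNonNull(authenticator, "authenticator");
    }

    /**
     * Sets the LDAP attribute that supplies the principal id.
     *
     * @param principalIdAttribute attribute name; blank disables attribute-based ids
     */
    public void setPrincipalIdAttribute(final String principalIdAttribute) {
        this.principalIdAttribute = principalIdAttribute;
    }

    /**
     * Sets the principal attribute name under which the entry DN is recorded.
     *
     * @param principalDnAttributeName attribute name
     */
    public void setPrincipalDnAttributeName(final String principalDnAttributeName) {
        this.principalDnAttributeName = principalDnAttributeName;
    }

    /**
     * Controls whether a multi-valued principal id attribute is tolerated (first value wins).
     *
     * @param allowMultiplePrincipalAttributeValues true to tolerate multiple values
     */
    public void setAllowMultiplePrincipalAttributeValues(final boolean allowMultiplePrincipalAttributeValues) {
        this.allowMultiplePrincipalAttributeValues = allowMultiplePrincipalAttributeValues;
    }

    /**
     * Sets the LDAP-to-principal attribute mapping.
     *
     * @param map mapping of LDAP attribute name to the principal attribute names it is published
     *            under; {@code null} is treated as an empty mapping
     */
    public void setPrincipalAttributeMap(final Map<String, Collection<String>> map) {
        // Normalise null so collectAttributesForLdapEntry never has to null-check the field.
        this.principalAttributeMap = map != null ? map : new HashMap<String, Collection<String>>();
    }

    /**
     * Controls whether a missing principal id attribute falls back to the supplied username.
     *
     * @param allowMissingPrincipalAttributeValue true to fall back, false to fail the login
     */
    public void setAllowMissingPrincipalAttributeValue(final boolean allowMissingPrincipalAttributeValue) {
        this.allowMissingPrincipalAttributeValue = allowMissingPrincipalAttributeValue;
    }

    /**
     * Controls whether the entry DN is published as a principal attribute.
     *
     * @param collectDnAttribute true to record the DN
     */
    public void setCollectDnAttribute(final boolean collectDnAttribute) {
        this.collectDnAttribute = collectDnAttribute;
    }

    /**
     * Authenticates the credential against the directory.
     *
     * <p>The password-policy handler (if configured) is always applied to the LDAP response before
     * the bind result is inspected, so account-state problems are reported even for a failed bind.
     *
     * @param credential       the username/password to verify
     * @param originalPassword the password prior to any transformation; unused here
     * @return the handler result carrying the created principal and any password-policy messages
     * @throws AccountNotFoundException if the directory could not resolve a DN for the username
     * @throws FailedLoginException     if the bind failed for any other reason
     * @throws GeneralSecurityException if the password-policy handler or principal creation rejects the account
     * @throws PreventedException       if the directory operation itself failed
     */
    @Override
    protected HandlerResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential,
                                                                 final String originalPassword)
            throws GeneralSecurityException, PreventedException {
        final AuthenticationResponse response;
        try {
            // NOTE(review): this logs the credential object itself; relies on its toString() not
            // including the password - confirm against UsernamePasswordCredential.
            LOGGER.debug("Attempting LDAP authentication for [{}]. Authenticator pre-configured attributes are [{}], additional requested attributes for this authentication request are [{}]",
                credential, this.authenticator.getReturnAttributes(), this.authenticatedEntryAttributes);
            final AuthenticationRequest request = new AuthenticationRequest(credential.getUsername(),
                new Credential(credential.getPassword()), this.authenticatedEntryAttributes);
            response = this.authenticator.authenticate(request);
        } catch (final LdapException e) {
            LOGGER.trace(e.getMessage(), e);
            throw new PreventedException("Unexpected LDAP error", e);
        }
        LOGGER.debug("LDAP response: [{}]", response);

        final List<MessageDescriptor> messages = applyPasswordPolicy(response);

        // Boolean.TRUE.equals guards against a null result instead of unboxing it.
        if (Boolean.TRUE.equals(response.getResult())) {
            LOGGER.debug("LDAP response returned a result. Creating the final LDAP principal");
            final Principal principal = createPrincipal(credential.getUsername(), response.getLdapEntry());
            return createHandlerResult(credential, principal, messages);
        }
        if (AuthenticationResultCode.DN_RESOLUTION_FAILURE == response.getAuthenticationResultCode()) {
            LOGGER.warn("DN resolution failed. [{}]", response.getMessage());
            throw new AccountNotFoundException(credential.getUsername() + " not found.");
        }
        throw new FailedLoginException("Invalid credentials");
    }

    /**
     * Runs the configured password-policy account-state handler over the LDAP response.
     *
     * @param response the LDAP authentication response
     * @return messages produced by the handler, or an empty list when no policy is configured
     * @throws GeneralSecurityException if the account-state handler rejects the account
     */
    private List<MessageDescriptor> applyPasswordPolicy(final AuthenticationResponse response)
            throws GeneralSecurityException {
        final LdapPasswordPolicyConfiguration configuration = super.getPasswordPolicyConfiguration();
        if (configuration == null) {
            LOGGER.debug("No ldap password policy configuration is defined");
            return new ArrayList<>(0);
        }
        final AccountStateHandler accountStateHandler = configuration.getAccountStateHandler();
        LOGGER.debug("Applying password policy [{}] to [{}]", response, accountStateHandler);
        return accountStateHandler.handle(response, configuration);
    }

    /**
     * Builds the principal for a successfully authenticated entry.
     *
     * @param username  the username that was authenticated
     * @param ldapEntry the resolved LDAP entry
     * @return the principal created by the configured {@code principalFactory}
     * @throws LoginException if the principal id cannot be determined from the entry
     */
    protected Principal createPrincipal(final String username, final LdapEntry ldapEntry) throws LoginException {
        LOGGER.debug("Creating LDAP principal for [{}] based on [{}] and attributes [{}]",
            username, ldapEntry.getDn(), ldapEntry.getAttributeNames());
        final String principalId = getLdapPrincipalIdentifier(username, ldapEntry);
        LOGGER.debug("LDAP principal identifier created is [{}]", principalId);
        final Map<String, Object> attributes = collectAttributesForLdapEntry(ldapEntry, principalId);
        LOGGER.debug("Created LDAP principal for id [{}] and [{}] attributes", principalId, attributes.size());
        return this.principalFactory.createPrincipal(principalId, attributes);
    }

    /**
     * Collects principal attributes from the LDAP entry according to {@link #principalAttributeMap},
     * plus the entry DN when {@link #collectDnAttribute} is enabled.
     *
     * @param ldapEntry   the resolved LDAP entry
     * @param principalId the principal id; currently unused, kept for subclass overrides
     * @return an insertion-ordered map of principal attribute name to (wrapped) values
     */
    protected Map<String, Object> collectAttributesForLdapEntry(final LdapEntry ldapEntry, final String principalId) {
        final Map<String, Object> attributeMap = new LinkedHashMap<>(this.principalAttributeMap.size());
        // Log the configured request, not the (still empty) result map.
        LOGGER.debug("The following attributes are requested to be retrieved and mapped: [{}]",
            this.principalAttributeMap.keySet());
        this.principalAttributeMap.forEach((ldapAttributeName, mappedNames) -> {
            final LdapAttribute attribute = ldapEntry.getAttribute(ldapAttributeName);
            if (attribute == null) {
                LOGGER.warn("Requested LDAP attribute [{}] could not be found on the resolved LDAP entry for [{}]",
                    ldapAttributeName, ldapEntry.getDn());
                return;
            }
            LOGGER.debug("Found principal attribute: [{}]", attribute);
            if (mappedNames == null || mappedNames.isEmpty()) {
                LOGGER.debug("Principal attribute [{}] is collected as [{}]", attribute, ldapAttributeName);
                attributeMap.put(ldapAttributeName, CollectionUtils.wrap(attribute.getStringValues()));
            } else {
                mappedNames.forEach(mappedName -> {
                    LOGGER.debug("Principal attribute [{}] is virtually remapped/renamed to [{}]", attribute, mappedName);
                    attributeMap.put(mappedName, CollectionUtils.wrap(attribute.getStringValues()));
                });
            }
        });
        if (this.collectDnAttribute) {
            LOGGER.debug("Recording principal DN attribute as [{}]", this.principalDnAttributeName);
            attributeMap.put(this.principalDnAttributeName, ldapEntry.getDn());
        }
        return attributeMap;
    }

    /**
     * Determines the principal id for the entry.
     *
     * @param username  the authenticated username, used when no id attribute is configured or found
     * @param ldapEntry the resolved LDAP entry
     * @return the first value of {@link #principalIdAttribute}, or {@code username} as a fallback
     * @throws LoginException if the id attribute is missing and {@link #allowMissingPrincipalAttributeValue}
     *                        is false, or is multi-valued and {@link #allowMultiplePrincipalAttributeValues} is false
     */
    protected String getLdapPrincipalIdentifier(final String username, final LdapEntry ldapEntry) throws LoginException {
        if (StringUtils.isBlank(this.principalIdAttribute)) {
            LOGGER.debug("Principal id attribute is not defined. Using the default provided user id [{}]", username);
            return username;
        }
        final LdapAttribute attribute = ldapEntry.getAttribute(this.principalIdAttribute);
        if (attribute == null || attribute.size() == 0) {
            if (this.allowMissingPrincipalAttributeValue) {
                // Only attribute names are logged here: values of arbitrary entry attributes may be sensitive.
                LOGGER.warn("The principal id attribute [{}] is not found. CAS cannot construct the final authenticated principal if it's unable to locate the attribute that is designated as the principal id. Attributes available on the LDAP entry are [{}]. Since principal id attribute is not available, CAS will fall back to construct the principal based on the provided user id: [{}]",
                    this.principalIdAttribute, ldapEntry.getAttributeNames(), username);
                return username;
            }
            LOGGER.error("The principal id attribute [{}] is not found. CAS is configured to disallow missing principal attributes",
                this.principalIdAttribute);
            // Name the configured attribute; `attribute` is null or empty on this path.
            throw new LoginException("Principal id attribute is not found for " + this.principalIdAttribute);
        }
        if (attribute.size() > 1) {
            if (!this.allowMultiplePrincipalAttributeValues) {
                throw new LoginException("Multiple principal values are not allowed: " + attribute);
            }
            LOGGER.warn("Found multiple values for principal id attribute: [{}]. Using first value=[{}].",
                attribute, attribute.getStringValue());
        }
        final String principalId = attribute.getStringValue();
        LOGGER.debug("Retrieved principal id attribute [{}]", principalId);
        return principalId;
    }

    /**
     * Computes the entry attributes to request on every authentication: the principal id attribute
     * and every key of {@link #principalAttributeMap}, minus attributes the authenticator already
     * returns on its own.
     */
    @PostConstruct
    public void initialize() {
        final Set<String> requested = new HashSet<>();
        LOGGER.debug("Initializing LDAP attribute configuration...");
        if (StringUtils.isNotBlank(this.principalIdAttribute)) {
            LOGGER.debug("Configured to retrieve principal id attribute [{}]", this.principalIdAttribute);
            requested.add(this.principalIdAttribute);
        }
        // Null check retained: the field is protected and may be reset by subclasses.
        if (this.principalAttributeMap != null && !this.principalAttributeMap.isEmpty()) {
            final Set<String> mappedAttributeNames = this.principalAttributeMap.keySet();
            requested.addAll(mappedAttributeNames);
            LOGGER.debug("Configured to retrieve principal attribute collection of [{}]", mappedAttributeNames);
        }
        final String[] preconfigured = this.authenticator.getReturnAttributes();
        if (preconfigured != null && preconfigured.length > 0) {
            final List<String> alreadyReturned = Arrays.asList(preconfigured);
            LOGGER.debug("Filtering authentication entry attributes [{}] based on authenticator attributes [{}]",
                this.authenticatedEntryAttributes, alreadyReturned);
            requested.removeIf(alreadyReturned::contains);
        }
        this.authenticatedEntryAttributes = requested.toArray(new String[0]);
        LOGGER.debug("LDAP authentication entry attributes for the authentication request are [{}]",
            this.authenticatedEntryAttributes);
    }
}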
