package org.apereo.cas.config;

import com.google.common.collect.Multimap;
import java.time.Period;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlanConfigurer;
import org.apereo.cas.authentication.AuthenticationHandler;
import org.apereo.cas.authentication.AuthenticationPasswordPolicyHandlingStrategy;
import org.apereo.cas.authentication.CoreAuthenticationUtils;
import org.apereo.cas.authentication.LdapAuthenticationHandler;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.PrincipalFactoryUtils;
import org.apereo.cas.authentication.principal.PrincipalNameTransformerUtils;
import org.apereo.cas.authentication.principal.PrincipalResolver;
import org.apereo.cas.authentication.support.DefaultLdapAccountStateHandler;
import org.apereo.cas.authentication.support.OptionalWarningLdapAccountStateHandler;
import org.apereo.cas.authentication.support.RejectResultCodeLdapPasswordPolicyHandlingStrategy;
import org.apereo.cas.authentication.support.password.DefaultPasswordPolicyHandlingStrategy;
import org.apereo.cas.authentication.support.password.GroovyPasswordPolicyHandlingStrategy;
import org.apereo.cas.authentication.support.password.PasswordEncoderUtils;
import org.apereo.cas.authentication.support.password.PasswordPolicyConfiguration;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.core.authentication.PasswordPolicyProperties;
import org.apereo.cas.configuration.model.support.ldap.AbstractLdapProperties;
import org.apereo.cas.configuration.model.support.ldap.LdapAuthenticationProperties;
import org.apereo.cas.configuration.model.support.ldap.LdapPasswordPolicyProperties;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.LdapUtils;
import org.ldaptive.auth.AuthenticationResponse;
import org.ldaptive.auth.AuthenticationResponseHandler;
import org.ldaptive.auth.Authenticator;
import org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler;
import org.ldaptive.auth.ext.EDirectoryAuthenticationResponseHandler;
import org.ldaptive.auth.ext.FreeIPAAuthenticationResponseHandler;
import org.ldaptive.auth.ext.PasswordExpirationAuthenticationResponseHandler;
import org.ldaptive.auth.ext.PasswordPolicyAuthenticationResponseHandler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.Resource;

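/**
 * Spring configuration that builds one {@link LdapAuthenticationHandler} per usable LDAP
 * entry found under {@code casProperties.getAuthn().getLdap()} and registers those handlers
 * with the authentication event execution plan.
 * <p>
 * Per entry, this wires the ldaptive {@link Authenticator}, the password-policy handling
 * strategy, the directory-specific password-policy response handlers and the account-state
 * handler. Entries with no type or no LDAP url are skipped with a warning.
 */
@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration("ldapAuthenticationConfiguration")
public class LdapAuthenticationConfiguration {

    private static final Logger LOGGER = LoggerFactory.getLogger(LdapAuthenticationConfiguration.class);

    @Autowired
    private CasConfigurationProperties casProperties;

    @Autowired
    @Qualifier("defaultPrincipalResolver")
    private ObjectProvider<PrincipalResolver> defaultPrincipalResolver;

    @Autowired
    @Qualifier("servicesManager")
    private ObjectProvider<ServicesManager> servicesManager;

    /**
     * Filter that decides whether a configured LDAP entry can be turned into a handler.
     * An entry is rejected, with a WARN log, when it declares no type or a blank LDAP url.
     *
     * @return predicate that is {@code true} for usable entries
     */
    private static Predicate<LdapAuthenticationProperties> ldapInstanceConfigurationPredicate() {
        return properties -> {
            if (properties.getType() == null) {
                LOGGER.warn("Skipping LDAP authentication entry since no type is defined");
                return false;
            }
            if (StringUtils.isBlank(properties.getLdapUrl())) {
                LOGGER.warn("Skipping LDAP authentication entry since no LDAP url is defined");
                return false;
            }
            return true;
        };
    }

    /**
     * Principal factory shared by all LDAP handlers; overridable by defining a bean of the same name.
     *
     * @return a new default principal factory
     */
    @ConditionalOnMissingBean(name = {"ldapPrincipalFactory"})
    @Bean
    public PrincipalFactory ldapPrincipalFactory() {
        return PrincipalFactoryUtils.newPrincipalFactory();
    }

    /**
     * Builds and initializes one authentication handler for every usable LDAP entry.
     *
     * @return the handlers, in configuration order; empty when no entry is usable
     */
    @Bean
    public Collection<AuthenticationHandler> ldapAuthenticationHandlers() {
        final Predicate<LdapAuthenticationProperties> usable = ldapInstanceConfigurationPredicate();
        // LinkedHashSet keeps configuration order, so registration and log output are deterministic.
        final Set<AuthenticationHandler> handlers = new LinkedHashSet<>();
        for (final LdapAuthenticationProperties properties : casProperties.getAuthn().getLdap()) {
            if (usable.test(properties)) {
                handlers.add(createLdapAuthenticationHandler(properties));
            }
        }
        return handlers;
    }

    /**
     * Creates, configures and initializes the handler for a single LDAP entry.
     *
     * @param properties the LDAP entry; must have passed {@link #ldapInstanceConfigurationPredicate()}
     * @return the initialized handler
     */
    private LdapAuthenticationHandler createLdapAuthenticationHandler(final LdapAuthenticationProperties properties) {
        final String ldapUrl = properties.getLdapUrl();

        final Multimap<String, Object> principalAttributes =
            CoreAuthenticationUtils.transformPrincipalAttributesListIntoMultiMap(properties.getPrincipalAttributeList());
        LOGGER.debug("Created and mapped principal attributes [{}] for [{}]...", principalAttributes, ldapUrl);

        LOGGER.debug("Creating LDAP authenticator for [{}] and baseDn [{}]", ldapUrl, properties.getBaseDn());
        final Authenticator authenticator = LdapUtils.newLdaptiveAuthenticator(properties);
        LOGGER.debug("Ldap authenticator configured with return attributes [{}] for [{}] and baseDn [{}]",
            principalAttributes.keySet(), ldapUrl, properties.getBaseDn());

        LOGGER.debug("Creating LDAP password policy handling strategy for [{}]", ldapUrl);
        final AuthenticationPasswordPolicyHandlingStrategy<AuthenticationResponse, PasswordPolicyConfiguration> strategy =
            createLdapPasswordPolicyHandlingStrategy(properties);

        LOGGER.debug("Creating LDAP authentication handler for [{}]", ldapUrl);
        final LdapAuthenticationHandler handler = new LdapAuthenticationHandler(properties.getName(),
            servicesManager.getIfAvailable(), ldapPrincipalFactory(), properties.getOrder(), authenticator, strategy);
        handler.setCollectDnAttribute(properties.isCollectDnAttribute());

        final String principalAttributeId = properties.getPrincipalAttributeId();
        if (StringUtils.isNotBlank(principalAttributeId)) {
            // NOTE(review): this appends to the configuration object's own list, i.e. it mutates shared
            // configuration state; presumably harmless because the bean is built once - confirm.
            properties.getAdditionalAttributes().add(principalAttributeId);
            handler.setPrincipalIdAttribute(principalAttributeId);
            LOGGER.debug("Using principal id attribute [{}] for LDAP authentication via [{}]", principalAttributeId, ldapUrl);
        } else {
            LOGGER.debug("No principal id attribute is found for LDAP authentication via [{}]", ldapUrl);
        }

        if (StringUtils.isNotBlank(properties.getPrincipalDnAttributeName())) {
            handler.setPrincipalDnAttributeName(properties.getPrincipalDnAttributeName());
        }
        handler.setAllowMultiplePrincipalAttributeValues(properties.isAllowMultiplePrincipalAttributeValues());
        handler.setAllowMissingPrincipalAttributeValue(properties.isAllowMissingPrincipalAttributeValue());
        handler.setPasswordEncoder(PasswordEncoderUtils.newPasswordEncoder(properties.getPasswordEncoder()));
        handler.setPrincipalNameTransformer(
            PrincipalNameTransformerUtils.newPrincipalNameTransformer(properties.getPrincipalTransformation()));

        if (StringUtils.isNotBlank(properties.getCredentialCriteria())) {
            LOGGER.debug("Ldap authentication for [{}] is filtering credentials by [{}]", ldapUrl, properties.getCredentialCriteria());
            handler.setCredentialSelectionPredicate(
                CoreAuthenticationUtils.newCredentialSelectionPredicate(properties.getCredentialCriteria()));
        }

        final LdapPasswordPolicyProperties passwordPolicy = properties.getPasswordPolicy();
        if (passwordPolicy.isEnabled()) {
            LOGGER.debug("Password policy is enabled for [{}]. Constructing password policy configuration", ldapUrl);
            // May also add directory-specific password-policy attributes to principalAttributes.
            handler.setPasswordPolicyConfiguration(
                createLdapPasswordPolicyConfiguration(passwordPolicy, authenticator, principalAttributes));
        }
        handler.setPrincipalAttributeMap(CollectionUtils.wrap(principalAttributes));

        LOGGER.debug("Initializing LDAP authentication handler for [{}]", ldapUrl);
        handler.initialize();
        return handler;
    }

    /**
     * Selects the password-policy handling strategy for one LDAP entry from its configured
     * strategy option: {@code REJECT_RESULT_CODE}, {@code GROOVY} (only when a script location
     * is set), otherwise the default strategy.
     *
     * @param properties the LDAP entry
     * @return the strategy to hand to the authentication handler
     */
    private static AuthenticationPasswordPolicyHandlingStrategy<AuthenticationResponse, PasswordPolicyConfiguration>
        createLdapPasswordPolicyHandlingStrategy(final LdapAuthenticationProperties properties) {
        final LdapPasswordPolicyProperties passwordPolicy = properties.getPasswordPolicy();
        final PasswordPolicyProperties.PasswordPolicyHandlingOptions option = passwordPolicy.getStrategy();

        if (option == PasswordPolicyProperties.PasswordPolicyHandlingOptions.REJECT_RESULT_CODE) {
            LOGGER.debug("Created LDAP password policy handling strategy based on blacklisted authentication result codes");
            return new RejectResultCodeLdapPasswordPolicyHandlingStrategy();
        }
        if (option == PasswordPolicyProperties.PasswordPolicyHandlingOptions.GROOVY) {
            final Resource location = passwordPolicy.getGroovy().getLocation();
            if (location != null) {
                LOGGER.debug("Created LDAP password policy handling strategy based on Groovy script [{}]", location);
                return new GroovyPasswordPolicyHandlingStrategy(location);
            }
            // A selected-but-unusable strategy is a misconfiguration worth surfacing, not just a silent fallback.
            LOGGER.warn("Password policy strategy is GROOVY but no script location is defined; falling back to the default strategy");
        }
        LOGGER.debug("Created default LDAP password policy handling strategy");
        return new DefaultPasswordPolicyHandlingStrategy();
    }

    /**
     * Builds the password-policy configuration for one LDAP entry: installs the ldaptive
     * response handlers that match the directory type (plus an optional custom handler) on the
     * authenticator, requests the attributes those handlers need, and picks the account-state handler.
     *
     * @param passwordPolicyProperties the entry's password-policy settings
     * @param authenticator            the authenticator that receives the response handlers
     * @param attributes               principal attribute map; directory-specific policy attributes are added to it
     * @return the configuration to hand to the authentication handler
     */
    private static PasswordPolicyConfiguration createLdapPasswordPolicyConfiguration(
        final LdapPasswordPolicyProperties passwordPolicyProperties,
        final Authenticator authenticator,
        final Multimap<String, Object> attributes) {

        final PasswordPolicyConfiguration configuration = new PasswordPolicyConfiguration(passwordPolicyProperties);
        // Typed and ordered: a non-handler custom class is caught up front instead of failing in toArray(),
        // and handlers run in a deterministic order.
        final Set<AuthenticationResponseHandler> responseHandlers = new LinkedHashSet<>();

        final String customPolicyClass = passwordPolicyProperties.getCustomPolicyClass();
        if (StringUtils.isNotBlank(customPolicyClass)) {
            newCustomPolicyHandler(customPolicyClass).ifPresent(responseHandlers::add);
        }

        LOGGER.debug("Password policy authentication response handler is set to accommodate directory type: [{}]",
            passwordPolicyProperties.getType());
        final Period warningPeriod = Period.ofDays(configuration.getPasswordWarningNumberOfDays());
        switch (passwordPolicyProperties.getType()) {
            case AD:
                requestPasswordPolicyAttributes(ActiveDirectoryAuthenticationResponseHandler.ATTRIBUTES, attributes);
                responseHandlers.add(new ActiveDirectoryAuthenticationResponseHandler(warningPeriod));
                break;
            case FreeIPA:
                requestPasswordPolicyAttributes(FreeIPAAuthenticationResponseHandler.ATTRIBUTES, attributes);
                responseHandlers.add(new FreeIPAAuthenticationResponseHandler(warningPeriod, configuration.getLoginFailures()));
                break;
            case EDirectory:
                requestPasswordPolicyAttributes(EDirectoryAuthenticationResponseHandler.ATTRIBUTES, attributes);
                responseHandlers.add(new EDirectoryAuthenticationResponseHandler(warningPeriod));
                break;
            default:
                // Generic directories: rely on the standard password-policy and expiration controls.
                responseHandlers.add(new PasswordPolicyAuthenticationResponseHandler());
                responseHandlers.add(new PasswordExpirationAuthenticationResponseHandler());
                break;
        }
        authenticator.setAuthenticationResponseHandlers(responseHandlers.toArray(new AuthenticationResponseHandler[0]));
        LOGGER.debug("LDAP authentication response handlers configured are: [{}]", responseHandlers);

        configureAccountStateHandler(configuration, passwordPolicyProperties);
        return configuration;
    }

    /**
     * Instantiates the operator-supplied response handler class via its no-arg constructor.
     * <p>
     * {@code Class.forName} on a configuration-supplied name loads (and runs the static
     * initializer of) whatever class that name resolves to, so the value is trusted to the
     * same degree as the rest of CAS configuration. The class must implement
     * {@link AuthenticationResponseHandler}; without this check a mismatch only surfaced later
     * as an {@code ArrayStoreException} when the handlers were copied into a typed array.
     *
     * @param customPolicyClass fully qualified class name from configuration
     * @return the handler, or empty when the class cannot be resolved, does not implement the
     *         interface, or cannot be instantiated; each case is logged at WARN and the handler
     *         is left out, in keeping with the existing best-effort handling of construction failures
     */
    private static Optional<AuthenticationResponseHandler> newCustomPolicyHandler(final String customPolicyClass) {
        LOGGER.debug("Configuration indicates use of a custom password policy handler [{}]", customPolicyClass);
        try {
            final Class<?> handlerClass = Class.forName(customPolicyClass);
            if (!AuthenticationResponseHandler.class.isAssignableFrom(handlerClass)) {
                LOGGER.warn("Custom password policy handler [{}] does not implement [{}] and will be ignored",
                    customPolicyClass, AuthenticationResponseHandler.class.getName());
                return Optional.empty();
            }
            return Optional.of(handlerClass.asSubclass(AuthenticationResponseHandler.class)
                .getDeclaredConstructor()
                .newInstance());
        } catch (final ReflectiveOperationException | RuntimeException e) {
            LOGGER.warn("Unable to construct an instance of the password policy handler", e);
            return Optional.empty();
        }
    }

    /**
     * Adds each attribute a directory-specific response handler needs to the principal
     * attribute map (mapped to itself) so the authenticator retrieves it.
     *
     * @param handlerAttributes attribute names published by the ldaptive response handler
     * @param attributes        principal attribute map to extend
     */
    private static void requestPasswordPolicyAttributes(final String[] handlerAttributes, final Multimap<String, Object> attributes) {
        for (final String attribute : handlerAttributes) {
            LOGGER.debug("Configuring authentication to retrieve password policy attribute [{}]", attribute);
            attributes.put(attribute, attribute);
        }
    }

    /**
     * Installs the account-state handler: none when account-state handling is disabled, the
     * optional-warning handler when both a warning attribute name and value are configured,
     * otherwise the default handler.
     *
     * @param configuration            configuration to install the handler on
     * @param passwordPolicyProperties the entry's password-policy settings
     */
    private static void configureAccountStateHandler(final PasswordPolicyConfiguration configuration,
                                                     final LdapPasswordPolicyProperties passwordPolicyProperties) {
        if (!passwordPolicyProperties.isAccountStateHandlingEnabled()) {
            // Disabled: report no account-state messages at all.
            configuration.setAccountStateHandler((response, policyConfiguration) -> new ArrayList<>(0));
            LOGGER.debug("Handling LDAP account states is disabled via CAS configuration");
            return;
        }

        final String warningAttributeName = passwordPolicyProperties.getWarningAttributeName();
        final String warningAttributeValue = passwordPolicyProperties.getWarningAttributeValue();
        if (StringUtils.isNotBlank(warningAttributeName) && StringUtils.isNotBlank(warningAttributeValue)) {
            final OptionalWarningLdapAccountStateHandler handler = new OptionalWarningLdapAccountStateHandler();
            handler.setDisplayWarningOnMatch(passwordPolicyProperties.isDisplayWarningOnMatch());
            handler.setWarnAttributeName(warningAttributeName);
            handler.setWarningAttributeValue(warningAttributeValue);
            handler.setAttributesToErrorMap(passwordPolicyProperties.getPolicyAttributes());
            configuration.setAccountStateHandler(handler);
            LOGGER.debug("Configuring an warning account state handler for LDAP authentication for warning attribute [{}] and value [{}]",
                warningAttributeName, warningAttributeValue);
            return;
        }

        final DefaultLdapAccountStateHandler handler = new DefaultLdapAccountStateHandler();
        handler.setAttributesToErrorMap(passwordPolicyProperties.getPolicyAttributes());
        configuration.setAccountStateHandler(handler);
        LOGGER.debug("Configuring the default account state handler for LDAP authentication");
    }

    /**
     * Registers every LDAP handler from {@link #ldapAuthenticationHandlers()} with the execution
     * plan, paired with the default principal resolver; overridable by defining a bean of the same name.
     *
     * @return the configurer that performs the registration
     */
    @ConditionalOnMissingBean(name = {"ldapAuthenticationEventExecutionPlanConfigurer"})
    @Bean
    public AuthenticationEventExecutionPlanConfigurer ldapAuthenticationEventExecutionPlanConfigurer() {
        return plan -> ldapAuthenticationHandlers().forEach(handler -> {
            LOGGER.info("Registering LDAP authentication for [{}]", handler.getName());
            plan.registerAuthenticationHandlerWithPrincipalResolver(handler, defaultPrincipalResolver.getIfAvailable());
        });
    }
}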
