package org.apereo.cas.web.ldap;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.stream.Collectors;
import lombok.Generated;
import org.apereo.cas.configuration.model.core.web.security.AdminPagesSecurityProperties;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.LdapUtils;
import org.apereo.cas.util.Pac4jUtils;
import org.ldaptive.Credential;
import org.ldaptive.LdapEntry;
import org.ldaptive.ReturnAttributes;
import org.ldaptive.auth.AuthenticationRequest;
import org.ldaptive.auth.AuthenticationResponse;
import org.ldaptive.auth.Authenticator;
import org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer;
import org.pac4j.core.authorization.generator.AuthorizationGenerator;
import org.pac4j.core.context.J2EContext;
import org.pac4j.core.profile.CommonProfile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

/* loaded from: input_file:org/apereo/cas/web/ldap/LdapAuthenticationProvider.class */
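public class LdapAuthenticationProvider implements AuthenticationProvider {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(LdapAuthenticationProvider.class);
    /** Adds roles/permissions to the LDAP-derived profile before the admin-role check runs. */
    private final AuthorizationGenerator<CommonProfile> authorizationGenerator;
    /** Supplies the LDAP connection settings and the list of roles allowed into the admin pages. */
    private final AdminPagesSecurityProperties adminPagesSecurityProperties;

    /**
     * Authenticates a username/password token by binding against LDAP, builds a pac4j profile from the
     * returned entry, runs the configured authorization generator over it and finally requires one of the
     * configured admin roles.
     *
     * @param authentication the token; its principal is used as the username, its credentials as the password
     * @return a fully authenticated {@link UsernamePasswordAuthenticationToken} carrying one
     *         {@link SimpleGrantedAuthority} per profile role
     * @throws BadCredentialsException if the password is missing, the LDAP bind fails or the user holds
     *                                 none of the admin roles
     * @throws InsufficientAuthenticationException for any other failure (LDAP connectivity, unexpected nulls, ...)
     */
    @Override
    public Authentication authenticate(final Authentication authentication) throws AuthenticationException {
        try {
            final String username = authentication.getPrincipal().toString();
            final Object credentials = authentication.getCredentials();
            final String password = credentials == null ? null : credentials.toString();
            if (password == null || password.isEmpty()) {
                // Never forward an empty password to the bind: a simple bind with an empty password is an
                // unauthenticated (anonymous) bind on many directories (RFC 4513 section 5.1.2) and must not
                // be mistaken for a successful login.
                LOGGER.warn("Rejecting LDAP authentication for user [{}]: no password was supplied", username);
                throw new BadCredentialsException("Could not authenticate provided credentials");
            }
            LOGGER.debug("Preparing LDAP authentication request for user [{}]", username);
            final AuthenticationRequest request = new AuthenticationRequest(username, new Credential(password), ReturnAttributes.ALL.value());
            final Authenticator authenticator = LdapUtils.newLdaptiveAuthenticator(this.adminPagesSecurityProperties.getLdap());
            LOGGER.debug("Executing LDAP authentication request for user [{}]", username);
            final AuthenticationResponse response = authenticator.authenticate(request);
            // NOTE(review): the response's toString may include entry attributes; keep this at debug level.
            LOGGER.debug("LDAP response: [{}]", response);
            // A null result is treated as a failed bind rather than as an unexpected error.
            if (Boolean.TRUE.equals(response.getResult())) {
                final J2EContext context = Pac4jUtils.getPac4jJ2EContext();
                final LdapEntry entry = response.getLdapEntry();
                final CommonProfile profile = new CommonProfile();
                profile.setId(username);
                entry.getAttributes().forEach(attribute -> profile.addAttribute(attribute.getName(), attribute.getStringValues()));
                LOGGER.debug("Collected user profile [{}]", profile);
                this.authorizationGenerator.generate(context, profile);
                LOGGER.debug("Assembled user profile with roles after generating authorization claims [{}]", profile);
                final List<SimpleGrantedAuthority> authorities = profile.getRoles().stream()
                    .map(SimpleGrantedAuthority::new)
                    .collect(Collectors.toList());
                LOGGER.debug("List of authorities remapped from profile roles are [{}]", authorities);
                final RequireAnyRoleAuthorizer<CommonProfile> authorizer = new RequireAnyRoleAuthorizer<>(this.adminPagesSecurityProperties.getAdminRoles());
                LOGGER.debug("Executing authorization for expected admin roles [{}]", authorizer.getElements());
                if (authorizer.isAllAuthorized(context, CollectionUtils.wrap(profile))) {
                    // The cleartext password travels as the token's credentials; Spring Security's ProviderManager
                    // erases them after authentication by default (eraseCredentialsAfterAuthentication) — confirm
                    // that default is not disabled in this deployment.
                    return new UsernamePasswordAuthenticationToken(username, password, authorities);
                }
                LOGGER.warn("User [{}] is not authorized to access the requested resource allowed to roles [{}]", username, authorizer.getElements());
            } else {
                LOGGER.warn("LDAP authentication response produced no results for [{}]", username);
            }
            throw new BadCredentialsException("Could not authenticate provided credentials");
        } catch (final AuthenticationException e) {
            // Deliberate failures (the BadCredentialsException thrown above) must reach the caller as-is;
            // the generic handler below would otherwise relabel them as an "unexpected LDAP error" and
            // log a full stack trace at error level for every wrong password.
            throw e;
        } catch (final Exception e) {
            LOGGER.error(e.getMessage(), e);
            throw new InsufficientAuthenticationException("Unexpected LDAP error", e);
        }
    }

    /**
     * Accepts only {@link UsernamePasswordAuthenticationToken} (and subclasses).
     *
     * @param cls the token type offered by the provider manager
     * @return {@code true} if this provider can authenticate tokens of that type
     */
    @Override
    public boolean supports(final Class<?> cls) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(cls);
    }

    /**
     * Creates the provider.
     *
     * @param authorizationGenerator      enriches the LDAP profile with roles before the admin-role check
     * @param adminPagesSecurityProperties LDAP connection settings and the admin role list
     */
    @Generated
    public LdapAuthenticationProvider(final AuthorizationGenerator<CommonProfile> authorizationGenerator, final AdminPagesSecurityProperties adminPagesSecurityProperties) {
        this.authorizationGenerator = authorizationGenerator;
        this.adminPagesSecurityProperties = adminPagesSecurityProperties;
    }
}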
