package org.neo4j.server.security.enterprise.auth;

import java.io.IOException;
import java.net.ConnectException;
import java.net.SocketTimeoutException;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Stream;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.realm.ldap.DefaultLdapRealm;
import org.apache.shiro.realm.ldap.JndiLdapContextFactory;
import org.apache.shiro.realm.ldap.LdapContextFactory;
import org.apache.shiro.realm.ldap.LdapUtils;
import org.apache.shiro.subject.PrincipalCollection;
import org.neo4j.graphdb.security.AuthProviderFailedException;
import org.neo4j.graphdb.security.AuthProviderTimeoutException;
import org.neo4j.graphdb.security.AuthorizationExpiredException;
import org.neo4j.internal.kernel.api.security.AuthenticationResult;
import org.neo4j.kernel.api.security.exception.InvalidAuthTokenException;
import org.neo4j.kernel.configuration.Config;
import org.neo4j.server.security.enterprise.configuration.SecuritySettings;
import org.neo4j.server.security.enterprise.log.SecurityLog;

/* loaded from: input_file:org/neo4j/server/security/enterprise/auth/LdapRealm.class */
public class LdapRealm extends DefaultLdapRealm implements RealmLifecycle, ShiroAuthorizationInfoProvider {
    private static final String GROUP_DELIMITER = ";";
    private static final String KEY_VALUE_DELIMITER = "=";
    private static final String ROLE_DELIMITER = ",";
    public static final String LDAP_REALM = "ldap";
    private static final String JNDI_LDAP_CONNECT_TIMEOUT = "com.sun.jndi.ldap.connect.timeout";
    private static final String JNDI_LDAP_READ_TIMEOUT = "com.sun.jndi.ldap.read.timeout";
    private static final String JNDI_LDAP_CONNECTION_TIMEOUT_MESSAGE_PART = "timed out";
    private static final String JNDI_LDAP_READ_TIMEOUT_MESSAGE_PART = "timed out";
    public static final String LDAP_CONNECTION_TIMEOUT_CLIENT_MESSAGE = "LDAP connection timed out.";
    public static final String LDAP_READ_TIMEOUT_CLIENT_MESSAGE = "LDAP response timed out.";
    public static final String LDAP_AUTHORIZATION_FAILURE_CLIENT_MESSAGE = "LDAP authorization request failed.";
    public static final String LDAP_CONNECTION_REFUSED_CLIENT_MESSAGE = "LDAP connection refused.";
    private Boolean authenticationEnabled;
    private Boolean authorizationEnabled;
    private Boolean useStartTls;
    private boolean useSAMAccountName;
    private String userSearchBase;
    private String userSearchFilter;
    private List<String> membershipAttributeNames;
    private Boolean useSystemAccountForAuthorization;
    private Map<String, Collection<String>> groupToRoleMapping;
    private final SecurityLog securityLog;
    private final SecureHasher secureHasher;
    private static final String KEY_GROUP = "\\s*('(.+)'|\"(.+)\"|(\\S)|(\\S.*\\S))\\s*";
    private static final String VALUE_GROUP = "\\s*(.*)";
    private Pattern keyValuePattern = Pattern.compile("\\s*('(.+)'|\"(.+)\"|(\\S)|(\\S.*\\S))\\s*=\\s*(.*)");

    public LdapRealm(Config config, SecurityLog securityLog, SecureHasher secureHasher) {
        this.securityLog = securityLog;
        this.secureHasher = secureHasher;
        setName("ldap");
        setRolePermissionResolver(PredefinedRolesBuilder.rolePermissionResolver);
        configureRealm(config);
        if (isAuthenticationCachingEnabled()) {
            setCredentialsMatcher(secureHasher.getHashedCredentialsMatcher());
        } else {
            setCredentialsMatcher(new AllowAllCredentialsMatcher());
        }
    }

    private String withRealm(String str, Object... objArr) {
        return "{LdapRealm}: " + String.format(str, objArr);
    }

    private String server(JndiLdapContextFactory jndiLdapContextFactory) {
        return "'" + jndiLdapContextFactory.getUrl() + "'" + (this.useStartTls.booleanValue() ? " using StartTLS" : "");
    }

    protected AuthenticationInfo queryForAuthenticationInfo(AuthenticationToken authenticationToken, LdapContextFactory ldapContextFactory) throws NamingException {
        if (!this.authenticationEnabled.booleanValue()) {
            return null;
        }
        if (this.useSAMAccountName) {
            return queryForAuthenticationInfoSAM(authenticationToken, ldapContextFactory);
        }
        String server = server((JndiLdapContextFactory) ldapContextFactory);
        try {
            AuthenticationInfo queryForAuthenticationInfoUsingStartTls = this.useStartTls.booleanValue() ? queryForAuthenticationInfoUsingStartTls(authenticationToken, ldapContextFactory) : super.queryForAuthenticationInfo(authenticationToken, ldapContextFactory);
            this.securityLog.debug(withRealm("Authenticated user '%s' against %s", authenticationToken.getPrincipal(), server));
            return queryForAuthenticationInfoUsingStartTls;
        } catch (Exception e) {
            if (isExceptionAnLdapConnectionTimeout(e)) {
                throw new AuthProviderTimeoutException(LDAP_CONNECTION_TIMEOUT_CLIENT_MESSAGE, e);
            }
            if (isExceptionAnLdapReadTimeout(e)) {
                throw new AuthProviderTimeoutException(LDAP_READ_TIMEOUT_CLIENT_MESSAGE, e);
            }
            if (isExceptionConnectionRefused(e)) {
                throw new AuthProviderFailedException(LDAP_CONNECTION_REFUSED_CLIENT_MESSAGE, e);
            }
            throw e;
        }
    }

    protected AuthenticationInfo queryForAuthenticationInfoUsingStartTls(AuthenticationToken authenticationToken, LdapContextFactory ldapContextFactory) throws NamingException {
        Object ldapPrincipal = getLdapPrincipal(authenticationToken);
        Object credentials = authenticationToken.getCredentials();
        LdapContext ldapContext = null;
        try {
            ldapContext = getLdapContextUsingStartTls(ldapContextFactory, ldapPrincipal, credentials);
            AuthenticationInfo createAuthenticationInfo = createAuthenticationInfo(authenticationToken, ldapPrincipal, credentials, ldapContext);
            LdapUtils.closeContext(ldapContext);
            return createAuthenticationInfo;
        } catch (Throwable th) {
            LdapUtils.closeContext(ldapContext);
            throw th;
        }
    }

    private LdapContext getLdapContextUsingStartTls(LdapContextFactory ldapContextFactory, Object obj, Object obj2) throws NamingException {
        JndiLdapContextFactory jndiLdapContextFactory = (JndiLdapContextFactory) ldapContextFactory;
        Hashtable hashtable = new Hashtable();
        hashtable.put("java.naming.factory.initial", jndiLdapContextFactory.getContextFactoryClassName());
        hashtable.put("java.naming.provider.url", jndiLdapContextFactory.getUrl());
        LdapContext ldapContext = null;
        try {
            ldapContext = new InitialLdapContext(hashtable, (Control[]) null);
            ldapContext.extendedOperation(new StartTlsRequest()).negotiate();
            ldapContext.addToEnvironment("java.naming.security.authentication", jndiLdapContextFactory.getAuthenticationMechanism());
            ldapContext.addToEnvironment("java.naming.security.principal", obj);
            ldapContext.addToEnvironment("java.naming.security.credentials", obj2);
            return ldapContext;
        } catch (IOException e) {
            LdapUtils.closeContext(ldapContext);
            this.securityLog.error(withRealm("Failed to negotiate TLS connection with '%s': ", server(jndiLdapContextFactory), e));
            throw new CommunicationException(e.getMessage());
        } catch (Throwable th) {
            LdapUtils.closeContext(ldapContext);
            this.securityLog.error(withRealm("Unexpected failure to negotiate TLS connection with '%s': ", server(jndiLdapContextFactory), th));
            throw th;
        }
    }

    protected AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection principalCollection, LdapContextFactory ldapContextFactory) throws NamingException {
        String username;
        if (!this.authorizationEnabled.booleanValue() || (username = getUsername(principalCollection)) == null) {
            return null;
        }
        if (!this.useSystemAccountForAuthorization.booleanValue()) {
            AuthorizationInfo authorizationInfo = (AuthorizationInfo) getAuthorizationCache().get(username);
            if (authorizationInfo == null) {
                throw new AuthorizationExpiredException("LDAP authorization info expired.");
            }
            return authorizationInfo;
        }
        LdapContext systemLdapContextUsingStartTls = this.useStartTls.booleanValue() ? getSystemLdapContextUsingStartTls(ldapContextFactory) : ldapContextFactory.getSystemLdapContext();
        try {
            Set<String> findRoleNamesForUser = findRoleNamesForUser(username, systemLdapContextUsingStartTls);
            LdapUtils.closeContext(systemLdapContextUsingStartTls);
            return new SimpleAuthorizationInfo(findRoleNamesForUser);
        } catch (Throwable th) {
            LdapUtils.closeContext(systemLdapContextUsingStartTls);
            throw th;
        }
    }

    private String getUsername(PrincipalCollection principalCollection) {
        String str = null;
        Collection fromRealm = principalCollection.fromRealm(getName());
        if (!fromRealm.isEmpty()) {
            str = (String) fromRealm.iterator().next();
        } else if (this.useSystemAccountForAuthorization.booleanValue()) {
            str = (String) principalCollection.getPrimaryPrincipal();
        }
        return str;
    }

    private LdapContext getSystemLdapContextUsingStartTls(LdapContextFactory ldapContextFactory) throws NamingException {
        JndiLdapContextFactory jndiLdapContextFactory = (JndiLdapContextFactory) ldapContextFactory;
        return getLdapContextUsingStartTls(ldapContextFactory, jndiLdapContextFactory.getSystemUsername(), jndiLdapContextFactory.getSystemPassword());
    }

    protected AuthenticationInfo createAuthenticationInfo(AuthenticationToken authenticationToken, Object obj, Object obj2, LdapContext ldapContext) throws NamingException {
        if (this.authorizationEnabled.booleanValue() && !this.useSystemAccountForAuthorization.booleanValue()) {
            String str = (String) authenticationToken.getPrincipal();
            cacheAuthorizationInfo(str, findRoleNamesForUser(str, ldapContext));
        }
        if (!isAuthenticationCachingEnabled()) {
            return new ShiroAuthenticationInfo(authenticationToken.getPrincipal(), getName(), AuthenticationResult.SUCCESS);
        }
        SimpleHash hash = this.secureHasher.hash(((String) authenticationToken.getCredentials()).getBytes());
        return new ShiroAuthenticationInfo(authenticationToken.getPrincipal(), hash.getBytes(), hash.getSalt(), getName(), AuthenticationResult.SUCCESS);
    }

    public boolean supports(AuthenticationToken authenticationToken) {
        return supportsSchemeAndRealm(authenticationToken);
    }

    private boolean supportsSchemeAndRealm(AuthenticationToken authenticationToken) {
        try {
            if (!(authenticationToken instanceof ShiroAuthToken)) {
                return false;
            }
            ShiroAuthToken shiroAuthToken = (ShiroAuthToken) authenticationToken;
            if (shiroAuthToken.getScheme().equals("basic")) {
                if (shiroAuthToken.supportsRealm("ldap")) {
                    return true;
                }
            }
            return false;
        } catch (InvalidAuthTokenException e) {
            return false;
        }
    }

    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        try {
            AuthorizationInfo doGetAuthorizationInfo = super.doGetAuthorizationInfo(principalCollection);
            this.securityLog.debug(withRealm("Queried for authorization info for user '%s'", principalCollection.getPrimaryPrincipal()));
            return doGetAuthorizationInfo;
        } catch (AuthorizationException e) {
            this.securityLog.error(withRealm("Failed to get authorization info: '%s' caused by '%s'", e.getMessage(), e.getCause().getMessage()));
            if (isAuthorizationExceptionAnLdapReadTimeout(e)) {
                throw new AuthProviderTimeoutException(LDAP_READ_TIMEOUT_CLIENT_MESSAGE, e);
            }
            throw new AuthProviderFailedException(LDAP_AUTHORIZATION_FAILURE_CLIENT_MESSAGE, e);
        }
    }

    private boolean isExceptionAnLdapReadTimeout(Exception exc) {
        return (exc instanceof NamingException) && exc.getMessage().contains("timed out");
    }

    private boolean isExceptionAnLdapConnectionTimeout(Exception exc) {
        return (exc instanceof CommunicationException) && ((((CommunicationException) exc).getRootCause() instanceof SocketTimeoutException) || ((CommunicationException) exc).getRootCause().getMessage().contains("timed out"));
    }

    private boolean isExceptionConnectionRefused(Exception exc) {
        return (exc instanceof CommunicationException) && (((CommunicationException) exc).getRootCause() instanceof ConnectException);
    }

    private boolean isAuthorizationExceptionAnLdapReadTimeout(AuthorizationException authorizationException) {
        return authorizationException.getCause() != null && (authorizationException.getCause() instanceof NamingException) && authorizationException.getCause().getMessage().contains("timed out");
    }

    private void cacheAuthorizationInfo(String str, Set<String> set) {
        getAuthorizationCache().put(str, new SimpleAuthorizationInfo(set));
    }

    private void configureRealm(Config config) {
        JndiLdapContextFactory jndiLdapContextFactory = new JndiLdapContextFactory();
        Map environment = jndiLdapContextFactory.getEnvironment();
        Long valueOf = Long.valueOf(((Duration) config.get(SecuritySettings.ldap_connection_timeout)).toMillis());
        Long valueOf2 = Long.valueOf(((Duration) config.get(SecuritySettings.ldap_read_timeout)).toMillis());
        environment.put(JNDI_LDAP_CONNECT_TIMEOUT, valueOf.toString());
        environment.put(JNDI_LDAP_READ_TIMEOUT, valueOf2.toString());
        jndiLdapContextFactory.setEnvironment(environment);
        jndiLdapContextFactory.setUrl(parseLdapServerUrl((String) config.get(SecuritySettings.ldap_server)));
        jndiLdapContextFactory.setAuthenticationMechanism((String) config.get(SecuritySettings.ldap_authentication_mechanism));
        jndiLdapContextFactory.setReferral((String) config.get(SecuritySettings.ldap_referral));
        jndiLdapContextFactory.setSystemUsername((String) config.get(SecuritySettings.ldap_authorization_system_username));
        jndiLdapContextFactory.setSystemPassword((String) config.get(SecuritySettings.ldap_authorization_system_password));
        jndiLdapContextFactory.setPoolingEnabled(((Boolean) config.get(SecuritySettings.ldap_authorization_connection_pooling)).booleanValue());
        setContextFactory(jndiLdapContextFactory);
        String str = (String) config.get(SecuritySettings.ldap_authentication_user_dn_template);
        if (str != null) {
            setUserDnTemplate(str);
        }
        this.authenticationEnabled = (Boolean) config.get(SecuritySettings.ldap_authentication_enabled);
        this.authorizationEnabled = (Boolean) config.get(SecuritySettings.ldap_authorization_enabled);
        this.useStartTls = (Boolean) config.get(SecuritySettings.ldap_use_starttls);
        this.userSearchBase = (String) config.get(SecuritySettings.ldap_authorization_user_search_base);
        this.userSearchFilter = (String) config.get(SecuritySettings.ldap_authorization_user_search_filter);
        this.useSAMAccountName = ((Boolean) config.get(SecuritySettings.ldap_authentication_use_samaccountname)).booleanValue();
        this.membershipAttributeNames = (List) config.get(SecuritySettings.ldap_authorization_group_membership_attribute_names);
        this.useSystemAccountForAuthorization = (Boolean) config.get(SecuritySettings.ldap_authorization_use_system_account);
        this.groupToRoleMapping = parseGroupToRoleMapping((String) config.get(SecuritySettings.ldap_authorization_group_to_role_mapping));
        setAuthenticationCachingEnabled(((Boolean) config.get(SecuritySettings.ldap_authentication_cache_enabled)).booleanValue());
        setAuthorizationCachingEnabled(true);
    }

    private String parseLdapServerUrl(String str) {
        if (str == null) {
            return null;
        }
        return str.contains("://") ? str : "ldap://" + str;
    }

    private Map<String, Collection<String>> parseGroupToRoleMapping(String str) {
        HashMap hashMap = new HashMap();
        if (str != null) {
            for (String str2 : str.split(GROUP_DELIMITER)) {
                if (!str2.isEmpty()) {
                    Matcher matcher = this.keyValuePattern.matcher(str2);
                    if (!matcher.find() || matcher.groupCount() != 6) {
                        throw new IllegalArgumentException(String.format("Failed to parse setting %s: wrong number of fields", SecuritySettings.ldap_authorization_group_to_role_mapping.name()));
                    }
                    String group = matcher.group(2) != null ? matcher.group(2) : matcher.group(3) != null ? matcher.group(3) : matcher.group(4) != null ? matcher.group(4) : matcher.group(5) != null ? matcher.group(5) : "";
                    if (group.isEmpty()) {
                        throw new IllegalArgumentException(String.format("Failed to parse setting %s: empty group name", SecuritySettings.ldap_authorization_group_to_role_mapping.name()));
                    }
                    ArrayList arrayList = new ArrayList();
                    for (String str3 : matcher.group(6).trim().split(ROLE_DELIMITER)) {
                        if (!str3.isEmpty()) {
                            arrayList.add(str3);
                        }
                    }
                    hashMap.put(group.toLowerCase(), arrayList);
                }
            }
        }
        return hashMap;
    }

    private AuthenticationInfo queryForAuthenticationInfoSAM(AuthenticationToken authenticationToken, LdapContextFactory ldapContextFactory) throws NamingException {
        Object principal = authenticationToken.getPrincipal();
        Object credentials = authenticationToken.getCredentials();
        try {
            LdapContext systemLdapContextUsingStartTls = this.useStartTls.booleanValue() ? getSystemLdapContextUsingStartTls(ldapContextFactory) : ldapContextFactory.getSystemLdapContext();
            NamingEnumeration search = systemLdapContextUsingStartTls.search(this.userSearchBase, "sAMAccountName={0}", new Object[]{principal}, new SearchControls(2, 1L, 0, new String[]{"cn"}, false, false));
            if (!search.hasMore()) {
                throw new AuthenticationException("No user matching: " + principal);
            }
            String nameInNamespace = ((SearchResult) search.next()).getNameInNamespace();
            if (search.hasMore()) {
                this.securityLog.error("More than one user matching: " + principal);
                throw new AuthenticationException("More than one user matching: " + principal);
            }
            LdapUtils.closeContext(ldapContextFactory.getLdapContext(nameInNamespace, credentials));
            AuthenticationInfo createAuthenticationInfo = createAuthenticationInfo(authenticationToken, principal, credentials, systemLdapContextUsingStartTls);
            LdapUtils.closeContext(systemLdapContextUsingStartTls);
            return createAuthenticationInfo;
        } catch (Throwable th) {
            LdapUtils.closeContext((LdapContext) null);
            throw th;
        }
    }

    Set<String> findRoleNamesForUser(String str, LdapContext ldapContext) throws NamingException {
        LinkedHashSet linkedHashSet = new LinkedHashSet();
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(2);
        searchControls.setReturningAttributes((String[]) this.membershipAttributeNames.toArray(new String[1]));
        NamingEnumeration search = ldapContext.search(this.userSearchBase, this.userSearchFilter, new Object[]{str}, searchControls);
        if (search.hasMoreElements()) {
            SearchResult searchResult = (SearchResult) search.next();
            if (search.hasMoreElements()) {
                this.securityLog.warn(this.securityLog.isDebugEnabled() ? withRealm("LDAP user search for user principal '%s' is ambiguous. The first match that will be checked for group membership is '%s' but the search also matches '%s'. Please check your LDAP realm configuration.", str, searchResult.toString(), search.next().toString()) : withRealm("LDAP user search for user principal '%s' is ambiguous. The search matches more than one entry. Please check your LDAP realm configuration.", str));
            }
            Attributes attributes = searchResult.getAttributes();
            if (attributes != null) {
                NamingEnumeration all = attributes.getAll();
                while (all.hasMore()) {
                    Attribute attribute = (Attribute) all.next();
                    String id = attribute.getID();
                    Stream<String> stream = this.membershipAttributeNames.stream();
                    id.getClass();
                    if (stream.anyMatch(id::equalsIgnoreCase)) {
                        linkedHashSet.addAll(getRoleNamesForGroups(LdapUtils.getAllAttributeValues(attribute)));
                    }
                }
            }
        }
        return linkedHashSet;
    }

    private void assertValidUserSearchSettings() {
        boolean z = true;
        if (this.userSearchBase == null || this.userSearchBase.isEmpty()) {
            this.securityLog.error("LDAP user search base is empty.");
            z = false;
        }
        if (this.userSearchFilter == null || !this.userSearchFilter.contains("{0}")) {
            this.securityLog.warn("LDAP user search filter does not contain the argument placeholder {0}, so the search result will be independent of the user principal.");
        }
        if (this.membershipAttributeNames == null || this.membershipAttributeNames.isEmpty()) {
            this.securityLog.error("LDAP group membership attribute names are empty. Authorization will not be possible.");
            z = false;
        }
        if (!z) {
            throw new IllegalArgumentException("Illegal LDAP user search settings, see security log for details.");
        }
    }

    private Collection<String> getRoleNamesForGroups(Collection<String> collection) {
        ArrayList arrayList = new ArrayList();
        Iterator<String> it = collection.iterator();
        while (it.hasNext()) {
            Collection<String> collection2 = this.groupToRoleMapping.get(it.next().toLowerCase());
            if (collection2 != null) {
                arrayList.addAll(collection2);
            }
        }
        return arrayList;
    }

    Map<String, Collection<String>> getGroupToRoleMapping() {
        return this.groupToRoleMapping;
    }

    @Override // org.neo4j.server.security.enterprise.auth.RealmLifecycle
    public void initialize() {
        if (this.authorizationEnabled.booleanValue()) {
            assertValidUserSearchSettings();
        }
    }

    @Override // org.neo4j.server.security.enterprise.auth.RealmLifecycle
    public void start() {
    }

    @Override // org.neo4j.server.security.enterprise.auth.RealmLifecycle
    public void stop() {
    }

    @Override // org.neo4j.server.security.enterprise.auth.RealmLifecycle
    public void shutdown() {
    }

    @Override // org.neo4j.server.security.enterprise.auth.ShiroAuthorizationInfoProvider
    public AuthorizationInfo getAuthorizationInfoSnapshot(PrincipalCollection principalCollection) {
        return getAuthorizationInfo(principalCollection);
    }
}
