package org.yamcs.security;

import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Set;
import javax.naming.AuthenticationException;
import javax.naming.NameNotFoundException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Rdn;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.yamcs.YConfiguration;

/* loaded from: input_file:org/yamcs/security/LdapRealm.class */
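/**
 * {@link Realm} backed by an LDAP directory.
 *
 * <p>Username/password tokens are authenticated by binding to the directory as
 * {@code uid=<user>,<userPath>}; certificate tokens are authenticated by locating a
 * user entry whose {@code userCertificate} attribute holds the presented certificate
 * byte-for-byte. Roles are the {@code groupOfNames}-style entries under {@code rolePath}
 * that list the user DN as {@code member}; privileges are looked up the same way under
 * the five configured privilege paths.
 *
 * <p>Connection settings and all base DNs come from the {@code privileges} section of
 * {@link YConfiguration} (see the static initializer).
 *
 * <p>Security notes:
 * <ul>
 *   <li>User-supplied names are escaped (RFC 4514) before being placed in a DN, and LDAP
 *       search filters are parameterized, so a login name cannot inject extra RDNs or
 *       filter terms.</li>
 *   <li>A bind with an empty password is rejected before it reaches the server: an LDAP
 *       "unauthenticated" simple bind is accepted as anonymous by many servers and must
 *       never count as a successful login.</li>
 * </ul>
 */
public class LdapRealm implements Realm {
    public static String tmParaPrivPath;
    public static String tmParaSetPrivPath;
    public static String tmPacketPrivPath;
    public static String tcPrivPath;
    public static String systemPrivPath;
    public static String rolePath;
    public static String userPath;
    /** JNDI environment for the anonymous (no credentials) connection used for lookups. */
    static final Hashtable<String, String> contextEnv = new Hashtable<>();
    static Logger log = LoggerFactory.getLogger(LdapRealm.class);

    private static final String USER_CERT_ATTR = "userCertificate";
    /** Some servers return the certificate under the ";binary" transfer option. */
    private static final String USER_CERT_BINARY_ATTR = "userCertificate;binary";

    /**
     * Builds the DN of a user entry.
     *
     * @param uid the login name; escaped per RFC 4514 so that a value such as
     *            {@code "x,ou=admins"} cannot add RDN components to the DN
     * @return {@code uid=<escaped uid>,<userPath>}
     */
    private static String userDn(String uid) {
        // String.valueOf keeps the historical "uid=null,..." result for a null principal
        // instead of throwing from Rdn.escapeValue.
        return "uid=" + Rdn.escapeValue(String.valueOf(uid)) + "," + userPath;
    }

    /**
     * DN of the entry backing {@code user}, or {@code null} when the user carries no
     * authentication token or no principal.
     */
    private String getUserDn(User user) {
        AuthenticationToken token = user.getAuthenticationToken();
        if (token == null || token.getPrincipal() == null) {
            return null;
        }
        return userDn(token.getPrincipal().toString());
    }

    /** Exactly {@link UsernamePasswordToken} and {@link CertificateToken} are handled (no subclasses). */
    @Override
    public boolean supports(AuthenticationToken authenticationToken) {
        Class<?> type = authenticationToken.getClass();
        return type == UsernamePasswordToken.class || type == CertificateToken.class;
    }

    /**
     * Authenticates the token against the directory.
     *
     * @return {@code true} only for a supported, non-null token with a principal that the
     *         directory accepts; any LDAP error yields {@code false}
     */
    @Override
    public boolean authenticates(AuthenticationToken authenticationToken) {
        if (authenticationToken == null || authenticationToken.getPrincipal() == null) {
            return false;
        }
        Class<?> type = authenticationToken.getClass();
        if (type == UsernamePasswordToken.class) {
            return authenticateUsernamePassword((UsernamePasswordToken) authenticationToken);
        }
        if (type == CertificateToken.class) {
            return authenticateCertificate((CertificateToken) authenticationToken);
        }
        log.error("Authentication Token of type {} is not supported by LDAP realm.", type);
        return false;
    }

    /**
     * Accepts the token when a user entry under {@code userPath} stores the presented
     * certificate (DER bytes equal) in its {@code userCertificate} attribute.
     *
     * <p>NOTE(review): this is a membership check only. Certificate chain validation,
     * expiry and revocation are not verified here; presumably the TLS layer that produced
     * the {@link CertificateToken} did that - confirm before relying on this realm alone.
     */
    private boolean authenticateCertificate(CertificateToken certificateToken) {
        X509Certificate cert = certificateToken.getCert();
        if (cert == null) {
            log.warn("Certificate token carries no certificate; cannot authenticate against LDAP.");
            return false;
        }
        byte[] encoded;
        try {
            encoded = cert.getEncoded();
        } catch (CertificateEncodingException e) {
            log.warn("got CertificateEncodingException when encoding certificate: {}", cert, e);
            return false;
        }
        InitialDirContext ctx = null;
        NamingEnumeration<SearchResult> results = null;
        try {
            ctx = new InitialDirContext(contextEnv);
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(new String[]{USER_CERT_ATTR});
            results = ctx.search(userPath, USER_CERT_ATTR + "=*", controls);
            while (results.hasMore()) {
                if (entryHoldsCertificate(results.next(), encoded)) {
                    return true;
                }
            }
            return false;
        } catch (NamingException e) {
            log.error("Unable to authenticate this X509Certificate certificate against LDAP.", e);
            return false;
        } finally {
            closeQuietly(results);
            closeQuietly(ctx);
        }
    }

    /**
     * @return {@code true} when one of the entry's {@code userCertificate} values is
     *         byte-equal to {@code encoded}; non-binary values never match
     */
    private static boolean entryHoldsCertificate(SearchResult entry, byte[] encoded) throws NamingException {
        Attribute attr = entry.getAttributes().get(USER_CERT_BINARY_ATTR);
        if (attr == null) {
            attr = entry.getAttributes().get(USER_CERT_ATTR);
        }
        if (attr == null) {
            return false;
        }
        for (int i = 0; i < attr.size(); i++) {
            Object value = attr.get(i);
            // A certificate is public data, so a constant-time compare is not required here.
            if (value instanceof byte[] && Arrays.equals(encoded, (byte[]) value)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Authenticates by performing an LDAP simple bind as the user's DN with the supplied
     * password; the bind itself is the credential check.
     *
     * @return {@code true} when the bind succeeds; {@code false} for a missing/empty
     *         username or password, a rejected bind, or any other LDAP error
     */
    private boolean authenticateUsernamePassword(UsernamePasswordToken usernamePasswordToken) {
        String username = usernamePasswordToken.getUsername();
        String password = usernamePasswordToken.getPasswordS();
        // A simple bind with an empty password is an "unauthenticated bind" (RFC 4513 5.1.2),
        // which many directories accept as anonymous. Treating that as success would let a
        // caller log in as any user without a password, so refuse it before contacting LDAP.
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            log.warn("User '{}' not authenticated with LDAP; empty username or password.", username);
            return false;
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put("java.naming.factory.initial", contextEnv.get("java.naming.factory.initial"));
        env.put("java.naming.provider.url", contextEnv.get("java.naming.provider.url"));
        env.put("com.sun.jndi.ldap.connect.pool", "true");
        env.put("java.naming.security.authentication", "simple");
        env.put("java.naming.security.principal", userDn(username));
        env.put("java.naming.security.credentials", password);
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            return true;
        } catch (AuthenticationException e) {
            // Must be caught before NamingException (its supertype): wrong credentials.
            log.warn("User '{}' not authenticated with LDAP; Could not bind with supplied username and password.", username);
            return false;
        } catch (NamingException e) {
            log.warn("User '{}' not authenticated with LDAP; An LDAP error was caught: {}", username, e);
            return false;
        } finally {
            closeQuietly(ctx);
        }
    }

    /**
     * Builds a {@link User} for the token: roles from {@code rolePath}, privileges from
     * the five privilege paths, then the authentication result.
     *
     * @return the user, with {@code roles == null} and no privileges when the role lookup
     *         fails or finds nothing; {@code null} when the directory cannot be reached or
     *         privilege loading fails
     */
    @Override
    public User loadUser(AuthenticationToken authenticationToken) {
        User user = new User(authenticationToken);
        user.lastUpdated = System.currentTimeMillis();
        InitialDirContext ctx;
        try {
            ctx = new InitialDirContext(contextEnv);
        } catch (NamingException e) {
            log.error("Could not open LDAP context to load user '{}'", user.getPrincipalName(), e);
            return null;
        }
        try {
            Set<String> roleDns;
            try {
                roleDns = loadRoles(ctx, userDn(user.getPrincipalName()));
            } catch (NamingException e) {
                log.error("Could not load LDAP roles for user '{}'", user.getPrincipalName(), e);
                return user; // roles stay null; no privileges are loaded
            }
            user.roles = ldapRolesToRoles(roleDns);
            if (user.roles == null) {
                return user;
            }
            user.tmParaPrivileges = loadPrivileges(ctx, roleDns, tmParaPrivPath, "groupOfNames", "cn");
            user.tmPacketPrivileges = loadPrivileges(ctx, roleDns, tmPacketPrivPath, "groupOfNames", "cn");
            user.tcPrivileges = loadPrivileges(ctx, roleDns, tcPrivPath, "groupOfNames", "cn");
            user.systemPrivileges = loadPrivileges(ctx, roleDns, systemPrivPath, "groupOfNames", "cn");
            user.tmParaSetPrivileges = loadPrivileges(ctx, roleDns, tmParaSetPrivPath, "groupOfNames", "cn");
        } catch (NamingException e) {
            log.error("Could not load LDAP privileges for user '{}'", user.getPrincipalName(), e);
            return null;
        } finally {
            closeQuietly(ctx);
        }
        // Roles and privileges are populated even when authentication fails; callers are
        // presumably expected to check the authenticated flag before honouring them - confirm.
        user.setAuthenticated(authenticates(authenticationToken));
        log.debug("got user from ldap: {}", user);
        return user;
    }

    /**
     * Extracts the role name (the {@code cn} value) from each role DN of the form
     * {@code cn=<role>,ou=...}; DNs that do not match are logged and skipped.
     *
     * @return {@code null} iff {@code roleDns} is {@code null}
     */
    private Set<String> ldapRolesToRoles(Set<String> roleDns) {
        if (roleDns == null) {
            return null;
        }
        Set<String> roles = new HashSet<>();
        for (String dn : roleDns) {
            int start = dn.indexOf("cn=");
            int end = dn.indexOf(",ou=");
            if (start < 0 || end < start + 3) {
                log.error("Unable to extract role from LDAP search result: {}", dn);
                continue;
            }
            roles.add(dn.substring(start + 3, end));
        }
        return roles;
    }

    /**
     * Reads the {@code member} values of the {@code cn=assertedIdentities} entry under
     * {@code basePath}.
     *
     * @param basePath parent DN; concatenated unescaped, so it must not be user input
     *                 (presumably a configured path - confirm at the caller)
     * @return the member DNs, or {@code null} when the entry does not exist or has no members
     */
    Set<String> loadAssertedIdentities(DirContext dirContext, String basePath) throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[]{"member"});
        NamingEnumeration<SearchResult> results = null;
        try {
            results = dirContext.search("cn=assertedIdentities, " + basePath, "member=*", controls);
            if (!results.hasMore()) {
                return null;
            }
            Attribute member = results.next().getAttributes().get("member");
            if (member == null) {
                return null;
            }
            Set<String> identities = new HashSet<>();
            for (int i = 0; i < member.size(); i++) {
                identities.add((String) member.get(i));
            }
            return identities;
        } catch (NameNotFoundException e) {
            return null;
        } finally {
            closeQuietly(results);
        }
    }

    /**
     * Finds the role entries under {@code rolePath} whose {@code member} attribute
     * contains {@code userDn}.
     *
     * @return the role DNs, or {@code null} when there are none (callers use that to
     *         skip privilege loading)
     */
    Set<String> loadRoles(DirContext dirContext, String userDn) throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[]{"cn"});
        // The DN is passed as a filter argument so JNDI applies RFC 4515 escaping.
        NamingEnumeration<SearchResult> results = dirContext.search(rolePath, "member={0}", new Object[]{userDn}, controls);
        try {
            if (!results.hasMore()) {
                return null;
            }
            Set<String> roleDns = new HashSet<>();
            while (results.hasMore()) {
                roleDns.add(results.next().getNameInNamespace());
            }
            return roleDns;
        } finally {
            closeQuietly(results);
        }
    }

    /**
     * Collects the {@code nameAttr} value of every entry under {@code basePath} of class
     * {@code objectClass} whose {@code member} attribute contains any of {@code roleDns}.
     *
     * @param objectClass spliced into the filter unescaped; callers pass a constant
     * @return the privilege names; empty when {@code roleDns} is {@code null} or empty
     *         (an {@code (|)} with no operands is not a valid filter)
     */
    Set<String> loadPrivileges(DirContext dirContext, Set<String> roleDns, String basePath, String objectClass, String nameAttr) throws NamingException {
        Set<String> privileges = new HashSet<>();
        if (roleDns == null || roleDns.isEmpty()) {
            return privileges;
        }
        Object[] filterArgs = roleDns.toArray();
        StringBuilder filter = new StringBuilder("(&(objectClass=").append(objectClass).append(")(|");
        for (int i = 0; i < filterArgs.length; i++) {
            filter.append("(member={").append(i).append("})");
        }
        filter.append("))");
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[]{nameAttr});
        NamingEnumeration<SearchResult> results = dirContext.search(basePath, filter.toString(), filterArgs, controls);
        try {
            while (results.hasMore()) {
                Attribute name = results.next().getAttributes().get(nameAttr);
                if (name != null) {
                    privileges.add((String) name.get());
                }
            }
        } finally {
            closeQuietly(results);
        }
        return privileges;
    }

    public String getUserPath() {
        return userPath;
    }

    /** Closes the context, logging rather than propagating a failure to close. */
    private static void closeQuietly(DirContext ctx) {
        if (ctx == null) {
            return;
        }
        try {
            ctx.close();
        } catch (NamingException e) {
            log.error("Error closing LDAP context", e);
        }
    }

    /** Closes a search result enumeration, logging rather than propagating a failure to close. */
    private static void closeQuietly(NamingEnumeration<?> results) {
        if (results == null) {
            return;
        }
        try {
            results.close();
        } catch (NamingException e) {
            log.debug("Error closing LDAP search results", e);
        }
    }

    static {
        YConfiguration configuration = YConfiguration.getConfiguration("privileges");
        String ldapHost = configuration.getString("ldaphost");
        userPath = configuration.getString("userPath");
        rolePath = configuration.getString("rolePath");
        systemPrivPath = configuration.getString("systemPath");
        tmParaPrivPath = configuration.getString("tmParameterPath");
        tmParaSetPrivPath = configuration.getString("tmParameterSetPath");
        tmPacketPrivPath = configuration.getString("tmPacketPath");
        tcPrivPath = configuration.getString("tcPath");
        contextEnv.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        // A bare host[:port] gets the historical plain "ldap://" scheme, which sends bind
        // passwords in cleartext. A value that already carries a scheme (e.g. "ldaps://host:636")
        // is used verbatim so a deployment can opt into TLS without a code change.
        String providerUrl = (ldapHost != null && ldapHost.contains("://")) ? ldapHost : "ldap://" + ldapHost;
        contextEnv.put("java.naming.provider.url", providerUrl);
        contextEnv.put("com.sun.jndi.ldap.connect.pool", "true");
    }
}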
