package systems.dennis.auth.delegations.ldap;

import jakarta.servlet.http.HttpServletRequest;
import java.util.Date;
import java.util.Hashtable;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import systems.dennis.auth.client.LoginPassword;
import systems.dennis.auth.client.entity.UserData;
import systems.dennis.auth.config.AuthorizationDelegator;
import systems.dennis.auth.config.AuthorizeResponse;
import systems.dennis.auth.delegations.simple.AuthorizationAttemptProcessor;
import systems.dennis.auth.delegations.simple.UserTokenCreationParams;
import systems.dennis.auth.entity.ActiveToken;
import systems.dennis.auth.entity.LoginHistory;
import systems.dennis.auth.entity.RefreshToken;
import systems.dennis.auth.form.ChangePasswordForm;
import systems.dennis.auth.form.RegistrationForm;
import systems.dennis.auth.repository.ActiveTokensRepo;
import systems.dennis.auth.repository.LoginHistoryRepository;
import systems.dennis.auth.repository.UserDataRepository;
import systems.dennis.auth.role_validator.TokenProvider;
import systems.dennis.auth.service.AuthScopeService;
import systems.dennis.auth.service.LoginPasswordService;
import systems.dennis.auth.service.ProfilePageService;
import systems.dennis.auth.service.RefreshTokenService;
import systems.dennis.auth.service.UserInScopeService;
import systems.dennis.shared.auth_client.form.UserTokenDTO;
import systems.dennis.shared.config.WebContext;
import systems.dennis.shared.exceptions.AccessDeniedException;
import systems.dennis.shared.exceptions.AuthorizationFailedException;
import systems.dennis.shared.exceptions.ItemNotFoundException;
import systems.dennis.shared.model.IDPresenter;
import systems.dennis.shared.scopes.model.ScopeModel;
import systems.dennis.shared.scopes.service.ScopeService;
import systems.dennis.shared.servers.model.ServerConfig;
import systems.dennis.shared.servers.providers.ServerTypeProvider;
import systems.dennis.shared.servers.repository.ServerConfigRepo;

/* loaded from: input_file:systems/dennis/auth/delegations/ldap/LdapAuthorization.class */
public class LdapAuthorization implements AuthorizationAttemptProcessor, AuthorizationDelegator {
    private static final Logger log = LoggerFactory.getLogger(LdapAuthorization.class);

    @Override // systems.dennis.auth.delegations.simple.AuthorizationAttemptProcessor
    public <T extends UserTokenDTO> T authorize(LoginPassword loginPassword, WebContext.LocalWebContext localWebContext, ScopeModel scopeModel, boolean z) {
        ServerConfig ldapConfig = getLdapConfig(localWebContext);
        if (ldapConfig == null) {
            log.info(" NO LDAP CONFIG FOUND. return null");
            return null;
        }
        validateLoginPassword(loginPassword);
        try {
            UserData userInfo = getUserInfo(loginPassword.getLogin(), new InitialLdapContext(setupLdapParameters(ldapConfig, loginPassword), (Control[]) null), getSearchControls(), ldapConfig, localWebContext);
            checkUserInScope(userInfo, scopeModel, localWebContext);
            loginPassword = findOrSaveLoginPassword((LoginPasswordService) localWebContext.getBean(LoginPasswordService.class), loginPassword);
            return (T) createUserTokenDTO(new UserTokenCreationParams(userInfo, loginPassword, localWebContext, "LDAP"));
        } catch (NamingException e) {
            throw new AuthorizationFailedException(loginPassword.getLogin());
        }
    }

    private ServerConfig getLdapConfig(WebContext.LocalWebContext localWebContext) {
        return (ServerConfig) ((ServerConfigRepo) localWebContext.getBean(ServerConfigRepo.class)).filteredFirst(localWebContext.getDataFilterProvider().eq("active", true).and(localWebContext.getDataFilterProvider().eq("type", ServerTypeProvider.LDAP))).orElse(null);
    }

    private void validateLoginPassword(LoginPassword loginPassword) {
        if (loginPassword.getDomain() == null) {
            throw new AuthorizationFailedException("Domain is required for authorization");
        }
    }

    private Hashtable<Object, Object> setupLdapParameters(ServerConfig serverConfig, LoginPassword loginPassword) {
        Hashtable<Object, Object> hashtable = new Hashtable<>();
        hashtable.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        hashtable.put("java.naming.provider.url", "ldap://" + serverConfig.getHost() + ":" + serverConfig.getPort());
        hashtable.put("java.naming.security.authentication", "simple");
        hashtable.put("java.naming.referral", "follow");
        hashtable.put("java.naming.security.principal", loginPassword.getDomain() + "\\" + loginPassword.getLogin());
        hashtable.put("java.naming.security.credentials", loginPassword.getPassword());
        return hashtable;
    }

    private void checkUserInScope(UserData userData, ScopeModel scopeModel, WebContext.LocalWebContext localWebContext) {
        if (!((UserInScopeService) localWebContext.getBean(UserInScopeService.class)).isRelationExist(userData, scopeModel)) {
            throw new AuthorizationFailedException(userData.getLogin());
        }
    }

    private LoginPassword findOrSaveLoginPassword(LoginPasswordService loginPasswordService, LoginPassword loginPassword) {
        return loginPasswordService.findUserByLogin(loginPassword.getLogin()).orElseGet(() -> {
            return loginPasswordService.save(loginPassword);
        });
    }

    private static SearchControls getSearchControls() {
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(2);
        searchControls.setReturningAttributes(new String[]{"distinguishedName", "sn", "givenname", "mail", "telephonenumber", "thumbnailPhoto"});
        searchControls.setDerefLinkFlag(true);
        return searchControls;
    }

    private UserData getUserInfo(String str, InitialLdapContext initialLdapContext, SearchControls searchControls, ServerConfig serverConfig, WebContext.LocalWebContext localWebContext) {
        NamingEnumeration search;
        System.out.println("*** " + str + " ***");
        UserData orElse = ((UserDataRepository) localWebContext.getBean(UserDataRepository.class)).findByLogin(str).orElse(new UserData());
        try {
            search = initialLdapContext.search(serverConfig.getServerParam(), "sAMAccountName=" + str, searchControls);
        } catch (Exception e) {
            e.printStackTrace();
        } catch (AuthorizationFailedException e2) {
            throw e2;
        }
        if (!search.hasMore()) {
            throw new AuthorizationFailedException("User had successfully logged in, but there is no info in LDAP about user" + str);
        }
        Attributes attributes = ((SearchResult) search.next()).getAttributes();
        orElse.setLogin(str);
        orElse.setEmail(getValue(attributes.get("mail")));
        orElse.setName(getValue(attributes.get("givenname")) + " " + getValue(attributes.get("sn")));
        orElse.setPhone(getValue(attributes.get("telephonenumber")));
        orElse.setEmail(getValue(attributes.get("mail")));
        orElse = ((UserDataRepository) localWebContext.getBean(UserDataRepository.class)).save(orElse);
        search.close();
        return orElse;
    }

    private String getValue(Attribute attribute) {
        try {
            return String.valueOf(attribute.get());
        } catch (Exception e) {
            return "";
        }
    }

    @Override // systems.dennis.auth.delegations.simple.AuthorizationAttemptProcessor
    public <T extends UserData> T createUser(LoginPassword loginPassword, WebContext.LocalWebContext localWebContext) {
        return null;
    }

    @Override // systems.dennis.auth.delegations.simple.AuthorizationAttemptProcessor
    public void saveLoginAttempt(UserTokenDTO userTokenDTO, WebContext.LocalWebContext localWebContext) {
        IDPresenter loginHistory = new LoginHistory();
        log.debug("TRacing Login history started");
        loginHistory.setUserDataId((Long) localWebContext.getCurrentUser());
        loginHistory.setToken(userTokenDTO.getToken());
        loginHistory.setRefreshToken(userTokenDTO.getRefreshToken());
        loginHistory.setAuthorizationType("LDAP");
        loginHistory.setLogin(userTokenDTO.getUserData().getLogin());
        ((LoginHistoryRepository) localWebContext.getBean(LoginHistoryRepository.class)).save(loginHistory);
    }

    @Override // systems.dennis.auth.config.AuthorizationDelegator
    public AuthorizeResponse authorize(HttpServletRequest httpServletRequest, LoginPassword loginPassword, WebContext.LocalWebContext localWebContext, boolean z) {
        UserData orElseThrow = ((ProfilePageService) localWebContext.getBean(ProfilePageService.class)).findByLogin(loginPassword.getLogin()).orElseThrow(() -> {
            return ItemNotFoundException.fromId(loginPassword.getLogin());
        });
        ScopeModel scopeFromRequest = ((AuthScopeService) localWebContext.getBean(AuthScopeService.class)).getScopeFromRequest(httpServletRequest, orElseThrow.getId(), false);
        ((ProfilePageService) localWebContext.getBean(ProfilePageService.class)).checkVerifiedUser(orElseThrow, scopeFromRequest);
        return AuthorizeResponse.of(authorize(loginPassword, localWebContext, scopeFromRequest, z), false);
    }

    @Override // systems.dennis.auth.config.AuthorizationDelegator
    public AuthorizeResponse refreshToken(HttpServletRequest httpServletRequest, String str, WebContext.LocalWebContext localWebContext) {
        RefreshToken findByToken = ((RefreshTokenService) localWebContext.getBean(RefreshTokenService.class)).findByToken(str);
        ProfilePageService profilePageService = (ProfilePageService) localWebContext.getBean(ProfilePageService.class);
        UserData userData = (UserData) profilePageService.filteredFirst(profilePageService.getFilterImpl().id(findByToken.getUserDataId()).and(profilePageService.getNotDeletedQuery())).orElseThrow(() -> {
            return ItemNotFoundException.fromId(findByToken.getUserDataId());
        });
        ((RefreshTokenService) localWebContext.getBean(RefreshTokenService.class)).validateRefreshToken(findByToken, ((ScopeService) localWebContext.getBean(ScopeService.class)).findByName(httpServletRequest.getHeader(AuthorizationDelegator.AUTH_SCOPE_HEADER), userData.getId(), true));
        return authorize(httpServletRequest, ((LoginPasswordService) localWebContext.getBean(LoginPasswordService.class)).findUserByLogin(userData.getLogin()).orElseThrow(() -> {
            return ItemNotFoundException.fromId("Login Password not found: " + userData.getLogin());
        }), localWebContext, true);
    }

    @Override // systems.dennis.auth.config.AuthorizationDelegator
    public boolean shouldAuthorize(HttpServletRequest httpServletRequest, WebContext.LocalWebContext localWebContext) {
        if ("LDAP".equals(httpServletRequest.getHeader(AuthorizationDelegator.AUTH_TYPE_HEADER))) {
            log.debug("Header AUTH-TYPE declares to use VirtualUserAuth");
            return true;
        }
        log.debug("Header AUTH-TYPE declares not to use VirtualUserAuth");
        return false;
    }

    @Override // systems.dennis.auth.config.AuthorizationDelegator
    public boolean blockUser(boolean z, Long l, WebContext.LocalWebContext localWebContext) {
        UserDataRepository userDataRepository = (UserDataRepository) localWebContext.getBean(UserDataRepository.class);
        userDataRepository.save((UserData) userDataRepository.findById(l).orElseThrow(() -> {
            return ItemNotFoundException.fromId(l);
        }));
        for (ActiveToken activeToken : ((ActiveTokensRepo) localWebContext.getBean(ActiveTokensRepo.class)).findByUserDataIdAndActiveIsTrueAndDueGreaterThan(l, new Date())) {
            logout(activeToken.getToken(), localWebContext, activeToken.getScope());
        }
        return true;
    }

    @Override // systems.dennis.auth.config.AuthorizationDelegator
    public boolean logout(String str, WebContext.LocalWebContext localWebContext, ScopeModel scopeModel) {
        ((TokenProvider) localWebContext.getBean(TokenProvider.class)).removeAuthToken(str, "VIRTUAL", scopeModel);
        return true;
    }

    @Override // systems.dennis.auth.config.AuthorizationDelegator
    public boolean register(RegistrationForm registrationForm, WebContext.LocalWebContext localWebContext, ScopeModel scopeModel, Long l) {
        throw new AccessDeniedException("User can not be registered in LDAP");
    }

    @Override // systems.dennis.auth.config.AuthorizationDelegator
    public void validate(UserTokenDTO userTokenDTO, WebContext.LocalWebContext localWebContext) {
        userTokenDTO.validate(localWebContext);
    }

    @Override // systems.dennis.auth.config.AuthorizationDelegator
    public boolean changePassword(HttpServletRequest httpServletRequest, WebContext.LocalWebContext localWebContext, ChangePasswordForm changePasswordForm, ScopeModel scopeModel) {
        throw new AccessDeniedException("User can not be changed in LDAP");
    }

    @Override // systems.dennis.auth.config.AuthorizationDelegator
    public String forgetPassword(HttpServletRequest httpServletRequest, WebContext.LocalWebContext localWebContext, String str) {
        throw new AccessDeniedException("User can not restore password in LDAP");
    }
}
