package org.appng.core.service;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
import org.apache.batik.constants.XMLConstants;
import org.apache.commons.lang3.StringUtils;
import org.apache.uima.resource.JMSMessagingSpecifier;
import org.appng.api.model.Properties;
import org.appng.api.model.Site;
import org.appng.core.domain.SubjectImpl;
import org.quartz.impl.StdSchedulerFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/appng-core-1.23.5-SNAPSHOT.jar:org/appng/core/service/LdapService.class */
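/**
 * Authenticates users against an LDAP directory and resolves their group memberships.
 * <p>
 * All connection settings come from the {@link Site}'s {@link Properties} (see the
 * {@code LDAP_*} constants). A connection is either LDAPS ({@code ldapHost} starts with
 * {@code ldaps://}), STARTTLS ({@code ldapStartTls} set) or plain LDAP; in the last case the
 * bind credentials travel in cleartext and a warning is logged.
 * <p>
 * Security behaviour:
 * <ul>
 * <li>No bind is attempted with a blank username or an empty password. An LDAP simple bind
 * with an empty password is an anonymous/unauthenticated bind (RFC 4513 section 5.1) that many
 * servers accept, which would otherwise let {@link #loginUser} report success for a user who
 * supplied no password at all.</li>
 * <li>With {@code ldapPrincipalScheme=DN} the username is escaped according to RFC 4514 before
 * it is spliced into the bind DN, so directory metacharacters ({@code ,} {@code +} {@code \}
 * ...) cannot change the structure of the DN.</li>
 * <li>STARTTLS relies on the JSSE default hostname verification; no permissive
 * {@link HostnameVerifier} is installed, so a certificate that does not match
 * {@code ldapHost} aborts the connection instead of silently exposing the credentials.</li>
 * </ul>
 */
public class LdapService {
    private static final String CN_ATTRIBUTE = "cn";
    private static final String MEMBER_ATTRIBUTE = "member";
    private static final String MAIL_ATTRIBUTE = "mail";
    private static final String SAM_DOMAIN_SEPARATOR = "\\";
    /** Connect and read timeout (milliseconds) handed to the JNDI LDAP provider. */
    private static final String LDAP_NETWORK_TIMEOUTS = "8000";
    public static final String LDAP_DISABLED = "ldapDisabled";
    public static final String LDAP_DOMAIN = "ldapDomain";
    public static final String LDAP_GROUP_BASE_DN = "ldapGroupBaseDn";
    public static final String LDAP_HOST = "ldapHost";
    public static final String LDAP_ID_ATTRIBUTE = "ldapIdAttribute";
    public static final String LDAP_PASSWORD = "ldapPassword";
    public static final String LDAP_PRINCIPAL_SCHEME = "ldapPrincipalScheme";
    public static final String LDAP_START_TLS = "ldapStartTls";
    public static final String LDAP_USER = "ldapUser";
    public static final String LDAP_USER_BASE_DN = "ldapUserBaseDn";
    private static final Logger LOGGER = LoggerFactory.getLogger(LdapService.class);
    /** Loose shape check used to decide whether a configured service user is already a full DN. */
    private static final Pattern DN_PATTERN = Pattern.compile("^[a-z0-9+\"\\\\<>; \\n\\d]+?=.+?(,[a-z0-9+\"\\\\<>; \\n\\d]+?=.+?)+$");

    /** JNDI initial context factory; the default is the JDK's built-in LDAP provider. */
    private String ldapCtxFactory = "com.sun.jndi.ldap.LdapCtxFactory";

    /**
     * Bind material for one LDAP connection, derived from the site configuration and the
     * caller-supplied username/password.
     */
    private static final class LdapCredentials {
        private final String siteName;
        private final String principal;
        private final String password;
        private final String ldapHost;
        private final String baseDn;
        private final boolean useStartTls;
        private final String ctxFactory;

        /**
         * @param ctxFactory JNDI context factory class name
         * @param site       site whose {@code ldap*} properties are read
         * @param username   login name (or, with {@code allowDn}, possibly a full DN)
         * @param password   bind password; copied into a String because the JNDI environment is
         *                   String-keyed/String-valued here (kept as in the original)
         * @param allowDn    when {@code true} and {@code username} looks like a DN it is used
         *                   verbatim as the principal (service-account case)
         */
        private LdapCredentials(String ctxFactory, Site site, String username, char[] password, boolean allowDn) {
            Properties props = site.getProperties();
            this.ctxFactory = ctxFactory;
            this.siteName = site.getName();
            this.password = String.valueOf(password);
            this.ldapHost = props.getString(LDAP_HOST);
            this.baseDn = props.getString(LDAP_USER_BASE_DN);
            this.useStartTls = props.getBoolean(LDAP_START_TLS).booleanValue();
            this.principal = buildPrincipal(props, username, allowDn);
        }

        /** Derives the bind principal from the configured {@code ldapPrincipalScheme}. */
        private String buildPrincipal(Properties props, String username, boolean allowDn) {
            if (allowDn && DN_PATTERN.matcher(username).matches()) {
                return username;
            }
            String idAttribute = props.getString(LDAP_ID_ATTRIBUTE);
            String domain = props.getString(LDAP_DOMAIN);
            String scheme = props.getString(LDAP_PRINCIPAL_SCHEME);
            switch (scheme.toUpperCase(Locale.ROOT)) {
                case "DN":
                    // The username becomes an RDN value; escape it so it cannot introduce
                    // additional RDNs or otherwise alter the DN (RFC 4514 section 2.4).
                    return idAttribute + "=" + escapeDnValue(username) + "," + baseDn;
                case "UPN":
                    return username + "@" + domain;
                case "SAM":
                    return domain + SAM_DOMAIN_SEPARATOR + username;
                default:
                    LOGGER.info("Unknown keyword '{}' in site property '{}.{}'. Falling back to plain username '{}' as principal.", scheme, siteName, LDAP_PRINCIPAL_SCHEME, username);
                    return username;
            }
        }

        /**
         * Builds the JNDI environment for the initial context. With STARTTLS the context is
         * opened unauthenticated ({@code none}); the bind happens in {@link #addToContext} after
         * the TLS layer is negotiated, so the password never goes over the wire in the clear.
         */
        private java.util.Properties getLdapEnv() {
            java.util.Properties env = new java.util.Properties();
            env.put(Context.INITIAL_CONTEXT_FACTORY, ctxFactory);
            env.put(Context.PROVIDER_URL, ldapHost);
            env.put("com.sun.jndi.ldap.connect.timeout", LDAP_NETWORK_TIMEOUTS);
            env.put("com.sun.jndi.ldap.read.timeout", LDAP_NETWORK_TIMEOUTS);
            if (useStartTls) {
                env.put(Context.SECURITY_AUTHENTICATION, "none");
                return env;
            }
            if (!ldapHost.toLowerCase(Locale.ROOT).startsWith("ldaps://")) {
                LOGGER.warn("LDAP Configuration of site '{}' neither uses LDAP over SSL ('ldaps://') nor STARTTLS. Credentials will be transmitted as cleartext.", siteName);
            }
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, principal);
            env.put(Context.SECURITY_CREDENTIALS, password);
            return env;
        }

        /** Adds simple-bind credentials to an already open (STARTTLS-protected) context. */
        private void addToContext(LdapContext ctx) throws NamingException {
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, principal);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
        }
    }

    /**
     * An {@link LdapContext} that optionally upgrades the connection with STARTTLS before
     * binding, and tears both the TLS layer and the context down on {@link #close()}.
     */
    private static final class TlsAwareLdapContext implements AutoCloseable {
        private final LdapContext delegate;
        private StartTlsResponse tls;

        /**
         * Opens the context and, when configured, negotiates STARTTLS and re-binds with the
         * credentials. Hostname verification is deliberately left at the JSSE default; an
         * always-true verifier would accept any certificate and hand the credentials to a
         * man-in-the-middle. If negotiation or the bind fails the half-open connection is
         * closed before the exception propagates.
         */
        private TlsAwareLdapContext(LdapCredentials credentials) throws NamingException, IOException {
            this.delegate = new InitialLdapContext(credentials.getLdapEnv(), (Control[]) null);
            if (!credentials.useStartTls) {
                return;
            }
            try {
                StartTlsResponse response = (StartTlsResponse) delegate.extendedOperation(new StartTlsRequest());
                this.tls = response;
                response.negotiate();
                credentials.addToContext(delegate);
                delegate.reconnect((Control[]) null);
            } catch (NamingException | IOException | RuntimeException e) {
                close();
                throw e;
            }
        }

        @Override
        public void close() {
            if (tls != null) {
                try {
                    tls.close();
                } catch (IOException e) {
                    LOGGER.warn("error closing TLS connection", e);
                }
            }
            if (delegate != null) {
                try {
                    delegate.close();
                } catch (NamingException e) {
                    LOGGER.warn("error closing LDAP context", e);
                }
            }
        }
    }

    /** Overrides the JNDI initial context factory (mainly for tests). */
    public void setLdapCtxFactory(String ldapCtxFactory) {
        this.ldapCtxFactory = ldapCtxFactory;
    }

    /**
     * Authenticates {@code username}/{@code password} by binding to the directory.
     *
     * @return {@code true} if the bind succeeded and the configured base entry could be read;
     *         {@code false} if LDAP is disabled for the site, the username is blank, the
     *         password is empty, or the bind/read failed (the cause is logged, never thrown)
     */
    public boolean loginUser(Site site, String username, char[] password) {
        if (isLdapDisabled(site) || !hasUsableCredentials(site, username, password)) {
            return false;
        }
        LdapCredentials credentials = new LdapCredentials(ldapCtxFactory, site, username, password, false);
        try (TlsAwareLdapContext ctx = new TlsAwareLdapContext(credentials)) {
            // The bind is the actual authentication; reading the base entry is a cheap
            // round-trip proving the bound connection is usable.
            Properties props = site.getProperties();
            String baseDn = props.getString(LDAP_USER_BASE_DN);
            if (StringUtils.isBlank(baseDn)) {
                baseDn = props.getString(LDAP_GROUP_BASE_DN);
            }
            ctx.delegate.getAttributes(baseDn);
            return true;
        } catch (IOException | NamingException e) {
            logException(credentials.ldapHost, username, e);
            return false;
        }
    }

    /**
     * Authenticates the user and returns the subset of {@code groupNames} the user belongs to,
     * filling {@code subject} with name/realname/email from the first matching group entry.
     *
     * @return the matching group names, or an empty list if LDAP is disabled, the credentials
     *         are blank/empty, or the bind failed
     */
    public List<String> loginGroup(Site site, String username, char[] password, SubjectImpl subject, List<String> groupNames) {
        if (isLdapDisabled(site) || !hasUsableCredentials(site, username, password)) {
            return Collections.emptyList();
        }
        LdapCredentials credentials = new LdapCredentials(ldapCtxFactory, site, username, password, false);
        try (TlsAwareLdapContext ctx = new TlsAwareLdapContext(credentials)) {
            return getUserGroups(ctx.delegate, username, site, subject, groupNames);
        } catch (NamingException | IOException e) {
            logException(credentials.ldapHost, credentials.principal, e);
            return Collections.emptyList();
        }
    }

    /**
     * Lists the members of the named group using the site's service account
     * ({@code ldapUser}/{@code ldapPassword}).
     *
     * @return one {@link SubjectImpl} per resolvable member; empty if LDAP is disabled, the
     *         service account is not configured, or the lookup failed
     */
    public List<SubjectImpl> getMembersOfGroup(Site site, String groupName) {
        if (isLdapDisabled(site)) {
            return Collections.emptyList();
        }
        Properties props = site.getProperties();
        String serviceUser = props.getString(LDAP_USER);
        String servicePassword = props.getString(LDAP_PASSWORD);
        // Same rule as for interactive logins: never bind with empty credentials.
        char[] servicePasswordChars = servicePassword == null ? new char[0] : servicePassword.toCharArray();
        if (!hasUsableCredentials(site, serviceUser, servicePasswordChars)) {
            return Collections.emptyList();
        }
        LdapCredentials credentials = new LdapCredentials(ldapCtxFactory, site, serviceUser, servicePasswordChars, true);
        String idAttribute = props.getString(LDAP_ID_ATTRIBUTE);
        String groupDn = getGroupDn(groupName, props.getString(LDAP_GROUP_BASE_DN));
        List<SubjectImpl> members = new ArrayList<>();
        try (TlsAwareLdapContext ctx = new TlsAwareLdapContext(credentials)) {
            for (String memberDn : getGroupMembers(ctx.delegate, groupDn)) {
                Attributes attrs = getUserAttributes(ctx.delegate, memberDn, idAttribute);
                members.add(fillSubjectFromAttributes(new SubjectImpl(), idAttribute, attrs));
            }
        } catch (IOException | NamingException e) {
            logException(credentials.ldapHost, credentials.principal, e);
        }
        LOGGER.info("Found {} member(s) for group '{}'", Integer.valueOf(members.size()), groupDn);
        return members;
    }

    /**
     * Rejects blank usernames and empty passwords before any bind. An empty password turns a
     * simple bind into an anonymous/unauthenticated bind (RFC 4513 section 5.1), which would
     * otherwise look like a successful login.
     */
    private static boolean hasUsableCredentials(Site site, String username, char[] password) {
        if (StringUtils.isBlank(username) || password == null || password.length == 0) {
            LOGGER.info("Refusing LDAP bind for site '{}': username or password is empty.", site.getName());
            return false;
        }
        return true;
    }

    /** Checks each configured group and collects the ones the user is a member of. */
    private List<String> getUserGroups(LdapContext ctx, String username, Site site, SubjectImpl subject, List<String> groupNames) throws NamingException {
        Properties props = site.getProperties();
        String groupBaseDn = props.getString(LDAP_GROUP_BASE_DN);
        String idAttribute = props.getString(LDAP_ID_ATTRIBUTE);
        List<String> memberOf = new ArrayList<>();
        for (String groupName : groupNames) {
            if (checkGroupMembership(ctx, username, subject, groupBaseDn, idAttribute, groupName)) {
                memberOf.add(groupName);
            }
        }
        return memberOf;
    }

    /**
     * Walks the group's {@code member} DNs and compares each member's id attribute
     * (case-insensitively) with {@code username}. Lookup errors are logged and count as
     * "not a member" so one unreadable group does not abort the whole login.
     */
    private boolean checkGroupMembership(LdapContext ctx, String username, SubjectImpl subject, String groupBaseDn, String idAttribute, String groupName) throws NamingException {
        String groupDn = getGroupDn(groupName, groupBaseDn);
        try {
            for (String memberDn : getGroupMembers(ctx, groupDn)) {
                Attributes attrs = getUserAttributes(ctx, memberDn, idAttribute);
                if (username.equalsIgnoreCase(getAttribute(attrs, idAttribute))) {
                    fillSubjectFromAttributes(subject, idAttribute, attrs);
                    LOGGER.info("User '{}' ({}) is member of '{}'", username, memberDn, groupDn);
                    return true;
                }
            }
            return false;
        } catch (NamingException e) {
            LOGGER.info(String.format("Cannot evaluate group members of group '%s' (%s: %s)", groupDn, e.getClass().getName(), e.getMessage()));
            return false;
        }
    }

    /** Reads the id, {@code cn} and {@code mail} attributes of the entry at {@code userDn}. */
    private Attributes getUserAttributes(LdapContext ctx, String userDn, String idAttribute) throws NamingException {
        return ctx.getAttributes(userDn, new String[] { idAttribute, CN_ATTRIBUTE, MAIL_ATTRIBUTE });
    }

    private boolean isLdapDisabled(Site site) {
        return site.getProperties().getBoolean(LDAP_DISABLED).booleanValue();
    }

    /** Copies id attribute, {@code cn} and lower-cased {@code mail} into the subject. */
    private SubjectImpl fillSubjectFromAttributes(SubjectImpl subject, String idAttribute, Attributes attrs) throws NamingException {
        subject.setName(getAttribute(attrs, idAttribute));
        subject.setRealname(getAttribute(attrs, CN_ATTRIBUTE));
        subject.setEmail(StringUtils.lowerCase(getAttribute(attrs, MAIL_ATTRIBUTE)));
        return subject;
    }

    /** Returns the values of the group's {@code member} attribute (DNs), or an empty list. */
    private List<String> getGroupMembers(LdapContext ctx, String groupDn) throws NamingException {
        Attribute member = ctx.getAttributes(groupDn, new String[] { MEMBER_ATTRIBUTE }).get(MEMBER_ATTRIBUTE);
        List<String> members = new ArrayList<>();
        if (member != null) {
            NamingEnumeration<?> values = member.getAll();
            while (values.hasMoreElements()) {
                members.add((String) values.nextElement());
            }
        }
        return members;
    }

    /**
     * Builds {@code cn=<group>,<base>} or, without a base DN, uses the group name as-is.
     * NOTE(review): the group name is not escaped here because it comes from the site's own
     * configuration (the caller of {@link #loginGroup} is not visible in this file) and may
     * already be written in escaped form -- confirm before changing.
     */
    private String getGroupDn(String groupName, String groupBaseDn) {
        return StringUtils.isBlank(groupBaseDn) ? groupName : "cn=" + groupName + "," + groupBaseDn;
    }

    /** First value of the attribute, or {@code null} if the entry has no such attribute. */
    private String getAttribute(Attributes attrs, String name) throws NamingException {
        Attribute attribute = attrs.get(name);
        return attribute == null ? null : (String) attribute.get();
    }

    /**
     * Escapes a string for use as an attribute value inside a DN (RFC 4514 section 2.4):
     * {@code \ , + " < > ;} are backslash-escaped, a leading {@code #} or space and a
     * trailing space are backslash-escaped, and NUL becomes {@code \00}.
     *
     * @param value raw value, may be {@code null}
     * @return the escaped value, or {@code null} for {@code null} input
     */
    static String escapeDnValue(String value) {
        if (value == null) {
            return null;
        }
        int last = value.length() - 1;
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (int i = 0; i <= last; i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\':
                case ',':
                case '+':
                case '"':
                case '<':
                case '>':
                case ';':
                    sb.append('\\').append(c);
                    break;
                case '\0':
                    sb.append("\\00");
                    break;
                case '#':
                    if (i == 0) {
                        sb.append('\\');
                    }
                    sb.append(c);
                    break;
                case ' ':
                    if (i == 0 || i == last) {
                        sb.append('\\');
                    }
                    sb.append(c);
                    break;
                default:
                    sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Logs a failed LDAP operation. Authentication failures are phrased as login failures;
     * the full stack trace is only emitted at DEBUG. The password is never logged.
     */
    private void logException(String host, String principal, Exception exc) {
        String cause = "(" + exc.getClass().getName() + ": " + exc.getMessage() + ")";
        String message;
        if (exc instanceof AuthenticationException) {
            message = "failed to login user '" + principal + "' on host '" + host + "' " + cause;
        } else {
            message = "LDAP operation failed on host '" + host + "' with principal '" + principal + "' " + cause;
        }
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug(message, exc);
        } else if (LOGGER.isInfoEnabled()) {
            LOGGER.info(message);
        }
    }
}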
