package pl.edu.icm.unity.ldap;

import com.unboundid.ldap.sdk.Attribute;
import com.unboundid.ldap.sdk.DN;
import com.unboundid.ldap.sdk.DereferencePolicy;
import com.unboundid.ldap.sdk.ExtendedResult;
import com.unboundid.ldap.sdk.FailoverServerSet;
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionOptions;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.RDN;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;
import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest;
import eu.emi.security.authn.x509.X509Credential;
import eu.emi.security.authn.x509.impl.X500NameUtils;
import eu.unicore.security.canl.SSLContextCreator;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.log4j.Logger;
import pl.edu.icm.unity.ldap.LdapClientConfiguration;
import pl.edu.icm.unity.server.authn.remote.RemoteAttribute;
import pl.edu.icm.unity.server.authn.remote.RemoteGroupMembership;
import pl.edu.icm.unity.server.authn.remote.RemoteIdentity;
import pl.edu.icm.unity.server.authn.remote.RemotelyAuthenticatedInput;
import pl.edu.icm.unity.server.utils.Log;

/* loaded from: input_file:pl/edu/icm/unity/ldap/LdapClient.class */
public class LdapClient {
    private static final Logger log = Log.getLogger("unity.server.ldap", LdapClient.class);
    public static final String ORIGINAL_GROUP_NAME = "originalGroupName";
    private String idpName;

    public LdapClient(String str) {
        this.idpName = str;
    }

    public RemotelyAuthenticatedInput bindAndSearch(String str, String str2, LdapClientConfiguration ldapClientConfiguration) throws LDAPException, LdapAuthenticationException, KeyManagementException, NoSuchAlgorithmException {
        LDAPConnection createConnection = createConnection(ldapClientConfiguration);
        String establishUserDN = establishUserDN(str, ldapClientConfiguration, createConnection);
        log.debug("Established user's DN is: " + establishUserDN);
        bindAsUser(createConnection, establishUserDN, str2, ldapClientConfiguration);
        if (ldapClientConfiguration.isBindOnly()) {
            RemotelyAuthenticatedInput remotelyAuthenticatedInput = new RemotelyAuthenticatedInput(this.idpName);
            remotelyAuthenticatedInput.addIdentity(new RemoteIdentity(establishUserDN, "x500Name"));
            return remotelyAuthenticatedInput;
        }
        if (!ldapClientConfiguration.isBindAsUser()) {
            bindAsSystem(createConnection, ldapClientConfiguration);
        }
        SearchResultEntry findBaseEntry = findBaseEntry(ldapClientConfiguration, establishUserDN, createConnection);
        RemotelyAuthenticatedInput assembleBaseResult = assembleBaseResult(findBaseEntry);
        findGroupsMembership(createConnection, findBaseEntry, ldapClientConfiguration, assembleBaseResult.getGroups());
        performAdditionalQueries(createConnection, ldapClientConfiguration, str, assembleBaseResult);
        createConnection.close();
        return assembleBaseResult;
    }

    public RemotelyAuthenticatedInput search(String str, LdapClientConfiguration ldapClientConfiguration) throws LDAPException, LdapAuthenticationException, KeyManagementException, NoSuchAlgorithmException {
        if (ldapClientConfiguration.isBindAsUser()) {
            log.error("LDAP verification of externaly verified credentials (as TLS verified certificates) can be only performed when the LDAP subsystem is configured to bind with a system credential");
            throw new LdapAuthenticationException("Can't authenticate");
        }
        LDAPConnection createConnection = createConnection(ldapClientConfiguration);
        String establishUserDN = establishUserDN(str, ldapClientConfiguration, createConnection);
        log.debug("Established user's DN is: " + establishUserDN);
        if (ldapClientConfiguration.isBindOnly()) {
            RemotelyAuthenticatedInput remotelyAuthenticatedInput = new RemotelyAuthenticatedInput(this.idpName);
            remotelyAuthenticatedInput.addIdentity(new RemoteIdentity(establishUserDN, "x500Name"));
            return remotelyAuthenticatedInput;
        }
        bindAsSystem(createConnection, ldapClientConfiguration);
        SearchResultEntry findBaseEntry = findBaseEntry(ldapClientConfiguration, establishUserDN, createConnection);
        RemotelyAuthenticatedInput assembleBaseResult = assembleBaseResult(findBaseEntry);
        findGroupsMembership(createConnection, findBaseEntry, ldapClientConfiguration, assembleBaseResult.getGroups());
        performAdditionalQueries(createConnection, ldapClientConfiguration, str, assembleBaseResult);
        createConnection.close();
        return assembleBaseResult;
    }

    private String establishUserDN(String str, LdapClientConfiguration ldapClientConfiguration, LDAPConnection lDAPConnection) throws LDAPException, LdapAuthenticationException {
        SearchSpecification searchForUserSpec = ldapClientConfiguration.getSearchForUserSpec();
        if (searchForUserSpec == null) {
            return ldapClientConfiguration.getBindDN(str);
        }
        bindAsSystem(lDAPConnection, ldapClientConfiguration);
        SearchResult performSearch = performSearch(lDAPConnection, searchForUserSpec, str, ldapClientConfiguration.getSearchTimeLimit(), ldapClientConfiguration.getAttributesLimit(), ldapClientConfiguration.getDereferencePolicy());
        if (performSearch.getEntryCount() == 0) {
            log.debug("Search for the user DN returned no results");
            throw new LdapAuthenticationException("User was not found");
        }
        if (performSearch.getEntryCount() <= 1) {
            return ((SearchResultEntry) performSearch.getSearchEntries().get(0)).getDN();
        }
        log.debug("Search for the user DN returned moe than one results");
        throw new LdapAuthenticationException("Too many users found");
    }

    private LDAPConnection createConnection(LdapClientConfiguration ldapClientConfiguration) throws KeyManagementException, NoSuchAlgorithmException, LDAPException {
        FailoverServerSet failoverServerSet;
        LDAPConnectionOptions lDAPConnectionOptions = new LDAPConnectionOptions();
        lDAPConnectionOptions.setConnectTimeoutMillis(ldapClientConfiguration.getSocketConnectTimeout());
        lDAPConnectionOptions.setFollowReferrals(ldapClientConfiguration.isFollowReferral());
        lDAPConnectionOptions.setReferralHopLimit(ldapClientConfiguration.getReferralHopCount());
        lDAPConnectionOptions.setResponseTimeoutMillis(ldapClientConfiguration.getSocketReadTimeout());
        if (ldapClientConfiguration.getConnectionMode() == LdapClientConfiguration.ConnectionMode.SSL) {
            failoverServerSet = new FailoverServerSet(ldapClientConfiguration.getServers(), ldapClientConfiguration.getPorts(), SSLContextCreator.createSSLContext((X509Credential) null, ldapClientConfiguration.getTlsValidator(), "TLS", "LDAP client", log).getSocketFactory(), lDAPConnectionOptions);
        } else {
            failoverServerSet = new FailoverServerSet(ldapClientConfiguration.getServers(), ldapClientConfiguration.getPorts(), lDAPConnectionOptions);
        }
        LDAPConnection connection = failoverServerSet.getConnection();
        log.debug("Established connection to LDAP server");
        if (ldapClientConfiguration.getConnectionMode() == LdapClientConfiguration.ConnectionMode.startTLS) {
            ExtendedResult processExtendedOperation = connection.processExtendedOperation(new StartTLSExtendedRequest(SSLContextCreator.createSSLContext((X509Credential) null, ldapClientConfiguration.getTlsValidator(), "TLSv1.2", "LDAP client", log)));
            if (processExtendedOperation.getResultCode() != ResultCode.SUCCESS) {
                connection.close();
                throw new LDAPException(processExtendedOperation.getResultCode(), "Unable to esablish a secure TLS connection to the LDAP server: " + processExtendedOperation.toString());
            }
            log.debug("Connection upgraded to TLS");
        }
        return connection;
    }

    private void bindAsUser(LDAPConnection lDAPConnection, String str, String str2, LdapClientConfiguration ldapClientConfiguration) throws LdapAuthenticationException, LDAPException {
        try {
            lDAPConnection.bind(str, str2);
            log.debug("LDAP bind as user " + str + " was successful");
        } catch (LDAPException e) {
            if (!ResultCode.INVALID_CREDENTIALS.equals(e.getResultCode())) {
                throw e;
            }
            log.debug("LDAP bind as user " + str + " was not successful - invalid password");
            throw new LdapAuthenticationException("Wrong username or credentials", e);
        }
    }

    private void bindAsSystem(LDAPConnection lDAPConnection, LdapClientConfiguration ldapClientConfiguration) throws LdapAuthenticationException, LDAPException {
        try {
            lDAPConnection.bind(ldapClientConfiguration.getSystemDN(), ldapClientConfiguration.getSystemPassword());
            log.debug("LDAP bind as system user was successful");
        } catch (LDAPException e) {
            if (!ResultCode.INVALID_CREDENTIALS.equals(e.getResultCode())) {
                throw e;
            }
            throw new LdapAuthenticationException("Wrong username or credentials of the system LDAP client (system, not the ones provided by the user)", e);
        }
    }

    private SearchResultEntry findBaseEntry(LdapClientConfiguration ldapClientConfiguration, String str, LDAPConnection lDAPConnection) throws LdapAuthenticationException, LDAPException {
        String[] queriedAttributes = ldapClientConfiguration.getQueriedAttributes();
        SearchScope searchScope = ldapClientConfiguration.getSearchScope();
        int searchTimeLimit = ldapClientConfiguration.getSearchTimeLimit();
        SearchResultEntry searchEntry = lDAPConnection.search(new SearchRequest(str, searchScope, ldapClientConfiguration.getDereferencePolicy(), ldapClientConfiguration.getAttributesLimit(), searchTimeLimit, false, ldapClientConfiguration.getValidUsersFilter(), queriedAttributes)).getSearchEntry(str);
        if (searchEntry == null) {
            throw new LdapAuthenticationException("User is not matching the valid users filter");
        }
        return searchEntry;
    }

    private RemotelyAuthenticatedInput assembleBaseResult(SearchResultEntry searchResultEntry) {
        RemotelyAuthenticatedInput remotelyAuthenticatedInput = new RemotelyAuthenticatedInput(this.idpName);
        for (Attribute attribute : searchResultEntry.getAttributes()) {
            remotelyAuthenticatedInput.addAttribute(new RemoteAttribute(attribute.getBaseName(), attribute.getValues()));
        }
        remotelyAuthenticatedInput.addIdentity(new RemoteIdentity(searchResultEntry.getDN(), "x500Name"));
        return remotelyAuthenticatedInput;
    }

    private void findGroupsMembership(LDAPConnection lDAPConnection, SearchResultEntry searchResultEntry, LdapClientConfiguration ldapClientConfiguration, Map<String, RemoteGroupMembership> map) throws LDAPException {
        if (nonEmpty(ldapClientConfiguration.getMemberOfAttribute())) {
            findMemberOfGroups(map, searchResultEntry, ldapClientConfiguration);
        }
        if (nonEmpty(ldapClientConfiguration.getGroupsBaseName())) {
            searchGroupsForMember(lDAPConnection, map, searchResultEntry, ldapClientConfiguration);
        }
    }

    private void searchGroupsForMember(LDAPConnection lDAPConnection, Map<String, RemoteGroupMembership> map, SearchResultEntry searchResultEntry, LdapClientConfiguration ldapClientConfiguration) throws LDAPException {
        String groupsBaseName = ldapClientConfiguration.getGroupsBaseName();
        List<GroupSpecification> groupSpecifications = ldapClientConfiguration.getGroupSpecifications();
        HashMap hashMap = new HashMap(groupSpecifications.size());
        StringBuilder sb = new StringBuilder(128);
        sb.append("(|");
        HashSet hashSet = new HashSet();
        hashSet.add(LdapProperties.GROUP_DEFINITION_OC);
        for (GroupSpecification groupSpecification : groupSpecifications) {
            String objectClass = groupSpecification.getObjectClass();
            sb.append("(objectClass=").append(objectClass).append(")");
            hashMap.put(objectClass, groupSpecification);
            if (nonEmpty(groupSpecification.getMemberAttribute())) {
                hashSet.add(groupSpecification.getMemberAttribute());
            }
            if (nonEmpty(groupSpecification.getGroupNameAttribute())) {
                hashSet.add(groupSpecification.getGroupNameAttribute());
            }
        }
        sb.append(")");
        try {
            for (SearchResultEntry searchResultEntry2 : lDAPConnection.search(new SearchRequest(groupsBaseName, SearchScope.SUB, ldapClientConfiguration.getDereferencePolicy(), ldapClientConfiguration.getAttributesLimit(), ldapClientConfiguration.getSearchTimeLimit(), false, Filter.create(sb.toString()), (String[]) hashSet.toArray(new String[hashSet.size()]))).getSearchEntries()) {
                String[] objectClassValues = searchResultEntry2.getObjectClassValues();
                int length = objectClassValues.length;
                int i = 0;
                while (true) {
                    if (i >= length) {
                        break;
                    }
                    GroupSpecification groupSpecification2 = (GroupSpecification) hashMap.get(objectClassValues[i]);
                    if (groupSpecification2 != null) {
                        findMemberInGroup(map, searchResultEntry, searchResultEntry2, groupSpecification2);
                        break;
                    }
                    i++;
                }
            }
        } catch (LDAPException e) {
            throw new LDAPException(e.getResultCode(), "Specification of group object class is wrong. Unable to create a filter, which was: " + ((Object) sb), e);
        }
    }

    private void findMemberInGroup(Map<String, RemoteGroupMembership> map, SearchResultEntry searchResultEntry, SearchResultEntry searchResultEntry2, GroupSpecification groupSpecification) {
        String value;
        Attribute attribute = searchResultEntry2.getAttribute(groupSpecification.getMemberAttribute());
        if (attribute == null) {
            return;
        }
        String[] values = attribute.getValues();
        if (!nonEmpty(groupSpecification.getMatchByMemberAttribute())) {
            for (String str : values) {
                if (X500NameUtils.equal(str, searchResultEntry.getDN())) {
                    RemoteGroupMembership createGroupMembership = createGroupMembership(searchResultEntry2.getDN(), groupSpecification.getGroupNameAttribute());
                    if (createGroupMembership != null) {
                        map.put(createGroupMembership.getName(), createGroupMembership);
                        return;
                    }
                    return;
                }
            }
            return;
        }
        Attribute attribute2 = searchResultEntry.getAttribute(groupSpecification.getMatchByMemberAttribute());
        if (attribute2 == null || (value = attribute2.getValue()) == null) {
            return;
        }
        for (String str2 : values) {
            if (str2.equals(value)) {
                RemoteGroupMembership createGroupMembership2 = createGroupMembership(searchResultEntry2.getDN(), groupSpecification.getGroupNameAttribute());
                if (createGroupMembership2 != null) {
                    map.put(createGroupMembership2.getName(), createGroupMembership2);
                    return;
                }
                return;
            }
        }
    }

    private void findMemberOfGroups(Map<String, RemoteGroupMembership> map, SearchResultEntry searchResultEntry, LdapClientConfiguration ldapClientConfiguration) {
        Attribute attribute = searchResultEntry.getAttribute(ldapClientConfiguration.getMemberOfAttribute());
        if (attribute != null) {
            String[] values = attribute.getValues();
            String memberOfGroupAttribute = ldapClientConfiguration.getMemberOfGroupAttribute();
            for (String str : values) {
                RemoteGroupMembership createGroupMembership = createGroupMembership(str, memberOfGroupAttribute);
                if (createGroupMembership != null) {
                    map.put(createGroupMembership.getName(), createGroupMembership);
                }
            }
        }
    }

    private RemoteGroupMembership createGroupMembership(String str, String str2) {
        String extractNameFromDn = nonEmpty(str2) ? extractNameFromDn(str2, str) : str;
        if (extractNameFromDn == null) {
            return null;
        }
        RemoteGroupMembership remoteGroupMembership = new RemoteGroupMembership(extractNameFromDn);
        remoteGroupMembership.getMetadata().put(ORIGINAL_GROUP_NAME, str);
        return remoteGroupMembership;
    }

    private void performAdditionalQueries(LDAPConnection lDAPConnection, LdapClientConfiguration ldapClientConfiguration, String str, RemotelyAuthenticatedInput remotelyAuthenticatedInput) throws LDAPException {
        int searchTimeLimit = ldapClientConfiguration.getSearchTimeLimit();
        int attributesLimit = ldapClientConfiguration.getAttributesLimit();
        DereferencePolicy dereferencePolicy = ldapClientConfiguration.getDereferencePolicy();
        Iterator<SearchSpecification> it = ldapClientConfiguration.getExtraSearches().iterator();
        while (it.hasNext()) {
            consolidateAttributes(performSearch(lDAPConnection, it.next(), str, searchTimeLimit, attributesLimit, dereferencePolicy), remotelyAuthenticatedInput);
        }
    }

    private SearchResult performSearch(LDAPConnection lDAPConnection, SearchSpecification searchSpecification, String str, int i, int i2, DereferencePolicy dereferencePolicy) throws LDAPException {
        String[] attributes = searchSpecification.getAttributes();
        Filter filter = searchSpecification.getFilter(str);
        String baseDN = searchSpecification.getBaseDN(str);
        SearchScope internalScope = searchSpecification.getScope().getInternalScope();
        log.debug("Performing LDAP search filter: [" + filter + "] base: [" + baseDN + "] scope: [" + internalScope + "]");
        return lDAPConnection.search(new SearchRequest(baseDN, internalScope, dereferencePolicy, i2, i, false, filter, attributes));
    }

    private void consolidateAttributes(SearchResult searchResult, RemotelyAuthenticatedInput remotelyAuthenticatedInput) {
        HashMap hashMap = new HashMap();
        Iterator it = searchResult.getSearchEntries().iterator();
        while (it.hasNext()) {
            for (Attribute attribute : ((SearchResultEntry) it.next()).getAttributes()) {
                Set set = (Set) hashMap.get(attribute.getName());
                if (set == null) {
                    set = new LinkedHashSet();
                    hashMap.put(attribute.getName(), set);
                }
                Collections.addAll(set, attribute.getValues());
            }
        }
        for (Map.Entry entry : hashMap.entrySet()) {
            remotelyAuthenticatedInput.addAttribute(new RemoteAttribute((String) entry.getKey(), ((Set) entry.getValue()).toArray()));
        }
    }

    private static String extractNameFromDn(String str, String str2) {
        try {
            for (RDN rdn : DN.getRDNs(str2)) {
                String[] attributeNames = rdn.getAttributeNames();
                String[] attributeValues = rdn.getAttributeValues();
                if (attributeNames.length == 1 && attributeValues.length == 1 && attributeNames[0].equals(str)) {
                    return attributeValues[0];
                }
            }
            return null;
        } catch (LDAPException e) {
            log.warn("Found a string which is not a DN, what was expected. Most probably the LDAP configuration is invalid wrt the schema used by the LDAP server. Expected as DN: " + str2, e);
            return null;
        }
    }

    private static boolean nonEmpty(String str) {
        return (str == null || str.isEmpty()) ? false : true;
    }
}
