package sirius.web.security;

import com.google.common.collect.Sets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Hashtable;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;
import sirius.kernel.commons.Explain;
import sirius.kernel.di.std.Register;
import sirius.kernel.health.Exceptions;
import sirius.kernel.settings.Extension;
import sirius.web.http.WebContext;
import sirius.web.security.UserInfo;

/* loaded from: input_file:sirius/web/security/LDAPUserManager.class */
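/**
 * Authenticates users against an LDAP directory.
 * <p>
 * Login works in two steps: a simple bind with the principal {@code authPrefix + user + authSuffix}
 * and the supplied password, followed by a subtree search below {@code searchBase} for the entry
 * whose {@code nameAttribute} equals {@code searchPrefix + user + searchSuffix}. The values of the
 * attributes listed in {@code returnedAtts} (default {@code memberOf}) are interpreted as DNs and
 * their last RDN value becomes a role. A user is only accepted when the resulting permissions
 * contain every entry of {@code requiredRoles}.
 * <p>
 * All settings are read from the {@link Extension} passed to the constructor. Only the
 * {@code server} session storage is supported; {@code client} is rewritten with a warning.
 */
public class LDAPUserManager extends GenericUserManager {

    private static final String SESSION_STORAGE_CLIENT = "client";
    private static final String SESSION_STORAGE_SERVER = "server";

    private final String authPrefix;
    private final String authSuffix;
    private final String searchPrefix;
    private final String searchSuffix;
    private final String server;
    private final boolean useSSL;
    private final String objectClass;
    private final String nameAttribute;
    private final String[] returnedAtts;
    private final String searchBase;
    private final List<String> requiredRoles;

    /**
     * Creates {@link LDAPUserManager} instances for the {@code ldap} user manager type.
     */
    @Register(name = "ldap")
    public static class Factory implements UserManagerFactory {

        @Override
        @Nonnull
        public UserManager createManager(@Nonnull ScopeInfo scopeInfo, @Nonnull Extension extension) {
            return new LDAPUserManager(scopeInfo, extension);
        }
    }

    /**
     * Reads the LDAP configuration from the given extension.
     *
     * @param scopeInfo the scope this manager belongs to
     * @param extension the configuration block of the user manager
     */
    protected LDAPUserManager(ScopeInfo scopeInfo, Extension extension) {
        super(scopeInfo, extension);
        // auth* and search* each fall back to the generic prefix/suffix setting
        this.authPrefix = extension.get("authPrefix").asString(extension.get("prefix").asString());
        this.authSuffix = extension.get("authSuffix").asString(extension.get("suffix").asString());
        this.searchPrefix = extension.get("searchPrefix").asString(extension.get("prefix").asString());
        this.searchSuffix = extension.get("searchSuffix").asString(extension.get("suffix").asString());
        this.server = extension.get("server").asString();
        this.useSSL = extension.get("ssl").asBoolean(false);
        this.objectClass = extension.get("objectClass").asString("user");
        this.nameAttribute = extension.get("nameAttribute").asString("userPrincipalName");
        List<?> attributeNames =
                (List<?>) extension.get("returnedAtts").get(List.class, Collections.singletonList("memberOf"));
        this.returnedAtts = toStringList(attributeNames).toArray(new String[0]);
        this.searchBase = extension.get("searchBase").asString();
        List<?> roles = (List<?>) extension.get("requiredRoles").get(List.class, Collections.emptyList());
        this.requiredRoles = toStringList(roles);
        if (SESSION_STORAGE_CLIENT.equals(this.sessionStorage)) {
            UserContext.LOG.WARN(
                    "LDAPUserManager (ldap) for scope %s does not support 'client' as session type! Switching to 'server'.",
                    scopeInfo.getScopeType());
            this.sessionStorage = SESSION_STORAGE_SERVER;
        }
    }

    /**
     * Copies an untyped configuration list into an unmodifiable list of strings.
     *
     * @param values the raw list as returned by the settings API
     * @return an unmodifiable list holding {@code String.valueOf} of each element
     */
    private static List<String> toStringList(List<?> values) {
        List<String> result = new ArrayList<>(values.size());
        for (Object value : values) {
            result.add(String.valueOf(value));
        }
        return Collections.unmodifiableList(result);
    }

    /**
     * Lookup by name is not supported by this manager.
     *
     * @return always {@code null}
     */
    @Override
    public UserInfo findUserByName(WebContext webContext, String str) {
        return null;
    }

    /**
     * Binds to the directory with the given credentials and, on success, loads the user's entry
     * and group memberships.
     *
     * @param webContext the current request, used to decide whether it is trusted (may be null)
     * @param str        the login name entered by the user
     * @param str2       the password entered by the user
     * @return the authenticated user, or {@code null} if the name or password is empty, the bind
     * is rejected, no entry is found or a required role is missing
     * @throws sirius.kernel.health.HandledException for any other directory error
     */
    @Override
    public UserInfo findUserByCredentials(@Nullable WebContext webContext, String str, String str2) {
        // An empty password must never reach the bind: a simple bind with a DN and an empty
        // password is an "unauthenticated" bind (RFC 4513), which many servers accept without
        // checking anything, so the subsequent search would succeed without a valid password.
        if (str == null || str.isEmpty() || str2 == null || str2.isEmpty()) {
            return null;
        }
        try {
            // NOTE(review): the bind principal is built by plain concatenation; if authPrefix /
            // authSuffix form a DN rather than a UPN, the user part should be escaped with
            // javax.naming.ldap.Rdn.escapeValue — confirm against the deployment's format.
            String bindPrincipal = this.authPrefix + str + this.authSuffix;
            // The user-supplied part is escaped so it cannot alter the structure of the
            // search filter built in searchInDirectory (LDAP filter injection).
            String searchValue = this.searchPrefix + escapeFilterValue(str) + this.searchSuffix;
            log("User: %s, logonUser: %s, searchUser: %s", str, bindPrincipal, searchValue);
            DirContext context = createInitialContext(str2, bindPrincipal);
            try {
                NamingEnumeration<SearchResult> results = searchInDirectory(searchValue, context);
                if (!results.hasMoreElements()) {
                    return null;
                }
                // Only the first match is used; the directory is expected to hold one entry per name.
                SearchResult entry = results.next();
                log("Found user: %s", entry.getName());
                Set<String> permissions = computePermissions(entry, webContext);
                if (!permissions.containsAll(this.requiredRoles)) {
                    return null;
                }
                return UserInfo.Builder.createUser(str).withUsername(str).withPermissions(permissions).build();
            } finally {
                // DirContext is not AutoCloseable, hence the explicit finally
                context.close();
            }
        } catch (AuthenticationException e) {
            // Wrong password (or unknown bind DN) is a normal outcome, not an error
            log("Auth-Exception for %s: %s", str, e.getMessage());
            return null;
        } catch (Exception e) {
            throw Exceptions.handle(UserContext.LOG, e);
        }
    }

    /**
     * Escapes a value for use inside an LDAP search filter as defined by RFC 4515 section 3.
     * <p>
     * Backslash, asterisk, parentheses and NUL are replaced by their {@code \XX} hex form so the
     * value is matched literally and cannot introduce additional filter components.
     *
     * @param value the raw value
     * @return the escaped value, safe to embed in a filter assertion
     */
    static String escapeFilterValue(String value) {
        StringBuilder escaped = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\':
                    escaped.append("\\5c");
                    break;
                case '*':
                    escaped.append("\\2a");
                    break;
                case '(':
                    escaped.append("\\28");
                    break;
                case ')':
                    escaped.append("\\29");
                    break;
                case '\0':
                    escaped.append("\\00");
                    break;
                default:
                    escaped.append(c);
            }
        }
        return escaped.toString();
    }

    /**
     * Opens a connection to the configured server and performs a simple bind.
     *
     * @param password  the credentials to bind with
     * @param principal the principal to bind as
     * @return the bound context; the caller must close it
     * @throws NamingException if the connection or the bind fails (an
     *                         {@link AuthenticationException} for rejected credentials)
     */
    @Explain("Legacy collections are required here as InitialDirContext requires them.")
    private DirContext createInitialContext(String password, String principal) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, this.server);
        if (this.useSSL) {
            log("using ssl...");
            env.put(Context.SECURITY_PROTOCOL, "ssl");
        }
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    /**
     * Derives the permission set of a user from its directory entry.
     *
     * @param entry      the user's entry including the returned attributes
     * @param webContext the current request (may be null); a trusted request is passed on to
     *                   {@code transformRoles}
     * @return the transformed roles plus {@link UserInfo#PERMISSION_LOGGED_IN}
     */
    private Set<String> computePermissions(SearchResult entry, @Nullable WebContext webContext) {
        Set<String> roles = new TreeSet<>();
        Attributes attributes = entry.getAttributes();
        if (attributes != null) {
            extractRoles(roles, attributes);
        }
        boolean trusted = webContext != null && webContext.isTrusted();
        Set<String> permissions = transformRoles(roles, trusted);
        permissions.add(UserInfo.PERMISSION_LOGGED_IN);
        return permissions;
    }

    /**
     * Adds the last RDN value of every attribute value (e.g. {@code CN=Admins} of a group DN)
     * to the given set.
     * <p>
     * Extraction stops at the first value that is not a valid DN; roles collected so far are kept
     * and the error is reported via {@link Exceptions#handle}.
     *
     * @param roles      the set receiving the role names
     * @param attributes the attributes of the user's entry
     */
    private void extractRoles(Set<String> roles, Attributes attributes) {
        try {
            NamingEnumeration<? extends Attribute> attributeEnumeration = attributes.getAll();
            while (attributeEnumeration.hasMore()) {
                NamingEnumeration<?> valueEnumeration = attributeEnumeration.next().getAll();
                while (valueEnumeration.hasMore()) {
                    String groupDn = String.valueOf(valueEnumeration.next());
                    LdapName name = new LdapName(groupDn);
                    String role = String.valueOf(name.getRdn(name.size() - 1).getValue());
                    log("Found group: %s (%s)", groupDn, role);
                    roles.add(role);
                }
            }
        } catch (NamingException e) {
            Exceptions.handle(UserContext.LOG, e);
        }
    }

    /**
     * Searches the subtree below {@code searchBase} for entries of the configured object class
     * whose name attribute equals the given value.
     *
     * @param searchValue the already filter-escaped value to match against {@code nameAttribute}
     * @param context     the bound directory context
     * @return the matching entries, restricted to {@code returnedAtts}
     * @throws NamingException if the search fails
     */
    private NamingEnumeration<SearchResult> searchInDirectory(String searchValue, DirContext context)
            throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(this.returnedAtts);
        String filter = "(&(objectClass=" + this.objectClass + ")(" + this.nameAttribute + "=" + searchValue + "))";
        return context.search(this.searchBase, filter, controls);
    }

    /**
     * This manager keeps no backing object per user.
     *
     * @return always {@code null}
     */
    @Override
    protected Object getUserObject(UserInfo userInfo) {
        return null;
    }
}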
