package com.erudika.para.server.security.filters;

import com.erudika.para.core.App;
import com.erudika.para.core.User;
import com.erudika.para.core.utils.Config;
import com.erudika.para.core.utils.CoreUtils;
import com.erudika.para.core.utils.Para;
import com.erudika.para.core.utils.Utils;
import com.erudika.para.server.security.AuthenticatedUserDetails;
import com.erudika.para.server.security.LDAPAuthentication;
import com.erudika.para.server.security.SecurityUtils;
import com.erudika.para.server.security.UserAuthentication;
import java.io.IOException;
import java.util.Collection;
import java.util.Collections;
import java.util.Optional;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.config.Elements;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.ldap.userdetails.InetOrgPerson;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;

/* loaded from: input_file:BOOT-INF/lib/para-server-1.48.2.jar:com/erudika/para/server/security/filters/LdapAuthFilter.class */
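/**
 * Spring Security processing filter that authenticates a user against an LDAP or Active
 * Directory server and maps the directory entry onto a local {@link User} account.
 * <p>
 * Requests whose URI ends with {@link #LDAP_ACTION} and that carry both the configured
 * username and password parameters are bound against the directory through the filter's
 * {@code AuthenticationManager}. On success the resulting {@link InetOrgPerson} is turned
 * into a {@link User} (created on first login, refreshed on later logins) and wrapped in a
 * {@link UserAuthentication}. All paths end in {@link SecurityUtils#checkIfActive}.
 * <p>
 * Points a maintainer should be aware of:
 * <ul>
 *   <li>Role elevation in {@link #getGroupsFromDN} is a case-insensitive <em>substring</em>
 *       match of the configured {@code mods}/{@code admins} group nodes against the user's DN
 *       and against the names of the authorities the directory returned. A configured node
 *       that is a prefix of another directory name (e.g. {@code CN=Admins} vs.
 *       {@code CN=Admins-ReadOnly}) matches both, so the configured nodes must be unambiguous
 *       within the directory.</li>
 *   <li>When the directory has no mail attribute an address is synthesized from the username
 *       (see {@link #getOrCreateUser(App, Authentication)}). That address is persisted on the
 *       user record and must not be treated as a verified contact.</li>
 *   <li>The raw username parameter is handed to {@link LDAPAuthentication} unescaped; whether
 *       it is escaped before being placed in a DN or search filter depends on that class and
 *       the configured provider, which are outside this file -- confirm there.</li>
 *   <li>Groups are recomputed from the directory on every login, so a local group change made
 *       in Para is replaced by the directory-derived value at the next LDAP login.</li>
 * </ul>
 */
public class LdapAuthFilter extends AbstractAuthenticationProcessingFilter {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) LdapAuthFilter.class);
    public static final String LDAP_ACTION = "ldap_auth";

    /** App settings consulted while mapping a directory entry onto a local user. */
    private static final String SETTING_AD_DOMAIN = "security.ldap.active_directory_domain";
    private static final String SETTING_USERNAME_AS_NAME = "security.ldap.username_as_name";
    private static final String SETTING_MODS_NODE = "security.ldap.mods_group_node";
    private static final String SETTING_ADMINS_NODE = "security.ldap.admins_group_node";

    /** Fallback mail domain used when neither the directory nor the app config provides one. */
    private static final String FALLBACK_MAIL_DOMAIN = "@paraio.com";

    /**
     * Creates the filter.
     *
     * @param str the URL pattern this filter processes (passed to the superclass)
     */
    public LdapAuthFilter(String str) {
        super(str);
    }

    /**
     * Authenticates an LDAP login request.
     * <p>
     * Only requests whose URI ends with {@link #LDAP_ACTION} and that contain non-blank
     * username and password parameters are bound against the directory; any other request
     * is passed to {@link SecurityUtils#checkIfActive} with a {@code null} authentication.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response (unused here)
     * @return whatever {@link SecurityUtils#checkIfActive} returns for the mapped user
     * @throws AuthenticationServiceException when the bind or the user mapping fails, or when
     *         the app named in the request cannot be read
     */
    @Override // org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        String requestURI = httpServletRequest.getRequestURI();
        UserAuthentication userAuth = null;
        String username = httpServletRequest.getParameter(Para.getConfig().ldapUsernameParameter());
        String password = httpServletRequest.getParameter(Para.getConfig().ldapPasswordParameter());
        String appidFromRequest = SecurityUtils.getAppidFromAuthRequest(httpServletRequest);
        if (requestURI.endsWith(LDAP_ACTION) && !StringUtils.isBlank(username) && !StringUtils.isBlank(password)) {
            try {
                String appid = appidFromRequest == null ? Para.getConfig().getRootAppIdentifier() : appidFromRequest;
                App app = (App) Para.getDAO().read(App.id(appid));
                if (app == null) {
                    // Fail closed before touching the directory: without an app there is no
                    // tenant to create the user in and no settings to map groups with.
                    throw new AuthenticationServiceException("Authentication failed: unknown app.");
                }
                Authentication ldapResult = bindToLdap(app, username, password);
                if (ldapResult != null) {
                    userAuth = getOrCreateUser(app, ldapResult);
                } else {
                    LOG.error("LDAP authentication failed.");
                }
            } catch (Exception e) {
                LOG.info("Failed to authenticate '{}' with LDAP server: {}", username, e.getMessage());
                // Keep the exception itself as the cause so the stack trace survives; the original
                // passed e.getCause(), which is usually null for provider exceptions. Note that
                // e.getMessage() may carry directory error text; the failure handler decides
                // whether that reaches the client.
                throw new AuthenticationServiceException(e.getMessage(), e);
            }
        }
        return SecurityUtils.checkIfActive(userAuth, SecurityUtils.getAuthenticatedUser(userAuth), true);
    }

    /**
     * Performs the LDAP bind for the given credentials on behalf of {@code app}.
     *
     * @param app      the app the login is for
     * @param username the username as supplied by the caller (not escaped here)
     * @param password the password as supplied by the caller
     * @return the token returned by the authentication manager, possibly {@code null}
     */
    private Authentication bindToLdap(App app, String username, String password) {
        LDAPAuthentication ldapAuth = new LDAPAuthentication(username, password).withApp(app);
        // The security context is reset to an anonymous principal before binding. Presumably this
        // prevents the provider (or DAO calls it makes) from running under a stale, previously
        // authenticated context -- confirm against LDAPAuthentication / SecurityUtils.
        SecurityContextHolder.getContext().setAuthentication(
                new AnonymousAuthenticationToken("key", Elements.ANONYMOUS, AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS")));
        return getAuthenticationManager().authenticate(ldapAuth);
    }

    /**
     * Maps a successful LDAP authentication onto a local {@link User}, creating it on first
     * login and refreshing email, display name and groups on later logins.
     * <p>
     * Returns {@code null} (and logs at ERROR) when the principal is missing, is not an
     * {@link InetOrgPerson}, or the directory reports the account as disabled, locked or
     * expired (account or credentials).
     *
     * @param app            the app the user belongs to; {@code null} yields {@code null}
     * @param authentication the token returned by the authentication manager
     * @return the authenticated local user, or {@code null} when no account could be mapped
     * @throws AuthenticationServiceException when a brand-new user cannot be persisted
     */
    private UserAuthentication getOrCreateUser(App app, Authentication authentication) {
        LOG.debug("LDAP response: {}", authentication);
        if (authentication == null) {
            return null;
        }
        if (app == null) {
            LOG.error("Failed to create account - no app given for LDAP principal.");
            return null;
        }
        Object principal = authentication.getPrincipal();
        if (!(principal instanceof InetOrgPerson)) {
            // Fail closed instead of letting a ClassCastException decide the outcome.
            LOG.error("Failed to create account - unexpected LDAP principal type: {}",
                    principal == null ? null : principal.getClass().getName());
            return null;
        }
        InetOrgPerson person = (InetOrgPerson) principal;
        if (!isAccountUsable(person)) {
            LOG.error("Failed to create account - is the LDAP user active? principal={}", person);
            return null;
        }

        String username = person.getUsername();
        String displayName = StringUtils.join(person.getCn(), ", ");
        String adDomain = (String) app.getSetting(SETTING_AD_DOMAIN);
        String groups = getGroupsFromDN(person.getDn(), authoritiesAsCnList(person), app);
        String mail = resolveEmail(person, adDomain);

        if (Boolean.parseBoolean(String.valueOf(app.getSetting(SETTING_USERNAME_AS_NAME)))) {
            // Use the local part of the (possibly synthesized) address as the display name.
            displayName = mail.split("@")[0];
        }

        String identifier = Config.LDAP_PREFIX.concat(username);
        User probe = new User();
        probe.setAppid(getAppid(app));
        probe.setIdentifier(identifier);
        probe.setEmail(mail);

        User existing = User.readUserForIdentifier(probe);
        if (existing == null) {
            existing = new User();
            existing.setActive(true);
            existing.setAppid(getAppid(app));
            existing.setEmail(mail);
            existing.setGroups(groups);
            existing.setName(StringUtils.isBlank(displayName) ? "No Name" : displayName);
            // Directory users never log in with a local password; a random token keeps the
            // field non-empty without creating a usable credential.
            existing.setPassword(Utils.generateSecurityToken());
            existing.setIdentifier(identifier);
            if (existing.create() == null) {
                throw new AuthenticationServiceException("Authentication failed: cannot create new user.");
            }
        } else if (updateUserInfo(existing, mail, displayName, groups)) {
            existing.update();
        }
        return new UserAuthentication(new AuthenticatedUserDetails(existing));
    }

    /**
     * True when the directory reports the account as enabled, unlocked and neither the
     * account nor its credentials expired (all four {@code UserDetails} status flags).
     */
    private static boolean isAccountUsable(InetOrgPerson person) {
        return person.isEnabled()
                && person.isAccountNonLocked()
                && person.isAccountNonExpired()
                && person.isCredentialsNonExpired();
    }

    /**
     * Renders the principal's granted authorities as a comma-separated list of
     * {@code CN=<authority>} fragments for substring matching in {@link #getGroupsFromDN}.
     * A missing authority collection yields the empty string.
     */
    private static String authoritiesAsCnList(InetOrgPerson person) {
        if (person.getAuthorities() == null) {
            return "";
        }
        return person.getAuthorities().stream()
                .map(authority -> "CN=" + authority.getAuthority())
                .collect(Collectors.joining(","));
    }

    /**
     * Picks the email address for the local user: the directory's mail attribute, else the
     * username when it already looks like an address, else {@code username@<AD domain>},
     * else {@code username@paraio.com}.
     * <p>
     * The last two forms are synthesized and are not verified contact addresses.
     */
    private String resolveEmail(InetOrgPerson person, String adDomain) {
        String mail = person.getMail();
        if (!StringUtils.isBlank(mail)) {
            return mail;
        }
        String username = person.getUsername();
        if (Utils.isValidEmail(username)) {
            return username;
        }
        if (StringUtils.isBlank(adDomain)) {
            LOG.warn("Blank email attribute for LDAP user '{}'.", username);
            return username + FALLBACK_MAIL_DOMAIN;
        }
        LOG.warn("The AD doesn't have email attribute. Instead, it uses domain name for email address: {}@{}.", username, adDomain);
        return username.concat("@").concat(adDomain);
    }

    /**
     * Copies changed email, name and groups from the directory onto an existing user.
     * <p>
     * Email and name changes are only staged on the object and reported through the return
     * value so the caller can {@code update()}. A groups change is written immediately with
     * {@code overwrite()} -- presumably because {@code update()} does not persist that field
     * (confirm in {@link User}) -- and since the overwrite also stores any staged email/name
     * change, the method then returns {@code false} so the caller skips its update.
     *
     * @return {@code true} when the caller still has to persist the user
     */
    private boolean updateUserInfo(User user, String email, String name, String groups) {
        boolean needsUpdate = false;
        if (!StringUtils.isBlank(email) && !StringUtils.equals(user.getEmail(), email)) {
            user.setEmail(email);
            needsUpdate = true;
        }
        if (!StringUtils.isBlank(name) && !StringUtils.equals(user.getName(), name)) {
            user.setName(name);
            needsUpdate = true;
        }
        if (!StringUtils.isBlank(groups) && !StringUtils.equals(user.getGroups(), groups)) {
            user.setGroups(groups);
            CoreUtils.getInstance().overwrite(user.getAppid(), user);
            needsUpdate = false;
        }
        return needsUpdate;
    }

    /**
     * Authenticates a {@code username<separator>password} credential string (e.g. from a
     * non-interactive client) against LDAP and maps the result onto a local user.
     * Failures are logged at INFO and result in a {@code null} user, never an exception.
     *
     * @param app the app the login is for
     * @param str the combined credentials; {@code null} or missing separator yields no user
     * @return whatever {@link SecurityUtils#checkIfActive} returns for the mapped user
     * @throws IOException never thrown here; kept for signature compatibility
     */
    public UserAuthentication getOrCreateUser(App app, String str) throws IOException {
        UserAuthentication userAuth = null;
        String separator = Para.getConfig().separator();
        if (str != null && str.contains(separator)) {
            // Split at the first separator only, so a password containing it stays intact.
            // indexOf is used instead of String.split because split() treats its argument as a
            // regular expression, which misbehaves for separators such as "|" or ".".
            int cut = str.indexOf(separator);
            String username = str.substring(0, cut);
            String password = str.substring(cut + separator.length());
            try {
                userAuth = getOrCreateUser(app, bindToLdap(app, username, password));
            } catch (Exception e) {
                LOG.info("Failed to authenticate '{}' with LDAP server: {}", username, e.getMessage());
            }
        }
        return SecurityUtils.checkIfActive(userAuth, SecurityUtils.getAuthenticatedUser(userAuth), false);
    }

    /**
     * Returns the app's identifier, or {@code null} when no app is given.
     */
    private String getAppid(App app) {
        return app == null ? null : app.getAppIdentifier();
    }

    /**
     * Derives the local group from the user's DN and authority list.
     * <p>
     * Starts at {@code USERS}; becomes {@code MODS} when the configured mods node is a
     * case-insensitive substring of the DN or of the authority list, and {@code ADMINS}
     * (taking precedence) when the admins node is. No elevation happens when the DN is blank,
     * even if the authority list matches. Because this is substring matching, a configured
     * node that is a prefix of another directory name matches that name too -- choose nodes
     * that are unambiguous in the directory.
     *
     * @param dn          the user's distinguished name
     * @param authorities comma-separated {@code CN=...} fragments built from the authorities
     * @param app         the app whose settings name the mods/admins nodes
     * @return the name of the {@link User.Groups} value to assign
     */
    private String getGroupsFromDN(String dn, String authorities, App app) {
        String group = User.Groups.USERS.toString();
        if (StringUtils.isBlank(dn)) {
            return group;
        }
        String modsNode = (String) app.getSetting(SETTING_MODS_NODE);
        String adminsNode = (String) app.getSetting(SETTING_ADMINS_NODE);
        if (matchesNode(modsNode, dn, authorities)) {
            group = User.Groups.MODS.toString();
        }
        if (matchesNode(adminsNode, dn, authorities)) {
            group = User.Groups.ADMINS.toString();
        }
        return group;
    }

    /** True when {@code node} is configured and occurs (ignoring case) in the DN or authority list. */
    private static boolean matchesNode(String node, String dn, String authorities) {
        return !StringUtils.isBlank(node)
                && (StringUtils.containsIgnoreCase(dn, node) || StringUtils.containsIgnoreCase(authorities, node));
    }
}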
