package org.apache.james.user.ldap;

import com.github.steveash.guavate.Guavate;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableList;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Optional;
import java.util.Properties;
import java.util.Set;
import javax.annotation.PostConstruct;
import javax.inject.Inject;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import org.apache.commons.configuration.ConfigurationException;
import org.apache.commons.configuration.HierarchicalConfiguration;
import org.apache.commons.lang.StringUtils;
import org.apache.directory.api.ldap.model.constants.JndiPropertyConstants;
import org.apache.directory.api.ldap.model.constants.SchemaConstants;
import org.apache.directory.api.ldap.model.filter.FilterEncoder;
import org.apache.james.core.MailAddress;
import org.apache.james.domainlist.api.DomainList;
import org.apache.james.lifecycle.api.Configurable;
import org.apache.james.user.api.UsersRepository;
import org.apache.james.user.api.UsersRepositoryException;
import org.apache.james.user.api.model.User;
import org.apache.james.util.retry.DoublingRetrySchedule;
import org.apache.james.util.retry.api.RetrySchedule;
import org.apache.james.util.retry.naming.ldap.RetryingLdapContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/james-server-data-ldap-3.3.0.jar:org/apache/james/user/ldap/ReadOnlyUsersLDAPRepository.class */
public class ReadOnlyUsersLDAPRepository implements UsersRepository, Configurable {
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) ReadOnlyUsersLDAPRepository.class);
    private static final String INITIAL_CONTEXT_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";
    private static final String PROPERTY_NAME_CONNECTION_POOL = "com.sun.jndi.ldap.connect.pool";
    private static final String PROPERTY_NAME_CONNECT_TIMEOUT = "com.sun.jndi.ldap.connect.timeout";
    private static final String PROPERTY_NAME_READ_TIMEOUT = "com.sun.jndi.ldap.read.timeout";
    public static final String SUPPORTS_VIRTUAL_HOSTING = "supportsVirtualHosting";
    private LdapContext ldapContext;
    private RetrySchedule schedule = null;
    private final DomainList domainList;
    private LdapRepositoryConfiguration ldapConfiguration;

    @Inject
    public ReadOnlyUsersLDAPRepository(DomainList domainList) {
        this.domainList = domainList;
    }

    @Override // org.apache.james.lifecycle.api.Configurable
    public void configure(HierarchicalConfiguration hierarchicalConfiguration) throws ConfigurationException {
        configure(LdapRepositoryConfiguration.from(hierarchicalConfiguration));
    }

    public void configure(LdapRepositoryConfiguration ldapRepositoryConfiguration) {
        this.ldapConfiguration = ldapRepositoryConfiguration;
        this.schedule = new DoublingRetrySchedule(ldapRepositoryConfiguration.getRetryStartInterval(), ldapRepositoryConfiguration.getRetryMaxInterval(), ldapRepositoryConfiguration.getScale());
    }

    @PostConstruct
    public void init() throws Exception {
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug(getClass().getName() + ".init()\nLDAP host: " + this.ldapConfiguration.getLdapHost() + "\nUser baseDN: " + this.ldapConfiguration.getUserBase() + "\nuserIdAttribute: " + this.ldapConfiguration.getUserIdAttribute() + "\nGroup restriction: " + this.ldapConfiguration.getRestriction() + "\nUseConnectionPool: " + this.ldapConfiguration.useConnectionPool() + "\nconnectionTimeout: " + this.ldapConfiguration.getConnectionTimeout() + "\nreadTimeout: " + this.ldapConfiguration.getReadTimeout() + "\nretrySchedule: " + this.schedule + "\nmaxRetries: " + this.ldapConfiguration.getMaxRetries() + '\n');
        }
        updateLdapContext();
    }

    protected LdapContext getLdapContext() throws NamingException {
        if (null == this.ldapContext) {
            updateLdapContext();
        }
        return this.ldapContext;
    }

    protected void updateLdapContext() throws NamingException {
        this.ldapContext = computeLdapContext();
    }

    protected LdapContext computeLdapContext() throws NamingException {
        return new RetryingLdapContext(this.schedule, this.ldapConfiguration.getMaxRetries()) { // from class: org.apache.james.user.ldap.ReadOnlyUsersLDAPRepository.1
            @Override // org.apache.james.util.retry.api.ExceptionRetryingProxy
            public Context newDelegate() throws NamingException {
                return new InitialLdapContext(ReadOnlyUsersLDAPRepository.this.getContextEnvironment(), (Control[]) null);
            }
        };
    }

    protected Properties getContextEnvironment() {
        Properties properties = new Properties();
        properties.put(JndiPropertyConstants.JNDI_FACTORY_INITIAL, INITIAL_CONTEXT_FACTORY);
        properties.put(JndiPropertyConstants.JNDI_PROVIDER_URL, Optional.ofNullable(this.ldapConfiguration.getLdapHost()).orElse(""));
        if (Strings.isNullOrEmpty(this.ldapConfiguration.getCredentials())) {
            properties.put(JndiPropertyConstants.JNDI_SECURITY_AUTHENTICATION, "none");
        } else {
            properties.put(JndiPropertyConstants.JNDI_SECURITY_AUTHENTICATION, "simple");
            properties.put(JndiPropertyConstants.JNDI_SECURITY_PRINCIPAL, Optional.ofNullable(this.ldapConfiguration.getPrincipal()).orElse(""));
            properties.put(JndiPropertyConstants.JNDI_SECURITY_CREDENTIALS, this.ldapConfiguration.getCredentials());
        }
        properties.put(PROPERTY_NAME_CONNECTION_POOL, String.valueOf(this.ldapConfiguration.useConnectionPool()));
        if (this.ldapConfiguration.getConnectionTimeout() > -1) {
            properties.put(PROPERTY_NAME_CONNECT_TIMEOUT, String.valueOf(this.ldapConfiguration.getConnectionTimeout()));
        }
        if (this.ldapConfiguration.getReadTimeout() > -1) {
            properties.put(PROPERTY_NAME_READ_TIMEOUT, Integer.toString(this.ldapConfiguration.getReadTimeout()));
        }
        return properties;
    }

    private boolean userInGroupsMembershipList(String str, Map<String, Collection<String>> map) {
        boolean z = false;
        Iterator<Collection<String>> it = map.values().iterator();
        while (it.hasNext() && !z) {
            z = it.next().contains(str);
        }
        return z;
    }

    private Set<String> getAllUsersFromLDAP() throws NamingException {
        HashSet hashSet = new HashSet();
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(2);
        searchControls.setReturningAttributes(new String[]{SchemaConstants.DISTINGUISHED_NAME_AT});
        NamingEnumeration search = this.ldapContext.search(this.ldapConfiguration.getUserBase(), "(objectClass=" + this.ldapConfiguration.getUserObjectClass() + ")", searchControls);
        while (search.hasMore()) {
            hashSet.add(((SearchResult) search.next()).getNameInNamespace());
        }
        return hashSet;
    }

    private Collection<ReadOnlyLDAPUser> buildUserCollection(Collection<String> collection) throws NamingException {
        ArrayList arrayList = new ArrayList();
        Iterator<String> it = collection.iterator();
        while (it.hasNext()) {
            arrayList.add(buildUser(it.next()));
        }
        return arrayList;
    }

    private ReadOnlyLDAPUser searchAndBuildUser(String str) throws NamingException {
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(2);
        searchControls.setReturningAttributes(new String[]{this.ldapConfiguration.getUserIdAttribute()});
        searchControls.setCountLimit(1L);
        NamingEnumeration search = this.ldapContext.search(this.ldapConfiguration.getUserBase(), FilterEncoder.format("(&({0}={1})(objectClass={2})" + StringUtils.defaultString(this.ldapConfiguration.getFilter(), "") + ")", this.ldapConfiguration.getUserIdAttribute(), str, this.ldapConfiguration.getUserObjectClass()), searchControls);
        if (!search.hasMore()) {
            return null;
        }
        SearchResult searchResult = (SearchResult) search.next();
        Attribute attribute = searchResult.getAttributes().get(this.ldapConfiguration.getUserIdAttribute());
        if (!this.ldapConfiguration.getRestriction().isActivated() || userInGroupsMembershipList(searchResult.getNameInNamespace(), this.ldapConfiguration.getRestriction().getGroupMembershipLists(this.ldapContext))) {
            return new ReadOnlyLDAPUser(attribute.get().toString(), searchResult.getNameInNamespace(), this.ldapContext);
        }
        return null;
    }

    private ReadOnlyLDAPUser buildUser(String str) throws NamingException {
        return new ReadOnlyLDAPUser(this.ldapContext.getAttributes(str).get(this.ldapConfiguration.getUserIdAttribute()).get().toString(), str, this.ldapContext);
    }

    @Override // org.apache.james.user.api.UsersRepository
    public boolean contains(String str) throws UsersRepositoryException {
        return getUserByName(str) != null;
    }

    @Deprecated
    public boolean containsCaseInsensitive(String str) throws UsersRepositoryException {
        return getUserByNameCaseInsensitive(str) != null;
    }

    @Override // org.apache.james.user.api.UsersRepository
    public int countUsers() throws UsersRepositoryException {
        try {
            return getValidUsers().size();
        } catch (NamingException e) {
            LOGGER.error("Unable to retrieve user count from ldap", e);
            throw new UsersRepositoryException("Unable to retrieve user count from ldap", e);
        }
    }

    @Deprecated
    public String getRealName(String str) throws UsersRepositoryException {
        User userByNameCaseInsensitive = getUserByNameCaseInsensitive(str);
        if (userByNameCaseInsensitive != null) {
            return userByNameCaseInsensitive.getUserName();
        }
        return null;
    }

    @Override // org.apache.james.user.api.UsersRepository
    public User getUserByName(String str) throws UsersRepositoryException {
        try {
            return searchAndBuildUser(str);
        } catch (NamingException e) {
            LOGGER.error("Unable to retrieve user from ldap", e);
            throw new UsersRepositoryException("Unable to retrieve user from ldap", e);
        }
    }

    @Deprecated
    public User getUserByNameCaseInsensitive(String str) throws UsersRepositoryException {
        try {
            for (ReadOnlyLDAPUser readOnlyLDAPUser : buildUserCollection(getValidUsers())) {
                if (readOnlyLDAPUser.getUserName().equalsIgnoreCase(str)) {
                    return readOnlyLDAPUser;
                }
            }
            return null;
        } catch (NamingException e) {
            LOGGER.error("Unable to retrieve user from ldap", e);
            throw new UsersRepositoryException("Unable to retrieve user from ldap", e);
        }
    }

    @Override // org.apache.james.user.api.UsersRepository
    public Iterator<String> list() throws UsersRepositoryException {
        try {
            return ((ImmutableList) buildUserCollection(getValidUsers()).stream().map((v0) -> {
                return v0.getUserName();
            }).collect(Guavate.toImmutableList())).iterator();
        } catch (NamingException e) {
            throw new UsersRepositoryException("Unable to retrieve users list from LDAP due to unknown naming error.", e);
        }
    }

    private Collection<String> getValidUsers() throws NamingException {
        Collection collection;
        Set<String> allUsersFromLDAP = getAllUsersFromLDAP();
        if (this.ldapConfiguration.getRestriction().isActivated()) {
            Map<String, Collection<String>> groupMembershipLists = this.ldapConfiguration.getRestriction().getGroupMembershipLists(this.ldapContext);
            collection = new ArrayList();
            for (String str : allUsersFromLDAP) {
                if (userInGroupsMembershipList(str, groupMembershipLists)) {
                    collection.add(str);
                }
            }
        } else {
            collection = allUsersFromLDAP;
        }
        return collection;
    }

    @Override // org.apache.james.user.api.UsersRepository
    public void removeUser(String str) throws UsersRepositoryException {
        LOGGER.warn("This user-repository is read-only. Modifications are not permitted.");
        throw new UsersRepositoryException("This user-repository is read-only. Modifications are not permitted.");
    }

    @Override // org.apache.james.user.api.UsersRepository
    public boolean test(String str, String str2) throws UsersRepositoryException {
        User userByName = getUserByName(str);
        return userByName != null && userByName.verifyPassword(str2);
    }

    @Override // org.apache.james.user.api.UsersRepository
    public void addUser(String str, String str2) throws UsersRepositoryException {
        LOGGER.error("This user-repository is read-only. Modifications are not permitted.");
        throw new UsersRepositoryException("This user-repository is read-only. Modifications are not permitted.");
    }

    @Override // org.apache.james.user.api.UsersRepository
    public void updateUser(User user) throws UsersRepositoryException {
        LOGGER.error("This user-repository is read-only. Modifications are not permitted.");
        throw new UsersRepositoryException("This user-repository is read-only. Modifications are not permitted.");
    }

    @Override // org.apache.james.user.api.UsersRepository
    public boolean supportVirtualHosting() {
        return this.ldapConfiguration.supportsVirtualHosting();
    }

    @Override // org.apache.james.user.api.UsersRepository
    public String getUser(MailAddress mailAddress) {
        return supportVirtualHosting() ? mailAddress.asString() : mailAddress.getLocalPart();
    }

    @Override // org.apache.james.user.api.UsersRepository
    public boolean isAdministrator(String str) {
        if (this.ldapConfiguration.getAdministratorId().isPresent()) {
            return this.ldapConfiguration.getAdministratorId().get().equals(str);
        }
        return false;
    }

    @Override // org.apache.james.user.api.UsersRepository
    public boolean isReadOnly() {
        return true;
    }

    @Override // org.apache.james.user.api.UsersRepository
    public MailAddress getMailAddressFor(org.apache.james.core.User user) throws UsersRepositoryException {
        try {
            return supportVirtualHosting() ? new MailAddress(user.asString()) : new MailAddress(user.getLocalPart(), this.domainList.getDefaultDomain());
        } catch (Exception e) {
            throw new UsersRepositoryException("Failed to compute mail address associated with the user", e);
        }
    }
}
