package org.apache.tomee.security.identitystore;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.function.Supplier;
import javax.annotation.PostConstruct;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.security.enterprise.identitystore.IdentityStorePermission;
import javax.security.enterprise.identitystore.LdapIdentityStoreDefinition;
import org.apache.commons.lang3.StringUtils;

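/* loaded from: input_file:lib/tomee-security-8.0.6.jar:org/apache/tomee/security/identitystore/TomEELDAPIdentityStore.class */
/**
 * {@link IdentityStore} backed by an LDAP directory, configured through an injected
 * {@link LdapIdentityStoreDefinition}.
 *
 * <p>Caller resolution: when {@code callerBaseDn} and {@code callerNameAttribute} are set and
 * {@code callerSearchBase} is empty, the caller DN is built directly as
 * {@code <callerNameAttribute>=<caller>,<callerBaseDn>}; otherwise the directory is searched below
 * {@code callerSearchBase} and exactly one hit is required.
 *
 * <p>Group resolution: when {@code groupSearchBase} is empty and {@code groupMemberOfAttribute} is set,
 * group names are derived from that attribute of the caller's entry; otherwise groups are searched
 * below {@code groupSearchBase} with {@code groupSearchFilter} (or the built-in default filter).
 *
 * <p>Caller-supplied values are escaped before being placed into a DN (RFC 4514) or into a search
 * filter (RFC 4515), so directory metacharacters in a login name are matched literally. Every
 * {@link #validate} and {@link #getCallerGroups} call opens its own {@link LdapContext} with the
 * configured bind DN and closes it before returning; after {@link #init} the instance holds no
 * mutable state.
 */
@ApplicationScoped
public class TomEELDAPIdentityStore implements IdentityStore {
    /** Default caller filter: {@code %1$s} is the caller name attribute, {@code %2$s} the escaped caller name. */
    private static final String DEFAULT_USER_FILTER = "(&(%s=%s)(|(objectclass=user)(objectclass=person)(objectclass=inetOrgPerson)(objectclass=organizationalPerson))(!(objectclass=computer)))";
    /** Default group filter: {@code %1$s} is the group member attribute, {@code %2$s} the escaped caller DN. */
    private static final String DEFAULT_GROUP_FILTER = "(&(%s=%s)(|(objectclass=group)(objectclass=groupofnames)(objectclass=groupofuniquenames)))";

    @Inject
    private Supplier<LdapIdentityStoreDefinition> definitionSupplier;
    // Resolved once in init(); every LDAP setting used below is read from here.
    private LdapIdentityStoreDefinition definition;
    // Unmodifiable snapshot of definition.useFor().
    private Set<IdentityStore.ValidationType> validationTypes;

    /** Resolves the store definition and caches the validation types it declares. */
    @PostConstruct
    private void init() {
        this.definition = this.definitionSupplier.get();
        this.validationTypes = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(this.definition.useFor())));
    }

    /**
     * Validates a {@link UsernamePasswordCredential} by resolving the caller's DN with the configured
     * bind DN and then binding as that DN with the supplied password.
     *
     * @param credential the credential to validate; anything other than a
     *                   {@link UsernamePasswordCredential} yields {@code NOT_VALIDATED_RESULT}
     * @return {@code INVALID_RESULT} when the caller is empty, cannot be resolved to exactly one DN, or
     *         the bind fails; otherwise a valid result carrying the caller DN and, if this store is
     *         configured for {@code PROVIDE_GROUPS}, the caller's groups
     * @throws RuntimeException when the administrative bind or the caller search itself fails
     *                          (wrapped {@link NamingException})
     */
    @Override
    public CredentialValidationResult validate(Credential credential) {
        if (!(credential instanceof UsernamePasswordCredential)) {
            return CredentialValidationResult.NOT_VALIDATED_RESULT;
        }
        UsernamePasswordCredential usernamePassword = (UsernamePasswordCredential) credential;
        String caller = usernamePassword.getCaller();
        if (StringUtils.isEmpty(caller)) {
            // An empty caller would otherwise become "<attr>=,<base>" or the filter "(<attr>=)".
            return CredentialValidationResult.INVALID_RESULT;
        }
        LdapContext ldapContext = null;
        try {
            ldapContext = lookup(this.definition.url(), this.definition.bindDn(), this.definition.bindDnPassword());
            String callerDn = getCallerDn(ldapContext, caller);
            if (callerDn == null || !authenticateWithCallerDn(usernamePassword, callerDn)) {
                return CredentialValidationResult.INVALID_RESULT;
            }
            Set<String> groups = null;
            if (validationTypes().contains(IdentityStore.ValidationType.PROVIDE_GROUPS)) {
                groups = getGroupsWithCallerDn(ldapContext, callerDn);
            }
            return new CredentialValidationResult((String) null, caller, callerDn, (String) null, groups);
        } finally {
            // Closed on every path; the earlier version closed only on the success paths and
            // leaked the administrative context when lookup or the search threw.
            silentlyCloseLdapContext(ldapContext);
        }
    }

    /**
     * Resolves the group names of the entry identified by {@code callerDn}.
     *
     * @param ldapContext open context bound with the administrative DN
     * @param callerDn    DN of the caller entry; {@code null} or empty yields an empty set
     * @return the group names found (never {@code null})
     * @throws RuntimeException wrapping any {@link NamingException}
     */
    private Set<String> getGroupsWithCallerDn(LdapContext ldapContext, String callerDn) {
        if (StringUtils.isEmpty(callerDn)) {
            return Collections.emptySet();
        }
        // memberOf is consulted only when no search base is configured AND a memberOf attribute is.
        boolean useMemberOf = StringUtils.isEmpty(this.definition.groupSearchBase())
                && StringUtils.isNotEmpty(this.definition.groupMemberOfAttribute());
        try {
            return useMemberOf ? groupsFromMemberOf(ldapContext, callerDn) : groupsFromSearch(ldapContext, callerDn);
        } catch (NamingException e) {
            throw new RuntimeException(e);
        }
    }

    /** Searches group entries below {@code groupSearchBase} whose member attribute holds the caller DN. */
    private Set<String> groupsFromSearch(LdapContext ldapContext, String callerDn) throws NamingException {
        // The DN goes into a filter assertion value, so its DN escapes ('\') must themselves be escaped.
        String filter = StringUtils.isNotEmpty(this.definition.groupSearchFilter())
                ? String.format(this.definition.groupSearchFilter(), escapeFilterValue(callerDn))
                : String.format(DEFAULT_GROUP_FILTER, this.definition.groupMemberAttribute(), escapeFilterValue(callerDn));
        Set<String> groups = new HashSet<>();
        for (SearchResult result : query(ldapContext, this.definition.groupSearchBase(), filter, getGroupSearchControls())) {
            Attribute nameAttribute = result.getAttributes().get(this.definition.groupNameAttribute());
            if (nameAttribute == null) {
                continue;
            }
            for (Object value : Collections.list(nameAttribute.getAll())) {
                if (value != null) {
                    groups.add(value.toString());
                }
            }
        }
        return groups;
    }

    /**
     * Reads the caller entry's {@code groupMemberOfAttribute} and takes each group name from the
     * leftmost RDN of the referenced group DN.
     *
     * @throws RuntimeException when a group DN's leftmost RDN is not the configured group name attribute
     */
    private Set<String> groupsFromMemberOf(LdapContext ldapContext, String callerDn) throws NamingException {
        String memberOfName = this.definition.groupMemberOfAttribute();
        Attribute memberOf = ldapContext.getAttributes(callerDn, new String[]{memberOfName}).get(memberOfName);
        Set<String> groups = new HashSet<>();
        if (memberOf == null) {
            return groups;
        }
        for (Object groupDnValue : Collections.list(memberOf.getAll())) {
            if (groupDnValue == null) {
                continue;
            }
            LdapName groupDn = new LdapName(groupDnValue.toString());
            // LdapName indexes RDNs right-to-left, so the leftmost (most specific) RDN is the last one.
            Rdn leftmost = groupDn.getRdn(groupDn.size() - 1);
            Attribute nameAttribute = leftmost.toAttributes().get(this.definition.groupNameAttribute());
            if (nameAttribute == null) {
                throw new RuntimeException(this.definition.groupNameAttribute() + " does not match any group in DN: " + groupDnValue);
            }
            Object name = nameAttribute.get(0);
            if (name != null) {
                groups.add(name.toString());
            }
        }
        return groups;
    }

    /**
     * Attempts a simple bind as {@code callerDn} with the credential's password.
     *
     * @return {@code true} only when the bind succeeds; an empty password is rejected up front
     */
    private boolean authenticateWithCallerDn(UsernamePasswordCredential credential, String callerDn) {
        String password = credential.getPasswordAsString();
        if (StringUtils.isEmpty(password)) {
            // RFC 4513 section 5.1.2: a simple bind with a DN and an empty password is an
            // "unauthenticated" bind that many directories accept; it must never count as a login.
            return false;
        }
        try {
            silentlyCloseLdapContext(lookup(this.definition.url(), callerDn, password));
            return true;
        } catch (RuntimeException ignored) {
            // lookup() reports every bind failure (wrong password, unreachable server, bad DN) as a
            // RuntimeException; for this store all of them mean "not authenticated".
            return false;
        }
    }

    /** Closes the context if non-null, ignoring close failures so they never mask the real outcome. */
    private void silentlyCloseLdapContext(LdapContext ldapContext) {
        if (ldapContext == null) {
            return;
        }
        try {
            ldapContext.close();
        } catch (NamingException ignored) {
            // Best-effort cleanup of a context that is no longer needed.
        }
    }

    /**
     * Resolves a caller name to its DN, either by direct construction or by searching.
     *
     * @return the DN, or {@code null} when the search yields zero or more than one entry
     */
    private String getCallerDn(LdapContext ldapContext, String callerName) {
        if (StringUtils.isNotEmpty(this.definition.callerBaseDn())
                && StringUtils.isNotEmpty(this.definition.callerNameAttribute())
                && StringUtils.isEmpty(this.definition.callerSearchBase())) {
            // The caller name becomes an RDN value: escape it so it cannot add or alter RDNs.
            return String.format("%s=%s,%s", this.definition.callerNameAttribute(),
                    Rdn.escapeValue(callerName), this.definition.callerBaseDn());
        }
        // The caller name becomes a filter assertion value: escape RFC 4515 metacharacters.
        String escapedCaller = escapeFilterValue(callerName);
        String filter = StringUtils.isNotEmpty(this.definition.callerSearchFilter())
                ? String.format(this.definition.callerSearchFilter(), escapedCaller)
                : String.format(DEFAULT_USER_FILTER, this.definition.callerNameAttribute(), escapedCaller);
        List<SearchResult> results = query(ldapContext, this.definition.callerSearchBase(), filter, getCallerSearchControls());
        // Zero hits means unknown; several hits means ambiguous -- both are treated as "no DN".
        return results.size() == 1 ? results.get(0).getNameInNamespace() : null;
    }

    /**
     * Returns the groups of an already validated caller, using the result's caller DN or, when that
     * is absent, resolving the DN from the caller principal's name.
     *
     * @throws SecurityException when a security manager denies {@code IdentityStorePermission("getGroups")}
     * @throws RuntimeException  wrapping any {@link NamingException}
     */
    @Override
    public Set<String> getCallerGroups(CredentialValidationResult validationResult) {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(new IdentityStorePermission("getGroups"));
        }
        LdapContext ldapContext = null;
        try {
            ldapContext = lookup(this.definition.url(), this.definition.bindDn(), this.definition.bindDnPassword());
            String callerDn = validationResult.getCallerDn();
            if (StringUtils.isEmpty(callerDn)) {
                callerDn = getCallerDn(ldapContext, validationResult.getCallerPrincipal().getName());
            }
            return getGroupsWithCallerDn(ldapContext, callerDn);
        } finally {
            silentlyCloseLdapContext(ldapContext);
        }
    }

    /** @return the priority declared by the store definition */
    @Override
    public int priority() {
        return this.definition.priority();
    }

    /** @return an unmodifiable view of the validation types declared by the store definition */
    @Override
    public Set<IdentityStore.ValidationType> validationTypes() {
        return this.validationTypes;
    }

    /**
     * Opens an {@link LdapContext} against {@code url} using a simple bind.
     *
     * <p>A simple bind transmits {@code credentials} as-is; the URL scheme decides whether the
     * connection is protected, which callers should keep in mind when configuring {@code url}.
     *
     * @param url         LDAP provider URL
     * @param principal   bind DN
     * @param credentials bind password
     * @return the bound context; the caller is responsible for closing it
     * @throws RuntimeException wrapping the {@link NamingException} of a failed connect or bind
     */
    public static LdapContext lookup(String url, String principal, String credentials) {
        Hashtable<String, Object> environment = new Hashtable<>();
        environment.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        environment.put("java.naming.provider.url", url);
        environment.put("java.naming.security.authentication", "simple");
        environment.put("java.naming.security.principal", principal);
        environment.put("java.naming.security.credentials", credentials);
        try {
            return new InitialLdapContext(environment, (Control[]) null);
        } catch (NamingException e) {
            throw new RuntimeException(e);
        }
    }

    /** Search controls for the caller lookup: all attributes are returned. */
    private SearchControls getCallerSearchControls() {
        return newSearchControls(this.definition.callerSearchScope(), null);
    }

    /** Search controls for the group lookup: only the group name attribute is returned. */
    private SearchControls getGroupSearchControls() {
        return newSearchControls(this.definition.groupSearchScope(), new String[]{this.definition.groupNameAttribute()});
    }

    /**
     * Builds search controls with the definition's result-count and time limits.
     *
     * @param returningAttributes attributes to return, or {@code null} to leave the default (all)
     */
    private SearchControls newSearchControls(LdapIdentityStoreDefinition.LdapSearchScope scope, String[] returningAttributes) {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(of(scope));
        controls.setCountLimit(this.definition.maxResults());
        controls.setTimeLimit(this.definition.readTimeout());
        if (returningAttributes != null) {
            controls.setReturningAttributes(returningAttributes);
        }
        return controls;
    }

    /** Maps the definition's search scope onto the JNDI scope constant; anything but SUBTREE stays one level. */
    private static int of(LdapIdentityStoreDefinition.LdapSearchScope scope) {
        return scope == LdapIdentityStoreDefinition.LdapSearchScope.SUBTREE
                ? SearchControls.SUBTREE_SCOPE
                : SearchControls.ONELEVEL_SCOPE;
    }

    /**
     * Runs a search and materialises its results.
     *
     * @throws RuntimeException wrapping any {@link NamingException}
     */
    private static List<SearchResult> query(LdapContext ldapContext, String base, String filter, SearchControls controls) {
        try {
            return Collections.list(ldapContext.search(base, filter, controls));
        } catch (NamingException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Escapes a value for use as an assertion value inside an LDAP search filter (RFC 4515
     * section 3), so that {@code \ * ( )} and NUL in caller-supplied input are matched literally
     * instead of changing the structure of the filter.
     *
     * @param value raw value; {@code null} is treated as empty
     */
    private static String escapeFilterValue(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder escaped = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\':
                    escaped.append("\\5c");
                    break;
                case '*':
                    escaped.append("\\2a");
                    break;
                case '(':
                    escaped.append("\\28");
                    break;
                case ')':
                    escaped.append("\\29");
                    break;
                case '\0':
                    escaped.append("\\00");
                    break;
                default:
                    escaped.append(c);
            }
        }
        return escaped.toString();
    }
}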
