package org.apache.brooklyn.rest.security.provider;

import com.google.common.base.CharMatcher;
import com.google.common.collect.ImmutableList;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.ListIterator;
import java.util.Map;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.brooklyn.api.mgmt.ManagementContext;
import org.apache.brooklyn.config.ConfigKey;
import org.apache.brooklyn.config.StringConfigMap;
import org.apache.brooklyn.core.config.ConfigPredicates;
import org.apache.brooklyn.rest.BrooklynWebConfig;
import org.apache.brooklyn.rest.security.provider.SecurityProvider;
import org.apache.brooklyn.util.collections.MutableList;
import org.apache.brooklyn.util.exceptions.Exceptions;
import org.apache.brooklyn.util.text.Strings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/brooklyn/rest/security/provider/LdapSecurityProvider.class */
public class LdapSecurityProvider extends AbstractSecurityProvider implements SecurityProvider {
    public static final String LDAP_CONTEXT_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";
    private final String ldapUrl;
    private final String defaultLdapRealm;
    private final String organizationUnit;
    private final String userNameRegex;
    private final String domainRegex;
    private boolean logUserLoginAttempt;
    private boolean fetchUserGroups;
    private List<String> validGroups;
    private Boolean recursiveSearch;
    private final String groupBaseOU;
    private final String groupSearchFilter;
    public static final Logger LOG = LoggerFactory.getLogger(LdapSecurityProvider.class);
    public static final String LDAP_USER_GROUPS_ORIGIN = LdapSecurityProvider.class.getName();
    static boolean triedLoading = false;

    public LdapSecurityProvider(ManagementContext managementContext) {
        this.fetchUserGroups = false;
        StringConfigMap config = managementContext.getConfig();
        this.ldapUrl = (String) config.getConfig(BrooklynWebConfig.LDAP_URL);
        Strings.checkNonEmpty(this.ldapUrl, "LDAP security provider configuration missing required property " + BrooklynWebConfig.LDAP_URL);
        this.fetchUserGroups = ((Boolean) config.getConfig(BrooklynWebConfig.LDAP_FETCH_USER_GROUPS)).booleanValue();
        this.recursiveSearch = (Boolean) config.getConfig(BrooklynWebConfig.LDAP_RECURSIVE);
        this.logUserLoginAttempt = ((Boolean) config.getConfig(BrooklynWebConfig.LDAP_LOGIN_INFO_LOG)).booleanValue();
        this.domainRegex = (String) config.getConfig(BrooklynWebConfig.LDAP_DOMAIN_REGEX);
        this.userNameRegex = (String) config.getConfig(BrooklynWebConfig.LDAP_USERNAME_REGEX);
        List<String> list = (List) config.getConfig(BrooklynWebConfig.GROUP_CONFIG_KEY_NAME);
        this.groupSearchFilter = (String) config.getConfig(BrooklynWebConfig.LDAP_GROUP_FILTER);
        this.groupBaseOU = (String) config.getConfig(BrooklynWebConfig.LDAP_GROUP_OU);
        if (!this.fetchUserGroups || list.isEmpty()) {
            this.validGroups = ImmutableList.of();
            if (!list.isEmpty() || !this.groupBaseOU.isEmpty() || !this.groupSearchFilter.isEmpty()) {
                LOG.warn("LdapSecurityProvider group search/fetch configuration (" + list + ", " + this.groupBaseOU + ", " + this.groupSearchFilter + ") is not valid unless " + BrooklynWebConfig.LDAP_FETCH_USER_GROUPS + " set true (ignoring)");
            }
        } else {
            this.validGroups = getBrooklynConfiguredLdapGroups(config, list);
            if ((Strings.isNonBlank(this.groupSearchFilter) || Strings.isNonBlank(this.groupBaseOU)) && (Strings.isBlank(this.groupSearchFilter) || Strings.isBlank(this.groupBaseOU))) {
                LOG.warn("LdapSecurityProvider group BaseOU+Search configuration (" + this.groupBaseOU + " / " + this.groupSearchFilter + ") is not; either specify both " + BrooklynWebConfig.LDAP_GROUP_OU + " / " + BrooklynWebConfig.LDAP_GROUP_FILTER + " or neither (ignoring)");
            }
        }
        String str = (String) config.getConfig(BrooklynWebConfig.LDAP_REALM);
        if (Strings.isNonBlank(str)) {
            this.defaultLdapRealm = CharMatcher.isNot('\"').retainFrom(str);
        } else {
            this.defaultLdapRealm = "";
        }
        if (!Strings.isBlank((CharSequence) config.getConfig(BrooklynWebConfig.LDAP_OU))) {
            this.organizationUnit = CharMatcher.isNot('\"').retainFrom((CharSequence) config.getConfig(BrooklynWebConfig.LDAP_OU));
        } else {
            LOG.info("Setting LDAP ou attribute to: Users");
            this.organizationUnit = "Users";
        }
    }

    public LdapSecurityProvider(String str, String str2, String str3) {
        this.fetchUserGroups = false;
        this.ldapUrl = str;
        this.defaultLdapRealm = str2;
        this.organizationUnit = str3;
        this.userNameRegex = "";
        this.domainRegex = "";
        this.groupBaseOU = "";
        this.groupSearchFilter = "";
    }

    @Override // org.apache.brooklyn.rest.security.provider.SecurityProvider
    public boolean authenticate(HttpServletRequest httpServletRequest, Supplier<HttpSession> supplier, String str, String str2) throws SecurityProvider.SecurityProviderDeniedAuthentication {
        if (str == null) {
            return false;
        }
        String ldapRegexPattern = getLdapRegexPattern();
        if (Strings.isNonEmpty(ldapRegexPattern) && !str.matches(ldapRegexPattern)) {
            LOG.debug("LDAP authentication not permitted for user `{}` due to userNameRegex configuration: {}", str, ldapRegexPattern);
            return false;
        }
        checkCanLoad();
        if (Strings.isBlank(str2)) {
            return false;
        }
        addToInfoLog("Login attempt with " + str);
        try {
            Hashtable hashtable = new Hashtable();
            hashtable.put("java.naming.factory.initial", LDAP_CONTEXT_FACTORY);
            hashtable.put("java.naming.provider.url", this.ldapUrl);
            hashtable.put("java.naming.security.authentication", "simple");
            hashtable.put("java.naming.security.principal", getSecurityPrincipal(str));
            hashtable.put("java.naming.security.credentials", str2);
            InitialDirContext initialDirContext = new InitialDirContext(hashtable);
            if (this.fetchUserGroups) {
                supplier.get().setAttribute("brooklyn.entitlements.user.groups.origin", LDAP_USER_GROUPS_ORIGIN);
                List<String> userGroups = getUserGroups(str, initialDirContext);
                if (userGroups.isEmpty()) {
                    addToInfoLog("Unsuccessful for " + str);
                    LOG.trace("User {} is not member of any group", str);
                    return false;
                }
                supplier.get().setAttribute("brooklyn.entitlements.user.groups", userGroups);
                addToInfoLog("Authentication successful for user " + str + ", in relevant LDAP groups " + userGroups);
            } else {
                addToInfoLog("Successful for " + str);
            }
            return allow(supplier.get(), str);
        } catch (NamingException e) {
            addToInfoLog("Unsuccessful for " + str);
            return false;
        }
    }

    private String getLdapRegexPattern() {
        if (Strings.isBlank(this.domainRegex) && Strings.isBlank(this.userNameRegex)) {
            return "";
        }
        if (Strings.isBlank(this.domainRegex)) {
            return this.userNameRegex;
        }
        String[] strArr = new String[2];
        strArr[0] = this.domainRegex;
        strArr[1] = Strings.isNonBlank(this.userNameRegex) ? this.userNameRegex : ".*";
        return Strings.join(strArr, "\\\\");
    }

    private List<String> getBrooklynConfiguredLdapGroups(StringConfigMap stringConfigMap, List<String> list) {
        ImmutableList.Builder builder = ImmutableList.builder();
        for (String str : list) {
            Iterator it = stringConfigMap.submap(ConfigPredicates.nameStartsWith(str + ".")).getAllConfigLocalRaw().entrySet().iterator();
            while (it.hasNext()) {
                builder.add(Strings.removeFromStart(((ConfigKey) ((Map.Entry) it.next()).getKey()).getName(), str + "."));
            }
        }
        return builder.build();
    }

    private void addToInfoLog(String str) {
        if (this.logUserLoginAttempt) {
            LOG.info(str);
        }
    }

    private List<String> getUserGroups(String str, DirContext dirContext) throws NamingException {
        ImmutableList.Builder builder = ImmutableList.builder();
        SearchControls searchControls = new SearchControls();
        searchControls.setReturningAttributes(new String[]{"memberOf"});
        if (Boolean.TRUE.equals(this.recursiveSearch)) {
            searchControls.setSearchScope(2);
        }
        NamingEnumeration search = dirContext.search(buildContainer(this.organizationUnit, this.defaultLdapRealm), "(&(objectclass=user)(sAMAccountName=" + getAccountName(str) + "))", searchControls);
        while (search.hasMore()) {
            SearchResult searchResult = (SearchResult) search.next();
            if (Strings.isNonBlank(this.groupSearchFilter) && Strings.isNonBlank(this.groupBaseOU)) {
                NamingEnumeration search2 = dirContext.search(buildContainer(this.groupBaseOU, this.defaultLdapRealm), this.groupSearchFilter.replace("{0}", searchResult.getNameInNamespace()), searchControls);
                if (search2 != null) {
                    while (search2.hasMore()) {
                        builder.add(getGroupName(((SearchResult) search2.next()).getNameInNamespace()));
                    }
                }
            } else {
                Attribute attribute = searchResult.getAttributes().get("memberOf");
                if (attribute != null) {
                    NamingEnumeration all = attribute.getAll();
                    while (all.hasMore()) {
                        builder.add(getGroupName(all.next().toString()));
                    }
                }
            }
        }
        ImmutableList build = builder.build();
        if (LOG.isTraceEnabled()) {
            LOG.trace("LDAP groups for {}: {}", str, build);
        }
        return (List) build.stream().filter(str2 -> {
            return this.validGroups.contains(str2);
        }).collect(Collectors.toList());
    }

    private String buildContainer(String str, String str2) {
        MutableList of = MutableList.of();
        Stream map = Arrays.stream(str.split("\\.")).map(str3 -> {
            return str3.toLowerCase().startsWith("ou=") ? str3 : "OU=" + str3;
        });
        of.getClass();
        map.forEach((v1) -> {
            r1.add(v1);
        });
        Stream map2 = Arrays.stream(str2.split("\\.")).map(str4 -> {
            return str4.toLowerCase().startsWith("dc=") ? str4 : "DC=" + str4;
        });
        of.getClass();
        map2.forEach((v1) -> {
            r1.add(v1);
        });
        return Strings.join(of, ",");
    }

    private String getAccountName(String str) {
        if (!str.contains("\\")) {
            return str;
        }
        String[] split = str.split("\\\\");
        return split[split.length - 1];
    }

    private String getGroupName(String str) throws NamingException {
        LdapName ldapName = new LdapName(str);
        ListIterator listIterator = ldapName.getRdns().listIterator(ldapName.getRdns().size());
        while (listIterator.hasPrevious()) {
            Rdn rdn = (Rdn) listIterator.previous();
            if (rdn.getType().equalsIgnoreCase("CN")) {
                return rdn.getValue().toString();
            }
        }
        throw new IllegalStateException("No valid CN group found in " + str);
    }

    protected String getSecurityPrincipal(String str) throws NamingException {
        return (str.contains("@") || str.contains("\\")) ? str : "CN=" + str + "," + buildContainer(this.organizationUnit, this.defaultLdapRealm);
    }

    public static synchronized void checkCanLoad() {
        if (triedLoading) {
            return;
        }
        try {
            Class.forName(LDAP_CONTEXT_FACTORY);
            triedLoading = true;
        } catch (Throwable th) {
            throw Exceptions.propagate(new ClassNotFoundException("Unable to load LDAP classes (com.sun.jndi.ldap.LdapCtxFactory) required for Brooklyn LDAP security provider"));
        }
    }

    @Override // org.apache.brooklyn.rest.security.provider.SecurityProvider
    public boolean requiresUserPass() {
        return true;
    }
}
