package com.floragunn.searchguard.enterprise.auth.ldap;

import com.floragunn.codova.config.templates.AttributeSource;
import com.floragunn.codova.config.templates.ExpressionEvaluationException;
import com.floragunn.codova.validation.ConfigValidationException;
import com.floragunn.codova.validation.ValidatingDocNode;
import com.floragunn.codova.validation.ValidationErrors;
import com.floragunn.fluent.collections.ImmutableList;
import com.floragunn.fluent.collections.ImmutableMap;
import com.floragunn.fluent.collections.ImmutableSet;
import com.floragunn.fluent.collections.OrderedImmutableMap;
import com.floragunn.searchguard.TypedComponent;
import com.floragunn.searchguard.authc.AuthenticationBackend;
import com.floragunn.searchguard.authc.AuthenticatorUnavailableException;
import com.floragunn.searchguard.authc.CredentialsException;
import com.floragunn.searchguard.authc.UserInformationBackend;
import com.floragunn.searchguard.authc.base.AuthcResult;
import com.floragunn.searchguard.configuration.ConfigurationRepository;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchsupport.PrivilegedCode;
import com.floragunn.searchsupport.cstate.ComponentState;
import com.floragunn.searchsupport.cstate.metrics.Meter;
import com.unboundid.ldap.sdk.Attribute;
import com.unboundid.ldap.sdk.DereferencePolicy;
import com.unboundid.ldap.sdk.Entry;
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;
import com.unboundid.ldap.sdk.SimpleBindRequest;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.CompletableFuture;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/auth/ldap/LDAPAuthenticationBackend.class */
public class LDAPAuthenticationBackend implements AuthenticationBackend, UserInformationBackend, AutoCloseable {
    public static final String TYPE = "ldap";
    private final LDAPConnectionManager connectionManager;
    private final String userSearchBaseDn;
    private final SearchScope userSearchScope;
    private final SearchFilter userSearchFilter;
    private final String[] userSearchAttributes;
    private final GroupSearch groupSearch;
    private final boolean fakeLoginEnabled;
    private final String fakeLoginDn;
    private final byte[] fakeLoginPassword;
    private final ComponentState componentState = new ComponentState(0, "authentication_backend", TYPE, LDAPAuthenticationBackend.class).initialized().requiresEnterpriseLicense();
    protected static final Logger log = LogManager.getLogger(LDAPAuthenticationBackend.class);
    public static Collection<TypedComponent.Info<?>> INFOS = ImmutableList.of(new TypedComponent.Info<AuthenticationBackend>() { // from class: com.floragunn.searchguard.enterprise.auth.ldap.LDAPAuthenticationBackend.1
        public Class<AuthenticationBackend> getType() {
            return AuthenticationBackend.class;
        }

        public String getName() {
            return LDAPAuthenticationBackend.TYPE;
        }

        public TypedComponent.Factory<AuthenticationBackend> getFactory() {
            return (v1, v2) -> {
                return new LDAPAuthenticationBackend(v1, v2);
            };
        }
    }, new TypedComponent.Info<UserInformationBackend>() { // from class: com.floragunn.searchguard.enterprise.auth.ldap.LDAPAuthenticationBackend.2
        public Class<UserInformationBackend> getType() {
            return UserInformationBackend.class;
        }

        public String getName() {
            return LDAPAuthenticationBackend.TYPE;
        }

        public TypedComponent.Factory<UserInformationBackend> getFactory() {
            return (v1, v2) -> {
                return new LDAPAuthenticationBackend(v1, v2);
            };
        }
    });

    public LDAPAuthenticationBackend(Map<String, Object> map, ConfigurationRepository.Context context) throws ConfigValidationException {
        ValidationErrors validationErrors = new ValidationErrors();
        ValidatingDocNode validatingDocNode = new ValidatingDocNode(map, validationErrors, context);
        this.connectionManager = (LDAPConnectionManager) validatingDocNode.get("idp").required().by(LDAPConnectionManager::new);
        this.userSearchBaseDn = validatingDocNode.get("user_search.base_dn").withDefault("").asString();
        this.userSearchScope = (SearchScope) validatingDocNode.get("user_search.scope").withDefault(SearchScope.SUB).byString(LDAP::getSearchScope);
        this.userSearchFilter = (SearchFilter) validatingDocNode.get("user_search.filter").withDefault(SearchFilter.DEFAULT).by(SearchFilter::parseForUserSearch);
        this.userSearchAttributes = (String[]) validatingDocNode.get("user_search.retrieve_attributes").withListDefault(new String[]{"+", "*"}).ofStrings().toArray(new String[0]);
        this.groupSearch = (GroupSearch) validatingDocNode.get("group_search").by(GroupSearch::new);
        this.fakeLoginEnabled = validatingDocNode.get("fake_login.enabled").withDefault(false).asBoolean();
        this.fakeLoginDn = validatingDocNode.get("fake_login.password").asString();
        this.fakeLoginPassword = validatingDocNode.get("fake_login.password").withDefault("fakeLoginPwd123").asString().getBytes();
        validationErrors.throwExceptionForPresentErrors();
        this.componentState.addPart(this.connectionManager.getComponentState());
    }

    public CompletableFuture<AuthCredentials> authenticate(AuthCredentials authCredentials, Meter meter) throws AuthenticatorUnavailableException, CredentialsException {
        Meter detail;
        SearchResultEntry searchResultEntry = (SearchResultEntry) PrivilegedCode.execute(() -> {
            return search(authCredentials, meter);
        }, AuthenticatorUnavailableException.class);
        if (searchResultEntry == null) {
            if (this.fakeLoginEnabled) {
                String str = this.fakeLoginDn != null ? this.fakeLoginDn : "CN=faketomakebindfail,DC=" + UUID.randomUUID().toString();
                try {
                    detail = meter.detail("invalid_login_delay");
                    try {
                        checkPassword(str, this.fakeLoginPassword);
                        if (detail != null) {
                            detail.close();
                        }
                    } finally {
                    }
                } catch (LDAPException e) {
                }
            }
            throw new CredentialsException(new AuthcResult.DebugInfo(TYPE, false, "User could not be found by query", ImmutableMap.of("user_name", authCredentials.getName())));
        }
        String dn = searchResultEntry.getDN();
        if (log.isTraceEnabled()) {
            log.trace("Try to authenticate dn {}", dn);
        }
        try {
            detail = meter.detail("check_password");
            try {
                checkPassword(searchResultEntry.getDN(), authCredentials.getPassword());
                if (detail != null) {
                    detail.close();
                }
                AuthCredentials userMappingAttribute = authCredentials.userMappingAttribute("ldap_user_entry", entryToMap(searchResultEntry));
                AuthCredentials.Builder copy = userMappingAttribute.copy();
                if (this.groupSearch != null) {
                    Set<Entry> searchGroups = searchGroups(searchResultEntry, userMappingAttribute, meter);
                    copy.userMappingAttribute("ldap_group_entries", ImmutableList.map(searchGroups, entry -> {
                        return entryToMap(entry);
                    }));
                    copy.backendRoles(extractRoles(searchGroups));
                }
                return CompletableFuture.completedFuture(copy.authDomainInfo(authCredentials.getAuthDomainInfo().authBackendType(getType())).build());
            } finally {
                if (detail != null) {
                    try {
                        detail.close();
                    } catch (Throwable th) {
                        th.addSuppressed(th);
                    }
                }
            }
        } catch (LDAPException e2) {
            throw new CredentialsException(new AuthcResult.DebugInfo(TYPE, false, "User could not be authenticated by password", OrderedImmutableMap.of("user_name", authCredentials.getName(), "dn", searchResultEntry.getDN(), "ldap_error", e2.getMessage()).with(LDAP.getDetailsFrom(e2))), e2);
        }
    }

    public CompletableFuture<AuthCredentials> getUserInformation(AuthCredentials authCredentials, Meter meter) throws AuthenticatorUnavailableException {
        SearchResultEntry searchResultEntry = (SearchResultEntry) PrivilegedCode.execute(() -> {
            return search(authCredentials, meter);
        }, AuthenticatorUnavailableException.class);
        if (searchResultEntry == null) {
            return CompletableFuture.completedFuture(null);
        }
        AuthCredentials userMappingAttribute = authCredentials.userMappingAttribute("ldap_user_entry", entryToMap(searchResultEntry));
        AuthCredentials.Builder copy = userMappingAttribute.copy();
        if (this.groupSearch != null) {
            Set<Entry> searchGroups = searchGroups(searchResultEntry, userMappingAttribute, meter);
            copy.userMappingAttribute("ldap_group_entries", ImmutableList.map(searchGroups, entry -> {
                return entryToMap(entry);
            }));
            copy.backendRoles(extractRoles(searchGroups));
        }
        return CompletableFuture.completedFuture(copy.build());
    }

    public String getType() {
        return TYPE;
    }

    @Override // java.lang.AutoCloseable
    public void close() {
        if (this.connectionManager != null) {
            try {
                this.connectionManager.close();
            } catch (IOException e) {
                log.warn("Error while closing " + String.valueOf(this.connectionManager), e);
            }
        }
    }

    private SearchResultEntry search(AuthCredentials authCredentials, Meter meter) throws AuthenticatorUnavailableException {
        Meter detail = meter.detail("user_search");
        try {
            LDAPConnection connection = this.connectionManager.getConnection();
            try {
                try {
                    Filter filter = this.userSearchFilter.toFilter(AttributeSource.of("user.name", authCredentials.getName()));
                    SearchRequest searchRequest = new SearchRequest(this.userSearchBaseDn, this.userSearchScope, filter, this.userSearchAttributes);
                    searchRequest.setDerefPolicy(DereferencePolicy.ALWAYS);
                    try {
                        Meter detail2 = detail.detail("ldap_search_operation");
                        try {
                            SearchResult search = connection.search(searchRequest);
                            log.trace("User search {} yielded {} results", filter, Integer.valueOf(search.getEntryCount()));
                            if (search == null || search.getEntryCount() <= 0) {
                                if (detail2 != null) {
                                    detail2.close();
                                }
                                if (connection != null) {
                                    connection.close();
                                }
                                if (detail != null) {
                                    detail.close();
                                }
                                return null;
                            }
                            SearchResultEntry searchResultEntry = (SearchResultEntry) search.getSearchEntries().get(0);
                            if (detail2 != null) {
                                detail2.close();
                            }
                            if (connection != null) {
                                connection.close();
                            }
                            if (detail != null) {
                                detail.close();
                            }
                            return searchResultEntry;
                        } catch (Throwable th) {
                            if (detail2 != null) {
                                try {
                                    detail2.close();
                                } catch (Throwable th2) {
                                    th.addSuppressed(th2);
                                }
                            }
                            throw th;
                        }
                    } catch (LDAPException e) {
                        throw new AuthenticatorUnavailableException("LDAP user search failed", LDAP.getBetterErrorMessage(e), e).details(LDAP.getDetailsFrom(e).with("ldap_base_dn", this.userSearchBaseDn).with("ldap_filter", filter.toString()));
                    }
                } catch (Throwable th3) {
                    if (connection != null) {
                        try {
                            connection.close();
                        } catch (Throwable th4) {
                            th3.addSuppressed(th4);
                        }
                    }
                    throw th3;
                }
            } catch (LDAPException | ExpressionEvaluationException e2) {
                throw new AuthenticatorUnavailableException("Could not create query for LDAP user search", e2.getMessage(), e2);
            }
        } catch (Throwable th5) {
            if (detail != null) {
                try {
                    detail.close();
                } catch (Throwable th6) {
                    th5.addSuppressed(th6);
                }
            }
            throw th5;
        }
    }

    private Set<Entry> searchGroups(SearchResultEntry searchResultEntry, AuthCredentials authCredentials, Meter meter) throws AuthenticatorUnavailableException {
        Meter detail = meter.detail("group_search");
        try {
            LDAPConnection connection = this.connectionManager.getConnection();
            try {
                Set<Entry> search = this.groupSearch.search(connection, searchResultEntry.getDN(), AttributeSource.from(authCredentials.getAttributesForUserMapping()), detail);
                if (connection != null) {
                    connection.close();
                }
                if (detail != null) {
                    detail.close();
                }
                return search;
            } finally {
            }
        } catch (Throwable th) {
            if (detail != null) {
                try {
                    detail.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private void checkPassword(String str, byte[] bArr) throws LDAPException {
        PrivilegedCode.execute(() -> {
            return this.connectionManager.getPool().bindAndRevertAuthentication(new SimpleBindRequest(str, bArr));
        }, LDAPException.class);
    }

    private ImmutableMap<String, Object> entryToMap(Entry entry) {
        ImmutableMap.Builder builder = new ImmutableMap.Builder();
        builder.with("dn", entry.getDN());
        for (Attribute attribute : entry.getAttributes()) {
            builder.with(attribute.getName(), Arrays.asList(attribute.getValues()));
        }
        return builder.build();
    }

    private ImmutableSet<String> extractRoles(Set<Entry> set) {
        String roleNameAttribute = this.groupSearch.getRoleNameAttribute();
        if (roleNameAttribute == null || set.isEmpty()) {
            return ImmutableSet.empty();
        }
        ImmutableSet.Builder builder = new ImmutableSet.Builder();
        for (Entry entry : set) {
            if ("dn".equalsIgnoreCase(roleNameAttribute)) {
                builder.add(entry.getDN());
            } else {
                String[] attributeValues = entry.getAttributeValues(roleNameAttribute);
                if (attributeValues != null && attributeValues.length > 0) {
                    builder.addAll(attributeValues);
                }
            }
        }
        return builder.build();
    }

    public ComponentState getComponentState() {
        return this.componentState;
    }
}
