package com.greenhat.server.container.server.security.ldap;

import com.greenhat.server.container.server.security.AdminCredentialsRejectedExeption;
import com.greenhat.server.container.server.security.Authenticator;
import com.greenhat.server.container.server.security.AuthenticatorException;
import com.greenhat.server.container.server.security.UnexpectedAuthenticatorException;
import com.greenhat.server.container.server.security.ldap.operations.GetUserSearchResultOperation;
import com.greenhat.server.container.server.security.ldap.operations.UserRecordNotFoundException;
import com.greenhat.server.container.server.security.ldap.trace.LdapAuthenticationTrace;
import com.greenhat.server.container.shared.datamodel.Role;
import com.greenhat.server.container.shared.datamodel.User;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapContext;

/* loaded from: input_file:com/greenhat/server/container/server/security/ldap/BaseLDAPAuthenticator.class */
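public abstract class BaseLDAPAuthenticator implements Authenticator, CommonLDAPConfigurationAttributes {
    private static final Logger logger = Logger.getLogger(BaseLDAPAuthenticator.class.getName());

    /** Raw configuration, keyed by the {@link CommonLDAPConfigurationAttributes} constants. */
    protected final Map<String, String> config;
    /** LDAP group identifier -> roles granted to members of that group. */
    protected final Map<String, Set<Role>> groupMappings;
    /** Diagnostic record of the single authentication attempt this object performs. */
    protected final LdapAuthenticationTrace trace = new LdapAuthenticationTrace();

    /** Lazily created context bound with the configured admin credentials; closed by {@link #close()}. */
    private LdapContext adminContext;
    /** Cached directory entry of the user being authenticated (looked up at most once). */
    private SearchResult userSearchResult;
    /** Guards the one-shot contract: {@link #traceLogin} / {@link #userExists} may be called once. */
    private boolean used;

    /**
     * @param config        configuration values; must not be null
     * @param groupMappings group identifier -> roles; must not be null
     */
    public BaseLDAPAuthenticator(Map<String, String> config, Map<String, Set<Role>> groupMappings) {
        assert config != null;
        assert groupMappings != null;
        this.config = config;
        this.groupMappings = groupMappings;
    }

    /**
     * Returns the admin-bound context, creating it on first use.
     *
     * @throws AdminCredentialsRejectedExeption if the admin bind fails
     */
    public LdapContext getAdminContext() throws AdminCredentialsRejectedExeption {
        if (this.adminContext == null) {
            this.adminContext = makeAdminContext();
        }
        return this.adminContext;
    }

    /** Binds with the configured admin user/password and records the outcome in the trace. */
    private LdapContext makeAdminContext() throws AdminCredentialsRejectedExeption {
        String adminUser = getAdminUser();
        String adminPassword = getAdminPassword();
        // NOTE(review): an empty admin password would make JNDI attempt an unauthenticated
        // (anonymous) bind; whether that is acceptable depends on the deployment's directory
        // policy, so it is not rejected here. Confirm UsernamePasswordConnection's handling.
        this.trace.adminConnectionAttempt = LdapAuthenticationTrace.AttemptStatus.STARTED_NOT_COMPLETED;
        try {
            LdapContext context = loginToLDAP(makeUsernamePasswordConnection(adminUser, adminPassword));
            logger.fine("Logged in to LDAP server as admin user " + adminUser + ", creating LDAP context: " + context);
            this.trace.adminConnectionAttempt = LdapAuthenticationTrace.AttemptStatus.SUCCEEDED;
            return context;
        } catch (LdapLoginFailedException e) {
            logger.log(Level.SEVERE, "Failed to login to LDAP using admin account", (Throwable) e);
            this.trace.adminConnectionException = e;
            throw new AdminCredentialsRejectedExeption(this.trace, e);
        }
    }

    /**
     * Opens the connection (after letting subclasses add JNDI environment entries) and
     * returns its root context. Bind failures propagate; any other connection problem is
     * wrapped as a RuntimeException.
     */
    protected LdapContext loginToLDAP(LdapConnection connection) throws LdapLoginFailedException {
        Hashtable<String, String> environment = new Hashtable<>();
        addCustomContextAttributes(environment);
        try {
            connection.open(environment);
        } catch (LdapLoginFailedException e) {
            throw e;
        } catch (LdapConnectionException e) {
            throw new RuntimeException(e);
        }
        return connection.getRootDirContext();
    }

    /**
     * Builds the connection used to verify an end user's credentials.
     *
     * @throws LdapLoginFailedException if the password is empty or no qualified username could be derived
     */
    protected LdapConnection getUsernamePasswordConnection(String username, String password) throws LdapLoginFailedException, AuthenticatorException {
        logger.entering(BaseLDAPAuthenticator.class.getName(), "getUsernamePasswordConnection", username);
        String qualifiedUsername = makeQualifiedUsername(username);
        this.trace.userConnectionLogin = qualifiedUsername;
        // Security: a simple bind with an empty password is treated by JNDI (and, per RFC 4513
        // §5.1.2, by many directories) as an anonymous/unauthenticated bind that "succeeds".
        // Reject it here so that an empty password can never pass as a valid login, regardless
        // of whether UsernamePasswordConnection guards against it.
        if (password == null || password.isEmpty()) {
            throw new LdapLoginFailedException("Login failed for user " + username + ". Empty password is not accepted.");
        }
        // NOTE(review): this stores an unsalted SHA-256 of the user's password in the trace.
        // That digest is cheap to brute-force offline; make sure the trace is never logged,
        // persisted or exported in full.
        this.trace.userConnectionPasswordHash = sha256(password);
        if (qualifiedUsername == null) {
            throw new LdapLoginFailedException("Login failed for user " + username + ". Qualified username returned as null.");
        }
        return makeUsernamePasswordConnection(qualifiedUsername, password);
    }

    /** Lower-case hex SHA-256 of the UTF-8 bytes of {@code value}, or null if the algorithm is unavailable. */
    private String sha256(String value) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(value.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b & 0xff));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            logger.log(Level.FINE, "Could not get SHA-256 hash of password for authentication trace", (Throwable) e);
            return null;
        }
    }

    /** Creates a simple-bind connection to the configured server URL. */
    protected LdapConnection makeUsernamePasswordConnection(String username, String password) {
        return new UsernamePasswordConnection(getServerURL(), username, password);
    }

    /** Maps the login name to the bind name; the default is the identity. Subclasses override. */
    protected String makeQualifiedUsername(String username) throws AuthenticatorException {
        return username;
    }

    /** Hook for subclasses to add JNDI environment entries before the connection is opened. */
    protected void addCustomContextAttributes(Hashtable<String, String> environment) {
    }

    @Override // com.greenhat.server.container.server.security.Authenticator
    public User login(String username, String password) throws AuthenticatorException {
        traceLogin(username, password);
        // Null when the login was rejected; the reason is recorded in the trace.
        return this.trace.user;
    }

    /**
     * Authenticates the user and returns the full trace. Rejections are reported through
     * {@code trace.finalRejection} rather than exceptions, except for a missing user record
     * and unexpected failures, which are thrown.
     */
    @Override // com.greenhat.server.container.server.security.Authenticator
    public LdapAuthenticationTrace traceLogin(String username, String password) throws AuthenticatorException {
        markUsed();
        try {
            // 1. Prove the credentials by binding as the user; the context itself is not needed
            //    afterwards (lookups below go through the admin context), so close it at once.
            LdapContext userContext = loginToLDAP(getUsernamePasswordConnection(username, password));
            userContext.close();
            logger.fine("Logged in to LDAP server as user " + username + ", creating LDAP context: " + userContext);

            // 2. Authorisation: group membership must grant the USER role.
            Set<Role> roles = getRoles(username);
            if (!roles.contains(Role.USER)) {
                this.trace.finalRejection = LdapAuthenticationTrace.FinalRejection.DID_NOT_HAVE_USER_ROLE;
                return this.trace;
            }

            // 3. Resolve the canonical user name from the directory entry.
            String canonicalName = getUserName(username);
            if (canonicalName == null) {
                this.trace.finalRejection = LdapAuthenticationTrace.FinalRejection.COULD_NOT_FIND_CANONICAL_NAME;
                logger.warning("RTCP authentication failed: User " + username + " successfully logged in to LDAP, but either could not find LDAP record, or could not find canonical user name.");
                return this.trace;
            }
            this.trace.user = new User(canonicalName, roles);
            return this.trace;
        } catch (LdapLoginFailedException e) {
            logger.log(Level.FINE, "Could not make connection to LDAP server using user's credentials", (Throwable) e);
            this.trace.userConnectionException = e;
            this.trace.finalRejection = LdapAuthenticationTrace.FinalRejection.LDAP_AUTHENTICATION_DID_NOT_SUCCEED;
            return this.trace;
        } catch (UserRecordNotFoundException e) {
            this.trace.userConnectionException = e;
            this.trace.finalRejection = LdapAuthenticationTrace.FinalRejection.USER_NOT_FOUND;
            throw e;
        } catch (AuthenticatorException e) {
            throw e;
        } catch (Throwable t) {
            throw new UnexpectedAuthenticatorException(this.trace, t);
        }
    }

    /**
     * Returns the canonical name of the user, or null if the lookup fails for a
     * reason covered by AuthenticatorException. Naming errors are rethrown unchecked.
     */
    @Override // com.greenhat.server.container.server.security.Authenticator
    public String userExists(String username) {
        markUsed();
        try {
            return getUserName(username);
        } catch (AuthenticatorException e) {
            return null;
        } catch (NamingException e) {
            throw new RuntimeException((Throwable) e);
        }
    }

    /** Enforces the single-use contract shared by {@link #traceLogin} and {@link #userExists}. */
    private void markUsed() {
        if (this.used) {
            throw new IllegalStateException("Authenticator object was called a second time. Authenticator objects can only be used once.");
        }
        this.used = true;
    }

    /**
     * Translates group identifiers into roles via {@link #groupMappings}. SERVER_ADMIN
     * implies USER. Unknown groups are ignored.
     */
    private Set<Role> mapGroups(Set<String> groups) {
        this.trace.groupRoleMappings = this.groupMappings;
        this.trace.userRolesFromEachGroup = new HashMap<>();
        Set<Role> roles = new HashSet<>();
        for (String group : groups) {
            Set<Role> mapped = this.groupMappings.get(group);
            if (mapped == null) {
                continue;
            }
            roles.addAll(mapped);
            this.trace.userRolesFromEachGroup.put(group, mapped.toString());
        }
        if (roles.contains(Role.SERVER_ADMIN)) {
            logger.fine("Granting 'user' role to this user as they have 'admin' role");
            roles.add(Role.USER);
        }
        return roles;
    }

    private final Set<Role> getRoles(String username) throws AuthenticatorException {
        logger.fine("Getting roles for user " + username);
        return mapGroups(getGroups(username));
    }

    /** Returns the identifiers of the groups the user belongs to (subclass-specific lookup). */
    protected abstract Set<String> getGroups(String username) throws AuthenticatorException;

    /**
     * Looks up the user's directory entry through the admin context (once; the result is cached).
     *
     * @throws UserRecordNotFoundException if the search returned no entry
     */
    public SearchResult getUserSearchResult(String username) throws NamingException, UserRecordNotFoundException, AuthenticatorException {
        logger.entering(BaseLDAPAuthenticator.class.getName(), "getUserSearchResult", username);
        if (this.userSearchResult == null) {
            GetUserSearchResultOperation operation = getUserSearchResult(getAdminContext(), username);
            this.userSearchResult = operation.getLatestResult();
            // NOTE(review): the query trace is only recorded when userEntryQuery is already
            // non-null, which looks inverted (== null). Preserved as found in the original;
            // confirm against LdapAuthenticationTrace before changing.
            if (this.trace.userEntryQuery != null) {
                this.trace.userEntryQuery = operation.getLatestTrace();
            }
            if (this.userSearchResult == null) {
                throw new UserRecordNotFoundException(operation, this.trace);
            }
        }
        return this.userSearchResult;
    }

    /**
     * Runs the user search with the configured filter and search base.
     * NOTE(review): {@code username} ends up inside an LDAP search filter; RFC 4515 escaping is
     * assumed to happen in GetUserSearchResultOperation — confirm, as it is not visible here.
     */
    protected GetUserSearchResultOperation getUserSearchResult(LdapContext context, String username) throws NamingException {
        GetUserSearchResultOperation operation = new GetUserSearchResultOperation(context, username, getUserFilter(), getUserSearchBase());
        operation.run();
        return operation;
    }

    /** Distinguished name of the user's directory entry. */
    public String getUserDN(String username) throws NamingException, AuthenticatorException {
        return getUserSearchResult(username).getNameInNamespace();
    }

    /**
     * Reads the configured user-name attribute from the user's entry. Returns null when the
     * attribute is not configured, missing, or not a String; records each step in the trace.
     */
    public String getUserName(String username) throws NamingException, AuthenticatorException {
        try {
            this.trace.canonicalNameRetrievalAttempt = LdapAuthenticationTrace.AttemptStatus.STARTED_NOT_COMPLETED;
            SearchResult entry = getUserSearchResult(username);
            this.trace.canonicalNameUserSearchResultFound = Boolean.valueOf(entry != null);
            String attributeName = getUserNameAttribute();
            this.trace.canonicalNameAttributeName = attributeName;
            if (attributeName != null) {
                Attribute attribute = entry.getAttributes().get(attributeName);
                this.trace.canonicalNameAttributeFound = attribute != null;
                if (attribute != null) {
                    Object value = attribute.get();
                    this.trace.canonicalNameObject = value;
                    if (value instanceof String) {
                        this.trace.canonicalNameRetrievalAttempt = LdapAuthenticationTrace.AttemptStatus.SUCCEEDED;
                        return (String) value;
                    }
                }
            }
            logger.severe("LDAP entry found for user " + username + " but no canonical username was found in field " + attributeName);
            return null;
        } catch (NamingException e) {
            this.trace.canonicalNameException = e;
            throw e;
        } catch (AuthenticatorException e) {
            this.trace.canonicalNameException = e;
            throw e;
        }
    }

    /** Configuration value for {@code key}, or {@code fallback} if the key is absent. */
    public final String getWithDefault(String key, String fallback) {
        return this.config.containsKey(key) ? this.config.get(key) : fallback;
    }

    protected String getAdminPassword() {
        return this.config.get(CommonLDAPConfigurationAttributes.ADMIN_PASSWORD);
    }

    protected String getAdminUser() {
        return this.config.get(CommonLDAPConfigurationAttributes.ADMIN_USERNAME);
    }

    protected String getServerURL() {
        return this.config.get(CommonLDAPConfigurationAttributes.URL);
    }

    protected String getUserFilter() {
        return this.config.get(CommonLDAPConfigurationAttributes.USER_FILTER);
    }

    protected String getUserNameAttribute() {
        return this.config.get(CommonLDAPConfigurationAttributes.USER_NAME_ATTRIBUTE);
    }

    /** Trimmed search base (null if unset). */
    public String getSearchBase() {
        return trim(this.config.get(CommonLDAPConfigurationAttributes.SEARCH_BASE));
    }

    /** User search base, falling back to the general search base when blank. */
    protected String getUserSearchBase() {
        String userSearchBase = this.config.get(CommonLDAPConfigurationAttributes.USER_SEARCH_BASE);
        return isEmptyString(userSearchBase) ? getSearchBase() : userSearchBase;
    }

    public String getGroupIdentifier() {
        return this.config.get(CommonLDAPConfigurationAttributes.GROUP_IDENTIFIER);
    }

    public String getAllGroupsFilter() {
        return this.config.get(CommonLDAPConfigurationAttributes.ALL_GROUPS_FILTER);
    }

    private String trim(String value) {
        return value == null ? null : value.trim();
    }

    private boolean isEmptyString(String value) {
        return value == null || trim(value).isEmpty();
    }

    /** Closes the admin context if one was created. A close failure is rethrown unchecked. */
    @Override // com.greenhat.server.container.server.security.Authenticator
    public final void close() {
        if (this.adminContext == null) {
            return;
        }
        try {
            this.adminContext.close();
        } catch (NamingException e) {
            logger.log(Level.SEVERE, "Exception closing admin context", e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Subtree search under the search base with {@code filter}, returning
     * entry DN -> value of the configured group identifier attribute.
     * Both naming enumerations are closed even when iteration fails.
     */
    public Map<String, String> getAllGroups(LdapContext context, String filter) {
        Map<String, String> groups = new HashMap<>();
        try {
            SearchControls controls = new SearchControls();
            controls.setReturningAttributes(new String[] {getGroupIdentifier()});
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            NamingEnumeration<SearchResult> results = context.search(getSearchBase(), filter, controls);
            try {
                while (results.hasMoreElements()) {
                    SearchResult entry = results.next();
                    Attributes attributes = entry.getAttributes();
                    if (attributes == null) {
                        continue;
                    }
                    NamingEnumeration<? extends Attribute> values = attributes.getAll();
                    try {
                        while (values.hasMore()) {
                            groups.put(entry.getNameInNamespace(), values.next().get().toString());
                        }
                    } finally {
                        values.close();
                    }
                }
            } finally {
                results.close();
            }
            return groups;
        } catch (NamingException e) {
            throw new RuntimeException((Throwable) e);
        }
    }
}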
