package org.apereo.cas.web.security.authentication;

import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.stream.Collectors;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authorization.LdapUserAttributesToRolesAuthorizationGenerator;
import org.apereo.cas.authorization.LdapUserGroupsToRolesAuthorizationGenerator;
import org.apereo.cas.configuration.model.core.monitor.LdapSecurityActuatorEndpointsMonitorProperties;
import org.apereo.cas.configuration.model.support.ldap.LdapAuthorizationProperties;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.HttpRequestUtils;
import org.apereo.cas.util.LdapUtils;
import org.apereo.cas.util.LoggingUtils;
import org.ldaptive.ConnectionFactory;
import org.ldaptive.Credential;
import org.ldaptive.LdapEntry;
import org.ldaptive.ReturnAttributes;
import org.ldaptive.SearchOperation;
import org.ldaptive.auth.AuthenticationRequest;
import org.ldaptive.auth.AuthenticationResponse;
import org.ldaptive.auth.Authenticator;
import org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer;
import org.pac4j.core.authorization.generator.AuthorizationGenerator;
import org.pac4j.core.authorization.generator.DefaultRolesPermissionsAuthorizationGenerator;
import org.pac4j.core.context.JEEContext;
import org.pac4j.core.context.session.JEESessionStore;
import org.pac4j.core.profile.CommonProfile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

/* loaded from: input_file:WEB-INF/lib/cas-server-webapp-config-6.4.6.jar:org/apereo/cas/web/security/authentication/EndpointLdapAuthenticationProvider.class */
public class EndpointLdapAuthenticationProvider implements AuthenticationProvider {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) EndpointLdapAuthenticationProvider.class);
    private final LdapSecurityActuatorEndpointsMonitorProperties ldapProperties;
    private final SecurityProperties securityProperties;
    private final ConnectionFactory connectionFactory;
    private final Authenticator authenticator;

    private static Authentication generateAuthenticationToken(Authentication authentication, List<SimpleGrantedAuthority> list) {
        return new UsernamePasswordAuthenticationToken(authentication.getPrincipal().toString(), authentication.getCredentials(), list);
    }

    public void destroy() {
        this.connectionFactory.close();
        this.authenticator.close();
    }

    @Override // org.springframework.security.authentication.AuthenticationProvider
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        try {
            String obj = authentication.getPrincipal().toString();
            String str = (String) Optional.ofNullable(authentication.getCredentials()).map((v0) -> {
                return v0.toString();
            }).orElse(null);
            if (StringUtils.isBlank(str)) {
                throw new IllegalArgumentException("Password cannot be blank");
            }
            LOGGER.debug("Preparing LDAP authentication request for user [{}]", obj);
            AuthenticationRequest authenticationRequest = new AuthenticationRequest(obj, new Credential(str), ReturnAttributes.ALL.value());
            LOGGER.debug("Executing LDAP authentication request for user [{}]", obj);
            AuthenticationResponse authenticate = this.authenticator.authenticate(authenticationRequest);
            LOGGER.debug("LDAP response: [{}]", authenticate);
            if (authenticate.isSuccess()) {
                List<String> roles = this.securityProperties.getUser().getRoles();
                if (roles.isEmpty()) {
                    LOGGER.info("No user security roles are defined to enable authorization. User [{}] is considered authorized", obj);
                    return generateAuthenticationToken(authentication, new ArrayList(0));
                }
                LdapEntry ldapEntry = authenticate.getLdapEntry();
                CommonProfile commonProfile = new CommonProfile();
                commonProfile.setId(obj);
                ldapEntry.getAttributes().forEach(ldapAttribute -> {
                    commonProfile.addAttribute(ldapAttribute.getName(), ldapAttribute.getStringValues());
                });
                LOGGER.debug("Collected user profile [{}]", commonProfile);
                JEEContext jEEContext = new JEEContext(HttpRequestUtils.getHttpServletRequestFromRequestAttributes(), HttpRequestUtils.getHttpServletResponseFromRequestAttributes());
                buildAuthorizationGenerator().generate(jEEContext, JEESessionStore.INSTANCE, commonProfile);
                LOGGER.debug("Assembled user profile with roles after generating authorization claims [{}]", commonProfile);
                ArrayList arrayList = (ArrayList) commonProfile.getRoles().stream().map(SimpleGrantedAuthority::new).collect(Collectors.toCollection(ArrayList::new));
                LOGGER.debug("List of authorities remapped from profile roles are [{}]", arrayList);
                RequireAnyRoleAuthorizer requireAnyRoleAuthorizer = new RequireAnyRoleAuthorizer(roles);
                LOGGER.debug("Executing authorization for expected admin roles [{}]", requireAnyRoleAuthorizer.getElements());
                if (requireAnyRoleAuthorizer.isAllAuthorized(jEEContext, JEESessionStore.INSTANCE, CollectionUtils.wrap(commonProfile))) {
                    return generateAuthenticationToken(authentication, arrayList);
                }
                LOGGER.warn("User [{}] is not authorized to access the requested resource allowed to roles [{}]", obj, requireAnyRoleAuthorizer.getElements());
            } else {
                LOGGER.warn("LDAP authentication response produced no results for [{}]", obj);
            }
            throw new BadCredentialsException("Could not authenticate provided credentials");
        } catch (Exception e) {
            LoggingUtils.error(LOGGER, e);
            throw new InsufficientAuthenticationException("Unexpected LDAP error", e);
        }
    }

    @Override // org.springframework.security.authentication.AuthenticationProvider
    public boolean supports(Class<?> cls) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(cls);
    }

    private AuthorizationGenerator buildAuthorizationGenerator() {
        LdapAuthorizationProperties ldapAuthz = this.ldapProperties.getLdapAuthz();
        if (isGroupBasedAuthorization()) {
            LOGGER.debug("Handling LDAP authorization based on groups");
            return new LdapUserGroupsToRolesAuthorizationGenerator(ldapAuthorizationGeneratorUserSearchOperation(this.connectionFactory), ldapAuthz.isAllowMultipleResults(), ldapAuthz.getGroupAttribute(), ldapAuthz.getGroupPrefix(), ldapAuthorizationGeneratorGroupSearchOperation(this.connectionFactory));
        }
        if (isUserBasedAuthorization()) {
            LOGGER.debug("Handling LDAP authorization based on attributes and roles");
            return new LdapUserAttributesToRolesAuthorizationGenerator(ldapAuthorizationGeneratorUserSearchOperation(this.connectionFactory), ldapAuthz.isAllowMultipleResults(), ldapAuthz.getRoleAttribute(), ldapAuthz.getRolePrefix());
        }
        List<String> roles = this.securityProperties.getUser().getRoles();
        LOGGER.info("Could not determine authorization generator based on users or groups. Authorization will generate static roles based on [{}]", roles);
        return new DefaultRolesPermissionsAuthorizationGenerator(roles, new ArrayList(0));
    }

    private boolean isGroupBasedAuthorization() {
        LdapAuthorizationProperties ldapAuthz = this.ldapProperties.getLdapAuthz();
        return StringUtils.isNotBlank(ldapAuthz.getGroupFilter()) && StringUtils.isNotBlank(ldapAuthz.getGroupAttribute());
    }

    private boolean isUserBasedAuthorization() {
        LdapAuthorizationProperties ldapAuthz = this.ldapProperties.getLdapAuthz();
        return StringUtils.isNotBlank(ldapAuthz.getBaseDn()) && StringUtils.isNotBlank(ldapAuthz.getSearchFilter());
    }

    private SearchOperation ldapAuthorizationGeneratorUserSearchOperation(ConnectionFactory connectionFactory) {
        LdapAuthorizationProperties ldapAuthz = this.ldapProperties.getLdapAuthz();
        SearchOperation newLdaptiveSearchOperation = LdapUtils.newLdaptiveSearchOperation(ldapAuthz.getBaseDn(), ldapAuthz.getSearchFilter(), new ArrayList(0), CollectionUtils.wrap(ldapAuthz.getRoleAttribute()));
        newLdaptiveSearchOperation.setConnectionFactory(connectionFactory);
        return newLdaptiveSearchOperation;
    }

    private SearchOperation ldapAuthorizationGeneratorGroupSearchOperation(ConnectionFactory connectionFactory) {
        LdapAuthorizationProperties ldapAuthz = this.ldapProperties.getLdapAuthz();
        SearchOperation newLdaptiveSearchOperation = LdapUtils.newLdaptiveSearchOperation(ldapAuthz.getGroupBaseDn(), ldapAuthz.getGroupFilter(), new ArrayList(0), CollectionUtils.wrap(ldapAuthz.getGroupAttribute()));
        newLdaptiveSearchOperation.setConnectionFactory(connectionFactory);
        return newLdaptiveSearchOperation;
    }

    @Generated
    public EndpointLdapAuthenticationProvider(LdapSecurityActuatorEndpointsMonitorProperties ldapSecurityActuatorEndpointsMonitorProperties, SecurityProperties securityProperties, ConnectionFactory connectionFactory, Authenticator authenticator) {
        this.ldapProperties = ldapSecurityActuatorEndpointsMonitorProperties;
        this.securityProperties = securityProperties;
        this.connectionFactory = connectionFactory;
        this.authenticator = authenticator;
    }
}
