package org.apereo.cas.authentication;

import com.google.common.collect.Maps;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import lombok.Generated;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.credential.UsernamePasswordCredential;
import org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.util.CollectionUtils;
import org.ldaptive.LdapAttribute;
import org.ldaptive.LdapEntry;
import org.ldaptive.LdapException;
import org.ldaptive.ReturnAttributes;
import org.ldaptive.auth.AuthenticationRequest;
import org.ldaptive.auth.AuthenticationResponse;
import org.ldaptive.auth.AuthenticationResultCode;
import org.ldaptive.auth.Authenticator;
import org.ldaptive.control.PasswordPolicyControl;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.DisposableBean;
import org.springframework.jdbc.datasource.init.ScriptUtils;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-ldap-core-6.6.11.jar:org/apereo/cas/authentication/LdapAuthenticationHandler.class */
public class LdapAuthenticationHandler extends AbstractUsernamePasswordAuthenticationHandler implements DisposableBean {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) LdapAuthenticationHandler.class);
    protected Map<String, Object> principalAttributeMap;
    private final Authenticator authenticator;
    private String principalIdAttribute;
    private boolean allowMultiplePrincipalAttributeValues;
    private boolean allowMissingPrincipalAttributeValue;
    private String[] authenticatedEntryAttributes;
    private boolean collectDnAttribute;
    private String principalDnAttributeName;

    public LdapAuthenticationHandler(String str, ServicesManager servicesManager, PrincipalFactory principalFactory, Integer num, Authenticator authenticator, AuthenticationPasswordPolicyHandlingStrategy authenticationPasswordPolicyHandlingStrategy) {
        super(str, servicesManager, principalFactory, num);
        this.principalAttributeMap = new HashMap(0);
        this.allowMissingPrincipalAttributeValue = true;
        this.authenticatedEntryAttributes = ReturnAttributes.NONE.value();
        this.principalDnAttributeName = "principalLdapDn";
        this.authenticator = authenticator;
        this.passwordPolicyHandlingStrategy = authenticationPasswordPolicyHandlingStrategy;
    }

    @Override // org.springframework.beans.factory.DisposableBean
    public void destroy() {
        this.authenticator.close();
    }

    public void initialize() {
        HashSet hashSet = new HashSet();
        LOGGER.debug("Initializing LDAP attribute configuration...");
        if (StringUtils.isNotBlank(this.principalIdAttribute)) {
            LOGGER.debug("Configured to retrieve principal id attribute [{}]", this.principalIdAttribute);
            hashSet.add(this.principalIdAttribute);
        }
        if (this.principalAttributeMap != null && !this.principalAttributeMap.isEmpty()) {
            Set<String> keySet = this.principalAttributeMap.keySet();
            hashSet.addAll(keySet);
            LOGGER.debug("Configured to retrieve principal attribute collection of [{}]", keySet);
        }
        this.authenticatedEntryAttributes = (String[]) hashSet.toArray(ArrayUtils.EMPTY_STRING_ARRAY);
        LOGGER.debug("LDAP authentication entry attributes for the authentication request are [{}]", (Object[]) this.authenticatedEntryAttributes);
    }

    @Override // org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler
    protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(UsernamePasswordCredential usernamePasswordCredential, String str) throws GeneralSecurityException, PreventedException {
        AuthenticationResponse ldapAuthenticationResponse = getLdapAuthenticationResponse(usernamePasswordCredential);
        LOGGER.debug("LDAP response: [{}]", ldapAuthenticationResponse);
        if (!this.passwordPolicyHandlingStrategy.supports(ldapAuthenticationResponse)) {
            LOGGER.warn("Authentication has failed because LDAP password policy handling strategy [{}] cannot handle [{}].", ldapAuthenticationResponse, this.passwordPolicyHandlingStrategy.getClass().getSimpleName());
            throw new FailedLoginException("Invalid credentials");
        }
        LOGGER.debug("Attempting to examine and handle LDAP password policy via [{}]", this.passwordPolicyHandlingStrategy.getClass().getSimpleName());
        List<MessageDescriptor> handle = this.passwordPolicyHandlingStrategy.handle(ldapAuthenticationResponse, getPasswordPolicyConfiguration());
        if (ldapAuthenticationResponse.isSuccess()) {
            LOGGER.debug("LDAP response returned a result [{}], creating the final LDAP principal", ldapAuthenticationResponse.getLdapEntry());
            return createHandlerResult(usernamePasswordCredential, createPrincipal(usernamePasswordCredential.getUsername(), ldapAuthenticationResponse.getLdapEntry()), handle);
        }
        if (AuthenticationResultCode.DN_RESOLUTION_FAILURE != ldapAuthenticationResponse.getAuthenticationResultCode()) {
            throw new FailedLoginException("Invalid credentials");
        }
        LOGGER.warn("DN resolution failed. [{}]", ldapAuthenticationResponse.getDiagnosticMessage());
        throw new AccountNotFoundException(usernamePasswordCredential.getUsername() + " not found.");
    }

    protected Principal createPrincipal(String str, LdapEntry ldapEntry) throws LoginException {
        LOGGER.debug("Creating LDAP principal for [{}] based on [{}] and attributes [{}]", str, ldapEntry.getDn(), ldapEntry.getAttributeNames());
        String ldapPrincipalIdentifier = getLdapPrincipalIdentifier(str, ldapEntry);
        LOGGER.debug("LDAP principal identifier created is [{}]", ldapPrincipalIdentifier);
        Map<String, List<Object>> collectAttributesForLdapEntry = collectAttributesForLdapEntry(ldapEntry, ldapPrincipalIdentifier);
        LOGGER.debug("Created LDAP principal for id [{}] and [{}] attributes", ldapPrincipalIdentifier, Integer.valueOf(collectAttributesForLdapEntry.size()));
        return this.principalFactory.createPrincipal(ldapPrincipalIdentifier, collectAttributesForLdapEntry);
    }

    protected Map<String, List<Object>> collectAttributesForLdapEntry(LdapEntry ldapEntry, String str) {
        HashMap newHashMapWithExpectedSize = Maps.newHashMapWithExpectedSize(this.principalAttributeMap.size());
        LOGGER.debug("The following attributes are requested to be retrieved and mapped: [{}]", newHashMapWithExpectedSize.keySet());
        this.principalAttributeMap.forEach((str2, obj) -> {
            ArrayList arrayList = (ArrayList) CollectionUtils.toCollection(obj, ArrayList.class);
            if (arrayList.size() == 1 && arrayList.stream().allMatch(obj -> {
                return obj.toString().endsWith(ScriptUtils.DEFAULT_STATEMENT_SEPARATOR);
            })) {
                ((List) ldapEntry.getAttributes().stream().filter(ldapAttribute -> {
                    return ldapAttribute.getName().startsWith(str2.concat(ScriptUtils.DEFAULT_STATEMENT_SEPARATOR));
                }).collect(Collectors.toList())).forEach(ldapAttribute2 -> {
                    newHashMapWithExpectedSize.putAll(collectAttributeValueForEntry(ldapEntry, ldapAttribute2.getName(), List.of()));
                });
            } else {
                newHashMapWithExpectedSize.putAll(collectAttributeValueForEntry(ldapEntry, str2, arrayList));
            }
        });
        if (this.collectDnAttribute) {
            LOGGER.debug("Recording principal DN attribute as [{}]", this.principalDnAttributeName);
            newHashMapWithExpectedSize.put(this.principalDnAttributeName, CollectionUtils.wrapList(ldapEntry.getDn()));
        }
        return newHashMapWithExpectedSize;
    }

    protected String getLdapPrincipalIdentifier(String str, LdapEntry ldapEntry) throws LoginException {
        if (!StringUtils.isNotBlank(this.principalIdAttribute)) {
            LOGGER.debug("Principal id attribute is not defined. Using the default provided user id [{}]", str);
            return str;
        }
        LdapAttribute attribute = ldapEntry.getAttribute(this.principalIdAttribute);
        if (attribute == null || attribute.size() == 0) {
            if (this.allowMissingPrincipalAttributeValue) {
                LOGGER.warn("The principal id attribute [{}] is not found. CAS cannot construct the final authenticated principal if it's unable to locate the attribute that is designated as the principal id. Attributes available on the LDAP entry are [{}]. Since principal id attribute is not available, CAS will fall back to construct the principal based on the provided user id: [{}]", this.principalIdAttribute, ldapEntry.getAttributes(), str);
                return str;
            }
            LOGGER.error("The principal id attribute [{}] is not found. CAS is configured to disallow missing principal attributes", this.principalIdAttribute);
            throw new LoginException("Principal id attribute is not found for " + attribute);
        }
        String stringValue = attribute.getStringValue();
        if (attribute.size() > 1) {
            if (!this.allowMultiplePrincipalAttributeValues) {
                throw new LoginException("Multiple principal values are not allowed: " + attribute);
            }
            LOGGER.warn("Found multiple values for principal id attribute: [{}]. Using first value=[{}].", attribute, stringValue);
        }
        LOGGER.debug("Retrieved principal id attribute [{}]", stringValue);
        return stringValue;
    }

    private AuthenticationResponse getLdapAuthenticationResponse(UsernamePasswordCredential usernamePasswordCredential) throws PreventedException {
        try {
            LOGGER.debug("Attempting LDAP authentication for [{}]. Authenticator pre-configured attributes are [{}], additional requested attributes for this authentication request are [{}]", usernamePasswordCredential, this.authenticator.getReturnAttributes(), this.authenticatedEntryAttributes);
            AuthenticationRequest authenticationRequest = new AuthenticationRequest(usernamePasswordCredential.getUsername(), new org.ldaptive.Credential(usernamePasswordCredential.getPassword()), this.authenticatedEntryAttributes);
            authenticationRequest.setControls(new PasswordPolicyControl());
            return this.authenticator.authenticate(authenticationRequest);
        } catch (LdapException e) {
            LOGGER.trace(e.getMessage(), (Throwable) e);
            throw new PreventedException(e);
        }
    }

    private static Map<String, List<Object>> collectAttributeValueForEntry(LdapEntry ldapEntry, String str, Collection<String> collection) {
        HashMap hashMap = new HashMap();
        LdapAttribute attribute = ldapEntry.getAttribute(str);
        if (attribute != null) {
            LOGGER.debug("Found principal attribute: [{}]", attribute);
            if (collection.isEmpty()) {
                LOGGER.debug("Principal attribute [{}] is collected as [{}]", attribute, str);
                hashMap.put(str, CollectionUtils.wrap(attribute.getStringValues()));
            } else {
                collection.forEach(str2 -> {
                    LOGGER.debug("Principal attribute [{}] is virtually remapped/renamed to [{}]", attribute, str2);
                    hashMap.put(str2, CollectionUtils.wrap(attribute.getStringValues()));
                });
            }
        } else {
            LOGGER.warn("Requested LDAP attribute [{}] could not be found on LDAP entry for [{}]", str, ldapEntry.getDn());
        }
        return hashMap;
    }

    @Generated
    public void setPrincipalAttributeMap(Map<String, Object> map) {
        this.principalAttributeMap = map;
    }

    @Generated
    public void setPrincipalIdAttribute(String str) {
        this.principalIdAttribute = str;
    }

    @Generated
    public void setAllowMultiplePrincipalAttributeValues(boolean z) {
        this.allowMultiplePrincipalAttributeValues = z;
    }

    @Generated
    public void setAllowMissingPrincipalAttributeValue(boolean z) {
        this.allowMissingPrincipalAttributeValue = z;
    }

    @Generated
    public void setAuthenticatedEntryAttributes(String[] strArr) {
        this.authenticatedEntryAttributes = strArr;
    }

    @Generated
    public void setCollectDnAttribute(boolean z) {
        this.collectDnAttribute = z;
    }

    @Generated
    public void setPrincipalDnAttributeName(String str) {
        this.principalDnAttributeName = str;
    }

    @Generated
    public Map<String, Object> getPrincipalAttributeMap() {
        return this.principalAttributeMap;
    }

    @Generated
    public Authenticator getAuthenticator() {
        return this.authenticator;
    }

    @Generated
    public String getPrincipalIdAttribute() {
        return this.principalIdAttribute;
    }

    @Generated
    public boolean isAllowMultiplePrincipalAttributeValues() {
        return this.allowMultiplePrincipalAttributeValues;
    }

    @Generated
    public boolean isAllowMissingPrincipalAttributeValue() {
        return this.allowMissingPrincipalAttributeValue;
    }

    @Generated
    public String[] getAuthenticatedEntryAttributes() {
        return this.authenticatedEntryAttributes;
    }

    @Generated
    public boolean isCollectDnAttribute() {
        return this.collectDnAttribute;
    }

    @Generated
    public String getPrincipalDnAttributeName() {
        return this.principalDnAttributeName;
    }
}
