package software.netcore.unimus.common.aaa.impl;

import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.SSLSocketFactory;
import lombok.NonNull;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.ldap.InvalidNameException;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.filter.AndFilter;
import org.springframework.ldap.filter.EqualsFilter;
import org.springframework.ldap.filter.HardcodedFilter;
import org.springframework.ldap.query.LdapQueryBuilder;
import org.springframework.ldap.support.LdapUtils;
import software.netcore.unimus.common.aaa.impl.support.NoOpHostNameVerifier;
import software.netcore.unimus.common.aaa.impl.support.SslNoOpSslSocketFactory;
import software.netcore.unimus.common.aaa.impl.support.TlsNoOpSslSocketFactory;
import software.netcore.unimus.common.aaa.spi.AAAStorage;
import software.netcore.unimus.common.aaa.spi.AccountingException;
import software.netcore.unimus.common.aaa.spi.data.Account;
import software.netcore.unimus.common.aaa.spi.data.AuthenticationType;
import software.netcore.unimus.common.aaa.spi.data.LDAPConfig;
import software.netcore.unimus.common.aaa.spi.data.LDAPSecurity;

/* loaded from: input_file:WEB-INF/lib/unimus-common-aaa-impl-3.30.0-STAGE.jar:software/netcore/unimus/common/aaa/impl/LDAPAAAProvider.class */
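/**
 * LDAP-backed {@link AAAProvider}.
 *
 * <p>Authentication loads the stored {@link LDAPConfig}, validates the configured DNs, builds a
 * context source for the configured server/security mode and delegates the user check to
 * {@link LdapTemplate#authenticate}. Accounting is a no-op for this provider.
 *
 * <p>Thread-safety: the instance only holds immutable references; a fresh context source and
 * template are created per authentication call.
 */
public class LDAPAAAProvider implements AAAProvider {
    private static final Logger log = LoggerFactory.getLogger(LDAPAAAProvider.class);

    // JNDI environment property names handed to the underlying LDAP context.
    private static final String CONNECT_TIMEOUT = "com.sun.jndi.ldap.connect.timeout";
    private static final String READ_TIMEOUT = "com.sun.jndi.ldap.read.timeout";
    private static final String SOCKET_FACTORY = "java.naming.ldap.factory.socket";

    private final AAAProperties aaaProperties;
    private final AAAStorage aaaStorage;

    /**
     * @param aaaProperties timeouts and search limits applied to every LDAP call
     * @param aaaStorage    source of the persisted {@link LDAPConfig}
     */
    public LDAPAAAProvider(AAAProperties aaaProperties, AAAStorage aaaStorage) {
        this.aaaProperties = aaaProperties;
        this.aaaStorage = aaaStorage;
    }

    /**
     * Authenticates an account against LDAP, honouring the config's enabled flag.
     *
     * @param account  account whose username is looked up
     * @param password credentials supplied by the caller
     * @return {@code true} only when the directory accepted the credentials
     */
    @Override
    public boolean authentication(Account account, String password) {
        return authentication(account.getUsername(), password, false);
    }

    /**
     * Authenticates a username/password pair against the configured LDAP server.
     *
     * @param username       login name supplied by the user; matched against the configured
     *                       user-identifier attribute
     * @param password       credentials supplied by the user
     * @param ignoreDisabled when {@code true} the config's enabled flag is not consulted
     *                       (used by callers that test the configuration explicitly)
     * @return {@code true} when the bind succeeded; {@code false} for disabled or invalid
     *         config, blank credentials, or any failure while talking to the directory
     */
    public boolean authentication(String username, String password, boolean ignoreDisabled) {
        // Reject blank input before anything else: a null password would otherwise NPE on
        // length(), and an empty password must never reach the directory because some servers
        // treat an empty-credential bind as an anonymous bind that "succeeds".
        if (StringUtils.isBlank(username) || password == null || password.isEmpty()) {
            log.debug("[authentication] rejected, username or password is blank");
            return false;
        }
        log.debug("[authentication] username = '{}', password = '{}' characters long", username, password.length());

        LDAPConfig config = loadConfig();
        log.trace("LDAP config loaded = '{}'", config);
        if (!ignoreDisabled && Boolean.FALSE.equals(config.getEnabled())) {
            log.trace("Unable to authenticate user, config is disabled");
            return false;
        }
        if (!validateConfig(config)) {
            log.trace("Unable to authenticate user, config is not configured");
            return false;
        }

        LdapContextSource contextSource = createContextSource(config);
        if (contextSource == null) {
            return false;
        }
        LdapTemplate ldapTemplate = new LdapTemplate(contextSource);
        ldapTemplate.setDefaultTimeLimit(this.aaaProperties.getLdapDefaultTimeLimit());

        // The username comes from the login form and is untrusted, so it goes through
        // EqualsFilter, which escapes LDAP filter metacharacters (HardcodedFilter performs no
        // escaping and would allow filter injection). The additional filter is operator-supplied
        // configuration and is intentionally used verbatim, as before.
        AndFilter filter = new AndFilter().and(new EqualsFilter(config.getUserIdentifier(), username));
        if (StringUtils.isNotBlank(config.getFilter())) {
            filter.and(new HardcodedFilter("(" + config.getFilter() + ")"));
        }

        try {
            ldapTemplate.authenticate(LdapQueryBuilder.query().filter(filter), password);
            return true;
        } catch (Exception e) {
            // Any failure (no match, bad credentials, connectivity) is an authentication failure;
            // details only at debug level so server internals are not spread into the warn log.
            log.warn("Ldap authentication failed: '{}'", e.getMessage());
            log.debug("[authentication] stack trace:", e);
            return false;
        }
    }

    /** Reads the persisted LDAP configuration. */
    private LDAPConfig loadConfig() {
        return this.aaaStorage.findLdapConfig();
    }

    /**
     * Checks that the config is marked configured and that both the access-user DN and the base
     * DN parse as LDAP names.
     *
     * @return {@code true} when the configuration is usable for a bind
     */
    private boolean validateConfig(LDAPConfig config) {
        if (!config.isConfigured()) {
            log.debug("Unable to authenticate user, config is not configured");
            return false;
        }
        try {
            LdapUtils.newLdapName(config.getAccessUser());
        } catch (InvalidNameException e) {
            log.warn("Ldap authentication failed, access user DN invalid: '{}'", e.getMessage());
            log.debug("[validateConfig] stack trace:", e);
            return false;
        }
        try {
            LdapUtils.newLdapName(config.getBaseDn());
        } catch (InvalidNameException e) {
            log.warn("Ldap authentication failed, base DN invalid: '{}'", e.getMessage());
            log.debug("[validateConfig] stack trace:", e);
            return false;
        }
        return true;
    }

    /**
     * Builds and initialises an {@link LdapContextSource} for the given config.
     *
     * @return the ready context source, or {@code null} when the base DN (or any other property)
     *         could not be applied
     */
    private LdapContextSource createContextSource(LDAPConfig config) {
        String url = config.getSecurity().getProtocol() + config.getServerAddress() + ":" + config.getPort();
        LdapContextSource contextSource = new LdapContextSource();
        contextSource.setUrl(url);
        contextSource.setUserDn(config.getAccessUser());
        contextSource.setPassword(config.getAccessPassword());
        // Referrals are chased automatically; NOTE(review): this means the bind credentials may be
        // presented to whichever server a referral points at.
        contextSource.setReferral("follow");
        try {
            contextSource.setBase(config.getBaseDn());
            Map<String, Object> env = new HashMap<>();
            env.put(CONNECT_TIMEOUT, String.valueOf(this.aaaProperties.getLdapConnectTimeout()));
            env.put(READ_TIMEOUT, String.valueOf(this.aaaProperties.getLdapReadTimeout()));
            // "Skip certificate check" installs trust-all socket factories / hostname verifier.
            // This removes server authentication for the TLS session, so the access-user
            // credentials and user passwords are exposed to anyone able to intercept the
            // connection; it is an operator-chosen setting and is applied only when set.
            if (config.getSecurity() == LDAPSecurity.LDAPS && Boolean.TRUE.equals(config.getSkipCertCheck())) {
                env.put(SOCKET_FACTORY, SslNoOpSslSocketFactory.class.getName());
            } else if (config.getSecurity() == LDAPSecurity.START_TLS) {
                DefaultTlsDirContextAuthenticationStrategy tlsStrategy = new DefaultTlsDirContextAuthenticationStrategy();
                if (Boolean.TRUE.equals(config.getSkipCertCheck())) {
                    tlsStrategy.setSslSocketFactory((SSLSocketFactory) TlsNoOpSslSocketFactory.getDefault());
                    tlsStrategy.setHostnameVerifier(NoOpHostNameVerifier.INSTANCE);
                }
                contextSource.setAuthenticationStrategy(tlsStrategy);
            }
            contextSource.setBaseEnvironmentProperties(env);
            contextSource.afterPropertiesSet();
            return contextSource;
        } catch (Exception e) {
            log.warn("Ldap base DN is not configured properly, authentication failed");
            log.debug("[createContextSource] stack trace:", e);
            return null;
        }
    }

    /**
     * Accounting is not supported by the LDAP provider; only the non-null contract on the
     * first two arguments is enforced.
     *
     * @throws NullPointerException when {@code accountingType} or {@code username} is null
     */
    @Override
    public void accounting(@NonNull AccountingType accountingType, @NonNull String username, String str2, AAAProvider aAAProvider, long j) throws AccountingException {
        if (accountingType == null) {
            throw new NullPointerException("type is marked non-null but is null");
        }
        if (username == null) {
            throw new NullPointerException("username is marked non-null but is null");
        }
    }

    /** @return always {@link AuthenticationType#LDAP} */
    @Override
    public AuthenticationType getAuthenticationType() {
        return AuthenticationType.LDAP;
    }
}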
