package org.pac4j.config.ldaptive;

import java.time.Duration;
import java.util.Arrays;
import java.util.Locale;
import java.util.stream.Collectors;
import org.ldaptive.BindConnectionInitializer;
import org.ldaptive.ConnectionConfig;
import org.ldaptive.Credential;
import org.ldaptive.FilterTemplate;
import org.ldaptive.PooledConnectionFactory;
import org.ldaptive.ReturnAttributes;
import org.ldaptive.SearchConnectionValidator;
import org.ldaptive.SearchOperation;
import org.ldaptive.SearchRequest;
import org.ldaptive.SearchScope;
import org.ldaptive.SimpleBindRequest;
import org.ldaptive.ad.extended.FastBindConnectionInitializer;
import org.ldaptive.auth.Authenticator;
import org.ldaptive.auth.CompareAuthenticationHandler;
import org.ldaptive.auth.EntryResolver;
import org.ldaptive.auth.FormatDnResolver;
import org.ldaptive.auth.SearchDnResolver;
import org.ldaptive.auth.SearchEntryResolver;
import org.ldaptive.auth.SimpleBindAuthenticationHandler;
import org.ldaptive.control.PasswordPolicyControl;
import org.ldaptive.pool.BindConnectionPassivator;
import org.ldaptive.pool.IdlePruneStrategy;
import org.ldaptive.sasl.Mechanism;
import org.ldaptive.sasl.SaslConfig;
import org.ldaptive.ssl.KeyStoreCredentialConfig;
import org.ldaptive.ssl.SslConfig;
import org.ldaptive.ssl.X509CredentialConfig;
import org.pac4j.config.ldaptive.AbstractLdapProperties;
import org.pac4j.config.ldaptive.LdapAuthenticationProperties;
import org.pac4j.core.util.CommonHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/pac4j-config-5.1.0.jar:org/pac4j/config/ldaptive/LdaptiveAuthenticatorBuilder.class */
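/**
 * Static factory that turns pac4j LDAP property holders into ldaptive objects: an
 * {@link Authenticator} plus the connection configuration, connection pools, search requests
 * and filters it needs.
 *
 * <p>Points a reviewer or operator should keep in mind, all visible in the code below:
 * <ul>
 *   <li>Transport protection is purely configuration-driven. {@link #newConnectionConfig}
 *       forwards the StartTLS flag and always installs an {@link SslConfig}, but nothing here
 *       rejects a plain {@code ldap://} URL with StartTLS disabled; simple binds would then
 *       carry passwords over an unencrypted connection.</li>
 *   <li>Any authentication type other than AD, DIRECT or SASL (including a {@code null} type)
 *       ends up on the search-then-authenticate path.</li>
 *   <li>Every call to {@link #newPooledConnectionFactory} creates and initializes a new pool,
 *       and the authenticator factories call it once per resolver/handler. This class never
 *       closes those pools. NOTE(review): confirm that callers close the returned
 *       {@link Authenticator} on shutdown.</li>
 *   <li>Debug logging emits the LDAP URL, the bind DN and the formatted search filter (which
 *       contains the supplied user values); the bind credential is never logged here.</li>
 * </ul>
 */
public class LdaptiveAuthenticatorBuilder {
    private static final Logger LOGGER = LoggerFactory.getLogger(LdaptiveAuthenticatorBuilder.class);

    /** Not meant to be instantiated directly; kept {@code protected} so subclasses remain possible. */
    protected LdaptiveAuthenticatorBuilder() {
    }

    /**
     * Builds the authenticator matching the configured authentication type.
     *
     * @param ldapAuthenticationProperties the LDAP settings to build from
     * @return a configured authenticator whose connection pools are already initialized
     * @throws IllegalArgumentException if the type is AD or DIRECT and no DN format is configured
     */
    public static Authenticator getAuthenticator(LdapAuthenticationProperties ldapAuthenticationProperties) {
        if (ldapAuthenticationProperties.getType() == LdapAuthenticationProperties.AuthenticationTypes.AD) {
            LOGGER.debug("Creating active directory authenticator for {}", ldapAuthenticationProperties.getLdapUrl());
            return getActiveDirectoryAuthenticator(ldapAuthenticationProperties);
        }
        if (ldapAuthenticationProperties.getType() == LdapAuthenticationProperties.AuthenticationTypes.DIRECT) {
            LOGGER.debug("Creating direct-bind authenticator for {}", ldapAuthenticationProperties.getLdapUrl());
            return getDirectBindAuthenticator(ldapAuthenticationProperties);
        }
        if (ldapAuthenticationProperties.getType() == LdapAuthenticationProperties.AuthenticationTypes.SASL) {
            LOGGER.debug("Creating SASL authenticator for {}", ldapAuthenticationProperties.getLdapUrl());
            return getSaslAuthenticator(ldapAuthenticationProperties);
        }
        // AUTHENTICATED and the fall-through case build the same authenticator; only the log
        // line differs. Whether the search is really anonymous depends on the bind settings
        // applied in newConnectionConfig, not on the type.
        if (ldapAuthenticationProperties.getType() == LdapAuthenticationProperties.AuthenticationTypes.AUTHENTICATED) {
            LOGGER.debug("Creating authenticated authenticator for {}", ldapAuthenticationProperties.getLdapUrl());
        } else {
            LOGGER.debug("Creating anonymous authenticator for {}", ldapAuthenticationProperties.getLdapUrl());
        }
        return getAuthenticatedOrAnonSearchAuthenticator(ldapAuthenticationProperties);
    }

    /**
     * Search-based DN resolution followed by a simple bind with the user's password.
     * The SASL settings themselves are applied to the pooled connections in
     * {@link #newConnectionConfig}, and only when a SASL mechanism is configured.
     */
    private static Authenticator getSaslAuthenticator(LdapAuthenticationProperties props) {
        return new Authenticator(newSearchDnResolver(props), getPooledBindAuthenticationHandler(props));
    }

    /**
     * Search-based DN resolution, then either a simple bind (no password attribute configured)
     * or an LDAP compare against the configured password attribute.
     */
    private static Authenticator getAuthenticatedOrAnonSearchAuthenticator(LdapAuthenticationProperties props) {
        final SearchDnResolver dnResolver = newSearchDnResolver(props);
        final Authenticator authenticator;
        if (CommonHelper.isBlank(props.getPrincipalAttributePassword())) {
            authenticator = new Authenticator(dnResolver, getPooledBindAuthenticationHandler(props));
        } else {
            authenticator = new Authenticator(dnResolver, getPooledCompareAuthenticationHandler(props));
        }
        return withOptionalEntryResolver(authenticator, props);
    }

    /** Direct bind: the user DN is derived from the configured DN format, with no search. */
    private static Authenticator getDirectBindAuthenticator(LdapAuthenticationProperties props) {
        return newFormatDnAuthenticator(props, "direct bind");
    }

    /** Active Directory: built exactly like direct bind, only the error wording differs. */
    private static Authenticator getActiveDirectoryAuthenticator(LdapAuthenticationProperties props) {
        return newFormatDnAuthenticator(props, "active directory");
    }

    /** Shared body of the AD and direct-bind authenticators; {@code mode} only feeds the error message. */
    private static Authenticator newFormatDnAuthenticator(LdapAuthenticationProperties props, String mode) {
        if (CommonHelper.isBlank(props.getDnFormat())) {
            throw new IllegalArgumentException("Dn format cannot be empty/blank for " + mode + " authentication");
        }
        final Authenticator authenticator =
            new Authenticator(new FormatDnResolver(props.getDnFormat()), getPooledBindAuthenticationHandler(props));
        return withOptionalEntryResolver(authenticator, props);
    }

    /** Builds the DN resolver used by the search-based authenticators; it gets its own connection pool. */
    private static SearchDnResolver newSearchDnResolver(LdapAuthenticationProperties props) {
        final SearchDnResolver resolver = new SearchDnResolver();
        resolver.setBaseDn(props.getBaseDn());
        resolver.setSubtreeSearch(props.isSubtreeSearch());
        resolver.setAllowMultipleDns(props.isAllowMultipleDns());
        resolver.setConnectionFactory(newPooledConnectionFactory(props));
        resolver.setUserFilter(props.getUserFilter());
        return resolver;
    }

    /** Attaches a search entry resolver when the configuration asks for one; returns the same authenticator. */
    private static Authenticator withOptionalEntryResolver(Authenticator authenticator, LdapAuthenticationProperties props) {
        if (props.isEnhanceWithEntryResolver()) {
            authenticator.setEntryResolver(newSearchEntryResolver(props));
        }
        return authenticator;
    }

    /** Simple-bind handler on its own pool, requesting the password policy control with each bind. */
    private static SimpleBindAuthenticationHandler getPooledBindAuthenticationHandler(LdapAuthenticationProperties props) {
        final SimpleBindAuthenticationHandler handler =
            new SimpleBindAuthenticationHandler(newPooledConnectionFactory(props));
        handler.setAuthenticationControls(new PasswordPolicyControl());
        return handler;
    }

    /**
     * Compare handler on its own pool, checking the password against the configured attribute.
     * NOTE(review): the password scheme used for the comparison is left at ldaptive's default
     * here; confirm it matches how the directory stores that attribute.
     */
    private static CompareAuthenticationHandler getPooledCompareAuthenticationHandler(LdapAuthenticationProperties props) {
        final CompareAuthenticationHandler handler =
            new CompareAuthenticationHandler(newPooledConnectionFactory(props));
        handler.setPasswordAttribute(props.getPrincipalAttributePassword());
        return handler;
    }

    /**
     * Builds an entry resolver that looks the user entry up by search.
     *
     * @param ldapAuthenticationProperties source of base DN, user filter and subtree flag
     * @return a resolver backed by a newly created and initialized connection pool
     */
    public static EntryResolver newSearchEntryResolver(LdapAuthenticationProperties ldapAuthenticationProperties) {
        final SearchEntryResolver resolver = new SearchEntryResolver();
        resolver.setBaseDn(ldapAuthenticationProperties.getBaseDn());
        resolver.setUserFilter(ldapAuthenticationProperties.getUserFilter());
        resolver.setSubtreeSearch(ldapAuthenticationProperties.isSubtreeSearch());
        resolver.setConnectionFactory(newPooledConnectionFactory(ldapAuthenticationProperties));
        return resolver;
    }

    /**
     * Builds the ldaptive connection configuration: URL list, StartTLS flag, connect timeout,
     * TLS trust/key material and the connection initializer (SASL bind, AD fast bind, simple
     * bind, or none).
     *
     * <p>When neither a SASL mechanism nor a complete bind DN/credential pair is configured,
     * no initializer is installed, so this class does not bind the connections it creates.
     *
     * @param abstractLdapProperties the connection settings; its LDAP URL must not be {@code null}
     * @return the connection configuration
     * @throws IllegalArgumentException if the configured SASL mechanism is not one handled here
     */
    public static ConnectionConfig newConnectionConfig(AbstractLdapProperties abstractLdapProperties) {
        final ConnectionConfig connectionConfig = new ConnectionConfig();
        // pac4j takes a comma-separated URL list; the value handed to ldaptive is space-separated.
        final String ldapUrls = String.join(" ", abstractLdapProperties.getLdapUrl().split(","));
        LOGGER.debug("Transformed LDAP urls from [{}] to [{}]", abstractLdapProperties.getLdapUrl(), ldapUrls);
        connectionConfig.setLdapUrl(ldapUrls);
        connectionConfig.setUseStartTLS(abstractLdapProperties.isUseStartTls());
        connectionConfig.setConnectTimeout(newDuration(abstractLdapProperties.getConnectTimeout()));
        connectionConfig.setSslConfig(newSslConfig(abstractLdapProperties));

        if (abstractLdapProperties.getSaslMechanism() != null) {
            connectionConfig.setConnectionInitializers(newSaslBindInitializer(abstractLdapProperties));
        } else if (CommonHelper.areEquals(abstractLdapProperties.getBindCredential(), "*")
            && CommonHelper.areEquals(abstractLdapProperties.getBindDn(), "*")) {
            // "*" for both bind DN and credential is the sentinel that selects AD fast bind.
            connectionConfig.setConnectionInitializers(new FastBindConnectionInitializer());
        } else if (CommonHelper.isNotBlank(abstractLdapProperties.getBindDn())
            && CommonHelper.isNotBlank(abstractLdapProperties.getBindCredential())) {
            connectionConfig.setConnectionInitializers(new BindConnectionInitializer(
                abstractLdapProperties.getBindDn(), new Credential(abstractLdapProperties.getBindCredential())));
        }
        return connectionConfig;
    }

    /**
     * Chooses the TLS material: explicit trust certificates win over a keystore; with neither,
     * an {@link SslConfig} with no credential configuration is used.
     */
    private static SslConfig newSslConfig(AbstractLdapProperties props) {
        if (props.getTrustCertificates() != null) {
            final X509CredentialConfig x509 = new X509CredentialConfig();
            x509.setTrustCertificates(props.getTrustCertificates());
            return new SslConfig(x509);
        }
        if (props.getKeystore() != null) {
            final KeyStoreCredentialConfig keyStore = new KeyStoreCredentialConfig();
            keyStore.setKeyStore(props.getKeystore());
            keyStore.setKeyStorePassword(props.getKeystorePassword());
            keyStore.setKeyStoreType(props.getKeystoreType());
            return new SslConfig(keyStore);
        }
        return new SslConfig();
    }

    /**
     * Builds the SASL bind initializer for the configured mechanism.
     *
     * <p>CRAM-MD5 and DIGEST-MD5 are legacy challenge-response mechanisms (DIGEST-MD5 was moved
     * to Historic status by RFC 6331). They are accepted here for compatibility; deployments
     * should prefer GSSAPI or EXTERNAL where the directory supports them.
     */
    private static BindConnectionInitializer newSaslBindInitializer(AbstractLdapProperties props) {
        final BindConnectionInitializer initializer = new BindConnectionInitializer();
        final SaslConfig saslConfig;
        switch (props.getSaslMechanism()) {
            case DIGEST_MD5:
                saslConfig = SaslConfig.builder().mechanism(Mechanism.DIGEST_MD5).realm(props.getSaslRealm()).build();
                break;
            case CRAM_MD5:
                saslConfig = SaslConfig.builder().mechanism(Mechanism.CRAM_MD5).build();
                break;
            case EXTERNAL:
                saslConfig = SaslConfig.builder().mechanism(Mechanism.EXTERNAL).build();
                break;
            case GSSAPI:
                saslConfig = SaslConfig.builder().mechanism(Mechanism.GSSAPI).realm(props.getSaslRealm()).build();
                break;
            default:
                throw new IllegalArgumentException("Unknown SASL mechanism " + props.getSaslMechanism().name());
        }
        saslConfig.setAuthorizationId(props.getSaslAuthorizationId());
        saslConfig.setMutualAuthentication(props.getSaslMutualAuth());
        saslConfig.setQualityOfProtection(props.getSaslQualityOfProtection());
        saslConfig.setSecurityStrength(props.getSaslSecurityStrength());
        initializer.setBindSaslConfig(saslConfig);
        return initializer;
    }

    /**
     * Creates and initializes a connection pool for the given settings.
     *
     * <p>Each call opens a new pool; the caller owns it and is responsible for closing it.
     *
     * @param abstractLdapProperties pool sizing, validation, pruning and passivator settings
     * @return the initialized pool
     * @throws IllegalArgumentException if the configured pool passivator name is not a known
     *         {@code LdapConnectionPoolPassivator} constant
     */
    public static PooledConnectionFactory newPooledConnectionFactory(AbstractLdapProperties abstractLdapProperties) {
        final PooledConnectionFactory pool = new PooledConnectionFactory(newConnectionConfig(abstractLdapProperties));
        pool.setBlockWaitTime(newDuration(abstractLdapProperties.getBlockWaitTime()));
        pool.setMinPoolSize(abstractLdapProperties.getMinPoolSize());
        pool.setMaxPoolSize(abstractLdapProperties.getMaxPoolSize());
        pool.setValidateOnCheckOut(abstractLdapProperties.isValidateOnCheckout());
        pool.setValidatePeriodically(abstractLdapProperties.isValidatePeriodically());

        final IdlePruneStrategy pruneStrategy = new IdlePruneStrategy();
        pruneStrategy.setIdleTime(newDuration(abstractLdapProperties.getIdleTime()));
        pruneStrategy.setPrunePeriod(newDuration(abstractLdapProperties.getPrunePeriod()));
        pool.setPruneStrategy(pruneStrategy);
        pool.setFailFastInitialize(abstractLdapProperties.isFailFast());

        final SearchConnectionValidator validator = new SearchConnectionValidator();
        validator.setValidatePeriod(newDuration(abstractLdapProperties.getValidatePeriod()));
        pool.setValidator(validator);

        if (CommonHelper.isNotBlank(abstractLdapProperties.getPoolPassivator())) {
            // Locale.ROOT keeps the enum lookup independent of the JVM's default locale; under a
            // Turkish locale "bind" would upper-case to a dotted capital I and valueOf would throw.
            final String passivatorName = abstractLdapProperties.getPoolPassivator().toUpperCase(Locale.ROOT);
            // Constants other than CLOSE and BIND leave the pool without a passivator.
            switch (AbstractLdapProperties.LdapConnectionPoolPassivator.valueOf(passivatorName)) {
                case CLOSE:
                    pool.setPassivator(connection -> {
                        connection.close();
                        return true;
                    });
                    break;
                case BIND:
                    // Re-binds as the configured bind account whenever a connection is returned to the pool.
                    // NOTE(review): the bind DN and credential are not checked for blank values on this
                    // path; confirm how ldaptive treats a rebind request built from blank values.
                    LOGGER.debug("Creating a bind passivator instance for the connection pool");
                    pool.setPassivator(new BindConnectionPassivator(new SimpleBindRequest(
                        abstractLdapProperties.getBindDn(), new Credential(abstractLdapProperties.getBindCredential()))));
                    break;
            }
        }
        // The bind DN is logged; the bind credential deliberately is not.
        LOGGER.debug("Initializing ldap connection pool for {} and bindDn {}", abstractLdapProperties.getLdapUrl(), abstractLdapProperties.getBindDn());
        pool.initialize();
        return pool;
    }

    /**
     * Converts a number of seconds into a {@link Duration}.
     *
     * @param j the length in seconds
     * @return the equivalent duration
     */
    public static Duration newDuration(long j) {
        return Duration.ofSeconds(j);
    }

    /**
     * Builds a subtree search request that returns all user attributes.
     *
     * @param str the base DN to search under
     * @param filterTemplate the search filter
     * @return the search request
     */
    public static SearchRequest newSearchRequest(String str, FilterTemplate filterTemplate) {
        final SearchRequest request = new SearchRequest(str, filterTemplate, new String[0]);
        request.setReturnAttributes(ReturnAttributes.ALL_USER.value());
        request.setSearchScope(SearchScope.SUBTREE);
        return request;
    }

    /**
     * Builds a filter template and binds the given values to it.
     *
     * <p>Values are bound as template parameters instead of being concatenated into the filter
     * string, which leaves escaping of the values to ldaptive. The filter expression itself
     * ({@code str}) is used verbatim and must come from trusted configuration, never from
     * request data.
     *
     * <p>A value at index {@code i} is bound positionally when the filter contains
     * <code>{i}</code>; otherwise it is bound to the named parameter {@code user}, so when
     * several values lack a positional placeholder the last one wins.
     *
     * @param str the filter expression with positional or {@code user} placeholders
     * @param strArr the values to bind; may be {@code null}
     * @return the populated filter template
     */
    public static FilterTemplate newSearchFilter(String str, String... strArr) {
        final FilterTemplate filterTemplate = new FilterTemplate();
        filterTemplate.setFilter(str);
        if (strArr != null) {
            for (int i = 0; i < strArr.length; i++) {
                if (filterTemplate.getFilter().contains("{" + i + "}")) {
                    filterTemplate.setParameter(i, strArr[i]);
                } else {
                    filterTemplate.setParameter("user", strArr[i]);
                }
            }
        }
        // Only format the filter (which embeds the supplied user values) when it will be logged.
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Constructed LDAP search filter [{}]", filterTemplate.format());
        }
        return filterTemplate;
    }

    /**
     * Builds a subtree search operation that returns all attributes.
     *
     * @param str the base DN to search under
     * @param str2 the filter expression, handled as in {@link #newSearchFilter}
     * @param strArr the values to bind into the filter
     * @return the search operation; no connection factory is set on it here
     */
    public static SearchOperation newSearchOperation(String str, String str2, String... strArr) {
        final SearchOperation operation = new SearchOperation();
        operation.setRequest((SearchRequest) SearchRequest.builder()
            .dn(str)
            .filter(newSearchFilter(str2, strArr))
            .returnAttributes(ReturnAttributes.ALL.value())
            .scope(SearchScope.SUBTREE)
            .build());
        return operation;
    }
}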
