package org.jasig.cas.authorization.generator;

import java.util.Iterator;
import java.util.Locale;
import javax.annotation.Nullable;
import javax.validation.constraints.NotNull;
import org.aspectj.lang.JoinPoint;
import org.aspectj.runtime.internal.AroundClosure;
import org.aspectj.runtime.reflect.Factory;
import org.jasig.inspektr.aspect.TraceLogAspect;
import org.ldaptive.ConnectionFactory;
import org.ldaptive.LdapAttribute;
import org.ldaptive.LdapEntry;
import org.ldaptive.LdapException;
import org.ldaptive.Response;
import org.ldaptive.SearchExecutor;
import org.ldaptive.SearchFilter;
import org.ldaptive.SearchResult;
import org.pac4j.core.authorization.AuthorizationGenerator;
import org.pac4j.core.exception.AccountNotFoundException;
import org.pac4j.core.profile.CommonProfile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

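/**
 * Adds roles to a pac4j {@link CommonProfile} from two LDAP searches: one that resolves the
 * profile id to a directory entry, and one that finds role entries for that entry's DN.
 *
 * <p>This listing is decompiler output of an AspectJ-woven class: {@link #generate} only
 * dispatches through {@code TraceLogAspect}, and the real logic lives in
 * {@link #generate_aroundBody0}. The {@code ajc$}-prefixed members are weaving scaffolding.
 *
 * <p>Security-relevant behaviour:
 * <ul>
 *   <li>Roles are added only after both searches succeed; every failure path throws, so an
 *       error never yields a partially trusted result from a failed lookup.</li>
 *   <li>Every value of the role attribute on every entry the role search returns becomes a
 *       granted role. The role search base and filter therefore define who can grant roles:
 *       they should match only entries administered as authorization groups.</li>
 *   <li>With {@code allowMultipleResults=true} the first user entry returned is used for the
 *       role lookup; directory ordering then decides which identity is authorized.</li>
 *   <li>DEBUG logging prints the formatted filters and the full search responses, which
 *       contain directory data.</li>
 * </ul>
 */
@Component("ldapAuthorizationGenerator")
public class LdapAuthorizationGenerator implements AuthorizationGenerator<CommonProfile> {
    public static final String DEFAULT_ROLE_PREFIX = "ROLE_";

    // The three collaborators are optional at wiring time (required = false), so they can be
    // null when generate() is called; generate_aroundBody0 checks them before use.
    @Autowired(required = false)
    @Nullable
    @Qualifier("ldapAuthorizationGeneratorConnectionFactory")
    private ConnectionFactory connectionFactory;

    @Autowired(required = false)
    @Nullable
    @Qualifier("ldapAuthorizationGeneratorUserSearchExecutor")
    private SearchExecutor userSearchExecutor;

    @Autowired(required = false)
    @Nullable
    @Qualifier("ldapAuthorizationGeneratorRoleSearchExecutor")
    private SearchExecutor roleSearchExecutor;

    // The placeholder defaults to the empty string, which @NotNull does not reject. An unset
    // property therefore surfaces at lookup time, not at startup.
    @NotNull
    @Value("${ldap.authorizationgenerator.user.attr:}")
    private String userAttributeName;

    // Same empty-string default as userAttributeName.
    @NotNull
    @Value("${ldap.authorizationgenerator.role.attr:}")
    private String roleAttributeName;

    @Value("${ldap.authorizationgenerator.allow.multiple:false}")
    private boolean allowMultipleResults;

    // AspectJ join point descriptor for generate(); assigned once by ajc$preClinit(). The
    // decompiler rendered it as "static final ... = null", which cannot be reassigned in Java
    // source, so it is declared non-final here.
    private static JoinPoint.StaticPart ajc$tjp_0;

    private final Logger logger = LoggerFactory.getLogger(getClass());

    @NotNull
    @Value("${ldap.authorizationgenerator.role.prefix:ROLE_}")
    private String rolePrefix = DEFAULT_ROLE_PREFIX;

    /**
     * AspectJ-generated closure that lets the tracing advice invoke the original body of
     * {@code generate}. State slots: [0] this generator, [1] the profile, [2] the join point.
     */
    public class AjcClosure1 extends AroundClosure {
        public AjcClosure1(Object[] objArr) {
            super(objArr);
        }

        public Object run(Object[] objArr) {
            Object[] captured = ((AroundClosure) this).state;
            LdapAuthorizationGenerator.generate_aroundBody0(
                    (LdapAuthorizationGenerator) captured[0],
                    (CommonProfile) captured[1],
                    (JoinPoint) captured[2]);
            return null;
        }
    }

    /** Creates an instance whose collaborators and attribute names are injected by Spring. */
    public LdapAuthorizationGenerator() {
    }

    /**
     * Creates a fully configured instance without relying on field injection.
     *
     * @param connectionFactory  source of LDAP connections for both searches
     * @param userSearchExecutor executor whose filter resolves a profile id to a user entry
     * @param roleSearchExecutor executor whose filter finds role entries for a user DN
     * @param userAttributeName  attribute that must be present on the user entry
     * @param roleAttributeName  attribute whose values are turned into roles
     */
    public LdapAuthorizationGenerator(ConnectionFactory connectionFactory, SearchExecutor userSearchExecutor, SearchExecutor roleSearchExecutor, String userAttributeName, String roleAttributeName) {
        this.connectionFactory = connectionFactory;
        this.userSearchExecutor = userSearchExecutor;
        this.roleSearchExecutor = roleSearchExecutor;
        this.userAttributeName = userAttributeName;
        this.roleAttributeName = roleAttributeName;
    }

    /**
     * Sets the prefix prepended to every role name.
     *
     * @param rolePrefix the prefix, {@link #DEFAULT_ROLE_PREFIX} by default
     */
    public void setRolePrefix(String rolePrefix) {
        this.rolePrefix = rolePrefix;
    }

    /**
     * Controls whether a user search that matches more than one entry is accepted.
     *
     * @param allowMultipleResults {@code true} to accept several matches and use the first one
     */
    public void setAllowMultipleResults(boolean allowMultipleResults) {
        this.allowMultipleResults = allowMultipleResults;
    }

    /**
     * Adds the LDAP-derived roles to the given profile. The woven form routes the call through
     * {@code TraceLogAspect.traceMethod}; the work itself is done by
     * {@link #generate_aroundBody0}.
     *
     * @param commonProfile the authenticated profile whose id is looked up in LDAP
     */
    public void generate(CommonProfile commonProfile) {
        // 69648 is the flag word the AspectJ weaver emitted for this closure; keep it as generated.
        TraceLogAspect.aspectOf().traceMethod(new AjcClosure1(new Object[]{this, commonProfile, Factory.makeJP(ajc$tjp_0, this, this, commonProfile)}).linkClosureAndJoinPoint(69648));
    }

    /**
     * Builds a filter from the executor's configured filter template with {@code value} bound
     * as positional parameter 0.
     *
     * <p>The value is bound as a parameter and never concatenated into the filter text;
     * ldaptive is expected to escape filter metacharacters when the filter is formatted. Keep
     * it that way: the profile id originates outside this class.
     *
     * @param searchExecutor executor that supplies the filter template
     * @param value          the profile id or user DN to bind
     * @return a new filter, independent of the executor's own filter instance
     */
    private SearchFilter createSearchFilter(SearchExecutor searchExecutor, String value) {
        SearchFilter searchFilter = new SearchFilter();
        searchFilter.setFilter(searchExecutor.getSearchFilter().getFilter());
        searchFilter.setParameter(0, value);
        this.logger.debug("Constructed LDAP search filter [{}]", searchFilter.format());
        return searchFilter;
    }

    static {
        ajc$preClinit();
    }

    /**
     * Original body of {@code generate}, extracted by the AspectJ weaver.
     *
     * @param generator the instance {@code generate} was called on
     * @param profile   the profile to enrich with roles
     * @param joinPoint the join point of the traced call (unused here)
     * @throws AccountNotFoundException if the user search returns no entry
     * @throws IllegalStateException    if a collaborator is missing, if several user entries
     *                                  match and that is not allowed, or if the user entry
     *                                  lacks the configured user attribute
     * @throws RuntimeException         wrapping an {@link LdapException} from either search
     */
    static final void generate_aroundBody0(LdapAuthorizationGenerator generator, CommonProfile profile, JoinPoint joinPoint) {
        String id = profile.getId();
        // The collaborators are injected with required = false. Report a missing one as a
        // configuration error so it does not surface as a bare NullPointerException.
        if (generator.connectionFactory == null
                || generator.userSearchExecutor == null
                || generator.roleSearchExecutor == null) {
            throw new IllegalStateException("LDAP authorization generator is missing its connection factory or a search executor.");
        }
        try {
            generator.logger.debug("Attempting to get details for user {}.", id);
            Response userResponse = generator.userSearchExecutor.search(generator.connectionFactory, generator.createSearchFilter(generator.userSearchExecutor, id));
            generator.logger.debug("LDAP user search response: {}", userResponse);
            SearchResult userResult = (SearchResult) userResponse.getResult();
            int matches = userResult.size();
            if (matches == 0) {
                throw new AccountNotFoundException(id + " not found.");
            }
            if (matches > 1) {
                if (!generator.allowMultipleResults) {
                    throw new IllegalStateException("Found multiple results for user which is not allowed (allowMultipleResults=false).");
                }
                // Ambiguous identity: only the first entry drives the role lookup. Log it so
                // the condition is visible to whoever reviews authorization events.
                generator.logger.warn("Found {} LDAP entries for user {}; roles are resolved from the first entry only.", matches, id);
            }
            LdapEntry userEntry = userResult.getEntry();
            String dn = userEntry.getDn();
            // Only the presence of the user attribute is checked; the role search is keyed on the DN.
            if (userEntry.getAttribute(generator.userAttributeName) == null) {
                throw new IllegalStateException(generator.userAttributeName + " attribute not found in results.");
            }
            try {
                generator.logger.debug("Attempting to get roles for user {}.", dn);
                Response roleResponse = generator.roleSearchExecutor.search(generator.connectionFactory, generator.createSearchFilter(generator.roleSearchExecutor, dn));
                generator.logger.debug("LDAP role search response: {}", roleResponse);
                for (LdapEntry roleEntry : ((SearchResult) roleResponse.getResult()).getEntries()) {
                    LdapAttribute roleAttribute = roleEntry.getAttribute(generator.roleAttributeName);
                    if (roleAttribute == null) {
                        generator.logger.warn("Role attribute not found on entry {}", roleEntry);
                        continue;
                    }
                    for (String roleValue : roleAttribute.getStringValues()) {
                        // Locale.ROOT keeps role names stable regardless of the JVM default
                        // locale (a Turkish locale would map "i" to a dotted capital I and
                        // produce a role name no access rule matches).
                        profile.addRole(generator.rolePrefix + roleValue.toUpperCase(Locale.ROOT));
                    }
                }
            } catch (LdapException e) {
                throw new RuntimeException("LDAP error fetching roles for user.", e);
            }
        } catch (LdapException e2) {
            throw new RuntimeException("LDAP error fetching details for user.", e2);
        }
    }

    /** Builds the static join point descriptor for {@code generate}; run once from the static initializer. */
    private static void ajc$preClinit() {
        Factory factory = new Factory("LdapAuthorizationGenerator.java", LdapAuthorizationGenerator.class);
        // NOTE(review): the trailing 160 looks like the source line of generate() recorded by the weaver; confirm.
        ajc$tjp_0 = factory.makeSJP("method-execution", factory.makeMethodSig("1", "generate", "org.jasig.cas.authorization.generator.LdapAuthorizationGenerator", "org.pac4j.core.profile.CommonProfile", "profile", "", "void"), 160);
    }
}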
