package org.opendaylight.aaa.shiro.realm;

import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapContext;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.ldap.DefaultLdapRealm;
import org.apache.shiro.realm.ldap.LdapContextFactory;
import org.apache.shiro.realm.ldap.LdapUtils;
import org.apache.shiro.subject.PrincipalCollection;
import org.opendaylight.aaa.shiro.realm.mapping.api.GroupsToRolesMappingStrategy;
import org.opendaylight.aaa.shiro.realm.mapping.impl.BestAttemptGroupToRolesMappingStrategy;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/opendaylight/aaa/shiro/realm/ODLJndiLdapRealm.class */
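/**
 * Shiro LDAP realm used by ODL AAA.
 *
 * <p>Authentication is delegated to {@link DefaultLdapRealm}. Authorization performs a
 * subtree search for the user's entry under {@code searchBase} and turns the values of
 * {@code ldapAttributeForComparison} (by default {@code objectClass}) into role names,
 * optionally translated through {@code groupRolesMap} by the configured
 * {@link GroupsToRolesMappingStrategy}.
 *
 * <p>The username is passed to JNDI as a filter <em>argument</em> rather than being
 * formatted into the filter string, so characters such as {@code *}, {@code (} and
 * {@code )} in a principal cannot change the shape of the LDAP query.
 */
public class ODLJndiLdapRealm extends DefaultLdapRealm {
    private static final String DEFAULT_LDAP_ATTRIBUTE_FOR_COMPARISON = "objectClass";
    private static final String UID = "uid";
    private static final String ROLE_NAMES_DELIMITER = ",";
    /**
     * JNDI filter template. {@code {0}} is replaced from the {@code filterArgs} array by
     * {@link LdapContext#search(String, String, Object[], SearchControls)}, which escapes
     * the value per the LDAP filter grammar.
     */
    private static final String USER_SEARCH_FILTER = UID + "={0}";
    private static final Logger LOG = LoggerFactory.getLogger(ODLJndiLdapRealm.class);
    private static final GroupsToRolesMappingStrategy GROUPS_TO_ROLES_MAPPING_STRATEGY =
            new BestAttemptGroupToRolesMappingStrategy();

    // Defaults to the inherited user DN suffix; setSearchBase(String) overrides it.
    private String searchBase = super.getUserDnSuffix();
    private String ldapAttributeForComparison = DEFAULT_LDAP_ATTRIBUTE_FOR_COMPARISON;
    // May stay null, in which case the raw LDAP attribute values are used as role names.
    private Map<String, String> groupRolesMap;

    public ODLJndiLdapRealm() {
        LOG.debug("Creating ODLJndiLdapRealm");
    }

    /**
     * Authenticates the token against LDAP after logging the incoming connection.
     *
     * @param authenticationToken the token submitted by the caller
     * @return the authentication info, or {@code null} when the principal is not a
     *         {@link String} (Shiro treats {@code null} as "account not found")
     * @throws AuthenticationException propagated from {@link DefaultLdapRealm}
     */
    @Override
    public AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
            throws AuthenticationException {
        try {
            logIncomingConnection(getUsername(authenticationToken));
            return super.doGetAuthenticationInfo(authenticationToken);
        } catch (ClassCastException e) {
            LOG.info("Couldn't service the LDAP connection", e);
            return null;
        }
    }

    /**
     * Logs the principal of an incoming LDAP-backed authentication attempt.
     *
     * @param str the username, possibly {@code null}
     */
    protected void logIncomingConnection(String str) {
        LOG.info("AAA LDAP connection from {}", str);
    }

    /**
     * Extracts the username from a token.
     *
     * @param authenticationToken the token, possibly {@code null}
     * @return the principal as a string, or {@code null} for a {@code null} token
     * @throws ClassCastException if the principal is not a {@link String}
     */
    public static String getUsername(AuthenticationToken authenticationToken) throws ClassCastException {
        return authenticationToken == null ? null : (String) authenticationToken.getPrincipal();
    }

    /**
     * Extracts the username from a principal collection.
     *
     * @param principalCollection the principals, possibly {@code null}
     * @return the available principal as a string, or {@code null} for a {@code null}
     *         collection
     * @throws ClassCastException if the available principal is not a {@link String}
     */
    protected String getUsername(PrincipalCollection principalCollection) throws ClassCastException {
        return principalCollection == null ? null : (String) getAvailablePrincipal(principalCollection);
    }

    /**
     * Looks up authorization info, returning {@code null} (no roles granted) when the
     * directory cannot be queried.
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        try {
            return queryForAuthorizationInfo(principalCollection, getContextFactory());
        } catch (NamingException e) {
            LOG.error("Unable to query for AuthZ info", e);
            return null;
        }
    }

    /**
     * Queries LDAP for the roles of the user in {@code principalCollection} using the
     * system (service) context, which is always closed afterwards.
     *
     * @return the authorization info, or {@code null} if the principal is not a string
     * @throws NamingException on LDAP errors
     */
    @Override
    protected AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection principalCollection,
            LdapContextFactory ldapContextFactory) throws NamingException {
        final String username;
        try {
            username = getUsername(principalCollection);
        } catch (ClassCastException e) {
            LOG.error("Unable to extract a valid user", e);
            return null;
        }
        LdapContext systemLdapContext = ldapContextFactory.getSystemLdapContext();
        try {
            return buildAuthorizationInfo(getRoleNamesForUser(username, systemLdapContext));
        } finally {
            LdapUtils.closeContext(systemLdapContext);
        }
    }

    /**
     * Wraps a set of role names as authorization info.
     *
     * @param set the role names, possibly {@code null}
     * @return {@code null} when {@code set} is {@code null}, otherwise a
     *         {@link SimpleAuthorizationInfo} holding the roles
     */
    public static AuthorizationInfo buildAuthorizationInfo(Set<String> set) {
        return set == null ? null : new SimpleAuthorizationInfo(set);
    }

    /**
     * Searches the directory for the user's entry and derives role names from the
     * configured comparison attribute.
     *
     * @param str the username to look up; a {@code null} username yields no roles
     * @param ldapContext an open context used for the search
     * @return the role names in the order they were encountered; never {@code null}
     * @throws NamingException on LDAP errors
     */
    protected Set<String> getRoleNamesForUser(String str, LdapContext ldapContext) throws NamingException {
        Set<String> roleNames = new LinkedHashSet<>();
        if (str == null) {
            LOG.debug("No username available, so no LDAP group lookup is attempted");
            return roleNames;
        }
        SearchControls searchControls = createSearchControls();
        LOG.debug("Asking the configured LDAP about which groups uid=\"{}\" belongs to using searchBase=\"{}\" ldapAttributeForComparison=\"{}\"", str, this.searchBase, this.ldapAttributeForComparison);
        // The username travels in filterArgs so JNDI escapes it; building the filter with
        // String.format would let a crafted principal inject filter syntax.
        NamingEnumeration<SearchResult> search =
                ldapContext.search(this.searchBase, USER_SEARCH_FILTER, new Object[] {str}, searchControls);
        try {
            while (search.hasMoreElements()) {
                Attributes attributes = search.next().getAttributes();
                if (attributes == null) {
                    continue;
                }
                NamingEnumeration<? extends Attribute> all = attributes.getAll();
                try {
                    while (all.hasMore()) {
                        Attribute attribute = all.next();
                        LOG.debug("LDAP returned \"{}\" attribute for \"{}\"", attribute.getID(), str);
                        if (attribute.getID().equals(this.ldapAttributeForComparison)) {
                            roleNames.addAll(mapAttributeValuesToRoles(attribute, str));
                        }
                    }
                } finally {
                    all.close();
                }
            }
        } finally {
            search.close();
        }
        return roleNames;
    }

    /**
     * Maps the values of one matching attribute to role names, applying
     * {@code groupRolesMap} when one is configured.
     *
     * @param attribute the attribute whose values are LDAP group names
     * @param username the user being resolved, for logging only
     * @return the role names for this attribute; never {@code null}
     * @throws NamingException if the attribute values cannot be read
     */
    private Collection<String> mapAttributeValuesToRoles(Attribute attribute, String username)
            throws NamingException {
        Collection<String> allAttributeValues = LdapUtils.getAllAttributeValues(attribute);
        Map<String, Set<String>> mapGroupsToRoles = GROUPS_TO_ROLES_MAPPING_STRATEGY.mapGroupsToRoles(
                allAttributeValues, ROLE_NAMES_DELIMITER, this.groupRolesMap);
        if (this.groupRolesMap == null) {
            LOG.debug("Since groupRolesMap was unspecified, no mapping is attempted so the role names are set to the extracted group names");
            if (LOG.isDebugEnabled()) {
                for (String groupName : allAttributeValues) {
                    LOG.debug("Mapped the \"{}\" LDAP group to \"{}\" ODL role for \"{}\"", groupName, groupName, username);
                }
            }
            return allAttributeValues;
        }
        Collection<String> roles = new HashSet<>();
        for (Set<String> mappedRoles : mapGroupsToRoles.values()) {
            roles.addAll(mappedRoles);
        }
        if (LOG.isDebugEnabled()) {
            for (Map.Entry<String, Set<String>> entry : mapGroupsToRoles.entrySet()) {
                LOG.debug("Mapped the \"{}\" LDAP group to \"{}\" ODL role for \"{}\"", entry.getKey(), entry.getValue(), username);
            }
        }
        return roles;
    }

    /**
     * Builds the controls for the user search: a subtree search below the search base.
     */
    protected static SearchControls createSearchControls() {
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        return searchControls;
    }

    @Override
    public String getUserDnSuffix() {
        return super.getUserDnSuffix();
    }

    /** Sets the DN under which user entries are searched. */
    public void setSearchBase(String str) {
        this.searchBase = str;
    }

    /** Sets the attribute whose values are treated as the user's LDAP groups. */
    public void setLdapAttributeForComparison(String str) {
        this.ldapAttributeForComparison = str;
    }

    /** Sets the optional LDAP-group-to-ODL-role mapping; {@code null} disables mapping. */
    public void setGroupRolesMap(Map<String, String> map) {
        this.groupRolesMap = map;
    }
}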
