package org.forgerock.opendj.rest2ldap;

import com.forgerock.opendj.util.ManifestUtil;
import com.sleepycat.je.rep.impl.RepParams;
import java.io.Closeable;
import java.io.File;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledThreadPoolExecutor;
import javax.net.ssl.KeyManager;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509KeyManager;
import org.forgerock.http.Filter;
import org.forgerock.http.Handler;
import org.forgerock.http.HttpApplication;
import org.forgerock.http.HttpApplicationException;
import org.forgerock.http.filter.Filters;
import org.forgerock.http.handler.Handlers;
import org.forgerock.http.handler.HttpClientHandler;
import org.forgerock.http.io.Buffer;
import org.forgerock.http.oauth2.AccessTokenResolver;
import org.forgerock.http.oauth2.OAuth2Error;
import org.forgerock.http.oauth2.resolver.CachingAccessTokenResolver;
import org.forgerock.http.oauth2.resolver.OpenAmAccessTokenResolver;
import org.forgerock.http.protocol.Headers;
import org.forgerock.http.swagger.OpenApiRequestFilter;
import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.i18n.LocalizedIllegalArgumentException;
import org.forgerock.i18n.slf4j.LocalizedLogger;
import org.forgerock.json.JsonValue;
import org.forgerock.json.JsonValueFunctions;
import org.forgerock.json.resource.CrestApplication;
import org.forgerock.json.resource.RequestHandler;
import org.forgerock.json.resource.Resources;
import org.forgerock.json.resource.http.CrestHttp;
import org.forgerock.opendj.ldap.ConnectionFactory;
import org.forgerock.opendj.ldap.DN;
import org.forgerock.opendj.ldap.KeyManagers;
import org.forgerock.opendj.ldap.SearchScope;
import org.forgerock.opendj.ldap.schema.Schema;
import org.forgerock.opendj.rest2ldap.authz.AuthenticationStrategies;
import org.forgerock.opendj.rest2ldap.authz.AuthenticationStrategy;
import org.forgerock.opendj.rest2ldap.authz.Authorization;
import org.forgerock.opendj.rest2ldap.authz.ConditionalFilters;
import org.forgerock.opendj.rest2ldap.authz.CredentialExtractors;
import org.forgerock.util.Factory;
import org.forgerock.util.Function;
import org.forgerock.util.Option;
import org.forgerock.util.Options;
import org.forgerock.util.Pair;
import org.forgerock.util.PerItemEvictionStrategyCache;
import org.forgerock.util.Reject;
import org.forgerock.util.annotations.VisibleForTesting;
import org.forgerock.util.promise.NeverThrowsException;
import org.forgerock.util.time.Duration;
import org.forgerock.util.time.TimeService;
import org.glassfish.grizzly.http.server.Constants;

/* loaded from: input_file:embedded-opendj/opendj.zip:opendj/lib/org.openidentityplatform.opendj.opendj-rest2ldap.jar:org/forgerock/opendj/rest2ldap/Rest2LdapHttpApplication.class */
public class Rest2LdapHttpApplication implements HttpApplication {
    private static final String DEFAULT_ROOT_FACTORY = "root";
    private static final String DEFAULT_BIND_FACTORY = "bind";
    private static final String RESOLVER_CONFIG_OBJECT = "resolver";
    private static final String REALM = "realm";
    private static final String SCOPES = "requiredScopes";
    private static final String AUTHZID_TEMPLATE = "authzIdTemplate";
    private static final String CACHE_EXPIRATION_DEFAULT = "5 minutes";
    private static final String CACHE_CONFIG_OBJECT = "accessTokenCache";
    private static final String CACHE_ENABLED = "enabled";
    private static final String CACHE_EXPIRATION = "cacheExpiration";
    private static final LocalizedLogger logger = LocalizedLogger.getLoggerForThisClass();
    protected final File configDirectory;
    protected final Schema schema;
    private ScheduledExecutorService executorService;
    private TrustManager trustManager;
    private X509KeyManager keyManager;
    private final Map<String, ConnectionFactory> connectionFactories = new HashMap();
    private final Collection<Closeable> closeableResources = new ArrayList();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:embedded-opendj/opendj.zip:opendj/lib/org.openidentityplatform.opendj.opendj-rest2ldap.jar:org/forgerock/opendj/rest2ldap/Rest2LdapHttpApplication$BindStrategy.class */
    public enum BindStrategy {
        SIMPLE("simple"),
        SEARCH("search"),
        SASL_PLAIN("sasl-plain");

        private final String jsonField;

        BindStrategy(String str) {
            this.jsonField = str;
        }

        private static String listValues() {
            ArrayList arrayList = new ArrayList();
            for (BindStrategy bindStrategy : values()) {
                arrayList.add(bindStrategy.jsonField);
            }
            return org.forgerock.util.Utils.joinAsString(",", arrayList);
        }

        static /* synthetic */ String access$100() {
            return listValues();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:embedded-opendj/opendj.zip:opendj/lib/org.openidentityplatform.opendj.opendj-rest2ldap.jar:org/forgerock/opendj/rest2ldap/Rest2LdapHttpApplication$OAuth2ResolverType.class */
    public enum OAuth2ResolverType {
        RFC7662,
        OPENAM,
        CTS,
        FILE;

        private static String listValues() {
            ArrayList arrayList = new ArrayList();
            for (OAuth2ResolverType oAuth2ResolverType : values()) {
                arrayList.add(oAuth2ResolverType.name().toLowerCase());
            }
            return org.forgerock.util.Utils.joinAsString(",", arrayList);
        }

        static /* synthetic */ String access$000() {
            return listValues();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @VisibleForTesting
    /* loaded from: input_file:embedded-opendj/opendj.zip:opendj/lib/org.openidentityplatform.opendj.opendj-rest2ldap.jar:org/forgerock/opendj/rest2ldap/Rest2LdapHttpApplication$Policy.class */
    public enum Policy {
        OAUTH2,
        BASIC,
        ANONYMOUS
    }

    public Rest2LdapHttpApplication() {
        try {
            URL resource = getClass().getResource("/config.json");
            this.configDirectory = resource != null ? new File(resource.toURI()).getParentFile() : null;
            this.schema = Schema.getDefaultSchema();
        } catch (URISyntaxException e) {
            throw new IllegalStateException(e);
        }
    }

    public Rest2LdapHttpApplication(File file, Schema schema) {
        this.configDirectory = (File) Reject.checkNotNull(file, "configDirectory cannot be null");
        this.schema = (Schema) Reject.checkNotNull(schema, "schema cannot be null");
    }

    @Override // org.forgerock.http.HttpApplication
    public final Handler start() throws HttpApplicationException {
        try {
            logger.info(Rest2ldapMessages.INFO_REST2LDAP_STARTING.get(this.configDirectory));
            final ScheduledThreadPoolExecutor scheduledThreadPoolExecutor = new ScheduledThreadPoolExecutor(1);
            scheduledThreadPoolExecutor.setExecuteExistingDelayedTasksAfterShutdownPolicy(false);
            scheduledThreadPoolExecutor.setContinueExistingPeriodicTasksAfterShutdownPolicy(false);
            closeOnStop(new Closeable() { // from class: org.forgerock.opendj.rest2ldap.Rest2LdapHttpApplication.1
                @Override // java.io.Closeable, java.lang.AutoCloseable
                public void close() throws IOException {
                    scheduledThreadPoolExecutor.shutdown();
                }
            });
            this.executorService = scheduledThreadPoolExecutor;
            JsonValue readJson = Rest2LdapJsonConfigurator.readJson(new File(this.configDirectory, "config.json"));
            configureSecurity(readJson.get("security"));
            configureConnectionFactories(readJson.get("ldapConnectionFactories"));
            return Handlers.chainOf(newHttpHandler(configureRest2Ldap(this.configDirectory)), new OpenApiRequestFilter(), new ErrorLoggerFilter(), buildAuthorizationFilter(readJson.get(Constants.AUTHORIZATION_HEADER).required()));
        } catch (Exception e) {
            LocalizableMessage localizableMessage = Rest2ldapMessages.ERR_FAIL_PARSE_CONFIGURATION.get(e.getLocalizedMessage());
            logger.error(localizableMessage, e);
            stop();
            throw new HttpApplicationException(localizableMessage.toString(), e);
        }
    }

    private static RequestHandler configureRest2Ldap(File file) throws IOException {
        File file2 = new File(file, "rest2ldap");
        return Rest2LdapJsonConfigurator.configureEndpoints(new File(file2, "endpoints"), Rest2LdapJsonConfigurator.configureOptions(Rest2LdapJsonConfigurator.readJson(new File(file2, "rest2ldap.json"))));
    }

    private static Handler newHttpHandler(RequestHandler requestHandler) {
        final org.forgerock.json.resource.ConnectionFactory newInternalConnectionFactory = Resources.newInternalConnectionFactory(requestHandler);
        return CrestHttp.newHttpHandler(new CrestApplication() { // from class: org.forgerock.opendj.rest2ldap.Rest2LdapHttpApplication.2
            @Override // org.forgerock.json.resource.CrestApplication
            public org.forgerock.json.resource.ConnectionFactory getConnectionFactory() {
                return org.forgerock.json.resource.ConnectionFactory.this;
            }

            @Override // org.forgerock.json.resource.CrestApplication
            public String getApiId() {
                return "frapi:opendj:rest2ldap";
            }

            @Override // org.forgerock.json.resource.CrestApplication
            public String getApiVersion() {
                return ManifestUtil.getVersionWithRevision("opendj-core");
            }
        });
    }

    private void configureSecurity(JsonValue jsonValue) {
        this.trustManager = Rest2LdapJsonConfigurator.configureTrustManager(jsonValue);
        this.keyManager = Rest2LdapJsonConfigurator.configureKeyManager(jsonValue);
    }

    /* JADX WARN: Multi-variable type inference failed */
    private void configureConnectionFactories(JsonValue jsonValue) {
        jsonValue.get(DEFAULT_ROOT_FACTORY).required();
        this.connectionFactories.clear();
        for (String str : jsonValue.keys()) {
            this.connectionFactories.put(str, closeOnStop(Rest2LdapJsonConfigurator.configureConnectionFactory(jsonValue, str, this.trustManager, this.keyManager)));
        }
    }

    private <T extends Closeable> T closeOnStop(T t) {
        this.closeableResources.add(t);
        return t;
    }

    @Override // org.forgerock.http.HttpApplication
    public Factory<Buffer> getBufferFactory() {
        return null;
    }

    @Override // org.forgerock.http.HttpApplication
    public void stop() {
        org.forgerock.util.Utils.closeSilently(this.closeableResources);
        this.closeableResources.clear();
        this.connectionFactories.clear();
        this.executorService = null;
    }

    private Filter buildAuthorizationFilter(JsonValue jsonValue) throws HttpApplicationException {
        Set set = (Set) jsonValue.get("policies").as(JsonValueFunctions.setOf(JsonValueFunctions.enumConstant(Policy.class)));
        ArrayList arrayList = new ArrayList(set.size());
        if (set.contains(Policy.OAUTH2)) {
            arrayList.add(buildOAuth2Filter(jsonValue.get("oauth2")));
        }
        if (set.contains(Policy.BASIC)) {
            arrayList.add(buildBasicFilter(jsonValue.get(RepParams.ChannelTypeConfigParam.BASIC)));
        }
        if (set.contains(Policy.ANONYMOUS)) {
            arrayList.add(buildAnonymousFilter(jsonValue.get("anonymous")));
        }
        return Authorization.newAuthorizationFilter(arrayList);
    }

    @VisibleForTesting
    ConditionalFilters.ConditionalFilter buildOAuth2Filter(JsonValue jsonValue) throws HttpApplicationException {
        ConditionalFilters.ConditionalFilter newConditionalOAuth2ResourceServerFilter = Authorization.newConditionalOAuth2ResourceServerFilter(jsonValue.get("realm").defaultTo("no_realm").asString(), (Set) jsonValue.get(SCOPES).required().as(JsonValueFunctions.setOf(String.class)), createCachedTokenResolverIfNeeded(jsonValue, parseUnderlyingResolver(jsonValue)), jsonValue.get(jsonValue.get(RESOLVER_CONFIG_OBJECT).asString()).get(AUTHZID_TEMPLATE).required().asString());
        return ConditionalFilters.newConditionalFilter(Filters.chainOf(newConditionalOAuth2ResourceServerFilter.getFilter(), newProxyAuthzFilter(getConnectionFactory(DEFAULT_ROOT_FACTORY))), newConditionalOAuth2ResourceServerFilter.getCondition());
    }

    @VisibleForTesting
    AccessTokenResolver createCachedTokenResolverIfNeeded(JsonValue jsonValue, AccessTokenResolver accessTokenResolver) {
        JsonValue jsonValue2 = jsonValue.get(CACHE_CONFIG_OBJECT);
        if (jsonValue2.isNull() || !jsonValue2.get(CACHE_ENABLED).defaultTo(Boolean.FALSE).asBoolean().booleanValue()) {
            return accessTokenResolver;
        }
        Duration parseCacheExpiration = parseCacheExpiration(jsonValue2.get(CACHE_EXPIRATION).defaultTo(CACHE_EXPIRATION_DEFAULT));
        PerItemEvictionStrategyCache perItemEvictionStrategyCache = new PerItemEvictionStrategyCache(this.executorService, parseCacheExpiration);
        perItemEvictionStrategyCache.setMaxTimeout(parseCacheExpiration);
        return new CachingAccessTokenResolver(TimeService.SYSTEM, accessTokenResolver, perItemEvictionStrategyCache);
    }

    @VisibleForTesting
    AccessTokenResolver parseUnderlyingResolver(JsonValue jsonValue) throws HttpApplicationException {
        JsonValue required = jsonValue.get(RESOLVER_CONFIG_OBJECT).required();
        switch ((OAuth2ResolverType) required.as(JsonValueFunctions.enumConstant(OAuth2ResolverType.class))) {
            case RFC7662:
                return parseRfc7662Resolver(jsonValue);
            case OPENAM:
                JsonValue jsonValue2 = jsonValue.get("openam");
                return new OpenAmAccessTokenResolver(newHttpClientHandler(jsonValue2), TimeService.SYSTEM, jsonValue2.get("endpointUrl").required().asString());
            case CTS:
                JsonValue required2 = jsonValue.get("cts").required();
                return Authorization.newCtsAccessTokenResolver(getConnectionFactory(required2.get("ldapConnectionFactory").defaultTo(DEFAULT_ROOT_FACTORY).asString()), required2.get("baseDn").required().asString());
            case FILE:
                return Authorization.newFileAccessTokenResolver(jsonValue.get("file").get("folderPath").required().asString());
            default:
                throw Utils.newJsonValueException(required, Rest2ldapMessages.ERR_CONFIG_OAUTH2_UNSUPPORTED_ACCESS_TOKEN_RESOLVER.get(required.getObject(), OAuth2ResolverType.access$000()));
        }
    }

    private AccessTokenResolver parseRfc7662Resolver(JsonValue jsonValue) throws HttpApplicationException {
        JsonValue required = jsonValue.get("rfc7662").required();
        String asString = required.get("endpointUrl").required().asString();
        try {
            return Authorization.newRfc7662AccessTokenResolver(newHttpClientHandler(required), new URI(asString), required.get("clientId").required().asString(), required.get("clientSecret").required().asString());
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException(Rest2ldapMessages.ERR_CONFIG_OAUTH2_INVALID_INTROSPECT_URL.get(asString, e.getLocalizedMessage()).toString(), e);
        }
    }

    private HttpClientHandler newHttpClientHandler(JsonValue jsonValue) throws HttpApplicationException {
        Options defaultOptions = Options.defaultOptions();
        if (this.trustManager != null) {
            defaultOptions.set(HttpClientHandler.OPTION_TRUST_MANAGERS, new TrustManager[]{this.trustManager});
        }
        if (this.keyManager != null) {
            String asString = jsonValue.get("sslCertAlias").asString();
            Option<KeyManager[]> option = HttpClientHandler.OPTION_KEY_MANAGERS;
            KeyManager[] keyManagerArr = new KeyManager[1];
            keyManagerArr[0] = asString != null ? KeyManagers.useSingleCertificate(asString, this.keyManager) : this.keyManager;
            defaultOptions.set(option, keyManagerArr);
        }
        return (HttpClientHandler) closeOnStop(new HttpClientHandler(defaultOptions));
    }

    private Duration parseCacheExpiration(JsonValue jsonValue) {
        try {
            Duration duration = (Duration) jsonValue.as(JsonValueFunctions.duration());
            if (duration.isZero() || duration.isUnlimited()) {
                throw Utils.newJsonValueException(jsonValue, duration.isZero() ? Rest2ldapMessages.ERR_CONFIG_OAUTH2_CACHE_ZERO_DURATION.get() : Rest2ldapMessages.ERR_CONFIG_OAUTH2_CACHE_UNLIMITED_DURATION.get());
            }
            return duration;
        } catch (Exception e) {
            throw Utils.newJsonValueException(jsonValue, Rest2ldapMessages.ERR_CONFIG_OAUTH2_CACHE_INVALID_DURATION.get(jsonValue.toString()));
        }
    }

    protected Filter newProxyAuthzFilter(ConnectionFactory connectionFactory) {
        return Authorization.newProxyAuthorizationFilter(connectionFactory);
    }

    private ConditionalFilters.ConditionalFilter buildAnonymousFilter(JsonValue jsonValue) {
        return newAnonymousFilter(getConnectionFactory(jsonValue.get("ldapConnectionFactory").defaultTo(DEFAULT_ROOT_FACTORY).asString()));
    }

    protected ConditionalFilters.ConditionalFilter newAnonymousFilter(ConnectionFactory connectionFactory) {
        return Authorization.newConditionalDirectConnectionFilter(connectionFactory);
    }

    protected ConnectionFactory getConnectionFactory(String str) {
        return this.connectionFactories.get(str);
    }

    private ConditionalFilters.ConditionalFilter buildBasicFilter(JsonValue jsonValue) {
        String asString = jsonValue.get(DEFAULT_BIND_FACTORY).required().asString();
        return newBasicAuthenticationFilter(buildBindStrategy(BindStrategy.valueOf(asString.toUpperCase().replace('-', '_')), jsonValue.get(asString).required()), jsonValue.get("supportAltAuthentication").defaultTo(Boolean.FALSE).asBoolean().booleanValue() ? CredentialExtractors.newCustomHeaderExtractor(jsonValue.get("altAuthenticationUsernameHeader").required().asString(), jsonValue.get("altAuthenticationPasswordHeader").required().asString()) : CredentialExtractors.httpBasicExtractor());
    }

    protected ConditionalFilters.ConditionalFilter newBasicAuthenticationFilter(AuthenticationStrategy authenticationStrategy, Function<Headers, Pair<String, String>, NeverThrowsException> function) {
        ConditionalFilters.ConditionalFilter newConditionalHttpBasicAuthenticationFilter = Authorization.newConditionalHttpBasicAuthenticationFilter(authenticationStrategy, function);
        return ConditionalFilters.newConditionalFilter(Filters.chainOf(newConditionalHttpBasicAuthenticationFilter.getFilter(), newProxyAuthzFilter(getConnectionFactory(DEFAULT_ROOT_FACTORY))), newConditionalHttpBasicAuthenticationFilter.getCondition());
    }

    private AuthenticationStrategy buildBindStrategy(BindStrategy bindStrategy, JsonValue jsonValue) {
        switch (bindStrategy) {
            case SIMPLE:
                return buildSimpleBindStrategy(jsonValue);
            case SEARCH:
                return buildSearchThenBindStrategy(jsonValue);
            case SASL_PLAIN:
                return buildSaslBindStrategy(jsonValue);
            default:
                throw new LocalizedIllegalArgumentException(Rest2ldapMessages.ERR_CONFIG_UNSUPPORTED_BIND_STRATEGY.get(bindStrategy, BindStrategy.access$100()));
        }
    }

    private AuthenticationStrategy buildSimpleBindStrategy(JsonValue jsonValue) {
        return AuthenticationStrategies.newSimpleBindStrategy(getConnectionFactory(jsonValue.get("ldapConnectionFactory").defaultTo(DEFAULT_BIND_FACTORY).asString()), parseUserNameTemplate(jsonValue.get("bindDnTemplate").defaultTo("%s")), this.schema);
    }

    private AuthenticationStrategy buildSaslBindStrategy(JsonValue jsonValue) {
        return AuthenticationStrategies.newSaslPlainStrategy(getConnectionFactory(jsonValue.get("ldapConnectionFactory").defaultTo(DEFAULT_BIND_FACTORY).asString()), this.schema, parseUserNameTemplate(jsonValue.get(AUTHZID_TEMPLATE).defaultTo("u:%s")));
    }

    private AuthenticationStrategy buildSearchThenBindStrategy(JsonValue jsonValue) {
        return AuthenticationStrategies.newSearchThenBindStrategy(getConnectionFactory(jsonValue.get("searchLdapConnectionFactory").defaultTo(DEFAULT_ROOT_FACTORY).asString()), getConnectionFactory(jsonValue.get("bindLdapConnectionFactory").defaultTo(DEFAULT_BIND_FACTORY).asString()), DN.valueOf(jsonValue.get("baseDn").required().asString(), this.schema), SearchScope.valueOf(jsonValue.get(OAuth2Error.F_SCOPE).required().asString().toLowerCase()), parseUserNameTemplate(jsonValue.get("filterTemplate").required()));
    }

    private String parseUserNameTemplate(JsonValue jsonValue) {
        return jsonValue.asString().replace("{username}", "%s");
    }
}
