package org.yamcs.security;

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.TimeUnit;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import org.yamcs.InitException;
import org.yamcs.Spec;
import org.yamcs.YConfiguration;
import org.yamcs.http.auth.LoginRequest;
import org.yamcs.logging.Log;

/* loaded from: input_file:org/yamcs/security/LdapAuthModule.class */
public class LdapAuthModule implements AuthModule {
    private boolean tls;
    private String providerUrl;
    private Hashtable<String, String> yamcsEnv;
    private String userBase;
    private String nameAttribute;
    private String userFilter;
    private String[] displayNameAttributes;
    private String[] emailAttributes;
    private String[] searchAttributes;
    private List<String> groupBase;
    private String groupFilter;
    private String groupFilterUserAttribute;
    private boolean requiredIfKerberos;
    private Log log = new Log(LdapAuthModule.class);
    private List<GroupMapping> groupMappings = new ArrayList();
    private Cache<String, LdapUserInfo> infoCache = CacheBuilder.newBuilder().expireAfterWrite(24, TimeUnit.HOURS).build();

    /* loaded from: input_file:org/yamcs/security/LdapAuthModule$GroupMapping.class */
    private static final class GroupMapping {
        String dn;
        String role;
        boolean superuser;

        private GroupMapping() {
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/yamcs/security/LdapAuthModule$LdapUserInfo.class */
    public static final class LdapUserInfo {
        String uid;
        String dn;
        String cn;
        String email;
        List<String> memberOf;

        private LdapUserInfo() {
        }
    }

    @Override // org.yamcs.security.AuthModule
    public Spec getSpec() {
        Spec spec = new Spec();
        spec.addOption("name", Spec.OptionType.STRING).withDefault("uid");
        spec.addOption("email", Spec.OptionType.LIST_OR_ELEMENT).withElementType(Spec.OptionType.STRING).withDefault(Arrays.asList("mail", "email", "userPrincipalName"));
        spec.addOption("displayName", Spec.OptionType.LIST_OR_ELEMENT).withElementType(Spec.OptionType.STRING).withDefault("cn");
        Spec spec2 = new Spec();
        spec2.addOption("dn", Spec.OptionType.STRING).withRequired(true);
        spec2.addOption("role", Spec.OptionType.STRING);
        spec2.addOption("superuser", Spec.OptionType.BOOLEAN);
        spec2.requireOneOf("role", "superuser");
        Spec spec3 = new Spec();
        spec3.addOption("host", Spec.OptionType.STRING).withRequired(true);
        spec3.addOption("port", Spec.OptionType.INTEGER);
        spec3.addOption("user", Spec.OptionType.STRING);
        spec3.addOption(LoginRequest.PASSWORD, Spec.OptionType.STRING).withSecret(true);
        spec3.requireTogether("user", LoginRequest.PASSWORD);
        spec3.addOption("tls", Spec.OptionType.BOOLEAN);
        spec3.addOption("userBase", Spec.OptionType.STRING).withRequired(true);
        spec3.addOption("attributes", Spec.OptionType.MAP).withSpec(spec).withApplySpecDefaults(true);
        spec3.addOption("userFilter", Spec.OptionType.STRING);
        spec3.addOption("groupMappings", Spec.OptionType.LIST).withElementType(Spec.OptionType.MAP).withSpec(spec2);
        spec3.addOption("groupBase", Spec.OptionType.LIST_OR_ELEMENT).withElementType(Spec.OptionType.STRING);
        spec3.addOption("groupFilter", Spec.OptionType.STRING);
        spec3.addOption("groupFilterUserAttribute", Spec.OptionType.STRING);
        spec3.requireTogether("groupBase", "groupFilter", "groupFilterUserAttribute");
        spec3.addOption("requiredIfKerberos", Spec.OptionType.BOOLEAN).withDefault(false);
        return spec3;
    }

    @Override // org.yamcs.security.AuthModule
    public void init(YConfiguration yConfiguration) throws InitException {
        String string = yConfiguration.getString("host");
        this.tls = yConfiguration.getBoolean("tls", false);
        if (this.tls) {
            this.providerUrl = String.format("ldaps://%s:%s", string, Integer.valueOf(yConfiguration.getInt("port", 636)));
        } else {
            this.providerUrl = String.format("ldap://%s:%s", string, Integer.valueOf(yConfiguration.getInt("port", 389)));
        }
        this.userBase = yConfiguration.getString("userBase");
        YConfiguration config = yConfiguration.getConfig("attributes");
        this.nameAttribute = config.getString("name");
        this.userFilter = yConfiguration.getString("userFilter", "(" + this.nameAttribute + "={0})");
        if (!this.userFilter.contains("{0}")) {
            throw new InitException("LDAP user filter should contain the {0} character sequence, which will be replaced with the attempted username");
        }
        this.displayNameAttributes = (String[]) config.getList("displayName").toArray(new String[0]);
        this.emailAttributes = (String[]) config.getList("email").toArray(new String[0]);
        this.groupBase = yConfiguration.containsKey("groupBase") ? yConfiguration.getList("groupBase") : null;
        this.groupFilter = yConfiguration.getString("groupFilter", (String) null);
        this.groupFilterUserAttribute = yConfiguration.getString("groupFilterUserAttribute", (String) null);
        if (yConfiguration.containsKey("groupMappings")) {
            for (YConfiguration yConfiguration2 : yConfiguration.getConfigList("groupMappings")) {
                GroupMapping groupMapping = new GroupMapping();
                groupMapping.dn = yConfiguration2.getString("dn");
                groupMapping.role = yConfiguration2.getString("role", (String) null);
                groupMapping.superuser = yConfiguration2.getBoolean("superuser", false);
                this.groupMappings.add(groupMapping);
            }
        }
        HashSet hashSet = new HashSet();
        hashSet.add(this.nameAttribute);
        hashSet.addAll(config.getList("displayName"));
        hashSet.addAll(config.getList("email"));
        hashSet.add("memberOf");
        if (this.groupFilterUserAttribute != null) {
            hashSet.add(this.groupFilterUserAttribute);
        }
        this.searchAttributes = (String[]) hashSet.toArray(new String[0]);
        this.requiredIfKerberos = yConfiguration.getBoolean("requiredIfKerberos");
        this.yamcsEnv = new Hashtable<>();
        this.yamcsEnv.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        this.yamcsEnv.put("java.naming.provider.url", this.providerUrl);
        this.yamcsEnv.put("java.naming.referral", "follow");
        this.yamcsEnv.put("java.naming.security.authentication", "simple");
        if (yConfiguration.containsKey("user")) {
            this.yamcsEnv.put("java.naming.security.principal", yConfiguration.getString("user"));
        }
        if (yConfiguration.containsKey(LoginRequest.PASSWORD)) {
            this.yamcsEnv.put("java.naming.security.credentials", yConfiguration.getString(LoginRequest.PASSWORD));
        }
        if (this.tls) {
            this.yamcsEnv.put("java.naming.security.protocol", "ssl");
        }
    }

    @Override // org.yamcs.security.AuthModule
    public AuthenticationInfo getAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        if (!(authenticationToken instanceof UsernamePasswordToken)) {
            return null;
        }
        String principal = ((UsernamePasswordToken) authenticationToken).getPrincipal();
        char[] password = ((UsernamePasswordToken) authenticationToken).getPassword();
        try {
            LdapUserInfo searchUserInfo = searchUserInfo(principal);
            if (searchUserInfo == null) {
                return null;
            }
            bindUser(searchUserInfo.dn, password);
            AuthenticationInfo authenticationInfo = new AuthenticationInfo(this, searchUserInfo.uid);
            authenticationInfo.addExternalIdentity(getClass().getName(), searchUserInfo.dn);
            authenticationInfo.setDisplayName(searchUserInfo.cn);
            authenticationInfo.setEmail(searchUserInfo.email);
            return authenticationInfo;
        } catch (NamingException e) {
            this.log.warn("Failed to search LDAP for user {}", principal, e);
            return null;
        }
    }

    @Override // org.yamcs.security.AuthModule
    public void authenticationSucceeded(AuthenticationInfo authenticationInfo) {
        if (authenticationInfo.isKerberos()) {
            String username = authenticationInfo.getUsername();
            try {
                LdapUserInfo searchUserInfo = searchUserInfo(username);
                if (searchUserInfo == null) {
                    this.log.warn("User {} not found in LDAP", username);
                } else {
                    authenticationInfo.addExternalIdentity(getClass().getName(), searchUserInfo.dn);
                    authenticationInfo.setDisplayName(searchUserInfo.cn);
                    authenticationInfo.setEmail(searchUserInfo.email);
                }
            } catch (NamingException e) {
                this.log.warn("Failed to search LDAP for user {}", username, e);
            }
        }
    }

    private LdapUserInfo searchUserInfo(String str) throws NamingException {
        LdapUserInfo ldapUserInfo = (LdapUserInfo) this.infoCache.getIfPresent(str);
        if (ldapUserInfo != null) {
            return ldapUserInfo;
        }
        DirContext dirContext = null;
        try {
            dirContext = new InitialDirContext(this.yamcsEnv);
            SearchControls searchControls = new SearchControls();
            searchControls.setReturningAttributes(this.searchAttributes);
            searchControls.setSearchScope(2);
            SearchResult singleResult = getSingleResult(dirContext, this.userBase, this.userFilter.replace("{0}", str), searchControls);
            if (singleResult == null) {
                if (dirContext != null) {
                    dirContext.close();
                }
                return null;
            }
            LdapUserInfo ldapUserInfo2 = new LdapUserInfo();
            ldapUserInfo2.uid = (String) singleResult.getAttributes().get(this.nameAttribute).get();
            ldapUserInfo2.dn = singleResult.getNameInNamespace();
            ldapUserInfo2.cn = findAttribute(singleResult, this.displayNameAttributes);
            ldapUserInfo2.email = findAttribute(singleResult, this.emailAttributes);
            ldapUserInfo2.memberOf = findListAttribute(singleResult, new String[]{"memberOf"});
            if (this.groupBase != null) {
                SearchControls searchControls2 = new SearchControls();
                searchControls2.setSearchScope(2);
                String findAttribute = findAttribute(singleResult, new String[]{this.groupFilterUserAttribute});
                if (findAttribute == null && "dn".equalsIgnoreCase(this.groupFilterUserAttribute)) {
                    findAttribute = singleResult.getNameInNamespace();
                }
                if (findAttribute != null) {
                    String replace = this.groupFilter.replace("{0}", findAttribute);
                    Iterator<String> it = this.groupBase.iterator();
                    while (it.hasNext()) {
                        NamingEnumeration search = dirContext.search(it.next(), replace, searchControls2);
                        while (search.hasMore()) {
                            ldapUserInfo2.memberOf.add(((SearchResult) search.next()).getNameInNamespace());
                        }
                        search.close();
                    }
                }
            }
            this.infoCache.put(str, ldapUserInfo2);
            if (dirContext != null) {
                dirContext.close();
            }
            return ldapUserInfo2;
        } catch (Throwable th) {
            if (dirContext != null) {
                dirContext.close();
            }
            throw th;
        }
    }

    private void bindUser(String str, char[] cArr) throws AuthenticationException {
        Hashtable hashtable = new Hashtable();
        hashtable.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        hashtable.put("java.naming.provider.url", this.providerUrl);
        hashtable.put("com.sun.jndi.ldap.connect.pool", "true");
        hashtable.put("java.naming.security.authentication", "simple");
        hashtable.put("java.naming.security.principal", str);
        hashtable.put("java.naming.security.credentials", new String(cArr));
        if (this.tls) {
            hashtable.put("java.naming.security.protocol", "ssl");
        }
        try {
            new InitialDirContext(hashtable).close();
        } catch (javax.naming.AuthenticationException e) {
            this.log.warn("Bind failed for dn '{}'", str, e);
            throw new AuthenticationException("Invalid password");
        } catch (NamingException e2) {
            throw new AuthenticationException((Throwable) e2);
        }
    }

    @Override // org.yamcs.security.AuthModule
    public AuthorizationInfo getAuthorizationInfo(AuthenticationInfo authenticationInfo) throws AuthorizationException {
        AuthorizationInfo authorizationInfo = new AuthorizationInfo();
        LdapUserInfo ldapUserInfo = (LdapUserInfo) this.infoCache.getIfPresent(authenticationInfo.getUsername());
        if (authenticationInfo.isKerberos() && this.requiredIfKerberos && ldapUserInfo == null) {
            throw new AuthorizationException("Cannot link Kerberos user with LDAP directory");
        }
        if (ldapUserInfo != null) {
            for (GroupMapping groupMapping : this.groupMappings) {
                Iterator<String> it = ldapUserInfo.memberOf.iterator();
                while (it.hasNext()) {
                    if (groupMapping.dn.equalsIgnoreCase(it.next())) {
                        if (groupMapping.role != null) {
                            authorizationInfo.addRole(groupMapping.role);
                        }
                        if (groupMapping.superuser) {
                            authorizationInfo.grantSuperuser();
                        }
                    }
                }
            }
        }
        return authorizationInfo;
    }

    @Override // org.yamcs.security.AuthModule
    public boolean verifyValidity(AuthenticationInfo authenticationInfo) {
        return true;
    }

    private SearchResult getSingleResult(DirContext dirContext, String str, String str2, SearchControls searchControls) throws NamingException {
        NamingEnumeration search = dirContext.search(str, str2, searchControls);
        if (!search.hasMore()) {
            return null;
        }
        SearchResult searchResult = (SearchResult) search.next();
        search.close();
        return searchResult;
    }

    private String findAttribute(SearchResult searchResult, String[] strArr) throws NamingException {
        for (String str : strArr) {
            Attribute attribute = searchResult.getAttributes().get(str);
            if (attribute != null) {
                return (String) attribute.get();
            }
        }
        return null;
    }

    private List<String> findListAttribute(SearchResult searchResult, String[] strArr) throws NamingException {
        for (String str : strArr) {
            ArrayList arrayList = new ArrayList();
            Attribute attribute = searchResult.getAttributes().get(str);
            if (attribute != null) {
                NamingEnumeration all = attribute.getAll();
                while (all.hasMoreElements()) {
                    arrayList.add((String) all.next());
                }
                return arrayList;
            }
        }
        return new ArrayList();
    }
}
