package de.gwdg.cdstar.ext.realm.ldap;

import com.github.benmanes.caffeine.cache.Caffeine;
import com.github.benmanes.caffeine.cache.LoadingCache;
import com.github.benmanes.caffeine.cache.Scheduler;
import de.gwdg.cdstar.FailableSupplier;
import de.gwdg.cdstar.Utils;
import de.gwdg.cdstar.auth.Credentials;
import de.gwdg.cdstar.auth.Session;
import de.gwdg.cdstar.auth.UsernamePasswordCredentials;
import de.gwdg.cdstar.auth.realm.Authenticator;
import de.gwdg.cdstar.runtime.Config;
import de.gwdg.cdstar.runtime.ConfigException;
import java.time.Duration;
import java.util.Hashtable;
import java.util.Optional;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/gwdg/cdstar/ext/realm/ldap/LDAPRealm.class */
public class LDAPRealm implements Authenticator {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) LDAPRealm.class);
    private final String server;
    private final Duration conntectTimeout;
    private final Duration readTimeout;
    private final String searchBase;
    private final String searchFilter;
    private final SearchControls searchControls;
    private final Hashtable<String, String> searchEnv;
    private final String uidAttribute;
    private final String domainAttribute;
    private final String realmName;
    private final LoadingCache<String, Optional<LDAPPrincipal>> principalCache;
    private final Duration cacheExpire;

    public LDAPRealm(Config config) throws ConfigException, NamingException {
        config.setDefault("cache.size", "1024");
        config.setDefault("cache.expire", "600");
        config.setDefault("timeout.connect", "1000");
        config.setDefault("timeout.read", "1000");
        config.setDefault("name", config.get("_name", "ldap"));
        this.server = config.get("server");
        this.realmName = config.get("name");
        this.searchBase = config.get("search.base");
        this.searchFilter = config.get("search.filter", "(|(uid={})(mail={}))");
        this.uidAttribute = config.get("attr.uid", "uid");
        this.domainAttribute = config.get("attr.domain", (String) null);
        this.cacheExpire = Duration.ofSeconds(config.getInt("cache.expire"));
        this.principalCache = Caffeine.newBuilder().maximumSize(config.getInt("cache.size")).expireAfterWrite(this.cacheExpire).scheduler(Scheduler.systemScheduler()).build(str -> {
            return Optional.ofNullable(findLdapUser(str));
        });
        this.conntectTimeout = Duration.ofMillis(config.getLong("timeout.connect"));
        this.readTimeout = Duration.ofMillis(config.getLong("timeout.read"));
        this.searchEnv = makeLdapConfig(true, config.get("search.user", (String) null), config.get("search.password", (String) null));
        this.searchControls = new SearchControls();
        this.searchControls.setSearchScope(2);
        this.searchControls.setReturningAttributes(new String[]{this.uidAttribute, this.domainAttribute});
        this.searchControls.setCountLimit(1L);
    }

    private Hashtable<String, String> makeLdapConfig(boolean z, String str, String str2) {
        Hashtable<String, String> hashtable = new Hashtable<>();
        hashtable.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        hashtable.put("java.naming.provider.url", this.server);
        hashtable.put("com.sun.jndi.ldap.connect.timeout", String.valueOf(this.conntectTimeout.toMillis()));
        hashtable.put("com.sun.jndi.ldap.read.timeout", String.valueOf(this.readTimeout.toMillis()));
        if (z) {
            hashtable.put("com.sun.jndi.ldap.connect.pool", "true");
        }
        if (str != null) {
            hashtable.put("java.naming.security.principal", str);
            hashtable.put("java.naming.security.credentials", str2);
        } else {
            hashtable.put("java.naming.security.authentication", "none");
        }
        return hashtable;
    }

    public String getName() {
        return this.realmName;
    }

    static final String escapeLDAPFilter(String str) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < str.length(); i++) {
            char charAt = str.charAt(i);
            switch (charAt) {
                case 0:
                    sb.append("\\00");
                    break;
                case '(':
                    sb.append("\\28");
                    break;
                case ')':
                    sb.append("\\29");
                    break;
                case '*':
                    sb.append("\\2a");
                    break;
                case '\\':
                    sb.append("\\5c");
                    break;
                default:
                    sb.append(charAt);
                    break;
            }
        }
        return sb.toString();
    }

    LDAPPrincipal findLdapUser(String str) {
        try {
            return (LDAPPrincipal) retry(() -> {
                InitialLdapContext initialLdapContext = new InitialLdapContext(this.searchEnv, (Control[]) null);
                try {
                    NamingEnumeration search = initialLdapContext.search(this.searchBase, this.searchFilter.replace("{}", escapeLDAPFilter(str)), this.searchControls);
                    if (!search.hasMore()) {
                        initialLdapContext.close();
                        return null;
                    }
                    LDAPPrincipal buildPrincipalFromLdap = buildPrincipalFromLdap(str, (SearchResult) search.next());
                    log.debug("Found LDAP user: {} -> {}", str, buildPrincipalFromLdap.getLdapDN());
                    initialLdapContext.close();
                    return buildPrincipalFromLdap;
                } catch (Throwable th) {
                    initialLdapContext.close();
                    throw th;
                }
            }, 3, Duration.ofSeconds(1L));
        } catch (NamingException e) {
            log.warn("LDAP search failed", e);
            return null;
        }
    }

    Optional<LDAPPrincipal> searchUser(String str) {
        return (Optional) this.principalCache.get(str);
    }

    private <T> T retry(FailableSupplier<T, NamingException> failableSupplier, int i, Duration duration) throws NamingException {
        if (i <= 0) {
            i = 1;
        }
        Throwable th = null;
        for (int i2 = 1; i2 <= i; i2++) {
            try {
                return (T) failableSupplier.supply();
            } catch (CommunicationException e) {
                log.warn("LDAP communication failed (retry {}/{})", Integer.valueOf(i2), Integer.valueOf(i), e);
                Utils.sleepInterruptable(duration.toMillis());
                if (th != null) {
                    e.addSuppressed(th);
                }
                th = e;
            }
        }
        throw th;
    }

    private LDAPPrincipal buildPrincipalFromLdap(String str, SearchResult searchResult) throws NamingException {
        Attributes attributes = searchResult.getAttributes();
        return new LDAPPrincipal(this, searchResult.getNameInNamespace(), attributes.get(this.uidAttribute).get().toString(), (this.domainAttribute == null || attributes.get(this.domainAttribute) == null) ? this.realmName : attributes.get(this.domainAttribute).get().toString(), str);
    }

    boolean tryLogin(LDAPPrincipal lDAPPrincipal, char[] cArr) {
        if (cArr == null || cArr.length == 0 || Utils.arrayContains(cArr, (char) 0)) {
            return false;
        }
        synchronized (lDAPPrincipal) {
            if (lDAPPrincipal.hasCachedPassword()) {
                if (lDAPPrincipal.checkCachedPassword(cArr)) {
                    log.debug("Login success (cached): {}", lDAPPrincipal.getLdapDN());
                    return true;
                }
                log.warn("Login failed (cached): {}", lDAPPrincipal.getLdapDN());
                return false;
            }
            try {
                Hashtable<String, String> makeLdapConfig = makeLdapConfig(false, lDAPPrincipal.getLdapDN(), new String(cArr));
                retry(() -> {
                    new InitialLdapContext(makeLdapConfig, (Control[]) null).close();
                    return null;
                }, 3, Duration.ofSeconds(1L));
                lDAPPrincipal.cachePassword(cArr);
                log.debug("Login success: {}", lDAPPrincipal.getLdapDN());
                return true;
            } catch (AuthenticationException e) {
                log.info("Login failed: {}", lDAPPrincipal.getLdapDN());
                return false;
            } catch (NamingException e2) {
                log.warn("Login failed (ldap error): {}", lDAPPrincipal.getLdapDN(), e2);
                return false;
            }
        }
    }

    public Session login(Credentials credentials) {
        if (!(credentials instanceof UsernamePasswordCredentials)) {
            return null;
        }
        UsernamePasswordCredentials usernamePasswordCredentials = (UsernamePasswordCredentials) credentials;
        Optional<LDAPPrincipal> searchUser = searchUser(usernamePasswordCredentials.getName());
        if (!searchUser.isPresent()) {
            return null;
        }
        LDAPPrincipal lDAPPrincipal = searchUser.get();
        if (usernamePasswordCredentials.getDomain() != null && !Utils.equalNotNull(lDAPPrincipal.getDomain(), usernamePasswordCredentials.getDomain())) {
            log.info("Login failed (wrong domain): {}", lDAPPrincipal.getLdapDN());
            return null;
        }
        if (tryLogin(lDAPPrincipal, usernamePasswordCredentials.getPassword())) {
            return lDAPPrincipal;
        }
        return null;
    }

    public void logout(Session session) {
        if (session.getAuthenticator() == this && (session.getPrincipal() instanceof LDAPPrincipal)) {
            this.principalCache.invalidate(((LDAPPrincipal) session.getPrincipal()).getLoginName());
        }
    }
}
