package tv.hd3g.authkit.mod.service;

import java.net.InetAddress;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.NoSuchElementException;
import java.util.Optional;
import java.util.Spliterator;
import java.util.Spliterators;
import java.util.function.UnaryOperator;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import java.util.stream.StreamSupport;
import javax.naming.CommunicationException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.reference.DefaultEncoder;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import tv.hd3g.authkit.mod.config.ExternalLDAP;
import tv.hd3g.authkit.mod.dto.ExternalAuthUserDto;
import tv.hd3g.authkit.mod.dto.Password;
import tv.hd3g.authkit.mod.exception.AuthKitException;
import tv.hd3g.authkit.mod.exception.UserCantLoginException;

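/**
 * {@link ExternalAuthClientService} backed by an Active Directory server reached over JNDI/LDAP.
 * <p>
 * A logon is a simple bind as {@code login@domain} against the server configured for that
 * domain, followed by a single-entry search that resolves the user's common name, mail and
 * {@code memberOf} groups. JNDI failures (connection, bind, search) are translated into
 * {@link UserCantLoginException} subtypes; malformed input is rejected with
 * {@link IllegalArgumentException} before any network access.
 */
@Service
public class ExternalAuthClientLDAPServiceImpl implements ExternalAuthClientService {
    private static final Logger log = LogManager.getLogger();

    /** Token in the configured logon query that is replaced by the (encoded) login. */
    private static final String TENANT_PLACEHOLDER = "<ldapTenantName>";

    /** ESAPI encoder used to neutralise DN and filter metacharacters in caller-supplied input. */
    private static final Encoder encoder;

    /**
     * Turns a group DN such as {@code CN=Admins,OU=IT,OU=Paris,DC=example,DC=com} into the
     * display form {@code Admins (example.com/IT/Paris)}.
     */
    private static final UnaryOperator<String> extractOrganizationalUnits =
            ExternalAuthClientLDAPServiceImpl::formatGroupDn;

    static {
        // Set before the first DefaultEncoder.getInstance(): presumably silences ESAPI's
        // "logSpecial" bootstrap output, which this service has no use for.
        System.setProperty("org.owasp.esapi.logSpecial.discard", "true");
        encoder = DefaultEncoder.getInstance();
    }

    @Autowired
    private ExternalLDAP externalLDAP;

    /** @return {@code true} when an LDAP configuration is injected and reports itself available */
    @Override
    public boolean isAvailable() {
        return this.externalLDAP != null && this.externalLDAP.isAvailable();
    }

    /**
     * Looks up the LDAP server entry configured for a domain.
     *
     * @param domain domain name, already DN-encoded and validated by the caller
     * @return the matching configuration entry
     * @throws AuthKitException (HTTP 500) when no entry is configured for the domain
     */
    private ExternalLDAP.LDAPEntry getConfiguration(final String domain) {
        return this.externalLDAP.getByDomainName(domain).orElseThrow(() -> {
            log.error("Can't found configuration for {} domain", domain);
            return new AuthKitException(500, "Can't login");
        });
    }

    /**
     * Authenticates a user by binding to the domain's AD server with its credentials, then
     * reads the user's entry.
     *
     * @param login    user name; must be alphanumeric once LDAP-encoded
     * @param password user password; must be non-empty
     * @param domain   AD domain name; must be alphanumeric once DN-encoded
     * @return the resolved user (login, domain, common name, optional mail, formatted groups)
     * @throws UserCantLoginException for unavailable service, missing password, unreachable
     *                                server, failed bind or missing directory entry
     * @throws IllegalArgumentException for a login/domain that fails validation or a
     *                                  configured server that is not of type {@code AD}
     */
    @Override
    public ExternalAuthUserDto logonUser(final String login, final Password password, final String domain)
            throws UserCantLoginException {
        // Encode first, then restrict to [A-Za-z0-9]: the login lands in an LDAP filter and the
        // domain in a DN, so each gets the matching ESAPI encoding. ESAPI maps a null input to
        // null, which isAlphanumeric then rejects.
        final var domainEncoded = encoder.encodeForDN(domain);
        final var loginEncoded = encoder.encodeForLDAP(login);
        if (!isAvailable()) {
            throw new UserCantLoginException.ExternalAuthErrorCantLoginException();
        }
        if (password == null || password.length() == 0) {
            throw new UserCantLoginException.NoPasswordUserCantLoginException();
        }
        // NOTE(review): isAlphanumeric rejects '.', so a dotted domain ("corp.example") cannot
        // pass this check even though toDC() is written to split on '.'; confirm the expected
        // domain format before relaxing the validation.
        if (!StringUtils.isAlphanumeric(domainEncoded) || !StringUtils.isAlphanumeric(loginEncoded)) {
            throw new IllegalArgumentException("Login or domain invalid");
        }
        final var configuration = getConfiguration(domainEncoded);
        if (configuration.getType() != ExternalLDAP.LDAPType.AD) {
            throw new IllegalArgumentException("Unsuported LDAP typ server: " + configuration.getType());
        }

        final var env = new Hashtable<String, String>();
        env.put("java.naming.security.principal", loginEncoded + "@" + domainEncoded);
        // JNDI takes the credential as an Object it can turn into a String, so the secret has to
        // be materialised as a String here; it stays local to this call but cannot be wiped.
        env.put("java.naming.security.credentials", password.subSequence(0, password.length()).toString());
        env.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        // NOTE(review): ldap:// with a simple bind sends the password in clear unless the
        // configured port is TLS-wrapped or the network path is otherwise protected — confirm
        // for the deployment. No connect timeout is set either, so a black-holed host blocks
        // this thread until the OS gives up.
        env.put("java.naming.provider.url", "ldap://" + configuration.getHost() + ":" + configuration.getPort() + "/");
        env.put("java.naming.ldap.attributes.binary", "tokenGroups");

        InitialLdapContext ctx = null;
        NamingEnumeration<SearchResult> results = null;
        try {
            // The constructor performs the bind; invalid credentials are expected to surface as a
            // NamingException, an unreachable server as a CommunicationException.
            ctx = new InitialLdapContext(env, (Control[]) null);
            if (!String.valueOf(ctx.getEnvironment().get("java.naming.security.principal")).contains("@")) {
                throw new UserCantLoginException.UnknownUserCantLoginException();
            }
            final var controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setCountLimit(1L);
            controls.setTimeLimit(500); // server-side limit, in milliseconds
            // loginEncoded is filter-encoded and alphanumeric, so the substitution cannot alter
            // the structure of the configured filter.
            final var filter = configuration.getLdapSearchLogonQuery().replace(TENANT_PLACEHOLDER, loginEncoded);
            results = ctx.search(toDC(domainEncoded), filter, controls);
            if (!results.hasMore()) {
                log.error("Can't get LDAP entry for {}", loginEncoded);
                throw new UserCantLoginException.UnknownUserCantLoginException();
            }
            final var attributes = results.next().getAttributes();
            if (attributes.get(configuration.getLdapTenantName()) == null) {
                log.error("Can't get LDAP user for {}", loginEncoded);
                throw new UserCantLoginException.UnknownUserCantLoginException();
            }
            final var commonName = extractLDAPSearchResultVar(configuration.getLdapCommonName(), attributes)
                    .orElseThrow(() -> new NamingException("Can't get LDAP user CN for " + loginEncoded));
            final var mail = extractLDAPSearchResultVar(configuration.getLdapMailName(), attributes).orElse(null);
            final var groups = extractLDAPSearchResultVars("memberOf", attributes)
                    .map(extractOrganizationalUnits)
                    .toList();
            return new ExternalAuthUserDto(loginEncoded, domainEncoded, commonName, mail, groups);
        } catch (final CommunicationException e) {
            log.error("Failed to connect to {}: {}", configuration.getHost(), configuration.getPort(), e);
            throw new UserCantLoginException.ExternalAuthErrorCantLoginException();
        } catch (final NamingException e) {
            // Also reached by the "no CN" NamingException raised above, which the caller then
            // sees as a bad password rather than as a directory data problem.
            log.error("Failed to authenticate {}@{} through {}", loginEncoded, domainEncoded, configuration.getHost(), e);
            throw new UserCantLoginException.BadPasswordUserCantLoginException();
        } finally {
            // Release the search cursor and the bound connection on every path; without this
            // each logon attempt left a JNDI context (and its socket) behind.
            closeQuietly(results);
            closeQuietly(ctx);
        }
    }

    /** Closes a search cursor; a close-time failure must not mask the logon outcome. */
    private static void closeQuietly(final NamingEnumeration<?> enumeration) {
        if (enumeration == null) {
            return;
        }
        try {
            enumeration.close();
        } catch (final NamingException e) {
            log.debug("Can't close LDAP search result", e);
        }
    }

    /** Closes a bound context; a close-time failure must not mask the logon outcome. */
    private static void closeQuietly(final InitialLdapContext ctx) {
        if (ctx == null) {
            return;
        }
        try {
            ctx.close();
        } catch (final NamingException e) {
            log.debug("Can't close LDAP context", e);
        }
    }

    /**
     * Reads the first value of an attribute as a String.
     *
     * @param name       attribute name
     * @param attributes entry attributes returned by the search
     * @return the first value, or empty when the attribute is absent, has no value, is null,
     *         or cannot be read
     */
    private Optional<String> extractLDAPSearchResultVar(final String name, final Attributes attributes) {
        final Attribute attribute = attributes.get(name);
        if (attribute == null) {
            return Optional.empty();
        }
        try {
            // ofNullable before valueOf: a null value would otherwise become the literal "null".
            return Optional.ofNullable(attribute.get()).map(String::valueOf);
        } catch (final NamingException | NoSuchElementException e) {
            // NoSuchElementException: the attribute exists but carries no value.
            log.debug("Can't found {} in LDAP datas", name, e);
            return Optional.empty();
        }
    }

    /**
     * Reads all values of a multi-valued attribute as Strings.
     *
     * @param name       attribute name
     * @param attributes entry attributes returned by the search
     * @return the values in directory order, or an empty stream when the attribute is absent
     *         or cannot be read
     */
    private Stream<String> extractLDAPSearchResultVars(final String name, final Attributes attributes) {
        final Attribute attribute = attributes.get(name);
        if (attribute == null) {
            return Stream.empty();
        }
        try {
            final var values = Spliterators.spliterator(
                    attribute.getAll().asIterator(), attribute.size(), Spliterator.ORDERED);
            return StreamSupport.stream(values, false).map(String::valueOf);
        } catch (final NamingException e) {
            log.debug("Can't found {} in LDAP datas", name, e);
            return Stream.empty();
        }
    }

    /**
     * Maps a domain name to its DN form: {@code corp.example.com} → {@code DC=corp,DC=example,DC=com}.
     * Empty labels (leading/trailing/double dots) are dropped.
     */
    private static String toDC(final String domain) {
        return Arrays.stream(domain.split("\\."))
                .filter(label -> !label.isEmpty())
                .collect(Collectors.joining(",DC=", "DC=", ""));
    }

    /**
     * Extracts the values of the RDNs of one type (e.g. {@code "OU="}) from a comma-split DN,
     * in order of appearance. The type comparison is case-insensitive.
     */
    private static Stream<String> rdnValues(final String[] rdns, final String type) {
        return Arrays.stream(rdns)
                .filter(rdn -> rdn.toUpperCase().startsWith(type))
                .map(rdn -> rdn.substring(type.length()));
    }

    /**
     * Formats a group DN as {@code <CN> (<DC joined by '.'>/<OU joined by '/'>)}.
     * Splitting on ',' does not honour RDN escaping, so a DN with an escaped comma
     * would be split at the wrong place.
     */
    private static String formatGroupDn(final String dn) {
        final var rdns = dn.split(",");
        final var cn = rdnValues(rdns, "CN=").collect(Collectors.joining());
        final var dc = rdnValues(rdns, "DC=").collect(Collectors.joining("."));
        final var ou = rdnValues(rdns, "OU=").collect(Collectors.joining("/", "/", ""));
        return cn + " (" + dc + ou + ")";
    }

    /** @return the domain of the first configured server, or empty when unavailable or unconfigured */
    @Override
    public Optional<String> getDefaultDomainName() {
        if (!isAvailable()) {
            return Optional.empty();
        }
        final var servers = this.externalLDAP.getServers();
        if (servers.isEmpty()) {
            return Optional.empty();
        }
        return Optional.ofNullable(servers.get(0).getDomain());
    }

    /**
     * @param inetAddress address of the client requesting account creation
     * @param domain      domain whose server configuration carries the allow-list
     * @return {@code true} only when the service is available, the domain is configured and
     *         that configuration allows the address
     */
    @Override
    public boolean isIPAllowedToCreateUserAccount(final InetAddress inetAddress, final String domain) {
        if (!isAvailable()) {
            return false;
        }
        return this.externalLDAP.getByDomainName(domain)
                .map(entry -> entry.isAllowed(inetAddress))
                .orElse(false);
    }
}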
