package ome.logic;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import ome.annotations.NotNull;
import ome.annotations.RevisionDate;
import ome.annotations.RevisionNumber;
import ome.annotations.RolesAllowed;
import ome.api.ILdap;
import ome.api.ServiceInterface;
import ome.conditions.ApiUsageException;
import ome.conditions.SecurityViolation;
import ome.conditions.ValidationException;
import ome.model.meta.Experimenter;
import ome.model.meta.ExperimenterGroup;
import ome.model.meta.GroupExperimenterMap;
import ome.parameters.Parameters;
import ome.security.auth.AttributeNewUserGroupBean;
import ome.security.auth.AttributeSet;
import ome.security.auth.GroupAttributeMapper;
import ome.security.auth.LdapConfig;
import ome.security.auth.NewUserGroupBean;
import ome.security.auth.OrgUnitNewUserGroupBean;
import ome.security.auth.PersonContextMapper;
import ome.security.auth.QueryNewUserGroupBean;
import ome.security.auth.RoleProvider;
import ome.system.OmeroContext;
import ome.system.Roles;
import ome.util.SqlAction;
import org.apache.commons.logging.Log;
import org.springframework.beans.BeansException;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.ldap.core.ContextSource;
import org.springframework.ldap.core.DistinguishedName;
import org.springframework.ldap.core.LdapOperations;
import org.springframework.ldap.filter.AndFilter;
import org.springframework.ldap.filter.EqualsFilter;
import org.springframework.transaction.annotation.Transactional;

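/**
 * LDAP-backed implementation of {@link ILdap}.
 *
 * <p>Searches the directory for {@link Experimenter} entries, validates a
 * password by binding to the directory as that user, creates an OMERO account
 * from an LDAP entry, and keeps an existing account's profile fields and group
 * membership in step with the directory on login.
 *
 * <p>All directory searches go through the injected {@link LdapOperations};
 * the search base is read from the {@link ContextSource}'s read-only context.
 * Most query methods are restricted to the {@code system} role.
 */
@Transactional(readOnly = true)
@RevisionNumber("$Revision: 1552 $")
@RevisionDate("$Date: 2007-05-23 09:43:33 +0100 (Wed, 23 May 2007) $")
/* loaded from: input_file:ome/logic/LdapImpl.class */
public class LdapImpl extends AbstractLevel2Service implements ILdap, ApplicationContextAware {

    /** Experimenter fields that are copied from the LDAP entry during login sync. */
    private static final List<String> SYNCED_FIELDS = Arrays.asList(
            "ome.model.meta.Experimenter_firstName",
            "ome.model.meta.Experimenter_middleName",
            "ome.model.meta.Experimenter_lastName",
            "ome.model.meta.Experimenter_email",
            "ome.model.meta.Experimenter_institution");

    /**
     * Accepted forms of the {@code new_user_group} setting when it begins with
     * a colon: {@code :<kind>:<argument>}. Group 1 is the kind, group 2 the
     * argument. A value without a leading colon is treated as a plain group name.
     */
    private static final Pattern NEW_USER_GROUP_SPEC = Pattern.compile(
            "^:(ou|attribute|filtered_attribute|dn_attribute|filtered_dn_attribute|query|bean):(.*)$");

    private final SqlAction sql;
    private final RoleProvider provider;
    private final ContextSource ctx;
    private final LdapOperations ldap;
    private final LdapConfig config;
    private final Roles roles;
    // Set by Spring through setApplicationContext; only needed for ":bean:" group specs.
    private OmeroContext appContext;

    /**
     * Creates the service with all of its collaborators.
     *
     * @param contextSource  source of directory contexts (used for binding and for the base DN)
     * @param ldapOperations template used for every directory search and lookup
     * @param roles          well-known OMERO role/group ids
     * @param ldapConfig     LDAP settings (filters, attribute names, new-user group spec)
     * @param roleProvider   creates users and groups and edits memberships
     * @param sqlAction      direct SQL access for the user/DN mapping table
     */
    public LdapImpl(ContextSource contextSource, LdapOperations ldapOperations, Roles roles,
            LdapConfig ldapConfig, RoleProvider roleProvider, SqlAction sqlAction) {
        this.ctx = contextSource;
        this.sql = sqlAction;
        this.ldap = ldapOperations;
        this.roles = roles;
        this.config = ldapConfig;
        this.provider = roleProvider;
    }

    /**
     * Keeps the application context so that {@code :bean:} group specs can be resolved.
     * The supplied context is cast to {@link OmeroContext}; presumably the OMERO
     * wiring always provides one.
     */
    public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
        this.appContext = (OmeroContext) applicationContext;
    }

    /** @return the service interface this bean implements, {@link ILdap} */
    public Class<? extends ServiceInterface> getServiceInterface() {
        return ILdap.class;
    }

    /**
     * Returns every directory entry matching the configured user filter, searched
     * from the root of the directory.
     */
    @RolesAllowed({"system"})
    public List<Experimenter> searchAll() {
        return this.ldap.search(DistinguishedName.EMPTY_PATH,
                this.config.getUserFilter().encode(), getContextMapper());
    }

    /**
     * Finds users whose {@code attribute} equals {@code value}, restricted to the
     * configured user filter.
     *
     * @param dn        base DN to search under; {@code null} means the directory root
     * @param attribute attribute name to compare
     * @param value     required attribute value
     * @return the matching users, or an empty list when attribute or value is missing
     */
    @RolesAllowed({"system"})
    public List<Experimenter> searchByAttribute(String dn, String attribute, String value) {
        if (isEmpty(attribute) || isEmpty(value)) {
            return Collections.emptyList();
        }
        DistinguishedName base = dn == null ? DistinguishedName.EMPTY_PATH : new DistinguishedName(dn);
        AndFilter filter = new AndFilter();
        filter.and(this.config.getUserFilter());
        // EqualsFilter encodes the value, so caller-supplied text cannot alter the filter structure.
        filter.and(new EqualsFilter(attribute, value));
        return this.ldap.search(base, filter.encode(), getContextMapper());
    }

    /**
     * Loads the entry at {@code dn} and maps it to an {@link Experimenter}.
     * Whatever the template throws for a missing entry propagates unchanged.
     */
    @RolesAllowed({"system"})
    public Experimenter searchByDN(String dn) {
        return (Experimenter) this.ldap.lookup(new DistinguishedName(dn), getContextMapper());
    }

    /**
     * Resolves the DN of the unique directory entry for {@code username}.
     *
     * @throws ApiUsageException if zero or several entries match
     */
    @RolesAllowed({"system"})
    public String findDN(String username) {
        PersonContextMapper mapper = getContextMapper();
        return mapper.getDn(mapUserName(username, mapper));
    }

    /**
     * Resolves the unique directory entry for {@code username} as an {@link Experimenter}.
     *
     * @throws ApiUsageException if zero or several entries match
     */
    @RolesAllowed({"system"})
    public Experimenter findExperimenter(String username) {
        return mapUserName(username, getContextMapper());
    }

    /**
     * Searches for {@code username} with the configured username filter and
     * accepts the result only when exactly one entry comes back and its mapped
     * omeName is exactly {@code username}.
     *
     * <p>The exact-name check matters: directory matching is commonly
     * case-insensitive, so the filter alone could accept an entry for a
     * differently cased name.
     *
     * @throws ApiUsageException if the search does not yield exactly one acceptable entry
     */
    private Experimenter mapUserName(String username, PersonContextMapper mapper) {
        List<?> found = this.ldap.search("", this.config.usernameFilter(username).encode(),
                mapper.getControls(), mapper);
        if (found.size() == 1 && found.get(0) != null) {
            Experimenter candidate = (Experimenter) found.get(0);
            String omeName = candidate.getOmeName();
            if (omeName != null && omeName.equals(username)) {
                return candidate;
            }
        }
        throw new ApiUsageException("Cannot find unique DistinguishedName: found=" + found.size());
    }

    /**
     * Searches groups (configured group filter AND {@code attribute=value}) and
     * returns whatever {@link GroupAttributeMapper} extracts from each match.
     *
     * @return the mapped values, or an empty list when attribute or value is missing
     */
    @RolesAllowed({"system"})
    public List<String> searchDnInGroups(String attribute, String value) {
        if (isEmpty(attribute) || isEmpty(value)) {
            return Collections.emptyList();
        }
        AndFilter filter = new AndFilter();
        filter.and(this.config.getGroupFilter());
        filter.and(new EqualsFilter(attribute, value));
        return this.ldap.search("", filter.encode(), new GroupAttributeMapper(this.config));
    }

    /**
     * Searches under {@code dn} for entries whose attributes all equal the paired values.
     *
     * <p>Note that, unlike {@link #searchByAttribute}, the configured user filter
     * is not applied here, so entries that are not users can match.
     *
     * @param dn         base DN to search under; {@code null} means the directory root
     * @param attributes attribute names, paired by index with {@code values}
     * @param values     required values
     * @return the matches, or an empty list when the arrays are missing, empty or of unequal length
     */
    @RolesAllowed({"system"})
    public List<Experimenter> searchByAttributes(String dn, String[] attributes, String[] values) {
        if (attributes == null || values == null
                || attributes.length == 0 || attributes.length != values.length) {
            return Collections.emptyList();
        }
        DistinguishedName base = dn == null ? DistinguishedName.EMPTY_PATH : new DistinguishedName(dn);
        AndFilter filter = new AndFilter();
        for (int i = 0; i < attributes.length; i++) {
            filter.and(new EqualsFilter(attributes[i], values[i]));
        }
        return this.ldap.search(base, filter.encode(), getContextMapper());
    }

    /** Records {@code dn} as the LDAP identity of the user with id {@code userId}. */
    @RolesAllowed({"system"})
    @Transactional(readOnly = false)
    public void setDN(@NotNull Long userId, String dn) {
        this.sql.setUserDn(userId, dn);
    }

    /** @return whether LDAP support is enabled in the configuration */
    @RolesAllowed({"system"})
    public boolean getSetting() {
        return this.config.isEnabled();
    }

    /**
     * Brings the OMERO account for {@code username} in line with its directory
     * entry: group memberships are added/removed to match the LDAP-derived
     * groups, and the profile fields in {@link #SYNCED_FIELDS} are overwritten
     * with the directory values. Does nothing unless {@code sync_on_login} is set.
     *
     * @throws ApiUsageException if no OMERO user or no unique LDAP entry exists for the name
     */
    public void synchronizeLdapUser(String username) {
        Log log = getBeanHelper().getLogger();
        if (!this.config.isSyncOnLogin()) {
            if (log.isTraceEnabled()) {
                log.trace("sync_on_login=false");
            }
            return;
        }
        Experimenter omeUser = this.iQuery.findByString(Experimenter.class, "omeName", username);
        if (omeUser == null) {
            throw new ApiUsageException("No OMERO user found for omeName: " + username);
        }
        Experimenter ldapUser = findExperimenter(username);
        DistinguishedName dn = new DistinguishedName(getContextMapper().getDn(ldapUser));
        List<Long> ldapGroups = loadLdapGroups(username, dn);

        List<?> rows = this.iQuery.projection(
                "select g.id from ExperimenterGroup g join g.groupExperimenterMap m join m.child e where e.id = :id",
                new Parameters().addId(omeUser.getId()));
        Set<Long> omeGroups = new HashSet<Long>();
        for (Object row : rows) {
            omeGroups.add((Long) ((Object[]) row)[0]);
        }
        // Groups only OMERO knows are removed; groups only LDAP knows are added.
        modifyGroups(omeUser, omeGroups, ldapGroups, false);
        modifyGroups(omeUser, ldapGroups, omeGroups, true);

        for (String field : SYNCED_FIELDS) {
            String fieldName = field.substring(field.indexOf("_") + 1);
            String omeValue = (String) omeUser.retrieve(field);
            String ldapValue = (String) ldapUser.retrieve(field);
            if (omeValue == null) {
                if (ldapValue != null) {
                    log.info(String.format("Setting %s for %s: null -> %s", fieldName, username, ldapValue));
                    omeUser.putAt(field, ldapValue);
                }
            } else if (!omeValue.equals(ldapValue)) {
                log.info(String.format("Changing %s for %s: %s -> %s", fieldName, username, omeValue, ldapValue));
                omeUser.putAt(field, ldapValue);
            }
        }
        this.iUpdate.flush();
    }

    /**
     * Applies the set difference {@code from \ to} to the user's memberships,
     * adding when {@code add} is true and removing otherwise. The system and
     * user groups are never added or removed by this method.
     */
    private void modifyGroups(Experimenter user, Collection<Long> from, Collection<Long> to, boolean add) {
        Log log = getBeanHelper().getLogger();
        Set<Long> delta = new HashSet<Long>(from);
        delta.removeAll(to);
        delta.remove(Long.valueOf(this.roles.getSystemGroupId()));
        delta.remove(Long.valueOf(this.roles.getUserGroupId()));
        if (delta.isEmpty()) {
            return;
        }
        log.info(String.format("%s groups for %s: %s",
                add ? "Adding" : "Removing", user.getOmeName(), delta));
        ExperimenterGroup[] groups = new ExperimenterGroup[delta.size()];
        int i = 0;
        for (Long groupId : delta) {
            groups[i++] = new ExperimenterGroup(groupId, false);
        }
        if (add) {
            this.provider.addGroups(user, groups);
            promoteDefaultGroup(user, log);
        } else {
            this.provider.removeGroups(user, groups);
        }
    }

    /**
     * After groups were added: if the user's first membership is the built-in
     * user group and a second membership exists, make that second group the
     * default group instead.
     */
    private void promoteDefaultGroup(Experimenter user, Log log) {
        Experimenter reloaded = this.iQuery.get(Experimenter.class, user.getId().longValue());
        log.debug("sizeOfGroupExperimenterMap=" + reloaded.sizeOfGroupExperimenterMap());
        if (reloaded.sizeOfGroupExperimenterMap() > 1) {
            GroupExperimenterMap primary = reloaded.getGroupExperimenterMap(0);
            GroupExperimenterMap next = reloaded.getGroupExperimenterMap(1);
            log.debug("primary=" + primary.parent().getId());
            log.debug("next=" + next.parent().getId());
            if (primary.parent().getId().equals(Long.valueOf(this.roles.getUserGroupId()))) {
                log.debug("calling setDefaultGroup");
                this.provider.setDefaultGroup(reloaded, next.parent());
            }
        }
    }

    /**
     * Creates an OMERO account for an LDAP user, but only after the directory
     * has accepted {@code password} for that user's DN.
     *
     * <p>The first LDAP-derived group becomes the default group; the remaining
     * ones (deduplicated) plus the built-in user group become additional
     * memberships. The new user's DN is recorded via {@link #setDN}.
     *
     * @return {@code true} if the password was accepted and the account created,
     *         {@code false} if the bind failed (no account is created)
     * @throws ValidationException if no group can be derived for the user
     * @throws ApiUsageException   if no unique LDAP entry exists for {@code username}
     */
    public boolean createUserFromLdap(String username, String password) {
        Experimenter ldapUser = findExperimenter(username);
        DistinguishedName dn = new DistinguishedName(getContextMapper().getDn(ldapUser));
        // Bind first: nothing is written unless the directory accepts the credentials.
        if (!validatePassword(dn.toString(), password)) {
            return false;
        }
        List<Long> groupIds = loadLdapGroups(username, dn);
        if (groupIds.isEmpty()) {
            throw new ValidationException("No group found for: " + dn);
        }
        ExperimenterGroup defaultGroup = new ExperimenterGroup(groupIds.remove(0), false);
        Set<Long> otherIds = new HashSet<Long>(groupIds);
        ExperimenterGroup[] others = new ExperimenterGroup[otherIds.size() + 1];
        int i = 0;
        for (Long groupId : otherIds) {
            others[i++] = new ExperimenterGroup(groupId, false);
        }
        others[i] = new ExperimenterGroup(Long.valueOf(this.roles.getUserGroupId()), false);
        long newUserId = this.provider.createExperimenter(ldapUser, defaultGroup, others);
        setDN(Long.valueOf(newUserId), dn.toString());
        return true;
    }

    /**
     * Resolves the OMERO group ids a new or synchronized LDAP user belongs to,
     * according to the {@code new_user_group} setting.
     *
     * <p>A plain name yields a single group created (or looked up) by the role
     * provider. A {@code :kind:argument} spec is delegated to the matching
     * {@link NewUserGroupBean}; the {@code bean} kind looks the bean up in the
     * application context by name.
     *
     * @param username the user's omeName
     * @param dn       the user's DN in the directory
     * @return a mutable list of group ids, in the order the strategy produced them
     * @throws ValidationException if the setting is missing or its spec is not supported
     */
    public List<Long> loadLdapGroups(String username, DistinguishedName dn) {
        String spec = this.config.getNewUserGroup();
        if (spec == null) {
            throw new ValidationException("new_user_group is not configured.");
        }
        List<Long> groupIds = new ArrayList<Long>();
        if (!spec.startsWith(":")) {
            groupIds.add(Long.valueOf(this.provider.createGroup(spec, null, false)));
            return groupIds;
        }
        Matcher matcher = NEW_USER_GROUP_SPEC.matcher(spec);
        if (!matcher.matches()) {
            throw new ValidationException(spec + " spec currently not supported.");
        }
        String kind = matcher.group(1);
        String argument = matcher.group(2);
        NewUserGroupBean strategy;
        AttributeSet attributes;
        if ("ou".equals(kind)) {
            strategy = new OrgUnitNewUserGroupBean(dn);
            attributes = getAttributeSet(username, getContextMapper());
        } else if ("filtered_attribute".equals(kind)) {
            strategy = new AttributeNewUserGroupBean(argument, true, false);
            attributes = getAttributeSet(username, getContextMapper(argument));
        } else if ("attribute".equals(kind)) {
            strategy = new AttributeNewUserGroupBean(argument, false, false);
            attributes = getAttributeSet(username, getContextMapper(argument));
        } else if ("filtered_dn_attribute".equals(kind)) {
            strategy = new AttributeNewUserGroupBean(argument, true, true);
            attributes = getAttributeSet(username, getContextMapper(argument));
        } else if ("dn_attribute".equals(kind)) {
            strategy = new AttributeNewUserGroupBean(argument, false, true);
            attributes = getAttributeSet(username, getContextMapper(argument));
        } else if ("query".equals(kind)) {
            strategy = new QueryNewUserGroupBean(argument);
            attributes = getAttributeSet(username, getContextMapper());
        } else if ("bean".equals(kind)) {
            strategy = (NewUserGroupBean) this.appContext.getBean(argument, NewUserGroupBean.class);
            attributes = getAttributeSet(username, getContextMapper());
        } else {
            // Unreachable while the pattern and this chain list the same kinds; kept as a guard.
            throw new ValidationException(spec + " spec currently not supported.");
        }
        groupIds.addAll(strategy.groups(username, this.config, this.ldap, this.provider, attributes));
        return groupIds;
    }

    /**
     * Loads the attributes of the user's directory entry via {@code mapper} and
     * adds the entry's DN under the key {@code "dn"}.
     */
    private AttributeSet getAttributeSet(String username, PersonContextMapper mapper) {
        Experimenter ldapUser = mapUserName(username, mapper);
        String dn = mapper.getDn(ldapUser);
        AttributeSet attributes = mapper.getAttributeSet(ldapUser);
        attributes.put("dn", dn);
        return attributes;
    }

    /**
     * Checks {@code password} for {@code dn} by binding to the directory.
     *
     * <p>Returns {@code false} for any bind failure, including directory
     * connectivity problems, so callers cannot distinguish a wrong password
     * from an unreachable server.
     */
    public boolean validatePassword(String dn, String password) {
        try {
            isAuthContext(dn, password);
            return true;
        } catch (SecurityViolation e) {
            return false;
        }
    }

    /** @return the user-id/DN mapping rows as provided by {@link SqlAction#dnExperimenterMaps} */
    public List<Map<String, Object>> lookupLdapAuthExperimenters() {
        return this.sql.dnExperimenterMaps();
    }

    /**
     * @return the DN recorded for the user with id {@code userId}, or {@code null}
     *         if no mapping exists
     */
    public String lookupLdapAuthExperimenter(Long userId) {
        try {
            return this.sql.dnForUser(userId);
        } catch (EmptyResultDataAccessException e) {
            return null;
        }
    }

    /** A mapper for the configured attributes, rooted at the directory base. */
    private PersonContextMapper getContextMapper() {
        return new PersonContextMapper(this.config, getBase());
    }

    /** A mapper that additionally reads {@code attribute}, rooted at the directory base. */
    private PersonContextMapper getContextMapper(String attribute) {
        return new PersonContextMapper(this.config, getBase(), attribute);
    }

    /**
     * Binds to the directory as {@code dn} with {@code password}; returns
     * normally on success.
     *
     * <p>An empty principal or credential is rejected up front: many
     * directories treat such a bind as anonymous and let it succeed, which must
     * never count as a verified login.
     *
     * @throws SecurityViolation if either value is missing, the bind is refused,
     *                           or any other naming error occurs
     */
    private void isAuthContext(String dn, String password) {
        if (isEmpty(dn) || isEmpty(password)) {
            throw new SecurityViolation("Refused to authenticate without username and password!");
        }
        try {
            Hashtable<Object, Object> env;
            DirContext readOnly = this.ctx.getReadOnlyContext();
            try {
                // Copy the settings so the shared context's environment is never mutated.
                env = new Hashtable<Object, Object>(readOnly.getEnvironment());
            } finally {
                readOnly.close();
            }
            env.put(Context.SECURITY_PRINCIPAL, dn);
            env.put(Context.SECURITY_CREDENTIALS, password);
            // Constructing the context performs the bind; close it to release the connection.
            new InitialLdapContext(env, (Control[]) null).close();
        } catch (AuthenticationException e) {
            throw new SecurityViolation("Authentication failure! " + e.toString());
        } catch (NamingException e) {
            throw new SecurityViolation("Naming exception! " + e.toString());
        }
    }

    /**
     * @return the base DN of the read-only context (one round trip per call)
     * @throws ApiUsageException if the base cannot be obtained
     */
    private String getBase() {
        try {
            DirContext readOnly = this.ctx.getReadOnlyContext();
            try {
                return readOnly.getNameInNamespace();
            } finally {
                readOnly.close();
            }
        } catch (NamingException e) {
            throw new ApiUsageException("Cannot get BASE from ContextSource. Naming exception! " + e.toString());
        }
    }

    /** @return {@code true} if {@code s} is {@code null} or the empty string */
    private static boolean isEmpty(String s) {
        return s == null || s.length() == 0;
    }
}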
