package de.otto.edison.authentication;

import com.unboundid.ldap.sdk.LDAPBindException;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import de.otto.edison.authentication.configuration.LdapProperties;
import de.otto.edison.authentication.connection.LdapConnectionFactory;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Iterator;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Stream;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:de/otto/edison/authentication/LdapAuthenticationFilter.class */
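/**
 * Servlet filter that authenticates each request by attempting an LDAP simple bind with the
 * credentials read from the request.
 *
 * <p>Requests whose servlet path starts with one of the configured allowlisted paths bypass the
 * filter. Every other request is answered with {@code 401} and a {@code WWW-Authenticate}
 * challenge unless a bind succeeds for one of the configured base DNs.
 */
public class LdapAuthenticationFilter extends OncePerRequestFilter {
    private static final Logger LOG = LoggerFactory.getLogger(LdapAuthenticationFilter.class);

    /** Characters that RFC 4514 requires to be backslash-escaped anywhere inside an RDN value. */
    private static final String RDN_SPECIAL_CHARS = "\"+,;<>\\";

    private final LdapProperties ldapProperties;
    private final LdapConnectionFactory ldapConnectionFactory;

    /**
     * Creates the filter.
     *
     * @param ldapProperties LDAP settings; must report {@code isValid()}
     * @param ldapConnectionFactory factory used to open one LDAP connection per authentication attempt
     * @throws IllegalStateException if {@code ldapProperties} is not valid
     */
    public LdapAuthenticationFilter(LdapProperties ldapProperties, LdapConnectionFactory ldapConnectionFactory) {
        if (!ldapProperties.isValid()) {
            throw new IllegalStateException("Invalid LdapProperties");
        }
        this.ldapProperties = ldapProperties;
        this.ldapConnectionFactory = ldapConnectionFactory;
    }

    /**
     * Decides whether the request skips authentication entirely.
     *
     * @param httpServletRequest the incoming request
     * @return {@code true} if the servlet path starts with any allowlisted path
     */
    @Override
    protected boolean shouldNotFilter(HttpServletRequest httpServletRequest) throws ServletException {
        String servletPath = httpServletRequest.getServletPath();
        // NOTE(review): this is a plain string-prefix match, so an allowlisted entry such as
        // "/internal" also exempts "/internal-admin". Allowlist entries should end at a path
        // boundary (trailing '/') when only a subtree is meant to be unauthenticated.
        return this.ldapProperties.getAllowlistedPaths().stream().anyMatch(servletPath::startsWith);
    }

    /**
     * Passes the request down the chain only after a successful LDAP bind; otherwise responds
     * with an authentication challenge and stops processing.
     */
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        Optional<Credentials> credentials = Credentials.readFrom(httpServletRequest);
        if (!credentials.isPresent()) {
            unauthorized(httpServletResponse);
            return;
        }
        Optional<HttpServletRequest> authenticatedRequest = tryToGetAuthenticatedRequest(httpServletRequest, credentials.get());
        if (authenticatedRequest.isPresent()) {
            filterChain.doFilter(authenticatedRequest.get(), httpServletResponse);
        } else {
            unauthorized(httpServletResponse);
        }
    }

    /**
     * Tries to bind as the user under each configured base DN, in order.
     *
     * <p>The connection is opened in a try-with-resources statement so it is closed on every
     * path, including when the bind or the role-checking wrapper throws. A rejected bind for one
     * base DN is logged and the next base DN is tried; any other LDAP or TLS error aborts the
     * attempt and is treated as "not authenticated" (fail closed).
     *
     * @return the request to continue with (wrapped for role checks when a role base DN is
     *     configured), or empty if no bind succeeded
     */
    private Optional<HttpServletRequest> tryToGetAuthenticatedRequest(HttpServletRequest httpServletRequest, Credentials credentials) {
        try (LDAPConnection ldapConnection = this.ldapConnectionFactory.buildLdapConnection()) {
            for (String baseDn : this.ldapProperties.getBaseDn()) {
                String userDn = userDnFrom(credentials, baseDn);
                try {
                    if (authenticate(ldapConnection, userDn, credentials.password())) {
                        // NOTE(review): the connection is closed when this method returns, so the
                        // role-checking wrapper presumably uses it only during construction - confirm.
                        return this.ldapProperties.getRoleBaseDn() != null
                                ? Optional.of(new LdapRoleCheckingRequest(httpServletRequest, ldapConnection, userDn, this.ldapProperties))
                                : Optional.of(httpServletRequest);
                    }
                } catch (LDAPBindException e) {
                    // Rejected under this base DN; the user may still exist under the next one.
                    LOG.debug("LDAPBindException for userDN: {}", userDn);
                }
            }
            // NOTE(review): the username comes straight from the request; the log layout should
            // neutralise CR/LF so a crafted value cannot forge additional log entries.
            LOG.warn("Could not bind to LDAP: {}", credentials.username());
        } catch (LDAPException | GeneralSecurityException e) {
            LOG.warn("Authentication error: ", e);
        }
        return Optional.empty();
    }

    /**
     * Writes a {@code 401} status and a Basic authentication challenge to the response.
     *
     * @param httpServletResponse the response to mark as unauthorized
     */
    void unauthorized(HttpServletResponse httpServletResponse) {
        // NOTE(review): RFC 7235 defines the realm parameter as a quoted-string; the value is
        // left as-is here because clients and tests may depend on the exact header text.
        httpServletResponse.addHeader("WWW-Authenticate", "Basic realm=Authorization Required");
        httpServletResponse.setStatus(HttpStatus.UNAUTHORIZED.value());
    }

    /**
     * Builds the DN to bind with: {@code <rdnIdentifier>=<username>,<baseDn>}.
     *
     * <p>The username is supplied by the client, so it is escaped as an RDN value before being
     * placed into the DN. Without escaping, a username containing {@code ,} or {@code +} could
     * change which entry the bind is performed against.
     *
     * @param credentials credentials read from the request
     * @param baseDn one of the configured base DNs
     * @return the user DN with the username escaped
     */
    String userDnFrom(Credentials credentials, String baseDn) {
        // String.valueOf keeps the previous format() rendering of a null username.
        String escapedUsername = escapeRdnValue(String.valueOf(credentials.username()));
        return String.format("%s=%s,%s", this.ldapProperties.getRdnIdentifier(), escapedUsername, baseDn);
    }

    /**
     * Performs a simple bind and reports whether it succeeded.
     *
     * @param ldapConnection open connection to bind on
     * @param userDn DN to bind as
     * @param password password supplied by the client
     * @return {@code true} only if the bind result code is {@code SUCCESS}
     * @throws LDAPException if the bind request fails
     */
    boolean authenticate(LDAPConnection ldapConnection, String userDn, String password) throws LDAPException {
        // A simple bind with a DN but no password is an "unauthenticated bind", which some
        // directory servers answer with success. Never let that count as a login, whatever
        // options the connection factory (not visible here) configured.
        if (password == null || password.isEmpty()) {
            LOG.warn("Access denied: {}", userDn);
            return false;
        }
        if (ldapConnection.bind(userDn, password).getResultCode().equals(ResultCode.SUCCESS)) {
            LOG.debug("Login successful: {}", userDn);
            return true;
        }
        LOG.warn("Access denied: {}", userDn);
        return false;
    }

    /**
     * Escapes a string for use as an attribute value inside a DN (RFC 4514): special characters,
     * a leading {@code #} or space and a trailing space get a backslash; ASCII control
     * characters are written as a backslash followed by two hex digits.
     */
    private static String escapeRdnValue(String value) {
        StringBuilder escaped = new StringBuilder(value.length() + 8);
        int lastIndex = value.length() - 1;
        for (int i = 0; i <= lastIndex; i++) {
            char c = value.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                escaped.append('\\')
                        .append(Character.toUpperCase(Character.forDigit(c >> 4, 16)))
                        .append(Character.toUpperCase(Character.forDigit(c & 0x0f, 16)));
                continue;
            }
            boolean edgeSpace = c == ' ' && (i == 0 || i == lastIndex);
            boolean leadingHash = c == '#' && i == 0;
            if (edgeSpace || leadingHash || RDN_SPECIAL_CHARS.indexOf(c) >= 0) {
                escaped.append('\\');
            }
            escaped.append(c);
        }
        return escaped.toString();
    }
}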
