package org.springframework.security.ldap.userdetails;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.ListIterator;
import java.util.Objects;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NameNotFoundException;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.ModificationItem;
import javax.naming.directory.SearchControls;
import javax.naming.ldap.Control;
import javax.naming.ldap.ExtendedRequest;
import javax.naming.ldap.ExtendedResponse;
import javax.naming.ldap.LdapContext;
import org.apache.commons.configuration2.tree.DefaultExpressionEngineSymbols;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.directory.api.ldap.model.constants.SchemaConstants;
import org.springframework.core.log.LogMessage;
import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.AttributesMapperCallbackHandler;
import org.springframework.ldap.core.ContextSource;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DistinguishedName;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.SearchExecutor;
import org.springframework.ldap.core.support.AbstractContextSource;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.ldap.DefaultLdapUsernameToDnMapper;
import org.springframework.security.ldap.LdapUsernameToDnMapper;
import org.springframework.security.ldap.LdapUtils;
import org.springframework.security.provisioning.UserDetailsManager;
import org.springframework.util.Assert;

/* loaded from: input_file:WEB-INF/lib/spring-security-ldap-5.6.6.jar:org/springframework/security/ldap/userdetails/LdapUserDetailsManager.class */
public class LdapUserDetailsManager implements UserDetailsManager {
    private final LdapTemplate template;
    private String[] attributesToRetrieve;
    private final Log logger = LogFactory.getLog(LdapUserDetailsManager.class);
    LdapUsernameToDnMapper usernameMapper = new DefaultLdapUsernameToDnMapper("cn=users", SchemaConstants.UID_AT);
    private DistinguishedName groupSearchBase = new DistinguishedName("cn=groups");
    private String passwordAttributeName = SchemaConstants.USER_PASSWORD_AT;
    private String groupRoleAttributeName = "cn";
    private String groupMemberAttributeName = "uniquemember";
    private final String rolePrefix = "ROLE_";
    private String groupSearchFilter = "(uniquemember={0})";
    private UserDetailsContextMapper userDetailsMapper = new InetOrgPersonContextMapper();
    private AttributesMapper roleMapper = attributes -> {
        String obj = attributes.get(this.groupRoleAttributeName).getAll().next().toString();
        StringBuilder sb = new StringBuilder();
        Objects.requireNonNull(this);
        return new SimpleGrantedAuthority(sb.append("ROLE_").append(obj.toUpperCase()).toString());
    };
    private boolean usePasswordModifyExtensionOperation = false;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/spring-security-ldap-5.6.6.jar:org/springframework/security/ldap/userdetails/LdapUserDetailsManager$PasswordModifyRequest.class */
    public static class PasswordModifyRequest implements ExtendedRequest {
        private static final byte SEQUENCE_TYPE = 48;
        private static final String PASSWORD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1";
        private static final byte USER_IDENTITY_OCTET_TYPE = Byte.MIN_VALUE;
        private static final byte OLD_PASSWORD_OCTET_TYPE = -127;
        private static final byte NEW_PASSWORD_OCTET_TYPE = -126;
        private final ByteArrayOutputStream value = new ByteArrayOutputStream();

        PasswordModifyRequest(String str, String str2, String str3) {
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            if (str != null) {
                berEncode(Byte.MIN_VALUE, str.getBytes(), byteArrayOutputStream);
            }
            if (str2 != null) {
                berEncode((byte) -127, str2.getBytes(), byteArrayOutputStream);
            }
            if (str3 != null) {
                berEncode((byte) -126, str3.getBytes(), byteArrayOutputStream);
            }
            berEncode((byte) 48, byteArrayOutputStream.toByteArray(), this.value);
        }

        public String getID() {
            return "1.3.6.1.4.1.4203.1.11.1";
        }

        public byte[] getEncodedValue() {
            return this.value.toByteArray();
        }

        public ExtendedResponse createExtendedResponse(String str, byte[] bArr, int i, int i2) {
            return null;
        }

        private void berEncode(byte b, byte[] bArr, ByteArrayOutputStream byteArrayOutputStream) {
            int length = bArr.length;
            byteArrayOutputStream.write(b);
            if (length < 128) {
                byteArrayOutputStream.write(length);
            } else if ((length & 255) == length) {
                byteArrayOutputStream.write(OLD_PASSWORD_OCTET_TYPE);
                byteArrayOutputStream.write((byte) (length & 255));
            } else if ((length & 65535) == length) {
                byteArrayOutputStream.write(NEW_PASSWORD_OCTET_TYPE);
                byteArrayOutputStream.write((byte) ((length >> 8) & 255));
                byteArrayOutputStream.write((byte) (length & 255));
            } else if ((length & 16777215) == length) {
                byteArrayOutputStream.write(-125);
                byteArrayOutputStream.write((byte) ((length >> 16) & 255));
                byteArrayOutputStream.write((byte) ((length >> 8) & 255));
                byteArrayOutputStream.write((byte) (length & 255));
            } else {
                byteArrayOutputStream.write(-124);
                byteArrayOutputStream.write((byte) ((length >> 24) & 255));
                byteArrayOutputStream.write((byte) ((length >> 16) & 255));
                byteArrayOutputStream.write((byte) ((length >> 8) & 255));
                byteArrayOutputStream.write((byte) (length & 255));
            }
            try {
                byteArrayOutputStream.write(bArr);
            } catch (IOException e) {
                throw new IllegalArgumentException("Failed to BER encode provided value of type: " + ((int) b));
            }
        }
    }

    public LdapUserDetailsManager(ContextSource contextSource) {
        this.template = new LdapTemplate(contextSource);
    }

    @Override // org.springframework.security.core.userdetails.UserDetailsService
    public UserDetails loadUserByUsername(String str) {
        DistinguishedName buildDn = this.usernameMapper.buildDn(str);
        List<GrantedAuthority> userAuthorities = getUserAuthorities(buildDn, str);
        this.logger.debug(LogMessage.format("Loading user '%s' with DN '%s'", str, buildDn));
        return this.userDetailsMapper.mapUserFromContext(loadUserAsContext(buildDn, str), str, userAuthorities);
    }

    private DirContextAdapter loadUserAsContext(DistinguishedName distinguishedName, String str) {
        return (DirContextAdapter) this.template.executeReadOnly(dirContext -> {
            try {
                return new DirContextAdapter(dirContext.getAttributes(distinguishedName, this.attributesToRetrieve), LdapUtils.getFullDn(distinguishedName, dirContext));
            } catch (NameNotFoundException e) {
                throw new UsernameNotFoundException("User " + str + " not found", e);
            }
        });
    }

    @Override // org.springframework.security.provisioning.UserDetailsManager
    public void changePassword(String str, String str2) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        Assert.notNull(authentication, "No authentication object found in security context. Can't change current user's password!");
        String name = authentication.getName();
        this.logger.debug(LogMessage.format("Changing password for user '%s'", name));
        DistinguishedName buildDn = this.usernameMapper.buildDn(name);
        if (this.usePasswordModifyExtensionOperation) {
            changePasswordUsingExtensionOperation(buildDn, str, str2);
        } else {
            changePasswordUsingAttributeModification(buildDn, str, str2);
        }
    }

    List<GrantedAuthority> getUserAuthorities(DistinguishedName distinguishedName, String str) {
        SearchExecutor searchExecutor = dirContext -> {
            DistinguishedName fullDn = LdapUtils.getFullDn(distinguishedName, dirContext);
            SearchControls searchControls = new SearchControls();
            searchControls.setReturningAttributes(new String[]{this.groupRoleAttributeName});
            return dirContext.search(this.groupSearchBase, this.groupSearchFilter, new String[]{fullDn.toUrl(), str}, searchControls);
        };
        AttributesMapperCallbackHandler attributesMapperCallbackHandler = new AttributesMapperCallbackHandler(this.roleMapper);
        this.template.search(searchExecutor, attributesMapperCallbackHandler);
        return attributesMapperCallbackHandler.getList();
    }

    @Override // org.springframework.security.provisioning.UserDetailsManager
    public void createUser(UserDetails userDetails) {
        DirContextAdapter dirContextAdapter = new DirContextAdapter();
        copyToContext(userDetails, dirContextAdapter);
        DistinguishedName buildDn = this.usernameMapper.buildDn(userDetails.getUsername());
        this.logger.debug(LogMessage.format("Creating new user '%s' with DN '%s'", userDetails.getUsername(), buildDn));
        this.template.bind(buildDn, dirContextAdapter, (Attributes) null);
        List<GrantedAuthority> userAuthorities = getUserAuthorities(buildDn, userDetails.getUsername());
        if (userAuthorities.size() > 0) {
            removeAuthorities(buildDn, userAuthorities);
        }
        addAuthorities(buildDn, userDetails.getAuthorities());
    }

    @Override // org.springframework.security.provisioning.UserDetailsManager
    public void updateUser(UserDetails userDetails) {
        DistinguishedName buildDn = this.usernameMapper.buildDn(userDetails.getUsername());
        this.logger.debug(LogMessage.format("Updating new user '%s' with DN '%s'", userDetails.getUsername(), buildDn));
        List<GrantedAuthority> userAuthorities = getUserAuthorities(buildDn, userDetails.getUsername());
        DirContextAdapter loadUserAsContext = loadUserAsContext(buildDn, userDetails.getUsername());
        loadUserAsContext.setUpdateMode(true);
        copyToContext(userDetails, loadUserAsContext);
        LinkedList linkedList = new LinkedList(Arrays.asList(loadUserAsContext.getModificationItems()));
        ListIterator listIterator = linkedList.listIterator();
        while (listIterator.hasNext()) {
            if ("objectclass".equalsIgnoreCase(((ModificationItem) listIterator.next()).getAttribute().getID())) {
                listIterator.remove();
            }
        }
        this.template.modifyAttributes(buildDn, (ModificationItem[]) linkedList.toArray(new ModificationItem[0]));
        removeAuthorities(buildDn, userAuthorities);
        addAuthorities(buildDn, userDetails.getAuthorities());
    }

    @Override // org.springframework.security.provisioning.UserDetailsManager
    public void deleteUser(String str) {
        DistinguishedName buildDn = this.usernameMapper.buildDn(str);
        removeAuthorities(buildDn, getUserAuthorities(buildDn, str));
        this.template.unbind(buildDn);
    }

    @Override // org.springframework.security.provisioning.UserDetailsManager
    public boolean userExists(String str) {
        try {
            Object lookup = this.template.lookup(this.usernameMapper.buildDn(str));
            if (!(lookup instanceof Context)) {
                return true;
            }
            LdapUtils.closeContext((Context) lookup);
            return true;
        } catch (org.springframework.ldap.NameNotFoundException e) {
            return false;
        }
    }

    protected DistinguishedName buildGroupDn(String str) {
        DistinguishedName distinguishedName = new DistinguishedName(this.groupSearchBase);
        distinguishedName.add(this.groupRoleAttributeName, str.toLowerCase());
        return distinguishedName;
    }

    protected void copyToContext(UserDetails userDetails, DirContextAdapter dirContextAdapter) {
        this.userDetailsMapper.mapUserToContext(userDetails, dirContextAdapter);
    }

    protected void addAuthorities(DistinguishedName distinguishedName, Collection<? extends GrantedAuthority> collection) {
        modifyAuthorities(distinguishedName, collection, 1);
    }

    protected void removeAuthorities(DistinguishedName distinguishedName, Collection<? extends GrantedAuthority> collection) {
        modifyAuthorities(distinguishedName, collection, 3);
    }

    private void modifyAuthorities(DistinguishedName distinguishedName, Collection<? extends GrantedAuthority> collection, int i) {
        this.template.executeReadWrite(dirContext -> {
            Iterator it = collection.iterator();
            while (it.hasNext()) {
                dirContext.modifyAttributes(buildGroupDn(convertAuthorityToGroup((GrantedAuthority) it.next())), new ModificationItem[]{new ModificationItem(i, new BasicAttribute(this.groupMemberAttributeName, LdapUtils.getFullDn(distinguishedName, dirContext).toUrl()))});
            }
            return null;
        });
    }

    private String convertAuthorityToGroup(GrantedAuthority grantedAuthority) {
        String authority = grantedAuthority.getAuthority();
        Objects.requireNonNull(this);
        if (authority.startsWith("ROLE_")) {
            Objects.requireNonNull(this);
            authority = authority.substring("ROLE_".length());
        }
        return authority;
    }

    public void setUsernameMapper(LdapUsernameToDnMapper ldapUsernameToDnMapper) {
        this.usernameMapper = ldapUsernameToDnMapper;
    }

    public void setPasswordAttributeName(String str) {
        this.passwordAttributeName = str;
    }

    public void setGroupSearchBase(String str) {
        this.groupSearchBase = new DistinguishedName(str);
    }

    public void setGroupRoleAttributeName(String str) {
        this.groupRoleAttributeName = str;
    }

    public void setAttributesToRetrieve(String[] strArr) {
        Assert.notNull(strArr, "attributesToRetrieve cannot be null");
        this.attributesToRetrieve = strArr;
    }

    public void setUserDetailsMapper(UserDetailsContextMapper userDetailsContextMapper) {
        this.userDetailsMapper = userDetailsContextMapper;
    }

    public void setGroupMemberAttributeName(String str) {
        Assert.hasText(str, "groupMemberAttributeName should have text");
        this.groupMemberAttributeName = str;
        this.groupSearchFilter = DefaultExpressionEngineSymbols.DEFAULT_INDEX_START + str + "={0})";
    }

    public void setRoleMapper(AttributesMapper attributesMapper) {
        this.roleMapper = attributesMapper;
    }

    public void setUsePasswordModifyExtensionOperation(boolean z) {
        this.usePasswordModifyExtensionOperation = z;
    }

    private void changePasswordUsingAttributeModification(DistinguishedName distinguishedName, String str, String str2) {
        ModificationItem[] modificationItemArr = {new ModificationItem(2, new BasicAttribute(this.passwordAttributeName, str2))};
        if (str == null) {
            this.template.modifyAttributes(distinguishedName, modificationItemArr);
        } else {
            this.template.executeReadWrite(dirContext -> {
                LdapContext ldapContext = (LdapContext) dirContext;
                ldapContext.removeFromEnvironment(AbstractContextSource.SUN_LDAP_POOLING_FLAG);
                ldapContext.addToEnvironment("java.naming.security.principal", LdapUtils.getFullDn(distinguishedName, ldapContext).toString());
                ldapContext.addToEnvironment("java.naming.security.credentials", str);
                try {
                    ldapContext.reconnect((Control[]) null);
                    ldapContext.modifyAttributes(distinguishedName, modificationItemArr);
                    return null;
                } catch (AuthenticationException e) {
                    throw new BadCredentialsException("Authentication for password change failed.");
                }
            });
        }
    }

    private void changePasswordUsingExtensionOperation(DistinguishedName distinguishedName, String str, String str2) {
        this.template.executeReadWrite(dirContext -> {
            LdapContext ldapContext = (LdapContext) dirContext;
            try {
                return ldapContext.extendedOperation(new PasswordModifyRequest(LdapUtils.getFullDn(distinguishedName, ldapContext).encode(), str, str2));
            } catch (AuthenticationException e) {
                throw new BadCredentialsException("Authentication for password change failed.");
            }
        });
    }
}
