package org.glassfish.soteria.identitystores;

import jakarta.security.enterprise.credential.Credential;
import jakarta.security.enterprise.credential.UsernamePasswordCredential;
import jakarta.security.enterprise.identitystore.CredentialValidationResult;
import jakarta.security.enterprise.identitystore.IdentityStore;
import jakarta.security.enterprise.identitystore.IdentityStorePermission;
import jakarta.security.enterprise.identitystore.LdapIdentityStoreDefinition;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NameNotFoundException;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.InvalidSearchControlsException;
import javax.naming.directory.InvalidSearchFilterException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.glassfish.internal.api.ORBLocator;

/* loaded from: input_file:org/glassfish/soteria/identitystores/LdapIdentityStore.class */
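/**
 * {@link IdentityStore} that validates {@link UsernamePasswordCredential}s against an LDAP
 * directory described by a {@link LdapIdentityStoreDefinition}.
 *
 * <p>Validation proceeds in three steps: (1) bind with the configured {@code bindDn} and resolve
 * the caller's DN, either by direct construction from {@code callerBaseDn} or by a search under
 * {@code callerSearchBase}; (2) bind as that DN with the supplied password -- success of that bind
 * is the credential check; (3) if {@link IdentityStore.ValidationType#PROVIDE_GROUPS} is enabled,
 * collect the caller's groups, either from the caller entry's {@code groupMemberOfAttribute} or by
 * a group search under {@code groupSearchBase}.
 *
 * <p>Caller-supplied values are escaped before being spliced into search filters (RFC 4515) or
 * DNs (RFC 4514), and a bind is never attempted with an empty password: an LDAP simple bind
 * without a password is an <em>unauthenticated</em> bind (RFC 4513 section 5.1.2) that many
 * servers answer with success.
 *
 * <p>Instances hold only immutable configuration; every operation opens and closes its own
 * {@link LdapContext}.
 */
public class LdapIdentityStore implements IdentityStore {

    /**
     * Filter used to locate the caller entry when no {@code callerSearchFilter} is configured.
     * The first {@code %s} is the caller name attribute, the second the (filter-escaped) caller name.
     */
    private static final String DEFAULT_USER_FILTER = "(&(%s=%s)(|(objectclass=user)(objectclass=person)(objectclass=inetOrgPerson)(objectclass=organizationalPerson))(!(objectclass=computer)))";

    /**
     * Filter used to locate the caller's groups when no {@code groupSearchFilter} is configured.
     * The first {@code %s} is the group member attribute, the second the (filter-escaped) caller DN.
     */
    private static final String DEFAULT_GROUP_FILTER = "(&(%s=%s)(|(objectclass=group)(objectclass=groupofnames)(objectclass=groupofuniquenames)))";

    /** Configuration this store was created from; {@code null} only for the proxying constructor. */
    private final LdapIdentityStoreDefinition ldapIdentityStoreDefinition;

    /** Unmodifiable view of {@code useFor()} from the definition. */
    private final Set<IdentityStore.ValidationType> validationTypes;

    /**
     * No-argument constructor for container proxying only. The resulting instance has no
     * configuration and must not be used directly.
     */
    protected LdapIdentityStore() {
        this.ldapIdentityStoreDefinition = null;
        this.validationTypes = null;
    }

    /**
     * Creates a store backed by the given definition.
     *
     * @param ldapIdentityStoreDefinition the LDAP configuration; must not be {@code null}
     * @throws NullPointerException if {@code ldapIdentityStoreDefinition} is {@code null}
     */
    public LdapIdentityStore(LdapIdentityStoreDefinition ldapIdentityStoreDefinition) {
        this.ldapIdentityStoreDefinition =
            Objects.requireNonNull(ldapIdentityStoreDefinition, "ldapIdentityStoreDefinition");
        this.validationTypes = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList(ldapIdentityStoreDefinition.useFor())));
    }

    /**
     * Validates the credential if it is a {@link UsernamePasswordCredential}; any other credential
     * type is reported as {@link CredentialValidationResult#NOT_VALIDATED_RESULT}.
     *
     * @param credential the credential to validate
     * @return the validation result, never {@code null}
     */
    @Override // jakarta.security.enterprise.identitystore.IdentityStore
    public CredentialValidationResult validate(Credential credential) {
        if (credential instanceof UsernamePasswordCredential) {
            return validate((UsernamePasswordCredential) credential);
        }
        return CredentialValidationResult.NOT_VALIDATED_RESULT;
    }

    /**
     * Validates a username/password pair by resolving the caller's DN and binding as that DN.
     *
     * <p>A blank caller name or an empty password is rejected before any directory access: the
     * former cannot name an entry, and the latter would turn the caller bind into an unauthenticated
     * simple bind, which must never count as a successful credential check.
     *
     * @param usernamePasswordCredential the caller name and password to verify
     * @return {@link CredentialValidationResult#INVALID_RESULT} when the caller is unknown,
     *     ambiguous or the bind fails; otherwise a valid result carrying the caller DN and, when
     *     {@code PROVIDE_GROUPS} is enabled, the caller's groups
     * @throws IdentityStoreConfigurationException if the search bind, URL or search settings are invalid
     * @throws IdentityStoreRuntimeException on other directory errors
     */
    public CredentialValidationResult validate(UsernamePasswordCredential usernamePasswordCredential) {
        String callerName = usernamePasswordCredential.getCaller();
        char[] password = usernamePasswordCredential.getPassword() == null
            ? null
            : usernamePasswordCredential.getPassword().getValue();
        if (callerName == null || callerName.isEmpty() || password == null || password.length == 0) {
            return CredentialValidationResult.INVALID_RESULT;
        }

        LdapContext searchContext = createSearchLdapContext();
        try {
            String callerDn = getCallerDn(searchContext, callerName);
            return validateCallerAndGetGroups(searchContext, callerDn, usernamePasswordCredential);
        } finally {
            closeContext(searchContext);
        }
    }

    /**
     * Resolves the caller's DN. When {@code callerBaseDn} is set and {@code callerSearchBase} is
     * empty the DN is built directly as {@code <callerNameAttribute>=<callerName>,<callerBaseDn>};
     * otherwise the caller entry is searched for.
     *
     * @param searchContext context bound with the configured {@code bindDn}
     * @param callerName the caller name as supplied by the credential or principal
     * @return the DN, or {@code null} when the caller name is blank or no unique entry matches
     */
    private String getCallerDn(LdapContext searchContext, String callerName) {
        if (callerName == null || callerName.isEmpty()) {
            return null;
        }
        boolean buildDnDirectly = !ldapIdentityStoreDefinition.callerBaseDn().isEmpty()
            && ldapIdentityStoreDefinition.callerSearchBase().isEmpty();
        if (buildDnDirectly) {
            // The caller name becomes an RDN attribute value, so it must be DN-escaped (RFC 4514)
            // rather than inserted verbatim.
            return String.format("%s=%s,%s",
                ldapIdentityStoreDefinition.callerNameAttribute(),
                Rdn.escapeValue(callerName),
                ldapIdentityStoreDefinition.callerBaseDn());
        }
        return searchCaller(searchContext, callerName);
    }

    /**
     * Performs the caller bind and, on success, assembles the validation result.
     *
     * @param searchContext context bound with the configured {@code bindDn}, used for the group lookup
     * @param callerDn the resolved caller DN, or {@code null} if none was found
     * @param usernamePasswordCredential the credential whose password is used for the bind
     * @return a valid result, or {@link CredentialValidationResult#INVALID_RESULT}
     */
    private CredentialValidationResult validateCallerAndGetGroups(
            LdapContext searchContext, String callerDn, UsernamePasswordCredential usernamePasswordCredential) {
        if (callerDn == null) {
            return CredentialValidationResult.INVALID_RESULT;
        }

        LdapContext callerContext = createCallerLdapContext(
            callerDn, new String(usernamePasswordCredential.getPassword().getValue()));
        if (callerContext == null) {
            return CredentialValidationResult.INVALID_RESULT;
        }
        // The successful bind is the whole proof; nothing is read through the caller's context.
        closeContext(callerContext);

        Set<String> groups = null;
        if (validationTypes().contains(IdentityStore.ValidationType.PROVIDE_GROUPS)) {
            groups = retrieveGroupsForCallerDn(searchContext, callerDn);
        }
        return new CredentialValidationResult(
            null, usernamePasswordCredential.getCaller(), callerDn, null, groups);
    }

    /**
     * Returns the groups of an already-validated caller, resolving the caller DN from the
     * principal name if the result does not carry one.
     *
     * @param credentialValidationResult a valid result from this or another store
     * @return the caller's group names; empty if the DN cannot be resolved
     * @throws SecurityException if a security manager is installed and denies
     *     {@code IdentityStorePermission("getGroups")}
     */
    @Override // jakarta.security.enterprise.identitystore.IdentityStore
    public Set<String> getCallerGroups(CredentialValidationResult credentialValidationResult) {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(new IdentityStorePermission("getGroups"));
        }

        LdapContext searchContext = createSearchLdapContext();
        try {
            String callerDn = credentialValidationResult.getCallerDn();
            if (callerDn == null || callerDn.isEmpty()) {
                callerDn = getCallerDn(searchContext, credentialValidationResult.getCallerPrincipal().getName());
            }
            return retrieveGroupsForCallerDn(searchContext, callerDn);
        } finally {
            closeContext(searchContext);
        }
    }

    /**
     * Chooses the group lookup strategy: the caller entry's member-of attribute when
     * {@code groupSearchBase} is empty and {@code groupMemberOfAttribute} is set, otherwise a
     * group search.
     *
     * @param searchContext context bound with the configured {@code bindDn}
     * @param callerDn the caller DN; blank yields an empty set
     * @return the caller's group names, never {@code null}
     */
    private Set<String> retrieveGroupsForCallerDn(LdapContext searchContext, String callerDn) {
        if (callerDn == null || callerDn.isEmpty()) {
            return Collections.emptySet();
        }
        boolean readFromCallerEntry = ldapIdentityStoreDefinition.groupSearchBase().isEmpty()
            && !ldapIdentityStoreDefinition.groupMemberOfAttribute().isEmpty();
        if (readFromCallerEntry) {
            return retrieveGroupsFromCallerObject(callerDn, searchContext);
        }
        return retrieveGroupsBySearching(callerDn, searchContext);
    }

    /**
     * Searches for group entries that list the caller DN as a member and collects the values of
     * {@code groupNameAttribute} from each match.
     *
     * @param callerDn the caller DN used as the member value in the group filter
     * @param searchContext context bound with the configured {@code bindDn}
     * @return the group names found, never {@code null}
     * @throws IdentityStoreRuntimeException if reading an attribute fails
     */
    private Set<String> retrieveGroupsBySearching(String callerDn, LdapContext searchContext) {
        List<SearchResult> groupEntries = searchGroups(searchContext, callerDn);
        String groupNameAttribute = ldapIdentityStoreDefinition.groupNameAttribute();
        Set<String> groups = new HashSet<>();
        try {
            for (SearchResult groupEntry : groupEntries) {
                Attribute nameAttribute = groupEntry.getAttributes().get(groupNameAttribute);
                if (nameAttribute == null) {
                    continue;
                }
                for (Object value : Collections.list(nameAttribute.getAll())) {
                    if (value != null) {
                        groups.add(value.toString());
                    }
                }
            }
        } catch (NamingException e) {
            throw new IdentityStoreRuntimeException(e);
        }
        return groups;
    }

    /**
     * Reads the caller entry's {@code groupMemberOfAttribute} and derives a group name from the
     * leaf RDN of every group DN it lists.
     *
     * @param callerDn the caller DN to read
     * @param searchContext context bound with the configured {@code bindDn}
     * @return the group names found, never {@code null}
     * @throws IdentityStoreRuntimeException if the attribute read fails
     * @throws IdentityStoreConfigurationException if a listed group DN has no {@code groupNameAttribute} RDN
     */
    private Set<String> retrieveGroupsFromCallerObject(String callerDn, LdapContext searchContext) {
        String memberOfAttribute = ldapIdentityStoreDefinition.groupMemberOfAttribute();
        String groupNameAttribute = ldapIdentityStoreDefinition.groupNameAttribute();
        try {
            // Only the one attribute we need is requested.
            Attribute memberOf = searchContext
                .getAttributes(callerDn, new String[] {memberOfAttribute})
                .get(memberOfAttribute);
            Set<String> groups = new HashSet<>();
            if (memberOf != null) {
                for (Object groupDn : Collections.list(memberOf.getAll())) {
                    if (groupDn == null) {
                        continue;
                    }
                    String groupName = getGroupNameFromDn(groupDn.toString(), groupNameAttribute);
                    if (groupName != null) {
                        groups.add(groupName);
                    }
                }
            }
            return groups;
        } catch (NamingException e) {
            throw new IdentityStoreRuntimeException(e);
        }
    }

    /**
     * Extracts the value of {@code groupNameAttribute} from the leaf RDN of a group DN.
     *
     * @param groupDn the group's distinguished name
     * @param groupNameAttribute the RDN attribute that carries the group name
     * @return the group name
     * @throws NamingException if {@code groupDn} is not a valid DN
     * @throws IdentityStoreConfigurationException if the DN is empty or its leaf RDN lacks the attribute
     */
    private static String getGroupNameFromDn(String groupDn, String groupNameAttribute) throws NamingException {
        LdapName ldapName = new LdapName(groupDn);
        if (ldapName.isEmpty()) {
            throw new IdentityStoreConfigurationException(
                "Group name attribute '" + groupNameAttribute + "' not found for DN: " + groupDn);
        }
        // LdapName indexes from the root, so the highest index is the leaf (leftmost) RDN.
        Attribute nameAttribute = ldapName.getRdn(ldapName.size() - 1).toAttributes().get(groupNameAttribute);
        if (nameAttribute == null) {
            throw new IdentityStoreConfigurationException(
                "Group name attribute '" + groupNameAttribute + "' not found for DN: " + groupDn);
        }
        return nameAttribute.get(0).toString();
    }

    /**
     * Searches for the caller entry under {@code callerSearchBase}.
     *
     * @param searchContext context bound with the configured {@code bindDn}
     * @param callerName the caller name; escaped before it is placed in the filter
     * @return the DN of the single matching entry, or {@code null} if there is no match or more
     *     than one -- an ambiguous name is treated as unknown rather than picking an entry
     */
    private String searchCaller(LdapContext searchContext, String callerName) {
        String configuredFilter = ldapIdentityStoreDefinition.callerSearchFilter();
        String escapedCallerName = escapeFilterValue(callerName);
        String filter;
        if (configuredFilter == null || configuredFilter.trim().isEmpty()) {
            filter = String.format(DEFAULT_USER_FILTER,
                ldapIdentityStoreDefinition.callerNameAttribute(), escapedCallerName);
        } else {
            filter = String.format(configuredFilter, escapedCallerName);
        }

        List<SearchResult> matches = search(searchContext,
            ldapIdentityStoreDefinition.callerSearchBase(), filter, getCallerSearchControls());
        if (matches.size() == 1) {
            return matches.get(0).getNameInNamespace();
        }
        return null;
    }

    /**
     * Searches for group entries under {@code groupSearchBase} whose member attribute holds the
     * caller DN.
     *
     * @param searchContext context bound with the configured {@code bindDn}
     * @param callerDn the caller DN; escaped before it is placed in the filter, since a DN may
     *     legitimately contain backslashes or parentheses
     * @return the matching group entries, never {@code null}
     */
    private List<SearchResult> searchGroups(LdapContext searchContext, String callerDn) {
        String configuredFilter = ldapIdentityStoreDefinition.groupSearchFilter();
        String escapedCallerDn = escapeFilterValue(callerDn);
        String filter;
        if (configuredFilter == null || configuredFilter.trim().isEmpty()) {
            filter = String.format(DEFAULT_GROUP_FILTER,
                ldapIdentityStoreDefinition.groupMemberAttribute(), escapedCallerDn);
        } else {
            filter = String.format(configuredFilter, escapedCallerDn);
        }
        return search(searchContext,
            ldapIdentityStoreDefinition.groupSearchBase(), filter, getGroupSearchControls());
    }

    /**
     * Escapes a string for use as an assertion value inside an LDAP search filter (RFC 4515
     * section 3), so that characters with structural meaning in a filter (parentheses, asterisk,
     * backslash, NUL) are matched literally instead of altering the filter. Non-ASCII characters
     * are left as-is; the JNDI provider encodes the complete filter.
     *
     * @param value the raw value, may be {@code null}
     * @return the escaped value, or {@code null} if {@code value} is {@code null}
     */
    private static String escapeFilterValue(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder escaped = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\':
                    escaped.append("\\5c");
                    break;
                case '*':
                    escaped.append("\\2a");
                    break;
                case '(':
                    escaped.append("\\28");
                    break;
                case ')':
                    escaped.append("\\29");
                    break;
                case '\0':
                    escaped.append("\\00");
                    break;
                default:
                    escaped.append(c);
            }
        }
        return escaped.toString();
    }

    /**
     * Runs a search and materialises its results, mapping configuration-type failures to
     * {@link IdentityStoreConfigurationException}.
     *
     * @param searchContext the bound context to search with
     * @param searchBase the base DN
     * @param filter the complete, already-escaped filter
     * @param searchControls scope, limits and returned attributes
     * @return all results, never {@code null}
     * @throws IdentityStoreConfigurationException for an unknown base, bad filter or bad controls
     * @throws IdentityStoreRuntimeException for any other naming error
     */
    private static List<SearchResult> search(
            LdapContext searchContext, String searchBase, String filter, SearchControls searchControls) {
        try {
            return Collections.list(searchContext.search(searchBase, filter, searchControls));
        } catch (NameNotFoundException e) {
            throw new IdentityStoreConfigurationException("Invalid searchBase", e);
        } catch (InvalidSearchFilterException e) {
            throw new IdentityStoreConfigurationException("Invalid search filter", e);
        } catch (InvalidSearchControlsException e) {
            throw new IdentityStoreConfigurationException("Invalid search controls", e);
        } catch (NamingException e) {
            throw new IdentityStoreRuntimeException(e);
        }
    }

    /** Builds the controls for the caller search: configured scope, {@code maxResults} and {@code readTimeout}. */
    private SearchControls getCallerSearchControls() {
        return newSearchControls(ldapIdentityStoreDefinition.callerSearchScope());
    }

    /**
     * Builds the controls for the group search: as for the caller search, but only
     * {@code groupNameAttribute} is returned since nothing else is read from a group entry.
     */
    private SearchControls getGroupSearchControls() {
        SearchControls searchControls = newSearchControls(ldapIdentityStoreDefinition.groupSearchScope());
        searchControls.setReturningAttributes(new String[] {ldapIdentityStoreDefinition.groupNameAttribute()});
        return searchControls;
    }

    /**
     * Creates controls with the given scope and the definition's shared limits.
     *
     * @param scope the configured search scope
     * @return fresh controls; {@code maxResults} bounds the count and {@code readTimeout} the time
     */
    private SearchControls newSearchControls(LdapIdentityStoreDefinition.LdapSearchScope scope) {
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(convertScopeValue(scope));
        searchControls.setCountLimit(ldapIdentityStoreDefinition.maxResults());
        searchControls.setTimeLimit(ldapIdentityStoreDefinition.readTimeout());
        return searchControls;
    }

    /**
     * Maps the definition's scope enum onto the JNDI scope constants.
     *
     * @param ldapSearchScope the configured scope
     * @return {@link SearchControls#SUBTREE_SCOPE} for {@code SUBTREE}, otherwise
     *     {@link SearchControls#ONELEVEL_SCOPE} (also for {@code null})
     */
    private static int convertScopeValue(LdapIdentityStoreDefinition.LdapSearchScope ldapSearchScope) {
        if (ldapSearchScope == LdapIdentityStoreDefinition.LdapSearchScope.SUBTREE) {
            return SearchControls.SUBTREE_SCOPE;
        }
        return SearchControls.ONELEVEL_SCOPE;
    }

    /**
     * Opens a context bound with the configured {@code bindDn}/{@code bindDnPassword}.
     *
     * @return the bound context; the caller must close it
     * @throws IdentityStoreConfigurationException if the bind credentials or URL are rejected
     * @throws IdentityStoreRuntimeException on other connection errors
     */
    private LdapContext createSearchLdapContext() {
        try {
            return createLdapContext(
                ldapIdentityStoreDefinition.url(),
                ldapIdentityStoreDefinition.bindDn(),
                ldapIdentityStoreDefinition.bindDnPassword());
        } catch (AuthenticationException e) {
            // The search bind uses configured, not caller-supplied, credentials, so a rejection
            // is a deployment problem rather than a validation outcome.
            throw new IdentityStoreConfigurationException(
                "Bad bindDn or bindPassword for: " + ldapIdentityStoreDefinition.bindDn(), e);
        }
    }

    /**
     * Attempts the caller bind. A rejected bind is the ordinary "wrong password" case and yields
     * {@code null}; an empty DN or password never reaches the server, because a simple bind with
     * an empty password is an unauthenticated bind that a server may accept.
     *
     * @param callerDn the DN to bind as
     * @param password the caller's password
     * @return the bound context, or {@code null} if the credentials are empty or rejected
     */
    private LdapContext createCallerLdapContext(String callerDn, String password) {
        if (callerDn == null || callerDn.isEmpty() || password == null || password.isEmpty()) {
            return null;
        }
        try {
            return createLdapContext(ldapIdentityStoreDefinition.url(), callerDn, password);
        } catch (AuthenticationException ignored) {
            // Bind rejected: that is the negative validation result, not an error to propagate.
            return null;
        }
    }

    /**
     * Opens an {@link InitialLdapContext} with a simple bind. Simple authentication sends the
     * password as-is, so the URL is expected to use a protected transport.
     *
     * @param url the provider URL
     * @param bindDn the DN to bind as
     * @param bindPassword the password for {@code bindDn}
     * @return the bound context; the caller must close it
     * @throws AuthenticationException if the server rejects the bind
     * @throws IdentityStoreConfigurationException if the server cannot be reached at {@code url}
     * @throws IdentityStoreRuntimeException on any other naming error
     */
    private static LdapContext createLdapContext(String url, String bindDn, String bindPassword)
            throws AuthenticationException {
        Hashtable<String, Object> environment = new Hashtable<>();
        environment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        environment.put(Context.PROVIDER_URL, url);
        environment.put(Context.SECURITY_AUTHENTICATION, "simple");
        environment.put(Context.SECURITY_PRINCIPAL, bindDn);
        environment.put(Context.SECURITY_CREDENTIALS, bindPassword);
        try {
            return new InitialLdapContext(environment, (Control[]) null);
        } catch (AuthenticationException e) {
            throw e;
        } catch (CommunicationException e) {
            throw new IdentityStoreConfigurationException("Bad connection URL: " + url, e);
        } catch (NamingException e) {
            throw new IdentityStoreRuntimeException(e);
        }
    }

    /**
     * Closes a context, tolerating {@code null} and close failures.
     *
     * @param ldapContext the context to close, may be {@code null}
     */
    private static void closeContext(LdapContext ldapContext) {
        if (ldapContext == null) {
            return;
        }
        try {
            ldapContext.close();
        } catch (NamingException ignored) {
            // Best-effort cleanup: the operation that needed the context has already finished.
        }
    }

    /** @return the priority configured in the definition */
    @Override // jakarta.security.enterprise.identitystore.IdentityStore
    public int priority() {
        return ldapIdentityStoreDefinition.priority();
    }

    /** @return the unmodifiable set of validation types configured via {@code useFor()} */
    @Override // jakarta.security.enterprise.identitystore.IdentityStore
    public Set<IdentityStore.ValidationType> validationTypes() {
        return validationTypes;
    }
}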
