package org.geoserver.security.ldap;

import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicReference;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.stream.Collectors;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.mutable.MutableObject;
import org.geoserver.security.GeoServerUserGroupService;
import org.geoserver.security.GeoServerUserGroupStore;
import org.geoserver.security.config.SecurityNamedServiceConfig;
import org.geoserver.security.event.UserGroupLoadedListener;
import org.geoserver.security.impl.GeoServerUser;
import org.geoserver.security.impl.GeoServerUserGroup;
import org.geoserver.security.impl.RoleCalculator;
import org.geotools.util.logging.Logging;
import org.springframework.dao.IncorrectResultSizeDataAccessException;
import org.springframework.ldap.core.ContextMapper;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.util.Assert;

/* loaded from: input_file:WEB-INF/lib/gs-sec-ldap-2.25.3.jar:org/geoserver/security/ldap/LDAPUserGroupService.class */
public class LDAPUserGroupService extends LDAPBaseSecurityService implements GeoServerUserGroupService {
    private static final Logger LOGGER = Logging.getLogger("org.geoserver.security.ldap");
    private String passwordEncoderName;
    private String passwordValidatorName;
    private String[] populatedAttributes = new String[0];

    public LDAPUserGroupService(SecurityNamedServiceConfig securityNamedServiceConfig) throws IOException {
        initializeFromConfig(securityNamedServiceConfig);
    }

    @Override // org.geoserver.security.ldap.LDAPBaseSecurityService, org.geoserver.security.impl.AbstractGeoServerSecurityService, org.geoserver.security.GeoServerSecurityService
    public void initializeFromConfig(SecurityNamedServiceConfig securityNamedServiceConfig) throws IOException {
        super.initializeFromConfig(securityNamedServiceConfig);
        LDAPUserGroupServiceConfig lDAPUserGroupServiceConfig = (LDAPUserGroupServiceConfig) securityNamedServiceConfig;
        this.passwordEncoderName = lDAPUserGroupServiceConfig.getPasswordEncoderName();
        this.passwordValidatorName = lDAPUserGroupServiceConfig.getPasswordPolicyName();
        if (isEmpty(lDAPUserGroupServiceConfig.getPopulatedAttributes())) {
            return;
        }
        this.populatedAttributes = lDAPUserGroupServiceConfig.getPopulatedAttributes().trim().split("[\\s]*,[\\s]*");
    }

    @Override // org.geoserver.security.GeoServerUserGroupService
    public GeoServerUserGroupStore createStore() throws IOException {
        return null;
    }

    @Override // org.geoserver.security.GeoServerUserGroupService
    public void load() throws IOException {
    }

    @Override // org.geoserver.security.GeoServerUserGroupService
    public void registerUserGroupLoadedListener(UserGroupLoadedListener userGroupLoadedListener) {
    }

    @Override // org.geoserver.security.GeoServerUserGroupService
    public void unregisterUserGroupLoadedListener(UserGroupLoadedListener userGroupLoadedListener) {
    }

    @Override // org.geoserver.security.GeoServerUserGroupService
    public String getPasswordEncoderName() {
        return this.passwordEncoderName;
    }

    @Override // org.geoserver.security.GeoServerUserGroupService
    public String getPasswordValidatorName() {
        return this.passwordValidatorName;
    }

    @Override // org.geoserver.security.GeoServerUserGroupService
    public GeoServerUser createUserObject(String str, String str2, boolean z) throws IOException {
        GeoServerUser geoServerUser = new GeoServerUser(str);
        geoServerUser.setEnabled(z);
        geoServerUser.setPassword(str2);
        return geoServerUser;
    }

    @Override // org.geoserver.security.GeoServerUserGroupService
    public GeoServerUserGroup createGroupObject(String str, boolean z) throws IOException {
        GeoServerUserGroup geoServerUserGroup = new GeoServerUserGroup(str);
        geoServerUserGroup.setEnabled(z);
        return geoServerUserGroup;
    }

    @Override // org.geoserver.security.GeoServerUserGroupService
    public SortedSet<GeoServerUserGroup> getUserGroups() {
        TreeSet treeSet = new TreeSet();
        authenticateIfNeeded((dirContext, ldapEntryIdentification) -> {
            Iterator<String> it2 = LDAPUtils.getLdapTemplateInContext(dirContext, this.template).searchForSingleAttributeValues(this.groupSearchBase, this.allGroupsSearchFilter, new String[0], this.groupNameAttribute).iterator();
            while (it2.hasNext()) {
                treeSet.add(new GeoServerUserGroup(it2.next()));
            }
        });
        return Collections.unmodifiableSortedSet(treeSet);
    }

    protected GeoServerUser createUser(DirContextOperations dirContextOperations) {
        GeoServerUser geoServerUser = new GeoServerUser(dirContextOperations.getStringAttribute(this.userNameAttribute));
        for (String str : this.populatedAttributes) {
            try {
                Attribute attribute = dirContextOperations.getAttributes().get(str.toLowerCase());
                if (attribute != null) {
                    Object obj = attribute.get();
                    if (obj instanceof String) {
                        geoServerUser.getProperties().put(str, obj);
                    }
                }
            } catch (NamingException e) {
                LOGGER.log(Level.WARNING, "Could not populate value for user attribute " + str, e);
            }
        }
        return geoServerUser;
    }

    protected ContextMapper<Object> addToUsers(SortedSet<GeoServerUser> sortedSet) {
        return obj -> {
            sortedSet.add(createUser((DirContextAdapter) obj));
            return null;
        };
    }

    @Override // org.geoserver.security.GeoServerUserGroupService
    public SortedSet<GeoServerUser> getUsers() {
        TreeSet treeSet = new TreeSet();
        authenticateIfNeeded((dirContext, ldapEntryIdentification) -> {
            LDAPUtils.getLdapTemplateInContext(dirContext, this.template).search(this.userSearchBase, LDAPUtils.escapeSearchString(this.allUsersSearchFilter), addToUsers(treeSet));
        });
        return Collections.unmodifiableSortedSet(treeSet);
    }

    @Override // org.springframework.security.core.userdetails.UserDetailsService
    public UserDetails loadUserByUsername(String str) throws UsernameNotFoundException {
        try {
            GeoServerUser userByUsername = getUserByUsername(str);
            if (userByUsername == null) {
                throw new UsernameNotFoundException(userNotFoundMessage(str));
            }
            userByUsername.setAuthorities(new RoleCalculator(this, getSecurityManager().getActiveRoleService()).calculateRoles(userByUsername));
            return userByUsername;
        } catch (IOException e) {
            throw new UsernameNotFoundException(userNotFoundMessage(str), e);
        }
    }

    protected String userNotFoundMessage(String str) {
        return "User  " + str + " not found in usergroupservice: " + getName();
    }

    @Override // org.geoserver.security.GeoServerUserGroupService
    public GeoServerUserGroup getGroupByGroupname(String str) {
        AtomicReference atomicReference = new AtomicReference();
        authenticateIfNeeded((dirContext, ldapEntryIdentification) -> {
            try {
                DirContextOperations searchForSingleEntry = LDAPUtils.getLdapTemplateInContext(dirContext, this.template).searchForSingleEntry(this.groupSearchBase, this.groupNameFilter, new String[]{str});
                if (searchForSingleEntry != null) {
                    atomicReference.set(new GeoServerUserGroup(searchForSingleEntry.getStringAttribute(this.groupNameAttribute)));
                }
            } catch (IncorrectResultSizeDataAccessException e) {
            }
        });
        return (GeoServerUserGroup) atomicReference.get();
    }

    @Override // org.geoserver.security.GeoServerUserGroupService
    public GeoServerUser getUserByUsername(String str) {
        AtomicReference atomicReference = new AtomicReference();
        authenticateIfNeeded((dirContext, ldapEntryIdentification) -> {
            try {
                DirContextOperations searchForSingleEntry = LDAPUtils.getLdapTemplateInContext(dirContext, this.template).searchForSingleEntry(this.userSearchBase, this.userNameFilter, new String[]{str});
                if (searchForSingleEntry != null) {
                    atomicReference.set(createUser(searchForSingleEntry));
                }
            } catch (IncorrectResultSizeDataAccessException e) {
            }
        });
        return (GeoServerUser) atomicReference.get();
    }

    @Override // org.geoserver.security.GeoServerUserGroupService
    public SortedSet<GeoServerUser> getUsersForGroup(GeoServerUserGroup geoServerUserGroup) {
        TreeSet treeSet = new TreeSet();
        if (this.useNestedGroups) {
            Set<GeoServerUserGroup> hashSet = new HashSet<>();
            hashSet.add(geoServerUserGroup);
            searchAllNestedChildGroups(geoServerUserGroup, hashSet, 1);
            Iterator<GeoServerUserGroup> it2 = hashSet.iterator();
            while (it2.hasNext()) {
                addUsersFromGroup(it2.next(), treeSet);
            }
        } else {
            addUsersFromGroup(geoServerUserGroup, treeSet);
        }
        return Collections.unmodifiableSortedSet(treeSet);
    }

    private void addUsersFromGroup(GeoServerUserGroup geoServerUserGroup, Set<GeoServerUser> set) {
        String groupDn = getGroupDn(geoServerUserGroup);
        authenticateIfNeeded((dirContext, ldapEntryIdentification) -> {
            Object[] objectAttributes;
            GeoServerUser userByUsername;
            try {
                DirContextOperations searchForSingleEntry = LDAPUtils.getLdapTemplateInContext(dirContext, this.template).searchForSingleEntry(this.groupSearchBase, this.groupNameFilter, new String[]{geoServerUserGroup.getGroupname(), groupDn});
                if (searchForSingleEntry != null && (objectAttributes = searchForSingleEntry.getObjectAttributes(this.groupMembershipAttribute)) != null) {
                    for (Object obj : objectAttributes) {
                        String obj2 = obj.toString();
                        Matcher matcher = this.userMembershipPattern.matcher(obj2);
                        if (matcher.matches()) {
                            obj2 = matcher.group(1);
                        }
                        String userNameFromMembership = getUserNameFromMembership(obj2);
                        if (StringUtils.isNotBlank(userNameFromMembership) && (userByUsername = getUserByUsername(userNameFromMembership)) != null) {
                            set.add(userByUsername);
                        }
                    }
                }
            } catch (IncorrectResultSizeDataAccessException e) {
            }
        });
    }

    private void searchAllNestedChildGroups(GeoServerUserGroup geoServerUserGroup, Set<GeoServerUserGroup> set, int i) {
        if (isOutOfDepthBounds(i)) {
            return;
        }
        for (GeoServerUserGroup geoServerUserGroup2 : getChildrenGroups(geoServerUserGroup)) {
            if (!set.contains(geoServerUserGroup2)) {
                set.add(geoServerUserGroup2);
                searchAllNestedChildGroups(geoServerUserGroup2, set, i + 1);
            }
        }
    }

    private Set<GeoServerUserGroup> getChildrenGroups(GeoServerUserGroup geoServerUserGroup) {
        Assert.notNull(geoServerUserGroup, "Geoserver group shouldn't be null.");
        String groupname = geoServerUserGroup.getGroupname();
        HashSet hashSet = new HashSet();
        HashSet hashSet2 = new HashSet();
        authenticateIfNeeded((dirContext, ldapEntryIdentification) -> {
            hashSet.addAll((Set) LDAPUtils.getLdapTemplateInContext(dirContext, this.template).searchForSingleAttributeValues(this.groupSearchBase, this.groupNameFilter, new String[]{groupname}, this.groupMembershipAttribute).stream().filter(this::acceptChildGroup).collect(Collectors.toSet()));
        });
        Iterator it2 = hashSet.iterator();
        while (it2.hasNext()) {
            String extractGroupCnFromDn = extractGroupCnFromDn((String) it2.next());
            if (StringUtils.isNotBlank(extractGroupCnFromDn)) {
                hashSet2.add(new GeoServerUserGroup(extractGroupCnFromDn));
            }
        }
        return hashSet2;
    }

    private boolean acceptChildGroup(String str) {
        return !this.useNestedGroups || StringUtils.containsIgnoreCase(str, this.groupSearchBase);
    }

    @Override // org.geoserver.security.GeoServerUserGroupService
    public SortedSet<GeoServerUserGroup> getGroupsForUser(GeoServerUser geoServerUser) {
        TreeSet treeSet = new TreeSet();
        authenticateIfNeeded((dirContext, ldapEntryIdentification) -> {
            Iterator<String> it2 = LDAPUtils.getLdapTemplateInContext(dirContext, this.template).searchForSingleAttributeValues(this.groupSearchBase, this.groupMembershipFilter, new String[]{geoServerUser.getUsername(), lookupDn(geoServerUser.getUsername())}, this.groupNameAttribute).iterator();
            while (it2.hasNext()) {
                treeSet.add(new GeoServerUserGroup(it2.next()));
            }
        });
        if (this.useNestedGroups) {
            Iterator it2 = new TreeSet((SortedSet) treeSet).iterator();
            while (it2.hasNext()) {
                addNestedParentGroups((GeoServerUserGroup) it2.next(), treeSet, 1);
            }
        }
        return Collections.unmodifiableSortedSet(treeSet);
    }

    private void addNestedParentGroups(GeoServerUserGroup geoServerUserGroup, Set<GeoServerUserGroup> set, int i) {
        if (isOutOfDepthBounds(i)) {
            return;
        }
        String groupDn = getGroupDn(geoServerUserGroup);
        HashSet<GeoServerUserGroup> hashSet = new HashSet();
        authenticateIfNeeded((dirContext, ldapEntryIdentification) -> {
            Iterator<String> it2 = LDAPUtils.getLdapTemplateInContext(dirContext, this.template).searchForSingleAttributeValues(this.groupSearchBase, this.groupMembershipFilter, new String[]{geoServerUserGroup.getGroupname(), groupDn}, this.groupNameAttribute).iterator();
            while (it2.hasNext()) {
                hashSet.add(new GeoServerUserGroup(it2.next()));
            }
        });
        for (GeoServerUserGroup geoServerUserGroup2 : hashSet) {
            if (!set.contains(geoServerUserGroup2)) {
                set.add(geoServerUserGroup2);
                addNestedParentGroups(geoServerUserGroup2, set, i + 1);
            }
        }
    }

    private String getGroupDn(GeoServerUserGroup geoServerUserGroup) {
        String groupname = geoServerUserGroup.getGroupname();
        MutableObject mutableObject = new MutableObject(null);
        authenticateIfNeeded((dirContext, ldapEntryIdentification) -> {
            mutableObject.setValue(LDAPUtils.getLdapTemplateInContext(dirContext, this.template).searchForSingleEntry(this.groupSearchBase, this.groupNameFilter, new String[]{groupname}).getDn().toString());
        });
        return (String) mutableObject.getValue2();
    }

    @Override // org.geoserver.security.GeoServerUserGroupService
    public int getUserCount() {
        AtomicInteger atomicInteger = new AtomicInteger(0);
        authenticateIfNeeded((dirContext, ldapEntryIdentification) -> {
            LDAPUtils.getLdapTemplateInContext(dirContext, this.template).search(this.userSearchBase, LDAPUtils.escapeSearchString(this.allUsersSearchFilter), counter(atomicInteger));
        });
        return atomicInteger.get();
    }

    @Override // org.geoserver.security.GeoServerUserGroupService
    public int getGroupCount() {
        AtomicInteger atomicInteger = new AtomicInteger(0);
        authenticateIfNeeded((dirContext, ldapEntryIdentification) -> {
            LDAPUtils.getLdapTemplateInContext(dirContext, this.template).search(this.groupSearchBase, LDAPUtils.escapeSearchString(this.allGroupsSearchFilter), counter(atomicInteger));
        });
        return atomicInteger.get();
    }

    @Override // org.geoserver.security.GeoServerUserGroupService
    public SortedSet<GeoServerUser> getUsersHavingProperty(String str) {
        TreeSet treeSet = new TreeSet();
        authenticateIfNeeded((dirContext, ldapEntryIdentification) -> {
            LDAPUtils.getLdapTemplateInContext(dirContext, this.template).search(this.userSearchBase, str + "=*", addToUsers(treeSet));
        });
        return treeSet;
    }

    @Override // org.geoserver.security.GeoServerUserGroupService
    public int getUserCountHavingProperty(String str) {
        AtomicInteger atomicInteger = new AtomicInteger(0);
        authenticateIfNeeded((dirContext, ldapEntryIdentification) -> {
            LDAPUtils.getLdapTemplateInContext(dirContext, this.template).search(this.userSearchBase, str + "=*", counter(atomicInteger));
        });
        return atomicInteger.get();
    }

    @Override // org.geoserver.security.GeoServerUserGroupService
    public SortedSet<GeoServerUser> getUsersNotHavingProperty(String str) {
        TreeSet treeSet = new TreeSet();
        authenticateIfNeeded((dirContext, ldapEntryIdentification) -> {
            LDAPUtils.getLdapTemplateInContext(dirContext, this.template).search(this.userSearchBase, "(&(!(" + str + "=*))(" + LDAPUtils.escapeSearchString(this.allUsersSearchFilter) + "))", addToUsers(treeSet));
        });
        return treeSet;
    }

    @Override // org.geoserver.security.GeoServerUserGroupService
    public int getUserCountNotHavingProperty(String str) {
        AtomicInteger atomicInteger = new AtomicInteger(0);
        authenticateIfNeeded((dirContext, ldapEntryIdentification) -> {
            LDAPUtils.getLdapTemplateInContext(dirContext, this.template).search(this.userSearchBase, "(&(!(" + str + "=*))(" + LDAPUtils.escapeSearchString(this.allUsersSearchFilter) + "))", counter(atomicInteger));
        });
        return atomicInteger.get();
    }

    @Override // org.geoserver.security.GeoServerUserGroupService
    public SortedSet<GeoServerUser> getUsersHavingPropertyValue(String str, String str2) throws IOException {
        TreeSet treeSet = new TreeSet();
        authenticateIfNeeded((dirContext, ldapEntryIdentification) -> {
            LDAPUtils.getLdapTemplateInContext(dirContext, this.template).search(this.userSearchBase, str + "=" + LDAPUtils.escapeSearchString(str2), addToUsers(treeSet));
        });
        return treeSet;
    }

    @Override // org.geoserver.security.GeoServerUserGroupService
    public int getUserCountHavingPropertyValue(String str, String str2) throws IOException {
        AtomicInteger atomicInteger = new AtomicInteger(0);
        authenticateIfNeeded((dirContext, ldapEntryIdentification) -> {
            LDAPUtils.getLdapTemplateInContext(dirContext, this.template).search(this.userSearchBase, str + "=" + LDAPUtils.escapeSearchString(str2), counter(atomicInteger));
        });
        return atomicInteger.get();
    }
}
