package org.geoserver.security.ldap;

import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.function.Consumer;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.naming.Name;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import org.apache.commons.lang3.tuple.Pair;
import org.geotools.util.logging.Logging;
import org.springframework.ldap.core.ContextSource;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.support.AbstractContextMapper;
import org.springframework.ldap.support.LdapUtils;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.ldap.SpringSecurityLdapTemplate;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
import org.springframework.util.Assert;

/* loaded from: input_file:WEB-INF/lib/gs-sec-ldap-2.25.3.jar:org/geoserver/security/ldap/BindingLdapAuthoritiesPopulator.class */
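/**
 * Resolves the granted authorities of an LDAP user from the group entries that match a
 * configurable search filter, optionally following nested parent groups.
 *
 * <p>When a password is passed to
 * {@link #getGrantedAuthorities(DirContextOperations, String, String)}, every directory lookup runs
 * inside the callback of {@code ldapTemplate.authenticate(...)} called with the user's DN and that
 * password (presumably a context bound as the user; {@code BindingLdapTemplate} is not visible
 * here, so confirm). Without a password the lookups receive a {@code null} context.
 *
 * <p>NOTE(review): {@code defaultRole} is read in this class but nothing shown here assigns it.
 */
public class BindingLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator {
    private static final Logger logger = Logging.getLogger((Class<?>) BindingLdapAuthoritiesPopulator.class);
    private GrantedAuthority defaultRole;
    private final SpringSecurityLdapTemplate ldapTemplate;
    private String groupSearchBase;
    private final SearchControls searchControls = new SearchControls();
    private String groupRoleAttribute = "cn";
    private String groupSearchFilter = "(member={0})";
    private String rolePrefix = LDAPBaseSecurityServiceConfig.ROLE_PREFIX_DEFAULT;
    private boolean convertToUpperCase = true;
    private boolean useNestedParentGroups = false;
    private int maxGroupSearchLevel = 10;
    private String nestedGroupSearchFilter = "(member={0})";

    /**
     * Creates a populator that searches groups below the given base.
     *
     * @param contextSource source of LDAP contexts; must not be null
     * @param str the group search base; {@code null} disables the group search, an empty string
     *     searches from the context source base
     * @throws IllegalArgumentException if {@code contextSource} is null
     */
    public BindingLdapAuthoritiesPopulator(ContextSource contextSource, String str) {
        Assert.notNull(contextSource, "contextSource must not be null");
        this.ldapTemplate = new BindingLdapTemplate(contextSource);
        this.ldapTemplate.setSearchControls(this.searchControls);
        this.groupSearchBase = str;
        if (str == null) {
            logger.info("groupSearchBase is null. No group search will be performed.");
        } else if (str.isEmpty()) {
            logger.info("groupSearchBase is empty. Searches will be performed from the context source base");
        }
    }

    /**
     * Extension point for subclasses that want to contribute authorities beyond group membership.
     *
     * @param dirContext the context the lookups run in; {@code null} when no password was supplied
     * @param dirContextOperations the user's directory entry
     * @param str the username
     * @return extra authorities, or {@code null} for none (this default returns {@code null})
     */
    protected Set<GrantedAuthority> getAdditionalRoles(DirContext dirContext, DirContextOperations dirContextOperations, String str) {
        return null;
    }

    /**
     * Resolves the user's authorities without a password, i.e. with a {@code null} lookup context.
     *
     * @param dirContextOperations the user's directory entry
     * @param str the username
     * @return the authorities found; never {@code null}
     */
    @Override
    public final Collection<GrantedAuthority> getGrantedAuthorities(DirContextOperations dirContextOperations, String str) {
        return getGrantedAuthorities(dirContextOperations, str, null);
    }

    /**
     * Resolves the user's authorities, running the lookups through
     * {@code ldapTemplate.authenticate(...)} when a password is given.
     *
     * @param dirContextOperations the user's directory entry
     * @param str the username
     * @param str2 the user's password, or {@code null} to search with a {@code null} context
     * @return the authorities found; never {@code null}
     */
    public final Collection<GrantedAuthority> getGrantedAuthorities(DirContextOperations dirContextOperations, String str, String str2) {
        final String userDn = dirContextOperations.getNameInNamespace();
        if (logger.isLoggable(Level.FINE)) {
            logger.fine("Getting authorities for user " + userDn);
        }
        final List<GrantedAuthority> authorities = new ArrayList<>();
        if (str2 != null) {
            // Each lookup re-runs authenticate() so that it executes in its own callback context.
            final Consumer<Consumer<DirContext>> contextRunner = action ->
                    this.ldapTemplate.authenticate((Name) LdapUtils.emptyLdapName(), userDn, str2,
                            (dirContext, ldapEntryIdentification) -> action.accept(dirContext));
            // NOTE(review): the boolean result of authenticate() is discarded, so a failed
            // authentication presumably ends in an empty authority list rather than an error;
            // confirm against BindingLdapTemplate.
            this.ldapTemplate.authenticate((Name) LdapUtils.emptyLdapName(), userDn, str2,
                    (dirContext, ldapEntryIdentification) ->
                            getAllRoles(dirContextOperations, userDn, authorities, str, contextRunner));
        } else {
            getAllRoles(dirContextOperations, userDn, authorities, str, action -> action.accept(null));
        }
        return authorities;
    }

    /**
     * Searches the group entries matching {@code groupSearchFilter} and maps them to authorities,
     * following nested parent groups when that option is enabled.
     *
     * @param consumer runs a directory action inside the lookup context
     * @param str the user's DN, substituted for {@code {0}} in the filter
     * @param str2 the username, substituted for {@code {1}} in the filter
     * @return the authorities found; empty when the group search base is {@code null}
     */
    public Set<GrantedAuthority> getGroupMembershipRoles(Consumer<Consumer<DirContext>> consumer, String str, String str2) {
        if (getGroupSearchBase() == null) {
            return new HashSet<>();
        }
        final Set<GrantedAuthority> authorities = new HashSet<>();
        if (logger.isLoggable(Level.FINE)) {
            // NOTE(review): the username is written to the log unescaped; if it is caller-supplied,
            // CR/LF should be neutralised by the log formatter.
            logger.fine("Searching for roles for user '" + str2 + "', DN = '" + str + "', with filter " + this.groupSearchFilter + " in search base '" + getGroupSearchBase() + "'");
        }
        final List<Pair<String, String>> groups = searchGroups(consumer, this.groupSearchFilter, str, str2);
        if (logger.isLoggable(Level.FINE)) {
            logger.fine("Roles from search: " + groups);
        }
        for (Pair<String, String> group : groups) {
            final String groupName = group.getLeft();
            if (groupName == null) {
                // The entry lacks groupRoleAttribute; it used to fail on toUpperCase() or yield an
                // authority ending in "null", so it is skipped instead.
                logger.fine("Skipping group without role attribute, DN = '" + group.getRight() + "'");
                continue;
            }
            authorities.add(toAuthority(groupName));
            if (this.useNestedParentGroups) {
                searchNestedGroupMembershipRoles(consumer, group.getRight(), groupName, authorities, this.maxGroupSearchLevel - 1);
            }
        }
        return authorities;
    }

    /**
     * Adds the authorities of the groups matching {@code nestedGroupSearchFilter} for the given
     * group, recursing into each newly added group while depth remains.
     *
     * @param contextRunner runs a directory action inside the lookup context
     * @param groupDn DN of the group whose parents are searched ({@code {0}} in the filter)
     * @param groupName role attribute value of that group ({@code {1}} in the filter)
     * @param authorities accumulator shared by the whole traversal
     * @param remainingDepth levels left; ignored when {@code maxGroupSearchLevel} is -1
     */
    private void searchNestedGroupMembershipRoles(Consumer<Consumer<DirContext>> contextRunner, String groupDn, String groupName, Set<GrantedAuthority> authorities, int remainingDepth) {
        if (logger.isLoggable(Level.FINE)) {
            logger.fine("Searching for roles for nested group '" + groupName + "', DN = '" + groupDn + "', with filter " + this.nestedGroupSearchFilter + " in search base '" + getGroupSearchBase() + "'");
        }
        final List<Pair<String, String>> parents = searchGroups(contextRunner, this.nestedGroupSearchFilter, groupDn, groupName);
        if (logger.isLoggable(Level.FINE)) {
            logger.fine("Roles from search: " + parents);
        }
        final boolean mayDescend = this.maxGroupSearchLevel == -1 || remainingDepth > 0;
        for (Pair<String, String> parent : parents) {
            final String parentName = parent.getLeft();
            if (parentName == null) {
                // Same handling as for direct groups: no role attribute, no authority.
                logger.fine("Skipping group without role attribute, DN = '" + parent.getRight() + "'");
                continue;
            }
            final boolean newlyAdded = authorities.add(toAuthority(parentName));
            // Recursing only into newly added authorities is what ends the traversal on cyclic
            // memberships when the depth is unlimited (-1).
            if (mayDescend && newlyAdded) {
                searchNestedGroupMembershipRoles(contextRunner, parent.getRight(), parentName, authorities, remainingDepth - 1);
            }
        }
    }

    /**
     * Runs one group search and returns (role attribute value, entry DN) pairs.
     *
     * <p>NOTE(review): the two arguments are substituted into the filter first and
     * {@code LDAPUtils.escapeSearchString} is applied to the whole result. That helper is not
     * visible here; confirm it neutralises LDAP filter metacharacters coming from the username or
     * DN, or encode each argument before formatting (Spring LDAP offers
     * {@code LdapEncoder.filterEncode}).
     */
    private List<Pair<String, String>> searchGroups(Consumer<Consumer<DirContext>> contextRunner, String filterTemplate, String dn, String name) {
        final List<Pair<String, String>> matches = new ArrayList<>();
        contextRunner.accept(dirContext -> matches.addAll(
                LDAPUtils.getLdapTemplateInContext(dirContext, this.ldapTemplate).search(
                        getGroupSearchBase(),
                        LDAPUtils.escapeSearchString(MessageFormat.format(filterTemplate, dn, name)),
                        groupMapper())));
        return matches;
    }

    /** Maps a group entry to its role attribute value (left) and its DN (right). */
    private AbstractContextMapper<Pair<String, String>> groupMapper() {
        return new AbstractContextMapper<Pair<String, String>>() {
            @Override
            protected Pair<String, String> doMapFromContext(DirContextOperations entry) {
                return Pair.of(entry.getStringAttribute(BindingLdapAuthoritiesPopulator.this.groupRoleAttribute), entry.getNameInNamespace());
            }
        };
    }

    /** Builds the authority for a group name, applying the upper-case option and the role prefix. */
    private GrantedAuthority toAuthority(String groupName) {
        // NOTE(review): toUpperCase() uses the JVM default locale, so role names can differ between
        // hosts (e.g. Turkish dotted I); kept as is to avoid renaming roles of existing setups.
        final String roleName = this.convertToUpperCase ? groupName.toUpperCase() : groupName;
        return new SimpleGrantedAuthority(this.rolePrefix + roleName);
    }

    /** @return the context source of the underlying LDAP template */
    protected ContextSource getContextSource() {
        return this.ldapTemplate.getContextSource();
    }

    /** @return the group search base; {@code null} means no group search is performed */
    protected String getGroupSearchBase() {
        return this.groupSearchBase;
    }

    /**
     * Sets the group attribute whose value becomes the role name.
     *
     * @param str attribute name; must not be null
     */
    public void setGroupRoleAttribute(String str) {
        Assert.notNull(str, "groupRoleAttribute must not be null");
        this.groupRoleAttribute = str;
    }

    /**
     * Sets the filter for the direct group search; {@code {0}} is the user DN, {@code {1}} the
     * username.
     *
     * @param str filter pattern; must not be null
     */
    public void setGroupSearchFilter(String str) {
        Assert.notNull(str, "groupSearchFilter must not be null");
        this.groupSearchFilter = str;
    }

    /**
     * Selects the search scope of the group searches.
     *
     * @param z {@code true} for subtree scope, {@code false} for one-level scope
     */
    public void setSearchSubtree(boolean z) {
        this.searchControls.setSearchScope(z ? SearchControls.SUBTREE_SCOPE : SearchControls.ONELEVEL_SCOPE);
    }

    /** Forwards the flag to the underlying LDAP template. */
    public void setIgnorePartialResultException(boolean z) {
        this.ldapTemplate.setIgnorePartialResultException(z);
    }

    /**
     * Collects group, additional and default authorities into {@code result}.
     *
     * @param user the user's directory entry
     * @param userDn the user's DN
     * @param result list that receives the authorities
     * @param username the username
     * @param contextRunner runs a directory action inside the lookup context
     */
    private void getAllRoles(DirContextOperations user, String userDn, List<GrantedAuthority> result, String username, Consumer<Consumer<DirContext>> contextRunner) {
        final Set<GrantedAuthority> roles = getGroupMembershipRoles(contextRunner, userDn, username);
        final Set<GrantedAuthority> extraRoles = new HashSet<>();
        contextRunner.accept(dirContext -> {
            // getAdditionalRoles() returns null by default; passing that to addAll() would throw
            // a NullPointerException.
            final Set<GrantedAuthority> additional = getAdditionalRoles(dirContext, user, username);
            if (additional != null) {
                extraRoles.addAll(additional);
            }
        });
        roles.addAll(extraRoles);
        if (this.defaultRole != null) {
            roles.add(this.defaultRole);
        }
        result.addAll(roles);
    }

    /** Enables or disables the search for nested parent groups. */
    public void setUseNestedParentGroups(boolean z) {
        this.useNestedParentGroups = z;
    }

    /**
     * Sets the depth limit of the nested group search.
     *
     * @param i maximum number of levels; -1 removes the limit
     */
    public void setMaxGroupSearchLevel(int i) {
        this.maxGroupSearchLevel = i;
    }

    /**
     * Sets the filter for the nested group search; {@code {0}} is the group DN, {@code {1}} the
     * group name.
     *
     * <p>NOTE(review): unlike {@link #setGroupSearchFilter(String)} no null check is made; a null
     * filter would only fail later, inside the nested search.
     */
    public void setNestedGroupSearchFilter(String str) {
        this.nestedGroupSearchFilter = str;
    }
}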
