package com.terracotta.management.security.shiro.realm;

import java.net.ConnectException;
import java.net.MalformedURLException;
import java.net.UnknownHostException;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.Set;
import javax.naming.AuthenticationException;
import javax.naming.InvalidNameException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.ServiceUnavailableException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;

/* loaded from: input_file:WEB-INF/classes/com/terracotta/management/security/shiro/realm/LdapConfigurationChecker.class */
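/**
 * Start-up sanity check for the LDAP / Active Directory realm configuration: binds to the
 * directory with the configured system account and verifies that the configured groups and the
 * group-matching attribute can actually be resolved, turning every failure into an
 * {@link LdapConfigurationException} with a human-readable hint.
 *
 * <p>All inputs are configuration values (presumably supplied by an administrator). Values that
 * end up in LDAP search filters are passed as JNDI filter arguments so that filter metacharacters
 * are escaped; values substituted into DN templates are NOT escaped (see
 * {@link #getDnSystemUsername(String, String)}).
 */
public class LdapConfigurationChecker {

    /**
     * Filter used to look a group up by CN when no user DN template is configured. {@code {0}} is
     * filled in by JNDI, which escapes filter metacharacters ({@code * ( ) \ NUL}) in the value.
     */
    private static final String GROUP_BY_CN_FILTER = "(&(objectClass=*)(CN={0}))";

    /** Placeholder that the user and group DN templates use for the name being substituted. */
    private static final String PLACEHOLDER = "{0}";

    private static final String KEYCHAIN_MESSAGE = "Impossible to retrieve systemUsername password from the keychain : ";

    private static final String GROUP_NOT_FOUND_MESSAGE = "We could not find the specified group in the directory : ";

    /**
     * Connects to the directory and verifies the group configuration against it.
     *
     * <p>Which checks run depends on the configuration:
     * <ul>
     *   <li>no {@code userDnTemplate}: every group of both sets is looked up by CN below
     *       {@code searchBase};</li>
     *   <li>{@code staticGroupMatching}: every group is looked up by the RDN attribute of
     *       {@code groupDnTemplate}, then the first group of {@code groupSetB} is read to confirm
     *       that it carries {@code groupMatchingAttribute};</li>
     *   <li>otherwise (and only when a system user is configured): the system user's entry is
     *       searched below {@code searchBase} and must carry {@code groupMatchingAttribute}.</li>
     * </ul>
     * The directory context opened for the check is always closed before returning.
     *
     * @param url                    LDAP provider URL; an {@code ldaps} scheme (case-sensitive match)
     *                               selects the TMS trust-store SSL socket factory
     * @param searchBase             name below which group and user searches run (subtree scope)
     * @param systemUsername         account used for the simple bind, or {@code null} to set no
     *                               credentials at all (anonymous bind)
     * @param groupSetA              group names that must exist in the directory ({@code null} = none)
     * @param groupSetB              group names that must exist; its first entry is the one probed
     *                               for the attribute in the static check ({@code null} = none)
     * @param userDnTemplate         DN template containing {@code {0}} for the username, or
     *                               {@code null} when usernames are not mapped to DNs
     * @param groupDnTemplate        DN template of the form {@code rdnAttr={0},...} for group names
     * @param groupMatchingAttribute attribute expected to link users and groups
     * @param staticGroupMatching    {@code true} to check the group-side attribute, {@code false}
     *                               to check the user-side attribute
     * @throws LdapConfigurationException if the URL, connection, bind, a group lookup, a template
     *                                    or the attribute check fails
     */
    public static void connectAndCheckConfiguration(String url, String searchBase, String systemUsername,
            Set<String> groupSetA, Set<String> groupSetB, String userDnTemplate, String groupDnTemplate,
            String groupMatchingAttribute, boolean staticGroupMatching) throws LdapConfigurationException {
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put("java.naming.security.authentication", "simple");
        env.put("java.naming.provider.url", url);
        env.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        // NOTE(review): referral chasing is enabled. With simple authentication JNDI re-binds to
        // whichever server a referral names using the same credentials -- confirm that is
        // acceptable, since a referral can point at a host (or a plain ldap:// URL) the
        // administrator never configured.
        env.put("java.naming.referral", "follow");

        boolean noUserDnTemplate = userDnTemplate == null;
        // The principal actually bound with: the plain username, or the DN built from the template.
        String principal = systemUsername;
        if (systemUsername != null) {
            TMCJndiLdapContextFactory factory = new TMCJndiLdapContextFactory();
            factory.setSimpleSystemUsername(systemUsername);
            if (!noUserDnTemplate) {
                principal = getDnSystemUsername(userDnTemplate, systemUsername);
            }
            factory.setSystemUsername(principal);
            factory.setUrl(url);
            Object password;
            try {
                password = factory.getSystemPassword();
            } catch (NullPointerException e) {
                // The factory itself fails with an NPE when the keychain has no entry for this alias.
                throw missingPassword(factory, url, principal, e);
            }
            if (password == null) {
                // A null password would otherwise only surface as an NPE from Hashtable.put.
                throw missingPassword(factory, url, principal, null);
            }
            env.put("java.naming.security.credentials", password);
            env.put("java.naming.security.principal", principal);
        }
        if (url.startsWith("ldaps")) {
            // Route TLS connections through the socket factory backed by the TMS trust store.
            env.put("java.naming.ldap.factory.socket", "com.terracotta.management.security.impl.CustomTrustStoreSSLSocketFactory");
        }

        InitialLdapContext ctx = null;
        try {
            ctx = new InitialLdapContext(env, (Control[]) null);
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            Set<String> allGroups = union(groupSetA, groupSetB);
            if (noUserDnTemplate) {
                for (String group : allGroups) {
                    checkGroupExists(searchBase, ctx, controls, GROUP_BY_CN_FILTER, group);
                }
            } else if (staticGroupMatching) {
                // Search on the group template's RDN attribute; the group name is a filter argument
                // so that names containing filter metacharacters are escaped rather than parsed.
                String groupFilter = rdnAttribute(groupDnTemplate) + "=" + PLACEHOLDER;
                for (String group : allGroups) {
                    checkGroupExists(searchBase, ctx, controls, groupFilter, group);
                }
                String probedGroup = firstOf(groupSetB);
                if (probedGroup == null) {
                    throw new LdapConfigurationException("No group is configured, impossible to verify the groupMatching attribute : " + groupMatchingAttribute);
                }
                if (!verifyStaticGroupAttributeMatchingIsValid(ctx, groupMatchingAttribute, probedGroup, groupDnTemplate)) {
                    throw new LdapConfigurationException("Impossible to find the groupMatching attribute : " + groupMatchingAttribute + " in the group named : " + probedGroup + " . Are you sure you want to use staticGroupMatching ?");
                }
            } else if (principal != null
                    && !verifyDynamicGroupAttributeMatchingIsValid(ctx, searchBase, userDnTemplate, principal, groupMatchingAttribute)) {
                throw new LdapConfigurationException("Impossible to find the groupMatching attribute : " + groupMatchingAttribute + " in the user entry named : " + principal + " . Are you sure you want to use dynamicGroupMatching ?");
            }
        } catch (NamingException e) {
            throw toConfigurationException(e, url, principal);
        } finally {
            closeQuietly(ctx);
        }
    }

    /** Builds the "password not in keychain" error; the alias is only computed on this failure path. */
    private static LdapConfigurationException missingPassword(TMCJndiLdapContextFactory factory, String url,
            String principal, NullPointerException cause) {
        String message = KEYCHAIN_MESSAGE + factory.getAliasFromSystemUsernameAndUrl(url, principal);
        return cause == null ? new LdapConfigurationException(message) : new LdapConfigurationException(message, cause);
    }

    /**
     * Maps a JNDI failure to the configuration error a user can act on. Transport problems are
     * recognised from the root cause, directory-level problems from the exception type itself.
     */
    private static LdapConfigurationException toConfigurationException(NamingException e, String url, String principal) {
        Throwable root = e.getRootCause();
        if (root instanceof UnknownHostException) {
            return new LdapConfigurationException("The host provided in the Ldap URL is not reachable : " + url, e);
        }
        if (root instanceof MalformedURLException) {
            return new LdapConfigurationException("The provided Ldap URL is not valid : " + url, e);
        }
        if (root instanceof ConnectException) {
            return new LdapConfigurationException("The connection was refused : " + url, e);
        }
        if (root instanceof SSLHandshakeException) {
            // NOTE(review): this hint advertises -Dtc.ssl.trustAllCerts=true, which disables server
            // certificate validation entirely; importing the server certificate into the TMS trust
            // store is the fix to recommend, the flag is for troubleshooting only.
            return new LdapConfigurationException("You can not connect to the secured Ldap server at  : " + url + " because you did not import its certificate to your tms-trustore, or you did not ignore certificate errors using -Dtc.ssl.trustAllCerts=true when launching the TMS.", e);
        }
        if (root instanceof SSLException) {
            return new LdapConfigurationException("The connection was refused, please check your Ldap server accepts SSL connections : " + url, e);
        }
        if (e instanceof ServiceUnavailableException) {
            return new LdapConfigurationException("The host provided in the Ldap URL does not accept non secured (ldap, not ldaps) connections : " + url, e);
        }
        if (e instanceof AuthenticationException) {
            return new LdapConfigurationException("Cannot authenticate user (did you add your systemUsername password to the keychain ?), please check your systemUsername credentials : " + principal, e);
        }
        if (e instanceof InvalidNameException) {
            return new LdapConfigurationException("Invalid username : " + principal, e);
        }
        return new LdapConfigurationException("Your LDAP / Active Directory configuration is not valid, please review your configuration, this information might help you : ", e);
    }

    /**
     * Searches {@code searchBase} with {@code filterExpr}, binding {@code groupName} to {@code {0}},
     * and fails when nothing matches.
     *
     * @throws LdapConfigurationException if the search returns no entry
     * @throws NamingException            if the search itself fails
     */
    private static void checkGroupExists(String searchBase, DirContext ctx, SearchControls controls,
            String filterExpr, String groupName) throws NamingException, LdapConfigurationException {
        NamingEnumeration<SearchResult> results = ctx.search(searchBase, filterExpr, new Object[]{groupName}, controls);
        try {
            if (!results.hasMoreElements()) {
                throw new LdapConfigurationException(GROUP_NOT_FOUND_MESSAGE + groupName);
            }
        } finally {
            closeQuietly(results);
        }
    }

    /**
     * Substitutes {@code str2} for every {@code {0}} in the DN template {@code str}.
     *
     * <p>No RFC 4514 escaping is applied: a username containing DN metacharacters
     * ({@code , + " \ < > ; = #}) yields a DN that the directory will reject or misparse.
     *
     * @param str  DN template, e.g. {@code uid={0},ou=people,dc=example,dc=com}
     * @param str2 value to substitute
     * @return the template with the placeholder replaced
     */
    public static String getDnSystemUsername(String str, String str2) {
        return str.replace(PLACEHOLDER, str2);
    }

    /**
     * Reads the group entry named by {@code groupDnTemplate} with {@code groupName} substituted and
     * reports whether any of its attributes has exactly the id {@code attributeId}.
     */
    private static boolean verifyStaticGroupAttributeMatchingIsValid(DirContext ctx, String attributeId,
            String groupName, String groupDnTemplate) throws NamingException {
        NamingEnumeration<? extends Attribute> attrs = ctx.getAttributes(groupDnTemplate.replace(PLACEHOLDER, groupName)).getAll();
        try {
            while (attrs.hasMore()) {
                // NOTE(review): case-sensitive here, while the dynamic check below ignores case;
                // LDAP attribute types are case-insensitive, so a "memberof"/"memberOf" mismatch is
                // rejected by this branch only. Kept as-is until the realm's own comparison is known.
                if (attrs.next().getID().equals(attributeId)) {
                    return true;
                }
            }
            return false;
        } finally {
            closeQuietly(attrs);
        }
    }

    /**
     * Searches below {@code searchBase} for the entry whose RDN attribute (the part of
     * {@code userDnTemplate} before {@code {0}}) equals {@code principal} and reports whether that
     * entry carries an attribute whose id equals {@code attributeId} ignoring case.
     *
     * <p>NOTE(review): the caller passes the principal in DN form (the template has already been
     * applied), so the resulting filter is {@code rdnAttr=<full DN>} -- confirm this is the
     * intended lookup rather than a latent bug inherited from the original code.
     */
    private static boolean verifyDynamicGroupAttributeMatchingIsValid(DirContext ctx, String searchBase,
            String userDnTemplate, String principal, String attributeId)
            throws NamingException, LdapConfigurationException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        // The principal is a filter argument so that JNDI escapes filter metacharacters in it.
        String filterExpr = getUserDnPrefix(userDnTemplate) + PLACEHOLDER;
        NamingEnumeration<SearchResult> results = ctx.search(searchBase, filterExpr, new Object[]{principal}, controls);
        try {
            while (results.hasMoreElements()) {
                Attributes attributes = results.next().getAttributes();
                if (attributes == null) {
                    continue;
                }
                NamingEnumeration<? extends Attribute> attrs = attributes.getAll();
                try {
                    while (attrs.hasMore()) {
                        if (attrs.next().getID().equalsIgnoreCase(attributeId)) {
                            return true;
                        }
                    }
                } finally {
                    closeQuietly(attrs);
                }
            }
            return false;
        } finally {
            closeQuietly(results);
        }
    }

    /**
     * Returns the part of a user DN template that precedes {@code {0}}, e.g. {@code "uid="}.
     *
     * @throws LdapConfigurationException if the template is missing or has no placeholder (the
     *                                    original code failed with a StringIndexOutOfBoundsException)
     */
    private static String getUserDnPrefix(String userDnTemplate) throws LdapConfigurationException {
        int at = userDnTemplate == null ? -1 : userDnTemplate.indexOf(PLACEHOLDER);
        if (at < 0) {
            throw new LdapConfigurationException("The userDnTemplate must contain the " + PLACEHOLDER + " placeholder : " + userDnTemplate);
        }
        return userDnTemplate.substring(0, at);
    }

    /**
     * Returns the attribute name of a group DN template's first RDN, e.g. {@code "cn"} for
     * {@code "cn={0},ou=groups,dc=example,dc=com"}.
     *
     * @throws LdapConfigurationException if the template is missing or contains no {@code =}
     */
    private static String rdnAttribute(String groupDnTemplate) throws LdapConfigurationException {
        int at = groupDnTemplate == null ? -1 : groupDnTemplate.indexOf("=");
        if (at < 0) {
            throw new LdapConfigurationException("The groupDnTemplate must be of the form attribute=" + PLACEHOLDER + ",... : " + groupDnTemplate);
        }
        return groupDnTemplate.substring(0, at);
    }

    /** Union of two possibly-null group sets; a null set contributes nothing. */
    private static Set<String> union(Set<String> a, Set<String> b) {
        Set<String> all = new HashSet<String>();
        if (a != null) {
            all.addAll(a);
        }
        if (b != null) {
            all.addAll(b);
        }
        return all;
    }

    /** First element in the set's iteration order, or {@code null} when there is none. */
    private static String firstOf(Set<String> set) {
        if (set == null || set.isEmpty()) {
            return null;
        }
        return set.iterator().next();
    }

    /** Closes the context if one was opened; close failures are ignored (best-effort cleanup). */
    private static void closeQuietly(InitialLdapContext ctx) {
        if (ctx == null) {
            return;
        }
        try {
            ctx.close();
        } catch (NamingException ignored) {
            // nothing useful to do once the check itself has completed or failed
        }
    }

    /** Releases a search/attribute enumeration; close failures are ignored (best-effort cleanup). */
    private static void closeQuietly(NamingEnumeration<?> enumeration) {
        if (enumeration == null) {
            return;
        }
        try {
            enumeration.close();
        } catch (NamingException ignored) {
            // nothing useful to do once the result has been consumed
        }
    }
}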
