package com.terracotta.management.security.shiro.realm;

import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.naming.NameNotFoundException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapContext;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.ldap.JndiLdapRealm;
import org.apache.shiro.realm.ldap.LdapContextFactory;
import org.apache.shiro.realm.ldap.LdapUtils;
import org.apache.shiro.subject.PrincipalCollection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  input_file:rest-management-private-classpath/com/terracotta/management/security/shiro/realm/LdapRealm.class_terracotta
 */
/* loaded from: input_file:ehcache/ehcache-ee-2.10.2.2.15.jar/rest-management-private-classpath/com/terracotta/management/security/shiro/realm/LdapRealm.class_terracotta */
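/**
 * Shiro LDAP realm that resolves the roles of an authenticated principal from
 * directory group membership.
 *
 * Authorization data is looked up with the realm's <em>system</em> account
 * (see {@link #queryForAuthorizationInfo}); the user's own credentials are only
 * used by the inherited authentication path. Two membership strategies exist:
 * <ul>
 *   <li><b>dynamic</b> ({@code dynamicGroupConfiguration=true}): the user entry
 *       is searched below {@code searchBase} and the group names found in its
 *       {@code groupAttributeMatching} attribute are mapped to roles through
 *       {@code groupRolesMap};</li>
 *   <li><b>static</b> (default): every configured group DN (built from
 *       {@code groupDnTemplate}), plus any entry below it that carries the
 *       member attribute, is read and the user's DN is looked for among its
 *       member values.</li>
 * </ul>
 * Roles are only ever granted through the administrator-supplied
 * {@code groupRolesMap}; nothing read from the directory becomes a role name
 * directly.
 */
public class LdapRealm extends JndiLdapRealm {
    private static final String GROUPDN_SUBSTITUTION_TOKEN = "{0}";
    private static final Logger log = LoggerFactory.getLogger(LdapRealm.class);
    private static final String OPERATOR = "operator";
    private static final String ADMIN = "admin";
    /** Name of the attribute that holds group membership (user side in dynamic mode, group side in static mode). */
    private String groupAttributeMatching;
    private boolean dynamicGroupConfiguration;
    /** Group DN template; {@code {0}} is replaced by the groupRolesMap key (static mode only). */
    private String groupDnTemplate;
    protected static final String ROLE_NAMES_DELIMETER = ",";
    /** Group name (dynamic mode) or group key (static mode) to granted role names. */
    protected Map<String, Set<String>> groupRolesMap;
    /** Search base for locating the user entry (dynamic mode only). */
    protected String searchBase;

    /**
     * Builds the authorization info for the given principal by querying the
     * directory with the system account.
     *
     * @param principalCollection principals of the already-authenticated subject;
     *        the available principal is expected to be the login name
     * @param ldapContextFactory factory providing the system (service account) context
     * @return role names resolved for the principal, never {@code null}
     * @throws NamingException if the directory lookup fails
     */
    @Override // org.apache.shiro.realm.ldap.JndiLdapRealm
    protected AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection principalCollection, LdapContextFactory ldapContextFactory) throws NamingException {
        String username = (String) getAvailablePrincipal(principalCollection);
        LdapContext systemLdapContext = ldapContextFactory.getSystemLdapContext();
        try {
            return buildAuthorizationInfo(getRoleNamesForUser(username, systemLdapContext));
        } finally {
            // Always release the pooled system context, whatever the lookup did.
            LdapUtils.closeContext(systemLdapContext);
        }
    }

    /**
     * Wraps the resolved role names; no permissions are attached.
     *
     * @param roleNames roles resolved from group membership
     * @return authorization info carrying exactly those roles
     */
    protected AuthorizationInfo buildAuthorizationInfo(Set<String> roleNames) {
        return new SimpleAuthorizationInfo(roleNames);
    }

    /**
     * Resolves the roles of {@code username} using the configured membership strategy.
     *
     * @param username login name of the subject (the available principal)
     * @param ldapContext system context used for the lookups
     * @return role names in first-seen order; empty when no group matches
     * @throws NamingException on directory errors other than a missing configured group
     */
    protected Set<String> getRoleNamesForUser(String username, LdapContext ldapContext) throws NamingException {
        Set<String> roleNames = new LinkedHashSet<String>();
        if (this.dynamicGroupConfiguration) {
            collectRolesFromUserEntries(username, ldapContext, roleNames);
        } else {
            collectRolesFromGroupEntries(username, ldapContext, roleNames);
        }
        return roleNames;
    }

    /**
     * Dynamic mode: finds the user's entries below {@code searchBase} and maps the
     * group names found in their member attribute to roles.
     *
     * Every entry matching the filter contributes, so the result is the union of
     * the groups of all matching entries; the configured user-DN prefix attribute
     * should therefore be unique within the search base.
     */
    private void collectRolesFromUserEntries(String username, LdapContext ldapContext, Set<String> roleNames) throws NamingException {
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        // The principal is supplied as a filter argument ({0}) rather than concatenated,
        // so JNDI escapes filter metacharacters and the user cannot reshape the filter.
        String filter = "(&(objectClass=*)(" + getUserDnPrefix() + "{0}))";
        NamingEnumeration<SearchResult> results = ldapContext.search(this.searchBase, filter, new Object[]{username}, searchControls);
        try {
            while (results.hasMoreElements()) {
                SearchResult result = results.next();
                if (log.isDebugEnabled()) {
                    log.debug("Retrieving group names for user [" + result.getName() + "]");
                }
                Attributes attributes = result.getAttributes();
                if (attributes == null) {
                    continue;
                }
                NamingEnumeration<? extends Attribute> attributeEnumeration = attributes.getAll();
                try {
                    while (attributeEnumeration.hasMore()) {
                        Attribute attribute = attributeEnumeration.next();
                        if (!isAMemberAttribute(attribute)) {
                            continue;
                        }
                        Collection<String> groupNames = LdapUtils.getAllAttributeValues(attribute);
                        if (log.isDebugEnabled()) {
                            log.debug("Groups found for user [" + username + "]: " + groupNames);
                        }
                        roleNames.addAll(getRoleNamesForGroups(groupNames));
                    }
                } finally {
                    closeQuietly(attributeEnumeration);
                }
            }
        } finally {
            closeQuietly(results);
        }
    }

    /**
     * Static mode: reads every configured group (and sub-group) entry and grants
     * its roles when the user's DN appears among the member values.
     *
     * Member values are compared verbatim against the templated user DN; a
     * directory that stores member DNs with different casing or spacing would not
     * match (TODO confirm against the deployed directory's DN normalisation).
     */
    private void collectRolesFromGroupEntries(String username, LdapContext ldapContext, Set<String> roleNames) throws NamingException {
        // Loop-invariant: the user DN only depends on the principal and the template.
        String userDn = getUserDn(username);
        for (Map.Entry<String, Set<String>> group : getGroupAndSubGroupRolesMap(ldapContext).entrySet()) {
            String groupDn = group.getKey();
            try {
                if (isMemberOf(groupDn, userDn, ldapContext)) {
                    roleNames.addAll(group.getValue());
                }
            } catch (NameNotFoundException e) {
                // A misconfigured group must not break authorization for the others.
                log.warn("The following group does not exist in the LDAP directory (please check your LDAP configuration, property ldapRealm.groupRolesMapAsString in your ~/.tc/mgmt/shiro.ini is referring to a missing group): " + groupDn + " - skipping it.", e);
            }
        }
    }

    /**
     * Reads the entry at {@code groupDn} and reports whether one of its member
     * attribute values equals {@code userDn}.
     *
     * @throws NameNotFoundException when the group entry does not exist
     * @throws NamingException on any other directory error
     */
    private boolean isMemberOf(String groupDn, String userDn, LdapContext ldapContext) throws NamingException {
        NamingEnumeration<? extends Attribute> attributeEnumeration = ldapContext.getAttributes(groupDn).getAll();
        try {
            while (attributeEnumeration.hasMore()) {
                Attribute attribute = attributeEnumeration.next();
                if (isAMemberAttribute(attribute) && LdapUtils.getAllAttributeValues(attribute).contains(userDn)) {
                    return true;
                }
            }
            return false;
        } finally {
            closeQuietly(attributeEnumeration);
        }
    }

    /**
     * Maps group names to roles through {@code groupRolesMap}.
     *
     * @param groupNames group names read from the directory; unknown names are ignored
     * @return the union of the roles of all known groups; empty when the map is unset
     */
    protected Collection<String> getRoleNamesForGroups(Collection<String> groupNames) {
        Set<String> roleNames = new HashSet<String>(groupNames.size());
        if (this.groupRolesMap == null) {
            return roleNames;
        }
        for (String groupName : groupNames) {
            Set<String> rolesForGroup = this.groupRolesMap.get(groupName);
            if (rolesForGroup == null) {
                // Not a configured group: membership grants nothing.
                continue;
            }
            for (String roleName : rolesForGroup) {
                if (log.isDebugEnabled()) {
                    log.debug("User is member of group [" + groupName + "] so adding role [" + roleName + "]");
                }
                roleNames.add(roleName);
            }
        }
        return roleNames;
    }

    /** Re-keys the group/roles map by full group DN (static mode). */
    private Map<String, Set<String>> getGroupRolesMapDn(Map<String, Set<String>> groupRolesByKey) {
        Map<String, Set<String>> groupRolesByDn = new HashMap<String, Set<String>>();
        for (Map.Entry<String, Set<String>> entry : groupRolesByKey.entrySet()) {
            groupRolesByDn.put(getGroupDn(entry.getKey()), entry.getValue());
        }
        return groupRolesByDn;
    }

    /**
     * Substitutes the group key into {@code groupDnTemplate}.
     *
     * @throws IllegalStateException if no template has been configured
     */
    private String getGroupDn(String groupKey) {
        if (this.groupDnTemplate == null) {
            throw new IllegalStateException("groupDnTemplate must be configured for static group configuration");
        }
        return this.groupDnTemplate.replace(GROUPDN_SUBSTITUTION_TOKEN, groupKey);
    }

    /**
     * Adds the {@code operator} role whenever {@code admin} is present.
     * Note: nothing in this class calls this method; it is kept for compatibility.
     */
    private void fixRoleNamesForTMS(Set<String> roleNames) {
        if (roleNames.contains(ADMIN)) {
            if (log.isDebugEnabled()) {
                log.debug("User has role [admin] so adding role [operator]");
            }
            roleNames.add(OPERATOR);
        }
    }

    /**
     * Tells whether {@code attribute} is the configured member attribute.
     * LDAP attribute names are case-insensitive, so the comparison ignores case
     * (servers may return e.g. {@code uniqueMember} for a configured {@code uniquemember}).
     */
    private boolean isAMemberAttribute(Attribute attribute) {
        return attribute.getID().equalsIgnoreCase(this.groupAttributeMatching);
    }

    /**
     * Static mode: builds the DN-keyed group/roles map and extends it with every
     * entry below each group that carries the member attribute, which inherits the
     * same roles as the group it sits under. A group that cannot be searched is
     * logged and still kept itself; only its sub-entries are skipped.
     *
     * @return DN to roles; empty when no group/roles map is configured
     */
    private Map<String, Set<String>> getGroupAndSubGroupRolesMap(LdapContext ldapContext) {
        Map<String, Set<String>> groupAndSubGroupRoles = new HashMap<String, Set<String>>();
        if (this.groupRolesMap == null) {
            return groupAndSubGroupRoles;
        }
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        for (Map.Entry<String, Set<String>> group : getGroupRolesMapDn(this.groupRolesMap).entrySet()) {
            String groupDn = group.getKey();
            Set<String> roles = group.getValue();
            groupAndSubGroupRoles.put(groupDn, roles);
            try {
                NamingEnumeration<SearchResult> results = ldapContext.search(groupDn, "(objectClass=*)", searchControls);
                try {
                    while (results.hasMoreElements()) {
                        SearchResult result = results.next();
                        if (hasMemberAttribute(result.getAttributes())) {
                            groupAndSubGroupRoles.put(result.getNameInNamespace(), roles);
                        }
                    }
                } finally {
                    closeQuietly(results);
                }
            } catch (NamingException e) {
                log.error("Impossible to search the group : " + groupDn, e);
            }
        }
        return groupAndSubGroupRoles;
    }

    /** Whether the entry's attributes include the configured member attribute. */
    private boolean hasMemberAttribute(Attributes attributes) throws NamingException {
        if (attributes == null) {
            return false;
        }
        NamingEnumeration<? extends Attribute> attributeEnumeration = attributes.getAll();
        try {
            while (attributeEnumeration.hasMore()) {
                if (isAMemberAttribute(attributeEnumeration.next())) {
                    return true;
                }
            }
            return false;
        } finally {
            closeQuietly(attributeEnumeration);
        }
    }

    /** Closes a naming enumeration, logging (not propagating) close failures. */
    private static void closeQuietly(NamingEnumeration<?> enumeration) {
        if (enumeration == null) {
            return;
        }
        try {
            enumeration.close();
        } catch (NamingException e) {
            log.debug("Failed to close LDAP enumeration", e);
        }
    }

    public void setGroupAttributeMatching(String groupAttributeMatching) {
        this.groupAttributeMatching = groupAttributeMatching;
    }

    public void setDynamicGroupConfiguration(boolean dynamicGroupConfiguration) {
        this.dynamicGroupConfiguration = dynamicGroupConfiguration;
    }

    public void setGroupRolesMap(Map<String, Set<String>> groupRolesMap) {
        this.groupRolesMap = groupRolesMap;
    }

    /**
     * Configures the group/roles map from {@code group -> "role1, role2"} entries
     * (the {@code ldapRealm.groupRolesMapAsString} form used in shiro.ini).
     */
    public void setGroupRolesMapAsString(Map<String, String> groupRolesAsString) {
        this.groupRolesMap = new HashMap<String, Set<String>>();
        for (Map.Entry<String, String> entry : groupRolesAsString.entrySet()) {
            this.groupRolesMap.put(entry.getKey(), getRolesFromString(entry.getValue()));
        }
    }

    /**
     * Splits a delimited role list, trimming each name and dropping empty tokens
     * (a trailing delimiter would otherwise register an empty role name).
     */
    private Set<String> getRolesFromString(String rolesAsString) {
        Set<String> roles = new HashSet<String>();
        for (String token : rolesAsString.split(ROLE_NAMES_DELIMETER)) {
            String roleName = token.trim();
            if (!roleName.isEmpty()) {
                roles.add(roleName);
            }
        }
        return roles;
    }

    public void setSearchBase(String searchBase) {
        this.searchBase = searchBase;
    }

    public String getGroupDnTemplate() {
        return this.groupDnTemplate;
    }

    public void setGroupDnTemplate(String groupDnTemplate) {
        this.groupDnTemplate = groupDnTemplate;
    }

    /**
     * Sets the service account used for authorization lookups: the full DN (built
     * from the user DN template) for binding, and the plain name for display.
     *
     * @throws IllegalStateException if the realm's context factory is not a
     *         {@link TCJndiLdapContextFactory}
     */
    public void setSystemUsername(String systemUsername) {
        LdapContextFactory contextFactory = getContextFactory();
        if (!(contextFactory instanceof TCJndiLdapContextFactory)) {
            throw new IllegalStateException("LdapRealm requires a TCJndiLdapContextFactory but the context factory is "
                    + (contextFactory == null ? "null" : contextFactory.getClass().getName()));
        }
        TCJndiLdapContextFactory tcContextFactory = (TCJndiLdapContextFactory) contextFactory;
        tcContextFactory.setSystemUsername(getUserDn(systemUsername));
        tcContextFactory.setSimpleSystemUsername(systemUsername);
    }
}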
