package org.apereo.cas.authentication;

import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import javax.annotation.PostConstruct;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.support.LdapPasswordPolicyConfiguration;
import org.apereo.cas.services.ServicesManager;
import org.ldaptive.LdapAttribute;
import org.ldaptive.LdapEntry;
import org.ldaptive.LdapException;
import org.ldaptive.ReturnAttributes;
import org.ldaptive.auth.AuthenticationRequest;
import org.ldaptive.auth.AuthenticationResponse;
import org.ldaptive.auth.AuthenticationResultCode;
import org.ldaptive.auth.Authenticator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-ldap-5.1.2.jar:org/apereo/cas/authentication/LdapAuthenticationHandler.class */
public class LdapAuthenticationHandler extends AbstractUsernamePasswordAuthenticationHandler {
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) LdapAuthenticationHandler.class);
    protected Map<String, String> principalAttributeMap;
    private final Authenticator authenticator;
    private String principalIdAttribute;
    private boolean allowMultiplePrincipalAttributeValues;
    private boolean allowMissingPrincipalAttributeValue;
    private String[] authenticatedEntryAttributes;

    public LdapAuthenticationHandler(String str, ServicesManager servicesManager, PrincipalFactory principalFactory, Integer num, Authenticator authenticator) {
        super(str, servicesManager, principalFactory, num);
        this.principalAttributeMap = Collections.emptyMap();
        this.allowMissingPrincipalAttributeValue = true;
        this.authenticatedEntryAttributes = ReturnAttributes.NONE.value();
        this.authenticator = authenticator;
    }

    public void setPrincipalIdAttribute(String str) {
        this.principalIdAttribute = str;
    }

    public void setAllowMultiplePrincipalAttributeValues(boolean z) {
        this.allowMultiplePrincipalAttributeValues = z;
    }

    public void setPrincipalAttributeMap(Map<String, String> map) {
        this.principalAttributeMap = map;
    }

    public void setPrincipalAttributeList(List<String> list) {
        this.principalAttributeMap = (Map) list.stream().collect(Collectors.toMap((v0) -> {
            return v0.toString();
        }, Function.identity()));
    }

    @Override // org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler
    protected HandlerResult authenticateUsernamePasswordInternal(UsernamePasswordCredential usernamePasswordCredential, String str) throws GeneralSecurityException, PreventedException {
        List<MessageDescriptor> emptyList;
        try {
            LOGGER.debug("Attempting LDAP authentication for [{}]. Authenticator pre-configured attributes are [{}], additional requested attributes for this authentication request are [{}]", usernamePasswordCredential, this.authenticator.getReturnAttributes(), this.authenticatedEntryAttributes);
            AuthenticationResponse authenticate = this.authenticator.authenticate(new AuthenticationRequest(usernamePasswordCredential.getUsername(), new org.ldaptive.Credential(usernamePasswordCredential.getPassword()), this.authenticatedEntryAttributes));
            LOGGER.debug("LDAP response: [{}]", authenticate);
            LdapPasswordPolicyConfiguration ldapPasswordPolicyConfiguration = (LdapPasswordPolicyConfiguration) super.getPasswordPolicyConfiguration();
            if (ldapPasswordPolicyConfiguration != null) {
                LOGGER.debug("Applying password policy to [{}]", authenticate);
                emptyList = ldapPasswordPolicyConfiguration.getAccountStateHandler().handle(authenticate, ldapPasswordPolicyConfiguration);
            } else {
                LOGGER.debug("No ldap password policy configuration is defined");
                emptyList = Collections.emptyList();
            }
            if (authenticate.getResult().booleanValue()) {
                LOGGER.debug("LDAP response returned a result. Creating the final LDAP principal");
                return createHandlerResult(usernamePasswordCredential, createPrincipal(usernamePasswordCredential.getUsername(), authenticate.getLdapEntry()), emptyList);
            }
            if (AuthenticationResultCode.DN_RESOLUTION_FAILURE != authenticate.getAuthenticationResultCode()) {
                throw new FailedLoginException("Invalid credentials");
            }
            LOGGER.warn("DN resolution failed. [{}]", authenticate.getMessage());
            throw new AccountNotFoundException(usernamePasswordCredential.getUsername() + " not found.");
        } catch (LdapException e) {
            LOGGER.trace(e.getMessage(), (Throwable) e);
            throw new PreventedException("Unexpected LDAP error", e);
        }
    }

    protected Principal createPrincipal(String str, LdapEntry ldapEntry) throws LoginException {
        LOGGER.debug("Creating LDAP principal for [{}] based on [{}] and attributes [{}]", str, ldapEntry.getDn(), ldapEntry.getAttributeNames());
        String ldapPrincipalIdentifier = getLdapPrincipalIdentifier(str, ldapEntry);
        LinkedHashMap linkedHashMap = new LinkedHashMap(this.principalAttributeMap.size());
        this.principalAttributeMap.forEach((str2, str3) -> {
            LdapAttribute attribute = ldapEntry.getAttribute(str2);
            if (attribute == null) {
                LOGGER.warn("Requested LDAP attribute [{}] could not be found on the resolved LDAP entry for [{}]", str2, ldapEntry.getDn());
                return;
            }
            LOGGER.debug("Found principal attribute: [{}]", attribute);
            if (attribute.size() <= 1) {
                linkedHashMap.put(str3, attribute.getStringValue());
            } else {
                LOGGER.debug("Principal attribute: [{}] is multivalued", attribute);
                linkedHashMap.put(str3, new ArrayList(attribute.getStringValues()));
            }
        });
        String concat = getName().concat(".").concat(str);
        LOGGER.debug("Recording principal DN attribute as [{}]", concat);
        linkedHashMap.put(concat, ldapEntry.getDn());
        LOGGER.debug("Created LDAP principal for id [{}] and [{}] attributes", ldapPrincipalIdentifier, Integer.valueOf(linkedHashMap.size()));
        return this.principalFactory.createPrincipal(ldapPrincipalIdentifier, linkedHashMap);
    }

    protected String getLdapPrincipalIdentifier(String str, LdapEntry ldapEntry) throws LoginException {
        if (!StringUtils.isNotBlank(this.principalIdAttribute)) {
            LOGGER.debug("Principal id attribute is not defined. Using the default provided user id [{}]", str);
            return str;
        }
        LdapAttribute attribute = ldapEntry.getAttribute(this.principalIdAttribute);
        if (attribute == null || attribute.size() == 0) {
            if (this.allowMissingPrincipalAttributeValue) {
                LOGGER.warn("The principal id attribute [{}] is not found. CAS cannot construct the final authenticated principal if it's unable to locate the attribute that is designated as the principal id. Attributes available on the LDAP entry are [{}]. Since principal id attribute is not available, CAS will fall back to construct the principal based on the provided user id: [{}]", this.principalIdAttribute, ldapEntry.getAttributes(), str);
                return str;
            }
            LOGGER.error("The principal id attribute [{}] is not found. CAS is configured to disallow missing principal attributes", this.principalIdAttribute);
            throw new LoginException("Principal id attribute is not found for " + attribute);
        }
        if (attribute.size() > 1) {
            if (!this.allowMultiplePrincipalAttributeValues) {
                throw new LoginException("Multiple principal values are not allowed: " + attribute);
            }
            LOGGER.warn("Found multiple values for principal id attribute: [{}]. Using first value=[{}].", attribute, attribute.getStringValue());
        }
        LOGGER.debug("Retrieved principal id attribute [{}]", attribute.getStringValue());
        return attribute.getStringValue();
    }

    public void setAllowMissingPrincipalAttributeValue(boolean z) {
        this.allowMissingPrincipalAttributeValue = z;
    }

    @PostConstruct
    public void initialize() {
        List asList;
        HashSet hashSet = new HashSet();
        LOGGER.debug("Initializing LDAP attribute configuration...");
        if (StringUtils.isNotBlank(this.principalIdAttribute)) {
            LOGGER.debug("Configured to retrieve principal id attribute [{}]", this.principalIdAttribute);
            hashSet.add(this.principalIdAttribute);
        }
        if (this.principalAttributeMap != null && !this.principalAttributeMap.isEmpty()) {
            Set<String> keySet = this.principalAttributeMap.keySet();
            hashSet.addAll(keySet);
            LOGGER.debug("Configured to retrieve principal attribute collection of [{}]", keySet);
        }
        if (this.authenticator.getReturnAttributes() != null && (asList = Arrays.asList(this.authenticator.getReturnAttributes())) != null && !asList.isEmpty()) {
            LOGGER.debug("Filtering authentication entry attributes [{}] based on authenticator attributes [{}]", this.authenticatedEntryAttributes, asList);
            asList.getClass();
            hashSet.removeIf((v1) -> {
                return r1.contains(v1);
            });
        }
        this.authenticatedEntryAttributes = (String[]) hashSet.toArray(new String[hashSet.size()]);
        LOGGER.debug("LDAP authentication entry attributes for the authentication request are [{}]", (Object[]) this.authenticatedEntryAttributes);
    }
}
