package org.graylog2.security.ldap;

import com.google.common.base.Strings;
import com.google.common.collect.Sets;
import com.google.common.util.concurrent.SimpleTimeLimiter;
import com.google.common.util.concurrent.ThreadFactoryBuilder;
import com.google.common.util.concurrent.UncheckedTimeoutException;
import java.nio.charset.StandardCharsets;
import java.text.MessageFormat;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import javax.annotation.Nullable;
import javax.inject.Inject;
import javax.inject.Named;
import org.apache.directory.api.ldap.model.constants.SchemaConstants;
import org.apache.directory.api.ldap.model.cursor.Cursor;
import org.apache.directory.api.ldap.model.cursor.CursorException;
import org.apache.directory.api.ldap.model.cursor.EntryCursor;
import org.apache.directory.api.ldap.model.entry.Attribute;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.entry.Value;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.message.BindRequestImpl;
import org.apache.directory.api.ldap.model.message.BindResponse;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.api.ldap.model.message.SearchScope;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.graylog2.shared.security.ldap.LdapEntry;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/graylog2/security/ldap/LdapConnector.class */
public class LdapConnector {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) LdapConnector.class);
    private final int connectionTimeout;

    @Inject
    public LdapConnector(@Named("ldap_connection_timeout") int i) {
        this.connectionTimeout = i;
    }

    public LdapNetworkConnection connect(LdapConnectionConfig ldapConnectionConfig) throws LdapException {
        final LdapNetworkConnection ldapNetworkConnection = new LdapNetworkConnection(ldapConnectionConfig);
        ldapNetworkConnection.setTimeOut(this.connectionTimeout);
        if (LOG.isTraceEnabled()) {
            LOG.trace("Connecting to LDAP server {}:{}, binding with user {}", ldapConnectionConfig.getLdapHost(), Integer.valueOf(ldapConnectionConfig.getLdapPort()), ldapConnectionConfig.getName());
        }
        try {
            if (!((Boolean) ((Callable) new SimpleTimeLimiter(Executors.newSingleThreadExecutor(new ThreadFactoryBuilder().setNameFormat("ldap-connector-%d").build())).newProxy(new Callable<Boolean>() { // from class: org.graylog2.security.ldap.LdapConnector.1
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.util.concurrent.Callable
                public Boolean call() throws Exception {
                    return Boolean.valueOf(ldapNetworkConnection.connect());
                }
            }, Callable.class, this.connectionTimeout, TimeUnit.MILLISECONDS)).call()).booleanValue()) {
                return null;
            }
            ldapNetworkConnection.bind();
            return ldapNetworkConnection;
        } catch (UncheckedTimeoutException e) {
            LOG.error("Timed out connecting to LDAP server", (Throwable) e);
            throw new LdapException("Could not connect to LDAP server", e.getCause());
        } catch (LdapException e2) {
            throw e2;
        } catch (Exception e3) {
            throw new LdapException("Unexpected error connecting to LDAP", e3);
        }
    }

    @Nullable
    public LdapEntry search(LdapNetworkConnection ldapNetworkConnection, String str, String str2, String str3, boolean z, String str4, String str5, String str6) throws LdapException, CursorException {
        LdapEntry ldapEntry = new LdapEntry();
        String format = MessageFormat.format(str2, sanitizePrincipal(str3));
        if (LOG.isTraceEnabled()) {
            Logger logger = LOG;
            Object[] objArr = new Object[3];
            objArr[0] = z ? "ActiveDirectory" : "LDAP";
            objArr[1] = format;
            objArr[2] = str;
            logger.trace("Search {} for {}, starting at {}", objArr);
        }
        Cursor cursor = null;
        try {
            EntryCursor search = ldapNetworkConnection.search(str, format, SearchScope.SUBTREE, "*");
            Iterator it = search.iterator();
            if (!it.hasNext()) {
                LOG.trace("No LDAP entry found for filter {}", format);
                if (search != null) {
                    search.close();
                }
                return null;
            }
            Entry entry = (Entry) it.next();
            ldapEntry.setDn(entry.getDn().getName());
            if (!z) {
                ldapEntry.setBindPrincipal(entry.getDn().getName());
            }
            for (Attribute attribute : entry.getAttributes()) {
                if (z && "userPrincipalName".equalsIgnoreCase(attribute.getId())) {
                    ldapEntry.setBindPrincipal(attribute.getString());
                }
                if (attribute.isHumanReadable()) {
                    ldapEntry.put(attribute.getId(), attribute.getString());
                }
            }
            if (Strings.isNullOrEmpty(str4) || Strings.isNullOrEmpty(str5) || Strings.isNullOrEmpty(str6)) {
                LOG.info("LDAP group search base, id attribute or object class missing, not searching for LDAP groups.");
            } else {
                ldapEntry.addGroups(findGroups(ldapNetworkConnection, str4, str6, str5, ldapEntry.getDn()));
                LOG.trace("LDAP search found entry for DN {} with search filter {}: {}", ldapEntry.getDn(), format, ldapEntry);
            }
            if (search != null) {
                search.close();
            }
            return ldapEntry;
        } catch (Throwable th) {
            if (0 != 0) {
                cursor.close();
            }
            throw th;
        }
    }

    public Set<String> findGroups(LdapNetworkConnection ldapNetworkConnection, String str, String str2, String str3, String str4) throws LdapException {
        String str5;
        HashSet newHashSet = Sets.newHashSet();
        EntryCursor<Entry> entryCursor = null;
        try {
            entryCursor = ldapNetworkConnection.search(str, str2, SearchScope.SUBTREE, "*");
            LOG.trace("LDAP search for groups: {} starting at {}", str2, str);
            for (Entry entry : entryCursor) {
                if (LOG.isTraceEnabled()) {
                    LOG.trace("Group Entry: {}", entry.toString("  "));
                }
                if (entry.containsAttribute(str3)) {
                    String string = entry.get(str3).getString();
                    if (str4 == null) {
                        newHashSet.add(string);
                    } else {
                        if (entry.hasObjectClass(SchemaConstants.GROUP_OF_UNIQUE_NAMES_OC)) {
                            str5 = SchemaConstants.UNIQUE_MEMBER_AT;
                        } else if (entry.hasObjectClass(SchemaConstants.GROUP_OF_NAMES_OC) || entry.hasObjectClass("group")) {
                            str5 = SchemaConstants.MEMBER_AT;
                        } else {
                            LOG.warn("Unable to auto-detect the LDAP group object class, assuming 'member' is the correct attribute.");
                            str5 = SchemaConstants.MEMBER_AT;
                        }
                        Attribute attribute = entry.get(str5);
                        if (attribute != null) {
                            for (Value<?> value : attribute) {
                                LOG.trace("DN {} == {} member?", str4, value.getString());
                                if (str4.equalsIgnoreCase(value.getString())) {
                                    newHashSet.add(string);
                                }
                            }
                        }
                    }
                } else {
                    LOG.warn("Unknown group id attribute {}, skipping group entry {}", str3, entry);
                }
            }
            if (entryCursor != null) {
                entryCursor.close();
            }
            return newHashSet;
        } catch (Throwable th) {
            if (entryCursor != null) {
                entryCursor.close();
            }
            throw th;
        }
    }

    public Set<String> listGroups(LdapNetworkConnection ldapNetworkConnection, String str, String str2, String str3) throws LdapException {
        return findGroups(ldapNetworkConnection, str, str2, str3, null);
    }

    private String sanitizePrincipal(String str) {
        String str2 = "";
        for (int i = 0; i < str.length(); i++) {
            char charAt = str.charAt(i);
            if (charAt == '*') {
                str2 = str2 + "\\2a";
            } else if (charAt == '(') {
                str2 = str2 + "\\28";
            } else if (charAt == ')') {
                str2 = str2 + "\\29";
            } else if (charAt == '\\') {
                str2 = str2 + "\\5c";
            } else if (charAt == 0) {
                str2 = str2 + "\\00";
            } else if (charAt <= 127) {
                str2 = str2 + String.valueOf(charAt);
            } else if (charAt >= 128) {
                for (byte b : String.valueOf(charAt).getBytes(StandardCharsets.UTF_8)) {
                    str2 = str2 + String.format("\\%02x", Byte.valueOf(b));
                }
            }
        }
        return str2;
    }

    public boolean authenticate(LdapNetworkConnection ldapNetworkConnection, String str, String str2) throws LdapException {
        BindRequestImpl bindRequestImpl = new BindRequestImpl();
        bindRequestImpl.setName(str);
        bindRequestImpl.setCredentials(str2);
        LOG.trace("Re-binding with DN {} using password", str);
        BindResponse bind = ldapNetworkConnection.bind(bindRequestImpl);
        if (bind.getLdapResult().getResultCode().equals(ResultCodeEnum.SUCCESS)) {
            LOG.trace("Binding DN {} did not throw, connection authenticated: {}", str, Boolean.valueOf(ldapNetworkConnection.isAuthenticated()));
            return ldapNetworkConnection.isAuthenticated();
        }
        LOG.trace("Re-binding DN {} failed", str);
        throw new RuntimeException(bind.toString());
    }
}
