package org.graylog.security.authservice.ldap;

import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.common.primitives.Ints;
import com.unboundid.ldap.sdk.Attribute;
import com.unboundid.ldap.sdk.BindRequest;
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.Entry;
import com.unboundid.ldap.sdk.FailoverServerSet;
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPBindException;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionOptions;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.PostConnectProcessor;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchScope;
import com.unboundid.ldap.sdk.SimpleBindRequest;
import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest;
import com.unboundid.util.Base64;
import com.unboundid.util.LDAPTestUtils;
import com.unboundid.util.StaticUtils;
import com.unboundid.util.ssl.SSLUtil;
import java.security.GeneralSecurityException;
import java.text.MessageFormat;
import java.util.Arrays;
import java.util.Locale;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Singleton;
import javax.net.ssl.SSLSocketFactory;
import org.apache.commons.lang3.StringUtils;
import org.graylog.security.authservice.backend.ADAuthServiceBackend;
import org.graylog.security.authservice.ldap.LDAPEntry;
import org.graylog2.configuration.TLSProtocolsConfiguration;
import org.graylog2.security.TrustAllX509TrustManager;
import org.graylog2.security.TrustManagerProvider;
import org.graylog2.security.encryption.EncryptedValue;
import org.graylog2.security.encryption.EncryptedValueService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Singleton
/* loaded from: input_file:org/graylog/security/authservice/ldap/UnboundLDAPConnector.class */
public class UnboundLDAPConnector {
    private static final Logger LOG = LoggerFactory.getLogger(UnboundLDAPConnector.class);
    private static final String OBJECT_CLASS_ATTRIBUTE = "objectClass";
    private final int connectionTimeout;
    private final TLSProtocolsConfiguration tlsConfiguration;
    private final TrustManagerProvider trustManagerProvider;
    private final EncryptedValueService encryptedValueService;
    private final int requestTimeoutSeconds = 60;

    @Inject
    public UnboundLDAPConnector(@Named("ldap_connection_timeout") int i, TLSProtocolsConfiguration tLSProtocolsConfiguration, TrustManagerProvider trustManagerProvider, EncryptedValueService encryptedValueService) {
        this.connectionTimeout = i;
        this.tlsConfiguration = tLSProtocolsConfiguration;
        this.trustManagerProvider = trustManagerProvider;
        this.encryptedValueService = encryptedValueService;
    }

    public LDAPConnection connect(LDAPConnectorConfig lDAPConnectorConfig) throws GeneralSecurityException, LDAPException {
        if (lDAPConnectorConfig.serverList().isEmpty()) {
            LOG.warn("Cannot connect with empty server list");
            return null;
        }
        String[] strArr = (String[]) lDAPConnectorConfig.serverList().stream().map((v0) -> {
            return v0.hostname();
        }).toArray(i -> {
            return new String[i];
        });
        int[] array = lDAPConnectorConfig.serverList().stream().mapToInt((v0) -> {
            return v0.port();
        }).toArray();
        LDAPConnectionOptions lDAPConnectionOptions = new LDAPConnectionOptions();
        lDAPConnectionOptions.setUseReuseAddress(true);
        lDAPConnectionOptions.setConnectTimeoutMillis(this.connectionTimeout);
        StartTLSExtendedRequest startTLSExtendedRequest = null;
        SSLSocketFactory sSLSocketFactory = null;
        if (lDAPConnectorConfig.transportSecurity() != LDAPTransportSecurity.NONE) {
            SSLUtil.setEnabledSSLProtocols(this.tlsConfiguration.getEnabledTlsProtocols());
            SSLUtil sSLUtil = lDAPConnectorConfig.verifyCertificates() ? new SSLUtil(this.trustManagerProvider.create(Arrays.asList(strArr))) : new SSLUtil(new TrustAllX509TrustManager());
            if (lDAPConnectorConfig.transportSecurity() == LDAPTransportSecurity.START_TLS) {
                startTLSExtendedRequest = new StartTLSExtendedRequest(sSLUtil.createSSLContext());
            } else if (lDAPConnectorConfig.transportSecurity() == LDAPTransportSecurity.TLS) {
                sSLSocketFactory = sSLUtil.createSSLSocketFactory();
            }
        }
        LDAPConnection connection = new FailoverServerSet(strArr, array, sSLSocketFactory, lDAPConnectionOptions, (BindRequest) null, (PostConnectProcessor) null).getConnection();
        if (startTLSExtendedRequest != null) {
            LDAPTestUtils.assertResultCodeEquals(connection.processExtendedOperation(startTLSExtendedRequest), new ResultCode[]{ResultCode.SUCCESS});
        }
        if (lDAPConnectorConfig.systemUsername().isPresent()) {
            if (lDAPConnectorConfig.systemPassword().isSet()) {
                connection.bind(new SimpleBindRequest(lDAPConnectorConfig.systemUsername().get(), this.encryptedValueService.decrypt(lDAPConnectorConfig.systemPassword())));
            } else {
                LOG.warn("System username has been set to <{}> but no system password has been set. Skipping bind request.", lDAPConnectorConfig.systemUsername().get());
            }
        }
        return connection;
    }

    public ImmutableList<LDAPEntry> search(LDAPConnection lDAPConnection, String str, Filter filter, String str2, Set<String> set) throws LDAPException {
        SearchRequest searchRequest = new SearchRequest(str, SearchScope.SUB, filter, (String[]) ImmutableSet.builder().add(OBJECT_CLASS_ATTRIBUTE).addAll(set).build().toArray(new String[0]));
        searchRequest.setTimeLimitSeconds(this.requestTimeoutSeconds);
        if (LOG.isTraceEnabled()) {
            LOG.trace("Search LDAP for <{}> using search base <{}>", filter.toNormalizedString(), str);
        }
        SearchResult search = lDAPConnection.search(searchRequest);
        if (!search.getSearchEntries().isEmpty()) {
            return (ImmutableList) search.getSearchEntries().stream().map(searchResultEntry -> {
                return createLDAPEntry(searchResultEntry, str2);
            }).collect(ImmutableList.toImmutableList());
        }
        LOG.trace("No LDAP entry found for filter <{}>", filter.toNormalizedString());
        return ImmutableList.of();
    }

    public Optional<LDAPUser> searchUserByPrincipal(LDAPConnection lDAPConnection, UnboundLDAPConfig unboundLDAPConfig, String str) throws LDAPException {
        return searchUser(lDAPConnection, unboundLDAPConfig, Filter.create(new MessageFormat(unboundLDAPConfig.userSearchPattern(), Locale.ENGLISH).format(new Object[]{Filter.encodeValue(str)})));
    }

    public Optional<LDAPUser> searchUserByUniqueId(LDAPConnection lDAPConnection, UnboundLDAPConfig unboundLDAPConfig, byte[] bArr) throws LDAPException {
        return searchUser(lDAPConnection, unboundLDAPConfig, Filter.createEqualityFilter(unboundLDAPConfig.userUniqueIdAttribute(), bArr));
    }

    private Optional<LDAPUser> searchUser(LDAPConnection lDAPConnection, UnboundLDAPConfig unboundLDAPConfig, Filter filter) throws LDAPException {
        ImmutableList<LDAPEntry> search = search(lDAPConnection, unboundLDAPConfig.userSearchBase(), filter, unboundLDAPConfig.userUniqueIdAttribute(), ImmutableSet.builder().add(ADAuthServiceBackend.AD_USER_PRINCIPAL_NAME).add("userAccountControl").add("mail").add("rfc822Mailbox").add(unboundLDAPConfig.userUniqueIdAttribute()).add(unboundLDAPConfig.userNameAttribute()).add(unboundLDAPConfig.userFullNameAttribute()).build());
        if (search.size() > 1) {
            LOG.warn("Found more than one user for <{}> in search base <{}> - Using the first one", filter.toString(), unboundLDAPConfig.userSearchBase());
        }
        return search.stream().findFirst().map(lDAPEntry -> {
            return createLDAPUser(unboundLDAPConfig, lDAPEntry);
        });
    }

    public boolean authenticate(LDAPConnection lDAPConnection, String str, EncryptedValue encryptedValue) throws LDAPException {
        Preconditions.checkArgument(!Strings.isNullOrEmpty(str), "Binding with empty principal is forbidden.");
        Preconditions.checkArgument(encryptedValue != null, "Binding with null credentials is forbidden.");
        Preconditions.checkArgument(encryptedValue.isSet(), "Binding with empty credentials is forbidden.");
        SimpleBindRequest simpleBindRequest = new SimpleBindRequest(str, this.encryptedValueService.decrypt(encryptedValue));
        LOG.trace("Re-binding with DN <{}> using password", str);
        try {
            BindResult bind = lDAPConnection.bind(simpleBindRequest);
            if (!bind.getResultCode().equals(ResultCode.SUCCESS)) {
                LOG.trace("Re-binding DN <{}> failed", str);
                throw new RuntimeException(bind.toString());
            }
            boolean equals = lDAPConnection.getLastBindRequest().equals(simpleBindRequest);
            LOG.trace("Binding DN <{}> did not throw, connection authenticated: {}", str, Boolean.valueOf(equals));
            return equals;
        } catch (LDAPBindException e) {
            LOG.trace("Re-binding DN <{}> failed", str);
            return false;
        }
    }

    public LDAPEntry createLDAPEntry(Entry entry, String str) {
        Objects.requireNonNull(entry, "entry cannot be null");
        Preconditions.checkArgument(!StringUtils.isBlank(str), "uniqueIdAttribute cannot be blank");
        LDAPEntry.Builder builder = LDAPEntry.builder();
        builder.dn(entry.getDN());
        builder.base64UniqueId(Base64.encode((byte[]) Objects.requireNonNull(entry.getAttributeValueBytes(str), str + " attribute cannot be null")));
        if (entry.getObjectClassValues() != null) {
            builder.objectClasses(Arrays.asList(entry.getObjectClassValues()));
        }
        for (Attribute attribute : entry.getAttributes()) {
            if (!OBJECT_CLASS_ATTRIBUTE.equalsIgnoreCase(attribute.getBaseName())) {
                if (attribute.needsBase64Encoding()) {
                    for (byte[] bArr : attribute.getValueByteArrays()) {
                        if (StaticUtils.isValidUTF8(bArr)) {
                            builder.addAttribute(attribute.getBaseName(), StaticUtils.toUTF8String(bArr));
                        } else {
                            builder.addAttribute(attribute.getBaseName(), Base64.encode(bArr));
                        }
                    }
                } else {
                    for (String str2 : attribute.getValues()) {
                        builder.addAttribute(attribute.getBaseName(), str2);
                    }
                }
            }
        }
        return builder.build();
    }

    public LDAPUser createLDAPUser(UnboundLDAPConfig unboundLDAPConfig, Entry entry) {
        return createLDAPUser(unboundLDAPConfig, createLDAPEntry(entry, unboundLDAPConfig.userUniqueIdAttribute()));
    }

    public LDAPUser createLDAPUser(UnboundLDAPConfig unboundLDAPConfig, LDAPEntry lDAPEntry) {
        String nonBlankAttribute = lDAPEntry.nonBlankAttribute(unboundLDAPConfig.userNameAttribute());
        return LDAPUser.builder().base64UniqueId(lDAPEntry.base64UniqueId()).accountIsEnabled(findAccountIsEnabled(lDAPEntry)).username(nonBlankAttribute).fullName(lDAPEntry.firstAttributeValue(unboundLDAPConfig.userFullNameAttribute()).orElse(nonBlankAttribute)).email(lDAPEntry.firstAttributeValue("mail").orElse(lDAPEntry.firstAttributeValue("rfc822Mailbox").orElse("unknown@unknown.invalid"))).entry(lDAPEntry).build();
    }

    private boolean findAccountIsEnabled(LDAPEntry lDAPEntry) {
        Optional<String> firstAttributeValue = lDAPEntry.firstAttributeValue("userAccountControl");
        if (!firstAttributeValue.isPresent()) {
            return true;
        }
        Integer tryParse = Ints.tryParse(firstAttributeValue.get());
        if (tryParse != null) {
            return !ADUserAccountControl.create(tryParse.intValue()).accountIsDisabled();
        }
        LOG.warn("Ignoring non-parseable userAccountControl value");
        return true;
    }
}
