package org.graylog.security.authservice.backend;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.inject.assistedinject.Assisted;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import java.security.GeneralSecurityException;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;
import javax.annotation.Nullable;
import javax.inject.Inject;
import org.graylog.security.authservice.AuthServiceBackend;
import org.graylog.security.authservice.AuthServiceBackendDTO;
import org.graylog.security.authservice.AuthServiceCredentials;
import org.graylog.security.authservice.AuthenticationDetails;
import org.graylog.security.authservice.ProvisionerService;
import org.graylog.security.authservice.backend.LDAPAuthServiceBackendConfig;
import org.graylog.security.authservice.ldap.LDAPConnectorConfig;
import org.graylog.security.authservice.ldap.LDAPUser;
import org.graylog.security.authservice.ldap.UnboundLDAPConfig;
import org.graylog.security.authservice.ldap.UnboundLDAPConnector;
import org.graylog.security.authservice.test.AuthServiceBackendTestResult;
import org.graylog2.security.encryption.EncryptedValue;
import org.graylog2.shared.security.AuthenticationServiceUnavailableException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/graylog/security/authservice/backend/LDAPAuthServiceBackend.class */
public class LDAPAuthServiceBackend implements AuthServiceBackend {
    public static final String TYPE_NAME = "ldap";
    private static final Logger LOG = LoggerFactory.getLogger(LDAPAuthServiceBackend.class);
    private final LDAPAuthServiceBackendConfig config;
    private final UnboundLDAPConnector ldapConnector;
    private final AuthServiceBackendDTO backend;

    /* loaded from: input_file:org/graylog/security/authservice/backend/LDAPAuthServiceBackend$Factory.class */
    public interface Factory extends AuthServiceBackend.Factory<LDAPAuthServiceBackend> {
        /* JADX WARN: Can't rename method to resolve collision */
        @Override // org.graylog.security.authservice.AuthServiceBackend.Factory
        LDAPAuthServiceBackend create(AuthServiceBackendDTO authServiceBackendDTO);
    }

    @Inject
    public LDAPAuthServiceBackend(UnboundLDAPConnector unboundLDAPConnector, @Assisted AuthServiceBackendDTO authServiceBackendDTO) {
        this.ldapConnector = unboundLDAPConnector;
        this.backend = authServiceBackendDTO;
        this.config = (LDAPAuthServiceBackendConfig) authServiceBackendDTO.config();
    }

    @Override // org.graylog.security.authservice.AuthServiceBackend
    public Optional<AuthenticationDetails> authenticateAndProvision(AuthServiceCredentials authServiceCredentials, ProvisionerService provisionerService) {
        try {
            LDAPConnection connect = this.ldapConnector.connect(this.config.getLDAPConnectorConfig());
            try {
                if (connect == null) {
                    Optional<AuthenticationDetails> empty = Optional.empty();
                    if (connect != null) {
                        connect.close();
                    }
                    return empty;
                }
                Optional<LDAPUser> findUser = findUser(connect, authServiceCredentials);
                if (!findUser.isPresent()) {
                    LOG.debug("User <{}> not found in LDAP", authServiceCredentials.username());
                    Optional<AuthenticationDetails> empty2 = Optional.empty();
                    if (connect != null) {
                        connect.close();
                    }
                    return empty2;
                }
                LDAPUser lDAPUser = findUser.get();
                if (authServiceCredentials.isAuthenticated() || isAuthenticated(connect, lDAPUser, authServiceCredentials)) {
                    Optional<AuthenticationDetails> of = Optional.of(AuthenticationDetails.builder().userDetails(provisionerService.provision(provisionerService.newDetails(this).authServiceType(backendType()).authServiceId(backendId()).accountIsEnabled(true).base64AuthServiceUid(lDAPUser.base64UniqueId()).username(lDAPUser.username()).fullName(lDAPUser.fullName()).email(lDAPUser.email()).defaultRoles(this.backend.defaultRoles()).build())).build());
                    if (connect != null) {
                        connect.close();
                    }
                    return of;
                }
                LOG.debug("Invalid credentials for user <{}> (DN: {})", authServiceCredentials.username(), lDAPUser.dn());
                Optional<AuthenticationDetails> empty3 = Optional.empty();
                if (connect != null) {
                    connect.close();
                }
                return empty3;
            } catch (Throwable th) {
                if (connect != null) {
                    try {
                        connect.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        } catch (LDAPException e) {
            LOG.error("LDAP error", e);
            throw new AuthenticationServiceUnavailableException("LDAP error", e);
        } catch (GeneralSecurityException e2) {
            LOG.error("Error setting up TLS connection", e2);
            throw new AuthenticationServiceUnavailableException("Error setting up TLS connection", e2);
        }
    }

    private boolean isAuthenticated(LDAPConnection lDAPConnection, LDAPUser lDAPUser, AuthServiceCredentials authServiceCredentials) throws LDAPException {
        return this.ldapConnector.authenticate(lDAPConnection, lDAPUser.dn(), authServiceCredentials.password());
    }

    private Optional<LDAPUser> findUser(LDAPConnection lDAPConnection, AuthServiceCredentials authServiceCredentials) throws LDAPException {
        return this.ldapConnector.searchUserByPrincipal(lDAPConnection, UnboundLDAPConfig.builder().userSearchBase(this.config.userSearchBase()).userSearchPattern(this.config.userSearchPattern()).userUniqueIdAttribute(this.config.userUniqueIdAttribute()).userNameAttribute(this.config.userNameAttribute()).userFullNameAttribute(this.config.userFullNameAttribute()).build(), authServiceCredentials.username());
    }

    @Override // org.graylog.security.authservice.AuthServiceBackend
    public String backendType() {
        return TYPE_NAME;
    }

    @Override // org.graylog.security.authservice.AuthServiceBackend
    public String backendId() {
        return this.backend.id();
    }

    @Override // org.graylog.security.authservice.AuthServiceBackend
    public String backendTitle() {
        return this.backend.title();
    }

    @Override // org.graylog.security.authservice.AuthServiceBackend
    public AuthServiceBackendDTO prepareConfigUpdate(AuthServiceBackendDTO authServiceBackendDTO, AuthServiceBackendDTO authServiceBackendDTO2) {
        LDAPAuthServiceBackendConfig lDAPAuthServiceBackendConfig = (LDAPAuthServiceBackendConfig) authServiceBackendDTO2.config();
        if (lDAPAuthServiceBackendConfig.systemUserPassword().isDeleteValue()) {
            return authServiceBackendDTO2.toBuilder().config(lDAPAuthServiceBackendConfig.toBuilder().systemUserPassword(EncryptedValue.createUnset()).build()).build();
        }
        if (!lDAPAuthServiceBackendConfig.systemUserPassword().isKeepValue()) {
            return authServiceBackendDTO2;
        }
        return authServiceBackendDTO2.toBuilder().config(lDAPAuthServiceBackendConfig.toBuilder().systemUserPassword(((LDAPAuthServiceBackendConfig) authServiceBackendDTO.config()).systemUserPassword()).build()).build();
    }

    @Override // org.graylog.security.authservice.AuthServiceBackend
    public AuthServiceBackendTestResult testConnection(@Nullable AuthServiceBackendDTO authServiceBackendDTO) {
        LDAPConnectorConfig lDAPConnectorConfig = buildTestConfig(authServiceBackendDTO).getLDAPConnectorConfig();
        if (lDAPConnectorConfig.serverList().size() == 1) {
            return testSingleConnection(lDAPConnectorConfig, (LDAPConnectorConfig.LDAPServer) lDAPConnectorConfig.serverList().get(0));
        }
        List list = (List) lDAPConnectorConfig.serverList().stream().map(lDAPServer -> {
            return testSingleConnection(lDAPConnectorConfig, lDAPServer);
        }).collect(Collectors.toList());
        return list.stream().anyMatch(authServiceBackendTestResult -> {
            return !authServiceBackendTestResult.isSuccess();
        }) ? AuthServiceBackendTestResult.createFailure("Test failure", (List<String>) list.stream().map(authServiceBackendTestResult2 -> {
            return authServiceBackendTestResult2.isSuccess() ? authServiceBackendTestResult2.message() : authServiceBackendTestResult2.message() + " : " + String.join((CharSequence) ",", (Iterable<? extends CharSequence>) authServiceBackendTestResult2.errors());
        }).collect(Collectors.toList())) : AuthServiceBackendTestResult.createSuccess("Successfully connected to " + lDAPConnectorConfig.serverList());
    }

    private AuthServiceBackendTestResult testSingleConnection(LDAPConnectorConfig lDAPConnectorConfig, LDAPConnectorConfig.LDAPServer lDAPServer) {
        try {
            LDAPConnection connect = this.ldapConnector.connect(lDAPConnectorConfig.toBuilder().serverList(ImmutableList.of(lDAPServer)).build());
            try {
                if (connect == null) {
                    AuthServiceBackendTestResult createFailure = AuthServiceBackendTestResult.createFailure("Couldn't establish connection to " + lDAPServer);
                    if (connect != null) {
                        connect.close();
                    }
                    return createFailure;
                }
                AuthServiceBackendTestResult createSuccess = AuthServiceBackendTestResult.createSuccess("Successfully connected to " + lDAPServer);
                if (connect != null) {
                    connect.close();
                }
                return createSuccess;
            } finally {
            }
        } catch (Exception e) {
            return AuthServiceBackendTestResult.createFailure("Couldn't establish connection to " + lDAPServer, (List<String>) Collections.singletonList(e.getMessage()));
        }
    }

    @Override // org.graylog.security.authservice.AuthServiceBackend
    public AuthServiceBackendTestResult testLogin(AuthServiceCredentials authServiceCredentials, @Nullable AuthServiceBackendDTO authServiceBackendDTO) {
        LDAPAuthServiceBackendConfig buildTestConfig = buildTestConfig(authServiceBackendDTO);
        try {
            LDAPConnection connect = this.ldapConnector.connect(buildTestConfig.getLDAPConnectorConfig());
            try {
                if (connect == null) {
                    AuthServiceBackendTestResult createFailure = AuthServiceBackendTestResult.createFailure("Couldn't establish connection to " + buildTestConfig.servers());
                    if (connect != null) {
                        connect.close();
                    }
                    return createFailure;
                }
                Optional<LDAPUser> findUser = findUser(connect, authServiceCredentials);
                if (!findUser.isPresent()) {
                    AuthServiceBackendTestResult createFailure2 = AuthServiceBackendTestResult.createFailure("User <" + authServiceCredentials.username() + "> doesn't exist", createTestResult(buildTestConfig, false, false, null));
                    if (connect != null) {
                        connect.close();
                    }
                    return createFailure2;
                }
                if (isAuthenticated(connect, findUser.get(), authServiceCredentials)) {
                    AuthServiceBackendTestResult createSuccess = AuthServiceBackendTestResult.createSuccess("Successfully logged in <" + authServiceCredentials.username() + "> into " + buildTestConfig.servers(), createTestResult(buildTestConfig, true, true, findUser.get()));
                    if (connect != null) {
                        connect.close();
                    }
                    return createSuccess;
                }
                AuthServiceBackendTestResult createFailure3 = AuthServiceBackendTestResult.createFailure("Login for user <" + authServiceCredentials.username() + "> failed", createTestResult(buildTestConfig, true, false, findUser.get()));
                if (connect != null) {
                    connect.close();
                }
                return createFailure3;
            } finally {
            }
        } catch (Exception e) {
            return AuthServiceBackendTestResult.createFailure("Couldn't test user login on " + buildTestConfig.servers(), (List<String>) Collections.singletonList(e.getMessage()));
        }
    }

    private LDAPAuthServiceBackendConfig buildTestConfig(@Nullable AuthServiceBackendDTO authServiceBackendDTO) {
        LDAPAuthServiceBackendConfig.Builder builder = this.config.toBuilder();
        if (this.config.systemUserPassword().isKeepValue() && authServiceBackendDTO != null) {
            builder.systemUserPassword(((LDAPAuthServiceBackendConfig) authServiceBackendDTO.config()).systemUserPassword());
        }
        return builder.build();
    }

    private Map<String, Object> createTestResult(LDAPAuthServiceBackendConfig lDAPAuthServiceBackendConfig, boolean z, boolean z2, @Nullable LDAPUser lDAPUser) {
        ImmutableMap.Builder put = ImmutableMap.builder().put("user_exists", Boolean.valueOf(z)).put("login_success", Boolean.valueOf(z2));
        if (lDAPUser != null) {
            HashMap hashMap = new HashMap();
            hashMap.put("dn", lDAPUser.dn());
            hashMap.put("unique_id (" + lDAPAuthServiceBackendConfig.userUniqueIdAttribute() + ")", lDAPUser.base64UniqueId());
            hashMap.put(lDAPAuthServiceBackendConfig.userNameAttribute(), lDAPUser.username());
            hashMap.put(lDAPAuthServiceBackendConfig.userFullNameAttribute(), lDAPUser.fullName());
            hashMap.put("email", lDAPUser.email());
            put.put("user_details", ImmutableMap.copyOf(hashMap));
        } else {
            put.put("user_details", ImmutableMap.of());
        }
        return put.build();
    }
}
