package org.graylog2.migrations;

import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.google.auto.value.AutoValue;
import com.google.common.collect.ImmutableSet;
import com.mongodb.client.MongoCollection;
import com.mongodb.client.MongoCursor;
import com.mongodb.client.model.Sorts;
import jakarta.inject.Inject;
import java.net.URI;
import java.time.ZonedDateTime;
import java.util.Collections;
import java.util.Iterator;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.lang3.StringUtils;
import org.bson.Document;
import org.bson.types.ObjectId;
import org.graylog.security.authservice.AuthServiceBackendDTO;
import org.graylog.security.authservice.DBAuthServiceBackendService;
import org.graylog.security.authservice.backend.ADAuthServiceBackend;
import org.graylog.security.authservice.backend.ADAuthServiceBackendConfig;
import org.graylog.security.authservice.backend.LDAPAuthServiceBackendConfig;
import org.graylog.security.authservice.ldap.LDAPTransportSecurity;
import org.graylog.security.authzroles.PaginatedAuthzRolesService;
import org.graylog2.Configuration;
import org.graylog2.database.MongoConnection;
import org.graylog2.notifications.Notification;
import org.graylog2.notifications.NotificationService;
import org.graylog2.plugin.cluster.ClusterConfigService;
import org.graylog2.security.AESTools;
import org.graylog2.security.encryption.EncryptedValue;
import org.graylog2.security.encryption.EncryptedValueService;
import org.graylog2.users.UserImpl;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/graylog2/migrations/V20201103145400_LegacyAuthServiceMigration.class */
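/**
 * Migrates the legacy {@code ldap_settings} documents into the authentication-service backend
 * model ({@link AuthServiceBackendDTO}).
 *
 * <p>For every enabled legacy document not yet recorded in {@link MigrationCompleted}, a new LDAP
 * or Active Directory backend is created, every registered {@link MigrationModule} is run against
 * it, and the legacy document id is remembered via {@link ClusterConfigService} so that a rerun of
 * the migration does not create the backend again.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The legacy system-user password is AES-encrypted with a key taken from the first 16
 *       characters of {@code password_secret}. It is decrypted here solely to be re-wrapped with
 *       {@link EncryptedValueService}; the plaintext is never logged and must stay that way.</li>
 *   <li>{@code trust_all_certificates} maps to {@code verifyCertificates == false}. A missing flag
 *       keeps certificate verification enabled (fail closed).</li>
 *   <li>Transport security is derived from {@code use_start_tls} and the {@code ldaps://} scheme;
 *       anything else is migrated as plaintext LDAP, exactly as the legacy setup behaved.</li>
 * </ul>
 */
public class V20201103145400_LegacyAuthServiceMigration extends Migration {
    private static final Logger LOG = LoggerFactory.getLogger(V20201103145400_LegacyAuthServiceMigration.class);
    private final MongoCollection<Document> ldapSettings;
    private final Set<MigrationModule> migrationModules;
    private final EncryptedValueService encryptedValueService;
    private final PaginatedAuthzRolesService rolesService;
    private final DBAuthServiceBackendService authServiceBackendService;
    private final NotificationService notificationService;
    private final ClusterConfigService clusterConfigService;
    /** Legacy AES key: the first 16 characters of {@code password_secret}. Only used for decryption. */
    private final String encryptionKey;

    /**
     * Persistent migration state: the hex ids of the {@code ldap_settings} documents that have
     * already been migrated. Stored through {@link ClusterConfigService}.
     */
    @AutoValue
    public static abstract class MigrationCompleted {
        @JsonProperty("migrated_configs")
        public abstract Set<String> migratedConfigs();

        /** @return {@code true} if the legacy document with the given hex id has been migrated. */
        public boolean isDone(String legacyConfigId) {
            return migratedConfigs().contains(legacyConfigId);
        }

        @JsonCreator
        public static MigrationCompleted create(@JsonProperty("migrated_configs") Set<String> migratedConfigs) {
            return new AutoValue_V20201103145400_LegacyAuthServiceMigration_MigrationCompleted(migratedConfigs);
        }

        /** @return a state in which nothing has been migrated yet. */
        public static MigrationCompleted createEmpty() {
            return create(Collections.emptySet());
        }
    }

    /**
     * Extension point: each bound module is invoked once per migrated legacy document, after the
     * new backend has been saved, to migrate data that depends on the new backend id.
     */
    public interface MigrationModule {
        void upgrade(Document legacyDocument, AuthServiceBackendDTO savedBackend);
    }

    @Inject
    public V20201103145400_LegacyAuthServiceMigration(MongoConnection mongoConnection, Set<MigrationModule> set, EncryptedValueService encryptedValueService, Configuration configuration, PaginatedAuthzRolesService paginatedAuthzRolesService, DBAuthServiceBackendService dBAuthServiceBackendService, NotificationService notificationService, ClusterConfigService clusterConfigService) {
        this.ldapSettings = mongoConnection.getMongoDatabase().getCollection("ldap_settings");
        this.migrationModules = set;
        this.encryptedValueService = encryptedValueService;
        // The legacy code derived its AES key from the first 16 characters of password_secret, so
        // the same derivation is needed to decrypt stored passwords. substring() throws if the
        // secret is shorter than 16 characters; presumably configuration validation enforces the
        // minimum length elsewhere — confirm.
        this.encryptionKey = configuration.getPasswordSecret().substring(0, 16);
        this.rolesService = paginatedAuthzRolesService;
        this.authServiceBackendService = dBAuthServiceBackendService;
        this.notificationService = notificationService;
        this.clusterConfigService = clusterConfigService;
    }

    @Override
    public ZonedDateTime createdAt() {
        return ZonedDateTime.parse("2020-11-03T14:54:00Z");
    }

    /**
     * Runs the migration. Idempotent: already-migrated and disabled legacy configurations are
     * skipped; the set of migrated ids is written back once at the end. If at least one backend
     * was created, an urgent notification carrying the id of the last created backend is raised
     * so administrators review the migrated settings.
     */
    @Override
    public void upgrade() {
        final MigrationCompleted migrationState = this.clusterConfigService.getOrDefault(MigrationCompleted.class, MigrationCompleted.createEmpty());
        final ImmutableSet.Builder<String> migratedConfigs = ImmutableSet.builder();
        migratedConfigs.addAll(migrationState.migratedConfigs());
        String lastAuthServiceId = null;

        // Deterministic ascending _id order; the cursor is closed when the loop finishes or fails.
        try (MongoCursor<Document> cursor = this.ldapSettings.find().sort(Sorts.ascending("_id")).iterator()) {
            while (cursor.hasNext()) {
                final Document document = cursor.next();
                final String legacyId = document.getObjectId("_id").toHexString();

                // A document without an "enabled" flag is treated as disabled: nothing gets created.
                if (!document.getBoolean("enabled", false)) {
                    LOG.debug("Skipping disabled configuration <{}>", legacyId);
                    continue;
                }
                if (migrationState.isDone(legacyId)) {
                    LOG.debug("Configuration <{}> already migrated", legacyId);
                    continue;
                }

                final AuthServiceBackendDTO newConfig = document.getBoolean("active_directory")
                        ? buildActiveDirectoryConfig(document)
                        : buildLDAPConfig(document);
                final AuthServiceBackendDTO savedConfig = this.authServiceBackendService.save(newConfig);

                // NOTE(review): if a module throws here, the backend above is already persisted but
                // not recorded as migrated (the state is only written after the loop), so a rerun
                // would create a duplicate backend.
                for (final MigrationModule module : this.migrationModules) {
                    module.upgrade(document, savedConfig);
                }

                lastAuthServiceId = savedConfig.id();
                migratedConfigs.add(legacyId);
            }
        }

        this.clusterConfigService.write(MigrationCompleted.create(migratedConfigs.build()));

        if (lastAuthServiceId != null) {
            this.notificationService.publishIfFirst(this.notificationService.buildNow()
                    .addType(Notification.Type.LEGACY_LDAP_CONFIG_MIGRATION)
                    .addSeverity(Notification.Severity.URGENT)
                    .addDetail(UserImpl.AUTH_SERVICE_ID, lastAuthServiceId));
        }
    }

    /** Builds an Active Directory backend from a legacy document; the login name is sAMAccountName. */
    private AuthServiceBackendDTO buildActiveDirectoryConfig(Document document) {
        final ADAuthServiceBackendConfig config = ADAuthServiceBackendConfig.builder()
                .servers(Collections.singletonList(getADHostAndPort(document)))
                .transportSecurity(getTransportSecurity(document))
                .verifyCertificates(getVerifyCertificates(document))
                .systemUserDn(document.getString("system_username"))
                .systemUserPassword(getSystemUserPassword(document))
                .userSearchBase(document.getString("search_base"))
                .userSearchPattern(document.getString("principal_search_pattern"))
                .userNameAttribute(ADAuthServiceBackend.AD_SAM_ACCOUNT_NAME)
                .userFullNameAttribute(document.getString("username_attribute"))
                .build();
        return AuthServiceBackendDTO.builder()
                .title(getTitle(document, "Active Directory"))
                .description("Migrated from legacy Active Directory configuration.")
                .defaultRoles(getDefaultRoles(document))
                .config(config)
                .build();
    }

    /** Builds a generic LDAP backend from a legacy document; users are keyed by entryUUID and named by uid. */
    private AuthServiceBackendDTO buildLDAPConfig(Document document) {
        final LDAPAuthServiceBackendConfig config = LDAPAuthServiceBackendConfig.builder()
                .servers(Collections.singletonList(getLDAPHostAndPort(document)))
                .transportSecurity(getTransportSecurity(document))
                .verifyCertificates(getVerifyCertificates(document))
                .systemUserDn(document.getString("system_username"))
                .systemUserPassword(getSystemUserPassword(document))
                .userSearchBase(document.getString("search_base"))
                .userSearchPattern(document.getString("principal_search_pattern"))
                .userUniqueIdAttribute("entryUUID")
                .userNameAttribute("uid")
                .userFullNameAttribute(document.getString("username_attribute"))
                .build();
        return AuthServiceBackendDTO.builder()
                .title(getTitle(document, "LDAP"))
                .description("Migrated from legacy LDAP configuration.")
                .defaultRoles(getDefaultRoles(document))
                .config(config)
                .build();
    }

    /** Title shown in the UI: the backend kind followed by the legacy server URI. */
    private String getTitle(Document document, String kind) {
        return String.format(Locale.US, "%s- %s", kind, document.getString("ldap_uri"));
    }

    // URI.getHost() is null for an unparsable authority and URI.getPort() is -1 when no port is
    // given; whether HostAndPort.create() tolerates those values is not visible here — confirm.
    private LDAPAuthServiceBackendConfig.HostAndPort getLDAPHostAndPort(Document document) {
        final URI ldapUri = URI.create(document.getString("ldap_uri"));
        return LDAPAuthServiceBackendConfig.HostAndPort.create(ldapUri.getHost(), ldapUri.getPort());
    }

    // Same caveats on host/port as getLDAPHostAndPort().
    private ADAuthServiceBackendConfig.HostAndPort getADHostAndPort(Document document) {
        final URI ldapUri = URI.create(document.getString("ldap_uri"));
        return ADAuthServiceBackendConfig.HostAndPort.create(ldapUri.getHost(), ldapUri.getPort());
    }

    /**
     * STARTTLS wins over the URI scheme; an {@code ldaps://} scheme means TLS; everything else is
     * plaintext. A legacy document without {@code use_start_tls} fails with an NPE rather than
     * silently downgrading to plaintext.
     */
    private LDAPTransportSecurity getTransportSecurity(Document document) {
        if (document.getBoolean("use_start_tls")) {
            return LDAPTransportSecurity.START_TLS;
        }
        final String ldapUri = document.getString("ldap_uri").toLowerCase(Locale.US);
        return ldapUri.startsWith("ldaps://") ? LDAPTransportSecurity.TLS : LDAPTransportSecurity.NONE;
    }

    /** Certificate verification stays on unless the legacy config explicitly trusted all certificates. */
    private boolean getVerifyCertificates(Document document) {
        return !document.getBoolean("trust_all_certificates", false);
    }

    /**
     * Re-wraps the legacy system password: decrypt with the legacy AES key and per-document salt,
     * then encrypt with {@link EncryptedValueService}. Unset when either ciphertext or salt is
     * blank. The plaintext only exists transiently in this call and is never logged.
     */
    private EncryptedValue getSystemUserPassword(Document document) {
        final String ciphertext = document.getString("system_password");
        final String salt = document.getString("system_password_salt");
        if (StringUtils.isBlank(ciphertext) || StringUtils.isBlank(salt)) {
            return EncryptedValue.createUnset();
        }
        return this.encryptedValueService.encrypt(AESTools.decrypt(ciphertext, this.encryptionKey, salt));
    }

    /**
     * Resolves {@code default_group} plus {@code additional_default_groups} to role ids. Blank
     * entries and values that are not valid ObjectIds are dropped, and only roles that actually
     * exist are returned, so a stale legacy group cannot grant an unknown role.
     */
    private Set<String> getDefaultRoles(Document document) {
        final Set<String> candidateIds = Stream.concat(
                        Stream.of(document.getString("default_group")),
                        document.getList("additional_default_groups", String.class, Collections.emptyList()).stream())
                .filter(StringUtils::isNotBlank)
                .filter(ObjectId::isValid)
                .collect(Collectors.toSet());
        return this.rolesService.findByIds(candidateIds).stream()
                .map(role -> role.id())
                .collect(Collectors.toSet());
    }
}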
