package org.graylog2.security.ldap;

import com.google.common.base.Joiner;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.collect.Sets;
import com.google.common.util.concurrent.SimpleTimeLimiter;
import com.google.common.util.concurrent.ThreadFactoryBuilder;
import com.google.common.util.concurrent.UncheckedTimeoutException;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.text.MessageFormat;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import javax.annotation.Nullable;
import javax.inject.Inject;
import javax.inject.Named;
import org.apache.directory.api.ldap.model.cursor.CursorException;
import org.apache.directory.api.ldap.model.cursor.EntryCursor;
import org.apache.directory.api.ldap.model.entry.Attribute;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.entry.Value;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.exception.LdapInvalidDnException;
import org.apache.directory.api.ldap.model.message.BindRequestImpl;
import org.apache.directory.api.ldap.model.message.BindResponse;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.api.ldap.model.message.SearchScope;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.graylog2.plugin.DocsHelper;
import org.graylog2.shared.security.ldap.LdapEntry;
import org.graylog2.shared.utilities.ExceptionUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/graylog2/security/ldap/LdapConnector.class */
public class LdapConnector {
    private static final Logger LOG = LoggerFactory.getLogger(LdapConnector.class);
    private static final String ATTRIBUTE_UNIQUE_MEMBER = "uniqueMember";
    private static final String ATTRIBUTE_MEMBER = "member";
    private static final String ATTRIBUTE_MEMBER_UID = "memberUid";
    private final int connectionTimeout;

    @Inject
    public LdapConnector(@Named("ldap_connection_timeout") int i) {
        this.connectionTimeout = i;
    }

    public LdapNetworkConnection connect(LdapConnectionConfig ldapConnectionConfig) throws LdapException {
        final LdapNetworkConnection ldapNetworkConnection = new LdapNetworkConnection(ldapConnectionConfig);
        ldapNetworkConnection.setTimeOut(this.connectionTimeout);
        if (LOG.isTraceEnabled()) {
            LOG.trace("Connecting to LDAP server {}:{}, binding with user {}", new Object[]{ldapConnectionConfig.getLdapHost(), Integer.valueOf(ldapConnectionConfig.getLdapPort()), ldapConnectionConfig.getName()});
        }
        try {
            if (!((Boolean) ((Callable) SimpleTimeLimiter.create(Executors.newSingleThreadExecutor(new ThreadFactoryBuilder().setNameFormat("ldap-connector-%d").build())).newProxy(new Callable<Boolean>() { // from class: org.graylog2.security.ldap.LdapConnector.1
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.util.concurrent.Callable
                public Boolean call() throws Exception {
                    return Boolean.valueOf(ldapNetworkConnection.connect());
                }
            }, Callable.class, this.connectionTimeout, TimeUnit.MILLISECONDS)).call()).booleanValue()) {
                return null;
            }
            ldapNetworkConnection.bind();
            return ldapNetworkConnection;
        } catch (UncheckedTimeoutException e) {
            LOG.error("Timed out connecting to LDAP server", e);
            throw new LdapException("Could not connect to LDAP server", e.getCause());
        } catch (Exception e2) {
            throw new LdapException("Unexpected error connecting to LDAP", e2);
        } catch (LdapException e3) {
            throw e3;
        }
    }

    @Nullable
    public LdapEntry search(LdapNetworkConnection ldapNetworkConnection, String str, String str2, String str3, String str4, boolean z, String str5, String str6, String str7) throws LdapException, CursorException {
        LdapEntry ldapEntry = new LdapEntry();
        HashSet<String> newHashSet = Sets.newHashSet();
        String format = new MessageFormat(str2, Locale.ENGLISH).format(new Object[]{sanitizePrincipal(str4)});
        if (LOG.isTraceEnabled()) {
            Logger logger = LOG;
            Object[] objArr = new Object[3];
            objArr[0] = z ? "ActiveDirectory" : "LDAP";
            objArr[1] = format;
            objArr[2] = str;
            logger.trace("Search {} for {}, starting at {}", objArr);
        }
        try {
            EntryCursor search = ldapNetworkConnection.search(str, format, SearchScope.SUBTREE, new String[]{str6, str3, "dn", "uid", "userPrincipalName", "mail", "rfc822Mailbox", "memberOf", "isMemberOf"});
            Throwable th = null;
            try {
                Iterator it = search.iterator();
                if (!it.hasNext()) {
                    LOG.trace("No LDAP entry found for filter {}", format);
                    if (search != null) {
                        if (0 != 0) {
                            try {
                                search.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            search.close();
                        }
                    }
                    return null;
                }
                Entry entry = (Entry) it.next();
                ldapEntry.setDn(entry.getDn().getName());
                if (!z) {
                    ldapEntry.setBindPrincipal(entry.getDn().getName());
                }
                for (Attribute attribute : entry.getAttributes()) {
                    if (z && "userPrincipalName".equalsIgnoreCase(attribute.getId())) {
                        ldapEntry.setBindPrincipal(attribute.getString());
                    }
                    if (attribute.isHumanReadable()) {
                        ldapEntry.put(attribute.getId(), Joiner.on(", ").join(attribute.iterator()));
                    }
                    if ("memberOf".equalsIgnoreCase(attribute.getId()) || "isMemberOf".equalsIgnoreCase(attribute.getId())) {
                        Iterator it2 = attribute.iterator();
                        while (it2.hasNext()) {
                            newHashSet.add(((Value) it2.next()).getString());
                        }
                    }
                }
                if (!newHashSet.isEmpty() && !Strings.isNullOrEmpty(str5) && !Strings.isNullOrEmpty(str6)) {
                    try {
                        for (String str8 : newHashSet) {
                            LOG.trace("Looking up group {}", str8);
                            try {
                                Entry lookup = ldapNetworkConnection.lookup(str8, new String[]{str6});
                                if (lookup != null) {
                                    Attribute attribute2 = lookup.get(str6);
                                    LOG.trace("Resolved {} to group {}", str8, attribute2);
                                    if (attribute2 != null) {
                                        ldapEntry.addGroups(Collections.singleton(attribute2.getString()));
                                    }
                                } else {
                                    LOG.debug("Unable to lookup group: {}", str8);
                                }
                            } catch (LdapException e) {
                                LOG.warn("Error while looking up group " + str8, e);
                            }
                        }
                    } catch (Exception e2) {
                        LOG.error("Unexpected error during LDAP group resolution", e2);
                    }
                }
                if (ldapEntry.getGroups().isEmpty() && !Strings.isNullOrEmpty(str5) && !Strings.isNullOrEmpty(str6) && !Strings.isNullOrEmpty(str7)) {
                    ldapEntry.addGroups(findGroups(ldapNetworkConnection, str5, str7, str6, ldapEntry));
                    LOG.trace("LDAP search found entry for DN {} with search filter {}: {}", new Object[]{ldapEntry.getDn(), format, ldapEntry});
                } else if (newHashSet.isEmpty()) {
                    LOG.info("LDAP group search base, id attribute or object class missing, not iterating over LDAP groups.");
                }
                return ldapEntry;
            } finally {
                if (search != null) {
                    if (0 != 0) {
                        try {
                            search.close();
                        } catch (Throwable th3) {
                            th.addSuppressed(th3);
                        }
                    } else {
                        search.close();
                    }
                }
            }
        } catch (IOException e3) {
            LOG.debug("Error while closing cursor", e3);
            return null;
        }
        LOG.debug("Error while closing cursor", e3);
        return null;
    }

    public Set<String> findGroups(LdapNetworkConnection ldapNetworkConnection, String str, String str2, String str3, @Nullable LdapEntry ldapEntry) {
        EntryCursor<Entry> search;
        Throwable th;
        String str4;
        HashSet newHashSet = Sets.newHashSet();
        try {
            search = ldapNetworkConnection.search(str, str2, SearchScope.SUBTREE, new String[]{"objectClass", ATTRIBUTE_UNIQUE_MEMBER, ATTRIBUTE_MEMBER, ATTRIBUTE_MEMBER_UID, str3});
            th = null;
        } catch (Exception e) {
            LOG.warn("Unable to iterate over user's groups, unable to perform group mapping. Graylog does not support LDAP referrals at the moment. Please see " + DocsHelper.PAGE_LDAP_TROUBLESHOOTING.toString() + " for more information.", ExceptionUtils.getRootCause(e));
        }
        try {
            try {
                LOG.trace("LDAP search for groups: {} starting at {}", str2, str);
                for (Entry entry : search) {
                    if (LOG.isTraceEnabled()) {
                        LOG.trace("Group Entry: {}", entry.toString("  "));
                    }
                    if (entry.containsAttribute(new String[]{str3})) {
                        String string = entry.get(str3).getString();
                        if (ldapEntry == null) {
                            newHashSet.add(string);
                        } else {
                            if (entry.hasObjectClass(new String[]{"groupOfUniqueNames"})) {
                                str4 = ATTRIBUTE_UNIQUE_MEMBER;
                            } else if (entry.hasObjectClass(new String[]{"groupOfNames"}) || entry.hasObjectClass(new String[]{LdapSettingsImpl.LDAP_GROUP_MAPPING_NAMEKEY})) {
                                str4 = ATTRIBUTE_MEMBER;
                            } else if (entry.hasObjectClass(new String[]{"posixGroup"})) {
                                str4 = ATTRIBUTE_MEMBER_UID;
                            } else {
                                str4 = entry.containsAttribute(new String[]{ATTRIBUTE_UNIQUE_MEMBER}) ? ATTRIBUTE_UNIQUE_MEMBER : entry.containsAttribute(new String[]{ATTRIBUTE_MEMBER_UID}) ? ATTRIBUTE_MEMBER_UID : ATTRIBUTE_MEMBER;
                                LOG.warn("Unable to auto-detect the LDAP group object class, assuming '{}' is the correct attribute.", str4);
                            }
                            Attribute<Value> attribute = entry.get(str4);
                            if (attribute != null) {
                                String normalizedDn = normalizedDn(ldapEntry.getDn());
                                String str5 = ldapEntry.get("uid");
                                for (Value value : attribute) {
                                    LOG.trace("DN {} == {} member?", normalizedDn, value.getString());
                                    if (normalizedDn != null && normalizedDn.equalsIgnoreCase(normalizedDn(value.getString()))) {
                                        newHashSet.add(string);
                                    } else if (!Strings.isNullOrEmpty(str5) && str5.equalsIgnoreCase(value.getString())) {
                                        LOG.trace("UID {} == {} member?", str5, value.getString());
                                        newHashSet.add(string);
                                    }
                                }
                            }
                        }
                    } else {
                        LOG.warn("Unknown group id attribute {}, skipping group entry {}", str3, entry);
                    }
                }
                if (search != null) {
                    if (0 != 0) {
                        try {
                            search.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        search.close();
                    }
                }
                return newHashSet;
            } finally {
            }
        } finally {
        }
    }

    @Nullable
    private String normalizedDn(String str) {
        if (Strings.isNullOrEmpty(str)) {
            return str;
        }
        try {
            return new Dn(new String[]{str}).getNormName();
        } catch (LdapInvalidDnException e) {
            LOG.debug("Invalid DN", e);
            return str;
        }
    }

    public Set<String> listGroups(LdapNetworkConnection ldapNetworkConnection, String str, String str2, String str3) {
        return findGroups(ldapNetworkConnection, str, str2, str3, null);
    }

    private String sanitizePrincipal(String str) {
        String str2 = "";
        for (int i = 0; i < str.length(); i++) {
            char charAt = str.charAt(i);
            if (charAt == '*') {
                str2 = str2 + "\\2a";
            } else if (charAt == '(') {
                str2 = str2 + "\\28";
            } else if (charAt == ')') {
                str2 = str2 + "\\29";
            } else if (charAt == '\\') {
                str2 = str2 + "\\5c";
            } else if (charAt == 0) {
                str2 = str2 + "\\00";
            } else if (charAt <= 127) {
                str2 = str2 + String.valueOf(charAt);
            } else if (charAt >= 128) {
                for (byte b : String.valueOf(charAt).getBytes(StandardCharsets.UTF_8)) {
                    str2 = str2 + String.format(Locale.ENGLISH, "\\%02x", Byte.valueOf(b));
                }
            }
        }
        return str2;
    }

    public boolean authenticate(LdapNetworkConnection ldapNetworkConnection, String str, String str2) throws LdapException {
        Preconditions.checkArgument(!Strings.isNullOrEmpty(str), "Binding with empty principal is forbidden.");
        Preconditions.checkArgument(!Strings.isNullOrEmpty(str2), "Binding with empty credentials is forbidden.");
        BindRequestImpl bindRequestImpl = new BindRequestImpl();
        bindRequestImpl.setName(str);
        bindRequestImpl.setCredentials(str2);
        LOG.trace("Re-binding with DN {} using password", str);
        BindResponse bind = ldapNetworkConnection.bind(bindRequestImpl);
        if (bind.getLdapResult().getResultCode().equals(ResultCodeEnum.SUCCESS)) {
            LOG.trace("Binding DN {} did not throw, connection authenticated: {}", str, Boolean.valueOf(ldapNetworkConnection.isAuthenticated()));
            return ldapNetworkConnection.isAuthenticated();
        }
        LOG.trace("Re-binding DN {} failed", str);
        throw new RuntimeException(bind.toString());
    }
}
