package org.apereo.cas.config;

import java.time.Period;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.function.Predicate;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlan;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlanConfigurer;
import org.apereo.cas.authentication.AuthenticationHandler;
import org.apereo.cas.authentication.LdapAuthenticationHandler;
import org.apereo.cas.authentication.principal.DefaultPrincipalFactory;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.PrincipalResolver;
import org.apereo.cas.authentication.principal.resolvers.ChainingPrincipalResolver;
import org.apereo.cas.authentication.principal.resolvers.EchoingPrincipalResolver;
import org.apereo.cas.authentication.support.DefaultAccountStateHandler;
import org.apereo.cas.authentication.support.LdapPasswordPolicyConfiguration;
import org.apereo.cas.authentication.support.OptionalWarningAccountStateHandler;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.support.ldap.AbstractLdapProperties;
import org.apereo.cas.configuration.model.support.ldap.LdapAuthenticationProperties;
import org.apereo.cas.configuration.support.Beans;
import org.apereo.cas.services.ServicesManager;
import org.apereo.services.persondir.IPersonAttributeDao;
import org.ldaptive.auth.AuthenticationResponseHandler;
import org.ldaptive.auth.Authenticator;
import org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler;
import org.ldaptive.auth.ext.EDirectoryAuthenticationResponseHandler;
import org.ldaptive.auth.ext.FreeIPAAuthenticationResponseHandler;
import org.ldaptive.auth.ext.PasswordExpirationAuthenticationResponseHandler;
import org.ldaptive.auth.ext.PasswordPolicyAuthenticationResponseHandler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

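/**
 * Builds one {@link LdapAuthenticationHandler} per configured LDAP authentication entry
 * ({@code casProperties.getAuthn().getLdap()}) and registers each handler with the
 * authentication event execution plan behind a {@link ChainingPrincipalResolver}.
 *
 * <p>Entries without a type or an LDAP URL are dropped with a WARN log instead of failing
 * startup, so a mistyped entry can silently leave a directory out of the handler set;
 * operators should confirm the expected handlers appear in the startup log. Password-policy
 * handling is attached only when the entry's password policy is enabled, and the
 * directory-specific response handlers ({@link AbstractLdapProperties.LdapType} AD, FreeIPA,
 * EDirectory) are installed only when a positive password-warning window is configured.
 *
 * <p>This listing was recovered from compiled bytecode; the decompiler's synthetic enum
 * switch-map class has been folded back into a direct {@code switch} on the enum.
 */
@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration("ldapAuthenticationConfiguration")
public class LdapAuthenticationConfiguration {
    private static final Logger LOGGER = LoggerFactory.getLogger(LdapAuthenticationConfiguration.class);

    @Autowired
    private CasConfigurationProperties casProperties;

    // Consulted ahead of the echoing resolver whenever attribute repositories are present.
    @Autowired
    @Qualifier("personDirectoryPrincipalResolver")
    private PrincipalResolver personDirectoryPrincipalResolver;

    // Person-directory attribute sources; an empty list switches principal resolution to echo-only.
    @Autowired
    @Qualifier("attributeRepositories")
    private List<IPersonAttributeDao> attributeRepositories;

    @Autowired
    @Qualifier("servicesManager")
    private ServicesManager servicesManager;

    /**
     * Registers every handler produced by {@link LdapAuthenticationConfiguration#ldapAuthenticationHandlers()}
     * with the authentication event execution plan, each paired with its own
     * {@link ChainingPrincipalResolver}.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration("ldapAuthenticationEventExecutionPlanConfiguration")
    public class LdapAuthenticationEventExecutionPlanConfiguration implements AuthenticationEventExecutionPlanConfigurer {

        /** True when at least one person-directory attribute repository bean was injected. */
        private boolean isAttributeRepositorySourceDefined() {
            return !LdapAuthenticationConfiguration.this.attributeRepositories.isEmpty();
        }

        /**
         * Builds the resolver chain for one handler: the person-directory resolver followed by an
         * echoing resolver when attribute repositories exist, otherwise the echoing resolver alone
         * (the principal resolved during LDAP authentication is passed through unchanged).
         *
         * @return a freshly configured chain
         */
        private ChainingPrincipalResolver createPrincipalResolverChain() {
            final ChainingPrincipalResolver chain = new ChainingPrincipalResolver();
            if (isAttributeRepositorySourceDefined()) {
                LdapAuthenticationConfiguration.LOGGER.debug("Attribute repository sources are defined and available for the principal resolution chain");
                chain.setChain(Arrays.asList(LdapAuthenticationConfiguration.this.personDirectoryPrincipalResolver, new EchoingPrincipalResolver()));
            } else {
                LdapAuthenticationConfiguration.LOGGER.debug("Attribute repository sources are not available for principal resolution so principal resolver will echo back the principal resolved during LDAP authentication directly.");
                chain.setChain(Arrays.asList(new EchoingPrincipalResolver()));
            }
            return chain;
        }

        /**
         * Registers each LDAP handler with the plan together with a resolver chain.
         *
         * @param authenticationEventExecutionPlan the plan to register into
         */
        @Override
        public void configureAuthenticationExecutionPlan(final AuthenticationEventExecutionPlan authenticationEventExecutionPlan) {
            for (final AuthenticationHandler handler : LdapAuthenticationConfiguration.this.ldapAuthenticationHandlers()) {
                final ChainingPrincipalResolver resolver = createPrincipalResolverChain();
                LdapAuthenticationConfiguration.LOGGER.info("Ldap authentication for [{}] is to chain principal resolvers via [{}] for attribute resolution", handler.getName(), resolver);
                authenticationEventExecutionPlan.registerAuthenticationHandlerWithPrincipalResolver(handler, resolver);
            }
        }
    }

    /**
     * Default principal factory used by the LDAP handlers unless another bean of this name exists.
     *
     * @return a {@link DefaultPrincipalFactory}
     */
    @ConditionalOnMissingBean(name = {"ldapPrincipalFactory"})
    @Bean
    public PrincipalFactory ldapPrincipalFactory() {
        return new DefaultPrincipalFactory();
    }

    /**
     * Creates one initialized {@link LdapAuthenticationHandler} per LDAP entry that passes
     * {@link #ldapInstanceConfigurationPredicate()}.
     *
     * @return the handler set; empty when no usable LDAP entry is configured
     */
    @Bean
    public Collection<AuthenticationHandler> ldapAuthenticationHandlers() {
        final Collection<AuthenticationHandler> handlers = new HashSet<>();
        final Predicate<LdapAuthenticationProperties> usable = ldapInstanceConfigurationPredicate();
        for (final LdapAuthenticationProperties entry : this.casProperties.getAuthn().getLdap()) {
            if (usable.test(entry)) {
                handlers.add(createLdapAuthenticationHandler(entry));
            }
        }
        return handlers;
    }

    /**
     * Builds and initializes the authentication handler for one LDAP entry.
     *
     * @param l a validated LDAP entry (non-null type and non-blank URL)
     * @return the initialized handler
     */
    private LdapAuthenticationHandler createLdapAuthenticationHandler(final LdapAuthenticationProperties l) {
        final Map<String, String> attributes = Beans.transformPrincipalAttributesListIntoMap(l.getPrincipalAttributeList());
        LOGGER.debug("Created and mapped principal attributes [{}] for [{}]...", attributes, l.getLdapUrl());

        LOGGER.debug("Creating ldap authenticator for [{}] and baseDn [{}]", l.getLdapUrl(), l.getBaseDn());
        final Authenticator authenticator = Beans.newLdaptiveAuthenticator(l);
        LOGGER.debug("Ldap authenticator configured with return attributes [{}] for [{}] and baseDn [{}]", attributes.keySet(), l.getLdapUrl(), l.getBaseDn());

        LOGGER.debug("Creating ldap authentication handler for [{}]", l.getLdapUrl());
        final LdapAuthenticationHandler handler = new LdapAuthenticationHandler(l.getName(), this.servicesManager, ldapPrincipalFactory(), l.getOrder(), authenticator);

        // Appends the principal id attribute to the entry's own additional-attributes list. This
        // mutates the bound configuration object and the list is not read again in this class;
        // presumably another component consumes it, so the side effect is kept (TODO confirm consumer).
        final List<String> additionalAttributes = l.getAdditionalAttributes();
        if (StringUtils.isNotBlank(l.getPrincipalAttributeId())) {
            additionalAttributes.add(l.getPrincipalAttributeId());
        }

        handler.setAllowMultiplePrincipalAttributeValues(l.isAllowMultiplePrincipalAttributeValues());
        handler.setAllowMissingPrincipalAttributeValue(l.isAllowMissingPrincipalAttributeValue());
        handler.setPasswordEncoder(Beans.newPasswordEncoder(l.getPasswordEncoder()));
        handler.setPrincipalNameTransformer(Beans.newPrincipalNameTransformer(l.getPrincipalTransformation()));

        // A credential-selection predicate is installed only when criteria are configured; with
        // blank criteria the handler keeps whatever selection behavior it has by default.
        if (StringUtils.isNotBlank(l.getCredentialCriteria())) {
            LOGGER.debug("Ldap authentication for [{}] is filtering credentials by [{}]", l.getLdapUrl(), l.getCredentialCriteria());
            handler.setCredentialSelectionPredicate(Beans.newCredentialSelectionPredicate(l.getCredentialCriteria()));
        }

        handler.setPrincipalAttributeMap(attributes);
        if (StringUtils.isBlank(l.getPrincipalAttributeId())) {
            LOGGER.debug("No principal id attribute is found for ldap authentication via [{}]", l.getLdapUrl());
        } else {
            handler.setPrincipalIdAttribute(l.getPrincipalAttributeId());
            LOGGER.debug("Using principal id attribute [{}] for ldap authentication via [{}]", l.getPrincipalAttributeId(), l.getLdapUrl());
        }

        // Without an enabled password policy the handler receives no policy configuration at all.
        if (l.getPasswordPolicy().isEnabled()) {
            LOGGER.debug("Password policy is enabled for [{}]. Constructing password policy configuration", l.getLdapUrl());
            handler.setPasswordPolicyConfiguration(createLdapPasswordPolicyConfiguration(l, authenticator));
        }

        LOGGER.debug("Initializing ldap authentication handler for [{}]", l.getLdapUrl());
        handler.initialize();
        return handler;
    }

    /**
     * Accepts an LDAP entry only when it has a type and a non-blank LDAP URL. Rejected entries are
     * logged at WARN and produce no handler, so a misconfigured entry is skipped rather than
     * failing startup.
     *
     * @return the filter applied to every configured LDAP entry
     */
    private Predicate<LdapAuthenticationProperties> ldapInstanceConfigurationPredicate() {
        return l -> {
            if (l.getType() == null) {
                LOGGER.warn("Skipping ldap authentication entry since no type is defined");
                return false;
            }
            if (StringUtils.isBlank(l.getLdapUrl())) {
                LOGGER.warn("Skipping ldap authentication entry since no ldap url is defined");
                return false;
            }
            return true;
        };
    }

    /**
     * Builds the password-policy configuration for one entry and installs the matching ldaptive
     * authentication response handlers on the authenticator.
     *
     * <p>Directory-specific handlers (AD, FreeIPA, EDirectory) or the generic policy/expiration
     * pair are installed only when {@code passwordWarningNumberOfDays} is positive; otherwise the
     * authenticator receives an empty handler array and directory password-policy responses are
     * not interpreted. The account state handler is the warning-aware one when both a warning
     * attribute name and value are configured, else the default one; both receive the entry's
     * policy-attribute-to-error map.
     *
     * @param l             the LDAP entry whose password policy is enabled
     * @param authenticator the authenticator whose response handlers are set (mutated)
     * @return the populated configuration
     */
    private static LdapPasswordPolicyConfiguration createLdapPasswordPolicyConfiguration(final LdapAuthenticationProperties l, final Authenticator authenticator) {
        final LdapPasswordPolicyConfiguration cfg = new LdapPasswordPolicyConfiguration(l.getPasswordPolicy());
        // Insertion-ordered so the generic policy and expiration handlers are applied deterministically.
        final List<AuthenticationResponseHandler> responseHandlers = new ArrayList<>();
        final int warningDays = cfg.getPasswordWarningNumberOfDays();
        if (warningDays > 0) {
            LOGGER.debug("Password policy authentication response handler is set to accommodate directory type: [{}]", l.getPasswordPolicy().getType());
            // Switching on a null policy type throws NullPointerException, as the switch map did.
            switch (l.getPasswordPolicy().getType()) {
                case AD:
                    responseHandlers.add(new ActiveDirectoryAuthenticationResponseHandler(Period.ofDays(warningDays)));
                    break;
                case FreeIPA:
                    responseHandlers.add(new FreeIPAAuthenticationResponseHandler(Period.ofDays(warningDays), cfg.getLoginFailures()));
                    break;
                case EDirectory:
                    responseHandlers.add(new EDirectoryAuthenticationResponseHandler(Period.ofDays(warningDays)));
                    break;
                default:
                    responseHandlers.add(new PasswordPolicyAuthenticationResponseHandler());
                    responseHandlers.add(new PasswordExpirationAuthenticationResponseHandler());
                    break;
            }
        } else {
            LOGGER.debug("Password warning number of days is undefined; LDAP authentication may NOT support EDirectory, AD and FreeIPA to handle password policy authentication responses");
        }
        authenticator.setAuthenticationResponseHandlers(responseHandlers.toArray(new AuthenticationResponseHandler[0]));
        LOGGER.debug("LDAP authentication response handlers configured are: [{}]", responseHandlers);

        if (StringUtils.isNotBlank(l.getPasswordPolicy().getWarningAttributeName()) && StringUtils.isNotBlank(l.getPasswordPolicy().getWarningAttributeValue())) {
            LOGGER.debug("Configuring an warning account state handler for LDAP authentication for warning attribute [{}] and value [{}]", l.getPasswordPolicy().getWarningAttributeName(), l.getPasswordPolicy().getWarningAttributeValue());
            final OptionalWarningAccountStateHandler warningHandler = new OptionalWarningAccountStateHandler();
            warningHandler.setDisplayWarningOnMatch(l.getPasswordPolicy().isDisplayWarningOnMatch());
            warningHandler.setWarnAttributeName(l.getPasswordPolicy().getWarningAttributeName());
            warningHandler.setWarningAttributeValue(l.getPasswordPolicy().getWarningAttributeValue());
            warningHandler.setAttributesToErrorMap(l.getPasswordPolicy().getPolicyAttributes());
            cfg.setAccountStateHandler(warningHandler);
        } else {
            final DefaultAccountStateHandler defaultHandler = new DefaultAccountStateHandler();
            defaultHandler.setAttributesToErrorMap(l.getPasswordPolicy().getPolicyAttributes());
            cfg.setAccountStateHandler(defaultHandler);
            LOGGER.debug("Configuring the default account state handler for LDAP authentication");
        }
        return cfg;
    }
}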
