package org.apereo.cas.authorization;

import java.util.Locale;
import javax.annotation.Nullable;
import org.apereo.cas.configuration.support.Beans;
import org.ldaptive.ConnectionFactory;
import org.ldaptive.LdapAttribute;
import org.ldaptive.LdapException;
import org.ldaptive.Response;
import org.ldaptive.SearchExecutor;
import org.ldaptive.SearchResult;
import org.pac4j.core.authorization.generator.AuthorizationGenerator;
import org.pac4j.core.exception.AccountNotFoundException;
import org.pac4j.core.profile.CommonProfile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.Assert;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-ldap-core-5.0.3.1.jar:org/apereo/cas/authorization/LdapAuthorizationGenerator.class */
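/**
 * pac4j {@link AuthorizationGenerator} that searches LDAP for the profile's id and copies the
 * values of one configured attribute of the matching entry onto the profile as roles.
 *
 * <p>Each attribute value is upper-cased, prefixed with the configured role prefix and added as a
 * role; the raw value is also added to the profile as an attribute under the LDAP attribute's name.
 *
 * <p>The connection factory and the user search executor must be set before {@link #generate} is
 * called, either through the two-argument constructor or through the setters.
 */
public class LdapAuthorizationGenerator implements AuthorizationGenerator<CommonProfile> {
    private transient Logger logger = LoggerFactory.getLogger(getClass());
    private ConnectionFactory connectionFactory;
    private SearchExecutor userSearchExecutor;
    // Name of the LDAP attribute whose values become roles.
    private String roleAttribute;
    // Text prepended to every role name; null is handled as "no prefix".
    private String rolePrefix;
    // When false, a search that matches more than one entry is rejected.
    private boolean allowMultipleResults;

    /** Creates an unconfigured generator; collaborators must be supplied through the setters. */
    public LdapAuthorizationGenerator() {
    }

    /**
     * Creates a generator bound to the given LDAP collaborators.
     *
     * @param connectionFactory factory used to run the user search
     * @param searchExecutor executor holding the user search filter
     */
    public LdapAuthorizationGenerator(ConnectionFactory connectionFactory, SearchExecutor searchExecutor) {
        this.connectionFactory = connectionFactory;
        this.userSearchExecutor = searchExecutor;
    }

    /**
     * Sets the text prepended to every generated role name.
     *
     * @param str the prefix; {@code null} results in unprefixed role names
     */
    public void setRolePrefix(String str) {
        this.rolePrefix = str;
    }

    /**
     * Controls whether a user search that matches more than one entry is accepted.
     *
     * @param z {@code true} to accept multiple matches, {@code false} to reject them
     */
    public void setAllowMultipleResults(boolean z) {
        this.allowMultipleResults = z;
    }

    /**
     * Looks the profile's id up in LDAP and adds the roles found in the configured role attribute.
     *
     * @param commonProfile profile whose id is searched for and which receives the roles
     * @throws IllegalArgumentException if the connection factory or search executor is not set
     * @throws AccountNotFoundException if the search returns no entry
     * @throws IllegalStateException if several entries match and that is not allowed, if the entry
     *     has no attributes, or if the configured role attribute is missing from the entry
     * @throws RuntimeException wrapping the {@link LdapException} if the search itself fails
     */
    @Override
    public void generate(CommonProfile commonProfile) {
        Assert.notNull(this.connectionFactory, "connectionFactory must not be null");
        Assert.notNull(this.userSearchExecutor, "userSearchExecutor must not be null");
        final String id = commonProfile.getId();
        try {
            this.logger.debug("Attempting to get details for user {}.", id);
            // NOTE(review): the id is passed to Beans.newSearchFilter next to the configured filter
            // template; presumably it is bound as an escaped filter parameter rather than
            // concatenated into the filter string. Confirm against Beans.
            final Response<SearchResult> search = this.userSearchExecutor.search(
                    this.connectionFactory,
                    Beans.newSearchFilter(this.userSearchExecutor.getSearchFilter().getFilter(), id));
            // NOTE(review): this logs the whole search response, which presumably includes the
            // entry's attribute values. Keep that in mind where debug logging is enabled.
            this.logger.debug("LDAP user search response: {}", search);
            final SearchResult result = search.getResult();
            if (result.size() == 0) {
                throw new AccountNotFoundException(id + " not found.");
            }
            if (result.size() > 1 && !this.allowMultipleResults) {
                throw new IllegalStateException("Found multiple results for user which is not allowed (allowMultipleResults=false).");
            }
            // NOTE(review): when several entries match and that is allowed, only the entry handed
            // back by getEntry() is read, so the roles granted depend on which entry that is.
            // Confirm this is the intended behaviour for ambiguous matches.
            if (result.getEntry().getAttributes().isEmpty()) {
                throw new IllegalStateException("No attributes are retrieved for this user.");
            }
            final LdapAttribute attribute = result.getEntry().getAttribute(this.roleAttribute);
            if (attribute == null) {
                throw new IllegalStateException("Configured role attribute cannot be found for this user");
            }
            addProfileRolesFromAttributes(commonProfile, attribute);
        } catch (LdapException e) {
            throw new RuntimeException("LDAP error fetching details for user.", e);
        }
    }

    /**
     * Adds one role and one profile attribute per string value of the given LDAP attribute.
     *
     * @param commonProfile profile that receives the roles and attributes
     * @param ldapAttribute LDAP attribute whose string values are turned into roles
     */
    protected void addProfileRolesFromAttributes(CommonProfile commonProfile, LdapAttribute ldapAttribute) {
        // A prefix that was never configured means "no prefix"; previously this path failed with
        // a NullPointerException after the LDAP lookup had already succeeded.
        final String prefix = this.rolePrefix == null ? "" : this.rolePrefix;
        final String attributeName = ldapAttribute.getName();
        for (final String value : ldapAttribute.getStringValues()) {
            // Locale.ROOT keeps role names independent of the JVM default locale; with a Turkish
            // default locale, for example, "admin" would otherwise not upper-case to "ADMIN" and
            // would stop matching the role names that access rules are written against.
            commonProfile.addRole(prefix + value.toUpperCase(Locale.ROOT));
            commonProfile.addAttribute(attributeName, value);
        }
    }

    /**
     * Sets the factory used to run the user search.
     *
     * @param connectionFactory the factory; must be non-null by the time {@link #generate} runs
     */
    public void setConnectionFactory(@Nullable ConnectionFactory connectionFactory) {
        this.connectionFactory = connectionFactory;
    }

    /**
     * Sets the executor that holds the user search filter.
     *
     * @param searchExecutor the executor; must be non-null by the time {@link #generate} runs
     */
    public void setUserSearchExecutor(@Nullable SearchExecutor searchExecutor) {
        this.userSearchExecutor = searchExecutor;
    }

    /**
     * Sets the name of the LDAP attribute whose values become roles.
     *
     * @param str the attribute name
     */
    public void setRoleAttribute(String str) {
        this.roleAttribute = str;
    }
}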
