package org.keycloak.storage.ldap.idm.store.ldap;

import java.io.IOException;
import java.nio.CharBuffer;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Properties;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import org.jboss.logging.Logger;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.LDAPConstants;
import org.keycloak.storage.ldap.LDAPConfig;
import org.keycloak.vault.VaultCharSecret;

/* loaded from: input_file:org/keycloak/storage/ldap/idm/store/ldap/LDAPContextManager.class */
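/**
 * Owns one JNDI {@link LdapContext} built from an {@link LDAPConfig}.
 *
 * <p>The context is created lazily by {@link #getLdapContext()}. For authenticated binds the bind
 * credential is first looked up in the Keycloak vault and falls back to the configured value.
 * When StartTLS is enabled the principal and credential are withheld from the initial (plaintext)
 * connection and only handed to the provider after the TLS layer has been negotiated.
 *
 * <p>{@link #close()} releases, in order, the vault secret, the TLS layer and the context.
 * The class contains no synchronization; each instance is meant for a single caller.
 */
public final class LDAPContextManager implements AutoCloseable {

    private static final Logger logger = Logger.getLogger(LDAPContextManager.class);

    /** Auth type meaning "anonymous bind": no principal and no credential are sent. */
    private static final String AUTH_TYPE_NONE = "none";

    /** Written in place of the real credential in debug output. */
    private static final String CREDENTIAL_MASK = "**************************************";

    private final KeycloakSession session;
    private final LDAPConfig ldapConfig;

    // Non-null only after a successful StartTLS negotiation; closed before the context in close().
    private StartTlsResponse tlsResponse;

    // Starts as an empty, no-op secret so that close() and credential resolution never see a null
    // before createLdapContext() has run; replaced by the vault lookup for authenticated binds.
    private VaultCharSecret vaultCharSecret = new VaultCharSecret() {
        public Optional<CharBuffer> get() {
            return Optional.empty();
        }

        public Optional<char[]> getAsArray() {
            return Optional.empty();
        }

        public void close() {
        }
    };

    // Created lazily; reset to null whenever it is closed so a later call cannot reuse it.
    private LdapContext ldapContext;

    /**
     * Creates a manager; no connection is opened until {@link #getLdapContext()} is called.
     *
     * @param session    session whose vault resolves the bind credential
     * @param ldapConfig connection, authentication and StartTLS settings
     */
    public LDAPContextManager(KeycloakSession session, LDAPConfig ldapConfig) {
        this.session = session;
        this.ldapConfig = ldapConfig;
    }

    /**
     * Static factory equivalent to the constructor.
     *
     * @param session    session whose vault resolves the bind credential
     * @param ldapConfig connection, authentication and StartTLS settings
     * @return a new manager with no context open yet
     */
    public static LDAPContextManager create(KeycloakSession session, LDAPConfig ldapConfig) {
        return new LDAPContextManager(session, ldapConfig);
    }

    /**
     * Opens the context and, when configured, upgrades it with StartTLS and binds.
     *
     * <p>If StartTLS negotiation or the subsequent bind fails, the half-initialised plaintext context
     * is closed and discarded before the exception is rethrown, so that {@link #getLdapContext()} can
     * never hand out an unauthenticated, unencrypted context on a retry.
     *
     * @throws NamingException if the bind settings are incomplete, the context cannot be created, or
     *                         StartTLS cannot be established
     */
    private void createLdapContext() throws NamingException {
        String authType = ldapConfig.getAuthType();
        boolean startTls = ldapConfig.isStartTls();

        char[] bindCredential = null;
        if (!AUTH_TYPE_NONE.equals(authType)) {
            vaultCharSecret = getVaultSecret();
            bindCredential = resolveBindCredential();
            // Hashtable/JNDI would otherwise fail on a null value with an opaque NPE; report it clearly.
            if (ldapConfig.getBindDN() == null || bindCredential == null) {
                throw new NamingException(
                        "LDAP bind DN and bind credential must be set for authentication type '" + authType + "'");
            }
        }

        Hashtable<Object, Object> connectionProperties = getConnectionProperties(ldapConfig);
        if (bindCredential != null && !startTls) {
            // Plain connection: the (vault-resolved) credential goes straight into the environment.
            // With StartTLS it is deliberately kept out until the TLS layer is up (see startTLS).
            connectionProperties.put(Context.SECURITY_CREDENTIALS, bindCredential);
        }

        ldapContext = new InitialLdapContext(connectionProperties, null);
        if (!startTls) {
            return;
        }

        try {
            tlsResponse = startTLS(ldapContext, authType, ldapConfig.getBindDN(), bindCredential);
            // startTLS throws on failure; this is a belt-and-braces check that it never returns null.
            if (tlsResponse == null) {
                throw new NamingException("Wasn't able to establish LDAP connection through StartTLS");
            }
        } catch (NamingException e) {
            closeContextQuietly();
            throw e;
        }
    }

    /**
     * Returns the managed context, creating it on first use.
     *
     * @return an open context, authenticated and TLS-protected according to the configuration
     * @throws NamingException if the context cannot be created
     */
    public LdapContext getLdapContext() throws NamingException {
        if (ldapContext == null) {
            createLdapContext();
        }
        return ldapContext;
    }

    /**
     * Looks the configured bind credential up in the vault.
     *
     * <p>The configured value itself is used as the vault key. NOTE(review): presumably the vault yields
     * an empty secret for a value that is not a vault reference, in which case the configured value is
     * used verbatim by {@link #resolveBindCredential()} — confirm against the vault provider.
     *
     * @return the vault secret, or {@code null} for anonymous binds
     */
    private VaultCharSecret getVaultSecret() {
        if (AUTH_TYPE_NONE.equals(ldapConfig.getAuthType())) {
            return null;
        }
        return session.vault().getCharSecret(ldapConfig.getBindCredential());
    }

    /**
     * Resolves the credential to bind with: the vault secret when present, otherwise the configured value.
     *
     * @return the credential, or {@code null} when neither source provides one
     */
    private char[] resolveBindCredential() {
        Optional<char[]> fromVault = vaultCharSecret == null
                ? Optional.empty()
                : vaultCharSecret.getAsArray();
        // orElseGet: the configured value is only materialised (and only dereferenced) when the vault
        // has nothing, so a null configured value no longer NPEs while a vault secret is available.
        return fromVault.orElseGet(() -> toCharArrayOrNull(ldapConfig.getBindCredential()));
    }

    /** Converts a possibly-null string to a char array, preserving {@code null}. */
    private static char[] toCharArrayOrNull(String value) {
        return value == null ? null : value.toCharArray();
    }

    /**
     * Negotiates StartTLS on an already-open context and then binds over the encrypted channel.
     *
     * <p>The principal and credential are added to the environment only after
     * {@link StartTlsResponse#negotiate()} has succeeded, so they are never sent in clear. The
     * trailing {@code lookup("")} performs an operation immediately so that the bind with the new
     * environment happens here and bad credentials fail here rather than on first use. If the bind
     * fails after negotiation, the TLS layer is closed again before the exception is thrown.
     *
     * @param ldapContext    open, not yet TLS-protected context
     * @param authType       value for {@link Context#SECURITY_AUTHENTICATION}
     * @param bindDN         principal to bind as; ignored when {@code authType} is {@code "none"}
     * @param bindCredential credential to bind with; ignored when {@code authType} is {@code "none"}
     * @return the negotiated TLS layer, which the caller must close
     * @throws NamingException if negotiation or the bind fails (always as {@link AuthenticationException}
     *                         carrying the underlying failure as its cause)
     */
    public static StartTlsResponse startTLS(LdapContext ldapContext, String authType, String bindDN,
                                            char[] bindCredential) throws NamingException {
        StartTlsResponse tls = null;
        boolean negotiated = false;
        try {
            tls = (StartTlsResponse) ldapContext.extendedOperation(new StartTlsRequest());
            tls.negotiate();
            negotiated = true;

            ldapContext.addToEnvironment(Context.SECURITY_AUTHENTICATION, authType);
            if (!AUTH_TYPE_NONE.equals(authType)) {
                ldapContext.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDN);
                ldapContext.addToEnvironment(Context.SECURITY_CREDENTIALS, bindCredential);
            }
            ldapContext.lookup("");
            return tls;
        } catch (Exception e) {
            logger.error("Could not negotiate TLS", e);
            if (negotiated) {
                closeTlsQuietly(tls);
            }
            // Generic message on purpose (no bind details); the real failure travels as the cause.
            AuthenticationException failure = new AuthenticationException("Could not negotiate TLS");
            failure.initCause(e);
            throw failure;
        }
    }

    /** Closes a negotiated TLS layer, logging rather than propagating a close failure. */
    private static void closeTlsQuietly(StartTlsResponse tls) {
        try {
            tls.close();
        } catch (IOException e) {
            logger.debug("Could not close StartTLS layer after failed bind.", e);
        }
    }

    /**
     * Builds the full JNDI environment, adding authentication settings for plain (non-StartTLS) connections.
     *
     * <p>For StartTLS connections the authentication keys are intentionally absent here; they are
     * supplied by {@link #startTLS} once the channel is encrypted. When debug logging is enabled the
     * environment is logged with the credential masked — note that every other entry, including any
     * additional connection property, is logged as-is.
     *
     * @param config the LDAP configuration to read
     * @return a mutable environment suitable for {@link InitialLdapContext}
     */
    private Hashtable<Object, Object> getConnectionProperties(LDAPConfig config) {
        Hashtable<Object, Object> env = getNonAuthConnectionProperties(config);

        if (!config.isStartTls()) {
            String authType = config.getAuthType();
            env.put(Context.SECURITY_AUTHENTICATION, authType);

            if (!AUTH_TYPE_NONE.equals(authType)) {
                String bindDN = config.getBindDN();
                char[] bindCredential = toCharArrayOrNull(config.getBindCredential());
                // Hashtable rejects null values; missing settings are reported by createLdapContext().
                if (bindDN != null) {
                    env.put(Context.SECURITY_PRINCIPAL, bindDN);
                }
                if (bindCredential != null) {
                    env.put(Context.SECURITY_CREDENTIALS, bindCredential);
                }
            }
        }

        if (logger.isDebugEnabled()) {
            logger.debugf("Creating LdapContext using properties: [%s]", redactCredential(env));
        }
        return env;
    }

    /** Returns a copy of the environment with the credential value replaced by a mask. */
    private static Hashtable<Object, Object> redactCredential(Hashtable<Object, Object> env) {
        Hashtable<Object, Object> redacted = new Hashtable<>(env);
        if (redacted.containsKey(Context.SECURITY_CREDENTIALS)) {
            redacted.put(Context.SECURITY_CREDENTIALS, CREDENTIAL_MASK);
        }
        return redacted;
    }

    /**
     * Builds the part of the JNDI environment that does not depend on authentication: context factory,
     * provider URL, truststore SPI, pooling, timeouts, additional properties and binary attributes.
     *
     * <p>Additional connection properties are applied last and therefore override any key set before
     * them. NOTE(review): {@code LDAPConstants.setTruststoreSpiIfNeeded} presumably installs the
     * truststore-backed socket factory used for ldaps:// and StartTLS certificate validation — confirm
     * in {@code LDAPConstants}.
     *
     * @param config the LDAP configuration to read
     * @return a new, mutable environment
     */
    public static Hashtable<Object, Object> getNonAuthConnectionProperties(LDAPConfig config) {
        Map<String, Object> env = new HashMap<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, config.getFactoryName());

        String url = config.getConnectionUrl();
        if (url != null) {
            env.put(Context.PROVIDER_URL, url);
        } else {
            logger.warn("LDAP URL is null. LDAPOperationManager won't work correctly");
        }

        LDAPConstants.setTruststoreSpiIfNeeded(config.getUseTruststoreSpi(), url, env);

        String connectionPooling = config.getConnectionPooling();
        if (connectionPooling != null) {
            env.put("com.sun.jndi.ldap.connect.pool", connectionPooling);
        }

        String connectionTimeout = config.getConnectionTimeout();
        if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
            env.put("com.sun.jndi.ldap.connect.timeout", connectionTimeout);
        }

        String readTimeout = config.getReadTimeout();
        if (readTimeout != null && !readTimeout.isEmpty()) {
            env.put("com.sun.jndi.ldap.read.timeout", readTimeout);
        }

        Properties additional = config.getAdditionalConnectionProperties();
        if (additional != null) {
            // stringPropertyNames() yields only String-valued entries, so no null value can reach the
            // Hashtable copy below.
            for (String name : additional.stringPropertyNames()) {
                env.put(name, additional.getProperty(name));
            }
        }

        // Space-separated list of attributes the provider must return as byte[] instead of String.
        List<String> binaryAttributes = new ArrayList<>();
        if (config.isObjectGUID()) {
            binaryAttributes.add("objectGUID");
        }
        if (config.isEdirectory()) {
            binaryAttributes.add("guid");
        }
        for (String name : config.getBinaryAttributeNames()) {
            binaryAttributes.add(name);
        }
        String binary = String.join(" ", binaryAttributes).trim();
        if (!binary.isEmpty()) {
            env.put("java.naming.ldap.attributes.binary", binary);
        }

        return new Hashtable<>(env);
    }

    /**
     * Releases the vault secret, the TLS layer and the context, in that order.
     * Close failures are logged, never thrown; the context reference is cleared afterwards.
     */
    @Override // java.lang.AutoCloseable
    public void close() {
        if (vaultCharSecret != null) {
            vaultCharSecret.close();
        }
        if (tlsResponse != null) {
            try {
                tlsResponse.close();
            } catch (IOException e) {
                logger.error("Could not close Ldap tlsResponse.", e);
            }
        }
        closeContextQuietly();
    }

    /** Closes the context if one exists and forgets it, logging rather than propagating a close failure. */
    private void closeContextQuietly() {
        if (ldapContext == null) {
            return;
        }
        try {
            ldapContext.close();
        } catch (NamingException e) {
            logger.error("Could not close Ldap context.", e);
        } finally {
            ldapContext = null;
        }
    }
}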
