package org.keycloak.storage.ldap.idm.store.ldap;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.List;
import java.util.Set;
import javax.naming.AuthenticationException;
import javax.naming.Binding;
import javax.naming.NameAlreadyBoundException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.ModificationItem;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.PagedResultsControl;
import javax.naming.ldap.PagedResultsResponseControl;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSocketFactory;
import org.jboss.logging.Logger;
import org.keycloak.common.util.Time;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelException;
import org.keycloak.storage.ldap.LDAPConfig;
import org.keycloak.storage.ldap.idm.model.LDAPDn;
import org.keycloak.storage.ldap.idm.query.EscapeStrategy;
import org.keycloak.storage.ldap.idm.query.internal.LDAPQuery;
import org.keycloak.storage.ldap.idm.store.ldap.extended.PasswordModifyRequest;
import org.keycloak.storage.ldap.mappers.LDAPOperationDecorator;
import org.keycloak.truststore.TruststoreProvider;

/* loaded from: input_file:org/keycloak/storage/ldap/idm/store/ldap/LDAPOperationManager.class */
public class LDAPOperationManager {
    private static final Logger logger = Logger.getLogger(LDAPOperationManager.class);
    private static final Logger perfLogger = Logger.getLogger(LDAPOperationManager.class, "perf");
    private final KeycloakSession session;
    private final LDAPConfig config;

    /* loaded from: input_file:org/keycloak/storage/ldap/idm/store/ldap/LDAPOperationManager$LdapOperation.class */
    public interface LdapOperation<R> {
        R execute(LdapContext ldapContext) throws NamingException;
    }

    public LDAPOperationManager(KeycloakSession keycloakSession, LDAPConfig lDAPConfig) {
        this.session = keycloakSession;
        this.config = lDAPConfig;
    }

    public void modifyAttribute(LdapName ldapName, Attribute attribute) {
        modifyAttributes(ldapName, new ModificationItem[]{new ModificationItem(2, attribute)}, null);
    }

    public void modifyAttributes(LdapName ldapName, NamingEnumeration<Attribute> namingEnumeration) {
        try {
            ArrayList arrayList = new ArrayList();
            while (namingEnumeration.hasMore()) {
                arrayList.add(new ModificationItem(2, (Attribute) namingEnumeration.next()));
            }
            modifyAttributes(ldapName, (ModificationItem[]) arrayList.toArray(i -> {
                return new ModificationItem[i];
            }), null);
        } catch (NamingException e) {
            throw new ModelException("Could not modify attributes on entry from DN [" + ldapName + "]", e);
        }
    }

    public void removeAttribute(LdapName ldapName, Attribute attribute) {
        modifyAttributes(ldapName, new ModificationItem[]{new ModificationItem(3, attribute)}, null);
    }

    public void addAttribute(LdapName ldapName, Attribute attribute) {
        modifyAttributes(ldapName, new ModificationItem[]{new ModificationItem(1, attribute)}, null);
    }

    public void removeEntry(final LdapName ldapName) {
        try {
            execute(new LdapOperation<SearchResult>() { // from class: org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.1
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.LdapOperation
                public SearchResult execute(LdapContext ldapContext) throws NamingException {
                    if (LDAPOperationManager.logger.isTraceEnabled()) {
                        LDAPOperationManager.logger.tracef("Removing entry with DN [%s]", ldapName);
                    }
                    LDAPOperationManager.this.destroySubcontext(ldapContext, ldapName);
                    return null;
                }

                public String toString() {
                    return "LdapOperation: remove\n dn: " + ldapName;
                }
            });
        } catch (NamingException e) {
            throw new ModelException("Could not remove entry from DN [" + ldapName + "]", e);
        }
    }

    public LdapName renameEntry(final LdapName ldapName, final LdapName ldapName2, final boolean z) {
        try {
            return (LdapName) execute(new LdapOperation<LdapName>() { // from class: org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.2
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.LdapOperation
                public LdapName execute(LdapContext ldapContext) throws NamingException {
                    LdapName ldapName3 = ldapName2;
                    for (int i = 0; i < 5; i++) {
                        try {
                            ldapContext.rename(ldapName, ldapName3);
                            return ldapName3;
                        } catch (NameAlreadyBoundException e) {
                            if (!z) {
                                throw e;
                            }
                            LdapName ldapName4 = ldapName3;
                            if (i >= 5) {
                                LDAPOperationManager.logger.warnf("Failed all fallbacks for renaming [%s]", ldapName);
                                throw e;
                            }
                            ldapName3 = LDAPOperationManager.this.findNextDNForFallback(ldapName2, i);
                            LDAPOperationManager.logger.warnf("Failed to rename DN [%s] to [%s]. Will try to fallback to DN [%s]", ldapName, ldapName4, ldapName3);
                        }
                    }
                    throw new ModelException("Could not rename entry from DN [" + ldapName + "] to new DN [" + ldapName2 + "]. All fallbacks failed");
                }

                public String toString() {
                    return "LdapOperation: renameEntry\n oldDn: " + ldapName + "\n newDn: " + ldapName2;
                }
            });
        } catch (NamingException e) {
            throw new ModelException("Could not rename entry from DN [" + ldapName + "] to new DN [" + ldapName2 + "]", e);
        }
    }

    private LdapName findNextDNForFallback(LdapName ldapName, int i) {
        LDAPDn fromLdapName = LDAPDn.fromLdapName(ldapName);
        LDAPDn.RDN firstRdn = fromLdapName.getFirstRdn();
        String str = firstRdn.getAllKeys().get(0);
        String attrValue = firstRdn.getAttrValue(str);
        LDAPDn parentDn = fromLdapName.getParentDn();
        parentDn.addFirst(str, attrValue + i);
        return parentDn.getLdapName();
    }

    public List<SearchResult> search(final LdapName ldapName, final String str, final Collection<String> collection, final int i) throws NamingException {
        final ArrayList arrayList = new ArrayList();
        final SearchControls searchControls = getSearchControls(collection, i);
        try {
            return (List) execute(new LdapOperation<List<SearchResult>>() { // from class: org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.3
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.LdapOperation
                public List<SearchResult> execute(LdapContext ldapContext) throws NamingException {
                    NamingEnumeration search = ldapContext.search(ldapName, str, searchControls);
                    while (search.hasMoreElements()) {
                        arrayList.add((SearchResult) search.nextElement());
                    }
                    search.close();
                    return arrayList;
                }

                public String toString() {
                    return "LdapOperation: search\n baseDn: " + ldapName + "\n filter: " + str + "\n searchScope: " + i + "\n returningAttrs: " + collection + "\n resultSize: " + arrayList.size();
                }
            });
        } catch (NamingException e) {
            logger.errorf(e, "Could not query server using DN [%s] and filter [%s]", ldapName, str);
            throw e;
        }
    }

    public List<SearchResult> searchPaginated(final LdapName ldapName, final String str, final LDAPQuery lDAPQuery) throws NamingException {
        final ArrayList arrayList = new ArrayList();
        final SearchControls searchControls = getSearchControls(lDAPQuery.getReturningLdapAttributes(), lDAPQuery.getSearchScope());
        if (lDAPQuery.getPaginationContext() == null) {
            lDAPQuery.initPagination();
        }
        try {
            return (List) execute(new LdapOperation<List<SearchResult>>() { // from class: org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.4
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.LdapOperation
                public List<SearchResult> execute(LdapContext ldapContext) throws NamingException {
                    try {
                        ldapContext.setRequestControls(new Control[]{new PagedResultsControl(lDAPQuery.getLimit(), lDAPQuery.getPaginationContext().getCookie(), true)});
                        NamingEnumeration search = ldapContext.search(ldapName, str, searchControls);
                        while (search.hasMoreElements()) {
                            arrayList.add((SearchResult) search.nextElement());
                        }
                        search.close();
                        PagedResultsResponseControl[] responseControls = ldapContext.getResponseControls();
                        if (responseControls != null) {
                            for (PagedResultsResponseControl pagedResultsResponseControl : responseControls) {
                                if (pagedResultsResponseControl instanceof PagedResultsResponseControl) {
                                    lDAPQuery.getPaginationContext().setCookie(pagedResultsResponseControl.getCookie());
                                }
                            }
                        } else {
                            lDAPQuery.getPaginationContext().setCookie(null);
                            LDAPOperationManager.logger.warnf("Did not receive response controls for paginated query using DN [%s], filter [%s]. Did you hit a query result size limit?", ldapName, str);
                        }
                        return arrayList;
                    } catch (IOException e) {
                        LDAPOperationManager.logger.errorf(e, "Could not query server with paginated query using DN [%s], filter [%s]", ldapName, str);
                        throw new NamingException(e.getMessage());
                    }
                }

                public String toString() {
                    return "LdapOperation: searchPaginated\n baseDn: " + ldapName + "\n filter: " + str + "\n searchScope: " + lDAPQuery.getSearchScope() + "\n returningAttrs: " + lDAPQuery.getReturningLdapAttributes() + "\n limit: " + lDAPQuery.getLimit() + "\n resultSize: " + arrayList.size();
                }
            }, lDAPQuery.getPaginationContext().getLdapContext(), null);
        } catch (NamingException e) {
            logger.errorf(e, "Could not query server using DN [%s] and filter [%s]", ldapName, str);
            throw e;
        }
    }

    private SearchControls getSearchControls(Collection<String> collection, int i) {
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(i);
        searchControls.setReturningObjFlag(false);
        Set<String> returningAttributes = getReturningAttributes(collection);
        searchControls.setReturningAttributes((String[]) returningAttributes.toArray(new String[returningAttributes.size()]));
        return searchControls;
    }

    public String getFilterById(String str) {
        StringBuilder sb = new StringBuilder();
        sb.insert(0, "(&");
        if (this.config.isObjectGUID()) {
            sb.append("(objectClass=*)(").append(getUuidAttributeName()).append("=").append(LDAPUtil.convertObjectGUIDToByteString(LDAPUtil.encodeObjectGUID(str))).append(")");
        } else if (this.config.isEdirectoryGUID()) {
            sb.append("(objectClass=*)(").append(getUuidAttributeName().toUpperCase()).append("=").append(LDAPUtil.convertGUIDToEdirectoryHexString(str)).append(")");
        } else {
            sb.append("(objectClass=*)(").append(getUuidAttributeName()).append("=").append(EscapeStrategy.DEFAULT.escape(str)).append(")");
        }
        if (this.config.getCustomUserSearchFilter() != null) {
            sb.append(this.config.getCustomUserSearchFilter());
        }
        sb.append(")");
        String sb2 = sb.toString();
        logger.tracef("Using filter for lookup user by LDAP ID: %s", sb2);
        return sb2;
    }

    public SearchResult lookupById(final LdapName ldapName, String str, final Collection<String> collection) {
        final String filterById = getFilterById(str);
        try {
            final SearchControls searchControls = getSearchControls(collection, this.config.getSearchScope());
            return (SearchResult) execute(new LdapOperation<SearchResult>() { // from class: org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.5
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.LdapOperation
                public SearchResult execute(LdapContext ldapContext) throws NamingException {
                    NamingEnumeration search = ldapContext.search(ldapName, filterById, searchControls);
                    try {
                        if (!search.hasMoreElements()) {
                        }
                        SearchResult searchResult = (SearchResult) search.next();
                        if (search != null) {
                            search.close();
                        }
                        return searchResult;
                    } finally {
                        if (search != null) {
                            search.close();
                        }
                    }
                }

                public String toString() {
                    return "LdapOperation: lookupById\n baseDN: " + ldapName + "\n filter: " + filterById + "\n searchScope: " + searchControls.getSearchScope() + "\n returningAttrs: " + collection;
                }
            });
        } catch (NamingException e) {
            throw new ModelException("Could not query server using DN [" + ldapName + "] and filter [" + filterById + "]", e);
        }
    }

    private void destroySubcontext(LdapContext ldapContext, LdapName ldapName) {
        NamingEnumeration namingEnumeration = null;
        try {
            try {
                namingEnumeration = ldapContext.listBindings(ldapName);
                while (namingEnumeration.hasMore()) {
                    destroySubcontext(ldapContext, new LdapName(((Binding) namingEnumeration.next()).getNameInNamespace()));
                }
                ldapContext.unbind(ldapName);
                try {
                    namingEnumeration.close();
                } catch (Exception e) {
                }
            } catch (Exception e2) {
                throw new ModelException("Could not unbind DN [" + ldapName + "]", e2);
            }
        } catch (Throwable th) {
            try {
                namingEnumeration.close();
            } catch (Exception e3) {
            }
            throw th;
        }
    }

    public void authenticate(LdapName ldapName, String str) throws AuthenticationException {
        if (str == null || str.isEmpty()) {
            throw new AuthenticationException("Empty password used");
        }
        LdapContext ldapContext = null;
        StartTlsResponse startTlsResponse = null;
        try {
            try {
                try {
                    try {
                        Hashtable<Object, Object> nonAuthConnectionProperties = LDAPContextManager.getNonAuthConnectionProperties(this.config);
                        nonAuthConnectionProperties.put("com.sun.jndi.ldap.connect.pool", "false");
                        if (!this.config.isStartTls()) {
                            nonAuthConnectionProperties.put("java.naming.security.authentication", "simple");
                            nonAuthConnectionProperties.put("java.naming.security.principal", ldapName.toString());
                            nonAuthConnectionProperties.put("java.naming.security.credentials", str);
                        }
                        ldapContext = new InitialLdapContext(nonAuthConnectionProperties, (Control[]) null);
                        if (this.config.isStartTls()) {
                            SSLSocketFactory sSLSocketFactory = null;
                            if (LDAPUtil.shouldUseTruststoreSpi(this.config)) {
                                sSLSocketFactory = this.session.getProvider(TruststoreProvider.class).getSSLSocketFactory();
                            }
                            startTlsResponse = LDAPContextManager.startTLS(ldapContext, "simple", ldapName.toString(), str.toCharArray(), sSLSocketFactory);
                            if (startTlsResponse == null) {
                                throw new AuthenticationException("Null TLS Response returned from the authentication");
                            }
                        }
                        if (startTlsResponse != null) {
                            try {
                                startTlsResponse.close();
                            } catch (IOException e) {
                                e.printStackTrace();
                            }
                        }
                        if (ldapContext != null) {
                            try {
                                ldapContext.close();
                            } catch (NamingException e2) {
                                e2.printStackTrace();
                            }
                        }
                    } catch (Exception e3) {
                        logger.errorf(e3, "Unexpected exception when validating password of DN [%s]", ldapName);
                        throw new AuthenticationException("Unexpected exception when validating password of user");
                    }
                } catch (RuntimeException e4) {
                    if (logger.isDebugEnabled()) {
                        logger.debugf(e4, "LDAP Connection TimeOut for DN [%s]", ldapName);
                    }
                    throw e4;
                }
            } catch (AuthenticationException e5) {
                if (logger.isDebugEnabled()) {
                    logger.debugf(e5, "Authentication failed for DN [%s]", ldapName);
                }
                throw e5;
            }
        } catch (Throwable th) {
            if (startTlsResponse != null) {
                try {
                    startTlsResponse.close();
                } catch (IOException e6) {
                    e6.printStackTrace();
                }
            }
            if (ldapContext != null) {
                try {
                    ldapContext.close();
                } catch (NamingException e7) {
                    e7.printStackTrace();
                }
            }
            throw th;
        }
    }

    public void modifyAttributesNaming(final LdapName ldapName, final ModificationItem[] modificationItemArr, LDAPOperationDecorator lDAPOperationDecorator) throws NamingException {
        if (logger.isTraceEnabled()) {
            logger.tracef("Modifying attributes for entry [%s]: [", ldapName);
            for (ModificationItem modificationItem : modificationItemArr) {
                String str = modificationItem.getAttribute().size() > 0 ? modificationItem.getAttribute().get() : "No values";
                String upperCase = modificationItem.getAttribute().getID().toUpperCase();
                if (upperCase.contains("PASSWORD") || upperCase.contains("UNICODEPWD")) {
                    str = "********************";
                }
                logger.tracef("  Op [%s]: %s = %s", modificationItem.getModificationOp(), modificationItem.getAttribute().getID(), str);
            }
            logger.tracef("]", new Object[0]);
        }
        execute(new LdapOperation<Void>() { // from class: org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.6
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.LdapOperation
            public Void execute(LdapContext ldapContext) throws NamingException {
                ldapContext.modifyAttributes(ldapName, modificationItemArr);
                return null;
            }

            public String toString() {
                return "LdapOperation: modify\n dn: " + ldapName + "\n modificationsSize: " + modificationItemArr.length;
            }
        }, lDAPOperationDecorator);
    }

    public void modifyAttributes(LdapName ldapName, ModificationItem[] modificationItemArr, LDAPOperationDecorator lDAPOperationDecorator) {
        try {
            modifyAttributesNaming(ldapName, modificationItemArr, lDAPOperationDecorator);
        } catch (NamingException e) {
            throw new ModelException("Could not modify attribute for DN [" + ldapName + "]", e);
        }
    }

    public void createSubContext(final LdapName ldapName, final Attributes attributes) {
        try {
            if (logger.isTraceEnabled()) {
                logger.tracef("Creating entry [%s] with attributes: [", ldapName);
                NamingEnumeration all = attributes.getAll();
                while (all.hasMore()) {
                    Attribute attribute = (Attribute) all.next();
                    String upperCase = attribute.getID().toUpperCase();
                    Object obj = attribute.get();
                    if (upperCase.contains("PASSWORD") || upperCase.contains("UNICODEPWD")) {
                        obj = "********************";
                    }
                    logger.tracef("  %s = %s", attribute.getID(), obj);
                }
                logger.tracef("]", new Object[0]);
            }
            execute(new LdapOperation<Void>() { // from class: org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.7
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.LdapOperation
                public Void execute(LdapContext ldapContext) throws NamingException {
                    ldapContext.createSubcontext(ldapName, attributes).close();
                    return null;
                }

                public String toString() {
                    return "LdapOperation: create\n dn: " + ldapName + "\n attributesSize: " + attributes.size();
                }
            });
        } catch (NamingException e) {
            throw new ModelException("Error creating subcontext [" + ldapName + "]", e);
        }
    }

    private String getUuidAttributeName() {
        return this.config.getUuidLDAPAttributeName();
    }

    public Attributes getAttributes(String str, LdapName ldapName, Set<String> set) {
        SearchResult lookupById = lookupById(ldapName, str, set);
        if (lookupById == null) {
            throw new ModelException("Couldn't find item with ID [" + str + " under base DN [" + ldapName + "]");
        }
        return lookupById.getAttributes();
    }

    public String decodeEntryUUID(Object obj) {
        if (obj instanceof byte[]) {
            if (this.config.isObjectGUID()) {
                return LDAPUtil.decodeObjectGUID((byte[]) obj);
            }
            if (this.config.isEdirectory() && this.config.isEdirectoryGUID()) {
                return LDAPUtil.decodeGuid((byte[]) obj);
            }
        }
        return obj.toString();
    }

    public void passwordModifyExtended(LdapName ldapName, String str, LDAPOperationDecorator lDAPOperationDecorator) {
        try {
            execute(ldapContext -> {
                return ldapContext.extendedOperation(new PasswordModifyRequest(ldapName.toString(), null, str));
            }, lDAPOperationDecorator);
        } catch (NamingException e) {
            throw new ModelException("Could not execute the password modify extended operation for DN [" + ldapName + "]", e);
        }
    }

    private <R> R execute(LdapOperation<R> ldapOperation) throws NamingException {
        return (R) execute(ldapOperation, null);
    }

    private <R> R execute(LdapOperation<R> ldapOperation, LDAPOperationDecorator lDAPOperationDecorator) throws NamingException {
        LDAPContextManager create = LDAPContextManager.create(this.session, this.config);
        try {
            R r = (R) execute(ldapOperation, create.getLdapContext(), lDAPOperationDecorator);
            if (create != null) {
                create.close();
            }
            return r;
        } catch (Throwable th) {
            if (create != null) {
                try {
                    create.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private <R> R execute(LdapOperation<R> ldapOperation, LdapContext ldapContext, LDAPOperationDecorator lDAPOperationDecorator) throws NamingException {
        if (ldapContext == null) {
            throw new IllegalArgumentException("Ldap context cannot be null");
        }
        Long l = null;
        if (perfLogger.isDebugEnabled()) {
            l = Long.valueOf(Time.currentTimeMillis());
        }
        if (lDAPOperationDecorator != null) {
            try {
                lDAPOperationDecorator.beforeLDAPOperation(ldapContext, ldapOperation);
            } catch (Throwable th) {
                if (perfLogger.isDebugEnabled()) {
                    long currentTimeMillis = Time.currentTimeMillis() - l.longValue();
                    if (currentTimeMillis > 100) {
                        perfLogger.debugf("\n%s\ntook: %d ms\n", ldapOperation.toString(), Long.valueOf(currentTimeMillis));
                    } else if (perfLogger.isTraceEnabled()) {
                        perfLogger.tracef("\n%s\ntook: %d ms\n", ldapOperation.toString(), Long.valueOf(currentTimeMillis));
                    }
                }
                throw th;
            }
        }
        R execute = ldapOperation.execute(ldapContext);
        if (perfLogger.isDebugEnabled()) {
            long currentTimeMillis2 = Time.currentTimeMillis() - l.longValue();
            if (currentTimeMillis2 > 100) {
                perfLogger.debugf("\n%s\ntook: %d ms\n", ldapOperation.toString(), Long.valueOf(currentTimeMillis2));
            } else if (perfLogger.isTraceEnabled()) {
                perfLogger.tracef("\n%s\ntook: %d ms\n", ldapOperation.toString(), Long.valueOf(currentTimeMillis2));
            }
        }
        return execute;
    }

    private Set<String> getReturningAttributes(Collection<String> collection) {
        HashSet hashSet = new HashSet();
        hashSet.addAll(collection);
        hashSet.add(getUuidAttributeName());
        hashSet.add("objectclass");
        return hashSet;
    }
}
