package org.geoserver.security.ldap;

import java.io.IOException;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.stream.Collectors;
import javax.naming.directory.DirContext;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.mutable.MutableObject;
import org.geoserver.security.GeoServerRoleService;
import org.geoserver.security.GeoServerRoleStore;
import org.geoserver.security.config.SecurityNamedServiceConfig;
import org.geoserver.security.event.RoleLoadedListener;
import org.geoserver.security.impl.GeoServerRole;
import org.geotools.util.logging.Logging;
import org.springframework.ldap.CommunicationException;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.ldap.LdapUtils;
import org.springframework.util.Assert;

/* loaded from: input_file:org/geoserver/security/ldap/LDAPRoleService.class */
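/**
 * Read-only {@link GeoServerRoleService} backed by LDAP groups.
 *
 * <p>Every LDAP group found under {@code groupSearchBase} is exposed as a {@link GeoServerRole}
 * whose authority is {@code rolePrefix} plus the (optionally upper-cased) group name. When
 * {@code useNestedGroups} is enabled, group-in-group membership is followed in both directions
 * (children for user listing, parents for role assignment) up to the depth bound enforced by
 * {@code isOutOfDepthBounds}.
 *
 * <p>The service never creates a store: {@link #canCreateStore()} is {@code false} and
 * {@link #createStore()} returns {@code null}. Role listeners are accepted but never notified
 * from this class.
 *
 * <p>NOTE(review): search filter arguments (group names, DNs) are always handed to the template
 * as a parameter array rather than concatenated into the filter string; whether they are
 * filter-encoded depends on the template returned by {@code LDAPUtils.getLdapTemplateInContext}
 * — confirm there before trusting this against filter injection.
 */
public class LDAPRoleService extends LDAPBaseSecurityService implements GeoServerRoleService {
    /** Shared immutable result for lookups this service does not support (group names). */
    private static final SortedSet<String> EMPTY_STRING_SET =
            Collections.unmodifiableSortedSet(new TreeSet<>());

    /** Shared immutable result for parent mappings, which LDAP does not model here. */
    private static final Map<String, String> EMPTY_MAP = Collections.emptyMap();

    static Logger LOGGER = Logging.getLogger("org.geoserver.security.ldap");

    /** Registered listeners; thread-safe because registration may happen from any thread. */
    protected Set<RoleLoadedListener> listeners = Collections.synchronizedSet(new HashSet<>());

    /** Prefix prepended to every group name to form the role authority. */
    private String rolePrefix = "ROLE_";

    /** Whether the group name is upper-cased before the prefix is applied. */
    private boolean convertToUpperCase = true;

    /** LDAP group mapped to the administrator role, or {@code null} when not configured. */
    private String adminGroup;

    /** LDAP group mapped to the group-administrator role, or {@code null} when not configured. */
    private String groupAdminGroup;

    /**
     * Applies the role-service configuration on top of the base LDAP configuration.
     *
     * <p>Admin and group-admin groups are only set when the configuration names them; blank
     * values leave the fields {@code null} so that {@link #getAdminRole()} and
     * {@link #getGroupAdminRole()} report "no such role".
     *
     * @param config the service configuration, expected to be an {@link LDAPRoleServiceConfig}
     * @throws IOException if the base configuration cannot be applied
     */
    @Override // org.geoserver.security.ldap.LDAPBaseSecurityService
    public void initializeFromConfig(SecurityNamedServiceConfig config) throws IOException {
        super.initializeFromConfig(config);
        LDAPRoleServiceConfig roleConfig = (LDAPRoleServiceConfig) config;
        if (!isEmpty(roleConfig.getAdminGroup())) {
            adminGroup = roleConfig.getAdminGroup();
        }
        if (!isEmpty(roleConfig.getGroupAdminGroup())) {
            groupAdminGroup = roleConfig.getGroupAdminGroup();
        }
    }

    /** @return {@code false}: roles live in LDAP and cannot be edited through GeoServer. */
    public boolean canCreateStore() {
        return false;
    }

    /** @return {@code null}, consistent with {@link #canCreateStore()} being {@code false}. */
    public GeoServerRoleStore createStore() throws IOException {
        return null;
    }

    /** Registers a listener; this read-only service never fires role-loaded events itself. */
    public void registerRoleLoadedListener(RoleLoadedListener listener) {
        listeners.add(listener);
    }

    /** Removes a previously registered listener (no-op if it was never registered). */
    public void unregisterRoleLoadedListener(RoleLoadedListener listener) {
        listeners.remove(listener);
    }

    /**
     * GeoServer user groups are not mapped onto LDAP groups by this service.
     *
     * @return an empty, unmodifiable set
     */
    public SortedSet<String> getGroupNamesForRole(GeoServerRole role) throws IOException {
        return EMPTY_STRING_SET;
    }

    /**
     * Lists the user names that are members of the LDAP group behind {@code role}.
     *
     * <p>With nested groups enabled, members of child groups are included as well, down to the
     * configured depth bound.
     *
     * @param role the role whose members are requested
     * @return an unmodifiable, sorted set of user names (empty when the group is unknown)
     * @throws IOException if a nested lookup fails
     */
    public SortedSet<String> getUserNamesForRole(GeoServerRole role) throws IOException {
        SortedSet<String> users = new TreeSet<>();
        authenticateIfNeeded((ctx, ldapEntryIdentification) -> fillUsersForRole(ctx, users, role));
        if (useNestedGroups) {
            Set<GeoServerRole> visited = new HashSet<>();
            visited.add(role);
            for (GeoServerRole child : getChildrenRoles(role)) {
                users.addAll(getUserNamesForRoleNested(child, visited, 1));
            }
        }
        return Collections.unmodifiableSortedSet(users);
    }

    /**
     * Recursive part of {@link #getUserNamesForRole(GeoServerRole)}.
     *
     * @param role the (child) role currently being expanded
     * @param visited roles already expanded on this path; cuts membership cycles
     * @param depth current nesting depth, checked against the configured bound
     * @return the users of {@code role} and of its not-yet-visited descendants
     */
    private SortedSet<String> getUserNamesForRoleNested(
            GeoServerRole role, Set<GeoServerRole> visited, int depth) throws IOException {
        SortedSet<String> users = new TreeSet<>();
        if (isOutOfDepthBounds(depth)) {
            return users;
        }
        authenticateIfNeeded((ctx, ldapEntryIdentification) -> fillUsersForRole(ctx, users, role));
        if (useNestedGroups) {
            for (GeoServerRole child : getChildrenRoles(role)) {
                if (!visited.contains(child)) {
                    // the current role is marked before descending so a cycle leading back to it
                    // stops; a diamond may still expand a shared child twice, the depth bound and
                    // the set semantics keep that harmless
                    visited.add(role);
                    users.addAll(getUserNamesForRoleNested(child, visited, depth + 1));
                }
            }
        }
        return users;
    }

    /**
     * Resolves the roles granted to a user, i.e. the LDAP groups listing the user as a member.
     *
     * <p>With nested groups enabled, groups that (transitively) contain those groups are added
     * too, up to the configured depth bound.
     *
     * @param username the user name as known to GeoServer
     * @return an unmodifiable, sorted set of roles
     * @throws IOException if the user DN lookup or a role lookup fails
     */
    public SortedSet<GeoServerRole> getRolesForUser(String username) throws IOException {
        SortedSet<GeoServerRole> roles = new TreeSet<>();
        String userDn = lookupDn(username);
        authenticateIfNeeded(
                (ctx, ldapEntryIdentification) -> fillRolesForUser(ctx, username, userDn, roles));
        if (useNestedGroups) {
            // iterate over a snapshot: searchNestedParentRoles adds to 'roles' while we walk it
            for (GeoServerRole direct : new TreeSet<>(roles)) {
                searchNestedParentRoles(direct, roles, 1);
            }
        }
        return Collections.unmodifiableSortedSet(roles);
    }

    /**
     * Adds every ancestor group of {@code role} to {@code collected}, depth-first.
     *
     * @param role the role whose parents are searched
     * @param collected accumulator; doubles as the visited set, so cycles terminate
     * @param depth current nesting depth, checked against the configured bound
     */
    private void searchNestedParentRoles(GeoServerRole role, Set<GeoServerRole> collected, int depth) {
        if (isOutOfDepthBounds(depth)) {
            return;
        }
        for (GeoServerRole parent : getParentRolesbyMember(role)) {
            if (collected.add(parent)) {
                searchNestedParentRoles(parent, collected, depth + 1);
            }
        }
    }

    /**
     * Maps a GeoServer group onto a role by name: the group name is looked up as an LDAP group.
     *
     * @return a one-element set with the matching role, or an empty set when no group matches
     */
    public SortedSet<GeoServerRole> getRolesForGroup(String groupName) throws IOException {
        SortedSet<GeoServerRole> roles = new TreeSet<>();
        GeoServerRole role = getRoleByName(groupName);
        if (role != null) {
            roles.add(role);
        }
        return Collections.unmodifiableSortedSet(roles);
    }

    /**
     * Lists every group under {@code groupSearchBase} matching {@code allGroupsSearchFilter}.
     *
     * @return an unmodifiable, sorted set of roles
     * @throws IOException when the LDAP server cannot be reached (wrapping the communication
     *     failure so callers see the service contract's checked exception)
     */
    public SortedSet<GeoServerRole> getRoles() throws IOException {
        SortedSet<GeoServerRole> roles = new TreeSet<>();
        try {
            authenticateIfNeeded((ctx, ldapEntryIdentification) -> fillAllRoles(ctx, roles));
        } catch (CommunicationException e) {
            throw new IOException(e);
        }
        return Collections.unmodifiableSortedSet(roles);
    }

    /** Runs the all-groups search in {@code ctx} and converts the group names into roles. */
    private void fillAllRoles(DirContext ctx, SortedSet<GeoServerRole> roles) {
        addRolesToSet(
                roles,
                LDAPUtils.getLdapTemplateInContext(ctx, template)
                        .searchForSingleAttributeValues(
                                groupSearchBase, allGroupsSearchFilter, new String[0], groupNameAttribute));
    }

    /**
     * Reads the membership attribute of the group behind {@code role} and adds the user names.
     *
     * <p>Each membership value is first reduced through {@code userMembershipPattern} (group 1,
     * when the pattern matches), then made relative to the base DN and converted to a user name.
     * With nested groups enabled, only values located under {@code userSearchBase} are users; the
     * others are child groups and are skipped here.
     */
    private void fillUsersForRole(DirContext ctx, SortedSet<String> users, GeoServerRole role) {
        DirContextOperations group =
                LDAPUtils.getLdapTemplateInContext(ctx, template)
                        .searchForSingleEntry(
                                groupSearchBase,
                                groupNameFilter,
                                new String[] {normalizeGroupName(role.toString()), getRoleDn(role)});
        if (group == null) {
            return;
        }
        Object[] members = group.getObjectAttributes(groupMembershipAttribute);
        if (members == null) {
            return;
        }
        for (Object member : members) {
            String rawValue = member.toString();
            String memberDn = rawValue;
            Matcher matcher = userMembershipPattern.matcher(rawValue);
            if (matcher.matches()) {
                memberDn = matcher.group(1);
            }
            if (!useNestedGroups || StringUtils.containsIgnoreCase(rawValue, userSearchBase)) {
                users.add(getUserNameFromMembership(removeBaseDN(memberDn)));
            }
        }
    }

    /**
     * Strips the context source's base DN from {@code dn}, best effort.
     *
     * <p>The full DN is returned unchanged when it does not lie under the base or when the
     * read-only context cannot be obtained; the failure is logged at FINE only, because membership
     * values that are not DNs are a normal occurrence. The context obtained for the comparison is
     * always closed so no connection is leaked per membership value.
     */
    private String removeBaseDN(String dn) {
        DirContext readOnlyCtx = null;
        try {
            readOnlyCtx = template.getContextSource().getReadOnlyContext();
            return LdapUtils.getRelativeName(dn, readOnlyCtx);
        } catch (Exception e) {
            LOGGER.log(Level.FINE, "Could not make DN relative to the base DN, keeping it as-is: " + dn, e);
            return dn;
        } finally {
            if (readOnlyCtx != null) {
                LdapUtils.closeContext(readOnlyCtx);
            }
        }
    }

    /**
     * Converts group names into roles and adds them to {@code roles}.
     *
     * <p>A name that cannot be converted is logged and skipped rather than aborting the whole
     * listing.
     */
    private void addRolesToSet(SortedSet<GeoServerRole> roles, Set<String> groupNames) {
        for (String groupName : groupNames) {
            try {
                roles.add(createRoleObject(groupName));
            } catch (IOException e) {
                LOGGER.log(Level.SEVERE, "Error adding a new role from LDAP", e);
            }
        }
    }

    /**
     * Runs the membership search for a user (by name and by DN, as the filter's {0} and {1}) and
     * adds the resulting group names as roles.
     */
    private void fillRolesForUser(
            DirContext ctx, String username, String userDn, SortedSet<GeoServerRole> roles) {
        addRolesToSet(
                roles,
                LDAPUtils.getLdapTemplateInContext(ctx, template)
                        .searchForSingleAttributeValues(
                                groupSearchBase,
                                groupMembershipFilter,
                                new String[] {username, userDn},
                                groupNameAttribute));
    }

    /** Parent/child role mappings are not exposed as a flat map by this service. */
    public Map<String, String> getParentMappings() throws IOException {
        return EMPTY_MAP;
    }

    /**
     * Builds the role for an LDAP group name: {@code rolePrefix} plus the name, upper-cased when
     * {@code convertToUpperCase} is set.
     *
     * <p>NOTE(review): the upper-casing uses the JVM default locale; any other code comparing role
     * authorities must apply the same transformation for the match to hold.
     */
    public GeoServerRole createRoleObject(String groupName) throws IOException {
        String name = convertToUpperCase ? groupName.toUpperCase() : groupName;
        return new GeoServerRole(rolePrefix + name);
    }

    /** Single-parent hierarchies are not modelled; nested groups are handled per lookup instead. */
    public GeoServerRole getParentRole(GeoServerRole role) throws IOException {
        return null;
    }

    /**
     * Looks up a role by its authority or bare group name.
     *
     * @param roleName the role name, with or without the {@code ROLE_} prefix
     * @return the role when exactly one LDAP group matches the name, {@code null} when none or
     *     several do (an ambiguous name is treated as not found rather than guessed at)
     */
    public GeoServerRole getRoleByName(String roleName) throws IOException {
        String groupName = normalizeGroupName(roleName);
        SortedSet<String> matches = new TreeSet<>();
        authenticateIfNeeded(
                (ctx, ldapEntryIdentification) ->
                        matches.addAll(
                                LDAPUtils.getLdapTemplateInContext(ctx, template)
                                        .searchForSingleAttributeValues(
                                                groupSearchBase,
                                                groupNameFilter,
                                                new String[] {groupName},
                                                groupNameAttribute)));
        return matches.size() == 1 ? createRoleObject(groupName) : null;
    }

    /** Nothing to preload: every call queries LDAP directly. */
    public void load() throws IOException {
    }

    /** Role parameter personalization is not supported for LDAP roles. */
    public Properties personalizeRoleParams(
            String roleName, Properties roleParams, String userName, Properties userProps)
            throws IOException {
        return null;
    }

    /**
     * @return the role of the configured administrator group, or {@code null} when no such group
     *     is configured or it cannot be found in LDAP
     */
    public GeoServerRole getAdminRole() {
        return lookupConfiguredRole(adminGroup);
    }

    /**
     * @return the role of the configured group-administrator group, or {@code null} when no such
     *     group is configured or it cannot be found in LDAP
     */
    public GeoServerRole getGroupAdminRole() {
        return lookupConfiguredRole(groupAdminGroup);
    }

    /**
     * Shared body of {@link #getAdminRole()} and {@link #getGroupAdminRole()}: resolves a
     * configured group name to a role, translating the lookup's checked exception because these
     * accessors are declared without one.
     */
    private GeoServerRole lookupConfiguredRole(String configuredGroup) {
        if (configuredGroup == null) {
            return null;
        }
        try {
            return getRoleByName(configuredGroup);
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Counts the groups matching {@code allGroupsSearchFilter} without materializing them.
     *
     * @return the number of groups found under {@code groupSearchBase}
     */
    public int getRoleCount() throws IOException {
        AtomicInteger count = new AtomicInteger(0);
        authenticateIfNeeded(
                (ctx, ldapEntryIdentification) ->
                        LDAPUtils.getLdapTemplateInContext(ctx, template)
                                .search(groupSearchBase, allGroupsSearchFilter, counter(count)));
        return count.get();
    }

    /** Strips the role prefix so an authority can be used as an LDAP group name. */
    private String normalizeGroupName(String roleName) {
        if (roleName.startsWith(rolePrefix)) {
            return roleName.substring(rolePrefix.length());
        }
        return roleName;
    }

    /**
     * Finds the groups that are direct members of the group behind {@code role}.
     *
     * <p>Membership values are read from {@code groupMembershipAttribute}; those containing
     * {@code groupSearchBase} are taken to be groups (the rest are users) and their CN becomes the
     * child role name.
     *
     * @throws RuntimeException if a child group name cannot be turned into a role
     */
    private Set<GeoServerRole> getChildrenRoles(GeoServerRole role) {
        Assert.notNull(role, "Geoserver role shouldn't be null.");
        String groupName = normalizeGroupName(role.getAuthority());
        String roleDn = getRoleDn(role);
        Set<String> childDns = new HashSet<>();
        authenticateIfNeeded(
                (ctx, ldapEntryIdentification) ->
                        childDns.addAll(
                                LDAPUtils.getLdapTemplateInContext(ctx, template)
                                        .searchForSingleAttributeValues(
                                                groupSearchBase,
                                                groupNameFilter,
                                                new String[] {groupName, roleDn},
                                                groupMembershipAttribute)
                                        .stream()
                                        .filter(dn -> dn.contains(groupSearchBase))
                                        .collect(Collectors.toSet())));
        Set<GeoServerRole> children = new HashSet<>();
        for (String childDn : childDns) {
            String childCn = extractGroupCnFromDn(childDn);
            if (StringUtils.isNotBlank(childCn)) {
                try {
                    children.add(createRoleObject(childCn));
                } catch (IOException e) {
                    throw new RuntimeException(e);
                }
            }
        }
        return children;
    }

    /**
     * Finds the groups that list the group behind {@code role} as a member, using
     * {@code nestedGroupSearchFilter} with the group name and DN as {0} and {1}.
     *
     * @return the parent roles, empty for a {@code null} role
     * @throws RuntimeException if a parent group name cannot be turned into a role
     */
    private Set<GeoServerRole> getParentRolesbyMember(GeoServerRole role) {
        if (role == null) {
            return Collections.emptySet();
        }
        Set<GeoServerRole> parents = new HashSet<>();
        String roleDn = getRoleDn(role);
        String groupName = normalizeGroupName(role.getAuthority());
        authenticateIfNeeded(
                (ctx, ldapEntryIdentification) -> {
                    Set<String> parentNames =
                            LDAPUtils.getLdapTemplateInContext(ctx, template)
                                    .searchForSingleAttributeValues(
                                            groupSearchBase,
                                            nestedGroupSearchFilter,
                                            new String[] {groupName, roleDn},
                                            groupNameAttribute);
                    for (String parentName : parentNames) {
                        try {
                            parents.add(createRoleObject(parentName));
                        } catch (IOException e) {
                            throw new RuntimeException(e);
                        }
                    }
                });
        return parents;
    }

    /**
     * Resolves the full DN of the group behind {@code role}.
     *
     * @return the group's DN, or {@code null} when no single group matches the name (the same
     *     not-found handling {@link #fillUsersForRole} applies, instead of failing inside the
     *     authenticated callback)
     */
    private String getRoleDn(GeoServerRole role) {
        String groupName = normalizeGroupName(role.getAuthority());
        MutableObject<String> roleDn = new MutableObject<>();
        authenticateIfNeeded(
                (ctx, ldapEntryIdentification) -> {
                    DirContextOperations group =
                            LDAPUtils.getLdapTemplateInContext(ctx, template)
                                    .searchForSingleEntry(
                                            groupSearchBase, groupNameFilter, new String[] {groupName});
                    if (group != null) {
                        roleDn.setValue(group.getNameInNamespace());
                    }
                });
        return roleDn.getValue();
    }
}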
