package org.esbtools.auth.ldap;

import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.DN;
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionOptions;
import com.unboundid.ldap.sdk.LDAPConnectionPool;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.RDN;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;
import com.unboundid.util.DebugType;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;
import java.security.GeneralSecurityException;
import java.time.Duration;
import java.time.Instant;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.atomic.AtomicBoolean;
import org.esbtools.auth.util.RolesProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/esbtools/auth/ldap/LdapRolesProvider.class */
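/**
 * {@link RolesProvider} backed by an LDAP directory.
 *
 * <p>A user is located by a subtree search for {@code uid=<user>} under the configured
 * search base. The user's roles are the {@code cn} values of the group DNs listed in the
 * entry's {@code memberOf} attribute (one role per group DN, taken from the first RDN that
 * carries a {@code cn}).
 *
 * <p>Connection handling: a single {@link LDAPConnection} is bound once and wrapped in an
 * {@link LDAPConnectionPool}. If the initial connection fails and the provider was created
 * with {@code failOnConnectionError == false}, the next lookup retries, but never more often
 * than {@link LdapConfiguration#getRetryIntervalSeconds()}. Only one thread performs a
 * connection attempt at a time; concurrent callers fail fast with the last seen
 * {@link LDAPException}.
 */
public class LdapRolesProvider implements RolesProvider {
    private static final Logger LOGGER = LoggerFactory.getLogger(LdapRolesProvider.class);

    /** Attribute used to locate the user entry. */
    private static final String UID_ATTRIBUTE = "uid";
    /** Attribute of the user entry holding the DNs of the groups the user belongs to. */
    private static final String MEMBER_OF_ATTRIBUTE = "memberOf";
    /** RDN attribute of a group DN whose value(s) become role names. */
    private static final String ROLE_RDN_ATTRIBUTE = "cn";

    private final String searchBase;
    private final LdapConfiguration ldapConfiguration;
    private final LDAPConnection ldapConnection;
    // Published by the thread that wins attemptingConnect and read unsynchronized by every
    // lookup; volatile so readers see the configured pool rather than a stale null.
    private volatile LDAPConnectionPool connectionPool;
    // Last failure of a connection attempt; re-thrown to callers during the retry back-off.
    private volatile LDAPException connectionException;
    private volatile Instant lastConnectionAttempt;
    // Guard ensuring a single in-flight connection attempt.
    private final AtomicBoolean attemptingConnect;

    /**
     * Creates a provider that fails construction if the directory cannot be reached.
     *
     * @param searchBase base DN under which user entries are searched
     * @param ldapConfiguration connection, bind and pool settings
     * @throws Exception if the SSL socket factory cannot be created or the initial
     *     connection/bind fails
     */
    public LdapRolesProvider(String searchBase, LdapConfiguration ldapConfiguration) throws Exception {
        this(searchBase, ldapConfiguration, true);
    }

    /**
     * Creates a provider and attempts the initial connection.
     *
     * @param searchBase base DN under which user entries are searched
     * @param ldapConfiguration connection, bind and pool settings
     * @param failOnConnectionError when {@code true} an initial connection failure is
     *     propagated; when {@code false} it is logged and retried on the next lookup after
     *     the configured retry interval
     * @throws Exception if the SSL socket factory cannot be created, or if the initial
     *     connection/bind fails and {@code failOnConnectionError} is {@code true}
     */
    public LdapRolesProvider(String searchBase, LdapConfiguration ldapConfiguration, boolean failOnConnectionError)
            throws Exception {
        this.attemptingConnect = new AtomicBoolean(false);
        LOGGER.debug("Creating esbtoolsLdapRoleProvider");
        Objects.requireNonNull(searchBase, "searchBase");
        Objects.requireNonNull(ldapConfiguration, "ldapConfiguration");
        this.searchBase = searchBase;
        this.ldapConfiguration = ldapConfiguration;
        this.ldapConnection = getLdapConnection(ldapConfiguration);
        try {
            connectIfNeeded();
        } catch (LDAPException e) {
            if (failOnConnectionError) {
                throw e;
            }
            LOGGER.warn("Failed to connect to LDAP server, will retry on next lookup after {} seconds.", ldapConfiguration.getRetryIntervalSeconds(), e);
        }
    }

    /**
     * Builds an unconnected {@link LDAPConnection} from the configuration.
     *
     * <p>Timeouts and keep-alive are taken from the configuration. With SSL enabled the
     * server certificate is validated against the configured JKS trust store (validity dates
     * are examined); without SSL the connection is plain text and a warning is logged.
     *
     * @param ldapConfiguration connection settings
     * @return a configured, not yet connected connection
     * @throws GeneralSecurityException if the SSL socket factory cannot be created
     */
    private static LDAPConnection getLdapConnection(LdapConfiguration ldapConfiguration) throws GeneralSecurityException {
        if (ldapConfiguration.isDebug()) {
            // Routes the SDK's java.util.logging output through log4j and turns on SDK tracing.
            System.setProperty("java.util.logging.manager", "org.apache.logging.log4j.jul.LogManager");
            System.setProperty("com.unboundid.ldap.sdk.debug.enabled", "true");
            System.setProperty("com.unboundid.ldap.sdk.debug.level", "FINEST");
            System.setProperty("com.unboundid.ldap.sdk.debug.type", DebugType.getTypeNameList());
        }
        LDAPConnectionOptions options = new LDAPConnectionOptions();
        options.setConnectTimeoutMillis(ldapConfiguration.getConnectionTimeoutMS().intValue());
        options.setResponseTimeoutMillis(ldapConfiguration.getResponseTimeoutMS().intValue());
        options.setUseKeepAlive(ldapConfiguration.isKeepAlive());
        if (!ldapConfiguration.getUseSSL().booleanValue()) {
            LOGGER.warn("Not using SSL to connect to ldap. This is very insecure - do not use in prod environments!");
            return new LDAPConnection(options);
        }
        // Arguments: trust store path, trust store PIN, store format, examineValidityDates.
        TrustStoreTrustManager trustManager = new TrustStoreTrustManager(
                ldapConfiguration.getTrustStore(),
                ldapConfiguration.getTrustStorePassword().toCharArray(),
                "JKS",
                true);
        return new LDAPConnection(new SSLUtil(trustManager).createSSLSocketFactory(), options);
    }

    /**
     * Ensures {@link #connectionPool} is initialised, performing a connection attempt if
     * none is in flight and the retry interval has elapsed since the last one.
     *
     * @throws LDAPException if this attempt fails, or the last seen failure when the retry
     *     interval has not elapsed or another thread is currently attempting to connect
     * @throws IllegalStateException if a previous failure is expected but none was recorded
     */
    private void connectIfNeeded() throws LDAPException {
        if (this.connectionPool != null) {
            return;
        }
        if (!readyForConnectionAttempt()) {
            throw lastSeenConnectionException();
        }
        // Concurrent callers fail fast instead of queueing behind the attempt. The CAS sits
        // outside the try/finally below so that a loser never clears the winner's guard.
        if (!this.attemptingConnect.compareAndSet(false, true)) {
            throw lastSeenConnectionException();
        }
        try {
            if (this.lastConnectionAttempt != null) {
                LOGGER.info("Connection retry interval ({} seconds) passed, attempting connection recovery to LDAP at {}:{}",
                        this.ldapConfiguration.getRetryIntervalSeconds(),
                        this.ldapConfiguration.getServer(),
                        this.ldapConfiguration.getPort());
            }
            this.lastConnectionAttempt = Instant.now();
            BindResult bindResult = connectAndBindIfNeeded();
            if (bindResult != null && bindResult.getResultCode() != ResultCode.SUCCESS) {
                LOGGER.error("Error binding to LDAP: {}", bindResult.getResultCode());
                throw new LDAPException(bindResult.getResultCode(), "Error binding to LDAP");
            }
            LDAPConnectionPool pool = new LDAPConnectionPool(this.ldapConnection, this.ldapConfiguration.getPoolSize().intValue());
            pool.setMaxConnectionAgeMillis(this.ldapConfiguration.getPoolMaxConnectionAgeMS().intValue());
            // Publish only once fully configured.
            this.connectionPool = pool;
            LOGGER.info("Initialized LDAPConnectionPool: poolSize={}, poolMaxAge={}, connectionTimeout={}, responseTimeout={}, debug={}, keepAlive={}.",
                    this.ldapConfiguration.getPoolSize(),
                    this.ldapConfiguration.getPoolMaxConnectionAgeMS(),
                    this.ldapConfiguration.getConnectionTimeoutMS(),
                    this.ldapConfiguration.getResponseTimeoutMS(),
                    Boolean.valueOf(this.ldapConfiguration.isDebug()),
                    Boolean.valueOf(this.ldapConfiguration.isKeepAlive()));
        } catch (LDAPException e) {
            this.connectionException = e;
            throw e;
        } finally {
            this.attemptingConnect.set(false);
        }
    }

    /**
     * Connects and binds the shared connection if it is not yet connected, or binds it if it
     * is connected but has never been bound.
     *
     * @return the bind result, or {@code null} if no bind was necessary
     * @throws LDAPException if connecting or binding fails
     */
    private BindResult connectAndBindIfNeeded() throws LDAPException {
        if (!this.ldapConnection.isConnected()) {
            this.ldapConnection.connect(this.ldapConfiguration.getServer(), this.ldapConfiguration.getPort().intValue());
            return this.ldapConnection.bind(this.ldapConfiguration.getBindDn(), this.ldapConfiguration.getBindDNPwd());
        }
        if (this.ldapConnection.getLastBindRequest() == null) {
            return this.ldapConnection.bind(this.ldapConfiguration.getBindDn(), this.ldapConfiguration.getBindDNPwd());
        }
        return null;
    }

    /**
     * Looks up the roles of a user.
     *
     * @param uid value of the user's {@code uid} attribute; used as an escaped assertion
     *     value, so filter metacharacters in it are matched literally
     * @return a mutable set of role names; empty when the user is not found or more than one
     *     entry matches
     * @throws Exception if the directory is unreachable, the search fails, or a group DN in
     *     {@code memberOf} cannot be parsed
     */
    @Override // org.esbtools.auth.util.RolesProvider
    public Set<String> getUserRoles(String uid) throws Exception {
        LOGGER.debug("getRoles({})", uid);
        Objects.requireNonNull(uid, "uid");
        connectIfNeeded();
        // uid is caller supplied: let the SDK build the filter so that characters such as
        // '*', '(', ')' and '\' are escaped instead of changing the search semantics.
        // Only the attribute that is actually read is requested.
        SearchRequest request = new SearchRequest(
                this.searchBase,
                SearchScope.SUB,
                Filter.createEqualityFilter(UID_ATTRIBUTE, uid),
                MEMBER_OF_ATTRIBUTE);
        List<SearchResultEntry> entries = this.connectionPool.search(request).getSearchEntries();
        if (entries.isEmpty()) {
            LOGGER.warn("No result found roles for user: {}", uid);
            return new HashSet<>();
        }
        if (entries.size() > 1) {
            LOGGER.error("Multiples users found and only one was expected for user: {}", uid);
            return new HashSet<>();
        }
        return rolesFromGroupDns(entries.get(0).getAttributeValues(MEMBER_OF_ATTRIBUTE));
    }

    /**
     * Maps group DNs to role names: for each DN, the value(s) of the first RDN that carries a
     * {@code cn} attribute are added (e.g. {@code cn=admins,ou=groups,dc=example} yields
     * {@code admins}).
     *
     * @param groupDns values of the {@code memberOf} attribute, or {@code null} if absent
     * @return a mutable set of role names, empty for {@code null} or no usable DN
     * @throws LDAPException if a DN cannot be parsed
     */
    private static Set<String> rolesFromGroupDns(String[] groupDns) throws LDAPException {
        Set<String> roles = new HashSet<>();
        if (groupDns == null) {
            return roles;
        }
        for (String groupDn : groupDns) {
            for (RDN rdn : new DN(groupDn).getRDNs()) {
                if (rdn.hasAttribute(ROLE_RDN_ATTRIBUTE)) {
                    roles.addAll(Arrays.asList(rdn.getAttributeValues()));
                    break;
                }
            }
        }
        return roles;
    }

    /**
     * Returns the failure recorded by the last connection attempt.
     *
     * @return the last {@link LDAPException}
     * @throws IllegalStateException if no failure was recorded, which indicates a bug in the
     *     connection state handling
     */
    private LDAPException lastSeenConnectionException() {
        if (this.connectionException == null) {
            throw new IllegalStateException("Expected connection exception, but was null. There was probably a problem connecting but the exception is unknown. Please report this bug to maintainers: https://github.com/esbtools/cert-ldap-login-module/issues/new");
        }
        return this.connectionException;
    }

    /**
     * @return {@code true} if no connection attempt has been made yet, or the configured retry
     *     interval has elapsed since the last one
     */
    private boolean readyForConnectionAttempt() {
        if (this.lastConnectionAttempt == null) {
            return true;
        }
        Duration retryInterval = Duration.ofSeconds(this.ldapConfiguration.getRetryIntervalSeconds().longValue());
        Duration sinceLastAttempt = Duration.between(this.lastConnectionAttempt, Instant.now());
        return sinceLastAttempt.compareTo(retryInterval) >= 0;
    }
}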
