package com.hazelcast.webmonitor.security.spi.impl.ldap;

import com.hazelcast.webmonitor.model.SecurityConfigConstants;
import com.hazelcast.webmonitor.repositories.sql.GroupedSettingsDAO;
import com.hazelcast.webmonitor.security.spi.SecurityConfigApiException;
import com.hazelcast.webmonitor.security.spi.SecurityConfigParameter;
import com.hazelcast.webmonitor.security.spi.impl.AbstractLdapSecurityProvider;
import com.hazelcast.webmonitor.security.spi.impl.LdapUserDetailsContextMapper;
import com.hazelcast.webmonitor.security.spi.impl.SecurityConfigImportService;
import com.hazelcast.webmonitor.service.HomeDirectoryProvider;
import com.hazelcast.webmonitor.ssl.SSLConfig;
import com.hazelcast.webmonitor.ssl.SSLContextFactory;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import javax.naming.Context;
import javax.net.ssl.SSLContext;
import org.jdbi.v3.core.Jdbi;
import org.opensaml.soap.wssecurity.Password;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.ldap.NamingException;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.ldap.LdapUtils;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
import org.springframework.security.ldap.userdetails.NestedLdapAuthoritiesPopulator;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/classes/com/hazelcast/webmonitor/security/spi/impl/ldap/LdapSecurityProvider.class
 */
/* loaded from: input_file:com/hazelcast/webmonitor/security/spi/impl/ldap/LdapSecurityProvider.class */
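/**
 * LDAP-backed {@code SecurityProvider}: persists the LDAP settings supplied through the
 * security-config API (or imported from a properties file) and builds a Spring Security
 * {@link LdapAuthenticationProvider} from them.
 *
 * <p>Every (re)configuration first performs a bind with the configured service account
 * ({@link #checkLdapCredentials}) and only then swaps in a new authentication provider.
 *
 * <p>Not thread-safe: {@link #getAuthenticationProvider()} initialises lazily without any
 * synchronisation. NOTE(review): presumably the surrounding framework serialises config
 * updates — confirm before relying on concurrent calls.
 */
public class LdapSecurityProvider extends AbstractLdapSecurityProvider {
    private static final Logger LOGGER = LoggerFactory.getLogger(LdapSecurityProvider.class);
    public static final String LDAP_SECURITY_PROVIDER_NAME = "LDAP";
    /** Property prefix handed to {@link SSLConfig} for the LDAPS / StartTLS trust material. */
    private static final String LDAPS_SSL_PREFIX = "hazelcast.mc.ldap.ssl.";
    // Built lazily by getAuthenticationProvider(), or eagerly by saveConfig()/reloadConfig().
    private LdapAuthenticationProvider authenticationProvider;
    private final PersistentLdapConfig persistentLdapConfig;
    private final SecurityConfigImportService securityConfigImportService;

    /**
     * Creates the provider and loads the persisted LDAP configuration.
     *
     * @param homeDirectoryProvider     location of the home directory used by {@link PersistentLdapConfigFactory}
     * @param jdbi                      database handle used by {@link PersistentLdapConfigFactory}
     * @param groupedSettingsDAO        settings store used by {@link PersistentLdapConfigFactory}
     * @param securityConfigImportService source of properties-file based (re)configuration
     */
    public LdapSecurityProvider(HomeDirectoryProvider homeDirectoryProvider, Jdbi jdbi, GroupedSettingsDAO groupedSettingsDAO,
                                SecurityConfigImportService securityConfigImportService) {
        this.persistentLdapConfig = new PersistentLdapConfigFactory(homeDirectoryProvider, jdbi, groupedSettingsDAO).create();
        this.securityConfigImportService = securityConfigImportService;
    }

    /** @return the provider name shown in the security configuration, always {@value #LDAP_SECURITY_PROVIDER_NAME} */
    @Override
    public String getName() {
        return LDAP_SECURITY_PROVIDER_NAME;
    }

    /**
     * Describes the parameters accepted by {@link #saveConfig(Map)}, with their labels and default values.
     *
     * @return the parameter descriptors in display order
     */
    @Override
    public List<SecurityConfigParameter> getConfigParameters() {
        return Arrays.asList(
                SecurityConfigParameter.stringParam("url", "URL", "ldap://localhost:10389"),
                SecurityConfigParameter.stringParam("username", "Distinguished name (DN) of user", "cn=Some User,cn=users,dc=example,dc=com"),
                // The decompiled source referenced the OpenSAML constant Password.ELEMENT_LOCAL_NAME, whose
                // value is the literal "Password"; the literal removes a pointless dependency on OpenSAML.
                SecurityConfigParameter.secretParam("password", "Password"),
                SecurityConfigParameter.stringParam(LdapConfig.USER_DN_PROPERTY_NAME, "User DN", "ou=users,o=yourorg"),
                SecurityConfigParameter.stringParam(LdapConfig.GROUP_DN_PROPERTY_NAME, "Group DN", "ou=groups,o=yourorg"),
                SecurityConfigParameter.stringParam("adminGroup", "Admin Group Name", SecurityConfigConstants.DEFAULT_ADMIN_GROUP),
                SecurityConfigParameter.stringParam("userGroup", "User Group Name", SecurityConfigConstants.DEFAULT_USER_GROUP),
                SecurityConfigParameter.stringParam("readonlyUserGroup", "Read-only User Group Name", SecurityConfigConstants.DEFAULT_READONLY_USER_GROUP),
                SecurityConfigParameter.stringParam("metricsOnlyGroup", "Metrics-only Group Name", SecurityConfigConstants.DEFAULT_METRICS_ONLY_GROUP),
                SecurityConfigParameter.boolParam(LdapConfig.START_TLS_PROPERTY_NAME, "Start TLS"),
                SecurityConfigParameter.stringParam("userSearchFilter", "User Search Filter", "uid={0}"),
                SecurityConfigParameter.stringParam(LdapConfig.GROUP_SEARCH_FILTER_PROPERTY_NAME, "Group Search Filter", "uniquemember={0}"),
                SecurityConfigParameter.boolParam("nestedGroupSearch", "Nested Group Search", true));
    }

    /**
     * Persists the submitted configuration and rebuilds the authentication provider from it.
     *
     * <p>Missing keys yield {@code null} values; only {@code nestedGroupSearch} has a default ({@code true}).
     * NOTE(review): the configuration is written before {@link #initAuthenticationProvider} performs the
     * bind check, so a rejected credential set is still persisted — confirm whether that is intended.
     *
     * @param map parameter values keyed by the names from {@link #getConfigParameters()}
     * @throws SecurityConfigApiException if the bind with the configured service account fails
     */
    @Override
    public void saveConfig(Map<String, String> map) {
        LdapConfig config = LdapConfig.builder()
                .url(map.get("url"))
                .username(map.get("username"))
                .password(map.get("password"))
                .userDn(map.get(LdapConfig.USER_DN_PROPERTY_NAME))
                .groupDn(map.get(LdapConfig.GROUP_DN_PROPERTY_NAME))
                .adminGroup(map.get("adminGroup"))
                .readonlyUserGroup(map.get("readonlyUserGroup"))
                .userGroup(map.get("userGroup"))
                .metricsOnlyGroup(map.get("metricsOnlyGroup"))
                .startTls(Boolean.parseBoolean(map.get(LdapConfig.START_TLS_PROPERTY_NAME)))
                .userSearchFilter(map.get("userSearchFilter"))
                .groupSearchFilter(map.get(LdapConfig.GROUP_SEARCH_FILTER_PROPERTY_NAME))
                .nestedGroupSearch(Boolean.parseBoolean(map.getOrDefault("nestedGroupSearch", "true")))
                .build();
        this.persistentLdapConfig.write(config);
        initAuthenticationProvider(config);
    }

    /**
     * Returns the Spring Security provider, building it from the persisted configuration on first use.
     *
     * @return the LDAP authentication provider
     * @throws SecurityConfigApiException if lazy initialisation fails the bind check
     */
    @Override
    public AuthenticationProvider getAuthenticationProvider() {
        if (this.authenticationProvider == null) {
            initAuthenticationProvider(this.persistentLdapConfig.get());
        }
        return this.authenticationProvider;
    }

    /**
     * Replaces the persisted configuration with the one read from the import properties, rebuilds the
     * provider and then lets the import service clean up. As in {@link #saveConfig(Map)}, the write
     * happens before the bind check.
     *
     * @throws SecurityConfigApiException if the bind with the imported service account fails
     */
    @Override
    public void reloadConfig() {
        this.persistentLdapConfig.write(LdapConfig.fromProperties(this.securityConfigImportService.readProperties()));
        initAuthenticationProvider(this.persistentLdapConfig.get());
        this.securityConfigImportService.cleanupOnSuccessfulImport();
    }

    /** @return whether import properties are present, i.e. {@link #reloadConfig()} has something to load */
    @Override
    public boolean reloadConfigAvailable() {
        return this.securityConfigImportService.importPropertiesAvailable();
    }

    /**
     * Validates the service-account credentials against the directory and, on success, installs a new
     * {@link LdapAuthenticationProvider} built from {@code ldapConfig}.
     *
     * @throws SecurityConfigApiException if the bind fails
     */
    private void initAuthenticationProvider(LdapConfig ldapConfig) {
        // Fail fast: the old provider stays in place unless the new settings can bind.
        checkLdapCredentials(ldapConfig);
        LdapContextSource contextSource = createLdapContextSource(ldapConfig);
        LdapAuthenticationProvider provider = new LdapAuthenticationProvider(
                createBindAuthenticator(ldapConfig, contextSource),
                createAuthoritiesPopulator(ldapConfig, contextSource));
        provider.setUserDetailsContextMapper(new LdapUserDetailsContextMapper(ldapConfig.getGroupsToRolesMappingConfig()));
        this.authenticationProvider = provider;
    }

    /** Builds the group-membership lookup (nested or flat, per {@code nestedGroupSearch}) below the group DN. */
    private static DefaultLdapAuthoritiesPopulator createAuthoritiesPopulator(LdapConfig ldapConfig, LdapContextSource contextSource) {
        // A null group DN means "search from the context source's base".
        String groupDn = ldapConfig.getGroupDn() == null ? "" : ldapConfig.getGroupDn();
        DefaultLdapAuthoritiesPopulator populator = ldapConfig.isNestedGroupSearch()
                ? new NestedLdapAuthoritiesPopulator(contextSource, groupDn)
                : new DefaultLdapAuthoritiesPopulator(contextSource, groupDn);
        // No ROLE_ prefix: raw group names are passed on to LdapUserDetailsContextMapper together with
        // the groups-to-roles mapping (see initAuthenticationProvider).
        populator.setRolePrefix("");
        populator.setGroupSearchFilter(ldapConfig.getGroupSearchFilter());
        populator.setSearchSubtree(true);
        return populator;
    }

    /** Builds the bind authenticator that locates the user via the search filter below the user DN. */
    private static BindAuthenticator createBindAuthenticator(LdapConfig ldapConfig, LdapContextSource contextSource) {
        FilterBasedLdapUserSearch userSearch =
                new FilterBasedLdapUserSearch(ldapConfig.getUserDn(), ldapConfig.getUserSearchFilter(), contextSource);
        userSearch.setSearchSubtree(true);
        BindAuthenticator authenticator = new BindAuthenticator(contextSource);
        authenticator.setUserSearch(userSearch);
        return authenticator;
    }

    /**
     * Creates an initialised context source for {@code ldapConfig}, wiring in StartTLS and/or LDAPS
     * trust material from the {@value #LDAPS_SSL_PREFIX} settings.
     *
     * <p>Side effect: for an {@code ldaps} URL the JVM-wide default {@link SSLContext} is replaced.
     */
    private LdapContextSource createLdapContextSource(LdapConfig ldapConfig) {
        LdapContextSource contextSource = new LdapContextSource();
        contextSource.setUrl(ldapConfig.getUrl());
        contextSource.setUserDn(ldapConfig.getUsername());
        contextSource.setPassword(ldapConfig.getPassword());
        // JNDI connect and read timeouts; ldapConnTimeout is inherited from AbstractLdapSecurityProvider.
        Map<String, Object> env = new Hashtable<>();
        env.put("com.sun.jndi.ldap.connect.timeout", String.valueOf(this.ldapConnTimeout));
        env.put("com.sun.jndi.ldap.read.timeout", String.valueOf(this.ldapConnTimeout));
        contextSource.setBaseEnvironmentProperties(env);
        if (ldapConfig.isStartTls()) {
            LOGGER.info("Using Start TLS for LDAP authentication.");
            DefaultTlsDirContextAuthenticationStrategy strategy = new DefaultTlsDirContextAuthenticationStrategy();
            try {
                strategy.setSslSocketFactory(createSslContext().getSocketFactory());
            } catch (Exception e) {
                // Deliberately non-fatal (kept from the original): StartTLS is still negotiated, but
                // without the configured socket factory — presumably on the JVM default trust store —
                // so a broken hazelcast.mc.ldap.ssl.* setup only shows up as this warning.
                LOGGER.warn("Failed to enable Start TLS.", e);
            }
            contextSource.setAuthenticationStrategy(strategy);
        }
        String url = ldapConfig.getUrl();
        if (url != null && url.startsWith("ldaps")) {
            LOGGER.info("Using LDAP over SSL for LDAP authentication.");
            try {
                // JNDI's ldaps handling picks up the default SSLContext, hence the process-wide override;
                // every other TLS client in this JVM that relies on the default sees it too.
                SSLContext.setDefault(createSslContext());
            } catch (Exception e) {
                // Non-fatal as in the original: the connection proceeds with whatever default is in place.
                LOGGER.warn("Failed to enable ldaps.", e);
            }
        }
        contextSource.afterPropertiesSet();
        return contextSource;
    }

    /** @return an {@link SSLContext} built from the {@value #LDAPS_SSL_PREFIX} settings */
    private static SSLContext createSslContext() throws Exception {
        return new SSLContextFactory(new SSLConfig(LDAPS_SSL_PREFIX)).create();
    }

    /**
     * Performs a bind with the configured service account and closes the resulting context.
     *
     * <p>Building the context source here has the same LDAPS side effect as {@link #createLdapContextSource}.
     *
     * @throws SecurityConfigApiException carrying the directory's explanation (not the stack trace) if the bind fails
     */
    private void checkLdapCredentials(LdapConfig ldapConfig) {
        Context context = null;
        try {
            context = createLdapContextSource(ldapConfig).getContext(ldapConfig.getUsername(), ldapConfig.getPassword());
        } catch (NamingException e) {
            LOGGER.warn(e.getMessage(), e);
            throw new SecurityConfigApiException(e.getExplanation());
        } finally {
            // closeContext tolerates null, so a failed bind leaves nothing to close.
            LdapUtils.closeContext(context);
        }
    }
}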
