package de.sep.sesam.restapi.authentication;

import de.sep.sesam.gui.common.logging.LogGroup;
import de.sep.sesam.gui.common.logging.SepLogLevel;
import de.sep.sesam.gui.common.logging.messages.SimpleMessage;
import de.sep.sesam.model.Credentials;
import de.sep.sesam.model.ExternalGroups;
import de.sep.sesam.model.Groups;
import de.sep.sesam.model.Users;
import de.sep.sesam.model.dto.SEPAuthentication;
import de.sep.sesam.model.type.LoginType;
import de.sep.sesam.model.type.UserOrigin;
import de.sep.sesam.restapi.dao.DaoAccessor;
import de.sep.sesam.restapi.exception.AuthenticationException;
import de.sep.sesam.restapi.exception.ServiceException;
import de.sep.sesam.security.PasswordController;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.UUID;
import org.apache.commons.lang.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.jdbc.datasource.init.ScriptUtils;
import org.springframework.ldap.CommunicationException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;

/* loaded from: input_file:de/sep/sesam/restapi/authentication/LDAPCredentialsLogin.class */
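/**
 * Login method that authenticates a user by binding against an LDAP directory and then
 * maps the user's LDAP group authorities onto local {@link Groups} via the external group
 * mapping. A directory user that has no local {@link Users} record yet is auto-created
 * with origin {@link UserOrigin#LDAP}.
 *
 * <p>Authorization is fail-closed: a user whose LDAP groups map to no configured external
 * group is rejected, and a failure while synchronizing group memberships rejects the login
 * instead of handing out a session with an indeterminate set of groups.
 */
public class LDAPCredentialsLogin extends AbstractLoginMethod {

    /** Fallback directory URL when the credentials record carries no path (plain ldap://, not ldaps://). */
    private static final String DEFAULT_LDAP_URL = "ldap://localhost:739";
    /** Fallback bind DN for the service account (credentials "osAccessName"). */
    private static final String DEFAULT_BIND_DN = "uid={0},cn=users,dc=sep,dc=de";
    /** Fallback user DN pattern list for the bind authentication (credentials "accessName"). */
    private static final String DEFAULT_USER_DN_PATTERNS = "uid={0},cn=users,dc=domain,dc=com";
    /** Fallback LDAP group search filter (credentials "storeName"). */
    private static final String DEFAULT_GROUP_SEARCH_FILTER = "(member={0})";
    /** Separator between several user DN patterns in the access name (same value as the JDBC ScriptUtils constant used before). */
    private static final String USER_DN_PATTERN_SEPARATOR = ";";
    /** Comment stored on auto-created local accounts. */
    private static final String LDAP_USER_COMMENT = "LDAP User";

    @Autowired
    private DaoAccessor daos;

    /**
     * Authenticates the user against LDAP and builds the session context.
     *
     * @param sEPAuthentication login request carrying name, password and client ip
     * @return the session context, or {@code null} when the directory could not be reached or
     *         rejected the credentials (logged as INVALID_CREDENTIALS, matching the previous contract)
     * @throws AuthenticationException when the bind succeeds but the user maps to no external
     *         group, the local account is disabled, cannot be auto-created, or the group
     *         memberships cannot be synchronized
     */
    @Override // de.sep.sesam.restapi.authentication.AbstractLoginMethod
    public SessionContext createAndAuthenticateUser(SEPAuthentication sEPAuthentication) throws AuthenticationException {
        final String method = "createAndAuthenticateUser";
        final String userName = sEPAuthentication.name;
        getLogger().start(method, SepLogLevel.INFO, LogGroup.SECURITY, userName, sEPAuthentication.ip);
        checkAuthenticationProvider();
        try {
            Authentication authentication = getAuthenticationProvider()
                    .authenticate(new UsernamePasswordAuthenticationToken(userName, sEPAuthentication.password));
            if (authentication == null || !authentication.isAuthenticated()) {
                throw new AuthenticationException(AuthenticationException.AuthMessage.INVALID_CREDENTIALS, userName);
            }
            getLogger().info(method, LogGroup.SECURITY, new SimpleMessage("{0} LDAP Groups: {1}"), userName, authentication.getAuthorities());

            List<String> ldapGroupNames = collectAuthorityNames(authentication);
            List<ExternalGroups> mappedExternalGroups = lookupMappedExternalGroups(method, ldapGroupNames, userName);
            if (mappedExternalGroups.isEmpty()) {
                // No mapped external group means no local role: reject rather than create a role-less session.
                throw new AuthenticationException(AuthenticationException.AuthMessage.USER_DISABLED, userName);
            }

            Users user = getDaos().getUsersDao().get(userName);
            if (user == null) {
                user = autoCreateLdapUser(method, userName);
            }
            if (!Boolean.TRUE.equals(user.getEnabled())) {
                getLogger().info(method, LogGroup.SECURITY, new SimpleMessage("Account for user {0} is disabled."), userName);
                throw new AuthenticationException(AuthenticationException.AuthMessage.ACCOUNT_INVALID, userName);
            }

            List<Groups> groups = synchronizeGroupMemberships(method, user, mappedExternalGroups, userName);
            getLogger().success(method, SepLogLevel.INFO, LogGroup.SECURITY, userName);
            return new SessionContext(getDaos(), LoginType.LDAP, user, groups, new ArrayList<>(), ldapGroupNames, sEPAuthentication.ip);
        } catch (CommunicationException e) {
            // Directory unreachable: record it distinctly so operators can tell an outage from a bad
            // password, but keep the caller-facing outcome (null session) unchanged.
            getLogger().info(method, LogGroup.SECURITY, new SimpleMessage("LDAP communication failure while authenticating {0}: {1}"), userName, e.getMessage());
            getLogger().error(method, LogGroup.SECURITY, AuthenticationException.AuthMessage.INVALID_CREDENTIALS, userName);
            return null;
        } catch (org.springframework.security.core.AuthenticationException e) {
            getLogger().error(method, LogGroup.SECURITY, AuthenticationException.AuthMessage.INVALID_CREDENTIALS, userName);
            return null;
        }
    }

    /** Extracts the authority (group) names granted by the LDAP authorities populator. */
    private static List<String> collectAuthorityNames(Authentication authentication) {
        List<String> names = new ArrayList<>();
        for (GrantedAuthority authority : authentication.getAuthorities()) {
            names.add(authority.getAuthority());
        }
        return names;
    }

    /**
     * Resolves the external groups configured for the given LDAP group names.
     * A lookup failure is logged and yields an empty list, so the caller fails closed.
     */
    private List<ExternalGroups> lookupMappedExternalGroups(String method, List<String> ldapGroupNames, String userName) {
        List<ExternalGroups> mapped = new ArrayList<>();
        try {
            // NOTE(review): the boolean flag is passed through unchanged; confirm its meaning against ExternalGroupsDao.getByMapping.
            List<ExternalGroups> byMapping = getDaos().getExternalGroupsDao().getByMapping(ldapGroupNames, true);
            if (byMapping != null) {
                mapped.addAll(byMapping);
            }
        } catch (ServiceException e) {
            getLogger().info(method, LogGroup.SECURITY, new SimpleMessage("Failed to resolve external group mapping for user {0}: {1}"), userName, e.getMessage());
        }
        return mapped;
    }

    /**
     * Creates the local account for a directory user seen for the first time.
     *
     * @throws AuthenticationException (ACCOUNT_INVALID) when the record cannot be persisted
     */
    private Users autoCreateLdapUser(String method, String userName) throws AuthenticationException {
        Users template = new Users();
        template.setAccountExpired(false);
        template.setEnabled(true);
        template.setLocked(false);
        template.setPasswordExpired(false);
        template.setName(userName);
        // Random placeholder: the directory is the password authority for LDAP-origin accounts.
        // NOTE(review): confirm this value can never be used for a local (non-LDAP) login.
        template.setPassword(UUID.randomUUID().toString());
        template.setOrigin(UserOrigin.LDAP);
        template.setUsercomment(LDAP_USER_COMMENT);
        try {
            return (Users) getDaos().getUsersDao().create(template);
        } catch (ServiceException e) {
            getLogger().info(method, LogGroup.SECURITY, new SimpleMessage("Failed to auto create account for user {0}."), userName);
            throw new AuthenticationException(AuthenticationException.AuthMessage.ACCOUNT_INVALID, userName);
        }
    }

    /**
     * Replaces the user's local group memberships with the local groups mapped from the
     * user's external LDAP groups and returns those groups.
     *
     * @throws AuthenticationException (ACCOUNT_INVALID) when any DAO step fails; the failure is
     *         logged and the login rejected, because the memberships may already have been
     *         removed and the resulting session would carry an indeterminate set of groups
     */
    private List<Groups> synchronizeGroupMemberships(String method, Users user, List<ExternalGroups> mappedExternalGroups, String userName)
            throws AuthenticationException {
        try {
            // Old memberships are dropped first so that groups revoked in the directory do not linger locally.
            getDaos().getUserGroupRelationsDao().removeByUser(user.getId());
            List<Groups> groups = getDaos().getGroupsDao().getGroupsByExternalGroup(mappedExternalGroups);
            if (groups == null) {
                groups = new ArrayList<>();
            }
            for (Groups group : groups) {
                getDaos().getGroupsDao().persistUsers(user.getId(), group.getId());
            }
            return groups;
        } catch (ServiceException e) {
            getLogger().info(method, LogGroup.SECURITY, new SimpleMessage("Failed to synchronize group memberships for user {0}: {1}"), userName, e.getMessage());
            throw new AuthenticationException(AuthenticationException.AuthMessage.ACCOUNT_INVALID, userName);
        }
    }

    @Override // de.sep.sesam.restapi.authentication.AbstractLoginMethod
    protected String getCredentialsType() {
        return "LDAP";
    }

    /**
     * Returns the bind secret in clear form: the stored value decrypted via
     * {@link PasswordController}, or the stored value itself when decryption yields
     * {@code null} (a secret stored in plaintext is therefore accepted as-is).
     *
     * @param str stored secret, may be {@code null}
     * @return usable secret, or {@code null} when none is stored
     */
    private String restoreSecret(String str) {
        if (str == null) {
            return null;
        }
        String decrypted = PasswordController.getInstance().decrypt(str);
        return decrypted != null ? decrypted : str;
    }

    /**
     * Builds the Spring Security LDAP provider from a credentials record.
     * Blank fields fall back to the {@code DEFAULT_*} constants above.
     *
     * @param credentials the LDAP connection settings; must not be {@code null}
     * @return a bind-authenticating provider whose authorities are the user's group names
     *         (no role prefix, upper-cased, searched through the whole subtree)
     * @throws NullPointerException when {@code credentials} is {@code null}
     */
    @Override // de.sep.sesam.restapi.authentication.AbstractLoginMethod
    protected AbstractLdapAuthenticationProvider createAuthenticationProvider(Credentials credentials) {
        Objects.requireNonNull(credentials, "credentials");
        String url = firstNonBlank(credentials.getPath(), DEFAULT_LDAP_URL);
        String bindDn = firstNonBlank(credentials.getOsAccessName(), DEFAULT_BIND_DN);
        String userDnPatterns = firstNonBlank(credentials.getAccessName(), DEFAULT_USER_DN_PATTERNS);
        String groupSearchFilter = firstNonBlank(credentials.getStoreName(), DEFAULT_GROUP_SEARCH_FILTER);
        String bindPassword = restoreSecret(credentials.getSecret());
        String groupSearchBase = credentials.getName();

        DefaultSpringSecurityContextSource contextSource = new DefaultSpringSecurityContextSource(url);
        contextSource.setUserDn(bindDn);
        contextSource.setPassword(bindPassword);
        contextSource.afterPropertiesSet();

        BindAuthenticator authenticator = new BindAuthenticator(contextSource);
        authenticator.setUserDnPatterns(userDnPatterns.split(USER_DN_PATTERN_SEPARATOR));

        DefaultLdapAuthoritiesPopulator populator = new DefaultLdapAuthoritiesPopulator(contextSource, groupSearchBase);
        populator.setGroupSearchFilter(groupSearchFilter);
        // Authorities are the bare, upper-cased group names; the external group mapping must match that form.
        populator.setRolePrefix("");
        populator.setSearchSubtree(true);
        populator.setConvertToUpperCase(true);
        return new LdapAuthenticationProvider(authenticator, populator);
    }

    /** Returns {@code value} unless it is blank, in which case {@code fallback}. */
    private static String firstNonBlank(String value, String fallback) {
        return StringUtils.isBlank(value) ? fallback : value;
    }

    @Override // de.sep.sesam.restapi.authentication.AbstractLoginMethod
    public DaoAccessor getDaos() {
        return this.daos;
    }
}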
