package de.sep.sesam.restapi.authentication;

import de.sep.sesam.common.logging.LogGroup;
import de.sep.sesam.common.logging.SepLogLevel;
import de.sep.sesam.common.logging.messages.SimpleMessage;
import de.sep.sesam.common.security.PasswordController;
import de.sep.sesam.model.Credentials;
import de.sep.sesam.model.ExternalGroups;
import de.sep.sesam.model.Groups;
import de.sep.sesam.model.Users;
import de.sep.sesam.model.auth.dto.LoginDto;
import de.sep.sesam.model.core.defaults.DefaultUserNames;
import de.sep.sesam.model.type.AuthenticationType;
import de.sep.sesam.model.type.UserOrigin;
import de.sep.sesam.rest.exceptions.AuthenticationException;
import de.sep.sesam.rest.exceptions.ServiceException;
import de.sep.sesam.restapi.authentication.util.LdapQueryUtil;
import de.sep.sesam.restapi.dao.ExternalGroupsDaoServer;
import de.sep.sesam.restapi.dao.GroupsDaoServer;
import de.sep.sesam.restapi.dao.UserGroupRelationsDaoServer;
import de.sep.sesam.restapi.dao.UsersDaoServer;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.UUID;
import java.util.stream.Collectors;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.configuration.tree.DefaultExpressionEngine;
import org.apache.commons.lang3.StringUtils;
import org.springframework.jdbc.datasource.init.ScriptUtils;
import org.springframework.ldap.CommunicationException;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.support.LdapUtils;
import org.springframework.security.authentication.AccountExpiredException;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.ldap.userdetails.LdapUserDetails;
import org.springframework.security.ldap.userdetails.LdapUserDetailsImpl;

/* loaded from: input_file:de/sep/sesam/restapi/authentication/AbstractExternalCredentialsLogin.class */
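/**
 * Base class for logins that delegate password verification to an external Spring Security
 * {@code AuthenticationProvider}, fall back to a client certificate stored in the directory
 * when the provider rejects the credentials, resolve the user's directory groups (including
 * the primary group and nested parent groups), map those groups onto local
 * {@link ExternalGroups}, and finally create or refresh the matching local {@link Users}
 * record and its group relations.
 *
 * <p>Built-in account names (admin, root, sesam) are never handed to the external source;
 * {@link #createAndAuthenticateUser} returns {@code null} for them immediately.
 *
 * <p>Not thread-safe: the context source is held as mutable instance state.
 */
public abstract class AbstractExternalCredentialsLogin extends AbstractCredentialsLogin {

    /** Log scope under which every message of the authentication flow is written. */
    private static final String LOG_SCOPE = "createAndAuthenticateUser";

    /** Active Directory {@code userAccountControl} bit: account is disabled (ACCOUNTDISABLE). */
    private static final int UAC_ACCOUNT_DISABLED = 0x0002;
    /** Active Directory {@code userAccountControl} bit: account is locked out (LOCKOUT). */
    private static final int UAC_LOCKOUT = 0x0010;
    /** Active Directory {@code userAccountControl} bit: password has expired (PASSWORD_EXPIRED). */
    private static final int UAC_PASSWORD_EXPIRED = 0x800000;

    /** Connection data (URL, bind user, bind password) of the directory used for lookups; may be null. */
    private SecurityContextSourceDataProvider contextSource;

    /**
     * Creates the login for the given external credentials definition.
     *
     * @param credentials the configured external credentials; must not be null
     */
    public AbstractExternalCredentialsLogin(Credentials credentials) {
        assert credentials != null;
        setCredentials(credentials);
    }

    /**
     * Returns the clear-text form of a stored secret.
     *
     * <p>A value that cannot be decrypted by the {@link PasswordController} is returned
     * unchanged, i.e. it is assumed to have been stored in clear already.
     *
     * @param str the stored (possibly encrypted) secret, may be null
     * @return the decrypted secret, the input if it does not decrypt, or null for null input
     */
    public String restoreSecret(String str) {
        if (str == null) {
            return null;
        }
        String decrypted = PasswordController.getInstance().decrypt(str);
        return decrypted != null ? decrypted : str;
    }

    /**
     * Authenticates the user against the external provider and establishes a session.
     *
     * <p>Outcome contract (kept from the original implementation): {@code null} means "this
     * login cannot handle the request" (built-in account, no provider, directory unreachable,
     * credentials rejected without certificate fallback, no authorities, no group mapping);
     * an {@link AuthenticationException} reports a definite failure the caller should surface.
     *
     * @param loginDto user name, secret, optional certificate and request metadata; must not be null
     * @return the new session context, or null when this login does not apply
     * @throws AuthenticationException on server error, invalid/disabled/locked account, expired
     *         password, invalid credentials or a missing local user record
     */
    @Override
    public SessionContext createAndAuthenticateUser(LoginDto loginDto) throws AuthenticationException {
        assert loginDto != null;
        String username = loginDto.getUsername();
        // Built-in accounts stay local: an external directory must never be able to vouch for them.
        if (StringUtils.equalsAny(username, DefaultUserNames.ADMIN_USER, "root", DefaultUserNames.SESAM_USER)) {
            return null;
        }
        getLogger().start(LOG_SCOPE, SepLogLevel.INFO, LogGroup.SECURITY, username, loginDto.getIp());
        checkAuthenticationProvider();
        if (getAuthenticationProvider() == null) {
            getLogger().error(LOG_SCOPE, LogGroup.SECURITY, new SimpleMessage("Cannot complete authentication request. No authentication provider configured."), new Object[0]);
            return null;
        }
        String providerDetails = getAuthenticationProviderDetailsMessage();
        if (StringUtils.isNotBlank(providerDetails)) {
            getLogger().info(LOG_SCOPE, LogGroup.SECURITY, new SimpleMessage(providerDetails), new Object[0]);
        }

        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, loginDto.getSecret());
        Authentication authentication = null;
        try {
            authentication = getAuthenticationProvider().authenticate(token);
        } catch (NullPointerException e) {
            // A provider blowing up with an NPE is reported as a server-side error, not as bad credentials.
            logAuthenticationFailure(username, e);
            throw new AuthenticationException(AuthenticationException.AuthMessage.SERVER_ERROR, username);
        } catch (CommunicationException e) {
            getLogger().error(LOG_SCOPE, LogGroup.SECURITY, AuthenticationException.AuthMessage.COMMUNICATION_FAILED, getExceptionMessage(e));
            return null;
        } catch (AccountExpiredException | LockedException e) {
            logAuthenticationFailure(username, e);
            throw new AuthenticationException(AuthenticationException.AuthMessage.ACCOUNT_INVALID, username);
        } catch (CredentialsExpiredException e) {
            logAuthenticationFailure(username, e);
            throw new AuthenticationException(AuthenticationException.AuthMessage.PASSWORD_INVALID, username);
        } catch (DisabledException e) {
            logAuthenticationFailure(username, e);
            throw new AuthenticationException(AuthenticationException.AuthMessage.USER_DISABLED, username);
        } catch (org.springframework.security.core.AuthenticationException e) {
            // Any other rejection (typically bad credentials): try the certificate stored in the
            // directory before giving up. The original rejection is logged only if that fails too.
            authentication = authenticateByCertificate(loginDto, token);
            if (authentication == null) {
                logAuthenticationFailure(username, e);
                return null;
            }
        }
        if (authentication == null || !authentication.isAuthenticated()) {
            throw new AuthenticationException(AuthenticationException.AuthMessage.CREDENTIALS_INVALID, username);
        }

        LdapUserDetails ldapUserDetails = null;
        if (authentication.getPrincipal() instanceof LdapUserDetails) {
            ldapUserDetails = (LdapUserDetails) authentication.getPrincipal();
        }
        // Account-state flags are enforced here as well, independent of what the provider checked.
        if (ldapUserDetails != null && (!ldapUserDetails.isAccountNonExpired() || !ldapUserDetails.isAccountNonLocked())) {
            throw new AuthenticationException(AuthenticationException.AuthMessage.ACCOUNT_INVALID, username);
        }
        if (ldapUserDetails != null && !ldapUserDetails.isCredentialsNonExpired()) {
            throw new AuthenticationException(AuthenticationException.AuthMessage.PASSWORD_INVALID, username);
        }

        String userDn = ldapUserDetails != null ? ldapUserDetails.getDn() : "";
        String principal = (String) token.getPrincipal();
        // Directory lookups bind as the authenticated user where possible; otherwise as the
        // configured service account (see createLdapTemplate).
        LdapTemplate ldapTemplate = createLdapTemplate(userDn, (String) token.getCredentials());
        String userPrincipalName = StringUtils.isNotBlank(userDn) ? LdapQueryUtil.getUserPrincipalName(ldapTemplate, principal) : null;

        List<GrantedAuthority> authorities = new ArrayList<>();
        if (ldapUserDetails != null) {
            authorities.addAll(ldapUserDetails.getAuthorities());
        }
        checkAuthorities(ldapTemplate, principal, authorities);
        getLogger().info(LOG_SCOPE, LogGroup.SECURITY, new SimpleMessage("{0} {1} Groups: {2}"), username, getCredentialsType(), authorities);
        List<String> authorityNames = authorities.stream().map(GrantedAuthority::getAuthority).collect(Collectors.toList());
        if (authorityNames.isEmpty()) {
            getLogger().error(LOG_SCOPE, LogGroup.SECURITY, AuthenticationException.AuthMessage.NO_AUTHORITIES, username);
            return null;
        }
        // Only directory groups that are explicitly mapped to local groups grant access.
        List<ExternalGroups> externalGroups = resolveExternalGroups(username, authorityNames);
        if (externalGroups.isEmpty()) {
            getLogger().error(LOG_SCOPE, LogGroup.SECURITY, AuthenticationException.AuthMessage.NO_MAPPING, username);
            return null;
        }

        Users user = ensureLocalUser(loginDto, userPrincipalName);
        List<Groups> groups = synchronizeGroupMemberships(username, user, externalGroups);
        getLogger().success(LOG_SCOPE, SepLogLevel.INFO, LogGroup.SECURITY, username, groups);
        AuthenticationType authenticationType = getAuthenticationType();
        assert authenticationType != null;
        return new SessionContext(getDaos(), loginDto.getType(), authenticationType, user, loginDto.getIp(), loginDto.getLoginName());
    }

    /**
     * Writes the standard "authentication failed" entry to the security log.
     *
     * @param username the user name from the request
     * @param cause the exception raised by the provider
     */
    private void logAuthenticationFailure(String username, Throwable cause) {
        getLogger().error(LOG_SCOPE, LogGroup.SECURITY, new SimpleMessage("{0} Authentication Failed. {1}"), username, getExceptionMessage(cause));
    }

    /**
     * Certificate fallback after the provider rejected the credentials: looks the user up with
     * the service account and lets {@link #verifyCertificate} compare the presented certificate
     * with the one stored in the directory.
     *
     * @param loginDto the request, supplying user name and certificate
     * @param token the password token built for the provider (its credentials are carried over)
     * @return an authenticated token, or null when no context source, template, user entry or
     *         verifiable certificate is available
     */
    private Authentication authenticateByCertificate(LoginDto loginDto, UsernamePasswordAuthenticationToken token) {
        SecurityContextSourceDataProvider source = getContextSource();
        if (source == null) {
            return null;
        }
        LdapTemplate ldapTemplate = LdapQueryUtil.getLdapTemplate(source, source.getUser(), source.getPassword());
        if (ldapTemplate == null) {
            return null;
        }
        // NOTE(review): the user name is request-supplied; confirm LdapQueryUtil escapes it in the search filter.
        Attributes userAttributes = LdapQueryUtil.getUserAttributes(ldapTemplate, loginDto.getUsername());
        if (userAttributes == null) {
            return null;
        }
        return verifyCertificate(userAttributes, token, loginDto.getCertificate());
    }

    /**
     * Builds the template used for group lookups.
     *
     * <p>Binds with the given DN/secret; if either is blank and a service account is configured
     * on the context source, the service account is used instead.
     *
     * @param bindDn DN of the authenticated user, or blank
     * @param bindSecret the user's secret, or blank
     * @return the template returned by {@link LdapQueryUtil#getLdapTemplate} (may be null)
     */
    private LdapTemplate createLdapTemplate(String bindDn, String bindSecret) {
        SecurityContextSourceDataProvider source = getContextSource();
        String dn = bindDn;
        String secret = bindSecret;
        boolean userBindIncomplete = StringUtils.isBlank(dn) || StringUtils.isBlank(secret);
        if (userBindIncomplete && source != null
                && StringUtils.isNotBlank(source.getUser()) && StringUtils.isNotBlank(source.getPassword())) {
            dn = source.getUser();
            secret = source.getPassword();
        }
        return LdapQueryUtil.getLdapTemplate(source, dn, secret);
    }

    /**
     * Maps directory group names onto the configured {@link ExternalGroups}.
     *
     * @param username user name, for logging only
     * @param authorityNames the directory group names collected for the user
     * @return the mapped external groups; empty (never null) when nothing maps or the lookup fails
     */
    private List<ExternalGroups> resolveExternalGroups(String username, List<String> authorityNames) {
        List<ExternalGroups> mapped = new ArrayList<>();
        try {
            List<ExternalGroups> byMapping = ((ExternalGroupsDaoServer) getDaos().getService(ExternalGroupsDaoServer.class)).getByMapping(authorityNames, true);
            if (byMapping != null) {
                mapped.addAll(byMapping);
            }
        } catch (ServiceException e) {
            // Best effort: an empty result makes the caller deny access with NO_MAPPING.
            getLogger().error(LOG_SCOPE, LogGroup.SECURITY, new SimpleMessage("Failed to resolve external group mapping for {0}. Cause: {1}"), username, e.getMessage());
        }
        return mapped;
    }

    /**
     * Loads the local user record for the externally authenticated user, creating it on first
     * login and keeping its comment (the user principal name) in sync with the directory.
     *
     * @param loginDto the request
     * @param userPrincipalName the UPN resolved from the directory, may be null
     * @return the enabled local user
     * @throws AuthenticationException with USER_MISSING when the record cannot be created or
     *         updated, with ACCOUNT_INVALID when the local record is not enabled
     */
    private Users ensureLocalUser(LoginDto loginDto, String userPrincipalName) throws AuthenticationException {
        String username = loginDto.getUsername();
        Users user = getUser(username, userPrincipalName, getAuthenticationType());
        if (user == null) {
            user = createLocalUser(loginDto, userPrincipalName);
            if (user == null) {
                getLogger().info(LOG_SCOPE, LogGroup.SECURITY, new SimpleMessage("Failed to auto create or update {0} user with name {1}."), getCredentialsType(), username);
                throw new AuthenticationException(AuthenticationException.AuthMessage.USER_MISSING, username);
            }
        }
        boolean principalChanged = StringUtils.isNotBlank(userPrincipalName) && !StringUtils.equals(userPrincipalName, user.getComment());
        boolean principalCleared = StringUtils.isBlank(userPrincipalName) && StringUtils.isNotBlank(user.getComment());
        if (principalChanged || principalCleared) {
            user.setComment(userPrincipalName);
            try {
                user = ((UsersDaoServer) getDaos().getService(UsersDaoServer.class)).update(user);
            } catch (ServiceException e) {
                // Best effort: the in-memory record (with the new comment) is still used for this login.
                getLogger().info(LOG_SCOPE, LogGroup.SECURITY, new SimpleMessage("Failed to update {0} user with name {1}. Cause: {2}"), getCredentialsType(), username, e.getMessage());
            }
        }
        if (user == null) {
            getLogger().info(LOG_SCOPE, LogGroup.SECURITY, new SimpleMessage("Failed to auto create or update {0} user with name {1}."), getCredentialsType(), username);
            throw new AuthenticationException(AuthenticationException.AuthMessage.USER_MISSING, username);
        }
        // The local enabled flag can veto an account the directory accepts.
        if (!Boolean.TRUE.equals(user.getEnabled())) {
            getLogger().info(LOG_SCOPE, LogGroup.SECURITY, AuthenticationException.AuthMessage.USER_DISABLED, username);
            throw new AuthenticationException(AuthenticationException.AuthMessage.ACCOUNT_INVALID, username);
        }
        return user;
    }

    /**
     * Creates the local user record for a first-time external login.
     *
     * @param loginDto the request
     * @param userPrincipalName the UPN stored as the record's comment, may be null
     * @return the created record as returned by the DAO (may be null)
     * @throws AuthenticationException with USER_MISSING when the DAO rejects the record
     */
    private Users createLocalUser(LoginDto loginDto, String userPrincipalName) throws AuthenticationException {
        String username = loginDto.getUsername();
        Users users = new Users();
        users.setAccountExpired(false);
        users.setEnabled(true);
        users.setLocked(false);
        users.setPasswordExpired(false);
        users.setName(username);
        users.setComment(userPrincipalName);
        // Random placeholder: the supplied secret is never stored locally for external users.
        users.setPassword(UUID.randomUUID().toString());
        UserOrigin credentialsOrigin = getCredentialsOrigin();
        assert credentialsOrigin != null;
        users.setOrigin(credentialsOrigin);
        users.setUsercomment(getCredentialsType() + " User");
        try {
            return ((UsersDaoServer) getDaos().getService(UsersDaoServer.class)).create(users);
        } catch (ServiceException e) {
            getLogger().info(LOG_SCOPE, LogGroup.SECURITY, new SimpleMessage("Failed to auto create {0} user with name {1}. Cause: {2}"), getCredentialsType(), username, e.getMessage());
            throw new AuthenticationException(AuthenticationException.AuthMessage.USER_MISSING, username);
        }
    }

    /**
     * Replaces the user's local group relations with those derived from the mapped external groups.
     *
     * <p>Existing relations are removed first, so a failure while re-deriving them leaves the
     * user with no group relations rather than stale ones.
     *
     * @param username user name, for logging only
     * @param user the local user record
     * @param externalGroups the mapped external groups
     * @return the local groups assigned, or null when the lookup failed before producing a list
     */
    private List<Groups> synchronizeGroupMemberships(String username, Users user, List<ExternalGroups> externalGroups) {
        List<Groups> groups = null;
        try {
            ((UserGroupRelationsDaoServer) getDaos().getService(UserGroupRelationsDaoServer.class)).removeByUser(user.getId());
            GroupsDaoServer groupsDao = (GroupsDaoServer) getDaos().getService(GroupsDaoServer.class);
            groups = groupsDao.getGroupsByExternalGroup(externalGroups);
            if (groups != null) {
                for (Groups group : groups) {
                    groupsDao.persistUsers(user.getId(), group.getId());
                }
            }
        } catch (ServiceException e) {
            getLogger().error(LOG_SCOPE, LogGroup.SECURITY, new SimpleMessage("Failed to synchronize group memberships for {0}. Cause: {1}"), username, e.getMessage());
        }
        return groups;
    }

    /**
     * Completes the authority list with the user's primary group and all (transitive) parent
     * groups read from the directory.
     *
     * @param ldapTemplate bound template for lookups; null disables the lookup
     * @param username the account name to look up; blank disables the lookup
     * @param authorities list to extend in place; null disables the lookup
     */
    private void checkAuthorities(LdapTemplate ldapTemplate, String username, List<GrantedAuthority> authorities) {
        if (ldapTemplate == null || StringUtils.isBlank(username) || authorities == null) {
            return;
        }
        Attributes userAttributes = LdapQueryUtil.getUserAttributes(ldapTemplate, username);
        if (userAttributes == null) {
            return;
        }
        Set<String> memberOf = new HashSet<>();
        LdapQueryUtil.searchForMemberOf(userAttributes.getAll(), memberOf);
        // The primary group is not listed in memberOf; it is addressed by SID:
        // the user's SID minus its RID, followed by primaryGroupId.
        Integer primaryGroupId = LdapQueryUtil.getIntegerAttribute(userAttributes, "primaryGroupId");
        byte[] objectSid = LdapQueryUtil.getBinaryAttribute(userAttributes, "objectSid");
        if (primaryGroupId != null && objectSid != null) {
            String userSid = LdapUtils.convertBinarySidToString(objectSid);
            if (StringUtils.isNotBlank(userSid)) {
                String primaryGroupSid = StringUtils.substringBeforeLast(userSid, "-") + "-" + primaryGroupId;
                Attributes primaryGroup = LdapQueryUtil.getAttributesOfObject(ldapTemplate, "group", "objectSid", primaryGroupSid);
                if (primaryGroup != null) {
                    updateAuthorities(authorities, primaryGroup);
                    LdapQueryUtil.searchForMemberOf(primaryGroup.getAll(), memberOf);
                }
            }
        }
        searchForParentGroups(ldapTemplate, Collections.unmodifiableSet(memberOf), new HashSet<>(), authorities);
    }

    /**
     * Recursively walks the {@code memberOf} chain upwards, adding every group found to the
     * authorities. Visited DNs are tracked lower-cased so that cycles terminate.
     *
     * @param ldapTemplate bound template for lookups
     * @param groupDns DNs of the groups to visit at this level
     * @param visited lower-cased DNs already processed; extended in place
     * @param authorities list to extend in place
     */
    private void searchForParentGroups(LdapTemplate ldapTemplate, Set<String> groupDns, Set<String> visited, List<GrantedAuthority> authorities) {
        if (ldapTemplate == null || groupDns == null || visited == null || authorities == null) {
            return;
        }
        Set<String> parents = new HashSet<>();
        for (String groupDn : groupDns) {
            String key = StringUtils.lowerCase(groupDn);
            if (visited.contains(key)) {
                continue;
            }
            visited.add(key);
            // NOTE(review): groupDn is a directory-supplied value; confirm LdapQueryUtil escapes it in the search filter.
            Attributes group = LdapQueryUtil.getAttributesOfObject(ldapTemplate, "group", "distinguishedName", groupDn);
            if (group != null) {
                updateAuthorities(authorities, group);
                LdapQueryUtil.searchForMemberOf(group.getAll(), parents);
            }
        }
        if (!parents.isEmpty()) {
            parents = parents.stream()
                    .filter(dn -> !visited.contains(StringUtils.lowerCase(dn)))
                    .collect(Collectors.toSet());
        }
        if (!parents.isEmpty()) {
            searchForParentGroups(ldapTemplate, parents, visited, authorities);
        }
    }

    /**
     * Adds the group's {@code cn} as an authority unless an equal (case-insensitive) one is present.
     *
     * @param authorities list to extend in place; null is ignored
     * @param attributes the group entry; null or without {@code cn} is ignored
     */
    private void updateAuthorities(List<GrantedAuthority> authorities, Attributes attributes) {
        if (authorities == null || attributes == null) {
            return;
        }
        Attribute cn = attributes.get("cn");
        if (cn == null) {
            return;
        }
        try {
            Object value = cn.get();
            if (value == null) {
                return;
            }
            String groupName = value.toString();
            if (StringUtils.isBlank(groupName)) {
                return;
            }
            boolean present = authorities.stream()
                    .anyMatch(authority -> StringUtils.equalsIgnoreCase(authority.getAuthority(), groupName));
            if (!present) {
                authorities.add(new SimpleGrantedAuthority(groupName));
            }
        } catch (NamingException e) {
            // Best effort: a group whose cn cannot be read simply grants no authority.
            getLogger().info("updateAuthorities", LogGroup.SECURITY, new SimpleMessage("Cannot read group name. Cause: {0}"), getExceptionMessage(e));
        }
    }

    /**
     * Builds an authenticated token from the directory entry when the presented certificate
     * verifies against the public key of the user's stored {@code userCertificate}.
     *
     * <p>This establishes only that the presented certificate is signed by the stored one's key.
     * Proof of private-key possession is assumed to have happened where the certificate was
     * obtained (e.g. TLS client authentication) — confirm at the caller that supplies
     * {@code LoginDto#getCertificate()}.
     *
     * @param attributes the user's directory entry
     * @param authentication the password token; its credentials are carried into the result
     * @param certificate the certificate presented by the client
     * @return a token marked authenticated, or null if any argument is null, no certificate is
     *         stored, or verification fails
     */
    private Authentication verifyCertificate(Attributes attributes, Authentication authentication, Certificate certificate) {
        if (attributes == null || authentication == null || certificate == null) {
            return null;
        }
        if (!isSignedByStoredCertificate(attributes, certificate, authentication.getPrincipal())) {
            return null;
        }
        LdapUserDetailsImpl.Essence essence = new LdapUserDetailsImpl.Essence();
        essence.setDn(LdapQueryUtil.getStringAttribute(attributes, "cn"));
        Object storedPassword = LdapQueryUtil.getObjectAttribute(attributes, "userPassword");
        if (storedPassword != null) {
            // Carried on the principal only; nothing in this class reads it back.
            String password = storedPassword instanceof String
                    ? (String) storedPassword
                    : new String((byte[]) storedPassword, StandardCharsets.UTF_8);
            essence.setPassword(password);
        }
        essence.setUsername(LdapQueryUtil.getStringAttribute(attributes, "sAMAccountName"));
        Integer userAccountControl = LdapQueryUtil.getIntegerAttribute(attributes, "userAccountControl");
        // NOTE(review): AD lockoutTime is a 64-bit timestamp; confirm getIntegerAttribute copes with
        // values beyond int range, otherwise a locked-out account may not be detected here.
        Integer lockoutTime = LdapQueryUtil.getIntegerAttribute(attributes, "lockoutTime");
        if (userAccountControl != null) {
            int uac = userAccountControl.intValue();
            // The disabled bit is surfaced as "account expired"; the caller maps both to ACCOUNT_INVALID.
            essence.setAccountNonExpired((uac & UAC_ACCOUNT_DISABLED) == 0);
            essence.setAccountNonLocked((uac & UAC_LOCKOUT) == 0);
            essence.setCredentialsNonExpired((uac & UAC_PASSWORD_EXPIRED) == 0);
        }
        if (lockoutTime != null && lockoutTime.intValue() > 0) {
            essence.setAccountNonLocked(false);
        }
        // The authorities-taking constructor marks the token as authenticated.
        return new UsernamePasswordAuthenticationToken(essence.createUserDetails(), authentication.getCredentials(), Collections.emptyList());
    }

    /**
     * Verifies the presented certificate with the public key of the X.509 certificate stored in
     * the entry's {@code userCertificate} attribute.
     *
     * @param attributes the user's directory entry
     * @param presented the certificate presented by the client
     * @param principal the principal, for logging only
     * @return true only if a stored certificate exists and {@link Certificate#verify} succeeds
     */
    private boolean isSignedByStoredCertificate(Attributes attributes, Certificate presented, Object principal) {
        byte[] stored = LdapQueryUtil.getBinaryAttribute(attributes, "userCertificate");
        if (stored == null) {
            return false;
        }
        try {
            X509Certificate storedCertificate = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(new ByteArrayInputStream(stored));
            if (storedCertificate == null) {
                return false;
            }
            presented.verify(storedCertificate.getPublicKey());
            return true;
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException e) {
            getLogger().info("verifyCertificate", LogGroup.SECURITY, new SimpleMessage("Certificate verification failed for {0}. {1}"), principal, getExceptionMessage(e));
            return false;
        }
    }

    /**
     * Renders an exception for the security log: the localized message, followed by the
     * messages of any chain of Spring Security {@code AuthenticationException} causes in
     * parentheses, separated by {@code ;}.
     *
     * @param th the exception, may be null
     * @return the rendered message, or "" for null or a blank message
     */
    protected String getExceptionMessage(Throwable th) {
        if (th == null || StringUtils.isBlank(th.getLocalizedMessage())) {
            return "";
        }
        StringBuilder sb = new StringBuilder(th.getLocalizedMessage());
        Throwable cause = th.getCause();
        if (cause instanceof org.springframework.security.core.AuthenticationException) {
            sb.append(" (");
            String separator = "";
            do {
                sb.append(separator).append(cause.getLocalizedMessage());
                separator = ";";
                cause = cause.getCause();
            } while (cause instanceof org.springframework.security.core.AuthenticationException);
            sb.append(")");
        }
        return sb.toString();
    }

    /**
     * Returns the origin recorded on auto-created local users.
     *
     * @return the origin, never null
     */
    protected abstract UserOrigin getCredentialsOrigin();

    /**
     * Returns the message logged before contacting the external source.
     *
     * <p>NOTE(review): this renders {@code getCredentials()} via toString(); confirm that the
     * credentials' string form does not include the bind password.
     *
     * @return the message, or blank to log nothing
     */
    protected String getAuthenticationProviderDetailsMessage() {
        return "Trying external authentication source with '" + getCredentials() + "'.";
    }

    /**
     * Returns the directory connection data used for lookups.
     *
     * @return the context source, or null if none was set
     */
    public SecurityContextSourceDataProvider getContextSource() {
        return this.contextSource;
    }

    /**
     * Sets the directory connection data used for lookups.
     *
     * @param securityContextSourceDataProvider the context source, may be null
     */
    public void setContextSource(SecurityContextSourceDataProvider securityContextSourceDataProvider) {
        this.contextSource = securityContextSourceDataProvider;
    }
}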
