package org.killbill.billing.util.security.shiro.realm;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Function;
import com.google.common.base.Functions;
import com.google.common.base.Predicate;
import com.google.common.base.Predicates;
import com.google.common.base.Splitter;
import com.google.common.collect.Collections2;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterators;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
import com.google.inject.Inject;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapContext;
import jodd.util.StringPool;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.config.Ini;
import org.apache.shiro.realm.ldap.JndiLdapContextFactory;
import org.apache.shiro.realm.ldap.JndiLdapRealm;
import org.apache.shiro.realm.ldap.LdapContextFactory;
import org.apache.shiro.realm.ldap.LdapUtils;
import org.apache.shiro.subject.PrincipalCollection;
import org.killbill.billing.util.config.definition.SecurityConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/killbill/billing/util/security/shiro/realm/KillBillJndiLdapRealm.class */
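/**
 * Shiro LDAP realm that resolves user DNs and group memberships through JNDI
 * searches and maps LDAP groups to permissions.
 *
 * <p>Connection settings, search templates and the group-to-permission mapping
 * are all read from {@link SecurityConfig} in the constructor.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The login name is substituted into LDAP search filters. It is escaped
 *       per RFC 4515 first, so filter metacharacters in the name cannot alter
 *       the query (LDAP filter injection).</li>
 *   <li>The search templates themselves come from configuration and are
 *       trusted as-is.</li>
 * </ul>
 */
public class KillBillJndiLdapRealm extends JndiLdapRealm {
    private static final Logger log = LoggerFactory.getLogger(KillBillJndiLdapRealm.class);

    /** Placeholder in the configured search templates that is replaced by the user name. */
    private static final String USERDN_SUBSTITUTION_TOKEN = "{0}";

    /** Splits a comma-separated permission list, trimming entries and dropping empty ones. */
    private static final Splitter SPLITTER = Splitter.on(',').omitEmptyStrings().trimResults();

    /** Search controls shared by every lookup; configured for subtree scope below. */
    private static final SearchControls SUBTREE_SCOPE = new SearchControls();

    static {
        SUBTREE_SCOPE.setSearchScope(SearchControls.SUBTREE_SCOPE);
    }

    private final String searchBase;
    private final String groupSearchFilter;
    private final String groupNameId;
    private final Map<String, Collection<String>> permissionsByGroup = Maps.newLinkedHashMap();
    private final String dnSearchFilter;

    /**
     * Configures the realm and its JNDI context factory from the security configuration.
     *
     * @param securityConfig source of the LDAP URL, system credentials, search
     *                       templates and the group-to-permission mapping
     */
    @Inject
    public KillBillJndiLdapRealm(SecurityConfig securityConfig) {
        if (securityConfig.getShiroLDAPUserDnTemplate() != null) {
            setUserDnTemplate(securityConfig.getShiroLDAPUserDnTemplate());
        }
        JndiLdapContextFactory jndiLdapContextFactory = (JndiLdapContextFactory) getContextFactory();
        if (securityConfig.disableShiroLDAPSSLCheck()) {
            // NOTE(review): SkipSSLCheckSocketFactory is not visible here; by its name it
            // bypasses TLS certificate checks, which would leave bind credentials exposed
            // to an on-path attacker. Make the choice visible in the logs.
            log.warn("LDAP SSL check is disabled by configuration; socket factory '{}' is in use",
                     SkipSSLCheckSocketFactory.class.getName());
            jndiLdapContextFactory.getEnvironment().put("java.naming.ldap.factory.socket", SkipSSLCheckSocketFactory.class.getName());
        }
        // NOTE(review): with "follow", the directory can redirect this client to other
        // servers; confirm whether credentials are re-sent there before enabling it.
        jndiLdapContextFactory.getEnvironment().put("java.naming.referral", securityConfig.followShiroLDAPReferrals() ? "follow" : "ignore");
        if (securityConfig.getShiroLDAPUrl() != null) {
            jndiLdapContextFactory.setUrl(securityConfig.getShiroLDAPUrl());
        }
        if (securityConfig.getShiroLDAPSystemUsername() != null) {
            jndiLdapContextFactory.setSystemUsername(securityConfig.getShiroLDAPSystemUsername());
        }
        if (securityConfig.getShiroLDAPSystemPassword() != null) {
            jndiLdapContextFactory.setSystemPassword(securityConfig.getShiroLDAPSystemPassword());
        }
        if (securityConfig.getShiroLDAPAuthenticationMechanism() != null) {
            jndiLdapContextFactory.setAuthenticationMechanism(securityConfig.getShiroLDAPAuthenticationMechanism());
        }
        setContextFactory(jndiLdapContextFactory);

        this.dnSearchFilter = securityConfig.getShiroLDAPDnSearchTemplate();
        this.searchBase = securityConfig.getShiroLDAPSearchBase();
        this.groupSearchFilter = securityConfig.getShiroLDAPGroupSearchFilter();
        this.groupNameId = securityConfig.getShiroLDAPGroupNameID();

        String rawPermissionsByGroup = securityConfig.getShiroLDAPPermissionsByGroup();
        if (rawPermissionsByGroup != null) {
            // The value is a single-line INI document: literal "\n" sequences stand for
            // line breaks and "\=" stands for '=' inside a group name.
            Ini ini = new Ini();
            ini.load(rawPermissionsByGroup.replace("\\n", StringPool.NEWLINE));
            for (Ini.Section section : ini.getSections()) {
                for (String group : section.keySet()) {
                    this.permissionsByGroup.put(group.replace("\\=", "="), ImmutableList.copyOf(SPLITTER.split(section.get(group))));
                }
            }
        }
    }

    /**
     * Resolves the DN used to bind as the given user.
     *
     * <p>When a DN search template is configured the DN is looked up in the
     * directory; otherwise the parent implementation is used. The method is
     * kept {@code public} as in this listing (the decompiler notes that the
     * access modifier was changed from {@code protected}).
     *
     * @param str the login name
     * @return the user's DN, or {@code null} when the directory search finds no entry
     */
    @Override
    public String getUserDn(String str) throws IllegalArgumentException, IllegalStateException {
        return this.dnSearchFilter != null ? findUserDN(str, getContextFactory()) : super.getUserDn(str);
    }

    /**
     * Searches the directory, as the system user, for the entry matching the login name.
     *
     * @param str                the login name (untrusted; escaped before use in the filter)
     * @param ldapContextFactory factory providing the system LDAP context
     * @return the full DN of the first match, or {@code null} when nothing matches
     * @throws IllegalArgumentException when the system bind or the search fails
     */
    private String findUserDN(String str, LdapContextFactory ldapContextFactory) {
        LdapContext systemLdapContext = null;
        try {
            systemLdapContext = ldapContextFactory.getSystemLdapContext();
            String filter = this.dnSearchFilter.replace(USERDN_SUBSTITUTION_TOKEN, escapeLdapFilterValue(str));
            NamingEnumeration<SearchResult> search = systemLdapContext.search(this.searchBase, filter, SUBTREE_SCOPE);
            // NOTE(review): a null DN is handed back to the caller when no entry matches.
            // How the bind path treats a null principal is not visible here; confirm it
            // cannot degrade into an anonymous bind.
            return search.hasMore() ? search.next().getNameInNamespace() : null;
        } catch (AuthenticationException e) {
            log.info("LDAP authentication exception='{}'", e.getLocalizedMessage());
            throw new IllegalArgumentException(e);
        } catch (NamingException e) {
            log.info("LDAP exception='{}'", e.getLocalizedMessage());
            throw new IllegalArgumentException(e);
        } finally {
            // Always release the system context, including on failure.
            LdapUtils.closeContext(systemLdapContext);
        }
    }

    /**
     * Builds the authorization info for a principal: the LDAP groups become
     * roles, and the permissions configured for those groups become string permissions.
     */
    @Override
    protected AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection principalCollection, LdapContextFactory ldapContextFactory) throws NamingException {
        Set<String> groups = findLDAPGroupsForUser(principalCollection, ldapContextFactory);
        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo(groups);
        authorizationInfo.setStringPermissions(groupsPermissions(groups));
        return authorizationInfo;
    }

    /**
     * Looks up the groups of the available principal using the system LDAP context.
     *
     * @return the group names; an empty set when the system bind is rejected
     *         (the user then gets no roles and no permissions)
     * @throws NamingException when the directory search fails
     */
    private Set<String> findLDAPGroupsForUser(PrincipalCollection principalCollection, LdapContextFactory ldapContextFactory) throws NamingException {
        String userName = (String) getAvailablePrincipal(principalCollection);
        LdapContext ldapContext = null;
        try {
            ldapContext = ldapContextFactory.getSystemLdapContext();
            return findLDAPGroupsForUser(userName, ldapContext);
        } catch (AuthenticationException e) {
            log.info("LDAP authentication exception='{}'", e.getLocalizedMessage());
            return ImmutableSet.of();
        } finally {
            LdapUtils.closeContext(ldapContext);
        }
    }

    /**
     * Runs the group search for a user on an already opened context.
     *
     * <p>Only the first entry returned by the search is inspected.
     *
     * @param str         the user name (untrusted; escaped before use in the filter)
     * @param ldapContext an open LDAP context; the caller closes it
     * @return a mutable set of group names, or an empty immutable set when nothing matches
     */
    private Set<String> findLDAPGroupsForUser(String str, LdapContext ldapContext) throws NamingException {
        String filter = this.groupSearchFilter.replace(USERDN_SUBSTITUTION_TOKEN, escapeLdapFilterValue(str));
        NamingEnumeration<SearchResult> search = ldapContext.search(this.searchBase, filter, SUBTREE_SCOPE);
        if (!search.hasMoreElements()) {
            return ImmutableSet.of();
        }
        return Sets.newHashSet(extractGroupNamesFromSearchResult(search.next()));
    }

    /**
     * Collects the values of every attribute whose id equals the configured
     * group-name attribute id (case-insensitive).
     *
     * <p>An attribute whose values cannot be read is logged and skipped, so one
     * unreadable attribute does not abort the whole authorization lookup.
     *
     * @return the non-null attribute values, converted with {@code toString()}
     */
    private Collection<String> extractGroupNamesFromSearchResult(SearchResult searchResult) {
        ImmutableList.Builder<String> groupNames = ImmutableList.builder();
        Iterator<? extends Attribute> attributes = Iterators.forEnumeration(searchResult.getAttributes().getAll());
        while (attributes.hasNext()) {
            Attribute attribute = attributes.next();
            if (!this.groupNameId.equalsIgnoreCase(attribute.getID())) {
                continue;
            }
            try {
                Iterator<?> values = Iterators.forEnumeration(attribute.getAll());
                while (values.hasNext()) {
                    Object value = values.next();
                    if (value != null) {
                        groupNames.add(value.toString());
                    }
                }
            } catch (NamingException e) {
                log.warn("Unable to read group name(s)", e);
            }
        }
        return groupNames.build();
    }

    /**
     * Returns the union of the permissions configured for the given groups.
     * Groups without a configured mapping contribute nothing.
     */
    private Set<String> groupsPermissions(Set<String> set) {
        Set<String> permissions = new HashSet<>();
        for (String group : set) {
            Collection<String> groupPermissions = this.permissionsByGroup.get(group);
            if (groupPermissions != null) {
                permissions.addAll(groupPermissions);
            }
        }
        return permissions;
    }

    /**
     * Exposes the group-to-permission mapping for tests.
     *
     * @return the realm's own map instance, not a copy; changes to it affect authorization
     */
    @VisibleForTesting
    public Map<String, Collection<String>> getPermissionsByGroup() {
        return this.permissionsByGroup;
    }

    /**
     * Escapes a value for use as an assertion value inside an LDAP search
     * filter (RFC 4515): backslash, asterisk, parentheses and NUL are replaced
     * by their backslash-hex forms.
     *
     * <p>This is filter escaping only. If a configured template places the
     * token inside a DN-valued assertion, DN-level escaping is a separate
     * concern that this method does not address.
     */
    private static String escapeLdapFilterValue(String value) {
        StringBuilder escaped = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\':
                    escaped.append("\\5c");
                    break;
                case '*':
                    escaped.append("\\2a");
                    break;
                case '(':
                    escaped.append("\\28");
                    break;
                case ')':
                    escaped.append("\\29");
                    break;
                case '\u0000':
                    escaped.append("\\00");
                    break;
                default:
                    escaped.append(c);
            }
        }
        return escaped.toString();
    }
}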
