package com.gitblit.auth;

import com.gitblit.Constants;
import com.gitblit.Keys;
import com.gitblit.auth.AuthenticationProvider;
import com.gitblit.ldap.LdapConnection;
import com.gitblit.models.TeamModel;
import com.gitblit.models.UserModel;
import com.gitblit.service.LdapSyncService;
import com.gitblit.utils.ArrayUtils;
import com.gitblit.utils.StringUtils;
import com.unboundid.ldap.sdk.Attribute;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;
import java.text.MessageFormat;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

/* loaded from: input_file:com/gitblit/auth/LdapAuthProvider.class */
public class LdapAuthProvider extends AuthenticationProvider.UsernamePasswordAuthenticationProvider {
    private final ScheduledExecutorService scheduledExecutorService;

    public LdapAuthProvider() {
        super("ldap");
        this.scheduledExecutorService = Executors.newSingleThreadScheduledExecutor();
    }

    private long getSynchronizationPeriodInMilliseconds() {
        String string = this.settings.getString(Keys.realm.ldap.syncPeriod, null);
        if (StringUtils.isEmpty(string)) {
            string = this.settings.getString("realm.ldap.ldapCachePeriod", null);
            if (StringUtils.isEmpty(string)) {
                string = "5 MINUTES";
            } else {
                this.logger.warn("realm.ldap.ldapCachePeriod is obsolete!");
                this.logger.warn(MessageFormat.format("Please set {0}={1} in gitblit.properties!", Keys.realm.ldap.syncPeriod, string));
                this.settings.overrideSetting(Keys.realm.ldap.syncPeriod, string);
            }
        }
        try {
            String[] split = string.split(" ", 2);
            return TimeUnit.valueOf(split[1]).toMillis(Math.abs(Long.parseLong(split[0])));
        } catch (RuntimeException e) {
            throw new IllegalArgumentException("realm.ldap.syncPeriod must have format '<long> <TimeUnit>' where <TimeUnit> is one of 'MILLISECONDS', 'SECONDS', 'MINUTES', 'HOURS', 'DAYS'");
        }
    }

    @Override // com.gitblit.auth.AuthenticationProvider
    public void setup() {
        configureSyncService();
    }

    @Override // com.gitblit.auth.AuthenticationProvider.UsernamePasswordAuthenticationProvider, com.gitblit.auth.AuthenticationProvider
    public void stop() {
        this.scheduledExecutorService.shutdownNow();
    }

    public synchronized void sync() {
        if (this.settings.getBoolean(Keys.realm.ldap.synchronize, false)) {
            this.logger.info("Synchronizing with LDAP @ " + this.settings.getRequiredString(Keys.realm.ldap.server));
            boolean z = this.settings.getBoolean(Keys.realm.ldap.removeDeletedUsers, true);
            LdapConnection ldapConnection = new LdapConnection(this.settings);
            if (ldapConnection.connect()) {
                if (ldapConnection.bind() == null) {
                    ldapConnection.close();
                    this.logger.error("Cannot synchronize with LDAP.");
                    return;
                }
                try {
                    String string = this.settings.getString(Keys.realm.ldap.uid, "uid");
                    SearchResult doSearch = doSearch(ldapConnection, ldapConnection.getAccountBase(), StringUtils.replace(ldapConnection.getAccountPattern(), "${username}", "*"));
                    if (doSearch != null && doSearch.getEntryCount() > 0) {
                        HashMap hashMap = new HashMap();
                        for (SearchResultEntry searchResultEntry : doSearch.getSearchEntries()) {
                            Attribute attribute = searchResultEntry.getAttribute(string);
                            if (attribute == null) {
                                this.logger.error("Can not synchronize with LDAP, missing \"{}\" attribute", string);
                            } else {
                                String value = attribute.getValue();
                                this.logger.debug("LDAP synchronizing: " + value);
                                UserModel userModel = this.userManager.getUserModel(value);
                                if (userModel == null) {
                                    userModel = new UserModel(value);
                                }
                                if (!supportsTeamMembershipChanges()) {
                                    getTeamsFromLdap(ldapConnection, value, searchResultEntry, userModel);
                                }
                                setUserAttributes(userModel, searchResultEntry);
                                hashMap.put(value.toLowerCase(), userModel);
                            }
                        }
                        if (z) {
                            this.logger.debug("detecting removed LDAP users...");
                            for (UserModel userModel2 : this.userManager.getAllUsers()) {
                                if (Constants.AccountType.LDAP == userModel2.accountType && !hashMap.containsKey(userModel2.username)) {
                                    this.logger.info("deleting removed LDAP user " + userModel2.username + " from user service");
                                    this.userManager.deleteUser(userModel2.username);
                                }
                            }
                        }
                        this.userManager.updateUserModels(hashMap.values());
                        if (!supportsTeamMembershipChanges()) {
                            HashMap hashMap2 = new HashMap();
                            Iterator it = hashMap.values().iterator();
                            while (it.hasNext()) {
                                for (TeamModel teamModel : ((UserModel) it.next()).teams) {
                                    setAdminAttribute(teamModel);
                                    hashMap2.put(teamModel.name, teamModel);
                                }
                            }
                            this.userManager.updateTeamModels(hashMap2.values());
                        }
                    }
                    if (!supportsTeamMembershipChanges()) {
                        getEmptyTeamsFromLdap(ldapConnection);
                    }
                } finally {
                    ldapConnection.close();
                }
            }
        }
    }

    @Override // com.gitblit.auth.AuthenticationProvider
    public boolean supportsCredentialChanges() {
        return false;
    }

    @Override // com.gitblit.auth.AuthenticationProvider
    public boolean supportsDisplayNameChanges() {
        return StringUtils.isEmpty(this.settings.getString(Keys.realm.ldap.displayName, ""));
    }

    @Override // com.gitblit.auth.AuthenticationProvider
    public boolean supportsEmailAddressChanges() {
        return StringUtils.isEmpty(this.settings.getString(Keys.realm.ldap.email, ""));
    }

    @Override // com.gitblit.auth.AuthenticationProvider
    public boolean supportsTeamMembershipChanges() {
        return !this.settings.getBoolean(Keys.realm.ldap.maintainTeams, false);
    }

    @Override // com.gitblit.auth.AuthenticationProvider
    public boolean supportsRoleChanges(UserModel userModel, Constants.Role role) {
        return Constants.Role.ADMIN != role || supportsTeamMembershipChanges();
    }

    @Override // com.gitblit.auth.AuthenticationProvider
    public boolean supportsRoleChanges(TeamModel teamModel, Constants.Role role) {
        return Constants.Role.ADMIN != role || supportsTeamMembershipChanges();
    }

    @Override // com.gitblit.auth.AuthenticationProvider
    public Constants.AccountType getAccountType() {
        return Constants.AccountType.LDAP;
    }

    @Override // com.gitblit.auth.AuthenticationProvider
    public UserModel authenticate(String str, char[] cArr) {
        UserModel userModel;
        String simpleUsername = getSimpleUsername(str);
        LdapConnection ldapConnection = new LdapConnection(this.settings);
        if (!ldapConnection.connect()) {
            return null;
        }
        String str2 = new String(cArr);
        String string = this.settings.getString(Keys.realm.ldap.bindpattern, "");
        if ((!StringUtils.isEmpty(string) ? ldapConnection.bind(string, simpleUsername, str2) : ldapConnection.bind()) == null) {
            ldapConnection.close();
            return null;
        }
        try {
            SearchResult searchUser = ldapConnection.searchUser(simpleUsername);
            if (searchUser != null && searchUser.getEntryCount() == 1) {
                SearchResultEntry searchResultEntry = (SearchResultEntry) searchUser.getSearchEntries().get(0);
                if (ldapConnection.isAuthenticated(searchResultEntry.getDN(), str2)) {
                    this.logger.debug("LDAP authenticated: " + str);
                    synchronized (this) {
                        userModel = this.userManager.getUserModel(simpleUsername);
                        if (userModel == null) {
                            userModel = new UserModel(simpleUsername);
                        }
                        setCookie(userModel);
                        if (!supportsTeamMembershipChanges()) {
                            getTeamsFromLdap(ldapConnection, simpleUsername, searchResultEntry, userModel);
                        }
                        setUserAttributes(userModel, searchResultEntry);
                        updateUser(userModel);
                        if (!supportsTeamMembershipChanges()) {
                            for (TeamModel teamModel : userModel.teams) {
                                setAdminAttribute(teamModel);
                                updateTeam(teamModel);
                            }
                        }
                    }
                    return userModel;
                }
            }
            ldapConnection.close();
            return null;
        } finally {
            ldapConnection.close();
        }
    }

    private void setAdminAttribute(UserModel userModel) {
        if (supportsTeamMembershipChanges()) {
            return;
        }
        List<String> strings = this.settings.getStrings(Keys.realm.ldap.admins);
        if (ArrayUtils.isEmpty(strings)) {
            return;
        }
        userModel.canAdmin = false;
        Iterator<String> it = strings.iterator();
        while (it.hasNext()) {
            if (userModel.getName().equalsIgnoreCase(it.next())) {
                userModel.canAdmin = true;
            }
        }
    }

    private void setAdminAttribute(TeamModel teamModel) {
        if (supportsTeamMembershipChanges()) {
            return;
        }
        List<String> strings = this.settings.getStrings(Keys.realm.ldap.admins);
        if (ArrayUtils.isEmpty(strings)) {
            return;
        }
        teamModel.canAdmin = false;
        for (String str : strings) {
            if (str.startsWith("@") && teamModel.name.equalsIgnoreCase(str.substring(1))) {
                teamModel.canAdmin = true;
            }
        }
    }

    private void setUserAttributes(UserModel userModel, SearchResultEntry searchResultEntry) {
        setAdminAttribute(userModel);
        userModel.password = Constants.EXTERNAL_ACCOUNT;
        userModel.accountType = getAccountType();
        String string = this.settings.getString(Keys.realm.ldap.displayName, "");
        if (!StringUtils.isEmpty(string)) {
            if (string.contains("${")) {
                for (Attribute attribute : searchResultEntry.getAttributes()) {
                    string = StringUtils.replace(string, "${" + attribute.getName() + "}", attribute.getValue());
                }
                userModel.displayName = string;
            } else {
                Attribute attribute2 = searchResultEntry.getAttribute(string);
                if (attribute2 != null && attribute2.hasValue()) {
                    userModel.displayName = attribute2.getValue();
                }
            }
        }
        String string2 = this.settings.getString(Keys.realm.ldap.email, "");
        if (StringUtils.isEmpty(string2)) {
            return;
        }
        if (string2.contains("${")) {
            for (Attribute attribute3 : searchResultEntry.getAttributes()) {
                string2 = StringUtils.replace(string2, "${" + attribute3.getName() + "}", attribute3.getValue());
            }
            userModel.emailAddress = string2;
            return;
        }
        Attribute attribute4 = searchResultEntry.getAttribute(string2);
        if (attribute4 == null || !attribute4.hasValue()) {
            userModel.emailAddress = null;
        } else {
            userModel.emailAddress = attribute4.getValue();
        }
    }

    private void getTeamsFromLdap(LdapConnection ldapConnection, String str, SearchResultEntry searchResultEntry, UserModel userModel) {
        String dn = searchResultEntry.getDN();
        userModel.teams.clear();
        String string = this.settings.getString(Keys.realm.ldap.groupBase, "");
        String replace = StringUtils.replace(StringUtils.replace(this.settings.getString(Keys.realm.ldap.groupMemberPattern, "(&(objectClass=group)(member=${dn}))"), "${dn}", LdapConnection.escapeLDAPSearchFilter(dn)), "${username}", LdapConnection.escapeLDAPSearchFilter(str));
        for (Attribute attribute : searchResultEntry.getAttributes()) {
            replace = StringUtils.replace(replace, "${" + attribute.getName() + "}", LdapConnection.escapeLDAPSearchFilter(attribute.getValue()));
        }
        SearchResult searchTeamsInLdap = searchTeamsInLdap(ldapConnection, string, true, replace, Arrays.asList("cn"));
        if (searchTeamsInLdap == null || searchTeamsInLdap.getEntryCount() <= 0) {
            return;
        }
        for (int i = 0; i < searchTeamsInLdap.getEntryCount(); i++) {
            SearchResultEntry searchResultEntry2 = (SearchResultEntry) searchTeamsInLdap.getSearchEntries().get(i);
            TeamModel teamModel = this.userManager.getTeamModel(searchResultEntry2.getAttribute("cn").getValue());
            if (teamModel == null) {
                teamModel = createTeamFromLdap(searchResultEntry2);
            }
            userModel.teams.add(teamModel);
            teamModel.addUser(userModel.getName());
        }
    }

    private void getEmptyTeamsFromLdap(LdapConnection ldapConnection) {
        this.logger.info("Start fetching empty teams from ldap.");
        SearchResult searchTeamsInLdap = searchTeamsInLdap(ldapConnection, this.settings.getString(Keys.realm.ldap.groupBase, ""), true, this.settings.getString(Keys.realm.ldap.groupEmptyMemberPattern, "(&(objectClass=group)(!(member=*)))"), null);
        if (searchTeamsInLdap != null && searchTeamsInLdap.getEntryCount() > 0) {
            for (int i = 0; i < searchTeamsInLdap.getEntryCount(); i++) {
                SearchResultEntry searchResultEntry = (SearchResultEntry) searchTeamsInLdap.getSearchEntries().get(i);
                if (!searchResultEntry.hasAttribute("member")) {
                    if (this.userManager.getTeamModel(searchResultEntry.getAttribute("cn").getValue()) == null) {
                        TeamModel createTeamFromLdap = createTeamFromLdap(searchResultEntry);
                        setAdminAttribute(createTeamFromLdap);
                        this.userManager.updateTeamModel(createTeamFromLdap);
                    }
                }
            }
        }
        this.logger.info("Finished fetching empty teams from ldap.");
    }

    private SearchResult searchTeamsInLdap(LdapConnection ldapConnection, String str, boolean z, String str2, List<String> list) {
        SearchResult search = ldapConnection.search(str, z, str2, list);
        if (search == null) {
            return null;
        }
        if (search.getResultCode() != ResultCode.SUCCESS) {
            this.logger.debug("Rebinding as user to search for teams in LDAP");
            search = null;
            if (ldapConnection.rebindAsUser()) {
                search = ldapConnection.search(str, z, str2, list);
                if (search.getResultCode() != ResultCode.SUCCESS) {
                    return null;
                }
                this.logger.info("Successful search after rebinding as user.");
            }
        }
        return search;
    }

    private TeamModel createTeamFromLdap(SearchResultEntry searchResultEntry) {
        TeamModel teamModel = new TeamModel(searchResultEntry.getAttributeValue("cn"));
        teamModel.accountType = getAccountType();
        return teamModel;
    }

    private SearchResult doSearch(LdapConnection ldapConnection, String str, String str2) {
        try {
            SearchResult search = ldapConnection.search(new SearchRequest(str, SearchScope.SUB, str2, new String[0]));
            if (search.getResultCode() != ResultCode.SUCCESS) {
                return null;
            }
            return search;
        } catch (LDAPException e) {
            this.logger.error("Problem creating LDAP search", e);
            return null;
        }
    }

    protected String getSimpleUsername(String str) {
        int lastIndexOf = str.lastIndexOf(92);
        if (lastIndexOf > -1) {
            str = str.substring(lastIndexOf + 1);
        }
        return str;
    }

    private void configureSyncService() {
        LdapSyncService ldapSyncService = new LdapSyncService(this.settings, this);
        if (!ldapSyncService.isReady()) {
            this.logger.info("Ldap sync service is disabled.");
            return;
        }
        long synchronizationPeriodInMilliseconds = getSynchronizationPeriodInMilliseconds();
        this.logger.info("Ldap sync service will update users and groups every {} minutes.", Long.valueOf(TimeUnit.MILLISECONDS.toMinutes(synchronizationPeriodInMilliseconds)));
        this.scheduledExecutorService.scheduleAtFixedRate(ldapSyncService, 1, synchronizationPeriodInMilliseconds, TimeUnit.MILLISECONDS);
    }
}
