package id.onyx.obdp.server.serveraction.kerberos;

import com.google.common.reflect.TypeToken;
import com.google.gson.Gson;
import com.google.inject.Inject;
import id.onyx.obdp.server.configuration.Configuration;
import id.onyx.obdp.server.controller.KerberosHelper;
import id.onyx.obdp.server.controller.internal.PrivilegeResourceProvider;
import id.onyx.obdp.server.security.InternalSSLSocketFactoryNonTrusting;
import id.onyx.obdp.server.security.InternalSSLSocketFactoryTrusting;
import id.onyx.obdp.server.security.credential.PrincipalKeyCredential;
import java.io.StringWriter;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Properties;
import java.util.regex.Pattern;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.InvalidNameException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLHandshakeException;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.Velocity;
import org.apache.velocity.exception.MethodInvocationException;
import org.apache.velocity.exception.ParseErrorException;
import org.apache.velocity.exception.ResourceNotFoundException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:id/onyx/obdp/server/serveraction/kerberos/ADKerberosOperationHandler.class */
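/**
 * {@link KerberosOperationHandler} that manages Kerberos principals stored in Microsoft Active
 * Directory, accessed over LDAPS.
 *
 * <p>Each principal is a directory object directly below {@code principalContainerDn}. The object's
 * attributes are produced by rendering a Velocity template (the kerberos-env value
 * {@code KERBEROS_ENV_AD_CREATE_ATTRIBUTES_TEMPLATE}, or a built-in default) into JSON. Passwords are
 * written through the {@code unicodePwd} attribute, which Active Directory requires to be the
 * double-quoted password encoded as UTF-16LE.
 *
 * <p>Only {@code ldaps://} URLs are accepted by {@link #open}, so the administrator credential and
 * principal passwords are never sent in clear text. Whether the directory's TLS certificate is
 * validated is controlled by {@link Configuration#validateKerberosOperationSSLCertTrust()}.
 *
 * <p>Instances are not thread-safe: the open {@link LdapContext} and {@link SearchControls} are held
 * in plain fields that {@link #open} and {@link #close} replace.
 */
public class ADKerberosOperationHandler extends KerberosOperationHandler {
    private static final Logger LOG = LoggerFactory.getLogger(ADKerberosOperationHandler.class);
    private static final String LDAP_CONTEXT_FACTORY_CLASS = "com.sun.jndi.ldap.LdapCtxFactory";

    /** JNDI property selecting the SSL socket factory; it is LDAP-provider specific, so {@link Context} has no constant for it. */
    private static final String LDAP_SOCKET_FACTORY_PROPERTY = "java.naming.ldap.factory.socket";

    /** Active Directory attribute that carries the account password (quoted, UTF-16LE). */
    private static final String UNICODE_PWD_ATTRIBUTE = "unicodePwd";

    /** Characters Active Directory rejects in {@code sAMAccountName}; each match is replaced by {@code _}. */
    private static final Pattern SAM_ACCOUNT_NAME_INVALID_CHARS =
            Pattern.compile("\\[|\\]|\\:|\\;|\\||\\=|\\+|\\*|\\?|\\<|\\>|\\/|\\\\|\\,|\\s");

    /**
     * Template used when kerberos-env does not provide {@code KERBEROS_ENV_AD_CREATE_ATTRIBUTES_TEMPLATE}.
     * The Velocity variables come from the context built in {@link #createPrincipal}.
     */
    private static final String DEFAULT_CREATE_TEMPLATE =
            "{\"objectClass\": [\"top\", \"person\", \"organizationalPerson\", \"user\"],\"cn\": \"$principal_name\",#if( $is_service )  \"servicePrincipalName\": \"$principal_name\",#end\"userPrincipalName\": \"$normalized_principal\",\"unicodePwd\": \"$password\",\"accountExpires\": \"0\",\"userAccountControl\": \"66048\"}";

    // Connection settings captured by open(); reset to their defaults by close() only where noted.
    private String ldapUrl;
    private String principalContainerDn;
    private LdapName principalContainerLdapName;
    private String createTemplate;
    private LdapContext ldapContext;
    private SearchControls searchControls;

    /** JSON parser for the rendered create template; injected, must be non-null before createPrincipal is used. */
    @Inject
    private Gson gson;

    /** Server configuration; consulted for the TLS certificate-validation setting. */
    @Inject
    private Configuration configuration;

    /**
     * Opens an LDAPS connection to the Active Directory described by {@code kerberosConfiguration}.
     *
     * <p>Any previously opened connection is closed first. The handler is marked open only after the
     * LDAP context was successfully created and bound with the administrator credential.
     *
     * @param administratorCredential credential used to bind to the directory
     * @param realm                   the Kerberos realm (passed through to the superclass)
     * @param kerberosConfiguration   the kerberos-env configuration; must contain an {@code ldaps://} URL and the
     *                                principal container DN
     * @throws KerberosAdminAuthenticationException if no credential is given, or the bind is rejected
     * @throws KerberosRealmException               if the realm or configuration is null
     * @throws KerberosKDCConnectionException       if the LDAP URL is missing, is not {@code ldaps://}, or the
     *                                              directory cannot be reached
     * @throws KerberosLDAPContainerException       if the container DN is missing or not a valid LDAP name
     * @throws KerberosOperationException           for any other failure while connecting
     */
    @Override
    public void open(PrincipalKeyCredential administratorCredential, String realm, Map<String, String> kerberosConfiguration)
            throws KerberosOperationException {
        if (isOpen()) {
            close();
        }
        if (administratorCredential == null) {
            throw new KerberosAdminAuthenticationException("administrator credential not provided");
        }
        if (realm == null) {
            throw new KerberosRealmException("realm not provided");
        }
        if (kerberosConfiguration == null) {
            throw new KerberosRealmException("kerberos-env configuration may not be null");
        }

        ldapUrl = kerberosConfiguration.get(KerberosOperationHandler.KERBEROS_ENV_LDAP_URL);
        if (ldapUrl == null) {
            throw new KerberosKDCConnectionException("ldapUrl not provided");
        }
        // Plain ldap:// is refused: the bind password and every unicodePwd write would otherwise be sent in clear text.
        if (!ldapUrl.startsWith("ldaps://")) {
            throw new KerberosKDCConnectionException("ldapUrl is not valid ldaps URL");
        }

        principalContainerDn = kerberosConfiguration.get(KerberosOperationHandler.KERBEROS_ENV_PRINCIPAL_CONTAINER_DN);
        if (principalContainerDn == null) {
            throw new KerberosLDAPContainerException("principalContainerDn not provided");
        }

        try {
            principalContainerLdapName = new LdapName(principalContainerDn);
        } catch (InvalidNameException e) {
            throw new KerberosLDAPContainerException("principalContainerDn is not a valid LDAP name", e);
        }

        super.open(administratorCredential, realm, kerberosConfiguration);
        ldapContext = createLdapContext();
        searchControls = createSearchControls();
        createTemplate = kerberosConfiguration.get(KerberosOperationHandler.KERBEROS_ENV_AD_CREATE_ATTRIBUTES_TEMPLATE);
        setOpen(true);
    }

    /**
     * Closes the LDAP context (if any) and marks the handler closed.
     *
     * <p>The context reference is dropped even when closing it fails, so a failed close cannot leave the
     * handler pointing at a half-closed connection.
     *
     * @throws KerberosOperationException if the LDAP context could not be closed
     */
    @Override
    public void close() throws KerberosOperationException {
        searchControls = null;
        try {
            if (ldapContext != null) {
                try {
                    ldapContext.close();
                } catch (NamingException e) {
                    throw new KerberosOperationException("Unexpected error", e);
                }
            }
            setOpen(false);
        } finally {
            ldapContext = null;
        }
    }

    /**
     * Reports whether a directory object with the given principal's {@code userPrincipalName} exists.
     *
     * @param principal the principal, normalized before lookup
     * @param service   ignored; kept for interface compatibility
     * @return {@code true} if a matching object was found
     * @throws KerberosOperationException if the handler is not open, {@code principal} is null, or the search fails
     */
    @Override
    public boolean principalExists(String principal, boolean service) throws KerberosOperationException {
        requireOpen();
        if (principal == null) {
            throw new KerberosOperationException("principal is null");
        }
        try {
            return findPrincipalDN(createDeconstructPrincipal(principal).getNormalizedPrincipal()) != null;
        } catch (NamingException e) {
            throw new KerberosOperationException("can not check if principal exists: " + principal, e);
        }
    }

    /**
     * Creates a directory object for the principal from the rendered create template.
     *
     * <p>The template output is a JSON object whose keys become LDAP attributes, with three exceptions:
     * {@code cn} also becomes the RDN of the new object, {@code sAMAccountName} has characters Active
     * Directory disallows replaced by {@code _}, and {@code unicodePwd} is never taken from the rendered
     * text but built from {@code password} directly (the template only decides whether it is set).
     *
     * @param principal the principal to create
     * @param password  the principal's password
     * @param service   whether the principal is a service principal (exposed to the template as {@code is_service})
     * @return {@code 0} on success
     * @throws KerberosPrincipalAlreadyExistsException if the principal already exists
     * @throws KerberosOperationException              if the handler is not open, an argument is null, the template cannot
     *                                                 be rendered or parsed, or the directory rejects the new object
     */
    @Override
    public Integer createPrincipal(String principal, String password, boolean service) throws KerberosOperationException {
        requireOpen();
        if (principal == null) {
            throw new KerberosOperationException("principal is null");
        }
        if (password == null) {
            throw new KerberosOperationException("principal password is null");
        }
        if (principalExists(principal, service)) {
            throw new KerberosPrincipalAlreadyExistsException(principal);
        }

        DeconstructedPrincipal deconstructed = createDeconstructPrincipal(principal);
        String realm = deconstructed.getRealm();
        if (realm == null) {
            // The decompiled listing referenced Configuration.JDBC_IN_MEMORY_PASSWORD here, an empty-string constant.
            realm = "";
        }

        // Variables visible to the Velocity template. The decompiled listing used the same-valued constants
        // PrivilegeResourceProvider.PRINCIPAL_NAME_PROPERTY_ID and KerberosHelper.DEFAULT_REALM for the two named keys;
        // the default template depends on "principal_name" and "realm" literally.
        Map<String, Object> context = new HashMap<>();
        context.put("normalized_principal", deconstructed.getNormalizedPrincipal());
        context.put("principal_name", deconstructed.getPrincipalName());
        context.put("principal_primary", deconstructed.getPrimary());
        context.put("principal_instance", deconstructed.getInstance());
        context.put("realm", realm);
        context.put("realm_lowercase", realm.toLowerCase());
        // NOTE(review): the default template renders $password unescaped into JSON; a password containing
        // '"' or '\' would presumably make the Gson parse fail — confirm how such passwords are generated upstream.
        context.put("password", password);
        context.put("is_service", service);
        context.put(KerberosOperationHandler.KERBEROS_ENV_PRINCIPAL_CONTAINER_DN, principalContainerDn);
        // Digests are offered to the template for deriving names; they are not used for any authentication purpose.
        context.put("principal_digest", DigestUtils.sha1Hex(deconstructed.getNormalizedPrincipal()));
        context.put("principal_digest_256", DigestUtils.sha256Hex(deconstructed.getNormalizedPrincipal()));
        context.put("principal_digest_512", DigestUtils.sha512Hex(deconstructed.getNormalizedPrincipal()));

        Map<String, Object> templateAttributes = processCreateTemplate(context);
        BasicAttributes attributes = new BasicAttributes();
        String cn = null;
        if (templateAttributes != null) {
            for (Map.Entry<String, Object> entry : templateAttributes.entrySet()) {
                String name = entry.getKey();
                Object value = entry.getValue();

                if (UNICODE_PWD_ATTRIBUTE.equals(name)) {
                    // Only the presence of a string value matters; the attribute is encoded from the real password.
                    if (value instanceof String) {
                        attributes.put(new BasicAttribute(UNICODE_PWD_ATTRIBUTE, encodeUnicodePwd(password)));
                    }
                    continue;
                }

                BasicAttribute attribute = new BasicAttribute(name);
                if (value instanceof Collection) {
                    for (Object item : (Collection<?>) value) {
                        attribute.add(item);
                    }
                } else {
                    if ("cn".equals(name) && value != null) {
                        cn = value.toString();
                    } else if ("sAMAccountName".equals(name) && value != null) {
                        value = SAM_ACCOUNT_NAME_INVALID_CHARS.matcher(value.toString()).replaceAll("_");
                    }
                    attribute.add(value);
                }
                attributes.put(attribute);
            }
        }
        if (cn == null) {
            cn = deconstructed.getNormalizedPrincipal();
        }

        try {
            // New object lives directly under the container: <container DN> + cn=<cn>.
            LdapName objectName = new LdapName(principalContainerLdapName.getRdns());
            objectName.add(objectName.size(), new Rdn("cn", cn));
            ldapContext.createSubcontext(objectName, attributes);
            return 0;
        } catch (NamingException e) {
            throw new KerberosOperationException("Can not create principal : " + principal, e);
        }
    }

    /**
     * Replaces the password of an existing principal by rewriting its {@code unicodePwd} attribute.
     *
     * @param principal the principal whose password is changed
     * @param password  the new password
     * @param service   passed through to {@link #principalExists}; otherwise unused
     * @return {@code 0} on success
     * @throws KerberosPrincipalDoesNotExistException if the principal does not exist
     * @throws KerberosOperationException             if the handler is not open, an argument is null, the principal
     *                                                vanishes between the existence check and the update, or the
     *                                                directory rejects the modification
     */
    @Override
    public Integer setPrincipalPassword(String principal, String password, boolean service) throws KerberosOperationException {
        requireOpen();
        if (principal == null) {
            throw new KerberosOperationException("principal is null");
        }
        if (password == null) {
            throw new KerberosOperationException("principal password is null");
        }
        if (!principalExists(principal, service)) {
            throw new KerberosPrincipalDoesNotExistException(principal);
        }
        try {
            String dn = findPrincipalDN(createDeconstructPrincipal(principal).getNormalizedPrincipal());
            if (dn == null) {
                throw new KerberosOperationException(String.format("Can not set password for principal %s: Not Found", principal));
            }
            ModificationItem replacePassword = new ModificationItem(
                    DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute(UNICODE_PWD_ATTRIBUTE, encodeUnicodePwd(password)));
            ldapContext.modifyAttributes(new LdapName(dn), new ModificationItem[] {replacePassword});
            return 0;
        } catch (NamingException e) {
            throw new KerberosOperationException(String.format("Can not set password for principal %s: %s", principal, e.getMessage()), e);
        }
    }

    /**
     * Deletes the principal's directory object if it exists.
     *
     * @param principal the principal to remove
     * @param service   ignored; kept for interface compatibility
     * @return {@code true} (also when nothing was found to delete)
     * @throws KerberosOperationException if the handler is not open, {@code principal} is null, or the directory
     *                                    operation fails
     */
    @Override
    public boolean removePrincipal(String principal, boolean service) throws KerberosOperationException {
        requireOpen();
        if (principal == null) {
            throw new KerberosOperationException("principal is null");
        }
        try {
            String dn = findPrincipalDN(createDeconstructPrincipal(principal).getNormalizedPrincipal());
            if (dn != null) {
                ldapContext.destroySubcontext(new LdapName(dn));
            }
            return true;
        } catch (NamingException e) {
            throw new KerberosOperationException(String.format("Can not remove principal %s: %s", principal, e.getMessage()), e);
        }
    }

    /**
     * Reports whether the administrator credential is usable.
     *
     * <p>Binding happens in {@link #open}, so an open handler implies the credential was accepted.
     *
     * @return {@code true} when the handler is open
     * @throws KerberosOperationException if the handler has not been opened
     */
    @Override
    public boolean testAdministratorCredentials() throws KerberosOperationException {
        requireOpen();
        return true;
    }

    /**
     * Builds and binds the JNDI LDAP context using the administrator credential.
     *
     * <p>For {@code ldaps} URLs the socket factory is chosen from configuration: when
     * {@code validateKerberosOperationSSLCertTrust()} is true the non-trusting factory is used, otherwise
     * the trusting one (which, by its name, presumably accepts any server certificate — keep validation
     * enabled outside test environments).
     *
     * @return a bound LDAP context
     * @throws KerberosKDCSSLConnectionException   if the TLS handshake failed
     * @throws KerberosKDCConnectionException      if the directory could not be reached or the URL could not be parsed
     * @throws KerberosAdminAuthenticationException if the bind was rejected
     * @throws KerberosOperationException          for any other naming failure
     */
    protected LdapContext createLdapContext() throws KerberosOperationException {
        PrincipalKeyCredential adminCredential = getAdministratorCredential();

        Properties env = new Properties();
        env.put(Context.INITIAL_CONTEXT_FACTORY, LDAP_CONTEXT_FACTORY_CLASS);
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_PRINCIPAL, adminCredential.getPrincipal());
        env.put(Context.SECURITY_CREDENTIALS, String.valueOf(adminCredential.getKey()));
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.REFERRAL, "follow");
        if (ldapUrl.startsWith("ldaps")) {
            String socketFactory = configuration.validateKerberosOperationSSLCertTrust()
                    ? InternalSSLSocketFactoryNonTrusting.class.getName()
                    : InternalSSLSocketFactoryTrusting.class.getName();
            env.put(LDAP_SOCKET_FACTORY_PROPERTY, socketFactory);
        }

        // CommunicationException and AuthenticationException extend NamingException, so they must be
        // caught first; the generic handler below only sees the remaining naming failures.
        try {
            return createInitialLdapContext(env, null);
        } catch (CommunicationException e) {
            String message = String.format("Failed to communicate with the Active Directory at %s: %s", ldapUrl, e.getMessage());
            LOG.warn(message, e);
            if (e.getRootCause() instanceof SSLHandshakeException) {
                throw new KerberosKDCSSLConnectionException(message, e);
            }
            throw new KerberosKDCConnectionException(message, e);
        } catch (AuthenticationException e) {
            String message = String.format("Failed to authenticate with the Active Directory at %s: %s", ldapUrl, e.getMessage());
            LOG.warn(message, e);
            throw new KerberosAdminAuthenticationException(message, e);
        } catch (NamingException e) {
            String error = e.getMessage();
            if (error == null || error.isEmpty()) {
                throw new KerberosOperationException("Unexpected error condition", e);
            }
            String message = String.format("Failed to communicate with the Active Directory at %s: %s", ldapUrl, error);
            LOG.warn(message, e);
            if (error.startsWith("Cannot parse url:")) {
                throw new KerberosKDCConnectionException(message, e);
            }
            throw new KerberosOperationException(message, e);
        }
    }

    /**
     * Creates the initial LDAP context; overridable so tests can substitute a fake directory.
     *
     * @param properties JNDI environment
     * @param controls   request controls, may be null
     * @return the new context
     * @throws NamingException if the context cannot be created or bound
     */
    protected LdapContext createInitialLdapContext(Properties properties, Control[] controls) throws NamingException {
        return new InitialLdapContext(properties, controls);
    }

    /**
     * Search controls for principal lookups: one level below the container, returning only {@code cn}.
     *
     * @return the controls used by {@link #findPrincipalDN}
     */
    protected SearchControls createSearchControls() {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.ONELEVEL_SCOPE);
        controls.setReturningAttributes(new String[] {"cn"});
        return controls;
    }

    /**
     * Renders the create template with the given variables and parses the result as a JSON object.
     *
     * @param context variables available to the Velocity template
     * @return the parsed attribute map, or {@code null} if Velocity reported that evaluation did not succeed
     * @throws KerberosOperationException if no JSON parser was injected, or the template cannot be rendered or parsed
     */
    protected Map<String, Object> processCreateTemplate(Map<String, Object> context) throws KerberosOperationException {
        if (gson == null) {
            throw new KerberosOperationException("The JSON parser must not be null");
        }
        String template = (createTemplate == null || createTemplate.isEmpty()) ? DEFAULT_CREATE_TEMPLATE : createTemplate;
        StringWriter rendered = new StringWriter();
        try {
            Map<String, Object> attributes = null;
            if (Velocity.evaluate(new VelocityContext(context), rendered, "Active Directory principal create template", template)) {
                attributes = gson.fromJson(rendered.toString(), new TypeToken<Map<String, Object>>() {}.getType());
            }
            return attributes;
        } catch (MethodInvocationException | ResourceNotFoundException e) {
            LOG.warn("Failed to process Active Directory create principal template", e);
            throw new KerberosOperationException("Failed to process Active Directory create principal template", e);
        } catch (ParseErrorException e) {
            LOG.warn("Failed to parse Active Directory create principal template", e);
            throw new KerberosOperationException("Failed to parse Active Directory create principal template", e);
        }
    }

    /**
     * Looks up the DN of the object whose {@code userPrincipalName} equals the normalized principal.
     *
     * <p>The principal is escaped per RFC 4515 before being placed in the search filter, so a principal
     * containing filter metacharacters cannot widen or alter the search.
     *
     * @param normalizedPrincipal the normalized principal; {@code null} yields {@code null}
     * @return the DN of the first match, or {@code null} if none
     * @throws NamingException if the search fails
     */
    private String findPrincipalDN(String normalizedPrincipal) throws NamingException, KerberosOperationException {
        if (normalizedPrincipal == null) {
            return null;
        }
        String filter = String.format("(userPrincipalName=%s)", escapeLdapFilterValue(normalizedPrincipal));
        NamingEnumeration<SearchResult> results = ldapContext.search(principalContainerLdapName, filter, searchControls);
        if (results == null) {
            return null;
        }
        try {
            return results.hasMore() ? results.next().getNameInNamespace() : null;
        } finally {
            try {
                results.close();
            } catch (NamingException ignored) {
                // Best-effort cleanup: the lookup result (or the exception already in flight) takes precedence.
            }
        }
    }

    /**
     * Encodes a password the way Active Directory expects for {@code unicodePwd}: wrapped in double quotes
     * and encoded as UTF-16LE.
     *
     * @param password the clear-text password
     * @return the attribute value bytes
     */
    private static byte[] encodeUnicodePwd(String password) {
        return String.format("\"%s\"", password).getBytes(StandardCharsets.UTF_16LE);
    }

    /**
     * Escapes an assertion value for use inside an LDAP search filter (RFC 4515 section 3).
     *
     * @param value the raw value
     * @return the value with {@code \ * ( )} and NUL replaced by their {@code \XX} escapes
     */
    private static String escapeLdapFilterValue(String value) {
        StringBuilder escaped = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\':
                    escaped.append("\\5c");
                    break;
                case '*':
                    escaped.append("\\2a");
                    break;
                case '(':
                    escaped.append("\\28");
                    break;
                case ')':
                    escaped.append("\\29");
                    break;
                case '\0':
                    escaped.append("\\00");
                    break;
                default:
                    escaped.append(c);
            }
        }
        return escaped.toString();
    }

    /**
     * Guards every directory operation: the handler must have been opened successfully.
     *
     * @throws KerberosOperationException if {@link #open} has not completed
     */
    private void requireOpen() throws KerberosOperationException {
        if (!isOpen()) {
            throw new KerberosOperationException("This operation handler has not been opened");
        }
    }
}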
