package org.keycloak.storage.ldap.idm.store.ldap;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import javax.naming.AuthenticationException;
import javax.naming.NameAlreadyBoundException;
import javax.naming.NameNotFoundException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.AttributeInUseException;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.ModificationItem;
import javax.naming.directory.NoSuchAttributeException;
import javax.naming.directory.SchemaViolationException;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;
import org.jboss.logging.Logger;
import org.keycloak.common.util.Base64;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelException;
import org.keycloak.representations.idm.LDAPCapabilityRepresentation;
import org.keycloak.storage.ldap.LDAPConfig;
import org.keycloak.storage.ldap.idm.model.LDAPDn;
import org.keycloak.storage.ldap.idm.model.LDAPObject;
import org.keycloak.storage.ldap.idm.query.Condition;
import org.keycloak.storage.ldap.idm.query.internal.EqualCondition;
import org.keycloak.storage.ldap.idm.query.internal.LDAPQuery;
import org.keycloak.storage.ldap.idm.query.internal.LDAPQueryConditionsBuilder;
import org.keycloak.storage.ldap.idm.store.IdentityStore;
import org.keycloak.storage.ldap.mappers.LDAPOperationDecorator;

/* loaded from: input_file:org/keycloak/storage/ldap/idm/store/ldap/LDAPIdentityStore.class */
public class LDAPIdentityStore implements IdentityStore {
    private static final Logger logger = Logger.getLogger(LDAPIdentityStore.class);
    private static final Pattern rangePattern = Pattern.compile("([^;]+);range=([0-9]+)-([0-9]+|\\*)");
    private final LDAPConfig config;
    private final LDAPOperationManager operationManager;

    public LDAPIdentityStore(KeycloakSession keycloakSession, LDAPConfig lDAPConfig) {
        this.config = lDAPConfig;
        this.operationManager = new LDAPOperationManager(keycloakSession, lDAPConfig);
    }

    @Override // org.keycloak.storage.ldap.idm.store.IdentityStore
    public LDAPConfig getConfig() {
        return this.config;
    }

    @Override // org.keycloak.storage.ldap.idm.store.IdentityStore
    public void add(LDAPObject lDAPObject) {
        if (lDAPObject.getUuid() != null) {
            throw new ModelException("Can't add object with already assigned uuid");
        }
        lDAPObject.setUuid(this.operationManager.createSubContext(lDAPObject.getDn().getLdapName(), extractAttributesForSaving(lDAPObject, true)));
        if (logger.isDebugEnabled()) {
            logger.debugf("Type with identifier [%s] and dn [%s] successfully added to LDAP store.", lDAPObject.getUuid(), lDAPObject.getDn());
        }
    }

    @Override // org.keycloak.storage.ldap.idm.store.IdentityStore
    public void addMemberToGroup(LdapName ldapName, String str, String str2) {
        try {
            this.operationManager.modifyAttributesNaming(ldapName, new ModificationItem[]{new ModificationItem(1, new BasicAttribute(str, str2))}, null);
        } catch (AttributeInUseException | NameAlreadyBoundException e) {
            logger.debugf("Group %s already contains the member %s", ldapName, str2);
        } catch (NamingException e2) {
            throw new ModelException("Could not modify attribute for DN [" + String.valueOf(ldapName) + "]", e2);
        }
    }

    @Override // org.keycloak.storage.ldap.idm.store.IdentityStore
    public void removeMemberFromGroup(LdapName ldapName, String str, String str2) {
        ModificationItem modificationItem = new ModificationItem(3, new BasicAttribute(str, str2));
        try {
            this.operationManager.modifyAttributesNaming(ldapName, new ModificationItem[]{modificationItem}, null);
        } catch (SchemaViolationException e) {
            logger.infof("Schema violation in group %s removing member %s. Trying adding empty member attribute.", ldapName, str2);
            try {
                this.operationManager.modifyAttributesNaming(ldapName, new ModificationItem[]{modificationItem, new ModificationItem(1, new BasicAttribute(str, "cn=empty-membership-placeholder"))}, null);
            } catch (NamingException e2) {
                throw new ModelException("Could not modify attribute for DN [" + String.valueOf(ldapName) + "]", e2);
            }
        } catch (NamingException e3) {
            throw new ModelException("Could not modify attribute for DN [" + String.valueOf(ldapName) + "]", e3);
        } catch (NoSuchAttributeException e4) {
            logger.debugf("Group %s does not contain the member %s", ldapName, str2);
        }
    }

    @Override // org.keycloak.storage.ldap.idm.store.IdentityStore
    public void update(LDAPObject lDAPObject) {
        checkRename(lDAPObject);
        this.operationManager.modifyAttributes(lDAPObject.getDn().getLdapName(), extractAttributesForSaving(lDAPObject, false).getAll());
        if (logger.isDebugEnabled()) {
            logger.debugf("Type with identifier [%s] and DN [%s] successfully updated to LDAP store.", lDAPObject.getUuid(), lDAPObject.getDn());
        }
    }

    protected void checkRename(LDAPObject lDAPObject) {
        String attributeAsString;
        LDAPDn.RDN firstRdn = lDAPObject.getDn().getFirstRdn();
        LdapName ldapName = lDAPObject.getDn().getLdapName();
        List<String> allKeys = firstRdn.getAllKeys();
        allKeys.retainAll(lDAPObject.getRdnAttributeNames());
        List<String> allKeys2 = firstRdn.getAllKeys();
        allKeys2.removeAll(lDAPObject.getRdnAttributeNames());
        ArrayList<String> arrayList = new ArrayList(lDAPObject.getRdnAttributeNames());
        arrayList.removeAll(firstRdn.getAllKeys());
        boolean z = false;
        for (String str : allKeys) {
            if (!lDAPObject.getReadOnlyAttributeNames().contains(str.toLowerCase()) && (attributeAsString = lDAPObject.getAttributeAsString(str)) != null && !firstRdn.getAttrValue(str).equalsIgnoreCase(attributeAsString)) {
                z = true;
                firstRdn.setAttrValue(str, attributeAsString);
            }
        }
        for (String str2 : arrayList) {
            String attributeAsString2 = lDAPObject.getAttributeAsString(str2);
            if (attributeAsString2 != null) {
                z = true;
                firstRdn.setAttrValue(str2, attributeAsString2);
            }
        }
        Iterator<String> it = allKeys2.iterator();
        while (it.hasNext()) {
            z |= firstRdn.removeAttrValue(it.next());
        }
        if (z) {
            LDAPDn parentDn = lDAPObject.getDn().getParentDn();
            parentDn.addFirst(firstRdn);
            LdapName ldapName2 = parentDn.getLdapName();
            logger.debugf("Renaming LDAP Object. Old DN: [%s], New DN: [%s]", ldapName, ldapName2);
            lDAPObject.setDn(LDAPDn.fromLdapName(this.operationManager.renameEntry(ldapName, ldapName2, true)));
        }
    }

    @Override // org.keycloak.storage.ldap.idm.store.IdentityStore
    public void remove(LDAPObject lDAPObject) {
        this.operationManager.removeEntry(lDAPObject.getDn().getLdapName());
        if (logger.isDebugEnabled()) {
            logger.debugf("Type with identifier [%s] and DN [%s] successfully removed from LDAP store.", lDAPObject.getUuid(), lDAPObject.getDn().toString());
        }
    }

    @Override // org.keycloak.storage.ldap.idm.store.IdentityStore
    public List<LDAPObject> fetchQueryResults(LDAPQuery lDAPQuery) {
        if (lDAPQuery.getSorting() != null && !lDAPQuery.getSorting().isEmpty()) {
            throw new ModelException("LDAP Identity Store does not yet support sorted queries.");
        }
        ArrayList arrayList = new ArrayList();
        try {
            LdapName searchDn = lDAPQuery.getSearchDn();
            for (Condition condition : lDAPQuery.getConditions()) {
                String uuidLDAPAttributeName = getConfig().getUuidLDAPAttributeName();
                if (condition instanceof EqualCondition) {
                    EqualCondition equalCondition = (EqualCondition) condition;
                    if (equalCondition.getParameterName().equalsIgnoreCase(uuidLDAPAttributeName)) {
                        SearchResult lookupById = this.operationManager.lookupById(searchDn, equalCondition.getValue().toString(), lDAPQuery.getReturningLdapAttributes());
                        if (lookupById != null) {
                            arrayList.add(populateAttributedType(lookupById, lDAPQuery));
                        }
                        return arrayList;
                    }
                }
            }
            Condition createIdentityTypeSearchFilter = createIdentityTypeSearchFilter(lDAPQuery);
            for (SearchResult searchResult : (!getConfig().isPagination() || lDAPQuery.getLimit() <= 0) ? this.operationManager.search(searchDn, createIdentityTypeSearchFilter, lDAPQuery.getReturningLdapAttributes(), lDAPQuery.getSearchScope()) : this.operationManager.searchPaginated(searchDn, createIdentityTypeSearchFilter, lDAPQuery)) {
                if (lDAPQuery.getSearchScope() != 2 || !searchDn.equals(new LdapName(searchResult.getNameInNamespace()))) {
                    arrayList.add(populateAttributedType(searchResult, lDAPQuery));
                }
            }
            return arrayList;
        } catch (NameNotFoundException e) {
            if (lDAPQuery.getSearchScope() == 0) {
                return Collections.emptyList();
            }
            throw new ModelException("Querying of LDAP failed " + String.valueOf(lDAPQuery), e);
        } catch (Exception e2) {
            throw new ModelException("Querying of LDAP failed " + String.valueOf(lDAPQuery), e2);
        }
    }

    @Override // org.keycloak.storage.ldap.idm.store.IdentityStore
    public int countQueryResults(LDAPQuery lDAPQuery) {
        int limit = lDAPQuery.getLimit();
        lDAPQuery.setLimit(0);
        int size = lDAPQuery.getResultList().size();
        lDAPQuery.setLimit(limit);
        return size;
    }

    @Override // org.keycloak.storage.ldap.idm.store.IdentityStore
    public Set<LDAPCapabilityRepresentation> queryServerCapabilities() {
        LinkedHashSet linkedHashSet = new LinkedHashSet();
        try {
            ArrayList<String> arrayList = new ArrayList();
            arrayList.add("supportedControl");
            arrayList.add("supportedExtension");
            arrayList.add("supportedFeatures");
            List<SearchResult> search = this.operationManager.search(new LdapName(Collections.emptyList()), new LDAPQueryConditionsBuilder().present("objectclass"), Collections.unmodifiableCollection(arrayList), 0);
            if (search.size() != 1) {
                throw new ModelException("Could not query root DSE: unexpected result size");
            }
            Attributes attributes = search.get(0).getAttributes();
            for (String str : arrayList) {
                Attribute attribute = attributes.get(str);
                if (null != attribute) {
                    LDAPCapabilityRepresentation.CapabilityType fromRootDseAttributeName = LDAPCapabilityRepresentation.CapabilityType.fromRootDseAttributeName(str);
                    NamingEnumeration all = attribute.getAll();
                    while (all.hasMoreElements()) {
                        LDAPCapabilityRepresentation lDAPCapabilityRepresentation = new LDAPCapabilityRepresentation(all.nextElement(), fromRootDseAttributeName);
                        logger.info("rootDSE query: " + String.valueOf(lDAPCapabilityRepresentation));
                        linkedHashSet.add(lDAPCapabilityRepresentation);
                    }
                }
            }
            return linkedHashSet;
        } catch (NamingException e) {
            throw new ModelException("Failed to query root DSE: " + e.getMessage(), e);
        }
    }

    @Override // org.keycloak.storage.ldap.idm.store.IdentityStore
    public void validatePassword(LDAPObject lDAPObject, String str) throws AuthenticationException {
        if (logger.isTraceEnabled()) {
            logger.tracef("Using DN [%s] for authentication of user", lDAPObject.getDn());
        }
        this.operationManager.authenticate(lDAPObject.getDn().getLdapName(), str);
    }

    @Override // org.keycloak.storage.ldap.idm.store.IdentityStore
    public void updatePassword(LDAPObject lDAPObject, String str, LDAPOperationDecorator lDAPOperationDecorator) {
        if (logger.isDebugEnabled()) {
            logger.debugf("Using DN [%s] for updating LDAP password of user", lDAPObject.getDn());
        }
        if (getConfig().isActiveDirectory()) {
            updateADPassword(lDAPObject.getDn().getLdapName(), str, lDAPOperationDecorator);
            return;
        }
        try {
            if (this.config.useExtendedPasswordModifyOp()) {
                this.operationManager.passwordModifyExtended(lDAPObject.getDn().getLdapName(), str, lDAPOperationDecorator);
            } else {
                this.operationManager.modifyAttributes(lDAPObject.getDn().getLdapName(), new ModificationItem[]{new ModificationItem(2, new BasicAttribute("userpassword", str))}, lDAPOperationDecorator);
            }
        } catch (ModelException e) {
            throw e;
        } catch (Exception e2) {
            throw new ModelException("Error updating password.", e2);
        }
    }

    private void updateADPassword(LdapName ldapName, String str, LDAPOperationDecorator lDAPOperationDecorator) {
        try {
            BasicAttribute basicAttribute = new BasicAttribute("unicodePwd", ("\"" + str + "\"").getBytes("UTF-16LE"));
            ArrayList arrayList = new ArrayList();
            arrayList.add(new ModificationItem(2, basicAttribute));
            this.operationManager.modifyAttributes(ldapName, (ModificationItem[]) arrayList.toArray(new ModificationItem[0]), lDAPOperationDecorator);
        } catch (ModelException e) {
            throw e;
        } catch (Exception e2) {
            throw new ModelException("Error updating password", e2);
        }
    }

    protected Condition createIdentityTypeSearchFilter(LDAPQuery lDAPQuery) {
        LDAPQueryConditionsBuilder lDAPQueryConditionsBuilder = new LDAPQueryConditionsBuilder();
        LinkedHashSet linkedHashSet = new LinkedHashSet(lDAPQuery.getConditions());
        addObjectClassesConditions(lDAPQueryConditionsBuilder, lDAPQuery.getObjectClasses(), linkedHashSet);
        return lDAPQueryConditionsBuilder.andCondition((Condition[]) linkedHashSet.toArray(i -> {
            return new Condition[i];
        }));
    }

    private Set<Condition> addObjectClassesConditions(LDAPQueryConditionsBuilder lDAPQueryConditionsBuilder, Collection<String> collection, Set<Condition> set) {
        if (collection.isEmpty()) {
            set.add(lDAPQueryConditionsBuilder.present("objectclass"));
        } else {
            Iterator<String> it = collection.iterator();
            while (it.hasNext()) {
                set.add(lDAPQueryConditionsBuilder.equal("objectclass", it.next()));
            }
        }
        return set;
    }

    private LDAPObject populateAttributedType(SearchResult searchResult, LDAPQuery lDAPQuery) {
        Set<String> returningReadOnlyLdapAttributes = lDAPQuery.getReturningReadOnlyLdapAttributes();
        TreeSet treeSet = new TreeSet();
        Iterator<String> it = lDAPQuery.getReturningLdapAttributes().iterator();
        while (it.hasNext()) {
            treeSet.add(it.next().toLowerCase());
        }
        try {
            String nameInNamespace = searchResult.getNameInNamespace();
            Attributes attributes = searchResult.getAttributes();
            LDAPObject lDAPObject = new LDAPObject();
            LDAPDn fromString = LDAPDn.fromString(nameInNamespace);
            lDAPObject.setDn(fromString);
            lDAPObject.setRdnAttributeNames(fromString.getFirstRdn().getAllKeys());
            NamingEnumeration all = attributes.getAll();
            while (all.hasMore()) {
                Attribute attribute = (Attribute) all.next();
                try {
                    attribute.get();
                    String id = attribute.getID();
                    Matcher matcher = rangePattern.matcher(id);
                    if (matcher.matches()) {
                        id = matcher.group(1);
                        if (!matcher.group(3).equals("*")) {
                            try {
                                lDAPObject.addRangedAttribute(id, Integer.parseInt(matcher.group(3)));
                            } catch (NumberFormatException e) {
                                logger.warnf("Invalid ranged expresion for attribute: %s", matcher.group(0));
                            }
                        }
                    }
                    if (id.equalsIgnoreCase(getConfig().getUuidLDAPAttributeName())) {
                        lDAPObject.setUuid(this.operationManager.decodeEntryUUID(attribute.get()));
                    }
                    if (!id.equalsIgnoreCase(getConfig().getUuidLDAPAttributeName()) || treeSet.contains(id.toLowerCase())) {
                        LinkedHashSet linkedHashSet = new LinkedHashSet();
                        NamingEnumeration all2 = attribute.getAll();
                        while (all2.hasMoreElements()) {
                            Object next = all2.next();
                            if (next instanceof byte[]) {
                                linkedHashSet.add(Base64.encodeBytes((byte[]) next));
                            } else {
                                linkedHashSet.add(next.toString().trim());
                            }
                        }
                        if (id.equalsIgnoreCase("objectclass")) {
                            lDAPObject.setObjectClasses(linkedHashSet);
                        } else {
                            lDAPObject.setAttribute(id, linkedHashSet);
                            if (returningReadOnlyLdapAttributes.contains(id.toLowerCase())) {
                                lDAPObject.addReadOnlyAttributeName(id);
                            }
                        }
                    }
                } catch (NoSuchElementException e2) {
                }
            }
            if (logger.isTraceEnabled()) {
                logger.tracef("Found ldap object and populated with the attributes. LDAP Object: %s", lDAPObject.toString());
            }
            return lDAPObject;
        } catch (Exception e3) {
            throw new ModelException("Could not populate attribute type " + searchResult.getNameInNamespace() + ".", e3);
        }
    }

    protected BasicAttributes extractAttributesForSaving(LDAPObject lDAPObject, boolean z) {
        BasicAttributes basicAttributes = new BasicAttributes();
        Set set = (Set) lDAPObject.getRdnAttributeNames().stream().map((v0) -> {
            return v0.toLowerCase();
        }).collect(Collectors.toSet());
        if (!z) {
            lDAPObject.addReadOnlyAttributeName("pwdChangedTime");
        }
        for (Map.Entry<String, Set<String>> entry : lDAPObject.getAttributes().entrySet()) {
            String key = entry.getKey();
            Set<String> value = entry.getValue();
            if (value == null) {
                logger.warnf("Attribute '%s' is null on LDAP object '%s' . Using empty value to be saved to LDAP", key, lDAPObject.getDn().toString());
                value = Collections.emptySet();
            }
            String lowerCase = key.toLowerCase();
            if (!z || !value.isEmpty()) {
                if (z || !lDAPObject.getReadOnlyAttributeNames().contains(lowerCase)) {
                    if (z || !set.contains(lowerCase)) {
                        if (getConfig().getBinaryAttributeNames().contains(key)) {
                            basicAttributes.put(createBinaryBasicAttribute(key, value));
                        } else {
                            basicAttributes.put(createBasicAttribute(key, value));
                        }
                    }
                }
            }
        }
        if (z) {
            BasicAttribute basicAttribute = new BasicAttribute("objectclass");
            Iterator<String> it = lDAPObject.getObjectClasses().iterator();
            while (it.hasNext()) {
                basicAttribute.add(it.next());
            }
            basicAttributes.put(basicAttribute);
        }
        return basicAttributes;
    }

    private BasicAttribute createBasicAttribute(String str, Set<String> set) {
        BasicAttribute basicAttribute = new BasicAttribute(str);
        for (String str2 : set) {
            if (str2 == null || str2.trim().length() == 0) {
                str2 = " ";
            }
            basicAttribute.add(str2);
        }
        return basicAttribute;
    }

    private BasicAttribute createBinaryBasicAttribute(String str, Set<String> set) {
        BasicAttribute basicAttribute = new BasicAttribute(str);
        Iterator<String> it = set.iterator();
        while (it.hasNext()) {
            String next = it.next();
            if (next == null || next.trim().length() == 0) {
                next = " ";
            }
            try {
                basicAttribute.add(Base64.decode(next));
            } catch (IOException e) {
                logger.warnf("Wasn't able to Base64 decode the attribute value. Ignoring attribute update. Attribute: %s, Attribute value: %s", str, set);
            }
        }
        return basicAttribute;
    }

    public String getPasswordModificationTimeAttributeName() {
        return getConfig().isActiveDirectory() ? "pwdLastSet" : "pwdChangedTime";
    }
}
