package de.deepamehta.ldap;

import de.deepamehta.accesscontrol.AccessControlService;
import de.deepamehta.accesscontrol.AuthorizationMethod;
import de.deepamehta.core.Topic;
import de.deepamehta.core.osgi.PluginActivator;
import de.deepamehta.core.service.Inject;
import de.deepamehta.core.service.accesscontrol.Credentials;
import de.deepamehta.core.storage.spi.DeepaMehtaTransaction;
import java.io.IOException;
import java.util.Hashtable;
import java.util.logging.Logger;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

/* loaded from: input_file:de/deepamehta/ldap/LDAPPlugin.class */
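/**
 * DeepaMehta plugin that authenticates users against an LDAP directory.
 *
 * <p>When the {@link AccessControlService} arrives, the plugin registers itself as the
 * authorization method named {@code "LDAP"}. The directory connection is configured through the
 * {@code dm4.ldap.*} system properties read into the constants below; {@code dm4.ldap.protocol}
 * selects plain LDAP (default), {@code "LDAPS"} (TLS from the first byte) or {@code "StartTLS"}
 * (TLS negotiated on the plain port before the bind).
 *
 * <p>Authentication is a two-step flow: a service-account (or anonymous) search resolves the
 * login name to a DN, then a second connection binds with that DN and the supplied password. A
 * successful bind is mapped to the DeepaMehta username topic of the same name, which is created
 * on first login.
 */
public class LDAPPlugin extends PluginActivator implements AuthorizationMethod {
    private Logger logger = Logger.getLogger(getClass().getName());

    // Connection settings; all taken from system properties at class-load time.
    private static final String LDAP_SERVER = System.getProperty("dm4.ldap.server", "127.0.0.1");
    private static final String LDAP_PORT = System.getProperty("dm4.ldap.port");
    // Service account used for the DN lookup; both empty means an anonymous lookup bind.
    private static final String LDAP_MANAGER = System.getProperty("dm4.ldap.manager", "");
    private static final String LDAP_PASSWORD = System.getProperty("dm4.ldap.password", "");
    private static final String LDAP_USER_BASE = System.getProperty("dm4.ldap.user_base", "");
    private static final String LDAP_USER_ATTRIBUTE = System.getProperty("dm4.ldap.user_attribute", "");
    // Optional extra filter AND-ed with the user-attribute match (operator-controlled).
    private static final String LDAP_FILTER = System.getProperty("dm4.ldap.filter", "");
    private static final String LDAP_PROTOCOL = System.getProperty("dm4.ldap.protocol", "");

    /** Name under which this plugin is registered with the access control service. */
    private static final String AUTHORIZATION_METHOD = "LDAP";

    /** JNDI environment key for attributes that must be returned as byte[]; no Context constant exists. */
    private static final String JNDI_BINARY_ATTRIBUTES = "java.naming.ldap.attributes.binary";

    @Inject
    private AccessControlService acs;

    /**
     * Registers this plugin as the {@code "LDAP"} authorization method.
     *
     * @param obj the arriving service; expected to be the {@link AccessControlService}
     */
    public void serviceArrived(Object obj) {
        ((AccessControlService) obj).registerAuthorizationMethod(AUTHORIZATION_METHOD, this);
    }

    /**
     * Unregisters the {@code "LDAP"} authorization method.
     *
     * @param obj the departing service; expected to be the {@link AccessControlService}
     */
    public void serviceGone(Object obj) {
        ((AccessControlService) obj).unregisterAuthorizationMethod(AUTHORIZATION_METHOD);
    }

    /**
     * Authenticates the given credentials against the directory.
     *
     * @param credentials login name and plaintext password as entered by the user
     * @return the matching username topic (created on first successful login), or {@code null}
     *         when the directory rejects the credentials
     * @throws RuntimeException when the directory cannot be reached or is misconfigured
     */
    public Topic checkCredentials(Credentials credentials) {
        if (!checkLdapCredentials(credentials.username, credentials.plaintextPassword)) {
            return null;
        }
        this.logger.info("LDAP login: OK");
        Topic usernameTopic = this.acs.getUsernameTopic(credentials.username);
        return usernameTopic != null ? usernameTopic : createUsername(credentials.username);
    }

    /**
     * Creates the DeepaMehta username topic for a user who authenticated for the first time.
     *
     * @param username the login name that the directory accepted
     * @return the new username topic
     * @throws RuntimeException when topic creation fails; the transaction is rolled back
     */
    private Topic createUsername(String username) {
        DeepaMehtaTransaction tx = this.dm4.beginTx();
        try {
            Topic usernameTopic = this.acs.createUsername(username);
            tx.success();
            return usernameTopic;
        } catch (Exception e) {
            this.logger.warning("ROLLBACK! (" + this + ")");
            throw new RuntimeException("Creating username failed", e);
        } finally {
            // finish() commits only when success() was called, otherwise it rolls back.
            tx.finish();
        }
    }

    /**
     * Resolves the login name to a DN via the service account, then verifies the password with
     * a bind as that DN.
     *
     * @param username login name entered by the user
     * @param password plaintext password entered by the user
     * @return {@code true} only when the directory accepts a bind as the resolved user DN
     * @throws RuntimeException on connection problems, misconfiguration, or when the lookup
     *         matches more than one entry
     */
    private boolean checkLdapCredentials(String username, String password) {
        // An LDAP simple bind with an empty password is an *unauthenticated* bind (RFC 4513,
        // 5.1.2): many servers accept it as anonymous, which would let anyone log in as any
        // existing user. Reject before touching the directory.
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            this.logger.info("LDAP login: rejected, empty username or password");
            return false;
        }
        try {
            String url = providerUrl();
            String userDn;
            LdapContext lookupCtx = connect(url, LDAP_MANAGER, LDAP_PASSWORD);
            try {
                userDn = lookupUserCn(lookupCtx, LDAP_USER_BASE, username);
            } finally {
                closeQuietly(lookupCtx);
            }
            if (userDn == null) {
                return false;
            }
            // The bind itself is the password check; a successful context is not used further.
            LdapContext userCtx;
            try {
                userCtx = connect(url, userDn, password);
            } catch (AuthenticationException e) {
                // Invalid credentials are a normal outcome, not an error of this plugin.
                this.logger.info("LDAP login: rejected by directory for " + userDn);
                return false;
            }
            closeQuietly(userCtx);
            return true;
        } catch (Exception e) {
            throw new RuntimeException("Checking LDAP credentials failed", e);
        }
    }

    /**
     * Builds the JNDI provider URL from the server, port and protocol settings.
     *
     * @return {@code ldap://host:port} or {@code ldaps://host:port}; the port defaults to 636 for
     *         LDAPS and 389 otherwise when {@code dm4.ldap.port} is unset
     */
    private static String providerUrl() {
        boolean ldaps = LDAP_PROTOCOL.equals("LDAPS");
        String port = LDAP_PORT != null ? LDAP_PORT : (ldaps ? "636" : "389");
        return (ldaps ? "ldaps://" : "ldap://") + LDAP_SERVER + ":" + port;
    }

    /**
     * Opens an LDAP connection bound with a simple bind as {@code principal}.
     *
     * <p>With {@code dm4.ldap.protocol=StartTLS} the context is first created without credentials,
     * TLS is negotiated, and only then are the credentials added and the bind performed via
     * {@link LdapContext#reconnect}; JNDI would otherwise send the simple bind in cleartext when
     * the context is created, before StartTLS is in place.
     *
     * @param url       provider URL as built by {@link #providerUrl()}
     * @param principal bind DN; an empty principal together with an empty password binds anonymously
     * @param password  bind password
     * @return an open context; the caller is responsible for closing it
     * @throws AuthenticationException when the directory rejects the bind
     * @throws NamingException         on other directory errors, or when a non-empty principal is
     *                                 given an empty password (that would be an unauthenticated bind)
     * @throws RuntimeException        when the StartTLS negotiation fails
     */
    private LdapContext connect(String url, String principal, String password) throws NamingException {
        if (principal != null && !principal.isEmpty() && (password == null || password.isEmpty())) {
            throw new NamingException("Refusing simple bind with an empty password for " + principal);
        }
        boolean startTls = LDAP_PROTOCOL.equals("StartTLS");
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(JNDI_BINARY_ATTRIBUTES, "objectSID");
        if (!startTls) {
            putSimpleAuth(env, principal, password);
        }
        InitialLdapContext ctx = new InitialLdapContext(env, new Control[0]);
        try {
            if (startTls) {
                negotiateStartTls(ctx);
                ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
                ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, principal);
                ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
                // Performs the bind over the now-encrypted connection.
                ctx.reconnect(null);
            }
            return ctx;
        } catch (NamingException | RuntimeException e) {
            // Do not leak the socket when negotiation or the bind fails.
            closeQuietly(ctx);
            throw e;
        }
    }

    /** Adds the simple-bind properties to a JNDI environment. */
    private static void putSimpleAuth(Hashtable<String, Object> env, String principal, String password) {
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
    }

    /**
     * Upgrades the given plain connection to TLS using the StartTLS extended operation.
     *
     * @throws NamingException  when the server rejects the extended operation
     * @throws RuntimeException when the TLS handshake itself fails (cause preserved)
     */
    private static void negotiateStartTls(LdapContext ctx) throws NamingException {
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        try {
            // Default negotiate() verifies the server certificate and host name.
            tls.negotiate();
        } catch (IOException e) {
            throw new RuntimeException("Could not establish TLS connection: " + e, e);
        }
    }

    /** Closes a context, logging rather than propagating a failure during close. */
    private void closeQuietly(LdapContext ctx) {
        if (ctx == null) {
            return;
        }
        try {
            ctx.close();
        } catch (NamingException e) {
            this.logger.fine("Closing LDAP context failed: " + e);
        }
    }

    /**
     * Looks up the DN of the directory entry whose {@code dm4.ldap.user_attribute} equals the
     * login name. Despite the method name, the full DN is returned, not a CN.
     *
     * <p>The login name is passed as a JNDI filter argument ({@code {0}}) rather than concatenated
     * into the filter string, so filter metacharacters in user input are escaped by the provider
     * and cannot alter the query. {@code dm4.ldap.filter} and {@code dm4.ldap.user_attribute} are
     * operator configuration and are inserted verbatim.
     *
     * @param ldapContext open context to search with
     * @param base        search base (subtree scope)
     * @param username    login name entered by the user
     * @return the DN of the single matching entry, or {@code null} when nothing matches
     * @throws NamingException       on directory errors
     * @throws RuntimeException      when more than one entry matches
     * @throws IllegalStateException when {@code dm4.ldap.user_attribute} is not configured
     */
    private static String lookupUserCn(LdapContext ldapContext, String base, String username) throws NamingException {
        if (LDAP_USER_ATTRIBUTE.isEmpty()) {
            throw new IllegalStateException("dm4.ldap.user_attribute is not configured");
        }
        String userMatch = "(" + LDAP_USER_ATTRIBUTE + "={0})";
        String filter = LDAP_FILTER.isEmpty() ? userMatch : "(&(" + LDAP_FILTER + ")" + userMatch + ")";
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        // Only the entry name is needed; an empty array asks the server for no attributes.
        controls.setReturningAttributes(new String[0]);
        NamingEnumeration<SearchResult> results = ldapContext.search(base, filter, new Object[] {username}, controls);
        try {
            if (!results.hasMore()) {
                return null;
            }
            SearchResult match = results.next();
            if (results.hasMore()) {
                throw new RuntimeException("Ambiguity in LDAP CN query: Matched multiple users for the accountName");
            }
            return match.getNameInNamespace();
        } finally {
            results.close();
        }
    }
}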
