package org.apereo.cas.authentication.surrogate;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import lombok.Generated;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.configuration.model.support.surrogate.SurrogateLdapAuthenticationProperties;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.LdapConnectionFactory;
import org.apereo.cas.util.LdapUtils;
import org.apereo.cas.util.LoggingUtils;
import org.apereo.cas.util.RegexUtils;
import org.ldaptive.ConnectionFactory;
import org.ldaptive.FilterTemplate;
import org.ldaptive.LdapAttribute;
import org.ldaptive.LdapEntry;
import org.ldaptive.SearchResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.DisposableBean;

/* loaded from: input_file:org/apereo/cas/authentication/surrogate/SurrogateLdapAuthenticationService.class */
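/**
 * Surrogate (impersonation) authentication service that answers its two questions from LDAP:
 * whether a given principal may impersonate a given surrogate account, and which accounts a
 * user is eligible to impersonate.
 *
 * <p>Both lookups fail closed: any exception raised while building the filter, searching or
 * reading the result is logged and turned into "not allowed" / "no accounts".
 *
 * <p>Operational note: the DEBUG statements in this class log the search filter (which contains
 * the user and surrogate identifiers) and the full LDAP response. Treat DEBUG output of this
 * logger as containing directory data.
 */
public class SurrogateLdapAuthenticationService extends BaseSurrogateAuthenticationService implements DisposableBean {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(SurrogateLdapAuthenticationService.class);

    // Wrapper around the ldaptive connection factory; closed in destroy().
    private final LdapConnectionFactory connectionFactory;

    // Source of the base DN, search filters, page size, member attribute name and value regex.
    private final SurrogateLdapAuthenticationProperties ldapProperties;

    /**
     * Creates the service.
     *
     * @param connectionFactory ldaptive connection factory, wrapped in an {@link LdapConnectionFactory}
     * @param surrogateLdapAuthenticationProperties LDAP settings used by both lookups
     * @param servicesManager passed through to the base class
     */
    public SurrogateLdapAuthenticationService(ConnectionFactory connectionFactory, SurrogateLdapAuthenticationProperties surrogateLdapAuthenticationProperties, ServicesManager servicesManager) {
        super(servicesManager);
        this.connectionFactory = new LdapConnectionFactory(connectionFactory);
        this.ldapProperties = surrogateLdapAuthenticationProperties;
    }

    /**
     * Decides whether {@code principal} may impersonate the account {@code str}.
     *
     * <p>The configured surrogate search filter is populated with two named parameters,
     * {@code user} (the principal id) and {@code surrogate} ({@code str}). Impersonation is
     * allowed exactly when the search returns a result entry, so this check is only as strict
     * as the configured filter: a filter that does not constrain both parameters will match
     * more broadly than intended.
     *
     * @param str the surrogate account the principal wants to act as
     * @param principal the authenticated principal requesting impersonation
     * @param optional the requested service; not consulted by this implementation
     * @return {@code true} if the search yields a result entry; {@code false} otherwise,
     *     including when any exception occurs (fail closed)
     */
    public boolean canImpersonateInternal(String str, Principal principal, Optional<Service> optional) {
        try {
            String principalId = principal.getId();
            // Values are handed over as filter parameters instead of being concatenated into the
            // filter text. NOTE(review): escaping of LDAP special characters is left to
            // LdapUtils / FilterTemplate and is not visible here; confirm.
            FilterTemplate filter = LdapUtils.newLdaptiveSearchFilter(
                this.ldapProperties.getSurrogateSearchFilter(),
                CollectionUtils.wrapList(new String[]{"user", "surrogate"}),
                CollectionUtils.wrapList(new String[]{principalId, str}));
            LOGGER.debug("Using search filter to locate surrogate accounts for [{}]: [{}]", principalId, filter);
            SearchResponse response = this.connectionFactory.executeSearchOperation(
                this.ldapProperties.getBaseDn(), filter, this.ldapProperties.getPageSize());
            LOGGER.debug("LDAP response: [{}]", response);
            return LdapUtils.containsResultEntry(response);
        } catch (Exception e) {
            // Deny on any failure (null principal, directory outage, malformed filter, ...).
            LoggingUtils.error(LOGGER, e);
            return false;
        }
    }

    /**
     * Lists the accounts that may be impersonated, as read from the member attribute of the
     * LDAP entry found for {@code str}.
     *
     * <p>Each attribute value must match the configured regex in full. When the regex has a
     * capturing group, group 1 is reported; otherwise the whole value is reported. Values that
     * do not match are dropped. The result is sorted in natural string order.
     *
     * @param str the value bound to the configured search filter (presumably the authenticated
     *     username; confirm against the caller)
     * @return the eligible account names; an empty, mutable list when nothing is found, the
     *     attribute is missing or empty, or any exception occurs (fail closed)
     */
    public Collection<String> getImpersonationAccounts(String str) {
        try {
            FilterTemplate filter = LdapUtils.newLdaptiveSearchFilter(
                this.ldapProperties.getSearchFilter(), CollectionUtils.wrap(str));
            LOGGER.debug("Using search filter to find eligible accounts: [{}]", filter);
            SearchResponse response = this.connectionFactory.executeSearchOperation(
                this.ldapProperties.getBaseDn(), filter, this.ldapProperties.getPageSize());
            LOGGER.debug("LDAP response: [{}]", response);
            if (!LdapUtils.containsResultEntry(response)) {
                LOGGER.warn("LDAP response is not found or does not contain a result entry for [{}]", str);
                return new ArrayList<>(0);
            }

            // Only the entry returned by getEntry() is inspected, even if the search matched more.
            LdapEntry entry = response.getEntry();
            LdapAttribute attribute = entry.getAttribute(this.ldapProperties.getMemberAttributeName());
            LOGGER.debug("Locating LDAP entry [{}] with attribute [{}]", entry, attribute);
            if (attribute == null || attribute.getStringValues().isEmpty()) {
                LOGGER.warn("Attribute [{}] not found or has no values", this.ldapProperties.getMemberAttributeName());
                return new ArrayList<>(0);
            }

            Pattern createPattern = RegexUtils.createPattern(this.ldapProperties.getMemberAttributeValueRegex());
            LOGGER.debug("Constructed attribute value regex pattern [{}]", createPattern.pattern());
            // The decompiled listing referenced an undefined variable (r1) here; the matcher has
            // to come from the pattern constructed above.
            List<String> accounts = attribute.getStringValues().stream()
                .map(createPattern::matcher)
                // matches() requires the whole value to match, so partial hits are rejected.
                .filter(matcher -> matcher.matches())
                .map(matcher -> matcher.groupCount() > 0 ? matcher.group(1) : matcher.group())
                .sorted()
                .collect(Collectors.toList());
            LOGGER.debug("Following accounts may be eligible for surrogate authentication: [{}]", accounts);
            return accounts;
        } catch (Exception e) {
            // No account is offered for impersonation when the lookup fails.
            LoggingUtils.error(LOGGER, e);
            LOGGER.debug("No accounts may be eligible for surrogate authentication");
            return new ArrayList<>(0);
        }
    }

    /**
     * Closes the wrapped LDAP connection factory when the bean is destroyed.
     */
    public void destroy() {
        this.connectionFactory.close();
    }
}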
