package org.apereo.cas.authentication;

import java.util.Collections;
import java.util.List;
import java.util.Optional;
import lombok.Generated;
import org.apereo.cas.authentication.credential.UsernamePasswordCredential;
import org.apereo.cas.configuration.model.support.ldap.AbstractLdapSearchProperties;
import org.apereo.cas.util.LdapUtils;
import org.apereo.cas.util.LoggingUtils;
import org.ldaptive.AttributeModification;
import org.ldaptive.ConnectionFactory;
import org.ldaptive.FilterTemplate;
import org.ldaptive.LdapAttribute;
import org.ldaptive.ModifyOperation;
import org.ldaptive.ModifyRequest;
import org.ldaptive.ModifyResponse;
import org.ldaptive.ResultCode;
import org.ldaptive.SearchResponse;
import org.ldaptive.ad.UnicodePwdAttribute;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.DisposableBean;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-ldap-core-6.5.5.jar:org/apereo/cas/authentication/LdapPasswordSynchronizationAuthenticationPostProcessor.class */
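/**
 * Authentication post-processor that copies the password presented at login into
 * the matching LDAP entry.
 *
 * <p>For a {@link UsernamePasswordCredential}, the processor searches the configured
 * base DN with the configured search filter, and when an entry is found it issues a
 * {@code REPLACE} modification of the password attribute on that entry's DN.
 *
 * <p>Security notes for operators and reviewers:
 * <ul>
 *   <li>The clear-text password from the credential is sent to the directory, so the
 *       connection described by the LDAP properties should be encrypted.
 *       NOTE(review): {@link UnicodePwdAttribute} targets Active Directory, which
 *       normally rejects password writes over an unprotected connection; confirm the
 *       configured URL uses LDAPS or StartTLS.</li>
 *   <li>The modify operation reuses the search connection factory, so the account
 *       that factory binds with needs write access to the password attribute and
 *       should be scoped to no more than that.</li>
 *   <li>Every failure is logged and swallowed; a failed synchronization never fails
 *       the authentication, so monitoring has to rely on the log output.</li>
 * </ul>
 */
public class LdapPasswordSynchronizationAuthenticationPostProcessor implements AuthenticationPostProcessor, DisposableBean {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(LdapPasswordSynchronizationAuthenticationPostProcessor.class);

    // Connection factory used for both the user search and the password modification.
    private final ConnectionFactory searchFactory;

    // Source of the search filter, base DN and page size used to locate the user.
    private final AbstractLdapSearchProperties ldapProperties;

    /**
     * Creates the processor and builds its connection factory from the given properties.
     *
     * @param abstractLdapSearchProperties LDAP connection and search settings
     */
    public LdapPasswordSynchronizationAuthenticationPostProcessor(AbstractLdapSearchProperties abstractLdapSearchProperties) {
        this.ldapProperties = abstractLdapSearchProperties;
        this.searchFactory = LdapUtils.newLdaptiveConnectionFactory(abstractLdapSearchProperties);
    }

    /**
     * Closes the connection factory when the bean is destroyed.
     */
    @Override // org.springframework.beans.factory.DisposableBean
    public void destroy() {
        this.searchFactory.close();
    }

    /**
     * Locates the LDAP entry of the primary credential's user and replaces its password.
     *
     * <p>Returns without action when the transaction has no primary credential. Any
     * exception raised while searching or modifying (including a primary credential
     * that is not a {@link UsernamePasswordCredential}) is logged and not rethrown.
     *
     * @param authenticationBuilder     the authentication being built; not read here
     * @param authenticationTransaction the transaction supplying the primary credential
     * @throws AuthenticationException declared by the interface; this implementation
     *                                 catches every exception raised inside the
     *                                 synchronization block
     */
    @Override // org.apereo.cas.authentication.AuthenticationPostProcessor
    public void process(AuthenticationBuilder authenticationBuilder, AuthenticationTransaction authenticationTransaction) throws AuthenticationException {
        final Optional<Credential> primaryCredential = authenticationTransaction.getPrimaryCredential();
        if (primaryCredential.isEmpty()) {
            LOGGER.warn("Current authentication transaction does not have a primary credential");
            return;
        }
        try {
            final UsernamePasswordCredential credential = UsernamePasswordCredential.class.cast(primaryCredential.get());
            // The username is passed as a filter parameter rather than concatenated into
            // the filter string. NOTE(review): escaping is presumably done by the
            // FilterTemplate when it is formatted; confirm against LdapUtils.
            final List<String> filterValues = Collections.singletonList(credential.getUsername());
            final FilterTemplate filter = LdapUtils.newLdaptiveSearchFilter(this.ldapProperties.getSearchFilter(), "user", filterValues);
            LOGGER.trace("Constructed LDAP filter [{}] to locate user and update password", filter);

            final SearchResponse searchResponse = LdapUtils.executeSearchOperation(
                this.searchFactory, this.ldapProperties.getBaseDn(), filter, this.ldapProperties.getPageSize());
            // NOTE(review): this logs the whole search response; depending on which
            // attributes the search returns, directory data may end up in debug logs.
            LOGGER.debug("LDAP response is [{}]", searchResponse);

            if (!LdapUtils.containsResultEntry(searchResponse)) {
                LOGGER.error("Could not locate an LDAP entry for [{}] and base DN [{}]", filter.format(), this.ldapProperties.getBaseDn());
                return;
            }

            final String dn = searchResponse.getEntry().getDn();
            LOGGER.trace("Updating account password for [{}]", dn);
            final AttributeModification passwordChange =
                new AttributeModification(AttributeModification.Type.REPLACE, getLdapPasswordAttribute(credential));
            final ModifyResponse modifyResponse = new ModifyOperation(this.searchFactory).execute(new ModifyRequest(dn, passwordChange));
            // Report the outcome of the modification itself; the search response was
            // logged here before, which hid the directory's reason for a rejected write.
            LOGGER.trace("Result code [{}], message: [{}]", modifyResponse.getResultCode(), modifyResponse.getDiagnosticMessage());

            if (modifyResponse.getResultCode() == ResultCode.SUCCESS) {
                LOGGER.info("Updated the LDAP entry's password for [{}] and base DN [{}]", filter.format(), this.ldapProperties.getBaseDn());
            } else {
                LOGGER.warn("Could not update the LDAP entry's password for [{}] and base DN [{}]", filter.format(), this.ldapProperties.getBaseDn());
            }
        } catch (Exception e) {
            // Deliberate best-effort: a synchronization failure must not break the login.
            LoggingUtils.error(LOGGER, e);
        }
    }

    /**
     * Reports whether this processor handles the given credential.
     *
     * @param credential the credential to check
     * @return {@code true} only for a {@link UsernamePasswordCredential}
     */
    @Override // org.apereo.cas.authentication.AuthenticationPostProcessor
    public boolean supports(Credential credential) {
        return credential instanceof UsernamePasswordCredential;
    }

    /**
     * Builds the LDAP attribute that carries the new password.
     *
     * <p>The default produces a {@link UnicodePwdAttribute} from the credential's
     * password; subclasses may override this for directories that use another
     * password attribute.
     *
     * @param usernamePasswordCredential the credential holding the password to write
     * @return the attribute used in the {@code REPLACE} modification
     */
    protected LdapAttribute getLdapPasswordAttribute(UsernamePasswordCredential usernamePasswordCredential) {
        return new UnicodePwdAttribute(usernamePasswordCredential.getPassword());
    }
}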
