package org.apache.cxf.sts.claims;

import java.net.URI;
import java.net.URISyntaxException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.StringTokenizer;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import javax.naming.Name;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.x500.X500Principal;
import org.apache.batik.util.XMLConstants;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.rt.security.claims.Claim;
import org.apache.cxf.rt.security.claims.ClaimCollection;
import org.apache.cxf.sts.token.realm.RealmSupport;
import org.springframework.ldap.core.LdapTemplate;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.2.1.redhat-107.zip:modules/system/layers/fuse/org/apache/cxf/3.0/cxf-services-sts-core-3.0.4.redhat-621107.jar:org/apache/cxf/sts/claims/LdapGroupClaimsHandler.class */
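/**
 * Claims handler that answers the role claim ({@link #getGroupURI()}) from LDAP group membership
 * of the authenticated principal.
 *
 * <p>Processing in {@link #retrieveClaimValues}: the principal name (not anything from the
 * requested claims) is resolved to a user DN unless it already is a DN, the groups whose
 * {@code groupMemberAttribute} references that DN are read, and their {@code cn} values are
 * filtered through a global and, when the AppliesTo address maps to a scope, a scoped
 * group-name filter. Both filters are templates: {@code %ROLE%} stands for the role part of the
 * group name, {@code %SCOPE%} for the scope, and the remainder of the template is compiled as a
 * regular expression, so regex metacharacters in a template are significant. Unless
 * {@link #isUseFullGroupNameAsValue()} is set, the claim value is the {@code %ROLE%} part only.
 *
 * <p>Escaping of the LDAP filter values passed to {@code LdapUtils} is not visible here; it is
 * presumably done by that helper and should be confirmed there. The setters perform no
 * synchronization: configure the handler completely before it is used.
 */
public class LdapGroupClaimsHandler implements ClaimsHandler, RealmSupport {
    private static final Logger LOG = LogUtils.getL7dLogger(LdapGroupClaimsHandler.class);
    /** Placeholder for the scope in {@link #getGroupNameScopedFilter()}. */
    private static final String SCOPE = "%SCOPE%";
    /** Placeholder for the role part in both group-name filters. */
    private static final String ROLE = "%ROLE%";
    private LdapTemplate ldap;
    private String userBaseDn;
    private String groupBaseDn;
    private String userObjectClass = "person";
    private String groupObjectClass = "groupOfNames";
    private String userNameAttribute = "cn";
    private String groupMemberAttribute = "member";
    private String groupURI = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";
    // Default global filter: the whole group name is the role.
    private String groupNameGlobalFilter = ROLE;
    private String groupNameScopedFilter = "%SCOPE%_%ROLE%";
    // AppliesTo address -> scope; only consulted when non-empty and the request carries an address.
    private Map<String, String> appliesToScopeMapping;
    private boolean useFullGroupNameAsValue;
    private List<String> supportedRealms;
    private String realm;

    /** Sets the realms this handler supports (see {@link #getSupportedRealms()}). */
    public void setSupportedRealms(List<String> list) {
        this.supportedRealms = list;
    }

    /** Sets the realm reported by {@link #getHandlerRealm()}. */
    public void setRealm(String str) {
        this.realm = str;
    }

    /** Whether claim values are full group names instead of the {@code %ROLE%} part. */
    public boolean isUseFullGroupNameAsValue() {
        return this.useFullGroupNameAsValue;
    }

    /** See {@link #isUseFullGroupNameAsValue()}. */
    public void setUseFullGroupNameAsValue(boolean z) {
        this.useFullGroupNameAsValue = z;
    }

    /** Object class used when looking up the user entry (default {@code person}). */
    public String getUserObjectClass() {
        return this.userObjectClass;
    }

    /** See {@link #getUserObjectClass()}. */
    public void setUserObjectClass(String str) {
        this.userObjectClass = str;
    }

    /** Object class used when looking up group entries (default {@code groupOfNames}). */
    public String getGroupObjectClass() {
        return this.groupObjectClass;
    }

    /** See {@link #getGroupObjectClass()}. */
    public void setGroupObjectClass(String str) {
        this.groupObjectClass = str;
    }

    /** Attribute matched against the principal name when resolving the user DN (default {@code cn}). */
    public String getUserNameAttribute() {
        return this.userNameAttribute;
    }

    /** See {@link #getUserNameAttribute()}. */
    public void setUserNameAttribute(String str) {
        this.userNameAttribute = str;
    }

    /** Sets the Spring LDAP template used for all directory lookups. */
    public void setLdapTemplate(LdapTemplate ldapTemplate) {
        this.ldap = ldapTemplate;
    }

    /** Returns the Spring LDAP template used for all directory lookups. */
    public LdapTemplate getLdapTemplate() {
        return this.ldap;
    }

    /** Sets the base DN under which user entries are searched. */
    public void setUserBaseDN(String str) {
        this.userBaseDn = str;
    }

    /** Returns the base DN under which user entries are searched. */
    public String getUserBaseDN() {
        return this.userBaseDn;
    }

    /** Group attribute holding member DNs (default {@code member}). */
    public String getGroupMemberAttribute() {
        return this.groupMemberAttribute;
    }

    /** See {@link #getGroupMemberAttribute()}. */
    public void setGroupMemberAttribute(String str) {
        this.groupMemberAttribute = str;
    }

    /** Claim type URI this handler answers. */
    public String getGroupURI() {
        return this.groupURI;
    }

    /** See {@link #getGroupURI()}. */
    public void setGroupURI(String str) {
        this.groupURI = str;
    }

    /** Sets the AppliesTo address to scope mapping used to select the scoped filter. */
    public void setAppliesToScopeMapping(Map<String, String> map) {
        this.appliesToScopeMapping = map;
    }

    /** Returns the AppliesTo address to scope mapping; may be {@code null}. */
    public Map<String, String> getAppliesToScopeMapping() {
        return this.appliesToScopeMapping;
    }

    /** Returns the base DN under which group entries are searched. */
    public String getGroupBaseDN() {
        return this.groupBaseDn;
    }

    /** Sets the base DN under which group entries are searched. */
    public void setGroupBaseDN(String str) {
        this.groupBaseDn = str;
    }

    /** Template applied to every group when no scoped filter matches (default {@code %ROLE%}). */
    public String getGroupNameGlobalFilter() {
        return this.groupNameGlobalFilter;
    }

    /** See {@link #getGroupNameGlobalFilter()}. */
    public void setGroupNameGlobalFilter(String str) {
        this.groupNameGlobalFilter = str;
    }

    /** Template applied first when a scope is resolved (default {@code %SCOPE%_%ROLE%}). */
    public String getGroupNameScopedFilter() {
        return this.groupNameScopedFilter;
    }

    /** See {@link #getGroupNameScopedFilter()}. */
    public void setGroupNameScopedFilter(String str) {
        this.groupNameScopedFilter = str;
    }

    /**
     * Returns the single claim type this handler supports, or an empty list when the configured
     * {@code groupURI} is not a valid URI (logged at WARNING, not thrown).
     */
    @Override
    public List<URI> getSupportedClaimTypes() {
        List<URI> types = new ArrayList<>();
        try {
            types.add(new URI(this.groupURI));
        } catch (URISyntaxException e) {
            // A bad groupURI disables the handler rather than failing STS startup.
            LOG.warning("Invalid groupURI '" + this.groupURI + "'");
        }
        return types;
    }

    /**
     * Resolves the role claim for the principal in {@code claimsParameters}.
     *
     * @param claimCollection requested claims; only the {@code groupURI} claim type is answered
     * @param claimsParameters carries the authenticated principal and the AppliesTo address
     * @return a collection holding one claim with the filtered group names, or an empty
     *         collection when the role claim was not requested, the principal has no usable
     *         name, the user DN cannot be resolved, or no group matches a filter
     */
    @Override
    public ProcessedClaimCollection retrieveClaimValues(ClaimCollection claimCollection, ClaimsParameters claimsParameters) {
        if (!isGroupClaimRequested(claimCollection)) {
            return new ProcessedClaimCollection();
        }

        Principal principal = claimsParameters.getPrincipal();
        String user = resolvePrincipalName(principal);
        if (user == null) {
            return new ProcessedClaimCollection();
        }

        String userDn = user;
        if (!LdapUtils.isDN(user)) {
            Name dn = LdapUtils.getDnOfEntry(this.ldap, this.userBaseDn, getUserObjectClass(), getUserNameAttribute(), user);
            if (dn == null) {
                LOG.warning("DN not found for user '" + user + "'");
                return new ProcessedClaimCollection();
            }
            userDn = dn.toString();
            // Keep the looked-up name and the resolved DN apart in the log.
            LOG.fine("DN for (" + getUserNameAttribute() + "=" + user + ") found: " + userDn);
        }
        if (LOG.isLoggable(Level.FINER)) {
            LOG.finer("Retrieve groups for user " + userDn);
        }

        List<String> groups = LdapUtils.getAttributeOfEntries(this.ldap, this.groupBaseDn, getGroupObjectClass(), this.groupMemberAttribute, userDn, "cn");
        if (groups == null || groups.isEmpty()) {
            if (LOG.isLoggable(Level.INFO)) {
                LOG.info("No groups found for user '" + userDn + "'");
            }
            return new ProcessedClaimCollection();
        }
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine("Groups for user '" + principal.getName() + "': " + groups);
        }

        String scope = resolveScope(claimsParameters.getAppliesToAddress());
        List<String> roles = filterGroups(groups, scope);
        LOG.info("Filtered groups: " + roles);
        if (roles.isEmpty()) {
            LOG.info("No matching groups found for user '" + principal + "'");
            return new ProcessedClaimCollection();
        }

        ProcessedClaim claim = new ProcessedClaim();
        claim.setClaimType(URI.create(this.groupURI));
        claim.setPrincipal(principal);
        claim.setValues(new ArrayList<>(roles));
        ProcessedClaimCollection result = new ProcessedClaimCollection();
        result.add(claim);
        return result;
    }

    /** Realms this handler supports, as configured via {@link #setSupportedRealms(List)}. */
    @Override
    public List<String> getSupportedRealms() {
        return this.supportedRealms;
    }

    /** Realm of this handler, as configured via {@link #setRealm(String)}. */
    @Override
    public String getHandlerRealm() {
        return this.realm;
    }

    /** True when one of the requested claims has exactly the configured group URI as its type. */
    private boolean isGroupClaimRequested(ClaimCollection claims) {
        for (Claim claim : claims) {
            if (claim.getClaimType().toString().equals(this.groupURI)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Derives the LDAP lookup name from the authenticated principal; null (after a WARNING) when
     * the principal is null, is an X500 principal, or has no name.
     */
    private String resolvePrincipalName(Principal principal) {
        if (principal instanceof KerberosPrincipal) {
            // Kerberos names have the form user@REALM; only the user part is looked up.
            StringTokenizer st = new StringTokenizer(principal.getName(), "@");
            if (!st.hasMoreTokens()) {
                LOG.warning("Kerberos principal has no user part: '" + principal.getName() + "'");
                return null;
            }
            return st.nextToken();
        }
        if (principal instanceof X500Principal) {
            LOG.warning("Unsupported principal type X500: " + ((X500Principal) principal).getName());
            return null;
        }
        if (principal == null) {
            LOG.warning("Principal is null");
            return null;
        }
        String user = principal.getName();
        if (user == null) {
            LOG.warning("Principal name must not be null");
        }
        return user;
    }

    /** Looks the AppliesTo address up in the scope mapping; null when no mapping is configured or found. */
    private String resolveScope(String appliesTo) {
        Map<String, String> mapping = getAppliesToScopeMapping();
        if (mapping == null || mapping.isEmpty() || appliesTo == null) {
            return null;
        }
        String scope = mapping.get(appliesTo);
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine("AppliesTo matchs with scope: " + scope);
        }
        return scope;
    }

    /**
     * Applies the scoped filter (when {@code scope} is non-null) and then the global filter to
     * each group name, returning the claim values in group order.
     */
    private List<String> filterGroups(List<String> groups, String scope) {
        // Literal replace: the template is compiled as a regex afterwards, but the placeholder
        // substitution itself must not interpret '$' or '\' in the configured scope.
        Pattern globalPattern = Pattern.compile(this.groupNameGlobalFilter.replace(ROLE, ".*"));
        String scopedFilter = null;
        Pattern scopedPattern = null;
        if (scope != null) {
            scopedFilter = this.groupNameScopedFilter.replace(SCOPE, scope);
            scopedPattern = Pattern.compile(scopedFilter.replace(ROLE, ".*"));
        }
        boolean fullName = isUseFullGroupNameAsValue();
        List<String> roles = new ArrayList<>();
        for (String group : groups) {
            if (scopedPattern != null && scopedPattern.matcher(group).matches()) {
                roles.add(fullName ? group : parseRole(group, scopedFilter));
            } else if (globalPattern.matcher(group).matches()) {
                roles.add(fullName ? group : parseRole(group, this.groupNameGlobalFilter));
            } else {
                LOG.finer("Group '" + group + "' doesn't match scoped and global group filter");
            }
        }
        return roles;
    }

    /**
     * Extracts the {@code %ROLE%} part of {@code group} by stripping the literal lengths of the
     * text before and after the placeholder in {@code filter}. Falls back to the whole group name
     * when the filter has no placeholder or is longer than the group (instead of throwing).
     */
    private String parseRole(String group, String filter) {
        int roleStart = filter.indexOf(ROLE);
        if (roleStart < 0) {
            return group;
        }
        int suffixLength = filter.length() - ROLE.length() - roleStart;
        int roleEnd = group.length() - suffixLength;
        if (roleEnd < roleStart) {
            // Prefix/suffix contain regex constructs whose literal length exceeds the match.
            LOG.finer("Group '" + group + "' is shorter than filter '" + filter + "'; using full name");
            return group;
        }
        return group.substring(roleStart, roleEnd);
    }
}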
