package org.apache.solr.handler.component;

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.collect.LinkedHashMultimap;
import com.google.common.collect.Multimap;
import java.io.IOException;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.HostnameVerifier;
import org.apache.solr.common.SolrException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/solr/handler/component/LdapUserAttributeSource.class */
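/**
 * {@link UserAttributeSource} that reads a user's attributes from an LDAP directory over JNDI and,
 * when nested queries are enabled, follows the configured recursive attribute to collect parent
 * groups.
 *
 * <p>Security-relevant behaviour a reviewer should know about:
 * <ul>
 *   <li>The user name is escaped (RFC 4515) before it is substituted into the configured user
 *       filter, so it is always matched as a literal value.</li>
 *   <li>With StartTLS, bind credentials are only added to the connection after the TLS layer has
 *       been negotiated.</li>
 *   <li>Host name verification can be switched off by configuration; a warning is logged when it
 *       is, because the server's identity is then not checked.</li>
 * </ul>
 */
public class LdapUserAttributeSource implements UserAttributeSource {
    private static final Logger LOG = LoggerFactory.getLogger(LdapUserAttributeSource.class);
    private static final Object SCACHE_SYNC = new Object();

    /** Accepts any host name; only installed when host name verification is disabled by configuration. */
    private static final HostnameVerifier PERMISSIVE_HOSTNAME_VERIFIER = (hostname, session) -> true;

    /** JNDI environment keys that trigger an LDAP bind when present at context creation. */
    private static final String[] SECURITY_ENV_KEYS = {
        "java.naming.security.authentication",
        "java.naming.security.principal",
        "java.naming.security.credentials"
    };

    private static final String LDAPS_SCHEME = "ldaps://";

    // Process-wide cache of group -> parent groups, shared by every instance of this class.
    private static volatile Cache<String, Set<String>> scache;

    private Hashtable<String, Object> env;
    private LdapUserAttributeSourceParams params;
    private SearchControls searchControls;
    private Cache<String, Set<String>> cache;

    /**
     * Returns the shared parent-group cache, creating it on first use.
     *
     * <p>The cache is created once; the TTL and size passed by the first caller win and the
     * arguments of later calls are ignored.
     *
     * @param ttlSeconds expire-after-write time in seconds, used only when the cache is created
     * @param maxSize maximum number of entries, used only when the cache is created
     * @return the shared cache
     */
    public static Cache<String, Set<String>> getCache(long ttlSeconds, long maxSize) {
        Cache<String, Set<String>> existing = scache;
        if (existing != null) {
            return existing;
        }
        synchronized (SCACHE_SYNC) {
            if (scache == null) {
                LOG.info("Creating access group cache, ttl={} maxSize={}", ttlSeconds, maxSize);
                scache = CacheBuilder.newBuilder()
                        .expireAfterWrite(ttlSeconds, TimeUnit.SECONDS)
                        .maximumSize(maxSize)
                        .build();
            }
            return scache;
        }
    }

    /**
     * Configures this source from the given parameters.
     *
     * @param sourceParams must be an {@link LdapUserAttributeSourceParams}
     * @param attributes names of the LDAP attributes to return for a user
     * @throws SolrException if the parameters have the wrong type, or StartTLS is combined with an
     *     {@code ldaps://} URL
     */
    @Override
    public void init(UserAttributeSourceParams sourceParams, Collection<String> attributes) {
        // NOTE(review): this logs the params object; confirm its toString() does not include the
        // bind password.
        LOG.debug("Creating LDAP user attribute source, params={}, attributes={}", sourceParams, attributes);
        if (!(sourceParams instanceof LdapUserAttributeSourceParams)) {
            // A null params object is reported as a misconfiguration instead of a bare NPE.
            String actualType = sourceParams == null ? "null" : sourceParams.getClass().getName();
            throw new SolrException(SolrException.ErrorCode.INVALID_STATE, "LdapUserAttributeSource has been misconfigured with the wrong parameters {" + actualType + "}");
        }
        this.params = (LdapUserAttributeSourceParams) sourceParams;
        this.env = toEnv(this.params);
        this.searchControls = new SearchControls();
        this.searchControls.setReturningAttributes(attributes.toArray(new String[0]));
        this.searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);

        String serverUrl = this.params.getServerUrl();
        boolean startTls = this.params.isStartTlsEnabled();
        boolean ldaps = usesLdaps(serverUrl);
        if (startTls && ldaps) {
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Start TLS should not be used with ldaps://");
        }
        if (startTls && this.params.isHostNameVerificationDisabled()) {
            LOG.warn("Host name verification is disabled for StartTLS to {}; the LDAP server's identity is not checked", serverUrl);
        }
        if (!startTls && !ldaps && "simple".equals(this.params.getAuthType())) {
            LOG.warn("Simple bind to {} is not protected by TLS; bind credentials are sent in clear text", serverUrl);
        }
        this.cache = getCache(this.params.getGroupCacheTtl(), this.params.getGroupCacheMaxSize());
    }

    /** Returns true when the URL uses the {@code ldaps://} scheme (case-insensitive). */
    private static boolean usesLdaps(String serverUrl) {
        return serverUrl != null && serverUrl.regionMatches(true, 0, LDAPS_SCHEME, 0, LDAPS_SCHEME.length());
    }

    /**
     * Builds the JNDI environment for the configured server; principal and credentials are only
     * set for {@code simple} authentication.
     */
    private Hashtable<String, Object> toEnv(LdapUserAttributeSourceParams ldapParams) {
        Hashtable<String, Object> jndiEnv = new Hashtable<>();
        jndiEnv.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        jndiEnv.put("java.naming.provider.url", ldapParams.getServerUrl());
        String authType = ldapParams.getAuthType();
        jndiEnv.put("java.naming.security.authentication", authType);
        if ("simple".equals(authType)) {
            jndiEnv.put("java.naming.security.principal", ldapParams.getUsername());
            jndiEnv.put("java.naming.security.credentials", ldapParams.getPassword());
        }
        return jndiEnv;
    }

    /**
     * Looks up the configured attributes for one user.
     *
     * @param userName the user to look up; substituted into the user filter as a literal value
     * @return attribute id to values, including parent groups when nested queries are enabled
     * @throws SolrException if the directory cannot be queried or the user is not found
     */
    @Override
    public Multimap<String, String> getAttributesForUser(String userName) {
        LdapContext ctx = null;
        StartTlsResponse tls = null;
        try {
            if (this.params.isStartTlsEnabled()) {
                // JNDI binds while the context is being created if security properties are in
                // the environment. Open the connection without them, upgrade to TLS, and only
                // then authenticate, so the credentials never travel before the upgrade.
                Hashtable<String, Object> unauthenticatedEnv = new Hashtable<>(this.env);
                for (String key : SECURITY_ENV_KEYS) {
                    unauthenticatedEnv.remove(key);
                }
                ctx = new InitialLdapContext(unauthenticatedEnv, (Control[]) null);
                tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
                if (this.params.isHostNameVerificationDisabled()) {
                    tls.setHostnameVerifier(PERMISSIVE_HOSTNAME_VERIFIER);
                }
                tls.negotiate();
                for (String key : SECURITY_ENV_KEYS) {
                    Object value = this.env.get(key);
                    if (value != null) {
                        ctx.addToEnvironment(key, value);
                    }
                }
                // Re-bind on the TLS-protected connection with the configured authentication.
                ctx.reconnect(null);
            } else {
                ctx = new InitialLdapContext(this.env, (Control[]) null);
            }
            return doAttributeSearch(userName, ctx);
        } catch (NamingException | IOException e) {
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Unable to query LDAP server", e);
        } finally {
            // Runs on every path, so a failed search no longer leaks the connection or TLS session.
            closeQuietly(tls, ctx);
        }
    }

    /** Best-effort close of the TLS session (first) and the context; failures are only logged. */
    private static void closeQuietly(StartTlsResponse tls, LdapContext ctx) {
        if (tls != null) {
            try {
                tls.close();
            } catch (IOException e) {
                LOG.debug("Ignoring failure while closing StartTLS session", e);
            }
        }
        if (ctx != null) {
            try {
                ctx.close();
            } catch (NamingException e) {
                LOG.debug("Ignoring failure while closing LDAP context", e);
            }
        }
    }

    @Override
    public Class<LdapUserAttributeSourceParams> getParamsClass() {
        return LdapUserAttributeSourceParams.class;
    }

    /**
     * Escapes a value for use inside an LDAP search filter (RFC 4515): backslash, asterisk,
     * parentheses and NUL are replaced by their {@code \xx} hex form.
     */
    private static String escapeFilterValue(String value) {
        StringBuilder escaped = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\':
                    escaped.append("\\5c");
                    break;
                case '*':
                    escaped.append("\\2a");
                    break;
                case '(':
                    escaped.append("\\28");
                    break;
                case ')':
                    escaped.append("\\29");
                    break;
                case '\0':
                    escaped.append("\\00");
                    break;
                default:
                    escaped.append(c);
            }
        }
        return escaped.toString();
    }

    /**
     * Runs the user search and collects the returned attributes, then adds parent groups when
     * nested queries are enabled.
     *
     * <p>Attributes of every entry the filter matches are merged into one result, which is why
     * the user name must not be able to widen the filter: it is escaped before substitution.
     */
    private Multimap<String, String> doAttributeSearch(String userName, LdapContext ldapContext) throws NamingException {
        String filter = this.params.getUserFilter().replace("{0}", escapeFilterValue(userName));
        NamingEnumeration<SearchResult> results = ldapContext.search(this.params.getBaseDn(), filter, this.searchControls);
        if (!results.hasMore()) {
            LOG.error("User '{}' not found in LDAP", userName);
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "User not found in LDAP");
        }
        LOG.info("Fetching attributes for {} from LDAP using {}", userName, this);
        LinkedHashMultimap<String, String> attributes = LinkedHashMultimap.create();
        while (results.hasMore()) {
            NamingEnumeration<? extends Attribute> entryAttributes = results.next().getAttributes().getAll();
            while (entryAttributes.hasMore()) {
                Attribute attribute = entryAttributes.next();
                NamingEnumeration<?> values = attribute.getAll();
                while (values.hasMore()) {
                    // Values are expected to be strings; a binary attribute would fail this cast.
                    attributes.put(attribute.getID(), (String) values.next());
                }
            }
        }
        LOG.debug("Direct attributes found for user {}: {}", userName, attributes);
        if (this.params.isNestedQueryEnabled() && this.params.getMaxRecurseDepth() > 0) {
            LOG.debug("Querying nested groups for user {} up to depth {}", userName, this.params.getMaxRecurseDepth());
            String recursiveAttribute = this.params.getRecursiveAttribute();
            // Iterate over a copy: the multimap is modified inside the loop.
            for (String group : new HashSet<>(attributes.get(recursiveAttribute))) {
                Set<String> parents = new HashSet<>();
                // Seed with the group itself so a cycle back to it is detected, then drop it again.
                parents.add(group);
                getParentGroups(group, parents, ldapContext, 1);
                parents.remove(group);
                LOG.debug("Adding parent groups for {} : {}", group, parents);
                attributes.putAll(recursiveAttribute, parents);
            }
            LOG.debug("Total attributes found for user {}: {}", userName, attributes);
        }
        return attributes;
    }

    /**
     * Adds the transitive parent groups of {@code group} to {@code seen}.
     *
     * <p>As written, only "no parent groups" results are stored in the shared cache; groups that
     * do have parents are looked up in LDAP each time.
     *
     * @param group name of the group entry to read
     * @param seen groups collected so far; also used to stop on cycles
     * @param depth current recursion depth, starting at 1
     * @return the cached set on a cache hit, otherwise {@code seen}
     * @throws SolrException if {@code depth} exceeds the configured maximum recursion depth
     */
    private Set<String> getParentGroups(String group, Set<String> seen, LdapContext ldapContext, int depth) throws NamingException {
        if (depth > this.params.getMaxRecurseDepth()) {
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Nested groups recursion limit exceeded for group " + group + " at depth " + depth);
        }
        Set<String> cached = this.cache.getIfPresent(group);
        if (cached != null) {
            LOG.debug("Cache hit for {} : {}", group, cached);
            seen.addAll(cached);
            return cached;
        }
        LOG.debug("Querying LDAP for parent groups of {} at depth {}...", group, depth);
        String recursiveAttribute = this.params.getRecursiveAttribute();
        Attribute parentsAttribute = ldapContext.getAttributes(group, new String[] {recursiveAttribute}).get(recursiveAttribute);
        if (parentsAttribute == null || parentsAttribute.size() <= 0) {
            LOG.debug("No parent groups found for group {}", group);
            this.cache.put(group, Collections.emptySet());
        } else {
            LOG.debug("Group {} has direct parent groups: {}", group, parentsAttribute);
            NamingEnumeration<?> parentValues = parentsAttribute.getAll();
            while (parentValues.hasMore()) {
                String parent = parentValues.next().toString();
                if (seen.add(parent)) {
                    LOG.debug("Found new parent group: {} - recursing...", parent);
                    getParentGroups(parent, seen, ldapContext, depth + 1);
                } else {
                    LOG.debug("Cycle detected for parent group: {} - stopping recursion.", parent);
                }
            }
        }
        return seen;
    }
}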
