package com.appiancorp.security.auth.ldap;

import com.appiancorp.common.ContextClassLoaderSwitcher;
import com.appiancorp.common.StartupContextListener;
import com.appiancorp.common.config.ApplicationContextHolder;
import com.appiancorp.core.data.Record;
import com.appiancorp.core.data.Variant;
import com.appiancorp.core.expr.AppianScriptContext;
import com.appiancorp.core.expr.EvalPath;
import com.appiancorp.core.expr.exceptions.AppianScriptException;
import com.appiancorp.core.expr.fn.PublicFunction;
import com.appiancorp.core.expr.portable.Type;
import com.appiancorp.core.expr.portable.Value;
import com.appiancorp.core.util.FluentDictionary;
import com.appiancorp.process.common.validation.type.DataTypeValidatorFactory;
import com.appiancorp.security.auth.SpringSecurityContextHelper;
import com.appiancorp.services.ServiceContext;
import com.appiancorp.suite.cfg.ConfigurationFactory;
import com.appiancorp.suite.cfg.FeatureToggleConfiguration;
import com.appiancorp.suite.cfg.LdapConfiguration;
import com.appiancorp.suiteapi.encryption.EncryptionService;
import com.appiancorp.suiteapi.type.TypedValue;
import com.appiancorp.type.AppianTypeLong;
import com.appiancorp.util.BundleUtils;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.collect.Lists;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import org.apache.commons.lang3.StringUtils;
import org.apache.log4j.Logger;
import org.springframework.ldap.AuthenticationException;
import org.springframework.ldap.CommunicationException;
import org.springframework.ldap.NameNotFoundException;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.ldap.authentication.BindAuthenticator;

/* loaded from: input_file:com/appiancorp/security/auth/ldap/LdapTestAuthenticationFunction.class */
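/**
 * Expression function {@code testldapconfiguration_appian_internal}: validates a proposed LDAP
 * configuration by performing a live bind against each configured server URL with the supplied
 * test credentials.
 *
 * <p>Invocation is restricted to system administrators ({@link #eval} throws for anyone else).
 * The result is a list of strings: first the base-DN consistency check, then one entry per server
 * URL. An empty string means the corresponding check passed; otherwise the entry is a localized,
 * coarse-grained message that names the group of settings that is wrong rather than echoing raw
 * exception text.
 */
public class LdapTestAuthenticationFunction extends PublicFunction {
    private static final Logger LOG = Logger.getLogger(LdapTestAuthenticationFunction.class);
    private static final long serialVersionUID = 1;
    /** Key of the "value" field inside each property record of the LDAP properties dictionary. */
    private static final String PROPERTY_VALUE_KEY = "value";
    public static final String FN_NAME = "testldapconfiguration_appian_internal";

    /**
     * Evaluates the function.
     *
     * @param evalPath evaluation path (not used by this function)
     * @param valueArr exactly three values: the LDAP properties dictionary, the test username and
     *     the test password
     * @param appianScriptContext script context; its service context supplies the message locale
     * @return a list of strings: the base-DN consistency result followed by one result per server URL
     * @throws AppianScriptException if the current user is not a system administrator
     * @throws NullPointerException if {@code valueArr} is null
     * @throws IllegalArgumentException if {@code valueArr} does not hold exactly three values
     */
    public Value eval(EvalPath evalPath, Value[] valueArr, AppianScriptContext appianScriptContext) {
        // Authorization gate: this function binds to an external directory with caller-supplied
        // credentials, so it is limited to system administrators regardless of the calling expression.
        if (!SpringSecurityContextHelper.isCurrentUserSystemAdmin()) {
            throw new AppianScriptException("Only system administrators can test ldap");
        }
        Preconditions.checkNotNull(valueArr, "Parameter value should not be null.");
        Preconditions.checkArgument(valueArr.length == 3, "testldapconfiguration_appian_internal expects 3 parameters (ldapProperties, username, password)");
        EncryptionService encryptionService = (EncryptionService) ApplicationContextHolder.getBean(EncryptionService.class);
        FluentDictionary properties = FluentDictionary.fromExistingDictionary(valueArr[0].getRuntimeValue());
        String username = (String) valueArr[1].getValue();
        String password = (String) valueArr[2].getValue();
        Locale locale = appianScriptContext.getServiceContext().getLocale();
        String[] serverUrls = AppianLdapUtil.splitMultipleServerUrls(getStringProperty(properties, LdapConfiguration.SERVER_URL.getName()));
        // One entry for the base-DN check plus one per server URL.
        List<String> results = new ArrayList<>(serverUrls.length + 1);
        results.add(validateBaseDns(locale, serverUrls));
        for (String serverUrl : serverUrls) {
            BindAuthenticator authenticator = buildBindAuthenticator(properties, encryptionService, serverUrl);
            if (authenticator == null) {
                results.add(getErrorMessage(locale, "error.serverurl.or.basedn.invalid", null));
            } else {
                results.add(bindToAndValidateConfiguredLdapConnection(authenticator, username, password, properties, locale));
            }
        }
        return Type.LIST_OF_STRING.valueOf(results.toArray(new String[0]));
    }

    /**
     * Checks that every server URL can be parsed and that all of them carry the same base DN.
     *
     * @param locale locale for the error message
     * @param serverUrls the configured server URLs
     * @return {@code ""} when all URLs parse and agree on the base DN, otherwise a localized error message
     */
    private String validateBaseDns(Locale locale, String[] serverUrls) {
        // Declared as Object because the return type of parseBaseDnFromServerUrl is not visible here;
        // equals() is all that is needed for the comparison.
        Object expectedBaseDn = null;
        try {
            for (String serverUrl : serverUrls) {
                Object baseDn = AppianLdapUtil.parseBaseDnFromServerUrl(serverUrl);
                if (expectedBaseDn == null) {
                    expectedBaseDn = baseDn;
                } else if (!expectedBaseDn.equals(baseDn)) {
                    return getErrorMessage(locale, "error.mismatch.basedn", null);
                }
            }
            return "";
        } catch (Exception e) {
            // Any parse failure is reported as a URL syntax error; keep the cause for diagnostics.
            LOG.debug("Unable to parse base DN from server URL", e);
            return getErrorMessage(locale, "error.serverurl.syntax", null);
        }
    }

    /**
     * Binds to the configured directory with the test credentials and, if that succeeds, validates
     * the attribute mapping used for automatic user creation.
     *
     * <p>Every failure is reduced to a localized message so that the caller learns which group of
     * settings is wrong without seeing the underlying exception text.
     *
     * @param bindAuthenticator authenticator built for a single server URL
     * @param username test username
     * @param password test password
     * @param properties the LDAP properties dictionary
     * @param locale locale for messages
     * @return {@code ""} on success, otherwise a localized error message
     */
    @VisibleForTesting
    String bindToAndValidateConfiguredLdapConnection(BindAuthenticator bindAuthenticator, String username, String password, FluentDictionary properties, Locale locale) {
        try {
            DirContextOperations userEntry = bindToConfiguredLdap(bindAuthenticator, username, password);
            return validateUserCreationConfiguration(properties, userEntry, locale);
        } catch (NameNotFoundException e) {
            LOG.error("Invalid Base DN");
            return getErrorMessage(locale, "error.basedn.invalid", null);
        } catch (BadCredentialsException e) {
            if (getBooleanProperty(properties, LdapConfiguration.BIND_AS_USER.getName())) {
                LOG.error("One or more of the Server URL, DN Pattern, Username, or Password fields were incorrect");
                return getErrorMessage(locale, "error.basedn.or.userdnpattern.or.usernamepassword.invalid", null);
            }
            LOG.error("One or more of the Search Filter, Username, or Password fields were incorrect");
            return getErrorMessage(locale, "error.searchfilter.or.usernamepassword.invalid", null);
        } catch (UsernameNotFoundException e) {
            LOG.error("One or more of the Search Filter, Username, or Password fields were incorrect");
            return getErrorMessage(locale, "error.searchfilter.or.usernamepassword.invalid", null);
        } catch (CommunicationException e) {
            LOG.error(e.getMessage(), e);
            return getErrorMessage(locale, "error.serverurl.invalid", null);
        } catch (AuthenticationException e) {
            // Must be handled before the generic Exception branch below; otherwise this branch is
            // unreachable and an administrator-credential failure is reported as "unknown".
            LOG.error("Administrator credentials are invalid");
            return getErrorMessage(locale, "error.admincredentials.invalid", null);
        } catch (Exception e) {
            LOG.error(e.getMessage(), e);
            return getErrorMessage(locale, "error.unknown", null);
        }
    }

    /**
     * Builds a {@link BindAuthenticator} for one server URL from the properties dictionary.
     *
     * <p>When "bind as user" is enabled the authenticator uses the configured user DN pattern;
     * otherwise it uses the configured bind DN, the decrypted bind password and the search filter.
     *
     * @param properties the LDAP properties dictionary
     * @param encryptionService used to decrypt the stored bind password
     * @param serverUrl the server URL to build the authenticator for
     * @return the authenticator, or {@code null} if it could not be built (the caller reports a generic error)
     */
    @VisibleForTesting
    BindAuthenticator buildBindAuthenticator(FluentDictionary properties, EncryptionService encryptionService, String serverUrl) {
        try {
            boolean bindAsUser = getBooleanProperty(properties, LdapConfiguration.BIND_AS_USER.getName());
            // The property is configured in seconds; the builder takes milliseconds.
            int connectTimeoutMillis = getIntegerProperty(properties, LdapConfiguration.CONNECT_TIMEOUT_SECS.getName()) * 1000;
            BindAuthenticatorBuilder builder = new BindAuthenticatorBuilder(serverUrl, bindAsUser, connectTimeoutMillis, (FeatureToggleConfiguration) ConfigurationFactory.getConfiguration(FeatureToggleConfiguration.class));
            if (bindAsUser) {
                builder.userDnPattern(getStringProperty(properties, LdapConfiguration.USER_DN_PATTERN.getName()));
            } else {
                // The stored bind password is decrypted here only to perform the test bind.
                builder.bindDn(getStringProperty(properties, LdapConfiguration.BIND_DN.getName()))
                    .bindPassword(encryptionService.decrypt(getEncryptedTextProperty(properties, LdapConfiguration.BIND_PASSWORD.getName())))
                    .searchFilter(getStringProperty(properties, LdapConfiguration.SEARCH_FILTER.getName()));
            }
            return builder.build();
        } catch (Exception e) {
            // The caller maps null to a generic "server URL or base DN invalid" message; record the real cause.
            LOG.error("Unable to build LDAP bind authenticator", e);
            return null;
        }
    }

    /**
     * Performs the bind with the web application class loader active on the current thread.
     *
     * @return the directory entry of the authenticated user
     * @throws Exception whatever the authenticator or the context switch throws
     */
    private DirContextOperations bindToConfiguredLdap(BindAuthenticator bindAuthenticator, String username, String password) throws Exception {
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, password);
        return (DirContextOperations) ContextClassLoaderSwitcher.runInContext(StartupContextListener.getWebAppClassLoader(), () -> {
            return bindAuthenticator.authenticate(token);
        });
    }

    /**
     * Validates the user-creation attribute mapping, but only when automatic user creation is enabled.
     *
     * @return {@code ""} when the feature is disabled or all attributes are valid, otherwise a
     *     {@code ";"}-separated list of localized error messages
     */
    private String validateUserCreationConfiguration(FluentDictionary properties, DirContextOperations userEntry, Locale locale) {
        if (!getBooleanProperty(properties, LdapConfiguration.AUTO_CREATE_USERS.getName())) {
            return "";
        }
        return validateUserAttributes(properties, userEntry, locale);
    }

    /**
     * Checks that the username, email, first-name and last-name attributes configured for user
     * creation exist on the bound user's entry, and that the email attribute holds a valid address.
     *
     * @return {@code ""} when everything is present and valid, otherwise the error messages joined by {@code ";"}
     */
    private String validateUserAttributes(FluentDictionary properties, DirContextOperations userEntry, Locale locale) {
        List<String> errors = new ArrayList<>();
        String usernameAttribute = getStringProperty(properties, LdapConfiguration.USERNAME.getName());
        if (!userEntry.attributeExists(usernameAttribute)) {
            errors.add(getErrorMessage(locale, "error.attribute.username.missing", usernameAttribute));
        }
        String emailAttribute = getStringProperty(properties, LdapConfiguration.EMAIL.getName());
        if (!userEntry.attributeExists(emailAttribute)) {
            errors.add(getErrorMessage(locale, "error.attribute.email.missing", emailAttribute));
        } else if (!DataTypeValidatorFactory.createDataTypeValidator(AppianTypeLong.EMAIL_ADDRESS).isValid(userEntry.getStringAttribute(emailAttribute), true, (ServiceContext) null)) {
            errors.add(getErrorMessage(locale, "error.attribute.email.invalid", emailAttribute));
        }
        String firstNameAttribute = getStringProperty(properties, LdapConfiguration.FIRST_NAME.getName());
        if (!userEntry.attributeExists(firstNameAttribute)) {
            errors.add(getErrorMessage(locale, "error.attribute.firstname.missing", firstNameAttribute));
        }
        String lastNameAttribute = getStringProperty(properties, LdapConfiguration.LAST_NAME.getName());
        if (!userEntry.attributeExists(lastNameAttribute)) {
            errors.add(getErrorMessage(locale, "error.attribute.lastname.missing", lastNameAttribute));
        }
        // StringUtils.join is kept (rather than String.join) so null elements render as "" exactly as before.
        return StringUtils.join(errors, ";");
    }

    /**
     * Looks up a localized message from this class's resource bundle.
     *
     * @param locale message locale
     * @param key bundle key
     * @param argument single substitution argument, may be null
     */
    private String getErrorMessage(Locale locale, String key, String argument) {
        return BundleUtils.getText(LdapTestAuthenticationFunction.class, locale, key, new String[]{argument});
    }

    /** Reads the {@code value} field of the named property record as a string. */
    private String getStringProperty(FluentDictionary properties, String propertyName) {
        return propertyRecord(properties, propertyName).getValue(PROPERTY_VALUE_KEY).getValue().toString();
    }

    /** Reads the {@code value} field of the named property record as a boolean. */
    private boolean getBooleanProperty(FluentDictionary properties, String propertyName) {
        return propertyRecord(properties, propertyName).getValue(PROPERTY_VALUE_KEY).booleanValue();
    }

    /** Reads the {@code value} field of the named property record as an int. */
    private int getIntegerProperty(FluentDictionary properties, String propertyName) {
        return propertyRecord(properties, propertyName).getValue(PROPERTY_VALUE_KEY).intValue();
    }

    /**
     * Reads the {@code value} field of the named property record and wraps it as an
     * {@code ENCRYPTED_TEXT} typed value, the form {@link EncryptionService#decrypt} expects.
     */
    private TypedValue getEncryptedTextProperty(FluentDictionary properties, String propertyName) {
        Record record = propertyRecord(properties, propertyName);
        return new TypedValue(AppianTypeLong.ENCRYPTED_TEXT, ((Variant) record.getAtIndex(record.getIndex(PROPERTY_VALUE_KEY))).getValue());
    }

    /** Returns the record that holds the named property inside the properties dictionary. */
    private static Record propertyRecord(FluentDictionary properties, String propertyName) {
        return (Record) properties.get(propertyName).getValue();
    }
}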
