package com.digiwin.dap.middleware.iam.support.remote.impl;

import cn.hutool.core.util.StrUtil;
import com.digiwin.dap.middle.kms.constants.KeyConstant;
import com.digiwin.dap.middleware.commons.crypto.AES;
import com.digiwin.dap.middleware.exception.BusinessException;
import com.digiwin.dap.middleware.iam.constant.I18nError;
import com.digiwin.dap.middleware.iam.constant.IamConstants;
import com.digiwin.dap.middleware.iam.constant.enums.BooleanStrEnum;
import com.digiwin.dap.middleware.iam.domain.EnvProperties;
import com.digiwin.dap.middleware.iam.domain.login.LoginUser;
import com.digiwin.dap.middleware.iam.domain.tenant.TenantMetadataVO;
import com.digiwin.dap.middleware.iam.domain.tenant.metadata.TenantMetadataLdapVO;
import com.digiwin.dap.middleware.iam.entity.Tenant;
import com.digiwin.dap.middleware.iam.service.tenantmetadata.TenantMetadataCrudService;
import com.digiwin.dap.middleware.iam.support.remote.CustomSslSocketFactory;
import com.digiwin.dap.middleware.iam.support.remote.LdapConstants;
import com.digiwin.dap.middleware.iam.support.remote.LdapService;
import com.digiwin.dap.middleware.iam.support.remote.digiwinadwsdl.domain.AdExecution;
import com.digiwin.dap.middleware.iam.support.remote.domain.ad.AdOu;
import com.digiwin.dap.middleware.iam.support.remote.domain.ad.AdUser;
import com.digiwin.dap.middleware.iam.util.Dom4jUtil;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.function.BiFunction;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.PagedResultsControl;
import javax.naming.ldap.PagedResultsResponseControl;
import org.apache.axis.components.jms.JNDIVendorAdapter;
import org.apache.commons.lang.StringEscapeUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.springframework.util.ObjectUtils;
import org.springframework.util.StringUtils;

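@Service
/* loaded from: input_file:BOOT-INF/lib/iam-business-4.37.4.0.jar:com/digiwin/dap/middleware/iam/support/remote/impl/LdapServiceImpl.class */
/**
 * LDAP / Active Directory integration for IAM login.
 *
 * <p>Two independent paths live here: {@link #checkAccount} verifies an account through the
 * Digiwin AD web-service endpoints (via {@code Dom4jUtil}), while the remaining methods bind to a
 * tenant's own directory over JNDI, search it with the tenant-configured filters, and map the
 * results to {@link AdUser} / {@link AdOu}.
 *
 * <p>Not thread-safe state is kept here; each call opens and closes its own context except
 * {@link #searchPage}, whose context is owned by the caller.
 */
public class LdapServiceImpl implements LdapService {
    private static final Logger logger = LoggerFactory.getLogger((Class<?>) LdapServiceImpl.class);

    /** Connect timeout handed to the JNDI LDAP provider, in milliseconds. */
    private static final String CONNECT_TIMEOUT_MILLIS = "5000";
    /** objectClass value every hit of a user search must carry (see {@link #checkObjectClass}). */
    private static final String USER_OBJECT_CLASS = "user";

    @Autowired
    private TenantMetadataCrudService tenantMetadataCrudService;

    @Autowired
    private EnvProperties envProperties;

    /**
     * Verifies an account against the Digiwin AD endpoints, trying them in a locale-dependent
     * order, and parses the first response that is not null.
     *
     * @param str  account name; XML-escaped before it reaches the endpoint checkers
     * @param str2 password; XML-escaped before it reaches the endpoint checkers
     * @param str3 country code; for the simplified-Chinese country the aliyun and cn endpoints
     *             are tried before tw, otherwise tw comes first
     * @return the parsed {@link AdExecution}
     * @throws BusinessException {@code LOGIN_LDAP_AUTH} when no endpoint answers,
     *         {@code AD_INFO_FAILED} when the answer cannot be parsed
     */
    @Override
    public AdExecution checkAccount(String str, String str2, String str3) {
        String account = StringEscapeUtils.escapeXml(str);
        String password = StringEscapeUtils.escapeXml(str2);
        List<BiFunction<String, String, String>> checkers = new ArrayList<>();
        checkers.add(Dom4jUtil::checkADEncrypted);
        if (Locale.SIMPLIFIED_CHINESE.getCountry().equalsIgnoreCase(str3)) {
            checkers.add(Dom4jUtil::checkLdapAliyun);
            checkers.add(Dom4jUtil::checkLdapCn);
            checkers.add(Dom4jUtil::checkLdapTw);
        } else {
            checkers.add(Dom4jUtil::checkLdapTw);
            checkers.add(Dom4jUtil::checkLdapAliyun);
            checkers.add(Dom4jUtil::checkLdapCn);
        }
        String response = checkInOrder(account, password, checkers);
        if (response == null) {
            throw new BusinessException(I18nError.LOGIN_LDAP_AUTH);
        }
        try {
            // NOTE: this logs the raw endpoint response at INFO; whatever account details the
            // endpoint returns end up in the log.
            logger.info("ad验证账号信息{}", response);
            return Dom4jUtil.getAdExecution(response);
        } catch (Exception e) {
            // BusinessException carries only the i18n code and the account, so keep the cause in the log.
            logger.error("Failed to parse AD verification response, account={}", account, e);
            throw new BusinessException(I18nError.AD_INFO_FAILED, new Object[]{account});
        }
    }

    /**
     * Applies each checker to (account, password) in list order.
     *
     * @return the first non-null result, or null when every checker returned null
     */
    private static String checkInOrder(String str, String str2, List<BiFunction<String, String, String>> list) {
        for (BiFunction<String, String, String> checker : list) {
            String result = checker.apply(str, str2);
            if (result != null) {
                return result;
            }
        }
        return null;
    }

    /**
     * Opens a JNDI LDAP context with a simple bind.
     *
     * @param str  provider URL (ldap:// or ldaps://)
     * @param str2 bind principal (DN or AD account name)
     * @param str3 bind password
     * @param z    whether to negotiate TLS ({@code java.naming.security.protocol=ssl})
     * @return the bound context, or null when the principal or password is empty or the bind
     *         fails; callers treat null as an authentication failure
     */
    @Override
    public DirContext connect(String str, String str2, String str3, boolean z) {
        // A simple bind with an empty password is an unauthenticated bind (RFC 4513 §5.1.2) and an
        // empty principal an anonymous one; many directories, AD included, accept both. Since
        // callers use a successful bind as proof of the password, refuse here instead of letting
        // an empty password "authenticate" (a null password previously failed on Hashtable.put).
        if (!StringUtils.hasLength(str2) || !StringUtils.hasLength(str3)) {
            logger.error("LDAP bind refused: empty principal or credentials, url={}, username={}", str, str2);
            return null;
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, str2);
        env.put(Context.SECURITY_CREDENTIALS, str3);
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put("com.sun.jndi.ldap.connect.timeout", CONNECT_TIMEOUT_MILLIS);
        env.put(Context.PROVIDER_URL, str);
        if (z) {
            env.put(Context.SECURITY_PROTOCOL, "ssl");
            if (Boolean.TRUE.equals(this.envProperties.getAdTrustSsl())) {
                // SECURITY: the next two calls are process-wide, not per connection. Clearing
                // jdk.tls.disabledAlgorithms re-enables every TLS algorithm the JDK had disabled
                // for every TLS client in this JVM, and disableEndpointIdentification switches off
                // hostname verification for all JNDI LDAPS connections. Combined with the custom
                // socket factory this is an opt-in "trust the AD endpoint" mode; keep adTrustSsl
                // off unless the directory's certificate cannot be fixed, and prefer scoping the
                // relaxation to CustomSslSocketFactory itself.
                Security.setProperty("jdk.tls.disabledAlgorithms", "");
                System.setProperty("com.sun.jndi.ldap.object.disableEndpointIdentification", "true");
                env.put(Context.AUTHORITATIVE, "true");
                env.put("java.naming.ldap.factory.socket", CustomSslSocketFactory.class.getName());
            }
        }
        try {
            return new InitialLdapContext(env, (Control[]) null);
        } catch (Exception e) {
            logger.error("LDAP身份验证失败 {}, username={}, {}", str, str2, e.getMessage(), e);
            return null;
        }
    }

    /**
     * Binds with the given credentials and runs one subtree search, returning every hit as an
     * attribute-id to joined-value map. The context is closed before returning.
     *
     * @param str  provider URL
     * @param str2 bind principal
     * @param str3 bind password
     * @param z    use TLS
     * @param str4 search base DN
     * @param str5 search filter
     * @throws BusinessException {@code IAM_LOGIN_AD_AUTH_ADMIN_ERROR} when the bind fails,
     *         {@code IAM_LOGIN_AD_SEARCH_OBJECT_ERROR} when the search fails
     */
    @Override
    public List<Map<String, String>> search(String str, String str2, String str3, boolean z, String str4, String str5) {
        DirContext ctx = connect(str, str2, str3, z);
        if (ctx == null) {
            throw new BusinessException(I18nError.IAM_LOGIN_AD_AUTH_ADMIN_ERROR);
        }
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            List<Map<String, String>> rows = new ArrayList<>();
            NamingEnumeration<SearchResult> results = ctx.search(str4, str5, controls);
            if (results != null) {
                while (results.hasMoreElements()) {
                    Map<String, String> row = toAttributeMap(results.next().getAttributes());
                    if (row != null) {
                        rows.add(row);
                    }
                }
            }
            return rows;
        } catch (NamingException e) {
            logger.error("查询AD资料失败, searchDn={}, searchFilter={}", str4, str5, e);
            throw new BusinessException(I18nError.IAM_LOGIN_AD_SEARCH_OBJECT_ERROR);
        } finally {
            closeQuietly(ctx);
        }
    }

    /**
     * Same as {@link #search(String, String, String, boolean, String, String)} but drives the
     * simple-paged-results control (RFC 2696) with pages of {@code i} entries, following the
     * server cookie until the last page. The context is closed before returning.
     *
     * @param i page size
     */
    @Override
    public List<Map<String, String>> search(String str, String str2, String str3, boolean z, String str4, String str5, int i) {
        // connect() always builds an InitialLdapContext, which is needed here for request controls.
        LdapContext ctx = (LdapContext) connect(str, str2, str3, z);
        if (ctx == null) {
            throw new BusinessException(I18nError.IAM_LOGIN_AD_AUTH_ADMIN_ERROR);
        }
        List<Map<String, String>> rows = new ArrayList<>();
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            byte[] cookie = null;
            do {
                ctx.setRequestControls(new Control[]{new PagedResultsControl(i, cookie, Control.CRITICAL)});
                NamingEnumeration<SearchResult> results = ctx.search(str4, str5, controls);
                while (results != null && results.hasMoreElements()) {
                    Map<String, String> row = toAttributeMap(results.next().getAttributes());
                    if (row != null) {
                        rows.add(row);
                    }
                }
                cookie = pagedResultsCookie(ctx.getResponseControls());
            } while (cookie != null);
            return rows;
        } catch (Exception e) {
            logger.error("分页查询AD资料失败, searchDn={}, searchFilter={}", str4, str5, e);
            throw new BusinessException(I18nError.IAM_LOGIN_AD_SEARCH_OBJECT_ERROR);
        } finally {
            closeQuietly(ctx);
        }
    }

    /**
     * Fetches one page of a paged search on a caller-owned context.
     *
     * <p>{@code list} is a one-slot cookie holder: slot 0 is read as the cookie to send and
     * overwritten with the cookie the server returned (null once the last page has been read, or
     * when the server returned no paged-results control, so a caller looping on the cookie stops
     * either way). An empty list is treated as "no cookie" and the slot is appended.
     *
     * @param ldapContext open context; not closed here
     * @param str         search base DN
     * @param str2        search filter
     * @param i           page size
     * @param list        cookie holder, see above
     * @throws BusinessException {@code IAM_LOGIN_AD_AUTH_ADMIN_ERROR} when the context is null,
     *         {@code IAM_LOGIN_AD_SEARCH_OBJECT_ERROR} when the search fails
     */
    @Override
    public List<Map<String, String>> searchPage(LdapContext ldapContext, String str, String str2, int i, List<byte[]> list) {
        if (ldapContext == null) {
            throw new BusinessException(I18nError.IAM_LOGIN_AD_AUTH_ADMIN_ERROR);
        }
        byte[] cookie = list.isEmpty() ? null : list.get(0);
        List<Map<String, String>> rows = new ArrayList<>();
        try {
            ldapContext.setRequestControls(new Control[]{new PagedResultsControl(i, cookie, Control.CRITICAL)});
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            NamingEnumeration<SearchResult> results = ldapContext.search(str, str2, controls);
            while (results != null && results.hasMoreElements()) {
                Map<String, String> row = toAttributeMap(results.next().getAttributes());
                if (row != null) {
                    rows.add(row);
                }
            }
            byte[] nextCookie = pagedResultsCookie(ldapContext.getResponseControls());
            if (list.isEmpty()) {
                list.add(nextCookie);
            } else {
                list.set(0, nextCookie);
            }
            return rows;
        } catch (Exception e) {
            logger.error("分页查询AD资料失败, searchDn={}, searchFilter={}", str, str2, e);
            throw new BusinessException(I18nError.IAM_LOGIN_AD_SEARCH_OBJECT_ERROR);
        }
    }

    /**
     * Authenticates a tenant user against the tenant's directory: looks the user up with the
     * tenant's admin credentials, then binds as the user's DN with the supplied password.
     *
     * @param loginUser carries the user id (filter assertion value) and the password to verify
     * @param tenant    tenant whose LDAP metadata is used
     * @return the directory user that was found and whose password bound successfully
     * @throws BusinessException {@code ERROR_21010} when the tenant has no LDAP metadata,
     *         {@code IAM_LOGIN_AD_AUTH_ACCOUNT_PASSWORD_ERROR} when no user matches or the
     *         user bind fails, plus whatever {@link #listAdUser} raises
     */
    @Override
    public AdUser getAdUser(LoginUser loginUser, Tenant tenant) {
        TenantMetadataLdapVO ldap = getTenantMetadataLdapVO(tenant.getSid());
        String baseDn = ldap.getBaseDn();
        String adminAccount = ldap.getAdminAccount();
        String adminPassword = AES.decrypt(ldap.getAdminPassword(), KeyConstant.WECHAT_UNION_ID);
        String loginAttr = firstNonEmpty(ldap.getUserLoginAttr(), LdapConstants.USER_LOGIN_ATTR);
        String baseFilter = firstNonEmpty(ldap.getUserFilter(), LdapConstants.USER_FILTER);
        // The user id comes straight from the login request: escape it (RFC 4515) so filter
        // metacharacters such as '*', '(' and ')' match literally instead of widening or
        // rewriting the search, which would let a request select a different account.
        ldap.setUserFilter(String.format("(&(%s=%s)(objectCategory=person)%s)",
                loginAttr, escapeFilterValue(loginUser.getUserId()), baseFilter));
        boolean sslEnabled = BooleanStrEnum.TRUE.getValue().equals(ldap.getSslEnabled());
        List<AdUser> users = listAdUser(ldap.getUrl(), adminAccount, adminPassword, sslEnabled, baseDn, ldap);
        if (users.isEmpty()) {
            throw new BusinessException(I18nError.IAM_LOGIN_AD_AUTH_ACCOUNT_PASSWORD_ERROR);
        }
        AdUser adUser = users.get(0);
        // Bind as the found user to prove the password; connect() refuses empty credentials,
        // so an empty login password cannot pass as an unauthenticated bind.
        DirContext userCtx = connect(ldap.getUrl(), adUser.getDistinguishedName(), loginUser.getPassword(), sslEnabled);
        if (userCtx == null) {
            throw new BusinessException(I18nError.IAM_LOGIN_AD_AUTH_ACCOUNT_PASSWORD_ERROR);
        }
        closeQuietly(userCtx);
        return adUser;
    }

    /**
     * Searches for users under {@code str4} with the tenant's user filter and maps each hit to an
     * {@link AdUser}. Hits without an id or name are logged and dropped.
     *
     * @param tenantMetadataLdapVO tenant LDAP settings; null means all defaults
     * @throws BusinessException when a hit's objectClass does not contain {@code user}
     */
    @Override
    public List<AdUser> listAdUser(String str, String str2, String str3, boolean z, String str4, TenantMetadataLdapVO tenantMetadataLdapVO) {
        TenantMetadataLdapVO ldap = tenantMetadataLdapVO != null ? tenantMetadataLdapVO : new TenantMetadataLdapVO();
        String filter = firstNonEmpty(ldap.getUserFilter(), LdapConstants.USER_FILTER);
        List<AdUser> users = new ArrayList<>();
        for (Map<String, String> row : search(str, str2, str3, z, str4, filter)) {
            checkObjectClass(row.get(LdapConstants.OBJECT_CLASS_ATTR), USER_OBJECT_CLASS, filter);
            AdUser adUser = getAdUser(ldap, row);
            if (ObjectUtils.isEmpty(adUser.getId()) || ObjectUtils.isEmpty(adUser.getName())) {
                logger.warn("AD用户id或name为空，DN = {}, searchDn = {}, searchFilter={}, url = {},", adUser.getDistinguishedName(), str4, filter, str);
            } else {
                users.add(adUser);
            }
        }
        return users;
    }

    /**
     * Paged variant of {@link #listAdUser}: one page of users from a caller-owned context, with
     * the cookie holder semantics of {@link #searchPage}.
     */
    @Override
    public List<AdUser> listAdUserPage(LdapContext ldapContext, String str, TenantMetadataLdapVO tenantMetadataLdapVO, int i, List<byte[]> list) {
        TenantMetadataLdapVO ldap = tenantMetadataLdapVO != null ? tenantMetadataLdapVO : new TenantMetadataLdapVO();
        String filter = firstNonEmpty(ldap.getUserFilter(), LdapConstants.USER_FILTER);
        List<AdUser> users = new ArrayList<>();
        for (Map<String, String> row : searchPage(ldapContext, str, filter, i, list)) {
            checkObjectClass(row.get(LdapConstants.OBJECT_CLASS_ATTR), USER_OBJECT_CLASS, filter);
            AdUser adUser = getAdUser(ldap, row);
            if (ObjectUtils.isEmpty(adUser.getId()) || ObjectUtils.isEmpty(adUser.getName())) {
                logger.warn("AD用户id或name为空，DN = {}, searchDn = {}, searchFilter={}, ctx = {},", adUser.getDistinguishedName(), str, filter, ldapContext);
            } else {
                users.add(adUser);
            }
        }
        return users;
    }

    /**
     * Searches for organizational units under {@code str4} with the tenant's OU filter and maps
     * each hit to an {@link AdOu}. Hits without an id are logged and dropped.
     *
     * @param tenantMetadataLdapVO tenant LDAP settings; must not be null
     * @throws BusinessException when a hit's objectClass does not contain the OU object class
     */
    @Override
    public List<AdOu> listAdOu(String str, String str2, String str3, boolean z, String str4, TenantMetadataLdapVO tenantMetadataLdapVO) {
        String filter = firstNonEmpty(tenantMetadataLdapVO.getOuFilter(), LdapConstants.OU_FILTER);
        List<AdOu> ous = new ArrayList<>();
        for (Map<String, String> row : search(str, str2, str3, z, str4, filter)) {
            checkObjectClass(row.get(LdapConstants.OBJECT_CLASS_ATTR), LdapConstants.OU_OBJECT_CLASS, filter);
            AdOu adOu = getAdOu(tenantMetadataLdapVO, row);
            if (ObjectUtils.isEmpty(adOu.getId())) {
                logger.warn("AD组织id为空，DN = {}, searchDn = {}, searchFilter={}, url = {},", adOu.getDistinguishedName(), str4, filter, str);
            } else {
                ous.add(adOu);
            }
        }
        return ous;
    }

    /**
     * Maps one search hit to an {@link AdUser}, reading the tenant-configured attribute names
     * (falling back to the defaults) for id, name, mail and phone. Attribute lookups are exact,
     * so the configured names must match the casing the server returns.
     */
    private AdUser getAdUser(TenantMetadataLdapVO tenantMetadataLdapVO, Map<String, String> map) {
        AdUser adUser = new AdUser();
        adUser.setId(map.get(firstNonEmpty(tenantMetadataLdapVO.getUserLoginAttr(), LdapConstants.USER_LOGIN_ATTR)));
        adUser.setName(map.get(firstNonEmpty(tenantMetadataLdapVO.getUserNameAttr(), "name")));
        adUser.setMail(map.get(firstNonEmpty(tenantMetadataLdapVO.getUserEmailAttr(), LdapConstants.USER_EMAIL_ATTR)));
        adUser.setDepartment(map.get("department"));
        adUser.setMobile(map.get("mobile"));
        adUser.setTelephoneNumber(map.get(firstNonEmpty(tenantMetadataLdapVO.getUserPhoneAttr(), LdapConstants.USER_PHONE_ATTR)));
        adUser.setDisplayName(map.get("displayName"));
        adUser.setDistinguishedName(map.get("distinguishedName"));
        adUser.setManager(map.get(LdapConstants.MANAGER_ATTR));
        adUser.setTitle(map.get("title"));
        adUser.setUserAccountControl(map.get(LdapConstants.USER_ACCOUNT_CONTROL_ATTR));
        // Disabled flag is derived from userAccountControl; the flag set is project-defined.
        if (LdapConstants.LDAP_DISABLED_USER_FLAG.contains(adUser.getUserAccountControl())) {
            adUser.setDisabled(Boolean.TRUE);
        }
        return adUser;
    }

    /** Maps one search hit to an {@link AdOu} using the tenant-configured id/name attributes. */
    private AdOu getAdOu(TenantMetadataLdapVO tenantMetadataLdapVO, Map<String, String> map) {
        AdOu adOu = new AdOu();
        adOu.setId(map.get(firstNonEmpty(tenantMetadataLdapVO.getOuUniqueIdAttr(), "distinguishedName")));
        adOu.setName(map.get(firstNonEmpty(tenantMetadataLdapVO.getOuNameAttr(), "name")));
        adOu.setDistinguishedName(map.get("distinguishedName"));
        adOu.setManagedBy(map.get(LdapConstants.OU_MANAGED_BY_ATTR));
        return adOu;
    }

    /**
     * Rejects a hit whose objectClass does not include the expected class.
     *
     * @param str  the hit's objectClass values as joined by {@link #getAttrValue} (comma-separated)
     * @param str2 expected object class
     * @param str3 the filter used, for the error message
     * @throws BusinessException when the value is empty or does not contain {@code str2}
     */
    private void checkObjectClass(String str, String str2, String str3) {
        if (ObjectUtils.isEmpty(str) || !Arrays.asList(str.split(",")).contains(str2)) {
            throw new BusinessException(StrUtil.indexedFormat("查询AD资料类型异常，请联系管理人员。objectClass = {0}, searchFilter = {1}", str, str3));
        }
    }

    /**
     * Loads the tenant's LDAP metadata.
     *
     * @throws BusinessException {@code ERROR_21010} when the tenant has no LDAP metadata
     */
    private TenantMetadataLdapVO getTenantMetadataLdapVO(long j) {
        List<TenantMetadataVO> metadata = this.tenantMetadataCrudService.getTenantMetadataValue(j, IamConstants.TENANT_METADATA_CATALOG_ID_LDAP, IamConstants.LDAP_KEY_LIST);
        if (metadata.isEmpty()) {
            throw new BusinessException(I18nError.ERROR_21010);
        }
        return new TenantMetadataLdapVO(metadata);
    }

    /**
     * Joins all values of an attribute with {@code ","}.
     *
     * <p>Values are appended via {@code toString()}, so binary attributes (byte[]) are not
     * decoded; {@link #checkObjectClass} relies on this comma join to split objectClass.
     */
    private String getAttrValue(Attribute attribute) throws NamingException {
        StringBuilder joined = new StringBuilder();
        boolean first = true;
        NamingEnumeration<?> values = attribute.getAll();
        while (values.hasMoreElements()) {
            if (!first) {
                joined.append(",");
            }
            joined.append(values.nextElement());
            first = false;
        }
        return joined.toString();
    }

    /**
     * Flattens a hit's attributes into an attribute-id to joined-value map.
     *
     * @return the map, or null when {@code attributes} is null (callers skip such hits)
     */
    private Map<String, String> toAttributeMap(Attributes attributes) throws NamingException {
        if (attributes == null) {
            return null;
        }
        Map<String, String> row = new HashMap<>();
        NamingEnumeration<? extends Attribute> all = attributes.getAll();
        while (all.hasMoreElements()) {
            Attribute attribute = all.next();
            row.put(attribute.getID(), getAttrValue(attribute));
        }
        return row;
    }

    /**
     * Extracts the paging cookie from a response-control array.
     *
     * @return the cookie of the last {@link PagedResultsResponseControl} present, or null when
     *         the array is null, carries no such control, or the server has no more entries
     *         ({@code getCookie()} returns null for the final page). Returning null for a missing
     *         control stops the page loop instead of re-requesting the same page forever.
     */
    private static byte[] pagedResultsCookie(Control[] responseControls) {
        byte[] cookie = null;
        if (responseControls != null) {
            for (Control control : responseControls) {
                if (control instanceof PagedResultsResponseControl) {
                    cookie = ((PagedResultsResponseControl) control).getCookie();
                }
            }
        }
        return cookie;
    }

    /**
     * Escapes an assertion value for use inside an LDAP search filter (RFC 4515 §3) so that
     * {@code \ * ( )} and NUL in caller-supplied text are matched literally rather than
     * changing the filter's structure.
     *
     * @param value raw value; null is returned as null (String.format then renders "null",
     *              as the unescaped code did)
     */
    private static String escapeFilterValue(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder escaped = new StringBuilder(value.length());
        for (int idx = 0; idx < value.length(); idx++) {
            char c = value.charAt(idx);
            switch (c) {
                case '\\':
                    escaped.append("\\5c");
                    break;
                case '*':
                    escaped.append("\\2a");
                    break;
                case '(':
                    escaped.append("\\28");
                    break;
                case ')':
                    escaped.append("\\29");
                    break;
                case '\0':
                    escaped.append("\\00");
                    break;
                default:
                    escaped.append(c);
            }
        }
        return escaped.toString();
    }

    /** Returns {@code configured} when it has length (per {@code StringUtils.hasLength}), else {@code fallback}. */
    private static String firstNonEmpty(String configured, String fallback) {
        return Optional.ofNullable(configured).filter(StringUtils::hasLength).orElse(fallback);
    }

    /** Closes the context; a failure to close is logged at debug and not propagated. */
    private static void closeQuietly(DirContext ctx) {
        try {
            ctx.close();
        } catch (NamingException ignored) {
            logger.debug("LDAP context close failed", ignored);
        }
    }
}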
