package org.vaadin.addons.sitekit.viewlet.anonymous.login;

import com.vaadin.server.VaadinService;
import com.vaadin.shared.ui.MarginInfo;
import com.vaadin.ui.Button;
import com.vaadin.ui.HorizontalLayout;
import com.vaadin.ui.LoginForm;
import com.vaadin.ui.Notification;
import com.vaadin.ui.Panel;
import com.vaadin.ui.UI;
import com.vaadin.ui.VerticalLayout;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.persistence.EntityManager;
import javax.servlet.http.HttpServletRequest;
import org.apache.directory.api.ldap.model.cursor.EntryCursor;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.message.SearchScope;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.apache.log4j.Logger;
import org.vaadin.addons.sitekit.dao.UserDao;
import org.vaadin.addons.sitekit.dao.UserDirectoryDao;
import org.vaadin.addons.sitekit.flow.AbstractFlowlet;
import org.vaadin.addons.sitekit.model.Company;
import org.vaadin.addons.sitekit.model.Group;
import org.vaadin.addons.sitekit.model.User;
import org.vaadin.addons.sitekit.model.UserDirectory;
import org.vaadin.addons.sitekit.site.SecurityProviderSessionImpl;
import org.vaadin.addons.sitekit.util.CIDRUtils;
import org.vaadin.addons.sitekit.util.OpenIdUtil;
import org.vaadin.addons.sitekit.util.StringUtil;

/* loaded from: input_file:org/vaadin/addons/sitekit/viewlet/anonymous/login/LoginFlowlet.class */
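/**
 * Anonymous login flowlet: renders the OpenID buttons and the username/password
 * form, and authenticates a submitted form either against an enabled LDAP user
 * directory (when the client address falls inside that directory's sub-net white
 * list) or against the locally stored password hash.
 *
 * <p>Security-relevant behaviour kept in one place:
 * <ul>
 *   <li>Every failure that is caused by the credentials (unknown user, locked out,
 *       wrong password, missing required remote group) shows the same
 *       {@code message-login-failed} notification, so the UI does not reveal which
 *       part of the credentials was wrong.</li>
 *   <li>Null and empty passwords are rejected before any directory access, so an
 *       empty credential never reaches an LDAP bind.</li>
 *   <li>Values interpolated into LDAP search filters are escaped per RFC 4515
 *       ({@link #escapeLdapFilterValue(String)}).</li>
 *   <li>A failed password check increments the user's failed-login counter and
 *       locks the account above the company's limit, for both LDAP and local
 *       logins.</li>
 * </ul>
 */
public final class LoginFlowlet extends AbstractFlowlet implements LoginForm.LoginListener {
    private static final long serialVersionUID = 1;
    private static final Logger LOGGER = Logger.getLogger(LoginFlowlet.class);
    /** Digest used for the locally stored password hash (see {@link #passwordMatches}). */
    private static final String PASSWORD_HASH_ALGORITHM = "SHA-256";
    private LoginForm loginForm;

    @Override
    public String getFlowletKey() {
        return "login";
    }

    /**
     * Builds the view: optional OpenID provider buttons, the login form, a register
     * button and (when the company allows e-mail password reset) a forgot-password
     * button.
     */
    @Override
    public void initialize() {
        final VerticalLayout layout = new VerticalLayout();
        layout.setSpacing(true);
        final Company company = (Company) getSite().getSiteContext().getObject(Company.class);

        if (company.isOpenIdLogin()) {
            final Panel openIdPanel = new Panel();
            openIdPanel.setStyleName("light");
            openIdPanel.setCaption("OpenID Login");
            layout.addComponent(openIdPanel);

            final HorizontalLayout providerRow = new HorizontalLayout();
            openIdPanel.setContent(providerRow);
            providerRow.setMargin(new MarginInfo(false, false, true, false));
            providerRow.setSpacing(true);
            final Map<String, String> providerIcons = OpenIdUtil.getOpenIdProviderUrlIconMap();
            for (final Map.Entry<String, String> provider : providerIcons.entrySet()) {
                providerRow.addComponent(OpenIdUtil.getLoginButton(provider.getKey(), provider.getValue(), "openidlogin"));
            }
        }

        this.loginForm = new LoginForm() {
            // Adds spacing between the two input fields of the default form markup.
            public String getLoginHTML() {
                return super.getLoginHTML().replace("<input class='v-textfield v-widget' style='display:block;'", "<input class='v-textfield v-widget' style='margin-bottom:10px; display:block;'");
            }
        };
        this.loginForm.setLoginButtonCaption(getSite().localize("button-login"));
        this.loginForm.setUsernameCaption(getSite().localize("input-user-name"));
        this.loginForm.setPasswordCaption(getSite().localize("input-user-password"));
        this.loginForm.addListener(this);
        layout.addComponent(this.loginForm);

        final Button registerButton = new Button(getSite().localize("button-register") + " >>");
        registerButton.addListener(new Button.ClickListener() {
            public void buttonClick(final Button.ClickEvent clickEvent) {
                LoginFlowlet.this.getFlow().forward(RegisterFlowlet.class);
            }
        });
        layout.addComponent(registerButton);

        if (company.isEmailPasswordReset()) {
            final Button forgotPasswordButton = new Button(getSite().localize("button-forgot-password") + " >>");
            forgotPasswordButton.addListener(new Button.ClickListener() {
                public void buttonClick(final Button.ClickEvent clickEvent) {
                    LoginFlowlet.this.getFlow().forward(ForgotPasswordFlowlet.class);
                }
            });
            layout.addComponent(forgotPasswordButton);
        }
        setViewContent(layout);
    }

    @Override
    public boolean isDirty() {
        return false;
    }

    @Override
    public boolean isValid() {
        return false;
    }

    @Override
    public void enter() {
    }

    /**
     * Handles a submitted login form.
     *
     * <p>Order of checks: credentials present and password non-empty, user exists,
     * user not locked out, then the first enabled user directory whose sub-net white
     * list contains the client address is tried; if no directory handles the
     * attempt, the local password hash is checked. Any unexpected exception is
     * logged and reported as {@code message-login-error}.
     *
     * @param loginEvent the form submission carrying the {@code username} and
     *                   {@code password} parameters
     */
    public void onLogin(final LoginForm.LoginEvent loginEvent) {
        final String username = loginEvent.getLoginParameter("username");
        final String password = loginEvent.getLoginParameter("password");
        // An empty password is rejected here, before any directory access: an LDAP
        // simple bind with an empty credential may be accepted by the server as an
        // unauthenticated bind, which would otherwise look like a successful login.
        if (username == null || password == null || password.isEmpty()) {
            showLoginFailed();
            return;
        }
        final HttpServletRequest request = VaadinService.getCurrentRequest().getHttpServletRequest();
        try {
            final EntityManager entityManager = (EntityManager) getSite().getSiteContext().getObject(EntityManager.class);
            final Company company = (Company) getSite().getSiteContext().getObject(Company.class);
            final User user = UserDao.getUser(entityManager, company, username);
            if (user == null) {
                LOGGER.warn("User login failed due to not registered email address: " + username + clientAddress(request));
                showLoginFailed();
                return;
            }
            if (user.isLockedOut()) {
                LOGGER.warn("User login failed due to user being locked out: " + username + clientAddress(request));
                showLoginFailed();
                return;
            }

            final List<UserDirectory> userDirectories = UserDirectoryDao.getUserDirectories(entityManager, company);
            final String remoteAddress = request.getRemoteAddr();
            boolean handledByDirectory = false;
            for (final UserDirectory userDirectory : userDirectories) {
                if (!userDirectory.isEnabled()) {
                    continue;
                }
                // The directory applies only to clients inside one of its white-listed
                // sub-nets; blank entries in the comma-separated list are ignored.
                boolean inWhiteList = false;
                for (final String subNet : userDirectory.getSubNetWhiteList().split(",")) {
                    final String cidr = subNet.trim();
                    if (!cidr.isEmpty() && new CIDRUtils(cidr).isInRange(remoteAddress)) {
                        inWhiteList = true;
                        break;
                    }
                }
                if (inWhiteList) {
                    handledByDirectory = attemptDirectoryLogin(loginEvent, request, entityManager, company, user, userDirectory);
                    if (handledByDirectory) {
                        break;
                    }
                }
            }
            if (!handledByDirectory) {
                attemptLocalLogin(loginEvent, request, entityManager, company, user);
            }
        } catch (final Exception e) {
            LOGGER.error("Error logging in user: " + username + clientAddress(request), e);
            Notification.show(getSite().localize("message-login-error"), Notification.TYPE_ERROR_MESSAGE);
        }
    }

    /**
     * Tries to authenticate the user against one LDAP user directory.
     *
     * <p>Binds with the directory's service credentials, looks the user up by e-mail
     * attribute, re-binds as the found entry with the submitted password (the
     * directory verifies the password), checks the required remote group, then
     * synchronises the configured remote-to-local group mapping and completes the
     * login.
     *
     * @return {@code true} when this directory handled the attempt (success, wrong
     *         password, missing required group or directory error, each already
     *         reported to the user); {@code false} when the user has no entry in this
     *         directory and the caller should try the next directory or the local
     *         password hash
     * @throws Exception on cursor or connection failures not handled here; the caller
     *                   reports them as a login error
     */
    private boolean attemptDirectoryLogin(final LoginForm.LoginEvent loginEvent, final HttpServletRequest request,
            final EntityManager entityManager, final Company company, final User user,
            final UserDirectory userDirectory) throws Exception {
        final String password = loginEvent.getLoginParameter("password");
        LOGGER.info("Attempting LDAP login: address: " + userDirectory.getAddress() + ":" + userDirectory.getPort()
                + ") email: " + user.getEmailAddress() + clientAddress(request));
        final LdapNetworkConnection connection = new LdapNetworkConnection(userDirectory.getAddress(), userDirectory.getPort());
        try {
            final Entry entry;
            try {
                connection.bind(userDirectory.getLoginDn(), userDirectory.getLoginPassword());
                entry = findUserEntry(connection, userDirectory, user);
            } catch (final LdapException e) {
                // Directory unreachable or service bind/search failed: fail closed
                // (report an error, do not fall back to the local password hash).
                LOGGER.error("LDAP error: " + user.getEmailAddress() + clientAddress(request), e);
                Notification.show(getSite().localize("message-login-error"), Notification.TYPE_ERROR_MESSAGE);
                return true;
            }
            if (entry == null) {
                LOGGER.warn("User not found from LDAP address: " + userDirectory.getAddress() + ":" + userDirectory.getPort()
                        + ") email: " + user.getEmailAddress() + clientAddress(request));
                connection.unBind();
                return false;
            }

            // The password is verified by the directory: a failed bind as the user's
            // own DN is a wrong password and counts towards the lock-out limit.
            connection.unBind();
            try {
                connection.bind(entry.getDn(), password);
            } catch (final LdapException e) {
                LOGGER.warn("LDAP bind as user failed: " + user.getEmailAddress() + clientAddress(request) + ": " + e.getMessage());
                recordFailedLogin(request, entityManager, company, user);
                return true;
            }

            final String groupSearchBaseDn = userDirectory.getGroupSearchBaseDn();
            if (!isInRemoteGroup(connection, groupSearchBaseDn, entry, userDirectory.getRequiredRemoteGroup())) {
                LOGGER.warn("User not in required remote group '" + userDirectory.getRequiredRemoteGroup() + "', LDAP address: "
                        + userDirectory.getAddress() + ":" + userDirectory.getPort() + ") email: " + user.getEmailAddress()
                        + clientAddress(request));
                showLoginFailed();
                return true;
            }
            synchronizeGroups(connection, groupSearchBaseDn, entry, request, entityManager, company, user, userDirectory);
            connection.unBind();
            completeLogin(request, entityManager, company, user);
            return true;
        } finally {
            // Release the network connection on every path, including the error ones.
            try {
                connection.close();
            } catch (final IOException e) {
                LOGGER.warn("Error closing LDAP connection: " + userDirectory.getAddress() + ":" + userDirectory.getPort(), e);
            }
        }
    }

    /**
     * Searches the directory for the entry whose e-mail attribute equals the user's
     * e-mail address.
     *
     * @return the first matching entry, or {@code null} when there is none
     * @throws Exception on search or cursor failures
     */
    private static Entry findUserEntry(final LdapConnection connection, final UserDirectory userDirectory, final User user)
            throws Exception {
        final String filter = "(" + userDirectory.getUserEmailAttribute() + "=" + escapeLdapFilterValue(user.getEmailAddress()) + ")";
        final EntryCursor cursor = connection.search(userDirectory.getUserSearchBaseDn(), filter, SearchScope.ONELEVEL, new String[0]);
        try {
            return cursor.next() ? cursor.get() : null;
        } finally {
            cursor.close();
        }
    }

    /**
     * Mirrors the directory's group membership into the local groups according to
     * the directory's {@code remote=local} mapping list. For each mapped pair the
     * user is added to the local group when a member of the remote one and removed
     * when not; pairs whose local group does not exist are skipped.
     *
     * @throws Exception on directory search failures
     */
    private void synchronizeGroups(final LdapConnection connection, final String groupSearchBaseDn, final Entry entry,
            final HttpServletRequest request, final EntityManager entityManager, final Company company, final User user,
            final UserDirectory userDirectory) throws Exception {
        final Map<String, Group> localMemberships = new HashMap<String, Group>();
        for (final Group group : UserDao.getUserGroups(entityManager, company, user)) {
            localMemberships.put(group.getName(), group);
        }
        for (final String mapping : userDirectory.getRemoteLocalGroupMapping().split(",")) {
            final String[] pair = mapping.split("=");
            if (pair.length != 2) {
                continue;
            }
            final String remoteGroupName = pair[0].trim();
            final String localGroupName = pair[1].trim();
            final Group localGroup = UserDao.getGroup(entityManager, company, localGroupName);
            if (localGroup == null) {
                LOGGER.warn("No local group '" + localGroupName + "'. Skipping group membership synchronization.");
                continue;
            }
            final boolean inRemoteGroup = isInRemoteGroup(connection, groupSearchBaseDn, entry, remoteGroupName);
            final boolean inLocalGroup = localMemberships.containsKey(localGroupName);
            if (inRemoteGroup && !inLocalGroup) {
                UserDao.addGroupMember(entityManager, localGroup, user);
                LOGGER.info("Added user '" + user.getEmailAddress() + "' to group '" + localGroupName + "'" + clientAddress(request));
            } else if (!inRemoteGroup && inLocalGroup) {
                UserDao.removeGroupMember(entityManager, localGroup, user);
                LOGGER.info("Removed user '" + user.getEmailAddress() + "' from group '" + localGroupName + "'" + clientAddress(request));
            }
        }
    }

    /**
     * Checks whether {@code entry} is a {@code uniqueMember} of the group named
     * {@code groupName} directly under {@code groupSearchBaseDn}.
     *
     * @throws Exception on search or cursor failures
     */
    private static boolean isInRemoteGroup(final LdapConnection connection, final String groupSearchBaseDn, final Entry entry,
            final String groupName) throws Exception {
        final String filter = "(&(uniqueMember=" + escapeLdapFilterValue(String.valueOf(entry.getDn())) + ")(cn="
                + escapeLdapFilterValue(groupName) + "))";
        final EntryCursor cursor = connection.search(groupSearchBaseDn, filter, SearchScope.ONELEVEL, new String[0]);
        try {
            return cursor.next();
        } finally {
            cursor.close();
        }
    }

    /**
     * Escapes a value for use inside an LDAP search filter (RFC 4515 section 3):
     * {@code \}, {@code *}, {@code (}, {@code )} and NUL are replaced by their
     * {@code \XX} hex forms so that the value cannot alter the filter structure.
     *
     * @param value the raw assertion value; {@code null} is returned unchanged
     * @return the escaped value
     */
    static String escapeLdapFilterValue(final String value) {
        if (value == null) {
            return null;
        }
        final StringBuilder escaped = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            final char c = value.charAt(i);
            switch (c) {
                case '\\':
                    escaped.append("\\5c");
                    break;
                case '*':
                    escaped.append("\\2a");
                    break;
                case '(':
                    escaped.append("\\28");
                    break;
                case ')':
                    escaped.append("\\29");
                    break;
                case '\u0000':
                    escaped.append("\\00");
                    break;
                default:
                    escaped.append(c);
            }
        }
        return escaped.toString();
    }

    /**
     * Authenticates the user against the locally stored password hash and either
     * completes the login or records the failed attempt.
     *
     * @throws UnsupportedEncodingException if UTF-8 is unavailable (never on a JVM)
     * @throws NoSuchAlgorithmException if SHA-256 is unavailable
     */
    private void attemptLocalLogin(final LoginForm.LoginEvent loginEvent, final HttpServletRequest request,
            final EntityManager entityManager, final Company company, final User user)
            throws UnsupportedEncodingException, NoSuchAlgorithmException {
        if (passwordMatches(user, loginEvent.getLoginParameter("password"))) {
            completeLogin(request, entityManager, company, user);
        } else {
            recordFailedLogin(request, entityManager, company, user);
        }
    }

    /**
     * Compares the submitted password with the stored hash.
     *
     * <p>The stored hash is the hex SHA-256 of {@code email:password} (no per-user
     * salt and no work factor). That scheme is kept because existing hashes in the
     * database are in this form; moving to a slow, salted password hash would need a
     * migration of stored hashes. The comparison is constant-time so that timing
     * does not leak how many leading hex digits matched.
     *
     * @return {@code true} when the hashes are equal; {@code false} when the user
     *         has no stored hash or the hashes differ
     */
    private static boolean passwordMatches(final User user, final String password)
            throws UnsupportedEncodingException, NoSuchAlgorithmException {
        final String storedHash = user.getPasswordHash();
        if (storedHash == null) {
            return false;
        }
        final byte[] digest = MessageDigest.getInstance(PASSWORD_HASH_ALGORITHM)
                .digest((user.getEmailAddress() + ":" + password).getBytes("UTF-8"));
        final String computedHash = StringUtil.toHexString(digest);
        return MessageDigest.isEqual(computedHash.getBytes("UTF-8"), storedHash.getBytes("UTF-8"));
    }

    /** Resets the failed-login counter, stores the session user and navigates to the default page. */
    private void completeLogin(final HttpServletRequest request, final EntityManager entityManager, final Company company,
            final User user) {
        LOGGER.info("User login: " + user.getEmailAddress() + clientAddress(request));
        final List<Group> userGroups = UserDao.getUserGroups(entityManager, company, user);
        user.setFailedLoginCount(0);
        UserDao.updateUser(entityManager, user);
        ((SecurityProviderSessionImpl) getSite().getSecurityProvider()).setUser(user, userGroups);
        UI.getCurrent().getNavigator().navigateTo(getSite().getCurrentNavigationVersion().getDefaultPageName());
    }

    /**
     * Records a wrong-password attempt: increments the failed-login counter, locks the
     * account once the counter exceeds the company's limit, and notifies the user.
     */
    private void recordFailedLogin(final HttpServletRequest request, final EntityManager entityManager, final Company company,
            final User user) {
        LOGGER.warn("User login, password mismatch: " + user.getEmailAddress() + clientAddress(request));
        user.setFailedLoginCount(user.getFailedLoginCount() + 1);
        if (user.getFailedLoginCount() > company.getMaxFailedLoginCount().intValue()) {
            user.setLockedOut(true);
            LOGGER.warn("User locked out due to too many failed login attempts: " + user.getEmailAddress() + clientAddress(request));
        }
        UserDao.updateUser(entityManager, user);
        showLoginFailed();
    }

    /** Shows the generic login-failed warning used for every credential-related failure. */
    private void showLoginFailed() {
        Notification.show(getSite().localize("message-login-failed"), Notification.TYPE_WARNING_MESSAGE);
    }

    /** Formats the client host and port suffix appended to every login log line. */
    private static String clientAddress(final HttpServletRequest request) {
        return " (IP: " + request.getRemoteHost() + ":" + request.getRemotePort() + ")";
    }
}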
