package org.vaadin.addons.sitekit.util;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.persistence.EntityManager;
import org.apache.directory.api.ldap.model.cursor.EntryCursor;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.exception.LdapAuthenticationException;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.message.SearchScope;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.apache.log4j.Logger;
import org.vaadin.addons.sitekit.dao.UserDao;
import org.vaadin.addons.sitekit.dao.UserDirectoryDao;
import org.vaadin.addons.sitekit.model.Company;
import org.vaadin.addons.sitekit.model.Group;
import org.vaadin.addons.sitekit.model.User;
import org.vaadin.addons.sitekit.model.UserDirectory;

/* loaded from: input_file:org/vaadin/addons/sitekit/util/PasswordLoginUtil.class */
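public class PasswordLoginUtil {
    /** Decompiler artifact: the class is not Serializable; kept only so the binary shape does not change. */
    private static final long serialVersionUID = 1;
    private static final Logger LOGGER = Logger.getLogger(PasswordLoginUtil.class);

    /** Message key returned when the credentials were rejected (wrong password, lock-out, unknown user). */
    private static final String MESSAGE_LOGIN_FAILED = "message-login-failed";
    /** Message key returned when the attempt could not be completed because of an internal or directory error. */
    private static final String MESSAGE_LOGIN_ERROR = "message-login-error";
    /** Message key returned when the user exists locally but has no entry in the selected directory. */
    private static final String MESSAGE_DIRECTORY_USER_NOT_FOUND = "message-directory-user-not-found";

    /**
     * Authenticates {@code user} with a password, either against the first enabled
     * {@link UserDirectory} whose sub-net white list covers {@code str2}, or against
     * the locally stored password hash when no directory applies.
     *
     * @param str           address written to log lines together with {@code i}
     * @param str2          address matched against the directories' sub-net white lists
     * @param i             port written to log lines together with {@code str}
     * @param entityManager entity manager used for directory, group and user persistence
     * @param company       company whose directories and lock-out policy apply
     * @param user          the user resolved by the caller, or {@code null} when the e-mail address is unknown
     * @param str3          the password to verify; never logged
     * @return {@code null} on success, otherwise a message key describing the failure
     */
    public static String login(String str, String str2, int i, EntityManager entityManager, Company company, User user, String str3) {
        final String origin = origin(str, i);
        if (user == null) {
            // There is no user object to take the e-mail address from, so only the origin is logged
            // (the original code dereferenced the null user here and turned every unknown address into an error).
            LOGGER.warn("User login failed due to not registered email address" + origin);
            return MESSAGE_LOGIN_FAILED;
        }
        try {
            if (user.isLockedOut()) {
                LOGGER.warn("User login failed due to user being locked out: " + user.getEmailAddress() + origin);
                return MESSAGE_LOGIN_FAILED;
            }
            for (UserDirectory userDirectory : UserDirectoryDao.getUserDirectories(entityManager, company)) {
                if (!userDirectory.isEnabled()) {
                    continue;
                }
                // The white list is a comma separated list of CIDR ranges; the first directory
                // whose list covers the client address is the only one consulted.
                for (String subNet : userDirectory.getSubNetWhiteList().split(",")) {
                    if (new CidrUtil(subNet.trim()).isInRange(str2)) {
                        return attemptDirectoryLogin(str, i, entityManager, company, user, str3, userDirectory);
                    }
                }
            }
            return attemptLocalLogin(str, i, entityManager, company, user, str3);
        } catch (Exception e) {
            LOGGER.error("Error logging in user: " + user.getEmailAddress() + origin, e);
            return MESSAGE_LOGIN_ERROR;
        }
    }

    /**
     * Authenticates the user against an LDAP directory: looks the entry up with the
     * directory's service credentials, binds as that entry with the supplied password,
     * requires membership of the directory's mandatory remote group and finally mirrors
     * the configured remote/local group mapping into the local group membership.
     *
     * @return {@code null} on success, otherwise a message key describing the failure
     * @throws Exception on directory errors other than rejected user credentials; a rejected
     *                   bind of the user is counted as a failed login attempt instead
     */
    private static String attemptDirectoryLogin(String logAddress, int logPort, EntityManager entityManager, Company company, User user, String password, UserDirectory userDirectory) throws Exception {
        final String origin = origin(logAddress, logPort);
        final String directoryAddress = userDirectory.getAddress() + ":" + userDirectory.getPort();
        LOGGER.info("Attempting LDAP login: address: " + directoryAddress + ") email: " + user.getEmailAddress() + origin);
        final LdapNetworkConnection connection = new LdapNetworkConnection(userDirectory.getAddress(), userDirectory.getPort());
        try {
            final String groupSearchBaseDn = userDirectory.getGroupSearchBaseDn();
            final Entry entry;
            try {
                connection.bind(userDirectory.getLoginDn(), userDirectory.getLoginPassword());
                entry = findUserEntry(connection, userDirectory, user);
            } catch (LdapException e) {
                // Service bind or search failed: this is a directory problem, not a credential problem,
                // so it must not count against the user.
                LOGGER.error("LDAP error: " + user.getEmailAddress() + origin, e);
                return MESSAGE_LOGIN_ERROR;
            }
            if (entry == null) {
                LOGGER.warn("User not found from LDAP address: " + directoryAddress + ") email: " + user.getEmailAddress() + origin);
                return MESSAGE_DIRECTORY_USER_NOT_FOUND;
            }
            // Drop the service session before binding with the user's own credentials.
            connection.unBind();
            try {
                connection.bind(entry.getDn(), password);
            } catch (LdapAuthenticationException e) {
                // Invalid credentials only; other LdapExceptions propagate as login errors.
                return recordFailedLogin(entityManager, company, user, origin);
            }
            if (!isInRemoteGroup(connection, groupSearchBaseDn, entry, userDirectory.getRequiredRemoteGroup())) {
                LOGGER.warn("User not in required remote group '" + userDirectory.getRequiredRemoteGroup() + "', LDAP address: " + directoryAddress + ") email: " + user.getEmailAddress() + origin);
                return MESSAGE_LOGIN_FAILED;
            }
            synchronizeGroupMembership(connection, groupSearchBaseDn, entry, userDirectory, entityManager, company, user, origin);
            connection.unBind();
            return recordSuccessfulLogin(entityManager, company, user, origin);
        } finally {
            closeQuietly(connection, user, origin);
        }
    }

    /**
     * Searches the directory for the entry whose e-mail attribute equals the user's address.
     *
     * @return the first matching entry, or {@code null} when the search returns nothing
     */
    private static Entry findUserEntry(LdapConnection connection, UserDirectory userDirectory, User user) throws Exception {
        // The address is a user supplied value and must be escaped before it is embedded in a filter.
        final String filter = "(" + userDirectory.getUserEmailAttribute() + "=" + escapeFilterValue(user.getEmailAddress()) + ")";
        final EntryCursor cursor = connection.search(userDirectory.getUserSearchBaseDn(), filter, SearchScope.ONELEVEL, new String[0]);
        try {
            return cursor.next() ? cursor.get() : null;
        } finally {
            cursor.close();
        }
    }

    /**
     * Adds the user to / removes the user from local groups so that local membership mirrors
     * the remote groups named in the directory's "remote=local,remote=local" mapping.
     * Malformed mapping entries are skipped; mappings to unknown local groups are logged and skipped.
     */
    private static void synchronizeGroupMembership(LdapConnection connection, String groupSearchBaseDn, Entry entry, UserDirectory userDirectory, EntityManager entityManager, Company company, User user, String origin) throws Exception {
        final Map<String, Group> localGroups = new HashMap<String, Group>();
        for (Group group : UserDao.getUserGroups(entityManager, company, user)) {
            localGroups.put(group.getName(), group);
        }
        for (String mapping : userDirectory.getRemoteLocalGroupMapping().split(",")) {
            final String[] pair = mapping.split("=");
            if (pair.length != 2) {
                continue;
            }
            final String remoteGroupName = pair[0].trim();
            final String localGroupName = pair[1].trim();
            final Group localGroup = UserDao.getGroup(entityManager, company, localGroupName);
            if (localGroup == null) {
                LOGGER.warn("No local group '" + localGroupName + "'. Skipping group membership synchronization.");
                continue;
            }
            final boolean remoteMember = isInRemoteGroup(connection, groupSearchBaseDn, entry, remoteGroupName);
            final boolean localMember = localGroups.containsKey(localGroupName);
            if (remoteMember && !localMember) {
                UserDao.addGroupMember(entityManager, localGroup, user);
                LOGGER.info("Added user '" + user.getEmailAddress() + "' to group '" + localGroupName + "'" + origin);
            } else if (!remoteMember && localMember) {
                UserDao.removeGroupMember(entityManager, localGroup, user);
                LOGGER.info("Removed user '" + user.getEmailAddress() + "' from group '" + localGroupName + "'" + origin);
            }
        }
    }

    /**
     * Tells whether {@code entry} is a {@code uniqueMember} of the group named {@code groupName}
     * directly under {@code groupSearchBaseDn}.
     */
    private static boolean isInRemoteGroup(LdapConnection ldapConnection, String groupSearchBaseDn, Entry entry, String groupName) throws Exception {
        // Both values are embedded in a filter and are escaped per RFC 4515 to keep the filter intact.
        final String filter = "(&(uniqueMember=" + escapeFilterValue(String.valueOf(entry.getDn())) + ")(cn=" + escapeFilterValue(groupName) + "))";
        final EntryCursor cursor = ldapConnection.search(groupSearchBaseDn, filter, SearchScope.ONELEVEL, new String[0]);
        try {
            return cursor.next();
        } finally {
            cursor.close();
        }
    }

    /**
     * Escapes a value for use inside an LDAP search filter as defined by RFC 4515
     * (backslash, asterisk, parentheses and NUL become {@code \xx} hex escapes).
     *
     * @throws IllegalArgumentException when {@code value} is {@code null}
     */
    static String escapeFilterValue(String value) {
        if (value == null) {
            throw new IllegalArgumentException("LDAP filter value must not be null");
        }
        final StringBuilder escaped = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\':
                    escaped.append("\\5c");
                    break;
                case '*':
                    escaped.append("\\2a");
                    break;
                case '(':
                    escaped.append("\\28");
                    break;
                case ')':
                    escaped.append("\\29");
                    break;
                case '\0':
                    escaped.append("\\00");
                    break;
                default:
                    escaped.append(c);
            }
        }
        return escaped.toString();
    }

    /**
     * Authenticates the user against the locally stored password hash.
     *
     * @return {@code null} on success, otherwise a message key describing the failure
     */
    private static String attemptLocalLogin(String logAddress, int logPort, EntityManager entityManager, Company company, User user, String password) throws UnsupportedEncodingException, NoSuchAlgorithmException {
        final String origin = origin(logAddress, logPort);
        if (matchesStoredPassword(user, password)) {
            return recordSuccessfulLogin(entityManager, company, user, origin);
        }
        return recordFailedLogin(entityManager, company, user, origin);
    }

    /**
     * Compares the supplied password with the user's stored hash in constant time.
     * The stored format is the hex encoded, unsalted SHA-256 of {@code "<email>:<password>"};
     * it cannot be changed here without migrating every stored hash (a salted, slow password
     * hash would be the preferable format).
     *
     * @return {@code true} only when a hash is stored and it matches the supplied password
     */
    private static boolean matchesStoredPassword(User user, String password) throws UnsupportedEncodingException, NoSuchAlgorithmException {
        final String storedHash = user.getPasswordHash();
        if (storedHash == null || password == null) {
            return false;
        }
        final byte[] digest = MessageDigest.getInstance("SHA-256").digest((user.getEmailAddress() + ":" + password).getBytes("UTF-8"));
        final String computedHash = StringUtil.toHexString(digest);
        // MessageDigest.isEqual avoids the early exit of String.equals on the first differing byte.
        return MessageDigest.isEqual(computedHash.getBytes("UTF-8"), storedHash.getBytes("UTF-8"));
    }

    /** Logs the successful login, resets the failed-attempt counter and persists the user; returns {@code null}. */
    private static String recordSuccessfulLogin(EntityManager entityManager, Company company, User user, String origin) {
        LOGGER.info("User login: " + user.getEmailAddress() + origin);
        // Result intentionally unused, kept from the original code; presumably loads the user's
        // groups while the entity manager is at hand — TODO confirm with the callers.
        UserDao.getUserGroups(entityManager, company, user);
        user.setFailedLoginCount(0);
        UserDao.updateUser(entityManager, user);
        return null;
    }

    /**
     * Logs the rejected password, increments the failed-attempt counter, locks the user out once
     * the company's limit is exceeded and persists the user.
     *
     * @return {@link #MESSAGE_LOGIN_FAILED}
     */
    private static String recordFailedLogin(EntityManager entityManager, Company company, User user, String origin) {
        LOGGER.warn("User login, password mismatch: " + user.getEmailAddress() + origin);
        user.setFailedLoginCount(user.getFailedLoginCount() + 1);
        if (user.getFailedLoginCount() > company.getMaxFailedLoginCount().intValue()) {
            user.setLockedOut(true);
            LOGGER.warn("User locked out due to too many failed login attempts: " + user.getEmailAddress() + origin);
        }
        UserDao.updateUser(entityManager, user);
        return MESSAGE_LOGIN_FAILED;
    }

    /** Closes the directory connection; a failure to close is logged and must not mask the login outcome. */
    private static void closeQuietly(LdapConnection connection, User user, String origin) {
        try {
            connection.close();
        } catch (IOException e) {
            LOGGER.warn("Error closing LDAP connection: " + user.getEmailAddress() + origin, e);
        }
    }

    /** Builds the {@code " (IP: address:port)"} suffix shared by every log line. */
    private static String origin(String address, int port) {
        return " (IP: " + address + ":" + port + ")";
    }
}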
