package edu.internet2.middleware.grouper.pspng;

import edu.internet2.middleware.subject.Subject;
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import org.apache.commons.lang.StringUtils;
import org.ldaptive.AttributeModification;
import org.ldaptive.AttributeModificationType;
import org.ldaptive.Connection;
import org.ldaptive.LdapAttribute;
import org.ldaptive.LdapEntry;
import org.ldaptive.ModifyRequest;
import org.ldaptive.SearchFilter;
import org.ldaptive.SearchRequest;
import org.ldaptive.io.LdifReader;
import org.slf4j.Logger;

/* loaded from: input_file:edu/internet2/middleware/grouper/pspng/LdapGroupProvisioner.class */
public class LdapGroupProvisioner extends LdapProvisioner<LdapGroupProvisionerConfiguration> {
    /**
     * Builds a provisioner that writes Grouper groups and their memberships to LDAP group entries.
     *
     * <p>All three arguments are handed to the {@code LdapProvisioner} constructor unchanged; this
     * subclass only records the construction at debug level.
     *
     * @param str passed to the superclass and echoed in the debug message
     * @param ldapGroupProvisionerConfiguration the configuration this provisioner reads its settings from
     * @param z passed to the superclass unchanged
     */
    public LdapGroupProvisioner(String str, LdapGroupProvisionerConfiguration ldapGroupProvisionerConfiguration, boolean z) {
        super(str, ldapGroupProvisionerConfiguration, z);
        LOG.debug("Constructing LdapGroupProvisioner: {}", str);
    }

    /**
     * Names the configuration class that carries this provisioner's settings.
     *
     * @return {@code LdapGroupProvisionerConfiguration.class}
     */
    public static Class<? extends ProvisionerConfiguration> getPropertyClass() {
        Class<? extends ProvisionerConfiguration> configurationType = LdapGroupProvisionerConfiguration.class;
        return configurationType;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Adds one subject to an LDAP group, creating the group when it does not exist yet.
     *
     * <p>Nothing is changed when the subject has no LDAP user. When the group is missing it is
     * created with this subject as its only member and the result is cached. Otherwise the
     * configured member-value expression is evaluated and, if it yields a value, an ADD of that
     * value is scheduled.
     *
     * @param grouperGroupInfo the Grouper group being changed
     * @param ldapGroup the group's LDAP entry, or {@code null} if it has not been created
     * @param subject the subject gaining membership
     * @param ldapUser the subject's LDAP user, or {@code null} if none exists
     * @throws PspException if group creation or expression evaluation fails
     */
    @Override // edu.internet2.middleware.grouper.pspng.Provisioner
    public void addMembership(GrouperGroupInfo grouperGroupInfo, LdapGroup ldapGroup, Subject subject, LdapUser ldapUser) throws PspException {
        if (ldapUser == null) {
            this.LOG.warn("{}: Skipping adding membership to group {} because ldap user does not exist: {}", getDisplayName(), grouperGroupInfo, subject);
            return;
        }
        if (ldapGroup == null) {
            // No entry yet: the new group is created with this subject already in it.
            Collection<Subject> firstMember = Arrays.asList(subject);
            LdapGroup createdGroup = createGroup(grouperGroupInfo, firstMember);
            cacheGroup(grouperGroupInfo, createdGroup);
            return;
        }
        LdapGroupProvisionerConfiguration settings = (LdapGroupProvisionerConfiguration) this.config;
        String memberValue = evaluateJexlExpression(settings.getMemberAttributeValueFormat(), subject, ldapUser, grouperGroupInfo, ldapGroup, new Object[0]);
        if (memberValue == null) {
            return;
        }
        scheduleGroupModification(grouperGroupInfo, ldapGroup, AttributeModificationType.ADD, Arrays.asList(memberValue));
    }

    /**
     * Schedules one modify request that adds or removes member-attribute values on a group.
     *
     * <p>The group is removed from the cache first. Each value is logged at info level, then all
     * values are sent together as a single {@link AttributeModification} on the configured member
     * attribute. Values travel as attribute values of the request, not as text that is parsed
     * again.
     *
     * @param grouperGroupInfo the Grouper group being changed
     * @param ldapGroup the LDAP entry to modify; its DN is the target of the request
     * @param attributeModificationType the kind of change, e.g. ADD or REMOVE
     * @param collection the member-attribute values to add or remove
     */
    protected void scheduleGroupModification(GrouperGroupInfo grouperGroupInfo, LdapGroup ldapGroup, AttributeModificationType attributeModificationType, Collection<String> collection) {
        uncacheGroup(grouperGroupInfo, ldapGroup);
        String attributeName = ((LdapGroupProvisionerConfiguration) this.config).getMemberAttributeName();
        for (String value : collection) {
            // "to" reads naturally for additions, "from" for every other modification type.
            String direction = attributeModificationType == AttributeModificationType.ADD ? "to" : "from";
            this.LOG.info("Will change LDAP: {} {} {} {} of {}", attributeModificationType, value, direction, attributeName, ldapGroup);
        }
        String groupDn = ldapGroup.getLdapObject().getDn();
        LdapAttribute changedValues = new LdapAttribute(attributeName, collection.toArray(new String[0]));
        AttributeModification change = new AttributeModification(attributeModificationType, changedValues);
        scheduleLdapModification(new ModifyRequest(groupDn, new AttributeModification[]{change}));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Removes one subject from an LDAP group.
     *
     * <p>The request is logged and dropped when either the group or the subject's LDAP user is
     * missing. Otherwise the configured member-value expression is evaluated and, if it yields a
     * value, a REMOVE of that value is scheduled.
     *
     * @param grouperGroupInfo the Grouper group being changed
     * @param ldapGroup the group's LDAP entry, or {@code null} if it does not exist
     * @param subject the subject losing membership
     * @param ldapUser the subject's LDAP user, or {@code null} if none exists
     * @throws PspException if expression evaluation fails
     */
    @Override // edu.internet2.middleware.grouper.pspng.Provisioner
    public void deleteMembership(GrouperGroupInfo grouperGroupInfo, LdapGroup ldapGroup, Subject subject, LdapUser ldapUser) throws PspException {
        if (ldapGroup == null) {
            this.LOG.warn("{}: Ignoring request to remove {} from a group that doesn't exist: {}", getDisplayName(), subject.getId(), grouperGroupInfo);
            return;
        }
        if (ldapUser == null) {
            this.LOG.warn("{}: Skipping removing membership from group {} because ldap user does not exist: {}", getDisplayName(), grouperGroupInfo, subject);
            return;
        }
        LdapGroupProvisionerConfiguration settings = (LdapGroupProvisionerConfiguration) this.config;
        String memberValue = evaluateJexlExpression(settings.getMemberAttributeValueFormat(), subject, ldapUser, grouperGroupInfo, ldapGroup, new Object[0]);
        if (memberValue == null) {
            return;
        }
        scheduleGroupModification(grouperGroupInfo, ldapGroup, AttributeModificationType.REMOVE, Arrays.asList(memberValue));
    }

    /**
     * Creates an empty set whose notion of equality follows the member attribute's configured case
     * sensitivity.
     *
     * @return a {@link HashSet} when member values are case sensitive, otherwise a {@link TreeSet}
     *     ordered by {@link String#CASE_INSENSITIVE_ORDER}
     */
    protected Set<String> getStringSet() {
        boolean caseSensitive = ((LdapGroupProvisionerConfiguration) this.config).isMemberAttributeCaseSensitive();
        if (caseSensitive) {
            return new HashSet<>();
        }
        return new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
    }

    /**
     * Copies values into a new set that compares them with the configured case sensitivity.
     *
     * @param collection the values to copy; {@code null} yields an empty set
     * @return a new set, independent of {@code collection}
     */
    protected Set<String> getStringSet(Collection<String> collection) {
        Set<String> values = getStringSet();
        if (collection == null) {
            return values;
        }
        values.addAll(collection);
        return values;
    }

    /* renamed from: doFullSync, reason: avoid collision after fix types in other method */
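    /**
     * Reconciles one LDAP group with the set of subjects that should be its members.
     *
     * <p>A missing group is created with all correct members. An existing group is first brought
     * in line with the LDIF template, then its member attribute is compared with the values
     * computed for the correct subjects: values found only in LDAP are scheduled for removal,
     * values found only in the computed set are scheduled for addition. The comparison uses the
     * configured case sensitivity of the member attribute.
     *
     * <p>When the group has no correct members and empty groups are not supported, the entry is
     * deleted, dropped from the cache, and the method returns. No modification is scheduled
     * against the DN that was just deleted.
     *
     * @param grouperGroupInfo the Grouper group being synchronised
     * @param ldapGroup the group's LDAP entry, or {@code null} if it does not exist
     * @param set the subjects that should be members
     * @param map LDAP users keyed by subject; a subject without an entry is evaluated with a
     *     {@code null} user
     * @param set2 not read by this method
     * @param jobStatistics receives the total, insert and delete counts
     * @throws PspException if creating, updating, deleting or evaluating fails
     */
    protected void doFullSync2(GrouperGroupInfo grouperGroupInfo, LdapGroup ldapGroup, Set<Subject> set, Map<Subject, LdapUser> map, Set<LdapUser> set2, JobStatistics jobStatistics) throws PspException {
        LdapGroupProvisionerConfiguration settings = (LdapGroupProvisionerConfiguration) this.config;
        jobStatistics.totalCount.set(set.size());
        if (ldapGroup == null) {
            // NOTE(review): this skips creation when empty groups ARE supported, while createGroup
            // separately refuses empty groups when they are NOT supported, so an empty group is
            // never created from here. The condition may be inverted; confirm the intent.
            if (settings.areEmptyGroupsSupported() && set.isEmpty()) {
                this.LOG.info("{}: Nothing to do because empty group already not present in ldap system", getDisplayName());
                return;
            }
            LdapGroup createdGroup = createGroup(grouperGroupInfo, (Collection<Subject>) set);
            jobStatistics.insertCount.set(set.size());
            cacheGroup(grouperGroupInfo, createdGroup);
            return;
        }
        LdapGroup currentGroup = updateGroupFromTemplate(grouperGroupInfo, ldapGroup);
        cacheGroup(grouperGroupInfo, currentGroup);
        String memberAttributeName = settings.getMemberAttributeName();
        if (!settings.areEmptyGroupsSupported() && set.isEmpty()) {
            this.LOG.info("{}: Deleting empty group because schema requires its member attribute", getDisplayName());
            deleteGroup(grouperGroupInfo, currentGroup);
            jobStatistics.deleteCount.set(currentGroup.getLdapObject().getStringValues(memberAttributeName).size());
            // The entry no longer exists: forget the cached copy and stop here, so that no REMOVE
            // is scheduled against the deleted DN.
            uncacheGroup(grouperGroupInfo, currentGroup);
            return;
        }
        Set<String> correctValues = getStringSet();
        for (Subject subject : set) {
            String memberValue = evaluateJexlExpression(settings.getMemberAttributeValueFormat(), subject, map.get(subject), grouperGroupInfo, currentGroup, new Object[0]);
            if (memberValue != null) {
                correctValues.add(memberValue);
            }
        }
        Set<String> actualValues = getStringSet(currentGroup.getLdapObject().getStringValues(memberAttributeName));
        this.LOG.info("{}: Full-sync comparison for {}: Target-subject count: Correct/Actual: {}/{}", getDisplayName(), grouperGroupInfo, correctValues.size(), actualValues.size());
        this.LOG.debug("{}: Full-sync comparison: Correct: {}", getDisplayName(), correctValues);
        this.LOG.debug("{}: Full-sync comparison: Actual: {}", getDisplayName(), actualValues);

        // Present in LDAP but not wanted.
        Set<String> extraValues = getStringSet(actualValues);
        extraValues.removeAll(correctValues);
        jobStatistics.deleteCount.set(extraValues.size());
        this.LOG.info("{}: Group {} has {} extra values", getDisplayName(), grouperGroupInfo, extraValues.size());
        if (!extraValues.isEmpty()) {
            scheduleGroupModification(grouperGroupInfo, currentGroup, AttributeModificationType.REMOVE, extraValues);
        }

        // Wanted but not yet in LDAP.
        Set<String> missingValues = getStringSet(correctValues);
        missingValues.removeAll(actualValues);
        jobStatistics.insertCount.set(missingValues.size());
        this.LOG.info("{}: Group {} has {} missing values", getDisplayName(), grouperGroupInfo, missingValues.size());
        if (!missingValues.isEmpty()) {
            scheduleGroupModification(grouperGroupInfo, currentGroup, AttributeModificationType.ADD, missingValues);
        }
    }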

    /**
     * Brings a group's template-defined (non-membership) attributes in line with the LDIF template.
     *
     * <p>The template is evaluated for the group and parsed into an entry, the organisational
     * units of that entry's DN are ensured to exist, and the LDAP system is asked to correct the
     * existing entry against it. The group is read again only when that call reports a change.
     *
     * @param grouperGroupInfo the Grouper group whose template is evaluated
     * @param ldapGroup the group's current LDAP entry
     * @return the re-read group if something was changed, otherwise {@code ldapGroup} itself
     * @throws PspException on a provisioning failure, or wrapping an {@link IOException} raised
     *     while reading the LDIF
     */
    protected LdapGroup updateGroupFromTemplate(GrouperGroupInfo grouperGroupInfo, LdapGroup ldapGroup) throws PspException {
        this.LOG.debug("{}: Making sure (non-membership) attributes of group are up to date: {}", getDisplayName(), ldapGroup.dn);
        try {
            String templateLdif = getGroupLdifFromTemplate(grouperGroupInfo);
            LdapEntry desiredEntry = getLdapEntryFromLdif(templateLdif);
            ensureLdapOusExist(desiredEntry.getDn(), false);
            boolean entryChanged = getLdapSystem().makeLdapObjectCorrect(desiredEntry, ldapGroup.ldapObject.ldapEntry);
            if (entryChanged) {
                // Re-read so the caller sees the attributes as they are now stored.
                return fetchTargetSystemGroup(grouperGroupInfo);
            }
            return ldapGroup;
        } catch (PspException provisioningFailure) {
            this.LOG.error("{}: Problem checking and updating group's template attributes", getDisplayName(), provisioningFailure);
            throw provisioningFailure;
        } catch (IOException ldifFailure) {
            this.LOG.error("{}: Problem checking and updating group's tempalte attributes", getDisplayName(), ldifFailure);
            throw new PspException("IO Exception while checking and updating group's template attributes", ldifFailure, new Object[0]);
        }
    }

    /**
     * Deletes LDAP groups that match the all-group search filter but are not among the groups
     * Grouper knows about.
     *
     * <p>Every entry returned by the search under the group-search base DN whose DN is not found
     * in {@code map} is deleted. Nothing in this method limits how many entries one pass removes,
     * so an overly broad filter or an incomplete {@code map} translates directly into deletions.
     * NOTE(review): DNs are compared as case-insensitive strings; two spellings of the same DN
     * that differ in spacing or escaping would not match. Confirm DNs are normalised before they
     * reach this method.
     *
     * <p>The cleanup is skipped with an error message when the filter or the base DN is not
     * configured.
     *
     * @param set not read by this method
     * @param map the LDAP groups that must be kept, keyed by Grouper group
     * @param jobStatistics its delete count is increased by the number of member values held by
     *     the deleted groups
     * @throws PspException if the search or a delete fails
     */
    @Override // edu.internet2.middleware.grouper.pspng.Provisioner
    protected void doFullSync_cleanupExtraGroups(Set<GrouperGroupInfo> set, Map<GrouperGroupInfo, LdapGroup> map, JobStatistics jobStatistics) throws PspException {
        Set<String> dnsToKeep = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        for (LdapGroup knownGroup : map.values()) {
            dnsToKeep.add(knownGroup.getLdapObject().getDn());
        }
        LdapGroupProvisionerConfiguration settings = (LdapGroupProvisionerConfiguration) this.config;
        String allGroupsFilter = settings.getAllGroupSearchFilter();
        if (StringUtils.isEmpty(allGroupsFilter)) {
            this.LOG.error("{}: Cannot cleanup extra groups without a configured all-group search filter", getDisplayName());
            return;
        }
        String searchBaseDn = settings.getGroupSearchBaseDn();
        if (StringUtils.isEmpty(searchBaseDn)) {
            this.LOG.error("{}: Cannot cleanup extra groups without a configured group-search base dn", getDisplayName());
            return;
        }
        List<LdapObject> provisionedGroups = getLdapSystem().performLdapSearchRequest(new SearchRequest(searchBaseDn, allGroupsFilter, getLdapAttributesToFetch()));
        List<LdapObject> extraGroups = new ArrayList<>();
        for (LdapObject candidate : provisionedGroups) {
            if (dnsToKeep.contains(candidate.getDn())) {
                continue;
            }
            extraGroups.add(candidate);
        }
        this.LOG.info("{}: There are {} groups that we should delete", getDisplayName(), extraGroups.size());
        int removedMemberValues = 0;
        for (LdapObject extraGroup : extraGroups) {
            removedMemberValues += extraGroup.getStringValues(settings.getMemberAttributeName()).size();
            getLdapSystem().performLdapDelete(extraGroup.getDn());
        }
        jobStatistics.deleteCount.addAndGet(removedMemberValues);
    }

    /* JADX WARN: Can't rename method to resolve collision */
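    /**
     * Creates the LDAP entry for a Grouper group from the configured LDIF template, with the given
     * subjects as its initial members, and reads the new entry back.
     *
     * <p>Member values are attached to the parsed entry as attribute values instead of being
     * appended to the LDIF text as {@code name: value} lines. Appended as text, a value containing
     * a line break would be read by the LDIF parser as further lines of the new entry. Going
     * through {@link LdapAttribute} keeps every value a single opaque string, the same way
     * {@code scheduleGroupModification} sends membership changes. As a consequence the LDIF shown
     * in the debug and error messages is the evaluated template only; the complete entry, members
     * included, is logged at debug level just before the add.
     *
     * <p>Subjects without an LDAP user, and subjects whose member-value expression evaluates to
     * {@code null}, are left out. Attributes the template defines without any value are removed
     * from the entry before the add.
     *
     * @param grouperGroupInfo the Grouper group to provision
     * @param collection the initial members; {@code null} is treated as no members
     * @return the group as read back after the add, or {@code null} when there are no members and
     *     empty groups are not supported
     * @throws PspException if template evaluation, the add or the read-back fails; an
     *     {@link IOException} from LDIF parsing is wrapped with its cause preserved
     */
    @Override // edu.internet2.middleware.grouper.pspng.Provisioner
    protected LdapGroup createGroup(GrouperGroupInfo grouperGroupInfo, Collection<Subject> collection) throws PspException {
        LdapGroupProvisionerConfiguration settings = (LdapGroupProvisionerConfiguration) this.config;
        // Decide once whether there are members, so a null collection never reaches size().
        boolean hasMembers = collection != null && !collection.isEmpty();
        if (!settings.areEmptyGroupsSupported() && !hasMembers) {
            this.LOG.warn("Not Creating LDAP group because empty groups are not supported: {}", grouperGroupInfo);
            return null;
        }
        this.LOG.info("Creating LDAP group for GrouperGroup: {} ", grouperGroupInfo);
        String groupLdifFromTemplate = getGroupLdifFromTemplate(grouperGroupInfo);

        Set<String> memberValues = new HashSet<>();
        if (hasMembers) {
            for (Subject subject : collection) {
                LdapUser targetSystemUser = getTargetSystemUser(subject);
                if (targetSystemUser == null) {
                    continue;
                }
                String memberValue = evaluateJexlExpression(settings.getMemberAttributeValueFormat(), subject, targetSystemUser, grouperGroupInfo, null, new Object[0]);
                if (memberValue != null) {
                    memberValues.add(memberValue);
                }
            }
        }

        // NOTE(review): the connection is not passed to any call below; presumably it is held for
        // the duration of the add and read-back. Confirm before removing it.
        Connection ldapConnection = getLdapSystem().getLdapConnection();
        try {
            this.LOG.debug("{}: LDIF for new group (with partial DN): {}", getDisplayName(), groupLdifFromTemplate.replaceAll("\\n", "||"));
            LdapEntry newEntry = getLdapEntryFromLdif(groupLdifFromTemplate);
            if (!memberValues.isEmpty()) {
                String memberAttributeName = settings.getMemberAttributeName();
                String[] values = memberValues.toArray(new String[0]);
                // The template may already define the member attribute; extend it rather than
                // replacing whatever the template put there.
                LdapAttribute memberAttribute = newEntry.getAttribute(memberAttributeName);
                if (memberAttribute == null) {
                    newEntry.addAttribute(new LdapAttribute(memberAttributeName, values));
                } else {
                    memberAttribute.addStringValue(values);
                }
            }
            for (String attributeName : newEntry.getAttributeNames()) {
                if (LdapSystem.attributeHasNoValues(newEntry.getAttribute(attributeName))) {
                    this.LOG.warn("{}: LDIF for new group did not define any values for {}", getDisplayName(), attributeName);
                    newEntry.removeAttribute(attributeName);
                }
            }
            this.LOG.debug("{}: Adding group: {}", getDisplayName(), newEntry);
            performLdapAdd(newEntry);
            this.LOG.debug("Reading group that was just added to ldap server: {}", grouperGroupInfo);
            return fetchTargetSystemGroup(grouperGroupInfo);
        } catch (PspException e) {
            this.LOG.error("Problem while creating new group: {}", groupLdifFromTemplate, e);
            throw e;
        } catch (IOException e2) {
            this.LOG.error("IO problem while creating group: {}", groupLdifFromTemplate, e2);
            // Keep the IOException as the cause so the original stack trace is not lost.
            throw new PspException("IO problem while creating group: %s", e2, new Object[]{e2.getMessage()});
        } finally {
            ldapConnection.close();
        }
    }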

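    /**
     * Parses LDIF text into a single entry and places it under the configured group-creation base
     * DN.
     *
     * <p>The DN in the LDIF is treated as relative: the base DN is appended to it after a comma.
     * LDIF that is {@code null}, holds no entry, or holds an entry without a DN is reported as an
     * {@link IOException} rather than surfacing later as a {@code NullPointerException} or as a
     * DN that starts with the text {@code "null"}.
     *
     * @param str the LDIF text, normally the evaluated group-creation template
     * @return the parsed entry with its DN extended by the base DN
     * @throws IOException if the LDIF cannot be read or does not describe an entry with a DN
     */
    private LdapEntry getLdapEntryFromLdif(String str) throws IOException {
        if (str == null) {
            throw new IOException("Group LDIF is null; nothing to parse");
        }
        LdapEntry entry = new LdifReader(new StringReader(str)).read().getEntry();
        if (entry == null || StringUtils.isEmpty(entry.getDn())) {
            // The LDIF text is deliberately not echoed here; callers log it themselves.
            throw new IOException("Group LDIF did not yield an entry with a DN");
        }
        String creationBaseDn = ((LdapGroupProvisionerConfiguration) this.config).getGroupCreationBaseDn();
        entry.setDn(String.format("%s,%s", entry.getDn(), creationBaseDn));
        return entry;
    }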

    /**
     * Evaluates the configured group-creation LDIF template for one group.
     *
     * <p>The {@code ||} separators in the configured template are turned into line breaks before
     * the expression is evaluated, so the substitution itself cannot be confused by {@code ||}
     * inside group data. NOTE(review): the evaluated values still land in LDIF text that is
     * parsed afterwards; whether a group attribute containing a line break can add lines to the
     * LDIF depends on how the expression evaluator treats such values. Confirm.
     *
     * @param grouperGroupInfo the group made available to the template expression
     * @return the evaluated LDIF text
     * @throws PspException if the expression cannot be evaluated
     */
    private String getGroupLdifFromTemplate(GrouperGroupInfo grouperGroupInfo) throws PspException {
        String configuredTemplate = ((LdapGroupProvisionerConfiguration) this.config).getGroupCreationLdifTemplate();
        String multiLineTemplate = configuredTemplate.replaceAll("\\|\\|", "\n");
        return evaluateJexlExpression(multiLineTemplate, null, null, grouperGroupInfo, null, new Object[0]);
    }

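    /**
     * Looks up the LDAP entries of a batch of Grouper groups.
     *
     * <p>With bulk searching enabled, the per-group filters are OR-ed into one search and each
     * group is paired with the first result that matches its own filter. A group with no matching
     * result is simply absent from the returned map. If the search returned entries that no
     * group's filter claims, the bulk result is discarded with a warning and every group is
     * searched individually instead. The individual search fails when a filter matches more than
     * one entry, so an ambiguous filter is not silently resolved by the bulk path.
     *
     * <p>An empty batch returns an empty map without contacting the directory.
     *
     * @param collection the groups to look up; must not exceed the configured search batch size
     * @return the groups that were found, keyed by Grouper group
     * @throws IllegalArgumentException if the batch is larger than the configured batch size
     * @throws PspException if a search fails or a single-group search matches several entries
     */
    @Override // edu.internet2.middleware.grouper.pspng.Provisioner
    protected Map<GrouperGroupInfo, LdapGroup> fetchTargetSystemGroups(Collection<GrouperGroupInfo> collection) throws PspException {
        LdapGroupProvisionerConfiguration settings = (LdapGroupProvisionerConfiguration) this.config;
        if (collection.size() > settings.getGroupSearch_batchSize()) {
            throw new IllegalArgumentException("LdapGroupProvisioner.fetchTargetSystemGroups: invoked with too many groups to fetch");
        }
        if (collection.isEmpty()) {
            // Avoids sending the childless OR filter "(|)" on the bulk path.
            return new HashMap<>();
        }
        String[] ldapAttributesToFetch = getLdapAttributesToFetch();
        if (settings.isBulkGroupSearchingEnabled()) {
            // Each group's filter is built once and reused for both the combined search and the
            // matching of results, so the two steps cannot disagree.
            Map<GrouperGroupInfo, SearchFilter> filtersByGroup = new HashMap<>();
            StringBuilder combinedFilter = new StringBuilder("(|");
            for (GrouperGroupInfo group : collection) {
                SearchFilter groupFilter = getGroupLdapFilter(group);
                filtersByGroup.put(group, groupFilter);
                String formatted = groupFilter.format();
                if (formatted.startsWith("(")) {
                    combinedFilter.append(formatted);
                } else {
                    combinedFilter.append('(').append(formatted).append(')');
                }
            }
            combinedFilter.append(')');
            this.LOG.debug("{}: Searching for {} groups with:: {}", getDisplayName(), collection.size(), combinedFilter);
            try {
                List<LdapObject> searchResults = getLdapSystem().performLdapSearchRequest(new SearchRequest(settings.getGroupSearchBaseDn(), combinedFilter.toString(), ldapAttributesToFetch));
                this.LOG.debug("{}: Group search returned {} groups", getDisplayName(), searchResults.size());
                Map<GrouperGroupInfo, LdapGroup> matchedGroups = new HashMap<>();
                Set<LdapObject> claimedResults = new HashSet<>();
                for (GrouperGroupInfo group : collection) {
                    SearchFilter groupFilter = filtersByGroup.get(group);
                    // Bounded pass over the results: stops at the first match, or at the end of
                    // the list when this group has no entry.
                    for (LdapObject candidate : searchResults) {
                        if (candidate.matchesLdapFilter(groupFilter)) {
                            matchedGroups.put(group, new LdapGroup(candidate));
                            claimedResults.add(candidate);
                            break;
                        }
                    }
                }
                Set<LdapObject> unclaimedResults = new HashSet<>(searchResults);
                unclaimedResults.removeAll(claimedResults);
                for (LdapObject unclaimed : unclaimedResults) {
                    this.LOG.warn("{}: Bulk fetch failed (returned unmatchable group data). This can be caused by searching for a DN with escaping or by singleGroupSearchFilter ({}) that are not included in groupSearchAttributes ({})?): {}", getDisplayName(), settings.getSingleGroupSearchFilter(), settings.getGroupSearchAttributes(), unclaimed.getDn());
                    this.LOG.warn("{}: Slower fetching will be attempted", getDisplayName());
                }
                if (unclaimedResults.isEmpty()) {
                    return matchedGroups;
                }
            } catch (PspException e) {
                this.LOG.error("Problem fetching groups with filter '{}' on base '{}'", combinedFilter, settings.getGroupSearchBaseDn(), e);
                throw e;
            }
        }

        // One search per group: used when bulk searching is off or its result could not be
        // matched back to the requested groups.
        Map<GrouperGroupInfo, LdapGroup> foundGroups = new HashMap<>();
        for (GrouperGroupInfo group : collection) {
            SearchFilter groupFilter = getGroupLdapFilter(group);
            try {
                this.LOG.debug("{}: Searching for group {} with:: {}", getDisplayName(), group, groupFilter);
                List<LdapObject> searchResults = getLdapSystem().performLdapSearchRequest(new SearchRequest(settings.getGroupSearchBaseDn(), groupFilter, ldapAttributesToFetch));
                if (searchResults.size() > 1) {
                    this.LOG.error("{}: Search for group {} with '{}' returned multiple matches: {}", getDisplayName(), group, groupFilter, searchResults);
                    throw new PspException("Search for ldap group returned multiple matches", new Object[0]);
                }
                if (searchResults.isEmpty()) {
                    this.LOG.debug("{}: Group search did not return any results", getDisplayName());
                    continue;
                }
                LdapObject onlyMatch = searchResults.get(0);
                this.LOG.debug("{}: Group search returned {}", getDisplayName(), onlyMatch.getDn());
                foundGroups.put(group, new LdapGroup(onlyMatch));
            } catch (PspException e2) {
                this.LOG.error("{}: Problem fetching group with filter '{}' on base '{}'", getDisplayName(), groupFilter, settings.getGroupSearchBaseDn(), e2);
                throw e2;
            }
        }
        return foundGroups;
    }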

    /**
     * Lists the attributes to request when searching for groups.
     *
     * @return the configured group-search attributes; in full-sync mode a copy of them with the
     *     member attribute name appended
     */
    private String[] getLdapAttributesToFetch() {
        String[] configuredAttributes = ((LdapGroupProvisionerConfiguration) this.config).getGroupSearchAttributes();
        if (!this.fullSyncMode) {
            this.LOG.debug("Fetching without membership attribute");
            return configuredAttributes;
        }
        this.LOG.debug("Fetching membership attribute, too");
        // Work on a copy that is one slot longer; the configured array itself is left untouched.
        String[] withMembership = Arrays.copyOf(configuredAttributes, configuredAttributes.length + 1);
        withMembership[withMembership.length - 1] = ((LdapGroupProvisionerConfiguration) this.config).getMemberAttributeName();
        return withMembership;
    }

    /**
     * Builds the LDAP search filter that identifies one group.
     *
     * <p>The configured single-group filter expression is evaluated for the group and the result
     * is split on {@code ||}: the first piece is the filter text, each later piece is trimmed and
     * bound as the next positional parameter. Text in the first piece becomes part of the filter
     * exactly as evaluated. NOTE(review): presumably only the bound parameters are escaped when
     * the filter is formatted, so group data should be referenced through the parameter pieces
     * rather than inside the filter text. Confirm against the configured filter. Because the
     * split runs after evaluation, a group value that itself contains {@code ||} would shift the
     * parameter positions.
     *
     * @param grouperGroupInfo the group made available to the filter expression
     * @return the filter with its positional parameters set
     * @throws PspException if the expression cannot be evaluated
     * @throws RuntimeException if the expression evaluates to an empty string
     */
    private SearchFilter getGroupLdapFilter(GrouperGroupInfo grouperGroupInfo) throws PspException {
        String configuredFilter = ((LdapGroupProvisionerConfiguration) this.config).getSingleGroupSearchFilter();
        String evaluatedFilter = evaluateJexlExpression(configuredFilter, null, null, grouperGroupInfo, null, new Object[0]);
        if (StringUtils.isEmpty(evaluatedFilter)) {
            throw new RuntimeException("Group searching requires singleGroupSearchFilter to be configured correctly");
        }
        String[] pieces = evaluatedFilter.split("\\|\\|");
        SearchFilter groupFilter = new SearchFilter(pieces[0]);
        // Piece n (n >= 1) becomes positional parameter n - 1.
        for (int position = 0; position + 1 < pieces.length; position++) {
            groupFilter.setParameter(position, pieces[position + 1].trim());
        }
        this.LOG.trace("{}: Filter for group {}: {}", getDisplayName(), grouperGroupInfo, groupFilter);
        return groupFilter;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Deletes a group's LDAP entry by DN.
     *
     * @param grouperGroupInfo the Grouper group being removed; used in log messages only
     * @param ldapGroup the entry to delete; when {@code null} a warning is logged and nothing is
     *     deleted
     * @throws PspException if the delete fails
     */
    @Override // edu.internet2.middleware.grouper.pspng.Provisioner
    public void deleteGroup(GrouperGroupInfo grouperGroupInfo, LdapGroup ldapGroup) throws PspException {
        if (ldapGroup != null) {
            String groupDn = ldapGroup.getLdapObject().getDn();
            this.LOG.info("Deleting group {} by deleting DN {}", grouperGroupInfo, groupDn);
            getLdapSystem().performLdapDelete(groupDn);
            return;
        }
        this.LOG.warn("Nothing to do: Unable to delete group {} because the group wasn't found on target system", grouperGroupInfo);
    }

    // Bridge method, marked bridge/synthetic in the signature below: it only casts the raw
    // Set argument and forwards to doFullSync2, which holds the full-sync logic.
    @Override // edu.internet2.middleware.grouper.pspng.Provisioner
    protected /* bridge */ /* synthetic */ void doFullSync(GrouperGroupInfo grouperGroupInfo, LdapGroup ldapGroup, Set set, Map<Subject, LdapUser> map, Set<LdapUser> set2, JobStatistics jobStatistics) throws PspException {
        doFullSync2(grouperGroupInfo, ldapGroup, (Set<Subject>) set, map, set2, jobStatistics);
    }

    // Bridge method, marked bridge/synthetic in the signature below: it only casts the raw
    // Collection argument and forwards to the typed createGroup overload.
    @Override // edu.internet2.middleware.grouper.pspng.Provisioner
    protected /* bridge */ /* synthetic */ LdapGroup createGroup(GrouperGroupInfo grouperGroupInfo, Collection collection) throws PspException {
        return createGroup(grouperGroupInfo, (Collection<Subject>) collection);
    }
}
