package org.apache.geronimo.security.realm.providers;

import java.io.IOException;
import java.security.Principal;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.NameParser;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.apache.geronimo.security.jaas.JaasLoginModuleUse;
import org.apache.geronimo.security.jaas.WrappingLoginModule;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/geronimo/security/realm/providers/LDAPLoginModule.class */
public class LDAPLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private String initialContextFactory;
    private String connectionURL;
    private String connectionUsername;
    private String connectionPassword;
    private String connectionProtocol;
    private String authentication;
    private String userBase;
    private String roleBase;
    private String roleName;
    private String userRoleName;
    private String cbUsername;
    private String cbPassword;
    private MessageFormat userSearchMatchingFormat;
    private MessageFormat roleSearchMatchingFormat;
    private boolean loginSucceeded;
    private static final Logger log = LoggerFactory.getLogger(LDAPLoginModule.class);
    private static final String INITIAL_CONTEXT_FACTORY = "initialContextFactory";
    private static final String CONNECTION_URL = "connectionURL";
    private static final String CONNECTION_USERNAME = "connectionUsername";
    private static final String CONNECTION_PASSWORD = "connectionPassword";
    private static final String CONNECTION_PROTOCOL = "connectionProtocol";
    private static final String AUTHENTICATION = "authentication";
    private static final String USER_BASE = "userBase";
    private static final String USER_SEARCH_MATCHING = "userSearchMatching";
    private static final String USER_SEARCH_SUBTREE = "userSearchSubtree";
    private static final String ROLE_BASE = "roleBase";
    private static final String ROLE_NAME = "roleName";
    private static final String ROLE_SEARCH_MATCHING = "roleSearchMatching";
    private static final String ROLE_SEARCH_SUBTREE = "roleSearchSubtree";
    private static final String USER_ROLE_NAME = "userRoleName";
    private static final String FOLLOW_REFERRALS = "followReferrals";
    public static final List<String> supportedOptions = Collections.unmodifiableList(Arrays.asList(INITIAL_CONTEXT_FACTORY, CONNECTION_URL, CONNECTION_USERNAME, CONNECTION_PASSWORD, CONNECTION_PROTOCOL, AUTHENTICATION, USER_BASE, USER_SEARCH_MATCHING, USER_SEARCH_SUBTREE, ROLE_BASE, ROLE_NAME, ROLE_SEARCH_MATCHING, ROLE_SEARCH_SUBTREE, USER_ROLE_NAME, FOLLOW_REFERRALS));
    private boolean followReferrals = true;
    protected DirContext context = null;
    private boolean userSearchSubtreeBool = false;
    private boolean roleSearchSubtreeBool = false;
    private final Set<String> groups = new HashSet();
    private final Set<Principal> allPrincipals = new HashSet();

    public void initialize(Subject subject, CallbackHandler callbackHandler, Map map, Map map2) {
        this.subject = subject;
        this.handler = callbackHandler;
        for (Object obj : map2.keySet()) {
            if (!supportedOptions.contains(obj) && !JaasLoginModuleUse.supportedOptions.contains(obj) && !WrappingLoginModule.supportedOptions.contains(obj)) {
                log.warn("Ignoring option: " + obj + ". Not supported.");
            }
        }
        this.initialContextFactory = (String) map2.get(INITIAL_CONTEXT_FACTORY);
        this.connectionURL = (String) map2.get(CONNECTION_URL);
        this.connectionUsername = (String) map2.get(CONNECTION_USERNAME);
        this.connectionPassword = (String) map2.get(CONNECTION_PASSWORD);
        this.connectionProtocol = (String) map2.get(CONNECTION_PROTOCOL);
        this.authentication = (String) map2.get(AUTHENTICATION);
        this.userBase = (String) map2.get(USER_BASE);
        String str = (String) map2.get(USER_SEARCH_MATCHING);
        String str2 = (String) map2.get(USER_SEARCH_SUBTREE);
        this.roleBase = (String) map2.get(ROLE_BASE);
        this.roleName = (String) map2.get(ROLE_NAME);
        String str3 = (String) map2.get(ROLE_SEARCH_MATCHING);
        String str4 = (String) map2.get(ROLE_SEARCH_SUBTREE);
        this.userRoleName = (String) map2.get(USER_ROLE_NAME);
        this.userSearchMatchingFormat = new MessageFormat(str);
        this.roleSearchMatchingFormat = new MessageFormat(str3);
        this.userSearchSubtreeBool = Boolean.valueOf(str2).booleanValue();
        this.roleSearchSubtreeBool = Boolean.valueOf(str4).booleanValue();
        String str5 = (String) map2.get(FOLLOW_REFERRALS);
        this.followReferrals = str5 == null ? true : Boolean.valueOf(str5).booleanValue();
    }

    public boolean login() throws LoginException {
        this.loginSucceeded = false;
        NameCallback[] nameCallbackArr = {new NameCallback("User name"), new PasswordCallback("Password", false)};
        try {
            this.handler.handle(nameCallbackArr);
            this.cbUsername = nameCallbackArr[0].getName();
            this.cbPassword = new String(((PasswordCallback) nameCallbackArr[1]).getPassword());
            if (this.cbUsername == null || "".equals(this.cbUsername) || this.cbPassword == null || "".equals(this.cbPassword)) {
                this.cbUsername = null;
                this.cbPassword = null;
                this.groups.clear();
                throw new FailedLoginException();
            }
            try {
                if (!authenticate(this.cbUsername, this.cbPassword)) {
                    throw new FailedLoginException();
                }
                this.loginSucceeded = true;
                return true;
            } catch (LoginException e) {
                this.cbUsername = null;
                this.cbPassword = null;
                this.groups.clear();
                throw e;
            } catch (Exception e2) {
                this.cbUsername = null;
                this.cbPassword = null;
                this.groups.clear();
                throw ((LoginException) new LoginException("LDAP Error").initCause(e2));
            }
        } catch (IOException e3) {
            throw ((LoginException) new LoginException().initCause(e3));
        } catch (UnsupportedCallbackException e4) {
            throw ((LoginException) new LoginException().initCause(e4));
        }
    }

    public boolean commit() throws LoginException {
        if (this.loginSucceeded) {
            if (this.cbUsername != null) {
                this.allPrincipals.add(new GeronimoUserPrincipal(this.cbUsername));
            }
            Iterator<String> it = this.groups.iterator();
            while (it.hasNext()) {
                this.allPrincipals.add(new GeronimoGroupPrincipal(it.next()));
            }
            this.subject.getPrincipals().addAll(this.allPrincipals);
        }
        this.cbUsername = null;
        this.cbPassword = null;
        this.groups.clear();
        return this.loginSucceeded;
    }

    public boolean abort() throws LoginException {
        if (this.loginSucceeded) {
            this.cbUsername = null;
            this.cbPassword = null;
            this.groups.clear();
            this.allPrincipals.clear();
        }
        return this.loginSucceeded;
    }

    public boolean logout() throws LoginException {
        this.loginSucceeded = false;
        this.cbUsername = null;
        this.cbPassword = null;
        this.groups.clear();
        if (!this.subject.isReadOnly()) {
            this.subject.getPrincipals().removeAll(this.allPrincipals);
        }
        this.allPrincipals.clear();
        return true;
    }

    protected void close(DirContext dirContext) {
        try {
            dirContext.close();
        } catch (Exception e) {
            log.error("Failed to close context", e);
        }
    }

    protected boolean authenticate(String str, String str2) throws Exception {
        DirContext open = open();
        try {
            String format = this.userSearchMatchingFormat.format(new String[]{str});
            SearchControls searchControls = new SearchControls();
            if (this.userSearchSubtreeBool) {
                searchControls.setSearchScope(2);
            } else {
                searchControls.setSearchScope(1);
            }
            searchControls.setReturningAttributes(this.userRoleName == null ? new String[0] : new String[]{this.userRoleName});
            NamingEnumeration search = open.search(this.userBase, format, searchControls);
            if (search == null || !search.hasMore()) {
                return false;
            }
            SearchResult searchResult = (SearchResult) search.next();
            if (search.hasMore()) {
            }
            NameParser nameParser = open.getNameParser("");
            String obj = nameParser.parse(open.getNameInNamespace()).addAll(nameParser.parse(this.userBase)).addAll(nameParser.parse(searchResult.getName())).toString();
            Attributes attributes = searchResult.getAttributes();
            if (attributes == null) {
                return false;
            }
            ArrayList<String> arrayList = null;
            if (this.userRoleName != null) {
                arrayList = addAttributeValues(this.userRoleName, attributes, null);
            }
            bindUser(open, obj, str2);
            Iterator<String> it = getRoles(open, obj, str, arrayList).iterator();
            while (it.hasNext()) {
                this.groups.add(it.next());
            }
            return true;
        } catch (NamingException e) {
            close(open);
            throw ((LoginException) new FailedLoginException().initCause(e));
        } catch (CommunicationException e2) {
            close(open);
            throw ((LoginException) new FailedLoginException().initCause(e2));
        }
    }

    protected ArrayList<String> getRoles(DirContext dirContext, String str, String str2, ArrayList<String> arrayList) throws NamingException {
        if (arrayList == null) {
            arrayList = new ArrayList<>();
        }
        if (this.roleName == null || "".equals(this.roleName)) {
            return arrayList;
        }
        String format = this.roleSearchMatchingFormat.format(new String[]{doRFC2254Encoding(str), str2});
        SearchControls searchControls = new SearchControls();
        if (this.roleSearchSubtreeBool) {
            searchControls.setSearchScope(2);
        } else {
            searchControls.setSearchScope(1);
        }
        searchControls.setReturningAttributes(new String[]{this.roleName});
        NamingEnumeration search = dirContext.search(this.roleBase, format, searchControls);
        while (search.hasMore()) {
            Attributes attributes = ((SearchResult) search.next()).getAttributes();
            if (attributes != null) {
                arrayList = addAttributeValues(this.roleName, attributes, arrayList);
            }
        }
        return arrayList;
    }

    protected String doRFC2254Encoding(String str) {
        StringBuilder sb = new StringBuilder(str.length());
        for (int i = 0; i < str.length(); i++) {
            char charAt = str.charAt(i);
            switch (charAt) {
                case 0:
                    sb.append("\\00");
                    break;
                case '(':
                    sb.append("\\28");
                    break;
                case ')':
                    sb.append("\\29");
                    break;
                case '*':
                    sb.append("\\2a");
                    break;
                case '\\':
                    sb.append("\\5c");
                    break;
                default:
                    sb.append(charAt);
                    break;
            }
        }
        return sb.toString();
    }

    protected void bindUser(DirContext dirContext, String str, String str2) throws NamingException, FailedLoginException {
        dirContext.addToEnvironment("java.naming.security.principal", str);
        dirContext.addToEnvironment("java.naming.security.credentials", str2);
        try {
            try {
                dirContext.getAttributes("", (String[]) null);
                if (this.connectionUsername != null) {
                    dirContext.addToEnvironment("java.naming.security.principal", this.connectionUsername);
                } else {
                    dirContext.removeFromEnvironment("java.naming.security.principal");
                }
                if (this.connectionPassword != null) {
                    dirContext.addToEnvironment("java.naming.security.credentials", this.connectionPassword);
                } else {
                    dirContext.removeFromEnvironment("java.naming.security.credentials");
                }
            } catch (AuthenticationException e) {
                log.debug("Authentication failed for dn=" + str);
                throw new FailedLoginException();
            }
        } catch (Throwable th) {
            if (this.connectionUsername != null) {
                dirContext.addToEnvironment("java.naming.security.principal", this.connectionUsername);
            } else {
                dirContext.removeFromEnvironment("java.naming.security.principal");
            }
            if (this.connectionPassword != null) {
                dirContext.addToEnvironment("java.naming.security.credentials", this.connectionPassword);
            } else {
                dirContext.removeFromEnvironment("java.naming.security.credentials");
            }
            throw th;
        }
    }

    private ArrayList<String> addAttributeValues(String str, Attributes attributes, ArrayList<String> arrayList) throws NamingException {
        if (str == null || attributes == null) {
            return arrayList;
        }
        if (arrayList == null) {
            arrayList = new ArrayList<>();
        }
        Attribute attribute = attributes.get(str);
        if (attribute == null) {
            return arrayList;
        }
        NamingEnumeration all = attribute.getAll();
        while (all.hasMore()) {
            arrayList.add((String) all.next());
        }
        return arrayList;
    }

    protected DirContext open() throws NamingException {
        if (this.context != null) {
            return this.context;
        }
        try {
            Hashtable hashtable = new Hashtable();
            hashtable.put("java.naming.factory.initial", this.initialContextFactory);
            if (this.connectionUsername != null && this.connectionUsername.length() > 0) {
                hashtable.put("java.naming.security.principal", this.connectionUsername);
            }
            if (this.connectionPassword != null && this.connectionPassword.length() > 0) {
                hashtable.put("java.naming.security.credentials", this.connectionPassword);
            }
            hashtable.put("java.naming.security.protocol", this.connectionProtocol == null ? "" : this.connectionProtocol);
            hashtable.put("java.naming.provider.url", this.connectionURL == null ? "" : this.connectionURL);
            hashtable.put("java.naming.security.authentication", this.authentication == null ? "" : this.authentication);
            hashtable.put("java.naming.referral", this.followReferrals ? "follow" : "ignore");
            this.context = new InitialDirContext(hashtable);
            return this.context;
        } catch (NamingException e) {
            log.error("Failed to open context", e);
            throw e;
        }
    }
}
