package org.eclipse.jetty.security.jaas.spi;

import ch.qos.logback.core.testUtil.CoreTestConstants;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Hashtable;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import javax.naming.AuthenticationException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.eclipse.jetty.security.UserPrincipal;
import org.eclipse.jetty.security.jaas.callback.ObjectCallback;
import org.eclipse.jetty.security.jaas.spi.AbstractLoginModule;
import org.eclipse.jetty.util.StringUtil;
import org.eclipse.jetty.util.TypeUtil;
import org.eclipse.jetty.util.security.Credential;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/jetty-security-12.0.8.jar:org/eclipse/jetty/security/jaas/spi/LdapLoginModule.class */
public class LdapLoginModule extends AbstractLoginModule {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) LdapLoginModule.class);
    private String _hostname;
    private int _port;
    private String _authenticationMethod;
    private String _contextFactory;
    private String _bindDn;
    private String _bindPassword;
    private String _userBaseDn;
    private String _roleBaseDn;
    private boolean _debug;
    private DirContext _rootContext;
    private String _userObjectClass = "inetOrgPerson";
    private String _userRdnAttribute = "uid";
    private String _userIdAttribute = "cn";
    private String _userPasswordAttribute = "userPassword";
    private String _roleObjectClass = "groupOfUniqueNames";
    private String _roleMemberAttribute = "uniqueMember";
    private String _roleNameAttribute = "roleName";
    private boolean _forceBindingLogin = false;
    private boolean _useLdaps = false;

    /* loaded from: input_file:BOOT-INF/lib/jetty-security-12.0.8.jar:org/eclipse/jetty/security/jaas/spi/LdapLoginModule$LDAPBindingUser.class */
    public class LDAPBindingUser extends AbstractLoginModule.JAASUser {
        DirContext _context;
        String _userDn;

        public LDAPBindingUser(UserPrincipal userPrincipal, DirContext dirContext, String str) {
            super(userPrincipal);
            this._context = dirContext;
            this._userDn = str;
        }

        @Override // org.eclipse.jetty.security.jaas.spi.AbstractLoginModule.JAASUser
        public List<String> doFetchRoles() throws Exception {
            return LdapLoginModule.this.getUserRolesByDn(this._context, this._userDn);
        }
    }

    /* loaded from: input_file:BOOT-INF/lib/jetty-security-12.0.8.jar:org/eclipse/jetty/security/jaas/spi/LdapLoginModule$LDAPUser.class */
    public class LDAPUser extends AbstractLoginModule.JAASUser {
        Attributes attributes;

        public LDAPUser(UserPrincipal userPrincipal, Attributes attributes) {
            super(userPrincipal);
            this.attributes = attributes;
        }

        @Override // org.eclipse.jetty.security.jaas.spi.AbstractLoginModule.JAASUser
        public List<String> doFetchRoles() throws Exception {
            return LdapLoginModule.this.getUserRoles(LdapLoginModule.this._rootContext, getUserName(), this.attributes);
        }
    }

    @Override // org.eclipse.jetty.security.jaas.spi.AbstractLoginModule
    public AbstractLoginModule.JAASUser getUser(String str) throws Exception {
        Attributes userAttributes = getUserAttributes(str);
        String userCredentials = getUserCredentials(userAttributes);
        if (userCredentials == null) {
            return null;
        }
        return new LDAPUser(new UserPrincipal(str, Credential.getCredential(convertCredentialLdapToJetty(userCredentials))), userAttributes);
    }

    protected String doRFC2254Encoding(String str) {
        StringBuffer stringBuffer = new StringBuffer(str.length());
        for (int i = 0; i < str.length(); i++) {
            char charAt = str.charAt(i);
            switch (charAt) {
                case 0:
                    stringBuffer.append("\\00");
                    break;
                case '(':
                    stringBuffer.append("\\28");
                    break;
                case ')':
                    stringBuffer.append("\\29");
                    break;
                case '*':
                    stringBuffer.append("\\2a");
                    break;
                case '\\':
                    stringBuffer.append("\\5c");
                    break;
                default:
                    stringBuffer.append(charAt);
                    break;
            }
        }
        return stringBuffer.toString();
    }

    private Attributes getUserAttributes(String str) throws LoginException {
        return findUser(str).getAttributes();
    }

    private String getUserCredentials(Attributes attributes) throws LoginException {
        String str = null;
        Attribute attribute = attributes.get(this._userPasswordAttribute);
        if (attribute != null) {
            try {
                str = new String((byte[]) attribute.get());
            } catch (NamingException e) {
                LOG.debug("no password available under attribute: {}", this._userPasswordAttribute);
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("user cred is: {}", str);
        }
        return str;
    }

    private List<String> getUserRoles(DirContext dirContext, String str, Attributes attributes) throws LoginException, NamingException {
        String str2 = str;
        Attribute attribute = attributes.get(this._userRdnAttribute);
        if (attribute != null) {
            try {
                str2 = (String) attribute.get();
            } catch (NamingException e) {
            }
        }
        return getUserRolesByDn(dirContext, findUser(dirContext, "({0}={1})", new Object[]{this._userRdnAttribute, str2}).getNameInNamespace());
    }

    private List<String> getUserRolesByDn(DirContext dirContext, String str) throws NamingException {
        Attribute attribute;
        ArrayList arrayList = new ArrayList();
        if (dirContext == null || this._roleBaseDn == null || this._roleMemberAttribute == null || this._roleObjectClass == null) {
            return arrayList;
        }
        SearchControls searchControls = new SearchControls();
        searchControls.setDerefLinkFlag(true);
        searchControls.setSearchScope(2);
        searchControls.setReturningAttributes(new String[]{this._roleNameAttribute});
        NamingEnumeration search = dirContext.search(this._roleBaseDn, "(&(objectClass={0})({1}={2}))", new Object[]{this._roleObjectClass, this._roleMemberAttribute, str}, searchControls);
        if (LOG.isDebugEnabled()) {
            LOG.debug("Found user roles?: {}", Boolean.valueOf(search.hasMoreElements()));
        }
        while (search.hasMoreElements()) {
            Attributes attributes = ((SearchResult) search.nextElement()).getAttributes();
            if (attributes != null && (attribute = attributes.get(this._roleNameAttribute)) != null) {
                NamingEnumeration all = attribute.getAll();
                while (all.hasMore()) {
                    arrayList.add(all.next().toString());
                }
            }
        }
        return arrayList;
    }

    @Override // org.eclipse.jetty.security.jaas.spi.AbstractLoginModule
    public boolean login() throws LoginException {
        boolean credentialLogin;
        try {
            if (getCallbackHandler() == null) {
                throw new LoginException("No callback handler");
            }
            NameCallback[] configureCallbacks = configureCallbacks();
            getCallbackHandler().handle(configureCallbacks);
            String name = configureCallbacks[0].getName();
            Object object = ((ObjectCallback) configureCallbacks[1]).getObject();
            if (name == null || object == null) {
                setAuthenticated(false);
                return isAuthenticated();
            }
            if (this._forceBindingLogin) {
                credentialLogin = bindingLogin(name, object);
            } else {
                AbstractLoginModule.JAASUser user = getUser(name);
                if (user == null) {
                    setAuthenticated(false);
                    return false;
                }
                setCurrentUser(user);
                credentialLogin = object instanceof String ? credentialLogin(Credential.getCredential((String) object)) : credentialLogin(object);
            }
            if (credentialLogin) {
                getCurrentUser().fetchRoles();
            }
            return credentialLogin;
        } catch (AuthenticationException e) {
            if (!this._debug) {
                return false;
            }
            LOG.info("Login failure", e);
            return false;
        } catch (IOException e2) {
            if (this._debug) {
                LOG.info("Login failure", (Throwable) e2);
            }
            throw new LoginException("IO Error performing login.");
        } catch (UnsupportedCallbackException e3) {
            throw new LoginException("Error obtaining callback information.");
        } catch (LoginException e4) {
            throw e4;
        } catch (Exception e5) {
            if (this._debug) {
                LOG.info("Login failure", (Throwable) e5);
            }
            throw new LoginException("Error obtaining user info");
        }
    }

    protected boolean credentialLogin(Object obj) throws LoginException {
        setAuthenticated(getCurrentUser().checkCredential(obj));
        return isAuthenticated();
    }

    public boolean bindingLogin(String str, Object obj) throws LoginException {
        String nameInNamespace = findUser(str).getNameInNamespace();
        LOG.info("Attempting authentication: {}", nameInNamespace);
        Hashtable<Object, Object> environment = getEnvironment();
        if (nameInNamespace == null || "".equals(nameInNamespace)) {
            throw new FailedLoginException("username may not be empty");
        }
        environment.put("java.naming.security.principal", nameInNamespace);
        if (obj == null || "".equals(obj)) {
            throw new FailedLoginException("password may not be empty");
        }
        environment.put("java.naming.security.credentials", obj);
        try {
            setCurrentUser(new LDAPBindingUser(new UserPrincipal(str, null), new InitialDirContext(environment), nameInNamespace));
            setAuthenticated(true);
            return true;
        } catch (NamingException e) {
            throw new FailedLoginException(e.getMessage());
        } catch (AuthenticationException e2) {
            throw new FailedLoginException(e2.getMessage());
        }
    }

    private SearchResult findUser(String str) throws LoginException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Searching for user {} with filter: '{}' from base dn: {}", str, "(&(objectClass={0})({1}={2}))", this._userBaseDn);
        }
        return findUser(this._rootContext, "(&(objectClass={0})({1}={2}))", new Object[]{this._userObjectClass, this._userIdAttribute, str});
    }

    private SearchResult findUser(DirContext dirContext, String str, Object[] objArr) throws LoginException {
        SearchControls searchControls = new SearchControls();
        searchControls.setDerefLinkFlag(true);
        searchControls.setSearchScope(2);
        try {
            NamingEnumeration search = this._rootContext.search(this._userBaseDn, str, objArr, searchControls);
            if (LOG.isDebugEnabled()) {
                LOG.debug("Found user?: {}", Boolean.valueOf(search.hasMoreElements()));
            }
            if (!search.hasMoreElements()) {
                throw new FailedLoginException("User not found.");
            }
            SearchResult searchResult = (SearchResult) search.nextElement();
            if (search.hasMoreElements()) {
                throw new FailedLoginException("Search result contains ambiguous entries");
            }
            return searchResult;
        } catch (NamingException e) {
            throw new FailedLoginException(e.getMessage());
        }
    }

    @Override // org.eclipse.jetty.security.jaas.spi.AbstractLoginModule
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> map, Map<String, ?> map2) {
        super.initialize(subject, callbackHandler, map, map2);
        this._hostname = (String) map2.get("hostname");
        this._port = Integer.parseInt((String) map2.get("port"));
        this._contextFactory = (String) map2.get("contextFactory");
        this._bindDn = (String) map2.get("bindDn");
        this._bindPassword = (String) map2.get("bindPassword");
        this._authenticationMethod = (String) map2.get("authenticationMethod");
        this._userBaseDn = (String) map2.get("userBaseDn");
        this._roleBaseDn = (String) map2.get("roleBaseDn");
        if (map2.containsKey("forceBindingLogin")) {
            this._forceBindingLogin = Boolean.parseBoolean((String) map2.get("forceBindingLogin"));
        }
        if (map2.containsKey("useLdaps")) {
            this._useLdaps = Boolean.parseBoolean((String) map2.get("useLdaps"));
        }
        this._userObjectClass = getOption(map2, "userObjectClass", this._userObjectClass);
        this._userRdnAttribute = getOption(map2, "userRdnAttribute", this._userRdnAttribute);
        this._userIdAttribute = getOption(map2, "userIdAttribute", this._userIdAttribute);
        this._userPasswordAttribute = getOption(map2, "userPasswordAttribute", this._userPasswordAttribute);
        this._roleObjectClass = getOption(map2, "roleObjectClass", this._roleObjectClass);
        this._roleMemberAttribute = getOption(map2, "roleMemberAttribute", this._roleMemberAttribute);
        this._roleNameAttribute = getOption(map2, "roleNameAttribute", this._roleNameAttribute);
        this._debug = Boolean.parseBoolean(String.valueOf(getOption(map2, "debug", Boolean.toString(this._debug))));
        try {
            this._rootContext = new InitialDirContext(getEnvironment());
        } catch (NamingException e) {
            throw new IllegalStateException("Unable to establish root context", e);
        }
    }

    @Override // org.eclipse.jetty.security.jaas.spi.AbstractLoginModule
    public boolean commit() throws LoginException {
        try {
            this._rootContext.close();
            return super.commit();
        } catch (NamingException e) {
            throw new LoginException("error closing root context: " + e.getMessage());
        }
    }

    @Override // org.eclipse.jetty.security.jaas.spi.AbstractLoginModule
    public boolean abort() throws LoginException {
        try {
            this._rootContext.close();
            return super.abort();
        } catch (NamingException e) {
            throw new LoginException("error closing root context: " + e.getMessage());
        }
    }

    private String getOption(Map<String, ?> map, String str, String str2) {
        Object obj = map.get(str);
        return obj == null ? str2 : (String) obj;
    }

    public Hashtable<Object, Object> getEnvironment() {
        Properties properties = new Properties();
        properties.put(CoreTestConstants.JAVA_NAMING_FACTORY_INITIAL, this._contextFactory);
        if (this._hostname != null) {
            properties.put("java.naming.provider.url", (this._useLdaps ? "ldaps://" : "ldap://") + this._hostname + (this._port == 0 ? "" : ":" + this._port) + "/");
        }
        if (this._authenticationMethod != null) {
            properties.put("java.naming.security.authentication", this._authenticationMethod);
        }
        if (this._bindDn != null) {
            properties.put("java.naming.security.principal", this._bindDn);
        }
        if (this._bindPassword != null) {
            properties.put("java.naming.security.credentials", this._bindPassword);
        }
        return properties;
    }

    public static String convertCredentialLdapToJetty(String str) {
        if (str == null) {
            return null;
        }
        return str.toUpperCase(Locale.ENGLISH).startsWith("{MD5}") ? "MD5:" + base64ToHex(str.substring("{MD5}".length(), str.length())) : str.toUpperCase(Locale.ENGLISH).startsWith("{CRYPT}") ? "CRYPT:" + str.substring("{CRYPT}".length(), str.length()) : str;
    }

    private static String base64ToHex(String str) {
        return TypeUtil.toString(Base64.getDecoder().decode(str), 16);
    }

    private static String hexToBase64(String str) {
        return Base64.getEncoder().encodeToString(StringUtil.fromHexString(str));
    }
}
