package org.apache.karaf.jaas.modules.ldap;

import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.net.ssl.SSLSocketFactory;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import org.apache.karaf.jaas.boot.principal.RolePrincipal;
import org.apache.karaf.jaas.boot.principal.UserPrincipal;
import org.apache.karaf.jaas.config.KeystoreManager;
import org.apache.karaf.jaas.modules.AbstractKarafLoginModule;
import org.osgi.framework.ServiceReference;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import shaded.org.codehaus.plexus.util.LineOrientedInterpolatingReader;

/* loaded from: input_file:WEB-INF/karaf/system/org/apache/karaf/jaas/org.apache.karaf.jaas.modules/2.4.0.redhat-620001/org.apache.karaf.jaas.modules-2.4.0.redhat-620001.jar:org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.class */
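/**
 * JAAS login module that authenticates a user against an LDAP directory and collects the
 * user's roles from it.
 *
 * <p>The login proceeds in three steps, each with its own JNDI context:
 * <ol>
 *   <li>search {@code user.base.dn} with {@code user.filter} (bound as
 *       {@code connection.username} when one is configured, anonymously otherwise) to find the
 *       user's entry;</li>
 *   <li>bind as the entry's DN with the password supplied through the callback handler
 *       (this is the actual authentication);</li>
 *   <li>search {@code role.base.dn} with {@code role.filter} and turn every value of
 *       {@code role.name.attribute} on the matching entries into a {@link RolePrincipal}.
 *       When no {@code connection.username} is configured this search runs with the user's
 *       own credentials.</li>
 * </ol>
 *
 * <p>Filter templates may contain {@code %u} (user name), {@code %dn} (user entry name
 * relative to {@code user.base.dn}), {@code %fqdn} ({@code %dn} plus the base DN) and
 * {@code %nsdn} (the entry name exactly as the server returned it). Substituted values are
 * escaped per RFC 4515 before they are placed in the filter, so a user name cannot change
 * the structure of the filter or act as a wildcard; backslashes in the administrator-written
 * template itself are doubled, as this module has always done, so that JNDI's filter parser
 * passes them through literally.
 *
 * <p>Instances are single-use: {@link #doLogin()} stores the authenticated user name and the
 * collected principals in the inherited fields, and {@link #logout()} removes them again.
 */
public class LDAPLoginModule extends AbstractKarafLoginModule {
    private static final String DEFAULT_AUTHENTICATION = "simple";
    private static final Logger logger = LoggerFactory.getLogger(LDAPLoginModule.class);
    public static final String CONNECTION_URL = "connection.url";
    public static final String CONNECTION_USERNAME = "connection.username";
    public static final String CONNECTION_PASSWORD = "connection.password";
    public static final String USER_BASE_DN = "user.base.dn";
    public static final String USER_FILTER = "user.filter";
    public static final String USER_SEARCH_SUBTREE = "user.search.subtree";
    public static final String ROLE_BASE_DN = "role.base.dn";
    public static final String ROLE_FILTER = "role.filter";
    public static final String ROLE_NAME_ATTRIBUTE = "role.name.attribute";
    public static final String ROLE_SEARCH_SUBTREE = "role.search.subtree";
    public static final String AUTHENTICATION = "authentication";
    public static final String ALLOW_EMPTY_PASSWORDS = "allowEmptyPasswords";
    public static final String INITIAL_CONTEXT_FACTORY = "initial.context.factory";
    public static final String CONTEXT_PREFIX = "context.";
    public static final String SSL = "ssl";
    public static final String SSL_PROVIDER = "ssl.provider";
    public static final String SSL_PROTOCOL = "ssl.protocol";
    public static final String SSL_ALGORITHM = "ssl.algorithm";
    public static final String SSL_KEYSTORE = "ssl.keystore";
    public static final String SSL_KEYALIAS = "ssl.keyalias";
    public static final String SSL_TRUSTSTORE = "ssl.truststore";
    public static final String SSL_TIMEOUT = "ssl.timeout";
    public static final String DEFAULT_INITIAL_CONTEXT_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";

    /** Placeholders recognised in {@code user.filter} and {@code role.filter}. */
    private static final Pattern FILTER_PLACEHOLDER = Pattern.compile("%(fqdn|nsdn|dn|u)");

    private String connectionURL;
    private String connectionUsername;
    // Kept as a String because that is how JNDI accepts it; it cannot be wiped after use.
    private String connectionPassword;
    private String userBaseDN;
    private String userFilter;
    private String roleBaseDN;
    private String roleFilter;
    private String roleNameAttribute;
    private boolean ssl;
    private String sslProvider;
    private String sslProtocol;
    private String sslAlgorithm;
    private String sslKeystore;
    private String sslKeyAlias;
    private String sslTrustStore;
    // NOTE: initialize() overwrites both with Boolean.parseBoolean(option), so an absent
    // option yields false despite the initializer here (historical behaviour, kept).
    private boolean userSearchSubtree = true;
    private boolean roleSearchSubtree = true;
    private String authentication = DEFAULT_AUTHENTICATION;
    // An LDAP simple bind with an empty password is treated as an anonymous/unauthenticated
    // bind by most servers (RFC 4513 section 5.1.2), so enabling this lets any existing user
    // name "authenticate" without a password. Leave it off unless the server is known to
    // reject unauthenticated binds.
    private boolean allowEmptyPasswords = false;
    private String initialContextFactory = null;
    private int sslTimeout = 10;

    /**
     * {@link SSLSocketFactory} that JNDI instantiates by name (property
     * {@code java.naming.ldap.factory.socket}) through its static {@link #getDefault()}.
     * Because JNDI only gives us a class name, the actual factory built by the
     * {@link KeystoreManager} is handed over through a thread-local: {@link #setupSsl}
     * installs it and {@link #login()} clears it again once the login attempt is over.
     */
    public static abstract class ManagedSSLSocketFactory extends SSLSocketFactory {
        private static final ThreadLocal<SSLSocketFactory> factories = new ThreadLocal<>();

        /**
         * Installs (or, with {@code null}, removes) the factory returned by {@link #getDefault()}
         * on the current thread.
         */
        public static void setSocketFactory(SSLSocketFactory sSLSocketFactory) {
            factories.set(sSLSocketFactory);
        }

        /**
         * Returns the factory installed on the current thread.
         *
         * @throws IllegalStateException if {@link #setSocketFactory} was not called on this thread
         */
        public static SSLSocketFactory getDefault() {
            SSLSocketFactory sSLSocketFactory = factories.get();
            if (sSLSocketFactory == null) {
                throw new IllegalStateException("No SSLSocketFactory parameters have been set!");
            }
            return sSLSocketFactory;
        }
    }

    /** Names of the user entry found by the user search, in the forms the filter placeholders use. */
    private static final class LdapUser {
        /** Entry name relative to {@code user.base.dn} ({@code %dn}). */
        final String dn;
        /** {@link #dn} followed by {@code ","} and the base DN ({@code %fqdn}); also the bind DN. */
        final String fqdn;
        /** Entry name exactly as returned by the server ({@code %nsdn}). */
        final String nsdn;

        LdapUser(String dn, String fqdn, String nsdn) {
            this.dn = dn;
            this.fqdn = fqdn;
            this.nsdn = nsdn;
        }
    }

    /**
     * Reads the module options. Missing or malformed {@code connection.url} is only logged
     * here; the login itself fails later with a {@link LoginException}.
     *
     * @param subject the subject being authenticated
     * @param callbackHandler handler used to obtain the user name and password
     * @param sharedState shared JAAS state (unused)
     * @param options module options, keys are the {@code public static final} names above
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) {
        super.initialize(subject, callbackHandler, options);
        connectionURL = (String) options.get(CONNECTION_URL);
        connectionUsername = (String) options.get(CONNECTION_USERNAME);
        connectionPassword = (String) options.get(CONNECTION_PASSWORD);
        userBaseDN = (String) options.get(USER_BASE_DN);
        userFilter = (String) options.get(USER_FILTER);
        userSearchSubtree = Boolean.parseBoolean((String) options.get(USER_SEARCH_SUBTREE));
        roleBaseDN = (String) options.get(ROLE_BASE_DN);
        roleFilter = (String) options.get(ROLE_FILTER);
        roleNameAttribute = (String) options.get(ROLE_NAME_ATTRIBUTE);
        roleSearchSubtree = Boolean.parseBoolean((String) options.get(ROLE_SEARCH_SUBTREE));
        initialContextFactory = (String) options.get(INITIAL_CONTEXT_FACTORY);
        if (initialContextFactory == null) {
            initialContextFactory = DEFAULT_INITIAL_CONTEXT_FACTORY;
        }
        authentication = (String) options.get(AUTHENTICATION);
        if (authentication == null) {
            authentication = DEFAULT_AUTHENTICATION;
        }
        allowEmptyPasswords = Boolean.parseBoolean((String) options.get(ALLOW_EMPTY_PASSWORDS));
        if (connectionURL == null || connectionURL.trim().length() == 0) {
            logger.error("No LDAP URL specified.");
        } else if (!connectionURL.startsWith("ldap:") && !connectionURL.startsWith("ldaps:")) {
            logger.error("Invalid LDAP URL: " + connectionURL);
        }
        if (options.get(SSL) != null) {
            ssl = Boolean.parseBoolean((String) options.get(SSL));
        } else {
            // Null-safe: a missing URL was only logged above, it must not crash initialize().
            ssl = connectionURL != null && connectionURL.startsWith("ldaps:");
        }
        sslProvider = (String) options.get(SSL_PROVIDER);
        sslProtocol = (String) options.get(SSL_PROTOCOL);
        sslAlgorithm = (String) options.get(SSL_ALGORITHM);
        sslKeystore = (String) options.get(SSL_KEYSTORE);
        sslKeyAlias = (String) options.get(SSL_KEYALIAS);
        sslTrustStore = (String) options.get(SSL_TRUSTSTORE);
        Object timeout = options.get(SSL_TIMEOUT);
        if (timeout instanceof Number) {
            sslTimeout = ((Number) timeout).intValue();
        } else if (timeout != null) {
            // Options normally arrive as Strings; accept those as well as boxed numbers.
            sslTimeout = Integer.parseInt(timeout.toString().trim());
        }
    }

    /**
     * Runs {@link #doLogin()} and, whatever the outcome, removes the per-thread SSL socket
     * factory and restores the context class loader that {@link #setupSsl} may have replaced.
     *
     * @return whether the user was authenticated
     * @throws LoginException on configuration or directory errors
     */
    public boolean login() throws LoginException {
        ClassLoader originalClassLoader = Thread.currentThread().getContextClassLoader();
        try {
            return doLogin();
        } finally {
            ManagedSSLSocketFactory.setSocketFactory(null);
            Thread.currentThread().setContextClassLoader(originalClassLoader);
        }
    }

    /**
     * Performs the user search, the bind and the role lookup.
     *
     * @return {@code true} if the user was found and the bind succeeded, {@code false} if the
     *         user is unknown or the password was rejected
     * @throws LoginException if the module is misconfigured, the callback handler cannot
     *         supply credentials, the directory is unreachable, or the role lookup fails
     */
    protected boolean doLogin() throws LoginException {
        char[] password = requestCredentials();
        if ("none".equals(authentication) && (user != null || password != null)) {
            logger.debug("Changing from authentication = none to simple since user or password was specified.");
            authentication = DEFAULT_AUTHENTICATION;
        }
        if (!"none".equals(authentication) && !allowEmptyPasswords && (password == null || password.length == 0)) {
            throw new LoginException("Empty passwords not allowed");
        }
        if (user == null) {
            throw new LoginException("No username supplied");
        }
        checkConfiguration();
        // JNDI takes the credential as a String, so the char[] cannot be cleared after use.
        String credentials = password == null ? "" : new String(password);
        principals = new HashSet<>();

        Hashtable<String, Object> env = createEnvironment();
        if (ssl) {
            setupSsl(env);
        }
        LdapUser entry = findUser(env);
        if (entry == null) {
            return false;
        }
        if (!bindUser(env, entry, credentials)) {
            return false;
        }
        principals.add(new UserPrincipal(user));
        collectRoles(env, entry);
        return true;
    }

    /**
     * Obtains the user name and password through the callback handler; the user name is
     * stored in the inherited {@code user} field.
     *
     * @return the password, possibly {@code null}
     * @throws LoginException if the handler fails or does not support the callbacks
     */
    private char[] requestCredentials() throws LoginException {
        NameCallback nameCallback = new NameCallback("Username: ");
        PasswordCallback passwordCallback = new PasswordCallback("Password: ", false);
        try {
            callbackHandler.handle(new Callback[] {nameCallback, passwordCallback});
        } catch (IOException e) {
            throw loginException(e.getMessage(), e);
        } catch (UnsupportedCallbackException e) {
            throw loginException(e.getMessage() + " not available to obtain information from user.", e);
        }
        user = nameCallback.getName();
        return passwordCallback.getPassword();
    }

    /**
     * Fails fast, with a message naming the option, where the original code would have
     * crashed with a NullPointerException deep inside the directory calls.
     */
    private void checkConfiguration() throws LoginException {
        if (connectionURL == null || connectionURL.trim().length() == 0) {
            throw new LoginException("No LDAP URL specified.");
        }
        if (userBaseDN == null || userFilter == null) {
            throw new LoginException(USER_BASE_DN + " and " + USER_FILTER + " must be configured");
        }
        // Role lookup could never succeed without these; fail closed rather than log in roleless.
        if (roleBaseDN == null || roleFilter == null || roleNameAttribute == null) {
            throw new LoginException(ROLE_BASE_DN + ", " + ROLE_FILTER + " and " + ROLE_NAME_ATTRIBUTE + " must be configured");
        }
        if (hasConnectionUser() && connectionPassword == null) {
            throw new LoginException(CONNECTION_USERNAME + " is configured but " + CONNECTION_PASSWORD + " is not");
        }
    }

    private boolean hasConnectionUser() {
        return connectionUsername != null && connectionUsername.trim().length() > 0;
    }

    /**
     * Builds the JNDI environment for the user search: every {@code context.*} option is
     * passed through with the prefix stripped, then the factory, URL and, when configured,
     * the connection (service account) credentials are added.
     */
    private Hashtable<String, Object> createEnvironment() {
        logger.debug("Create the LDAP initial context.");
        Hashtable<String, Object> env = new Hashtable<>();
        for (String key : options.keySet()) {
            if (key.startsWith(CONTEXT_PREFIX)) {
                env.put(key.substring(CONTEXT_PREFIX.length()), options.get(key));
            }
        }
        env.put(Context.INITIAL_CONTEXT_FACTORY, initialContextFactory);
        env.put(Context.PROVIDER_URL, connectionURL);
        if (hasConnectionUser()) {
            logger.debug("Bound access requested.");
            putConnectionCredentials(env);
        }
        return env;
    }

    /** Points the environment at the configured service account. */
    private void putConnectionCredentials(Hashtable<String, Object> env) {
        env.put(Context.SECURITY_AUTHENTICATION, authentication);
        env.put(Context.SECURITY_PRINCIPAL, connectionUsername);
        env.put(Context.SECURITY_CREDENTIALS, connectionPassword);
    }

    /**
     * Searches for the user's entry. If the filter matches several entries only the first one
     * is used, so {@code user.filter} should be written to match at most one entry.
     *
     * @return the entry names, or {@code null} if nothing matched
     * @throws LoginException if the context cannot be created or the search fails
     */
    private LdapUser findUser(Hashtable<String, Object> env) throws LoginException {
        DirContext context = null;
        NamingEnumeration<SearchResult> results = null;
        try {
            logger.debug("Initialize the JNDI LDAP Dir Context.");
            context = new InitialDirContext(env);
            SearchControls controls = new SearchControls();
            controls.setSearchScope(userSearchSubtree ? SearchControls.SUBTREE_SCOPE : SearchControls.ONELEVEL_SCOPE);
            String filter = expandFilter(userFilter, Collections.singletonMap("u", user));
            logger.debug("Looking for the user in LDAP with ");
            logger.debug("  base DN: " + userBaseDN);
            logger.debug("  filter: " + filter);
            results = context.search(userBaseDN, filter, controls);
            if (!results.hasMore()) {
                logger.warn("User " + user + " not found in LDAP.");
                return null;
            }
            SearchResult result = results.next();
            String nsdn = result.getNameInNamespace();
            // Historical derivation of the relative name: textual removal of the base DN suffix.
            String dn = nsdn.replace("," + userBaseDN, "");
            return new LdapUser(dn, dn + "," + userBaseDN, nsdn);
        } catch (NamingException | RuntimeException e) {
            // Boundary with the JNDI provider: any failure here is reported as a connection problem.
            throw loginException("Can't connect to the LDAP server: " + e.getMessage(), e);
        } finally {
            closeQuietly(results);
            closeQuietly(context);
        }
    }

    /**
     * Authenticates by binding as the user's DN. On return the environment still holds the
     * user's credentials; {@link #collectRoles} relies on that when no service account is set.
     *
     * @return {@code true} if the bind succeeded, {@code false} if the directory rejected it
     */
    private boolean bindUser(Hashtable<String, Object> env, LdapUser entry, String credentials) {
        logger.debug("Bind user (authentication).");
        env.put(Context.SECURITY_AUTHENTICATION, authentication);
        logger.debug("Set the security principal for " + entry.fqdn);
        env.put(Context.SECURITY_PRINCIPAL, entry.fqdn);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        DirContext context = null;
        try {
            logger.debug("Binding the user.");
            context = new InitialDirContext(env);
            logger.debug("User " + user + " successfully bound.");
            return true;
        } catch (NamingException | RuntimeException e) {
            // A wrong password surfaces here as an AuthenticationException; it is not fatal
            // for the login module, it just means "not authenticated".
            logger.warn("User " + user + " authentication failed.", e);
            return false;
        } finally {
            closeQuietly(context);
        }
    }

    /**
     * Looks up the user's roles and adds a {@link RolePrincipal} per role name value.
     *
     * @throws LoginException if the search fails (the user is then not logged in)
     */
    private void collectRoles(Hashtable<String, Object> env, LdapUser entry) throws LoginException {
        logger.debug("Get user roles.");
        if (hasConnectionUser()) {
            putConnectionCredentials(env);
        }
        DirContext context = null;
        NamingEnumeration<SearchResult> results = null;
        try {
            context = new InitialDirContext(env);
            SearchControls controls = new SearchControls();
            controls.setSearchScope(roleSearchSubtree ? SearchControls.SUBTREE_SCOPE : SearchControls.ONELEVEL_SCOPE);
            controls.setReturningAttributes(new String[] {roleNameAttribute});
            Map<String, String> values = new Hashtable<>();
            values.put("u", user);
            values.put("dn", entry.dn);
            values.put("fqdn", entry.fqdn);
            values.put("nsdn", entry.nsdn);
            String filter = expandFilter(roleFilter, values);
            logger.debug("Looking for the user roles in LDAP with ");
            logger.debug("  base DN: " + roleBaseDN);
            logger.debug("  filter: " + filter);
            results = context.search(roleBaseDN, filter, controls);
            while (results.hasMore()) {
                Attribute attribute = results.next().getAttributes().get(roleNameAttribute);
                if (attribute == null) {
                    continue;
                }
                for (int i = 0; i < attribute.size(); i++) {
                    String roleName = (String) attribute.get(i);
                    if (roleName != null) {
                        principals.add(new RolePrincipal(roleName));
                    }
                }
            }
        } catch (NamingException | RuntimeException e) {
            throw loginException("Can't get user " + user + " roles: " + e.getMessage(), e);
        } finally {
            closeQuietly(results);
            closeQuietly(context);
        }
    }

    /**
     * Expands the {@code %u}, {@code %dn}, {@code %fqdn} and {@code %nsdn} placeholders of a
     * filter template in a single pass, so a substituted value can never be re-expanded.
     * Backslashes in the template are doubled first (legacy behaviour, see the class comment);
     * each substituted value is escaped with {@link #escapeFilterValue}. Placeholders with no
     * entry in {@code values} are left untouched.
     *
     * @param template the configured filter, non-null
     * @param values placeholder name (without the {@code %}) to raw value
     * @return the filter to send to the directory
     */
    protected static String expandFilter(String template, Map<String, String> values) {
        String doubled = template.replace("\\", "\\\\");
        Matcher matcher = FILTER_PLACEHOLDER.matcher(doubled);
        StringBuffer out = new StringBuffer(doubled.length());
        while (matcher.find()) {
            String value = values.get(matcher.group(1));
            String replacement = value == null ? matcher.group() : escapeFilterValue(value);
            matcher.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        matcher.appendTail(out);
        return out.toString();
    }

    /**
     * Escapes a value for use inside an LDAP search filter (RFC 4515 section 3): the
     * characters {@code \ * ( )} and NUL become their {@code \xx} hex form. Other characters
     * are left as they are; the JNDI provider UTF-8 encodes the whole filter itself.
     *
     * @param value raw value, non-null
     * @return the escaped value
     */
    protected static String escapeFilterValue(String value) {
        StringBuilder escaped = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\':
                    escaped.append("\\5c");
                    break;
                case '*':
                    escaped.append("\\2a");
                    break;
                case '(':
                    escaped.append("\\28");
                    break;
                case ')':
                    escaped.append("\\29");
                    break;
                case '\0':
                    escaped.append("\\00");
                    break;
                default:
                    escaped.append(c);
            }
        }
        return escaped.toString();
    }

    /** Builds a {@link LoginException} (which has no cause constructor) that keeps its cause. */
    private static LoginException loginException(String message, Throwable cause) {
        LoginException exception = new LoginException(message);
        exception.initCause(cause);
        return exception;
    }

    /** Closes a context, logging rather than propagating a failure to close. */
    private static void closeQuietly(DirContext context) {
        if (context == null) {
            return;
        }
        try {
            context.close();
        } catch (NamingException e) {
            logger.debug("Ignoring failure while closing the LDAP context", e);
        }
    }

    /** Closes a search result enumeration, logging rather than propagating a failure to close. */
    private static void closeQuietly(NamingEnumeration<?> results) {
        if (results == null) {
            return;
        }
        try {
            results.close();
        } catch (NamingException e) {
            logger.debug("Ignoring failure while closing the LDAP search results", e);
        }
    }

    /**
     * Configures the environment for LDAPS using the {@link KeystoreManager} service: installs
     * the per-thread socket factory (see {@link ManagedSSLSocketFactory}) and switches the
     * context class loader so that JNDI can load that factory class by name. The service is
     * released in all cases; the caller ({@link #login()}) undoes the thread-local and class
     * loader changes.
     *
     * @param env the JNDI environment being built (raw type kept for binary compatibility)
     * @throws LoginException if the service is unavailable or the factory cannot be created
     */
    @SuppressWarnings("unchecked")
    protected void setupSsl(Hashtable env) throws LoginException {
        ServiceReference<?> serviceReference = null;
        try {
            logger.debug("Setting up SSL");
            env.put(Context.SECURITY_PROTOCOL, SSL);
            env.put("java.naming.ldap.factory.socket", ManagedSSLSocketFactory.class.getName());
            serviceReference = bundleContext.getServiceReference(KeystoreManager.class.getName());
            if (serviceReference == null) {
                throw new LoginException("Unable to setup SSL support for LDAP: no KeystoreManager service available");
            }
            KeystoreManager keystoreManager = (KeystoreManager) bundleContext.getService(serviceReference);
            if (keystoreManager == null) {
                throw new LoginException("Unable to setup SSL support for LDAP: KeystoreManager service is gone");
            }
            ManagedSSLSocketFactory.setSocketFactory(keystoreManager.createSSLFactory(
                    sslProvider, sslProtocol, sslAlgorithm, sslKeystore, sslKeyAlias, sslTrustStore, sslTimeout));
            Thread.currentThread().setContextClassLoader(ManagedSSLSocketFactory.class.getClassLoader());
        } catch (LoginException e) {
            throw e;
        } catch (Exception e) {
            throw loginException("Unable to setup SSL support for LDAP: " + e.getMessage(), e);
        } finally {
            // Release exactly once, and only if we actually obtained a reference.
            if (serviceReference != null) {
                bundleContext.ungetService(serviceReference);
            }
        }
    }

    /** Nothing to undo: principals are only attached to the subject by commit. */
    public boolean abort() throws LoginException {
        return true;
    }

    /**
     * Removes the principals this module added from the subject.
     *
     * @return always {@code true}
     */
    public boolean logout() throws LoginException {
        if (principals != null) {
            subject.getPrincipals().removeAll(principals);
            principals.clear();
        }
        return true;
    }
}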
