package org.jboss.security.auth.spi;

import java.net.URI;
import java.net.URISyntaxException;
import java.security.Principal;
import java.security.acl.Group;
import java.util.Map;
import java.util.Properties;
import java.util.StringTokenizer;
import javax.management.ObjectName;
import javax.naming.CompositeName;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.ReferralException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import org.jboss.security.PicketBoxLogger;
import org.jboss.security.PicketBoxMessages;
import org.jboss.security.SimpleGroup;
import org.jboss.security.vault.SecurityVaultUtil;
import org.sonatype.plexus.components.sec.dispatcher.SecUtil;

/* loaded from: input_file:wildfly-10.1.0.Final/modules/system/layers/base/org/picketbox/main/picketbox-4.9.6.Final.jar:org/jboss/security/auth/spi/LdapExtLoginModule.class */
/**
 * JAAS login module that authenticates a user against an LDAP directory and
 * collects the user's roles from it.
 *
 * <p>Flow, as implemented below: an initial context is opened with the
 * administrative {@code bindDN}/{@code bindCredential}; the user's entry is
 * located under {@code baseCtxDN} with {@code baseFilter}; when a password is
 * being validated, a second context is opened bound as the user's DN with the
 * supplied credential (this bind is the actual password check); finally the
 * roles context is searched with {@code roleFilter} and the matching role
 * values are added to the "Roles" group.
 *
 * <p>The password is never compared locally: {@link #getUsersPassword()} is a
 * stub and {@link #validatePassword(String, String)} delegates to the LDAP bind.
 *
 * <p>This listing is decompiler output (see the file header); control-flow
 * shapes such as duplicated try/catch wrappers are artefacts and are left as is.
 */
public class LdapExtLoginModule extends UsernamePasswordLoginModule {
    private static final String BIND_CREDENTIAL = "bindCredential";
    private static final String SEARCH_SCOPE_OPT = "searchScope";
    /** DN used for the initial (administrative) bind; option {@code bindDN}. */
    protected String bindDN;
    /**
     * Credential for the administrative bind. May be given as a password
     * command, as a jaasSecurityDomain-encrypted value or in vault format;
     * all three are resolved in {@link #createLdapInitContext}.
     */
    protected String bindCredential;
    /** Context DN under which the user entry is searched; option {@code baseCtxDN}. */
    protected String baseDN;
    /** Filter for the user search; {@code {0}} is the username. Option {@code baseFilter}. */
    protected String baseFilter;
    /** Context DN under which roles are searched; option {@code rolesCtxDN}. Role search is skipped when null. */
    protected String rolesCtxDN;
    /** Filter for the role search; {@code {0}} is the username, {@code {1}} the user DN. Skipped when null. */
    protected String roleFilter;
    /** Attribute of a role search result that carries the role value(s); defaults to "role". */
    protected String roleAttributeID;
    /** Attribute of a role entry that carries the role name when role values are DNs; defaults to "name". */
    protected String roleNameAttributeID;
    /** When true, role attribute values are treated as DNs of role entries rather than role names. */
    protected boolean roleAttributeIsDN;
    /** When true (and roles are DNs), the role name is parsed out of the DN instead of being fetched. */
    protected boolean parseRoleNameFromDN;
    /** Attribute returned by the user search that holds the user's DN; defaults to "distinguishedName". */
    protected String distinguishedNameAttribute;
    /** When true, {@link #getUsername()} trims the supplied username using the begin/end strings. */
    protected boolean parseUsername;
    protected String usernameBeginString;
    protected String usernameEndString;
    private static final String ROLES_CTX_DN_OPT = "rolesCtxDN";
    private static final String ROLE_ATTRIBUTE_ID_OPT = "roleAttributeID";
    private static final String ROLE_ATTRIBUTE_IS_DN_OPT = "roleAttributeIsDN";
    private static final String ROLE_NAME_ATTRIBUTE_ID_OPT = "roleNameAttributeID";
    private static final String PARSE_ROLE_NAME_FROM_DN_OPT = "parseRoleNameFromDN";
    private static final String BIND_DN = "bindDN";
    private static final String BASE_CTX_DN = "baseCtxDN";
    private static final String BASE_FILTER_OPT = "baseFilter";
    private static final String ROLE_FILTER_OPT = "roleFilter";
    private static final String ROLE_RECURSION = "roleRecursion";
    private static final String DEFAULT_ROLE = "defaultRole";
    private static final String SEARCH_TIME_LIMIT_OPT = "searchTimeLimit";
    private static final String SECURITY_DOMAIN_OPT = "jaasSecurityDomain";
    private static final String DISTINGUISHED_NAME_ATTRIBUTE_OPT = "distinguishedNameAttribute";
    private static final String PARSE_USERNAME = "parseUsername";
    private static final String USERNAME_BEGIN_STRING = "usernameBeginString";
    private static final String USERNAME_END_STRING = "usernameEndString";
    private static final String ALLOW_EMPTY_PASSWORDS = "allowEmptyPasswords";
    private static final String REFERRAL_USER_ATTRIBUTE_ID_TO_CHECK = "referralUserAttributeIDToCheck";
    /** Option names accepted by this module (module options plus the standard JNDI environment keys). */
    private static final String[] ALL_VALID_OPTIONS = {ROLES_CTX_DN_OPT, ROLE_ATTRIBUTE_ID_OPT, ROLE_ATTRIBUTE_IS_DN_OPT, ROLE_NAME_ATTRIBUTE_ID_OPT, PARSE_ROLE_NAME_FROM_DN_OPT, BIND_DN, "bindCredential", BASE_CTX_DN, BASE_FILTER_OPT, ROLE_FILTER_OPT, ROLE_RECURSION, DEFAULT_ROLE, SEARCH_TIME_LIMIT_OPT, "searchScope", SECURITY_DOMAIN_OPT, DISTINGUISHED_NAME_ATTRIBUTE_OPT, PARSE_USERNAME, USERNAME_BEGIN_STRING, USERNAME_END_STRING, ALLOW_EMPTY_PASSWORDS, REFERRAL_USER_ATTRIBUTE_ID_TO_CHECK, "java.naming.factory.initial", "java.naming.factory.object", "java.naming.factory.state", "java.naming.factory.url.pkgs", "java.naming.provider.url", "java.naming.dns.url", "java.naming.authoritative", "java.naming.batchsize", "java.naming.referral", "java.naming.security.protocol", "java.naming.security.authentication", "java.naming.security.principal", "java.naming.security.credentials", "java.naming.language", "java.naming.applet"};
    /** Maximum nesting depth for the recursive role search; option {@code roleRecursion}, 0 = no recursion. */
    protected int recursion = 0;
    /** Time limit passed to {@link SearchControls#setTimeLimit(int)}; option {@code searchTimeLimit}. */
    protected int searchTimeLimit = 10000;
    /** JNDI search scope for the role search; 2 is {@link SearchControls#SUBTREE_SCOPE}. Option {@code searchScope}. */
    protected int searchScope = 2;
    /**
     * Set once {@link #validatePassword} has run. Controls whether
     * {@link #bindDNAuthentication} actually binds as the user and whether
     * {@link #getRoleSets()} has to perform the LDAP lookup itself.
     */
    protected boolean isPasswordValidated = false;
    /**
     * Attribute consulted on referral results before trusting them; a result
     * is only used when one of this attribute's values equals the username or
     * user DN. Option {@code referralUserAttributeIDToCheck}; null disables the check.
     */
    protected String referralUserAttributeIDToCheck = null;
    /** Roles collected for the authenticated user; returned by {@link #getRoleSets()}. */
    private transient SimpleGroup userRoles = new SimpleGroup("Roles");

    /**
     * Registers this module's accepted option names before delegating to the
     * superclass initialisation.
     */
    @Override // org.jboss.security.auth.spi.UsernamePasswordLoginModule, org.jboss.security.auth.spi.AbstractServerLoginModule
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map map, Map map2) {
        addValidOptions(ALL_VALID_OPTIONS);
        super.initialize(subject, callbackHandler, map, map2);
    }

    /**
     * Not used for comparison: the password is verified by the LDAP bind in
     * {@link #validatePassword(String, String)}, so an empty string is returned.
     */
    @Override // org.jboss.security.auth.spi.UsernamePasswordLoginModule
    protected String getUsersPassword() throws LoginException {
        return "";
    }

    /**
     * Returns the role group built during authentication.
     *
     * <p>If {@link #validatePassword} never ran (for example when another module
     * in the stack established the identity) and the identity is not the
     * unauthenticated one, the LDAP lookup is performed here with a null
     * credential. Because {@code isPasswordValidated} is false in that case, no
     * bind as the user takes place — only the user/role searches with the
     * administrative bind. Any failure is wrapped in a {@link LoginException}.
     *
     * @return a single-element array holding the "Roles" group
     * @throws LoginException if the LDAP lookup fails
     */
    @Override // org.jboss.security.auth.spi.AbstractServerLoginModule
    protected Group[] getRoleSets() throws LoginException {
        if (!this.isPasswordValidated && getIdentity() != this.unauthenticatedIdentity) {
            try {
                String username = getUsername();
                PicketBoxLogger.LOGGER.traceBindingLDAPUsername(username);
                createLdapInitContext(username, null);
                defaultRole();
            } catch (Exception e) {
                LoginException loginException = new LoginException();
                loginException.initCause(e);
                throw loginException;
            }
        }
        return new Group[]{this.userRoles};
    }

    /**
     * Validates the supplied password by binding to LDAP as the user.
     *
     * <p>A null password is rejected. An empty password is rejected unless the
     * {@code allowEmptyPasswords} option is "true" (an empty password would
     * otherwise reach the directory, where many servers treat it as an
     * anonymous bind). Any {@link Throwable} from the LDAP interaction is
     * recorded via {@code setValidateError} and the result is {@code false}.
     *
     * @param str  the password supplied by the user
     * @param str2 the expected password from {@link #getUsersPassword()}; unused
     * @return true only if the user search and bind succeeded
     */
    @Override // org.jboss.security.auth.spi.UsernamePasswordLoginModule
    protected boolean validatePassword(String str, String str2) {
        this.isPasswordValidated = true;
        boolean z = false;
        if (str != null) {
            if (str.length() == 0) {
                boolean z2 = false;
                String str3 = (String) this.options.get(ALLOW_EMPTY_PASSWORDS);
                if (str3 != null) {
                    z2 = Boolean.valueOf(str3).booleanValue();
                }
                if (!z2) {
                    PicketBoxLogger.LOGGER.traceRejectingEmptyPassword();
                    return false;
                }
            }
            try {
                createLdapInitContext(getUsername(), str);
                defaultRole();
                z = true;
            } catch (Throwable th) {
                super.setValidateError(th);
            }
        }
        return z;
    }

    /**
     * Adds the {@code defaultRole} option value to the role group, if the
     * option is set and non-empty. Principal creation failures are logged
     * at debug level and otherwise ignored.
     */
    private void defaultRole() {
        String str = (String) this.options.get(DEFAULT_ROLE);
        if (str != null) {
            try {
                if (str.equals("")) {
                    return;
                }
                Principal createIdentity = super.createIdentity(str);
                PicketBoxLogger.LOGGER.traceAssignUserToRole(str);
                this.userRoles.addMember(createIdentity);
            } catch (Exception e) {
                PicketBoxLogger.LOGGER.debugFailureToCreatePrincipal(str, e);
            }
        }
    }

    /**
     * Reads the module options into fields, opens the administrative LDAP
     * context, resolves (and, when validating, binds as) the user, and runs
     * the role search.
     *
     * <p>The bind credential is resolved in order: password command
     * ({@code Util.isPasswordCommand}), then jaasSecurityDomain decoding when
     * {@code jaasSecurityDomain} is set, then vault lookup when the value is in
     * vault format. The administrative context is closed on both the normal
     * and the exceptional path; the inner {@code catch (Exception e3)} that
     * rethrows unchanged is a decompilation artefact with no effect.
     *
     * @param str the username
     * @param obj the user's credential, or null when only roles are being looked up
     * @return always true on success
     * @throws Exception any failure from option decoding or the LDAP interaction
     */
    private boolean createLdapInitContext(String str, Object obj) throws Exception {
        this.bindDN = (String) this.options.get(BIND_DN);
        this.bindCredential = (String) this.options.get("bindCredential");
        if (this.bindCredential != null && org.jboss.security.Util.isPasswordCommand(this.bindCredential)) {
            this.bindCredential = new String(org.jboss.security.Util.loadPassword(this.bindCredential));
        }
        String str2 = (String) this.options.get(SECURITY_DOMAIN_OPT);
        if (str2 != null) {
            // NOTE(review): bindCredential is not null-checked before decoding here — confirm DecodeAction.decode tolerates null
            this.bindCredential = new String(DecodeAction.decode(this.bindCredential, new ObjectName(str2)));
        }
        if (this.bindCredential != null && SecurityVaultUtil.isVaultFormat(this.bindCredential)) {
            this.bindCredential = SecurityVaultUtil.getValueAsString(this.bindCredential);
        }
        this.baseDN = (String) this.options.get(BASE_CTX_DN);
        this.baseFilter = (String) this.options.get(BASE_FILTER_OPT);
        this.roleFilter = (String) this.options.get(ROLE_FILTER_OPT);
        this.roleAttributeID = (String) this.options.get(ROLE_ATTRIBUTE_ID_OPT);
        if (this.roleAttributeID == null) {
            this.roleAttributeID = "role";
        }
        this.roleAttributeIsDN = Boolean.valueOf((String) this.options.get(ROLE_ATTRIBUTE_IS_DN_OPT)).booleanValue();
        this.roleNameAttributeID = (String) this.options.get(ROLE_NAME_ATTRIBUTE_ID_OPT);
        if (this.roleNameAttributeID == null) {
            this.roleNameAttributeID = "name";
        }
        this.referralUserAttributeIDToCheck = (String) this.options.get(REFERRAL_USER_ATTRIBUTE_ID_TO_CHECK);
        this.parseRoleNameFromDN = Boolean.valueOf((String) this.options.get(PARSE_ROLE_NAME_FROM_DN_OPT)).booleanValue();
        this.rolesCtxDN = (String) this.options.get(ROLES_CTX_DN_OPT);
        try {
            // A missing option yields parseInt(null), which also throws NumberFormatException -> recursion stays 0.
            this.recursion = Integer.parseInt((String) this.options.get(ROLE_RECURSION));
        } catch (NumberFormatException e) {
            PicketBoxLogger.LOGGER.debugFailureToParseNumberProperty(ROLE_RECURSION, 0L);
            this.recursion = 0;
        }
        String str3 = (String) this.options.get(SEARCH_TIME_LIMIT_OPT);
        if (str3 != null) {
            try {
                this.searchTimeLimit = Integer.parseInt(str3);
            } catch (NumberFormatException e2) {
                // Unparseable value: keep the current (default) limit.
                PicketBoxLogger.LOGGER.debugFailureToParseNumberProperty(SEARCH_TIME_LIMIT_OPT, this.searchTimeLimit);
            }
        }
        // Scope names map to the SearchControls constants: OBJECT_SCOPE=0, ONELEVEL_SCOPE=1, SUBTREE_SCOPE=2.
        // Any other (or absent) value leaves the field at its default.
        String str4 = (String) this.options.get("searchScope");
        if ("OBJECT_SCOPE".equalsIgnoreCase(str4)) {
            this.searchScope = 0;
        } else if ("ONELEVEL_SCOPE".equalsIgnoreCase(str4)) {
            this.searchScope = 1;
        }
        if ("SUBTREE_SCOPE".equalsIgnoreCase(str4)) {
            this.searchScope = 2;
        }
        this.distinguishedNameAttribute = (String) this.options.get(DISTINGUISHED_NAME_ATTRIBUTE_OPT);
        if (this.distinguishedNameAttribute == null) {
            this.distinguishedNameAttribute = "distinguishedName";
        }
        InitialLdapContext initialLdapContext = null;
        try {
            try {
                initialLdapContext = constructInitialLdapContext(this.bindDN, this.bindCredential);
                String bindDNAuthentication = bindDNAuthentication(initialLdapContext, str, obj, this.baseDN, this.baseFilter);
                SearchControls searchControls = new SearchControls();
                searchControls.setSearchScope(this.searchScope);
                searchControls.setTimeLimit(this.searchTimeLimit);
                // Also request the referral check attribute so getAttributesFromReferralEntity can see it.
                searchControls.setReturningAttributes(this.referralUserAttributeIDToCheck != null ? new String[]{this.roleAttributeID, this.referralUserAttributeIDToCheck} : new String[]{this.roleAttributeID});
                rolesSearch(initialLdapContext, searchControls, str, bindDNAuthentication, this.recursion, 0);
                if (initialLdapContext == null) {
                    return true;
                }
                initialLdapContext.close();
                return true;
            } catch (Exception e3) {
                throw e3;
            }
        } catch (Throwable th) {
            if (initialLdapContext != null) {
                initialLdapContext.close();
            }
            throw th;
        }
    }

    /**
     * Locates the user's entry and, when a password is being validated, binds
     * as that entry to verify the credential.
     *
     * <p>The search runs with subtree scope under {@code str2} using filter
     * {@code str3} with the username as {@code {0}}, returning only
     * {@code distinguishedNameAttribute}. Referrals are followed by retrying
     * on the referral context. Only the first result is used. The user DN is
     * taken from the DN attribute when present; otherwise, for a relative
     * result, it is built from the first component of the result name plus
     * {@code ","+str2}, and for an absolute (referral URL) result it is
     * obtained by {@link #bindDNReferralAuthentication}.
     *
     * <p>The bind as the user (the actual password check) happens only when
     * {@code isPasswordValidated} is true; the role-only path from
     * {@link #getRoleSets()} skips it.
     *
     * @param initialLdapContext context bound with the administrative credentials
     * @param str  the username
     * @param obj  the user's credential, may be null on the role-only path
     * @param str2 the base context DN to search under
     * @param str3 the search filter
     * @return the resolved user DN
     * @throws NamingException if the entry is not found, the referral cannot be followed, or the bind fails
     */
    protected String bindDNAuthentication(InitialLdapContext initialLdapContext, String str, Object obj, String str2, String str3) throws NamingException {
        Attribute attribute;
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(2);
        searchControls.setTimeLimit(this.searchTimeLimit);
        searchControls.setReturningAttributes(new String[]{this.distinguishedNameAttribute});
        NamingEnumeration namingEnumeration = null;
        Object[] objArr = {str};
        InitialLdapContext initialLdapContext2 = initialLdapContext;
        boolean z = true;
        SearchResult searchResult = null;
        // Loop terminates only when a search completes without a ReferralException;
        // NOTE(review): a referral chain that keeps referring would not terminate here.
        while (z) {
            try {
                namingEnumeration = initialLdapContext2.search(str2, str3, objArr, searchControls);
                if (namingEnumeration.hasMore()) {
                    searchResult = (SearchResult) namingEnumeration.next();
                }
                z = false;
            } catch (ReferralException e) {
                // Retry the same search against the referred-to context.
                initialLdapContext2 = (LdapContext) e.getReferralContext();
                if (namingEnumeration != null) {
                    namingEnumeration.close();
                }
            }
        }
        if (searchResult == null) {
            namingEnumeration.close();
            throw PicketBoxMessages.MESSAGES.failedToFindBaseContextDN(str2);
        }
        String name = searchResult.getName();
        String str4 = null;
        Attributes attributes = searchResult.getAttributes();
        if (attributes != null && (attribute = attributes.get(this.distinguishedNameAttribute)) != null) {
            str4 = (String) attribute.get();
        }
        namingEnumeration.close();
        if (str4 == null) {
            if (searchResult.isRelative()) {
                // Relative result: DN = first name component + "," + base (no comma when the base is empty).
                str4 = new CompositeName(name).get(0) + ("".equals(str2) ? "" : "," + str2);
                if (this.isPasswordValidated) {
                    constructInitialLdapContext(str4, obj).close();
                }
            } else {
                // Absolute result (referral URL): bind against the referred server to authenticate.
                str4 = bindDNReferralAuthentication(searchResult.getName(), obj);
                if (str4 == null) {
                    throw PicketBoxMessages.MESSAGES.unableToFollowReferralForAuth(name);
                }
            }
        } else if (this.isPasswordValidated) {
            constructInitialLdapContext(str4, obj).close();
        }
        return str4;
    }

    /**
     * Authenticates the user against the server named in a referral URL.
     *
     * <p>The URL's path (minus the leading "/") is taken as the user DN and a
     * bind is attempted at {@code scheme://authority} with that DN and the
     * supplied credential. Note that the target host here comes from the
     * directory's referral response, so the user credential is sent to
     * whatever server the directory names.
     *
     * @param str the referral URL returned by the search
     * @param obj the user's credential
     * @return the DN extracted from the URL
     * @throws NamingException if the URL cannot be parsed or the bind fails
     */
    private String bindDNReferralAuthentication(String str, Object obj) throws NamingException {
        try {
            URI uri = new URI(str);
            // NOTE(review): getPath() is not checked; a URL without a path would fail here with an unchecked exception.
            String substring = uri.getPath().substring(1);
            new InitialLdapContext(constructLdapContextEnvironment(uri.getScheme() + SecUtil.PROTOCOL_DELIM + uri.getAuthority(), substring, obj), (Control[]) null).close();
            return substring;
        } catch (URISyntaxException e) {
            throw PicketBoxMessages.MESSAGES.unableToParseReferralAbsoluteName(e, str);
        }
    }

    /**
     * Searches the roles context for entries matching the user and adds the
     * resulting roles; recurses into matched entries up to {@code i} levels.
     *
     * <p>Does nothing unless both {@code rolesCtxDN} and {@code roleFilter}
     * are configured. Filter arguments are {@code {0}}=username and
     * {@code {1}}=user DN (surrounding quotes stripped). For each result:
     * <ul>
     * <li>at depth 0, when role values are DNs and a role-name attribute is
     *     configured, the matched entry itself is treated as a role: its name
     *     is either parsed from its DN or fetched via {@code roleNameAttributeID};</li>
     * <li>each value of {@code roleAttributeID} is then added — parsed from the
     *     DN, looked up via {@code roleNameAttributeID} (lookup failures logged
     *     and skipped), or added verbatim, depending on the two flags;</li>
     * <li>if {@code i2 < i}, the search repeats with the matched entry's DN as {@code {1}}.</li>
     * </ul>
     * Non-relative (referral) results are only consulted through
     * {@link #getAttributesFromReferralEntity}.
     *
     * <p>NOTE(review): this is decompiled output. After a ReferralException is
     * caught the enumeration is closed and {@code z} is cleared at the end of
     * the same pass, so the referral context does not appear to be searched
     * again — confirm against the upstream source. Also, {@code attribute2}
     * is not null-checked; an entry lacking {@code roleAttributeID} raises a
     * NullPointerException that propagates to the caller.
     *
     * @param ldapContext    context to search with
     * @param searchControls scope/time limit/returning attributes for the role search
     * @param str            the username
     * @param str2           the user DN (or, on recursion, the DN of the matched entry)
     * @param i              maximum recursion depth
     * @param i2             current depth, 0 at the top level
     * @throws NamingException on directory errors not handled internally
     */
    protected void rolesSearch(LdapContext ldapContext, SearchControls searchControls, String str, String str2, int i, int i2) throws NamingException {
        Attributes attributesFromReferralEntity;
        if (this.rolesCtxDN == null || this.roleFilter == null) {
            return;
        }
        LdapContext ldapContext2 = ldapContext;
        Object[] objArr = {str, sanitizeDN(str2)};
        boolean z = true;
        while (z) {
            NamingEnumeration search = ldapContext2.search(this.rolesCtxDN, this.roleFilter, objArr, searchControls);
            while (search.hasMore()) {
                try {
                    try {
                        SearchResult searchResult = (SearchResult) search.next();
                        // Relative names are made absolute by appending the roles context DN.
                        String canonicalize = searchResult.isRelative() ? canonicalize(searchResult.getName()) : searchResult.getNameInNamespace();
                        if (i2 == 0 && this.roleAttributeIsDN && this.roleNameAttributeID != null) {
                            if (this.parseRoleNameFromDN) {
                                parseRole(canonicalize);
                            } else {
                                Attributes attributes = searchResult.isRelative() ? ldapContext2.getAttributes(quoteDN(canonicalize), new String[]{this.roleNameAttributeID}) : getAttributesFromReferralEntity(searchResult, str, str2);
                                Attribute attribute = attributes != null ? attributes.get(this.roleNameAttributeID) : null;
                                if (attribute != null) {
                                    for (int i3 = 0; i3 < attribute.size(); i3++) {
                                        addRole((String) attribute.get(i3));
                                    }
                                }
                            }
                        }
                        String[] strArr = {this.roleAttributeID};
                        if (searchResult.isRelative()) {
                            attributesFromReferralEntity = searchResult.getAttributes();
                            // Some servers return no attributes with the search result; fetch them explicitly.
                            if (attributesFromReferralEntity.size() == 0) {
                                attributesFromReferralEntity = ldapContext2.getAttributes(quoteDN(canonicalize), strArr);
                            }
                        } else {
                            attributesFromReferralEntity = getAttributesFromReferralEntity(searchResult, str, str2);
                        }
                        if (attributesFromReferralEntity != null && attributesFromReferralEntity.size() > 0) {
                            Attribute attribute2 = attributesFromReferralEntity.get(this.roleAttributeID);
                            for (int i4 = 0; i4 < attribute2.size(); i4++) {
                                String str3 = (String) attribute2.get(i4);
                                if (this.roleAttributeIsDN && this.parseRoleNameFromDN) {
                                    parseRole(str3);
                                } else if (this.roleAttributeIsDN) {
                                    String quoteDN = quoteDN(str3);
                                    try {
                                        Attributes attributes2 = searchResult.isRelative() ? ldapContext2.getAttributes(quoteDN, new String[]{this.roleNameAttributeID}) : getAttributesFromReferralEntity(searchResult, str, str2);
                                        Attribute attribute3 = attributes2 != null ? attributes2.get(this.roleNameAttributeID) : null;
                                        if (attribute3 != null) {
                                            for (int i5 = 0; i5 < attribute3.size(); i5++) {
                                                addRole((String) attribute3.get(i5));
                                            }
                                        }
                                    } catch (NamingException e) {
                                        // A role DN that cannot be read is skipped rather than failing the login.
                                        PicketBoxLogger.LOGGER.debugFailureToQueryLDAPAttribute(this.roleNameAttributeID, quoteDN, e);
                                    }
                                } else {
                                    addRole(str3);
                                }
                            }
                        }
                        if (i2 < i) {
                            rolesSearch(ldapContext2, searchControls, str, canonicalize, i, i2 + 1);
                        }
                    } catch (ReferralException e2) {
                        ldapContext2 = (LdapContext) e2.getReferralContext();
                        if (search != null) {
                            search.close();
                        }
                    }
                } catch (Throwable th) {
                    if (search != null) {
                        search.close();
                    }
                    throw th;
                }
            }
            z = false;
            if (search != null) {
                search.close();
            }
        }
    }

    /**
     * Strips one pair of surrounding double quotes from a DN, if present.
     *
     * @param str the DN, may be null
     * @return the unquoted DN, or the input unchanged
     */
    private String sanitizeDN(String str) {
        return (str != null && str.startsWith("\"") && str.endsWith("\"")) ? str.substring(1, str.length() - 1) : str;
    }

    /**
     * Wraps a DN in double quotes when it contains a "/" (which JNDI would
     * otherwise treat as a composite-name separator) and is not already
     * quoted at either end.
     *
     * @param str the DN, may be null
     * @return the possibly quoted DN
     */
    private String quoteDN(String str) {
        return (str == null || str.startsWith("\"") || str.endsWith("\"") || str.indexOf("/") <= -1) ? str : "\"" + str + "\"";
    }

    /**
     * Returns the attributes of a referral search result only if it can be
     * tied to the current user.
     *
     * <p>When {@code referralUserAttributeIDToCheck} is configured, the
     * result's attributes are returned iff one of that attribute's values
     * equals one of {@code strArr} (callers pass the username and the user
     * DN). When the option is not configured, or nothing matches, null is
     * returned and the referral result contributes no roles.
     *
     * @param searchResult a non-relative search result
     * @param strArr       the values any of which identifies the user
     * @return the result's attributes, or null
     * @throws NamingException if reading attribute values fails
     */
    private Attributes getAttributesFromReferralEntity(SearchResult searchResult, String... strArr) throws NamingException {
        Attributes attributes = searchResult.getAttributes();
        boolean z = false;
        if (this.referralUserAttributeIDToCheck != null) {
            Attribute attribute = attributes.get(this.referralUserAttributeIDToCheck);
            int i = 0;
            // Stop at the first attribute value that equals any of the expected strings.
            loop0: while (true) {
                if (attribute == null || i >= attribute.size()) {
                    break;
                }
                String str = (String) attribute.get(i);
                for (String str2 : strArr) {
                    if (str2.equals(str)) {
                        z = true;
                        break loop0;
                    }
                }
                i++;
            }
        }
        if (z) {
            return attributes;
        }
        return null;
    }

    /**
     * Opens an LDAP context bound as {@code str} with credential {@code obj}.
     *
     * <p>The provider URL comes from the {@code java.naming.provider.url}
     * option. When absent it defaults to the local host: port 636 if
     * {@code java.naming.security.protocol} is "ssl", otherwise port 389 —
     * i.e. a plaintext connection unless the protocol option is set.
     *
     * @param str the DN to bind as, may be null
     * @param obj the credential, may be null
     * @return the opened context; the caller is responsible for closing it
     * @throws NamingException if the bind fails
     */
    private InitialLdapContext constructInitialLdapContext(String str, Object obj) throws NamingException {
        String str2 = (String) this.options.get("java.naming.security.protocol");
        String str3 = (String) this.options.get("java.naming.provider.url");
        if (str3 == null) {
            str3 = "ldap://localhost:" + ((str2 == null || !str2.equals("ssl")) ? "389" : "636");
        }
        return new InitialLdapContext(constructLdapContextEnvironment(str3, str, obj), (Control[]) null);
    }

    /**
     * Builds the JNDI environment for a context: all module options, with
     * defaults for the context factory ({@code com.sun.jndi.ldap.LdapCtxFactory})
     * and simple authentication, then the URL, principal and credentials
     * given here (each only when non-null). The environment is traced with
     * credentials masked.
     *
     * @param str  provider URL
     * @param str2 security principal (bind DN)
     * @param obj  security credentials
     * @return the populated environment
     */
    private Properties constructLdapContextEnvironment(String str, String str2, Object obj) {
        Properties properties = new Properties();
        for (Map.Entry entry : this.options.entrySet()) {
            properties.put(entry.getKey(), entry.getValue());
        }
        if (properties.getProperty("java.naming.factory.initial") == null) {
            properties.setProperty("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        }
        if (properties.getProperty("java.naming.security.authentication") == null) {
            properties.setProperty("java.naming.security.authentication", "simple");
        }
        if (str != null) {
            properties.setProperty("java.naming.provider.url", str);
        }
        if (str2 != null) {
            properties.setProperty("java.naming.security.principal", str2);
        }
        if (obj != null) {
            properties.put("java.naming.security.credentials", obj);
        }
        traceLDAPEnv(properties);
        return properties;
    }

    /**
     * Logs the LDAP environment at trace level with the
     * {@code java.naming.security.credentials} and {@code bindCredential}
     * entries replaced by a mask, working on a copy so the real environment
     * is untouched.
     *
     * @param properties the environment to trace
     */
    private void traceLDAPEnv(Properties properties) {
        Properties properties2 = new Properties();
        properties2.putAll(properties);
        if (properties2.containsKey("java.naming.security.credentials")) {
            properties2.setProperty("java.naming.security.credentials", "******");
        }
        if (properties2.containsKey("bindCredential")) {
            properties2.setProperty("bindCredential", "******");
        }
        PicketBoxLogger.LOGGER.traceLDAPConnectionEnv(properties2);
    }

    /**
     * Makes a relative result name absolute by appending {@code ","+rolesCtxDN}
     * (nothing when the roles context DN is empty). If the name ends with a
     * double quote, the suffix is inserted before that closing quote.
     *
     * @param str relative name from a search result
     * @return the absolute DN
     */
    private String canonicalize(String str) {
        int length = str.length();
        String str2 = "" + ("".equals(this.rolesCtxDN) ? "" : "," + this.rolesCtxDN);
        return str.endsWith("\"") ? str.substring(0, length - 1) + str2 + "\"" : str + str2;
    }

    /**
     * Creates a principal for the role name and adds it to the "Roles" group.
     * Null names are ignored; principal creation failures are logged at debug level.
     *
     * @param str the role name
     */
    private void addRole(String str) {
        if (str != null) {
            try {
                Principal createIdentity = super.createIdentity(str);
                PicketBoxLogger.LOGGER.traceAssignUserToRole(str);
                this.userRoles.addMember(createIdentity);
            } catch (Exception e) {
                PicketBoxLogger.LOGGER.debugFailureToCreatePrincipal(str, e);
            }
        }
    }

    /** Parses role names out of a DN using {@code roleNameAttributeID} as the RDN type. */
    private void parseRole(String str) {
        parseRole(str, this.roleNameAttributeID);
    }

    /**
     * Splits a DN on "," and, for every RDN whose text contains {@code str2},
     * adds the part after the first "=" as a role.
     *
     * <p>The match is a substring test ({@code indexOf}), not an exact RDN
     * type comparison, so RDN types that merely contain {@code str2} also
     * match. NOTE(review): an RDN without "=" would make the second
     * {@code nextToken()} throw; not guarded here.
     *
     * @param str  the DN to parse
     * @param str2 the attribute name to look for in each RDN
     */
    private void parseRole(String str, String str2) {
        StringTokenizer stringTokenizer = new StringTokenizer(str, ",");
        while (stringTokenizer != null && stringTokenizer.hasMoreTokens()) {
            String nextToken = stringTokenizer.nextToken();
            if (nextToken.indexOf(str2) > -1) {
                StringTokenizer stringTokenizer2 = new StringTokenizer(nextToken, "=");
                stringTokenizer2.nextToken();
                addRole(stringTokenizer2.nextToken());
            }
        }
    }

    /**
     * Returns the username, optionally trimmed.
     *
     * <p>When the {@code parseUsername} option is "true", the returned value
     * is the substring after the first occurrence of {@code usernameBeginString}
     * (from the start if that option is unset, empty or not found) up to the
     * next occurrence of {@code usernameEndString} (to the end if unset, empty
     * or not found). This trimmed value is what the user search and role
     * search use as {@code {0}}.
     *
     * @return the (possibly trimmed) username
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.jboss.security.auth.spi.UsernamePasswordLoginModule
    public String getUsername() {
        String username = super.getUsername();
        this.parseUsername = Boolean.valueOf((String) this.options.get(PARSE_USERNAME)).booleanValue();
        if (this.parseUsername) {
            this.usernameBeginString = (String) this.options.get(USERNAME_BEGIN_STRING);
            this.usernameEndString = (String) this.options.get(USERNAME_END_STRING);
            int i = -1;
            if (this.usernameBeginString != null && !this.usernameBeginString.equals("")) {
                i = username.indexOf(this.usernameBeginString);
            }
            int length = i == -1 ? 0 : i + this.usernameBeginString.length();
            if (this.usernameEndString == null || this.usernameEndString.equals("")) {
                return username.substring(length, username.length());
            }
            int indexOf = username.indexOf(this.usernameEndString, length);
            if (indexOf == -1) {
                indexOf = username.length();
            }
            username = username.substring(length, indexOf);
        }
        return username;
    }
}
