package net.shibboleth.idp.authn.impl;

import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import net.shibboleth.idp.authn.AbstractUsernamePasswordCredentialValidator;
import net.shibboleth.idp.authn.CredentialValidator;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.LDAPResponseContext;
import net.shibboleth.idp.authn.context.UsernamePasswordContext;
import net.shibboleth.shared.annotation.constraint.NonnullAfterInit;
import net.shibboleth.shared.annotation.constraint.ThreadSafeAfterInit;
import net.shibboleth.shared.component.ComponentInitializationException;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.LoggerFactory;
import org.apache.velocity.VelocityContext;
import org.ldaptive.Credential;
import org.ldaptive.LdapException;
import org.ldaptive.ResultCode;
import org.ldaptive.auth.AuthenticationRequest;
import org.ldaptive.auth.AuthenticationResponse;
import org.ldaptive.auth.AuthenticationResultCode;
import org.ldaptive.auth.Authenticator;
import org.ldaptive.auth.User;
import org.ldaptive.jaas.LdapPrincipal;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;

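/**
 * A {@link CredentialValidator} that checks a username/password pair against an LDAP directory
 * through an ldaptive {@link Authenticator}.
 *
 * <p>The transformed username is handed to the authenticator together with a Velocity context
 * that exposes the {@link UsernamePasswordContext} to the authenticator's templates. Whatever the
 * directory answers is recorded in an {@link LDAPResponseContext} under the
 * {@link AuthenticationContext}; a successful response is turned into a {@link Subject} carrying an
 * {@link LdapPrincipal}, a failed one is reported to the error handler and raised as an
 * {@link LdapException}.</p>
 *
 * <p>The password is read from the {@link UsernamePasswordContext} unless a
 * {@link #setPasswordLookupStrategy(Function) password lookup strategy} has been configured.</p>
 */
@ThreadSafeAfterInit
public class LDAPCredentialValidator extends AbstractUsernamePasswordCredentialValidator {

    /** Event signalled when the directory rejects the password or cannot resolve the user. */
    @Nonnull private static final String EVENT_INVALID_CREDENTIALS = "InvalidCredentials";

    /** Event signalled when the bind failed because of the account's state (locked, expired, ...). */
    @Nonnull private static final String EVENT_ACCOUNT_ERROR = "AccountError";

    /** Event signalled for a successful login whose account state carries a warning. */
    @Nonnull private static final String EVENT_ACCOUNT_WARNING = "AccountWarning";

    /** Event signalled for any other directory failure, including connectivity errors. */
    @Nonnull private static final String EVENT_AUTHN_EXCEPTION = "AuthenticationException";

    /** Placeholder used in the warning text when the account state has no explicit error. */
    @Nonnull private static final String DEFAULT_ACCOUNT_WARNING = "ACCOUNT_WARNING";

    /** Class logger. */
    @Nonnull private final Logger log = LoggerFactory.getLogger(LDAPCredentialValidator.class);

    /** Performs the actual directory authentication; mandatory. */
    @NonnullAfterInit private Authenticator authenticator;

    /** Attributes to fetch from the resolved entry alongside the bind; {@code null} means the authenticator's default. */
    @Nullable private String[] returnAttributes;

    /** Optional source of the password, overriding the one in the {@link UsernamePasswordContext}. */
    @Nullable private Function<ProfileRequestContext, char[]> passwordLookupStrategy;

    /**
     * Get the authenticator used to contact the directory.
     *
     * @return the authenticator
     */
    @NonnullAfterInit
    public Authenticator getAuthenticator() {
        return authenticator;
    }

    /**
     * Set the authenticator used to contact the directory.
     *
     * @param auth the authenticator, never null
     */
    public void setAuthenticator(@Nonnull final Authenticator auth) {
        checkSetterPreconditions();
        authenticator = Constraint.isNotNull(auth, "Authenticator cannot be null");
    }

    /**
     * Get the attributes requested from the directory on a successful bind.
     *
     * @return a copy of the configured attribute names, or null if none were set
     */
    @Nullable
    public String[] getReturnAttributes() {
        // Copy so callers cannot mutate the shared configuration of a thread-safe component.
        return returnAttributes != null ? returnAttributes.clone() : null;
    }

    /**
     * Set the attributes requested from the directory on a successful bind.
     *
     * @param attributes attribute names, or null for the authenticator's default
     */
    public void setReturnAttributes(@Nullable final String... attributes) {
        checkSetterPreconditions();
        // Defensive copy: the array is read concurrently after initialization.
        returnAttributes = attributes != null ? attributes.clone() : null;
    }

    /**
     * Set a strategy that supplies the password from the request context instead of the
     * {@link UsernamePasswordContext}.
     *
     * @param strategy the lookup strategy, or null to use the password in the context
     */
    public void setPasswordLookupStrategy(@Nullable final Function<ProfileRequestContext, char[]> strategy) {
        checkSetterPreconditions();
        passwordLookupStrategy = strategy;
    }

    /** {@inheritDoc} */
    @Override
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (authenticator == null) {
            throw new ComponentInitializationException("Authenticator cannot be null");
        }
    }

    /** {@inheritDoc} */
    @Override
    protected void doDestroy() {
        super.doDestroy();
    }

    /**
     * {@inheritDoc}
     *
     * <p>Authenticates the transformed username against the directory. The raw
     * {@link AuthenticationResponse} is always stored in an {@link LDAPResponseContext}. On
     * success the optional warning handler is told about any account-state warning and a
     * {@link Subject} is returned. On failure the error handler (if any) is given the resulting
     * {@link LdapException} together with the event to signal, and the exception is thrown.</p>
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     * @param usernamePasswordContext the credentials; the transformed username is used
     * @param warningHandler optional handler for account-state warnings on successful logins
     * @param errorHandler optional handler for failed logins and directory errors
     *
     * @return a subject holding an {@link LdapPrincipal} for the authenticated user
     * @throws Exception if the login is rejected or the directory cannot be contacted
     */
    @Override
    @Nullable
    protected Subject doValidate(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext,
            @Nonnull final UsernamePasswordContext usernamePasswordContext,
            @Nullable final CredentialValidator.WarningHandler warningHandler,
            @Nullable final CredentialValidator.ErrorHandler errorHandler) throws Exception {

        final String username = usernamePasswordContext.getTransformedUsername();
        log.debug("{} Attempting to authenticate user {}", getLogPrefix(), username);

        // The context is exposed to the authenticator's Velocity templates. The username is
        // untrusted input; any filter built from it is assumed to be parameterised/escaped by the
        // authenticator's resolver configuration, not by this class — confirm in the IdP config.
        final VelocityContext templateContext = new VelocityContext();
        templateContext.put("usernamePasswordContext", usernamePasswordContext);

        final char[] password = lookupPassword(profileRequestContext, usernamePasswordContext);

        // Only the directory round-trip is guarded. A rejected login is thrown *after* this block on
        // purpose: raising it from inside the try would route it through the catch below, logging a
        // plain bad password at ERROR with a stack trace and reporting it to the error handler a
        // second time as an "AuthenticationException", which can override the more specific event.
        final AuthenticationResponse response;
        try {
            response = authenticator.authenticate(new AuthenticationRequest(
                    new User(username, templateContext), new Credential(password), returnAttributes));
        } catch (final LdapException e) {
            log.error("{} Error attempting LDAP authentication for '{}'", getLogPrefix(), username, e);
            if (errorHandler != null) {
                errorHandler.handleError(profileRequestContext, authenticationContext, e, EVENT_AUTHN_EXCEPTION);
            }
            throw e;
        }

        // NOTE(review): the response's string form may include the resolved entry (i.e. any
        // returnAttributes), so DEBUG output can carry directory attribute values.
        log.debug("{} Authentication response {}", getLogPrefix(), response);
        authenticationContext.ensureSubcontext(LDAPResponseContext.class).setAuthenticationResponse(response);

        if (response.isSuccess()) {
            log.info("{} Login by '{}' succeeded", getLogPrefix(), username);
            reportAccountWarning(profileRequestContext, authenticationContext, response, warningHandler);
            return populateSubject(usernamePasswordContext, response);
        }

        final String eventToSignal;
        final LdapException failure;
        final AuthenticationResultCode authnCode = response.getAuthenticationResultCode();
        if (AuthenticationResultCode.DN_RESOLUTION_FAILURE == authnCode
                || AuthenticationResultCode.INVALID_CREDENTIAL == authnCode) {
            // Unknown user and wrong password are deliberately reported as the same event so the
            // user-facing outcome does not reveal which of the two it was.
            eventToSignal = EVENT_INVALID_CREDENTIALS;
            failure = new LdapException(String.format("%s:%s", authnCode, response.getDiagnosticMessage()));
        } else if (response.getAccountState() != null) {
            eventToSignal = EVENT_ACCOUNT_ERROR;
            failure = new LdapException(response.getResultCode(), String.format("%s:%s:%s",
                    response.getAccountState().getError(), response.getResultCode(),
                    response.getDiagnosticMessage()));
        } else if (response.getResultCode() == ResultCode.INVALID_CREDENTIALS) {
            eventToSignal = EVENT_INVALID_CREDENTIALS;
            failure = new LdapException(response.getResultCode(), String.format("%s:%s",
                    response.getResultCode(), response.getDiagnosticMessage()));
        } else {
            eventToSignal = EVENT_AUTHN_EXCEPTION;
            failure = new LdapException(response.getResultCode(), String.format("%s:%s",
                    response.getResultCode(), response.getDiagnosticMessage()));
        }

        log.info("{} Login by '{}' failed", getLogPrefix(), username, failure);
        if (errorHandler != null) {
            errorHandler.handleError(profileRequestContext, authenticationContext, failure, eventToSignal);
        }
        throw failure;
    }

    /**
     * Obtain the password to bind with, from the lookup strategy if one is configured, otherwise
     * from the username/password context.
     *
     * @param profileRequestContext current profile request context
     * @param usernamePasswordContext context holding the submitted password
     *
     * @return the password characters (a strategy-supplied array may be null; not checked here)
     */
    @Nullable
    private char[] lookupPassword(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final UsernamePasswordContext usernamePasswordContext) {
        if (passwordLookupStrategy != null) {
            return passwordLookupStrategy.apply(profileRequestContext);
        }
        final String submitted = usernamePasswordContext.getPassword();
        // A null password here is a programming error in the caller, not a user error.
        assert submitted != null;
        return submitted.toCharArray();
    }

    /**
     * Pass an account-state warning (e.g. imminent password expiry) to the warning handler, if the
     * successful response carries one and a handler is present.
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     * @param response the successful authentication response
     * @param warningHandler handler to notify, may be null
     */
    private void reportAccountWarning(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext,
            @Nonnull final AuthenticationResponse response,
            @Nullable final CredentialValidator.WarningHandler warningHandler) {
        if (response.getAccountState() == null || warningHandler == null) {
            return;
        }
        final Object stateError = response.getAccountState().getError();
        final String message = String.format("%s:%s:%s",
                stateError != null ? stateError : DEFAULT_ACCOUNT_WARNING,
                response.getResultCode(), response.getDiagnosticMessage());
        warningHandler.handleWarning(profileRequestContext, authenticationContext, message, EVENT_ACCOUNT_WARNING);
    }

    /**
     * Build the subject for an authenticated user: an {@link LdapPrincipal} for the transformed
     * username and resolved entry, then whatever the superclass adds.
     *
     * @param usernamePasswordContext the validated credentials
     * @param authenticationResponse the successful directory response
     *
     * @return the populated subject
     */
    @Nonnull
    protected Subject populateSubject(@Nonnull final UsernamePasswordContext usernamePasswordContext,
            @Nonnull final AuthenticationResponse authenticationResponse) {
        final Subject subject = new Subject();
        subject.getPrincipals().add(new LdapPrincipal(usernamePasswordContext.getTransformedUsername(),
                authenticationResponse.getLdapEntry()));
        return super.populateSubject(subject, usernamePasswordContext);
    }
}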
