package org.opends.server.extensions;

import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.List;
import java.util.concurrent.locks.Lock;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.ietf.jgss.GSSException;
import org.opends.messages.ExtensionMessages;
import org.opends.messages.Message;
import org.opends.server.api.ClientConnection;
import org.opends.server.api.IdentityMapper;
import org.opends.server.core.AccessControlConfigManager;
import org.opends.server.core.BindOperation;
import org.opends.server.core.DirectoryServer;
import org.opends.server.core.PasswordPolicyState;
import org.opends.server.loggers.debug.DebugLogger;
import org.opends.server.loggers.debug.DebugTracer;
import org.opends.server.protocols.internal.InternalClientConnection;
import org.opends.server.protocols.ldap.LDAPClientConnection;
import org.opends.server.types.AuthenticationInfo;
import org.opends.server.types.ByteString;
import org.opends.server.types.DN;
import org.opends.server.types.DebugLogLevel;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
import org.opends.server.types.LockManager;
import org.opends.server.types.Privilege;
import org.opends.server.types.ResultCode;
import org.opends.server.util.ServerConstants;
import org.opends.server.util.StaticUtils;

/* loaded from: input_file:org/opends/server/extensions/SASLContext.class */
public class SASLContext implements CallbackHandler, PrivilegedExceptionAction<Boolean> {
    private static final DebugTracer TRACER = DebugLogger.getTracer();
    private final IdentityMapper<?> identityMapper;
    private HashMap<String, String> saslProps;
    private String serverFQDN;
    private final String mechanism;
    private String userName;
    private Message cbMsg;
    private BindOperation bindOp;
    private SaslServer saslServer = null;
    private Entry authEntry = null;
    private Entry authzEntry = null;
    private final String confidentiality = "auth-conf";
    private final String integrity = "auth-int";

    private SASLContext(HashMap<String, String> hashMap, String str, String str2, IdentityMapper<?> identityMapper) throws SaslException {
        this.identityMapper = identityMapper;
        this.mechanism = str2;
        this.saslProps = hashMap;
        this.serverFQDN = str;
        if (str2.equals(ServerConstants.SASL_MECHANISM_DIGEST_MD5)) {
            initSASLServer();
        }
    }

    public static SASLContext createSASLContext(HashMap<String, String> hashMap, String str, String str2, IdentityMapper<?> identityMapper) throws SaslException {
        return new SASLContext(hashMap, str, str2, identityMapper);
    }

    private void initSASLServer() throws SaslException {
        this.saslServer = Sasl.createSaslServer(this.mechanism, "ldap", this.serverFQDN, this.saslProps, this);
        if (this.saslServer == null) {
            throw new SaslException(Message.toString(ExtensionMessages.ERR_SASL_CREATE_SASL_SERVER_FAILED.get(this.mechanism, this.serverFQDN)));
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public byte[] wrap(byte[] bArr, int i, int i2) throws SaslException {
        return this.saslServer.wrap(bArr, i, i2);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public byte[] unwrap(byte[] bArr, int i, int i2) throws SaslException {
        return this.saslServer.unwrap(bArr, i, i2);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void dispose() {
        try {
            this.saslServer.dispose();
        } catch (SaslException e) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugCaught(DebugLogLevel.ERROR, e);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public int getBufSize(String str) {
        return Integer.parseInt((String) this.saslServer.getNegotiatedProperty(str));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public int getSSF() {
        int i;
        if (((String) this.saslServer.getNegotiatedProperty("javax.security.sasl.qop")).equalsIgnoreCase("auth-int")) {
            i = 1;
        } else {
            String str = (String) this.saslServer.getNegotiatedProperty("javax.security.sasl.strength");
            i = str.equalsIgnoreCase("low") ? 40 : str.equalsIgnoreCase("medium") ? 56 : 128;
        }
        return i;
    }

    boolean isBindComplete() {
        return this.saslServer.isComplete();
    }

    private boolean isConfidentialIntegrity() {
        boolean z = false;
        String str = (String) this.saslServer.getNegotiatedProperty("javax.security.sasl.qop");
        if (str.equalsIgnoreCase("auth-conf") || str.equalsIgnoreCase("auth-int")) {
            z = true;
        }
        return z;
    }

    private ByteString evaluateResponse(ByteString byteString) throws SaslException {
        if (byteString == null) {
            byteString = ByteString.empty();
        }
        byte[] evaluateResponse = this.saslServer.evaluateResponse(byteString.toByteArray());
        return evaluateResponse == null ? ByteString.empty() : ByteString.wrap(evaluateResponse);
    }

    private void handleError(Message message) {
        dispose();
        this.bindOp.getClientConnection().setSASLAuthStateInfo(null);
        if (this.cbMsg != null) {
            this.bindOp.setAuthFailureReason(this.cbMsg);
        } else {
            this.bindOp.setAuthFailureReason(message);
        }
        this.bindOp.setResultCode(ResultCode.INVALID_CREDENTIALS);
    }

    private boolean hasPrivilege(AuthenticationInfo authenticationInfo) {
        boolean z = true;
        if (!new InternalClientConnection(authenticationInfo).hasPrivilege(Privilege.PROXIED_AUTH, this.bindOp)) {
            setCallbackMsg(ExtensionMessages.ERR_SASL_AUTHZID_INSUFFICIENT_PRIVILEGES.get(String.valueOf(this.authEntry.getDN())));
            z = false;
        }
        return z;
    }

    private boolean hasPermission(AuthenticationInfo authenticationInfo) {
        boolean z = true;
        Entry entry = this.authzEntry;
        if (entry == null) {
            try {
                entry = DirectoryServer.getEntry(DN.nullDN());
            } catch (DirectoryException e) {
                return false;
            }
        }
        if (!AccessControlConfigManager.getInstance().getAccessControlHandler().mayProxy(authenticationInfo.getAuthenticationEntry(), entry, this.bindOp)) {
            setCallbackMsg(ExtensionMessages.ERR_SASL_AUTHZID_INSUFFICIENT_ACCESS.get(String.valueOf(this.authEntry.getDN())));
            z = false;
        }
        return z;
    }

    private void setCallbackMsg(Message message) {
        this.cbMsg = message;
    }

    @Override // javax.security.auth.callback.CallbackHandler
    public void handle(Callback[] callbackArr) throws UnsupportedCallbackException {
        for (Callback callback : callbackArr) {
            if (callback instanceof NameCallback) {
                nameCallback((NameCallback) callback);
            } else if (callback instanceof PasswordCallback) {
                passwordCallback((PasswordCallback) callback);
            } else if (callback instanceof RealmCallback) {
                realmCallback((RealmCallback) callback);
            } else {
                if (!(callback instanceof AuthorizeCallback)) {
                    throw new UnsupportedCallbackException(callback, ExtensionMessages.INFO_SASL_UNSUPPORTED_CALLBACK.get(this.mechanism, String.valueOf(callback)).toString());
                }
                authorizeCallback((AuthorizeCallback) callback);
            }
        }
    }

    private void realmCallback(RealmCallback realmCallback) {
    }

    private void authorizeCallback(AuthorizeCallback authorizeCallback) {
        String authorizationID = authorizeCallback.getAuthorizationID();
        if (this.authEntry == null) {
            String authenticationID = authorizeCallback.getAuthenticationID();
            try {
                this.authEntry = this.identityMapper.getEntryForID(authenticationID);
                if (this.authEntry == null) {
                    setCallbackMsg(ExtensionMessages.ERR_SASL_AUTHENTRY_NO_MAPPED_ENTRY.get(authenticationID));
                    authorizeCallback.setAuthorized(false);
                    return;
                }
                this.userName = authenticationID;
            } catch (DirectoryException e) {
                if (DebugLogger.debugEnabled()) {
                    TRACER.debugCaught(DebugLogLevel.ERROR, e);
                }
                setCallbackMsg(ExtensionMessages.ERR_SASL_CANNOT_MAP_AUTHENTRY.get(authenticationID, e.getMessage()));
                authorizeCallback.setAuthorized(false);
                return;
            }
        }
        if (authorizationID.length() == 0) {
            setCallbackMsg(ExtensionMessages.ERR_SASLDIGESTMD5_EMPTY_AUTHZID.get());
            authorizeCallback.setAuthorized(false);
        } else if (authorizationID.equals(this.userName)) {
            this.authzEntry = this.authEntry;
            authorizeCallback.setAuthorized(true);
        } else if (StaticUtils.toLowerCase(authorizationID).startsWith("dn:")) {
            authzDNCheck(authorizeCallback);
        } else {
            authzIDCheck(authorizeCallback);
        }
    }

    private void authzIDCheck(AuthorizeCallback authorizeCallback) {
        String authorizationID = authorizeCallback.getAuthorizationID();
        String lowerCase = StaticUtils.toLowerCase(authorizationID);
        authorizeCallback.setAuthorized(true);
        String substring = lowerCase.startsWith("u:") ? authorizationID.substring(2) : authorizationID;
        if (substring.length() == 0) {
            this.authzEntry = null;
        } else {
            try {
                this.authzEntry = this.identityMapper.getEntryForID(substring);
                if (this.authzEntry == null) {
                    setCallbackMsg(ExtensionMessages.ERR_SASL_AUTHZID_NO_MAPPED_ENTRY.get(authorizationID));
                    authorizeCallback.setAuthorized(false);
                    return;
                }
            } catch (DirectoryException e) {
                if (DebugLogger.debugEnabled()) {
                    TRACER.debugCaught(DebugLogLevel.ERROR, e);
                }
                setCallbackMsg(ExtensionMessages.ERR_SASL_AUTHZID_NO_MAPPED_ENTRY.get(authorizationID));
                authorizeCallback.setAuthorized(false);
                return;
            }
        }
        if (this.authzEntry == null || !this.authzEntry.getDN().equals(this.authEntry.getDN())) {
            AuthenticationInfo authenticationInfo = new AuthenticationInfo(this.authEntry, DirectoryServer.isRootDN(this.authEntry.getDN()));
            if (hasPrivilege(authenticationInfo)) {
                authorizeCallback.setAuthorized(hasPermission(authenticationInfo));
            } else {
                authorizeCallback.setAuthorized(false);
            }
        }
    }

    private void authzDNCheck(AuthorizeCallback authorizeCallback) {
        String authorizationID = authorizeCallback.getAuthorizationID();
        authorizeCallback.setAuthorized(true);
        try {
            DN decode = DN.decode(authorizationID.substring(3));
            DN actualRootBindDN = DirectoryServer.getActualRootBindDN(decode);
            if (actualRootBindDN != null) {
                decode = actualRootBindDN;
            }
            if (decode.equals(this.authEntry.getDN())) {
                return;
            }
            if (decode.isNullDN()) {
                this.authzEntry = null;
            } else {
                try {
                    Entry entry = DirectoryServer.getEntry(decode);
                    this.authzEntry = entry;
                    if (entry == null) {
                        setCallbackMsg(ExtensionMessages.ERR_SASL_AUTHZID_NO_SUCH_ENTRY.get(String.valueOf(decode)));
                        authorizeCallback.setAuthorized(false);
                        return;
                    }
                } catch (DirectoryException e) {
                    if (DebugLogger.debugEnabled()) {
                        TRACER.debugCaught(DebugLogLevel.ERROR, e);
                    }
                    setCallbackMsg(ExtensionMessages.ERR_SASL_AUTHZID_CANNOT_GET_ENTRY.get(String.valueOf(decode), e.getMessageObject()));
                    authorizeCallback.setAuthorized(false);
                    return;
                }
            }
            AuthenticationInfo authenticationInfo = new AuthenticationInfo(this.authEntry, DirectoryServer.isRootDN(this.authEntry.getDN()));
            if (hasPrivilege(authenticationInfo)) {
                authorizeCallback.setAuthorized(hasPermission(authenticationInfo));
            } else {
                authorizeCallback.setAuthorized(false);
            }
        } catch (DirectoryException e2) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugCaught(DebugLogLevel.ERROR, e2);
            }
            setCallbackMsg(ExtensionMessages.ERR_SASL_AUTHZID_INVALID_DN.get(authorizationID, e2.getMessageObject()));
            authorizeCallback.setAuthorized(false);
        }
    }

    private void passwordCallback(PasswordCallback passwordCallback) {
        if (this.authEntry == null) {
            setCallbackMsg(ExtensionMessages.ERR_SASL_NO_MATCHING_ENTRIES.get(this.userName));
            return;
        }
        try {
            List<ByteString> clearPasswords = new PasswordPolicyState(this.authEntry, false).getClearPasswords();
            if (clearPasswords == null || clearPasswords.isEmpty()) {
                setCallbackMsg(ExtensionMessages.ERR_SASL_NO_REVERSIBLE_PASSWORDS.get(this.mechanism, String.valueOf(this.authEntry.getDN())));
            } else {
                passwordCallback.setPassword(clearPasswords.get(0).toString().toCharArray());
            }
        } catch (Exception e) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugCaught(DebugLogLevel.ERROR, e);
            }
            setCallbackMsg(ExtensionMessages.ERR_SASL_CANNOT_GET_REVERSIBLE_PASSWORDS.get(String.valueOf(this.authEntry.getDN()), this.mechanism, String.valueOf(e)));
        }
    }

    private void nameCallback(NameCallback nameCallback) {
        this.userName = nameCallback.getDefaultName();
        String lowerCase = StaticUtils.toLowerCase(this.userName);
        if (lowerCase.startsWith("dn:")) {
            try {
                DN decode = DN.decode(this.userName.substring(3));
                if (decode.isNullDN()) {
                    setCallbackMsg(ExtensionMessages.ERR_SASL_USERNAME_IS_NULL_DN.get(this.mechanism));
                    return;
                }
                DN actualRootBindDN = DirectoryServer.getActualRootBindDN(decode);
                if (actualRootBindDN != null) {
                    decode = actualRootBindDN;
                }
                getAuthEntry(decode);
            } catch (DirectoryException e) {
                if (DebugLogger.debugEnabled()) {
                    TRACER.debugCaught(DebugLogLevel.ERROR, e);
                }
                setCallbackMsg(ExtensionMessages.ERR_SASL_CANNOT_DECODE_USERNAME_AS_DN.get(this.mechanism, this.userName, e.getMessageObject()));
                return;
            }
        } else {
            String str = this.userName;
            if (lowerCase.startsWith("u:")) {
                if (lowerCase.equals("u:")) {
                    setCallbackMsg(ExtensionMessages.ERR_SASL_ZERO_LENGTH_USERNAME.get(this.mechanism, this.mechanism));
                    return;
                }
                str = this.userName.substring(2);
            }
            try {
                this.authEntry = this.identityMapper.getEntryForID(str);
            } catch (DirectoryException e2) {
                if (DebugLogger.debugEnabled()) {
                    TRACER.debugCaught(DebugLogLevel.ERROR, e2);
                }
                setCallbackMsg(ExtensionMessages.ERR_SASLDIGESTMD5_CANNOT_MAP_USERNAME.get(String.valueOf(this.userName), e2.getMessageObject()));
                return;
            }
        }
        if (this.authEntry == null) {
        }
    }

    private void getAuthEntry(DN dn) {
        Lock lock = null;
        for (int i = 0; i < 3; i++) {
            lock = LockManager.lockRead(dn);
            if (lock != null) {
                break;
            }
        }
        try {
            if (lock == null) {
                setCallbackMsg(ExtensionMessages.INFO_SASL_CANNOT_LOCK_ENTRY.get(String.valueOf(dn)));
                return;
            }
            try {
                this.authEntry = DirectoryServer.getEntry(dn);
                LockManager.unlock(dn, lock);
            } catch (DirectoryException e) {
                if (DebugLogger.debugEnabled()) {
                    TRACER.debugCaught(DebugLogLevel.ERROR, e);
                }
                setCallbackMsg(ExtensionMessages.ERR_SASL_CANNOT_GET_ENTRY_BY_DN.get(String.valueOf(dn), ServerConstants.SASL_MECHANISM_DIGEST_MD5, e.getMessageObject()));
                LockManager.unlock(dn, lock);
            }
        } catch (Throwable th) {
            LockManager.unlock(dn, lock);
            throw th;
        }
    }

    /* JADX WARN: Can't rename method to resolve collision */
    @Override // java.security.PrivilegedExceptionAction
    public Boolean run() {
        ClientConnection clientConnection = this.bindOp.getClientConnection();
        if (this.saslServer == null) {
            try {
                initSASLServer();
            } catch (SaslException e) {
                if (DebugLogger.debugEnabled()) {
                    TRACER.debugCaught(DebugLogLevel.ERROR, e);
                }
                GSSException cause = e.getCause();
                Message message = cause != null ? ExtensionMessages.ERR_SASL_CONTEXT_CREATE_ERROR.get(ServerConstants.SASL_MECHANISM_GSSAPI, GSSAPISASLMechanismHandler.getGSSExceptionMessage(cause)) : ExtensionMessages.ERR_SASL_CONTEXT_CREATE_ERROR.get(ServerConstants.SASL_MECHANISM_GSSAPI, StaticUtils.getExceptionMessage(e));
                clientConnection.setSASLAuthStateInfo(null);
                this.bindOp.setAuthFailureReason(message);
                this.bindOp.setResultCode(ResultCode.INVALID_CREDENTIALS);
                return false;
            }
        }
        ByteString sASLCredentials = this.bindOp.getSASLCredentials();
        clientConnection.setSASLAuthStateInfo(null);
        try {
            ByteString evaluateResponse = evaluateResponse(sASLCredentials);
            if (isBindComplete()) {
                this.bindOp.setResultCode(ResultCode.SUCCESS);
                this.bindOp.setSASLAuthUserEntry(this.authEntry);
                this.bindOp.setAuthenticationInfo(new AuthenticationInfo(this.authEntry, this.authzEntry, this.mechanism, sASLCredentials, DirectoryServer.isRootDN(this.authEntry.getDN())));
                if (isConfidentialIntegrity()) {
                    ((LDAPClientConnection) clientConnection).setSASLPendingProvider(SASLByteChannel.getSASLByteChannel(clientConnection, this.mechanism, this));
                } else {
                    dispose();
                    clientConnection.setSASLAuthStateInfo(null);
                }
            } else {
                this.bindOp.setServerSASLCredentials(evaluateResponse);
                clientConnection.setSASLAuthStateInfo(this);
                this.bindOp.setResultCode(ResultCode.SASL_BIND_IN_PROGRESS);
            }
            return true;
        } catch (SaslException e2) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugCaught(DebugLogLevel.ERROR, e2);
            }
            handleError(ExtensionMessages.ERR_SASL_PROTOCOL_ERROR.get(this.mechanism, StaticUtils.getExceptionMessage(e2)));
            return false;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void performAuthentication(LoginContext loginContext, BindOperation bindOperation) {
        this.bindOp = bindOperation;
        try {
            Subject.doAs(loginContext.getSubject(), this);
        } catch (PrivilegedActionException e) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugCaught(DebugLogLevel.ERROR, e);
            }
            handleError(ExtensionMessages.ERR_SASL_PROTOCOL_ERROR.get(this.mechanism, StaticUtils.getExceptionMessage(e)));
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void evaluateInitialStage(BindOperation bindOperation) {
        this.bindOp = bindOperation;
        ClientConnection clientConnection = bindOperation.getClientConnection();
        try {
            ByteString evaluateResponse = evaluateResponse(ByteString.empty());
            bindOperation.setResultCode(ResultCode.SASL_BIND_IN_PROGRESS);
            bindOperation.setServerSASLCredentials(evaluateResponse);
            clientConnection.setSASLAuthStateInfo(this);
        } catch (SaslException e) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugCaught(DebugLogLevel.ERROR, e);
            }
            handleError(ExtensionMessages.ERR_SASL_PROTOCOL_ERROR.get(this.mechanism, StaticUtils.getExceptionMessage(e)));
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void evaluateFinalStage(BindOperation bindOperation) {
        this.bindOp = bindOperation;
        ByteString sASLCredentials = bindOperation.getSASLCredentials();
        if (sASLCredentials == null || sASLCredentials.length() == 0) {
            handleError(ExtensionMessages.ERR_SASL_NO_CREDENTIALS.get(this.mechanism, this.mechanism));
            return;
        }
        ClientConnection clientConnection = bindOperation.getClientConnection();
        clientConnection.setSASLAuthStateInfo(null);
        try {
            ByteString evaluateResponse = evaluateResponse(sASLCredentials);
            bindOperation.setResultCode(ResultCode.SUCCESS);
            bindOperation.setServerSASLCredentials(evaluateResponse);
            bindOperation.setSASLAuthUserEntry(this.authEntry);
            bindOperation.setAuthenticationInfo(new AuthenticationInfo(this.authEntry, this.authzEntry, this.mechanism, sASLCredentials, DirectoryServer.isRootDN(this.authEntry.getDN())));
            if (isConfidentialIntegrity()) {
                ((LDAPClientConnection) clientConnection).setSASLPendingProvider(SASLByteChannel.getSASLByteChannel(clientConnection, this.mechanism, this));
            } else {
                dispose();
                clientConnection.setSASLAuthStateInfo(null);
            }
        } catch (SaslException e) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugCaught(DebugLogLevel.ERROR, e);
            }
            handleError(ExtensionMessages.ERR_SASL_PROTOCOL_ERROR.get(this.mechanism, StaticUtils.getExceptionMessage(e)));
        }
    }
}
