package org.jboss.security.auth.callback;

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import javax.management.ObjectName;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.jboss.as.naming.subsystem.NamingSubsystemModel;
import org.jboss.security.PicketBoxLogger;
import org.jboss.security.PicketBoxMessages;
import org.jboss.security.Util;

/* loaded from: input_file:wildfly.zip:modules/system/layers/base/org/picketbox/main/picketbox-5.0.3.Final-redhat-00007.jar:org/jboss/security/auth/callback/LdapCallbackHandler.class */
public class LdapCallbackHandler extends AbstractCallbackHandler implements CallbackHandler {
    private static final String PASSWORD_ATTRIBUTE_ID = "passwordAttributeID";
    private static final String BIND_DN = "bindDN";
    private static final String BIND_CREDENTIAL = "bindCredential";
    private static final String BASE_CTX_DN = "baseCtxDN";
    private static final String BASE_FILTER_OPT = "baseFilter";
    private static final String SEARCH_TIME_LIMIT_OPT = "searchTimeLimit";
    private static final String SECURITY_DOMAIN_OPT = "jaasSecurityDomain";
    private static final String DISTINGUISHED_NAME_ATTRIBUTE_OPT = "distinguishedNameAttribute";
    protected String bindDN;
    protected String bindCredential;
    protected String distinguishedNameAttribute;
    protected String passwordAttributeID = "userPassword";
    protected int searchTimeLimit = 10000;
    protected boolean isPasswordValidated = false;
    protected Map<String, String> options = new HashMap();

    public void setConfiguration(Map<String, String> map) {
        if (map != null) {
            this.options.putAll(map);
        }
    }

    @Override // javax.security.auth.callback.CallbackHandler
    public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
        if (this.userName == null) {
            this.userName = getUserName(callbackArr);
        }
        for (Callback callback : callbackArr) {
            try {
                handleCallBack(callback);
            } catch (NamingException e) {
                throw new IOException((Throwable) e);
            }
        }
    }

    protected void handleCallBack(Callback callback) throws UnsupportedCallbackException, NamingException {
        if (callback instanceof VerifyPasswordCallback) {
            verifyPassword((VerifyPasswordCallback) callback);
            return;
        }
        if (callback instanceof PasswordCallback) {
            PasswordCallback passwordCallback = (PasswordCallback) callback;
            String bindDN = getBindDN();
            String bindCredential = getBindCredential();
            String str = this.options.get(PASSWORD_ATTRIBUTE_ID);
            if (str != null && str.length() > 0) {
                this.passwordAttributeID = str;
            }
            InitialLdapContext initialLdapContext = null;
            ClassLoader contextClassLoader = SecurityActions.getContextClassLoader();
            if (contextClassLoader != null) {
                try {
                    SecurityActions.setContextClassLoader(null);
                } catch (NamingException e) {
                    safeClose(initialLdapContext);
                    if (contextClassLoader != null) {
                        SecurityActions.setContextClassLoader(contextClassLoader);
                    }
                    throw new RuntimeException((Throwable) e);
                }
            }
            initialLdapContext = constructInitialLdapContext(bindDN, bindCredential);
            String str2 = this.options.get(SEARCH_TIME_LIMIT_OPT);
            if (str2 != null) {
                try {
                    this.searchTimeLimit = Integer.parseInt(str2);
                } catch (NumberFormatException e2) {
                }
            }
            if (this.searchTimeLimit == 0) {
                this.searchTimeLimit = 10000;
            }
            String str3 = this.options.get(BASE_CTX_DN);
            String str4 = this.options.get(BASE_FILTER_OPT);
            SearchControls searchControls = new SearchControls();
            searchControls.setSearchScope(2);
            searchControls.setTimeLimit(this.searchTimeLimit);
            Object[] objArr = {this.userName};
            try {
                try {
                    if (str3 == null) {
                        throw PicketBoxMessages.MESSAGES.invalidNullBaseContextDN();
                    }
                    NamingEnumeration search = initialLdapContext.search(str3, str4, objArr, searchControls);
                    if (!search.hasMore()) {
                        safeClose(search);
                        throw PicketBoxMessages.MESSAGES.failedToFindBaseContextDN(str3);
                    }
                    SearchResult searchResult = (SearchResult) search.next();
                    String name = searchResult.getName();
                    if (!searchResult.isRelative()) {
                        throw PicketBoxMessages.MESSAGES.unableToFollowReferralForAuth(name);
                    }
                    String str5 = name + "," + str3;
                    safeClose(search);
                    NamingEnumeration search2 = initialLdapContext.search(str5, str4, new Object[]{this.userName, str5}, searchControls);
                    while (search2.hasMore()) {
                        NamingEnumeration all = ((SearchResult) search2.next()).getAttributes().getAll();
                        while (all != null && all.hasMoreElements()) {
                            Attribute attribute = (Attribute) all.next();
                            if (this.passwordAttributeID.equalsIgnoreCase(attribute.getID())) {
                                setPasswordCallbackValue(attribute.get(), passwordCallback);
                            }
                        }
                    }
                    safeClose(search2);
                    safeClose(initialLdapContext);
                    if (contextClassLoader != null) {
                        SecurityActions.setContextClassLoader(contextClassLoader);
                    }
                } catch (NamingException e3) {
                    PicketBoxLogger.LOGGER.error(e3);
                    safeClose((NamingEnumeration) null);
                    safeClose(initialLdapContext);
                    if (contextClassLoader != null) {
                        SecurityActions.setContextClassLoader(contextClassLoader);
                    }
                }
            } catch (Throwable th) {
                safeClose((NamingEnumeration) null);
                safeClose(initialLdapContext);
                if (contextClassLoader != null) {
                    SecurityActions.setContextClassLoader(contextClassLoader);
                }
                throw th;
            }
        }
    }

    protected void verifyPassword(VerifyPasswordCallback verifyPasswordCallback) throws NamingException {
        String value = verifyPasswordCallback.getValue();
        if (SecurityActions.getContextClassLoader() != null) {
            SecurityActions.setContextClassLoader(null);
        }
        bindDNAuthentication(constructInitialLdapContext(this.bindDN, this.bindCredential), this.userName, value, this.options.get(BASE_CTX_DN), this.options.get(BASE_FILTER_OPT));
        verifyPasswordCallback.setVerified(true);
    }

    protected String getBindDN() {
        String str = this.options.get(BIND_DN);
        if (str == null || str.length() == 0) {
            PicketBoxLogger.LOGGER.traceBindDNNotFound();
        }
        return str;
    }

    protected String getBindCredential() {
        String str = this.options.get(BIND_CREDENTIAL);
        if (Util.isPasswordCommand(str)) {
            try {
                str = new String(Util.loadPassword(str));
            } catch (Exception e) {
                PicketBoxLogger.LOGGER.errorDecryptingBindCredential(e);
            }
        }
        String str2 = this.options.get(SECURITY_DOMAIN_OPT);
        if (str2 != null) {
            try {
                str = new String(DecodeAction.decode(str, new ObjectName(str2)));
            } catch (Exception e2) {
                PicketBoxLogger.LOGGER.errorDecryptingBindCredential(e2);
            }
        }
        return str;
    }

    protected void setPasswordCallbackValue(Object obj, PasswordCallback passwordCallback) {
        if (obj instanceof String) {
            passwordCallback.setPassword(((String) obj).toCharArray());
        } else if (obj instanceof char[]) {
            passwordCallback.setPassword((char[]) obj);
        } else {
            if (!(obj instanceof byte[])) {
                throw PicketBoxMessages.MESSAGES.invalidPasswordType(obj != null ? obj.getClass() : null);
            }
            passwordCallback.setPassword(new String((byte[]) obj).toCharArray());
        }
    }

    private InitialLdapContext constructInitialLdapContext(String str, Object obj) throws NamingException {
        Properties properties = new Properties();
        for (Map.Entry<String, String> entry : this.options.entrySet()) {
            properties.put(entry.getKey(), entry.getValue());
        }
        if (properties.getProperty("java.naming.factory.initial") == null) {
            properties.setProperty("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        }
        if (properties.getProperty("java.naming.security.authentication") == null) {
            properties.setProperty("java.naming.security.authentication", NamingSubsystemModel.SIMPLE);
        }
        String property = properties.getProperty("java.naming.security.protocol");
        String str2 = this.options.get("java.naming.provider.url");
        if (str2 == null) {
            str2 = "ldap://localhost:" + ((property == null || !property.equals("ssl")) ? "389" : "636");
        }
        properties.setProperty("java.naming.provider.url", str2);
        this.distinguishedNameAttribute = this.options.get(DISTINGUISHED_NAME_ATTRIBUTE_OPT);
        if (this.distinguishedNameAttribute == null) {
            this.distinguishedNameAttribute = "distinguishedName";
        }
        if (str != null) {
            properties.setProperty("java.naming.security.principal", str);
        }
        if (obj != null) {
            properties.put("java.naming.security.credentials", obj);
        }
        traceLDAPEnv(properties);
        return new InitialLdapContext(properties, (Control[]) null);
    }

    protected String bindDNAuthentication(InitialLdapContext initialLdapContext, String str, Object obj, String str2, String str3) throws NamingException {
        Attribute attribute;
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(2);
        searchControls.setTimeLimit(this.searchTimeLimit);
        searchControls.setReturningAttributes(new String[]{this.distinguishedNameAttribute});
        NamingEnumeration search = initialLdapContext.search(str2, str3, new Object[]{str}, searchControls);
        if (!search.hasMore()) {
            search.close();
            throw PicketBoxMessages.MESSAGES.failedToFindBaseContextDN(str2);
        }
        SearchResult searchResult = (SearchResult) search.next();
        String name = searchResult.getName();
        String str4 = null;
        Attributes attributes = searchResult.getAttributes();
        if (attributes != null && (attribute = attributes.get(this.distinguishedNameAttribute)) != null) {
            str4 = (String) attribute.get();
        }
        if (str4 == null) {
            if (!searchResult.isRelative()) {
                throw PicketBoxMessages.MESSAGES.unableToFollowReferralForAuth(name);
            }
            str4 = name + ("".equals(str2) ? "" : "," + str2);
        }
        safeClose(search);
        safeClose(constructInitialLdapContext(str4, obj));
        return str4;
    }

    private void traceLDAPEnv(Properties properties) {
        Properties properties2 = new Properties();
        properties2.putAll(properties);
        if (properties2.containsKey("java.naming.security.credentials")) {
            properties2.setProperty("java.naming.security.credentials", "******");
        }
        if (properties2.containsKey(BIND_CREDENTIAL)) {
            properties2.setProperty(BIND_CREDENTIAL, "******");
        }
        PicketBoxLogger.LOGGER.traceLDAPConnectionEnv(properties2);
    }

    protected void safeClose(NamingEnumeration namingEnumeration) {
        if (namingEnumeration != null) {
            try {
                namingEnumeration.close();
            } catch (NamingException e) {
            }
        }
    }

    protected void safeClose(InitialLdapContext initialLdapContext) {
        if (initialLdapContext != null) {
            try {
                initialLdapContext.close();
            } catch (NamingException e) {
            }
        }
    }
}
