package org.jboss.security.auth.spi;

import java.security.acl.Group;
import java.util.Map;
import java.util.Properties;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import org.jboss.as.naming.subsystem.NamingSubsystemModel;
import org.jboss.security.PicketBoxLogger;
import org.jboss.security.PicketBoxMessages;

/* loaded from: input_file:wildfly.zip:modules/system/layers/base/org/picketbox/main/picketbox-5.0.3.Final-redhat-00007.jar:org/jboss/security/auth/spi/LdapUsersLoginModule.class */
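/**
 * Login module that authenticates a user against an LDAP directory in two steps:
 * it first binds with a configured service account ({@code bindDN}/{@code bindCredential})
 * and searches for the user's entry, then binds again as the resolved user DN with the
 * password the user supplied. Success of the second bind is the authentication result.
 *
 * <p>Security notes for deployers (all grounded in this class):
 * <ul>
 *   <li>{@code java.naming.security.authentication} defaults to {@code simple}, and the
 *       default provider URL is plain {@code ldap://localhost:389} unless
 *       {@code java.naming.security.protocol=ssl} is set (then port 636). With a simple bind
 *       both the service-account credential and the user's password are sent to the server
 *       as-is, so an SSL/LDAPS connection should be configured.</li>
 *   <li>Empty passwords are rejected unless {@code allowEmptyPasswords=true}. Many directories
 *       treat a simple bind with an empty password as an anonymous/unauthenticated bind that
 *       succeeds for any DN, so enabling that option removes the proof of identity.</li>
 *   <li>The username is passed to the search as a filter argument ({@code {0}}), not
 *       concatenated into the filter text; only the first entry returned is used.</li>
 * </ul>
 */
public class LdapUsersLoginModule extends UsernamePasswordLoginModule {
    /** Option: DN of the service account used for the user search. */
    private static final String BIND_DN = "bindDN";
    /** Option: service-account password, or a PicketBox password command resolved at init. */
    private static final String BIND_CREDENTIAL = "bindCredential";
    /** Option: base DN the user search starts from. */
    private static final String BASE_CTX_DN = "baseCtxDN";
    /** Option: search filter; {@code {0}} is replaced by the username. */
    private static final String BASE_FILTER_OPT = "baseFilter";
    /** Option: search time limit in milliseconds (default 10000). */
    private static final String SEARCH_TIME_LIMIT_OPT = "searchTimeLimit";
    /** Option: OBJECT_SCOPE, ONELEVEL_SCOPE or SUBTREE_SCOPE (default). */
    private static final String SEARCH_SCOPE_OPT = "searchScope";
    /** Option: attribute holding the entry's full DN (default {@code distinguishedName}). */
    private static final String DISTINGUISHED_NAME_ATTRIBUTE_OPT = "distinguishedNameAttribute";
    /** Option: whether to trim the supplied username using the begin/end markers. */
    private static final String PARSE_USERNAME = "parseUsername";
    /** Option: marker after which the username starts (used only with parseUsername). */
    private static final String USERNAME_BEGIN_STRING = "usernameBeginString";
    /** Option: marker at which the username ends (used only with parseUsername). */
    private static final String USERNAME_END_STRING = "usernameEndString";
    /** Option: accept an empty password and hand it to the directory (default false). */
    private static final String ALLOW_EMPTY_PASSWORDS = "allowEmptyPasswords";
    /** Every option this module accepts, including the JNDI environment keys it forwards. */
    private static final String[] ALL_VALID_OPTIONS = {
        BIND_DN, BIND_CREDENTIAL, BASE_CTX_DN, BASE_FILTER_OPT, SEARCH_TIME_LIMIT_OPT, SEARCH_SCOPE_OPT,
        DISTINGUISHED_NAME_ATTRIBUTE_OPT, PARSE_USERNAME, USERNAME_BEGIN_STRING, USERNAME_END_STRING,
        ALLOW_EMPTY_PASSWORDS, "java.naming.factory.initial", "java.naming.security.authentication",
        "java.naming.security.protocol", "java.naming.provider.url", "java.naming.security.principal",
        "java.naming.security.credentials"
    };

    protected String bindDN;
    protected String bindCredential;
    protected String baseDN;
    protected String baseFilter;
    protected int searchTimeLimit = 10000;
    protected int searchScope = SearchControls.SUBTREE_SCOPE;
    protected String distinguishedNameAttribute;
    protected boolean parseUsername;
    protected String usernameBeginString;
    protected String usernameEndString;
    protected boolean allowEmptyPasswords;

    /**
     * No stored password exists for comparison: the directory verifies the credential in
     * {@link #validatePassword(String, String)}, so the expected password is always empty.
     *
     * @return the empty string
     */
    @Override
    protected String getUsersPassword() throws LoginException {
        return "";
    }

    /**
     * This module does not look up group membership; it always reports no roles.
     *
     * @return an empty array
     */
    @Override
    protected Group[] getRoleSets() throws LoginException {
        return new Group[0];
    }

    /**
     * Returns the login name, narrowed to the text between {@code usernameBeginString} and
     * {@code usernameEndString} when {@code parseUsername} is enabled. A marker that is not
     * configured, or not present in the name, simply does not cut anything.
     *
     * <p>Declared {@code public} as in the decompiled class (the decompiler notes the modifier
     * was widened from {@code protected}).
     *
     * @return the possibly trimmed username, or {@code null} if none has been supplied
     */
    @Override
    public String getUsername() {
        String username = super.getUsername();
        if (!this.parseUsername || username == null) {
            return username;
        }
        // Start just after the begin marker. Previously the marker length was added to the
        // indexOf() result before the -1 check, so an absent marker longer than one character
        // silently dropped the first (length - 1) characters of the name.
        int begin = 0;
        if (this.usernameBeginString != null && !this.usernameBeginString.isEmpty()) {
            int markerAt = username.indexOf(this.usernameBeginString);
            if (markerAt != -1) {
                begin = markerAt + this.usernameBeginString.length();
            }
        }
        // End at the first end marker after the begin offset; no marker means end of string.
        int end = username.length();
        if (this.usernameEndString != null && !this.usernameEndString.isEmpty()) {
            int markerAt = username.indexOf(this.usernameEndString, begin);
            if (markerAt != -1) {
                end = markerAt;
            }
        }
        return username.substring(begin, end);
    }

    /**
     * Reads the module options listed in {@link #ALL_VALID_OPTIONS} after delegating to the
     * superclass. Unparseable {@code searchTimeLimit} values keep the default and are logged at
     * debug level; an unrecognised {@code searchScope} keeps SUBTREE_SCOPE.
     *
     * @param subject         the subject being authenticated
     * @param callbackHandler handler used to collect the username and password
     * @param sharedState     state shared between chained login modules
     * @param options         this module's configuration options
     * @throws RuntimeException (via {@code PicketBoxMessages}) if a {@code bindCredential}
     *         password command cannot be resolved
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) {
        addValidOptions(ALL_VALID_OPTIONS);
        super.initialize(subject, callbackHandler, sharedState, options);
        this.bindDN = (String) options.get(BIND_DN);
        this.bindCredential = (String) options.get(BIND_CREDENTIAL);
        if (this.bindCredential != null && org.jboss.security.Util.isPasswordCommand(this.bindCredential)) {
            try {
                // A password command lets the configuration avoid holding the clear-text secret.
                this.bindCredential = new String(org.jboss.security.Util.loadPassword(this.bindCredential));
            } catch (Exception e) {
                throw PicketBoxMessages.MESSAGES.failedToDecodeBindCredential(e);
            }
        }
        this.baseDN = (String) options.get(BASE_CTX_DN);
        this.baseFilter = (String) options.get(BASE_FILTER_OPT);
        String timeLimit = (String) options.get(SEARCH_TIME_LIMIT_OPT);
        if (timeLimit != null) {
            try {
                this.searchTimeLimit = Integer.parseInt(timeLimit);
            } catch (NumberFormatException ignored) {
                // Best effort: keep the default and record the bad value at debug level.
                PicketBoxLogger.LOGGER.debugFailureToParseNumberProperty(SEARCH_TIME_LIMIT_OPT, this.searchTimeLimit);
            }
        }
        String scope = (String) options.get(SEARCH_SCOPE_OPT);
        if ("OBJECT_SCOPE".equalsIgnoreCase(scope)) {
            this.searchScope = SearchControls.OBJECT_SCOPE;
        } else if ("ONELEVEL_SCOPE".equalsIgnoreCase(scope)) {
            this.searchScope = SearchControls.ONELEVEL_SCOPE;
        } else if ("SUBTREE_SCOPE".equalsIgnoreCase(scope)) {
            this.searchScope = SearchControls.SUBTREE_SCOPE;
        }
        this.distinguishedNameAttribute = (String) options.get(DISTINGUISHED_NAME_ATTRIBUTE_OPT);
        if (this.distinguishedNameAttribute == null) {
            this.distinguishedNameAttribute = "distinguishedName";
        }
        // Boolean.parseBoolean treats null and anything other than "true" as false.
        this.allowEmptyPasswords = Boolean.parseBoolean((String) options.get(ALLOW_EMPTY_PASSWORDS));
        this.parseUsername = Boolean.parseBoolean((String) options.get(PARSE_USERNAME));
        if (this.parseUsername) {
            this.usernameBeginString = (String) options.get(USERNAME_BEGIN_STRING);
            this.usernameEndString = (String) options.get(USERNAME_END_STRING);
        }
    }

    /**
     * Validates the supplied password by binding to the directory as the user.
     *
     * @param inputPassword    the password collected from the user; {@code null} fails
     * @param expectedPassword ignored (always empty, see {@link #getUsersPassword()})
     * @return {@code true} only if the LDAP search and the user bind both succeed
     */
    @Override
    protected boolean validatePassword(String inputPassword, String expectedPassword) {
        if (inputPassword == null) {
            return false;
        }
        // An empty password must not reach the directory unless explicitly allowed: a simple
        // bind with empty credentials is commonly treated as an unauthenticated bind.
        if (inputPassword.isEmpty() && !this.allowEmptyPasswords) {
            PicketBoxLogger.LOGGER.traceRejectingEmptyPassword();
            return false;
        }
        try {
            return createLdapInitContext(getUsername(), inputPassword);
        } catch (Throwable t) {
            // Keep the cause for the failure report (presumably surfaced by the superclass on login failure).
            super.setValidateError(t);
            return false;
        }
    }

    /**
     * Opens the service-account context, resolves and binds the user, and restores the thread
     * context class loader afterwards. The context is closed exactly once and the class loader
     * is restored even if closing fails (the previous code could leave the loader unrestored
     * when {@code close()} threw during error handling).
     *
     * @param username   the (possibly trimmed) login name
     * @param credential the user's password
     * @return {@code true} when the user bind succeeded
     * @throws Exception any naming or bind failure, propagated to the caller
     */
    private boolean createLdapInitContext(String username, Object credential) throws Exception {
        ClassLoader contextClassLoader = SecurityActions.getContextClassLoader();
        InitialLdapContext ctx = null;
        try {
            if (contextClassLoader != null) {
                // NOTE(review): the TCCL is cleared while JNDI resolves the provider — presumably so
                // the LDAP context factory is not looked up through a deployment class loader; confirm.
                SecurityActions.setContextClassLoader(null);
            }
            ctx = constructInitialLdapContext(this.bindDN, this.bindCredential);
            bindDNAuthentication(ctx, username, credential, this.baseDN, this.baseFilter);
            return true;
        } finally {
            try {
                if (ctx != null) {
                    ctx.close();
                }
            } finally {
                if (contextClassLoader != null) {
                    SecurityActions.setContextClassLoader(contextClassLoader);
                }
            }
        }
    }

    /**
     * Builds a JNDI environment from the module options and opens an LDAP context bound as the
     * given principal. Missing factory, authentication mechanism and provider URL get defaults
     * ({@code com.sun.jndi.ldap.LdapCtxFactory}, simple, {@code ldap://localhost:389} or
     * {@code :636} when the security protocol is {@code ssl}).
     *
     * @param principal  the DN to bind as, or {@code null} for no principal
     * @param credential the password to bind with, or {@code null} for no credential
     * @return the opened context; the caller must close it
     * @throws NamingException if the context cannot be created or the bind fails
     */
    private InitialLdapContext constructInitialLdapContext(String principal, Object credential) throws NamingException {
        Properties env = new Properties();
        // Every module option is forwarded to JNDI (the accepted keys are in ALL_VALID_OPTIONS).
        env.putAll(this.options);
        if (env.getProperty("java.naming.factory.initial") == null) {
            env.setProperty("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        }
        if (env.getProperty("java.naming.security.authentication") == null) {
            env.setProperty("java.naming.security.authentication", NamingSubsystemModel.SIMPLE);
        }
        String protocol = env.getProperty("java.naming.security.protocol");
        String providerUrl = (String) this.options.get("java.naming.provider.url");
        if (providerUrl == null) {
            // Without an explicit URL the credentials go to localhost; only "ssl" selects the LDAPS port.
            boolean ssl = "ssl".equals(protocol);
            providerUrl = "ldap://localhost:" + (ssl ? "636" : "389");
        }
        env.setProperty("java.naming.provider.url", providerUrl);
        if (principal != null) {
            env.setProperty("java.naming.security.principal", principal);
        }
        if (credential != null) {
            env.put("java.naming.security.credentials", credential);
        }
        traceLDAPEnv(env);
        return new InitialLdapContext(env, (Control[]) null);
    }

    /**
     * Searches for the user's entry with the service-account context and then binds as that
     * entry with the user's credential. The DN comes from {@code distinguishedNameAttribute}
     * when present, otherwise from the entry name joined to the base DN. Only the first match
     * is used, so the configured filter should identify exactly one entry per user.
     *
     * @param ctx        context already bound as the service account
     * @param user       value substituted for {@code {0}} in the filter (escaped by the provider)
     * @param credential the user's password
     * @param baseDN     search base
     * @param filter     search filter expression
     * @return the DN that was successfully bound
     * @throws NamingException if no entry matches, a non-relative (referral) result has no DN,
     *         or the user bind fails
     */
    protected String bindDNAuthentication(InitialLdapContext ctx, String user, Object credential, String baseDN, String filter) throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(this.searchScope);
        controls.setTimeLimit(this.searchTimeLimit);
        controls.setReturningAttributes(new String[]{this.distinguishedNameAttribute});
        // The username travels as a filter argument, never spliced into the filter string here.
        NamingEnumeration<SearchResult> results = ctx.search(baseDN, filter, new Object[]{user}, controls);
        String userDN = null;
        try {
            if (!results.hasMore()) {
                throw PicketBoxMessages.MESSAGES.failedToFindBaseContextDN(baseDN);
            }
            SearchResult entry = results.next();
            String name = entry.getName();
            Attributes attrs = entry.getAttributes();
            if (attrs != null) {
                Attribute dnAttribute = attrs.get(this.distinguishedNameAttribute);
                if (dnAttribute != null) {
                    userDN = (String) dnAttribute.get();
                }
            }
            if (userDN == null) {
                // A non-relative name is a referral into another naming context; it cannot be
                // turned into a DN under baseDN, so authentication is refused rather than guessed.
                if (!entry.isRelative()) {
                    throw PicketBoxMessages.MESSAGES.unableToFollowReferralForAuth(name);
                }
                userDN = "".equals(baseDN) ? name : name + "," + baseDN;
            }
        } finally {
            // Closed on every path (the previous code leaked the enumeration when next() threw).
            results.close();
        }
        // The user bind is the actual credential check; the context is not needed afterwards.
        constructInitialLdapContext(userDN, credential).close();
        return userDN;
    }

    /**
     * Logs the JNDI environment at trace level with both credential keys masked so passwords
     * never reach the log.
     *
     * @param env the environment about to be handed to JNDI (not modified)
     */
    private void traceLDAPEnv(Properties env) {
        Properties masked = new Properties();
        masked.putAll(env);
        if (masked.containsKey("java.naming.security.credentials")) {
            masked.setProperty("java.naming.security.credentials", "******");
        }
        if (masked.containsKey(BIND_CREDENTIAL)) {
            masked.setProperty(BIND_CREDENTIAL, "******");
        }
        PicketBoxLogger.LOGGER.traceLDAPConnectionEnv(masked);
    }
}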
