package org.jboss.security.auth.spi;

import java.security.Principal;
import java.security.acl.Group;
import java.util.Arrays;
import java.util.Map;
import java.util.Properties;
import javax.management.ObjectName;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import org.jboss.security.PicketBoxLogger;
import org.jboss.security.SimpleGroup;
import org.jboss.security.vault.SecurityVaultUtil;

/* loaded from: input_file:m2repo/org/picketbox/picketbox/5.0.3.Final/picketbox-5.0.3.Final.jar:org/jboss/security/auth/spi/LdapLoginModule.class */
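/**
 * LDAP-backed login module: the caller's password is verified by performing an LDAP bind
 * as the user, and the user's roles are then collected from a directory search.
 *
 * <p>Password checking is entirely delegated to the directory: {@link #getUsersPassword()}
 * is never consulted and {@link #validatePassword(String, String)} simply attempts the bind.
 *
 * <p>Options (all read from the module {@code options} map as strings):
 * <ul>
 *   <li>{@code principalDNPrefix} / {@code principalDNSuffix}: concatenated around the
 *       username to form the bind DN (no DN escaping is applied).</li>
 *   <li>{@code java.naming.security.principal} / {@code java.naming.security.credentials}:
 *       optional service account used for the role search after the user bind succeeds.</li>
 *   <li>{@code jaasSecurityDomain}: JaasSecurityDomain MBean used to decode the service
 *       account credential; vault references are also resolved.</li>
 *   <li>{@code rolesCtxDN}, {@code userRolesCtxDNAttributeName}, {@code uidAttributeID},
 *       {@code roleAttributeID}, {@code roleAttributeIsDN}, {@code roleNameAttributeID},
 *       {@code matchOnUserDN}, {@code searchScope}, {@code searchTimeLimit}: role search.</li>
 *   <li>{@code allowEmptyPasswords}: unless {@code true}, an empty password is rejected
 *       before any bind is attempted.</li>
 * </ul>
 *
 * <p>Not thread-safe; a JAAS login module instance is used by a single login sequence.
 */
public class LdapLoginModule extends UsernamePasswordLoginModule {
    private static final String PRINCIPAL_DN_PREFIX_OPT = "principalDNPrefix";
    private static final String PRINCIPAL_DN_SUFFIX_OPT = "principalDNSuffix";
    private static final String ROLES_CTX_DN_OPT = "rolesCtxDN";
    private static final String USER_ROLES_CTX_DN_ATTRIBUTE_ID_OPT = "userRolesCtxDNAttributeName";
    private static final String UID_ATTRIBUTE_ID_OPT = "uidAttributeID";
    private static final String ROLE_ATTRIBUTE_ID_OPT = "roleAttributeID";
    private static final String MATCH_ON_USER_DN_OPT = "matchOnUserDN";
    private static final String ROLE_ATTRIBUTE_IS_DN_OPT = "roleAttributeIsDN";
    private static final String ROLE_NAME_ATTRIBUTE_ID_OPT = "roleNameAttributeID";
    private static final String SEARCH_TIME_LIMIT_OPT = "searchTimeLimit";
    private static final String SEARCH_SCOPE_OPT = "searchScope";
    private static final String SECURITY_DOMAIN_OPT = "jaasSecurityDomain";
    private static final String ALLOW_EMPTY_PASSWORDS = "allowEmptyPasswords";

    /** Every option this module accepts; registered with the superclass in {@link #initialize}. */
    private static final String[] ALL_VALID_OPTIONS = {PRINCIPAL_DN_PREFIX_OPT, PRINCIPAL_DN_SUFFIX_OPT, ROLES_CTX_DN_OPT, USER_ROLES_CTX_DN_ATTRIBUTE_ID_OPT, UID_ATTRIBUTE_ID_OPT, ROLE_ATTRIBUTE_ID_OPT, MATCH_ON_USER_DN_OPT, ROLE_ATTRIBUTE_IS_DN_OPT, ROLE_NAME_ATTRIBUTE_ID_OPT, SEARCH_TIME_LIMIT_OPT, SEARCH_SCOPE_OPT, SECURITY_DOMAIN_OPT, ALLOW_EMPTY_PASSWORDS, "java.naming.factory.initial", "java.naming.factory.object", "java.naming.factory.state", "java.naming.factory.url.pkgs", "java.naming.provider.url", "java.naming.dns.url", "java.naming.authoritative", "java.naming.batchsize", "java.naming.referral", "java.naming.security.protocol", "java.naming.security.authentication", "java.naming.security.principal", "java.naming.security.credentials", "java.naming.language", "java.naming.applet"};

    /** JNDI environment keys used below; same values as the {@code javax.naming.Context} constants. */
    private static final String INITIAL_CONTEXT_FACTORY = "java.naming.factory.initial";
    private static final String SECURITY_AUTHENTICATION = "java.naming.security.authentication";
    private static final String SECURITY_PROTOCOL = "java.naming.security.protocol";
    private static final String PROVIDER_URL = "java.naming.provider.url";
    private static final String SECURITY_PRINCIPAL = "java.naming.security.principal";
    private static final String SECURITY_CREDENTIALS = "java.naming.security.credentials";

    private static final String DEFAULT_CONTEXT_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";
    private static final String DEFAULT_AUTHENTICATION = "simple";
    private static final String DEFAULT_LDAP_PORT = "389";
    private static final String DEFAULT_LDAPS_PORT = "636";
    private static final String DEFAULT_UID_ATTRIBUTE = "uid";
    private static final String DEFAULT_ROLE_ATTRIBUTE = "roles";
    private static final String DEFAULT_ROLE_NAME_ATTRIBUTE = "name";
    /** Search time limit in milliseconds (passed to {@link SearchControls#setTimeLimit(int)}). */
    private static final int DEFAULT_SEARCH_TIME_LIMIT = 10000;
    /** Placeholder shown in place of credentials in the trace log. */
    private static final String MASKED_CREDENTIAL = "******";

    /** Roles found for the authenticated user; returned as the single role set. */
    private transient SimpleGroup userRoles = new SimpleGroup("Roles");

    /**
     * Registers this module's option names with the superclass and then delegates initialization.
     *
     * @param subject         the subject being authenticated
     * @param callbackHandler handler used to obtain the username and password
     * @param sharedState     JAAS shared state
     * @param options         module options (see the class documentation)
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) {
        addValidOptions(ALL_VALID_OPTIONS);
        super.initialize(subject, callbackHandler, sharedState, options);
    }

    /**
     * Not used: the password is verified by binding to the directory, never compared locally.
     *
     * @return the empty string
     */
    @Override
    protected String getUsersPassword() throws LoginException {
        return "";
    }

    /**
     * Returns the roles collected from the directory during {@link #validatePassword}.
     *
     * @return a single-element array holding the "Roles" group
     */
    @Override
    protected Group[] getRoleSets() throws LoginException {
        return new Group[]{this.userRoles};
    }

    /**
     * Validates the password by binding to the LDAP server as the user and, on success,
     * loading the user's roles.
     *
     * <p>An empty password is rejected up front unless {@code allowEmptyPasswords} is
     * {@code true}: an LDAP simple bind with an empty password is generally treated by the
     * server as an anonymous/unauthenticated bind, which would "succeed" without proving the
     * caller's identity.
     *
     * @param inputPassword    the password supplied by the caller
     * @param expectedPassword ignored (always the empty string from {@link #getUsersPassword()})
     * @return {@code true} if the bind and role lookup completed without error
     */
    @Override
    protected boolean validatePassword(String inputPassword, String expectedPassword) {
        if (inputPassword == null) {
            return false;
        }
        if (inputPassword.isEmpty()) {
            // Boolean.parseBoolean(null) is false, so the default is to reject.
            boolean allowEmpty = Boolean.parseBoolean((String) this.options.get(ALLOW_EMPTY_PASSWORDS));
            if (!allowEmpty) {
                PicketBoxLogger.LOGGER.traceRejectingEmptyPassword();
                return false;
            }
        }
        try {
            createLdapInitContext(getUsername(), inputPassword);
            return true;
        } catch (Throwable th) {
            // Any failure (bind rejected, server unreachable, bad config) is recorded for the
            // superclass to report; the login simply fails.
            super.setValidateError(th);
            return false;
        }
    }

    /**
     * Binds to the directory as the given user and, if the bind succeeds, collects the user's
     * roles into {@link #userRoles}.
     *
     * <p>The thread context class loader is cleared while the JNDI context is created
     * (presumably so the provider is resolved outside the deployment's loader) and restored in
     * the {@code finally}, which also closes whichever context is open at that point.
     *
     * @param username   the name supplied by the caller
     * @param credential the caller's password, placed in the JNDI environment as-is
     * @throws Exception if the bind fails or the configuration cannot be resolved
     */
    private void createLdapInitContext(String username, Object credential) throws Exception {
        Properties env = buildLdapEnvironment();
        String bindDN = (String) this.options.get(SECURITY_PRINCIPAL);
        String bindCredential = resolveBindCredential();
        boolean matchOnUserDN = Boolean.parseBoolean((String) this.options.get(MATCH_ON_USER_DN_OPT));
        String userDN = buildUserDN(username);

        env.setProperty(PROVIDER_URL, resolveProviderUrl(env));
        env.setProperty(SECURITY_PRINCIPAL, userDN);
        env.put(SECURITY_CREDENTIALS, credential);
        traceLDAPEnv(env);

        InitialLdapContext ctx = null;
        ClassLoader currentTCCL = SecurityActions.getContextClassLoader();
        try {
            if (currentTCCL != null) {
                SecurityActions.setContextClassLoader(null);
            }
            // The bind is the actual password check: a bad password throws here.
            ctx = new InitialLdapContext(env, (Control[]) null);
            if (PicketBoxLogger.LOGGER.isTraceEnabled()) {
                PicketBoxLogger.LOGGER.traceSuccessfulLogInToLDAP(ctx.toString());
            }
            if (bindDN != null) {
                // Role lookup runs under the configured service account rather than the user.
                ctx = rebindAsConfiguredPrincipal(ctx, env, bindDN, bindCredential);
            }
            String rolesCtxDN = resolveRolesContextDN(ctx, userDN);
            if (rolesCtxDN != null) {
                searchRoles(ctx, rolesCtxDN, matchOnUserDN ? userDN : username);
            }
        } finally {
            if (ctx != null) {
                ctx.close();
            }
            if (currentTCCL != null) {
                SecurityActions.setContextClassLoader(currentTCCL);
            }
        }
    }

    /** Copies the module options into a JNDI environment and fills in the factory/auth defaults. */
    private Properties buildLdapEnvironment() {
        Properties env = new Properties();
        env.putAll(this.options);
        if (env.getProperty(INITIAL_CONTEXT_FACTORY) == null) {
            env.setProperty(INITIAL_CONTEXT_FACTORY, DEFAULT_CONTEXT_FACTORY);
        }
        if (env.getProperty(SECURITY_AUTHENTICATION) == null) {
            env.setProperty(SECURITY_AUTHENTICATION, DEFAULT_AUTHENTICATION);
        }
        return env;
    }

    /**
     * Returns the configured provider URL, or a localhost default whose port depends on whether
     * {@code java.naming.security.protocol} is {@code ssl}. The default scheme is always
     * {@code ldap://}; it is the protocol option, not the URL, that selects TLS.
     */
    private String resolveProviderUrl(Properties env) {
        String providerURL = (String) this.options.get(PROVIDER_URL);
        if (providerURL != null) {
            return providerURL;
        }
        String protocol = env.getProperty(SECURITY_PROTOCOL);
        boolean ssl = protocol != null && protocol.equals("ssl");
        return "ldap://localhost:" + (ssl ? DEFAULT_LDAPS_PORT : DEFAULT_LDAP_PORT);
    }

    /**
     * Resolves the service-account credential: decoded through the JaasSecurityDomain MBean when
     * {@code jaasSecurityDomain} is set, then de-referenced if it is a vault expression.
     *
     * @return the plaintext credential, or {@code null} if none is configured
     * @throws Exception if the MBean name is malformed or decoding fails
     */
    private String resolveBindCredential() throws Exception {
        String bindCredential = (String) this.options.get(SECURITY_CREDENTIALS);
        String securityDomain = (String) this.options.get(SECURITY_DOMAIN_OPT);
        if (securityDomain != null) {
            bindCredential = new String(DecodeAction.decode(bindCredential, new ObjectName(securityDomain)));
        }
        if (bindCredential != null && SecurityVaultUtil.isVaultFormat(bindCredential)) {
            bindCredential = SecurityVaultUtil.getValueAsString(bindCredential);
        }
        return bindCredential;
    }

    /**
     * Builds the bind DN as {@code principalDNPrefix + username + principalDNSuffix}.
     *
     * <p>No RFC 4514 escaping is applied: a username containing DN special characters
     * ({@code ,} {@code +} {@code =} {@code "} {@code \} {@code <} {@code >} {@code ;}) is
     * passed through verbatim, so the resulting DN may not name the intended entry.
     * Deployments that accept arbitrary usernames should validate them before this point.
     */
    private String buildUserDN(String username) {
        String prefix = optionOrDefault(PRINCIPAL_DN_PREFIX_OPT, "");
        String suffix = optionOrDefault(PRINCIPAL_DN_SUFFIX_OPT, "");
        return prefix + username + suffix;
    }

    /**
     * Closes the user's context and opens a new one bound as the configured service account.
     *
     * @return the new context; if its creation throws, the caller still holds the old
     *         (already closed) context and closes it again harmlessly
     */
    private static InitialLdapContext rebindAsConfiguredPrincipal(InitialLdapContext userCtx, Properties env, String bindDN, String bindCredential) throws NamingException {
        try {
            userCtx.close();
        } catch (NamingException e) {
            PicketBoxLogger.LOGGER.warnProblemClosingOriginalLdapContextDuringRebind(e);
        }
        PicketBoxLogger.LOGGER.traceRebindWithConfiguredPrincipal(bindDN);
        env.setProperty(SECURITY_PRINCIPAL, bindDN);
        // Properties rejects a null value here, matching the original behaviour when the
        // principal is set without a credential.
        env.put(SECURITY_CREDENTIALS, bindCredential);
        return new InitialLdapContext(env, (Control[]) null);
    }

    /**
     * Determines the base DN for the role search: {@code rolesCtxDN}, overridden by the value of
     * the user entry's {@code userRolesCtxDNAttributeName} attribute when that option is set.
     * Note that in the latter case the search base is data read from the directory itself.
     *
     * @return the search base, or {@code null} if none is configured (no role search is run)
     */
    private String resolveRolesContextDN(InitialLdapContext ctx, String userDN) {
        String rolesCtxDN = (String) this.options.get(ROLES_CTX_DN_OPT);
        String attrName = (String) this.options.get(USER_ROLES_CTX_DN_ATTRIBUTE_ID_OPT);
        if (attrName != null) {
            try {
                Attributes attrs = ctx.getAttributes(userDN, new String[]{attrName});
                Attribute attr = attrs.get(attrName);
                if (attr != null) {
                    rolesCtxDN = attr.get().toString();
                    PicketBoxLogger.LOGGER.traceFoundUserRolesContextDN(rolesCtxDN);
                }
            } catch (NamingException e) {
                // Lookup failure is not fatal; fall back to the configured rolesCtxDN.
                PicketBoxLogger.LOGGER.debugFailureToQueryLDAPAttribute(attrName, userDN, e);
            }
        }
        return rolesCtxDN;
    }

    /**
     * Searches {@code rolesCtxDN} for entries whose {@code uidAttributeID} equals
     * {@code filterArg} and adds each value of {@code roleAttributeID} as a role (following the
     * value as a DN first when {@code roleAttributeIsDN} is set).
     *
     * <p>The filter is {@code (uid={0})} with {@code filterArg} supplied as a filter argument, so
     * the JNDI provider encodes it rather than it being spliced into the filter string.
     * Search failures are logged at debug level and do not fail the login.
     *
     * @throws NamingException if closing the result enumeration fails
     */
    private void searchRoles(InitialLdapContext ctx, String rolesCtxDN, String filterArg) throws NamingException {
        String uidAttrName = optionOrDefault(UID_ATTRIBUTE_ID_OPT, DEFAULT_UID_ATTRIBUTE);
        String roleAttrName = optionOrDefault(ROLE_ATTRIBUTE_ID_OPT, DEFAULT_ROLE_ATTRIBUTE);
        String roleNameAttrName = optionOrDefault(ROLE_NAME_ATTRIBUTE_ID_OPT, DEFAULT_ROLE_NAME_ATTRIBUTE);
        boolean roleAttrIsDN = Boolean.parseBoolean((String) this.options.get(ROLE_ATTRIBUTE_IS_DN_OPT));
        String roleFilter = "(" + uidAttrName + "={0})";
        String[] roleAttrs = {roleAttrName};
        int searchScope = resolveSearchScope();
        int timeLimit = resolveSearchTimeLimit();

        NamingEnumeration<SearchResult> results = null;
        try {
            SearchControls constraints = new SearchControls();
            constraints.setSearchScope(searchScope);
            constraints.setReturningAttributes(roleAttrs);
            constraints.setTimeLimit(timeLimit);
            Object[] filterArgs = {filterArg};
            if (PicketBoxLogger.LOGGER.isTraceEnabled()) {
                PicketBoxLogger.LOGGER.traceRolesDNSearch(rolesCtxDN, roleFilter, filterArg, Arrays.toString(roleAttrs), searchScope, timeLimit);
            }
            results = ctx.search(rolesCtxDN, roleFilter, filterArgs, constraints);
            while (results.hasMore()) {
                SearchResult sr = results.next();
                PicketBoxLogger.LOGGER.traceCheckSearchResult(sr.getName());
                Attribute roles = sr.getAttributes().get(roleAttrName);
                if (roles == null) {
                    PicketBoxLogger.LOGGER.debugFailureToFindAttrInSearchResult(roleAttrName, sr.getName());
                    continue;
                }
                for (int i = 0; i < roles.size(); i++) {
                    Object roleValue = roles.get(i);
                    if (roleAttrIsDN) {
                        addRolesFromRoleDN(ctx, roleValue.toString(), roleNameAttrName);
                    } else {
                        addRole(roleValue.toString());
                    }
                }
            }
        } catch (NamingException e) {
            PicketBoxLogger.LOGGER.debugFailureToExecuteRolesDNSearch(e);
        } finally {
            if (results != null) {
                results.close();
            }
        }
    }

    /**
     * Treats {@code roleDN} (a value read from the directory) as the DN of a role entry and adds
     * every value of its {@code roleNameAttrName} attribute as a role. Failures are logged only.
     */
    private void addRolesFromRoleDN(InitialLdapContext ctx, String roleDN, String roleNameAttrName) {
        String[] attrIds = {roleNameAttrName};
        PicketBoxLogger.LOGGER.traceFollowRoleDN(roleDN);
        try {
            Attribute names = ctx.getAttributes(roleDN, attrIds).get(roleNameAttrName);
            if (names != null) {
                for (int i = 0; i < names.size(); i++) {
                    // Cast kept from the original: a non-String (binary) value would throw.
                    addRole((String) names.get(i));
                }
            }
        } catch (NamingException e) {
            PicketBoxLogger.LOGGER.debugFailureToQueryLDAPAttribute(roleNameAttrName, roleDN, e);
        }
    }

    /** Maps the {@code searchScope} option to a {@link SearchControls} scope; subtree by default. */
    private int resolveSearchScope() {
        String scope = (String) this.options.get(SEARCH_SCOPE_OPT);
        if ("OBJECT_SCOPE".equalsIgnoreCase(scope)) {
            return SearchControls.OBJECT_SCOPE;
        }
        if ("ONELEVEL_SCOPE".equalsIgnoreCase(scope)) {
            return SearchControls.ONELEVEL_SCOPE;
        }
        return SearchControls.SUBTREE_SCOPE;
    }

    /** Parses the {@code searchTimeLimit} option; an unparseable value is logged and the default kept. */
    private int resolveSearchTimeLimit() {
        int timeLimit = DEFAULT_SEARCH_TIME_LIMIT;
        String raw = (String) this.options.get(SEARCH_TIME_LIMIT_OPT);
        if (raw != null) {
            try {
                timeLimit = Integer.parseInt(raw);
            } catch (NumberFormatException e) {
                PicketBoxLogger.LOGGER.debugFailureToParseNumberProperty(SEARCH_TIME_LIMIT_OPT, timeLimit);
            }
        }
        return timeLimit;
    }

    /** Returns the string option {@code key}, or {@code defaultValue} when it is absent. */
    private String optionOrDefault(String key, String defaultValue) {
        String value = (String) this.options.get(key);
        return value != null ? value : defaultValue;
    }

    /**
     * Adds {@code roleName} to {@link #userRoles}. A {@code null} name is ignored; a failure to
     * create the principal is logged at debug level and the role is skipped.
     */
    private void addRole(String roleName) {
        if (roleName == null) {
            return;
        }
        try {
            Principal role = super.createIdentity(roleName);
            PicketBoxLogger.LOGGER.traceAssignUserToRole(roleName);
            this.userRoles.addMember(role);
        } catch (Exception e) {
            PicketBoxLogger.LOGGER.debugFailureToCreatePrincipal(roleName, e);
        }
    }

    /**
     * Traces the JNDI environment with the credential entry replaced by a fixed mask, so neither
     * the user's password nor the service-account credential reaches the log.
     */
    private void traceLDAPEnv(Properties env) {
        Properties redacted = new Properties();
        redacted.putAll(env);
        if (redacted.containsKey(SECURITY_CREDENTIALS)) {
            redacted.setProperty(SECURITY_CREDENTIALS, MASKED_CREDENTIAL);
        }
        PicketBoxLogger.LOGGER.traceLDAPConnectionEnv(redacted);
    }
}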
