package org.jboss.security.negotiation;

import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.acl.Group;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import javax.management.ObjectName;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.negotiation.common.CommonLoginModule;
import org.jboss.security.negotiation.prototype.DecodeAction;

/* loaded from: input_file:org/jboss/security/negotiation/AdvancedLdapLoginModule.class */
public class AdvancedLdapLoginModule extends CommonLoginModule {
    private static final String AUTH_TYPE_GSSAPI = "GSSAPI";
    private static final String AUTH_TYPE_SIMPLE = "simple";
    private static final String DEFAULT_LDAP_CTX_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";
    private static final String DEFAULT_URL = "ldap://localhost:389";
    private static final String DEFAULT_SSL_URL = "ldap://localhost:686";
    private static final String PROTOCOL_SSL = "SSL";
    private static final String OBJECT_SCOPE = "OBJECT_SCOPE";
    private static final String ONELEVEL_SCOPE = "ONELEVEL_SCOPE";
    private static final String SUBTREE_SCOPE = "SUBTREE_SCOPE";
    protected String bindAuthentication;
    protected String bindDn;
    protected String bindCredential;
    protected String jaasSecurityDomain;
    protected String baseCtxDN;
    protected String baseFilter;
    protected SearchControls userSearchControls;
    protected String rolesCtxDN;
    protected String roleFilter;
    protected boolean recurseRoles;
    protected SearchControls roleSearchControls;
    protected String roleAttributeID;
    protected boolean roleAttributeIsDN;
    protected String roleNameAttributeID;
    protected boolean allowEmptyPassword;
    private static final String BIND_AUTHENTICATION = "bindAuthentication";
    private static final String BIND_DN = "bindDN";
    private static final String BIND_CREDENTIAL = "bindCredential";
    private static final String SECURITY_DOMAIN = "jaasSecurityDomain";
    private static final String BASE_CTX_DN = "baseCtxDN";
    private static final String BASE_FILTER = "baseFilter";
    private static final String SEARCH_TIME_LIMIT = "searchTimeLimit";
    private static final String ROLES_CTS_DN = "rolesCtxDN";
    private static final String ROLE_FILTER = "roleFilter";
    private static final String RECURSE_ROLES = "recurseRoles";
    private static final String ROLE_ATTRIBUTE_ID = "roleAttributeID";
    private static final String ROLE_ATTRIBUTE_IS_DN = "roleAttributeIsDN";
    private static final String ROLE_NAME_ATTRIBUTE_ID = "roleNameAttributeID";
    private static final String ROLE_SEARCH_SCOPE = "searchScope";
    private static final String ALLOW_EMPTY_PASSWORD = "allowEmptyPassword";
    private static final String[] ALL_VALID_OPTIONS = {BIND_AUTHENTICATION, BIND_DN, BIND_CREDENTIAL, SECURITY_DOMAIN, BASE_CTX_DN, BASE_FILTER, SEARCH_TIME_LIMIT, ROLES_CTS_DN, ROLE_FILTER, RECURSE_ROLES, ROLE_ATTRIBUTE_ID, ROLE_ATTRIBUTE_IS_DN, ROLE_NAME_ATTRIBUTE_ID, ROLE_SEARCH_SCOPE, ALLOW_EMPTY_PASSWORD, "java.naming.factory.initial", "java.naming.factory.object", "java.naming.factory.state", "java.naming.factory.url.pkgs", "java.naming.provider.url", "java.naming.dns.url", "java.naming.authoritative", "java.naming.batchsize", "java.naming.referral", "java.naming.security.protocol", "java.naming.security.authentication", "java.naming.security.principal", "java.naming.security.credentials", "java.naming.language", "java.naming.applet"};
    protected int searchTimeLimit = 10000;
    private SimpleGroup userRoles = new SimpleGroup("Roles");
    private Set<String> processedRoleDNs = new HashSet();

    /* loaded from: input_file:org/jboss/security/negotiation/AdvancedLdapLoginModule$AuthorizeAction.class */
    private class AuthorizeAction implements PrivilegedAction<Object> {
        private AuthorizeAction() {
        }

        @Override // java.security.PrivilegedAction
        public Object run() {
            try {
                return AdvancedLdapLoginModule.this.innerLogin();
            } catch (LoginException e) {
                return e;
            }
        }
    }

    public void initialize(Subject subject, CallbackHandler callbackHandler, Map map, Map map2) {
        addValidOptions(ALL_VALID_OPTIONS);
        super.initialize(subject, callbackHandler, map, map2);
        this.bindAuthentication = (String) map2.get(BIND_AUTHENTICATION);
        this.bindDn = (String) map2.get(BIND_DN);
        this.bindCredential = (String) map2.get(BIND_CREDENTIAL);
        this.jaasSecurityDomain = (String) map2.get(SECURITY_DOMAIN);
        this.baseCtxDN = (String) map2.get(BASE_CTX_DN);
        this.baseFilter = (String) map2.get(BASE_FILTER);
        String str = (String) map2.get(SEARCH_TIME_LIMIT);
        if (str != null) {
            try {
                this.searchTimeLimit = Integer.parseInt(str);
            } catch (NumberFormatException e) {
                this.log.warn("Failed to parse: " + str + ", using searchTimeLimit=" + this.searchTimeLimit);
            }
        }
        this.userSearchControls = new SearchControls();
        this.userSearchControls.setSearchScope(2);
        this.userSearchControls.setReturningAttributes(new String[0]);
        this.userSearchControls.setTimeLimit(this.searchTimeLimit);
        this.rolesCtxDN = (String) map2.get(ROLES_CTS_DN);
        this.roleFilter = (String) map2.get(ROLE_FILTER);
        this.recurseRoles = Boolean.parseBoolean((String) map2.get(RECURSE_ROLES));
        int i = 2;
        String str2 = (String) map2.get(ROLE_SEARCH_SCOPE);
        if (OBJECT_SCOPE.equalsIgnoreCase(str2)) {
            i = 0;
        } else if (ONELEVEL_SCOPE.equalsIgnoreCase(str2)) {
            i = 1;
        }
        if (SUBTREE_SCOPE.equalsIgnoreCase(str2)) {
            i = 2;
        }
        this.roleSearchControls = new SearchControls();
        this.roleSearchControls.setSearchScope(i);
        this.roleSearchControls.setReturningAttributes(new String[0]);
        this.roleSearchControls.setTimeLimit(this.searchTimeLimit);
        this.roleAttributeID = (String) map2.get(ROLE_ATTRIBUTE_ID);
        this.roleAttributeIsDN = Boolean.parseBoolean((String) map2.get(ROLE_ATTRIBUTE_IS_DN));
        this.roleNameAttributeID = (String) map2.get(ROLE_NAME_ATTRIBUTE_ID);
        this.allowEmptyPassword = Boolean.parseBoolean((String) map2.get(ALLOW_EMPTY_PASSWORD));
    }

    public boolean login() throws LoginException {
        Object run;
        AuthorizeAction authorizeAction = new AuthorizeAction();
        if (AUTH_TYPE_GSSAPI.equals(this.bindAuthentication)) {
            this.log.trace("Using GSSAPI to connect to LDAP");
            LoginContext loginContext = new LoginContext(this.jaasSecurityDomain);
            loginContext.login();
            Subject subject = loginContext.getSubject();
            if (this.log.isDebugEnabled()) {
                this.log.debug("Subject = " + subject);
                this.log.debug("Logged in '" + loginContext + "' LoginContext");
            }
            run = Subject.doAs(subject, authorizeAction);
            loginContext.logout();
        } else {
            run = authorizeAction.run();
        }
        if (run instanceof LoginException) {
            throw ((LoginException) run);
        }
        return ((Boolean) run).booleanValue();
    }

    protected Group[] getRoleSets() throws LoginException {
        return new Group[]{this.userRoles};
    }

    protected Boolean innerLogin() throws LoginException {
        processIdentityAndCredential();
        if (this.log.isTraceEnabled()) {
            this.log.trace("Identity - " + getIdentity().getName());
        }
        String str = this.bindCredential;
        if (!AUTH_TYPE_GSSAPI.equals(this.bindAuthentication) && this.jaasSecurityDomain != null && this.jaasSecurityDomain.length() > 0) {
            try {
                str = new String(DecodeAction.decode(str, new ObjectName(this.jaasSecurityDomain)));
            } catch (Exception e) {
                LoginException loginException = new LoginException("Unable to decode bindCredential");
                loginException.initCause(e);
                throw loginException;
            }
        }
        LdapContext ldapContext = null;
        try {
            ldapContext = constructLdapContext(this.bindDn, str, this.bindAuthentication);
            this.log.debug("Obtained LdapContext");
            String findUserDN = findUserDN(ldapContext);
            if (!((CommonLoginModule) this).loginOk) {
                authenticate(findUserDN);
            }
            if (((CommonLoginModule) this).loginOk) {
                rolesSearch(ldapContext, findUserDN);
            }
            if (ldapContext != null) {
                try {
                    ldapContext.close();
                } catch (NamingException e2) {
                    this.log.warn("Error closing context", e2);
                }
            }
            return Boolean.valueOf(((CommonLoginModule) this).loginOk);
        } catch (Throwable th) {
            if (ldapContext != null) {
                try {
                    ldapContext.close();
                } catch (NamingException e3) {
                    this.log.warn("Error closing context", e3);
                }
            }
            throw th;
        }
    }

    protected LdapContext constructLdapContext(String str, Object obj, String str2) throws LoginException {
        Properties createBaseProperties = createBaseProperties();
        if (createBaseProperties.getProperty("java.naming.factory.initial") == null) {
            createBaseProperties.setProperty("java.naming.factory.initial", DEFAULT_LDAP_CTX_FACTORY);
        }
        if (str2 != null && str2.length() > 0) {
            createBaseProperties.setProperty("java.naming.security.authentication", str2);
        } else if (createBaseProperties.getProperty("java.naming.security.authentication") == null) {
            createBaseProperties.setProperty("java.naming.security.authentication", AUTH_TYPE_SIMPLE);
        }
        String property = createBaseProperties.getProperty("java.naming.security.protocol");
        if (((String) this.options.get("java.naming.provider.url")) == null) {
            createBaseProperties.setProperty("java.naming.provider.url", PROTOCOL_SSL.equals(property) ? DEFAULT_SSL_URL : DEFAULT_URL);
        }
        if (str != null) {
            createBaseProperties.setProperty("java.naming.security.principal", str);
        }
        if (obj != null) {
            createBaseProperties.put("java.naming.security.credentials", obj);
        }
        traceLdapEnv(createBaseProperties);
        try {
            return new InitialLdapContext(createBaseProperties, (Control[]) null);
        } catch (NamingException e) {
            LoginException loginException = new LoginException("Unable to create new InitialLdapContext");
            loginException.initCause(e);
            throw loginException;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Properties createBaseProperties() {
        Properties properties = new Properties();
        for (Map.Entry entry : this.options.entrySet()) {
            properties.put(entry.getKey(), entry.getValue());
        }
        return properties;
    }

    protected String findUserDN(LdapContext ldapContext) throws LoginException {
        if (this.baseCtxDN == null) {
            return getIdentity().getName();
        }
        try {
            NamingEnumeration search = ldapContext.search(this.baseCtxDN, this.baseFilter, new Object[]{getIdentity().getName()}, this.userSearchControls);
            if (!search.hasMore()) {
                search.close();
                throw new LoginException("Search of baseDN(" + this.baseCtxDN + ") found no matches");
            }
            SearchResult searchResult = (SearchResult) search.next();
            String name = searchResult.getName();
            if (!searchResult.isRelative()) {
                throw new LoginException("Can't follow referal for authentication: " + name);
            }
            String str = name + "," + this.baseCtxDN;
            search.close();
            if (this.log.isTraceEnabled()) {
                this.log.trace("findUserDN - " + str);
            }
            return str;
        } catch (NamingException e) {
            LoginException loginException = new LoginException("Unable to find user DN");
            loginException.initCause(e);
            throw loginException;
        }
    }

    protected void authenticate(String str) throws LoginException {
        char[] credential = getCredential();
        if (credential.length == 0 && !this.allowEmptyPassword) {
            this.log.trace("Rejecting empty password.");
            return;
        }
        try {
            constructLdapContext(str, credential, null).close();
            ((CommonLoginModule) this).loginOk = true;
            if (getUseFirstPass()) {
                this.sharedState.put("javax.security.auth.login.name", getIdentity().getName());
                this.sharedState.put("javax.security.auth.login.password", credential);
            }
        } catch (NamingException e) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("Authentication failed - " + e.getMessage());
            }
            LoginException loginException = new LoginException("Authentication failed");
            loginException.initCause(e);
            throw loginException;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void rolesSearch(LdapContext ldapContext, String str) throws LoginException {
        Object[] objArr = {getIdentity().getName(), str};
        NamingEnumeration namingEnumeration = null;
        try {
            try {
                if (this.log.isTraceEnabled()) {
                    this.log.trace("rolesCtxDN=" + this.rolesCtxDN + " roleFilter=" + this.roleFilter + " filterArgs[0]=" + objArr[0] + " filterArgs[1]=" + objArr[1]);
                }
                if (this.roleFilter == null || this.roleFilter.length() <= 0) {
                    obtainRole(ldapContext, str);
                } else {
                    namingEnumeration = ldapContext.search(this.rolesCtxDN, this.roleFilter, objArr, this.roleSearchControls);
                    while (namingEnumeration.hasMore()) {
                        obtainRole(ldapContext, canonicalize(((SearchResult) namingEnumeration.next()).getName()));
                    }
                }
                if (namingEnumeration != null) {
                    try {
                        namingEnumeration.close();
                    } catch (NamingException e) {
                        this.log.warn("Problem closing results", e);
                    }
                }
            } catch (NamingException e2) {
                LoginException loginException = new LoginException("Error finding roles");
                loginException.initCause(e2);
                throw loginException;
            }
        } catch (Throwable th) {
            if (0 != 0) {
                try {
                    namingEnumeration.close();
                } catch (NamingException e3) {
                    this.log.warn("Problem closing results", e3);
                }
            }
            throw th;
        }
    }

    protected void obtainRole(LdapContext ldapContext, String str) throws NamingException, LoginException {
        if (this.log.isTraceEnabled()) {
            this.log.trace("rolesSearch resultDN = " + str);
        }
        Attributes attributes = ldapContext.getAttributes(str, new String[]{this.roleAttributeID});
        if (attributes == null || attributes.size() <= 0) {
            return;
        }
        Attribute attribute = attributes.get(this.roleAttributeID);
        for (int i = 0; i < attribute.size(); i++) {
            String str2 = (String) attribute.get(i);
            if (this.roleAttributeIsDN) {
                loadRoleByRoleNameAttributeID(ldapContext, "\"" + str2 + "\"");
                recurseRolesSearch(ldapContext, str2);
            } else {
                addRole(str2);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void loadRoleByRoleNameAttributeID(LdapContext ldapContext, String str) {
        String[] strArr = {this.roleNameAttributeID};
        boolean isTraceEnabled = this.log.isTraceEnabled();
        if (isTraceEnabled) {
            this.log.trace("Using roleDN: " + str);
        }
        try {
            Attribute attribute = ldapContext.getAttributes(str, strArr).get(this.roleNameAttributeID);
            if (attribute != null) {
                for (int i = 0; i < attribute.size(); i++) {
                    addRole((String) attribute.get(i));
                }
            }
        } catch (NamingException e) {
            if (isTraceEnabled) {
                this.log.trace("Failed to query roleNameAttrName", e);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void recurseRolesSearch(LdapContext ldapContext, String str) throws LoginException {
        boolean isTraceEnabled = this.log.isTraceEnabled();
        if (this.recurseRoles) {
            if (this.processedRoleDNs.contains(str)) {
                if (isTraceEnabled) {
                    this.log.trace("Already visited role '" + str + "' ending recursion.");
                }
            } else {
                this.processedRoleDNs.add(str);
                if (isTraceEnabled) {
                    this.log.trace("Recursive search for '" + str + "'");
                }
                rolesSearch(ldapContext, str);
            }
        }
    }

    protected void traceLdapEnv(Properties properties) {
        if (this.log.isTraceEnabled()) {
            Properties properties2 = new Properties();
            properties2.putAll(properties);
            String property = properties2.getProperty("java.naming.security.credentials");
            if (property != null && property.length() > 0) {
                properties2.setProperty("java.naming.security.credentials", "***");
            }
            this.log.trace("Logging into LDAP server, env=" + properties2.toString());
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public String canonicalize(String str) {
        return str.endsWith("\"") ? str.substring(0, str.length() - 1) + "," + this.rolesCtxDN + "\"" : str + "," + this.rolesCtxDN;
    }

    private void addRole(String str) {
        if (str != null) {
            try {
                Principal createIdentity = super.createIdentity(str);
                if (this.log.isTraceEnabled()) {
                    this.log.trace("Assign user '" + getIdentity().getName() + "' to role " + str);
                }
                this.userRoles.addMember(createIdentity);
            } catch (Exception e) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Failed to create principal: " + str, e);
                }
            }
        }
    }
}
