package com.liferay.portal.security.ldap.internal.authenticator;

import com.liferay.admin.kernel.util.Omniadmin;
import com.liferay.portal.kernel.exception.PasswordExpiredException;
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.exception.UserLockoutException;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.model.User;
import com.liferay.portal.kernel.security.auth.AuthException;
import com.liferay.portal.kernel.security.auth.Authenticator;
import com.liferay.portal.kernel.security.ldap.LDAPSettings;
import com.liferay.portal.kernel.security.pwd.PasswordEncryptor;
import com.liferay.portal.kernel.service.UserLocalService;
import com.liferay.portal.kernel.util.AutoResetThreadLocal;
import com.liferay.portal.kernel.util.GetterUtil;
import com.liferay.portal.kernel.util.MapUtil;
import com.liferay.portal.kernel.util.Props;
import com.liferay.portal.kernel.util.StringBundler;
import com.liferay.portal.kernel.util.StringUtil;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.security.ldap.PortalLDAP;
import com.liferay.portal.security.ldap.UserConverterKeys;
import com.liferay.portal.security.ldap.authenticator.configuration.LDAPAuthConfiguration;
import com.liferay.portal.security.ldap.configuration.ConfigurationProvider;
import com.liferay.portal.security.ldap.configuration.LDAPServerConfiguration;
import com.liferay.portal.security.ldap.configuration.SystemLDAPConfiguration;
import com.liferay.portal.security.ldap.exportimport.LDAPUserImporter;
import com.liferay.portal.security.ldap.exportimport.configuration.LDAPImportConfiguration;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

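/**
 * Authenticates portal users against one or more LDAP servers as a pre-pipeline
 * {@link Authenticator} (registered under {@code key=auth.pipeline.pre}).
 *
 * <p>Each public entry point resolves the user in the directory, verifies the
 * submitted password either by binding as the resolved user DN
 * ({@link #AUTH_METHOD_BIND}) or by comparing it against the entry's
 * {@code userPassword} attribute ({@link #AUTH_METHOD_PASSWORD_COMPARE}),
 * imports the user into the portal, and answers with one of the
 * {@link Authenticator} result codes ({@code SUCCESS}, {@code FAILURE},
 * {@code DNE}, {@code SKIP_LIFERAY_CHECK}).
 *
 * <p>Failed bind results are remembered per thread (keyed by provider URL,
 * principal and credentials) so that an identical bind is not retried against
 * the directory within the same thread.
 */
@Component(immediate = true, property = {"key=auth.pipeline.pre"}, service = {Authenticator.class})
public class LDAPAuth implements Authenticator {

    /** Verify the password by binding to the directory as the resolved user DN. */
    public static final String AUTH_METHOD_BIND = "bind";

    /**
     * Verify the password by comparing it (after encryption with the configured
     * algorithm, if any) against the entry's {@code userPassword} attribute.
     */
    public static final String AUTH_METHOD_PASSWORD_COMPARE = "password-compare";

    /** OID of the "password expiration warning" bind response control. */
    public static final String RESULT_PASSWORD_EXP_WARNING = "2.16.840.1.113730.3.4.5";

    /** OID of the "password must be reset" bind response control. */
    public static final String RESULT_PASSWORD_RESET = "2.16.840.1.113730.3.4.4";

    private static final Log _log = LogFactoryUtil.getLog(LDAPAuth.class);

    // Mirrors the auth.pipeline.enable.liferay.check portal property; read once in activate()
    private boolean _authPipelineEnableLiferayCheck;

    // Per-thread cache of failed bind results, keyed as built by getKey(). NOTE(review):
    // the key embeds the submitted credentials in clear text for the lifetime of the
    // thread-local value, exactly as the JNDI environment it is derived from does.
    private final ThreadLocal<Map<String, LDAPAuthResult>> _failedLDAPAuthResults =
        new AutoResetThreadLocal<Map<String, LDAPAuthResult>>(
            LDAPAuth.class + "._failedLDAPAuthResultCache", new HashMap<String, LDAPAuthResult>());

    private ConfigurationProvider<LDAPAuthConfiguration> _ldapAuthConfigurationProvider;
    private ConfigurationProvider<LDAPImportConfiguration> _ldapImportConfigurationProvider;
    private ConfigurationProvider<LDAPServerConfiguration> _ldapServerConfigurationProvider;
    private LDAPSettings _ldapSettings;
    private LDAPUserImporter _ldapUserImporter;
    private Omniadmin _omniadmin;
    private PasswordEncryptor _passwordEncryptor;
    private PortalLDAP _portalLDAP;
    private Props _props;
    private ConfigurationProvider<SystemLDAPConfiguration> _systemLDAPConfigurationProvider;
    private UserLocalService _userLocalService;

    /**
     * Authenticates a user identified by email address.
     *
     * @param  companyId the company the user belongs to
     * @param  emailAddress the user's email address
     * @param  password the submitted password
     * @param  headerMap request headers (unused)
     * @param  parameterMap request parameters (unused)
     * @return one of the {@link Authenticator} result codes
     * @throws AuthException wrapping any exception that escapes the LDAP round trip
     */
    @Override
    public int authenticateByEmailAddress(
            long companyId, String emailAddress, String password, Map<String, String[]> headerMap,
            Map<String, String[]> parameterMap)
        throws AuthException {

        try {
            return authenticate(companyId, emailAddress, "", 0L, password);
        } catch (Exception e) {
            _log.error(e, e);
            throw new AuthException(e);
        }
    }

    /**
     * Authenticates a user identified by screen name.
     *
     * @param  companyId the company the user belongs to
     * @param  screenName the user's screen name
     * @param  password the submitted password
     * @param  headerMap request headers (unused)
     * @param  parameterMap request parameters (unused)
     * @return one of the {@link Authenticator} result codes
     * @throws AuthException wrapping any exception that escapes the LDAP round trip
     */
    @Override
    public int authenticateByScreenName(
            long companyId, String screenName, String password, Map<String, String[]> headerMap,
            Map<String, String[]> parameterMap)
        throws AuthException {

        try {
            return authenticate(companyId, "", screenName, 0L, password);
        } catch (Exception e) {
            _log.error(e, e);
            throw new AuthException(e);
        }
    }

    /**
     * Authenticates a user identified by portal user ID.
     *
     * @param  companyId the company the user belongs to
     * @param  userId the portal user ID
     * @param  password the submitted password
     * @param  headerMap request headers (unused)
     * @param  parameterMap request parameters (unused)
     * @return one of the {@link Authenticator} result codes
     * @throws AuthException wrapping any exception that escapes the LDAP round trip
     */
    @Override
    public int authenticateByUserId(
            long companyId, long userId, String password, Map<String, String[]> headerMap,
            Map<String, String[]> parameterMap)
        throws AuthException {

        try {
            return authenticate(companyId, "", "", userId, password);
        } catch (Exception e) {
            _log.error(e, e);
            throw new AuthException(e);
        }
    }

    /**
     * Reads the {@code auth.pipeline.enable.liferay.check} portal property once at
     * component activation; it decides whether omniadmins may bypass a required LDAP
     * authentication (see {@link #authenticateOmniadmin}).
     *
     * @param properties component properties (unused)
     */
    @Activate
    protected void activate(Map<String, Object> properties) {
        _authPipelineEnableLiferayCheck = GetterUtil.getBoolean(_props.get("auth.pipeline.enable.liferay.check"));
    }

    /**
     * Verifies {@code password} for the directory entry {@code userDN} using the
     * authentication method configured for the company.
     *
     * @param  ldapContext an open context to the LDAP server; its environment is used
     *         as the template for the bind
     * @param  companyId the company whose LDAP auth configuration applies
     * @param  attributes the entry's attributes (the {@code userPassword} attribute
     *         is read in password-compare mode)
     * @param  userDN the entry's distinguished name
     * @param  password the submitted password
     * @return the result; never {@code null}. An unknown method yields an
     *         unauthenticated result carrying an explanatory error message.
     * @throws Exception if the configuration lookup or password encryption fails
     */
    protected LDAPAuthResult authenticate(
            LdapContext ldapContext, long companyId, Attributes attributes, String userDN, String password)
        throws Exception {

        LDAPAuthConfiguration ldapAuthConfiguration = _ldapAuthConfigurationProvider.getConfiguration(companyId);

        String authMethod = ldapAuthConfiguration.method();

        if (AUTH_METHOD_BIND.equals(authMethod)) {
            return _authenticateByBind(ldapContext, companyId, userDN, password);
        }

        if (AUTH_METHOD_PASSWORD_COMPARE.equals(authMethod)) {
            return _authenticateByPasswordCompare(ldapAuthConfiguration, attributes, userDN, password);
        }

        // Fail closed on a misconfigured method instead of handing a null result to the caller
        LDAPAuthResult ldapAuthResult = new LDAPAuthResult();

        ldapAuthResult.setAuthenticated(false);
        ldapAuthResult.setErrorMessage("Unsupported LDAP authentication method: " + authMethod);

        return ldapAuthResult;
    }

    /**
     * Authenticates against one specific LDAP server: searches the user, verifies the
     * password, imports the user, and maps bind errors to lockout / password-expired
     * exceptions.
     *
     * @param  ldapServerId the LDAP server to use
     * @param  companyId the company
     * @param  emailAddress the email address to search for (may be empty)
     * @param  screenName the screen name to search for (may be empty)
     * @param  userId the portal user ID to search for ({@code 0} if unknown)
     * @param  password the submitted password
     * @return {@code SUCCESS}, {@code DNE} if no entry matched the auth search filter,
     *         or {@code FAILURE} if the password was rejected, the server is not
     *         configured, or the directory could not be reached
     * @throws UserLockoutException.LDAPLockout if the bind error message contains a
     *         configured lockout keyword
     * @throws PasswordExpiredException if the bind error message contains a
     *         configured password-expired keyword
     * @throws Exception if closing the context or enumeration fails
     */
    protected int authenticate(
            long ldapServerId, long companyId, String emailAddress, String screenName, long userId,
            String password)
        throws Exception {

        LdapContext ldapContext = _portalLDAP.getContext(ldapServerId, companyId);

        if (ldapContext == null) {
            if (_log.isDebugEnabled()) {
                _log.debug(
                    "No LDAP server configuration available for LDAP server " + ldapServerId + " and company " +
                        companyId);
            }

            return FAILURE;
        }

        NamingEnumeration<SearchResult> searchResults = null;

        try {
            LDAPServerConfiguration ldapServerConfiguration = _ldapServerConfigurationProvider.getConfiguration(
                companyId, ldapServerId);

            String baseDN = ldapServerConfiguration.baseDN();

            String authSearchFilter = _ldapSettings.getAuthSearchFilter(
                ldapServerId, companyId, emailAddress, screenName, String.valueOf(userId));

            searchResults = ldapContext.search(
                baseDN, authSearchFilter, _getAuthSearchControls(ldapServerId, companyId));

            if (!searchResults.hasMoreElements()) {
                if (_log.isDebugEnabled()) {
                    _log.debug("No results found with search filter: " + authSearchFilter);
                }

                return DNE;
            }

            if (_log.isDebugEnabled()) {
                _log.debug("Found results with search filter: " + authSearchFilter);
            }

            String userDN = _portalLDAP.getNameInNamespace(ldapServerId, companyId, searchResults.nextElement());

            Attributes userAttributes = _portalLDAP.getUserAttributes(ldapServerId, companyId, ldapContext, userDN);

            LDAPAuthResult ldapAuthResult = authenticate(ldapContext, companyId, userAttributes, userDN, password);

            // Only a verified password is handed to the importer, so a rejected guess is never stored
            String importPassword = ldapAuthResult.isAuthenticated() ? password : "";

            User user = _ldapUserImporter.importUser(ldapServerId, companyId, ldapContext, userAttributes, importPassword);

            _throwIfLockedOutOrExpired(companyId, userDN, ldapAuthResult.getErrorMessage());

            if (ldapAuthResult.isAuthenticated()) {
                if ((user != null) && RESULT_PASSWORD_RESET.equals(ldapAuthResult.getResponseControl())) {
                    _userLocalService.updatePasswordReset(user.getUserId(), true);
                }

                return SUCCESS;
            }

            if (_log.isDebugEnabled()) {
                StringBundler sb = new StringBundler(10);

                sb.append("Unable to authenticate with ");
                sb.append(userDN);
                sb.append(" on LDAP server ");
                sb.append(ldapServerId);
                sb.append(", company ");
                sb.append(companyId);
                sb.append(", and LDAP context ");
                sb.append(ldapContext);
                sb.append(": ");
                sb.append(ldapAuthResult.getErrorMessage());

                _log.debug(sb.toString());
            }

            return FAILURE;
        } catch (PasswordExpiredException | UserLockoutException e) {
            // Account-state signals must reach the pipeline unchanged
            throw e;
        } catch (Exception e) {
            _log.error("Problem accessing LDAP server", e);

            return FAILURE;
        } finally {
            // Close on every path, including the exception path (the enumeration was previously leaked there)
            if (searchResults != null) {
                searchResults.close();
            }

            ldapContext.close();
        }
    }

    /**
     * Authenticates a user against the company's LDAP servers: first the user's
     * preferred server, then every other configured server.
     *
     * @param  companyId the company
     * @param  emailAddress the email address (empty when authenticating by screen name or ID)
     * @param  screenName the screen name (empty when authenticating by email or ID)
     * @param  userId the portal user ID ({@code 0} when authenticating by email or screen name)
     * @param  password the submitted password
     * @return {@code SUCCESS} when LDAP authentication is disabled or succeeded with
     *         password import enabled; {@code SKIP_LIFERAY_CHECK} when it succeeded
     *         with password import disabled; otherwise the verdict of
     *         {@link #authenticateRequired}
     * @throws Exception if any server round trip fails with an unrecoverable error
     */
    protected int authenticate(long companyId, String emailAddress, String screenName, long userId, String password)
        throws Exception {

        if (!_ldapAuthConfigurationProvider.getConfiguration(companyId).enabled()) {
            if (_log.isDebugEnabled()) {
                _log.debug("Authenticator is not enabled");
            }

            return SUCCESS;
        }

        if (_log.isDebugEnabled()) {
            _log.debug("Authenticator is enabled");
        }

        long preferredLDAPServerId = getPreferredLDAPServer(companyId, emailAddress, screenName, userId);

        int preferredLDAPServerResult = authenticateAgainstPreferredLDAPServer(
            companyId, preferredLDAPServerId, emailAddress, screenName, userId, password);

        LDAPImportConfiguration ldapImportConfiguration = _ldapImportConfigurationProvider.getConfiguration(companyId);

        if (preferredLDAPServerResult == SUCCESS) {
            if (_log.isDebugEnabled()) {
                _log.debug("Found preferred LDAP server");
            }

            if (ldapImportConfiguration.importUserPasswordEnabled()) {
                if (_log.isDebugEnabled()) {
                    _log.debug("Import user password enabled");
                }

                return SUCCESS;
            }

            if (_log.isDebugEnabled()) {
                _log.debug("Import user password disabled");
            }

            return SKIP_LIFERAY_CHECK;
        }

        for (LDAPServerConfiguration ldapServerConfiguration :
                _ldapServerConfigurationProvider.getConfigurations(companyId)) {

            long ldapServerId = ldapServerConfiguration.ldapServerId();

            if (ldapServerId == preferredLDAPServerId) {
                // Already tried above
                if (_log.isDebugEnabled()) {
                    _log.debug("Bypassing preferred LDAP server");
                }

                continue;
            }

            int result = authenticate(ldapServerId, companyId, emailAddress, screenName, userId, password);

            if (result == SUCCESS) {
                if (ldapImportConfiguration.importUserPasswordEnabled()) {
                    return SUCCESS;
                }

                return SKIP_LIFERAY_CHECK;
            }
        }

        return authenticateRequired(companyId, userId, emailAddress, screenName, true, FAILURE);
    }

    /**
     * Authenticates against the user's preferred LDAP server, if it is known and has
     * a provider URL configured.
     *
     * @param  companyId the company
     * @param  ldapServerId the preferred server, or a negative value if none is known
     * @param  emailAddress the email address (may be empty)
     * @param  screenName the screen name (may be empty)
     * @param  userId the portal user ID ({@code 0} if unknown)
     * @param  password the submitted password
     * @return the server's verdict, or {@code DNE} when no usable preferred server exists
     * @throws Exception if the server round trip fails
     */
    protected int authenticateAgainstPreferredLDAPServer(
            long companyId, long ldapServerId, String emailAddress, String screenName, long userId,
            String password)
        throws Exception {

        if (ldapServerId < 0) {
            return DNE;
        }

        LDAPServerConfiguration ldapServerConfiguration = _ldapServerConfigurationProvider.getConfiguration(
            companyId, ldapServerId);

        if (Validator.isNull(ldapServerConfiguration.baseProviderURL())) {
            return DNE;
        }

        return authenticate(ldapServerId, companyId, emailAddress, screenName, userId, password);
    }

    /**
     * Decides whether the identified user is an omniadmin who may bypass LDAP
     * (only when {@code auth.pipeline.enable.liferay.check} is set).
     *
     * @param  companyId the company
     * @param  emailAddress the email address (checked first when non-empty)
     * @param  screenName the screen name (checked when the email address is empty)
     * @param  userId the portal user ID (takes precedence when positive)
     * @return {@code SUCCESS} if the user is an omniadmin, else {@code FAILURE}
     * @throws Exception if the user lookup fails
     */
    protected int authenticateOmniadmin(long companyId, String emailAddress, String screenName, long userId)
        throws Exception {

        if (!_authPipelineEnableLiferayCheck) {
            return FAILURE;
        }

        if (userId > 0) {
            return _omniadmin.isOmniadmin(userId) ? SUCCESS : FAILURE;
        }

        User user = null;

        if (Validator.isNotNull(emailAddress)) {
            user = _userLocalService.fetchUserByEmailAddress(companyId, emailAddress);
        } else if (Validator.isNotNull(screenName)) {
            user = _userLocalService.fetchUserByScreenName(companyId, screenName);
        }

        if ((user != null) && _omniadmin.isOmniadmin(user)) {
            return SUCCESS;
        }

        return FAILURE;
    }

    /**
     * Final verdict when no LDAP server accepted the credentials.
     *
     * @param  companyId the company
     * @param  userId the portal user ID ({@code 0} if unknown)
     * @param  emailAddress the email address (may be empty)
     * @param  screenName the screen name (may be empty)
     * @param  allowOmniadmin whether an omniadmin may bypass a required LDAP login
     * @param  failureCode the code to return when LDAP authentication is required
     * @return {@code SUCCESS} if the omniadmin bypass applies or LDAP is not required,
     *         otherwise {@code failureCode}
     * @throws Exception if the omniadmin lookup fails
     */
    protected int authenticateRequired(
            long companyId, long userId, String emailAddress, String screenName, boolean allowOmniadmin,
            int failureCode)
        throws Exception {

        if (allowOmniadmin && (authenticateOmniadmin(companyId, emailAddress, screenName, userId) == SUCCESS)) {
            return SUCCESS;
        }

        if (_ldapAuthConfigurationProvider.getConfiguration(companyId).required()) {
            return failureCode;
        }

        return SUCCESS;
    }

    /**
     * Looks up a previously cached failed bind for the same provider URL, principal
     * and credentials on the current thread.
     *
     * @param  environment the JNDI environment of the attempted bind
     * @return the cached result, or {@code null} if this bind has not failed on this thread
     */
    protected LDAPAuthResult getFailedLDAPAuthResult(Map<String, Object> environment) {
        Map<String, LDAPAuthResult> failedLDAPAuthResults = _failedLDAPAuthResults.get();

        return failedLDAPAuthResults.get(getKey(environment));
    }

    /**
     * Builds the failed-bind cache key: {@code providerURL#principal#credentials}.
     * Missing entries contribute an empty string.
     *
     * @param  environment the JNDI environment of the attempted bind
     * @return the key
     */
    protected String getKey(Map<String, Object> environment) {
        StringBundler sb = new StringBundler(5);

        sb.append(MapUtil.getString(environment, Context.PROVIDER_URL));
        sb.append("#");
        sb.append(MapUtil.getString(environment, Context.SECURITY_PRINCIPAL));
        sb.append("#");
        sb.append(MapUtil.getString(environment, Context.SECURITY_CREDENTIALS));

        return sb.toString();
    }

    /**
     * Returns the LDAP server ID stored on the portal user record, resolving the user
     * by ID, then email address, then screen name.
     *
     * @param  companyId the company
     * @param  emailAddress the email address (may be empty)
     * @param  screenName the screen name (may be empty)
     * @param  userId the portal user ID ({@code 0} if unknown)
     * @return the user's LDAP server ID, or {@code -1} if the user cannot be resolved
     * @throws PortalException if the user lookup fails
     */
    protected long getPreferredLDAPServer(long companyId, String emailAddress, String screenName, long userId)
        throws PortalException {

        User user;

        if (userId > 0) {
            user = _userLocalService.fetchUserById(userId);
        } else if (Validator.isNotNull(emailAddress)) {
            user = _userLocalService.fetchUserByEmailAddress(companyId, emailAddress);
        } else if (Validator.isNotNull(screenName)) {
            user = _userLocalService.fetchUserByScreenName(companyId, screenName);
        } else {
            if (_log.isDebugEnabled()) {
                _log.debug("Unable to get preferred LDAP server");
            }

            return -1L;
        }

        if (user == null) {
            if (_log.isDebugEnabled()) {
                _log.debug("Unable to get user " + userId);
            }

            return -1L;
        }

        if (_log.isDebugEnabled()) {
            _log.debug("Using LDAP server " + user.getLdapServerId() + " to authenticate user " + userId);
        }

        return user.getLdapServerId();
    }

    /**
     * Extracts the {@code {algorithm}} prefix of a stored password value.
     *
     * <p>Despite its name this method returns the prefix itself (e.g. {@code {SHA}}),
     * not the remainder; the input is returned unchanged when it carries no complete
     * {@code {...}} prefix.
     *
     * @param  password the stored password value (may be {@code null})
     * @return the {@code {...}} prefix, or {@code password} when there is none
     */
    protected String removeEncryptionAlgorithm(String password) {
        if (_log.isDebugEnabled()) {
            _log.debug("Removing encryption algorithm");
        }

        if (password == null) {
            return null;
        }

        int open = password.indexOf('{');

        if (open == -1) {
            return password;
        }

        // Search for the closing brace after the opening one, so "}...{" cannot yield an inverted range
        int close = password.indexOf('}', open);

        if (close == -1) {
            return password;
        }

        return password.substring(open, close + 1);
    }

    /** Injects the LDAP auth configuration provider. */
    @Reference(target = "(factoryPid=com.liferay.portal.security.ldap.authenticator.configuration.LDAPAuthConfiguration)", unbind = "-")
    protected void setConfigurationProvider(ConfigurationProvider<LDAPAuthConfiguration> configurationProvider) {
        _ldapAuthConfigurationProvider = configurationProvider;
    }

    /**
     * Remembers a failed bind for the current thread. The first failure for a key
     * wins; later ones are ignored.
     *
     * @param environment the JNDI environment of the failed bind
     * @param ldapAuthResult the failed result to cache
     */
    protected void setFailedLDAPAuthResult(Map<String, Object> environment, LDAPAuthResult ldapAuthResult) {
        Map<String, LDAPAuthResult> failedLDAPAuthResults = _failedLDAPAuthResults.get();

        String key = getKey(environment);

        if (!failedLDAPAuthResults.containsKey(key)) {
            failedLDAPAuthResults.put(key, ldapAuthResult);
        }
    }

    /** Injects the LDAP import configuration provider. */
    @Reference(target = "(factoryPid=com.liferay.portal.security.ldap.exportimport.configuration.LDAPImportConfiguration)", unbind = "-")
    protected void setLDAPImportConfigurationProvider(
        ConfigurationProvider<LDAPImportConfiguration> configurationProvider) {

        _ldapImportConfigurationProvider = configurationProvider;
    }

    /** Injects the LDAP server configuration provider. */
    @Reference(target = "(factoryPid=com.liferay.portal.security.ldap.configuration.LDAPServerConfiguration)", unbind = "-")
    protected void setLDAPServerConfigurationProvider(
        ConfigurationProvider<LDAPServerConfiguration> configurationProvider) {

        _ldapServerConfigurationProvider = configurationProvider;
    }

    /** Injects the LDAP settings (search filters and attribute mappings). */
    @Reference(unbind = "-")
    protected void setLdapSettings(LDAPSettings ldapSettings) {
        _ldapSettings = ldapSettings;
    }

    /** Injects the importer that mirrors LDAP entries into portal users. */
    @Reference(unbind = "-")
    protected void setLdapUserImporter(LDAPUserImporter ldapUserImporter) {
        _ldapUserImporter = ldapUserImporter;
    }

    /** Injects the omniadmin checker. */
    @Reference(unbind = "-")
    protected void setOmniadmin(Omniadmin omniadmin) {
        _omniadmin = omniadmin;
    }

    /** Injects the password encryptor used in password-compare mode. */
    @Reference(unbind = "-")
    protected void setPasswordEncryptor(PasswordEncryptor passwordEncryptor) {
        _passwordEncryptor = passwordEncryptor;
    }

    /** Injects the portal LDAP facade (contexts, name resolution, attribute reads). */
    @Reference(unbind = "-")
    protected void setPortalLDAP(PortalLDAP portalLDAP) {
        _portalLDAP = portalLDAP;
    }

    /** Injects the portal properties. */
    @Reference(unbind = "-")
    protected void setProps(Props props) {
        _props = props;
    }

    /** Injects the system LDAP configuration provider (referral mode, error keywords). */
    @Reference(target = "(factoryPid=com.liferay.portal.security.ldap.configuration.SystemLDAPConfiguration)", unbind = "-")
    protected void setSystemLDAPConfigurationProvider(
        ConfigurationProvider<SystemLDAPConfiguration> configurationProvider) {

        _systemLDAPConfigurationProvider = configurationProvider;
    }

    /** Injects the user service. */
    @Reference(unbind = "-")
    protected void setUserLocalService(UserLocalService userLocalService) {
        _userLocalService = userLocalService;
    }

    /**
     * Bind-mode verification: opens a fresh, unpooled connection authenticated as
     * {@code userDN} with {@code password} and records the bind response controls.
     */
    private LDAPAuthResult _authenticateByBind(LdapContext ldapContext, long companyId, String userDN, String password)
        throws Exception {

        LDAPAuthResult ldapAuthResult = new LDAPAuthResult();

        // An empty password would turn the simple bind into an anonymous/unauthenticated
        // bind, which many directories accept; refuse it before touching the environment.
        if (Validator.isNull(userDN) || Validator.isNull(password)) {
            ldapAuthResult.setAuthenticated(false);
            ldapAuthResult.setErrorMessage("Refusing bind with empty credentials");

            return ldapAuthResult;
        }

        SystemLDAPConfiguration systemLDAPConfiguration = _systemLDAPConfigurationProvider.getConfiguration(companyId);

        // JNDI exposes the environment as Hashtable<?, ?>; the keys written here are all Strings
        @SuppressWarnings("unchecked")
        Hashtable<String, Object> environment = (Hashtable<String, Object>)ldapContext.getEnvironment();

        environment.put(Context.REFERRAL, systemLDAPConfiguration.referral());
        environment.put(Context.SECURITY_CREDENTIALS, password);
        environment.put(Context.SECURITY_PRINCIPAL, userDN);

        // A pooled connection would be reused with the user's credentials; bind on a dedicated one
        environment.put("com.sun.jndi.ldap.connect.pool", "false");

        LDAPAuthResult failedLDAPAuthResult = getFailedLDAPAuthResult(environment);

        if (failedLDAPAuthResult != null) {
            return failedLDAPAuthResult;
        }

        InitialLdapContext initialLdapContext = null;

        try {
            initialLdapContext = new InitialLdapContext(environment, null);

            Control[] responseControls = initialLdapContext.getResponseControls();

            ldapAuthResult.setAuthenticated(true);
            ldapAuthResult.setResponseControl(responseControls);
        } catch (Exception e) {
            if (_log.isDebugEnabled()) {
                // The submitted password is deliberately kept out of the log
                _log.debug("Failed to bind to the LDAP server with userDN " + userDN, e);
            }

            ldapAuthResult.setAuthenticated(false);
            ldapAuthResult.setErrorMessage(e.getMessage());

            setFailedLDAPAuthResult(environment, ldapAuthResult);
        } finally {
            if (initialLdapContext != null) {
                initialLdapContext.close();
            }
        }

        return ldapAuthResult;
    }

    /**
     * Password-compare verification: the submitted password (encrypted with the
     * configured algorithm when one is set) must equal the entry's stored
     * {@code userPassword} value.
     */
    private LDAPAuthResult _authenticateByPasswordCompare(
            LDAPAuthConfiguration ldapAuthConfiguration, Attributes attributes, String userDN, String password)
        throws Exception {

        LDAPAuthResult ldapAuthResult = new LDAPAuthResult();

        // Explicit, so the verdict does not depend on LDAPAuthResult's default
        ldapAuthResult.setAuthenticated(false);

        Attribute userPasswordAttribute = attributes.get("userPassword");

        if (userPasswordAttribute == null) {
            return ldapAuthResult;
        }

        String ldapPassword = new String((byte[])userPasswordAttribute.get(), StandardCharsets.UTF_8);

        // The candidate is the submitted password itself; it is only replaced by its
        // encrypted form when an algorithm is configured. (The stored value must never
        // be compared against a value derived from itself, or any password would pass.)
        String candidatePassword = password;

        String algorithm = ldapAuthConfiguration.passwordEncryptionAlgorithm();

        if (Validator.isNotNull(algorithm)) {
            candidatePassword = _passwordEncryptor.encrypt(algorithm, password, ldapPassword);
        }

        // Length-independent comparison so a mismatch does not leak how many leading bytes matched
        if ((candidatePassword != null) &&
            MessageDigest.isEqual(
                ldapPassword.getBytes(StandardCharsets.UTF_8), candidatePassword.getBytes(StandardCharsets.UTF_8))) {

            ldapAuthResult.setAuthenticated(true);
        } else if (_log.isDebugEnabled()) {
            _log.debug("Passwords do not match for userDN " + userDN);
        }

        return ldapAuthResult;
    }

    /**
     * Search controls for the auth lookup: subtree scope, at most one entry, no time
     * limit, returning only the mapped screen-name attribute.
     */
    private SearchControls _getAuthSearchControls(long ldapServerId, long companyId) throws Exception {
        String screenNameAttribute = StringUtil.toLowerCase(
            GetterUtil.getString(
                _ldapSettings.getUserMappings(ldapServerId, companyId).getProperty(UserConverterKeys.SCREEN_NAME)));

        return new SearchControls(
            SearchControls.SUBTREE_SCOPE, 1L, 0, new String[] {screenNameAttribute}, false, false);
    }

    /**
     * Maps a bind error message to the account-state exceptions the pipeline
     * understands, using the keyword lists from the system LDAP configuration.
     *
     * @throws UserLockoutException.LDAPLockout if a lockout keyword matches
     * @throws PasswordExpiredException if a password-expired keyword matches
     */
    private void _throwIfLockedOutOrExpired(long companyId, String userDN, String errorMessage)
        throws PortalException {

        if (errorMessage == null) {
            return;
        }

        SystemLDAPConfiguration systemLDAPConfiguration = _systemLDAPConfigurationProvider.getConfiguration(companyId);

        for (String keyword : systemLDAPConfiguration.errorUserLockoutKeywords()) {
            if (errorMessage.contains(keyword)) {
                throw new UserLockoutException.LDAPLockout(userDN, errorMessage);
            }
        }

        for (String keyword : systemLDAPConfiguration.errorPasswordExpiredKeywords()) {
            if (errorMessage.contains(keyword)) {
                throw new PasswordExpiredException();
            }
        }
    }
}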
