package org.fcrepo.server.security.jaas.auth.module;

import com.mysql.jdbc.NonRegisteringDriver;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.text.MessageFormat;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.fcrepo.server.security.jaas.auth.UserPrincipal;
import org.fcrepo.server.security.jaas.util.Base64;
import org.mulgara.store.jxunit.DebugPrint;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/fcrepo-security-jaas-3.7.0.jar:org/fcrepo/server/security/jaas/auth/module/LdapModule.class */
public class LdapModule implements LoginModule {
    private static final Logger logger = LoggerFactory.getLogger(LdapModule.class);
    private static final String LDAP_PASSWORD_REGEX = "\\{(.+)\\}(.+)";
    private static final Pattern LDAP_PASSWORD_PATTERN = Pattern.compile(LDAP_PASSWORD_REGEX);
    private Subject subject = null;
    private CallbackHandler handler = null;
    private Map<String, ?> options = null;
    private String username = null;
    private UserPrincipal principal = null;
    private Map<String, Set<String>> attributes = null;
    private boolean debug = false;
    private boolean successLogin = false;

    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> map, Map<String, ?> map2) {
        this.subject = subject;
        this.handler = callbackHandler;
        this.options = map2;
        String str = (String) this.options.get(DebugPrint.DEBUG);
        if (str != null && "true".equalsIgnoreCase(str)) {
            this.debug = true;
        }
        this.attributes = new HashMap();
        if (this.debug) {
            logger.debug("login module initialised: " + getClass().getName());
        }
    }

    public boolean login() throws LoginException {
        boolean z;
        if (this.debug) {
            logger.debug(getClass().getName() + " login called.");
        }
        NameCallback[] nameCallbackArr = {new NameCallback("username"), new PasswordCallback(NonRegisteringDriver.PASSWORD_PROPERTY_KEY, false)};
        try {
            this.handler.handle(nameCallbackArr);
            this.username = nameCallbackArr[0].getName();
            char[] password = ((PasswordCallback) nameCallbackArr[1]).getPassword();
            if (isEmpty(password)) {
                try {
                    z = Boolean.valueOf(getOption("allow.anonymous", false)).booleanValue();
                } catch (Exception e) {
                    z = false;
                }
                if (!z) {
                    return false;
                }
            }
            this.successLogin = authenticate(this.username, new String(password));
            return this.successLogin;
        } catch (IOException e2) {
            e2.printStackTrace();
            throw new LoginException("IOException occured: " + e2.getMessage());
        } catch (UnsupportedCallbackException e3) {
            e3.printStackTrace();
            throw new LoginException("UnsupportedCallbackException encountered: " + e3.getMessage());
        }
    }

    public boolean commit() throws LoginException {
        if (!this.successLogin) {
            return false;
        }
        try {
            this.subject.getPrincipals().add(this.principal);
            this.subject.getPublicCredentials().add(this.attributes);
            return true;
        } catch (Exception e) {
            logger.error(e.getMessage(), (Throwable) e);
            return false;
        }
    }

    public boolean abort() throws LoginException {
        try {
            clear();
            return true;
        } catch (Exception e) {
            logger.error(e.getMessage(), (Throwable) e);
            return false;
        }
    }

    public boolean logout() throws LoginException {
        try {
            clear();
            return true;
        } catch (Exception e) {
            logger.error(e.getMessage(), (Throwable) e);
            return false;
        }
    }

    private void clear() {
        this.subject.getPrincipals().clear();
        this.subject.getPublicCredentials().clear();
        this.subject.getPrivateCredentials().clear();
        this.principal = null;
        this.username = null;
    }

    private boolean authenticate(String str, String str2) {
        try {
            String option = getOption("host.url", true);
            String option2 = getOption("auth.type", true);
            String option3 = getOption("bind.mode", true);
            String[] strArr = null;
            String option4 = getOption("attrs.fetch", false);
            if (option4 != null && !"".equals(option4)) {
                strArr = option4.split(" *, *");
            } else if (0 == 0 || strArr.length == 0) {
                strArr = new String[]{"cn", "sn", "mail", "displayName"};
            }
            Hashtable<String, String> hashtable = new Hashtable<>();
            hashtable.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
            hashtable.put("java.naming.security.authentication", option2);
            hashtable.put("java.naming.provider.url", option);
            if ("bind".equals(option3)) {
                if (this.debug) {
                    logger.debug("authenticating with mode: " + option3);
                }
                return bind(str, str2, hashtable, strArr);
            }
            if ("bind-search-compare".equals(option3)) {
                if (this.debug) {
                    logger.debug("authenticating with mode: " + option3);
                }
                return bindSearchX(str, str2, hashtable, strArr, false);
            }
            if (!"bind-search-bind".equals(option3)) {
                return false;
            }
            if (this.debug) {
                logger.debug("authenticating with mode: " + option3);
            }
            return bindSearchX(str, str2, hashtable, strArr, true);
        } catch (Exception e) {
            logger.error(e.getMessage());
            return false;
        } catch (NamingException e2) {
            logger.error(e2.getMessage());
            return false;
        }
    }

    private boolean bind(String str, String str2, Hashtable<String, String> hashtable, String[] strArr) throws Exception {
        String format = MessageFormat.format(getOption("bind.filter", true), str);
        if (this.debug) {
            logger.debug("authenticating user: {}", format);
        }
        hashtable.put("java.naming.security.principal", format);
        hashtable.put("java.naming.security.credentials", str2);
        makePrincipal(str, new InitialDirContext(hashtable).getAttributes(format, strArr));
        return true;
    }

    private boolean bindSearchX(String str, String str2, Hashtable<String, String> hashtable, String[] strArr, boolean z) throws Exception {
        String option = getOption("bind.user", true);
        String option2 = getOption("bind.pass", true);
        String option3 = getOption("search.base", true);
        String option4 = getOption("search.filter", true);
        hashtable.put("java.naming.security.principal", option);
        hashtable.put("java.naming.security.credentials", option2);
        try {
            InitialDirContext initialDirContext = new InitialDirContext(hashtable);
            String[] strArr2 = null;
            if (strArr == null) {
                strArr2 = new String[]{"userPassword"};
            } else if (!Arrays.asList(strArr).contains("userPassword")) {
                strArr2 = new String[strArr.length + 1];
                for (int i = 0; i < strArr.length; i++) {
                    strArr2[i] = strArr[i];
                }
                strArr2[strArr.length] = "userPassword";
            }
            SearchControls searchControls = new SearchControls();
            searchControls.setSearchScope(2);
            searchControls.setReturningAttributes(strArr2);
            searchControls.setDerefLinkFlag(true);
            searchControls.setReturningObjFlag(false);
            searchControls.setTimeLimit(5000);
            NamingEnumeration search = initialDirContext.search(option3, MessageFormat.format(option4, str), searchControls);
            if (!search.hasMore()) {
                logger.warn("no valid user found.");
                return false;
            }
            SearchResult searchResult = (SearchResult) search.next();
            if (this.debug) {
                logger.debug("authenticating user: {}", searchResult.getNameInNamespace());
            }
            if (z) {
                Hashtable hashtable2 = new Hashtable();
                hashtable2.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
                hashtable2.put("java.naming.security.authentication", getOption("auth.type", true));
                hashtable2.put("java.naming.provider.url", getOption("host.url", true));
                hashtable2.put("java.naming.security.principal", searchResult.getNameInNamespace());
                hashtable2.put("java.naming.security.credentials", str2);
                try {
                    new InitialDirContext(hashtable2);
                } catch (NamingException e) {
                    logger.error("failed to authenticate user: " + searchResult.getNameInNamespace());
                    throw e;
                }
            } else {
                Attribute attribute = searchResult.getAttributes().get("userPassword");
                if (attribute == null) {
                    logger.error("unable to read userPassword attribute for: {}", searchResult.getNameInNamespace());
                    return false;
                }
                if (!passwordsMatch(str2, new String((byte[]) attribute.get()))) {
                    return false;
                }
            }
            makePrincipal(str, searchResult.getAttributes());
            return true;
        } catch (NamingException e2) {
            logger.error("Failed to bind as bindUser: {}", option);
            throw e2;
        }
    }

    private void makePrincipal(String str, Attributes attributes) throws NamingException {
        this.principal = new UserPrincipal(str);
        NamingEnumeration all = attributes.getAll();
        while (all.hasMore()) {
            Attribute attribute = (Attribute) all.next();
            NamingEnumeration all2 = attribute.getAll();
            while (all2.hasMore()) {
                Object next = all2.next();
                if (next instanceof String) {
                    Set<String> set = this.attributes.get(attribute.getID());
                    if (set == null) {
                        set = new HashSet();
                        this.attributes.put(attribute.getID(), set);
                    }
                    set.add((String) next);
                    if (this.debug) {
                        logger.debug("added to principal: {}/{}", attribute.getID(), next);
                    }
                }
            }
        }
    }

    private static boolean isEmpty(char[] cArr) {
        if (cArr.length == 0) {
            return true;
        }
        boolean z = true;
        for (char c : cArr) {
            z &= Character.isWhitespace(c);
        }
        return z;
    }

    private static boolean passwordsMatch(String str, String str2) {
        boolean equals;
        Matcher matcher = LDAP_PASSWORD_PATTERN.matcher(str2);
        if (matcher.find() && matcher.groupCount() == 2) {
            String group = matcher.group(1);
            String group2 = matcher.group(2);
            if (logger.isDebugEnabled()) {
                logger.debug("Encoding: {}, Password: {}", group, group2);
            }
            try {
                equals = new String(group2).equals(new String(Base64.encodeBytesToBytes(MessageDigest.getInstance(group.toUpperCase()).digest(str.getBytes()))));
            } catch (NoSuchAlgorithmException e) {
                logger.error("Unsupported Algorithm used: {}", group);
                logger.error(e.getMessage());
                return false;
            }
        } else {
            equals = str.equals(str2);
        }
        return equals;
    }

    private String getOption(String str, boolean z) throws Exception {
        String str2 = (String) this.options.get(str);
        if (z && (str2 == null || "".equals(str2))) {
            throw new Exception("Missing required option in JAAS Config file: " + str);
        }
        return str2;
    }
}
