package org.apache.directory.server.ldap.handlers;

import java.util.Iterator;
import java.util.Map;
import javax.naming.Name;
import javax.naming.NameNotFoundException;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.apache.directory.server.core.DirectoryService;
import org.apache.directory.server.core.authn.LdapPrincipal;
import org.apache.directory.server.core.entry.ClonedServerEntry;
import org.apache.directory.server.core.interceptor.context.BindOperationContext;
import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
import org.apache.directory.server.kerberos.shared.store.operations.GetPrincipal;
import org.apache.directory.server.ldap.LdapProtocolUtils;
import org.apache.directory.server.ldap.LdapService;
import org.apache.directory.server.ldap.LdapSession;
import org.apache.directory.server.ldap.handlers.bind.MechanismHandler;
import org.apache.directory.server.ldap.handlers.bind.SaslConstants;
import org.apache.directory.server.protocol.shared.ServiceConfigurationException;
import org.apache.directory.shared.ldap.constants.SchemaConstants;
import org.apache.directory.shared.ldap.exception.LdapAuthenticationException;
import org.apache.directory.shared.ldap.exception.LdapException;
import org.apache.directory.shared.ldap.message.BindRequest;
import org.apache.directory.shared.ldap.message.BindResponse;
import org.apache.directory.shared.ldap.message.LdapResult;
import org.apache.directory.shared.ldap.message.ResultCodeEnum;
import org.apache.directory.shared.ldap.name.LdapDN;
import org.apache.directory.shared.ldap.util.ExceptionUtils;
import org.apache.directory.shared.ldap.util.StringTools;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  input_file:resources/libs/apacheds-1.5.3/apacheds-protocol-ldap-1.5.3.jar:org/apache/directory/server/ldap/handlers/BindHandler.class
 */
/* loaded from: input_file:resources/libs/apacheds-1.5.4/apacheds-protocol-ldap-1.5.4.jar:org/apache/directory/server/ldap/handlers/BindHandler.class */
public class BindHandler extends LdapRequestHandler<BindRequest> {
    private static final Logger LOG = LoggerFactory.getLogger(BindHandler.class);
    private Map<String, MechanismHandler> handlers;

    public void setSaslMechanismHandlers(Map<String, MechanismHandler> map) {
        this.handlers = map;
    }

    /* JADX WARN: Multi-variable type inference failed */
    public void handleSimpleAuth(LdapSession ldapSession, BindRequest bindRequest) throws Exception {
        ResultCodeEnum bestEstimate;
        if (!ldapSession.isAnonymous()) {
            ldapSession.getCoreSession().unbind();
            ldapSession.setAnonymous();
        }
        BindOperationContext bindOperationContext = new BindOperationContext(null);
        bindOperationContext.setDn(bindRequest.getName());
        bindOperationContext.setCredentials(bindRequest.getCredentials());
        LdapProtocolUtils.setRequestControls(bindOperationContext, bindRequest);
        ClonedServerEntry clonedServerEntry = null;
        try {
            try {
                clonedServerEntry = getLdapServer().getDirectoryService().getAdminSession().lookup(bindRequest.getName());
            } catch (Exception e) {
                LdapResult ldapResult = bindRequest.getResultResponse().getLdapResult();
                if (e instanceof LdapException) {
                    bestEstimate = ((LdapException) e).getResultCode();
                    ldapResult.setResultCode(bestEstimate);
                } else {
                    bestEstimate = ResultCodeEnum.getBestEstimate(e, bindRequest.getType());
                    ldapResult.setResultCode(bestEstimate);
                }
                String str = bestEstimate.toString() + ": Bind failed: " + e.getMessage();
                if (LOG.isDebugEnabled()) {
                    str = (str + ":\n" + ExceptionUtils.getStackTrace(e)) + "\n\nBindRequest = \n" + bindRequest.toString();
                }
                Name name = null;
                if (e instanceof LdapAuthenticationException) {
                    name = ((LdapAuthenticationException) e).getResolvedName();
                }
                if (name != null && (bestEstimate == ResultCodeEnum.NO_SUCH_OBJECT || bestEstimate == ResultCodeEnum.ALIAS_PROBLEM || bestEstimate == ResultCodeEnum.INVALID_DN_SYNTAX || bestEstimate == ResultCodeEnum.ALIAS_DEREFERENCING_PROBLEM)) {
                    ldapResult.setMatchedDn(new LdapDN(name));
                }
                ldapResult.setErrorMessage(str);
                ldapSession.getIoSession().write(bindRequest.getResultResponse());
                return;
            }
        } catch (NameNotFoundException e2) {
        }
        if (clonedServerEntry == null || clonedServerEntry.getOriginalEntry().contains(SchemaConstants.OBJECT_CLASS_AT, SchemaConstants.REFERRAL_OC)) {
            LdapResult ldapResult2 = bindRequest.getResultResponse().getLdapResult();
            ldapResult2.setErrorMessage("Bind principalDn points to referral.");
            ldapResult2.setResultCode(ResultCodeEnum.INVALID_CREDENTIALS);
            ldapSession.getIoSession().write(bindRequest.getResultResponse());
            return;
        }
        getLdapServer().getDirectoryService().getOperationManager().bind(bindOperationContext);
        ldapSession.setCoreSession(bindOperationContext.getSession());
        if (!ldapSession.getCoreSession().isAnonymous()) {
            ldapSession.setAuthenticated();
        }
        sendBindSuccess(ldapSession, bindRequest, null);
    }

    private boolean checkMechanism(LdapSession ldapSession, String str) throws Exception {
        if (this.ldapService.getSupportedMechanisms().contains(str)) {
            return true;
        }
        LOG.error("Bind error : {} mechanism not supported. Please check the server.xml configuration file (supportedMechanisms field)", str);
        return false;
    }

    private void generateSaslChallenge(LdapSession ldapSession, SaslServer saslServer, BindRequest bindRequest) {
        LdapResult ldapResult = bindRequest.getResultResponse().getLdapResult();
        if (bindRequest.getCredentials() == null) {
            bindRequest.setCredentials(StringTools.EMPTY_BYTES);
        }
        try {
            byte[] evaluateResponse = saslServer.evaluateResponse(bindRequest.getCredentials());
            if (saslServer.isComplete()) {
                if (evaluateResponse != null) {
                    ldapSession.putSaslProperty(SaslConstants.SASL_CREDS, evaluateResponse);
                }
                sendBindSuccess(ldapSession, bindRequest, evaluateResponse);
            } else {
                LOG.info("Continuation token had length " + evaluateResponse.length);
                ldapResult.setResultCode(ResultCodeEnum.SASL_BIND_IN_PROGRESS);
                BindResponse bindResponse = (BindResponse) bindRequest.getResultResponse();
                bindResponse.setServerSaslCreds(evaluateResponse);
                ldapSession.setAuthPending();
                ldapSession.getIoSession().write(bindResponse);
                LOG.debug("Returning final authentication data to client to complete context.");
            }
        } catch (SaslException e) {
            LOG.error(e.getMessage());
            ldapResult.setResultCode(ResultCodeEnum.INVALID_CREDENTIALS);
            ldapResult.setErrorMessage(ResultCodeEnum.INVALID_CREDENTIALS.toString() + ": " + e.getMessage());
            ldapSession.clearSaslProperties();
            ldapSession.setAnonymous();
            ldapSession.getIoSession().write(bindRequest.getResultResponse());
        }
    }

    private void sendAuthMethNotSupported(LdapSession ldapSession, BindRequest bindRequest) {
        ldapSession.clearSaslProperties();
        ldapSession.setAnonymous();
        LdapResult ldapResult = bindRequest.getResultResponse().getLdapResult();
        ldapResult.setResultCode(ResultCodeEnum.AUTH_METHOD_NOT_SUPPORTED);
        ldapResult.setErrorMessage(ResultCodeEnum.AUTH_METHOD_NOT_SUPPORTED.toString() + ": " + bindRequest.getSaslMechanism() + " is not a supported mechanism.");
        ldapSession.getIoSession().write(bindRequest.getResultResponse());
    }

    private void sendInvalidCredentials(LdapSession ldapSession, BindRequest bindRequest, Exception exc) {
        LdapResult ldapResult = bindRequest.getResultResponse().getLdapResult();
        String resultCodeEnum = exc != null ? ResultCodeEnum.INVALID_CREDENTIALS + ": " + exc.getMessage() : ResultCodeEnum.INVALID_CREDENTIALS.toString();
        LOG.error(resultCodeEnum);
        ldapResult.setResultCode(ResultCodeEnum.INVALID_CREDENTIALS);
        ldapResult.setErrorMessage(resultCodeEnum);
        ldapSession.clearSaslProperties();
        ldapSession.setAnonymous();
        ldapSession.getIoSession().write(bindRequest.getResultResponse());
    }

    private void sendBindSuccess(LdapSession ldapSession, BindRequest bindRequest, byte[] bArr) {
        BindResponse bindResponse = (BindResponse) bindRequest.getResultResponse();
        bindResponse.getLdapResult().setResultCode(ResultCodeEnum.SUCCESS);
        bindResponse.setServerSaslCreds(bArr);
        if (ldapSession.getCoreSession().isAnonymous()) {
            ldapSession.setAnonymous();
        } else {
            ldapSession.setAuthenticated();
        }
        MechanismHandler mechanismHandler = (MechanismHandler) ldapSession.getSaslProperty(SaslConstants.SASL_MECH_HANDLER);
        if (mechanismHandler != null) {
            mechanismHandler.cleanup(ldapSession);
        }
        ldapSession.getIoSession().write(bindResponse);
        LOG.debug("Returned SUCCESS message: {}.", bindResponse);
    }

    private void handleSaslAuthPending(LdapSession ldapSession, BindRequest bindRequest, DirectoryService directoryService) throws Exception {
        String saslMechanism = bindRequest.getSaslMechanism();
        if (StringTools.isEmpty(saslMechanism) || !ldapSession.getSaslProperty(SaslConstants.SASL_MECH).equals(saslMechanism)) {
            sendAuthMethNotSupported(ldapSession, bindRequest);
            return;
        }
        MechanismHandler mechanismHandler = this.handlers.get(saslMechanism);
        if (mechanismHandler == null) {
            String str = "Handler unavailable for " + saslMechanism;
            ldapSession.clearSaslProperties();
            ldapSession.setAnonymous();
            LOG.error(str);
            throw new IllegalArgumentException(str);
        }
        SaslServer handleMechanism = mechanismHandler.handleMechanism(ldapSession, bindRequest);
        if (bindRequest.getCredentials() == null) {
            bindRequest.setCredentials(StringTools.EMPTY_BYTES);
        }
        byte[] evaluateResponse = handleMechanism.evaluateResponse(bindRequest.getCredentials());
        if (handleMechanism.isComplete()) {
            if (evaluateResponse != null) {
                ldapSession.putSaslProperty(SaslConstants.SASL_CREDS, evaluateResponse);
            }
            try {
                LdapPrincipal ldapPrincipal = (LdapPrincipal) ldapSession.getSaslProperty(SaslConstants.SASL_AUTHENT_USER);
                ldapSession.setCoreSession(directoryService.getSession(ldapPrincipal.getJndiName(), ldapPrincipal.getUserPassword(), saslMechanism, null));
                ldapSession.setAuthenticated();
                ((MechanismHandler) ldapSession.getSaslProperty(SaslConstants.SASL_MECH_HANDLER)).cleanup(ldapSession);
                sendBindSuccess(ldapSession, bindRequest, evaluateResponse);
            } catch (Exception e) {
                LOG.error("Exception encountered while processing Sasl BindRequest", (Throwable) e);
            }
        }
    }

    public void handleSaslAuth(LdapSession ldapSession, BindRequest bindRequest) throws Exception {
        String saslMechanism = bindRequest.getSaslMechanism();
        DirectoryService directoryService = getLdapServer().getDirectoryService();
        if (ldapSession.isAuthenticated()) {
            ldapSession.getCoreSession().unbind();
            ldapSession.setAnonymous();
            ldapSession.clearSaslProperties();
        }
        if (!ldapSession.isAnonymous()) {
            if (ldapSession.isAuthPending()) {
                try {
                    handleSaslAuthPending(ldapSession, bindRequest, directoryService);
                    return;
                } catch (SaslException e) {
                    sendInvalidCredentials(ldapSession, bindRequest, e);
                    return;
                }
            }
            return;
        }
        if (StringTools.isEmpty(saslMechanism)) {
            return;
        }
        if (!checkMechanism(ldapSession, saslMechanism)) {
            sendAuthMethNotSupported(ldapSession, bindRequest);
            return;
        }
        ldapSession.putSaslProperty(SaslConstants.SASL_MECH, saslMechanism);
        MechanismHandler mechanismHandler = this.handlers.get(saslMechanism);
        ldapSession.putSaslProperty(SaslConstants.SASL_MECH_HANDLER, mechanismHandler);
        mechanismHandler.init(ldapSession);
        generateSaslChallenge(ldapSession, mechanismHandler.handleMechanism(ldapSession, bindRequest), bindRequest);
    }

    private String getActiveRealms(LdapService ldapService) {
        StringBuilder sb = new StringBuilder();
        boolean z = true;
        for (String str : ldapService.getSaslRealms()) {
            if (z) {
                z = false;
            } else {
                sb.append(' ');
            }
            sb.append(str);
        }
        return sb.toString();
    }

    private Subject getSubject(LdapService ldapService) throws Exception {
        String saslPrincipal = ldapService.getSaslPrincipal();
        KerberosPrincipal kerberosPrincipal = new KerberosPrincipal(saslPrincipal);
        try {
            PrincipalStoreEntry findPrincipal = findPrincipal(ldapService, new GetPrincipal(kerberosPrincipal));
            if (findPrincipal == null) {
                throw new ServiceConfigurationException("Service principal " + saslPrincipal + " not found at search base DN " + ldapService.getSearchBaseDn() + ".");
            }
            Subject subject = new Subject();
            Iterator<EncryptionType> it = findPrincipal.getKeyMap().keySet().iterator();
            while (it.hasNext()) {
                EncryptionKey encryptionKey = findPrincipal.getKeyMap().get(it.next());
                subject.getPrivateCredentials().add(new KerberosKey(kerberosPrincipal, encryptionKey.getKeyValue(), encryptionKey.getKeyType().getOrdinal(), encryptionKey.getKeyVersion()));
            }
            return subject;
        } catch (ServiceConfigurationException e) {
            throw new ServiceConfigurationException("Service principal " + saslPrincipal + " not found at search base DN " + ldapService.getSearchBaseDn() + ".", e);
        }
    }

    private PrincipalStoreEntry findPrincipal(LdapService ldapService, GetPrincipal getPrincipal) throws Exception {
        return (PrincipalStoreEntry) getPrincipal.execute(ldapService.getDirectoryService().getAdminSession(), null);
    }

    @Override // org.apache.directory.server.ldap.handlers.LdapRequestHandler
    public void handle(LdapSession ldapSession, BindRequest bindRequest) throws Exception {
        LOG.debug("Received: {}", bindRequest);
        if (bindRequest.getVersion3()) {
            if (bindRequest.isSimple()) {
                handleSimpleAuth(ldapSession, bindRequest);
                return;
            } else {
                handleSaslAuth(ldapSession, bindRequest);
                return;
            }
        }
        LOG.error("Bind error : Only LDAP v3 is supported.");
        LdapResult ldapResult = bindRequest.getResultResponse().getLdapResult();
        ldapResult.setResultCode(ResultCodeEnum.PROTOCOL_ERROR);
        ldapResult.setErrorMessage("Only LDAP v3 is supported.");
        ldapSession.getIoSession().write(bindRequest.getResultResponse());
    }
}
