package org.apache.directory.server.core.kerberos;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.directory.server.core.authn.AuthenticationInterceptor;
import org.apache.directory.server.core.authz.AciAuthorizationInterceptor;
import org.apache.directory.server.core.authz.DefaultAuthorizationInterceptor;
import org.apache.directory.server.core.collective.CollectiveAttributeInterceptor;
import org.apache.directory.server.core.entry.ClonedServerEntry;
import org.apache.directory.server.core.entry.DefaultServerAttribute;
import org.apache.directory.server.core.entry.ServerAttribute;
import org.apache.directory.server.core.entry.ServerBinaryValue;
import org.apache.directory.server.core.entry.ServerModification;
import org.apache.directory.server.core.entry.ServerStringValue;
import org.apache.directory.server.core.event.EventInterceptor;
import org.apache.directory.server.core.exception.ExceptionInterceptor;
import org.apache.directory.server.core.interceptor.BaseInterceptor;
import org.apache.directory.server.core.interceptor.NextInterceptor;
import org.apache.directory.server.core.interceptor.context.AddOperationContext;
import org.apache.directory.server.core.interceptor.context.LookupOperationContext;
import org.apache.directory.server.core.interceptor.context.ModifyOperationContext;
import org.apache.directory.server.core.normalization.NormalizationInterceptor;
import org.apache.directory.server.core.operational.OperationalAttributeInterceptor;
import org.apache.directory.server.core.referral.ReferralInterceptor;
import org.apache.directory.server.core.schema.SchemaInterceptor;
import org.apache.directory.server.core.subtree.SubentryInterceptor;
import org.apache.directory.server.core.trigger.TriggerInterceptor;
import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
import org.apache.directory.server.kerberos.shared.crypto.encryption.KerberosKeyFactory;
import org.apache.directory.server.kerberos.shared.crypto.encryption.RandomKeyFactory;
import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
import org.apache.directory.server.kerberos.shared.io.encoder.EncryptionKeyEncoder;
import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
import org.apache.directory.server.kerberos.shared.store.KerberosAttribute;
import org.apache.directory.server.schema.registries.AttributeTypeRegistry;
import org.apache.directory.server.schema.registries.Registries;
import org.apache.directory.shared.ldap.constants.SchemaConstants;
import org.apache.directory.shared.ldap.entry.EntryAttribute;
import org.apache.directory.shared.ldap.entry.Modification;
import org.apache.directory.shared.ldap.entry.ModificationOperation;
import org.apache.directory.shared.ldap.entry.Value;
import org.apache.directory.shared.ldap.exception.LdapAuthenticationException;
import org.apache.directory.shared.ldap.name.LdapDN;
import org.apache.directory.shared.ldap.util.StringTools;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.propertyeditors.CustomBooleanEditor;

/* loaded from: input_file:resources/libs/apacheds-1.5.5/apacheds-interceptor-kerberos-1.5.5.jar:org/apache/directory/server/core/kerberos/KeyDerivationInterceptor.class */
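/**
 * Interceptor that adds Kerberos key material to entries carrying both a
 * {@code userPassword} and a Kerberos principal name.
 *
 * <p>On {@code add} and {@code modify} the password and principal name are handed to
 * {@link #generateKeys(String, String)}, and the resulting keys, the principal name and a
 * key version number are written to the entry (add) or appended to the modification list
 * (modify) before the operation is passed to the next interceptor.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>This class handles cleartext passwords and derived long-term keys. Neither may be
 *       written to the log at any level; log only DNs, principal names and key version
 *       numbers.</li>
 *   <li>The internal lookup in {@link #lookupPrincipalAttributes} is issued with
 *       {@link #USERLOOKUP_BYPASS}, which names the authentication and authorization
 *       interceptors. Its result must stay internal to this class.</li>
 * </ul>
 */
public class KeyDerivationInterceptor extends BaseInterceptor {
    private static final Logger log = LoggerFactory.getLogger(KeyDerivationInterceptor.class);

    /** Name under which this interceptor is registered. */
    public static final String NAME = "keyDerivationService";

    /**
     * Class names of the interceptors passed to {@code LookupOperationContext.setByPassed}
     * for the internal principal lookup. The set includes the authentication interceptor and
     * both authorization interceptors, so the lookup is presumably not subject to the
     * caller's access control - confirm against the interceptor chain.
     */
    private static final Collection<String> USERLOOKUP_BYPASS;

    static {
        HashSet<String> bypassed = new HashSet<String>();
        bypassed.add(NormalizationInterceptor.class.getName());
        bypassed.add(AuthenticationInterceptor.class.getName());
        bypassed.add(ReferralInterceptor.class.getName());
        bypassed.add(AciAuthorizationInterceptor.class.getName());
        bypassed.add(DefaultAuthorizationInterceptor.class.getName());
        bypassed.add(ExceptionInterceptor.class.getName());
        bypassed.add(OperationalAttributeInterceptor.class.getName());
        bypassed.add(SchemaInterceptor.class.getName());
        bypassed.add(SubentryInterceptor.class.getName());
        bypassed.add(CollectiveAttributeInterceptor.class.getName());
        bypassed.add(EventInterceptor.class.getName());
        bypassed.add(TriggerInterceptor.class.getName());
        USERLOOKUP_BYPASS = Collections.unmodifiableCollection(bypassed);
    }

    /**
     * Scratch state collected while a single modify operation is inspected.
     *
     * <p>Holds the cleartext password taken from the request, so instances must not be
     * logged or retained beyond the operation. (The decompiler widened this class from
     * package-private to public; the constructor and accessors remain package-private.)
     */
    public class ModifySubContext {
        private String principalName;
        // Cleartext password from the modify request; never log this field.
        private String userPassword;
        private boolean isPrincipal = false;
        // -1 means "not determined yet"; see hasValues().
        private int newKeyVersionNumber = -1;

        ModifySubContext() {
        }

        boolean isPrincipal() {
            return this.isPrincipal;
        }

        void isPrincipal(boolean z) {
            this.isPrincipal = z;
        }

        String getPrincipalName() {
            return this.principalName;
        }

        void setPrincipalName(String str) {
            this.principalName = str;
        }

        String getUserPassword() {
            return this.userPassword;
        }

        void setUserPassword(String str) {
            this.userPassword = str;
        }

        int getNewKeyVersionNumber() {
            return this.newKeyVersionNumber;
        }

        void setNewKeyVersionNumber(int i) {
            this.newKeyVersionNumber = i;
        }

        /**
         * @return {@code true} once password, principal name and a non-negative key version
         *         number have all been set
         */
        boolean hasValues() {
            return this.userPassword != null && this.principalName != null && this.newKeyVersionNumber > -1;
        }
    }

    /**
     * Adds Kerberos keys to a new entry that carries both {@code userPassword} and a
     * principal name, then forwards the operation.
     *
     * @param nextInterceptor the next interceptor in the chain
     * @param addOperationContext the add operation; its entry is modified in place
     * @throws Exception if key generation fails or the next interceptor fails
     */
    @Override
    public void add(NextInterceptor nextInterceptor, AddOperationContext addOperationContext) throws Exception {
        LdapDN dn = addOperationContext.getDn();
        ClonedServerEntry entry = addOperationContext.getEntry();
        if (entry.get(SchemaConstants.USER_PASSWORD_AT) != null && entry.get(KerberosAttribute.KRB5_PRINCIPAL_NAME_AT) != null) {
            // The entry is deliberately not logged: it contains userPassword and, after this
            // block, the derived keys.
            log.debug("Deriving Kerberos keys for new entry with DN '{}'.", dn.getUpName());
            ServerBinaryValue passwordValue = (ServerBinaryValue) entry.get(SchemaConstants.USER_PASSWORD_AT).get();
            String password = passwordValue.getString();
            String principalName = entry.get(KerberosAttribute.KRB5_PRINCIPAL_NAME_AT).get().getString();
            log.debug("Got principal '{}'.", principalName);
            Map<EncryptionType, EncryptionKey> keys = generateKeys(principalName, password);
            entry.put(KerberosAttribute.KRB5_PRINCIPAL_NAME_AT, principalName);
            // New principals start at key version 0. The decompiled source referenced
            // Spring's CustomBooleanEditor.VALUE_0 here, which is the same string constant.
            entry.put(KerberosAttribute.KRB5_KEY_VERSION_NUMBER_AT, "0");
            entry.put(getKeyAttribute(addOperationContext.getSession().getDirectoryService().getRegistries(), keys));
            log.debug("Added Kerberos key attributes to entry with DN '{}'.", dn.getUpName());
        }
        nextInterceptor.add(addOperationContext);
    }

    /**
     * Re-derives Kerberos keys when a modify operation touches {@code userPassword} on an
     * entry that is a Kerberos principal, then forwards the operation.
     *
     * @param nextInterceptor the next interceptor in the chain
     * @param modifyOperationContext the modify operation; its modification list may be replaced
     * @throws Exception if the lookup, key generation or the next interceptor fails
     */
    @Override
    public void modify(NextInterceptor nextInterceptor, ModifyOperationContext modifyOperationContext) throws Exception {
        ModifySubContext modifySubContext = new ModifySubContext();
        detectPasswordModification(modifyOperationContext, modifySubContext);
        if (modifySubContext.getUserPassword() != null) {
            lookupPrincipalAttributes(modifyOperationContext, modifySubContext);
        }
        if (modifySubContext.isPrincipal() && modifySubContext.hasValues()) {
            deriveKeys(modifyOperationContext, modifySubContext);
        }
        nextInterceptor.modify(modifyOperationContext);
    }

    /**
     * Scans the modification items for {@code userPassword} and principal-name changes and
     * records them in {@code modifySubContext}.
     *
     * <p>NOTE(review): the operation type is used for logging only, so a REMOVE_ATTRIBUTE
     * item that carries a password value is recorded exactly like an add or replace and
     * will later drive key derivation - confirm this is intended.
     *
     * @param modifyOperationContext the modify operation being inspected
     * @param modifySubContext receives the password and principal name found
     * @throws Exception declared for callers; nothing is thrown explicitly here
     */
    void detectPasswordModification(ModifyOperationContext modifyOperationContext, ModifySubContext modifySubContext) throws Exception {
        for (Modification modification : modifyOperationContext.getModItems()) {
            ServerAttribute attribute = (ServerAttribute) modification.getAttribute();
            if (attribute.instanceOf(SchemaConstants.USER_PASSWORD_AT)) {
                Value<?> value = attribute.get();
                String password = null;
                if (value instanceof ServerStringValue) {
                    password = ((ServerStringValue) value).getString();
                } else if (value instanceof ServerBinaryValue) {
                    password = ((ServerBinaryValue) value).getString();
                }
                if (log.isDebugEnabled()) {
                    // Only the fact of the change is logged; the value itself is withheld.
                    log.debug("{} Attribute id : 'userPassword' (value withheld).", describeOperation(modification.getOperation()));
                }
                modifySubContext.setUserPassword(password);
            }
            if (attribute.instanceOf(KerberosAttribute.KRB5_PRINCIPAL_NAME_AT)) {
                modifySubContext.setPrincipalName(attribute.getString());
                log.debug("Got principal '{}'.", modifySubContext.getPrincipalName());
            }
        }
    }

    /** Maps a modification operation to the verb used in debug messages. */
    private static String describeOperation(ModificationOperation operation) {
        switch (operation) {
            case ADD_ATTRIBUTE:
                return "Adding";
            case REMOVE_ATTRIBUTE:
                return "Removing";
            case REPLACE_ATTRIBUTE:
                return "Replacing";
            default:
                return "Modifying";
        }
    }

    /**
     * Looks up the target entry and, if it has the Kerberos principal object class, records
     * its principal name (unless the request supplied one) and the next key version number.
     *
     * <p>The lookup is issued with {@link #USERLOOKUP_BYPASS}; the returned entry is used
     * only inside this method and must not be exposed to the caller.
     *
     * @param modifyOperationContext the modify operation whose DN is looked up
     * @param modifySubContext receives the principal flag, name and new key version number
     * @throws LdapAuthenticationException if the lookup returns no entry
     * @throws Exception if the lookup itself fails
     */
    void lookupPrincipalAttributes(ModifyOperationContext modifyOperationContext, ModifySubContext modifySubContext) throws Exception {
        LdapDN dn = modifyOperationContext.getDn();
        LookupOperationContext lookupContext = modifyOperationContext.newLookupContext(dn);
        lookupContext.setByPassed(USERLOOKUP_BYPASS);
        // Request only the attributes needed here; in particular no password or key attribute.
        lookupContext.setAttrsId(new String[]{SchemaConstants.OBJECT_CLASS_AT, KerberosAttribute.KRB5_PRINCIPAL_NAME_AT, KerberosAttribute.KRB5_KEY_VERSION_NUMBER_AT});
        ClonedServerEntry found = modifyOperationContext.lookup(lookupContext);
        if (found == null) {
            throw new LdapAuthenticationException("Failed to authenticate user '" + dn + "'.");
        }
        if (!found.getOriginalEntry().get(SchemaConstants.OBJECT_CLASS_AT).contains(SchemaConstants.KRB5_PRINCIPAL_OC)) {
            return;
        }
        modifySubContext.isPrincipal(true);
        log.debug("DN {} is a Kerberos principal.  Will attempt key derivation.", dn.getUpName());
        if (modifySubContext.getPrincipalName() == null) {
            String principalName = found.getOriginalEntry().get(KerberosAttribute.KRB5_PRINCIPAL_NAME_AT).getString();
            modifySubContext.setPrincipalName(principalName);
            log.debug("Found principal '{}' from lookup.", principalName);
        }
        EntryAttribute keyVersionAttribute = found.getOriginalEntry().get(KerberosAttribute.KRB5_KEY_VERSION_NUMBER_AT);
        if (keyVersionAttribute == null) {
            modifySubContext.setNewKeyVersionNumber(0);
            log.debug("Key version number was null, setting to 0.");
        } else {
            int currentVersion = Integer.parseInt(keyVersionAttribute.getString());
            int nextVersion = currentVersion + 1;
            modifySubContext.setNewKeyVersionNumber(nextVersion);
            log.debug("Found key version number '{}', setting to '{}'.", Integer.valueOf(currentVersion), Integer.valueOf(nextVersion));
        }
    }

    /**
     * Generates keys for the recorded principal and password and appends REPLACE
     * modifications for the principal name, key version number and key attribute to a copy
     * of the operation's modification list.
     *
     * @param modifyOperationContext the modify operation whose modification list is replaced
     * @param modifySubContext supplies principal name, password and new key version number
     * @throws Exception if key generation or an attribute type lookup fails
     */
    void deriveKeys(ModifyOperationContext modifyOperationContext, ModifySubContext modifySubContext) throws Exception {
        String principalName = modifySubContext.getPrincipalName();
        String userPassword = modifySubContext.getUserPassword();
        int newKeyVersionNumber = modifySubContext.getNewKeyVersionNumber();
        log.debug("Deriving keys for principal '{}'.", principalName);
        Map<EncryptionType, EncryptionKey> keys = generateKeys(principalName, userPassword);
        // Work on a copy so the list obtained from the context is not mutated in place.
        List<Modification> newModItems = new ArrayList<Modification>(modifyOperationContext.getModItems());
        Registries registries = modifyOperationContext.getSession().getDirectoryService().getRegistries();
        AttributeTypeRegistry attributeTypeRegistry = registries.getAttributeTypeRegistry();
        newModItems.add(new ServerModification(ModificationOperation.REPLACE_ATTRIBUTE, new DefaultServerAttribute(KerberosAttribute.KRB5_PRINCIPAL_NAME_AT, attributeTypeRegistry.lookup(KerberosAttribute.KRB5_PRINCIPAL_NAME_AT), principalName)));
        newModItems.add(new ServerModification(ModificationOperation.REPLACE_ATTRIBUTE, new DefaultServerAttribute(KerberosAttribute.KRB5_KEY_VERSION_NUMBER_AT, attributeTypeRegistry.lookup(KerberosAttribute.KRB5_KEY_VERSION_NUMBER_AT), Integer.toString(newKeyVersionNumber))));
        newModItems.add(new ServerModification(ModificationOperation.REPLACE_ATTRIBUTE, getKeyAttribute(registries, keys)));
        modifyOperationContext.setModItems(newModItems);
    }

    /**
     * Builds the key attribute holding one encoded value per generated key.
     *
     * <p>NOTE(review): a key that fails to encode is logged and skipped, so the attribute
     * can end up with fewer values than there are encryption types - confirm that a
     * partially keyed principal is acceptable rather than failing the operation.
     *
     * @param registries source of the attribute type for the key attribute
     * @param map generated keys by encryption type
     * @return the populated key attribute
     * @throws Exception if the attribute type lookup fails
     */
    private ServerAttribute getKeyAttribute(Registries registries, Map<EncryptionType, EncryptionKey> map) throws Exception {
        DefaultServerAttribute keyAttribute = new DefaultServerAttribute(KerberosAttribute.KRB5_KEY_AT, registries.getAttributeTypeRegistry().lookup(KerberosAttribute.KRB5_KEY_AT));
        for (EncryptionKey key : map.values()) {
            try {
                // Explicit one-element array for the byte[]... overload; the decompiler
                // emitted an invalid cast at this call.
                keyAttribute.add(new byte[][] {EncryptionKeyEncoder.encode(key)});
            } catch (IOException e) {
                log.error("Error encoding EncryptionKey.", e);
            }
        }
        return keyAttribute;
    }

    /**
     * Produces the keys for a principal.
     *
     * <p>A password equal to {@code "randomKey"} (case-insensitive) is a sentinel that
     * selects {@code RandomKeyFactory.getRandomKeys()}; any other value is passed with the
     * principal name to {@code KerberosKeyFactory.getKerberosKeys}. This class does not
     * alter the {@code userPassword} attribute itself, so the sentinel string is what is
     * passed on to the next interceptor - confirm that is acceptable for such accounts.
     *
     * <p>A failure in random key generation is propagated. Previously it was logged at
     * debug level and {@code null} was returned, which surfaced later as a
     * {@code NullPointerException} in {@link #getKeyAttribute}.
     *
     * @param str the principal name
     * @param str2 the cleartext password or the {@code "randomKey"} sentinel
     * @return generated keys by encryption type
     * @throws KerberosException if random key generation fails
     */
    private Map<EncryptionType, EncryptionKey> generateKeys(String str, String str2) throws KerberosException {
        if (str2.equalsIgnoreCase("randomKey")) {
            return RandomKeyFactory.getRandomKeys();
        }
        return KerberosKeyFactory.getKerberosKeys(str, str2);
    }
}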
