package org.apache.directory.server.ldap.handlers;

import java.util.HashMap;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.naming.Name;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.spi.InitialContextFactory;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.apache.directory.server.constants.ServerDNConstants;
import org.apache.directory.server.core.DirectoryService;
import org.apache.directory.server.core.authn.LdapPrincipal;
import org.apache.directory.server.core.jndi.ServerLdapContext;
import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
import org.apache.directory.server.kerberos.shared.store.operations.GetPrincipal;
import org.apache.directory.server.ldap.LdapServer;
import org.apache.directory.server.ldap.SessionRegistry;
import org.apache.directory.server.ldap.handlers.bind.MechanismHandler;
import org.apache.directory.server.ldap.handlers.bind.SaslConstants;
import org.apache.directory.server.ldap.handlers.bind.SaslFilter;
import org.apache.directory.server.protocol.shared.ServiceConfigurationException;
import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
import org.apache.directory.shared.ldap.constants.JndiPropertyConstants;
import org.apache.directory.shared.ldap.constants.SupportedSaslMechanisms;
import org.apache.directory.shared.ldap.exception.LdapException;
import org.apache.directory.shared.ldap.message.BindRequest;
import org.apache.directory.shared.ldap.message.BindResponse;
import org.apache.directory.shared.ldap.message.LdapResult;
import org.apache.directory.shared.ldap.message.MutableControl;
import org.apache.directory.shared.ldap.message.ResultCodeEnum;
import org.apache.directory.shared.ldap.name.LdapDN;
import org.apache.directory.shared.ldap.util.ExceptionUtils;
import org.apache.mina.common.IoFilterChain;
import org.apache.mina.common.IoSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:resources/libs/apacheds-1.5.3/apacheds-protocol-ldap-1.5.3.jar:org/apache/directory/server/ldap/handlers/DefaultBindHandler.class */
public class DefaultBindHandler extends BindHandler {
    private static final Logger LOG = LoggerFactory.getLogger(BindHandler.class);
    private static final MutableControl[] EMPTY_CONTROL = new MutableControl[0];
    private SessionRegistry registry = null;
    private Map<String, MechanismHandler> handlers = null;
    private DirContext ctx = null;

    @Override // org.apache.directory.server.ldap.handlers.BindHandler
    public void setSaslMechanismHandlers(Map<String, MechanismHandler> map) {
        this.handlers = map;
    }

    public void setSessionRegistry(SessionRegistry sessionRegistry) {
        this.registry = sessionRegistry;
    }

    public void setDirectoryService(DirectoryService directoryService) {
    }

    private Hashtable<String, Object> getEnvironment(BindRequest bindRequest, String str) {
        LdapDN name = bindRequest.getName();
        byte[] credentials = bindRequest.getCredentials();
        if (LOG.isDebugEnabled()) {
            LOG.debug("{} {}", JndiPropertyConstants.JNDI_SECURITY_PRINCIPAL, name);
            LOG.debug("{} {}", JndiPropertyConstants.JNDI_SECURITY_CREDENTIALS, credentials);
            LOG.debug("{} {}", JndiPropertyConstants.JNDI_SECURITY_AUTHENTICATION, str);
        }
        Hashtable<String, Object> environmentByCopy = getSessionRegistry().getEnvironmentByCopy();
        environmentByCopy.put(JndiPropertyConstants.JNDI_SECURITY_PRINCIPAL, name);
        if (credentials != null) {
            environmentByCopy.put(JndiPropertyConstants.JNDI_SECURITY_CREDENTIALS, credentials);
        }
        environmentByCopy.put(JndiPropertyConstants.JNDI_SECURITY_AUTHENTICATION, str);
        if (bindRequest.getControls().containsKey("2.16.840.1.113730.3.4.2")) {
            environmentByCopy.put(JndiPropertyConstants.JNDI_REFERRAL, "ignore");
        } else {
            environmentByCopy.put(JndiPropertyConstants.JNDI_REFERRAL, "throw");
        }
        return environmentByCopy;
    }

    private LdapContext getLdapContext(IoSession ioSession, BindRequest bindRequest, Hashtable<String, Object> hashtable) {
        ResultCodeEnum bestEstimate;
        LdapContext ldapContext;
        LdapResult ldapResult = bindRequest.getResultResponse().getLdapResult();
        try {
            if (hashtable.containsKey("server.use.factory.instance")) {
                InitialContextFactory initialContextFactory = (InitialContextFactory) hashtable.get("server.use.factory.instance");
                if (initialContextFactory == null) {
                    LOG.error("The property 'server.use.factory.instance'  was set in env but was null");
                    throw new NullPointerException("server.use.factory.instance was set in env but was null");
                }
                ldapContext = initialContextFactory.getInitialContext(hashtable);
            } else {
                ldapContext = new InitialLdapContext(hashtable, (MutableControl[]) bindRequest.getControls().values().toArray(EMPTY_CONTROL));
            }
        } catch (NamingException e) {
            if (e instanceof LdapException) {
                bestEstimate = ((LdapException) e).getResultCode();
                ldapResult.setResultCode(bestEstimate);
            } else {
                bestEstimate = ResultCodeEnum.getBestEstimate(e, bindRequest.getType());
                ldapResult.setResultCode(bestEstimate);
            }
            String str = "Bind failed: " + e.getMessage();
            if (LOG.isDebugEnabled()) {
                str = (str + ":\n" + ExceptionUtils.getStackTrace(e)) + "\n\nBindRequest = \n" + bindRequest.toString();
                LOG.debug(str);
            }
            if (e.getResolvedName() != null && (bestEstimate == ResultCodeEnum.NO_SUCH_OBJECT || bestEstimate == ResultCodeEnum.ALIAS_PROBLEM || bestEstimate == ResultCodeEnum.INVALID_DN_SYNTAX || bestEstimate == ResultCodeEnum.ALIAS_DEREFERENCING_PROBLEM)) {
                ldapResult.setMatchedDn((LdapDN) e.getResolvedName());
            }
            ldapResult.setErrorMessage(str);
            ioSession.write(bindRequest.getResultResponse());
            ldapContext = null;
        }
        return ldapContext;
    }

    /* JADX WARN: Multi-variable type inference failed */
    private void handleSimpleAuth(IoSession ioSession, BindRequest bindRequest) throws NamingException {
        LdapResult ldapResult = bindRequest.getResultResponse().getLdapResult();
        LdapContext ldapContext = getLdapContext(ioSession, bindRequest, getEnvironment(bindRequest, AuthenticationLevel.SIMPLE.toString()));
        if (ldapContext != null) {
            ServerLdapContext serverLdapContext = (ServerLdapContext) ldapContext.lookup("");
            setRequestControls(serverLdapContext, bindRequest);
            getSessionRegistry().setLdapContext(ioSession, serverLdapContext);
            ldapResult.setResultCode(ResultCodeEnum.SUCCESS);
            BindResponse bindResponse = (BindResponse) bindRequest.getResultResponse();
            bindResponse.addAll(serverLdapContext.getResponseControls());
            ioSession.write(bindResponse);
            LOG.debug("Returned SUCCESS message.");
        }
    }

    public void handleSaslAuth(IoSession ioSession, Object obj) throws Exception {
        LdapServer ldapServer = (LdapServer) ioSession.getAttribute(LdapServer.class.toString());
        HashMap hashMap = new HashMap();
        hashMap.put(JndiPropertyConstants.JNDI_SASL_QOP, ldapServer.getSaslQopString());
        hashMap.put("com.sun.security.sasl.digest.realm", getActiveRealms(ldapServer));
        ioSession.setAttribute(SaslConstants.SASL_PROPS, hashMap);
        ioSession.setAttribute("saslHost", ldapServer.getSaslHost());
        ioSession.setAttribute("baseDn", ldapServer.getSearchBaseDn());
        Set<String> supportedMechanisms = ldapServer.getSupportedMechanisms();
        if (supportedMechanisms.contains(SupportedSaslMechanisms.GSSAPI)) {
            try {
                ioSession.setAttribute("saslSubject", getSubject(ldapServer));
            } catch (ServiceConfigurationException e) {
                supportedMechanisms.remove(SupportedSaslMechanisms.GSSAPI);
                LOG.warn(e.getMessage());
            }
        }
        BindRequest bindRequest = (BindRequest) obj;
        if (ldapServer.getSupportedMechanisms().contains(bindRequest.getSaslMechanism())) {
            handleSasl(ioSession, bindRequest);
            return;
        }
        LOG.error("Bind error : {} mechanism not supported. Please check the server.xml configuration file (supportedMechanisms field)", bindRequest.getSaslMechanism());
        LdapResult ldapResult = bindRequest.getResultResponse().getLdapResult();
        ldapResult.setResultCode(ResultCodeEnum.AUTH_METHOD_NOT_SUPPORTED);
        ldapResult.setErrorMessage(bindRequest.getSaslMechanism() + " is not a supported mechanism.");
        ioSession.write(bindRequest.getResultResponse());
    }

    public void handleSasl(IoSession ioSession, BindRequest bindRequest) throws Exception {
        String saslMechanism = bindRequest.getSaslMechanism();
        if (saslMechanism.equals(SupportedSaslMechanisms.PLAIN)) {
            ioSession.setAttribute(JndiPropertyConstants.JNDI_SECURITY_PRINCIPAL, bindRequest.getName());
            ioSession.setAttribute(JndiPropertyConstants.JNDI_SECURITY_CREDENTIALS, bindRequest.getCredentials());
            getLdapContext(ioSession, bindRequest);
            return;
        }
        MechanismHandler mechanismHandler = this.handlers.get(saslMechanism);
        if (mechanismHandler == null) {
            LOG.error("Handler unavailable for " + saslMechanism);
            throw new IllegalArgumentException("Handler unavailable for " + saslMechanism);
        }
        SaslServer handleMechanism = mechanismHandler.handleMechanism(ioSession, bindRequest);
        LdapResult ldapResult = bindRequest.getResultResponse().getLdapResult();
        if (handleMechanism.isComplete()) {
            return;
        }
        try {
            if (bindRequest.getCredentials() == null) {
                bindRequest.setCredentials(new byte[0]);
            }
            byte[] evaluateResponse = handleMechanism.evaluateResponse(bindRequest.getCredentials());
            if (handleMechanism.isComplete()) {
                if (evaluateResponse != null) {
                    ioSession.setAttribute(SaslConstants.SASL_CREDS, evaluateResponse);
                }
                getLdapContext(ioSession, bindRequest);
            } else {
                LOG.info("Continuation token had length " + evaluateResponse.length);
                ldapResult.setResultCode(ResultCodeEnum.SASL_BIND_IN_PROGRESS);
                BindResponse bindResponse = (BindResponse) bindRequest.getResultResponse();
                bindResponse.setServerSaslCreds(evaluateResponse);
                ioSession.write(bindResponse);
                LOG.debug("Returning final authentication data to client to complete context.");
            }
        } catch (SaslException e) {
            LOG.error(e.getMessage());
            ldapResult.setResultCode(ResultCodeEnum.INVALID_CREDENTIALS);
            ldapResult.setErrorMessage(e.getMessage());
            ioSession.write(bindRequest.getResultResponse());
        }
    }

    private String getActiveRealms(LdapServer ldapServer) {
        StringBuilder sb = new StringBuilder();
        boolean z = true;
        for (String str : ldapServer.getSaslRealms()) {
            if (z) {
                z = false;
            } else {
                sb.append(' ');
            }
            sb.append(str);
        }
        return sb.toString();
    }

    private Subject getSubject(LdapServer ldapServer) {
        String saslPrincipal = ldapServer.getSaslPrincipal();
        KerberosPrincipal kerberosPrincipal = new KerberosPrincipal(saslPrincipal);
        try {
            PrincipalStoreEntry findPrincipal = findPrincipal(ldapServer, new GetPrincipal(kerberosPrincipal));
            if (findPrincipal == null) {
                throw new ServiceConfigurationException("Service principal " + saslPrincipal + " not found at search base DN " + ldapServer.getSearchBaseDn() + ".");
            }
            Subject subject = new Subject();
            Iterator<EncryptionType> it = findPrincipal.getKeyMap().keySet().iterator();
            while (it.hasNext()) {
                EncryptionKey encryptionKey = findPrincipal.getKeyMap().get(it.next());
                subject.getPrivateCredentials().add(new KerberosKey(kerberosPrincipal, encryptionKey.getKeyValue(), encryptionKey.getKeyType().getOrdinal(), encryptionKey.getKeyVersion()));
            }
            return subject;
        } catch (ServiceConfigurationException e) {
            throw new ServiceConfigurationException("Service principal " + saslPrincipal + " not found at search base DN " + ldapServer.getSearchBaseDn() + ".", e);
        }
    }

    private PrincipalStoreEntry findPrincipal(LdapServer ldapServer, GetPrincipal getPrincipal) {
        if (this.ctx == null) {
            try {
                LdapDN ldapDN = new LdapDN(ServerDNConstants.ADMIN_SYSTEM_DN);
                ldapDN.normalize(ldapServer.getDirectoryService().getRegistries().getAttributeTypeRegistry().getNormalizerMapping());
                this.ctx = ldapServer.getDirectoryService().getJndiContext(new LdapPrincipal(ldapDN, AuthenticationLevel.SIMPLE), ldapServer.getSearchBaseDn());
            } catch (NamingException e) {
                throw new ServiceConfigurationException("Failed to get initial context " + ldapServer.getSearchBaseDn(), e);
            }
        }
        return (PrincipalStoreEntry) getPrincipal.execute(this.ctx, (Name) null);
    }

    private Hashtable<String, Object> getEnvironment(IoSession ioSession, BindRequest bindRequest) {
        Object attribute = ioSession.getAttribute(JndiPropertyConstants.JNDI_SECURITY_PRINCIPAL);
        Object attribute2 = ioSession.getAttribute(JndiPropertyConstants.JNDI_SECURITY_CREDENTIALS);
        String authenticationLevel = getAuthenticationLevel(bindRequest.getSaslMechanism());
        LOG.debug("{} {}", JndiPropertyConstants.JNDI_SECURITY_PRINCIPAL, attribute);
        LOG.debug("{} {}", JndiPropertyConstants.JNDI_SECURITY_CREDENTIALS, attribute2);
        LOG.debug("{} {}", JndiPropertyConstants.JNDI_SECURITY_AUTHENTICATION, authenticationLevel);
        Hashtable<String, Object> environmentByCopy = this.registry.getEnvironmentByCopy();
        environmentByCopy.put(JndiPropertyConstants.JNDI_SECURITY_PRINCIPAL, attribute);
        if (attribute2 != null) {
            environmentByCopy.put(JndiPropertyConstants.JNDI_SECURITY_CREDENTIALS, attribute2);
        }
        environmentByCopy.put(JndiPropertyConstants.JNDI_SECURITY_AUTHENTICATION, authenticationLevel);
        if (bindRequest.getControls().containsKey("2.16.840.1.113730.3.4.2")) {
            environmentByCopy.put(JndiPropertyConstants.JNDI_REFERRAL, "ignore");
        } else {
            environmentByCopy.put(JndiPropertyConstants.JNDI_REFERRAL, "throw");
        }
        return environmentByCopy;
    }

    private void getLdapContext(IoSession ioSession, BindRequest bindRequest) {
        ResultCodeEnum bestEstimate;
        Hashtable<String, Object> environment = getEnvironment(ioSession, bindRequest);
        LdapResult ldapResult = bindRequest.getResultResponse().getLdapResult();
        try {
            LdapContext initialLdapContext = new InitialLdapContext(environment, (MutableControl[]) bindRequest.getControls().values().toArray(EMPTY_CONTROL));
            this.registry.setLdapContext(ioSession, initialLdapContext);
            bindRequest.getResultResponse().addAll(initialLdapContext.getResponseControls());
            returnSuccess(ioSession, bindRequest);
        } catch (NamingException e) {
            if (e instanceof LdapException) {
                bestEstimate = ((LdapException) e).getResultCode();
                ldapResult.setResultCode(bestEstimate);
            } else {
                bestEstimate = ResultCodeEnum.getBestEstimate(e, bindRequest.getType());
                ldapResult.setResultCode(bestEstimate);
            }
            String str = "Bind failed: " + e.getMessage();
            if (LOG.isDebugEnabled()) {
                str = (str + ":\n" + ExceptionUtils.getStackTrace(e)) + "\n\nBindRequest = \n" + bindRequest.toString();
            }
            if (e.getResolvedName() != null && (bestEstimate == ResultCodeEnum.NO_SUCH_OBJECT || bestEstimate == ResultCodeEnum.ALIAS_PROBLEM || bestEstimate == ResultCodeEnum.INVALID_DN_SYNTAX || bestEstimate == ResultCodeEnum.ALIAS_DEREFERENCING_PROBLEM)) {
                ldapResult.setMatchedDn((LdapDN) e.getResolvedName());
            }
            ldapResult.setErrorMessage(str);
            ioSession.write(bindRequest.getResultResponse());
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r3v0, types: [org.apache.mina.common.IoFilter, org.apache.directory.server.ldap.handlers.bind.SaslFilter] */
    private void returnSuccess(IoSession ioSession, BindRequest bindRequest) {
        LdapResult ldapResult = bindRequest.getResultResponse().getLdapResult();
        byte[] bArr = (byte[]) ioSession.getAttribute(SaslConstants.SASL_CREDS);
        ldapResult.setResultCode(ResultCodeEnum.SUCCESS);
        BindResponse bindResponse = (BindResponse) bindRequest.getResultResponse();
        bindResponse.setServerSaslCreds(bArr);
        String saslMechanism = bindRequest.getSaslMechanism();
        if (saslMechanism.equals(SupportedSaslMechanisms.DIGEST_MD5) || saslMechanism.equals(SupportedSaslMechanisms.GSSAPI)) {
            LOG.debug("Inserting SaslFilter to engage negotiated security layer.");
            IoFilterChain filterChain = ioSession.getFilterChain();
            if (!filterChain.contains("SASL")) {
                filterChain.addBefore("codec", "SASL", new SaslFilter((SaslServer) ioSession.getAttribute("saslContext")));
            }
            ioSession.setAttribute(SaslFilter.DISABLE_SECURITY_LAYER_ONCE, Boolean.TRUE);
        }
        ioSession.write(bindResponse);
        LOG.debug("Returned SUCCESS message.");
    }

    private String getAuthenticationLevel(String str) {
        return str.equals(SupportedSaslMechanisms.PLAIN) ? AuthenticationLevel.SIMPLE.toString() : AuthenticationLevel.STRONG.toString();
    }

    protected void bindMessageReceived(IoSession ioSession, BindRequest bindRequest) throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug("User {} is binding", bindRequest.getName());
            if (bindRequest.isSimple()) {
                LOG.debug("Using simple authentication.");
            } else {
                LOG.debug("Using SASL authentication with mechanism:  {}", bindRequest.getSaslMechanism());
            }
        }
        if (!isConfidentialityRequirementSatisfied(ioSession)) {
            LdapResult ldapResult = bindRequest.getResultResponse().getLdapResult();
            ldapResult.setResultCode(ResultCodeEnum.CONFIDENTIALITY_REQUIRED);
            ldapResult.setErrorMessage("Confidentiality (TLS secured connection) is required.");
            ioSession.write(bindRequest.getResultResponse());
            return;
        }
        if (bindRequest.getVersion3()) {
            if (bindRequest.isSimple()) {
                handleSimpleAuth(ioSession, bindRequest);
                return;
            } else {
                handleSaslAuth(ioSession, bindRequest);
                return;
            }
        }
        LOG.error("Bind error : Only LDAP v3 is supported.");
        LdapResult ldapResult2 = bindRequest.getResultResponse().getLdapResult();
        ldapResult2.setResultCode(ResultCodeEnum.PROTOCOL_ERROR);
        ldapResult2.setErrorMessage("Only LDAP v3 is supported.");
        ioSession.write(bindRequest.getResultResponse());
    }
}
