package org.apache.activemq.artemis.spi.core.security.jaas;

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.NameParser;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.apache.activemq.artemis.core.server.ActiveMQServerLogger;
import org.apache.activemq.artemis.utils.PasswordMaskingUtil;
import org.jboss.logging.Logger;

/* loaded from: input_file:WEB-INF/lib/artemis-server-2.6.4.jar:org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.class */
public class LDAPLoginModule implements LoginModule {
    private static final Logger logger = Logger.getLogger((Class<?>) LDAPLoginModule.class);
    private static final String INITIAL_CONTEXT_FACTORY = "initialContextFactory";
    private static final String CONNECTION_URL = "connectionURL";
    private static final String CONNECTION_USERNAME = "connectionUsername";
    private static final String CONNECTION_PASSWORD = "connectionPassword";
    private static final String CONNECTION_PROTOCOL = "connectionProtocol";
    private static final String AUTHENTICATION = "authentication";
    private static final String USER_BASE = "userBase";
    private static final String USER_SEARCH_MATCHING = "userSearchMatching";
    private static final String USER_SEARCH_SUBTREE = "userSearchSubtree";
    private static final String ROLE_BASE = "roleBase";
    private static final String ROLE_NAME = "roleName";
    private static final String ROLE_SEARCH_MATCHING = "roleSearchMatching";
    private static final String ROLE_SEARCH_SUBTREE = "roleSearchSubtree";
    private static final String USER_ROLE_NAME = "userRoleName";
    private static final String EXPAND_ROLES = "expandRoles";
    private static final String EXPAND_ROLES_MATCHING = "expandRolesMatching";
    private static final String SASL_LOGIN_CONFIG_SCOPE = "saslLoginConfigScope";
    private static final String AUTHENTICATE_USER = "authenticateUser";
    private static final String REFERRAL = "referral";
    private static final String PASSWORD_CODEC = "passwordCodec";
    private static final String CONNECTION_POOL = "connectionPool";
    private static final String CONNECTION_TIMEOUT = "connectionTimeout";
    protected DirContext context;
    private Subject subject;
    private CallbackHandler handler;
    private LDAPLoginProperty[] config;
    private String username;
    private final Set<RolePrincipal> groups = new HashSet();
    private boolean userAuthenticated = false;
    private boolean authenticateUser = true;
    private Subject brokerGssapiIdentity = null;
    private boolean isRoleAttributeSet = false;
    private String roleAttributeName = null;
    private String codecClass = null;

    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> map, Map<String, ?> map2) {
        this.subject = subject;
        this.handler = callbackHandler;
        this.config = new LDAPLoginProperty[]{new LDAPLoginProperty("initialContextFactory", (String) map2.get("initialContextFactory")), new LDAPLoginProperty("connectionURL", (String) map2.get("connectionURL")), new LDAPLoginProperty("connectionUsername", (String) map2.get("connectionUsername")), new LDAPLoginProperty("connectionPassword", (String) map2.get("connectionPassword")), new LDAPLoginProperty("connectionProtocol", (String) map2.get("connectionProtocol")), new LDAPLoginProperty("authentication", (String) map2.get("authentication")), new LDAPLoginProperty(USER_BASE, (String) map2.get(USER_BASE)), new LDAPLoginProperty(USER_SEARCH_MATCHING, (String) map2.get(USER_SEARCH_MATCHING)), new LDAPLoginProperty(USER_SEARCH_SUBTREE, (String) map2.get(USER_SEARCH_SUBTREE)), new LDAPLoginProperty(ROLE_BASE, (String) map2.get(ROLE_BASE)), new LDAPLoginProperty(ROLE_NAME, (String) map2.get(ROLE_NAME)), new LDAPLoginProperty(ROLE_SEARCH_MATCHING, (String) map2.get(ROLE_SEARCH_MATCHING)), new LDAPLoginProperty(ROLE_SEARCH_SUBTREE, (String) map2.get(ROLE_SEARCH_SUBTREE)), new LDAPLoginProperty(USER_ROLE_NAME, (String) map2.get(USER_ROLE_NAME)), new LDAPLoginProperty(EXPAND_ROLES, (String) map2.get(EXPAND_ROLES)), new LDAPLoginProperty(EXPAND_ROLES_MATCHING, (String) map2.get(EXPAND_ROLES_MATCHING)), new LDAPLoginProperty(PASSWORD_CODEC, (String) map2.get(PASSWORD_CODEC)), new LDAPLoginProperty(SASL_LOGIN_CONFIG_SCOPE, (String) map2.get(SASL_LOGIN_CONFIG_SCOPE)), new LDAPLoginProperty(AUTHENTICATE_USER, (String) map2.get(AUTHENTICATE_USER)), new LDAPLoginProperty(REFERRAL, (String) map2.get(REFERRAL)), new LDAPLoginProperty(CONNECTION_POOL, (String) map2.get(CONNECTION_POOL)), new LDAPLoginProperty(CONNECTION_TIMEOUT, (String) map2.get(CONNECTION_TIMEOUT))};
        if (isLoginPropertySet(AUTHENTICATE_USER)) {
            this.authenticateUser = Boolean.valueOf(getLDAPPropertyValue(AUTHENTICATE_USER)).booleanValue();
        }
        this.isRoleAttributeSet = isLoginPropertySet(ROLE_NAME);
        this.roleAttributeName = getLDAPPropertyValue(ROLE_NAME);
        this.codecClass = getLDAPPropertyValue(PASSWORD_CODEC);
    }

    private String getPlainPassword(String str) {
        try {
            return PasswordMaskingUtil.resolveMask(null, str, this.codecClass);
        } catch (Exception e) {
            throw new IllegalArgumentException("Failed to decode password", e);
        }
    }

    public boolean login() throws LoginException {
        if (!this.authenticateUser) {
            return false;
        }
        NameCallback[] nameCallbackArr = {new NameCallback("User name"), new PasswordCallback("Password", false)};
        try {
            this.handler.handle(nameCallbackArr);
            String str = null;
            this.username = nameCallbackArr[0].getName();
            if (this.username == null) {
                return false;
            }
            if (((PasswordCallback) nameCallbackArr[1]).getPassword() != null) {
                str = new String(((PasswordCallback) nameCallbackArr[1]).getPassword());
            }
            if (str == null || (str != null && str.length() == 0)) {
                throw new FailedLoginException("Password cannot be null or empty");
            }
            authenticate(this.username, str);
            this.userAuthenticated = true;
            return true;
        } catch (IOException | UnsupportedCallbackException e) {
            throw ((LoginException) new LoginException().initCause(e));
        }
    }

    public boolean logout() throws LoginException {
        clear();
        return true;
    }

    public boolean commit() throws LoginException {
        boolean z = this.userAuthenticated;
        Set<UserPrincipal> principals = this.subject.getPrincipals(UserPrincipal.class);
        Set<Principal> principals2 = this.subject.getPrincipals();
        if (z) {
            principals2.add(new UserPrincipal(this.username));
        }
        for (UserPrincipal userPrincipal : principals) {
            ArrayList arrayList = new ArrayList();
            try {
                resolveRolesForDN(this.context, resolveDN(userPrincipal.getName(), arrayList), userPrincipal.getName(), arrayList);
            } catch (NamingException e) {
                closeContext();
                FailedLoginException failedLoginException = new FailedLoginException("Error contacting LDAP");
                failedLoginException.initCause(e);
                throw failedLoginException;
            }
        }
        Iterator<RolePrincipal> it = this.groups.iterator();
        while (it.hasNext()) {
            principals2.add(it.next());
        }
        clear();
        return z;
    }

    private void clear() {
        this.username = null;
        this.userAuthenticated = false;
        closeContext();
    }

    public boolean abort() throws LoginException {
        clear();
        return true;
    }

    protected void closeContext() {
        if (this.context != null) {
            try {
                this.context.close();
                this.context = null;
            } catch (Exception e) {
                ActiveMQServerLogger.LOGGER.failedToCloseContext(e);
            }
        }
    }

    protected boolean authenticate(String str, String str2) throws LoginException {
        ArrayList arrayList = new ArrayList();
        try {
            String resolveDN = resolveDN(str, arrayList);
            if (!bindUser(this.context, resolveDN, str2)) {
                throw new FailedLoginException("Password does not match for user: " + str);
            }
            resolveRolesForDN(this.context, resolveDN, str, arrayList);
            return true;
        } catch (CommunicationException e) {
            closeContext();
            FailedLoginException failedLoginException = new FailedLoginException("Error contacting LDAP");
            failedLoginException.initCause(e);
            throw failedLoginException;
        } catch (NamingException e2) {
            closeContext();
            FailedLoginException failedLoginException2 = new FailedLoginException("Error contacting LDAP");
            failedLoginException2.initCause(e2);
            throw failedLoginException2;
        }
    }

    private void resolveRolesForDN(DirContext dirContext, String str, String str2, List<String> list) throws NamingException {
        addRoles(dirContext, str, str2, list);
        if (logger.isDebugEnabled()) {
            logger.debug("Roles " + list + " for user " + str2);
        }
        Iterator<String> it = list.iterator();
        while (it.hasNext()) {
            this.groups.add(new RolePrincipal(it.next()));
        }
    }

    private String resolveDN(String str, List<String> list) throws FailedLoginException {
        String substring;
        Attribute attribute;
        if (logger.isDebugEnabled()) {
            logger.debug("Create the LDAP initial context.");
        }
        try {
            openContext();
            if (!isLoginPropertySet(USER_SEARCH_MATCHING)) {
                return null;
            }
            MessageFormat messageFormat = new MessageFormat(getLDAPPropertyValue(USER_SEARCH_MATCHING));
            boolean booleanValue = Boolean.valueOf(getLDAPPropertyValue(USER_SEARCH_SUBTREE)).booleanValue();
            try {
                String format = messageFormat.format(new String[]{doRFC2254Encoding(str)});
                SearchControls searchControls = new SearchControls();
                if (booleanValue) {
                    searchControls.setSearchScope(2);
                } else {
                    searchControls.setSearchScope(1);
                }
                ArrayList arrayList = new ArrayList();
                if (isLoginPropertySet(USER_ROLE_NAME)) {
                    arrayList.add(getLDAPPropertyValue(USER_ROLE_NAME));
                }
                String[] strArr = new String[arrayList.size()];
                arrayList.toArray(strArr);
                searchControls.setReturningAttributes(strArr);
                if (logger.isDebugEnabled()) {
                    logger.debug("Get the user DN.");
                    logger.debug("Looking for the user in LDAP with ");
                    logger.debug("  base DN: " + getLDAPPropertyValue(USER_BASE));
                    logger.debug("  filter: " + format);
                }
                try {
                    NamingEnumeration namingEnumeration = (NamingEnumeration) Subject.doAs(this.brokerGssapiIdentity, () -> {
                        return this.context.search(getLDAPPropertyValue(USER_BASE), format, searchControls);
                    });
                    if (namingEnumeration == null || !namingEnumeration.hasMore()) {
                        throw new FailedLoginException("User " + str + " not found in LDAP.");
                    }
                    SearchResult searchResult = (SearchResult) namingEnumeration.next();
                    if (namingEnumeration.hasMore()) {
                    }
                    if (searchResult.isRelative()) {
                        logger.debug("LDAP returned a relative name: " + searchResult.getName());
                        NameParser nameParser = this.context.getNameParser("");
                        substring = nameParser.parse(this.context.getNameInNamespace()).addAll(nameParser.parse(getLDAPPropertyValue(USER_BASE))).addAll(nameParser.parse(searchResult.getName())).toString();
                    } else {
                        logger.debug("LDAP returned an absolute name: " + searchResult.getName());
                        try {
                            String path = new URI(searchResult.getName()).getPath();
                            substring = path.startsWith("/") ? path.substring(1) : path;
                        } catch (URISyntaxException e) {
                            closeContext();
                            FailedLoginException failedLoginException = new FailedLoginException("Error parsing absolute name as URI.");
                            failedLoginException.initCause(e);
                            throw failedLoginException;
                        }
                    }
                    if (logger.isDebugEnabled()) {
                        logger.debug("Using DN [" + substring + "] for binding.");
                    }
                    Attributes attributes = searchResult.getAttributes();
                    if (attributes == null) {
                        throw new FailedLoginException("User found, but LDAP entry malformed: " + str);
                    }
                    if (isLoginPropertySet(USER_ROLE_NAME) && (attribute = attributes.get(getLDAPPropertyValue(USER_ROLE_NAME))) != null) {
                        NamingEnumeration all = attribute.getAll();
                        while (all.hasMore()) {
                            String str2 = (String) all.next();
                            if (this.isRoleAttributeSet) {
                                LdapName ldapName = new LdapName(str2);
                                for (int i = 0; i < ldapName.size(); i++) {
                                    Rdn rdn = ldapName.getRdn(i);
                                    if (this.roleAttributeName.equals(rdn.getType())) {
                                        list.add((String) rdn.getValue());
                                    }
                                }
                            } else {
                                list.add(str2);
                            }
                        }
                    }
                    return substring;
                } catch (PrivilegedActionException e2) {
                    Exception exception = e2.getException();
                    FailedLoginException failedLoginException2 = new FailedLoginException("Error executing search query to resolve DN");
                    failedLoginException2.initCause(exception);
                    throw failedLoginException2;
                }
            } catch (NamingException e3) {
                closeContext();
                FailedLoginException failedLoginException3 = new FailedLoginException("Error contacting LDAP");
                failedLoginException3.initCause(e3);
                throw failedLoginException3;
            } catch (CommunicationException e4) {
                closeContext();
                FailedLoginException failedLoginException4 = new FailedLoginException("Error contacting LDAP");
                failedLoginException4.initCause(e4);
                throw failedLoginException4;
            }
        } catch (Exception e5) {
            FailedLoginException failedLoginException5 = new FailedLoginException("Error opening LDAP connection");
            failedLoginException5.initCause(e5);
            throw failedLoginException5;
        }
    }

    protected void addRoles(DirContext dirContext, String str, String str2, List<String> list) throws NamingException {
        if (isLoginPropertySet(ROLE_SEARCH_MATCHING)) {
            MessageFormat messageFormat = new MessageFormat(getLDAPPropertyValue(ROLE_SEARCH_MATCHING));
            boolean booleanValue = Boolean.valueOf(getLDAPPropertyValue(ROLE_SEARCH_SUBTREE)).booleanValue();
            boolean booleanValue2 = Boolean.valueOf(getLDAPPropertyValue(EXPAND_ROLES)).booleanValue();
            String format = messageFormat.format(new String[]{doRFC2254Encoding(str), doRFC2254Encoding(str2)});
            SearchControls searchControls = new SearchControls();
            if (booleanValue) {
                searchControls.setSearchScope(2);
            } else {
                searchControls.setSearchScope(1);
            }
            if (logger.isDebugEnabled()) {
                logger.debug("Get user roles.");
                logger.debug("Looking for the user roles in LDAP with ");
                logger.debug("  base DN: " + getLDAPPropertyValue(ROLE_BASE));
                logger.debug("  filter: " + format);
            }
            HashSet hashSet = new HashSet();
            LinkedList linkedList = new LinkedList();
            try {
                NamingEnumeration namingEnumeration = (NamingEnumeration) Subject.doAs(this.brokerGssapiIdentity, () -> {
                    return dirContext.search(getLDAPPropertyValue(ROLE_BASE), format, searchControls);
                });
                while (namingEnumeration.hasMore()) {
                    SearchResult searchResult = (SearchResult) namingEnumeration.next();
                    if (booleanValue2) {
                        hashSet.add(searchResult.getNameInNamespace());
                        linkedList.add(searchResult.getNameInNamespace());
                    }
                    addRoleAttribute(searchResult, list);
                }
                if (booleanValue2) {
                    MessageFormat messageFormat2 = new MessageFormat(getLDAPPropertyValue(EXPAND_ROLES_MATCHING));
                    while (!linkedList.isEmpty()) {
                        String format2 = messageFormat2.format(new String[]{(String) linkedList.remove()});
                        if (logger.isDebugEnabled()) {
                            logger.debug("Get 'expanded' user roles.");
                            logger.debug("Looking for the 'expanded' user roles in LDAP with ");
                            logger.debug("  base DN: " + getLDAPPropertyValue(ROLE_BASE));
                            logger.debug("  filter: " + format2);
                        }
                        try {
                            NamingEnumeration namingEnumeration2 = (NamingEnumeration) Subject.doAs(this.brokerGssapiIdentity, () -> {
                                return dirContext.search(getLDAPPropertyValue(ROLE_BASE), format2, searchControls);
                            });
                            while (namingEnumeration2.hasMore()) {
                                SearchResult searchResult2 = (SearchResult) namingEnumeration2.next();
                                String nameInNamespace = searchResult2.getNameInNamespace();
                                if (!hashSet.contains(nameInNamespace)) {
                                    addRoleAttribute(searchResult2, list);
                                    hashSet.add(nameInNamespace);
                                    linkedList.add(nameInNamespace);
                                }
                            }
                        } catch (PrivilegedActionException e) {
                            Exception exception = e.getException();
                            NamingException namingException = new NamingException("Error executing search query to expand roles");
                            namingException.initCause(exception);
                            throw namingException;
                        }
                    }
                }
            } catch (PrivilegedActionException e2) {
                Exception exception2 = e2.getException();
                NamingException namingException2 = new NamingException("Error executing search query to resolve roles");
                namingException2.initCause(exception2);
                throw namingException2;
            }
        }
    }

    protected String doRFC2254Encoding(String str) {
        StringBuffer stringBuffer = new StringBuffer(str.length());
        for (int i = 0; i < str.length(); i++) {
            char charAt = str.charAt(i);
            switch (charAt) {
                case 0:
                    stringBuffer.append("\\00");
                    break;
                case '(':
                    stringBuffer.append("\\28");
                    break;
                case ')':
                    stringBuffer.append("\\29");
                    break;
                case '*':
                    stringBuffer.append("\\2a");
                    break;
                case '\\':
                    stringBuffer.append("\\5c");
                    break;
                default:
                    stringBuffer.append(charAt);
                    break;
            }
        }
        return stringBuffer.toString();
    }

    protected boolean bindUser(DirContext dirContext, String str, String str2) throws NamingException {
        boolean z;
        if (logger.isDebugEnabled()) {
            logger.debug("Binding the user.");
        }
        dirContext.addToEnvironment("java.naming.security.principal", str);
        dirContext.addToEnvironment("java.naming.security.credentials", str2);
        try {
            dirContext.getAttributes("", (String[]) null);
            z = true;
            if (logger.isDebugEnabled()) {
                logger.debug("User " + str + " successfully bound.");
            }
        } catch (AuthenticationException e) {
            z = false;
            if (logger.isDebugEnabled()) {
                logger.debug("Authentication failed for dn=" + str);
            }
        }
        if (isLoginPropertySet("connectionUsername")) {
            dirContext.addToEnvironment("java.naming.security.principal", getLDAPPropertyValue("connectionUsername"));
        } else {
            dirContext.removeFromEnvironment("java.naming.security.principal");
        }
        if (isLoginPropertySet("connectionPassword")) {
            dirContext.addToEnvironment("java.naming.security.credentials", getPlainPassword(getLDAPPropertyValue("connectionPassword")));
        } else {
            dirContext.removeFromEnvironment("java.naming.security.credentials");
        }
        return z;
    }

    private void addRoleAttribute(SearchResult searchResult, List<String> list) throws NamingException {
        if (!this.isRoleAttributeSet) {
            list.add(searchResult.getNameInNamespace());
            return;
        }
        Attribute attribute = searchResult.getAttributes().get(this.roleAttributeName);
        if (attribute != null) {
            list.add((String) attribute.get());
        }
    }

    protected void openContext() throws Exception {
        if (this.context == null) {
            try {
                Hashtable hashtable = new Hashtable();
                hashtable.put("java.naming.factory.initial", getLDAPPropertyValue("initialContextFactory"));
                hashtable.put("java.naming.security.protocol", getLDAPPropertyValue("connectionProtocol"));
                hashtable.put("java.naming.provider.url", getLDAPPropertyValue("connectionURL"));
                hashtable.put("java.naming.security.authentication", getLDAPPropertyValue("authentication"));
                if (isLoginPropertySet(CONNECTION_POOL)) {
                    hashtable.put("com.sun.jndi.ldap.connect.pool", getLDAPPropertyValue(CONNECTION_POOL));
                }
                if (isLoginPropertySet(CONNECTION_TIMEOUT)) {
                    hashtable.put("com.sun.jndi.ldap.connect.timeout", getLDAPPropertyValue(CONNECTION_TIMEOUT));
                }
                String lDAPPropertyValue = getLDAPPropertyValue(REFERRAL) != null ? getLDAPPropertyValue(REFERRAL) : "ignore";
                hashtable.put("java.naming.referral", lDAPPropertyValue);
                if (logger.isDebugEnabled()) {
                    logger.debug("Referral handling: " + lDAPPropertyValue);
                }
                if ("GSSAPI".equalsIgnoreCase(getLDAPPropertyValue("authentication"))) {
                    String lDAPPropertyValue2 = isLoginPropertySet(SASL_LOGIN_CONFIG_SCOPE) ? getLDAPPropertyValue(SASL_LOGIN_CONFIG_SCOPE) : "broker-sasl-gssapi";
                    try {
                        LoginContext loginContext = new LoginContext(lDAPPropertyValue2);
                        loginContext.login();
                        this.brokerGssapiIdentity = loginContext.getSubject();
                    } catch (LoginException e) {
                        e.printStackTrace();
                        FailedLoginException failedLoginException = new FailedLoginException("Error contacting LDAP using GSSAPI in JAAS loginConfigScope: " + lDAPPropertyValue2);
                        failedLoginException.initCause(e);
                        throw failedLoginException;
                    }
                } else {
                    if (!isLoginPropertySet("connectionUsername")) {
                        throw new NamingException("Empty username is not allowed");
                    }
                    hashtable.put("java.naming.security.principal", getLDAPPropertyValue("connectionUsername"));
                    if (!isLoginPropertySet("connectionPassword")) {
                        throw new NamingException("Empty password is not allowed");
                    }
                    hashtable.put("java.naming.security.credentials", getPlainPassword(getLDAPPropertyValue("connectionPassword")));
                }
                try {
                    this.context = (DirContext) Subject.doAs(this.brokerGssapiIdentity, () -> {
                        return new InitialDirContext(hashtable);
                    });
                } catch (PrivilegedActionException e2) {
                    throw e2.getException();
                }
            } catch (NamingException e3) {
                closeContext();
                ActiveMQServerLogger.LOGGER.failedToOpenContext(e3);
                throw e3;
            }
        }
    }

    private String getLDAPPropertyValue(String str) {
        for (LDAPLoginProperty lDAPLoginProperty : this.config) {
            if (lDAPLoginProperty.getPropertyName().equals(str)) {
                return lDAPLoginProperty.getPropertyValue();
            }
        }
        return null;
    }

    private boolean isLoginPropertySet(String str) {
        for (LDAPLoginProperty lDAPLoginProperty : this.config) {
            if (lDAPLoginProperty.getPropertyName().equals(str) && lDAPLoginProperty.getPropertyValue() != null && !"".equals(lDAPLoginProperty.getPropertyValue())) {
                return true;
            }
        }
        return false;
    }
}
