package org.apache.directory.server.ldap.handlers.request;

import java.util.Map;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.apache.commons.lang.exception.ExceptionUtils;
import org.apache.directory.api.ldap.model.constants.SchemaConstants;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.exception.LdapAuthenticationException;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.exception.LdapInvalidDnException;
import org.apache.directory.api.ldap.model.exception.LdapUnwillingToPerformException;
import org.apache.directory.api.ldap.model.message.BindRequest;
import org.apache.directory.api.ldap.model.message.BindResponse;
import org.apache.directory.api.ldap.model.message.LdapResult;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.api.util.StringConstants;
import org.apache.directory.api.util.Strings;
import org.apache.directory.server.core.api.DirectoryService;
import org.apache.directory.server.core.api.LdapPrincipal;
import org.apache.directory.server.core.api.OperationEnum;
import org.apache.directory.server.core.api.entry.ClonedServerEntry;
import org.apache.directory.server.core.api.interceptor.context.BindOperationContext;
import org.apache.directory.server.i18n.I18n;
import org.apache.directory.server.ldap.LdapProtocolUtils;
import org.apache.directory.server.ldap.LdapSession;
import org.apache.directory.server.ldap.handlers.LdapRequestHandler;
import org.apache.directory.server.ldap.handlers.bind.MechanismHandler;
import org.apache.directory.server.ldap.handlers.bind.SaslConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:resources/libs/apacheds-service-2.0.0-M11.jar:org/apache/directory/server/ldap/handlers/request/BindRequestHandler.class */
public class BindRequestHandler extends LdapRequestHandler<BindRequest> {
    private static final Logger LOG = LoggerFactory.getLogger(BindRequestHandler.class);
    private Map<String, MechanismHandler> handlers;

    public void setSaslMechanismHandlers(Map<String, MechanismHandler> map) {
        this.handlers = map;
    }

    public void handleSimpleAuth(LdapSession ldapSession, BindRequest bindRequest) throws Exception {
        ResultCodeEnum resultCodeEnum;
        DirectoryService directoryService = this.ldapServer.getDirectoryService();
        if (ldapSession.isAuthenticated()) {
            ldapSession.getCoreSession().unbind();
        }
        ldapSession.setSimpleAuthPending();
        BindOperationContext bindOperationContext = new BindOperationContext(null);
        bindOperationContext.setDn(bindRequest.getDn());
        bindOperationContext.setCredentials(bindRequest.getCredentials());
        bindOperationContext.setIoSession(ldapSession.getIoSession());
        bindOperationContext.setInterceptors(directoryService.getInterceptors(OperationEnum.BIND));
        LdapProtocolUtils.setRequestControls(bindOperationContext, bindRequest);
        try {
            Entry entry = null;
            try {
                try {
                    entry = directoryService.getAdminSession().lookup(bindRequest.getDn(), new String[0]);
                } catch (LdapException e) {
                }
                if (entry == null) {
                    LOG.info("The {} principalDN cannot be found in the server : bind failure.", bindRequest.getName());
                } else if (((ClonedServerEntry) entry).getOriginalEntry().contains(SchemaConstants.OBJECT_CLASS_AT, SchemaConstants.REFERRAL_OC)) {
                    LOG.info("Bind principalDn points to referral.");
                    LdapResult ldapResult = ((BindResponse) bindRequest.getResultResponse()).getLdapResult();
                    ldapResult.setDiagnosticMessage("Bind principalDn points to referral.");
                    ldapResult.setResultCode(ResultCodeEnum.INVALID_CREDENTIALS);
                    ldapSession.getIoSession().write(bindRequest.getResultResponse());
                    if (ldapSession.isAuthenticated()) {
                        return;
                    }
                    ldapSession.setAnonymous();
                    return;
                }
                bindOperationContext.setInterceptors(directoryService.getInterceptors(OperationEnum.BIND));
                directoryService.getOperationManager().bind(bindOperationContext);
                ldapSession.setCoreSession(bindOperationContext.getSession());
                if (ldapSession.getCoreSession().isAnonymous()) {
                    ldapSession.setAnonymous();
                } else {
                    ldapSession.setAuthenticated();
                }
                ((BindResponse) bindRequest.getResultResponse()).addAllControls(bindOperationContext.getResponseControls());
                sendBindSuccess(ldapSession, bindRequest, null);
                if (ldapSession.isAuthenticated()) {
                    return;
                }
                ldapSession.setAnonymous();
            } catch (Exception e2) {
                LdapResult ldapResult2 = ((BindResponse) bindRequest.getResultResponse()).getLdapResult();
                if (e2 instanceof LdapUnwillingToPerformException) {
                    resultCodeEnum = ResultCodeEnum.UNWILLING_TO_PERFORM;
                    ldapResult2.setResultCode(resultCodeEnum);
                } else if (e2 instanceof LdapInvalidDnException) {
                    resultCodeEnum = ResultCodeEnum.INVALID_DN_SYNTAX;
                    ldapResult2.setResultCode(resultCodeEnum);
                } else {
                    resultCodeEnum = ResultCodeEnum.INVALID_CREDENTIALS;
                    ldapResult2.setResultCode(resultCodeEnum);
                }
                String str = resultCodeEnum.toString() + ": Bind failed: " + e2.getLocalizedMessage();
                if (LOG.isDebugEnabled()) {
                    str = (str + ":\n" + ExceptionUtils.getStackTrace(e2)) + "\n\nBindRequest = \n" + bindRequest.toString();
                }
                Dn dn = null;
                if (e2 instanceof LdapAuthenticationException) {
                    dn = ((LdapAuthenticationException) e2).getResolvedDn();
                }
                if (dn != null && (resultCodeEnum == ResultCodeEnum.NO_SUCH_OBJECT || resultCodeEnum == ResultCodeEnum.ALIAS_PROBLEM || resultCodeEnum == ResultCodeEnum.INVALID_DN_SYNTAX || resultCodeEnum == ResultCodeEnum.ALIAS_DEREFERENCING_PROBLEM)) {
                    ldapResult2.setMatchedDn(dn);
                }
                ldapResult2.setDiagnosticMessage(str);
                ((BindResponse) bindRequest.getResultResponse()).addAllControls(bindOperationContext.getResponseControls());
                ldapSession.getIoSession().write(bindRequest.getResultResponse());
                if (ldapSession.isAuthenticated()) {
                    return;
                }
                ldapSession.setAnonymous();
            }
        } catch (Throwable th) {
            if (!ldapSession.isAuthenticated()) {
                ldapSession.setAnonymous();
            }
            throw th;
        }
    }

    private boolean checkMechanism(String str) throws Exception {
        if (this.ldapServer.getSupportedMechanisms().contains(str)) {
            return true;
        }
        LOG.error(I18n.err(I18n.ERR_160, str));
        return false;
    }

    private void generateSaslChallengeOrComplete(LdapSession ldapSession, SaslServer saslServer, BindRequest bindRequest) throws Exception {
        LdapResult ldapResult = ((BindResponse) bindRequest.getResultResponse()).getLdapResult();
        if (bindRequest.getCredentials() == null) {
            bindRequest.setCredentials(StringConstants.EMPTY_BYTES);
        }
        try {
            byte[] evaluateResponse = saslServer.evaluateResponse(bindRequest.getCredentials());
            if (saslServer.isComplete()) {
                if (evaluateResponse != null) {
                    ldapSession.putSaslProperty(SaslConstants.SASL_CREDS, evaluateResponse);
                }
                LdapPrincipal ldapPrincipal = (LdapPrincipal) ldapSession.getSaslProperty(SaslConstants.SASL_AUTHENT_USER);
                if (ldapPrincipal != null) {
                    ldapSession.setCoreSession(ldapSession.getLdapServer().getDirectoryService().getSession(ldapPrincipal.getDn(), ldapPrincipal.getUserPassword(), bindRequest.getSaslMechanism(), null));
                }
                ldapSession.setAuthenticated();
                ((MechanismHandler) ldapSession.getSaslProperty(SaslConstants.SASL_MECH_HANDLER)).cleanup(ldapSession);
                sendBindSuccess(ldapSession, bindRequest, evaluateResponse);
            } else {
                LOG.info("Continuation token had length " + evaluateResponse.length);
                ldapResult.setResultCode(ResultCodeEnum.SASL_BIND_IN_PROGRESS);
                BindResponse bindResponse = (BindResponse) bindRequest.getResultResponse();
                bindResponse.setServerSaslCreds(evaluateResponse);
                ldapSession.setSaslAuthPending();
                ldapSession.getIoSession().write(bindResponse);
                LOG.debug("Returning final authentication data to client to complete context.");
            }
        } catch (SaslException e) {
            sendInvalidCredentials(ldapSession, bindRequest, e);
        }
    }

    private void sendAuthMethNotSupported(LdapSession ldapSession, BindRequest bindRequest) {
        ldapSession.clearSaslProperties();
        ldapSession.setAnonymous();
        LdapResult ldapResult = ((BindResponse) bindRequest.getResultResponse()).getLdapResult();
        ldapResult.setResultCode(ResultCodeEnum.AUTH_METHOD_NOT_SUPPORTED);
        ldapResult.setDiagnosticMessage(ResultCodeEnum.AUTH_METHOD_NOT_SUPPORTED.toString() + ": " + bindRequest.getSaslMechanism() + " is not a supported mechanism.");
        ldapSession.getIoSession().write(bindRequest.getResultResponse());
    }

    private void sendInvalidCredentials(LdapSession ldapSession, BindRequest bindRequest, Exception exc) {
        LdapResult ldapResult = ((BindResponse) bindRequest.getResultResponse()).getLdapResult();
        String resultCodeEnum = exc != null ? ResultCodeEnum.INVALID_CREDENTIALS + ": " + exc.getLocalizedMessage() : ResultCodeEnum.INVALID_CREDENTIALS.toString();
        LOG.error(resultCodeEnum);
        ldapResult.setResultCode(ResultCodeEnum.INVALID_CREDENTIALS);
        ldapResult.setDiagnosticMessage(resultCodeEnum);
        ldapSession.clearSaslProperties();
        ldapSession.setAnonymous();
        ldapSession.getIoSession().write(bindRequest.getResultResponse());
    }

    private void sendBindSuccess(LdapSession ldapSession, BindRequest bindRequest, byte[] bArr) {
        BindResponse bindResponse = (BindResponse) bindRequest.getResultResponse();
        bindResponse.getLdapResult().setResultCode(ResultCodeEnum.SUCCESS);
        bindResponse.setServerSaslCreds(bArr);
        if (ldapSession.getCoreSession().isAnonymous()) {
            ldapSession.setAnonymous();
        } else {
            ldapSession.setAuthenticated();
        }
        MechanismHandler mechanismHandler = (MechanismHandler) ldapSession.getSaslProperty(SaslConstants.SASL_MECH_HANDLER);
        if (mechanismHandler != null) {
            mechanismHandler.cleanup(ldapSession);
        }
        ldapSession.getIoSession().write(bindResponse);
        LOG.debug("Returned SUCCESS message: {}.", bindResponse);
    }

    private void handleSaslAuthPending(LdapSession ldapSession, BindRequest bindRequest) throws Exception {
        String saslMechanism = bindRequest.getSaslMechanism();
        if (Strings.isEmpty(saslMechanism) || !ldapSession.getSaslProperty(SaslConstants.SASL_MECH).equals(saslMechanism)) {
            sendAuthMethNotSupported(ldapSession, bindRequest);
            return;
        }
        MechanismHandler mechanismHandler = this.handlers.get(saslMechanism);
        if (mechanismHandler != null) {
            generateSaslChallengeOrComplete(ldapSession, mechanismHandler.handleMechanism(ldapSession, bindRequest), bindRequest);
            return;
        }
        String err = I18n.err(I18n.ERR_161, saslMechanism);
        ldapSession.clearSaslProperties();
        ldapSession.setAnonymous();
        LOG.error(err);
        throw new IllegalArgumentException(err);
    }

    public void handleSaslAuth(LdapSession ldapSession, BindRequest bindRequest) throws Exception {
        String saslMechanism = bindRequest.getSaslMechanism();
        if (ldapSession.isAuthenticated()) {
            ldapSession.getCoreSession().unbind();
            ldapSession.setAnonymous();
            ldapSession.clearSaslProperties();
        }
        if (!ldapSession.isAnonymous()) {
            if (ldapSession.isAuthPending()) {
                try {
                    handleSaslAuthPending(ldapSession, bindRequest);
                    return;
                } catch (SaslException e) {
                    sendInvalidCredentials(ldapSession, bindRequest, e);
                    return;
                }
            }
            return;
        }
        if (!checkMechanism(saslMechanism)) {
            sendAuthMethNotSupported(ldapSession, bindRequest);
            return;
        }
        ldapSession.putSaslProperty(SaslConstants.SASL_MECH, saslMechanism);
        MechanismHandler mechanismHandler = this.handlers.get(saslMechanism);
        ldapSession.putSaslProperty(SaslConstants.SASL_MECH_HANDLER, mechanismHandler);
        mechanismHandler.init(ldapSession);
        generateSaslChallengeOrComplete(ldapSession, mechanismHandler.handleMechanism(ldapSession, bindRequest), bindRequest);
    }

    @Override // org.apache.directory.server.ldap.handlers.LdapRequestHandler
    public void handle(LdapSession ldapSession, BindRequest bindRequest) throws Exception {
        LOG.debug("Received: {}", bindRequest);
        if (bindRequest.getVersion3()) {
            if (bindRequest.isSimple()) {
                handleSimpleAuth(ldapSession, bindRequest);
                return;
            } else {
                handleSaslAuth(ldapSession, bindRequest);
                return;
            }
        }
        LOG.error(I18n.err(I18n.ERR_162, new Object[0]));
        LdapResult ldapResult = ((BindResponse) bindRequest.getResultResponse()).getLdapResult();
        ldapResult.setResultCode(ResultCodeEnum.PROTOCOL_ERROR);
        ldapResult.setDiagnosticMessage(I18n.err(I18n.ERR_163, new Object[0]));
        ldapSession.getIoSession().write(bindRequest.getResultResponse());
    }
}
