package org.apache.qpid.server.security.auth.manager;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.Hashtable;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import javax.naming.AuthenticationException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.ConfiguredObject;
import org.apache.qpid.server.model.ManagedAttributeField;
import org.apache.qpid.server.model.ManagedObjectFactoryConstructor;
import org.apache.qpid.server.model.TrustStore;
import org.apache.qpid.server.security.auth.AuthenticationResult;
import org.apache.qpid.server.security.auth.UsernamePrincipal;
import org.apache.qpid.server.security.auth.manager.ldap.AbstractLDAPSSLSocketFactory;
import org.apache.qpid.server.security.auth.manager.ldap.LDAPSSLSocketFactoryGenerator;
import org.apache.qpid.server.security.auth.sasl.plain.PlainPasswordCallback;
import org.apache.qpid.server.security.auth.sasl.plain.PlainSaslServer;
import org.apache.qpid.server.util.StringUtil;
import org.apache.qpid.transport.network.security.ssl.SSLUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerImpl.class */
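/**
 * Authentication provider that verifies a username/password against an LDAP directory.
 *
 * <p>Only the SASL {@code PLAIN} mechanism is offered. Authentication works in two steps:
 * <ol>
 *   <li>the user id is resolved to a distinguished name, either by a directory search
 *       ({@link #getNameFromId(String)}, using the configured search account and filter) or,
 *       when {@code bindWithoutSearch} is set, by using the id as the DN directly;</li>
 *   <li>a simple bind is attempted as that DN with the supplied password
 *       ({@link #doLDAPNameAuthentication(String, String)}); a successful bind means the
 *       credentials are valid.</li>
 * </ol>
 *
 * <p>Connectivity to the directory is verified when the provider is created and whenever one of
 * {@link #CONNECTIVITY_ATTRS} changes. When a {@link TrustStore} is configured and the provider
 * URL is {@code ldaps:}, a generated {@link SocketFactory} subclass backed by that trust store is
 * handed to JNDI so the directory's certificate is validated against it.
 *
 * <p>Security notes:
 * <ul>
 *   <li>Empty passwords are rejected before any bind is attempted. A simple bind with a DN and
 *       empty credentials is an "unauthenticated" bind which many directories accept, which would
 *       otherwise let any known user id through without a password.</li>
 *   <li>The user id is passed to the directory as a filter argument ({@code {0}}), so JNDI escapes
 *       it; it is never concatenated into the filter string.</li>
 *   <li>With a plain {@code ldap:} provider URL the bind credentials travel in clear text;
 *       nothing here upgrades such a connection to TLS (no StartTLS), so {@code ldaps:} should be
 *       used in practice.</li>
 *   <li>{@link #toString()} deliberately omits the search account password.</li>
 * </ul>
 */
public class SimpleLDAPAuthenticationManagerImpl extends AbstractAuthenticationManager<SimpleLDAPAuthenticationManagerImpl> implements SimpleLDAPAuthenticationManager<SimpleLDAPAuthenticationManagerImpl> {
    private static final Logger _logger = LoggerFactory.getLogger(SimpleLDAPAuthenticationManagerImpl.class);

    /** Attributes whose change requires the directory connection to be re-validated. */
    private static final List<String> CONNECTIVITY_ATTRS = Collections.unmodifiableList(Arrays.asList(
            SimpleLDAPAuthenticationManager.PROVIDER_URL,
            SimpleLDAPAuthenticationManager.PROVIDER_AUTH_URL,
            SimpleLDAPAuthenticationManager.SEARCH_CONTEXT,
            SimpleLDAPAuthenticationManager.LDAP_CONTEXT_FACTORY,
            SimpleLDAPAuthenticationManager.SEARCH_USERNAME,
            SimpleLDAPAuthenticationManager.SEARCH_PASSWORD,
            SimpleLDAPAuthenticationManager.TRUST_STORE));

    private static final String PLAIN_MECHANISM = "PLAIN";

    /* JNDI environment property names (javax.naming.Context / LDAP provider). */
    private static final String JAVA_NAMING_LDAP_FACTORY_SOCKET = "java.naming.ldap.factory.socket";
    private static final String JAVA_NAMING_FACTORY_INITIAL = "java.naming.factory.initial";
    private static final String JAVA_NAMING_PROVIDER_URL = "java.naming.provider.url";
    private static final String JAVA_NAMING_SECURITY_AUTHENTICATION = "java.naming.security.authentication";
    private static final String JAVA_NAMING_SECURITY_PRINCIPAL = "java.naming.security.principal";
    private static final String JAVA_NAMING_SECURITY_CREDENTIALS = "java.naming.security.credentials";

    private static final String AUTHENTICATION_NONE = "none";
    private static final String AUTHENTICATION_SIMPLE = "simple";

    @ManagedAttributeField
    private String _providerUrl;

    /** Optional URL used for the user bind; falls back to {@link #_providerUrl} when unset. */
    @ManagedAttributeField
    private String _providerAuthUrl;

    @ManagedAttributeField
    private String _searchContext;

    /** Filter with a {@code {0}} placeholder for the user id. */
    @ManagedAttributeField
    private String _searchFilter;

    @ManagedAttributeField
    private String _ldapContextFactory;

    @ManagedAttributeField
    private TrustStore _trustStore;

    /** When true the user id is used as the bind DN directly and no search is performed. */
    @ManagedAttributeField
    private boolean _bindWithoutSearch;

    @ManagedAttributeField
    private String _searchUsername;

    @ManagedAttributeField
    private String _searchPassword;

    /** Generated socket factory class bound to {@link #_trustStore}; null when no trust store is configured. */
    private Class<? extends SocketFactory> _sslSocketFactoryOverrideClass;

    /**
     * Callback handler backing the PLAIN SASL server. It resolves the name, binds with the
     * password, and answers the authorization callback from the outcome of that bind.
     */
    private class SimpleLDAPPlainCallbackHandler implements CallbackHandler {
        private SimpleLDAPPlainCallbackHandler() {
        }

        /**
         * Handles the callbacks issued by {@link PlainSaslServer}. Name and password callbacks may
         * arrive in either order; the bind is attempted once both are known.
         *
         * @throws UnsupportedCallbackException for any callback other than name, password or authorize
         */
        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            String bindName = null;                 // DN (or raw id when bindWithoutSearch) to bind as
            String password = null;
            PlainPasswordCallback passwordCallback = null;
            AuthenticationResult result = null;

            for (Callback callback : callbacks) {
                if (callback instanceof NameCallback) {
                    try {
                        // NOTE: uses the callback's default name; presumably PlainSaslServer
                        // populates that with the authcid from the PLAIN response.
                        bindName = getNameFromId(((NameCallback) callback).getDefaultName());
                    } catch (NamingException e) {
                        _logger.warn("SASL Authentication Exception", e);
                    }
                    if (password != null) {
                        result = doLDAPNameAuthentication(bindName, password);
                        if (isSuccess(result) && passwordCallback != null) {
                            passwordCallback.setAuthenticated(true);
                        }
                    }
                } else if (callback instanceof PlainPasswordCallback) {
                    passwordCallback = (PlainPasswordCallback) callback;
                    password = passwordCallback.getPlainPassword();
                    if (bindName != null) {
                        result = doLDAPNameAuthentication(bindName, password);
                        if (isSuccess(result)) {
                            passwordCallback.setAuthenticated(true);
                        }
                    }
                } else if (callback instanceof AuthorizeCallback) {
                    AuthorizeCallback authorizeCallback = (AuthorizeCallback) callback;
                    // Authorized only if the bind succeeded AND the requested authorization id is
                    // the authenticated id (or absent). Without the second check a client could
                    // authenticate as one user and request to act as another.
                    authorizeCallback.setAuthorized(isSuccess(result) && authorizationIdPermitted(authorizeCallback));
                } else {
                    throw new UnsupportedCallbackException(callback);
                }
            }
        }
    }

    @ManagedObjectFactoryConstructor
    public SimpleLDAPAuthenticationManagerImpl(Map<String, Object> attributes, Broker broker) {
        super(attributes, broker);
    }

    /** Verifies that the directory is reachable with the configured search credentials before the provider is created. */
    @Override // org.apache.qpid.server.model.AbstractConfiguredObject
    public void validateOnCreate() {
        super.validateOnCreate();
        validateInitialDirContext(socketFactoryFor(_trustStore), _providerUrl, _searchUsername, _searchPassword);
    }

    /**
     * Re-validates connectivity when any connectivity-related attribute is part of the proposed
     * change. The proposed (not current) values are used for the check.
     */
    @Override // org.apache.qpid.server.model.AbstractConfiguredObject
    public void validateChange(ConfiguredObject<?> proxyForValidation, Set<String> changedAttributes) {
        super.validateChange(proxyForValidation, changedAttributes);
        if (Collections.disjoint(changedAttributes, CONNECTIVITY_ATTRS)) {
            return;
        }
        SimpleLDAPAuthenticationManager<?> proposed = (SimpleLDAPAuthenticationManager<?>) proxyForValidation;
        validateInitialDirContext(socketFactoryFor(proposed.getTrustStore()),
                                  proposed.getProviderUrl(),
                                  proposed.getSearchUsername(),
                                  proposed.getSearchPassword());
    }

    @Override // org.apache.qpid.server.security.auth.manager.AbstractAuthenticationManager, org.apache.qpid.server.model.AbstractConfiguredObject
    public void onOpen() {
        super.onOpen();
        _sslSocketFactoryOverrideClass = socketFactoryFor(_trustStore);
    }

    @Override // org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager
    public String getProviderUrl() {
        return _providerUrl;
    }

    @Override // org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager
    public String getProviderAuthUrl() {
        return _providerAuthUrl;
    }

    @Override // org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager
    public String getSearchContext() {
        return _searchContext;
    }

    @Override // org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager
    public String getSearchFilter() {
        return _searchFilter;
    }

    @Override // org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager
    public String getLdapContextFactory() {
        return _ldapContextFactory;
    }

    @Override // org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager
    public TrustStore getTrustStore() {
        return _trustStore;
    }

    @Override // org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager
    public String getSearchUsername() {
        return _searchUsername;
    }

    @Override // org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager
    public String getSearchPassword() {
        return _searchPassword;
    }

    @Override // org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager
    public boolean isBindWithoutSearch() {
        return _bindWithoutSearch;
    }

    /** Only PLAIN is supported: the clear-text password is needed to bind against the directory. */
    @Override // org.apache.qpid.server.model.AuthenticationProvider
    public List<String> getMechanisms() {
        return Collections.singletonList(PLAIN_MECHANISM);
    }

    /**
     * @throws SaslException for any mechanism other than PLAIN
     */
    @Override // org.apache.qpid.server.model.AuthenticationProvider
    public SaslServer createSaslServer(String mechanism, String localFQDN, Principal externalPrincipal) throws SaslException {
        if (PLAIN_MECHANISM.equals(mechanism)) {
            return new PlainSaslServer(new SimpleLDAPPlainCallbackHandler());
        }
        throw new SaslException("Unknown mechanism: " + mechanism);
    }

    /**
     * Feeds one client response into the SASL server.
     *
     * @param server   server obtained from {@link #createSaslServer}
     * @param response client response, null treated as empty
     * @return CONTINUE with the next challenge while the exchange is incomplete, SUCCESS with the
     *         authorization id once complete, or ERROR if the server rejects the response
     */
    @Override // org.apache.qpid.server.model.AuthenticationProvider
    public AuthenticationResult authenticate(SaslServer server, byte[] response) {
        byte[] clientResponse = response == null ? new byte[0] : response;
        try {
            byte[] challenge = server.evaluateResponse(clientResponse);
            if (!server.isComplete()) {
                return new AuthenticationResult(challenge, AuthenticationResult.AuthenticationStatus.CONTINUE);
            }
            String authorizationId = server.getAuthorizationID();
            _logger.debug("Authenticated as {}", authorizationId);
            return new AuthenticationResult(new UsernamePrincipal(authorizationId));
        } catch (SaslException e) {
            return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
        }
    }

    /**
     * Username/password authentication (non-SASL path).
     *
     * @return SUCCESS carrying a principal named by the supplied id (not the resolved DN),
     *         CONTINUE when the id is unknown or the password is wrong or empty, ERROR on a
     *         directory failure
     */
    @Override // org.apache.qpid.server.security.auth.manager.UsernamePasswordAuthenticationProvider
    public AuthenticationResult authenticate(String username, String password) {
        try {
            AuthenticationResult bindResult = doLDAPNameAuthentication(getNameFromId(username), password);
            if (isSuccess(bindResult)) {
                return new AuthenticationResult(new UsernamePrincipal(username));
            }
            return bindResult;
        } catch (NamingException e) {
            return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
        }
    }

    /**
     * Attempts a simple bind as {@code name} with {@code password} against the auth URL (or the
     * provider URL when no auth URL is configured).
     *
     * @param name     DN to bind as; null means the id could not be resolved
     * @param password clear-text password
     * @return SUCCESS on a successful bind; CONTINUE when the name is null, the password is null
     *         or empty, or the directory rejects the credentials; ERROR on any other naming failure
     */
    public AuthenticationResult doLDAPNameAuthentication(String name, String password) {
        if (name == null) {
            // The search returned nothing: not authenticated (CONTINUE rather than ERROR so the
            // SASL exchange reports a credential failure, not a broker fault).
            return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.CONTINUE);
        }
        if (password == null || password.isEmpty()) {
            // A simple bind with a DN and empty credentials is an "unauthenticated" bind
            // (RFC 4513 section 5.1.2). Many directories answer it with success, which would
            // authenticate any known user id with no password at all, so refuse it here.
            _logger.debug("Rejecting empty password for {}", name);
            return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.CONTINUE);
        }

        String bindUrl = _providerAuthUrl == null ? _providerUrl : _providerAuthUrl;
        Hashtable<String, Object> env = createInitialDirContextEnvironment(bindUrl);
        env.put(JAVA_NAMING_SECURITY_AUTHENTICATION, AUTHENTICATION_SIMPLE);
        env.put(JAVA_NAMING_SECURITY_PRINCIPAL, name);
        env.put(JAVA_NAMING_SECURITY_CREDENTIALS, password);

        InitialDirContext ctx = null;
        try {
            ctx = createInitialDirContext(env, _sslSocketFactoryOverrideClass);
            return new AuthenticationResult(new UsernamePrincipal(name));
        } catch (AuthenticationException e) {
            // Must precede NamingException (its supertype): bad credentials are a normal failure.
            return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.CONTINUE);
        } catch (NamingException e) {
            return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
        } finally {
            closeSafely(ctx);
        }
    }

    /**
     * Resolves a user id to the DN to bind as. Returns the id itself when
     * {@code bindWithoutSearch} is set; otherwise searches the directory (as the search account)
     * with the configured filter.
     *
     * @return the DN of the first matching entry, or null if nothing matched
     * @throws NamingException if the search connection or the search itself fails
     */
    public String getNameFromId(String id) throws NamingException {
        if (isBindWithoutSearch()) {
            return id;
        }
        Hashtable<String, Object> env = createInitialDirContextEnvironment(_providerUrl);
        setupSearchContext(env, _searchUsername, _searchPassword);
        InitialDirContext ctx = createInitialDirContext(env, _sslSocketFactoryOverrideClass);
        try {
            SearchControls controls = new SearchControls();
            controls.setReturningAttributes(new String[0]);   // only the entry's name is needed
            controls.setCountLimit(1L);                       // first match wins
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);

            // The id goes in as filter argument {0}; JNDI escapes it, so it cannot alter the filter.
            NamingEnumeration<SearchResult> results = ctx.search(_searchContext, _searchFilter, new Object[]{id}, controls);
            try {
                return results.hasMore() ? results.next().getNameInNamespace() : null;
            } finally {
                closeSafely(results);
            }
        } finally {
            closeSafely(ctx);
        }
    }

    /** Base JNDI environment: context factory and provider URL. */
    private Hashtable<String, Object> createInitialDirContextEnvironment(String providerUrl) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(JAVA_NAMING_FACTORY_INITIAL, _ldapContextFactory);
        env.put(JAVA_NAMING_PROVIDER_URL, providerUrl);
        return env;
    }

    /**
     * Creates the directory context. For an {@code ldaps:} URL with a trust-store-backed socket
     * factory, the factory class is registered with JNDI and the thread context classloader is
     * temporarily switched so JNDI can load the generated class. The classloader is restored even
     * when context creation fails.
     */
    private InitialDirContext createInitialDirContext(Hashtable<String, Object> env, Class<? extends SocketFactory> socketFactoryClass) throws NamingException {
        String providerUrl = String.valueOf(env.get(JAVA_NAMING_PROVIDER_URL)).trim().toLowerCase(Locale.ROOT);
        boolean useCustomSocketFactory = socketFactoryClass != null && providerUrl.startsWith("ldaps:");
        if (!useCustomSocketFactory) {
            // Note: a trust store configured together with a plain ldap: URL is silently unused.
            return new InitialDirContext(env);
        }

        env.put(JAVA_NAMING_LDAP_FACTORY_SOCKET, socketFactoryClass.getName());
        Thread current = Thread.currentThread();
        ClassLoader previousLoader = current.getContextClassLoader();
        current.setContextClassLoader(socketFactoryClass.getClassLoader());
        try {
            return new InitialDirContext(env);
        } finally {
            current.setContextClassLoader(previousLoader);
        }
    }

    /** Null-safe wrapper around {@link #createSslSocketFactoryOverrideClass(TrustStore)}. */
    private Class<? extends SocketFactory> socketFactoryFor(TrustStore trustStore) {
        return trustStore == null ? null : createSslSocketFactoryOverrideClass(trustStore);
    }

    /**
     * Generates a {@link SocketFactory} subclass whose SSL context trusts only the given
     * trust store. A fresh class with a unique name is generated per provider/trust-store pair
     * because JNDI selects the factory by class name.
     *
     * @throws IllegalConfigurationException if the SSL context cannot be initialised
     */
    private Class<? extends SocketFactory> createSslSocketFactoryOverrideClass(TrustStore trustStore) {
        String className = new StringUtil().createUniqueJavaName(getName() + "_" + trustStore.getName());
        try {
            SSLContext sslContext = SSLUtil.tryGetSSLContext();
            // No key managers: the broker does not present a client certificate to the directory.
            sslContext.init(null, trustStore.getTrustManagers(), null);
            Class<? extends AbstractLDAPSSLSocketFactory> factoryClass =
                    LDAPSSLSocketFactoryGenerator.createSubClass(className, sslContext.getSocketFactory());
            _logger.debug("Connection to Directory will use custom SSL socket factory : {}", factoryClass);
            return factoryClass;
        } catch (GeneralSecurityException e) {
            _logger.error("Exception creating SSLContext", e);
            throw new IllegalConfigurationException("Error creating SSLContext with trust store : " + trustStore.getName(), e);
        }
    }

    /** Diagnostic description; the search password is intentionally not included. */
    @Override // org.apache.qpid.server.model.AbstractConfiguredObject
    public String toString() {
        return "SimpleLDAPAuthenticationManagerImpl [id=" + getId() + ", name=" + getName() + ", providerUrl=" + _providerUrl + ", providerAuthUrl=" + _providerAuthUrl + ", searchContext=" + _searchContext + ", state=" + getState() + ", searchFilter=" + _searchFilter + ", ldapContextFactory=" + _ldapContextFactory + ", bindWithoutSearch=" + _bindWithoutSearch + ", trustStore=" + _trustStore + ", searchUsername=" + _searchUsername + "]";
    }

    /**
     * Opens and immediately closes a context with the given settings to prove the directory is
     * reachable (and, when a search account is given, that its credentials are accepted).
     *
     * @throws IllegalConfigurationException if the context cannot be created
     */
    private void validateInitialDirContext(Class<? extends SocketFactory> socketFactoryClass, String providerUrl, String searchUsername, String searchPassword) {
        Hashtable<String, Object> env = createInitialDirContextEnvironment(providerUrl);
        setupSearchContext(env, searchUsername, searchPassword);
        InitialDirContext ctx = null;
        try {
            ctx = createInitialDirContext(env, socketFactoryClass);
        } catch (NamingException e) {
            _logger.error("Failed to establish connectivity to the ldap server for " + providerUrl, e);
            throw new IllegalConfigurationException("Failed to establish connectivity to the ldap server.", e);
        } finally {
            closeSafely(ctx);
        }
    }

    /**
     * Adds the search account's credentials to the environment: anonymous ("none") when no
     * username is given, simple bind otherwise. Decides on the username passed in, not the
     * current field, so validation of a proposed change checks the proposed account.
     */
    private void setupSearchContext(Hashtable<String, Object> env, String searchUsername, String searchPassword) {
        if (searchUsername == null || searchUsername.trim().isEmpty()) {
            env.put(JAVA_NAMING_SECURITY_AUTHENTICATION, AUTHENTICATION_NONE);
            return;
        }
        env.put(JAVA_NAMING_SECURITY_AUTHENTICATION, AUTHENTICATION_SIMPLE);
        env.put(JAVA_NAMING_SECURITY_PRINCIPAL, searchUsername);
        env.put(JAVA_NAMING_SECURITY_CREDENTIALS, searchPassword);
    }

    private static boolean isSuccess(AuthenticationResult result) {
        return result != null && result.getStatus() == AuthenticationResult.AuthenticationStatus.SUCCESS;
    }

    /**
     * A requested authorization id is permitted only when it is absent or identical to the
     * authenticated id; this provider does no proxy-authorization mapping.
     */
    private static boolean authorizationIdPermitted(AuthorizeCallback callback) {
        String authenticationId = callback.getAuthenticationID();
        String authorizationId = callback.getAuthorizationID();
        return authorizationId == null || authorizationId.isEmpty() || authorizationId.equals(authenticationId);
    }

    private void closeSafely(InitialDirContext ctx) {
        if (ctx == null) {
            return;
        }
        try {
            ctx.close();
        } catch (Exception e) {
            _logger.warn("Exception closing InitialDirContext", e);
        }
    }

    private void closeSafely(NamingEnumeration<?> results) {
        if (results == null) {
            return;
        }
        try {
            results.close();
        } catch (Exception e) {
            _logger.warn("Exception closing NamingEnumeration", e);
        }
    }
}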
