package net.tirasa.connid.bundles.ad;

import com.sun.jndi.ldap.ctl.PasswordExpiredResponseControl;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.Locale;
import javax.naming.AuthenticationException;
import javax.naming.NamingException;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import net.tirasa.adsddl.ntsd.controls.SDFlagsControl;
import net.tirasa.connid.bundles.ad.schema.ADSchema;
import net.tirasa.connid.bundles.ad.util.TrustAllSocketFactory;
import net.tirasa.connid.bundles.ldap.LdapConnection;
import net.tirasa.connid.bundles.ldap.commons.LdapUtil;
import org.apache.directory.api.ldap.model.constants.JndiPropertyConstants;
import org.apache.directory.api.ldap.model.constants.SchemaConstants;
import org.apache.directory.api.ldap.model.url.LdapUrl;
import org.identityconnectors.common.Pair;
import org.identityconnectors.common.StringUtil;
import org.identityconnectors.common.logging.Log;
import org.identityconnectors.common.security.GuardedString;
import org.identityconnectors.framework.common.exceptions.ConnectorException;
import org.identityconnectors.framework.common.exceptions.InvalidCredentialException;

/* loaded from: input_file:WEB-INF/bundles/net.tirasa.connid.bundles.ad-1.3.7-bundle.jar:net/tirasa/connid/bundles/ad/ADConnection.class */
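/**
 * LDAP connection specialised for Active Directory.
 *
 * <p>Builds the JNDI environment for the configured host (plain or SSL, optionally with
 * server-certificate checks disabled), performs simple binds, and maps the two ways an
 * expired password shows up (a response control on a successful bind, or a bind error
 * message) to {@link LdapConnection.AuthenticationResultType#PASSWORD_EXPIRED}.
 *
 * <p>No synchronisation is done in this class: {@link #getInitialContext()} lazily
 * creates a shared context and {@link #close()} clears it; concurrent callers are not
 * protected here.
 */
public class ADConnection extends LdapConnection {

    private static final Log LOG = Log.getLog(ADConnection.class);

    private static final String LDAP_CTX_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";

    private static final String LDAP_CTX_SOCKET_FACTORY = "java.naming.ldap.factory.socket";

    private static final String LDAP_BINARY_ATTRIBUTE = "java.naming.ldap.attributes.binary";

    /** Attributes the provider must hand back as raw bytes instead of decoded strings. */
    private static final String BINARY_ATTRIBUTES = "ntSecurityDescriptor objectGUID objectSID";

    /**
     * Flag value passed to {@link SDFlagsControl} on the initial context. In the Windows
     * SECURITY_INFORMATION bit set 0x4 is DACL_SECURITY_INFORMATION -- confirm against the
     * SDFlagsControl documentation before relying on that reading.
     */
    private static final int SD_FLAGS = 4;

    /** Bind-error message fragments treated as "password expired" (matched case-insensitively). */
    private static final String[] PASSWORD_EXPIRED_MARKERS = { "password expired", "password has expired" };

    /** Lazily created, shared context; owned by this object and released by {@link #close()}. */
    private LdapContext initCtx;

    /** Never assigned in this class (only cleared by {@link #close()}); kept as-is for compatibility. */
    private LdapContext syncCtx;

    private final ADSchema schema;

    private final ADConfiguration config;

    /**
     * Creates a connection for the given configuration. Nothing is contacted here;
     * the first context is opened by {@link #getInitialContext()}.
     *
     * @param aDConfiguration connector configuration (host, port, principal, credentials, SSL options)
     */
    public ADConnection(final ADConfiguration aDConfiguration) {
        super(aDConfiguration);
        this.config = aDConfiguration;
        // NOTE(review): ADSchema receives a partially constructed instance; it must not
        // call back into this connection from its constructor -- confirm.
        this.schema = new ADSchema(this);
    }

    /**
     * Binds as {@code str} with the given password and reports the outcome. The context
     * produced by the bind is closed before returning: only the result is of interest.
     *
     * @param str principal to bind as; must not be null
     * @param guardedString password; may be null, in which case no credentials are sent
     * @return outcome of the bind attempt (never null)
     */
    @Override
    public LdapConnection.AuthenticationResult authenticate(final String str, final GuardedString guardedString) {
        assert str != null;

        if (LOG.isOk()) {
            LOG.ok("Attempting to authenticate {0}", str);
        }

        final Pair<LdapConnection.AuthenticationResult, LdapContext> outcome = createContext(str, guardedString);
        // The bound context is a by-product here; release it right away.
        quietClose(outcome.second);

        if (LOG.isOk()) {
            LOG.ok("Authentication result: {0}", outcome.first);
        }
        return outcome.first;
    }

    /**
     * @return the AD schema bound to this connection
     */
    public ADSchema getADSchema() {
        return this.schema;
    }

    /**
     * Opens a fresh context carrying the given request controls.
     *
     * @param controlArr request controls to set on the new context
     * @return a new context the caller owns and must close, or null if creation failed (already logged)
     */
    public LdapContext getSyncContext(final Control[] controlArr) {
        return cloneContext(controlArr);
    }

    /**
     * Closes the base connection and both cached contexts. The contexts are released even if
     * {@code super.close()} throws, and the fields are always cleared so a later
     * {@link #getInitialContext()} reconnects instead of reusing a dead context.
     */
    @Override
    public void close() {
        try {
            super.close();
        } finally {
            try {
                quietClose(this.initCtx);
                quietClose(this.syncCtx);
            } finally {
                this.initCtx = null;
                this.syncCtx = null;
            }
        }
    }

    /**
     * Creates a new context with an empty environment and applies the given request controls.
     * With an empty environment the JNDI provider settings come from wherever JNDI looks by
     * default (system properties / jndi.properties), not from {@link #config}.
     *
     * @return the new context, or null if it could not be created
     */
    private LdapContext cloneContext(final Control[] controlArr) {
        LdapContext ctx = null;
        try {
            ctx = new InitialLdapContext(new Hashtable<>(), null);
            ctx.setRequestControls(controlArr);
        } catch (NamingException e) {
            // NOTE(review): when only setRequestControls() fails, ctx is still returned, minus the controls.
            LOG.error(e, "Context initialization failed");
        }
        return ctx;
    }

    /**
     * Closes a context, logging (not throwing) on failure. Null is accepted and ignored.
     */
    private static void quietClose(final LdapContext ldapContext) {
        if (ldapContext == null) {
            return;
        }
        try {
            ldapContext.close();
        } catch (NamingException e) {
            LOG.warn(e, "Failure closing context");
        }
    }

    /**
     * Returns the shared context, connecting with the configured principal and credentials on
     * first use. Failure to set the SD flags control is logged and the context is returned
     * anyway, so later requests simply run without that control.
     *
     * @return the shared context (never null; a failed bind is propagated as an exception)
     */
    @Override
    public LdapContext getInitialContext() {
        if (this.initCtx == null) {
            this.initCtx = connect(this.config.getPrincipal(), this.config.getCredentials());
            try {
                this.initCtx.setRequestControls(new Control[] { new SDFlagsControl(SD_FLAGS) });
            } catch (NamingException e) {
                LOG.error(e, "Error initializing request controls");
            }
        }
        return this.initCtx;
    }

    /**
     * Binds and returns the resulting context, or propagates the failure as an exception.
     * Any context that exists despite a non-successful result (e.g. expired password reported
     * through a response control) is closed before propagating, so it does not leak.
     */
    private LdapContext connect(final String str, final GuardedString guardedString) {
        final Pair<LdapConnection.AuthenticationResult, LdapContext> outcome = createContext(str, guardedString);

        if (LOG.isOk()) {
            LOG.ok("Authentication result {0}", outcome.first.getType());
        }

        if (LdapConnection.AuthenticationResultType.SUCCESS.equals(outcome.first.getType())) {
            return outcome.second;
        }

        quietClose(outcome.second);
        outcome.first.propagate();
        throw new IllegalStateException("Should never get here");
    }

    /**
     * Assembles the JNDI environment for a bind as {@code str} and creates the context.
     *
     * @param str principal; blank means an anonymous ("none") bind
     * @param guardedString password; when null nothing is put under SECURITY_CREDENTIALS
     * @return bind result plus the context (null when the bind threw)
     * @throws InvalidCredentialException if a principal is given with an empty password
     */
    private Pair<LdapConnection.AuthenticationResult, LdapContext> createContext(
            final String str, final GuardedString guardedString) {

        final Hashtable<Object, Object> env = new Hashtable<>();
        env.put(JndiPropertyConstants.JNDI_FACTORY_INITIAL, LDAP_CTX_FACTORY);
        env.put(JndiPropertyConstants.JNDI_PROVIDER_URL, getLdapUrls());
        // NOTE(review): "follow" makes the provider chase referrals using this same environment,
        // i.e. the bind credentials added below can be presented to whichever server a referral names.
        env.put(JndiPropertyConstants.JNDI_REFERRAL, "follow");

        if (this.config.isSsl()) {
            env.put(JndiPropertyConstants.JNDI_SECURITY_PROTOCOL, "ssl");
            if (this.config.isTrustAllCerts()) {
                // Disables server-certificate validation: TLS then encrypts but no longer
                // proves who the peer is. Only reached when explicitly configured.
                env.put(LDAP_CTX_SOCKET_FACTORY, TrustAllSocketFactory.class.getName());
            }
        }

        env.put(LDAP_BINARY_ATTRIBUTE, BINARY_ATTRIBUTES);

        final boolean hasPrincipal = StringUtil.isNotBlank(str);
        env.put(JndiPropertyConstants.JNDI_SECURITY_AUTHENTICATION, hasPrincipal ? "simple" : "none");

        if (LOG.isOk()) {
            // Deliberately logged before principal and password are added: keep this ordering
            // so credentials never reach the log.
            LOG.ok("Initial context environment: {0}", env);
        }

        if (hasPrincipal) {
            env.put(JndiPropertyConstants.JNDI_SECURITY_PRINCIPAL, str);
            if (guardedString != null) {
                guardedString.access(cArr -> {
                    if (cArr == null || cArr.length == 0) {
                        throw new InvalidCredentialException("Password is blank");
                    }
                    // The callback may not keep GuardedString's char[], so the provider gets its own
                    // copy. A String cannot be zeroed afterwards; it lives in env until garbage collected.
                    env.put(JndiPropertyConstants.JNDI_SECURITY_CREDENTIALS, new String(cArr));
                });
            }
            // NOTE(review): a non-blank principal with a null guardedString is sent as "simple"
            // with no credentials at all; confirm the server rejects that rather than treating it
            // as an unauthenticated (anonymous) success.
        }

        return createContext(env);
    }

    /**
     * Creates the context from a prepared environment and classifies the outcome.
     *
     * <p>On a successful bind, an expired password may still be signalled through a
     * {@link PasswordExpiredResponseControl}; that is honoured only when the configuration
     * asks to respect the resource password policy. On {@link AuthenticationException} the
     * message is inspected for the known "password expired" wording; any other naming error
     * is a plain failure.
     *
     * @return result plus the context; the context is non-null whenever construction succeeded,
     *         even if the result is {@code PASSWORD_EXPIRED}, and the caller must close it
     */
    private Pair<LdapConnection.AuthenticationResult, LdapContext> createContext(final Hashtable<?, ?> env) {
        LdapConnection.AuthenticationResult result = null;
        InitialLdapContext ctx = null;
        try {
            ctx = new InitialLdapContext(env, null);
            if (this.config.isRespectResourcePasswordPolicyChangeAfterReset()
                    && hasPasswordExpiredControl(ctx.getResponseControls())) {
                result = new LdapConnection.AuthenticationResult(
                        LdapConnection.AuthenticationResultType.PASSWORD_EXPIRED);
            }
        } catch (AuthenticationException e) {
            // AuthenticationException is a NamingException: this catch must stay first.
            final LdapConnection.AuthenticationResultType type = isPasswordExpiredMessage(e.getMessage())
                    ? LdapConnection.AuthenticationResultType.PASSWORD_EXPIRED
                    : LdapConnection.AuthenticationResultType.FAILED;
            result = new LdapConnection.AuthenticationResult(type, e);
        } catch (NamingException e) {
            result = new LdapConnection.AuthenticationResult(LdapConnection.AuthenticationResultType.FAILED, e);
        }

        if (result == null) {
            assert ctx != null;
            result = new LdapConnection.AuthenticationResult(LdapConnection.AuthenticationResultType.SUCCESS);
        }
        return new Pair<>(result, ctx);
    }

    /**
     * Whether a bind error message is one of the known "password expired" variants.
     * Null-safe (a NamingException may carry no message) and locale-independent.
     */
    private static boolean isPasswordExpiredMessage(final String message) {
        if (message == null) {
            return false;
        }
        final String lowered = message.toLowerCase(Locale.ROOT);
        for (String marker : PASSWORD_EXPIRED_MARKERS) {
            if (lowered.contains(marker)) {
                return true;
            }
        }
        return false;
    }

    /**
     * @return true if any of the response controls is a {@link PasswordExpiredResponseControl};
     *         false for a null or empty array
     */
    private static boolean hasPasswordExpiredControl(final Control[] controlArr) {
        if (controlArr == null) {
            return false;
        }
        for (Control control : controlArr) {
            if (control instanceof PasswordExpiredResponseControl) {
                return true;
            }
        }
        return false;
    }

    /**
     * Builds the provider URL list: {@code ldap://host:port} followed by each configured
     * failover entry, space-separated, as JNDI expects. No base DN is appended, so an empty
     * name on the context addresses the root DSE. Failover entries are appended verbatim
     * (presumably full URLs -- confirm against the configuration documentation).
     */
    private String getLdapUrls() {
        final StringBuilder urls = new StringBuilder()
                .append(LdapUrl.LDAP_SCHEME)
                .append(this.config.getHost())
                .append(':')
                .append(this.config.getPort());
        for (String failover : LdapUtil.nullAsEmpty(this.config.getFailover())) {
            urls.append(' ').append(failover);
        }
        return urls.toString();
    }

    /** Connectivity test: same as {@link #checkAlive()}. */
    @Override
    public void test() {
        checkAlive();
    }

    /**
     * Verifies the shared context is usable by reading the subschemaSubentry attribute of the
     * root DSE (the provider URL carries no base DN, so "" is the root).
     *
     * @throws ConnectorException wrapping the underlying naming error
     */
    @Override
    public void checkAlive() {
        try {
            getInitialContext()
                    .getAttributes("", new String[] { SchemaConstants.SUBSCHEMA_SUBENTRY_AT })
                    .get(SchemaConstants.SUBSCHEMA_SUBENTRY_AT);
        } catch (NamingException e) {
            throw new ConnectorException(e);
        }
    }
}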
