package org.apache.directory.server.core.authn;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicy;
import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyErrorEnum;
import org.apache.directory.api.ldap.extras.controls.ppolicy_impl.PasswordPolicyDecorator;
import org.apache.directory.api.ldap.model.constants.AuthenticationLevel;
import org.apache.directory.api.ldap.model.constants.PasswordPolicySchemaConstants;
import org.apache.directory.api.ldap.model.constants.SchemaConstants;
import org.apache.directory.api.ldap.model.entry.Attribute;
import org.apache.directory.api.ldap.model.entry.BinaryValue;
import org.apache.directory.api.ldap.model.entry.DefaultAttribute;
import org.apache.directory.api.ldap.model.entry.DefaultModification;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.entry.Modification;
import org.apache.directory.api.ldap.model.entry.ModificationOperation;
import org.apache.directory.api.ldap.model.entry.Value;
import org.apache.directory.api.ldap.model.exception.LdapAuthenticationException;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.exception.LdapNoPermissionException;
import org.apache.directory.api.ldap.model.exception.LdapOperationException;
import org.apache.directory.api.ldap.model.exception.LdapUnwillingToPerformException;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.api.ldap.model.password.PasswordUtil;
import org.apache.directory.api.ldap.model.schema.AttributeType;
import org.apache.directory.api.util.DateUtils;
import org.apache.directory.api.util.StringConstants;
import org.apache.directory.api.util.Strings;
import org.apache.directory.server.constants.ServerDNConstants;
import org.apache.directory.server.core.api.CoreSession;
import org.apache.directory.server.core.api.DirectoryService;
import org.apache.directory.server.core.api.InterceptorEnum;
import org.apache.directory.server.core.api.LdapPrincipal;
import org.apache.directory.server.core.api.authn.ppolicy.CheckQualityEnum;
import org.apache.directory.server.core.api.authn.ppolicy.PasswordPolicyConfiguration;
import org.apache.directory.server.core.api.authn.ppolicy.PasswordPolicyException;
import org.apache.directory.server.core.api.filtering.EntryFilteringCursor;
import org.apache.directory.server.core.api.interceptor.BaseInterceptor;
import org.apache.directory.server.core.api.interceptor.context.AddOperationContext;
import org.apache.directory.server.core.api.interceptor.context.BindOperationContext;
import org.apache.directory.server.core.api.interceptor.context.CompareOperationContext;
import org.apache.directory.server.core.api.interceptor.context.DeleteOperationContext;
import org.apache.directory.server.core.api.interceptor.context.GetRootDseOperationContext;
import org.apache.directory.server.core.api.interceptor.context.HasEntryOperationContext;
import org.apache.directory.server.core.api.interceptor.context.LookupOperationContext;
import org.apache.directory.server.core.api.interceptor.context.ModifyOperationContext;
import org.apache.directory.server.core.api.interceptor.context.MoveAndRenameOperationContext;
import org.apache.directory.server.core.api.interceptor.context.MoveOperationContext;
import org.apache.directory.server.core.api.interceptor.context.OperationContext;
import org.apache.directory.server.core.api.interceptor.context.RenameOperationContext;
import org.apache.directory.server.core.api.interceptor.context.SearchOperationContext;
import org.apache.directory.server.core.api.interceptor.context.UnbindOperationContext;
import org.apache.directory.server.core.authn.ppolicy.PpolicyConfigContainer;
import org.apache.directory.server.core.shared.DefaultCoreSession;
import org.apache.directory.server.i18n.I18n;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/directory/server/core/authn/AuthenticationInterceptor.class */
public class AuthenticationInterceptor extends BaseInterceptor {
    // Class logger.
    private static final Logger LOG = LoggerFactory.getLogger(AuthenticationInterceptor.class);
    // Debug flag sampled once when the class is initialised; a later change of the log level is not reflected here.
    private static final boolean IS_DEBUG = LOG.isDebugEnabled();
    // Configured authenticators; init() installs a default set when this is null or empty.
    private Set<Authenticator> authenticators;
    // Authenticators grouped by the AuthenticationLevel they report; filled by register().
    private final Map<AuthenticationLevel, Collection<Authenticator>> authenticatorsMapByType;
    // Admin session taken from the DirectoryService in init(); bind() uses it for its internal lookup and modify calls,
    // so those calls run with the admin session rather than the session of the binding user.
    private CoreSession adminSession;
    // Normalized DNs recorded by bind() for entries whose password must be reset; modify() consults it.
    // NOTE(review): plain HashSet with no synchronization and no removal in the visible code --
    // confirm thread-safety and cleanup against the rest of the class.
    private Set<String> pwdResetSet;
    // Password-policy state attribute types. None of them is assigned in the visible part of the file
    // (presumably loadPwdPolicyStateAttributeTypes(), called from init(), does it -- confirm).
    private AttributeType AT_PWD_RESET;
    private AttributeType AT_PWD_CHANGED_TIME;
    private AttributeType AT_PWD_HISTORY;
    private AttributeType AT_PWD_FAILURE_TIME;
    private AttributeType AT_PWD_ACCOUNT_LOCKED_TIME;
    private AttributeType AT_PWD_LAST_SUCCESS;
    private AttributeType AT_PWD_GRACE_USE_TIME;
    // Not referenced in the visible part of the file.
    private PpolicyConfigContainer pwdPolicyContainer;
    // Attribute type for the password-policy subentry, resolved through the schema manager in init().
    private AttributeType pwdPolicySubentryAT;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/directory/server/core/authn/AuthenticationInterceptor$PwdModDetailsHolder.class */
    /**
     * Mutable holder for what a modify request does to the password attribute.
     *
     * <p>modify() reads these flags to decide which password-policy checks apply. The code that
     * fills the holder is outside this excerpt. The new password is kept as the caller's byte
     * array: it is neither copied on the way in or out nor cleared by this class.
     */
    public static class PwdModDetailsHolder {
        /** Read by modify(): when false the request is passed on without password-policy checks. */
        private boolean pwdModPresent = false;
        /** Read by modify() when it evaluates the reset and safe-modify rules. */
        private boolean isDelete = false;
        /** Read by modify(): when true the new password is checked against age, quality and history. */
        private boolean isAddOrReplace = false;
        /** Read by modify() together with the pending-reset set. */
        private boolean otherModExists = false;
        /** New password bytes; null until setNewPwd is called. */
        private byte[] newPwd;

        /** Instances are created by the enclosing class only; all flags start as false. */
        private PwdModDetailsHolder() {
        }

        public boolean isPwdModPresent() {
            return pwdModPresent;
        }

        public void setPwdModPresent(boolean present) {
            pwdModPresent = present;
        }

        public boolean isDelete() {
            return isDelete;
        }

        public void setDelete(boolean delete) {
            isDelete = delete;
        }

        public boolean isAddOrReplace() {
            return isAddOrReplace;
        }

        public void setAddOrReplace(boolean addOrReplace) {
            isAddOrReplace = addOrReplace;
        }

        public boolean isOtherModExists() {
            return otherModExists;
        }

        public void setOtherModExists(boolean exists) {
            otherModExists = exists;
        }

        /** Returns the stored array itself, not a copy. */
        public byte[] getNewPwd() {
            return newPwd;
        }

        /** Stores the given array by reference. */
        public void setNewPwd(byte[] password) {
            newPwd = password;
        }
    }

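    /**
     * Creates the interceptor with empty authenticator collections and an empty
     * pending-reset set. Authenticators are registered later, in init().
     */
    public AuthenticationInterceptor() {
        super(InterceptorEnum.AUTHENTICATION_INTERCEPTOR);
        // Diamond instead of raw types so the element types are checked by the compiler.
        this.authenticators = new HashSet<>();
        this.authenticatorsMapByType = new HashMap<>();
        this.pwdResetSet = new HashSet<>();
    }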

    /**
     * Initialises the interceptor: stores the admin session, resolves the password-policy
     * subentry attribute type, registers every configured authenticator (installing the
     * default set first when none is configured) and loads the policy state attribute types.
     *
     * @param directoryService the service this interceptor belongs to
     * @throws LdapException if the parent initialisation, the schema lookup or an
     *         authenticator registration fails
     */
    @Override
    public void init(DirectoryService directoryService) throws LdapException {
        super.init(directoryService);
        this.adminSession = directoryService.getAdminSession();
        this.pwdPolicySubentryAT = this.schemaManager.lookupAttributeTypeRegistry(PasswordPolicySchemaConstants.PWD_POLICY_SUBENTRY_AT);

        boolean noneConfigured = this.authenticators == null || this.authenticators.isEmpty();
        if (noneConfigured) {
            setDefaultAuthenticators();
        }

        // A registration failure propagates and aborts init().
        for (Authenticator configured : this.authenticators) {
            register(configured, directoryService);
        }

        loadPwdPolicyStateAttributeTypes();
    }

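    /**
     * Replaces the configured authenticators with the built-in set: anonymous, simple and strong.
     *
     * <p>The anonymous authenticator is part of the default. Whether an anonymous bind is then
     * accepted is decided by that authenticator and the service configuration, which are not
     * visible here. Deployments that must not allow anonymous binds should verify that setting.
     */
    private void setDefaultAuthenticators() {
        if (this.authenticators == null) {
            // Diamond instead of a raw HashSet.
            this.authenticators = new HashSet<>();
        }
        this.authenticators.clear();
        this.authenticators.add(new AnonymousAuthenticator());
        this.authenticators.add(new SimpleAuthenticator());
        this.authenticators.add(new StrongAuthenticator());
    }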

    /**
     * Returns the configured authenticators.
     *
     * @return the internal set itself, not a copy, so changes made by the caller affect this interceptor
     */
    public Set<Authenticator> getAuthenticators() {
        return authenticators;
    }

    /**
     * Sets the configured authenticators.
     *
     * <p>A non-null set is stored by reference. A null argument empties the current set.
     * The per-level map is not touched here, since registration happens in init().
     *
     * @param set the authenticators to use, or null to clear the current ones
     */
    public void setAuthenticators(Set<Authenticator> set) {
        if (set != null) {
            this.authenticators = set;
            return;
        }
        this.authenticators.clear();
    }

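    /**
     * Replaces all authenticators with the given ones and registers each of them immediately.
     *
     * <p>An authenticator whose registration fails is skipped and the others are still
     * registered. The failure is logged with its cause, so a level that ends up with no
     * authenticator can be traced back to the error that caused it.
     * register() adds to the per-level map only, so the set returned by
     * getAuthenticators() is empty after this call.
     *
     * @param authenticatorArr the authenticators to register
     * @throws IllegalArgumentException if the array is null
     */
    public void setAuthenticators(Authenticator[] authenticatorArr) {
        if (authenticatorArr == null) {
            throw new IllegalArgumentException("The given authenticators set is null");
        }
        this.authenticators.clear();
        this.authenticatorsMapByType.clear();
        for (Authenticator authenticator : authenticatorArr) {
            try {
                register(authenticator, this.directoryService);
            } catch (LdapException e) {
                // Pass the exception to the logger: without it the reason for the failure is lost.
                LOG.error("Cannot register authenticator {}", authenticator, e);
            }
        }
    }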

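    /**
     * Clears the per-level map and destroys every authenticator held in the configured set.
     *
     * <p>The set is swapped for an empty one before the authenticators are destroyed.
     * Authenticators that exist only in the per-level map (register() does not add to the set)
     * are dropped here without a destroy() call.
     */
    @Override
    public void destroy() {
        this.authenticatorsMapByType.clear();
        // Typed copy instead of a raw HashSet, which also removes the cast in the loop.
        Set<Authenticator> toDestroy = new HashSet<>(this.authenticators);
        this.authenticators = new HashSet<>();
        for (Authenticator authenticator : toDestroy) {
            authenticator.destroy();
        }
    }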

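    /**
     * Initialises an authenticator and files it under the authentication level it reports.
     *
     * @param authenticator the authenticator to initialise and register
     * @param directoryService the service passed to the authenticator's init()
     * @throws LdapException if the authenticator fails to initialise, in which case it is not registered
     */
    private void register(Authenticator authenticator, DirectoryService directoryService) throws LdapException {
        authenticator.init(directoryService);
        // Local renamed so it no longer shadows the 'authenticators' field.
        Collection<Authenticator> sameLevel = getAuthenticators(authenticator.getAuthenticatorType());
        if (sameLevel == null) {
            sameLevel = new ArrayList<>();
            this.authenticatorsMapByType.put(authenticator.getAuthenticatorType(), sameLevel);
        }
        sameLevel.add(authenticator);
    }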

    /**
     * Looks up the authenticators registered for an authentication level.
     *
     * @param authenticationLevel the level to look up
     * @return the registered collection, or null when the level is unknown or its collection is empty
     */
    private Collection<Authenticator> getAuthenticators(AuthenticationLevel authenticationLevel) {
        Collection<Authenticator> registered = this.authenticatorsMapByType.get(authenticationLevel);
        boolean usable = registered != null && registered.size() > 0;
        return usable ? registered : null;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r1v23, types: [byte[], byte[][]] */
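    /**
     * Applies password policy to an entry that is being added, then passes the operation on.
     *
     * <p>When password policy is disabled or the operation is a replication event, the entry is
     * passed on unchanged. Otherwise a userPassword value is validated with check() and, depending
     * on the policy, pwdChangedTime, pwdReset and pwdHistory state attributes are added to the entry.
     *
     * @param addOperationContext the add operation
     * @throws LdapException if the caller is rejected by checkAuthenticated/checkPwdReset, if the
     *         password violates the policy (CONSTRAINT_VIOLATION), or if a later interceptor fails
     */
    @Override
    public void add(AddOperationContext addOperationContext) throws LdapException {
        if (IS_DEBUG) {
            LOG.debug("Operation Context: {}", addOperationContext);
        }
        checkAuthenticated(addOperationContext);
        Entry entry = addOperationContext.getEntry();
        if (!this.directoryService.isPwdPolicyEnabled() || addOperationContext.isReplEvent()) {
            next(addOperationContext);
            return;
        }
        PasswordPolicyConfiguration pwdPolicy = getPwdPolicy(entry);
        boolean hasRequestControl = addOperationContext.hasRequestControl(PasswordPolicy.OID);
        checkPwdReset(addOperationContext);
        Attribute userPassword = entry.get(SchemaConstants.USER_PASSWORD_AT);
        if (userPassword != null) {
            BinaryValue passwordValue = (BinaryValue) userPassword.get();
            try {
                // The RDN value is handed to check() alongside the password bytes.
                check(entry.getDn().getRdn().getValue().getString(), passwordValue.getValue(), pwdPolicy);
                String now = DateUtils.getGeneralizedTime();
                if (pwdPolicy.getPwdMinAge() > 0 || pwdPolicy.getPwdMaxAge() > 0) {
                    Attribute changedTime = new DefaultAttribute(this.AT_PWD_CHANGED_TIME);
                    changedTime.add(now);
                    entry.add(changedTime);
                }
                // pwdReset is only set when an administrator creates the entry.
                if (pwdPolicy.isPwdMustChange() && addOperationContext.getSession().isAnAdministrator()) {
                    Attribute mustReset = new DefaultAttribute(this.AT_PWD_RESET);
                    mustReset.add("TRUE");
                    entry.add(mustReset);
                }
                if (pwdPolicy.getPwdInHistory() > 0) {
                    DefaultAttribute history = new DefaultAttribute(this.AT_PWD_HISTORY);
                    // The decompiler emitted '(byte[][]) new byte[]{...}', which does not compile; the
                    // call passes a single byte[] value to the varargs add(byte[]...).
                    // NOTE(review): the history value is built from the userPassword bytes as they are in
                    // the entry at this point; whether they are already hashed is not visible here -- confirm.
                    history.add(new byte[][] {new PasswordHistory(now, passwordValue.getValue()).getHistoryValue()});
                    entry.add(history);
                }
            } catch (PasswordPolicyException e) {
                if (hasRequestControl) {
                    PasswordPolicyDecorator pwdRespCtrl = new PasswordPolicyDecorator(this.directoryService.getLdapCodecService(), true);
                    pwdRespCtrl.getResponse().setPasswordPolicyError(PasswordPolicyErrorEnum.get(e.getErrorCode()));
                    addOperationContext.addResponseControl(pwdRespCtrl);
                }
                throw new LdapOperationException(ResultCodeEnum.CONSTRAINT_VIOLATION, e.getMessage(), e);
            }
        }
        next(addOperationContext);
    }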

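    /**
     * Authenticates a bind request and maintains the password-policy state of the bound entry.
     *
     * <p>The authenticators registered for the request's authentication level are tried in order
     * and the first one that succeeds establishes the session. On failure, when a password policy
     * applies, the failure time is recorded, the response is delayed or the account is locked
     * according to the policy, and an authentication exception is thrown. On success, failure and
     * lock state are cleared, last-success and grace-use times are recorded as configured, and a
     * password-policy response control is attached if the client asked for one.
     *
     * @param bindOperationContext the bind operation
     * @throws LdapUnwillingToPerformException if the authentication level is UNAUTHENT
     * @throws LdapAuthenticationException if no authenticator accepted the credentials
     * @throws LdapException if an authenticator reported a password-policy violation (rethrown
     *         as is) or if the internal lookup or modify fails
     */
    @Override
    public void bind(BindOperationContext bindOperationContext) throws LdapException {
        // NOTE(review): the context is logged through its toString() here and in the failure paths
        // below; confirm that it does not render the supplied credentials.
        if (IS_DEBUG) {
            LOG.debug("Operation Context: {}", bindOperationContext);
        }
        // A re-bind on a session that already carries a non-anonymous, non-administrator
        // principal has its credentials cleared before the authenticators run.
        if (bindOperationContext.getSession() != null
                && bindOperationContext.getSession().getEffectivePrincipal() != null
                && !bindOperationContext.getSession().isAnonymous()
                && !bindOperationContext.getSession().isAdministrator()) {
            bindOperationContext.setCredentials(null);
        }
        AuthenticationLevel authenticationLevel = bindOperationContext.getAuthenticationLevel();
        if (authenticationLevel == AuthenticationLevel.UNAUTHENT) {
            throw new LdapUnwillingToPerformException(ResultCodeEnum.UNWILLING_TO_PERFORM, "Cannot Bind for Dn " + bindOperationContext.getDn().getName());
        }
        Collection<Authenticator> candidates = getAuthenticators(authenticationLevel);
        PasswordPolicyException policyFailure = null;
        boolean hasRequestControl = bindOperationContext.hasRequestControl(PasswordPolicy.OID);
        PasswordPolicyDecorator pwdRespCtrl = new PasswordPolicyDecorator(this.directoryService.getLdapCodecService(), true);
        boolean authenticated = false;
        if (candidates == null) {
            // The original format string had a second placeholder with no argument.
            LOG.warn("Cannot find any authenticator for level {}", authenticationLevel);
        } else {
            for (Authenticator authenticator : candidates) {
                try {
                    LdapPrincipal principal = (LdapPrincipal) authenticator.authenticate(bindOperationContext).clone();
                    // Drop the secret from both the context and the cloned principal once it has been verified.
                    bindOperationContext.setCredentials(null);
                    principal.setUserPassword(StringConstants.EMPTY_BYTES);
                    bindOperationContext.setSession(new DefaultCoreSession(principal, this.directoryService));
                    authenticated = true;
                    break;
                } catch (LdapAuthenticationException e) {
                    LOG.info("Authenticator {} failed to authenticate: {}", authenticator, bindOperationContext);
                } catch (PasswordPolicyException e) {
                    // Remembered and rethrown after the loop, even if a later authenticator succeeds.
                    policyFailure = e;
                } catch (Exception e) {
                    // Keep trying the remaining authenticators, but record the cause so that an
                    // authenticator that is broken rather than rejecting credentials can be diagnosed.
                    LOG.info("Unexpected failure for Authenticator {} : {}", authenticator, bindOperationContext, e);
                }
            }
        }
        if (policyFailure != null) {
            if (hasRequestControl) {
                pwdRespCtrl.getResponse().setPasswordPolicyError(PasswordPolicyErrorEnum.get(policyFailure.getErrorCode()));
                bindOperationContext.addResponseControl(pwdRespCtrl);
            }
            throw policyFailure;
        }
        Dn dn = bindOperationContext.getDn();
        Entry entry = bindOperationContext.getEntry();
        PasswordPolicyConfiguration pwdPolicy = getPwdPolicy(entry);
        if (pwdPolicy != null) {
            // Re-read the entry with the admin session so that all attributes are available.
            entry = this.directoryService.getPartitionNexus().lookup(new LookupOperationContext(this.adminSession, bindOperationContext.getDn(), SchemaConstants.ALL_ATTRIBUTES_ARRAY));
        }
        if (authenticated && entry == null && this.directoryService.isAllowAnonymousAccess()) {
            return;
        }
        if (!authenticated) {
            if (LOG.isInfoEnabled()) {
                LOG.info("Cannot bind to the server ");
            }
            if (pwdPolicy != null && entry != null) {
                Attribute failureTimes = entry.get(this.AT_PWD_FAILURE_TIME);
                if (failureTimes == null) {
                    failureTimes = new DefaultAttribute(this.AT_PWD_FAILURE_TIME);
                } else {
                    purgeFailureTimes(pwdPolicy, failureTimes);
                }
                String failureTime = DateUtils.getGeneralizedTime();
                failureTimes.add(failureTime);
                ArrayList<Modification> mods = new ArrayList<>();
                mods.add(new DefaultModification(ModificationOperation.REPLACE_ATTRIBUTE, failureTimes));
                int failureCount = failureTimes.size();
                if (!pwdPolicy.isPwdLockout() || failureCount < pwdPolicy.getPwdMaxFailure()) {
                    if (pwdPolicy.getPwdMinDelay() > 0) {
                        // The delay grows with the number of recorded failures and is capped at
                        // pwdMaxDelay. It is computed in long so the products cannot overflow int.
                        // NOTE(review): a pwdMaxDelay of 0 caps the delay at 0 -- confirm that this is
                        // the intended meaning of an unset maximum. The sleep blocks the calling
                        // thread for the whole delay.
                        long delaySeconds = Math.min((long) failureCount * pwdPolicy.getPwdMinDelay(), pwdPolicy.getPwdMaxDelay());
                        try {
                            Thread.sleep(delaySeconds * 1000L);
                        } catch (InterruptedException e) {
                            // Restore the interrupt status so callers further up can still see it.
                            Thread.currentThread().interrupt();
                            LOG.warn("Interrupted while delaying to send the failed authentication response for the user {}", dn, e);
                        }
                    }
                } else if (!entry.getDn().equals(new Dn(this.schemaManager, ServerDNConstants.ADMIN_SYSTEM_DN))) {
                    // The system administrator entry is never locked out.
                    DefaultAttribute lockedTime = new DefaultAttribute(this.AT_PWD_ACCOUNT_LOCKED_TIME);
                    if (pwdPolicy.getPwdLockoutDuration() == 0) {
                        // A lockout duration of 0 stores this fixed timestamp instead of the current
                        // time (the password-policy draft's marker for a lock that does not expire
                        // on its own).
                        lockedTime.add("000001010000Z");
                    } else {
                        lockedTime.add(failureTime);
                    }
                    mods.add(new DefaultModification(ModificationOperation.ADD_ATTRIBUTE, lockedTime));
                    // The error is set on the control, but in this branch the control is not attached
                    // to the context before the exception below is thrown.
                    pwdRespCtrl.getResponse().setPasswordPolicyError(PasswordPolicyErrorEnum.ACCOUNT_LOCKED);
                }
                if (!mods.isEmpty()) {
                    mods.add(new DefaultModification(ModificationOperation.REPLACE_ATTRIBUTE, ENTRY_CSN_AT, this.directoryService.getCSN().toString()));
                    ModifyOperationContext failureUpdate = new ModifyOperationContext(this.adminSession);
                    failureUpdate.setDn(dn);
                    failureUpdate.setEntry(entry);
                    failureUpdate.setModItems(mods);
                    failureUpdate.setPushToEvtInterceptor(true);
                    this.directoryService.getPartitionNexus().modify(failureUpdate);
                }
            }
            throw new LdapAuthenticationException(I18n.err(I18n.ERR_229, dn == null ? "" : dn.getName()));
        }
        if (pwdPolicy != null) {
            // NOTE(review): unlike the failure path, this branch does not check 'entry' for null
            // before dereferencing it -- confirm that the lookup above cannot return null here.
            ArrayList<Modification> mods = new ArrayList<>();
            if (pwdPolicy.getPwdMaxIdle() > 0) {
                DefaultAttribute lastSuccess = new DefaultAttribute(this.AT_PWD_LAST_SUCCESS);
                lastSuccess.add(DateUtils.getGeneralizedTime());
                mods.add(new DefaultModification(ModificationOperation.REPLACE_ATTRIBUTE, lastSuccess));
            }
            // A successful bind clears the recorded failures and any lock.
            Attribute failureTimes = entry.get(this.AT_PWD_FAILURE_TIME);
            if (failureTimes != null) {
                mods.add(new DefaultModification(ModificationOperation.REMOVE_ATTRIBUTE, failureTimes));
            }
            Attribute lockedTime = entry.get(this.AT_PWD_ACCOUNT_LOCKED_TIME);
            if (lockedTime != null) {
                mods.add(new DefaultModification(ModificationOperation.REMOVE_ATTRIBUTE, lockedTime));
            }
            if (pwdPolicy.getPwdMaxAge() > 0 && pwdPolicy.getPwdGraceAuthNLimit() > 0) {
                Attribute changedTime = entry.get(this.AT_PWD_CHANGED_TIME);
                if (changedTime != null && PasswordUtil.isPwdExpired(changedTime.getString(), pwdPolicy.getPwdMaxAge())) {
                    // The password has expired: this bind uses up one grace login.
                    Attribute graceUseTimes = entry.get(this.AT_PWD_GRACE_USE_TIME);
                    int graceRemaining;
                    if (graceUseTimes != null) {
                        graceRemaining = pwdPolicy.getPwdGraceAuthNLimit() - (graceUseTimes.size() + 1);
                    } else {
                        graceUseTimes = new DefaultAttribute(this.AT_PWD_GRACE_USE_TIME);
                        graceRemaining = pwdPolicy.getPwdGraceAuthNLimit() - 1;
                    }
                    pwdRespCtrl.getResponse().setGraceAuthNRemaining(graceRemaining);
                    graceUseTimes.add(DateUtils.getGeneralizedTime());
                    mods.add(new DefaultModification(ModificationOperation.ADD_ATTRIBUTE, graceUseTimes));
                }
            }
            if (!mods.isEmpty()) {
                mods.add(new DefaultModification(ModificationOperation.REPLACE_ATTRIBUTE, ENTRY_CSN_AT, this.directoryService.getCSN().toString()));
                ModifyOperationContext successUpdate = new ModifyOperationContext(this.adminSession);
                successUpdate.setDn(dn);
                successUpdate.setEntry(entry);
                successUpdate.setModItems(mods);
                successUpdate.setPushToEvtInterceptor(true);
                this.directoryService.getPartitionNexus().modify(successUpdate);
            }
            if (hasRequestControl) {
                int secondsBeforeExpiry = getPwdTimeBeforeExpiry(entry, pwdPolicy);
                if (secondsBeforeExpiry > 0) {
                    pwdRespCtrl.getResponse().setTimeBeforeExpiration(secondsBeforeExpiry);
                }
                if (isPwdMustReset(entry)) {
                    pwdRespCtrl.getResponse().setPasswordPolicyError(PasswordPolicyErrorEnum.CHANGE_AFTER_RESET);
                    // The pending reset is only recorded when the client sent the password-policy control.
                    this.pwdResetSet.add(dn.getNormName());
                }
                bindOperationContext.addResponseControl(pwdRespCtrl);
            }
        }
    }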

    /**
     * Runs the authentication and pending-reset checks, passes the compare on, then
     * invalidates the authenticator caches for the compared DN.
     *
     * <p>checkAuthenticated and checkPwdReset are defined outside this excerpt. The caches are
     * invalidated only when next(...) returns normally.
     *
     * @param compareOperationContext the compare operation
     * @return the result produced by next(...)
     * @throws LdapException if a check or a later interceptor fails
     */
    @Override
    public boolean compare(CompareOperationContext compareOperationContext) throws LdapException {
        if (IS_DEBUG) {
            LOG.debug("Operation Context: {}", compareOperationContext);
        }

        checkAuthenticated(compareOperationContext);
        checkPwdReset(compareOperationContext);

        final boolean matched = next(compareOperationContext);
        invalidateAuthenticatorCaches(compareOperationContext.getDn());

        return matched;
    }

    /**
     * Runs the authentication and pending-reset checks, passes the delete on, then invalidates
     * the authenticator caches for the deleted DN so that cached state for it is not reused.
     *
     * <p>The caches are invalidated only when next(...) returns normally.
     *
     * @param deleteOperationContext the delete operation
     * @throws LdapException if a check or a later interceptor fails
     */
    @Override
    public void delete(DeleteOperationContext deleteOperationContext) throws LdapException {
        if (IS_DEBUG) {
            LOG.debug("Operation Context: {}", deleteOperationContext);
        }

        checkAuthenticated(deleteOperationContext);
        checkPwdReset(deleteOperationContext);

        next(deleteOperationContext);

        invalidateAuthenticatorCaches(deleteOperationContext.getDn());
    }

    /**
     * Runs the authentication and pending-reset checks before passing the root DSE request on.
     *
     * @param getRootDseOperationContext the root DSE operation
     * @return the entry produced by next(...)
     * @throws LdapException if a check or a later interceptor fails
     */
    @Override
    public Entry getRootDse(GetRootDseOperationContext getRootDseOperationContext) throws LdapException {
        if (IS_DEBUG) {
            LOG.debug("Operation Context: {}", getRootDseOperationContext);
        }

        checkAuthenticated(getRootDseOperationContext);
        checkPwdReset(getRootDseOperationContext);

        final Entry rootDse = next(getRootDseOperationContext);
        return rootDse;
    }

    /**
     * Runs the authentication and pending-reset checks before passing the existence test on.
     *
     * @param hasEntryOperationContext the hasEntry operation
     * @return the result produced by next(...)
     * @throws LdapException if a check or a later interceptor fails
     */
    @Override
    public boolean hasEntry(HasEntryOperationContext hasEntryOperationContext) throws LdapException {
        if (IS_DEBUG) {
            LOG.debug("Operation Context: {}", hasEntryOperationContext);
        }

        checkAuthenticated(hasEntryOperationContext);
        checkPwdReset(hasEntryOperationContext);

        final boolean exists = next(hasEntryOperationContext);
        return exists;
    }

    /**
     * Runs the authentication and pending-reset checks before passing the lookup on.
     *
     * @param lookupOperationContext the lookup operation
     * @return the entry produced by next(...)
     * @throws LdapException if a check or a later interceptor fails
     */
    @Override
    public Entry lookup(LookupOperationContext lookupOperationContext) throws LdapException {
        if (IS_DEBUG) {
            LOG.debug("Operation Context: {}", lookupOperationContext);
        }

        checkAuthenticated(lookupOperationContext);
        checkPwdReset(lookupOperationContext);

        final Entry found = next(lookupOperationContext);
        return found;
    }

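    /**
     * Asks every registered authenticator, at every authentication level, to drop what it has
     * cached for the given DN.
     *
     * @param dn the DN whose cached state must be invalidated
     */
    private void invalidateAuthenticatorCaches(Dn dn) {
        // Iterate the map values directly: getAuthenticators(level) returns null for an empty
        // collection, which made the previous keySet-based loop fail with a NullPointerException.
        for (Collection<Authenticator> sameLevel : this.authenticatorsMapByType.values()) {
            for (Authenticator authenticator : sameLevel) {
                authenticator.invalidateCache(dn);
            }
        }
    }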

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r1v69, types: [byte[], byte[][]] */
    /* JADX WARN: Type inference failed for: r1v75, types: [byte[], byte[][]] */
    @Override // org.apache.directory.server.core.api.interceptor.BaseInterceptor, org.apache.directory.server.core.api.interceptor.Interceptor
    public void modify(ModifyOperationContext modifyOperationContext) throws LdapException {
        DefaultModification defaultModification;
        if (IS_DEBUG) {
            LOG.debug("Operation Context: {}", modifyOperationContext);
        }
        checkAuthenticated(modifyOperationContext);
        if (!this.directoryService.isPwdPolicyEnabled() || modifyOperationContext.isReplEvent()) {
            next(modifyOperationContext);
            invalidateAuthenticatorCaches(modifyOperationContext.getDn());
            return;
        }
        PasswordPolicyConfiguration pwdPolicy = getPwdPolicy(modifyOperationContext.getEntry());
        boolean hasRequestControl = modifyOperationContext.hasRequestControl(PasswordPolicy.OID);
        Dn dn = modifyOperationContext.getSession().getAuthenticatedPrincipal().getDn();
        PwdModDetailsHolder pwdModDetails = getPwdModDetails(modifyOperationContext, pwdPolicy);
        if (!pwdModDetails.isPwdModPresent()) {
            next(modifyOperationContext);
            return;
        }
        if (this.pwdResetSet.contains(dn.getNormName()) && !pwdModDetails.isDelete() && pwdModDetails.isOtherModExists()) {
            if (hasRequestControl) {
                PasswordPolicyDecorator passwordPolicyDecorator = new PasswordPolicyDecorator(this.directoryService.getLdapCodecService(), true);
                passwordPolicyDecorator.getResponse().setPasswordPolicyError(PasswordPolicyErrorEnum.CHANGE_AFTER_RESET);
                modifyOperationContext.addResponseControl(passwordPolicyDecorator);
            }
            throw new LdapNoPermissionException("Password should be reset before making any changes to this entry");
        }
        if (pwdPolicy.isPwdSafeModify() && !pwdModDetails.isDelete() && pwdModDetails.isAddOrReplace() && !pwdModDetails.isDelete()) {
            LOG.debug("trying to update password attribute without the supplying the old password");
            if (hasRequestControl) {
                PasswordPolicyDecorator passwordPolicyDecorator2 = new PasswordPolicyDecorator(this.directoryService.getLdapCodecService(), true);
                passwordPolicyDecorator2.getResponse().setPasswordPolicyError(PasswordPolicyErrorEnum.MUST_SUPPLY_OLD_PASSWORD);
                modifyOperationContext.addResponseControl(passwordPolicyDecorator2);
            }
            throw new LdapNoPermissionException("trying to update password attribute without the supplying the old password");
        }
        if (!pwdPolicy.isPwdAllowUserChange() && !modifyOperationContext.getSession().isAnAdministrator()) {
            if (hasRequestControl) {
                PasswordPolicyDecorator passwordPolicyDecorator3 = new PasswordPolicyDecorator(this.directoryService.getLdapCodecService(), true);
                passwordPolicyDecorator3.getResponse().setPasswordPolicyError(PasswordPolicyErrorEnum.PASSWORD_MOD_NOT_ALLOWED);
                modifyOperationContext.addResponseControl(passwordPolicyDecorator3);
            }
            throw new LdapNoPermissionException();
        }
        Entry entry = modifyOperationContext.getEntry();
        boolean z = false;
        ArrayList arrayList = new ArrayList();
        if (pwdModDetails.isAddOrReplace()) {
            if (isPwdTooYoung(entry, pwdPolicy)) {
                if (hasRequestControl) {
                    PasswordPolicyDecorator passwordPolicyDecorator4 = new PasswordPolicyDecorator(this.directoryService.getLdapCodecService(), true);
                    passwordPolicyDecorator4.getResponse().setPasswordPolicyError(PasswordPolicyErrorEnum.PASSWORD_TOO_YOUNG);
                    modifyOperationContext.addResponseControl(passwordPolicyDecorator4);
                }
                throw new LdapOperationException(ResultCodeEnum.CONSTRAINT_VIOLATION, "password is too young to update");
            }
            byte[] newPwd = pwdModDetails.getNewPwd();
            try {
                check(entry.getDn().getRdn().getValue().getString(), newPwd, pwdPolicy);
                int pwdInHistory = pwdPolicy.getPwdInHistory();
                DefaultModification defaultModification2 = null;
                DefaultModification defaultModification3 = null;
                String generalizedTime = DateUtils.getGeneralizedTime();
                if (pwdInHistory > 0) {
                    Attribute attribute = entry.get(this.AT_PWD_HISTORY);
                    if (attribute == null) {
                        attribute = new DefaultAttribute(this.AT_PWD_HISTORY);
                    }
                    ArrayList arrayList2 = new ArrayList();
                    Iterator<Value<?>> it = attribute.iterator();
                    while (it.hasNext()) {
                        PasswordHistory passwordHistory = new PasswordHistory(Strings.utf8ToString(it.next().getBytes()));
                        if (Arrays.equals(newPwd, passwordHistory.getPassword())) {
                            if (hasRequestControl) {
                                PasswordPolicyDecorator passwordPolicyDecorator5 = new PasswordPolicyDecorator(this.directoryService.getLdapCodecService(), true);
                                passwordPolicyDecorator5.getResponse().setPasswordPolicyError(PasswordPolicyErrorEnum.PASSWORD_IN_HISTORY);
                                modifyOperationContext.addResponseControl(passwordPolicyDecorator5);
                            }
                            throw new LdapOperationException(ResultCodeEnum.CONSTRAINT_VIOLATION, "invalid reuse of password present in password history");
                        }
                        arrayList2.add(passwordHistory);
                    }
                    if (arrayList2.size() >= pwdInHistory) {
                        Collections.sort(arrayList2);
                        PasswordHistory passwordHistory2 = (PasswordHistory) arrayList2.toArray()[pwdInHistory - 1];
                        DefaultAttribute defaultAttribute = new DefaultAttribute(this.AT_PWD_HISTORY);
                        defaultAttribute.add((byte[][]) new byte[]{passwordHistory2.getHistoryValue()});
                        defaultModification2 = new DefaultModification(ModificationOperation.REMOVE_ATTRIBUTE, defaultAttribute);
                    }
                    attribute.add((byte[][]) new byte[]{new PasswordHistory(generalizedTime, newPwd).getHistoryValue()});
                    defaultModification3 = new DefaultModification(ModificationOperation.REPLACE_ATTRIBUTE, attribute);
                }
                next(modifyOperationContext);
                invalidateAuthenticatorCaches(modifyOperationContext.getDn());
                entry = this.directoryService.getPartitionNexus().lookup(new LookupOperationContext(this.adminSession, modifyOperationContext.getDn(), SchemaConstants.ALL_ATTRIBUTES_ARRAY));
                if (pwdPolicy.getPwdMinAge() > 0 || pwdPolicy.getPwdMaxAge() > 0) {
                    DefaultAttribute defaultAttribute2 = new DefaultAttribute(this.AT_PWD_CHANGED_TIME);
                    defaultAttribute2.add(generalizedTime);
                    arrayList.add(new DefaultModification(ModificationOperation.REPLACE_ATTRIBUTE, defaultAttribute2));
                }
                if (defaultModification3 != null) {
                    arrayList.add(defaultModification3);
                }
                if (defaultModification2 != null) {
                    arrayList.add(defaultModification2);
                }
                if (pwdPolicy.isPwdMustChange()) {
                    DefaultAttribute defaultAttribute3 = new DefaultAttribute(this.AT_PWD_RESET);
                    if (modifyOperationContext.getSession().isAnAdministrator()) {
                        defaultAttribute3.add("TRUE");
                        defaultModification = new DefaultModification(ModificationOperation.REPLACE_ATTRIBUTE, defaultAttribute3);
                    } else {
                        defaultModification = new DefaultModification(ModificationOperation.REMOVE_ATTRIBUTE, defaultAttribute3);
                        z = true;
                    }
                    arrayList.add(defaultModification);
                }
            } catch (PasswordPolicyException e) {
                if (hasRequestControl) {
                    PasswordPolicyDecorator passwordPolicyDecorator6 = new PasswordPolicyDecorator(this.directoryService.getLdapCodecService(), true);
                    passwordPolicyDecorator6.getResponse().setPasswordPolicyError(PasswordPolicyErrorEnum.get(e.getErrorCode()));
                    modifyOperationContext.addResponseControl(passwordPolicyDecorator6);
                }
                throw new LdapOperationException(ResultCodeEnum.CONSTRAINT_VIOLATION, e.getMessage(), e);
            }
        }
        Attribute attribute2 = entry.get(this.AT_PWD_FAILURE_TIME);
        if (attribute2 != null) {
            arrayList.add(new DefaultModification(ModificationOperation.REMOVE_ATTRIBUTE, attribute2));
        }
        Attribute attribute3 = entry.get(this.AT_PWD_GRACE_USE_TIME);
        if (attribute3 != null) {
            arrayList.add(new DefaultModification(ModificationOperation.REMOVE_ATTRIBUTE, attribute3));
        }
        if (pwdModDetails.isDelete()) {
            Attribute attribute4 = entry.get(this.AT_PWD_HISTORY);
            if (attribute4 != null) {
                arrayList.add(new DefaultModification(ModificationOperation.REMOVE_ATTRIBUTE, attribute4));
            }
            Attribute attribute5 = entry.get(this.AT_PWD_CHANGED_TIME);
            if (attribute5 != null) {
                arrayList.add(new DefaultModification(ModificationOperation.REMOVE_ATTRIBUTE, attribute5));
            }
            Attribute attribute6 = entry.get(this.AT_PWD_RESET);
            if (attribute6 != null) {
                arrayList.add(new DefaultModification(ModificationOperation.REMOVE_ATTRIBUTE, attribute6));
            }
            Attribute attribute7 = entry.get(this.AT_PWD_ACCOUNT_LOCKED_TIME);
            if (attribute7 != null) {
                arrayList.add(new DefaultModification(ModificationOperation.REMOVE_ATTRIBUTE, attribute7));
            }
        }
        ModifyOperationContext modifyOperationContext2 = new ModifyOperationContext(this.adminSession);
        modifyOperationContext2.setDn(modifyOperationContext.getDn());
        modifyOperationContext2.setModItems(arrayList);
        this.directoryService.getPartitionNexus().modify(modifyOperationContext2);
        if (z || pwdModDetails.isDelete()) {
            this.pwdResetSet.remove(dn.getNormName());
        }
    }

    /**
     * Intercepts a move operation.
     *
     * <p>Statement order is significant: {@code checkAuthenticated} and {@code checkPwdReset} both
     * run, and may throw, before the operation is passed to {@code next(...)}. The authenticator
     * caches are invalidated for the context's DN only after {@code next(...)} returns normally.
     *
     * @param moveOperationContext the move operation being processed
     * @throws LdapException if one of the checks rejects the caller, or if {@code next(...)} or
     *         the cache invalidation throws
     */
    @Override // org.apache.directory.server.core.api.interceptor.BaseInterceptor, org.apache.directory.server.core.api.interceptor.Interceptor
    public void move(MoveOperationContext moveOperationContext) throws LdapException {
        if (IS_DEBUG) {
            LOG.debug("Operation Context: {}", moveOperationContext);
        }
        // Access checks come first so a rejected caller never reaches next(...).
        checkAuthenticated(moveOperationContext);
        checkPwdReset(moveOperationContext);
        next(moveOperationContext);
        // NOTE(review): getDn() is read after next(...); confirm it still names the entry whose
        // cached credentials must be dropped once the entry has moved.
        invalidateAuthenticatorCaches(moveOperationContext.getDn());
    }

    /**
     * Intercepts a combined move-and-rename operation.
     *
     * <p>Statement order is significant: {@code checkAuthenticated} and {@code checkPwdReset} both
     * run, and may throw, before the operation is passed to {@code next(...)}. The authenticator
     * caches are invalidated for the context's DN only after {@code next(...)} returns normally.
     *
     * @param moveAndRenameOperationContext the move-and-rename operation being processed
     * @throws LdapException if one of the checks rejects the caller, or if {@code next(...)} or
     *         the cache invalidation throws
     */
    @Override // org.apache.directory.server.core.api.interceptor.BaseInterceptor, org.apache.directory.server.core.api.interceptor.Interceptor
    public void moveAndRename(MoveAndRenameOperationContext moveAndRenameOperationContext) throws LdapException {
        if (IS_DEBUG) {
            LOG.debug("Operation Context: {}", moveAndRenameOperationContext);
        }
        // Access checks come first so a rejected caller never reaches next(...).
        checkAuthenticated(moveAndRenameOperationContext);
        checkPwdReset(moveAndRenameOperationContext);
        next(moveAndRenameOperationContext);
        // NOTE(review): getDn() is read after next(...); confirm it still names the entry whose
        // cached credentials must be dropped once the entry has a new DN.
        invalidateAuthenticatorCaches(moveAndRenameOperationContext.getDn());
    }

    /**
     * Intercepts a rename operation.
     *
     * <p>Statement order is significant: {@code checkAuthenticated} and {@code checkPwdReset} both
     * run, and may throw, before the operation is passed to {@code next(...)}. The authenticator
     * caches are invalidated for the context's DN only after {@code next(...)} returns normally.
     *
     * @param renameOperationContext the rename operation being processed
     * @throws LdapException if one of the checks rejects the caller, or if {@code next(...)} or
     *         the cache invalidation throws
     */
    @Override // org.apache.directory.server.core.api.interceptor.BaseInterceptor, org.apache.directory.server.core.api.interceptor.Interceptor
    public void rename(RenameOperationContext renameOperationContext) throws LdapException {
        if (IS_DEBUG) {
            LOG.debug("Operation Context: {}", renameOperationContext);
        }
        // Access checks come first so a rejected caller never reaches next(...).
        checkAuthenticated(renameOperationContext);
        checkPwdReset(renameOperationContext);
        next(renameOperationContext);
        // NOTE(review): getDn() is read after next(...); confirm it still names the entry whose
        // cached credentials must be dropped once the entry has a new DN.
        invalidateAuthenticatorCaches(renameOperationContext.getDn());
    }

    /**
     * Intercepts a search operation.
     *
     * <p>The caller is vetted by {@code checkAuthenticated} and {@code checkPwdReset} before the
     * search is passed to {@code next(...)}; either check may throw, in which case no cursor is
     * produced.
     *
     * @param searchOperationContext the search operation being processed
     * @return the cursor returned by {@code next(...)}
     * @throws LdapException if one of the checks rejects the caller or {@code next(...)} throws
     */
    @Override
    public EntryFilteringCursor search(SearchOperationContext searchOperationContext) throws LdapException {
        if (IS_DEBUG) {
            LOG.debug("Operation Context: {}", searchOperationContext);
        }

        // Gate the search on the access checks; nothing is read for a rejected caller.
        checkAuthenticated(searchOperationContext);
        checkPwdReset(searchOperationContext);

        final EntryFilteringCursor cursor = next(searchOperationContext);
        return cursor;
    }

    /**
     * Intercepts an unbind: forwards it with {@code next(...)} and then, when
     * {@code directoryService.isPwdPolicyEnabled()} returns false, removes the normalized name of
     * the context's DN from {@code pwdResetSet}.
     *
     * @param unbindOperationContext the unbind operation being processed
     * @throws LdapException if {@code next(...)} throws
     */
    @Override
    public void unbind(UnbindOperationContext unbindOperationContext) throws LdapException {
        next(unbindOperationContext);

        // NOTE(review): the cleanup runs only when the password policy is reported as disabled,
        // the same polarity as the guard in checkPwdReset. For state that belongs to the password
        // policy this looks inverted - confirm against the code path that fills pwdResetSet.
        if (!this.directoryService.isPwdPolicyEnabled()) {
            this.pwdResetSet.remove(unbindOperationContext.getDn().getNormName());
        }
    }

    /**
     * Rejects an operation issued by an anonymous session when anonymous access is not allowed
     * and the operation targets a non-empty DN.
     *
     * <p>Operations on the empty DN are always let through (presumably the root DSE - TODO
     * confirm). The rejection is logged at error level before the exception is thrown.
     *
     * @param operationContext the operation being vetted
     * @throws LdapNoPermissionException if the anonymous caller must be rejected
     * @throws LdapException declared by the signature
     */
    private void checkAuthenticated(OperationContext operationContext) throws LdapException {
        // The && chain evaluates its operands in the same order as the original || chain did.
        final boolean mustReject = operationContext.getSession().isAnonymous()
                && !this.directoryService.isAllowAnonymousAccess()
                && !operationContext.getDn().isEmpty();

        if (mustReject) {
            final String message = I18n.err(I18n.ERR_5, operationContext.getName());
            LOG.error(message);
            throw new LdapNoPermissionException(message);
        }
    }

    /**
     * Resolves the password-policy state attribute types through the schema manager, stores them
     * in the matching {@code AT_PWD_*} fields and adds each of them to
     * {@code PWD_POLICY_STATE_ATTRIBUTE_TYPES}.
     *
     * <p>Lookups and registrations are interleaved, so if a lookup throws part-way through, the
     * fields and set entries handled before it stay populated.
     *
     * @throws LdapException if a lookup throws (presumably when an attribute type is missing from
     *         the schema - TODO confirm)
     */
    public void loadPwdPolicyStateAttributeTypes() throws LdapException {
        this.AT_PWD_RESET = this.schemaManager.lookupAttributeTypeRegistry(PasswordPolicySchemaConstants.PWD_RESET_AT);
        PWD_POLICY_STATE_ATTRIBUTE_TYPES.add(this.AT_PWD_RESET);
        this.AT_PWD_CHANGED_TIME = this.schemaManager.lookupAttributeTypeRegistry(PasswordPolicySchemaConstants.PWD_CHANGED_TIME_AT);
        PWD_POLICY_STATE_ATTRIBUTE_TYPES.add(this.AT_PWD_CHANGED_TIME);
        this.AT_PWD_HISTORY = this.schemaManager.lookupAttributeTypeRegistry(PasswordPolicySchemaConstants.PWD_HISTORY_AT);
        PWD_POLICY_STATE_ATTRIBUTE_TYPES.add(this.AT_PWD_HISTORY);
        this.AT_PWD_FAILURE_TIME = this.schemaManager.lookupAttributeTypeRegistry(PasswordPolicySchemaConstants.PWD_FAILURE_TIME_AT);
        PWD_POLICY_STATE_ATTRIBUTE_TYPES.add(this.AT_PWD_FAILURE_TIME);
        this.AT_PWD_ACCOUNT_LOCKED_TIME = this.schemaManager.lookupAttributeTypeRegistry(PasswordPolicySchemaConstants.PWD_ACCOUNT_LOCKED_TIME_AT);
        PWD_POLICY_STATE_ATTRIBUTE_TYPES.add(this.AT_PWD_ACCOUNT_LOCKED_TIME);
        this.AT_PWD_LAST_SUCCESS = this.schemaManager.lookupAttributeTypeRegistry(PasswordPolicySchemaConstants.PWD_LAST_SUCCESS_AT);
        PWD_POLICY_STATE_ATTRIBUTE_TYPES.add(this.AT_PWD_LAST_SUCCESS);
        this.AT_PWD_GRACE_USE_TIME = this.schemaManager.lookupAttributeTypeRegistry(PasswordPolicySchemaConstants.PWD_GRACE_USE_TIME_AT);
        PWD_POLICY_STATE_ATTRIBUTE_TYPES.add(this.AT_PWD_GRACE_USE_TIME);
        // The policy-subentry attribute type is only added to the set; no field is assigned here.
        PWD_POLICY_STATE_ATTRIBUTE_TYPES.add(this.schemaManager.lookupAttributeTypeRegistry(PasswordPolicySchemaConstants.PWD_POLICY_SUBENTRY_AT));
    }

    /**
     * Applies the configured password quality policy to a candidate password.
     *
     * <p>With {@code NO_CHECK} nothing is verified. A value for which
     * {@code PasswordUtil.findAlgorithm} returns non-null is treated as non-cleartext: its quality
     * cannot be inspected, so it is rejected unless the policy is {@code CHECK_ACCEPT}, in which
     * case it is accepted with no length or validator check at all. Any other value is decoded as
     * UTF-8, checked against the length limits and passed to the configured validator.
     *
     * @param str the second argument given to the validator; the caller in {@code modify} passes
     *        the entry's RDN value
     * @param bArr the candidate password bytes
     * @param passwordPolicyConfiguration the policy that applies to the entry
     * @throws PasswordPolicyException if a non-cleartext value is not acceptable under the policy,
     *         or if the length check rejects the password
     * @throws LdapException declared by the signature; the validator may also throw
     */
    private void check(String str, byte[] bArr, PasswordPolicyConfiguration passwordPolicyConfiguration) throws LdapException {
        final CheckQualityEnum quality = passwordPolicyConfiguration.getPwdCheckQuality();
        if (quality == CheckQualityEnum.NO_CHECK) {
            return;
        }

        final boolean nonClearText = PasswordUtil.findAlgorithm(bArr) != null;
        if (!nonClearText) {
            final String clearText = Strings.utf8ToString(bArr);
            validatePasswordLength(clearText, passwordPolicyConfiguration);
            passwordPolicyConfiguration.getPwdValidator().validate(clearText, str);
            return;
        }

        // Only CHECK_ACCEPT tolerates a value whose quality cannot be inspected.
        if (quality != CheckQualityEnum.CHECK_ACCEPT) {
            throw new PasswordPolicyException("cannot verify the quality of the non-cleartext passwords", PasswordPolicyErrorEnum.INSUFFICIENT_PASSWORD_QUALITY.getValue());
        }
    }

    /**
     * Checks a cleartext password against the policy's maximum and minimum length.
     *
     * <p>A limit that is zero or negative is not enforced. The length is {@code String.length()},
     * i.e. UTF-16 code units, and the maximum is tested before the minimum.
     *
     * @param str the cleartext password
     * @param passwordPolicyConfiguration the policy supplying the limits
     * @throws PasswordPolicyException with {@code INSUFFICIENT_PASSWORD_QUALITY} when the password
     *         is too long, or {@code PASSWORD_TOO_SHORT} when it is too short
     */
    private void validatePasswordLength(String str, PasswordPolicyConfiguration passwordPolicyConfiguration) throws PasswordPolicyException {
        final int maxAllowed = passwordPolicyConfiguration.getPwdMaxLength();
        final int minRequired = passwordPolicyConfiguration.getPwdMinLength();
        final int actual = str.length();

        final boolean tooLong = maxAllowed > 0 && actual > maxAllowed;
        if (tooLong) {
            throw new PasswordPolicyException("Password should not have more than " + maxAllowed + " characters", PasswordPolicyErrorEnum.INSUFFICIENT_PASSWORD_QUALITY.getValue());
        }

        final boolean tooShort = minRequired > 0 && actual < minRequired;
        if (tooShort) {
            throw new PasswordPolicyException("Password should have a minmum of " + minRequired + " characters", PasswordPolicyErrorEnum.PASSWORD_TOO_SHORT.getValue());
        }
    }

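    /**
     * Computes how many seconds remain before the entry's password expires, for use as an expiry
     * warning.
     *
     * <p>Returns 0 (no warning) when expiry is disabled ({@code pwdMaxAge == 0}), when no warning
     * window is configured ({@code pwdExpireWarning <= 0}), when the entry has no recorded
     * password change time, or when the password age lies outside the warning window.
     *
     * @param entry the user entry carrying the password-changed-time attribute
     * @param passwordPolicyConfiguration the policy that applies to the entry
     * @return the seconds left before expiry while inside the warning window, otherwise 0
     * @throws LdapException if reading the attribute value fails
     */
    private int getPwdTimeBeforeExpiry(Entry entry, PasswordPolicyConfiguration passwordPolicyConfiguration) throws LdapException {
        final int pwdMaxAge = passwordPolicyConfiguration.getPwdMaxAge();
        if (pwdMaxAge == 0) {
            return 0;
        }
        final int pwdExpireWarning = passwordPolicyConfiguration.getPwdExpireWarning();
        if (pwdExpireWarning <= 0) {
            return 0;
        }

        // Without a recorded change time the age cannot be computed, so no warning is reported;
        // previously the missing attribute was dereferenced. isPwdTooYoung treats a missing
        // attribute the same lenient way.
        final Attribute changedTimeAt = entry.get(this.AT_PWD_CHANGED_TIME);
        if (changedTimeAt == null) {
            return 0;
        }

        final long nowMillis = DateUtils.getDate(DateUtils.getGeneralizedTime()).getTime();
        final long changedMillis = DateUtils.getDate(changedTimeAt.getString()).getTime();

        // Divide in long arithmetic before narrowing. Casting the millisecond difference to int
        // first, as the code did before, wraps once the password is older than about 24.8 days
        // (2^31 ms), which corrupts the age for any realistic pwdMaxAge.
        final long ageSeconds = (nowMillis - changedMillis) / 1000L;

        if (ageSeconds <= pwdMaxAge && ageSeconds >= pwdMaxAge - pwdExpireWarning) {
            // Inside the window the remainder is at most pwdExpireWarning, so it fits in an int.
            return (int) (pwdMaxAge - ageSeconds);
        }
        return 0;
    }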

    /**
     * Tells whether the password was changed too recently to be changed again.
     *
     * <p>The answer is {@code false} when no minimum age is configured ({@code pwdMinAge == 0}) or
     * when the entry has no password-changed-time attribute.
     *
     * @param entry the user entry carrying the password-changed-time attribute
     * @param passwordPolicyConfiguration the policy supplying {@code pwdMinAge} in seconds
     * @return {@code true} if the change time plus the minimum age is still in the future
     * @throws LdapException if reading the attribute value fails
     */
    private boolean isPwdTooYoung(Entry entry, PasswordPolicyConfiguration passwordPolicyConfiguration) throws LdapException {
        if (passwordPolicyConfiguration.getPwdMinAge() == 0) {
            return false;
        }

        final Attribute changedTimeAt = entry.get(this.AT_PWD_CHANGED_TIME);
        if (changedTimeAt == null) {
            return false;
        }

        // The cast to long keeps the seconds-to-milliseconds conversion out of int arithmetic.
        final long earliestChangeMillis = DateUtils.getDate(changedTimeAt.getString()).getTime()
                + (((long) passwordPolicyConfiguration.getPwdMinAge()) * 1000);
        final long nowMillis = DateUtils.getDate(DateUtils.getGeneralizedTime()).getTime();

        return earliestChangeMillis > nowMillis;
    }

    /**
     * Reads the password-reset flag of an entry.
     *
     * @param entry the user entry to inspect
     * @return {@code true} only if the reset attribute is present and its string value parses as
     *         {@code true} with {@link Boolean#parseBoolean(String)}; {@code false} otherwise
     * @throws LdapException if reading the attribute value fails
     */
    private boolean isPwdMustReset(Entry entry) throws LdapException {
        final Attribute resetFlag = entry.get(this.AT_PWD_RESET);
        return resetFlag != null && Boolean.parseBoolean(resetFlag.getString());
    }

    /**
     * Classifies the modifications of a request with respect to the password attribute.
     *
     * <p>A modification targets the password when its attribute's user-provided id equals the
     * configured password attribute name, ignoring case. A removal sets the delete flag; an add or
     * replace sets the add-or-replace flag and records the attribute's bytes as the new password,
     * so when several such items are present the last one determines the recorded password. Any
     * other modification sets the other-mod flag.
     *
     * @param modifyOperationContext the modify request being inspected
     * @param passwordPolicyConfiguration the policy naming the password attribute
     * @return a holder describing what the request does to the password
     * @throws LdapException declared by the signature
     */
    private PwdModDetailsHolder getPwdModDetails(ModifyOperationContext modifyOperationContext, PasswordPolicyConfiguration passwordPolicyConfiguration) throws LdapException {
        final PwdModDetailsHolder details = new PwdModDetailsHolder();

        for (Modification modification : modifyOperationContext.getModItems()) {
            final Attribute target = modification.getAttribute();

            // NOTE(review): this compares the request's id string with the configured name;
            // confirm the id has been normalised before it gets here, so that every spelling of
            // the password attribute is recognised as a password change.
            if (!target.getUpId().equalsIgnoreCase(passwordPolicyConfiguration.getPwdAttribute())) {
                details.setOtherModExists(true);
                continue;
            }

            details.setPwdModPresent(true);
            final ModificationOperation kind = modification.getOperation();
            if (kind == ModificationOperation.REMOVE_ATTRIBUTE) {
                details.setDelete(true);
                continue;
            }
            if (kind == ModificationOperation.REPLACE_ATTRIBUTE || kind == ModificationOperation.ADD_ATTRIBUTE) {
                details.setAddOrReplace(true);
                details.setNewPwd(target.getBytes());
            }
        }

        return details;
    }

    /**
     * Blocks an operation when the authenticated principal is listed in {@code pwdResetSet}.
     *
     * <p>If the request carries the password-policy control, a {@code CHANGE_AFTER_RESET} response
     * control is attached before the exception is thrown.
     *
     * @param operationContext the operation being vetted
     * @throws LdapNoPermissionException if the principal still has to change its password
     * @throws LdapException declared by the signature
     */
    private void checkPwdReset(OperationContext operationContext) throws LdapException {
        // NOTE(review): enforcement is skipped when the password policy is reported as ENABLED and
        // applied only when it is disabled. For a must-change-after-reset rule this looks
        // inverted - confirm against the code path that fills pwdResetSet.
        if (this.directoryService.isPwdPolicyEnabled()) {
            return;
        }

        final String principalName = operationContext.getSession().getAuthenticatedPrincipal().getDn().getNormName();
        if (!this.pwdResetSet.contains(principalName)) {
            return;
        }

        if (operationContext.hasRequestControl(PasswordPolicy.OID)) {
            final PasswordPolicyDecorator responseControl = new PasswordPolicyDecorator(this.directoryService.getLdapCodecService(), true);
            responseControl.getResponse().setPasswordPolicyError(PasswordPolicyErrorEnum.CHANGE_AFTER_RESET);
            operationContext.addResponseControl(responseControl);
        }
        throw new LdapNoPermissionException("password needs to be reset before performing this operation");
    }

    /**
     * Selects the password policy that applies to an entry.
     *
     * <p>Without a policy container the result is {@code null}. The default policy is used when
     * the container has no custom configurations or the entry has no policy-subentry attribute;
     * otherwise the attribute's value is turned into a DN and looked up in the container.
     *
     * @param entry the user entry whose policy is wanted
     * @return the applicable policy, or {@code null} when no container is set; whether the
     *         container lookup can itself yield {@code null} is not visible here
     * @throws LdapException if reading the attribute value or building the DN fails
     */
    public PasswordPolicyConfiguration getPwdPolicy(Entry entry) throws LdapException {
        if (this.pwdPolicyContainer == null) {
            return null;
        }
        if (!this.pwdPolicyContainer.hasCustomConfigs()) {
            return this.pwdPolicyContainer.getDefaultPolicy();
        }

        final Attribute policySubentry = entry.get(this.pwdPolicySubentryAT);
        if (policySubentry == null) {
            return this.pwdPolicyContainer.getDefaultPolicy();
        }

        // The entry names its own policy: resolve that DN in the container.
        return this.pwdPolicyContainer.getPolicyConfig(this.directoryService.getDnFactory().create(policySubentry.getString()));
    }

    /**
     * Sets the password policy container used by this interceptor. Performs the same assignment
     * as {@code setPwdPolicyContainer}.
     *
     * @param ppolicyConfigContainer the container to use; with {@code null}, {@code getPwdPolicy}
     *        returns {@code null} and {@code isPwdPolicyEnabled} returns {@code false}
     */
    public void setPwdPolicies(PpolicyConfigContainer ppolicyConfigContainer) {
        pwdPolicyContainer = ppolicyConfigContainer;
    }

    /**
     * Tells whether this interceptor has any password policy to apply.
     *
     * @return {@code true} if a policy container is set and it holds a default policy or at least
     *         one custom configuration
     */
    public boolean isPwdPolicyEnabled() {
        if (this.pwdPolicyContainer == null) {
            return false;
        }
        if (this.pwdPolicyContainer.getDefaultPolicy() != null) {
            return true;
        }
        return this.pwdPolicyContainer.hasCustomConfigs();
    }

    /**
     * Returns the password policy container currently in use.
     *
     * @return the container itself (no copy is made), or {@code null} if none has been set
     */
    public PpolicyConfigContainer getPwdPolicyContainer() {
        return pwdPolicyContainer;
    }

    /**
     * Sets the password policy container used by this interceptor.
     *
     * @param ppolicyConfigContainer the container to use; with {@code null}, {@code getPwdPolicy}
     *        returns {@code null} and {@code isPwdPolicyEnabled} returns {@code false}
     */
    public void setPwdPolicyContainer(PpolicyConfigContainer ppolicyConfigContainer) {
        pwdPolicyContainer = ppolicyConfigContainer;
    }

    /**
     * Removes from the given attribute every failure timestamp that is at least
     * {@code pwdFailureCountInterval} seconds old.
     *
     * <p>An interval of 0 disables purging, so all recorded failures are kept. The attribute is
     * modified in place through its iterator.
     *
     * @param passwordPolicyConfiguration the policy supplying the interval in seconds
     * @param attribute the attribute holding the failure timestamps; must not be {@code null}
     */
    private void purgeFailureTimes(PasswordPolicyConfiguration passwordPolicyConfiguration, Attribute attribute) {
        final long intervalSeconds = passwordPolicyConfiguration.getPwdFailureCountInterval();
        if (intervalSeconds == 0) {
            return;
        }

        final long intervalMillis = intervalSeconds * 1000;
        final long nowMillis = DateUtils.getDate(DateUtils.getGeneralizedTime()).getTime();

        for (Iterator<Value<?>> cursor = attribute.iterator(); cursor.hasNext();) {
            final long failedAtMillis = DateUtils.getDate(cursor.next().getString()).getTime();
            if (nowMillis >= failedAtMillis + intervalMillis) {
                // Older than the counting window: drop it from the attribute.
                cursor.remove();
            }
        }
    }
}
