package org.apache.directory.server.ldap.support;

import java.util.Collections;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.naming.Name;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.spi.InitialContextFactory;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.apache.directory.server.core.DirectoryService;
import org.apache.directory.server.core.authn.LdapPrincipal;
import org.apache.directory.server.core.jndi.ServerLdapContext;
import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
import org.apache.directory.server.kerberos.shared.store.operations.GetPrincipal;
import org.apache.directory.server.ldap.LdapServer;
import org.apache.directory.server.ldap.SessionRegistry;
import org.apache.directory.server.ldap.support.bind.CramMd5MechanismHandler;
import org.apache.directory.server.ldap.support.bind.DigestMd5MechanismHandler;
import org.apache.directory.server.ldap.support.bind.GssapiMechanismHandler;
import org.apache.directory.server.ldap.support.bind.MechanismHandler;
import org.apache.directory.server.ldap.support.bind.SaslFilter;
import org.apache.directory.server.protocol.shared.ServiceConfigurationException;
import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
import org.apache.directory.shared.ldap.exception.LdapException;
import org.apache.directory.shared.ldap.message.BindRequest;
import org.apache.directory.shared.ldap.message.BindResponse;
import org.apache.directory.shared.ldap.message.LdapResult;
import org.apache.directory.shared.ldap.message.MutableControl;
import org.apache.directory.shared.ldap.message.ResultCodeEnum;
import org.apache.directory.shared.ldap.name.LdapDN;
import org.apache.directory.shared.ldap.util.ExceptionUtils;
import org.apache.mina.common.IoFilterChain;
import org.apache.mina.common.IoSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/directory/server/ldap/support/DefaultBindHandler.class */
public class DefaultBindHandler extends BindHandler {
    private static final Logger LOG = LoggerFactory.getLogger(BindHandler.class);
    private static final MutableControl[] EMPTY_CONTROL = new MutableControl[0];
    private DirContext ctx;
    private final Map<String, MechanismHandler> handlers;
    private final SessionRegistry registry;

    public DefaultBindHandler(DirectoryService directoryService, SessionRegistry sessionRegistry) {
        HashMap hashMap = new HashMap();
        hashMap.put("CRAM-MD5", new CramMd5MechanismHandler(directoryService));
        hashMap.put("DIGEST-MD5", new DigestMd5MechanismHandler(directoryService));
        hashMap.put("GSSAPI", new GssapiMechanismHandler(directoryService));
        this.handlers = Collections.unmodifiableMap(hashMap);
        this.registry = sessionRegistry;
    }

    @Override // org.apache.directory.server.ldap.support.BindHandler
    public void setDirectoryService(DirectoryService directoryService) {
    }

    private Hashtable<String, Object> getEnvironment(BindRequest bindRequest, String str) {
        LdapDN name = bindRequest.getName();
        byte[] credentials = bindRequest.getCredentials();
        if (LOG.isDebugEnabled()) {
            LOG.debug("{} {}", "java.naming.security.principal", name);
            LOG.debug("{} {}", "java.naming.security.credentials", credentials);
            LOG.debug("{} {}", "java.naming.security.authentication", str);
        }
        Hashtable<String, Object> environmentByCopy = getSessionRegistry().getEnvironmentByCopy();
        environmentByCopy.put("java.naming.security.principal", name);
        if (credentials != null) {
            environmentByCopy.put("java.naming.security.credentials", credentials);
        }
        environmentByCopy.put("java.naming.security.authentication", str);
        if (bindRequest.getControls().containsKey("2.16.840.1.113730.3.4.2")) {
            environmentByCopy.put("java.naming.referral", "ignore");
        } else {
            environmentByCopy.put("java.naming.referral", "throw");
        }
        return environmentByCopy;
    }

    private LdapContext getLdapContext(IoSession ioSession, BindRequest bindRequest, Hashtable<String, Object> hashtable) {
        ResultCodeEnum bestEstimate;
        LdapContext ldapContext;
        LdapResult ldapResult = bindRequest.getResultResponse().getLdapResult();
        try {
            if (hashtable.containsKey("server.use.factory.instance")) {
                InitialContextFactory initialContextFactory = (InitialContextFactory) hashtable.get("server.use.factory.instance");
                if (initialContextFactory == null) {
                    LOG.error("The property 'server.use.factory.instance'  was set in env but was null");
                    throw new NullPointerException("server.use.factory.instance was set in env but was null");
                }
                ldapContext = initialContextFactory.getInitialContext(hashtable);
            } else {
                ldapContext = new InitialLdapContext(hashtable, (MutableControl[]) bindRequest.getControls().values().toArray(EMPTY_CONTROL));
            }
        } catch (NamingException e) {
            if (e instanceof LdapException) {
                bestEstimate = e.getResultCode();
                ldapResult.setResultCode(bestEstimate);
            } else {
                bestEstimate = ResultCodeEnum.getBestEstimate(e, bindRequest.getType());
                ldapResult.setResultCode(bestEstimate);
            }
            String str = "Bind failed: " + e.getMessage();
            if (LOG.isDebugEnabled()) {
                str = (str + ":\n" + ExceptionUtils.getStackTrace(e)) + "\n\nBindRequest = \n" + bindRequest.toString();
                LOG.debug(str);
            }
            if (e.getResolvedName() != null && (bestEstimate == ResultCodeEnum.NO_SUCH_OBJECT || bestEstimate == ResultCodeEnum.ALIAS_PROBLEM || bestEstimate == ResultCodeEnum.INVALID_DN_SYNTAX || bestEstimate == ResultCodeEnum.ALIAS_DEREFERENCING_PROBLEM)) {
                ldapResult.setMatchedDn(e.getResolvedName());
            }
            ldapResult.setErrorMessage(str);
            ioSession.write(bindRequest.getResultResponse());
            ldapContext = null;
        }
        return ldapContext;
    }

    private void handleSimpleAuth(IoSession ioSession, BindRequest bindRequest) throws NamingException {
        Set<String> supportedMechanisms = ((LdapServer) ioSession.getAttribute(LdapServer.class.toString())).getSupportedMechanisms();
        LdapResult ldapResult = bindRequest.getResultResponse().getLdapResult();
        if (!supportedMechanisms.contains("SIMPLE")) {
            LOG.error("Bind error : SIMPLE authentication not supported. Please check the server.xml configuration file (supportedMechanisms field)");
            ldapResult.setResultCode(ResultCodeEnum.STRONG_AUTH_REQUIRED);
            ldapResult.setErrorMessage("Simple binds are disabled.");
            ioSession.write(bindRequest.getResultResponse());
            return;
        }
        LdapContext ldapContext = getLdapContext(ioSession, bindRequest, getEnvironment(bindRequest, AuthenticationLevel.SIMPLE.toString()));
        if (ldapContext != null) {
            ServerLdapContext serverLdapContext = (ServerLdapContext) ldapContext.lookup("");
            setRequestControls(serverLdapContext, bindRequest);
            getSessionRegistry().setLdapContext(ioSession, serverLdapContext);
            ldapResult.setResultCode(ResultCodeEnum.SUCCESS);
            BindResponse resultResponse = bindRequest.getResultResponse();
            resultResponse.addAll(serverLdapContext.getResponseControls());
            ioSession.write(resultResponse);
            LOG.debug("Returned SUCCESS message.");
        }
    }

    public void handleSaslAuth(IoSession ioSession, Object obj) throws Exception {
        LdapServer ldapServer = (LdapServer) ioSession.getAttribute(LdapServer.class.toString());
        HashMap hashMap = new HashMap();
        hashMap.put("javax.security.sasl.qop", ldapServer.getSaslQopString());
        hashMap.put("com.sun.security.sasl.digest.realm", getActiveRealms(ldapServer));
        ioSession.setAttribute("saslProps", hashMap);
        ioSession.setAttribute("saslHost", ldapServer.getSaslHost());
        ioSession.setAttribute("baseDn", ldapServer.getSearchBaseDn());
        Set<String> supportedMechanisms = ldapServer.getSupportedMechanisms();
        if (supportedMechanisms.contains("GSSAPI")) {
            try {
                ioSession.setAttribute("saslSubject", getSubject(ldapServer));
            } catch (ServiceConfigurationException e) {
                supportedMechanisms.remove("GSSAPI");
                LOG.warn(e.getMessage());
            }
        }
        BindRequest bindRequest = (BindRequest) obj;
        if (ldapServer.getSupportedMechanisms().contains(bindRequest.getSaslMechanism())) {
            handleSasl(ioSession, bindRequest);
            return;
        }
        LOG.error("Bind error : {} mechanism not supported. Please check the server.xml configuration file (supportedMechanisms field)", bindRequest.getSaslMechanism());
        LdapResult ldapResult = bindRequest.getResultResponse().getLdapResult();
        ldapResult.setResultCode(ResultCodeEnum.AUTH_METHOD_NOT_SUPPORTED);
        ldapResult.setErrorMessage(bindRequest.getSaslMechanism() + " is not a supported mechanism.");
        ioSession.write(bindRequest.getResultResponse());
    }

    public void handleSasl(IoSession ioSession, BindRequest bindRequest) throws Exception {
        String saslMechanism = bindRequest.getSaslMechanism();
        if (saslMechanism.equals("SIMPLE")) {
            ioSession.setAttribute("java.naming.security.principal", bindRequest.getName());
            ioSession.setAttribute("java.naming.security.credentials", bindRequest.getCredentials());
            getLdapContext(ioSession, bindRequest);
            return;
        }
        MechanismHandler mechanismHandler = this.handlers.get(saslMechanism);
        if (mechanismHandler == null) {
            LOG.error("Handler unavailable for " + saslMechanism);
            throw new IllegalArgumentException("Handler unavailable for " + saslMechanism);
        }
        SaslServer handleMechanism = mechanismHandler.handleMechanism(ioSession, bindRequest);
        LdapResult ldapResult = bindRequest.getResultResponse().getLdapResult();
        if (handleMechanism.isComplete()) {
            return;
        }
        try {
            if (bindRequest.getCredentials() == null) {
                bindRequest.setCredentials(new byte[0]);
            }
            byte[] evaluateResponse = handleMechanism.evaluateResponse(bindRequest.getCredentials());
            if (handleMechanism.isComplete()) {
                ioSession.setAttribute("saslCreds", evaluateResponse);
                getLdapContext(ioSession, bindRequest);
            } else {
                LOG.info("Continuation token had length " + evaluateResponse.length);
                ldapResult.setResultCode(ResultCodeEnum.SASL_BIND_IN_PROGRESS);
                BindResponse resultResponse = bindRequest.getResultResponse();
                resultResponse.setServerSaslCreds(evaluateResponse);
                ioSession.write(resultResponse);
                LOG.debug("Returning final authentication data to client to complete context.");
            }
        } catch (SaslException e) {
            LOG.error(e.getMessage());
            ldapResult.setResultCode(ResultCodeEnum.INVALID_CREDENTIALS);
            ldapResult.setErrorMessage(e.getMessage());
            ioSession.write(bindRequest.getResultResponse());
        }
    }

    private String getActiveRealms(LdapServer ldapServer) {
        StringBuilder sb = new StringBuilder();
        boolean z = true;
        for (String str : ldapServer.getSaslRealms()) {
            if (z) {
                z = false;
            } else {
                sb.append(' ');
            }
            sb.append(str);
        }
        return sb.toString();
    }

    private Subject getSubject(LdapServer ldapServer) throws ServiceConfigurationException {
        String saslPrincipal = ldapServer.getSaslPrincipal();
        KerberosPrincipal kerberosPrincipal = new KerberosPrincipal(saslPrincipal);
        try {
            PrincipalStoreEntry findPrincipal = findPrincipal(ldapServer, new GetPrincipal(kerberosPrincipal));
            if (findPrincipal == null) {
                throw new ServiceConfigurationException("Service principal " + saslPrincipal + " not found at search base DN " + ldapServer.getSearchBaseDn() + ".");
            }
            Subject subject = new Subject();
            Iterator it = findPrincipal.getKeyMap().keySet().iterator();
            while (it.hasNext()) {
                EncryptionKey encryptionKey = (EncryptionKey) findPrincipal.getKeyMap().get(it.next());
                subject.getPrivateCredentials().add(new KerberosKey(kerberosPrincipal, encryptionKey.getKeyValue(), encryptionKey.getKeyType().getOrdinal(), encryptionKey.getKeyVersion()));
            }
            return subject;
        } catch (Exception e) {
            throw new ServiceConfigurationException("Service principal " + saslPrincipal + " not found at search base DN " + ldapServer.getSearchBaseDn() + ".", e);
        }
    }

    private PrincipalStoreEntry findPrincipal(LdapServer ldapServer, GetPrincipal getPrincipal) throws Exception {
        if (this.ctx == null) {
            try {
                this.ctx = ldapServer.getDirectoryService().getJndiContext(new LdapPrincipal(new LdapDN("uid=admin,ou=system"), AuthenticationLevel.SIMPLE), ldapServer.getSearchBaseDn());
            } catch (NamingException e) {
                throw new ServiceConfigurationException("Failed to get initial context " + ldapServer.getSearchBaseDn(), e);
            }
        }
        return (PrincipalStoreEntry) getPrincipal.execute(this.ctx, (Name) null);
    }

    private Hashtable<String, Object> getEnvironment(IoSession ioSession, BindRequest bindRequest) {
        Object attribute = ioSession.getAttribute("java.naming.security.principal");
        Object attribute2 = ioSession.getAttribute("java.naming.security.credentials");
        String authenticationLevel = getAuthenticationLevel(bindRequest.getSaslMechanism());
        LOG.debug("{} {}", "java.naming.security.principal", attribute);
        LOG.debug("{} {}", "java.naming.security.credentials", attribute2);
        LOG.debug("{} {}", "java.naming.security.authentication", authenticationLevel);
        Hashtable<String, Object> environmentByCopy = this.registry.getEnvironmentByCopy();
        environmentByCopy.put("java.naming.security.principal", attribute);
        if (attribute2 != null) {
            environmentByCopy.put("java.naming.security.credentials", attribute2);
        }
        environmentByCopy.put("java.naming.security.authentication", authenticationLevel);
        if (bindRequest.getControls().containsKey("2.16.840.1.113730.3.4.2")) {
            environmentByCopy.put("java.naming.referral", "ignore");
        } else {
            environmentByCopy.put("java.naming.referral", "throw");
        }
        return environmentByCopy;
    }

    private void getLdapContext(IoSession ioSession, BindRequest bindRequest) throws Exception {
        ResultCodeEnum bestEstimate;
        Hashtable<String, Object> environment = getEnvironment(ioSession, bindRequest);
        LdapResult ldapResult = bindRequest.getResultResponse().getLdapResult();
        try {
            LdapContext initialLdapContext = new InitialLdapContext(environment, (MutableControl[]) bindRequest.getControls().values().toArray(EMPTY_CONTROL));
            this.registry.setLdapContext(ioSession, initialLdapContext);
            bindRequest.getResultResponse().addAll(initialLdapContext.getResponseControls());
            returnSuccess(ioSession, bindRequest);
        } catch (NamingException e) {
            if (e instanceof LdapException) {
                bestEstimate = e.getResultCode();
                ldapResult.setResultCode(bestEstimate);
            } else {
                bestEstimate = ResultCodeEnum.getBestEstimate(e, bindRequest.getType());
                ldapResult.setResultCode(bestEstimate);
            }
            String str = "Bind failed: " + e.getMessage();
            if (LOG.isDebugEnabled()) {
                str = (str + ":\n" + ExceptionUtils.getStackTrace(e)) + "\n\nBindRequest = \n" + bindRequest.toString();
            }
            if (e.getResolvedName() != null && (bestEstimate == ResultCodeEnum.NO_SUCH_OBJECT || bestEstimate == ResultCodeEnum.ALIAS_PROBLEM || bestEstimate == ResultCodeEnum.INVALID_DN_SYNTAX || bestEstimate == ResultCodeEnum.ALIAS_DEREFERENCING_PROBLEM)) {
                ldapResult.setMatchedDn(e.getResolvedName());
            }
            ldapResult.setErrorMessage(str);
            ioSession.write(bindRequest.getResultResponse());
        }
    }

    private void returnSuccess(IoSession ioSession, BindRequest bindRequest) throws Exception {
        LdapResult ldapResult = bindRequest.getResultResponse().getLdapResult();
        byte[] bArr = (byte[]) ioSession.getAttribute("saslCreds");
        ldapResult.setResultCode(ResultCodeEnum.SUCCESS);
        BindResponse resultResponse = bindRequest.getResultResponse();
        resultResponse.setServerSaslCreds(bArr);
        String saslMechanism = bindRequest.getSaslMechanism();
        if (saslMechanism.equals("DIGEST-MD5") || saslMechanism.equals("GSSAPI")) {
            LOG.debug("Inserting SaslFilter to engage negotiated security layer.");
            IoFilterChain filterChain = ioSession.getFilterChain();
            if (!filterChain.contains("SASL")) {
                filterChain.addBefore("codec", "SASL", new SaslFilter((SaslServer) ioSession.getAttribute(MechanismHandler.SASL_CONTEXT)));
            }
            ioSession.setAttribute(SaslFilter.DISABLE_SECURITY_LAYER_ONCE, Boolean.TRUE);
        }
        ioSession.write(resultResponse);
        LOG.debug("Returned SUCCESS message.");
    }

    private String getAuthenticationLevel(String str) {
        return str.equals("SIMPLE") ? AuthenticationLevel.SIMPLE.toString() : AuthenticationLevel.STRONG.toString();
    }

    @Override // org.apache.directory.server.ldap.support.BindHandler
    protected void bindMessageReceived(IoSession ioSession, BindRequest bindRequest) throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug("User {} is binding", bindRequest.getName());
            if (bindRequest.isSimple()) {
                LOG.debug("Using simple authentication.");
            } else {
                LOG.debug("Using SASL authentication with mechanism:  {}", bindRequest.getSaslMechanism());
            }
        }
        if (bindRequest.getVersion3()) {
            if (bindRequest.isSimple()) {
                handleSimpleAuth(ioSession, bindRequest);
                return;
            } else {
                handleSaslAuth(ioSession, bindRequest);
                return;
            }
        }
        LOG.error("Bind error : Only LDAP v3 is supported.");
        LdapResult ldapResult = bindRequest.getResultResponse().getLdapResult();
        ldapResult.setResultCode(ResultCodeEnum.PROTOCOL_ERROR);
        ldapResult.setErrorMessage("Only LDAP v3 is supported.");
        ioSession.write(bindRequest.getResultResponse());
    }
}
