package org.apache.directory.server.ldap.handlers.sasl.external.certificate;

import java.security.cert.Certificate;
import javax.net.ssl.SSLSession;
import javax.security.sasl.SaslException;
import org.apache.commons.lang3.exception.ExceptionUtils;
import org.apache.directory.api.ldap.model.constants.AuthenticationLevel;
import org.apache.directory.api.ldap.model.constants.JndiPropertyConstants;
import org.apache.directory.api.ldap.model.constants.SupportedSaslMechanisms;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.entry.Value;
import org.apache.directory.api.ldap.model.exception.LdapAuthenticationException;
import org.apache.directory.api.ldap.model.filter.EqualityNode;
import org.apache.directory.api.ldap.model.message.BindRequest;
import org.apache.directory.api.ldap.model.message.SearchScope;
import org.apache.directory.api.util.Strings;
import org.apache.directory.server.core.api.CoreSession;
import org.apache.directory.server.core.api.DirectoryService;
import org.apache.directory.server.core.api.LdapPrincipal;
import org.apache.directory.server.core.api.OperationEnum;
import org.apache.directory.server.core.api.OperationManager;
import org.apache.directory.server.core.api.filtering.EntryFilteringCursor;
import org.apache.directory.server.core.api.interceptor.context.BindOperationContext;
import org.apache.directory.server.core.api.interceptor.context.SearchOperationContext;
import org.apache.directory.server.ldap.LdapServer;
import org.apache.directory.server.ldap.LdapSession;
import org.apache.directory.server.ldap.handlers.sasl.AbstractSaslServer;
import org.apache.directory.server.ldap.handlers.sasl.SaslConstants;
import org.apache.mina.filter.ssl.SslFilter;

/* loaded from: input_file:apacheds-protocol-ldap-2.0.0.AM26.jar:org/apache/directory/server/ldap/handlers/sasl/external/certificate/ExternalSaslServer.class */
public final class ExternalSaslServer extends AbstractSaslServer {
    private NegotiationState state;

    /* loaded from: input_file:apacheds-protocol-ldap-2.0.0.AM26.jar:org/apache/directory/server/ldap/handlers/sasl/external/certificate/ExternalSaslServer$NegotiationState.class */
    private enum NegotiationState {
        INITIALIZED,
        COMPLETED
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ExternalSaslServer(LdapSession ldapSession, CoreSession coreSession, BindRequest bindRequest) {
        super(ldapSession, coreSession, bindRequest);
        this.state = NegotiationState.INITIALIZED;
    }

    public String getMechanismName() {
        return SupportedSaslMechanisms.EXTERNAL;
    }

    public byte[] evaluateResponse(byte[] bArr) throws SaslException {
        try {
            Certificate[] peerCertificates = ((SSLSession) getLdapSession().getIoSession().getAttribute(SslFilter.SSL_SESSION)).getPeerCertificates();
            if (null == peerCertificates || 1 > peerCertificates.length) {
                throw new SaslException("No peer certificate provided - cancel bind.");
            }
            getLdapSession().setCoreSession(authenticate(peerCertificates[0]));
            this.state = NegotiationState.COMPLETED;
            return Strings.EMPTY_BYTES;
        } catch (Exception e) {
            throw new SaslException("Error authentication using client certificate: " + ExceptionUtils.getStackTrace(e), e);
        }
    }

    public boolean isComplete() {
        return this.state == NegotiationState.COMPLETED;
    }

    private CoreSession authenticate(Certificate certificate) throws Exception {
        LdapSession ldapSession = getLdapSession();
        DirectoryService directoryService = getAdminSession().getDirectoryService();
        LdapServer ldapServer = ldapSession.getLdapServer();
        OperationManager operationManager = directoryService.getOperationManager();
        EqualityNode equalityNode = new EqualityNode(directoryService.getSchemaManager().getAttributeType("userCertificate"), new Value(certificate.getEncoded()));
        SearchOperationContext searchOperationContext = new SearchOperationContext(directoryService.getAdminSession());
        searchOperationContext.setDn(directoryService.getDnFactory().create(ldapServer.getSearchBaseDn()));
        searchOperationContext.setScope(SearchScope.SUBTREE);
        searchOperationContext.setFilter(equalityNode);
        searchOperationContext.setSizeLimit(1L);
        searchOperationContext.setNoAttributes(true);
        EntryFilteringCursor search = operationManager.search(searchOperationContext);
        Throwable th = null;
        try {
            if (!search.next()) {
                throw new LdapAuthenticationException("Cannot authenticate user cert=" + certificate);
            }
            Entry entry = search.get();
            BindOperationContext bindOperationContext = new BindOperationContext(ldapSession.getCoreSession());
            bindOperationContext.setDn(entry.getDn());
            bindOperationContext.setSaslMechanism(getMechanismName());
            bindOperationContext.setSaslAuthId(getBindRequest().getName());
            bindOperationContext.setIoSession(ldapSession.getIoSession());
            bindOperationContext.setInterceptors(directoryService.getInterceptors(OperationEnum.BIND));
            operationManager.bind(bindOperationContext);
            ldapSession.putSaslProperty(SaslConstants.SASL_AUTHENT_USER, new LdapPrincipal(directoryService.getSchemaManager(), entry.getDn(), AuthenticationLevel.STRONG));
            getLdapSession().putSaslProperty(JndiPropertyConstants.JNDI_SECURITY_PRINCIPAL, getBindRequest().getName());
            CoreSession session = bindOperationContext.getSession();
            if (search != null) {
                if (0 != 0) {
                    try {
                        search.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                } else {
                    search.close();
                }
            }
            return session;
        } catch (Throwable th3) {
            if (search != null) {
                if (0 != 0) {
                    try {
                        search.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    search.close();
                }
            }
            throw th3;
        }
    }
}
