package com.liferay.portal.security.auth;

import com.liferay.portal.NoSuchUserException;
import com.liferay.portal.PasswordExpiredException;
import com.liferay.portal.UserLockoutException;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.util.GetterUtil;
import com.liferay.portal.kernel.util.StringUtil;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.model.User;
import com.liferay.portal.security.ldap.LDAPSettingsUtil;
import com.liferay.portal.security.ldap.PortalLDAPImporterUtil;
import com.liferay.portal.security.ldap.PortalLDAPUtil;
import com.liferay.portal.security.pwd.PwdEncryptor;
import com.liferay.portal.service.UserLocalServiceUtil;
import com.liferay.portal.util.PrefsPropsUtil;
import com.liferay.portal.util.PropsValues;
import com.liferay.portlet.admin.util.OmniadminUtil;
import com.liferay.portlet.usersadmin.search.UserDisplayTerms;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/* loaded from: input_file:com/liferay/portal/security/auth/LDAPAuth.class */
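/**
 * LDAP authenticator for the portal authentication pipeline.
 *
 * <p>Each of the public entry points resolves the caller to an LDAP entry
 * (by e-mail address, screen name or user id), verifies the supplied
 * password against every configured LDAP server using either a bind or a
 * {@code userPassword} compare, and on success imports/updates the portal
 * user. Result codes follow the pipeline convention visible in the callers:
 * {@code 1} success, {@code 0} no matching LDAP entry, {@code -1} failure.
 *
 * <p>Security notes: the user's password is never written to the log, the
 * {@code userPassword} compare is constant-time, and the search filter is
 * produced by {@link LDAPSettingsUtil#getAuthSearchFilter}; this class relies
 * on that helper to escape the caller-supplied identifiers (verify there).
 */
public class LDAPAuth implements Authenticator {

    /** {@code ldap.auth.method} value: authenticate by binding as the user. */
    public static final String AUTH_METHOD_BIND = "bind";

    /** {@code ldap.auth.method} value: compare against the stored {@code userPassword}. */
    public static final String AUTH_METHOD_PASSWORD_COMPARE = "password-compare";

    /** Response-control OID reported when the password is close to expiring (not consulted here). */
    public static final String RESULT_PASSWORD_EXP_WARNING = "2.16.840.1.113730.3.4.5";

    /** Response-control OID reported when the directory requires a password reset. */
    public static final String RESULT_PASSWORD_RESET = "2.16.840.1.113730.3.4.4";

    private static final Log _log = LogFactoryUtil.getLog(LDAPAuth.class);

    // Pipeline result codes as used by this class: see the class Javadoc.
    private static final int _SUCCESS = 1;
    private static final int _DNE = 0;
    private static final int _FAILURE = -1;

    /**
     * Authenticates a user identified by e-mail address.
     *
     * @param companyId the company the user belongs to
     * @param emailAddress the e-mail address typed by the user
     * @param password the clear-text password typed by the user
     * @param headerMap request headers (unused by this authenticator)
     * @param parameterMap request parameters (unused by this authenticator)
     * @return {@code 1}, {@code 0} or {@code -1} as described on the class
     * @throws AuthException if the LDAP round trip fails unexpectedly
     */
    @Override
    public int authenticateByEmailAddress(long companyId, String emailAddress, String password, Map<String, String[]> headerMap, Map<String, String[]> parameterMap) throws AuthException {
        try {
            return authenticate(companyId, emailAddress, "", 0L, password);
        } catch (Exception e) {
            _log.error(e, e);
            throw new AuthException(e);
        }
    }

    /**
     * Authenticates a user identified by screen name.
     *
     * @param companyId the company the user belongs to
     * @param screenName the screen name typed by the user
     * @param password the clear-text password typed by the user
     * @param headerMap request headers (unused by this authenticator)
     * @param parameterMap request parameters (unused by this authenticator)
     * @return {@code 1}, {@code 0} or {@code -1} as described on the class
     * @throws AuthException if the LDAP round trip fails unexpectedly
     */
    @Override
    public int authenticateByScreenName(long companyId, String screenName, String password, Map<String, String[]> headerMap, Map<String, String[]> parameterMap) throws AuthException {
        try {
            return authenticate(companyId, "", screenName, 0L, password);
        } catch (Exception e) {
            _log.error(e, e);
            throw new AuthException(e);
        }
    }

    /**
     * Authenticates a user identified by portal user id.
     *
     * @param companyId the company the user belongs to
     * @param userId the portal user id
     * @param password the clear-text password typed by the user
     * @param headerMap request headers (unused by this authenticator)
     * @param parameterMap request parameters (unused by this authenticator)
     * @return {@code 1}, {@code 0} or {@code -1} as described on the class
     * @throws AuthException if the LDAP round trip fails unexpectedly
     */
    @Override
    public int authenticateByUserId(long companyId, long userId, String password, Map<String, String[]> headerMap, Map<String, String[]> parameterMap) throws AuthException {
        try {
            return authenticate(companyId, "", "", userId, password);
        } catch (Exception e) {
            _log.error(e, e);
            throw new AuthException(e);
        }
    }

    /**
     * Verifies {@code password} for the LDAP entry {@code userDN} using the
     * method configured in {@code ldap.auth.method}.
     *
     * <p>With any other (or unset) method the result is returned untouched,
     * i.e. in the default state of {@link LDAPAuthResult}.
     *
     * @param ldapContext an open context whose environment supplies the
     *        connection settings for a fresh bind
     * @param companyId the company whose preferences are consulted
     * @param attributes the attributes of the user's LDAP entry
     * @param userDN the full DN of the user's entry
     * @param password the clear-text password to verify
     * @return the verification outcome, including any response controls
     *         returned by a bind and the server's error message on failure
     * @throws Exception if the password-compare path fails, e.g. reading the
     *         {@code userPassword} attribute
     */
    protected LDAPAuthResult authenticate(LdapContext ldapContext, long companyId, Attributes attributes, String userDN, String password) throws Exception {
        LDAPAuthResult ldapAuthResult = new LDAPAuthResult();

        String authMethod = PrefsPropsUtil.getString(companyId, "ldap.auth.method");

        if (AUTH_METHOD_BIND.equals(authMethod)) {
            _authenticateByBind(ldapContext, companyId, userDN, password, ldapAuthResult);
        } else if (AUTH_METHOD_PASSWORD_COMPARE.equals(authMethod)) {
            _authenticateByPasswordCompare(companyId, attributes, userDN, password, ldapAuthResult);
        }

        return ldapAuthResult;
    }

    /**
     * Bind path: opens a new, unpooled context as {@code userDN} and records
     * the outcome in {@code ldapAuthResult}.
     */
    private void _authenticateByBind(LdapContext ldapContext, long companyId, String userDN, String password, LDAPAuthResult ldapAuthResult) throws Exception {
        // Work on a copy: JNDI leaves the effect of mutating the table returned by
        // getEnvironment() undefined, and the credentials must not leak into the
        // service context that was used for the search.
        Hashtable<Object, Object> environment = new Hashtable<>(ldapContext.getEnvironment());

        environment.put(Context.SECURITY_PRINCIPAL, userDN);
        environment.put(Context.SECURITY_CREDENTIALS, password);
        environment.put(Context.REFERRAL, PrefsPropsUtil.getString(companyId, "ldap.referral"));
        // A per-user bind must not be cached and handed to another request.
        environment.put("com.sun.jndi.ldap.connect.pool", "false");

        InitialLdapContext bindContext = null;

        try {
            bindContext = new InitialLdapContext(environment, (Control[]) null);

            Control[] responseControls = bindContext.getResponseControls();

            ldapAuthResult.setAuthenticated(true);
            ldapAuthResult.setResponseControl(responseControls);
        } catch (Exception e) {
            // The DN is enough to diagnose a failed bind; the password is a secret
            // and is deliberately kept out of every log level.
            if (_log.isDebugEnabled()) {
                _log.debug("Failed to bind to the LDAP server with userDN " + userDN);
            }

            _log.error("Failed to bind to the LDAP server", e);

            ldapAuthResult.setAuthenticated(false);
            ldapAuthResult.setErrorMessage(e.getMessage());
        } finally {
            if (bindContext != null) {
                bindContext.close();
            }
        }
    }

    /**
     * Password-compare path: hashes the supplied password the way the
     * directory stores it and compares it with the {@code userPassword}
     * attribute. Leaves {@code ldapAuthResult} untouched when the entry has no
     * {@code userPassword} attribute.
     */
    private void _authenticateByPasswordCompare(long companyId, Attributes attributes, String userDN, String password, LDAPAuthResult ldapAuthResult) throws Exception {
        Attribute userPasswordAttribute = attributes.get("userPassword");

        if (userPasswordAttribute == null) {
            return;
        }

        byte[] storedPasswordBytes = (byte[]) userPasswordAttribute.get();

        // Stored values are of the form "{ALGORITHM}hash", which is ASCII; decode
        // as UTF-8 rather than the platform charset so the result is portable.
        String storedPassword = new String(storedPasswordBytes, StandardCharsets.UTF_8);

        String candidate = password;

        String algorithm = PrefsPropsUtil.getString(companyId, "ldap.auth.password.encryption.algorithm");

        if (Validator.isNotNull(algorithm)) {
            // The stored value is handed to the encryptor as well — presumably so it
            // can reuse the stored salt; confirm against PwdEncryptor.encrypt.
            candidate = "{" + algorithm + "}" + PwdEncryptor.encrypt(algorithm, password, storedPassword);
        }

        // Constant-time comparison: a plain equals() returns early on the first
        // differing byte, which leaks how much of the value matched.
        boolean matches = MessageDigest.isEqual(storedPasswordBytes, candidate.getBytes(StandardCharsets.UTF_8));

        if (matches) {
            ldapAuthResult.setAuthenticated(true);
        } else {
            ldapAuthResult.setAuthenticated(false);

            if (_log.isWarnEnabled()) {
                _log.warn("Passwords do not match for userDN " + userDN);
            }
        }
    }

    /**
     * Authenticates against one LDAP server.
     *
     * <p>Looks the user up below {@code ldap.base.dn<postfix>} with the filter
     * built by {@link LDAPSettingsUtil#getAuthSearchFilter}, verifies the
     * password when {@code PropsValues.LDAP_IMPORT_USER_PASSWORD_ENABLED} is
     * set, imports the LDAP user into the portal and flags a password reset
     * if the server asked for one.
     *
     * @param companyId the company whose preferences are consulted
     * @param ldapServerId the id of the LDAP server to query
     * @param emailAddress the e-mail address to search for (may be blank)
     * @param screenName the screen name to search for (may be blank)
     * @param userId the portal user id to search for ({@code 0} if unknown)
     * @param password the clear-text password to verify
     * @return {@code 1} on success, {@code 0} if no entry matched, {@code -1}
     *         if the server is unavailable or the password is wrong
     * @throws UserLockoutException if the server's error message contains the
     *         configured {@code ldap.error.user.lockout} text
     * @throws PasswordExpiredException if the server's error message contains
     *         the configured {@code ldap.error.password.expired} text
     * @throws Exception only from closing the context; other LDAP failures are
     *         logged and reported as {@code -1}
     */
    protected int authenticate(long companyId, long ldapServerId, String emailAddress, String screenName, long userId, String password) throws Exception {
        String postfix = LDAPSettingsUtil.getPropertyPostfix(ldapServerId);

        LdapContext ldapContext = PortalLDAPUtil.getContext(ldapServerId, companyId);

        if (ldapContext == null) {
            return _FAILURE;
        }

        NamingEnumeration<SearchResult> searchResults = null;

        try {
            String baseDN = PrefsPropsUtil.getString(companyId, "ldap.base.dn" + postfix);
            String filter = LDAPSettingsUtil.getAuthSearchFilter(ldapServerId, companyId, emailAddress, screenName, String.valueOf(userId));

            // Only the screen-name attribute is requested; the full entry is read
            // separately below once the DN is known.
            String screenNameAttribute = GetterUtil.getString(LDAPSettingsUtil.getUserMappings(ldapServerId, companyId).getProperty(UserDisplayTerms.SCREEN_NAME)).toLowerCase();

            // Subtree scope, at most one entry, no time limit.
            SearchControls searchControls = new SearchControls(SearchControls.SUBTREE_SCOPE, 1L, 0, new String[] {screenNameAttribute}, false, false);

            searchResults = ldapContext.search(baseDN, filter, searchControls);

            if (!searchResults.hasMoreElements()) {
                if (_log.isDebugEnabled()) {
                    _log.debug("Search filter did not return any results");
                }

                return _DNE;
            }

            if (_log.isDebugEnabled()) {
                _log.debug("Search filter returned at least one result");
            }

            String fullUserDN = PortalLDAPUtil.getNameInNamespace(ldapServerId, companyId, searchResults.nextElement());

            Attributes attributes = PortalLDAPUtil.getUserAttributes(ldapServerId, companyId, ldapContext, fullUserDN);

            LDAPAuthResult ldapAuthResult = null;

            if (PropsValues.LDAP_IMPORT_USER_PASSWORD_ENABLED) {
                ldapAuthResult = authenticate(ldapContext, companyId, attributes, fullUserDN, password);

                String errorMessage = ldapAuthResult.getErrorMessage();

                if (errorMessage != null) {
                    // An empty configured marker would otherwise match every message
                    // and turn any bind failure into a lockout/expiry report.
                    String lockoutMarker = PrefsPropsUtil.getString(companyId, "ldap.error.user.lockout");

                    if (Validator.isNotNull(lockoutMarker) && errorMessage.contains(lockoutMarker)) {
                        throw new UserLockoutException();
                    }

                    String expiredMarker = PrefsPropsUtil.getString(companyId, "ldap.error.password.expired");

                    if (Validator.isNotNull(expiredMarker) && errorMessage.contains(expiredMarker)) {
                        throw new PasswordExpiredException();
                    }
                }

                if (!ldapAuthResult.isAuthenticated()) {
                    return _FAILURE;
                }
            }

            User user = PortalLDAPImporterUtil.importLDAPUser(ldapServerId, companyId, ldapContext, attributes, password);

            // Null-safe: the response control is only populated by the bind path.
            if ((ldapAuthResult != null) && RESULT_PASSWORD_RESET.equals(ldapAuthResult.getResponseControl())) {
                UserLocalServiceUtil.updatePasswordReset(user.getUserId(), true);
            }

            return _SUCCESS;
        } catch (PasswordExpiredException | UserLockoutException e) {
            // These carry a decision for the caller; everything else is a failure.
            throw e;
        } catch (Exception e) {
            _log.error("Problem accessing LDAP server", e);

            return _FAILURE;
        } finally {
            try {
                if (searchResults != null) {
                    searchResults.close();
                }
            } finally {
                ldapContext.close();
            }
        }
    }

    /**
     * Authenticates against every configured LDAP server in turn and, when
     * none accepts the credentials, applies the {@code ldap.auth.required}
     * policy.
     *
     * <p>Servers listed in {@code ldap.server.ids} are tried first, then
     * consecutive ids starting at {@code 0} for as long as a
     * {@code ldap.base.provider.url<postfix>} is configured (presumably the
     * legacy numbering scheme; ids may overlap with the first list).
     *
     * @param companyId the company whose preferences are consulted
     * @param emailAddress the e-mail address to search for (may be blank)
     * @param screenName the screen name to search for (may be blank)
     * @param userId the portal user id to search for ({@code 0} if unknown)
     * @param password the clear-text password to verify
     * @return {@code 1} if LDAP authentication is disabled or some server
     *         accepted the credentials, otherwise the value chosen by
     *         {@link #authenticateRequired}
     * @throws Exception propagated from the per-server attempts
     */
    protected int authenticate(long companyId, String emailAddress, String screenName, long userId, String password) throws Exception {
        if (!AuthSettingsUtil.isLDAPAuthEnabled(companyId)) {
            if (_log.isDebugEnabled()) {
                _log.debug("Authenticator is not enabled");
            }

            return _SUCCESS;
        }

        if (_log.isDebugEnabled()) {
            _log.debug("Authenticator is enabled");
        }

        long[] ldapServerIds = StringUtil.split(PrefsPropsUtil.getString(companyId, "ldap.server.ids"), 0L);

        for (long ldapServerId : ldapServerIds) {
            if (authenticate(companyId, ldapServerId, emailAddress, screenName, userId, password) == _SUCCESS) {
                return _SUCCESS;
            }
        }

        for (long ldapServerId = 0;; ldapServerId++) {
            String providerUrl = PrefsPropsUtil.getString(companyId, "ldap.base.provider.url" + LDAPSettingsUtil.getPropertyPostfix(ldapServerId));

            if (Validator.isNull(providerUrl)) {
                break;
            }

            if (authenticate(companyId, ldapServerId, emailAddress, screenName, userId, password) == _SUCCESS) {
                return _SUCCESS;
            }
        }

        return authenticateRequired(companyId, userId, emailAddress, screenName, true, _FAILURE);
    }

    /**
     * Reports whether the identified portal user is an omniadmin.
     *
     * <p>Only one identifier is consulted, in the order user id, e-mail
     * address, screen name; the check is skipped entirely when
     * {@code PropsValues.AUTH_PIPELINE_ENABLE_LIFERAY_CHECK} is off.
     *
     * @param companyId the company to look the user up in
     * @param emailAddress the e-mail address (may be blank)
     * @param screenName the screen name (may be blank)
     * @param userId the portal user id ({@code 0} if unknown)
     * @return {@code 1} if the user is an omniadmin, otherwise {@code -1}
     *         (also when no such user exists or no identifier was given)
     * @throws Exception propagated from the user lookups other than
     *         {@link NoSuchUserException}
     */
    protected int authenticateOmniadmin(long companyId, String emailAddress, String screenName, long userId) throws Exception {
        if (!PropsValues.AUTH_PIPELINE_ENABLE_LIFERAY_CHECK) {
            return _FAILURE;
        }

        if (userId > 0) {
            return _resultFor(OmniadminUtil.isOmniadmin(userId));
        }

        if (Validator.isNotNull(emailAddress)) {
            try {
                User user = UserLocalServiceUtil.getUserByEmailAddress(companyId, emailAddress);

                return _resultFor(OmniadminUtil.isOmniadmin(user.getUserId()));
            } catch (NoSuchUserException nsue) {
                return _FAILURE;
            }
        }

        if (Validator.isNotNull(screenName)) {
            try {
                User user = UserLocalServiceUtil.getUserByScreenName(companyId, screenName);

                return _resultFor(OmniadminUtil.isOmniadmin(user.getUserId()));
            } catch (NoSuchUserException nsue) {
                return _FAILURE;
            }
        }

        return _FAILURE;
    }

    /**
     * Decides the outcome when no LDAP server accepted the credentials.
     *
     * @param companyId the company whose preferences are consulted
     * @param userId the portal user id ({@code 0} if unknown)
     * @param emailAddress the e-mail address (may be blank)
     * @param screenName the screen name (may be blank)
     * @param allowOmniadmin whether an omniadmin may bypass the requirement
     * @param failureCode the value to return when LDAP authentication is
     *        required and did not succeed
     * @return {@code 1} if the user is an omniadmin (and that is allowed) or
     *         {@code ldap.auth.required} is off, otherwise {@code failureCode}
     * @throws Exception propagated from {@link #authenticateOmniadmin}
     */
    protected int authenticateRequired(long companyId, long userId, String emailAddress, String screenName, boolean allowOmniadmin, int failureCode) throws Exception {
        if (allowOmniadmin && (authenticateOmniadmin(companyId, emailAddress, screenName, userId) == _SUCCESS)) {
            return _SUCCESS;
        }

        if (PrefsPropsUtil.getBoolean(companyId, "ldap.auth.required")) {
            return failureCode;
        }

        return _SUCCESS;
    }

    /** Maps a yes/no answer to the pipeline's success/failure code. */
    private static int _resultFor(boolean accepted) {
        return accepted ? _SUCCESS : _FAILURE;
    }
}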
