package com.alfaariss.oa.authentication.password.jndi;

import com.alfaariss.oa.OAException;
import com.alfaariss.oa.UserEvent;
import com.alfaariss.oa.UserException;
import com.alfaariss.oa.api.configuration.IConfigurationManager;
import com.alfaariss.oa.authentication.password.AbstractResourceHandler;
import com.alfaariss.oa.util.ldap.JNDIUtil;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.w3c.dom.Element;

/* loaded from: input_file:com/alfaariss/oa/authentication/password/jndi/JNDIProtocolResource.class */
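/**
 * Password resource that verifies a user name / password pair against an LDAP
 * directory through JNDI.
 *
 * Two modes are supported, selected by the {@code security_principal} section:
 * <ul>
 *   <li><b>simple bind</b> (no principal dn): the user DN is built as
 *       {@code <user attr>=<escaped name>, <base dn>} and a bind is attempted
 *       with the supplied password;</li>
 *   <li><b>search then bind</b> (principal dn configured): the service account
 *       binds, searches the base DN for the user's entry, and the resolved DN is
 *       then bound with the supplied password.</li>
 * </ul>
 *
 * Security notes (all enforced below):
 * <ul>
 *   <li>an empty password is never sent to the directory, because an LDAP simple
 *       bind with a DN and an empty password is an <em>unauthenticated</em> bind
 *       (RFC 4513 section 5.1.2) that many servers accept as anonymous;</li>
 *   <li>a search that matches more than one entry is rejected, since the first
 *       hit would otherwise silently decide which account the password is tested
 *       against;</li>
 *   <li>user input is escaped by {@link JNDIUtil} before it is placed in a DN or a
 *       search filter, and the filter placeholder is substituted literally.</li>
 * </ul>
 *
 * The {@code url} and {@code driver} values come from the (trusted) server
 * configuration; the driver is a class name handed to JNDI as the initial
 * context factory.
 */
public class JNDIProtocolResource extends AbstractResourceHandler {
    private final Log _logger = LogFactory.getLog(JNDIProtocolResource.class);
    /** JNDI provider URL of the directory (ldap:// or ldaps://). */
    protected String _sJNDIUrl;
    /** Fully qualified class name of the JNDI initial context factory. */
    protected String _sDriver;
    /** Base DN: suffix of every user DN and search base for lookups. */
    protected String _sBaseDn;
    /** Attribute whose value is the user name (e.g. uid); null when only a filter is configured. */
    protected String _sUserDn;
    /** Optional search filter; every '?' is replaced by the escaped user name. */
    protected String _sFilter;
    /** DN of the service account used for lookups; "" selects simple-bind mode. */
    protected String _sPrincipalDn;
    /** Password of the service account; "" when not configured. */
    protected String _sPrincipalPwd;
    /** True when the URL starts with "ldaps"; JNDI is then told to use SSL. */
    protected boolean _bSSL;

    /**
     * Reads the realm configuration.
     *
     * Required: {@code url}, {@code driver}, {@code dn/base} and at least one of
     * {@code dn/user} or {@code dn/filter}. Optional: {@code security_principal/dn}
     * and {@code security_principal/password}.
     *
     * @param iConfigurationManager configuration access
     * @param element              the resource's configuration section
     * @throws OAException code 17 when a required item is missing, code 2 when
     *                     the combination of items is inconsistent (no way to
     *                     build or search a user DN, both user and filter with a
     *                     service account, or a filter without a '?' placeholder)
     */
    public void init(IConfigurationManager iConfigurationManager, Element element) throws OAException {
        super.init(iConfigurationManager, element);

        _sJNDIUrl = requireParam(iConfigurationManager, element, "url", "url");
        // Only an ldaps URL gets transport protection; with plain ldap every bind
        // sends the user's password in clear text, so make that visible.
        _bSSL = _sJNDIUrl.regionMatches(true, 0, "ldaps", 0, 5);
        if (_bSSL) {
            _logger.info("SSL enabled");
        } else {
            _logger.warn("SSL disabled for realm '" + _sResourceRealm
                + "': bind passwords will be sent to " + _sJNDIUrl + " unprotected");
        }

        _sDriver = requireParam(iConfigurationManager, element, "driver", "driver");

        Element dnSection = iConfigurationManager.getSection(element, "dn");
        if (dnSection == null) {
            _logger.error("No dn section defined for realm: " + _sResourceRealm);
            throw new OAException(17);
        }
        _sBaseDn = requireParam(iConfigurationManager, dnSection, "base", "base dn");
        _sFilter = iConfigurationManager.getParam(dnSection, "filter");
        // An empty user attribute is as useless as a missing one: treat both as absent.
        _sUserDn = blankToNull(iConfigurationManager.getParam(dnSection, "user"));
        if (_sUserDn == null && _sFilter == null) {
            _logger.error("No user dn defined for realm: " + _sResourceRealm);
            throw new OAException(17);
        }

        readSecurityPrincipal(iConfigurationManager, element);

        if (_sPrincipalDn.length() == 0) {
            // Simple-bind mode needs the attribute name to build the user DN.
            if (_sUserDn == null) {
                _logger.error("Invalid configuration: No security principal dn and user dn available; simple bind is not possible");
                throw new OAException(2);
            }
            _logger.info("No security principal dn defined for realm '" + _sResourceRealm + "'. Using simple binding");
            return;
        }

        if (_sFilter != null) {
            if (_sUserDn != null) {
                _logger.error("Invalid configuration: Both user dn and filter are configured");
                throw new OAException(2);
            }
            // Without a placeholder the filter ignores the user name, so every
            // login would be resolved to the same directory entry.
            if (_sFilter.indexOf('?') < 0) {
                _logger.error("Invalid configuration: search filter '" + _sFilter
                    + "' contains no '?' placeholder for the user name");
                throw new OAException(2);
            }
            _logger.info("Using configured search filter: " + _sFilter);
        }
    }

    /**
     * Checks the given credentials against the directory.
     *
     * Note the argument order: the password comes first and the user name second
     * (the user name is passed through {@code constructUsername} before the bind).
     *
     * @param sPassword the password to verify
     * @param sUsername the user name as entered by the user
     * @return true when the directory accepted the bind, false when the password
     *         (or an empty password) was rejected
     * @throws UserException when the user cannot be found by the search
     * @throws OAException   on configuration, connection or directory errors
     *                       (code 1 for unexpected runtime failures)
     */
    public boolean authenticate(String sPassword, String sUsername) throws UserException, OAException {
        try {
            return doBind(constructUsername(sUsername), sPassword);
        } catch (OAException e) {
            _logger.error("Error occured during authentication", e);
            throw e;
        } catch (UserException e) {
            _logger.debug("Could not authenticate user");
            throw e;
        } catch (Exception e) {
            _logger.fatal("Fatal error occured during authentication", e);
            throw new OAException(1);
        }
    }

    /**
     * Resolves the user's DN (directly or via search) and binds with the password.
     *
     * @param sUser     user name (already passed through constructUsername)
     * @param sPassword password to bind with
     * @return true when the bind succeeded, false when it was rejected
     */
    private boolean doBind(String sUser, String sPassword) throws OAException, UserException {
        // RFC 4513 5.1.2: a simple bind with a DN and an empty password is an
        // unauthenticated bind, which many servers accept as anonymous. Forwarding
        // it would let anyone "log in" as any known user without a password.
        if (sPassword == null || sPassword.length() == 0) {
            _logger.debug("Rejected empty password for user: " + sUser);
            return false;
        }

        Hashtable<String, String> env = newEnvironment();
        String sUserDn;
        if (_sPrincipalDn.length() == 0) {
            // Simple-bind mode: the DN is derived from the user name.
            String sEscaped = JNDIUtil.escapeDN(sUser);
            _logger.debug("Escaped user: " + sEscaped);
            sUserDn = _sUserDn + '=' + sEscaped + ", " + _sBaseDn;
        } else {
            // Search mode: the service account looks up the user's entry first.
            sUserDn = lookupUserDn(env, sUser);
        }
        return bindAsUser(env, sUserDn, sUser, sPassword);
    }

    /**
     * Binds with the service account and searches the base DN for the user.
     *
     * @return the DN of the single matching entry, relative name plus base DN
     * @throws UserException AUTHN_METHOD_NOT_SUPPORTED when the search fails or
     *                       finds nothing
     * @throws OAException   33 when the service account cannot bind, 35 on
     *                       connection/directory errors, a missing name, or an
     *                       ambiguous (multi-entry) result
     */
    private String lookupUserDn(Hashtable<String, String> env, String sUser) throws OAException, UserException {
        env.put(Context.SECURITY_PRINCIPAL, _sPrincipalDn);
        env.put(Context.SECURITY_CREDENTIALS, _sPrincipalPwd);

        String sQuery = resolveSearchQuery(sUser);
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        // Only the entry name is needed; do not pull any attributes over the wire.
        controls.setReturningAttributes(new String[0]);

        DirContext ctx;
        try {
            ctx = new InitialDirContext(env);
        } catch (CommunicationException e) {
            _logger.warn("A communication error has occured", e);
            throw new OAException(35);
        } catch (AuthenticationException e) {
            _logger.warn("Could not bind to LDAP server", e);
            throw new OAException(33);
        } catch (NamingException e) {
            _logger.warn("A naming error has occured", e);
            throw new OAException(35);
        } finally {
            // The env is reused for the user bind; do not keep the service password around.
            env.remove(Context.SECURITY_CREDENTIALS);
        }

        try {
            NamingEnumeration<SearchResult> results;
            try {
                results = ctx.search(_sBaseDn, sQuery, controls);
            } catch (NamingException e) {
                _logger.warn("User id not found in password backend for user: " + sUser, e);
                throw new UserException(UserEvent.AUTHN_METHOD_NOT_SUPPORTED);
            }
            try {
                if (!results.hasMore()) {
                    _logger.warn("User '" + sUser + "' not found during LDAP search. The filter was: '" + sQuery + "'");
                    throw new UserException(UserEvent.AUTHN_METHOD_NOT_SUPPORTED);
                }
                String sName = results.next().getName();
                // Two entries matching one user name means the filter cannot tell
                // which account is logging in; never pick the first one blindly.
                if (results.hasMore()) {
                    _logger.warn("Ambiguous LDAP search for user '" + sUser + "': more than one entry matched filter '" + sQuery + "'");
                    throw new OAException(35);
                }
                if (sName == null) {
                    _logger.warn("no user dn was returned for '" + sUser + "'.");
                    throw new OAException(35);
                }
                // getName() is relative to the search base, so append the base DN.
                return sName + "," + _sBaseDn;
            } catch (NamingException e) {
                _logger.warn("failed to fetch profile of user '" + sUser + "'.", e);
                throw new OAException(35);
            } finally {
                try {
                    results.close();
                } catch (NamingException ignored) {
                    // best effort: the context is closed right after anyway
                }
            }
        } finally {
            closeQuietly(ctx);
        }
    }

    /**
     * Performs the user bind.
     *
     * @return true when the directory accepted the credentials, false on
     *         AuthenticationException
     * @throws OAException 35 on connection or other naming errors
     */
    private boolean bindAsUser(Hashtable<String, String> env, String sDn, String sUser, String sPassword) throws OAException {
        env.put(Context.SECURITY_PRINCIPAL, sDn);
        env.put(Context.SECURITY_CREDENTIALS, sPassword);
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            return true;
        } catch (AuthenticationException e) {
            _logger.debug("Could not authenticate user (invalid password): " + sUser, e);
            return false;
        } catch (CommunicationException e) {
            _logger.warn("A communication error has occured", e);
            throw new OAException(35);
        } catch (NamingException e) {
            _logger.warn("A naming error has occured", e);
            throw new OAException(35);
        } finally {
            env.remove(Context.SECURITY_CREDENTIALS);
            closeQuietly(ctx);
        }
    }

    /**
     * Builds the search filter for a user: the configured filter with every '?'
     * replaced by the escaped user name, or {@code (<user attr>=<escaped>)}.
     *
     * The substitution is a literal replace, not a regex replace: with
     * {@code replaceAll} a '$' or '\' surviving in the escaped value would be
     * interpreted as a group reference or escape and could alter the filter.
     */
    private String resolveSearchQuery(String sUser) {
        String sEscaped = JNDIUtil.escapeLDAPSearchFilter(sUser);
        if (_sFilter != null) {
            return _sFilter.replace("?", sEscaped);
        }
        return "(" + _sUserDn + "=" + sEscaped + ")";
    }

    /** Creates the JNDI environment shared by the service and user binds. */
    private Hashtable<String, String> newEnvironment() {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.PROVIDER_URL, _sJNDIUrl);
        env.put(Context.INITIAL_CONTEXT_FACTORY, _sDriver);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        if (_bSSL) {
            env.put(Context.SECURITY_PROTOCOL, "ssl");
        }
        return env;
    }

    /** Reads the optional {@code security_principal} section; absent items default to "". */
    private void readSecurityPrincipal(IConfigurationManager config, Element element) throws OAException {
        Element section = config.getSection(element, "security_principal");
        if (section == null) {
            _sPrincipalDn = "";
            _sPrincipalPwd = "";
            _logger.info("No 'security_principal' section configured for realm '" + _sResourceRealm + "', using default");
            return;
        }
        _sPrincipalDn = config.getParam(section, "dn");
        if (_sPrincipalDn == null) {
            _sPrincipalDn = "";
            _logger.info("No 'dn' item in 'security_principal' section configured for realm '" + _sResourceRealm + "', using default");
        }
        _sPrincipalPwd = config.getParam(section, "password");
        if (_sPrincipalPwd == null) {
            _sPrincipalPwd = "";
            _logger.info("No 'password' item in 'security_principal' section configured for realm '" + _sResourceRealm + "', using default: empty");
        }
        if (_sPrincipalDn.length() > 0 && _sPrincipalPwd.length() == 0) {
            // A DN with an empty password is an unauthenticated bind (RFC 4513 5.1.2).
            _logger.warn("Security principal '" + _sPrincipalDn + "' for realm '" + _sResourceRealm
                + "' has an empty password; the lookup bind will be unauthenticated");
        }
    }

    /** Returns the parameter value, or logs "No <what> defined" and throws OAException(17). */
    private String requireParam(IConfigurationManager config, Element section, String sName, String sWhat) throws OAException {
        String sValue = config.getParam(section, sName);
        if (sValue == null || sValue.length() == 0) {
            _logger.error("No " + sWhat + " defined for realm: " + _sResourceRealm);
            throw new OAException(17);
        }
        return sValue;
    }

    /** Maps "" to null so callers only have to test for one "absent" value. */
    private static String blankToNull(String s) {
        return (s == null || s.length() == 0) ? null : s;
    }

    /** Closes a context, logging (not throwing) when the close itself fails. */
    private void closeQuietly(DirContext ctx) {
        if (ctx == null) {
            return;
        }
        try {
            ctx.close();
        } catch (Exception e) {
            _logger.warn("Could not close connection with '" + _sJNDIUrl + "'", e);
        }
    }
}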
