package com.ibm.ws.security.javaeesec.identitystore;

import com.ibm.websphere.crypto.PasswordUtil;
import com.ibm.websphere.ras.ProtectedString;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.websphere.ras.annotation.Trivial;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.javaeesec.JavaEESecConstants;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.inject.Default;
import jakarta.security.enterprise.credential.CallerOnlyCredential;
import jakarta.security.enterprise.credential.Credential;
import jakarta.security.enterprise.credential.UsernamePasswordCredential;
import jakarta.security.enterprise.identitystore.CredentialValidationResult;
import jakarta.security.enterprise.identitystore.IdentityStore;
import jakarta.security.enterprise.identitystore.IdentityStorePermission;
import jakarta.security.enterprise.identitystore.LdapIdentityStoreDefinition;
import java.lang.reflect.UndeclaredThrowableException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapName;

@ApplicationScoped
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@Default
@TraceOptions
/* loaded from: input_file:com/ibm/ws/security/javaeesec/identitystore/LdapIdentityStore.class */
public class LdapIdentityStore implements IdentityStore {
    private static final TraceComponent tc = Tr.register(LdapIdentityStore.class, "security", "com.ibm.ws.security.javaeesec.internal.resources.JavaEESecMessages");
    private final LdapIdentityStoreDefinitionWrapper idStoreDefinition;
    static final long serialVersionUID = -6976246879957428054L;

    /* JADX INFO: Access modifiers changed from: private */
    @Trivial
    /* loaded from: input_file:com/ibm/ws/security/javaeesec/identitystore/LdapIdentityStore$GetDirContextAction.class */
    public class GetDirContextAction implements PrivilegedExceptionAction<DirContext> {
        private final Hashtable<Object, Object> env;

        private GetDirContextAction(Hashtable<Object, Object> hashtable) {
            this.env = hashtable;
        }

        /* JADX WARN: Can't rename method to resolve collision */
        @Override // java.security.PrivilegedExceptionAction
        public DirContext run() throws NamingException {
            return new InitialLdapContext(this.env, (Control[]) null);
        }
    }

    @Sensitive
    public LdapIdentityStore(@Sensitive LdapIdentityStoreDefinition ldapIdentityStoreDefinition) {
        this.idStoreDefinition = new LdapIdentityStoreDefinitionWrapper(ldapIdentityStoreDefinition);
    }

    private DirContext bind() throws NamingException {
        return bind(this.idStoreDefinition.getBindDn(), this.idStoreDefinition.getBindDnPassword());
    }

    private DirContext bind(String str, ProtectedString protectedString) throws NamingException {
        Hashtable<Object, Object> hashtable = new Hashtable<>();
        String url = this.idStoreDefinition.getUrl();
        if (url == null || url.isEmpty()) {
            throw new IllegalArgumentException("No URL was provided to the LdapIdentityStore.");
        }
        hashtable.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        hashtable.put("java.naming.provider.url", url);
        if (url != null && url.startsWith("ldaps")) {
            hashtable.put("java.naming.ldap.factory.socket", "com.ibm.ws.ssl.protocol.LibertySSLSocketFactory");
            hashtable.put("java.naming.security.protocol", "ssl");
        }
        if (str != null && !str.isEmpty() && protectedString != null) {
            String passwordDecode = PasswordUtil.passwordDecode(new String(protectedString.getChars()).trim());
            if (passwordDecode == null || passwordDecode.isEmpty()) {
                throw new IllegalArgumentException("An empty password is invalid.");
            }
            hashtable.put("java.naming.security.principal", str);
            hashtable.put("java.naming.security.credentials", passwordDecode);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "JNDI_CALL bind", new Object[]{str, url});
        }
        return getDirContext(hashtable);
    }

    @FFDCIgnore({PrivilegedActionException.class})
    @Sensitive
    private DirContext getDirContext(@Sensitive Hashtable<Object, Object> hashtable) throws NamingException {
        try {
            return (DirContext) AccessController.doPrivileged(new GetDirContextAction(hashtable));
        } catch (PrivilegedActionException e) {
            NamingException exception = e.getException();
            if (exception instanceof NamingException) {
                throw exception;
            }
            if (exception instanceof RuntimeException) {
                throw ((RuntimeException) exception);
            }
            throw new UndeclaredThrowableException(exception);
        }
    }

    public Set<String> getCallerGroups(CredentialValidationResult credentialValidationResult) {
        if (!validationTypes().contains(IdentityStore.ValidationType.PROVIDE_GROUPS)) {
            return new HashSet();
        }
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(new IdentityStorePermission(JavaEESecConstants.GET_GROUPS_PERMISSION));
        }
        String callerDn = credentialValidationResult.getCallerDn();
        if (callerDn == null || callerDn.isEmpty()) {
            String name = credentialValidationResult.getCallerPrincipal().getName();
            callerDn = isValidDn(name) ? name : getUserDn(name, getFormattedFilter(this.idStoreDefinition.getCallerSearchFilter(), name, this.idStoreDefinition.getCallerNameAttribute()), getCallerSearchControls());
        }
        if (callerDn == null || callerDn.isEmpty()) {
            return new HashSet();
        }
        try {
            return getGroups(bind(), callerDn);
        } catch (NamingException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.javaeesec.identitystore.LdapIdentityStore", "195", this, new Object[]{credentialValidationResult});
            Tr.error(tc, "JAVAEESEC_ERROR_EXCEPTION_ON_BIND", new Object[]{this.idStoreDefinition.getBindDn(), e});
            throw new IllegalStateException((Throwable) e);
        }
    }

    public CredentialValidationResult validate(Credential credential) {
        String caller;
        DirContext bind;
        if (!(credential instanceof UsernamePasswordCredential) && !(credential instanceof CallerOnlyCredential)) {
            Tr.error(tc, "JAVAEESEC_ERROR_WRONG_CRED", new Object[0]);
            return CredentialValidationResult.NOT_VALIDATED_RESULT;
        }
        if (!credential.isValid()) {
            return CredentialValidationResult.INVALID_RESULT;
        }
        boolean z = false;
        if (credential instanceof UsernamePasswordCredential) {
            caller = ((UsernamePasswordCredential) credential).getCaller();
        } else {
            z = true;
            caller = ((CallerOnlyCredential) credential).getCaller();
        }
        String callerSearchFilter = this.idStoreDefinition.getCallerSearchFilter();
        String callerNameAttribute = this.idStoreDefinition.getCallerNameAttribute();
        String str = null;
        Set<String> hashSet = new HashSet();
        String userDn = isValidDn(caller) ? caller : getUserDn(caller, getFormattedFilter(callerSearchFilter, caller, callerNameAttribute), getCallerSearchControls());
        if (userDn == null) {
            return CredentialValidationResult.INVALID_RESULT;
        }
        if (z) {
            try {
                bind = bind();
            } catch (NamingException e) {
                FFDCFilter.processException(e, "com.ibm.ws.security.javaeesec.identitystore.LdapIdentityStore", "251", this, new Object[]{credential});
                Tr.error(tc, "JAVAEESEC_ERROR_EXCEPTION_ON_BIND", new Object[]{this.idStoreDefinition.getBindDn(), e});
                throw new IllegalStateException((Throwable) e);
            }
        } else {
            try {
                bind = bind(userDn, new ProtectedString(((UsernamePasswordCredential) credential).getPassword().getValue()));
            } catch (NamingException e2) {
                FFDCFilter.processException(e2, "com.ibm.ws.security.javaeesec.identitystore.LdapIdentityStore", "244", this, new Object[]{credential});
                Tr.debug(tc, "JAVAEESEC_ERROR_EXCEPTION_ON_BIND", new Object[]{userDn, e2});
                return CredentialValidationResult.INVALID_RESULT;
            }
        }
        if (bind == null) {
            return CredentialValidationResult.INVALID_RESULT;
        }
        if (callerNameAttribute.equalsIgnoreCase("dn")) {
            str = userDn;
        } else {
            try {
                Attribute attribute = bind.getAttributes(userDn, new String[]{callerNameAttribute}).get(callerNameAttribute);
                if (attribute == null) {
                    Tr.warning(tc, "JAVAEESEC_WARNING_MISSING_CALLER_ATTR", new Object[]{userDn, callerNameAttribute});
                    return CredentialValidationResult.INVALID_RESULT;
                }
                NamingEnumeration all = attribute.getAll();
                while (all.hasMoreElements()) {
                    str = (String) all.nextElement();
                }
            } catch (NamingException e3) {
                FFDCFilter.processException(e3, "com.ibm.ws.security.javaeesec.identitystore.LdapIdentityStore", "274", this, new Object[]{credential});
                Tr.warning(tc, "JAVAEESEC_WARNING_EXCEPTION_ON_GETATTRIBUTES", new Object[]{userDn, callerNameAttribute, e3});
            }
        }
        if (validationTypes().contains(IdentityStore.ValidationType.PROVIDE_GROUPS)) {
            hashSet = getGroups(bind, userDn);
        }
        String replaceFirst = this.idStoreDefinition.getUrl().replaceFirst("(?i)ldaps?:\\/\\/", "");
        if (replaceFirst.endsWith("/")) {
            replaceFirst = replaceFirst.substring(0, replaceFirst.length() - 1);
        }
        return new CredentialValidationResult(replaceFirst, str, userDn, userDn, hashSet);
    }

    private String getUserDn(String str, String str2, SearchControls searchControls) {
        String str3 = null;
        String callerSearchBase = this.idStoreDefinition.getCallerSearchBase();
        if (callerSearchBase == null || callerSearchBase.isEmpty()) {
            str3 = this.idStoreDefinition.getCallerNameAttribute() + "=" + str + "," + this.idStoreDefinition.getCallerBaseDn();
        } else {
            try {
                DirContext bind = bind();
                try {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "JNDI_CALL search", new Object[]{callerSearchBase, str2, printControls(searchControls)});
                    }
                    NamingEnumeration search = bind.search(new LdapName(callerSearchBase), str2, searchControls);
                    if (search.hasMoreElements()) {
                        str3 = ((SearchResult) search.nextElement()).getNameInNamespace();
                        if (search.hasMoreElements()) {
                            Tr.warning(tc, "JAVAEESEC_WARNING_MULTI_CALLER_LDAP", new Object[]{str, str2, callerSearchBase});
                            return null;
                        }
                    }
                } catch (NamingException e) {
                    FFDCFilter.processException(e, "com.ibm.ws.security.javaeesec.identitystore.LdapIdentityStore", "336", this, new Object[]{str, str2, searchControls});
                    Tr.error(tc, "JAVAEESEC_ERROR_EXCEPTION_ON_SEARCH", new Object[]{str, str2, callerSearchBase, e});
                    throw new IllegalStateException((Throwable) e);
                }
            } catch (NamingException e2) {
                FFDCFilter.processException(e2, "com.ibm.ws.security.javaeesec.identitystore.LdapIdentityStore", "320", this, new Object[]{str, str2, searchControls});
                Tr.error(tc, "JAVAEESEC_ERROR_EXCEPTION_ON_BIND", new Object[]{this.idStoreDefinition.getBindDn(), e2});
                throw new IllegalStateException((Throwable) e2);
            }
        }
        return str3;
    }

    private Set<String> getGroups(DirContext dirContext, String str) {
        String groupSearchBase = this.idStoreDefinition.getGroupSearchBase();
        String groupSearchFilter = this.idStoreDefinition.getGroupSearchFilter();
        return (groupSearchBase.isEmpty() || groupSearchFilter.isEmpty()) ? getGroupsByMembership(dirContext, str) : getGroupsByMember(dirContext, str, groupSearchBase, groupSearchFilter);
    }

    private Set<String> getGroupsByMember(DirContext dirContext, String str, String str2, String str3) {
        String groupNameAttribute = this.idStoreDefinition.getGroupNameAttribute();
        SearchControls searchControls = new SearchControls(getSearchScope(this.idStoreDefinition.getGroupSearchScope()), Long.valueOf(this.idStoreDefinition.getMaxResults()).longValue(), this.idStoreDefinition.getReadTimeout(), new String[]{groupNameAttribute}, false, false);
        String formattedFilter = getFormattedFilter(str3, str, this.idStoreDefinition.getGroupMemberAttribute());
        HashSet hashSet = new HashSet();
        try {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "JNDI_CALL search", new Object[]{str2, formattedFilter, printControls(searchControls)});
            }
            NamingEnumeration search = dirContext.search(new LdapName(str2), formattedFilter, searchControls);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Iterate through the search results", new Object[0]);
            }
            while (search.hasMoreElements()) {
                SearchResult searchResult = (SearchResult) search.nextElement();
                String nameInNamespace = searchResult.getNameInNamespace();
                if (groupNameAttribute.equalsIgnoreCase("dn")) {
                    hashSet.add(nameInNamespace);
                } else {
                    Attribute attribute = searchResult.getAttributes().get(groupNameAttribute);
                    if (attribute == null) {
                        Tr.warning(tc, "JAVAEESEC_WARNING_MISSING_GROUP_ATTR", new Object[]{nameInNamespace, groupNameAttribute});
                    } else {
                        NamingEnumeration all = attribute.getAll();
                        if (all.hasMoreElements()) {
                            hashSet.add((String) all.nextElement());
                        }
                    }
                }
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "getGroupsByMember", new Object[]{hashSet});
            }
            return hashSet;
        } catch (NamingException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.javaeesec.identitystore.LdapIdentityStore", "415", this, new Object[]{dirContext, str, str2, str3});
            Tr.error(tc, "JAVAEESEC_ERROR_EXCEPTION_ON_GROUP_SEARCH", new Object[]{str, e});
            throw new IllegalStateException((Throwable) e);
        }
    }

    private String getFormattedFilter(String str, String str2, String str3) {
        String replaceAll = str.replaceAll("%v", "%s");
        if ((!replaceAll.startsWith("(") || !replaceAll.endsWith(")")) && !replaceAll.isEmpty()) {
            replaceAll = "(" + replaceAll + ")";
        }
        return replaceAll.contains("%s") ? String.format(replaceAll, str2) : "(&" + replaceAll + "(" + str3 + "=" + str2 + "))";
    }

    private Set<String> getGroupsByMembership(DirContext dirContext, String str) {
        String groupMemberOfAttribute = this.idStoreDefinition.getGroupMemberOfAttribute();
        String groupNameAttribute = this.idStoreDefinition.getGroupNameAttribute();
        HashSet<String> hashSet = new HashSet();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "JNDI_CALL getAttributes", new Object[]{str, groupMemberOfAttribute});
        }
        try {
            Attribute attribute = dirContext.getAttributes(str, new String[]{groupMemberOfAttribute}).get(groupMemberOfAttribute);
            if (attribute != null) {
                NamingEnumeration all = attribute.getAll();
                while (all.hasMoreElements()) {
                    hashSet.add((String) all.nextElement());
                }
            }
        } catch (NamingException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.javaeesec.identitystore.LdapIdentityStore", "475", this, new Object[]{dirContext, str});
            Tr.warning(tc, "JAVAEESEC_WARNING_EXCEPTION_ON_GETATTRIBUTES", new Object[]{str, groupMemberOfAttribute, e});
        }
        if (groupNameAttribute.equalsIgnoreCase("dn")) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "getGroupsByMembership", new Object[]{hashSet});
            }
            return hashSet;
        }
        HashSet hashSet2 = new HashSet();
        r17 = null;
        for (String str2 : hashSet) {
            try {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "JNDI_CALL getAttributes", new Object[]{str2, groupNameAttribute});
                }
                Attribute attribute2 = dirContext.getAttributes(str2, new String[]{groupNameAttribute}).get(groupNameAttribute);
                if (attribute2 == null) {
                    Tr.warning(tc, "JAVAEESEC_WARNING_MISSING_GROUP_ATTR", new Object[]{str2, groupNameAttribute});
                } else {
                    NamingEnumeration all2 = attribute2.getAll();
                    if (all2.hasMoreElements()) {
                        hashSet2.add((String) all2.nextElement());
                    }
                }
            } catch (NamingException e2) {
                FFDCFilter.processException(e2, "com.ibm.ws.security.javaeesec.identitystore.LdapIdentityStore", "506", this, new Object[]{dirContext, str});
                Tr.warning(tc, "JAVAEESEC_WARNING_EXCEPTION_ON_GETATTRIBUTES", new Object[]{str2, groupNameAttribute, e2});
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "getGroupsByMembership", new Object[]{hashSet2});
        }
        return hashSet2;
    }

    @FFDCIgnore({InvalidNameException.class})
    private boolean isValidDn(String str) {
        try {
            new LdapName(str).toString();
            return true;
        } catch (InvalidNameException e) {
            return false;
        }
    }

    private SearchControls getCallerSearchControls() {
        return new SearchControls(getSearchScope(this.idStoreDefinition.getCallerSearchScope()), Long.valueOf(this.idStoreDefinition.getMaxResults()).longValue(), this.idStoreDefinition.getReadTimeout(), new String[]{this.idStoreDefinition.getCallerNameAttribute()}, false, false);
    }

    private String printControls(SearchControls searchControls) {
        StringBuffer stringBuffer = new StringBuffer();
        stringBuffer.append("[searchScope: ").append(searchControls.getSearchScope());
        stringBuffer.append(", timeLimit: ").append(searchControls.getTimeLimit());
        stringBuffer.append(", countLimit: ").append(searchControls.getCountLimit());
        stringBuffer.append(", returningObjFlag: ").append(searchControls.getReturningObjFlag());
        stringBuffer.append(", returningAttributes: ").append(searchControls.getReturningAttributes()[0]).append("]");
        return stringBuffer.toString();
    }

    private int getSearchScope(LdapIdentityStoreDefinition.LdapSearchScope ldapSearchScope) {
        return ldapSearchScope == LdapIdentityStoreDefinition.LdapSearchScope.ONE_LEVEL ? 1 : 2;
    }

    public int priority() {
        return this.idStoreDefinition.getPriority();
    }

    public Set<IdentityStore.ValidationType> validationTypes() {
        return this.idStoreDefinition.getUseFor();
    }
}
