package org.cloudfoundry.identity.uaa.provider.ldap;

import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Iterator;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.ldap.NameNotFoundException;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.support.BaseLdapPathContextSource;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.encoding.LdapShaPasswordEncoder;
import org.springframework.security.authentication.encoding.PasswordEncoder;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.codec.Utf8;
import org.springframework.security.ldap.SpringSecurityLdapTemplate;
import org.springframework.security.ldap.authentication.AbstractLdapAuthenticator;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-3.3.0.2.jar:org/cloudfoundry/identity/uaa/provider/ldap/PasswordComparisonAuthenticator.class */
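/**
 * LDAP authenticator that verifies a password by comparing it with the user's password attribute.
 *
 * <p>Two modes are supported, selected by {@link #setLocalCompare(boolean)}:
 * <ul>
 *   <li>local compare: the password attribute values are read from the retrieved entry and
 *       compared inside this process;</li>
 *   <li>otherwise: the encoded password is handed to
 *       {@link SpringSecurityLdapTemplate#compare(String, String, Object)} and the directory
 *       decides.</li>
 * </ul>
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The default encoder is {@link LdapShaPasswordEncoder} and it is always invoked with a
 *       {@code null} salt, so the value sent for comparison is an unsalted SHA digest. Prefer a
 *       bind-based authenticator, or a {@link DynamicPasswordComparator}, where the directory
 *       stores salted or stronger hashes.</li>
 *   <li>Local compare pulls the stored password values out of the directory into this JVM, so
 *       the account used by the context source needs read access to that attribute.</li>
 * </ul>
 */
public class PasswordComparisonAuthenticator extends AbstractLdapAuthenticator {
    private static final Log logger = LogFactory.getLog(PasswordComparisonAuthenticator.class);
    private boolean localCompare;
    private String passwordAttributeName;
    private PasswordEncoder passwordEncoder;

    /**
     * Creates an authenticator backed by the given context source, using
     * {@link LdapShaPasswordEncoder} until {@link #setPasswordEncoder(PasswordEncoder)} is called.
     *
     * @param baseLdapPathContextSource context source used for all directory operations
     */
    public PasswordComparisonAuthenticator(BaseLdapPathContextSource baseLdapPathContextSource) {
        super(baseLdapPathContextSource);
        this.passwordEncoder = new LdapShaPasswordEncoder();
    }

    /**
     * Locates the user's entry and checks the presented password against it.
     *
     * <p>The entry is looked up first through the configured DN patterns and then, if none of
     * them resolves, through the configured user search.
     *
     * @param authentication the request; its credentials must be a {@code String}
     * @return the directory entry of the authenticated user
     * @throws BadCredentialsException if the credentials are missing, are not a {@code String},
     *     or do not match
     * @throws UsernameNotFoundException if no entry can be found for the user name
     */
    @Override
    public DirContextOperations authenticate(Authentication authentication) {
        String username = authentication.getName();
        Object credentials = authentication.getCredentials();
        // Reject absent or non-string credentials as an authentication failure instead of
        // letting a NullPointerException / ClassCastException escape further down.
        if (!(credentials instanceof String)) {
            throw new BadCredentialsException("Bad credentials");
        }
        String password = (String) credentials;

        SpringSecurityLdapTemplate template = new SpringSecurityLdapTemplate(getContextSource());
        DirContextOperations user = null;
        for (String userDn : getUserDns(username)) {
            try {
                user = template.retrieveEntry(userDn, getUserAttributes());
            } catch (NameNotFoundException ignored) {
                // This DN pattern does not resolve to an entry; try the next one.
            }
            if (user != null) {
                break;
            }
        }
        if (user == null && getUserSearch() != null) {
            user = getUserSearch().searchForUser(username);
        }
        if (user == null) {
            throw new UsernameNotFoundException("User not found: " + username);
        }
        if (logger.isDebugEnabled()) {
            logger.debug("Performing LDAP compare of password attribute '" + this.passwordAttributeName + "' for user '" + user.getDn() + "'");
        }
        if (isLocalCompare()) {
            localCompareAuthenticate(user, password);
        } else {
            searchAuthenticate(user, Utf8.encode(this.passwordEncoder.encodePassword(password, null)), template);
        }
        return user;
    }

    /**
     * Compares the presented password with the password attribute values of an already
     * retrieved entry, inside this process.
     *
     * <p>Only values returned as {@code byte[]} are considered; other value types are skipped.
     *
     * @param dirContextOperations the user's entry, including the password attribute
     * @param str the presented clear-text password
     * @return {@code dirContextOperations} when one of the stored values matches
     * @throws AuthenticationCredentialsNotFoundException if the entry has no password attribute
     *     or the attribute has no values
     * @throws BadCredentialsException if {@code str} is {@code null}, no value matches, or the
     *     attribute cannot be read
     */
    public DirContextOperations localCompareAuthenticate(DirContextOperations dirContextOperations, String str) {
        if (str == null) {
            throw new BadCredentialsException("Bad credentials");
        }
        try {
            Attribute stored = dirContextOperations.getAttributes().get(getPasswordAttributeName());
            // Attributes.get returns null when the attribute is absent, so test for that before
            // asking for its size.
            if (stored == null || stored.size() == 0) {
                throw new AuthenticationCredentialsNotFoundException("Missing " + getPasswordAttributeName() + " attribute.");
            }
            boolean matched = false;
            for (int i = 0; !matched && i < stored.size(); i++) {
                Object value = stored.get(i);
                if (value instanceof byte[]) {
                    matched = matchesStoredValue(str, (byte[]) value);
                }
            }
            if (matched) {
                return dirContextOperations;
            }
            throw new BadCredentialsException("Bad credentials");
        } catch (NamingException e) {
            throw new BadCredentialsException("Bad credentials", e);
        }
    }

    /** Checks one stored password value against the presented password. */
    private boolean matchesStoredValue(String password, byte[] storedValue) {
        if (this.passwordEncoder instanceof DynamicPasswordComparator) {
            // Encode explicitly as UTF-8 so the outcome does not depend on the JVM's default
            // charset; this also matches the encoding used on the other branch.
            return ((DynamicPasswordComparator) this.passwordEncoder).comparePasswords(Utf8.encode(password), storedValue);
        }
        byte[] candidate = Utf8.encode(this.passwordEncoder.encodePassword(password, null));
        // MessageDigest.isEqual instead of Arrays.equals: the comparison should not finish
        // sooner just because an early byte of the stored hash differs.
        return MessageDigest.isEqual(candidate, storedValue);
    }

    /**
     * Asks the directory to compare the encoded password with the user's password attribute.
     *
     * @param dirContextOperations the user's entry; its DN is the compare target
     * @param bArr the encoded password bytes to compare
     * @param springSecurityLdapTemplate template used to issue the compare
     * @return {@code dirContextOperations} when the directory reports a match
     * @throws BadCredentialsException if the directory reports no match
     */
    public DirContextOperations searchAuthenticate(DirContextOperations dirContextOperations, byte[] bArr, SpringSecurityLdapTemplate springSecurityLdapTemplate) {
        if (logger.isDebugEnabled()) {
            logger.debug("Performing LDAP compare of password attribute '" + this.passwordAttributeName + "' for user '" + dirContextOperations.getDn() + "'");
        }
        if (springSecurityLdapTemplate.compare(dirContextOperations.getDn().toString(), this.passwordAttributeName, bArr)) {
            return dirContextOperations;
        }
        throw new BadCredentialsException(this.messages.getMessage("PasswordComparisonAuthenticator.badCredentials", "Bad credentials"));
    }

    /**
     * Sets the name of the directory attribute that holds the password.
     * NOTE(review): no default is assigned in this class, so this must be set before use.
     */
    public void setPasswordAttributeName(String str) {
        this.passwordAttributeName = str;
    }

    /** Returns the name of the directory attribute that holds the password. */
    public String getPasswordAttributeName() {
        return this.passwordAttributeName;
    }

    /**
     * Sets the encoder applied to the presented password. An encoder that also implements
     * {@link DynamicPasswordComparator} performs the whole comparison itself in local-compare
     * mode.
     */
    public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
        this.passwordEncoder = passwordEncoder;
    }

    /** Returns the encoder applied to the presented password. */
    public PasswordEncoder getPasswordEncoder() {
        return this.passwordEncoder;
    }

    /** Returns whether passwords are compared in this process rather than by the directory. */
    public boolean isLocalCompare() {
        return this.localCompare;
    }

    /** Selects in-process comparison ({@code true}) or an LDAP compare operation ({@code false}). */
    public void setLocalCompare(boolean z) {
        this.localCompare = z;
    }
}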
