package com.teklabs.throng.integration.ldap;

import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.commons.lang.StringUtils;

/* loaded from: input_file:com/teklabs/throng/integration/ldap/Ldap.class */
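/**
 * Authenticates a login/password pair against an LDAP directory.
 *
 * <p>Two flows exist, selected by {@link LdapContextFactory#getAuthentication()}:
 * <ul>
 *   <li>SASL mechanisms ({@code DIGEST-MD5}, {@code CRAM-MD5}, {@code GSSAPI}): the login
 *       is used as the principal directly; GSSAPI is verified through a JAAS
 *       {@link LoginContext}, the other two through a bind.</li>
 *   <li>Anything else (simple bind): the user's DN is first looked up under
 *       {@link #getBaseDN()} with a filter on {@link #getLoginAttribute()} and
 *       {@link #getUserObjectClass()}, then verified with a bind as that DN.</li>
 * </ul>
 *
 * <p>Configuration setters are plain field writes; configure the instance before use.
 * Nothing here is documented as thread-safe.
 */
public class Ldap {
    public static final String DEFAULT_USER_OBJECT_CLASS = "inetOrgPerson";
    public static final String DEFAULT_LOGIN_ATTRIBUTE = "uid";

    // Authentication mechanism names as reported by LdapContextFactory#getAuthentication().
    private static final String GSSAPI = "GSSAPI";
    private static final String DIGEST_MD5 = "DIGEST-MD5";
    private static final String CRAM_MD5 = "CRAM-MD5";

    private final LdapContextFactory ldapContextFactory;
    private String baseDN = null;
    private String loginAttribute = DEFAULT_LOGIN_ATTRIBUTE;
    private String userObjectClass = DEFAULT_USER_OBJECT_CLASS;

    /**
     * Creates an authenticator backed by the given context factory.
     *
     * @param ldapContextFactory source of directory contexts; must not be {@code null}
     * @throws IllegalArgumentException if {@code ldapContextFactory} is {@code null}
     */
    public Ldap(LdapContextFactory ldapContextFactory) {
        if (ldapContextFactory == null) {
            throw new IllegalArgumentException("LDAP context factory is not set");
        }
        this.ldapContextFactory = ldapContextFactory;
    }

    /**
     * Opens (and closes) a context with the factory's own credentials to verify connectivity.
     *
     * <p>With a SASL mechanism and no configured username there is nothing to bind as, so
     * only a warning is logged.
     *
     * @throws NamingException if the directory cannot be reached or the bind fails
     */
    public void testConnection() throws NamingException {
        if (StringUtils.isBlank(this.ldapContextFactory.getUsername()) && isSasl()) {
            LdapHelper.LOG.warn("Unable to test connection, if using SASL and no username specified");
            return;
        }
        LdapHelper.LOG.debug("Test connection");
        // Release the test context instead of leaving it for GC to reclaim.
        LdapHelper.closeContext(this.ldapContextFactory.getInitialDirContext());
    }

    /**
     * Checks whether {@code password} is valid for {@code login}.
     *
     * @param login    the user's login (value of the login attribute, or the SASL principal)
     * @param password the password to verify
     * @return {@code true} only if the directory accepted the credentials
     * @throws NamingException          if the principal lookup fails
     * @throws IllegalArgumentException if a simple-bind lookup is needed and no base DN is set
     */
    public boolean authenticate(String login, String password) throws NamingException {
        // An empty password must never reach the bind: a simple bind with a DN and an empty
        // password is an "unauthenticated" bind (RFC 4513 §5.1.2) that servers may accept,
        // which would turn any known login into a valid credential. Whether the factory
        // guards against this itself is not visible here, so reject it at the boundary.
        if (StringUtils.isEmpty(password)) {
            return false;
        }
        String principal = isSasl() ? login : getPrincipal(login);
        if (StringUtils.isBlank(principal)) {
            return false;
        }
        return GSSAPI.equals(this.ldapContextFactory.getAuthentication())
                ? checkPasswordUsingGssapi(principal, password)
                : checkPasswordUsingBind(principal, password);
    }

    /** @return whether the configured authentication is one of the supported SASL mechanisms */
    private boolean isSasl() {
        String authentication = this.ldapContextFactory.getAuthentication();
        return DIGEST_MD5.equals(authentication)
                || CRAM_MD5.equals(authentication)
                || GSSAPI.equals(authentication);
    }

    /**
     * Verifies the credentials with a Kerberos (JAAS) login.
     *
     * <p>Note that {@link Configuration#setConfiguration} replaces the JVM-wide JAAS
     * configuration, not just this instance's.
     *
     * @return {@code true} if the JAAS login succeeded; a failed logout is logged but does not
     *         change the result, since the credential itself was accepted
     */
    private boolean checkPasswordUsingGssapi(String principal, String password) {
        Configuration.setConfiguration(new Krb5LoginConfiguration());
        LoginContext loginContext;
        try {
            loginContext = new LoginContext(getClass().getName(), new CallbackHandlerImpl(principal, password));
            loginContext.login();
        } catch (LoginException e) {
            LdapHelper.LOG.debug("Password is not valid for principal: " + principal, e);
            return false;
        }
        try {
            loginContext.logout();
        } catch (LoginException e) {
            LdapHelper.LOG.warn("Logout fails", e);
        }
        return true;
    }

    /**
     * Verifies the credentials by binding as {@code principal}.
     *
     * @return {@code true} if the bind and a root-DSE read succeeded; any {@link NamingException}
     *         is treated as "invalid password"
     */
    private boolean checkPasswordUsingBind(String principal, String password) {
        InitialDirContext context = null;
        try {
            context = this.ldapContextFactory.getInitialDirContext(principal, password);
            // Reading the root DSE exercises the bound connection; presumably this guards
            // against a factory that connects lazily — confirm against LdapContextFactory.
            context.getAttributes("");
            return true;
        } catch (NamingException e) {
            if (LdapHelper.LOG.isDebugEnabled()) {
                LdapHelper.LOG.debug("Password is not valid for principal: " + principal, e);
            }
            return false;
        } finally {
            // closeContext is also reached with a null context when the bind itself failed.
            LdapHelper.closeContext(context);
        }
    }

    /**
     * Resolves a login to the DN of the matching user entry.
     *
     * @return the entry's DN, or {@code null} if no entry matches or the login is ambiguous
     *         (more than one match, which is also logged as an error)
     * @throws IllegalArgumentException if no base DN is configured
     * @throws NamingException          if the search fails
     */
    private String getPrincipal(String login) throws NamingException {
        if (this.baseDN == null) {
            throw new IllegalArgumentException("LDAP BaseDN is not set");
        }
        if (LdapHelper.LOG.isDebugEnabled()) {
            LdapHelper.LOG.debug("Search principal: " + login);
        }
        // The login goes in as a filter argument ({0}), never concatenated into the filter,
        // so the provider escapes it and a crafted login cannot alter the filter. Keep it so.
        String filter = "(&(objectClass=" + this.userObjectClass + ")(" + this.loginAttribute + "={0}))";
        if (LdapHelper.LOG.isDebugEnabled()) {
            LdapHelper.LOG.debug("LDAP request: " + filter);
        }
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        // Only the DN is needed: request no attributes, and do not ask the provider to
        // materialize the bound Java object (for the LDAP provider that can mean decoding
        // Java objects stored in directory attributes — an unnecessary deserialization surface).
        searchControls.setReturningAttributes(new String[0]);
        searchControls.setReturningObjFlag(false);

        InitialDirContext context = null;
        try {
            context = this.ldapContextFactory.getInitialDirContext();
            NamingEnumeration<SearchResult> results =
                    context.search(this.baseDN, filter, new Object[]{login}, searchControls);
            try {
                if (!results.hasMore()) {
                    return null;
                }
                String dn = results.next().getNameInNamespace();
                if (dn != null && results.hasMore()) {
                    LdapHelper.LOG.error("Login '" + login + "' is not unique in LDAP (see attribute " + this.loginAttribute + ")");
                    return null;
                }
                return dn;
            } finally {
                results.close();
            }
        } finally {
            LdapHelper.closeContext(context);
        }
    }

    /** @return the attribute matched against the login during DN lookup */
    public String getLoginAttribute() {
        return this.loginAttribute;
    }

    /** @param loginAttribute the attribute matched against the login (default {@value #DEFAULT_LOGIN_ATTRIBUTE}) */
    public void setLoginAttribute(String loginAttribute) {
        this.loginAttribute = loginAttribute;
    }

    /** @return the objectClass user entries must carry */
    public String getUserObjectClass() {
        return this.userObjectClass;
    }

    /** @param userObjectClass the objectClass user entries must carry (default {@value #DEFAULT_USER_OBJECT_CLASS}) */
    public void setUserObjectClass(String userObjectClass) {
        this.userObjectClass = userObjectClass;
    }

    /** @return the base DN searched for user entries, or {@code null} if unset */
    public String getBaseDN() {
        return this.baseDN;
    }

    /** @param baseDN the base DN searched for user entries; required for simple-bind authentication */
    public void setBaseDN(String baseDN) {
        this.baseDN = baseDN;
    }
}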
