package org.springframework.security.ldap.authentication;

import java.util.Iterator;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.ldap.NameNotFoundException;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.support.BaseLdapPathContextSource;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.encoding.LdapShaPasswordEncoder;
import org.springframework.security.authentication.encoding.PasswordEncoder;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.codec.Utf8;
import org.springframework.security.ldap.SpringSecurityLdapTemplate;
import org.springframework.util.Assert;

/* loaded from: input_file:WEB-INF/lib/spring-security-ldap-3.2.6.RELEASE.jar:org/springframework/security/ldap/authentication/PasswordComparisonAuthenticator.class */
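/**
 * Authenticates a user by locating their directory entry and comparing the
 * submitted password against the entry's password attribute.
 *
 * <p>Two comparison strategies are used:
 * <ul>
 *   <li><b>Local attribute comparison</b>: the stored value is read from the
 *       retrieved entry and checked with the configured encoder. This is
 *       enabled only when a crypto-module
 *       {@code org.springframework.security.crypto.password.PasswordEncoder}
 *       has been supplied through {@link #setPasswordEncoder(Object)}.</li>
 *   <li><b>LDAP compare operation</b>: the encoded password is sent to the
 *       directory, which performs the comparison. This is the default, and
 *       also the fallback when the local comparison does not match.</li>
 * </ul>
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The default encoder is {@link LdapShaPasswordEncoder}, called here
 *       with a null salt. A fast, unsalted SHA digest is a weak
 *       password-storage scheme; prefer an adaptive crypto-module encoder
 *       where the directory's stored format allows it.</li>
 *   <li>Local comparison requires the password attribute to be present on the
 *       retrieved entry, so the account used by the context source must be
 *       able to read it. NOTE(review): confirm that the directory ACLs limit
 *       this read access to the application's service identity.</li>
 *   <li>An unknown user and a wrong password raise different exception types.
 *       NOTE(review): confirm the calling provider does not expose that
 *       difference to clients.</li>
 * </ul>
 */
public final class PasswordComparisonAuthenticator extends AbstractLdapAuthenticator {
    private static final Log logger = LogFactory.getLog(PasswordComparisonAuthenticator.class);

    // Explicit charset for decoding the stored password attribute; mirrors the
    // UTF-8 encoding applied to the value sent in the LDAP compare operation.
    private static final java.nio.charset.Charset UTF_8 = java.nio.charset.Charset.forName("UTF-8");

    private PasswordEncoder passwordEncoder = new LdapShaPasswordEncoder();
    private String passwordAttributeName = "userPassword";
    private boolean usePasswordAttrCompare = false;

    /**
     * Creates an authenticator that uses the given context source for all
     * directory operations.
     *
     * @param baseLdapPathContextSource the context source passed to the superclass
     */
    public PasswordComparisonAuthenticator(BaseLdapPathContextSource baseLdapPathContextSource) {
        super(baseLdapPathContextSource);
    }

    /**
     * Locates the user's entry and verifies the submitted password against it.
     *
     * <p>The entry is looked up first through each configured user DN, then
     * through the configured user search if no DN matched.
     *
     * @param authentication a {@link UsernamePasswordAuthenticationToken}
     *        carrying the username and the raw password
     * @return the directory entry of the authenticated user
     * @throws UsernameNotFoundException if no entry could be located
     * @throws BadCredentialsException if neither comparison strategy matched
     */
    @Override
    public DirContextOperations authenticate(Authentication authentication) {
        Assert.isInstanceOf(UsernamePasswordAuthenticationToken.class, authentication,
                "Can only process UsernamePasswordAuthenticationToken objects");
        String username = authentication.getName();
        String password = (String) authentication.getCredentials();
        SpringSecurityLdapTemplate ldapTemplate = new SpringSecurityLdapTemplate(getContextSource());

        DirContextOperations user = null;
        for (String userDn : getUserDns(username)) {
            try {
                user = ldapTemplate.retrieveEntry(userDn, getUserAttributes());
            } catch (NameNotFoundException ignored) {
                // No entry exists at this candidate DN; try the next one.
            }
            if (user != null) {
                break;
            }
        }
        if (user == null && getUserSearch() != null) {
            user = getUserSearch().searchForUser(username);
        }
        if (user == null) {
            throw new UsernameNotFoundException("User not found: " + username, username);
        }

        if (logger.isDebugEnabled()) {
            // Only the attribute name and DN are logged, never the password or its hash.
            logger.debug("Performing LDAP compare of password attribute '" + this.passwordAttributeName + "' for user '" + user.getDn() + "'");
        }

        // Try the local comparison only when it is enabled, and fall back to
        // the server-side compare operation if it did not match.
        boolean matched = this.usePasswordAttrCompare && isPasswordAttrCompare(user, password);
        if (!matched) {
            matched = isLdapPasswordCompare(user, ldapTemplate, password);
        }
        if (!matched) {
            throw new BadCredentialsException(
                    this.messages.getMessage("PasswordComparisonAuthenticator.badCredentials", "Bad credentials"));
        }
        return user;
    }

    /**
     * Compares the submitted password with the stored attribute value locally.
     *
     * <p>Fails closed: an entry without the password attribute (absent, or not
     * readable by the bound identity) yields {@code false} instead of a
     * {@link NullPointerException}, so the caller reports bad credentials.
     *
     * @param dirContextOperations the user's directory entry
     * @param str the raw submitted password
     * @return {@code true} if the encoder accepts the password for the stored value
     */
    private boolean isPasswordAttrCompare(DirContextOperations dirContextOperations, String str) {
        Object stored = dirContextOperations.getObjectAttribute(this.passwordAttributeName);
        if (stored == null) {
            return false;
        }
        // Decode with a fixed charset so the result does not depend on the
        // platform default; tolerate attributes that are returned as strings.
        String storedValue = (stored instanceof byte[])
                ? new String((byte[]) stored, UTF_8)
                : stored.toString();
        return this.passwordEncoder.isPasswordValid(storedValue, str, null);
    }

    /**
     * Asks the directory to compare the encoded password with the stored
     * attribute through an LDAP compare operation.
     *
     * <p>NOTE(review): the value sent is whatever the encoder produces for
     * this call; an encoder that generates a fresh random salt on every call
     * presumably cannot match the stored value this way.
     *
     * @param dirContextOperations the user's directory entry
     * @param springSecurityLdapTemplate the template used to run the compare
     * @param str the raw submitted password
     * @return the result reported by the compare operation
     */
    private boolean isLdapPasswordCompare(DirContextOperations dirContextOperations,
            SpringSecurityLdapTemplate springSecurityLdapTemplate, String str) {
        String encoded = this.passwordEncoder.encodePassword(str, null);
        return springSecurityLdapTemplate.compare(
                dirContextOperations.getDn().toString(), this.passwordAttributeName, Utf8.encode(encoded));
    }

    /**
     * Sets the name of the directory attribute that holds the password.
     *
     * @param str the attribute name; must not be empty or null
     */
    public void setPasswordAttributeName(String str) {
        Assert.hasLength(str, "passwordAttributeName must not be empty or null");
        this.passwordAttributeName = str;
    }

    /**
     * Stores a legacy (authentication.encoding) encoder after a null check.
     *
     * @param passwordEncoder the encoder to use; must not be null
     */
    private void setPasswordEncoder(PasswordEncoder passwordEncoder) {
        Assert.notNull(passwordEncoder, "passwordEncoder must not be null.");
        this.passwordEncoder = passwordEncoder;
    }

    /**
     * Configures the password encoder and, with it, the comparison strategy.
     *
     * <p>A legacy {@link PasswordEncoder} disables local attribute comparison.
     * A crypto-module encoder is wrapped in an adapter and enables it.
     *
     * @param obj a legacy or crypto-module password encoder
     * @throws IllegalArgumentException if {@code obj} is neither encoder type
     */
    public void setPasswordEncoder(Object obj) {
        if (obj instanceof PasswordEncoder) {
            this.usePasswordAttrCompare = false;
            setPasswordEncoder((PasswordEncoder) obj);
            return;
        }
        if (!(obj instanceof org.springframework.security.crypto.password.PasswordEncoder)) {
            throw new IllegalArgumentException("passwordEncoder must be a PasswordEncoder instance");
        }
        final org.springframework.security.crypto.password.PasswordEncoder delegate =
                (org.springframework.security.crypto.password.PasswordEncoder) obj;
        // Adapter exposing the crypto-module encoder through the legacy interface.
        setPasswordEncoder(new PasswordEncoder() {
            @Override
            public String encodePassword(String str, Object obj2) {
                checkSalt(obj2);
                return delegate.encode(str);
            }

            @Override
            public boolean isPasswordValid(String str, String str2, Object obj2) {
                checkSalt(obj2);
                // Legacy order is (encoded, raw); the crypto module expects (raw, encoded).
                return delegate.matches(str2, str);
            }

            // The crypto-module interface takes no salt argument, so an
            // externally supplied salt is rejected rather than ignored.
            private void checkSalt(Object obj2) {
                Assert.isNull(obj2, "Salt value must be null when used with crypto module PasswordEncoder");
            }
        });
        this.usePasswordAttrCompare = true;
    }
}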
