package org.opends.server.extensions;

import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.i18n.LocalizableMessageDescriptor;
import org.forgerock.i18n.slf4j.LocalizedLogger;
import org.forgerock.opendj.config.server.ConfigChangeResult;
import org.forgerock.opendj.config.server.ConfigException;
import org.forgerock.opendj.config.server.ConfigurationChangeListener;
import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.DN;
import org.forgerock.opendj.ldap.ResultCode;
import org.forgerock.opendj.ldap.SearchScope;
import org.forgerock.opendj.ldap.schema.AttributeType;
import org.forgerock.opendj.server.config.server.CertificateMapperCfg;
import org.forgerock.opendj.server.config.server.FingerprintCertificateMapperCfg;
import org.opends.messages.ExtensionMessages;
import org.opends.server.api.CertificateMapper;
import org.opends.server.api.LocalBackend;
import org.opends.server.core.BackendConfigManager;
import org.opends.server.core.DirectoryServer;
import org.opends.server.protocols.internal.InternalClientConnection;
import org.opends.server.protocols.internal.InternalSearchOperation;
import org.opends.server.protocols.internal.Requests;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
import org.opends.server.types.IndexType;
import org.opends.server.types.InitializationException;
import org.opends.server.types.SearchFilter;
import org.opends.server.types.SearchResultEntry;
import org.opends.server.util.CollectionUtils;
import org.opends.server.util.StaticUtils;
import org.slf4j.Marker;

/* JADX WARN: Classes with same name are omitted:
  input_file:embedded-opendj/opendj.zip:opendj/lib/opendj.jar:org/opends/server/extensions/FingerprintCertificateMapper.class
 */
/* loaded from: input_file:embedded-opendj/opendj.zip:opendj/lib/org.openidentityplatform.opendj.opendj-server-legacy.jar:org/opends/server/extensions/FingerprintCertificateMapper.class */
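/**
 * Certificate mapper that identifies a user by the fingerprint of the peer (leaf)
 * certificate presented during an external (SASL EXTERNAL / TLS client-auth) bind.
 *
 * <p>The fingerprint is the configured digest (MD5 or SHA-1 in this version) of the
 * certificate's DER encoding, rendered as colon-delimited hex, and is looked up with an
 * equality filter on the configured fingerprint attribute under each configured user base
 * DN (or, when none is configured, under every public top-level naming context).
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The mapping fails closed: no certificate, a non-X.509 certificate, a digest
 *       failure, an ambiguous match (two entries under one base, or matches under
 *       several bases) and any search error all yield {@code INVALID_CREDENTIALS}.</li>
 *   <li>The lookup runs on the internal root connection, so it is presumably not
 *       constrained by the binding client's own access rights; the entry returned is
 *       whatever the directory data says carries that fingerprint. Integrity of the
 *       fingerprint attribute in the directory is therefore part of the trust base.</li>
 *   <li>An unindexed fingerprint attribute is reported at initialization and on every
 *       configuration change, because the bind-time lookup would otherwise degrade to a
 *       subtree scan (bounded here by size limit 1 and a short time limit).</li>
 * </ul>
 *
 * <p>Thread-safety: {@code currentConfig} and {@code fingerprintAlgorithm} may be replaced
 * by {@link #applyConfigurationChange}; {@link #mapCertificateToUser} snapshots both into
 * locals once so a single mapping never mixes settings from two configurations.
 */
public class FingerprintCertificateMapper extends CertificateMapper<FingerprintCertificateMapperCfg> implements ConfigurationChangeListener<FingerprintCertificateMapperCfg> {
    private static final LocalizedLogger logger = LocalizedLogger.getLoggerForThisClass();

    /** At most one entry is accepted per base DN; a second match is an ambiguity and is rejected. */
    private static final int SEARCH_SIZE_LIMIT = 1;
    /** LDAP timeLimit (seconds) for the fingerprint lookup; exceeding it is reported as an inefficient search. */
    private static final int SEARCH_TIME_LIMIT_SECONDS = 10;
    /** Request all user ("*") and all operational ("+") attributes of the matched entry. */
    private static final LinkedHashSet<String> REQUESTED_ATTRIBUTES = CollectionUtils.newLinkedHashSet("*", "+");

    /** Configuration currently in effect; replaced wholesale on a successful change. */
    private FingerprintCertificateMapperCfg currentConfig;
    /** JCA digest algorithm name derived from the configuration; {@code null} if the enum value is not handled. */
    private String fingerprintAlgorithm;

    /**
     * Maps the configured fingerprint algorithm to the name passed to
     * {@link MessageDigest#getInstance(String)}.
     *
     * @param cfg the mapper configuration
     * @return the digest name, or {@code null} for an algorithm value this class does not
     *         handle (in which case mapping fails closed in {@link #mapCertificateToUser})
     */
    private static String toDigestAlgorithmName(FingerprintCertificateMapperCfg cfg) {
        switch (cfg.getFingerprintAlgorithm()) {
            case MD5:
                return "MD5";
            case SHA1:
                // NOTE(review): the decompiler substituted a same-valued constant here; the
                // intended value is the JCA name of the SHA-1 digest. Confirm against
                // ExtensionsConstants before changing it.
                return ExtensionsConstants.AUTH_PASSWORD_SCHEME_NAME_SALTED_SHA_1;
            default:
                return null;
        }
    }

    /**
     * Returns the base DNs to search: the configured user base DNs, or every public
     * top-level naming context when none is configured.
     *
     * @param cfg the mapper configuration
     * @param backendConfigManager the server's backend configuration manager
     * @return a non-null collection of base DNs
     */
    private static Collection<DN> effectiveUserBaseDNs(FingerprintCertificateMapperCfg cfg, BackendConfigManager backendConfigManager) {
        Collection<DN> baseDNs = cfg.getUserBaseDN();
        if (baseDNs == null || baseDNs.isEmpty()) {
            return backendConfigManager.getNamingContexts(BackendConfigManager.NamingContextFilter.PUBLIC, BackendConfigManager.NamingContextFilter.TOP_LEVEL);
        }
        return baseDNs;
    }

    /**
     * Builds one warning per local backend (among those holding a search base) in which
     * the fingerprint attribute has no equality index.
     *
     * @param cfg the mapper configuration
     * @param backendConfigManager the server's backend configuration manager
     * @return the warnings, possibly empty
     */
    private static List<LocalizableMessage> unindexedAttributeWarnings(FingerprintCertificateMapperCfg cfg, BackendConfigManager backendConfigManager) {
        AttributeType fingerprintAttribute = cfg.getFingerprintAttribute();
        List<LocalizableMessage> warnings = new ArrayList<>();
        for (DN baseDN : effectiveUserBaseDNs(cfg, backendConfigManager)) {
            LocalBackend<?> backend = backendConfigManager.findLocalBackendForEntry(baseDN);
            if (backend != null && !backend.isIndexed(fingerprintAttribute, IndexType.EQUALITY)) {
                warnings.add(ExtensionMessages.WARN_SATUACM_ATTR_UNINDEXED.get(cfg.dn(), fingerprintAttribute.getNameOrOID(), backend.getBackendID()));
            }
        }
        return warnings;
    }

    /**
     * Registers this mapper as a change listener, adopts the configuration and warns
     * about any backend in which the fingerprint attribute is not equality-indexed.
     *
     * @param cfg the mapper configuration
     * @throws ConfigException declared by the API contract; not thrown by this implementation
     * @throws InitializationException declared by the API contract; not thrown by this implementation
     */
    @Override
    public void initializeCertificateMapper(FingerprintCertificateMapperCfg cfg) throws ConfigException, InitializationException {
        cfg.addFingerprintChangeListener(this);
        this.currentConfig = cfg;
        this.fingerprintAlgorithm = toDigestAlgorithmName(cfg);
        BackendConfigManager backendConfigManager = DirectoryServer.getInstance().getServerContext().getBackendConfigManager();
        for (LocalizableMessage warning : unindexedAttributeWarnings(cfg, backendConfigManager)) {
            logger.warn(warning);
        }
    }

    /** Deregisters the change listener added by {@link #initializeCertificateMapper}. */
    @Override
    public void finalizeCertificateMapper() {
        // Guarded so finalization before (or without) initialization is a no-op.
        if (this.currentConfig != null) {
            this.currentConfig.removeFingerprintChangeListener(this);
        }
    }

    /**
     * Maps the peer certificate to the single directory entry carrying its fingerprint.
     *
     * <p>Only {@code certificateArr[0]} (the leaf certificate) is considered; it must be an
     * {@link X509Certificate}. The search is bounded to one entry per base DN, so a second
     * entry under a base surfaces as {@code SIZE_LIMIT_EXCEEDED}; a match under a second base
     * is caught by the explicit duplicate check. Both are rejected rather than resolved.
     *
     * @param certificateArr the peer certificate chain, leaf first
     * @return the matching entry, or {@code null} if no entry carries the fingerprint
     * @throws DirectoryException with {@code INVALID_CREDENTIALS} when there is no usable
     *         certificate, the fingerprint cannot be computed, or the match is ambiguous;
     *         with the search's own result code when the lookup itself fails or exceeds a limit
     */
    @Override
    public Entry mapCertificateToUser(Certificate[] certificateArr) throws DirectoryException {
        // Snapshot both settings once; a concurrent applyConfigurationChange must not mix them.
        FingerprintCertificateMapperCfg cfg = this.currentConfig;
        AttributeType fingerprintAttribute = cfg.getFingerprintAttribute();
        String algorithm = this.fingerprintAlgorithm;

        if (certificateArr == null || certificateArr.length == 0 || certificateArr[0] == null) {
            throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, ExtensionMessages.ERR_FCM_NO_PEER_CERTIFICATE.get());
        }
        Certificate peer = certificateArr[0];
        if (!(peer instanceof X509Certificate)) {
            throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, ExtensionMessages.ERR_FCM_PEER_CERT_NOT_X509.get(peer.getType()));
        }
        X509Certificate peerCertificate = (X509Certificate) peer;

        // The try covers only the digest; errors from the directory search below must keep
        // their own result codes and messages instead of being reported as a digest failure.
        String fingerprint;
        try {
            byte[] digest = MessageDigest.getInstance(algorithm).digest(peerCertificate.getEncoded());
            fingerprint = StaticUtils.bytesToColonDelimitedHex(digest);
        } catch (GeneralSecurityException | RuntimeException e) {
            // NoSuchAlgorithmException / CertificateEncodingException, or the NPE raised by
            // getInstance(null) when the configured algorithm value was not handled.
            logger.traceException(e);
            throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, ExtensionMessages.ERR_FCM_CANNOT_CALCULATE_FINGERPRINT.get(peerCertificate.getSubjectX500Principal().getName("RFC2253"), StaticUtils.getExceptionMessage(e)));
        }

        SearchFilter filter = SearchFilter.createEqualityFilter(fingerprintAttribute, ByteString.valueOfUtf8(fingerprint));
        BackendConfigManager backendConfigManager = DirectoryServer.getInstance().getServerContext().getBackendConfigManager();
        // Internal root connection: the lookup does not depend on the binding client's rights.
        InternalClientConnection rootConnection = InternalClientConnection.getRootConnection();

        SearchResultEntry userEntry = null;
        for (DN baseDN : effectiveUserBaseDNs(cfg, backendConfigManager)) {
            InternalSearchOperation search = rootConnection.processSearch(
                    Requests.newSearchRequest(baseDN, SearchScope.WHOLE_SUBTREE, filter)
                            .setSizeLimit(SEARCH_SIZE_LIMIT)
                            .setTimeLimit(SEARCH_TIME_LIMIT_SECONDS)
                            .addAttribute(REQUESTED_ATTRIBUTES));
            switch (search.getResultCode().asEnum()) {
                case SUCCESS:
                case NO_SUCH_OBJECT:
                    // Zero or one entry under this base; a missing base DN is tolerated.
                    break;
                case SIZE_LIMIT_EXCEEDED:
                    // More than one entry under this base carries the fingerprint.
                    throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, ExtensionMessages.ERR_FCM_MULTIPLE_SEARCH_MATCHING_ENTRIES.get(fingerprint));
                case TIME_LIMIT_EXCEEDED:
                case ADMIN_LIMIT_EXCEEDED:
                    throw new DirectoryException(search.getResultCode(), ExtensionMessages.ERR_FCM_INEFFICIENT_SEARCH.get(fingerprint, search.getErrorMessage()));
                default:
                    throw new DirectoryException(search.getResultCode(), ExtensionMessages.ERR_FCM_SEARCH_FAILED.get(fingerprint, search.getErrorMessage()));
            }
            for (SearchResultEntry entry : search.getSearchEntries()) {
                if (userEntry != null) {
                    // A match under an earlier base DN already exists: ambiguous, reject.
                    throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, ExtensionMessages.ERR_FCM_MULTIPLE_MATCHING_ENTRIES.get(fingerprint, userEntry.getName(), entry.getName()));
                }
                userEntry = entry;
            }
        }
        return userEntry;
    }

    /**
     * Accepts any configuration of the expected subtype.
     *
     * @param certificateMapperCfg the generic mapper configuration (cast to the fingerprint subtype)
     * @param list receives reasons for rejection; none are added
     * @return {@code true}
     */
    @Override
    public boolean isConfigurationAcceptable(CertificateMapperCfg certificateMapperCfg, List<LocalizableMessage> list) {
        return isConfigurationChangeAcceptable((FingerprintCertificateMapperCfg) certificateMapperCfg, list);
    }

    /**
     * Accepts every configuration change; nothing is validated here.
     *
     * @param cfg the proposed configuration
     * @param list receives reasons for rejection; none are added
     * @return {@code true}
     */
    @Override
    public boolean isConfigurationChangeAcceptable(FingerprintCertificateMapperCfg cfg, List<LocalizableMessage> list) {
        return true;
    }

    /**
     * Alias retained for callers of the decompiler-introduced name; behaves exactly like
     * {@link #isConfigurationChangeAcceptable(FingerprintCertificateMapperCfg, List)}.
     *
     * @deprecated use {@link #isConfigurationChangeAcceptable(FingerprintCertificateMapperCfg, List)}
     */
    @Deprecated
    public boolean isConfigurationChangeAcceptable2(FingerprintCertificateMapperCfg cfg, List<LocalizableMessage> list) {
        return isConfigurationChangeAcceptable(cfg, list);
    }

    /**
     * Adopts a new configuration and re-checks indexing of the fingerprint attribute.
     *
     * <p>Index warnings are attached to the result and logged, but the result code is left
     * untouched, so an unindexed attribute does not veto the change.
     *
     * @param cfg the new configuration
     * @return the change result, carrying any unindexed-attribute warnings as messages
     */
    @Override
    public ConfigChangeResult applyConfigurationChange(FingerprintCertificateMapperCfg cfg) {
        ConfigChangeResult result = new ConfigChangeResult();
        String algorithm = toDigestAlgorithmName(cfg);
        // A freshly constructed result presumably reports SUCCESS, so the settings are adopted
        // unconditionally today; the check is kept so a validation step inserted above that
        // sets a failure code is honoured.
        if (result.getResultCode() == ResultCode.SUCCESS) {
            this.fingerprintAlgorithm = algorithm;
            this.currentConfig = cfg;
        }
        BackendConfigManager backendConfigManager = DirectoryServer.getInstance().getServerContext().getBackendConfigManager();
        for (LocalizableMessage warning : unindexedAttributeWarnings(cfg, backendConfigManager)) {
            result.addMessage(warning);
            logger.error(warning);
        }
        return result;
    }
}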
