package org.opends.server.extensions;

import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.i18n.LocalizableMessageDescriptor;
import org.forgerock.i18n.LocalizedIllegalArgumentException;
import org.forgerock.i18n.slf4j.LocalizedLogger;
import org.forgerock.opendj.config.server.ConfigChangeResult;
import org.forgerock.opendj.config.server.ConfigException;
import org.forgerock.opendj.config.server.ConfigurationChangeListener;
import org.forgerock.opendj.ldap.AVA;
import org.forgerock.opendj.ldap.DN;
import org.forgerock.opendj.ldap.RDN;
import org.forgerock.opendj.ldap.ResultCode;
import org.forgerock.opendj.ldap.SearchScope;
import org.forgerock.opendj.ldap.schema.AttributeType;
import org.forgerock.opendj.server.config.server.CertificateMapperCfg;
import org.forgerock.opendj.server.config.server.SubjectAttributeToUserAttributeCertificateMapperCfg;
import org.opends.messages.ExtensionMessages;
import org.opends.server.api.CertificateMapper;
import org.opends.server.api.LocalBackend;
import org.opends.server.core.BackendConfigManager;
import org.opends.server.core.DirectoryServer;
import org.opends.server.core.ServerContext;
import org.opends.server.protocols.internal.InternalClientConnection;
import org.opends.server.protocols.internal.InternalSearchOperation;
import org.opends.server.protocols.internal.Requests;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
import org.opends.server.types.IndexType;
import org.opends.server.types.InitializationException;
import org.opends.server.types.SearchFilter;
import org.opends.server.types.SearchResultEntry;
import org.opends.server.util.CollectionUtils;
import org.opends.server.util.StaticUtils;
import org.slf4j.Marker;

/* JADX WARN: Classes with same name are omitted:
  input_file:embedded-opendj/opendj.zip:opendj/lib/opendj.jar:org/opends/server/extensions/SubjectAttributeToUserAttributeCertificateMapper.class
 */
/* loaded from: input_file:embedded-opendj/opendj.zip:opendj/lib/org.openidentityplatform.opendj.opendj-server-legacy.jar:org/opends/server/extensions/SubjectAttributeToUserAttributeCertificateMapper.class */
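/**
 * Certificate mapper that identifies the user entry for a client certificate by matching
 * attributes of the certificate's subject DN against attributes of user entries.
 *
 * <p>The configuration supplies {@code certAttr:userAttr} pairs. For every subject attribute
 * that has a mapping, an equality filter on the corresponding user attribute is built; the
 * filters are ANDed together and searched for under each configured base DN. Exactly one
 * matching entry is accepted; several matches are rejected with
 * {@code INVALID_CREDENTIALS}, and no match yields {@code null}.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Only the subject DN of the first certificate in the presented array is consulted.
 *       NOTE(review): nothing in this class validates the chain, so trust validation is
 *       presumably done by the TLS layer before the mapper is called. Confirm.</li>
 *   <li>The mapping is only as strong as the mapped attributes. The configured user
 *       attributes should be unique per user, and the issuing CA should be the only party
 *       able to choose the corresponding subject values.</li>
 * </ul>
 */
public class SubjectAttributeToUserAttributeCertificateMapper extends CertificateMapper<SubjectAttributeToUserAttributeCertificateMapperCfg> implements ConfigurationChangeListener<SubjectAttributeToUserAttributeCertificateMapperCfg> {
    private static final LocalizedLogger logger = LocalizedLogger.getLoggerForThisClass();

    /** Normalized subject attribute name mapped to the user-entry attribute type it is matched against. */
    private LinkedHashMap<String, AttributeType> attributeMap;

    /** Configuration currently in effect; replaced only when a change is applied successfully. */
    private SubjectAttributeToUserAttributeCertificateMapperCfg currentConfig;

    /** Attribute selectors sent with every mapping search. */
    private LinkedHashSet<String> requestedAttributes;

    /**
     * Registers this mapper as a change listener, validates the attribute mapping and warns
     * about mapped user attributes that lack an equality index.
     *
     * @param subjectAttributeToUserAttributeCertificateMapperCfg the initial configuration
     * @throws ConfigException if the attribute mapping is malformed (first reported message)
     * @throws InitializationException declared by the overridden method; not thrown here
     */
    @Override // org.opends.server.api.CertificateMapper
    public void initializeCertificateMapper(SubjectAttributeToUserAttributeCertificateMapperCfg subjectAttributeToUserAttributeCertificateMapperCfg) throws ConfigException, InitializationException {
        subjectAttributeToUserAttributeCertificateMapperCfg.addSubjectAttributeToUserAttributeChangeListener(this);
        this.currentConfig = subjectAttributeToUserAttributeCertificateMapperCfg;

        ConfigChangeResult validation = new ConfigChangeResult();
        this.attributeMap = buildAttributeMap(subjectAttributeToUserAttributeCertificateMapperCfg, validation);
        List<LocalizableMessage> problems = validation.getMessages();
        if (!problems.isEmpty()) {
            // buildAttributeMap returned null; refuse to start with an invalid mapping.
            throw new ConfigException(problems.iterator().next());
        }

        // An unindexed equality search makes every certificate bind expensive and likely to
        // hit the search limits used in mapCertificateToUser, so surface it at start-up.
        BackendConfigManager backendConfigManager = getServerContext().getBackendConfigManager();
        for (DN baseDn : getUserBaseDNs(subjectAttributeToUserAttributeCertificateMapperCfg)) {
            for (AttributeType attributeType : this.attributeMap.values()) {
                LocalBackend<?> backend = backendConfigManager.findLocalBackendForEntry(baseDn);
                if (backend != null && !backend.isIndexed(attributeType, IndexType.EQUALITY)) {
                    // The decompiled listing wrapped these arguments in casts to unrelated
                    // types (DN to a message descriptor, String to DN); they are dropped here.
                    logger.warn(ExtensionMessages.WARN_SATUACM_ATTR_UNINDEXED, subjectAttributeToUserAttributeCertificateMapperCfg.dn(), attributeType.getNameOrOID(), backend.getBackendID());
                }
            }
        }

        // "*" selects all user attributes and "+" all operational attributes. The decompiled
        // listing spelled these via org.slf4j.Marker.ANY_MARKER / ANY_NON_NULL_MARKER, which
        // are the same two strings but have nothing to do with LDAP.
        this.requestedAttributes = CollectionUtils.newLinkedHashSet("*", "+");
    }

    /** Returns the server context of the running directory server instance. */
    private static ServerContext getServerContext() {
        return DirectoryServer.getInstance().getServerContext();
    }

    /** Deregisters this mapper from configuration change notifications. */
    @Override // org.opends.server.api.CertificateMapper
    public void finalizeCertificateMapper() {
        this.currentConfig.removeSubjectAttributeToUserAttributeChangeListener(this);
    }

    /**
     * Maps the peer certificate to a single user entry.
     *
     * @param certificateArr the certificates presented by the client; only element 0 is used
     * @return the unique matching entry, or {@code null} if no entry matched under any base DN
     * @throws DirectoryException with {@code INVALID_CREDENTIALS} if there is no usable X.509
     *         certificate, the subject cannot be decoded as a DN, no subject attribute has a
     *         mapping, or more than one entry matches; with the search's own result code if
     *         the search hit a time/admin limit or failed for another reason
     */
    @Override // org.opends.server.api.CertificateMapper
    public Entry mapCertificateToUser(Certificate[] certificateArr) throws DirectoryException {
        // Read both fields once so a concurrent configuration change cannot be observed
        // half-way through a mapping.
        SubjectAttributeToUserAttributeCertificateMapperCfg config = this.currentConfig;
        LinkedHashMap<String, AttributeType> mapping = this.attributeMap;

        // A null first element is treated like a missing certificate instead of failing
        // with a NullPointerException further down.
        if (certificateArr == null || certificateArr.length == 0 || certificateArr[0] == null) {
            throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, ExtensionMessages.ERR_SATUACM_NO_PEER_CERTIFICATE.get());
        }

        // Explicit type check instead of catching ClassCastException around the whole method:
        // the broad catch would also have reported an unrelated cast failure inside the
        // search path as "peer certificate is not X.509".
        if (!(certificateArr[0] instanceof X509Certificate)) {
            throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, ExtensionMessages.ERR_SATUACM_PEER_CERT_NOT_X509.get(certificateArr[0].getType()));
        }
        String subjectName = ((X509Certificate) certificateArr[0]).getSubjectX500Principal().getName("RFC2253");

        try {
            DN subjectDn = DN.valueOf(subjectName);

            // Certificate-controlled values only ever reach the search as typed equality
            // assertions; no filter string is assembled from them.
            List<SearchFilter> components = new LinkedList<>();
            for (RDN rdn : subjectDn) {
                for (AVA ava : rdn) {
                    AttributeType userAttribute = mapping.get(normalizeAttributeName(ava.getAttributeName()));
                    if (userAttribute != null) {
                        components.add(SearchFilter.createEqualityFilter(userAttribute, ava.getAttributeValue()));
                    }
                }
            }
            if (components.isEmpty()) {
                throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, ExtensionMessages.ERR_SATUACM_NO_MAPPABLE_ATTRIBUTES.get(subjectDn));
            }
            SearchFilter filter = SearchFilter.createANDFilter(components);

            SearchResultEntry match = null;
            // NOTE(review): the search goes through the internal root connection, so it is
            // presumably not subject to the connecting client's access rights. Confirm.
            InternalClientConnection rootConnection = InternalClientConnection.getRootConnection();
            for (DN baseDn : getUserBaseDNs(config)) {
                // Size limit 1: a second match surfaces as SIZE_LIMIT_EXCEEDED and is rejected
                // as ambiguous. The time limit of 10 is presumably in seconds.
                InternalSearchOperation search = rootConnection.processSearch(Requests.newSearchRequest(baseDn, SearchScope.WHOLE_SUBTREE, filter, new String[0]).setSizeLimit(1).setTimeLimit(10).addAttribute(this.requestedAttributes));
                switch (search.getResultCode().asEnum()) {
                    case SUCCESS:
                    case NO_SUCH_OBJECT:
                        // Fix: the listing had no break here, so every successful search fell
                        // through into the SIZE_LIMIT_EXCEEDED throw and no certificate could
                        // ever be mapped. A missing base DN is simply skipped.
                        break;
                    case SIZE_LIMIT_EXCEEDED:
                        throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, ExtensionMessages.ERR_SATUACM_MULTIPLE_SEARCH_MATCHING_ENTRIES.get(subjectDn));
                    case TIME_LIMIT_EXCEEDED:
                    case ADMIN_LIMIT_EXCEEDED:
                        throw new DirectoryException(search.getResultCode(), ExtensionMessages.ERR_SATUACM_INEFFICIENT_SEARCH.get(subjectDn, search.getErrorMessage()));
                    default:
                        throw new DirectoryException(search.getResultCode(), ExtensionMessages.ERR_SATUACM_SEARCH_FAILED.get(subjectDn, search.getErrorMessage()));
                }

                // "match" persists across base DNs, so a hit under one base DN plus a hit
                // under another is rejected as ambiguous as well.
                for (SearchResultEntry candidate : search.getSearchEntries()) {
                    if (match != null) {
                        throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, ExtensionMessages.ERR_SATUACM_MULTIPLE_MATCHING_ENTRIES.get(subjectDn, match.getName(), candidate.getName()));
                    }
                    match = candidate;
                }
            }
            return match;
        } catch (LocalizedIllegalArgumentException e) {
            throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, ExtensionMessages.ERR_SATUACM_CANNOT_DECODE_SUBJECT_AS_DN.get(subjectName, e.getMessageObject()), e);
        }
    }

    /**
     * Checks whether the given configuration could be used by this mapper.
     *
     * @param certificateMapperCfg the configuration to check; cast to this mapper's
     *        configuration type
     * @param list receives the reasons when the configuration is not acceptable
     * @return {@code true} if the attribute mapping in the configuration is valid
     */
    @Override // org.opends.server.api.CertificateMapper
    public boolean isConfigurationAcceptable(CertificateMapperCfg certificateMapperCfg, List<LocalizableMessage> list) {
        return isConfigurationChangeAcceptable2((SubjectAttributeToUserAttributeCertificateMapperCfg) certificateMapperCfg, list);
    }

    /**
     * Validates the attribute mapping of a proposed configuration without applying it.
     *
     * <p>The {@code 2} suffix was introduced by the decompiler to avoid a signature collision
     * with {@link #isConfigurationChangeAcceptable}; the name is kept for existing callers.
     *
     * @param subjectAttributeToUserAttributeCertificateMapperCfg the proposed configuration
     * @param list receives every validation message produced
     * @return {@code true} if validation left the result code at {@code SUCCESS}
     */
    public boolean isConfigurationChangeAcceptable2(SubjectAttributeToUserAttributeCertificateMapperCfg subjectAttributeToUserAttributeCertificateMapperCfg, List<LocalizableMessage> list) {
        ConfigChangeResult validation = new ConfigChangeResult();
        buildAttributeMap(subjectAttributeToUserAttributeCertificateMapperCfg, validation);
        list.addAll(validation.getMessages());
        return ResultCode.SUCCESS.equals(validation.getResultCode());
    }

    /**
     * Applies a new configuration. The mapping and configuration are swapped in only when
     * validation succeeded; otherwise the previous ones stay in effect.
     *
     * @param subjectAttributeToUserAttributeCertificateMapperCfg the new configuration
     * @return the result of the change, including any warnings about unindexed attributes
     */
    @Override // org.forgerock.opendj.config.server.ConfigurationChangeListener
    public ConfigChangeResult applyConfigurationChange(SubjectAttributeToUserAttributeCertificateMapperCfg subjectAttributeToUserAttributeCertificateMapperCfg) {
        ConfigChangeResult result = new ConfigChangeResult();
        LinkedHashMap<String, AttributeType> newAttributeMap = buildAttributeMap(subjectAttributeToUserAttributeCertificateMapperCfg, result);
        if (newAttributeMap == null) {
            // Fix: buildAttributeMap returns null for an invalid mapping; the listing went on
            // to call values() on it and failed with a NullPointerException instead of
            // reporting the constraint violation already recorded in the result.
            return result;
        }

        BackendConfigManager backendConfigManager = getServerContext().getBackendConfigManager();
        for (DN baseDn : getUserBaseDNs(subjectAttributeToUserAttributeCertificateMapperCfg)) {
            for (AttributeType attributeType : newAttributeMap.values()) {
                LocalBackend<?> backend = backendConfigManager.findLocalBackendForEntry(baseDn);
                if (backend != null && !backend.isIndexed(attributeType, IndexType.EQUALITY)) {
                    // Reported as a message only: the result code is not changed, so an
                    // unindexed attribute does not block the configuration change.
                    LocalizableMessage warning = ExtensionMessages.WARN_SATUACM_ATTR_UNINDEXED.get(subjectAttributeToUserAttributeCertificateMapperCfg.dn(), attributeType.getNameOrOID(), backend.getBackendID());
                    result.addMessage(warning);
                    logger.error(warning);
                }
            }
        }

        if (result.getResultCode() == ResultCode.SUCCESS) {
            this.attributeMap = newAttributeMap;
            this.currentConfig = subjectAttributeToUserAttributeCertificateMapperCfg;
        }
        return result;
    }

    /**
     * Returns the base DNs to search for user entries: the configured ones, or, when none are
     * configured, the naming contexts selected by the {@code PUBLIC} and {@code TOP_LEVEL}
     * filters.
     */
    private Set<DN> getUserBaseDNs(SubjectAttributeToUserAttributeCertificateMapperCfg subjectAttributeToUserAttributeCertificateMapperCfg) {
        Set<DN> baseDns = subjectAttributeToUserAttributeCertificateMapperCfg.getUserBaseDN();
        if (baseDns == null || baseDns.isEmpty()) {
            baseDns = getServerContext().getBackendConfigManager().getNamingContexts(BackendConfigManager.NamingContextFilter.PUBLIC, BackendConfigManager.NamingContextFilter.TOP_LEVEL);
        }
        return baseDns;
    }

    /**
     * Parses the configured {@code certAttr:userAttr} mappings.
     *
     * <p>Each value is lower-cased and split at its first colon. A value is rejected when the
     * colon is missing or leading, either side is blank, the subject attribute or the user
     * attribute is already mapped, or the user attribute is not defined in the schema.
     *
     * @param subjectAttributeToUserAttributeCertificateMapperCfg the configuration to read
     * @param configChangeResult receives {@code CONSTRAINT_VIOLATION} and a message for the
     *        first invalid value
     * @return the mapping in configuration order, or {@code null} if any value was invalid
     */
    private LinkedHashMap<String, AttributeType> buildAttributeMap(SubjectAttributeToUserAttributeCertificateMapperCfg subjectAttributeToUserAttributeCertificateMapperCfg, ConfigChangeResult configChangeResult) {
        LinkedHashMap<String, AttributeType> mapping = new LinkedHashMap<>();
        for (String rawMapping : subjectAttributeToUserAttributeCertificateMapperCfg.getSubjectAttributeMapping()) {
            String lowered = StaticUtils.toLowerCase(rawMapping);
            int colon = lowered.indexOf(':');
            if (colon <= 0) {
                configChangeResult.setResultCodeIfSuccess(ResultCode.CONSTRAINT_VIOLATION);
                configChangeResult.addMessage(ExtensionMessages.ERR_SATUACM_INVALID_MAP_FORMAT.get(subjectAttributeToUserAttributeCertificateMapperCfg.dn(), rawMapping));
                return null;
            }
            String certAttrName = lowered.substring(0, colon).trim();
            String userAttrName = lowered.substring(colon + 1).trim();
            if (certAttrName.isEmpty() || userAttrName.isEmpty()) {
                configChangeResult.setResultCodeIfSuccess(ResultCode.CONSTRAINT_VIOLATION);
                configChangeResult.addMessage(ExtensionMessages.ERR_SATUACM_INVALID_MAP_FORMAT.get(subjectAttributeToUserAttributeCertificateMapperCfg.dn(), rawMapping));
                return null;
            }
            String normalizedCertAttr = normalizeAttributeName(certAttrName);
            if (mapping.containsKey(normalizedCertAttr)) {
                configChangeResult.setResultCodeIfSuccess(ResultCode.CONSTRAINT_VIOLATION);
                configChangeResult.addMessage(ExtensionMessages.ERR_SATUACM_DUPLICATE_CERT_ATTR.get(subjectAttributeToUserAttributeCertificateMapperCfg.dn(), normalizedCertAttr));
                return null;
            }
            AttributeType userAttrType = getServerContext().getSchema().getAttributeType(userAttrName);
            if (userAttrType.isPlaceHolder()) {
                // A placeholder type means the schema does not define this attribute.
                configChangeResult.setResultCodeIfSuccess(ResultCode.CONSTRAINT_VIOLATION);
                configChangeResult.addMessage(ExtensionMessages.ERR_SATUACM_NO_SUCH_ATTR.get(rawMapping, subjectAttributeToUserAttributeCertificateMapperCfg.dn(), userAttrName));
                return null;
            }
            if (mapping.containsValue(userAttrType)) {
                configChangeResult.setResultCodeIfSuccess(ResultCode.CONSTRAINT_VIOLATION);
                configChangeResult.addMessage(ExtensionMessages.ERR_SATUACM_DUPLICATE_USER_ATTR.get(subjectAttributeToUserAttributeCertificateMapperCfg.dn(), userAttrType.getNameOrOID()));
                return null;
            }
            mapping.put(normalizedCertAttr, userAttrType);
        }
        return mapping;
    }

    /**
     * Resolves an attribute name through the server schema and returns the lower-cased name
     * or OID of the resulting type, so that spellings the schema resolves to the same
     * attribute type produce the same map key.
     */
    private static String normalizeAttributeName(String str) {
        return StaticUtils.toLowerCase(getServerContext().getSchema().getAttributeType(str).getNameOrOID());
    }

    /**
     * Change-listener entry point for validating a proposed configuration; delegates to
     * {@link #isConfigurationChangeAcceptable2}. The decompiler emitted this as a raw-typed
     * bridge method; the element type of the list is restored here.
     */
    @Override // org.forgerock.opendj.config.server.ConfigurationChangeListener
    public boolean isConfigurationChangeAcceptable(SubjectAttributeToUserAttributeCertificateMapperCfg subjectAttributeToUserAttributeCertificateMapperCfg, List<LocalizableMessage> list) {
        return isConfigurationChangeAcceptable2(subjectAttributeToUserAttributeCertificateMapperCfg, list);
    }
}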
