package org.opends.server.extensions;

import java.util.List;
import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.i18n.LocalizedIllegalArgumentException;
import org.forgerock.i18n.slf4j.LocalizedLogger;
import org.forgerock.opendj.config.server.ConfigChangeResult;
import org.forgerock.opendj.config.server.ConfigException;
import org.forgerock.opendj.config.server.ConfigurationChangeListener;
import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.DN;
import org.forgerock.opendj.ldap.ResultCode;
import org.forgerock.opendj.server.config.server.PlainSASLMechanismHandlerCfg;
import org.forgerock.opendj.server.config.server.SASLMechanismHandlerCfg;
import org.opends.messages.CoreMessages;
import org.opends.messages.ExtensionMessages;
import org.opends.server.api.AuthenticationPolicyState;
import org.opends.server.api.IdentityMapper;
import org.opends.server.api.SASLMechanismHandler;
import org.opends.server.core.BindOperation;
import org.opends.server.core.DirectoryServer;
import org.opends.server.protocols.internal.InternalClientConnection;
import org.opends.server.types.AuthenticationInfo;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
import org.opends.server.types.InitializationException;
import org.opends.server.types.Privilege;
import org.opends.server.util.StaticUtils;

/* loaded from: input_file:WEB-INF/lib/opendj.jar:org/opends/server/extensions/PlainSASLMechanismHandler.class */
/**
 * Handles LDAP SASL bind requests that use the PLAIN mechanism.
 *
 * <p>The credential blob is parsed as {@code [authzid] NUL authcid NUL password}
 * (the RFC 4616 layout). The authentication identity is resolved to a directory
 * entry, an optional authorization identity is resolved and checked against the
 * {@code PROXIED_AUTH} privilege, and the password is then verified through
 * {@link AuthenticationPolicyState}.
 *
 * <p>Points a reviewer should keep in mind:
 * <ul>
 *   <li>{@link #isSecure(String)} returns {@code false}: the password travels as
 *       plain text inside the credentials, so confidentiality has to come from the
 *       connection itself. NOTE(review): confirm that callers use this flag to
 *       refuse PLAIN on unprotected connections.</li>
 *   <li>Every failure path sets {@code INVALID_CREDENTIALS}; only the failure
 *       reason differs (unknown identity, wrong password, disabled account).
 *       NOTE(review): confirm the failure reason is only written to server-side
 *       logs and never returned to the client.</li>
 *   <li>{@code identityMapper} and {@code currentConfig} are plain fields that
 *       {@link #applyConfigurationChange} reassigns; no synchronization is visible
 *       in this class. NOTE(review): confirm how the server serializes
 *       configuration changes against in-flight binds.</li>
 *   <li>{@code identityMapper} is used without a null check. NOTE(review): confirm
 *       {@code DirectoryServer.getIdentityMapper} cannot return {@code null} for
 *       the configured DN.</li>
 * </ul>
 */
public class PlainSASLMechanismHandler extends SASLMechanismHandler<PlainSASLMechanismHandlerCfg> implements ConfigurationChangeListener<PlainSASLMechanismHandlerCfg> {
    private static final LocalizedLogger logger = LocalizedLogger.getLoggerForThisClass();

    /** Mechanism name used for (de)registration and recorded in the resulting authentication info. */
    private static final String MECHANISM_NAME = "PLAIN";

    /** Maps a bare user name ({@code u:} form or no prefix) to a directory entry. */
    private IdentityMapper<?> identityMapper;

    /** Configuration this handler is currently listening on. */
    private PlainSASLMechanismHandlerCfg currentConfig;

    /**
     * Registers this handler for the PLAIN mechanism and starts listening for
     * changes to the supplied configuration.
     *
     * @param plainSASLMechanismHandlerCfg the handler configuration; supplies the identity mapper DN
     * @throws ConfigException declared by the overridden method; not thrown by the visible code
     * @throws InitializationException declared by the overridden method; not thrown by the visible code
     */
    @Override
    public void initializeSASLMechanismHandler(PlainSASLMechanismHandlerCfg plainSASLMechanismHandlerCfg) throws ConfigException, InitializationException {
        plainSASLMechanismHandlerCfg.addPlainChangeListener(this);
        this.currentConfig = plainSASLMechanismHandlerCfg;

        final DN mapperDn = plainSASLMechanismHandlerCfg.getIdentityMapperDN();
        this.identityMapper = DirectoryServer.getIdentityMapper(mapperDn);

        DirectoryServer.registerSASLMechanismHandler(MECHANISM_NAME, this);
    }

    /** Stops listening for configuration changes and deregisters the PLAIN mechanism. */
    @Override
    public void finalizeSASLMechanismHandler() {
        this.currentConfig.removePlainChangeListener(this);
        DirectoryServer.deregisterSASLMechanismHandler(MECHANISM_NAME);
    }

    /**
     * Processes one SASL PLAIN bind.
     *
     * <p>On success the operation gets {@code SUCCESS} and an
     * {@link AuthenticationInfo} that carries the authentication entry, the
     * authorization entry ({@code null} when an empty authorization identity was
     * requested) and the raw SASL credentials. On any failure the operation gets
     * {@code INVALID_CREDENTIALS} plus a failure reason, and the method returns
     * without setting authentication info.
     *
     * @param bindOperation the bind being processed; its result is set in place
     */
    @Override
    public void processSASLBind(BindOperation bindOperation) {
        final ByteString saslCredentials = bindOperation.getSASLCredentials();
        if (saslCredentials == null) {
            rejectBind(bindOperation, ExtensionMessages.ERR_SASLPLAIN_NO_SASL_CREDENTIALS.get());
            return;
        }

        // Split "[authzid] NUL authcid NUL password" on the first two NUL characters.
        // The password keeps everything after the second NUL, including further NULs.
        final String credentials = saslCredentials.toString();
        final int firstNul = credentials.indexOf(0);
        if (firstNul < 0) {
            rejectBind(bindOperation, ExtensionMessages.ERR_SASLPLAIN_NO_NULLS_IN_CREDENTIALS.get());
            return;
        }
        final int secondNul = credentials.indexOf(0, firstNul + 1);
        if (secondNul < 0) {
            rejectBind(bindOperation, ExtensionMessages.ERR_SASLPLAIN_NO_SECOND_NULL.get());
            return;
        }
        if (secondNul == firstNul + 1) {
            rejectBind(bindOperation, ExtensionMessages.ERR_SASLPLAIN_ZERO_LENGTH_AUTHCID.get());
            return;
        }
        if (secondNul == credentials.length() - 1) {
            // An empty password is refused before any entry lookup takes place.
            rejectBind(bindOperation, ExtensionMessages.ERR_SASLPLAIN_ZERO_LENGTH_PASSWORD.get());
            return;
        }

        // A leading NUL means no authorization identity was supplied.
        final String authzId = firstNul > 0 ? credentials.substring(0, firstNul) : null;
        String authcId = credentials.substring(firstNul + 1, secondNul);
        // The password lives in an immutable String and cannot be wiped after use.
        final String password = credentials.substring(secondNul + 1);

        // Resolve the authentication identity to an entry.
        Entry authnEntry;
        final String authcIdLower = StaticUtils.toLowerCase(authcId);
        if (authcIdLower.startsWith("dn:")) {
            try {
                DN authnDn = DN.valueOf(authcId.substring(3));
                if (authnDn.isRootDN()) {
                    // "dn:" with nothing usable after it cannot be authenticated.
                    rejectBind(bindOperation, ExtensionMessages.ERR_SASLPLAIN_AUTHCID_IS_NULL_DN.get());
                    return;
                }
                // An alternate root bind DN is swapped for the DN the server reports as actual.
                final DN actualAuthnDn = DirectoryServer.getActualRootBindDN(authnDn);
                if (actualAuthnDn != null) {
                    authnDn = actualAuthnDn;
                }
                try {
                    authnEntry = DirectoryServer.getEntry(authnDn);
                } catch (DirectoryException lookupFailure) {
                    logger.traceException(lookupFailure);
                    rejectBind(bindOperation, ExtensionMessages.ERR_SASLPLAIN_CANNOT_GET_ENTRY_BY_DN.get(authnDn, lookupFailure.getMessageObject()));
                    return;
                }
            } catch (LocalizedIllegalArgumentException malformedDn) {
                logger.traceException(malformedDn);
                rejectBind(bindOperation, ExtensionMessages.ERR_SASLPLAIN_CANNOT_DECODE_AUTHCID_AS_DN.get(authcId, malformedDn.getMessageObject()));
                return;
            }
        } else {
            // "u:name" and a bare "name" are both handed to the identity mapper.
            if (authcIdLower.startsWith("u:")) {
                authcId = authcId.substring(2);
            }
            try {
                authnEntry = this.identityMapper.getEntryForID(authcId);
            } catch (DirectoryException mappingFailure) {
                logger.traceException(mappingFailure);
                rejectBind(bindOperation, ExtensionMessages.ERR_SASLPLAIN_CANNOT_MAP_USERNAME.get(authcId, mappingFailure.getMessageObject()));
                return;
            }
        }
        if (authnEntry == null) {
            rejectBind(bindOperation, ExtensionMessages.ERR_SASLPLAIN_NO_MATCHING_ENTRIES.get(authcId));
            return;
        }
        bindOperation.setSASLAuthUserEntry(authnEntry);

        // Resolve the authorization identity; without one the user acts as itself.
        // Acting as anyone else requires PROXIED_AUTH on the authenticating entry.
        // These checks run before the password is verified further down.
        Entry authzEntry = authnEntry;
        if (authzId != null) {
            final String authzIdLower = StaticUtils.toLowerCase(authzId);
            if (authzIdLower.startsWith("dn:")) {
                try {
                    DN authzDn = DN.valueOf(authzId.substring(3));
                    final DN actualAuthzDn = DirectoryServer.getActualRootBindDN(authzDn);
                    if (actualAuthzDn != null) {
                        authzDn = actualAuthzDn;
                    }
                    if (!authzDn.equals(authnEntry.getName())) {
                        if (!hasProxiedAuthPrivilege(authnEntry, bindOperation)) {
                            rejectBind(bindOperation, ExtensionMessages.ERR_SASLPLAIN_AUTHZID_INSUFFICIENT_PRIVILEGES.get(authnEntry.getName()));
                            return;
                        }
                        if (authzDn.isRootDN()) {
                            // Empty authorization DN: no authorization entry is recorded.
                            authzEntry = null;
                        } else {
                            try {
                                authzEntry = DirectoryServer.getEntry(authzDn);
                                if (authzEntry == null) {
                                    rejectBind(bindOperation, ExtensionMessages.ERR_SASLPLAIN_AUTHZID_NO_SUCH_ENTRY.get(authzDn));
                                    return;
                                }
                            } catch (DirectoryException lookupFailure) {
                                logger.traceException(lookupFailure);
                                rejectBind(bindOperation, ExtensionMessages.ERR_SASLPLAIN_AUTHZID_CANNOT_GET_ENTRY.get(authzDn, lookupFailure.getMessageObject()));
                                return;
                            }
                        }
                    }
                } catch (LocalizedIllegalArgumentException malformedDn) {
                    logger.traceException(malformedDn);
                    rejectBind(bindOperation, ExtensionMessages.ERR_SASLPLAIN_AUTHZID_INVALID_DN.get(authzId, malformedDn.getMessageObject()));
                    return;
                }
            } else {
                final String authzName = authzIdLower.startsWith("u:") ? authzId.substring(2) : authzId;
                if (authzName.isEmpty()) {
                    // "u:" with no name: no authorization entry is recorded.
                    authzEntry = null;
                } else {
                    try {
                        authzEntry = this.identityMapper.getEntryForID(authzName);
                        if (authzEntry == null) {
                            rejectBind(bindOperation, ExtensionMessages.ERR_SASLPLAIN_AUTHZID_NO_MAPPED_ENTRY.get(authzId));
                            return;
                        }
                    } catch (DirectoryException mappingFailure) {
                        logger.traceException(mappingFailure);
                        rejectBind(bindOperation, ExtensionMessages.ERR_SASLPLAIN_AUTHZID_CANNOT_MAP_AUTHZID.get(authzId, mappingFailure.getMessageObject()));
                        return;
                    }
                }
                // The privilege is only consulted when the identities differ.
                final boolean actsAsSomeoneElse = authzEntry == null || !authzEntry.getName().equals(authnEntry.getName());
                if (actsAsSomeoneElse && !hasProxiedAuthPrivilege(authnEntry, bindOperation)) {
                    rejectBind(bindOperation, ExtensionMessages.ERR_SASLPLAIN_AUTHZID_INSUFFICIENT_PRIVILEGES.get(authnEntry.getName()));
                    return;
                }
            }
        }

        // Verify the password against the authenticating entry's policy state.
        try {
            final AuthenticationPolicyState policyState = AuthenticationPolicyState.forUser(authnEntry, false);
            if (policyState.isDisabled()) {
                rejectBind(bindOperation, CoreMessages.ERR_BIND_OPERATION_ACCOUNT_DISABLED.get());
                return;
            }
            if (!policyState.passwordMatches(ByteString.valueOfUtf8(password))) {
                rejectBind(bindOperation, ExtensionMessages.ERR_SASLPLAIN_INVALID_PASSWORD.get());
                return;
            }
            bindOperation.setResultCode(ResultCode.SUCCESS);
            bindOperation.setAuthenticationInfo(new AuthenticationInfo(authnEntry, authzEntry, MECHANISM_NAME, bindOperation.getSASLCredentials(), DirectoryServer.isRootDN(authnEntry.getName())));
        } catch (Exception checkFailure) {
            // Any failure while checking the password is treated as a failed bind.
            logger.traceException(checkFailure);
            rejectBind(bindOperation, ExtensionMessages.ERR_SASLPLAIN_CANNOT_CHECK_PASSWORD_VALIDITY.get(authnEntry.getName(), checkFailure));
        }
    }

    /**
     * Marks the bind as failed with {@code INVALID_CREDENTIALS} and records why.
     *
     * @param bindOperation the bind to fail
     * @param reason the failure reason to attach to the operation
     */
    private static void rejectBind(BindOperation bindOperation, LocalizableMessage reason) {
        bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
        bindOperation.setAuthFailureReason(reason);
    }

    /**
     * Reports whether the authenticating entry holds the {@code PROXIED_AUTH} privilege.
     *
     * @param authnEntry the entry that is authenticating
     * @param bindOperation the bind passed to the privilege check
     * @return {@code true} if the privilege check succeeds
     */
    private static boolean hasProxiedAuthPrivilege(Entry authnEntry, BindOperation bindOperation) {
        final AuthenticationInfo authnInfo = new AuthenticationInfo(authnEntry, DirectoryServer.isRootDN(authnEntry.getName()));
        return new InternalClientConnection(authnInfo).hasPrivilege(Privilege.PROXIED_AUTH, bindOperation);
    }

    /**
     * Reports that this mechanism is password based.
     *
     * @param str ignored by this implementation (presumably the mechanism name)
     * @return always {@code true}
     */
    @Override
    public boolean isPasswordBased(String str) {
        return true;
    }

    /**
     * Reports that this mechanism is not secure on its own.
     *
     * @param str ignored by this implementation (presumably the mechanism name)
     * @return always {@code false}
     */
    @Override
    public boolean isSecure(String str) {
        return false;
    }

    /**
     * Checks a generic SASL handler configuration by casting it to the PLAIN
     * configuration type and delegating.
     *
     * @param sASLMechanismHandlerCfg the configuration to check; must be a {@link PlainSASLMechanismHandlerCfg}
     * @param list receives the reasons the configuration is unacceptable (never written to here)
     * @return the result of {@link #isConfigurationChangeAcceptable2}
     */
    @Override
    public boolean isConfigurationAcceptable(SASLMechanismHandlerCfg sASLMechanismHandlerCfg, List<LocalizableMessage> list) {
        final PlainSASLMechanismHandlerCfg plainCfg = (PlainSASLMechanismHandlerCfg) sASLMechanismHandlerCfg;
        return isConfigurationChangeAcceptable2(plainCfg, list);
    }

    /**
     * Accepts every proposed configuration without inspecting it.
     *
     * <p>Decompiler note: renamed from {@code isConfigurationChangeAcceptable} to avoid
     * a collision with the bridge method of the same name.
     *
     * <p>NOTE(review): the identity mapper DN is not validated here, so a DN that
     * does not resolve to a mapper would be accepted at this point.
     *
     * @param plainSASLMechanismHandlerCfg the proposed configuration (unused)
     * @param list receives unacceptable reasons (unused)
     * @return always {@code true}
     */
    public boolean isConfigurationChangeAcceptable2(PlainSASLMechanismHandlerCfg plainSASLMechanismHandlerCfg, List<LocalizableMessage> list) {
        return true;
    }

    /**
     * Switches to the identity mapper named by the new configuration and keeps the
     * new configuration as current.
     *
     * @param plainSASLMechanismHandlerCfg the configuration to apply
     * @return a freshly created, otherwise untouched {@link ConfigChangeResult}
     */
    @Override
    public ConfigChangeResult applyConfigurationChange(PlainSASLMechanismHandlerCfg plainSASLMechanismHandlerCfg) {
        final ConfigChangeResult changeResult = new ConfigChangeResult();
        final DN mapperDn = plainSASLMechanismHandlerCfg.getIdentityMapperDN();
        this.identityMapper = DirectoryServer.getIdentityMapper(mapperDn);
        this.currentConfig = plainSASLMechanismHandlerCfg;
        return changeResult;
    }

    /**
     * Bridge for the listener interface; forwards to
     * {@link #isConfigurationChangeAcceptable2}. The raw {@code List} parameter comes
     * from decompilation.
     *
     * @param plainSASLMechanismHandlerCfg the proposed configuration
     * @param list receives unacceptable reasons
     * @return the result of {@link #isConfigurationChangeAcceptable2}
     */
    @Override
    public /* bridge */ /* synthetic */ boolean isConfigurationChangeAcceptable(PlainSASLMechanismHandlerCfg plainSASLMechanismHandlerCfg, List list) {
        final List<LocalizableMessage> reasons = (List<LocalizableMessage>) list;
        return isConfigurationChangeAcceptable2(plainSASLMechanismHandlerCfg, reasons);
    }
}
