package com.hazelcast.security.loginimpl;

import com.hazelcast.config.security.LdapRoleMappingMode;
import com.hazelcast.config.security.LdapSearchScope;
import com.hazelcast.internal.util.StringUtil;
import com.hazelcast.security.ClusterLoginModule;
import com.hazelcast.security.impl.LdapUtils;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Properties;
import java.util.Set;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.LdapName;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.opensaml.soap.wssecurity.Password;

/* loaded from: input_file:WEB-INF/lib/hazelcast-jet-enterprise-4.3.jar:com/hazelcast/security/loginimpl/BasicLdapLoginModule.class */
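/**
 * JAAS {@link ClusterLoginModule} that authenticates a caller against an LDAP directory and
 * resolves the caller's roles from it.
 *
 * <p>Authentication is a single LDAP <em>simple bind</em> performed with the login name, taken
 * verbatim as the bind principal, and the password supplied through the callback handler. In
 * this basic module the login name is also used directly as the DN whose attributes are read
 * ({@link #setUserDnAndGetAttributes()}); subclasses may override that step.
 *
 * <p>Role resolution is skipped when {@code isSkipRole()} is true; otherwise it follows
 * {@code roleMappingMode}:
 * <ul>
 *   <li>{@code ATTRIBUTE} — role names are read from {@code roleMappingAttribute} on the user
 *       entry, optionally ({@code parseDN}) extracting the {@code roleNameAttribute} RDN values
 *       from DN-valued attributes;</li>
 *   <li>{@code DIRECT} — {@code roleMappingAttribute} on the user entry holds DNs of role objects,
 *       which are read and whose {@code roleNameAttribute} values become roles, recursively up to
 *       {@code roleRecursionMaxDepth};</li>
 *   <li>{@code REVERSE} — role objects are found by an LDAP search under {@code roleContext}
 *       using {@code roleFilter}, in which {@value #PLACEHOLDER_DN} is replaced by the DN of the
 *       member being resolved, again recursively up to {@code roleRecursionMaxDepth}.</li>
 * </ul>
 *
 * <p>Security notes for operators and maintainers:
 * <ul>
 *   <li>Nothing in this class forces TLS. Because a simple bind sends the password to the server,
 *       the provider URL / {@code java.naming.security.protocol} supplied via the login-module
 *       options must provide transport protection (e.g. {@code ldaps://}).</li>
 *   <li>An empty login name or password is rejected before the bind. This matters because a
 *       simple bind with an empty password is treated by many servers as an anonymous bind and
 *       would otherwise appear to "succeed".</li>
 *   <li>Every login-module option is copied into the JNDI environment; only the
 *       {@code java.naming.security.credentials} entry is masked when the environment is logged
 *       at FINEST level.</li>
 *   <li>NOTE(review): in {@code REVERSE} mode the member DN is substituted into the search filter
 *       by {@code LdapUtils.replacePlaceholders}. Whether that helper escapes LDAP filter
 *       metacharacters (RFC 4515) is not visible from this class; if it does plain text
 *       replacement, a DN containing e.g. {@code *} would act as a wildcard. Confirm against
 *       {@code LdapUtils} before relying on it with DNs that contain such characters.</li>
 * </ul>
 */
public class BasicLdapLoginModule extends ClusterLoginModule {
    /** Placeholder inside {@code roleFilter} that is replaced by the DN whose roles are searched. */
    public static final String PLACEHOLDER_DN = "{memberDN}";
    /** Option: attribute on the user entry whose value becomes the principal name. */
    public static final String OPTION_USER_NAME_ATTRIBUTE = "userNameAttribute";
    /** Option (ATTRIBUTE mode): whether role attribute values are DNs to be parsed for the role name. */
    public static final String OPTION_PARSE_DN = "parseDN";
    /** Option: one of the {@link LdapRoleMappingMode} values. */
    public static final String OPTION_ROLE_MAPPING_MODE = "roleMappingMode";
    /** Option: attribute that links users and role objects (meaning depends on the mode). */
    public static final String OPTION_ROLE_MAPPING_ATTRIBUTE = "roleMappingAttribute";
    /** Option (REVERSE mode): search base for role objects. */
    public static final String OPTION_ROLE_CONTEXT = "roleContext";
    /** Option (REVERSE mode): LDAP filter selecting role objects of {@value #PLACEHOLDER_DN}. */
    public static final String OPTION_ROLE_FILTER = "roleFilter";
    /** Option (DIRECT/REVERSE modes): maximum nesting depth of role-in-role lookups. */
    public static final String OPTION_ROLE_RECURSION_MAX_DEPTH = "roleRecursionMaxDepth";
    /** Option: attribute on a role object whose values are the role names. */
    public static final String OPTION_ROLE_NAME_ATTRIBUTE = "roleNameAttribute";
    /** Option (REVERSE mode): one of the {@link LdapSearchScope} values. */
    public static final String OPTION_ROLE_SEARCH_SCOPE = "roleSearchScope";
    public static final String DEFAULT_USER_NAME_ATTRIBUTE = "uid";
    public static final boolean DEFAULT_PARSE_DN = false;
    public static final int DEFAULT_ROLE_RECURSION_MAX_DEPTH = 1;

    /** Resolved principal name (value of {@code userNameAttribute} on the user entry). */
    protected String name;
    /** Login name as supplied by the callback handler; used as the bind principal. */
    protected String login;
    /**
     * Bind password as supplied by the callback handler. It is kept as a {@code String} for
     * compatibility with subclasses, which means it cannot be wiped from memory after use.
     */
    protected String password;
    /** DN of the authenticated user entry. */
    protected String userDN;
    protected String userNameAttribute;
    protected String roleMappingAttribute;
    protected LdapRoleMappingMode roleMappingMode;
    protected String roleNameAttribute;
    protected String roleFilter;
    protected String roleContext;
    protected LdapSearchScope roleSearchScope;
    protected boolean parseFromDN;
    protected int maxRecursionDepth;
    /** Attributes of the user entry, read right after the bind. */
    protected Attributes userAttributes;
    /** LDAP context bound as the user; open only for the duration of {@link #onLogin()}. */
    protected LdapContext ctx;
    /** DNs already visited during role resolution; guards against cycles in nested roles. */
    protected Set<String> visitedRoleDns;

    /**
     * Reads all login-module options into fields and warns about options that have no effect in
     * the configured role-mapping mode.
     */
    @Override
    public void onInitialize() {
        super.onInitialize();
        userNameAttribute = getStringOption(OPTION_USER_NAME_ATTRIBUTE, DEFAULT_USER_NAME_ATTRIBUTE);
        roleNameAttribute = getStringOption(OPTION_ROLE_NAME_ATTRIBUTE, null);
        roleMappingAttribute = getStringOption(OPTION_ROLE_MAPPING_ATTRIBUTE, null);
        roleMappingMode = getRoleMappingMode(OPTION_ROLE_MAPPING_MODE);
        // Default REVERSE filter: role objects whose mapping attribute points at the member DN.
        // If roleMappingAttribute is unset this yields "(null={memberDN})", so REVERSE mode needs
        // either roleMappingAttribute or an explicit roleFilter.
        roleFilter = getStringOption(OPTION_ROLE_FILTER, "(" + roleMappingAttribute + "=" + PLACEHOLDER_DN + ")");
        roleContext = getStringOption(OPTION_ROLE_CONTEXT, "");
        roleSearchScope = getSearchScope(OPTION_ROLE_SEARCH_SCOPE);
        parseFromDN = getBoolOption(OPTION_PARSE_DN, DEFAULT_PARSE_DN);
        maxRecursionDepth = getIntOption(OPTION_ROLE_RECURSION_MAX_DEPTH, DEFAULT_ROLE_RECURSION_MAX_DEPTH);
        visitedRoleDns = new HashSet<>();
        verifyOptions();
    }

    /**
     * Collects the credentials, binds to LDAP as the user, reads the user entry and resolves roles.
     *
     * @return {@code true} when the bind and the attribute lookup succeeded
     * @throws FailedLoginException when callbacks cannot be handled, credentials are missing, or
     *         any LDAP operation fails (the LDAP error text is included in the message)
     * @throws LoginException when the role-mapping mode is not one of the known values
     */
    @Override
    protected boolean onLogin() throws LoginException {
        NameCallback nameCallback = new NameCallback("Name");
        // The prompt is the plain string "Password"; the decompiled original had resolved it to an
        // unrelated OpenSAML constant, which dragged that library into this class for no reason.
        PasswordCallback passwordCallback = new PasswordCallback("Password", false);
        try {
            callbackHandler.handle(new Callback[]{nameCallback, passwordCallback});
            char[] secret = passwordCallback.getPassword();
            login = nameCallback.getName();
            password = secret == null ? null : new String(secret);
            // getPassword() hands back a copy; clearPassword() wipes only the callback's own buffer,
            // so zero our copy as well now that the String has been built.
            if (secret != null) {
                Arrays.fill(secret, '\0');
            }
            passwordCallback.clearPassword();
            if (StringUtil.isNullOrEmpty(password) || StringUtil.isNullOrEmpty(login)) {
                // Never let an empty password reach the bind: many servers treat a simple bind with
                // an empty password as anonymous and report success.
                throw new FailedLoginException("Both the login name and the password have to be provided.");
            }
            try {
                ctx = createLdapContext();
                try {
                    userAttributes = setUserDnAndGetAttributes();
                    name = LdapUtils.getAttributeValue(userAttributes, userNameAttribute);
                    if (!isSkipRole()) {
                        resolveRoles();
                    }
                    return true;
                } finally {
                    // Close on both the success and the failure path; a failure of close() itself
                    // surfaces as a NamingException below.
                    ctx.close();
                }
            } catch (NamingException e) {
                logger.finest(e);
                throw new FailedLoginException("Naming problem occured: " + e.getMessage());
            }
        } catch (IOException | UnsupportedCallbackException e) {
            logger.finest(e);
            throw new FailedLoginException("Handling callbacks failed.. " + e.getMessage());
        }
    }

    /**
     * Dispatches role resolution according to {@link #roleMappingMode}.
     *
     * @throws NamingException on LDAP errors
     * @throws LoginException when the mode is not ATTRIBUTE, DIRECT or REVERSE
     */
    private void resolveRoles() throws NamingException, LoginException {
        switch (roleMappingMode) {
            case ATTRIBUTE:
                addRolesFromAttribute();
                break;
            case DIRECT:
                addRolesDirectMapping(1, LdapUtils.getAttributeValues(userAttributes, roleMappingAttribute));
                break;
            case REVERSE:
                addRolesReverseMapping(1, userDN);
                break;
            default:
                throw new LoginException("Unexpected Role Mapping mode");
        }
    }

    /** Logs a warning for every option that is set but ignored in the configured mapping mode. */
    protected void verifyOptions() {
        logger.finest("Verifying provided options and credentials");
        checkOptionInMappingMode(OPTION_PARSE_DN, LdapRoleMappingMode.ATTRIBUTE);
        checkOptionInMappingMode(OPTION_ROLE_CONTEXT, LdapRoleMappingMode.REVERSE);
        checkOptionInMappingMode(OPTION_ROLE_FILTER, LdapRoleMappingMode.REVERSE);
        checkOptionInMappingMode(OPTION_ROLE_RECURSION_MAX_DEPTH, LdapRoleMappingMode.DIRECT, LdapRoleMappingMode.REVERSE);
    }

    /**
     * Warns when {@code option} is configured but the current mode is not among
     * {@code supportedModes}. Does nothing when WARNING logging is disabled.
     */
    private void checkOptionInMappingMode(String option, LdapRoleMappingMode... supportedModes) {
        if (!logger.isWarningEnabled() || getStringOption(option, null) == null) {
            return;
        }
        for (LdapRoleMappingMode mode : supportedModes) {
            if (roleMappingMode == mode) {
                return;
            }
        }
        logger.warning("Login module option " + option + " is not supported when roleMappingMode==" + roleMappingMode.toString() + ". It's only supported in following mapping mode(s): " + Arrays.toString(supportedModes));
    }

    /**
     * Sets {@link #userDN} and returns the user entry's attributes.
     *
     * <p>In this basic module the login name is taken verbatim as the user DN — the caller must
     * therefore log in with a full DN. Subclasses may override this to locate the entry differently.
     *
     * @throws NamingException when the entry cannot be read
     * @throws FailedLoginException reserved for subclasses that cannot locate the user
     */
    protected Attributes setUserDnAndGetAttributes() throws NamingException, FailedLoginException {
        userDN = login;
        return ctx.getAttributes(userDN);
    }

    /**
     * Opens an LDAP context bound as the user via a simple bind.
     *
     * <p>All login-module options are forwarded into the JNDI environment (provider URL, security
     * protocol, referral handling, ...); the factory, authentication type, principal and
     * credentials set here take precedence over same-named options.
     *
     * @throws NamingException when the connection or the bind fails (wrong password included)
     */
    protected LdapContext createLdapContext() throws NamingException {
        Properties env = new Properties();
        env.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        env.putAll(options);
        env.put("java.naming.security.authentication", "simple");
        env.put("java.naming.security.principal", login);
        env.put("java.naming.security.credentials", password);
        logLdapContextProperties(env);
        return new InitialLdapContext(env, (Control[]) null);
    }

    /**
     * Logs the JNDI environment at FINEST level with the credentials entry masked.
     *
     * <p>Only {@code java.naming.security.credentials} is redacted; any other sensitive value that
     * arrives through the login-module options would be logged as-is.
     */
    public void logLdapContextProperties(Properties properties) {
        logger.fine("Creating an LDAP context");
        if (!logger.isFinestEnabled()) {
            return;
        }
        Properties redacted = properties;
        if (properties.containsKey("java.naming.security.credentials")) {
            redacted = new Properties();
            redacted.putAll(properties);
            redacted.put("java.naming.security.credentials", "***");
        }
        logger.finest("LDAP context properties: " + redacted);
    }

    /**
     * ATTRIBUTE mode: adds roles from {@code roleMappingAttribute} of the user entry. With
     * {@code parseDN} each value is parsed as a DN and the {@code roleNameAttribute} RDN values
     * are used as role names; otherwise the raw value is the role name.
     */
    private void addRolesFromAttribute() throws NamingException {
        if (logger.isFineEnabled()) {
            logger.fine("Searching role names in user attribute: " + roleMappingAttribute);
        }
        for (String value : LdapUtils.getAttributeValues(userAttributes, roleMappingAttribute)) {
            if (parseFromDN) {
                for (String roleName : LdapUtils.getAttributeValues(new LdapName(value), roleNameAttribute)) {
                    addRole(roleName);
                }
            } else {
                addRole(value);
            }
        }
    }

    /**
     * DIRECT mode: reads each role object named in {@code roleDns}, adds its
     * {@code roleNameAttribute} values as roles and follows its own {@code roleMappingAttribute}
     * one level deeper while {@code depth < maxRecursionDepth}. DNs in {@link #visitedRoleDns}
     * are skipped so cyclic group memberships terminate.
     *
     * @param depth   current nesting level, starting at 1 for the user's own mapping attribute
     * @param roleDns DNs of role objects to inspect at this level
     */
    private void addRolesDirectMapping(int depth, Collection<String> roleDns) throws NamingException {
        if (depth > maxRecursionDepth) {
            if (logger.isFineEnabled()) {
                logger.fine("The roleRecursionMaxDepth==" + maxRecursionDepth + " was reached.");
            }
            return;
        }
        for (String roleDn : roleDns) {
            if (visitedRoleDns.contains(roleDn)) {
                continue;
            }
            visitedRoleDns.add(roleDn);
            if (logger.isFineEnabled()) {
                logger.fine("Searching roles within LDAP object: " + roleDn);
            }
            Attributes roleAttributes = ctx.getAttributes(new LdapName(roleDn));
            for (String roleName : LdapUtils.getAttributeValues(roleAttributes, roleNameAttribute)) {
                addRole(roleName);
            }
            if (depth < maxRecursionDepth) {
                addRolesDirectMapping(depth + 1, LdapUtils.getAttributeValues(roleAttributes, roleMappingAttribute));
            }
        }
    }

    /**
     * REVERSE mode: searches {@code roleContext} for role objects matching {@code roleFilter} with
     * {@value #PLACEHOLDER_DN} replaced by {@code memberDn}, adds their {@code roleNameAttribute}
     * values as roles and recurses into each found role while {@code depth < maxRecursionDepth}.
     *
     * <p>The search enumeration is always closed, including when an exception escapes the loop.
     *
     * @param depth    current nesting level, starting at 1 for the user DN
     * @param memberDn DN whose containing roles are searched
     */
    private void addRolesReverseMapping(int depth, String memberDn) throws NamingException {
        if (depth > maxRecursionDepth) {
            if (logger.isFineEnabled()) {
                logger.fine("The roleRecursionMaxDepth==" + maxRecursionDepth + " was reached.");
            }
            return;
        }
        if (visitedRoleDns.contains(memberDn)) {
            return;
        }
        visitedRoleDns.add(memberDn);
        if (logger.isFineEnabled()) {
            logger.fine("Searching roles which contains mapping to LDAP object: " + memberDn);
        }
        // NOTE(review): escaping of memberDn for use inside a filter is delegated to this helper;
        // confirm it handles RFC 4515 metacharacters ('*', '(', ')', '\', NUL).
        String filter = LdapUtils.replacePlaceholders(roleFilter, PLACEHOLDER_DN, memberDn);
        SearchControls controls = new SearchControls();
        controls.setSearchScope(roleSearchScope.toSearchControlValue());
        if (logger.isFineEnabled()) {
            logger.fine("Searching role objects with reverse mapping using filter: " + filter);
        }
        NamingEnumeration<SearchResult> results = ctx.search(roleContext, filter, controls);
        try {
            while (results.hasMore()) {
                SearchResult result = results.next();
                if (!result.isRelative()) {
                    // Only results named relative to roleContext can be turned into a DN below.
                    continue;
                }
                for (String roleName : LdapUtils.getAttributeValues(result.getAttributes(), roleNameAttribute)) {
                    addRole(roleName);
                }
                if (depth < maxRecursionDepth) {
                    // Rebuild the role's DN from its name relative to the search base.
                    String roleDn = result.getName();
                    if (!StringUtil.isNullOrEmpty(roleContext)) {
                        roleDn = roleDn + "," + roleContext;
                    }
                    addRolesReverseMapping(depth + 1, roleDn);
                }
            }
        } finally {
            results.close();
        }
    }

    /** Resolves the {@link LdapSearchScope} named by option {@code optionName} (may be unset). */
    public LdapSearchScope getSearchScope(String optionName) {
        return LdapSearchScope.getSearchScope(getStringOption(optionName, null));
    }

    /** Resolves the {@link LdapRoleMappingMode} named by option {@code optionName} (may be unset). */
    private LdapRoleMappingMode getRoleMappingMode(String optionName) {
        return LdapRoleMappingMode.getRoleMappingMode(getStringOption(optionName, null));
    }

    /** @return the principal name read from {@code userNameAttribute}, or {@code null} if absent */
    @Override
    protected String getName() {
        return name;
    }
}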
