package com.hazelcast.security.loginimpl;

import com.hazelcast.config.security.LdapSearchScope;
import com.hazelcast.internal.util.StringUtil;
import com.hazelcast.security.impl.LdapUtils;
import com.hazelcast.security.impl.SecurityUtil;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.PrivilegedActionException;
import java.util.Properties;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

/* loaded from: input_file:com/hazelcast/security/loginimpl/LdapLoginModule.class */
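/**
 * JAAS login module that locates the user entry by an LDAP search and then verifies the
 * supplied password, either by a fresh LDAP bind as the found DN or by comparing it against a
 * configured attribute of the entry.
 *
 * <p>Option names are the {@code OPTION_*} constants; everything else (context, logger, login,
 * password, DN and attribute fields) is inherited from {@link BasicLdapLoginModule}.
 */
public class LdapLoginModule extends BasicLdapLoginModule {
    /** Placeholder in {@link #OPTION_USER_FILTER} that is replaced with the login name. */
    public static final String PLACEHOLDER_LOGIN = "{login}";
    public static final String OPTION_USER_CONTEXT = "userContext";
    public static final String OPTION_USER_FILTER = "userFilter";
    public static final String OPTION_USER_SEARCH_SCOPE = "userSearchScope";
    public static final String OPTION_PASSWORD_ATTRIBUTE = "passwordAttribute";
    public static final String OPTION_SKIP_AUTHENTICATION = "skipAuthentication";
    public static final String OPTION_SECURITY_REALM = "securityRealm";
    public static final String DEFAULT_USER_FILTER = "(uid={login})";

    // Resolved from the module options in onInitialize().
    private LdapSearchScope userSearchScope;
    private String userContext;
    private String userFilter;
    private String passwordAttribute;
    private boolean skipAuthentication;

    /* JADX INFO: Access modifiers changed from: protected */
    /** Reads this module's options after the base class has read its own. */
    @Override // com.hazelcast.security.loginimpl.BasicLdapLoginModule, com.hazelcast.security.ClusterLoginModule
    public void onInitialize() {
        super.onInitialize();
        this.userSearchScope = getSearchScope(OPTION_USER_SEARCH_SCOPE);
        this.userContext = getStringOption(OPTION_USER_CONTEXT, "");
        this.userFilter = getStringOption(OPTION_USER_FILTER, DEFAULT_USER_FILTER);
        // null means "verify by a new bind" rather than by attribute comparison (see verifyPassword).
        this.passwordAttribute = getStringOption(OPTION_PASSWORD_ATTRIBUTE, null);
        this.skipAuthentication = getBoolOption(OPTION_SKIP_AUTHENTICATION, false);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Runs the base-class login, inside {@link Subject#doAs} when a run-as subject is available
     * for the configured security realm.
     *
     * @return the result of {@link BasicLdapLoginModule#onLogin()}
     * @throws LoginException the exception thrown by the base login, or a wrapper when the
     *         privileged action failed with something else
     */
    @Override // com.hazelcast.security.loginimpl.BasicLdapLoginModule, com.hazelcast.security.ClusterLoginModule
    public boolean onLogin() throws LoginException {
        Subject runAsSubject = SecurityUtil.getRunAsSubject(this.callbackHandler, getStringOption(OPTION_SECURITY_REALM, null));
        if (runAsSubject == null) {
            return super.onLogin();
        }
        try {
            return Subject.doAs(runAsSubject, () -> Boolean.valueOf(super.onLogin()));
        } catch (PrivilegedActionException e) {
            Throwable cause = e.getCause();
            // Re-throw the login failure unchanged so callers see the original type and message.
            if (cause instanceof LoginException) {
                throw (LoginException) cause;
            }
            LoginException wrapped = new LoginException("PrivilegedAction execution failed");
            wrapped.initCause(cause);
            throw wrapped;
        }
    }

    /**
     * Searches the user entry, stores its DN and attributes, and unless authentication is
     * skipped verifies the password.
     *
     * @return the attributes of the matched entry
     * @throws NamingException on LDAP errors
     * @throws FailedLoginException when no entry matches or the password does not verify
     */
    @Override // com.hazelcast.security.loginimpl.BasicLdapLoginModule
    protected Attributes setUserDnAndGetAttributes() throws NamingException, FailedLoginException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(this.userSearchScope.toSearchControlValue());
        // NOTE(review): relies on LdapUtils.replacePlaceholders escaping LDAP filter
        // metacharacters in the login value — confirm, as the login is user-supplied.
        String filter = LdapUtils.replacePlaceholders(this.userFilter, PLACEHOLDER_LOGIN, this.login);
        if (this.logger.isFineEnabled()) {
            this.logger.fine("Searching a user object in LDAP server. Filter: " + filter);
        }
        SearchResult match = findFirstRelativeResult(this.ctx.search(this.userContext, filter, controls));
        if (match == null) {
            throw new FailedLoginException("User not found");
        }
        this.userDN = match.getName();
        if (!StringUtil.isNullOrEmpty(this.userContext)) {
            // Search results are relative to the search base; append it to get a full DN.
            this.userDN += SimplePropertiesLoginModule.DEFAULT_ROLE_SEPARATOR + this.userContext;
        }
        if (this.logger.isFineEnabled()) {
            this.logger.fine("Matching user object was found. DN: " + this.userDN);
        }
        this.userAttributes = match.getAttributes();
        if (!this.skipAuthentication) {
            verifyPassword();
        }
        return match.getAttributes();
    }

    /**
     * Returns the first result whose name is relative to the search base, or {@code null} when
     * the enumeration ends without one. Non-relative results (referrals) are skipped. The
     * enumeration is always closed before returning.
     */
    private SearchResult findFirstRelativeResult(NamingEnumeration<SearchResult> results) throws NamingException {
        try {
            while (hasMoreIgnorePartResEx(results)) {
                SearchResult candidate = results.next();
                if (candidate.isRelative()) {
                    return candidate;
                }
            }
            return null;
        } finally {
            results.close();
        }
    }

    /**
     * Verifies the supplied password: by a new bind as the user DN when no password attribute is
     * configured, otherwise by comparing it with that attribute's value. The attribute comparison
     * only succeeds when the directory returns the attribute as the plain password value.
     *
     * @throws FailedLoginException when verification fails
     * @throws NamingException on LDAP errors while reading the attribute
     */
    private void verifyPassword() throws FailedLoginException, NamingException {
        if (this.passwordAttribute == null) {
            this.logger.fine("Verifying user credentials by doing a new LDAP bind.");
            authenticateByNewBind(this.userDN, this.password);
            return;
        }
        if (this.logger.isFineEnabled()) {
            this.logger.fine("Verifying user credentials by comparing provided password against LDAP attribute " + this.passwordAttribute);
        }
        String expected = LdapUtils.getAttributeValue(this.userAttributes, this.passwordAttribute);
        // Constant-time comparison so the check's duration does not depend on the matching prefix.
        if (expected == null || this.password == null || !constantTimeEquals(expected, this.password)) {
            throw new FailedLoginException("Provided password doesn't match the expected value.");
        }
    }

    /** Compares two strings as UTF-8 bytes without early exit on the first differing byte. */
    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Picks the login name from the last authenticated identity when authentication is skipped;
     * otherwise defers to the base class, which collects the credentials.
     */
    @Override // com.hazelcast.security.loginimpl.BasicLdapLoginModule
    public void initAuthentication() throws FailedLoginException {
        if (this.skipAuthentication) {
            this.login = getLastIdentity();
        } else {
            super.initAuthentication();
        }
    }

    /**
     * Creates the search context. The defaults below are overridden by any module option with
     * the same key, because {@code putAll(options)} runs after them.
     */
    @Override // com.hazelcast.security.loginimpl.BasicLdapLoginModule
    protected LdapContext createLdapContext() throws NamingException {
        Properties env = new Properties();
        env.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        env.put("java.naming.referral", "ignore");
        env.put("java.naming.security.authentication", "simple");
        env.putAll(this.options);
        logLdapContextProperties(env);
        return new InitialLdapContext(env, (Control[]) null);
    }

    /**
     * Verifies a password by opening and immediately closing a simple bind as the given DN.
     *
     * @param userDn   DN to bind as
     * @param password credential to bind with
     * @throws FailedLoginException when either value is empty or the bind fails
     */
    private void authenticateByNewBind(String userDn, String password) throws FailedLoginException {
        // An empty DN or password must not reach the server: LDAP treats such a bind as
        // anonymous/unauthenticated (RFC 4513) and would accept it.
        if (StringUtil.isNullOrEmpty(userDn) || StringUtil.isNullOrEmpty(password)) {
            throw new FailedLoginException("Anonymous bind is not allowed");
        }
        Properties env = new Properties();
        env.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        env.putAll(this.options);
        // Set after putAll so module options cannot replace the bind identity or auth method.
        env.setProperty("java.naming.security.authentication", "simple");
        env.setProperty("java.naming.security.principal", userDn);
        env.setProperty("java.naming.security.credentials", password);
        try {
            // NOTE(review): assumes logLdapContextProperties masks the credentials entry — confirm.
            logLdapContextProperties(env);
            new InitialLdapContext(env, (Control[]) null).close();
        } catch (NamingException e) {
            // Keep the server-side reason out of the reported failure; log it at finest only.
            this.logger.finest(e);
            throw new FailedLoginException("User authentication by LDAP bind failed");
        }
    }
}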
