package org.opends.server.extensions;

import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import org.opends.messages.ExtensionMessages;
import org.opends.messages.Message;
import org.opends.server.admin.server.ConfigurationChangeListener;
import org.opends.server.admin.std.server.ExternalSASLMechanismHandlerCfg;
import org.opends.server.admin.std.server.SASLMechanismHandlerCfg;
import org.opends.server.api.ClientConnection;
import org.opends.server.api.SASLMechanismHandler;
import org.opends.server.config.ConfigConstants;
import org.opends.server.config.ConfigException;
import org.opends.server.core.BindOperation;
import org.opends.server.core.DirectoryServer;
import org.opends.server.loggers.debug.DebugLogger;
import org.opends.server.loggers.debug.DebugTracer;
import org.opends.server.protocols.ldap.LDAPClientConnection;
import org.opends.server.types.Attribute;
import org.opends.server.types.AttributeType;
import org.opends.server.types.AttributeValue;
import org.opends.server.types.AttributeValues;
import org.opends.server.types.AuthenticationInfo;
import org.opends.server.types.ByteString;
import org.opends.server.types.ConfigChangeResult;
import org.opends.server.types.DebugLogLevel;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
import org.opends.server.types.InitializationException;
import org.opends.server.types.ResultCode;
import org.opends.server.util.ServerConstants;
import org.opends.server.util.StaticUtils;

/* loaded from: input_file:WEB-INF/lib/OpenDS.jar:org/opends/server/extensions/ExternalSASLMechanismHandler.class */
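public class ExternalSASLMechanismHandler extends SASLMechanismHandler<ExternalSASLMechanismHandlerCfg> implements ConfigurationChangeListener<ExternalSASLMechanismHandlerCfg> {
    private static final DebugTracer TRACER = DebugLogger.getTracer();

    /**
     * Attribute of the mapped user entry that is expected to hold the client's certificate.
     * Falls back to {@link ConfigConstants#DEFAULT_VALIDATION_CERT_ATTRIBUTE} when the
     * configuration does not name one.
     */
    private AttributeType certificateAttributeType;

    /**
     * Whether the certificate the peer presented at the TLS layer must additionally be
     * present in the mapped entry (NEVER / IFPRESENT / ALWAYS). ALWAYS effectively pins the
     * account to the certificates stored in its entry, so a permissive certificate mapper
     * alone cannot authenticate a holder of some other certificate.
     */
    private CertificateValidationPolicy validationPolicy;

    private ExternalSASLMechanismHandlerCfg currentConfig;

    /**
     * Caches the validation policy and certificate attribute from the configuration,
     * registers for configuration changes and registers this handler for the SASL
     * EXTERNAL mechanism.
     *
     * @param externalSASLMechanismHandlerCfg the handler configuration
     * @throws ConfigException declared by the overridden method; not thrown here
     * @throws InitializationException declared by the overridden method; not thrown here
     */
    @Override // org.opends.server.api.SASLMechanismHandler
    public void initializeSASLMechanismHandler(ExternalSASLMechanismHandlerCfg externalSASLMechanismHandlerCfg) throws ConfigException, InitializationException {
        externalSASLMechanismHandlerCfg.addExternalChangeListener(this);
        this.currentConfig = externalSASLMechanismHandlerCfg;
        this.validationPolicy = toValidationPolicy(externalSASLMechanismHandlerCfg);
        this.certificateAttributeType = toCertificateAttributeType(externalSASLMechanismHandlerCfg);
        DirectoryServer.registerSASLMechanismHandler(ServerConstants.SASL_MECHANISM_EXTERNAL, this);
    }

    /**
     * Undoes {@link #initializeSASLMechanismHandler}: stops listening for configuration
     * changes and deregisters the EXTERNAL mechanism.
     */
    @Override // org.opends.server.api.SASLMechanismHandler
    public void finalizeSASLMechanismHandler() {
        this.currentConfig.removeExternalChangeListener(this);
        DirectoryServer.deregisterSASLMechanismHandler(ServerConstants.SASL_MECHANISM_EXTERNAL);
    }

    /**
     * Processes a SASL EXTERNAL bind: the client is authenticated as the entry that the
     * configured certificate mapper derives from the certificate chain the client presented
     * on its (LDAP) connection. Depending on the validation policy the leaf certificate must
     * additionally match a value of the certificate attribute in that entry.
     *
     * <p>This method performs no chain or trust validation itself; it only compares the DER
     * encoding of the leaf certificate with stored values. NOTE(review): trust validation of
     * the chain is presumably done by the TLS layer before the connection exposes it — confirm
     * against {@code LDAPClientConnection.getClientCertificateChain()}.
     *
     * <p>Every failure is reported to the client as INVALID_CREDENTIALS with an internal
     * auth-failure reason; only a {@link DirectoryException} from the mapper is passed through
     * as response data.
     *
     * @param bindOperation the bind operation to process; its result code and, on success,
     *        its authentication info are set here
     */
    @Override // org.opends.server.api.SASLMechanismHandler
    public void processSASLBind(BindOperation bindOperation) {
        // Snapshot the mutable configuration so a concurrent applyConfigurationChange()
        // cannot mix the policy and attribute type from two different configurations.
        ExternalSASLMechanismHandlerCfg config = this.currentConfig;
        AttributeType attributeType = this.certificateAttributeType;
        CertificateValidationPolicy policy = this.validationPolicy;

        ClientConnection clientConnection = bindOperation.getClientConnection();
        if (clientConnection == null) {
            failBind(bindOperation, ExtensionMessages.ERR_SASLEXTERNAL_NO_CLIENT_CONNECTION.get());
            return;
        }
        if (!(clientConnection instanceof LDAPClientConnection)) {
            failBind(bindOperation, ExtensionMessages.ERR_SASLEXTERNAL_NOT_LDAP_CLIENT_INSTANCE.get());
            return;
        }

        // EXTERNAL has no credentials of its own: without a peer certificate there is
        // nothing to authenticate with.
        Certificate[] clientCertificateChain = ((LDAPClientConnection) clientConnection).getClientCertificateChain();
        if (clientCertificateChain == null || clientCertificateChain.length == 0) {
            failBind(bindOperation, ExtensionMessages.ERR_SASLEXTERNAL_NO_CLIENT_CERT.get());
            return;
        }

        try {
            Entry userEntry = DirectoryServer.getCertificateMapper(config.getCertificateMapperDN()).mapCertificateToUser(clientCertificateChain);
            if (userEntry == null) {
                failBind(bindOperation, ExtensionMessages.ERR_SASLEXTERNAL_NO_MAPPING.get());
                return;
            }
            bindOperation.setSASLAuthUserEntry(userEntry);

            // Null when the entry has no values for the attribute (see the null checks below).
            List<Attribute> storedCertificates = userEntry.getAttribute(attributeType);
            switch (policy) {
                case NEVER:
                    // Mapping alone is sufficient.
                    break;
                case IFPRESENT:
                    // Pin only when the entry actually carries certificates.
                    if (storedCertificates != null
                            && !peerCertificateIsStored(bindOperation, userEntry, storedCertificates, clientCertificateChain[0], attributeType)) {
                        return;
                    }
                    break;
                case ALWAYS:
                    if (storedCertificates == null) {
                        failBind(bindOperation, ExtensionMessages.ERR_SASLEXTERNAL_NO_CERT_IN_ENTRY.get(String.valueOf(userEntry.getDN())));
                        return;
                    }
                    if (!peerCertificateIsStored(bindOperation, userEntry, storedCertificates, clientCertificateChain[0], attributeType)) {
                        return;
                    }
                    break;
            }

            bindOperation.setAuthenticationInfo(new AuthenticationInfo(userEntry, ServerConstants.SASL_MECHANISM_EXTERNAL, bindOperation.getSASLCredentials(), DirectoryServer.isRootDN(userEntry.getDN())));
            bindOperation.setResultCode(ResultCode.SUCCESS);
        } catch (DirectoryException e) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugCaught(DebugLogLevel.ERROR, e);
            }
            bindOperation.setResponseData(e);
        }
    }

    /**
     * Checks whether the DER encoding of {@code peerCertificate} equals one of the values of
     * {@code storedCertificates}. When it does not, or when the certificate cannot be encoded,
     * the bind is failed with INVALID_CREDENTIALS and {@code false} is returned so the caller
     * can stop processing.
     *
     * <p>Replaces two copies of a decompiled loop that never terminated once the attribute
     * iterator was exhausted.
     *
     * @param bindOperation the bind being processed; receives the failure result if any
     * @param userEntry the mapped user entry, used only for the failure message
     * @param storedCertificates non-null values of the certificate attribute in the entry
     * @param peerCertificate the leaf certificate the client presented
     * @param attributeType the attribute type used to normalise the comparison value
     * @return {@code true} if the peer certificate was found in the entry
     */
    private boolean peerCertificateIsStored(BindOperation bindOperation, Entry userEntry, List<Attribute> storedCertificates, Certificate peerCertificate, AttributeType attributeType) {
        try {
            AttributeValue peerValue = AttributeValues.create(attributeType, ByteString.wrap(peerCertificate.getEncoded()));
            for (Attribute stored : storedCertificates) {
                if (stored.contains(peerValue)) {
                    return true;
                }
            }
        } catch (Exception e) {
            // Encoding or comparison failure: fail closed rather than authenticate.
            if (DebugLogger.debugEnabled()) {
                TRACER.debugCaught(DebugLogLevel.ERROR, e);
            }
            failBind(bindOperation, ExtensionMessages.ERR_SASLEXTERNAL_CANNOT_VALIDATE_CERT.get(String.valueOf(userEntry.getDN()), StaticUtils.getExceptionMessage(e)));
            return false;
        }
        failBind(bindOperation, ExtensionMessages.ERR_SASLEXTERNAL_PEER_CERT_NOT_FOUND.get(String.valueOf(userEntry.getDN())));
        return false;
    }

    /**
     * Marks the bind as failed with INVALID_CREDENTIALS and records the internal reason.
     * The reason is kept server-side so the client learns nothing about why it was rejected.
     *
     * @param bindOperation the bind being processed
     * @param reason the internal auth-failure reason
     */
    private static void failBind(BindOperation bindOperation, Message reason) {
        bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
        bindOperation.setAuthFailureReason(reason);
    }

    /**
     * Translates the configured validation policy into this handler's enum. Defaults to
     * ALWAYS (the strictest option, and the same default applyConfigurationChange used) so a
     * policy value this code does not know about fails closed instead of leaving the field
     * null and breaking processSASLBind.
     *
     * @param cfg the handler configuration
     * @return the policy to apply; never {@code null}
     */
    private static CertificateValidationPolicy toValidationPolicy(ExternalSASLMechanismHandlerCfg cfg) {
        switch (cfg.getCertificateValidationPolicy()) {
            case NEVER:
                return CertificateValidationPolicy.NEVER;
            case IFPRESENT:
                return CertificateValidationPolicy.IFPRESENT;
            case ALWAYS:
                return CertificateValidationPolicy.ALWAYS;
            default:
                return CertificateValidationPolicy.ALWAYS;
        }
    }

    /**
     * Returns the configured certificate attribute, or the server's default validation
     * certificate attribute when none is configured.
     *
     * @param cfg the handler configuration
     * @return the attribute type to look certificates up under
     */
    private static AttributeType toCertificateAttributeType(ExternalSASLMechanismHandlerCfg cfg) {
        AttributeType configured = cfg.getCertificateAttribute();
        if (configured != null) {
            return configured;
        }
        return DirectoryServer.getAttributeType(ConfigConstants.DEFAULT_VALIDATION_CERT_ATTRIBUTE, true);
    }

    /**
     * EXTERNAL carries no password; the credentials are the TLS client certificate.
     *
     * @param str the mechanism name (unused)
     * @return always {@code false}
     */
    @Override // org.opends.server.api.SASLMechanismHandler
    public boolean isPasswordBased(String str) {
        return false;
    }

    /**
     * EXTERNAL is reported as secure because no secret crosses the wire; it depends on the
     * certificate having been presented over a protected (TLS) connection.
     *
     * @param str the mechanism name (unused)
     * @return always {@code true}
     */
    @Override // org.opends.server.api.SASLMechanismHandler
    public boolean isSecure(String str) {
        return true;
    }

    /**
     * Delegates to {@link #isConfigurationChangeAcceptable2} after narrowing the configuration
     * type.
     *
     * @param sASLMechanismHandlerCfg the proposed configuration
     * @param list receives reasons the configuration is unacceptable
     * @return whether the configuration is acceptable
     */
    @Override // org.opends.server.api.SASLMechanismHandler
    public boolean isConfigurationAcceptable(SASLMechanismHandlerCfg sASLMechanismHandlerCfg, List<Message> list) {
        return isConfigurationChangeAcceptable2((ExternalSASLMechanismHandlerCfg) sASLMechanismHandlerCfg, list);
    }

    /**
     * Accepts every configuration. No handler-specific validation (for example of the
     * certificate mapper DN) is performed here.
     *
     * @param externalSASLMechanismHandlerCfg the proposed configuration
     * @param list receives reasons the configuration is unacceptable (never added to)
     * @return always {@code true}
     */
    /* renamed from: isConfigurationChangeAcceptable, reason: avoid collision after fix types in other method */
    public boolean isConfigurationChangeAcceptable2(ExternalSASLMechanismHandlerCfg externalSASLMechanismHandlerCfg, List<Message> list) {
        return true;
    }

    /**
     * Applies a new configuration: recomputes the validation policy and certificate attribute
     * and swaps in the new configuration. Nothing here can fail, so the result is always
     * SUCCESS with no admin action required and no messages.
     *
     * @param externalSASLMechanismHandlerCfg the new configuration
     * @return a successful change result
     */
    @Override // org.opends.server.admin.server.ConfigurationChangeListener
    public ConfigChangeResult applyConfigurationChange(ExternalSASLMechanismHandlerCfg externalSASLMechanismHandlerCfg) {
        List<Message> messages = new ArrayList<Message>();
        this.validationPolicy = toValidationPolicy(externalSASLMechanismHandlerCfg);
        this.certificateAttributeType = toCertificateAttributeType(externalSASLMechanismHandlerCfg);
        this.currentConfig = externalSASLMechanismHandlerCfg;
        return new ConfigChangeResult(ResultCode.SUCCESS, false, messages);
    }

    /**
     * Interface entry point for change acceptance; delegates to
     * {@link #isConfigurationChangeAcceptable2}.
     *
     * @param externalSASLMechanismHandlerCfg the proposed configuration
     * @param list receives reasons the configuration is unacceptable
     * @return whether the configuration is acceptable
     */
    @Override // org.opends.server.admin.server.ConfigurationChangeListener
    public boolean isConfigurationChangeAcceptable(ExternalSASLMechanismHandlerCfg externalSASLMechanismHandlerCfg, List<Message> list) {
        return isConfigurationChangeAcceptable2(externalSASLMechanismHandlerCfg, list);
    }
}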
