package org.opends.server.extensions;

import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.locks.Lock;
import org.opends.server.admin.server.ConfigurationChangeListener;
import org.opends.server.admin.std.server.PlainSASLMechanismHandlerCfg;
import org.opends.server.api.IdentityMapper;
import org.opends.server.api.SASLMechanismHandler;
import org.opends.server.config.ConfigException;
import org.opends.server.core.BindOperation;
import org.opends.server.core.DirectoryServer;
import org.opends.server.core.PasswordPolicyState;
import org.opends.server.loggers.debug.DebugLogger;
import org.opends.server.loggers.debug.DebugTracer;
import org.opends.server.messages.ExtensionsMessages;
import org.opends.server.messages.MessageHandler;
import org.opends.server.protocols.asn1.ASN1OctetString;
import org.opends.server.protocols.internal.InternalClientConnection;
import org.opends.server.types.AuthenticationInfo;
import org.opends.server.types.ConfigChangeResult;
import org.opends.server.types.DN;
import org.opends.server.types.DebugLogLevel;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
import org.opends.server.types.InitializationException;
import org.opends.server.types.LockManager;
import org.opends.server.types.Privilege;
import org.opends.server.types.ResultCode;
import org.opends.server.util.ServerConstants;
import org.opends.server.util.StaticUtils;

/* loaded from: input_file:org/opends/server/extensions/PlainSASLMechanismHandler.class */
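/**
 * SASL PLAIN mechanism handler.
 *
 * <p>{@link #processSASLBind} parses the bind credentials as
 * {@code [authzid] NUL authcid NUL password}, resolves the authentication identity (and the
 * optional authorization identity) to directory entries, and checks the password against the
 * authentication entry. Every rejection caused by the client's input is reported with
 * {@code ResultCode.INVALID_CREDENTIALS}; the specific cause is recorded only through
 * {@code setAuthFailureReason}.
 *
 * <p>The password arrives as plain text inside the credentials, which is why {@link #isSecure}
 * reports {@code false}.
 */
public class PlainSASLMechanismHandler extends SASLMechanismHandler<PlainSASLMechanismHandlerCfg> implements ConfigurationChangeListener<PlainSASLMechanismHandlerCfg> {
    private static final DebugTracer TRACER = DebugLogger.getTracer();
    // DN of the configuration entry; only used to build configuration error messages.
    private DN configEntryDN;
    // Mapper used to turn "u:"-style or bare identities into entries; replaced by applyConfigurationChange.
    private IdentityMapper identityMapper;
    // Configuration this handler is currently registered on as a change listener.
    private PlainSASLMechanismHandlerCfg currentConfig;

    /**
     * Registers this handler as a change listener on the configuration, resolves the configured
     * identity mapper and registers the handler for the PLAIN mechanism.
     *
     * @param plainSASLMechanismHandlerCfg the handler configuration
     * @throws ConfigException if the configured identity mapper DN does not resolve to a mapper
     * @throws InitializationException declared by the overridden method; not thrown here
     */
    @Override // org.opends.server.api.SASLMechanismHandler
    public void initializeSASLMechanismHandler(PlainSASLMechanismHandlerCfg plainSASLMechanismHandlerCfg) throws ConfigException, InitializationException {
        // NOTE(review): the listener is added before the mapper is validated, so it stays
        // registered when the ConfigException below is thrown; confirm the caller cleans up.
        plainSASLMechanismHandlerCfg.addPlainChangeListener(this);
        this.currentConfig = plainSASLMechanismHandlerCfg;
        this.configEntryDN = plainSASLMechanismHandlerCfg.dn();
        DN identityMapperDN = plainSASLMechanismHandlerCfg.getIdentityMapperDN();
        this.identityMapper = DirectoryServer.getIdentityMapper(identityMapperDN);
        if (this.identityMapper == null) {
            throw new ConfigException(ExtensionsMessages.MSGID_SASLPLAIN_NO_SUCH_IDENTITY_MAPPER, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLPLAIN_NO_SUCH_IDENTITY_MAPPER, String.valueOf(identityMapperDN), String.valueOf(this.configEntryDN)));
        }
        DirectoryServer.registerSASLMechanismHandler(ServerConstants.SASL_MECHANISM_PLAIN, this);
    }

    /** Removes the change listener and deregisters the PLAIN mechanism. */
    @Override // org.opends.server.api.SASLMechanismHandler
    public void finalizeSASLMechanismHandler() {
        this.currentConfig.removePlainChangeListener(this);
        DirectoryServer.deregisterSASLMechanismHandler(ServerConstants.SASL_MECHANISM_PLAIN);
    }

    /**
     * Processes a SASL PLAIN bind.
     *
     * <p>Steps, in the order they run: split the credentials at the two NUL separators; resolve
     * the authentication identity ("dn:" form by DN under a read lock, otherwise through the
     * identity mapper); resolve the optional authorization identity and require the
     * {@code PROXIED_AUTH} privilege when it differs from the authentication entry; finally
     * verify the password. Authentication info is set on the operation only when the password
     * matches.
     *
     * @param bindOperation the bind operation to read the credentials from and to report the
     *     result on
     */
    @Override // org.opends.server.api.SASLMechanismHandler
    public void processSASLBind(BindOperation bindOperation) {
        Entry authEntry;
        // Read the field once: applyConfigurationChange may replace it, and both identity
        // lookups below should go through the same mapper.
        IdentityMapper mapper = this.identityMapper;
        ASN1OctetString saslCredentials = bindOperation.getSASLCredentials();
        if (saslCredentials == null) {
            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
            bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLPLAIN_NO_SASL_CREDENTIALS, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLPLAIN_NO_SASL_CREDENTIALS));
            return;
        }
        // NOTE(review): from here on the credentials, password included, live in immutable
        // Strings and cannot be wiped after use.
        String credentials = saslCredentials.stringValue();
        int credentialsLength = credentials.length();
        int firstNul = credentials.indexOf(0);
        if (firstNul < 0) {
            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
            bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLPLAIN_NO_NULLS_IN_CREDENTIALS, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLPLAIN_NO_NULLS_IN_CREDENTIALS));
            return;
        }
        // Text before the first NUL is the optional authorization ID; null means "not supplied".
        String authzID = firstNul > 0 ? credentials.substring(0, firstNul) : null;
        int secondNul = credentials.indexOf(0, firstNul + 1);
        if (secondNul < 0) {
            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
            bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLPLAIN_NO_SECOND_NULL, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLPLAIN_NO_SECOND_NULL));
            return;
        }
        // Two adjacent NULs: the authentication ID between them is empty.
        if (secondNul == firstNul + 1) {
            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
            bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLPLAIN_ZERO_LENGTH_AUTHCID, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLPLAIN_ZERO_LENGTH_AUTHCID));
            return;
        }
        // Second NUL is the last character: the password after it is empty. Rejecting it here
        // means an empty password can never reach the password check.
        if (secondNul == credentialsLength - 1) {
            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
            bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLPLAIN_ZERO_LENGTH_PASSWORD, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLPLAIN_ZERO_LENGTH_PASSWORD));
            return;
        }
        String authcID = credentials.substring(firstNul + 1, secondNul);
        String password = credentials.substring(secondNul + 1);
        String lowerAuthcID = StaticUtils.toLowerCase(authcID);
        if (lowerAuthcID.startsWith("dn:")) {
            try {
                DN userDN = DN.decode(authcID.substring(3));
                if (userDN.isNullDN()) {
                    bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                    bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLPLAIN_AUTHCID_IS_NULL_DN, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLPLAIN_AUTHCID_IS_NULL_DN));
                    return;
                }
                // An alternate root bind DN is replaced by the actual root user DN.
                DN actualRootDN = DirectoryServer.getActualRootBindDN(userDN);
                if (actualRootDN != null) {
                    userDN = actualRootDN;
                }
                // Up to three attempts to obtain the read lock.
                Lock readLock = null;
                for (int attempt = 0; attempt < 3 && readLock == null; attempt++) {
                    readLock = LockManager.lockRead(userDN);
                }
                if (readLock == null) {
                    // Server-side failure, not a credential problem: uses the server error code.
                    bindOperation.setResultCode(DirectoryServer.getServerErrorResultCode());
                    bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLPLAIN_CANNOT_LOCK_ENTRY, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLPLAIN_CANNOT_LOCK_ENTRY, String.valueOf(userDN)));
                    return;
                }
                try {
                    authEntry = DirectoryServer.getEntry(userDN);
                } catch (DirectoryException lookupFailure) {
                    if (DebugLogger.debugEnabled()) {
                        TRACER.debugCaught(DebugLogLevel.ERROR, lookupFailure);
                    }
                    bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                    bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLPLAIN_CANNOT_GET_ENTRY_BY_DN, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLPLAIN_CANNOT_GET_ENTRY_BY_DN, String.valueOf(userDN), lookupFailure.getErrorMessage()));
                    return;
                } finally {
                    // Single release point: the lock is released exactly once on every path,
                    // and never with a null lock.
                    LockManager.unlock(userDN, readLock);
                }
            } catch (DirectoryException decodeFailure) {
                if (DebugLogger.debugEnabled()) {
                    TRACER.debugCaught(DebugLogLevel.ERROR, decodeFailure);
                }
                bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLPLAIN_CANNOT_DECODE_AUTHCID_AS_DN, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLPLAIN_CANNOT_DECODE_AUTHCID_AS_DN, authcID, decodeFailure.getErrorMessage()));
                return;
            }
        } else {
            // "u:" prefix is optional; the remainder goes to the identity mapper.
            if (lowerAuthcID.startsWith("u:")) {
                authcID = authcID.substring(2);
            }
            try {
                authEntry = mapper.getEntryForID(authcID);
            } catch (DirectoryException mapFailure) {
                if (DebugLogger.debugEnabled()) {
                    TRACER.debugCaught(DebugLogLevel.ERROR, mapFailure);
                }
                bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLPLAIN_CANNOT_MAP_USERNAME, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLPLAIN_CANNOT_MAP_USERNAME, String.valueOf(authcID), mapFailure.getErrorMessage()));
                return;
            }
        }
        if (authEntry == null) {
            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
            bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLPLAIN_NO_MATCHING_ENTRIES, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLPLAIN_NO_MATCHING_ENTRIES, authcID));
            return;
        }
        bindOperation.setSASLAuthUserEntry(authEntry);
        // NOTE(review): the authorization identity is resolved (entry lookups, privilege check)
        // before the password is verified. Every failure yields INVALID_CREDENTIALS, but the
        // work done per request differs by path; consider verifying the password first.
        // Without an authzid the authorization entry is the authentication entry.
        Entry authzEntry = authEntry;
        if (authzID != null) {
            String lowerAuthzID = StaticUtils.toLowerCase(authzID);
            if (lowerAuthzID.startsWith("dn:")) {
                try {
                    DN authzDN = DN.decode(authzID.substring(3));
                    DN actualAuthzRootDN = DirectoryServer.getActualRootBindDN(authzDN);
                    if (actualAuthzRootDN != null) {
                        authzDN = actualAuthzRootDN;
                    }
                    if (!authzDN.equals(authEntry.getDN())) {
                        // Acting as a different identity requires PROXIED_AUTH on the
                        // authentication entry.
                        if (!new InternalClientConnection(new AuthenticationInfo(authEntry, DirectoryServer.isRootDN(authEntry.getDN()))).hasPrivilege(Privilege.PROXIED_AUTH, bindOperation)) {
                            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                            bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLPLAIN_AUTHZID_INSUFFICIENT_PRIVILEGES, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLPLAIN_AUTHZID_INSUFFICIENT_PRIVILEGES, String.valueOf(authEntry.getDN())));
                            return;
                        }
                        if (authzDN.isNullDN()) {
                            // "dn:" with an empty DN: no authorization entry.
                            authzEntry = null;
                        } else {
                            try {
                                // NOTE(review): unlike the authcid lookup, this one is not done
                                // under a read lock; confirm that is intended.
                                authzEntry = DirectoryServer.getEntry(authzDN);
                                if (authzEntry == null) {
                                    bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                                    bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLPLAIN_AUTHZID_NO_SUCH_ENTRY, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLPLAIN_AUTHZID_NO_SUCH_ENTRY, String.valueOf(authzDN)));
                                    return;
                                }
                            } catch (DirectoryException authzLookupFailure) {
                                if (DebugLogger.debugEnabled()) {
                                    TRACER.debugCaught(DebugLogLevel.ERROR, authzLookupFailure);
                                }
                                bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                                bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLPLAIN_AUTHZID_CANNOT_GET_ENTRY, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLPLAIN_AUTHZID_CANNOT_GET_ENTRY, String.valueOf(authzDN), authzLookupFailure.getErrorMessage()));
                                return;
                            }
                        }
                    }
                } catch (DirectoryException authzDecodeFailure) {
                    if (DebugLogger.debugEnabled()) {
                        TRACER.debugCaught(DebugLogLevel.ERROR, authzDecodeFailure);
                    }
                    bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                    bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLPLAIN_AUTHZID_INVALID_DN, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLPLAIN_AUTHZID_INVALID_DN, authzID, authzDecodeFailure.getErrorMessage()));
                    return;
                }
            } else {
                String authzName = lowerAuthzID.startsWith("u:") ? authzID.substring(2) : authzID;
                if (authzName.length() == 0) {
                    // Bare "u:": no authorization entry.
                    authzEntry = null;
                } else {
                    try {
                        authzEntry = mapper.getEntryForID(authzName);
                        if (authzEntry == null) {
                            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                            bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLPLAIN_AUTHZID_NO_MAPPED_ENTRY, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLPLAIN_AUTHZID_NO_MAPPED_ENTRY, authzID));
                            return;
                        }
                    } catch (DirectoryException authzMapFailure) {
                        if (DebugLogger.debugEnabled()) {
                            TRACER.debugCaught(DebugLogLevel.ERROR, authzMapFailure);
                        }
                        bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                        bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLPLAIN_AUTHZID_CANNOT_MAP_AUTHZID, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLPLAIN_AUTHZID_CANNOT_MAP_AUTHZID, authzID, authzMapFailure.getErrorMessage()));
                        return;
                    }
                }
                // No authorization entry, or one that differs from the authentication entry,
                // requires PROXIED_AUTH on the authentication entry.
                if ((authzEntry == null || !authzEntry.getDN().equals(authEntry.getDN())) && !new InternalClientConnection(new AuthenticationInfo(authEntry, DirectoryServer.isRootDN(authEntry.getDN()))).hasPrivilege(Privilege.PROXIED_AUTH, bindOperation)) {
                    bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                    bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLPLAIN_AUTHZID_INSUFFICIENT_PRIVILEGES, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLPLAIN_AUTHZID_INSUFFICIENT_PRIVILEGES, String.valueOf(authEntry.getDN())));
                    return;
                }
            }
        }
        try {
            if (new PasswordPolicyState(authEntry, false, false).passwordMatches(new ASN1OctetString(password))) {
                bindOperation.setResultCode(ResultCode.SUCCESS);
                bindOperation.setAuthenticationInfo(new AuthenticationInfo(authEntry, authzEntry, ServerConstants.SASL_MECHANISM_PLAIN, DirectoryServer.isRootDN(authEntry.getDN())));
            } else {
                bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLPLAIN_INVALID_PASSWORD, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLPLAIN_INVALID_PASSWORD));
            }
        } catch (Exception checkFailure) {
            // Fail closed: any error while checking the password rejects the bind.
            if (DebugLogger.debugEnabled()) {
                TRACER.debugCaught(DebugLogLevel.ERROR, checkFailure);
            }
            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
            bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLPLAIN_CANNOT_CHECK_PASSWORD_VALIDITY, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLPLAIN_CANNOT_CHECK_PASSWORD_VALIDITY, String.valueOf(authEntry.getDN()), String.valueOf(checkFailure)));
        }
    }

    /**
     * Reports that this mechanism authenticates with a password.
     *
     * @param str the mechanism name (ignored)
     * @return always {@code true}
     */
    @Override // org.opends.server.api.SASLMechanismHandler
    public boolean isPasswordBased(String str) {
        return true;
    }

    /**
     * Reports that this mechanism is not secure: processSASLBind reads the password as plain
     * text from the credentials.
     *
     * @param str the mechanism name (ignored)
     * @return always {@code false}
     */
    @Override // org.opends.server.api.SASLMechanismHandler
    public boolean isSecure(String str) {
        return false;
    }

    /**
     * Checks whether the identity mapper named by a proposed configuration exists.
     *
     * <p>Decompiler note: renamed from {@code isConfigurationChangeAcceptable} to avoid a
     * collision with the bridge method below, which delegates here.
     *
     * @param plainSASLMechanismHandlerCfg the proposed configuration
     * @param list receives an explanation when the configuration is rejected
     * @return {@code true} if the configured identity mapper DN resolves to a mapper
     */
    public boolean isConfigurationChangeAcceptable2(PlainSASLMechanismHandlerCfg plainSASLMechanismHandlerCfg, List<String> list) {
        DN mapperDN = plainSASLMechanismHandlerCfg.getIdentityMapperDN();
        if (DirectoryServer.getIdentityMapper(mapperDN) != null) {
            return true;
        }
        list.add(MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLPLAIN_NO_SUCH_IDENTITY_MAPPER, String.valueOf(mapperDN), String.valueOf(this.configEntryDN)));
        return false;
    }

    /**
     * Applies a new configuration: switches to the newly configured identity mapper, or keeps
     * the current mapper and configuration when the new mapper DN does not resolve.
     *
     * @param plainSASLMechanismHandlerCfg the new configuration
     * @return {@code SUCCESS}, or {@code CONSTRAINT_VIOLATION} with a message when the mapper
     *     is missing; the admin-action-required flag is always {@code false}
     */
    @Override // org.opends.server.admin.server.ConfigurationChangeListener
    public ConfigChangeResult applyConfigurationChange(PlainSASLMechanismHandlerCfg plainSASLMechanismHandlerCfg) {
        ResultCode resultCode = ResultCode.SUCCESS;
        ArrayList<String> messages = new ArrayList<String>();
        DN mapperDN = plainSASLMechanismHandlerCfg.getIdentityMapperDN();
        IdentityMapper newMapper = DirectoryServer.getIdentityMapper(mapperDN);
        if (newMapper == null) {
            resultCode = ResultCode.CONSTRAINT_VIOLATION;
            messages.add(MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLPLAIN_NO_SUCH_IDENTITY_MAPPER, String.valueOf(mapperDN), String.valueOf(this.configEntryDN)));
        } else {
            this.identityMapper = newMapper;
            this.currentConfig = plainSASLMechanismHandlerCfg;
        }
        return new ConfigChangeResult(resultCode, false, messages);
    }

    /**
     * Bridge for the listener interface; delegates to
     * {@link #isConfigurationChangeAcceptable2}.
     */
    @Override // org.opends.server.admin.server.ConfigurationChangeListener
    public /* bridge */ /* synthetic */ boolean isConfigurationChangeAcceptable(PlainSASLMechanismHandlerCfg plainSASLMechanismHandlerCfg, List list) {
        return isConfigurationChangeAcceptable2(plainSASLMechanismHandlerCfg, (List<String>) list);
    }
}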
