package org.apache.directory.server.core.authn;

import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import org.apache.commons.collections.map.LRUMap;
import org.apache.directory.server.core.authz.AciAuthorizationInterceptor;
import org.apache.directory.server.core.authz.DefaultAuthorizationInterceptor;
import org.apache.directory.server.core.collective.CollectiveAttributeInterceptor;
import org.apache.directory.server.core.entry.ClonedServerEntry;
import org.apache.directory.server.core.entry.ServerStringValue;
import org.apache.directory.server.core.event.EventInterceptor;
import org.apache.directory.server.core.exception.ExceptionInterceptor;
import org.apache.directory.server.core.interceptor.context.BindOperationContext;
import org.apache.directory.server.core.interceptor.context.LookupOperationContext;
import org.apache.directory.server.core.normalization.NormalizationInterceptor;
import org.apache.directory.server.core.operational.OperationalAttributeInterceptor;
import org.apache.directory.server.core.schema.SchemaInterceptor;
import org.apache.directory.server.core.subtree.SubentryInterceptor;
import org.apache.directory.server.core.trigger.TriggerInterceptor;
import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
import org.apache.directory.shared.ldap.constants.LdapSecurityConstants;
import org.apache.directory.shared.ldap.entry.EntryAttribute;
import org.apache.directory.shared.ldap.entry.Value;
import org.apache.directory.shared.ldap.exception.LdapAuthenticationException;
import org.apache.directory.shared.ldap.name.LdapDN;
import org.apache.directory.shared.ldap.util.ArrayUtils;
import org.apache.directory.shared.ldap.util.Base64;
import org.apache.directory.shared.ldap.util.StringTools;
import org.apache.directory.shared.ldap.util.UnixCrypt;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/directory/server/core/authn/SimpleAuthenticator.class */
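/**
 * Authenticator for LDAP simple (DN + password) binds.
 *
 * <p>The presented credentials are checked against the {@code userPassword} value of the
 * bound entry. The stored value may be a plain password or a value prefixed with
 * <code>{md5}</code>, <code>{sha}</code>, <code>{smd5}</code>, <code>{ssha}</code> or
 * <code>{crypt}</code>. Looked-up passwords are kept in a small LRU cache keyed by the
 * normalised DN; {@link #invalidateCache(LdapDN)} drops an entry from it.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>MD5, SHA and DES-based crypt are fast hashes computed in a single round here, so
 *       stored values give little protection if the directory contents are disclosed.</li>
 *   <li>All credential comparisons go through {@link #constantTimeEquals(byte[], byte[])}
 *       so that the comparison time does not reveal how many leading bytes matched.</li>
 * </ul>
 *
 * <p>This listing is decompiler output; {@code AnonymousClass1} and the synthetic
 * {@code EncryptionMethod} constructor are compiler-generated members that are kept so
 * the class shape stays the same.
 */
public class SimpleAuthenticator extends AbstractAuthenticator {
    private static final Logger LOG = LoggerFactory.getLogger(SimpleAuthenticator.class);

    /** Sampled once at class initialisation; a later change of the logger level is not seen. */
    private static final boolean IS_DEBUG = LOG.isDebugEnabled();

    /** LRU cache of {@link LdapPrincipal} by normalised DN; every access synchronises on the map. */
    private final LRUMap credentialCache;

    /** Cache size used by the no-arg constructor and for non-positive requested sizes. */
    private static final int DEFAULT_CACHE_SIZE = 100;

    /** Interceptor class names skipped when the bound entry is looked up with the admin session. */
    private static final Collection<String> USERLOOKUP_BYPASS;

    /** Salt length assumed for salted digests ({smd5}, {ssha}): the last bytes of the decoded value. */
    private static final int DIGEST_SALT_LENGTH = 8;

    /** Salt length for {crypt}: the two characters that follow the prefix. */
    private static final int CRYPT_SALT_LENGTH = 2;

    /**
     * Compiler-generated lookup table for switching on {@link LdapSecurityConstants}.
     * Mapping: 1 = MD5, 2 = SHA, 3 = SMD5, 4 = SSHA, 5 = CRYPT; any other constant maps to 0.
     */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$apache$directory$shared$ldap$constants$LdapSecurityConstants = new int[LdapSecurityConstants.values().length];

        static {
            // Each assignment is guarded separately so that an enum constant missing at
            // run time only leaves its own slot at 0 (the switch then takes "default").
            try {
                $SwitchMap$org$apache$directory$shared$ldap$constants$LdapSecurityConstants[LdapSecurityConstants.HASH_METHOD_MD5.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$apache$directory$shared$ldap$constants$LdapSecurityConstants[LdapSecurityConstants.HASH_METHOD_SHA.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$apache$directory$shared$ldap$constants$LdapSecurityConstants[LdapSecurityConstants.HASH_METHOD_SMD5.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$apache$directory$shared$ldap$constants$LdapSecurityConstants[LdapSecurityConstants.HASH_METHOD_SSHA.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$apache$directory$shared$ldap$constants$LdapSecurityConstants[LdapSecurityConstants.HASH_METHOD_CRYPT.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
        }
    }

    /**
     * Hash scheme of a stored password plus the salt extracted from it.
     * {@code salt} stays {@code null} until {@code splitCredentials} fills it in.
     */
    public class EncryptionMethod {
        private byte[] salt;
        private LdapSecurityConstants algorithm;

        private EncryptionMethod(LdapSecurityConstants ldapSecurityConstants, byte[] bArr) {
            this.algorithm = ldapSecurityConstants;
            this.salt = bArr;
        }

        /* synthetic */ EncryptionMethod(SimpleAuthenticator simpleAuthenticator, LdapSecurityConstants ldapSecurityConstants, byte[] bArr, AnonymousClass1 anonymousClass1) {
            this(ldapSecurityConstants, bArr);
        }
    }

    /** Creates an authenticator with a credential cache of {@link #DEFAULT_CACHE_SIZE} entries. */
    public SimpleAuthenticator() {
        super(AuthenticationLevel.SIMPLE.toString());
        this.credentialCache = new LRUMap(DEFAULT_CACHE_SIZE);
    }

    /**
     * Creates an authenticator with the given credential cache size.
     *
     * @param i requested cache size; values {@code <= 0} fall back to {@link #DEFAULT_CACHE_SIZE}
     */
    public SimpleAuthenticator(int i) {
        super(AuthenticationLevel.SIMPLE.toString());
        this.credentialCache = new LRUMap(i > 0 ? i : DEFAULT_CACHE_SIZE);
    }

    /**
     * Returns the principal (with its stored password) for the DN being bound, from the
     * cache when present, otherwise from a directory lookup whose result is then cached.
     *
     * <p>The lookup runs outside the lock, so two concurrent binds for the same DN may
     * both perform it; the later {@code put} simply replaces the earlier one.
     *
     * @throws Exception whatever {@link #lookupUserPassword(BindOperationContext)} throws
     */
    private LdapPrincipal getStoredPassword(BindOperationContext bindOperationContext) throws Exception {
        LdapPrincipal ldapPrincipal;
        synchronized (this.credentialCache) {
            ldapPrincipal = (LdapPrincipal) this.credentialCache.get(bindOperationContext.getDn().getNormName());
        }
        if (ldapPrincipal == null) {
            byte[] lookupUserPassword = lookupUserPassword(bindOperationContext);
            if (lookupUserPassword == null) {
                lookupUserPassword = ArrayUtils.EMPTY_BYTE_ARRAY;
            }
            ldapPrincipal = new LdapPrincipal(bindOperationContext.getDn(), AuthenticationLevel.SIMPLE, lookupUserPassword);
            synchronized (this.credentialCache) {
                this.credentialCache.put(bindOperationContext.getDn().getNormName(), ldapPrincipal);
            }
        }
        return ldapPrincipal;
    }

    /**
     * Checks the bind credentials against the stored {@code userPassword}.
     *
     * <p>The credentials are first compared with the stored value as-is (plain password).
     * If that fails and the stored value carries a recognised <code>{scheme}</code> prefix,
     * the credentials are hashed with that scheme (and the stored salt) and compared with
     * the stored hash.
     *
     * <p>NOTE(review): an entry without a {@code userPassword} attribute yields an empty
     * stored password, which equals zero-length credentials in the plain comparison below.
     * Nothing in this class rejects that case; confirm that callers refuse or re-route
     * binds with an empty password before they reach this method.
     *
     * @param bindOperationContext the bind request (DN and credentials)
     * @return the principal of the authenticated entry
     * @throws LdapAuthenticationException if the credentials do not match
     * @throws Exception if the stored password cannot be looked up
     */
    @Override // org.apache.directory.server.core.authn.Authenticator
    public LdapPrincipal authenticate(BindOperationContext bindOperationContext) throws Exception {
        if (IS_DEBUG) {
            LOG.debug("Authenticating {}", bindOperationContext.getDn());
        }
        byte[] credentials = bindOperationContext.getCredentials();
        LdapPrincipal storedPassword = getStoredPassword(bindOperationContext);
        byte[] userPassword = storedPassword.getUserPassword();

        if (constantTimeEquals(credentials, userPassword)) {
            if (IS_DEBUG) {
                LOG.debug("{} Authenticated", bindOperationContext.getDn());
            }
            return storedPassword;
        }

        LdapSecurityConstants findAlgorithm = findAlgorithm(userPassword);
        // Absent credentials can never match a hashed value; fail here instead of letting
        // the digest code dereference null.
        if (findAlgorithm == null || credentials == null) {
            throw passwordMismatch(bindOperationContext);
        }

        EncryptionMethod encryptionMethod = new EncryptionMethod(findAlgorithm, null);
        // Order matters: splitCredentials() extracts the salt into encryptionMethod, and
        // encryptPassword() reads it. Hashing first would use a null salt and salted or
        // crypt passwords could never verify.
        byte[] storedHash = splitCredentials(userPassword, encryptionMethod);
        byte[] presentedHash = encryptPassword(credentials, encryptionMethod);
        if (constantTimeEquals(presentedHash, storedHash)) {
            if (IS_DEBUG) {
                LOG.debug("{} Authenticated", bindOperationContext.getDn());
            }
            return storedPassword;
        }
        throw passwordMismatch(bindOperationContext);
    }

    /** Logs the failed bind at INFO and builds the exception reported to the caller. */
    private LdapAuthenticationException passwordMismatch(BindOperationContext bindOperationContext) {
        String message = "Password not correct for user '" + bindOperationContext.getDn().getUpName() + "'";
        LOG.info(message);
        return new LdapAuthenticationException(message);
    }

    /**
     * Compares two byte arrays without stopping at the first differing byte.
     * A {@code null} argument never matches, so a missing credential or a failed digest
     * cannot authenticate.
     */
    private static boolean constantTimeEquals(byte[] presented, byte[] expected) {
        if (presented == null || expected == null) {
            return false;
        }
        return MessageDigest.isEqual(presented, expected);
    }

    /**
     * Copies two consecutive slices of {@code bArr}, starting at offset {@code i}, into
     * {@code bArr2} and then {@code bArr3}; each slice is as long as its target array.
     */
    private static void split(byte[] bArr, int i, byte[] bArr2, byte[] bArr3) {
        System.arraycopy(bArr, i, bArr2, 0, bArr2.length);
        System.arraycopy(bArr, i + bArr2.length, bArr3, 0, bArr3.length);
    }

    /**
     * Strips the <code>{scheme}</code> prefix from a stored password, stores the salt (if
     * the scheme has one) in {@code encryptionMethod} and returns the bare hash.
     *
     * <p>A stored value that is too short to contain the expected salt yields an empty
     * array, which no computed hash can equal, instead of a negative array size.
     *
     * <p>NOTE(review): salted digests are assumed to end with exactly
     * {@link #DIGEST_SALT_LENGTH} salt bytes; values written with another salt length
     * will be split at the wrong position and fail to verify.
     *
     * @param bArr stored password including its prefix
     * @param encryptionMethod scheme of the stored password; its salt is set as a side effect
     * @return the stored hash bytes, or {@code bArr} itself for unknown schemes
     */
    private byte[] splitCredentials(byte[] bArr, EncryptionMethod encryptionMethod) {
        // Prefix is '{' + scheme name + '}'.
        int length = encryptionMethod.algorithm.getName().length() + 2;
        switch (AnonymousClass1.$SwitchMap$org$apache$directory$shared$ldap$constants$LdapSecurityConstants[encryptionMethod.algorithm.ordinal()]) {
            case 1: // MD5
            case 2: // SHA
                try {
                    return Base64.decode(new String(bArr, length, bArr.length - length, "UTF-8").toCharArray());
                } catch (UnsupportedEncodingException e) {
                    return bArr;
                }
            case 3: // SMD5
            case 4: // SSHA
                try {
                    byte[] decode = Base64.decode(new String(bArr, length, bArr.length - length, "UTF-8").toCharArray());
                    if (decode.length < DIGEST_SALT_LENGTH) {
                        return ArrayUtils.EMPTY_BYTE_ARRAY;
                    }
                    encryptionMethod.salt = new byte[DIGEST_SALT_LENGTH];
                    byte[] bArr2 = new byte[decode.length - encryptionMethod.salt.length];
                    // Decoded layout: hash bytes followed by the salt.
                    split(decode, 0, bArr2, encryptionMethod.salt);
                    return bArr2;
                } catch (UnsupportedEncodingException e2) {
                    return bArr;
                }
            case 5: // CRYPT
                int hashLength = bArr.length - CRYPT_SALT_LENGTH - length;
                if (hashLength < 0) {
                    return ArrayUtils.EMPTY_BYTE_ARRAY;
                }
                encryptionMethod.salt = new byte[CRYPT_SALT_LENGTH];
                byte[] bArr3 = new byte[hashLength];
                // Layout after the prefix: two salt characters followed by the hash.
                split(bArr, length, encryptionMethod.salt, bArr3);
                return bArr3;
            default:
                return bArr;
        }
    }

    /**
     * Reads the scheme name between a leading '{' and the first '}' of a stored password.
     *
     * @return the matching constant, or {@code null} when the value is null/empty, does
     *         not start with '{', has no '}', or the braces are empty; otherwise whatever
     *         {@code LdapSecurityConstants.getAlgorithm} returns for the lower-cased name
     */
    private LdapSecurityConstants findAlgorithm(byte[] bArr) {
        if (bArr == null || bArr.length == 0 || bArr[0] != '{') {
            return null;
        }
        int i = 1;
        while (i < bArr.length && bArr[i] != '}') {
            i++;
        }
        if (i >= bArr.length || i == 1) {
            return null;
        }
        return LdapSecurityConstants.getAlgorithm(new String(bArr, 1, i - 1).toLowerCase());
    }

    /**
     * Hashes {@code bArr}, followed by {@code bArr2} when it is not null, with the JCA
     * digest named by the given constant.
     *
     * @return the digest, or {@code null} if the JCA provider does not know the algorithm
     */
    private static byte[] digest(LdapSecurityConstants ldapSecurityConstants, byte[] bArr, byte[] bArr2) {
        try {
            MessageDigest messageDigest = MessageDigest.getInstance(ldapSecurityConstants.getName());
            if (bArr2 == null) {
                return messageDigest.digest(bArr);
            }
            messageDigest.update(bArr);
            messageDigest.update(bArr2);
            return messageDigest.digest();
        } catch (NoSuchAlgorithmException e) {
            return null;
        }
    }

    /**
     * Hashes the presented credentials with the scheme and salt held by
     * {@code encryptionMethod}, producing a value comparable with the result of
     * {@link #splitCredentials(byte[], EncryptionMethod)}.
     *
     * @return the hash; the unchanged credentials for unknown schemes; {@code null} when
     *         the digest algorithm is unavailable
     */
    private byte[] encryptPassword(byte[] bArr, EncryptionMethod encryptionMethod) {
        byte[] bArr2 = encryptionMethod.salt;
        switch (AnonymousClass1.$SwitchMap$org$apache$directory$shared$ldap$constants$LdapSecurityConstants[encryptionMethod.algorithm.ordinal()]) {
            case 1: // MD5
            case 3: // SMD5
                return digest(LdapSecurityConstants.HASH_METHOD_MD5, bArr, bArr2);
            case 2: // SHA
            case 4: // SSHA
                return digest(LdapSecurityConstants.HASH_METHOD_SHA, bArr, bArr2);
            case 5: // CRYPT
                if (bArr2 == null) {
                    // No salt was extracted: pick two random characters from the crypt
                    // alphabet. The result cannot equal a stored hash made with another salt.
                    bArr2 = new byte[CRYPT_SALT_LENGTH];
                    SecureRandom secureRandom = new SecureRandom();
                    int nextInt = secureRandom.nextInt(64);
                    int nextInt2 = secureRandom.nextInt(64);
                    bArr2[0] = toCryptSaltChar(nextInt);
                    bArr2[1] = toCryptSaltChar(nextInt2);
                }
                // crypt() output starts with the two salt characters; drop them to get the hash.
                return StringTools.getBytesUtf8(UnixCrypt.crypt(StringTools.utf8ToString(bArr), StringTools.utf8ToString(bArr2)).substring(2));
            default:
                return bArr;
        }
    }

    /** Maps 0..63 onto the crypt salt alphabet: './0-9' (0..11), 'A-Z' (12..37), 'a-z' (38..63). */
    private static byte toCryptSaltChar(int value) {
        if (value < 12) {
            return (byte) (value + 46);
        }
        if (value < 38) {
            return (byte) ((value + 65) - 12);
        }
        return (byte) ((value + 97) - 38);
    }

    /**
     * Reads the {@code userPassword} of the entry being bound, using the admin session and
     * bypassing the interceptors listed in {@link #USERLOOKUP_BYPASS}.
     *
     * @return the stored password bytes; an empty array when the entry has no
     *         {@code userPassword} attribute
     * @throws LdapAuthenticationException if the entry is missing or the lookup fails; the
     *         original failure is attached as root cause
     */
    private byte[] lookupUserPassword(BindOperationContext bindOperationContext) throws Exception {
        try {
            LookupOperationContext lookupOperationContext = new LookupOperationContext(getDirectoryService().getAdminSession(), bindOperationContext.getDn());
            lookupOperationContext.setByPassed(USERLOOKUP_BYPASS);
            ClonedServerEntry lookup = getDirectoryService().getOperationManager().lookup(lookupOperationContext);
            if (lookup == null) {
                LdapDN dn = bindOperationContext.getDn();
                throw new LdapAuthenticationException("Failed to lookup user for authentication: " + (dn == null ? "" : dn.getUpName()));
            }
            EntryAttribute entryAttribute = lookup.get("userPassword");
            if (entryAttribute == null) {
                return StringTools.EMPTY_BYTES;
            }
            Value value = entryAttribute.get();
            return value instanceof ServerStringValue ? StringTools.getBytesUtf8((String) value.get()) : (byte[]) value.get();
        } catch (Exception e) {
            LOG.error("Authentication error : " + e.getMessage());
            LdapAuthenticationException ldapAuthenticationException = new LdapAuthenticationException(e.getMessage());
            // Attach the failure that was caught; the exception itself is not a useful cause.
            ldapAuthenticationException.setRootCause(e);
            throw ldapAuthenticationException;
        }
    }

    /**
     * Extracts the scheme name from a <code>{scheme}hash</code> value.
     *
     * @param bArr stored password bytes (UTF-8)
     * @return the scheme name as written in the value when it is "crypt" (any case) or a
     *         digest known to the JCA provider; {@code null} otherwise
     */
    protected String getAlgorithmForHashedPassword(byte[] bArr) throws IllegalArgumentException {
        String str = null;
        String utf8ToString = StringTools.utf8ToString(bArr);
        int indexOf = utf8ToString.indexOf('}');
        if (utf8ToString.length() > 2 && utf8ToString.charAt(0) == '{' && indexOf > -1) {
            String substring = utf8ToString.substring(1, indexOf);
            if (LdapSecurityConstants.HASH_METHOD_CRYPT.getName().equalsIgnoreCase(substring)) {
                return substring;
            }
            try {
                // Only used as an existence check for the algorithm name.
                MessageDigest.getInstance(substring);
                str = substring;
            } catch (NoSuchAlgorithmException e) {
                LOG.warn("Unknown message digest algorithm in password: " + substring, e);
            }
        }
        return str;
    }

    /**
     * Builds a <code>{scheme}hash</code> string for the given password.
     *
     * <p>NOTE(review): the crypt branch calls {@code UnixCrypt.crypt} with an empty salt
     * and drops the first two characters of the result, so the returned value carries no
     * salt, while {@code splitCredentials} expects two salt characters after the prefix.
     * Confirm the intended storage format before relying on this branch.
     *
     * @param str scheme name: "crypt" (any case) or a JCA message digest name
     * @param bArr password bytes (UTF-8)
     * @return prefix plus the crypt hash text, or prefix plus the Base64-encoded digest
     * @throws IllegalArgumentException if the digest algorithm is unknown
     */
    protected String createDigestedPassword(String str, byte[] bArr) throws IllegalArgumentException {
        try {
            if (LdapSecurityConstants.HASH_METHOD_CRYPT.getName().equalsIgnoreCase(str)) {
                // Append the hash text itself; formatting the bytes with Arrays.toString
                // would store a "[12, 34, ...]" listing instead of the hash.
                String crypted = UnixCrypt.crypt(StringTools.utf8ToString(bArr), "").substring(2);
                return '{' + str + '}' + crypted;
            }
            return '{' + str + '}' + new String(Base64.encode(MessageDigest.getInstance(str).digest(bArr)));
        } catch (NoSuchAlgorithmException e) {
            LOG.error("Cannot create a digested password for algorithm '{}'", str);
            throw new IllegalArgumentException(e.getMessage(), e);
        }
    }

    /**
     * Removes the cached principal for the given DN so the next bind re-reads the password.
     *
     * @param ldapDN DN whose cache entry is dropped
     */
    @Override // org.apache.directory.server.core.authn.AbstractAuthenticator, org.apache.directory.server.core.authn.Authenticator
    public void invalidateCache(LdapDN ldapDN) {
        synchronized (this.credentialCache) {
            this.credentialCache.remove(ldapDN.getNormName());
        }
    }

    static {
        HashSet<String> bypass = new HashSet<String>();
        bypass.add(NormalizationInterceptor.class.getName());
        bypass.add(AuthenticationInterceptor.class.getName());
        bypass.add(AciAuthorizationInterceptor.class.getName());
        bypass.add(DefaultAuthorizationInterceptor.class.getName());
        bypass.add(ExceptionInterceptor.class.getName());
        bypass.add(OperationalAttributeInterceptor.class.getName());
        bypass.add(SchemaInterceptor.class.getName());
        bypass.add(SubentryInterceptor.class.getName());
        bypass.add(CollectiveAttributeInterceptor.class.getName());
        bypass.add(EventInterceptor.class.getName());
        bypass.add(TriggerInterceptor.class.getName());
        USERLOOKUP_BYPASS = Collections.unmodifiableCollection(bypass);
    }
}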
