package org.apache.catalina.realm;

import com.sun.net.ssl.internal.ssl.Provider;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.Security;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.Locale;
import netscape.ldap.LDAPAttribute;
import netscape.ldap.LDAPConnection;
import netscape.ldap.LDAPEntry;
import netscape.ldap.LDAPException;
import netscape.ldap.LDAPSearchConstraints;
import netscape.ldap.LDAPSearchResults;
import netscape.ldap.LDAPv3;
import netscape.ldap.factory.JSSESocketFactory;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.util.Base64;

/* loaded from: input_file:ldaprealm.jar:org/apache/catalina/realm/LDAPRealm.class */
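/**
 * Catalina {@code Realm} that authenticates users against an LDAP directory
 * (Mozilla/Netscape LDAP Java SDK) and reads their roles either from the user
 * entry or from a separate role search.
 *
 * <p>Two authentication modes are supported (see {@link #setAuthType(String)}):
 * {@code user} binds to the directory as the located user, {@code digest}
 * reads the password attribute named by {@link #setUserPassword(String)} and
 * compares it locally. Untrusted user input is escaped before it is placed in
 * an LDAP filter (RFC 4515) or DN (RFC 4514), and locally compared secrets are
 * compared in constant time and never written to the log.
 *
 * <p>Not thread-safe with respect to configuration: the setters are meant to be
 * called before {@link #start()}.
 */
public class LDAPRealm extends RealmBase {
    /** Descriptive information about this Realm implementation. */
    protected static final String info = "org.apache.catalina.realm.LDAPRealm/2.0";
    /** Short name returned by {@link #getName()}. */
    protected static final String name = "LDAPRealm";
    private static String[] NO_ATTRS = {LDAPv3.NO_ATTRS};
    // true -> "user" (bind as the user); false -> "digest" (compare the stored password attribute locally)
    protected boolean authTypeUser = true;
    protected String connectionHost = "localhost";
    protected int connectionPort = 389;
    protected String connectionFailOverType = "serial";
    // DN and password used for the pool connection and for the role search
    protected String connectionName = "";
    protected String connectionPassword = "";
    // "ldap" or "ldaps"
    protected String connectionType = "ldap";
    // created in start(), destroyed in stop(); null while the realm is not running
    private LDAPConnectionPool ldapPool = null;
    // digest algorithm name; "CRYPT" is handled here, anything else is delegated to RealmBase
    protected String digest = null;
    protected boolean digestBase64Encoded = true;
    protected int poolMin = 5;
    protected int poolMax = 20;
    // refresh interval for pooled connections (minutes, per the log message in start()); 0 disables
    protected int poolRefresh = 0;
    protected String poolRefreshDN = "";
    // true -> "user" (roles read from the user entry); false -> "list" (roles found by a separate search)
    protected boolean realmRoleTypeUser = true;
    // optional role added to every authenticated user; {1} is the user name
    protected MessageFormat roleAutoFormatMF = null;
    protected String roleAutoFormat = null;
    // base DN of the role search; defaults to searchRoot in start() when roles come from a search
    protected String roleRoot = null;
    // role search filter; {0} is the user DN, {1} the user name
    protected MessageFormat roleFormat = null;
    // single-element array holding the attribute that carries role names
    protected String[] roleName = null;
    protected String roleSearch = null;
    protected boolean roleSubtree = true;
    // true -> "search" (locate the user by filter under searchRoot); false -> "buildDN" (userPattern yields the DN)
    protected boolean searchTypeSearch = true;
    protected String searchRoot = "o=airius.com";
    protected String sslTrustStore = "";
    protected String sslTrustStorePassword = "";
    // user search filter or DN pattern; {0} is the user name
    protected MessageFormat userFormat = null;
    // name of the password attribute read in "digest" mode
    protected String userPassword = null;
    protected String userPattern = null;
    // attributes requested when the user entry is read; recomputed in start()
    private String[] ATTRS_TO_READ = {LDAPv3.NO_ATTRS};

    /** @return {@code "user"} or {@code "digest"} */
    public String getAuthType() {
        return this.authTypeUser ? "user" : "digest";
    }

    /**
     * Sets the authentication mode.
     *
     * @param str {@code "user"} or {@code "digest"} (case-insensitive); anything else logs a warning and selects {@code "user"}
     */
    public void setAuthType(String str) {
        String value = fixValue(str, "user");
        if (value.equalsIgnoreCase("user") || value.equalsIgnoreCase("digest")) {
            this.authTypeUser = value.equalsIgnoreCase("user");
        } else {
            this.container.getLogger().warn("invalid value for authType: " + str + ", defaulting to user");
            this.authTypeUser = true;
        }
    }

    public String getConnectionHost() {
        return this.connectionHost;
    }

    /** @param str directory host; {@code null} selects {@code "localhost"} */
    public void setConnectionHost(String str) {
        this.connectionHost = fixValue(str, "localhost");
    }

    public int getConnectionPort() {
        return this.connectionPort;
    }

    public void setConnectionPort(int i) {
        this.connectionPort = i;
    }

    public String getConnectionFailOverType() {
        return this.connectionFailOverType;
    }

    /** @param str fail-over type; {@code null} selects {@code "serial"} */
    public void setConnectionFailOverType(String str) {
        this.connectionFailOverType = fixValue(str, "serial");
    }

    public String getConnectionName() {
        return this.connectionName;
    }

    /** @param str DN used to bind the pool connection (and the role search) */
    public void setConnectionName(String str) {
        this.connectionName = str;
    }

    public String getConnectionPassword() {
        return this.connectionPassword;
    }

    public void setConnectionPassword(String str) {
        this.connectionPassword = str;
    }

    public String getConnectionType() {
        return this.connectionType;
    }

    /** @param str {@code "ldap"} or {@code "ldaps"}; anything else selects {@code "ldap"} */
    public void setConnectionType(String str) {
        String value = fixValue(str, "ldap");
        if (value.equalsIgnoreCase("ldap") || value.equalsIgnoreCase("ldaps")) {
            this.connectionType = value;
        } else {
            this.connectionType = "ldap";
        }
    }

    /**
     * @return {@code "CRYPT"} when Unix crypt validation is configured (handled by this
     *     class), otherwise the digest configured on {@code RealmBase}
     */
    public String getDigest() {
        return "CRYPT".equalsIgnoreCase(this.digest) ? this.digest : super.getDigest();
    }

    /**
     * Sets the digest algorithm. {@code "CRYPT"} is kept locally and {@code RealmBase}
     * is told there is no digest, so {@code hasMessageDigest()} is false in that case.
     */
    public void setDigest(String str) {
        this.digest = str;
        if ("CRYPT".equalsIgnoreCase(str)) {
            super.setDigest((String) null);
        } else {
            super.setDigest(str);
        }
    }

    public boolean getDigestBase64Encoded() {
        return this.digestBase64Encoded;
    }

    public void setDigestBase64Encoded(boolean z) {
        this.digestBase64Encoded = z;
    }

    public int getPoolMin() {
        return this.poolMin;
    }

    /** @param i minimum pool size; values below 1 are clamped to 1 */
    public void setPoolMin(int i) {
        this.poolMin = i < 1 ? 1 : i;
    }

    public int getPoolMax() {
        return this.poolMax;
    }

    /** @param i maximum pool size; values below 1 fall back to the current {@code poolMin} */
    public void setPoolMax(int i) {
        this.poolMax = i < 1 ? this.poolMin : i;
    }

    public int getPoolRefresh() {
        return this.poolRefresh;
    }

    /** @param i refresh interval; negative values are clamped to 0 (disabled) */
    public void setPoolRefresh(int i) {
        // validate the argument itself (the original tested poolMin here, which never clamped i)
        this.poolRefresh = i < 0 ? 0 : i;
    }

    public String getPoolRefreshDN() {
        return this.poolRefreshDN;
    }

    /** @param str DN read on each pool refresh; {@code null}/empty disables the refresh */
    public void setPoolRefreshDN(String str) {
        this.poolRefreshDN = (str == null || str.length() == 0) ? "" : str;
    }

    /** @return {@code "user"} or {@code "list"} */
    public String getRealmRoleType() {
        return this.realmRoleTypeUser ? "user" : "list";
    }

    /**
     * Sets where roles are read from.
     *
     * @param str {@code "user"} or {@code "list"} (case-insensitive); anything else logs a warning and selects {@code "user"}
     */
    public void setRealmRoleType(String str) {
        String value = fixValue(str, "user");
        if (value.equalsIgnoreCase("user") || value.equalsIgnoreCase("list")) {
            this.realmRoleTypeUser = value.equalsIgnoreCase("user");
        } else {
            this.container.getLogger().warn("invalid value for realmRoleType: " + str + ", defaulting to user");
            this.realmRoleTypeUser = true;
        }
    }

    public String getRoleAutoFormat() {
        return this.roleAutoFormat;
    }

    private MessageFormat getRoleAutoFormatMF() {
        return this.roleAutoFormatMF;
    }

    /** @param str pattern of a role granted to every authenticated user ({1} = user name); {@code null}/empty disables it */
    public void setRoleAutoFormat(String str) {
        if (str == null || str.length() == 0) {
            this.roleAutoFormat = null;
            this.roleAutoFormatMF = null;
        } else {
            this.roleAutoFormat = str;
            this.roleAutoFormatMF = new MessageFormat(str);
        }
    }

    public String getRoleBase() {
        return this.roleRoot;
    }

    public void setRoleBase(String str) {
        this.roleRoot = str;
    }

    /** @return the role attribute name, or {@code null} if none is configured */
    public String getRoleName() {
        return this.roleName != null ? this.roleName[0] : null;
    }

    public void setRoleName(String str) {
        this.roleName = str != null ? new String[]{str} : null;
    }

    public String getRoleSearch() {
        return this.roleSearch;
    }

    /** @param str role search filter ({0} = user DN, {1} = user name); {@code null} disables the role search */
    public void setRoleSearch(String str) {
        this.roleSearch = str;
        this.roleFormat = str != null ? new MessageFormat(str) : null;
    }

    public boolean getRoleSubtree() {
        return this.roleSubtree;
    }

    public void setRoleSubtree(boolean z) {
        this.roleSubtree = z;
    }

    /** @return {@code "search"} or {@code "buildDN"} */
    public String getSearchType() {
        return this.searchTypeSearch ? "search" : "buildDN";
    }

    /**
     * Sets how the user entry is located.
     *
     * @param str {@code "search"} or {@code "buildDN"} (case-insensitive); anything else logs a warning and selects {@code "search"}
     */
    public void setSearchType(String str) {
        String value = fixValue(str, "search");
        if (value.equalsIgnoreCase("search") || value.equalsIgnoreCase("buildDN")) {
            this.searchTypeSearch = value.equalsIgnoreCase("search");
        } else {
            this.container.getLogger().warn("invalid value for searchType: " + str + ", defaulting to search");
            this.searchTypeSearch = true;
        }
    }

    public String getSearchRoot() {
        return this.searchRoot;
    }

    public void setSearchRoot(String str) {
        this.searchRoot = str;
    }

    public String getSslTrustStore() {
        return this.sslTrustStore;
    }

    /** @param str trust store path; trimmed but (unlike the keyword setters) not lower-cased, since paths are case-sensitive */
    public void setSslTrustStore(String str) {
        this.sslTrustStore = str != null ? str.trim() : "";
    }

    public String getSslTrustStorePassword() {
        return this.sslTrustStorePassword;
    }

    /** @param str trust store password, stored verbatim (lower-casing it would break mixed-case passwords) */
    public void setSslTrustStorePassword(String str) {
        this.sslTrustStorePassword = str != null ? str : "";
    }

    public String getUserPassword() {
        return this.userPassword;
    }

    /** @param str name of the attribute holding the user's password (used in {@code digest} mode) */
    public void setUserPassword(String str) {
        this.userPassword = str;
    }

    public String getUserPattern() {
        return this.userPattern;
    }

    /** @param str user filter ({@code search} mode) or DN pattern ({@code buildDN} mode); {0} = user name */
    public void setUserPattern(String str) {
        this.userPattern = str;
        this.userFormat = str != null ? new MessageFormat(str) : null;
    }

    /**
     * Normalizes a configuration keyword: trimmed and lower-cased, or the default when null.
     * {@code Locale.ROOT} keeps "DIGEST" -> "digest" on every JVM locale.
     */
    private String fixValue(String str, String str2) {
        return str != null ? str.trim().toLowerCase(Locale.ROOT) : str2;
    }

    /**
     * Escapes a value for use inside an LDAP search filter (RFC 4515), so user input
     * cannot alter the filter structure.
     */
    private static String escapeFilterValue(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*': sb.append("\\2a"); break;
                case '(': sb.append("\\28"); break;
                case ')': sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Escapes a value for use as an attribute value inside a DN (RFC 4514), so user input
     * cannot add or alter RDN components.
     */
    private static String escapeDnValue(String value) {
        if (value == null) {
            return null;
        }
        int n = value.length();
        StringBuilder sb = new StringBuilder(n);
        for (int i = 0; i < n; i++) {
            char c = value.charAt(i);
            boolean edgeSpace = c == ' ' && (i == 0 || i == n - 1);
            boolean leadingHash = c == '#' && i == 0;
            if (edgeSpace || leadingHash || ",+\"\\<>;=".indexOf(c) >= 0) {
                sb.append('\\').append(c);
            } else if (c == '\0') {
                sb.append("\\00");
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Constant-time string equality; null on either side is "not equal". */
    private static boolean constantTimeEquals(String a, String b) {
        if (a == null || b == null) {
            return false;
        }
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    /** Constant-time case-insensitive string equality; null on either side is "not equal". */
    private static boolean constantTimeEqualsIgnoreCase(String a, String b) {
        if (a == null || b == null) {
            return false;
        }
        return constantTimeEquals(a.toLowerCase(Locale.ROOT), b.toLowerCase(Locale.ROOT));
    }

    /**
     * Authenticates a user with a pooled connection.
     *
     * @param str user name
     * @param str2 clear-text credentials
     * @return the authenticated principal, or {@code null} on failure
     */
    public Principal authenticate(String str, String str2) {
        LDAPConnection conn = getLDAPConn();
        if (conn == null) {
            this.container.getLogger().warn("no directory connection available (realm not started?)");
            return null;
        }
        try {
            return doAuthenticate(conn, str, str2);
        } catch (LDAPException e) {
            this.container.getLogger().warn("exception in authenticate -> " + e);
            return null;
        } finally {
            // always hand the connection back, even when doAuthenticate throws an unchecked exception
            release(conn);
        }
    }

    /**
     * Validates the user, collects the roles and builds the principal.
     *
     * @param lDAPConnection connection to use
     * @param str user name
     * @param str2 clear-text credentials
     * @return the principal, or {@code null} if validation fails
     * @throws LDAPException declared for subclasses; this implementation catches it and returns {@code null}
     */
    protected Principal doAuthenticate(LDAPConnection lDAPConnection, String str, String str2) throws LDAPException {
        try {
            LDAPEntry userEntry = validateUser(lDAPConnection, str, str2);
            if (userEntry == null) {
                return null;
            }
            List<String> roles;
            try {
                if (this.realmRoleTypeUser) {
                    if (this.container.getLogger().isTraceEnabled()) {
                        this.container.getLogger().trace("user authenticated, getting roles from user record");
                    }
                    roles = getRoles(userEntry);
                } else {
                    if (this.container.getLogger().isTraceEnabled()) {
                        this.container.getLogger().trace("user authenticated, getting roles from server");
                    }
                    roles = getRoles(lDAPConnection, str, userEntry.getDN());
                }
            } catch (LDAPException e) {
                // a failed role lookup still yields an authenticated principal without roles
                this.container.getLogger().warn("exception getting roles ");
                this.container.getLogger().warn("  " + e.toString());
                roles = new ArrayList<String>();
            }
            if (this.roleAutoFormatMF != null) {
                String autoRole = this.roleAutoFormatMF.format(new String[]{null, str});
                roles.add(autoRole);
                if (this.container.getLogger().isTraceEnabled()) {
                    this.container.getLogger().trace("auto added role " + autoRole);
                }
            }
            return new GenericPrincipal(this, str, str2, roles);
        } catch (LDAPException e2) {
            this.container.getLogger().warn("LDAPRealm exception in authenticate " + e2.toString());
            return null;
        }
    }

    protected String getName() {
        return name;
    }

    /** Not supported: passwords are never handed out of the directory. */
    protected String getPassword(String str) {
        return null;
    }

    /** Not supported: principals are only created through {@link #authenticate(String, String)}. */
    protected Principal getPrincipal(String str) {
        return null;
    }

    /**
     * Finds the user's roles with a search under {@code roleRoot} ("list" mode).
     *
     * @param lDAPConnection connection; re-bound with the realm's own credentials when
     *     {@code authType} is "user", because validateUser bound it as the user
     * @param str user name (filter argument {1})
     * @param str2 user DN (filter argument {0})
     * @return mutable list of role names, empty when no role search is configured
     * @throws LDAPException on directory errors
     */
    protected List<String> getRoles(LDAPConnection lDAPConnection, String str, String str2) throws LDAPException {
        if (this.container.getLogger().isTraceEnabled()) {
            this.container.getLogger().trace("getRoles(" + str2 + ")");
        }
        if (this.authTypeUser) {
            lDAPConnection.bind(this.connectionName, this.connectionPassword);
        }
        List<String> roles = new ArrayList<String>();
        if (this.roleFormat == null || this.roleName == null) {
            return roles;
        }
        LDAPSearchConstraints constraints = lDAPConnection.getSearchConstraints();
        constraints.setMaxResults(0);
        constraints.setBatchSize(0);
        // search scope: 1 = one level, 2 = subtree
        int scope = this.roleSubtree ? 2 : 1;
        // both values are untrusted as far as the filter grammar is concerned
        String filter = this.roleFormat.format(new String[]{escapeFilterValue(str2), escapeFilterValue(str)});
        if (this.container.getLogger().isTraceEnabled()) {
            this.container.getLogger().trace("  Searching role base '" + this.roleRoot + "' for attribute '" + this.roleName[0] + "'");
            this.container.getLogger().trace("  With filter expression '" + filter + "'");
            this.container.getLogger().trace("  For user " + str2);
        }
        LDAPSearchResults results = lDAPConnection.search(this.roleRoot, scope, filter, this.roleName, false, constraints);
        if (results == null) {
            return roles;
        }
        while (results.hasMoreElements()) {
            LDAPAttribute attribute = results.next().getAttribute(this.roleName[0]);
            if (attribute == null) {
                continue;
            }
            Enumeration<?> values = attribute.getStringValues();
            if (values == null) {
                continue;
            }
            while (values.hasMoreElements()) {
                String role = (String) values.nextElement();
                roles.add(role);
                if (this.container.getLogger().isTraceEnabled()) {
                    this.container.getLogger().trace("  Found role '" + role + "'");
                }
            }
        }
        if (this.container.getLogger().isTraceEnabled()) {
            this.container.getLogger().trace("  Returning " + roles.size() + " roles");
        }
        return roles;
    }

    /**
     * Reads the user's roles from the {@code roleName} attribute of the entry ("user" mode).
     *
     * @param lDAPEntry the user entry
     * @return mutable list of role names, empty when the attribute is absent or not configured
     */
    protected List<String> getRoles(LDAPEntry lDAPEntry) {
        List<String> roles = new ArrayList<String>();
        if (this.container.getLogger().isTraceEnabled()) {
            this.container.getLogger().trace("getRoles(" + lDAPEntry.getDN() + ")");
        }
        if (this.roleName == null || this.roleName[0].length() == 0) {
            return roles;
        }
        LDAPAttribute attribute = lDAPEntry.getAttribute(this.roleName[0]);
        if (attribute == null) {
            if (this.container.getLogger().isTraceEnabled()) {
                this.container.getLogger().trace("attribute:" + this.roleName[0] + " not present for " + lDAPEntry.getDN());
            }
            return roles;
        }
        Enumeration<?> values = attribute.getStringValues();
        if (values == null) {
            return roles;
        }
        while (values.hasMoreElements()) {
            roles.add((String) values.nextElement());
        }
        if (this.container.getLogger().isTraceEnabled()) {
            this.container.getLogger().trace("  Returning " + roles.size() + " roles");
        }
        return roles;
    }

    /**
     * Locates the user entry and checks the credentials.
     *
     * <p>In "user" mode the connection is bound as the user (the connection is left
     * bound that way). In "digest" mode the {@code userPassword} attribute is read and
     * compared locally: Unix crypt when digest is "CRYPT", otherwise the configured
     * message digest (base64 or hex), with a leading {@code {scheme}} prefix stripped.
     *
     * @param lDAPConnection connection to use
     * @param str user name
     * @param str2 clear-text credentials; null or empty never authenticates
     * @return the user entry on success, {@code null} on any failure
     * @throws LDAPException on directory errors other than a failed user bind
     */
    protected LDAPEntry validateUser(LDAPConnection lDAPConnection, String str, String str2) throws LDAPException {
        if (this.container.getLogger().isTraceEnabled()) {
            this.container.getLogger().trace("getUserDN(" + str + ")");
        }
        if (str == null || this.userFormat == null) {
            return null;
        }
        if (this.container.getLogger().isTraceEnabled()) {
            this.container.getLogger().trace("searchType=" + getSearchType());
        }
        LDAPEntry entry;
        if (this.searchTypeSearch) {
            // the user name is untrusted input inside a filter: escape it (RFC 4515)
            String filter = this.userFormat.format(new String[]{escapeFilterValue(str)});
            LDAPSearchConstraints constraints = lDAPConnection.getSearchConstraints();
            // two results are enough to detect an ambiguous match
            constraints.setMaxResults(2);
            constraints.setBatchSize(0);
            if (this.container.getLogger().isTraceEnabled()) {
                this.container.getLogger().trace("searchRoot=" + this.searchRoot);
                this.container.getLogger().trace("searchString=" + filter);
                this.container.getLogger().trace("Attributes reading=");
                for (int i = 0; i < this.ATTRS_TO_READ.length; i++) {
                    this.container.getLogger().trace("   " + this.ATTRS_TO_READ[i]);
                }
            }
            // scope 2 = subtree
            LDAPSearchResults results = lDAPConnection.search(this.searchRoot, 2, filter, this.ATTRS_TO_READ, false, constraints);
            if (results == null || !results.hasMoreElements()) {
                if (this.container.getLogger().isDebugEnabled()) {
                    this.container.getLogger().debug("srch: " + filter + " not found");
                }
                return null;
            }
            if (results.getCount() > 1) {
                if (this.container.getLogger().isDebugEnabled()) {
                    this.container.getLogger().debug("More than one matching entry for " + filter);
                }
                return null;
            }
            entry = results.next();
            if (this.container.getLogger().isTraceEnabled()) {
                this.container.getLogger().trace("found a single entry for user");
            }
        } else {
            // the user name becomes part of a DN: escape it (RFC 4514)
            entry = lDAPConnection.read(this.userFormat.format(new String[]{escapeDnValue(str)}), this.ATTRS_TO_READ);
        }
        if (entry == null) {
            return null;
        }
        String dn = entry.getDN();
        if (this.authTypeUser) {
            if (this.container.getLogger().isTraceEnabled()) {
                this.container.getLogger().trace("authenticating user via server");
            }
            // an empty password would be an anonymous bind on many servers, so refuse it here
            if (str2 == null || str2.length() == 0) {
                if (this.container.getLogger().isTraceEnabled()) {
                    this.container.getLogger().trace("user password is blank-not allowed");
                }
                return null;
            }
            try {
                lDAPConnection.authenticate(dn, str2);
                if (this.container.getLogger().isTraceEnabled()) {
                    this.container.getLogger().trace("user authenticated");
                }
                return entry;
            } catch (LDAPException e) {
                if (this.container.getLogger().isDebugEnabled()) {
                    this.container.getLogger().debug("user failed authentication");
                }
                return null;
            }
        }
        // digest mode from here on
        if (this.userPassword == null || str2 == null) {
            return null;
        }
        LDAPAttribute attribute = entry.getAttribute(this.userPassword);
        if (attribute == null) {
            this.container.getLogger().warn(this.userPassword + " not present, or not able to be read");
            return null;
        }
        String[] storedValues = attribute.getStringValueArray();
        if (storedValues == null || storedValues.length == 0 || storedValues[0] == null) {
            return null;
        }
        // stored: the attribute value as read; storedValue: the same with any "{scheme}" prefix removed
        String stored = storedValues[0];
        String storedValue = stored;
        if (this.container.getLogger().isTraceEnabled()) {
            this.container.getLogger().trace("  validating credentials");
        }
        if (this.container.getLogger().isDebugEnabled()) {
            this.container.getLogger().debug("password attribute read from ldap server (value not logged)");
        }
        if (stored.startsWith("{")) {
            int close = stored.indexOf("}");
            if (close > 0) {
                if (this.container.getLogger().isDebugEnabled()) {
                    this.container.getLogger().debug("password contains digest algorithm, digestBase64Encoded is set to " + this.digestBase64Encoded);
                    this.container.getLogger().debug("password in directory stored using digest algorithm of " + stored.substring(1, close));
                    this.container.getLogger().debug("digest algorithm configured for realm module is " + this.digest);
                }
                storedValue = stored.substring(close + 1);
            }
        }
        boolean matched;
        if (!hasMessageDigest()) {
            if (this.container.getLogger().isDebugEnabled()) {
                this.container.getLogger().debug("hasMessageDigest() returned false from RealmBase");
            }
            if ("CRYPT".equalsIgnoreCase(this.digest)) {
                if (this.container.getLogger().isDebugEnabled()) {
                    this.container.getLogger().debug("performing crypt validation on password, digestBase64Encoded=" + this.digestBase64Encoded);
                }
                matched = this.digestBase64Encoded
                        ? LDAPUnixCrypt.matches(storedValue, new String(Base64.encode(str2.getBytes())))
                        : LDAPUnixCrypt.matches(storedValue, str2);
            } else {
                // no digest configured: RealmBase.digest() returns the credentials as given,
                // so compare against the stored value untouched (a clear-text password may start with '{')
                matched = constantTimeEquals(digest(str2), stored);
            }
        } else if (this.digestBase64Encoded) {
            try {
                MessageDigest messageDigest = MessageDigest.getInstance(getDigest());
                messageDigest.reset();
                // NOTE(review): platform default charset, as in the original; confirm before switching to UTF-8
                messageDigest.update(str2.getBytes());
                String encoded = new String(Base64.encode(messageDigest.digest()));
                if (this.container.getLogger().isTraceEnabled()) {
                    this.container.getLogger().trace("comparing base64 digest of entered password with directory value");
                }
                matched = constantTimeEquals(encoded, storedValue);
                if (this.container.getLogger().isDebugEnabled()) {
                    this.container.getLogger().debug("password validation = " + matched);
                }
            } catch (NoSuchAlgorithmException e2) {
                this.container.getLogger().error("error obtaining digest algorithm " + getDigest() + " ->" + e2.toString());
                return null;
            }
        } else {
            // hex digest: compare against the prefix-stripped value (a hex digest never begins with '{')
            matched = constantTimeEqualsIgnoreCase(digest(str2), storedValue);
        }
        if (matched) {
            if (this.container.getLogger().isDebugEnabled()) {
                this.container.getLogger().debug("LDAPRealm.authenticateSuccess for " + str);
            }
            return entry;
        }
        if (this.container.getLogger().isDebugEnabled()) {
            this.container.getLogger().debug("LDAPRealm.authenticateFailure for " + str);
        }
        return null;
    }

    /** @return a pooled connection, or {@code null} when the realm has not been started */
    protected LDAPConnection getLDAPConn() {
        return this.ldapPool == null ? null : this.ldapPool.getConnection();
    }

    /** Returns a connection to the pool; {@code null} is ignored. */
    protected void release(LDAPConnection lDAPConnection) {
        if (lDAPConnection != null) {
            this.ldapPool.close(lDAPConnection);
        }
    }

    /**
     * Opens the directory connection, builds the connection pool and derives the
     * attribute list read for user entries.
     *
     * @throws LifecycleException when the directory connection cannot be opened
     */
    public void start() throws LifecycleException {
        LDAPConnection lDAPConnection;
        super.start();
        this.container.getLogger().info("*********");
        this.container.getLogger().info("LDAPRealm module for tomcat version org.apache.catalina.realm.LDAPRealm/2.0");
        this.container.getLogger().info("*********");
        this.container.getLogger().debug("connectionhost=" + this.connectionHost);
        this.container.getLogger().debug("connectionport=" + this.connectionPort);
        this.container.getLogger().debug("connectionname=" + this.connectionName);
        // the bind password is never logged, at any level
        this.container.getLogger().debug("connectionpass=***** (hidden)");
        this.container.getLogger().debug("connectiontype=" + this.connectionType);
        try {
            if (this.connectionType.equalsIgnoreCase("ldaps")) {
                Security.addProvider(new Provider());
                // JVM-global properties; presumably read by LDAPRealmSSLSocketFactory (defined elsewhere)
                Security.setProperty("ssl.LDAPRealmTrustManager.file", this.sslTrustStore);
                Security.setProperty("ssl.LDAPRealmTrustManager.password", this.sslTrustStorePassword);
                Security.setProperty("ssl.LDAPRealmTrustManager.debug", this.container.getLogger().isDebugEnabled() ? "on" : "off");
                this.container.getLogger().debug("setting up ssl connection and socket factory for ldaps");
                lDAPConnection = new LDAPConnection(new JSSESocketFactory(null, new LDAPRealmSSLSocketFactory()));
            } else {
                this.container.getLogger().debug("setting up connection for ldap");
                lDAPConnection = new LDAPConnection();
            }
            lDAPConnection.connect(this.connectionHost, this.connectionPort, this.connectionName, this.connectionPassword);
            this.container.getLogger().debug("connected via " + this.connectionType + " to " + this.connectionHost);
            this.container.getLogger().debug("setting up connection pool for " + this.connectionType);
            this.ldapPool = new LDAPConnectionPool(this.poolMin, this.poolMax, lDAPConnection);
            this.container.getLogger().debug("LDAPConnection pool has been setup");
            if (this.container.getLogger().isDebugEnabled()) {
                this.ldapPool.setDebug(true);
            }
            // the template connection is released once the pool has been built from it
            lDAPConnection.disconnect();
            if (this.poolRefresh > 0 && this.poolRefreshDN.length() > 0) {
                this.ldapPool.setRefresh(this.poolRefresh, this.poolRefreshDN);
                this.container.getLogger().info("refresh of pooled connections set to every " + this.poolRefresh + " minute(s)");
                this.container.getLogger().info("using a DN of " + this.poolRefreshDN);
            }
            // "user" mode never needs the password attribute; the role attribute is only needed
            // when roles come from the user entry
            if (this.authTypeUser) {
                if (!this.realmRoleTypeUser || this.roleName == null) {
                    this.ATTRS_TO_READ = new String[]{LDAPv3.NO_ATTRS};
                } else {
                    this.ATTRS_TO_READ = new String[]{this.roleName[0]};
                }
            } else if (!this.realmRoleTypeUser || this.roleName == null) {
                this.ATTRS_TO_READ = new String[]{this.userPassword};
            } else {
                this.ATTRS_TO_READ = new String[]{this.userPassword, this.roleName[0]};
            }
            if (!this.realmRoleTypeUser && this.roleRoot == null) {
                this.container.getLogger().debug("did not specify root to search for roles roleRoot, using " + this.searchRoot);
                this.roleRoot = this.searchRoot;
            }
        } catch (LDAPException e) {
            // keep the cause so the stack trace survives
            throw new LifecycleException("LDAPRealm.open - Error opening directory connection " + e.toString(), e);
        }
    }

    /**
     * Destroys the connection pool and stops the realm.
     *
     * @throws LifecycleException propagated from {@code RealmBase.stop()}
     */
    public void stop() throws LifecycleException {
        this.container.getLogger().info("stop method called in LDAPRealm");
        if (this.ldapPool != null) {
            this.container.getLogger().info("shutting down LDAPConnection pool....");
            this.ldapPool.destroy();
        }
        this.ldapPool = null;
        super.stop();
    }
}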
