package org.springframework.security.ldap.authentication.ad;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Hashtable;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.AuthenticationException;
import javax.naming.NamingException;
import javax.naming.OperationNotSupportedException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import org.apache.commons.configuration2.tree.DefaultExpressionEngineSymbols;
import org.apache.directory.api.ldap.model.constants.JndiPropertyConstants;
import org.springframework.dao.IncorrectResultSizeDataAccessException;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.DistinguishedName;
import org.springframework.ldap.core.support.DefaultDirObjectFactory;
import org.springframework.ldap.support.LdapUtils;
import org.springframework.security.authentication.AccountExpiredException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.ldap.SpringSecurityLdapTemplate;
import org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

/* loaded from: input_file:WEB-INF/lib/spring-security-ldap-4.2.8.RELEASE.jar:org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProvider.class */
public final class ActiveDirectoryLdapAuthenticationProvider extends AbstractLdapAuthenticationProvider {
    private static final Pattern SUB_ERROR_CODE = Pattern.compile(".*data\\s([0-9a-f]{3,4}).*");
    private static final int USERNAME_NOT_FOUND = 1317;
    private static final int INVALID_PASSWORD = 1326;
    private static final int NOT_PERMITTED = 1328;
    private static final int PASSWORD_EXPIRED = 1330;
    private static final int ACCOUNT_DISABLED = 1331;
    private static final int ACCOUNT_EXPIRED = 1793;
    private static final int PASSWORD_NEEDS_RESET = 1907;
    private static final int ACCOUNT_LOCKED = 1909;
    private final String domain;
    private final String rootDn;
    private final String url;
    private boolean convertSubErrorCodesToExceptions;
    private String searchFilter = "(&(objectClass=user)(userPrincipalName={0}))";
    ContextFactory contextFactory = new ContextFactory();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/lib/spring-security-ldap-4.2.8.RELEASE.jar:org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProvider$ContextFactory.class */
    public static class ContextFactory {
        ContextFactory() {
        }

        DirContext createContext(Hashtable<?, ?> hashtable) throws NamingException {
            return new InitialLdapContext(hashtable, (Control[]) null);
        }
    }

    public ActiveDirectoryLdapAuthenticationProvider(String str, String str2, String str3) {
        Assert.isTrue(StringUtils.hasText(str2), "Url cannot be empty");
        this.domain = StringUtils.hasText(str) ? str.toLowerCase() : null;
        this.url = str2;
        this.rootDn = StringUtils.hasText(str3) ? str3.toLowerCase() : null;
    }

    public ActiveDirectoryLdapAuthenticationProvider(String str, String str2) {
        Assert.isTrue(StringUtils.hasText(str2), "Url cannot be empty");
        this.domain = StringUtils.hasText(str) ? str.toLowerCase() : null;
        this.url = str2;
        this.rootDn = this.domain == null ? null : rootDnFromDomain(this.domain);
    }

    @Override // org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider
    protected DirContextOperations doAuthentication(UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken) {
        String name = usernamePasswordAuthenticationToken.getName();
        DirContext bindAsUser = bindAsUser(name, (String) usernamePasswordAuthenticationToken.getCredentials());
        try {
            try {
                DirContextOperations searchForUser = searchForUser(bindAsUser, name);
                LdapUtils.closeContext(bindAsUser);
                return searchForUser;
            } catch (NamingException e) {
                this.logger.error("Failed to locate directory entry for authenticated user: " + name, e);
                throw badCredentials(e);
            }
        } catch (Throwable th) {
            LdapUtils.closeContext(bindAsUser);
            throw th;
        }
    }

    @Override // org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider
    protected Collection<? extends GrantedAuthority> loadUserAuthorities(DirContextOperations dirContextOperations, String str, String str2) {
        String[] stringAttributes = dirContextOperations.getStringAttributes("memberOf");
        if (stringAttributes == null) {
            this.logger.debug("No values for 'memberOf' attribute.");
            return AuthorityUtils.NO_AUTHORITIES;
        }
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("'memberOf' attribute values: " + Arrays.asList(stringAttributes));
        }
        ArrayList arrayList = new ArrayList(stringAttributes.length);
        for (String str3 : stringAttributes) {
            arrayList.add(new SimpleGrantedAuthority(new DistinguishedName(str3).removeLast().getValue()));
        }
        return arrayList;
    }

    private DirContext bindAsUser(String str, String str2) {
        String str3 = this.url;
        Hashtable<?, ?> hashtable = new Hashtable<>();
        hashtable.put("java.naming.security.authentication", "simple");
        String createBindPrincipal = createBindPrincipal(str);
        hashtable.put("java.naming.security.principal", createBindPrincipal);
        hashtable.put("java.naming.provider.url", str3);
        hashtable.put("java.naming.security.credentials", str2);
        hashtable.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        hashtable.put(JndiPropertyConstants.JNDI_FACTORY_OBJECT, DefaultDirObjectFactory.class.getName());
        try {
            return this.contextFactory.createContext(hashtable);
        } catch (NamingException e) {
            if (!(e instanceof AuthenticationException) && !(e instanceof OperationNotSupportedException)) {
                throw LdapUtils.convertLdapException(e);
            }
            handleBindException(createBindPrincipal, e);
            throw badCredentials(e);
        }
    }

    private void handleBindException(String str, NamingException namingException) {
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Authentication for " + str + " failed:" + namingException);
        }
        int parseSubErrorCode = parseSubErrorCode(namingException.getMessage());
        if (parseSubErrorCode <= 0) {
            this.logger.debug("Failed to locate AD-specific sub-error code in message");
            return;
        }
        this.logger.info("Active Directory authentication failed: " + subCodeToLogMessage(parseSubErrorCode));
        if (this.convertSubErrorCodesToExceptions) {
            raiseExceptionForErrorCode(parseSubErrorCode, namingException);
        }
    }

    private int parseSubErrorCode(String str) {
        Matcher matcher = SUB_ERROR_CODE.matcher(str);
        if (matcher.matches()) {
            return Integer.parseInt(matcher.group(1), 16);
        }
        return -1;
    }

    private void raiseExceptionForErrorCode(int i, NamingException namingException) {
        ActiveDirectoryAuthenticationException activeDirectoryAuthenticationException = new ActiveDirectoryAuthenticationException(Integer.toHexString(i), namingException.getMessage(), namingException);
        switch (i) {
            case 1330:
                throw new CredentialsExpiredException(this.messages.getMessage("LdapAuthenticationProvider.credentialsExpired", "User credentials have expired"), activeDirectoryAuthenticationException);
            case 1331:
                throw new DisabledException(this.messages.getMessage("LdapAuthenticationProvider.disabled", "User is disabled"), activeDirectoryAuthenticationException);
            case ACCOUNT_EXPIRED /* 1793 */:
                throw new AccountExpiredException(this.messages.getMessage("LdapAuthenticationProvider.expired", "User account has expired"), activeDirectoryAuthenticationException);
            case ACCOUNT_LOCKED /* 1909 */:
                throw new LockedException(this.messages.getMessage("LdapAuthenticationProvider.locked", "User account is locked"), activeDirectoryAuthenticationException);
            default:
                throw badCredentials(activeDirectoryAuthenticationException);
        }
    }

    private String subCodeToLogMessage(int i) {
        switch (i) {
            case USERNAME_NOT_FOUND /* 1317 */:
                return "User was not found in directory";
            case INVALID_PASSWORD /* 1326 */:
                return "Supplied password was invalid";
            case NOT_PERMITTED /* 1328 */:
                return "User not permitted to logon at this time";
            case 1330:
                return "Password has expired";
            case 1331:
                return "Account is disabled";
            case ACCOUNT_EXPIRED /* 1793 */:
                return "Account expired";
            case PASSWORD_NEEDS_RESET /* 1907 */:
                return "User must reset password";
            case ACCOUNT_LOCKED /* 1909 */:
                return "Account locked";
            default:
                return "Unknown (error code " + Integer.toHexString(i) + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END;
        }
    }

    private BadCredentialsException badCredentials() {
        return new BadCredentialsException(this.messages.getMessage("LdapAuthenticationProvider.badCredentials", "Bad credentials"));
    }

    private BadCredentialsException badCredentials(Throwable th) {
        return (BadCredentialsException) badCredentials().initCause(th);
    }

    private DirContextOperations searchForUser(DirContext dirContext, String str) throws NamingException {
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(2);
        String createBindPrincipal = createBindPrincipal(str);
        try {
            return SpringSecurityLdapTemplate.searchForSingleEntryInternal(dirContext, searchControls, this.rootDn != null ? this.rootDn : searchRootFromPrincipal(createBindPrincipal), this.searchFilter, new Object[]{createBindPrincipal, str});
        } catch (IncorrectResultSizeDataAccessException e) {
            if (e.getActualSize() != 0) {
                throw e;
            }
            throw badCredentials(new UsernameNotFoundException("User " + str + " not found in directory.", e));
        }
    }

    private String searchRootFromPrincipal(String str) {
        int lastIndexOf = str.lastIndexOf(64);
        if (lastIndexOf >= 0) {
            return rootDnFromDomain(str.substring(lastIndexOf + 1, str.length()));
        }
        this.logger.debug("User principal '" + str + "' does not contain the domain, and no domain has been configured");
        throw badCredentials();
    }

    private String rootDnFromDomain(String str) {
        String[] strArr = StringUtils.tokenizeToStringArray(str, ".");
        StringBuilder sb = new StringBuilder();
        for (String str2 : strArr) {
            if (sb.length() > 0) {
                sb.append(',');
            }
            sb.append("dc=").append(str2);
        }
        return sb.toString();
    }

    String createBindPrincipal(String str) {
        return (this.domain == null || str.toLowerCase().endsWith(this.domain)) ? str : str + "@" + this.domain;
    }

    public void setConvertSubErrorCodesToExceptions(boolean z) {
        this.convertSubErrorCodesToExceptions = z;
    }

    public void setSearchFilter(String str) {
        Assert.hasText(str, "searchFilter must have text");
        this.searchFilter = str;
    }
}
