package org.opends.server.extensions;

import java.security.cert.Certificate;
import java.util.Iterator;
import java.util.List;
import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.i18n.slf4j.LocalizedLogger;
import org.forgerock.opendj.config.Configuration;
import org.forgerock.opendj.config.server.ConfigChangeResult;
import org.forgerock.opendj.config.server.ConfigException;
import org.forgerock.opendj.config.server.ConfigurationChangeListener;
import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.ResultCode;
import org.forgerock.opendj.ldap.schema.AttributeType;
import org.forgerock.opendj.reactive.LDAPClientConnection2;
import org.forgerock.opendj.server.config.meta.ExternalSASLMechanismHandlerCfgDefn;
import org.forgerock.opendj.server.config.server.ExternalSASLMechanismHandlerCfg;
import org.forgerock.opendj.server.config.server.SASLMechanismHandlerCfg;
import org.opends.messages.ExtensionMessages;
import org.opends.server.api.ClientConnection;
import org.opends.server.api.SASLMechanismHandler;
import org.opends.server.config.ConfigConstants;
import org.opends.server.core.BindOperation;
import org.opends.server.core.DirectoryServer;
import org.opends.server.types.Attribute;
import org.opends.server.types.AuthenticationInfo;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
import org.opends.server.types.InitializationException;
import org.opends.server.util.ServerConstants;
import org.opends.server.util.StaticUtils;

/* loaded from: input_file:org/opends/server/extensions/ExternalSASLMechanismHandler.class */
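/**
 * SASL mechanism handler for the EXTERNAL mechanism.
 *
 * <p>An EXTERNAL bind carries no credentials of its own: the client is
 * identified solely by the certificate chain it presented during the TLS
 * handshake. The leaf certificate is mapped to a user entry by the
 * configured certificate mapper, and then, depending on the configured
 * {@link CertificateValidationPolicy}, the presented certificate is also
 * required to appear in the entry's certificate attribute:
 * <ul>
 *   <li>{@code ALWAYS} - the entry must hold a value equal to the presented
 *       certificate; an entry without the attribute is rejected;</li>
 *   <li>{@code IFPRESENT} - the presented certificate must match only when
 *       the entry has the attribute at all;</li>
 *   <li>{@code NEVER} - the mapper's answer is accepted as is.</li>
 * </ul>
 *
 * <p>Every failure on the validation path (no connection, no certificate,
 * no mapping, mismatch, or an error while comparing) is reported to the
 * client as {@code INVALID_CREDENTIALS}; the handler fails closed.
 *
 * <p>Decompiler artifacts (the synthetic switch-map class and the bridge
 * method) have been replaced by a direct {@code switch} on the configuration
 * enum and by the generic interface implementation the compiler bridges
 * itself.
 */
public class ExternalSASLMechanismHandler
        extends SASLMechanismHandler<ExternalSASLMechanismHandlerCfg>
        implements ConfigurationChangeListener<ExternalSASLMechanismHandlerCfg> {
    private static final LocalizedLogger logger = LocalizedLogger.getLoggerForThisClass();

    /** Attribute of the mapped entry that may have to hold the client's certificate. */
    private AttributeType certificateAttributeType;
    /** Whether, and when, the presented certificate is compared with that attribute. */
    private CertificateValidationPolicy validationPolicy;
    /** Configuration currently in effect; replaced wholesale on change. */
    private ExternalSASLMechanismHandlerCfg currentConfig;

    /**
     * Registers this handler for the EXTERNAL mechanism and caches the
     * configuration it will apply to binds.
     *
     * @param externalSASLMechanismHandlerCfg the handler configuration
     * @throws ConfigException never thrown here; declared by the API
     * @throws InitializationException never thrown here; declared by the API
     */
    @Override
    public void initializeSASLMechanismHandler(ExternalSASLMechanismHandlerCfg externalSASLMechanismHandlerCfg)
            throws ConfigException, InitializationException {
        externalSASLMechanismHandlerCfg.addExternalChangeListener(this);
        this.currentConfig = externalSASLMechanismHandlerCfg;
        this.validationPolicy = toCertificateValidationPolicy(externalSASLMechanismHandlerCfg);
        this.certificateAttributeType = resolveCertificateAttribute(externalSASLMechanismHandlerCfg);
        DirectoryServer.registerSASLMechanismHandler(ServerConstants.SASL_MECHANISM_EXTERNAL, this);
    }

    /**
     * Returns the configured certificate attribute, or the server-wide default
     * ({@code ConfigConstants.DEFAULT_VALIDATION_CERT_ATTRIBUTE}) when none is
     * configured.
     *
     * @param cfg the handler configuration
     * @return the attribute type to look up in the mapped entry
     */
    private static AttributeType resolveCertificateAttribute(ExternalSASLMechanismHandlerCfg cfg) {
        AttributeType configured = cfg.getCertificateAttribute();
        if (configured != null) {
            return configured;
        }
        return DirectoryServer.getInstance().getServerContext().getSchema()
                .getAttributeType(ConfigConstants.DEFAULT_VALIDATION_CERT_ATTRIBUTE);
    }

    /**
     * Translates the configuration-level validation policy into the
     * server-level one.
     *
     * @param cfg the handler configuration
     * @return the matching {@link CertificateValidationPolicy}; any value other
     *         than {@code NEVER} or {@code IFPRESENT} maps to {@code ALWAYS}
     */
    private static CertificateValidationPolicy toCertificateValidationPolicy(ExternalSASLMechanismHandlerCfg cfg) {
        switch (cfg.getCertificateValidationPolicy()) {
            case NEVER:
                return CertificateValidationPolicy.NEVER;
            case IFPRESENT:
                return CertificateValidationPolicy.IFPRESENT;
            default:
                // ALWAYS, and the strictest choice for any value this build does not know.
                return CertificateValidationPolicy.ALWAYS;
        }
    }

    /** Unregisters the handler and stops listening for configuration changes. */
    @Override
    public void finalizeSASLMechanismHandler() {
        this.currentConfig.removeExternalChangeListener(this);
        DirectoryServer.deregisterSASLMechanismHandler(ServerConstants.SASL_MECHANISM_EXTERNAL);
    }

    /**
     * Authenticates an EXTERNAL bind from the client's TLS certificate chain.
     *
     * <p>On success the operation's authentication info is set to the mapped
     * entry and the result code to {@code SUCCESS}; on any failure the result
     * code is {@code INVALID_CREDENTIALS} and the auth-failure reason names the
     * cause. A {@link DirectoryException} raised by the mapper is copied into
     * the operation's response data instead.
     *
     * @param bindOperation the bind operation to process
     */
    @Override
    public void processSASLBind(BindOperation bindOperation) {
        // Snapshot the configuration so that one bind is evaluated against a
        // single set of values even if applyConfigurationChange runs concurrently.
        ExternalSASLMechanismHandlerCfg cfg = this.currentConfig;
        AttributeType certAttribute = this.certificateAttributeType;
        CertificateValidationPolicy policy = this.validationPolicy;

        ClientConnection clientConnection = bindOperation.getClientConnection();
        if (clientConnection == null) {
            rejectBind(bindOperation, ExtensionMessages.ERR_SASLEXTERNAL_NO_CLIENT_CONNECTION.get());
            return;
        }
        if (!(clientConnection instanceof LDAPClientConnection2)) {
            rejectBind(bindOperation, ExtensionMessages.ERR_SASLEXTERNAL_NOT_LDAP_CLIENT_INSTANCE.get());
            return;
        }
        // The only evidence of identity is what the TLS layer recorded for this
        // connection; nothing in the bind request itself is consulted.
        Certificate[] chain = ((LDAPClientConnection2) clientConnection).getClientCertificateChain();
        if (chain == null || chain.length == 0) {
            rejectBind(bindOperation, ExtensionMessages.ERR_SASLEXTERNAL_NO_CLIENT_CERT.get());
            return;
        }

        try {
            Entry userEntry = DirectoryServer.getCertificateMapper(cfg.getCertificateMapperDN())
                    .mapCertificateToUser(chain);
            if (userEntry == null) {
                rejectBind(bindOperation, ExtensionMessages.ERR_SASLEXTERNAL_NO_MAPPING.get());
                return;
            }
            bindOperation.setSASLAuthUserEntry(userEntry);

            // Only the leaf certificate (index 0) is compared with the entry; the
            // rest of the chain is not re-checked here.
            if (!satisfiesValidationPolicy(bindOperation, policy, userEntry, certAttribute, chain[0])) {
                return; // failure code and reason already recorded on the operation
            }

            bindOperation.setAuthenticationInfo(new AuthenticationInfo(userEntry,
                    ServerConstants.SASL_MECHANISM_EXTERNAL, DirectoryServer.isRootDN(userEntry.getName())));
            bindOperation.setResultCode(ResultCode.SUCCESS);
        } catch (DirectoryException e) {
            logger.traceException(e);
            bindOperation.setResponseData(e);
        }
    }

    /**
     * Applies the certificate validation policy to a mapped entry.
     *
     * @param bindOperation   the bind being processed; receives the failure
     *                        code and reason when {@code false} is returned
     * @param policy          the policy in effect for this bind
     * @param userEntry       the entry the certificate mapper returned
     * @param certAttribute   the attribute expected to hold the certificate
     * @param peerCertificate the leaf certificate the client presented
     * @return {@code true} when the bind may proceed, {@code false} when it
     *         has been rejected
     */
    private boolean satisfiesValidationPolicy(BindOperation bindOperation, CertificateValidationPolicy policy,
            Entry userEntry, AttributeType certAttribute, Certificate peerCertificate) {
        List<Attribute> storedCerts = userEntry.getAllAttributes(certAttribute);
        switch (policy) {
            case ALWAYS:
                if (storedCerts.isEmpty()) {
                    rejectBind(bindOperation,
                            ExtensionMessages.ERR_SASLEXTERNAL_NO_CERT_IN_ENTRY.get(userEntry.getName()));
                    return false;
                }
                return peerCertificateMatchesEntry(bindOperation, userEntry, storedCerts, peerCertificate);
            case IFPRESENT:
                // An entry without the attribute is accepted on the mapper's word alone.
                return storedCerts.isEmpty()
                        || peerCertificateMatchesEntry(bindOperation, userEntry, storedCerts, peerCertificate);
            default:
                // NEVER: the mapping itself is sufficient.
                return true;
        }
    }

    /**
     * Checks that the presented certificate is one of the values stored in
     * the entry, recording a failure on the operation when it is not or when
     * the comparison cannot be carried out.
     *
     * @param bindOperation   the bind being processed
     * @param userEntry       the mapped entry (used for the failure message)
     * @param storedCerts     the entry's certificate attribute values
     * @param peerCertificate the leaf certificate the client presented
     * @return {@code true} on a match, {@code false} otherwise
     */
    private boolean peerCertificateMatchesEntry(BindOperation bindOperation, Entry userEntry,
            List<Attribute> storedCerts, Certificate peerCertificate) {
        try {
            if (findAttributeValue(storedCerts, ByteString.wrap(peerCertificate.getEncoded()))) {
                return true;
            }
            rejectBind(bindOperation,
                    ExtensionMessages.ERR_SASLEXTERNAL_PEER_CERT_NOT_FOUND.get(userEntry.getName()));
        } catch (Exception e) {
            // Deliberately broad: an encoding or matching error must deny the
            // bind rather than let it through or escape as a server error.
            logger.traceException(e);
            rejectBind(bindOperation, ExtensionMessages.ERR_SASLEXTERNAL_CANNOT_VALIDATE_CERT.get(
                    userEntry.getName(), StaticUtils.getExceptionMessage(e)));
        }
        return false;
    }

    /**
     * Marks the bind as failed with {@code INVALID_CREDENTIALS} and the given
     * reason.
     *
     * @param bindOperation the bind being processed
     * @param reason        the auth-failure reason to record
     */
    private static void rejectBind(BindOperation bindOperation, LocalizableMessage reason) {
        bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
        bindOperation.setAuthFailureReason(reason);
    }

    /**
     * Returns whether any of the attributes contains the given value
     * (using the attribute's own matching semantics).
     *
     * @param list       attributes to search
     * @param byteString value to look for
     * @return {@code true} if some attribute contains the value
     */
    private boolean findAttributeValue(List<Attribute> list, ByteString byteString) {
        for (Attribute attribute : list) {
            if (attribute.contains(byteString)) {
                return true;
            }
        }
        return false;
    }

    /** EXTERNAL never carries a password. */
    @Override
    public boolean isPasswordBased(String str) {
        return false;
    }

    /** EXTERNAL relies on the TLS-authenticated certificate, so it is considered secure. */
    @Override
    public boolean isSecure(String str) {
        return true;
    }

    /**
     * Delegates to the typed acceptability check.
     *
     * @param sASLMechanismHandlerCfg must be an {@link ExternalSASLMechanismHandlerCfg}
     * @param list                    receives rejection reasons, if any
     * @return whether the configuration is acceptable
     */
    @Override
    public boolean isConfigurationAcceptable(SASLMechanismHandlerCfg sASLMechanismHandlerCfg,
            List<LocalizableMessage> list) {
        return isConfigurationChangeAcceptable((ExternalSASLMechanismHandlerCfg) sASLMechanismHandlerCfg, list);
    }

    /** Every configuration is accepted; no validation is performed here. */
    @Override
    public boolean isConfigurationChangeAcceptable(ExternalSASLMechanismHandlerCfg externalSASLMechanismHandlerCfg,
            List<LocalizableMessage> list) {
        return true;
    }

    /**
     * Installs a new configuration.
     *
     * @param externalSASLMechanismHandlerCfg the new configuration
     * @return the change result (always a freshly created one; the new values
     *         are installed only while its result code reads {@code SUCCESS})
     */
    @Override
    public ConfigChangeResult applyConfigurationChange(
            ExternalSASLMechanismHandlerCfg externalSASLMechanismHandlerCfg) {
        ConfigChangeResult result = new ConfigChangeResult();
        CertificateValidationPolicy policy = toCertificateValidationPolicy(externalSASLMechanismHandlerCfg);
        AttributeType certAttribute = resolveCertificateAttribute(externalSASLMechanismHandlerCfg);
        if (result.getResultCode() == ResultCode.SUCCESS) {
            // NOTE(review): the three fields are neither volatile nor assigned
            // atomically, so a bind running concurrently may snapshot a mix of
            // old and new values; confirm whether the config framework serialises
            // this with bind processing.
            this.validationPolicy = policy;
            this.certificateAttributeType = certAttribute;
            this.currentConfig = externalSASLMechanismHandlerCfg;
        }
        return result;
    }
}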
