package org.forgerock.opendj.rest2ldap.servlet;

import java.io.IOException;
import java.io.InputStream;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.StringTokenizer;
import java.util.concurrent.atomic.AtomicReference;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.codehaus.jackson.JsonParser;
import org.codehaus.jackson.map.ObjectMapper;
import org.forgerock.json.fluent.JsonValue;
import org.forgerock.json.fluent.JsonValueException;
import org.forgerock.json.resource.ResourceException;
import org.forgerock.json.resource.servlet.ServletApiVersionAdapter;
import org.forgerock.json.resource.servlet.ServletSynchronizer;
import org.forgerock.opendj.ldap.AuthenticationException;
import org.forgerock.opendj.ldap.AuthorizationException;
import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.Connection;
import org.forgerock.opendj.ldap.ConnectionFactory;
import org.forgerock.opendj.ldap.Connections;
import org.forgerock.opendj.ldap.DN;
import org.forgerock.opendj.ldap.EntryNotFoundException;
import org.forgerock.opendj.ldap.LdapException;
import org.forgerock.opendj.ldap.MultipleEntriesFoundException;
import org.forgerock.opendj.ldap.ResultCode;
import org.forgerock.opendj.ldap.SearchScope;
import org.forgerock.opendj.ldap.requests.BindRequest;
import org.forgerock.opendj.ldap.requests.Requests;
import org.forgerock.opendj.ldap.requests.SearchRequest;
import org.forgerock.opendj.ldap.responses.BindResult;
import org.forgerock.opendj.ldap.responses.SearchResultEntry;
import org.forgerock.opendj.ldap.schema.Schema;
import org.forgerock.opendj.rest2ldap.Rest2LDAP;
import org.forgerock.util.AsyncFunction;
import org.forgerock.util.promise.ExceptionHandler;
import org.forgerock.util.promise.Promise;
import org.forgerock.util.promise.ResultHandler;

/* loaded from: input_file:org/forgerock/opendj/rest2ldap/servlet/Rest2LDAPAuthnFilter.class */
public final class Rest2LDAPAuthnFilter implements Filter {
    private static final String INIT_PARAM_CONFIG_FILE = "config-file";
    private static final ObjectMapper JSON_MAPPER = new ObjectMapper().configure(JsonParser.Feature.ALLOW_COMMENTS, true);
    private String altAuthenticationPasswordHeader;
    private String altAuthenticationUsernameHeader;
    private ConnectionFactory bindLDAPConnectionFactory;
    private boolean isEnabled;
    private String saslAuthzIdTemplate;
    private DN searchBaseDN;
    private String searchFilterTemplate;
    private ConnectionFactory searchLDAPConnectionFactory;
    private boolean supportAltAuthentication;
    private ServletApiVersionAdapter syncFactory;
    private AuthenticationMethod authenticationMethod = AuthenticationMethod.SEARCH_SIMPLE;
    private boolean reuseAuthenticatedConnection = true;
    private final Schema schema = Schema.getDefaultSchema();
    private SearchScope searchScope = SearchScope.WHOLE_SUBTREE;
    private boolean supportHTTPBasicAuthentication = true;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/forgerock/opendj/rest2ldap/servlet/Rest2LDAPAuthnFilter$AuthenticationMethod.class */
    public enum AuthenticationMethod {
        SASL_PLAIN,
        SEARCH_SIMPLE,
        SIMPLE
    }

    public void destroy() {
        if (this.searchLDAPConnectionFactory != null) {
            this.searchLDAPConnectionFactory.close();
        }
        if (this.bindLDAPConnectionFactory != null) {
            this.bindLDAPConnectionFactory.close();
        }
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException {
        String str;
        char[] charArray;
        String format;
        Map<String, Object> singletonMap;
        if (!this.isEnabled) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        if (!(servletRequest instanceof HttpServletRequest) || !(servletResponse instanceof HttpServletResponse)) {
            throw new ServletException("non-HTTP request or response");
        }
        final HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        final HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        final AtomicReference<Connection> atomicReference = new AtomicReference<>();
        final ServletSynchronizer createServletSynchronizer = this.syncFactory.createServletSynchronizer(httpServletRequest, httpServletResponse);
        createServletSynchronizer.addAsyncListener(new Runnable() { // from class: org.forgerock.opendj.rest2ldap.servlet.Rest2LDAPAuthnFilter.1
            @Override // java.lang.Runnable
            public void run() {
                Rest2LDAPAuthnFilter.this.closeConnection(atomicReference);
            }
        });
        try {
            try {
                String header = this.supportAltAuthentication ? httpServletRequest.getHeader(this.altAuthenticationUsernameHeader) : null;
                String header2 = this.supportAltAuthentication ? httpServletRequest.getHeader(this.altAuthenticationPasswordHeader) : null;
                String header3 = this.supportHTTPBasicAuthentication ? httpServletRequest.getHeader("Authorization") : null;
                if (header != null) {
                    if (header2 == null || header.isEmpty() || header2.isEmpty()) {
                        throw ResourceException.getException(401);
                    }
                    str = header;
                    charArray = header2.toCharArray();
                } else {
                    if (header3 == null) {
                        throw ResourceException.getException(401);
                    }
                    StringTokenizer stringTokenizer = new StringTokenizer(header3);
                    String nextToken = stringTokenizer.nextToken();
                    if (nextToken == null || !"BASIC".equalsIgnoreCase(nextToken)) {
                        throw ResourceException.getException(401);
                    }
                    String nextToken2 = stringTokenizer.nextToken();
                    if (nextToken2 == null) {
                        throw ResourceException.getException(401);
                    }
                    String[] split = ByteString.valueOfBase64(nextToken2).toString().split(":");
                    if (split.length != 2) {
                        throw ResourceException.getException(401);
                    }
                    str = split[0];
                    charArray = split[1].toCharArray();
                }
                switch (this.authenticationMethod) {
                    case SIMPLE:
                        LinkedHashMap linkedHashMap = new LinkedHashMap(2);
                        linkedHashMap.put("dn", str);
                        linkedHashMap.put("id", str);
                        doBind(httpServletRequest, httpServletResponse, Requests.newSimpleBindRequest(str, charArray), filterChain, atomicReference, createServletSynchronizer, str, linkedHashMap);
                        break;
                    case SASL_PLAIN:
                        if (this.saslAuthzIdTemplate.startsWith("dn:")) {
                            String dn = DN.format(this.saslAuthzIdTemplate.substring(3), this.schema, new Object[]{str}).toString();
                            format = "dn:" + dn;
                            LinkedHashMap linkedHashMap2 = new LinkedHashMap(2);
                            linkedHashMap2.put("dn", dn);
                            linkedHashMap2.put("id", str);
                            singletonMap = linkedHashMap2;
                        } else {
                            format = String.format(this.saslAuthzIdTemplate, str);
                            singletonMap = Collections.singletonMap("id", str);
                        }
                        doBind(httpServletRequest, httpServletResponse, Requests.newPlainSASLBindRequest(format, charArray), filterChain, atomicReference, createServletSynchronizer, str, singletonMap);
                        break;
                    default:
                        final SearchRequest newSearchRequest = Requests.newSearchRequest(this.searchBaseDN, this.searchScope, org.forgerock.opendj.ldap.Filter.format(this.searchFilterTemplate, new Object[]{str}), new String[]{"1.1"});
                        final String str2 = str;
                        final char[] cArr = charArray;
                        this.searchLDAPConnectionFactory.getConnectionAsync().thenAsync(new AsyncFunction<Connection, SearchResultEntry, LdapException>() { // from class: org.forgerock.opendj.rest2ldap.servlet.Rest2LDAPAuthnFilter.4
                            /* renamed from: apply, reason: merged with bridge method [inline-methods] */
                            public Promise<SearchResultEntry, LdapException> m1apply(Connection connection) throws LdapException {
                                atomicReference.set(connection);
                                return connection.searchSingleEntryAsync(newSearchRequest);
                            }
                        }).thenOnResult(new ResultHandler<SearchResultEntry>() { // from class: org.forgerock.opendj.rest2ldap.servlet.Rest2LDAPAuthnFilter.3
                            public void handleResult(SearchResultEntry searchResultEntry) {
                                ((Connection) atomicReference.get()).close();
                                String dn2 = searchResultEntry.getName().toString();
                                LinkedHashMap linkedHashMap3 = new LinkedHashMap(2);
                                linkedHashMap3.put("dn", dn2);
                                linkedHashMap3.put("id", str2);
                                Rest2LDAPAuthnFilter.this.doBind(httpServletRequest, httpServletResponse, Requests.newSimpleBindRequest(dn2, cArr), filterChain, atomicReference, createServletSynchronizer, str2, linkedHashMap3);
                            }
                        }).thenOnException(new ExceptionHandler<LdapException>() { // from class: org.forgerock.opendj.rest2ldap.servlet.Rest2LDAPAuthnFilter.2
                            public void handleException(LdapException ldapException) {
                                LdapException ldapException2 = ldapException;
                                if (atomicReference.get() != null) {
                                    ((Connection) atomicReference.get()).close();
                                    ldapException2 = ((ldapException instanceof EntryNotFoundException) || (ldapException instanceof MultipleEntriesFoundException)) ? LdapException.newLdapException(ResultCode.INVALID_CREDENTIALS, ldapException) : ((ldapException instanceof AuthenticationException) || (ldapException instanceof AuthorizationException)) ? LdapException.newLdapException(ResultCode.CLIENT_SIDE_LOCAL_ERROR, ldapException) : ldapException;
                                }
                                createServletSynchronizer.signalAndComplete(Rest2LDAP.asResourceException(ldapException2));
                            }
                        });
                        break;
                }
                createServletSynchronizer.awaitIfNeeded();
                if (!createServletSynchronizer.isAsync()) {
                    filterChain.doFilter(servletRequest, servletResponse);
                }
                if (createServletSynchronizer.isAsync()) {
                    return;
                }
                closeConnection(atomicReference);
            } catch (Throwable th) {
                createServletSynchronizer.signalAndComplete(th);
                if (createServletSynchronizer.isAsync()) {
                    return;
                }
                closeConnection(atomicReference);
            }
        } catch (Throwable th2) {
            if (!createServletSynchronizer.isAsync()) {
                closeConnection(atomicReference);
            }
            throw th2;
        }
    }

    public void init(FilterConfig filterConfig) throws ServletException {
        String initParameter = filterConfig.getInitParameter(INIT_PARAM_CONFIG_FILE);
        if (initParameter == null) {
            throw new ServletException("Authentication filter initialization parameter 'config-file' not specified");
        }
        InputStream resourceAsStream = filterConfig.getServletContext().getResourceAsStream(initParameter);
        try {
            if (resourceAsStream == null) {
                throw new ServletException("Servlet filter configuration file '" + initParameter + "' not found");
            }
            try {
                Object readValue = JSON_MAPPER.readValue(resourceAsStream, Object.class);
                if (!(readValue instanceof Map)) {
                    throw new ServletException("Servlet filter configuration file '" + initParameter + "' does not contain a valid JSON configuration");
                }
                JsonValue jsonValue = new JsonValue(readValue);
                JsonValue jsonValue2 = jsonValue.get("authenticationFilter");
                if (!jsonValue2.isNull()) {
                    this.supportHTTPBasicAuthentication = jsonValue2.get("supportHTTPBasicAuthentication").required().asBoolean().booleanValue();
                    this.supportAltAuthentication = jsonValue2.get("supportAltAuthentication").required().asBoolean().booleanValue();
                    if (this.supportAltAuthentication) {
                        this.altAuthenticationUsernameHeader = jsonValue2.get("altAuthenticationUsernameHeader").required().asString();
                        this.altAuthenticationPasswordHeader = jsonValue2.get("altAuthenticationPasswordHeader").required().asString();
                    }
                    this.reuseAuthenticatedConnection = jsonValue2.get("reuseAuthenticatedConnection").required().asBoolean().booleanValue();
                    this.authenticationMethod = parseAuthenticationMethod(jsonValue2);
                    switch (this.authenticationMethod) {
                        case SASL_PLAIN:
                            this.saslAuthzIdTemplate = jsonValue2.get("saslAuthzIdTemplate").required().asString();
                            break;
                        case SEARCH_SIMPLE:
                            this.searchBaseDN = DN.valueOf(jsonValue2.get("searchBaseDN").required().asString(), this.schema);
                            this.searchScope = parseSearchScope(jsonValue2);
                            this.searchFilterTemplate = jsonValue2.get("searchFilterTemplate").required().asString();
                            this.searchLDAPConnectionFactory = Rest2LDAP.configureConnectionFactory(jsonValue.get("ldapConnectionFactories").required(), jsonValue2.get("searchLDAPConnectionFactory").required().asString());
                            break;
                    }
                    this.bindLDAPConnectionFactory = Rest2LDAP.configureConnectionFactory(jsonValue.get("ldapConnectionFactories").required(), jsonValue2.get("bindLDAPConnectionFactory").required().asString());
                    this.syncFactory = ServletApiVersionAdapter.getInstance(filterConfig.getServletContext());
                    this.isEnabled = true;
                }
            } catch (Exception e) {
                throw new ServletException("Servlet filter configuration file '" + initParameter + "' could not be read: " + e.getMessage());
            } catch (ServletException e2) {
                throw e2;
            }
        } finally {
            try {
                resourceAsStream.close();
            } catch (Exception e3) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void closeConnection(AtomicReference<Connection> atomicReference) {
        Connection connection = atomicReference.get();
        if (connection != null) {
            connection.close();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void doBind(final HttpServletRequest httpServletRequest, final ServletResponse servletResponse, final BindRequest bindRequest, final FilterChain filterChain, final AtomicReference<Connection> atomicReference, final ServletSynchronizer servletSynchronizer, final String str, final Map<String, Object> map) {
        this.bindLDAPConnectionFactory.getConnectionAsync().thenAsync(new AsyncFunction<Connection, BindResult, LdapException>() { // from class: org.forgerock.opendj.rest2ldap.servlet.Rest2LDAPAuthnFilter.7
            /* renamed from: apply, reason: merged with bridge method [inline-methods] */
            public Promise<BindResult, LdapException> m2apply(Connection connection) throws LdapException {
                atomicReference.set(connection);
                return connection.bindAsync(bindRequest);
            }
        }).thenOnResult(new ResultHandler<BindResult>() { // from class: org.forgerock.opendj.rest2ldap.servlet.Rest2LDAPAuthnFilter.6
            public void handleResult(BindResult bindResult) {
                if (Rest2LDAPAuthnFilter.this.reuseAuthenticatedConnection) {
                    httpServletRequest.setAttribute(Rest2LDAPContextFactory.ATTRIBUTE_AUTHN_CONNECTION, Connections.uncloseable((Connection) atomicReference.get()));
                }
                httpServletRequest.setAttribute("org.forgerock.authentication.principal", str);
                httpServletRequest.setAttribute("org.forgerock.authentication.context", map);
                servletSynchronizer.signal();
                if (servletSynchronizer.isAsync()) {
                    try {
                        filterChain.doFilter(httpServletRequest, servletResponse);
                        if (servletResponse.isCommitted()) {
                            servletSynchronizer.signalAndComplete();
                        }
                    } catch (Throwable th) {
                        servletSynchronizer.signalAndComplete(Rest2LDAP.asResourceException(th));
                    }
                }
            }
        }).thenOnException(new ExceptionHandler<LdapException>() { // from class: org.forgerock.opendj.rest2ldap.servlet.Rest2LDAPAuthnFilter.5
            public void handleException(LdapException ldapException) {
                servletSynchronizer.signalAndComplete(Rest2LDAP.asResourceException(ldapException));
            }
        });
    }

    private AuthenticationMethod parseAuthenticationMethod(JsonValue jsonValue) {
        if (!jsonValue.isDefined("method")) {
            return AuthenticationMethod.SEARCH_SIMPLE;
        }
        String asString = jsonValue.get("method").asString();
        if ("simple".equalsIgnoreCase(asString)) {
            return AuthenticationMethod.SIMPLE;
        }
        if ("sasl-plain".equalsIgnoreCase(asString)) {
            return AuthenticationMethod.SASL_PLAIN;
        }
        if ("search-simple".equalsIgnoreCase(asString)) {
            return AuthenticationMethod.SEARCH_SIMPLE;
        }
        throw new JsonValueException(jsonValue, "Illegal authentication method: must be either 'simple', 'sasl-plain', or 'search-simple'");
    }

    private SearchScope parseSearchScope(JsonValue jsonValue) {
        if (!jsonValue.isDefined("searchScope")) {
            return SearchScope.WHOLE_SUBTREE;
        }
        String asString = jsonValue.get("searchScope").asString();
        if ("sub".equalsIgnoreCase(asString)) {
            return SearchScope.WHOLE_SUBTREE;
        }
        if ("one".equalsIgnoreCase(asString)) {
            return SearchScope.SINGLE_LEVEL;
        }
        throw new JsonValueException(jsonValue, "Illegal search scope: must be either 'sub' or 'one'");
    }
}
