package com.xpn.xwiki.user.impl.LDAP;

import com.novell.ldap.LDAPException;
import com.xpn.xwiki.XWikiContext;
import com.xpn.xwiki.XWikiException;
import com.xpn.xwiki.doc.XWikiDocument;
import com.xpn.xwiki.plugin.ldap.XWikiLDAPConfig;
import com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection;
import com.xpn.xwiki.plugin.ldap.XWikiLDAPSearchAttribute;
import com.xpn.xwiki.plugin.ldap.XWikiLDAPUtils;
import com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl;
import java.io.UnsupportedEncodingException;
import java.security.Principal;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.securityfilter.realm.SimplePrincipal;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/xwiki-platform-legacy-oldcore-4.4.1.jar:com/xpn/xwiki/user/impl/LDAP/XWikiLDAPAuthServiceImpl.class
 */
/* loaded from: input_file:WEB-INF/lib/xwiki-platform-oldcore-4.4.1.jar:com/xpn/xwiki/user/impl/LDAP/XWikiLDAPAuthServiceImpl.class */
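/**
 * Authentication service that validates a login against an LDAP directory and, when the
 * {@code ldap_trylocal} parameter is set to {@code 1}, falls back to the XWiki user database.
 *
 * <p>Flow of {@link #authenticate(String, String, XWikiContext)} as implemented below:
 * reject null/empty logins and blank passwords, handle the super admin account locally, try LDAP
 * in the current wiki and then in the main wiki, and finally try the XWiki database if allowed.
 *
 * <p>Parameter names such as {@code str}/{@code str2} are kept as they appear in this
 * (decompiled) listing; their roles are documented on each method.
 */
public class XWikiLDAPAuthServiceImpl extends XWikiAuthServiceImpl {
    /** Space that holds user profile documents. */
    private static final String XWIKI_USER_SPACE = "XWiki";

    /** Separator between a space name and a document name. */
    private static final String XWIKI_SPACE_NAME_SEP = ".";

    /** LDAP attribute used as user id when {@code XWikiLDAPConfig.PREF_LDAP_UID} is not configured. */
    private static final String LDAP_DEFAULT_UID = "cn";

    private static final Logger LOGGER = LoggerFactory.getLogger(XWikiLDAPAuthServiceImpl.class);

    /**
     * Authenticates a user, first against LDAP and then (optionally) against the XWiki database.
     *
     * @param str the login typed by the user; {@code null} is treated as "not logged in"
     * @param str2 the password typed by the user
     * @param xWikiContext the current XWiki context; receives a {@code "message"} entry
     *     ({@code "nousername"} or {@code "nopassword"}) when the input is rejected up front
     * @return the authenticated principal, or {@code null} when authentication failed or was not
     *     attempted
     * @throws XWikiException if the super admin or XWiki database authentication fails with an error
     */
    @Override
    public Principal authenticate(String str, String str2, XWikiContext xWikiContext) throws XWikiException {
        LOGGER.trace("Starting LDAP authentication");

        if (str == null) {
            LOGGER.debug("The provided user is null. We don't try to authenticate, it probably means the user is in non logged mode.");
            return null;
        }
        if (str.isEmpty()) {
            xWikiContext.put("message", "nousername");
            LOGGER.debug("LDAP authentication failed: login empty");
            return null;
        }
        // A blank password must never reach the directory: a bind carrying a DN and an empty
        // password is an "unauthenticated bind" (RFC 4513) and succeeds on servers that allow it.
        if (str2 == null || str2.trim().isEmpty()) {
            xWikiContext.put("message", "nopassword");
            LOGGER.debug("LDAP authentication failed: password null or empty");
            return null;
        }

        // The super admin account is checked by the parent class and is never looked up in LDAP.
        if (isSuperAdmin(str)) {
            return authenticateSuperAdmin(str2, xWikiContext);
        }

        Principal principal = ldapAuthenticate(str, str2, xWikiContext);
        if (principal == null) {
            // Only consults the XWiki database when ldap_trylocal is enabled.
            principal = xwikiAuthenticate(str, str2, xWikiContext);
        }

        // The login is user-supplied and is written to the log verbatim, at debug level only.
        if (LOGGER.isDebugEnabled()) {
            if (principal != null) {
                LOGGER.debug("LDAP authentication succeed with principal [" + principal.getName() + "]");
            } else {
                LOGGER.debug("LDAP authentication failed for user [" + str + "]");
            }
        }
        return principal;
    }

    /**
     * Derives the XWiki user name from an LDAP uid by removing every dot.
     *
     * <p>NOTE(review): two uids that differ only by dots (for example {@code john.doe} and
     * {@code johndoe}) yield the same XWiki name; confirm that the profile lookup also matches on
     * the stored LDAP uid.
     *
     * @param str the LDAP uid
     * @return {@code str} without any {@code .} character
     */
    protected String getValidXWikiUserName(String str) {
        return str.replace(XWIKI_SPACE_NAME_SEP, "");
    }

    /**
     * Tries LDAP authentication in the current wiki and, if that fails on a sub wiki, in the main
     * wiki.
     *
     * <p>Any exception raised by an attempt is logged at debug level and treated as a failed
     * attempt, so that the caller can move on to the next authentication source.
     *
     * @param str the login typed by the user, optionally carrying the {@code XWiki.} prefix
     * @param str2 the password typed by the user
     * @param xWikiContext the current XWiki context; its database is switched to the main wiki for
     *     the second attempt and always restored afterwards
     * @return the authenticated principal, or {@code null} if both attempts failed
     */
    protected Principal ldapAuthenticate(String str, String str2, XWikiContext xWikiContext) {
        // Reduce "XWiki.<name>" (and anything in front of it) to the bare LDAP uid.
        final String userSpacePrefix = XWIKI_USER_SPACE + XWIKI_SPACE_NAME_SEP;
        String ldapUid = str;
        int prefixStart = str.indexOf(userSpacePrefix);
        if (prefixStart != -1) {
            // Skip the whole prefix: advancing by a single character would leave "Wiki.<name>",
            // which is not the uid the user meant.
            ldapUid = str.substring(prefixStart + userSpacePrefix.length());
        }
        String validXWikiUserName = getValidXWikiUserName(ldapUid);

        Principal principal = null;
        try {
            principal = ldapAuthenticateInContext(ldapUid, validXWikiUserName, str2, xWikiContext, true);
        } catch (Exception e) {
            // Deliberate best effort: a failure here must not prevent the next attempt.
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("Local LDAP authentication failed.", e);
            }
        }

        if (principal == null && !xWikiContext.isMainWiki()) {
            String currentDatabase = xWikiContext.getDatabase();
            try {
                xWikiContext.setDatabase(xWikiContext.getMainXWiki());
                try {
                    principal = ldapAuthenticateInContext(ldapUid, validXWikiUserName, str2, xWikiContext, false);
                } catch (Exception e) {
                    if (LOGGER.isDebugEnabled()) {
                        LOGGER.debug("Global LDAP authentication failed.", e);
                    }
                }
            } finally {
                // Never leave the request pointing at the main wiki.
                xWikiContext.setDatabase(currentDatabase);
            }
        }
        return principal;
    }

    /**
     * Authenticates against the XWiki user database when {@code ldap_trylocal} is {@code 1}.
     *
     * <p>With this option enabled, an account that LDAP rejects can still log in with a password
     * stored in XWiki; that is a configuration decision to review when LDAP is meant to be the
     * only source of truth.
     *
     * @param str the login typed by the user
     * @param str2 the password typed by the user
     * @param xWikiContext the current XWiki context
     * @return the authenticated principal, or {@code null} if the fallback is disabled or failed
     * @throws XWikiException if the parent authentication service fails
     */
    protected Principal xwikiAuthenticate(String str, String str2, XWikiContext xWikiContext) throws XWikiException {
        boolean tryLocal = "1".equals(XWikiLDAPConfig.getInstance().getLDAPParam("ldap_trylocal", "0", xWikiContext));
        if (!tryLocal) {
            return null;
        }
        LOGGER.debug("Trying authentication against XWiki DB");
        return super.authenticate(str, str2, xWikiContext);
    }

    /**
     * Same as {@link #ldapAuthenticateInContext(String, String, String, XWikiContext, boolean)}
     * with the last argument set to {@code false}.
     *
     * @param str the LDAP uid
     * @param str2 the XWiki user name derived from the uid
     * @param str3 the password typed by the user
     * @param xWikiContext the current XWiki context
     * @return the authenticated principal, or {@code null} if LDAP is disabled
     * @throws XWikiException if the bind, the group checks or the password validation fail
     * @throws UnsupportedEncodingException propagated from the LDAP connection
     * @throws LDAPException propagated from the LDAP connection
     */
    protected Principal ldapAuthenticateInContext(String str, String str2, String str3, XWikiContext xWikiContext) throws XWikiException, UnsupportedEncodingException, LDAPException {
        return ldapAuthenticateInContext(str, str2, str3, xWikiContext, false);
    }

    /**
     * Authenticates one user against LDAP in the wiki currently selected in the context, then
     * synchronizes the user profile and group membership.
     *
     * <p>This method does not itself reject blank passwords; within this class that check is done
     * by {@link #authenticate(String, String, XWikiContext)} before this method is reached.
     *
     * <p>NOTE(review): the connection opened here is not closed anywhere in this method; confirm
     * whether {@code XWikiLDAPConnection} releases it elsewhere.
     *
     * @param str the LDAP uid
     * @param str2 the XWiki user name derived from the uid
     * @param str3 the password typed by the user
     * @param xWikiContext the current XWiki context
     * @param z {@code true} to return a principal named after the profile's full name only,
     *     {@code false} to prefix it with the context database and {@code :}
     * @return the authenticated principal, or {@code null} if LDAP is disabled
     * @throws XWikiException if the bind fails, a group constraint is violated, the user DN cannot
     *     be found or the password comparison fails
     * @throws UnsupportedEncodingException propagated from the LDAP connection
     * @throws LDAPException propagated from the LDAP connection
     */
    protected Principal ldapAuthenticateInContext(String str, String str2, String str3, XWikiContext xWikiContext, boolean z) throws XWikiException, UnsupportedEncodingException, LDAPException {
        // Readable aliases for the positional parameters (roles documented above).
        final String ldapUid = str;
        final String validXWikiUserName = str2;
        final String password = str3;

        XWikiLDAPConfig config = XWikiLDAPConfig.getInstance();
        XWikiLDAPConnection connection = new XWikiLDAPConnection();
        XWikiLDAPUtils ldapUtils = new XWikiLDAPUtils(connection);
        ldapUtils.setUidAttributeName(config.getLDAPParam(XWikiLDAPConfig.PREF_LDAP_UID, LDAP_DEFAULT_UID, xWikiContext));
        ldapUtils.setGroupClasses(config.getGroupClasses(xWikiContext));
        ldapUtils.setGroupMemberFields(config.getGroupMemberFields(xWikiContext));
        ldapUtils.setBaseDN(config.getLDAPParam("ldap_base_DN", "", xWikiContext));
        // NOTE(review): the uid typed at the login form is substituted into this search filter;
        // confirm that XWikiLDAPUtils escapes it for LDAP filter syntax.
        ldapUtils.setUserSearchFormatString(config.getLDAPParam("ldap_user_search_fmt", "({0}={1})", xWikiContext));

        if (!config.isLDAPEnabled(xWikiContext)) {
            LOGGER.debug("LDAP authentication failed: LDAP not activ");
            return null;
        }

        // The literal 8 is presumably the "user" module code of XWikiException (TODO confirm).
        if (!connection.open(ldapUid, password, xWikiContext)) {
            throw new XWikiException(8, XWikiException.ERROR_XWIKI_USER_INIT, "Bind to LDAP server failed.");
        }

        XWikiDocument userProfile = ldapUtils.getUserProfileByUid(validXWikiUserName, ldapUid, xWikiContext);

        // Membership of the required group, when one is configured. A successful check also
        // yields the user DN.
        String ldapDn = null;
        String userGroupDn = config.getLDAPParam("ldap_user_group", "", xWikiContext);
        if (!userGroupDn.isEmpty()) {
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("Checking if the user belongs to the user group: " + userGroupDn);
            }
            ldapDn = ldapUtils.isUidInGroup(ldapUid, userGroupDn, xWikiContext);
            if (ldapDn == null) {
                throw new XWikiException(8, XWikiException.ERROR_XWIKI_USER_INIT, "LDAP user {0} does not belong to LDAP group {1}.", null, new Object[]{ldapUid, userGroupDn});
            }
        }

        // Membership of the exclusion group denies access.
        String excludeGroupDn = config.getLDAPParam("ldap_exclude_group", "", xWikiContext);
        if (!excludeGroupDn.isEmpty()) {
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("Checking if the user does not belongs to the exclude group: " + excludeGroupDn);
            }
            if (ldapUtils.isUidInGroup(ldapUid, excludeGroupDn, xWikiContext) != null) {
                // Report the exclusion group, not the required group, so that the denial can be
                // traced to the right configuration entry.
                throw new XWikiException(8, XWikiException.ERROR_XWIKI_USER_INIT, "LDAP user {0} should not belong to LDAP group {1}.", null, new Object[]{ldapUid, excludeGroupDn});
            }
        }

        // Without a required-group check the DN is still unknown: look it up among the user's
        // attributes.
        List<XWikiLDAPSearchAttribute> searchAttributes = null;
        if (ldapDn == null) {
            searchAttributes = ldapUtils.searchUserAttributesByUid(ldapUid, ldapUtils.getAttributeNameTable(xWikiContext));
            if (searchAttributes != null) {
                for (XWikiLDAPSearchAttribute attribute : searchAttributes) {
                    if (LDAPProfileXClass.LDAP_XFIELD_DN.equals(attribute.name)) {
                        ldapDn = attribute.value;
                        break;
                    }
                }
            }
        }
        if (ldapDn == null) {
            throw new XWikiException(8, XWikiException.ERROR_XWIKI_USER_INIT, "Can't find LDAP user DN for [" + ldapUid + "]");
        }

        if ("1".equals(config.getLDAPParam("ldap_validate_password", "0", xWikiContext))) {
            // Compare the password with the configured attribute instead of binding as the user.
            String passwordField = config.getLDAPParam("ldap_password_field", "userPassword", xWikiContext);
            if (!connection.checkPassword(ldapDn, password, passwordField)) {
                LOGGER.debug("Password comparison failed, are you really sure you need validate_password ? If you don't enable it, it does not mean user credentials are not validated. The goal of this property is to bypass standard LDAP bind which is usually bad unless you really know what you do.");
                throw new XWikiException(8, XWikiException.ERROR_XWIKI_USER_INIT, "LDAP authentication failed: could not validate the password: wrong password for " + ldapDn);
            }
        } else {
            String configuredBindDn = config.getLDAPBindDN(xWikiContext);
            String effectiveBindDn = config.getLDAPBindDN(ldapUid, password, xWikiContext);
            // Identical values presumably mean the bind DN holds no user placeholder, i.e. the
            // connection was opened with a fixed account and the user's password has not been
            // verified yet (TODO confirm against XWikiLDAPConfig).
            if (configuredBindDn.equals(effectiveBindDn)) {
                // Verify the credentials by binding as the user. No return value is inspected, so
                // this relies on bind() raising on rejected credentials (confirm against
                // XWikiLDAPConnection).
                connection.bind(ldapDn, password);
                // Switch back to the configured account for the synchronization below.
                connection.bind(effectiveBindDn, config.getLDAPBindPassword(ldapUid, password, xWikiContext));
            }
        }

        // Must be read before syncUser(), which is handed the same document.
        boolean isNewUser = userProfile.isNew();
        syncUser(userProfile, searchAttributes, ldapDn, ldapUid, ldapUtils, xWikiContext);

        Principal principal;
        if (z) {
            principal = new SimplePrincipal(userProfile.getFullName());
        } else {
            principal = new SimplePrincipal(xWikiContext.getDatabase() + ":" + userProfile.getFullName());
        }

        try {
            syncGroupsMembership(userProfile.getFullName(), ldapDn, isNewUser, ldapUtils, xWikiContext);
        } catch (XWikiException e) {
            // Best effort: the login still succeeds and group membership is left as this call
            // left it, which may lag behind the directory until a later synchronization succeeds.
            LOGGER.error("Failed to synchronise user's groups membership", e);
        }
        return principal;
    }

    /**
     * Updates the XWiki user profile from LDAP; delegates to {@code XWikiLDAPUtils.syncUser}.
     *
     * @param xWikiDocument the user profile document
     * @param list the LDAP attributes found for the user, may be {@code null}
     * @param str the user DN
     * @param str2 the LDAP uid
     * @param xWikiLDAPUtils the LDAP helper bound to the open connection
     * @param xWikiContext the current XWiki context
     * @throws XWikiException if the synchronization fails
     */
    protected void syncUser(XWikiDocument xWikiDocument, List<XWikiLDAPSearchAttribute> list, String str, String str2, XWikiLDAPUtils xWikiLDAPUtils, XWikiContext xWikiContext) throws XWikiException {
        xWikiLDAPUtils.syncUser(xWikiDocument, list, str, str2, xWikiContext);
    }

    /**
     * Synchronizes group membership when group mappings are configured.
     *
     * <p>The synchronization is skipped when {@code ldap_mode_group_sync} is {@code create}
     * (case-insensitive) and the user profile already existed.
     *
     * @param str the full name of the XWiki user profile
     * @param str2 the user DN
     * @param z whether the user profile was new before this login
     * @param xWikiLDAPUtils the LDAP helper bound to the open connection
     * @param xWikiContext the current XWiki context
     * @throws XWikiException if the synchronization fails
     */
    protected void syncGroupsMembership(String str, String str2, boolean z, XWikiLDAPUtils xWikiLDAPUtils, XWikiContext xWikiContext) throws XWikiException {
        XWikiLDAPConfig config = XWikiLDAPConfig.getInstance();
        Map<String, Set<String>> groupMappings = config.getGroupMappings(xWikiContext);
        if (groupMappings.isEmpty()) {
            return;
        }
        boolean onlyOnCreate = config.getLDAPParam("ldap_mode_group_sync", "always", xWikiContext).equalsIgnoreCase("create");
        if (!onlyOnCreate || z) {
            syncGroupsMembership(str, str2, groupMappings, xWikiLDAPUtils, xWikiContext);
        }
    }

    /**
     * Synchronizes group membership with the given mappings; delegates to
     * {@code XWikiLDAPUtils.syncGroupsMembership}.
     *
     * @param str the full name of the XWiki user profile
     * @param str2 the user DN
     * @param map the configured group mappings
     * @param xWikiLDAPUtils the LDAP helper bound to the open connection
     * @param xWikiContext the current XWiki context
     * @throws XWikiException if the synchronization fails
     */
    protected void syncGroupsMembership(String str, String str2, Map<String, Set<String>> map, XWikiLDAPUtils xWikiLDAPUtils, XWikiContext xWikiContext) throws XWikiException {
        xWikiLDAPUtils.syncGroupsMembership(str, str2, map, xWikiContext);
    }
}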
