package org.geoserver.security.ldap;

import java.text.MessageFormat;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.ldap.AuthenticationException;
import org.springframework.ldap.NamingException;
import org.springframework.ldap.OperationNotSupportedException;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.support.BaseLdapPathContextSource;
import org.springframework.ldap.support.LdapUtils;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.ldap.SpringSecurityLdapTemplate;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.ppolicy.PasswordPolicyControlExtractor;
import org.springframework.security.ldap.ppolicy.PasswordPolicyResponseControl;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

/* loaded from: input_file:org/geoserver/security/ldap/GeoserverLdapBindAuthenticator.class */
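/**
 * Bind authenticator that can bind with a formatted user name and then locate the user's
 * entry with a configurable search filter.
 *
 * <p>With no {@code userFilter} configured, authentication is delegated unchanged to
 * {@link BindAuthenticator}. With a filter configured, the submitted name (optionally rewritten
 * through {@code userFormat}) and password are used to open the LDAP context, and the user entry
 * is then looked up through that same context.
 */
public class GeoserverLdapBindAuthenticator extends BindAuthenticator {
    private static final Log logger = LogFactory.getLog(GeoserverLdapBindAuthenticator.class);

    // Search filter for the user entry; null or empty selects the inherited behaviour.
    private String userFilter;

    // MessageFormat pattern applied to the submitted user name; null or empty leaves it as is.
    private String userFormat;

    /**
     * Creates the authenticator with both the filter and the name format disabled.
     *
     * @param baseLdapPathContextSource context source used to open the LDAP contexts
     */
    public GeoserverLdapBindAuthenticator(BaseLdapPathContextSource baseLdapPathContextSource) {
        super(baseLdapPathContextSource);
        this.userFilter = "";
        this.userFormat = "";
    }

    /**
     * Sets the search filter used to find the user entry after the bind.
     *
     * @param str filter pattern; it is given the formatted user name as both {0} and {1}
     */
    public void setUserFilter(String str) {
        this.userFilter = str;
    }

    /**
     * Authenticates with the filter-based flow when a filter is configured, otherwise with the
     * inherited {@link BindAuthenticator} flow.
     *
     * @param authentication the authentication request
     * @return the directory entry of the authenticated user
     */
    public DirContextOperations authenticate(Authentication authentication) {
        if (this.userFilter == null || this.userFilter.isEmpty()) {
            return super.authenticate(authentication);
        }
        return authenticateUsingFilter(authentication);
    }

    /**
     * Binds with the (optionally formatted) user name and password, then searches for the single
     * entry matching {@code userFilter} using the context obtained from that bind.
     *
     * @param authentication must be a {@link UsernamePasswordAuthenticationToken}
     * @return the user entry, carrying the password-policy control as an attribute when the
     *     server returned one
     * @throws BadCredentialsException if the password is empty or no entry was obtained
     */
    protected DirContextOperations authenticateUsingFilter(Authentication authentication) {
        Assert.isInstanceOf(UsernamePasswordAuthenticationToken.class, authentication, "Can only process UsernamePasswordAuthenticationToken objects");
        String name = authentication.getName();
        String password = (String) authentication.getCredentials();

        // NOTE(review): the submitted name is substituted into userFormat without escaping. If
        // userFormat is configured as a DN template, DN metacharacters in the name become part
        // of the bind DN; whether that matters depends on the configured format - confirm.
        if (this.userFormat != null && !this.userFormat.isEmpty()) {
            name = MessageFormat.format(this.userFormat, name);
        }

        // Refuse empty passwords before contacting the server: a bind that carries a name but no
        // password is an "unauthenticated bind" (RFC 4513) and some servers report it as success.
        if (!StringUtils.hasLength(password)) {
            // NOTE(review): name is client-supplied and logged as is; with debug logging enabled,
            // CR/LF in it can forge log lines.
            logger.debug("Rejecting empty password for user " + name);
            throw new BadCredentialsException(this.messages.getMessage("BindAuthenticator.emptyPassword", "Empty Password"));
        }

        DirContextOperations user = null;
        DirContext ctx = null;
        String userDn = "";
        try {
            // Obtaining the context with the user's own credentials is the credential check.
            ctx = getContextSource().getContext(name, password);
            PasswordPolicyResponseControl ppolicy = PasswordPolicyControlExtractor.extractControl(ctx);

            logger.debug("Retrieving user object using filter...");
            SearchControls searchControls = new SearchControls();
            searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);

            // The search runs on the user's own context, starting from the empty relative base.
            // NOTE(review): filter-encoding of the two arguments is left to
            // searchForSingleEntryInternal - confirm for the Spring Security version in use.
            user = SpringSecurityLdapTemplate.searchForSingleEntryInternal(ctx, searchControls, "", this.userFilter, new Object[] {name, name});
            userDn = user.getDn().toString();
            if (ppolicy != null) {
                user.setAttributeValue(ppolicy.getID(), ppolicy);
            }
        } catch (NamingException e) {
            // Only a failed or unsupported bind is passed to handleBindException; every other
            // Spring LDAP exception propagates to the caller.
            if (!(e instanceof AuthenticationException) && !(e instanceof OperationNotSupportedException)) {
                throw e;
            }
            handleBindException(userDn, name, e);
        } catch (javax.naming.NamingException e) {
            throw LdapUtils.convertLdapException(e);
        } finally {
            // Single release point: the context is closed exactly once on every path.
            LdapUtils.closeContext(ctx);
        }

        if (user == null) {
            // Generic message: the caller is not told why the bind was rejected.
            throw new BadCredentialsException(this.messages.getMessage("BindAuthenticator.badCredentials", "Bad credentials"));
        }
        return user;
    }

    /**
     * Sets the pattern used to rewrite the submitted user name before the bind and the search.
     *
     * @param str {@link MessageFormat} pattern in which {0} is the submitted user name
     */
    public void setUserFormat(String str) {
        this.userFormat = str;
    }
}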
