package net.shibboleth.idp.authn.impl;

import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import net.shibboleth.idp.authn.AbstractValidationAction;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.LDAPResponseContext;
import net.shibboleth.idp.authn.context.UsernamePasswordContext;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.ldaptive.Credential;
import org.ldaptive.LdapException;
import org.ldaptive.auth.AuthenticationRequest;
import org.ldaptive.auth.AuthenticationResponse;
import org.ldaptive.auth.AuthenticationResultCode;
import org.ldaptive.auth.Authenticator;
import org.ldaptive.jaas.LdapPrincipal;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/authn/impl/ValidateUsernamePasswordAgainstLDAP.class */
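/**
 * An action that validates the username and password found in a {@link UsernamePasswordContext}
 * by performing an LDAP authentication (DN resolution plus bind) through an ldaptive
 * {@link Authenticator}.
 *
 * <p>Whatever the outcome, the raw {@link AuthenticationResponse} is stored in an
 * {@link LDAPResponseContext} beneath the {@link AuthenticationContext} for later actions. On
 * success an authentication result is built whose {@link Subject} carries a
 * {@link UsernamePrincipal} and an {@link LdapPrincipal} wrapping the returned entry. On failure
 * an error event is signalled.</p>
 *
 * <p>Security note: a DN resolution failure (unknown user) and a rejected credential (wrong
 * password) are deliberately mapped to the <em>same</em> "InvalidCredentials" event so that the
 * flow cannot be used to enumerate which accounts exist. Only account-state problems (locked,
 * expired, ...) are distinguished, as "AccountError". The server-supplied diagnostic message is
 * passed to {@code handleError}; it is presumably logged/classified by the base class rather than
 * shown verbatim to the user — confirm against the base class and the error view.</p>
 *
 * <p>Per-request state ({@code upContext}, {@code response}) is held in instance fields, so one
 * instance must never service concurrent requests (presumably a prototype-scoped bean, as is
 * usual for these actions — TODO confirm in the flow configuration).</p>
 *
 * @event "InvalidProfileContext" if no flow was attempted
 * @event "NoCredentials" if no usable username and password are available
 * @event "InvalidCredentials" if the user is unknown or the password was rejected
 * @event "AccountError" if the account state prevents login
 * @event "AccountWarning" on success when the response carries an account state
 * @event "AuthenticationException" if the LDAP operation itself failed
 */
public class ValidateUsernamePasswordAgainstLDAP extends AbstractValidationAction {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ValidateUsernamePasswordAgainstLDAP.class);

    /** Context holding the credentials to validate; located in {@link #doPreExecute}. */
    @Nullable
    private UsernamePasswordContext upContext;

    /** The ldaptive authenticator that resolves the DN and performs the bind; required. */
    @Nonnull
    private Authenticator authenticator;

    /** Attributes to request from the user's entry on a successful bind; null means none requested here. */
    @Nullable
    private String[] returnAttributes;

    /** Response of the most recent authentication attempt; set in {@link #doExecute}. */
    @Nullable
    private AuthenticationResponse response;

    /**
     * Get the authenticator used to perform the LDAP authentication.
     *
     * @return the authenticator (non-null once the component is initialized)
     */
    @NonnullAfterInit
    public Authenticator getAuthenticator() {
        return authenticator;
    }

    /**
     * Set the authenticator used to perform the LDAP authentication.
     *
     * @param auth the authenticator, may not be null
     * @throws net.shibboleth.utilities.java.support.component.UnmodifiableComponentException if already initialized
     */
    public void setAuthenticator(@Nonnull final Authenticator auth) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        authenticator = Constraint.isNotNull(auth, "Authenticator cannot be null");
    }

    /**
     * Get the attributes requested from the user's LDAP entry after a successful bind.
     *
     * @return the attribute names, or null if none are configured here
     */
    @Nullable
    public String[] getReturnAttributes() {
        return returnAttributes;
    }

    /**
     * Set the attributes to request from the user's LDAP entry after a successful bind.
     *
     * @param attrs the attribute names, or null
     * @throws net.shibboleth.utilities.java.support.component.UnmodifiableComponentException if already initialized
     */
    public void setReturnAttributes(@Nullable final String... attrs) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        returnAttributes = attrs;
    }

    /**
     * Verify that an authenticator has been configured.
     *
     * @throws ComponentInitializationException if no authenticator was set
     */
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (authenticator == null) {
            throw new ComponentInitializationException("Authenticator cannot be null");
        }
    }

    /**
     * Locate the {@link UsernamePasswordContext} and make sure it carries a usable username and
     * password before the LDAP operation is attempted.
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     * @return true iff the LDAP authentication should proceed
     */
    protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {

        if (authenticationContext.getAttemptedFlow() == null) {
            log.debug("{} No attempted flow within authentication context", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return false;
        }

        upContext = authenticationContext.getSubcontext(UsernamePasswordContext.class);
        if (upContext == null) {
            log.debug("{} No UsernamePasswordContext available within authentication context", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "NoCredentials");
            return false;
        }

        final String username = upContext.getUsername();
        final String password = upContext.getPassword();
        if (username == null || password == null) {
            log.debug("{} No username or password available within UsernamePasswordContext", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "NoCredentials");
            return false;
        }

        // Defense in depth: never hand an empty password to the bind. Some directories treat a
        // simple bind with a DN and an empty password as an *unauthenticated* bind that succeeds
        // (RFC 4513 section 5.1.2), and an Authenticator that instead rejects an empty credential
        // is likely to do so with an unchecked exception that the LdapException handler in
        // doExecute would not catch. Either way "no credentials" is the honest outcome.
        if (password.isEmpty()) {
            log.debug("{} No username or password available within UsernamePasswordContext", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "NoCredentials");
            return false;
        }

        return super.doPreExecute(profileRequestContext, authenticationContext);
    }

    /**
     * Perform the LDAP authentication and translate the outcome into an authentication result or
     * an error/warning event.
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     */
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {

        final String username = upContext.getUsername();
        try {
            log.debug("{} Attempting to authenticate user {}", getLogPrefix(), username);
            response = authenticator.authenticate(new AuthenticationRequest(username,
                    new Credential(upContext.getPassword()), returnAttributes));
            // NOTE(review): this dumps the whole response object, which presumably includes the
            // resolved entry and any returned attributes — keep TRACE off outside of debugging.
            log.trace("{} Authentication response {}", getLogPrefix(), response);

            // Expose the raw response to downstream actions regardless of outcome.
            authenticationContext.getSubcontext(LDAPResponseContext.class, true).setAuthenticationResponse(response);

            // Fail closed: anything other than an explicit TRUE result is treated as a failure.
            if (Boolean.TRUE.equals(response.getResult())) {
                onSuccess(profileRequestContext, authenticationContext, username);
            } else {
                onFailure(profileRequestContext, authenticationContext, username);
            }
        } catch (final LdapException e) {
            // The exception is passed as the last argument so SLF4J logs its stack trace.
            log.warn("{} Login by '{}' produced exception", getLogPrefix(), username, e);
            handleError(profileRequestContext, authenticationContext, e, "AuthenticationException");
        }
    }

    /**
     * Handle a successful bind: raise an account warning if the response carries an account state,
     * then build the authentication result.
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     * @param username the username that was authenticated (for logging)
     */
    private void onSuccess(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext, @Nullable final String username) {
        log.info("{} Login by '{}' succeeded", getLogPrefix(), username);
        // Any account state accompanying a successful bind is surfaced as a warning (e.g. an
        // upcoming password expiry); the format is "ACCOUNT_WARNING:<resultCode>:<message>".
        if (response.getAccountState() != null) {
            handleWarning(profileRequestContext, authenticationContext,
                    String.format("%s:%s:%s", "ACCOUNT_WARNING", response.getResultCode(), response.getMessage()),
                    "AccountWarning");
        }
        buildAuthenticationResult(profileRequestContext, authenticationContext);
    }

    /**
     * Handle a failed bind by classifying the failure into an error event.
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     * @param username the username that failed to authenticate (for logging)
     */
    private void onFailure(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext, @Nullable final String username) {
        log.info("{} Login by '{}' failed", getLogPrefix(), username);

        final AuthenticationResultCode code = response.getAuthenticationResultCode();
        if (AuthenticationResultCode.DN_RESOLUTION_FAILURE == code
                || AuthenticationResultCode.INVALID_CREDENTIAL == code) {
            // Unknown user and wrong password intentionally collapse into one event so the
            // login flow does not leak which accounts exist.
            handleError(profileRequestContext, authenticationContext,
                    String.format("%s:%s", code, response.getMessage()), "InvalidCredentials");
        } else if (response.getAccountState() != null) {
            // The directory reported an account-state error (e.g. locked or expired).
            handleError(profileRequestContext, authenticationContext,
                    String.format("%s:%s:%s", response.getAccountState().getError(), response.getResultCode(),
                            response.getMessage()), "AccountError");
        } else {
            // Any other failure is still reported as invalid credentials rather than leaking detail.
            handleError(profileRequestContext, authenticationContext,
                    String.format("%s:%s", response.getResultCode(), response.getMessage()), "InvalidCredentials");
        }
    }

    /**
     * Add a {@link UsernamePrincipal} for the supplied username and an {@link LdapPrincipal}
     * wrapping the entry returned by the successful authentication.
     *
     * @param subject the subject to populate
     * @return the same subject, populated
     */
    @Nonnull
    protected Subject populateSubject(@Nonnull final Subject subject) {
        final String username = upContext.getUsername();
        subject.getPrincipals().add(new UsernamePrincipal(username));
        // The entry carries whatever returnAttributes were requested (plus any the Authenticator
        // itself resolves); it is only expected to be present on the success path.
        subject.getPrincipals().add(new LdapPrincipal(username, response.getLdapEntry()));
        return subject;
    }
}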
