package org.opends.server.controls;

import java.io.IOException;
import org.forgerock.i18n.slf4j.LocalizedLogger;
import org.forgerock.opendj.io.ASN1;
import org.forgerock.opendj.io.ASN1Writer;
import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.DN;
import org.forgerock.opendj.ldap.ResultCode;
import org.forgerock.util.Reject;
import org.opends.messages.ProtocolMessages;
import org.opends.server.api.AuthenticationPolicyState;
import org.opends.server.api.IdentityMapper;
import org.opends.server.core.DirectoryServer;
import org.opends.server.core.PasswordPolicyState;
import org.opends.server.types.Control;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
import org.opends.server.util.StaticUtils;

/* loaded from: input_file:org/opends/server/controls/ProxiedAuthV2Control.class */
/**
 * Server-side representation of the LDAP proxied authorization v2 control
 * (OID 2.16.840.1.113730.3.4.18, RFC 4370).
 *
 * <p>The control value is an authorization identity of the form {@code dn:<dn>},
 * {@code u:<userid>} or the empty string (anonymous). {@link #getAuthorizationEntry()}
 * resolves that identity to a directory entry and refuses identities whose account
 * is not usable, so that a proxied request cannot act as a disabled, expired or
 * locked user.
 */
public class ProxiedAuthV2Control extends Control {
    /** Control OID shared by the control itself and its decoder. */
    private static final String OID = "2.16.840.1.113730.3.4.18";

    /** Decoder registered for this control's OID. */
    public static final ControlDecoder<ProxiedAuthV2Control> DECODER = new Decoder();

    private static final LocalizedLogger logger = LocalizedLogger.getLoggerForThisClass();

    /** Raw authorization identity as received from the client (never null). */
    private final ByteString authorizationID;

    /** Decodes a proxied authorization v2 control from its wire form. */
    private static final class Decoder implements ControlDecoder<ProxiedAuthV2Control> {
        private Decoder() {
        }

        /**
         * Decodes the control.
         *
         * <p>The control must be marked critical and must carry a value; both are
         * protocol errors otherwise.
         *
         * @param isCritical the criticality flag received with the control
         * @param rawValue   the encoded control value, or {@code null} if absent
         * @return the decoded control
         * @throws DirectoryException with {@code PROTOCOL_ERROR} if the control is
         *         non-critical, has no value, or the value is not a recognisable
         *         authorization identity
         */
        @Override // org.opends.server.controls.ControlDecoder
        public ProxiedAuthV2Control decode(boolean isCritical, ByteString rawValue) throws DirectoryException {
            if (!isCritical) {
                throw new DirectoryException(ResultCode.PROTOCOL_ERROR, ProtocolMessages.ERR_PROXYAUTH2_CONTROL_NOT_CRITICAL.get());
            }
            if (rawValue == null) {
                throw new DirectoryException(ResultCode.PROTOCOL_ERROR, ProtocolMessages.ERR_PROXYAUTH2_NO_CONTROL_VALUE.get());
            }
            return new ProxiedAuthV2Control(isCritical, extractAuthzId(rawValue));
        }

        /**
         * Extracts the authorization identity from the control value.
         *
         * <p>First tries to unwrap the value as a BER OCTET STRING; if that fails,
         * the bytes are accepted as-is provided they start with {@code dn:} or
         * {@code u:} (case-insensitively). Anything else is rejected as a protocol
         * error, with the decoding failure attached as the cause.
         */
        private static ByteString extractAuthzId(ByteString rawValue) throws DirectoryException {
            try {
                return ASN1.getReader(rawValue).readOctetString();
            } catch (Exception e) {
                String lowerAuthzId = StaticUtils.toLowerCase(rawValue.toString());
                boolean looksLikeAuthzId = lowerAuthzId.startsWith("dn:") || lowerAuthzId.startsWith("u:");
                if (looksLikeAuthzId) {
                    return rawValue;
                }
                logger.traceException(e);
                throw new DirectoryException(ResultCode.PROTOCOL_ERROR, ProtocolMessages.ERR_PROXYAUTH2_INVALID_AUTHZID.get(lowerAuthzId), e);
            }
        }

        @Override // org.opends.server.controls.ControlDecoder
        public String getOID() {
            return OID;
        }
    }

    /**
     * Creates a critical proxied authorization v2 control.
     *
     * @param authorizationID the authorization identity; must not be null
     */
    public ProxiedAuthV2Control(ByteString authorizationID) {
        this(true, authorizationID);
    }

    /**
     * Creates a proxied authorization v2 control.
     *
     * @param isCritical      the criticality flag to send with the control
     * @param authorizationID the authorization identity; must not be null
     */
    public ProxiedAuthV2Control(boolean isCritical, ByteString authorizationID) {
        super(OID, isCritical);
        Reject.ifNull(authorizationID);
        this.authorizationID = authorizationID;
    }

    /**
     * Writes the control value as a single OCTET STRING holding the authorization
     * identity.
     *
     * @param writer the ASN.1 writer to emit the value to
     * @throws IOException if the writer fails
     */
    @Override // org.opends.server.types.Control
    protected void writeValue(ASN1Writer writer) throws IOException {
        writer.writeOctetString(this.authorizationID);
    }

    /** Returns the authorization identity carried by this control. */
    public ByteString getAuthorizationID() {
        return this.authorizationID;
    }

    /**
     * Resolves the authorization identity to the entry the request should be
     * processed as.
     *
     * @return the resolved entry, or {@code null} for an anonymous authorization
     *         (empty identity, the root DN, or an empty {@code u:} user ID)
     * @throws DirectoryException with {@code PROTOCOL_ERROR} if the identity has
     *         neither a {@code dn:} nor a {@code u:} prefix, or with
     *         {@code AUTHORIZATION_DENIED} if no matching entry exists, no identity
     *         mapper is configured, or the account is not usable
     */
    public Entry getAuthorizationEntry() throws DirectoryException {
        if (this.authorizationID.length() == 0) {
            return null;
        }
        // NOTE(review): the whole identity is lowercased before lookup, so the DN
        // and user ID passed on below are lowercase — confirm that the configured
        // identity mapper matches case-insensitively.
        String lowerAuthzId = StaticUtils.toLowerCase(this.authorizationID.toString());
        if (lowerAuthzId.startsWith("dn:")) {
            return resolveByDn(lowerAuthzId);
        }
        if (lowerAuthzId.startsWith("u:")) {
            return resolveByUserId(lowerAuthzId);
        }
        throw new DirectoryException(ResultCode.PROTOCOL_ERROR, ProtocolMessages.ERR_PROXYAUTH2_INVALID_AUTHZID.get(lowerAuthzId));
    }

    /** Resolves a {@code dn:} identity; {@code lowerAuthzId} includes the prefix. */
    private Entry resolveByDn(String lowerAuthzId) throws DirectoryException {
        // NOTE(review): the DN text comes from the client; if DN.valueOf rejects
        // malformed input with an unchecked exception it propagates from here —
        // confirm the calling operation handles that.
        DN requestedDn = DN.valueOf(lowerAuthzId.substring(3));
        if (requestedDn.isRootDN()) {
            return null;
        }
        // presumably maps an alternate root bind DN onto the actual root user entry;
        // a null result means the requested DN is used unchanged.
        DN rootBindDn = DirectoryServer.getActualRootBindDN(requestedDn);
        DN effectiveDn = rootBindDn == null ? requestedDn : rootBindDn;
        Entry entry = DirectoryServer.getEntry(effectiveDn);
        if (entry == null) {
            throw new DirectoryException(ResultCode.AUTHORIZATION_DENIED, ProtocolMessages.ERR_PROXYAUTH2_NO_SUCH_USER.get(lowerAuthzId));
        }
        checkAccountIsUsable(entry);
        return entry;
    }

    /** Resolves a {@code u:} identity via the configured identity mapper. */
    private Entry resolveByUserId(String lowerAuthzId) throws DirectoryException {
        // "u:" with nothing after it is treated as anonymous.
        if (lowerAuthzId.length() == 2) {
            return null;
        }
        IdentityMapper<?> mapper = DirectoryServer.getProxiedAuthorizationIdentityMapper();
        if (mapper == null) {
            throw new DirectoryException(ResultCode.AUTHORIZATION_DENIED, ProtocolMessages.ERR_PROXYAUTH2_NO_IDENTITY_MAPPER.get());
        }
        Entry entry = mapper.getEntryForID(lowerAuthzId.substring(2));
        if (entry == null) {
            throw new DirectoryException(ResultCode.AUTHORIZATION_DENIED, ProtocolMessages.ERR_PROXYAUTH2_NO_SUCH_USER.get(lowerAuthzId));
        }
        checkAccountIsUsable(entry);
        return entry;
    }

    /**
     * Rejects entries whose account may not be proxied to: disabled accounts, and
     * for password-policy accounts, expired, locked or password-expired ones.
     *
     * @throws DirectoryException with {@code AUTHORIZATION_DENIED} if any check fails
     */
    private void checkAccountIsUsable(Entry entry) throws DirectoryException {
        AuthenticationPolicyState state = AuthenticationPolicyState.forUser(entry, false);
        if (state.isDisabled()) {
            throw new DirectoryException(ResultCode.AUTHORIZATION_DENIED, ProtocolMessages.ERR_PROXYAUTH2_ACCOUNT_DISABLED.get(entry.getName()));
        }
        if (!state.isPasswordPolicy()) {
            return;
        }
        PasswordPolicyState pwState = (PasswordPolicyState) state;
        if (pwState.isAccountExpired()) {
            throw new DirectoryException(ResultCode.AUTHORIZATION_DENIED, ProtocolMessages.ERR_PROXYAUTH2_ACCOUNT_EXPIRED.get(entry.getName()));
        }
        if (pwState.isLocked()) {
            throw new DirectoryException(ResultCode.AUTHORIZATION_DENIED, ProtocolMessages.ERR_PROXYAUTH2_ACCOUNT_LOCKED.get(entry.getName()));
        }
        if (pwState.isPasswordExpired()) {
            throw new DirectoryException(ResultCode.AUTHORIZATION_DENIED, ProtocolMessages.ERR_PROXYAUTH2_PASSWORD_EXPIRED.get(entry.getName()));
        }
    }

    /** Appends a human-readable form of this control (the authzID is echoed verbatim). */
    @Override // org.opends.server.types.Control
    public void toString(StringBuilder sb) {
        sb.append("ProxiedAuthorizationV2Control(authzID=\"")
          .append(this.authorizationID)
          .append("\")");
    }
}
