package org.opends.server.protocols.http.authz;

import java.util.HashMap;
import org.forgerock.http.Filter;
import org.forgerock.http.Handler;
import org.forgerock.http.filter.Filters;
import org.forgerock.http.protocol.Request;
import org.forgerock.http.protocol.Response;
import org.forgerock.opendj.adapter.server3x.Adapters;
import org.forgerock.opendj.ldap.Connection;
import org.forgerock.opendj.ldap.ConnectionFactory;
import org.forgerock.opendj.ldap.LdapException;
import org.forgerock.opendj.ldap.ResultCode;
import org.forgerock.opendj.ldap.requests.Requests;
import org.forgerock.opendj.rest2ldap.AuthenticatedConnectionContext;
import org.forgerock.opendj.rest2ldap.authz.AuthenticationStrategy;
import org.forgerock.opendj.rest2ldap.authz.Authorization;
import org.forgerock.opendj.rest2ldap.authz.ConditionalFilters;
import org.forgerock.opendj.rest2ldap.authz.CredentialExtractors;
import org.forgerock.opendj.server.config.server.HTTPBasicAuthorizationMechanismCfg;
import org.forgerock.services.context.Context;
import org.forgerock.services.context.SecurityContext;
import org.forgerock.util.Reject;
import org.forgerock.util.Utils;
import org.forgerock.util.promise.NeverThrowsException;
import org.forgerock.util.promise.Promise;
import org.forgerock.util.promise.Promises;
import org.opends.server.api.IdentityMapper;
import org.opends.server.core.DirectoryServer;
import org.opends.server.core.ServerContext;
import org.opends.server.protocols.http.HttpLogContext;
import org.opends.server.protocols.http.LDAPContext;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;

/* loaded from: input_file:org/opends/server/protocols/http/authz/HttpBasicAuthorizationMechanism.class */
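/**
 * HTTP authorization mechanism that authenticates a request with a user name and password and,
 * on success, runs the rest of the chain with an LDAP connection authenticated as that user.
 *
 * <p>The credentials are read either from the standard HTTP Basic header or, when alternative
 * authentication is enabled in the configuration, from two configured custom headers. Either way
 * the password arrives in a request header, so the HTTP endpoint is expected to be served over
 * TLS.
 */
final class HttpBasicAuthorizationMechanism extends HttpAuthorizationMechanism<HTTPBasicAuthorizationMechanismCfg> {
    private static final CloseConnectionFilter CLOSE_CONNECTION = new CloseConnectionFilter();
    private static final int HTTP_BASIC_PRIORITY = 500;
    private final ConditionalFilters.ConditionalFilter delegate;

    /**
     * Filter placed after the authentication filter: once the downstream handler's promise has
     * completed (successfully or not), it closes the per-request authenticated connection found
     * in the {@link AuthenticatedConnectionContext}.
     */
    private static final class CloseConnectionFilter implements Filter {
        private CloseConnectionFilter() {
        }

        @Override
        public Promise<Response, NeverThrowsException> filter(final Context context, Request request, Handler handler) {
            return handler.handle(context, request).thenAlways(new Runnable() {
                @Override
                public void run() {
                    // asContext() is called only when the response completes; this filter is
                    // chained behind the authentication filter, which is what installs the
                    // AuthenticatedConnectionContext.
                    Utils.closeSilently(context.asContext(AuthenticatedConnectionContext.class).getConnection());
                }
            });
        }
    }

    /**
     * Authentication strategy that resolves the supplied user name to a directory entry through
     * an {@link IdentityMapper}, verifies the password with a simple bind as that entry's DN, and
     * only then hands out a connection authenticated as the mapped entry.
     */
    private static final class IdentityMapperAuthenticationStrategy implements AuthenticationStrategy {
        private final ConnectionFactory rootConnectionFactory;
        private final IdentityMapper<?> identityMapper;

        /**
         * @param connectionFactory factory for the connections used to perform the verifying bind
         * @param identityMapper    mapper turning the HTTP user name into a directory entry
         * @throws NullPointerException if either argument is {@code null}
         */
        IdentityMapperAuthenticationStrategy(ConnectionFactory connectionFactory, IdentityMapper<?> identityMapper) {
            this.rootConnectionFactory = Reject.checkNotNull(connectionFactory, "rootConnectionFactory cannot be null");
            this.identityMapper = Reject.checkNotNull(identityMapper, "identityMapper cannot be null");
        }

        /**
         * Verifies {@code username}/{@code password} and builds the security context for the
         * request.
         *
         * @param username user name extracted from the request, as sent by the client
         * @param password password extracted from the request
         * @param context  request context; must contain an {@link HttpLogContext} and an
         *                 {@link LDAPContext}
         * @return a promise completed with the {@link SecurityContext} wrapping an
         *         {@link AuthenticatedConnectionContext}, or failed with the {@link LdapException}
         *         describing why authentication was refused
         */
        @Override
        public Promise<SecurityContext, LdapException> authenticate(String username, String password, Context context) {
            // Recorded before the credentials are verified: the value is whatever the client sent.
            context.asContext(HttpLogContext.class).setAuthUser(username);
            try {
                // An LDAP simple bind carrying a DN and an empty password is an "unauthenticated
                // bind" (RFC 4513, section 5.1.2), which a server may report as successful
                // depending on its bind policy. The connection handed out below is authenticated
                // as the mapped entry regardless of how the bind succeeded, so a missing or empty
                // password is refused here instead of relying on server configuration.
                if (password == null || password.isEmpty()) {
                    throw LdapException.newLdapException(ResultCode.INVALID_CREDENTIALS);
                }
                final Entry mappedIdentity = getMappedIdentity(username);
                final String mappedDn = mappedIdentity.getName().toString();
                doBind(mappedDn, password);

                // The bind connection is closed inside doBind(); the connection exposed to the
                // request comes from the internal factory and is closed by CloseConnectionFilter.
                final AuthenticatedConnectionContext connectionContext = new AuthenticatedConnectionContext(
                        context,
                        context.asContext(LDAPContext.class).getInternalConnectionFactory()
                                .getAuthenticatedConnection(mappedIdentity));
                final HashMap<String, Object> authorization = new HashMap<>();
                authorization.put(SecurityContext.AUTHZID_DN, mappedDn);
                return Promises.newResultPromise(new SecurityContext(connectionContext, username, authorization));
            } catch (LdapException e) {
                return Promises.newExceptionPromise(e);
            }
        }

        /**
         * Resolves a user name to its directory entry.
         *
         * @throws LdapException {@code INVALID_CREDENTIALS} when the mapper finds no entry,
         *                       {@code OPERATIONS_ERROR} (with the cause) when the mapper fails
         */
        private Entry getMappedIdentity(String username) throws LdapException {
            final Entry mapped;
            try {
                mapped = this.identityMapper.getEntryForID(username);
            } catch (DirectoryException e) {
                throw LdapException.newLdapException(ResultCode.OPERATIONS_ERROR, e);
            }
            if (mapped == null) {
                // Unknown users get the same result code as a failed bind.
                throw LdapException.newLdapException(ResultCode.INVALID_CREDENTIALS);
            }
            return mapped;
        }

        /**
         * Checks the password by performing a simple bind as {@code bindDn} on a short-lived
         * connection, which is always closed before returning.
         *
         * @throws LdapException if the connection cannot be obtained or the bind is not successful
         */
        private void doBind(String bindDn, String password) throws LdapException {
            try (Connection connection = this.rootConnectionFactory.getConnection()) {
                if (!connection.bind(Requests.newSimpleBindRequest(bindDn, password.toCharArray())).isSuccess()) {
                    throw LdapException.newLdapException(ResultCode.INVALID_CREDENTIALS);
                }
            }
        }
    }

    /**
     * Builds the conditional filter chain: the HTTP Basic (or custom header) authentication
     * filter followed by the filter that closes the authenticated connection.
     *
     * @param config        configuration naming the identity mapper and, optionally, the
     *                      alternative user name and password headers
     * @param serverContext server context (not used by this constructor)
     */
    HttpBasicAuthorizationMechanism(HTTPBasicAuthorizationMechanismCfg config, ServerContext serverContext) {
        super(config.dn(), HTTP_BASIC_PRIORITY);
        final ConditionalFilters.ConditionalFilter authenticationFilter =
                Authorization.newConditionalHttpBasicAuthenticationFilter(
                        new IdentityMapperAuthenticationStrategy(
                                Adapters.newRootConnectionFactory(),
                                DirectoryServer.getIdentityMapper(config.getIdentityMapperDN())),
                        config.isAltAuthenticationEnabled()
                                ? CredentialExtractors.newCustomHeaderExtractor(
                                        config.getAltUsernameHeader(), config.getAltPasswordHeader())
                                : CredentialExtractors.httpBasicExtractor());
        // Same condition as the authentication filter, so the close filter only runs for requests
        // this mechanism actually handles.
        this.delegate = ConditionalFilters.newConditionalFilter(
                Filters.chainOf(authenticationFilter.getFilter(), CLOSE_CONNECTION),
                authenticationFilter.getCondition());
    }

    /** Returns the conditional filter built by the constructor. */
    @Override
    ConditionalFilters.ConditionalFilter getDelegate() {
        return this.delegate;
    }
}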
