package org.springframework.security.ldap.authentication;

import java.util.Iterator;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.core.log.LogMessage;
import org.springframework.ldap.AuthenticationException;
import org.springframework.ldap.OperationNotSupportedException;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.DistinguishedName;
import org.springframework.ldap.core.support.BaseLdapPathContextSource;
import org.springframework.ldap.support.LdapUtils;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.ldap.ppolicy.PasswordPolicyControlExtractor;
import org.springframework.security.ldap.ppolicy.PasswordPolicyResponseControl;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

/* loaded from: input_file:WEB-INF/lib/spring-security-ldap-5.6.5.jar:org/springframework/security/ldap/authentication/BindAuthenticator.class */
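/**
 * Authenticates a user by binding to the directory with the user's own DN and password.
 *
 * <p>Candidate DNs come from {@code getUserDns(username)} and are tried in order. If none
 * of them binds and a user search is configured ({@code getUserSearch()}), the user is
 * looked up and a bind is attempted with the DN the search returned.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 * <li>An empty or {@code null} password is rejected before any bind is attempted.</li>
 * <li>Only DNs are written to the log, never the password.</li>
 * <li>A rejected bind is reported to the caller as the same generic
 * {@link BadCredentialsException} whichever candidate DN was tried.</li>
 * </ul>
 */
public class BindAuthenticator extends AbstractLdapAuthenticator {
    private static final Log logger = LogFactory.getLog(BindAuthenticator.class);

    /**
     * Creates an authenticator that binds through the supplied context source.
     *
     * @param baseLdapPathContextSource the context source used to open the per-user bind;
     * its base LDAP path is prepended to every user DN before binding
     */
    public BindAuthenticator(BaseLdapPathContextSource baseLdapPathContextSource) {
        super(baseLdapPathContextSource);
    }

    /**
     * Attempts to bind as the user named in the authentication request.
     *
     * @param authentication the request; must be a {@link UsernamePasswordAuthenticationToken}
     * @return the bound user's directory entry, never {@code null}
     * @throws IllegalArgumentException if the token is of another type (via {@code Assert})
     * @throws BadCredentialsException if the password is empty or no bind succeeded
     */
    @Override
    public DirContextOperations authenticate(Authentication authentication) {
        Assert.isInstanceOf(UsernamePasswordAuthenticationToken.class, authentication,
                "Can only process UsernamePasswordAuthenticationToken objects");
        String username = authentication.getName();
        // NOTE(review): credentials that are not a String fail here with a ClassCastException
        // rather than a BadCredentialsException.
        String password = (String) authentication.getCredentials();

        // This guard must stay ahead of every bind. A simple bind that carries a DN and an
        // empty password is an "unauthenticated bind" (RFC 4513, section 5.1.2), which many
        // directory servers accept; without the check a blank password could pass for any user.
        if (!StringUtils.hasLength(password)) {
            logger.debug(LogMessage.format("Failed to authenticate since no credentials provided"));
            throw new BadCredentialsException(
                    this.messages.getMessage("BindAuthenticator.emptyPassword", "Empty Password"));
        }

        // First strategy: bind with each configured DN in turn, stopping at the first success.
        DirContextOperations user = null;
        for (String userDn : getUserDns(username)) {
            user = bindWithDn(userDn, username, password);
            if (user != null) {
                break;
            }
        }
        if (user == null) {
            // The DN list is built from the submitted username, so this debug line carries
            // caller-supplied text. NOTE(review): confirm the log sink neutralises line breaks.
            logger.debug(LogMessage.of(() -> "Failed to bind with any user DNs " + getUserDns(username)));
        }

        // Second strategy: locate the entry with the configured search, then bind as that DN.
        if (user == null && getUserSearch() != null) {
            logger.trace("Searching for user using " + getUserSearch());
            // NOTE(review): the result is dereferenced without a null check, so searchForUser
            // is presumably expected to throw when nothing matches - confirm against its
            // contract. Any such exception leaves this method unchanged, and callers that must
            // not reveal whether an account exists need to handle it.
            DirContextOperations userFromSearch = getUserSearch().searchForUser(username);
            user = bindWithDn(userFromSearch.getDn().toString(), username, password,
                    userFromSearch.getAttributes());
            if (user == null) {
                // Reached when the bind is rejected for an entry the search did return.
                logger.debug("Failed to find user using " + getUserSearch());
            }
        }

        if (user == null) {
            throw new BadCredentialsException(
                    this.messages.getMessage("BindAuthenticator.badCredentials", "Bad credentials"));
        }
        return user;
    }

    /**
     * Binds as {@code userDnStr} and always loads the user's attributes from the directory.
     */
    private DirContextOperations bindWithDn(String userDnStr, String username, String password) {
        return bindWithDn(userDnStr, username, password, null);
    }

    /**
     * Opens a context as the given user and, if the bind is accepted, returns the user's entry.
     *
     * @param userDnStr the user's DN relative to the context source's base path
     * @param username the submitted login name, only passed on to {@link #handleBindException}
     * @param password the submitted password, used as the bind credential
     * @param attrs attributes already retrieved for the entry, or {@code null}/empty to read
     * them through the user's own bound context
     * @return the user's entry, or {@code null} if the directory rejected the bind
     */
    private DirContextOperations bindWithDn(String userDnStr, String username, String password,
            Attributes attrs) {
        BaseLdapPathContextSource ctxSource = (BaseLdapPathContextSource) getContextSource();
        DistinguishedName userDn = new DistinguishedName(userDnStr);
        // The bind needs the absolute DN; the returned entry keeps the relative one.
        DistinguishedName fullDn = new DistinguishedName(userDn);
        fullDn.prepend(ctxSource.getBaseLdapPath());
        logger.trace(LogMessage.format("Attempting to bind as %s", fullDn));

        DirContext ctx = null;
        try {
            try {
                ctx = getContextSource().getContext(fullDn.toString(), password);
                PasswordPolicyResponseControl ppolicy = PasswordPolicyControlExtractor.extractControl(ctx);
                // With no attributes supplied, they are read over the context that was just
                // opened with the user's own credentials.
                Attributes userAttrs = (attrs == null || attrs.size() == 0)
                        ? ctx.getAttributes(userDn, getUserAttributes())
                        : attrs;
                DirContextAdapter result = new DirContextAdapter(userAttrs, userDn, ctxSource.getBaseLdapPath());
                if (ppolicy != null) {
                    // Expose the password-policy response under its control ID so callers can read it.
                    result.setAttributeValue(ppolicy.getID(), ppolicy);
                }
                logger.debug(LogMessage.format("Bound %s", fullDn));
                return result;
            } catch (NamingException ex) {
                // Kept as an inner try on purpose: the converted exception must still pass
                // through the handler below, so a converted authentication failure is treated
                // as a rejected bind as well.
                throw LdapUtils.convertLdapException(ex);
            }
        } catch (org.springframework.ldap.NamingException ex) {
            boolean bindRejected = ex instanceof AuthenticationException
                    || ex instanceof OperationNotSupportedException;
            if (!bindRejected) {
                throw ex;
            }
            // A rejected bind is an expected outcome while several candidate DNs are tried,
            // so it is reported to the hook and signalled to the caller as null.
            handleBindException(userDnStr, username, ex);
            return null;
        } finally {
            // One release point for every exit path, so the per-user context cannot leak.
            LdapUtils.closeContext(ctx);
        }
    }

    /**
     * Hook invoked when the directory rejects a bind attempt. This implementation only logs
     * the DN and the cause at trace level; subclasses may override it.
     *
     * @param userDn the DN (relative to the base path) the bind was attempted with
     * @param username the login name supplied by the caller
     * @param cause the exception raised for the rejected bind
     */
    protected void handleBindException(String userDn, String username, Throwable cause) {
        logger.trace(LogMessage.format("Failed to bind as %s", userDn), cause);
    }
}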
