package hudson.security;

import edu.umd.cs.findbugs.annotations.CheckForNull;
import edu.umd.cs.findbugs.annotations.NonNull;
import java.text.ParseException;
import java.util.GregorianCalendar;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import jenkins.security.plugins.ldap.Messages;
import org.springframework.security.authentication.AccountExpiredException;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;

/* loaded from: input_file:hudson/security/UserAttributesHelper.class */
final class UserAttributesHelper {
    private static final String ATTR_USER_ACCOUNT_CONTROL = "userAccountControl";
    private static final String ATTR_ACCOUNT_EXPIRES = "accountExpires";
    private static final String ATTR_LOGIN_DISABLED = "loginDisabled";
    private static final String ATTR_ORACLE_IS_ENABLED = "orclIsEnabled";
    private static final String ATTR_PWD_ACCOUNT_LOCKED_TIME = "pwdAccountLockedTime";
    private static final String ATTR_PWD_START_TIME = "pwdStartTime";
    private static final String ATTR_PWD_END_TIME = "pwdEndTime";
    private static final String ATTR_LOGIN_EXPIRATION_TIME = "loginExpirationTime";
    private static final String ATTR_PWD_LOCKOUT = "pwdLockout";
    private static final String ATTR_LOCKED_BY_INTRUDER = "lockedByIntruder";
    private static final String ATTR_USER_ACCOUNT_CONTROL_COMPUTED = "msDS-User-Account-Control-Computed";
    private static final String ATTR_USER_ACCOUNT_DISABLED = "msDS-UserAccountDisabled";
    private static final String ATTR_USER_PASSWORD_EXPIRED = "msDS-UserPasswordExpired";
    private static final String ACCOUNT_DISABLED = "000001010000Z";
    private static final long ACCOUNT_NO_EXPIRATION = Long.MAX_VALUE;
    private static final int ADS_UF_DISABLED = 2;
    private static final int ADS_UF_LOCK_OUT = 16;
    private static final int ADS_DONT_EXPIRE_PASSWORD = 65536;
    private static final int ADS_UF_PASSWORD_EXPIRED = 8388608;

    public static void checkIfUserEnabled(@NonNull Attributes attributes) throws DisabledException {
        Integer userAccountControl = getUserAccountControl(attributes);
        if (userAccountControl != null && (userAccountControl.intValue() & ADS_UF_DISABLED) == ADS_UF_DISABLED) {
            throw new DisabledException(Messages.UserDetails_Disabled(attributes.get("dn")));
        }
        String stringAttribute = getStringAttribute(attributes, ATTR_USER_ACCOUNT_DISABLED);
        if (stringAttribute != null) {
            if (Boolean.parseBoolean(stringAttribute)) {
                throw new DisabledException(Messages.UserDetails_Disabled(attributes.get("dn")));
            }
            return;
        }
        if (ACCOUNT_DISABLED.equals(getStringAttribute(attributes, ATTR_PWD_ACCOUNT_LOCKED_TIME))) {
            throw new DisabledException(Messages.UserDetails_Disabled(attributes.get("dn")));
        }
        String stringAttribute2 = getStringAttribute(attributes, ATTR_LOGIN_DISABLED);
        if (stringAttribute2 != null) {
            if (Boolean.parseBoolean(stringAttribute2)) {
                throw new DisabledException(Messages.UserDetails_Disabled(attributes.get("dn")));
            }
        } else {
            String stringAttribute3 = getStringAttribute(attributes, ATTR_ORACLE_IS_ENABLED);
            if (stringAttribute3 != null && !stringAttribute3.equalsIgnoreCase("enabled")) {
                throw new DisabledException(Messages.UserDetails_Disabled(attributes.get("dn")));
            }
        }
    }

    public static void checkIfAccountNonExpired(@NonNull Attributes attributes) throws AccountExpiredException {
        String stringAttribute = getStringAttribute(attributes, ATTR_ACCOUNT_EXPIRES);
        if (stringAttribute != null) {
            long parseLong = Long.parseLong(stringAttribute);
            if (parseLong != 0 && parseLong != ACCOUNT_NO_EXPIRATION && parseLong <= getWin32EpochHundredNanos()) {
                throw new AccountExpiredException(Messages.UserDetails_Expired(attributes.get("dn"), stringAttribute));
            }
            return;
        }
        GeneralizedTime now = GeneralizedTime.now();
        GeneralizedTime generalizedTimeAttribute = getGeneralizedTimeAttribute(attributes, ATTR_PWD_START_TIME);
        if (generalizedTimeAttribute != null && generalizedTimeAttribute.isAfter(now)) {
            throw new AccountExpiredException(Messages.UserDetails_Inactive(attributes.get("dn"), generalizedTimeAttribute));
        }
        GeneralizedTime generalizedTimeAttribute2 = getGeneralizedTimeAttribute(attributes, ATTR_PWD_END_TIME);
        if (generalizedTimeAttribute2 != null) {
            if (!generalizedTimeAttribute2.isAfter(now)) {
                throw new AccountExpiredException(Messages.UserDetails_Expired(attributes.get("dn"), generalizedTimeAttribute2));
            }
        } else {
            GeneralizedTime generalizedTimeAttribute3 = getGeneralizedTimeAttribute(attributes, ATTR_LOGIN_EXPIRATION_TIME);
            if (generalizedTimeAttribute3 != null && !generalizedTimeAttribute3.isAfter(now)) {
                throw new AccountExpiredException(Messages.UserDetails_Expired(attributes.get("dn"), generalizedTimeAttribute3));
            }
        }
    }

    public static void checkIfCredentialsNonExpired(@NonNull Attributes attributes) throws CredentialsExpiredException {
        Integer userAccountControl = getUserAccountControl(attributes);
        if (userAccountControl != null) {
            if ((userAccountControl.intValue() & ADS_DONT_EXPIRE_PASSWORD) == ADS_DONT_EXPIRE_PASSWORD) {
                return;
            }
            if ((userAccountControl.intValue() & ADS_UF_PASSWORD_EXPIRED) == ADS_UF_PASSWORD_EXPIRED) {
                throw new CredentialsExpiredException(Messages.UserDetails_CredentialsExpired(attributes.get("dn")));
            }
        }
        if (Boolean.parseBoolean(getStringAttribute(attributes, ATTR_USER_PASSWORD_EXPIRED))) {
            throw new CredentialsExpiredException(Messages.UserDetails_CredentialsExpired(attributes.get("dn")));
        }
    }

    public static void checkIfAccountNonLocked(@NonNull Attributes attributes) throws LockedException {
        Integer userAccountControl = getUserAccountControl(attributes);
        if (userAccountControl != null && (userAccountControl.intValue() & ADS_UF_LOCK_OUT) == ADS_UF_LOCK_OUT) {
            throw new LockedException(Messages.UserDetails_Locked(attributes.get("dn")));
        }
        String stringAttribute = getStringAttribute(attributes, ATTR_PWD_LOCKOUT);
        if (stringAttribute != null) {
            if (Boolean.parseBoolean(stringAttribute)) {
                throw new LockedException(Messages.UserDetails_Locked(attributes.get("dn")));
            }
        } else if (Boolean.parseBoolean(getStringAttribute(attributes, ATTR_LOCKED_BY_INTRUDER))) {
            throw new LockedException(Messages.UserDetails_Locked(attributes.get("dn")));
        }
    }

    private static long getWin32EpochHundredNanos() {
        return TimeUnit.NANOSECONDS.convert(new GregorianCalendar().getTime().getTime() - new GregorianCalendar(1601, 0, 1).getTime().getTime(), TimeUnit.MILLISECONDS) * 100;
    }

    @CheckForNull
    private static Integer getUserAccountControl(@NonNull Attributes attributes) {
        String stringAttribute = getStringAttribute(attributes, ATTR_USER_ACCOUNT_CONTROL);
        String stringAttribute2 = getStringAttribute(attributes, ATTR_USER_ACCOUNT_CONTROL_COMPUTED);
        if (stringAttribute != null) {
            return stringAttribute2 == null ? Integer.valueOf(Integer.parseInt(stringAttribute)) : Integer.valueOf(Integer.parseInt(stringAttribute) | Integer.parseInt(stringAttribute2));
        }
        if (stringAttribute2 == null) {
            return null;
        }
        return Integer.valueOf(Integer.parseInt(stringAttribute2));
    }

    @CheckForNull
    private static GeneralizedTime getGeneralizedTimeAttribute(@NonNull Attributes attributes, @NonNull String str) {
        String stringAttribute = getStringAttribute(attributes, str);
        if (stringAttribute == null) {
            return null;
        }
        try {
            return GeneralizedTime.parse(stringAttribute);
        } catch (ParseException e) {
            LDAPSecurityRealm.LOGGER.log(Level.WARNING, e, () -> {
                return "Invalid format found parsing generalized time attribute " + str + " with value '" + stringAttribute + "'";
            });
            return null;
        }
    }

    @CheckForNull
    private static String getStringAttribute(@NonNull Attributes attributes, @NonNull String str) {
        Attribute attribute = attributes.get(str);
        if (attribute == null || attribute.size() == 0) {
            return null;
        }
        try {
            Object obj = attribute.get();
            if (obj == null) {
                return null;
            }
            return obj.toString();
        } catch (NamingException e) {
            return null;
        }
    }

    private UserAttributesHelper() {
        throw new UnsupportedOperationException();
    }
}
