package jenkins.security.plugins.ldap;

import edu.umd.cs.findbugs.annotations.NonNull;
import hudson.DescriptorExtensionList;
import hudson.Extension;
import hudson.Util;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.security.LDAPSecurityRealm;
import hudson.util.FormValidation;
import hudson.util.Secret;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.InitialDirContext;
import jenkins.model.Jenkins;
import org.apache.commons.lang.StringUtils;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import org.springframework.security.authentication.AnonymousAuthenticationProvider;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.RememberMeAuthenticationProvider;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.security.ldap.search.LdapUserSearch;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

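/**
 * One LDAP server configuration of {@link LDAPSecurityRealm}: the server list, the root DN, the manager
 * credentials used to bind, the bases and filters used to look up users and groups, and the attribute
 * names read from user entries.
 * <p>
 * Instances are persisted together with the realm, so the instance field names are part of the on-disk
 * format and must not be renamed. {@code ldapTemplate} and {@code id} are transient and rebuilt on demand.
 */
public class LDAPConfiguration extends AbstractDescribableImpl<LDAPConfiguration> {
    private static final Logger LOGGER = LDAPSecurityRealm.LOGGER;
    /**
     * JNDI connect timeout in milliseconds, read from the system property
     * {@code jenkins.security.plugins.ldap.LDAPConfigurationconnect.timeout} (there is no separator between
     * the class name and {@code connect}; the name is kept as-is so existing deployments keep working).
     * Defaults to 30 seconds.
     */
    public static final int CONNECT_TIMEOUT = Integer.getInteger(LDAPConfiguration.class.getName() + "connect.timeout", 30000);
    /**
     * JNDI read timeout in milliseconds, read from the system property
     * {@code jenkins.security.plugins.ldap.LDAPConfigurationread.timeout} (same naming quirk as
     * {@link #CONNECT_TIMEOUT}). Defaults to 60 seconds.
     */
    public static final int READ_TIMEOUT = Integer.getInteger(LDAPConfiguration.class.getName() + "read.timeout", 60000);

    /** JNDI initial context factory used for every connection this class opens. */
    private static final String LDAP_CTX_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";
    /** Sun/OpenJDK LDAP provider properties; values are milliseconds as decimal strings. */
    private static final String JNDI_CONNECT_TIMEOUT = "com.sun.jndi.ldap.connect.timeout";
    private static final String JNDI_READ_TIMEOUT = "com.sun.jndi.ldap.read.timeout";
    private static final String JNDI_CONNECT_POOL = "com.sun.jndi.ldap.connect.pool";

    // Persisted fields: names are the serialized form, do not rename.
    private final String server;
    private final String rootDN;
    private final boolean inhibitInferRootDN;
    private String userSearchBase;
    private String userSearch;
    private String groupSearchBase;
    private String groupSearchFilter;
    private LDAPGroupMembershipStrategy groupMembershipStrategy;
    private final String managerDN;
    private final Secret managerPasswordSecret;
    private String displayNameAttributeName;
    private String mailAddressAttributeName;
    private boolean ignoreIfUnavailable;
    private Map<String, String> extraEnvVars;
    // Rebuilt by createApplicationContext(); never persisted.
    private transient LDAPExtendedTemplate ldapTemplate;
    // Lazily derived from the distinguishing fields by getId(); never persisted.
    private transient String id;

    /**
     * The Spring Security objects built from one configuration by
     * {@link LDAPConfiguration#createApplicationContext(LDAPSecurityRealm)}.
     */
    public static final class ApplicationContext {
        public final AuthenticationManager authenticationManager;
        public final LdapUserSearch ldapUserSearch;
        public final LdapAuthoritiesPopulator ldapAuthoritiesPopulator;

        ApplicationContext(AuthenticationManager authenticationManager, LdapUserSearch ldapUserSearch, LdapAuthoritiesPopulator ldapAuthoritiesPopulator) {
            this.authenticationManager = authenticationManager;
            this.ldapUserSearch = ldapUserSearch;
            this.ldapAuthoritiesPopulator = ldapAuthoritiesPopulator;
        }
    }

    /** Descriptor: form defaults and the server-connectivity form validation. */
    @Extension
    public static final class LDAPConfigurationDescriptor extends Descriptor<LDAPConfiguration> {
        public static final String DEFAULT_DISPLAYNAME_ATTRIBUTE_NAME = "displayname";
        public static final String DEFAULT_MAILADDRESS_ATTRIBUTE_NAME = "mail";
        public static final String DEFAULT_USER_SEARCH = "uid={0}";

        /**
         * Accepted syntax of the server field: whitespace-separated {@code [ldap(s)://]host[:port]} entries.
         * Groups 1-3 (scheme, host, port) describe the first entry, which is the one probed on failure.
         */
        private static final Pattern SERVER_SYNTAX =
                Pattern.compile("(ldaps?://)?([^:]+)(?:\\:(\\d+))?(\\s+(ldaps?://)?([^:]+)(?:\\:(\\d+))?)*");

        @Override
        @NonNull
        public String getDisplayName() {
            return "ldap";
        }

        /**
         * Validates the server field by attempting a JNDI bind with the submitted manager credentials.
         * <p>
         * The check makes the controller open an outbound connection to whatever host the submitted value
         * names, so it is restricted to administrators; anyone else receives an unconditional
         * {@link FormValidation#ok()} and no connection is attempted.
         *
         * @param str    the server field (one or more {@code [ldap(s)://]host[:port]} entries)
         * @param str2   the manager DN; blank or the literal {@code "undefined"} means anonymous bind
         * @param secret the manager password; blank or the literal {@code "undefined"} means no credentials
         * @param str3   the root DN appended to the provider URL
         * @return ok when the bind succeeds, otherwise an error describing the most likely cause
         */
        @POST
        public FormValidation doCheckServer(@QueryParameter String str, @QueryParameter String str2, @QueryParameter Secret secret, @QueryParameter String str3) {
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                return FormValidation.ok();
            }
            String managerPassword = Secret.toString(secret);
            Context context = null;
            try {
                Hashtable<String, String> env = new Hashtable<>();
                // "undefined" is treated like an empty field (presumably an absent form value serialized by the browser).
                if (StringUtils.isNotBlank(str2) && !"undefined".equals(str2)) {
                    env.put(Context.SECURITY_PRINCIPAL, str2);
                }
                if (StringUtils.isNotBlank(managerPassword) && !"undefined".equals(managerPassword)) {
                    env.put(Context.SECURITY_CREDENTIALS, managerPassword);
                }
                env.put(Context.INITIAL_CONTEXT_FACTORY, LDAP_CTX_FACTORY);
                env.put(Context.PROVIDER_URL, LDAPSecurityRealm.toProviderUrl(str, str3));
                env.put(Context.REFERRAL, "follow");
                env.put(JNDI_CONNECT_TIMEOUT, Integer.toString(CONNECT_TIMEOUT));
                env.put(JNDI_CONNECT_POOL, "true");
                env.put(JNDI_READ_TIMEOUT, Integer.toString(READ_TIMEOUT));
                context = new InitialDirContext(env);
                return FormValidation.ok();
            } catch (NumberFormatException e) {
                return FormValidation.error(Messages.LDAPSecurityRealm_InvalidPortNumber());
            } catch (NamingException e) {
                return diagnoseConnectionFailure(str, e);
            } finally {
                closeQuietly(context);
            }
        }

        /**
         * Turns a failed JNDI bind into a more specific message by checking the server field's syntax,
         * resolving the first host and probing its TCP port.
         *
         * @param server the raw server field
         * @param cause  the exception thrown by the bind attempt
         * @return the validation error to show to the administrator
         */
        private static FormValidation diagnoseConnectionFailure(String server, NamingException cause) {
            Matcher matcher = SERVER_SYNTAX.matcher(server.trim());
            if (!matcher.matches()) {
                return FormValidation.error(Messages.LDAPSecurityRealm_SyntaxOfServerField());
            }
            try {
                InetAddress address = InetAddress.getByName(matcher.group(2));
                // Default port follows the scheme of the first entry; an explicit port overrides it.
                int port = "ldaps://".equals(matcher.group(1)) ? 636 : 389;
                if (matcher.group(3) != null) {
                    port = Integer.parseInt(matcher.group(3));
                }
                try (Socket probe = new Socket(address, port)) {
                    // Reaching here means the TCP connect succeeded: the failure is at the LDAP level.
                }
                return FormValidation.error(cause, Messages.LDAPSecurityRealm_UnableToConnect(server, cause));
            } catch (UnknownHostException e) {
                return FormValidation.error(Messages.LDAPSecurityRealm_UnknownHost(e.getMessage()));
            } catch (IOException e) {
                return FormValidation.error(e, Messages.LDAPSecurityRealm_UnableToConnect(server, e.getMessage()));
            }
        }

        public DescriptorExtensionList<LDAPGroupMembershipStrategy, Descriptor<LDAPGroupMembershipStrategy>> getGroupMembershipStrategies() {
            return Jenkins.get().getDescriptorList(LDAPGroupMembershipStrategy.class);
        }
    }

    /**
     * Creates a configuration from the form values.
     *
     * @param str    server field, trimmed; one or more {@code [ldap(s)://]host[:port]} entries
     * @param str2   root DN; when blank and {@code z} is false it is inferred from the server's root DSE
     * @param z      when true, never infer the root DN
     * @param str3   manager DN, or empty for anonymous bind (stored as {@code null})
     * @param secret manager password
     */
    @DataBoundConstructor
    public LDAPConfiguration(@NonNull String str, String str2, boolean z, String str3, Secret secret) {
        this.server = str.trim();
        this.managerDN = Util.fixEmpty(str3);
        this.managerPasswordSecret = secret;
        this.inhibitInferRootDN = z;
        // inferRootDN() binds with the fields assigned above, so it must run after them.
        if (!z && Util.fixEmptyAndTrim(str2) == null) {
            str2 = Util.fixNull(inferRootDN(str));
        }
        this.rootDN = str2;
        this.displayNameAttributeName = LDAPConfigurationDescriptor.DEFAULT_DISPLAYNAME_ATTRIBUTE_NAME;
        this.mailAddressAttributeName = LDAPConfigurationDescriptor.DEFAULT_MAILADDRESS_ATTRIBUTE_NAME;
        this.userSearchBase = "";
        this.userSearch = LDAPConfigurationDescriptor.DEFAULT_USER_SEARCH;
        this.groupMembershipStrategy = new FromGroupSearchLDAPGroupMembershipStrategy("");
        this.groupSearchBase = "";
    }

    /** @return the server field exactly as configured (trimmed). */
    public String getServer() {
        return this.server;
    }

    /**
     * @return the configured servers as a space-separated list of URLs, each entry given an
     *         {@code ldap://} prefix when it has no scheme of its own
     */
    public String getServerUrl() {
        List<String> urls = new ArrayList<>();
        for (String entry : Util.fixNull(this.server).split("\\s+")) {
            if (!entry.trim().isEmpty()) {
                urls.add(addPrefix(entry));
            }
        }
        return String.join(" ", urls);
    }

    public String getRootDN() {
        return this.rootDN;
    }

    /** @return the JNDI provider URL: {@link #getServerUrl()} combined with the root DN ({@code ""} when unset). */
    public String getLDAPURL() {
        return LDAPSecurityRealm.toProviderUrl(getServerUrl(), Util.fixNull(this.rootDN));
    }

    public boolean isInhibitInferRootDN() {
        return this.inhibitInferRootDN;
    }

    public String getUserSearchBase() {
        return this.userSearchBase;
    }

    /** Stores the user search base; {@code null} becomes {@code ""} and surrounding whitespace is removed. */
    @DataBoundSetter
    public void setUserSearchBase(String str) {
        this.userSearchBase = Util.fixNull(str).trim();
    }

    public String getUserSearch() {
        return this.userSearch;
    }

    /** Stores the user search filter, falling back to {@code uid={0}} when the value is blank. */
    @DataBoundSetter
    public void setUserSearch(String str) {
        String trimmed = Util.fixEmptyAndTrim(str);
        this.userSearch = trimmed != null ? trimmed : LDAPConfigurationDescriptor.DEFAULT_USER_SEARCH;
    }

    public String getGroupSearchBase() {
        return this.groupSearchBase;
    }

    /** Stores the group search base; a blank value is stored as {@code null}. */
    @DataBoundSetter
    public void setGroupSearchBase(String str) {
        this.groupSearchBase = Util.fixEmptyAndTrim(str);
    }

    public String getGroupSearchFilter() {
        return this.groupSearchFilter;
    }

    /** Stores the group search filter; a blank value is stored as {@code null}. */
    @DataBoundSetter
    public void setGroupSearchFilter(String str) {
        this.groupSearchFilter = Util.fixEmptyAndTrim(str);
    }

    public LDAPGroupMembershipStrategy getGroupMembershipStrategy() {
        return this.groupMembershipStrategy;
    }

    /** Stores the membership strategy; {@code null} is replaced by a group-search strategy with an empty filter. */
    @DataBoundSetter
    public void setGroupMembershipStrategy(LDAPGroupMembershipStrategy lDAPGroupMembershipStrategy) {
        this.groupMembershipStrategy = lDAPGroupMembershipStrategy == null
                ? new FromGroupSearchLDAPGroupMembershipStrategy("")
                : lDAPGroupMembershipStrategy;
    }

    /** @return the manager DN, or {@code null} for anonymous bind. */
    public String getManagerDN() {
        return this.managerDN;
    }

    /**
     * @return the manager password in clear text ({@code ""} when no secret is set). Use it only to
     *         configure the bind; prefer {@link #getManagerPasswordSecret()} elsewhere and never log it.
     */
    public String getManagerPassword() {
        return Secret.toString(this.managerPasswordSecret);
    }

    public Secret getManagerPasswordSecret() {
        return this.managerPasswordSecret;
    }

    /** @return the attribute holding the display name, defaulting to {@code displayname} when unset. */
    public String getDisplayNameAttributeName() {
        return StringUtils.defaultString(this.displayNameAttributeName, LDAPConfigurationDescriptor.DEFAULT_DISPLAYNAME_ATTRIBUTE_NAME);
    }

    @DataBoundSetter
    public void setDisplayNameAttributeName(String str) {
        this.displayNameAttributeName = str;
    }

    /** @return the attribute holding the mail address, defaulting to {@code mail} when unset. */
    public String getMailAddressAttributeName() {
        return StringUtils.defaultString(this.mailAddressAttributeName, LDAPConfigurationDescriptor.DEFAULT_MAILADDRESS_ATTRIBUTE_NAME);
    }

    @DataBoundSetter
    public void setMailAddressAttributeName(String str) {
        this.mailAddressAttributeName = str;
    }

    public boolean isIgnoreIfUnavailable() {
        return this.ignoreIfUnavailable;
    }

    @DataBoundSetter
    public void setIgnoreIfUnavailable(boolean z) {
        this.ignoreIfUnavailable = z;
    }

    /** @return a read-only view of the extra JNDI environment entries; never {@code null}. */
    public Map<String, String> getExtraEnvVars() {
        if (this.extraEnvVars == null || this.extraEnvVars.isEmpty()) {
            return Collections.emptyMap();
        }
        return Collections.unmodifiableMap(this.extraEnvVars);
    }

    @Restricted(NoExternalUse.class)
    public void setExtraEnvVars(Map<String, String> map) {
        this.extraEnvVars = map;
    }

    /** @return the extra JNDI environment entries in form-friendly shape, in map iteration order; never {@code null}. */
    public LDAPSecurityRealm.EnvironmentProperty[] getEnvironmentProperties() {
        if (this.extraEnvVars == null || this.extraEnvVars.isEmpty()) {
            return new LDAPSecurityRealm.EnvironmentProperty[0];
        }
        return this.extraEnvVars.entrySet().stream()
                .map(entry -> new LDAPSecurityRealm.EnvironmentProperty(entry.getKey(), entry.getValue()))
                .toArray(LDAPSecurityRealm.EnvironmentProperty[]::new);
    }

    /** Stores the extra JNDI environment entries; {@code null} or an empty array clears them. */
    @DataBoundSetter
    public void setEnvironmentProperties(LDAPSecurityRealm.EnvironmentProperty[] environmentPropertyArr) {
        this.extraEnvVars = (environmentPropertyArr == null || environmentPropertyArr.length == 0)
                ? null
                : LDAPSecurityRealm.EnvironmentProperty.toMap(Arrays.asList(environmentPropertyArr));
    }

    /**
     * @return an identifier derived from server, root DN, user search base and user search filter.
     *         Computed lazily; a concurrent first call may compute it twice but always yields the same value.
     */
    public String getId() {
        if (StringUtils.isEmpty(this.id)) {
            this.id = generateId();
        }
        return this.id;
    }

    /** @return whether {@code str} is this configuration's {@link #getId() id}. */
    public boolean isConfiguration(String str) {
        return getId().equals(str);
    }

    /**
     * Reads the root DSE of the configured server and returns {@code defaultNamingContext}, else the first
     * {@code namingcontexts} value, else {@code null}. Connection failures are logged and yield {@code null}.
     * Uses the manager credentials when a manager DN is set, and the same timeouts as every other connection
     * this class opens, so a silent server cannot stall construction indefinitely.
     *
     * @param str the raw server field, used only in log messages
     */
    private String inferRootDN(String str) {
        Hashtable<String, String> env = new Hashtable<>();
        if (this.managerDN != null) {
            env.put(Context.SECURITY_PRINCIPAL, this.managerDN);
            env.put(Context.SECURITY_CREDENTIALS, getManagerPassword());
        }
        env.put(Context.INITIAL_CONTEXT_FACTORY, LDAP_CTX_FACTORY);
        env.put(Context.PROVIDER_URL, LDAPSecurityRealm.toProviderUrl(getServerUrl(), ""));
        env.put(JNDI_CONNECT_TIMEOUT, Integer.toString(CONNECT_TIMEOUT));
        env.put(JNDI_READ_TIMEOUT, Integer.toString(READ_TIMEOUT));
        InitialDirContext context = null;
        try {
            context = new InitialDirContext(env);
            Attributes rootDse = context.getAttributes("");
            Attribute defaultNamingContext = rootDse.get("defaultNamingContext");
            if (defaultNamingContext != null && defaultNamingContext.get() != null) {
                return defaultNamingContext.get().toString();
            }
            Attribute namingContexts = rootDse.get("namingcontexts");
            if (namingContexts != null && namingContexts.get() != null) {
                return namingContexts.get().toString();
            }
            LOGGER.warning("namingcontexts attribute not found in root DSE of " + str);
            return null;
        } catch (NamingException e) {
            LOGGER.log(Level.WARNING, "Failed to connect to LDAP to infer Root DN for " + str, e);
            return null;
        } finally {
            closeQuietly(context);
        }
    }

    /** Closes a JNDI context, logging (at FINE) rather than propagating any failure; {@code null} is ignored. */
    private static void closeQuietly(Context context) {
        if (context == null) {
            return;
        }
        try {
            context.close();
        } catch (Exception e) {
            LOGGER.log(Level.FINE, "fail to close ldap context", e);
        }
    }

    /** Prepends {@code ldap://} unless the entry already carries a scheme. */
    private static String addPrefix(String str) {
        return str.contains("://") ? str : "ldap://" + str;
    }

    private String generateId() {
        return generateId(this.server, this.rootDN, this.userSearchBase, this.userSearch);
    }

    /**
     * Derives a compact, stable identifier from the fields that distinguish one configuration from another.
     * MD5 is used purely as a fingerprint, not as a security control; changing the algorithm or the input
     * layout would change every existing id, so keep both as they are.
     *
     * @param str  server field
     * @param str2 root DN
     * @param str3 user search base
     * @param str4 user search filter; blank means the default {@code uid={0}}
     * @return the Base64-encoded digest
     */
    @Restricted(NoExternalUse.class)
    static String generateId(String str, String str2, String str3, String str4) {
        try {
            MessageDigest digest = MessageDigest.getInstance("MD5");
            digest.update(normalizeServer(str).getBytes(StandardCharsets.UTF_8));
            String searchBase = normalizeUserSearchBase(str2, str3);
            if (StringUtils.isNotBlank(searchBase)) {
                digest.update(searchBase.getBytes(StandardCharsets.UTF_8));
            } else {
                // Keeps the digest input layout distinct from the "no search base" case having no bytes at all.
                digest.update(new byte[]{0});
            }
            if (StringUtils.isNotBlank(str4)) {
                digest.update(str4.getBytes(StandardCharsets.UTF_8));
            } else {
                digest.update(LDAPConfigurationDescriptor.DEFAULT_USER_SEARCH.getBytes(StandardCharsets.UTF_8));
            }
            return Base64.getEncoder().encodeToString(digest.digest());
        } catch (NoSuchAlgorithmException e) {
            // MD5 is mandatory in every Java platform; kept as IllegalArgumentException for callers that may rely on it.
            throw new IllegalArgumentException(e);
        }
    }

    /**
     * Joins a user search base onto a root DN ({@code base,root}), returning whichever one is present when
     * the other is blank and {@code ""} when both are.
     */
    private static String normalizeUserSearchBase(String str, String str2) {
        boolean rootBlank = StringUtils.isBlank(str);
        boolean baseBlank = StringUtils.isBlank(str2);
        if (rootBlank && baseBlank) {
            return "";
        }
        if (rootBlank) {
            return str2;
        }
        if (baseBlank) {
            return str;
        }
        return str2.trim() + "," + str.trim();
    }

    /**
     * Canonical form of the server field for id generation: each entry is given a scheme if missing,
     * port 389 if missing (also for {@code ldaps://}; this is only a canonical form, not the port used to
     * connect, and altering it would change generated ids), and the entries are sorted and space-joined.
     * Entries that are not valid URIs are logged and dropped.
     */
    @Restricted(NoExternalUse.class)
    static String normalizeServer(String str) {
        List<String> normalized = new ArrayList<>();
        for (String entry : Util.fixNull(str).split("\\s+")) {
            if (StringUtils.isBlank(entry)) {
                continue;
            }
            String withScheme = addPrefix(entry);
            try {
                URI uri = new URI(withScheme);
                if (uri.getPort() < 0) {
                    uri = new URI(uri.getScheme(), uri.getUserInfo(), uri.getHost(), 389, uri.getPath(), uri.getQuery(), uri.getFragment());
                }
                normalized.add(uri.toString());
            } catch (URISyntaxException e) {
                LOGGER.warning("Unable to parse " + withScheme + " into an URI");
            }
        }
        Collections.sort(normalized);
        return StringUtils.join(normalized, ' ');
    }

    /**
     * Builds the Spring Security objects for this configuration: a context source bound with the manager
     * credentials (timeouts and pooling from this class, plus {@link #getExtraEnvVars()}), a subtree user
     * search, a bind authenticator, an authorities populator and a provider manager that also accepts
     * remember-me and anonymous authentications.
     * <p>
     * Side effects: caches the {@link LDAPExtendedTemplate} returned by {@link #getLdapTemplate()} and hands
     * the authorities populator to the group membership strategy.
     *
     * @param lDAPSecurityRealm the owning realm; consulted for role-prefix settings
     */
    @Restricted(NoExternalUse.class)
    public ApplicationContext createApplicationContext(LDAPSecurityRealm lDAPSecurityRealm) {
        FixedDefaultSpringSecurityContextSource contextSource = new FixedDefaultSpringSecurityContextSource(getLDAPURL());
        if (getManagerDN() != null) {
            contextSource.setUserDn(getManagerDN());
            contextSource.setPassword(getManagerPassword());
        }
        contextSource.setReferral("follow");
        Map<String, Object> baseEnv = new HashMap<>();
        baseEnv.put(JNDI_CONNECT_POOL, "true");
        baseEnv.put(JNDI_CONNECT_TIMEOUT, Integer.toString(CONNECT_TIMEOUT));
        baseEnv.put(JNDI_READ_TIMEOUT, Integer.toString(READ_TIMEOUT));
        // Extra entries are applied last, so an operator-supplied entry overrides the defaults above.
        baseEnv.putAll(getExtraEnvVars());
        contextSource.setBaseEnvironmentProperties(baseEnv);
        contextSource.afterPropertiesSet();

        FilterBasedLdapUserSearch userSearch = new FilterBasedLdapUserSearch(getUserSearchBase(), getUserSearch(), contextSource);
        userSearch.setSearchSubtree(true);
        userSearch.setReturningAttributes(new String[]{"*", "+"});

        BindAuthenticator2 authenticator = new BindAuthenticator2(contextSource);
        authenticator.setUserSearch(userSearch);

        LDAPSecurityRealm.AuthoritiesPopulatorImpl authoritiesPopulator =
                new LDAPSecurityRealm.AuthoritiesPopulatorImpl(contextSource, getGroupSearchBase(), getGroupMembershipStrategy());
        authoritiesPopulator.setSearchSubtree(true);
        authoritiesPopulator.setGroupSearchFilter("(| (member={0}) (uniqueMember={0}) (memberUid={1}))");
        if (lDAPSecurityRealm.isDisableRolePrefixing()) {
            authoritiesPopulator.setRolePrefix("");
            authoritiesPopulator.setConvertToUpperCase(false);
        }

        ProviderManager providerManager = new ProviderManager(Arrays.asList(
                new LDAPSecurityRealm.LdapAuthenticationProviderImpl(authenticator, authoritiesPopulator, getGroupMembershipStrategy()),
                new RememberMeAuthenticationProvider(Jenkins.get().getSecretKey()),
                new AnonymousAuthenticationProvider("anonymous")));

        this.ldapTemplate = new LDAPExtendedTemplate(contextSource);
        if (this.groupMembershipStrategy != null) {
            this.groupMembershipStrategy.setAuthoritiesPopulator(authoritiesPopulator);
        }
        return new ApplicationContext(providerManager, userSearch, authoritiesPopulator);
    }

    /** @return the template created by the last {@link #createApplicationContext(LDAPSecurityRealm)} call, or {@code null}. */
    @Restricted(NoExternalUse.class)
    public LDAPExtendedTemplate getLdapTemplate() {
        return this.ldapTemplate;
    }
}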
