package hudson.plugins.active_directory;

import hudson.plugins.active_directory.ActiveDirectorySecurityRealm;
import hudson.security.GroupDetails;
import hudson.security.SecurityRealm;
import hudson.security.UserMayOrMayNotExistException;
import hudson.util.Secret;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationServiceException;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.userdetails.UserDetailsService;
import org.acegisecurity.userdetails.UsernameNotFoundException;
import org.springframework.dao.DataAccessException;

/* loaded from: input_file:WEB-INF/classes/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.class */
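public class ActiveDirectoryUnixAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider implements UserDetailsService, GroupDetailsService {
    /** Domains to try in order; taken from the realm's comma-separated {@code domain} setting. */
    private final String[] domainNames;
    private final String site;
    private final String server;
    /** Service account used to look the user up; when {@code null} the user's own credentials are used to bind. */
    private final String bindName;
    private final String bindPassword;
    private final ActiveDirectorySecurityRealm.DesciprotrImpl descriptor;
    private static final Logger LOGGER = Logger.getLogger(ActiveDirectoryUnixAuthenticationProvider.class.getName());

    /** Parameterised filters ({@code {0}} is escaped by JNDI) so the account name is never concatenated into the filter. */
    private static final String UPN_FILTER = "(& (userPrincipalName={0})(objectClass=user))";
    private static final String SAM_FILTER = "(& (sAMAccountName={0})(objectClass=user))";
    /** Attributes fetched for each group while walking {@code memberOf}. */
    private static final String[] GROUP_ATTRIBUTES = {"CN", "memberOf"};

    /**
     * Builds a provider from the realm configuration.
     *
     * @param activeDirectorySecurityRealm realm holding domain, site, server and bind settings
     * @throws IllegalArgumentException if the realm has no domain configured
     */
    public ActiveDirectoryUnixAuthenticationProvider(ActiveDirectorySecurityRealm activeDirectorySecurityRealm) {
        if (activeDirectorySecurityRealm.domain == null) {
            throw new IllegalArgumentException("Active Directory domain name is required but it is not set");
        }
        this.domainNames = activeDirectorySecurityRealm.domain.split(",");
        this.site = activeDirectorySecurityRealm.site;
        this.bindName = activeDirectorySecurityRealm.bindName;
        this.server = activeDirectorySecurityRealm.server;
        this.bindPassword = Secret.toString(activeDirectorySecurityRealm.bindPassword);
        this.descriptor = activeDirectorySecurityRealm.m85getDescriptor();
    }

    /**
     * Not supported: users can only be resolved as part of an authentication attempt.
     *
     * @throws UsernameNotFoundException always
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
        throw new UsernameNotFoundException("Active-directory plugin doesn't support user retrieval");
    }

    /**
     * Intentionally empty: the password is verified by the LDAP bind performed in
     * {@link #retrieveUser(String, String, String, List, SocketInfo)}, so there is nothing left to re-check here.
     */
    @Override
    protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
    }

    /**
     * Tries each configured domain in turn and returns the first successful authentication.
     *
     * @param username       name as typed by the user
     * @param authentication token carrying the password as its credentials
     * @return the authenticated user
     * @throws BadCredentialsException        if no domain accepted the credentials
     * @throws AuthenticationServiceException if a domain's LDAP service could not be located (aborts the loop)
     */
    @Override
    protected UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
        for (String domainName : this.domainNames) {
            try {
                UserDetails user = retrieveUser(username, authentication, domainName);
                if (user != null) {
                    return user;
                }
            } catch (BadCredentialsException e) {
                // Keep going: the account may live in one of the remaining domains.
                LOGGER.log(Level.WARNING, "Credential exception tying to authenticate against " + domainName + " domain", e);
            }
        }
        LOGGER.log(Level.WARNING, "Exhausted all configured domains and could not authenticat against any.");
        throw new BadCredentialsException("Either no such user '" + username + "' or incorrect password");
    }

    /**
     * Authenticates against a single domain, running JNDI with this plugin's class loader as the
     * thread context class loader.
     *
     * @throws AuthenticationServiceException if the LDAP servers for the domain cannot be located
     */
    private UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication, String domainName) throws AuthenticationException {
        ClassLoader originalClassLoader = Thread.currentThread().getContextClassLoader();
        Thread.currentThread().setContextClassLoader(getClass().getClassLoader());
        try {
            String password = authentication != null ? (String) authentication.getCredentials() : null;
            List<SocketInfo> ldapServers = this.descriptor.obtainLDAPServer(domainName, this.site, this.server);
            SocketInfo preferredServer = this.server != null ? new SocketInfo(this.server) : null;
            return retrieveUser(username, password, domainName, ldapServers, preferredServer);
        } catch (NamingException e) {
            LOGGER.log(Level.WARNING, "Failed to find the LDAP service", e);
            throw new AuthenticationServiceException("Failed to find the LDAP service for the domain " + domainName, e);
        } finally {
            // Restore on every exit path; the original only did so on success.
            Thread.currentThread().setContextClassLoader(originalClassLoader);
        }
    }

    /**
     * Authenticates {@code username}/{@code password} against the given domain and resolves group membership.
     * <p>
     * With a configured bind account the directory is searched with that account and the user's password is then
     * verified by a second bind as the user's DN; without one, the user's own principal name and password are used
     * for the initial bind.
     *
     * @param username        name as typed (may be {@code DOMAIN\user} or {@code user@domain})
     * @param password        the user's clear-text password
     * @param domainName      domain to authenticate against
     * @param ldapServers     candidate servers for the domain
     * @param preferredServer explicitly configured server, or {@code null}
     * @return the authenticated user with its group authorities plus {@link SecurityRealm#AUTHENTICATED_AUTHORITY}
     * @throws BadCredentialsException        if the password is empty, the bind fails or the user entry cannot be found
     * @throws AuthenticationServiceException if the configured bind account itself cannot bind
     */
    public UserDetails retrieveUser(String username, String password, String domainName, List<SocketInfo> ldapServers, SocketInfo preferredServer) {
        // An LDAP simple bind with an empty password is an unauthenticated bind and can succeed for any account
        // (RFC 4513 section 5.1.2). The descriptor's bind() is not visible here, so refuse it before any bind happens.
        if (password == null || password.length() == 0) {
            throw new BadCredentialsException("Empty password is not accepted for user '" + username + "'");
        }
        String accountName;
        DirContext context;
        if (this.bindName != null) {
            accountName = username;
            try {
                context = this.descriptor.bind(this.bindName, this.bindPassword, ldapServers, preferredServer);
            } catch (BadCredentialsException e) {
                // A rejected service account is a configuration problem, not a user error.
                throw new AuthenticationServiceException("Failed to bind to LDAP server with the bind name/password", e);
            }
        } else {
            String principalName = getPrincipalName(username, domainName);
            accountName = principalName.substring(0, principalName.indexOf('@'));
            context = this.descriptor.bind(principalName, password, ldapServers, preferredServer);
        }
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            String baseDn = toDC(domainName);
            SearchResult userEntry = findUser(context, baseDn, accountName, controls);
            if (userEntry == null) {
                throw new BadCredentialsException("Authentication was successful but cannot locate the user information for " + username);
            }
            if (this.bindName != null) {
                // The lookup so far used the service account; the user's password is only proven by binding as the user.
                Attribute dnAttribute = userEntry.getAttributes().get("distinguishedName");
                Object dn = dnAttribute != null ? dnAttribute.get() : null;
                if (dn == null) {
                    throw new BadCredentialsException("No distinguished name for " + username);
                }
                LOGGER.fine("Attempting to validate password for DN=" + dn);
                DirContext userContext = this.descriptor.bind(dn.toString(), password, ldapServers, preferredServer);
                try {
                    // Probe search as the user so that a deferred connection failure surfaces here rather than later.
                    userContext.search(baseDn, UPN_FILTER, new Object[]{accountName}, controls).close();
                } finally {
                    userContext.close();
                }
            }
            Set<GrantedAuthority> authorities = resolveGroups(userEntry.getAttributes(), context);
            authorities.add(SecurityRealm.AUTHENTICATED_AUTHORITY);
            // NOTE(review): the clear-text password is retained in the UserDetails, as in the original; kept for compatibility.
            return new ActiveDirectoryUserDetail(accountName, password, true, true, true, true, authorities.toArray(new GrantedAuthority[authorities.size()]));
        } catch (NamingException e) {
            LOGGER.log(Level.WARNING, "Failed to retrieve user information for " + username, e);
            throw new BadCredentialsException("Failed to retrieve user information for " + username, e);
        } finally {
            closeQuietly(context);
        }
    }

    /**
     * Finds the user's entry by userPrincipalName, falling back to sAMAccountName.
     *
     * @return the first matching entry, or {@code null} if neither search matched
     */
    private static SearchResult findUser(DirContext context, String baseDn, String accountName, SearchControls controls) throws NamingException {
        SearchResult entry = firstResult(context, baseDn, UPN_FILTER, accountName, controls);
        if (entry == null) {
            LOGGER.fine("Failed to find " + accountName + " in userPrincipalName. Trying sAMAccountName");
            entry = firstResult(context, baseDn, SAM_FILTER, accountName, controls);
        }
        return entry;
    }

    /** Runs one parameterised search and returns its first result (or {@code null}), always closing the enumeration. */
    private static SearchResult firstResult(DirContext context, String baseDn, String filter, String accountName, SearchControls controls) throws NamingException {
        NamingEnumeration<SearchResult> results = context.search(baseDn, filter, new Object[]{accountName}, controls);
        try {
            return results.hasMore() ? results.next() : null;
        } finally {
            results.close();
        }
    }

    /** Closes a directory context, logging (not propagating) failures since the result is already decided. */
    private static void closeQuietly(DirContext context) {
        if (context == null) {
            return;
        }
        try {
            context.close();
        } catch (NamingException e) {
            LOGGER.log(Level.FINE, "Failed to close LDAP context", e);
        }
    }

    /**
     * Normalises the typed name into a userPrincipalName for the domain:
     * {@code SUB\user} becomes {@code user@SUB.domain}, {@code user@x} becomes {@code user@x.domain},
     * and a bare {@code user} becomes {@code user@domain}.
     */
    private String getPrincipalName(String username, String domainName) {
        int backslash = username.indexOf('\\');
        if (backslash > 0) {
            return username.substring(backslash + 1) + '@' + username.substring(0, backslash) + '.' + domainName;
        }
        if (username.contains("@")) {
            return username + '.' + domainName;
        }
        return username + '@' + domainName;
    }

    /**
     * Walks {@code memberOf} transitively (breadth-first) and returns one authority per distinct group CN.
     * Groups whose entry has no CN are skipped with a warning rather than failing the whole login, which can only
     * narrow the granted authorities.
     */
    private Set<GrantedAuthority> resolveGroups(Attributes userAttributes, DirContext context) throws NamingException {
        Set<GrantedAuthority> groups = new HashSet<GrantedAuthority>();
        LinkedList<Attributes> pending = new LinkedList<Attributes>();
        pending.add(userAttributes);
        while (!pending.isEmpty()) {
            Attributes current = pending.removeFirst();
            Attribute memberOf = current.get("memberOf");
            if (memberOf == null) {
                continue;
            }
            for (int i = 0; i < memberOf.size(); i++) {
                Object groupDn = memberOf.get(i);
                if (LOGGER.isLoggable(Level.FINE)) {
                    Attribute currentCn = current.get("CN");
                    LOGGER.fine((currentCn != null ? currentCn.get() : "<no CN>") + " is a member of " + groupDn);
                }
                // The DN is quoted so JNDI treats it as a single composite-name component.
                Attributes groupAttributes = context.getAttributes("\"" + groupDn + '\"', GROUP_ATTRIBUTES);
                Attribute groupCn = groupAttributes.get("CN");
                Object cnValue = groupCn != null ? groupCn.get() : null;
                if (cnValue == null) {
                    LOGGER.warning("Group " + groupDn + " has no CN attribute; skipping");
                    continue;
                }
                // Only newly seen groups are expanded, which also terminates on cyclic memberships.
                if (groups.add(new GrantedAuthorityImpl(cnValue.toString()))) {
                    pending.add(groupAttributes);
                }
            }
        }
        return groups;
    }

    /**
     * Converts a DNS domain name into its DC-style base DN, e.g. {@code example.com} to {@code DC=example,DC=com}.
     * Empty labels are dropped; labels are not escaped, which is acceptable because the value comes from configuration.
     */
    private static String toDC(String domainName) {
        StringBuilder dn = new StringBuilder();
        for (String label : domainName.split("\\.")) {
            if (label.length() == 0) {
                continue;
            }
            if (dn.length() > 0) {
                dn.append(",");
            }
            dn.append("DC=").append(label);
        }
        return dn.toString();
    }

    /**
     * Group lookup is not supported on its own; the exception signals that the group may or may not exist.
     */
    @Override // hudson.plugins.active_directory.GroupDetailsService
    public GroupDetails loadGroupByGroupname(String groupName) {
        throw new UserMayOrMayNotExistException(groupName);
    }
}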
