package hudson.plugins.active_directory;

import com.sun.jndi.ldap.LdapCtxFactory;
import com4j.typelibs.ado20.ClassFactory;
import groovy.lang.Binding;
import hudson.Extension;
import hudson.Functions;
import hudson.Util;
import hudson.model.Descriptor;
import hudson.model.Hudson;
import hudson.security.GroupDetails;
import hudson.security.SecurityRealm;
import hudson.util.FormValidation;
import hudson.util.Secret;
import hudson.util.spring.BeanBuilder;
import java.io.IOException;
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.servlet.ServletException;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.userdetails.UserDetailsService;
import org.acegisecurity.userdetails.UsernameNotFoundException;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.springframework.dao.DataAccessException;
import org.springframework.web.context.WebApplicationContext;

/* loaded from: input_file:hudson/plugins/active_directory/ActiveDirectorySecurityRealm.class */
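public class ActiveDirectorySecurityRealm extends SecurityRealm {
    /** Active Directory domain name; the validator additionally accepts a comma-separated list. */
    public final String domain;
    /** Optional AD site used to narrow SRV discovery ({@code null} when not configured). */
    public final String site;
    /** Optional DN used for the initial LDAP bind ({@code null} when not configured). */
    public final String bindName;
    /** Password for {@link #bindName}, kept as an encrypted {@link Secret}; {@code null} when unset. */
    public final Secret bindPassword;
    /** Optional preferred domain controller as {@code host:port}; a bare host gets {@link #DEFAULT_SERVER_PORT}. */
    public final String server;

    private static final Logger LOGGER = Logger.getLogger(ActiveDirectorySecurityRealm.class.getName());

    /** Port appended to a configured server that carries none (3268 is the Global Catalog LDAP port). */
    private static final int DEFAULT_SERVER_PORT = 3268;

    /**
     * Comma-separated {@code host:port} list read from the system property
     * {@code hudson.plugins.active_directory.ActiveDirectorySecurityRealm.domainControllers}. When set it replaces
     * DNS SRV discovery entirely and therefore also decides which hosts receive bind credentials. Left public and
     * non-final so existing callers and tests that assign it keep working.
     */
    public static String DOMAIN_CONTROLLERS = System.getProperty(ActiveDirectorySecurityRealm.class.getName() + ".domainControllers");

    @Extension
    public static final class DesciprotrImpl extends Descriptor<SecurityRealm> {
        /** Guards the "COM4J isn't working" log line so it is emitted once per JVM (a racy duplicate is harmless). */
        private static boolean WARNED = false;

        /**
         * SRV name prefixes probed in order: Global Catalog first, then plain LDAP. Only {@code host} is used to build
         * the query name; the port on each entry is not consulted because the SRV record itself carries the port.
         */
        private static final List<SocketInfo> CANDIDATES = Arrays.asList(
                new SocketInfo("_gc._tcp.", 3269), new SocketInfo("_ldap._tcp.", 636));

        @Override
        public String getDisplayName() {
            return Messages.DisplayName();
        }

        @Override
        public String getHelpFile() {
            return "/plugin/active-directory/help/realm.html";
        }

        /**
         * Probes whether native Windows (COM4J/ADSI) authentication is usable.
         *
         * @return {@code true} only on Windows and only when an ADO connection object can be created and disposed
         */
        public boolean canDoNativeAuth() {
            if (!Functions.isWindows()) {
                return false;
            }
            try {
                ClassFactory.createConnection().dispose();
                return true;
            } catch (Throwable t) {
                // Log the first failure only; later probes fall back silently.
                if (!WARNED) {
                    LOGGER.log(Level.INFO, "COM4J isn't working. Falling back to non-native authentication", t);
                    WARNED = true;
                }
                return false;
            }
        }

        /**
         * Form validation for the realm configuration. For every configured domain it checks that the name has an A
         * record, that a domain controller can be discovered, and then either that the bind DN/password are accepted
         * or (when no DN is given) that at least one discovered controller accepts a TCP connection.
         * <p>
         * NOTE(review): {@code @QueryParameter} resolves by Java parameter name; the names {@code str..str5} seen here
         * would not match the form fields. The positional meaning is domain, site, bind DN, bind password, server
         * (mirroring the constructor) — confirm against the original source.
         *
         * @param str  domain name(s), comma-separated
         * @param str2 AD site, or {@code null}
         * @param str3 bind DN, or {@code null}
         * @param str4 bind password, or {@code null}
         * @param str5 preferred server as {@code host:port}, or {@code null}
         * @return {@code ok} on success, otherwise an {@code error} describing the first failing domain
         * @throws NamingException never thrown by the current body; kept for signature compatibility
         */
        public FormValidation doValidate(@QueryParameter(fixEmpty = true) String str,
                                         @QueryParameter(fixEmpty = true) String str2,
                                         @QueryParameter(fixEmpty = true) String str3,
                                         @QueryParameter(fixEmpty = true) String str4,
                                         @QueryParameter(fixEmpty = true) String str5)
                throws IOException, ServletException, NamingException {
            // Swap in the plugin class loader (presumably so JNDI can load TrustAllSocketFactory by name) and
            // restore it on every exit path via finally rather than before each return.
            ClassLoader previous = Thread.currentThread().getContextClassLoader();
            Thread.currentThread().setContextClassLoader(getClass().getClassLoader());
            try {
                Functions.checkPermission(Hudson.ADMINISTER);
                return validate(str, str2, str3, str4, str5);
            } finally {
                Thread.currentThread().setContextClassLoader(previous);
            }
        }

        /** Body of {@link #doValidate}; runs with the plugin class loader already installed. */
        private FormValidation validate(String domains, String site, String bindName, String bindPassword, String server) {
            String domainList = Util.fixEmptyAndTrim(domains);
            if (domainList == null) {
                return FormValidation.error("No domain name set");
            }
            Secret password = Secret.fromString(bindPassword);
            if (bindName != null && password == null) {
                return FormValidation.error("DN is specified but not password");
            }
            SocketInfo preferred = server == null ? null : new SocketInfo(server);
            for (String entry : domainList.split(",")) {
                String name = Util.fixEmptyAndTrim(entry);
                if (name == null) {
                    continue; // tolerate "a.example,,b.example" and trailing commas
                }
                // DNS names are probed in absolute form.
                String fqdn = name.endsWith(".") ? name : name + '.';
                FormValidation problem = validateDomain(fqdn, site, bindName, password, server, preferred);
                if (problem != null) {
                    return problem;
                }
            }
            return FormValidation.ok("Success");
        }

        /**
         * Validates a single absolute domain name.
         *
         * @return {@code null} when the domain passes, otherwise the error to report
         */
        private FormValidation validateDomain(String fqdn, String site, String bindName, Secret password,
                                              String server, SocketInfo preferred) {
            DirContext dns = null;
            try {
                LOGGER.fine("Attempting to resolve " + fqdn + " to A record");
                dns = createDNSLookupContext();
                Attribute a = dns.getAttributes(fqdn, new String[] {"A"}).get("A");
                if (a == null) {
                    throw new NamingException("No A record for " + fqdn);
                }
                LOGGER.fine(fqdn + " resolved to " + a.get());

                List<SocketInfo> servers;
                try {
                    servers = obtainLDAPServer(dns, fqdn, site, server);
                } catch (NamingException e) {
                    String message = site == null
                            ? "No LDAP server was found in " + fqdn
                            : "No LDAP server was found in the " + site + " site of " + fqdn;
                    LOGGER.log(Level.WARNING, message, e);
                    return FormValidation.error(e, message);
                }
                return bindName != null
                        ? checkBind(bindName, password, servers, preferred)
                        : checkReachable(servers);
            } catch (NamingException e) {
                LOGGER.log(Level.WARNING, "Failed to resolve " + fqdn + " to A record", e);
                return FormValidation.error(e, fqdn + " doesn't look like a valid domain name");
            } finally {
                closeQuietly(dns);
            }
        }

        /**
         * Verifies the configured bind credentials against the discovered controllers.
         * BadCredentialsException must be caught before Exception; nesting the handlers the other way round made the
         * "Bad bind username or password" branch unreachable.
         *
         * @return {@code null} on success, otherwise the error to report
         */
        private FormValidation checkBind(String bindName, Secret password, List<SocketInfo> servers, SocketInfo preferred) {
            try {
                bind(bindName, Secret.toString(password), servers, preferred).close();
            } catch (BadCredentialsException e) {
                return FormValidation.error(e, "Bad bind username or password");
            } catch (Exception e) {
                return FormValidation.error(e, e.getMessage());
            }
            return null;
        }

        /**
         * Checks that at least one controller accepts a TCP connection. A success returns immediately so an earlier
         * failure on a different controller is not reported as an error.
         *
         * @return {@code null} when some controller is reachable, otherwise the error to report
         */
        private FormValidation checkReachable(List<SocketInfo> servers) {
            IOException lastFailure = null;
            for (SocketInfo candidate : servers) {
                try {
                    candidate.connect().close();
                    return null;
                } catch (IOException e) {
                    LOGGER.log(Level.FINE, "Failed to connect to " + candidate, e);
                    lastFailure = e;
                }
            }
            if (lastFailure == null) {
                return null; // empty server list: nothing to test
            }
            LOGGER.log(Level.WARNING, "Failed to connect to " + servers, lastFailure);
            return FormValidation.error(lastFailure, "Failed to connect to " + servers);
        }

        /** Closes a DNS context, logging (not propagating) a failure to do so. */
        private static void closeQuietly(DirContext ctx) {
            if (ctx == null) {
                return;
            }
            try {
                ctx.close();
            } catch (NamingException e) {
                LOGGER.log(Level.FINE, "Failed to close DNS lookup context", e);
            }
        }

        /**
         * Binds to the first controller that accepts the credentials, trying {@code socketInfo} first when given.
         * The environment enables referral following, so the same credentials are also presented to any server a
         * referral points at.
         *
         * @param str        principal name to bind as
         * @param str2       clear-text password
         * @param list       discovered controllers, tried in order after the preferred one
         * @param socketInfo preferred controller, or {@code null}
         * @return a bound context; the caller must close it
         * @throws BadCredentialsException when no controller accepted the bind; the last failure is the cause
         */
        public DirContext bind(String str, String str2, List<SocketInfo> list, SocketInfo socketInfo) {
            Hashtable<String, String> env = new Hashtable<>();
            env.put("java.naming.referral", "follow");
            NamingException lastFailure = null;
            if (socketInfo != null) {
                try {
                    LdapContext ctx = bind(str, str2, socketInfo, env);
                    LOGGER.fine("Bound to " + socketInfo);
                    return ctx;
                } catch (NamingException e) {
                    LOGGER.log(Level.WARNING, "Failed to bind to preferred server " + socketInfo, e);
                    lastFailure = e;
                }
            }
            for (SocketInfo candidate : list) {
                try {
                    LdapContext ctx = bind(str, str2, candidate, env);
                    LOGGER.fine("Bound to " + candidate);
                    return ctx;
                } catch (NamingException e) {
                    LOGGER.log(Level.WARNING, "Failed to bind to " + candidate, e);
                    lastFailure = e;
                }
            }
            throw new BadCredentialsException("Either no such user '" + str + "' or incorrect password", lastFailure);
        }

        /**
         * Opens an LDAP context to one controller, attempts a StartTLS upgrade and installs the credentials.
         * <p>
         * Security note: the socket factory is {@code TrustAllSocketFactory}, which — judging by its name — performs
         * no server certificate validation, so StartTLS here shields the password from passive observation only; and
         * when negotiation fails the bind proceeds over plain-text LDAP.
         * <p>
         * NOTE(review): no request is issued after the credentials are installed, so whether the password is actually
         * checked before this returns depends on JNDI re-binding lazily — confirm, or add an explicit reconnect.
         *
         * @throws NamingException when the context cannot be created
         */
        private LdapContext bind(String str, String str2, SocketInfo socketInfo, Hashtable<String, String> hashtable) throws NamingException {
            String url = "ldap://" + socketInfo + '/';
            String threadName = Thread.currentThread().getName();
            // Temporarily label the thread so a hang shows which controller is being contacted.
            Thread.currentThread().setName("Connecting to " + url + " : " + threadName);
            try {
                // com.sun internal API; not part of the supported JDK surface.
                LdapContext ctx = LdapCtxFactory.getLdapCtxInstance(url, hashtable);
                try {
                    ctx.addToEnvironment("java.naming.ldap.factory.socket", TrustAllSocketFactory.class.getName());
                    ((StartTlsResponse) ctx.extendedOperation(new StartTlsRequest())).negotiate();
                    LOGGER.fine("Connection upgraded to TLS");
                } catch (NamingException | IOException e) {
                    LOGGER.log(Level.FINE, "Failed to start TLS. Authentication will be done via plain-text LDAP", e);
                    ctx.addToEnvironment("java.naming.ldap.factory.socket", null);
                }
                ctx.addToEnvironment("java.naming.security.principal", str);
                ctx.addToEnvironment("java.naming.security.credentials", str2);
                return ctx;
            } finally {
                Thread.currentThread().setName(threadName);
            }
        }

        /**
         * Creates a JNDI DNS context backed by the JVM's default resolver (no server is named in the provider URL).
         *
         * @throws NamingException when the DNS provider cannot be initialised
         */
        public DirContext createDNSLookupContext() throws NamingException {
            Hashtable<String, String> env = new Hashtable<>();
            env.put("java.naming.factory.initial", "com.sun.jndi.dns.DnsContextFactory");
            env.put("java.naming.provider.url", "dns:");
            return new InitialDirContext(env);
        }

        /**
         * Convenience overload that creates and closes its own DNS context.
         *
         * @see #obtainLDAPServer(DirContext, String, String, String)
         */
        public List<SocketInfo> obtainLDAPServer(String str, String str2, String str3) throws NamingException {
            DirContext dns = createDNSLookupContext();
            try {
                return obtainLDAPServer(dns, str, str2, str3);
            } finally {
                closeQuietly(dns);
            }
        }

        /**
         * Discovers domain controllers for a domain via DNS SRV records, or from {@link #DOMAIN_CONTROLLERS} when that
         * override is set.
         *
         * @param dirContext DNS context to query
         * @param str        domain name
         * @param str2       AD site, or {@code null} to query the domain-wide record
         * @param str3       preferred server as {@code host:port}, or {@code null}
         * @return controllers with the lowest SRV priority; never empty
         * @throws NamingException when the override is malformed or no SRV record yields a target
         */
        public List<SocketInfo> obtainLDAPServer(DirContext dirContext, String str, String str2, String str3) throws NamingException {
            if (DOMAIN_CONTROLLERS != null) {
                return parseDomainControllerOverride(DOMAIN_CONTROLLERS);
            }

            String srvName = null;
            Attribute srv = null;
            NamingException lookupFailure = null;
            for (SocketInfo candidate : CANDIDATES) {
                srvName = candidate.host + (str2 != null ? str2 + "._sites." : "") + str;
                LOGGER.fine("Attempting to resolve " + srvName + " to SRV record");
                try {
                    srv = dirContext.getAttributes(srvName, new String[] {"SRV"}).get("SRV");
                } catch (NamingException e) {
                    lookupFailure = e;
                }
                if (srv != null) {
                    break;
                }
            }

            List<SocketInfo> result = new ArrayList<>();
            if (str3 != null) {
                result.add(new SocketInfo(str3));
            }
            if (srv != null) {
                addLowestPriorityTargets(srv, result);
            }
            if (!result.isEmpty()) {
                LOGGER.fine(srvName + " resolved to " + result);
                return result;
            }
            NamingException notFound = new NamingException("No SRV record found for " + srvName);
            if (lookupFailure != null) {
                notFound.initCause(lookupFailure);
            }
            throw notFound;
        }

        /**
         * Parses the {@code host:port,host:port} override list.
         *
         * @throws NamingException for an entry without exactly one colon or with a non-numeric port (previously a
         *                         NumberFormatException escaped)
         */
        private static List<SocketInfo> parseDomainControllerOverride(String spec) throws NamingException {
            List<SocketInfo> servers = new ArrayList<>();
            for (String entry : spec.split(",")) {
                String[] hostPort = entry.trim().split(":");
                if (hostPort.length != 2) {
                    throw new NamingException("Invalid domain controller override: " + entry);
                }
                try {
                    servers.add(new SocketInfo(hostPort[0], Integer.parseInt(hostPort[1])));
                } catch (NumberFormatException e) {
                    NamingException invalid = new NamingException("Invalid domain controller override: " + entry);
                    invalid.initCause(e);
                    throw invalid;
                }
            }
            return servers;
        }

        /**
         * Appends the targets of the lowest-priority SRV records to {@code out}. Records are "priority weight port
         * target"; weight is ignored. Whenever a record with a new lowest priority is seen {@code out} is cleared, so an
         * entry pre-seeded by the caller (the preferred server) survives only when no record is returned — callers pass
         * the preferred server to {@link #bind} separately, which is presumably why this is tolerated. Malformed records
         * are logged and skipped instead of throwing.
         */
        private static void addLowestPriorityTargets(Attribute srv, List<SocketInfo> out) throws NamingException {
            int lowest = -1;
            NamingEnumeration<?> records = srv.getAll();
            while (records.hasMoreElements()) {
                String record = records.next().toString();
                LOGGER.fine("SRV record found: " + record);
                String[] fields = record.trim().split("\\s+");
                if (fields.length < 4) {
                    LOGGER.warning("Ignoring malformed SRV record: " + record);
                    continue;
                }
                int priority;
                int port;
                try {
                    priority = Integer.parseInt(fields[0]);
                    port = Integer.parseInt(fields[2]);
                } catch (NumberFormatException e) {
                    LOGGER.log(Level.WARNING, "Ignoring malformed SRV record: " + record, e);
                    continue;
                }
                if (lowest == -1 || priority < lowest) {
                    lowest = priority;
                    out.clear();
                }
                if (priority == lowest) {
                    String target = fields[3];
                    if (target.endsWith(".")) {
                        target = target.substring(0, target.length() - 1);
                    }
                    out.add(new SocketInfo(target, port));
                }
            }
        }
    }

    /**
     * Creates the realm from the configuration form. Empty strings become {@code null}; a server given without a port
     * gets {@link #DEFAULT_SERVER_PORT}.
     * <p>
     * NOTE(review): {@code @DataBoundConstructor} binds by parameter name; the names {@code str..str5} here are a
     * decompiler rendering of domain, site, bindName, bindPassword, server — confirm against the original source.
     */
    @DataBoundConstructor
    public ActiveDirectorySecurityRealm(String str, String str2, String str3, String str4, String str5) {
        this.domain = Util.fixEmpty(str);
        this.site = Util.fixEmpty(str2);
        this.bindName = Util.fixEmpty(str3);
        this.bindPassword = Secret.fromString(Util.fixEmpty(str4));
        String preferred = Util.fixEmpty(str5);
        if (preferred != null && !preferred.contains(":")) {
            preferred = preferred + ':' + DEFAULT_SERVER_PORT;
        }
        this.server = preferred;
    }

    /**
     * Builds the authentication manager and user-details service from {@code ActiveDirectory.groovy}, which sees
     * this realm as the {@code realm} variable.
     */
    @Override
    public SecurityRealm.SecurityComponents createSecurityComponents() {
        BeanBuilder builder = new BeanBuilder(getClass().getClassLoader());
        Binding binding = new Binding();
        binding.setVariable("realm", this);
        builder.parse(getClass().getResourceAsStream("ActiveDirectory.groovy"), binding);
        WebApplicationContext context = builder.createApplicationContext();
        AuthenticationManager authenticationManager = (AuthenticationManager) findBean(AuthenticationManager.class, context);
        UserDetailsService userDetailsService = (UserDetailsService) findBean(UserDetailsService.class, context);
        return new SecurityRealm.SecurityComponents(authenticationManager, userDetailsService);
    }

    /**
     * Typed descriptor accessor. The name appears to be the decompiler's rendering of a covariant
     * {@code getDescriptor()} override; it is kept as-is so in-file callers keep compiling.
     */
    public DesciprotrImpl m2getDescriptor() {
        return (DesciprotrImpl) super.getDescriptor();
    }

    /**
     * Administrator-only diagnostics page: resolves the domain controllers and attempts to authenticate the supplied
     * user against each one, rendering the transcript (including stack traces) through {@code test.jelly}.
     * <p>
     * NOTE(review): {@code str2} is a password arriving as a request parameter; make sure the test form submits via
     * POST so it does not end up in access logs.
     *
     * @param str  user name to test
     * @param str2 password to test
     */
    public void doAuthTest(StaplerRequest staplerRequest, StaplerResponse staplerResponse,
                           @QueryParameter String str, @QueryParameter String str2) throws IOException, ServletException {
        Hudson.getInstance().checkPermission(Hudson.ADMINISTER);
        StringWriter transcript = new StringWriter();
        PrintWriter out = new PrintWriter(transcript);
        ClassLoader previous = Thread.currentThread().getContextClassLoader();
        Thread.currentThread().setContextClassLoader(getClass().getClassLoader());
        try {
            try {
                UserDetailsService userDetails = getSecurityComponents().userDetails;
                if (userDetails instanceof ActiveDirectoryUnixAuthenticationProvider) {
                    ActiveDirectoryUnixAuthenticationProvider provider = (ActiveDirectoryUnixAuthenticationProvider) userDetails;
                    try {
                        out.println("Domain=" + this.domain + " site=" + this.site);
                        List<SocketInfo> controllers = m2getDescriptor().obtainLDAPServer(this.domain, this.site, this.server);
                        out.println("List of domain controllers: " + controllers);
                        SocketInfo preferred = this.server != null ? new SocketInfo(this.server) : null;
                        for (SocketInfo controller : controllers) {
                            out.println("Trying a domain controller at " + controller);
                            try {
                                out.println("Authenticated as " + provider.retrieveUser(str, str2, this.domain,
                                        Collections.singletonList(controller), preferred));
                            } catch (AuthenticationException e) {
                                // Part of the diagnostic output the admin asked for.
                                e.printStackTrace(out);
                            }
                        }
                    } catch (NamingException e) {
                        out.println("Failing to resolve domain controllers");
                        e.printStackTrace(out);
                    }
                } else {
                    out.println("Using Windows ADSI. No diagnostics available.");
                }
            } catch (Exception e) {
                e.printStackTrace(out);
            }
        } finally {
            // Restore before rendering, as the original did.
            Thread.currentThread().setContextClassLoader(previous);
        }
        out.flush();
        staplerRequest.setAttribute("output", transcript.toString());
        staplerRequest.getView(this, "test.jelly").forward(staplerRequest, staplerResponse);
    }

    /** Delegates group lookup to the configured user-details service. */
    @Override
    public GroupDetails loadGroupByGroupname(String str) throws UsernameNotFoundException, DataAccessException {
        return getSecurityComponents().userDetails.loadGroupByGroupname(str);
    }
}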
