package hudson.plugins.active_directory;

import com.sun.jndi.ldap.LdapCtxFactory;
import com4j.typelibs.ado20.ClassFactory;
import groovy.lang.Binding;
import hudson.Extension;
import hudson.Functions;
import hudson.Util;
import hudson.model.Descriptor;
import hudson.model.Hudson;
import hudson.security.AbstractPasswordBasedSecurityRealm;
import hudson.security.GroupDetails;
import hudson.security.SecurityRealm;
import hudson.security.TokenBasedRememberMeServices2;
import hudson.util.FormValidation;
import hudson.util.Secret;
import hudson.util.spring.BeanBuilder;
import java.io.IOException;
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.naming.AuthenticationException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.Control;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.net.ssl.SSLSocketFactory;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.userdetails.UserDetailsService;
import org.acegisecurity.userdetails.UsernameNotFoundException;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.springframework.dao.DataAccessException;
import org.springframework.web.context.WebApplicationContext;

/* loaded from: input_file:hudson/plugins/active_directory/ActiveDirectorySecurityRealm.class */
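/**
 * {@link SecurityRealm} backed by Active Directory.
 *
 * <p>Two authentication back-ends exist: a Windows-native one (ADSI via COM4J, see
 * {@link DescriptorImpl#canDoNativeAuth()}) and an LDAP one
 * ({@link ActiveDirectoryUnixAuthenticationProvider}) that talks to domain controllers discovered
 * from DNS SRV records or listed explicitly. Which one is wired in is decided by
 * {@code ActiveDirectory.groovy}, which is not part of this file; see
 * {@link #createSecurityComponents()}.
 *
 * <p>Security notes for operators: LDAP connections use {@code TrustAllSocketFactory} and, unless
 * {@link #FORCE_LDAPS} is set, fall back to plain-text LDAP when StartTLS cannot be negotiated
 * (see {@link DescriptorImpl#bind(String, String, SocketInfo, Hashtable)}). Setting the system
 * property {@code hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps} avoids
 * that downgrade.
 */
public class ActiveDirectorySecurityRealm extends AbstractPasswordBasedSecurityRealm {
    /** Comma-separated AD domain name(s); {@code null} when not configured. */
    public final String domain;
    /** Optional AD site name used to narrow SRV discovery; {@code null} when not configured. */
    public final String site;
    /** DN used for the service bind; {@code null} means anonymous bind. */
    public final String bindName;
    /** Password for {@link #bindName}, kept as an encrypted {@link Secret}. */
    public final Secret bindPassword;
    /**
     * Explicit domain controller as {@code host[:port]}; {@code :3268} (global catalog) is
     * appended when no port is given. {@code null} means discover controllers via DNS.
     */
    public final String server;
    private static final Logger LOGGER = Logger.getLogger(ActiveDirectorySecurityRealm.class.getName());
    /**
     * Comma-separated {@code host:port} list read from the system property
     * {@code <this class>.domainControllers}. When set it replaces DNS SRV discovery for every
     * domain (see {@link DescriptorImpl#obtainLDAPServer(DirContext, String, String, String)}).
     * Deliberately non-final so it can be adjusted at runtime.
     */
    public static String DOMAIN_CONTROLLERS = System.getProperty(ActiveDirectorySecurityRealm.class.getName() + ".domainControllers");
    /**
     * When {@code true}, connect with {@code ldaps://} (SRV ports 389/3268 are mapped to 636/3269)
     * and skip the StartTLS upgrade. Read from the system property {@code <this class>.forceLdaps}.
     * This is the switch that prevents the plain-text fallback described on the class.
     */
    public static boolean FORCE_LDAPS = Boolean.getBoolean(ActiveDirectorySecurityRealm.class.getName() + ".forceLdaps");

    /**
     * Descriptor for the realm: the configuration-form validation and the LDAP/DNS helpers used
     * both by the form and by the authentication providers.
     */
    @Extension
    public static final class DescriptorImpl extends Descriptor<SecurityRealm> {
        /** Set once the first COM4J failure has been logged, so the message is emitted only once. */
        private static boolean WARNED = false;
        /** SRV name prefixes tried in order: global catalog first, then plain LDAP. */
        private static final List<String> CANDIDATES = Arrays.asList("_gc._tcp.", "_ldap._tcp.");

        /** A discovered domain controller together with the SRV priority it was found with. */
        private static final class C1PrioritizedSocketInfo implements Comparable<C1PrioritizedSocketInfo> {
            final SocketInfo socket;
            final int priority;

            C1PrioritizedSocketInfo(SocketInfo socket, int priority) {
                this.socket = socket;
                this.priority = priority;
            }

            /**
             * Orders entries so that the larger priority value comes first, as the original code did
             * (overflow-safe comparison instead of subtraction).
             * NOTE(review): RFC 2782 treats the lower priority value as the preferred one, so if the
             * SRV data follows the RFC this tries the least-preferred controllers first — confirm
             * the intended order before changing it.
             */
            @Override
            public int compareTo(C1PrioritizedSocketInfo that) {
                return Integer.compare(that.priority, this.priority);
            }
        }

        /** Display name shown in the security-realm selector. */
        public String getDisplayName() {
            return Messages.DisplayName();
        }

        /** Location of the inline help for the realm configuration. */
        public String getHelpFile() {
            return "/plugin/active-directory/help/realm.html";
        }

        /**
         * Whether Windows-native authentication (ADSI through COM4J) can be used on this node.
         *
         * @return {@code false} off Windows or when COM4J cannot create an ADO connection; the first
         *         such failure is logged once at INFO so a broken native bridge is visible
         */
        public boolean canDoNativeAuth() {
            if (!Functions.isWindows()) {
                return false;
            }
            try {
                ClassFactory.createConnection().dispose();
                return true;
            } catch (Throwable th) {
                // Throwable rather than Exception so that link/initialization errors from the native
                // bridge are also treated as "not available" — presumably intentional; kept as is.
                if (!WARNED) {
                    LOGGER.log(Level.INFO, "COM4J isn't working. Falling back to non-native authentication", th);
                    WARNED = true;
                }
                return false;
            }
        }

        /**
         * Form validation for the realm configuration.
         *
         * <p>Parameter names are those of the decompiled class; their use in this method shows
         * {@code str} = domain name(s), {@code str2} = site, {@code str3} = bind DN,
         * {@code str4} = bind password, {@code str5} = explicit domain controller list.
         *
         * <p>The check performs network access and, when a bind DN is given, authenticates with the
         * supplied password, so it is restricted to administrators. The context class loader is
         * switched to the plugin's loader for the duration of the call and always restored.
         *
         * @return {@code ok} when every domain resolves and a controller can be bound or reached,
         *         otherwise the first error encountered
         */
        public FormValidation doValidate(@QueryParameter(fixEmpty = true) String str, @QueryParameter(fixEmpty = true) String str2, @QueryParameter(fixEmpty = true) String str3, @QueryParameter(fixEmpty = true) String str4, @QueryParameter(fixEmpty = true) String str5) throws IOException, ServletException, NamingException {
            ClassLoader previousLoader = Thread.currentThread().getContextClassLoader();
            Thread.currentThread().setContextClassLoader(getClass().getClassLoader());
            try {
                Functions.checkPermission(Hudson.ADMINISTER);
                String domains = Util.fixEmptyAndTrim(str);
                if (canDoNativeAuth() && domains == null) {
                    // Native mode: constructing the ADSI provider is the whole connectivity test.
                    try {
                        new ActiveDirectoryAuthenticationProvider();
                        return FormValidation.ok("OK");
                    } catch (Exception e) {
                        return FormValidation.error(e, "Failed to contact Active Directory");
                    }
                }
                if (domains == null) {
                    return FormValidation.error("No domain name set");
                }
                Secret password = Secret.fromString(str4);
                if (str3 != null && password == null) {
                    return FormValidation.error("DN is specified but not password");
                }
                for (String domainName : domains.split(",")) {
                    FormValidation failure = validateDomain(domainName, str2, str3, password, str5);
                    if (failure != null) {
                        return failure;
                    }
                }
                return FormValidation.ok("Success");
            } finally {
                Thread.currentThread().setContextClassLoader(previousLoader);
            }
        }

        /**
         * Validates a single domain: DNS resolution (NS, then A), controller discovery, and either a
         * credentialed bind plus one search or an anonymous TCP reachability probe.
         *
         * @return {@code null} on success, otherwise the {@link FormValidation} error to display
         */
        private FormValidation validateDomain(String domainName, String site, String bindDn, Secret password, String servers) {
            // DNS names are queried in absolute form.
            String name = domainName.endsWith(".") ? domainName : domainName + '.';
            DirContext dns = null;
            try {
                try {
                    LOGGER.fine("Attempting to resolve " + name + " to NS record");
                    dns = createDNSLookupContext();
                    Attribute ns = dns.getAttributes(name, new String[]{"NS"}).get("NS");
                    if (ns == null) {
                        LOGGER.fine("Attempting to resolve " + name + " to A record");
                        if (dns.getAttributes(name, new String[]{"A"}).get("A") == null) {
                            throw new NamingException(name + " doesn't look like a domain name");
                        }
                    }
                    LOGGER.log(Level.FINE, "{0} resolved to {1}", new Object[]{name, ns});
                } catch (NamingException e) {
                    LOGGER.log(Level.WARNING, "Failed to resolve " + name + " to A record", e);
                    return FormValidation.error(e, name + " doesn't look like a valid domain name");
                }
                try {
                    List<SocketInfo> controllers = obtainLDAPServer(dns, name, site, servers);
                    if (bindDn != null) {
                        return checkBind(bindDn, password, controllers, name);
                    }
                    // No credentials: only check that at least one controller accepts a TCP connection.
                    IOException lastFailure = null;
                    for (SocketInfo controller : controllers) {
                        try {
                            controller.connect().close();
                            lastFailure = null; // an earlier failure is irrelevant once one controller answers
                            break;
                        } catch (IOException e) {
                            LOGGER.log(Level.FINE, "Failed to connect to " + controller, (Throwable) e);
                            lastFailure = e;
                        }
                    }
                    if (lastFailure != null) {
                        LOGGER.log(Level.WARNING, "Failed to connect to " + controllers, (Throwable) lastFailure);
                        return FormValidation.error(lastFailure, "Failed to connect to " + controllers);
                    }
                    return null;
                } catch (NamingException e) {
                    String message = site == null ? "No LDAP server was found in " + name : "No LDAP server was found in the " + site + " site of " + name;
                    LOGGER.log(Level.WARNING, message, e);
                    return FormValidation.error(e, message);
                }
            } finally {
                if (dns != null) {
                    closeQuietly(dns);
                }
            }
        }

        /**
         * Binds with the given DN/password and runs one user search under the domain's DC path.
         *
         * @return {@code null} when bind and search succeed, otherwise the error to display
         */
        private FormValidation checkBind(String bindDn, Secret password, List<SocketInfo> controllers, String domainName) {
            try {
                DirContext ctx = bind(bindDn, Secret.toString(password), controllers);
                try {
                    new LDAPSearchBuilder(ctx, ActiveDirectoryUnixAuthenticationProvider.toDC(domainName)).searchOne("(objectClass=user)", new Object[0]);
                } finally {
                    ctx.close(); // released even when the search throws
                }
                return null;
            } catch (BadCredentialsException e) {
                return FormValidation.error(e, "Bad bind username or password");
            } catch (AuthenticationException e) {
                return FormValidation.error(e, "Bad bind username or password");
            } catch (Exception e) {
                return FormValidation.error(e, e.getMessage());
            }
        }

        /** Closes a context without letting a close failure mask the error already in flight. */
        private static void closeQuietly(DirContext ctx) {
            try {
                ctx.close();
            } catch (NamingException ignored) {
                // Best effort: the operation that produced this context has already completed or failed.
            }
        }

        /**
         * Binds to the first controller in {@code list} that can be connected to.
         *
         * @param str  bind DN, or {@code null} for an anonymous bind
         * @param str2 bind password; {@code null} or empty also yields an anonymous bind
         * @param list candidate controllers, tried in order
         * @return an open, bound context that the caller must close
         * @throws BadCredentialsException when a controller rejects the credentials, or when no
         *         controller could be bound at all — note that the latter reuses the
         *         "no such user / incorrect password" wording although it is a connectivity failure;
         *         the cause is the last {@link NamingException}, or {@code null} for an empty list
         */
        public DirContext bind(String str, String str2, List<SocketInfo> list) {
            Hashtable<String, String> env = new Hashtable<>();
            env.put("java.naming.referral", "follow");
            env.put("java.naming.ldap.attributes.binary", "tokenGroups objectSid");
            // Socket factory named TrustAllSocketFactory; its implementation is outside this file.
            env.put("java.naming.ldap.factory.socket", TrustAllSocketFactory.class.getName());
            NamingException lastFailure = null;
            for (SocketInfo controller : list) {
                try {
                    LdapContext ctx = bind(str, str2, controller, env);
                    LOGGER.fine("Bound to " + controller);
                    return ctx;
                } catch (AuthenticationException e) {
                    // The directory answered and said no: do not try other controllers with the same credentials.
                    LOGGER.log(Level.WARNING, "Failed to authenticate while binding to " + controller, e);
                    throw new BadCredentialsException("Either no such user '" + str + "' or incorrect password", e);
                } catch (NamingException e) {
                    LOGGER.log(Level.WARNING, "Failed to bind to " + controller, e);
                    lastFailure = e;
                }
            }
            throw new BadCredentialsException("Either no such user '" + str + "' or incorrect password", lastFailure);
        }

        /** Copies the system property {@code str} into {@code env} when it is set. */
        private void customizeLdapProperty(Hashtable<String, String> env, String str) {
            String value = System.getProperty(str, null);
            if (value != null) {
                env.put(str, value);
            }
        }

        /** Applies the JNDI LDAP connect/read timeout system properties, when set, to {@code env}. */
        private void customizeLdapProperties(Hashtable<String, String> env) {
            customizeLdapProperty(env, "com.sun.jndi.ldap.connect.timeout");
            customizeLdapProperty(env, "com.sun.jndi.ldap.read.timeout");
        }

        /**
         * Opens an LDAP connection to one controller, optionally upgrades it with StartTLS, and binds.
         *
         * <p>Transport security: with {@link #FORCE_LDAPS} the URL is {@code ldaps://}. Otherwise
         * StartTLS is attempted and, if it fails for any reason, the code continues and performs the
         * bind — including the password when one is given — over plain-text LDAP. That downgrade is
         * logged at WARNING so operators can see it; set {@code FORCE_LDAPS} to rule it out.
         * Both paths use {@code TrustAllSocketFactory}; if it does what its name suggests, the
         * server certificate is not verified and TLS here protects against passive sniffing only.
         *
         * <p>The thread name carries the target URL while connecting (visible in thread dumps) and
         * is always restored. A context that was created but could not be bound is closed here;
         * a successfully bound context is owned by the caller.
         *
         * @throws NamingException including {@link AuthenticationException} when the bind is rejected
         */
        private LdapContext bind(String str, String str2, SocketInfo socketInfo, Hashtable<String, String> env) throws NamingException {
            String url = (FORCE_LDAPS ? "ldaps://" : "ldap://") + socketInfo + '/';
            String previousThreadName = Thread.currentThread().getName();
            Thread.currentThread().setName("Connecting to " + url + " : " + previousThreadName);
            LOGGER.fine("Connecting to " + url);
            LdapContext ctx = null;
            try {
                env.put("java.naming.provider.url", url);
                env.put("java.naming.ldap.version", "3");
                customizeLdapProperties(env);
                // Direct use of the JDK-internal factory rather than InitialLdapContext; kept from the original.
                ctx = LdapCtxFactory.getLdapCtxInstance(url, env);
                if (!FORCE_LDAPS) {
                    upgradeToTls(ctx);
                }
                if (str == null || str2 == null || str2.equals("")) {
                    ctx.addToEnvironment("java.naming.security.authentication", "none");
                    LOGGER.fine("Binding anonymously to " + url);
                } else {
                    ctx.addToEnvironment("java.naming.security.principal", str);
                    ctx.addToEnvironment("java.naming.security.credentials", str2);
                    LOGGER.fine("Binding as " + str + " to " + url);
                }
                // reconnect() performs the actual bind with the environment set above.
                ctx.reconnect((Control[]) null);
                LdapContext bound = ctx;
                ctx = null; // ownership passes to the caller; do not close in finally
                return bound;
            } finally {
                if (ctx != null) {
                    closeQuietly(ctx);
                }
                Thread.currentThread().setName(previousThreadName);
            }
        }

        /**
         * Attempts a StartTLS upgrade on {@code ctx}. On failure the connection is left as plain
         * LDAP and the custom socket factory is removed from the environment (as the original did;
         * the reason is not stated in this file).
         */
        private void upgradeToTls(LdapContext ctx) throws NamingException {
            try {
                ctx.extendedOperation(new StartTlsRequest()).negotiate((SSLSocketFactory) TrustAllSocketFactory.getDefault());
                LOGGER.fine("Connection upgraded to TLS");
            } catch (NamingException | IOException e) {
                // Credentials will travel unencrypted after this point — surfaced at WARNING rather than FINE.
                LOGGER.log(Level.WARNING, "Failed to start TLS. Authentication will be done via plain-text LDAP", e);
                ctx.removeFromEnvironment("java.naming.ldap.factory.socket");
            }
        }

        /** Creates a JNDI context backed by the JDK DNS provider using the system resolver. */
        public DirContext createDNSLookupContext() throws NamingException {
            Hashtable<String, String> env = new Hashtable<>();
            env.put("java.naming.factory.initial", "com.sun.jndi.dns.DnsContextFactory");
            env.put("java.naming.provider.url", "dns:");
            return new InitialDirContext(env);
        }

        /**
         * Convenience overload of {@link #obtainLDAPServer(DirContext, String, String, String)}
         * that creates its own DNS context.
         */
        public List<SocketInfo> obtainLDAPServer(String str, String str2, String str3) throws NamingException {
            return obtainLDAPServer(createDNSLookupContext(), str, str2, str3);
        }

        /**
         * Lists the domain controllers to try for a domain.
         *
         * <p>An explicit list ({@code str3}, falling back to {@link #DOMAIN_CONTROLLERS}) is used
         * verbatim. Otherwise SRV records are looked up for each prefix in {@link #CANDIDATES},
         * optionally scoped to the site ({@code str2}), and the first prefix that yields records
         * wins. Records are parsed as whitespace-separated fields using index 0 (priority),
         * index 2 (port) and index 3 (target host); index 1 (presumably weight) is ignored.
         * With {@link #FORCE_LDAPS} ports 389 and 3268 are mapped to 636 and 3269.
         *
         * @param dirContext DNS context used for the SRV queries
         * @param str        domain name; callers pass it with or without a trailing dot
         * @param str2       AD site name, or {@code null}
         * @param str3       explicit comma-separated {@code host:port} list, or {@code null}
         * @return controllers in the order they should be tried (see {@link C1PrioritizedSocketInfo})
         * @throws NamingException when no SRV record is found; the last lookup failure is the cause
         */
        public List<SocketInfo> obtainLDAPServer(DirContext dirContext, String str, String str2, String str3) throws NamingException {
            List<SocketInfo> controllers = new ArrayList<SocketInfo>();
            String explicitList = str3 != null ? str3 : DOMAIN_CONTROLLERS;
            if (explicitList != null) {
                for (String hostPort : explicitList.split(",")) {
                    controllers.add(new SocketInfo(hostPort.trim()));
                }
                return controllers;
            }
            String query = null;
            Attribute srv = null;
            NamingException lookupFailure = null;
            for (String prefix : CANDIDATES) {
                query = prefix + (str2 != null ? str2 + "._sites." : "") + str;
                LOGGER.fine("Attempting to resolve " + query + " to SRV record");
                try {
                    srv = dirContext.getAttributes(query, new String[]{"SRV"}).get("SRV");
                } catch (NumberFormatException e) {
                    // Kept from the original, which attributes this to a JDK IPv6 parsing bug.
                    lookupFailure = (NamingException) new NamingException("JDK IPv6 bug encountered").initCause(e);
                } catch (NamingException e) {
                    lookupFailure = e;
                }
                if (srv != null) {
                    break;
                }
            }
            if (srv != null) {
                boolean forceLdaps = FORCE_LDAPS;
                List<C1PrioritizedSocketInfo> prioritized = new ArrayList<C1PrioritizedSocketInfo>();
                NamingEnumeration<?> records = srv.getAll();
                while (records.hasMoreElements()) {
                    String record = records.next().toString();
                    LOGGER.fine("SRV record found: " + record);
                    String[] fields = record.split(" ");
                    String host = fields[3];
                    if (host.endsWith(".")) {
                        host = host.substring(0, host.length() - 1);
                    }
                    int port = Integer.parseInt(fields[2]);
                    if (forceLdaps) {
                        if (port == 389) {
                            port = 636;
                        }
                        if (port == 3268) {
                            port = 3269;
                        }
                    }
                    prioritized.add(new C1PrioritizedSocketInfo(new SocketInfo(host, port), Integer.parseInt(fields[0])));
                }
                Collections.sort(prioritized);
                for (C1PrioritizedSocketInfo entry : prioritized) {
                    controllers.add(entry.socket);
                }
            }
            if (!controllers.isEmpty()) {
                LOGGER.fine(query + " resolved to " + controllers);
                return controllers;
            }
            NamingException notFound = new NamingException("No SRV record found for " + query);
            if (lookupFailure != null) {
                notFound.initCause(lookupFailure);
            }
            throw notFound;
        }
    }

    /**
     * Data-bound constructor used by the configuration form.
     *
     * <p>Parameter names are those of the decompiled class; the assignments show
     * {@code str} = domain, {@code str2} = site, {@code str3} = bind DN, {@code str4} = bind
     * password, {@code str5} = explicit server. Empty strings become {@code null}; a server given
     * without a port gets {@code :3268} (global catalog) appended.
     */
    @DataBoundConstructor
    public ActiveDirectorySecurityRealm(String str, String str2, String str3, String str4, String str5) {
        this.domain = Util.fixEmpty(str);
        this.site = Util.fixEmpty(str2);
        this.bindName = Util.fixEmpty(str3);
        this.bindPassword = Secret.fromString(Util.fixEmpty(str4));
        String explicitServer = Util.fixEmpty(str5);
        if (explicitServer != null && !explicitServer.contains(":")) {
            explicitServer = explicitServer + ":3268";
        }
        this.server = explicitServer;
    }

    /**
     * Builds the authentication manager and user-details service from {@code ActiveDirectory.groovy}
     * (the script receives this realm as the {@code realm} variable) and attaches remember-me
     * support keyed on the instance secret.
     *
     * <p>The remember-me service swallows any failure while auto-logging-in from the cookie: the
     * cookie is cancelled and the request proceeds unauthenticated, so a stale or malformed cookie
     * cannot break page rendering.
     */
    public SecurityRealm.SecurityComponents createSecurityComponents() {
        BeanBuilder beanBuilder = new BeanBuilder(getClass().getClassLoader());
        Binding binding = new Binding();
        binding.setVariable("realm", this);
        // Whether BeanBuilder closes the resource stream is not visible here.
        beanBuilder.parse(getClass().getResourceAsStream("ActiveDirectory.groovy"), binding);
        WebApplicationContext context = beanBuilder.createApplicationContext();
        UserDetailsService userDetailsService = (UserDetailsService) findBean(UserDetailsService.class, context);
        TokenBasedRememberMeServices2 rememberMe = new TokenBasedRememberMeServices2() {
            public Authentication autoLogin(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
                try {
                    return super.autoLogin(httpServletRequest, httpServletResponse);
                } catch (Exception e) {
                    cancelCookie(httpServletRequest, httpServletResponse, "Failed to handle remember-me cookie: " + Functions.printThrowable(e));
                    return null;
                }
            }
        };
        rememberMe.setUserDetailsService(userDetailsService);
        rememberMe.setKey(Hudson.getInstance().getSecretKey());
        rememberMe.setParameter("remember_me");
        return new SecurityRealm.SecurityComponents((AuthenticationManager) findBean(AuthenticationManager.class, context), userDetailsService, rememberMe);
    }

    /**
     * Covariant {@code getDescriptor()} override; the name is the decompiler's rename of the bridge
     * method and is kept so in-file callers keep compiling.
     */
    public DescriptorImpl m4getDescriptor() {
        return (DescriptorImpl) super.getDescriptor();
    }

    /**
     * Administrator-only diagnostic: for every configured domain, lists the discovered controllers
     * and tries to authenticate {@code str} with password {@code str2} against each one, rendering
     * the transcript via {@code test.jelly}.
     *
     * <p>The password is never written to the output; stack traces are, which is acceptable only
     * because the page requires {@link Hudson#ADMINISTER}. Only the LDAP provider supports this
     * diagnostic. The context class loader is switched to the plugin's loader and always restored.
     */
    public void doAuthTest(StaplerRequest staplerRequest, StaplerResponse staplerResponse, @QueryParameter String str, @QueryParameter String str2) throws IOException, ServletException {
        Hudson.getInstance().checkPermission(Hudson.ADMINISTER);
        StringWriter transcript = new StringWriter();
        PrintWriter out = new PrintWriter(transcript);
        ClassLoader previousLoader = Thread.currentThread().getContextClassLoader();
        Thread.currentThread().setContextClassLoader(getClass().getClassLoader());
        try {
            AbstractActiveDirectoryAuthenticationProvider provider = getAuthenticationProvider();
            if (provider instanceof ActiveDirectoryUnixAuthenticationProvider) {
                ActiveDirectoryUnixAuthenticationProvider unixProvider = (ActiveDirectoryUnixAuthenticationProvider) provider;
                DescriptorImpl descriptor = m4getDescriptor();
                // NOTE(review): this.domain is assumed non-null whenever the LDAP provider is in use — confirm in the Groovy wiring.
                for (String domainName : this.domain.split(",")) {
                    try {
                        out.println("Domain=" + domainName + " site=" + this.site);
                        List<SocketInfo> controllers = descriptor.obtainLDAPServer(domainName, this.site, this.server);
                        out.println("List of domain controllers: " + controllers);
                        for (SocketInfo controller : controllers) {
                            out.println("Trying a domain controller at " + controller);
                            try {
                                out.println("Authenticated as " + unixProvider.retrieveUser(str, str2, domainName, Collections.singletonList(controller)));
                            } catch (org.acegisecurity.AuthenticationException e) {
                                e.printStackTrace(out);
                            }
                        }
                    } catch (NamingException e) {
                        out.println("Failing to resolve domain controllers");
                        e.printStackTrace(out);
                    }
                }
            } else {
                out.println("Using Windows ADSI. No diagnostics available.");
            }
        } catch (Exception e) {
            // Any other failure becomes part of the transcript instead of an error page.
            e.printStackTrace(out);
        } finally {
            Thread.currentThread().setContextClassLoader(previousLoader);
        }
        staplerRequest.setAttribute("output", transcript.toString());
        staplerRequest.getView(this, "test.jelly").forward(staplerRequest, staplerResponse);
    }

    /** Delegates group lookup to the active provider. */
    public GroupDetails loadGroupByGroupname(String str) throws UsernameNotFoundException, DataAccessException {
        return getAuthenticationProvider().loadGroupByGroupname(str);
    }

    /** The provider wired in by {@link #createSecurityComponents()}, exposed as the user-details service. */
    public AbstractActiveDirectoryAuthenticationProvider getAuthenticationProvider() {
        return (AbstractActiveDirectoryAuthenticationProvider) getSecurityComponents().userDetails;
    }

    /** Delegates user lookup to the active provider. */
    public UserDetails loadUserByUsername(String str) throws UsernameNotFoundException, DataAccessException {
        return getAuthenticationProvider().loadUserByUsername(str);
    }

    /** Password authentication entry point: wraps the credentials in a token and asks the provider. */
    protected UserDetails authenticate(String str, String str2) throws org.acegisecurity.AuthenticationException {
        return getAuthenticationProvider().retrieveUser(str, new UsernamePasswordAuthenticationToken(str, str2));
    }
}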
