package hudson.plugins.active_directory;

import com.github.benmanes.caffeine.cache.Cache;
import com4j.COM4J;
import com4j.Com4jObject;
import com4j.ComException;
import com4j.ExecutionException;
import com4j.Variant;
import com4j.typelibs.activeDirectory.IADs;
import com4j.typelibs.activeDirectory.IADsGroup;
import com4j.typelibs.activeDirectory.IADsOpenDSObject;
import com4j.typelibs.activeDirectory.IADsUser;
import com4j.typelibs.ado20.ClassFactory;
import com4j.typelibs.ado20._Command;
import com4j.typelibs.ado20._Connection;
import com4j.typelibs.ado20._Recordset;
import com4j.util.ComObjectCollector;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider;
import hudson.security.GroupDetails;
import hudson.security.SecurityRealm;
import hudson.security.UserMayOrMayNotExistException;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Optional;
import java.util.function.Function;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.userdetails.UsernameNotFoundException;
import org.apache.commons.lang.StringUtils;
import org.springframework.dao.DataAccessException;
import org.springframework.dao.DataAccessResourceFailureException;

/* loaded from: input_file:hudson/plugins/active_directory/ActiveDirectoryAuthenticationProvider.class */
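/**
 * Authentication provider that resolves users and groups through the ADSI/ADO COM
 * objects exposed by com4j, and caches the results in the user and group caches
 * taken from a {@link CacheConfiguration}.
 *
 * <p>The caller-supplied user or group name is escaped before it is placed in the
 * directory search filter (see {@link #escapeLdapFilterValue(String)}), because that
 * name arrives from the login form and other untrusted callers.
 */
public class ActiveDirectoryAuthenticationProvider extends AbstractActiveDirectoryAuthenticationProvider {
    /**
     * ADSI bind option passed as the last argument of every {@code openDSObject} call here.
     * NOTE(review): this is the only option passed; ADS_SECURE_AUTHENTICATION and ADS_USE_SSL
     * are not set, so confirm how the user's password is protected on the wire during the bind.
     */
    private static final int ADS_READONLY_SERVER = 4;

    /**
     * HRESULT 0x8000500D (-2147463155), E_ADS_PROPERTY_NOT_FOUND: the attribute is not set on
     * the directory object. The attribute getters below treat it as "no value".
     */
    private static final int E_ADS_PROPERTY_NOT_FOUND = 0x8000500D;

    /**
     * Escape hatch read once from the system property
     * {@code <class name>.ALLOW_EMPTY_PASSWORD}; when false (the default) empty passwords are
     * rejected before any bind is attempted.
     */
    @SuppressFBWarnings({"MS_SHOULD_BE_FINAL"})
    private static boolean ALLOW_EMPTY_PASSWORD = Boolean.getBoolean(ActiveDirectoryAuthenticationProvider.class.getName() + ".ALLOW_EMPTY_PASSWORD");
    private static final Logger LOGGER = Logger.getLogger(ActiveDirectoryAuthenticationProvider.class.getName());

    /** Value of the RootDSE {@code defaultNamingContext} attribute; used as the search base. */
    private final String defaultNamingContext;
    /** ADO connection opened with the {@code ADsDSOObject} provider; used for DN searches. */
    private final _Connection con;
    private CacheConfiguration cache;
    private final Cache<CacheKey, Optional<UserDetails>> userCache;
    private final Cache<String, Optional<GroupDetails>> groupCache;

    /**
     * Creates a provider without a security realm, i.e. with a default cache configuration.
     *
     * @throws IOException declared for callers; the visible body does not throw it itself
     */
    public ActiveDirectoryAuthenticationProvider() throws IOException {
        this(null);
    }

    /**
     * Connects to the directory and wires up the caches.
     *
     * @param activeDirectorySecurityRealm realm whose cache configuration is used; may be null
     * @throws DataAccessException if the COM calls fail with an {@link ExecutionException}
     */
    public ActiveDirectoryAuthenticationProvider(ActiveDirectorySecurityRealm activeDirectorySecurityRealm) throws DataAccessException {
        try {
            this.defaultNamingContext = (String) COM4J.getObject(IADs.class, "LDAP://RootDSE", (String) null).get("defaultNamingContext");
            LOGGER.info("Active Directory domain is " + this.defaultNamingContext);
            this.con = ClassFactory.createConnection();
            this.con.provider("ADsDSOObject");
            // Opened with empty user name and password strings.
            // NOTE(review): presumably this means searches run as the identity of the hosting process; confirm.
            this.con.open("Active Directory Provider", "", "", -1);
            if (activeDirectorySecurityRealm != null) {
                this.cache = activeDirectorySecurityRealm.cache;
            }
            if (this.cache == null) {
                this.cache = new CacheConfiguration(0, 0);
            }
            // A configuration without live caches is rebuilt from its own size and TTL.
            if (this.cache.getUserCache() == null || this.cache.getGroupCache() == null) {
                this.cache = new CacheConfiguration(this.cache.getSize(), this.cache.getTtl());
            }
            this.userCache = this.cache.getUserCache();
            this.groupCache = this.cache.getGroupCache();
        } catch (ExecutionException e) {
            throw new DataAccessResourceFailureException("Failed to connect to Active Directory. Does this machine belong to Active Directory?", e);
        }
    }

    /**
     * Builds an {@code LDAP://} path from a distinguished name, backslash-escaping every
     * forward slash in the DN.
     *
     * @param str distinguished name; must not be null
     * @return the path string
     */
    static String dnToLdapUrl(String str) {
        return "LDAP://" + str.replace("/", "\\/");
    }

    /**
     * Escapes a value for use inside a directory search filter.
     *
     * <p>Backslash, asterisk, parentheses and NUL are replaced with their two-digit hex escapes
     * so the value cannot add wildcards or extra filter terms. The semicolon is escaped as well
     * because it separates the fields of the command text built in
     * {@link #getDnOfUserOrGroup(String)}.
     *
     * @param value raw value; must not be null
     * @return the escaped value
     */
    private static String escapeLdapFilterValue(String value) {
        StringBuilder escaped = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\':
                    escaped.append("\\5c");
                    break;
                case '*':
                    escaped.append("\\2a");
                    break;
                case '(':
                    escaped.append("\\28");
                    break;
                case ')':
                    escaped.append("\\29");
                    break;
                case '\0':
                    escaped.append("\\00");
                    break;
                case ';':
                    escaped.append("\\3b");
                    break;
                default:
                    escaped.append(c);
                    break;
            }
        }
        return escaped.toString();
    }

    /**
     * Looks up a user and, when a token is supplied, verifies the password by binding to the
     * user's directory object with it.
     *
     * <p>With a null token the object is opened with null credentials, so no password is
     * checked. The decompiler notes that this method was {@code protected} in the original.
     *
     * <p>NOTE(review): results are cached under the key returned by
     * {@code CacheUtil.computeCacheKey} (not visible here). A cache hit does not call the loader,
     * so no bind happens; a disabled account or changed password would then only take effect
     * once the entry is gone. Confirm the key derivation and the TTL.
     *
     * @param str user name as typed by the caller
     * @param usernamePasswordAuthenticationToken token holding the password, or null
     * @return the user's details
     * @throws AuthenticationException on bad credentials, unknown user, or a caching problem
     */
    @Override // hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider
    public UserDetails retrieveUser(String str, UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken) throws AuthenticationException {
        try {
            final AbstractActiveDirectoryAuthenticationProvider.Password password;
            if (usernamePasswordAuthenticationToken == null) {
                password = AbstractActiveDirectoryAuthenticationProvider.NoAuthentication.INSTANCE;
            } else {
                String supplied = (String) usernamePasswordAuthenticationToken.getCredentials();
                // Reject empty passwords before they reach the bind below.
                // NOTE(review): directory servers commonly treat a bind with an empty password as an
                // unauthenticated bind that succeeds; presumably that is what this guard prevents.
                if (!ALLOW_EMPTY_PASSWORD && StringUtils.isEmpty(supplied)) {
                    LOGGER.log(Level.FINE, "Empty password not allowed was tried by user {0}", str);
                    throw new BadCredentialsException("Empty password not allowed");
                }
                password = new AbstractActiveDirectoryAuthenticationProvider.UserPassword(supplied);
            }
            CacheKey cacheKey = CacheUtil.computeCacheKey(str, password, this.userCache.asMap().keySet());
            Function<CacheKey, Optional<UserDetails>> loader = ignoredKey -> {
                String dn = getDnOfUserOrGroup(str);
                ComObjectCollector collector = new ComObjectCollector();
                COM4J.addListener(collector);
                try {
                    IADsOpenDSObject opener = COM4J.getObject(IADsOpenDSObject.class, "LDAP:", (String) null);
                    try {
                        Com4jObject bound;
                        if (usernamePasswordAuthenticationToken == null) {
                            bound = opener.openDSObject(dnToLdapUrl(dn), (String) null, (String) null, ADS_READONLY_SERVER);
                        } else {
                            // The bind itself is the password check: the DN is used as the user name.
                            bound = opener.openDSObject(dnToLdapUrl(dn), dn, ((AbstractActiveDirectoryAuthenticationProvider.UserPassword) password).getPassword(), ADS_READONLY_SERVER);
                        }
                        IADsUser user = bound.queryInterface(IADsUser.class);
                        if (user == null) {
                            return Optional.empty();
                        }
                        ArrayList<GrantedAuthority> authorities = new ArrayList<>();
                        for (Com4jObject member : user.groups()) {
                            if (member != null) {
                                // Drops the first three characters of the group's name (presumably the "CN=" prefix).
                                authorities.add(new GrantedAuthorityImpl(member.queryInterface(IADsGroup.class).name().substring(3)));
                            }
                        }
                        authorities.add(SecurityRealm.AUTHENTICATED_AUTHORITY);
                        LOGGER.log(Level.FINE, "Login successful: {0} dn={1}", new Object[]{str, dn});
                        // The literal "redacted" is stored in place of the password, so the cached details never hold it.
                        return Optional.of(new ActiveDirectoryUserDetail(str, "redacted", !isAccountDisabled(user), true, true, true, authorities.toArray(new GrantedAuthority[0]), getFullName(user), getEmailAddress(user), getTelephoneNumber(user)).updateUserInfo());
                    } catch (ComException e) {
                        // Any COM failure in the bind or the attribute reads is reported as bad credentials.
                        // NOTE(review): the message carries the DN and HRESULT; confirm it is not shown to unauthenticated clients.
                        String message = String.format("Incorrect password for %s DN=%s: error=%08X", str, dn, Integer.valueOf(e.getHRESULT()));
                        LOGGER.log(Level.FINE, String.format("Login failure: Incorrect password for %s DN=%s: error=%08X", str, dn, Integer.valueOf(e.getHRESULT())), e);
                        throw new BadCredentialsException(message, e);
                    }
                } finally {
                    // Release every COM object created while the listener was registered.
                    collector.disposeAll();
                    COM4J.removeListener(collector);
                }
            };
            if (cacheKey == null) {
                // No cache key: run the lookup directly, bypassing the cache.
                return loader.apply(null).orElseThrow(() -> new UsernameNotFoundException("User not found: " + str));
            }
            Optional<UserDetails> cached = this.userCache.get(cacheKey, loader);
            if (cached == null) {
                throw new UsernameNotFoundException("User not found: " + str);
            }
            return cached.orElseThrow(() -> new UsernameNotFoundException("User not found: " + str));
        } catch (Exception e) {
            if (e instanceof AuthenticationException) {
                throw e;
            }
            // Unwrap an authentication failure that was wrapped on its way out of the loader.
            Throwable cause = e.getCause();
            if (cause instanceof AuthenticationException) {
                throw ((AuthenticationException) cause);
            }
            LOGGER.log(Level.SEVERE, String.format("There was a problem caching user %s", str), (Throwable) e);
            throw new CacheAuthenticationException("Authentication failed because there was a problem caching user " + str, e);
        }
    }

    /**
     * Reads the user's telephone number.
     *
     * @return the value as a string, or null when it is null or the property is not found
     */
    private String getTelephoneNumber(IADsUser iADsUser) {
        try {
            Object telephoneNumber = iADsUser.telephoneNumber();
            return telephoneNumber == null ? null : telephoneNumber.toString();
        } catch (ComException e) {
            if (e.getHRESULT() == E_ADS_PROPERTY_NOT_FOUND) {
                return null;
            }
            throw e;
        }
    }

    /**
     * Reads the user's e-mail address.
     *
     * @return the address, or null when the property is not found
     */
    private String getEmailAddress(IADsUser iADsUser) {
        try {
            return iADsUser.emailAddress();
        } catch (ComException e) {
            if (e.getHRESULT() == E_ADS_PROPERTY_NOT_FOUND) {
                return null;
            }
            throw e;
        }
    }

    /**
     * Reads the user's full name.
     *
     * @return the name, or null when the property is not found
     */
    private String getFullName(IADsUser iADsUser) {
        try {
            return iADsUser.fullName();
        } catch (ComException e) {
            if (e.getHRESULT() == E_ADS_PROPERTY_NOT_FOUND) {
                return null;
            }
            throw e;
        }
    }

    /**
     * Reads the account-disabled flag.
     *
     * <p>NOTE(review): when the property is not found the account is reported as enabled
     * (fails open); confirm that this is the intended default.
     *
     * @return true if the directory reports the account as disabled
     */
    private boolean isAccountDisabled(IADsUser iADsUser) {
        try {
            return iADsUser.accountDisabled();
        } catch (ComException e) {
            if (e.getHRESULT() == E_ADS_PROPERTY_NOT_FOUND) {
                return false;
            }
            throw e;
        }
    }

    /**
     * Searches the default naming context for an object whose {@code sAMAccountName} equals the
     * given name and returns its distinguished name.
     *
     * <p>The name is escaped before it is placed in the filter: without that, a name containing
     * {@code *}, {@code (} or {@code )} would change the filter instead of being matched
     * literally. A null name is rejected rather than searched for as the text "null".
     *
     * @param str user or group name from the caller
     * @return the distinguished name of the first record returned
     * @throws UsernameNotFoundException if the name is null or the search returns no record
     */
    private String getDnOfUserOrGroup(String str) throws UsernameNotFoundException {
        if (str == null) {
            throw new UsernameNotFoundException("No such user or group: " + str);
        }
        _Command command = ClassFactory.createCommand();
        command.activeConnection(this.con);
        command.commandText("<LDAP://" + this.defaultNamingContext + ">;(sAMAccountName=" + escapeLdapFilterValue(str) + ");distinguishedName;subTree");
        _Recordset records = command.execute((Object) null, Variant.getMissing(), -1);
        if (records.eof()) {
            throw new UsernameNotFoundException("No such user or group: " + str);
        }
        return records.fields().item("distinguishedName").value().toString();
    }

    /**
     * Resolves a group by name, going through the group cache.
     *
     * <p>NOTE(review): the nesting below is kept exactly as the decompiler rendered it. If
     * {@code UserMayOrMayNotExistException} is a subtype of {@code UsernameNotFoundException}
     * (not visible here), both throws inside the inner try are caught by the outer catch and
     * become an empty result, which is then cached. Confirm against the original source.
     *
     * @param str group name
     * @return the group's details
     * @throws UsernameNotFoundException if the group cannot be resolved
     */
    @Override // hudson.plugins.active_directory.GroupDetailsService
    public GroupDetails loadGroupByGroupname(String str) {
        try {
            Optional<GroupDetails> cached = this.groupCache.get(str, ignoredKey -> {
                ComObjectCollector collector = new ComObjectCollector();
                COM4J.addListener(collector);
                try {
                    try {
                        IADsGroup group = COM4J.getObject(IADsOpenDSObject.class, "LDAP:", (String) null)
                                .openDSObject(dnToLdapUrl(getDnOfUserOrGroup(str)), (String) null, (String) null, ADS_READONLY_SERVER)
                                .queryInterface(IADsGroup.class);
                        if (group == null) {
                            throw new UserMayOrMayNotExistException(str);
                        }
                        return Optional.of(new ActiveDirectoryGroupDetails(str));
                    } catch (ComException e) {
                        LOGGER.log(Level.WARNING, String.format("Failed to figure out details of AD group: %s", str), e);
                        throw new UserMayOrMayNotExistException(str);
                    }
                } catch (UsernameNotFoundException e) {
                    // The name could not be turned into a DN: remember it as "not a group".
                    return Optional.empty();
                } finally {
                    // Release every COM object created while the listener was registered.
                    collector.disposeAll();
                    COM4J.removeListener(collector);
                }
            });
            if (cached == null) {
                throw new UsernameNotFoundException("Failed to get the DN of the group " + str);
            }
            return cached.orElseThrow(() -> new UsernameNotFoundException("Failed to get the DN of the group " + str));
        } catch (Exception e) {
            if (e instanceof AuthenticationException) {
                throw e;
            }
            // Unwrap an authentication failure that was wrapped on its way out of the loader.
            Throwable cause = e.getCause();
            if (cause instanceof AuthenticationException) {
                throw ((AuthenticationException) cause);
            }
            LOGGER.log(Level.SEVERE, String.format("There was a problem caching group %s", str), (Throwable) e);
            throw new CacheAuthenticationException("Authentication failed because there was a problem caching group " + str, e);
        }
    }
}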
