package hudson.plugins.active_directory;

import com.google.common.cache.Cache;
import com.google.common.util.concurrent.UncheckedExecutionException;
import com4j.CLSCTX;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import hudson.Util;
import hudson.plugins.active_directory.ActiveDirectorySecurityRealm;
import hudson.security.GroupDetails;
import hudson.security.SecurityRealm;
import hudson.security.UserMayOrMayNotExistException;
import hudson.util.DaemonThreadFactory;
import hudson.util.NamingThreadFactory;
import hudson.util.TimeUnit2;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.Stack;
import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.naming.NameNotFoundException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.TimeLimitExceededException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationServiceException;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.userdetails.UsernameNotFoundException;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang.StringUtils;

/* loaded from: input_file:WEB-INF/lib/active-directory.jar:hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.class */
public class ActiveDirectoryUnixAuthenticationProvider extends AbstractActiveDirectoryAuthenticationProvider {
    // Domains searched, in order, by retrieveUser and loadGroupByGroupname; copied from the realm.
    private final List<ActiveDirectoryDomain> domains;
    // Site name copied from the realm; it is not read anywhere else in this listing.
    private final String site;
    // Realm descriptor; supplies obtainLDAPServer(...) and the bind(...) overloads used below.
    private final ActiveDirectorySecurityRealm.DescriptorImpl descriptor;
    // Mutable on purpose: resolveGroups downgrades AUTO to RECURSIVE or pins it to CHAIN at runtime.
    // NOTE(review): written without synchronization from whichever thread runs resolveGroups.
    private GroupLookupStrategy groupLookupStrategy;
    // Attribute name from which the user's distinguished name is read after a search.
    protected static final String DN_FORMATTED = "distinguishedNameFormatted";
    private CacheConfiguration cache;
    // Keyed by username + "@@" + SHA-1 hex of the password (see retrieveUser).
    private final Cache<String, UserDetails> userCache;
    // Keyed by group name (see loadGroupByGroupname).
    private final Cache<String, ActiveDirectoryGroupDetails> groupCache;
    // Runs the background updateUserInfo() task scheduled after a fresh user load.
    private final ExecutorService threadPoolExecutor;
    // Environment passed to descriptor.bind(...) in retrieveUser: LDAP timeouts plus the
    // realm's environmentProperties, which are added last and therefore win on conflict.
    private Hashtable<String, String> props = new Hashtable<>();
    // Timeout values are strings of milliseconds — presumably as the JNDI LDAP provider expects; confirm.
    private static final String DEFAULT_LDAP_CONNECTION_TIMEOUT = "30000";
    private static final String DEFAULT_LDAP_READ_TIMEOUT = "60000";
    private static final String LDAP_CONNECT_TIMEOUT = "com.sun.jndi.ldap.connect.timeout";
    private static final String LDAP_READ_TIMEOUT = "com.sun.jndi.ldap.read.timeout";
    // Thread-pool sizing is read from system properties during class initialization; a
    // non-numeric value makes parseInt/parseLong throw and the class fail to initialize.
    private static final int corePoolSize = Integer.parseInt(System.getProperty("hudson.plugins.active_directory.threadPoolExecutor.corePoolSize", "4"));
    private static final int maxPoolSize = Integer.parseInt(System.getProperty("hudson.plugins.active_directory.threadPoolExecutor.maxPoolSize", "8"));
    // Passed to ThreadPoolExecutor with TimeUnit.MILLISECONDS in the constructor.
    private static final long keepAliveTime = Long.parseLong(System.getProperty("hudson.plugins.active_directory.threadPoolExecutor.keepAliveTime", "10000"));
    private static final int queueSize = Integer.parseInt(System.getProperty("hudson.plugins.active_directory.threadPoolExecutor.queueSize", "25"));
    private static final Logger LOGGER = Logger.getLogger(ActiveDirectoryUnixAuthenticationProvider.class.getName());
    // Sentinel password used when a user is looked up by name with no authentication token
    // (see the three-argument retrieveUser).
    // NOTE(review): the literal is rendered as replacement characters in this listing, so its
    // real content cannot be read from here — confirm against the compiled class.
    // NOTE(review): retrieveUser matches this value with String.equals, so a caller-supplied
    // password with the same content is indistinguishable from the internal sentinel.
    private static final String NO_AUTHENTICATION = "������������";

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider$4, reason: invalid class name */
    /* loaded from: input_file:WEB-INF/lib/active-directory.jar:hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider$4.class */
    // Compiler-generated switch map, surfaced by the decompiler as a named class. It assigns
    // each GroupLookupStrategy constant the case label used by the switch in resolveGroups:
    // TOKENGROUPS=1, AUTO=2, RECURSIVE=3, CHAIN=4. Constants not listed here keep the array
    // default of 0, which matches no case label in that switch.
    public static /* synthetic */ class AnonymousClass4 {
        static final /* synthetic */ int[] $SwitchMap$hudson$plugins$active_directory$GroupLookupStrategy = new int[GroupLookupStrategy.values().length];

        static {
            // Each constant is guarded separately so that a constant missing at run time
            // (NoSuchFieldError) leaves only its own slot unset.
            try {
                $SwitchMap$hudson$plugins$active_directory$GroupLookupStrategy[GroupLookupStrategy.TOKENGROUPS.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$hudson$plugins$active_directory$GroupLookupStrategy[GroupLookupStrategy.AUTO.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$hudson$plugins$active_directory$GroupLookupStrategy[GroupLookupStrategy.RECURSIVE.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$hudson$plugins$active_directory$GroupLookupStrategy[GroupLookupStrategy.CHAIN.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
        }
    }

    /**
     * Builds the provider from the realm's configuration: domains, site, group lookup
     * strategy, caches, the cache-update thread pool and the LDAP environment properties.
     *
     * @param activeDirectorySecurityRealm realm whose settings are copied into this provider
     */
    public ActiveDirectoryUnixAuthenticationProvider(ActiveDirectorySecurityRealm activeDirectorySecurityRealm) {
        this.site = activeDirectorySecurityRealm.site;
        this.domains = activeDirectorySecurityRealm.domains;
        this.groupLookupStrategy = activeDirectorySecurityRealm.getGroupLookupStrategy();
        this.descriptor = activeDirectorySecurityRealm.m93getDescriptor();

        // Fall back to a (0, 0) configuration when the realm has none, and rebuild the
        // configuration from its own size/TTL when either cache instance is missing.
        CacheConfiguration effectiveCache = activeDirectorySecurityRealm.cache;
        if (effectiveCache == null) {
            effectiveCache = new CacheConfiguration(0, 0);
        }
        boolean cacheInstanceMissing = effectiveCache.getUserCache() == null || effectiveCache.getGroupCache() == null;
        if (cacheInstanceMissing) {
            effectiveCache = new CacheConfiguration(effectiveCache.getSize(), effectiveCache.getTtl());
        }
        this.cache = effectiveCache;
        this.userCache = effectiveCache.getUserCache();
        this.groupCache = effectiveCache.getGroupCache();

        // Bounded queue with DiscardPolicy: once the queue is full, further cache-update
        // tasks are dropped without any error or log entry.
        ArrayBlockingQueue<Runnable> pendingUpdates = new ArrayBlockingQueue<>(queueSize);
        NamingThreadFactory workerFactory = new NamingThreadFactory(new DaemonThreadFactory(), "ActiveDirectory.updateUserCache");
        ThreadPoolExecutor.DiscardPolicy dropWhenSaturated = new ThreadPoolExecutor.DiscardPolicy();
        this.threadPoolExecutor = new ThreadPoolExecutor(corePoolSize, maxPoolSize, keepAliveTime, TimeUnit.MILLISECONDS, pendingUpdates, workerFactory, dropWhenSaturated);

        // Timeouts go in first so that the realm's environment properties override them.
        Map<String, String> realmProperties = ActiveDirectorySecurityRealm.EnvironmentProperty.toMap(activeDirectorySecurityRealm.environmentProperties);
        this.props.put(LDAP_CONNECT_TIMEOUT, System.getProperty(LDAP_CONNECT_TIMEOUT, DEFAULT_LDAP_CONNECTION_TIMEOUT));
        this.props.put(LDAP_READ_TIMEOUT, System.getProperty(LDAP_READ_TIMEOUT, DEFAULT_LDAP_READ_TIMEOUT));
        this.props.putAll(realmProperties);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Tries each configured domain in order and returns the first successful result.
     *
     * <p>When every domain fails, the collected failures decide what is thrown: a single
     * bad-credentials failure is rethrown as is, several are wrapped in a
     * {@code MultiCauseBadCredentialsException}, and with none the not-found failures are
     * rethrown or wrapped in the same way.
     *
     * @param str username being looked up
     * @param usernamePasswordAuthenticationToken authentication token, passed through to the per-domain lookup
     * @return the user details from the first domain that resolves the user
     * @throws AuthenticationException when no domain resolves the user
     */
    @Override // hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider
    public UserDetails retrieveUser(String str, UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken) throws AuthenticationException {
        try {
            // Left as raw lists: the element types expected by the MultiCause* constructors
            // are not visible in this file.
            ArrayList rejectedCredentials = new ArrayList();
            ArrayList unknownUser = new ArrayList();
            for (ActiveDirectoryDomain candidate : this.domains) {
                try {
                    return retrieveUser(str, usernamePasswordAuthenticationToken, candidate);
                } catch (UsernameNotFoundException missing) {
                    unknownUser.add(missing);
                } catch (BadCredentialsException rejected) {
                    LOGGER.log(Level.WARNING, String.format("Credential exception trying to authenticate against %s domain", candidate.getName()), rejected);
                    rejectedCredentials.add(rejected);
                }
            }

            // Credential failures take precedence over "not found" failures.
            int rejections = rejectedCredentials.size();
            if (rejections == 1) {
                throw ((BadCredentialsException) rejectedCredentials.get(0));
            }
            if (rejections != 0) {
                throw new MultiCauseBadCredentialsException("Either no such user '" + str + "' or incorrect password", rejectedCredentials);
            }

            if (unknownUser.size() == 1) {
                throw ((UsernameNotFoundException) unknownUser.get(0));
            }
            if (!Util.filter(unknownUser, UserMayOrMayNotExistException.class).isEmpty()) {
                throw new MultiCauseUserMayOrMayNotExistException("We can't tell if the user exists or not: " + str, unknownUser);
            }
            if (unknownUser.isEmpty()) {
                // No failure of either kind was recorded, so the domain loop never ran.
                throw new AssertionError("No domain is configured");
            }
            throw new MultiCauseUserNotFoundException("No such user: " + str, unknownUser);
        } catch (AuthenticationException failure) {
            LOGGER.log(Level.FINE, String.format("Failed to retrieve user %s", str), failure);
            throw failure;
        }
    }

    /**
     * Reports whether the domain has a bind name configured.
     *
     * @param activeDirectoryDomain domain to inspect
     * @return {@code true} when {@code getBindName()} is non-null
     */
    @Override // hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider
    protected boolean canRetrieveUserByName(ActiveDirectoryDomain activeDirectoryDomain) {
        String configuredBindName = activeDirectoryDomain.getBindName();
        return configuredBindName != null;
    }

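    /**
     * Resolves a user in one domain, with this plugin's class loader installed as the thread
     * context class loader for the duration of the lookup.
     *
     * <p>A {@code null} token means a lookup by name only; the internal
     * {@code NO_AUTHENTICATION} sentinel then stands in for the password.
     *
     * @param str username being looked up
     * @param usernamePasswordAuthenticationToken token carrying the submitted password, or {@code null}
     * @param activeDirectoryDomain domain to search
     * @return the resolved user details
     * @throws AuthenticationException when the lookup fails or the submitted credentials are rejected
     */
    private UserDetails retrieveUser(String str, UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken, ActiveDirectoryDomain activeDirectoryDomain) throws AuthenticationException {
        final Thread currentThread = Thread.currentThread();
        final ClassLoader previousLoader = currentThread.getContextClassLoader();
        currentThread.setContextClassLoader(getClass().getClassLoader());
        try {
            String password = NO_AUTHENTICATION;
            if (usernamePasswordAuthenticationToken != null) {
                password = (String) usernamePasswordAuthenticationToken.getCredentials();
                // The four-argument overload matches the sentinel by value and then skips
                // password validation, so a submitted password must never be allowed to
                // collide with it.
                if (NO_AUTHENTICATION.equals(password)) {
                    throw new BadCredentialsException("Invalid password supplied for user " + str);
                }
            }
            return retrieveUser(str, password, activeDirectoryDomain, obtainLDAPServers(activeDirectoryDomain));
        } finally {
            // Restore on every exit path, including a failed lookup.
            currentThread.setContextClassLoader(previousLoader);
        }
    }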

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Asks the descriptor for the LDAP servers of a domain.
     *
     * @param activeDirectoryDomain domain whose servers are wanted
     * @return the servers reported by the descriptor
     * @throws AuthenticationServiceException when the descriptor lookup fails with a {@link NamingException}
     */
    public List<SocketInfo> obtainLDAPServers(ActiveDirectoryDomain activeDirectoryDomain) throws AuthenticationServiceException {
        List<SocketInfo> servers;
        try {
            servers = this.descriptor.obtainLDAPServer(activeDirectoryDomain);
        } catch (NamingException lookupFailure) {
            LOGGER.log(Level.WARNING, "Failed to find the LDAP service", lookupFailure);
            String message = "Failed to find the LDAP service for the domain " + activeDirectoryDomain.getName();
            throw new AuthenticationServiceException(message, lookupFailure);
        }
        return servers;
    }

    /**
     * Looks up a user in one domain through {@code userCache} and, when a real password is
     * supplied, authenticates that user.
     *
     * <p>On a cache miss the loader binds to the directory (with the domain's bind
     * name/password when one is configured, otherwise as the user), searches for the account
     * by userPrincipalName and then sAMAccountName, re-binds as the user's DN to validate the
     * password when a bind account was used, resolves groups and builds an
     * {@link ActiveDirectoryUserDetail}. A freshly loaded entry also schedules
     * {@code updateUserInfo()} on the thread pool.
     *
     * <p>NOTE(review): security-relevant points visible in this method:
     * <ul>
     *   <li>The cache key embeds an unsalted SHA-1 hex digest of the password, and the cached
     *       details are constructed with the password itself (it is later compared with
     *       {@code getPassword()}). Password material therefore stays in memory for the
     *       lifetime of the cache entry; check the configured cache TTL and size.</li>
     *   <li>{@code NO_AUTHENTICATION} is matched with {@code String.equals}. A password with
     *       the same content skips the DN re-bind and the cached-password comparison below,
     *       so callers must reject that value before it reaches this method.</li>
     *   <li>Any {@link NamingException} during the lookup is reported as
     *       {@link BadCredentialsException}, so directory failures look like failed logins.</li>
     * </ul>
     *
     * @param str username as entered
     * @param str2 password, or the {@code NO_AUTHENTICATION} sentinel for a name-only lookup
     * @param activeDirectoryDomain domain to search
     * @param list LDAP servers to bind to
     * @return the cached or freshly loaded user details
     */
    @SuppressFBWarnings(value = {"ES_COMPARING_PARAMETER_STRING_WITH_EQ"}, justification = "Intentional instance check.")
    public UserDetails retrieveUser(final String str, final String str2, final ActiveDirectoryDomain activeDirectoryDomain, final List<SocketInfo> list) {
        // Cache key: username + "@@" + SHA-1 hex of the password. It is computed before the
        // loader's empty-password check runs.
        String str3 = str + "@@" + DigestUtils.sha1Hex(str2);
        final String bindName = activeDirectoryDomain.getBindName();
        final String plainText = activeDirectoryDomain.getBindPassword().getPlainText();
        try {
            // One-element holder: the loader stores its result here, so a non-null slot after
            // the cache call means the entry was loaded just now rather than served from cache.
            final ActiveDirectoryUserDetail[] activeDirectoryUserDetailArr = new ActiveDirectoryUserDetail[1];
            UserDetails userDetails = (UserDetails) this.userCache.get(str3, new Callable<UserDetails>() { // from class: hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.1
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.util.concurrent.Callable
                public UserDetails call() throws AuthenticationException {
                    DirContext bind;
                    // z is true only for a name-only lookup with no bind account configured.
                    boolean z = false;
                    if (StringUtils.isEmpty(str2)) {
                        throw new BadCredentialsException("Empty password");
                    }
                    String principalName = ActiveDirectoryUnixAuthenticationProvider.this.getPrincipalName(str, activeDirectoryDomain.getName());
                    // 64 is '@': the part before it is used for the sAMAccountName fallback.
                    String substring = principalName.substring(0, principalName.indexOf(64));
                    if (bindName != null) {
                        // A bind account is configured: search with it and validate the user's
                        // password separately further down.
                        try {
                            bind = ActiveDirectoryUnixAuthenticationProvider.this.descriptor.bind(bindName, plainText, list, ActiveDirectoryUnixAuthenticationProvider.this.props);
                            z = false;
                        } catch (BadCredentialsException e) {
                            throw new AuthenticationServiceException("Failed to bind to LDAP server with the bind name/password", e);
                        }
                    } else {
                        // NOTE(review): the sentinel is compared by value, not by identity.
                        if (str2.equals(ActiveDirectoryUnixAuthenticationProvider.NO_AUTHENTICATION)) {
                            z = true;
                        }
                        // No bind account: bind as the user. A name-only lookup binds with an
                        // empty password instead of the sentinel.
                        try {
                            bind = ActiveDirectoryUnixAuthenticationProvider.this.descriptor.bind(principalName, z ? "" : str2, list, ActiveDirectoryUnixAuthenticationProvider.this.props);
                        } catch (BadCredentialsException e2) {
                            if (z) {
                                throw new UserMayOrMayNotExistException("Unable to retrieve the user information without bind DN/password configured");
                            }
                            throw e2;
                        }
                    }
                    try {
                        try {
                            String dc = ActiveDirectoryUnixAuthenticationProvider.toDC(activeDirectoryDomain.getName());
                            // The user-derived value is passed as the {0} filter argument, not
                            // concatenated into the filter string.
                            Attributes searchOne = new LDAPSearchBuilder(bind, dc).subTreeScope().searchOne("(& (userPrincipalName={0})(objectCategory=user))", principalName);
                            if (searchOne == null) {
                                ActiveDirectoryUnixAuthenticationProvider.LOGGER.log(Level.FINE, "Failed to find {0} in userPrincipalName. Trying sAMAccountName", principalName);
                                searchOne = new LDAPSearchBuilder(bind, dc).subTreeScope().searchOne("(& (sAMAccountName={0})(objectCategory=user))", substring);
                                if (searchOne == null) {
                                    throw new UsernameNotFoundException("Authentication was successful but cannot locate the user information for " + str);
                                }
                            }
                            // NOTE(review): writes the user's full attribute set to the log at FINE.
                            ActiveDirectoryUnixAuthenticationProvider.LOGGER.fine("Found user " + str + " : " + searchOne);
                            Object obj = searchOne.get(ActiveDirectoryUnixAuthenticationProvider.DN_FORMATTED).get();
                            if (obj == null) {
                                throw new AuthenticationServiceException("No distinguished name for " + str);
                            }
                            String obj2 = obj.toString();
                            String ldapName = new LdapName(obj2).toString();
                            // Password validation when the search used the bind account: re-bind
                            // as the user's DN with the supplied password and run one search.
                            // NOTE(review): skipped whenever the password equals the sentinel by value.
                            if (bindName != null && !str2.equals(ActiveDirectoryUnixAuthenticationProvider.NO_AUTHENTICATION)) {
                                ActiveDirectoryUnixAuthenticationProvider.LOGGER.log(Level.FINE, "Attempting to validate password for DN={0}", obj2);
                                DirContext bind2 = ActiveDirectoryUnixAuthenticationProvider.this.descriptor.bind(ldapName, str2, list, ActiveDirectoryUnixAuthenticationProvider.this.props);
                                try {
                                    new LDAPSearchBuilder(bind2, dc).searchOne("(& (userPrincipalName={0})(objectCategory=user))", principalName);
                                    ActiveDirectoryUnixAuthenticationProvider.this.closeQuietly(bind2);
                                } catch (Throwable th) {
                                    ActiveDirectoryUnixAuthenticationProvider.this.closeQuietly(bind2);
                                    throw th;
                                }
                            }
                            Set resolveGroups = ActiveDirectoryUnixAuthenticationProvider.this.resolveGroups(dc, ldapName, bind);
                            resolveGroups.add(SecurityRealm.AUTHENTICATED_AUTHORITY);
                            // The password is handed to the user-detail object that ends up in the cache.
                            activeDirectoryUserDetailArr[0] = new ActiveDirectoryUserDetail(str, str2, true, true, true, true, (GrantedAuthority[]) resolveGroups.toArray(new GrantedAuthority[resolveGroups.size()]), ActiveDirectoryUnixAuthenticationProvider.this.getStringAttribute(searchOne, "displayName"), ActiveDirectoryUnixAuthenticationProvider.this.getStringAttribute(searchOne, "mail"), ActiveDirectoryUnixAuthenticationProvider.this.getStringAttribute(searchOne, "telephoneNumber"));
                            UserDetails userDetails2 = activeDirectoryUserDetailArr[0];
                            ActiveDirectoryUnixAuthenticationProvider.this.closeQuietly(bind);
                            return userDetails2;
                        } catch (Throwable th2) {
                            ActiveDirectoryUnixAuthenticationProvider.this.closeQuietly(bind);
                            throw th2;
                        }
                    } catch (NamingException e3) {
                        // A name-only lookup that the server refuses because no successful bind
                        // took place is reported as "may or may not exist"; the match is on the
                        // message text.
                        // NOTE(review): getMessage() is dereferenced without a null check.
                        if (z && e3.getMessage().contains("successful bind must be completed") && e3.getMessage().contains("000004DC")) {
                            throw new UserMayOrMayNotExistException("Unable to retrieve the user information without bind DN/password configured");
                        }
                        ActiveDirectoryUnixAuthenticationProvider.LOGGER.log(Level.WARNING, String.format("Failed to retrieve user information for %s", str), e3);
                        throw new BadCredentialsException("Failed to retrieve user information for " + str, e3);
                    }
                }
            });
            // Only a fresh load (cache miss) schedules the background refresh.
            if (activeDirectoryUserDetailArr[0] != null) {
                this.threadPoolExecutor.execute(new Runnable() { // from class: hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.2
                    @Override // java.lang.Runnable
                    public void run() {
                        // Tag the worker thread with the username while the update runs and
                        // restore the original name afterwards, on success or failure.
                        String name = Thread.currentThread().getName();
                        Thread.currentThread().setName(name + " updating-cache-for-user-" + activeDirectoryUserDetailArr[0].getUsername());
                        ActiveDirectoryUnixAuthenticationProvider.LOGGER.log(Level.FINEST, "Starting the cache update {0}", new Date());
                        try {
                            long currentTimeMillis = System.currentTimeMillis();
                            activeDirectoryUserDetailArr[0].updateUserInfo();
                            ActiveDirectoryUnixAuthenticationProvider.LOGGER.log(Level.FINEST, "Finished the cache update {0}", new Date());
                            ActiveDirectoryUnixAuthenticationProvider.LOGGER.log(Level.FINE, "The cache for user {0} took {1} msec", new Object[]{activeDirectoryUserDetailArr[0].getUsername(), String.valueOf(System.currentTimeMillis() - currentTimeMillis)});
                            Thread.currentThread().setName(name);
                        } catch (Throwable th) {
                            Thread.currentThread().setName(name);
                            throw th;
                        }
                    }
                });
            }
            // Final gate: the entry is returned for a null or sentinel password, a null entry,
            // or when the supplied password equals the one stored in the entry.
            // NOTE(review): the comparison is String.equals on the plaintext password.
            if (str2 == null || str2.equals(NO_AUTHENTICATION) || userDetails == null || str2.equals(userDetails.getPassword())) {
                return userDetails;
            }
            throw new BadCredentialsException("Failed to retrieve user information from the cache for " + str);
        } catch (UncheckedExecutionException e) {
            // Unwrap authentication failures raised inside the loader.
            // NOTE(review): as decompiled, getCause() is assigned without a cast; treat the
            // declared type of 'cause' as a decompiler artifact.
            AuthenticationException cause = e.getCause();
            if (cause instanceof AuthenticationException) {
                throw cause;
            }
            throw new CacheAuthenticationException("Authentication failed because there was a problem caching user " + str, e);
        } catch (ExecutionException e2) {
            LOGGER.log(Level.SEVERE, "There was a problem caching user " + str, (Throwable) e2);
            throw new CacheAuthenticationException("Authentication failed because there was a problem caching user " + str, e2);
        }
    }

    /**
     * Resolves a group name to {@link GroupDetails} through {@code groupCache}; on a cache
     * miss each configured domain is searched by {@code cn} and then by {@code sAMAccountName}.
     *
     * <p>NOTE(review): the decompiler reported "Finally extract failed" for the loader below,
     * so the printed control flow is not a faithful reconstruction of the bytecode: the
     * locals {@code bind}, {@code dc} and {@code searchOne} are read after paths that never
     * assign them, and the cleanup calls appear duplicated. Verify any conclusion drawn from
     * this method against the original source or the bytecode.
     *
     * @param str group name to look up
     * @return details for the group
     */
    @Override // hudson.plugins.active_directory.GroupDetailsService
    public GroupDetails loadGroupByGroupname(final String str) {
        try {
            return (GroupDetails) this.groupCache.get(str, new Callable<ActiveDirectoryGroupDetails>() { // from class: hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.3
                /* JADX WARN: Can't rename method to resolve collision */
                /* JADX WARN: Finally extract failed */
                @Override // java.util.concurrent.Callable
                public ActiveDirectoryGroupDetails call() {
                    DirContext bind;
                    String dc;
                    Attributes searchOne;
                    for (ActiveDirectoryDomain activeDirectoryDomain : ActiveDirectoryUnixAuthenticationProvider.this.domains) {
                        if (activeDirectoryDomain == null) {
                            throw new UserMayOrMayNotExistException("Unable to retrieve group information without bind DN/password configured");
                        }
                        // Run the lookup with this plugin's class loader as the context loader.
                        ClassLoader contextClassLoader = Thread.currentThread().getContextClassLoader();
                        Thread.currentThread().setContextClassLoader(getClass().getClassLoader());
                        try {
                            try {
                                // Always binds with the domain's bind account.
                                // NOTE(review): unlike retrieveUser, this bind call is not given
                                // this.props; confirm whether this overload still applies the
                                // LDAP connect/read timeouts.
                                bind = ActiveDirectoryUnixAuthenticationProvider.this.descriptor.bind(activeDirectoryDomain.getBindName(), activeDirectoryDomain.getBindPassword().getPlainText(), ActiveDirectoryUnixAuthenticationProvider.this.obtainLDAPServers(activeDirectoryDomain));
                                try {
                                    try {
                                        dc = ActiveDirectoryUnixAuthenticationProvider.toDC(activeDirectoryDomain.getName());
                                        // The group name is passed as the {0} filter argument.
                                        searchOne = new LDAPSearchBuilder(bind, dc).subTreeScope().searchOne("(& (cn={0})(objectCategory=group))", str);
                                    } catch (NamingException e) {
                                        // NOTE(review): the message says "user information" although a
                                        // group is being searched, and a directory error is reported
                                        // as bad credentials.
                                        ActiveDirectoryUnixAuthenticationProvider.LOGGER.log(Level.WARNING, String.format("Failed to retrieve user information for %s", str), e);
                                        throw new BadCredentialsException("Failed to retrieve user information for " + str, e);
                                    }
                                } catch (Throwable th) {
                                    ActiveDirectoryUnixAuthenticationProvider.this.closeQuietly(bind);
                                    throw th;
                                }
                            } catch (Throwable th2) {
                                Thread.currentThread().setContextClassLoader(contextClassLoader);
                                throw th2;
                            }
                        } catch (UsernameNotFoundException e2) {
                            ActiveDirectoryUnixAuthenticationProvider.LOGGER.log(Level.WARNING, String.format("Failed to find the group %s in %s domain", str, activeDirectoryDomain.getName()), e2);
                            Thread.currentThread().setContextClassLoader(contextClassLoader);
                        } catch (AuthenticationException e3) {
                            ActiveDirectoryUnixAuthenticationProvider.LOGGER.log(Level.WARNING, String.format("Failed to find the group %s in %s domain", str, activeDirectoryDomain.getName()), e3);
                            Thread.currentThread().setContextClassLoader(contextClassLoader);
                        }
                        // NOTE(review): as printed, a group that matches neither cn nor
                        // sAMAccountName still falls through to the "Found group" return
                        // below. That is most likely a decompilation artifact (a lost jump to
                        // the next domain); confirm that the real code does not report
                        // unknown groups as existing.
                        if (searchOne == null) {
                            ActiveDirectoryUnixAuthenticationProvider.LOGGER.log(Level.FINE, "Failed to find {0} in cn. Trying sAMAccountName", str);
                            searchOne = new LDAPSearchBuilder(bind, dc).subTreeScope().searchOne("(& (sAMAccountName={0})(objectCategory=group))", str);
                            if (searchOne == null) {
                                ActiveDirectoryUnixAuthenticationProvider.this.closeQuietly(bind);
                                Thread.currentThread().setContextClassLoader(contextClassLoader);
                            }
                        }
                        ActiveDirectoryUnixAuthenticationProvider.LOGGER.log(Level.FINE, "Found group {0} : {1}", new Object[]{str, searchOne});
                        // The returned details carry only the requested name, not the directory entry.
                        ActiveDirectoryGroupDetails activeDirectoryGroupDetails = new ActiveDirectoryGroupDetails(str);
                        ActiveDirectoryUnixAuthenticationProvider.this.closeQuietly(bind);
                        Thread.currentThread().setContextClassLoader(contextClassLoader);
                        return activeDirectoryGroupDetails;
                    }
                    ActiveDirectoryUnixAuthenticationProvider.LOGGER.log(Level.WARNING, "Exhausted all configured domains and could not authenticate against any");
                    throw new UserMayOrMayNotExistException(str);
                }
            });
        } catch (ExecutionException e) {
            LOGGER.log(Level.SEVERE, String.format("There was a problem caching group %s", str), (Throwable) e);
            throw new CacheAuthenticationException("Authentication failed because there was a problem caching group " + str, e);
        } catch (UncheckedExecutionException e2) {
            // Unwrap authentication failures raised inside the loader.
            // NOTE(review): as decompiled, getCause() is assigned without a cast; treat the
            // declared type of 'cause' as a decompiler artifact.
            AuthenticationException cause = e2.getCause();
            if (cause instanceof AuthenticationException) {
                throw cause;
            }
            throw new CacheAuthenticationException("Authentication failed because there was a problem caching group " + str, e2);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Closes a directory context, logging instead of propagating a close failure.
     *
     * @param dirContext context to close; {@code null} is ignored
     */
    public void closeQuietly(DirContext dirContext) {
        if (dirContext == null) {
            return;
        }
        try {
            dirContext.close();
        } catch (NamingException closeFailure) {
            // Best effort: a failed close is recorded at INFO and otherwise ignored.
            LOGGER.log(Level.INFO, "Failed to close DirContext: " + dirContext, closeFailure);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Reads one attribute as a string.
     *
     * @param attributes attribute set to read from
     * @param str attribute name
     * @return the attribute's value via {@code toString()}, or {@code null} when the attribute
     *         or its value is absent
     * @throws NamingException when the value cannot be read
     */
    public String getStringAttribute(Attributes attributes, String str) throws NamingException {
        Attribute named = attributes.get(str);
        if (named == null) {
            return null;
        }
        Object value = named.get();
        if (value == null) {
            return null;
        }
        return value.toString();
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Normalizes a login name to {@code account@domain} form.
     *
     * <p>{@code PREFIX\account} becomes {@code account@str2}: the typed prefix is dropped and
     * the configured domain name is used instead. A name that already contains {@code '@'} is
     * returned unchanged; anything else gets {@code '@' + str2} appended.
     *
     * @param str login name as entered
     * @param str2 domain name to append
     * @return the principal name
     */
    public String getPrincipalName(String str, String str2) {
        // A backslash at index 0 is deliberately not treated as a separator (> 0, not >= 0).
        int separator = str.indexOf('\\');
        if (separator > 0) {
            return str.substring(separator + 1) + '@' + str2;
        }
        if (str.contains("@")) {
            return str;
        }
        return str + '@' + str2;
    }

    /* JADX INFO: Access modifiers changed from: private */
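    /**
     * Collects the groups of a user as granted authorities.
     *
     * <p>Stage 1 reads the user's {@code tokenGroups} SIDs and resolves them to group
     * {@code cn} values with one search. Stage 2 depends on {@code groupLookupStrategy}:
     * TOKENGROUPS stops there, CHAIN runs the matching-rule-in-chain search, RECURSIVE walks
     * {@code memberOf}, and AUTO tries CHAIN first and switches this provider to RECURSIVE
     * when the chain search fails, times out or takes 10 seconds or longer.
     *
     * <p>Authorities are bare {@code cn} values, so groups that share a {@code cn} are
     * indistinguishable to callers.
     *
     * @param str base DN to search under
     * @param str2 distinguished name of the user
     * @param dirContext bound directory context
     * @return the resolved groups (mutable; the caller adds to it)
     * @throws NamingException when a directory operation fails
     */
    public Set<GrantedAuthority> resolveGroups(String str, String str2, DirContext dirContext) throws NamingException {
        // Escape '/' in the DN, presumably because JNDI parses a String name as a composite
        // name in which '/' separates components.
        if (str2.contains("/")) {
            str2 = str2.replace("/", "\\/");
        }
        Set<GrantedAuthority> groups = new HashSet<>();
        LOGGER.log(Level.FINER, "Looking up group of {0}", str2);
        Attributes userAttributes = dirContext.getAttributes(str2, new String[]{"tokenGroups", "memberOf", "CN"});
        Attribute tokenGroups = userAttributes.get("tokenGroups");
        if (tokenGroups == null) {
            LOGGER.log(Level.FINE, "Failed to retrieve tokenGroups for {0}", str2);
        } else {
            // Build "(|(objectSid={0})(objectSid={1})...)"; the SIDs travel as filter
            // arguments and are never concatenated into the filter text.
            StringBuilder filter = new StringBuilder("(|");
            List<Object> sids = new ArrayList<>();
            NamingEnumeration<?> sidValues = tokenGroups.getAll();
            try {
                while (sidValues.hasMore()) {
                    byte[] sid = (byte[]) sidValues.next();
                    filter.append("(objectSid={").append(sids.size()).append("})");
                    sids.add(sid);
                }
            } finally {
                // Close even when reading the values fails.
                sidValues.close();
            }
            filter.append(")");
            NamingEnumeration<SearchResult> matches = new LDAPSearchBuilder(dirContext, str).subTreeScope().returns("cn").search(filter.toString(), sids.toArray());
            try {
                parseMembers(str2, groups, matches);
            } finally {
                matches.close();
            }
        }
        LOGGER.fine("Stage 2: looking up via memberOf");
        while (true) {
            // Re-read the field on every pass: the AUTO branch may have just changed it.
            switch (this.groupLookupStrategy) {
                case TOKENGROUPS:
                    return groups;
                case AUTO: {
                    long startedAt = System.nanoTime();
                    boolean found = false;
                    long elapsedSeconds = 0;
                    try {
                        found = chainGroupLookup(str, str2, dirContext, groups);
                        elapsedSeconds = TimeUnit2.NANOSECONDS.toSeconds(System.nanoTime() - startedAt);
                    } catch (TimeLimitExceededException timeLimit) {
                        // Must precede the NamingException handler: it is a subclass, and
                        // listed after it this handler could never run.
                        LOGGER.log(Level.WARNING, "The LDAP request did not terminate within the specified time limit. AD will fall back to recursive lookup", timeLimit);
                    } catch (NamingException failure) {
                        String message = failure.getMessage();
                        if (message == null || !message.contains("LDAP response read timed out")) {
                            throw failure;
                        }
                        LOGGER.log(Level.WARNING, "LDAP response read time out. AD will fall back to recursive lookup", failure);
                    }
                    if (found) {
                        if (elapsedSeconds >= 10) {
                            LOGGER.log(Level.WARNING, "Group lookup via Active Directory's 'LDAP_MATCHING_RULE_IN_CHAIN' extension matched user's groups but took {0} seconds to run. Switching to recursive lookup for future group lookup queries", Long.valueOf(elapsedSeconds));
                            this.groupLookupStrategy = GroupLookupStrategy.RECURSIVE;
                        } else {
                            this.groupLookupStrategy = GroupLookupStrategy.CHAIN;
                        }
                        return groups;
                    }
                    if (elapsedSeconds >= 10) {
                        LOGGER.log(Level.WARNING, "Group lookup via Active Directory's 'LDAP_MATCHING_RULE_IN_CHAIN' extension timed out after {0} seconds. Falling back to recursive group lookup strategy for this and future queries", Long.valueOf(elapsedSeconds));
                    } else {
                        LOGGER.log(Level.WARNING, "Group lookup via Active Directory's 'LDAP_MATCHING_RULE_IN_CHAIN' extension failed. Falling back to recursive group lookup strategy for this and future queries");
                    }
                    this.groupLookupStrategy = GroupLookupStrategy.RECURSIVE;
                    // Leave the switch only; the loop runs the RECURSIVE branch next.
                    break;
                }
                case RECURSIVE:
                    recursiveGroupLookup(dirContext, userAttributes, groups);
                    return groups;
                case CHAIN:
                    chainGroupLookup(str, str2, dirContext, groups);
                    return groups;
                default:
                    // Without this, an unhandled strategy would spin in the loop forever.
                    throw new IllegalStateException("Unsupported group lookup strategy: " + this.groupLookupStrategy);
            }
        }
    }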

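    /**
     * Resolves all groups of a user, nested ones included, with a single search that uses
     * the matching rule OID 1.2.840.113556.1.4.1941 on {@code member}.
     *
     * @param str base DN to search under
     * @param str2 distinguished name of the user, passed as the filter argument
     * @param dirContext bound directory context
     * @param set receives one authority per group found
     * @return {@code false} when the search returned nothing, {@code true} otherwise
     * @throws NamingException when the search or the result iteration fails
     */
    private boolean chainGroupLookup(String str, String str2, DirContext dirContext, Set<GrantedAuthority> set) throws NamingException {
        NamingEnumeration<SearchResult> matches = new LDAPSearchBuilder(dirContext, str).subTreeScope().returns("cn").search("(member:1.2.840.113556.1.4.1941:={0})", str2);
        try {
            if (!matches.hasMore()) {
                return false;
            }
            parseMembers(str2, set, matches);
            return true;
        } finally {
            // The finally block is the only close; the success path no longer closes twice.
            matches.close();
        }
    }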

    /**
     * Walks {@code memberOf} transitively, starting from the given attributes, and adds the
     * {@code CN} of every group reached to {@code set}.
     *
     * <p>A group is expanded further only when its CN was newly added to {@code set}, which
     * also stops the walk on membership cycles. Groups are identified by CN alone.
     *
     * @param dirContext bound directory context used to read each group
     * @param attributes attributes of the starting entry
     * @param set receives one authority per group found
     * @throws NamingException when reading a group fails for a reason other than "not found"
     */
    private void recursiveGroupLookup(DirContext dirContext, Attributes attributes, Set<GrantedAuthority> set) throws NamingException {
        Stack<Attributes> pending = new Stack<>();
        pending.push(attributes);
        while (!pending.isEmpty()) {
            Attributes current = pending.pop();
            LOGGER.finer("Looking up group of " + current);
            Attribute memberOf = current.get("memberOf");
            if (memberOf == null) {
                continue;
            }
            for (int index = 0; index < memberOf.size(); index++) {
                try {
                    LOGGER.log(Level.FINE, "Trying to get the CN of {0}", memberOf.get(index));
                    Attributes parent = dirContext.getAttributes(new LdapName(memberOf.get(index).toString()), new String[]{"CN", "memberOf"});
                    Attribute parentCn = parent.get("CN");
                    if (parentCn == null) {
                        LOGGER.fine("Failed to obtain CN of " + memberOf.get(index));
                        continue;
                    }
                    if (LOGGER.isLoggable(Level.FINE)) {
                        LOGGER.fine(parentCn.get() + " is a member of " + memberOf.get(index));
                    }
                    boolean firstVisit = set.add(new GrantedAuthorityImpl(parentCn.get().toString()));
                    if (firstVisit) {
                        pending.push(parent);
                    }
                } catch (NameNotFoundException missing) {
                    // A group that cannot be read by name is skipped, not treated as fatal.
                    LOGGER.fine("Failed to obtain CN of " + memberOf.get(index));
                }
            }
        }
    }

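    /**
     * Adds the {@code cn} of every search result to {@code set} as a granted authority.
     *
     * <p>A {@link PartialResultException} ends the iteration with a warning instead of
     * failing the lookup. The resulting group set may then be incomplete, which matters to
     * any authorization rule that depends on a membership being present.
     *
     * @param str user the groups belong to; used in log messages only
     * @param set receives one authority per result
     * @param namingEnumeration search results to read; not closed here
     * @throws NamingException when reading a result fails for another reason
     */
    private void parseMembers(String str, Set<GrantedAuthority> set, NamingEnumeration<SearchResult> namingEnumeration) throws NamingException {
        // The try wraps the whole loop so that a PartialResultException raised by hasMore()
        // is handled the same way as one raised while reading a result.
        try {
            while (namingEnumeration.hasMore()) {
                Attribute cn = namingEnumeration.next().getAttributes().get("cn");
                if (LOGGER.isLoggable(Level.FINE)) {
                    LOGGER.fine(str + " is a member of " + cn);
                }
                // Skip results without a usable cn instead of failing the whole lookup.
                if (cn == null) {
                    continue;
                }
                Object value = cn.get();
                if (value != null) {
                    set.add(new GrantedAuthorityImpl(value.toString()));
                }
            }
        } catch (PartialResultException partial) {
            LOGGER.log(Level.WARNING, String.format("JENKINS-42687 Might be more members for user  %s", str), partial);
        }
    }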

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Converts a dotted domain name into a comma-separated list of {@code DC=} components,
     * for example {@code example.com} to {@code DC=example,DC=com}. Empty labels are skipped.
     *
     * <p>Labels are copied verbatim, with no DN escaping, so the domain name must come from
     * trusted configuration.
     *
     * @param str dotted domain name
     * @return the DC components joined by commas; empty when there are no labels
     */
    public static String toDC(String str) {
        List<String> components = new ArrayList<>();
        for (String label : str.split("\\.")) {
            if (!label.isEmpty()) {
                components.add("DC=" + label);
            }
        }
        return String.join(",", components);
    }
}
