package jp.ikedam.jenkins.plugins.ldap_sasl;

import hudson.Extension;
import hudson.Util;
import hudson.model.AutoCompletionCandidates;
import hudson.model.Descriptor;
import hudson.security.AbstractPasswordBasedSecurityRealm;
import hudson.security.GroupDetails;
import hudson.security.SecurityRealm;
import hudson.util.FormValidation;
import java.net.URI;
import java.net.URISyntaxException;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.naming.Context;
import javax.naming.InvalidNameException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.LdapName;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationServiceException;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.userdetails.UsernameNotFoundException;
import org.apache.commons.lang.StringUtils;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.springframework.dao.DataAccessException;

/* loaded from: input_file:jp/ikedam/jenkins/plugins/ldap_sasl/LdapSaslSecurityRealm.class */
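/**
 * Jenkins security realm that authenticates users against an LDAP server with a SASL bind
 * and resolves the user's DN and group memberships with LDAP searches.
 *
 * <p>Two untrusted inputs reach LDAP search filters here: the login name (via
 * {@link #resolveUserDn}) and, indirectly, the DN returned by the directory (via
 * {@link #getGroupSearchQuery}). Both are escaped per RFC 4515 before substitution so
 * that filter metacharacters cannot alter the query.
 *
 * <p>Every {@link LdapContext} opened by {@link #connectToLdap} is closed by the caller
 * ({@link #authenticate} / {@link #loadUserByUsername}) in a {@code finally} block.
 */
public class LdapSaslSecurityRealm extends AbstractPasswordBasedSecurityRealm {
    private static final Logger LOGGER = Logger.getLogger(LdapSaslSecurityRealm.class.getName());

    /** Separator accepted between items of the list-valued form fields: whitespace and/or commas. */
    protected static final String SEPERATOR_PATTERN = "[\\s,]+";

    // Trimmed, non-blank LDAP URIs as entered. May be null when an older persisted config
    // is loaded by reflection without running this initializer, so getters are null-safe.
    private final List<String> ldapUriList = new ArrayList<String>();
    // Trimmed, non-blank SASL mechanism names in the order given.
    private final List<String> mechanismList;
    // Passed to the JNDI LDAP provider as com.sun.jndi.ldap.connect.timeout (milliseconds).
    private final int connectionTimeout;
    // Passed to the JNDI LDAP provider as com.sun.jndi.ldap.read.timeout (milliseconds).
    private final int readTimeout;
    private final String userSearchBase;
    // Filter template; the login name is substituted for the "uid" macro (see expandUsername).
    private final String userQueryTemplate;
    private final String groupSearchBase;
    // Optional prefix prepended to every group "cn" before it becomes a GrantedAuthority.
    private final String groupPrefix;
    // Principal used for lookups that are not tied to an interactive login (loadUserByUsername).
    private final String queryUser;
    // NOTE(review): stored as a plain String; the persisted config.xml will contain it in
    // the clear unless the surrounding plugin wraps it elsewhere — confirm.
    private final String queryPassword;

    @Extension
    public static final class DescriptorImpl extends Descriptor<SecurityRealm> {
        // NOTE(review): "EXTERNAL " carries a trailing space in the original; tokens produced
        // by SEPERATOR_PATTERN never do, so it can never be matched as "already chosen" — confirm
        // whether the space is intentional.
        private static final String[] MECH_CANDIDATES = {"DIGEST-MD5", "CRAM-MD5", "PLAIN", "EXTERNAL "};

        @Override
        public String getDisplayName() {
            return Messages.LdapSaslSecurityRealm_DisplayName();
        }

        /** @return a copy of the SASL mechanism names offered for auto-completion. */
        public String[] getMechanismCandidates() {
            return MECH_CANDIDATES.clone();
        }

        /**
         * Offers mechanism candidates that start with the typed prefix and are not already
         * present in the field's current value.
         *
         * @param str  the prefix typed so far (blank matches everything)
         * @param str2 the field's current value, a SEPERATOR_PATTERN-separated list
         * @return the candidates to offer; never null
         */
        public AutoCompletionCandidates doAutoCompleteMechanisms(@QueryParameter String str, @QueryParameter String str2) {
            AutoCompletionCandidates candidates = new AutoCompletionCandidates();
            String[] alreadyChosen = str2 != null ? str2.split(LdapSaslSecurityRealm.SEPERATOR_PATTERN) : new String[0];
            String prefix = str != null ? str.toLowerCase(Locale.ROOT) : "";
            for (String mechanism : getMechanismCandidates()) {
                if (!StringUtils.isBlank(str) && !mechanism.toLowerCase(Locale.ROOT).startsWith(prefix)) {
                    continue;
                }
                // Reconstructed from a decompiled loop with an uninitialized index: a candidate
                // is offered only when it is not already one of the chosen tokens.
                if (!containsToken(alreadyChosen, mechanism)) {
                    candidates.add(mechanism);
                }
            }
            return candidates;
        }

        /** @return whether {@code wanted} equals one of the non-blank entries of {@code tokens}. */
        private static boolean containsToken(String[] tokens, String wanted) {
            for (String token : tokens) {
                if (!StringUtils.isBlank(token) && token.equals(wanted)) {
                    return true;
                }
            }
            return false;
        }

        /**
         * Validates one LDAP URI: scheme must be ldap/ldaps, port in range, no user-info,
         * query or fragment, and the path (if any) must parse as an LDAP DN.
         *
         * @param str the URI as entered
         * @return ERROR for an unusable URI, WARNING for ldaps (see the message), OK otherwise
         */
        public FormValidation doCheckLdapUriList(@QueryParameter String str) {
            if (StringUtils.isBlank(str)) {
                return FormValidation.error(Messages.LdapSaslSecurityRealm_LdapUriList_empty());
            }
            try {
                URI uri = new URI(StringUtils.trim(str));
                String scheme = uri.getScheme() != null ? uri.getScheme().toLowerCase(Locale.ROOT) : null;
                if (StringUtils.isBlank(scheme) || !("ldap".equals(scheme) || "ldaps".equals(scheme))) {
                    return FormValidation.error(Messages.LdapSaslSecurityRealm_LdapUriList_invalid("invalid scheme"));
                }
                int port = uri.getPort();
                if (port != -1 && (port < 1 || port > 65535)) {
                    return FormValidation.error(Messages.LdapSaslSecurityRealm_LdapUriList_invalid("Invalid port number"));
                }
                if (!StringUtils.isEmpty(uri.getUserInfo())) {
                    return FormValidation.error(Messages.LdapSaslSecurityRealm_LdapUriList_invalid("Cannot specify a user information."));
                }
                if (!StringUtils.isEmpty(uri.getQuery())) {
                    return FormValidation.error(Messages.LdapSaslSecurityRealm_LdapUriList_invalid("Cannot specify a query."));
                }
                if (!StringUtils.isEmpty(uri.getFragment())) {
                    return FormValidation.error(Messages.LdapSaslSecurityRealm_LdapUriList_invalid("Cannot specify a fragment."));
                }
                // The path component, minus its leading slash, is the base DN of the URI.
                String path = uri.getPath();
                if (path != null && path.startsWith("/")) {
                    path = path.substring(1);
                }
                if (!StringUtils.isEmpty(path)) {
                    try {
                        new LdapName(path);
                    } catch (InvalidNameException e) {
                        return FormValidation.error(Messages.LdapSaslSecurityRealm_LdapUriList_invalid(e.getMessage()));
                    }
                }
                return "ldaps".equals(scheme)
                        ? FormValidation.warning(Messages.LdapSaslSecurityRealm_LdapUriList_ldaps())
                        : FormValidation.ok();
            } catch (URISyntaxException e2) {
                return FormValidation.error(Messages.LdapSaslSecurityRealm_LdapUriList_invalid(e2.getMessage()));
            }
        }

        /**
         * Requires at least one non-blank mechanism name in the field.
         *
         * @param str the field value, a SEPERATOR_PATTERN-separated list
         * @return OK when at least one token is non-blank, ERROR otherwise
         */
        public FormValidation doCheckMechanisms(@QueryParameter String str) {
            if (StringUtils.isBlank(str)) {
                return FormValidation.error(Messages.LdapSaslSecurityRealm_Mechanisms_empty());
            }
            for (String token : str.split(LdapSaslSecurityRealm.SEPERATOR_PATTERN)) {
                if (!StringUtils.isBlank(token)) {
                    return FormValidation.ok();
                }
            }
            return FormValidation.error(Messages.LdapSaslSecurityRealm_Mechanisms_empty());
        }
    }

    /** @return the configured LDAP URIs as an unmodifiable list; empty (never null) when none. */
    public List<String> getLdapUriList() {
        if (this.ldapUriList == null) {
            return Collections.<String>emptyList();
        }
        return Collections.unmodifiableList(this.ldapUriList);
    }

    /**
     * Joins the configured URIs that pass {@link DescriptorImpl#doCheckLdapUriList} with a
     * space, which is the JNDI provider-URL form for a server list.
     *
     * @return the space-separated valid URIs, or null when none is valid
     */
    public String getValidLdapUris() {
        List<String> valid = new ArrayList<String>();
        DescriptorImpl descriptor = (DescriptorImpl) getDescriptor();
        for (String uri : getLdapUriList()) {
            if (descriptor.doCheckLdapUriList(uri).kind != FormValidation.Kind.ERROR) {
                valid.add(uri);
            }
        }
        // null (not "") is what callers test for with isBlank and what the view expects.
        return valid.isEmpty() ? null : StringUtils.join(valid, " ");
    }

    /** @return the configured SASL mechanisms as an unmodifiable list; empty (never null) when none. */
    public List<String> getMechanismList() {
        if (this.mechanismList == null) {
            return Collections.<String>emptyList();
        }
        return Collections.unmodifiableList(this.mechanismList);
    }

    /** @return the mechanisms joined with a space, the form JNDI expects for SECURITY_AUTHENTICATION. */
    public String getMechanisms() {
        return StringUtils.join(getMechanismList(), " ");
    }

    public int getConnectionTimeout() {
        return this.connectionTimeout;
    }

    public int getReadTimeout() {
        return this.readTimeout;
    }

    public String getUserSearchBase() {
        return this.userSearchBase;
    }

    public String getUserQueryTemplate() {
        return this.userQueryTemplate;
    }

    public String getGroupSearchBase() {
        return this.groupSearchBase;
    }

    public String getGroupPrefix() {
        return this.groupPrefix;
    }

    public String getQueryUser() {
        return this.queryUser;
    }

    public String getQueryPassword() {
        return this.queryPassword;
    }

    /**
     * Binds the form values. Blank URIs and mechanism tokens are dropped; string fields are
     * trimmed except the query password, which is stored verbatim.
     *
     * @param list LDAP URIs
     * @param str  SASL mechanisms, SEPERATOR_PATTERN-separated
     * @param i    connection timeout in milliseconds
     * @param i2   read timeout in milliseconds
     * @param str2 user search base DN
     * @param str3 user query filter template
     * @param str4 group search base DN
     * @param str5 group name prefix
     * @param str6 query user principal
     * @param str7 query user password
     */
    @DataBoundConstructor
    public LdapSaslSecurityRealm(List<String> list, String str, int i, int i2, String str2, String str3, String str4, String str5, String str6, String str7) {
        if (list != null) {
            for (String uri : list) {
                if (!StringUtils.isBlank(uri)) {
                    this.ldapUriList.add(StringUtils.trim(uri));
                }
            }
        }
        this.mechanismList = new ArrayList<String>();
        if (str != null) {
            for (String mechanism : str.split(SEPERATOR_PATTERN)) {
                if (!StringUtils.isBlank(mechanism)) {
                    this.mechanismList.add(StringUtils.trim(mechanism));
                }
            }
        }
        this.connectionTimeout = i;
        this.readTimeout = i2;
        this.userSearchBase = StringUtils.trim(str2);
        this.userQueryTemplate = StringUtils.trim(str3);
        this.groupSearchBase = StringUtils.trim(str4);
        this.groupPrefix = StringUtils.trim(str5);
        this.queryUser = StringUtils.trim(str6);
        this.queryPassword = str7;
    }

    /**
     * Opens an LDAP context with a SASL bind as the given principal. The caller owns the
     * returned context and must close it.
     *
     * @param str  bind principal (login name)
     * @param str2 bind credentials
     * @return a bound context
     * @throws AuthenticationServiceException when the realm is misconfigured or the bind
     *         fails for a reason other than the credentials
     * @throws BadCredentialsException when the server rejects the credentials
     */
    private LdapContext connectToLdap(String str, String str2) throws AuthenticationException {
        String servers = getValidLdapUris();
        if (StringUtils.isBlank(servers)) {
            LOGGER.severe("No valid LDAP URI is specified.");
            throw new AuthenticationServiceException("No valid LDAP URI is specified.");
        }
        String mechanisms = getMechanisms();
        if (StringUtils.isBlank(mechanisms)) {
            LOGGER.severe("No valid mechanism is specified.");
            throw new AuthenticationServiceException("No valid mechanism is specified.");
        }
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, servers);
        env.put(Context.SECURITY_PRINCIPAL, str);
        env.put(Context.SECURITY_CREDENTIALS, str2);
        env.put(Context.SECURITY_AUTHENTICATION, mechanisms);
        env.put("com.sun.jndi.ldap.connect.timeout", Integer.toString(getConnectionTimeout()));
        env.put("com.sun.jndi.ldap.read.timeout", Integer.toString(getReadTimeout()));
        // Only the principal is logged; the credential never reaches the log.
        LOGGER.fine("Authenticating with LDAP-SASL:");
        LOGGER.fine(String.format("username=%s", str));
        LOGGER.fine(String.format("servers=%s", servers));
        LOGGER.fine(String.format("mech=%s", mechanisms));
        try {
            return new InitialLdapContext(env, (Control[]) null);
        } catch (javax.naming.AuthenticationException e) {
            // Must precede the NamingException handler: it is a subclass, and the decompiled
            // order made this branch unreachable, reporting bad credentials as a service error.
            throw new BadCredentialsException(String.format("Authentication failed: %s", str), e);
        } catch (NamingException e2) {
            throw new AuthenticationServiceException(String.format("Authentication failed: %s", str), e2);
        }
    }

    /** Closes a context opened by {@link #connectToLdap}, logging (not propagating) any failure. */
    private static void closeQuietly(LdapContext ctx) {
        if (ctx == null) {
            return;
        }
        try {
            ctx.close();
        } catch (NamingException e) {
            LOGGER.log(Level.FINE, "Failed to close LDAP context", e);
        }
    }

    /**
     * Escapes a value for use inside an LDAP search filter (RFC 4515): backslash, '*', '(',
     * ')' and NUL become their {@code \xx} hex forms. Applied to every external value that is
     * substituted into a filter.
     *
     * @param value raw value; null is treated as the empty string
     * @return the escaped value
     */
    static String escapeFilterValue(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder escaped = new StringBuilder(value.length());
        for (int idx = 0; idx < value.length(); idx++) {
            char c = value.charAt(idx);
            switch (c) {
                case '\\':
                    escaped.append("\\5c");
                    break;
                case '*':
                    escaped.append("\\2a");
                    break;
                case '(':
                    escaped.append("\\28");
                    break;
                case ')':
                    escaped.append("\\29");
                    break;
                case '\u0000':
                    escaped.append("\\00");
                    break;
                default:
                    escaped.append(c);
            }
        }
        return escaped.toString();
    }

    /**
     * Finds the DN of the user whose login name is {@code str} with a subtree search under
     * the user search base. Exactly one match is required.
     *
     * @param ldapContext bound context
     * @param str         login name (escaped before it enters the filter)
     * @return the user's DN, or null when resolving is disabled, nothing or more than one
     *         entry matched, or the search failed (failure is logged at SEVERE)
     */
    @CheckForNull
    protected String resolveUserDn(LdapContext ldapContext, String str) {
        if (StringUtils.isBlank(getUserQueryTemplate())) {
            LOGGER.fine("Disabled resolving user DN as not configured.");
            return null;
        }
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            String filter = expandUsername(getUserQueryTemplate(), str);
            LOGGER.fine(String.format("Searching users base=%s, query=%s", getUserSearchBase(), filter));
            NamingEnumeration<SearchResult> results = ldapContext.search(Util.fixNull(getUserSearchBase()), filter, controls);
            try {
                if (!results.hasMoreElements()) {
                    LOGGER.warning(String.format("User not found: %s", str));
                    return null;
                }
                String dn = results.nextElement().getNameInNamespace();
                // Ambiguity is treated as "not found": silently picking one entry could map
                // the login to a different account.
                if (results.hasMoreElements()) {
                    LOGGER.warning(String.format("User found more than one: %s", str));
                    return null;
                }
                return dn;
            } finally {
                // Closed on every path; the original leaked the enumeration on early returns.
                results.close();
            }
        } catch (NamingException e) {
            LOGGER.log(Level.SEVERE, String.format("Failed to search user %s", str), e);
            return null;
        }
    }

    /**
     * Expands the "uid" macro of the user query template with the filter-escaped login name.
     *
     * @param str  the template
     * @param str2 the raw login name
     * @return the expanded filter
     */
    private String expandUsername(String str, String str2) {
        Map<String, String> macros = new HashMap<String, String>();
        // The login name comes straight from the login form; escape it so filter
        // metacharacters in it cannot rewrite the query.
        macros.put("uid", escapeFilterValue(str2));
        return Util.replaceMacro(str, macros);
    }

    /**
     * Collects the groups (groupOfUniqueNames / groupOfNames) that list the given DN as a
     * member, as authorities named by the group's {@code cn} with the configured prefix.
     *
     * @param ldapContext bound context
     * @param str         the user's DN; null yields an empty list
     * @return the authorities found so far; never null, possibly partial if the search failed
     *         (logged at WARNING)
     */
    @Nonnull
    protected List<GrantedAuthority> resolveGroup(LdapContext ldapContext, String str) {
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        if (str == null) {
            LOGGER.fine("Group cannot be resolved: DN of the user is not resolved!");
            return authorities;
        }
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            LOGGER.fine(String.format("Searching groups base=%s, dn=%s", getGroupSearchBase(), str));
            NamingEnumeration<SearchResult> results = ldapContext.search(Util.fixNull(getGroupSearchBase()), getGroupSearchQuery(str), controls);
            try {
                while (results.hasMoreElements()) {
                    SearchResult entry = results.nextElement();
                    Attribute cn = entry.getAttributes().get("cn");
                    if (cn == null) {
                        // The original dereferenced this unconditionally and would NPE here.
                        LOGGER.warning(String.format("Group entry without cn skipped: %s", entry.getNameInNamespace()));
                        continue;
                    }
                    String groupName = cn.get().toString();
                    if (getGroupPrefix() != null) {
                        groupName = getGroupPrefix() + groupName;
                    }
                    authorities.add(new GrantedAuthorityImpl(groupName));
                    LOGGER.fine(String.format("group: %s", groupName));
                }
            } finally {
                results.close();
            }
        } catch (NamingException e) {
            LOGGER.log(Level.WARNING, String.format("Failed to search groups for %s", str), e);
        }
        return authorities;
    }

    /**
     * Builds the group membership filter for a user DN.
     *
     * @param str the user's DN; filter-escaped because a DN may legally contain filter
     *            metacharacters such as parentheses or backslashes
     * @return the filter
     */
    protected String getGroupSearchQuery(String str) {
        return MessageFormat.format("(| (& (objectClass=groupOfUniqueNames) (uniqueMember={0}))(& (objectClass=groupOfNames) (member={0})))", escapeFilterValue(str));
    }

    /**
     * Resolves the DN and groups of {@code str} over the given context and wraps them in a
     * {@link LdapUser}.
     *
     * @param ldapContext bound context
     * @param str         login name
     * @param z           when true, an unresolvable DN still yields a user (used for an
     *                    interactive login that already proved its credentials by binding)
     * @return the user, or null when the DN could not be resolved and {@code z} is false
     */
    protected UserDetails createUserDetails(LdapContext ldapContext, String str, boolean z) {
        String userDn = resolveUserDn(ldapContext, str);
        if (userDn == null && !z) {
            return null;
        }
        LOGGER.fine(String.format("User DN is %s", userDn));
        List<GrantedAuthority> authorities = resolveGroup(ldapContext, userDn);
        LOGGER.fine("Authenticating succeeded.");
        return new LdapUser(str, "", userDn, true, true, true, true, authorities.toArray(new GrantedAuthority[0]));
    }

    /**
     * Authenticates an interactive login by binding as the user.
     *
     * @param str  login name
     * @param str2 password
     * @return the authenticated user
     * @throws BadCredentialsException for a blank name or empty password, or when the
     *         server rejects the bind
     * @throws AuthenticationServiceException on configuration or connectivity problems
     */
    @Override
    protected UserDetails authenticate(String str, String str2) throws AuthenticationException {
        // Never forward an empty credential: some directories complete an empty bind as an
        // anonymous (unauthenticated) session, which must not count as a successful login.
        if (StringUtils.isBlank(str) || StringUtils.isEmpty(str2)) {
            throw new BadCredentialsException(String.format("Authentication failed: %s", str));
        }
        LdapContext ctx = connectToLdap(str, str2);
        try {
            return createUserDetails(ctx, str, true);
        } finally {
            closeQuietly(ctx);
        }
    }

    /**
     * Looks a user up with the configured query account.
     *
     * @param str login name
     * @return the user, or null when no query account is configured or the DN cannot be
     *         resolved (NOTE(review): the interface contract expects
     *         UsernameNotFoundException instead of null — confirm what callers tolerate)
     */
    @Override
    public UserDetails loadUserByUsername(String str) throws UsernameNotFoundException, DataAccessException {
        if (StringUtils.isBlank(getQueryUser()) || getQueryPassword() == null) {
            return null;
        }
        LdapContext ctx = connectToLdap(getQueryUser(), getQueryPassword());
        try {
            return createUserDetails(ctx, str, false);
        } finally {
            closeQuietly(ctx);
        }
    }

    /** Group lookup by name is not supported by this realm. */
    @Override
    public GroupDetails loadGroupByGroupname(String str) throws UsernameNotFoundException, DataAccessException {
        return null;
    }
}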
