package net.sf.michaelo.tomcat.realm;

import internal.org.apache.commons.lang3.ArrayUtils;
import internal.org.apache.commons.lang3.StringUtils;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.Name;
import javax.naming.NameParser;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;
import net.sf.michaelo.dirctxsrc.DirContextSource;
import net.sf.michaelo.tomcat.realm.mapper.SamAccountNameRfc2247Mapper;
import net.sf.michaelo.tomcat.realm.mapper.UserPrincipalNameSearchMapper;
import net.sf.michaelo.tomcat.realm.mapper.UsernameSearchMapper;
import net.sf.michaelo.tomcat.utils.LdapUtils;
import org.apache.catalina.util.HexUtils;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:net/sf/michaelo/tomcat/realm/ActiveDirectoryRealm.class */
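/**
 * Tomcat realm that resolves an already GSS-API-authenticated name (Kerberos/SPNEGO)
 * to an Active Directory user entry over LDAP and derives the user's roles from its
 * group memberships.
 * <p>
 * The realm does not verify credentials itself: by the time {@link #authenticate} is
 * called the GSS name has been authenticated by the GSS layer. Here it is looked up in the
 * directory (sAMAccountName first, userPrincipalName as fallback), the entry's
 * {@code objectSid} and {@code memberOf} attributes are read, and the group DNs are turned
 * into role names. Disabled accounts are excluded by the LDAP filter. A name that does not
 * resolve to exactly one enabled entry is rejected ({@code null} principal); directory
 * failures are surfaced as {@link RuntimeException} rather than silently denying or allowing.
 */
public class ActiveDirectoryRealm extends GssAwareRealmBase<DirContextSource> {

    /**
     * Mappers tried in order to turn the GSS name into a search base, search attribute and
     * search value. The first mapper whose search yields a hit wins.
     */
    private static final UsernameSearchMapper[] USERNAME_SEARCH_MAPPERS = {
            new SamAccountNameRfc2247Mapper(), new UserPrincipalNameSearchMapper() };

    /**
     * Filter template for the user lookup. The search attribute name is substituted with
     * {@link String#format} because it is produced by a mapper (trusted code), whereas the
     * username is handed to JNDI as filter argument {@code {0}} so that the provider escapes
     * it; this keeps the client-controlled value from being interpreted as filter syntax.
     * The last clause uses the LDAP bit-AND matching rule ({@code 1.2.840.113556.1.4.803})
     * to exclude entries whose {@code userAccountControl} has the ACCOUNTDISABLE bit (2) set.
     */
    private static final String USER_SEARCH_FILTER =
            "(&(objectClass=user)(%s={0})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";

    /** Attributes requested from the user entry; only these two are read. */
    private static final String[] USER_ATTRIBUTES = { "memberOf", "objectSid;binary" };

    /**
     * Optional prefixes removed from the start of a group CN when it becomes a role name;
     * {@code null} when none are configured. See {@link #setStrippableRoleNamePrefixes}.
     */
    private String[] strippableRoleNamePrefixes;

    /**
     * Immutable snapshot of a resolved directory user: its GSS name, binary
     * {@code objectSid}, distinguished name and the raw {@code memberOf} group DNs
     * (exposed as {@link #getRoles()} before prefix stripping and CN extraction).
     */
    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:net/sf/michaelo/tomcat/realm/ActiveDirectoryRealm$User.class */
    public static class User {
        private final GSSName gssName;
        private final byte[] sid;
        private final LdapName dn;
        private final List<String> roles;

        /**
         * @param gssName the authenticated GSS name
         * @param sid the binary objectSid; defensively copied, may be {@code null}
         * @param dn the entry's distinguished name; cloned, must not be {@code null}
         * @param roles the group DNs from {@code memberOf}; copied into an unmodifiable
         *              list, {@code null} or empty becomes an empty list
         */
        public User(GSSName gssName, byte[] sid, LdapName dn, List<String> roles) {
            this.gssName = gssName;
            this.sid = ArrayUtils.clone(sid);
            this.dn = (LdapName) dn.clone();
            if (roles == null || roles.isEmpty()) {
                this.roles = Collections.emptyList();
            } else {
                // Copy before wrapping so a caller keeping the original list cannot
                // alter the roles after construction.
                this.roles = Collections.unmodifiableList(new ArrayList<String>(roles));
            }
        }

        public GSSName getGssName() {
            return this.gssName;
        }

        /** @return a fresh copy of the binary SID (the stored array is never exposed) */
        public byte[] getSid() {
            return ArrayUtils.clone(this.sid);
        }

        /** @return a clone of the distinguished name */
        public LdapName getDn() {
            return (LdapName) this.dn.clone();
        }

        /** @return unmodifiable list of group DNs as read from {@code memberOf} */
        public List<String> getRoles() {
            return this.roles;
        }
    }

    public String getInfo() {
        return "net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm/0.9";
    }

    protected String getName() {
        return "ActiveDirectoryRealm";
    }

    /**
     * Maps the user's group DNs to role names.
     * <p>
     * The role name is the value of the first {@code CN=} segment of each group DN (text
     * between {@code CN=} and the next comma), with the first matching configured prefix
     * removed. Every group yields exactly one role; a group DN without such a segment is
     * skipped with a warning instead of failing the whole authentication.
     * <p>
     * NOTE(review): the CN is extracted textually up to the first comma, so a group CN that
     * itself contains an escaped comma ({@code CN=Sales\, EMEA,...}) is truncated and could
     * collide with another role name. Parsing the DN with {@link LdapName} would be more
     * robust but would change existing role names, so it is left as is.
     *
     * @param user the resolved directory user, never {@code null}
     * @return the role names, possibly empty, never {@code null}
     * @throws NamingException not thrown by this implementation; kept for overriders
     */
    protected List<String> getRoles(User user) throws NamingException {
        List<String> roles = new ArrayList<String>();
        if (this.logger.isTraceEnabled()) {
            this.logger.trace(String.format("Retrieving roles for user '%s' with DN '%s'", user.getGssName(), user.getDn()));
        }
        for (String groupDn : user.getRoles()) {
            String roleName = StringUtils.substringBetween(groupDn, "CN=", ",");
            if (roleName == null) {
                // substringBetween returns null when "CN=" or the closing comma is missing;
                // skip rather than NPE on startsWith below.
                this.logger.warn(String.format("Ignoring group '%s' of user '%s': no CN segment found", groupDn, user.getGssName()));
                continue;
            }
            roles.add(stripRoleNamePrefix(roleName));
        }
        if (this.logger.isDebugEnabled()) {
            this.logger.debug(String.format("Found %s roles for user '%s'", Integer.valueOf(roles.size()), user.getGssName()));
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace(String.format("Found following roles %s for user '%s'", roles, user.getGssName()));
        }
        return roles;
    }

    /**
     * Removes the first configured prefix that the role name starts with. The name is
     * returned unchanged when no prefixes are configured or none matches. Each role is
     * emitted once; the previous implementation added one entry per configured prefix,
     * which both duplicated roles and granted the unstripped name alongside the stripped one.
     */
    private String stripRoleNamePrefix(String roleName) {
        String[] prefixes = this.strippableRoleNamePrefixes;
        if (prefixes == null) {
            return roleName;
        }
        for (String prefix : prefixes) {
            if (roleName.startsWith(prefix)) {
                return roleName.substring(prefix.length());
            }
        }
        return roleName;
    }

    /**
     * Role check that fails closed: only an {@link ActiveDirectoryPrincipal} produced by
     * this realm can carry roles; any other principal type, or a {@code null} role, yields
     * {@code false}.
     *
     * @param principal the principal to check, may be {@code null}
     * @param role the role name, may be {@code null}
     * @return whether the principal holds the role
     */
    public boolean hasRole(Principal principal, String role) {
        if (principal == null || role == null || !(principal instanceof ActiveDirectoryPrincipal)) {
            return false;
        }
        boolean hasRole = ((ActiveDirectoryPrincipal) principal).hasRole(role);
        if (this.logger.isDebugEnabled()) {
            // Messages were previously inverted (logged "does not have" on success).
            if (hasRole) {
                this.logger.debug(String.format("Principal '%s' has role '%s'", principal, role));
            } else {
                this.logger.debug(String.format("Principal '%s' does not have role '%s'", principal, role));
            }
        }
        return hasRole;
    }

    /**
     * Configures prefixes to strip from group CNs when they become role names.
     *
     * @param prefixes comma-separated list; empty tokens are dropped, whitespace is kept,
     *                 {@code null} clears the configuration
     */
    public void setStrippableRoleNamePrefixes(String prefixes) {
        this.strippableRoleNamePrefixes = StringUtils.split(prefixes, ",");
    }

    /**
     * Resolves an authenticated GSS name to a principal carrying SID, DN and roles.
     *
     * @param gssName the name authenticated by the GSS layer
     * @param oid the mechanism OID under which it was authenticated
     * @param gssCredential delegated credential, passed through to the principal
     * @return the principal, or {@code null} when the user is not found, disabled or
     *         ambiguous (see {@link #getUser})
     * @throws RuntimeException when the directory resource or a search fails; the error is
     *         surfaced instead of being turned into an authentication failure
     */
    @Override // net.sf.michaelo.tomcat.realm.GssAwareRealmBase
    public Principal authenticate(GSSName gssName, Oid oid, GSSCredential gssCredential) {
        DirContextSource dirContextSource;
        try {
            dirContextSource = lookupResource();
        } catch (NamingException e) {
            this.logger.error(String.format("Could not retrieve the DirContextSource '%s' from JNDI context", this.resourceName), e);
            throw new RuntimeException(String.format("Failed to retrieve resource '%s'", this.resourceName), e);
        }
        DirContext dirContext;
        try {
            dirContext = dirContextSource.getDirContext();
        } catch (NamingException e) {
            this.logger.error(String.format("Could not retrieve DirContext from DirContextSource '%s'", this.resourceName), e);
            throw new RuntimeException((Throwable) e);
        }
        try {
            User user = getUser(dirContext, gssName);
            if (user == null) {
                return null;
            }
            List<String> roles = getRoles(user);
            return new ActiveDirectoryPrincipal(gssName, oid, user.getSid(), user.getDn(), gssCredential, roles);
        } catch (NamingException e) {
            this.logger.error(String.format("Unable to perform principal search for user '%s'", gssName), e);
            throw new RuntimeException((Throwable) e);
        } finally {
            LdapUtils.close(dirContext);
        }
    }

    /**
     * Searches the directory for the enabled user entry matching the GSS name.
     * <p>
     * Each mapper in {@link #USERNAME_SEARCH_MAPPERS} is tried in turn; the first search
     * that returns at least one entry is used. The user is rejected ({@code null}) when no
     * mapper finds an entry, when more than one entry matches (ambiguous identity), or when
     * the entry lacks an {@code objectSid}. A missing {@code memberOf} (AD omits it for
     * users without group memberships) yields a user with no roles.
     *
     * @param dirContext the directory context to search in; not closed here
     * @param gssName the authenticated name to look up
     * @return the resolved user, or {@code null} when it must be rejected
     * @throws NamingException on directory errors
     */
    protected User getUser(DirContext dirContext, GSSName gssName) throws NamingException {
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        searchControls.setReturningAttributes(USER_ATTRIBUTES);
        String searchBase = null;
        NamingEnumeration<SearchResult> results = null;
        try {
            for (UsernameSearchMapper mapper : USERNAME_SEARCH_MAPPERS) {
                UsernameSearchMapper.MappedValues mapped = mapper.map(dirContext, gssName);
                searchBase = getRelativeName(dirContext, mapped.getSearchBase());
                String searchAttributeName = mapped.getSearchAttributeName();
                String searchUsername = mapped.getSearchUsername();
                // Username goes in as filter argument {0}, never concatenated into the filter.
                results = dirContext.search(searchBase, String.format(USER_SEARCH_FILTER, searchAttributeName),
                        new Object[] { searchUsername }, searchControls);
                if (results != null && results.hasMore()) {
                    break;
                }
                if (this.logger.isDebugEnabled()) {
                    this.logger.debug(String.format("Username '%s' in search base '%s' and search attribute '%s' with mapper '%s' not found, trying fallback",
                            searchUsername, searchBase, searchAttributeName, StringUtils.substringAfterLast(mapper.getClass().getName(), ".")));
                }
                LdapUtils.close((NamingEnumeration<?>) results);
                // Forget the closed enumeration so the checks below never touch it.
                results = null;
            }
            if (results == null || !results.hasMore()) {
                this.logger.info(String.format("User '%s' not found", gssName));
                return null;
            }
            SearchResult searchResult = results.next();
            if (results.hasMore()) {
                // Two entries for one name: refuse rather than pick one.
                this.logger.warn(String.format("User '%s' has multiple entries", gssName));
                return null;
            }
            LdapName distinguishedName = getDistinguishedName(dirContext, searchBase, searchResult);
            if (this.logger.isDebugEnabled()) {
                this.logger.debug(String.format("Entry found for user '%s' with DN '%s'", gssName, distinguishedName));
            }
            Attribute sidAttribute = searchResult.getAttributes().get("objectSid;binary");
            if (sidAttribute == null) {
                // The principal is keyed on the SID; an entry without one is not usable.
                this.logger.warn(String.format("User '%s' with DN '%s' has no objectSid", gssName, distinguishedName));
                return null;
            }
            byte[] sid = (byte[]) sidAttribute.get();
            if (this.logger.isDebugEnabled()) {
                this.logger.debug(String.format("Found SID '%s' for user '%s'", HexUtils.convert(sid), gssName));
            }
            List<String> groupDns = readGroupDns(searchResult.getAttributes().get("memberOf"));
            return new User(gssName, sid, distinguishedName, groupDns);
        } finally {
            if (results != null) {
                LdapUtils.close((NamingEnumeration<?>) results);
            }
        }
    }

    /**
     * Collects the string values of a {@code memberOf} attribute.
     *
     * @param memberOf the attribute, or {@code null} when the entry has no group memberships
     * @return the group DNs in attribute order, empty when the attribute is absent
     * @throws NamingException when the attribute values cannot be enumerated
     */
    private List<String> readGroupDns(Attribute memberOf) throws NamingException {
        List<String> groupDns = new ArrayList<String>();
        if (memberOf == null) {
            return groupDns;
        }
        NamingEnumeration<?> values = memberOf.getAll();
        try {
            while (values.hasMoreElements()) {
                groupDns.add((String) values.nextElement());
            }
        } finally {
            LdapUtils.close(values);
        }
        return groupDns;
    }

    /**
     * Builds the entry's full DN from a search result.
     * <p>
     * A relative result name is relative to the search base, which is itself relative to
     * the context's own name, so the DN is context name + search base + result name. A
     * non-relative name is, per the JNDI contract, a URL string; its path without the
     * leading slash is taken as the DN.
     *
     * @param dirContext context whose name parser and name-in-namespace are used
     * @param searchBase the (context-relative) base the search was run against
     * @param searchResult the result to compute the DN for
     * @return the DN; relies on the provider's name parser producing {@link LdapName}
     * @throws InvalidNameException when a non-relative name is not a usable URL
     * @throws NamingException on other naming errors
     */
    protected LdapName getDistinguishedName(DirContext dirContext, String searchBase, SearchResult searchResult) throws NamingException {
        NameParser parser = dirContext.getNameParser(StringUtils.EMPTY);
        String name = searchResult.getName();
        if (searchResult.isRelative()) {
            if (this.logger.isTraceEnabled()) {
                this.logger.trace(String.format("Search returned relative name '%s'", name));
            }
            Name dn = parser.parse(dirContext.getNameInNamespace()).addAll(parser.parse(searchBase));
            if (name.length() > 0) {
                // The result name is composite; its first component is the LDAP part. An
                // empty name means the entry is the search base itself, and get(0) on an
                // empty CompositeName would throw.
                dn.addAll(parser.parse(new CompositeName(name).get(0)));
            }
            return (LdapName) dn;
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace(String.format("Search returned absolute name '%s'", name));
        }
        String path;
        try {
            path = new URI(name).getPath();
        } catch (URISyntaxException e) {
            InvalidNameException ine = new InvalidNameException(String.format("Search returned unparseable absolute name '%s'", name));
            ine.initCause(e);
            throw ine;
        }
        // getPath() is null for opaque URIs; "/" alone would yield an empty DN.
        if (path == null || path.length() < 2) {
            throw new InvalidNameException(String.format("Search returned unparseable absolute name '%s'", name));
        }
        return (LdapName) parser.parse(path.substring(1));
    }

    /**
     * Makes a search base relative to the context's own name by removing the components
     * the two names share.
     * <p>
     * First the common leading components (as ordered by the provider's name parser) are
     * dropped from both names; then, while the base's first component equals the context
     * name's last remaining component, both are dropped as well. What remains of the base
     * is returned as a string. The algorithm is kept exactly as before; the second loop's
     * intent (handling overlapping rather than nested names) is inferred, not documented.
     *
     * @param dirContext context whose name-in-namespace the base is made relative to
     * @param searchBase the absolute search base
     * @return the search base relative to the context, possibly empty
     * @throws NamingException when either name cannot be parsed
     */
    protected String getRelativeName(DirContext dirContext, String searchBase) throws NamingException {
        NameParser parser = dirContext.getNameParser(StringUtils.EMPTY);
        Name contextName = parser.parse(dirContext.getNameInNamespace());
        Name base = parser.parse(searchBase);
        while (Math.min(base.size(), contextName.size()) != 0 && base.get(0).equals(contextName.get(0))) {
            base.remove(0);
            contextName.remove(0);
        }
        while (Math.min(base.size(), contextName.size()) != 0) {
            int last = contextName.size() - 1;
            if (!base.get(0).equals(contextName.get(last))) {
                break;
            }
            base.remove(0);
            contextName.remove(last);
        }
        return base.toString();
    }
}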
