package net.sf.michaelo.tomcat.realm;

import internal.org.apache.commons.lang3.ArrayUtils;
import internal.org.apache.commons.lang3.StringUtils;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.Name;
import javax.naming.NameParser;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.ReferralException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;
import net.sf.michaelo.dirctxsrc.DirContextSource;
import net.sf.michaelo.tomcat.realm.mapper.SamAccountNameRfc2247Mapper;
import net.sf.michaelo.tomcat.realm.mapper.UserPrincipalNameSearchMapper;
import net.sf.michaelo.tomcat.realm.mapper.UsernameSearchMapper;
import net.sf.michaelo.tomcat.utils.LdapUtils;
import org.apache.catalina.Context;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSName;

/* loaded from: input_file:net/sf/michaelo/tomcat/realm/ActiveDirectoryRealm.class */
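/**
 * A {@link GSSRealmBase} that turns an already Kerberos/SPNEGO-authenticated {@link GSSName}
 * into an {@link ActiveDirectoryPrincipal} by looking the account up in Active Directory via a
 * {@link DirContextSource}.
 * <p>
 * Authentication itself has happened before this realm is called (the {@link GSSContext} must be
 * established); this realm only resolves identity and authorization data:
 * <ul>
 * <li>the account entry (located through the {@link UsernameSearchMapper}s), its SID and the
 * {@code userAccountControl} disabled flag;</li>
 * <li>the SIDs (plus {@code sIDHistory}) of the security-enabled groups listed in the account's
 * {@code memberOf}, which become the principal's roles. Only direct memberships are resolved;
 * nested group membership is not expanded;</li>
 * <li>optionally the delegated GSS credential, which is stored on the principal and lets this
 * server act on the user's behalf towards other services — enable
 * {@code storeDelegatedCredential} only when that is actually needed.</li>
 * </ul>
 * A name that is not found in the directory still yields a principal carrying
 * {@link Sid#NULL_SID} and no roles; it is authenticated but cannot satisfy any role constraint.
 */
public class ActiveDirectoryRealm extends GSSRealmBase<DirContextSource> {

    /** Username-to-search strategies, tried in order; the first one yielding a hit wins. */
    private static final UsernameSearchMapper[] USERNAME_SEARCH_MAPPERS = {
            new SamAccountNameRfc2247Mapper(), new UserPrincipalNameSearchMapper() };

    /** Attributes always requested for the account entry; additional ones are appended. */
    private static final String[] DEFAULT_ATTRIBUTES = { "userAccountControl", "memberOf", "objectSid;binary" };

    /** Attributes requested for every group referenced by the account's {@code memberOf}. */
    private static final String[] GROUP_ATTRIBUTES = { "groupType", "objectSid;binary", "sIDHistory;binary" };

    /** {@code userAccountControl} flag ACCOUNTDISABLE: a disabled account must not log on. */
    private static final int UF_ACCOUNTDISABLE = 0x2;

    /** {@code groupType} flag GROUP_TYPE_SECURITY_ENABLED; distribution groups lack it. */
    private static final int GROUP_TYPE_SECURITY_ENABLED = 0x80000000;

    /**
     * Filter limiting hits to normal user and machine accounts (the two {@code sAMAccountType}
     * values). {@code %s} receives the fixed attribute name chosen by the mapper; the username is
     * supplied as JNDI filter argument {@code {0}} so the provider escapes it — it must never be
     * concatenated into the filter string.
     */
    private static final String USER_SEARCH_FILTER_PATTERN =
            "(&(|(sAMAccountType=805306368)(sAMAccountType=805306369))(%s={0}))";

    /** Extra attributes to read from the account entry and expose on the principal; may be null. */
    private String[] additionalAttributes;

    /** Whether a delegated GSS credential, if the client sent one, is kept on the principal. */
    protected boolean storeDelegatedCredential;

    /**
     * Result of resolving a {@link GSSName} against the directory (decompiler note: this nested
     * class was {@code protected} in the original source).
     */
    public static class User {
        private final GSSName gssName;
        private final Sid sid;
        /** DNs from the account's {@code memberOf}, i.e. direct group memberships; may be null. */
        private final List<String> roles;
        /** Values of the configured additional attributes, keyed by attribute name; may be null. */
        private final Map<String, Object> additionalAttributes;

        public User(GSSName gssName, Sid sid, List<String> roles, Map<String, Object> additionalAttributes) {
            this.gssName = gssName;
            this.sid = sid;
            this.roles = roles;
            this.additionalAttributes = additionalAttributes;
        }

        public GSSName getGssName() {
            return gssName;
        }

        public Sid getSid() {
            return sid;
        }

        public List<String> getRoles() {
            return roles;
        }

        public Map<String, Object> getAdditionalAttributes() {
            return additionalAttributes;
        }
    }

    public String getInfo() {
        return "net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm/2.0";
    }

    protected String getName() {
        return "ActiveDirectoryRealm";
    }

    /**
     * Sets the comma-separated list of extra attributes to read from the account entry.
     * Entries are trimmed and empty ones dropped; null or blank clears the list.
     *
     * @param additionalAttributes comma-separated attribute names, may be null
     */
    public void setAdditionalAttributes(String additionalAttributes) {
        if (additionalAttributes == null || additionalAttributes.trim().isEmpty()) {
            this.additionalAttributes = null;
            return;
        }
        List<String> names = new ArrayList<String>();
        for (String name : additionalAttributes.split(",")) {
            String trimmed = name.trim();
            if (!trimmed.isEmpty()) {
                names.add(trimmed);
            }
        }
        this.additionalAttributes = names.isEmpty() ? null : names.toArray(new String[names.size()]);
    }

    /**
     * Controls whether a delegated credential obtained from the GSS context is stored on the
     * principal. Such a credential allows impersonating the user towards other Kerberos services
     * for as long as the principal lives; leave it off unless the application needs it.
     */
    public void setStoreDelegatedCredential(boolean storeDelegatedCredential) {
        this.storeDelegatedCredential = storeDelegatedCredential;
    }

    /**
     * Initializes the realm and sanity-checks the directory resource: a context is obtained once
     * and its {@code java.naming.referral} setting inspected, warning about {@code follow} and
     * {@code throw} (the search code below only handles referral and partial-result exceptions
     * by logging them, so referrals are expected to be ignored).
     */
    public void init() {
        super.init();

        DirContextSource source;
        try {
            source = lookupResource();
        } catch (NamingException e) {
            // message key spelled as in the original build; presumably matches its resource bundle
            logger.error(sm.getString("activeDirectoryealm.lookupFailed", resourceName), e);
            return;
        }

        DirContext context;
        try {
            context = source.getDirContext();
        } catch (NamingException e) {
            logger.error(sm.getString("activeDirectoryRealm.obtainFailed", resourceName), e);
            return;
        }

        try {
            String referral = (String) context.getEnvironment().get("java.naming.referral");
            if ("follow".equals(referral)) {
                logger.warn(sm.getString("activeDirectoryRealm.referralFollow"));
            } else if ("throw".equals(referral)) {
                logger.warn(sm.getString("activeDirectoryRealm.referralThrow"));
            }
        } catch (NamingException e) {
            logger.error(sm.getString("activeDirectoryRealm.environmentFailed"), e);
        } finally {
            LdapUtils.close(context);
        }
    }

    /**
     * Resolves an authenticated name without a delegated credential.
     *
     * @param gssName the authenticated initiator name
     * @return the principal, or null if the account is disabled, ambiguous or lookup failed
     * @throws NullPointerException if {@code gssName} is null
     */
    @Override // net.sf.michaelo.tomcat.realm.GSSRealmBase
    public Principal authenticate(GSSName gssName) {
        return authenticateInternal(gssName, null);
    }

    /**
     * Resolves the initiator of an established GSS context. The context must be fully
     * established: only then is {@link GSSContext#getSrcName()} an authenticated identity.
     * The delegated credential is extracted only if {@link #storeDelegatedCredential} is set and
     * the client actually delegated one.
     *
     * @param gssContext the established context
     * @return the principal, or null if the context could not be inspected or lookup failed
     * @throws NullPointerException if {@code gssContext} is null
     * @throws IllegalStateException if the context is not established
     */
    @Override // net.sf.michaelo.tomcat.realm.GSSRealmBase
    public Principal authenticate(GSSContext gssContext) {
        if (gssContext == null) {
            throw new NullPointerException("gssContext cannot be null");
        }
        if (!gssContext.isEstablished()) {
            throw new IllegalStateException("gssContext is not fully established");
        }

        try {
            GSSName srcName = gssContext.getSrcName();
            GSSCredential delegatedCredential = null;
            if (storeDelegatedCredential) {
                if (gssContext.getCredDelegState()) {
                    delegatedCredential = gssContext.getDelegCred();
                } else if (logger.isDebugEnabled()) {
                    logger.debug(sm.getString("activeDirectoryRealm.credentialNotDelegable", srcName));
                }
            }
            return authenticateInternal(srcName, delegatedCredential);
        } catch (GSSException e) {
            logger.error(sm.getString("realm.inquireFailed"), e);
            return null;
        }
    }

    /**
     * Looks the name up in the directory and builds the principal.
     * <ul>
     * <li>anonymous names get {@link Sid#ANONYMOUS_SID} and no roles;</li>
     * <li>names not found in the directory get {@link Sid#NULL_SID} and no roles (see
     * {@link #getUser});</li>
     * <li>disabled or duplicate accounts and any directory error yield null, i.e. a denied
     * login.</li>
     * </ul>
     * The directory context is always closed, including on the anonymous path (the original
     * leaked it there).
     */
    private Principal authenticateInternal(GSSName gssName, GSSCredential delegatedCredential) {
        if (gssName == null) {
            throw new NullPointerException("gssName cannot be null");
        }

        DirContextSource source;
        try {
            source = lookupResource();
        } catch (NamingException e) {
            // message key spelled as in the original build; presumably matches its resource bundle
            logger.error(sm.getString("activeDirectoryealm.lookupFailed", resourceName), e);
            return null;
        }

        DirContext context;
        try {
            context = source.getDirContext();
        } catch (NamingException e) {
            logger.error(sm.getString("activeDirectoryRealm.obtainFailed", resourceName), e);
            return null;
        }

        try {
            if (gssName.isAnonymous()) {
                return new ActiveDirectoryPrincipal(gssName, Sid.ANONYMOUS_SID, delegatedCredential);
            }

            User user = getUser(context, gssName);
            if (user == null) {
                return null;
            }
            if (user.getSid().equals(Sid.NULL_SID)) {
                // Authenticated by Kerberos but unknown to this directory: no roles can be assigned.
                return new ActiveDirectoryPrincipal(gssName, user.getSid(), delegatedCredential);
            }
            return new ActiveDirectoryPrincipal(gssName, user.getSid(), delegatedCredential,
                    getRoles(context, user), user.getAdditionalAttributes());
        } catch (NamingException e) {
            logger.error(sm.getString("activeDirectoryRealm.principalSearchFailed", gssName), e);
            return null;
        } finally {
            LdapUtils.close(context);
        }
    }

    /**
     * Checks a role against the principal's resolved group SIDs. When the realm is attached to a
     * {@link Context}, the web application's role mapping is applied first. Any principal that is
     * not an {@link ActiveDirectoryPrincipal} has no role.
     */
    public boolean hasRole(Principal principal, String role) {
        if (principal == null || role == null || !(principal instanceof ActiveDirectoryPrincipal)) {
            return false;
        }

        ActiveDirectoryPrincipal adPrincipal = (ActiveDirectoryPrincipal) principal;
        boolean hasRole;
        if (container instanceof Context) {
            hasRole = adPrincipal.hasRole(((Context) container).findRoleMapping(role));
        } else {
            hasRole = adPrincipal.hasRole(role);
        }

        if (logger.isDebugEnabled()) {
            String key = hasRole ? "activeDirectoryRealm.hasRole" : "activeDirectoryRealm.hasNotRole";
            logger.debug(sm.getString(key, principal, role));
        }
        return hasRole;
    }

    /**
     * Locates the account entry for {@code gssName}, trying each {@link UsernameSearchMapper} in
     * turn with a subtree search restricted to user and machine accounts.
     *
     * @return a {@link User} with the account's SID, direct group DNs and additional attributes; a
     *         {@link User} with {@link Sid#NULL_SID} and null lists if no mapper found an entry;
     *         null if the account is disabled or more than one entry matched (both are logged)
     * @throws NamingException on directory errors or when a required attribute is missing
     */
    protected User getUser(DirContext context, GSSName gssName) throws NamingException {
        SearchControls searchCtls = new SearchControls();
        searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        searchCtls.setReturningAttributes(requestedAttributes());

        String searchBase = null;
        String mapperName = null;
        NamingEnumeration<SearchResult> results = null;

        for (UsernameSearchMapper mapper : USERNAME_SEARCH_MAPPERS) {
            mapperName = mapper.getClass().getSimpleName();
            UsernameSearchMapper.MappedValues mapped = mapper.map(context, gssName);
            searchBase = getRelativeName(context, mapped.getSearchBase());
            String searchAttributeName = mapped.getSearchAttributeName();
            String searchUsername = mapped.getSearchUsername();
            String searchFilter = String.format(USER_SEARCH_FILTER_PATTERN, searchAttributeName);

            if (logger.isDebugEnabled()) {
                logger.debug(sm.getString("activeDirectoryRealm.usernameSearch", searchUsername, searchBase,
                        searchAttributeName, mapperName));
            }

            try {
                results = context.search(searchBase, searchFilter, new Object[] { searchUsername }, searchCtls);
            } catch (ReferralException e) {
                logger.warn(sm.getString("activeDirectoryRealm.user.referralException", mapperName,
                        e.getRemainingName(), e.getReferralInfo()));
                // No enumeration to inspect for this mapper; the original fell through to
                // hasMore() on a null reference here. Try the next mapper instead.
                results = null;
                continue;
            }

            boolean found;
            try {
                found = results.hasMore();
            } catch (PartialResultException e) {
                // Referral remainder we do not follow; count it as "nothing found" for this mapper.
                logger.debug(sm.getString("activeDirectoryRealm.user.partialResultException", mapperName,
                        e.getRemainingName()));
                found = false;
            }
            if (found) {
                break;
            }

            if (logger.isDebugEnabled()) {
                logger.debug(sm.getString("activeDirectoryRealm.userNotMapped", gssName, mapperName));
            }
            LdapUtils.close(results);
            results = null;
        }

        if (results == null) {
            logger.info(sm.getString("activeDirectoryRealm.userNotFound", gssName));
            // Caller still issues a principal for this name, but with NULL_SID and no roles.
            return new User(gssName, Sid.NULL_SID, null, null);
        }

        try {
            SearchResult result = results.next();

            boolean duplicate;
            try {
                duplicate = results.hasMore();
            } catch (PartialResultException e) {
                // Same situation as in the loop: a referral after the single hit. Treat the hit as
                // unique rather than failing the login — TODO confirm this matches deployments.
                logger.debug(sm.getString("activeDirectoryRealm.user.partialResultException", mapperName,
                        e.getRemainingName()));
                duplicate = false;
            }
            if (duplicate) {
                // Ambiguous identity: refuse rather than pick one.
                logger.error(sm.getString("activeDirectoryRealm.duplicateUser", gssName));
                return null;
            }

            Attributes attributes = result.getAttributes();
            int userAccountControl = Integer.parseInt(requiredString(attributes, "userAccountControl"));
            if ((userAccountControl & UF_ACCOUNTDISABLE) != 0) {
                logger.warn(sm.getString("activeDirectoryRealm.userFoundButDisabled", gssName));
                return null;
            }

            LdapName distinguishedName = getDistinguishedName(context, searchBase, result);
            Sid sid = new Sid(requiredBinary(attributes, "objectSid;binary"));
            if (logger.isDebugEnabled()) {
                logger.debug(sm.getString("activeDirectoryRealm.userFound", gssName, distinguishedName, sid));
            }

            List<String> groupDns = new ArrayList<String>();
            for (Object value : valuesOf(attributes.get("memberOf"))) {
                groupDns.add((String) value);
            }

            return new User(gssName, sid, groupDns, collectAdditionalAttributes(attributes));
        } finally {
            LdapUtils.close(results);
        }
    }

    /**
     * Converts the account's direct group memberships into role names: the SID of every
     * security-enabled group, followed by the SIDs in its {@code sIDHistory}. Distribution
     * groups are skipped; groups behind referrals or partial results are logged and skipped.
     * Nested memberships are not expanded.
     *
     * @throws NamingException on directory errors or when a group lacks {@code groupType}/SID
     */
    protected List<String> getRoles(DirContext context, User user) throws NamingException {
        List<String> roles = new ArrayList<String>();

        if (logger.isDebugEnabled()) {
            logger.debug(sm.getString("activeDirectoryRealm.retrievingRoles", user.getGssName()));
        }

        List<String> groupDns = user.getRoles();
        if (groupDns != null) {
            for (String groupDn : groupDns) {
                try {
                    Attributes attributes = context.getAttributes(getRelativeName(context, groupDn), GROUP_ATTRIBUTES);
                    int groupType = Integer.parseInt(requiredString(attributes, "groupType"));
                    if ((groupType & GROUP_TYPE_SECURITY_ENABLED) == 0) {
                        if (logger.isTraceEnabled()) {
                            logger.trace(sm.getString("activeDirectoryRealm.skippingDistributionRole", groupDn));
                        }
                        continue;
                    }

                    String sid = new Sid(requiredBinary(attributes, "objectSid;binary")).toString();
                    List<String> sidHistory = new ArrayList<String>();
                    for (Object value : valuesOf(attributes.get("sIDHistory;binary"))) {
                        sidHistory.add(new Sid((byte[]) value).toString());
                    }

                    roles.add(sid);
                    roles.addAll(sidHistory);

                    if (logger.isTraceEnabled()) {
                        if (sidHistory.isEmpty()) {
                            logger.trace(sm.getString("activeDirectoryRealm.foundRoleConverted", groupDn, sid));
                        } else {
                            logger.trace(sm.getString("activeDirectoryRealm.foundRoleConverted.withSidHistory",
                                    groupDn, sid, sidHistory));
                        }
                    }
                } catch (ReferralException e) {
                    logger.warn(sm.getString("activeDirectoryRealm.role.referralException", groupDn,
                            e.getRemainingName(), e.getReferralInfo()));
                } catch (PartialResultException e) {
                    logger.debug(sm.getString("activeDirectoryRealm.role.partialResultException", groupDn,
                            e.getRemainingName()));
                }
            }
        }

        if (logger.isDebugEnabled()) {
            logger.debug(sm.getString("activeDirectoryRealm.foundRolesCount", Integer.valueOf(roles.size()),
                    user.getGssName()));
        }
        if (logger.isTraceEnabled()) {
            logger.trace(sm.getString("activeDirectoryRealm.foundRoles", user.getGssName(), roles));
        }
        return roles;
    }

    /**
     * Reconstructs the absolute DN of a search result. Relative results are named relative to
     * {@code searchBase}, which in turn is relative to the context's own name; non-relative
     * results carry an LDAP URL whose path (minus the leading slash) is the DN.
     *
     * @throws InvalidNameException if the URL form cannot be parsed
     */
    protected LdapName getDistinguishedName(DirContext context, String searchBase, SearchResult result)
            throws NamingException {
        NameParser parser = context.getNameParser("");

        if (result.isRelative()) {
            LdapName dn = (LdapName) parser.parse(context.getNameInNamespace());
            dn.addAll(parser.parse(searchBase));
            // getName() is a composite name whose single component is the RDN sequence
            dn.addAll(parser.parse(new CompositeName(result.getName()).get(0)));
            return dn;
        }

        String name = result.getName();
        try {
            String path = new URI(name).getPath();
            if (path == null || path.length() < 1) {
                throw new InvalidNameException(sm.getString("activeDirectoryRealm.unparseableName", name));
            }
            return (LdapName) parser.parse(path.substring(1));
        } catch (URISyntaxException e) {
            InvalidNameException ine = new InvalidNameException(
                    sm.getString("activeDirectoryRealm.unparseableName", name));
            ine.setRootCause(e);
            throw ine;
        }
    }

    /**
     * Strips the components of the context's own name from an absolute DN so the remainder can be
     * used as a name relative to the context. LDAP names index from the root (index 0 is the
     * rightmost RDN). Common root components are removed first; the second pass additionally
     * drops components matching the leaf end of the remaining context name (kept as in the
     * original; presumably for bases given relative to a deeper naming context — TODO confirm).
     */
    protected String getRelativeName(DirContext context, String distinguishedName) throws NamingException {
        NameParser parser = context.getNameParser("");
        Name contextName = parser.parse(context.getNameInNamespace());
        Name name = parser.parse(distinguishedName);

        while (Math.min(name.size(), contextName.size()) != 0 && name.get(0).equals(contextName.get(0))) {
            name.remove(0);
            contextName.remove(0);
        }

        while (Math.min(name.size(), contextName.size()) != 0) {
            int last = contextName.size() - 1;
            if (!name.get(0).equals(contextName.get(last))) {
                break;
            }
            name.remove(0);
            contextName.remove(last);
        }

        return name.toString();
    }

    /** Default attributes plus the configured additional ones, for {@code setReturningAttributes}. */
    private String[] requestedAttributes() {
        if (additionalAttributes == null || additionalAttributes.length == 0) {
            return DEFAULT_ATTRIBUTES;
        }
        List<String> all = new ArrayList<String>(DEFAULT_ATTRIBUTES.length + additionalAttributes.length);
        Collections.addAll(all, DEFAULT_ATTRIBUTES);
        Collections.addAll(all, additionalAttributes);
        return all.toArray(new String[all.size()]);
    }

    /**
     * Copies the configured additional attributes out of the entry: single-valued attributes map
     * to their value, multi-valued ones to an unmodifiable list; absent or empty ones are omitted.
     */
    private Map<String, Object> collectAdditionalAttributes(Attributes attributes) throws NamingException {
        if (additionalAttributes == null || additionalAttributes.length == 0) {
            return Collections.emptyMap();
        }
        Map<String, Object> extra = new HashMap<String, Object>();
        for (String name : additionalAttributes) {
            Attribute attribute = attributes.get(name);
            if (attribute == null || attribute.size() == 0) {
                continue;
            }
            if (attribute.size() > 1) {
                extra.put(name, Collections.unmodifiableList(valuesOf(attribute)));
            } else {
                extra.put(name, attribute.get());
            }
        }
        return extra;
    }

    /** All values of an attribute (empty for null/empty), with the enumeration always closed. */
    private static List<Object> valuesOf(Attribute attribute) throws NamingException {
        List<Object> values = new ArrayList<Object>();
        if (attribute == null || attribute.size() == 0) {
            return values;
        }
        NamingEnumeration<?> all = attribute.getAll();
        try {
            while (all.hasMore()) {
                values.add(all.next());
            }
        } finally {
            LdapUtils.close(all);
        }
        return values;
    }

    /** First value of a mandatory string attribute; a missing attribute is a directory error, not an NPE. */
    private static String requiredString(Attributes attributes, String name) throws NamingException {
        return (String) requiredValue(attributes, name);
    }

    /** First value of a mandatory binary attribute (request it with the {@code ;binary} option). */
    private static byte[] requiredBinary(Attributes attributes, String name) throws NamingException {
        return (byte[]) requiredValue(attributes, name);
    }

    private static Object requiredValue(Attributes attributes, String name) throws NamingException {
        Attribute attribute = attributes.get(name);
        if (attribute == null || attribute.size() == 0) {
            throw new NamingException("Required attribute '" + name + "' is missing from the entry");
        }
        return attribute.get();
    }
}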
