package com.hazelcast.webmonitor.security.spi.impl.activedirectory;

import com.hazelcast.security.loginimpl.X509CertificateLoginModule;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.AuthenticationException;
import javax.naming.NamingException;
import javax.naming.OperationNotSupportedException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.dao.IncorrectResultSizeDataAccessException;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.DistinguishedName;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.DefaultDirObjectFactory;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.query.LdapQuery;
import org.springframework.ldap.query.LdapQueryBuilder;
import org.springframework.ldap.support.LdapUtils;
import org.springframework.security.authentication.AccountExpiredException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.ldap.SpringSecurityLdapTemplate;
import org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/classes/com/hazelcast/webmonitor/security/spi/impl/activedirectory/ActiveDirectoryAuthenticationProvider.class
 */
/* loaded from: input_file:com/hazelcast/webmonitor/security/spi/impl/activedirectory/ActiveDirectoryAuthenticationProvider.class */
public final class ActiveDirectoryAuthenticationProvider extends AbstractLdapAuthenticationProvider {
    private static final int USERNAME_NOT_FOUND = 1317;
    private static final int INVALID_PASSWORD = 1326;
    private static final int NOT_PERMITTED = 1328;
    private static final int PASSWORD_EXPIRED = 1330;
    private static final int ACCOUNT_DISABLED = 1331;
    private static final int ACCOUNT_EXPIRED = 1793;
    private static final int PASSWORD_NEEDS_RESET = 1907;
    private static final int ACCOUNT_LOCKED = 1909;
    private static final String LDAP_MATCHING_RULE_BIT_AND = ":1.2.840.113556.1.4.803:";
    private static final String LDAP_MATCHING_RULE_IN_CHAIN = ":1.2.840.113556.1.4.1941:";
    private static final String IS_GROUP = "(objectCategory=group)";
    private final String domain;
    private final String rootDn;
    private final String url;
    private final boolean nestedGroupSearch;
    private final int connTimeout;
    private boolean convertSubErrorCodesToExceptions;
    private String searchFilter = "(&(objectClass=user)(userPrincipalName={0}))";
    private ContextFactory contextFactory = new ContextFactory();
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) ActiveDirectoryAuthenticationProvider.class);
    private static final Pattern SUB_ERROR_CODE = Pattern.compile(".*data\\s([0-9a-f]{3,4}).*");
    private static final String SECURITY_GROUP_FLAG = String.valueOf(Integer.MIN_VALUE);
    private static final String IS_SECURITY_ENABLED = "(groupType:1.2.840.113556.1.4.803:=" + SECURITY_GROUP_FLAG + ")";

    /* JADX INFO: Access modifiers changed from: package-private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:WEB-INF/classes/com/hazelcast/webmonitor/security/spi/impl/activedirectory/ActiveDirectoryAuthenticationProvider$ContextFactory.class
     */
    /* loaded from: input_file:com/hazelcast/webmonitor/security/spi/impl/activedirectory/ActiveDirectoryAuthenticationProvider$ContextFactory.class */
    public static class ContextFactory {
        ContextFactory() {
        }

        DirContext createContext(Hashtable<?, ?> hashtable) throws NamingException {
            return new InitialLdapContext(hashtable, (Control[]) null);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ActiveDirectoryAuthenticationProvider(String str, String str2, boolean z, int i) {
        Assert.isTrue(StringUtils.hasText(str2), "Url cannot be empty");
        this.domain = StringUtils.hasText(str) ? str.toLowerCase() : null;
        this.url = str2;
        this.rootDn = this.domain == null ? null : rootDnFromDomain(this.domain);
        this.nestedGroupSearch = z;
        this.connTimeout = i;
    }

    @Override // org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider
    protected DirContextOperations doAuthentication(UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken) {
        String name = usernamePasswordAuthenticationToken.getName();
        DirContext bindAsUser = bindAsUser(name, (String) usernamePasswordAuthenticationToken.getCredentials());
        try {
            try {
                DirContextOperations searchForUser = searchForUser(bindAsUser, name);
                LdapUtils.closeContext(bindAsUser);
                return searchForUser;
            } catch (NamingException e) {
                LOGGER.error("Failed to locate directory entry for authenticated user: {}", name, e);
                throw badCredentials(e);
            }
        } catch (Throwable th) {
            LdapUtils.closeContext(bindAsUser);
            throw th;
        }
    }

    @Override // org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider
    protected Collection<? extends GrantedAuthority> loadUserAuthorities(DirContextOperations dirContextOperations, String str, String str2) {
        String[] stringAttributes = dirContextOperations.getStringAttributes("memberOf");
        HashSet hashSet = new HashSet();
        if (stringAttributes == null) {
            LOGGER.debug("No values for 'memberOf' attribute.");
        } else {
            LOGGER.debug("'memberOf' attribute values: {}", Arrays.asList(stringAttributes));
            for (String str3 : stringAttributes) {
                hashSet.add(new SimpleGrantedAuthority(new DistinguishedName(str3).removeLast().getValue()));
            }
        }
        LdapTemplate ldapTemplate = new LdapTemplate(createLdapContextSource(str, str2));
        ldapTemplate.setIgnorePartialResultException(true);
        if (this.nestedGroupSearch) {
            hashSet.addAll(getAdditionalRoles(dirContextOperations, ldapTemplate));
        }
        return hashSet;
    }

    private LdapContextSource createLdapContextSource(String str, String str2) {
        LdapContextSource ldapContextSource = new LdapContextSource();
        ldapContextSource.setUrl(this.url);
        ldapContextSource.setUserDn(createBindPrincipal(str));
        ldapContextSource.setPassword(str2);
        ldapContextSource.setBase(this.rootDn);
        ldapContextSource.setReferral("follow");
        ldapContextSource.afterPropertiesSet();
        return ldapContextSource;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v26, types: [java.util.List] */
    private Set<GrantedAuthority> getAdditionalRoles(DirContextOperations dirContextOperations, LdapTemplate ldapTemplate) {
        HashSet hashSet = new HashSet();
        String str = "(&(objectCategory=group)" + IS_SECURITY_ENABLED + "(member" + LDAP_MATCHING_RULE_IN_CHAIN + "={0}))";
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(2);
        LdapQuery filter = LdapQueryBuilder.query().filter(str, dirContextOperations.getDn());
        ArrayList arrayList = new ArrayList();
        try {
            arrayList = ldapTemplate.search("", filter.filter().toString(), searchControls, attributes -> {
                Attribute attribute = attributes.get(X509CertificateLoginModule.DEFAULT_ROLE_ATTRIBUTE);
                if (attribute != null) {
                    return attribute.get().toString();
                }
                return null;
            });
        } catch (Exception e) {
            LOGGER.error("LDAP search of nested groups failed.", (Throwable) e);
        }
        Iterator it = arrayList.iterator();
        while (it.hasNext()) {
            hashSet.add(new SimpleGrantedAuthority((String) it.next()));
        }
        LOGGER.debug("Authorities after LDAP search of nested groups: {}", hashSet);
        return hashSet;
    }

    private DirContext bindAsUser(String str, String str2) {
        LOGGER.debug("Binding as user {}", str);
        String str3 = this.url;
        Hashtable<?, ?> hashtable = new Hashtable<>();
        hashtable.put("java.naming.security.authentication", "simple");
        String createBindPrincipal = createBindPrincipal(str);
        hashtable.put("java.naming.security.principal", createBindPrincipal);
        hashtable.put("java.naming.provider.url", str3);
        hashtable.put("java.naming.security.credentials", str2);
        hashtable.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        hashtable.put("java.naming.factory.object", DefaultDirObjectFactory.class.getName());
        hashtable.put("java.naming.referral", "ignore");
        hashtable.put("com.sun.jndi.ldap.connect.timeout", String.valueOf(this.connTimeout));
        hashtable.put("com.sun.jndi.ldap.read.timeout", String.valueOf(this.connTimeout));
        try {
            return this.contextFactory.createContext(hashtable);
        } catch (NamingException e) {
            throw LdapUtils.convertLdapException(e);
        } catch (AuthenticationException | OperationNotSupportedException e2) {
            handleBindException(createBindPrincipal, e2);
            throw badCredentials(e2);
        }
    }

    private void handleBindException(String str, NamingException namingException) {
        LOGGER.debug("Authentication for {} failed.", str, namingException);
        int parseSubErrorCode = parseSubErrorCode(namingException.getMessage());
        if (parseSubErrorCode <= 0) {
            LOGGER.debug("Failed to locate AD-specific sub-error code in message");
            return;
        }
        LOGGER.info("Active Directory authentication failed: {}", subCodeToLogMessage(parseSubErrorCode));
        if (this.convertSubErrorCodesToExceptions) {
            raiseExceptionForErrorCode(parseSubErrorCode, namingException);
        }
    }

    private int parseSubErrorCode(String str) {
        Matcher matcher = SUB_ERROR_CODE.matcher(str);
        if (matcher.matches()) {
            return Integer.parseInt(matcher.group(1), 16);
        }
        return -1;
    }

    private void raiseExceptionForErrorCode(int i, NamingException namingException) {
        switch (i) {
            case PASSWORD_EXPIRED /* 1330 */:
                throw new CredentialsExpiredException(this.messages.getMessage("LdapAuthenticationProvider.credentialsExpired", "User credentials have expired"), namingException);
            case ACCOUNT_DISABLED /* 1331 */:
                throw new DisabledException(this.messages.getMessage("LdapAuthenticationProvider.disabled", "User is disabled"), namingException);
            case 1793:
                throw new AccountExpiredException(this.messages.getMessage("LdapAuthenticationProvider.expired", "User account has expired"), namingException);
            case ACCOUNT_LOCKED /* 1909 */:
                throw new LockedException(this.messages.getMessage("LdapAuthenticationProvider.locked", "User account is locked"), namingException);
            default:
                throw badCredentials(namingException);
        }
    }

    private String subCodeToLogMessage(int i) {
        switch (i) {
            case USERNAME_NOT_FOUND /* 1317 */:
                return "User was not found in directory";
            case INVALID_PASSWORD /* 1326 */:
                return "Supplied password was invalid";
            case NOT_PERMITTED /* 1328 */:
                return "User not permitted to logon at this time";
            case PASSWORD_EXPIRED /* 1330 */:
                return "Password has expired";
            case ACCOUNT_DISABLED /* 1331 */:
                return "Account is disabled";
            case 1793:
                return "Account expired";
            case PASSWORD_NEEDS_RESET /* 1907 */:
                return "User must reset password";
            case ACCOUNT_LOCKED /* 1909 */:
                return "Account locked";
            default:
                return "Unknown (error code " + Integer.toHexString(i) + ")";
        }
    }

    private BadCredentialsException badCredentials() {
        return new BadCredentialsException(this.messages.getMessage("LdapAuthenticationProvider.badCredentials", "Bad credentials"));
    }

    private BadCredentialsException badCredentials(Throwable th) {
        return (BadCredentialsException) badCredentials().initCause(th);
    }

    private DirContextOperations searchForUser(DirContext dirContext, String str) throws NamingException {
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(2);
        String createBindPrincipal = createBindPrincipal(str);
        String searchRootFromPrincipal = this.rootDn != null ? this.rootDn : searchRootFromPrincipal(createBindPrincipal);
        try {
            LOGGER.debug("Searching for bindPrincipal {} and user {}. Search root = {}.", createBindPrincipal, str, searchRootFromPrincipal);
            return SpringSecurityLdapTemplate.searchForSingleEntryInternal(dirContext, searchControls, searchRootFromPrincipal, this.searchFilter, new Object[]{createBindPrincipal, str});
        } catch (IncorrectResultSizeDataAccessException e) {
            if (e.getActualSize() != 0) {
                throw e;
            }
            throw badCredentials(new UsernameNotFoundException("User " + str + " not found in directory.", e));
        }
    }

    private String searchRootFromPrincipal(String str) {
        int lastIndexOf = str.lastIndexOf(64);
        if (lastIndexOf >= 0) {
            return rootDnFromDomain(str.substring(lastIndexOf + 1));
        }
        LOGGER.debug("User principal '{}' does not contain the domain, and no domain has been configured", str);
        throw badCredentials();
    }

    private String rootDnFromDomain(String str) {
        String[] strArr = StringUtils.tokenizeToStringArray(str, ".");
        StringBuilder sb = new StringBuilder();
        for (String str2 : strArr) {
            if (sb.length() > 0) {
                sb.append(',');
            }
            sb.append("dc=").append(str2);
        }
        return sb.toString();
    }

    private String createBindPrincipal(String str) {
        LOGGER.debug("Creating bind principal for {}", str);
        String str2 = (this.domain == null || str.contains("@")) ? str : str + "@" + this.domain;
        LOGGER.debug("Bind principal = {}", str2);
        return str2;
    }

    public void setConvertSubErrorCodesToExceptions(boolean z) {
        this.convertSubErrorCodesToExceptions = z;
    }

    public void setSearchFilter(String str) {
        Assert.hasText(str, "searchFilter must have text");
        this.searchFilter = str;
    }
}
