package org.apache.catalina.realm;

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.Name;
import javax.naming.NameNotFoundException;
import javax.naming.NameParser;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.ServiceUnavailableException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.filters.CorsFilter;
import org.ietf.jgss.GSSCredential;

/* loaded from: input_file:org/apache/catalina/realm/JNDIRealm.class */
public class JNDIRealm extends RealmBase {
    public static final String DEREF_ALIASES = "java.naming.ldap.derefAliases";

    @Deprecated
    protected static final String name = "JNDIRealm";
    protected String alternateURL;
    private String sslSocketFactoryClassName;
    private String cipherSuites;
    private String hostNameVerifierClassName;
    private String sslProtocol;
    protected String authentication = null;
    protected String connectionName = null;
    protected String connectionPassword = null;
    protected String connectionURL = null;
    protected DirContext context = null;
    protected String contextFactory = "com.sun.jndi.ldap.LdapCtxFactory";
    protected String derefAliases = null;
    protected String protocol = null;
    protected boolean adCompat = false;
    protected String referrals = null;
    protected String userBase = CorsFilter.DEFAULT_EXPOSED_HEADERS;
    protected String userSearch = null;
    private boolean userSearchAsUser = false;
    protected MessageFormat userSearchFormat = null;
    protected boolean userSubtree = false;
    protected String userPassword = null;
    protected String userRoleAttribute = null;
    protected String[] userPatternArray = null;
    protected String userPattern = null;
    protected MessageFormat[] userPatternFormatArray = null;
    protected String roleBase = CorsFilter.DEFAULT_EXPOSED_HEADERS;
    protected MessageFormat roleBaseFormat = null;
    protected MessageFormat roleFormat = null;
    protected String userRoleName = null;
    protected String roleName = null;
    protected String roleSearch = null;
    protected boolean roleSubtree = false;
    protected boolean roleNested = false;
    protected boolean roleSearchAsUser = false;
    protected int connectionAttempt = 0;
    protected String commonRole = null;
    protected String connectionTimeout = "5000";
    protected String readTimeout = "5000";
    protected long sizeLimit = 0;
    protected int timeLimit = 0;
    protected boolean useDelegatedCredential = true;
    protected String spnegoDelegationQop = "auth-conf";
    private boolean useStartTls = false;
    private StartTlsResponse tls = null;
    private String[] cipherSuitesArray = null;
    private HostnameVerifier hostnameVerifier = null;
    private SSLSocketFactory sslSocketFactory = null;

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:org/apache/catalina/realm/JNDIRealm$User.class */
    public static class User {
        private final String username;
        private final String dn;
        private final String password;
        private final List<String> roles;
        private final String userRoleId;

        public User(String str, String str2, String str3, List<String> list, String str4) {
            this.username = str;
            this.dn = str2;
            this.password = str3;
            if (list == null) {
                this.roles = Collections.emptyList();
            } else {
                this.roles = Collections.unmodifiableList(list);
            }
            this.userRoleId = str4;
        }

        public String getUserName() {
            return this.username;
        }

        public String getDN() {
            return this.dn;
        }

        public String getPassword() {
            return this.password;
        }

        public List<String> getRoles() {
            return this.roles;
        }

        public String getUserRoleId() {
            return this.userRoleId;
        }
    }

    public String getAuthentication() {
        return this.authentication;
    }

    public void setAuthentication(String str) {
        this.authentication = str;
    }

    public String getConnectionName() {
        return this.connectionName;
    }

    public void setConnectionName(String str) {
        this.connectionName = str;
    }

    public String getConnectionPassword() {
        return this.connectionPassword;
    }

    public void setConnectionPassword(String str) {
        this.connectionPassword = str;
    }

    public String getConnectionURL() {
        return this.connectionURL;
    }

    public void setConnectionURL(String str) {
        this.connectionURL = str;
    }

    public String getContextFactory() {
        return this.contextFactory;
    }

    public void setContextFactory(String str) {
        this.contextFactory = str;
    }

    public String getDerefAliases() {
        return this.derefAliases;
    }

    public void setDerefAliases(String str) {
        this.derefAliases = str;
    }

    public String getProtocol() {
        return this.protocol;
    }

    public void setProtocol(String str) {
        this.protocol = str;
    }

    public boolean getAdCompat() {
        return this.adCompat;
    }

    public void setAdCompat(boolean z) {
        this.adCompat = z;
    }

    public String getReferrals() {
        return this.referrals;
    }

    public void setReferrals(String str) {
        this.referrals = str;
    }

    public String getUserBase() {
        return this.userBase;
    }

    public void setUserBase(String str) {
        this.userBase = str;
    }

    public String getUserSearch() {
        return this.userSearch;
    }

    public void setUserSearch(String str) {
        this.userSearch = str;
        if (str == null) {
            this.userSearchFormat = null;
        } else {
            this.userSearchFormat = new MessageFormat(str);
        }
    }

    public boolean isUserSearchAsUser() {
        return this.userSearchAsUser;
    }

    public void setUserSearchAsUser(boolean z) {
        this.userSearchAsUser = z;
    }

    public boolean getUserSubtree() {
        return this.userSubtree;
    }

    public void setUserSubtree(boolean z) {
        this.userSubtree = z;
    }

    public String getUserRoleName() {
        return this.userRoleName;
    }

    public void setUserRoleName(String str) {
        this.userRoleName = str;
    }

    public String getRoleBase() {
        return this.roleBase;
    }

    public void setRoleBase(String str) {
        this.roleBase = str;
        if (str == null) {
            this.roleBaseFormat = null;
        } else {
            this.roleBaseFormat = new MessageFormat(str);
        }
    }

    public String getRoleName() {
        return this.roleName;
    }

    public void setRoleName(String str) {
        this.roleName = str;
    }

    public String getRoleSearch() {
        return this.roleSearch;
    }

    public void setRoleSearch(String str) {
        this.roleSearch = str;
        if (str == null) {
            this.roleFormat = null;
        } else {
            this.roleFormat = new MessageFormat(str);
        }
    }

    public boolean isRoleSearchAsUser() {
        return this.roleSearchAsUser;
    }

    public void setRoleSearchAsUser(boolean z) {
        this.roleSearchAsUser = z;
    }

    public boolean getRoleSubtree() {
        return this.roleSubtree;
    }

    public void setRoleSubtree(boolean z) {
        this.roleSubtree = z;
    }

    public boolean getRoleNested() {
        return this.roleNested;
    }

    public void setRoleNested(boolean z) {
        this.roleNested = z;
    }

    public String getUserPassword() {
        return this.userPassword;
    }

    public void setUserPassword(String str) {
        this.userPassword = str;
    }

    public String getUserRoleAttribute() {
        return this.userRoleAttribute;
    }

    public void setUserRoleAttribute(String str) {
        this.userRoleAttribute = str;
    }

    public String getUserPattern() {
        return this.userPattern;
    }

    public void setUserPattern(String str) {
        this.userPattern = str;
        if (str == null) {
            this.userPatternArray = null;
            return;
        }
        this.userPatternArray = parseUserPatternString(str);
        int length = this.userPatternArray.length;
        this.userPatternFormatArray = new MessageFormat[length];
        for (int i = 0; i < length; i++) {
            this.userPatternFormatArray[i] = new MessageFormat(this.userPatternArray[i]);
        }
    }

    public String getAlternateURL() {
        return this.alternateURL;
    }

    public void setAlternateURL(String str) {
        this.alternateURL = str;
    }

    public String getCommonRole() {
        return this.commonRole;
    }

    public void setCommonRole(String str) {
        this.commonRole = str;
    }

    public String getConnectionTimeout() {
        return this.connectionTimeout;
    }

    public void setConnectionTimeout(String str) {
        this.connectionTimeout = str;
    }

    public String getReadTimeout() {
        return this.readTimeout;
    }

    public void setReadTimeout(String str) {
        this.readTimeout = str;
    }

    public long getSizeLimit() {
        return this.sizeLimit;
    }

    public void setSizeLimit(long j) {
        this.sizeLimit = j;
    }

    public int getTimeLimit() {
        return this.timeLimit;
    }

    public void setTimeLimit(int i) {
        this.timeLimit = i;
    }

    public boolean isUseDelegatedCredential() {
        return this.useDelegatedCredential;
    }

    public void setUseDelegatedCredential(boolean z) {
        this.useDelegatedCredential = z;
    }

    public String getSpnegoDelegationQop() {
        return this.spnegoDelegationQop;
    }

    public void setSpnegoDelegationQop(String str) {
        this.spnegoDelegationQop = str;
    }

    public boolean getUseStartTls() {
        return this.useStartTls;
    }

    public void setUseStartTls(boolean z) {
        this.useStartTls = z;
    }

    private String[] getCipherSuitesArray() {
        if (this.cipherSuites == null || this.cipherSuitesArray != null) {
            return this.cipherSuitesArray;
        }
        if (this.cipherSuites.trim().isEmpty()) {
            this.containerLog.warn(sm.getString("jndiRealm.emptyCipherSuites"));
            this.cipherSuitesArray = null;
        } else {
            this.cipherSuitesArray = this.cipherSuites.trim().split("\\s*,\\s*");
            this.containerLog.debug(sm.getString("jndiRealm.cipherSuites", Arrays.toString(this.cipherSuitesArray)));
        }
        return this.cipherSuitesArray;
    }

    public void setCipherSuites(String str) {
        this.cipherSuites = str;
    }

    public String getHostnameVerifierClassName() {
        return this.hostnameVerifier == null ? CorsFilter.DEFAULT_EXPOSED_HEADERS : this.hostnameVerifier.getClass().getCanonicalName();
    }

    public void setHostnameVerifierClassName(String str) {
        if (str != null) {
            this.hostNameVerifierClassName = str.trim();
        } else {
            this.hostNameVerifierClassName = null;
        }
    }

    public HostnameVerifier getHostnameVerifier() {
        if (this.hostnameVerifier != null) {
            return this.hostnameVerifier;
        }
        if (this.hostNameVerifierClassName == null || this.hostNameVerifierClassName.equals(CorsFilter.DEFAULT_EXPOSED_HEADERS)) {
            return null;
        }
        try {
            Object constructInstance = constructInstance(this.hostNameVerifierClassName);
            if (!(constructInstance instanceof HostnameVerifier)) {
                throw new IllegalArgumentException(sm.getString("jndiRealm.invalidHostnameVerifier", this.hostNameVerifierClassName));
            }
            this.hostnameVerifier = (HostnameVerifier) constructInstance;
            return this.hostnameVerifier;
        } catch (ReflectiveOperationException | SecurityException e) {
            throw new IllegalArgumentException(sm.getString("jndiRealm.invalidHostnameVerifier", this.hostNameVerifierClassName), e);
        }
    }

    public void setSslSocketFactoryClassName(String str) {
        this.sslSocketFactoryClassName = str;
    }

    public void setSslProtocol(String str) {
        this.sslProtocol = str;
    }

    private String[] getSupportedSslProtocols() {
        try {
            return SSLContext.getDefault().getSupportedSSLParameters().getProtocols();
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(sm.getString("jndiRealm.exception"), e);
        }
    }

    private Object constructInstance(String str) throws ReflectiveOperationException {
        return Class.forName(str).getConstructor(new Class[0]).newInstance(new Object[0]);
    }

    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public Principal authenticate(String str, String str2) {
        Principal authenticate;
        DirContext dirContext = null;
        try {
            dirContext = open();
            try {
                authenticate = authenticate(dirContext, str, str2);
            } catch (NullPointerException | NamingException e) {
                this.containerLog.info(sm.getString("jndiRealm.exception.retry"), e);
                if (dirContext != null) {
                    close(dirContext);
                }
                dirContext = open();
                authenticate = authenticate(dirContext, str, str2);
            }
            release(dirContext);
            return authenticate;
        } catch (NamingException e2) {
            this.containerLog.error(sm.getString("jndiRealm.exception"), e2);
            if (dirContext != null) {
                close(dirContext);
            }
            if (!this.containerLog.isDebugEnabled()) {
                return null;
            }
            this.containerLog.debug("Returning null principal.");
            return null;
        }
    }

    public synchronized Principal authenticate(DirContext dirContext, String str, String str2) throws NamingException {
        if (str == null || str.equals(CorsFilter.DEFAULT_EXPOSED_HEADERS) || str2 == null || str2.equals(CorsFilter.DEFAULT_EXPOSED_HEADERS)) {
            if (!this.containerLog.isDebugEnabled()) {
                return null;
            }
            this.containerLog.debug("username null or empty: returning null principal.");
            return null;
        }
        if (this.userPatternArray == null) {
            User user = getUser(dirContext, str, str2);
            if (user == null || !checkCredentials(dirContext, user, str2)) {
                return null;
            }
            List<String> roles = getRoles(dirContext, user);
            if (this.containerLog.isDebugEnabled()) {
                this.containerLog.debug("Found roles: " + roles.toString());
            }
            return new GenericPrincipal(str, str2, roles);
        }
        for (int i = 0; i < this.userPatternFormatArray.length; i++) {
            User user2 = getUser(dirContext, str, str2, i);
            if (user2 != null) {
                try {
                    if (checkCredentials(dirContext, user2, str2)) {
                        List<String> roles2 = getRoles(dirContext, user2);
                        if (this.containerLog.isDebugEnabled()) {
                            this.containerLog.debug("Found roles: " + roles2.toString());
                        }
                        return new GenericPrincipal(str, str2, roles2);
                    }
                    continue;
                } catch (InvalidNameException e) {
                    this.containerLog.warn(sm.getString("jndiRealm.exception"), e);
                }
            }
        }
        return null;
    }

    protected User getUser(DirContext dirContext, String str) throws NamingException {
        return getUser(dirContext, str, null, -1);
    }

    protected User getUser(DirContext dirContext, String str, String str2) throws NamingException {
        return getUser(dirContext, str, str2, -1);
    }

    protected User getUser(DirContext dirContext, String str, String str2, int i) throws NamingException {
        User userBySearch;
        ArrayList arrayList = new ArrayList();
        if (this.userPassword != null) {
            arrayList.add(this.userPassword);
        }
        if (this.userRoleName != null) {
            arrayList.add(this.userRoleName);
        }
        if (this.userRoleAttribute != null) {
            arrayList.add(this.userRoleAttribute);
        }
        String[] strArr = new String[arrayList.size()];
        arrayList.toArray(strArr);
        if (this.userPatternFormatArray == null || i < 0) {
            boolean isUserSearchAsUser = isUserSearchAsUser();
            if (isUserSearchAsUser) {
                try {
                    userCredentialsAdd(dirContext, str, str2);
                } catch (Throwable th) {
                    if (isUserSearchAsUser) {
                        userCredentialsRemove(dirContext);
                    }
                    throw th;
                }
            }
            userBySearch = getUserBySearch(dirContext, str, strArr);
            if (isUserSearchAsUser) {
                userCredentialsRemove(dirContext);
            }
            if (this.containerLog.isDebugEnabled()) {
                this.containerLog.debug("Found user by search [" + userBySearch + "]");
            }
        } else {
            userBySearch = getUserByPattern(dirContext, str, str2, strArr, i);
            if (this.containerLog.isDebugEnabled()) {
                this.containerLog.debug("Found user by pattern [" + userBySearch + "]");
            }
        }
        return (this.userPassword != null || str2 == null || userBySearch == null) ? userBySearch : new User(userBySearch.getUserName(), userBySearch.getDN(), str2, userBySearch.getRoles(), userBySearch.getUserRoleId());
    }

    protected User getUserByPattern(DirContext dirContext, String str, String[] strArr, String str2) throws NamingException {
        if (strArr == null || strArr.length == 0) {
            return new User(str, str2, null, null, null);
        }
        try {
            Attributes attributes = dirContext.getAttributes(str2, strArr);
            if (attributes == null) {
                return null;
            }
            String str3 = null;
            if (this.userPassword != null) {
                str3 = getAttributeValue(this.userPassword, attributes);
            }
            String str4 = null;
            if (this.userRoleAttribute != null) {
                str4 = getAttributeValue(this.userRoleAttribute, attributes);
            }
            ArrayList<String> arrayList = null;
            if (this.userRoleName != null) {
                arrayList = addAttributeValues(this.userRoleName, attributes, null);
            }
            return new User(str, str2, str3, arrayList, str4);
        } catch (NameNotFoundException e) {
            return null;
        }
    }

    protected User getUserByPattern(DirContext dirContext, String str, String str2, String[] strArr, int i) throws NamingException {
        User userByPattern;
        if (str == null || this.userPatternFormatArray[i] == null) {
            return null;
        }
        String format = this.userPatternFormatArray[i].format(new String[]{str});
        try {
            userByPattern = getUserByPattern(dirContext, str, strArr, format);
        } catch (NamingException e) {
            try {
                userCredentialsAdd(dirContext, format, str2);
                userByPattern = getUserByPattern(dirContext, str, strArr, format);
                userCredentialsRemove(dirContext);
            } catch (Throwable th) {
                userCredentialsRemove(dirContext);
                throw th;
            }
        } catch (NameNotFoundException e2) {
            return null;
        }
        return userByPattern;
    }

    protected User getUserBySearch(DirContext dirContext, String str, String[] strArr) throws NamingException {
        if (str == null || this.userSearchFormat == null) {
            return null;
        }
        String format = this.userSearchFormat.format(new String[]{str});
        SearchControls searchControls = new SearchControls();
        if (this.userSubtree) {
            searchControls.setSearchScope(2);
        } else {
            searchControls.setSearchScope(1);
        }
        searchControls.setCountLimit(this.sizeLimit);
        searchControls.setTimeLimit(this.timeLimit);
        if (strArr == null) {
            strArr = new String[0];
        }
        searchControls.setReturningAttributes(strArr);
        NamingEnumeration search = dirContext.search(this.userBase, format, searchControls);
        try {
            if (search != null) {
                try {
                    if (search.hasMore()) {
                        SearchResult searchResult = (SearchResult) search.next();
                        try {
                        } catch (PartialResultException e) {
                            if (!this.adCompat) {
                                throw e;
                            }
                        }
                        if (search.hasMore()) {
                            if (this.containerLog.isInfoEnabled()) {
                                this.containerLog.info("username " + str + " has multiple entries");
                            }
                            if (search != null) {
                                search.close();
                            }
                            return null;
                        }
                        String distinguishedName = getDistinguishedName(dirContext, this.userBase, searchResult);
                        if (this.containerLog.isTraceEnabled()) {
                            this.containerLog.trace("  entry found for " + str + " with dn " + distinguishedName);
                        }
                        Attributes attributes = searchResult.getAttributes();
                        if (attributes == null) {
                            if (search != null) {
                                search.close();
                            }
                            return null;
                        }
                        String str2 = null;
                        if (this.userPassword != null) {
                            str2 = getAttributeValue(this.userPassword, attributes);
                        }
                        String str3 = null;
                        if (this.userRoleAttribute != null) {
                            str3 = getAttributeValue(this.userRoleAttribute, attributes);
                        }
                        ArrayList<String> arrayList = null;
                        if (this.userRoleName != null) {
                            arrayList = addAttributeValues(this.userRoleName, attributes, null);
                        }
                        User user = new User(str, distinguishedName, str2, arrayList, str3);
                        if (search != null) {
                            search.close();
                        }
                        return user;
                    }
                } catch (PartialResultException e2) {
                    if (!this.adCompat) {
                        throw e2;
                    }
                    if (search != null) {
                        search.close();
                    }
                    return null;
                }
            }
            if (search != null) {
                search.close();
            }
            return null;
        } catch (Throwable th) {
            if (search != null) {
                search.close();
            }
            throw th;
        }
    }

    protected boolean checkCredentials(DirContext dirContext, User user, String str) throws NamingException {
        boolean bindAsUser = this.userPassword == null ? bindAsUser(dirContext, user, str) : compareCredentials(dirContext, user, str);
        if (this.containerLog.isTraceEnabled()) {
            if (bindAsUser) {
                this.containerLog.trace(sm.getString("jndiRealm.authenticateSuccess", user.getUserName()));
            } else {
                this.containerLog.trace(sm.getString("jndiRealm.authenticateFailure", user.getUserName()));
            }
        }
        return bindAsUser;
    }

    protected boolean compareCredentials(DirContext dirContext, User user, String str) throws NamingException {
        if (this.containerLog.isTraceEnabled()) {
            this.containerLog.trace("  validating credentials");
        }
        if (user == null || str == null) {
            return false;
        }
        return getCredentialHandler().matches(str, user.getPassword());
    }

    protected boolean bindAsUser(DirContext dirContext, User user, String str) throws NamingException {
        String dn;
        if (str == null || user == null || (dn = user.getDN()) == null) {
            return false;
        }
        if (this.containerLog.isTraceEnabled()) {
            this.containerLog.trace("  validating credentials by binding as the user");
        }
        userCredentialsAdd(dirContext, dn, str);
        boolean z = false;
        try {
            if (this.containerLog.isTraceEnabled()) {
                this.containerLog.trace("  binding as " + dn);
            }
            dirContext.getAttributes(CorsFilter.DEFAULT_EXPOSED_HEADERS, (String[]) null);
            z = true;
        } catch (AuthenticationException e) {
            if (this.containerLog.isTraceEnabled()) {
                this.containerLog.trace("  bind attempt failed");
            }
        }
        userCredentialsRemove(dirContext);
        return z;
    }

    private void userCredentialsAdd(DirContext dirContext, String str, String str2) throws NamingException {
        dirContext.addToEnvironment("java.naming.security.principal", str);
        dirContext.addToEnvironment("java.naming.security.credentials", str2);
    }

    private void userCredentialsRemove(DirContext dirContext) throws NamingException {
        if (this.connectionName != null) {
            dirContext.addToEnvironment("java.naming.security.principal", this.connectionName);
        } else {
            dirContext.removeFromEnvironment("java.naming.security.principal");
        }
        if (this.connectionPassword != null) {
            dirContext.addToEnvironment("java.naming.security.credentials", this.connectionPassword);
        } else {
            dirContext.removeFromEnvironment("java.naming.security.credentials");
        }
    }

    protected List<String> getRoles(DirContext dirContext, User user) throws NamingException {
        String str;
        if (user == null) {
            return null;
        }
        String dn = user.getDN();
        String userName = user.getUserName();
        String userRoleId = user.getUserRoleId();
        if (dn == null || userName == null) {
            return null;
        }
        if (this.containerLog.isTraceEnabled()) {
            this.containerLog.trace("  getRoles(" + dn + ")");
        }
        ArrayList arrayList = new ArrayList();
        List<String> roles = user.getRoles();
        if (roles != null) {
            arrayList.addAll(roles);
        }
        if (this.commonRole != null) {
            arrayList.add(this.commonRole);
        }
        if (this.containerLog.isTraceEnabled()) {
            this.containerLog.trace("  Found " + arrayList.size() + " user internal roles");
            this.containerLog.trace("  Found user internal roles " + arrayList.toString());
        }
        if (this.roleFormat == null || this.roleName == null) {
            return arrayList;
        }
        String format = this.roleFormat.format(new String[]{doRFC2254Encoding(dn), userName, userRoleId});
        SearchControls searchControls = new SearchControls();
        if (this.roleSubtree) {
            searchControls.setSearchScope(2);
        } else {
            searchControls.setSearchScope(1);
        }
        searchControls.setReturningAttributes(new String[]{this.roleName});
        if (this.roleBaseFormat != null) {
            Name parse = dirContext.getNameParser(CorsFilter.DEFAULT_EXPOSED_HEADERS).parse(dn);
            String[] strArr = new String[parse.size()];
            for (int i = 0; i < parse.size(); i++) {
                strArr[i] = parse.get(i);
            }
            str = this.roleBaseFormat.format(strArr);
        } else {
            str = CorsFilter.DEFAULT_EXPOSED_HEADERS;
        }
        NamingEnumeration<SearchResult> searchAsUser = searchAsUser(dirContext, user, str, format, searchControls, isRoleSearchAsUser());
        if (searchAsUser == null) {
            return arrayList;
        }
        HashMap hashMap = new HashMap();
        while (searchAsUser.hasMore()) {
            try {
                try {
                    SearchResult searchResult = (SearchResult) searchAsUser.next();
                    Attributes attributes = searchResult.getAttributes();
                    if (attributes != null) {
                        String distinguishedName = getDistinguishedName(dirContext, this.roleBase, searchResult);
                        String attributeValue = getAttributeValue(this.roleName, attributes);
                        if (attributeValue != null && distinguishedName != null) {
                            hashMap.put(distinguishedName, attributeValue);
                        }
                    }
                } catch (PartialResultException e) {
                    if (!this.adCompat) {
                        throw e;
                    }
                    searchAsUser.close();
                }
            } catch (Throwable th) {
                searchAsUser.close();
                throw th;
            }
        }
        searchAsUser.close();
        if (this.containerLog.isTraceEnabled()) {
            Set<Map.Entry> entrySet = hashMap.entrySet();
            this.containerLog.trace("  Found " + entrySet.size() + " direct roles");
            for (Map.Entry entry : entrySet) {
                this.containerLog.trace("  Found direct role " + ((String) entry.getKey()) + " -> " + ((String) entry.getValue()));
            }
        }
        if (getRoleNested()) {
            HashMap hashMap2 = new HashMap(hashMap);
            loop3: while (true) {
                HashMap hashMap3 = hashMap2;
                if (hashMap3.isEmpty()) {
                    break;
                }
                HashMap hashMap4 = new HashMap();
                for (Map.Entry entry2 : hashMap3.entrySet()) {
                    String format2 = this.roleFormat.format(new String[]{(String) entry2.getKey(), (String) entry2.getValue(), (String) entry2.getValue()});
                    if (this.containerLog.isTraceEnabled()) {
                        this.containerLog.trace("Perform a nested group search with base " + this.roleBase + " and filter " + format2);
                    }
                    NamingEnumeration<SearchResult> searchAsUser2 = searchAsUser(dirContext, user, this.roleBase, format2, searchControls, isRoleSearchAsUser());
                    while (searchAsUser2.hasMore()) {
                        try {
                            try {
                                SearchResult searchResult2 = (SearchResult) searchAsUser2.next();
                                Attributes attributes2 = searchResult2.getAttributes();
                                if (attributes2 != null) {
                                    String distinguishedName2 = getDistinguishedName(dirContext, this.roleBase, searchResult2);
                                    String attributeValue2 = getAttributeValue(this.roleName, attributes2);
                                    if (attributeValue2 != null && distinguishedName2 != null && !hashMap.keySet().contains(distinguishedName2)) {
                                        hashMap.put(distinguishedName2, attributeValue2);
                                        hashMap4.put(distinguishedName2, attributeValue2);
                                        if (this.containerLog.isTraceEnabled()) {
                                            this.containerLog.trace("  Found nested role " + distinguishedName2 + " -> " + attributeValue2);
                                        }
                                    }
                                }
                            } catch (PartialResultException e2) {
                                if (!this.adCompat) {
                                    throw e2;
                                }
                                searchAsUser2.close();
                            }
                        } catch (Throwable th2) {
                            searchAsUser2.close();
                            throw th2;
                        }
                    }
                    searchAsUser2.close();
                }
                hashMap2 = hashMap4;
            }
        }
        arrayList.addAll(hashMap.values());
        return arrayList;
    }

    private NamingEnumeration<SearchResult> searchAsUser(DirContext dirContext, User user, String str, String str2, SearchControls searchControls, boolean z) throws NamingException {
        if (z) {
            try {
                userCredentialsAdd(dirContext, user.getDN(), user.getPassword());
            } catch (Throwable th) {
                if (z) {
                    userCredentialsRemove(dirContext);
                }
                throw th;
            }
        }
        NamingEnumeration<SearchResult> search = dirContext.search(str, str2, searchControls);
        if (z) {
            userCredentialsRemove(dirContext);
        }
        return search;
    }

    private String getAttributeValue(String str, Attributes attributes) throws NamingException {
        Attribute attribute;
        Object obj;
        if (this.containerLog.isTraceEnabled()) {
            this.containerLog.trace("  retrieving attribute " + str);
        }
        if (str == null || attributes == null || (attribute = attributes.get(str)) == null || (obj = attribute.get()) == null) {
            return null;
        }
        return obj instanceof byte[] ? new String((byte[]) obj) : obj.toString();
    }

    private ArrayList<String> addAttributeValues(String str, Attributes attributes, ArrayList<String> arrayList) throws NamingException {
        if (this.containerLog.isTraceEnabled()) {
            this.containerLog.trace("  retrieving values for attribute " + str);
        }
        if (str == null || attributes == null) {
            return arrayList;
        }
        if (arrayList == null) {
            arrayList = new ArrayList<>();
        }
        Attribute attribute = attributes.get(str);
        if (attribute == null) {
            return arrayList;
        }
        NamingEnumeration all = attribute.getAll();
        while (all.hasMore()) {
            try {
                try {
                    arrayList.add((String) all.next());
                } catch (PartialResultException e) {
                    if (!this.adCompat) {
                        throw e;
                    }
                    all.close();
                }
            } catch (Throwable th) {
                all.close();
                throw th;
            }
        }
        all.close();
        return arrayList;
    }

    protected void close(DirContext dirContext) {
        if (dirContext == null) {
            return;
        }
        if (this.tls != null) {
            try {
                this.tls.close();
            } catch (IOException e) {
                this.containerLog.error(sm.getString("jndiRealm.tlsClose"), e);
            }
        }
        try {
            if (this.containerLog.isDebugEnabled()) {
                this.containerLog.debug("Closing directory context");
            }
            dirContext.close();
        } catch (NamingException e2) {
            this.containerLog.error(sm.getString("jndiRealm.close"), e2);
        }
        this.context = null;
    }

    @Override // org.apache.catalina.realm.RealmBase
    @Deprecated
    protected String getName() {
        return name;
    }

    @Override // org.apache.catalina.realm.RealmBase
    protected String getPassword(String str) {
        String userPassword = getUserPassword();
        if (userPassword == null || userPassword.isEmpty()) {
            return null;
        }
        try {
            User user = getUser(open(), str, null);
            if (user == null) {
                return null;
            }
            return user.getPassword();
        } catch (NamingException e) {
            return null;
        }
    }

    @Override // org.apache.catalina.realm.RealmBase
    protected Principal getPrincipal(String str) {
        return getPrincipal(str, null);
    }

    @Override // org.apache.catalina.realm.RealmBase
    protected Principal getPrincipal(String str, GSSCredential gSSCredential) {
        Principal principal;
        DirContext dirContext = null;
        try {
            dirContext = open();
            try {
                principal = getPrincipal(dirContext, str, gSSCredential);
            } catch (CommunicationException | ServiceUnavailableException e) {
                this.containerLog.info(sm.getString("jndiRealm.exception.retry"), e);
                if (dirContext != null) {
                    close(dirContext);
                }
                dirContext = open();
                principal = getPrincipal(dirContext, str, gSSCredential);
            }
            release(dirContext);
            return principal;
        } catch (NamingException e2) {
            this.containerLog.error(sm.getString("jndiRealm.exception"), e2);
            if (dirContext == null) {
                return null;
            }
            close(dirContext);
            return null;
        }
    }

    protected synchronized Principal getPrincipal(DirContext dirContext, String str, GSSCredential gSSCredential) throws NamingException {
        List<String> list = null;
        Hashtable<?, ?> hashtable = null;
        if (gSSCredential != null) {
            try {
                if (isUseDelegatedCredential()) {
                    hashtable = dirContext.getEnvironment();
                    dirContext.addToEnvironment("java.naming.security.authentication", "GSSAPI");
                    dirContext.addToEnvironment("javax.security.sasl.server.authentication", "true");
                    dirContext.addToEnvironment("javax.security.sasl.qop", this.spnegoDelegationQop);
                }
            } finally {
                restoreEnvironmentParameter(dirContext, "java.naming.security.authentication", hashtable);
                restoreEnvironmentParameter(dirContext, "javax.security.sasl.server.authentication", hashtable);
                restoreEnvironmentParameter(dirContext, "javax.security.sasl.qop", hashtable);
            }
        }
        User user = getUser(dirContext, str);
        if (user != null) {
            list = getRoles(dirContext, user);
        }
        if (user != null) {
            return new GenericPrincipal(user.getUserName(), user.getPassword(), list, null, null, gSSCredential);
        }
        return null;
    }

    private void restoreEnvironmentParameter(DirContext dirContext, String str, Hashtable<?, ?> hashtable) {
        try {
            dirContext.removeFromEnvironment(str);
            if (hashtable != null && hashtable.containsKey(str)) {
                dirContext.addToEnvironment(str, hashtable.get(str));
            }
        } catch (NamingException e) {
        }
    }

    protected DirContext open() throws NamingException {
        if (this.context != null) {
            return this.context;
        }
        try {
            try {
                this.context = createDirContext(getDirectoryContextEnvironment());
                this.connectionAttempt = 0;
            } catch (Exception e) {
                this.connectionAttempt = 1;
                this.containerLog.info(sm.getString("jndiRealm.exception.retry"), e);
                this.context = createDirContext(getDirectoryContextEnvironment());
                this.connectionAttempt = 0;
            }
            return this.context;
        } catch (Throwable th) {
            this.connectionAttempt = 0;
            throw th;
        }
    }

    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public boolean isAvailable() {
        return this.context != null;
    }

    private DirContext createDirContext(Hashtable<String, String> hashtable) throws NamingException {
        return this.useStartTls ? createTlsDirContext(hashtable) : new InitialDirContext(hashtable);
    }

    private SSLSocketFactory getSSLSocketFactory() {
        if (this.sslSocketFactory != null) {
            return this.sslSocketFactory;
        }
        SSLSocketFactory createSSLContextFactoryFromProtocol = (this.sslSocketFactoryClassName == null || this.sslSocketFactoryClassName.trim().equals(CorsFilter.DEFAULT_EXPOSED_HEADERS)) ? createSSLContextFactoryFromProtocol(this.sslProtocol) : createSSLSocketFactoryFromClassName(this.sslSocketFactoryClassName);
        this.sslSocketFactory = createSSLContextFactoryFromProtocol;
        return createSSLContextFactoryFromProtocol;
    }

    private SSLSocketFactory createSSLSocketFactoryFromClassName(String str) {
        try {
            if (constructInstance(str) instanceof SSLSocketFactory) {
                return this.sslSocketFactory;
            }
            throw new IllegalArgumentException(sm.getString("jndiRealm.invalidSslSocketFactory", str));
        } catch (ReflectiveOperationException | SecurityException e) {
            throw new IllegalArgumentException(sm.getString("jndiRealm.invalidSslSocketFactory", str), e);
        }
    }

    private SSLSocketFactory createSSLContextFactoryFromProtocol(String str) {
        SSLContext sSLContext;
        try {
            if (str != null) {
                sSLContext = SSLContext.getInstance(str);
                sSLContext.init(null, null, null);
            } else {
                sSLContext = SSLContext.getDefault();
            }
            return sSLContext.getSocketFactory();
        } catch (KeyManagementException | NoSuchAlgorithmException e) {
            throw new IllegalArgumentException(sm.getString("jndiRealm.invalidSslProtocol", str, Arrays.asList(getSupportedSslProtocols())), e);
        }
    }

    private DirContext createTlsDirContext(Hashtable<String, String> hashtable) throws NamingException {
        HashMap hashMap = new HashMap();
        for (String str : Arrays.asList("java.naming.security.authentication", "java.naming.security.credentials", "java.naming.security.principal", "java.naming.security.protocol")) {
            String remove = hashtable.remove(str);
            if (remove != null) {
                hashMap.put(str, remove);
            }
        }
        LdapContext ldapContext = null;
        try {
            ldapContext = new InitialLdapContext(hashtable, (Control[]) null);
            this.tls = ldapContext.extendedOperation(new StartTlsRequest());
            if (getHostnameVerifier() != null) {
                this.tls.setHostnameVerifier(getHostnameVerifier());
            }
            if (getCipherSuitesArray() != null) {
                this.tls.setEnabledCipherSuites(getCipherSuitesArray());
            }
            try {
                this.containerLog.debug(sm.getString("jndiRealm.negotiatedTls", this.tls.negotiate(getSSLSocketFactory()).getProtocol()));
                if (ldapContext != null) {
                    for (Map.Entry entry : hashMap.entrySet()) {
                        ldapContext.addToEnvironment((String) entry.getKey(), entry.getValue());
                    }
                }
                return ldapContext;
            } catch (IOException e) {
                throw new NamingException(e.getMessage());
            }
        } catch (Throwable th) {
            if (ldapContext != null) {
                for (Map.Entry entry2 : hashMap.entrySet()) {
                    ldapContext.addToEnvironment((String) entry2.getKey(), entry2.getValue());
                }
            }
            throw th;
        }
    }

    protected Hashtable<String, String> getDirectoryContextEnvironment() {
        Hashtable<String, String> hashtable = new Hashtable<>();
        if (this.containerLog.isDebugEnabled() && this.connectionAttempt == 0) {
            this.containerLog.debug("Connecting to URL " + this.connectionURL);
        } else if (this.containerLog.isDebugEnabled() && this.connectionAttempt > 0) {
            this.containerLog.debug("Connecting to URL " + this.alternateURL);
        }
        hashtable.put("java.naming.factory.initial", this.contextFactory);
        if (this.connectionName != null) {
            hashtable.put("java.naming.security.principal", this.connectionName);
        }
        if (this.connectionPassword != null) {
            hashtable.put("java.naming.security.credentials", this.connectionPassword);
        }
        if (this.connectionURL != null && this.connectionAttempt == 0) {
            hashtable.put("java.naming.provider.url", this.connectionURL);
        } else if (this.alternateURL != null && this.connectionAttempt > 0) {
            hashtable.put("java.naming.provider.url", this.alternateURL);
        }
        if (this.authentication != null) {
            hashtable.put("java.naming.security.authentication", this.authentication);
        }
        if (this.protocol != null) {
            hashtable.put("java.naming.security.protocol", this.protocol);
        }
        if (this.referrals != null) {
            hashtable.put("java.naming.referral", this.referrals);
        }
        if (this.derefAliases != null) {
            hashtable.put(DEREF_ALIASES, this.derefAliases);
        }
        if (this.connectionTimeout != null) {
            hashtable.put("com.sun.jndi.ldap.connect.timeout", this.connectionTimeout);
        }
        if (this.readTimeout != null) {
            hashtable.put("com.sun.jndi.ldap.read.timeout", this.readTimeout);
        }
        return hashtable;
    }

    protected void release(DirContext dirContext) {
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.util.LifecycleBase
    public void startInternal() throws LifecycleException {
        try {
            open();
        } catch (NamingException e) {
            this.containerLog.error(sm.getString("jndiRealm.open"), e);
        }
        super.startInternal();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.util.LifecycleBase
    public void stopInternal() throws LifecycleException {
        super.stopInternal();
        close(this.context);
    }

    protected String[] parseUserPatternString(String str) {
        int i;
        if (str == null) {
            return null;
        }
        ArrayList arrayList = new ArrayList();
        int indexOf = str.indexOf(40);
        if (indexOf == -1) {
            return new String[]{str};
        }
        while (indexOf > -1) {
            while (true) {
                if (str.charAt(indexOf + 1) == '|' || (indexOf != 0 && str.charAt(indexOf - 1) == '\\')) {
                    indexOf = str.indexOf(40, indexOf + 1);
                }
            }
            int indexOf2 = str.indexOf(41, indexOf + 1);
            while (true) {
                i = indexOf2;
                if (str.charAt(i - 1) == '\\') {
                    indexOf2 = str.indexOf(41, i + 1);
                }
            }
            arrayList.add(str.substring(indexOf + 1, i));
            indexOf = str.indexOf(40, i + 1);
        }
        return (String[]) arrayList.toArray(new String[0]);
    }

    protected String doRFC2254Encoding(String str) {
        StringBuilder sb = new StringBuilder(str.length());
        for (int i = 0; i < str.length(); i++) {
            char charAt = str.charAt(i);
            switch (charAt) {
                case 0:
                    sb.append("\\00");
                    break;
                case '(':
                    sb.append("\\28");
                    break;
                case ')':
                    sb.append("\\29");
                    break;
                case '*':
                    sb.append("\\2a");
                    break;
                case '\\':
                    sb.append("\\5c");
                    break;
                default:
                    sb.append(charAt);
                    break;
            }
        }
        return sb.toString();
    }

    protected String getDistinguishedName(DirContext dirContext, String str, SearchResult searchResult) throws NamingException {
        String name2 = searchResult.getName();
        if (searchResult.isRelative()) {
            if (this.containerLog.isTraceEnabled()) {
                this.containerLog.trace("  search returned relative name: " + name2);
            }
            NameParser nameParser = dirContext.getNameParser(CorsFilter.DEFAULT_EXPOSED_HEADERS);
            return nameParser.parse(dirContext.getNameInNamespace()).addAll(nameParser.parse(str)).addAll(nameParser.parse(new CompositeName(name2).get(0))).toString();
        }
        if (this.containerLog.isTraceEnabled()) {
            this.containerLog.trace("  search returned absolute name: " + name2);
        }
        try {
            NameParser nameParser2 = dirContext.getNameParser(CorsFilter.DEFAULT_EXPOSED_HEADERS);
            String path = new URI(name2).getPath();
            if (path.length() < 1) {
                throw new InvalidNameException("Search returned unparseable absolute name: " + name2);
            }
            return nameParser2.parse(path.substring(1)).toString();
        } catch (URISyntaxException e) {
            throw new InvalidNameException("Search returned unparseable absolute name: " + name2);
        }
    }
}
