package com.google.gerrit.server.auth.ldap;

import com.google.common.base.Throwables;
import com.google.common.cache.Cache;
import com.google.common.collect.ImmutableSet;
import com.google.gerrit.common.data.ParameterizedString;
import com.google.gerrit.reviewdb.client.AccountGroup;
import com.google.gerrit.server.account.AccountException;
import com.google.gerrit.server.account.AuthenticationFailedException;
import com.google.gerrit.server.auth.NoSuchUserException;
import com.google.gerrit.server.auth.ldap.LdapQuery;
import com.google.gerrit.server.config.ConfigUtil;
import com.google.gerrit.server.config.GerritServerConfig;
import com.google.gerrit.util.ssl.BlindSSLSocketFactory;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import com.google.inject.name.Named;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Properties;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.naming.CompositeName;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.eclipse.jgit.lib.Config;
import org.eclipse.jgit.lib.ConfigConstants;

/* JADX INFO: Access modifiers changed from: package-private */
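/**
 * Shared LDAP plumbing for {@code LdapRealm}: opens directory contexts (anonymous, simple bind
 * or GSSAPI), verifies a user's password against the directory, discovers the server's schema
 * once, and resolves the groups an account belongs to.
 *
 * <p>All connection settings are read from the {@code ldap} section of the Gerrit server config
 * in the constructor. Every field is immutable except the lazily created {@link LdapSchema},
 * which is published through a volatile field under double-checked locking, so instances may be
 * shared between threads.
 */
@Singleton
public class Helper {
    /** Prefix that turns a group DN into the string form of a Gerrit {@link AccountGroup.UUID}. */
    static final String LDAP_UUID = "ldap:";

    // JNDI environment keys the LDAP provider understands but javax.naming.Context does not define.
    private static final String LDAP_SOCKET_FACTORY = "java.naming.ldap.factory.socket";
    private static final String LDAP_READ_TIMEOUT = "com.sun.jndi.ldap.read.timeout";
    private static final String LDAP_CONNECT_TIMEOUT = "com.sun.jndi.ldap.connect.timeout";
    private static final String LDAP_CONNECT_POOL = "com.sun.jndi.ldap.connect.pool";

    // Group DN -> DNs of the groups it is directly a member of (may be empty, never null).
    private final Cache<String, ImmutableSet<String>> parentGroups;
    private final Config config;
    private final String server;
    private final String username;
    private final String password;
    private final String referral;
    private final boolean sslVerify;
    private final String authentication;
    // Created on first use by getSchema(); volatile for the double-checked locking there.
    private volatile LdapSchema ldapSchema;
    private final String readTimeoutMillis;
    private final String connectTimeoutMillis;
    private final boolean useConnectionPooling;
    private final boolean groupsVisibleToAll;

    /**
     * Layout of the directory as Gerrit sees it: where accounts and groups live, how to search
     * for them, and which attributes carry the account's full name, e-mail and SSH username.
     * Built once per {@link Helper} from the config, falling back to the defaults of the
     * auto-detected {@link LdapType}.
     */
    public class LdapSchema {
        final LdapType type;
        final ParameterizedString accountFullName;
        final ParameterizedString accountEmailAddress;
        final ParameterizedString accountSshUserName;
        // Attribute on an account/group entry listing the groups it belongs to; null if unsupported.
        final String accountMemberField;
        // accountMemberField wrapped as the String[] that DirContext.getAttributes expects; null if unset.
        final String[] accountMemberFieldArray;
        final List<String> groupBases;
        final SearchScope groupScope;
        final ParameterizedString groupPattern;
        final ParameterizedString groupName;
        // One query per groupBase; empty when ldap.groupMemberPattern is not configured.
        final List<LdapQuery> groupMemberQueryList = new ArrayList<LdapQuery>();
        // One query per accountBase returning the name/email/ssh attributes.
        final List<LdapQuery> accountQueryList = new ArrayList<LdapQuery>();
        // Same queries, additionally returning accountMemberField; empty when that field is unset.
        final List<LdapQuery> accountWithMemberOfQueryList = new ArrayList<LdapQuery>();

        /**
         * Reads the schema from the server config.
         *
         * @param ctx open directory context, used only to guess the server type.
         * @throws IllegalArgumentException if ldap.groupMemberPattern or ldap.accountPattern
         *     contains no ${variable} placeholders.
         */
        LdapSchema(DirContext ctx) {
            type = discoverLdapType(ctx);

            // Attributes every account query must return: the parameters referenced by the
            // group-member pattern plus those referenced by the name/email/ssh templates.
            Set<String> accountAtts = new HashSet<String>();

            groupBases = LdapRealm.optionalList(config, "groupBase");
            groupScope = LdapRealm.scope(config, "groupScope");
            groupPattern = LdapRealm.paramString(config, "groupPattern", type.groupPattern());
            groupName = LdapRealm.paramString(config, "groupName", type.groupName());

            String groupMemberPattern = LdapRealm.optdef(config, "groupMemberPattern", type.groupMemberPattern());
            if (groupMemberPattern != null) {
                for (String groupBase : groupBases) {
                    LdapQuery q = new LdapQuery(groupBase, groupScope, new ParameterizedString(groupMemberPattern), Collections.<String>emptySet());
                    if (q.getParameters().isEmpty()) {
                        throw new IllegalArgumentException("No variables in ldap.groupMemberPattern");
                    }
                    for (String param : q.getParameters()) {
                        accountAtts.add(param);
                    }
                    groupMemberQueryList.add(q);
                }
            }

            accountFullName = LdapRealm.paramString(config, "accountFullName", type.accountFullName());
            if (accountFullName != null) {
                accountAtts.addAll(accountFullName.getParameterNames());
            }
            accountEmailAddress = LdapRealm.paramString(config, "accountEmailAddress", type.accountEmailAddress());
            if (accountEmailAddress != null) {
                accountAtts.addAll(accountEmailAddress.getParameterNames());
            }
            accountSshUserName = LdapRealm.paramString(config, "accountSshUserName", type.accountSshUserName());
            if (accountSshUserName != null) {
                accountAtts.addAll(accountSshUserName.getParameterNames());
            }

            accountMemberField = LdapRealm.optdef(config, "accountMemberField", type.accountMemberField());
            accountMemberFieldArray = accountMemberField != null ? new String[] {accountMemberField} : null;

            SearchScope accountScope = LdapRealm.scope(config, "accountScope");
            String accountPattern = LdapRealm.reqdef(config, "accountPattern", type.accountPattern());

            // The "with memberOf" variant asks for one more attribute so group resolution can
            // often skip a second round trip to the server.
            Set<String> accountWithMemberOfAtts = null;
            if (accountMemberField != null) {
                accountWithMemberOfAtts = new HashSet<String>(accountAtts);
                accountWithMemberOfAtts.add(accountMemberField);
            }
            for (String accountBase : LdapRealm.requiredList(config, "accountBase")) {
                LdapQuery q = new LdapQuery(accountBase, accountScope, new ParameterizedString(accountPattern), accountAtts);
                if (q.getParameters().isEmpty()) {
                    throw new IllegalArgumentException("No variables in ldap.accountPattern");
                }
                accountQueryList.add(q);
                if (accountWithMemberOfAtts != null) {
                    accountWithMemberOfQueryList.add(new LdapQuery(accountBase, accountScope, new ParameterizedString(accountPattern), accountWithMemberOfAtts));
                }
            }
        }

        /**
         * Guesses the server flavour; on any directory error falls back to RFC 2307 defaults
         * after logging a warning, so a flaky root-DSE lookup never blocks startup.
         */
        LdapType discoverLdapType(DirContext ctx) {
            try {
                return LdapType.guessType(ctx);
            } catch (NamingException e) {
                LdapRealm.log.warn("Cannot discover type of LDAP server at " + server + ", assuming the server is RFC 2307 compliant.", e);
                return LdapType.RFC_2307;
            }
        }
    }

    /**
     * Reads the connection settings from the {@code ldap} config section.
     *
     * @param config Gerrit server configuration.
     * @param cache cache of group DN to parent-group DNs, shared across lookups.
     */
    @Inject
    Helper(@GerritServerConfig Config config, @Named("ldap_groups_byinclude") Cache<String, ImmutableSet<String>> cache) {
        this.config = config;
        this.server = LdapRealm.optional(config, "server");
        this.username = LdapRealm.optional(config, "username");
        // Empty rather than null so it can be placed into the JNDI environment unconditionally.
        this.password = LdapRealm.optional(config, "password", "");
        this.referral = LdapRealm.optional(config, "referral", "ignore");
        this.sslVerify = config.getBoolean("ldap", "sslverify", true);
        this.groupsVisibleToAll = config.getBoolean("ldap", "groupsVisibleToAll", false);
        this.authentication = LdapRealm.optional(config, "authentication", "simple");

        // The JNDI provider wants the timeouts as decimal-millisecond strings.
        String readTimeout = LdapRealm.optional(config, "readTimeout");
        this.readTimeoutMillis = readTimeout != null
                ? Long.toString(ConfigUtil.getTimeUnit(readTimeout, 0L, TimeUnit.MILLISECONDS))
                : null;
        String connectTimeout = LdapRealm.optional(config, "connectTimeout");
        this.connectTimeoutMillis = connectTimeout != null
                ? Long.toString(ConfigUtil.getTimeUnit(connectTimeout, 0L, TimeUnit.MILLISECONDS))
                : null;

        this.parentGroups = cache;
        this.useConnectionPooling = LdapRealm.optional(config, "useConnectionPooling", false);
    }

    /**
     * Builds the JNDI environment shared by every context this helper opens: provider URL,
     * timeouts, pooling and the TLS socket factory. Authentication settings are added by the
     * callers.
     */
    private Properties createContextProperties() {
        Properties env = new Properties();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, server);
        if (server.startsWith("ldaps:") && !sslVerify) {
            // ldap.sslverify=false installs the "blind" factory, which presumably accepts any
            // server certificate: the link is still encrypted but the server is not authenticated.
            env.put(LDAP_SOCKET_FACTORY, BlindSSLSocketFactory.class.getName());
        }
        if (readTimeoutMillis != null) {
            env.put(LDAP_READ_TIMEOUT, readTimeoutMillis);
        }
        if (connectTimeoutMillis != null) {
            env.put(LDAP_CONNECT_TIMEOUT, connectTimeoutMillis);
        }
        if (useConnectionPooling) {
            env.put(LDAP_CONNECT_POOL, ConfigConstants.CONFIG_KEY_TRUE);
        }
        return env;
    }

    /**
     * Opens a context as the configured service identity: via Kerberos when
     * ldap.authentication is GSSAPI, as ldap.username/ldap.password when a username is set,
     * otherwise anonymously.
     *
     * @return an open context the caller must close.
     * @throws NamingException if the bind fails.
     * @throws LoginException if the Kerberos login fails.
     */
    public DirContext open() throws NamingException, LoginException {
        Properties env = createContextProperties();
        env.put(Context.SECURITY_AUTHENTICATION, authentication);
        env.put(Context.REFERRAL, referral);
        if ("GSSAPI".equals(authentication)) {
            return kerberosOpen(env);
        }
        if (username != null) {
            env.put(Context.SECURITY_PRINCIPAL, username);
            env.put(Context.SECURITY_CREDENTIALS, password);
        }
        return new InitialDirContext(env);
    }

    /**
     * Opens a context inside a JAAS "KerberosLogin" subject so the GSSAPI SASL bind can use
     * its credentials. The JAAS session is always logged out, even when the bind fails.
     *
     * @return the context, or null if the privileged action failed with a checked exception
     *     that is neither a NamingException nor a RuntimeException (logged as internal error).
     */
    private DirContext kerberosOpen(final Properties env) throws LoginException, NamingException {
        LoginContext ctx = new LoginContext("KerberosLogin");
        ctx.login();
        try {
            return Subject.doAs(ctx.getSubject(), new PrivilegedExceptionAction<DirContext>() {
                @Override
                public DirContext run() throws NamingException {
                    return new InitialDirContext(env);
                }
            });
        } catch (PrivilegedActionException e) {
            // Unwrap the real cause: NamingException and RuntimeException are rethrown as-is.
            Throwables.propagateIfPossible(e.getException(), NamingException.class);
            Throwables.propagateIfPossible(e.getException(), RuntimeException.class);
            LdapRealm.log.warn("Internal error", (Throwable) e.getException());
            return null;
        } finally {
            ctx.logout();
        }
    }

    /**
     * Verifies a user's password by performing a simple bind as the given DN.
     *
     * @param dn distinguished name of the account entry (from {@link #findAccount}).
     * @param password password supplied by the user.
     * @return an open context bound as the user; the caller must close it.
     * @throws AuthenticationFailedException if the password is empty or the bind is rejected.
     */
    public DirContext authenticate(String dn, String password) throws AccountException {
        // A simple bind with a DN and an empty password is an *unauthenticated* bind in LDAP
        // (RFC 4513 section 5.1.2) which many servers accept, so it must never count as proof
        // of identity. Rejecting it here also avoids the NullPointerException that
        // Properties.put would raise for a null password.
        if (password == null || password.isEmpty()) {
            throw new AuthenticationFailedException("Incorrect username or password");
        }
        Properties env = createContextProperties();
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put(Context.REFERRAL, referral);
        try {
            return new InitialDirContext(env);
        } catch (NamingException e) {
            // Do not leak the server's reason (bad DN vs bad password) to the user.
            throw new AuthenticationFailedException("Incorrect username or password", e);
        }
    }

    /**
     * Returns the schema, building it on first use with the given context. Double-checked
     * locking on the volatile field keeps the common path lock-free.
     */
    public LdapSchema getSchema(DirContext ctx) {
        LdapSchema schema = ldapSchema;
        if (schema == null) {
            synchronized (this) {
                schema = ldapSchema;
                if (schema == null) {
                    schema = new LdapSchema(ctx);
                    ldapSchema = schema;
                }
            }
        }
        return schema;
    }

    /**
     * Looks up exactly one account entry for a username across all configured account bases.
     *
     * @param schema schema from {@link #getSchema}.
     * @param ctx open directory context.
     * @param username value substituted for ${username} in ldap.accountPattern.
     * @param fetchMemberOf also return the member-of attribute when the schema defines one.
     * @return the single matching entry.
     * @throws AccountException if more than one entry matches ("Duplicate users").
     * @throws NoSuchUserException if no base contains a match.
     * @throws NamingException on directory errors.
     */
    public LdapQuery.Result findAccount(LdapSchema schema, DirContext ctx, String username, boolean fetchMemberOf) throws NamingException, AccountException {
        HashMap<String, String> params = new HashMap<String, String>();
        params.put("username", username);

        // accountWithMemberOfQueryList is only populated when the schema's (configured)
        // accountMemberField is set, so key off that same field rather than the LdapType
        // default; otherwise the two can disagree and the with-memberOf list may be empty.
        List<LdapQuery> queries = (fetchMemberOf && schema.accountMemberField != null)
                ? schema.accountWithMemberOfQueryList
                : schema.accountQueryList;
        for (LdapQuery query : queries) {
            List<LdapQuery.Result> matches = query.query(ctx, params);
            if (matches.size() == 1) {
                return matches.get(0);
            }
            if (matches.size() > 1) {
                throw new AccountException("Duplicate users: " + username);
            }
        }
        throw new NoSuchUserException(username);
    }

    /**
     * Resolves the transitive set of groups an account belongs to, using both strategies the
     * schema supports: searching group entries whose member pattern matches the account
     * (ldap.groupMemberPattern), and reading the account's own member-of attribute
     * (ldap.accountMemberField). Nested groups are expanded through {@link #recursivelyExpandGroups}.
     *
     * @param ctx open directory context.
     * @param username the account's username.
     * @param account the account entry if already looked up, or null to look it up here.
     * @return group UUIDs prefixed with {@link #LDAP_UUID}; empty if the account cannot be found.
     * @throws NamingException on directory errors.
     */
    public Set<AccountGroup.UUID> queryForGroups(DirContext ctx, String username, LdapQuery.Result account) throws NamingException {
        LdapSchema schema = getSchema(ctx);
        Set<String> groupDNs = new HashSet<String>();

        // Strategy 1: search the group bases for entries that list this account as a member.
        if (!schema.groupMemberQueryList.isEmpty()) {
            if (account == null) {
                try {
                    account = findAccount(schema, ctx, username, false);
                } catch (AccountException e) {
                    return Collections.emptySet();
                }
            }
            // Every group-member query shares the same parameter names, so the first is
            // representative; each parameter is filled from the account's attributes.
            HashMap<String, String> params = new HashMap<String, String>();
            for (String name : schema.groupMemberQueryList.get(0).getParameters()) {
                params.put(name, account.get(name));
            }
            params.put("username", username);
            for (LdapQuery query : schema.groupMemberQueryList) {
                for (LdapQuery.Result group : query.query(ctx, params)) {
                    recursivelyExpandGroups(groupDNs, schema, ctx, group.getDN());
                }
            }
        }

        // Strategy 2: read the account's member-of attribute (e.g. Active Directory style).
        if (schema.accountMemberField != null) {
            if (account == null || account.getAll(schema.accountMemberField) == null) {
                // Re-query asking explicitly for the member-of attribute.
                try {
                    account = findAccount(schema, ctx, username, true);
                } catch (AccountException e) {
                    return Collections.emptySet();
                }
            }
            Attribute memberOf = account.getAll(schema.accountMemberField);
            if (memberOf != null) {
                NamingEnumeration<?> values = memberOf.getAll();
                while (values.hasMore()) {
                    try {
                        recursivelyExpandGroups(groupDNs, schema, ctx, (String) values.next());
                    } catch (PartialResultException ignored) {
                        // A referral the server could not chase; the remaining values are still usable.
                    }
                }
            }
        }

        if (groupDNs.isEmpty()) {
            return Collections.emptySet();
        }
        ImmutableSet.Builder<AccountGroup.UUID> uuids = ImmutableSet.builder();
        for (String dn : groupDNs) {
            uuids.add(new AccountGroup.UUID(LDAP_UUID + dn));
        }
        return uuids.build();
    }

    /**
     * Adds a group DN and, transitively, every group it is a member of to {@code groupDNs}.
     * The visited set doubles as cycle protection; parent lookups go through the
     * {@code parentGroups} cache, and a lookup failure is logged and cached as "no parents"
     * so an unreadable group is not re-queried on every login.
     *
     * @param groupDNs accumulator of visited group DNs (mutated).
     * @param schema schema, used for the member-of attribute name.
     * @param ctx open directory context.
     * @param groupDN DN of the group to expand.
     */
    private void recursivelyExpandGroups(Set<String> groupDNs, LdapSchema schema, DirContext ctx, String groupDN) {
        if (!groupDNs.add(groupDN) || schema.accountMemberField == null) {
            return; // already expanded, or nested groups are not supported by this schema
        }
        ImmutableSet<String> parents = parentGroups.getIfPresent(groupDN);
        if (parents == null) {
            ImmutableSet.Builder<String> found = ImmutableSet.builder();
            try {
                // Wrap the DN as a single CompositeName component so JNDI does not re-parse
                // it as a slash-separated composite name.
                Attribute memberOf = ctx.getAttributes(new CompositeName().add(groupDN), schema.accountMemberFieldArray).get(schema.accountMemberField);
                if (memberOf != null) {
                    NamingEnumeration<?> values = memberOf.getAll();
                    while (values.hasMore()) {
                        try {
                            found.add((String) values.next());
                        } catch (PartialResultException ignored) {
                            // Skip the value the server could not fully resolve; keep the rest.
                        }
                    }
                }
            } catch (NamingException e) {
                LdapRealm.log.warn("Could not find group " + groupDN, e);
            }
            parents = found.build();
            parentGroups.put(groupDN, parents);
        }
        for (String parent : parents) {
            recursivelyExpandGroups(groupDNs, schema, ctx, parent);
        }
    }

    /** Whether ldap.groupsVisibleToAll is set, i.e. LDAP groups are visible to every user. */
    public boolean groupsVisibleToAll() {
        return groupsVisibleToAll;
    }
}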
