package org.apache.zeppelin.realm;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.SizeLimitExceededException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.PagedResultsControl;
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialProvider;
import org.apache.hadoop.security.alias.CredentialProviderFactory;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.ShiroException;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.DefaultHashService;
import org.apache.shiro.crypto.hash.Hash;
import org.apache.shiro.crypto.hash.HashRequest;
import org.apache.shiro.crypto.hash.HashService;
import org.apache.shiro.realm.ldap.DefaultLdapRealm;
import org.apache.shiro.realm.ldap.LdapContextFactory;
import org.apache.shiro.realm.ldap.LdapUtils;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.MutablePrincipalCollection;
import org.apache.shiro.subject.PrincipalCollection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/zeppelin/realm/LdapRealm.class */
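/**
 * Shiro LDAP realm that authenticates through {@link DefaultLdapRealm} and then resolves the
 * user's LDAP groups into role names and permissions.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The principal is substituted into LDAP search filters. It is escaped per RFC 4515 first
 *       (see {@link #escapeLdapFilterValue(String)}), because the default {@code principalRegex}
 *       accepts any string.</li>
 *   <li>The principal is also substituted, unescaped, into DN templates ({@code userDnTemplate},
 *       the user search base, the member attribute prefix/suffix). With the default template
 *       {@code {0}} the principal is the whole DN, so it cannot be RDN-escaped here. Deployments
 *       should constrain {@code principalRegex} instead.</li>
 *   <li>Role lookup fails closed: any error while reading groups yields an empty role set.</li>
 * </ul>
 */
public class LdapRealm extends DefaultLdapRealm {
    /** Session attribute under which the resolved role names are stored. */
    private static final String SUBJECT_USER_ROLES = "subject.userRoles";
    /** Session attribute under which the resolved group names are stored. */
    private static final String SUBJECT_USER_GROUPS = "subject.userGroups";
    /** Member attribute name that marks a dynamic group (membership given as an LDAP URL). */
    private static final String MEMBER_URL = "memberUrl";
    private static final String POSIX_GROUP = "posixGroup";
    /** Filter using the Active Directory LDAP_MATCHING_RULE_IN_CHAIN OID for nested groups. */
    private static final String MATCHING_RULE_IN_CHAIN_FORMAT = "(&(objectClass=%s)(%s:1.2.840.113556.1.4.1941:=%s))";
    private static final String DEFAULT_PRINCIPAL_REGEX = "(.*)";
    private static final String MEMBER_SUBSTITUTION_TOKEN = "{0}";
    // NOTE(review): SHA-1 is deprecated for new designs. In this class the hash is only computed
    // from the credentials that were just submitted and compared in-process (see
    // createAuthenticationInfo), so it is not a stored password verifier here. If Shiro
    // authentication caching is backed by anything persistent, move to SHA-256 or stronger.
    private static final String HASHING_ALGORITHM = "SHA-1";
    private String searchBase;
    private String userSearchBase;
    private boolean userLowerCase;
    private boolean groupSearchEnableMatchingRuleInChain;
    private String groupSearchBase;
    private String hadoopSecurityCredentialPath;
    /** Alias of the system password entry inside the Hadoop credential provider. */
    private static final String KEYSTORE_PASS = "ldapRealm.systemPassword";
    private boolean authorizationEnabled;
    private String userSearchAttributeName;
    private static final SearchControls SUBTREE_SCOPE = new SearchControls();
    private static final SearchControls ONELEVEL_SCOPE = new SearchControls();
    private static final SearchControls OBJECT_SCOPE = new SearchControls();
    private static final Logger LOGGER = LoggerFactory.getLogger(LdapRealm.class);
    private int pagingSize = 100;
    private String principalRegex = DEFAULT_PRINCIPAL_REGEX;
    private Pattern principalPattern = Pattern.compile(DEFAULT_PRINCIPAL_REGEX);
    private String userDnTemplate = MEMBER_SUBSTITUTION_TOKEN;
    private String userSearchFilter = null;
    private String groupSearchFilter = null;
    private String userSearchAttributeTemplate = MEMBER_SUBSTITUTION_TOKEN;
    private String userSearchScope = "subtree";
    private String groupSearchScope = "subtree";
    private String groupObjectClass = "groupOfNames";
    private String memberAttribute = "member";
    private String groupIdAttribute = "cn";
    private String memberAttributeValuePrefix = "uid=";
    private String memberAttributeValueSuffix = "";
    private final Map<String, String> rolesByGroup = new LinkedHashMap<>();
    private final List<String> allowedRolesForAuthentication = new ArrayList<>();
    private final Map<String, List<String>> permissionsByRole = new LinkedHashMap<>();
    private String userObjectClass = "person";
    private final HashService hashService = new DefaultHashService();

    /** Sets the Hadoop credential provider path from which {@link #onInit()} reads the system password. */
    public void setHadoopSecurityCredentialPath(String str) {
        this.hadoopSecurityCredentialPath = str;
    }

    /** Creates the realm with a {@link HashedCredentialsMatcher} for {@code HASHING_ALGORITHM}. */
    public LdapRealm() {
        setCredentialsMatcher(new HashedCredentialsMatcher(HASHING_ALGORITHM));
    }

    /** Delegates unchanged to the superclass implementation. */
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        return super.doGetAuthenticationInfo(authenticationToken);
    }

    /**
     * Runs the superclass initialisation and, when a credential provider path is configured and a
     * context factory exists, loads the LDAP system password from that provider.
     */
    protected void onInit() {
        super.onInit();
        if (StringUtils.isEmpty(this.hadoopSecurityCredentialPath) || getContextFactory() == null) {
            return;
        }
        getContextFactory().setSystemPassword(getSystemPassword(this.hadoopSecurityCredentialPath, KEYSTORE_PASS));
    }

    /**
     * Reads a credential from the first Hadoop credential provider configured for the given path.
     *
     * <p>Decompiler note: this method was package-private in the compiled class.
     *
     * @param str  value for {@code hadoop.security.credential.provider.path}
     * @param str2 alias of the credential entry to read
     * @return the credential as a non-empty string
     * @throws ShiroException if no provider is configured, the entry is missing or empty, or the
     *     provider cannot be read
     */
    public static String getSystemPassword(String str, String str2) {
        try {
            Configuration configuration = new Configuration();
            configuration.set("hadoop.security.credential.provider.path", str);
            List<?> providers = CredentialProviderFactory.getProviders(configuration);
            // An empty provider list previously surfaced as IndexOutOfBoundsException.
            if (providers == null || providers.isEmpty()) {
                throw new ShiroException("Error getting SystemPassword from the provided keystore:" + str2 + ", in path:" + str);
            }
            CredentialProvider.CredentialEntry credentialEntry = ((CredentialProvider) providers.get(0)).getCredentialEntry(str2);
            String password = credentialEntry != null ? new String(credentialEntry.getCredential()) : "";
            if (StringUtils.isEmpty(password)) {
                throw new ShiroException("Error getting SystemPassword from the provided keystore:" + str2 + ", in path:" + str);
            }
            return password;
        } catch (IOException e) {
            throw new ShiroException("Error from getting credential entry from keystore", e);
        }
    }

    /**
     * Authenticates through the superclass, then rejects the login unless the principal holds one
     * of the configured {@code allowedRolesForAuthentication} (when that list is non-empty).
     *
     * @throws NamingException if the principal has none of the allowed roles
     */
    protected AuthenticationInfo queryForAuthenticationInfo(AuthenticationToken authenticationToken, LdapContextFactory ldapContextFactory) throws NamingException {
        AuthenticationInfo authenticationInfo = super.queryForAuthenticationInfo(authenticationToken, ldapContextFactory);
        if (hasAllowedAuthenticationRules(authenticationInfo.getPrincipals(), ldapContextFactory)) {
            return authenticationInfo;
        }
        throw new NamingException("Principal does not have any of the allowedRolesForAuthentication");
    }

    /**
     * Builds the authorization info (roles plus the permissions mapped to them) for a principal.
     *
     * @return the authorization info, or {@code null} when authorization is disabled
     */
    public AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection principalCollection, LdapContextFactory ldapContextFactory) throws NamingException {
        if (!isAuthorizationEnabled()) {
            return null;
        }
        Set<String> roles = getRoles(principalCollection, ldapContextFactory);
        LOGGER.debug("RolesNames Authorization: {}", roles);
        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo(roles);
        authorizationInfo.setStringPermissions(permsFor(roles));
        return authorizationInfo;
    }

    /**
     * Returns {@code true} when no allowed roles are configured, or when the principal holds at
     * least one of them. Because {@link #getRoles} returns an empty set on any lookup failure, a
     * directory error denies the login whenever allowed roles are configured.
     */
    private boolean hasAllowedAuthenticationRules(PrincipalCollection principalCollection, LdapContextFactory ldapContextFactory) {
        if (this.allowedRolesForAuthentication.isEmpty()) {
            return true;
        }
        Set<String> roles = getRoles(principalCollection, ldapContextFactory);
        for (String allowedRole : this.allowedRolesForAuthentication) {
            if (roles.contains(allowedRole)) {
                LOGGER.debug("Allowed role for user [{}] found.", allowedRole);
                return true;
            }
        }
        return false;
    }

    /**
     * Resolves the role names of the principal using a system LDAP context.
     *
     * @return the role names, or an empty set if anything goes wrong (fail closed)
     */
    private Set<String> getRoles(PrincipalCollection principalCollection, LdapContextFactory ldapContextFactory) {
        String username = (String) getAvailablePrincipal(principalCollection);
        LdapContext systemLdapCtx = null;
        try {
            systemLdapCtx = ldapContextFactory.getSystemLdapContext();
            return rolesFor(principalCollection, username, systemLdapCtx, ldapContextFactory, SecurityUtils.getSubject().getSession());
        } catch (Throwable t) {
            // Deliberately broad: any failure results in "no roles" rather than a partial answer.
            LOGGER.warn("Failed to get roles in current context for " + username, t);
            return Collections.emptySet();
        } finally {
            LdapUtils.closeContext(systemLdapCtx);
        }
    }

    /**
     * Searches the group tree with paged results and collects the roles of the given user.
     *
     * <p>The resolved roles and groups are stored on the session, and the group names are added
     * to the principal collection when it is mutable.
     *
     * @param principalCollection principals of the user, extended with group names when mutable
     * @param str                 the user name
     * @param ldapContext         context used for the group search
     * @param ldapContextFactory  factory used for dynamic-group membership checks
     * @param session             session that receives the role and group attributes
     * @return the role names found (possibly empty)
     * @throws NamingException on LDAP errors other than partial results and size limits
     */
    protected Set<String> rolesFor(PrincipalCollection principalCollection, String str, LdapContext ldapContext, LdapContextFactory ldapContextFactory, Session session) throws NamingException {
        Set<String> roleNames = new HashSet<>();
        Set<String> groupNames = new HashSet<>();
        String userName = str;
        if (getUserLowerCase()) {
            LOGGER.debug("userLowerCase true");
            userName = str.toLowerCase();
        }
        String userDn = getUserDnForSearch(userName);
        int pageSize = getPagingSize();
        LOGGER.debug("Ldap PagingSize: {}", pageSize);
        int numResults = 0;
        try {
            ldapContext.addToEnvironment("java.naming.referral", "ignore");
            ldapContext.setRequestControls(new Control[]{new PagedResultsControl(pageSize, false)});
            SearchControls groupSearchControls = getGroupSearchControls();
            NamingEnumeration<SearchResult> searchResults = null;
            try {
                if (this.groupSearchEnableMatchingRuleInChain) {
                    // The user DN is data inside the filter, so it is escaped per RFC 4515.
                    String chainFilter = String.format(MATCHING_RULE_IN_CHAIN_FORMAT, this.groupObjectClass, this.memberAttribute, escapeLdapFilterValue(userDn));
                    searchResults = ldapContext.search(getGroupSearchBase(), chainFilter, groupSearchControls);
                    while (searchResults != null && searchResults.hasMore()) {
                        numResults++;
                        String groupName = searchResults.next().getAttributes().get(getGroupIdAttribute()).get().toString();
                        String roleName = roleNameFor(groupName);
                        roleNames.add(roleName != null ? roleName : groupName);
                    }
                } else {
                    String searchFilter = String.format("(objectclass=%1$s)", this.groupObjectClass);
                    if (this.groupSearchFilter != null) {
                        // The user name is escaped before it is placed into the configured filter.
                        searchFilter = expandTemplate(this.groupSearchFilter, escapeLdapFilterValue(userName));
                    }
                    LOGGER.debug("Group SearchBase|SearchFilter|GroupSearchScope: {}|{}|{}", getGroupSearchBase(), searchFilter, this.groupSearchScope);
                    searchResults = ldapContext.search(getGroupSearchBase(), searchFilter, groupSearchControls);
                    while (searchResults != null && searchResults.hasMore()) {
                        numResults++;
                        addRoleIfMember(userDn, searchResults.next(), roleNames, groupNames, ldapContextFactory);
                    }
                }
            } catch (PartialResultException e) {
                LOGGER.debug("Ignoring PartitalResultException");
            } finally {
                // Release the server-side search on every path, not only on success.
                if (searchResults != null) {
                    searchResults.close();
                }
            }
            ldapContext.setRequestControls(new Control[]{new PagedResultsControl(pageSize, (byte[]) null, true)});
        } catch (IOException e) {
            LOGGER.error("Unabled to setup paged results", e);
        } catch (SizeLimitExceededException e) {
            LOGGER.info("Only retrieved first {} groups due to SizeLimitExceededException.", numResults);
        }
        session.setAttribute(SUBJECT_USER_ROLES, roleNames);
        session.setAttribute(SUBJECT_USER_GROUPS, groupNames);
        if (!groupNames.isEmpty() && (principalCollection instanceof MutablePrincipalCollection)) {
            ((MutablePrincipalCollection) principalCollection).addAll(groupNames, getName());
        }
        LOGGER.debug("User RoleNames: {}::{}", userName, roleNames);
        return roleNames;
    }

    /**
     * Returns the DN used to match group members: the prefix/suffix form when no user search
     * attribute is configured, otherwise the DN resolved by {@link #getUserDn(String)}.
     */
    protected String getUserDnForSearch(String str) {
        return (this.userSearchAttributeName == null || this.userSearchAttributeName.isEmpty()) ? memberDn(str) : getUserDn(str);
    }

    /**
     * Adds the group (and its mapped role) to the result sets when the user is a member.
     *
     * <p>For {@code memberUrl} groups membership is decided by
     * {@link #isUserMemberOfDynamicGroup}; otherwise each member value is compared with the user
     * DN as an {@link LdapName}. A member value that is not a valid DN raises a
     * {@link NamingException} and aborts the lookup.
     */
    private void addRoleIfMember(String userDn, SearchResult group, Set<String> roleNames, Set<String> groupNames, LdapContextFactory ldapContextFactory) throws NamingException {
        NamingEnumeration<? extends Attribute> attributeEnum = null;
        NamingEnumeration<?> memberEnum = null;
        try {
            LdapName userLdapDn = new LdapName(userDn);
            String groupName = group.getAttributes().get(getGroupIdAttribute()).get().toString();
            attributeEnum = group.getAttributes().getAll();
            while (attributeEnum.hasMore()) {
                Attribute attribute = attributeEnum.next();
                if (!this.memberAttribute.equalsIgnoreCase(attribute.getID())) {
                    continue;
                }
                memberEnum = attribute.getAll();
                while (memberEnum.hasMore()) {
                    String memberValue = memberEnum.next().toString();
                    boolean isMember;
                    if (this.memberAttribute.equalsIgnoreCase(MEMBER_URL)) {
                        isMember = isUserMemberOfDynamicGroup(userLdapDn, memberValue, ldapContextFactory);
                    } else {
                        if (this.groupObjectClass.equalsIgnoreCase(POSIX_GROUP)) {
                            // posixGroup stores bare user ids, so rebuild the DN before comparing.
                            memberValue = memberDn(memberValue);
                        }
                        isMember = userLdapDn.equals(new LdapName(memberValue));
                    }
                    if (isMember) {
                        groupNames.add(groupName);
                        String roleName = roleNameFor(groupName);
                        roleNames.add(roleName != null ? roleName : groupName);
                    }
                }
            }
        } finally {
            try {
                if (attributeEnum != null) {
                    attributeEnum.close();
                }
            } finally {
                if (memberEnum != null) {
                    memberEnum.close();
                }
            }
        }
    }

    /**
     * Wraps a user id in the configured member attribute prefix and suffix.
     * NOTE(review): the id is concatenated without RDN escaping.
     */
    private String memberDn(String str) {
        return this.memberAttributeValuePrefix + str + this.memberAttributeValueSuffix;
    }

    /** Returns the inverse of {@code rolesByGroup}: role name mapped to group name. */
    public Map<String, String> getListRoles() {
        Map<String, String> groupByRole = new HashMap<>();
        for (Map.Entry<String, String> entry : getRolesByGroup().entrySet()) {
            groupByRole.put(entry.getValue(), entry.getKey());
        }
        return groupByRole;
    }

    /**
     * Maps a group name to its role. With no mapping configured the group name is the role;
     * with a mapping configured an unmapped group yields {@code null}.
     */
    private String roleNameFor(String str) {
        return !this.rolesByGroup.isEmpty() ? this.rolesByGroup.get(str) : str;
    }

    /** Collects, in insertion order, the permissions configured for the given roles. */
    private Set<String> permsFor(Set<String> set) {
        Set<String> permissions = new LinkedHashSet<>();
        for (String role : set) {
            List<String> rolePermissions = this.permissionsByRole.get(role);
            LOGGER.debug("PermsForRole: {}", role);
            LOGGER.debug("PermByRole: {}", rolePermissions);
            if (rolePermissions != null) {
                permissions.addAll(rolePermissions);
            }
        }
        return permissions;
    }

    /** Returns the default search base. */
    public String getSearchBase() {
        return this.searchBase;
    }

    /** Sets the default search base. */
    public void setSearchBase(String str) {
        this.searchBase = str;
    }

    /** Returns the user search base, falling back to the default search base when unset. */
    public String getUserSearchBase() {
        return (this.userSearchBase == null || this.userSearchBase.isEmpty()) ? this.searchBase : this.userSearchBase;
    }

    /** Sets the user search base. */
    public void setUserSearchBase(String str) {
        this.userSearchBase = str;
    }

    /** Returns the page size requested for group searches. */
    public int getPagingSize() {
        return this.pagingSize;
    }

    /** Sets the page size requested for group searches. */
    public void setPagingSize(int i) {
        this.pagingSize = i;
    }

    /** Returns the group search base, falling back to the default search base when unset. */
    public String getGroupSearchBase() {
        return (this.groupSearchBase == null || this.groupSearchBase.isEmpty()) ? this.searchBase : this.groupSearchBase;
    }

    /** Sets the group search base. */
    public void setGroupSearchBase(String str) {
        this.groupSearchBase = str;
    }

    /** Returns the object class used to find groups. */
    public String getGroupObjectClass() {
        return this.groupObjectClass;
    }

    /** Sets the object class used to find groups. */
    public void setGroupObjectClass(String str) {
        this.groupObjectClass = str;
    }

    /** Returns the name of the group attribute that lists members. */
    public String getMemberAttribute() {
        return this.memberAttribute;
    }

    /** Sets the name of the group attribute that lists members. */
    public void setMemberAttribute(String str) {
        this.memberAttribute = str;
    }

    /** Returns the name of the attribute that identifies a group. */
    public String getGroupIdAttribute() {
        return this.groupIdAttribute;
    }

    /** Sets the name of the attribute that identifies a group. */
    public void setGroupIdAttribute(String str) {
        this.groupIdAttribute = str;
    }

    /**
     * Splits a template such as {@code uid={0},ou=people,dc=example} around the {@code {0}} token
     * into the member attribute prefix and suffix.
     *
     * @throws IllegalArgumentException if the template is blank or lacks the token
     */
    public void setMemberAttributeValueTemplate(String str) {
        if (!org.apache.shiro.util.StringUtils.hasText(str)) {
            throw new IllegalArgumentException("User DN template cannot be null or empty.");
        }
        int tokenIndex = str.indexOf(MEMBER_SUBSTITUTION_TOKEN);
        if (tokenIndex < 0) {
            throw new IllegalArgumentException("Member attribute value template must contain the '{0}' replacement token to understand how to parse the group members.");
        }
        this.memberAttributeValuePrefix = str.substring(0, tokenIndex);
        this.memberAttributeValueSuffix = str.substring(tokenIndex + MEMBER_SUBSTITUTION_TOKEN.length());
    }

    /** Adds roles to the list of roles of which a user must hold at least one to log in. */
    public void setAllowedRolesForAuthentication(List<String> list) {
        this.allowedRolesForAuthentication.addAll(list);
    }

    /** Adds group-to-role mappings. */
    public void setRolesByGroup(Map<String, String> map) {
        this.rolesByGroup.putAll(map);
    }

    /** Returns the live group-to-role map (not a copy). */
    public Map<String, String> getRolesByGroup() {
        return this.rolesByGroup;
    }

    /** Parses {@code role=perm1,perm2;role2=perm3} and adds the result to the permission map. */
    public void setPermissionsByRole(String str) {
        this.permissionsByRole.putAll(parsePermissionByRoleString(str));
    }

    /** Returns the live role-to-permissions map (not a copy). */
    public Map<String, List<String>> getPermissionsByRole() {
        return this.permissionsByRole;
    }

    /** Returns whether role and permission lookup is enabled. */
    public boolean isAuthorizationEnabled() {
        return this.authorizationEnabled;
    }

    /** Enables or disables role and permission lookup. */
    public void setAuthorizationEnabled(boolean z) {
        this.authorizationEnabled = z;
    }

    /** Returns the attribute name used to search for a user entry. */
    public String getUserSearchAttributeName() {
        return this.userSearchAttributeName;
    }

    /** Sets the attribute name used to search for a user entry (trimmed when non-null). */
    public void setUserSearchAttributeName(String str) {
        this.userSearchAttributeName = str != null ? str.trim() : null;
    }

    /** Returns the object class used to find users. */
    public String getUserObjectClass() {
        return this.userObjectClass;
    }

    /** Sets the object class used to find users. */
    public void setUserObjectClass(String str) {
        this.userObjectClass = str;
    }

    /**
     * Parses {@code role=perm1,perm2;role2=perm3}. Segments that do not consist of exactly one
     * name and one value separated by {@code =} are skipped.
     */
    private Map<String, List<String>> parsePermissionByRoleString(String str) {
        Map<String, List<String>> permissionsByRoleName = new HashMap<>();
        StringTokenizer roleTokens = new StringTokenizer(str, ";");
        while (roleTokens.hasMoreTokens()) {
            StringTokenizer pair = new StringTokenizer(roleTokens.nextToken(), "=");
            if (pair.countTokens() != 2) {
                continue;
            }
            String roleName = pair.nextToken().trim();
            StringTokenizer permissionTokens = new StringTokenizer(pair.nextToken().trim(), ",");
            List<String> permissions = new ArrayList<>();
            while (permissionTokens.hasMoreTokens()) {
                permissions.add(permissionTokens.nextToken().trim());
            }
            permissionsByRoleName.put(roleName, permissions);
        }
        return permissionsByRoleName;
    }

    /**
     * Decides whether a user belongs to a dynamic group described by a {@code memberUrl} value of
     * the form {@code ldap:///<base>?<attrs>?<scope>?<filter>}.
     *
     * @param ldapName           DN of the user
     * @param str                the memberUrl value; {@code null} or fewer than four
     *                           {@code ?}-separated parts means "not a member"
     * @param ldapContextFactory factory for the system context used to run the group filter
     * @return {@code true} if the group filter matches the user entry
     * @throws NamingException if the base DN is malformed or the search fails
     */
    boolean isUserMemberOfDynamicGroup(LdapName ldapName, String str, LdapContextFactory ldapContextFactory) throws NamingException {
        if (str == null) {
            return false;
        }
        String[] urlParts = str.split("\\?");
        if (urlParts.length < 4) {
            return false;
        }
        String searchBaseString = urlParts[0].substring(urlParts[0].lastIndexOf('/') + 1);
        String searchScope = urlParts[2];
        String searchFilter = urlParts[3];
        LdapName searchBaseDn = new LdapName(searchBaseString);
        if ("base".equalsIgnoreCase(searchScope)) {
            LOGGER.debug("DynamicGroup SearchScope base");
            return false;
        }
        // NOTE(review): this is a textual suffix test, so it is sensitive to case and spacing
        // differences between the two DN strings.
        if (!ldapName.toString().endsWith(searchBaseDn.toString())) {
            return false;
        }
        // NOTE(review): a direct child of the base has size() == base.size() + 1, so this
        // condition looks like it rejects every "one" scope URL; confirm the intended comparison
        // before changing it, because a fix would widen membership.
        if ("one".equalsIgnoreCase(searchScope) && ldapName.size() != searchBaseDn.size() - 1) {
            LOGGER.debug("DynamicGroup SearchScope one");
            return false;
        }
        LdapContext systemLdapCtx = ldapContextFactory.getSystemLdapContext();
        NamingEnumeration<SearchResult> searchResults = null;
        try {
            searchResults = systemLdapCtx.search(ldapName, searchFilter, "sub".equalsIgnoreCase(searchScope) ? SUBTREE_SCOPE : ONELEVEL_SCOPE);
            return searchResults.hasMore();
        } finally {
            // Close the enumeration and the context on every path, including the match path.
            try {
                if (searchResults != null) {
                    searchResults.close();
                }
            } finally {
                LdapUtils.closeContext(systemLdapCtx);
            }
        }
    }

    /** Returns the regular expression a principal must match. */
    public String getPrincipalRegex() {
        return this.principalRegex;
    }

    /**
     * Sets the regular expression a principal must fully match; blank or {@code null} restores
     * the default {@code (.*)}, which accepts every principal.
     */
    public void setPrincipalRegex(String str) {
        String regex = (str == null || str.trim().isEmpty()) ? DEFAULT_PRINCIPAL_REGEX : str.trim();
        this.principalPattern = Pattern.compile(regex);
        this.principalRegex = regex;
    }

    /** Returns the template for the value compared with the user search attribute. */
    public String getUserSearchAttributeTemplate() {
        return this.userSearchAttributeTemplate;
    }

    /** Sets the template for the value compared with the user search attribute (trimmed). */
    public void setUserSearchAttributeTemplate(String str) {
        this.userSearchAttributeTemplate = str == null ? null : str.trim();
    }

    /** Returns the custom user search filter template, or {@code null}. */
    public String getUserSearchFilter() {
        return this.userSearchFilter;
    }

    /** Sets the custom user search filter template (trimmed); {@code {0}} is the principal. */
    public void setUserSearchFilter(String str) {
        this.userSearchFilter = str == null ? null : str.trim();
    }

    /** Returns the custom group search filter template, or {@code null}. */
    public String getGroupSearchFilter() {
        return this.groupSearchFilter;
    }

    /** Sets the custom group search filter template (trimmed); {@code {0}} is the user name. */
    public void setGroupSearchFilter(String str) {
        this.groupSearchFilter = str == null ? null : str.trim();
    }

    /** Returns whether the user name is lower-cased before the group lookup. */
    public boolean getUserLowerCase() {
        return this.userLowerCase;
    }

    /** Sets whether the user name is lower-cased before the group lookup. */
    public void setUserLowerCase(boolean z) {
        this.userLowerCase = z;
    }

    /** Returns the user search scope name. */
    public String getUserSearchScope() {
        return this.userSearchScope;
    }

    /** Sets the user search scope name (trimmed and lower-cased). */
    public void setUserSearchScope(String str) {
        this.userSearchScope = str == null ? null : str.trim().toLowerCase();
    }

    /** Returns the group search scope name. */
    public String getGroupSearchScope() {
        return this.groupSearchScope;
    }

    /** Sets the group search scope name (trimmed and lower-cased). */
    public void setGroupSearchScope(String str) {
        this.groupSearchScope = str == null ? null : str.trim().toLowerCase();
    }

    /** Returns whether group lookup uses the matching-rule-in-chain filter. */
    public boolean isGroupSearchEnableMatchingRuleInChain() {
        return this.groupSearchEnableMatchingRuleInChain;
    }

    /** Sets whether group lookup uses the matching-rule-in-chain filter. */
    public void setGroupSearchEnableMatchingRuleInChain(boolean z) {
        this.groupSearchEnableMatchingRuleInChain = z;
    }

    /** Maps the user search scope name to search controls; anything unrecognised is subtree. */
    private SearchControls getUserSearchControls() {
        if ("onelevel".equalsIgnoreCase(this.userSearchScope)) {
            return ONELEVEL_SCOPE;
        }
        if ("object".equalsIgnoreCase(this.userSearchScope)) {
            return OBJECT_SCOPE;
        }
        return SUBTREE_SCOPE;
    }

    /** Maps the group search scope name to search controls; anything unrecognised is subtree. */
    protected SearchControls getGroupSearchControls() {
        if ("onelevel".equalsIgnoreCase(this.groupSearchScope)) {
            return ONELEVEL_SCOPE;
        }
        if ("object".equalsIgnoreCase(this.groupSearchScope)) {
            return OBJECT_SCOPE;
        }
        return SUBTREE_SCOPE;
    }

    /** Stores the user DN template as given; no validation is performed here. */
    public void setUserDnTemplate(String str) throws IllegalArgumentException {
        this.userDnTemplate = str;
    }

    /**
     * Checks that the whole principal matches {@code principalRegex} and returns it unchanged.
     *
     * @throws IllegalArgumentException if the principal does not match
     */
    private String matchPrincipal(String str) {
        Matcher matcher = this.principalPattern.matcher(str);
        if (matcher.matches()) {
            return matcher.group();
        }
        throw new IllegalArgumentException("Principal " + str + " does not match " + this.principalRegex);
    }

    /**
     * Resolves the DN of a principal, either by template expansion or by searching the directory.
     *
     * <p>The template is used when no user search base is set, or when neither a search
     * attribute nor a search filter is configured and the scope is not {@code object}. Otherwise
     * the directory is searched with the system context and the DN of the first result is
     * returned.
     *
     * @param str the principal as supplied by the caller
     * @return the user DN
     * @throws IllegalArgumentException if the principal does not match the regex, no entry is
     *     found, or the search fails
     */
    protected String getUserDn(String str) throws IllegalArgumentException, IllegalStateException {
        String matchedPrincipal = matchPrincipal(str);
        String searchBaseTemplate = getUserSearchBase();
        String searchAttributeName = getUserSearchAttributeName();
        if (searchBaseTemplate == null || searchBaseTemplate.isEmpty() || (searchAttributeName == null && this.userSearchFilter == null && !"object".equalsIgnoreCase(this.userSearchScope))) {
            // NOTE(review): the principal goes into the DN template unescaped; see class notes.
            String templateDn = expandTemplate(this.userDnTemplate, matchedPrincipal);
            LOGGER.debug("LDAP UserDN and Principal: {},{}", templateDn, str);
            return templateDn;
        }
        String searchBase = expandTemplate(searchBaseTemplate, matchedPrincipal);
        // Inside a filter the principal is data: escape RFC 4515 metacharacters so that input
        // such as "*" or ")(uid=*" cannot change which entries the filter selects.
        String filterValue = escapeLdapFilterValue(matchedPrincipal);
        String searchFilter;
        if (this.userSearchFilter != null) {
            searchFilter = expandTemplate(this.userSearchFilter, filterValue);
        } else if (searchAttributeName == null) {
            searchFilter = String.format("(objectclass=%1$s)", getUserObjectClass());
        } else {
            searchFilter = String.format("(&(objectclass=%1$s)(%2$s=%3$s))", getUserObjectClass(), searchAttributeName, expandTemplate(getUserSearchAttributeTemplate(), filterValue));
        }
        SearchControls userSearchControls = getUserSearchControls();
        LdapContext systemLdapCtx = null;
        NamingEnumeration<SearchResult> searchResults = null;
        try {
            systemLdapCtx = getContextFactory().getSystemLdapContext();
            LOGGER.debug("SearchBase,SearchFilter,UserSearchScope: {},{},{}", searchBase, searchFilter, this.userSearchScope);
            searchResults = systemLdapCtx.search(searchBase, searchFilter, userSearchControls);
            if (!searchResults.hasMore()) {
                throw new IllegalArgumentException("Illegal principal name: " + str);
            }
            // Only the first entry is used; a filter that matches several entries is not
            // reported as ambiguous.
            String userDn = searchResults.next().getNameInNamespace();
            LOGGER.debug("UserDN Returned,Principal: {},{}", userDn, str);
            return userDn;
        } catch (javax.naming.AuthenticationException e) {
            // Must precede the NamingException handler, of which it is a subclass.
            LOGGER.error("AuthenticationException in getUserDn", e);
            throw new IllegalArgumentException("Illegal principal name: " + str);
        } catch (NamingException e) {
            throw new IllegalArgumentException("Hit NamingException: " + e.getMessage(), e);
        } finally {
            try {
                if (searchResults != null) {
                    searchResults.close();
                }
            } catch (NamingException ignored) {
                // Best effort: a failed close must not mask the result or the original error.
            } finally {
                LdapUtils.closeContext(systemLdapCtx);
            }
        }
    }

    /**
     * Builds the authentication info from a hash of the submitted credentials, so that the info
     * object holds a digest rather than the clear-text password.
     */
    protected AuthenticationInfo createAuthenticationInfo(AuthenticationToken authenticationToken, Object obj, Object obj2, LdapContext ldapContext) throws NamingException {
        HashRequest hashRequest = new HashRequest.Builder()
                .setSource(authenticationToken.getCredentials())
                .setAlgorithmName(HASHING_ALGORITHM)
                .build();
        Hash credentialsHash = this.hashService.computeHash(hashRequest);
        return new SimpleAuthenticationInfo(authenticationToken.getPrincipal(), credentialsHash.toHex(), credentialsHash.getSalt(), getName());
    }

    /**
     * Replaces every {@code {0}} in the template with the given value. No escaping is applied
     * here; callers escape for the target context (filter or DN) themselves.
     */
    protected static final String expandTemplate(String str, String str2) {
        return str.replace(MEMBER_SUBSTITUTION_TOKEN, str2);
    }

    /**
     * Escapes a value for use inside an LDAP search filter (RFC 4515): backslash, asterisk,
     * parentheses and NUL are replaced by their {@code \xx} hex form.
     *
     * @param value the raw value, may be {@code null}
     * @return the escaped value, or {@code null} if the input was {@code null}
     */
    private static String escapeLdapFilterValue(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder escaped = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\':
                    escaped.append("\\5c");
                    break;
                case '*':
                    escaped.append("\\2a");
                    break;
                case '(':
                    escaped.append("\\28");
                    break;
                case ')':
                    escaped.append("\\29");
                    break;
                case '\0':
                    escaped.append("\\00");
                    break;
                default:
                    escaped.append(c);
                    break;
            }
        }
        return escaped.toString();
    }

    static {
        SUBTREE_SCOPE.setSearchScope(SearchControls.SUBTREE_SCOPE);
        ONELEVEL_SCOPE.setSearchScope(SearchControls.ONELEVEL_SCOPE);
        OBJECT_SCOPE.setSearchScope(SearchControls.OBJECT_SCOPE);
    }
}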
