package com.pivotal.gemfirexd.internal.impl.jdbc.authentication;

import com.gemstone.gnu.trove.THashSet;
import com.pivotal.gemfirexd.Constants;
import com.pivotal.gemfirexd.Property;
import com.pivotal.gemfirexd.auth.callback.CredentialInitializer;
import com.pivotal.gemfirexd.callbacks.AsyncEventHelper;
import com.pivotal.gemfirexd.internal.engine.distributed.utils.GemFireXDUtils;
import com.pivotal.gemfirexd.internal.engine.distributed.utils.SecurityUtils;
import com.pivotal.gemfirexd.internal.iapi.services.monitor.Monitor;
import com.pivotal.gemfirexd.internal.iapi.services.sanity.SanityManager;
import com.pivotal.gemfirexd.internal.iapi.util.StringUtil;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Properties;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.NameNotFoundException;
import javax.naming.NameParser;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/* loaded from: input_file:com/pivotal/gemfirexd/internal/impl/jdbc/authentication/LDAPAuthenticationSchemeImpl.class */
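/**
 * LDAP authentication scheme.
 *
 * <p>A user is authenticated by first resolving the user's distinguished name — either
 * from a local property (when the search filter is configured as the "local user DN"
 * marker) or by an LDAP search under {@code searchBaseDN} — and then binding to the
 * directory as that DN with the supplied password. The class also resolves the members
 * of an LDAP group ({@link #getLDAPGroupMembers}) by searching under
 * {@code searchGroupBase} and following member DNs into nested entries.
 *
 * <p>All values that end up inside an LDAP search filter (the user name and the group
 * name) are escaped per RFC 4515 so that filter metacharacters in the input cannot
 * alter the query.
 */
public final class LDAPAuthenticationSchemeImpl extends JNDIAuthenticationSchemeBase implements CredentialInitializer {

    /** Scheme prepended to a server property given as bare {@code host[:port]}. */
    private static final String dfltLDAPURL = "ldap://";
    /** Provider URL used when no LDAP server is configured at all. */
    private static final String NO_SERVER_URL = "ldap:///";
    /** JNDI environment key under which the LDAP provider writes its BER protocol trace. */
    private static final String TRACE_BER_KEY = "com.sun.naming.ldap.trace.ber";
    /** Default user search filter, split around the user name: {@code (&(objectClass=inetOrgPerson)(uid=<user>))}. */
    private static final String DEFAULT_LEFT_FILTER = "(&(objectClass=inetOrgPerson)(uid=";
    private static final String DEFAULT_RIGHT_FILTER = "))";
    /** Filter used when a nested entry is fetched by its DN with object scope. */
    private static final String MATCH_ANY_FILTER = "(objectClass=*)";
    /** Default group search filter; {@code %GROUP%} is replaced by the escaped group name. */
    private static final String DEFAULT_GROUP_FILTER =
            "(&(|(objectClass=group)(objectClass=groupOfNames)(objectClass=groupOfMembers)(objectClass=groupOfUniqueNames))(|(cn=%GROUP%)(name=%GROUP%)))";
    /** Debug flag / trace-stream name used with {@link SanityManager}. */
    private static final String TRACE_FLAG = "TraceAuthentication";
    private static final String TRACE_WARNING = "warning:TraceAuthentication";
    /** Label passed to {@link #decryptPassword} when the search-bind password is decrypted. */
    private static final String AUTH_LDAP_SEARCH_PW_ATTR = "AUTH_LDAP_SEARCH_PW";

    /** Base DN for user searches ("" when not configured). */
    private String searchBaseDN;
    /** User search filter, the part before the user name. */
    private String leftSearchFilter;
    /** User search filter, the part after the user name. */
    private String rightSearchFilter;
    /** When true the user DN is taken from a local property instead of an LDAP search. */
    private boolean useUserPropertyAsDN;
    /** DN used to bind for searches; null means the base environment is used as-is. */
    private String searchAuthDN;
    /** Password (possibly in the encrypted V1 form) for {@link #searchAuthDN}. */
    private String searchAuthPW;
    /** LDAP protocol trace stream installed by {@link #setJNDIProviderProperties}, or null. */
    private final FileOutputStream traceOut;
    /** Base DN for group searches (defaults to {@link #searchBaseDN}). */
    private String searchGroupBase;
    /** Group search filter containing the {@code %GROUP%} placeholder. */
    private String searchGroupFilter;
    /** Attributes of a group entry that list its members. */
    private String[] searchGroupAttributes;
    /** RDN attribute types that identify a member DN as a user rather than a nested entry. */
    private String[] searchGroupUserAttributes;

    private static final String[] attrDN = {"dn", "distinguishedName"};
    private static final String[] attrGroupDefault = {"member", "uniqueMember"};
    private static final String[] attrGroupUserDefault = {"uid"};
    private static final Pattern groupPattern = Pattern.compile(Constants.LDAP_SEARCH_FILTER_GROUP);
    /** Matches the attribute name at the end of the left search filter, e.g. "(uid=" -> "uid". */
    private static final Pattern userAttrPattern = Pattern.compile("\\((\\w+)=$");

    /**
     * Creates the scheme from the service's JNDI environment.
     *
     * <p>The trace stream is read from {@code initDirContextEnv} right after the base
     * constructor returns, which presumes the base constructor has already invoked
     * {@link #setJNDIProviderProperties} — confirm against JNDIAuthenticationSchemeBase.
     */
    public LDAPAuthenticationSchemeImpl(JNDIAuthenticationService jNDIAuthenticationService, Properties properties) {
        super(jNDIAuthenticationService, properties);
        this.traceOut = (FileOutputStream) this.initDirContextEnv.get(TRACE_BER_KEY);
    }

    /**
     * Authenticates a user by resolving the user's DN and binding with the given password.
     *
     * @param userName     user name; an empty value fails fast
     * @param userPassword password, either clear text or in the encrypted V1 form
     * @param databaseName unused here
     * @param info         unused here
     * @return {@code null} on success, otherwise a failure reason (empty user name or
     *         password, or the text of the {@link AuthenticationException} /
     *         {@link NameNotFoundException} raised by the bind)
     * @throws SQLException for any other naming error, a failed DN lookup, a failed
     *         password decryption, or a failure to close the bound context
     */
    @Override
    public String authenticateUser(String userName, String userPassword, String databaseName, Properties info) throws SQLException {
        String encrypted = getEncrypted(userPassword);
        if (encrypted != null) {
            try {
                userPassword = decryptPassword(userName, encrypted, null, -1);
            } catch (Exception e) {
                throw getLoginSQLException(e);
            }
        }
        if (userName == null || userName.length() == 0) {
            return "Empty user name";
        }
        if (userPassword == null || userPassword.length() == 0) {
            return "Empty password";
        }

        String userDN = null;
        if (this.useUserPropertyAsDN) {
            // NOTE(review): both property names end in '.', which reads like a prefix that
            // should have the user name appended — confirm against the service's property naming.
            userDN = this.authenticationService.getProperty("gemfirexd.user.");
            if (userDN == null) {
                userDN = this.authenticationService.getProperty("sqlfire.user.");
            }
        }
        if (userDN == null) {
            try {
                userDN = getDNFromUID(userName);
            } catch (Exception e) {
                // An unknown or ambiguous uid surfaces here as NameNotFoundException and is
                // reported as a login SQLException rather than a plain failure string.
                throw getLoginSQLException(e);
            }
        }

        Properties env = (Properties) this.initDirContextEnv.clone();
        if (GemFireXDUtils.TraceAuthentication) {
            SanityManager.DEBUG_PRINT(TRACE_FLAG, "User DN = [" + userDN + ']');
            // Dumped before the credentials are added so the password never reaches the trace.
            GemFireXDUtils.dumpProperties(env, "LDAP connection authentication for uid=" + userName + " with ", TRACE_FLAG, GemFireXDUtils.TraceAuthentication, null);
        }
        env.put(Context.SECURITY_PRINCIPAL, userDN);
        env.put(Context.SECURITY_CREDENTIALS, userPassword);

        DirContext ctx = null;
        try {
            // Creating the context performs the bind; success is the only thing we need from it.
            ctx = privInitialDirContext(env);
            return null;
        } catch (AuthenticationException e) {
            return e.toString();
        } catch (NameNotFoundException e) {
            return e.toString();
        } catch (NamingException e) {
            throw getLoginSQLException(e);
        } finally {
            try {
                closeContext(ctx);
            } finally {
                flushTrace();
            }
        }
    }

    /**
     * Closes a context obtained for a bind attempt.
     *
     * @param ctx the context, or null when the bind never produced one
     * @throws SQLException (login failure) when the close itself fails
     */
    private void closeContext(DirContext ctx) throws SQLException {
        if (ctx == null) {
            return;
        }
        try {
            ctx.close();
        } catch (NamingException e) {
            if (GemFireXDUtils.TraceAuthentication) {
                SanityManager.DEBUG_PRINT(TRACE_WARNING, "Exception occurred while closing the context acquired.", e);
            }
            throw getLoginSQLException(e);
        }
    }

    /** Pushes buffered protocol trace output to disk; a flush failure is not an auth failure. */
    private void flushTrace() {
        if (this.traceOut == null) {
            return;
        }
        try {
            this.traceOut.flush();
        } catch (IOException ignored) {
            // best-effort: the trace file is a debugging aid only
        }
    }

    /**
     * Decrypts a password given in the encrypted V1 form.
     *
     * @param user      label used only for the trace message and the helper call
     * @param encrypted the encrypted payload (prefix already stripped)
     * @param arg3      forwarded unchanged to {@link AsyncEventHelper#decryptPassword}; callers here pass null
     * @param arg4      forwarded unchanged to {@link AsyncEventHelper#decryptPassword}; callers here pass -1
     * @return the clear-text password
     * @throws Exception whatever the helper raises
     */
    private String decryptPassword(String user, String encrypted, String arg3, int arg4) throws Exception {
        if (GemFireXDUtils.TraceAuthentication) {
            SanityManager.DEBUG_PRINT(TRACE_FLAG, "Decrypting password for user " + user);
        }
        return AsyncEventHelper.decryptPassword(user, encrypted, arg3, arg4);
    }

    /**
     * Creates an {@link InitialDirContext} (i.e. performs the bind) under the JVM's
     * privileged action mechanism.
     *
     * @param env the fully prepared JNDI environment
     * @return the bound context
     * @throws NamingException the naming failure raised by the provider; any other checked
     *         exception is wrapped in a NamingException carrying it as the root cause
     */
    private DirContext privInitialDirContext(final Properties env) throws NamingException {
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<InitialDirContext>() {
                @Override
                public InitialDirContext run() throws NamingException {
                    return new InitialDirContext(env);
                }
            });
        } catch (PrivilegedActionException e) {
            Exception cause = e.getException();
            if (cause instanceof NamingException) {
                throw (NamingException) cause;
            }
            NamingException wrapped = new NamingException("Unexpected exception while creating the LDAP context");
            wrapped.setRootCause(cause);
            throw wrapped;
        }
    }

    /**
     * Reads the LDAP-related service properties into the JNDI environment and this object's
     * search configuration. Missing environment entries get defaults (Sun LDAP context
     * factory, provider URL derived from the server property, simple authentication).
     *
     * <p>When the {@code TraceAuthentication} debug flag is on, the configuration is printed
     * and a BER protocol trace file is installed in the environment; that trace records the
     * raw protocol exchange, so it is a debugging aid only.
     */
    @Override
    protected void setJNDIProviderProperties() {
        Properties env = this.initDirContextEnv;
        if (env.getProperty(Context.INITIAL_CONTEXT_FACTORY) == null) {
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        }
        if (env.getProperty(Context.PROVIDER_URL) == null) {
            this.providerURL = resolveProviderURL(this.authenticationService.getProperty(Property.AUTH_LDAP_SERVER));
            env.put(Context.PROVIDER_URL, this.providerURL);
        }
        if (env.getProperty(Context.SECURITY_AUTHENTICATION) == null) {
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
        }

        String base = this.authenticationService.getProperty(Property.AUTH_LDAP_SEARCH_BASE);
        this.searchBaseDN = (base != null) ? base : "";
        this.searchAuthDN = this.authenticationService.getProperty(Property.AUTH_LDAP_SEARCH_DN);
        this.searchAuthPW = this.authenticationService.getProperty(Property.AUTH_LDAP_SEARCH_PW);
        // Must precede configureUserSearchFilter, which may extend this list.
        this.searchGroupUserAttributes = attrGroupUserDefault;
        configureUserSearchFilter(this.authenticationService.getProperty(Property.AUTH_LDAP_SEARCH_FILTER));

        String groupBase = this.authenticationService.getProperty(Property.AUTH_LDAP_GROUP_SEARCH_BASE);
        this.searchGroupBase = (groupBase != null) ? groupBase : this.searchBaseDN;
        String groupFilter = this.authenticationService.getProperty(Property.AUTH_LDAP_GROUP_SEARCH_FILTER);
        this.searchGroupFilter = (groupFilter != null) ? groupFilter : DEFAULT_GROUP_FILTER;
        this.searchGroupAttributes = parseAttributeList(
                this.authenticationService.getProperty(Property.AUTH_LDAP_GROUP_MEMBER_ATTRIBUTES), attrGroupDefault);

        if (SanityManager.DEBUG_ON(TRACE_FLAG)) {
            SanityManager.GET_DEBUG_STREAM().println("\n\n+ LDAP Authentication Configuration:\n   - provider URL ["
                    + this.providerURL + "]\n   - search base [" + this.searchBaseDN + "]\n   - search filter to be ["
                    + this.leftSearchFilter + "<uid>" + this.rightSearchFilter + "]\n   - use local DN ["
                    + this.useUserPropertyAsDN + "]\n   - group search base [" + this.searchGroupBase
                    + "]\n   - group search filter [" + this.searchGroupFilter + "]\n   - group search attributes "
                    + Arrays.toString(this.searchGroupAttributes) + "\n   - group user attributes "
                    + Arrays.toString(this.searchGroupUserAttributes) + '\n');
            installTraceFile(env);
        }
    }

    /**
     * Normalizes the configured server into a provider URL.
     *
     * @param server the {@code AUTH_LDAP_SERVER} property, possibly null
     * @return the value itself when it already carries an {@code ldap://} or {@code ldaps://}
     *         scheme, {@code ldap:} + value for a {@code //host} form, {@code ldap://} + value
     *         for a bare host, or {@code ldap:///} (after logging message A011) when unset
     */
    private static String resolveProviderURL(String server) {
        if (server == null) {
            Monitor.logTextMessage("A011", Property.AUTH_LDAP_SERVER);
            return NO_SERVER_URL;
        }
        if (server.startsWith(dfltLDAPURL) || server.startsWith("ldaps://")) {
            return server;
        }
        if (server.startsWith("//")) {
            return "ldap:" + server;
        }
        return dfltLDAPURL + server;
    }

    /**
     * Derives {@link #leftSearchFilter}/{@link #rightSearchFilter} (and possibly
     * {@link #useUserPropertyAsDN}, {@link #searchGroupUserAttributes}) from the
     * configured user search filter.
     *
     * @param filter the {@code AUTH_LDAP_SEARCH_FILTER} property, possibly null
     */
    private void configureUserSearchFilter(String filter) {
        if (filter == null) {
            this.leftSearchFilter = DEFAULT_LEFT_FILTER;
            this.rightSearchFilter = DEFAULT_RIGHT_FILTER;
            return;
        }
        if (StringUtil.SQLEqualsIgnoreCase(filter, Constants.LDAP_LOCAL_USER_DN)) {
            // DN comes from a local property; the default filter stays as a fallback.
            this.leftSearchFilter = DEFAULT_LEFT_FILTER;
            this.rightSearchFilter = DEFAULT_RIGHT_FILTER;
            this.useUserPropertyAsDN = true;
            return;
        }
        int marker = filter.indexOf(Constants.LDAP_SEARCH_FILTER_USERNAME);
        if (marker == -1) {
            // No user-name placeholder: treat the value as an extra conjunct of the default filter.
            this.leftSearchFilter = "(&(" + filter + ")(objectClass=inetOrgPerson)(uid=";
            this.rightSearchFilter = DEFAULT_RIGHT_FILTER;
            return;
        }
        this.leftSearchFilter = filter.substring(0, marker);
        this.rightSearchFilter = filter.substring(marker + Constants.LDAP_SEARCH_FILTER_USERNAME.length());
        // The attribute the user name is matched against also identifies a member DN as a
        // user (rather than a nested entry) during group resolution.
        Matcher m = userAttrPattern.matcher(this.leftSearchFilter);
        if (m.find()) {
            String attr = m.group(1);
            if (attr != null && !attributeExists(attr, this.searchGroupUserAttributes)) {
                this.searchGroupUserAttributes = append(this.searchGroupUserAttributes, attr);
            }
        }
    }

    /**
     * Splits a comma-separated attribute list, trimming each name.
     *
     * @param csv  the property value, or null
     * @param dflt returned when {@code csv} is null
     */
    private static String[] parseAttributeList(String csv, String[] dflt) {
        if (csv == null) {
            return dflt;
        }
        String[] names = csv.split(",");
        for (int i = 0; i < names.length; i++) {
            names[i] = names[i].trim();
        }
        return names;
    }

    /** Returns a copy of {@code array} with {@code value} appended. */
    private static String[] append(String[] array, String value) {
        String[] out = Arrays.copyOf(array, array.length + 1);
        out[array.length] = value;
        return out;
    }

    /**
     * Opens the BER protocol trace file and registers it in the environment. Failure to
     * open the file is reported on the debug stream and otherwise ignored.
     */
    private static void installTraceFile(Properties env) {
        FileOutputStream out;
        try {
            out = AccessController.doPrivileged(new PrivilegedExceptionAction<FileOutputStream>() {
                @Override
                public FileOutputStream run() throws IOException {
                    return new FileOutputStream("GemFireXDLDAP.out");
                }
            });
        } catch (PrivilegedActionException e) {
            SanityManager.DEBUG_PRINT(TRACE_WARNING, "Could not open the LDAP protocol trace file GemFireXDLDAP.out", e.getException());
            return;
        }
        if (out != null) {
            env.put(TRACE_BER_KEY, out);
        }
    }

    /**
     * Builds the environment for directory searches: a copy of the base environment bound
     * as {@link #searchAuthDN}, or the base environment itself when no search DN is configured.
     *
     * @throws Exception when the search password cannot be decrypted
     */
    private Properties searchEnvironment() throws Exception {
        if (this.searchAuthDN == null) {
            return this.initDirContextEnv;
        }
        Properties env = (Properties) this.initDirContextEnv.clone();
        env.put(Context.SECURITY_PRINCIPAL, this.searchAuthDN);
        env.put(Context.SECURITY_CREDENTIALS, getSearchAuthPwd());
        return env;
    }

    /**
     * Resolves a user name to its DN with a subtree search under {@link #searchBaseDN}.
     *
     * @param userName the user name; escaped per RFC 4515 before it is placed in the filter
     * @return the DN of the single matching entry, as the search base plus the entry's relative name
     * @throws NameNotFoundException when no entry or more than one entry matches, or the
     *         search base cannot be parsed
     * @throws Exception any other naming or decryption failure
     */
    private String getDNFromUID(String userName) throws Exception {
        Properties env = searchEnvironment();
        if (GemFireXDUtils.TraceAuthentication) {
            // The base environment is dumped (not the copy holding the search-bind password).
            GemFireXDUtils.dumpProperties(this.initDirContextEnv, "Initializing DN for uid=" + userName + " with ", TRACE_FLAG, GemFireXDUtils.TraceAuthentication, null);
            SanityManager.DEBUG_PRINT(TRACE_FLAG, "Search bind DN = [" + this.searchAuthDN + ']');
        }
        DirContext ctx = privInitialDirContext(env);
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(attrDN);
            String filter = this.leftSearchFilter + escapeFilterValue(userName) + this.rightSearchFilter;
            if (GemFireXDUtils.TraceAuthentication) {
                SanityManager.DEBUG_PRINT(TRACE_FLAG, "Searching for DN for uid=" + userName + ", baseDN=" + this.searchBaseDN + ", searchFilter=" + filter);
            }
            NamingEnumeration<SearchResult> results = ctx.search(this.searchBaseDN, filter, controls);
            if (results == null || !results.hasMore()) {
                throw new NameNotFoundException();
            }
            SearchResult first = results.next();
            if (GemFireXDUtils.TraceAuthentication) {
                SanityManager.DEBUG_PRINT(TRACE_FLAG, "First User DN obtained=" + first.getName());
            }
            boolean ambiguous;
            try {
                ambiguous = results.hasMore();
            } catch (NamingException e) {
                // Cannot tell whether more entries exist; treat the first match as the only one.
                ambiguous = false;
            }
            if (ambiguous) {
                if (SanityManager.DEBUG_ON(TRACE_FLAG)) {
                    SanityManager.GET_DEBUG_STREAM().println(" - LDAP Authentication request failure: search filter [" + filter + "], retrieve more than one occurence in LDAP server [" + this.providerURL + "]");
                }
                throw new NameNotFoundException();
            }
            NameParser parser = ctx.getNameParser(this.searchBaseDN);
            Name dn = parser.parse(this.searchBaseDN);
            if (dn == null) {
                throw new NameNotFoundException();
            }
            dn.addAll(parser.parse(first.getName()));
            return dn.toString();
        } finally {
            try {
                ctx.close();
            } catch (NamingException e) {
                // Do not mask the search outcome with a close failure; record it when tracing.
                if (GemFireXDUtils.TraceAuthentication) {
                    SanityManager.DEBUG_PRINT(TRACE_WARNING, "Exception occurred while closing the context acquired.", e);
                }
            }
        }
    }

    /**
     * Escapes a value for literal use inside an LDAP search filter (RFC 4515, section 3):
     * {@code \}, {@code *}, {@code (}, {@code )} and NUL become {@code \5c}, {@code \2a},
     * {@code \28}, {@code \29} and {@code \00}.
     *
     * @param value the raw value, or null
     * @return the escaped value; {@code value} itself when nothing needed escaping or it is null
     */
    static String escapeFilterValue(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder sb = null;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            String replacement;
            switch (c) {
                case '\\':
                    replacement = "\\5c";
                    break;
                case '*':
                    replacement = "\\2a";
                    break;
                case '(':
                    replacement = "\\28";
                    break;
                case ')':
                    replacement = "\\29";
                    break;
                case '\0':
                    replacement = "\\00";
                    break;
                default:
                    replacement = null;
            }
            if (replacement == null) {
                if (sb != null) {
                    sb.append(c);
                }
            } else {
                if (sb == null) {
                    // Copy lazily: most values contain no metacharacters.
                    sb = new StringBuilder(value.length() + 8);
                    sb.append(value, 0, i);
                }
                sb.append(replacement);
            }
        }
        return (sb == null) ? value : sb.toString();
    }

    /**
     * Strips the encrypted-password prefix.
     *
     * @return the payload following {@code ID_PATTERN_LDAP_SCHEME_V1}, or null when the
     *         value is null or not in that form
     */
    private String getEncrypted(String value) {
        if (value == null || !value.startsWith(AuthenticationServiceBase.ID_PATTERN_LDAP_SCHEME_V1)) {
            return null;
        }
        return value.substring(AuthenticationServiceBase.ID_PATTERN_LDAP_SCHEME_V1.length());
    }

    /** Returns the search-bind password in clear text, decrypting it when it is in the V1 form. */
    private String getSearchAuthPwd() throws Exception {
        String encrypted = getEncrypted(this.searchAuthPW);
        if (encrypted == null) {
            return this.searchAuthPW;
        }
        return decryptPassword(AUTH_LDAP_SEARCH_PW_ATTR, encrypted, null, -1);
    }

    /**
     * Collects the members listed by the entries matching {@code filter} under {@code baseDN}.
     *
     * <p>Each value of a returned attribute is handled as follows: a value containing
     * {@code '='} is parsed as a DN; when its leaf RDN type is one of
     * {@link #searchGroupUserAttributes} the RDN value is the member name, otherwise the
     * entry is treated as nested and fetched by DN with object scope (requesting the member
     * attributes plus the user attributes), after which the DN string itself is also
     * recorded. Every recorded value is trimmed, upper-cased and appended to {@code members}.
     * Per-value and per-attribute naming failures are skipped; a failure while advancing the
     * result set ends the scan with what has been collected so far.
     *
     * @param ctx         bound search context
     * @param baseDN      search base (a group base, or a nested entry's DN)
     * @param filter      search filter
     * @param returnAttrs attributes to return
     * @param subtree     true for a subtree search, false for object scope
     * @param groupName   group name, used in messages only
     * @param members     receives the upper-cased member names
     * @throws NameNotFoundException when the search returns no entry
     * @throws NamingException when the search or attribute enumeration fails
     */
    private void resolveDNForGroup(DirContext ctx, String baseDN, String filter, String[] returnAttrs,
            boolean subtree, String groupName, List<String> members) throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(subtree ? SearchControls.SUBTREE_SCOPE : SearchControls.OBJECT_SCOPE);
        controls.setReturningAttributes(returnAttrs);
        NamingEnumeration<SearchResult> results = ctx.search(baseDN, filter, controls);
        if (results == null || !results.hasMore()) {
            throw new NameNotFoundException("Lookup for LDAP group = " + groupName + " failed. Filter=" + filter + " DN: " + baseDN);
        }
        // Arguments for descending into a nested entry; widened once, on first use, when this
        // is the top-level subtree search (nested calls already carry the widened form).
        String nestedFilter = filter;
        String[] nestedAttrs = returnAttrs;
        boolean nestedPrepared = !subtree;
        boolean more = true;
        while (more) {
            Attributes attributes = results.next().getAttributes();
            if (attributes != null) {
                NamingEnumeration<? extends Attribute> attrEnum = attributes.getAll();
                while (attrEnum.hasMore()) {
                    try {
                        NamingEnumeration<?> values = attrEnum.next().getAll();
                        while (values.hasMore()) {
                            try {
                                String value = (String) values.next();
                                if (value == null) {
                                    continue;
                                }
                                if (value.indexOf('=') >= 0) {
                                    LdapName dn = new LdapName(value);
                                    if (!dn.isEmpty()) {
                                        Rdn leaf = dn.getRdn(dn.size() - 1);
                                        if (attributeExists(leaf.getType(), this.searchGroupUserAttributes)) {
                                            value = leaf.getValue().toString();
                                        } else {
                                            if (!nestedPrepared) {
                                                nestedFilter = MATCH_ANY_FILTER;
                                                nestedAttrs = concat(returnAttrs, this.searchGroupUserAttributes);
                                                nestedPrepared = true;
                                            }
                                            if (GemFireXDUtils.TraceAuthentication) {
                                                SanityManager.DEBUG_PRINT(TRACE_FLAG, "Searching DN " + value + " in LDAP group = " + groupName + " filter = " + nestedFilter + " attributes = " + Arrays.toString(nestedAttrs));
                                            }
                                            resolveDNForGroup(ctx, value, nestedFilter, nestedAttrs, false, groupName, members);
                                        }
                                    }
                                }
                                String trimmed = value.trim();
                                if (trimmed.length() > 0) {
                                    String member = StringUtil.SQLToUpperCase(trimmed);
                                    if (GemFireXDUtils.TraceAuthentication) {
                                        SanityManager.DEBUG_PRINT(TRACE_FLAG, "Found member " + member + " in LDAP group = " + groupName);
                                    }
                                    members.add(member);
                                }
                            } catch (NamingException skipValue) {
                                // A single unreadable value (or an unresolvable nested DN) is skipped.
                            }
                        }
                    } catch (NamingException skipAttribute) {
                        // An unreadable attribute is skipped.
                    }
                }
            }
            try {
                more = results.hasMore();
            } catch (NamingException endOfScan) {
                return;
            }
        }
    }

    /** Returns a new array holding {@code first} followed by {@code second}. */
    private static String[] concat(String[] first, String[] second) {
        String[] out = Arrays.copyOf(first, first.length + second.length);
        System.arraycopy(second, 0, out, first.length, second.length);
        return out;
    }

    /** Case-insensitive membership test of {@code name} in {@code names}. */
    private boolean attributeExists(String name, String[] names) {
        for (String candidate : names) {
            if (name.equalsIgnoreCase(candidate)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Resolves the members of an LDAP group.
     *
     * @param groupName the group name; substituted (escaped per RFC 4515) for every
     *        {@code %GROUP%} placeholder in {@link #searchGroupFilter}
     * @return the upper-cased member names, deduplicated
     * @throws NameNotFoundException when no group entry matches
     * @throws Exception any other naming or decryption failure
     */
    public Set<String> getLDAPGroupMembers(String groupName) throws Exception {
        Properties env = searchEnvironment();
        if (GemFireXDUtils.TraceAuthentication) {
            SanityManager.DEBUG_PRINT(TRACE_FLAG, "Initializing search for LDAP group=" + groupName);
        }
        DirContext ctx = privInitialDirContext(env);
        // quoteReplacement keeps '$' and '\' in the name from being read as regex group references.
        String filter = groupPattern.matcher(this.searchGroupFilter)
                .replaceAll(Matcher.quoteReplacement(escapeFilterValue(groupName)));
        if (GemFireXDUtils.TraceAuthentication) {
            SanityManager.DEBUG_PRINT(TRACE_FLAG, "Searching for LDAP group=" + groupName + ", groupBase=" + this.searchGroupBase + ", searchFilter=" + filter);
        }
        List<String> members = new ArrayList<String>();
        try {
            resolveDNForGroup(ctx, this.searchGroupBase, filter, this.searchGroupAttributes, true, groupName, members);
        } finally {
            ctx.close();
        }
        return new THashSet(members);
    }

    @Override
    public String toString() {
        return Constants.AUTHENTICATION_PROVIDER_LDAP;
    }

    @Override
    public Properties getCredentials(Properties properties) throws SQLException {
        return SecurityUtils.getCredentials(properties);
    }
}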
