package org.codelibs.spnego;

import java.io.FileInputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Properties;
import java.util.Set;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import java.util.logging.Logger;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import org.codelibs.spnego.SpnegoHttpFilter;

/* loaded from: input_file:org/codelibs/spnego/LdapAccessControl.class */
public class LdapAccessControl implements UserAccessControl {
    private static final Logger LOGGER = Logger.getLogger(SpnegoHttpFilter.Constants.LOGGER_NAME);
    private static final String POLICY_FILE = "spnego.authz.policy.file";
    private static final String SERVER_REALM = "spnego.server.realm";
    private static final String LDAP_FACTORY = "spnego.authz.ldap.factory";
    private static final String LDAP_AUTHN = "spnego.authz.ldap.authn";
    private static final String LDAP_POOL = "spnego.authz.ldap.pool";
    private static final String LDAP_DEECE = "spnego.authz.ldap.deecee";
    private static final String LDAP_URL = "spnego.authz.ldap.url";
    private static final String LDAP_USERNAME = "spnego.authz.ldap.username";
    private static final String KRB5_USERNAME = "spnego.preauth.username";
    private static final String LDAP_PASSWORD = "spnego.authz.ldap.password";
    private static final String KRB5_PASSWORD = "spnego.preauth.password";
    private static final String TTL = "spnego.authz.ttl";
    private static final String UNIQUE = "spnego.authz.unique";
    private static final String PREFIX_FILTER = "spnego.authz.ldap.filter.";
    private static final String PREFIX_NAME = "spnego.authz.resource.name.";
    private static final String PREFIX_TYPE = "spnego.authz.resource.type.";
    private static final String PREFIX_ACCESS = "spnego.authz.resource.access.";
    private static final String HAS = "has";
    private static final String ANY = "any";
    private static final String USER_INFO = "spnego.authz.user.info";
    private static final String USER_INFO_FILTER = "spnego.authz.ldap.user.filter";
    private static final long DEFAULT_TTL = 1200000;
    private static final int MAX_NUM_FILTERS = 200;
    private Hashtable<String, String> environment;
    private SearchControls srchCntrls;
    private String userInfoFilter;
    private final ReentrantReadWriteLock readWriteLock = new ReentrantReadWriteLock();
    private final Lock readLock = this.readWriteLock.readLock();
    private final Lock writeLock = this.readWriteLock.writeLock();
    private final Map<String, Long> matchedList = new HashMap();
    private final Map<String, Long> unMatchedList = new HashMap();
    private final Map<String, UserInfo> userInfoList = new HashMap();
    private String deecee = "";
    private Set<String> policy = new HashSet();
    private long expiration = DEFAULT_TTL;
    private boolean uniqueOnly = true;
    private Map<String, Map<String, String[]>> resources = new HashMap();
    private List<String> userInfoLabels = new ArrayList();

    @Override // org.codelibs.spnego.UserAccessControl
    public void destroy() {
        LOGGER.info(() -> {
            return "destroy()...";
        });
        this.writeLock.lock();
        try {
            this.matchedList.clear();
            this.unMatchedList.clear();
            this.environment.clear();
            this.environment = null;
            this.srchCntrls = null;
            this.deecee = "";
            this.policy.clear();
            this.expiration = DEFAULT_TTL;
            this.resources.clear();
            this.userInfoLabels.clear();
            this.userInfoFilter = null;
        } finally {
            this.writeLock.unlock();
        }
    }

    @Override // org.codelibs.spnego.UserAccessControl
    public boolean anyRole(String str, String... strArr) {
        for (String str2 : strArr) {
            if (hasRole(str, str2)) {
                return true;
            }
        }
        return false;
    }

    /* JADX WARN: Finally extract failed */
    @Override // org.codelibs.spnego.UserAccessControl
    public boolean hasRole(String str, String str2) {
        String str3 = str + "_attr_" + str2;
        long currentTimeMillis = System.currentTimeMillis();
        try {
            if (!matchedExpired(str3, currentTimeMillis)) {
                return true;
            }
            if (!unMatchedExpired(str3, currentTimeMillis)) {
                return false;
            }
            LOGGER.fine(() -> {
                return "username: " + str + "; role: " + str2;
            });
            this.writeLock.lock();
            try {
                this.matchedList.remove(str3);
                this.unMatchedList.remove(str3);
                int i = 0;
                InitialLdapContext initialLdapContext = new InitialLdapContext(this.environment, (Control[]) null);
                for (String str4 : this.policy) {
                    NamingEnumeration search = initialLdapContext.search(this.deecee, String.format(str4, str, str2), this.srchCntrls);
                    boolean hasMoreElements = search.hasMoreElements();
                    search.close();
                    if (hasMoreElements) {
                        i++;
                        LOGGER.fine(() -> {
                            return "add attribute to matchedList: " + str2;
                        });
                        this.matchedList.put(str3, Long.valueOf(System.currentTimeMillis()));
                        if (!this.uniqueOnly) {
                            break;
                        }
                    }
                    if (i > 1 && this.uniqueOnly) {
                        this.matchedList.remove(str3);
                        throw new IllegalArgumentException("Uniqueness property violated. Found duplicate role/attribute:" + str2 + ". This MAY be caused by an improper policy definition; filter=" + str4 + "; policy=" + this.policy);
                    }
                }
                initialLdapContext.close();
                if (0 == i) {
                    LOGGER.fine(() -> {
                        return "add attribute to unMatchedList: " + str2;
                    });
                    this.unMatchedList.put(str3, Long.valueOf(System.currentTimeMillis()));
                } else {
                    cacheUserInfo(str);
                }
                this.writeLock.unlock();
                return hasRole(str, str2);
            } catch (Throwable th) {
                this.writeLock.unlock();
                throw th;
            }
        } catch (NamingException e) {
            Logger logger = LOGGER;
            Objects.requireNonNull(e);
            logger.severe(e::getMessage);
            throw new IllegalStateException((Throwable) e);
        }
    }

    @Override // org.codelibs.spnego.UserAccessControl
    public boolean hasRole(String str, String str2, String... strArr) {
        if (null == strArr || 0 == strArr.length) {
            LOGGER.severe(() -> {
                return "Must provide at least two parameters";
            });
            throw new IllegalArgumentException("Must provide at least two parameters");
        }
        boolean z = false;
        boolean hasRole = hasRole(str, str2);
        for (String str3 : strArr) {
            z = hasRole && hasRole(str, str3);
            if (z) {
                break;
            }
        }
        return z;
    }

    @Override // org.codelibs.spnego.UserAccessControl
    public boolean anyAccess(String str, String... strArr) {
        for (String str2 : strArr) {
            if (hasAccess(str, str2)) {
                return true;
            }
        }
        return false;
    }

    @Override // org.codelibs.spnego.UserAccessControl
    public boolean hasAccess(String str, String str2) {
        boolean anyRole;
        String str3 = str + "_res_" + str2;
        long currentTimeMillis = System.currentTimeMillis();
        if (!matchedExpired(str3, currentTimeMillis)) {
            return true;
        }
        if (!unMatchedExpired(str3, currentTimeMillis)) {
            return false;
        }
        LOGGER.fine(() -> {
            return "username: " + str + "; resource: " + str2;
        });
        String[] strArr = new String[0];
        this.readLock.lock();
        try {
            if (!this.resources.containsKey(str2)) {
                throw new IllegalArgumentException("Policy not found for user-defined Resource labeled: " + str2);
            }
            boolean containsKey = this.resources.get(str2).containsKey(HAS);
            boolean containsKey2 = this.resources.get(str2).containsKey(ANY);
            if (containsKey) {
                strArr = this.resources.get(str2).get(HAS);
            } else if (containsKey2) {
                strArr = this.resources.get(str2).get(ANY);
            }
            if (containsKey) {
                if (strArr.length > 1) {
                    anyRole = hasRole(str, strArr[0], (String[]) Arrays.copyOfRange(strArr, 1, strArr.length));
                } else {
                    if (strArr.length != 1) {
                        throw new IllegalStateException("No attribute(s) defined for resource: " + str2);
                    }
                    anyRole = hasRole(str, strArr[0]);
                }
            } else {
                if (!containsKey2) {
                    throw new UnsupportedOperationException("Allowed resource.type(s): [any|has]");
                }
                anyRole = anyRole(str, strArr);
            }
            this.writeLock.lock();
            try {
                if (anyRole) {
                    LOGGER.fine(() -> {
                        return "add resource to matchedList: " + str2;
                    });
                    this.matchedList.put(str3, Long.valueOf(currentTimeMillis));
                } else {
                    LOGGER.fine(() -> {
                        return "add resource to unMatchedList: " + str2;
                    });
                    this.unMatchedList.put(str3, Long.valueOf(currentTimeMillis));
                }
                this.writeLock.unlock();
                return anyRole;
            } catch (Throwable th) {
                this.writeLock.unlock();
                throw th;
            }
        } finally {
            this.readLock.unlock();
        }
    }

    @Override // org.codelibs.spnego.UserAccessControl
    public boolean hasAccess(String str, String str2, String... strArr) {
        if (null == strArr || 0 == strArr.length) {
            LOGGER.severe(() -> {
                return "Must provide at least two parameters";
            });
            throw new IllegalArgumentException("Must provide at least two parameters");
        }
        boolean z = false;
        boolean hasAccess = hasAccess(str, str2);
        for (String str3 : strArr) {
            z = hasAccess && hasAccess(str, str3);
            if (z) {
                break;
            }
        }
        return z;
    }

    @Override // org.codelibs.spnego.UserAccessControl
    public UserInfo getUserInfo(String str) {
        boolean matchedExpired = matchedExpired(str, System.currentTimeMillis());
        this.readLock.lock();
        if (!matchedExpired) {
            try {
                UserInfo userInfo = this.userInfoList.get(str);
                this.readLock.unlock();
                return userInfo;
            } catch (Throwable th) {
                this.readLock.unlock();
                throw th;
            }
        }
        this.readLock.unlock();
        this.writeLock.lock();
        try {
            try {
                UserInfo cacheUserInfo = cacheUserInfo(str);
                this.writeLock.unlock();
                return cacheUserInfo;
            } catch (NamingException e) {
                String str2 = "Could not get user info for: " + str;
                LOGGER.warning(() -> {
                    return str2;
                });
                throw new IllegalStateException(str2, e);
            }
        } catch (Throwable th2) {
            this.writeLock.unlock();
            throw th2;
        }
    }

    @Override // org.codelibs.spnego.UserAccessControl
    public void init(Properties properties) {
        LOGGER.info(() -> {
            return "init()...";
        });
        this.readLock.lock();
        try {
            if (this.environment != null) {
                throw new IllegalStateException("LdapAccessControl already initialized");
            }
            String property = properties.getProperty(POLICY_FILE, "");
            Properties properties2 = new Properties();
            if (!property.isEmpty()) {
                try {
                    LOGGER.info(() -> {
                        return "policy file: " + property;
                    });
                    FileInputStream fileInputStream = new FileInputStream(property);
                    try {
                        properties2.load(fileInputStream);
                        fileInputStream.close();
                    } catch (Throwable th) {
                        fileInputStream.close();
                        throw th;
                    }
                } catch (IOException e) {
                    throw new IllegalArgumentException("Policy File NOT Found: " + property, e);
                }
            }
            Hashtable<String, String> hashtable = new Hashtable<>();
            hashtable.put("java.naming.factory.initial", properties2.getProperty(LDAP_FACTORY, properties.getProperty(LDAP_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory")));
            hashtable.put("java.naming.security.authentication", properties2.getProperty(LDAP_AUTHN, properties.getProperty(LDAP_AUTHN, "Simple")));
            hashtable.put("com.sun.jndi.ldap.connect.pool", properties2.getProperty(LDAP_POOL, properties.getProperty(LDAP_POOL, "true")));
            String property2 = properties2.getProperty(LDAP_DEECE, properties.getProperty(LDAP_DEECE, ""));
            if (property2.isEmpty()) {
                String property3 = properties.getProperty(SERVER_REALM, properties2.getProperty(SERVER_REALM, ""));
                if (property3.trim().isEmpty()) {
                    throw new IllegalArgumentException("MUST provide the serve's deecee.  specify a value for the spnego.authz.ldap.deecee property.");
                }
                property2 = "DC=" + property3.replaceAll("\\.", ",DC=");
            }
            String str = property2;
            LOGGER.info(() -> {
                return str;
            });
            if (properties2.getProperty(LDAP_URL, properties.getProperty(LDAP_URL, "")).isEmpty()) {
                LOGGER.severe(() -> {
                    return "Must provide a value for the spnego.authz.ldap.url parameter";
                });
                throw new IllegalStateException("Must provide a value for the spnego.authz.ldap.url parameter");
            }
            hashtable.put("java.naming.provider.url", properties2.getProperty(LDAP_URL, properties.getProperty(LDAP_URL)));
            LOGGER.info(() -> {
                return "ldap provider url: " + ((String) hashtable.get("java.naming.provider.url"));
            });
            if (properties2.getProperty(LDAP_USERNAME, properties.getProperty(LDAP_USERNAME, properties.getProperty("spnego.preauth.username", properties2.getProperty("spnego.preauth.username", "")))).isEmpty()) {
                LOGGER.severe(() -> {
                    return "Must provide a username to use for connecting to the LDAP server";
                });
                throw new IllegalArgumentException("Must provide a username to use for connecting to the LDAP server");
            }
            if (properties2.getProperty(LDAP_PASSWORD, properties.getProperty(LDAP_PASSWORD, properties.getProperty("spnego.preauth.password", properties2.getProperty("spnego.preauth.password", "")))).isEmpty()) {
                LOGGER.severe(() -> {
                    return "Must provide a password to use for connecting to the LDAP server";
                });
                throw new IllegalArgumentException("Must provide a password to use for connecting to the LDAP server");
            }
            hashtable.put("java.naming.security.principal", properties2.getProperty(LDAP_USERNAME, properties.getProperty(LDAP_USERNAME, properties.getProperty("spnego.preauth.username", properties2.getProperty("spnego.preauth.username")))));
            hashtable.put("java.naming.security.credentials", properties2.getProperty(LDAP_PASSWORD, properties.getProperty(LDAP_PASSWORD, properties.getProperty("spnego.preauth.password", properties2.getProperty("spnego.preauth.password")))));
            LOGGER.info(() -> {
                return "ldap security principal: " + ((String) hashtable.get("java.naming.security.principal"));
            });
            long parseLong = Long.parseLong(properties2.getProperty(TTL, properties.getProperty(TTL, "-1")));
            LOGGER.info(() -> {
                return "spnego.authz.ttl: " + parseLong;
            });
            this.uniqueOnly = Boolean.parseBoolean(properties2.getProperty(UNIQUE, properties.getProperty(UNIQUE, "true")));
            LOGGER.info(() -> {
                return "uniqueness property enabled: " + this.uniqueOnly;
            });
            this.writeLock.lock();
            try {
                this.deecee = property2;
                loadPolicies(properties2, properties);
                loadResourceNames(properties2, properties);
                if (parseLong < 1) {
                    this.expiration = DEFAULT_TTL;
                } else {
                    this.expiration = parseLong * 60 * 1000;
                }
                LOGGER.info(() -> {
                    return "cache expiration in millis: " + this.expiration;
                });
                this.srchCntrls = new SearchControls();
                this.srchCntrls.setSearchScope(2);
                this.environment = hashtable;
                String[] split = properties2.getProperty(USER_INFO, properties.getProperty(USER_INFO, "")).split(",");
                LOGGER.info(() -> {
                    return "UserInfo label count: " + split.length;
                });
                for (String str2 : split) {
                    LOGGER.info(() -> {
                        return str2;
                    });
                    this.userInfoLabels.add(str2.trim());
                }
                this.userInfoFilter = properties2.getProperty(USER_INFO_FILTER, properties.getProperty(USER_INFO_FILTER, ""));
                LOGGER.info(() -> {
                    return "UserInfo filter: " + this.userInfoFilter;
                });
                this.writeLock.unlock();
            } catch (Throwable th2) {
                this.writeLock.unlock();
                throw th2;
            }
        } finally {
            this.readLock.unlock();
        }
    }

    private boolean matchedExpired(String str, long j) {
        boolean containsKey = this.matchedList.containsKey(str);
        boolean z = true;
        this.readLock.lock();
        if (containsKey) {
            try {
                z = j - this.matchedList.get(str).longValue() > this.expiration;
            } finally {
                this.readLock.unlock();
            }
        }
        return !containsKey || z;
    }

    private boolean unMatchedExpired(String str, long j) {
        boolean containsKey = this.unMatchedList.containsKey(str);
        boolean z = true;
        this.readLock.lock();
        if (containsKey) {
            try {
                z = j - this.unMatchedList.get(str).longValue() > this.expiration;
            } finally {
                this.readLock.unlock();
            }
        }
        return !containsKey || z;
    }

    private void loadPolicies(Properties properties, Properties properties2) {
        for (int i = 0; i <= MAX_NUM_FILTERS; i++) {
            int i2 = i + 1;
            String trim = properties.getProperty(PREFIX_FILTER + i2, properties2.getProperty(PREFIX_FILTER + i2, "")).trim();
            if (MAX_NUM_FILTERS == i) {
                String str = "Over the max number of filters allowed: " + i;
                LOGGER.severe(() -> {
                    return str;
                });
                throw new IllegalArgumentException(str);
            }
            if (trim.isEmpty()) {
                break;
            }
            this.policy.add(trim);
        }
        if (this.policy.isEmpty()) {
            LOGGER.severe(() -> {
                return "Must specify at least one spnego.authz.ldap.filter.1";
            });
            throw new IllegalStateException("Must specify at least one spnego.authz.ldap.filter.1");
        }
    }

    private void loadResourceNames(Properties properties, Properties properties2) {
        this.resources = new HashMap();
        for (int i = 0; i <= MAX_NUM_FILTERS; i++) {
            int i2 = i + 1;
            HashMap hashMap = new HashMap();
            String trim = properties2.getProperty(PREFIX_NAME + i2, properties.getProperty(PREFIX_NAME + i2, "")).trim();
            String property = properties2.getProperty(PREFIX_TYPE + i2, properties.getProperty(PREFIX_TYPE + i2, "").toLowerCase().trim());
            String[] split = properties2.getProperty(PREFIX_ACCESS + i2, properties.getProperty(PREFIX_ACCESS + i2, "")).trim().split(",");
            for (int i3 = 0; i3 < split.length; i3++) {
                split[i3] = split[i3].trim();
            }
            hashMap.put(property, split);
            if (MAX_NUM_FILTERS == i) {
                String str = "Over the max number of resources allowed: " + i;
                LOGGER.severe(() -> {
                    return str;
                });
                throw new IllegalArgumentException(str);
            }
            if (trim.isEmpty()) {
                return;
            }
            this.resources.put(trim, hashMap);
        }
    }

    private UserInfo cacheUserInfo(String str) throws NamingException {
        if (null == this.userInfoFilter || this.userInfoFilter.isEmpty() || this.userInfoLabels.isEmpty()) {
            LOGGER.info(() -> {
                return "spnego.authz.ldap.user.filter was empty OR no value(s) specified for the spnego.authz.user.info property";
            });
            return null;
        }
        InitialLdapContext initialLdapContext = new InitialLdapContext(this.environment, (Control[]) null);
        NamingEnumeration search = initialLdapContext.search(this.deecee, String.format(this.userInfoFilter, str), this.srchCntrls);
        boolean z = false;
        final HashMap hashMap = new HashMap();
        while (search.hasMoreElements()) {
            z = true;
            NamingEnumeration all = ((SearchResult) search.nextElement()).getAttributes().getAll();
            while (all.hasMore()) {
                Attribute attribute = (Attribute) all.next();
                String id = attribute.getID();
                ArrayList arrayList = new ArrayList();
                if (this.userInfoLabels.contains(id)) {
                    hashMap.put(id, arrayList);
                    NamingEnumeration all2 = attribute.getAll();
                    while (all2.hasMore()) {
                        arrayList.add(all2.next().toString());
                    }
                }
            }
        }
        search.close();
        initialLdapContext.close();
        if (!z) {
            throw new IllegalArgumentException("UserInfo not found. . This MAY be caused by an incorrect spnego.authz.ldap.user.filter definition; filter=" + this.userInfoFilter + "; policy=" + this.policy);
        }
        LOGGER.fine(() -> {
            return "add to cache userInfoList";
        });
        UserInfo userInfo = new UserInfo() { // from class: org.codelibs.spnego.LdapAccessControl.1
            private final Map<String, List<String>> info;
            private final String labels;

            {
                this.info = hashMap;
                this.labels = LdapAccessControl.this.userInfoLabels.toString();
            }

            @Override // org.codelibs.spnego.UserInfo
            public List<String> getInfo(String str2) {
                if (hasInfo(str2)) {
                    return new ArrayList(this.info.get(str2));
                }
                throw new NullPointerException("UserInfo label not found or not in user store: " + str2 + " - labels specified in property file: " + this.labels);
            }

            @Override // org.codelibs.spnego.UserInfo
            public List<String> getLabels() {
                return new ArrayList(this.info.keySet());
            }

            @Override // org.codelibs.spnego.UserInfo
            public boolean hasInfo(String str2) {
                return this.info.containsKey(str2);
            }
        };
        this.userInfoList.put(str, userInfo);
        return userInfo;
    }
}
