package org.apache.hadoop.security;

import com.sun.jndi.ldap.LdapCtxFactory;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configurable;
import org.apache.hadoop.conf.Configuration;

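/**
 * Resolves a user's group membership by querying an LDAP directory.
 *
 * <p>Lookup is a two-step search under {@code baseDN}: first the user entry
 * matching the configured user filter (the first hit is used), then every
 * group entry matching the configured group filter whose membership
 * attribute names the user's DN. When both the group filter mentions
 * {@code posixGroup} and the user filter mentions {@code posixAccount},
 * POSIX semantics are used instead: groups are matched on the user's
 * gid number or on the membership attribute holding the user's uid number.
 *
 * <p>The user-supplied name is always passed to JNDI as a filter argument
 * ({@code {0}}) and never concatenated into the filter string, so JNDI
 * escapes it and it cannot change the structure of the query. The filter
 * fragments and attribute names that are concatenated come from the
 * Hadoop configuration, not from the caller.
 *
 * <p>A single {@link DirContext} is kept open and reused across calls; on
 * a {@link NamingException} it is closed and re-created, up to
 * {@link #RECONNECT_RETRY_COUNT} attempts per lookup. This class performs
 * no caching of its own: {@link #cacheGroupsRefresh()} and
 * {@link #cacheGroupsAdd(List)} are no-ops.
 *
 * <p>Thread-safety: {@link #getGroups(String)}, {@link #getConf()} and
 * {@link #setConf(Configuration)} are {@code synchronized} on the instance.
 * Note that {@link #SEARCH_CONTROLS} is static and is reconfigured by every
 * {@link #setConf(Configuration)} call, so all instances in the JVM share
 * whatever the most recently configured instance set.
 */
@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
@InterfaceStability.Evolving
public class LdapGroupsMapping implements GroupMappingServiceProvider, Configurable {
    // Connection settings.
    public static final String LDAP_CONFIG_PREFIX = "hadoop.security.group.mapping.ldap";
    public static final String LDAP_URL_KEY = "hadoop.security.group.mapping.ldap.url";
    public static final String LDAP_URL_DEFAULT = "";
    public static final String LDAP_USE_SSL_KEY = "hadoop.security.group.mapping.ldap.ssl";
    public static final String LDAP_KEYSTORE_KEY = "hadoop.security.group.mapping.ldap.ssl.keystore";
    public static final String LDAP_KEYSTORE_DEFAULT = "";
    public static final String LDAP_KEYSTORE_PASSWORD_KEY = "hadoop.security.group.mapping.ldap.ssl.keystore.password";
    public static final String LDAP_KEYSTORE_PASSWORD_DEFAULT = "";
    public static final String LDAP_KEYSTORE_PASSWORD_FILE_KEY = "hadoop.security.group.mapping.ldap.ssl.keystore.password.file";
    public static final String LDAP_KEYSTORE_PASSWORD_FILE_DEFAULT = "";
    // Bind credentials: an inline password wins; otherwise the password file is read.
    public static final String BIND_USER_KEY = "hadoop.security.group.mapping.ldap.bind.user";
    public static final String BIND_USER_DEFAULT = "";
    public static final String BIND_PASSWORD_KEY = "hadoop.security.group.mapping.ldap.bind.password";
    public static final String BIND_PASSWORD_DEFAULT = "";
    public static final String BIND_PASSWORD_FILE_KEY = "hadoop.security.group.mapping.ldap.bind.password.file";
    public static final String BIND_PASSWORD_FILE_DEFAULT = "";
    // Search settings.
    public static final String BASE_DN_KEY = "hadoop.security.group.mapping.ldap.base";
    public static final String BASE_DN_DEFAULT = "";
    public static final String USER_SEARCH_FILTER_KEY = "hadoop.security.group.mapping.ldap.search.filter.user";
    public static final String USER_SEARCH_FILTER_DEFAULT = "(&(objectClass=user)(sAMAccountName={0}))";
    public static final String GROUP_SEARCH_FILTER_KEY = "hadoop.security.group.mapping.ldap.search.filter.group";
    public static final String GROUP_SEARCH_FILTER_DEFAULT = "(objectClass=group)";
    public static final String GROUP_MEMBERSHIP_ATTR_KEY = "hadoop.security.group.mapping.ldap.search.attr.member";
    public static final String GROUP_MEMBERSHIP_ATTR_DEFAULT = "member";
    public static final String GROUP_NAME_ATTR_KEY = "hadoop.security.group.mapping.ldap.search.attr.group.name";
    public static final String GROUP_NAME_ATTR_DEFAULT = "cn";
    public static final String POSIX_UID_ATTR_KEY = "hadoop.security.group.mapping.ldap.posix.attr.uid.name";
    public static final String POSIX_UID_ATTR_DEFAULT = "uidNumber";
    public static final String POSIX_GID_ATTR_KEY = "hadoop.security.group.mapping.ldap.posix.attr.gid.name";
    public static final String POSIX_GID_ATTR_DEFAULT = "gidNumber";
    // Object classes whose presence in the filters switches on POSIX mode.
    public static final String POSIX_GROUP = "posixGroup";
    public static final String POSIX_ACCOUNT = "posixAccount";
    // Timeouts.
    public static final String DIRECTORY_SEARCH_TIMEOUT = "hadoop.security.group.mapping.ldap.directory.search.timeout";
    public static final int DIRECTORY_SEARCH_TIMEOUT_DEFAULT = 10000;
    public static final String CONNECTION_TIMEOUT = "hadoop.security.group.mapping.ldap.connection.timeout.ms";
    public static final int CONNECTION_TIMEOUT_DEFAULT = 60000;
    public static final String READ_TIMEOUT = "hadoop.security.group.mapping.ldap.read.timeout.ms";
    public static final int READ_TIMEOUT_DEFAULT = 60000;

    /** Lazily created, reused LDAP connection; null until first use or after a failure. */
    private DirContext ctx;
    private Configuration conf;
    private String ldapUrl;
    private boolean useSsl;
    private String keystore;
    private String keystorePass;
    private String bindUser;
    private String bindPassword;
    private String baseDN;
    private String groupSearchFilter;
    private String userSearchFilter;
    private String groupMemberAttr;
    private String groupNameAttr;
    private String posixUidAttr;
    private String posixGidAttr;
    /** True when both filters reference the POSIX object classes; see {@link #setConf}. */
    private boolean isPosix;

    /** Number of attempts per lookup before giving up and returning no groups. */
    public static final int RECONNECT_RETRY_COUNT = 3;
    public static final Boolean LDAP_USE_SSL_DEFAULT = false;
    private static final Log LOG = LogFactory.getLog(LdapGroupsMapping.class);
    /** Shared by all instances; mutated by {@link #setConf(Configuration)}. */
    private static final SearchControls SEARCH_CONTROLS = new SearchControls();

    /**
     * Returns the groups of {@code user}, retrying with a fresh connection on
     * directory errors.
     *
     * <p>After {@link #RECONNECT_RETRY_COUNT} failed attempts an empty list is
     * returned. Callers therefore cannot distinguish "user belongs to no
     * groups" from "directory unreachable"; the warnings logged here are the
     * only signal of the latter.
     *
     * @param user the user name substituted into the user search filter
     * @return the group names found, or an empty list on lookup failure
     */
    @Override
    public synchronized List<String> getGroups(String user) {
        for (int attempt = 0; attempt < RECONNECT_RETRY_COUNT; attempt++) {
            try {
                return doGetGroups(user);
            } catch (NamingException e) {
                LOG.warn("Failed to get groups for user " + user + " (retry=" + attempt + ") by " + e);
                LOG.trace("TRACE", e);
                // Release the (possibly broken) connection so the next attempt reconnects.
                closeContext();
            }
        }
        return Collections.emptyList();
    }

    /**
     * Closes and discards the current directory context, if any. Close failures
     * are logged and otherwise ignored: the context is being thrown away anyway.
     */
    private void closeContext() {
        DirContext old = this.ctx;
        this.ctx = null;
        if (old != null) {
            try {
                old.close();
            } catch (NamingException e) {
                LOG.debug("Failed to close LDAP context", e);
            }
        }
    }

    /**
     * Performs one group lookup without retrying.
     *
     * <p>Only the first entry matching the user filter is considered. Both
     * result enumerations are closed before returning.
     *
     * @param user the user name substituted into the user search filter
     * @return the group names found; empty if the user has no entry or no groups
     * @throws NamingException on any directory error, including attribute access
     */
    List<String> doGetGroups(String user) throws NamingException {
        List<String> groups = new ArrayList<>();
        DirContext dirContext = getDirContext();
        // The user name travels as a filter argument so JNDI escapes it; never
        // concatenate it into the filter string.
        NamingEnumeration<SearchResult> userResults = dirContext.search(this.baseDN, this.userSearchFilter, new Object[]{user}, SEARCH_CONTROLS);
        try {
            if (userResults.hasMoreElements()) {
                SearchResult userEntry = userResults.nextElement();
                NamingEnumeration<SearchResult> groupResults = searchGroupsOf(dirContext, userEntry);
                if (groupResults != null) {
                    try {
                        collectGroupNames(groupResults, groups);
                    } finally {
                        groupResults.close();
                    }
                }
            }
        } finally {
            userResults.close();
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("doGetGroups(" + user + ") return " + groups);
        }
        return groups;
    }

    /**
     * Issues the group search for a resolved user entry.
     *
     * @return the group search enumeration, or null in POSIX mode when the user
     *         entry lacks a uid or gid number (no group search is possible then)
     */
    private NamingEnumeration<SearchResult> searchGroupsOf(DirContext dirContext, SearchResult userEntry) throws NamingException {
        if (!this.isPosix) {
            // Non-POSIX: groups list the user's full DN in the membership attribute.
            String userDn = userEntry.getNameInNamespace();
            return dirContext.search(this.baseDN, "(&" + this.groupSearchFilter + "(" + this.groupMemberAttr + "={0}))", new Object[]{userDn}, SEARCH_CONTROLS);
        }
        String gidNumber = null;
        String uidNumber = null;
        Attribute gidAttr = userEntry.getAttributes().get(this.posixGidAttr);
        Attribute uidAttr = userEntry.getAttributes().get(this.posixUidAttr);
        if (gidAttr != null) {
            gidNumber = gidAttr.get().toString();
        }
        if (uidAttr != null) {
            uidNumber = uidAttr.get().toString();
        }
        if (uidNumber == null || gidNumber == null) {
            return null;
        }
        // POSIX: a group matches if it is the user's primary group (gid) or
        // lists the user's uid number in the membership attribute.
        return dirContext.search(this.baseDN, "(&" + this.groupSearchFilter + "(|(" + this.posixGidAttr + "={0})(" + this.groupMemberAttr + "={1})))", new Object[]{gidNumber, uidNumber}, SEARCH_CONTROLS);
    }

    /**
     * Appends the name attribute of every group entry to {@code groups}.
     * Entries without the configured name attribute are logged and skipped
     * rather than aborting the whole lookup.
     */
    private void collectGroupNames(NamingEnumeration<SearchResult> groupResults, List<String> groups) throws NamingException {
        while (groupResults.hasMoreElements()) {
            SearchResult groupEntry = groupResults.nextElement();
            Attribute nameAttr = groupEntry.getAttributes().get(this.groupNameAttr);
            if (nameAttr == null) {
                LOG.warn("Group entry " + groupEntry.getName() + " has no " + this.groupNameAttr + " attribute; skipping it");
                continue;
            }
            groups.add(nameAttr.get().toString());
        }
    }

    /**
     * Returns the shared directory context, creating and binding it on first use.
     *
     * <p>Authentication is always LDAP "simple" bind with the configured bind
     * user and password. If neither is configured the bind is sent with empty
     * credentials, which the directory will treat as an anonymous or
     * unauthenticated bind; confirm that is intended for the deployment.
     *
     * <p>When SSL is enabled the keystore is configured through JVM-wide
     * {@code javax.net.ssl.keyStore} system properties, which affects every
     * TLS client in the process and exposes the keystore password as a system
     * property. Only the keystore (client identity) is set here; server
     * certificate verification relies on the JVM's default truststore.
     *
     * @throws NamingException if the connection or bind fails
     */
    DirContext getDirContext() throws NamingException {
        if (this.ctx == null) {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, LdapCtxFactory.class.getName());
            env.put(Context.PROVIDER_URL, this.ldapUrl);
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            if (this.useSsl) {
                env.put(Context.SECURITY_PROTOCOL, "ssl");
                System.setProperty("javax.net.ssl.keyStore", this.keystore);
                System.setProperty("javax.net.ssl.keyStorePassword", this.keystorePass);
            }
            env.put(Context.SECURITY_PRINCIPAL, this.bindUser);
            env.put(Context.SECURITY_CREDENTIALS, this.bindPassword);
            env.put("com.sun.jndi.ldap.connect.timeout", this.conf.get(CONNECTION_TIMEOUT, String.valueOf(CONNECTION_TIMEOUT_DEFAULT)));
            env.put("com.sun.jndi.ldap.read.timeout", this.conf.get(READ_TIMEOUT, String.valueOf(READ_TIMEOUT_DEFAULT)));
            this.ctx = new InitialDirContext(env);
        }
        return this.ctx;
    }

    /** No-op: this provider keeps no cache of its own. */
    @Override
    public void cacheGroupsRefresh() throws IOException {
    }

    /** No-op: this provider keeps no cache of its own. */
    @Override
    public void cacheGroupsAdd(List<String> groups) throws IOException {
    }

    @Override
    public synchronized Configuration getConf() {
        return this.conf;
    }

    /**
     * Reads all LDAP settings from {@code configuration}.
     *
     * <p>Passwords are resolved first from the credential provider / inline
     * property and, if that yields nothing, from the configured password file.
     * POSIX mode is enabled only when the group filter contains
     * {@value #POSIX_GROUP} and the user filter contains {@value #POSIX_ACCOUNT}.
     * This also reconfigures the static {@link #SEARCH_CONTROLS} shared by all
     * instances.
     *
     * @throws RuntimeException if no LDAP URL is configured
     */
    @Override
    public synchronized void setConf(Configuration configuration) {
        this.ldapUrl = configuration.get(LDAP_URL_KEY, LDAP_URL_DEFAULT);
        if (this.ldapUrl == null || this.ldapUrl.isEmpty()) {
            throw new RuntimeException("LDAP URL is not configured");
        }
        this.useSsl = configuration.getBoolean(LDAP_USE_SSL_KEY, LDAP_USE_SSL_DEFAULT);
        this.keystore = configuration.get(LDAP_KEYSTORE_KEY, LDAP_KEYSTORE_DEFAULT);
        this.keystorePass = getPassword(configuration, LDAP_KEYSTORE_PASSWORD_KEY, LDAP_KEYSTORE_PASSWORD_DEFAULT);
        if (this.keystorePass.isEmpty()) {
            this.keystorePass = extractPassword(configuration.get(LDAP_KEYSTORE_PASSWORD_FILE_KEY, LDAP_KEYSTORE_PASSWORD_FILE_DEFAULT));
        }
        this.bindUser = configuration.get(BIND_USER_KEY, BIND_USER_DEFAULT);
        this.bindPassword = getPassword(configuration, BIND_PASSWORD_KEY, BIND_PASSWORD_DEFAULT);
        if (this.bindPassword.isEmpty()) {
            this.bindPassword = extractPassword(configuration.get(BIND_PASSWORD_FILE_KEY, BIND_PASSWORD_FILE_DEFAULT));
        }
        this.baseDN = configuration.get(BASE_DN_KEY, BASE_DN_DEFAULT);
        this.groupSearchFilter = configuration.get(GROUP_SEARCH_FILTER_KEY, GROUP_SEARCH_FILTER_DEFAULT);
        this.userSearchFilter = configuration.get(USER_SEARCH_FILTER_KEY, USER_SEARCH_FILTER_DEFAULT);
        this.isPosix = this.groupSearchFilter.contains(POSIX_GROUP) && this.userSearchFilter.contains(POSIX_ACCOUNT);
        this.groupMemberAttr = configuration.get(GROUP_MEMBERSHIP_ATTR_KEY, GROUP_MEMBERSHIP_ATTR_DEFAULT);
        this.groupNameAttr = configuration.get(GROUP_NAME_ATTR_KEY, GROUP_NAME_ATTR_DEFAULT);
        this.posixUidAttr = configuration.get(POSIX_UID_ATTR_KEY, POSIX_UID_ATTR_DEFAULT);
        this.posixGidAttr = configuration.get(POSIX_GID_ATTR_KEY, POSIX_GID_ATTR_DEFAULT);
        SEARCH_CONTROLS.setTimeLimit(configuration.getInt(DIRECTORY_SEARCH_TIMEOUT, DIRECTORY_SEARCH_TIMEOUT_DEFAULT));
        // Only the attributes the lookups read are requested back from the server.
        SEARCH_CONTROLS.setReturningAttributes(new String[]{this.groupNameAttr, this.posixUidAttr, this.posixGidAttr});
        this.conf = configuration;
    }

    /**
     * Looks up a password through {@link Configuration#getPassword(String)}.
     *
     * <p>The {@code char[]} returned by the credential provider is copied into
     * an immutable {@code String}, so it cannot be zeroed afterwards; this
     * matches the {@code String}-typed fields the rest of the class uses.
     *
     * @param configuration the configuration to query
     * @param alias the property / credential alias
     * @param defaultValue returned when the alias is absent or lookup fails
     * @return the password, or {@code defaultValue}
     */
    String getPassword(Configuration configuration, String alias, String defaultValue) {
        String password = defaultValue;
        try {
            char[] chars = configuration.getPassword(alias);
            if (chars != null) {
                password = new String(chars);
            }
        } catch (IOException e) {
            // Best effort: fall back to the default rather than failing configuration.
            LOG.warn("Exception while trying to get password for alias " + alias + ": ", e);
        }
        return password;
    }

    /**
     * Reads a password from a UTF-8 file, trimming surrounding whitespace
     * (including the trailing newline most editors add).
     *
     * @param passwordFile path of the file; null or empty means "not configured"
     * @return the trimmed file content, or {@code ""} when no file is configured
     * @throws RuntimeException if the file cannot be read
     */
    String extractPassword(String passwordFile) {
        if (passwordFile == null || passwordFile.isEmpty()) {
            return "";
        }
        StringBuilder sb = new StringBuilder();
        try (InputStreamReader reader = new InputStreamReader(new FileInputStream(passwordFile), StandardCharsets.UTF_8)) {
            for (int ch = reader.read(); ch > -1; ch = reader.read()) {
                sb.append((char) ch);
            }
        } catch (IOException e) {
            throw new RuntimeException("Could not read password file: " + passwordFile, e);
        }
        return sb.toString().trim();
    }

    static {
        // Search the whole subtree below baseDN for both users and groups.
        SEARCH_CONTROLS.setSearchScope(SearchControls.SUBTREE_SCOPE);
    }
}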
