package org.apache.hadoop.security;

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.InetAddress;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.naming.AuthenticationException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.naming.spi.InitialContextFactory;
import javax.net.SocketFactory;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.commons.configuration2.tree.DefaultExpressionEngineSymbols;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.classification.VisibleForTesting;
import org.apache.hadoop.conf.Configurable;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.metrics2.sink.ganglia.AbstractGangliaSink;
import org.apache.hadoop.thirdparty.com.google.common.collect.Iterators;
import org.apache.http.client.methods.HttpTrace;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
@InterfaceStability.Evolving
/* loaded from: input_file:WEB-INF/lib/hadoop-common-3.3.4.206-eep-911.jar:org/apache/hadoop/security/LdapGroupsMapping.class */
public class LdapGroupsMapping implements GroupMappingServiceProvider, Configurable {
    // ---- Configuration keys and defaults -------------------------------------------------
    // Prefix shared by every LDAP group-mapping key below.
    public static final String LDAP_CONFIG_PREFIX = "hadoop.security.group.mapping.ldap";
    // LDAP server URL(s); setConf() reads this as a string array and cycles through the entries.
    public static final String LDAP_URL_KEY = "hadoop.security.group.mapping.ldap.url";
    public static final String LDAP_URL_DEFAULT = "";
    // Enables LDAP over SSL; the default (LDAP_USE_SSL_DEFAULT, declared further down) is false.
    public static final String LDAP_USE_SSL_KEY = "hadoop.security.group.mapping.ldap.ssl";
    // Key store location and password sources used by LdapSslSocketFactory.
    public static final String LDAP_KEYSTORE_KEY = "hadoop.security.group.mapping.ldap.ssl.keystore";
    public static final String LDAP_KEYSTORE_DEFAULT = "";
    public static final String LDAP_KEYSTORE_PASSWORD_KEY = "hadoop.security.group.mapping.ldap.ssl.keystore.password";
    public static final String LDAP_KEYSTORE_PASSWORD_DEFAULT = "";
    public static final String LDAP_KEYSTORE_PASSWORD_FILE_KEY = "hadoop.security.group.mapping.ldap.ssl.keystore.password.file";
    public static final String LDAP_KEYSTORE_PASSWORD_FILE_DEFAULT = "";
    // Trust store location and password sources; an empty location makes the factory pass
    // null trust managers to SSLContext.init().
    public static final String LDAP_TRUSTSTORE_KEY = "hadoop.security.group.mapping.ldap.ssl.truststore";
    public static final String LDAP_TRUSTSTORE_PASSWORD_KEY = "hadoop.security.group.mapping.ldap.ssl.truststore.password";
    public static final String LDAP_TRUSTSTORE_PASSWORD_FILE_KEY = "hadoop.security.group.mapping.ldap.ssl.truststore.password.file";
    // Bind identities. BIND_USERS_KEY lists aliases; each alias is configured under
    // BIND_USERS_KEY + "." + alias + one of the *_SUFFIX values (see initializeBindUsers()).
    public static final String BIND_USERS_KEY = "hadoop.security.group.mapping.ldap.bind.users";
    public static final String BIND_USER_SUFFIX = ".bind.user";
    public static final String BIND_USER_KEY = "hadoop.security.group.mapping.ldap.bind.user";
    public static final String BIND_USER_DEFAULT = "";
    // Bind password sources. getPasswordForBindUser() tries the alias first, then the
    // password key, then the password file.
    public static final String BIND_PASSWORD_SUFFIX = ".bind.password";
    public static final String BIND_PASSWORD_KEY = "hadoop.security.group.mapping.ldap.bind.password";
    public static final String BIND_PASSWORD_DEFAULT = "";
    public static final String BIND_PASSWORD_FILE_SUFFIX = ".bind.password.file";
    public static final String BIND_PASSWORD_FILE_KEY = "hadoop.security.group.mapping.ldap.bind.password.file";
    public static final String BIND_PASSWORD_FILE_DEFAULT = "";
    public static final String BIND_PASSWORD_ALIAS_SUFFIX = ".bind.password.alias";
    public static final String BIND_PASSWORD_ALIAS_KEY = "hadoop.security.group.mapping.ldap.bind.password.alias";
    public static final String BIND_PASSWORD_ALIAS_DEFAULT = "";
    // Search bases. The user and group bases both fall back to BASE_DN_KEY in setConf().
    public static final String BASE_DN_KEY = "hadoop.security.group.mapping.ldap.base";
    public static final String BASE_DN_DEFAULT = "";
    public static final String USER_BASE_DN_KEY = "hadoop.security.group.mapping.ldap.userbase";
    public static final String GROUP_BASE_DN_KEY = "hadoop.security.group.mapping.ldap.groupbase";
    // Search filters. {0} in the user filter is filled with the user name as a JNDI filter
    // argument in doGetGroups(), not by string concatenation.
    public static final String USER_SEARCH_FILTER_KEY = "hadoop.security.group.mapping.ldap.search.filter.user";
    public static final String USER_SEARCH_FILTER_DEFAULT = "(&(objectClass=user)(sAMAccountName={0}))";
    public static final String GROUP_SEARCH_FILTER_KEY = "hadoop.security.group.mapping.ldap.search.filter.group";
    public static final String GROUP_SEARCH_FILTER_DEFAULT = "(objectClass=group)";
    // Attribute names. A non-empty memberOf attribute switches doGetGroups() to the
    // single-query path (useOneQuery).
    public static final String MEMBEROF_ATTR_KEY = "hadoop.security.group.mapping.ldap.search.attr.memberof";
    public static final String MEMBEROF_ATTR_DEFAULT = "";
    public static final String GROUP_MEMBERSHIP_ATTR_KEY = "hadoop.security.group.mapping.ldap.search.attr.member";
    public static final String GROUP_MEMBERSHIP_ATTR_DEFAULT = "member";
    public static final String GROUP_NAME_ATTR_KEY = "hadoop.security.group.mapping.ldap.search.attr.group.name";
    public static final String GROUP_NAME_ATTR_DEFAULT = "cn";
    // Number of parent-group levels to resolve; 0 disables the hierarchy walk.
    public static final String GROUP_HIERARCHY_LEVELS_KEY = "hadoop.security.group.mapping.ldap.search.group.hierarchy.levels";
    public static final int GROUP_HIERARCHY_LEVELS_DEFAULT = 0;
    // POSIX attribute names; POSIX mode is chosen in setConf() when the group filter contains
    // POSIX_GROUP and the user filter contains POSIX_ACCOUNT.
    public static final String POSIX_UID_ATTR_KEY = "hadoop.security.group.mapping.ldap.posix.attr.uid.name";
    public static final String POSIX_UID_ATTR_DEFAULT = "uidNumber";
    public static final String POSIX_GID_ATTR_KEY = "hadoop.security.group.mapping.ldap.posix.attr.gid.name";
    public static final String POSIX_GID_ATTR_DEFAULT = "gidNumber";
    public static final String POSIX_GROUP = "posixGroup";
    public static final String POSIX_ACCOUNT = "posixAccount";
    // Timeouts. The search timeout is applied through SearchControls.setTimeLimit(); the
    // connect and read timeouts are passed to the JNDI environment in getDirContext().
    public static final String DIRECTORY_SEARCH_TIMEOUT = "hadoop.security.group.mapping.ldap.directory.search.timeout";
    public static final int DIRECTORY_SEARCH_TIMEOUT_DEFAULT = 10000;
    public static final String CONNECTION_TIMEOUT = "hadoop.security.group.mapping.ldap.connection.timeout.ms";
    public static final int CONNECTION_TIMEOUT_DEFAULT = 60000;
    public static final String READ_TIMEOUT = "hadoop.security.group.mapping.ldap.read.timeout.ms";
    public static final int READ_TIMEOUT_DEFAULT = 60000;
    // Retry budget for getGroups() and the per-URL threshold that triggers failover().
    public static final String LDAP_NUM_ATTEMPTS_KEY = "hadoop.security.group.mapping.ldap.num.attempts";
    public static final int LDAP_NUM_ATTEMPTS_DEFAULT = 3;
    public static final String LDAP_NUM_ATTEMPTS_BEFORE_FAILOVER_KEY = "hadoop.security.group.mapping.ldap.num.attempts.before.failover";
    public static final int LDAP_NUM_ATTEMPTS_BEFORE_FAILOVER_DEFAULT = 3;
    // JNDI initial-context factory; setConf() only accepts a class that implements
    // InitialContextFactory for this key.
    public static final String LDAP_CTX_FACTORY_CLASS_KEY = "hadoop.security.group.mapping.ldap.ctx.factory.class";
    public static final String LDAP_CTX_FACTORY_CLASS_DEFAULT = "com.sun.jndi.ldap.LdapCtxFactory";
    // JNDI environment property naming the socket factory class used for LDAP connections.
    private static final String LDAP_SOCKET_FACTORY_ENV_KEY = "java.naming.ldap.factory.socket";
    // ---- Instance state, populated by setConf() ------------------------------------------
    // Cached directory context; getGroups() resets it to null after a failed attempt.
    private DirContext ctx;
    private Configuration conf;
    // Cycling iterator over the configured URLs, advanced by failover().
    private Iterator<String> ldapUrls;
    private String currentLdapUrl;
    private boolean useSsl;
    private String keystore;
    // Store passwords are held as Strings for the lifetime of this object.
    private String keystorePass;
    private String truststore;
    private String truststorePass;
    // Cycling iterator over the configured bind users, advanced by switchBindUser().
    private Iterator<BindUserInfo> bindUsers;
    private BindUserInfo currentBindUser;
    private String userbaseDN;
    private String groupbaseDN;
    private String groupSearchFilter;
    private String userSearchFilter;
    private String memberOfAttr;
    private String groupMemberAttr;
    private String groupNameAttr;
    private int groupHierarchyLevels;
    private String posixUidAttr;
    private String posixGidAttr;
    private boolean isPosix;
    private boolean useOneQuery;
    private int numAttempts;
    private int numAttemptsBeforeFailover;
    private String ldapCtxFactoryClassName;
    // SSL is off unless LDAP_USE_SSL_KEY is set to true.
    public static final Boolean LDAP_USE_SSL_DEFAULT = false;
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) LdapGroupsMapping.class);
    // Static, so it is shared by every instance; setConf() mutates its time limit and
    // returning attributes.
    static final SearchControls SEARCH_CONTROLS = new SearchControls();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/hadoop-common-3.3.4.206-eep-911.jar:org/apache/hadoop/security/LdapGroupsMapping$BindUserInfo.class */
    /**
     * Immutable pair of bind user name and bind password.
     *
     * <p>Identity (equals/hashCode) and the string form are based on the user name only.
     */
    public static final class BindUserInfo {
        private final String username;
        private final String password;

        /**
         * @param bindName   name used as the bind principal
         * @param bindSecret password used as the bind credential
         */
        private BindUserInfo(String bindName, String bindSecret) {
            this.username = bindName;
            this.password = bindSecret;
        }

        /** Compares user names only; the password takes no part in equality. */
        @Override
        public boolean equals(Object obj) {
            if (!(obj instanceof BindUserInfo)) {
                return false;
            }
            BindUserInfo that = (BindUserInfo) obj;
            return this.username.equals(that.username);
        }

        /** Hash of the user name, consistent with {@link #equals(Object)}. */
        @Override
        public int hashCode() {
            return this.username.hashCode();
        }

        /** Returns the user name only, so the password is never part of the string form. */
        @Override
        public String toString() {
            return this.username;
        }
    }

    /**
     * Socket factory that wraps an {@link SSLSocketFactory} built from the key store and
     * trust store settings supplied through {@link #setConfigurations}.
     *
     * <p>The store settings and the cached default factory are static. Once
     * {@link #getDefault()} has built a factory it is reused, so a later call to
     * {@link #setConfigurations} does not change the factory that is handed out.
     */
    @InterfaceAudience.Private
    /* loaded from: input_file:WEB-INF/lib/hadoop-common-3.3.4.206-eep-911.jar:org/apache/hadoop/security/LdapGroupsMapping$LdapSslSocketFactory.class */
    public static class LdapSslSocketFactory extends SocketFactory {
        private static LdapSslSocketFactory defaultSslFactory;
        private static String keyStoreLocation;
        private static String keyStorePassword;
        private static String trustStoreLocation;
        private static String trustStorePassword;
        private final SSLSocketFactory socketFactory;

        LdapSslSocketFactory(SSLSocketFactory delegate) {
            this.socketFactory = delegate;
        }

        /**
         * Returns the shared factory, building it on first use from the static store settings.
         *
         * @throws RuntimeException if the SSL context or either store cannot be set up
         */
        public static synchronized SocketFactory getDefault() {
            if (defaultSslFactory != null) {
                return defaultSslFactory;
            }
            try {
                SSLContext tlsContext = SSLContext.getInstance("TLS");
                // A null manager array tells SSLContext.init to fall back to the JSSE defaults.
                tlsContext.init(createKeyManagers(), createTrustManagers(), null);
                defaultSslFactory = new LdapSslSocketFactory(tlsContext.getSocketFactory());
                // Only the store locations are logged, never the passwords.
                LdapGroupsMapping.LOG.info("Successfully instantiated LdapSslSocketFactory with keyStoreLocation = {} and trustStoreLocation = {}", keyStoreLocation, trustStoreLocation);
            } catch (IOException | GeneralSecurityException e) {
                throw new RuntimeException("Unable to create SSLSocketFactory", e);
            }
            return defaultSslFactory;
        }

        /** Records the store locations and passwords that {@link #getDefault()} will use. */
        static synchronized void setConfigurations(String keyStorePath, String keyStoreSecret, String trustStorePath, String trustStoreSecret) {
            keyStoreLocation = keyStorePath;
            keyStorePassword = keyStoreSecret;
            trustStoreLocation = trustStorePath;
            trustStorePassword = trustStoreSecret;
        }

        /** Builds key managers from the configured key store, or returns null when none is set. */
        private static KeyManager[] createKeyManagers() throws IOException, GeneralSecurityException {
            if (keyStoreLocation.isEmpty()) {
                return null;
            }
            KeyManagerFactory factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            KeyStore store = createKeyStore(keyStoreLocation, keyStorePassword);
            factory.init(store, getPasswordCharArray(keyStorePassword));
            return factory.getKeyManagers();
        }

        /** Builds trust managers from the configured trust store, or returns null when none is set. */
        private static TrustManager[] createTrustManagers() throws IOException, GeneralSecurityException {
            if (trustStoreLocation.isEmpty()) {
                return null;
            }
            TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            factory.init(createKeyStore(trustStoreLocation, trustStorePassword));
            return factory.getTrustManagers();
        }

        /**
         * Loads a key store of the JVM's default type from {@code path}.
         *
         * <p>An empty or null password is passed to {@link KeyStore#load} as null, in which
         * case the store is loaded without a password-based integrity check.
         */
        private static KeyStore createKeyStore(String path, String secret) throws IOException, GeneralSecurityException {
            KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
            try (FileInputStream in = new FileInputStream(path)) {
                store.load(in, getPasswordCharArray(secret));
            }
            return store;
        }

        /** Converts a password to a char array, mapping null and empty to null. */
        private static char[] getPasswordCharArray(String secret) {
            boolean absent = secret == null || secret.isEmpty();
            return absent ? null : secret.toCharArray();
        }

        @Override
        public Socket createSocket() throws IOException {
            return this.socketFactory.createSocket();
        }

        @Override
        public Socket createSocket(String host, int port) throws IOException {
            return this.socketFactory.createSocket(host, port);
        }

        @Override
        public Socket createSocket(String host, int port, InetAddress localAddress, int localPort) throws IOException {
            return this.socketFactory.createSocket(host, port, localAddress, localPort);
        }

        @Override
        public Socket createSocket(InetAddress address, int port) throws IOException {
            return this.socketFactory.createSocket(address, port);
        }

        @Override
        public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
            return this.socketFactory.createSocket(address, port, localAddress, localPort);
        }
    }

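    /**
     * Resolves the groups of a user, retrying up to {@code numAttempts} times.
     *
     * <p>An authentication failure rotates to the next bind user; any other naming failure
     * counts towards fail-over to the next LDAP URL. When every attempt fails the result is
     * an empty list, so a directory outage yields no group memberships rather than an
     * exception.
     *
     * @param str user name to look up
     * @return the user's group names, or an empty list if none could be resolved
     */
    @Override
    public synchronized List<String> getGroups(String str) {
        int attemptsOnCurrentUrl = 1;
        for (int attempt = 1; attempt <= this.numAttempts; attempt++, attemptsOnCurrentUrl++) {
            try {
                return doGetGroups(str, this.groupHierarchyLevels);
            } catch (AuthenticationException e) {
                // AuthenticationException is a NamingException subtype, so it has to be caught
                // first; listed after NamingException this handler could never run.
                switchBindUser(e);
            } catch (NamingException e) {
                LOG.warn("Failed to get groups for user {} (attempt={}/{}) using {}. Exception: ", str, attempt, this.numAttempts, this.currentLdapUrl, e);
                // Literal message; the decompiled source referenced an HTTP-client constant
                // that holds this same value.
                LOG.trace("TRACE", e);
                if (failover(attemptsOnCurrentUrl, this.numAttemptsBeforeFailover)) {
                    // Restart the per-URL count; the loop increment brings it back to 1.
                    attemptsOnCurrentUrl = 0;
                }
            }
            // Force the next attempt to open a fresh context with the current URL and bind user.
            // NOTE(review): the discarded context is dropped without being closed.
            this.ctx = null;
        }
        return Collections.emptyList();
    }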

    /**
     * Extracts the group name from a group DN.
     *
     * @param distinguishedName DN to parse
     * @return the value of the DN's leftmost RDN
     * @throws NamingException if the DN is empty or its leftmost RDN is not of the
     *         configured group name attribute type
     */
    private String getRelativeDistinguishedName(String distinguishedName) throws NamingException {
        List<Rdn> components = new LdapName(distinguishedName).getRdns();
        if (components.isEmpty()) {
            throw new NamingException("DN is empty");
        }
        // LdapName indexes RDNs from the right, so the last entry is the leftmost RDN.
        Rdn leaf = components.get(components.size() - 1);
        if (!leaf.getType().equalsIgnoreCase(this.groupNameAttr)) {
            throw new NamingException("Unable to find RDN: The DN " + distinguishedName + " is malformed.");
        }
        return (String) leaf.getValue();
    }

    /**
     * Searches for the POSIX groups of a user entry, matching either the user's GID or the
     * user's UID in the group member attribute.
     *
     * @param userEntry user search result carrying the POSIX uid and gid attributes
     * @param context   directory context to search with
     * @return matching group entries
     * @throws NamingException if either POSIX attribute is missing or the search fails
     */
    private NamingEnumeration<SearchResult> lookupPosixGroup(SearchResult userEntry, DirContext context) throws NamingException {
        Attribute gidAttribute = userEntry.getAttributes().get(this.posixGidAttr);
        Attribute uidAttribute = userEntry.getAttributes().get(this.posixUidAttr);
        String gidNumber = null;
        String uidNumber = null;
        String reason = "";
        if (gidAttribute != null) {
            gidNumber = gidAttribute.get().toString();
        } else {
            reason = "Can't find attribute '" + this.posixGidAttr + "'.";
        }
        if (uidAttribute != null) {
            uidNumber = uidAttribute.get().toString();
        } else {
            // Overwrites the gid reason when both attributes are missing.
            reason = "Can't find attribute '" + this.posixUidAttr + "'.";
        }
        if (uidNumber == null || gidNumber == null) {
            throw new NamingException("The server does not support posixGroups semantics. Reason: " + reason + " Returned user object: " + userEntry.toString());
        }
        // The directory-supplied values go in as filter arguments {0}/{1}; only configured
        // filter and attribute names are concatenated into the expression.
        String filter = "(&" + this.groupSearchFilter + "(|(" + this.posixGidAttr + "={0})(" + this.groupMemberAttr + "={1})))";
        return context.search(this.groupbaseDN, filter, new Object[]{gidNumber, uidNumber}, SEARCH_CONTROLS);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
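    /**
     * Finds the groups a user entry belongs to with a group search, optionally walking up
     * the group hierarchy.
     *
     * @param searchResult user entry returned by the user search
     * @param dirContext   directory context to search with
     * @param i            number of parent-group levels to resolve; 0 or less disables the walk
     * @return the resolved group names
     * @throws NamingException if a search fails or a group entry lacks the name attribute
     */
    @VisibleForTesting
    public List<String> lookupGroup(SearchResult searchResult, DirContext dirContext, int i) throws NamingException {
        List<String> groups = new ArrayList<>();
        Set<String> groupDns = new HashSet<>();
        final boolean climbHierarchy = i > 0;
        NamingEnumeration<SearchResult> results;
        if (this.isPosix) {
            results = lookupPosixGroup(searchResult, dirContext);
        } else {
            // Plain "(" literal: the decompiled source borrowed an unrelated library constant
            // with the same value. The user DN is bound as filter argument {0}, so JNDI
            // escapes any filter metacharacters it contains.
            String filter = "(&" + this.groupSearchFilter + "(" + this.groupMemberAttr + "={0}))";
            results = dirContext.search(this.groupbaseDN, filter, new Object[]{searchResult.getNameInNamespace()}, SEARCH_CONTROLS);
        }
        if (results == null) {
            return groups;
        }
        while (results.hasMoreElements()) {
            getGroupNames(results.nextElement(), groups, groupDns, climbHierarchy);
        }
        if (climbHierarchy && !this.isPosix) {
            // Work on a set so that parent groups reached by several paths appear once.
            Set<String> allGroups = new HashSet<>(groups);
            goUpGroupHierarchy(groupDns, i, allGroups);
            groups = new ArrayList<>(allGroups);
        }
        return groups;
    }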

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Performs one group lookup for a user against the current directory context.
     *
     * <p>The user name is passed to the search as filter argument {0} rather than being
     * concatenated into the filter. Only the first matching user entry is used.
     *
     * @param str user name to look up
     * @param i   number of parent-group levels to resolve
     * @return the user's group names; empty when the user is not found
     * @throws NamingException if the user search or the group search fails
     */
    public List<String> doGetGroups(String str, int i) throws NamingException {
        DirContext context = getDirContext();
        List<String> groups = new ArrayList<>();
        NamingEnumeration<SearchResult> users = context.search(this.userbaseDN, this.userSearchFilter, new Object[]{str}, SEARCH_CONTROLS);
        if (!users.hasMoreElements()) {
            LOG.debug("doGetGroups({}) returned no groups because the user is not found.", str);
            return groups;
        }
        SearchResult user = users.nextElement();
        if (this.useOneQuery) {
            try {
                Attribute memberOf = user.getAttributes().get(this.memberOfAttr);
                if (memberOf == null) {
                    throw new NamingException("The user object does not have '" + this.memberOfAttr + "' attribute.Returned user object: " + user.toString());
                }
                NamingEnumeration<?> memberships = memberOf.getAll();
                while (memberships.hasMore()) {
                    groups.add(getRelativeDistinguishedName(memberships.next().toString()));
                }
            } catch (NamingException e) {
                // Discard partial results; the group search below takes over.
                groups.clear();
                LOG.info("Failed to get groups from the first lookup. Initiating the second LDAP query using the user's DN.", e);
            }
        }
        // The group search also runs when hierarchy levels are requested, replacing the
        // memberOf-derived list.
        if (groups.isEmpty() || i > 0) {
            groups = lookupGroup(user, context, i);
        }
        LOG.debug("doGetGroups({}) returned {}", str, groups);
        return groups;
    }

    /**
     * Records the name of a group entry and, on request, its DN.
     *
     * @param searchResult group entry to read
     * @param collection   receives the value of the group name attribute
     * @param collection2  receives the entry's DN when {@code z} is true
     * @param z            whether to collect the DN as well
     * @throws NamingException if the entry lacks the configured group name attribute
     */
    void getGroupNames(SearchResult searchResult, Collection<String> collection, Collection<String> collection2, boolean z) throws NamingException {
        final Attribute nameAttribute = searchResult.getAttributes().get(this.groupNameAttr);
        if (nameAttribute != null) {
            collection.add(nameAttribute.get().toString());
            if (z) {
                collection2.add(searchResult.getNameInNamespace());
            }
            return;
        }
        throw new NamingException("The group object does not have attribute '" + this.groupNameAttr + "'.");
    }

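    /**
     * Resolves parent groups of the given group DNs, one level per recursive call.
     *
     * <p>The group DNs come from directory results, so they are bound as JNDI filter
     * arguments ({0}, {1}, ...) instead of being concatenated into the filter. A DN that
     * contains filter metacharacters such as parentheses, an asterisk or a backslash is
     * therefore escaped by JNDI and cannot alter the structure of the query.
     *
     * @param set  DNs of the groups whose parents are wanted
     * @param i    number of levels still to climb
     * @param set2 accumulates the names of every group found
     * @throws NamingException if the search fails or a group entry lacks the name attribute
     */
    void goUpGroupHierarchy(Set<String> set, int i, Set<String> set2) throws NamingException {
        // With no DNs left there is nothing to query; this also avoids building a filter
        // with an empty OR clause.
        if (i <= 0 || set2.isEmpty() || set.isEmpty()) {
            return;
        }
        DirContext dirContext = getDirContext();
        Set<String> parentDns = new HashSet<>();
        Object[] filterArgs = set.toArray();
        StringBuilder filter = new StringBuilder();
        filter.append("(&").append(this.groupSearchFilter).append("(|");
        for (int argIndex = 0; argIndex < filterArgs.length; argIndex++) {
            filter.append("(").append(this.groupMemberAttr).append("={").append(argIndex).append("})");
        }
        filter.append("))");
        // Logs the filter template; the DN arguments are not part of it.
        LOG.debug("Ldap group query string: {}", filter);
        NamingEnumeration<SearchResult> results = dirContext.search(this.groupbaseDN, filter.toString(), filterArgs, SEARCH_CONTROLS);
        while (results.hasMoreElements()) {
            getGroupNames(results.nextElement(), set2, parentDns, true);
        }
        goUpGroupHierarchy(parentDns, i - 1, set2);
    }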

    /**
     * Switches to the next configured LDAP URL once the attempt threshold is reached.
     *
     * @param i  attempts made against the current URL
     * @param i2 attempts allowed before failing over
     * @return true if the current URL was advanced, false if the threshold was not reached
     */
    protected boolean failover(int i, int i2) {
        final boolean thresholdReached = i >= i2;
        if (thresholdReached) {
            final String previousUrl = this.currentLdapUrl;
            this.currentLdapUrl = this.ldapUrls.next();
            LOG.info("Reached {} attempts on {}, failing over to {}", i, previousUrl, this.currentLdapUrl);
        }
        return thresholdReached;
    }

    /**
     * Advances to the next bind user after an authentication failure.
     *
     * <p>The switch is logged only when the next user differs from the previous one. The
     * log line carries user names and the exception message, not passwords.
     *
     * @param authenticationException the failure that triggered the switch
     */
    protected void switchBindUser(AuthenticationException authenticationException) {
        final BindUserInfo previousUser = this.currentBindUser;
        this.currentBindUser = this.bindUsers.next();
        if (!previousUser.equals(this.currentBindUser)) {
            LOG.info("Switched from {} to {} after an AuthenticationException: {}", previousUser, this.currentBindUser, authenticationException.getMessage());
        }
    }

    /**
     * Returns the cached directory context, creating it on first use.
     *
     * <p>The context binds with "simple" authentication using the current bind user. The
     * connection is wrapped in SSL only when {@code useSsl} is set; otherwise nothing in
     * this method protects the bind credentials in transit.
     *
     * @throws NamingException if the initial context cannot be created
     */
    private DirContext getDirContext() throws NamingException {
        if (this.ctx != null) {
            return this.ctx;
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put("java.naming.factory.initial", this.ldapCtxFactoryClassName);
        env.put("java.naming.provider.url", this.currentLdapUrl);
        env.put("java.naming.security.authentication", "simple");
        if (this.useSsl) {
            env.put("java.naming.security.protocol", "ssl");
            // The store settings are static on LdapSslSocketFactory, i.e. shared process-wide.
            LdapSslSocketFactory.setConfigurations(this.keystore, this.keystorePass, this.truststore, this.truststorePass);
            env.put(LDAP_SOCKET_FACTORY_ENV_KEY, LdapSslSocketFactory.class.getName());
        }
        env.put("java.naming.security.principal", this.currentBindUser.username);
        env.put("java.naming.security.credentials", this.currentBindUser.password);
        env.put("com.sun.jndi.ldap.connect.timeout", this.conf.get(CONNECTION_TIMEOUT, String.valueOf(CONNECTION_TIMEOUT_DEFAULT)));
        env.put("com.sun.jndi.ldap.read.timeout", this.conf.get(READ_TIMEOUT, String.valueOf(READ_TIMEOUT_DEFAULT)));
        final Thread current = Thread.currentThread();
        if (current.getContextClassLoader() != null) {
            this.ctx = new InitialDirContext(env);
        } else {
            // No context class loader on this thread: lend it this class's loader while the
            // context is created, then restore the null value.
            try {
                current.setContextClassLoader(getClass().getClassLoader());
                this.ctx = new InitialDirContext(env);
            } finally {
                current.setContextClassLoader(null);
            }
        }
        return this.ctx;
    }

    /** No-op: this implementation has an empty body for cache refresh. */
    @Override // org.apache.hadoop.security.GroupMappingServiceProvider
    public void cacheGroupsRefresh() {
    }

    /**
     * No-op: the supplied list is ignored.
     *
     * @param list group names offered for caching; unused here
     */
    @Override // org.apache.hadoop.security.GroupMappingServiceProvider
    public void cacheGroupsAdd(List<String> list) {
    }

    /**
     * Returns the configuration last passed to {@code setConf}.
     *
     * @return the stored configuration, or null if none has been set
     */
    @Override // org.apache.hadoop.conf.Configurable
    public synchronized Configuration getConf() {
        return this.conf;
    }

    /**
     * Stores the configuration and derives all LDAP settings from it.
     *
     * <p>Besides instance fields, this updates the static {@code SEARCH_CONTROLS}, which is
     * shared by every instance of this class.
     *
     * @param configuration configuration to read the LDAP settings from
     * @throws RuntimeException if no LDAP URL is configured, or if a bind user or password
     *         file setting cannot be resolved
     */
    @Override
    public synchronized void setConf(Configuration configuration) {
        this.conf = configuration;

        // NOTE(review): whether an unset key yields an empty array or the one-element default
        // depends on Configuration.getStrings; confirm this check fires for an unset URL.
        String[] urls = configuration.getStrings(LDAP_URL_KEY, LDAP_URL_DEFAULT);
        if (urls == null || urls.length == 0) {
            throw new RuntimeException("LDAP URL(s) are not configured");
        }
        this.ldapUrls = Iterators.cycle(urls);
        this.currentLdapUrl = this.ldapUrls.next();

        // SSL defaults to off; store settings are only read when it is enabled.
        this.useSsl = configuration.getBoolean(LDAP_USE_SSL_KEY, LDAP_USE_SSL_DEFAULT);
        if (this.useSsl) {
            loadSslConf(configuration);
        }
        initializeBindUsers();

        // Both search bases fall back to the common base DN.
        String commonBaseDn = configuration.getTrimmed(BASE_DN_KEY, BASE_DN_DEFAULT);
        this.userbaseDN = configuration.getTrimmed(USER_BASE_DN_KEY, commonBaseDn);
        LOG.debug("Usersearch baseDN: {}", this.userbaseDN);
        this.groupbaseDN = configuration.getTrimmed(GROUP_BASE_DN_KEY, commonBaseDn);
        LOG.debug("Groupsearch baseDN: {}", this.groupbaseDN);

        this.groupSearchFilter = configuration.get(GROUP_SEARCH_FILTER_KEY, GROUP_SEARCH_FILTER_DEFAULT);
        this.userSearchFilter = configuration.get(USER_SEARCH_FILTER_KEY, USER_SEARCH_FILTER_DEFAULT);
        // POSIX mode is inferred from the object class names appearing in both filters.
        this.isPosix = this.groupSearchFilter.contains(POSIX_GROUP) && this.userSearchFilter.contains(POSIX_ACCOUNT);
        this.memberOfAttr = configuration.get(MEMBEROF_ATTR_KEY, MEMBEROF_ATTR_DEFAULT);
        this.useOneQuery = !this.memberOfAttr.isEmpty();
        this.groupMemberAttr = configuration.get(GROUP_MEMBERSHIP_ATTR_KEY, GROUP_MEMBERSHIP_ATTR_DEFAULT);
        this.groupNameAttr = configuration.get(GROUP_NAME_ATTR_KEY, GROUP_NAME_ATTR_DEFAULT);
        this.groupHierarchyLevels = configuration.getInt(GROUP_HIERARCHY_LEVELS_KEY, GROUP_HIERARCHY_LEVELS_DEFAULT);
        this.posixUidAttr = configuration.get(POSIX_UID_ATTR_KEY, POSIX_UID_ATTR_DEFAULT);
        this.posixGidAttr = configuration.get(POSIX_GID_ATTR_KEY, POSIX_GID_ATTR_DEFAULT);

        SEARCH_CONTROLS.setTimeLimit(configuration.getInt(DIRECTORY_SEARCH_TIMEOUT, DIRECTORY_SEARCH_TIMEOUT_DEFAULT));
        // Request only the attributes the lookups read; memberOf is added for the
        // single-query path.
        String[] returningAttributes;
        if (this.useOneQuery) {
            returningAttributes = new String[]{this.groupNameAttr, this.posixUidAttr, this.posixGidAttr, this.memberOfAttr};
        } else {
            returningAttributes = new String[]{this.groupNameAttr, this.posixUidAttr, this.posixGidAttr};
        }
        SEARCH_CONTROLS.setReturningAttributes(returningAttributes);

        // The factory class is requested as an InitialContextFactory implementation.
        Class<? extends InitialContextFactory> factoryClass = configuration.getClass(LDAP_CTX_FACTORY_CLASS_KEY, null, InitialContextFactory.class);
        this.ldapCtxFactoryClassName = factoryClass != null ? factoryClass.getName() : LDAP_CTX_FACTORY_CLASS_DEFAULT;

        this.numAttempts = configuration.getInt(LDAP_NUM_ATTEMPTS_KEY, LDAP_NUM_ATTEMPTS_DEFAULT);
        this.numAttemptsBeforeFailover = configuration.getInt(LDAP_NUM_ATTEMPTS_BEFORE_FAILOVER_KEY, LDAP_NUM_ATTEMPTS_BEFORE_FAILOVER_DEFAULT);
    }

    /**
     * Returns the iterator over the configured LDAP URLs.
     *
     * <p>This is the same iterator instance that {@code failover} advances, not a copy, so
     * calling {@code next()} on it changes which URL the next fail-over selects.
     *
     * @return the live URL iterator, or null before {@code setConf} has run
     */
    public Iterator<String> getLdapUrls() {
        return this.ldapUrls;
    }

    /**
     * Reads the key store and trust store locations and passwords.
     *
     * <p>Each password falls back to its password file when the first source yields an
     * empty value. The two stores use different first sources: the key store goes through
     * the deprecated {@code getPassword}, the trust store through
     * {@code getPasswordFromCredentialProviders}.
     *
     * @param sslConf configuration to read the SSL settings from
     */
    private void loadSslConf(Configuration sslConf) {
        this.keystore = sslConf.get(LDAP_KEYSTORE_KEY, LDAP_KEYSTORE_DEFAULT);
        String keySecret = getPassword(sslConf, LDAP_KEYSTORE_PASSWORD_KEY, LDAP_KEYSTORE_PASSWORD_DEFAULT);
        this.keystorePass = keySecret;
        if (this.keystorePass.isEmpty()) {
            String keySecretFile = sslConf.get(LDAP_KEYSTORE_PASSWORD_FILE_KEY, LDAP_KEYSTORE_PASSWORD_FILE_DEFAULT);
            this.keystorePass = extractPassword(keySecretFile);
        }

        this.truststore = sslConf.get(LDAP_TRUSTSTORE_KEY, "");
        String trustSecret = getPasswordFromCredentialProviders(sslConf, LDAP_TRUSTSTORE_PASSWORD_KEY, "");
        this.truststorePass = trustSecret;
        if (this.truststorePass.isEmpty()) {
            String trustSecretFile = sslConf.get(LDAP_TRUSTSTORE_PASSWORD_FILE_KEY, "");
            this.truststorePass = extractPassword(trustSecretFile);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Looks up a password by alias through the configuration's credential providers.
     *
     * <p>A lookup failure is logged with the alias name and the default is returned; the
     * failure is not propagated. The password is returned as a String.
     *
     * @param configuration configuration whose credential providers are consulted
     * @param str           alias to look up
     * @param str2          value returned when no password is found or the lookup fails
     * @return the password, or {@code str2}
     */
    public String getPasswordFromCredentialProviders(Configuration configuration, String str, String str2) {
        try {
            final char[] secret = configuration.getPasswordFromCredentialProviders(str);
            return secret == null ? str2 : new String(secret);
        } catch (IOException e) {
            LOG.warn("Exception while trying to get password for alias {}: ", str, e);
            return str2;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Looks up a password through {@code Configuration.getPassword}.
     *
     * <p>A lookup failure is logged with the alias name and the default is returned; the
     * failure is not propagated.
     *
     * @param configuration configuration to query
     * @param str           name of the password entry
     * @param str2          value returned when no password is found or the lookup fails
     * @return the password, or {@code str2}
     * @deprecated marked deprecated in this class; {@code getPasswordFromCredentialProviders}
     *             is the other lookup it offers
     */
    @Deprecated
    public String getPassword(Configuration configuration, String str, String str2) {
        try {
            final char[] secret = configuration.getPassword(str);
            return secret == null ? str2 : new String(secret);
        } catch (IOException e) {
            LOG.warn("Exception while trying to get password for alias {}:", str, e);
            return str2;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
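    /**
     * Reads a password from a file.
     *
     * <p>The file is decoded as UTF-8 and leading and trailing whitespace is trimmed, so a
     * trailing newline is not part of the password. The file is read in one call that
     * closes it on every path; the decompiled source left the reader open when a read
     * failed.
     *
     * <p>NOTE(review): nothing here checks the ownership or permissions of the password
     * file; restricting access to it is left to the deployment.
     *
     * @param str path of the password file; an empty path means "not configured"
     * @return the trimmed file content, or an empty string for an empty path
     * @throws RuntimeException if the file cannot be read
     */
    public String extractPassword(String str) {
        if (str.isEmpty()) {
            return "";
        }
        try {
            byte[] raw = Files.readAllBytes(Paths.get(str));
            return new String(raw, StandardCharsets.UTF_8).trim();
        } catch (IOException e) {
            // The message names the file path only, never its content.
            throw new RuntimeException("Could not read password file: " + str, e);
        }
    }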

    /**
     * Builds the cycling list of bind users from the configuration.
     *
     * <p>When bind user aliases are configured, each alias needs a user name under its own
     * key prefix. Otherwise the single bind user key is used, defaulting to an empty name.
     *
     * @throws RuntimeException if an alias has no bind user name configured
     */
    private void initializeBindUsers() {
        List<BindUserInfo> candidates = new ArrayList<>();
        String[] aliases = this.conf.getStrings(BIND_USERS_KEY);
        final boolean aliasesConfigured = aliases != null && aliases.length > 0;
        if (aliasesConfigured) {
            for (String alias : aliases) {
                String aliasPrefix = BIND_USERS_KEY + "." + alias;
                String bindName = this.conf.get(aliasPrefix + BIND_USER_SUFFIX);
                String bindSecret = getPasswordForBindUser(aliasPrefix);
                // NOTE(review): getPasswordForBindUser returns "" rather than null when no
                // password source is set, so only a missing user name trips this check and
                // an alias without a password proceeds with an empty one. Confirm that is
                // intended.
                if (bindName == null || bindSecret == null) {
                    throw new RuntimeException("Bind username or password not configured for user: " + alias);
                }
                candidates.add(new BindUserInfo(bindName, bindSecret));
            }
        } else {
            String bindName = this.conf.get(BIND_USER_KEY, BIND_USER_DEFAULT);
            candidates.add(new BindUserInfo(bindName, getPasswordForBindUser(LDAP_CONFIG_PREFIX)));
        }
        this.bindUsers = Iterators.cycle(candidates);
        this.currentBindUser = this.bindUsers.next();
    }

    /**
     * Resolves the bind password for a key prefix, trying three sources in order: the
     * credential-provider alias, the password key, and the password file. The first
     * non-empty value wins.
     *
     * @param keyPrefix configuration prefix the password suffixes are appended to
     * @return the password, or an empty string when no source provides one
     */
    private String getPasswordForBindUser(String keyPrefix) {
        String aliasName = this.conf.get(keyPrefix + BIND_PASSWORD_ALIAS_SUFFIX, "");
        String secret = getPasswordFromCredentialProviders(this.conf, aliasName, "");
        if (!secret.isEmpty()) {
            return secret;
        }
        secret = getPassword(this.conf, keyPrefix + BIND_PASSWORD_SUFFIX, "");
        if (!secret.isEmpty()) {
            return secret;
        }
        return extractPassword(this.conf.get(keyPrefix + BIND_PASSWORD_FILE_SUFFIX, ""));
    }

    // Every search made with SEARCH_CONTROLS covers the whole subtree below its base DN.
    static {
        SEARCH_CONTROLS.setSearchScope(SearchControls.SUBTREE_SCOPE);
    }
}
