package com.datastax.bdp.cassandra.auth;

import com.datastax.bdp.config.DseConfig;
import com.datastax.bdp.jmx.JMX;
import com.datastax.bdp.util.MapBuilder;
import com.datastax.dse.byos.shade.com.google.common.base.Strings;
import com.datastax.dse.byos.shade.com.google.common.cache.Cache;
import com.datastax.dse.byos.shade.com.google.common.cache.CacheBuilder;
import com.datastax.dse.byos.shade.com.google.common.util.concurrent.Uninterruptibles;
import com.datastax.dse.byos.shade.org.antlr.runtime.debug.Profiler;
import com.datastax.dse.byos.shade.org.mindrot.jbcrypt.BCrypt;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.TimeUnit;
import java.util.function.Consumer;
import java.util.stream.Collectors;
import javax.annotation.Nullable;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cassandra.auth.AuthenticatedUser;
import org.apache.cassandra.concurrent.TPC;
import org.apache.cassandra.concurrent.TPCUtils;
import org.apache.cassandra.exceptions.AuthenticationException;
import org.apache.cassandra.exceptions.ConfigurationException;
import org.apache.commons.lang.StringUtils;
import org.apache.directory.api.ldap.model.cursor.CursorException;
import org.apache.directory.api.ldap.model.cursor.EntryCursor;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.entry.Value;
import org.apache.directory.api.ldap.model.exception.LdapAuthenticationException;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.message.SearchScope;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.api.ldap.model.name.Rdn;
import org.apache.directory.ldap.client.api.DefaultPoolableLdapConnectionFactory;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapConnectionPool;
import org.apache.directory.ldap.client.api.ValidatingPoolableLdapConnectionFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/datastax/bdp/cassandra/auth/LdapUtils.class */
public class LdapUtils implements LdapUtilsMXBean {
    private static final Logger logger;
    private static final Cache<String, Dn> searchCache;
    private static final Cache<String, CachedCredentials> credentialsCache;
    private static final int GENSALT_LOG2_ROUNDS = 10;
    public static LdapUtils instance;
    private static final int MAX_RETRIES;
    private boolean anonymousSearch;
    private String userSearchBase;
    private String userSearchFilter;
    private String userMemberOfAttribute;
    private GroupSearchType groupSearchType;
    private String groupSearchBase;
    private String groupSearchFilter;
    private String groupNameAttribute;
    private LdapConnectionPool connectionPool;
    private LdapConnectionConfig ldapConnectionConfig;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/LdapUtils$CachedCredentials.class */
    public class CachedCredentials {
        final String hashedPassword;
        final AuthenticatedUser user;

        CachedCredentials(String str, AuthenticatedUser authenticatedUser) {
            this.hashedPassword = str;
            this.user = authenticatedUser;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/LdapUtils$GroupSearchType.class */
    public enum GroupSearchType {
        DIRECTORY_SEARCH,
        MEMBEROF_SEARCH
    }

    private LdapUtils() {
    }

    public void validateAuthenticationConfiguration() throws ConfigurationException {
        validateConfiguration(this::validateAuthenticationConfiguration);
    }

    public void validateGroupConfiguration() throws ConfigurationException {
        validateConfiguration(list -> {
            validateAuthenticationConfiguration(list);
            validateGroupConfiguration(list);
        });
    }

    private void validateConfiguration(Consumer<List> consumer) {
        ArrayList arrayList = new ArrayList();
        consumer.accept(arrayList);
        if (!arrayList.isEmpty()) {
            throw new ConfigurationException((String) arrayList.stream().collect(Collectors.joining(", ")));
        }
    }

    private void validateAuthenticationConfiguration(List<String> list) {
        if (Strings.isNullOrEmpty(DseConfig.getLdapServerHost())) {
            list.add("ldap_options.server_host must be set to use LDAP functionality");
        }
        if (Strings.isNullOrEmpty(DseConfig.getLdapUserSearchBase())) {
            list.add("ldap_options.user_search_base must be set to a valid DN");
        }
        if (Strings.isNullOrEmpty(DseConfig.getLdapUserSearchFilter())) {
            list.add("ldap_options.user_search_filter must be set to a valid LDAP search filter");
        }
    }

    private void validateGroupConfiguration(List<String> list) {
        if (GroupSearchType.valueOf(DseConfig.getLdapGroupSearchType().toUpperCase()) == GroupSearchType.DIRECTORY_SEARCH) {
            if (Strings.isNullOrEmpty(DseConfig.getLdapGroupSearchBase())) {
                list.add("ldap_options.group_search_base must be set to do group directory searches");
            }
            if (Strings.isNullOrEmpty(DseConfig.getLdapGroupSearchFilter())) {
                list.add("ldap_options.group_search_filter must be set to do group directory searches");
            }
        } else if (Strings.isNullOrEmpty(DseConfig.getLdapUserMemberOfAttribute())) {
            list.add("ldap_options.user_memberof_attribute must be set to do group memberof searches");
        }
        if (Strings.isNullOrEmpty(DseConfig.getLdapGroupNameAttribute())) {
            list.add("ldap_options.group_name_attribute must be set to get group information for a user");
        }
    }

    public void setup() {
        if (this.connectionPool == null) {
            this.userSearchBase = DseConfig.getLdapUserSearchBase();
            this.userSearchFilter = DseConfig.getLdapUserSearchFilter();
            this.userMemberOfAttribute = DseConfig.getLdapUserMemberOfAttribute();
            this.groupSearchType = GroupSearchType.valueOf(DseConfig.getLdapGroupSearchType().toUpperCase());
            this.groupSearchBase = DseConfig.getLdapGroupSearchBase();
            this.groupSearchFilter = DseConfig.getLdapGroupSearchFilter();
            this.groupNameAttribute = DseConfig.getLdapGroupNameAttribute();
            this.ldapConnectionConfig = new LdapConnectionConfig();
            this.ldapConnectionConfig.setLdapHost(DseConfig.getLdapServerHost());
            this.ldapConnectionConfig.setLdapPort(DseConfig.getLdapServerPort());
            this.ldapConnectionConfig.setUseSsl(DseConfig.isLdapUseSSL());
            this.ldapConnectionConfig.setUseTls(DseConfig.isLdapUseTls());
            if ((DseConfig.isLdapUseSSL() || DseConfig.isLdapUseTls()) && StringUtils.isNotEmpty(DseConfig.getLdapTruststorePath())) {
                try {
                    FileInputStream fileInputStream = new FileInputStream(DseConfig.getLdapTruststorePath());
                    Throwable th = null;
                    try {
                        char[] charArray = StringUtils.isEmpty(DseConfig.getLdapTruststorePassword()) ? null : DseConfig.getLdapTruststorePassword().toCharArray();
                        KeyStore keyStore = KeyStore.getInstance(DseConfig.getLdapTruststoreType());
                        keyStore.load(fileInputStream, charArray);
                        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                        trustManagerFactory.init(keyStore);
                        this.ldapConnectionConfig.setTrustManagers(trustManagerFactory.getTrustManagers());
                        if (fileInputStream != null) {
                            if (0 != 0) {
                                try {
                                    fileInputStream.close();
                                } catch (Throwable th2) {
                                    th.addSuppressed(th2);
                                }
                            } else {
                                fileInputStream.close();
                            }
                        }
                    } finally {
                    }
                } catch (Exception e) {
                    throw new AssertionError("Failed to initialize trust manager in LdapConnectionConfig", e);
                }
            }
            this.anonymousSearch = StringUtils.isEmpty(DseConfig.getLdapSearchDn());
            if (!this.anonymousSearch) {
                this.ldapConnectionConfig.setName(DseConfig.getLdapSearchDn());
                this.ldapConnectionConfig.setCredentials(DseConfig.getLdapSearchPassword());
            }
            this.ldapConnectionConfig.setTimeout(Long.getLong("dse.ldap.connection.timeout.ms", 30000L).longValue());
            ValidatingPoolableLdapConnectionFactory validatingPoolableLdapConnectionFactory = System.getProperty("dse.ldap.connection.factory", "default").equals("validating") ? new ValidatingPoolableLdapConnectionFactory(this.ldapConnectionConfig) : new DefaultPoolableLdapConnectionFactory(this.ldapConnectionConfig);
            this.connectionPool = new LdapConnectionPool(validatingPoolableLdapConnectionFactory);
            this.connectionPool.setMaxActive(DseConfig.getLdapConnectionPoolMaxActive());
            this.connectionPool.setMaxIdle(DseConfig.getLdapConnectionPoolMaxIdle());
            this.connectionPool.setMinIdle(Integer.getInteger("dse.ldap.pool.min.idle", 0).intValue());
            String property = System.getProperty("dse.ldap.pool.exhausted.action", "block");
            this.connectionPool.setWhenExhaustedAction(property.equals("fail") ? (byte) 0 : property.equals("grow") ? (byte) 2 : (byte) 1);
            this.connectionPool.setMaxWait(Long.getLong("dse.ldap.pool.max.wait", 30000L).longValue());
            this.connectionPool.setTestOnBorrow(Boolean.parseBoolean(System.getProperty("dse.ldap.pool.test.borrow", "false")));
            this.connectionPool.setTestOnReturn(Boolean.parseBoolean(System.getProperty("dse.ldap.pool.test.return", "true")));
            this.connectionPool.setTestWhileIdle(Boolean.parseBoolean(System.getProperty("dse.ldap.pool.test.idle", "false")));
            this.connectionPool.setTimeBetweenEvictionRunsMillis(Long.getLong("dse.ldap.pool.time.between.evictions", -1L).longValue());
            this.connectionPool.setNumTestsPerEvictionRun(Integer.getInteger("dse.ldap.pool.num.tests.per.eviction", 3).intValue());
            this.connectionPool.setMinEvictableIdleTimeMillis(Long.getLong("dse.ldap.pool.min.evictable.idle.time.ms", 1800000L).longValue());
            this.connectionPool.setSoftMinEvictableIdleTimeMillis(Long.getLong("dse.ldap.pool.soft.min.evictable.idle.time.ms", -1L).longValue());
            if (logger.isTraceEnabled()) {
                logger.trace("[ldap-configuration] Ldap configured using the following settings\n" + String.format("Host: %s\n", this.ldapConnectionConfig.getLdapHost()) + String.format("Port: %s\n", Integer.valueOf(this.ldapConnectionConfig.getLdapPort())) + String.format("Use SSL: %s\n", Boolean.valueOf(this.ldapConnectionConfig.isUseSsl())) + String.format("Use TLS: %s\n", Boolean.valueOf(this.ldapConnectionConfig.isUseTls())) + String.format("Timeout: %s\n", Long.valueOf(this.ldapConnectionConfig.getTimeout())) + String.format("Anonymous bind: %s\n", Boolean.valueOf(this.anonymousSearch)) + String.format("User search base: %s\n", this.userSearchBase) + String.format("User search filter: %s\n", this.userSearchFilter) + String.format("Group search type: %s\n", this.groupSearchType) + String.format("Group search base: %s\n", this.groupSearchBase) + String.format("Group search filter: %s\n", this.groupSearchFilter) + String.format("Group name attribute: %s\n", this.groupNameAttribute) + String.format("User memberof attribute: %s\n", this.userMemberOfAttribute) + String.format("Poolable connection factory: %s\n", validatingPoolableLdapConnectionFactory.getClass().getCanonicalName()) + String.format("Max active: %s\n", Integer.valueOf(this.connectionPool.getMaxActive())) + String.format("Max idle: %s\n", Integer.valueOf(this.connectionPool.getMaxIdle())) + String.format("Min idle: %s\n", Integer.valueOf(this.connectionPool.getMinIdle())) + String.format("Exhausted action: %s\n", Byte.valueOf(this.connectionPool.getWhenExhaustedAction())) + String.format("Max wait: %s\n", Long.valueOf(this.connectionPool.getMaxWait())) + String.format("Test on borrow: %s\n", Boolean.valueOf(this.connectionPool.getTestOnBorrow())) + String.format("Test on return: %s\n", Boolean.valueOf(this.connectionPool.getTestOnReturn())) + String.format("Test while idle: %s\n", Boolean.valueOf(this.connectionPool.getTestWhileIdle())) + String.format("Time between eviction runs: %s\n", Long.valueOf(this.connectionPool.getTimeBetweenEvictionRunsMillis())) + String.format("Number of tests per eviction run: %s\n", Integer.valueOf(this.connectionPool.getNumTestsPerEvictionRun())) + String.format("Minimum evictable idle time: %s\n", Long.valueOf(this.connectionPool.getMinEvictableIdleTimeMillis())) + String.format("Soft minimum evictable idle time: %s\n", Long.valueOf(this.connectionPool.getSoftMinEvictableIdleTimeMillis())));
            }
        }
    }

    public void setupAuthentication() {
        setup();
        JMX.registerMBean(this, JMX.Type.CORE, MapBuilder.immutable().withKeys((Object[]) new String[]{"name"}).withValues((Object[]) new String[]{"LdapAuthenticator"}).build());
    }

    public AuthenticatedUser authenticate(Credentials credentials) throws AuthenticationException {
        if (StringUtils.isEmpty(credentials.authenticationUser) || StringUtils.isEmpty(credentials.password)) {
            logger.error("Either the username or password were null or zero length");
            throw new DseAuthenticationException(credentials.authorizationUser, credentials.authenticationUser);
        }
        if (credentialsCache == null) {
            return doAuthentication(credentials.authenticationUser, credentials.password, MAX_RETRIES);
        }
        CachedCredentials ifPresent = credentialsCache.getIfPresent(credentials.authenticationUser);
        if (ifPresent == null || !BCrypt.checkpw(credentials.password, ifPresent.hashedPassword)) {
            credentialsCache.invalidate(credentials.authenticationUser);
            ifPresent = new CachedCredentials(BCrypt.hashpw(credentials.password, BCrypt.gensalt(10)), doAuthentication(credentials.authenticationUser, credentials.password, MAX_RETRIES));
            credentialsCache.put(credentials.authenticationUser, ifPresent);
        }
        return ifPresent.user;
    }

    private AuthenticatedUser doAuthentication(String str, String str2, int i) {
        AuthenticationException authenticationException = null;
        for (int i2 = 0; i2 <= i; i2++) {
            if (i2 > 0) {
                try {
                    if (logger.isTraceEnabled()) {
                        logger.trace("[ldap-authenticate] attempting authentication retry: " + i2);
                    }
                } catch (AuthenticationException e) {
                    if (authenticationException == null) {
                        authenticationException = e;
                    } else {
                        authenticationException.addSuppressed(e);
                    }
                    Uninterruptibles.sleepUninterruptibly(10L, TimeUnit.MILLISECONDS);
                }
            }
            return doAuthentication(str, str2);
        }
        if ($assertionsDisabled || authenticationException != null) {
            throw authenticationException;
        }
        throw new AssertionError();
    }

    private AuthenticatedUser doAuthentication(String str, String str2) throws AuthenticationException {
        Dn ifPresent = searchCache == null ? null : searchCache.getIfPresent(str);
        boolean z = true;
        if (ifPresent == null) {
            if (logger.isTraceEnabled()) {
                logger.trace("[ldap-authenticate] username: " + str + " not found in cache");
            }
            ifPresent = fetchUserDn(str);
            if (ifPresent == null) {
                if (logger.isTraceEnabled()) {
                    logger.trace("[ldap-authenticate] ERROR - could not find userDN for username: " + str);
                }
                throw new DseAuthenticationException(str);
            }
            z = false;
        }
        try {
            if (userCanBind(ifPresent, str2)) {
                if (logger.isTraceEnabled()) {
                    logger.trace("[ldap-authenticate] SUCCESS - username: " + str + ", userDN: " + ifPresent);
                }
                if (!z && searchCache != null) {
                    searchCache.put(str, ifPresent);
                }
                return new AuthenticatedUser(str);
            }
            if (logger.isTraceEnabled()) {
                logger.trace("[ldap-authenticate] FAILURE - bind failed for username: " + str + ", userDN: " + ifPresent);
            }
            if (z) {
                if (logger.isTraceEnabled()) {
                    logger.trace("[ldap-authenticate] - userDN was in cache so looking for new DN");
                }
                Dn fetchUserDn = fetchUserDn(str);
                if (fetchUserDn == null) {
                    if (logger.isTraceEnabled()) {
                        logger.trace("[ldap-authenticate] ERROR - could not find userDN for username: " + str);
                    }
                    throw new DseAuthenticationException(str);
                }
                if (!fetchUserDn.equals(ifPresent)) {
                    if (logger.isTraceEnabled()) {
                        logger.trace("[ldap-authenticate] new userDN: " + fetchUserDn + " does not match cached userDN: " + ifPresent + " so attempting to bind again");
                    }
                    if (userCanBind(fetchUserDn, str2)) {
                        if (logger.isTraceEnabled()) {
                            logger.trace("[ldap-authenticate] SUCCESS - username: " + str + ", userDN: " + ifPresent);
                        }
                        if (searchCache != null) {
                            searchCache.put(str, fetchUserDn);
                        }
                        return new AuthenticatedUser(str);
                    }
                }
            }
            if (searchCache != null) {
                searchCache.invalidate(str);
            }
            if (logger.isTraceEnabled()) {
                logger.trace("[ldap-authenticate] ERROR - username: " + str + " failed to authenticate");
            }
            throw new DseAuthenticationException(str);
        } catch (RuntimeException e) {
            if (logger.isTraceEnabled()) {
                logger.trace("[ldap-authenticate] ERROR - unexpected error for username: " + str, e);
            }
            if (searchCache != null) {
                searchCache.invalidate(str);
            }
            AuthenticationException authenticationException = new AuthenticationException(str);
            authenticationException.initCause(e);
            throw authenticationException;
        }
    }

    private boolean userCanBind(Dn dn, String str) {
        if (TPC.isTPCThread()) {
            throw new TPCUtils.WouldBlockException("Binding LDAP user would block TPC thread");
        }
        LdapConnection ldapConnection = null;
        try {
            try {
                ldapConnection = this.connectionPool.getConnection();
                ldapConnection.setTimeOut(this.ldapConnectionConfig.getTimeout());
                if (logger.isTraceEnabled()) {
                    logger.trace("[ldap-bind] userDN: " + dn + " connection: " + ldapConnection);
                }
                ldapConnection.bind(dn, str);
                if (logger.isTraceEnabled()) {
                    logger.trace("[ldap-bind] SUCCESS - bind succcessful for userDN: " + dn);
                }
                freeConnection(ldapConnection, null);
                return true;
            } catch (LdapAuthenticationException e) {
                if (logger.isTraceEnabled()) {
                    logger.trace("[ldap-bind] ERROR - bind failed for userDN: " + dn, e);
                }
                freeConnection(ldapConnection, null);
                return false;
            } catch (LdapException | RuntimeException e2) {
                if (logger.isTraceEnabled()) {
                    logger.trace("[ldap-bind] ERROR - bind failed for userDN: " + dn, e2);
                }
                freeConnection(ldapConnection, e2);
                return false;
            }
        } catch (Throwable th) {
            freeConnection(ldapConnection, null);
            throw th;
        }
    }

    private Dn fetchUserDn(String str) throws AuthenticationException {
        EntryCursor search;
        if (TPC.isTPCThread()) {
            throw new TPCUtils.WouldBlockException("Fetching user from LDAP would block TPC thread");
        }
        LdapConnection ldapConnection = null;
        try {
            try {
                try {
                    ldapConnection = this.connectionPool.getConnection();
                    ldapConnection.setTimeOut(this.ldapConnectionConfig.getTimeout());
                    if (logger.isTraceEnabled()) {
                        logger.trace("[ldap-fetch-user] username: " + str + " connection: " + ldapConnection);
                    }
                    if (this.anonymousSearch) {
                        if (logger.isTraceEnabled()) {
                            logger.trace("[ldap-fetch-user] anonymous bind to connection");
                        }
                        ldapConnection.anonymousBind();
                    } else {
                        if (logger.isTraceEnabled()) {
                            logger.trace("[ldap-fetch-user] bind to connection");
                        }
                        ldapConnection.bind();
                    }
                    String format = MessageFormat.format(this.userSearchFilter, str);
                    if (logger.isTraceEnabled()) {
                        logger.trace("[ldap-fetch-user] user_search_base: " + this.userSearchBase + ", user_search_filter: " + format);
                    }
                    search = ldapConnection.search(this.userSearchBase, format, SearchScope.SUBTREE, new String[0]);
                } catch (LdapAuthenticationException e) {
                    if (logger.isTraceEnabled()) {
                        logger.trace("[ldap-fetch-user] ERROR - failed to fetch username: " + str, e);
                    }
                    freeConnection(ldapConnection, null);
                }
                if (!search.next()) {
                    freeConnection(ldapConnection, null);
                    if (logger.isTraceEnabled()) {
                        logger.trace("[ldap-fetch-user] ERROR - failed to fetch username: " + str);
                    }
                    throw new DseAuthenticationException("Username and/or password are incorrect");
                }
                if (logger.isTraceEnabled()) {
                    logger.trace("[ldap-fetch-user] found entry for username: " + str);
                }
                Dn dn = ((Entry) search.get()).getDn();
                freeConnection(ldapConnection, null);
                return dn;
            } catch (CursorException | LdapException | RuntimeException e2) {
                if (logger.isTraceEnabled()) {
                    logger.trace("[ldap-fetch-user] ERROR - failed to fetch username: " + str, e2);
                }
                DseAuthenticationException dseAuthenticationException = new DseAuthenticationException("LDAP authentication failure");
                dseAuthenticationException.initCause(e2);
                throw dseAuthenticationException;
            }
        } catch (Throwable th) {
            freeConnection(ldapConnection, null);
            throw th;
        }
    }

    public List<String> fetchUserGroups(String str) {
        if (TPC.isTPCThread()) {
            throw new TPCUtils.WouldBlockException("Fetching groups from LDAP would block TPC thread");
        }
        ArrayList arrayList = new ArrayList();
        try {
            try {
                LdapConnection connection = this.connectionPool.getConnection();
                connection.setTimeOut(this.ldapConnectionConfig.getTimeout());
                if (logger.isTraceEnabled()) {
                    logger.trace("[ldap-fetch-user-groups] username: " + str + " connection: " + connection);
                }
                if (this.anonymousSearch) {
                    if (logger.isTraceEnabled()) {
                        logger.trace("[ldap-fetch-user-groups] anonymous bind to connection");
                    }
                    connection.anonymousBind();
                } else {
                    if (logger.isTraceEnabled()) {
                        logger.trace("[ldap-fetch-user-groups] bind to connection");
                    }
                    connection.bind();
                }
                if (this.groupSearchType == GroupSearchType.DIRECTORY_SEARCH) {
                    String format = MessageFormat.format(this.userSearchFilter, str);
                    if (logger.isTraceEnabled()) {
                        logger.trace("[ldap-fetch-user-groups] performing directory search for groups - fetching username: " + str + " with user_search_base: " + this.userSearchBase + ", user_search_filter: " + format);
                    }
                    EntryCursor search = connection.search(this.userSearchBase, format, SearchScope.SUBTREE, new String[0]);
                    if (search.next()) {
                        Dn dn = ((Entry) search.get()).getDn();
                        String format2 = MessageFormat.format(this.groupSearchFilter, dn.toString());
                        if (logger.isTraceEnabled()) {
                            logger.trace("[ldap-fetch-user-groups] looking for groups for userDN: " + dn + " with group_search_base: " + this.groupSearchBase + ", group_search_filter: " + format2);
                        }
                        EntryCursor search2 = connection.search(this.groupSearchBase, MessageFormat.format(this.groupSearchFilter, dn.toString()), SearchScope.SUBTREE, new String[0]);
                        while (search2.next()) {
                            Entry entry = (Entry) search2.get();
                            if (entry.containsAttribute(new String[]{this.groupNameAttribute})) {
                                String string = entry.get(this.groupNameAttribute).getString();
                                if (logger.isTraceEnabled()) {
                                    logger.trace("[ldap-fetch-user-groups] found group: " + string + " for username: " + str);
                                }
                                arrayList.add(string);
                            } else if (logger.isTraceEnabled()) {
                                logger.trace("[ldap-fetch-user-groups] ERROR - group entry: " + entry.getDn() + " does not contain group_name_attribute: " + this.groupNameAttribute);
                            }
                        }
                    } else if (logger.isTraceEnabled()) {
                        logger.trace("[ldap-fetch-user-groups] FAILURE - could not find user entry for username: " + str);
                    }
                } else {
                    String format3 = MessageFormat.format(this.userSearchFilter, str);
                    if (logger.isTraceEnabled()) {
                        logger.trace("[ldap-fetch-user-groups] performing member-of lookup for groups - fetching username: " + str + " with user_search_base: " + this.userSearchBase + ", user_search_filter: " + format3);
                    }
                    EntryCursor search3 = connection.search(this.userSearchBase, format3, SearchScope.SUBTREE, new String[]{this.userMemberOfAttribute});
                    if (search3.next()) {
                        Entry entry2 = (Entry) search3.get();
                        if (entry2.containsAttribute(new String[]{this.userMemberOfAttribute})) {
                            Iterator it2 = entry2.get(this.userMemberOfAttribute).iterator();
                            while (it2.hasNext()) {
                                String str2 = null;
                                Iterator it3 = new Dn(new String[]{((Value) it2.next()).toString()}).iterator();
                                while (it3.hasNext()) {
                                    Rdn rdn = (Rdn) it3.next();
                                    if (rdn.getType().equalsIgnoreCase(this.groupNameAttribute)) {
                                        str2 = rdn.getValue();
                                    }
                                }
                                if (!Strings.isNullOrEmpty(str2)) {
                                    if (logger.isTraceEnabled()) {
                                        logger.trace("[ldap-fetch-user-groups] found group: " + str2 + " for username: " + str);
                                    }
                                    arrayList.add(str2);
                                }
                            }
                        }
                    } else if (logger.isTraceEnabled()) {
                        logger.trace("[ldap-fetch-user-groups] FAILURE - could not find user entry for username: " + str + " or user entry did not have any memberOf attribute entries");
                    }
                }
                freeConnection(connection, null);
            } catch (CursorException | LdapException | RuntimeException e) {
                if (logger.isTraceEnabled()) {
                    logger.trace("[ldap-fetch-user-groups] ERROR - failed to fetch groups for username: " + str, e);
                }
                freeConnection(null, e);
            }
            return arrayList;
        } catch (Throwable th) {
            freeConnection(null, null);
            throw th;
        }
    }

    @Override // com.datastax.bdp.cassandra.auth.LdapUtilsMXBean
    public long getSearchCacheSize() {
        if (searchCache == null) {
            return -1L;
        }
        return searchCache.size();
    }

    @Override // com.datastax.bdp.cassandra.auth.LdapUtilsMXBean
    public long getCredentialsCacheSize() {
        if (credentialsCache == null) {
            return -1L;
        }
        return credentialsCache.size();
    }

    @Override // com.datastax.bdp.cassandra.auth.LdapUtilsMXBean
    public long getConnectionPoolActive() {
        return this.connectionPool.getNumActive();
    }

    @Override // com.datastax.bdp.cassandra.auth.LdapUtilsMXBean
    public long getConnectionPoolIdle() {
        return this.connectionPool.getNumIdle();
    }

    public long getConnectionTimeout() {
        return this.ldapConnectionConfig.getTimeout();
    }

    @Override // com.datastax.bdp.cassandra.auth.LdapUtilsMXBean
    public void invalidateSearchCacheAll() {
        if (searchCache != null) {
            searchCache.invalidateAll();
        }
    }

    @Override // com.datastax.bdp.cassandra.auth.LdapUtilsMXBean
    public void invalidateSearchCache(String str) {
        if (searchCache == null || !StringUtils.isNotEmpty(str)) {
            return;
        }
        searchCache.invalidate(str);
    }

    @Override // com.datastax.bdp.cassandra.auth.LdapUtilsMXBean
    public void invalidateCredentialsCacheAll() {
        if (credentialsCache != null) {
            credentialsCache.invalidateAll();
        }
    }

    @Override // com.datastax.bdp.cassandra.auth.LdapUtilsMXBean
    public void invalidateCredentialsCache(String str) {
        if (credentialsCache == null || !StringUtils.isNotEmpty(str)) {
            return;
        }
        credentialsCache.invalidate(str);
    }

    private void freeConnection(LdapConnection ldapConnection, @Nullable Throwable th) {
        if (ldapConnection != null) {
            try {
                if (th != null) {
                    this.connectionPool.invalidateObject(ldapConnection);
                } else {
                    ldapConnection.setTimeOut(this.ldapConnectionConfig.getTimeout());
                    this.connectionPool.releaseConnection(ldapConnection);
                }
            } catch (Exception e) {
                logger.debug("Failed to release an LDAP connection back to the connection pool", e);
                if (th != null) {
                    th.addSuppressed(e);
                }
            }
        }
    }

    private static Cache<String, Dn> initSearchCache() {
        int ldapSearchValidity = DseConfig.getLdapSearchValidity();
        if (ldapSearchValidity <= 0) {
            return null;
        }
        return CacheBuilder.newBuilder().expireAfterWrite(ldapSearchValidity, TimeUnit.SECONDS).build();
    }

    private static Cache<String, CachedCredentials> initCredentialsCache() {
        int ldapCredentialsValidity = DseConfig.getLdapCredentialsValidity();
        if (ldapCredentialsValidity <= 0) {
            return null;
        }
        return CacheBuilder.newBuilder().expireAfterWrite(ldapCredentialsValidity, TimeUnit.MILLISECONDS).build();
    }

    static {
        $assertionsDisabled = !LdapUtils.class.desiredAssertionStatus();
        logger = LoggerFactory.getLogger(LdapUtils.class);
        searchCache = initSearchCache();
        credentialsCache = initCredentialsCache();
        instance = new LdapUtils();
        MAX_RETRIES = Integer.parseInt(System.getProperty("dse.ldap.max_retries", Profiler.Version));
    }
}
