package com.datastax.bdp.cassandra.auth;

import com.datastax.bdp.config.DseConfig;
import com.datastax.bdp.config.LdapConfig;
import com.datastax.dse.byos.shade.com.google.common.annotations.VisibleForTesting;
import com.datastax.dse.byos.shade.com.google.common.cache.Cache;
import com.datastax.dse.byos.shade.com.google.common.cache.CacheBuilder;
import com.datastax.dse.byos.shade.com.google.common.cache.CacheLoader;
import com.datastax.dse.byos.shade.com.google.common.cache.LoadingCache;
import com.datastax.dse.byos.shade.com.google.common.util.concurrent.Uninterruptibles;
import com.datastax.dse.byos.shade.org.mindrot.jbcrypt.BCrypt;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.text.MessageFormat;
import java.time.Duration;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.annotation.Nonnull;
import javax.annotation.concurrent.NotThreadSafe;
import org.apache.cassandra.auth.AuthenticatedUser;
import org.apache.cassandra.concurrent.TPC;
import org.apache.cassandra.concurrent.TPCUtils;
import org.apache.cassandra.exceptions.AuthenticationException;
import org.apache.cassandra.utils.Throwables;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.directory.api.ldap.model.cursor.CursorException;
import org.apache.directory.api.ldap.model.cursor.CursorLdapReferralException;
import org.apache.directory.api.ldap.model.cursor.EntryCursor;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.entry.Value;
import org.apache.directory.api.ldap.model.exception.LdapAuthenticationException;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.message.SearchScope;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@NotThreadSafe
/* loaded from: input_file:com/datastax/bdp/cassandra/auth/LdapManagerImpl.class */
public class LdapManagerImpl implements LdapManager {
    private static final Logger logger;
    private final Cache<String, Dn> searchCache = initSearchCache();
    private final Cache<String, CachedCredentials> credentialsCache = initCredentialsCache();
    private final LoadingCache<Pair<String, Boolean>, Set<String>> groupCache = initGroupCache();
    private static final int GENSALT_LOG2_ROUNDS = 10;
    private final LdapConnectionProvider ldapConnectionProvider;
    private final LdapConfig.SearchConfig searchConfig;
    private final GroupSearch groupSearch;
    private final GroupSearch allGroupsSearch;
    private static final String[] EMPTY_STRING_ARRAY;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/LdapManagerImpl$CachedCredentials.class */
    private static final class CachedCredentials {
        final String hashedPassword;
        final AuthenticatedUser user;

        CachedCredentials(String str, AuthenticatedUser authenticatedUser) {
            this.hashedPassword = str;
            this.user = authenticatedUser;
        }
    }

    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/LdapManagerImpl$DirectorySearch.class */
    private class DirectorySearch extends GroupSearch {
        private DirectorySearch() {
            super();
        }

        private List<Entry> getParentGroups(LdapConnection ldapConnection, Entry entry, boolean z) throws IOException, LdapException, CursorException {
            LinkedList linkedList = new LinkedList();
            String rfc2254EscapedPattern = LdapManagerImpl.rfc2254EscapedPattern(z ? LdapManagerImpl.this.searchConfig.groupSearchConfig.allParentGroupsSearchFilter : LdapManagerImpl.this.searchConfig.groupSearchConfig.searchFilter, entry.getDn().toString());
            LdapManagerImpl.logger.trace("Searching for parent groups of {} with base {} and filter {} using connection {}", new Object[]{entry.getDn(), LdapManagerImpl.this.searchConfig.groupSearchConfig.searchBases, rfc2254EscapedPattern, ldapConnection});
            Exception exc = null;
            Iterator<String> it2 = LdapManagerImpl.this.searchConfig.groupSearchConfig.searchBases.iterator();
            while (it2.hasNext()) {
                try {
                    EntryCursor search = ldapConnection.search(it2.next(), rfc2254EscapedPattern, SearchScope.SUBTREE, new String[0]);
                    Throwable th = null;
                    while (search.next()) {
                        try {
                            try {
                                Entry safeGetEntry = LdapManagerImpl.safeGetEntry(search);
                                if (safeGetEntry != null && safeGetEntry.containsAttribute(new String[]{LdapManagerImpl.this.searchConfig.groupSearchConfig.nameAttribute})) {
                                    LdapManagerImpl.logger.trace("Found group {}", safeGetEntry.getDn());
                                    linkedList.add(safeGetEntry);
                                }
                            } catch (Throwable th2) {
                                th = th2;
                                throw th2;
                                break;
                            }
                        } catch (Throwable th3) {
                            if (search != null) {
                                if (th != null) {
                                    try {
                                        search.close();
                                    } catch (Throwable th4) {
                                        th.addSuppressed(th4);
                                    }
                                } else {
                                    search.close();
                                }
                            }
                            throw th3;
                            break;
                        }
                    }
                    if (search != null) {
                        if (0 != 0) {
                            try {
                                search.close();
                            } catch (Throwable th5) {
                                th.addSuppressed(th5);
                            }
                        } else {
                            search.close();
                        }
                    }
                } catch (Exception e) {
                    exc = e;
                }
            }
            if (!linkedList.isEmpty() || exc == null) {
                return linkedList;
            }
            if (exc instanceof CursorException) {
                throw ((CursorException) exc);
            }
            if (exc instanceof LdapException) {
                throw ((LdapException) exc);
            }
            if (exc instanceof IOException) {
                throw ((IOException) exc);
            }
            throw new RuntimeException(exc);
        }

        @Override // com.datastax.bdp.cassandra.auth.LdapManagerImpl.GroupSearch
        void populateParentGroups(LdapConnection ldapConnection, Entry entry, Set<String> set, FetchMode fetchMode) throws IOException, LdapException, CursorException {
            for (Entry entry2 : getParentGroups(ldapConnection, entry, fetchMode == FetchMode.ALL_PARENTS_OPTIMIZED)) {
                if (set.add(entry2.get(LdapManagerImpl.this.searchConfig.groupSearchConfig.nameAttribute).getString()) && fetchMode == FetchMode.ALL_PARENTS) {
                    populateParentGroups(ldapConnection, entry2, set, fetchMode);
                }
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/LdapManagerImpl$FetchMode.class */
    public enum FetchMode {
        DIRECT_PARENTS,
        ALL_PARENTS,
        ALL_PARENTS_OPTIMIZED
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/LdapManagerImpl$GroupSearch.class */
    public abstract class GroupSearch {
        private GroupSearch() {
        }

        String[] attributes(FetchMode fetchMode) {
            return LdapManagerImpl.EMPTY_STRING_ARRAY;
        }

        abstract void populateParentGroups(LdapConnection ldapConnection, Entry entry, Set<String> set, FetchMode fetchMode) throws IOException, LdapException, CursorException;

        Set<String> getParentGroups(LdapConnection ldapConnection, String str, FetchMode fetchMode) throws LdapException, CursorException, IOException {
            HashSet hashSet = new HashSet();
            Optional userOrGroup = LdapManagerImpl.this.getUserOrGroup(ldapConnection, str, attributes(fetchMode));
            if (userOrGroup.isPresent()) {
                populateParentGroups(ldapConnection, (Entry) userOrGroup.get(), hashSet, fetchMode);
            }
            LdapManagerImpl.logger.trace("Found parent the following parent groups of {}: {}", str, hashSet);
            return hashSet;
        }
    }

    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/LdapManagerImpl$MemberOfSearch.class */
    private class MemberOfSearch extends GroupSearch {
        private MemberOfSearch() {
            super();
        }

        /* JADX WARN: Failed to calculate best type for var: r12v1 ??
        java.lang.NullPointerException
         */
        /* JADX WARN: Failed to calculate best type for var: r13v0 ??
        java.lang.NullPointerException
         */
        /* JADX WARN: Multi-variable type inference failed. Error: java.lang.NullPointerException
         */
        /* JADX WARN: Not initialized variable reg: 12, insn: 0x007a: MOVE (r0 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]) = (r12 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]) A[TRY_LEAVE], block:B:26:0x007a */
        /* JADX WARN: Not initialized variable reg: 13, insn: 0x007e: MOVE (r0 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]) = (r13 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]), block:B:28:0x007e */
        /* JADX WARN: Type inference failed for: r12v1, types: [org.apache.directory.api.ldap.model.cursor.EntryCursor] */
        /* JADX WARN: Type inference failed for: r13v0, types: [java.lang.Throwable] */
        private Optional<Entry> getGroup(LdapConnection ldapConnection, Dn dn) throws LdapException, CursorException {
            LdapManagerImpl.logger.trace("Searching for a group with base {} and filter (objectclass=*) using connection {}", dn, ldapConnection);
            try {
                try {
                    EntryCursor search = ldapConnection.search(dn, "(objectclass=*)", SearchScope.SUBTREE, new String[]{LdapManagerImpl.this.searchConfig.groupSearchConfig.userMemberOfAttribute});
                    Throwable th = null;
                    Optional<Entry> ofNullable = search.next() ? Optional.ofNullable(LdapManagerImpl.safeGetEntry(search)) : Optional.empty();
                    if (search != null) {
                        if (0 != 0) {
                            try {
                                search.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            search.close();
                        }
                    }
                    return ofNullable;
                } finally {
                }
            } catch (IOException e) {
                throw new LdapException(e);
            }
        }

        private List<Dn> extractGroupsFromEntry(Entry entry) throws LdapException {
            LdapManagerImpl.logger.trace("Extracting attribute {} values from entry {}", LdapManagerImpl.this.searchConfig.groupSearchConfig.userMemberOfAttribute, entry);
            LinkedList linkedList = new LinkedList();
            if (entry != null && entry.containsAttribute(new String[]{LdapManagerImpl.this.searchConfig.groupSearchConfig.userMemberOfAttribute})) {
                for (Value value : entry.get(LdapManagerImpl.this.searchConfig.groupSearchConfig.userMemberOfAttribute)) {
                    if (value.isHumanReadable() && !value.isNull()) {
                        Dn dn = new Dn(new String[]{value.toString()});
                        LdapManagerImpl.logger.trace("Found group {}", dn);
                        linkedList.add(dn);
                    }
                }
            }
            return linkedList;
        }

        /* JADX WARN: Multi-variable type inference failed */
        @Override // com.datastax.bdp.cassandra.auth.LdapManagerImpl.GroupSearch
        void populateParentGroups(LdapConnection ldapConnection, Entry entry, Set<String> set, FetchMode fetchMode) throws LdapException, CursorException {
            for (Dn dn : extractGroupsFromEntry(entry)) {
                Optional findFirst = dn.getRdns().stream().filter(rdn -> {
                    return LdapManagerImpl.this.searchConfig.groupSearchConfig.nameAttribute.equalsIgnoreCase(rdn.getType());
                }).map((v0) -> {
                    return v0.getValue();
                }).filter((v0) -> {
                    return StringUtils.isNotBlank(v0);
                }).findFirst();
                if (findFirst.isPresent() && set.add(findFirst.get()) && fetchMode == FetchMode.ALL_PARENTS) {
                    Optional<Entry> group = getGroup(ldapConnection, dn);
                    if (group.isPresent()) {
                        populateParentGroups(ldapConnection, group.get(), set, fetchMode);
                    }
                }
            }
        }

        @Override // com.datastax.bdp.cassandra.auth.LdapManagerImpl.GroupSearch
        String[] attributes(FetchMode fetchMode) {
            String[] strArr = new String[1];
            strArr[0] = fetchMode == FetchMode.ALL_PARENTS_OPTIMIZED ? LdapManagerImpl.this.searchConfig.groupSearchConfig.allParentGroupsMemberOfAttribute : LdapManagerImpl.this.searchConfig.groupSearchConfig.userMemberOfAttribute;
            return strArr;
        }
    }

    public LdapManagerImpl(@Nonnull LdapConnectionProvider ldapConnectionProvider, @Nonnull LdapConfig.SearchConfig searchConfig) {
        this.ldapConnectionProvider = ldapConnectionProvider;
        this.searchConfig = searchConfig;
        switch (searchConfig.groupSearchConfig.searchType) {
            case DIRECTORY_SEARCH:
                this.groupSearch = new DirectorySearch();
                break;
            case MEMBEROF_SEARCH:
                this.groupSearch = new MemberOfSearch();
                break;
            default:
                throw new AssertionError("Unknown group search type");
        }
        if (searchConfig.groupSearchConfig.allParentGroupsSearchType == null) {
            this.allGroupsSearch = null;
            return;
        }
        switch (searchConfig.groupSearchConfig.allParentGroupsSearchType) {
            case DIRECTORY_SEARCH:
                this.allGroupsSearch = new DirectorySearch();
                return;
            case MEMBEROF_SEARCH:
                this.allGroupsSearch = new MemberOfSearch();
                return;
            default:
                throw new AssertionError("Unknown all groups search type");
        }
    }

    @Override // com.datastax.bdp.cassandra.auth.LdapManager
    public AuthenticatedUser authenticate(Credentials credentials) throws AuthenticationException {
        logger.trace("Authenticating user {}", credentials);
        if (StringUtils.isEmpty(credentials.authenticationUser) || StringUtils.isEmpty(credentials.password)) {
            logger.debug("Either the username or password were null or zero length");
            throw new DseAuthenticationException(credentials.authorizationUser, credentials.authenticationUser);
        }
        if (this.credentialsCache == null) {
            return doAuthenticationWithRetry(credentials.authenticationUser, credentials.password);
        }
        CachedCredentials ifPresent = this.credentialsCache.getIfPresent(credentials.authenticationUser);
        if (ifPresent == null || !BCrypt.checkpw(credentials.password, ifPresent.hashedPassword)) {
            this.credentialsCache.invalidate(credentials.authenticationUser);
            ifPresent = new CachedCredentials(BCrypt.hashpw(credentials.password, BCrypt.gensalt(10)), doAuthenticationWithRetry(credentials.authenticationUser, credentials.password));
            this.credentialsCache.put(credentials.authenticationUser, ifPresent);
        }
        return ifPresent.user;
    }

    private AuthenticatedUser doAuthenticationWithRetry(String str, String str2) {
        AuthenticationException authenticationException = null;
        for (int i = 0; i <= this.searchConfig.maxRetries; i++) {
            if (i > 0) {
                try {
                    logger.trace("Attempting authentication of {} retry {}/{}", new Object[]{str, Integer.valueOf(i), Integer.valueOf(this.searchConfig.maxRetries)});
                } catch (AuthenticationException e) {
                    if (authenticationException == null) {
                        authenticationException = e;
                    } else {
                        authenticationException.addSuppressed(e);
                    }
                    Uninterruptibles.sleepUninterruptibly(this.searchConfig.retryInterval.toNanos(), TimeUnit.NANOSECONDS);
                }
            }
            return doAuthentication(str, str2);
        }
        if ($assertionsDisabled || authenticationException != null) {
            throw authenticationException;
        }
        throw new AssertionError();
    }

    private AuthenticatedUser doAuthentication(String str, String str2) throws AuthenticationException {
        Dn ifPresent = this.searchCache == null ? null : this.searchCache.getIfPresent(str);
        boolean z = true;
        if (ifPresent == null) {
            logger.trace("Username: {} not found in cache", str);
            ifPresent = fetchUserDn(str);
            if (ifPresent == null) {
                logger.trace("Could not find user DN for username: {}", str);
                throw new DseAuthenticationException(str);
            }
            z = false;
        }
        try {
            if (userCanBind(ifPresent, str2)) {
                logger.trace("Authentication succeeded: username: {}, user DN: {}", str, ifPresent);
                if (!z && this.searchCache != null) {
                    this.searchCache.put(str, ifPresent);
                }
                return new AuthenticatedUser(str);
            }
            logger.trace("Bind failed for username: {}, user DN: {}", str, ifPresent);
            if (z) {
                logger.trace("User DN was in cache so looking for new DN");
                Dn fetchUserDn = fetchUserDn(str);
                if (fetchUserDn == null) {
                    logger.trace("Could not find user DN for username: {}", str);
                    throw new DseAuthenticationException(str);
                }
                if (!fetchUserDn.equals(ifPresent)) {
                    logger.trace("Found new DN: {} for username {} so attempting to bind again. Old DN was: {}", new Object[]{fetchUserDn, str, ifPresent});
                    if (userCanBind(fetchUserDn, str2)) {
                        logger.trace("Authentication succeeded: username: {}, user DN: {}, new DN will be put into cache", str, ifPresent);
                        this.searchCache.put(str, fetchUserDn);
                        return new AuthenticatedUser(str);
                    }
                }
            }
            if (this.searchCache != null) {
                this.searchCache.invalidate(str);
            }
            logger.trace("Failed to authenticate user {}", str);
            throw new DseAuthenticationException(str);
        } catch (RuntimeException e) {
            logger.warn("Unexpected authentication error for username: " + str, e);
            if (this.searchCache != null) {
                this.searchCache.invalidate(str);
            }
            AuthenticationException authenticationException = new AuthenticationException(str);
            authenticationException.initCause(e);
            throw authenticationException;
        }
    }

    private boolean userCanBind(Dn dn, String str) {
        if (TPC.isTPCThread()) {
            throw new TPCUtils.WouldBlockException("Binding LDAP user would block TPC thread");
        }
        try {
            LdapConnection connection = this.ldapConnectionProvider.getConnection();
            Throwable th = null;
            try {
                logger.trace("Trying to bind user DN: {} with connection: {}", dn, connection);
                connection.bind(dn, str);
                logger.trace("Successfully bound user user DN: {}", dn);
                if (connection != null) {
                    if (0 != 0) {
                        try {
                            connection.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        connection.close();
                    }
                }
                return true;
            } catch (Throwable th3) {
                if (connection != null) {
                    if (0 != 0) {
                        try {
                            connection.close();
                        } catch (Throwable th4) {
                            th.addSuppressed(th4);
                        }
                    } else {
                        connection.close();
                    }
                }
                throw th3;
            }
        } catch (LdapException | IOException | RuntimeException e) {
            logger.trace("Failed to bind user DN: " + dn, e);
            return false;
        }
    }

    private static String doRFC2254Escaping(String str) {
        byte[] bytes = str.getBytes(StandardCharsets.UTF_8);
        StringBuilder sb = new StringBuilder(bytes.length);
        for (byte b : bytes) {
            if (b == 42 || b == 40 || b == 41 || b == 92 || b < 32) {
                sb.append('\\').append("0123456789abcdef".charAt((b >> 4) & 15)).append("0123456789abcdef".charAt(b & 15));
            } else {
                sb.append((char) b);
            }
        }
        return sb.toString();
    }

    @VisibleForTesting
    static String rfc2254EscapedPattern(String str, String str2) {
        return MessageFormat.format(str, doRFC2254Escaping(str2));
    }

    private void bind(LdapConnection ldapConnection) throws LdapException {
        if (this.searchConfig.anonymousSearch) {
            logger.trace("Binding anonymously to connection {} for searching", ldapConnection);
            ldapConnection.anonymousBind();
        } else {
            logger.trace("Binding to connection {} for searching", ldapConnection);
            ldapConnection.bind();
        }
    }

    private Dn fetchUserDn(String str) throws AuthenticationException {
        LdapConnection connection;
        Throwable th;
        Optional<Entry> user;
        if (TPC.isTPCThread()) {
            throw new TPCUtils.WouldBlockException("Fetching user from LDAP would block TPC thread");
        }
        try {
            try {
                connection = this.ldapConnectionProvider.getConnection();
                th = null;
                try {
                    try {
                        bind(connection);
                        user = getUser(connection, str, false, new String[0]);
                    } finally {
                    }
                } catch (Throwable th2) {
                    if (connection != null) {
                        if (th != null) {
                            try {
                                connection.close();
                            } catch (Throwable th3) {
                                th.addSuppressed(th3);
                            }
                        } else {
                            connection.close();
                        }
                    }
                    throw th2;
                }
            } catch (CursorException | LdapException | IOException | RuntimeException e) {
                logger.warn("Failed to find entry for username: " + str, e);
                DseAuthenticationException dseAuthenticationException = new DseAuthenticationException(str);
                dseAuthenticationException.initCause(e);
                throw dseAuthenticationException;
            }
        } catch (LdapAuthenticationException e2) {
            logger.error("Failed to bind to LDAP connection for searching. Check LDAP search DN and password.", e2);
        }
        if (user.isPresent()) {
            Dn dn = user.get().getDn();
            if (connection != null) {
                if (0 != 0) {
                    try {
                        connection.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    connection.close();
                }
            }
            return dn;
        }
        if (connection != null) {
            if (0 != 0) {
                try {
                    connection.close();
                } catch (Throwable th5) {
                    th.addSuppressed(th5);
                }
            } else {
                connection.close();
            }
        }
        logger.trace("Did not find entry for username: {}", str);
        throw new DseAuthenticationException(str);
    }

    private static void handleReferralException(CursorLdapReferralException cursorLdapReferralException) {
        String str = "<empty>";
        try {
            str = cursorLdapReferralException.getReferralInfo();
        } catch (RuntimeException e) {
        }
        logger.warn("A search reference to {} was returned but we do not support search references", str);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static Entry safeGetEntry(EntryCursor entryCursor) throws CursorException {
        try {
            return (Entry) entryCursor.get();
        } catch (CursorLdapReferralException e) {
            handleReferralException(e);
            return null;
        }
    }

    @Override // com.datastax.bdp.cassandra.auth.LdapManager
    public Set<String> fetchUserGroups(String str, boolean z) {
        if (this.groupCache == null) {
            logger.trace("Fetching parent groups of {} from LDAP (include inherited groups: {})", str, Boolean.valueOf(z));
            return fetchUserGroupsInternal(str, z);
        }
        logger.trace("Fetching parent groups of {} from cache (include inherited groups: {})", str, Boolean.valueOf(z));
        return this.groupCache.getUnchecked(Pair.of(str, Boolean.valueOf(z)));
    }

    /* JADX WARN: Failed to calculate best type for var: r10v0 ??
    java.lang.NullPointerException
     */
    /* JADX WARN: Failed to calculate best type for var: r11v0 ??
    java.lang.NullPointerException
     */
    /* JADX WARN: Multi-variable type inference failed. Error: java.lang.NullPointerException
     */
    /* JADX WARN: Not initialized variable reg: 10, insn: 0x00de: MOVE (r0 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]) = (r10 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]) A[TRY_LEAVE], block:B:48:0x00de */
    /* JADX WARN: Not initialized variable reg: 11, insn: 0x00e2: MOVE (r0 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]) = (r11 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]), block:B:50:0x00e2 */
    /* JADX WARN: Type inference failed for: r10v0, types: [org.apache.directory.ldap.client.api.LdapConnection] */
    /* JADX WARN: Type inference failed for: r11v0, types: [java.lang.Throwable] */
    private Set<String> fetchUserGroupsInternal(String str, boolean z) {
        if (TPC.isTPCThread()) {
            throw new TPCUtils.WouldBlockException("Fetching groups from LDAP would block TPC thread");
        }
        try {
            try {
                LdapConnection connection = this.ldapConnectionProvider.getConnection();
                Throwable th = null;
                bind(connection);
                if (this.allGroupsSearch == null || !z) {
                    logger.trace("Fetching parent groups of {} using connection {} (include inherited groups: {})", new Object[]{str, connection, Boolean.valueOf(z)});
                    Set<String> unmodifiableSet = Collections.unmodifiableSet(this.groupSearch.getParentGroups(connection, str, z ? FetchMode.ALL_PARENTS : FetchMode.DIRECT_PARENTS));
                    if (connection != null) {
                        if (0 != 0) {
                            try {
                                connection.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            connection.close();
                        }
                    }
                    return unmodifiableSet;
                }
                logger.trace("Fetching parent groups of {} using connection {} and optimized search for all parents", str, connection);
                Set<String> unmodifiableSet2 = Collections.unmodifiableSet(this.allGroupsSearch.getParentGroups(connection, str, FetchMode.ALL_PARENTS_OPTIMIZED));
                if (connection != null) {
                    if (0 != 0) {
                        try {
                            connection.close();
                        } catch (Throwable th3) {
                            th.addSuppressed(th3);
                        }
                    } else {
                        connection.close();
                    }
                }
                return unmodifiableSet2;
            } finally {
            }
        } catch (Exception e) {
            logger.warn("Failed to fetch parent groups of " + str, e);
            throw Throwables.cleaned(e);
        }
        logger.warn("Failed to fetch parent groups of " + str, e);
        throw Throwables.cleaned(e);
    }

    private Optional<Entry> getUser(LdapConnection ldapConnection, String str, boolean z, String... strArr) throws LdapException, CursorException {
        Optional<Entry> user;
        logger.trace("Searching for a user {} with attributes {}, using bases {}", new Object[]{str, Arrays.toString(strArr), this.searchConfig.userSearchBases});
        CursorLdapReferralException cursorLdapReferralException = null;
        LdapException ldapException = null;
        for (String str2 : this.searchConfig.userSearchBases) {
            try {
                user = getUser(ldapConnection, str2, str, z, strArr);
            } catch (CursorLdapReferralException e) {
                handleReferralException(e);
                cursorLdapReferralException = updatedException(cursorLdapReferralException, e);
            } catch (LdapException e2) {
                logger.debug("Failed to get user {} using search base {} due to: {}", new Object[]{str, str2, e2.getMessage()});
                ldapException = updatedException(ldapException, e2);
            }
            if (user.isPresent()) {
                return user;
            }
        }
        if (ldapException != null) {
            throw ldapException;
        }
        if (cursorLdapReferralException != null) {
            throw cursorLdapReferralException;
        }
        return Optional.empty();
    }

    /* JADX WARN: Failed to calculate best type for var: r14v2 ??
    java.lang.NullPointerException
     */
    /* JADX WARN: Failed to calculate best type for var: r15v0 ??
    java.lang.NullPointerException
     */
    /* JADX WARN: Multi-variable type inference failed. Error: java.lang.NullPointerException
     */
    /* JADX WARN: Not initialized variable reg: 14, insn: 0x00a5: MOVE (r0 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]) = (r14 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]) A[TRY_LEAVE], block:B:29:0x00a5 */
    /* JADX WARN: Not initialized variable reg: 15, insn: 0x00aa: MOVE (r0 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]) = (r15 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]), block:B:31:0x00aa */
    /* JADX WARN: Type inference failed for: r14v2, types: [org.apache.directory.api.ldap.model.cursor.EntryCursor] */
    /* JADX WARN: Type inference failed for: r15v0, types: [java.lang.Throwable] */
    private Optional<Entry> getUser(LdapConnection ldapConnection, String str, String str2, boolean z, String... strArr) throws LdapException, CursorLdapReferralException {
        ?? r14;
        ?? r15;
        String rfc2254EscapedPattern = rfc2254EscapedPattern(this.searchConfig.userSearchFilter, str2);
        logger.trace("Searching for a user {} with attributes {}, using base {} and filter {}", new Object[]{str2, Arrays.toString(strArr), str, rfc2254EscapedPattern});
        try {
            try {
                try {
                    EntryCursor search = ldapConnection.search(str, rfc2254EscapedPattern, SearchScope.SUBTREE, strArr);
                    Throwable th = null;
                    Optional<Entry> ofNullable = search.next() ? z ? Optional.ofNullable(search.get()) : Optional.ofNullable(safeGetEntry(search)) : Optional.empty();
                    if (search != null) {
                        if (0 != 0) {
                            try {
                                search.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            search.close();
                        }
                    }
                    return ofNullable;
                } catch (Throwable th3) {
                    if (r14 != 0) {
                        if (r15 != 0) {
                            try {
                                r14.close();
                            } catch (Throwable th4) {
                                r15.addSuppressed(th4);
                            }
                        } else {
                            r14.close();
                        }
                    }
                    throw th3;
                }
            } catch (IOException | CursorException e) {
                throw new LdapException(e.getMessage(), e);
            }
        } catch (CursorLdapReferralException e2) {
            throw e2;
        }
    }

    private Optional<Entry> getGroup(LdapConnection ldapConnection, String str, boolean z, String... strArr) throws LdapException, CursorException {
        Optional<Entry> group;
        logger.trace("Searching for a group {} with attributes {}, using bases {}", new Object[]{str, Arrays.toString(strArr), this.searchConfig.groupSearchConfig.searchBases});
        CursorLdapReferralException cursorLdapReferralException = null;
        LdapException ldapException = null;
        for (String str2 : this.searchConfig.groupSearchConfig.searchBases) {
            try {
                group = getGroup(ldapConnection, str2, str, z, strArr);
            } catch (LdapException e) {
                logger.debug("Failed to get group {} using search base {} due to: {}", new Object[]{str, str2, e.getMessage()});
                ldapException = updatedException(ldapException, e);
            } catch (CursorLdapReferralException e2) {
                handleReferralException(e2);
                cursorLdapReferralException = updatedException(cursorLdapReferralException, e2);
            }
            if (group.isPresent()) {
                return group;
            }
        }
        if (ldapException != null) {
            throw ldapException;
        }
        if (cursorLdapReferralException != null) {
            throw cursorLdapReferralException;
        }
        return Optional.empty();
    }

    private <T extends Throwable> T updatedException(T t, T t2) {
        if (t == null) {
            return t2;
        }
        t.addSuppressed(t2);
        return t;
    }

    /* JADX WARN: Failed to calculate best type for var: r14v2 ??
    java.lang.NullPointerException
     */
    /* JADX WARN: Failed to calculate best type for var: r15v0 ??
    java.lang.NullPointerException
     */
    /* JADX WARN: Multi-variable type inference failed. Error: java.lang.NullPointerException
     */
    /* JADX WARN: Not initialized variable reg: 14, insn: 0x00a8: MOVE (r0 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]) = (r14 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]) A[TRY_LEAVE], block:B:29:0x00a8 */
    /* JADX WARN: Not initialized variable reg: 15, insn: 0x00ad: MOVE (r0 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]) = (r15 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]), block:B:31:0x00ad */
    /* JADX WARN: Type inference failed for: r14v2, types: [org.apache.directory.api.ldap.model.cursor.EntryCursor] */
    /* JADX WARN: Type inference failed for: r15v0, types: [java.lang.Throwable] */
    private Optional<Entry> getGroup(LdapConnection ldapConnection, String str, String str2, boolean z, String... strArr) throws LdapException, CursorLdapReferralException {
        ?? r14;
        ?? r15;
        String rfc2254EscapedPattern = rfc2254EscapedPattern(this.searchConfig.groupSearchConfig.searchFilter, str2);
        logger.trace("Searching for a group {} with attributes {}, using base {} and filter {}", new Object[]{str2, Arrays.toString(strArr), str, rfc2254EscapedPattern});
        try {
            try {
                try {
                    EntryCursor search = ldapConnection.search(str, rfc2254EscapedPattern, SearchScope.SUBTREE, strArr);
                    Throwable th = null;
                    Optional<Entry> ofNullable = search.next() ? z ? Optional.ofNullable(search.get()) : Optional.ofNullable(safeGetEntry(search)) : Optional.empty();
                    if (search != null) {
                        if (0 != 0) {
                            try {
                                search.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            search.close();
                        }
                    }
                    return ofNullable;
                } catch (Throwable th3) {
                    if (r14 != 0) {
                        if (r15 != 0) {
                            try {
                                r14.close();
                            } catch (Throwable th4) {
                                r15.addSuppressed(th4);
                            }
                        } else {
                            r14.close();
                        }
                    }
                    throw th3;
                }
            } catch (IOException | CursorException e) {
                throw new LdapException(e.getMessage(), e);
            }
        } catch (CursorLdapReferralException e2) {
            throw e2;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public Optional<Entry> getUserOrGroup(LdapConnection ldapConnection, String str, String... strArr) throws LdapException, CursorException {
        logger.trace("Searching for a user or group {}", str);
        try {
            Optional<Entry> user = getUser(ldapConnection, str, true, strArr);
            if (!user.isPresent()) {
                user = getGroup(ldapConnection, str, true, strArr);
            }
            return user;
        } catch (CursorLdapReferralException e) {
            handleReferralException(e);
            return Optional.empty();
        }
    }

    @Override // com.datastax.bdp.cassandra.auth.LdapManager
    public long getSearchCacheSize() {
        if (this.searchCache == null) {
            return -1L;
        }
        return this.searchCache.size();
    }

    @Override // com.datastax.bdp.cassandra.auth.LdapManager
    public long getCredentialsCacheSize() {
        if (this.credentialsCache == null) {
            return -1L;
        }
        return this.credentialsCache.size();
    }

    @Override // com.datastax.bdp.cassandra.auth.LdapManager
    public void invalidateSearchCacheAll() {
        if (this.searchCache != null) {
            logger.trace("Invalidating all entries in credentials cache");
            this.searchCache.invalidateAll();
        }
    }

    @Override // com.datastax.bdp.cassandra.auth.LdapManager
    public void invalidateSearchCache(String str) {
        if (this.searchCache == null || !StringUtils.isNotEmpty(str)) {
            return;
        }
        logger.trace("Invalidating entry {} in search cache", str);
        this.searchCache.invalidate(str);
    }

    @Override // com.datastax.bdp.cassandra.auth.LdapManager
    public void invalidateCredentialsCacheAll() {
        if (this.credentialsCache != null) {
            logger.trace("Invalidating all entries in credentials cache");
            this.credentialsCache.invalidateAll();
        }
    }

    @Override // com.datastax.bdp.cassandra.auth.LdapManager
    public void invalidateCredentialsCache(String str) {
        if (this.credentialsCache == null || !StringUtils.isNotEmpty(str)) {
            return;
        }
        logger.trace("Invalidating entry {} in credentials cache", str);
        this.credentialsCache.invalidate(str);
    }

    private Cache<String, Dn> initSearchCache() {
        Duration duration = this.searchConfig.cachingOptions.searchValidity;
        if (duration.isZero()) {
            return null;
        }
        return CacheBuilder.newBuilder().expireAfterWrite(duration.toNanos(), TimeUnit.NANOSECONDS).build();
    }

    private Cache<String, CachedCredentials> initCredentialsCache() {
        Duration duration = this.searchConfig.cachingOptions.credentialsValidity;
        if (duration.isZero()) {
            return null;
        }
        return CacheBuilder.newBuilder().expireAfterWrite(duration.toNanos(), TimeUnit.NANOSECONDS).build();
    }

    private LoadingCache<Pair<String, Boolean>, Set<String>> initGroupCache() {
        Duration duration = DseConfig.getLdapConfig().searchConfig.cachingOptions.searchValidity;
        if (duration.isZero()) {
            return null;
        }
        return CacheBuilder.newBuilder().expireAfterWrite(duration.toMillis(), TimeUnit.MILLISECONDS).build(CacheLoader.from(pair -> {
            return fetchUserGroupsInternal((String) pair.getLeft(), ((Boolean) pair.getRight()).booleanValue());
        }));
    }

    static {
        $assertionsDisabled = !LdapManagerImpl.class.desiredAssertionStatus();
        logger = LoggerFactory.getLogger(LdapManagerImpl.class);
        EMPTY_STRING_ARRAY = new String[0];
    }
}
