package org.elasticsearch.xpack.security.authc.ldap;

import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.GetEntryLDAPConnectionPoolHealthCheck;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionPool;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.LDAPInterface;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.ServerSet;
import com.unboundid.ldap.sdk.SimpleBindRequest;
import java.io.Closeable;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.util.IOUtils;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.CheckedConsumer;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.xpack.security.authc.RealmConfig;
import org.elasticsearch.xpack.security.authc.RealmSettings;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapMetaDataResolver;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapSearchScope;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapSession;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils;
import org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory;
import org.elasticsearch.xpack.security.authc.support.CharArrays;
import org.elasticsearch.xpack.ssl.SSLService;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactory.class */
public class LdapUserSearchSessionFactory extends SessionFactory {
    static final int DEFAULT_CONNECTION_POOL_INITIAL_SIZE = 0;
    static final String DEFAULT_USERNAME_ATTRIBUTE = "uid";
    static final String SEARCH_PREFIX = "user_search.";
    private final String userSearchBaseDn;
    private final LdapSearchScope scope;
    private final String userAttribute;
    private final LdapSession.GroupsResolver groupResolver;
    private final boolean useConnectionPool;
    private final LDAPConnectionPool connectionPool;
    private final LdapMetaDataResolver metaDataResolver;
    static final TimeValue DEFAULT_HEALTH_CHECK_INTERVAL = TimeValue.timeValueSeconds(60);
    private static final Setting<String> SEARCH_BASE_DN = Setting.simpleString("user_search.base_dn", new Setting.Property[]{Setting.Property.NodeScope});
    private static final Setting<String> SEARCH_ATTRIBUTE = new Setting<>("user_search.attribute", "uid", Function.identity(), new Setting.Property[]{Setting.Property.NodeScope});
    private static final Setting<LdapSearchScope> SEARCH_SCOPE = new Setting<>("user_search.scope", (String) null, str -> {
        return LdapSearchScope.resolve(str, LdapSearchScope.SUB_TREE);
    }, new Setting.Property[]{Setting.Property.NodeScope});
    private static final Setting<Boolean> POOL_ENABLED = Setting.boolSetting("user_search.pool.enabled", true, new Setting.Property[]{Setting.Property.NodeScope});
    private static final Setting<Integer> POOL_INITIAL_SIZE = Setting.intSetting("user_search.pool.initial_size", 0, 0, new Setting.Property[]{Setting.Property.NodeScope});
    static final int DEFAULT_CONNECTION_POOL_SIZE = 20;
    private static final Setting<Integer> POOL_SIZE = Setting.intSetting("user_search.pool.size", DEFAULT_CONNECTION_POOL_SIZE, 1, new Setting.Property[]{Setting.Property.NodeScope});
    private static final Setting<TimeValue> HEALTH_CHECK_INTERVAL = Setting.timeSetting("user_search.pool.health_check.interval", DEFAULT_HEALTH_CHECK_INTERVAL, new Setting.Property[]{Setting.Property.NodeScope});
    private static final Setting<Boolean> HEALTH_CHECK_ENABLED = Setting.boolSetting("user_search.pool.health_check.enabled", true, new Setting.Property[]{Setting.Property.NodeScope});
    private static final Setting<Optional<String>> HEALTH_CHECK_DN = new Setting<>("user_search.pool.health_check.dn", (String) null, (v0) -> {
        return Optional.ofNullable(v0);
    }, new Setting.Property[]{Setting.Property.NodeScope});
    private static final Setting<String> BIND_DN = Setting.simpleString("bind_dn", new Setting.Property[]{Setting.Property.NodeScope});
    private static final Setting<String> BIND_PASSWORD = Setting.simpleString("bind_password", new Setting.Property[]{Setting.Property.NodeScope});

    /* JADX INFO: Access modifiers changed from: package-private */
    public LdapUserSearchSessionFactory(RealmConfig realmConfig, SSLService sSLService) throws LDAPException {
        super(realmConfig, sSLService);
        Settings settings = realmConfig.settings();
        if (!SEARCH_BASE_DN.exists(settings)) {
            throw new IllegalArgumentException("[" + RealmSettings.getFullSettingKey(realmConfig, SEARCH_BASE_DN) + "] must be specified");
        }
        this.userSearchBaseDn = (String) SEARCH_BASE_DN.get(settings);
        this.scope = (LdapSearchScope) SEARCH_SCOPE.get(settings);
        this.userAttribute = (String) SEARCH_ATTRIBUTE.get(settings);
        this.groupResolver = groupResolver(settings);
        this.metaDataResolver = new LdapMetaDataResolver(realmConfig.settings(), this.ignoreReferralErrors);
        this.useConnectionPool = ((Boolean) POOL_ENABLED.get(settings)).booleanValue();
        if (this.useConnectionPool) {
            this.connectionPool = createConnectionPool(realmConfig, this.serverSet, this.timeout, this.logger);
        } else {
            this.connectionPool = null;
        }
        this.logger.info("Realm [{}] is in user-search mode - base_dn=[{}], attribute=[{}]", realmConfig.name(), this.userSearchBaseDn, this.userAttribute);
    }

    static LDAPConnectionPool createConnectionPool(RealmConfig realmConfig, ServerSet serverSet, TimeValue timeValue, Logger logger) throws LDAPException {
        Settings settings = realmConfig.settings();
        SimpleBindRequest bindRequest = bindRequest(settings);
        int intValue = ((Integer) POOL_INITIAL_SIZE.get(settings)).intValue();
        int intValue2 = ((Integer) POOL_SIZE.get(settings)).intValue();
        LDAPConnectionPool lDAPConnectionPool = null;
        try {
            LDAPConnectionPool lDAPConnectionPool2 = (LDAPConnectionPool) LdapUtils.privilegedConnect(() -> {
                return new LDAPConnectionPool(serverSet, bindRequest, intValue, intValue2);
            });
            lDAPConnectionPool2.setRetryFailedOperationsDueToInvalidConnections(true);
            if (((Boolean) HEALTH_CHECK_ENABLED.get(settings)).booleanValue()) {
                String str = (String) ((Optional) HEALTH_CHECK_DN.get(settings)).orElseGet(() -> {
                    if (bindRequest == null) {
                        return null;
                    }
                    return bindRequest.getBindDN();
                });
                long millis = ((TimeValue) HEALTH_CHECK_INTERVAL.get(settings)).millis();
                if (str != null) {
                    lDAPConnectionPool2.setHealthCheck(new GetEntryLDAPConnectionPoolHealthCheck(str, timeValue.millis(), false, false, false, true, false));
                    lDAPConnectionPool2.setHealthCheckIntervalMillis(millis);
                } else {
                    logger.warn("[" + RealmSettings.getFullSettingKey(realmConfig, BIND_DN) + "] and [" + RealmSettings.getFullSettingKey(realmConfig, HEALTH_CHECK_DN) + "] have not been specified so no ldap query will be run as a health check");
                }
            }
            if (1 == 0 && lDAPConnectionPool2 != null) {
                lDAPConnectionPool2.close();
            }
            return lDAPConnectionPool2;
        } catch (Throwable th) {
            if (0 == 0 && 0 != 0) {
                lDAPConnectionPool.close();
            }
            throw th;
        }
    }

    static SimpleBindRequest bindRequest(Settings settings) {
        SimpleBindRequest simpleBindRequest = null;
        if (BIND_DN.exists(settings)) {
            simpleBindRequest = new SimpleBindRequest((String) BIND_DN.get(settings), (String) BIND_PASSWORD.get(settings));
        }
        return simpleBindRequest;
    }

    public static boolean hasUserSearchSettings(RealmConfig realmConfig) {
        return !realmConfig.settings().getByPrefix(SEARCH_PREFIX).isEmpty();
    }

    @Override // org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory
    public void session(String str, SecureString secureString, ActionListener<LdapSession> actionListener) {
        if (this.useConnectionPool) {
            getSessionWithPool(str, secureString, actionListener);
        } else {
            getSessionWithoutPool(str, secureString, actionListener);
        }
    }

    private void getSessionWithPool(String str, SecureString secureString, ActionListener<LdapSession> actionListener) {
        LDAPConnectionPool lDAPConnectionPool = this.connectionPool;
        CheckedConsumer checkedConsumer = searchResultEntry -> {
            if (searchResultEntry == null) {
                actionListener.onResponse((Object) null);
                return;
            }
            String dn = searchResultEntry.getDN();
            byte[] utf8Bytes = CharArrays.toUtf8Bytes(secureString.getChars());
            try {
                try {
                    LdapUtils.privilegedConnect(() -> {
                        return this.connectionPool.bindAndRevertAuthentication(new SimpleBindRequest(dn, utf8Bytes));
                    });
                    actionListener.onResponse(new LdapSession(this.logger, this.config, this.connectionPool, dn, this.groupResolver, this.metaDataResolver, this.timeout, searchResultEntry.getAttributes()));
                    Arrays.fill(utf8Bytes, (byte) 0);
                } catch (LDAPException e) {
                    actionListener.onFailure(e);
                    Arrays.fill(utf8Bytes, (byte) 0);
                }
            } catch (Throwable th) {
                Arrays.fill(utf8Bytes, (byte) 0);
                throw th;
            }
        };
        actionListener.getClass();
        findUser(str, lDAPConnectionPool, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    private void getSessionWithoutPool(String str, SecureString secureString, ActionListener<LdapSession> actionListener) {
        boolean z = false;
        Closeable closeable = null;
        try {
            try {
                ServerSet serverSet = this.serverSet;
                serverSet.getClass();
                closeable = (LDAPConnection) LdapUtils.privilegedConnect(serverSet::getConnection);
                closeable.bind(bindRequest(this.config.settings()));
                findUser(str, closeable, ActionListener.wrap(searchResultEntry -> {
                    IOUtils.close(new Closeable[]{closeable});
                    if (searchResultEntry == null) {
                        actionListener.onResponse((Object) null);
                        return;
                    }
                    String dn = searchResultEntry.getDN();
                    boolean z2 = false;
                    Closeable closeable2 = null;
                    byte[] utf8Bytes = CharArrays.toUtf8Bytes(secureString.getChars());
                    try {
                        try {
                            ServerSet serverSet2 = this.serverSet;
                            serverSet2.getClass();
                            closeable2 = (LDAPConnection) LdapUtils.privilegedConnect(serverSet2::getConnection);
                            closeable2.bind(new SimpleBindRequest(dn, utf8Bytes));
                            z2 = true;
                            actionListener.onResponse(new LdapSession(this.logger, this.config, closeable2, dn, this.groupResolver, this.metaDataResolver, this.timeout, searchResultEntry.getAttributes()));
                            Arrays.fill(utf8Bytes, (byte) 0);
                            if (1 == 0) {
                                IOUtils.close(new Closeable[]{closeable2});
                            }
                        } catch (Exception e) {
                            actionListener.onFailure(e);
                            Arrays.fill(utf8Bytes, (byte) 0);
                            if (!z2) {
                                IOUtils.close(new Closeable[]{closeable2});
                            }
                        }
                    } catch (Throwable th) {
                        Arrays.fill(utf8Bytes, (byte) 0);
                        if (!z2) {
                            IOUtils.close(new Closeable[]{closeable2});
                        }
                        throw th;
                    }
                }, exc -> {
                    IOUtils.closeWhileHandlingException(new Closeable[]{closeable});
                    actionListener.onFailure(exc);
                }));
                z = true;
                if (1 == 0) {
                    IOUtils.closeWhileHandlingException(new Closeable[]{closeable});
                }
            } catch (LDAPException e) {
                actionListener.onFailure(e);
                if (z) {
                    return;
                }
                IOUtils.closeWhileHandlingException(new Closeable[]{closeable});
            }
        } catch (Throwable th) {
            if (!z) {
                IOUtils.closeWhileHandlingException(new Closeable[]{closeable});
            }
            throw th;
        }
    }

    @Override // org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory
    public boolean supportsUnauthenticatedSession() {
        return true;
    }

    @Override // org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory
    public void unauthenticatedSession(String str, ActionListener<LdapSession> actionListener) {
        LDAPConnectionPool lDAPConnectionPool;
        LDAPConnectionPool lDAPConnectionPool2 = null;
        boolean z = false;
        try {
            try {
                if (this.useConnectionPool) {
                    lDAPConnectionPool = this.connectionPool;
                } else {
                    ServerSet serverSet = this.serverSet;
                    serverSet.getClass();
                    lDAPConnectionPool2 = (LDAPConnection) LdapUtils.privilegedConnect(serverSet::getConnection);
                    lDAPConnectionPool2.bind(bindRequest(this.config.settings()));
                    lDAPConnectionPool = lDAPConnectionPool2;
                }
                LDAPConnectionPool lDAPConnectionPool3 = lDAPConnectionPool;
                CheckedConsumer checkedConsumer = searchResultEntry -> {
                    if (searchResultEntry == null) {
                        actionListener.onResponse((Object) null);
                        return;
                    }
                    boolean z2 = false;
                    try {
                        z2 = true;
                        actionListener.onResponse(new LdapSession(this.logger, this.config, lDAPConnectionPool3, searchResultEntry.getDN(), this.groupResolver, this.metaDataResolver, this.timeout, searchResultEntry.getAttributes()));
                        if (1 != 0 || this.useConnectionPool) {
                            return;
                        }
                        IOUtils.close(new Closeable[]{(LDAPConnection) lDAPConnectionPool3});
                    } catch (Throwable th) {
                        if (!z2 && !this.useConnectionPool) {
                            IOUtils.close(new Closeable[]{(LDAPConnection) lDAPConnectionPool3});
                        }
                        throw th;
                    }
                };
                actionListener.getClass();
                findUser(str, lDAPConnectionPool, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
                z = true;
                if (1 == 0) {
                    IOUtils.closeWhileHandlingException(new Closeable[]{lDAPConnectionPool2});
                }
            } catch (LDAPException e) {
                actionListener.onFailure(e);
                if (z) {
                    return;
                }
                IOUtils.closeWhileHandlingException(new Closeable[]{lDAPConnectionPool2});
            }
        } catch (Throwable th) {
            if (!z) {
                IOUtils.closeWhileHandlingException(new Closeable[]{lDAPConnectionPool2});
            }
            throw th;
        }
    }

    /* JADX WARN: Type inference failed for: r7v1, types: [java.lang.String[], java.lang.String[][]] */
    private void findUser(String str, LDAPInterface lDAPInterface, ActionListener<SearchResultEntry> actionListener) {
        LdapUtils.searchForEntry(lDAPInterface, this.userSearchBaseDn, this.scope.scope(), Filter.createEqualityFilter(this.userAttribute, Filter.encodeValue(str)), Math.toIntExact(this.timeout.seconds()), this.ignoreReferralErrors, actionListener, LdapUtils.attributesToSearchFor((String[][]) new String[]{this.groupResolver.attributes(), this.metaDataResolver.attributeNames()}));
    }

    void shutdown() {
        if (this.connectionPool != null) {
            this.connectionPool.close();
        }
    }

    static LdapSession.GroupsResolver groupResolver(Settings settings) {
        return SearchGroupsResolver.BASE_DN.exists(settings) ? new SearchGroupsResolver(settings) : new UserAttributeGroupsResolver(settings);
    }

    public static Set<Setting<?>> getSettings() {
        HashSet hashSet = new HashSet();
        hashSet.addAll(SessionFactory.getSettings());
        hashSet.add(SEARCH_BASE_DN);
        hashSet.add(SEARCH_SCOPE);
        hashSet.add(SEARCH_ATTRIBUTE);
        hashSet.add(POOL_ENABLED);
        hashSet.add(POOL_INITIAL_SIZE);
        hashSet.add(POOL_SIZE);
        hashSet.add(HEALTH_CHECK_ENABLED);
        hashSet.add(HEALTH_CHECK_DN);
        hashSet.add(HEALTH_CHECK_INTERVAL);
        hashSet.add(BIND_DN);
        hashSet.add(BIND_PASSWORD);
        hashSet.addAll(SearchGroupsResolver.getSettings());
        hashSet.addAll(UserAttributeGroupsResolver.getSettings());
        return hashSet;
    }
}
