package org.elasticsearch.xpack.security.authc.ldap;

import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionOptions;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.SearchResultEntry;
import java.io.Closeable;
import java.util.HashSet;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.util.IOUtils;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.cache.Cache;
import org.elasticsearch.common.cache.CacheBuilder;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.xpack.ml.job.process.autodetect.writer.RecordWriter;
import org.elasticsearch.xpack.security.authc.RealmConfig;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapSearchScope;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapSession;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils;
import org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory;
import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.xpack.ssl.SSLService;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactory.class */
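/**
 * {@link SessionFactory} for Active Directory.
 *
 * <p>The user name presented at authentication time selects one of three bind/search strategies
 * (see {@link #getADAuthenticator(String)}):
 * <ul>
 *   <li>{@code DOMAIN\user} (down-level logon name) &rarr; {@link DownLevelADAuthenticator}</li>
 *   <li>{@code user@domain} (user principal name) &rarr; {@link UpnADAuthenticator}</li>
 *   <li>anything else &rarr; {@link DefaultADAuthenticator}</li>
 * </ul>
 * Every strategy first binds to the directory with the user's own credentials and only then searches
 * for the user's entry; an {@link LdapSession} is created only when that search returns an entry.
 * The user name is untrusted input throughout: malformed names are reported to the listener as
 * failures rather than allowed to escape as runtime exceptions.
 */
public class ActiveDirectorySessionFactory extends SessionFactory {
    static final String AD_DOMAIN_NAME_SETTING = "domain_name";
    static final String AD_GROUP_SEARCH_BASEDN_SETTING = "group_search.base_dn";
    static final String AD_GROUP_SEARCH_SCOPE_SETTING = "group_search.scope";
    static final String AD_USER_SEARCH_BASEDN_SETTING = "user_search.base_dn";
    static final String AD_USER_SEARCH_FILTER_SETTING = "user_search.filter";
    static final String AD_UPN_USER_SEARCH_FILTER_SETTING = "user_search.upn_filter";
    static final String AD_DOWN_LEVEL_USER_SEARCH_FILTER_SETTING = "user_search.down_level_filter";
    static final String AD_USER_SEARCH_SCOPE_SETTING = "user_search.scope";
    private static final String NETBIOS_NAME_FILTER_TEMPLATE = "(netbiosname={0})";

    /** Ports used when a second connection has to be opened for the NetBIOS domain lookup. */
    private static final int LDAPS_PORT = 636;
    private static final int LDAP_PORT = 389;
    /** Ports on which Active Directory serves the Global Catalog (plain and TLS). */
    private static final int GLOBAL_CATALOG_PORT = 3268;
    private static final int GLOBAL_CATALOG_SSL_PORT = 3269;

    final DefaultADAuthenticator defaultADAuthenticator;
    final DownLevelADAuthenticator downLevelADAuthenticator;
    final UpnADAuthenticator upnADAuthenticator;

    /**
     * Shared bind-then-search logic. Subclasses decide how the bind name is formed
     * ({@link #bindUsername(String)}) and where/how the user's entry is searched for
     * ({@link #searchForDN}).
     */
    public static abstract class ADAuthenticator {
        final TimeValue timeout;
        final boolean ignoreReferralErrors;
        final Logger logger;
        final LdapSession.GroupsResolver groupsResolver;
        final String userSearchDN;
        final LdapSearchScope userSearchScope;
        final String userSearchFilter;

        /**
         * @param settings                realm settings
         * @param timeout                 bind/search time limit
         * @param ignoreReferralErrors    whether referral failures during searches are ignored
         * @param logger                  realm logger
         * @param groupsResolver          resolver whose attributes are requested with the user entry
         * @param domainDN                default user search base (used when {@code user_search.base_dn} is unset)
         * @param userSearchFilterSetting name of the setting holding the user search filter
         * @param defaultUserSearchFilter filter used when that setting is unset
         */
        ADAuthenticator(Settings settings, TimeValue timeout, boolean ignoreReferralErrors, Logger logger,
                        LdapSession.GroupsResolver groupsResolver, String domainDN, String userSearchFilterSetting,
                        String defaultUserSearchFilter) {
            this.timeout = timeout;
            this.ignoreReferralErrors = ignoreReferralErrors;
            this.logger = logger;
            this.groupsResolver = groupsResolver;
            this.userSearchDN = settings.get(AD_USER_SEARCH_BASEDN_SETTING, domainDN);
            this.userSearchScope = LdapSearchScope.resolve(settings.get(AD_USER_SEARCH_SCOPE_SETTING), LdapSearchScope.SUB_TREE);
            this.userSearchFilter = settings.get(userSearchFilterSetting, defaultUserSearchFilter);
        }

        /**
         * Binds {@code connection} as the user and, on success, searches for the user's entry.
         *
         * <p>Ownership of {@code connection}: it is handed to the {@link LdapSession} on success and
         * closed on every failure path, including a failed bind and any exception thrown before the
         * search has been dispatched.
         *
         * @param connection freshly obtained, unbound connection
         * @param username   user name as presented by the client (untrusted)
         * @param password   user's password
         * @param listener   receives the session or the failure
         */
        final void authenticate(final LDAPConnection connection, final String username, final SecuredString password,
                                final ActionListener<LdapSession> listener) {
            boolean handedOff = false;
            try {
                // LDAPConnection.bind(String, String) takes the password as an immutable String, so this
                // copy cannot be zeroed afterwards; it lives until garbage collected.
                connection.bind(bindUsername(username), new String(password.internalChars()));
                ActionListener<SearchResultEntry> entryListener = ActionListener.wrap(entry -> {
                    if (entry == null) {
                        // Close quietly so that the security exception, not a close error, reaches the listener.
                        IOUtils.closeWhileHandlingException(connection);
                        listener.onFailure(new ElasticsearchSecurityException(
                                "search for user [" + username + "] by principle name yielded no results"));
                    } else {
                        listener.onResponse(new LdapSession(logger, connection, entry.getDN(), groupsResolver, timeout, null));
                    }
                }, e -> {
                    IOUtils.closeWhileHandlingException(connection);
                    listener.onFailure(e);
                });
                searchForDN(connection, username, password, Math.toIntExact(timeout.seconds()), entryListener);
                // From here on the entry listener owns the connection.
                handedOff = true;
            } catch (LDAPException e) {
                listener.onFailure(e);
            } finally {
                if (handedOff == false) {
                    IOUtils.closeWhileHandlingException(connection);
                }
            }
        }

        /**
         * Name used for the bind; the base implementation binds with the user name as given.
         */
        String bindUsername(String username) {
            return username;
        }

        final String getUserSearchFilter() {
            return userSearchFilter;
        }

        /**
         * Searches for the entry of {@code username} on the already bound {@code connection} and
         * reports it (or {@code null} when nothing matched) to {@code listener}. Implementations
         * report failures through the listener instead of throwing.
         */
        abstract void searchForDN(LDAPConnection connection, String username, SecuredString password, int timeLimitSeconds,
                                  ActionListener<SearchResultEntry> listener);
    }

    /**
     * Strategy for plain user names: binds as {@code user@domain_name} and searches under the
     * configured user search base with the configured (or default) filter.
     */
    public static class DefaultADAuthenticator extends ADAuthenticator {
        final String domainName;

        DefaultADAuthenticator(Settings settings, TimeValue timeout, boolean ignoreReferralErrors, Logger logger,
                               LdapSession.GroupsResolver groupsResolver, String domainDN) {
            super(settings, timeout, ignoreReferralErrors, logger, groupsResolver, domainDN, AD_USER_SEARCH_FILTER_SETTING,
                    "(&(objectClass=user)(|(sAMAccountName={0})(userPrincipalName={0}@" + settings.get(AD_DOMAIN_NAME_SETTING) + ")))");
            this.domainName = settings.get(AD_DOMAIN_NAME_SETTING);
        }

        @Override
        void searchForDN(LDAPConnection connection, String username, SecuredString password, int timeLimitSeconds,
                         ActionListener<SearchResultEntry> listener) {
            try {
                // {0} in the filter is substituted by LdapUtils.createFilter; the user name is untrusted and
                // relies on that helper for escaping.
                LdapUtils.searchForEntry(connection, userSearchDN, userSearchScope.scope(),
                        LdapUtils.createFilter(userSearchFilter, username), timeLimitSeconds, ignoreReferralErrors, listener,
                        LdapUtils.attributesToSearchFor(groupsResolver.attributes()));
            } catch (LDAPException e) {
                listener.onFailure(e);
            }
        }

        @Override
        String bindUsername(String username) {
            return username + "@" + domainName;
        }
    }

    /**
     * Strategy for down-level logon names ({@code DOMAIN\user}). The NetBIOS domain name is first
     * mapped to the naming context DN via the directory's {@code netbiosname}/{@code ncname}
     * attributes (cached), and the user is then searched for under that DN.
     */
    public static class DownLevelADAuthenticator extends ADAuthenticator {
        static final String DOWN_LEVEL_FILTER = "(&(objectClass=user)(sAMAccountName={0}))";
        // Keyed by a user-supplied NetBIOS name; bounded (max weight 100) so that it cannot grow without limit.
        Cache<String, String> domainNameCache = CacheBuilder.<String, String>builder().setMaximumWeight(100).build();
        final String domainDN;
        final Settings settings;
        final SSLService sslService;
        final RealmConfig config;

        DownLevelADAuthenticator(RealmConfig config, TimeValue timeout, boolean ignoreReferralErrors, Logger logger,
                                 LdapSession.GroupsResolver groupsResolver, String domainDN, SSLService sslService) {
            super(config.settings(), timeout, ignoreReferralErrors, logger, groupsResolver, domainDN,
                    AD_DOWN_LEVEL_USER_SEARCH_FILTER_SETTING, DOWN_LEVEL_FILTER);
            this.domainDN = domainDN;
            this.settings = config.settings();
            this.sslService = sslService;
            this.config = config;
        }

        @Override
        void searchForDN(LDAPConnection connection, String username, SecuredString password, int timeLimitSeconds,
                         ActionListener<SearchResultEntry> listener) {
            // The name was routed here because it contains a backslash; only the DOMAIN\user shape is accepted.
            // Anything else (e.g. a trailing backslash) is reported as a failure instead of indexing past the array.
            String[] parts = username.split("\\\\");
            if (parts.length != 2) {
                listener.onFailure(new ElasticsearchSecurityException(
                        "user name [" + username + "] is not a valid down-level logon name"));
                return;
            }
            String netBiosDomainName = parts[0];
            String accountName = parts[1];
            ActionListener<String> domainDnListener = ActionListener.wrap(domainDn -> {
                if (domainDn == null) {
                    IOUtils.closeWhileHandlingException(connection);
                    listener.onResponse(null);
                    return;
                }
                try {
                    LdapUtils.searchForEntry(connection, domainDn, LdapSearchScope.SUB_TREE.scope(),
                            LdapUtils.createFilter(userSearchFilter, accountName), timeLimitSeconds, ignoreReferralErrors,
                            listener, LdapUtils.attributesToSearchFor(groupsResolver.attributes()));
                } catch (LDAPException e) {
                    IOUtils.closeWhileHandlingException(connection);
                    listener.onFailure(e);
                }
            }, e -> {
                IOUtils.closeWhileHandlingException(connection);
                listener.onFailure(e);
            });
            netBiosDomainNameToDn(connection, netBiosDomainName, username, password, timeLimitSeconds, domainDnListener);
        }

        /**
         * Resolves a NetBIOS domain name to its naming-context DN, consulting the cache first.
         *
         * <p>On a non-Global-Catalog connection the lookup runs on {@code connection} itself. On a
         * Global Catalog connection a second connection to the same host is opened on the standard
         * LDAP or LDAPS port, bound with the user's credentials, and used for the lookup
         * (presumably because the GC does not serve the attribute — confirm).
         *
         * @param connection        the caller's bound connection
         * @param netBiosDomainName domain part of the user name (untrusted)
         * @param username          full user name, used to bind the helper connection
         * @param password          user's password
         * @param timeLimitSeconds  search time limit
         * @param listener          receives the DN, {@code null} when unknown, or the failure
         */
        void netBiosDomainNameToDn(LDAPConnection connection, String netBiosDomainName, String username,
                                   SecuredString password, int timeLimitSeconds, ActionListener<String> listener) {
            String cachedDn = domainNameCache.get(netBiosDomainName);
            if (cachedDn != null) {
                listener.onResponse(cachedDn);
                return;
            }

            if (usingGlobalCatalog(settings, connection) == false) {
                ActionListener<List<SearchResultEntry>> searchListener = ActionListener.wrap(
                        results -> handleSearchResults(results, netBiosDomainName, domainNameCache, listener),
                        e -> {
                            IOUtils.closeWhileHandlingException(connection);
                            listener.onFailure(e);
                        });
                try {
                    LdapUtils.search(connection, domainDN, LdapSearchScope.SUB_TREE.scope(),
                            LdapUtils.createFilter(NETBIOS_NAME_FILTER_TEMPLATE, netBiosDomainName), timeLimitSeconds,
                            ignoreReferralErrors, searchListener, "ncname");
                } catch (LDAPException e) {
                    listener.onFailure(e);
                }
                return;
            }

            LDAPConnectionOptions options = ActiveDirectorySessionFactory.connectionOptions(config, sslService, logger);
            LDAPConnection searchConnection = null;
            boolean handedOff = false;
            try {
                Filter filter = LdapUtils.createFilter(NETBIOS_NAME_FILTER_TEMPLATE, netBiosDomainName);
                // The user's credentials are sent again over this connection, so it must be protected at least as
                // well as the caller's: LDAPS with the caller's socket factory when the caller has an SSL session,
                // plain LDAP otherwise. NOTE(review): whether a StartTLS-upgraded caller connection takes the LDAPS
                // branch with a usable socket factory is not verified here — confirm.
                if (connection.getSSLSession() != null) {
                    searchConnection = new LDAPConnection(connection.getSocketFactory(), options,
                            connection.getConnectedAddress(), LDAPS_PORT);
                } else {
                    searchConnection = new LDAPConnection(options, connection.getConnectedAddress(), LDAP_PORT);
                }
                searchConnection.bind(username, new String(password.internalChars()));

                final LDAPConnection boundConnection = searchConnection;
                ActionListener<List<SearchResultEntry>> searchListener = ActionListener.wrap(results -> {
                    IOUtils.closeWhileHandlingException(boundConnection);
                    handleSearchResults(results, netBiosDomainName, domainNameCache, listener);
                }, e -> {
                    // Close the helper connection too; it would otherwise leak, since nothing else
                    // references it once the search has been dispatched.
                    IOUtils.closeWhileHandlingException(boundConnection, connection);
                    listener.onFailure(e);
                });
                LdapUtils.search(boundConnection, domainDN, LdapSearchScope.SUB_TREE.scope(), filter, timeLimitSeconds,
                        ignoreReferralErrors, searchListener, "ncname");
                handedOff = true;
            } catch (LDAPException e) {
                listener.onFailure(e);
            } finally {
                // Covers a failed connect/bind and any exception before the search was dispatched.
                if (handedOff == false) {
                    IOUtils.closeWhileHandlingException(searchConnection);
                }
            }
        }

        /**
         * Picks the first result carrying an {@code ncname} attribute, caches its value under
         * {@code netBiosDomainName} and reports it; reports {@code null} when no result has the attribute.
         */
        static void handleSearchResults(List<SearchResultEntry> results, String netBiosDomainName,
                                        Cache<String, String> cache, ActionListener<String> listener) {
            Optional<SearchResultEntry> match = results.stream()
                    .filter(entry -> entry.hasAttribute("ncname"))
                    .findFirst();
            if (match.isPresent() == false) {
                listener.onResponse(null);
                return;
            }
            String domainDn = match.get().getAttributeValue("ncname");
            try {
                cache.computeIfAbsent(netBiosDomainName, key -> domainDn);
            } catch (ExecutionException e) {
                // The loader returns a constant, so it can never fail.
                throw new AssertionError("failed to load constant non-null value", e);
            }
            listener.onResponse(domainDn);
        }

        /**
         * Whether {@code connection} talks to the Global Catalog: the {@code global_catalog} setting
         * when present, otherwise inferred from the connected port.
         */
        static boolean usingGlobalCatalog(Settings settings, LDAPConnection connection) {
            Boolean explicit = settings.getAsBoolean("global_catalog", (Boolean) null);
            if (explicit != null) {
                return explicit;
            }
            int port = connection.getConnectedPort();
            return port == GLOBAL_CATALOG_PORT || port == GLOBAL_CATALOG_SSL_PORT;
        }
    }

    /**
     * Strategy for user principal names ({@code user@domain}): the search base is derived from the
     * domain suffix of the name and the entry is matched by sAMAccountName or userPrincipalName.
     */
    public static class UpnADAuthenticator extends ADAuthenticator {
        static final String UPN_USER_FILTER = "(&(objectClass=user)(|(sAMAccountName={0})(userPrincipalName={1})))";

        UpnADAuthenticator(Settings settings, TimeValue timeout, boolean ignoreReferralErrors, Logger logger,
                           LdapSession.GroupsResolver groupsResolver, String domainDN) {
            super(settings, timeout, ignoreReferralErrors, logger, groupsResolver, domainDN, AD_UPN_USER_SEARCH_FILTER_SETTING,
                    UPN_USER_FILTER);
        }

        @Override
        void searchForDN(LDAPConnection connection, String username, SecuredString password, int timeLimitSeconds,
                         ActionListener<SearchResultEntry> listener) {
            // The name was routed here because it contains '@'; only the user@domain shape is accepted.
            String[] parts = username.split("@");
            if (parts.length != 2) {
                listener.onFailure(new ElasticsearchSecurityException(
                        "user name [" + username + "] is not a valid user principal name"));
                return;
            }
            String accountName = parts[0];
            // NOTE(review): the search base is built from the user-supplied UPN suffix without DN escaping;
            // the bind has already succeeded with these credentials, but confirm this is acceptable.
            String domainDN = buildDnFromDomain(parts[1]);
            try {
                // NOTE(review): the configured user_search.upn_filter (held in userSearchFilter) is not used here;
                // the built-in UPN_USER_FILTER is always applied, as in the original.
                LdapUtils.searchForEntry(connection, domainDN, LdapSearchScope.SUB_TREE.scope(),
                        LdapUtils.createFilter(UPN_USER_FILTER, accountName, username), timeLimitSeconds, ignoreReferralErrors,
                        listener, LdapUtils.attributesToSearchFor(groupsResolver.attributes()));
            } catch (LDAPException e) {
                listener.onFailure(e);
            }
        }
    }

    /**
     * @throws IllegalArgumentException when the mandatory {@code domain_name} setting is absent
     */
    public ActiveDirectorySessionFactory(RealmConfig config, SSLService sslService) {
        super(config, sslService);
        Settings settings = config.settings();
        String domainName = settings.get(AD_DOMAIN_NAME_SETTING);
        if (domainName == null) {
            throw new IllegalArgumentException("missing [domain_name] setting for active directory");
        }
        String domainDN = buildDnFromDomain(domainName);
        ActiveDirectoryGroupsResolver groupsResolver =
                new ActiveDirectoryGroupsResolver(settings.getAsSettings("group_search"), domainDN, ignoreReferralErrors);
        this.defaultADAuthenticator = new DefaultADAuthenticator(settings, timeout, ignoreReferralErrors, logger, groupsResolver, domainDN);
        this.downLevelADAuthenticator = new DownLevelADAuthenticator(config, timeout, ignoreReferralErrors, logger, groupsResolver,
                domainDN, sslService);
        this.upnADAuthenticator = new UpnADAuthenticator(settings, timeout, ignoreReferralErrors, logger, groupsResolver, domainDN);
    }

    /** Default URL: plain LDAP to the configured domain name on port 389. */
    @Override
    protected String[] getDefaultLdapUrls(Settings settings) {
        return new String[] { "ldap://" + settings.get(AD_DOMAIN_NAME_SETTING) + ":" + LDAP_PORT };
    }

    /**
     * Obtains a connection from the server set and authenticates {@code username} on it with the
     * strategy matching the name's shape. Connection failures and authentication failures are both
     * reported through {@code listener}; the connection is closed on failure.
     */
    @Override
    public void session(String username, SecuredString password, ActionListener<LdapSession> listener) {
        final LDAPConnection connection;
        try {
            connection = serverSet.getConnection();
        } catch (LDAPException e) {
            listener.onFailure(e);
            return;
        }
        ActionListener<LdapSession> closeOnFailure = ActionListener.wrap(listener::onResponse, e -> {
            IOUtils.closeWhileHandlingException(connection);
            listener.onFailure(e);
        });
        getADAuthenticator(username).authenticate(connection, username, password, closeOnFailure);
    }

    /**
     * Turns a DNS domain name into a DN of DC components, e.g. {@code ad.example.com} becomes
     * {@code DC=ad,DC=example,DC=com}. No escaping is applied to the components.
     */
    static String buildDnFromDomain(String domain) {
        return "DC=" + domain.replace(".", ",DC=");
    }

    /** All settings understood by this realm type: the generic session-factory ones plus the AD-specific ones. */
    public static Set<Setting<?>> getSettings() {
        Set<Setting<?>> settings = new HashSet<>(SessionFactory.getSettings());
        for (String key : new String[] {
                AD_DOMAIN_NAME_SETTING,
                AD_GROUP_SEARCH_BASEDN_SETTING,
                AD_GROUP_SEARCH_SCOPE_SETTING,
                AD_USER_SEARCH_BASEDN_SETTING,
                AD_USER_SEARCH_FILTER_SETTING,
                AD_UPN_USER_SEARCH_FILTER_SETTING,
                AD_DOWN_LEVEL_USER_SEARCH_FILTER_SETTING,
                AD_USER_SEARCH_SCOPE_SETTING }) {
            settings.add(Setting.simpleString(key, Setting.Property.NodeScope));
        }
        return settings;
    }

    /**
     * Selects the strategy from the shape of the user name. A separator in the first position is
     * deliberately not treated as a domain separator ({@code > 0}, not {@code >= 0}).
     */
    ADAuthenticator getADAuthenticator(String username) {
        if (username.indexOf('\\') > 0) {
            return downLevelADAuthenticator;
        }
        if (username.indexOf('@') > 0) {
            return upnADAuthenticator;
        }
        return defaultADAuthenticator;
    }
}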
