package org.elasticsearch.shield.authc.ldap.support;

import com.google.common.base.Predicates;
import com.google.common.collect.Iterables;
import com.google.common.primitives.Ints;
import com.unboundid.ldap.sdk.LDAPConnectionOptions;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.LDAPURL;
import com.unboundid.ldap.sdk.ServerSet;
import com.unboundid.util.ssl.HostNameSSLSocketVerifier;
import java.util.Arrays;
import java.util.regex.Pattern;
import javax.net.ssl.SSLSocketFactory;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.logging.ESLogger;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.shield.authc.RealmConfig;
import org.elasticsearch.shield.authc.support.SecuredString;
import org.elasticsearch.shield.ssl.ClientSSLService;

/* loaded from: input_file:lib/shield-2.4.0.jar:org/elasticsearch/shield/authc/ldap/support/SessionFactory.class */
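/**
 * Base class for the factories that open {@link LdapSession}s against the LDAP servers
 * configured for a realm.
 *
 * <p>Lifecycle: construct, then call {@link #init()} (which parses the {@code url} setting and
 * builds the {@link ServerSet}), then call {@link #session(String, SecuredString)}. Calling
 * {@code session} before {@code init} fails with an {@link IllegalStateException}.
 *
 * <p>Transport-security relevant settings read here:
 * <ul>
 *   <li>{@code url} — all entries must share one scheme; a mix of {@code ldap://} and
 *       {@code ldaps://} is rejected rather than silently falling back to plaintext for some
 *       servers.</li>
 *   <li>{@code hostname_verification} (default {@code true}) — when {@code true} a
 *       {@link HostNameSSLSocketVerifier} is installed on the connection options; when
 *       {@code false} no verifier is installed by this class, so the server certificate's
 *       host name is not checked here.</li>
 *   <li>{@code follow_referrals} (default {@code true}) — passed straight to the SDK.</li>
 *   <li>{@code timeout.tcp_connect}, {@code timeout.tcp_read}, {@code timeout.ldap_search}
 *       (default {@link #TIMEOUT_DEFAULT}); the search timeout is raised to 1s if configured lower.</li>
 * </ul>
 *
 * <p>Note: this source was recovered by decompilation; the JADX markers indicated the constructor
 * was originally {@code protected}. It is kept {@code public} here so existing callers still compile.
 */
public abstract class SessionFactory {
    public static final String URLS_SETTING = "url";
    public static final String TIMEOUT_TCP_CONNECTION_SETTING = "timeout.tcp_connect";
    public static final String TIMEOUT_TCP_READ_SETTING = "timeout.tcp_read";
    public static final String TIMEOUT_LDAP_SETTING = "timeout.ldap_search";
    public static final String HOSTNAME_VERIFICATION_SETTING = "hostname_verification";
    public static final String FOLLOW_REFERRALS_SETTING = "follow_referrals";
    public static final TimeValue TIMEOUT_DEFAULT = TimeValue.timeValueSeconds(5);
    // Scheme checks are case-insensitive so "LDAPS://" is treated the same as "ldaps://".
    // The leading "^" matters: Predicates.contains uses find(), not matches().
    private static final Pattern STARTS_WITH_LDAPS = Pattern.compile("^ldaps:.*", Pattern.CASE_INSENSITIVE);
    private static final Pattern STARTS_WITH_LDAP = Pattern.compile("^ldap:.*", Pattern.CASE_INSENSITIVE);
    protected final ESLogger logger;
    // NOTE(review): in this decompiled build connectionLogger is obtained exactly like logger;
    // the two are kept as separate fields because subclasses reference both.
    protected final ESLogger connectionLogger;
    protected final RealmConfig config;
    /** Effective LDAP search timeout (never below 1s, see the constructor). */
    protected final TimeValue timeout;
    protected final ClientSSLService sslService;
    /** Null until {@link #init()} has run. */
    protected ServerSet serverSet;

    /**
     * Parsed form of the {@code url} setting: one host/port pair per configured URL plus a
     * single flag saying whether <em>all</em> of them use {@code ldaps://}.
     */
    public static class LDAPServers {
        private final String[] addresses;
        private final int[] ports;
        private final boolean ssl;

        /**
         * Parses the configured LDAP URLs.
         *
         * @param strArr the raw URL strings from the {@code url} setting
         * @throws IllegalArgumentException if the URLs do not all share the same scheme, or if
         *         any of them cannot be parsed by the SDK's {@link LDAPURL}
         */
        public LDAPServers(String[] strArr) {
            // Scheme consistency is checked before any URL is parsed so a mixed
            // ldap:// + ldaps:// configuration is rejected as a whole.
            this.ssl = secureUrls(strArr);
            this.addresses = new String[strArr.length];
            this.ports = new int[strArr.length];
            for (int i = 0; i < strArr.length; i++) {
                try {
                    LDAPURL ldapurl = new LDAPURL(strArr[i]);
                    this.addresses[i] = ldapurl.getHost();
                    this.ports[i] = ldapurl.getPort();
                } catch (LDAPException e) {
                    throw new IllegalArgumentException("unable to parse configured LDAP url [" + strArr[i] + "]", e);
                }
            }
        }

        /** @return a copy of the configured host names, in configuration order */
        public String[] addresses() {
            // Defensive copy: hand out a snapshot rather than the internal array.
            return this.addresses.clone();
        }

        /** @return a copy of the configured ports, parallel to {@link #addresses()} */
        public int[] ports() {
            return this.ports.clone();
        }

        /** @return {@code true} if every configured URL uses the {@code ldaps} scheme */
        public boolean ssl() {
            return this.ssl;
        }

        /**
         * Decides whether the whole set of URLs is TLS ({@code ldaps://}) or plaintext
         * ({@code ldap://}).
         *
         * @return {@code true} for all-ldaps, {@code false} for all-ldap; an empty array is
         *         reported as secure (callers reject empty {@code url} settings before reaching here)
         * @throws IllegalArgumentException if the schemes are mixed
         */
        private boolean secureUrls(String[] strArr) {
            if (strArr.length == 0) {
                return true;
            }
            boolean allLdaps = Iterables.all(Arrays.asList(strArr), Predicates.contains(SessionFactory.STARTS_WITH_LDAPS));
            boolean allLdap = Iterables.all(Arrays.asList(strArr), Predicates.contains(SessionFactory.STARTS_WITH_LDAP));
            if (allLdaps || allLdap) {
                return allLdaps;
            }
            throw new IllegalArgumentException("configured LDAP protocols are not all equal (ldaps://.. and ldap://..): [" + Strings.arrayToCommaDelimitedString(strArr) + "]");
        }
    }

    /**
     * Creates a factory bound to a realm configuration.
     *
     * @param realmConfig      realm settings and logger source
     * @param clientSSLService provides the {@link SSLSocketFactory} used for {@code ldaps://} URLs
     */
    public SessionFactory(RealmConfig realmConfig, ClientSSLService clientSSLService) {
        this.config = realmConfig;
        this.logger = realmConfig.logger(getClass());
        this.connectionLogger = realmConfig.logger(getClass());
        TimeValue searchTimeout = realmConfig.settings().getAsTime(TIMEOUT_LDAP_SETTING, TIMEOUT_DEFAULT);
        if (searchTimeout.millis() < 1000) {
            // Sub-second search timeouts are not supported; clamp to 1s and say so.
            this.logger.warn("ldap_search timeout [{}] is less than the minimum supported search timeout of 1s. using 1s", searchTimeout.millis());
            searchTimeout = TimeValue.timeValueSeconds(1L);
        }
        this.timeout = searchTimeout;
        this.sslService = clientSSLService;
    }

    /**
     * Opens an authenticated session for the given user.
     *
     * @param str            the user name to bind as
     * @param securedString  the user's password
     * @return a session obtained from {@link #getSession(String, SecuredString)}
     * @throws IllegalStateException if {@link #init()} has not been called yet
     * @throws Exception             whatever the subclass's {@code getSession} throws
     */
    public final LdapSession session(String str, SecuredString securedString) throws Exception {
        if (this.serverSet == null) {
            throw new IllegalStateException("session factory is not initialized");
        }
        return getSession(str, securedString);
    }

    /** Subclass hook that actually binds and returns a session; only called after {@link #init()}. */
    protected abstract LdapSession getSession(String str, SecuredString securedString) throws Exception;

    /** @return {@code false} by default; subclasses that can bind without credentials override this */
    public boolean supportsUnauthenticatedSession() {
        return false;
    }

    /**
     * Opens a session without user credentials.
     *
     * @throws UnsupportedOperationException always, unless a subclass overrides this
     */
    public LdapSession unauthenticatedSession(String str) throws Exception {
        throw new UnsupportedOperationException("unauthenticated sessions are not supported");
    }

    /**
     * Parses the {@code url} setting and builds the {@link ServerSet}; must run before
     * {@link #session(String, SecuredString)}.
     *
     * @return {@code this}, for chaining
     * @throws IllegalArgumentException if the {@code url} setting is missing or invalid
     */
    @SuppressWarnings("unchecked") // the cast to T is the decompiled self-return idiom; T is always the runtime type of this
    public <T extends SessionFactory> T init() {
        this.serverSet = serverSet(this.config.settings(), this.sslService, ldapServers(this.config.settings()));
        return (T) this;
    }

    /**
     * Builds the SDK connection options from realm settings.
     *
     * <p>Hostname verification is only installed when {@code hostname_verification} is
     * {@code true} (the default); with {@code false} this method sets no
     * {@code SSLSocketVerifier} at all.
     *
     * @param settings the realm settings
     * @return connection options with timeouts, referral behaviour and (optionally) hostname verification applied
     * @throws IllegalArgumentException from {@link Ints#checkedCast(long)} if the connect timeout does not fit in an int
     */
    protected static LDAPConnectionOptions connectionOptions(Settings settings) {
        LDAPConnectionOptions options = new LDAPConnectionOptions();
        options.setConnectTimeoutMillis(Ints.checkedCast(settings.getAsTime(TIMEOUT_TCP_CONNECTION_SETTING, TIMEOUT_DEFAULT).millis()));
        options.setFollowReferrals(settings.getAsBoolean(FOLLOW_REFERRALS_SETTING, true));
        options.setResponseTimeoutMillis(settings.getAsTime(TIMEOUT_TCP_READ_SETTING, TIMEOUT_DEFAULT).millis());
        options.setAutoReconnect(true);
        options.setAllowConcurrentSocketFactoryUse(true);
        if (settings.getAsBoolean(HOSTNAME_VERIFICATION_SETTING, true)) {
            options.setSSLSocketVerifier(new HostNameSSLSocketVerifier(true));
        }
        return options;
    }

    /**
     * Reads and validates the {@code url} setting.
     *
     * @throws IllegalArgumentException if the setting is absent or empty, or if
     *         {@link LDAPServers} rejects the URLs
     */
    protected LDAPServers ldapServers(Settings settings) {
        String[] urls = settings.getAsArray(URLS_SETTING);
        if (urls == null || urls.length == 0) {
            throw new IllegalArgumentException("missing required LDAP setting [url]");
        }
        return new LDAPServers(urls);
    }

    /**
     * Builds the load-balanced {@link ServerSet} for the configured servers.
     *
     * <p>An {@link SSLSocketFactory} is supplied only when every URL is {@code ldaps://};
     * for {@code ldap://} URLs the factory is {@code null} and connections are plaintext.
     *
     * @param settings         the realm settings
     * @param clientSSLService source of the SSL socket factory
     * @param lDAPServers      the parsed hosts/ports
     * @return the server set produced by {@code LdapLoadBalancing.serverSet}
     */
    protected ServerSet serverSet(Settings settings, ClientSSLService clientSSLService, LDAPServers lDAPServers) {
        SSLSocketFactory socketFactory = null;
        if (lDAPServers.ssl()) {
            socketFactory = clientSSLService.sslSocketFactory();
            if (settings.getAsBoolean(HOSTNAME_VERIFICATION_SETTING, true)) {
                this.logger.debug("using encryption for LDAP connections with hostname verification");
            } else {
                this.logger.debug("using encryption for LDAP connections without hostname verification");
            }
        }
        return LdapLoadBalancing.serverSet(lDAPServers.addresses(), lDAPServers.ports(), settings, socketFactory, connectionOptions(settings));
    }

    /** Package-private accessor for tests; {@code null} before {@link #init()}. */
    ServerSet getServerSet() {
        return this.serverSet;
    }
}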
