package org.elasticsearch.xpack.security.authc.ldap;

import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionPool;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.LDAPInterface;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.ServerSet;
import com.unboundid.ldap.sdk.SimpleBindRequest;
import java.util.HashSet;
import java.util.Set;
import java.util.function.Function;
import org.apache.lucene.util.IOUtils;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRunnable;
import org.elasticsearch.common.CheckedConsumer;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.AbstractRunnable;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.xpack.security.authc.RealmConfig;
import org.elasticsearch.xpack.security.authc.RealmSettings;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapSearchScope;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapSession;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils;
import org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory;
import org.elasticsearch.xpack.security.authc.support.CharArrays;
import org.elasticsearch.xpack.ssl.SSLService;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:lib/org.elasticsearch.plugin.xpack.api-6.1.3.jar:org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactory.class */
/**
 * {@link PoolingSessionFactory} for LDAP realms running in "user search" mode.
 *
 * <p>Instead of templating the user's DN from the login name, the factory first searches for the user's entry
 * under {@code user_search.base_dn} using the realm's own credentials (the configured bind DN/password, or an
 * anonymous simple bind when no bind DN is set), and then binds as the DN that was found using the password the
 * user supplied. A {@code null} session handed to the listener means "no matching entry" rather than a failure.
 *
 * <p>Decompiled output (JADX) of the class shipped in {@code org.elasticsearch.plugin.xpack.api-6.1.3.jar}: the
 * decompiler widened several access modifiers to {@code public} (see the JADX notes) and left raw
 * {@code CheckedConsumer}/{@code ActionListener} locals and {@code getClass()} null checks in place of the
 * original source's method references.
 */
public class LdapUserSearchSessionFactory extends PoolingSessionFactory {
    // Default attribute matched against the login name when neither a filter nor an attribute is configured.
    private static final String DEFAULT_USERNAME_ATTRIBUTE = "uid";
    // Every user-search setting lives under this prefix (see hasUserSearchSettings).
    static final String SEARCH_PREFIX = "user_search.";
    // Deprecated: kept for compatibility, it is rewritten into the "(<attr>={0})" filter by getSearchFilter.
    static final Setting<String> SEARCH_ATTRIBUTE = new Setting<>("user_search.attribute", "uid", Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated);
    // Mandatory; the constructor rejects the realm when it is absent.
    private static final Setting<String> SEARCH_BASE_DN = Setting.simpleString("user_search.base_dn", Setting.Property.NodeScope);
    // Full LDAP filter with a "{0}" placeholder for the login name; mutually exclusive with SEARCH_ATTRIBUTE.
    private static final Setting<String> SEARCH_FILTER = Setting.simpleString("user_search.filter", Setting.Property.NodeScope);
    // No raw default; the parser resolves the value with SUB_TREE as the fallback scope.
    private static final Setting<LdapSearchScope> SEARCH_SCOPE = new Setting<>("user_search.scope", (String) null, str -> {
        return LdapSearchScope.resolve(str, LdapSearchScope.SUB_TREE);
    }, Setting.Property.NodeScope);
    // Connection pooling is on unless explicitly disabled.
    private static final Setting<Boolean> POOL_ENABLED = Setting.boolSetting("user_search.pool.enabled", true, Setting.Property.NodeScope);
    private final String userSearchBaseDn;
    private final LdapSearchScope scope;
    private final String searchFilter;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Builds the factory from the realm settings.
     *
     * <p>The base class is handed the group resolver, the pool toggle, a supplier of the realm's bind request and
     * a supplier of a DN (bind DN when configured, otherwise the search base DN) — presumably used by the pool for
     * its probe/health-check entry; confirm in {@code PoolingSessionFactory}.
     *
     * @param realmConfig realm configuration; {@code user_search.base_dn} must be present
     * @param sSLService  SSL service forwarded to the base class
     * @param threadPool  thread pool used to fork bind operations
     * @throws IllegalArgumentException if {@code user_search.base_dn} is missing, or if both
     *                                  {@code user_search.attribute} and {@code user_search.filter} are set
     * @throws LDAPException            propagated from the base class
     */
    public LdapUserSearchSessionFactory(RealmConfig realmConfig, SSLService sSLService, ThreadPool threadPool) throws LDAPException {
        super(realmConfig, sSLService, groupResolver(realmConfig.settings()), POOL_ENABLED, () -> {
            return bindRequest(realmConfig.settings());
        }, () -> {
            return BIND_DN.exists(realmConfig.settings()) ? BIND_DN.get(realmConfig.settings()) : SEARCH_BASE_DN.get(realmConfig.settings());
        }, threadPool);
        Settings settings = realmConfig.settings();
        if (!SEARCH_BASE_DN.exists(settings)) {
            throw new IllegalArgumentException("[" + RealmSettings.getFullSettingKey(realmConfig, SEARCH_BASE_DN) + "] must be specified");
        }
        this.userSearchBaseDn = SEARCH_BASE_DN.get(settings);
        this.scope = SEARCH_SCOPE.get(settings);
        this.searchFilter = getSearchFilter(realmConfig);
        // Only the base DN and filter are logged; bind credentials never reach the log from here.
        this.logger.info("Realm [{}] is in user-search mode - base_dn=[{}], search filter=[{}]", realmConfig.name(), this.userSearchBaseDn, this.searchFilter);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Bind request used for the realm's own (search) connection.
     *
     * @param settings realm settings
     * @return a simple bind with the configured bind DN and password, or an anonymous simple bind when no bind DN
     *         is configured
     */
    public static SimpleBindRequest bindRequest(Settings settings) {
        return BIND_DN.exists(settings) ? new SimpleBindRequest(BIND_DN.get(settings), BIND_PASSWORD.get(settings)) : new SimpleBindRequest();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * @param realmConfig realm configuration
     * @return {@code true} if any setting under the {@code user_search.} prefix is present
     */
    public static boolean hasUserSearchSettings(RealmConfig realmConfig) {
        return !realmConfig.settings().getByPrefix(SEARCH_PREFIX).isEmpty();
    }

    /**
     * Authenticates {@code str} (the login name) over the pooled connection: look the user up, then bind as the
     * DN found with the supplied password. Responds {@code null} when no entry matches; search or bind failures
     * go to {@code actionListener.onFailure}. The pool owns the connections, so nothing is closed here.
     */
    @Override // org.elasticsearch.xpack.security.authc.ldap.PoolingSessionFactory
    void getSessionWithPool(LDAPConnectionPool lDAPConnectionPool, String str, SecureString secureString, ActionListener<LdapSession> actionListener) {
        CheckedConsumer checkedConsumer = searchResultEntry -> {
            if (searchResultEntry == null) {
                actionListener.onResponse(null);
            } else {
                final String dn = searchResultEntry.getDN();
                // NOTE(review): the UTF-8 copy of the password is not zeroed after the bind; whether the SDK retains it
                // is not visible from here.
                LdapUtils.maybeForkThenBind(lDAPConnectionPool, new SimpleBindRequest(dn, CharArrays.toUtf8Bytes(secureString.getChars())), this.threadPool, new ActionRunnable<LdapSession>(actionListener) { // from class: org.elasticsearch.xpack.security.authc.ldap.LdapUserSearchSessionFactory.1
                    /* JADX INFO: Access modifiers changed from: protected */
                    @Override // org.elasticsearch.common.util.concurrent.AbstractRunnable
                    public void doRun() throws Exception {
                        // Bind succeeded: the session carries the attributes already fetched by the user search.
                        this.listener.onResponse(new LdapSession(LdapUserSearchSessionFactory.this.logger, LdapUserSearchSessionFactory.this.config, lDAPConnectionPool, dn, LdapUserSearchSessionFactory.this.groupResolver, LdapUserSearchSessionFactory.this.metaDataResolver, LdapUserSearchSessionFactory.this.timeout, searchResultEntry.getAttributes()));
                    }

                    @Override // org.elasticsearch.action.ActionRunnable, org.elasticsearch.common.util.concurrent.AbstractRunnable
                    public void onFailure(Exception exc) {
                        this.listener.onFailure(exc);
                    }
                });
            }
        };
        // Compiler-generated null check backing the method reference below (decompiler artifact).
        actionListener.getClass();
        findUser(str, lDAPConnectionPool, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    /**
     * Same flow as {@link #getSessionWithPool} but on a dedicated connection: connect, bind with the realm's
     * credentials, search for the user, then bind as the user. The connection is closed on every path that does
     * not hand it to a new {@link LdapSession} (user not found, or any failure); on success the session owns it.
     */
    @Override // org.elasticsearch.xpack.security.authc.ldap.PoolingSessionFactory
    void getSessionWithoutPool(final String str, final SecureString secureString, final ActionListener<LdapSession> actionListener) {
        try {
            ServerSet serverSet = this.serverSet;
            serverSet.getClass();
            final LDAPConnection lDAPConnection = (LDAPConnection) LdapUtils.privilegedConnect(serverSet::getConnection);
            LdapUtils.maybeForkThenBind(lDAPConnection, bindRequest(this.config.settings()), this.threadPool, new AbstractRunnable() { // from class: org.elasticsearch.xpack.security.authc.ldap.LdapUserSearchSessionFactory.2
                /* JADX INFO: Access modifiers changed from: protected */
                @Override // org.elasticsearch.common.util.concurrent.AbstractRunnable
                public void doRun() throws Exception {
                    // The duplicated locals below are decompiler artifacts of lambda captures; they all alias the
                    // enclosing connection/listener.
                    LdapUserSearchSessionFactory ldapUserSearchSessionFactory = LdapUserSearchSessionFactory.this;
                    String str2 = str;
                    LDAPConnection lDAPConnection2 = lDAPConnection;
                    LDAPConnection lDAPConnection3 = lDAPConnection;
                    ActionListener actionListener2 = actionListener;
                    SecureString secureString2 = secureString;
                    CheckedConsumer checkedConsumer = searchResultEntry -> {
                        if (searchResultEntry == null) {
                            // No such user: release the connection, report "no session".
                            IOUtils.close(lDAPConnection3);
                            actionListener2.onResponse(null);
                        } else {
                            final String dn = searchResultEntry.getDN();
                            // Re-bind the realm connection as the user; the session keeps this connection on success.
                            LdapUtils.maybeForkThenBind(lDAPConnection3, new SimpleBindRequest(dn, CharArrays.toUtf8Bytes(secureString2.getChars())), LdapUserSearchSessionFactory.this.threadPool, new AbstractRunnable() { // from class: org.elasticsearch.xpack.security.authc.ldap.LdapUserSearchSessionFactory.2.1
                                /* JADX INFO: Access modifiers changed from: protected */
                                @Override // org.elasticsearch.common.util.concurrent.AbstractRunnable
                                public void doRun() throws Exception {
                                    actionListener2.onResponse(new LdapSession(LdapUserSearchSessionFactory.this.logger, LdapUserSearchSessionFactory.this.config, lDAPConnection3, dn, LdapUserSearchSessionFactory.this.groupResolver, LdapUserSearchSessionFactory.this.metaDataResolver, LdapUserSearchSessionFactory.this.timeout, searchResultEntry.getAttributes()));
                                }

                                @Override // org.elasticsearch.common.util.concurrent.AbstractRunnable
                                public void onFailure(Exception exc) {
                                    // Bind as user failed (e.g. wrong password): drop the connection before reporting.
                                    IOUtils.closeWhileHandlingException(lDAPConnection3);
                                    actionListener2.onFailure(exc);
                                }
                            });
                        }
                    };
                    LDAPConnection lDAPConnection4 = lDAPConnection;
                    ActionListener actionListener3 = actionListener;
                    ldapUserSearchSessionFactory.findUser(str2, lDAPConnection2, ActionListener.wrap(checkedConsumer, exc -> {
                        // Search failed: close and propagate.
                        IOUtils.closeWhileHandlingException(lDAPConnection4);
                        actionListener3.onFailure(exc);
                    }));
                }

                @Override // org.elasticsearch.common.util.concurrent.AbstractRunnable
                public void onFailure(Exception exc) {
                    // Realm bind failed: close the freshly opened connection.
                    IOUtils.closeWhileHandlingException(lDAPConnection);
                    actionListener.onFailure(exc);
                }
            });
        } catch (LDAPException e) {
            // Connect itself failed; nothing to close.
            actionListener.onFailure(e);
        }
    }

    /** User-search realms can build a session for a known user without that user's password. */
    @Override // org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory
    public boolean supportsUnauthenticatedSession() {
        return true;
    }

    /**
     * Looks {@code str} up over the pooled connection and, if found, returns a session for the entry's DN without
     * binding as the user. Responds {@code null} when no entry matches.
     */
    @Override // org.elasticsearch.xpack.security.authc.ldap.PoolingSessionFactory
    void getUnauthenticatedSessionWithPool(LDAPConnectionPool lDAPConnectionPool, String str, ActionListener<LdapSession> actionListener) {
        CheckedConsumer checkedConsumer = searchResultEntry -> {
            if (searchResultEntry == null) {
                actionListener.onResponse(null);
            } else {
                actionListener.onResponse(new LdapSession(this.logger, this.config, lDAPConnectionPool, searchResultEntry.getDN(), this.groupResolver, this.metaDataResolver, this.timeout, searchResultEntry.getAttributes()));
            }
        };
        // Compiler-generated null check backing the method reference below (decompiler artifact).
        actionListener.getClass();
        findUser(str, lDAPConnectionPool, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    /**
     * Unauthenticated variant of {@link #getSessionWithoutPool}: connect, bind with the realm's credentials and
     * search. The connection stays bound as the realm (not the user) and is handed to the session on success;
     * it is closed when the user is not found or on any failure.
     */
    @Override // org.elasticsearch.xpack.security.authc.ldap.PoolingSessionFactory
    void getUnauthenticatedSessionWithoutPool(final String str, final ActionListener<LdapSession> actionListener) {
        try {
            ServerSet serverSet = this.serverSet;
            serverSet.getClass();
            final LDAPConnection lDAPConnection = (LDAPConnection) LdapUtils.privilegedConnect(serverSet::getConnection);
            LdapUtils.maybeForkThenBind(lDAPConnection, bindRequest(this.config.settings()), this.threadPool, new AbstractRunnable() { // from class: org.elasticsearch.xpack.security.authc.ldap.LdapUserSearchSessionFactory.3
                /* JADX INFO: Access modifiers changed from: protected */
                @Override // org.elasticsearch.common.util.concurrent.AbstractRunnable
                public void doRun() throws Exception {
                    // Duplicated locals are decompiler artifacts of lambda captures.
                    LdapUserSearchSessionFactory ldapUserSearchSessionFactory = LdapUserSearchSessionFactory.this;
                    String str2 = str;
                    LDAPConnection lDAPConnection2 = lDAPConnection;
                    LDAPConnection lDAPConnection3 = lDAPConnection;
                    ActionListener actionListener2 = actionListener;
                    CheckedConsumer checkedConsumer = searchResultEntry -> {
                        if (searchResultEntry != null) {
                            actionListener2.onResponse(new LdapSession(LdapUserSearchSessionFactory.this.logger, LdapUserSearchSessionFactory.this.config, lDAPConnection3, searchResultEntry.getDN(), LdapUserSearchSessionFactory.this.groupResolver, LdapUserSearchSessionFactory.this.metaDataResolver, LdapUserSearchSessionFactory.this.timeout, searchResultEntry.getAttributes()));
                        } else {
                            // No such user: release the connection, report "no session".
                            IOUtils.close(lDAPConnection3);
                            actionListener2.onResponse(null);
                        }
                    };
                    LDAPConnection lDAPConnection4 = lDAPConnection;
                    ActionListener actionListener3 = actionListener;
                    ldapUserSearchSessionFactory.findUser(str2, lDAPConnection2, ActionListener.wrap(checkedConsumer, exc -> {
                        // Search failed: close and propagate.
                        IOUtils.closeWhileHandlingException(lDAPConnection4);
                        actionListener3.onFailure(exc);
                    }));
                }

                @Override // org.elasticsearch.common.util.concurrent.AbstractRunnable
                public void onFailure(Exception exc) {
                    // Realm bind failed: close the freshly opened connection.
                    IOUtils.closeWhileHandlingException(lDAPConnection);
                    actionListener.onFailure(exc);
                }
            });
        } catch (LDAPException e) {
            // Connect itself failed; nothing to close.
            actionListener.onFailure(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Type inference failed for: r7v1, types: [java.lang.String[], java.lang.String[][]] */
    /**
     * Searches for the user's entry under the configured base DN and scope.
     *
     * <p>The login name is substituted for the {@code {0}} placeholder of the configured filter by
     * {@link LdapUtils#createFilter}; escaping of filter metacharacters in {@code str} is presumably handled
     * there — confirm, since the name is attacker-controlled at authentication time. The attributes requested are
     * those needed by the group and metadata resolvers, so later session construction needs no second search.
     * Referral errors are tolerated according to {@code ignoreReferralErrors}.
     *
     * @param str            login name as supplied by the user
     * @param lDAPInterface  connection or pool, already bound with the realm's credentials
     * @param actionListener receives the entry, {@code null} if none matched, or the failure
     */
    public void findUser(String str, LDAPInterface lDAPInterface, ActionListener<SearchResultEntry> actionListener) {
        try {
            // Math.toIntExact throws ArithmeticException (not LDAPException) for a timeout beyond int seconds; that
            // would escape this method rather than reach the listener.
            LdapUtils.searchForEntry(lDAPInterface, this.userSearchBaseDn, this.scope.scope(), LdapUtils.createFilter(this.searchFilter, str), Math.toIntExact(this.timeout.seconds()), this.ignoreReferralErrors, actionListener, LdapUtils.attributesToSearchFor((String[][]) new String[]{this.groupResolver.attributes(), this.metaDataResolver.attributeNames()}));
        } catch (LDAPException e) {
            actionListener.onFailure(e);
        }
    }

    /**
     * Chooses the group resolver: a search-based one when its base DN setting is present, otherwise one that reads
     * group membership from the user entry's attributes.
     */
    private static LdapSession.GroupsResolver groupResolver(Settings settings) {
        return SearchGroupsResolver.BASE_DN.exists(settings) ? new SearchGroupsResolver(settings) : new UserAttributeGroupsResolver(settings);
    }

    /**
     * Resolves the user-search filter from settings. Precedence: explicit {@code user_search.filter}, then the
     * deprecated {@code user_search.attribute} rewritten as {@code (<attribute>={0})}, then {@code (uid={0})}.
     *
     * @throws IllegalArgumentException if both the attribute and the filter setting are configured
     */
    static String getSearchFilter(RealmConfig realmConfig) {
        Settings settings = realmConfig.settings();
        boolean exists = SEARCH_ATTRIBUTE.exists(settings);
        boolean exists2 = SEARCH_FILTER.exists(settings);
        if (exists && exists2) {
            throw new IllegalArgumentException("search attribute setting [" + RealmSettings.getFullSettingKey(realmConfig, SEARCH_ATTRIBUTE) + "] and filter setting [" + RealmSettings.getFullSettingKey(realmConfig, SEARCH_FILTER) + "] cannot be combined!");
        }
        return exists2 ? SEARCH_FILTER.get(settings) : exists ? "(" + SEARCH_ATTRIBUTE.get(settings) + "={0})" : "(uid={0})";
    }

    /**
     * All settings this realm type accepts: the generic session-factory and pooling settings, the user-search
     * settings declared here, and those of both group resolvers.
     */
    public static Set<Setting<?>> getSettings() {
        HashSet hashSet = new HashSet();
        hashSet.addAll(SessionFactory.getSettings());
        hashSet.addAll(PoolingSessionFactory.getSettings());
        hashSet.add(SEARCH_BASE_DN);
        hashSet.add(SEARCH_SCOPE);
        hashSet.add(SEARCH_ATTRIBUTE);
        hashSet.add(POOL_ENABLED);
        hashSet.add(SEARCH_FILTER);
        hashSet.addAll(SearchGroupsResolver.getSettings());
        hashSet.addAll(UserAttributeGroupsResolver.getSettings());
        return hashSet;
    }
}
