package org.elasticsearch.xpack.security.authc.ldap;

import com.unboundid.ldap.sdk.Control;
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionOptions;
import com.unboundid.ldap.sdk.LDAPConnectionPool;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.LDAPInterface;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;
import com.unboundid.ldap.sdk.SimpleBindRequest;
import com.unboundid.ldap.sdk.controls.AuthorizationIdentityRequestControl;
import java.io.Closeable;
import java.util.HashSet;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.util.IOUtils;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.CheckedConsumer;
import org.elasticsearch.common.cache.Cache;
import org.elasticsearch.common.cache.CacheBuilder;
import org.elasticsearch.common.logging.DeprecationLogger;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.xpack.ml.job.process.autodetect.writer.RecordWriter;
import org.elasticsearch.xpack.security.authc.RealmConfig;
import org.elasticsearch.xpack.security.authc.RealmSettings;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapMetaDataResolver;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapSearchScope;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapSession;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils;
import org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory;
import org.elasticsearch.xpack.security.authc.support.CharArrays;
import org.elasticsearch.xpack.ssl.SSLService;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactory.class */
public class ActiveDirectorySessionFactory extends PoolingSessionFactory {
    // Setting keys read from the realm's settings throughout this class.
    static final String AD_DOMAIN_NAME_SETTING = "domain_name";
    static final String AD_GROUP_SEARCH_BASEDN_SETTING = "group_search.base_dn";
    static final String AD_GROUP_SEARCH_SCOPE_SETTING = "group_search.scope";
    static final String AD_USER_SEARCH_BASEDN_SETTING = "user_search.base_dn";
    static final String AD_USER_SEARCH_FILTER_SETTING = "user_search.filter";
    static final String AD_UPN_USER_SEARCH_FILTER_SETTING = "user_search.upn_filter";
    static final String AD_DOWN_LEVEL_USER_SEARCH_FILTER_SETTING = "user_search.down_level_filter";
    static final String AD_USER_SEARCH_SCOPE_SETTING = "user_search.scope";

    /** Filter template used to find the directory entry that describes a NetBIOS domain name. */
    private static final String NETBIOS_NAME_FILTER_TEMPLATE = "(netbiosname={0})";

    /**
     * Boolean setting {@code user_search.pool.enabled}. When it is not set explicitly, its default is
     * derived from whether {@code PoolingSessionFactory.BIND_DN} is present in the settings.
     */
    private static final Setting<Boolean> POOL_ENABLED = Setting.boolSetting(
        "user_search.pool.enabled",
        settings -> Boolean.toString(PoolingSessionFactory.BIND_DN.exists(settings)),
        Setting.Property.NodeScope);

    // One authenticator per supported user-name form; getADAuthenticator(String) picks between them.
    final DefaultADAuthenticator defaultADAuthenticator;
    final DownLevelADAuthenticator downLevelADAuthenticator;
    final UpnADAuthenticator upnADAuthenticator;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactory$ADAuthenticator.class */
    /**
     * Shared bind-then-search logic for the Active Directory authenticators declared in this file.
     * Subclasses implement {@link #searchForDN} and may override {@link #bindUsername}.
     */
    public static abstract class ADAuthenticator {
        private final RealmConfig realm;
        final TimeValue timeout;
        final boolean ignoreReferralErrors;
        final Logger logger;
        final LdapSession.GroupsResolver groupsResolver;
        final LdapMetaDataResolver metaDataResolver;
        final String userSearchDN;
        final LdapSearchScope userSearchScope;
        final String userSearchFilter;
        final String bindDN;
        // Kept as an immutable String for the lifetime of this object, so it cannot be zeroed after use.
        final String bindPassword;

        /**
         * Reads the bind credentials and user-search options from the realm settings.
         *
         * @param realmConfig realm whose settings supply the bind DN, bind password and search options
         * @param timeValue timeout used for searches and passed to every session created here
         * @param z stored as {@code ignoreReferralErrors}
         * @param logger logger passed to every session created here
         * @param groupsResolver resolver whose attributes are requested in user searches
         * @param ldapMetaDataResolver passed to every session created here
         * @param str user-search base DN used when {@code user_search.base_dn} is not set
         * @param str2 settings key holding the user-search filter
         * @param str3 filter used when {@code str2} is not set
         */
        ADAuthenticator(RealmConfig realmConfig, TimeValue timeValue, boolean z, Logger logger, LdapSession.GroupsResolver groupsResolver, LdapMetaDataResolver ldapMetaDataResolver, String str, String str2, String str3) {
            this.realm = realmConfig;
            this.timeout = timeValue;
            this.ignoreReferralErrors = z;
            this.logger = logger;
            this.groupsResolver = groupsResolver;
            this.metaDataResolver = ldapMetaDataResolver;

            final Settings realmSettings = realmConfig.settings();
            this.bindDN = ActiveDirectorySessionFactory.getBindDN(realmSettings);
            this.bindPassword = PoolingSessionFactory.BIND_PASSWORD.get(realmSettings);
            this.userSearchDN = realmSettings.get(ActiveDirectorySessionFactory.AD_USER_SEARCH_BASEDN_SETTING, str);
            this.userSearchScope = LdapSearchScope.resolve(
                realmSettings.get(ActiveDirectorySessionFactory.AD_USER_SEARCH_SCOPE_SETTING), LdapSearchScope.SUB_TREE);
            this.userSearchFilter = realmSettings.get(str2, str3);
        }

        /**
         * Verifies the user's password with a simple bind on the given connection, then searches for
         * the user's entry and reports an {@link LdapSession} that owns the connection.
         *
         * <p>The connection is closed here whenever the search was never dispatched, and by the search
         * callbacks when the search fails or finds no entry.
         *
         * @param lDAPConnection dedicated connection; handed to the session on success
         * @param str user name as supplied by the caller
         * @param secureString the user's password
         * @param actionListener receives the session, or the failure
         */
        final void authenticate(LDAPConnection lDAPConnection, String str, SecureString secureString, ActionListener<LdapSession> actionListener) {
            boolean searchDispatched = false;
            try {
                final String bindName = bindUsername(str);
                // NOTE(review): this UTF-8 copy of the password is never cleared in this method;
                // confirm whether it can be zeroed once the bind has returned.
                final byte[] passwordBytes = CharArrays.toUtf8Bytes(secureString.getChars());
                lDAPConnection.bind(new SimpleBindRequest(bindName, passwordBytes, new AuthorizationIdentityRequestControl()));

                // With a bind DN configured the connection is re-bound, so the search below and the
                // session built from this connection use the bind DN's identity, not the user's.
                if (!this.bindDN.isEmpty()) {
                    lDAPConnection.bind(new SimpleBindRequest(this.bindDN, this.bindPassword));
                }

                final int timeLimitSeconds = Math.toIntExact(this.timeout.seconds());
                searchForDN(lDAPConnection, str, secureString, timeLimitSeconds, ActionListener.wrap(entry -> {
                    if (entry == null) {
                        IOUtils.close(lDAPConnection);
                        actionListener.onFailure(new ElasticsearchSecurityException("search for user [" + str + "] by principle name yielded no results"));
                    } else {
                        actionListener.onResponse(new LdapSession(this.logger, this.realm, lDAPConnection, entry.getDN(), this.groupsResolver, this.metaDataResolver, this.timeout, null));
                    }
                }, failure -> {
                    IOUtils.closeWhileHandlingException(lDAPConnection);
                    actionListener.onFailure(failure);
                }));
                searchDispatched = true;
            } catch (LDAPException e) {
                actionListener.onFailure(e);
            } finally {
                // Once the search is dispatched its callbacks own the connection; before that it is closed here.
                if (!searchDispatched) {
                    IOUtils.closeWhileHandlingException(lDAPConnection);
                }
            }
        }

        /**
         * Verifies the user's password with {@code bindAndRevertAuthentication} on the pool, then
         * searches for the user's entry and reports an {@link LdapSession} backed by the pool.
         *
         * @param lDAPConnectionPool pool used for the bind, the search and the resulting session
         * @param str user name as supplied by the caller
         * @param secureString the user's password
         * @param actionListener receives the session, or the failure
         */
        final void authenticate(LDAPConnectionPool lDAPConnectionPool, String str, SecureString secureString, ActionListener<LdapSession> actionListener) {
            try {
                final String bindName = bindUsername(str);
                // NOTE(review): as in the connection-based overload, this password copy is not cleared here.
                final byte[] passwordBytes = CharArrays.toUtf8Bytes(secureString.getChars());
                lDAPConnectionPool.bindAndRevertAuthentication(new SimpleBindRequest(bindName, passwordBytes));

                final int timeLimitSeconds = Math.toIntExact(this.timeout.seconds());
                final ActionListener<SearchResultEntry> onEntry = ActionListener.wrap(entry -> {
                    if (entry != null) {
                        actionListener.onResponse(new LdapSession(this.logger, this.realm, lDAPConnectionPool, entry.getDN(), this.groupsResolver, this.metaDataResolver, this.timeout, null));
                    } else {
                        actionListener.onFailure(new ElasticsearchSecurityException("search for user [" + str + "] by principle name yielded no results"));
                    }
                }, actionListener::onFailure);
                searchForDN(lDAPConnectionPool, str, secureString, timeLimitSeconds, onEntry);
            } catch (LDAPException e) {
                actionListener.onFailure(e);
            }
        }

        /**
         * Returns the name used in the user's bind request; this base implementation returns the
         * supplied name unchanged.
         */
        String bindUsername(String str) {
            return str;
        }

        /** Returns the user-search filter resolved in the constructor. */
        final String getUserSearchFilter() {
            return this.userSearchFilter;
        }

        /**
         * Searches for the entry of the named user and reports it to the listener.
         *
         * @param lDAPInterface connection or pool to search with
         * @param str user name as supplied by the caller
         * @param secureString the user's password; the lookup paths in this file pass {@code null}
         * @param i search time limit in seconds
         * @param actionListener receives the entry, {@code null} when nothing matched, or the failure
         */
        abstract void searchForDN(LDAPInterface lDAPInterface, String str, SecureString secureString, int i, ActionListener<SearchResultEntry> actionListener);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactory$DefaultADAuthenticator.class */
    /**
     * Authenticator for plain account names: binds as {@code name@domain_name} and searches by
     * {@code sAMAccountName} or by the user principal name built from the configured domain.
     */
    public static class DefaultADAuthenticator extends ADAuthenticator {
        final String domainName;

        /**
         * @param str default user-search base DN; the remaining parameters are passed to
         *            {@link ADAuthenticator} unchanged
         */
        DefaultADAuthenticator(RealmConfig realmConfig, TimeValue timeValue, boolean z, Logger logger, LdapSession.GroupsResolver groupsResolver, LdapMetaDataResolver ldapMetaDataResolver, String str) {
            super(realmConfig, timeValue, z, logger, groupsResolver, ldapMetaDataResolver, str,
                ActiveDirectorySessionFactory.AD_USER_SEARCH_FILTER_SETTING, defaultUserSearchFilter(domainName(realmConfig)));
            this.domainName = domainName(realmConfig);
        }

        /** Reads the {@code domain_name} setting of the realm. */
        private static String domainName(RealmConfig realmConfig) {
            return realmConfig.settings().get(ActiveDirectorySessionFactory.AD_DOMAIN_NAME_SETTING);
        }

        /**
         * Builds the filter used when {@code user_search.filter} is not set. The domain is inserted into
         * the template as-is; it comes from the realm settings, not from the authenticating user.
         */
        private static String defaultUserSearchFilter(String domain) {
            return "(&(objectClass=user)(|(sAMAccountName={0})(userPrincipalName={0}@" + domain + ")))";
        }

        /**
         * Searches under the configured user-search base DN and scope. The user name is not
         * concatenated into the filter here; it is passed to {@code LdapUtils.createFilter} as the
         * value for the template's placeholder.
         */
        @Override
        void searchForDN(LDAPInterface lDAPInterface, String str, SecureString secureString, int i, ActionListener<SearchResultEntry> actionListener) {
            try {
                final SearchScope scope = this.userSearchScope.scope();
                final Filter userFilter = LdapUtils.createFilter(this.userSearchFilter, str);
                LdapUtils.searchForEntry(lDAPInterface, this.userSearchDN, scope, userFilter, i, this.ignoreReferralErrors,
                    actionListener, LdapUtils.attributesToSearchFor(this.groupsResolver.attributes()));
            } catch (LDAPException e) {
                actionListener.onFailure(e);
            }
        }

        /** Returns {@code name@domain_name}, the name used in the user's bind request. */
        @Override
        String bindUsername(String str) {
            return new StringBuilder().append(str).append("@").append(this.domainName).toString();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactory$DownLevelADAuthenticator.class */
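    /**
     * Authenticator for down-level logon names of the form {@code DOMAIN\account}. The NetBIOS
     * domain name is first mapped to the {@code ncname} value of its directory entry, and the
     * account is then searched for beneath that value.
     */
    public static class DownLevelADAuthenticator extends ADAuthenticator {
        static final String DOWN_LEVEL_FILTER = "(&(objectClass=user)(sAMAccountName={0}))";
        // NetBIOS domain name -> the "ncname" value found for it; built with a maximum weight of 100.
        Cache<String, String> domainNameCache;
        final String domainDN;
        final Settings settings;
        final SSLService sslService;
        final RealmConfig config;

        /**
         * @param str DN searched for the NetBIOS name entry; also the default user-search base DN
         * @param sSLService used to build connection options for the extra lookup connection
         */
        DownLevelADAuthenticator(RealmConfig realmConfig, TimeValue timeValue, boolean z, Logger logger, LdapSession.GroupsResolver groupsResolver, LdapMetaDataResolver ldapMetaDataResolver, String str, SSLService sSLService) {
            super(realmConfig, timeValue, z, logger, groupsResolver, ldapMetaDataResolver, str, ActiveDirectorySessionFactory.AD_DOWN_LEVEL_USER_SEARCH_FILTER_SETTING, DOWN_LEVEL_FILTER);
            this.domainNameCache = CacheBuilder.<String, String>builder().setMaximumWeight(100L).build();
            this.domainDN = str;
            this.settings = realmConfig.settings();
            this.sslService = sSLService;
            this.config = realmConfig;
        }

        /**
         * Splits the name on the backslash, resolves the domain part and searches for the account
         * part beneath the resolved value with sub-tree scope.
         *
         * <p>The name comes from the caller and is validated at run time. The decompiled code only
         * asserted the two-part shape, so with assertions disabled a name such as {@code DOMAIN\}
         * raised {@link ArrayIndexOutOfBoundsException}, and a name with further backslashes was
         * searched using only its first two parts. Such names are now reported through
         * {@code onFailure}.
         */
        @Override
        void searchForDN(LDAPInterface lDAPInterface, String str, SecureString secureString, int i, ActionListener<SearchResultEntry> actionListener) {
            final String[] parts = str.split("\\\\");
            if (parts.length != 2) {
                actionListener.onFailure(new ElasticsearchSecurityException("down-level logon name [" + str + "] must consist of exactly one domain name and one account name"));
                return;
            }
            final String netBiosDomainName = parts[0];
            final String accountName = parts[1];
            final ActionListener<String> onDomainDn = ActionListener.wrap(resolvedDn -> {
                if (resolvedDn == null) {
                    // Unknown domain: report "no entry" rather than an error.
                    actionListener.onResponse(null);
                    return;
                }
                try {
                    LdapUtils.searchForEntry(lDAPInterface, resolvedDn, LdapSearchScope.SUB_TREE.scope(), LdapUtils.createFilter(this.userSearchFilter, accountName), i, this.ignoreReferralErrors, actionListener, LdapUtils.attributesToSearchFor(this.groupsResolver.attributes()));
                } catch (LDAPException e) {
                    actionListener.onFailure(e);
                }
            }, actionListener::onFailure);
            netBiosDomainNameToDn(lDAPInterface, netBiosDomainName, str, secureString, i, onDomainDn);
        }

        /**
         * Maps a NetBIOS domain name to the {@code ncname} value of its entry, using the cache when
         * possible.
         *
         * <p>When the supplied connection is on a global catalog port, the lookup runs on a second
         * connection to the same address on port 636 if the original connection has an SSL session,
         * else on port 389. That connection is bound with the bind DN when one is configured,
         * otherwise with the user's name and password, so on the port-389 path those credentials
         * travel with only the protection the connection options provide.
         *
         * @param lDAPInterface connection or pool the caller is using
         * @param str NetBIOS domain name to resolve
         * @param str2 full user name, used for the bind when no bind DN is configured
         * @param secureString user's password, used for the bind when no bind DN is configured
         * @param i search time limit in seconds
         * @param actionListener receives the value, {@code null} when nothing matched, or the failure
         */
        void netBiosDomainNameToDn(LDAPInterface lDAPInterface, String str, String str2, SecureString secureString, int i, ActionListener<String> actionListener) {
            final String cachedDn = this.domainNameCache.get(str);
            try {
                if (cachedDn != null) {
                    actionListener.onResponse(cachedDn);
                } else if (usingGlobalCatalog(lDAPInterface)) {
                    final LDAPConnectionOptions options = ActiveDirectorySessionFactory.connectionOptions(this.config, this.sslService, this.logger);
                    boolean searchDispatched = false;
                    LDAPConnection searchConnection = null;
                    LDAPConnection sourceConnection = null;
                    try {
                        final Filter filter = LdapUtils.createFilter(ActiveDirectorySessionFactory.NETBIOS_NAME_FILTER_TEMPLATE, str);
                        sourceConnection = lDAPInterface instanceof LDAPConnection
                            ? (LDAPConnection) lDAPInterface
                            : ((LDAPConnectionPool) lDAPInterface).getConnection();
                        final int port = sourceConnection.getSSLSession() != null ? 636 : 389;
                        searchConnection = new LDAPConnection(sourceConnection.getSocketFactory(), options, sourceConnection.getConnectedAddress(), port);
                        // NOTE(review): the lookup paths in this file pass a null password to searchForDN;
                        // with an empty bindDN the getChars() call below would then fail. Confirm that
                        // combination cannot be configured.
                        final SimpleBindRequest bindRequest = this.bindDN.isEmpty()
                            ? new SimpleBindRequest(str2, CharArrays.toUtf8Bytes(secureString.getChars()))
                            : new SimpleBindRequest(this.bindDN, this.bindPassword);
                        searchConnection.bind(bindRequest);

                        final LDAPConnection lookupConnection = searchConnection;
                        final ActionListener<List<SearchResultEntry>> onResults = ActionListener.wrap(results -> {
                            IOUtils.close(lookupConnection);
                            handleSearchResults(results, str, this.domainNameCache, actionListener);
                        }, failure -> {
                            IOUtils.closeWhileHandlingException(lookupConnection);
                            actionListener.onFailure(failure);
                        });
                        LdapUtils.search(lookupConnection, this.domainDN, LdapSearchScope.SUB_TREE.scope(), filter, i, this.ignoreReferralErrors, onResults, "ncname");
                        searchDispatched = true;
                    } finally {
                        // Until the search is dispatched nobody else owns the lookup connection.
                        if (!searchDispatched) {
                            IOUtils.closeWhileHandlingException(searchConnection);
                        }
                        // A connection borrowed from the pool is always returned.
                        if ((lDAPInterface instanceof LDAPConnectionPool) && sourceConnection != null) {
                            ((LDAPConnectionPool) lDAPInterface).releaseConnection(sourceConnection);
                        }
                    }
                } else {
                    final Filter filter = LdapUtils.createFilter(ActiveDirectorySessionFactory.NETBIOS_NAME_FILTER_TEMPLATE, str);
                    final ActionListener<List<SearchResultEntry>> onResults = ActionListener.wrap(
                        results -> handleSearchResults(results, str, this.domainNameCache, actionListener),
                        actionListener::onFailure);
                    LdapUtils.search(lDAPInterface, this.domainDN, LdapSearchScope.SUB_TREE.scope(), filter, i, this.ignoreReferralErrors, onResults, "ncname");
                }
            } catch (LDAPException e) {
                actionListener.onFailure(e);
            }
        }

        /**
         * Reports the {@code ncname} value of the first entry that has one, caching it under the
         * given NetBIOS name, or reports {@code null} when no entry has the attribute.
         */
        static void handleSearchResults(List<SearchResultEntry> list, String str, Cache<String, String> cache, ActionListener<String> actionListener) {
            final Optional<SearchResultEntry> match = list.stream()
                .filter(entry -> entry.hasAttribute("ncname"))
                .findFirst();
            if (!match.isPresent()) {
                actionListener.onResponse(null);
                return;
            }
            final String dn = match.get().getAttributeValue("ncname");
            try {
                cache.computeIfAbsent(str, ignoredKey -> dn);
                actionListener.onResponse(dn);
            } catch (ExecutionException e) {
                throw new AssertionError("failed to load constant non-null value", e);
            }
        }

        /**
         * Returns whether the connection, or one borrowed from the pool, is connected to port 3268
         * or 3269. A borrowed connection is released again before returning.
         */
        static boolean usingGlobalCatalog(LDAPInterface lDAPInterface) throws LDAPException {
            if (lDAPInterface instanceof LDAPConnection) {
                return usingGlobalCatalog((LDAPConnection) lDAPInterface);
            }
            final LDAPConnectionPool pool = (LDAPConnectionPool) lDAPInterface;
            LDAPConnection borrowed = null;
            try {
                borrowed = pool.getConnection();
                return usingGlobalCatalog(borrowed);
            } finally {
                if (borrowed != null) {
                    pool.releaseConnection(borrowed);
                }
            }
        }

        private static boolean usingGlobalCatalog(LDAPConnection lDAPConnection) {
            final int port = lDAPConnection.getConnectedPort();
            return port == 3268 || port == 3269;
        }
    }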

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactory$UpnADAuthenticator.class */
    /**
     * Authenticator for user principal names of the form {@code account@domain}. The filter is given
     * two values: {@code {0}} is the part before the first {@code @} and {@code {1}} is the full name.
     */
    public static class UpnADAuthenticator extends ADAuthenticator {
        static final String UPN_USER_FILTER = "(&(objectClass=user)(userPrincipalName={1}))";

        /**
         * Logs a deprecation warning when the configured UPN filter still uses the {@code {0}}
         * placeholder.
         *
         * @param str default user-search base DN; the remaining parameters are passed to
         *            {@link ADAuthenticator} unchanged
         */
        UpnADAuthenticator(RealmConfig realmConfig, TimeValue timeValue, boolean z, Logger logger, LdapSession.GroupsResolver groupsResolver, LdapMetaDataResolver ldapMetaDataResolver, String str) {
            super(realmConfig, timeValue, z, logger, groupsResolver, ldapMetaDataResolver, str, ActiveDirectorySessionFactory.AD_UPN_USER_SEARCH_FILTER_SETTING, UPN_USER_FILTER);
            final boolean usesAccountNameVariable = this.userSearchFilter.contains("{0}");
            if (usesAccountNameVariable) {
                final String settingKey = RealmSettings.getFullSettingKey(realmConfig, ActiveDirectorySessionFactory.AD_UPN_USER_SEARCH_FILTER_SETTING);
                new DeprecationLogger(logger).deprecated("The use of the account name variable {0} in the setting [" + settingKey + "] has been deprecated and will be removed in a future version!");
            }
        }

        /**
         * Searches beneath the user-search base DN with sub-tree scope. The two-part shape of the
         * name is only asserted, so with assertions disabled a name with more than one {@code @} is
         * still searched for using its full text as {@code {1}}.
         */
        @Override
        void searchForDN(LDAPInterface lDAPInterface, String str, SecureString secureString, int i, ActionListener<SearchResultEntry> actionListener) {
            final String[] parts = str.split("@");
            assert parts.length == 2 : "there should have only been two values for " + str + " after splitting on '@'";
            try {
                final SearchScope scope = LdapSearchScope.SUB_TREE.scope();
                final Filter upnFilter = LdapUtils.createFilter(this.userSearchFilter, parts[0], str);
                LdapUtils.searchForEntry(lDAPInterface, this.userSearchDN, scope, upnFilter, i, this.ignoreReferralErrors,
                    actionListener, LdapUtils.attributesToSearchFor(this.groupsResolver.attributes()));
            } catch (LDAPException e) {
                actionListener.onFailure(e);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
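    /**
     * Creates the factory and its three authenticators from the realm settings.
     *
     * <p>The two suppliers passed to the superclass are, presumably, the bind request used for
     * pooled connections and the DN used for pool health checks (confirm against
     * {@code PoolingSessionFactory}). Without a configured bind DN the first supplier yields an
     * empty {@code SimpleBindRequest}.
     *
     * @param realmConfig realm configuration; must contain {@code domain_name}
     * @param sSLService passed to the superclass and to the down-level authenticator
     * @throws IllegalArgumentException if {@code domain_name} is not set
     * @throws LDAPException declared by the signature; the code visible here does not throw it directly
     */
    public ActiveDirectorySessionFactory(RealmConfig realmConfig, SSLService sSLService) throws LDAPException {
        super(realmConfig, sSLService, new ActiveDirectoryGroupsResolver(realmConfig.settings()), POOL_ENABLED, () -> {
            if (BIND_DN.exists(realmConfig.settings())) {
                return new SimpleBindRequest(getBindDN(realmConfig.settings()), BIND_PASSWORD.get(realmConfig.settings()));
            }
            return new SimpleBindRequest();
        }, () -> {
            if (BIND_DN.exists(realmConfig.settings())) {
                final String configuredBindDn = BIND_DN.get(realmConfig.settings());
                // The previous test was `isEmpty() && indexOf('=') > 0`, which can never be true, so
                // this branch was unreachable. A bind DN written in DN form (containing '=') is now used.
                if (configuredBindDn.indexOf('=') > 0) {
                    return configuredBindDn;
                }
            }
            return realmConfig.settings().get(AD_USER_SEARCH_BASEDN_SETTING, realmConfig.settings().get(AD_DOMAIN_NAME_SETTING));
        });
        final String domainName = realmConfig.settings().get(AD_DOMAIN_NAME_SETTING);
        if (domainName == null) {
            throw new IllegalArgumentException("missing [domain_name] setting for active directory");
        }
        // All three authenticators share the DN derived from the domain name as their default base DN.
        final String domainDn = buildDnFromDomain(domainName);
        this.defaultADAuthenticator = new DefaultADAuthenticator(realmConfig, this.timeout, this.ignoreReferralErrors, this.logger, this.groupResolver, this.metaDataResolver, domainDn);
        this.downLevelADAuthenticator = new DownLevelADAuthenticator(realmConfig, this.timeout, this.ignoreReferralErrors, this.logger, this.groupResolver, this.metaDataResolver, domainDn, sSLService);
        this.upnADAuthenticator = new UpnADAuthenticator(realmConfig, this.timeout, this.ignoreReferralErrors, this.logger, this.groupResolver, this.metaDataResolver, domainDn);
    }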

    /**
     * Returns the single default URL {@code ldap://<domain_name>:389}.
     *
     * <p>The scheme is plain {@code ldap}, and the authenticators in this file verify passwords
     * with simple binds, so a realm relying on this default sends credentials over whatever
     * protection the connection itself provides; configure LDAPS URLs explicitly where that
     * matters.
     */
    @Override
    protected String[] getDefaultLdapUrls(Settings settings) {
        final String domain = settings.get(AD_DOMAIN_NAME_SETTING);
        final String defaultUrl = "ldap://" + domain + ":389";
        return new String[] {defaultUrl};
    }

    /**
     * Authenticates the user against the pool with the authenticator that matches the form of the
     * user name.
     */
    @Override
    void getSessionWithPool(LDAPConnectionPool lDAPConnectionPool, String str, SecureString secureString, ActionListener<LdapSession> actionListener) {
        final ADAuthenticator authenticator = getADAuthenticator(str);
        authenticator.authenticate(lDAPConnectionPool, str, secureString, actionListener);
    }

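    /**
     * Opens a dedicated connection from the server set and authenticates the user on it with the
     * authenticator that matches the form of the user name.
     *
     * <p>The decompiled body forwarded successes through an undefined identifier ({@code r4});
     * they are forwarded to {@code actionListener} here. A failure to obtain the connection is
     * reported through {@code onFailure}; a failure during authentication closes the connection
     * before it is reported.
     */
    @Override
    void getSessionWithoutPool(String str, SecureString secureString, ActionListener<LdapSession> actionListener) {
        final LDAPConnection connection;
        try {
            connection = this.serverSet.getConnection();
        } catch (LDAPException e) {
            actionListener.onFailure(e);
            return;
        }
        final ADAuthenticator authenticator = getADAuthenticator(str);
        authenticator.authenticate(connection, str, secureString, ActionListener.wrap(actionListener::onResponse, failure -> {
            IOUtils.closeWhileHandlingException(connection);
            actionListener.onFailure(failure);
        }));
    }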

    /**
     * Looks up the named user through the pool without checking any password: the search is run
     * with a {@code null} password and the listener receives a session for the entry found, or
     * {@code null} when there is none.
     */
    @Override
    void getUnauthenticatedSessionWithPool(LDAPConnectionPool lDAPConnectionPool, String str, ActionListener<LdapSession> actionListener) {
        final ADAuthenticator authenticator = getADAuthenticator(str);
        final int timeLimitSeconds = Math.toIntExact(this.timeout.seconds());
        final ActionListener<SearchResultEntry> onEntry = ActionListener.wrap(entry -> {
            if (entry != null) {
                actionListener.onResponse(new LdapSession(this.logger, this.config, lDAPConnectionPool, entry.getDN(), this.groupResolver, this.metaDataResolver, this.timeout, null));
            } else {
                actionListener.onResponse(null);
            }
        }, actionListener::onFailure);
        authenticator.searchForDN(lDAPConnectionPool, str, null, timeLimitSeconds, onEntry);
    }

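    /**
     * Looks up the named user on a dedicated connection bound with the configured bind DN, without
     * checking any user password. When no bind DN is configured the listener receives {@code null}.
     *
     * <p>The decompiled body typed the connection as {@code Closeable} and called {@code bind} on
     * it, which cannot compile; the variable is an {@code LDAPConnection} here and the clean-up is
     * a plain {@code finally}. The connection is closed unless the search was dispatched; after
     * that the callbacks close it when no entry is found or the search fails, and otherwise hand
     * it to the session.
     */
    @Override
    void getUnauthenticatedSessionWithoutPool(String str, ActionListener<LdapSession> actionListener) {
        if (!BIND_DN.exists(this.config.settings())) {
            actionListener.onResponse(null);
            return;
        }
        LDAPConnection connection = null;
        boolean searchDispatched = false;
        try {
            connection = this.serverSet.getConnection();
            connection.bind(new SimpleBindRequest(getBindDN(this.config.settings()), BIND_PASSWORD.get(this.config.settings())));
            final LDAPConnection boundConnection = connection;
            final ADAuthenticator authenticator = getADAuthenticator(str);
            authenticator.searchForDN(boundConnection, str, null, Math.toIntExact(this.timeout.getSeconds()), ActionListener.wrap(entry -> {
                if (entry != null) {
                    actionListener.onResponse(new LdapSession(this.logger, this.config, boundConnection, entry.getDN(), this.groupResolver, this.metaDataResolver, this.timeout, null));
                } else {
                    IOUtils.closeWhileHandlingException(boundConnection);
                    actionListener.onResponse(null);
                }
            }, failure -> {
                IOUtils.closeWhileHandlingException(boundConnection);
                actionListener.onFailure(failure);
            }));
            searchDispatched = true;
        } catch (LDAPException e) {
            actionListener.onFailure(e);
        } finally {
            if (connection != null && !searchDispatched) {
                IOUtils.closeWhileHandlingException(connection);
            }
        }
    }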

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Builds a DN from a domain name by prefixing {@code DC=} and replacing every separator with
     * {@code ,DC=}. The parts are not DN-escaped; the only caller in this file passes the
     * {@code domain_name} realm setting.
     */
    public static String buildDnFromDomain(String str) {
        // NOTE(review): presumably this constant is ".", substituted by the decompiler for a string
        // literal with the same value; confirm, and inline the literal so the security code does not
        // depend on an ML class.
        final String separator = RecordWriter.CONTROL_FIELD_NAME;
        final String joinedComponents = str.replace(separator, ",DC=");
        return "DC=" + joinedComponents;
    }

    /**
     * Returns the configured bind DN. A non-empty value that contains none of {@code \}, {@code @}
     * and {@code =} is treated as a bare account name and gets {@code @<domain_name>} appended;
     * any other value, including the empty string, is returned unchanged.
     */
    static String getBindDN(Settings settings) {
        final String configured = BIND_DN.get(settings);
        final boolean bareAccountName = !configured.isEmpty()
            && configured.indexOf('\\') < 0
            && configured.indexOf('@') < 0
            && configured.indexOf('=') < 0;
        if (bareAccountName) {
            return configured + "@" + settings.get(AD_DOMAIN_NAME_SETTING);
        }
        return configured;
    }

    /**
     * Returns the settings registered for this realm type: those of {@code SessionFactory}, the
     * Active Directory keys declared in this class as node-scoped string settings, and those of
     * {@code PoolingSessionFactory}.
     */
    public static Set<Setting<?>> getSettings() {
        final Set<Setting<?>> registered = new HashSet<>(SessionFactory.getSettings());
        final String[] activeDirectoryKeys = {
            AD_DOMAIN_NAME_SETTING,
            AD_GROUP_SEARCH_BASEDN_SETTING,
            AD_GROUP_SEARCH_SCOPE_SETTING,
            AD_USER_SEARCH_BASEDN_SETTING,
            AD_USER_SEARCH_FILTER_SETTING,
            AD_UPN_USER_SEARCH_FILTER_SETTING,
            AD_DOWN_LEVEL_USER_SEARCH_FILTER_SETTING,
            AD_USER_SEARCH_SCOPE_SETTING,
        };
        for (String key : activeDirectoryKeys) {
            registered.add(Setting.simpleString(key, Setting.Property.NodeScope));
        }
        registered.addAll(PoolingSessionFactory.getSettings());
        return registered;
    }

    /**
     * Chooses the authenticator from the form of the user name: a backslash after the first
     * character selects the down-level authenticator, otherwise an {@code @} after the first
     * character selects the UPN authenticator, otherwise the default one is used. A name that
     * merely starts with either character therefore falls through to the next rule.
     */
    ADAuthenticator getADAuthenticator(String str) {
        if (str.indexOf('\\') > 0) {
            return this.downLevelADAuthenticator;
        }
        if (str.indexOf('@') > 0) {
            return this.upnADAuthenticator;
        }
        return this.defaultADAuthenticator;
    }
}
