package org.elasticsearch.shield.authc.ldap;

import com.google.common.primitives.Ints;
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.GetEntryLDAPConnectionPoolHealthCheck;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionPool;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.ServerSet;
import com.unboundid.ldap.sdk.SimpleBindRequest;
import java.io.IOException;
import java.util.Locale;
import org.elasticsearch.common.logging.ESLogger;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.shield.ShieldSettingsFilter;
import org.elasticsearch.shield.authc.RealmConfig;
import org.elasticsearch.shield.authc.activedirectory.ActiveDirectorySessionFactory;
import org.elasticsearch.shield.authc.ldap.support.LdapSearchScope;
import org.elasticsearch.shield.authc.ldap.support.LdapSession;
import org.elasticsearch.shield.authc.ldap.support.LdapUtils;
import org.elasticsearch.shield.authc.ldap.support.SessionFactory;
import org.elasticsearch.shield.authc.support.SecuredString;
import org.elasticsearch.shield.ssl.ClientSSLService;
import org.elasticsearch.shield.support.Exceptions;

/* loaded from: input_file:org/elasticsearch/shield/authc/ldap/LdapUserSearchSessionFactory.class */
public class LdapUserSearchSessionFactory extends SessionFactory {
    static final int DEFAULT_CONNECTION_POOL_SIZE = 20;
    static final int DEFAULT_CONNECTION_POOL_INITIAL_SIZE = 5;
    static final String DEFAULT_USERNAME_ATTRIBUTE = "uid";
    static final TimeValue DEFAULT_HEALTH_CHECK_INTERVAL = TimeValue.timeValueSeconds(60);
    private final String userSearchBaseDn;
    private final LdapSearchScope scope;
    private final String userAttribute;
    private LDAPConnectionPool connectionPool;
    private LdapSession.GroupsResolver groupResolver;

    public LdapUserSearchSessionFactory(RealmConfig realmConfig, ClientSSLService clientSSLService) {
        super(realmConfig, clientSSLService);
        Settings settings = realmConfig.settings();
        this.userSearchBaseDn = settings.get(ActiveDirectorySessionFactory.AD_USER_SEARCH_BASEDN_SETTING);
        if (this.userSearchBaseDn == null) {
            throw new IllegalArgumentException("user_search base_dn must be specified");
        }
        this.scope = LdapSearchScope.resolve(settings.get(ActiveDirectorySessionFactory.AD_USER_SEARCH_SCOPE_SETTING), LdapSearchScope.SUB_TREE);
        this.userAttribute = settings.get("user_search.attribute", DEFAULT_USERNAME_ATTRIBUTE);
    }

    @Override // org.elasticsearch.shield.authc.ldap.support.SessionFactory
    public LdapUserSearchSessionFactory init() {
        super.init();
        this.connectionPool = createConnectionPool(this.config, this.serverSet, this.timeout, this.logger);
        this.groupResolver = groupResolver(this.config.settings());
        return this;
    }

    private synchronized LDAPConnectionPool connectionPool() throws IOException {
        if (this.connectionPool == null) {
            this.connectionPool = createConnectionPool(this.config, this.serverSet, this.timeout, this.logger);
            if (this.connectionPool == null) {
                throw new IOException("failed to create a connection pool for realm [" + this.config.name() + "] as no LDAP servers are available");
            }
        }
        return this.connectionPool;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static void filterOutSensitiveSettings(String str, ShieldSettingsFilter shieldSettingsFilter) {
        shieldSettingsFilter.filterOut("shield.authc.realms." + str + ".bind_dn");
        shieldSettingsFilter.filterOut("shield.authc.realms." + str + ".bind_password");
        shieldSettingsFilter.filterOut("shield.authc.realms." + str + "." + SessionFactory.HOSTNAME_VERIFICATION_SETTING);
    }

    static LDAPConnectionPool createConnectionPool(RealmConfig realmConfig, ServerSet serverSet, TimeValue timeValue, ESLogger eSLogger) {
        Settings settings = realmConfig.settings();
        SimpleBindRequest bindRequest = bindRequest(settings);
        try {
            LDAPConnectionPool lDAPConnectionPool = new LDAPConnectionPool(serverSet, bindRequest, settings.getAsInt("user_search.pool.initial_size", Integer.valueOf(DEFAULT_CONNECTION_POOL_INITIAL_SIZE)).intValue(), settings.getAsInt("user_search.pool.size", Integer.valueOf(DEFAULT_CONNECTION_POOL_SIZE)).intValue());
            lDAPConnectionPool.setRetryFailedOperationsDueToInvalidConnections(true);
            if (settings.getAsBoolean("user_search.pool.health_check.enabled", true).booleanValue()) {
                String str = settings.get("user_search.pool.health_check.dn", bindRequest == null ? null : bindRequest.getBindDN());
                if (str == null) {
                    lDAPConnectionPool.close();
                    throw new IllegalArgumentException("[bind_dn] has not been specified so a value must be specified for [user_search.pool.health_check.dn] or [user_search.pool.health_check.enabled] must be set to false");
                }
                long millis = settings.getAsTime("user_search.pool.health_check.interval", DEFAULT_HEALTH_CHECK_INTERVAL).millis();
                lDAPConnectionPool.setHealthCheck(new GetEntryLDAPConnectionPoolHealthCheck(str, timeValue.millis(), false, false, false, true, false));
                lDAPConnectionPool.setHealthCheckIntervalMillis(millis);
            }
            return lDAPConnectionPool;
        } catch (LDAPException e) {
            if (eSLogger.isDebugEnabled()) {
                eSLogger.debug("unable to create connection pool for realm [{}]", e, new Object[]{realmConfig.name()});
                return null;
            }
            eSLogger.error("unable to create connection pool for realm [{}]: {}", new Object[]{realmConfig.name(), e.getMessage()});
            return null;
        }
    }

    static SimpleBindRequest bindRequest(Settings settings) {
        SimpleBindRequest simpleBindRequest = null;
        String str = settings.get("bind_dn");
        if (str != null) {
            simpleBindRequest = new SimpleBindRequest(str, settings.get("bind_password"));
        }
        return simpleBindRequest;
    }

    @Override // org.elasticsearch.shield.authc.ldap.support.SessionFactory
    protected LdapSession getSession(String str, SecuredString securedString) throws Exception {
        try {
            String findUserDN = findUserDN(str);
            tryBind(findUserDN, securedString);
            return new LdapSession(this.logger, this.connectionPool, findUserDN, this.groupResolver, this.timeout);
        } catch (LDAPException e) {
            throw Exceptions.authenticationError("failed to authenticate user [{}]", e, str);
        }
    }

    @Override // org.elasticsearch.shield.authc.ldap.support.SessionFactory
    public boolean supportsUnauthenticatedSession() {
        return true;
    }

    @Override // org.elasticsearch.shield.authc.ldap.support.SessionFactory
    public LdapSession unauthenticatedSession(String str) throws Exception {
        try {
            return new LdapSession(this.logger, this.connectionPool, findUserDN(str), this.groupResolver, this.timeout);
        } catch (LDAPException e) {
            throw Exceptions.authenticationError("failed to lookup user [{}]", e, str);
        }
    }

    private String findUserDN(String str) throws Exception {
        SearchRequest searchRequest = new SearchRequest(this.userSearchBaseDn, this.scope.scope(), Filter.createEqualityFilter(this.userAttribute, Filter.encodeValue(str)), new String[]{"1.1"});
        searchRequest.setTimeLimitSeconds(Ints.checkedCast(this.timeout.seconds()));
        SearchResultEntry searchForEntry = LdapUtils.searchForEntry(connectionPool(), searchRequest, this.logger);
        if (searchForEntry == null) {
            throw Exceptions.authenticationError("failed to find user [{}] with search base [{}] scope [{}]", str, this.userSearchBaseDn, this.scope.toString().toLowerCase(Locale.ENGLISH));
        }
        return searchForEntry.getDN();
    }

    private void tryBind(String str, SecuredString securedString) throws IOException {
        try {
            LDAPConnection connection = this.serverSet.getConnection();
            try {
                try {
                    connection.bind(str, new String(securedString.internalChars()));
                    connection.close();
                } catch (LDAPException e) {
                    throw Exceptions.authenticationError("failed LDAP authentication for DN [{}]", e, str);
                }
            } catch (Throwable th) {
                connection.close();
                throw th;
            }
        } catch (LDAPException e2) {
            throw new IOException("unable to connect to any LDAP servers for bind", e2);
        }
    }

    void shutdown() {
        if (this.connectionPool != null) {
            this.connectionPool.close();
        }
    }

    static LdapSession.GroupsResolver groupResolver(Settings settings) {
        Settings asSettings = settings.getAsSettings("group_search");
        return !asSettings.names().isEmpty() ? new SearchGroupsResolver(asSettings) : new UserAttributeGroupsResolver(settings);
    }
}
