package org.elasticsearch.shield.authc.ldap;

import com.google.common.primitives.Ints;
import com.unboundid.ldap.sdk.Attribute;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.LDAPInterface;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import org.elasticsearch.common.logging.ESLogger;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.shield.authc.ldap.support.LdapSearchScope;
import org.elasticsearch.shield.authc.ldap.support.LdapSession;
import org.elasticsearch.shield.authc.ldap.support.LdapUtils;
import org.elasticsearch.shield.support.Exceptions;

/* loaded from: input_file:org/elasticsearch/shield/authc/ldap/SearchGroupsResolver.class */
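/**
 * Resolves the groups of an LDAP user by running a group search under a configured base DN.
 *
 * <p>Settings read by the constructor:
 * <ul>
 *   <li>{@code base_dn} (required): search base for the group lookup.</li>
 *   <li>{@code filter}: group filter template; defaults to {@link #GROUP_SEARCH_DEFAULT_FILTER}.</li>
 *   <li>{@code user_attribute}: when set, the value of this attribute on the user's entry is
 *       substituted into the filter instead of the user's DN.</li>
 *   <li>{@code scope}: search scope; defaults to {@code LdapSearchScope.SUB_TREE}.</li>
 * </ul>
 *
 * <p>NOTE(review): the value substituted into the filter (the user DN, or an attribute value read
 * from the directory) is passed to {@code LdapUtils.createFilter}. That helper is not visible in
 * this file; confirm it escapes filter metacharacters (RFC 4515) before substitution, since the
 * returned group DNs are the result of that filter.
 */
class SearchGroupsResolver implements LdapSession.GroupsResolver {
    private static final String GROUP_SEARCH_DEFAULT_FILTER = "(&(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))(|(uniqueMember={0})(member={0})))";

    /** The "1.1" attribute selector asks the server to return entries without any attributes. */
    private static final String NO_ATTRIBUTES = "1.1";

    private final String baseDn;
    private final String filter;
    private final String userAttribute;
    private final LdapSearchScope scope;

    /**
     * Reads the group-search configuration.
     *
     * @param settings the group-search settings
     * @throws IllegalArgumentException if {@code base_dn} is not set
     */
    public SearchGroupsResolver(Settings settings) {
        this.baseDn = settings.get("base_dn");
        if (this.baseDn == null) {
            throw new IllegalArgumentException("base_dn must be specified");
        }
        this.filter = settings.get("filter", GROUP_SEARCH_DEFAULT_FILTER);
        this.userAttribute = settings.get("user_attribute");
        this.scope = LdapSearchScope.resolve(settings.get("scope"), LdapSearchScope.SUB_TREE);
    }

    /**
     * Searches for group entries matching the configured filter and returns their DNs.
     *
     * @param connection the LDAP connection used for the search
     * @param userDn the DN of the user whose groups are resolved
     * @param timeout the search time limit
     * @param logger logger handed to the {@code LdapUtils} helpers
     * @return the DNs of all matching group entries, possibly empty
     */
    @Override
    public List<String> resolve(LDAPInterface connection, String userDn, TimeValue timeout, ESLogger logger) {
        List<String> groupDns = new LinkedList<>();
        try {
            // Without a user_attribute the DN itself is the value matched against member/uniqueMember.
            String filterValue;
            if (this.userAttribute != null) {
                filterValue = readUserAttribute(connection, userDn, timeout, logger);
            } else {
                filterValue = userDn;
            }
            SearchRequest searchRequest = new SearchRequest(
                    this.baseDn,
                    this.scope.scope(),
                    LdapUtils.createFilter(this.filter, filterValue),
                    NO_ATTRIBUTES);
            // NOTE(review): a sub-second timeout presumably truncates to 0 here, and a time limit
            // of 0 means "no limit" in LDAP; confirm callers never pass one.
            searchRequest.setTimeLimitSeconds(Ints.checkedCast(timeout.seconds()));
            for (SearchResultEntry entry : LdapUtils.search(connection, searchRequest, logger).getSearchEntries()) {
                groupDns.add(entry.getDN());
            }
            return groupDns;
        } catch (LDAPException e) {
            throw Exceptions.authenticationError("could not search for LDAP groups for DN [{}]", e, userDn);
        }
    }

    /**
     * Reads the configured {@code user_attribute} from the user's own entry.
     *
     * @param connection the LDAP connection used for the lookup
     * @param userDn the DN of the user entry to read
     * @param timeout the search time limit
     * @param logger logger handed to the {@code LdapUtils} helpers
     * @return the attribute's value; for a multi-valued attribute only one value is used
     */
    String readUserAttribute(LDAPInterface connection, String userDn, TimeValue timeout, ESLogger logger) {
        try {
            SearchRequest searchRequest = new SearchRequest(
                    userDn, SearchScope.BASE, LdapUtils.OBJECT_CLASS_PRESENCE_FILTER, this.userAttribute);
            searchRequest.setTimeLimitSeconds(Ints.checkedCast(timeout.seconds()));
            SearchResultEntry entry = LdapUtils.searchForEntry(connection, searchRequest, logger);
            // The helper's contract is not visible in this file; the SDK's own searchForEntry returns
            // null when nothing matches, so a missing entry is reported as an authentication error
            // rather than surfacing as a NullPointerException.
            Attribute attribute = entry == null ? null : entry.getAttribute(this.userAttribute);
            if (attribute == null) {
                throw Exceptions.authenticationError("no results returned for DN [{}] attribute [{}]", userDn, this.userAttribute);
            }
            return attribute.getValue();
        } catch (LDAPException e) {
            throw Exceptions.authenticationError("could not retrieve attribute [{}] for DN [{}]", e, this.userAttribute, userDn);
        }
    }
}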
