package org.elasticsearch.xpack.security.authc.ldap;

import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionPool;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.LDAPInterface;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.ServerSet;
import com.unboundid.ldap.sdk.SimpleBindRequest;
import java.util.Objects;
import java.util.stream.Stream;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRunnable;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.util.concurrent.AbstractRunnable;
import org.elasticsearch.core.CharArrays;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.internal.io.IOUtils;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
import org.elasticsearch.xpack.core.security.authc.ldap.LdapUserSearchSessionFactorySettings;
import org.elasticsearch.xpack.core.security.authc.ldap.PoolingSessionFactorySettings;
import org.elasticsearch.xpack.core.security.authc.ldap.SearchGroupsResolverSettings;
import org.elasticsearch.xpack.core.security.authc.ldap.support.LdapSearchScope;
import org.elasticsearch.xpack.core.ssl.SSLService;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapSession;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactory.class */
/**
 * LDAP session factory for "user search" mode: the user's entry is located with an LDAP search
 * (base DN, scope and filter taken from the realm settings) and, for authenticated sessions, the
 * supplied password is then verified with a simple bind against the DN that the search returned.
 *
 * <p>This listing is decompiler output (JADX); synthetic names such as {@code AnonymousClass1} and
 * {@code val$...} come from the decompiler, not from the original source.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The user name reaches the directory only through {@code LdapUtils.createFilter}; whether it
 *       escapes LDAP filter metacharacters is not visible in this file. Confirm in LdapUtils.</li>
 *   <li>Nothing in this class rejects an empty password before building the {@code SimpleBindRequest}.
 *       A simple bind with a DN and an empty password is accepted by many servers as an
 *       unauthenticated bind, so confirm that callers reject empty passwords or that the SDK's
 *       {@code LDAPConnectionOptions.setBindWithDNRequiresPassword} protection is left enabled.</li>
 *   <li>The "unauthenticated session" methods build a session from the search result alone; a
 *       non-null session from them proves only that an entry matched, not that a password was checked.</li>
 * </ul>
 */
class LdapUserSearchSessionFactory extends PoolingSessionFactory {
    // Settings prefix for the user-search group; not referenced by any other line of this class.
    static final String SEARCH_PREFIX = "user_search.";
    // Base DN under which user entries are searched (SEARCH_BASE_DN setting, mandatory).
    private final String userSearchBaseDn;
    // Search scope taken from the SEARCH_SCOPE setting.
    private final LdapSearchScope scope;
    // Filter template produced by getSearchFilter(); "{0}" marks where the user name goes.
    private final String searchFilter;

    /**
     * Continuation used by {@link #getSessionWithoutPool}: it is handed to
     * {@code LdapUtils.maybeForkThenBind} together with the realm's bind credentials and carries the
     * user name, the dedicated connection, the caller's listener and the user's password.
     *
     * <p>NOTE(review): presumably {@code doRun} is invoked once that bind succeeded and
     * {@code onFailure} when it failed. Confirm in LdapUtils.
     */
    /* renamed from: org.elasticsearch.xpack.security.authc.ldap.LdapUserSearchSessionFactory$1, reason: invalid class name */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactory$1.class */
    class AnonymousClass1 extends AbstractRunnable {
        final /* synthetic */ String val$user;
        final /* synthetic */ LDAPConnection val$connection;
        final /* synthetic */ ActionListener val$listener;
        final /* synthetic */ SecureString val$password;

        AnonymousClass1(String str, LDAPConnection lDAPConnection, ActionListener actionListener, SecureString secureString) {
            this.val$user = str;
            this.val$connection = lDAPConnection;
            this.val$listener = actionListener;
            this.val$password = secureString;
        }

        /**
         * Searches for the user on the dedicated connection, binds as the found DN with the supplied
         * password, binds again with the realm's bind credentials and finally answers the listener
         * with an {@code LdapSession} that owns the connection. Every failure path closes the
         * connection before notifying the listener.
         */
        protected void doRun() throws Exception {
            LdapUserSearchSessionFactory ldapUserSearchSessionFactory = LdapUserSearchSessionFactory.this;
            String str = this.val$user;
            LDAPConnection lDAPConnection = this.val$connection;
            LDAPConnection lDAPConnection2 = this.val$connection;
            ActionListener actionListener = this.val$listener;
            SecureString secureString = this.val$password;
            CheckedConsumer checkedConsumer = searchResultEntry -> {
                if (searchResultEntry == null) {
                    // No entry matched: release the connection and answer null (no session) rather than an error.
                    IOUtils.close(lDAPConnection2);
                    actionListener.onResponse((Object) null);
                } else {
                    final String dn = searchResultEntry.getDN();
                    // Password check: simple bind as the DN returned by the search. The password is copied
                    // into a UTF-8 byte[] that this class never clears.
                    // NOTE(review): no empty-password guard here; see the class comment.
                    LdapUtils.maybeForkThenBind(lDAPConnection2, new SimpleBindRequest(dn, CharArrays.toUtf8Bytes(secureString.getChars())), LdapUserSearchSessionFactory.this.threadPool, new AbstractRunnable() { // from class: org.elasticsearch.xpack.security.authc.ldap.LdapUserSearchSessionFactory.1.1
                        protected void doRun() throws Exception {
                            // Bind again with the realm's bind credentials before the connection is handed to
                            // the session, so the session's connection is not left bound as the end user.
                            LdapUtils.maybeForkThenBind(lDAPConnection2, LdapUserSearchSessionFactory.this.bindCredentials, LdapUserSearchSessionFactory.this.threadPool, new AbstractRunnable() { // from class: org.elasticsearch.xpack.security.authc.ldap.LdapUserSearchSessionFactory.1.1.1
                                protected void doRun() throws Exception {
                                    actionListener.onResponse(new LdapSession(LdapUserSearchSessionFactory.this.logger, LdapUserSearchSessionFactory.this.config, lDAPConnection2, dn, LdapUserSearchSessionFactory.this.groupResolver, LdapUserSearchSessionFactory.this.metadataResolver, LdapUserSearchSessionFactory.this.timeout, searchResultEntry.getAttributes()));
                                }

                                public void onFailure(Exception exc) {
                                    // Close first, then report: the listener never receives a session on this path.
                                    IOUtils.closeWhileHandlingException(lDAPConnection2);
                                    actionListener.onFailure(exc);
                                }
                            });
                        }

                        public void onFailure(Exception exc) {
                            // Failure path of the user bind: the connection is closed and the exception forwarded.
                            IOUtils.closeWhileHandlingException(lDAPConnection2);
                            actionListener.onFailure(exc);
                        }
                    });
                }
            };
            LDAPConnection lDAPConnection3 = this.val$connection;
            ActionListener actionListener2 = this.val$listener;
            // Search failures (and exceptions thrown by the consumer above) also close the connection.
            ldapUserSearchSessionFactory.findUser(str, lDAPConnection, ActionListener.wrap(checkedConsumer, exc -> {
                IOUtils.closeWhileHandlingException(lDAPConnection3);
                actionListener2.onFailure(exc);
            }));
        }

        /** Closes the dedicated connection and forwards the exception to the caller's listener. */
        public void onFailure(Exception exc) {
            IOUtils.closeWhileHandlingException(this.val$connection);
            this.val$listener.onFailure(exc);
        }
    }

    /**
     * Builds the factory from the realm settings.
     *
     * <p>The superclass receives the group resolver, the POOL_ENABLED setting, the BIND_DN setting
     * (null when unset) and a supplier that yields BIND_DN or, when that is unset, SEARCH_BASE_DN.
     * NOTE(review): how the superclass uses these two DN arguments is not visible here; a null bind
     * DN presumably means the search runs over an anonymous bind. Confirm in PoolingSessionFactory.
     *
     * <p>The base DN and the search filter are written to the log at info level.
     *
     * @throws IllegalArgumentException if SEARCH_BASE_DN is not configured, or if getSearchFilter rejects the settings
     * @throws LDAPException declared by this constructor; no statement in this body throws it directly
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public LdapUserSearchSessionFactory(RealmConfig realmConfig, SSLService sSLService, ThreadPool threadPool) throws LDAPException {
        super(realmConfig, sSLService, groupResolver(realmConfig), LdapUserSearchSessionFactorySettings.POOL_ENABLED, (String) realmConfig.getSetting(PoolingSessionFactorySettings.BIND_DN, () -> {
            return null;
        }), () -> {
            return (String) realmConfig.getSetting(PoolingSessionFactorySettings.BIND_DN, () -> {
                return (String) realmConfig.getSetting(LdapUserSearchSessionFactorySettings.SEARCH_BASE_DN);
            });
        }, threadPool);
        // The search base DN is mandatory in this mode; the default supplier exists only to fail with a clear message.
        this.userSearchBaseDn = (String) realmConfig.getSetting(LdapUserSearchSessionFactorySettings.SEARCH_BASE_DN, () -> {
            throw new IllegalArgumentException("[" + RealmSettings.getFullSettingKey(realmConfig, LdapUserSearchSessionFactorySettings.SEARCH_BASE_DN) + "] must be specified");
        });
        this.scope = (LdapSearchScope) realmConfig.getSetting(LdapUserSearchSessionFactorySettings.SEARCH_SCOPE);
        this.searchFilter = getSearchFilter(realmConfig);
        this.logger.info("Realm [{}] is in user-search mode - base_dn=[{}], search filter=[{}]", realmConfig.name(), this.userSearchBaseDn, this.searchFilter);
    }

    /**
     * Reports whether the realm configures any user-search setting (base DN, attribute, scope,
     * filter or pool-enabled).
     *
     * @return true if at least one of those settings is present on the realm
     * @throws NullPointerException if realmConfig is null
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean hasUserSearchSettings(RealmConfig realmConfig) {
        Stream of = Stream.of((Object[]) new Setting.AffixSetting[]{LdapUserSearchSessionFactorySettings.SEARCH_BASE_DN, LdapUserSearchSessionFactorySettings.SEARCH_ATTRIBUTE, LdapUserSearchSessionFactorySettings.SEARCH_SCOPE, LdapUserSearchSessionFactorySettings.SEARCH_FILTER, LdapUserSearchSessionFactorySettings.POOL_ENABLED});
        Objects.requireNonNull(realmConfig);
        return of.anyMatch(realmConfig::hasSetting);
    }

    /**
     * Authenticates a user over the connection pool: search for the entry, then bind as the found DN
     * with the supplied password, then answer with an {@code LdapSession} backed by the pool.
     * The listener receives null when no entry matches, and the failure when search or bind fails.
     *
     * <p>NOTE(review): going by its name, {@code maybeForkThenBindAndRevert} restores the pooled
     * connection's original bind identity after the password check. Confirm in LdapUtils, because a
     * pooled connection left bound as an end user would be reused for later searches.
     */
    @Override // org.elasticsearch.xpack.security.authc.ldap.PoolingSessionFactory
    void getSessionWithPool(LDAPConnectionPool lDAPConnectionPool, String str, SecureString secureString, ActionListener<LdapSession> actionListener) {
        CheckedConsumer checkedConsumer = searchResultEntry -> {
            if (searchResultEntry == null) {
                // Unknown user: answer null instead of failing.
                actionListener.onResponse((Object) null);
            } else {
                String dn = searchResultEntry.getDN();
                // The password is copied into a UTF-8 byte[] that this method never clears.
                // NOTE(review): no empty-password guard here; see the class comment.
                LdapUtils.maybeForkThenBindAndRevert(lDAPConnectionPool, new SimpleBindRequest(dn, CharArrays.toUtf8Bytes(secureString.getChars())), this.threadPool, ActionRunnable.supply(actionListener, () -> {
                    return new LdapSession(this.logger, this.config, lDAPConnectionPool, dn, this.groupResolver, this.metadataResolver, this.timeout, searchResultEntry.getAttributes());
                }));
            }
        };
        Objects.requireNonNull(actionListener);
        findUser(str, lDAPConnectionPool, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    /**
     * Authenticates a user without a pool: opens a dedicated connection, binds it with the realm's
     * bind credentials and leaves the search and password check to {@code AnonymousClass1}.
     * An {@code LDAPException} caught here is reported through the listener.
     *
     * <p>NOTE(review): the catch block does not close the connection. That is harmless if only the
     * connect call can throw {@code LDAPException}; confirm that {@code maybeForkThenBind} cannot
     * throw it synchronously.
     */
    @Override // org.elasticsearch.xpack.security.authc.ldap.PoolingSessionFactory
    void getSessionWithoutPool(String str, SecureString secureString, ActionListener<LdapSession> actionListener) {
        try {
            ServerSet serverSet = this.serverSet;
            Objects.requireNonNull(serverSet);
            LDAPConnection lDAPConnection = (LDAPConnection) LdapUtils.privilegedConnect(serverSet::getConnection);
            LdapUtils.maybeForkThenBind(lDAPConnection, this.bindCredentials, this.threadPool, new AnonymousClass1(str, lDAPConnection, actionListener, secureString));
        } catch (LDAPException e) {
            actionListener.onFailure(e);
        }
    }

    /**
     * Always true: this factory can build a session from the user search alone, without a password.
     */
    @Override // org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory
    public boolean supportsUnauthenticatedSession() {
        return true;
    }

    /**
     * Builds a session for a user over the pool without checking any password: the entry is searched
     * and, if found, wrapped in an {@code LdapSession}. The listener receives null when no entry matches.
     *
     * <p>A session obtained here must not be treated as proof of authentication.
     */
    @Override // org.elasticsearch.xpack.security.authc.ldap.PoolingSessionFactory
    void getUnauthenticatedSessionWithPool(LDAPConnectionPool lDAPConnectionPool, String str, ActionListener<LdapSession> actionListener) {
        CheckedConsumer checkedConsumer = searchResultEntry -> {
            if (searchResultEntry == null) {
                actionListener.onResponse((Object) null);
            } else {
                actionListener.onResponse(new LdapSession(this.logger, this.config, lDAPConnectionPool, searchResultEntry.getDN(), this.groupResolver, this.metadataResolver, this.timeout, searchResultEntry.getAttributes()));
            }
        };
        Objects.requireNonNull(actionListener);
        findUser(str, lDAPConnectionPool, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    /**
     * Same as {@link #getUnauthenticatedSessionWithPool} but over a dedicated connection that is
     * bound with the realm's bind credentials. The connection is closed on every path that does not
     * hand it to an {@code LdapSession}.
     *
     * <p>A session obtained here must not be treated as proof of authentication.
     */
    @Override // org.elasticsearch.xpack.security.authc.ldap.PoolingSessionFactory
    void getUnauthenticatedSessionWithoutPool(final String str, final ActionListener<LdapSession> actionListener) {
        try {
            ServerSet serverSet = this.serverSet;
            Objects.requireNonNull(serverSet);
            final LDAPConnection lDAPConnection = (LDAPConnection) LdapUtils.privilegedConnect(serverSet::getConnection);
            LdapUtils.maybeForkThenBind(lDAPConnection, this.bindCredentials, this.threadPool, new AbstractRunnable() { // from class: org.elasticsearch.xpack.security.authc.ldap.LdapUserSearchSessionFactory.2
                protected void doRun() throws Exception {
                    LdapUserSearchSessionFactory ldapUserSearchSessionFactory = LdapUserSearchSessionFactory.this;
                    String str2 = str;
                    LDAPConnection lDAPConnection2 = lDAPConnection;
                    LDAPConnection lDAPConnection3 = lDAPConnection;
                    ActionListener actionListener2 = actionListener;
                    CheckedConsumer checkedConsumer = searchResultEntry -> {
                        if (searchResultEntry != null) {
                            // Entry found: the session takes over the connection; no user bind is performed.
                            actionListener2.onResponse(new LdapSession(LdapUserSearchSessionFactory.this.logger, LdapUserSearchSessionFactory.this.config, lDAPConnection3, searchResultEntry.getDN(), LdapUserSearchSessionFactory.this.groupResolver, LdapUserSearchSessionFactory.this.metadataResolver, LdapUserSearchSessionFactory.this.timeout, searchResultEntry.getAttributes()));
                        } else {
                            // No entry matched: release the connection and answer null.
                            IOUtils.close(lDAPConnection3);
                            actionListener2.onResponse((Object) null);
                        }
                    };
                    LDAPConnection lDAPConnection4 = lDAPConnection;
                    ActionListener actionListener3 = actionListener;
                    ldapUserSearchSessionFactory.findUser(str2, lDAPConnection2, ActionListener.wrap(checkedConsumer, exc -> {
                        IOUtils.closeWhileHandlingException(lDAPConnection4);
                        actionListener3.onFailure(exc);
                    }));
                }

                public void onFailure(Exception exc) {
                    IOUtils.closeWhileHandlingException(lDAPConnection);
                    actionListener.onFailure(exc);
                }
            });
        } catch (LDAPException e) {
            actionListener.onFailure(e);
        }
    }

    /**
     * Searches for the entry of the given user under the configured base DN and scope, requesting
     * the attributes needed by the group resolver and the metadata resolver, and delivers the
     * result to the listener. An {@code LDAPException} thrown while setting up the search is
     * reported through the listener.
     *
     * <p>The user name is substituted into the filter template by {@code LdapUtils.createFilter}.
     * NOTE(review): this is the only place where caller-supplied text enters an LDAP filter, so
     * confirm that createFilter escapes filter metacharacters.
     *
     * <p>{@code Math.toIntExact} throws {@code ArithmeticException} if the timeout in seconds does
     * not fit in an int; that exception is not caught here.
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Type inference failed for: r7v1, types: [java.lang.String[], java.lang.String[][]] */
    public void findUser(String str, LDAPInterface lDAPInterface, ActionListener<SearchResultEntry> actionListener) {
        try {
            LdapUtils.searchForEntry(lDAPInterface, this.userSearchBaseDn, this.scope.scope(), LdapUtils.createFilter(this.searchFilter, str), Math.toIntExact(this.timeout.seconds()), this.ignoreReferralErrors, actionListener, LdapUtils.attributesToSearchFor((String[][]) new String[]{this.groupResolver.attributes(), this.metadataResolver.attributeNames()}));
        } catch (LDAPException e) {
            actionListener.onFailure(e);
        }
    }

    /**
     * Chooses the group resolver: a {@code SearchGroupsResolver} when the group-search base DN is
     * configured, otherwise a {@code UserAttributeGroupsResolver}.
     */
    private static LdapSession.GroupsResolver groupResolver(RealmConfig realmConfig) {
        return realmConfig.hasSetting(SearchGroupsResolverSettings.BASE_DN) ? new SearchGroupsResolver(realmConfig) : new UserAttributeGroupsResolver(realmConfig);
    }

    /**
     * Derives the user-search filter template from the realm settings.
     *
     * <p>The configured SEARCH_FILTER is returned as is; otherwise the filter is built from
     * SEARCH_ATTRIBUTE as {@code (attribute={0})}; with neither setting the default is
     * {@code (uid={0})}. The attribute name is concatenated without validation; it comes from
     * realm configuration, not from the authenticating user.
     *
     * @return the filter template containing the {@code {0}} placeholder for the user name
     * @throws IllegalArgumentException if both SEARCH_ATTRIBUTE and SEARCH_FILTER are configured
     */
    static String getSearchFilter(RealmConfig realmConfig) {
        boolean hasSetting = realmConfig.hasSetting(LdapUserSearchSessionFactorySettings.SEARCH_ATTRIBUTE);
        boolean hasSetting2 = realmConfig.hasSetting(LdapUserSearchSessionFactorySettings.SEARCH_FILTER);
        if (hasSetting && hasSetting2) {
            throw new IllegalArgumentException("search attribute setting [" + RealmSettings.getFullSettingKey(realmConfig, LdapUserSearchSessionFactorySettings.SEARCH_ATTRIBUTE) + "] and filter setting [" + RealmSettings.getFullSettingKey(realmConfig, LdapUserSearchSessionFactorySettings.SEARCH_FILTER) + "] cannot be combined!");
        }
        return hasSetting2 ? (String) realmConfig.getSetting(LdapUserSearchSessionFactorySettings.SEARCH_FILTER) : hasSetting ? "(" + ((String) realmConfig.getSetting(LdapUserSearchSessionFactorySettings.SEARCH_ATTRIBUTE)) + "={0})" : "(uid={0})";
    }
}
