package org.elasticsearch.xpack.security.authc.ldap.support;

import com.unboundid.ldap.sdk.LDAPConnectionOptions;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.LDAPURL;
import com.unboundid.ldap.sdk.ServerSet;
import com.unboundid.util.ssl.HostNameSSLSocketVerifier;
import java.io.Closeable;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLSocketFactory;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.logging.DeprecationCategory;
import org.elasticsearch.common.logging.DeprecationLogger;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.ssl.SslConfiguration;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
import org.elasticsearch.xpack.core.security.authc.ldap.support.SessionFactorySettings;
import org.elasticsearch.xpack.core.ssl.SSLConfigurationSettings;
import org.elasticsearch.xpack.core.ssl.SSLService;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/ldap/support/SessionFactory.class */
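/**
 * Base class for the LDAP session factories of a realm.
 *
 * <p>On construction it parses the configured server URLs, derives the
 * load-balanced {@link ServerSet} (with connection options and, for
 * {@code ldaps:} URLs, the realm's TLS socket factory) and clamps the search
 * timeout to a minimum of one second. Subclasses implement
 * {@link #session(String, SecureString, ActionListener)} to open authenticated
 * sessions against that server set.
 *
 * <p>Note: this listing is decompiled; the decompiler marks the constructor and
 * {@link #connectionOptions} as having been declared {@code protected} upstream.
 * They are kept {@code public} here so existing call sites are unaffected.
 */
public abstract class SessionFactory implements Closeable {
    /** Matches URLs that use the {@code ldaps:} scheme, case-insensitively. */
    private static final Pattern STARTS_WITH_LDAPS = Pattern.compile("^ldaps:.*", Pattern.CASE_INSENSITIVE);
    /** Matches URLs that use the plain {@code ldap:} scheme, case-insensitively. */
    private static final Pattern STARTS_WITH_LDAP = Pattern.compile("^ldap:.*", Pattern.CASE_INSENSITIVE);
    /** Smallest search timeout this factory will honour; lower configured values are raised to it. */
    private static final long MIN_SEARCH_TIMEOUT_MILLIS = 1000L;

    protected final Logger logger = LogManager.getLogger(getClass());
    protected final RealmConfig config;
    /** Effective LDAP search timeout (never below {@link #MIN_SEARCH_TIMEOUT_MILLIS}). */
    protected final TimeValue timeout;
    protected final SSLService sslService;
    protected final ThreadPool threadPool;
    protected final ServerSet serverSet;
    /** Whether every configured URL uses {@code ldaps:}. */
    protected final boolean sslUsed;
    protected final boolean ignoreReferralErrors;
    protected final LdapMetadataResolver metadataResolver;

    /**
     * The parsed set of configured LDAP servers: host/port pairs plus whether
     * they are all addressed over {@code ldaps:}.
     */
    public static class LDAPServers {
        private final String[] addresses;
        private final int[] ports;
        private final boolean ssl;

        /**
         * Parses the configured URLs into host/port pairs.
         *
         * @param urls the configured LDAP URLs; they must all use the same scheme
         * @throws IllegalArgumentException if the schemes are mixed or any URL cannot be parsed
         */
        public LDAPServers(String[] urls) {
            // Scheme consistency is checked first so a mixed ldap:/ldaps: list is
            // rejected before any URL is parsed.
            this.ssl = secureUrls(urls);
            this.addresses = new String[urls.length];
            this.ports = new int[urls.length];
            for (int i = 0; i < urls.length; i++) {
                try {
                    LDAPURL parsed = new LDAPURL(urls[i]);
                    this.addresses[i] = parsed.getHost();
                    this.ports[i] = parsed.getPort();
                } catch (LDAPException e) {
                    throw new IllegalArgumentException("unable to parse configured LDAP url [" + urls[i] + "]", e);
                }
            }
        }

        /** @return a copy of the configured hosts, in configuration order */
        public String[] addresses() {
            // Copied so callers cannot alter the parsed server list.
            return this.addresses.clone();
        }

        /** @return a copy of the configured ports, parallel to {@link #addresses()} */
        public int[] ports() {
            return this.ports.clone();
        }

        /** @return {@code true} if all configured URLs use {@code ldaps:} */
        public boolean ssl() {
            return this.ssl;
        }

        /**
         * Determines whether the URLs are all {@code ldaps:} or all {@code ldap:}.
         *
         * @param urls the configured URLs
         * @return {@code true} for an all-{@code ldaps:} list (and for an empty list)
         * @throws IllegalArgumentException if the list mixes both schemes or contains neither
         */
        private static boolean secureUrls(String[] urls) {
            if (urls.length == 0) {
                return true;
            }
            boolean allLdaps = Arrays.stream(urls).allMatch(url -> STARTS_WITH_LDAPS.matcher(url).find());
            boolean allLdap = Arrays.stream(urls).allMatch(url -> STARTS_WITH_LDAP.matcher(url).find());
            if (allLdaps || allLdap) {
                return allLdaps;
            }
            throw new IllegalArgumentException(
                "configured LDAP protocols are not all equal (ldaps://.. and ldap://..): ["
                    + Strings.arrayToCommaDelimitedString(urls) + "]");
        }
    }

    /**
     * Creates the factory and resolves the server set from the realm settings.
     *
     * @param realmConfig the realm configuration
     * @param sslService  the service providing the realm's TLS configuration
     * @param threadPool  the thread pool made available to subclasses
     * @throws IllegalArgumentException if the URL settings are missing, mixed, unparsable, or if
     *                                  mutually exclusive timeout / hostname-verification settings are both set
     * @throws IllegalStateException    if an {@code ldaps:} realm has no SSL configuration
     */
    public SessionFactory(RealmConfig realmConfig, SSLService sslService, ThreadPool threadPool) {
        this.config = realmConfig;
        TimeValue searchTimeout = realmConfig.getSetting(
            SessionFactorySettings.TIMEOUT_LDAP_SETTING, () -> SessionFactorySettings.TIMEOUT_DEFAULT);
        if (searchTimeout.millis() < MIN_SEARCH_TIMEOUT_MILLIS) {
            // Sub-second search timeouts are not supported; clamp rather than fail.
            this.logger.warn(
                "ldap_search timeout [{}] is less than the minimum supported search timeout of 1s. using 1s",
                searchTimeout.millis());
            searchTimeout = TimeValue.timeValueSeconds(1L);
        }
        this.timeout = searchTimeout;
        this.sslService = sslService;
        this.threadPool = threadPool;
        LDAPServers servers = ldapServers(realmConfig);
        this.serverSet = serverSet(realmConfig, sslService, servers);
        this.sslUsed = servers.ssl();
        this.ignoreReferralErrors = realmConfig.getSetting(SessionFactorySettings.IGNORE_REFERRAL_ERRORS_SETTING);
        this.metadataResolver = new LdapMetadataResolver(realmConfig, this.ignoreReferralErrors);
    }

    /** Shuts down the underlying server set. */
    @Override
    public void close() throws IOException {
        this.serverSet.shutDown();
    }

    /**
     * Opens an authenticated session for the given user.
     *
     * @param user     the user name supplied at authentication
     * @param password the user's credential
     * @param listener notified with the session or the failure
     */
    public abstract void session(String user, SecureString password, ActionListener<LdapSession> listener);

    /** @return whether {@link #unauthenticatedSession} is supported; {@code false} unless overridden */
    public boolean supportsUnauthenticatedSession() {
        return false;
    }

    /**
     * Opens a session without credentials. Not supported by default.
     *
     * @throws UnsupportedOperationException always, unless a subclass overrides this
     */
    public void unauthenticatedSession(String user, ActionListener<LdapSession> listener) {
        throw new UnsupportedOperationException("unauthenticated sessions are not supported");
    }

    /**
     * Builds the connection options for the realm: connect and response timeouts,
     * referral following, and the TLS hostname verifier.
     *
     * @param realmConfig the realm configuration
     * @param sslService  used to look up the realm's SSL configuration when the
     *                    {@code ssl.verification_mode} setting is present
     * @param logger      whose name keys the deprecation warning for the legacy
     *                    {@code hostname_verification} setting
     * @return the populated options
     * @throws IllegalArgumentException if mutually exclusive timeout or hostname-verification settings are both set
     * @throws IllegalStateException    if the realm's SSL configuration cannot be found
     */
    public static LDAPConnectionOptions connectionOptions(RealmConfig realmConfig, SSLService sslService, Logger logger) {
        LDAPConnectionOptions options = new LDAPConnectionOptions();
        options.setConnectTimeoutMillis(
            Math.toIntExact(realmConfig.getSetting(SessionFactorySettings.TIMEOUT_TCP_CONNECTION_SETTING).millis()));
        options.setFollowReferrals(realmConfig.getSetting(SessionFactorySettings.FOLLOW_REFERRALS_SETTING));
        options.setResponseTimeoutMillis(responseTimeoutMillis(realmConfig));
        options.setAllowConcurrentSocketFactoryUse(true);
        configureHostnameVerification(options, realmConfig, sslService, logger);
        return options;
    }

    /**
     * Resolves the response timeout, preferring the explicit response setting,
     * then the legacy tcp read setting, then the general LDAP timeout.
     *
     * @throws IllegalArgumentException if both the response and tcp read timeouts are configured
     */
    private static long responseTimeoutMillis(RealmConfig realmConfig) {
        boolean hasResponseTimeout = realmConfig.hasSetting(SessionFactorySettings.TIMEOUT_RESPONSE_SETTING);
        boolean hasTcpReadTimeout = realmConfig.hasSetting(SessionFactorySettings.TIMEOUT_TCP_READ_SETTING);
        if (hasResponseTimeout && hasTcpReadTimeout) {
            throw new IllegalArgumentException(
                "[" + RealmSettings.getFullSettingKey(realmConfig, SessionFactorySettings.TIMEOUT_TCP_READ_SETTING)
                    + "] and [" + RealmSettings.getFullSettingKey(realmConfig, SessionFactorySettings.TIMEOUT_RESPONSE_SETTING)
                    + "] may not be used at the same time");
        }
        if (hasResponseTimeout) {
            return realmConfig.getSetting(SessionFactorySettings.TIMEOUT_RESPONSE_SETTING).millis();
        }
        if (hasTcpReadTimeout) {
            return realmConfig.getSetting(SessionFactorySettings.TIMEOUT_TCP_READ_SETTING).millis();
        }
        return realmConfig.getSetting(SessionFactorySettings.TIMEOUT_LDAP_SETTING).millis();
    }

    /**
     * Installs the TLS hostname verifier according to the realm settings.
     * Verification is on unless it is explicitly disabled via the SSL
     * verification mode or the deprecated {@code hostname_verification} setting.
     *
     * @throws IllegalArgumentException if both the new and the deprecated setting are present
     * @throws IllegalStateException    if the SSL configuration for the realm cannot be found
     */
    private static void configureHostnameVerification(
            LDAPConnectionOptions options, RealmConfig realmConfig, SSLService sslService, Logger logger) {
        boolean hasVerificationMode = realmConfig.hasSetting(SSLConfigurationSettings.VERIFICATION_MODE_SETTING_REALM);
        boolean hasLegacyHostnameVerification = realmConfig.hasSetting(SessionFactorySettings.HOSTNAME_VERIFICATION_SETTING);
        if (hasVerificationMode && hasLegacyHostnameVerification) {
            throw new IllegalArgumentException(
                "[" + RealmSettings.getFullSettingKey(realmConfig, SessionFactorySettings.HOSTNAME_VERIFICATION_SETTING)
                    + "] and [" + RealmSettings.getFullSettingKey(realmConfig, SSLConfigurationSettings.VERIFICATION_MODE_SETTING_REALM)
                    + "] may not be used at the same time");
        }
        boolean verifyHostname;
        if (hasVerificationMode) {
            String sslPrefix = RealmSettings.realmSslPrefix(realmConfig.identifier());
            SslConfiguration sslConfiguration = sslService.getSSLConfiguration(sslPrefix);
            if (sslConfiguration == null) {
                throw new IllegalStateException("cannot find SSL configuration for " + sslPrefix);
            }
            verifyHostname = sslConfiguration.getVerificationMode().isHostnameVerificationEnabled();
        } else if (hasLegacyHostnameVerification) {
            String legacyKey = RealmSettings.getFullSettingKey(realmConfig, SessionFactorySettings.HOSTNAME_VERIFICATION_SETTING);
            DeprecationLogger.getLogger(logger.getName()).warn(
                DeprecationCategory.SETTINGS,
                "deprecated_setting_" + legacyKey.replace('.', '_'),
                "the setting [{}] has been deprecated and will be removed in a future version. use [{}] instead",
                legacyKey,
                RealmSettings.getFullSettingKey(realmConfig, SSLConfigurationSettings.VERIFICATION_MODE_SETTING_REALM));
            verifyHostname = realmConfig.getSetting(SessionFactorySettings.HOSTNAME_VERIFICATION_SETTING);
        } else {
            // Neither setting present: verify the server's hostname by default.
            verifyHostname = true;
        }
        if (verifyHostname) {
            options.setSSLSocketVerifier(new HostNameSSLSocketVerifier(true));
        }
    }

    /**
     * Reads the configured URLs (or the subclass default) and parses them.
     *
     * @throws IllegalArgumentException if no URL is configured and there is no default
     */
    private LDAPServers ldapServers(RealmConfig realmConfig) {
        List<String> urls = realmConfig.getSetting(SessionFactorySettings.URLS_SETTING, () -> getDefaultLdapUrls(realmConfig));
        if (urls == null || urls.isEmpty()) {
            throw new IllegalArgumentException("missing required LDAP setting ["
                + RealmSettings.getFullSettingKey(realmConfig, SessionFactorySettings.URLS_SETTING) + "]");
        }
        return new LDAPServers(urls.toArray(new String[0]));
    }

    /**
     * Default URLs used when the realm configures none. Subclasses may override;
     * {@code null} (the base behaviour) means there is no default and
     * {@link #ldapServers} rejects the configuration.
     */
    protected List<String> getDefaultLdapUrls(RealmConfig realmConfig) {
        return null;
    }

    /**
     * Builds the load-balanced server set, with the realm's TLS socket factory
     * when the URLs are {@code ldaps:}.
     *
     * @throws IllegalStateException if an {@code ldaps:} realm has no SSL configuration
     */
    private ServerSet serverSet(RealmConfig realmConfig, SSLService sslService, LDAPServers servers) {
        SSLSocketFactory socketFactory = null;
        if (servers.ssl()) {
            String sslPrefix = RealmSettings.realmSslPrefix(this.config.identifier());
            SslConfiguration sslConfiguration = sslService.getSSLConfiguration(sslPrefix);
            if (sslConfiguration == null) {
                // Same check as connectionOptions(): fail with a clear message rather than an NPE.
                throw new IllegalStateException("cannot find SSL configuration for " + sslPrefix);
            }
            socketFactory = sslService.sslSocketFactory(sslConfiguration);
            if (sslConfiguration.getVerificationMode().isHostnameVerificationEnabled()) {
                this.logger.debug("using encryption for LDAP connections with hostname verification");
            } else {
                this.logger.debug("using encryption for LDAP connections without hostname verification");
            }
        }
        return LdapLoadBalancing.serverSet(
            servers.addresses(), servers.ports(), realmConfig, socketFactory,
            connectionOptions(realmConfig, sslService, this.logger));
    }

    /** @return the server set backing this factory (package-private, for tests and siblings) */
    ServerSet getServerSet() {
        return this.serverSet;
    }

    /** @return whether the configured URLs are all {@code ldaps:} */
    public boolean isSslUsed() {
        return this.sslUsed;
    }
}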
