package org.elasticsearch.xpack.security.authc.ldap;

import com.unboundid.ldap.sdk.BindRequest;
import com.unboundid.ldap.sdk.GetEntryLDAPConnectionPoolHealthCheck;
import com.unboundid.ldap.sdk.LDAPConnectionPool;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ServerSet;
import com.unboundid.ldap.sdk.SimpleBindRequest;
import java.util.Optional;
import java.util.function.Supplier;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.logging.DeprecationCategory;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.core.CharArrays;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.Releasable;
import org.elasticsearch.core.Strings;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
import org.elasticsearch.xpack.core.security.authc.ldap.PoolingSessionFactorySettings;
import org.elasticsearch.xpack.core.ssl.SSLService;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapSession;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils;
import org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/ldap/PoolingSessionFactory.class */
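/**
 * Base class for LDAP session factories that can serve sessions either from a shared
 * {@link LDAPConnectionPool} or from per-request connections.
 *
 * <p>The constructor resolves the bind credentials from the realm settings, reads the
 * "use connection pool" flag and, when pooling is enabled, eagerly creates the pool.
 * Subclasses supply the four {@code get*Session*} strategies; {@link #session} and
 * {@link #unauthenticatedSession} only dispatch on the pooling flag.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Supplying both the legacy and the secure bind password is rejected with an
 *       {@link IllegalArgumentException}.</li>
 *   <li>A bind DN without any bind password is <em>not</em> rejected; it only produces a
 *       critical deprecation warning, and a bind request with a {@code null} password is
 *       still built.</li>
 *   <li>With no bind DN, a no-argument {@link SimpleBindRequest} (anonymous bind) is used and
 *       any configured bind password is ignored.</li>
 * </ul>
 */
abstract class PoolingSessionFactory extends SessionFactory implements Releasable {
    // Value of the realm's pooling flag, read once at construction time.
    private final boolean useConnectionPool;
    // Non-null only when useConnectionPool is true.
    private final LDAPConnectionPool connectionPool;
    // Service-account bind request; an anonymous bind when no bind DN is configured.
    // NOTE(review): when a password is configured this object references its UTF-8 bytes for
    // as long as the factory lives — treat heap dumps of this process as sensitive.
    final SimpleBindRequest bindCredentials;
    final LdapSession.GroupsResolver groupResolver;

    /**
     * Builds the factory, resolving bind credentials and (optionally) the connection pool.
     *
     * <p>Decompiler note: JADX reports that this constructor was package-private in the
     * original class file; the {@code public} modifier is a decompilation artefact.
     *
     * @param realmConfig    realm configuration the settings are read from
     * @param sSLService     passed through to {@link SessionFactory}
     * @param groupsResolver stored as {@link #groupResolver}
     * @param affixSetting   boolean setting that decides whether a connection pool is used
     * @param str            bind DN, or {@code null} for an anonymous bind
     * @param supplier       fallback source of the health-check DN, consulted only when the
     *                       health-check DN setting is absent
     * @param threadPool     passed through to {@link SessionFactory}
     * @throws IllegalArgumentException if both the legacy and the secure bind password are set
     * @throws LDAPException            if creating the connection pool fails
     */
    public PoolingSessionFactory(RealmConfig realmConfig, SSLService sSLService, LdapSession.GroupsResolver groupsResolver, Setting.AffixSetting<Boolean> affixSetting, @Nullable String str, Supplier<String> supplier, ThreadPool threadPool) throws LDAPException {
        super(realmConfig, sSLService, threadPool);
        this.groupResolver = groupsResolver;

        // Exactly one password source may be configured; supplying both is ambiguous and rejected.
        final byte[] utf8Bytes;
        if (realmConfig.hasSetting(PoolingSessionFactorySettings.LEGACY_BIND_PASSWORD)) {
            if (realmConfig.hasSetting(PoolingSessionFactorySettings.SECURE_BIND_PASSWORD)) {
                throw new IllegalArgumentException("You cannot specify both [" + RealmSettings.getFullSettingKey(realmConfig, PoolingSessionFactorySettings.LEGACY_BIND_PASSWORD) + "] and [" + RealmSettings.getFullSettingKey(realmConfig, PoolingSessionFactorySettings.SECURE_BIND_PASSWORD) + "]");
            }
            utf8Bytes = CharArrays.toUtf8Bytes(((SecureString) realmConfig.getSetting(PoolingSessionFactorySettings.LEGACY_BIND_PASSWORD)).getChars());
        } else if (realmConfig.hasSetting(PoolingSessionFactorySettings.SECURE_BIND_PASSWORD)) {
            utf8Bytes = CharArrays.toUtf8Bytes(((SecureString) realmConfig.getSetting(PoolingSessionFactorySettings.SECURE_BIND_PASSWORD)).getChars());
        } else {
            utf8Bytes = null;
        }
        // NOTE(review): utf8Bytes is a plain byte[] copy of the secret and is never zeroed in
        // this constructor; whether SimpleBindRequest copies or keeps the array is not visible
        // from this file — confirm before adding any wiping here.

        if (str == null) {
            // No bind DN: anonymous bind. A configured bind password is silently unused here.
            this.bindCredentials = new SimpleBindRequest();
        } else {
            if (utf8Bytes == null) {
                // Misconfiguration is only logged, not rejected: construction continues with a
                // DN-plus-null-password bind request. Per the message below, authentication for
                // the realm is expected to fail in this state.
                this.deprecationLogger.critical(DeprecationCategory.SECURITY, "bind_dn_set_without_password", "[{}] is set but no bind password is specified. Without a corresponding bind password, all {} realm authentication will fail. Specify a bind password via [{}] or [{}]. In the next major release, nodes with incomplete bind credentials will fail to start.", RealmSettings.getFullSettingKey(realmConfig, PoolingSessionFactorySettings.BIND_DN), realmConfig.type(), RealmSettings.getFullSettingKey(realmConfig, PoolingSessionFactorySettings.SECURE_BIND_PASSWORD), RealmSettings.getFullSettingKey(realmConfig, PoolingSessionFactorySettings.LEGACY_BIND_PASSWORD));
            }
            this.bindCredentials = new SimpleBindRequest(str, utf8Bytes);
        }

        this.useConnectionPool = ((Boolean) realmConfig.getSetting(affixSetting)).booleanValue();
        this.connectionPool = this.useConnectionPool
            ? createConnectionPool(realmConfig, this.serverSet, this.timeout, this.logger, this.bindCredentials, supplier)
            : null;
    }

    /**
     * Opens a session for the given user, via the pool when pooling is enabled and via the
     * non-pooled strategy otherwise.
     *
     * @param str            user identifier handed to the subclass strategy
     * @param secureString   the user's password
     * @param actionListener receives the resulting session or the failure
     */
    @Override // org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory
    public final void session(String str, SecureString secureString, ActionListener<LdapSession> actionListener) {
        if (this.useConnectionPool) {
            getSessionWithPool(this.connectionPool, str, secureString, actionListener);
        } else {
            getSessionWithoutPool(str, secureString, actionListener);
        }
    }

    /**
     * Opens a session for the given user without that user's password, via the pool when
     * pooling is enabled and via the non-pooled strategy otherwise.
     *
     * @param str            user identifier handed to the subclass strategy
     * @param actionListener receives the resulting session or the failure
     */
    @Override // org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory
    public final void unauthenticatedSession(String str, ActionListener<LdapSession> actionListener) {
        if (this.useConnectionPool) {
            getUnauthenticatedSessionWithPool(this.connectionPool, str, actionListener);
        } else {
            getUnauthenticatedSessionWithoutPool(str, actionListener);
        }
    }

    /** Strategy for a password-authenticated session that uses the shared pool. */
    abstract void getSessionWithPool(LDAPConnectionPool lDAPConnectionPool, String str, SecureString secureString, ActionListener<LdapSession> actionListener);

    /** Strategy for a password-authenticated session that does not use a pool. */
    abstract void getSessionWithoutPool(String str, SecureString secureString, ActionListener<LdapSession> actionListener);

    /** Strategy for a session without the user's password that uses the shared pool. */
    abstract void getUnauthenticatedSessionWithPool(LDAPConnectionPool lDAPConnectionPool, String str, ActionListener<LdapSession> actionListener);

    /** Strategy for a session without the user's password that does not use a pool. */
    abstract void getUnauthenticatedSessionWithoutPool(String str, ActionListener<LdapSession> actionListener);

    /**
     * Creates and configures the LDAP connection pool for a realm.
     *
     * <p>The pool is named {@code "ldap-pool-" + realmConfig.identifier()}, retries operations
     * that failed because of an invalid connection, and — when health checking is enabled and a
     * DN is available — installs a get-entry health check.
     *
     * <p>If any configuration step after the pool has been connected throws, the pool is closed
     * before the exception propagates, so its already-bound connections are not leaked. (The
     * decompiled form of this method had that cleanup reduced to constant-false conditions.)
     *
     * @param realmConfig realm configuration the pool settings are read from
     * @param serverSet   servers the pool connects to
     * @param timeValue   used as the health check's maximum response time
     * @param logger      receives the warning when health checking cannot be configured
     * @param bindRequest bind performed on the pooled connections
     * @param supplier    fallback health-check DN, used only when the setting is absent;
     *                    may yield {@code null}
     * @return the configured pool
     * @throws LDAPException if connecting or configuring the pool fails
     */
    static LDAPConnectionPool createConnectionPool(RealmConfig realmConfig, ServerSet serverSet, TimeValue timeValue, Logger logger, BindRequest bindRequest, Supplier<String> supplier) throws LDAPException {
        final int initialSize = ((Integer) realmConfig.getSetting(PoolingSessionFactorySettings.POOL_INITIAL_SIZE)).intValue();
        final int maxSize = ((Integer) realmConfig.getSetting(PoolingSessionFactorySettings.POOL_SIZE)).intValue();
        LDAPConnectionPool pool = null;
        boolean success = false;
        try {
            pool = (LDAPConnectionPool) LdapUtils.privilegedConnect(() -> new LDAPConnectionPool(serverSet, bindRequest, initialSize, maxSize));
            pool.setConnectionPoolName("ldap-pool-" + realmConfig.identifier());
            pool.setRetryFailedOperationsDueToInvalidConnections(true);
            if (((Boolean) realmConfig.getSetting(PoolingSessionFactorySettings.HEALTH_CHECK_ENABLED)).booleanValue()) {
                String healthCheckDn = (String) ((Optional) realmConfig.getSetting(PoolingSessionFactorySettings.HEALTH_CHECK_DN)).orElseGet(supplier);
                long intervalMillis = ((TimeValue) realmConfig.getSetting(PoolingSessionFactorySettings.HEALTH_CHECK_INTERVAL)).millis();
                if (healthCheckDn != null) {
                    // Flag order in the UnboundID constructor: invokeOnCreate, invokeOnCheckout,
                    // invokeOnRelease, invokeForBackgroundChecks, invokeOnException — only the
                    // periodic background check is enabled.
                    pool.setHealthCheck(new GetEntryLDAPConnectionPoolHealthCheck(healthCheckDn, timeValue.millis(), false, false, false, true, false));
                    pool.setHealthCheckIntervalMillis(intervalMillis);
                } else {
                    // Health checking was requested but cannot be set up; the pool is still
                    // returned, so stale connections are not detected in the background.
                    logger.warn(() -> Strings.format("[%s] and [%s] have not been specified or are not valid distinguished names,so connection health checking is disabled", RealmSettings.getFullSettingKey(realmConfig, PoolingSessionFactorySettings.BIND_DN), RealmSettings.getFullSettingKey(realmConfig, PoolingSessionFactorySettings.HEALTH_CHECK_DN)));
                }
            }
            success = true;
            return pool;
        } finally {
            // Close a half-configured pool so its connections do not outlive the failure.
            if (success == false && pool != null) {
                pool.close();
            }
        }
    }

    /** Closes the connection pool, if one was created. */
    @Override // org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory, java.io.Closeable, java.lang.AutoCloseable
    public final void close() {
        if (this.connectionPool != null) {
            this.connectionPool.close();
        }
    }

    /**
     * Returns the connection pool.
     *
     * @return the pool, or {@code null} when pooling is disabled for the realm
     */
    LDAPConnectionPool getConnectionPool() {
        return this.connectionPool;
    }
}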
