package org.elasticsearch.xpack.security.authc.ldap;

import com.unboundid.ldap.sdk.LDAPException;
import java.io.Closeable;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Consumer;
import java.util.function.Function;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchTimeoutException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.support.ContextPreservingActionListener;
import org.elasticsearch.common.collect.MapBuilder;
import org.elasticsearch.common.util.concurrent.AbstractRunnable;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.IOUtils;
import org.elasticsearch.core.Strings;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.watcher.ResourceWatcherService;
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
import org.elasticsearch.xpack.core.security.authc.Realm;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
import org.elasticsearch.xpack.core.security.authc.ldap.LdapRealmSettings;
import org.elasticsearch.xpack.core.security.authc.ldap.LdapSessionFactorySettings;
import org.elasticsearch.xpack.core.security.authc.ldap.LdapUserSearchSessionFactorySettings;
import org.elasticsearch.xpack.core.security.authc.support.UserRoleMapper;
import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.core.ssl.SSLService;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapLoadBalancing;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapSession;
import org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory;
import org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm;
import org.elasticsearch.xpack.security.authc.support.DelegatedAuthorizationSupport;
import org.elasticsearch.xpack.security.authc.support.mapper.CompositeRoleMapper;
import org.elasticsearch.xpack.security.authc.support.mapper.NativeRoleMappingStore;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/ldap/LdapRealm.class */
public final class LdapRealm extends CachingUsernamePasswordRealm {
    private final SessionFactory sessionFactory;
    private final UserRoleMapper roleMapper;
    private final ThreadPool threadPool;
    private final TimeValue executionTimeout;
    private DelegatedAuthorizationSupport delegatedRealms;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/ldap/LdapRealm$CancellableLdapRunnable.class */
    static class CancellableLdapRunnable<T> extends AbstractRunnable {
        private final Runnable in;
        private final ActionListener<T> listener;
        private final Function<Exception, T> defaultValue;
        private final Logger logger;
        private final AtomicReference<LdapRunnableState> state = new AtomicReference<>(LdapRunnableState.AWAITING_EXECUTION);

        /* loaded from: input_file:org/elasticsearch/xpack/security/authc/ldap/LdapRealm$CancellableLdapRunnable$LdapRunnableState.class */
        enum LdapRunnableState {
            AWAITING_EXECUTION,
            EXECUTING,
            TIMED_OUT
        }

        CancellableLdapRunnable(ActionListener<T> actionListener, Function<Exception, T> function, Runnable runnable, Logger logger) {
            this.listener = actionListener;
            this.defaultValue = (Function) Objects.requireNonNull(function);
            this.in = runnable;
            this.logger = logger;
        }

        public void onFailure(Exception exc) {
            this.logger.error("execution of ldap runnable failed", exc);
            this.listener.onResponse(this.defaultValue.apply(exc));
        }

        protected void doRun() throws Exception {
            if (this.state.compareAndSet(LdapRunnableState.AWAITING_EXECUTION, LdapRunnableState.EXECUTING)) {
                this.in.run();
            } else {
                this.logger.trace("skipping execution of ldap runnable as the current state is [{}]", this.state.get());
            }
        }

        public void onRejection(Exception exc) {
            this.listener.onFailure(exc);
        }

        void maybeTimeout() {
            if (this.state.compareAndSet(LdapRunnableState.AWAITING_EXECUTION, LdapRunnableState.TIMED_OUT)) {
                this.logger.warn("skipping execution of ldap runnable as it has been waiting for execution too long");
                this.listener.onFailure(new ElasticsearchTimeoutException("timed out waiting for execution of ldap runnable", new Object[0]));
            }
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/ldap/LdapRealm$LdapSessionActionListener.class */
    private class LdapSessionActionListener implements ActionListener<LdapSession> {
        private final AtomicReference<LdapSession> ldapSessionAtomicReference = new AtomicReference<>();
        private String action;
        private final String username;
        private final ActionListener<AuthenticationResult<User>> resultListener;

        LdapSessionActionListener(String str, String str2, ActionListener<AuthenticationResult<User>> actionListener) {
            this.action = str;
            this.username = str2;
            this.resultListener = actionListener;
        }

        public void onResponse(LdapSession ldapSession) {
            if (ldapSession == null) {
                this.resultListener.onResponse(AuthenticationResult.notHandled());
            } else {
                this.ldapSessionAtomicReference.set(ldapSession);
                LdapRealm.buildUser(ldapSession, this.username, this.resultListener, LdapRealm.this.roleMapper, LdapRealm.this.delegatedRealms);
            }
        }

        public void onFailure(Exception exc) {
            if (this.ldapSessionAtomicReference.get() != null) {
                IOUtils.closeWhileHandlingException((Closeable) this.ldapSessionAtomicReference.get());
            }
            if (LdapRealm.this.logger.isDebugEnabled()) {
                LdapRealm.this.logger.debug(() -> {
                    return Strings.format("Exception occurred during %s for %s", new Object[]{this.action, LdapRealm.this});
                }, exc);
            }
            this.resultListener.onResponse(AuthenticationResult.unsuccessful(this.action + " failed", exc));
        }
    }

    public LdapRealm(RealmConfig realmConfig, SSLService sSLService, ResourceWatcherService resourceWatcherService, NativeRoleMappingStore nativeRoleMappingStore, ThreadPool threadPool) throws LDAPException {
        this(realmConfig, sessionFactory(realmConfig, sSLService, threadPool), new CompositeRoleMapper(realmConfig, resourceWatcherService, nativeRoleMappingStore), threadPool);
    }

    LdapRealm(RealmConfig realmConfig, SessionFactory sessionFactory, UserRoleMapper userRoleMapper, ThreadPool threadPool) {
        super(realmConfig, threadPool);
        this.sessionFactory = sessionFactory;
        this.roleMapper = userRoleMapper;
        this.threadPool = threadPool;
        this.executionTimeout = (TimeValue) realmConfig.getSetting(LdapRealmSettings.EXECUTION_TIMEOUT);
        userRoleMapper.refreshRealmOnChange(this);
    }

    static SessionFactory sessionFactory(RealmConfig realmConfig, SSLService sSLService, ThreadPool threadPool) throws LDAPException {
        SessionFactory ldapUserSearchSessionFactory;
        if ("active_directory".equals(realmConfig.type())) {
            ldapUserSearchSessionFactory = new ActiveDirectorySessionFactory(realmConfig, sSLService, threadPool);
        } else {
            if (!$assertionsDisabled && !"ldap".equals(realmConfig.type())) {
                throw new AssertionError("type [" + realmConfig.type() + "] is unknown. expected one of [active_directory, ldap]");
            }
            boolean hasUserSearchSettings = LdapUserSearchSessionFactory.hasUserSearchSettings(realmConfig);
            boolean hasSetting = realmConfig.hasSetting(LdapSessionFactorySettings.USER_DN_TEMPLATES_SETTING);
            if (hasUserSearchSettings) {
                if (hasSetting) {
                    throw new IllegalArgumentException("settings were found for both user search [" + RealmSettings.getFullSettingKey(realmConfig, LdapUserSearchSessionFactorySettings.SEARCH_BASE_DN) + "] and user template [" + RealmSettings.getFullSettingKey(realmConfig, LdapSessionFactorySettings.USER_DN_TEMPLATES_SETTING) + "] modes of operation. Please remove the settings for the mode you do not wish to use. For more details refer to the ldap authentication section of the X-Pack guide.");
                }
                ldapUserSearchSessionFactory = new LdapUserSearchSessionFactory(realmConfig, sSLService, threadPool);
            } else {
                if (!hasSetting) {
                    throw new IllegalArgumentException("settings were not found for either user search [" + RealmSettings.getFullSettingKey(realmConfig, LdapUserSearchSessionFactorySettings.SEARCH_BASE_DN) + "] or user template [" + RealmSettings.getFullSettingKey(realmConfig, LdapSessionFactorySettings.USER_DN_TEMPLATES_SETTING) + "] modes of operation. Please provide the settings for the mode you wish to use. For more details refer to the ldap authentication section of the X-Pack guide.");
                }
                ldapUserSearchSessionFactory = new LdapSessionFactory(realmConfig, sSLService, threadPool);
            }
        }
        return ldapUserSearchSessionFactory;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v1, types: [org.elasticsearch.xpack.security.authc.ldap.LdapRealm$CancellableLdapRunnable, java.lang.Object, java.lang.Runnable] */
    @Override // org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm
    protected void doAuthenticate(UsernamePasswordToken usernamePasswordToken, ActionListener<AuthenticationResult<User>> actionListener) {
        if (!$assertionsDisabled && this.delegatedRealms == null) {
            throw new AssertionError("Realm has not been initialized correctly");
        }
        ?? cancellableLdapRunnable = new CancellableLdapRunnable(actionListener, exc -> {
            return AuthenticationResult.unsuccessful("Authentication against realm [" + toString() + "] failed", exc);
        }, () -> {
            this.sessionFactory.session(usernamePasswordToken.principal(), usernamePasswordToken.credentials(), contextPreservingListener(new LdapSessionActionListener("authenticate", usernamePasswordToken.principal(), actionListener)));
        }, this.logger);
        this.threadPool.generic().execute(cancellableLdapRunnable);
        ThreadPool threadPool = this.threadPool;
        Objects.requireNonNull(cancellableLdapRunnable);
        threadPool.schedule(cancellableLdapRunnable::maybeTimeout, this.executionTimeout, "same");
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v7, types: [org.elasticsearch.xpack.security.authc.ldap.LdapRealm$CancellableLdapRunnable, java.lang.Object, java.lang.Runnable] */
    @Override // org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm
    protected void doLookupUser(String str, ActionListener<User> actionListener) {
        if (!this.sessionFactory.supportsUnauthenticatedSession()) {
            actionListener.onResponse((Object) null);
            return;
        }
        CheckedConsumer checkedConsumer = authenticationResult -> {
            actionListener.onResponse((User) authenticationResult.getValue());
        };
        Objects.requireNonNull(actionListener);
        ActionListener wrap = ActionListener.wrap(checkedConsumer, actionListener::onFailure);
        ?? cancellableLdapRunnable = new CancellableLdapRunnable(actionListener, exc -> {
            return null;
        }, () -> {
            this.sessionFactory.unauthenticatedSession(str, contextPreservingListener(new LdapSessionActionListener("lookup", str, wrap)));
        }, this.logger);
        this.threadPool.generic().execute(cancellableLdapRunnable);
        ThreadPool threadPool = this.threadPool;
        Objects.requireNonNull(cancellableLdapRunnable);
        threadPool.schedule(cancellableLdapRunnable::maybeTimeout, this.executionTimeout, "same");
    }

    private ContextPreservingActionListener<LdapSession> contextPreservingListener(LdapSessionActionListener ldapSessionActionListener) {
        return new ContextPreservingActionListener<>(this.config.threadContext().newRestorableContext(false), ldapSessionActionListener);
    }

    public void initialize(Iterable<Realm> iterable, XPackLicenseState xPackLicenseState) {
        if (this.delegatedRealms != null) {
            throw new IllegalStateException("Realm has already been initialized");
        }
        this.delegatedRealms = new DelegatedAuthorizationSupport(iterable, this.config, xPackLicenseState);
    }

    @Override // org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm
    public void usageStats(ActionListener<Map<String, Object>> actionListener) {
        CheckedConsumer checkedConsumer = map -> {
            map.put("size", Integer.valueOf(getCacheSize()));
            map.put("load_balance_type", LdapLoadBalancing.resolve(this.config).toString());
            map.put("ssl", Boolean.valueOf(this.sessionFactory.isSslUsed()));
            map.put("user_search", Boolean.valueOf(LdapUserSearchSessionFactory.hasUserSearchSettings(this.config)));
            actionListener.onResponse(map);
        };
        Objects.requireNonNull(actionListener);
        super.usageStats(ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    private static void buildUser(LdapSession ldapSession, String str, ActionListener<AuthenticationResult<User>> actionListener, UserRoleMapper userRoleMapper, DelegatedAuthorizationSupport delegatedAuthorizationSupport) {
        if (!$assertionsDisabled && delegatedAuthorizationSupport == null) {
            throw new AssertionError("DelegatedAuthorizationSupport is null");
        }
        if (ldapSession == null) {
            actionListener.onResponse(AuthenticationResult.notHandled());
        } else if (delegatedAuthorizationSupport.hasDelegation()) {
            delegatedAuthorizationSupport.resolve(str, actionListener);
        } else {
            lookupUserFromSession(str, ldapSession, userRoleMapper, actionListener);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm
    public void handleCachedAuthentication(User user, ActionListener<AuthenticationResult<User>> actionListener) {
        if (this.delegatedRealms.hasDelegation()) {
            this.delegatedRealms.resolve(user.principal(), actionListener);
        } else {
            super.handleCachedAuthentication(user, actionListener);
        }
    }

    private static void lookupUserFromSession(String str, LdapSession ldapSession, UserRoleMapper userRoleMapper, ActionListener<AuthenticationResult<User>> actionListener) {
        boolean z = false;
        try {
            Consumer consumer = exc -> {
                IOUtils.closeWhileHandlingException(ldapSession);
                actionListener.onFailure(exc);
            };
            ldapSession.resolve(ActionListener.wrap(ldapUserData -> {
                Map map = MapBuilder.newMapBuilder().put("ldap_dn", ldapSession.userDn()).put("ldap_groups", ldapUserData.groups).putAll(ldapUserData.metadata).map();
                userRoleMapper.resolveRoles(new UserRoleMapper.UserData(str, ldapSession.userDn(), ldapUserData.groups, map, ldapSession.realm()), ActionListener.wrap(set -> {
                    IOUtils.close(ldapSession);
                    actionListener.onResponse(AuthenticationResult.success(new User(str, (String[]) set.toArray(new String[set.size()]), (String) null, (String) null, map, true)));
                }, consumer));
            }, consumer));
            z = true;
            if (1 == 0) {
                ldapSession.close();
            }
        } catch (Throwable th) {
            if (!z) {
                ldapSession.close();
            }
            throw th;
        }
    }

    static {
        $assertionsDisabled = !LdapRealm.class.desiredAssertionStatus();
    }
}
