package org.elasticsearch.xpack.security.authc.ldap;

import com.unboundid.ldap.sdk.Control;
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionPool;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.LDAPInterface;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;
import com.unboundid.ldap.sdk.ServerSet;
import com.unboundid.ldap.sdk.SimpleBindRequest;
import com.unboundid.ldap.sdk.controls.AuthorizationIdentityRequestControl;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.ExecutionException;
import java.util.function.Supplier;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRunnable;
import org.elasticsearch.common.cache.Cache;
import org.elasticsearch.common.cache.CacheBuilder;
import org.elasticsearch.common.logging.DeprecationCategory;
import org.elasticsearch.common.logging.DeprecationLogger;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.util.concurrent.AbstractRunnable;
import org.elasticsearch.core.CharArrays;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.IOUtils;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
import org.elasticsearch.xpack.core.security.authc.ldap.ActiveDirectorySessionFactorySettings;
import org.elasticsearch.xpack.core.security.authc.ldap.PoolingSessionFactorySettings;
import org.elasticsearch.xpack.core.security.authc.ldap.support.LdapSearchScope;
import org.elasticsearch.xpack.core.ssl.SSLService;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapMetadataResolver;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapSession;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactory.class */
public class ActiveDirectorySessionFactory extends PoolingSessionFactory {
    private static final String NETBIOS_NAME_FILTER_TEMPLATE = "(netbiosname={0})";
    final DefaultADAuthenticator defaultADAuthenticator;
    final DownLevelADAuthenticator downLevelADAuthenticator;
    final UpnADAuthenticator upnADAuthenticator;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactory$ADAuthenticator.class */
    public static abstract class ADAuthenticator {
        private final RealmConfig realm;
        final TimeValue timeout;
        final boolean ignoreReferralErrors;
        final Logger logger;
        final LdapSession.GroupsResolver groupsResolver;
        final LdapMetadataResolver metadataResolver;
        final String userSearchDN;
        final LdapSearchScope userSearchScope;
        final String userSearchFilter;
        final Supplier<SimpleBindRequest> bindRequestSupplier;
        final ThreadPool threadPool;

        /**
         * Stores the collaborators shared by all Active Directory authenticators and resolves the
         * user-search settings for this realm.
         *
         * @param realmConfig          realm configuration the search settings are read from
         * @param timeValue            time limit applied to directory searches
         * @param z                    value stored as {@code ignoreReferralErrors}
         * @param logger               logger handed to the sessions this authenticator creates
         * @param groupsResolver       resolver passed on to every {@link LdapSession}
         * @param ldapMetadataResolver metadata resolver passed on to every {@link LdapSession}
         * @param str                  fallback search base DN, used when no user-search base DN is configured
         * @param affixSetting         setting that holds this authenticator's user-search filter
         * @param str2                 fallback filter, used when {@code affixSetting} is not configured
         * @param threadPool           pool handed to LdapUtils for bind operations
         * @param supplier             supplies the realm's configured bind request
         */
        ADAuthenticator(RealmConfig realmConfig, TimeValue timeValue, boolean z, Logger logger, LdapSession.GroupsResolver groupsResolver, LdapMetadataResolver ldapMetadataResolver, String str, Setting.AffixSetting<String> affixSetting, String str2, ThreadPool threadPool, Supplier<SimpleBindRequest> supplier) {
            this.realm = realmConfig;
            this.timeout = timeValue;
            this.ignoreReferralErrors = z;
            this.logger = logger;
            this.groupsResolver = groupsResolver;
            this.metadataResolver = ldapMetadataResolver;
            this.bindRequestSupplier = supplier;
            this.threadPool = threadPool;
            // Each search setting falls back to the value the subclass passed in.
            this.userSearchDN = (String) realmConfig.getSetting(ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_BASEDN_SETTING, () -> str);
            final String configuredScope = (String) realmConfig.getSetting(ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_SCOPE_SETTING);
            this.userSearchScope = LdapSearchScope.resolve(configuredScope, LdapSearchScope.SUB_TREE);
            this.userSearchFilter = (String) realmConfig.getSetting(affixSetting, () -> str2);
        }

        /**
         * Authenticates a user on a dedicated connection and, on success, hands the listener an
         * {@link LdapSession} that uses that same connection.
         * <p>
         * Steps, as written below: (1) a simple bind as {@code bindUsername(str)} with the supplied
         * password; (2) if the configured bind request has a non-empty bind DN, a second bind with
         * that request before searching; (3) a lookup of the user's entry through
         * {@link #searchForDN}. A {@code null} search result is reported to the listener as a failure.
         * <p>
         * This method does not close {@code lDAPConnection} on failure; the caller's listener is
         * expected to do that.
         * <p>
         * NOTE(review): the UTF-8 copy of the password created for the bind request is not cleared
         * here; whether the bind request or LdapUtils wipes it is not visible in this file - confirm.
         *
         * @param lDAPConnection connection to bind on; becomes the session's connection on success
         * @param str            user name as supplied by the client
         * @param secureString   the user's password
         * @param actionListener receives the session, or the failure
         */
        final void authenticate(final LDAPConnection lDAPConnection, final String str, final SecureString secureString, ActionListener<LdapSession> actionListener) {
            // First bind: the user's own credentials. The meaning of the boolean flag is defined by
            // LdapUtils.maybeForkThenBind and is not visible here.
            // NOTE(review): presumably the runnable only executes after a successful bind - confirm.
            LdapUtils.maybeForkThenBind(lDAPConnection, new SimpleBindRequest(bindUsername(str), CharArrays.toUtf8Bytes(secureString.getChars()), new Control[]{new AuthorizationIdentityRequestControl()}), false, this.threadPool, new ActionRunnable<LdapSession>(actionListener) { // from class: org.elasticsearch.xpack.security.authc.ldap.ActiveDirectorySessionFactory.ADAuthenticator.1
                protected void doRun() throws Exception {
                    // Search step, built up front so it can run either directly or after the second bind.
                    ActionRunnable<LdapSession> actionRunnable = new ActionRunnable<LdapSession>(this.listener) { // from class: org.elasticsearch.xpack.security.authc.ldap.ActiveDirectorySessionFactory.ADAuthenticator.1.1
                        protected void doRun() throws Exception {
                            ADAuthenticator aDAuthenticator = ADAuthenticator.this;
                            LDAPConnection lDAPConnection2 = lDAPConnection;
                            String str2 = str;
                            SecureString secureString2 = secureString;
                            // toIntExact throws ArithmeticException if the timeout in seconds does not fit in an int.
                            int intExact = Math.toIntExact(ADAuthenticator.this.timeout.seconds());
                            String str3 = str;
                            LDAPConnection lDAPConnection3 = lDAPConnection;
                            aDAuthenticator.searchForDN(lDAPConnection2, str2, secureString2, intExact, ActionListener.wrap(searchResultEntry -> {
                                if (searchResultEntry == null) {
                                    // The bind succeeded but no entry matched: treated as a failure, not as an empty session.
                                    this.listener.onFailure(new ElasticsearchSecurityException("search for user [" + str3 + "] by principal name yielded no results", new Object[0]));
                                } else {
                                    this.listener.onResponse(new LdapSession(ADAuthenticator.this.logger, ADAuthenticator.this.realm, lDAPConnection3, searchResultEntry.getDN(), ADAuthenticator.this.groupsResolver, ADAuthenticator.this.metadataResolver, ADAuthenticator.this.timeout, null));
                                }
                            }, exc -> {
                                this.listener.onFailure(exc);
                            }));
                        }
                    };
                    SimpleBindRequest simpleBindRequest = ADAuthenticator.this.bindRequestSupplier.get();
                    if (simpleBindRequest.getBindDN().isEmpty()) {
                        // No bind DN configured: search with the identity established by the user's bind.
                        actionRunnable.run();
                    } else {
                        // A bind DN is configured: bind with that request on the same connection, then search.
                        LdapUtils.maybeForkThenBind(lDAPConnection, simpleBindRequest, true, ADAuthenticator.this.threadPool, actionRunnable);
                    }
                }
            });
        }

        /**
         * Authenticates a user against a connection pool and, on success, hands the listener an
         * {@link LdapSession} backed by that pool.
         * <p>
         * The user's credentials are checked with a simple bind issued through
         * {@code LdapUtils.maybeForkThenBindAndRevert}; the user's entry is then resolved with
         * {@link #searchForDN}. A {@code null} search result is reported as a failure.
         *
         * @param lDAPConnectionPool pool used for the bind, the search and the resulting session
         * @param str                user name as supplied by the client
         * @param secureString       the user's password
         * @param threadPool         pool handed to LdapUtils for the bind
         * @param actionListener     receives the session, or the failure
         */
        final void authenticate(final LDAPConnectionPool lDAPConnectionPool, final String str, final SecureString secureString, ThreadPool threadPool, ActionListener<LdapSession> actionListener) {
            final SimpleBindRequest userBind = new SimpleBindRequest(bindUsername(str), CharArrays.toUtf8Bytes(secureString.getChars()));
            LdapUtils.maybeForkThenBindAndRevert(lDAPConnectionPool, userBind, threadPool, new ActionRunnable<LdapSession>(actionListener) { // from class: org.elasticsearch.xpack.security.authc.ldap.ActiveDirectorySessionFactory.ADAuthenticator.2
                protected void doRun() throws Exception {
                    final ADAuthenticator outer = ADAuthenticator.this;
                    // toIntExact throws ArithmeticException if the timeout in seconds does not fit in an int.
                    final int timeLimitSeconds = Math.toIntExact(outer.timeout.seconds());
                    outer.searchForDN(lDAPConnectionPool, str, secureString, timeLimitSeconds, ActionListener.wrap(entry -> {
                        if (entry != null) {
                            this.listener.onResponse(new LdapSession(ADAuthenticator.this.logger, ADAuthenticator.this.realm, lDAPConnectionPool, entry.getDN(), ADAuthenticator.this.groupsResolver, ADAuthenticator.this.metadataResolver, ADAuthenticator.this.timeout, null));
                            return;
                        }
                        // The bind succeeded but no entry matched: treated as a failure.
                        this.listener.onFailure(new ElasticsearchSecurityException("search for user [" + str + "] by principal name yielded no results", new Object[0]));
                    }, exc -> this.listener.onFailure(exc)));
                }
            });
        }

        /**
         * Returns the name used in the simple bind for the given user name. This base
         * implementation returns the name unchanged; subclasses may override it.
         *
         * @param str user name as supplied by the client
         * @return the name to bind with
         */
        String bindUsername(String str) {
            return str;
        }

        /**
         * Returns the LDAP filter template resolved in the constructor, either from the realm
         * settings or from the subclass default.
         *
         * @return the user-search filter template
         */
        final String getUserSearchFilter() {
            return this.userSearchFilter;
        }

        /**
         * Looks up the directory entry for a user name and reports it to the listener.
         * Callers in this file treat a {@code null} response as "no such user".
         *
         * @param lDAPInterface  connection or pool to search on
         * @param str            user name as supplied by the client
         * @param secureString   the user's password; callers that look a user up without
         *                       authenticating pass {@code null}
         * @param i              search time limit in seconds
         * @param actionListener receives the entry, {@code null}, or the failure
         */
        abstract void searchForDN(LDAPInterface lDAPInterface, String str, SecureString secureString, int i, ActionListener<SearchResultEntry> actionListener);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactory$DefaultADAuthenticator.class */
    /**
     * Authenticator for plain account names, i.e. names this factory does not route to the
     * down-level or UPN authenticators. The user binds as {@code name@domain} and is then
     * looked up by {@code sAMAccountName} or {@code userPrincipalName}.
     */
    public static class DefaultADAuthenticator extends ADAuthenticator {
        final String domainName;

        /**
         * Builds the authenticator; the default search filter embeds the realm's configured
         * domain name, and {@code {0}} is left as the placeholder for the user name.
         */
        DefaultADAuthenticator(RealmConfig realmConfig, TimeValue timeValue, boolean z, Logger logger, LdapSession.GroupsResolver groupsResolver, LdapMetadataResolver ldapMetadataResolver, String str, ThreadPool threadPool, Supplier<SimpleBindRequest> supplier) {
            super(realmConfig, timeValue, z, logger, groupsResolver, ldapMetadataResolver, str, ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_FILTER_SETTING, "(&(objectClass=user)(|(sAMAccountName={0})(userPrincipalName={0}@" + domainName(realmConfig) + ")))", threadPool, supplier);
            this.domainName = domainName(realmConfig);
        }

        /** Reads the configured Active Directory domain name from the realm settings. */
        private static String domainName(RealmConfig realmConfig) {
            final Object configured = realmConfig.getSetting(ActiveDirectorySessionFactorySettings.AD_DOMAIN_NAME_SETTING);
            return (String) configured;
        }

        /**
         * Searches the configured base DN and scope for the user.
         * <p>
         * NOTE(review): {@code str} comes from the client; this relies on
         * {@code LdapUtils.createFilter} to escape filter metacharacters when it fills the
         * template - confirm against LdapUtils.
         */
        @Override // org.elasticsearch.xpack.security.authc.ldap.ActiveDirectorySessionFactory.ADAuthenticator
        void searchForDN(LDAPInterface lDAPInterface, String str, SecureString secureString, int i, ActionListener<SearchResultEntry> actionListener) {
            final Filter userFilter;
            try {
                userFilter = LdapUtils.createFilter(this.userSearchFilter, str);
            } catch (LDAPException e) {
                actionListener.onFailure(e);
                return;
            }
            try {
                LdapUtils.searchForEntry(lDAPInterface, this.userSearchDN, this.userSearchScope.scope(), userFilter, i, this.ignoreReferralErrors, actionListener, LdapUtils.attributesToSearchFor(this.groupsResolver.attributes()));
            } catch (LDAPException e) {
                actionListener.onFailure(e);
            }
        }

        /** Qualifies the account name with the configured domain: {@code name@domain}. */
        @Override // org.elasticsearch.xpack.security.authc.ldap.ActiveDirectorySessionFactory.ADAuthenticator
        String bindUsername(String str) {
            return String.join("@", str, this.domainName);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactory$DownLevelADAuthenticator.class */
    public static class DownLevelADAuthenticator extends ADAuthenticator {
        static final String DOWN_LEVEL_FILTER = "(&(objectClass=user)(sAMAccountName={0}))";
        Cache<String, String> domainNameCache;
        final String domainDN;
        final SSLService sslService;
        final RealmConfig config;
        private final int ldapPort;
        private final int ldapsPort;
        private final int gcLdapPort;
        private final int gcLdapsPort;
        static final /* synthetic */ boolean $assertionsDisabled;

        /**
         * Builds the authenticator for down-level logon names.
         *
         * @param str        domain DN; stored as {@code domainDN} and passed to the superclass as
         *                   the fallback search base
         * @param sSLService SSL service used when a separate search connection is opened
         * @param i          LDAP port
         * @param i2         LDAPS port
         * @param i3         global catalog LDAP port
         * @param i4         global catalog LDAPS port
         */
        DownLevelADAuthenticator(RealmConfig realmConfig, TimeValue timeValue, boolean z, Logger logger, LdapSession.GroupsResolver groupsResolver, LdapMetadataResolver ldapMetadataResolver, String str, SSLService sSLService, ThreadPool threadPool, int i, int i2, int i3, int i4, Supplier<SimpleBindRequest> supplier) {
            super(realmConfig, timeValue, z, logger, groupsResolver, ldapMetadataResolver, str, ActiveDirectorySessionFactorySettings.AD_DOWN_LEVEL_USER_SEARCH_FILTER_SETTING, DOWN_LEVEL_FILTER, threadPool, supplier);
            // Bounded cache of NetBIOS domain name -> domain DN.
            this.domainNameCache = CacheBuilder.builder().setMaximumWeight(100L).build();
            this.config = realmConfig;
            this.sslService = sSLService;
            this.domainDN = str;
            this.gcLdapsPort = i4;
            this.gcLdapPort = i3;
            this.ldapsPort = i2;
            this.ldapPort = i;
        }

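        /**
         * Resolves a down-level logon name (NetBIOS domain, a backslash, then the account name)
         * to the user's directory entry.
         * <p>
         * The NetBIOS domain is first mapped to a domain DN; the account is then searched under
         * that DN. If the domain cannot be mapped the listener receives {@code null}.
         * <p>
         * The user name is client-supplied, so its shape is validated at runtime instead of being
         * asserted: with assertions disabled, a name ending in a backslash splits into a single
         * element (String.split drops trailing empty strings) and indexing the second element
         * threw ArrayIndexOutOfBoundsException. Malformed names now fail the listener.
         *
         * @param lDAPInterface  connection or pool to search on
         * @param str            user name as supplied by the client
         * @param secureString   the user's password, or {@code null} for a lookup without authentication
         * @param i              search time limit in seconds
         * @param actionListener receives the entry, {@code null}, or the failure
         */
        @Override // org.elasticsearch.xpack.security.authc.ldap.ActiveDirectorySessionFactory.ADAuthenticator
        void searchForDN(LDAPInterface lDAPInterface, String str, SecureString secureString, int i, ActionListener<SearchResultEntry> actionListener) {
            Objects.requireNonNull(actionListener);
            final String[] parts = str.split("\\\\");
            if (parts.length != 2) {
                actionListener.onFailure(new IllegalArgumentException("user name [" + str + "] is not in the form DOMAIN\\account"));
                return;
            }
            final String netBiosDomain = parts[0];
            final String accountName = parts[1];
            netBiosDomainNameToDn(lDAPInterface, netBiosDomain, str, secureString, i, ActionListener.wrap(domainDn -> {
                if (domainDn == null) {
                    // Unknown NetBIOS domain: report "no such user" rather than an error.
                    actionListener.onResponse(null);
                } else {
                    LdapUtils.searchForEntry(lDAPInterface, domainDn, LdapSearchScope.SUB_TREE.scope(), LdapUtils.createFilter(this.userSearchFilter, accountName), i, this.ignoreReferralErrors, actionListener, LdapUtils.attributesToSearchFor(this.groupsResolver.attributes()));
                }
            }, actionListener::onFailure));
        }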

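        /**
         * Maps a NetBIOS domain name to the DN of that domain and reports it to the listener
         * ({@code null} when no matching entry carries an {@code ncname} attribute).
         * <p>
         * Cached answers are returned directly. Otherwise {@code CN=Configuration,<domainDN>} is
         * searched. When the supplied connection is attached to one of the global catalog ports,
         * the search runs on a separate connection to the same address on the LDAP or LDAPS port
         * (NOTE(review): presumably because the global catalog does not hold this information -
         * confirm). That separate connection binds with the configured bind request when it has a
         * bind DN, and with the user's own name and password otherwise; it is closed once the
         * search has completed or failed.
         * <p>
         * Changes from the previous body: a connection borrowed from the pool is now released in
         * a {@code finally} block, so it is also returned when an {@link LDAPException} or a
         * runtime exception interrupts the method; and the bind request is built before the
         * separate connection is opened, with the password converted to bytes only when it is
         * actually used for the bind. Callers in this class that look a user up without
         * authenticating pass a {@code null} password, which previously always ended in a
         * NullPointerException on this path.
         *
         * @param lDAPInterface  connection or pool the caller is working with
         * @param str            NetBIOS domain name taken from the user name
         * @param str2           full user name, used for the bind when no bind DN is configured
         * @param secureString   the user's password; may be {@code null} when a bind DN is configured
         * @param i              search time limit in seconds
         * @param actionListener receives the domain DN, {@code null}, or the failure
         */
        void netBiosDomainNameToDn(LDAPInterface lDAPInterface, final String str, String str2, SecureString secureString, final int i, ActionListener<String> actionListener) {
            // Non-null only while a connection taken from lDAPInterface is in use by this method.
            LDAPConnection borrowed = null;
            try {
                final Filter filter = LdapUtils.createFilter(ActiveDirectorySessionFactory.NETBIOS_NAME_FILTER_TEMPLATE, str);
                final String cachedDn = (String) this.domainNameCache.get(str);
                if (cachedDn != null) {
                    actionListener.onResponse(cachedDn);
                } else if (usingGlobalCatalog(lDAPInterface)) {
                    if (lDAPInterface instanceof LDAPConnection) {
                        borrowed = (LDAPConnection) lDAPInterface;
                    } else {
                        final LDAPConnectionPool pool = (LDAPConnectionPool) lDAPInterface;
                        Objects.requireNonNull(pool);
                        borrowed = (LDAPConnection) LdapUtils.privilegedConnect(pool::getConnection);
                    }
                    // Decide how to bind before opening the extra connection, so that a failure
                    // here cannot leave that connection open.
                    final SimpleBindRequest configuredBind = this.bindRequestSupplier.get();
                    final boolean bindAsUser = configuredBind.getBindDN().isEmpty();
                    final SimpleBindRequest bind = bindAsUser ? new SimpleBindRequest(str2, CharArrays.toUtf8Bytes(secureString.getChars())) : configuredBind;
                    final LDAPConnection template = borrowed;
                    // Same host and socket factory as the existing connection, but on the LDAPS
                    // port if that connection has an SSL session and on the LDAP port otherwise.
                    final LDAPConnection searchConnection = (LDAPConnection) LdapUtils.privilegedConnect(() -> {
                        return new LDAPConnection(template.getSocketFactory(), ActiveDirectorySessionFactory.connectionOptions(this.config, this.sslService, this.logger), template.getConnectedAddress(), template.getSSLSession() != null ? this.ldapsPort : this.ldapPort);
                    });
                    LdapUtils.maybeForkThenBind(searchConnection, bind, !bindAsUser, this.threadPool, new ActionRunnable<String>(actionListener) { // from class: org.elasticsearch.xpack.security.authc.ldap.ActiveDirectorySessionFactory.DownLevelADAuthenticator.1
                        protected void doRun() throws Exception {
                            LdapUtils.search(searchConnection, "CN=Configuration," + DownLevelADAuthenticator.this.domainDN, LdapSearchScope.SUB_TREE.scope(), filter, i, DownLevelADAuthenticator.this.ignoreReferralErrors, ActionListener.wrap(entries -> {
                                IOUtils.close(searchConnection);
                                DownLevelADAuthenticator.handleSearchResults(entries, str, DownLevelADAuthenticator.this.domainNameCache, this.listener);
                            }, exc -> {
                                IOUtils.closeWhileHandlingException(searchConnection);
                                this.listener.onFailure(exc);
                            }), "ncname");
                        }

                        public void onFailure(Exception exc) {
                            // Bind failed or doRun threw: the extra connection is no longer needed.
                            IOUtils.closeWhileHandlingException(searchConnection);
                            this.listener.onFailure(exc);
                        }
                    });
                } else {
                    Objects.requireNonNull(actionListener);
                    LdapUtils.search(lDAPInterface, "CN=Configuration," + this.domainDN, LdapSearchScope.SUB_TREE.scope(), filter, i, this.ignoreReferralErrors, ActionListener.wrap(entries -> {
                        handleSearchResults(entries, str, this.domainNameCache, actionListener);
                    }, actionListener::onFailure), "ncname");
                }
            } catch (LDAPException e) {
                actionListener.onFailure(e);
            } finally {
                // Only a connection that came out of a pool is handed back; a caller-owned
                // LDAPConnection is left alone.
                if ((lDAPInterface instanceof LDAPConnectionPool) && borrowed != null) {
                    ((LDAPConnectionPool) lDAPInterface).releaseConnection(borrowed);
                }
            }
        }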

        /**
         * Picks the first search result that has an {@code ncname} attribute, caches its value
         * under the NetBIOS domain name and reports it to the listener. If no result has the
         * attribute, the listener receives {@code null} and nothing is cached.
         *
         * @param list           entries returned by the search
         * @param str            NetBIOS domain name used as the cache key
         * @param cache          NetBIOS name to domain DN cache
         * @param actionListener receives the domain DN or {@code null}
         */
        static void handleSearchResults(List<SearchResultEntry> list, String str, Cache<String, String> cache, ActionListener<String> actionListener) {
            SearchResultEntry match = null;
            for (SearchResultEntry candidate : list) {
                if (candidate.hasAttribute("ncname")) {
                    match = candidate;
                    break;
                }
            }
            if (match == null) {
                actionListener.onResponse(null);
                return;
            }
            final String domainDn = match.getAttributeValue("ncname");
            try {
                // An existing cache entry wins; the listener still gets the value just read.
                cache.computeIfAbsent(str, key -> domainDn);
                actionListener.onResponse(domainDn);
            } catch (ExecutionException e) {
                throw new AssertionError("failed to load constant non-null value", e);
            }
        }

        /**
         * Reports whether the given connection, or a connection taken from the given pool, is
         * attached to one of the configured global catalog ports. A connection taken from a pool
         * is released again before this method returns or throws.
         *
         * @param lDAPInterface an {@link LDAPConnection} or an {@link LDAPConnectionPool}
         * @return {@code true} if the connected port is a global catalog port
         * @throws LDAPException if a connection cannot be obtained from the pool
         */
        boolean usingGlobalCatalog(LDAPInterface lDAPInterface) throws LDAPException {
            if (lDAPInterface instanceof LDAPConnection) {
                return usingGlobalCatalog((LDAPConnection) lDAPInterface);
            }
            final LDAPConnectionPool pool = (LDAPConnectionPool) lDAPInterface;
            LDAPConnection borrowed = null;
            try {
                Objects.requireNonNull(pool);
                borrowed = (LDAPConnection) LdapUtils.privilegedConnect(pool::getConnection);
                return usingGlobalCatalog(borrowed);
            } finally {
                if (borrowed != null) {
                    pool.releaseConnection(borrowed);
                }
            }
        }

        /**
         * Compares the connection's port with the configured global catalog ports.
         *
         * @param lDAPConnection connection to inspect
         * @return {@code true} if it is connected to the global catalog LDAP or LDAPS port
         */
        private boolean usingGlobalCatalog(LDAPConnection lDAPConnection) {
            final int connectedPort = lDAPConnection.getConnectedPort();
            return connectedPort == this.gcLdapPort || connectedPort == this.gcLdapsPort;
        }

        static {
            // Decompiled form of the flag javac generates for `assert`: true when assertions are
            // disabled for the outer class, so assertion-style checks are skipped at runtime.
            $assertionsDisabled = !ActiveDirectorySessionFactory.class.desiredAssertionStatus();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactory$UpnADAuthenticator.class */
    /**
     * Authenticator for user principal names ({@code account@domain}). The user binds with the
     * name as given and is looked up by {@code userPrincipalName}.
     */
    public static class UpnADAuthenticator extends ADAuthenticator {
        static final String UPN_USER_FILTER = "(&(objectClass=user)(userPrincipalName={1}))";

        /**
         * Builds the authenticator and emits a deprecation warning when the configured filter
         * still uses the {@code {0}} (account name) placeholder.
         */
        UpnADAuthenticator(RealmConfig realmConfig, TimeValue timeValue, boolean z, Logger logger, LdapSession.GroupsResolver groupsResolver, LdapMetadataResolver ldapMetadataResolver, String str, ThreadPool threadPool, Supplier<SimpleBindRequest> supplier) {
            super(realmConfig, timeValue, z, logger, groupsResolver, ldapMetadataResolver, str, ActiveDirectorySessionFactorySettings.AD_UPN_USER_SEARCH_FILTER_SETTING, UPN_USER_FILTER, threadPool, supplier);
            if (!this.userSearchFilter.contains("{0}")) {
                return;
            }
            final DeprecationLogger deprecationLogger = DeprecationLogger.getLogger(logger.getName());
            final String settingKey = RealmSettings.getFullSettingKey(realmConfig, ActiveDirectorySessionFactorySettings.AD_UPN_USER_SEARCH_FILTER_SETTING);
            deprecationLogger.warn(DeprecationCategory.SECURITY, "ldap_settings", "The use of the account name variable {0} in the setting [" + settingKey + "] has been deprecated and will be removed in a future version!", new Object[0]);
        }

        /**
         * Searches the configured base DN (sub-tree scope) for the user. The filter receives the
         * part before the first {@code @} as {@code {0}} and the full name as {@code {1}}.
         * <p>
         * The two-part shape of the name is only checked by an assertion, so with assertions
         * disabled a name containing several {@code @} characters is still searched for.
         * NOTE(review): {@code str} comes from the client; this relies on
         * {@code LdapUtils.createFilter} to escape filter metacharacters - confirm.
         */
        @Override // org.elasticsearch.xpack.security.authc.ldap.ActiveDirectorySessionFactory.ADAuthenticator
        void searchForDN(LDAPInterface lDAPInterface, String str, SecureString secureString, int i, ActionListener<SearchResultEntry> actionListener) {
            final String[] parts = str.split("@");
            assert parts.length == 2 : "there should have only been two values for " + str + " after splitting on '@'";
            final String accountName = parts[0];
            try {
                LdapUtils.searchForEntry(lDAPInterface, this.userSearchDN, LdapSearchScope.SUB_TREE.scope(), LdapUtils.createFilter(this.userSearchFilter, accountName, str), i, this.ignoreReferralErrors, actionListener, LdapUtils.attributesToSearchFor(this.groupsResolver.attributes()));
            } catch (LDAPException e) {
                actionListener.onFailure(e);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
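    /**
     * Creates the session factory for an Active Directory realm and one authenticator per
     * supported user-name form (plain account name, down-level name, UPN).
     * <p>
     * The bind DN handed to the superclass is the normalized {@link #getBindDN} value when a
     * bind DN is configured and {@code null} otherwise. The supplier passed next is presumably
     * the DN the superclass uses for connection-pool health checks (confirm against
     * PoolingSessionFactory): it yields the configured bind DN when that value looks like a
     * DN, and otherwise the user-search base DN, falling back to the domain name.
     * <p>
     * The DN check used to read {@code str.isEmpty() && str.indexOf('=') > 0}, which can never
     * be true, so the bind DN branch was dead code. The emptiness test is now negated.
     *
     * @param realmConfig realm configuration
     * @param sSLService  SSL service handed to the superclass and the down-level authenticator
     * @param threadPool  thread pool handed to the superclass and the authenticators
     * @throws LDAPException declared by this constructor; raised by the superclass setup
     */
    public ActiveDirectorySessionFactory(RealmConfig realmConfig, SSLService sSLService, ThreadPool threadPool) throws LDAPException {
        super(realmConfig, sSLService, new ActiveDirectoryGroupsResolver(realmConfig), ActiveDirectorySessionFactorySettings.POOL_ENABLED, realmConfig.hasSetting(PoolingSessionFactorySettings.BIND_DN) ? getBindDN(realmConfig) : null, () -> {
            if (realmConfig.hasSetting(PoolingSessionFactorySettings.BIND_DN)) {
                final String bindDn = (String) realmConfig.getSetting(PoolingSessionFactorySettings.BIND_DN);
                // Use the bind DN only when it is a real DN (has an '=' after the first character).
                if (!bindDn.isEmpty() && bindDn.indexOf('=') > 0) {
                    return bindDn;
                }
            }
            return (String) realmConfig.getSetting(ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_BASEDN_SETTING, () -> {
                return (String) realmConfig.getSetting(ActiveDirectorySessionFactorySettings.AD_DOMAIN_NAME_SETTING);
            });
        }, threadPool);
        final String domainDn = buildDnFromDomain((String) realmConfig.getSetting(ActiveDirectorySessionFactorySettings.AD_DOMAIN_NAME_SETTING));
        final int ldapPort = ((Integer) realmConfig.getSetting(ActiveDirectorySessionFactorySettings.AD_LDAP_PORT_SETTING)).intValue();
        final int ldapsPort = ((Integer) realmConfig.getSetting(ActiveDirectorySessionFactorySettings.AD_LDAPS_PORT_SETTING)).intValue();
        final int gcLdapPort = ((Integer) realmConfig.getSetting(ActiveDirectorySessionFactorySettings.AD_GC_LDAP_PORT_SETTING)).intValue();
        final int gcLdapsPort = ((Integer) realmConfig.getSetting(ActiveDirectorySessionFactorySettings.AD_GC_LDAPS_PORT_SETTING)).intValue();
        this.defaultADAuthenticator = new DefaultADAuthenticator(realmConfig, this.timeout, this.ignoreReferralErrors, this.logger, this.groupResolver, this.metadataResolver, domainDn, threadPool, this::getBindRequest);
        this.downLevelADAuthenticator = new DownLevelADAuthenticator(realmConfig, this.timeout, this.ignoreReferralErrors, this.logger, this.groupResolver, this.metadataResolver, domainDn, sSLService, threadPool, ldapPort, ldapsPort, gcLdapPort, gcLdapsPort, this::getBindRequest);
        this.upnADAuthenticator = new UpnADAuthenticator(realmConfig, this.timeout, this.ignoreReferralErrors, this.logger, this.groupResolver, this.metadataResolver, domainDn, threadPool, this::getBindRequest);
    }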

    /**
     * Builds the URL used when the realm configures none: the domain name with the configured
     * LDAP port.
     * <p>
     * The default uses the plain {@code ldap://} scheme, and the authenticators in this class
     * send the user's password in a simple bind. NOTE(review): whether transport protection is
     * added elsewhere for this default is not visible here - confirm, and prefer an explicit
     * {@code ldaps://} URL in the realm settings.
     *
     * @param realmConfig realm configuration to read the domain name and port from
     * @return a single-element list holding the default URL
     */
    @Override // org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory
    protected List<String> getDefaultLdapUrls(RealmConfig realmConfig) {
        final String domain = (String) realmConfig.getSetting(ActiveDirectorySessionFactorySettings.AD_DOMAIN_NAME_SETTING);
        final Object port = realmConfig.getSetting(ActiveDirectorySessionFactorySettings.AD_LDAP_PORT_SETTING);
        final String url = "ldap://" + domain + ":" + String.valueOf(port);
        return Collections.singletonList(url);
    }

    /**
     * Declares that this factory can create sessions for a user without that user's password.
     * In this class the connection-per-request variant of such a session is only created when
     * a bind DN is configured.
     *
     * @return always {@code true}
     */
    @Override // org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory
    public boolean supportsUnauthenticatedSession() {
        return true;
    }

    /**
     * Authenticates the user through the connection pool, using the authenticator that matches
     * the form of the user name.
     *
     * @param lDAPConnectionPool pool to authenticate and search on
     * @param str                user name as supplied by the client
     * @param secureString       the user's password
     * @param actionListener     receives the session, or the failure
     */
    @Override // org.elasticsearch.xpack.security.authc.ldap.PoolingSessionFactory
    void getSessionWithPool(LDAPConnectionPool lDAPConnectionPool, String str, SecureString secureString, ActionListener<LdapSession> actionListener) {
        final ADAuthenticator authenticator = getADAuthenticator(str);
        authenticator.authenticate(lDAPConnectionPool, str, secureString, this.threadPool, actionListener);
    }

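    /**
     * Authenticates the user on a freshly opened connection, using the authenticator that
     * matches the form of the user name. On success the connection belongs to the returned
     * session; on failure it is closed before the failure is passed on.
     * <p>
     * The success callback previously referred to an undefined name ({@code r4}) left behind
     * by decompilation; it now forwards to {@code actionListener}. The listener is also
     * null-checked before the connection is opened, so a null listener can no longer leave an
     * open connection behind.
     *
     * @param str            user name as supplied by the client
     * @param secureString   the user's password
     * @param actionListener receives the session, or the failure
     */
    @Override // org.elasticsearch.xpack.security.authc.ldap.PoolingSessionFactory
    void getSessionWithoutPool(String str, SecureString secureString, ActionListener<LdapSession> actionListener) {
        Objects.requireNonNull(actionListener);
        try {
            final ServerSet servers = this.serverSet;
            Objects.requireNonNull(servers);
            final LDAPConnection connection = (LDAPConnection) LdapUtils.privilegedConnect(servers::getConnection);
            final ADAuthenticator authenticator = getADAuthenticator(str);
            authenticator.authenticate(connection, str, secureString, ActionListener.wrap(actionListener::onResponse, exc -> {
                // Authentication failed: nobody else owns this connection, so close it here.
                IOUtils.closeWhileHandlingException(connection);
                actionListener.onFailure(exc);
            }));
        } catch (LDAPException e) {
            actionListener.onFailure(e);
        }
    }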

    /**
     * Looks a user up through the connection pool without checking a password. The listener
     * receives a session for the entry that was found, or {@code null} when the search returns
     * no entry.
     *
     * @param lDAPConnectionPool pool to search on; also backs the returned session
     * @param str                user name to look up
     * @param actionListener     receives the session, {@code null}, or the failure
     */
    @Override // org.elasticsearch.xpack.security.authc.ldap.PoolingSessionFactory
    void getUnauthenticatedSessionWithPool(LDAPConnectionPool lDAPConnectionPool, String str, ActionListener<LdapSession> actionListener) {
        final ADAuthenticator authenticator = getADAuthenticator(str);
        // toIntExact throws ArithmeticException if the timeout in seconds does not fit in an int.
        final int timeLimitSeconds = Math.toIntExact(this.timeout.seconds());
        // No password is available on this path, hence the null third argument.
        authenticator.searchForDN(lDAPConnectionPool, str, null, timeLimitSeconds, ActionListener.wrap(entry -> {
            if (entry != null) {
                actionListener.onResponse(new LdapSession(this.logger, this.config, lDAPConnectionPool, entry.getDN(), this.groupResolver, this.metadataResolver, this.timeout, null));
                return;
            }
            actionListener.onResponse(null);
        }, actionListener::onFailure));
    }

    /**
     * Looks a user up on a freshly opened connection without checking a password.
     * <p>
     * Without a configured bind DN there is no identity to search with, so the listener
     * receives {@code null} immediately. Otherwise the connection is bound with the realm's
     * bind request and the user is searched for. The connection is closed on every path except
     * the one that returns a session, which keeps using it.
     *
     * @param str            user name to look up
     * @param actionListener receives the session, {@code null}, or the failure
     */
    @Override // org.elasticsearch.xpack.security.authc.ldap.PoolingSessionFactory
    void getUnauthenticatedSessionWithoutPool(final String str, final ActionListener<LdapSession> actionListener) {
        if (!this.config.hasSetting(PoolingSessionFactorySettings.BIND_DN)) {
            actionListener.onResponse((Object) null);
            return;
        }
        try {
            ServerSet serverSet = this.serverSet;
            Objects.requireNonNull(serverSet);
            final LDAPConnection lDAPConnection = (LDAPConnection) LdapUtils.privilegedConnect(serverSet::getConnection);
            // Bind with the realm's configured bind request; the user's password is not involved.
            LdapUtils.maybeForkThenBind(lDAPConnection, getBindRequest(), true, this.threadPool, new AbstractRunnable() { // from class: org.elasticsearch.xpack.security.authc.ldap.ActiveDirectorySessionFactory.1
                public void onFailure(Exception exc) {
                    // Close the connection before reporting the failure.
                    IOUtils.closeWhileHandlingException(lDAPConnection);
                    actionListener.onFailure(exc);
                }

                protected void doRun() throws Exception {
                    ADAuthenticator aDAuthenticator = ActiveDirectorySessionFactory.this.getADAuthenticator(str);
                    LDAPConnection lDAPConnection2 = lDAPConnection;
                    String str2 = str;
                    // toIntExact throws ArithmeticException if the timeout in seconds does not fit in an int.
                    int intExact = Math.toIntExact(ActiveDirectorySessionFactory.this.timeout.getSeconds());
                    LDAPConnection lDAPConnection3 = lDAPConnection;
                    ActionListener actionListener2 = actionListener;
                    CheckedConsumer checkedConsumer = searchResultEntry -> {
                        if (searchResultEntry != null) {
                            // The session takes over the connection.
                            actionListener2.onResponse(new LdapSession(ActiveDirectorySessionFactory.this.logger, ActiveDirectorySessionFactory.this.config, lDAPConnection3, searchResultEntry.getDN(), ActiveDirectorySessionFactory.this.groupResolver, ActiveDirectorySessionFactory.this.metadataResolver, ActiveDirectorySessionFactory.this.timeout, null));
                        } else {
                            // No such user: nothing will use the connection, so close it.
                            IOUtils.close(lDAPConnection3);
                            actionListener2.onResponse((Object) null);
                        }
                    };
                    LDAPConnection lDAPConnection4 = lDAPConnection;
                    ActionListener actionListener3 = actionListener;
                    // The password argument is null: this is a lookup, not an authentication.
                    aDAuthenticator.searchForDN(lDAPConnection2, str2, null, intExact, ActionListener.wrap(checkedConsumer, exc -> {
                        IOUtils.closeWhileHandlingException(lDAPConnection4);
                        actionListener3.onFailure(exc);
                    }));
                }
            });
        } catch (LDAPException e) {
            actionListener.onFailure(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Converts a DNS-style domain name into a DN made of {@code DC=} components, for example
     * {@code ad.example.com} becomes {@code DC=ad,DC=example,DC=com}. Labels are copied as they
     * are; no DN escaping is applied.
     *
     * @param str domain name
     * @return the corresponding DN
     */
    public static String buildDnFromDomain(String str) {
        final String joinedComponents = str.replace(".", ",DC=");
        return "DC=".concat(joinedComponents);
    }

    /**
     * Returns the configured bind DN in the form used for binding. A non-empty value that
     * contains none of {@code \}, {@code @} or {@code =} is treated as a bare account name and
     * gets {@code @<domain name>} appended; any other value is returned unchanged.
     *
     * @param realmConfig realm configuration
     * @return the bind DN to use
     */
    static String getBindDN(RealmConfig realmConfig) {
        final String configured = (String) realmConfig.getSetting(PoolingSessionFactorySettings.BIND_DN);
        final boolean alreadyQualified = configured.indexOf('\\') >= 0 || configured.indexOf('@') >= 0 || configured.indexOf('=') >= 0;
        if (configured.isEmpty() || alreadyQualified) {
            return configured;
        }
        return configured + "@" + ((String) realmConfig.getSetting(ActiveDirectorySessionFactorySettings.AD_DOMAIN_NAME_SETTING));
    }

    /**
     * Returns the server set this factory opens its non-pooled connections from.
     *
     * @return the server set
     */
    ServerSet getServerSet() {
        return this.serverSet;
    }

    /**
     * Chooses the authenticator from the form of the user name: a backslash after the first
     * character selects the down-level authenticator, otherwise an {@code @} after the first
     * character selects the UPN authenticator, otherwise the default one is used. The backslash
     * check comes first, so a name containing both characters is handled as a down-level name.
     *
     * @param str user name as supplied by the client
     * @return the authenticator for that name
     */
    ADAuthenticator getADAuthenticator(String str) {
        if (str.indexOf('\\') > 0) {
            return this.downLevelADAuthenticator;
        }
        if (str.indexOf('@') > 0) {
            return this.upnADAuthenticator;
        }
        return this.defaultADAuthenticator;
    }
}
