package org.elasticsearch.xpack.security.authc.activedirectory;

import com.unboundid.ldap.sdk.Attribute;
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.LDAPInterface;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.xpack.monitoring.resolver.MonitoringIndexNameResolver;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapSearchScope;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapSession;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/activedirectory/ActiveDirectoryGroupsResolver.class */
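/**
 * Resolves the Active Directory groups of a user in two LDAP round trips:
 * <ol>
 *   <li>a base-scope search of the user entry reading the {@code tokenGroups}
 *       attribute, whose values are binary SIDs of the groups the user
 *       belongs to, and</li>
 *   <li>a search under {@code base_dn} for group entries whose
 *       {@code objectSid} equals one of those SIDs (rendered in string form),
 *       returning the DNs of the matches.</li>
 * </ol>
 * Any LDAP failure or malformed SID is logged and yields an empty group list,
 * i.e. the resolver fails closed.
 */
public class ActiveDirectoryGroupsResolver implements LdapSession.GroupsResolver {
    /** Separator between the components of a string-form SID ({@code S-1-5-...}). */
    private static final String SID_SEPARATOR = "-";

    /** Minimum length of a binary SID: revision, sub-authority count and 48-bit authority. */
    private static final int SID_HEADER_LENGTH = 8;

    private final String baseDn;
    private final LdapSearchScope scope;

    /**
     * Creates a resolver from realm settings.
     *
     * @param settings realm settings; {@code base_dn} and {@code scope} are read
     * @param str      base DN used when {@code base_dn} is not configured
     */
    public ActiveDirectoryGroupsResolver(Settings settings, String str) {
        this.baseDn = settings.get("base_dn", str);
        this.scope = LdapSearchScope.resolve(settings.get("scope"), LdapSearchScope.SUB_TREE);
    }

    /**
     * Returns the DNs of the groups the given user is a member of.
     *
     * @param lDAPInterface connection used for both searches
     * @param str           DN of the user entry
     * @param timeValue     per-search time limit
     * @param logger        logger for diagnostics
     * @param collection    pre-fetched user attributes; not used by this resolver
     * @return group DNs, or an empty list if the user or its groups could not be resolved
     */
    @Override
    public List<String> resolve(LDAPInterface lDAPInterface, String str, TimeValue timeValue, Logger logger, Collection<Attribute> collection) {
        Filter groupFilter = buildGroupQuery(lDAPInterface, str, timeValue, logger);
        logger.debug("group SID to DN search filter: [{}]", groupFilter);
        if (groupFilter == null) {
            return Collections.emptyList();
        }
        // "1.1" asks for no attributes: only the DNs of the matching group entries are needed
        SearchRequest request = new SearchRequest(this.baseDn, this.scope.scope(), groupFilter, "1.1");
        // NOTE(review): a configured timeout below one second becomes 0 here, which LDAP
        // treats as "no server-side time limit" — confirm this is acceptable for the realm
        request.setTimeLimitSeconds(Math.toIntExact(timeValue.seconds()));
        try {
            SearchResult result = LdapUtils.search(lDAPInterface, request, logger);
            List<String> groupDns = new ArrayList<>(result.getEntryCount());
            for (SearchResultEntry entry : result.getSearchEntries()) {
                groupDns.add(entry.getDN());
            }
            if (logger.isDebugEnabled()) {
                logger.debug("found these groups [{}] for userDN [{}]", groupDns, str);
            }
            return groupDns;
        } catch (LDAPException e) {
            // fail closed: an error during group lookup grants no groups
            logger.error(() -> new ParameterizedMessage("failed to fetch AD groups for DN [{}]", str), e);
            return Collections.emptyList();
        }
    }

    /**
     * This resolver needs no user attributes to be fetched up front; it reads
     * {@code tokenGroups} itself with a base-scope search of the user entry.
     * NOTE(review): {@code null} presumably means "no attributes" to the caller —
     * confirm against {@link LdapSession.GroupsResolver}.
     */
    @Override
    public String[] attributes() {
        return null;
    }

    /**
     * Builds the {@code objectSid} OR-filter for the groups listed in the user's
     * {@code tokenGroups} attribute.
     *
     * @param lDAPInterface connection used for the user-entry search
     * @param str           DN of the user entry
     * @param timeValue     time limit for the search
     * @param logger        logger for diagnostics
     * @return the OR filter, or {@code null} when the user entry was not found,
     *         has no {@code tokenGroups}, or the lookup failed
     */
    static Filter buildGroupQuery(LDAPInterface lDAPInterface, String str, TimeValue timeValue, Logger logger) {
        try {
            // tokenGroups is only returned by a base-scope search of the entry itself
            SearchRequest request = new SearchRequest(str, SearchScope.BASE, LdapUtils.OBJECT_CLASS_PRESENCE_FILTER, "tokenGroups");
            request.setTimeLimitSeconds(Math.toIntExact(timeValue.seconds()));
            SearchResultEntry userEntry = LdapUtils.searchForEntry(lDAPInterface, request, logger);
            if (userEntry == null) {
                return null;
            }
            Attribute tokenGroups = userEntry.getAttribute("tokenGroups");
            if (tokenGroups == null) {
                // previously dereferenced unconditionally; an entry without tokenGroups has no groups
                logger.debug("entry [{}] has no tokenGroups attribute", str);
                return null;
            }
            byte[][] groupSids = tokenGroups.getValueByteArrays();
            if (groupSids.length == 0) {
                // no SIDs means no groups; skip the second search rather than send an empty OR filter
                return null;
            }
            List<Filter> sidFilters = new ArrayList<>(groupSids.length);
            for (byte[] groupSid : groupSids) {
                sidFilters.add(Filter.createEqualityFilter("objectSid", binarySidToStringSid(groupSid)));
            }
            return Filter.createORFilter(sidFilters);
        } catch (LDAPException e) {
            logger.error(() -> new ParameterizedMessage("failed to fetch AD groups for DN [{}]", str), e);
            return null;
        } catch (IllegalArgumentException e) {
            // a tokenGroups value that is not a well-formed SID; fail closed with no groups
            logger.error(() -> new ParameterizedMessage("malformed tokenGroups SID on entry [{}]", str), e);
            return null;
        }
    }

    /**
     * Converts a binary SID to its string form ({@code S-R-A-S1-S2-...}).
     * <p>
     * Binary layout: byte 0 revision, byte 1 sub-authority count, bytes 2-7 the
     * 48-bit identifier authority (big-endian), followed by {@code count}
     * 32-bit little-endian sub-authorities.
     *
     * @param bArr the binary SID
     * @return the string-form SID, with the authority rendered in decimal
     * @throws IllegalArgumentException if {@code bArr} is {@code null} or shorter
     *         than the length implied by its sub-authority count
     */
    public static String binarySidToStringSid(byte[] bArr) {
        if (bArr == null || bArr.length < SID_HEADER_LENGTH) {
            throw new IllegalArgumentException("binary SID must be at least " + SID_HEADER_LENGTH + " bytes long");
        }
        int revision = bArr[0] & 0xFF;
        int subAuthorityCount = bArr[1] & 0xFF;
        int requiredLength = SID_HEADER_LENGTH + 4 * subAuthorityCount;
        if (bArr.length < requiredLength) {
            throw new IllegalArgumentException("binary SID declares " + subAuthorityCount
                + " sub-authorities but is only " + bArr.length + " bytes long");
        }
        // identifier authority: bytes 2..7, big-endian
        long authority = 0L;
        for (int i = 2; i < SID_HEADER_LENGTH; i++) {
            authority = (authority << 8) | (bArr[i] & 0xFFL);
        }
        StringBuilder sid = new StringBuilder("S")
            .append(SID_SEPARATOR).append(revision)
            .append(SID_SEPARATOR).append(authority);
        // sub-authorities: 32-bit little-endian words starting at byte 8
        for (int i = 0; i < subAuthorityCount; i++) {
            int offset = SID_HEADER_LENGTH + 4 * i;
            long subAuthority = (bArr[offset] & 0xFFL)
                | ((bArr[offset + 1] & 0xFFL) << 8)
                | ((bArr[offset + 2] & 0xFFL) << 16)
                | ((bArr[offset + 3] & 0xFFL) << 24);
            sid.append(SID_SEPARATOR).append(subAuthority);
        }
        return sid.toString();
    }
}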
