package org.elasticsearch.xpack.security.authc.ldap;

import com.unboundid.ldap.sdk.Attribute;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.LDAPInterface;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapSearchScope;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapSession;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/ldap/SearchGroupsResolver.class */
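/**
 * Resolves a user's group memberships by searching the directory for group
 * entries that reference the user.
 *
 * <p>The search is rooted at the configured {@code base_dn} and uses a filter
 * template in which {@code {0}} is replaced by the user identifier. The
 * identifier is the user's DN unless {@code user_attribute} is configured, in
 * which case the value of that attribute on the user's entry is used.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The user identifier is substituted into the LDAP filter by
 *       {@code LdapUtils.createFilter}. Injection safety therefore depends on
 *       that helper escaping the value; its body is not visible here, so
 *       confirm it before relying on it.</li>
 *   <li>Only a time limit is set on the requests built here. No size limit is
 *       set, so the number of returned entries is bounded only by whatever the
 *       directory server enforces.</li>
 * </ul>
 */
class SearchGroupsResolver implements LdapSession.GroupsResolver {
    /**
     * Default filter template: matches entries whose object class is one of
     * groupOfNames, groupOfUniqueNames, group or posixGroup and whose
     * uniqueMember, member or memberUid equals the substituted value {@code {0}}.
     */
    private static final String GROUP_SEARCH_DEFAULT_FILTER = "(&(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group)(objectclass=posixGroup))(|(uniqueMember={0})(member={0})(memberUid={0})))";
    private final String baseDn;
    private final String filter;
    private final String userAttribute;
    private final LdapSearchScope scope;

    /**
     * Builds the resolver from its settings: {@code base_dn} (required),
     * {@code filter} (defaults to {@link #GROUP_SEARCH_DEFAULT_FILTER}),
     * {@code user_attribute} (optional) and {@code scope} (defaults to
     * {@link LdapSearchScope#SUB_TREE}).
     *
     * @param settings the group-search settings
     * @throws IllegalArgumentException if {@code base_dn} is not set
     */
    public SearchGroupsResolver(Settings settings) {
        this.baseDn = settings.get("base_dn");
        if (this.baseDn == null) {
            throw new IllegalArgumentException("base_dn must be specified");
        }
        // NOTE(review): a custom filter is taken from configuration as-is; only the {0}
        // value is passed through LdapUtils.createFilter at search time.
        this.filter = settings.get("filter", GROUP_SEARCH_DEFAULT_FILTER);
        this.userAttribute = settings.get("user_attribute");
        this.scope = LdapSearchScope.resolve(settings.get("scope"), LdapSearchScope.SUB_TREE);
    }

    /**
     * Searches under {@code base_dn} for group entries matching the filter and
     * returns their DNs.
     *
     * @param lDAPInterface connection used to run the search
     * @param str DN of the user whose groups are resolved
     * @param timeValue timeout applied to the search as a whole-second time limit
     * @param logger logger handed to the {@code LdapUtils} helpers
     * @param collection attributes already loaded for the user, or {@code null}
     * @return the DNs of the matching entries; an empty list when no user
     *         identifier could be determined
     * @throws LDAPException if a directory operation fails
     * @throws ArithmeticException if the timeout in seconds does not fit in an {@code int}
     */
    @Override
    public List<String> resolve(LDAPInterface lDAPInterface, String str, TimeValue timeValue, Logger logger, Collection<Attribute> collection) throws LDAPException {
        String userId = getUserId(str, collection, lDAPInterface, timeValue, logger);
        if (userId == null) {
            return Collections.emptyList();
        }
        // "1.1" is the LDAP "no attributes" selector: only the entry DNs are needed.
        // NOTE(review): createFilter presumably escapes userId per RFC 4515 before
        // substituting it for {0} - confirm, since userId can come from a directory attribute.
        SearchRequest searchRequest = new SearchRequest(this.baseDn, this.scope.scope(), LdapUtils.createFilter(this.filter, userId), new String[]{"1.1"});
        // NOTE(review): if seconds() truncates, a sub-second timeout becomes 0, which
        // LDAP treats as "no time limit" - confirm how TimeValue rounds.
        searchRequest.setTimeLimitSeconds(Math.toIntExact(timeValue.seconds()));
        SearchResult search = LdapUtils.search(lDAPInterface, searchRequest, logger);
        List<SearchResultEntry> entries = search.getSearchEntries();
        List<String> groupDns = new ArrayList<>(entries.size());
        for (SearchResultEntry entry : entries) {
            groupDns.add(entry.getDN());
        }
        return groupDns;
    }

    /**
     * Names the user attributes this resolver wants pre-loaded.
     *
     * @return a one-element array holding {@code user_attribute}, or
     *         {@code null} when no user attribute is configured
     */
    @Override
    public String[] attributes() {
        if (this.userAttribute != null) {
            return new String[]{this.userAttribute};
        }
        return null;
    }

    /**
     * Determines the value substituted into the group filter: the user DN when
     * no user attribute is configured, otherwise the attribute value taken
     * from the supplied attributes or, failing that, read from the directory.
     *
     * @return the user identifier, or {@code null} if the attribute could not be read
     */
    private String getUserId(String str, Collection<Attribute> collection, LDAPInterface lDAPInterface, TimeValue timeValue, Logger logger) throws LDAPException {
        if (this.userAttribute == null) {
            return str;
        }
        if (collection != null) {
            for (Attribute attribute : collection) {
                // Exact, case-sensitive name match; a name that differs only in case
                // is not matched here and falls through to the directory read below.
                if (attribute.getName().equals(this.userAttribute)) {
                    return attribute.getValue();
                }
            }
        }
        return readUserAttribute(lDAPInterface, str, timeValue, logger);
    }

    /**
     * Reads the configured user attribute from the user's own entry using a
     * base-scope search on the user DN.
     *
     * @param lDAPInterface connection used to run the search
     * @param str DN of the user entry to read
     * @param timeValue timeout applied to the search as a whole-second time limit
     * @param logger logger handed to the {@code LdapUtils} helpers
     * @return the attribute value, or {@code null} if the entry or the
     *         attribute is not returned
     * @throws LDAPException if the directory operation fails
     * @throws ArithmeticException if the timeout in seconds does not fit in an {@code int}
     */
    String readUserAttribute(LDAPInterface lDAPInterface, String str, TimeValue timeValue, Logger logger) throws LDAPException {
        SearchRequest searchRequest = new SearchRequest(str, SearchScope.BASE, LdapUtils.OBJECT_CLASS_PRESENCE_FILTER, new String[]{this.userAttribute});
        searchRequest.setTimeLimitSeconds(Math.toIntExact(timeValue.seconds()));
        SearchResultEntry userEntry = LdapUtils.searchForEntry(lDAPInterface, searchRequest, logger);
        if (userEntry == null) {
            return null;
        }
        Attribute attribute = userEntry.getAttribute(this.userAttribute);
        return attribute == null ? null : attribute.getValue();
    }
}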
