package org.elasticsearch.xpack.security.authc.ldap;

import com.unboundid.ldap.sdk.Control;
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.GetEntryLDAPConnectionPoolHealthCheck;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionPool;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.LDAPInterface;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.ServerSet;
import com.unboundid.ldap.sdk.SimpleBindRequest;
import java.util.Locale;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.xpack.security.authc.RealmConfig;
import org.elasticsearch.xpack.security.authc.activedirectory.ActiveDirectorySessionFactory;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapSearchScope;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapSession;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils;
import org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory;
import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.xpack.security.support.Exceptions;
import org.elasticsearch.xpack.ssl.SSLService;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactory.class */
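/**
 * Session factory that authenticates by first searching the directory for the user's entry
 * (an equality match of {@code userAttribute} under {@code userSearchBaseDn}) and then performing
 * a simple bind with the DN that was found and the supplied password.
 *
 * <p>Searches run either through a shared {@link LDAPConnectionPool} bound with the realm's
 * {@code bind_dn}/{@code bind_password}, or, when pooling is disabled, on a connection opened
 * per request.
 *
 * <p>This listing was recovered by a decompiler. The close-on-failure branches had been reduced to
 * constant-false conditions and two locals were initialised from an {@code int} constant; both are
 * restored here as ordinary {@code try}/{@code finally} cleanup and {@code null} initialisers.
 */
class LdapUserSearchSessionFactory extends SessionFactory {
    static final int DEFAULT_CONNECTION_POOL_SIZE = 20;
    static final int DEFAULT_CONNECTION_POOL_INITIAL_SIZE = 0;
    static final String DEFAULT_USERNAME_ATTRIBUTE = "uid";
    static final TimeValue DEFAULT_HEALTH_CHECK_INTERVAL = TimeValue.timeValueSeconds(60L);
    private final String userSearchBaseDn;
    private final LdapSearchScope scope;
    private final String userAttribute;
    private final LdapSession.GroupsResolver groupResolver;
    private final boolean useConnectionPool;
    private final LDAPConnectionPool connectionPool;

    /**
     * Reads the user-search settings of the realm and, unless {@code user_search.pool.enabled} is
     * {@code false}, creates the connection pool.
     *
     * <p>The decompiler reported that this constructor was package-private in the original class.
     *
     * @param realmConfig realm configuration whose settings are read
     * @param sSLService  passed through to {@link SessionFactory}
     * @throws LDAPException            if the connection pool cannot be created
     * @throws IllegalArgumentException if no user search base DN is configured
     */
    public LdapUserSearchSessionFactory(RealmConfig realmConfig, SSLService sSLService) throws LDAPException {
        super(realmConfig, sSLService);
        Settings settings = realmConfig.settings();
        // The setting-key constants are declared on ActiveDirectorySessionFactory; presumably they
        // resolve to the user_search keys named in the error message below (confirm).
        this.userSearchBaseDn = settings.get(ActiveDirectorySessionFactory.AD_USER_SEARCH_BASEDN_SETTING);
        if (this.userSearchBaseDn == null) {
            throw new IllegalArgumentException("user_search base_dn must be specified");
        }
        this.scope = LdapSearchScope.resolve(settings.get(ActiveDirectorySessionFactory.AD_USER_SEARCH_SCOPE_SETTING), LdapSearchScope.SUB_TREE);
        this.userAttribute = settings.get("user_search.attribute", DEFAULT_USERNAME_ATTRIBUTE);
        this.groupResolver = groupResolver(settings);
        this.useConnectionPool = settings.getAsBoolean("user_search.pool.enabled", true);
        if (this.useConnectionPool) {
            this.connectionPool = createConnectionPool(realmConfig, this.serverSet, this.timeout, this.logger);
        } else {
            this.connectionPool = null;
        }
    }

    /**
     * Builds the pool used for user searches and, when enabled, attaches a background health check
     * that fetches a known entry.
     *
     * @param realmConfig realm configuration supplying the {@code user_search.pool.*} settings
     * @param serverSet   servers the pool connects to
     * @param timeValue   maximum response time allowed for the health-check lookup
     * @param logger      receives a warning when no health-check DN is available
     * @return the configured pool; the caller owns it and must close it
     * @throws LDAPException if the pool cannot be established
     */
    static LDAPConnectionPool createConnectionPool(RealmConfig realmConfig, ServerSet serverSet, TimeValue timeValue, Logger logger) throws LDAPException {
        Settings settings = realmConfig.settings();
        SimpleBindRequest bindRequest = bindRequest(settings);
        int initialSize = settings.getAsInt("user_search.pool.initial_size", DEFAULT_CONNECTION_POOL_INITIAL_SIZE);
        int maxSize = settings.getAsInt("user_search.pool.size", DEFAULT_CONNECTION_POOL_SIZE);
        LDAPConnectionPool pool = null;
        boolean success = false;
        try {
            pool = new LDAPConnectionPool(serverSet, bindRequest, initialSize, maxSize);
            pool.setRetryFailedOperationsDueToInvalidConnections(true);
            if (settings.getAsBoolean("user_search.pool.health_check.enabled", true)) {
                // Fall back to the bind DN as the entry to fetch when no explicit DN is configured.
                String healthCheckDn = settings.get("user_search.pool.health_check.dn", bindRequest == null ? null : bindRequest.getBindDN());
                long intervalMillis = settings.getAsTime("user_search.pool.health_check.interval", DEFAULT_HEALTH_CHECK_INTERVAL).millis();
                if (healthCheckDn != null) {
                    // Of the five invocation flags only the fourth is set; in the SDK's parameter
                    // order that should be "invoke for background checks" (verify against the SDK).
                    pool.setHealthCheck(new GetEntryLDAPConnectionPoolHealthCheck(healthCheckDn, timeValue.millis(), false, false, false, true, false));
                    pool.setHealthCheckIntervalMillis(intervalMillis);
                } else {
                    logger.warn("[bind_dn] and [user_search.pool.health_check.dn] have not been specified so no ldap query will be run as a health check");
                }
            }
            success = true;
            return pool;
        } finally {
            // A failure after the pool was opened would otherwise leak its connections.
            if (!success && pool != null) {
                pool.close();
            }
        }
    }

    /**
     * Creates the bind request for the search account from {@code bind_dn} and {@code bind_password}.
     *
     * @param settings realm settings
     * @return the bind request, or {@code null} when {@code bind_dn} is not configured
     */
    static SimpleBindRequest bindRequest(Settings settings) {
        String bindDn = settings.get("bind_dn");
        if (bindDn == null) {
            return null;
        }
        return new SimpleBindRequest(bindDn, settings.get("bind_password"));
    }

    /**
     * Authenticates the user, using the pool when it is enabled.
     *
     * <p>NOTE(review): nothing in this class rejects an empty password. A simple bind with a DN and
     * an empty password is an LDAP "unauthenticated bind", so confirm that the caller or the SDK
     * connection options refuse it before it reaches the server.
     *
     * @param str           the user name to search for
     * @param securedString the user's password
     * @return a session for the authenticated user
     * @throws Exception if the user is not found or the bind fails
     */
    @Override // org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory
    protected LdapSession getSession(String str, SecuredString securedString) throws Exception {
        return this.useConnectionPool ? getSessionWithPool(str, securedString) : getSessionWithoutPool(str, securedString);
    }

    /**
     * Finds the user through the pool, then verifies the password with
     * {@code bindAndRevertAuthentication}. The returned session keeps using the pool, not a
     * connection bound as the user.
     */
    private LdapSession getSessionWithPool(String str, SecuredString securedString) throws Exception {
        SearchResultEntry entry = findUser(str, this.connectionPool);
        assert entry != null;
        String dn = entry.getDN();
        // The password is copied into an immutable String for the SDK call; that copy cannot be
        // zeroed and stays in memory until it is garbage-collected.
        this.connectionPool.bindAndRevertAuthentication(dn, new String(securedString.internalChars()), new Control[0]);
        return new LdapSession(this.logger, this.connectionPool, dn, this.groupResolver, this.timeout, entry.getAttributes());
    }

    /**
     * Opens a dedicated connection, binds as the search account, finds the user and re-binds the
     * same connection as that user. The connection is handed to the returned session on success and
     * closed on any failure, including a rejected password.
     */
    private LdapSession getSessionWithoutPool(String str, SecuredString securedString) throws Exception {
        LDAPConnection connection = null;
        boolean success = false;
        try {
            connection = this.serverSet.getConnection();
            // NOTE(review): bindRequest() returns null when bind_dn is unset; confirm how the SDK
            // treats a null bind request here.
            connection.bind(bindRequest(this.config.settings()));
            SearchResultEntry entry = findUser(str, connection);
            assert entry != null;
            String dn = entry.getDN();
            // The String copy of the password cannot be zeroed after use.
            connection.bind(dn, new String(securedString.internalChars()));
            LdapSession session = new LdapSession(this.logger, connection, dn, this.groupResolver, this.timeout, entry.getAttributes());
            success = true;
            return session;
        } finally {
            // Without this, every failed login would leave an open connection to the directory.
            if (!success && connection != null) {
                connection.close();
            }
        }
    }

    @Override // org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory
    public boolean supportsUnauthenticatedSession() {
        return true;
    }

    /**
     * Looks the user up without checking a password. The session is built on the search account's
     * connection (pooled or dedicated); no bind as the user takes place.
     *
     * @param str the user name to search for
     * @return a session for the user's entry
     * @throws Exception if the user is not found or the directory cannot be reached
     */
    @Override // org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory
    public LdapSession unauthenticatedSession(String str) throws Exception {
        LDAPConnection connection = null;
        boolean success = false;
        try {
            final LDAPInterface ldapInterface;
            if (this.useConnectionPool) {
                ldapInterface = this.connectionPool;
            } else {
                connection = this.serverSet.getConnection();
                connection.bind(bindRequest(this.config.settings()));
                ldapInterface = connection;
            }
            SearchResultEntry entry = findUser(str, ldapInterface);
            assert entry != null;
            LdapSession session = new LdapSession(this.logger, ldapInterface, entry.getDN(), this.groupResolver, this.timeout, entry.getAttributes());
            success = true;
            return session;
        } finally {
            // Only a dedicated connection is closed here; the shared pool is never assigned to it.
            if (!success && connection != null) {
                connection.close();
            }
        }
    }

    /**
     * Searches for the entry whose {@code userAttribute} equals the given user name.
     *
     * @param str           the user name
     * @param lDAPInterface the connection or pool to search with
     * @return the matching entry, never {@code null}
     * @throws Exception an authentication error when no entry is returned
     */
    private SearchResultEntry findUser(String str, LDAPInterface lDAPInterface) throws Exception {
        // The filter is built as a structured equality filter rather than by string concatenation.
        // NOTE(review): Filter.encodeValue already escapes for the string form of a filter; passing
        // its result to createEqualityFilter may double-escape names containing filter
        // metacharacters (the lookup would then miss rather than broaden). Confirm against the SDK.
        SearchRequest searchRequest = new SearchRequest(
                this.userSearchBaseDn,
                this.scope.scope(),
                Filter.createEqualityFilter(this.userAttribute, Filter.encodeValue(str)),
                LdapUtils.attributesToSearchFor(this.groupResolver.attributes()));
        searchRequest.setTimeLimitSeconds(Math.toIntExact(this.timeout.seconds()));
        SearchResultEntry entry = LdapUtils.searchForEntry(lDAPInterface, searchRequest, this.logger);
        if (entry == null) {
            throw Exceptions.authenticationError("failed to find user [{}] with search base [{}] scope [{}]", str, this.userSearchBaseDn, this.scope.toString().toLowerCase(Locale.ENGLISH));
        }
        return entry;
    }

    /** Closes the connection pool, if one was created. */
    void shutdown() {
        if (this.connectionPool != null) {
            this.connectionPool.close();
        }
    }

    /**
     * Chooses the group resolver: a search-based resolver when any {@code group_search} setting is
     * present, otherwise one that reads groups from a user attribute.
     */
    static LdapSession.GroupsResolver groupResolver(Settings settings) {
        Settings groupSearchSettings = settings.getAsSettings("group_search");
        if (groupSearchSettings.names().isEmpty()) {
            return new UserAttributeGroupsResolver(settings);
        }
        return new SearchGroupsResolver(groupSearchSettings);
    }
}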
