package org.elasticsearch.xpack.security.authc.ldap;

import com.unboundid.ldap.sdk.LDAPException;
import java.io.Closeable;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.atomic.AtomicReference;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.apache.lucene.util.IOUtils;
import org.elasticsearch.ElasticsearchTimeoutException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.common.util.concurrent.AbstractRunnable;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.watcher.ResourceWatcherService;
import org.elasticsearch.xpack.monitoring.exporter.http.HttpExporter;
import org.elasticsearch.xpack.security.authc.RealmConfig;
import org.elasticsearch.xpack.security.authc.RealmSettings;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapLoadBalancing;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapSession;
import org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory;
import org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm;
import org.elasticsearch.xpack.security.authc.support.DnRoleMapper;
import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
import org.elasticsearch.xpack.security.user.User;
import org.elasticsearch.xpack.ssl.SSLService;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/ldap/LdapRealm.class */
public final class LdapRealm extends CachingUsernamePasswordRealm {
    public static final String LDAP_TYPE = "ldap";
    public static final String AD_TYPE = "active_directory";
    static final Setting<TimeValue> EXECUTION_TIMEOUT;
    private final SessionFactory sessionFactory;
    private final DnRoleMapper roleMapper;
    private final ThreadPool threadPool;
    private final TimeValue executionTimeout;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/ldap/LdapRealm$CancellableLdapRunnable.class */
    static class CancellableLdapRunnable extends AbstractRunnable {
        private final Runnable in;
        private final ActionListener<User> listener;
        private final Logger logger;
        private final AtomicReference<LdapRunnableState> state = new AtomicReference<>(LdapRunnableState.AWAITING_EXECUTION);

        /* loaded from: input_file:org/elasticsearch/xpack/security/authc/ldap/LdapRealm$CancellableLdapRunnable$LdapRunnableState.class */
        enum LdapRunnableState {
            AWAITING_EXECUTION,
            EXECUTING,
            TIMED_OUT
        }

        CancellableLdapRunnable(ActionListener<User> actionListener, Runnable runnable, Logger logger) {
            this.listener = actionListener;
            this.in = runnable;
            this.logger = logger;
        }

        public void onFailure(Exception exc) {
            this.logger.error("execution of ldap runnable failed", exc);
            this.listener.onResponse((Object) null);
        }

        protected void doRun() throws Exception {
            if (this.state.compareAndSet(LdapRunnableState.AWAITING_EXECUTION, LdapRunnableState.EXECUTING)) {
                this.in.run();
            } else {
                this.logger.trace("skipping execution of ldap runnable as the current state is [{}]", this.state.get());
            }
        }

        public void onRejection(Exception exc) {
            this.listener.onFailure(exc);
        }

        void maybeTimeout() {
            if (this.state.compareAndSet(LdapRunnableState.AWAITING_EXECUTION, LdapRunnableState.TIMED_OUT)) {
                this.logger.warn("skipping execution of ldap runnable as it has been waiting for execution too long");
                this.listener.onFailure(new ElasticsearchTimeoutException("timed out waiting for execution of ldap runnable", new Object[0]));
            }
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/ldap/LdapRealm$LdapSessionActionListener.class */
    private static class LdapSessionActionListener implements ActionListener<LdapSession> {
        private final AtomicReference<LdapSession> ldapSessionAtomicReference = new AtomicReference<>();
        private String action;
        private Logger logger;
        private final String username;
        private final ActionListener<User> userActionListener;
        private final DnRoleMapper roleMapper;

        LdapSessionActionListener(String str, String str2, ActionListener<User> actionListener, DnRoleMapper dnRoleMapper, Logger logger) {
            this.action = str;
            this.username = str2;
            this.userActionListener = actionListener;
            this.roleMapper = dnRoleMapper;
            this.logger = logger;
        }

        public void onResponse(LdapSession ldapSession) {
            if (ldapSession == null) {
                this.userActionListener.onResponse((Object) null);
            } else {
                this.ldapSessionAtomicReference.set(ldapSession);
                LdapRealm.lookupGroups(ldapSession, this.username, this.userActionListener, this.roleMapper);
            }
        }

        public void onFailure(Exception exc) {
            if (this.ldapSessionAtomicReference.get() != null) {
                IOUtils.closeWhileHandlingException(new Closeable[]{(Closeable) this.ldapSessionAtomicReference.get()});
            }
            this.logger.info("{} failed for user [{}]: {}", this.action, this.username, exc.getMessage());
            if (this.logger.isDebugEnabled()) {
                this.logger.debug(new ParameterizedMessage("{} failed", this.action), exc);
            }
            this.userActionListener.onResponse((Object) null);
        }
    }

    public LdapRealm(String str, RealmConfig realmConfig, ResourceWatcherService resourceWatcherService, SSLService sSLService, ThreadPool threadPool) throws LDAPException {
        this(str, realmConfig, sessionFactory(realmConfig, sSLService, str), new DnRoleMapper(str, realmConfig, resourceWatcherService), threadPool);
    }

    LdapRealm(String str, RealmConfig realmConfig, SessionFactory sessionFactory, DnRoleMapper dnRoleMapper, ThreadPool threadPool) {
        super(str, realmConfig);
        this.sessionFactory = sessionFactory;
        this.roleMapper = dnRoleMapper;
        this.threadPool = threadPool;
        this.executionTimeout = (TimeValue) EXECUTION_TIMEOUT.get(realmConfig.settings());
        dnRoleMapper.addListener(this::expireAll);
    }

    static SessionFactory sessionFactory(RealmConfig realmConfig, SSLService sSLService, String str) throws LDAPException {
        SessionFactory ldapUserSearchSessionFactory;
        if (AD_TYPE.equals(str)) {
            ldapUserSearchSessionFactory = new ActiveDirectorySessionFactory(realmConfig, sSLService);
        } else {
            if (!$assertionsDisabled && !LDAP_TYPE.equals(str)) {
                throw new AssertionError("type [" + str + "] is unknown. expected one of [" + AD_TYPE + ", " + LDAP_TYPE + "]");
            }
            boolean hasUserSearchSettings = LdapUserSearchSessionFactory.hasUserSearchSettings(realmConfig);
            boolean exists = LdapSessionFactory.USER_DN_TEMPLATES_SETTING.exists(realmConfig.settings());
            if (hasUserSearchSettings) {
                if (exists) {
                    throw new IllegalArgumentException("settings were found for both user search [" + RealmSettings.getFullSettingKey(realmConfig, "user_search.") + "] and user template [" + RealmSettings.getFullSettingKey(realmConfig, LdapSessionFactory.USER_DN_TEMPLATES_SETTING) + "] modes of operation. Please remove the settings for the mode you do not wish to use. For more details refer to the ldap authentication section of the X-Pack guide.");
                }
                ldapUserSearchSessionFactory = new LdapUserSearchSessionFactory(realmConfig, sSLService);
            } else {
                if (!exists) {
                    throw new IllegalArgumentException("settings were not found for either user search [" + RealmSettings.getFullSettingKey(realmConfig, "user_search.") + "] or user template [" + RealmSettings.getFullSettingKey(realmConfig, LdapSessionFactory.USER_DN_TEMPLATES_SETTING) + "] modes of operation. Please provide the settings for the mode you wish to use. For more details refer to the ldap authentication section of the X-Pack guide.");
                }
                ldapUserSearchSessionFactory = new LdapSessionFactory(realmConfig, sSLService);
            }
        }
        return ldapUserSearchSessionFactory;
    }

    public static Set<Setting<?>> getSettings(String str) {
        HashSet hashSet = new HashSet();
        hashSet.addAll(CachingUsernamePasswordRealm.getCachingSettings());
        DnRoleMapper.getSettings(hashSet);
        hashSet.add(EXECUTION_TIMEOUT);
        if (AD_TYPE.equals(str)) {
            hashSet.addAll(ActiveDirectorySessionFactory.getSettings());
        } else {
            if (!$assertionsDisabled && !LDAP_TYPE.equals(str)) {
                throw new AssertionError("type [" + str + "] is unknown. expected one of [" + AD_TYPE + ", " + LDAP_TYPE + "]");
            }
            hashSet.addAll(LdapSessionFactory.getSettings());
            hashSet.addAll(LdapUserSearchSessionFactory.getSettings());
        }
        return hashSet;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v0, types: [org.elasticsearch.xpack.security.authc.ldap.LdapRealm$CancellableLdapRunnable, java.lang.Object, java.lang.Runnable] */
    @Override // org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm
    protected void doAuthenticate(UsernamePasswordToken usernamePasswordToken, ActionListener<User> actionListener) {
        ?? cancellableLdapRunnable = new CancellableLdapRunnable(actionListener, () -> {
            this.sessionFactory.session(usernamePasswordToken.principal(), usernamePasswordToken.credentials(), new LdapSessionActionListener("authenticate", usernamePasswordToken.principal(), actionListener, this.roleMapper, this.logger));
        }, this.logger);
        this.threadPool.generic().execute(cancellableLdapRunnable);
        ThreadPool threadPool = this.threadPool;
        TimeValue timeValue = this.executionTimeout;
        cancellableLdapRunnable.getClass();
        threadPool.schedule(timeValue, "same", cancellableLdapRunnable::maybeTimeout);
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v4, types: [org.elasticsearch.xpack.security.authc.ldap.LdapRealm$CancellableLdapRunnable, java.lang.Object, java.lang.Runnable] */
    @Override // org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm
    protected void doLookupUser(String str, ActionListener<User> actionListener) {
        if (!this.sessionFactory.supportsUnauthenticatedSession()) {
            actionListener.onResponse((Object) null);
            return;
        }
        ?? cancellableLdapRunnable = new CancellableLdapRunnable(actionListener, () -> {
            this.sessionFactory.unauthenticatedSession(str, new LdapSessionActionListener("lookup", str, actionListener, this.roleMapper, this.logger));
        }, this.logger);
        this.threadPool.generic().execute(cancellableLdapRunnable);
        ThreadPool threadPool = this.threadPool;
        TimeValue timeValue = this.executionTimeout;
        cancellableLdapRunnable.getClass();
        threadPool.schedule(timeValue, "same", cancellableLdapRunnable::maybeTimeout);
    }

    @Override // org.elasticsearch.xpack.security.authc.Realm
    public boolean userLookupSupported() {
        return this.sessionFactory.supportsUnauthenticatedSession();
    }

    @Override // org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm, org.elasticsearch.xpack.security.authc.Realm
    public Map<String, Object> usageStats() {
        Map<String, Object> usageStats = super.usageStats();
        usageStats.put("load_balance_type", LdapLoadBalancing.resolve(this.config.settings()).toString());
        usageStats.put(HttpExporter.SSL_SETTING, Boolean.valueOf(this.sessionFactory.isSslUsed()));
        usageStats.put("user_search", Boolean.valueOf(LdapUserSearchSessionFactory.hasUserSearchSettings(this.config)));
        return usageStats;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void lookupGroups(LdapSession ldapSession, String str, ActionListener<User> actionListener, DnRoleMapper dnRoleMapper) {
        if (ldapSession == null) {
            actionListener.onResponse((Object) null);
            return;
        }
        boolean z = false;
        try {
            ldapSession.groups(ActionListener.wrap(list -> {
                Set<String> resolveRoles = dnRoleMapper.resolveRoles(ldapSession.userDn(), list);
                IOUtils.close(new Closeable[]{ldapSession});
                actionListener.onResponse(new User(str, (String[]) resolveRoles.toArray(Strings.EMPTY_ARRAY)));
            }, exc -> {
                IOUtils.closeWhileHandlingException(new Closeable[]{ldapSession});
                actionListener.onFailure(exc);
            }));
            z = true;
            if (1 == 0) {
                ldapSession.close();
            }
        } catch (Throwable th) {
            if (!z) {
                ldapSession.close();
            }
            throw th;
        }
    }

    static {
        $assertionsDisabled = !LdapRealm.class.desiredAssertionStatus();
        EXECUTION_TIMEOUT = Setting.timeSetting("timeout.execution", TimeValue.timeValueSeconds(30L), new Setting.Property[]{Setting.Property.NodeScope});
    }
}
