package org.elasticsearch.xpack.security.authc.ldap;

import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.SimpleBindRequest;
import java.io.Closeable;
import java.text.FieldPosition;
import java.text.MessageFormat;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.function.Function;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.apache.lucene.util.IOUtils;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.xpack.security.authc.RealmConfig;
import org.elasticsearch.xpack.security.authc.RealmSettings;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapMetaDataResolver;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapSession;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils;
import org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory;
import org.elasticsearch.xpack.security.authc.support.CharArrays;
import org.elasticsearch.xpack.ssl.SSLService;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/ldap/LdapSessionFactory.class */
/**
 * Session factory for the "user DN template" LDAP mode: a user is authenticated by
 * building a candidate DN from each configured template and attempting an LDAP simple
 * bind with the supplied password until one bind succeeds.
 *
 * <p>NOTE(review): this listing is decompiler output. Some static types and the
 * {@code try/finally} structure of {@link #session} differ from what the original
 * source presumably looked like; verify against the original before relying on details.
 */
public class LdapSessionFactory extends SessionFactory {
    // List setting "user_dn_templates"; defaults to an empty list (see the static initializer).
    public static final Setting<List<String>> USER_DN_TEMPLATES_SETTING;
    // DN templates read from the realm settings at construction time; never empty once constructed.
    private final String[] userDnTemplates;
    // Resolver handed to every LdapSession created by this factory.
    private final LdapSession.GroupsResolver groupResolver;
    // Metadata resolver handed to every LdapSession created by this factory.
    private final LdapMetaDataResolver metaDataResolver;
    // Compiler-generated flag backing the `assert` statements; true when assertions are off.
    static final /* synthetic */ boolean $assertionsDisabled;

    /**
     * Reads the DN templates from the realm settings and prepares the resolvers.
     *
     * @param realmConfig realm configuration supplying the settings and the realm name
     * @param sSLService  SSL service, passed through to the superclass
     * @throws IllegalArgumentException if no user DN template is configured
     */
    public LdapSessionFactory(RealmConfig realmConfig, SSLService sSLService) {
        super(realmConfig, sSLService);
        Settings settings = realmConfig.settings();
        this.userDnTemplates = (String[]) ((List) USER_DN_TEMPLATES_SETTING.get(settings)).toArray(Strings.EMPTY_ARRAY);
        // Template mode cannot work without at least one template, so fail fast at realm creation.
        if (this.userDnTemplates.length == 0) {
            throw new IllegalArgumentException("missing required LDAP setting [" + RealmSettings.getFullSettingKey(realmConfig, USER_DN_TEMPLATES_SETTING) + "]");
        }
        // The templates are configuration, not credentials; they are logged at info level.
        this.logger.info("Realm [{}] is in user-dn-template mode: [{}]", realmConfig.name(), this.userDnTemplates);
        this.groupResolver = groupResolver(settings);
        this.metaDataResolver = new LdapMetaDataResolver(settings, this.ignoreReferralErrors);
    }

    /**
     * Tries a simple bind for each DN template in configured order and reports the result
     * to the listener. The first template whose bind succeeds wins; the remaining
     * templates are not tried.
     *
     * <p>On success the listener receives the new {@link LdapSession}. On failure it
     * receives the first {@link LDAPException} seen, with later bind failures attached as
     * suppressed exceptions. The UTF-8 copy of the password is zeroed on every exit path,
     * and the connection is closed unless a session was established.
     *
     * <p>NOTE(review): nothing in this method rejects an empty password. A simple bind
     * with a DN and a zero-length password is an unauthenticated bind (RFC 4513, section
     * 5.1.2) that some directory servers answer with success. Confirm that empty
     * credentials are rejected before this call, or that the UnboundID connection option
     * {@code LDAPConnectionOptions#setBindWithDNRequiresPassword} is enabled.
     *
     * @param str            user name substituted into each DN template
     * @param secureString   password used for the bind
     * @param actionListener receives the session or the failure
     */
    @Override // org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory
    public void session(String str, SecureString secureString, ActionListener<LdapSession> actionListener) {
        // First failure seen; later failures are added to it as suppressed exceptions.
        LDAPException lDAPException = null;
        // NOTE(review): decompiler artifact. bind() is not a Closeable method, so the real
        // static type is presumably the SDK connection returned by serverSet.getConnection().
        Closeable closeable = null;
        LdapSession ldapSession = null;
        // Working copy of the password as bytes; it is overwritten with zeros before this method exits.
        byte[] utf8Bytes = CharArrays.toUtf8Bytes(secureString.getChars());
        // True once a session has been created from the connection; such a connection is not closed here.
        boolean z = false;
        try {
            try {
                closeable = this.serverSet.getConnection();
                // The same connection is reused for every template attempt.
                for (String str2 : this.userDnTemplates) {
                    String buildDnFromTemplate = buildDnFromTemplate(str, str2);
                    try {
                        closeable.bind(new SimpleBindRequest(buildDnFromTemplate, utf8Bytes));
                        // The bound connection is passed to the session, which presumably owns it from here on.
                        ldapSession = new LdapSession(this.logger, this.config, closeable, buildDnFromTemplate, this.groupResolver, this.metaDataResolver, this.timeout, null);
                        z = true;
                        break;
                    } catch (LDAPException e) {
                        // Only the template and the resulting DN are logged, never the password.
                        this.logger.trace(() -> {
                            return new ParameterizedMessage("failed LDAP authentication with user template [{}] and DN [{}]", str2, buildDnFromTemplate);
                        }, e);
                        if (lDAPException == null) {
                            lDAPException = e;
                        } else {
                            lDAPException.addSuppressed(e);
                        }
                    }
                }
                // Cleanup on the normal path: wipe the password copy, release an unused connection.
                Arrays.fill(utf8Bytes, (byte) 0);
                if (!z) {
                    IOUtils.closeWhileHandlingException(new Closeable[]{closeable});
                }
            } catch (LDAPException e2) {
                // Bind failures are caught inside the loop, so an LDAPException arriving here was
                // thrown outside the inner try; the assertion messages describe it as a connection failure.
                if (!$assertionsDisabled && lDAPException != null) {
                    throw new AssertionError("if we catch a LDAPException here, we should have never seen another exception");
                }
                if (!$assertionsDisabled && ldapSession != null) {
                    throw new AssertionError("LDAPSession should not have been established due to a connection failure");
                }
                lDAPException = e2;
                // Same cleanup as the normal path (the decompiler duplicated it on each exit).
                Arrays.fill(utf8Bytes, (byte) 0);
                if (!z) {
                    IOUtils.closeWhileHandlingException(new Closeable[]{closeable});
                }
            }
            // Exactly one of the two listener callbacks is invoked.
            if (ldapSession != null) {
                actionListener.onResponse(ldapSession);
            } else {
                if (!$assertionsDisabled && lDAPException == null) {
                    throw new AssertionError("if there is not LDAPSession, then we must have a exception");
                }
                actionListener.onFailure(lDAPException);
            }
        } catch (Throwable th) {
            // Any other throwable: still wipe the password copy and release the connection, then rethrow.
            Arrays.fill(utf8Bytes, (byte) 0);
            if (!z) {
                IOUtils.closeWhileHandlingException(new Closeable[]{closeable});
            }
            throw th;
        }
    }

    /**
     * Builds a bind DN by formatting the template with the user name as its only argument.
     *
     * <p>The user name is passed through {@code LdapUtils.escapedRDNValue} first and is
     * only ever supplied as a format argument, never as the pattern itself.
     * NOTE(review): the helper is not shown here; presumably it escapes DN special
     * characters so the user name cannot change the structure of the DN. Confirm.
     *
     * <p>The template is parsed as a {@link MessageFormat} pattern, so apostrophes and
     * braces in a configured template are interpreted by MessageFormat quoting rules.
     *
     * @param str  user name to substitute
     * @param str2 DN template in MessageFormat syntax
     * @return the formatted DN
     */
    String buildDnFromTemplate(String str, String str2) {
        return new MessageFormat(str2, Locale.ROOT).format(new Object[]{LdapUtils.escapedRDNValue(str)}, new StringBuffer(), (FieldPosition) null).toString();
    }

    /**
     * Chooses the groups resolver: a {@code SearchGroupsResolver} when the
     * {@code SearchGroupsResolver.BASE_DN} setting is present in {@code settings},
     * otherwise a {@code UserAttributeGroupsResolver}.
     *
     * @param settings realm settings
     * @return the resolver matching the configuration
     */
    static LdapSession.GroupsResolver groupResolver(Settings settings) {
        return SearchGroupsResolver.BASE_DN.exists(settings) ? new SearchGroupsResolver(settings) : new UserAttributeGroupsResolver(settings);
    }

    /**
     * Returns the settings of {@link SessionFactory#getSettings()} plus
     * {@link #USER_DN_TEMPLATES_SETTING}, in a new mutable set.
     *
     * @return the settings registered for this factory
     */
    public static Set<Setting<?>> getSettings() {
        HashSet hashSet = new HashSet();
        hashSet.addAll(SessionFactory.getSettings());
        hashSet.add(USER_DN_TEMPLATES_SETTING);
        return hashSet;
    }

    static {
        // Mirrors what javac emits for classes that use `assert`.
        $assertionsDisabled = !LdapSessionFactory.class.desiredAssertionStatus();
        // Node-scoped list setting; the empty default makes the constructor reject an unconfigured realm.
        USER_DN_TEMPLATES_SETTING = Setting.listSetting("user_dn_templates", Collections.emptyList(), Function.identity(), new Setting.Property[]{Setting.Property.NodeScope});
    }
}
