package com.floragunn.dlic.auth.ldap.backend;

import com.floragunn.dlic.auth.ldap.LdapUser;
import com.floragunn.dlic.auth.ldap.util.ConfigConstants;
import com.floragunn.dlic.auth.ldap.util.LdapHelper;
import com.floragunn.dlic.auth.ldap.util.Utils;
import com.floragunn.searchguard.TypedComponent;
import com.floragunn.searchguard.authc.legacy.LegacyAuthorizationBackend;
import com.floragunn.searchguard.legacy.LegacyComponentFactory;
import com.floragunn.searchguard.support.PemKeyReader;
import com.floragunn.searchguard.support.WildcardMatcher;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchguard.user.User;
import com.google.common.collect.HashMultimap;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.security.AccessController;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.atomic.AtomicInteger;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.net.ssl.TrustManager;
import org.apache.commons.lang.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.settings.Settings;
import org.ldaptive.BindConnectionInitializer;
import org.ldaptive.BindRequest;
import org.ldaptive.Connection;
import org.ldaptive.ConnectionConfig;
import org.ldaptive.Credential;
import org.ldaptive.DefaultConnectionFactory;
import org.ldaptive.LdapAttribute;
import org.ldaptive.LdapEntry;
import org.ldaptive.LdapException;
import org.ldaptive.Response;
import org.ldaptive.SearchFilter;
import org.ldaptive.SearchScope;
import org.ldaptive.control.RequestControl;
import org.ldaptive.provider.ProviderConnection;
import org.ldaptive.ssl.AllowAnyHostnameVerifier;
import org.ldaptive.ssl.AllowAnyTrustManager;
import org.ldaptive.ssl.CredentialConfig;
import org.ldaptive.ssl.CredentialConfigFactory;
import org.ldaptive.ssl.SslConfig;
import org.ldaptive.ssl.ThreadLocalTLSSocketFactory;

/* loaded from: input_file:com/floragunn/dlic/auth/ldap/backend/LDAPAuthorizationBackend.class */
public class LDAPAuthorizationBackend implements LegacyAuthorizationBackend {
    private static final String COM_SUN_JNDI_LDAP_OBJECT_DISABLE_ENDPOINT_IDENTIFICATION = "com.sun.jndi.ldap.object.disableEndpointIdentification";
    static final int ONE_PLACEHOLDER = 1;
    static final int TWO_PLACEHOLDER = 2;
    static final String DEFAULT_ROLEBASE = "";
    static final String DEFAULT_ROLESEARCH = "(member={0})";
    static final String DEFAULT_ROLENAME = "name";
    static final String DEFAULT_USERROLENAME = "memberOf";
    private final Settings settings;
    private final Path configPath;
    private final List<Map.Entry<String, Settings>> roleBaseSettings;
    private final List<Map.Entry<String, Settings>> userBaseSettings;
    private static final AtomicInteger CONNECTION_COUNTER = new AtomicInteger();
    private static final List<String> DEFAULT_TLS_PROTOCOLS = Arrays.asList("TLSv1.2", "TLSv1.1");
    protected static final Logger log = LogManager.getLogger(LDAPAuthorizationBackend.class);
    private static final Class clazz = ThreadLocalTLSSocketFactory.class;
    public static TypedComponent.Info<LegacyAuthorizationBackend> INFO = new TypedComponent.Info<LegacyAuthorizationBackend>() { // from class: com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend.6
        public Class<LegacyAuthorizationBackend> getType() {
            return LegacyAuthorizationBackend.class;
        }

        public String getName() {
            return "ldap";
        }

        public TypedComponent.Factory<LegacyAuthorizationBackend> getFactory() {
            return LegacyComponentFactory.adapt(LDAPAuthorizationBackend::new);
        }
    };

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/floragunn/dlic/auth/ldap/backend/LDAPAuthorizationBackend$Java9CL.class */
    public static final class Java9CL extends ClassLoader {
        public Java9CL() {
        }

        public Java9CL(ClassLoader classLoader) {
            super(classLoader);
        }

        @Override // java.lang.ClassLoader
        public Class loadClass(String str) throws ClassNotFoundException {
            return !str.equalsIgnoreCase("org.ldaptive.ssl.ThreadLocalTLSSocketFactory") ? super.loadClass(str) : LDAPAuthorizationBackend.clazz;
        }
    }

    public LDAPAuthorizationBackend(Settings settings, Path path) {
        this.settings = settings;
        this.configPath = path;
        this.roleBaseSettings = getRoleSearchSettings(settings);
        this.userBaseSettings = LDAPAuthenticationBackend.getUserBaseSettings(settings);
    }

    public static void checkConnection(final ConnectionConfig connectionConfig, final String str, final byte[] bArr) throws Exception {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(new SpecialPermission());
        }
        try {
            AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() { // from class: com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend.1
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedExceptionAction
                public Void run() throws Exception {
                    boolean z = LDAPAuthorizationBackend.access$000() >= 9;
                    ClassLoader classLoader = null;
                    if (z) {
                        classLoader = Thread.currentThread().getContextClassLoader();
                        Thread.currentThread().setContextClassLoader(new Java9CL());
                    }
                    LDAPAuthorizationBackend.checkConnection0(connectionConfig, str, bArr, classLoader, z);
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            throw e.getException();
        }
    }

    public static Connection getConnection(final Settings settings, final Path path) throws Exception {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(new SpecialPermission());
        }
        try {
            return (Connection) AccessController.doPrivileged(new PrivilegedExceptionAction<Connection>() { // from class: com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend.2
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedExceptionAction
                public Connection run() throws Exception {
                    boolean z = LDAPAuthorizationBackend.access$000() >= 9;
                    ClassLoader classLoader = null;
                    if (z) {
                        classLoader = Thread.currentThread().getContextClassLoader();
                        Thread.currentThread().setContextClassLoader(new Java9CL());
                    }
                    return LDAPAuthorizationBackend.getConnection0(settings, path, classLoader, z);
                }
            });
        } catch (PrivilegedActionException e) {
            throw e.getException();
        }
    }

    private static List<Map.Entry<String, Settings>> getRoleSearchSettings(Settings settings) {
        Map groups = settings.getGroups(ConfigConstants.LDAP_AUTHZ_ROLES, true);
        return !groups.isEmpty() ? Utils.getOrderedBaseSettings((Map<String, Settings>) groups) : convertOldStyleSettingsToNewStyle(settings);
    }

    private static List<Map.Entry<String, Settings>> convertOldStyleSettingsToNewStyle(Settings settings) {
        HashMap hashMap = new HashMap(1);
        Settings.Builder builder = Settings.builder();
        builder.put(ConfigConstants.LDAP_AUTHCZ_BASE, settings.get(ConfigConstants.LDAP_AUTHZ_ROLEBASE, DEFAULT_ROLEBASE));
        builder.put(ConfigConstants.LDAP_AUTHCZ_SEARCH, settings.get(ConfigConstants.LDAP_AUTHZ_ROLESEARCH, DEFAULT_ROLESEARCH));
        hashMap.put("convertedOldStyleSettings", builder.build());
        return Collections.singletonList((Map.Entry) hashMap.entrySet().iterator().next());
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void checkConnection0(ConnectionConfig connectionConfig, String str, byte[] bArr, final ClassLoader classLoader, boolean z) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, FileNotFoundException, IOException, LdapException {
        try {
            if (log.isDebugEnabled()) {
                log.debug("bindDn {}, password {}", str, (bArr == null || bArr.length <= 0) ? "<not set>" : "****");
            }
            if (str != null && (bArr == null || bArr.length == 0)) {
                throw new LdapException("no bindDn or no Password");
            }
            ConnectionConfig newConnectionConfig = ConnectionConfig.newConnectionConfig(connectionConfig);
            newConnectionConfig.setConnectionInitializer(new BindConnectionInitializer(str, new Credential(bArr)));
            Connection connection = new DefaultConnectionFactory(newConnectionConfig).getConnection();
            connection.open();
            Utils.unbindAndCloseSilently(connection);
            if (z) {
                try {
                    AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() { // from class: com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend.3
                        /* JADX WARN: Can't rename method to resolve collision */
                        @Override // java.security.PrivilegedExceptionAction
                        public Void run() throws Exception {
                            Thread.currentThread().setContextClassLoader(classLoader);
                            return null;
                        }
                    });
                } catch (PrivilegedActionException e) {
                    log.warn("Unable to restore classloader because of " + e.getException(), e.getException());
                }
            }
        } catch (Throwable th) {
            Utils.unbindAndCloseSilently(null);
            if (z) {
                try {
                    AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() { // from class: com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend.3
                        /* JADX WARN: Can't rename method to resolve collision */
                        @Override // java.security.PrivilegedExceptionAction
                        public Void run() throws Exception {
                            Thread.currentThread().setContextClassLoader(classLoader);
                            return null;
                        }
                    });
                } catch (PrivilegedActionException e2) {
                    log.warn("Unable to restore classloader because of " + e2.getException(), e2.getException());
                }
            }
            throw th;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static Connection getConnection0(Settings settings, Path path, final ClassLoader classLoader, final boolean z) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, FileNotFoundException, IOException, LdapException {
        boolean booleanValue = settings.getAsBoolean("enable_ssl", false).booleanValue();
        List<String> asList = settings.getAsList(ConfigConstants.LDAP_HOSTS, Collections.singletonList("localhost"));
        Connection connection = null;
        Exception exc = null;
        for (String str : asList) {
            if (log.isTraceEnabled()) {
                log.trace("Connect to {}", str);
            }
            try {
                String[] split = str.split(":");
                int parseInt = split.length > 1 ? Integer.parseInt(split[1]) : booleanValue ? 636 : 389;
                ConnectionConfig connectionConfig = new ConnectionConfig();
                connectionConfig.setLdapUrl("ldap" + (booleanValue ? "s" : DEFAULT_ROLEBASE) + "://" + split[0] + ":" + parseInt);
                if (log.isTraceEnabled()) {
                    log.trace("Connect to {}", connectionConfig.getLdapUrl());
                }
                Map<String, Object> configureSSL = configureSSL(connectionConfig, settings, path);
                String str2 = settings.get(ConfigConstants.LDAP_BIND_DN, (String) null);
                String str3 = settings.get(ConfigConstants.LDAP_PASSWORD, (String) null);
                if (log.isDebugEnabled()) {
                    log.debug("bindDn {}, password {}", str2, (str3 == null || str3.length() <= 0) ? "<not set>" : "****");
                }
                if (str2 != null && (str3 == null || str3.length() == 0)) {
                    log.error("No password given for bind_dn {}. Will try to authenticate anonymously to ldap", str2);
                }
                boolean booleanValue2 = settings.getAsBoolean("enable_ssl_client_auth", false).booleanValue();
                if (log.isDebugEnabled()) {
                    if (booleanValue2 && str2 == null) {
                        log.debug("Will perform External SASL bind because client cert authentication is enabled");
                    } else if (str2 == null) {
                        log.debug("Will perform anonymous bind because no bind dn is given");
                    } else if (booleanValue2 && str2 != null) {
                        log.debug("Will perform simple bind with bind dn because to bind dn is given and overrides client cert authentication");
                    } else if (!booleanValue2 && str2 != null) {
                        log.debug("Will perform simple bind with bind dn");
                    }
                }
                if (str2 != null && str3 != null && str3.length() > 0) {
                    connectionConfig.setConnectionInitializer(new BindConnectionInitializer(str2, new Credential(str3)));
                } else if (booleanValue2) {
                    configureSSL.put("java.naming.security.authentication", "EXTERNAL");
                } else {
                    configureSSL.put("java.naming.security.authentication", "none");
                }
                DefaultConnectionFactory defaultConnectionFactory = new DefaultConnectionFactory(connectionConfig);
                defaultConnectionFactory.getProvider().getProviderConfig().setProperties(configureSSL);
                connection = defaultConnectionFactory.getConnection();
                connection.open();
            } catch (Exception e) {
                exc = e;
                log.warn("Unable to connect to ldapserver {} due to {}. Try next.", str, e.toString());
                if (log.isDebugEnabled()) {
                    log.debug("Unable to connect to ldapserver due to ", e);
                }
                Utils.unbindAndCloseSilently(connection);
                if (z) {
                    restoreClassLoader0(classLoader);
                }
                connection = null;
            }
            if (connection != null && connection.isOpen()) {
                break;
            }
            Utils.unbindAndCloseSilently(connection);
            if (z) {
                restoreClassLoader0(classLoader);
            }
            connection = null;
        }
        if (connection != null && connection.isOpen()) {
            final Connection connection2 = connection;
            if (log.isDebugEnabled()) {
                log.debug("Opened a connection, total count is now {}", Integer.valueOf(CONNECTION_COUNTER.incrementAndGet()));
            }
            return new Connection() { // from class: com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend.4
                public Response<Void> reopen(BindRequest bindRequest) throws LdapException {
                    if (LDAPAuthorizationBackend.log.isDebugEnabled()) {
                        LDAPAuthorizationBackend.log.debug("Reopened a connection");
                    }
                    return connection2.reopen(bindRequest);
                }

                public Response<Void> reopen() throws LdapException {
                    if (LDAPAuthorizationBackend.log.isDebugEnabled()) {
                        LDAPAuthorizationBackend.log.debug("Reopened a connection");
                    }
                    return connection2.reopen();
                }

                public Response<Void> open(BindRequest bindRequest) throws LdapException {
                    try {
                        if (LDAPAuthorizationBackend.log.isDebugEnabled() && connection2 != null && connection2.isOpen()) {
                            LDAPAuthorizationBackend.log.debug("Opened a connection, total count is now {}", Integer.valueOf(LDAPAuthorizationBackend.CONNECTION_COUNTER.incrementAndGet()));
                        }
                    } catch (Throwable th) {
                    }
                    return connection2.open(bindRequest);
                }

                public Response<Void> open() throws LdapException {
                    try {
                        if (LDAPAuthorizationBackend.log.isDebugEnabled() && connection2 != null && connection2.isOpen()) {
                            LDAPAuthorizationBackend.log.debug("Opened a connection, total count is now {}", Integer.valueOf(LDAPAuthorizationBackend.CONNECTION_COUNTER.incrementAndGet()));
                        }
                    } catch (Throwable th) {
                    }
                    return connection2.open();
                }

                public boolean isOpen() {
                    return connection2.isOpen();
                }

                public ProviderConnection getProviderConnection() {
                    return connection2.getProviderConnection();
                }

                public ConnectionConfig getConnectionConfig() {
                    return connection2.getConnectionConfig();
                }

                public void close(RequestControl[] requestControlArr) {
                    try {
                        if (LDAPAuthorizationBackend.log.isDebugEnabled() && connection2 != null && connection2.isOpen()) {
                            LDAPAuthorizationBackend.log.debug("Closed a connection, total count is now {}", Integer.valueOf(LDAPAuthorizationBackend.CONNECTION_COUNTER.decrementAndGet()));
                        }
                    } catch (Throwable th) {
                    }
                    try {
                        connection2.close(requestControlArr);
                    } finally {
                        restoreClassLoader();
                    }
                }

                public void close() {
                    try {
                        if (LDAPAuthorizationBackend.log.isDebugEnabled() && connection2 != null && connection2.isOpen()) {
                            LDAPAuthorizationBackend.log.debug("Closed a connection, total count is now {}", Integer.valueOf(LDAPAuthorizationBackend.CONNECTION_COUNTER.decrementAndGet()));
                        }
                    } catch (Throwable th) {
                    }
                    try {
                        connection2.close();
                    } finally {
                        restoreClassLoader();
                    }
                }

                private void restoreClassLoader() {
                    if (z) {
                        LDAPAuthorizationBackend.restoreClassLoader0(classLoader);
                    }
                }
            };
        }
        Utils.unbindAndCloseSilently(connection);
        if (z) {
            restoreClassLoader0(classLoader);
        }
        if (exc == null) {
            throw new LdapException("Unable to connect to any of those ldap servers " + asList);
        }
        throw new LdapException("Unable to connect to any of those ldap servers " + asList + " due to " + exc, exc);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void restoreClassLoader0(final ClassLoader classLoader) {
        try {
            AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() { // from class: com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend.5
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedExceptionAction
                public Void run() throws Exception {
                    Thread.currentThread().setContextClassLoader(classLoader);
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            log.warn("Unable to restore classloader because of " + e.getException(), e.getException());
        }
    }

    private static Map<String, Object> configureSSL(ConnectionConfig connectionConfig, Settings settings, Path path) throws Exception {
        CredentialConfig createKeyStoreCredentialConfig;
        HashMap hashMap = new HashMap();
        boolean booleanValue = settings.getAsBoolean("enable_ssl", false).booleanValue();
        boolean booleanValue2 = settings.getAsBoolean("enable_start_tls", false).booleanValue();
        if (booleanValue || booleanValue2) {
            boolean booleanValue3 = settings.getAsBoolean("enable_ssl_client_auth", false).booleanValue();
            boolean booleanValue4 = settings.getAsBoolean("trust_all", false).booleanValue();
            boolean z = !booleanValue4 && settings.getAsBoolean("verify_hostnames", true).booleanValue();
            if (log.isDebugEnabled()) {
                log.debug("verifyHostname {}:", Boolean.valueOf(z));
                log.debug("trustall {}:", Boolean.valueOf(booleanValue4));
            }
            if (booleanValue2 && !z) {
                hashMap.put("jndi.starttls.allowAnyHostname", "true");
            }
            boolean z2 = (settings.get("pemtrustedcas_filepath", (String) null) == null && settings.get("pemtrustedcas_content", (String) null) == null) ? false : true;
            SslConfig sslConfig = new SslConfig();
            if (z2) {
                X509Certificate[] loadCertificatesFromStream = PemKeyReader.loadCertificatesFromStream(PemKeyReader.resolveStream("pemtrustedcas_content", settings));
                if (loadCertificatesFromStream == null) {
                    loadCertificatesFromStream = PemKeyReader.loadCertificatesFromFile(PemKeyReader.resolve("pemtrustedcas_filepath", settings, path, !booleanValue4));
                }
                X509Certificate loadCertificateFromStream = PemKeyReader.loadCertificateFromStream(PemKeyReader.resolveStream("pemcert_content", settings));
                if (loadCertificateFromStream == null) {
                    loadCertificateFromStream = PemKeyReader.loadCertificateFromFile(PemKeyReader.resolve("pemcert_filepath", settings, path, booleanValue3));
                }
                PrivateKey loadKeyFromStream = PemKeyReader.loadKeyFromStream(settings.get("pemkey_password"), PemKeyReader.resolveStream("pemkey_content", settings));
                if (loadKeyFromStream == null) {
                    loadKeyFromStream = PemKeyReader.loadKeyFromFile(settings.get("pemkey_password"), PemKeyReader.resolve("pemkey_filepath", settings, path, booleanValue3));
                }
                createKeyStoreCredentialConfig = CredentialConfigFactory.createX509CredentialConfig(loadCertificatesFromStream, loadCertificateFromStream, loadKeyFromStream);
                if (log.isDebugEnabled()) {
                    log.debug("Use PEM to secure communication with LDAP server (client auth is {})", Boolean.valueOf(loadKeyFromStream != null));
                }
            } else {
                KeyStore loadKeyStore = PemKeyReader.loadKeyStore(PemKeyReader.resolve("searchguard.ssl.transport.truststore_filepath", settings, path, !booleanValue4), settings.get("searchguard.ssl.transport.truststore_password", "changeit"), settings.get("searchguard.ssl.transport.truststore_type"));
                List asList = settings.getAsList("ca_alias", (List) null);
                KeyStore loadKeyStore2 = PemKeyReader.loadKeyStore(PemKeyReader.resolve("searchguard.ssl.transport.keystore_filepath", settings, path, booleanValue3), settings.get("searchguard.ssl.transport.keystore_password", "changeit"), settings.get("searchguard.ssl.transport.keystore_type"));
                String str = settings.get("searchguard.ssl.transport.keystore_password", "changeit");
                String str2 = settings.get("cert_alias", (String) null);
                String[] strArr = str2 == null ? null : new String[]{str2};
                if (booleanValue3 && strArr == null) {
                    throw new IllegalArgumentException("cert_alias not given");
                }
                if (log.isDebugEnabled()) {
                    log.debug("Use Trust-/Keystore to secure communication with LDAP server (client auth is {})", Boolean.valueOf(loadKeyStore2 != null));
                    log.debug("trustStoreAliases: {}, keyStoreAlias: {}", asList, str2);
                }
                createKeyStoreCredentialConfig = CredentialConfigFactory.createKeyStoreCredentialConfig(loadKeyStore, asList == null ? null : (String[]) asList.toArray(new String[0]), loadKeyStore2, str, strArr);
            }
            sslConfig.setCredentialConfig(createKeyStoreCredentialConfig);
            if (booleanValue4) {
                sslConfig.setTrustManagers(new TrustManager[]{new AllowAnyTrustManager()});
            }
            if (!z) {
                sslConfig.setHostnameVerifier(new AllowAnyHostnameVerifier());
                String property = System.getProperty(COM_SUN_JNDI_LDAP_OBJECT_DISABLE_ENDPOINT_IDENTIFICATION);
                if (property == null || !Boolean.parseBoolean(property)) {
                    log.warn("In order to disable host name verification for LDAP connections (verify_hostnames: true), you also need to set set the system property com.sun.jndi.ldap.object.disableEndpointIdentification to true when starting the JVM running ES. This applies for all Java versions released since July 2018.");
                }
                System.setProperty(COM_SUN_JNDI_LDAP_OBJECT_DISABLE_ENDPOINT_IDENTIFICATION, "true");
            }
            List asList2 = settings.getAsList(ConfigConstants.LDAPS_ENABLED_SSL_CIPHERS, Collections.emptyList());
            List asList3 = settings.getAsList(ConfigConstants.LDAPS_ENABLED_SSL_PROTOCOLS, DEFAULT_TLS_PROTOCOLS);
            if (!asList2.isEmpty()) {
                sslConfig.setEnabledCipherSuites((String[]) asList2.toArray(new String[0]));
                log.debug("enabled ssl cipher suites for ldaps {}", asList2);
            }
            log.debug("enabled ssl/tls protocols for ldaps {}", asList3);
            sslConfig.setEnabledProtocols((String[]) asList3.toArray(new String[0]));
            connectionConfig.setSslConfig(sslConfig);
        }
        connectionConfig.setUseSSL(booleanValue);
        connectionConfig.setUseStartTLS(booleanValue2);
        long longValue = settings.getAsLong(ConfigConstants.LDAP_CONNECT_TIMEOUT, 5000L).longValue();
        long longValue2 = settings.getAsLong(ConfigConstants.LDAP_RESPONSE_TIMEOUT, 0L).longValue();
        connectionConfig.setConnectTimeout(Duration.ofMillis(longValue < 0 ? 0L : longValue));
        connectionConfig.setResponseTimeout(Duration.ofMillis(longValue2 < 0 ? 0L : longValue2));
        if (log.isDebugEnabled()) {
            log.debug("Connect timeout: " + connectionConfig.getConnectTimeout() + "/ResponseTimeout: " + connectionConfig.getResponseTimeout());
        }
        return hashMap;
    }

    public void fillRoles(User user, AuthCredentials authCredentials) throws ElasticsearchSecurityException {
        String name;
        String name2;
        if (user == null) {
            return;
        }
        LdapEntry ldapEntry = null;
        String str = null;
        if (log.isDebugEnabled()) {
            log.debug("DBGTRACE (2): username=" + user.getName() + " -> " + Arrays.toString(user.getName().getBytes(StandardCharsets.UTF_8)));
        }
        if (!(user instanceof LdapUser) || ((LdapUser) user).getUserEntry() == null || ((LdapUser) user).getUserEntry().getLdaptiveEntry() == null) {
            name = user.getName();
            name2 = user.getName();
        } else {
            ldapEntry = ((LdapUser) user).getUserEntry().getLdaptiveEntry();
            str = ldapEntry.getDn();
            name = ldapEntry.getDn();
            name2 = ((LdapUser) user).getOriginalUsername();
        }
        if (log.isDebugEnabled()) {
            log.debug("DBGTRACE (3): authenticatedUser=" + name + " -> " + Arrays.toString(name.getBytes(StandardCharsets.UTF_8)));
        }
        boolean booleanValue = this.settings.getAsBoolean(ConfigConstants.LDAP_AUTHZ_ROLESEARCH_ENABLED, true).booleanValue();
        if (log.isDebugEnabled()) {
            log.debug("Try to get roles for {}", name);
        }
        if (log.isTraceEnabled()) {
            log.trace("user class: {}", user.getClass());
            log.trace("authenticatedUser: {}", name);
            log.trace("originalUserName: {}", name2);
            log.trace("entry: {}", String.valueOf(ldapEntry));
            log.trace("dn: {}", str);
        }
        List asList = this.settings.getAsList(ConfigConstants.LDAP_AUTHZ_SKIP_USERS, Collections.emptyList());
        if (!asList.isEmpty() && (WildcardMatcher.matchAny(asList, name2) || WildcardMatcher.matchAny(asList, name))) {
            if (log.isDebugEnabled()) {
                log.debug("Skipped search roles of user {}/{}", name, name2);
                return;
            }
            return;
        }
        try {
            try {
                Connection connection = getConnection(this.settings, this.configPath);
                if (ldapEntry == null || str == null) {
                    if (isValidDn(name)) {
                        if (log.isTraceEnabled()) {
                            log.trace("{} is a valid DN", name);
                        }
                        if (log.isDebugEnabled()) {
                            log.debug("DBGTRACE (4): authenticatedUser=" + name + " -> " + Arrays.toString(name.getBytes(StandardCharsets.UTF_8)));
                        }
                        ldapEntry = LdapHelper.lookup(connection, name);
                        if (ldapEntry == null) {
                            throw new ElasticsearchSecurityException("No user '" + name + "' found", new Object[0]);
                        }
                    } else {
                        if (log.isDebugEnabled()) {
                            log.debug("DBGTRACE (5): authenticatedUser=" + user.getName() + " -> " + Arrays.toString(user.getName().getBytes(StandardCharsets.UTF_8)));
                        }
                        ldapEntry = LDAPAuthenticationBackend.exists(user.getName(), connection, this.settings, this.userBaseSettings);
                        if (log.isTraceEnabled()) {
                            log.trace("{} is not a valid DN and was resolved to {}", name, ldapEntry);
                        }
                        if (ldapEntry == null || ldapEntry.getDn() == null) {
                            throw new ElasticsearchSecurityException("No user " + name + " found", new Object[0]);
                        }
                    }
                    str = ldapEntry.getDn();
                    if (log.isTraceEnabled()) {
                        log.trace("User found with DN {}", str);
                    }
                    if (log.isDebugEnabled()) {
                        log.debug("DBGTRACE (6): dn" + str + " -> " + Arrays.toString(str.getBytes(StandardCharsets.UTF_8)));
                    }
                }
                HashSet<LdapName> hashSet = new HashSet(150);
                HashSet hashSet2 = new HashSet(150);
                HashMultimap create = HashMultimap.create();
                String str2 = this.settings.get(ConfigConstants.LDAP_AUTHZ_USERROLENAME, DEFAULT_USERROLENAME);
                if (log.isTraceEnabled()) {
                    log.trace("raw userRoleName(s): {}", str2);
                }
                for (String str3 : str2.split(",")) {
                    String trim = str3.trim();
                    if (ldapEntry.getAttribute(trim) != null) {
                        for (String str4 : ldapEntry.getAttribute(trim).getStringValues()) {
                            if (log.isDebugEnabled()) {
                                log.debug("DBGTRACE (7): possibleRoleDN" + str4);
                            }
                            if (isValidDn(str4)) {
                                LdapName ldapName = new LdapName(str4);
                                hashSet.add(ldapName);
                                create.putAll(ldapName, this.roleBaseSettings);
                            } else {
                                hashSet2.add(str4);
                            }
                        }
                    }
                }
                if (log.isTraceEnabled()) {
                    log.trace("User attr. ldap roles count: {}", Integer.valueOf(hashSet.size()));
                    log.trace("User attr. ldap roles {}", hashSet);
                    log.trace("User attr. non-ldap roles count: {}", Integer.valueOf(hashSet2.size()));
                    log.trace("User attr. non-ldap roles {}", hashSet2);
                }
                String str5 = this.settings.get(ConfigConstants.LDAP_AUTHZ_ROLENAME, DEFAULT_ROLENAME);
                if (log.isTraceEnabled()) {
                    log.trace("roleName: {}", str5);
                }
                String str6 = this.settings.get(ConfigConstants.LDAP_AUTHZ_USERROLEATTRIBUTE, (String) null);
                if (log.isTraceEnabled()) {
                    log.trace("userRoleAttribute: {}", str6);
                    log.trace("rolesearch: {}", this.settings.get(ConfigConstants.LDAP_AUTHZ_ROLESEARCH, DEFAULT_ROLESEARCH));
                }
                LdapAttribute attribute = ldapEntry.getAttribute(str6);
                Object singleStringValue = attribute != null ? Utils.getSingleStringValue(attribute) : null;
                if (booleanValue) {
                    String str7 = str;
                    if (log.isDebugEnabled()) {
                        log.debug("DBGTRACE (8): escapedDn" + str7);
                    }
                    for (Map.Entry<String, Settings> entry : this.roleBaseSettings) {
                        Settings value = entry.getValue();
                        SearchFilter searchFilter = new SearchFilter();
                        searchFilter.setFilter(value.get(ConfigConstants.LDAP_AUTHCZ_SEARCH, DEFAULT_ROLESEARCH));
                        searchFilter.setParameter(0, str7);
                        searchFilter.setParameter(1, name2);
                        searchFilter.setParameter(TWO_PLACEHOLDER, singleStringValue == null ? Integer.valueOf(TWO_PLACEHOLDER) : singleStringValue);
                        List<LdapEntry> search = LdapHelper.search(connection, value.get(ConfigConstants.LDAP_AUTHCZ_BASE, DEFAULT_ROLEBASE), searchFilter, SearchScope.SUBTREE);
                        if (log.isTraceEnabled()) {
                            log.trace("Results for LDAP group search for " + str7 + " in base " + entry.getKey() + ":\n" + search);
                        }
                        if (search != null && !search.isEmpty()) {
                            Iterator<LdapEntry> it = search.iterator();
                            while (it.hasNext()) {
                                LdapName ldapName2 = new LdapName(it.next().getDn());
                                hashSet.add(ldapName2);
                                create.put(ldapName2, entry);
                            }
                        }
                    }
                }
                if (log.isTraceEnabled()) {
                    log.trace("roles count total {}", Integer.valueOf(hashSet.size()));
                }
                if (this.settings.getAsBoolean(ConfigConstants.LDAP_AUTHZ_RESOLVE_NESTED_ROLES, false).booleanValue()) {
                    List<String> asList2 = this.settings.getAsList(ConfigConstants.LDAP_AUTHZ_NESTEDROLEFILTER, Collections.emptyList());
                    if (log.isTraceEnabled()) {
                        log.trace("Evaluate nested roles");
                    }
                    HashSet<LdapName> hashSet3 = new HashSet(hashSet);
                    for (LdapName ldapName3 : hashSet) {
                        Set<Map.Entry<String, Settings>> set = create.get(ldapName3);
                        if (set == null) {
                            log.error("Could not find roleSearchBaseKeys for " + ldapName3 + "; existing: " + create);
                        } else {
                            Set<LdapName> resolveNestedRoles = resolveNestedRoles(ldapName3, connection, str2, 0, booleanValue, set, asList2);
                            if (log.isTraceEnabled()) {
                                log.trace("{} nested roles for {}", Integer.valueOf(resolveNestedRoles.size()), ldapName3);
                            }
                            hashSet3.addAll(resolveNestedRoles);
                        }
                    }
                    for (LdapName ldapName4 : hashSet3) {
                        String roleFromEntry = getRoleFromEntry(connection, ldapName4, str5);
                        if (Strings.isNullOrEmpty(roleFromEntry)) {
                            log.warn("No or empty attribute '{}' for entry {}", str5, ldapName4);
                        } else {
                            user.addRole(roleFromEntry);
                        }
                    }
                } else {
                    for (LdapName ldapName5 : hashSet) {
                        String roleFromEntry2 = getRoleFromEntry(connection, ldapName5, str5);
                        if (Strings.isNullOrEmpty(roleFromEntry2)) {
                            log.warn("No or empty attribute '{}' for entry {}", str5, ldapName5);
                        } else {
                            user.addRole(roleFromEntry2);
                        }
                    }
                }
                Iterator it2 = hashSet2.iterator();
                while (it2.hasNext()) {
                    user.addRole((String) it2.next());
                }
                if (log.isDebugEnabled()) {
                    log.debug("Roles for {} -> {}", user.getName(), user.getRoles());
                }
                if (log.isTraceEnabled()) {
                    log.trace("returned user: {}", user);
                }
                Utils.unbindAndCloseSilently(connection);
            } catch (Exception e) {
                if (log.isDebugEnabled()) {
                    log.debug("Unable to fill user roles due to ", e);
                }
                throw new ElasticsearchSecurityException(e.toString(), e, new Object[0]);
            }
        } catch (Throwable th) {
            Utils.unbindAndCloseSilently(null);
            throw th;
        }
    }

    protected Set<LdapName> resolveNestedRoles(LdapName ldapName, Connection connection, String str, int i, boolean z, Set<Map.Entry<String, Settings>> set, List<String> list) throws ElasticsearchSecurityException, LdapException {
        if (!list.isEmpty() && WildcardMatcher.matchAny(list, ldapName.toString())) {
            if (log.isTraceEnabled()) {
                log.trace("Filter nested role {}", ldapName);
            }
            return Collections.emptySet();
        }
        int i2 = i + 1;
        HashSet hashSet = new HashSet(20);
        HashMultimap create = HashMultimap.create();
        LdapEntry lookup = LdapHelper.lookup(connection, ldapName.toString());
        if (lookup.getAttribute(str) != null) {
            for (String str2 : lookup.getAttribute(str).getStringValues()) {
                if (log.isDebugEnabled()) {
                    log.debug("DBGTRACE (10): possibleRoleDN" + str2);
                }
                if (isValidDn(str2)) {
                    try {
                        LdapName ldapName2 = new LdapName(str2);
                        hashSet.add(ldapName2);
                        create.putAll(ldapName2, this.roleBaseSettings);
                    } catch (InvalidNameException e) {
                    }
                } else if (log.isDebugEnabled()) {
                    log.debug("Cannot add {} as a role because its not a valid dn", str2);
                }
            }
        }
        if (log.isTraceEnabled()) {
            log.trace("result nested attr count for depth {} : {}", Integer.valueOf(i2), Integer.valueOf(hashSet.size()));
        }
        if (z) {
            String ldapName3 = ldapName.toString();
            if (log.isDebugEnabled()) {
                log.debug("DBGTRACE (10): escapedDn" + ldapName3);
            }
            for (Map.Entry<String, Settings> entry : Utils.getOrderedBaseSettings(set)) {
                Settings value = entry.getValue();
                SearchFilter searchFilter = new SearchFilter();
                searchFilter.setFilter(value.get(ConfigConstants.LDAP_AUTHCZ_SEARCH, DEFAULT_ROLESEARCH));
                searchFilter.setParameter(0, ldapName3);
                searchFilter.setParameter(1, ldapName3);
                List<LdapEntry> search = LdapHelper.search(connection, value.get(ConfigConstants.LDAP_AUTHCZ_BASE, DEFAULT_ROLEBASE), searchFilter, SearchScope.SUBTREE);
                if (log.isTraceEnabled()) {
                    log.trace("Results for LDAP group search for " + ldapName3 + " in base " + entry.getKey() + ":\n" + search);
                }
                if (search != null) {
                    Iterator<LdapEntry> it = search.iterator();
                    while (it.hasNext()) {
                        try {
                            LdapName ldapName4 = new LdapName(it.next().getDn());
                            hashSet.add(ldapName4);
                            create.put(ldapName4, entry);
                        } catch (InvalidNameException e2) {
                            throw new LdapException(e2);
                        }
                    }
                }
            }
        }
        int i3 = 30;
        try {
            i3 = this.settings.getAsInt(ConfigConstants.LDAP_AUTHZ_MAX_NESTED_DEPTH, 30).intValue();
        } catch (Exception e3) {
            log.error("max_nested_depth is not parseable: " + e3, e3);
        }
        if (i2 < i3) {
            Iterator it2 = new HashSet(hashSet).iterator();
            while (it2.hasNext()) {
                LdapName ldapName5 = (LdapName) it2.next();
                Set<Map.Entry<String, Settings>> set2 = create.get(ldapName5);
                if (set2 == null) {
                    log.error("Could not find roleSearchBaseKeys for " + ldapName5 + "; existing: " + create);
                } else {
                    hashSet.addAll(resolveNestedRoles(ldapName5, connection, str, i2, z, set2, list));
                }
            }
        }
        return hashSet;
    }

    public String getType() {
        return "ldap";
    }

    private boolean isValidDn(String str) {
        if (Strings.isNullOrEmpty(str)) {
            return false;
        }
        try {
            new LdapName(str);
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    private String getRoleFromEntry(Connection connection, LdapName ldapName, String str) {
        LdapAttribute attribute;
        if (ldapName == null || Strings.isNullOrEmpty(str)) {
            return null;
        }
        if ("dn".equalsIgnoreCase(str)) {
            return ldapName.toString();
        }
        try {
            LdapEntry lookup = LdapHelper.lookup(connection, ldapName.toString());
            if (lookup == null || (attribute = lookup.getAttribute(str)) == null) {
                return null;
            }
            return Utils.getSingleStringValue(attribute);
        } catch (LdapException e) {
            log.error("Unable to handle role {} because of ", ldapName, e.toString(), e);
            return null;
        }
    }

    private static int getJavaVersion() {
        String property = System.getProperty("java.version");
        if (property.startsWith("1.")) {
            int indexOf = property.indexOf(46, TWO_PLACEHOLDER);
            if (indexOf != -1) {
                return Integer.parseInt(property.substring(TWO_PLACEHOLDER, indexOf));
            }
            log.error("Invalid java version " + property);
            return -1;
        }
        if (StringUtils.isNumeric(property)) {
            return Integer.parseInt(property);
        }
        int indexOf2 = property.indexOf(46);
        if (indexOf2 != -1) {
            return Integer.parseInt(property.substring(0, indexOf2));
        }
        log.error("Invalid java version " + property);
        return -1;
    }

    static /* synthetic */ int access$000() {
        return getJavaVersion();
    }
}
