package com.floragunn.dlic.auth.ldap2;

import com.floragunn.dlic.auth.ldap.LdapUser;
import com.floragunn.dlic.auth.ldap.util.ConfigConstants;
import com.floragunn.dlic.auth.ldap.util.Utils;
import com.floragunn.dlic.util.SettingsBasedSSLConfigurator;
import com.floragunn.searchguard.TypedComponent;
import com.floragunn.searchguard.authc.legacy.LegacyAuthenticationBackend;
import com.floragunn.searchguard.legacy.LegacyComponentFactory;
import com.floragunn.searchguard.user.Attributes;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchguard.user.User;
import com.unboundid.ldap.sdk.Attribute;
import com.unboundid.ldap.sdk.Control;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.SearchResultEntry;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.common.settings.Settings;

/* loaded from: input_file:com/floragunn/dlic/auth/ldap2/LDAPAuthenticationBackend2.class */
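/**
 * LDAP authentication backend ("ldap2"): looks the user up via an
 * {@link LDAPConnectionManager}, binds with the supplied password and builds an
 * {@link LdapUser} carrying the directory entry plus any configured attribute mapping.
 *
 * <p>Both public entry points run their LDAP work under
 * {@link AccessController#doPrivileged} after a {@link SpecialPermission} check, as the
 * original code did.
 */
public class LDAPAuthenticationBackend2 implements LegacyAuthenticationBackend, AutoCloseable {
    protected static final Logger log = LogManager.getLogger(LDAPAuthenticationBackend2.class);

    /** Component descriptor: this backend is registered under the name "ldap2". */
    public static TypedComponent.Info<LegacyAuthenticationBackend> INFO = new TypedComponent.Info<LegacyAuthenticationBackend>() {
        public Class<LegacyAuthenticationBackend> getType() {
            return LegacyAuthenticationBackend.class;
        }

        public String getName() {
            return "ldap2";
        }

        public TypedComponent.Factory<LegacyAuthenticationBackend> getFactory() {
            return LegacyComponentFactory.adapt(LDAPAuthenticationBackend2::new);
        }
    };

    private final Settings settings;
    private final LDAPConnectionManager lcm;
    /** Upper bound on the length of a single custom attribute value copied into the user (default 36). */
    private final int customAttrMaxValueLen;
    /** Attribute names allowed to be copied into the user; {@code null} when not configured. */
    private final List<String> whitelistedAttributes;
    /** Flattened {@code map_ldap_attrs_to_user_attrs} settings: user attribute name -> LDAP attribute name (or "dn"). */
    private final Map<String, String> attributeMapping;

    /**
     * Reads the backend settings and opens the connection manager.
     *
     * @param settings backend configuration
     * @param path     config directory, handed to {@link LDAPConnectionManager} (used for SSL material there)
     * @throws RuntimeException wrapping an {@link LDAPException} or
     *                          {@link SettingsBasedSSLConfigurator.SSLConfigException} from the connection manager
     */
    public LDAPAuthenticationBackend2(Settings settings, Path path) {
        this.settings = settings;
        this.customAttrMaxValueLen = settings.getAsInt(ConfigConstants.LDAP_CUSTOM_ATTR_MAXVAL_LEN, 36).intValue();
        this.whitelistedAttributes = settings.getAsList(ConfigConstants.LDAP_CUSTOM_ATTR_WHITELIST, (List) null);
        this.attributeMapping = Attributes.getFlatAttributeMapping(settings.getAsSettings("map_ldap_attrs_to_user_attrs"));
        try {
            // Created last so that a failure while reading the settings above cannot leak an open manager.
            this.lcm = new LDAPConnectionManager(settings, path);
        } catch (LDAPException | SettingsBasedSSLConfigurator.SSLConfigException e) {
            throw new RuntimeException((Throwable) e);
        }
    }

    /**
     * Authenticates the given credentials against the directory.
     *
     * @param authCredentials user name and password to check
     * @return the authenticated user with its directory entry and mapped attributes
     * @throws ElasticsearchSecurityException if the user is unknown, the bind fails, or any
     *                                        other error occurs during the lookup
     */
    public User authenticate(final AuthCredentials authCredentials) throws ElasticsearchSecurityException {
        checkSpecialPermission();
        try {
            return AccessController.doPrivileged((PrivilegedExceptionAction<User>) () -> authenticate0(authCredentials));
        } catch (PrivilegedActionException e) {
            Exception cause = e.getException();
            if (cause instanceof ElasticsearchSecurityException) {
                throw (ElasticsearchSecurityException) cause;
            }
            if (cause instanceof RuntimeException) {
                throw (RuntimeException) cause;
            }
            throw new RuntimeException(cause);
        }
    }

    /**
     * Lookup + bind, run inside the privileged block.
     *
     * <p>Memory hygiene: the caller's password buffer is zeroed on every exit path. The
     * original implementation reassigned the local {@code password} reference in the
     * fake-login branch and therefore only wiped the fake password there, leaving the
     * real credential bytes intact; this version keeps a separate reference to the
     * supplied buffer and wipes both.
     */
    private User authenticate0(AuthCredentials authCredentials) throws ElasticsearchSecurityException {
        final String username = authCredentials.getUsername();
        final byte[] suppliedPassword = authCredentials.getPassword();
        byte[] bindPassword = suppliedPassword;
        try {
            // NOTE(review): username is handed to LDAPConnectionManager.exists as-is; that method is not
            // visible here, so confirm it escapes LDAP filter metacharacters before building the search.
            SearchResultEntry entry;
            try (LDAPConnection connection = this.lcm.getConnection()) {
                entry = this.lcm.exists(connection, username);
            }
            // The search connection is released before the bind, as in the original; the bind is
            // performed by the connection manager on its own connection.
            if (entry == null) {
                if (!this.settings.getAsBoolean(ConfigConstants.LDAP_FAKE_LOGIN_ENABLED, false).booleanValue()) {
                    // This message tells the caller that the account does not exist, which is
                    // distinguishable from a wrong password. Enabling LDAP_FAKE_LOGIN_ENABLED makes
                    // unknown users go through a (failing) bind instead, so both cases look alike.
                    throw new ElasticsearchSecurityException("No user " + username + " found", new Object[0]);
                }
                // Fake login: bind against a configured (or random, non-existent) DN with a
                // configured password so that the request takes the same path as a real bind.
                String fakeDn = this.settings.get(ConfigConstants.LDAP_FAKE_LOGIN_DN,
                        "CN=faketomakebindfail,DC=" + UUID.randomUUID().toString());
                entry = new SearchResultEntry(fakeDn, new Attribute[0], new Control[0]);
                bindPassword = this.settings.get(ConfigConstants.LDAP_FAKE_LOGIN_PASSWORD, "fakeLoginPwd123")
                        .getBytes(StandardCharsets.UTF_8);
            }

            String dn = entry.getDN();
            if (log.isTraceEnabled()) {
                log.trace("Try to authenticate dn {}", dn);
            }
            // Throws if the bind with this password fails.
            this.lcm.checkDnPassword(dn, bindPassword);

            // The user's display name defaults to the DN unless LDAP_AUTHC_USERNAME_ATTRIBUTE names
            // an attribute present on the entry.
            String usernameAttribute = this.settings.get(ConfigConstants.LDAP_AUTHC_USERNAME_ATTRIBUTE, (String) null);
            String resolvedName = dn;
            if (usernameAttribute != null && entry.getAttribute(usernameAttribute) != null) {
                resolvedName = Utils.getSingleStringValue(entry.getAttribute(usernameAttribute));
            }
            if (log.isDebugEnabled()) {
                log.debug("Authenticated username {}", resolvedName);
            }

            LdapUser ldapUser = new LdapUser(resolvedName, authCredentials.getAuthDomainInfo().authBackendType(getType()),
                    username, new LdapUser.DirEntry(entry), authCredentials, this.customAttrMaxValueLen,
                    this.whitelistedAttributes);
            processAttributeMapping(ldapUser, entry);
            return ldapUser;
        } catch (Exception e) {
            if (log.isDebugEnabled()) {
                log.debug("Unable to authenticate user due to ", e);
            }
            // Any failure (including the "No user ... found" exception above) is surfaced as an
            // ElasticsearchSecurityException whose message is the underlying exception's toString().
            throw new ElasticsearchSecurityException(e.toString(), e, new Object[0]);
        } finally {
            if (suppliedPassword != null) {
                Arrays.fill(suppliedPassword, (byte) 0);
            }
            if (bindPassword != null && bindPassword != suppliedPassword) {
                Arrays.fill(bindPassword, (byte) 0);
            }
        }
    }

    /**
     * Backend type reported on the auth domain info. Note this is "ldap", while the component is
     * registered under the name "ldap2" (see {@link #INFO}).
     */
    public String getType() {
        return "ldap";
    }

    /**
     * Copies the configured LDAP attributes onto the user as structured attributes. A mapping
     * value of "dn" copies the entry's DN; any other value names an LDAP attribute, whose
     * values (all of them) are copied when the attribute is present on the entry.
     */
    private void processAttributeMapping(User user, SearchResultEntry searchResultEntry) {
        for (Map.Entry<String, String> mapping : this.attributeMapping.entrySet()) {
            String userAttributeName = mapping.getKey();
            String ldapAttributeName = mapping.getValue();
            if ("dn".equals(ldapAttributeName)) {
                user.addStructuredAttribute(userAttributeName, searchResultEntry.getDN());
                continue;
            }
            Attribute attribute = searchResultEntry.getAttribute(ldapAttributeName);
            if (attribute != null) {
                user.addStructuredAttribute(userAttributeName, Arrays.asList(attribute.getValues()));
            }
        }
    }

    /** Closes the connection manager; a failure to close is logged at debug level rather than swallowed silently. */
    @Override // java.lang.AutoCloseable
    public void close() {
        if (this.lcm == null) {
            return;
        }
        try {
            this.lcm.close();
        } catch (IOException e) {
            log.debug("Error while closing LDAP connection manager", e);
        }
    }

    /**
     * Checks whether the user exists in the directory (used for impersonation) and, if so,
     * enriches it with the directory attributes and the configured attribute mapping.
     *
     * @param user the user to look up; for an {@link LdapUser} its entry DN is used, otherwise its name
     * @return {@code true} if the entry was found; {@code false} if not found or on any lookup error
     */
    public boolean exists(final User user) {
        checkSpecialPermission();
        return AccessController.doPrivileged((PrivilegedAction<Boolean>) () -> Boolean.valueOf(impersonate0(user)))
                .booleanValue();
    }

    /** Lookup for {@link #exists(User)}, run inside the privileged block. */
    private boolean impersonate0(User user) {
        String name = user.getName();
        if (user instanceof LdapUser) {
            name = ((LdapUser) user).getUserEntry().getDN();
        }
        // NOTE(review): as in authenticate0, name is passed to lcm.exists unescaped; confirm the manager escapes it.
        try (LDAPConnection connection = this.lcm.getConnection()) {
            SearchResultEntry entry = this.lcm.exists(connection, name);
            if (entry == null) {
                return false;
            }
            user.addAttributes(LdapUser.extractLdapAttributes(name, new LdapUser.DirEntry(entry),
                    this.customAttrMaxValueLen, this.whitelistedAttributes));
            processAttributeMapping(user, entry);
            return true;
        } catch (Exception e) {
            // Lookup errors are reported as "does not exist"; the stack trace is only available at debug level.
            log.warn("User {} does not exist due to {}", name, e.toString());
            if (log.isDebugEnabled()) {
                log.debug("User does not exist due to ", e);
            }
            return false;
        }
    }

    /** Requires SpecialPermission when a SecurityManager is installed, before entering a privileged block. */
    private static void checkSpecialPermission() {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(new SpecialPermission());
        }
    }
}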
