package com.floragunn.dlic.auth.ldap2;

import com.floragunn.dlic.auth.ldap.util.ConfigConstants;
import com.floragunn.dlic.util.SettingsBasedSSLConfigurator;
import java.nio.file.Path;
import java.time.Duration;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import javax.net.ssl.TrustManager;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.common.settings.Settings;
import org.ldaptive.ActivePassiveConnectionStrategy;
import org.ldaptive.BindConnectionInitializer;
import org.ldaptive.CompareRequest;
import org.ldaptive.Connection;
import org.ldaptive.ConnectionConfig;
import org.ldaptive.ConnectionFactory;
import org.ldaptive.ConnectionInitializer;
import org.ldaptive.ConnectionStrategy;
import org.ldaptive.Credential;
import org.ldaptive.DefaultConnectionFactory;
import org.ldaptive.LdapAttribute;
import org.ldaptive.RandomConnectionStrategy;
import org.ldaptive.ReturnAttributes;
import org.ldaptive.RoundRobinConnectionStrategy;
import org.ldaptive.SearchFilter;
import org.ldaptive.SearchRequest;
import org.ldaptive.SearchScope;
import org.ldaptive.pool.BlockingConnectionPool;
import org.ldaptive.pool.CompareValidator;
import org.ldaptive.pool.ConnectionPool;
import org.ldaptive.pool.IdlePruneStrategy;
import org.ldaptive.pool.PoolConfig;
import org.ldaptive.pool.PooledConnectionFactory;
import org.ldaptive.pool.SearchValidator;
import org.ldaptive.pool.SoftLimitConnectionPool;
import org.ldaptive.pool.Validator;
import org.ldaptive.sasl.ExternalConfig;
import org.ldaptive.ssl.AllowAnyHostnameVerifier;
import org.ldaptive.ssl.AllowAnyTrustManager;
import org.ldaptive.ssl.CredentialConfigFactory;
import org.ldaptive.ssl.SslConfig;

/* loaded from: input_file:com/floragunn/dlic/auth/ldap2/LDAPConnectionFactoryFactory.class */
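public class LDAPConnectionFactoryFactory {
    private static final Logger log = LogManager.getLogger(LDAPConnectionFactoryFactory.class);

    /** Authenticator settings; every option below is read from here. */
    private final Settings settings;
    /** Effective TLS configuration built from {@link #settings}, or {@code null} when TLS is not configured. */
    private final SettingsBasedSSLConfigurator.SSLConfig sslConfig;

    /**
     * Creates a factory for the given authenticator settings.
     *
     * @param settings the LDAP authenticator settings
     * @param path     passed through to {@link SettingsBasedSSLConfigurator}
     *                 (presumably the config directory used to resolve store paths)
     * @throws SettingsBasedSSLConfigurator.SSLConfigException if the TLS settings cannot be turned into an SSL config
     */
    public LDAPConnectionFactoryFactory(Settings settings, Path path) throws SettingsBasedSSLConfigurator.SSLConfigException {
        this.settings = settings;
        this.sslConfig = new SettingsBasedSSLConfigurator(settings, path, "").buildSSLConfig();
    }

    /**
     * Returns a pooled connection factory when a pool is available, otherwise a plain one.
     *
     * @param connectionPool the pool from {@link #createConnectionPool()}, or {@code null} when pooling is disabled
     * @return a {@link PooledConnectionFactory} over {@code connectionPool}, or a fresh basic factory
     */
    public ConnectionFactory createConnectionFactory(ConnectionPool connectionPool) {
        if (connectionPool != null) {
            return new PooledConnectionFactory(connectionPool);
        }
        return createBasicConnectionFactory();
    }

    /**
     * Builds an unpooled connection factory from the current settings.
     *
     * @return a configured {@link DefaultConnectionFactory}
     */
    public DefaultConnectionFactory createBasicConnectionFactory() {
        DefaultConnectionFactory factory = new DefaultConnectionFactory(getConnectionConfig());
        // Wrap the ldaptive provider so connections are opened through PrivilegedProvider.
        factory.setProvider(new PrivilegedProvider(factory.getProvider()));
        factory.getProvider().getProviderConfig().setClassLoader(MakeJava9Happy.getClassLoader());
        if (this.sslConfig != null) {
            configureSSLinConnectionFactory(factory);
        }
        return factory;
    }

    /**
     * Creates and initializes a connection pool if pooling is enabled.
     *
     * <p>The pool type is {@code blocking} or (default) soft-limit. Periodic validation and idle pruning are
     * configured from the {@code validation.*} and {@code pruning.*} settings.
     *
     * @return an initialized pool, or {@code null} when {@code ConfigConstants.LDAP_POOL_ENABLED} is false
     */
    public ConnectionPool createConnectionPool() {
        if (!this.settings.getAsBoolean(ConfigConstants.LDAP_POOL_ENABLED, false)) {
            return null;
        }

        PoolConfig poolConfig = new PoolConfig();
        poolConfig.setMinPoolSize(this.settings.getAsInt(ConfigConstants.LDAP_POOL_MIN_SIZE, 3));
        poolConfig.setMaxPoolSize(this.settings.getAsInt(ConfigConstants.LDAP_POOL_MAX_SIZE, 10));

        if (this.settings.getAsBoolean("validation.enabled", false)) {
            poolConfig.setValidateOnCheckIn(this.settings.getAsBoolean("validation.on_checkin", false));
            poolConfig.setValidateOnCheckOut(this.settings.getAsBoolean("validation.on_checkout", false));
            poolConfig.setValidatePeriodically(this.settings.getAsBoolean("validation.periodically", true));
            // "validation.period" is in minutes, "validation.timeout" in seconds.
            poolConfig.setValidatePeriod(Duration.ofMinutes(this.settings.getAsLong("validation.period", 30L)));
            poolConfig.setValidateTimeout(Duration.ofSeconds(this.settings.getAsLong("validation.timeout", 5L)));
        }

        // SoftLimitConnectionPool is a BlockingConnectionPool subtype, so one variable covers both.
        BlockingConnectionPool pool;
        if ("blocking".equals(this.settings.get(ConfigConstants.LDAP_POOL_TYPE))) {
            pool = new BlockingConnectionPool(poolConfig, createBasicConnectionFactory());
        } else {
            pool = new SoftLimitConnectionPool(poolConfig, createBasicConnectionFactory());
        }

        // Validator is null when validation is disabled (see getConnectionValidator()).
        pool.setValidator(getConnectionValidator());
        // Both pruning settings are in minutes.
        Duration prunePeriod = Duration.ofMinutes(this.settings.getAsLong("pruning.period", 5L));
        Duration pruneIdleTime = Duration.ofMinutes(this.settings.getAsLong("pruning.idleTime", 10L));
        pool.setPruneStrategy(new IdlePruneStrategy(prunePeriod, pruneIdleTime));
        pool.initialize();
        return pool;
    }

    /**
     * Assembles the ldaptive {@link ConnectionConfig}: URLs, optional TLS, connection strategy, bind
     * initializer and timeouts.
     *
     * @return the connection configuration
     */
    private ConnectionConfig getConnectionConfig() {
        ConnectionConfig connectionConfig = new ConnectionConfig(getLdapUrlString());
        if (this.sslConfig != null) {
            configureSSL(connectionConfig);
        }
        connectionConfig.setConnectionStrategy(getConnectionStrategy());
        connectionConfig.setConnectionInitializer(getConnectionInitializer());

        // Negative timeouts are clamped to 0 (ldaptive's "no timeout").
        long connectTimeoutMillis = this.settings.getAsLong(ConfigConstants.LDAP_CONNECT_TIMEOUT, 5000L);
        long responseTimeoutMillis = this.settings.getAsLong(ConfigConstants.LDAP_RESPONSE_TIMEOUT, 0L);
        connectionConfig.setConnectTimeout(Duration.ofMillis(Math.max(0L, connectTimeoutMillis)));
        connectionConfig.setResponseTimeout(Duration.ofMillis(Math.max(0L, responseTimeoutMillis)));

        if (log.isDebugEnabled()) {
            // NOTE(review): this logs ConnectionConfig#toString, which includes the bind initializer;
            // confirm the ldaptive version in use does not render the bind credential there.
            log.debug("LDAP connection config:\n" + connectionConfig);
        }
        return connectionConfig;
    }

    /**
     * Chooses how connections authenticate to the directory.
     *
     * <p>Precedence: a bind DN with a non-empty password performs a simple bind (and overrides client-cert
     * auth); otherwise, if {@code enable_ssl_client_auth} is set, an EXTERNAL SASL bind is used; otherwise the
     * bind is anonymous. A bind DN without a password is logged as an error but does not fail construction.
     *
     * @return the configured {@link BindConnectionInitializer}
     */
    private ConnectionInitializer getConnectionInitializer() {
        BindConnectionInitializer initializer = new BindConnectionInitializer();
        String bindDn = this.settings.get(ConfigConstants.LDAP_BIND_DN, (String) null);
        String password = this.settings.get(ConfigConstants.LDAP_PASSWORD, (String) null);
        // An empty password is treated as "not set".
        if (password != null && password.isEmpty()) {
            password = null;
        }

        if (log.isDebugEnabled()) {
            // Only the presence of the password is logged, never its value.
            log.debug("bindDn {}, password {}", bindDn, password != null ? "****" : "<not set>");
        }
        if (bindDn != null && password == null) {
            // Misconfiguration is reported but not fatal: the branches below fall back to SASL or anonymous.
            log.error("No password given for bind_dn {}. Will try to authenticate anonymously to ldap", bindDn);
        }

        boolean clientCertAuth = this.settings.getAsBoolean("enable_ssl_client_auth", false);
        if (bindDn != null && password != null) {
            log.debug("Will perform simple bind with bind dn");
            initializer.setBindDn(bindDn);
            initializer.setBindCredential(new Credential(password));
            if (clientCertAuth) {
                log.warn("Will perform simple bind with bind dn because to bind dn is given and overrides client cert authentication");
            }
        } else if (clientCertAuth) {
            log.debug("Will perform External SASL bind because client cert authentication is enabled");
            initializer.setBindSaslConfig(new ExternalConfig());
        } else {
            log.debug("Will perform anonymous bind because no bind dn or password is given");
        }
        return initializer;
    }

    /**
     * Maps {@code ConfigConstants.LDAP_CONNECTION_STRATEGY} to an ldaptive strategy.
     *
     * <p>Recognised values (case-insensitive): {@code round_robin}, {@code random}; anything else, including
     * the default {@code active_passive}, yields {@link ActivePassiveConnectionStrategy}.
     *
     * @return the connection strategy
     */
    private ConnectionStrategy getConnectionStrategy() {
        String strategy = this.settings.get(ConfigConstants.LDAP_CONNECTION_STRATEGY, "active_passive");
        // equalsIgnoreCase avoids the default-locale pitfalls of toLowerCase() and matches the style used for
        // "validation.strategy" below.
        if ("round_robin".equalsIgnoreCase(strategy)) {
            return new RoundRobinConnectionStrategy();
        }
        if ("random".equalsIgnoreCase(strategy)) {
            return new RandomConnectionStrategy();
        }
        return new ActivePassiveConnectionStrategy();
    }

    /**
     * Builds the pool validator from the {@code validation.*} settings.
     *
     * <p>Strategy {@code compare} issues an LDAP compare against {@code validation.compare.dn}; the default
     * strategy issues a base-object search with no returned attributes and a size limit of 1.
     *
     * @return the validator, or {@code null} when {@code validation.enabled} is false
     */
    private Validator<Connection> getConnectionValidator() {
        if (!this.settings.getAsBoolean("validation.enabled", false)) {
            return null;
        }

        Validator<Connection> validator;
        if ("compare".equalsIgnoreCase(this.settings.get("validation.strategy", ConfigConstants.LDAP_AUTHCZ_SEARCH))) {
            LdapAttribute expected = new LdapAttribute(
                    this.settings.get("validation.compare.attribute", "objectClass"),
                    new String[]{this.settings.get("validation.compare.value", "top")});
            validator = new CompareValidator(new CompareRequest(this.settings.get("validation.compare.dn", ""), expected));
        } else {
            SearchRequest searchRequest = new SearchRequest();
            searchRequest.setBaseDn(this.settings.get("validation.search.base_dn", ""));
            searchRequest.setSearchFilter(new SearchFilter(this.settings.get("validation.search.filter", "(objectClass=*)")));
            // A liveness probe only: return no attributes, search the base object, at most one entry.
            searchRequest.setReturnAttributes(ReturnAttributes.NONE.value());
            searchRequest.setSearchScope(SearchScope.OBJECT);
            searchRequest.setSizeLimit(1L);
            validator = new SearchValidator(searchRequest);
        }
        return validator;
    }

    /**
     * Joins the configured hosts into the space-separated URL list ldaptive expects.
     *
     * <p>A host that already contains {@code ://} is used verbatim; otherwise {@code ldaps://} or
     * {@code ldap://} is prepended depending on {@code enable_ssl}.
     *
     * @return the URL string (defaults to a single {@code localhost} entry)
     */
    private String getLdapUrlString() {
        List<String> hosts = this.settings.getAsList(ConfigConstants.LDAP_HOSTS, Collections.singletonList("localhost"));
        boolean sslEnabled = this.settings.getAsBoolean("enable_ssl", false);
        String defaultScheme = sslEnabled ? "ldaps://" : "ldap://";

        StringBuilder urls = new StringBuilder();
        for (String host : hosts) {
            if (urls.length() > 0) {
                urls.append(" ");
            }
            if (!host.contains("://")) {
                urls.append(defaultScheme);
            }
            urls.append(host);
        }
        return urls.toString();
    }

    /**
     * Applies the TLS settings to the connection config.
     *
     * <p>Two options deliberately weaken transport security and should be used only for testing: disabling
     * hostname verification installs an {@link AllowAnyHostnameVerifier}, and {@code trust_all} installs an
     * {@link AllowAnyTrustManager} that accepts any server certificate.
     *
     * @param connectionConfig the config to modify in place; no-op when no SSL config exists
     */
    private void configureSSL(ConnectionConfig connectionConfig) {
        if (this.sslConfig == null) {
            return;
        }

        SslConfig sslConfig = new SslConfig();
        sslConfig.setCredentialConfig(CredentialConfigFactory.createKeyStoreCredentialConfig(
                this.sslConfig.getEffectiveTruststore(),
                this.sslConfig.getEffectiveTruststoreAliasesArray(),
                this.sslConfig.getEffectiveKeystore(),
                this.sslConfig.getEffectiveKeyPasswordString(),
                this.sslConfig.getEffectiveKeyAliasesArray()));

        if (!this.sslConfig.isHostnameVerificationEnabled()) {
            // Disables hostname checking at the ldaptive layer; the JNDI layer additionally needs the system
            // property named in the warning, otherwise endpoint identification still fails the handshake.
            sslConfig.setHostnameVerifier(new AllowAnyHostnameVerifier());
            if (!Boolean.parseBoolean(System.getProperty("com.sun.jndi.ldap.object.disableEndpointIdentification"))) {
                log.warn("In order to disable host name verification for LDAP connections (verify_hostnames: false), you also need to set the system property com.sun.jndi.ldap.object.disableEndpointIdentification to true when starting the JVM running ES. This applies for all Java versions released since July 2018.");
            }
        }

        String[] cipherSuites = this.sslConfig.getSupportedCipherSuites();
        if (cipherSuites != null && cipherSuites.length > 0) {
            sslConfig.setEnabledCipherSuites(cipherSuites);
        }
        sslConfig.setEnabledProtocols(this.sslConfig.getSupportedProtocols());

        if (this.sslConfig.isTrustAllEnabled()) {
            // Accepts any server certificate: no chain validation at all.
            sslConfig.setTrustManagers(new TrustManager[]{new AllowAnyTrustManager()});
        }

        connectionConfig.setSslConfig(sslConfig);
        connectionConfig.setUseSSL(true);
        connectionConfig.setUseStartTLS(this.sslConfig.isStartTlsEnabled());
    }

    /**
     * Passes provider-level TLS properties to the ldaptive provider.
     *
     * <p>Currently only {@code jndi.starttls.allowAnyHostname} is set, and only when StartTLS is enabled and
     * hostname verification is disabled.
     *
     * @param defaultConnectionFactory the factory whose provider config is updated; no-op when no SSL config exists
     */
    private void configureSSLinConnectionFactory(DefaultConnectionFactory defaultConnectionFactory) {
        if (this.sslConfig == null) {
            return;
        }
        HashMap<String, Object> providerProperties = new HashMap<>();
        if (this.sslConfig.isStartTlsEnabled() && !this.sslConfig.isHostnameVerificationEnabled()) {
            providerProperties.put("jndi.starttls.allowAnyHostname", "true");
        }
        defaultConnectionFactory.getProvider().getProviderConfig().setProperties(providerProperties);
    }
}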
