package com.floragunn.dlic.auth.ldap2;

import com.floragunn.dlic.auth.ldap.LdapUser;
import com.floragunn.dlic.auth.ldap.util.ConfigConstants;
import com.floragunn.dlic.auth.ldap.util.Utils;
import com.floragunn.dlic.util.SettingsBasedSSLConfigurator;
import com.floragunn.searchguard.auth.AuthenticationBackend;
import com.floragunn.searchguard.auth.Destroyable;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchguard.user.User;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.List;
import java.util.UUID;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.common.settings.Settings;
import org.ldaptive.BindRequest;
import org.ldaptive.Connection;
import org.ldaptive.ConnectionFactory;
import org.ldaptive.Credential;
import org.ldaptive.LdapEntry;
import org.ldaptive.LdapException;
import org.ldaptive.Response;
import org.ldaptive.ResultCode;
import org.ldaptive.pool.ConnectionPool;

/* loaded from: input_file:com/floragunn/dlic/auth/ldap2/LDAPAuthenticationBackend2.class */
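/**
 * LDAP authentication backend: resolves the user's entry with an {@link LDAPUserSearcher}
 * and then verifies the supplied password by binding to the directory as that entry's DN.
 *
 * <p>Connections are produced by an {@link LDAPConnectionFactoryFactory}. When a
 * {@link ConnectionPool} is configured, the user bind is performed on a separate,
 * non-pooled connection ({@code authConnectionFactory}); without a pool the lookup
 * connection is reused for the bind.
 *
 * <p>All directory access runs inside {@link AccessController#doPrivileged} after a
 * {@link SpecialPermission} check, as required for plugin code under the Elasticsearch
 * security manager.
 *
 * <p>Thread-safety: the fields are effectively immutable after construction except
 * {@code connectionPool}, which {@link #destroy()} clears without synchronization;
 * callers are presumably expected to stop authenticating before calling it (confirm
 * against the plugin lifecycle).
 */
public class LDAPAuthenticationBackend2 implements AuthenticationBackend, Destroyable {
    protected static final Logger log = LogManager.getLogger(LDAPAuthenticationBackend2.class);

    private final Settings settings;
    private ConnectionPool connectionPool;
    private final ConnectionFactory connectionFactory;
    private final ConnectionFactory authConnectionFactory;
    private final LDAPUserSearcher userSearcher;
    // Maximum length of a single custom attribute value copied onto the user; setting default 36.
    private final int customAttrMaxValueLen;
    // Attribute names that may be copied onto the user; null when the setting is absent.
    private final List<String> whitelistedAttributes;

    /**
     * Creates the backend from its settings block.
     *
     * @param settings backend settings (connection, search and attribute options)
     * @param path base path handed to {@link LDAPConnectionFactoryFactory} — presumably the
     *             config directory used to resolve relative file paths; confirm there
     * @throws SettingsBasedSSLConfigurator.SSLConfigException if the TLS configuration is invalid
     */
    public LDAPAuthenticationBackend2(Settings settings, Path path) throws SettingsBasedSSLConfigurator.SSLConfigException {
        this.settings = settings;
        LDAPConnectionFactoryFactory factoryFactory = new LDAPConnectionFactoryFactory(settings, path);
        this.connectionPool = factoryFactory.createConnectionPool();
        this.connectionFactory = factoryFactory.createConnectionFactory(this.connectionPool);
        // With a pool the user bind goes through a plain, non-pooled factory — presumably so
        // that binding as the end user never changes the identity of a pooled connection;
        // confirm against LDAPConnectionFactoryFactory.
        if (this.connectionPool != null) {
            this.authConnectionFactory = factoryFactory.createBasicConnectionFactory();
        } else {
            this.authConnectionFactory = this.connectionFactory;
        }
        this.userSearcher = new LDAPUserSearcher(settings);
        this.customAttrMaxValueLen = settings.getAsInt(ConfigConstants.LDAP_CUSTOM_ATTR_MAXVAL_LEN, 36);
        this.whitelistedAttributes = settings.getAsList(ConfigConstants.LDAP_CUSTOM_ATTR_WHITELIST, (List<String>) null);
    }

    /**
     * Authenticates the given credentials against the directory.
     *
     * @param authCredentials user name and password to verify
     * @return the authenticated user, carrying the resolved LDAP entry
     * @throws ElasticsearchSecurityException if the user is unknown or the bind fails
     */
    @Override
    public User authenticate(final AuthCredentials authCredentials) throws ElasticsearchSecurityException {
        checkSpecialPermission();
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<User>() {
                @Override
                public User run() throws Exception {
                    return authenticate0(authCredentials);
                }
            });
        } catch (PrivilegedActionException e) {
            Exception cause = e.getException();
            if (cause instanceof ElasticsearchSecurityException) {
                throw (ElasticsearchSecurityException) cause;
            }
            throw asRuntimeException(cause);
        }
    }

    /**
     * Lookup-then-bind implementation behind {@link #authenticate}; runs inside the privileged block.
     *
     * <p>The password buffer(s) are zeroed in {@code finally}, and the lookup connection is
     * always unbound and closed, whether or not authentication succeeds.
     *
     * @param authCredentials user name and password to verify
     * @return the authenticated user
     * @throws ElasticsearchSecurityException if the user is unknown or the bind fails; any
     *         other failure is wrapped in one
     */
    public User authenticate0(AuthCredentials authCredentials) throws ElasticsearchSecurityException {
        final String username = authCredentials.getUsername();
        final byte[] suppliedPassword = authCredentials.getPassword();
        // The buffer actually used for the bind; replaced by the fake-login password below.
        byte[] bindPassword = suppliedPassword;
        Connection connection = null;
        try {
            connection = this.connectionFactory.getConnection();
            connection.open();

            LdapEntry entry = this.userSearcher.exists(connection, username);
            if (entry == null) {
                if (!this.settings.getAsBoolean(ConfigConstants.LDAP_FAKE_LOGIN_ENABLED, false)) {
                    throw new ElasticsearchSecurityException("No user " + username + " found", new Object[0]);
                }
                // Unknown user with fake login enabled: still perform a bind, with a DN that is
                // not expected to exist, so the unknown-user and wrong-password cases go through
                // the same bind path. The bind is expected to fail.
                entry = new LdapEntry(this.settings.get(ConfigConstants.LDAP_FAKE_LOGIN_DN,
                        "CN=faketomakebindfail,DC=" + UUID.randomUUID().toString()));
                bindPassword = this.settings.get(ConfigConstants.LDAP_FAKE_LOGIN_PASSWORD, "fakeLoginPwd123")
                        .getBytes(StandardCharsets.UTF_8);
            }

            final String dn = entry.getDn();
            if (log.isTraceEnabled()) {
                log.trace("Try to authenticate dn {}", dn);
            }

            if (this.connectionPool == null) {
                authenticateByLdapServer(connection, dn, bindPassword);
            } else {
                authenticateByLdapServerWithSeparateConnection(dn, bindPassword);
            }

            // Optionally report a configured attribute of the entry as the user name instead of the DN.
            final String usernameAttribute = this.settings.get(ConfigConstants.LDAP_AUTHC_USERNAME_ATTRIBUTE, (String) null);
            String effectiveUsername = dn;
            if (usernameAttribute != null && entry.getAttribute(usernameAttribute) != null) {
                effectiveUsername = Utils.getSingleStringValue(entry.getAttribute(usernameAttribute));
            }
            if (log.isDebugEnabled()) {
                log.debug("Authenticated username {}", effectiveUsername);
            }

            return new LdapUser(effectiveUsername, username, entry, authCredentials, this.customAttrMaxValueLen, this.whitelistedAttributes);
        } catch (ElasticsearchSecurityException e) {
            // Already the caller-facing type (e.g. "No user ... found"); do not wrap it a second time.
            throw e;
        } catch (Exception e) {
            if (log.isDebugEnabled()) {
                log.debug("Unable to authenticate user due to ", e);
            }
            // NOTE(review): e.toString() (LDAP result details) becomes the message the caller
            // receives; if this message is surfaced to clients, consider a generic one.
            throw new ElasticsearchSecurityException(e.toString(), e, new Object[0]);
        } finally {
            // Zero whatever was used for the bind as well as the original credential bytes
            // (the two differ only on the fake-login path).
            if (bindPassword != null) {
                Arrays.fill(bindPassword, (byte) 0);
            }
            if (suppliedPassword != null) {
                Arrays.fill(suppliedPassword, (byte) 0);
            }
            Utils.unbindAndCloseSilently(connection);
        }
    }

    /**
     * @return the backend type identifier used in the configuration, {@code "ldap"}
     */
    @Override
    public String getType() {
        return "ldap";
    }

    /**
     * Checks whether the user exists in the directory and, if so, copies the whitelisted
     * LDAP attributes onto it.
     *
     * @param user the user to look up
     * @return {@code true} if an entry was found
     */
    @Override
    public boolean exists(final User user) {
        checkSpecialPermission();
        return AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
            @Override
            public Boolean run() {
                return exists0(user);
            }
        });
    }

    /**
     * Lookup implementation behind {@link #exists(User)}; runs inside the privileged block.
     *
     * <p>Any failure (connection, search, attribute extraction) is logged at debug level and
     * reported as "does not exist" rather than propagated.
     *
     * @param user the user to look up; for an {@link LdapUser} the lookup uses the entry's DN,
     *             otherwise the user's name
     * @return {@code true} if an entry was found
     */
    public boolean exists0(User user) {
        String lookupName = user.getName();
        if (user instanceof LdapUser) {
            lookupName = ((LdapUser) user).getUserEntry().getDn();
        }
        Connection connection = null;
        try {
            connection = this.connectionFactory.getConnection();
            connection.open();
            LdapEntry entry = this.userSearcher.exists(connection, lookupName);
            if (entry == null) {
                return false;
            }
            user.addAttributes(LdapUser.extractLdapAttributes(lookupName, entry, this.customAttrMaxValueLen, this.whitelistedAttributes));
            return true;
        } catch (Exception e) {
            if (log.isDebugEnabled()) {
                log.debug("User {} does not exist due to ", lookupName, e);
            }
            return false;
        } finally {
            Utils.unbindAndCloseSilently(connection);
        }
    }

    /**
     * Verifies the password with a simple bind as {@code dn} on the given connection.
     *
     * @param connection an open connection; left bound as {@code dn} on success
     * @param dn the distinguished name to bind as
     * @param password the password bytes for the bind
     * @throws LdapException if the bind fails or the directory reports a non-SUCCESS result
     */
    private void authenticateByLdapServer(final Connection connection, final String dn, final byte[] password) throws LdapException {
        checkSpecialPermission();
        final Response<Void> response;
        try {
            response = AccessController.doPrivileged(new PrivilegedExceptionAction<Response<Void>>() {
                @Override
                public Response<Void> run() throws LdapException {
                    return connection.getProviderConnection().bind(new BindRequest(dn, new Credential(password)));
                }
            });
        } catch (PrivilegedActionException e) {
            Exception cause = e.getException();
            if (cause instanceof LdapException) {
                throw (LdapException) cause;
            }
            throw asRuntimeException(cause);
        }
        // Defence in depth: the provider is expected to throw on a failed bind, but a
        // non-SUCCESS result that is returned instead of thrown must never count as authenticated.
        if (response != null && response.getResultCode() != ResultCode.SUCCESS) {
            throw new LdapException("Bind as " + dn + " failed with result code " + response.getResultCode(),
                    response.getResultCode());
        }
    }

    /**
     * Performs the user bind on a fresh, non-pooled connection that is closed afterwards, so
     * that no pooled connection ends up bound as the end user.
     *
     * @param dn the distinguished name to bind as
     * @param password the password bytes for the bind
     * @throws LdapException if the connection cannot be opened or the bind fails
     */
    private void authenticateByLdapServerWithSeparateConnection(String dn, byte[] password) throws LdapException {
        try (Connection connection = this.authConnectionFactory.getConnection()) {
            connection.open();
            authenticateByLdapServer(connection, dn, password);
        }
    }

    /**
     * Closes the connection pool, if one was configured. Idempotent.
     */
    @Override
    public void destroy() {
        if (this.connectionPool != null) {
            this.connectionPool.close();
            this.connectionPool = null;
        }
    }

    /**
     * Demands {@link SpecialPermission} when a security manager is installed; Elasticsearch
     * requires this immediately before a {@code doPrivileged} block in plugin code.
     */
    private static void checkSpecialPermission() {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(new SpecialPermission());
        }
    }

    /**
     * Returns {@code cause} itself when it is unchecked, otherwise wraps it (cause preserved).
     *
     * @param cause the exception unwrapped from a {@link PrivilegedActionException}
     * @return an unchecked exception to throw
     */
    private static RuntimeException asRuntimeException(Exception cause) {
        if (cause instanceof RuntimeException) {
            return (RuntimeException) cause;
        }
        return new RuntimeException(cause);
    }
}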
