package org.elasticsearch.shield.authc.activedirectory;

import com.google.common.primitives.Ints;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchResultEntry;
import java.io.IOException;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.shield.ShieldSettingsFilter;
import org.elasticsearch.shield.authc.RealmConfig;
import org.elasticsearch.shield.authc.ldap.support.LdapSearchScope;
import org.elasticsearch.shield.authc.ldap.support.LdapSession;
import org.elasticsearch.shield.authc.ldap.support.LdapUtils;
import org.elasticsearch.shield.authc.ldap.support.SessionFactory;
import org.elasticsearch.shield.authc.support.SecuredString;
import org.elasticsearch.shield.ssl.ClientSSLService;
import org.elasticsearch.shield.support.Exceptions;

/* loaded from: input_file:org/elasticsearch/shield/authc/activedirectory/ActiveDirectorySessionFactory.class */
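/**
 * {@link SessionFactory} for Active Directory realms.
 *
 * Authentication is a simple bind as {@code <login>@<domain_name>} followed by a search
 * that maps the login name to the user's DN, which the returned {@link LdapSession}
 * then uses for group resolution. No service account is involved: the factory binds
 * with the credentials of the user being authenticated, so there is no bind password
 * setting to protect here.
 */
public class ActiveDirectorySessionFactory extends SessionFactory {
    public static final String AD_DOMAIN_NAME_SETTING = "domain_name";
    public static final String AD_GROUP_SEARCH_BASEDN_SETTING = "group_search.base_dn";
    public static final String AD_GROUP_SEARCH_SCOPE_SETTING = "group_search.scope";
    public static final String AD_USER_SEARCH_BASEDN_SETTING = "user_search.base_dn";
    public static final String AD_USER_SEARCH_FILTER_SETTING = "user_search.filter";
    public static final String AD_USER_SEARCH_SCOPE_SETTING = "user_search.scope";

    /** Base DN of the user search; defaults to the DN derived from {@code domain_name}. */
    private final String userSearchDN;
    /** The AD domain; also the default host for the LDAP URL and the UPN suffix used to bind. */
    private final String domainName;
    /** Filter template with a {@code {0}} placeholder for the login name. */
    private final String userSearchFilter;
    private final LdapSearchScope userSearchScope;
    private final LdapSession.GroupsResolver groupResolver;

    /**
     * Reads the realm settings and derives defaults from {@code domain_name}.
     *
     * @param realmConfig      realm configuration; {@code domain_name} is mandatory
     * @param clientSSLService SSL service handed to the superclass for {@code ldaps://} URLs
     * @throws IllegalArgumentException if {@code domain_name} is not set
     */
    public ActiveDirectorySessionFactory(RealmConfig realmConfig, ClientSSLService clientSSLService) {
        super(realmConfig, clientSSLService);
        Settings settings = realmConfig.settings();
        this.domainName = settings.get(AD_DOMAIN_NAME_SETTING);
        if (this.domainName == null) {
            throw new IllegalArgumentException("missing [domain_name] setting for active directory");
        }
        String defaultBaseDn = buildDnFromDomain(this.domainName);
        this.userSearchDN = settings.get(AD_USER_SEARCH_BASEDN_SETTING, defaultBaseDn);
        this.userSearchScope = LdapSearchScope.resolve(settings.get(AD_USER_SEARCH_SCOPE_SETTING), LdapSearchScope.SUB_TREE);
        // {0} is replaced with the login name by LdapUtils.createFilter at authentication time.
        // NOTE(review): the search is safe against LDAP filter injection only if createFilter
        // escapes the substituted value per RFC 4515 (a plain MessageFormat would not) — confirm
        // in LdapUtils. domain_name itself is node configuration and is spliced in as-is.
        this.userSearchFilter = settings.get(AD_USER_SEARCH_FILTER_SETTING,
                "(&(objectClass=user)(|(sAMAccountName={0})(userPrincipalName={0}@" + this.domainName + ")))");
        this.groupResolver = new ActiveDirectoryGroupsResolver(settings.getAsSettings("group_search"), defaultBaseDn);
    }

    /**
     * Registers this realm's settings that must not be exposed through the settings APIs.
     * Only the hostname-verification flag is hidden here; this realm has no stored bind
     * credential of its own (see class comment).
     *
     * @param str                 the realm name, used to build the fully qualified setting key
     * @param shieldSettingsFilter filter to register the key with
     */
    public static void filterOutSensitiveSettings(String str, ShieldSettingsFilter shieldSettingsFilter) {
        shieldSettingsFilter.filterOut("shield.authc.realms." + str + "." + SessionFactory.HOSTNAME_VERIFICATION_SETTING);
    }

    /**
     * Servers to connect to. When {@code url} is not configured, falls back to plain
     * {@code ldap://<domain_name>:389}. With that default the simple bind in
     * {@link #getSession} sends the user's password in the clear; configure
     * {@code ldaps://} URLs to protect it (nothing visible here upgrades the connection
     * with StartTLS).
     */
    @Override
    protected SessionFactory.LDAPServers ldapServers(Settings settings) {
        String[] defaultUrls = new String[]{"ldap://" + this.domainName + ":389"};
        return new SessionFactory.LDAPServers(settings.getAsArray(SessionFactory.URLS_SETTING, defaultUrls));
    }

    /**
     * Authenticates {@code str} by binding as {@code str@domain} and resolves the user's DN.
     *
     * The connection is owned by the returned {@link LdapSession}; on every other exit path
     * it is closed here. The previous version closed it only on {@link LDAPException}, so the
     * {@link IllegalStateException}s thrown for zero or multiple search hits (and any other
     * runtime failure after the bind) leaked an authenticated connection.
     *
     * @param str           login name (sAMAccountName or UPN prefix)
     * @param securedString the user's password
     * @return a session bound as the user, positioned at the user's DN
     * @throws IOException            if no configured server could be reached
     * @throws IllegalStateException  if the post-bind search yields zero or more than one entry
     * @throws Exception              the realm's authentication error if the bind or search fails
     */
    @Override
    protected LdapSession getSession(String str, SecuredString securedString) throws Exception {
        LDAPConnection connection;
        try {
            connection = this.serverSet.getConnection();
        } catch (LDAPException e) {
            throw new IOException("failed to connect to any active directory servers", e);
        }
        boolean handedOff = false;
        try {
            // LDAPConnection.bind(String, String) forces a copy of the password into an
            // immutable String, which lives until GC regardless of SecuredString's own clearing.
            // NOTE(review): an empty password is not rejected here. RFC 4513 treats a non-empty
            // DN with an empty password as an *unauthenticated* bind, so this relies on the
            // UnboundID SDK's default of refusing that combination — confirm it is not overridden.
            connection.bind(str + "@" + this.domainName, new String(securedString.internalChars()));
            // "1.1" requests no attributes: only the matched entry's DN is needed.
            SearchRequest searchRequest = new SearchRequest(this.userSearchDN, this.userSearchScope.scope(),
                    LdapUtils.createFilter(this.userSearchFilter, str), new String[]{"1.1"});
            searchRequest.setTimeLimitSeconds(Ints.checkedCast(this.timeout.seconds()));
            SearchResult result = LdapUtils.search(connection, searchRequest, this.logger);
            int entryCount = result.getEntryCount();
            // Exactly one hit is required; ambiguity must not be resolved by picking the first.
            if (entryCount > 1) {
                throw new IllegalStateException("search for user [" + str + "] by principle name yielded multiple results");
            }
            if (entryCount < 1) {
                throw new IllegalStateException("search for user [" + str + "] by principle name yielded no results");
            }
            String userDn = ((SearchResultEntry) result.getSearchEntries().get(0)).getDN();
            LdapSession session = new LdapSession(this.connectionLogger, connection, userDn, this.groupResolver, this.timeout);
            handedOff = true;
            return session;
        } catch (LDAPException e) {
            throw Exceptions.authenticationError("unable to authenticate user [{}] to active directory domain [{}]", e, str, this.domainName);
        } finally {
            if (!handedOff) {
                connection.close();
            }
        }
    }

    /**
     * Converts a DNS domain into its default directory base DN, e.g.
     * {@code example.com} to {@code DC=example,DC=com}.
     *
     * Labels are not DN-escaped; {@code domain_name} is node configuration, so a label
     * containing {@code ,} or {@code =} yields an invalid base DN rather than a security
     * issue. An empty string yields {@code DC=}.
     */
    String buildDnFromDomain(String str) {
        return "DC=" + str.replace(".", ",DC=");
    }
}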
