package org.elasticsearch.xpack.security.authc.ldap;

import com.unboundid.ldap.sdk.Attribute;
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPInterface;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.CheckedConsumer;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.xpack.monitoring.resolver.MonitoringIndexNameResolver;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapSearchScope;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapSession;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils;

/* loaded from: input_file:x-pack-api-5.4.3.jar:org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryGroupsResolver.class */
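/**
 * Resolves the groups of an Active Directory user from the {@code tokenGroups} attribute.
 *
 * <p>Resolution takes two LDAP round trips:
 * <ol>
 *   <li>a BASE-scoped read of the user entry that requests {@code tokenGroups}, whose values are
 *       binary security identifiers (SIDs);</li>
 *   <li>a search under {@code baseDn} with an OR filter of {@code objectSid} equality terms, one per
 *       SID; the DNs of the matching entries are reported to the listener.</li>
 * </ol>
 *
 * <p>The DN list produced here is what the caller receives as the user's group membership, so a
 * SID that is decoded incorrectly would look up the wrong {@code objectSid}. The decoder therefore
 * validates the binary value before reading it and fails the resolution instead of guessing.
 */
class ActiveDirectoryGroupsResolver implements LdapSession.GroupsResolver {
    private static final String TOKEN_GROUPS = "tokenGroups";

    /** Fixed part of a binary SID: revision (1), sub-authority count (1), identifier authority (6). */
    private static final int SID_HEADER_LENGTH = 8;

    /** Each sub-authority is a 32-bit little-endian unsigned integer. */
    private static final int SID_SUB_AUTHORITY_LENGTH = 4;

    private final String baseDn;
    private final LdapSearchScope scope;
    private final boolean ignoreReferralErrors;

    /**
     * Creates a resolver from the group-search settings.
     *
     * <p>JADX INFO: the decompiler changed the access modifier from package-private to public.
     *
     * @param settings source of {@code base_dn} and {@code scope}
     * @param str      base DN used when {@code base_dn} is not set in {@code settings}
     * @param z        stored as {@code ignoreReferralErrors} and handed to every LDAP search
     */
    public ActiveDirectoryGroupsResolver(Settings settings, String str, boolean z) {
        this.baseDn = settings.get("base_dn", str);
        // SUB_TREE is the fallback when no scope is configured.
        this.scope = LdapSearchScope.resolve(settings.get("scope"), LdapSearchScope.SUB_TREE);
        this.ignoreReferralErrors = z;
    }

    /**
     * Resolves the DNs of the groups whose {@code objectSid} appears in the user's {@code tokenGroups}.
     *
     * @param lDAPInterface  connection used for both searches
     * @param str            DN of the user entry
     * @param timeValue      search time limit; converted to whole seconds with {@link Math#toIntExact}
     * @param logger         receives a debug line with the user DN and the generated filter
     * @param collection     not used by this resolver
     * @param actionListener receives an unmodifiable list of group DNs, an empty list when the user
     *                       entry is missing or has no {@code tokenGroups}, or the failure
     */
    @Override // org.elasticsearch.xpack.security.authc.ldap.support.LdapSession.GroupsResolver
    public void resolve(LDAPInterface lDAPInterface, String str, TimeValue timeValue, Logger logger, Collection<Attribute> collection, ActionListener<List<String>> actionListener) {
        CheckedConsumer<Filter, Exception> onFilter = filter -> {
            if (filter == null) {
                // buildGroupQuery reports null when there is nothing to look up.
                actionListener.onResponse(Collections.emptyList());
                return;
            }
            logger.debug("group SID to DN [{}] search filter: [{}]", str, filter);
            CheckedConsumer<List<SearchResultEntry>, Exception> onEntries = entries -> {
                List<String> groupDns = entries.stream().map(SearchResultEntry::getDN).collect(Collectors.toList());
                actionListener.onResponse(Collections.unmodifiableList(groupDns));
            };
            // Only the DN of each match is needed, so no attributes are requested.
            LdapUtils.search(lDAPInterface, this.baseDn, this.scope.scope(), filter, Math.toIntExact(timeValue.seconds()),
                this.ignoreReferralErrors, ActionListener.wrap(onEntries, actionListener::onFailure), SearchRequest.NO_ATTRIBUTES);
        };
        // The bound method reference null-checks actionListener, which makes the decompiler's
        // explicit actionListener.getClass() statements redundant.
        buildGroupQuery(lDAPInterface, str, timeValue, this.ignoreReferralErrors, ActionListener.wrap(onFilter, actionListener::onFailure));
    }

    /**
     * Returns {@code null}; {@code tokenGroups} is read by {@link #buildGroupQuery} with its own
     * BASE-scoped search.
     *
     * <p>NOTE(review): presumably {@code null} tells the session that no attributes need to be
     * pre-loaded for this resolver; confirm against {@code LdapSession.GroupsResolver}.
     */
    @Override // org.elasticsearch.xpack.security.authc.ldap.support.LdapSession.GroupsResolver
    public String[] attributes() {
        return null;
    }

    /**
     * Reads {@code tokenGroups} from the user entry and builds the {@code objectSid} OR filter.
     *
     * @param lDAPInterface  connection used for the lookup
     * @param str            DN of the user entry, used as the base of a BASE-scoped search
     * @param timeValue      search time limit; converted to whole seconds with {@link Math#toIntExact}
     * @param z              ignore-referral-errors flag passed through to {@code LdapUtils}
     * @param actionListener receives the filter, {@code null} when the entry is absent or carries no
     *                       {@code tokenGroups}, or the failure (including a malformed SID value;
     *                       this assumes {@code ActionListener.wrap} routes exceptions thrown by the
     *                       response handler to {@code onFailure}; confirm)
     */
    static void buildGroupQuery(LDAPInterface lDAPInterface, String str, TimeValue timeValue, boolean z, ActionListener<Filter> actionListener) {
        CheckedConsumer<SearchResultEntry, Exception> onUserEntry = entry -> {
            if (entry == null || !entry.hasAttribute(TOKEN_GROUPS)) {
                actionListener.onResponse(null);
                return;
            }
            // Terms are built through the Filter API rather than by concatenating filter text.
            List<Filter> sidFilters = Arrays.stream(entry.getAttributeValueByteArrays(TOKEN_GROUPS))
                .map(sid -> Filter.createEqualityFilter("objectSid", binarySidToStringSid(sid)))
                .collect(Collectors.toList());
            actionListener.onResponse(Filter.createORFilter(sidFilters));
        };
        LdapUtils.searchForEntry(lDAPInterface, str, SearchScope.BASE, LdapUtils.OBJECT_CLASS_PRESENCE_FILTER,
            Math.toIntExact(timeValue.seconds()), z, ActionListener.wrap(onUserEntry, actionListener::onFailure), TOKEN_GROUPS);
    }

    /**
     * Converts a binary SID to its string form {@code S-<revision>-<authority>-<sub-authority>...}.
     *
     * <p>Binary layout: byte 0 is the revision, byte 1 the number of sub-authorities, bytes 2-7 the
     * identifier authority (big-endian), followed by one 32-bit little-endian value per
     * sub-authority. The earlier implementation took the high byte of the count from byte 2 and
     * built the authority from bytes 4-7 only, with byte 4 counted twice. That matches this layout
     * only when bytes 2-4 are zero, and nothing checked the array length before indexing into it.
     * Bytes beyond the declared sub-authorities are ignored, as before.
     *
     * @param bArr binary SID as returned in {@code tokenGroups}
     * @return the string SID
     * @throws IllegalArgumentException if {@code bArr} is {@code null} or shorter than its header
     *                                  and declared sub-authority count require
     */
    private static String binarySidToStringSid(byte[] bArr) {
        if (bArr == null || bArr.length < SID_HEADER_LENGTH) {
            throw new IllegalArgumentException("binary SID is shorter than the " + SID_HEADER_LENGTH + "-byte header");
        }
        int subAuthorityCount = bArr[1] & 0xFF;
        int requiredLength = SID_HEADER_LENGTH + subAuthorityCount * SID_SUB_AUTHORITY_LENGTH;
        if (bArr.length < requiredLength) {
            throw new IllegalArgumentException("binary SID declares " + subAuthorityCount + " sub-authorities but holds only "
                + bArr.length + " bytes");
        }

        // NOTE(review): authorities of 2^32 and above are rendered in decimal here; confirm the
        // form the directory expects for such values in an objectSid filter.
        long authority = 0;
        for (int i = 2; i < SID_HEADER_LENGTH; i++) {
            authority = (authority << 8) | (bArr[i] & 0xFFL);
        }

        // NOTE(review): the separator is taken from MonitoringIndexNameResolver.DELIMITER exactly as
        // the decompiled source does; presumably an inlined "-" that the decompiler attributed to
        // that constant. Confirm.
        StringBuilder sid = new StringBuilder("S")
            .append(MonitoringIndexNameResolver.DELIMITER).append(bArr[0] & 0xFF)
            .append(MonitoringIndexNameResolver.DELIMITER).append(authority);
        for (int index = 0; index < subAuthorityCount; index++) {
            int offset = SID_HEADER_LENGTH + index * SID_SUB_AUTHORITY_LENGTH;
            long subAuthority = (bArr[offset] & 0xFFL)
                | ((bArr[offset + 1] & 0xFFL) << 8)
                | ((bArr[offset + 2] & 0xFFL) << 16)
                | ((bArr[offset + 3] & 0xFFL) << 24);
            sid.append(MonitoringIndexNameResolver.DELIMITER).append(subAuthority);
        }
        return sid.toString();
    }
}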
