package org.elasticsearch.xpack.security.authc.saml;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.time.Clock;
import java.time.Instant;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import javax.xml.parsers.DocumentBuilder;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.CheckedFunction;
import org.elasticsearch.common.Nullable;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.xpack.security.support.RestorableContextClassLoader;
import org.joda.time.DateTime;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.io.Unmarshaller;
import org.opensaml.core.xml.io.UnmarshallerFactory;
import org.opensaml.core.xml.io.UnmarshallingException;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.x509.X509Credential;
import org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver;
import org.opensaml.xmlsec.encryption.support.EncryptedKeyResolver;
import org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver;
import org.opensaml.xmlsec.encryption.support.SimpleKeyInfoReferenceEncryptedKeyResolver;
import org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyResolver;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.ChainingKeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.CollectionKeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.LocalKeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.provider.DEREncodedKeyValueProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.KeyInfoReferenceProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/saml/SamlRequestHandler.class */
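/**
 * Base class shared by the SAML 2.0 message handlers in this package. It owns the pieces every
 * inbound message needs: a schema-validating XML parser, unmarshalling of DOM elements into
 * OpenSAML objects, XML-signature validation against the IdP's configured signing credentials,
 * issuer and expiry checks, and (only when the SP has encryption credentials) a {@link Decrypter}.
 * <p>
 * This is a decompiled listing: several members that are {@code protected}/package-private in the
 * original source appear as {@code public} here. Their visibility is kept as shown so that existing
 * callers keep compiling.
 * <p>
 * Thread-safety: all instance state is final and assigned in the constructor; XML parsing goes
 * through a per-thread {@link DocumentBuilder} because builders are not thread-safe.
 */
public class SamlRequestHandler {
    protected static final String SAML_NAMESPACE = "urn:oasis:names:tc:SAML:2.0:protocol";

    /** Classpath schemas the hardened parser validates every inbound message against. */
    private static final String[] XSD_FILES = {"/org/elasticsearch/xpack/security/authc/saml/saml-schema-protocol-2.0.xsd", "/org/elasticsearch/xpack/security/authc/saml/saml-schema-assertion-2.0.xsd", "/org/elasticsearch/xpack/security/authc/saml/xenc-schema.xsd", "/org/elasticsearch/xpack/security/authc/saml/xmldsig-core-schema.xsd"};

    /**
     * One {@link DocumentBuilder} per thread. The builder is produced by
     * {@code SamlUtils.getHardenedBuilder}; the parser hardening itself (entity handling,
     * schema validation against {@link #XSD_FILES}) is defined there, not in this class.
     * A failure to load the schemas is surfaced as a SAML exception on first use by that thread.
     */
    private static final ThreadLocal<DocumentBuilder> THREAD_LOCAL_DOCUMENT_BUILDER = ThreadLocal.withInitial(() -> {
        try {
            return SamlUtils.getHardenedBuilder(XSD_FILES);
        } catch (Exception e) {
            throw SamlUtils.samlException("Could not load XSD schema file", e, new Object[0]);
        }
    });

    /** {@code null} when the SP has no encryption credentials; subclasses must check before use. */
    @Nullable
    protected final Decrypter decrypter;
    /** Source of "now" for time-based checks; injected so tests can control it. */
    private final Clock clock;
    private final IdpConfiguration idp;
    private final SpConfiguration sp;
    /** Tolerated clock difference between this SP and the IdP, applied in {@link #validateNotOnOrAfter}. */
    private final TimeValue maxSkew;
    /** Logger bound to the concrete subclass so log lines are attributed to the actual handler. */
    protected final Logger logger = LogManager.getLogger(getClass());
    /** OpenSAML's globally registered unmarshaller factory. */
    private final UnmarshallerFactory unmarshallerFactory = XMLObjectProviderRegistrySupport.getUnmarshallerFactory();

    /**
     * @param clock            clock used for all time comparisons
     * @param idpConfiguration the Identity Provider (entity id, signing credentials) this handler trusts
     * @param spConfiguration  this Service Provider (including its optional encryption credentials)
     * @param timeValue        maximum accepted clock skew between SP and IdP
     */
    public SamlRequestHandler(Clock clock, IdpConfiguration idpConfiguration, SpConfiguration spConfiguration, TimeValue timeValue) {
        this.clock = clock;
        this.idp = idpConfiguration;
        this.sp = spConfiguration;
        this.maxSkew = timeValue;
        if (spConfiguration.getEncryptionCredentials().isEmpty()) {
            this.decrypter = null;
        } else {
            // First resolver argument (KeyInfo credential resolver for the EncryptedData itself) is
            // intentionally null: keys are only ever resolved from EncryptedKey elements.
            this.decrypter = new Decrypter((KeyInfoCredentialResolver) null, createResolverForEncryptionKeys(), createResolverForEncryptedKeyElements());
        }
    }

    /**
     * Builds the resolver that maps an {@code EncryptedKey}'s {@code KeyInfo} back to one of the
     * SP's own encryption credentials. Inline X509Data, KeyInfoReference, RSAKeyValue and
     * DEREncodedKeyValue are understood; a plain lookup in the SP credential collection is the
     * fallback. Only SP-configured credentials can ever be returned, so the message cannot
     * introduce key material of its own.
     *
     * @return a chaining resolver over the SP's encryption credentials
     */
    private KeyInfoCredentialResolver createResolverForEncryptionKeys() {
        KeyInfoCredentialResolver localCredentials = new CollectionKeyInfoCredentialResolver(Collections.unmodifiableCollection(this.sp.getEncryptionCredentials()));
        KeyInfoCredentialResolver keyInfoResolver = new LocalKeyInfoCredentialResolver(
            Arrays.asList(new InlineX509DataProvider(), new KeyInfoReferenceProvider(), new RSAKeyValueProvider(), new DEREncodedKeyValueProvider()),
            localCredentials);
        return new ChainingKeyInfoCredentialResolver(Arrays.asList(keyInfoResolver, localCredentials));
    }

    /**
     * Builds the resolver that locates the {@code EncryptedKey} element for an {@code EncryptedData}:
     * inline in its KeyInfo, via a RetrievalMethod, or via a KeyInfoReference.
     *
     * @return a chaining encrypted-key resolver
     */
    private EncryptedKeyResolver createResolverForEncryptedKeyElements() {
        return new ChainingEncryptedKeyResolver(Arrays.asList(new InlineEncryptedKeyResolver(), new SimpleRetrievalMethodEncryptedKeyResolver(), new SimpleKeyInfoReferenceEncryptedKeyResolver()));
    }

    /** @return the Service Provider configuration this handler was built with */
    public SpConfiguration getSpConfiguration() {
        return this.sp;
    }

    /**
     * Human-readable description of a certificate for log and error messages.
     * {@code getSubjectDN()} is deprecated in favour of {@code getSubjectX500Principal()}, but it is
     * kept so that existing log output formats do not change.
     *
     * @param x509Certificate the certificate to describe
     * @return subject and hexadecimal serial number
     */
    protected String describe(X509Certificate x509Certificate) {
        return "X509Certificate{Subject=" + x509Certificate.getSubjectDN() + "; SerialNo=" + x509Certificate.getSerialNumber().toString(16) + "}";
    }

    /**
     * Describes each credential's entity certificate, comma-separated.
     *
     * @param collection credentials to describe
     * @return the joined descriptions (empty string for an empty collection)
     */
    public String describe(Collection<X509Credential> collection) {
        return collection.stream()
            .map(x509Credential -> describe(x509Credential.getEntityCertificate()))
            .collect(Collectors.joining(","));
    }

    /**
     * Validates an XML signature: first structurally against the SAML signature profile, then
     * cryptographically against the IdP's signing credentials via {@link #checkIdpSignature}.
     * The profile check runs before any cryptographic work so that a signature whose reference
     * or transform structure is non-conforming is rejected outright.
     *
     * @param signature the signature element to validate
     * @throws ElasticsearchSecurityException if the profile check fails or no IdP credential validates it
     */
    public void validateSignature(Signature signature) {
        final String signatureText = text(signature, 32);
        try {
            new SAMLSignatureProfileValidator().validate(signature);
            checkIdpSignature(credential -> {
                // try-with-resources guarantees the thread context classloader is restored even when
                // SignatureValidator.validate throws; the decompiled form closed it only on success.
                try (RestorableContextClassLoader ignored = new RestorableContextClassLoader(SignatureValidator.class)) {
                    SignatureValidator.validate(signature, credential);
                    this.logger.debug(() -> new ParameterizedMessage(
                        "SAML Signature [{}] matches credentials [{}] [{}]",
                        new Object[]{signatureText, credential.getEntityId(), credential.getPublicKey()}));
                    return true;
                } catch (PrivilegedActionException e) {
                    this.logger.warn("SecurityException while attempting to validate SAML signature", e);
                    return false;
                }
            }, signatureText);
        } catch (SignatureException e) {
            throw samlSignatureException(this.idp.getSigningCredentials(), signatureText, e);
        }
    }

    /**
     * Runs {@code checkedFunction} against each of the IdP's signing credentials and succeeds as soon
     * as one returns {@code true}. A {@link SignatureException} or {@link SecurityException} from the
     * function is treated as "this credential does not match" (logged at debug/trace); any other
     * exception is logged at warn and likewise counts as a non-match. If no credential matches, a
     * SAML exception naming the tried credentials is thrown.
     *
     * @param checkedFunction validation to run per credential; returns whether the credential matched
     * @param str             short text of the signature, used only for log and error messages
     * @throws ElasticsearchSecurityException when no configured signing credential validates the signature
     */
    public void checkIdpSignature(CheckedFunction<Credential, Boolean, Exception> checkedFunction, String str) {
        Predicate<Credential> matches = credential -> {
            try {
                return checkedFunction.apply(credential);
            } catch (SignatureException | SecurityException e) {
                this.logger.debug(() -> new ParameterizedMessage(
                    "SAML Signature [{}] does not match credentials [{}] [{}] -- {}",
                    new Object[]{str, credential.getEntityId(), credential.getPublicKey(), e}));
                this.logger.trace("SAML Signature failure caused by", e);
                return false;
            } catch (Exception e2) {
                this.logger.warn("Exception while attempting to validate SAML Signature", e2);
                return false;
            }
        };
        List<Credential> signingCredentials = this.idp.getSigningCredentials();
        // anyMatch: a single matching credential is sufficient; the IdP may have several (e.g. during key rollover)
        if (!signingCredentials.stream().anyMatch(matches)) {
            throw samlSignatureException(signingCredentials, str);
        }
    }

    /**
     * Builds (and logs a hint for) the exception raised when a signature fails validation with a cause.
     *
     * @param list the credentials that were tried
     * @param str  short text of the signature
     * @param exc  the underlying failure
     * @return the exception to throw
     */
    private ElasticsearchSecurityException samlSignatureException(List<Credential> list, String str, Exception exc) {
        this.logger.warn("The XML Signature of this SAML message cannot be validated. Please verify that the saml realm uses the correct SAMLmetadata file/URL for this Identity Provider");
        return SamlUtils.samlException("SAML Signature [{}] could not be validated against [{}]", exc, str, describeCredentials(list));
    }

    /**
     * Builds (and logs a hint for) the exception raised when no credential validates a signature.
     *
     * @param list the credentials that were tried
     * @param str  short text of the signature
     * @return the exception to throw
     */
    private ElasticsearchSecurityException samlSignatureException(List<Credential> list, String str) {
        this.logger.warn("The XML Signature of this SAML message cannot be validated. Please verify that the saml realm uses the correct SAMLmetadata file/URL for this Identity Provider");
        return SamlUtils.samlException("SAML Signature [{}] could not be validated against [{}]", str, describeCredentials(list));
    }

    /**
     * Describes credentials for error messages as a truncated Base64 prefix of the entity certificate
     * (or, failing that, of the public key). Only public material is ever encoded here.
     *
     * @param list credentials to describe; {@code null} entries render as {@code <null>}
     * @return comma-joined descriptions
     */
    private String describeCredentials(List<Credential> list) {
        return list.stream().map(credential -> {
            if (credential == null) {
                return "<null>";
            }
            byte[] encoded;
            if (credential instanceof X509Credential) {
                try {
                    encoded = ((X509Credential) credential).getEntityCertificate().getEncoded();
                } catch (CertificateEncodingException e) {
                    // Certificate cannot be re-encoded; fall back to the bare public key
                    encoded = credential.getPublicKey().getEncoded();
                }
            } else {
                encoded = credential.getPublicKey().getEncoded();
            }
            String base64 = Base64.getEncoder().encodeToString(encoded);
            // Bounded prefix: a StringIndexOutOfBoundsException here would replace the real
            // signature error with an unrelated one while the message is being built.
            return base64.substring(0, Math.min(64, base64.length())) + "...";
        }).collect(Collectors.joining(","));
    }

    /**
     * Requires the element to carry an {@code Issuer} whose value equals the configured IdP entity id.
     * A missing issuer is rejected rather than assumed.
     *
     * @param issuer     the issuer element, possibly {@code null}
     * @param xMLObject  the enclosing element, used only for the error message
     * @throws ElasticsearchSecurityException if the issuer is absent or does not match
     */
    public void checkIssuer(Issuer issuer, XMLObject xMLObject) {
        if (issuer == null) {
            throw SamlUtils.samlException("Element {} ({}) has no issuer, but expected {}", xMLObject.getElementQName(), text(xMLObject, 16), this.idp.getEntityId());
        }
        if (!this.idp.getEntityId().equals(issuer.getValue())) {
            throw SamlUtils.samlException("SAML Issuer {} does not match expected value {}", issuer.getValue(), this.idp.getEntityId());
        }
    }

    /** @return the configured maximum clock skew in milliseconds */
    public long maxSkewInMillis() {
        return this.maxSkew.millis();
    }

    /** @return the current instant according to the injected clock */
    public Instant now() {
        return this.clock.instant();
    }

    /**
     * Converts a Joda {@link DateTime} to a {@link java.time.Instant} with millisecond precision.
     *
     * @param dateTime the value to convert, may be {@code null}
     * @return the instant, or {@code null} if the input was {@code null}
     */
    public Instant toInstant(DateTime dateTime) {
        if (dateTime == null) {
            return null;
        }
        return Instant.ofEpochMilli(dateTime.getMillis());
    }

    /**
     * Unmarshals a DOM element into the expected OpenSAML type.
     *
     * @param element the DOM element
     * @param cls     the expected OpenSAML type
     * @param <T>     the expected type
     * @return the unmarshalled object
     * @throws ElasticsearchSecurityException if no unmarshaller is registered for the element, the
     *                                        result is not an instance of {@code cls}, or unmarshalling fails
     */
    public <T extends XMLObject> T buildXmlObject(Element element, Class<T> cls) {
        try {
            Unmarshaller unmarshaller = this.unmarshallerFactory.getUnmarshaller(element);
            if (unmarshaller == null) {
                throw SamlUtils.samlException("XML element [{}] cannot be unmarshalled to SAML type [{}] (no unmarshaller)", element.getTagName(), cls);
            }
            XMLObject unmarshalled = unmarshaller.unmarshall(element);
            if (cls.isInstance(unmarshalled)) {
                return cls.cast(unmarshalled);
            }
            // isInstance(null) is false, so a null result also ends up here
            String actualType = unmarshalled == null ? "<null>" : unmarshalled.getClass().getName();
            throw SamlUtils.samlException("SAML object [{}] is incorrect type. Expected [{}] but was [{}]", element.getTagName(), cls.getName(), actualType);
        } catch (UnmarshallingException e) {
            throw SamlUtils.samlException("Failed to unmarshall SAML content [{}", e, element.getTagName());
        }
    }

    /**
     * Short, trimmed text content of an element for log and error messages.
     *
     * @param xMLObject the element
     * @param i         maximum number of characters to keep before appending {@code ...}
     * @return the (possibly truncated) text, or {@code null} if the object has no DOM
     */
    public String text(XMLObject xMLObject, int i) {
        Element dom = xMLObject.getDOM();
        if (dom == null) {
            return null;
        }
        String trimmed = dom.getTextContent().trim();
        return trimmed.length() >= i ? Strings.cleanTruncate(trimmed, i) + "..." : trimmed;
    }

    /**
     * Parses raw message bytes with the schema-validating, hardened per-thread parser.
     *
     * @param bArr the message bytes
     * @return the document element
     * @throws ElasticsearchSecurityException if the bytes are not a valid document (wrapping the parser error)
     */
    public Element parseSamlMessage(byte[] bArr) {
        try (ByteArrayInputStream in = new ByteArrayInputStream(bArr)) {
            Element documentElement = THREAD_LOCAL_DOCUMENT_BUILDER.get().parse(in).getDocumentElement();
            if (this.logger.isTraceEnabled()) {
                // Trace only: this dumps the complete inbound message
                this.logger.trace("Received SAML Message: {} \n", SamlUtils.toString(documentElement, true));
            }
            return documentElement;
        } catch (IOException | SAXException e) {
            throw SamlUtils.samlException("Failed to parse SAML message", e, new Object[0]);
        }
    }

    /**
     * Rejects a message whose {@code NotOnOrAfter} has passed. The configured skew is subtracted from
     * "now" first, so a value is accepted as long as {@code now - maxSkew < notOnOrAfter}.
     * A {@code null} value is accepted as-is; callers that require an expiry must check for it themselves.
     *
     * @param dateTime the {@code NotOnOrAfter} value, may be {@code null}
     * @throws ElasticsearchSecurityException if the value is on or before {@code now - maxSkew}
     */
    public void validateNotOnOrAfter(DateTime dateTime) {
        if (dateTime == null) {
            return;
        }
        Instant nowMinusSkew = now().minusMillis(this.maxSkew.millis());
        if (!nowMinusSkew.isBefore(toInstant(dateTime))) {
            throw SamlUtils.samlException("Rejecting SAML assertion because [{}] is on/after [{}]", nowMinusSkew, dateTime);
        }
    }
}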
