package org.elasticsearch.xpack.security.authc.saml;

import java.time.Clock;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.collect.Tuple;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.xpack.security.authc.saml.SamlAttributes;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml.saml2.core.AudienceRestriction;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.opensaml.saml.saml2.core.Conditions;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.core.EncryptedAttribute;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.Status;
import org.opensaml.saml.saml2.core.StatusCode;
import org.opensaml.saml.saml2.core.StatusDetail;
import org.opensaml.saml.saml2.core.StatusMessage;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.core.SubjectConfirmationData;
import org.opensaml.xmlsec.encryption.support.DecryptionException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/elasticsearch/xpack/security/authc/saml/SamlAuthenticator.class */
public class SamlAuthenticator extends SamlRequestHandler {
    private static final String RESPONSE_TAG_NAME = "Response";

    /* JADX INFO: Access modifiers changed from: package-private */
    public SamlAuthenticator(Clock clock, IdpConfiguration idpConfiguration, SpConfiguration spConfiguration, TimeValue timeValue) {
        super(clock, idpConfiguration, spConfiguration, timeValue);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public SamlAttributes authenticate(SamlToken samlToken) {
        Element parseSamlMessage = parseSamlMessage(samlToken.getContent());
        if (!RESPONSE_TAG_NAME.equals(parseSamlMessage.getLocalName()) || !"urn:oasis:names:tc:SAML:2.0:protocol".equals(parseSamlMessage.getNamespaceURI())) {
            throw SamlUtils.samlException("SAML content [{}] should have a root element of Namespace=[{}] Tag=[{}]", parseSamlMessage, "urn:oasis:names:tc:SAML:2.0:protocol", RESPONSE_TAG_NAME);
        }
        try {
            return authenticateResponse(parseSamlMessage, samlToken.getAllowedSamlRequestIds());
        } catch (ElasticsearchSecurityException e) {
            this.logger.trace("Rejecting SAML response [{}...] because {}", Strings.cleanTruncate(SamlUtils.toString(parseSamlMessage), 512), e.getMessage());
            throw e;
        }
    }

    private SamlAttributes authenticateResponse(Element element, Collection<String> collection) {
        boolean z;
        Response buildXmlObject = buildXmlObject(element, Response.class);
        if (buildXmlObject == null) {
            throw SamlUtils.samlException("Cannot convert element {} into Response object", element);
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace(SamlUtils.describeSamlObject(buildXmlObject));
        }
        if (buildXmlObject.isSigned()) {
            validateSignature(buildXmlObject.getSignature());
            z = false;
        } else {
            z = true;
        }
        if (Strings.hasText(buildXmlObject.getInResponseTo()) && !collection.contains(buildXmlObject.getInResponseTo())) {
            this.logger.debug("The SAML Response with ID [{}] is unsolicited. A user might have used a stale URL or the Identity Provider incorrectly populates the InResponseTo attribute", buildXmlObject.getID());
            throw SamlUtils.samlException("SAML content is in-response-to [{}] but expected one of {} ", buildXmlObject.getInResponseTo(), collection);
        }
        Status status = buildXmlObject.getStatus();
        if (status == null || status.getStatusCode() == null) {
            throw SamlUtils.samlException("SAML Response has no status code", new Object[0]);
        }
        if (!isSuccess(status)) {
            throw SamlUtils.samlException("SAML Response is not a 'success' response: {}", getStatusCodeMessage(status));
        }
        checkIssuer(buildXmlObject.getIssuer(), buildXmlObject);
        checkResponseDestination(buildXmlObject);
        Tuple<Assertion, List<Attribute>> extractDetails = extractDetails(buildXmlObject, collection, z);
        Assertion assertion = (Assertion) extractDetails.v1();
        SamlNameId forSubject = SamlNameId.forSubject(assertion.getSubject());
        String sessionIndex = getSessionIndex(assertion);
        List list = (List) ((List) extractDetails.v2()).stream().map(SamlAttributes.SamlAttribute::new).collect(Collectors.toList());
        if (this.logger.isTraceEnabled()) {
            StringBuilder sb = new StringBuilder();
            sb.append("The SAML Assertion contained the following attributes: \n");
            Iterator it = list.iterator();
            while (it.hasNext()) {
                sb.append((SamlAttributes.SamlAttribute) it.next()).append("\n");
            }
            this.logger.trace(sb.toString());
        }
        if (!list.isEmpty() || forSubject != null) {
            return new SamlAttributes(forSubject, sessionIndex, list);
        }
        this.logger.debug("The Attribute Statements of SAML Response with ID [{}] contained no attributes and the SAML Assertion Subject did not contain a SAML NameID. Please verify that the Identity Provider configuration with regards to attribute release is correct. ", buildXmlObject.getID());
        throw SamlUtils.samlException("Could not process any SAML attributes in {}", buildXmlObject.getElementQName());
    }

    private String getStatusCodeMessage(Status status) {
        StatusCode statusCode = status.getStatusCode();
        StatusCode statusCode2 = statusCode.getStatusCode();
        StringBuilder sb = new StringBuilder();
        if ("urn:oasis:names:tc:SAML:2.0:status:Requester".equals(statusCode.getValue())) {
            sb.append("The SAML IdP did not grant the request. It indicated that the Elastic Stack side sent something invalid (");
        } else if ("urn:oasis:names:tc:SAML:2.0:status:Responder".equals(statusCode.getValue())) {
            sb.append("The request could not be granted due to an error in the SAML IDP side (");
        } else if ("urn:oasis:names:tc:SAML:2.0:status:VersionMismatch".equals(statusCode.getValue())) {
            sb.append("The request could not be granted because the SAML IDP doesn't support SAML 2.0 (");
        } else {
            sb.append("The request could not be granted, the SAML IDP responded with a non-standard Status code (");
        }
        sb.append(statusCode.getValue()).append(").");
        if (getMessage(status) != null) {
            sb.append(" Message: [").append(getMessage(status)).append("]");
        }
        if (getDetail(status) != null) {
            sb.append(" Detail: [").append(getDetail(status)).append("]");
        }
        if (null != statusCode2) {
            sb.append(" Specific status code which might indicate what the issue is: [").append(statusCode2.getValue()).append("]");
        }
        return sb.toString();
    }

    private String getMessage(Status status) {
        StatusMessage statusMessage = status.getStatusMessage();
        if (statusMessage == null) {
            return null;
        }
        return statusMessage.getMessage();
    }

    private String getDetail(Status status) {
        StatusDetail statusDetail = status.getStatusDetail();
        if (statusDetail == null) {
            return null;
        }
        return SamlUtils.toString(statusDetail.getDOM());
    }

    private boolean isSuccess(Status status) {
        return status.getStatusCode().getValue().equals("urn:oasis:names:tc:SAML:2.0:status:Success");
    }

    private String getSessionIndex(Assertion assertion) {
        return (String) assertion.getAuthnStatements().stream().map(authnStatement -> {
            return authnStatement.getSessionIndex();
        }).filter((v0) -> {
            return Objects.nonNull(v0);
        }).findFirst().orElse(null);
    }

    private void checkResponseDestination(Response response) {
        String ascUrl = getSpConfiguration().getAscUrl();
        if (ascUrl.equals(response.getDestination())) {
            return;
        }
        if (response.isSigned() || Strings.hasText(response.getDestination())) {
            throw SamlUtils.samlException("SAML response " + response.getID() + " is for destination " + response.getDestination() + " but this realm uses " + ascUrl, new Object[0]);
        }
    }

    private Tuple<Assertion, List<Attribute>> extractDetails(Response response, Collection<String> collection, boolean z) {
        int size = response.getAssertions().size() + response.getEncryptedAssertions().size();
        if (size > 1) {
            throw SamlUtils.samlException("Expecting only 1 assertion, but response contains multiple (" + size + ")", new Object[0]);
        }
        Iterator it = response.getAssertions().iterator();
        if (it.hasNext()) {
            Assertion assertion = (Assertion) it.next();
            return new Tuple<>(assertion, processAssertion(assertion, z, collection));
        }
        Iterator it2 = response.getEncryptedAssertions().iterator();
        if (!it2.hasNext()) {
            throw SamlUtils.samlException("No assertions found in SAML response", new Object[0]);
        }
        Assertion decrypt = decrypt((EncryptedAssertion) it2.next());
        moveToNewDocument(decrypt);
        decrypt.getDOM().setIdAttribute("ID", true);
        return new Tuple<>(decrypt, processAssertion(decrypt, z, collection));
    }

    private void moveToNewDocument(XMLObject xMLObject) {
        Element dom = xMLObject.getDOM();
        Document createDocument = dom.getOwnerDocument().getImplementation().createDocument(null, null, null);
        createDocument.adoptNode(dom);
        createDocument.appendChild(dom);
    }

    private Assertion decrypt(EncryptedAssertion encryptedAssertion) {
        if (this.decrypter == null) {
            throw SamlUtils.samlException("SAML assertion [" + text(encryptedAssertion, 32) + "] is encrypted, but no decryption key is available", new Object[0]);
        }
        try {
            return this.decrypter.decrypt(encryptedAssertion);
        } catch (DecryptionException e) {
            this.logger.debug(() -> {
                return new ParameterizedMessage("Failed to decrypt SAML assertion [{}] with [{}]", text(encryptedAssertion, 512), describe(getSpConfiguration().getEncryptionCredentials()));
            }, e);
            throw SamlUtils.samlException("Failed to decrypt SAML assertion " + text(encryptedAssertion, 32), e, new Object[0]);
        }
    }

    private List<Attribute> processAssertion(Assertion assertion, boolean z, Collection<String> collection) {
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("(Possibly decrypted) Assertion: {}", SamlUtils.getXmlContent(assertion, true));
            this.logger.trace(SamlUtils.describeSamlObject(assertion));
        }
        if (assertion.isSigned()) {
            validateSignature(assertion.getSignature());
        } else if (z) {
            throw SamlUtils.samlException("Assertion [{}] is not signed, but a signature is required", assertion.getElementQName());
        }
        checkConditions(assertion.getConditions());
        checkIssuer(assertion.getIssuer(), assertion);
        checkSubject(assertion.getSubject(), assertion, collection);
        checkAuthnStatement(assertion.getAuthnStatements());
        ArrayList arrayList = new ArrayList();
        for (AttributeStatement attributeStatement : assertion.getAttributeStatements()) {
            this.logger.trace("SAML AttributeStatement has [{}] attributes and [{}] encrypted attributes", Integer.valueOf(attributeStatement.getAttributes().size()), Integer.valueOf(attributeStatement.getEncryptedAttributes().size()));
            arrayList.addAll(attributeStatement.getAttributes());
            Iterator it = attributeStatement.getEncryptedAttributes().iterator();
            while (it.hasNext()) {
                Attribute decrypt = decrypt((EncryptedAttribute) it.next());
                if (decrypt != null) {
                    this.logger.trace("Successfully decrypted attribute: {}" + SamlUtils.getXmlContent(decrypt, true));
                    arrayList.add(decrypt);
                }
            }
        }
        return arrayList;
    }

    private void checkAuthnStatement(List<AuthnStatement> list) {
        if (list.size() != 1) {
            throw SamlUtils.samlException("SAML Assertion subject contains [{}] Authn Statements while exactly one was expected.", Integer.valueOf(list.size()));
        }
        AuthnStatement authnStatement = list.get(0);
        Instant minusMillis = now().minusMillis(maxSkewInMillis());
        if (authnStatement.getSessionNotOnOrAfter() != null && !minusMillis.isBefore(toInstant(authnStatement.getSessionNotOnOrAfter()))) {
            throw SamlUtils.samlException("Rejecting SAML assertion's Authentication Statement because [{}] is on/after [{}]", minusMillis, authnStatement.getSessionNotOnOrAfter());
        }
        List<String> reqAuthnCtxClassRef = getSpConfiguration().getReqAuthnCtxClassRef();
        if (reqAuthnCtxClassRef.isEmpty()) {
            return;
        }
        String str = null;
        if (authnStatement.getAuthnContext() != null && authnStatement.getAuthnContext().getAuthnContextClassRef() != null) {
            str = authnStatement.getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef();
        }
        if (Strings.isNullOrEmpty(str) || !reqAuthnCtxClassRef.contains(str)) {
            throw SamlUtils.samlException("Rejecting SAML assertion as the AuthnContextClassRef [{}] is not one of the ({}) that were requested in the corresponding AuthnRequest", str, reqAuthnCtxClassRef);
        }
    }

    private Attribute decrypt(EncryptedAttribute encryptedAttribute) {
        if (this.decrypter == null) {
            this.logger.info("SAML message has encrypted attribute [" + text(encryptedAttribute, 32) + "], but no encryption key has been configured");
            return null;
        }
        try {
            return this.decrypter.decrypt(encryptedAttribute);
        } catch (DecryptionException e) {
            this.logger.info("Failed to decrypt SAML attribute " + text(encryptedAttribute, 32), e);
            return null;
        }
    }

    private void checkConditions(Conditions conditions) {
        if (conditions != null) {
            if (this.logger.isTraceEnabled()) {
                this.logger.trace("SAML Assertion was intended for the following Service providers: {}", conditions.getAudienceRestrictions().stream().map(audienceRestriction -> {
                    return text(audienceRestriction, 32);
                }).collect(Collectors.joining(" | ")));
                this.logger.trace("SAML Assertion is only valid between: " + conditions.getNotBefore() + " and " + conditions.getNotOnOrAfter());
            }
            checkAudienceRestrictions(conditions.getAudienceRestrictions());
            checkLifetimeRestrictions(conditions);
        }
    }

    private void checkSubject(Subject subject, XMLObject xMLObject, Collection<String> collection) {
        if (subject == null) {
            throw SamlUtils.samlException("SAML Assertion ({}) has no Subject", text(xMLObject, 16));
        }
        List list = (List) subject.getSubjectConfirmations().stream().filter(subjectConfirmation -> {
            return subjectConfirmation.getMethod().equals("urn:oasis:names:tc:SAML:2.0:cm:bearer");
        }).map((v0) -> {
            return v0.getSubjectConfirmationData();
        }).filter((v0) -> {
            return Objects.nonNull(v0);
        }).collect(Collectors.toList());
        if (list.size() != 1) {
            throw SamlUtils.samlException("SAML Assertion subject contains [{}] bearer SubjectConfirmation, while exactly one was expected.", Integer.valueOf(list.size()));
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("SAML Assertion Subject Confirmation intended recipient is: " + ((SubjectConfirmationData) list.get(0)).getRecipient());
            this.logger.trace("SAML Assertion Subject Confirmation is only valid before: " + ((SubjectConfirmationData) list.get(0)).getNotOnOrAfter());
            this.logger.trace("SAML Assertion Subject Confirmation is in response to: " + ((SubjectConfirmationData) list.get(0)).getInResponseTo());
        }
        checkRecipient((SubjectConfirmationData) list.get(0));
        checkLifetimeRestrictions((SubjectConfirmationData) list.get(0));
        checkInResponseTo((SubjectConfirmationData) list.get(0), collection);
    }

    private void checkRecipient(SubjectConfirmationData subjectConfirmationData) {
        SpConfiguration spConfiguration = getSpConfiguration();
        if (!spConfiguration.getAscUrl().equals(subjectConfirmationData.getRecipient())) {
            throw SamlUtils.samlException("SAML Assertion SubjectConfirmationData Recipient [{}] does not match expected value [{}]", subjectConfirmationData.getRecipient(), spConfiguration.getAscUrl());
        }
    }

    private void checkInResponseTo(SubjectConfirmationData subjectConfirmationData, Collection<String> collection) {
        if (Strings.hasText(subjectConfirmationData.getInResponseTo()) && !collection.contains(subjectConfirmationData.getInResponseTo())) {
            throw SamlUtils.samlException("SAML Assertion SubjectConfirmationData is in-response-to [{}] but expected one of [{}]", subjectConfirmationData.getInResponseTo(), collection);
        }
    }

    private void checkAudienceRestrictions(List<AudienceRestriction> list) {
        if (!list.stream().allMatch(this::checkAudienceRestriction)) {
            throw SamlUtils.samlException("Conditions [{}] do not match required audience [{}]", list.stream().map(audienceRestriction -> {
                return text(audienceRestriction, 56, 8);
            }).collect(Collectors.joining(" | ")), getSpConfiguration().getEntityId());
        }
    }

    private boolean checkAudienceRestriction(AudienceRestriction audienceRestriction) {
        String entityId = getSpConfiguration().getEntityId();
        Stream map = audienceRestriction.getAudiences().stream().map((v0) -> {
            return v0.getAudienceURI();
        });
        Objects.requireNonNull(entityId);
        if (map.anyMatch((v1) -> {
            return r1.equals(v1);
        })) {
            return true;
        }
        audienceRestriction.getAudiences().stream().map((v0) -> {
            return v0.getAudienceURI();
        }).forEach(str -> {
            int i = 0;
            while (i < str.length() && i < entityId.length() && str.charAt(i) == entityId.charAt(i)) {
                i++;
            }
            if (i >= entityId.length() / 2) {
                this.logger.info("Audience restriction [{}] does not match required audience [{}] (difference starts at character [#{}] [{}] vs [{}])", str, entityId, Integer.valueOf(i), str.substring(i), entityId.substring(i));
            } else {
                this.logger.info("Audience restriction [{}] does not match required audience [{}]", str, entityId);
            }
        });
        return false;
    }

    private void checkLifetimeRestrictions(Conditions conditions) {
        Instant now = now();
        Instant plusMillis = now.plusMillis(maxSkewInMillis());
        Instant minusMillis = now.minusMillis(maxSkewInMillis());
        if (conditions.getNotBefore() != null && plusMillis.isBefore(toInstant(conditions.getNotBefore()))) {
            throw SamlUtils.samlException("Rejecting SAML assertion because [{}] is before [{}]", plusMillis, conditions.getNotBefore());
        }
        if (conditions.getNotOnOrAfter() != null && !minusMillis.isBefore(toInstant(conditions.getNotOnOrAfter()))) {
            throw SamlUtils.samlException("Rejecting SAML assertion because [{}] is on/after [{}]", minusMillis, conditions.getNotOnOrAfter());
        }
    }

    private void checkLifetimeRestrictions(SubjectConfirmationData subjectConfirmationData) {
        validateNotOnOrAfter(subjectConfirmationData.getNotOnOrAfter());
    }
}
