package org.elasticsearch.xpack.security.authc.saml;

import java.io.IOException;
import java.io.InputStream;
import java.io.StringWriter;
import java.io.Writer;
import java.net.URISyntaxException;
import java.net.URL;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.xml.XMLConstants;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.common.hash.MessageDigests;
import org.elasticsearch.core.IOUtils;
import org.elasticsearch.core.SuppressForbidden;
import org.elasticsearch.xpack.core.security.support.RestorableContextClassLoader;
import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.XMLObjectBuilderFactory;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.xmlsec.signature.impl.X509CertificateBuilder;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;
import org.w3c.dom.bootstrap.DOMImplementationRegistry;
import org.w3c.dom.ls.DOMImplementationLS;
import org.w3c.dom.ls.LSInput;
import org.w3c.dom.ls.LSResourceResolver;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/saml/SamlUtils.class */
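/**
 * Shared helpers for the SAML realm: one-time OpenSAML bootstrap, construction of hardened
 * XML parsers/transformers, XSD validation, and a few diagnostic/logging utilities.
 *
 * <p>Every XML entry point here is deliberately locked down (no DOCTYPE, no external entities,
 * no XInclude, no network access for DTDs or schemas). The documents that pass through these
 * parsers are SAML messages received from an external identity provider and are untrusted
 * input until their signature has been verified elsewhere.
 */
public class SamlUtils {
    /** Metadata key stamped on every exception created by {@link #samlException}. */
    private static final String SAML_EXCEPTION_KEY = "es.security.saml";
    /** Placeholder returned by {@link #getXmlContent} when an object cannot be marshalled. */
    private static final String SAML_MARSHALLING_ERROR_STRING = "_unserializable_";
    /** Flipped to {@code true} by the first {@link #initialize(Logger)} call (never reset). */
    private static final AtomicBoolean INITIALISED = new AtomicBoolean(false);
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();
    /** Set by {@link #initialize(Logger)}; {@code null} until OpenSAML has been bootstrapped. */
    private static XMLObjectBuilderFactory builderFactory = null;
    private static final Logger LOGGER = LogManager.getLogger(SamlUtils.class);

    /**
     * SAX error handler that turns every parser diagnostic into an exception. Warnings are
     * treated exactly like errors: a SAML document that is not fully clean is rejected rather
     * than parsed on a best-effort basis.
     */
    private static class ErrorHandler implements org.xml.sax.ErrorHandler {
        private ErrorHandler() {
        }

        @Override
        public void warning(SAXParseException e) throws SAXException {
            logAndRethrow(e);
        }

        @Override
        public void error(SAXParseException e) throws SAXException {
            logAndRethrow(e);
        }

        @Override
        public void fatalError(SAXParseException e) throws SAXException {
            logAndRethrow(e);
        }

        /** Logs the parser diagnostic at debug level and propagates it unchanged. */
        private static void logAndRethrow(SAXParseException e) throws SAXParseException {
            SamlUtils.LOGGER.debug("XML Parser error ", e);
            throw e;
        }
    }

    /**
     * Transformer error listener with the same fail-closed policy as {@link ErrorHandler}:
     * warnings, errors and fatal errors all abort the transformation.
     */
    public static class ErrorListener implements javax.xml.transform.ErrorListener {
        private ErrorListener() {
        }

        @Override
        public void warning(TransformerException e) throws TransformerException {
            logAndRethrow(e);
        }

        @Override
        public void error(TransformerException e) throws TransformerException {
            logAndRethrow(e);
        }

        @Override
        public void fatalError(TransformerException e) throws TransformerException {
            logAndRethrow(e);
        }

        /** Logs the transformer diagnostic at debug level and propagates it unchanged. */
        private static void logAndRethrow(TransformerException e) throws TransformerException {
            SamlUtils.LOGGER.debug("XML transformation error", e);
            throw e;
        }
    }

    /**
     * {@link LSResourceResolver} used while compiling a schema in {@link #validate}. It serves
     * only schemas bundled next to this class (see {@link #loadSchema(String)}) and answers
     * {@code null} for everything else, so a schema {@code import}/{@code include} can never be
     * redirected at an arbitrary classpath resource. Every stream it hands out is tracked and
     * released by {@link #close()}.
     */
    private static class ResourceResolver implements LSResourceResolver, AutoCloseable {
        private final DOMImplementationLS domLS = (DOMImplementationLS) DOMImplementationRegistry.newInstance().getDOMImplementation("LS");
        private final List<InputStream> streams = new ArrayList<>();

        private ResourceResolver() throws InstantiationException, IllegalAccessException, ClassNotFoundException {
        }

        @Override
        public LSInput resolveResource(String type, String namespaceURI, String publicId, String systemId, String baseURI) {
            InputStream schema = SamlUtils.loadSchema(systemId);
            if (schema == null) {
                // Not one of our bundled schemas: decline and let the factory's own resolution apply.
                return null;
            }
            streams.add(schema);
            LSInput input = domLS.createLSInput();
            input.setByteStream(schema);
            return input;
        }

        @Override
        public void close() throws IOException {
            IOUtils.close(streams);
        }
    }

    /**
     * Bootstraps OpenSAML once per JVM; later calls return immediately.
     *
     * <p>The work runs under {@code doPrivileged} after a {@link SpecialPermission} check,
     * with a {@link RestorableContextClassLoader} scoped to OpenSAML's own class loader for
     * the duration of the bootstrap. An {@code X509Certificate} XML object is built right after
     * initialisation, presumably to force the signature providers to register while still in
     * that scope — TODO confirm.
     *
     * <p>NOTE(review): if initialisation throws, {@link #INITIALISED} stays {@code true} and
     * {@link #builderFactory} stays {@code null}; a later call will not retry, and
     * {@link #buildObject} will then fail with an {@link IllegalStateException}.
     *
     * @param logger logger for the bootstrap messages
     * @throws PrivilegedActionException if OpenSAML initialisation fails
     */
    public static void initialize(Logger logger) throws PrivilegedActionException {
        if (INITIALISED.compareAndSet(false, true) == false) {
            return;
        }
        // Resolving the slf4j logger before bootstrap; presumably binds OpenSAML's logging early — TODO confirm.
        LoggerFactory.getLogger(InitializationService.class);
        SpecialPermission.check();
        AccessController.doPrivileged((PrivilegedExceptionAction<Void>) () -> {
            logger.debug("Initializing OpenSAML");
            try (RestorableContextClassLoader ignore = new RestorableContextClassLoader(InitializationService.class)) {
                InitializationService.initialize();
                new X509CertificateBuilder().buildObject();
            }
            logger.debug("Initialized OpenSAML");
            return null;
        });
        builderFactory = XMLObjectProviderRegistrySupport.getBuilderFactory();
    }

    /**
     * Creates an {@link ElasticsearchSecurityException} tagged as SAML-specific.
     *
     * @param msg  message (may contain {@code {}} placeholders)
     * @param args message arguments
     * @return the tagged exception; {@link #isSamlException} returns {@code true} for it
     */
    public static ElasticsearchSecurityException samlException(String msg, Object... args) {
        ElasticsearchSecurityException e = new ElasticsearchSecurityException(msg, args);
        e.addMetadata(SAML_EXCEPTION_KEY, new String[0]);
        return e;
    }

    /**
     * Creates an {@link ElasticsearchSecurityException} tagged as SAML-specific, with a cause.
     *
     * @param msg   message (may contain {@code {}} placeholders)
     * @param cause underlying exception
     * @param args  message arguments
     * @return the tagged exception; {@link #isSamlException} returns {@code true} for it
     */
    public static ElasticsearchSecurityException samlException(String msg, Exception cause, Object... args) {
        ElasticsearchSecurityException e = new ElasticsearchSecurityException(msg, cause, args);
        e.addMetadata(SAML_EXCEPTION_KEY, new String[0]);
        return e;
    }

    /**
     * @return {@code true} if {@code e} is non-null and was produced by {@link #samlException}
     */
    public static boolean isSamlException(ElasticsearchSecurityException e) {
        if (e == null) {
            return false;
        }
        return e.getMetadata(SAML_EXCEPTION_KEY) != null;
    }

    /**
     * Builds a new OpenSAML XML object for {@code elementName} and checks it is a {@code type}.
     *
     * @param type        expected class of the built object
     * @param elementName qualified element name registered with the OpenSAML builder factory
     * @return the built object, cast to {@code type}
     * @throws IllegalStateException    if {@link #initialize(Logger)} has not completed
     * @throws IllegalArgumentException if the registered builder produces a different type
     */
    public static <T extends XMLObject> T buildObject(Class<T> type, QName elementName) {
        if (builderFactory == null) {
            throw new IllegalStateException("OpenSAML has not been initialized; call initialize() first");
        }
        XMLObject built = builderFactory.getBuilder(elementName).buildObject(elementName);
        if (type.isInstance(built)) {
            return type.cast(built);
        }
        throw new IllegalArgumentException("Object for element " + elementName.getLocalPart() + " is of type " + String.valueOf(built.getClass()) + " not " + String.valueOf(type));
    }

    /**
     * Generates a random identifier suitable for use as an XML NCName (e.g. a SAML request ID).
     *
     * @param numberOfBytes number of {@link SecureRandom} bytes to draw
     * @return {@code "_"} followed by the lower-case hex encoding of the random bytes; the
     *         leading underscore keeps the value a valid NCName even when the hex starts with a digit
     */
    public static String generateSecureNCName(int numberOfBytes) {
        byte[] random = new byte[numberOfBytes];
        SECURE_RANDOM.nextBytes(random);
        return "_".concat(MessageDigests.toHexString(random));
    }

    /**
     * Serialises a DOM element to a string for logging.
     *
     * @param element element to serialise
     * @param pretty  whether to indent the output
     * @return the XML text, or {@code "[namespace]localName"} if serialisation fails
     */
    public static String toString(Element element, boolean pretty) {
        StringWriter out = new StringWriter();
        try {
            print(element, out, pretty);
        } catch (TransformerException e) {
            return "[" + element.getNamespaceURI() + "]" + element.getLocalName();
        }
        return out.toString();
    }

    /** Same as {@link #toString(Element, boolean)} without indentation. */
    public static String toString(Element element) {
        return toString(element, false);
    }

    /**
     * Writes {@code element} to {@code writer} using a hardened transformer.
     *
     * @param element element to serialise
     * @param writer  destination
     * @param pretty  whether to set the {@code indent} output property
     * @throws TransformerException if the transformer cannot be created or the transform fails
     */
    public static void print(Element element, Writer writer, boolean pretty) throws TransformerException {
        Transformer transformer = getHardenedXMLTransformer();
        if (pretty) {
            transformer.setOutputProperty(OutputKeys.INDENT, "yes");
        }
        transformer.transform(new DOMSource(element), new StreamResult(writer));
    }

    /**
     * Marshals a SAML object to XML text. The result can contain the complete message
     * (assertions, attributes, NameIDs) and should be treated as sensitive by callers that log it.
     *
     * @param object SAML object to marshal
     * @param pretty whether to indent the output
     * @return the XML text, or {@link #SAML_MARSHALLING_ERROR_STRING} if marshalling fails
     */
    public static String getXmlContent(SAMLObject object, boolean pretty) {
        try {
            return toString(XMLObjectSupport.marshall(object), pretty);
        } catch (MarshallingException e) {
            LOGGER.info("Error marshalling SAMLObject ", e);
            return SAML_MARSHALLING_ERROR_STRING;
        }
    }

    /**
     * Produces a short human-readable summary of a {@link Response} or {@link Assertion}.
     * Any other SAML object is rendered as its full (indented) XML via {@link #getXmlContent}.
     *
     * @param object SAML object to describe
     * @return multi-line description for logging
     */
    public static String describeSamlObject(SAMLObject object) {
        if (object instanceof Response) {
            return describeResponse((Response) object);
        }
        if (object instanceof Assertion) {
            return describeAssertion((Assertion) object);
        }
        return getXmlContent(object, true);
    }

    /** Summary of a Response: destination, IDs, issue instant, issuer and assertion counts. */
    private static String describeResponse(Response response) {
        StringBuilder sb = new StringBuilder();
        sb.append("SAML Response: [\n");
        sb.append("    Destination: ").append(response.getDestination()).append("\n");
        sb.append("    Response ID: ").append(response.getID()).append("\n");
        sb.append("    In response to: ").append(response.getInResponseTo()).append("\n");
        sb.append("    Response issued at:").append(response.getIssueInstant()).append("\n");
        if (response.getIssuer() != null) {
            sb.append("    Issuer: ").append(response.getIssuer().getValue()).append("\n");
        }
        sb.append("    Number of unencrypted Assertions: ").append(response.getAssertions().size()).append("\n");
        sb.append("    Number of encrypted Assertions: ").append(response.getEncryptedAssertions().size()).append("\n");
        sb.append("]");
        return sb.toString();
    }

    /**
     * Summary of an Assertion: ID, issue instant, issuer and statement counts.
     * The "Response ..." labels are kept verbatim from the existing log format.
     */
    private static String describeAssertion(Assertion assertion) {
        StringBuilder sb = new StringBuilder();
        sb.append("SAML Assertion: [\n");
        sb.append("    Response ID: ").append(assertion.getID()).append("\n");
        sb.append("    Response issued at: ").append(assertion.getIssueInstant()).append("\n");
        if (assertion.getIssuer() != null) {
            sb.append("    Issuer: ").append(assertion.getIssuer().getValue()).append("\n");
        }
        sb.append("    Number of attribute statements: ").append(assertion.getAttributeStatements().size()).append("\n");
        sb.append("    Number of authentication statements: ").append(assertion.getAuthnStatements().size()).append("\n");
        sb.append("]");
        return sb.toString();
    }

    /**
     * Creates a {@link Transformer} with secure processing on and all external DTD and
     * stylesheet access disabled, wired to the fail-closed {@link ErrorListener}.
     *
     * @return a new, hardened transformer
     * @throws TransformerConfigurationException if the factory rejects a feature/attribute
     */
    @SuppressForbidden(reason = "This is the only allowed way to construct a Transformer")
    public static Transformer getHardenedXMLTransformer() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        // Implementation-specific attribute (honoured by the JDK's built-in transformer) controlling indent width.
        factory.setAttribute("indent-number", 2);
        Transformer transformer = factory.newTransformer();
        transformer.setErrorListener(new ErrorListener());
        return transformer;
    }

    /**
     * Validates {@code xml} against the bundled schema {@code xsdName}.
     *
     * <p>The validator itself is forbidden from fetching external DTDs or schemas; imports
     * inside the schema are served by {@link ResourceResolver} from the bundled copies.
     * NOTE(review): no access restriction is set on the {@link SchemaFactory} itself, so an
     * import the resolver declines falls back to the factory's default resolution — acceptable
     * only because the schemas being compiled are the bundled, trusted ones.
     *
     * @param xml     document to validate
     * @param xsdName bare file name of a schema bundled next to this class
     * @throws IllegalArgumentException if {@code xsdName} is not a bundled schema
     * @throws Exception                on any schema compilation or validation failure
     */
    public static void validate(InputStream xml, String xsdName) throws Exception {
        SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // try-with-resources guarantees both the schema stream and the resolver's streams are
        // closed on the failure path as well (a validation error previously leaked the resolver).
        try (InputStream xsdStream = loadSchema(xsdName); ResourceResolver resolver = new ResourceResolver()) {
            if (xsdStream == null) {
                throw new IllegalArgumentException("Cannot find bundled SAML schema [" + xsdName + "]");
            }
            schemaFactory.setResourceResolver(resolver);
            Validator validator = schemaFactory.newSchema(new StreamSource(xsdStream)).newValidator();
            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            validator.validate(new StreamSource(xml));
        }
    }

    /**
     * Opens a schema bundled in this class's package.
     *
     * <p>Only a bare {@code *.xsd} file name is accepted: a name containing {@code /} or
     * {@code \} (or any other suffix) yields {@code null}, so a systemId taken from a schema
     * import cannot be used to read arbitrary classpath resources through the resolver.
     *
     * @param name candidate schema name; may be {@code null}
     * @return the resource stream, or {@code null} if the name is rejected or not found
     */
    private static InputStream loadSchema(String name) {
        if (name == null) {
            return null;
        }
        boolean bareXsdName = name.endsWith(".xsd") && name.indexOf('/') == -1 && name.indexOf('\\') == -1;
        if (bareXsdName == false) {
            return null;
        }
        return SamlUtils.class.getResourceAsStream(name);
    }

    /**
     * Creates a namespace-aware, schema-validating {@link DocumentBuilder} hardened against
     * XXE and related attacks, validating against the given bundled schema files.
     *
     * <p>A DOCTYPE declaration is rejected outright; external general/parameter entities,
     * external DTD loading, XInclude and entity expansion are all disabled, and secure
     * processing is on. External DTD/schema access is limited to {@code file} and {@code jar}
     * URLs so the bundled schemas can be loaded while any {@code http(s)} schemaLocation in the
     * document is refused. NOTE(review): {@code honour-all-schemaLocations} is enabled, so
     * schemaLocation hints in the document are consulted for namespaces not covered by the
     * supplied schemas — confirm that hints for already-loaded namespaces are ignored.
     *
     * @param schemaFiles resource names (relative to this class) of the XSDs to validate against
     * @return a new, hardened, validating builder wired to the fail-closed {@link ErrorHandler}
     * @throws ParserConfigurationException if the factory rejects a feature/attribute
     */
    @SuppressForbidden(reason = "This is the only allowed way to construct a DocumentBuilder")
    public static DocumentBuilder getHardenedBuilder(String[] schemaFiles) throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setValidating(true);
        // No DOCTYPE at all: no internal subset, no DTD-defined entities.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth behind the DOCTYPE ban.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setFeature("http://xml.org/sax/features/validation", true);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
        // Comment nodes are not materialised in the resulting DOM.
        factory.setIgnoringComments(true);
        factory.setFeature("http://apache.org/xml/features/validation/schema/normalized-value", false);
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "file,jar");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "file,jar");
        factory.setFeature("http://apache.org/xml/features/honour-all-schemaLocations", true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // XSD validation against the bundled schemas, with full (expensive) constraint checking.
        factory.setAttribute("http://apache.org/xml/features/validation/schema", true);
        factory.setAttribute("http://apache.org/xml/features/validation/schema-full-checking", true);
        factory.setAttribute("http://java.sun.com/xml/jaxp/properties/schemaLanguage", XMLConstants.W3C_XML_SCHEMA_NS_URI);
        factory.setAttribute("http://java.sun.com/xml/jaxp/properties/schemaSource", resolveSchemaFilePaths(schemaFiles));
        DocumentBuilder builder = factory.newDocumentBuilder();
        builder.setErrorHandler(new ErrorHandler());
        return builder;
    }

    /**
     * Resolves schema resource names (relative to this class) to URI strings for the parser.
     *
     * @param relativePaths resource names of the bundled schemas
     * @return one URI string per resolvable path; paths with an unparseable URI are logged and skipped
     * @throws IllegalStateException if a named schema resource does not exist on the classpath
     *                               (a missing schema must not silently weaken validation)
     */
    private static String[] resolveSchemaFilePaths(String[] relativePaths) {
        return Arrays.stream(relativePaths).map(SamlUtils::resolveSchemaFilePath).filter(Objects::nonNull).toArray(String[]::new);
    }

    /** Resolves a single schema resource name; see {@link #resolveSchemaFilePaths(String[])}. */
    private static String resolveSchemaFilePath(String relativePath) {
        URL resource = SamlUtils.class.getResource(relativePath);
        if (resource == null) {
            throw new IllegalStateException("Cannot find SAML schema resource [" + relativePath + "]");
        }
        try {
            return resource.toURI().toString();
        } catch (URISyntaxException e) {
            LOGGER.warn("Error resolving schema file path", e);
            return null;
        }
    }
}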
