package org.elasticsearch.xpack.security.authc.saml;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.time.Clock;
import java.time.Instant;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.zip.Inflater;
import java.util.zip.InflaterInputStream;
import javax.xml.parsers.DocumentBuilder;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.hash.MessageDigests;
import org.elasticsearch.core.CheckedFunction;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.Streams;
import org.elasticsearch.core.Strings;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.rest.RestUtils;
import org.elasticsearch.xpack.core.security.support.RestorableContextClassLoader;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.io.Unmarshaller;
import org.opensaml.core.xml.io.UnmarshallerFactory;
import org.opensaml.core.xml.io.UnmarshallingException;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.x509.X509Credential;
import org.opensaml.xmlsec.algorithm.AlgorithmSupport;
import org.opensaml.xmlsec.crypto.XMLSigningUtil;
import org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver;
import org.opensaml.xmlsec.encryption.support.EncryptedKeyResolver;
import org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver;
import org.opensaml.xmlsec.encryption.support.SimpleKeyInfoReferenceEncryptedKeyResolver;
import org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyResolver;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.ChainingKeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.CollectionKeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.LocalKeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.provider.DEREncodedKeyValueProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.KeyInfoReferenceProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/saml/SamlObjectHandler.class */
public class SamlObjectHandler {
    protected static final String SAML_NAMESPACE = "urn:oasis:names:tc:SAML:2.0:protocol";
    private static final String[] XSD_FILES = {"/org/elasticsearch/xpack/security/authc/saml/saml-schema-protocol-2.0.xsd", "/org/elasticsearch/xpack/security/authc/saml/saml-schema-assertion-2.0.xsd", "/org/elasticsearch/xpack/security/authc/saml/xenc-schema.xsd", "/org/elasticsearch/xpack/security/authc/saml/xmldsig-core-schema.xsd"};
    private static final ThreadLocal<DocumentBuilder> THREAD_LOCAL_DOCUMENT_BUILDER = ThreadLocal.withInitial(() -> {
        try {
            return SamlUtils.getHardenedBuilder(XSD_FILES);
        } catch (Exception e) {
            throw SamlUtils.samlException("Could not load XSD schema file", e, new Object[0]);
        }
    });
    private static final int ISSUER_VALUE_MAX_LENGTH = 512;

    @Nullable
    protected final Decrypter decrypter;
    private final Clock clock;
    private final IdpConfiguration idp;
    private final SpConfiguration sp;
    private final TimeValue maxSkew;
    protected final Logger logger = LogManager.getLogger(getClass());
    private final UnmarshallerFactory unmarshallerFactory = XMLObjectProviderRegistrySupport.getUnmarshallerFactory();

    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/saml/SamlObjectHandler$ParsedQueryString.class */
    static class ParsedQueryString {
        final String samlMessage;
        final boolean hasSignature;
        final String relayState;

        ParsedQueryString(String str, boolean z, String str2) {
            this.samlMessage = str;
            this.hasSignature = z;
            this.relayState = str2;
        }
    }

    public SamlObjectHandler(Clock clock, IdpConfiguration idpConfiguration, SpConfiguration spConfiguration, TimeValue timeValue) {
        this.clock = clock;
        this.idp = idpConfiguration;
        this.sp = spConfiguration;
        this.maxSkew = timeValue;
        if (spConfiguration.getEncryptionCredentials().isEmpty()) {
            this.decrypter = null;
        } else {
            this.decrypter = new Decrypter((KeyInfoCredentialResolver) null, createResolverForEncryptionKeys(), createResolverForEncryptedKeyElements());
        }
    }

    private KeyInfoCredentialResolver createResolverForEncryptionKeys() {
        KeyInfoCredentialResolver collectionKeyInfoCredentialResolver = new CollectionKeyInfoCredentialResolver(Collections.unmodifiableCollection(this.sp.getEncryptionCredentials()));
        return new ChainingKeyInfoCredentialResolver(Arrays.asList(new LocalKeyInfoCredentialResolver(Arrays.asList(new InlineX509DataProvider(), new KeyInfoReferenceProvider(), new RSAKeyValueProvider(), new DEREncodedKeyValueProvider()), collectionKeyInfoCredentialResolver), collectionKeyInfoCredentialResolver));
    }

    private static EncryptedKeyResolver createResolverForEncryptedKeyElements() {
        return new ChainingEncryptedKeyResolver(Arrays.asList(new InlineEncryptedKeyResolver(), new SimpleRetrievalMethodEncryptedKeyResolver(), new SimpleKeyInfoReferenceEncryptedKeyResolver()));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public SpConfiguration getSpConfiguration() {
        return this.sp;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public static String describe(X509Certificate x509Certificate) {
        return "X509Certificate{Subject=" + String.valueOf(x509Certificate.getSubjectX500Principal()) + "; SerialNo=" + x509Certificate.getSerialNumber().toString(16) + "}";
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public static String describe(Collection<X509Credential> collection) {
        return (String) collection.stream().map(x509Credential -> {
            return describe(x509Credential.getEntityCertificate());
        }).collect(Collectors.joining(","));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void validateSignature(Signature signature, @Nullable Issuer issuer) {
        String text = text(signature, 32);
        try {
            new SAMLSignatureProfileValidator().validate(signature);
            checkIdpSignature(credential -> {
                try {
                    String keyAlgorithm = AlgorithmSupport.getKeyAlgorithm(signature.getSignatureAlgorithm());
                    String algorithm = credential.getPublicKey().getAlgorithm();
                    if (keyAlgorithm == null || keyAlgorithm.equals(algorithm)) {
                        return (Boolean) AccessController.doPrivileged(() -> {
                            try {
                                RestorableContextClassLoader restorableContextClassLoader = new RestorableContextClassLoader(SignatureValidator.class);
                                try {
                                    SignatureValidator.validate(signature, credential);
                                    this.logger.debug(() -> {
                                        return Strings.format("SAML Signature [%s] matches credentials [%s] [%s]", new Object[]{text, credential.getEntityId(), credential.getPublicKey()});
                                    });
                                    restorableContextClassLoader.close();
                                    return true;
                                } finally {
                                }
                            } catch (PrivilegedActionException e) {
                                this.logger.warn("SecurityException while attempting to validate SAML signature." + describeIssuer(issuer), e);
                                return false;
                            }
                        });
                    }
                    if (this.logger.isDebugEnabled()) {
                        this.logger.debug("Skipping [{}] key [{}] because it is not compatible with signature algorithm [{}]", algorithm, "SHA265:" + MessageDigests.toHexString(MessageDigests.sha256().digest(credential.getPublicKey().getEncoded())), keyAlgorithm);
                    }
                    return false;
                } catch (PrivilegedActionException e) {
                    throw new SecurityException("SecurityException while attempting to validate SAML signature", e);
                }
            }, text, issuer);
        } catch (SignatureException e) {
            throw samlSignatureException(issuer, this.idp.getSigningCredentials(), text, e);
        }
    }

    protected void checkIdpSignature(CheckedFunction<Credential, Boolean, Exception> checkedFunction, String str, @Nullable Issuer issuer) {
        Predicate<? super Credential> predicate = credential -> {
            try {
                return ((Boolean) checkedFunction.apply(credential)).booleanValue();
            } catch (SignatureException | SecurityException e) {
                this.logger.debug(() -> {
                    return Strings.format("SAML Signature [%s] does not match credentials [%s] [%s] -- %s", new Object[]{str, credential.getEntityId(), credential.getPublicKey(), e});
                });
                this.logger.trace("SAML Signature failure caused by", e);
                return false;
            } catch (Exception e2) {
                this.logger.warn("Exception while attempting to validate SAML Signature." + describeIssuer(issuer), e2);
                return false;
            }
        };
        List<Credential> signingCredentials = this.idp.getSigningCredentials();
        if (!signingCredentials.stream().anyMatch(predicate)) {
            throw samlSignatureException(issuer, signingCredentials, str);
        }
    }

    private ElasticsearchSecurityException samlSignatureException(@Nullable Issuer issuer, List<Credential> list, String str, Exception exc) {
        this.logger.warn("The XML Signature of this SAML message cannot be validated. Please verify that the saml realm uses the correct SAML metadata file/URL for this Identity Provider.{}", describeIssuer(issuer));
        return exc != null ? SamlUtils.samlException("SAML Signature [{}] could not be validated against [{}]", exc, str, describeCredentials(list)) : SamlUtils.samlException("SAML Signature [{}] could not be validated against [{}]", str, describeCredentials(list));
    }

    private ElasticsearchSecurityException samlSignatureException(Issuer issuer, List<Credential> list, String str) {
        return samlSignatureException(issuer, list, str, null);
    }

    static String describeIssuer(@Nullable Issuer issuer) {
        return (issuer == null || issuer.getValue() == null) ? "" : issuer.getValue().length() > ISSUER_VALUE_MAX_LENGTH ? org.elasticsearch.common.Strings.format(" The issuer included in the SAML message was [%s]...", new Object[]{org.elasticsearch.common.Strings.cleanTruncate(issuer.getValue(), ISSUER_VALUE_MAX_LENGTH)}) : org.elasticsearch.common.Strings.format(" The issuer included in the SAML message was [%s]", new Object[]{issuer.getValue()});
    }

    private static String describeCredentials(List<Credential> list) {
        return (String) list.stream().map(credential -> {
            byte[] encoded;
            if (credential == null) {
                return "<null>";
            }
            if (credential instanceof X509Credential) {
                try {
                    encoded = ((X509Credential) credential).getEntityCertificate().getEncoded();
                } catch (CertificateEncodingException e) {
                    encoded = credential.getPublicKey().getEncoded();
                }
            } else {
                encoded = credential.getPublicKey().getEncoded();
            }
            return Base64.getEncoder().encodeToString(encoded).substring(0, 64) + "...";
        }).collect(Collectors.joining(","));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void checkIssuer(Issuer issuer, XMLObject xMLObject) {
        if (issuer == null) {
            throw SamlUtils.samlException("Element {} ({}) has no issuer, but expected [{}]", xMLObject.getElementQName(), text(xMLObject, 16), this.idp.getEntityId());
        }
        if (!this.idp.getEntityId().equals(issuer.getValue())) {
            throw SamlUtils.samlException("SAML Issuer [{}] does not match expected value [{}]", issuer.getValue(), this.idp.getEntityId());
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public long maxSkewInMillis() {
        return this.maxSkew.millis();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Instant now() {
        return this.clock.instant();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public <T extends XMLObject> T buildXmlObject(Element element, Class<T> cls) {
        try {
            Unmarshaller unmarshaller = this.unmarshallerFactory.getUnmarshaller(element);
            if (unmarshaller == null) {
                throw SamlUtils.samlException("XML element [{}] cannot be unmarshalled to SAML type [{}] (no unmarshaller)", element.getTagName(), cls);
            }
            XMLObject unmarshall = unmarshaller.unmarshall(element);
            if (cls.isInstance(unmarshall)) {
                return cls.cast(unmarshall);
            }
            Object[] objArr = new Object[3];
            objArr[0] = element.getTagName();
            objArr[1] = cls.getName();
            objArr[2] = unmarshall == null ? "<null>" : unmarshall.getClass().getName();
            throw SamlUtils.samlException("SAML object [{}] is incorrect type. Expected [{}] but was [{}]", objArr);
        } catch (UnmarshallingException e) {
            throw SamlUtils.samlException("Failed to unmarshall SAML content [{}]", e, element.getTagName());
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public static String text(XMLObject xMLObject, int i) {
        return text(xMLObject, i, 0);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public static String text(XMLObject xMLObject, int i, int i2) {
        Element dom = xMLObject.getDOM();
        if (dom == null) {
            return null;
        }
        String trim = dom.getTextContent().trim();
        if (trim.length() <= i + i2) {
            return trim;
        }
        String str = org.elasticsearch.common.Strings.cleanTruncate(trim, i) + "...";
        if (i2 == 0) {
            return str;
        }
        int length = trim.length() - i2;
        if (Character.isHighSurrogate(trim.charAt(length))) {
            length++;
        }
        return str + trim.substring(length);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Element parseSamlMessage(byte[] bArr) {
        try {
            ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bArr);
            try {
                Element documentElement = THREAD_LOCAL_DOCUMENT_BUILDER.get().parse(byteArrayInputStream).getDocumentElement();
                if (this.logger.isTraceEnabled()) {
                    this.logger.trace("Received SAML Message: {} \n", SamlUtils.toString(documentElement, true));
                }
                byteArrayInputStream.close();
                return documentElement;
            } finally {
            }
        } catch (IOException | SAXException e) {
            throw SamlUtils.samlException("Failed to parse SAML message", e, new Object[0]);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void validateNotOnOrAfter(Instant instant) {
        if (instant == null) {
            return;
        }
        Instant minusMillis = now().minusMillis(this.maxSkew.millis());
        if (!minusMillis.isBefore(instant)) {
            throw SamlUtils.samlException("Rejecting SAML assertion because [{}] is on/after [{}]", minusMillis, instant);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public ParsedQueryString parseQueryStringAndValidateSignature(String str, String str2) {
        String replaceAll = str.replaceAll("&Signature=.*$", "");
        HashMap hashMap = new HashMap();
        RestUtils.decodeQueryString(str, 0, hashMap);
        String str3 = (String) hashMap.get(str2);
        if (str3 == null) {
            throw SamlUtils.samlException("Could not parse {} from query string: [{}]", str2, str);
        }
        String str4 = (String) hashMap.get("RelayState");
        String str5 = (String) hashMap.get("SigAlg");
        String str6 = (String) hashMap.get("Signature");
        if (str6 == null || str5 == null) {
            return new ParsedQueryString(str3, false, str4);
        }
        validateSignature(replaceAll, str5, str6);
        return new ParsedQueryString(str3, true, str4);
    }

    private void validateSignature(String str, String str2, String str3) {
        byte[] decodeBase64 = decodeBase64(str3);
        byte[] bytes = str.getBytes(StandardCharsets.US_ASCII);
        String cleanTruncate = org.elasticsearch.common.Strings.cleanTruncate(str3, 32);
        checkIdpSignature(credential -> {
            if (XMLSigningUtil.verifyWithURI(credential, str2, decodeBase64, bytes)) {
                this.logger.debug(() -> {
                    return Strings.format("SAML Signature [%s] matches credentials [%s] [%s]", new Object[]{cleanTruncate, credential.getEntityId(), credential.getPublicKey()});
                });
                return true;
            }
            this.logger.debug(() -> {
                return Strings.format("SAML Signature [%s] failed against credentials [%s] [%s]", new Object[]{cleanTruncate, credential.getEntityId(), credential.getPublicKey()});
            });
            return false;
        }, cleanTruncate, null);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public byte[] decodeBase64(String str) {
        try {
            return Base64.getDecoder().decode(str.replaceAll("\\s+", ""));
        } catch (IllegalArgumentException e) {
            this.logger.info("Failed to decode base64 string [{}] - {}", str, e.toString());
            throw SamlUtils.samlException("SAML message cannot be Base64 decoded", e, new Object[0]);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public static byte[] inflate(byte[] bArr) {
        Inflater inflater = new Inflater(true);
        try {
            ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bArr);
            try {
                InflaterInputStream inflaterInputStream = new InflaterInputStream(byteArrayInputStream, inflater);
                try {
                    ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream((bArr.length * 3) / 2);
                    try {
                        Streams.copy(inflaterInputStream, byteArrayOutputStream);
                        byte[] byteArray = byteArrayOutputStream.toByteArray();
                        byteArrayOutputStream.close();
                        inflaterInputStream.close();
                        byteArrayInputStream.close();
                        return byteArray;
                    } catch (Throwable th) {
                        try {
                            byteArrayOutputStream.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                        throw th;
                    }
                } catch (Throwable th3) {
                    try {
                        inflaterInputStream.close();
                    } catch (Throwable th4) {
                        th3.addSuppressed(th4);
                    }
                    throw th3;
                }
            } finally {
            }
        } catch (IOException e) {
            throw SamlUtils.samlException("SAML message cannot be inflated", e, new Object[0]);
        }
    }
}
