package org.elasticsearch.xpack.security.authc.saml;

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
import java.util.concurrent.atomic.AtomicReference;
import java.util.stream.Collectors;
import joptsimple.OptionParser;
import joptsimple.OptionSet;
import joptsimple.OptionSpec;
import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.LogManager;
import org.elasticsearch.cli.ProcessInfo;
import org.elasticsearch.cli.Terminal;
import org.elasticsearch.cli.UserException;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.cli.KeyStoreAwareCommand;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.settings.KeyStoreWrapper;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.ssl.PemUtils;
import org.elasticsearch.common.util.LocaleUtils;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.CheckedFunction;
import org.elasticsearch.core.PathUtils;
import org.elasticsearch.core.SuppressForbidden;
import org.elasticsearch.env.Environment;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
import org.elasticsearch.xpack.core.security.authc.saml.SamlRealmSettings;
import org.elasticsearch.xpack.core.ssl.CertParsingUtils;
import org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail;
import org.elasticsearch.xpack.security.authc.saml.SamlSpMetadataBuilder;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.impl.EntityDescriptorMarshaller;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.Signer;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommand.class */
class SamlMetadataCommand extends KeyStoreAwareCommand {
    static final String METADATA_SCHEMA = "saml-schema-metadata-2.0.xsd";
    private final OptionSpec<String> outputPathSpec;
    private final OptionSpec<Void> batchSpec;
    private final OptionSpec<String> realmSpec;
    private final OptionSpec<String> localeSpec;
    private final OptionSpec<String> serviceNameSpec;
    private final OptionSpec<String> attributeSpec;
    private final OptionSpec<String> orgNameSpec;
    private final OptionSpec<String> orgDisplayNameSpec;
    private final OptionSpec<String> orgUrlSpec;
    private final OptionSpec<Void> contactsSpec;
    private final OptionSpec<String> signingPkcs12PathSpec;
    private final OptionSpec<String> signingCertPathSpec;
    private final OptionSpec<String> signingKeyPathSpec;
    private final OptionSpec<String> keyPasswordSpec;
    private final CheckedFunction<Environment, KeyStoreWrapper, Exception> keyStoreFunction;
    private KeyStoreWrapper keyStoreWrapper;

    /* JADX INFO: Access modifiers changed from: package-private */
    public SamlMetadataCommand() {
        this(environment -> {
            return KeyStoreWrapper.load(environment.configDir());
        });
    }

    SamlMetadataCommand(CheckedFunction<Environment, KeyStoreWrapper, Exception> checkedFunction) {
        super("Generate Service Provider Metadata for a SAML realm");
        this.outputPathSpec = this.parser.accepts("out", "path of the xml file that should be generated").withRequiredArg();
        this.batchSpec = this.parser.accepts("batch", "Do not prompt");
        this.realmSpec = this.parser.accepts(LoggingAuditTrail.REALM_FIELD_NAME, "name of the elasticsearch realm for which metadata should be generated").withRequiredArg();
        this.localeSpec = this.parser.accepts("locale", "the locale to be used for elements that require a language").withRequiredArg();
        this.serviceNameSpec = this.parser.accepts("service-name", "the name to apply to the attribute consuming service").withRequiredArg();
        this.attributeSpec = this.parser.accepts("attribute", "additional SAML attributes to request").withRequiredArg();
        this.orgNameSpec = this.parser.accepts("organisation-name", "the name of the organisation operating this service").withRequiredArg();
        this.orgDisplayNameSpec = this.parser.accepts("organisation-display-name", "the display-name of the organisation operating this service").availableIf(this.orgNameSpec, new OptionSpec[0]).withRequiredArg();
        this.orgUrlSpec = this.parser.accepts("organisation-url", "the URL of the organisation operating this service").requiredIf(this.orgNameSpec, new OptionSpec[0]).withRequiredArg();
        this.contactsSpec = this.parser.accepts("contacts", "Include contact information in metadata").availableUnless(this.batchSpec, new OptionSpec[0]);
        this.signingPkcs12PathSpec = this.parser.accepts("signing-bundle", "path to an existing key pair (in PKCS#12 format) to be used for signing ").withRequiredArg();
        this.signingCertPathSpec = this.parser.accepts("signing-cert", "path to an existing signing certificate").availableUnless(this.signingPkcs12PathSpec, new OptionSpec[0]).withRequiredArg();
        this.signingKeyPathSpec = this.parser.accepts("signing-key", "path to an existing signing private key").availableIf(this.signingCertPathSpec, new OptionSpec[0]).requiredIf(this.signingCertPathSpec, new OptionSpec[0]).withRequiredArg();
        this.keyPasswordSpec = this.parser.accepts("signing-key-password", "password for an existing signing private key or keypair").withOptionalArg();
        this.keyStoreFunction = checkedFunction;
    }

    public void close() throws IOException {
        super.close();
        if (this.keyStoreWrapper != null) {
            this.keyStoreWrapper.close();
        }
    }

    public void execute(Terminal terminal, OptionSet optionSet, Environment environment, ProcessInfo processInfo) throws Exception {
        Loggers.setLevel(LogManager.getLogger("org.opensaml"), Level.WARN);
        SamlUtils.initialize(LogManager.getLogger(getClass()));
        validateXml(terminal, writeOutput(terminal, optionSet, possiblySignDescriptor(terminal, optionSet, buildEntityDescriptor(terminal, optionSet, environment), environment)));
    }

    EntityDescriptor buildEntityDescriptor(Terminal terminal, OptionSet optionSet, Environment environment) throws Exception {
        String requireText;
        String str;
        String requireText2;
        boolean has = optionSet.has(this.batchSpec);
        RealmConfig findRealm = findRealm(terminal, optionSet, environment);
        terminal.println(Terminal.Verbosity.VERBOSE, "Using realm configuration\n=====\n" + findRealm.settings().getByPrefix(RealmSettings.realmSettingPrefix(findRealm.identifier())).toDelimitedString('\n') + "=====");
        Locale findLocale = findLocale(optionSet);
        terminal.println(Terminal.Verbosity.VERBOSE, "Using locale: " + findLocale.toLanguageTag());
        SpConfiguration spConfiguration = SamlRealm.getSpConfiguration(findRealm);
        SamlSpMetadataBuilder serviceName = new SamlSpMetadataBuilder(findLocale, spConfiguration.getEntityId()).assertionConsumerServiceUrl(spConfiguration.getAscUrl()).singleLogoutServiceUrl(spConfiguration.getLogoutUrl()).encryptionCredentials(spConfiguration.getEncryptionCredentials()).signingCredential(spConfiguration.getSigningConfiguration().getCredential()).authnRequestsSigned(Boolean.valueOf(spConfiguration.getSigningConfiguration().shouldSign("AuthnRequest"))).nameIdFormat((String) findRealm.getSetting(SamlRealmSettings.NAMEID_FORMAT)).serviceName((String) option(this.serviceNameSpec, optionSet, environment.settings().get(LoggingAuditTrail.CLUSTER_NAME_FIELD_NAME)));
        Map<String, String> attributeNames = getAttributeNames(optionSet, findRealm);
        for (String str2 : attributeNames.keySet()) {
            String str3 = attributeNames.get(str2);
            String str4 = str3 == null ? "command line" : "\"" + str3 + "\"";
            if (str2.contains(":")) {
                requireText2 = str2;
                if (has) {
                    str = str3;
                } else {
                    str = terminal.readText("What is the friendly name for " + str4 + " attribute \"" + str2 + "\" [default: " + (str3 == null ? "none" : str3) + "] ");
                    if (Strings.isNullOrEmpty(str)) {
                        str = str3;
                    }
                }
            } else {
                if (has) {
                    throw new UserException(78, "Option " + this.batchSpec.toString() + " is specified, but attribute " + str2 + " appears to be a FriendlyName value");
                }
                str = str2;
                requireText2 = requireText(terminal, "What is the standard (urn) name for " + str4 + " attribute \"" + str2 + "\" (required): ");
            }
            terminal.println(Terminal.Verbosity.VERBOSE, "Requesting attribute '" + requireText2 + "' (FriendlyName: '" + str + "')");
            serviceName.withAttribute(str, requireText2);
        }
        if (optionSet.has(this.orgNameSpec) && optionSet.has(this.orgUrlSpec)) {
            String str5 = (String) this.orgNameSpec.value(optionSet);
            serviceName.organization(str5, (String) option(this.orgDisplayNameSpec, optionSet, str5), (String) this.orgUrlSpec.value(optionSet));
        }
        if (optionSet.has(this.contactsSpec)) {
            terminal.println("\nPlease enter the personal details for each contact to be included in the metadata");
            do {
                String requireText3 = requireText(terminal, "What is the given name for the contact: ");
                String requireText4 = requireText(terminal, "What is the surname for the contact: ");
                String str6 = requireText3 + " " + requireText4;
                String requireText5 = requireText(terminal, "What is the email address for " + str6 + ": ");
                while (true) {
                    requireText = requireText(terminal, "What is the contact type for " + str6 + ": ");
                    if (SamlSpMetadataBuilder.ContactInfo.TYPES.containsKey(requireText)) {
                        break;
                    }
                    terminal.errorPrintln("Type '" + requireText + "' is not valid. Valid values are " + Strings.collectionToCommaDelimitedString(SamlSpMetadataBuilder.ContactInfo.TYPES.keySet()));
                }
                serviceName.withContact(requireText, requireText3, requireText4, requireText5);
            } while (terminal.promptYesNo("Enter details for another contact", true));
        }
        return serviceName.build();
    }

    Element possiblySignDescriptor(Terminal terminal, OptionSet optionSet, EntityDescriptor entityDescriptor, Environment environment) throws UserException {
        try {
            EntityDescriptorMarshaller entityDescriptorMarshaller = new EntityDescriptorMarshaller();
            if (!optionSet.has(this.signingPkcs12PathSpec) && (!optionSet.has(this.signingCertPathSpec) || !optionSet.has(this.signingKeyPathSpec))) {
                return entityDescriptorMarshaller.marshall(entityDescriptor);
            }
            Signature buildObject = XMLObjectProviderRegistrySupport.getBuilderFactory().getBuilder(Signature.DEFAULT_ELEMENT_NAME).buildObject(Signature.DEFAULT_ELEMENT_NAME);
            buildObject.setSigningCredential(buildSigningCredential(terminal, optionSet, environment));
            buildObject.setSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
            buildObject.setCanonicalizationAlgorithm("http://www.w3.org/2001/10/xml-exc-c14n#");
            entityDescriptor.setSignature(buildObject);
            Element marshall = entityDescriptorMarshaller.marshall(entityDescriptor);
            Signer.signObject(buildObject);
            return marshall;
        } catch (Exception e) {
            terminal.errorPrintln(Terminal.Verbosity.SILENT, e instanceof MarshallingException ? "Error serializing Metadata to file" : e instanceof SignatureException ? "Error attempting to sign Metadata" : "Error building signing credentials from provided keyPair");
            terminal.errorPrintln("The following errors were found:");
            printExceptions(terminal, e);
            throw new UserException(73, "Unable to create metadata document");
        }
    }

    private Path writeOutput(Terminal terminal, OptionSet optionSet, Element element) throws Exception {
        Path resolvePath = resolvePath((String) option(this.outputPathSpec, optionSet, "saml-elasticsearch-metadata.xml"));
        SamlUtils.print(element, Files.newBufferedWriter(resolvePath, new OpenOption[0]), true);
        terminal.println("\nWrote SAML metadata to " + String.valueOf(resolvePath));
        return resolvePath;
    }

    private Credential buildSigningCredential(Terminal terminal, OptionSet optionSet, Environment environment) throws Exception {
        X509Certificate readX509Certificate;
        PrivateKey readSigningKey;
        char[] chars = getChars((String) this.keyPasswordSpec.value(optionSet));
        if (optionSet.has(this.signingPkcs12PathSpec)) {
            Path resolvePath = resolvePath((String) this.signingPkcs12PathSpec.value(optionSet));
            Map map = (Map) withPassword("certificate bundle (" + String.valueOf(resolvePath) + ")", chars, terminal, cArr -> {
                return CertParsingUtils.readPkcs12KeyPairs(resolvePath, cArr, str -> {
                    return cArr;
                });
            });
            if (map.size() != 1) {
                throw new IllegalArgumentException("expected a single key in file [" + String.valueOf(resolvePath.toAbsolutePath()) + "] but found [" + map.size() + "]");
            }
            Map.Entry entry = (Map.Entry) map.entrySet().iterator().next();
            readX509Certificate = (X509Certificate) entry.getKey();
            readSigningKey = (PrivateKey) entry.getValue();
        } else {
            Path resolvePath2 = resolvePath((String) this.signingCertPathSpec.value(optionSet));
            Path resolvePath3 = resolvePath((String) this.signingKeyPathSpec.value(optionSet));
            readX509Certificate = CertParsingUtils.readX509Certificate(resolvePath2);
            readSigningKey = readSigningKey(resolvePath3, chars, terminal);
        }
        return new BasicX509Credential(readX509Certificate, readSigningKey);
    }

    private static <T, E extends Exception> T withPassword(String str, char[] cArr, Terminal terminal, CheckedFunction<char[], T, E> checkedFunction) throws Exception {
        if (cArr != null) {
            return (T) checkedFunction.apply(cArr);
        }
        char[] readSecret = terminal.readSecret("Enter password for " + str + " : ");
        try {
            T t = (T) checkedFunction.apply(readSecret);
            Arrays.fill(readSecret, (char) 0);
            return t;
        } catch (Throwable th) {
            Arrays.fill(readSecret, (char) 0);
            throw th;
        }
    }

    private static char[] getChars(String str) {
        if (str == null) {
            return null;
        }
        return str.toCharArray();
    }

    private static PrivateKey readSigningKey(Path path, char[] cArr, Terminal terminal) throws Exception {
        AtomicReference atomicReference = new AtomicReference(cArr);
        try {
            PrivateKey readPrivateKey = PemUtils.readPrivateKey(path, () -> {
                if (cArr != null) {
                    return cArr;
                }
                char[] readSecret = terminal.readSecret("Enter password for the signing key (" + String.valueOf(path.getFileName()) + ") : ");
                atomicReference.set(readSecret);
                return readSecret;
            });
            if (atomicReference.get() != null) {
                Arrays.fill((char[]) atomicReference.get(), (char) 0);
            }
            return readPrivateKey;
        } catch (Throwable th) {
            if (atomicReference.get() != null) {
                Arrays.fill((char[]) atomicReference.get(), (char) 0);
            }
            throw th;
        }
    }

    private static void validateXml(Terminal terminal, Path path) throws Exception {
        try {
            InputStream newInputStream = Files.newInputStream(path, new OpenOption[0]);
            try {
                SamlUtils.validate(newInputStream, METADATA_SCHEMA);
                terminal.println(Terminal.Verbosity.VERBOSE, "The generated metadata file conforms to the SAML metadata schema");
                if (newInputStream != null) {
                    newInputStream.close();
                }
            } finally {
            }
        } catch (SAXException e) {
            terminal.errorPrintln(Terminal.Verbosity.SILENT, "Error - The generated metadata file does not conform to the SAML metadata schema");
            terminal.errorPrintln("While validating " + path.toString() + " the follow errors were found:");
            printExceptions(terminal, e);
            throw new UserException(70, "Generated metadata is not valid");
        }
    }

    private static void printExceptions(Terminal terminal, Throwable th) {
        terminal.errorPrintln(" - " + th.getMessage());
        for (Throwable th2 : th.getSuppressed()) {
            printExceptions(terminal, th2);
        }
        if (th.getCause() == null || th.getCause() == th) {
            return;
        }
        printExceptions(terminal, th.getCause());
    }

    @SuppressForbidden(reason = "CLI tool working from current directory")
    private static Path resolvePath(String str) {
        return PathUtils.get(str, new String[0]).normalize();
    }

    private static String requireText(Terminal terminal, String str) {
        String str2 = null;
        while (true) {
            String str3 = str2;
            if (!Strings.isNullOrEmpty(str3)) {
                return str3;
            }
            str2 = terminal.readText(str);
        }
    }

    private static <T> T option(OptionSpec<T> optionSpec, OptionSet optionSet, T t) {
        return optionSet.has(optionSpec) ? (T) optionSpec.value(optionSet) : t;
    }

    private Map<String, String> getAttributeNames(OptionSet optionSet, RealmConfig realmConfig) {
        LinkedHashMap linkedHashMap = new LinkedHashMap();
        Iterator it = this.attributeSpec.values(optionSet).iterator();
        while (it.hasNext()) {
            linkedHashMap.put((String) it.next(), null);
        }
        Settings byPrefix = realmConfig.settings().getByPrefix(RealmSettings.realmSettingPrefix(realmConfig.identifier()) + "attributes.");
        for (String str : sorted(byPrefix.keySet())) {
            linkedHashMap.put(byPrefix.get(str), str);
        }
        return linkedHashMap;
    }

    private static SortedSet<String> sorted(Set<String> set) {
        return new TreeSet(set);
    }

    private RealmConfig findRealm(Terminal terminal, OptionSet optionSet, Environment environment) throws Exception {
        Settings settings;
        this.keyStoreWrapper = (KeyStoreWrapper) this.keyStoreFunction.apply(environment);
        if (this.keyStoreWrapper != null) {
            decryptKeyStore(this.keyStoreWrapper, terminal);
            Settings.Builder builder = Settings.builder();
            builder.put(environment.settings(), true);
            if (builder.getSecureSettings() == null) {
                builder.setSecureSettings(this.keyStoreWrapper);
            }
            settings = builder.build();
        } else {
            settings = environment.settings();
        }
        Map realmSettings = RealmSettings.getRealmSettings(settings);
        if (optionSet.has(this.realmSpec)) {
            String str = (String) this.realmSpec.value(optionSet);
            RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier("saml", str);
            if (((Settings) realmSettings.get(realmIdentifier)) == null) {
                throw new UserException(78, "No such realm '" + str + "' defined in " + String.valueOf(environment.configDir()));
            }
            if (isSamlRealm(realmIdentifier)) {
                return buildRealm(realmIdentifier, environment, settings);
            }
            throw new UserException(78, "Realm '" + str + "' is not a SAML realm (is '" + realmIdentifier.getType() + "')");
        }
        List list = realmSettings.entrySet().stream().filter(entry -> {
            return isSamlRealm((RealmConfig.RealmIdentifier) entry.getKey());
        }).toList();
        if (list.isEmpty()) {
            throw new UserException(78, "There is no SAML realm configured in " + String.valueOf(environment.configDir()));
        }
        if (list.size() <= 1) {
            Map.Entry entry2 = (Map.Entry) list.get(0);
            terminal.println("Building metadata for SAML realm " + String.valueOf(entry2.getKey()));
            return buildRealm((RealmConfig.RealmIdentifier) entry2.getKey(), environment, settings);
        }
        terminal.errorPrintln("Using configuration in " + String.valueOf(environment.configDir()));
        terminal.errorPrintln("Found multiple SAML realms: " + ((String) list.stream().map((v0) -> {
            return v0.getKey();
        }).map((v0) -> {
            return v0.toString();
        }).collect(Collectors.joining(", "))));
        terminal.errorPrintln("Use the -" + optionName(this.realmSpec) + " option to specify an explicit realm");
        throw new UserException(78, "Found multiple SAML realms, please specify one with '-" + optionName(this.realmSpec) + "'");
    }

    private static String optionName(OptionSpec<?> optionSpec) {
        return (String) optionSpec.options().get(0);
    }

    private static RealmConfig buildRealm(RealmConfig.RealmIdentifier realmIdentifier, Environment environment, Settings settings) {
        return new RealmConfig(realmIdentifier, settings, environment, new ThreadContext(settings));
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static boolean isSamlRealm(RealmConfig.RealmIdentifier realmIdentifier) {
        return "saml".equals(realmIdentifier.getType());
    }

    private Locale findLocale(OptionSet optionSet) {
        return optionSet.has(this.localeSpec) ? LocaleUtils.parse((String) this.localeSpec.value(optionSet)) : Locale.getDefault();
    }

    OptionParser getParser() {
        return this.parser;
    }
}
