package com.floragunn.dlic.auth.http.saml;

import com.fasterxml.jackson.core.JsonParseException;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.floragunn.codova.documents.DocNode;
import com.floragunn.codova.documents.DocumentParseException;
import com.floragunn.codova.documents.Format;
import com.floragunn.dlic.auth.http.saml.AuthTokenProcessorAction;
import com.floragunn.dlic.auth.ldap.util.ConfigConstants;
import com.floragunn.searchguard.authc.AuthenticatorUnavailableException;
import com.google.common.base.Strings;
import com.onelogin.saml2.authn.SamlResponse;
import com.onelogin.saml2.exception.SettingsException;
import com.onelogin.saml2.exception.ValidationError;
import com.onelogin.saml2.settings.Saml2Settings;
import com.onelogin.saml2.util.Util;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPathExpressionException;
import org.apache.commons.lang3.StringUtils;
import org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
import org.apache.cxf.rs.security.jose.jwk.KeyType;
import org.apache.cxf.rs.security.jose.jwk.PublicKeyUse;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jwt.JoseJwtProducer;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestResponse;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.xcontent.XContentType;
import org.joda.time.DateTime;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

/* JADX INFO: Access modifiers changed from: package-private */
@Deprecated
/* loaded from: input_file:com/floragunn/dlic/auth/http/saml/AuthTokenProcessorHandler.class */
public class AuthTokenProcessorHandler {
    private static final Logger log = LogManager.getLogger(AuthTokenProcessorHandler.class);
    private static final Logger token_log = LogManager.getLogger("com.floragunn.dlic.auth.http.saml.Token");
    private static final Pattern EXPIRY_SETTINGS_PATTERN = Pattern.compile("\\s*(\\w+)\\s*(?:\\+\\s*(\\w+))?\\s*");
    private Saml2SettingsProvider saml2SettingsProvider;
    private JoseJwtProducer jwtProducer;
    private String jwtSubjectKey;
    private String jwtRolesKey;
    private String samlSubjectKey;
    private String samlRolesKey;
    private String samlRolesSeparator;
    private String kibanaRootUrl;
    private JsonWebKey signingKey;
    private Pattern subjectPattern;
    private long expiryOffset = 0;
    private ExpiryBaseValue expiryBaseValue = ExpiryBaseValue.AUTO;
    private JsonMapObjectReaderWriter jsonMapReaderWriter = new JsonMapObjectReaderWriter();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/floragunn/dlic/auth/http/saml/AuthTokenProcessorHandler$ExpiryBaseValue.class */
    public enum ExpiryBaseValue {
        AUTO,
        NOW,
        SESSION
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public AuthTokenProcessorHandler(Settings settings, Settings settings2, Saml2SettingsProvider saml2SettingsProvider) {
        this.saml2SettingsProvider = saml2SettingsProvider;
        this.jwtRolesKey = settings2.get("roles_key", ConfigConstants.LDAP_AUTHZ_ROLES);
        this.jwtSubjectKey = settings2.get("subject_key", "sub");
        this.samlRolesKey = settings.get("roles_key");
        this.samlSubjectKey = settings.get("subject_key");
        this.samlRolesSeparator = settings.get("roles_seperator");
        this.kibanaRootUrl = settings.get("kibana_url");
        this.subjectPattern = getSubjectPattern(settings);
        if (this.samlRolesKey == null || this.samlRolesKey.length() == 0) {
            log.warn("roles_key is not configured, will only extract subject from SAML");
            this.samlRolesKey = null;
        }
        if (this.samlSubjectKey == null || this.samlSubjectKey.length() == 0) {
            this.samlSubjectKey = null;
        }
        if (this.samlRolesSeparator == null || this.samlRolesSeparator.length() == 0) {
            this.samlRolesSeparator = null;
        }
        initJwtExpirySettings(settings);
        this.signingKey = createJwkFromSettings(settings, settings2);
        this.jwtProducer = new JoseJwtProducer();
        this.jwtProducer.setSignatureProvider(JwsUtils.getSignatureProvider(this.signingKey));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean handle(final RestRequest restRequest, final RestChannel restChannel) throws Exception {
        try {
            SecurityManager securityManager = System.getSecurityManager();
            if (securityManager != null) {
                securityManager.checkPermission(new SpecialPermission());
            }
            return ((Boolean) AccessController.doPrivileged(new PrivilegedExceptionAction<Boolean>() { // from class: com.floragunn.dlic.auth.http.saml.AuthTokenProcessorHandler.1
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedExceptionAction
                public Boolean run() throws XPathExpressionException, SamlConfigException, IOException, ParserConfigurationException, SAXException, SettingsException, AuthenticatorUnavailableException {
                    return Boolean.valueOf(AuthTokenProcessorHandler.this.handleLowLevel(restRequest, restChannel));
                }
            })).booleanValue();
        } catch (PrivilegedActionException e) {
            if (e.getCause() instanceof Exception) {
                throw ((Exception) e.getCause());
            }
            throw new RuntimeException(e);
        }
    }

    private AuthTokenProcessorAction.Response handleImpl(RestRequest restRequest, RestChannel restChannel, String str, String str2, String str3, Saml2Settings saml2Settings) throws XPathExpressionException, ParserConfigurationException, SAXException, IOException, SettingsException {
        if (token_log.isDebugEnabled()) {
            try {
                token_log.debug("SAMLResponse for " + str2 + "\n" + new String(Util.base64decoder(str), "UTF-8"));
            } catch (Exception e) {
                token_log.warn("SAMLResponse for " + str2 + " cannot be decoded from base64\n" + str, e);
            }
        }
        try {
            SamlResponse samlResponse = new SamlResponse(saml2Settings, str3, str);
            if (!samlResponse.isValid(str2)) {
                log.warn("Error while validating SAML response in /_searchguard/api/authtoken");
                return null;
            }
            AuthTokenProcessorAction.Response response = new AuthTokenProcessorAction.Response();
            response.setAuthorization("bearer " + createJwt(samlResponse));
            return response;
        } catch (Exception e2) {
            log.error("Error while converting SAML to JWT", e2);
            return null;
        } catch (ValidationError e3) {
            log.warn("Error while validating SAML response", e3);
            return null;
        }
    }

    private boolean handleLowLevel(RestRequest restRequest, RestChannel restChannel) throws SamlConfigException, IOException, XPathExpressionException, ParserConfigurationException, SAXException, SettingsException, AuthenticatorUnavailableException {
        try {
            if (restRequest.getXContentType() != XContentType.JSON) {
                throw new ElasticsearchSecurityException("/_searchguard/api/authtoken expects content with type application/json", RestStatus.UNSUPPORTED_MEDIA_TYPE, new Object[0]);
            }
            if (restRequest.method() != RestRequest.Method.POST) {
                throw new ElasticsearchSecurityException("/_searchguard/api/authtoken expects POST requests", RestStatus.METHOD_NOT_ALLOWED, new Object[0]);
            }
            Saml2Settings cached = this.saml2SettingsProvider.getCached();
            DocNode from = DocNode.parse(Format.JSON).from(BytesReference.toBytes(restRequest.requiredContent()));
            if (!from.isMap()) {
                throw new JsonParseException((JsonParser) null, "Unexpected json format: " + String.valueOf(from));
            }
            if (from.get("SAMLResponse") == null) {
                log.warn("SAMLResponse is missing from request ");
                throw new ElasticsearchSecurityException("SAMLResponse is missing from request", RestStatus.BAD_REQUEST, new Object[0]);
            }
            String asString = from.getAsString("SAMLResponse");
            String asString2 = from.get("RequestId") != null ? from.getAsString("RequestId") : null;
            String url = cached.getSpAssertionConsumerServiceUrl().toString();
            if (from.get("acsEndpoint") != null) {
                url = getAbsoluteAcsEndpoint(from.getAsString("acsEndpoint"));
            }
            AuthTokenProcessorAction.Response handleImpl = handleImpl(restRequest, restChannel, asString, asString2, url, cached);
            if (handleImpl == null) {
                return false;
            }
            restChannel.sendResponse(new RestResponse(RestStatus.OK, "application/json", handleImpl.toJsonString()));
            return true;
        } catch (JsonProcessingException | DocumentParseException e) {
            log.warn("Error while parsing JSON for /_searchguard/api/authtoken", e);
            restChannel.sendResponse(new RestResponse(RestStatus.BAD_REQUEST, "JSON could not be parsed"));
            return true;
        }
    }

    JsonWebKey createJwkFromSettings(Settings settings, Settings settings2) {
        String str = settings.get("exchange_key");
        if (!Strings.isNullOrEmpty(str)) {
            JsonWebKey jsonWebKey = new JsonWebKey();
            jsonWebKey.setKeyType(KeyType.OCTET);
            jsonWebKey.setAlgorithm("HS512");
            jsonWebKey.setPublicKeyUse(PublicKeyUse.SIGN);
            jsonWebKey.setProperty("k", str);
            return jsonWebKey;
        }
        Settings asSettings = settings2.getAsSettings("key");
        if (asSettings.isEmpty()) {
            throw new RuntimeException("Settings for key exchange missing. Please specify at least the option exchange_key with a shared secret.");
        }
        JsonWebKey jsonWebKey2 = new JsonWebKey();
        for (String str2 : asSettings.keySet()) {
            jsonWebKey2.setProperty(str2, asSettings.get(str2));
        }
        return jsonWebKey2;
    }

    private String createJwt(SamlResponse samlResponse) throws Exception {
        JwtClaims jwtClaims = new JwtClaims();
        JwtToken jwtToken = new JwtToken(jwtClaims);
        jwtClaims.setNotBefore(Long.valueOf(System.currentTimeMillis() / 1000));
        jwtClaims.setExpiryTime(Long.valueOf(getJwtExpiration(samlResponse)));
        jwtClaims.setProperty(this.jwtSubjectKey, extractSubject(samlResponse));
        if (this.samlSubjectKey != null) {
            jwtClaims.setProperty("saml_ni", samlResponse.getNameId());
        }
        if (samlResponse.getNameIdFormat() != null) {
            jwtClaims.setProperty("saml_nif", SamlNameIdFormat.getByUri(samlResponse.getNameIdFormat()).getShortName());
        }
        String sessionIndex = samlResponse.getSessionIndex();
        if (sessionIndex != null) {
            jwtClaims.setProperty("saml_si", sessionIndex);
        }
        if (this.samlRolesKey != null && this.jwtRolesKey != null) {
            jwtClaims.setProperty(this.jwtRolesKey, extractRoles(samlResponse));
        }
        String processJwt = this.jwtProducer.processJwt(jwtToken);
        if (token_log.isDebugEnabled()) {
            token_log.debug("Created JWT: " + processJwt + "\n" + this.jsonMapReaderWriter.toJson(jwtToken.getJwsHeaders()) + "\n" + JwtUtils.claimsToJson(jwtToken.getClaims()));
        }
        return processJwt;
    }

    private long getJwtExpiration(SamlResponse samlResponse) throws Exception {
        DateTime sessionNotOnOrAfter = samlResponse.getSessionNotOnOrAfter();
        if (this.expiryBaseValue == ExpiryBaseValue.NOW) {
            return (System.currentTimeMillis() / 1000) + this.expiryOffset;
        }
        if (this.expiryBaseValue == ExpiryBaseValue.SESSION) {
            if (sessionNotOnOrAfter != null) {
                return (sessionNotOnOrAfter.getMillis() / 1000) + this.expiryOffset;
            }
            throw new Exception("Error while determining JWT expiration time: SamlResponse did not contain sessionNotOnOrAfter value");
        }
        if (sessionNotOnOrAfter != null) {
            return sessionNotOnOrAfter.getMillis() / 1000;
        }
        return (System.currentTimeMillis() / 1000) + (this.expiryOffset > 0 ? this.expiryOffset : 3600L);
    }

    private void initJwtExpirySettings(Settings settings) {
        String str = settings.get("jwt.expiry");
        if (Strings.isNullOrEmpty(str)) {
            return;
        }
        Matcher matcher = EXPIRY_SETTINGS_PATTERN.matcher(str);
        if (!matcher.matches()) {
            log.error("Invalid value for jwt.expiry: " + str + "; using defaults.");
            return;
        }
        String group = matcher.group(1);
        String group2 = matcher.group(2);
        if (group2 != null && !StringUtils.isNumeric(group2)) {
            log.error("Invalid offset value for jwt.expiry: " + str + "; using defaults.");
            return;
        }
        if (!Strings.isNullOrEmpty(group)) {
            try {
                this.expiryBaseValue = ExpiryBaseValue.valueOf(group.toUpperCase());
            } catch (IllegalArgumentException e) {
                log.error("Invalid base value for jwt.expiry: " + str + "; using defaults");
                return;
            }
        }
        if (group2 != null) {
            this.expiryOffset = Integer.parseInt(group2) * 60;
        }
    }

    private String extractSubject(SamlResponse samlResponse) throws Exception {
        if (this.samlSubjectKey == null) {
            return applySubjectPattern(samlResponse.getNameId());
        }
        List list = (List) samlResponse.getAttributes().get(this.samlSubjectKey);
        if (list == null || list.size() == 0) {
            return null;
        }
        return applySubjectPattern((String) list.get(0));
    }

    private String applySubjectPattern(String str) {
        if (str == null) {
            return null;
        }
        if (this.subjectPattern == null) {
            return str;
        }
        Matcher matcher = this.subjectPattern.matcher(str);
        if (!matcher.matches()) {
            log.warn("Subject " + str + " does not match subject_pattern " + String.valueOf(this.subjectPattern));
            return null;
        }
        if (matcher.groupCount() == 1) {
            str = matcher.group(1);
        } else if (matcher.groupCount() > 1) {
            StringBuilder sb = new StringBuilder();
            for (int i = 1; i <= matcher.groupCount(); i++) {
                if (matcher.group(i) != null) {
                    sb.append(matcher.group(i));
                }
            }
            str = sb.length() != 0 ? sb.toString() : null;
        }
        return str;
    }

    private String[] extractRoles(SamlResponse samlResponse) throws XPathExpressionException, ValidationError {
        if (this.samlRolesKey == null) {
            return new String[0];
        }
        List<String> list = (List) samlResponse.getAttributes().get(this.samlRolesKey);
        if (list == null || list.size() == 0) {
            return null;
        }
        List<String> splitRoles = this.samlRolesSeparator != null ? splitRoles(list) : trimRoles(list);
        return (String[]) splitRoles.toArray(new String[splitRoles.size()]);
    }

    private List<String> splitRoles(List<String> list) {
        ArrayList arrayList = new ArrayList(list.size() * 5);
        for (String str : list) {
            if (str != null) {
                for (String str2 : str.split(this.samlRolesSeparator)) {
                    arrayList.add(str2.trim());
                }
            }
        }
        return arrayList;
    }

    private List<String> trimRoles(List<String> list) {
        ArrayList arrayList = new ArrayList(list);
        for (int i = 0; i < arrayList.size(); i++) {
            if (arrayList.get(i) != null) {
                arrayList.set(i, ((String) arrayList.get(i)).trim());
            }
        }
        return arrayList;
    }

    private String getAbsoluteAcsEndpoint(String str) {
        try {
            URI uri = new URI(str);
            return uri.isAbsolute() ? str : new URI(this.kibanaRootUrl).resolve(uri).toString();
        } catch (URISyntaxException e) {
            log.error("Could not parse URI for acsEndpoint: " + str);
            return str;
        }
    }

    public JsonWebKey getSigningKey() {
        return this.signingKey;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public String getSamlResponseBase64(RestRequest restRequest) {
        try {
            DocNode from = DocNode.parse(Format.JSON).from(BytesReference.toBytes(restRequest.requiredContent()));
            if (!from.isMap()) {
                throw new ElasticsearchSecurityException("Unexpected json format: " + String.valueOf(from), RestStatus.BAD_REQUEST, new Object[0]);
            }
            if (from.get("SAMLResponse") != null) {
                return from.getAsString("SAMLResponse");
            }
            log.warn("SAMLResponse is missing from request ");
            throw new ElasticsearchSecurityException("SAMLResponse is missing from request", RestStatus.BAD_REQUEST, new Object[0]);
        } catch (DocumentParseException e) {
            throw new ElasticsearchSecurityException("Bad Request: " + String.valueOf(e), RestStatus.BAD_REQUEST, new Object[0]);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean isResponseFromConfiguredEntity(String str) throws SamlConfigException {
        try {
            SecurityManager securityManager = System.getSecurityManager();
            if (securityManager != null) {
                securityManager.checkPermission(new SpecialPermission());
            }
            return ((Boolean) AccessController.doPrivileged(() -> {
                return Boolean.valueOf(isResponseFromConfiguredEntityImpl(str));
            })).booleanValue();
        } catch (PrivilegedActionException e) {
            if (e.getCause() instanceof SamlConfigException) {
                throw ((SamlConfigException) e.getCause());
            }
            throw new RuntimeException(e);
        }
    }

    private boolean isResponseFromConfiguredEntityImpl(String str) throws SamlConfigException, AuthenticatorUnavailableException {
        try {
            Document loadXML = Util.loadXML(new String(Util.base64decoder(str), "UTF-8"));
            Saml2Settings cached = this.saml2SettingsProvider.getCached();
            String issuer = getIssuer(loadXML);
            if (log.isDebugEnabled()) {
                log.debug("Checking SAML response issuer:\nIssuer: " + issuer + "\nExpected: " + cached.getIdpEntityId());
            }
            if (issuer == null) {
                return true;
            }
            return issuer.equals(cached.getIdpEntityId());
        } catch (UnsupportedEncodingException e) {
            log.error("Error in isResponseFromConfiguredEntity()", e);
            return false;
        }
    }

    private String getIssuer(Document document) {
        try {
            NodeList query = Util.query(document, "/samlp:Response/saml:Issuer");
            if (query.getLength() >= 1) {
                return query.item(0).getTextContent();
            }
            log.warn("SAMLResponse does not contain issuer: " + String.valueOf(document));
            return null;
        } catch (XPathExpressionException e) {
            log.error("Error in getIssuer()", e);
            return null;
        }
    }

    private static Pattern getSubjectPattern(Settings settings) {
        String str = settings.get("subject_pattern");
        if (str == null) {
            return null;
        }
        try {
            return Pattern.compile(str);
        } catch (PatternSyntaxException e) {
            log.error("Invalid regular expression for subject_pattern: " + str, e);
            return null;
        }
    }
}
