package com.floragunn.searchguard.enterprise.auth.saml;

import com.floragunn.codova.config.net.TLSConfig;
import com.floragunn.codova.validation.ConfigValidationException;
import com.floragunn.codova.validation.ValidatingDocNode;
import com.floragunn.codova.validation.ValidationErrors;
import com.floragunn.codova.validation.errors.InvalidAttributeValue;
import com.floragunn.codova.validation.errors.MissingAttribute;
import com.floragunn.codova.validation.errors.ValidationError;
import com.floragunn.fluent.collections.ImmutableMap;
import com.floragunn.searchguard.TypedComponent;
import com.floragunn.searchguard.authc.AuthenticatorUnavailableException;
import com.floragunn.searchguard.authc.CredentialsException;
import com.floragunn.searchguard.authc.base.AuthcResult;
import com.floragunn.searchguard.authc.session.ActivatedFrontendConfig;
import com.floragunn.searchguard.authc.session.ApiAuthenticationFrontend;
import com.floragunn.searchguard.authc.session.GetActivatedFrontendConfigAction;
import com.floragunn.searchguard.configuration.ConfigurationRepository;
import com.floragunn.searchguard.configuration.Destroyable;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchguard.user.User;
import com.floragunn.searchsupport.cstate.ComponentState;
import com.floragunn.searchsupport.privileged_code.PrivilegedCode;
import com.google.common.base.Strings;
import com.onelogin.saml2.authn.AuthnRequest;
import com.onelogin.saml2.authn.SamlResponse;
import com.onelogin.saml2.http.HttpRequest;
import com.onelogin.saml2.logout.LogoutRequest;
import com.onelogin.saml2.settings.Saml2Settings;
import com.onelogin.saml2.util.Util;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.security.AccessController;
import java.security.PrivateKey;
import java.security.PrivilegedActionException;
import java.util.HashMap;
import java.util.Map;
import javax.xml.xpath.XPathExpressionException;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.DestructableComponent;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.common.settings.Settings;
import org.opensaml.core.config.InitializationException;
import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.io.UnmarshallingException;
import org.opensaml.saml.config.impl.SAMLConfigurationInitializer;
import org.opensaml.saml.config.impl.XMLObjectProviderInitializer;
import org.opensaml.saml.metadata.resolver.MetadataResolver;
import org.opensaml.saml.metadata.resolver.filter.FilterException;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/auth/saml/SamlAuthenticator.class */
public class SamlAuthenticator implements ApiAuthenticationFrontend, Destroyable {
    private static final String SSO_CONTEXT_PREFIX = "saml_request_id:";
    private URI idpMetadataUrl;
    private String idpMetadataXml;
    private String spSignatureAlgorithm;
    private Boolean useForceAuthn;
    private PrivateKey spSignaturePrivateKey;
    private Saml2SettingsProvider saml2SettingsProvider;
    private MetadataResolver metadataResolver;
    private boolean checkIssuer;
    private final ComponentState componentState = new ComponentState(0, "authentication_frontend", "saml", SamlAuthenticator.class).initialized().requiresEnterpriseLicense();
    protected static final Logger log = LogManager.getLogger(SamlAuthenticator.class);
    private static boolean openSamlInitialized = false;
    public static TypedComponent.Info<ApiAuthenticationFrontend> INFO = new TypedComponent.Info<ApiAuthenticationFrontend>() { // from class: com.floragunn.searchguard.enterprise.auth.saml.SamlAuthenticator.1
        public Class<ApiAuthenticationFrontend> getType() {
            return ApiAuthenticationFrontend.class;
        }

        public String getName() {
            return "saml";
        }

        public TypedComponent.Factory<ApiAuthenticationFrontend> getFactory() {
            return (v1, v2) -> {
                return new SamlAuthenticator(v1, v2);
            };
        }
    };

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/floragunn/searchguard/enterprise/auth/saml/SamlAuthenticator$IdpEndpointType.class */
    public enum IdpEndpointType {
        SSO,
        SLO
    }

    public SamlAuthenticator(Map<String, Object> map, ConfigurationRepository.Context context) throws ConfigValidationException {
        ensureOpenSamlInitialization();
        ValidationErrors validationErrors = new ValidationErrors();
        ValidatingDocNode validatingDocNode = new ValidatingDocNode(map, validationErrors, context);
        this.idpMetadataUrl = validatingDocNode.get("idp.metadata_url").asURI();
        this.idpMetadataXml = validatingDocNode.get("idp.metadata_xml").asString();
        this.spSignatureAlgorithm = validatingDocNode.get("sp.signature_algorithm").withDefault("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256").asString();
        String asString = validatingDocNode.get("sp.signature_private_key_password").asString();
        this.spSignaturePrivateKey = (PrivateKey) validatingDocNode.get("sp.signature_private_key").byString(str -> {
            return TLSConfig.toPrivateKey(str, asString);
        });
        this.useForceAuthn = validatingDocNode.get("sp.forceAuthn").asBoolean();
        this.checkIssuer = validatingDocNode.get("check_issuer").withDefault(true).asBoolean();
        String asString2 = validatingDocNode.get("idp.entity_id").required().asString();
        String asString3 = validatingDocNode.get("sp.entity_id").asString();
        if (this.idpMetadataUrl == null && this.idpMetadataXml == null) {
            validationErrors.add(new ValidationError("idp.metadata_url", "idp.metadata_url and idp.metadata_xml are unconfigured"));
        }
        TLSConfig tLSConfig = (TLSConfig) validatingDocNode.get("idp.tls").by((v0) -> {
            return TLSConfig.parse(v0);
        });
        if (this.idpMetadataUrl != null) {
            try {
                SamlHTTPMetadataResolver samlHTTPMetadataResolver = new SamlHTTPMetadataResolver(this.idpMetadataUrl, tLSConfig);
                samlHTTPMetadataResolver.setMinRefreshDelay(validatingDocNode.get("idp.min_refresh_delay").withDefault(60000L).asLong());
                samlHTTPMetadataResolver.setMaxRefreshDelay(validatingDocNode.get("idp.max_refresh_delay").withDefault(14400000L).asLong());
                samlHTTPMetadataResolver.setRefreshDelayFactor(validatingDocNode.get("idp.refresh_delay_factor").withDefault(Float.valueOf(0.75f)).asFloat());
                samlHTTPMetadataResolver.initializePrivileged();
                this.metadataResolver = samlHTTPMetadataResolver;
            } catch (ResolverException | ComponentInitializationException e) {
                log.warn("Error while initializing " + this, e);
                validationErrors.add(new ValidationError("idp.metadata_url", e.getMessage()).cause(e));
            }
        } else if (this.idpMetadataXml != null) {
            try {
                StaticMetadataResolver staticMetadataResolver = new StaticMetadataResolver(this.idpMetadataXml.trim());
                staticMetadataResolver.initializePrivileged();
                this.metadataResolver = staticMetadataResolver;
            } catch (ResolverException | FilterException e2) {
                log.warn("Error while initializing " + this, e2);
                validationErrors.add(new ValidationError("idp.metadata_xml", e2.getMessage()).cause(e2));
            } catch (UnmarshallingException e3) {
                log.warn("Error while initializing " + this, e3);
                validationErrors.add(new ValidationError("idp.metadata_xml", "Not a valid XML structure").cause(e3));
            } catch (ComponentInitializationException e4) {
                log.warn("Error while initializing " + this, e4);
                validationErrors.add(new ValidationError("idp.metadata_xml", e4.getMessage()).cause(e4));
            }
        }
        validatingDocNode.used(new String[]{"validator", "idp.min_refresh_delay", "idp.max_refresh_delay", "idp.refresh_delay_factor"});
        validatingDocNode.checkForUnusedAttributes();
        validationErrors.throwExceptionForPresentErrors();
        this.saml2SettingsProvider = new Saml2SettingsProvider(asString2, asString3, Settings.builder().loadFromMap(validatingDocNode.getDocumentNode().toMap()).build().getAsSettings("validator"), this.metadataResolver);
        try {
            this.saml2SettingsProvider.get(URI.create("https://kibana.test"));
        } catch (Exception e5) {
            log.debug("Exception while initializing Saml2SettingsProvider. Possibly, the IdP is unreachable right now. This is recoverable by a meta data refresh.", e5);
        }
    }

    public ActivatedFrontendConfig.AuthMethod activateFrontendConfig(ActivatedFrontendConfig.AuthMethod authMethod, GetActivatedFrontendConfigAction.Request request) throws AuthenticatorUnavailableException {
        try {
            if (request.getFrontendBaseUrl() == null) {
                throw new AuthenticatorUnavailableException("Configuration error", "frontend_base_url is required for SAML authentication").details("request", request.toBasicObject(), new Object[0]);
            }
            Saml2Settings cached = this.saml2SettingsProvider.getCached(new URI(request.getFrontendBaseUrl()));
            AuthnRequest buildAuthnRequest = buildAuthnRequest(cached);
            try {
                return authMethod.ssoLocation(getSamlRequestRedirectBindingLocation(IdpEndpointType.SSO, cached, buildAuthnRequest.getEncodedAuthnRequest(true), request.getNextURL())).ssoContext(SSO_CONTEXT_PREFIX + buildAuthnRequest.getId());
            } catch (IOException e) {
                throw new AuthenticatorUnavailableException("Internal error while creating SAML request", e);
            }
        } catch (URISyntaxException e2) {
            log.error("Error while activating SAML authenticator", e2);
            throw new AuthenticatorUnavailableException("frontend_base_url is not a valid URL", e2).details("request", request.toBasicObject(), new Object[0]);
        }
    }

    public AuthCredentials extractCredentials(Map<String, Object> map) throws CredentialsException, ConfigValidationException, AuthenticatorUnavailableException {
        String str;
        String str2;
        Map<String, Object> hashMap = new HashMap<>();
        if (!map.containsKey("saml_response")) {
            throw new ConfigValidationException(new MissingAttribute("saml_response"));
        }
        if (!map.containsKey("frontend_base_url")) {
            throw new ConfigValidationException(new MissingAttribute("frontend_base_url"));
        }
        try {
            URI uri = new URI(String.valueOf(map.get("frontend_base_url")));
            String valueOf = String.valueOf(map.get("saml_response"));
            String valueOf2 = map.containsKey("sso_context") ? String.valueOf(map.get("sso_context")) : null;
            hashMap.put("saml_response", valueOf);
            hashMap.put("sso_context", valueOf2);
            Saml2Settings cached = this.saml2SettingsProvider.getCached(uri);
            if (valueOf2 != null) {
                log.debug("Detected IdP initiated SSO; ssoContext: " + valueOf2);
                if (!valueOf2.startsWith(SSO_CONTEXT_PREFIX)) {
                    throw new ConfigValidationException(new InvalidAttributeValue("saml_response", valueOf2, "Must start with saml_request_id:"));
                }
                str2 = valueOf2.substring(SSO_CONTEXT_PREFIX.length());
                str = cached.getSpAssertionConsumerServiceUrl().toString();
            } else {
                log.debug("Detected IdP initiated SSO");
                str = cached.getSpAssertionConsumerServiceUrl().toString() + "/idpinitiated";
                str2 = null;
            }
            try {
                SamlResponse createSamlResponse = createSamlResponse(cached, str, valueOf, hashMap);
                PrivilegedCode.execute(() -> {
                    try {
                        hashMap.put("saml_response_attributes", createSamlResponse.getAttributes());
                        hashMap.put("saml_response_issuer", createSamlResponse.getResponseIssuer());
                        hashMap.put("saml_response_assertion_issuer", createSamlResponse.getAssertionIssuer());
                        hashMap.put("saml_response_audiences", createSamlResponse.getAudiences());
                        hashMap.put("saml_response_name_id_data", createSamlResponse.getNameIdData());
                    } catch (Exception e) {
                        log.warn("Got Exception while collecting debug details", e);
                    }
                });
                if (this.checkIssuer) {
                    ensureResponseFromConfiguredEntity(createSamlResponse, cached, hashMap);
                }
                String str3 = str2;
                if (!((Boolean) PrivilegedCode.execute(() -> {
                    return Boolean.valueOf(createSamlResponse.isValid(str3));
                })).booleanValue()) {
                    log.info("Error while validating SAML response " + str2, createSamlResponse.getValidationException());
                    throw new CredentialsException(new AuthcResult.DebugInfo(getType(), false, "Invalid SAML response: " + createSamlResponse.getValidationException(), hashMap));
                }
                try {
                    String str4 = (String) PrivilegedCode.execute(() -> {
                        return createSamlResponse.getSessionIndex();
                    }, XPathExpressionException.class);
                    String str5 = (String) PrivilegedCode.execute(() -> {
                        return createSamlResponse.getNameId();
                    }, Exception.class);
                    return AuthCredentials.forUser(str5).userMappingAttribute("saml_response", extractAttributes(createSamlResponse)).attribute("__auth_type", "saml").attribute("__saml_si", str4).attribute("__saml_nif", (String) PrivilegedCode.execute(() -> {
                        if (createSamlResponse.getNameIdFormat() != null) {
                            return SamlNameIdFormat.getByUri(createSamlResponse.getNameIdFormat()).getShortName();
                        }
                        return null;
                    }, Exception.class)).attribute("__saml_nid", str5).attribute("__fe_base_url", uri.toString()).complete().build();
                } catch (Exception e) {
                    throw new CredentialsException(new AuthcResult.DebugInfo(getType(), false, "Error while extracting meta data from SAML response: " + e.getMessage(), hashMap), e);
                }
            } catch (com.onelogin.saml2.exception.ValidationError e2) {
                log.warn("Error while validating SAML response", e2);
                throw new CredentialsException(new AuthcResult.DebugInfo(getType(), false, "Invalid SAML response: " + e2.getMessage() + "; error_code: " + e2.getErrorCode(), hashMap), e2);
            }
        } catch (URISyntaxException e3) {
            throw new ConfigValidationException(new InvalidAttributeValue("frontend_base_url", map.get("frontend_base_url"), "A URL"));
        }
    }

    public String getLogoutUrl(User user) throws AuthenticatorUnavailableException {
        if (user == null) {
            return null;
        }
        try {
            if (user.getStructuredAttributes().get("__fe_base_url") == null) {
                return null;
            }
            try {
                Saml2Settings cached = this.saml2SettingsProvider.getCached(new URI(String.valueOf(user.getStructuredAttributes().get("__fe_base_url"))));
                if (!isSingleLogoutAvailable(cached)) {
                    return null;
                }
                return getSamlRequestRedirectBindingLocation(IdpEndpointType.SLO, cached, new LogoutRequest(cached, (HttpRequest) null, user.getStructuredAttributes().get("__saml_nid") != null ? user.getStructuredAttributes().get("__saml_nid").toString() : user.getName(), user.getStructuredAttributes().get("__saml_si") != null ? user.getStructuredAttributes().get("__saml_si").toString() : null, user.getStructuredAttributes().get("__saml_nif") != null ? user.getStructuredAttributes().get("__saml_nif").toString() : null).getEncodedLogoutRequest(true), null);
            } catch (URISyntaxException e) {
                log.error("Cannot parse __fe_base_url of " + user + ": " + user.getStructuredAttributes().get("__fe_base_url"), e);
                return null;
            }
        } catch (IOException e2) {
            log.error("Error while building logout URL for " + this, e2);
            return null;
        }
    }

    public String getType() {
        return "saml";
    }

    private SamlResponse createSamlResponse(Saml2Settings saml2Settings, String str, String str2, Map<String, Object> map) throws com.onelogin.saml2.exception.ValidationError {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(new SpecialPermission());
        }
        try {
            return (SamlResponse) AccessController.doPrivileged(() -> {
                return new SamlResponse(saml2Settings, str, str2);
            });
        } catch (PrivilegedActionException e) {
            if (e.getCause() instanceof RuntimeException) {
                throw ((RuntimeException) e.getCause());
            }
            if (e.getCause() instanceof com.onelogin.saml2.exception.ValidationError) {
                throw e.getCause();
            }
            throw new RuntimeException(e.getCause());
        }
    }

    private void ensureResponseFromConfiguredEntity(SamlResponse samlResponse, Saml2Settings saml2Settings, Map<String, Object> map) throws CredentialsException {
        try {
            String str = (String) PrivilegedCode.execute(() -> {
                return samlResponse.getResponseIssuer();
            }, com.onelogin.saml2.exception.ValidationError.class, XPathExpressionException.class);
            if (str == null || str.equals(saml2Settings.getIdpEntityId())) {
                return;
            }
            if (log.isDebugEnabled()) {
                log.debug("Response is not from " + saml2Settings.getIdpEntityId() + " but from " + str + "\nWill abort check. If there are other SAML auth frontends, these might be successfully authenticate using this response");
            }
            throw new CredentialsException(new AuthcResult.DebugInfo(getType(), false, "Expected issuer " + saml2Settings.getIdpEntityId(), map));
        } catch (com.onelogin.saml2.exception.ValidationError | XPathExpressionException e) {
            log.error("Error while checking issuer in " + samlResponse, e);
            throw new CredentialsException(new AuthcResult.DebugInfo(getType(), false, "Error while checking issuer: " + e, map), e);
        }
    }

    private AuthnRequest buildAuthnRequest(Saml2Settings saml2Settings) {
        boolean z = false;
        if (this.useForceAuthn != null) {
            z = this.useForceAuthn.booleanValue();
        } else if (!isSingleLogoutAvailable(saml2Settings)) {
            z = true;
        }
        return new AuthnRequest(saml2Settings, z, false, true);
    }

    private URL getIdpUrl(IdpEndpointType idpEndpointType, Saml2Settings saml2Settings) {
        return idpEndpointType == IdpEndpointType.SSO ? saml2Settings.getIdpSingleSignOnServiceUrl() : saml2Settings.getIdpSingleLogoutServiceUrl();
    }

    private boolean isSingleLogoutAvailable(Saml2Settings saml2Settings) {
        return saml2Settings.getIdpSingleLogoutServiceUrl() != null;
    }

    public void destroy() {
        if (this.metadataResolver instanceof DestructableComponent) {
            this.metadataResolver.destroy();
        }
    }

    private Map<String, ?> extractAttributes(SamlResponse samlResponse) {
        try {
            return (Map) PrivilegedCode.execute(() -> {
                return samlResponse.getAttributes();
            }, com.onelogin.saml2.exception.ValidationError.class, XPathExpressionException.class);
        } catch (com.onelogin.saml2.exception.ValidationError | XPathExpressionException e) {
            log.warn("Got exception while extracting attributes from " + samlResponse, e);
            return ImmutableMap.empty();
        }
    }

    static void ensureOpenSamlInitialization() {
        if (openSamlInitialized) {
            return;
        }
        try {
            PrivilegedCode.execute(() -> {
                Thread currentThread = Thread.currentThread();
                ClassLoader contextClassLoader = currentThread.getContextClassLoader();
                try {
                    currentThread.setContextClassLoader(InitializationService.class.getClassLoader());
                    InitializationService.initialize();
                    new XMLObjectProviderInitializer().init();
                    new SAMLConfigurationInitializer().init();
                    new org.opensaml.xmlsec.config.impl.XMLObjectProviderInitializer().init();
                    openSamlInitialized = true;
                } finally {
                    currentThread.setContextClassLoader(contextClassLoader);
                }
            }, InitializationException.class);
        } catch (InitializationException e) {
            throw new RuntimeException("Error while initializing SAML", e);
        }
    }

    private String getSamlRequestRedirectBindingLocation(IdpEndpointType idpEndpointType, Saml2Settings saml2Settings, String str, String str2) throws AuthenticatorUnavailableException {
        return Strings.isNullOrEmpty(getIdpUrl(idpEndpointType, saml2Settings).getQuery()) ? getIdpUrl(idpEndpointType, saml2Settings) + "?" + getSamlRequestQueryString(str, str2) : getIdpUrl(idpEndpointType, saml2Settings) + "&" + getSamlRequestQueryString(str, str2);
    }

    private String getSamlRequestQueryString(String str, String str2) throws AuthenticatorUnavailableException {
        String str3 = "SAMLRequest=" + Util.urlEncoder(str);
        if (str2 != null) {
            str3 = str3 + "&RelayState=" + Util.urlEncoder(str2);
        }
        if (this.spSignaturePrivateKey == null) {
            return str3;
        }
        String str4 = str3 + "&SigAlg=" + Util.urlEncoder(this.spSignatureAlgorithm);
        return str4 + "&Signature=" + Util.urlEncoder(getSamlRequestQueryStringSignature(str4));
    }

    private String getSamlRequestQueryStringSignature(String str) throws AuthenticatorUnavailableException {
        try {
            return Util.base64encoder(Util.sign(str, this.spSignaturePrivateKey, this.spSignatureAlgorithm));
        } catch (Exception e) {
            throw new AuthenticatorUnavailableException("Error while signing SAML request", e);
        }
    }

    public ComponentState getComponentState() {
        return this.componentState;
    }
}
