package com.floragunn.searchguard.enterprise.auth.saml;

import com.floragunn.searchguard.authc.AuthenticatorUnavailableException;
import com.floragunn.searchsupport.PrivilegedCode;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.onelogin.saml2.settings.Saml2Settings;
import com.onelogin.saml2.settings.SettingsBuilder;
import java.net.URI;
import java.time.Duration;
import java.util.AbstractMap;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.Criterion;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.common.settings.Settings;
import org.joda.time.DateTime;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.saml.metadata.resolver.ExtendedRefreshableMetadataResolver;
import org.opensaml.saml.metadata.resolver.MetadataResolver;
import org.opensaml.saml.metadata.resolver.RefreshableMetadataResolver;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.saml2.metadata.KeyDescriptor;
import org.opensaml.saml.saml2.metadata.SingleLogoutService;
import org.opensaml.saml.saml2.metadata.SingleSignOnService;
import org.opensaml.security.credential.UsageType;
import org.opensaml.xmlsec.signature.X509Certificate;
import org.opensaml.xmlsec.signature.X509Data;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/auth/saml/Saml2SettingsProvider.class */
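/**
 * Builds the java-saml {@link Saml2Settings} for one IdP from its SAML metadata (obtained through a
 * {@link MetadataResolver}) together with the SP-side values derived from the frontend (Kibana) base
 * URI and the operator-supplied validator {@link Settings}.
 * <p>
 * Built settings are cached per frontend URI (at most 100 entries, evicted 10 days after last access)
 * and rebuilt whenever the resolver reports a metadata update that is newer than the one a cache entry
 * was built from, so rotated IdP keys or changed endpoints are picked up after the next metadata refresh.
 * <p>
 * Thread-safety: the Guava cache is thread-safe; two concurrent callers may both rebuild the same entry,
 * which is benign (last writer wins). All other state is immutable after construction.
 */
public class Saml2SettingsProvider {
    protected static final Logger log = LogManager.getLogger(Saml2SettingsProvider.class);

    private static final String SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol";
    private static final String HTTP_REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";
    private static final String HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
    private static final String ACS_PATH = "searchguard/saml/acs";

    private final MetadataResolver metadataResolver;
    private final String idpEntityId;
    private final String spEntityId;
    private final Settings validatorSettings;
    // Keyed by the caller-supplied frontend URI; maximumSize bounds the memory an unusual set of URIs can occupy.
    private final Cache<URI, Entry> settingsCache = CacheBuilder.newBuilder().maximumSize(100).expireAfterAccess(Duration.ofDays(10)).build();

    /**
     * A cached {@link Saml2Settings} together with the resolver's {@code lastUpdate} timestamp observed
     * just before the settings were built; {@code null} when the resolver is not refreshable or had not
     * reported an update yet.
     */
    public static class Entry {
        private final Saml2Settings saml2Settings;
        private final DateTime metadataUpdateTime;

        public Entry(Saml2Settings saml2Settings, DateTime metadataUpdateTime) {
            this.saml2Settings = saml2Settings;
            this.metadataUpdateTime = metadataUpdateTime;
        }

        public Saml2Settings getSaml2Settings() {
            return this.saml2Settings;
        }

        public DateTime getMetadataUpdateTime() {
            return this.metadataUpdateTime;
        }
    }

    /**
     * Read-only {@link Map} view over the validator {@link Settings} that exposes every key under the
     * {@code onelogin.saml2.} prefix expected by {@link SettingsBuilder#fromValues(Map)}. Lookups accept
     * keys with or without the prefix. Mutating operations and value-based queries are unsupported.
     */
    public static class SamlSettingsMap implements Map<String, Object> {
        private static final String KEY_PREFIX = "onelogin.saml2.";
        private final Settings settings;

        SamlSettingsMap(Settings settings) {
            this.settings = settings;
        }

        @Override
        public int size() {
            return this.settings.size();
        }

        @Override
        public boolean isEmpty() {
            return this.settings.isEmpty();
        }

        @Override
        public boolean containsKey(Object key) {
            return this.settings.hasValue(adaptKey(key));
        }

        /** @throws UnsupportedOperationException always; this view does not support value queries. */
        @Override
        public boolean containsValue(Object value) {
            throw new UnsupportedOperationException();
        }

        @Override
        public Object get(Object key) {
            return this.settings.get(adaptKey(key));
        }

        /** @throws UnsupportedOperationException always; the view is read-only. */
        @Override
        public Object put(String key, Object value) {
            throw new UnsupportedOperationException();
        }

        /** @throws UnsupportedOperationException always; the view is read-only. */
        @Override
        public Object remove(Object key) {
            throw new UnsupportedOperationException();
        }

        /** @throws UnsupportedOperationException always; the view is read-only. */
        @Override
        public void putAll(Map<? extends String, ? extends Object> map) {
            throw new UnsupportedOperationException();
        }

        /** @throws UnsupportedOperationException always; the view is read-only. */
        @Override
        public void clear() {
            throw new UnsupportedOperationException();
        }

        /** Returns every settings key with the {@code onelogin.saml2.} prefix prepended. */
        @Override
        public Set<String> keySet() {
            return this.settings.keySet().stream().map(key -> KEY_PREFIX + key).collect(Collectors.toSet());
        }

        /** @throws UnsupportedOperationException always; this view does not support value queries. */
        @Override
        public Collection<Object> values() {
            throw new UnsupportedOperationException();
        }

        /** Materializes a snapshot of prefixed key/value pairs; this is what {@code HashMap.putAll} iterates. */
        @Override
        public Set<Map.Entry<String, Object>> entrySet() {
            Set<Map.Entry<String, Object>> entries = new HashSet<>();
            for (String key : this.settings.keySet()) {
                entries.add(new AbstractMap.SimpleEntry<String, Object>(KEY_PREFIX + key, this.settings.get(key)));
            }
            return entries;
        }

        /** Strips the {@code onelogin.saml2.} prefix if present; {@code null} stays {@code null}. */
        private String adaptKey(Object key) {
            if (key == null) {
                return null;
            }
            String keyString = String.valueOf(key);
            return keyString.startsWith(KEY_PREFIX) ? keyString.substring(KEY_PREFIX.length()) : keyString;
        }
    }

    /**
     * @param idpEntityId       entityID of the IdP whose descriptor is looked up in the metadata
     * @param spEntityId        entityID this SP presents to the IdP
     * @param validatorSettings operator-supplied {@code onelogin.saml2.*} overrides; applied last, so they win
     *                          over values derived from metadata
     * @param metadataResolver  source of the IdP metadata; refreshable resolvers drive cache invalidation
     */
    public Saml2SettingsProvider(String idpEntityId, String spEntityId, Settings validatorSettings, MetadataResolver metadataResolver) {
        this.metadataResolver = metadataResolver;
        this.idpEntityId = idpEntityId;
        this.spEntityId = spEntityId;
        this.validatorSettings = validatorSettings;
    }

    /**
     * Builds fresh {@link Saml2Settings} (no caching) from the current IdP metadata.
     *
     * @param uri frontend (Kibana) base URI used to derive the SP assertion consumer service URL
     * @return settings ready for use with java-saml
     * @throws AuthenticatorUnavailableException if metadata has not been retrieved yet, the IdP entity or
     *                                           its SAML 2.0 IDPSSODescriptor is missing, the required SSO
     *                                           endpoint is absent, or the resolver fails
     */
    public Saml2Settings get(URI uri) throws AuthenticatorUnavailableException {
        // Diagnostic details attached to every failure below so operators can see the resolver state.
        Map<String, Object> details = new LinkedHashMap<>();
        try {
            checkMetadataAvailability(details);

            EntityDescriptor entityDescriptor = this.metadataResolver.resolveSingle(new CriteriaSet(new EntityIdCriterion(this.idpEntityId)));
            if (entityDescriptor == null) {
                throw new AuthenticatorUnavailableException("IdP configuration error", "Could not find entity descriptor for " + this.idpEntityId).details(details);
            }
            details.put("role_descriptors", entityDescriptor.getRoleDescriptors().toString());

            IDPSSODescriptor idpSsoDescriptor = entityDescriptor.getIDPSSODescriptor(SAML2_PROTOCOL);
            if (idpSsoDescriptor == null) {
                throw new AuthenticatorUnavailableException("IdP configuration error", "Could not find IDPSSODescriptor supporting SAML 2.0 in " + this.idpEntityId).details(details);
            }

            HashMap<String, Object> values = new HashMap<>();
            initIdpEndpoints(idpSsoDescriptor, values);
            initIdpCerts(idpSsoDescriptor, values);
            initSpEndpoints(uri, values);
            initMisc(values);

            SettingsBuilder settingsBuilder = new SettingsBuilder();
            settingsBuilder.fromValues(values);
            // Validator settings are applied last and therefore override metadata-derived values.
            settingsBuilder.fromValues(new SamlSettingsMap(this.validatorSettings));
            return (Saml2Settings) PrivilegedCode.execute(() -> settingsBuilder.build());
        } catch (ResolverException e) {
            throw new AuthenticatorUnavailableException("Error retrieving SAML metadata", e);
        }
    }

    /**
     * Fails fast when a refreshable resolver has never completed a successful metadata refresh, surfacing
     * the last refresh error (if the resolver records one) instead of a less specific lookup failure.
     *
     * @param details receives {@code last_successful_refresh} and, when known, the failure {@code cause}
     * @throws AuthenticatorUnavailableException if no successful refresh has happened yet
     */
    private void checkMetadataAvailability(Map<String, Object> details) throws AuthenticatorUnavailableException {
        if (!(this.metadataResolver instanceof ExtendedRefreshableMetadataResolver)) {
            return;
        }
        DateTime lastSuccessfulRefresh = ((ExtendedRefreshableMetadataResolver) this.metadataResolver).getLastSuccessfulRefresh();
        details.put("last_successful_refresh", String.valueOf(lastSuccessfulRefresh));
        if (lastSuccessfulRefresh != null) {
            return;
        }

        ResolverException lastRefreshException = null;
        if (this.metadataResolver instanceof SamlHTTPMetadataResolver) {
            lastRefreshException = ((SamlHTTPMetadataResolver) this.metadataResolver).getLastRefreshException();
        }
        if (lastRefreshException == null) {
            throw new AuthenticatorUnavailableException("SAML metadata is not yet available", "");
        }
        // Unwrap one level of ResolverException nesting so the message names the actual failure.
        if (lastRefreshException.getCause() instanceof ResolverException) {
            lastRefreshException = (ResolverException) lastRefreshException.getCause();
        }
        if (lastRefreshException.getCause() != null) {
            details.put("cause", lastRefreshException.getCause().toString());
        }
        throw new AuthenticatorUnavailableException("Error retrieving SAML metadata", lastRefreshException.getMessage(), lastRefreshException).details(details);
    }

    /**
     * Returns cached {@link Saml2Settings} for {@code uri}, rebuilding them on a cache miss or when the
     * resolver has refreshed its metadata since the cached entry was built.
     * <p>
     * The resolver timestamp is read <em>before</em> {@link #get(URI)} runs, so a refresh that races with
     * the rebuild is not masked: the next call observes {@code lastUpdate} newer than the recorded time
     * and rebuilds again.
     *
     * @throws AuthenticatorUnavailableException propagated from {@link #get(URI)}
     */
    public Saml2Settings getCached(URI uri) throws AuthenticatorUnavailableException {
        Entry cached = this.settingsCache.getIfPresent(uri);
        if (cached != null && !isUpdateRequired(cached)) {
            return cached.getSaml2Settings();
        }
        // Recorded on misses as well: an entry without a timestamp could otherwise never be invalidated
        // by a later metadata update and would serve stale IdP keys/endpoints until cache expiry.
        DateTime metadataUpdateTime = currentMetadataUpdateTime();
        Entry fresh = new Entry(get(uri), metadataUpdateTime);
        this.settingsCache.put(uri, fresh);
        return fresh.getSaml2Settings();
    }

    /** The resolver's last metadata update time, or {@code null} if the resolver is not refreshable. */
    private DateTime currentMetadataUpdateTime() {
        if (this.metadataResolver instanceof RefreshableMetadataResolver) {
            return ((RefreshableMetadataResolver) this.metadataResolver).getLastUpdate();
        }
        return null;
    }

    /**
     * A cached entry is stale when the resolver is refreshable and either has no update time (treated as
     * "unknown, rebuild"), or updated after the entry was built. The explicit null check on the entry's
     * timestamp matters: Joda's {@code DateTime.isAfter(null)} compares against "now", which would make an
     * entry without a timestamp look permanently fresh.
     */
    private boolean isUpdateRequired(Entry entry) {
        if (!(this.metadataResolver instanceof RefreshableMetadataResolver)) {
            return false;
        }
        DateTime lastUpdate = ((RefreshableMetadataResolver) this.metadataResolver).getLastUpdate();
        if (lastUpdate == null) {
            return true;
        }
        return entry.metadataUpdateTime == null || lastUpdate.isAfter(entry.metadataUpdateTime);
    }

    /**
     * Hardening switches: {@code strict} turns on java-saml's validation of responses/assertions, and
     * unsolicited responses carrying an InResponseTo are rejected.
     */
    private void initMisc(HashMap<String, Object> values) {
        values.put("onelogin.saml2.strict", true);
        values.put("onelogin.saml2.security.reject_unsolicited_responses_with_inresponseto", true);
    }

    /**
     * SP-side endpoints. NOTE(review): the ACS URL is derived from the caller-supplied {@code uri}; it should
     * be a configured, trusted frontend base URL rather than a value echoed from an incoming request —
     * confirm at the call site.
     */
    private void initSpEndpoints(URI uri, HashMap<String, Object> values) {
        values.put("onelogin.saml2.sp.assertion_consumer_service.url", buildKibanaAssertionConsumerEndpoint(uri.toASCIIString()));
        values.put("onelogin.saml2.sp.assertion_consumer_service.binding", HTTP_POST_BINDING);
        values.put("onelogin.saml2.sp.entityid", this.spEntityId);
    }

    /**
     * IdP SSO (required) and SLO (optional) endpoints for the HTTP-Redirect binding.
     *
     * @throws AuthenticatorUnavailableException if the IdP offers no HTTP-Redirect SingleSignOnService
     */
    private void initIdpEndpoints(IDPSSODescriptor idpSsoDescriptor, HashMap<String, Object> values) throws AuthenticatorUnavailableException {
        SingleSignOnService singleSignOnService = findSingleSignOnService(idpSsoDescriptor, HTTP_REDIRECT_BINDING);
        values.put("onelogin.saml2.idp.single_sign_on_service.url", singleSignOnService.getLocation());
        values.put("onelogin.saml2.idp.single_sign_on_service.binding", singleSignOnService.getBinding());
        values.put("onelogin.saml2.idp.entityid", this.idpEntityId);

        SingleLogoutService singleLogoutService = findSingleLogoutService(idpSsoDescriptor, HTTP_REDIRECT_BINDING);
        if (singleLogoutService == null) {
            log.warn("The IdP does not provide a Single Logout Service. In order to ensure that users have to re-enter their password after logging out, Search Guard will issue all SAML authentication requests with a mandatory password input (ForceAuthn=true)");
        } else {
            values.put("onelogin.saml2.idp.single_logout_service.url", singleLogoutService.getLocation());
            values.put("onelogin.saml2.idp.single_logout_service.binding", singleLogoutService.getBinding());
        }
    }

    /**
     * Collects the IdP's X.509 certificates usable for signature verification into
     * {@code onelogin.saml2.idp.x509certMulti.N}. Keys marked {@code encryption}-only are deliberately
     * excluded; {@code unspecified} use counts as signing, as the SAML metadata spec allows either use.
     * A KeyDescriptor without KeyInfo is skipped rather than failing the whole build.
     */
    private void initIdpCerts(IDPSSODescriptor idpSsoDescriptor, HashMap<String, Object> values) {
        int certIndex = 0;
        for (KeyDescriptor keyDescriptor : idpSsoDescriptor.getKeyDescriptors()) {
            if (!isUsableForSigning(keyDescriptor) || keyDescriptor.getKeyInfo() == null) {
                continue;
            }
            for (X509Data x509Data : keyDescriptor.getKeyInfo().getX509Datas()) {
                for (X509Certificate certificate : x509Data.getX509Certificates()) {
                    values.put("onelogin.saml2.idp.x509certMulti." + certIndex, certificate.getValue());
                    certIndex++;
                }
            }
        }
        if (certIndex == 0) {
            log.warn("The metadata of IdP {} does not contain any X.509 certificate with use 'signing' or unspecified use", this.idpEntityId);
        }
    }

    /** True for keys declared for signing or with no declared use. */
    private static boolean isUsableForSigning(KeyDescriptor keyDescriptor) {
        UsageType use = keyDescriptor.getUse();
        return UsageType.SIGNING.equals(use) || UsageType.UNSPECIFIED.equals(use);
    }

    /**
     * @return the first SingleSignOnService declaring {@code binding}
     * @throws AuthenticatorUnavailableException if none matches; the message lists the available services
     */
    private SingleSignOnService findSingleSignOnService(IDPSSODescriptor idpSsoDescriptor, String binding) throws AuthenticatorUnavailableException {
        for (SingleSignOnService service : idpSsoDescriptor.getSingleSignOnServices()) {
            if (binding.equals(service.getBinding())) {
                return service;
            }
        }
        throw new AuthenticatorUnavailableException("IdP configuration error", "Could not find SingleSignOnService endpoint for binding " + binding + "; available services: " + idpSsoDescriptor.getSingleSignOnServices());
    }

    /** @return the first SingleLogoutService declaring {@code binding}, or {@code null} if the IdP has none */
    private SingleLogoutService findSingleLogoutService(IDPSSODescriptor idpSsoDescriptor, String binding) throws AuthenticatorUnavailableException {
        for (SingleLogoutService service : idpSsoDescriptor.getSingleLogoutServices()) {
            if (binding.equals(service.getBinding())) {
                return service;
            }
        }
        return null;
    }

    /** Appends the ACS path to the frontend base URL, avoiding a doubled slash. */
    private String buildKibanaAssertionConsumerEndpoint(String frontendBaseUrl) {
        return frontendBaseUrl.endsWith("/") ? frontendBaseUrl + ACS_PATH : frontendBaseUrl + "/" + ACS_PATH;
    }
}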
