package com.floragunn.dlic.auth.http.saml;

import com.floragunn.dlic.auth.http.jwt.AbstractHTTPJwtAuthenticator;
import com.floragunn.dlic.auth.http.jwt.keybyoidc.AuthenticatorUnavailableException;
import com.floragunn.dlic.auth.http.jwt.keybyoidc.BadCredentialsException;
import com.floragunn.dlic.auth.http.jwt.keybyoidc.KeyProvider;
import com.floragunn.dlic.auth.http.kerberos.util.KrbConstants;
import com.floragunn.dlic.auth.ldap.util.ConfigConstants;
import com.floragunn.searchguard.auth.Destroyable;
import com.floragunn.searchguard.auth.HTTPAuthenticator;
import com.floragunn.searchguard.support.PemKeyReader;
import com.floragunn.searchguard.user.AuthCredentials;
import com.google.common.base.Strings;
import com.onelogin.saml2.authn.AuthnRequest;
import com.onelogin.saml2.http.HttpRequest;
import com.onelogin.saml2.logout.LogoutRequest;
import com.onelogin.saml2.settings.Saml2Settings;
import com.onelogin.saml2.util.Util;
import java.net.URL;
import java.nio.file.Path;
import java.security.AccessController;
import java.security.PrivateKey;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.DestructableComponent;
import org.apache.commons.lang3.StringEscapeUtils;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.rest.BytesRestResponse;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestStatus;
import org.opensaml.core.config.InitializationException;
import org.opensaml.core.config.InitializationService;
import org.opensaml.saml.config.impl.SAMLConfigurationInitializer;
import org.opensaml.saml.config.impl.XMLObjectProviderInitializer;
import org.opensaml.saml.metadata.resolver.MetadataResolver;
import org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver;

/* loaded from: input_file:com/floragunn/dlic/auth/http/saml/HTTPSamlAuthenticator.class */
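/**
 * SAML 2.0 {@link HTTPAuthenticator} for the Search Guard REST layer.
 *
 * <p>The request/response flow is split in two parts:
 * <ul>
 *   <li>Unauthenticated requests get a {@code 401} carrying an {@code X-SG-IdP}
 *       {@code WWW-Authenticate} header that points the client to the IdP's SSO endpoint
 *       (HTTP-Redirect binding, optionally signed with the SP private key).</li>
 *   <li>The SAML response posted to {@code /_searchguard/api/authtoken} is handled by
 *       {@link AuthTokenProcessorHandler}, which hands out a JWT. Subsequent requests are
 *       authenticated by the embedded {@link HTTPJwtAuthenticator}, whose signing key is taken
 *       from that handler.</li>
 * </ul>
 *
 * <p>Construction never throws: any configuration or metadata problem is logged and the
 * instance is left non-functional (see the constructor and {@link #extractCredentials}).
 */
public class HTTPSamlAuthenticator implements HTTPAuthenticator, Destroyable {
    protected static final Logger log = LogManager.getLogger(HTTPSamlAuthenticator.class);

    // Process-wide flag; guarded by the monitor of ensureOpenSamlInitialization().
    private static boolean openSamlInitialized = false;

    // Attribute names (SAML) used for subject/roles; null means "not configured".
    private String subjectKey;
    private String rolesKey;
    private String kibanaRootUrl;
    // Exactly one of these two is required (metadata via HTTP or via local file).
    private String idpMetadataUrl;
    private String idpMetadataFile;
    // Signature algorithm URI for the HTTP-Redirect binding; default is rsa-sha256.
    private String spSignatureAlgorithm;
    // Tri-state: null means "derive from SLO availability" (see buildAuthnRequest).
    private Boolean useForceAuthn;
    // null means AuthnRequests/LogoutRequests are sent unsigned.
    private PrivateKey spSignaturePrivateKey;
    private Saml2SettingsProvider saml2SettingsProvider;
    private MetadataResolver metadataResolver;
    private AuthTokenProcessorHandler authTokenProcessorHandler;
    private HTTPJwtAuthenticator httpJwtAuthenticator;
    private Settings jwtSettings;
    // When true, SAML responses whose issuer is not the configured IdP entity are rejected.
    private boolean checkIssuer;

    /**
     * JWT authenticator for the tokens issued by {@link AuthTokenProcessorHandler}.
     *
     * <p>Both key lookups return the handler's current signing key, so a "refresh" is the same
     * lookup as the initial one. Non-static on purpose: it reads the enclosing instance's handler.
     */
    class HTTPJwtAuthenticator extends AbstractHTTPJwtAuthenticator {
        public HTTPJwtAuthenticator(Settings settings, Path path) {
            super(settings, path);
        }

        @Override
        public String getType() {
            return "saml[jwt]";
        }

        /**
         * Supplies the JWT signing key from the SAML token processor instead of a JWKS/OIDC source.
         *
         * @param settings unused here; the key does not come from the settings
         * @param path unused here
         * @return a provider that always answers with the handler's signing key
         */
        @Override
        protected KeyProvider initKeyProvider(Settings settings, Path path) throws Exception {
            return new KeyProvider() {
                @Override
                public JsonWebKey getKeyAfterRefresh(String str) throws AuthenticatorUnavailableException, BadCredentialsException {
                    return HTTPSamlAuthenticator.this.authTokenProcessorHandler.getSigningKey();
                }

                @Override
                public JsonWebKey getKey(String str) throws AuthenticatorUnavailableException, BadCredentialsException {
                    return HTTPSamlAuthenticator.this.authTokenProcessorHandler.getSigningKey();
                }
            };
        }
    }

    /** IdP endpoint selected from the SAML metadata: single sign-on or single logout. */
    public enum IdpEndpointType {
        SSO,
        SLO
    }

    /**
     * Reads the SAML configuration, initializes OpenSAML and resolves the IdP metadata.
     *
     * <p>Required settings: {@code kibana_url} and one of {@code idp.metadata_url} /
     * {@code idp.metadata_file}. Any failure is logged with "SAML authentication will not work"
     * and swallowed; the dependent fields then stay {@code null}.
     *
     * @param settings the authenticator's settings block
     * @param path config directory used to resolve relative file paths (key file, metadata file)
     */
    public HTTPSamlAuthenticator(Settings settings, Path path) {
        try {
            ensureOpenSamlInitialization();
            this.rolesKey = settings.get("roles_key");
            this.subjectKey = settings.get("subject_key");
            this.kibanaRootUrl = settings.get("kibana_url");
            this.idpMetadataUrl = settings.get("idp.metadata_url");
            this.idpMetadataFile = settings.get("idp.metadata_file");
            this.spSignatureAlgorithm = settings.get("sp.signature_algorithm", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
            this.spSignaturePrivateKey = getSpSignaturePrivateKey(settings, path);
            this.useForceAuthn = settings.getAsBoolean("sp.forceAuthn", (Boolean) null);
            // Defaults to true: fail closed on responses from an unexpected issuer.
            this.checkIssuer = settings.getAsBoolean("check_issuer", Boolean.TRUE).booleanValue();

            // Normalize empty strings to null so later checks only have one "unset" value.
            if (Strings.isNullOrEmpty(this.rolesKey)) {
                log.warn("roles_key is not configured, will only extract subject from SAML");
                this.rolesKey = null;
            }
            if (Strings.isNullOrEmpty(this.subjectKey)) {
                this.subjectKey = null;
            }
            if (this.kibanaRootUrl == null) {
                throw new Exception("kibana_url is unconfigured");
            }
            if (this.idpMetadataUrl == null && this.idpMetadataFile == null) {
                throw new Exception("idp.metadata_url and idp.metadata_file are unconfigured");
            }

            this.metadataResolver = createMetadataResolver(settings, path);
            this.saml2SettingsProvider = new Saml2SettingsProvider(settings, this.metadataResolver);
            try {
                // Warm the cache; an unreachable IdP is not fatal because metadata reloads later.
                this.saml2SettingsProvider.getCached();
            } catch (Exception e) {
                log.debug("Exception while initializing Saml2SettingsProvider. Possibly, the IdP is unreachable right now. This is recoverable by a meta data refresh.", e);
            }
            this.jwtSettings = createJwtAuthenticatorSettings(settings);
            this.authTokenProcessorHandler = new AuthTokenProcessorHandler(settings, this.jwtSettings, this.saml2SettingsProvider);
            this.httpJwtAuthenticator = new HTTPJwtAuthenticator(this.jwtSettings, path);
        } catch (Exception e2) {
            log.error("Error creating HTTPSamlAuthenticator: " + e2 + ". SAML authentication will not work", e2);
        }
    }

    /**
     * Extracts credentials from the JWT carried by the request.
     *
     * <p>{@code /_searchguard/api/authtoken} is never authenticated here (it is the token
     * exchange endpoint, served by {@link #reRequestAuthentication}). For
     * {@code /_searchguard/authinfo} the SLO URL is additionally stored in the thread context.
     *
     * @param restRequest the incoming request
     * @param threadContext the request's thread context
     * @return the JWT credentials, or {@code null} if there are none or the authenticator
     *         failed to initialize
     */
    @Override
    public AuthCredentials extractCredentials(RestRequest restRequest, ThreadContext threadContext) throws ElasticsearchSecurityException {
        if ("/_searchguard/api/authtoken".equals(restRequest.path())) {
            return null;
        }
        if (this.httpJwtAuthenticator == null) {
            // Constructor failed earlier (already logged there); treat as "no credentials"
            // instead of dereferencing null.
            log.debug("HTTPSamlAuthenticator is not initialized; cannot extract credentials");
            return null;
        }
        AuthCredentials credentials = this.httpJwtAuthenticator.extractCredentials(restRequest, threadContext);
        if ("/_searchguard/authinfo".equals(restRequest.path())) {
            initLogoutUrl(restRequest, threadContext, credentials);
        }
        return credentials;
    }

    @Override
    public String getType() {
        return "saml";
    }

    /**
     * Handles the token exchange endpoint, or otherwise challenges the client with an
     * {@code X-SG-IdP} header pointing at the IdP.
     *
     * <p>On {@code /_searchguard/api/authtoken} the posted SAML response is first checked
     * against the configured IdP entity (when {@code check_issuer} is enabled); a mismatch is
     * rejected without sending a challenge.
     *
     * @param restChannel channel to respond on
     * @param authCredentials unused
     * @return {@code true} if a response was sent, {@code false} on rejection or error
     */
    @Override
    public boolean reRequestAuthentication(RestChannel restChannel, AuthCredentials authCredentials) {
        try {
            RestRequest request = restChannel.request();
            if ("/_searchguard/api/authtoken".equals(request.path())) {
                String samlResponseBase64 = this.authTokenProcessorHandler.getSamlResponseBase64(request);
                if (this.checkIssuer && !this.authTokenProcessorHandler.isResponseFromConfiguredEntity(samlResponseBase64)) {
                    return false;
                }
                if (this.authTokenProcessorHandler.handle(request, restChannel)) {
                    return true;
                }
            }
            Saml2Settings cached = this.saml2SettingsProvider.getCached();
            BytesRestResponse response = new BytesRestResponse(RestStatus.UNAUTHORIZED, "");
            response.addHeader(KrbConstants.WWW_AUTHENTICATE, getWwwAuthenticateHeader(cached));
            restChannel.sendResponse(response);
            return true;
        } catch (Exception e) {
            log.error("Error in reRequestAuthentication()", e);
            return false;
        }
    }

    /**
     * Builds the {@code WWW-Authenticate} challenge: realm, the signed/encoded redirect
     * location at the IdP's SSO endpoint, and the AuthnRequest id.
     *
     * <p>Both embedded values are Java-escaped so that quotes and CR/LF coming from the IdP
     * metadata cannot break out of the header value.
     */
    private String getWwwAuthenticateHeader(Saml2Settings saml2Settings) throws Exception {
        AuthnRequest authnRequest = buildAuthnRequest(saml2Settings);
        String location = getSamlRequestRedirectBindingLocation(IdpEndpointType.SSO, saml2Settings, authnRequest.getEncodedAuthnRequest(true));
        return "X-SG-IdP realm=\"Search Guard\" location=\"" + StringEscapeUtils.escapeJava(location)
                + "\" requestId=\"" + StringEscapeUtils.escapeJava(authnRequest.getId()) + "\"";
    }

    /**
     * Creates the AuthnRequest. ForceAuthn follows {@code sp.forceAuthn} when set; otherwise it
     * is enabled exactly when the IdP offers no single-logout endpoint (so a "logout" cannot be
     * silently undone by IdP session reuse). IsPassive is off, NameIDPolicy is set.
     */
    private AuthnRequest buildAuthnRequest(Saml2Settings saml2Settings) {
        boolean forceAuthn;
        if (this.useForceAuthn != null) {
            forceAuthn = this.useForceAuthn.booleanValue();
        } else {
            forceAuthn = !isSingleLogoutAvailable(saml2Settings);
        }
        return new AuthnRequest(saml2Settings, forceAuthn, false, true);
    }

    /**
     * Loads the SP signing key from {@code sp.signature_private_key} (inline PEM) or, failing
     * that, from {@code sp.signature_private_key_filepath}; both use
     * {@code sp.signature_private_key_password}.
     *
     * @return the key, or {@code null} if neither setting is present
     * @throws Exception wrapping any parse/read error
     */
    private PrivateKey getSpSignaturePrivateKey(Settings settings, Path path) throws Exception {
        try {
            String password = settings.get("sp.signature_private_key_password");
            PrivateKey key = PemKeyReader.loadKeyFromStream(password, PemKeyReader.resolveStream("sp.signature_private_key", settings));
            if (key == null) {
                key = PemKeyReader.loadKeyFromFile(password, PemKeyReader.resolve("sp.signature_private_key_filepath", settings, path, false));
            }
            return key;
        } catch (Exception e) {
            throw new Exception("Invalid value for sp.signature_private_key", e);
        }
    }

    /** Returns the IdP endpoint URL from the metadata; may be {@code null} if not published. */
    private URL getIdpUrl(IdpEndpointType idpEndpointType, Saml2Settings saml2Settings) {
        switch (idpEndpointType) {
            case SSO:
                return saml2Settings.getIdpSingleSignOnServiceUrl();
            case SLO:
                return saml2Settings.getIdpSingleLogoutServiceUrl();
            default:
                throw new IllegalArgumentException("Unknown IdP endpoint type: " + idpEndpointType);
        }
    }

    private boolean isSingleLogoutAvailable(Saml2Settings saml2Settings) {
        return saml2Settings.getIdpSingleLogoutServiceUrl() != null;
    }

    /** Stops the metadata reload machinery if the resolver supports being destroyed. */
    @Override
    public void destroy() {
        if (this.metadataResolver instanceof DestructableComponent) {
            ((DestructableComponent) this.metadataResolver).destroy();
        }
    }

    /**
     * Initializes OpenSAML once per JVM.
     *
     * <p>Runs privileged and with the thread context class loader switched to OpenSAML's own
     * loader for the duration (presumably so OpenSAML's provider discovery sees the plugin's
     * classes rather than Elasticsearch's — confirm against the OpenSAML version in use).
     * Synchronized so concurrent authenticator construction cannot initialize twice.
     *
     * @throws RuntimeException wrapping the underlying initialization failure
     */
    static synchronized void ensureOpenSamlInitialization() {
        if (openSamlInitialized) {
            return;
        }
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(new SpecialPermission());
        }
        try {
            AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {
                @Override
                public Void run() throws InitializationException {
                    Thread currentThread = Thread.currentThread();
                    ClassLoader originalClassLoader = currentThread.getContextClassLoader();
                    try {
                        currentThread.setContextClassLoader(InitializationService.class.getClassLoader());
                        InitializationService.initialize();
                        new XMLObjectProviderInitializer().init();
                        new SAMLConfigurationInitializer().init();
                        new org.opensaml.xmlsec.config.impl.XMLObjectProviderInitializer().init();
                        openSamlInitialized = true;
                        return null;
                    } finally {
                        // Always restore; leaving the plugin loader on a shared thread would leak it.
                        currentThread.setContextClassLoader(originalClassLoader);
                    }
                }
            });
        } catch (PrivilegedActionException e) {
            throw new RuntimeException(e.getCause());
        }
    }

    /**
     * Creates and initializes the IdP metadata resolver: HTTP-based when
     * {@code idp.metadata_url} is set, file-based otherwise. Initialization runs privileged.
     *
     * @throws ComponentInitializationException if the resolver cannot be initialized
     * @throws RuntimeException for any other privileged-action failure
     */
    private AbstractReloadingMetadataResolver createMetadataResolver(Settings settings, Path path) throws Exception {
        final AbstractReloadingMetadataResolver resolver = this.idpMetadataUrl != null
                ? new SamlHTTPMetadataResolver(settings, path)
                : new SamlFilesystemMetadataResolver(settings, path);
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(new SpecialPermission());
        }
        try {
            AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {
                @Override
                public Void run() throws ComponentInitializationException {
                    resolver.initialize();
                    return null;
                }
            });
            return resolver;
        } catch (PrivilegedActionException e) {
            if (e.getCause() instanceof ComponentInitializationException) {
                throw (ComponentInitializationException) e.getCause();
            }
            throw new RuntimeException(e.getCause());
        }
    }

    /**
     * Derives the settings for the embedded JWT authenticator from the {@code jwt} sub-block.
     *
     * <p>If the SAML side has a {@code roles_key} but the JWT block does not, the JWT roles
     * claim is set to {@code ConfigConstants.LDAP_AUTHZ_ROLES} (the claim name the issued token
     * is expected to use — TODO confirm against AuthTokenProcessorHandler). The subject claim
     * defaults to {@code sub}.
     */
    private Settings createJwtAuthenticatorSettings(Settings settings) {
        Settings.Builder builder = Settings.builder();
        Settings jwtBlock = settings.getAsSettings("jwt");
        builder.put(jwtBlock);
        if (jwtBlock.get("roles_key") == null && settings.get("roles_key") != null) {
            builder.put("roles_key", ConfigConstants.LDAP_AUTHZ_ROLES);
        }
        if (jwtBlock.get("subject_key") == null) {
            builder.put("subject_key", "sub");
        }
        return builder.build();
    }

    /**
     * Builds the IdP single-logout redirect URL for the given session.
     *
     * <p>NameID, SessionIndex and NameID format are taken from the JWT claims
     * ({@code attr.jwt.sub} or {@code attr.jwt.saml_ni}, {@code attr.jwt.saml_si},
     * {@code attr.jwt.saml_nif}) that were stored when the token was issued.
     *
     * @return the URL, or {@code null} if there are no credentials, the IdP has no SLO endpoint,
     *         or building the request failed (logged)
     */
    String buildLogoutUrl(AuthCredentials authCredentials) {
        if (authCredentials == null) {
            return null;
        }
        try {
            Saml2Settings cached = this.saml2SettingsProvider.getCached();
            if (!isSingleLogoutAvailable(cached)) {
                return null;
            }
            // Without a configured subject_key the NameID is the plain "sub" claim.
            String nameIdClaim = "attr.jwt." + (this.subjectKey == null ? "sub" : "saml_ni");
            String nameId = (String) authCredentials.getAttributes().get(nameIdClaim);
            String sessionIndex = (String) authCredentials.getAttributes().get("attr.jwt.saml_si");
            String nameIdFormat = SamlNameIdFormat.getByShortName((String) authCredentials.getAttributes().get("attr.jwt.saml_nif")).getUri();
            LogoutRequest logoutRequest = new LogoutRequest(cached, (HttpRequest) null, nameId, sessionIndex, nameIdFormat);
            return getSamlRequestRedirectBindingLocation(IdpEndpointType.SLO, cached, logoutRequest.getEncodedLogoutRequest(true));
        } catch (Exception e) {
            log.error("Error while creating logout URL. Logout will be not available", e);
            return null;
        }
    }

    /** Publishes the SLO URL (or {@code null}) under {@code _sg_sso_logout_url} for the authinfo response. */
    private void initLogoutUrl(RestRequest restRequest, ThreadContext threadContext, AuthCredentials authCredentials) {
        threadContext.putTransient("_sg_sso_logout_url", buildLogoutUrl(authCredentials));
    }

    /**
     * Appends the HTTP-Redirect binding query string to the IdP endpoint URL, using {@code ?}
     * or {@code &} depending on whether the endpoint already carries a query.
     *
     * @param samlRequest deflated, base64-encoded SAML request
     * @throws Exception if the metadata has no endpoint of the requested type, or signing fails
     */
    private String getSamlRequestRedirectBindingLocation(IdpEndpointType idpEndpointType, Saml2Settings saml2Settings, String samlRequest) throws Exception {
        URL idpUrl = getIdpUrl(idpEndpointType, saml2Settings);
        if (idpUrl == null) {
            throw new Exception("IdP metadata does not provide a " + idpEndpointType + " endpoint");
        }
        String separator = Strings.isNullOrEmpty(idpUrl.getQuery()) ? "?" : "&";
        return idpUrl + separator + getSamlRequestQueryString(samlRequest);
    }

    /**
     * Builds {@code SAMLRequest=...} and, when an SP key is configured, appends
     * {@code SigAlg} and {@code Signature}. The signature covers exactly the
     * {@code SAMLRequest=...&SigAlg=...} string as sent, which is what the HTTP-Redirect
     * binding requires the IdP to verify.
     */
    private String getSamlRequestQueryString(String samlRequest) throws Exception {
        String query = "SAMLRequest=" + Util.urlEncoder(samlRequest);
        if (this.spSignaturePrivateKey == null) {
            return query;
        }
        String signedPart = query + "&SigAlg=" + Util.urlEncoder(this.spSignatureAlgorithm);
        return signedPart + "&Signature=" + Util.urlEncoder(getSamlRequestQueryStringSignature(signedPart));
    }

    /** Signs the query string with the SP key and returns the base64 signature. */
    private String getSamlRequestQueryStringSignature(String signedPart) throws Exception {
        try {
            return Util.base64encoder(Util.sign(signedPart, this.spSignaturePrivateKey, this.spSignatureAlgorithm));
        } catch (Exception e) {
            throw new Exception("Error while signing SAML request", e);
        }
    }
}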
