package org.elasticsearch.xpack.idp.action;

import java.time.Clock;
import java.util.Objects;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.support.ActionFilters;
import org.elasticsearch.action.support.HandledTransportAction;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.transport.TransportService;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.authc.support.SecondaryAuthentication;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.idp.privileges.ServiceProviderPrivileges;
import org.elasticsearch.xpack.idp.privileges.UserPrivilegeResolver;
import org.elasticsearch.xpack.idp.saml.authn.FailedAuthenticationResponseMessageBuilder;
import org.elasticsearch.xpack.idp.saml.authn.SuccessfulAuthenticationResponseMessageBuilder;
import org.elasticsearch.xpack.idp.saml.authn.UserServiceAuthentication;
import org.elasticsearch.xpack.idp.saml.idp.SamlIdentityProvider;
import org.elasticsearch.xpack.idp.saml.sp.SamlServiceProvider;
import org.elasticsearch.xpack.idp.saml.support.SamlAuthenticationState;
import org.elasticsearch.xpack.idp.saml.support.SamlFactory;

/* loaded from: input_file:org/elasticsearch/xpack/idp/action/TransportSamlInitiateSingleSignOnAction.class */
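/**
 * Transport action that produces a SAML {@code Response} (and embedded assertion) for a
 * service provider on behalf of a user.
 *
 * <p>Three gates are passed, in order, before a successful response is built:
 * <ol>
 *   <li>the requested SP (entity id + ACS) must resolve to one registered with this IdP;</li>
 *   <li>the request must carry a <em>secondary</em> authentication — that is the user who will be
 *       asserted to the SP, not the identity that called this action;</li>
 *   <li>the privilege resolver must grant that user access to the SP.</li>
 * </ol>
 * Any failure is reported through {@link #possiblyReplyWithSamlFailure}, which either returns a SAML
 * failure response bound to the original {@code AuthnRequest} (SP-initiated flow) or fails the
 * listener outright (no authentication state present).
 *
 * <p>Note: this listing was recovered from bytecode; the synthetic bridge override of
 * {@code doExecute(Task, ActionRequest, ActionListener)} is intentionally not reproduced since
 * {@code javac} generates it itself.
 */
public class TransportSamlInitiateSingleSignOnAction extends HandledTransportAction<SamlInitiateSingleSignOnRequest, SamlInitiateSingleSignOnResponse> {

    /** SAML 2.0 top-level status code: the request was processed successfully. */
    private static final String STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
    /** SAML 2.0 top-level status code: the failure is attributable to the requester (SP / user). */
    private static final String STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester";
    /** SAML 2.0 top-level status code: the failure is attributable to this IdP. */
    private static final String STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder";

    private final Logger logger;
    private final SecurityContext securityContext;
    private final SamlIdentityProvider identityProvider;
    private final SamlFactory samlFactory;
    private final UserPrivilegeResolver privilegeResolver;

    /**
     * Creates the action.
     *
     * @param transportService      transport layer the action is registered with
     * @param actionFilters         filters applied before {@link #doExecute}
     * @param securityContext       context the secondary authentication is read from
     * @param samlIdentityProvider  this node's SAML IdP (resolves SPs, signs responses)
     * @param samlFactory           XML / SAML object factory used to serialise responses
     * @param userPrivilegeResolver resolves whether the asserted user may access a given SP
     */
    @Inject
    public TransportSamlInitiateSingleSignOnAction(TransportService transportService, ActionFilters actionFilters, SecurityContext securityContext, SamlIdentityProvider samlIdentityProvider, SamlFactory samlFactory, UserPrivilegeResolver userPrivilegeResolver) {
        super(SamlInitiateSingleSignOnAction.NAME, transportService, actionFilters, SamlInitiateSingleSignOnRequest::new);
        this.logger = LogManager.getLogger(TransportSamlInitiateSingleSignOnAction.class);
        this.securityContext = securityContext;
        this.identityProvider = samlIdentityProvider;
        this.samlFactory = samlFactory;
        this.privilegeResolver = userPrivilegeResolver;
    }

    /**
     * Resolves the SP, checks the secondary authentication and the user's access, then builds a
     * signed successful SAML response for the asserted user.
     *
     * @param task     the running task
     * @param request  SP entity id, ACS URL and (for SP-initiated SSO) the pending {@code AuthnRequest} state
     * @param listener receives the response, or the failure when no SAML failure response can be produced
     */
    @Override
    protected void doExecute(Task task, SamlInitiateSingleSignOnRequest request, ActionListener<SamlInitiateSingleSignOnResponse> listener) {
        final SamlAuthenticationState authenticationState = request.getSamlAuthenticationState();
        final String spEntityId = request.getSpEntityId();
        final String acsUrl = request.getAssertionConsumerService();

        // Gate 1: never issue an assertion for an SP/ACS pair this IdP does not know. The boolean flag is
        // passed through unchanged from the original; its meaning is defined by SamlIdentityProvider
        // (presumably whether disabled SPs may be returned) -- confirm there before changing it.
        this.identityProvider.resolveServiceProvider(spEntityId, acsUrl, false, ActionListener.wrap(serviceProvider -> {
            if (serviceProvider == null) {
                possiblyReplyWithSamlFailure(authenticationState, spEntityId, acsUrl, STATUS_RESPONDER,
                    new IllegalArgumentException("Service Provider with Entity ID [" + spEntityId + "] and ACS [" + acsUrl + "] is not known to this Identity Provider"),
                    listener);
                return;
            }

            // Gate 2: the asserted user comes from the secondary authentication, never from the
            // (primary) identity that invoked this action. Without it there is nobody to assert.
            final SecondaryAuthentication secondaryAuthentication = SecondaryAuthentication.readFromContext(this.securityContext);
            if (secondaryAuthentication == null) {
                possiblyReplyWithSamlFailure(authenticationState, spEntityId, acsUrl, STATUS_REQUESTER,
                    new ElasticsearchSecurityException("Request is missing secondary authentication", RestStatus.FORBIDDEN),
                    listener);
                return;
            }

            // Gate 3: privilege check; a null result means "authenticated but not permitted for this SP".
            buildUserFromAuthentication(secondaryAuthentication, serviceProvider, ActionListener.wrap(userServiceAuthentication -> {
                if (userServiceAuthentication == null) {
                    possiblyReplyWithSamlFailure(authenticationState, spEntityId, acsUrl, STATUS_REQUESTER,
                        new ElasticsearchSecurityException("User [{}] is not permitted to access service [{}]", RestStatus.FORBIDDEN,
                            secondaryAuthentication.getUser().principal(), serviceProvider.getEntityId()),
                        listener);
                    return;
                }
                try {
                    // Entity id / ACS are taken from the resolved SP on the authentication object, not echoed
                    // from the request, so the response is bound to the registered SP configuration.
                    final String responseEntityId = userServiceAuthentication.getServiceProvider().getEntityId();
                    final String responseAcsUrl = userServiceAuthentication.getServiceProvider().getAssertionConsumerService().toString();
                    final SuccessfulAuthenticationResponseMessageBuilder builder =
                        new SuccessfulAuthenticationResponseMessageBuilder(this.samlFactory, Clock.systemUTC(), this.identityProvider);
                    final String xml = this.samlFactory.getXmlContent(builder.build(userServiceAuthentication, authenticationState));
                    listener.onResponse(new SamlInitiateSingleSignOnResponse(responseEntityId, responseAcsUrl, xml, STATUS_SUCCESS, null));
                } catch (ElasticsearchException e) {
                    listener.onFailure(e);
                }
            }, e -> possiblyReplyWithSamlFailure(authenticationState, spEntityId, acsUrl, STATUS_RESPONDER, e, listener)));
        }, e -> possiblyReplyWithSamlFailure(authenticationState, spEntityId, acsUrl, STATUS_RESPONDER, e, listener)));
    }

    /**
     * Resolves the secondary-authenticated user's privileges for {@code serviceProvider} and, when
     * access is granted, builds the {@link UserServiceAuthentication} that the assertion is generated from.
     *
     * @param secondaryAuthentication the user to be asserted
     * @param serviceProvider         the resolved SP whose privilege definition is checked
     * @param listener                receives the authentication, {@code null} when the user has no access,
     *                                or the failure raised by the privilege resolver
     */
    private void buildUserFromAuthentication(SecondaryAuthentication secondaryAuthentication, SamlServiceProvider serviceProvider, ActionListener<UserServiceAuthentication> listener) {
        final User user = secondaryAuthentication.getUser();
        // Resolution runs inside secondaryAuthentication.execute(...), presumably so that privilege
        // lookups are performed as the asserted user rather than as the caller -- verify in SecondaryAuthentication.
        secondaryAuthentication.execute(ignoredContext -> {
            final ServiceProviderPrivileges privileges = serviceProvider.getPrivileges();
            this.privilegeResolver.resolve(privileges, ActionListener.wrap(userPrivileges -> {
                if (userPrivileges.hasAccess == false) {
                    // No access: signal with null rather than an exception; the caller maps this to a
                    // Requester-status SAML failure.
                    listener.onResponse(null);
                } else {
                    this.logger.debug("Resolved [{}] for [{}]", userPrivileges, user);
                    listener.onResponse(new UserServiceAuthentication(user.principal(), user.fullName(), user.email(), userPrivileges.roles, serviceProvider));
                }
            }, listener::onFailure));
            return null;
        });
    }

    /**
     * Reports a failure to the caller.
     *
     * <p>When an {@code AuthnRequest} is pending ({@code authenticationState != null}) the SP is owed a
     * SAML response, so a failure {@code Response} carrying {@code statusCode} and {@code InResponseTo}
     * set to the original request id is returned. Otherwise the listener simply fails with {@code cause}.
     * In both cases the exception message travels back to the API caller (as the response's error text
     * or as the failure), so messages passed here should stay free of sensitive detail.
     *
     * @param authenticationState pending SP-initiated request state, or {@code null} for IdP-initiated SSO
     * @param spEntityId          entity id of the SP the response is for
     * @param acsUrl              ACS URL the SAML response is addressed to
     * @param statusCode          SAML top-level status code to put in the response
     * @param cause               the failure being reported
     * @param listener            receives either the failure response or {@code cause}
     */
    private void possiblyReplyWithSamlFailure(SamlAuthenticationState authenticationState, String spEntityId, String acsUrl, String statusCode, Exception cause, ActionListener<SamlInitiateSingleSignOnResponse> listener) {
        this.logger.debug("Failed to generate a successful SAML response: ", cause);
        if (authenticationState == null) {
            listener.onFailure(cause);
            return;
        }
        final String xml = this.samlFactory.getXmlContent(
            new FailedAuthenticationResponseMessageBuilder(this.samlFactory, Clock.systemUTC(), this.identityProvider)
                .setInResponseTo(authenticationState.getAuthnRequestId())
                .setAcsUrl(acsUrl)
                .setPrimaryStatusCode(statusCode)
                .build());
        listener.onResponse(new SamlInitiateSingleSignOnResponse(spEntityId, acsUrl, xml, statusCode, cause.getMessage()));
    }
}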
