package org.elasticsearch.xpack.idp.saml.authn;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.zip.Inflater;
import java.util.zip.InflaterInputStream;
import javax.xml.parsers.DocumentBuilder;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.Strings;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.internal.io.Streams;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.rest.RestUtils;
import org.elasticsearch.xpack.idp.action.SamlValidateAuthnRequestResponse;
import org.elasticsearch.xpack.idp.saml.idp.SamlIdentityProvider;
import org.elasticsearch.xpack.idp.saml.sp.SamlServiceProvider;
import org.elasticsearch.xpack.idp.saml.support.SamlAuthenticationState;
import org.elasticsearch.xpack.idp.saml.support.SamlFactory;
import org.elasticsearch.xpack.idp.saml.support.SamlInit;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.NameIDPolicy;
import org.opensaml.security.x509.X509Credential;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;

/* loaded from: input_file:org/elasticsearch/xpack/idp/saml/authn/SamlAuthnRequestValidator.class */
public class SamlAuthnRequestValidator {
    private final SamlFactory samlFactory;
    private final SamlIdentityProvider idp;
    private final Logger logger = LogManager.getLogger(SamlAuthnRequestValidator.class);
    private static final String[] XSD_FILES = {"/org/elasticsearch/xpack/idp/saml/support/saml-schema-protocol-2.0.xsd", "/org/elasticsearch/xpack/idp/saml/support/saml-schema-assertion-2.0.xsd", "/org/elasticsearch/xpack/idp/saml/support/xenc-schema.xsd", "/org/elasticsearch/xpack/idp/saml/support/xmldsig-core-schema.xsd"};
    private static final ThreadLocal<DocumentBuilder> THREAD_LOCAL_DOCUMENT_BUILDER = ThreadLocal.withInitial(() -> {
        try {
            return SamlFactory.getHardenedBuilder(XSD_FILES);
        } catch (Exception e) {
            throw new ElasticsearchSecurityException("Could not load XSD schema file", e, new Object[0]);
        }
    });

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/idp/saml/authn/SamlAuthnRequestValidator$ParsedQueryString.class */
    public class ParsedQueryString {
        private final String queryString;
        private final String samlRequest;

        @Nullable
        private final String relayState;

        @Nullable
        private final String sigAlg;

        @Nullable
        private final String signature;

        private ParsedQueryString(String str, String str2, String str3, String str4, String str5) {
            this.queryString = (String) Objects.requireNonNull(str, "Query string may not be null");
            this.samlRequest = (String) Objects.requireNonNull(str2, "SAML request parameter may not be null");
            this.relayState = str3;
            this.sigAlg = str4;
            this.signature = str5;
        }

        public String reconstructQueryParameters() throws ElasticsearchSecurityException {
            try {
                return this.relayState == null ? "SAMLRequest=" + SamlAuthnRequestValidator.this.urlEncode(this.samlRequest) + "&SigAlg=" + SamlAuthnRequestValidator.this.urlEncode(this.sigAlg) : "SAMLRequest=" + SamlAuthnRequestValidator.this.urlEncode(this.samlRequest) + "&RelayState=" + SamlAuthnRequestValidator.this.urlEncode(this.relayState) + "&SigAlg=" + SamlAuthnRequestValidator.this.urlEncode(this.sigAlg);
            } catch (UnsupportedEncodingException e) {
                throw new ElasticsearchSecurityException("Cannot reconstruct query for signature verification", e, new Object[0]);
            }
        }
    }

    public SamlAuthnRequestValidator(SamlFactory samlFactory, SamlIdentityProvider samlIdentityProvider) {
        SamlInit.initialize();
        this.samlFactory = samlFactory;
        this.idp = samlIdentityProvider;
    }

    public void processQueryString(String str, ActionListener<SamlValidateAuthnRequestResponse> actionListener) {
        try {
            ParsedQueryString parseQueryString = parseQueryString(str);
            try {
                Element parseSamlMessage = parseSamlMessage(inflate(decodeBase64(parseQueryString.samlRequest)));
                if (!this.samlFactory.elementNameMatches(parseSamlMessage, "urn:oasis:names:tc:SAML:2.0:protocol", "AuthnRequest")) {
                    logAndRespond(new ParameterizedMessage("SAML message [{}] is not an AuthnRequest", this.samlFactory.text(parseSamlMessage, 128)), actionListener);
                    return;
                }
                AuthnRequest buildXmlObject = this.samlFactory.buildXmlObject(parseSamlMessage, AuthnRequest.class);
                Issuer issuer = buildXmlObject.getIssuer();
                String assertionConsumerServiceURL = buildXmlObject.getAssertionConsumerServiceURL();
                CheckedConsumer checkedConsumer = samlServiceProvider -> {
                    try {
                        validateAuthnRequest(buildXmlObject, samlServiceProvider, parseQueryString, actionListener);
                    } catch (ElasticsearchSecurityException e) {
                        this.logger.debug("Could not validate AuthnRequest", e);
                        actionListener.onFailure(e);
                    } catch (Exception e2) {
                        logAndRespond("Could not validate AuthnRequest", e2, actionListener);
                    }
                };
                Objects.requireNonNull(actionListener);
                getSpFromAuthnRequest(issuer, assertionConsumerServiceURL, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
            } catch (ElasticsearchSecurityException e) {
                this.logger.debug("Could not process AuthnRequest", e);
                actionListener.onFailure(e);
            } catch (Exception e2) {
                logAndRespond("Could not process AuthnRequest", e2, actionListener);
            }
        } catch (ElasticsearchSecurityException e3) {
            this.logger.debug("Failed to parse query string for SAML AuthnRequest", e3);
            actionListener.onFailure(e3);
        }
    }

    private ParsedQueryString parseQueryString(String str) throws ElasticsearchSecurityException {
        HashMap hashMap = new HashMap();
        RestUtils.decodeQueryString(str, 0, hashMap);
        if (hashMap.isEmpty()) {
            throw new ElasticsearchSecurityException("Invalid Authentication Request query string (zero parameters)", new Object[0]);
        }
        this.logger.trace(new ParameterizedMessage("Parsed the following parameters from the query string: {}", hashMap));
        String str2 = (String) hashMap.get("SAMLRequest");
        if (null == str2) {
            throw new ElasticsearchSecurityException("Query string [{}] does not contain a SAMLRequest parameter", RestStatus.BAD_REQUEST, new Object[]{str});
        }
        return new ParsedQueryString(str, str2, (String) hashMap.get("RelayState"), (String) hashMap.get("SigAlg"), (String) hashMap.get("Signature"));
    }

    private void validateAuthnRequest(AuthnRequest authnRequest, SamlServiceProvider samlServiceProvider, ParsedQueryString parsedQueryString, ActionListener<SamlValidateAuthnRequestResponse> actionListener) {
        if (samlServiceProvider.shouldSignAuthnRequests()) {
            if (!Strings.hasText(parsedQueryString.signature)) {
                if (Strings.hasText(parsedQueryString.sigAlg)) {
                    logAndRespond(new ParameterizedMessage("Query string [{}] contains a SigAlg parameter but Signature is missing", parsedQueryString.queryString), actionListener);
                    return;
                } else {
                    logAndRespond(new ParameterizedMessage("The Service Provider [{}] must sign authentication requests but no signature was found", samlServiceProvider.getEntityId()), actionListener);
                    return;
                }
            }
            if (!Strings.hasText(parsedQueryString.sigAlg)) {
                logAndRespond(new ParameterizedMessage("Query string [{}] contains a Signature but SigAlg parameter is missing", parsedQueryString.queryString), actionListener);
                return;
            }
            Set<X509Credential> spSigningCredentials = samlServiceProvider.getSpSigningCredentials();
            if (spSigningCredentials == null || spSigningCredentials.isEmpty()) {
                logAndRespond(new ParameterizedMessage("Unable to validate signature of authentication request, Service Provider [{}] hasn't registered signing credentials", samlServiceProvider.getEntityId()), actionListener);
                return;
            } else if (!validateSignature(parsedQueryString, spSigningCredentials)) {
                logAndRespond(new ParameterizedMessage("Unable to validate signature of authentication request [{}] using credentials [{}]", parsedQueryString.queryString, this.samlFactory.describeCredentials(spSigningCredentials)), actionListener);
                return;
            }
        }
        HashMap hashMap = new HashMap();
        checkDestination(authnRequest);
        String checkAcs = checkAcs(authnRequest, samlServiceProvider, hashMap);
        validateNameIdPolicy(authnRequest, samlServiceProvider, hashMap);
        hashMap.put(SamlAuthenticationState.Fields.AUTHN_REQUEST_ID.getPreferredName(), authnRequest.getID());
        SamlValidateAuthnRequestResponse samlValidateAuthnRequestResponse = new SamlValidateAuthnRequestResponse(samlServiceProvider.getEntityId(), checkAcs, authnRequest.isForceAuthn().booleanValue(), hashMap);
        this.logger.trace(new ParameterizedMessage("Validated AuthnResponse from queryString [{}] and extracted [{}]", parsedQueryString.queryString, samlValidateAuthnRequestResponse));
        actionListener.onResponse(samlValidateAuthnRequestResponse);
    }

    private void validateNameIdPolicy(AuthnRequest authnRequest, SamlServiceProvider samlServiceProvider, Map<String, Object> map) {
        NameIDPolicy nameIDPolicy = authnRequest.getNameIDPolicy();
        if (null != nameIDPolicy) {
            String format = nameIDPolicy.getFormat();
            String allowedNameIdFormat = samlServiceProvider.getAllowedNameIdFormat();
            if (Strings.hasText(format)) {
                if (allowedNameIdFormat != null && !format.equals("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified") && !format.equals(allowedNameIdFormat)) {
                    throw new ElasticsearchSecurityException("The requested NameID format [{}] doesn't match the allowed NameID format for this Service Provider which is [{}]", new Object[]{format, samlServiceProvider.getAllowedNameIdFormat()});
                }
                map.put(SamlAuthenticationState.Fields.NAMEID_FORMAT.getPreferredName(), format);
            }
        }
    }

    private boolean validateSignature(ParsedQueryString parsedQueryString, Collection<X509Credential> collection) {
        String javaAlorithmNameFromUri = this.samlFactory.getJavaAlorithmNameFromUri(parsedQueryString.sigAlg);
        byte[] bytes = parsedQueryString.reconstructQueryParameters().getBytes(StandardCharsets.UTF_8);
        byte[] decode = Base64.getDecoder().decode(parsedQueryString.signature);
        return collection.stream().anyMatch(x509Credential -> {
            try {
                Signature signature = Signature.getInstance(javaAlorithmNameFromUri);
                signature.initVerify(x509Credential.getEntityCertificate().getPublicKey());
                signature.update(bytes);
                return signature.verify(decode);
            } catch (InvalidKeyException | SignatureException e) {
                this.logger.warn(new ParameterizedMessage("Signature verification failed for credential [{}]", this.samlFactory.describeCredentials(new HashSet(Collections.singletonList(x509Credential)))), e);
                return false;
            } catch (NoSuchAlgorithmException e2) {
                throw new ElasticsearchSecurityException("Java signature algorithm [{}] is not available for SAML/XML-Sig algorithm [{}]", e2, new Object[]{javaAlorithmNameFromUri, parsedQueryString.sigAlg});
            }
        });
    }

    private void getSpFromAuthnRequest(Issuer issuer, String str, ActionListener<SamlServiceProvider> actionListener) {
        if (issuer == null || issuer.getValue() == null) {
            throw new ElasticsearchSecurityException("SAML authentication request has no issuer", RestStatus.BAD_REQUEST, new Object[0]);
        }
        String value = issuer.getValue();
        SamlIdentityProvider samlIdentityProvider = this.idp;
        CheckedConsumer checkedConsumer = samlServiceProvider -> {
            if (null == samlServiceProvider) {
                throw new ElasticsearchSecurityException("Service Provider with Entity ID [{}] and ACS [{}] is not known to this Identity Provider", RestStatus.BAD_REQUEST, new Object[]{value, str});
            }
            actionListener.onResponse(samlServiceProvider);
        };
        Objects.requireNonNull(actionListener);
        samlIdentityProvider.resolveServiceProvider(value, str, false, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    private void checkDestination(AuthnRequest authnRequest) {
        String url = this.idp.getSingleSignOnEndpoint("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect").toString();
        if (!url.equals(authnRequest.getDestination())) {
            throw new ElasticsearchSecurityException("SAML authentication request [{}] is for destination [{}] but the SSO endpoint of this Identity Provider is [{}]", RestStatus.BAD_REQUEST, new Object[]{authnRequest.getID(), authnRequest.getDestination(), url});
        }
    }

    private String checkAcs(AuthnRequest authnRequest, SamlServiceProvider samlServiceProvider, Map<String, Object> map) {
        String assertionConsumerServiceURL = authnRequest.getAssertionConsumerServiceURL();
        if (!Strings.hasText(assertionConsumerServiceURL)) {
            throw new ElasticsearchSecurityException(authnRequest.getAssertionConsumerServiceIndex() == null ? "SAML authentication does not contain an AssertionConsumerService URL" : "SAML authentication does not contain an AssertionConsumerService URL. It contains an Assertion Consumer Service Index but this IDP doesn't support multiple AssertionConsumerService URLs.", RestStatus.BAD_REQUEST, new Object[0]);
        }
        if (assertionConsumerServiceURL.equals(samlServiceProvider.getAssertionConsumerService().toString())) {
            return assertionConsumerServiceURL;
        }
        throw new ElasticsearchSecurityException("The registered ACS URL for this Service Provider is [{}] but the authentication request contained [{}]", RestStatus.BAD_REQUEST, new Object[]{samlServiceProvider.getAssertionConsumerService(), assertionConsumerServiceURL});
    }

    protected Element parseSamlMessage(byte[] bArr) {
        try {
            ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bArr);
            try {
                Element documentElement = THREAD_LOCAL_DOCUMENT_BUILDER.get().parse(byteArrayInputStream).getDocumentElement();
                if (this.logger.isTraceEnabled()) {
                    this.logger.trace("Received SAML Message: {} \n", this.samlFactory.toString(documentElement, true));
                }
                byteArrayInputStream.close();
                return documentElement;
            } finally {
            }
        } catch (IOException | SAXException e) {
            throw new ElasticsearchSecurityException("Failed to parse SAML message", RestStatus.BAD_REQUEST, e, new Object[0]);
        }
    }

    private byte[] decodeBase64(String str) {
        try {
            return Base64.getDecoder().decode(str.replaceAll("\\s+", ""));
        } catch (IllegalArgumentException e) {
            this.logger.info("Failed to decode base64 string [{}] - {}", str, e);
            throw new ElasticsearchSecurityException("SAML message cannot be Base64 decoded", RestStatus.BAD_REQUEST, e, new Object[0]);
        }
    }

    private byte[] inflate(byte[] bArr) {
        Inflater inflater = new Inflater(true);
        try {
            ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bArr);
            try {
                InflaterInputStream inflaterInputStream = new InflaterInputStream(byteArrayInputStream, inflater);
                try {
                    ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream((bArr.length * 3) / 2);
                    try {
                        Streams.copy(inflaterInputStream, byteArrayOutputStream);
                        byte[] byteArray = byteArrayOutputStream.toByteArray();
                        byteArrayOutputStream.close();
                        inflaterInputStream.close();
                        byteArrayInputStream.close();
                        return byteArray;
                    } catch (Throwable th) {
                        try {
                            byteArrayOutputStream.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                        throw th;
                    }
                } catch (Throwable th3) {
                    try {
                        inflaterInputStream.close();
                    } catch (Throwable th4) {
                        th3.addSuppressed(th4);
                    }
                    throw th3;
                }
            } finally {
            }
        } catch (IOException e) {
            throw new ElasticsearchSecurityException("SAML message cannot be inflated", RestStatus.BAD_REQUEST, e, new Object[0]);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public String urlEncode(String str) throws UnsupportedEncodingException {
        return URLEncoder.encode(str, StandardCharsets.UTF_8.name());
    }

    private void logAndRespond(String str, ActionListener<SamlValidateAuthnRequestResponse> actionListener) {
        this.logger.debug(str);
        actionListener.onFailure(new ElasticsearchSecurityException(str, new Object[0]));
    }

    private void logAndRespond(ParameterizedMessage parameterizedMessage, ActionListener<SamlValidateAuthnRequestResponse> actionListener) {
        logAndRespond(parameterizedMessage.getFormattedMessage(), actionListener);
    }

    private void logAndRespond(String str, Throwable th, ActionListener<SamlValidateAuthnRequestResponse> actionListener) {
        this.logger.debug(str);
        actionListener.onFailure(new ElasticsearchSecurityException(str, new Object[]{th}));
    }
}
