package org.elasticsearch.xpack.security.authc.saml;

import java.io.IOException;
import java.nio.file.Path;
import java.security.AccessController;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.time.Clock;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.Function;
import java.util.function.Supplier;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.net.ssl.X509ExtendedKeyManager;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.Criterion;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import net.shibboleth.utilities.java.support.xml.BasicParserPool;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.CheckedConsumer;
import org.elasticsearch.common.CheckedRunnable;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.SuppressForbidden;
import org.elasticsearch.common.collect.Tuple;
import org.elasticsearch.common.lease.Releasable;
import org.elasticsearch.common.lease.Releasables;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.SettingsException;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.common.util.CollectionUtils;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.util.set.Sets;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.watcher.FileChangesListener;
import org.elasticsearch.watcher.FileWatcher;
import org.elasticsearch.watcher.ResourceWatcherService;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
import org.elasticsearch.xpack.core.security.authc.Realm;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
import org.elasticsearch.xpack.core.security.authc.saml.SamlRealmSettings;
import org.elasticsearch.xpack.core.security.authc.support.UserRoleMapper;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.core.ssl.CertParsingUtils;
import org.elasticsearch.xpack.core.ssl.SSLConfiguration;
import org.elasticsearch.xpack.core.ssl.SSLService;
import org.elasticsearch.xpack.core.ssl.X509KeyPairSettings;
import org.elasticsearch.xpack.security.authc.Realms;
import org.elasticsearch.xpack.security.authc.TokenService;
import org.elasticsearch.xpack.security.authc.saml.SamlAttributes;
import org.elasticsearch.xpack.security.authc.saml.SamlAuthnRequestBuilder;
import org.elasticsearch.xpack.security.authc.support.DelegatedAuthorizationSupport;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.metadata.resolver.MetadataResolver;
import org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver;
import org.opensaml.saml.metadata.resolver.impl.FilesystemMetadataResolver;
import org.opensaml.saml.metadata.resolver.impl.HTTPMetadataResolver;
import org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.LogoutResponse;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.security.impl.MetadataCredentialResolver;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.x509.X509Credential;
import org.opensaml.security.x509.impl.X509KeyManagerX509CredentialAdapter;
import org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/saml/SamlRealm.class */
public final class SamlRealm extends Realm implements Releasable {
    private static final Logger logger = LogManager.getLogger(SamlRealm.class);
    // Keys written into the authenticated User's metadata map by buildUser().
    public static final String USER_METADATA_NAMEID_VALUE = "saml_nameid";
    public static final String USER_METADATA_NAMEID_FORMAT = "saml_nameid_format";
    // Key under which the map from createTokenMetadata() is attached to a successful AuthenticationResult.
    public static final String CONTEXT_TOKEN_DATA = "_xpack_saml_tokendata";
    // Keys of the map produced by createTokenMetadata(): the NameID components, the session value and the realm name.
    public static final String TOKEN_METADATA_NAMEID_VALUE = "saml_nameid_val";
    public static final String TOKEN_METADATA_NAMEID_FORMAT = "saml_nameid_fmt";
    public static final String TOKEN_METADATA_NAMEID_QUALIFIER = "saml_nameid_qual";
    public static final String TOKEN_METADATA_NAMEID_SP_QUALIFIER = "saml_nameid_sp_qual";
    public static final String TOKEN_METADATA_NAMEID_SP_PROVIDED_ID = "saml_nameid_sp_id";
    public static final String TOKEN_METADATA_SESSION = "saml_session";
    public static final String TOKEN_METADATA_REALM = "saml_realm";
    // Resources released by close(); create() registers the metadata resolver here.
    private final List<Releasable> releasables;
    private final SamlAuthenticator authenticator;
    private final SamlLogoutRequestHandler logoutHandler;
    private final UserRoleMapper roleMapper;
    // Supplies the IdP's EntityDescriptor from the (reloading) metadata resolver; see initializeResolver().
    private final Supplier<EntityDescriptor> idpDescriptor;
    private final SpConfiguration serviceProvider;
    private final SamlAuthnRequestBuilder.NameIDPolicySettings nameIdPolicy;
    // Boxed on purpose: null means the force_authn setting was not configured (see the constructor).
    private final Boolean forceAuthn;
    private final boolean useSingleLogout;
    private final Boolean populateUserMetadata;
    // Parsers for the configurable attribute mappings; principal is mandatory, the others optional.
    private final AttributeParser principalAttribute;
    private final AttributeParser groupsAttribute;
    private final AttributeParser dnAttribute;
    private final AttributeParser nameAttribute;
    private final AttributeParser mailAttribute;
    // Set once by initialize(); null until then, which initialize() uses to detect a second call.
    private DelegatedAuthorizationSupport delegatedRealms;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/saml/SamlRealm$AttributeParser.class */
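    public static final class AttributeParser {
        private final String name;
        private final Function<SamlAttributes, List<String>> parser;

        /**
         * @param str      description of what this parser extracts; returned by {@link #toString()}
         * @param function extracts the relevant values from a set of SAML attributes
         */
        AttributeParser(String str, Function<SamlAttributes, List<String>> function) {
            this.name = str;
            this.parser = function;
        }

        /** Returns the values this parser extracts from {@code samlAttributes}. */
        List<String> getAttribute(SamlAttributes samlAttributes) {
            return this.parser.apply(samlAttributes);
        }

        @Override
        public String toString() {
            return this.name;
        }

        /**
         * Builds the parser for one configurable attribute mapping (principal, groups, dn, name, mail).
         * <ul>
         * <li>attribute not configured: throws if {@code z} (required) is true, or if a pattern was configured
         * without an attribute; otherwise the parser always yields an empty list</li>
         * <li>attribute configured, no pattern: the parser yields the raw attribute values</li>
         * <li>attribute and pattern configured: each value is replaced by the pattern's first capturing group;
         * values that do not match, or whose group is empty, are dropped (logged at debug)</li>
         * </ul>
         *
         * @param logger           logger used for the per-value debug messages
         * @param attributeSetting the attribute/pattern setting pair to read
         * @param realmConfig      the realm configuration
         * @param z                whether the attribute setting is mandatory
         * @throws SettingsException on a missing required attribute, a pattern without an attribute,
         *                           or a pattern that has no capturing group
         */
        static AttributeParser forSetting(Logger logger, SamlRealmSettings.AttributeSetting attributeSetting, RealmConfig realmConfig, boolean z) {
            final boolean hasAttribute = realmConfig.hasSetting(attributeSetting.getAttribute());
            final boolean hasPattern = realmConfig.hasSetting(attributeSetting.getPattern());
            if (hasAttribute == false) {
                if (z) {
                    throw new SettingsException("Setting [" + RealmSettings.getFullSettingKey(realmConfig, attributeSetting.getAttribute()) + "] is required");
                }
                if (hasPattern) {
                    throw new SettingsException("Setting [" + RealmSettings.getFullSettingKey(realmConfig, attributeSetting.getPattern()) + "] cannot be set unless [" + RealmSettings.getFullSettingKey(realmConfig, attributeSetting.getAttribute()) + "] is also set");
                }
                return new AttributeParser("No SAML attribute for [" + attributeSetting.name(realmConfig) + "]", attributes -> Collections.emptyList());
            }
            final String attributeName = realmConfig.getSetting(attributeSetting.getAttribute());
            if (hasPattern == false) {
                return new AttributeParser("SAML Attribute [" + attributeName + "] for [" + attributeSetting.name(realmConfig) + "]", attributes -> attributes.getAttributeValues(attributeName));
            }
            final Pattern regex = Pattern.compile(realmConfig.getSetting(attributeSetting.getPattern()));
            // group(1) is read for every matching value below; reject a pattern without a capturing group at
            // startup instead of failing with an IndexOutOfBoundsException on each authentication attempt
            if (regex.matcher("").groupCount() < 1) {
                throw new SettingsException("Setting [" + RealmSettings.getFullSettingKey(realmConfig, attributeSetting.getPattern()) + "] must contain at least one capturing group");
            }
            final String description = "SAML Attribute [" + attributeName + "] with pattern [" + regex.pattern() + "] for [" + attributeSetting.name(realmConfig) + "]";
            return new AttributeParser(description, attributes -> attributes.getAttributeValues(attributeName).stream().map(value -> {
                // find() matches anywhere inside the value; an anchored match needs explicit ^ and $ in the pattern
                final Matcher matcher = regex.matcher(value);
                if (matcher.find() == false) {
                    logger.debug("Attribute [{}] is [{}], which does not match [{}]", attributeName, value, regex.pattern());
                    return null;
                }
                final String extracted = matcher.group(1);
                if (Strings.isNullOrEmpty(extracted)) {
                    logger.debug("Attribute [{}] is [{}], which does match [{}] but group(1) is empty", attributeName, value, regex.pattern());
                    return null;
                }
                return extracted;
            }).filter(Objects::nonNull).collect(Collectors.toList()));
        }
    }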

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/saml/SamlRealm$FileListener.class */
    public static class FileListener implements FileChangesListener {
        private final Logger logger;
        private final CheckedRunnable<Exception> onChange;

        /**
         * @param logger          where reload failures are reported
         * @param checkedRunnable the reload action to run whenever the watched file changes
         */
        private FileListener(Logger logger, CheckedRunnable<Exception> checkedRunnable) {
            this.logger = logger;
            this.onChange = checkedRunnable;
        }

        /** A created file is treated exactly like a changed one. */
        public void onFileCreated(Path path) {
            onFileChanged(path);
        }

        /** A deleted file is treated exactly like a changed one. */
        public void onFileDeleted(Path path) {
            onFileChanged(path);
        }

        /**
         * Runs the reload action. A failure is logged as a warning (with the path and the exception) and
         * otherwise ignored, so a broken reload never propagates into the file watcher.
         */
        public void onFileChanged(Path path) {
            try {
                onChange.run();
            } catch (Exception reloadFailure) {
                final ParameterizedMessage message = new ParameterizedMessage("An error occurred while reloading file [{}]", path);
                logger.warn(message, reloadFailure);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/saml/SamlRealm$PrivilegedHTTPMetadataResolver.class */
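    public static final class PrivilegedHTTPMetadataResolver extends HTTPMetadataResolver {
        /**
         * @param httpClient the client used to fetch the metadata document
         * @param str        the metadata URL
         */
        PrivilegedHTTPMetadataResolver(HttpClient httpClient, String str) throws ResolverException {
            super(httpClient, str);
        }

        /**
         * Fetches the metadata inside a privileged block, so the network access is checked against this
         * class's own permissions rather than those of whatever code triggered the refresh.
         *
         * @throws ResolverException if the underlying fetch fails
         */
        protected byte[] fetchMetadata() throws ResolverException {
            try {
                // the cast picks the PrivilegedExceptionAction overload; without it doPrivileged is ambiguous
                return AccessController.doPrivileged((PrivilegedExceptionAction<byte[]>) () -> super.fetchMetadata());
            } catch (PrivilegedActionException e) {
                // the action only declares ResolverException, so the wrapped cause always has that type
                throw (ResolverException) e.getCause();
            }
        }
    }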

    /**
     * Builds a realm from its configuration: loads the IdP metadata, derives the SP and IdP configuration and
     * wires up the authenticator and logout handler.
     *
     * @param realmConfig            the realm configuration
     * @param sSLService             used for TLS when the IdP metadata is fetched over https
     * @param resourceWatcherService used to watch a file-based IdP metadata document for changes
     * @param userRoleMapper         maps the authenticated user's data to roles
     * @return the new realm; the metadata resolver is destroyed when the realm is closed
     * @throws IllegalStateException if the token service is disabled
     * @throws Exception             if metadata loading or credential parsing fails
     */
    public static SamlRealm create(RealmConfig realmConfig, SSLService sSLService, ResourceWatcherService resourceWatcherService, UserRoleMapper userRoleMapper) throws Exception {
        SamlUtils.initialize(logger);
        final boolean tokenServiceEnabled = TokenService.isTokenServiceEnabled(realmConfig.settings());
        if (tokenServiceEnabled == false) {
            throw new IllegalStateException("SAML requires that the token service be enabled (" + XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.getKey() + ")");
        }
        final Tuple<AbstractReloadingMetadataResolver, Supplier<EntityDescriptor>> resolverAndDescriptor = initializeResolver(logger, realmConfig, sSLService, resourceWatcherService);
        final AbstractReloadingMetadataResolver metadataResolver = resolverAndDescriptor.v1();
        final Supplier<EntityDescriptor> idpDescriptor = resolverAndDescriptor.v2();
        final SpConfiguration spConfiguration = getSpConfiguration(realmConfig);
        final Clock clock = Clock.systemUTC();
        final IdpConfiguration idpConfiguration = getIdpConfiguration(realmConfig, metadataResolver, idpDescriptor);
        final TimeValue maxSkew = realmConfig.getSetting(SamlRealmSettings.CLOCK_SKEW);
        final SamlAuthenticator authenticator = new SamlAuthenticator(clock, idpConfiguration, spConfiguration, maxSkew);
        final SamlLogoutRequestHandler logoutHandler = new SamlLogoutRequestHandler(clock, idpConfiguration, spConfiguration, maxSkew);
        final SamlRealm realm = new SamlRealm(realmConfig, userRoleMapper, authenticator, logoutHandler, idpDescriptor, spConfiguration);
        realm.releasables.add(metadataResolver::destroy);
        return realm;
    }

    /**
     * Package-private constructor used by {@link #create} (and tests); reads the NameID policy, the
     * force_authn/single-logout/metadata flags and the attribute mappings from {@code realmConfig}.
     *
     * @throws SettingsException        if a required attribute mapping is missing or misconfigured
     * @throws IllegalArgumentException if the NameID format setting is empty
     */
    SamlRealm(RealmConfig realmConfig, UserRoleMapper userRoleMapper, SamlAuthenticator samlAuthenticator, SamlLogoutRequestHandler samlLogoutRequestHandler, Supplier<EntityDescriptor> supplier, SpConfiguration spConfiguration) throws Exception {
        super(realmConfig);
        this.roleMapper = userRoleMapper;
        this.authenticator = samlAuthenticator;
        this.logoutHandler = samlLogoutRequestHandler;
        this.idpDescriptor = supplier;
        this.serviceProvider = spConfiguration;
        final String nameIdFormat = require(realmConfig, SamlRealmSettings.NAMEID_FORMAT);
        final boolean allowCreate = realmConfig.getSetting(SamlRealmSettings.NAMEID_ALLOW_CREATE);
        final String spNameQualifier = realmConfig.getSetting(SamlRealmSettings.NAMEID_SP_QUALIFIER);
        this.nameIdPolicy = new SamlAuthnRequestBuilder.NameIDPolicySettings(nameIdFormat, allowCreate, spNameQualifier);
        // null (not false) when the setting is absent, so "not configured" stays distinguishable
        this.forceAuthn = realmConfig.getSetting(SamlRealmSettings.FORCE_AUTHN, () -> null);
        this.useSingleLogout = realmConfig.getSetting(SamlRealmSettings.IDP_SINGLE_LOGOUT);
        this.populateUserMetadata = realmConfig.getSetting(SamlRealmSettings.POPULATE_USER_METADATA);
        // only the principal mapping is mandatory
        this.principalAttribute = AttributeParser.forSetting(logger, SamlRealmSettings.PRINCIPAL_ATTRIBUTE, realmConfig, true);
        this.groupsAttribute = AttributeParser.forSetting(logger, SamlRealmSettings.GROUPS_ATTRIBUTE, realmConfig, false);
        this.dnAttribute = AttributeParser.forSetting(logger, SamlRealmSettings.DN_ATTRIBUTE, realmConfig, false);
        this.nameAttribute = AttributeParser.forSetting(logger, SamlRealmSettings.NAME_ATTRIBUTE, realmConfig, false);
        this.mailAttribute = AttributeParser.forSetting(logger, SamlRealmSettings.MAIL_ATTRIBUTE, realmConfig, false);
        this.releasables = new ArrayList<>();
    }

    /**
     * Wires up delegated authorization against the other realms. May be called exactly once.
     *
     * @throws IllegalStateException if the realm was already initialized
     */
    public void initialize(Iterable<Realm> iterable, XPackLicenseState xPackLicenseState) {
        final boolean alreadyInitialized = delegatedRealms != null;
        if (alreadyInitialized) {
            throw new IllegalStateException("Realm has already been initialized");
        }
        delegatedRealms = new DelegatedAuthorizationSupport(iterable, config, xPackLicenseState);
    }

    /**
     * Reads a string setting that must be non-empty.
     *
     * @return the configured value
     * @throws IllegalArgumentException if the value is empty
     */
    static String require(RealmConfig realmConfig, Setting.AffixSetting<String> affixSetting) {
        final String value = realmConfig.getSetting(affixSetting);
        if (value.isEmpty() == false) {
            return value;
        }
        throw new IllegalArgumentException("The configuration setting [" + RealmSettings.getFullSettingKey(realmConfig, affixSetting) + "] is required");
    }

    /**
     * Builds the IdP configuration: the IdP entity id plus a supplier of its signing credentials, resolved
     * from the IDPSSODescriptor role in the metadata each time the supplier is invoked.
     *
     * @throws IllegalStateException if the OpenSAML resolvers cannot be initialised
     */
    private static IdpConfiguration getIdpConfiguration(RealmConfig realmConfig, MetadataResolver metadataResolver, Supplier<EntityDescriptor> supplier) {
        final MetadataCredentialResolver credentialResolver = new MetadataCredentialResolver();
        final PredicateRoleDescriptorResolver roleResolver = new PredicateRoleDescriptorResolver(metadataResolver);
        credentialResolver.setRoleDescriptorResolver(roleResolver);
        // a single KeyInfo provider is registered, so only inline X509Data in the metadata is resolved
        credentialResolver.setKeyInfoCredentialResolver(new BasicProviderKeyInfoCredentialResolver(Collections.singletonList(new InlineX509DataProvider())));
        try {
            roleResolver.initialize();
            credentialResolver.initialize();
        } catch (ComponentInitializationException e) {
            throw new IllegalStateException("Cannot initialise SAML IDP resolvers for realm " + realmConfig.name(), e);
        }
        final String entityId = supplier.get().getEntityID();
        return new IdpConfiguration(entityId, () -> {
            // signing credentials only: encryption keys in the metadata are not returned here
            final CriteriaSet criteria = new CriteriaSet(new EntityIdCriterion(entityId), new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME), new UsageCriterion(UsageType.SIGNING));
            try {
                return CollectionUtils.iterableAsArrayList(credentialResolver.resolve(criteria));
            } catch (ResolverException e) {
                throw new IllegalStateException("Cannot resolve SAML IDP credentials resolver for realm " + realmConfig.name(), e);
            }
        });
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Builds the service-provider side of the configuration: entity id, ACS and logout URLs, signing and
     * encryption credentials and the requested authn context class refs.
     *
     * @throws IllegalArgumentException if the entity id or ACS is empty, or the key store settings are inconsistent
     */
    public static SpConfiguration getSpConfiguration(RealmConfig realmConfig) throws IOException, GeneralSecurityException {
        final String entityId = require(realmConfig, SamlRealmSettings.SP_ENTITY_ID);
        final String acsUrl = require(realmConfig, SamlRealmSettings.SP_ACS);
        final String logoutUrl = realmConfig.getSetting(SamlRealmSettings.SP_LOGOUT);
        final SigningConfiguration signing = buildSigningConfiguration(realmConfig);
        final List<X509Credential> encryption = buildEncryptionCredential(realmConfig);
        final List<String> authnContextClassRefs = realmConfig.getSetting(SamlRealmSettings.REQUESTED_AUTHN_CONTEXT_CLASS_REF);
        return new SpConfiguration(entityId, acsUrl, logoutUrl, signing, encryption, authnContextClassRefs);
    }

    /**
     * Loads the SP's decryption key pairs from the {@code encryption.*} key store settings. Multiple aliases
     * are allowed here (unlike signing); returns null when no key store is configured.
     */
    static List<X509Credential> buildEncryptionCredential(RealmConfig realmConfig) throws IOException, GeneralSecurityException {
        final String prefix = RealmSettings.realmSettingPrefix(realmConfig.identifier()) + "encryption.";
        return buildCredential(realmConfig, prefix, SamlRealmSettings.ENCRYPTION_KEY_ALIAS, true);
    }

    /**
     * Loads the SP signing key from the {@code signing.*} key store settings. Exactly one key is used
     * (the first of the resolved list); with no key configured, an empty signing configuration is returned.
     *
     * @throws IllegalArgumentException if message types to sign are configured but there is no signing key
     */
    static SigningConfiguration buildSigningConfiguration(RealmConfig realmConfig) throws IOException, GeneralSecurityException {
        final String prefix = RealmSettings.realmSettingPrefix(realmConfig.identifier()) + "signing.";
        final List<X509Credential> credentials = buildCredential(realmConfig, prefix, SamlRealmSettings.SIGNING_KEY_ALIAS, false);
        final boolean hasSigningKey = credentials != null && credentials.isEmpty() == false;
        if (hasSigningKey == false) {
            if (realmConfig.hasSetting(SamlRealmSettings.SIGNING_MESSAGE_TYPES)) {
                throw new IllegalArgumentException("The setting [" + RealmSettings.getFullSettingKey(realmConfig, SamlRealmSettings.SIGNING_MESSAGE_TYPES) + "] cannot be specified if there are no signing credentials");
            }
            return new SigningConfiguration(Collections.emptySet(), null);
        }
        final List<String> messageTypes = realmConfig.getSetting(SamlRealmSettings.SIGNING_MESSAGE_TYPES);
        return new SigningConfiguration(Sets.newHashSet(messageTypes), credentials.get(0));
    }

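    /**
     * Resolves the RSA key pairs to use from a key store configured under {@code str}.
     *
     * @param realmConfig  the realm configuration
     * @param str          settings prefix of the key store ({@code ...signing.} or {@code ...encryption.})
     * @param affixSetting the optional alias setting selecting one key from the store
     * @param z            whether several keys are acceptable when no alias is configured
     * @return one credential per selected alias, or null when no key store is configured under the prefix
     * @throws IllegalArgumentException if the store has no RSA keys, has several keys but {@code z} is false
     *                                  and no alias is set, the alias has no private key, or the key is not RSA
     */
    private static List<X509Credential> buildCredential(RealmConfig realmConfig, String str, Setting.AffixSetting<String> affixSetting, boolean z) {
        final X509ExtendedKeyManager keyManager = CertParsingUtils.getKeyManager(X509KeyPairSettings.withPrefix(str, false), realmConfig.settings(), (String) null, realmConfig.env());
        if (keyManager == null) {
            return null;
        }
        final String configuredAlias = realmConfig.getSetting(affixSetting);
        final String settingKey = RealmSettings.getFullSettingKey(realmConfig, affixSetting);
        final Set<String> aliases = new HashSet<>();
        if (Strings.isNullOrEmpty(configuredAlias)) {
            // no alias configured: use whatever RSA key pairs the store holds
            final String[] rsaAliases = keyManager.getServerAliases("RSA", null);
            if (rsaAliases != null) {
                aliases.addAll(Arrays.asList(rsaAliases));
            }
            if (aliases.isEmpty()) {
                throw new IllegalArgumentException("The configured key store for " + str + " does not contain any RSA key pairs");
            }
            if (z == false && aliases.size() > 1) {
                throw new IllegalArgumentException("The configured key store for " + str + " has multiple keys but no alias has been specified (from setting " + settingKey + ")");
            }
        } else {
            aliases.add(configuredAlias);
        }
        final String aliasSource = Strings.isNullOrEmpty(configuredAlias) ? "" : "(from setting " + settingKey + ")";
        final List<X509Credential> credentials = new ArrayList<>(aliases.size());
        for (String alias : aliases) {
            // look the key up once; the original looked it up twice per alias
            final PrivateKey privateKey = keyManager.getPrivateKey(alias);
            if (privateKey == null) {
                throw new IllegalArgumentException("The configured key store for " + str + " does not have a key associated with alias [" + alias + "] " + aliasSource);
            }
            final String algorithm = privateKey.getAlgorithm();
            if (algorithm.equals("RSA") == false) {
                throw new IllegalArgumentException("The key associated with alias [" + alias + "] (from setting " + settingKey + ") uses unsupported key algorithm type [" + algorithm + "], only RSA is supported");
            }
            credentials.add(new X509KeyManagerX509CredentialAdapter(keyManager, alias));
        }
        return credentials;
    }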

    /**
     * Finds the SAML realms, optionally narrowed to one realm name and/or one assertion consumer service URL.
     * Blank filter values are ignored.
     *
     * @param realms all configured realms
     * @param str    realm name filter, or blank for any
     * @param str2   ACS URL filter, or blank for any
     */
    public static List<SamlRealm> findSamlRealms(Realms realms, String str, String str2) {
        Stream<SamlRealm> candidates = realms.stream().filter(SamlRealm.class::isInstance).map(SamlRealm.class::cast);
        if (Strings.hasText(str)) {
            candidates = candidates.filter(realm -> str.equals(realm.name()));
        }
        if (Strings.hasText(str2)) {
            candidates = candidates.filter(realm -> str2.equals(realm.assertionConsumerServiceURL()));
        }
        return candidates.collect(Collectors.toList());
    }

    /** Only {@link SamlToken}s are handled by this realm; null is not supported. */
    public boolean supports(AuthenticationToken authenticationToken) {
        return SamlToken.class.isInstance(authenticationToken);
    }

    /**
     * A token addressed to a specific realm is only accepted by that realm; a token with no
     * authenticating realm set is accepted by any SAML realm.
     */
    private boolean isTokenForRealm(SamlToken samlToken) {
        final String authenticatingRealm = samlToken.getAuthenticatingRealm();
        return authenticatingRealm == null || authenticatingRealm.equals(name());
    }

    /**
     * This realm never extracts a token from the thread context; SAML tokens are passed to
     * {@link #authenticate} directly.
     *
     * @return always null
     */
    public AuthenticationToken token(ThreadContext threadContext) {
        return null;
    }

    /**
     * Validates a SAML token and, on success, builds the user (see {@code buildUser}).
     * Tokens of another type, or addressed to another realm, are answered with "not handled".
     * A SAML-level validation failure is reported as an unsuccessful result carrying the exception; any other
     * security exception is passed to {@code onFailure}.
     */
    public void authenticate(AuthenticationToken authenticationToken, ActionListener<AuthenticationResult> actionListener) {
        final boolean forThisRealm = authenticationToken instanceof SamlToken && isTokenForRealm((SamlToken) authenticationToken);
        if (forThisRealm == false) {
            actionListener.onResponse(AuthenticationResult.notHandled());
            return;
        }
        final SamlToken samlToken = (SamlToken) authenticationToken;
        try {
            final SamlAttributes attributes = authenticator.authenticate(samlToken);
            logger.debug("Parsed token [{}] to attributes [{}]", samlToken, attributes);
            buildUser(attributes, actionListener);
        } catch (ElasticsearchSecurityException e) {
            if (SamlUtils.isSamlException(e) == false) {
                actionListener.onFailure(e);
                return;
            }
            actionListener.onResponse(AuthenticationResult.unsuccessful("Provided SAML response is not valid for realm " + this, e));
        }
    }

    /**
     * Turns validated SAML attributes into an authenticated user.
     * <p>
     * The principal is mandatory; without it the result is unsuccessful. Every successful result (whether
     * resolved here or by a delegated realm) gets the token metadata from {@link #createTokenMetadata}
     * attached under {@link #CONTEXT_TOKEN_DATA}. Without delegation, the user is built from the mapped
     * attributes, with user metadata holding the NameID and - if {@code populate_user_metadata} is on -
     * every SAML attribute, and roles resolved through the role mapper.
     */
    private void buildUser(SamlAttributes samlAttributes, ActionListener<AuthenticationResult> actionListener) {
        final String principal = resolveSingleValueAttribute(samlAttributes, principalAttribute, SamlRealmSettings.PRINCIPAL_ATTRIBUTE.name(config));
        if (Strings.isNullOrEmpty(principal)) {
            final String message = principalAttribute + " not found in saml attributes" + samlAttributes.attributes() + " or NameID [" + samlAttributes.name() + "]";
            actionListener.onResponse(AuthenticationResult.unsuccessful(message, (Exception) null));
            return;
        }
        final Map<String, Object> tokenMetadata = createTokenMetadata(samlAttributes.name(), samlAttributes.session());
        // every successful result passes through here so that the token metadata is attached
        final ActionListener<AuthenticationResult> withTokenMetadata = ActionListener.wrap(result -> {
            if (result.isAuthenticated() == false) {
                actionListener.onResponse(result);
                return;
            }
            final Map<String, Object> resultMetadata = new HashMap<>(result.getMetadata());
            resultMetadata.put(CONTEXT_TOKEN_DATA, tokenMetadata);
            actionListener.onResponse(AuthenticationResult.success(result.getUser(), resultMetadata));
        }, actionListener::onFailure);
        if (delegatedRealms.hasDelegation()) {
            delegatedRealms.resolve(principal, withTokenMetadata);
            return;
        }
        final Map<String, Object> userMetadata = new HashMap<>();
        if (populateUserMetadata) {
            for (SamlAttributes.SamlAttribute attribute : samlAttributes.attributes()) {
                userMetadata.put("saml(" + attribute.name + ")", attribute.values);
                if (Strings.hasText(attribute.friendlyName)) {
                    userMetadata.put("saml_" + attribute.friendlyName, attribute.values);
                }
            }
        }
        final SamlNameId nameId = samlAttributes.name();
        if (nameId != null) {
            userMetadata.put(USER_METADATA_NAMEID_VALUE, nameId.value);
            if (nameId.format != null) {
                userMetadata.put(USER_METADATA_NAMEID_FORMAT, nameId.format);
            }
        }
        final List<String> groups = groupsAttribute.getAttribute(samlAttributes);
        final String dn = resolveSingleValueAttribute(samlAttributes, dnAttribute, SamlRealmSettings.DN_ATTRIBUTE.name(config));
        final String fullName = resolveSingleValueAttribute(samlAttributes, nameAttribute, SamlRealmSettings.NAME_ATTRIBUTE.name(config));
        final String email = resolveSingleValueAttribute(samlAttributes, mailAttribute, SamlRealmSettings.MAIL_ATTRIBUTE.name(config));
        final UserRoleMapper.UserData userData = new UserRoleMapper.UserData(principal, dn, groups, userMetadata, config);
        roleMapper.resolveRoles(userData, ActionListener.wrap(roles -> {
            final User user = new User(principal, roles.toArray(new String[0]), fullName, email, userMetadata, true);
            withTokenMetadata.onResponse(AuthenticationResult.success(user));
        }, withTokenMetadata::onFailure));
    }

    /**
     * Builds the metadata stored with an access token for this realm: the NameID components (all null when
     * there is no NameID), the session value and the realm name.
     *
     * @param samlNameId the subject's NameID, may be null
     * @param str        the session value, may be null
     */
    public Map<String, Object> createTokenMetadata(SamlNameId samlNameId, String str) {
        final Map<String, Object> metadata = new HashMap<>();
        final boolean hasNameId = samlNameId != null;
        metadata.put(TOKEN_METADATA_NAMEID_VALUE, hasNameId ? samlNameId.value : null);
        metadata.put(TOKEN_METADATA_NAMEID_FORMAT, hasNameId ? samlNameId.format : null);
        metadata.put(TOKEN_METADATA_NAMEID_QUALIFIER, hasNameId ? samlNameId.idpNameQualifier : null);
        metadata.put(TOKEN_METADATA_NAMEID_SP_QUALIFIER, hasNameId ? samlNameId.spNameQualifier : null);
        metadata.put(TOKEN_METADATA_NAMEID_SP_PROVIDED_ID, hasNameId ? samlNameId.spProvidedId : null);
        metadata.put(TOKEN_METADATA_SESSION, str);
        metadata.put(TOKEN_METADATA_REALM, name());
        return metadata;
    }

    /**
     * Reduces a multi-valued attribute to a single value: null when absent, otherwise the first value
     * (logged at info level when more than one value was present).
     *
     * @param str the attribute's display name, used in the log message
     */
    private String resolveSingleValueAttribute(SamlAttributes samlAttributes, AttributeParser attributeParser, String str) {
        final List<String> values = attributeParser.getAttribute(samlAttributes);
        if (values.isEmpty()) {
            return null;
        }
        if (values.size() > 1) {
            logger.info("SAML assertion contains multiple values for attribute [{}] returning first one", str);
        }
        return values.get(0);
    }

    /** This realm cannot look users up by name; the listener always receives null. */
    public void lookupUser(String str, ActionListener<User> actionListener) {
        final User notFound = null;
        actionListener.onResponse(notFound);
    }

    /**
     * Creates the IdP metadata resolver from {@code idp.metadata.path}: an https URL is fetched over the
     * network, anything else is treated as a file path under the config directory. A plain http URL is
     * refused, since the metadata carries the IdP's signing certificates and must not be fetched unprotected.
     *
     * @return the resolver and a supplier of the IdP's EntityDescriptor
     * @throws IllegalArgumentException if the path is empty or uses http
     */
    static Tuple<AbstractReloadingMetadataResolver, Supplier<EntityDescriptor>> initializeResolver(Logger logger2, RealmConfig realmConfig, SSLService sSLService, ResourceWatcherService resourceWatcherService) throws ResolverException, ComponentInitializationException, PrivilegedActionException, IOException {
        final String metadataPath = require(realmConfig, SamlRealmSettings.IDP_METADATA_PATH);
        if (metadataPath.startsWith("http://")) {
            throw new IllegalArgumentException("The [http] protocol is not supported as it is insecure. Use [https] instead");
        }
        if (metadataPath.startsWith("https://")) {
            return parseHttpMetadata(metadataPath, realmConfig, sSLService);
        }
        return parseFileSystemMetadata(logger2, metadataPath, realmConfig, resourceWatcherService);
    }

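    /**
     * Builds a periodically refreshing HTTP(S) metadata resolver. TLS uses the realm's own {@code ssl.*}
     * configuration, including its hostname verifier, and the refresh interval comes from
     * {@code idp.metadata.http.refresh}.
     *
     * @param str the https metadata URL (http is rejected by the caller)
     * @return the resolver and a supplier that resolves the IdP's EntityDescriptor under a privileged block
     */
    private static Tuple<AbstractReloadingMetadataResolver, Supplier<EntityDescriptor>> parseHttpMetadata(String str, RealmConfig realmConfig, SSLService sSLService) throws ResolverException, ComponentInitializationException, PrivilegedActionException {
        final String entityId = require(realmConfig, SamlRealmSettings.IDP_ENTITY_ID);
        final SSLConfiguration sslConfiguration = sSLService.getSSLConfiguration(RealmSettings.realmSslPrefix(realmConfig.identifier()));
        final HttpClientBuilder clientBuilder = HttpClientBuilder.create();
        clientBuilder.setSSLSocketFactory(new SSLConnectionSocketFactory(sSLService.sslSocketFactory(sslConfiguration), SSLService.getHostnameVerifier(sslConfiguration)));
        final PrivilegedHTTPMetadataResolver resolver = new PrivilegedHTTPMetadataResolver(clientBuilder.build(), str);
        final TimeValue refreshInterval = realmConfig.getSetting(SamlRealmSettings.IDP_METADATA_HTTP_REFRESH);
        // min == max pins the refresh to a fixed interval rather than OpenSAML's adaptive schedule
        resolver.setMinRefreshDelay(refreshInterval.millis());
        resolver.setMaxRefreshDelay(refreshInterval.millis());
        initialiseResolver(resolver, realmConfig);
        final Supplier<EntityDescriptor> descriptor = () -> {
            SpecialPermission.check();
            try {
                // the cast picks the PrivilegedExceptionAction overload; without it doPrivileged is ambiguous
                return AccessController.doPrivileged((PrivilegedExceptionAction<EntityDescriptor>) () -> resolveEntityDescriptor(resolver, entityId, str));
            } catch (PrivilegedActionException e) {
                throw ExceptionsHelper.convertToRuntime((Exception) ExceptionsHelper.unwrapCause(e));
            }
        };
        return new Tuple<>(resolver, descriptor);
    }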

    /**
     * Builds a metadata resolver over a file under the config directory. The resolver reloads on its own
     * every 24 hours and is additionally refreshed by a file watcher whenever the file changes; the
     * http refresh setting is ignored (with an info log) for file-based metadata.
     *
     * @param str the metadata file path, resolved against the config directory
     * @return the resolver and a supplier of the IdP's EntityDescriptor
     */
    @SuppressForbidden(reason = "uses toFile")
    private static Tuple<AbstractReloadingMetadataResolver, Supplier<EntityDescriptor>> parseFileSystemMetadata(Logger logger2, String str, RealmConfig realmConfig, ResourceWatcherService resourceWatcherService) throws ResolverException, ComponentInitializationException, IOException, PrivilegedActionException {
        final String entityId = require(realmConfig, SamlRealmSettings.IDP_ENTITY_ID);
        final Path metadataFile = realmConfig.env().configFile().resolve(str);
        final FilesystemMetadataResolver resolver = new FilesystemMetadataResolver(metadataFile.toFile());
        if (realmConfig.hasSetting(SamlRealmSettings.IDP_METADATA_HTTP_REFRESH)) {
            logger2.info("Ignoring setting [{}] because the IdP metadata is being loaded from a file", RealmSettings.getFullSettingKey(realmConfig, SamlRealmSettings.IDP_METADATA_HTTP_REFRESH));
        }
        final long dailyMillis = TimeValue.timeValueHours(24L).millis();
        resolver.setMinRefreshDelay(dailyMillis);
        resolver.setMaxRefreshDelay(dailyMillis);
        initialiseResolver(resolver, realmConfig);
        final FileWatcher watcher = new FileWatcher(metadataFile);
        watcher.addListener(new FileListener(logger2, resolver::refresh));
        resourceWatcherService.add(watcher, ResourceWatcherService.Frequency.MEDIUM);
        final String location = metadataFile.toString();
        return new Tuple<>(resolver, () -> resolveEntityDescriptor(resolver, entityId, location));
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Looks up the single entity descriptor whose entityID equals {@code str}.
     *
     * Both failure modes are surfaced as a SAML exception: a resolver error (with its cause
     * preserved) and a clean miss (no descriptor for that entity id in the loaded metadata).
     *
     * @param abstractReloadingMetadataResolver the initialised metadata resolver to query
     * @param str                               the IdP entity id to look up
     * @param str2                              human-readable metadata source (file path or URL), used
     *                                          only in the "not found" message
     * @return the matching descriptor, never {@code null}
     */
    public static EntityDescriptor resolveEntityDescriptor(AbstractReloadingMetadataResolver abstractReloadingMetadataResolver, String str, String str2) {
        // CriteriaSet has a varargs constructor; this is the same criterion as an explicit array.
        final CriteriaSet criteria = new CriteriaSet(new EntityIdCriterion(str));
        final EntityDescriptor descriptor;
        try {
            descriptor = abstractReloadingMetadataResolver.resolveSingle(criteria);
        } catch (ResolverException e) {
            throw SamlUtils.samlException("Cannot resolve entity metadata", e, new Object[0]);
        }
        if (descriptor == null) {
            throw SamlUtils.samlException("Cannot find metadata for entity [{}] in [{}]", str, str2);
        }
        return descriptor;
    }

    /**
     * Releases every resource this realm registered in {@code releasables}, delegating to
     * {@link Releasables#close}.
     */
    public void close() {
        Releasables.close(releasables);
    }

    /**
     * Shared wiring for both the HTTP- and file-backed metadata resolvers, ending with the
     * resolver's own {@code initialize()} call.
     *
     * Security-relevant choices made here:
     * <ul>
     *   <li>{@code setRequireValidMetadata(true)}: the resolver enforces metadata validity. In
     *       OpenSAML this is what makes metadata outside its validity window unusable — confirm
     *       the exact semantics against the OpenSAML version bundled with this build.</li>
     *   <li>The parser pool is a plain {@link BasicParserPool} with no features set, so XML
     *       hardening (DTD / external entity handling) rests entirely on that class's defaults —
     *       NOTE(review): verify those defaults in the shibboleth java-support version in use.</li>
     *   <li>{@code initialize()} runs inside {@code doPrivileged} after {@link SpecialPermission#check()},
     *       i.e. with the plugin's own permissions rather than those of the calling stack.</li>
     * </ul>
     *
     * @param abstractReloadingMetadataResolver the resolver to configure and initialise
     * @param realmConfig                       realm configuration; its name becomes the resolver id
     * @throws ComponentInitializationException if the parser pool fails to initialise
     * @throws PrivilegedActionException        wrapping any checked exception from {@code initialize()}
     */
    private static void initialiseResolver(AbstractReloadingMetadataResolver abstractReloadingMetadataResolver, RealmConfig realmConfig) throws ComponentInitializationException, PrivilegedActionException {
        final BasicParserPool parserPool = new BasicParserPool();
        parserPool.initialize();

        abstractReloadingMetadataResolver.setRequireValidMetadata(true);
        abstractReloadingMetadataResolver.setParserPool(parserPool);
        abstractReloadingMetadataResolver.setId(realmConfig.name());

        SpecialPermission.check();
        AccessController.doPrivileged(() -> {
            abstractReloadingMetadataResolver.initialize();
            return null;
        });
    }

    /**
     * @return the entity id this realm presents as the SAML service provider
     */
    public String serviceProviderEntityId() {
        return serviceProvider.getEntityId();
    }

    /**
     * @return the service provider's assertion consumer service URL, as configured on {@code serviceProvider}
     */
    public String assertionConsumerServiceURL() {
        return serviceProvider.getAscUrl();
    }

    /**
     * Builds a new SAML {@code AuthnRequest} for this realm's service provider, targeting the IdP
     * described by the current metadata ({@code idpDescriptor.get()} is re-resolved on every call,
     * so a metadata refresh is picked up without restarting the realm).
     *
     * The two binding URNs (HTTP-POST and HTTP-Redirect) are passed positionally; see
     * {@code SamlAuthnRequestBuilder} for which one applies to the request and which to the response.
     * Timestamps come from {@link Clock#systemUTC()}. The full request is only rendered when
     * trace logging is enabled.
     *
     * @return the request, with the realm's NameID policy and forceAuthn flag applied
     */
    public AuthnRequest buildAuthenticationRequest() {
        final SamlAuthnRequestBuilder builder = new SamlAuthnRequestBuilder(
            serviceProvider,
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
            idpDescriptor.get(),
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
            Clock.systemUTC());
        final AuthnRequest request = builder.nameIDPolicy(nameIdPolicy).forceAuthn(forceAuthn).build();
        if (logger.isTraceEnabled()) {
            logger.trace("Constructed SAML Authentication Request: {}", SamlUtils.samlObjectToString(request));
        }
        return request;
    }

    /**
     * Builds a SAML {@code LogoutRequest} for the given subject, or returns {@code null} when
     * single logout is disabled for this realm ({@code useSingleLogout} is false). Callers must
     * handle the {@code null} case.
     *
     * @param nameID the subject's NameID as issued by the IdP
     * @param str    passed through to {@code SamlLogoutRequestMessageBuilder} as its last argument
     *               (presumably the session index — verify against that builder)
     * @return the logout request, or {@code null} if SLO is disabled or the builder produced none
     */
    public LogoutRequest buildLogoutRequest(NameID nameID, String str) {
        if (useSingleLogout) {
            final LogoutRequest request = new SamlLogoutRequestMessageBuilder(Clock.systemUTC(), serviceProvider, idpDescriptor.get(), nameID, str).build();
            if (request != null && logger.isTraceEnabled()) {
                logger.trace("Constructed SAML Logout Request: {}", SamlUtils.samlObjectToString(request));
            }
            return request;
        }
        return null;
    }

    /**
     * Builds a SAML {@code LogoutResponse} carrying the {@code Success} status code.
     *
     * @param str passed through to {@code SamlLogoutResponseBuilder} (presumably the InResponseTo
     *            id of the IdP's logout request — verify against that builder)
     * @return the response, or {@code null} if the builder produced none
     */
    public LogoutResponse buildLogoutResponse(String str) {
        final SamlLogoutResponseBuilder builder = new SamlLogoutResponseBuilder(
            Clock.systemUTC(),
            serviceProvider,
            idpDescriptor.get(),
            str,
            "urn:oasis:names:tc:SAML:2.0:status:Success");
        final LogoutResponse response = builder.build();
        if (response != null && logger.isTraceEnabled()) {
            logger.trace("Constructed SAML Logout Response: {}", SamlUtils.samlObjectToString(response));
        }
        return response;
    }

    /**
     * @return the service provider's signing configuration (keys and which outbound messages to sign)
     */
    public SigningConfiguration getSigningConfiguration() {
        return serviceProvider.getSigningConfiguration();
    }

    /**
     * @return the handler for IdP-initiated logout requests held by this realm
     */
    public SamlLogoutRequestHandler getLogoutHandler() {
        return logoutHandler;
    }
}
