package org.elasticsearch.xpack.idp.saml.support;

import java.io.StringWriter;
import java.io.Writer;
import java.net.URISyntaxException;
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.CertificateEncodingException;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collection;
import java.util.Objects;
import java.util.stream.Collectors;
import javax.xml.XMLConstants;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.ErrorListener;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.hash.MessageDigests;
import org.elasticsearch.core.SuppressForbidden;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.XMLObjectBuilderFactory;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.core.xml.io.Unmarshaller;
import org.opensaml.core.xml.io.UnmarshallingException;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.x509.X509Credential;
import org.w3c.dom.Element;
import org.xml.sax.ErrorHandler;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

/* loaded from: input_file:org/elasticsearch/xpack/idp/saml/support/SamlFactory.class */
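public class SamlFactory {

    private static final Logger LOGGER = LogManager.getLogger(SamlFactory.class);

    /** Number of random bytes behind {@link #secureIdentifier()}: 20 bytes, i.e. 160 bits from {@link SecureRandom}. */
    private static final int SECURE_IDENTIFIER_BYTES = 20;

    /** Number of Base64 characters of a credential that {@link #describeCredentials(Collection)} shows. */
    private static final int CREDENTIAL_PREVIEW_LENGTH = 64;

    /** Placeholder returned by {@link #getXmlContent(SAMLObject, boolean)} when marshalling fails. */
    private static final String UNSERIALIZABLE = "_unserializable_";

    private final XMLObjectBuilderFactory builderFactory;
    private final SecureRandom random;

    /**
     * SAX error handler that treats every reported problem, including plain warnings, as fatal: the parse
     * exception is logged at debug level and rethrown, so a caller never receives a partially parsed or
     * leniently parsed document.
     */
    private static class DocumentBuilderErrorHandler implements ErrorHandler {
        private DocumentBuilderErrorHandler() {}

        @Override
        public void warning(SAXParseException e) throws SAXException {
            LOGGER.debug("XML Parser error ", e);
            throw e;
        }

        @Override
        public void error(SAXParseException e) throws SAXException {
            warning(e);
        }

        @Override
        public void fatalError(SAXParseException e) throws SAXException {
            warning(e);
        }
    }

    /**
     * Transformer error listener with the same fail-closed policy as {@link DocumentBuilderErrorHandler}:
     * warnings, errors and fatal errors are all logged at debug level and rethrown.
     * (The decompiler notes this type was private in the original source; it is kept public here only to
     * preserve the visible interface.)
     */
    public static class TransformerErrorListener implements ErrorListener {
        private TransformerErrorListener() {}

        @Override
        public void warning(TransformerException e) throws TransformerException {
            LOGGER.debug("XML transformation error", e);
            throw e;
        }

        @Override
        public void error(TransformerException e) throws TransformerException {
            warning(e);
        }

        @Override
        public void fatalError(TransformerException e) throws TransformerException {
            warning(e);
        }
    }

    /**
     * Creates a factory backed by the OpenSAML builder registry. {@link SamlInit#initialize()} runs first so
     * that the registry is populated before it is queried.
     */
    public SamlFactory() {
        SamlInit.initialize();
        this.builderFactory = XMLObjectProviderRegistrySupport.getBuilderFactory();
        this.random = new SecureRandom();
    }

    /**
     * Builds a new, empty XML object for the element {@code elementName} and checks it is a {@code type}.
     *
     * @throws IllegalArgumentException if the registered builder produces an object of a different type
     */
    public <T extends XMLObject> T object(Class<T> type, QName elementName) {
        return cast(type, elementName, builderFactory.getBuilder(elementName).buildObject(elementName));
    }

    /**
     * Builds a new XML object for element {@code elementName} using the builder registered for
     * {@code schemaType}, and checks it is a {@code type}.
     *
     * @throws IllegalArgumentException if the registered builder produces an object of a different type
     */
    public <T extends XMLObject> T object(Class<T> type, QName elementName, QName schemaType) {
        return cast(type, elementName, builderFactory.getBuilder(schemaType).buildObject(elementName, schemaType));
    }

    /** Checked down-cast with an error message naming the element that was being built. */
    private <T extends XMLObject> T cast(Class<T> type, QName elementName, XMLObject object) {
        if (type.isInstance(object)) {
            return type.cast(object);
        }
        throw new IllegalArgumentException(
            "Object for element " + elementName.getLocalPart() + " is of type " + object.getClass() + " not " + type
        );
    }

    /**
     * Returns a fresh, unpredictable identifier that is a valid XML {@code NCName} (and so usable as a SAML
     * {@code ID} attribute): an underscore followed by the hex encoding of 20 {@link SecureRandom} bytes.
     */
    public String secureIdentifier() {
        return randomNCName(SECURE_IDENTIFIER_BYTES);
    }

    private String randomNCName(int numberOfBytes) {
        final byte[] bytes = new byte[numberOfBytes];
        random.nextBytes(bytes);
        // An NCName may not start with a digit, which a bare hex string might; the leading '_' guarantees validity.
        return "_" + MessageDigests.toHexString(bytes);
    }

    /**
     * Equivalent to {@link #object(Class, QName)}; retained for callers that use this name.
     *
     * @throws IllegalArgumentException if the registered builder produces an object of a different type
     */
    public <T extends XMLObject> T buildObject(Class<T> type, QName elementName) {
        return object(type, elementName);
    }

    /**
     * Serialises {@code element} to a string, mainly for logging and diagnostics. If the transformation fails
     * the failure is logged at debug level and the element is described as {@code [namespaceURI]localName}
     * instead of propagating the error.
     *
     * @param pretty whether to indent the output
     */
    public String toString(Element element, boolean pretty) {
        try {
            final StringWriter out = new StringWriter();
            print(element, out, pretty);
            return out.toString();
        } catch (TransformerException e) {
            LOGGER.debug("Failed to serialise XML element", e);
            return "[" + element.getNamespaceURI() + "]" + element.getLocalName();
        }
    }

    /**
     * Unmarshalls a DOM element into the OpenSAML type {@code type}.
     *
     * @throws ElasticsearchSecurityException if no unmarshaller is registered for the element, if unmarshalling
     *                                        fails, or if the resulting object is not a {@code type}
     */
    public <T extends XMLObject> T buildXmlObject(Element element, Class<T> type) {
        final Unmarshaller unmarshaller = XMLObjectProviderRegistrySupport.getUnmarshallerFactory().getUnmarshaller(element);
        if (unmarshaller == null) {
            throw new ElasticsearchSecurityException(
                "XML element [{}] cannot be unmarshalled to SAML type [{}] (no unmarshaller)",
                element.getTagName(),
                type
            );
        }
        final XMLObject object;
        try {
            object = unmarshaller.unmarshall(element);
        } catch (UnmarshallingException e) {
            throw new ElasticsearchSecurityException("Failed to unmarshall SAML content [{}]", e, element.getTagName());
        }
        if (type.isInstance(object)) {
            return type.cast(object);
        }
        throw new ElasticsearchSecurityException(
            "SAML object [{}] is incorrect type. Expected [{}] but was [{}]",
            element.getTagName(),
            type.getName(),
            object.getClass().getName()
        );
    }

    /**
     * Writes {@code element} to {@code writer} using {@link #getHardenedXMLTransformer()}.
     *
     * @param pretty whether to indent the output
     * @throws TransformerException if the transformer cannot be configured or the transformation fails
     */
    void print(Element element, Writer writer, boolean pretty) throws TransformerException {
        final Transformer transformer = getHardenedXMLTransformer();
        if (pretty) {
            transformer.setOutputProperty(OutputKeys.INDENT, "yes");
        }
        transformer.transform(new DOMSource(element), new StreamResult(writer));
    }

    /** Compact (non-indented) XML for {@code object}; see {@link #getXmlContent(SAMLObject, boolean)}. */
    public String getXmlContent(SAMLObject object) {
        return getXmlContent(object, false);
    }

    /**
     * Marshalls {@code object} to DOM and serialises it. If marshalling fails the error is logged at info level
     * and {@code _unserializable_} is returned, so this is safe to call from log statements.
     *
     * @param pretty whether to indent the output
     */
    public String getXmlContent(SAMLObject object, boolean pretty) {
        try {
            return toString(XMLObjectSupport.marshall(object), pretty);
        } catch (MarshallingException e) {
            LOGGER.info("Error marshalling SAMLObject ", e);
            return UNSERIALIZABLE;
        }
    }

    /** Returns whether {@code element} has exactly the given namespace URI and local name. */
    public boolean elementNameMatches(Element element, String namespaceUri, String localName) {
        return localName.equals(element.getLocalName()) && namespaceUri.equals(element.getNamespaceURI());
    }

    /** Trimmed text of {@code element}, cut to {@code prefixLength} characters plus {@code ...} if longer. */
    public String text(Element element, int prefixLength) {
        return text(element, prefixLength, 0);
    }

    /**
     * Abbreviated text of the object's DOM, as in {@link #text(Element, int, int)}; {@code null} when the object
     * has no DOM.
     */
    public String text(XMLObject object, int prefixLength, int suffixLength) {
        final Element dom = object.getDOM();
        return dom == null ? null : text(dom, prefixLength, suffixLength);
    }

    /** Abbreviated text of the object's DOM with no suffix; {@code null} when the object has no DOM. */
    public String text(XMLObject object, int prefixLength) {
        return text(object, prefixLength, 0);
    }

    /**
     * Trimmed text content of {@code element}, abbreviated for display. Text no longer than
     * {@code prefixLength + suffixLength} is returned whole; otherwise the result is the first
     * {@code prefixLength} characters, {@code ...}, and (when {@code suffixLength > 0}) the last
     * {@code suffixLength} characters. The suffix is adjusted so that it never starts with an orphaned
     * trailing (low) surrogate, keeping the result valid UTF-16.
     */
    protected static String text(Element element, int prefixLength, int suffixLength) {
        final String content = element.getTextContent().trim();
        if (content.length() <= prefixLength + suffixLength) {
            return content;
        }
        final String prefix = Strings.cleanTruncate(content, prefixLength) + "...";
        if (suffixLength == 0) {
            return prefix;
        }
        int suffixStart = content.length() - suffixLength;
        // A low (trailing) surrogate at the cut belongs to the character just dropped; skipping it avoids
        // emitting half a surrogate pair. (A high surrogate here starts a complete pair and must be kept.)
        if (Character.isLowSurrogate(content.charAt(suffixStart))) {
            suffixStart++;
        }
        return prefix + content.substring(suffixStart);
    }

    /**
     * Short, loggable description of the credentials: for each one, the first 64 Base64 characters of its
     * DER-encoded X.509 certificate (or of its public key for non-X.509 credentials, or if the certificate
     * cannot be encoded) followed by {@code ...}; {@code <null>} for null entries; all joined by commas.
     * Only certificate and public-key bytes are ever read, never private key material.
     */
    public String describeCredentials(Collection<? extends Credential> credentials) {
        return credentials.stream().map(SamlFactory::describeCredential).collect(Collectors.joining(","));
    }

    private static String describeCredential(Credential credential) {
        if (credential == null) {
            return "<null>";
        }
        final String encoded = Base64.getEncoder().encodeToString(encodedPublicForm(credential));
        // Bound the cut so an unusually short encoding cannot throw out of a diagnostics helper.
        return encoded.substring(0, Math.min(CREDENTIAL_PREVIEW_LENGTH, encoded.length())) + "...";
    }

    /** Certificate bytes for X.509 credentials (public key bytes if encoding fails); public key bytes otherwise. */
    private static byte[] encodedPublicForm(Credential credential) {
        if (credential instanceof X509Credential) {
            try {
                return ((X509Credential) credential).getEntityCertificate().getEncoded();
            } catch (CertificateEncodingException e) {
                LOGGER.debug("Failed to encode entity certificate, describing the public key instead", e);
            }
        }
        return credential.getPublicKey().getEncoded();
    }

    /**
     * Marshalls {@code object} to a DOM element.
     *
     * @throws ElasticsearchSecurityException if marshalling fails
     */
    public Element toDomElement(XMLObject object) {
        try {
            return XMLObjectSupport.marshall(object);
        } catch (MarshallingException e) {
            throw new ElasticsearchSecurityException("failed to marshall SAML object to DOM element", e);
        }
    }

    /**
     * Creates a {@link Transformer} that cannot reach outside the document being transformed: secure processing
     * is enabled and access to external DTDs and stylesheets is disabled (empty protocol list). Warnings and
     * errors are surfaced as exceptions through {@link TransformerErrorListener}. Indented output uses two spaces.
     *
     * @throws TransformerConfigurationException if the factory does not support one of the required settings
     */
    @SuppressForbidden(reason = "This is the only allowed way to construct a Transformer")
    public Transformer getHardenedXMLTransformer() throws TransformerConfigurationException {
        final TransformerFactory factory = TransformerFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        factory.setAttribute("indent-number", 2);
        final Transformer transformer = factory.newTransformer();
        transformer.setErrorListener(new TransformerErrorListener());
        return transformer;
    }

    /**
     * Creates a namespace-aware, validating {@link DocumentBuilder} hardened against XML external entity (XXE)
     * and related attacks:
     * <ul>
     *   <li>DOCTYPE declarations are rejected outright; external general and parameter entities are disabled;
     *       external DTDs and DTD grammars are not loaded; entity references are not expanded;</li>
     *   <li>XInclude is off and secure processing is on;</li>
     *   <li>documents are validated against the given XML Schema files, resolved from the classpath; external
     *       DTD/schema access is limited to the {@code file} and {@code jar} protocols so those bundled schemas
     *       can be read while nothing is fetched over the network.</li>
     * </ul>
     * Every parser warning or error becomes an exception via {@link DocumentBuilderErrorHandler}.
     *
     * @param schemaFiles classpath resource paths of the XML Schema files to validate against
     * @throws ParserConfigurationException if the parser does not support one of the required features
     */
    @SuppressForbidden(reason = "This is the only allowed way to construct a DocumentBuilder")
    public static DocumentBuilder getHardenedBuilder(String[] schemaFiles) throws ParserConfigurationException {
        final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setValidating(true);
        // XXE defences: no DOCTYPE, no external entities, no external DTD.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setFeature("http://xml.org/sax/features/validation", true);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
        factory.setIgnoringComments(true);
        factory.setFeature("http://apache.org/xml/features/validation/schema/normalized-value", false);
        // Only local (classpath / jar) schema resources may be read; no http/https.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "file,jar");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "file,jar");
        factory.setFeature("http://apache.org/xml/features/honour-all-schemaLocations", true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Full XML Schema validation against the supplied schema files.
        factory.setAttribute("http://apache.org/xml/features/validation/schema", true);
        factory.setAttribute("http://apache.org/xml/features/validation/schema-full-checking", true);
        factory.setAttribute("http://java.sun.com/xml/jaxp/properties/schemaLanguage", XMLConstants.W3C_XML_SCHEMA_NS_URI);
        factory.setAttribute("http://java.sun.com/xml/jaxp/properties/schemaSource", resolveSchemaFilePaths(schemaFiles));
        final DocumentBuilder builder = factory.newDocumentBuilder();
        builder.setErrorHandler(new DocumentBuilderErrorHandler());
        return builder;
    }

    /**
     * Maps an XML Signature algorithm URI to the JCA signature algorithm name. Only the five listed URIs are
     * accepted; anything else is rejected rather than guessed.
     * NOTE(review): the SHA-1 variants are still mapped here; whether a SHA-1 signature should be accepted is a
     * policy decision that belongs to the caller.
     *
     * @throws IllegalArgumentException for an unsupported algorithm URI
     * @throws NullPointerException     if {@code uri} is null
     */
    public String getJavaAlorithmNameFromUri(String uri) {
        switch (uri) {
            case "http://www.w3.org/2000/09/xmldsig#dsa-sha1":
                return "SHA1withDSA";
            case "http://www.w3.org/2000/09/xmldsig#dsa-sha256":
                return "SHA256withDSA";
            case "http://www.w3.org/2000/09/xmldsig#rsa-sha1":
                return "SHA1withRSA";
            case "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256":
                return "SHA256withRSA";
            case "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256":
                return "SHA256withECDSA";
            default:
                throw new IllegalArgumentException("Unsupported signing algorithm identifier: " + uri);
        }
    }

    /**
     * Resolves classpath resource paths to URI strings for the parser's {@code schemaSource} attribute. A path
     * that is missing from the classpath or cannot be converted to a URI is logged and skipped rather than
     * aborting builder creation; with validation enabled, content relying on a skipped schema is expected to
     * fail validation rather than pass unchecked (confirm against the parser in use).
     */
    private static String[] resolveSchemaFilePaths(String[] relativePaths) {
        return Arrays.stream(relativePaths).map(SamlFactory::resolveSchemaFilePath).filter(Objects::nonNull).toArray(String[]::new);
    }

    /** URI string of one classpath schema resource, or {@code null} (after a warning) if it cannot be resolved. */
    private static String resolveSchemaFilePath(String relativePath) {
        final URL resource = SamlFactory.class.getResource(relativePath);
        if (resource == null) {
            // Previously a NullPointerException escaped here; handle it like the URI failure below instead.
            LOGGER.warn("Schema file [{}] was not found on the classpath", relativePath);
            return null;
        }
        try {
            return resource.toURI().toString();
        } catch (URISyntaxException e) {
            LOGGER.warn("Error resolving schema file path", e);
            return null;
        }
    }
}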
