package org.elasticsearch.xpack.idp.saml.idp;

import java.net.MalformedURLException;
import java.net.URL;
import java.security.PrivateKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.net.ssl.X509ExtendedKeyManager;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.ValidationException;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.env.Environment;
import org.elasticsearch.xpack.core.ssl.CertParsingUtils;
import org.elasticsearch.xpack.core.ssl.X509KeyPairSettings;
import org.elasticsearch.xpack.idp.saml.idp.SamlIdentityProvider;
import org.elasticsearch.xpack.idp.saml.sp.SamlServiceProviderResolver;
import org.elasticsearch.xpack.idp.saml.sp.ServiceProviderDefaults;
import org.elasticsearch.xpack.idp.saml.sp.WildcardServiceProviderResolver;
import org.opensaml.saml.saml2.metadata.ContactPersonTypeEnumeration;
import org.opensaml.security.x509.X509Credential;
import org.opensaml.security.x509.impl.X509KeyManagerX509CredentialAdapter;

/* loaded from: input_file:org/elasticsearch/xpack/idp/saml/idp/SamlIdentityProviderBuilder.class */
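/**
 * Builder for a {@link SamlIdentityProvider}.
 * <p>
 * State can be populated either from node settings ({@link #fromSettings(Environment)}) or
 * programmatically through the fluent setters. {@link #build()} collects every configuration
 * problem into a single {@link ValidationException} rather than failing on the first one.
 * <p>
 * Not thread-safe: a builder instance is expected to be used from a single thread.
 */
public class SamlIdentityProviderBuilder {
    /** SAML bindings used as keys of the SSO / SLO endpoint maps. */
    private static final String BINDING_HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";
    private static final String BINDING_HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
    private static final String NAMEID_FORMAT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient";

    /** NameID formats the settings-based configuration accepts; only the transient format is supported. */
    private static final List<String> ALLOWED_NAMEID_FORMATS = Collections.singletonList(NAMEID_FORMAT_TRANSIENT);

    public static final Setting<String> IDP_ENTITY_ID = Setting.simpleString("xpack.idp.entity_id", new Setting.Property[]{Setting.Property.NodeScope});
    public static final Setting<URL> IDP_SSO_REDIRECT_ENDPOINT = new Setting<>("xpack.idp.sso_endpoint.redirect", "https:",
        str -> parseUrl("xpack.idp.sso_endpoint.redirect", str), new Setting.Property[]{Setting.Property.NodeScope});
    public static final Setting<URL> IDP_SSO_POST_ENDPOINT = new Setting<>("xpack.idp.sso_endpoint.post", "https:",
        str -> parseUrl("xpack.idp.sso_endpoint.post", str), new Setting.Property[]{Setting.Property.NodeScope});
    public static final Setting<URL> IDP_SLO_REDIRECT_ENDPOINT = new Setting<>("xpack.idp.slo_endpoint.redirect", "https:",
        str -> parseUrl("xpack.idp.slo_endpoint.redirect", str), new Setting.Property[]{Setting.Property.NodeScope});
    public static final Setting<URL> IDP_SLO_POST_ENDPOINT = new Setting<>("xpack.idp.slo_endpoint.post", "https:",
        str -> parseUrl("xpack.idp.slo_endpoint.post", str), new Setting.Property[]{Setting.Property.NodeScope});
    public static final Setting<List<String>> IDP_ALLOWED_NAMEID_FORMATS = Setting.listSetting("xpack.idp.allowed_nameid_formats",
        Collections.singletonList(NAMEID_FORMAT_TRANSIENT), Function.identity(), SamlIdentityProviderBuilder::validateNameIDs,
        new Setting.Property[]{Setting.Property.NodeScope});
    public static final Setting<String> IDP_SIGNING_KEY_ALIAS = Setting.simpleString("xpack.idp.signing.keystore.alias", new Setting.Property[]{Setting.Property.NodeScope});
    public static final Setting<String> IDP_METADATA_SIGNING_KEY_ALIAS = Setting.simpleString("xpack.idp.metadata.signing.keystore.alias", new Setting.Property[]{Setting.Property.NodeScope});
    public static final Setting<String> IDP_ORGANIZATION_NAME = Setting.simpleString("xpack.idp.organization.name", new Setting.Property[]{Setting.Property.NodeScope});
    public static final Setting<String> IDP_ORGANIZATION_DISPLAY_NAME = Setting.simpleString("xpack.idp.organization.display_name", IDP_ORGANIZATION_NAME, new Setting.Property[]{Setting.Property.NodeScope});
    public static final Setting<URL> IDP_ORGANIZATION_URL = new Setting<>("xpack.idp.organization.url", "http:",
        str -> parseUrl("xpack.idp.organization.url", str), new Setting.Property[]{Setting.Property.NodeScope});
    public static final Setting<String> IDP_CONTACT_GIVEN_NAME = Setting.simpleString("xpack.idp.contact.given_name", new Setting.Property[]{Setting.Property.NodeScope});
    public static final Setting<String> IDP_CONTACT_SURNAME = Setting.simpleString("xpack.idp.contact.surname", new Setting.Property[]{Setting.Property.NodeScope});
    public static final Setting<String> IDP_CONTACT_EMAIL = Setting.simpleString("xpack.idp.contact.email", new Setting.Property[]{Setting.Property.NodeScope});

    private final SamlServiceProviderResolver serviceProviderResolver;
    private final WildcardServiceProviderResolver wildcardServiceResolver;
    private String entityId;
    // binding URN -> endpoint URL; the bulk setters may replace these (possibly with null), build() tolerates that
    private Map<String, URL> ssoEndpoints = new HashMap<>();
    private Map<String, URL> sloEndpoints = new HashMap<>();
    // initialised empty so allowedNameIdFormat() and build() work without fromSettings() (previously null -> NPE)
    private Set<String> allowedNameIdFormats = new HashSet<>();
    private X509Credential signingCredential;
    private X509Credential metadataSigningCredential;
    private SamlIdentityProvider.ContactInfo technicalContact;
    private SamlIdentityProvider.OrganizationInfo organization;
    private ServiceProviderDefaults serviceProviderDefaults;

    /*
     * Decompiler note: this constructor was package-private in the original source; the visibility is
     * kept as shown here so that existing callers are not affected.
     */
    public SamlIdentityProviderBuilder(SamlServiceProviderResolver samlServiceProviderResolver, WildcardServiceProviderResolver wildcardServiceProviderResolver) {
        this.serviceProviderResolver = samlServiceProviderResolver;
        this.wildcardServiceResolver = wildcardServiceProviderResolver;
    }

    /**
     * Validates the accumulated configuration and creates the identity provider.
     * <p>
     * The endpoint maps and the NameID-format set are snapshotted, so later changes to this builder
     * do not leak into the returned provider.
     *
     * @return the configured identity provider
     * @throws ValidationException if any required value is missing or a signing credential is unusable;
     *         all problems found are reported together
     */
    public SamlIdentityProvider build() throws ValidationException {
        final ValidationException validationException = new ValidationException();
        if (Strings.isNullOrEmpty(this.entityId)) {
            validationException.addValidationError("IDP Entity ID must be set (was [" + this.entityId + "])");
        }
        // the HTTP-Redirect SSO binding is the only one every SP can rely on, so it is mandatory
        if (this.ssoEndpoints == null || this.ssoEndpoints.containsKey(BINDING_HTTP_REDIRECT) == false) {
            validationException.addValidationError("The redirect ([ " + BINDING_HTTP_REDIRECT + "]) SSO binding is required");
        }
        // an IdP that can issue no NameID format at all is not usable; report it instead of building one
        if (this.allowedNameIdFormats.isEmpty()) {
            validationException.addValidationError("At least one allowed NameID format must be specified");
        }
        if (this.signingCredential == null) {
            validationException.addValidationError("Signing credential must be specified");
        } else {
            try {
                validateSigningKey(this.signingCredential.getPrivateKey());
            } catch (ElasticsearchSecurityException e) {
                validationException.addValidationError("Signing credential is invalid - " + e.getMessage());
            }
        }
        // metadata signing is optional, but if a credential is supplied it must be usable
        if (this.metadataSigningCredential != null) {
            try {
                validateSigningKey(this.metadataSigningCredential.getPrivateKey());
            } catch (ElasticsearchSecurityException e) {
                validationException.addValidationError("Metadata signing credential is invalid - " + e.getMessage());
            }
        }
        if (this.serviceProviderDefaults == null) {
            validationException.addValidationError("Service provider defaults must be specified");
        }
        if (validationException.validationErrors().isEmpty() == false) {
            throw validationException;
        }
        final Map<String, URL> sso = Collections.unmodifiableMap(new HashMap<>(this.ssoEndpoints));
        final Map<String, URL> slo = this.sloEndpoints == null
            ? Collections.<String, URL>emptyMap()
            : Collections.unmodifiableMap(new HashMap<>(this.sloEndpoints));
        final Set<String> nameIdFormats = Collections.unmodifiableSet(new HashSet<>(this.allowedNameIdFormats));
        return new SamlIdentityProvider(
            this.entityId,
            sso,
            slo,
            nameIdFormats,
            this.signingCredential,
            this.metadataSigningCredential,
            this.technicalContact,
            this.organization,
            this.serviceProviderDefaults,
            this.serviceProviderResolver,
            this.wildcardServiceResolver
        );
    }

    /**
     * Populates the builder from the node settings ({@code xpack.idp.*}).
     * <p>
     * Any endpoints, NameID formats or credentials previously set on this builder are replaced.
     *
     * @param environment the node environment whose settings and key material are read
     * @return this builder
     * @throws IllegalArgumentException if a required setting is absent or a configured keystore is unusable
     */
    public SamlIdentityProviderBuilder fromSettings(Environment environment) {
        final Settings settings = environment.settings();
        this.entityId = require(settings, IDP_ENTITY_ID);

        final Map<String, URL> sso = new HashMap<>();
        final Map<String, URL> slo = new HashMap<>();
        sso.put(BINDING_HTTP_REDIRECT, requiredUrl(settings, IDP_SSO_REDIRECT_ENDPOINT));
        if (IDP_SSO_POST_ENDPOINT.exists(settings)) {
            sso.put(BINDING_HTTP_POST, IDP_SSO_POST_ENDPOINT.get(settings));
        }
        if (IDP_SLO_POST_ENDPOINT.exists(settings)) {
            slo.put(BINDING_HTTP_POST, IDP_SLO_POST_ENDPOINT.get(settings));
        }
        if (IDP_SLO_REDIRECT_ENDPOINT.exists(settings)) {
            slo.put(BINDING_HTTP_REDIRECT, IDP_SLO_REDIRECT_ENDPOINT.get(settings));
        }
        this.ssoEndpoints = sso;
        this.sloEndpoints = slo;

        // the setting's validator (validateNameIDs) has already rejected unsupported formats at this point
        this.allowedNameIdFormats = new HashSet<>(IDP_ALLOWED_NAMEID_FORMATS.get(settings));
        this.signingCredential = buildSigningCredential(environment, settings, "xpack.idp.signing.");
        this.metadataSigningCredential = buildSigningCredential(environment, settings, "xpack.idp.metadata_signing.");
        this.technicalContact = buildContactInfo(settings);
        this.organization = buildOrganization(settings);
        return this;
    }

    /**
     * @return every node-scope setting this builder reads, for registration with the settings module
     */
    public static List<? extends Setting<?>> getSettings() {
        return Arrays.asList(IDP_ENTITY_ID, IDP_SLO_REDIRECT_ENDPOINT, IDP_SLO_POST_ENDPOINT, IDP_SSO_REDIRECT_ENDPOINT, IDP_SSO_POST_ENDPOINT, IDP_ALLOWED_NAMEID_FORMATS, IDP_SIGNING_KEY_ALIAS, IDP_METADATA_SIGNING_KEY_ALIAS, IDP_ORGANIZATION_NAME, IDP_ORGANIZATION_DISPLAY_NAME, IDP_ORGANIZATION_URL, IDP_CONTACT_GIVEN_NAME, IDP_CONTACT_SURNAME, IDP_CONTACT_EMAIL);
    }

    /** Sets the defaults applied to service providers; required by {@link #build()}. */
    public SamlIdentityProviderBuilder serviceProviderDefaults(ServiceProviderDefaults serviceProviderDefaults) {
        this.serviceProviderDefaults = serviceProviderDefaults;
        return this;
    }

    /** Sets the IdP entity ID; required by {@link #build()}. */
    public SamlIdentityProviderBuilder entityId(String str) {
        this.entityId = str;
        return this;
    }

    /**
     * Replaces all SSO endpoints (binding URN -> URL). The map is copied so that later changes to the
     * caller's map cannot alter this builder. A {@code null} map is reported by {@link #build()}.
     */
    public SamlIdentityProviderBuilder singleSignOnEndpoints(Map<String, URL> map) {
        this.ssoEndpoints = map == null ? null : new HashMap<>(map);
        return this;
    }

    /**
     * Replaces all SLO endpoints (binding URN -> URL). The map is copied; {@code null} means "no SLO endpoints".
     */
    public SamlIdentityProviderBuilder singleLogoutEndpoints(Map<String, URL> map) {
        this.sloEndpoints = map == null ? null : new HashMap<>(map);
        return this;
    }

    /** Adds (or replaces) the SSO endpoint for one binding URN. */
    public SamlIdentityProviderBuilder singleSignOnEndpoint(String str, URL url) {
        if (this.ssoEndpoints == null) {
            this.ssoEndpoints = new HashMap<>();
        }
        this.ssoEndpoints.put(str, url);
        return this;
    }

    /** Adds (or replaces) the SLO endpoint for one binding URN. */
    public SamlIdentityProviderBuilder singleLogoutEndpoint(String str, URL url) {
        if (this.sloEndpoints == null) {
            this.sloEndpoints = new HashMap<>();
        }
        this.sloEndpoints.put(str, url);
        return this;
    }

    /**
     * Adds a NameID format the IdP may issue.
     * <p>
     * Unlike the {@code xpack.idp.allowed_nameid_formats} setting, this programmatic path is not checked
     * against {@link #ALLOWED_NAMEID_FORMATS}; callers are responsible for passing a supported format.
     */
    public SamlIdentityProviderBuilder allowedNameIdFormat(String str) {
        this.allowedNameIdFormats.add(str);
        return this;
    }

    /** Sets the credential used to sign assertions and responses; required by {@link #build()}. */
    public SamlIdentityProviderBuilder signingCredential(X509Credential x509Credential) {
        this.signingCredential = x509Credential;
        return this;
    }

    /** Sets the (optional) credential used to sign the IdP metadata document. */
    public SamlIdentityProviderBuilder metadataSigningCredential(X509Credential x509Credential) {
        this.metadataSigningCredential = x509Credential;
        return this;
    }

    /** Sets the (optional) technical contact published in the IdP metadata. */
    public SamlIdentityProviderBuilder technicalContact(SamlIdentityProvider.ContactInfo contactInfo) {
        this.technicalContact = contactInfo;
        return this;
    }

    /** Sets the (optional) organization published in the IdP metadata. */
    public SamlIdentityProviderBuilder organization(SamlIdentityProvider.OrganizationInfo organizationInfo) {
        this.organization = organizationInfo;
        return this;
    }

    /**
     * Parses a setting value as a URL.
     * <p>
     * Only syntactic validity is checked: any scheme the JDK knows is accepted, so the transport
     * security of an endpoint is not enforced here. Decompiler note: originally private.
     *
     * @param str  the setting key, used in the error message
     * @param str2 the raw setting value
     * @return the parsed URL
     * @throws IllegalArgumentException if {@code str2} is not a valid URL (the cause is the {@link MalformedURLException})
     */
    public static URL parseUrl(String str, String str2) {
        try {
            return new URL(str2);
        } catch (MalformedURLException e) {
            throw new IllegalArgumentException("Invalid value [" + str2 + "] for [" + str + "]. Not a valid URL", e);
        }
    }

    /**
     * Setting validator for {@link #IDP_ALLOWED_NAMEID_FORMATS}.
     *
     * @throws IllegalArgumentException naming every value that is not in {@link #ALLOWED_NAMEID_FORMATS}
     */
    private static void validateNameIDs(List<String> list) {
        final Set<String> unsupported = list.stream()
            .filter(format -> ALLOWED_NAMEID_FORMATS.contains(format) == false)
            .collect(Collectors.toSet());
        if (unsupported.isEmpty() == false) {
            throw new IllegalArgumentException(unsupported + " are not valid NameID formats. Allowed values are " + ALLOWED_NAMEID_FORMATS);
        }
    }

    /**
     * @return the value of a string setting that must be present
     * @throws IllegalArgumentException if the setting has no value
     */
    static String require(Settings settings, Setting<String> setting) {
        if (settings.hasValue(setting.getKey()) == false) {
            throw new IllegalArgumentException("The configuration setting [" + setting.getKey() + "] is required");
        }
        return setting.get(settings);
    }

    /**
     * @return the value of a URL setting that must be present
     * @throws IllegalArgumentException if the setting has no value
     */
    static URL requiredUrl(Settings settings, Setting<URL> setting) {
        if (settings.hasValue(setting.getKey()) == false) {
            throw new IllegalArgumentException("The configuration setting [" + setting.getKey() + "] is required");
        }
        return setting.get(settings);
    }

    /**
     * Loads the single signing credential configured under {@code prefix}.
     *
     * @return the credential, or {@code null} if no keystore/key is configured under the prefix
     * @throws IllegalArgumentException if the keystore holds no usable key, or more than one key when no alias is set
     */
    static X509Credential buildSigningCredential(Environment environment, Settings settings, String prefix) {
        final List<X509Credential> credentials = buildCredentials(environment, settings, prefix, false);
        return credentials.isEmpty() ? null : credentials.get(0);
    }

    /**
     * Loads the signing credential(s) configured under {@code prefix} (e.g. {@code xpack.idp.signing.}).
     * <p>
     * If {@code prefix + "keystore.alias"} is set, only that alias is used; otherwise every RSA and EC
     * key pair in the keystore is considered, and more than one is an error unless {@code allowMultiple}.
     *
     * @return the credentials, empty if no key material is configured under the prefix
     * @throws IllegalArgumentException if the keystore has no RSA/EC key, has several when only one is allowed,
     *         or a selected alias does not yield a usable private key
     */
    static List<X509Credential> buildCredentials(Environment environment, Settings settings, String prefix, boolean allowMultiple) {
        final X509ExtendedKeyManager keyManager = CertParsingUtils.getKeyManager(X509KeyPairSettings.withPrefix(prefix, false), settings, (String) null, environment);
        if (keyManager == null) {
            return Collections.emptyList();
        }

        final Set<String> aliases = new HashSet<>();
        final String configuredAlias = settings.get(prefix + "keystore.alias");
        if (Strings.isNullOrEmpty(configuredAlias)) {
            // no explicit alias: discover every key of a supported algorithm in the keystore
            for (String algorithm : new String[]{"RSA", "EC"}) {
                final String[] found = keyManager.getServerAliases(algorithm, null);
                if (found != null) {
                    aliases.addAll(Arrays.asList(found));
                }
            }
            if (aliases.isEmpty()) {
                throw new IllegalArgumentException("The configured keystore for [" + prefix + "keystore] does not contain any RSA or EC key pairs.");
            }
            if (aliases.size() > 1 && allowMultiple == false) {
                throw new IllegalArgumentException("The configured keystore for [" + prefix + "keystore] contains multiple private key entries, when one was expected.");
            }
        } else {
            aliases.add(configuredAlias);
        }

        final List<X509Credential> credentials = new ArrayList<>(aliases.size());
        for (String alias : aliases) {
            try {
                // a missing alias yields a null private key, which validateSigningKey rejects
                validateSigningKey(keyManager.getPrivateKey(alias));
                credentials.add(new X509KeyManagerX509CredentialAdapter(keyManager, alias));
            } catch (ElasticsearchSecurityException e) {
                // keep the original exception as the cause so the failure stays diagnosable
                throw new IllegalArgumentException(
                    "The configured credential [" + prefix + "keystore] with alias [" + alias + "] is not a valid signing key - " + e.getMessage(), e);
            }
        }
        return credentials;
    }

    /**
     * Checks that a private key exists and uses an algorithm the IdP can sign with (RSA or EC).
     *
     * @throws ElasticsearchSecurityException if the key is absent or uses another algorithm
     */
    private static void validateSigningKey(PrivateKey privateKey) {
        if (privateKey == null) {
            throw new ElasticsearchSecurityException("There is no private key available for this credential", new Object[0]);
        }
        final String algorithm = privateKey.getAlgorithm();
        if ("RSA".equals(algorithm) == false && "EC".equals(algorithm) == false) {
            throw new ElasticsearchSecurityException("The private key uses unsupported key algorithm type [" + algorithm + "], only RSA and EC are supported", new Object[0]);
        }
    }

    /**
     * @return the organization info from {@code xpack.idp.organization.*}, or {@code null} if none of the
     *         three values is configured
     */
    private static SamlIdentityProvider.OrganizationInfo buildOrganization(Settings settings) {
        final String name = settings.hasValue(IDP_ORGANIZATION_NAME.getKey()) ? IDP_ORGANIZATION_NAME.get(settings) : null;
        final String displayName = settings.hasValue(IDP_ORGANIZATION_DISPLAY_NAME.getKey()) ? IDP_ORGANIZATION_DISPLAY_NAME.get(settings) : null;
        final String url = settings.hasValue(IDP_ORGANIZATION_URL.getKey()) ? IDP_ORGANIZATION_URL.get(settings).toString() : null;
        if (name == null && displayName == null && url == null) {
            return null;
        }
        return new SamlIdentityProvider.OrganizationInfo(name, displayName, url);
    }

    /**
     * @return the technical contact from {@code xpack.idp.contact.*}, or {@code null} if no e-mail is
     *         configured (the e-mail is what makes the contact entry meaningful)
     */
    private static SamlIdentityProvider.ContactInfo buildContactInfo(Settings settings) {
        if (settings.hasValue(IDP_CONTACT_EMAIL.getKey()) == false) {
            return null;
        }
        return new SamlIdentityProvider.ContactInfo(
            ContactPersonTypeEnumeration.TECHNICAL,
            IDP_CONTACT_GIVEN_NAME.get(settings),
            IDP_CONTACT_SURNAME.get(settings),
            IDP_CONTACT_EMAIL.get(settings)
        );
    }
}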
