package org.elasticsearch.xpack.idp.saml.idp;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.xpack.idp.action.SamlMetadataResponse;
import org.elasticsearch.xpack.idp.saml.sp.SamlServiceProvider;
import org.elasticsearch.xpack.idp.saml.support.SamlFactory;
import org.elasticsearch.xpack.idp.saml.support.SamlInit;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.impl.EntityDescriptorMarshaller;
import org.opensaml.security.x509.X509Credential;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.Signer;
import org.w3c.dom.Element;

/* loaded from: input_file:org/elasticsearch/xpack/idp/saml/idp/SamlMetadataGenerator.class */
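/**
 * Produces the SAML 2.0 {@code EntityDescriptor} metadata document that this Identity Provider
 * shares with a registered Service Provider.
 *
 * <p>The generated metadata advertises the IdP's SSO and SLO endpoints for the HTTP-Redirect and
 * HTTP-POST bindings, the supported NameID formats, organisation and technical contact, and (when a
 * signing credential is configured) the IdP's signing certificate. If a metadata signing credential
 * is configured the whole document is additionally enveloped-signed with RSA-SHA256.
 *
 * <p>This class holds only final references; its thread-safety follows that of the supplied
 * {@link SamlFactory} and {@link SamlIdentityProvider}.
 */
public class SamlMetadataGenerator {
    private static final Logger logger = LogManager.getLogger(SamlMetadataGenerator.class);

    // SAML 2.0 binding URIs for the SSO/SLO endpoints advertised in the metadata.
    private static final String BINDING_HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";
    private static final String BINDING_HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";

    // NameID formats this IdP advertises.
    private static final String NAMEID_FORMAT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";
    private static final String NAMEID_FORMAT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient";

    // XML-DSig algorithms used when the metadata document is signed. Both are kept as explicit
    // constants so a reviewer can see at a glance which signature and canonicalization methods are
    // produced (no SHA-1, exclusive C14N without comments).
    private static final String SIGNATURE_ALGORITHM_RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    private static final String C14N_ALGORITHM_EXCLUSIVE = "http://www.w3.org/2001/10/xml-exc-c14n#";

    private final SamlFactory samlFactory;
    private final SamlIdentityProvider idp;

    /**
     * @param samlFactory          factory used to build OpenSAML objects and serialise DOM elements
     * @param samlIdentityProvider the IdP whose configuration (entity id, endpoints, credentials,
     *                             contacts) is rendered into the metadata
     */
    public SamlMetadataGenerator(SamlFactory samlFactory, SamlIdentityProvider samlIdentityProvider) {
        this.samlFactory = samlFactory;
        this.idp = samlIdentityProvider;
        // OpenSAML must be bootstrapped before any builder/marshaller is used.
        SamlInit.initialize();
    }

    /**
     * Resolves the service provider identified by {@code spEntityId} and, if it is registered,
     * answers the listener with the (possibly signed) IdP metadata XML for it.
     *
     * <p>Failures are reported only through the listener: an unregistered SP yields an
     * {@link IllegalArgumentException}; any error while building, signing or serialising the
     * descriptor is logged at debug level and forwarded unchanged.
     *
     * @param spEntityId the SAML entity id of the service provider requesting the metadata
     * @param acs        second lookup key handed to the resolver (expected to be the SP's Assertion
     *                   Consumer Service URL — confirm against
     *                   {@code SamlIdentityProvider#resolveServiceProvider})
     * @param listener   receives the metadata response or the failure
     */
    public void generateMetadata(String spEntityId, String acs, ActionListener<SamlMetadataResponse> listener) {
        // The boolean flag's meaning is defined by resolveServiceProvider; it is passed as true here
        // as it always has been for metadata generation.
        this.idp.resolveServiceProvider(spEntityId, acs, true, listener.delegateFailureAndWrap((delegate, serviceProvider) -> {
            try {
                if (serviceProvider == null) {
                    delegate.onFailure(new IllegalArgumentException(
                        "Service provider with Entity ID [" + spEntityId + "] is not registered with this Identity Provider"
                    ));
                    return;
                }
                final EntityDescriptor descriptor = buildEntityDescriptor(serviceProvider);
                final Element element = possiblySignDescriptor(descriptor, this.idp.getMetadataSigningCredential());
                // The boolean passed to toString is a formatting option of SamlFactory (kept as false, as before).
                delegate.onResponse(new SamlMetadataResponse(this.samlFactory.toString(element, false)));
            } catch (Exception e) {
                // Debug level only: the failure is surfaced to the caller through the listener.
                logger.debug("Error generating IDP metadata to share with [" + spEntityId + "]", e);
                delegate.onFailure(e);
            }
        }));
    }

    /**
     * Builds the unsigned {@link EntityDescriptor} for this IdP, tailored to the given service
     * provider (currently only whether AuthnRequests from it are required to be signed).
     *
     * @param serviceProvider the registered SP the metadata is generated for
     * @return the assembled descriptor (not yet marshalled or signed)
     * @throws Exception propagated from the metadata builder
     */
    EntityDescriptor buildEntityDescriptor(SamlServiceProvider serviceProvider) throws Exception {
        final SamlIdPMetadataBuilder builder = new SamlIdPMetadataBuilder(this.idp.getEntityId())
            .wantAuthnRequestsSigned(serviceProvider.shouldSignAuthnRequests())
            .withSingleSignOnServiceUrl(BINDING_HTTP_REDIRECT, this.idp.getSingleSignOnEndpoint(BINDING_HTTP_REDIRECT))
            .withSingleSignOnServiceUrl(BINDING_HTTP_POST, this.idp.getSingleSignOnEndpoint(BINDING_HTTP_POST))
            .withSingleLogoutServiceUrl(BINDING_HTTP_REDIRECT, this.idp.getSingleLogoutEndpoint(BINDING_HTTP_REDIRECT))
            .withSingleLogoutServiceUrl(BINDING_HTTP_POST, this.idp.getSingleLogoutEndpoint(BINDING_HTTP_POST))
            .withNameIdFormat(NAMEID_FORMAT_PERSISTENT)
            .withNameIdFormat(NAMEID_FORMAT_TRANSIENT)
            .organization(this.idp.getOrganization())
            .withContact(this.idp.getTechnicalContact());

        // The signing certificate is advertised only when the IdP actually has a signing credential;
        // this is the certificate SPs use to verify assertions/responses, distinct from the metadata
        // signing credential used in possiblySignDescriptor.
        final X509Credential signingCredential = this.idp.getSigningCredential();
        if (signingCredential != null) {
            builder.withSigningCertificate(signingCredential.getEntityCertificate());
        }
        return builder.build();
    }

    /**
     * Marshals the descriptor to a DOM element and, when a credential is supplied, signs it with an
     * enveloped RSA-SHA256 / exclusive-C14N XML signature.
     *
     * @param entityDescriptor the descriptor to serialise
     * @param credential       the metadata signing credential, or {@code null} to leave the
     *                         document unsigned
     * @return the marshalled element; it carries the signature when {@code credential} is non-null
     * @throws MarshallingException if the descriptor cannot be marshalled
     * @throws SignatureException   if signing fails
     */
    Element possiblySignDescriptor(EntityDescriptor entityDescriptor, X509Credential credential)
        throws MarshallingException, SignatureException {
        final EntityDescriptorMarshaller marshaller = new EntityDescriptorMarshaller();
        if (credential == null) {
            return marshaller.marshall(entityDescriptor);
        }

        final Signature signature = this.samlFactory.buildObject(Signature.class, Signature.DEFAULT_ELEMENT_NAME);
        signature.setSigningCredential(credential);
        signature.setSignatureAlgorithm(SIGNATURE_ALGORITHM_RSA_SHA256);
        signature.setCanonicalizationAlgorithm(C14N_ALGORITHM_EXCLUSIVE);
        entityDescriptor.setSignature(signature);

        // Order matters: OpenSAML computes the signature over the marshalled DOM and inserts it in
        // place, so marshalling must happen before signObject and the same element is returned.
        final Element element = marshaller.marshall(entityDescriptor);
        Signer.signObject(signature);
        return element;
    }
}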
