package org.elasticsearch.xpack.idp.action;

import java.time.Clock;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.support.ActionFilters;
import org.elasticsearch.action.support.HandledTransportAction;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.logging.LoggerMessageFormat;
import org.elasticsearch.common.util.concurrent.EsExecutors;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.transport.TransportService;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.authc.support.SecondaryAuthentication;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.idp.privileges.UserPrivilegeResolver;
import org.elasticsearch.xpack.idp.saml.authn.FailedAuthenticationResponseMessageBuilder;
import org.elasticsearch.xpack.idp.saml.authn.SuccessfulAuthenticationResponseMessageBuilder;
import org.elasticsearch.xpack.idp.saml.authn.UserServiceAuthentication;
import org.elasticsearch.xpack.idp.saml.idp.SamlIdentityProvider;
import org.elasticsearch.xpack.idp.saml.sp.SamlServiceProvider;
import org.elasticsearch.xpack.idp.saml.support.SamlAuthenticationState;
import org.elasticsearch.xpack.idp.saml.support.SamlFactory;
import org.elasticsearch.xpack.idp.saml.support.SamlInitiateSingleSignOnException;

/* loaded from: input_file:org/elasticsearch/xpack/idp/action/TransportSamlInitiateSingleSignOnAction.class */
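/**
 * Transport action behind the IdP "initiate single sign-on" API.
 * <p>
 * The flow, each step an async callback on the previous one:
 * <ol>
 *   <li>resolve the registered service provider (SP) for the requested entity ID and ACS URL;</li>
 *   <li>read the SSO subject from the request's <em>secondary</em> authentication
 *       (there is no user to assert without it);</li>
 *   <li>resolve that user's privileges against the SP's privilege configuration
 *       (see {@link #buildUserFromAuthentication});</li>
 *   <li>build a signed/serialised SAML response for the user.</li>
 * </ol>
 * Every failure in steps 1-3 is turned into a {@link SamlInitiateSingleSignOnException} by
 * {@link #writeFailureResponse}. When the request carries a {@link SamlAuthenticationState}
 * (i.e. it answers an SP-initiated AuthnRequest) that exception also carries a SAML failure
 * response so the caller can still deliver a status to the SP.
 * <p>
 * Note for reviewers: on the success path the entity ID and ACS in the reply are taken from the
 * registered SP object, never from the request; on the failure path the request-supplied ACS
 * is echoed into the failure response, which is unavoidable when the SP is unknown but worth
 * keeping in mind.
 */
public class TransportSamlInitiateSingleSignOnAction extends HandledTransportAction<SamlInitiateSingleSignOnRequest, SamlInitiateSingleSignOnResponse> {
    private static final Logger logger = LogManager.getLogger(TransportSamlInitiateSingleSignOnAction.class);

    // SAML 2.0 top-level status codes used in the responses built here.
    private static final String STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
    private static final String STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester";
    private static final String STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder";

    private final SecurityContext securityContext;
    private final SamlIdentityProvider identityProvider;
    private final SamlFactory samlFactory;
    private final UserPrivilegeResolver privilegeResolver;

    /**
     * @param transportService     transport layer the action is registered with
     * @param actionFilters        standard action filter chain
     * @param securityContext      thread-context accessor used to read the secondary authentication
     * @param samlIdentityProvider the IdP configuration; resolves SPs and is handed to the response builders
     * @param samlFactory          XML/SAML object factory used to serialise responses
     * @param userPrivilegeResolver resolves the SSO user's privileges for a given SP
     */
    @Inject
    public TransportSamlInitiateSingleSignOnAction(TransportService transportService, ActionFilters actionFilters, SecurityContext securityContext, SamlIdentityProvider samlIdentityProvider, SamlFactory samlFactory, UserPrivilegeResolver userPrivilegeResolver) {
        // Runs on the calling thread; all real work is async via listeners.
        super(SamlInitiateSingleSignOnAction.NAME, transportService, actionFilters, SamlInitiateSingleSignOnRequest::new, EsExecutors.DIRECT_EXECUTOR_SERVICE);
        this.securityContext = securityContext;
        this.identityProvider = samlIdentityProvider;
        this.samlFactory = samlFactory;
        this.privilegeResolver = userPrivilegeResolver;
    }

    /**
     * Entry point: step 1 of the flow. Looks up the SP and hands off to
     * {@link #onServiceProviderResolved}; a lookup error becomes a Responder-status failure.
     */
    protected void doExecute(Task task, SamlInitiateSingleSignOnRequest request, ActionListener<SamlInitiateSingleSignOnResponse> listener) {
        final SamlAuthenticationState authnState = request.getSamlAuthenticationState();
        final String spEntityId = request.getSpEntityId();
        final String acsUrl = request.getAssertionConsumerService();
        // NOTE(review): the boolean argument presumably controls whether disabled/unlisted SPs are
        // returned — confirm against SamlIdentityProvider.resolveServiceProvider before relying on it.
        identityProvider.resolveServiceProvider(spEntityId, acsUrl, false, ActionListener.wrap(
            sp -> onServiceProviderResolved(sp, authnState, spEntityId, acsUrl, listener),
            e -> writeFailureResponse(listener, buildResponderSamlInitiateSingleSignOnException(authnState, spEntityId, acsUrl, e))
        ));
    }

    /**
     * Step 2: the SP lookup completed. A {@code null} SP means nothing is registered for that
     * entity ID / ACS pair (BAD_REQUEST, Responder status). Otherwise the SSO subject is read
     * from the secondary authentication; without one the request is rejected (FORBIDDEN,
     * Requester status) before any privilege resolution happens.
     */
    private void onServiceProviderResolved(SamlServiceProvider sp, SamlAuthenticationState authnState, String spEntityId, String acsUrl, ActionListener<SamlInitiateSingleSignOnResponse> listener) {
        if (sp == null) {
            writeFailureResponse(listener, buildSamlInitiateSingleSignOnException(authnState, spEntityId, acsUrl, STATUS_RESPONDER, RestStatus.BAD_REQUEST,
                "Service Provider with Entity ID [{}] and ACS [{}] is not known to this Identity Provider", null, spEntityId, acsUrl));
            return;
        }
        final SecondaryAuthentication secondaryAuth = SecondaryAuthentication.readFromContext(securityContext);
        if (secondaryAuth == null) {
            writeFailureResponse(listener, buildSamlInitiateSingleSignOnException(authnState, spEntityId, acsUrl, STATUS_REQUESTER, RestStatus.FORBIDDEN,
                "Request is missing secondary authentication", null));
            return;
        }
        buildUserFromAuthentication(secondaryAuth, sp, ActionListener.wrap(
            userAuth -> onUserResolved(userAuth, secondaryAuth, sp, authnState, spEntityId, acsUrl, listener),
            e -> writeFailureResponse(listener, buildResponderSamlInitiateSingleSignOnException(authnState, spEntityId, acsUrl, e))
        ));
    }

    /**
     * Step 4: privileges were resolved. {@code null} means the user has no access to the SP
     * (FORBIDDEN, Requester status). Otherwise the success response is built; building can throw
     * (it serialises the SAML message) and that failure is reported as-is. The response is built
     * first and the listener notified afterwards, so an exception thrown by the listener itself
     * is never mistaken for a build failure and re-reported through this catch.
     */
    private void onUserResolved(UserServiceAuthentication userAuth, SecondaryAuthentication secondaryAuth, SamlServiceProvider sp, SamlAuthenticationState authnState, String spEntityId, String acsUrl, ActionListener<SamlInitiateSingleSignOnResponse> listener) {
        if (userAuth == null) {
            writeFailureResponse(listener, buildSamlInitiateSingleSignOnException(authnState, spEntityId, acsUrl, STATUS_REQUESTER, RestStatus.FORBIDDEN,
                "User [{}] is not permitted to access service [{}]", null, secondaryAuth.getUser().principal(), sp.getEntityId()));
            return;
        }
        final SamlInitiateSingleSignOnResponse response;
        try {
            response = buildSuccessResponse(userAuth, authnState);
        } catch (ElasticsearchException e) {
            listener.onFailure(e);
            return;
        }
        listener.onResponse(response);
    }

    /**
     * Builds and serialises the successful SAML response for {@code userAuth}.
     * The entity ID and ACS URL placed in the reply come from the registered SP attached to
     * {@code userAuth}, not from the request, so a caller cannot redirect the response elsewhere.
     * {@code authnState} (may be {@code null}) ties the response to the originating AuthnRequest.
     */
    private SamlInitiateSingleSignOnResponse buildSuccessResponse(UserServiceAuthentication userAuth, SamlAuthenticationState authnState) {
        final SamlServiceProvider sp = userAuth.getServiceProvider();
        final SuccessfulAuthenticationResponseMessageBuilder builder = new SuccessfulAuthenticationResponseMessageBuilder(samlFactory, Clock.systemUTC(), identityProvider);
        final String xml = samlFactory.getXmlContent(builder.build(userAuth, authnState));
        return new SamlInitiateSingleSignOnResponse(sp.getEntityId(), sp.getAssertionConsumerService().toString(), xml, STATUS_SUCCESS, null);
    }

    /**
     * Step 3: resolves the secondary user's privileges for {@code sp} and, if the user has
     * access, yields a {@link UserServiceAuthentication} carrying principal, full name, email and
     * the resolved roles. Yields {@code null} when {@code hasAccess} is false; resolver errors are
     * delegated to the listener unchanged.
     * <p>
     * The resolver is invoked inside {@code secondaryAuthentication.execute(...)}; presumably this
     * swaps the thread context to the secondary user so privileges are evaluated for the SSO
     * subject rather than for the API caller — confirm against SecondaryAuthentication.
     */
    private void buildUserFromAuthentication(SecondaryAuthentication secondaryAuthentication, SamlServiceProvider sp, ActionListener<UserServiceAuthentication> listener) {
        final User user = secondaryAuthentication.getUser();
        secondaryAuthentication.execute(ignoredStoredContext -> {
            privilegeResolver.resolve(sp.getPrivileges(), listener.delegateFailureAndWrap((delegate, userPrivileges) -> {
                if (userPrivileges.hasAccess == false) {
                    delegate.onResponse(null);
                    return;
                }
                logger.debug("Resolved [{}] for [{}]", userPrivileges, user);
                delegate.onResponse(new UserServiceAuthentication(user.principal(), user.fullName(), user.email(), userPrivileges.roles, sp));
            }));
            return null;
        });
    }

    /** Logs the failure at debug (full exception) and completes the listener with it. */
    private void writeFailureResponse(ActionListener<SamlInitiateSingleSignOnResponse> listener, SamlInitiateSingleSignOnException failure) {
        logger.debug("Failed to generate a successful SAML response: ", failure);
        listener.onFailure(failure);
    }

    /**
     * Builds the exception reported for every non-success outcome.
     *
     * @param authnState   state of the originating AuthnRequest, or {@code null} for IdP-initiated SSO.
     *                     When present, a SAML failure response (InResponseTo, ACS, primary status code)
     *                     is built and attached so the caller can still deliver a status to the SP.
     * @param spEntityId   entity ID from the request
     * @param acsUrl       ACS URL from the request; echoed into the failure response as its destination
     * @param statusCode   SAML top-level status URN
     * @param restStatus   HTTP status for the API caller
     * @param messageFormat {@link LoggerMessageFormat} pattern for the human-readable message
     * @param cause        underlying exception, may be {@code null}
     * @param args         pattern arguments
     */
    private SamlInitiateSingleSignOnException buildSamlInitiateSingleSignOnException(SamlAuthenticationState authnState, String spEntityId, String acsUrl, String statusCode, RestStatus restStatus, String messageFormat, Exception cause, Object... args) {
        final String message = LoggerMessageFormat.format(messageFormat, args);
        if (authnState == null) {
            return new SamlInitiateSingleSignOnException(message, restStatus, cause);
        }
        final FailedAuthenticationResponseMessageBuilder builder = new FailedAuthenticationResponseMessageBuilder(samlFactory, Clock.systemUTC(), identityProvider)
            .setInResponseTo(authnState.getAuthnRequestId())
            .setAcsUrl(acsUrl)
            .setPrimaryStatusCode(statusCode);
        final String xml = samlFactory.getXmlContent(builder.build());
        // The message also travels as the status message of the response object handed to the caller.
        final SamlInitiateSingleSignOnResponse failureResponse = new SamlInitiateSingleSignOnResponse(spEntityId, acsUrl, xml, statusCode, message);
        return new SamlInitiateSingleSignOnException(message, restStatus, cause, failureResponse);
    }

    /**
     * Wraps an unexpected downstream error (SP lookup, privilege resolution) as a Responder-status
     * failure, with the HTTP status derived from the cause.
     * <p>
     * {@code cause.getMessage()} is used as the message pattern with no arguments, so any
     * {@code {}} it contains is left literal. Note this surfaces the raw internal exception text to
     * the API caller (and into the failure response's status message); consider whether that is
     * desirable for every cause.
     */
    private SamlInitiateSingleSignOnException buildResponderSamlInitiateSingleSignOnException(SamlAuthenticationState authnState, String spEntityId, String acsUrl, Exception cause) {
        return buildSamlInitiateSingleSignOnException(authnState, spEntityId, acsUrl, STATUS_RESPONDER, ExceptionsHelper.status(cause), cause.getMessage(), cause);
    }
}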
