package pl.edu.icm.unity.saml.slo;

import eu.emi.security.authn.x509.X509Credential;
import eu.unicore.samly2.SAMLConstants;
import eu.unicore.samly2.elements.NameID;
import eu.unicore.samly2.exceptions.SAMLErrorResponseException;
import eu.unicore.samly2.exceptions.SAMLResponderException;
import eu.unicore.samly2.exceptions.SAMLValidationException;
import eu.unicore.samly2.proto.LogoutRequest;
import eu.unicore.samly2.trust.SamlTrustChecker;
import eu.unicore.samly2.trust.StrictSamlTrustChecker;
import eu.unicore.samly2.validators.LogoutResponseValidator;
import eu.unicore.security.dsig.DSigException;
import eu.unicore.security.wsutil.samlclient.SAMLLogoutClient;
import eu.unicore.util.httpclient.DefaultClientConfiguration;
import eu.unicore.util.httpclient.IClientConfiguration;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.servlet.http.HttpServletResponse;
import org.apache.logging.log4j.Logger;
import org.apache.xmlbeans.XmlException;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.PKIManagement;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.saml.SAMLEndpointDefinition;
import pl.edu.icm.unity.saml.SAMLProcessingException;
import pl.edu.icm.unity.saml.SAMLSessionParticipant;
import pl.edu.icm.unity.saml.SamlProperties;
import pl.edu.icm.unity.webui.idpcommon.EopException;
import xmlbeans.org.oasis.saml2.assertion.NameIDType;
import xmlbeans.org.oasis.saml2.protocol.LogoutResponseDocument;
import xmlbeans.org.oasis.saml2.protocol.StatusType;

/* loaded from: input_file:pl/edu/icm/unity/saml/slo/InternalLogoutProcessor.class */
public class InternalLogoutProcessor {
    private static final Logger log = Log.getLogger("unity.server.saml", InternalLogoutProcessor.class);
    private static final long DEF_LOGOUT_REQ_VALIDITY = 60000;
    private PKIManagement pkiManagement;
    private LogoutContextsStore contextsStore;
    private SLOAsyncResponseHandler responseHandler;
    private String consumerEndpointUri;

    public InternalLogoutProcessor(PKIManagement pKIManagement, LogoutContextsStore logoutContextsStore, SLOAsyncResponseHandler sLOAsyncResponseHandler, String str) {
        this.pkiManagement = pKIManagement;
        this.contextsStore = logoutContextsStore;
        this.responseHandler = sLOAsyncResponseHandler;
        this.consumerEndpointUri = str;
    }

    public void continueAsyncLogout(SAMLInternalLogoutContext sAMLInternalLogoutContext, HttpServletResponse httpServletResponse) throws IOException, EopException {
        InterimLogoutRequest selectNextAsyncParticipantForLogout = selectNextAsyncParticipantForLogout(sAMLInternalLogoutContext);
        if (selectNextAsyncParticipantForLogout != null) {
            log.debug("Logging out participant in async mode: " + selectNextAsyncParticipantForLogout.getEndpoint());
            this.responseHandler.sendRequest(selectNextAsyncParticipantForLogout.getEndpoint().getBinding(), selectNextAsyncParticipantForLogout.getRequest(), selectNextAsyncParticipantForLogout.getEndpoint().getUrl(), sAMLInternalLogoutContext, httpServletResponse);
        } else {
            logoutSynchronousParticipants(sAMLInternalLogoutContext);
            log.debug("Async logout process of session peers is completed");
            this.contextsStore.removeInternalContext(sAMLInternalLogoutContext.getRelayState());
            sAMLInternalLogoutContext.getFinishCallback().finished(httpServletResponse, sAMLInternalLogoutContext);
        }
    }

    public void logoutSynchronousParticipants(SAMLInternalLogoutContext sAMLInternalLogoutContext) {
        List<SAMLSessionParticipant> toBeLoggedOut = sAMLInternalLogoutContext.getToBeLoggedOut();
        for (int i = 0; i < toBeLoggedOut.size(); i++) {
            SAMLSessionParticipant sAMLSessionParticipant = toBeLoggedOut.get(i);
            SAMLEndpointDefinition sAMLEndpointDefinition = sAMLSessionParticipant.getLogoutEndpoints().get(SamlProperties.Binding.SOAP);
            if (sAMLEndpointDefinition != null) {
                toBeLoggedOut.remove(i);
                try {
                    log.debug("Logging out participant via SOAP: " + sAMLSessionParticipant);
                    updateContextAfterParicipantLogout(sAMLInternalLogoutContext, sAMLSessionParticipant, new SAMLLogoutClient(sAMLEndpointDefinition.getUrl(), createSoapClientConfig(sAMLSessionParticipant)).logout(createLogoutRequest(sAMLSessionParticipant, sAMLEndpointDefinition).getXMLBeanDoc()));
                } catch (Exception e) {
                    log.debug("Logging out the participant " + sAMLSessionParticipant + " via SOAP failed", e);
                    sAMLInternalLogoutContext.getFailed().add(sAMLSessionParticipant);
                }
            }
        }
    }

    public void handleAsyncLogoutResponse(LogoutResponseDocument logoutResponseDocument, String str, HttpServletResponse httpServletResponse) throws IOException, EopException {
        if (str == null) {
            this.responseHandler.showError(new SAMLProcessingException("A logout response was received without relay state. It can not be processed."), httpServletResponse);
            return;
        }
        SAMLInternalLogoutContext internalContext = this.contextsStore.getInternalContext(str);
        if (internalContext == null) {
            this.responseHandler.showError(new SAMLProcessingException("A logout response was received with invalid relay state. It can not be processed."), httpServletResponse);
            return;
        }
        if (internalContext.getCurrent() == null || internalContext.getCurrentRequestId() == null) {
            this.responseHandler.showError(new SAMLProcessingException("A logout response was received associated with invalid logout process. It can not be processed."), httpServletResponse);
            return;
        }
        try {
            try {
                new LogoutResponseValidator(this.consumerEndpointUri, internalContext.getCurrentRequestId(), prepareResponseTrustChecker(internalContext.getCurrent())).validate(logoutResponseDocument);
            } catch (SAMLValidationException e) {
                this.responseHandler.showError(new SAMLProcessingException("An invalid logout response was received.", e), httpServletResponse);
                return;
            } catch (SAMLErrorResponseException e2) {
            }
            if (!logoutResponseDocument.getLogoutResponse().getIssuer().getStringValue().equals(internalContext.getCurrent().getIdentifier())) {
                this.responseHandler.showError(new SAMLProcessingException("An invalid logout response was received - it is not matching the previous request."), httpServletResponse);
            } else {
                updateContextAfterParicipantLogout(internalContext, internalContext.getCurrent(), logoutResponseDocument);
                continueAsyncLogout(internalContext, httpServletResponse);
            }
        } catch (EngineException e3) {
            this.responseHandler.showError(new SAMLProcessingException("Internal error - can't establish valid certificates for the session participant", e3), httpServletResponse);
        }
    }

    private SamlTrustChecker prepareResponseTrustChecker(SAMLSessionParticipant sAMLSessionParticipant) throws EngineException {
        Set<String> participantsCertificates = sAMLSessionParticipant.getParticipantsCertificates();
        StrictSamlTrustChecker strictSamlTrustChecker = new StrictSamlTrustChecker();
        ArrayList arrayList = new ArrayList();
        Iterator<String> it = participantsCertificates.iterator();
        while (it.hasNext()) {
            arrayList.add(this.pkiManagement.getCertificate(it.next()).value.getPublicKey());
        }
        strictSamlTrustChecker.addTrustedIssuer(sAMLSessionParticipant.getIdentifier(), (String) null, arrayList);
        return strictSamlTrustChecker;
    }

    private InterimLogoutRequest selectNextAsyncParticipantForLogout(SAMLInternalLogoutContext sAMLInternalLogoutContext) {
        SAMLSessionParticipant findNextForAsyncLogout;
        SAMLEndpointDefinition sAMLEndpointDefinition;
        LogoutRequest logoutRequest = null;
        do {
            findNextForAsyncLogout = findNextForAsyncLogout(sAMLInternalLogoutContext);
            if (findNextForAsyncLogout == null) {
                return null;
            }
            sAMLEndpointDefinition = findNextForAsyncLogout.getLogoutEndpoints().get(SamlProperties.Binding.HTTP_POST);
            if (sAMLEndpointDefinition == null) {
                sAMLEndpointDefinition = findNextForAsyncLogout.getLogoutEndpoints().get(SamlProperties.Binding.HTTP_REDIRECT);
            }
            try {
                logoutRequest = createLogoutRequest(findNextForAsyncLogout, sAMLEndpointDefinition);
                break;
            } catch (SAMLResponderException e) {
                log.debug("Can not prepare logout request for " + findNextForAsyncLogout, e);
                sAMLInternalLogoutContext.getFailed().add(findNextForAsyncLogout);
            }
        } while (logoutRequest == null);
        sAMLInternalLogoutContext.setCurrent(findNextForAsyncLogout);
        sAMLInternalLogoutContext.setCurrentRequestId(logoutRequest.getXMLBean().getID());
        return new InterimLogoutRequest(logoutRequest.getXMLBeanDoc(), sAMLInternalLogoutContext.getRelayState(), sAMLEndpointDefinition);
    }

    private SAMLSessionParticipant findNextForAsyncLogout(SAMLInternalLogoutContext sAMLInternalLogoutContext) {
        List<SAMLSessionParticipant> toBeLoggedOut = sAMLInternalLogoutContext.getToBeLoggedOut();
        for (int i = 0; i < toBeLoggedOut.size(); i++) {
            SAMLSessionParticipant sAMLSessionParticipant = toBeLoggedOut.get(i);
            if (sAMLSessionParticipant.getLogoutEndpoints().containsKey(SamlProperties.Binding.HTTP_POST) || sAMLSessionParticipant.getLogoutEndpoints().containsKey(SamlProperties.Binding.HTTP_REDIRECT)) {
                toBeLoggedOut.remove(i);
                return sAMLSessionParticipant;
            }
        }
        return null;
    }

    private NameIDType getIssuer(String str) {
        return new NameID(str, "urn:oasis:names:tc:SAML:2.0:nameid-format:entity").getXBean();
    }

    private LogoutRequest createLogoutRequest(SAMLSessionParticipant sAMLSessionParticipant, SAMLEndpointDefinition sAMLEndpointDefinition) throws SAMLResponderException {
        try {
            LogoutRequest logoutRequest = new LogoutRequest(getIssuer(sAMLSessionParticipant.getLocalSamlId()), NameIDType.Factory.parse(sAMLSessionParticipant.getPrincipalNameAtParticipant()));
            logoutRequest.setNotAfter(new Date(System.currentTimeMillis() + DEF_LOGOUT_REQ_VALIDITY));
            logoutRequest.setSessionIds(new String[]{sAMLSessionParticipant.getSessionIndex()});
            logoutRequest.getXMLBean().setDestination(sAMLEndpointDefinition.getUrl());
            try {
                X509Credential credential = this.pkiManagement.getCredential(sAMLSessionParticipant.getLocalCredentialName());
                logoutRequest.sign(credential.getKey(), credential.getCertificateChain());
                return logoutRequest;
            } catch (DSigException e) {
                log.warn("Unable to sign SLO request", e);
                throw new SAMLResponderException("Internal server error signing request.");
            } catch (EngineException e2) {
                log.warn("Unable to extract credential " + sAMLSessionParticipant.getLocalCredentialName() + " to sign SLO request", e2);
                throw new SAMLResponderException("Internal server error signing request.");
            }
        } catch (XmlException e3) {
            log.error("Can't parse a stored logged user's identity", e3);
            throw new SAMLResponderException("Internal error");
        }
    }

    private void updateContextAfterParicipantLogout(SAMLInternalLogoutContext sAMLInternalLogoutContext, SAMLSessionParticipant sAMLSessionParticipant, LogoutResponseDocument logoutResponseDocument) {
        StatusType status = logoutResponseDocument.getLogoutResponse().getStatus();
        if (SAMLConstants.Status.STATUS_OK.toString().equals(status.getStatusCode().getValue())) {
            log.debug("Successful logout of participant " + sAMLSessionParticipant);
            sAMLInternalLogoutContext.getLoggedOut().add(sAMLSessionParticipant);
        } else {
            log.debug("Logging out the participant " + sAMLSessionParticipant + " failed, received status is: " + status.getStatusCode().getValue() + " - " + status.getStatusMessage() + " " + status.getStatusDetail());
            sAMLInternalLogoutContext.getFailed().add(sAMLSessionParticipant);
        }
        sAMLInternalLogoutContext.setCurrent(null);
        sAMLInternalLogoutContext.setCurrentRequestId(null);
    }

    private IClientConfiguration createSoapClientConfig(SAMLSessionParticipant sAMLSessionParticipant) throws EngineException {
        return new DefaultClientConfiguration(this.pkiManagement.getMainAuthnAndTrust().getValidator(), this.pkiManagement.getCredential(sAMLSessionParticipant.getLocalCredentialName()));
    }
}
