package pl.edu.icm.unity.saml.slo;

import eu.emi.security.authn.x509.X509Credential;
import eu.unicore.samly2.SAMLBindings;
import eu.unicore.samly2.SAMLConstants;
import eu.unicore.samly2.binding.SAMLMessageType;
import eu.unicore.samly2.elements.NameID;
import eu.unicore.samly2.exceptions.SAMLRequesterException;
import eu.unicore.samly2.exceptions.SAMLResponderException;
import eu.unicore.samly2.exceptions.SAMLServerException;
import eu.unicore.samly2.messages.SAMLMessage;
import eu.unicore.samly2.messages.XMLExpandedMessage;
import eu.unicore.samly2.proto.LogoutResponse;
import eu.unicore.samly2.slo.LogoutRequestParser;
import eu.unicore.samly2.slo.LogoutRequestValidator;
import eu.unicore.samly2.slo.ParsedLogoutRequest;
import eu.unicore.samly2.trust.SamlTrustChecker;
import eu.unicore.samly2.validators.ReplayAttackChecker;
import eu.unicore.security.dsig.DSigException;
import java.io.IOException;
import java.security.PublicKey;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import javax.servlet.http.HttpServletResponse;
import org.apache.logging.log4j.Logger;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.authn.LoginSession;
import pl.edu.icm.unity.engine.api.config.UnityServerConfiguration;
import pl.edu.icm.unity.engine.api.identity.IdentityResolver;
import pl.edu.icm.unity.engine.api.session.SessionManagement;
import pl.edu.icm.unity.engine.api.session.SessionParticipantTypesRegistry;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.saml.SAMLEndpointDefinition;
import pl.edu.icm.unity.saml.SAMLProcessingException;
import pl.edu.icm.unity.saml.SamlProperties;
import pl.edu.icm.unity.saml.idp.IdentityTypeMapper;
import pl.edu.icm.unity.saml.slo.SAMLInternalLogoutContext;
import pl.edu.icm.unity.types.basic.EntityParam;
import pl.edu.icm.unity.webui.idpcommon.EopException;
import xmlbeans.org.oasis.saml2.assertion.NameIDType;
import xmlbeans.org.oasis.saml2.protocol.LogoutRequestDocument;
import xmlbeans.org.oasis.saml2.protocol.LogoutResponseDocument;

/* loaded from: input_file:pl/edu/icm/unity/saml/slo/SAMLLogoutProcessor.class */
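/**
 * Processes SAML Single Logout (SLO) requests received from a session participant.
 * <p>
 * Two entry points exist: {@link #handleSynchronousLogoutFromSAML} for the SOAP (back-channel)
 * binding, which returns the logout response document directly, and
 * {@link #handleAsyncLogoutFromSAML} for front-channel bindings, where the response is written
 * to the servlet response by {@link SLOAsyncMessageHandler}, possibly after an asynchronous
 * round trip through other session participants.
 * <p>
 * Every request is first parsed and validated (see {@link #parseRequest}) before any session is
 * resolved or removed, and the request issuer must be a participant of the resolved session
 * with an SLO endpoint registered for the binding the request arrived on (see
 * {@link #initFromSAML}). Error responses are only ever sent to a return URL taken from the
 * issuer's configured SLO endpoints, never to a URL supplied in the request.
 */
public class SAMLLogoutProcessor {
    private static final Logger log = Log.getLogger("unity.server.saml", SAMLLogoutProcessor.class);

    /** NameID format used for the issuer element of responses produced by this processor. */
    private static final String ENTITY_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity";
    private static final String LOGOUT_START_ERROR = "A logout process can not be started";

    private final SessionManagement sessionManagement;
    private final UnityServerConfiguration.LogoutMode logoutMode;
    private final SessionParticipantTypesRegistry registry;
    private final IdentityResolver idResolver;
    private final LogoutContextsStore contextsStore;
    private final ReplayAttackChecker replayChecker;
    private final SLOAsyncMessageHandler responseHandler;
    private final InternalLogoutProcessor internalProcessor;
    private final IdentityTypeMapper identityTypeMapper;
    /** URI of this server's SLO consumer endpoint, checked by the request validator. */
    private final String consumerEndpointUri;
    /** Accepted age of an incoming request, passed to the request validator. */
    private final long requestValidity;
    private final String localSamlId;
    private final X509Credential localSamlCredential;
    private final SamlTrustProvider trustProvider;
    private final String realm;

    /**
     * Supplies trust-related information about SAML peers: the trust checker, the SLO endpoints
     * and the trusted public keys of a given issuer.
     */
    public interface SamlTrustProvider {
        SamlTrustChecker getTrustChecker();

        /** SLO endpoints configured for the given issuer; may return {@code null} when none are known. */
        Collection<SAMLEndpointDefinition> getSLOEndpoints(NameIDType nameIDType);

        /** Public keys against which messages from the given issuer are verified. */
        List<PublicKey> getTrustedKeys(NameIDType nameIDType);
    }

    /**
     * Creates the processor.
     *
     * @param consumerEndpointUri URI of the local SLO endpoint, used for request validation
     * @param requestValidity accepted request age, forwarded to the request validator
     * @param localSamlId SAML entity id of this server, used as issuer of responses
     * @param localSamlCredential credential used to sign responses
     * @param realm authentication realm in which sessions are looked up
     * @param config server configuration; only the {@code logoutMode} value is read
     */
    public SAMLLogoutProcessor(SessionManagement sessionManagement,
            SessionParticipantTypesRegistry registry, IdentityResolver idResolver,
            LogoutContextsStore contextsStore, ReplayAttackChecker replayChecker,
            SLOAsyncMessageHandler responseHandler, InternalLogoutProcessor internalProcessor,
            IdentityTypeMapper identityTypeMapper, String consumerEndpointUri, long requestValidity,
            String localSamlId, X509Credential localSamlCredential, SamlTrustProvider trustProvider,
            String realm, UnityServerConfiguration config) {
        this.sessionManagement = sessionManagement;
        this.registry = registry;
        this.idResolver = idResolver;
        this.contextsStore = contextsStore;
        this.replayChecker = replayChecker;
        this.responseHandler = responseHandler;
        this.internalProcessor = internalProcessor;
        this.identityTypeMapper = identityTypeMapper;
        this.consumerEndpointUri = consumerEndpointUri;
        this.requestValidity = requestValidity;
        this.localSamlId = localSamlId;
        this.localSamlCredential = localSamlCredential;
        this.trustProvider = trustProvider;
        this.realm = realm;
        this.logoutMode = config.getEnumValue("logoutMode", UnityServerConfiguration.LogoutMode.class);
    }

    /**
     * Handles a logout request received over the SOAP binding.
     * <p>
     * The request is validated, the session is resolved, synchronous participants are logged out
     * (unless the logout mode is {@code internalOnly}), the local session is removed and a signed
     * logout response is returned. Any {@link SAMLServerException} raised on the way is converted
     * into a SAML error response instead of being propagated.
     *
     * @param requestDoc the received logout request
     * @return the logout response document to return to the requester (success, partial logout or error)
     */
    public LogoutResponseDocument handleSynchronousLogoutFromSAML(LogoutRequestDocument requestDoc) {
        try {
            SAMLMessage<LogoutRequestDocument> message = new SAMLMessage<>(
                    new XMLExpandedMessage(requestDoc, requestDoc.getLogoutRequest()),
                    (String) null, SAMLBindings.SOAP, requestDoc);
            // The SOAP flow is fully synchronous, so the external context is not stored.
            SAMLExternalLogoutContext externalContext = initFromSAML(message, false);
            String issuer = requestDoc.getLogoutRequest().getIssuer().getStringValue();
            SAMLInternalLogoutContext internalContext = new SAMLInternalLogoutContext(
                    externalContext.getSession(), issuer, null, registry, null);
            if (logoutMode != UnityServerConfiguration.LogoutMode.internalOnly) {
                internalProcessor.logoutSynchronousParticipants(internalContext);
            }
            boolean partial = !internalContext.allCorrectlyLoggedOut();
            sessionManagement.removeSession(internalContext.getSession().getId(), false);
            SAMLEndpointDefinition soapEndpoint = externalContext.getInitiator().getLogoutEndpoints()
                    .get(SamlProperties.Binding.SOAP);
            return prepareFinalLogoutResponse(externalContext, soapEndpoint, partial);
        } catch (SAMLServerException e) {
            log.warn("SOAP Logout request processing finished with error, converting it to SAML error response", e);
            return new LogoutResponse(getIssuer(localSamlId), requestDoc.getLogoutRequest().getID(), e)
                    .getXMLBeanDoc();
        }
    }

    /**
     * Handles a logout request received over a front-channel (asynchronous) binding.
     * <p>
     * The external logout context is stored so that the flow can be resumed after other
     * participants have been visited. How the remaining participants are handled depends on the
     * configured logout mode; in every case the SAML response is eventually produced by
     * {@link #internalLogoutFinished}. Errors raised before the internal logout is started are
     * reported to the requester by {@link #handleEarlyError}.
     *
     * @param samlMessage the received logout request with its binding and relay state
     * @param response servlet response used to deliver the answer
     * @throws IOException when writing the response fails
     * @throws EopException when the response has been fully handled and processing must stop
     */
    public void handleAsyncLogoutFromSAML(SAMLMessage<LogoutRequestDocument> samlMessage,
            HttpServletResponse response) throws IOException, EopException {
        try {
            SAMLExternalLogoutContext externalContext = initFromSAML(samlMessage, true);
            // Issuer comes from the (already validated) request, so it is logged as a parameter,
            // not concatenated into the message.
            log.info("Handling SAML logout request from {}",
                    externalContext.getRequest().getIssuer().getStringValue());
            String issuer = samlMessage.messageDocument.getLogoutRequest().getIssuer().getStringValue();
            SAMLInternalLogoutContext internalContext = new SAMLInternalLogoutContext(
                    externalContext.getSession(), issuer, new SAMLInternalLogoutContext.AsyncLogoutFinishCallback() {
                        @Override
                        public void finished(HttpServletResponse callbackResponse,
                                SAMLInternalLogoutContext finishedContext) {
                            try {
                                internalLogoutFinished(callbackResponse, finishedContext);
                            } catch (EopException ignored) {
                                // NOTE(review): EopException appears to signal that the response was
                                // already written; nothing is left to do in the callback — confirm.
                            }
                        }
                    }, registry, externalContext.getInternalRelayState());
            switch (logoutMode) {
                case internalAndAsyncPeers:
                    // The internal context must be findable by relay state when the peers call back.
                    contextsStore.addInternalContext(externalContext.getInternalRelayState(), internalContext);
                    internalProcessor.continueAsyncLogout(internalContext, response);
                    break;
                case internalAndSyncPeers:
                    internalProcessor.logoutSynchronousParticipants(internalContext);
                    internalLogoutFinished(response, internalContext);
                    break;
                case internalOnly:
                    internalLogoutFinished(response, internalContext);
                    break;
                default:
                    // Previously silently ignored; make the dropped request visible in the log.
                    log.warn("Unsupported logout mode {}, SAML logout request is not finalized", logoutMode);
                    break;
            }
        } catch (SAMLServerException e) {
            handleEarlyError(e, samlMessage.messageDocument, samlMessage.relayState, response,
                    SamlProperties.Binding.of(samlMessage.binding));
        }
    }

    /**
     * Reports an error that occurred before a logout context could be established.
     * <p>
     * A SAML error response is sent to the issuer's configured SLO endpoint matching the request
     * binding. When the issuer is missing, unknown, or has no endpoint for that binding, a generic
     * error page is shown instead (the return URL is never taken from the request itself).
     *
     * @param error the failure to report
     * @param request the request that failed
     * @param relayState relay state of the request, echoed in the error response
     * @param response servlet response used for delivery
     * @param binding binding the request arrived on
     */
    private void handleEarlyError(SAMLServerException error, LogoutRequestDocument request, String relayState,
            HttpServletResponse response, SamlProperties.Binding binding) throws IOException, EopException {
        NameIDType issuer = request.getLogoutRequest().getIssuer();
        if (issuer == null || issuer.getStringValue() == null) {
            showLogoutStartError(error, response);
            return;
        }
        Collection<SAMLEndpointDefinition> sloEndpoints = trustProvider.getSLOEndpoints(issuer);
        if (sloEndpoints == null) {
            showLogoutStartError(error, response);
            return;
        }
        SAMLEndpointDefinition endpoint = null;
        for (SAMLEndpointDefinition candidate : sloEndpoints) {
            if (candidate.getBinding() == binding) {
                endpoint = candidate;
                break;
            }
        }
        if (endpoint == null) {
            showLogoutStartError(error, response);
            return;
        }
        responseHandler.sendErrorResponse(binding, error, endpoint.getReturnUrl(), localSamlId, relayState,
                request.getLogoutRequest().getID(), response);
    }

    /**
     * Shows the generic "logout can not be started" error page. Callers return right after this
     * call so that no further processing happens even if the handler returns normally.
     */
    private void showLogoutStartError(SAMLServerException cause, HttpServletResponse response)
            throws IOException, EopException {
        responseHandler.showError(new SAMLProcessingException(LOGOUT_START_ERROR, cause), response);
    }

    /**
     * Parses and validates the request, resolves the targeted login session and builds the
     * external logout context.
     *
     * @param samlMessage the received request
     * @param storeContext whether to register the context in the contexts store (needed for the
     *        asynchronous flow, which resumes later by relay state)
     * @return the external logout context
     * @throws SAMLRequesterException when the issuer is not a participant of the resolved session
     * @throws SAMLResponderException when the issuer has no SLO endpoint for the request binding
     * @throws SAMLServerException when parsing, validation or session resolution fails
     */
    private SAMLExternalLogoutContext initFromSAML(SAMLMessage<LogoutRequestDocument> samlMessage,
            boolean storeContext) throws SAMLServerException {
        LoginSession session = resolveRequest(parseRequest(samlMessage));
        SamlProperties.Binding binding = SamlProperties.Binding.of(samlMessage.binding);
        SAMLExternalLogoutContext context = new SAMLExternalLogoutContext(localSamlId,
                samlMessage.messageDocument, samlMessage.relayState, binding, session, registry);
        // Only a participant of the session may terminate it.
        if (context.getInitiator() == null) {
            throw new SAMLRequesterException(SAMLConstants.SubStatus.STATUS2_REQUEST_DENIED,
                    "The request issuer is not among session participants");
        }
        // The response goes back over the same binding, so the initiator needs an endpoint for it.
        if (!context.getInitiator().getLogoutEndpoints().containsKey(binding)) {
            throw new SAMLResponderException(SAMLConstants.SubStatus.STATUS2_REQUEST_DENIED,
                    "The request issuer has no logout endpoint defined with a binding used to submit the request: "
                            + binding);
        }
        if (storeContext) {
            contextsStore.addSAMLExternalContext(context);
        }
        return context;
    }

    /**
     * Completes the asynchronous flow once the internal logout has finished: looks up the external
     * context by relay state and sends the final response, or shows an error when the context is
     * gone or the response can not be delivered.
     *
     * @throws EopException when the response has been fully handled and processing must stop
     */
    private void internalLogoutFinished(HttpServletResponse response, SAMLInternalLogoutContext internalContext)
            throws EopException {
        String relayState = internalContext.getRelayState();
        boolean partial = !internalContext.allCorrectlyLoggedOut();
        SAMLExternalLogoutContext externalContext = contextsStore.getSAMLExternalContext(relayState);
        try {
            if (externalContext == null) {
                log.error("Can not find SAML external logout context {}", relayState);
                responseHandler.showError(
                        new SAMLProcessingException("Can not find SAML external logout context"), response);
                return;
            }
            finishAsyncLogoutFromSAML(externalContext, partial, response, relayState);
        } catch (IOException e) {
            log.error("Finalization of logout failed", e);
            try {
                responseHandler.showError(
                        new SAMLProcessingException("Internal error handling logout request"), response);
            } catch (IOException e2) {
                log.error("Showing error failed", e2);
            }
        }
    }

    /**
     * Removes the local session, drops the stored external context and sends the logout response
     * over the binding the request arrived on. Signing and responder failures are reported to the
     * initiator as SAML error responses.
     *
     * @param partial whether some participants failed to log out (sets the partial-logout status)
     * @param relayState key under which the external context is stored
     */
    private void finishAsyncLogoutFromSAML(SAMLExternalLogoutContext externalContext, boolean partial,
            HttpServletResponse response, String relayState) throws IOException, EopException {
        sessionManagement.removeSession(externalContext.getSession().getId(), false);
        SamlProperties.Binding binding = externalContext.getRequestBinding();
        SAMLEndpointDefinition endpoint = externalContext.getInitiator().getLogoutEndpoints().get(binding);
        try {
            SamlRoutableSignableMessage<LogoutResponseDocument> logoutResponse =
                    prepareLogoutResponse(externalContext, endpoint, partial);
            // Context is dropped before sending so that a late callback can not replay the flow.
            contextsStore.removeSAMLExternalContext(relayState);
            responseHandler.sendResponse(binding, logoutResponse, response);
        } catch (DSigException e) {
            log.error("Problem signing SLO response", e);
            responseHandler.sendErrorResponse(binding, new SAMLResponderException("Server error signing response"),
                    endpoint.getReturnUrl(), externalContext, response);
        } catch (SAMLResponderException e) {
            responseHandler.sendErrorResponse(binding, e, endpoint.getReturnUrl(), externalContext, response);
        }
    }

    /**
     * Builds the (not yet signed) logout response addressed to the given endpoint.
     *
     * @param partial when true the response carries the partial-logout status
     * @return the response wrapped for signing and routing, carrying the requester's relay state
     */
    private SamlRoutableSignableMessage<LogoutResponseDocument> prepareLogoutResponse(
            SAMLExternalLogoutContext externalContext, SAMLEndpointDefinition endpoint, boolean partial)
            throws SAMLResponderException {
        LogoutResponse logoutResponse = new LogoutResponse(
                getIssuer(externalContext.getLocalSessionAuthorityId()), externalContext.getRequest().getID());
        logoutResponse.getXMLBean().setDestination(endpoint.getReturnUrl());
        if (partial) {
            logoutResponse.setPartialLogout();
        }
        return new SamlRoutableSignableMessage<>(logoutResponse, localSamlCredential,
                SAMLMessageType.SAMLResponse, externalContext.getRequestersRelayState(), endpoint.getReturnUrl());
    }

    /**
     * Builds and signs the logout response for the synchronous flow.
     *
     * @throws SAMLResponderException when signing fails
     */
    private LogoutResponseDocument prepareFinalLogoutResponse(SAMLExternalLogoutContext externalContext,
            SAMLEndpointDefinition endpoint, boolean partial) throws SAMLResponderException {
        try {
            return prepareLogoutResponse(externalContext, endpoint, partial).getSignedMessage();
        } catch (DSigException e) {
            log.warn("Unable to sign SLO response", e);
            throw new SAMLResponderException("Internal server error signing response.");
        }
    }

    /**
     * Resolves the login session targeted by a validated logout request.
     * <p>
     * The subject NameID is mapped to a local identity and then to a session owned by that
     * identity in the configured realm. A failure to resolve the identity is reported as an
     * unknown principal; a failure to find the session as a missing authentication context.
     *
     * @throws SAMLRequesterException when the principal or its session can not be found
     */
    private LoginSession resolveRequest(ParsedLogoutRequest request) throws SAMLRequesterException {
        NameIDType subject = request.getSubject();
        // NOTE(review): the format may be absent from the request; how mapIdentity() treats a
        // null format is not visible here — confirm.
        String unityIdentityType = identityTypeMapper.mapIdentity(subject.getFormat());
        long localEntity;
        try {
            localEntity = idResolver.resolveIdentity(subject.getStringValue(), new String[] {unityIdentityType},
                    request.getIssuer().getStringValue(), realm);
        } catch (EngineException e) {
            log.debug("Identity from the SLO request could not be resolved", e);
            throw new SAMLRequesterException(SAMLConstants.SubStatus.STATUS2_UNKNOWN_PRINCIPAL,
                    "The principal is not known");
        }
        try {
            return sessionManagement.getOwnedSession(new EntityParam(Long.valueOf(localEntity)), realm);
        } catch (EngineException e) {
            log.debug("Login session for the SLO request could not be found", e);
            throw new SAMLRequesterException(SAMLConstants.SubStatus.STATUS2_NO_AUTHN_CONTEXT,
                    "The login session was not found");
        }
    }

    /**
     * Parses the request, running the library validator configured with the local consumer
     * endpoint URI, the request validity window, the replay checker and the trust provider's
     * key lookup. Validation errors already expressed as {@link SAMLRequesterException} are
     * rethrown unchanged; any other failure is wrapped into one.
     */
    private ParsedLogoutRequest parseRequest(SAMLMessage<LogoutRequestDocument> samlMessage)
            throws SAMLRequesterException {
        try {
            LogoutRequestValidator validator = new LogoutRequestValidator(consumerEndpointUri, requestValidity,
                    replayChecker, trustProvider::getTrustedKeys);
            return new LogoutRequestParser(validator, localSamlCredential.getKey()).parseRequest(samlMessage);
        } catch (SAMLRequesterException e) {
            throw e;
        } catch (Exception e) {
            throw new SAMLRequesterException("Can't parse SAML SLO request", e);
        }
    }

    /** Builds an entity-format NameID issuer element for the given entity id. */
    private NameIDType getIssuer(String entityId) {
        return new NameID(entityId, ENTITY_NAMEID_FORMAT).getXBean();
    }
}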
