package org.springframework.security.saml.websso;

import java.util.Iterator;
import org.joda.time.DateTime;
import org.opensaml.common.SAMLException;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.SAMLObjectBuilder;
import org.opensaml.common.SAMLVersion;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.LogoutRequest;
import org.opensaml.saml2.core.LogoutResponse;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.SessionIndex;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.StatusMessage;
import org.opensaml.saml2.metadata.Endpoint;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.SingleLogoutService;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.validation.ValidationException;
import org.springframework.security.saml.SAMLConstants;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.SAMLStatusException;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.storage.SAMLMessageStorage;
import org.springframework.security.saml.util.SAMLUtil;
import org.springframework.util.Assert;

/* loaded from: input_file:WEB-INF/lib/spring-security-saml2-core-1.0.10.RELEASE.jar:org/springframework/security/saml/websso/SingleLogoutProfileImpl.class */
public class SingleLogoutProfileImpl extends AbstractProfileBase implements SingleLogoutProfile {
    @Override // org.springframework.security.saml.websso.AbstractProfileBase
    public String getProfileIdentifier() {
        return SAMLConstants.SAML2_SLO_PROFILE_URI;
    }

    @Override // org.springframework.security.saml.websso.SingleLogoutProfile
    public void sendLogoutRequest(SAMLMessageContext sAMLMessageContext, SAMLCredential sAMLCredential) throws SAMLException, MetadataProviderException, MessageEncodingException {
        if (sAMLCredential == null) {
            return;
        }
        IDPSSODescriptor iDPSSODescriptor = (IDPSSODescriptor) sAMLMessageContext.getPeerEntityRoleMetadata();
        SingleLogoutService logoutServiceForBinding = SAMLUtil.getLogoutServiceForBinding(iDPSSODescriptor, SAMLUtil.getLogoutBinding(iDPSSODescriptor, (SPSSODescriptor) sAMLMessageContext.getLocalEntityRoleMetadata()));
        LogoutRequest logoutRequest = getLogoutRequest(sAMLMessageContext, sAMLCredential, logoutServiceForBinding);
        sAMLMessageContext.setCommunicationProfileId(getProfileIdentifier());
        sAMLMessageContext.setOutboundMessage(logoutRequest);
        sAMLMessageContext.setOutboundSAMLMessage(logoutRequest);
        sAMLMessageContext.setPeerEntityEndpoint(logoutServiceForBinding);
        SAMLMessageStorage messageStorage = sAMLMessageContext.getMessageStorage();
        if (messageStorage != null) {
            messageStorage.storeMessage(logoutRequest.getID(), logoutRequest);
        }
        sendMessage(sAMLMessageContext, sAMLMessageContext.getPeerExtendedMetadata().isRequireLogoutRequestSigned());
    }

    protected LogoutRequest getLogoutRequest(SAMLMessageContext sAMLMessageContext, SAMLCredential sAMLCredential, Endpoint endpoint) throws SAMLException, MetadataProviderException {
        LogoutRequest logoutRequest = (LogoutRequest) ((SAMLObjectBuilder) this.builderFactory.getBuilder(LogoutRequest.DEFAULT_ELEMENT_NAME)).mo15728buildObject();
        buildCommonAttributes(sAMLMessageContext.getLocalEntityId(), logoutRequest, endpoint);
        SAMLObjectBuilder sAMLObjectBuilder = (SAMLObjectBuilder) this.builderFactory.getBuilder(SessionIndex.DEFAULT_ELEMENT_NAME);
        for (AuthnStatement authnStatement : sAMLCredential.getAuthenticationAssertion().getAuthnStatements()) {
            SessionIndex sessionIndex = (SessionIndex) sAMLObjectBuilder.mo15728buildObject();
            sessionIndex.setSessionIndex(authnStatement.getSessionIndex());
            logoutRequest.getSessionIndexes().add(sessionIndex);
        }
        if (logoutRequest.getSessionIndexes().size() == 0) {
            throw new SAMLException("No session indexes to logout user for were found");
        }
        NameID nameID = (NameID) ((SAMLObjectBuilder) this.builderFactory.getBuilder(NameID.DEFAULT_ELEMENT_NAME)).mo15728buildObject();
        nameID.setFormat(sAMLCredential.getNameID().getFormat());
        nameID.setNameQualifier(sAMLCredential.getNameID().getNameQualifier());
        nameID.setSPNameQualifier(sAMLCredential.getNameID().getSPNameQualifier());
        nameID.setSPProvidedID(sAMLCredential.getNameID().getSPProvidedID());
        nameID.setValue(sAMLCredential.getNameID().getValue());
        logoutRequest.setNameID(nameID);
        return logoutRequest;
    }

    @Override // org.springframework.security.saml.websso.SingleLogoutProfile
    public boolean processLogoutRequest(SAMLMessageContext sAMLMessageContext, SAMLCredential sAMLCredential) throws SAMLException {
        SAMLObject inboundSAMLMessage = sAMLMessageContext.getInboundSAMLMessage();
        if (inboundSAMLMessage == null || !(inboundSAMLMessage instanceof LogoutRequest)) {
            throw new SAMLException("Message is not of a LogoutRequest object type");
        }
        LogoutRequest logoutRequest = (LogoutRequest) inboundSAMLMessage;
        if (!sAMLMessageContext.isInboundSAMLMessageAuthenticated() && sAMLMessageContext.getLocalExtendedMetadata().isRequireLogoutRequestSigned()) {
            throw new SAMLStatusException(StatusCode.REQUEST_DENIED_URI, "LogoutRequest is required to be signed by the entity policy");
        }
        try {
            verifyEndpoint(sAMLMessageContext.getLocalEntityEndpoint(), logoutRequest.getDestination());
            try {
                if (logoutRequest.getIssuer() != null) {
                    verifyIssuer(logoutRequest.getIssuer(), sAMLMessageContext);
                }
                if (!SAMLUtil.isDateTimeSkewValid(getResponseSkew(), logoutRequest.getIssueInstant())) {
                    throw new SAMLStatusException(StatusCode.REQUESTER_URI, "LogoutRequest issue instant is either too old or with date in the future");
                }
                if (sAMLCredential == null) {
                    throw new SAMLStatusException(StatusCode.UNKNOWN_PRINCIPAL_URI, "No user is logged in");
                }
                boolean z = false;
                if (logoutRequest.getSessionIndexes() == null || logoutRequest.getSessionIndexes().size() <= 0) {
                    z = true;
                } else {
                    Iterator<AuthnStatement> it = sAMLCredential.getAuthenticationAssertion().getAuthnStatements().iterator();
                    while (it.hasNext()) {
                        String sessionIndex = it.next().getSessionIndex();
                        if (sessionIndex != null) {
                            Iterator<SessionIndex> it2 = logoutRequest.getSessionIndexes().iterator();
                            while (it2.hasNext()) {
                                if (sessionIndex.equals(it2.next().getSessionIndex())) {
                                    z = true;
                                }
                            }
                        }
                    }
                }
                if (!z) {
                    throw new SAMLStatusException(StatusCode.REQUESTER_URI, "The SessionIndex was not found");
                }
                try {
                    NameID nameID = getNameID(sAMLMessageContext, logoutRequest);
                    if (nameID == null || !equalsNameID(sAMLCredential.getNameID(), nameID)) {
                        throw new SAMLStatusException(StatusCode.UNKNOWN_PRINCIPAL_URI, "The requested NameID is invalid");
                    }
                    return true;
                } catch (DecryptionException e) {
                    throw new SAMLStatusException(StatusCode.RESPONDER_URI, "The NameID can't be decrypted", e);
                }
            } catch (SAMLException e2) {
                throw new SAMLStatusException(StatusCode.REQUEST_DENIED_URI, "Issuer of the LogoutRequest is unknown");
            }
        } catch (SAMLException e3) {
            throw new SAMLStatusException(StatusCode.REQUEST_DENIED_URI, "Destination of the LogoutRequest does not match any of the single logout endpoints");
        }
    }

    @Override // org.springframework.security.saml.websso.SingleLogoutProfile
    public void sendLogoutResponse(SAMLMessageContext sAMLMessageContext, String str, String str2) throws MetadataProviderException, SAMLException, MessageEncodingException {
        LogoutResponse logoutResponse = (LogoutResponse) ((SAMLObjectBuilder) this.builderFactory.getBuilder(LogoutResponse.DEFAULT_ELEMENT_NAME)).mo15728buildObject();
        IDPSSODescriptor iDPDescriptor = SAMLUtil.getIDPDescriptor(this.metadata, sAMLMessageContext.getPeerEntityId());
        Endpoint logoutServiceForBinding = SAMLUtil.getLogoutServiceForBinding(iDPDescriptor, SAMLUtil.getLogoutBinding(iDPDescriptor, (SPSSODescriptor) sAMLMessageContext.getLocalEntityRoleMetadata()));
        logoutResponse.setID(generateID());
        logoutResponse.setIssuer(getIssuer(sAMLMessageContext.getLocalEntityId()));
        logoutResponse.setVersion(SAMLVersion.VERSION_20);
        logoutResponse.setIssueInstant(new DateTime());
        logoutResponse.setInResponseTo(sAMLMessageContext.getInboundSAMLMessageId());
        logoutResponse.setDestination(logoutServiceForBinding.getLocation());
        logoutResponse.setStatus(getStatus(str, str2));
        sAMLMessageContext.setCommunicationProfileId(getProfileIdentifier());
        sAMLMessageContext.setOutboundMessage(logoutResponse);
        sAMLMessageContext.setOutboundSAMLMessage(logoutResponse);
        sAMLMessageContext.setPeerEntityEndpoint(logoutServiceForBinding);
        sAMLMessageContext.setPeerEntityRoleMetadata(iDPDescriptor);
        sendMessage(sAMLMessageContext, sAMLMessageContext.getPeerExtendedMetadata().isRequireLogoutResponseSigned());
    }

    private boolean equalsNameID(NameID nameID, NameID nameID2) {
        return (((((!differ(nameID.getSPProvidedID(), nameID2.getSPProvidedID())) && !differ(nameID.getValue(), nameID2.getValue())) && !differ(nameID.getFormat(), nameID2.getFormat())) && !differ(nameID.getNameQualifier(), nameID2.getNameQualifier())) && !differ(nameID.getSPNameQualifier(), nameID2.getSPNameQualifier())) && !differ(nameID.getSPProvidedID(), nameID2.getSPProvidedID());
    }

    private boolean differ(Object obj, Object obj2) {
        return obj == null ? obj2 != null : !obj.equals(obj2);
    }

    protected NameID getNameID(SAMLMessageContext sAMLMessageContext, LogoutRequest logoutRequest) throws DecryptionException {
        NameID nameID;
        if (logoutRequest.getEncryptedID() != null) {
            Assert.notNull(sAMLMessageContext.getLocalDecrypter(), "Can't decrypt NameID, no decrypter is set in the context");
            nameID = (NameID) sAMLMessageContext.getLocalDecrypter().decrypt(logoutRequest.getEncryptedID());
        } else {
            nameID = logoutRequest.getNameID();
        }
        return nameID;
    }

    @Override // org.springframework.security.saml.websso.SingleLogoutProfile
    public void processLogoutResponse(SAMLMessageContext sAMLMessageContext) throws SAMLException, SecurityException, ValidationException {
        SAMLObject inboundSAMLMessage = sAMLMessageContext.getInboundSAMLMessage();
        if (!(inboundSAMLMessage instanceof LogoutResponse)) {
            throw new SAMLException("Message is not of a LogoutResponse object type");
        }
        LogoutResponse logoutResponse = (LogoutResponse) inboundSAMLMessage;
        if (!sAMLMessageContext.isInboundSAMLMessageAuthenticated() && sAMLMessageContext.getLocalExtendedMetadata().isRequireLogoutResponseSigned()) {
            throw new SAMLException("Logout Response object is required to be signed by the entity policy: " + sAMLMessageContext.getInboundSAMLMessageId());
        }
        if (!SAMLUtil.isDateTimeSkewValid(getResponseSkew(), logoutResponse.getIssueInstant())) {
            throw new SAMLException("Response issue time in LogoutResponse is either too old or with date in the future");
        }
        SAMLMessageStorage messageStorage = sAMLMessageContext.getMessageStorage();
        if (messageStorage != null && logoutResponse.getInResponseTo() != null) {
            XMLObject retrieveMessage = messageStorage.retrieveMessage(logoutResponse.getInResponseTo());
            if (retrieveMessage == null) {
                throw new SAMLException("InResponseToField in LogoutResponse doesn't correspond to sent message " + logoutResponse.getInResponseTo());
            }
            if (!(retrieveMessage instanceof LogoutRequest)) {
                throw new SAMLException("Sent request was of different type than the expected LogoutRequest " + logoutResponse.getInResponseTo());
            }
        }
        if (logoutResponse.getDestination() != null) {
            boolean z = false;
            Iterator<SingleLogoutService> it = ((SPSSODescriptor) sAMLMessageContext.getLocalEntityRoleMetadata()).getSingleLogoutServices().iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                SingleLogoutService next = it.next();
                if (logoutResponse.getDestination().equals(next.getLocation()) && sAMLMessageContext.getInboundSAMLBinding().equals(next.getBinding())) {
                    z = true;
                    break;
                }
            }
            if (!z) {
                throw new SAMLException("Destination in the LogoutResponse was not the expected value " + logoutResponse.getDestination());
            }
        }
        if (logoutResponse.getIssuer() != null) {
            verifyIssuer(logoutResponse.getIssuer(), sAMLMessageContext);
        }
        String value = logoutResponse.getStatus().getStatusCode().getValue();
        if (StatusCode.SUCCESS_URI.equals(value)) {
            this.log.debug("Single Logout was successful");
        } else {
            if (StatusCode.PARTIAL_LOGOUT_URI.equals(value)) {
                this.log.debug("Single Logout was partially successful");
                return;
            }
            String value2 = logoutResponse.getStatus().getStatusCode().getValue();
            StatusMessage statusMessage = logoutResponse.getStatus().getStatusMessage();
            this.log.warn("Received LogoutResponse has invalid status code: %s; message: %s", value2, statusMessage != null ? statusMessage.getMessage() : "N/A");
        }
    }
}
