package org.pac4j.saml.logout.impl;

import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import java.util.stream.Stream;
import lombok.Generated;
import net.shibboleth.shared.net.URIComparator;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.saml2.core.EncryptedID;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.LogoutResponse;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.SessionIndex;
import org.opensaml.saml.saml2.core.Status;
import org.opensaml.saml.saml2.core.StatusCode;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.saml.saml2.metadata.SingleLogoutService;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.pac4j.core.credentials.Credentials;
import org.pac4j.core.logout.LogoutType;
import org.pac4j.core.logout.handler.SessionLogoutHandler;
import org.pac4j.core.util.CommonHelper;
import org.pac4j.saml.context.SAML2MessageContext;
import org.pac4j.saml.credentials.SAML2AuthenticationCredentials;
import org.pac4j.saml.credentials.SAML2Credentials;
import org.pac4j.saml.crypto.SAML2SignatureTrustEngineProvider;
import org.pac4j.saml.exceptions.SAMLException;
import org.pac4j.saml.profile.impl.AbstractSAML2ResponseValidator;
import org.pac4j.saml.replay.ReplayCacheProvider;
import org.pac4j.saml.util.Configuration;

/* loaded from: input_file:org/pac4j/saml/logout/impl/SAML2LogoutValidator.class */
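/**
 * Validates inbound SAML 2.0 single-logout messages (LogoutRequest and LogoutResponse).
 *
 * <p>Security notes for reviewers, based only on what this class shows:
 * <ul>
 *   <li>Both message types are checked with {@code validateSignatureIfItExists} and
 *       {@code validateIssuerIfItExists}. NOTE(review): the helper names suggest that a message
 *       carrying no signature or issuer is not rejected here. Confirm where signing of logout
 *       messages is enforced, because a LogoutRequest ends in session destruction.</li>
 *   <li>LogoutRequest handling performs no issue-instant or destination check in this class;
 *       only LogoutResponse handling does.</li>
 *   <li>The full serialized message is written at TRACE level. It contains the NameID and the
 *       session indexes, so TRACE output should be handled as sensitive data.</li>
 * </ul>
 */
public class SAML2LogoutValidator extends AbstractSAML2ResponseValidator {
    private static final String SOAP_BINDING_URI = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP";
    private static final String STATUS_PARTIAL_LOGOUT = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout";
    private static final String STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder";

    // When true, a PartialLogout status (top-level, or nested under Responder) is accepted as success.
    private boolean isPartialLogoutTreatedAsSuccess;
    // Optional explicit Destination value; when blank, the SP metadata logout endpoint is used instead.
    private String expectedDestination;

    /**
     * Creates the validator; every collaborator is handed to the parent class unchanged.
     * Partial logouts are NOT treated as success by default.
     */
    public SAML2LogoutValidator(SAML2SignatureTrustEngineProvider sAML2SignatureTrustEngineProvider, Decrypter decrypter, SessionLogoutHandler sessionLogoutHandler, ReplayCacheProvider replayCacheProvider, URIComparator uRIComparator) {
        super(sAML2SignatureTrustEngineProvider, decrypter, sessionLogoutHandler, replayCacheProvider, uRIComparator);
        this.isPartialLogoutTreatedAsSuccess = false;
    }

    /**
     * Dispatches the inbound message to the request or response validation path.
     *
     * @param sAML2MessageContext context holding the decoded SAML message
     * @return credentials with an undefined logout type, built from the same context
     * @throws SAMLException if the message is neither a LogoutRequest nor a LogoutResponse
     */
    @Override // org.pac4j.saml.profile.api.SAML2ResponseValidator
    public Credentials validate(SAML2MessageContext sAML2MessageContext) {
        SAMLObject message = (SAMLObject) sAML2MessageContext.getMessageContext().getMessage();
        if (message instanceof LogoutRequest) {
            validateLogoutRequest((LogoutRequest) message, sAML2MessageContext, this.signatureTrustEngineProvider.build());
        } else if (message instanceof LogoutResponse) {
            validateLogoutResponse((LogoutResponse) message, sAML2MessageContext, this.signatureTrustEngineProvider.build());
        } else {
            throw new SAMLException("SAML message must be a LogoutRequest or LogoutResponse type");
        }
        return new SAML2Credentials(LogoutType.UNDEFINED, sAML2MessageContext);
    }

    /**
     * Validates a LogoutRequest and, when a session key can be computed, destroys that session.
     *
     * <p>SOAP-bound requests are routed to back-channel session destruction; every other binding
     * is routed to front-channel destruction.
     *
     * @param logoutRequest the decoded request
     * @param sAML2MessageContext the message context (binding URI, call context)
     * @param signatureTrustEngine trust engine used for the signature check
     */
    protected void validateLogoutRequest(LogoutRequest logoutRequest, SAML2MessageContext sAML2MessageContext, SignatureTrustEngine signatureTrustEngine) {
        // The serialized request includes NameID and SessionIndex values: TRACE logs are sensitive.
        this.logger.trace("Validating logout request:\n{}", Configuration.serializeSamlObject(logoutRequest));
        // NOTE(review): "IfItExists" — presumably an unsigned request passes this step. Because the
        // code below terminates a user session, confirm that unsigned logout requests are refused
        // somewhere (binding decoder or configuration); otherwise a forged request can end sessions.
        validateSignatureIfItExists(logoutRequest.getSignature(), sAML2MessageContext, signatureTrustEngine);
        validateIssuerIfItExists(logoutRequest.getIssuer(), sAML2MessageContext);
        // No issue-instant or destination check is made for requests in this method.

        NameID nameID = logoutRequest.getNameID();
        EncryptedID encryptedID = logoutRequest.getEncryptedID();
        if (encryptedID != null) {
            // An encrypted identifier takes precedence over a plain NameID.
            nameID = decryptEncryptedId(encryptedID, this.decrypter);
        }
        SAML2AuthenticationCredentials.SAMLNameID samlNameId = SAML2AuthenticationCredentials.SAMLNameID.from(nameID);

        // Only the first SessionIndex is honoured; any further indexes in the request are ignored.
        String sessionIndexValue = null;
        List<SessionIndex> sessionIndexes = logoutRequest.getSessionIndexes();
        if (sessionIndexes != null && !sessionIndexes.isEmpty()) {
            SessionIndex first = sessionIndexes.get(0);
            if (first != null) {
                sessionIndexValue = first.getValue();
            }
        }

        String sloKey = computeSloKey(sessionIndexValue, samlNameId);
        if (sloKey == null) {
            return;
        }
        String bindingUri = sAML2MessageContext.getSAMLBindingContext().getBindingUri();
        this.logger.debug("Using SLO key {} as the session index with the binding uri {}", sloKey, bindingUri);
        if (SOAP_BINDING_URI.equals(bindingUri)) {
            this.logoutHandler.destroySessionBack(sAML2MessageContext.getCallContext(), sloKey);
        } else {
            this.logoutHandler.destroySessionFront(sAML2MessageContext.getCallContext(), sloKey);
        }
    }

    /**
     * Validates a LogoutResponse: status, signature (if present), issue instant, issuer (if present)
     * and destination, in that order.
     *
     * @param logoutResponse the decoded response
     * @param sAML2MessageContext the message context
     * @param signatureTrustEngine trust engine used for the signature check
     */
    protected void validateLogoutResponse(LogoutResponse logoutResponse, SAML2MessageContext sAML2MessageContext, SignatureTrustEngine signatureTrustEngine) {
        // The serialized response is written verbatim: TRACE logs are sensitive.
        this.logger.trace("Validating logout response:\n{}", Configuration.serializeSamlObject(logoutResponse));
        // The status is evaluated before the signature, so a status failure is reported even for
        // a message whose origin has not been verified yet.
        validateSuccess(logoutResponse.getStatus());
        validateSignatureIfItExists(logoutResponse.getSignature(), sAML2MessageContext, signatureTrustEngine);
        validateIssueInstant(logoutResponse.getIssueInstant());
        validateIssuerIfItExists(logoutResponse.getIssuer(), sAML2MessageContext);
        validateDestinationEndpoint(logoutResponse, sAML2MessageContext);
    }

    /**
     * Checks the response Destination against the expected endpoint(s).
     *
     * <p>The expected set is {@code expectedDestination} when configured; otherwise the Location and
     * ResponseLocation of the FIRST SingleLogoutService in the SP metadata. Further logout services
     * in the metadata are not consulted.
     *
     * @param logoutResponse the decoded response
     * @param sAML2MessageContext the message context giving access to SP metadata and configuration
     * @throws SAMLException if no explicit destination is configured and the SP metadata declares
     *     no SingleLogoutService to compare against
     */
    protected void validateDestinationEndpoint(LogoutResponse logoutResponse, SAML2MessageContext sAML2MessageContext) {
        List<String> expectedEndpoints = new ArrayList<>();
        if (CommonHelper.isBlank(this.expectedDestination)) {
            List<SingleLogoutService> logoutServices = sAML2MessageContext.getSPSSODescriptor().getSingleLogoutServices();
            if (logoutServices == null || logoutServices.isEmpty()) {
                // Fail closed with a diagnosable error instead of an IndexOutOfBoundsException.
                throw new SAMLException("No SingleLogoutService is declared in the SP metadata to validate the logout response destination");
            }
            SingleLogoutService singleLogoutService = Objects.requireNonNull(logoutServices.get(0));
            if (singleLogoutService.getLocation() != null) {
                expectedEndpoints.add(singleLogoutService.getLocation());
            }
            if (singleLogoutService.getResponseLocation() != null) {
                expectedEndpoints.add(singleLogoutService.getResponseLocation());
            }
        } else {
            expectedEndpoints.add(this.expectedDestination);
        }
        // NOTE(review): when the configuration flag below is false, a response without a
        // Destination attribute is presumably accepted by verifyEndpoint — confirm in the parent.
        verifyEndpoint(expectedEndpoints, logoutResponse.getDestination(), sAML2MessageContext.getSaml2Configuration().isResponseDestinationAttributeMandatory());
    }

    /**
     * Accepts a PartialLogout status as success when so configured; otherwise defers to the parent.
     *
     * <p>PartialLogout is recognised either as the top-level status code or as a sub-status nested
     * under a Responder status code.
     *
     * @param status the status element of the logout response (may be null)
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.pac4j.saml.profile.impl.AbstractSAML2ResponseValidator
    public void validateSuccess(Status status) {
        if (this.isPartialLogoutTreatedAsSuccess && status != null && status.getStatusCode() != null) {
            StatusCode topLevelCode = status.getStatusCode();
            if (STATUS_PARTIAL_LOGOUT.equals(topLevelCode.getValue())) {
                this.logger.debug("Response status code is {} and partial logouts are configured to be treated as success => validation successful!", STATUS_PARTIAL_LOGOUT);
                return;
            }
            this.logger.debug("Response status code: {}", topLevelCode.getValue());
            if (STATUS_RESPONDER.equals(topLevelCode.getValue())) {
                // NOTE(review): guard against a null child list (no nested status code) so that the
                // parent check decides the outcome instead of a NullPointerException — confirm the
                // nullability against the OpenSAML version in use.
                List<?> children = topLevelCode.getOrderedChildren();
                boolean hasPartialLogoutSubStatus = children != null
                    && children.stream()
                        .filter(StatusCode.class::isInstance)
                        .map(StatusCode.class::cast)
                        .anyMatch(subCode -> STATUS_PARTIAL_LOGOUT.equals(subCode.getValue()));
                if (hasPartialLogoutSubStatus) {
                    this.logger.debug("Response sub-status code is {} and partial logouts are configured to be treated as success => validation successful!", STATUS_PARTIAL_LOGOUT);
                    return;
                }
            }
        }
        super.validateSuccess(status);
    }

    /** Returns whether a PartialLogout status is accepted as a successful logout. */
    @SuppressFBWarnings(justification = "generated code")
    @Generated
    public boolean isPartialLogoutTreatedAsSuccess() {
        return this.isPartialLogoutTreatedAsSuccess;
    }

    /** Returns the explicitly configured Destination value, or null/blank when metadata is used. */
    @SuppressFBWarnings(justification = "generated code")
    @Generated
    public String getExpectedDestination() {
        return this.expectedDestination;
    }

    /** Sets whether a PartialLogout status is accepted as a successful logout. */
    @SuppressFBWarnings(justification = "generated code")
    @Generated
    public void setPartialLogoutTreatedAsSuccess(boolean z) {
        this.isPartialLogoutTreatedAsSuccess = z;
    }

    /** Sets the Destination value that logout responses must carry, overriding the SP metadata. */
    @SuppressFBWarnings(justification = "generated code")
    @Generated
    public void setExpectedDestination(String str) {
        this.expectedDestination = str;
    }
}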
