package com.linecorp.armeria.server.saml;

import com.linecorp.armeria.common.AggregatedHttpRequest;
import com.linecorp.armeria.common.HttpResponse;
import com.linecorp.armeria.common.HttpStatus;
import com.linecorp.armeria.common.MediaType;
import com.linecorp.armeria.common.annotation.Nullable;
import com.linecorp.armeria.server.ServiceRequestContext;
import java.util.Map;
import org.joda.time.DateTime;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.LogoutResponse;
import org.opensaml.saml.saml2.core.Status;
import org.opensaml.saml.saml2.core.StatusCode;
import org.opensaml.security.credential.Credential;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/linecorp/armeria/server/saml/SamlSingleLogoutFunction.class */
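/**
 * Handles a SAML 2.0 single logout (SLO) request sent by an identity provider to this
 * service provider's SLO endpoint.
 *
 * <p>The inbound {@link LogoutRequest} is decoded according to the endpoint's binding,
 * checked against the configured identity providers (issuer, destination and, for the
 * POST binding, XML signature), handed to the application's {@link SamlSingleLogoutHandler},
 * and finally answered with a signed {@link LogoutResponse} when the identity provider
 * has a logout response endpoint configured.
 *
 * <p>Every validation failure is turned into a {@link SamlException} so that the caller
 * gets a controlled {@code 503 Service Unavailable} instead of an unhandled error.
 * (The decompiler notes this class and its constructor were originally package-private.)
 */
public final class SamlSingleLogoutFunction implements SamlServiceFunction {
    private static final Logger logger = LoggerFactory.getLogger(SamlSingleLogoutFunction.class);

    /** SAML 2.0 top-level status code reported when the logout was processed. */
    private static final String STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
    /** SAML 2.0 top-level status code reported when this service provider failed to process the request. */
    private static final String STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder";
    /** Binding parameter that carries the inbound logout request. */
    private static final String SAML_REQUEST_PARAM = "SAMLRequest";
    /** Binding parameter that carries the outbound logout response. */
    private static final String SAML_RESPONSE_PARAM = "SAMLResponse";

    // The SLO endpoint of this service provider that this function serves.
    private final SamlEndpoint endpoint;
    // Entity ID of this service provider; used as the Issuer of every LogoutResponse.
    private final String entityId;
    // Credential and algorithm used to sign outbound LogoutResponse messages.
    private final Credential signingCredential;
    private final String signatureAlgorithm;
    // Identity providers keyed by their entity ID (the value of the request's Issuer element).
    private final Map<String, SamlIdentityProviderConfig> idpConfigs;

    @Nullable
    private final SamlIdentityProviderConfig defaultIdpConfig;
    private final SamlRequestIdManager requestIdManager;
    private final SamlSingleLogoutHandler sloHandler;

    /**
     * Creates a new single logout function.
     *
     * @param endpoint the SLO endpoint of this service provider
     * @param entityId the entity ID of this service provider
     * @param signingCredential the credential used to sign outbound responses
     * @param signatureAlgorithm the signature algorithm used with {@code signingCredential}
     * @param idpConfigs identity provider configurations keyed by entity ID
     * @param defaultIdpConfig the identity provider assumed when the inbound message does not
     *                         identify one (redirect binding only); may be {@code null}
     * @param requestIdManager generates the ID of each outbound response
     * @param sloHandler application callback invoked when a logout succeeds or fails
     */
    public SamlSingleLogoutFunction(SamlEndpoint endpoint, String entityId, Credential signingCredential,
                                    String signatureAlgorithm, Map<String, SamlIdentityProviderConfig> idpConfigs,
                                    @Nullable SamlIdentityProviderConfig defaultIdpConfig,
                                    SamlRequestIdManager requestIdManager, SamlSingleLogoutHandler sloHandler) {
        this.endpoint = endpoint;
        this.entityId = entityId;
        this.signingCredential = signingCredential;
        this.signatureAlgorithm = signatureAlgorithm;
        this.idpConfigs = idpConfigs;
        this.defaultIdpConfig = defaultIdpConfig;
        this.requestIdManager = requestIdManager;
        this.sloHandler = sloHandler;
    }

    /**
     * Processes an inbound logout request.
     *
     * @param ctx the request context
     * @param req the aggregated HTTP request carrying the SAML message
     * @param defaultHostname the hostname used to build this endpoint's URI when the request
     *                        does not supply one
     * @param portConfig scheme and port used to build this endpoint's URI
     * @return {@code 200 OK} (or a signed logout response bound for the identity provider) on
     *         success; {@code 503 Service Unavailable} when the request cannot be handled
     */
    @Override // com.linecorp.armeria.server.saml.SamlServiceFunction
    public HttpResponse serve(ServiceRequestContext ctx, AggregatedHttpRequest req,
                              String defaultHostname, SamlPortConfig portConfig) {
        try {
            // Decode according to the binding this endpoint speaks. The redirect binding is handed
            // the IdP configurations, presumably so that HttpRedirectBindingUtil can verify the
            // query-string signature itself — confirm against that helper; for the POST binding the
            // XML signature is verified below, after the issuer has been resolved.
            final MessageContext<LogoutRequest> messageContext;
            if (endpoint.bindingProtocol() == SamlBindingProtocol.HTTP_REDIRECT) {
                messageContext = HttpRedirectBindingUtil.toSamlObject(req, SAML_REQUEST_PARAM,
                                                                      idpConfigs, defaultIdpConfig);
            } else {
                messageContext = HttpPostBindingUtil.toSamlObject(req, SAML_REQUEST_PARAM);
            }

            // The URI the IdP must have addressed; compared with the request's Destination.
            final String expectedDestination =
                    endpoint.toUriString(portConfig.scheme().uriText(), defaultHostname, portConfig.port());
            final LogoutRequest logoutRequest = messageContext.getMessage();
            final SamlIdentityProviderConfig idp = validateAndGetIdPConfig(logoutRequest, expectedDestination);

            // With the POST binding the signature is embedded in the XML and can only be checked
            // once the issuer, and therefore the expected signing key, is known.
            if (endpoint.bindingProtocol() == SamlBindingProtocol.HTTP_POST) {
                SamlMessageUtil.validateSignature(idp.signingCredential(), logoutRequest);
            }

            final SamlEndpoint sloResEndpoint = idp.sloResEndpoint();
            if (sloResEndpoint == null) {
                // The IdP does not accept logout responses; a bare 200 is all we can say.
                return HttpResponse.of(
                        sloHandler.logoutSucceeded(ctx, req, messageContext)
                                  .thenApply(unused -> HttpResponse.of(HttpStatus.OK)));
            }

            try {
                // Build the signed response eagerly so that a signing failure is reported to the
                // IdP as a Responder error rather than surfacing after logoutSucceeded() ran.
                final HttpResponse success =
                        respond(createLogoutResponse(logoutRequest, STATUS_SUCCESS), sloResEndpoint);
                return HttpResponse.of(
                        sloHandler.logoutSucceeded(ctx, req, messageContext).thenApply(unused -> success));
            } catch (SamlException e) {
                logger.warn("{} Cannot respond a logout response in response to {}",
                            ctx, logoutRequest.getID(), e);
                final HttpResponse failure = fail(ctx, logoutRequest, sloResEndpoint);
                return HttpResponse.of(
                        sloHandler.logoutFailed(ctx, req, e).thenApply(unused -> failure));
            }
        } catch (SamlException e) {
            // Decoding, validation or signature verification failed.
            return fail(ctx, e);
        }
    }

    /**
     * Logs the failure and answers with {@code 503 Service Unavailable}; used when no
     * logout response can be sent back to the identity provider.
     */
    private static HttpResponse fail(ServiceRequestContext ctx, Throwable cause) {
        logger.warn("{} Cannot handle a logout request", ctx, cause);
        return HttpResponse.of(HttpStatus.SERVICE_UNAVAILABLE);
    }

    /**
     * Answers the identity provider with a signed logout response carrying the
     * {@code Responder} status; falls back to a plain {@code 503} if even that cannot be built.
     */
    private HttpResponse fail(ServiceRequestContext ctx, LogoutRequest logoutRequest, SamlEndpoint sloResEndpoint) {
        try {
            return respond(createLogoutResponse(logoutRequest, STATUS_RESPONDER), sloResEndpoint);
        } catch (SamlException e) {
            return fail(ctx, e);
        }
    }

    /**
     * Encodes and signs {@code logoutResponse} for the binding of {@code sloResEndpoint}:
     * a redirect with the signature in the query string, or an HTML auto-submit form.
     *
     * @throws SamlException if encoding or signing fails
     */
    private HttpResponse respond(LogoutResponse logoutResponse, SamlEndpoint sloResEndpoint) {
        final String destination = sloResEndpoint.toUriString();
        if (sloResEndpoint.bindingProtocol() == SamlBindingProtocol.HTTP_REDIRECT) {
            final String location = HttpRedirectBindingUtil.toRedirectionUrl(
                    logoutResponse, destination, SAML_RESPONSE_PARAM,
                    signingCredential, signatureAlgorithm, null);
            return HttpRedirectBindingUtil.responseWithLocation(location);
        }
        final String signedMessage =
                HttpPostBindingUtil.toSignedBase64(logoutResponse, signingCredential, signatureAlgorithm);
        final String form = HttpPostBindingUtil.getSsoForm(destination, SAML_RESPONSE_PARAM, signedMessage, null);
        return HttpResponse.of(HttpStatus.OK, MediaType.HTML_UTF_8, form);
    }

    /**
     * Checks that the request names a known issuer and was addressed to this endpoint, and
     * returns the matching identity provider configuration.
     *
     * <p>A request without an {@code Issuer} element is rejected here; previously
     * {@code getIssuer().getValue()} raised a {@link NullPointerException} for such a request,
     * which escaped the {@link SamlException} handling in {@link #serve} instead of producing
     * the controlled {@code 503}.
     *
     * @param expectedDestination the URI of this endpoint as the identity provider should have
     *                            addressed it
     * @throws InvalidSamlRequestException if the issuer is missing or unknown, or the
     *                                     {@code Destination} attribute does not match this endpoint
     */
    private SamlIdentityProviderConfig validateAndGetIdPConfig(LogoutRequest logoutRequest,
                                                               String expectedDestination) {
        final Issuer issuer = logoutRequest.getIssuer();
        final String issuerValue = issuer != null ? issuer.getValue() : null;
        if (issuerValue == null) {
            throw new InvalidSamlRequestException("no issuer found from the logout request: " + logoutRequest.getID());
        }
        // Reject a request addressed to a different endpoint; expectedDestination is non-null,
        // so this also rejects a missing Destination attribute.
        if (!expectedDestination.equals(logoutRequest.getDestination())) {
            throw new InvalidSamlRequestException("unexpected destination: " + logoutRequest.getDestination());
        }
        final SamlIdentityProviderConfig idp = idpConfigs.get(issuerValue);
        if (idp == null) {
            throw new InvalidSamlRequestException("unexpected identity provider: " + issuerValue);
        }
        return idp;
    }

    /**
     * Builds an unsigned {@link LogoutResponse} that answers {@code logoutRequest} with the
     * given top-level status code; signing happens in {@link #respond}.
     *
     * @param statusCode a SAML 2.0 status code URI such as {@link #STATUS_SUCCESS}
     */
    private LogoutResponse createLogoutResponse(LogoutRequest logoutRequest, String statusCode) {
        final StatusCode code = SamlMessageUtil.build(StatusCode.DEFAULT_ELEMENT_NAME);
        code.setValue(statusCode);

        final Status status = SamlMessageUtil.build(Status.DEFAULT_ELEMENT_NAME);
        status.setStatusCode(code);

        final Issuer issuer = SamlMessageUtil.build(Issuer.DEFAULT_ELEMENT_NAME);
        issuer.setValue(entityId);

        final LogoutResponse response = SamlMessageUtil.build(LogoutResponse.DEFAULT_ELEMENT_NAME);
        response.setIssuer(issuer);
        response.setID(requestIdManager.newId());
        response.setIssueInstant(DateTime.now());
        response.setStatus(status);
        // Ties the response to the request so the IdP can correlate it.
        response.setInResponseTo(logoutRequest.getID());
        return response;
    }
}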
