package org.springframework.security.saml.provider.identity;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.http.HttpMethod;
import org.springframework.security.core.Authentication;
import org.springframework.security.saml.SamlException;
import org.springframework.security.saml.SamlMessageStore;
import org.springframework.security.saml.provider.SamlLogoutSuccessHandler;
import org.springframework.security.saml.provider.provisioning.SamlProviderProvisioning;
import org.springframework.security.saml.saml2.Saml2Object;
import org.springframework.security.saml.saml2.authentication.Assertion;
import org.springframework.security.saml.saml2.authentication.LogoutRequest;
import org.springframework.security.saml.saml2.authentication.LogoutResponse;
import org.springframework.security.saml.saml2.authentication.NameIdPrincipal;
import org.springframework.security.saml.saml2.metadata.NameId;
import org.springframework.security.saml.validation.ValidationResult;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.util.StringUtils;
import org.springframework.web.util.UriComponentsBuilder;
import org.springframework.web.util.UriUtils;

/* loaded from: input_file:org/springframework/security/saml/provider/identity/IdentityProviderLogoutHandler.class */
public class IdentityProviderLogoutHandler implements LogoutHandler {
    private static Log logger = LogFactory.getLog(IdentityProviderLogoutHandler.class);
    private final SamlProviderProvisioning<IdentityProviderService> provisioning;
    private final SamlMessageStore<Assertion, HttpServletRequest> assertionStore;
    private final String ATTRIBUTE_NAME = getClass().getName() + ".logout.request";

    public IdentityProviderLogoutHandler(SamlProviderProvisioning<IdentityProviderService> samlProviderProvisioning, SamlMessageStore<Assertion, HttpServletRequest> samlMessageStore) {
        this.provisioning = samlProviderProvisioning;
        this.assertionStore = samlMessageStore;
    }

    private void removeAssertionFromStore(HttpServletRequest httpServletRequest, LogoutRequest logoutRequest) {
        List<Assertion> messages = getAssertionStore().getMessages(httpServletRequest);
        String value = logoutRequest.getIssuer().getValue();
        ((List) messages.stream().filter(assertion -> {
            return value.equals(assertion.getIssuer().getValue());
        }).collect(Collectors.toList())).stream().forEach(assertion2 -> {
            getAssertionStore().removeMessage(httpServletRequest, assertion2.getId());
        });
    }

    private boolean idpHasOtherSessions(HttpServletRequest httpServletRequest, LogoutRequest logoutRequest) {
        List<Assertion> messages = getAssertionStore().getMessages(httpServletRequest);
        if (messages.size() > 1) {
            return true;
        }
        return messages.size() == 1 && !messages.get(0).getSubject().getPrincipal().getSpNameQualifier().equals(logoutRequest.getIssuer().getValue());
    }

    private LogoutRequest getInitialSpRequest(HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession(false);
        if (session == null) {
            return null;
        }
        return (LogoutRequest) session.getAttribute(this.ATTRIBUTE_NAME);
    }

    private void setInitialSpRequest(HttpServletRequest httpServletRequest, LogoutRequest logoutRequest) {
        if (logoutRequest != null) {
            httpServletRequest.getSession(true).setAttribute(this.ATTRIBUTE_NAME, logoutRequest);
        }
    }

    private String getRedirectUrl(HttpServletRequest httpServletRequest, IdentityProviderService identityProviderService, Saml2Object saml2Object, String str, String str2) throws UnsupportedEncodingException {
        String encodedXml = identityProviderService.toEncodedXml(identityProviderService.toXml(saml2Object), true);
        UriComponentsBuilder fromUriString = UriComponentsBuilder.fromUriString(str);
        String parameter = httpServletRequest.getParameter("RelayState");
        if (StringUtils.hasText(parameter)) {
            fromUriString.queryParam("RelayState", new Object[]{UriUtils.encode(parameter, StandardCharsets.UTF_8.name())});
        }
        return fromUriString.queryParam(str2, new Object[]{UriUtils.encode(encodedXml, StandardCharsets.UTF_8.name())}).build().toUriString();
    }

    public SamlProviderProvisioning<IdentityProviderService> getProvisioning() {
        return this.provisioning;
    }

    public SamlMessageStore<Assertion, HttpServletRequest> getAssertionStore() {
        return this.assertionStore;
    }

    protected void receivedLogoutRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication, String str) throws IOException {
        IdentityProviderService hostedProvider = this.provisioning.getHostedProvider();
        LogoutRequest logoutRequest = (LogoutRequest) hostedProvider.fromXml(str, true, HttpMethod.GET.name().equalsIgnoreCase(httpServletRequest.getMethod()), LogoutRequest.class);
        ValidationResult validate = hostedProvider.validate(logoutRequest);
        if (validate.hasErrors()) {
            throw new SamlException(validate.toString());
        }
        logger.debug("Local IDP received logout request.");
        removeAssertionFromStore(httpServletRequest, logoutRequest);
        if (idpHasOtherSessions(httpServletRequest, logoutRequest)) {
            logger.debug("Multiple SP sessions present, starting logout sequence.");
            setInitialSpRequest(httpServletRequest, logoutRequest);
            idpInitiatedLogout(httpServletRequest, httpServletResponse, authentication);
        } else {
            logger.debug("No SP sessions found, returning logout response");
            LogoutResponse logoutResponse = hostedProvider.logoutResponse(logoutRequest, hostedProvider.getRemoteProvider(logoutRequest));
            String redirectUrl = getRedirectUrl(httpServletRequest, hostedProvider, logoutResponse, logoutResponse.getDestination(), "SAMLResponse");
            httpServletRequest.setAttribute(SamlLogoutSuccessHandler.RUN_SUCCESS, SamlLogoutSuccessHandler.LogoutStatus.REDIRECT);
            httpServletResponse.sendRedirect(redirectUrl);
        }
    }

    protected void receivedLogoutResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication, String str) throws IOException {
        IdentityProviderService hostedProvider = getProvisioning().getHostedProvider();
        hostedProvider.validate((LogoutResponse) hostedProvider.fromXml(str, true, HttpMethod.GET.name().equalsIgnoreCase(httpServletRequest.getMethod()), LogoutResponse.class));
        if (getAssertionStore().hasMessages(httpServletRequest)) {
            idpInitiatedLogout(httpServletRequest, httpServletResponse, authentication);
            return;
        }
        LogoutRequest initialSpRequest = getInitialSpRequest(httpServletRequest);
        if (initialSpRequest == null) {
            httpServletRequest.setAttribute(SamlLogoutSuccessHandler.RUN_SUCCESS, SamlLogoutSuccessHandler.LogoutStatus.SUCCESS);
            return;
        }
        LogoutResponse logoutResponse = hostedProvider.logoutResponse(initialSpRequest, hostedProvider.getRemoteProvider(initialSpRequest));
        String redirectUrl = getRedirectUrl(httpServletRequest, hostedProvider, logoutResponse, logoutResponse.getDestination(), "SAMLResponse");
        httpServletRequest.setAttribute(SamlLogoutSuccessHandler.RUN_SUCCESS, SamlLogoutSuccessHandler.LogoutStatus.REDIRECT);
        httpServletResponse.sendRedirect(redirectUrl);
    }

    protected void idpInitiatedLogout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException {
        if (authentication == null || !authentication.isAuthenticated()) {
            return;
        }
        Assertion removeFirst = getAssertionStore().removeFirst(httpServletRequest);
        if (removeFirst == null) {
            httpServletRequest.setAttribute(SamlLogoutSuccessHandler.RUN_SUCCESS, Boolean.TRUE);
            return;
        }
        IdentityProviderService hostedProvider = this.provisioning.getHostedProvider();
        logger.debug(String.format("Sending IDP logout request to SP:%s", removeFirst.getIssuer().getValue()));
        LogoutRequest logoutRequest = hostedProvider.logoutRequest(hostedProvider.getRemoteProvider(removeFirst), new NameIdPrincipal().setFormat(NameId.PERSISTENT).setValue(authentication.getName()));
        if (logoutRequest.getDestination() == null) {
            logger.debug("Unable to send logout request. No destination set.");
        } else {
            logger.debug("Sending logout request through redirect.");
            httpServletResponse.sendRedirect(getRedirectUrl(httpServletRequest, hostedProvider, logoutRequest, logoutRequest.getDestination().getLocation(), "SAMLRequest"));
        }
    }

    public void logout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) {
        String parameter = httpServletRequest.getParameter("SAMLRequest");
        String parameter2 = httpServletRequest.getParameter("SAMLResponse");
        try {
            if (StringUtils.hasText(parameter)) {
                receivedLogoutRequest(httpServletRequest, httpServletResponse, authentication, parameter);
            } else if (StringUtils.hasText(parameter2)) {
                receivedLogoutResponse(httpServletRequest, httpServletResponse, authentication, parameter2);
            } else {
                idpInitiatedLogout(httpServletRequest, httpServletResponse, authentication);
            }
        } catch (IOException e) {
            throw new SamlException(e);
        }
    }
}
