package org.wso2.carbon.identity.sso.saml.processors;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.function.Function;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.LogoutResponse;
import org.opensaml.saml.saml2.core.SessionIndex;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.context.RegistryType;
import org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
import org.wso2.carbon.identity.core.persistence.IdentityPersistenceManager;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.sso.saml.SAMLSSOConstants;
import org.wso2.carbon.identity.sso.saml.SSOServiceProviderConfigManager;
import org.wso2.carbon.identity.sso.saml.builders.SingleLogoutMessageBuilder;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOReqValidationResponseDTO;
import org.wso2.carbon.identity.sso.saml.session.SSOSessionPersistenceManager;
import org.wso2.carbon.identity.sso.saml.session.SessionInfoData;
import org.wso2.carbon.identity.sso.saml.util.LambdaExceptionUtils;
import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;
import org.wso2.carbon.identity.sso.saml.validators.ValidationResult;
import org.wso2.carbon.user.api.UserStoreException;

/* loaded from: input_file:org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.class */
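/**
 * Processes SP-initiated SAML 2.0 single-logout requests.
 *
 * <p>{@link #process} runs a fixed chain of checks - request present, issuer present, subject present,
 * session index resolvable to an established session and, only for service providers configured to
 * validate request signatures, destination and signature - and returns a
 * {@link SAMLSSOReqValidationResponseDTO} that carries either the encoded success LogoutResponse or the
 * error LogoutResponse built by the first failing check.
 *
 * <p>Several steps read and write thread-local state through {@link SAMLSSOUtil} (tenant domain,
 * qualified issuer); the processor itself holds only configuration resolved at construction.
 */
public class SPInitLogoutRequestProcessor implements SPInitSSOLogoutRequestProcessor {

    private static final Log log = LogFactory.getLog(SPInitLogoutRequestProcessor.class);

    // Algorithms used on error responses built before the service provider (and its own
    // algorithm preferences) has been resolved.
    private final String defaultSigningAlgoUri = IdentityApplicationManagementUtil.getSigningAlgoURIByConfig();
    private final String defaultDigestAlgoUri = IdentityApplicationManagementUtil.getDigestAlgoURIByConfig();

    /**
     * Validates an SP-initiated LogoutRequest and prepares the response DTO.
     *
     * <p>Checks run in order and the first failure is returned immediately. Destination and
     * request-signature validation ({@link #validateSignature}) run only when the service provider
     * recorded in the session has {@code isDoValidateSignatureInRequests()} set.
     *
     * @param logoutRequest the parsed LogoutRequest; {@code null} yields an invalid response
     * @param str           session token id taken from the request cookie, used to resolve the session
     *                      index when the request carries none; may be blank
     * @param str2          passed through to {@link SAMLSSOUtil#validateLogoutRequestSignature};
     *                      presumably the raw query string for HTTP-Redirect signatures - confirm with callers
     * @return a DTO with {@code valid == true} and an encoded success LogoutResponse, or the error DTO
     *         produced by the failing check
     * @throws IdentityException if the issuer has no service provider in the session, or any step fails
     */
    @Override
    public SAMLSSOReqValidationResponseDTO process(LogoutRequest logoutRequest, String str, String str2)
            throws IdentityException {
        SAMLSSOReqValidationResponseDTO responseDTO = new SAMLSSOReqValidationResponseDTO();
        responseDTO.setLogOutReq(true);
        try {
            // Structural checks that do not need session state; rethrowFunction lets the checked
            // exceptions of the validators escape the Function interface.
            List<Function<LogoutRequest, ValidationResult<SAMLSSOReqValidationResponseDTO>>> validators =
                    new ArrayList<>();
            validators.add(LambdaExceptionUtils.rethrowFunction(this::validateLogoutRequest));
            validators.add(LambdaExceptionUtils.rethrowFunction(this::validateIssuer));
            validators.add(LambdaExceptionUtils.rethrowFunction(this::validateSubject));
            for (Function<LogoutRequest, ValidationResult<SAMLSSOReqValidationResponseDTO>> validator : validators) {
                ValidationResult<SAMLSSOReqValidationResponseDTO> result = validator.apply(logoutRequest);
                if (!result.getValidationStatus()) {
                    return result.getValue();
                }
            }

            ValidationResult<SAMLSSOReqValidationResponseDTO> sessionResult =
                    validatePrincipleSession(str, logoutRequest);
            if (!sessionResult.getValidationStatus()) {
                return sessionResult.getValue();
            }

            String issuer = logoutRequest.getIssuer().getValue();
            SSOSessionPersistenceManager persistenceManager = SSOSessionPersistenceManager.getPersistenceManager();
            // validatePrincipleSession has already rejected a blank index and a missing session for this
            // same lookup, so sessionIndex is non-blank and sessionInfo is present here.
            String sessionIndex = getSessionIndex(str, logoutRequest);
            SessionInfoData sessionInfo = persistenceManager.getSessionInfo(sessionIndex);

            // Splits "<issuer>@<tenant>" and records the tenant domain in thread-local state.
            String tenantAwareIssuer = getTenantAwareIssuer(issuer, sessionInfo);
            String issuerQualifier = SAMLSSOUtil.getIssuerQualifier();
            if (issuerQualifier != null) {
                tenantAwareIssuer = SAMLSSOUtil.getIssuerWithQualifier(tenantAwareIssuer, issuerQualifier);
                SAMLSSOUtil.setIssuerWithQualifierInThreadLocal(tenantAwareIssuer);
            }

            String subject = sessionInfo.getSubject(tenantAwareIssuer);
            Map<String, SAMLSSOServiceProviderDO> serviceProviders = sessionInfo.getServiceProviderList();
            SAMLSSOServiceProviderDO serviceProviderDO = serviceProviders.get(tenantAwareIssuer);
            if (serviceProviderDO == null) {
                // Reachable when the issuer carried a tenant suffix, because the session lookup in
                // setTenantDomainToThreadLocal is skipped on that path; fail explicitly instead of with an NPE.
                throw IdentityException.error("Service provider :" + tenantAwareIssuer
                        + " does not exist in session info data.");
            }

            if (serviceProviderDO.isDoValidateSignatureInRequests()) {
                setX509Certificate(tenantAwareIssuer, serviceProviderDO);
                ValidationResult<SAMLSSOReqValidationResponseDTO> signatureResult =
                        validateSignature(logoutRequest, serviceProviderDO, subject, str2);
                if (!signatureResult.getValidationStatus()) {
                    return signatureResult.getValue();
                }
            }

            responseDTO.setIssuer(serviceProviderDO.getIssuer());
            responseDTO.setDoSignResponse(serviceProviderDO.isDoSignResponse());
            responseDTO.setSigningAlgorithmUri(serviceProviderDO.getSigningAlgorithmUri());
            responseDTO.setDigestAlgorithmUri(serviceProviderDO.getDigestAlgorithmUri());
            // The SLO response URL, when configured, takes precedence over the assertion consumer URL.
            if (StringUtils.isNotBlank(serviceProviderDO.getSloResponseURL())) {
                responseDTO.setAssertionConsumerURL(serviceProviderDO.getSloResponseURL());
            } else {
                responseDTO.setAssertionConsumerURL(serviceProviderDO.getAssertionConsumerUrl());
            }
            responseDTO.setSessionIndex(sessionIndex);
            responseDTO.setId(logoutRequest.getID());

            LogoutResponse successResponse = new SingleLogoutMessageBuilder().buildLogoutResponse(
                    logoutRequest.getID(),
                    SAMLSSOConstants.StatusCodes.SUCCESS_CODE,
                    null,
                    responseDTO.getAssertionConsumerURL(),
                    responseDTO.isDoSignResponse(),
                    SAMLSSOUtil.getTenantDomainFromThreadLocal(),
                    responseDTO.getSigningAlgorithmUri(),
                    responseDTO.getDigestAlgorithmUri());
            responseDTO.setLogoutResponse(SAMLSSOUtil.encode(SAMLSSOUtil.marshall(successResponse)));
            responseDTO.setValid(true);
            return responseDTO;
        } catch (UserStoreException | IdentityException | IOException e) {
            throw IdentityException.error("Error Processing the Logout Request", e);
        }
    }

    /**
     * Copies the X.509 certificate of the registered service provider onto the session's copy of the
     * service provider so that request-signature validation uses the configured certificate.
     *
     * <p>On lookup failure the error is logged and {@code serviceProviderDO} keeps whatever certificate
     * it already had. NOTE(review): the caller then proceeds to validate the signature with that
     * (possibly null) certificate; confirm that {@link SAMLSSOUtil#validateLogoutRequestSignature}
     * rejects a null certificate rather than skipping the check.
     *
     * @param issuer            tenant-aware issuer used to look up the registered service provider
     * @param serviceProviderDO session-scoped service provider to update in place
     */
    private void setX509Certificate(String issuer, SAMLSSOServiceProviderDO serviceProviderDO) {
        try {
            SAMLSSOServiceProviderDO registered =
                    getServiceProviderConfig(issuer, serviceProviderDO.getTenantDomain());
            if (registered != null) {
                serviceProviderDO.setX509Certificate(registered.getX509Certificate());
            }
        } catch (IdentityException e) {
            log.error(String.format("An error occurred while retrieving the application certificate for file based SAML service provider with the issuer name '%s'. The service provider will NOT be loaded.", issuer), e);
        }
    }

    /**
     * Strips a trailing {@code @<tenantDomain>} from the issuer and records the tenant domain in
     * thread-local state (see {@link #setTenantDomainToThreadLocal}).
     *
     * <p>NOTE(review): the tenant domain is derived from the Issuer value of a request whose signature
     * has not been checked yet; downstream lookups are scoped by it.
     *
     * @param issuer          issuer value from the LogoutRequest, optionally suffixed with {@code @tenant}
     * @param sessionInfoData session used to resolve the tenant when the issuer carries no suffix
     * @return the issuer without the tenant suffix
     * @throws IdentityException if the tenant cannot be resolved from the session
     * @throws UserStoreException propagated from tenant resolution
     */
    private String getTenantAwareIssuer(String issuer, SessionInfoData sessionInfoData)
            throws UserStoreException, IdentityException {
        String tenantDomain = null;
        String tenantAwareIssuer = issuer;
        if (StringUtils.isNotBlank(issuer) && issuer.contains("@")) {
            int separator = issuer.lastIndexOf('@');
            tenantDomain = issuer.substring(separator + 1);
            tenantAwareIssuer = issuer.substring(0, separator);
        }
        setTenantDomainToThreadLocal(tenantAwareIssuer, sessionInfoData, tenantDomain);
        return tenantAwareIssuer;
    }

    /**
     * Builds an invalid response DTO carrying an unsigned LogoutResponse with the given status, for
     * failures detected before the service provider is known.
     *
     * @param inResponseTo   ID of the LogoutRequest being answered
     * @param statusCode     SAML status code, e.g. {@code SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR}
     * @param statusMessage  human-readable status message
     * @param destination    destination recorded on the LogoutResponse
     * @param signingAlgoUri signing algorithm URI recorded on the response
     * @param digestAlgoUri  digest algorithm URI recorded on the response
     * @return DTO with {@code logOutReq == true}, {@code valid == false} and the compressed response set
     * @throws IdentityException if marshalling or compressing the response fails
     */
    private SAMLSSOReqValidationResponseDTO buildErrorResponse(String inResponseTo, String statusCode,
                                                               String statusMessage, String destination,
                                                               String signingAlgoUri, String digestAlgoUri)
            throws IdentityException {
        SAMLSSOReqValidationResponseDTO responseDTO = new SAMLSSOReqValidationResponseDTO();
        LogoutResponse logoutResponse = new SingleLogoutMessageBuilder().buildLogoutResponse(
                inResponseTo, statusCode, statusMessage, destination, false, null, signingAlgoUri, digestAlgoUri);
        responseDTO.setLogOutReq(true);
        responseDTO.setValid(false);
        try {
            responseDTO.setResponse(SAMLSSOUtil.compressResponse(SAMLSSOUtil.marshall(logoutResponse)));
            return responseDTO;
        } catch (IOException e) {
            throw IdentityException.error("Error while creating logout response", e);
        }
    }

    /**
     * Resolves a service provider by issuer: first from the in-memory (file based) configuration, then
     * from the persistent configuration of {@code tenantDomain}.
     *
     * <p>The persistent lookup runs inside a Carbon tenant flow so the tenant's own registry is
     * consulted; the flow is always ended, even when the lookup throws.
     *
     * @param issuer       issuer identifying the service provider
     * @param tenantDomain tenant whose registry is consulted for the persistent lookup
     * @return the service provider, or {@code null} if neither source knows the issuer
     * @throws IdentityException wrapping any failure from either lookup
     */
    private SAMLSSOServiceProviderDO getServiceProviderConfig(String issuer, String tenantDomain)
            throws IdentityException {
        try {
            SAMLSSOServiceProviderDO serviceProvider =
                    SSOServiceProviderConfigManager.getInstance().getServiceProvider(issuer);
            if (serviceProvider != null) {
                return serviceProvider;
            }
            try {
                PrivilegedCarbonContext.startTenantFlow();
                PrivilegedCarbonContext carbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
                int tenantId = SAMLSSOUtil.getRealmService().getTenantManager().getTenantId(tenantDomain);
                carbonContext.setTenantId(tenantId);
                carbonContext.setTenantDomain(tenantDomain);
                IdentityTenantUtil.initializeRegistry(tenantId, tenantDomain);
                return IdentityPersistenceManager.getPersistanceManager().getServiceProvider(
                        carbonContext.getRegistry(RegistryType.SYSTEM_CONFIGURATION), issuer);
            } finally {
                PrivilegedCarbonContext.endTenantFlow();
            }
        } catch (Exception e) {
            throw new IdentityException("Error while reading Service Provider configurations", e);
        }
    }

    /**
     * Builds an invalid response DTO for a known issuer, additionally resolving the service provider so
     * the error LogoutResponse can be addressed to its registered return URL.
     *
     * <p>URL precedence matches {@link #process}: SLO response URL, then assertion consumer URL, then
     * the default assertion consumer URL. The service provider is looked up in the tenant currently set
     * on the Carbon thread-local context.
     *
     * @param inResponseTo   ID of the LogoutRequest being answered
     * @param statusCode     SAML status code
     * @param statusMessage  human-readable status message
     * @param destination    destination recorded on the LogoutResponse; may be {@code null}
     * @param signingAlgoUri signing algorithm URI recorded on the response
     * @param digestAlgoUri  digest algorithm URI recorded on the response
     * @param issuer         issuer whose registered URLs are copied onto the DTO when it is found
     * @return DTO with {@code logOutReq == true}, {@code valid == false}, the compressed response and,
     *         when the service provider was found, its return URL and issuer
     * @throws IdentityException if the service provider lookup fails
     * @throws IOException       if compressing the response fails
     */
    private SAMLSSOReqValidationResponseDTO buildErrorResponse(String inResponseTo, String statusCode,
                                                               String statusMessage, String destination,
                                                               String signingAlgoUri, String digestAlgoUri,
                                                               String issuer)
            throws IdentityException, IOException {
        SAMLSSOServiceProviderDO serviceProviderConfig = getServiceProviderConfig(
                issuer, PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain());
        SAMLSSOReqValidationResponseDTO responseDTO = new SAMLSSOReqValidationResponseDTO();
        LogoutResponse logoutResponse = new SingleLogoutMessageBuilder().buildLogoutResponse(
                inResponseTo, statusCode, statusMessage, destination, false, null, signingAlgoUri, digestAlgoUri);
        responseDTO.setLogOutReq(true);
        responseDTO.setValid(false);
        responseDTO.setResponse(SAMLSSOUtil.compressResponse(SAMLSSOUtil.marshall(logoutResponse)));
        if (serviceProviderConfig != null) {
            if (StringUtils.isNotBlank(serviceProviderConfig.getSloResponseURL())) {
                responseDTO.setAssertionConsumerURL(serviceProviderConfig.getSloResponseURL());
            } else if (StringUtils.isNotBlank(serviceProviderConfig.getAssertionConsumerUrl())) {
                responseDTO.setAssertionConsumerURL(serviceProviderConfig.getAssertionConsumerUrl());
            } else {
                responseDTO.setAssertionConsumerURL(serviceProviderConfig.getDefaultAssertionConsumerUrl());
            }
            responseDTO.setIssuer(issuer);
        }
        return responseDTO;
    }

    /**
     * Rejects a {@code null} LogoutRequest.
     *
     * @return a failed result carrying a bare invalid DTO when the request is {@code null}; a passing
     *         result otherwise
     */
    private ValidationResult<SAMLSSOReqValidationResponseDTO> validateLogoutRequest(LogoutRequest logoutRequest) {
        ValidationResult<SAMLSSOReqValidationResponseDTO> result = new ValidationResult<>();
        result.setValidationStatus(true);
        if (logoutRequest == null) {
            SAMLSSOReqValidationResponseDTO responseDTO = new SAMLSSOReqValidationResponseDTO();
            responseDTO.setLogOutReq(true);
            result.setValue(responseDTO);
            result.setValidationStatus(false);
        }
        return result;
    }

    /**
     * Requires an Issuer element with a non-null value.
     *
     * @return a failed result with a REQUESTOR_ERROR response when the issuer is missing or empty
     * @throws IdentityException if the error response cannot be built
     */
    private ValidationResult<SAMLSSOReqValidationResponseDTO> validateIssuer(LogoutRequest logoutRequest)
            throws IdentityException {
        ValidationResult<SAMLSSOReqValidationResponseDTO> result = new ValidationResult<>();
        result.setValidationStatus(true);
        if (logoutRequest.getIssuer() == null) {
            log.error("Issuer should be mentioned in the Logout Request");
            result.setValue(buildErrorResponse(logoutRequest.getID(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                    "Issuer should be mentioned in the Logout Request", logoutRequest.getDestination(),
                    defaultSigningAlgoUri, defaultDigestAlgoUri));
            result.setValidationStatus(false);
        } else if (logoutRequest.getIssuer().getValue() == null) {
            log.error("Issuer value cannot be null in the Logout Request");
            result.setValue(buildErrorResponse(logoutRequest.getID(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                    "Issuer value cannot be null in the Logout Request", logoutRequest.getDestination(),
                    defaultSigningAlgoUri, defaultDigestAlgoUri));
            result.setValidationStatus(false);
        }
        return result;
    }

    /**
     * Requires the request to identify a subject via NameID, BaseID or EncryptedID.
     *
     * @return a failed result with a REQUESTOR_ERROR response when no subject identifier is present
     * @throws IdentityException if the error response cannot be built
     * @throws IOException       if the error response cannot be compressed
     */
    private ValidationResult<SAMLSSOReqValidationResponseDTO> validateSubject(LogoutRequest logoutRequest)
            throws IOException, IdentityException {
        String issuer = logoutRequest.getIssuer().getValue();
        ValidationResult<SAMLSSOReqValidationResponseDTO> result = new ValidationResult<>();
        result.setValidationStatus(true);
        boolean subjectMissing = logoutRequest.getNameID() == null
                && logoutRequest.getBaseID() == null
                && logoutRequest.getEncryptedID() == null;
        if (subjectMissing) {
            log.error("Subject Name should be specified in the Logout Request");
            result.setValue(buildErrorResponse(logoutRequest.getID(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                    "Subject Name should be specified in the Logout Request", logoutRequest.getDestination(),
                    defaultSigningAlgoUri, defaultDigestAlgoUri, issuer));
            result.setValidationStatus(false);
        }
        return result;
    }

    /**
     * Requires a session index - from the request's SessionIndex elements or from the session cookie -
     * that maps to an established session.
     *
     * <p>Each failure is returned as soon as it is detected, so the error message reflects the actual
     * cause rather than a later, secondary failure. Session-related failures set
     * {@code logoutFromAuthFramework} so the caller can still terminate the framework session.
     *
     * @param tokenId       session token id from the request cookie; may be blank
     * @param logoutRequest the request under validation
     * @return a passing result, or a failed result with a REQUESTOR_ERROR response
     * @throws IdentityException if an error response cannot be built
     * @throws IOException       if an error response cannot be compressed
     */
    private ValidationResult<SAMLSSOReqValidationResponseDTO> validatePrincipleSession(String tokenId,
                                                                                       LogoutRequest logoutRequest)
            throws IOException, IdentityException {
        String issuer = logoutRequest.getIssuer().getValue();
        ValidationResult<SAMLSSOReqValidationResponseDTO> result = new ValidationResult<>();
        result.setValidationStatus(true);

        List<SessionIndex> requestedIndexes = logoutRequest.getSessionIndexes();
        boolean noIndexInRequest = requestedIndexes == null || requestedIndexes.isEmpty();
        if (noIndexInRequest && StringUtils.isBlank(tokenId)) {
            result.setValue(buildErrorResponse(logoutRequest.getID(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                    "Session index should be present in the logout request or in request cookies.",
                    logoutRequest.getDestination(), defaultSigningAlgoUri, defaultDigestAlgoUri, issuer));
            result.setValidationStatus(false);
            log.error("Session index should be present in the logout request or in request cookies.");
            return result;
        }

        String sessionIndex = getSessionIndex(tokenId, logoutRequest);
        if (StringUtils.isBlank(sessionIndex)) {
            log.error("Error in retrieving sessionIndex : " + sessionIndex);
            SAMLSSOReqValidationResponseDTO errorResponse = buildErrorResponse(logoutRequest.getID(),
                    SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, "Error while retrieving the Session Index ",
                    null, defaultSigningAlgoUri, defaultDigestAlgoUri, issuer);
            errorResponse.setLogoutFromAuthFramework(true);
            result.setValue(errorResponse);
            result.setValidationStatus(false);
            // Return here: looking up a blank index would only replace this error with a misleading one.
            return result;
        }

        if (SSOSessionPersistenceManager.getPersistenceManager().getSessionInfo(sessionIndex) == null) {
            log.error("No Established Sessions corresponding to Session Indexes provided.");
            SAMLSSOReqValidationResponseDTO errorResponse = buildErrorResponse(logoutRequest.getID(),
                    SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                    "No Established Sessions corresponding to Session Indexes provided.",
                    null, defaultSigningAlgoUri, defaultDigestAlgoUri, issuer);
            errorResponse.setLogoutFromAuthFramework(true);
            result.setValue(errorResponse);
            result.setValidationStatus(false);
        }
        return result;
    }

    /**
     * Validates the request's Destination against the tenant's accepted endpoints and then its signature
     * against the service provider's certificate.
     *
     * <p>The destination check guards against requests replayed to another endpoint and runs first; a
     * failure returns immediately so the signature is not evaluated for an already-rejected request and
     * the destination error is what the caller sees. Both checks only run for service providers with
     * request-signature validation enabled (decided in {@link #process}).
     *
     * @param logoutRequest     the request under validation
     * @param serviceProviderDO service provider whose certificate and algorithm preferences are used
     * @param subject           session subject for the service provider (currently unused here)
     * @param queryString       passed to {@link SAMLSSOUtil#validateLogoutRequestSignature}; presumably the
     *                          raw query string for HTTP-Redirect signatures - confirm with callers
     * @return a passing result, or a failed result with a REQUESTOR_ERROR response
     * @throws IdentityException if signature validation or error-response building fails
     * @throws IOException       if an error response cannot be compressed
     */
    private ValidationResult<SAMLSSOReqValidationResponseDTO> validateSignature(LogoutRequest logoutRequest,
                                                                                SAMLSSOServiceProviderDO serviceProviderDO,
                                                                                String subject,
                                                                                String queryString)
            throws IdentityException, IOException {
        String issuer = logoutRequest.getIssuer().getValue();
        ValidationResult<SAMLSSOReqValidationResponseDTO> result = new ValidationResult<>();
        result.setValidationStatus(true);

        List<String> acceptedDestinations =
                SAMLSSOUtil.getDestinationFromTenantDomain(SAMLSSOUtil.getTenantDomainFromThreadLocal());
        String destination = logoutRequest.getDestination();
        if (destination == null || !acceptedDestinations.contains(destination)) {
            String message = "Destination validation for Logout Request failed. Received: [" + destination
                    + "]. Expected: [" + StringUtils.join(acceptedDestinations, ',') + "]";
            log.error(message);
            result.setValue(buildErrorResponse(logoutRequest.getID(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                    message, destination, serviceProviderDO.getSigningAlgorithmUri(),
                    serviceProviderDO.getDigestAlgorithmUri(), issuer));
            result.setValidationStatus(false);
            return result;
        }

        if (!SAMLSSOUtil.validateLogoutRequestSignature(logoutRequest, serviceProviderDO.getX509Certificate(),
                queryString)) {
            log.error("Signature validation for Logout Request failed");
            result.setValue(buildErrorResponse(logoutRequest.getID(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                    "Signature validation for Logout Request failed", destination,
                    serviceProviderDO.getSigningAlgorithmUri(), serviceProviderDO.getDigestAlgorithmUri()));
            result.setValidationStatus(false);
        }
        return result;
    }

    /**
     * Sets the tenant domain in thread-local state if none is set yet.
     *
     * <p>When the issuer carried a tenant suffix that tenant is used directly; otherwise the tenant is
     * read from the service provider recorded in the session for this issuer.
     *
     * @param issuer          tenant-aware issuer
     * @param sessionInfoData session whose service-provider list is consulted when no suffix was given
     * @param tenantDomain    tenant domain split off the issuer, or {@code null}
     * @throws IdentityException if no suffix was given and the session has no entry for the issuer
     * @throws UserStoreException propagated from setting the tenant domain
     */
    private void setTenantDomainToThreadLocal(String issuer, SessionInfoData sessionInfoData, String tenantDomain)
            throws UserStoreException, IdentityException {
        if (!IdentityUtil.isBlank(SAMLSSOUtil.getTenantDomainFromThreadLocal())) {
            return;
        }
        if (StringUtils.isNotBlank(issuer) && StringUtils.isNotBlank(tenantDomain)) {
            SAMLSSOUtil.setTenantDomainInThreadLocal(tenantDomain);
            if (log.isDebugEnabled()) {
                log.debug("Tenant Domain: " + tenantDomain + " & Issuer name: " + issuer + "has been split");
            }
            return;
        }
        SAMLSSOServiceProviderDO serviceProviderDO = sessionInfoData.getServiceProviderList().get(issuer);
        if (serviceProviderDO == null) {
            throw IdentityException.error("Service provider :" + issuer + " does not exist in session info data.");
        }
        SAMLSSOUtil.setTenantDomainInThreadLocal(serviceProviderDO.getTenantDomain());
    }

    /**
     * Returns the session index named by the request's first SessionIndex element, or, when the request
     * carries none, the index mapped to the session cookie's token id.
     *
     * @param tokenId       session token id from the request cookie; may be blank
     * @param logoutRequest the request under validation
     * @return the resolved session index; may be {@code null} or blank if neither source has one
     */
    private String getSessionIndex(String tokenId, LogoutRequest logoutRequest) {
        List<SessionIndex> requestedIndexes = logoutRequest.getSessionIndexes();
        if (requestedIndexes != null && !requestedIndexes.isEmpty()) {
            return requestedIndexes.get(0).getSessionIndex();
        }
        return SSOSessionPersistenceManager.getPersistenceManager().getSessionIndexFromTokenId(tokenId);
    }
}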
