package org.pac4j.saml.logout.impl;

import java.util.List;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.saml2.core.EncryptedID;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.LogoutResponse;
import org.opensaml.saml.saml2.core.SessionIndex;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.saml.saml2.metadata.Endpoint;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.credentials.Credentials;
import org.pac4j.core.exception.HttpAction;
import org.pac4j.core.logout.handler.LogoutHandler;
import org.pac4j.saml.context.SAML2MessageContext;
import org.pac4j.saml.crypto.SAML2SignatureTrustEngineProvider;
import org.pac4j.saml.exceptions.SAMLException;
import org.pac4j.saml.profile.impl.AbstractSAML2ResponseValidator;

/* loaded from: input_file:org/pac4j/saml/logout/impl/SAML2LogoutValidator.class */
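/**
 * Validates SAML 2.0 single-logout messages ({@link LogoutRequest} and {@link LogoutResponse})
 * and triggers local session destruction for accepted logout requests.
 *
 * <p>Security note: an accepted {@link LogoutRequest} terminates a user session, so every check
 * in {@link #validateLogoutRequest} runs before the {@link LogoutHandler} is invoked.
 */
public class SAML2LogoutValidator extends AbstractSAML2ResponseValidator {
    /** Binding URI that selects back-channel session destruction. */
    private static final String SOAP_BINDING_URI = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP";

    /**
     * Creates the validator; all three collaborators are passed straight to the parent class.
     *
     * @param sAML2SignatureTrustEngineProvider builds the trust engine used for signature checks
     * @param decrypter decrypter applied to an {@link EncryptedID} when one is present
     * @param logoutHandler handler asked to destroy the session named by a logout request
     */
    public SAML2LogoutValidator(SAML2SignatureTrustEngineProvider sAML2SignatureTrustEngineProvider, Decrypter decrypter, LogoutHandler logoutHandler) {
        super(sAML2SignatureTrustEngineProvider, decrypter, logoutHandler);
    }

    /**
     * Dispatches on the type of the message held by the context.
     *
     * @param sAML2MessageContext context carrying the inbound SAML message and the web context
     * @return always {@code null} for a logout request (no credentials are produced)
     * @throws SAMLException if the message is neither a LogoutRequest nor a LogoutResponse
     * @throws HttpAction an "ok" action with an empty body once a logout response has been validated
     */
    @Override // org.pac4j.saml.profile.api.SAML2ResponseValidator
    public Credentials validate(SAML2MessageContext sAML2MessageContext) {
        WebContext webContext = sAML2MessageContext.getWebContext();
        SAMLObject sAMLObject = (SAMLObject) sAML2MessageContext.getMessage();
        if (sAMLObject instanceof LogoutRequest) {
            validateLogoutRequest((LogoutRequest) sAMLObject, sAML2MessageContext, this.signatureTrustEngineProvider.build());
            return null;
        }
        if (!(sAMLObject instanceof LogoutResponse)) {
            throw new SAMLException("Must be a LogoutRequest or LogoutResponse type");
        }
        validateLogoutResponse((LogoutResponse) sAMLObject, sAML2MessageContext, this.signatureTrustEngineProvider.build());
        // A validated logout response ends the exchange: the flow is terminated with an empty 200.
        throw HttpAction.ok(webContext, "");
    }

    /**
     * Validates a logout request and destroys the session it names.
     *
     * <p>The signature is checked first, with the same helper the logout-response path uses, so
     * that a request carrying a signature that does not verify is rejected before any session is
     * touched. Previously the trust engine parameter was never used here.
     *
     * @param logoutRequest the inbound logout request
     * @param sAML2MessageContext context supplying the binding and the web context
     * @param signatureTrustEngine trust engine used to verify the request signature
     * @throws SAMLException if the request does not carry exactly one session index
     */
    protected void validateLogoutRequest(LogoutRequest logoutRequest, SAML2MessageContext sAML2MessageContext, SignatureTrustEngine signatureTrustEngine) {
        // NOTE(review): going by the helper's name, an absent signature is presumably tolerated;
        // whether unsigned logout requests are acceptable is a deployment decision -- confirm.
        validateSignatureIfItExists(logoutRequest.getSignature(), sAML2MessageContext, signatureTrustEngine);
        validateIssuerIfItExists(logoutRequest.getIssuer(), sAML2MessageContext);
        // NOTE(review): unlike validateLogoutResponse, neither the issue instant nor the
        // destination of the request is checked here -- confirm that this is intended.
        EncryptedID encryptedID = logoutRequest.getEncryptedID();
        if (encryptedID != null) {
            // The result is not used below; the call only proves that the identifier decrypts.
            decryptEncryptedId(encryptedID, this.decrypter);
        }
        List<SessionIndex> sessionIndexes = logoutRequest.getSessionIndexes();
        if (sessionIndexes == null || sessionIndexes.size() != 1) {
            throw new SAMLException("We must have one session index in the logout request");
        }
        String sessionIndex = sessionIndexes.get(0).getSessionIndex();
        // SOAP means the identity provider called directly (back channel); any other binding
        // arrives through the user's browser (front channel).
        if (SOAP_BINDING_URI.equals(sAML2MessageContext.getSAMLBindingContext().getBindingUri())) {
            this.logoutHandler.destroySessionBack(sAML2MessageContext.getWebContext(), sessionIndex);
        } else {
            this.logoutHandler.destroySessionFront(sAML2MessageContext.getWebContext(), sessionIndex);
        }
    }

    /**
     * Validates a logout response: status, signature (when present), issue instant, issuer and
     * destination, in that order.
     *
     * @param logoutResponse the inbound logout response
     * @param sAML2MessageContext context supplying the service provider's descriptor
     * @param signatureTrustEngine trust engine used to verify the response signature
     * @throws SAMLException if the service provider declares no single-logout endpoint to compare
     *     the destination against
     */
    protected void validateLogoutResponse(LogoutResponse logoutResponse, SAML2MessageContext sAML2MessageContext, SignatureTrustEngine signatureTrustEngine) {
        validateSuccess(logoutResponse.getStatus());
        validateSignatureIfItExists(logoutResponse.getSignature(), sAML2MessageContext, signatureTrustEngine);
        validateIssueInstant(logoutResponse.getIssueInstant());
        validateIssuerIfItExists(logoutResponse.getIssuer(), sAML2MessageContext);
        List<? extends Endpoint> singleLogoutServices = sAML2MessageContext.getSPSSODescriptor().getSingleLogoutServices();
        if (singleLogoutServices == null || singleLogoutServices.isEmpty()) {
            // Fail with a clear validation error instead of an IndexOutOfBoundsException.
            throw new SAMLException("No single logout service is defined to verify the logout response destination");
        }
        // Only the first declared single-logout endpoint is compared with the destination.
        verifyEndpoint(singleLogoutServices.get(0), logoutResponse.getDestination());
    }

    /**
     * Intentionally does nothing: no method of this class reads a maximum authentication
     * lifetime, so the setter is overridden as a final no-op.
     *
     * @param i ignored
     */
    @Override // org.pac4j.saml.profile.api.SAML2ResponseValidator
    public final void setMaximumAuthenticationLifetime(int i) {
    }
}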
