package com.alfaariss.oa.authentication.remote.saml2.profile.sp.sso;

import com.alfaariss.oa.OAException;
import com.alfaariss.oa.RequestorEvent;
import com.alfaariss.oa.UserEvent;
import com.alfaariss.oa.UserException;
import com.alfaariss.oa.api.attribute.ISessionAttributes;
import com.alfaariss.oa.api.configuration.IConfigurationManager;
import com.alfaariss.oa.api.idmapper.IIDMapper;
import com.alfaariss.oa.api.session.ISession;
import com.alfaariss.oa.api.session.SessionState;
import com.alfaariss.oa.api.tgt.ITGT;
import com.alfaariss.oa.authentication.remote.saml2.SAML2AuthNConstants;
import com.alfaariss.oa.authentication.remote.saml2.profile.sp.sso.protocol.SingleLogoutProtocol;
import com.alfaariss.oa.engine.core.Engine;
import com.alfaariss.oa.engine.core.crypto.CryptoException;
import com.alfaariss.oa.engine.core.idp.IDPStorageManager;
import com.alfaariss.oa.engine.core.tgt.factory.ITGTAliasStore;
import com.alfaariss.oa.util.logging.RequestorEventLogItem;
import com.alfaariss.oa.util.logging.UserEventLogItem;
import com.alfaariss.oa.util.saml2.ISAML2Requestors;
import com.alfaariss.oa.util.saml2.NameIDFormatter;
import com.alfaariss.oa.util.saml2.SAML2IssueInstantWindow;
import com.alfaariss.oa.util.saml2.SAML2SecurityException;
import com.alfaariss.oa.util.saml2.StatusException;
import com.alfaariss.oa.util.saml2.binding.AbstractDecodingFactory;
import com.alfaariss.oa.util.saml2.binding.AbstractEncodingFactory;
import com.alfaariss.oa.util.saml2.binding.BindingProperties;
import com.alfaariss.oa.util.saml2.binding.soap11.SOAP11Utils;
import com.alfaariss.oa.util.saml2.crypto.SAML2CryptoUtils;
import com.alfaariss.oa.util.saml2.idp.SAML2IDP;
import com.alfaariss.oa.util.saml2.metadata.role.sso.SPSSODescriptorBuilder;
import com.alfaariss.oa.util.saml2.profile.AbstractSAML2Profile;
import com.alfaariss.oa.util.validation.SessionValidator;
import java.io.IOException;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.namespace.QName;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.common.binding.decoding.SAMLMessageDecoder;
import org.opensaml.saml2.binding.artifact.SAML2ArtifactType0004;
import org.opensaml.saml2.binding.artifact.SAML2ArtifactType0004Builder;
import org.opensaml.saml2.binding.security.SAML2HTTPPostSimpleSignRule;
import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule;
import org.opensaml.saml2.core.LogoutRequest;
import org.opensaml.saml2.core.LogoutResponse;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.SingleLogoutService;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.ws.security.SecurityPolicyException;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.ChainingCredentialResolver;
import org.opensaml.xml.security.credential.StaticCredentialResolver;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.opensaml.xml.util.Base64;
import org.opensaml.xml.util.DatatypeHelper;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Element;

/* loaded from: input_file:com/alfaariss/oa/authentication/remote/saml2/profile/sp/sso/SPSingleLogout.class */
public class SPSingleLogout extends AbstractSAML2Profile {
    /** Session attribute: binding URI the inbound LogoutRequest arrived on (written in processLogoutRequest, read in processResponse). */
    public static final String SESSION_REQUEST_PROTOCOLBINDING = "ProtocolBinding";
    /** Session attribute: message ID of the inbound LogoutRequest, echoed as InResponseTo when the response is built. */
    public static final String SESSION_REQUEST_ID = "ID";
    /** Session attribute: RelayState of the inbound LogoutRequest, only stored when present. */
    public static final String SESSION_REQUEST_RELAYSTATE = "RelayState";
    /** Path segment appended to the WebSSO path when the user is forwarded to the logout flow. */
    private static final String SSO_LOGOUT_URI = "logout";
    // Binding configuration read from the 'bindings' section in init(); drives decoder selection and the supported-binding check.
    private BindingProperties _bindingProperties;
    // Builds/processes LogoutRequest and LogoutResponse messages; created in init().
    private SingleLogoutProtocol _protocol;
    // Optional mapper from the 'idmapper' section; stays null when that section is absent and is stopped in destroy().
    private IIDMapper _idMapper;
    // Resolves the remote IdP, by artifact SourceID (processSAMLRequest) or by session requestor id (processResponse).
    private IDPStorageManager _idpStorageManager;
    // Local SP role metadata set on the inbound message context; not assigned anywhere in this view.
    private SPSSODescriptor _spSSODescriptor;
    // javac-generated assertion flag left by the decompiler; not initialised in this view.
    static final /* synthetic */ boolean $assertionsDisabled;
    private Log _logger = LogFactory.getLog(getClass());
    // Logout reason URI -> whether a partial logout is performed for that reason; filled by readReasonConfig().
    private Hashtable<String, Boolean> _htLogoutReasonActions = new Hashtable<>();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: com.alfaariss.oa.authentication.remote.saml2.profile.sp.sso.SPSingleLogout$1, reason: invalid class name */
    /* loaded from: input_file:com/alfaariss/oa/authentication/remote/saml2/profile/sp/sso/SPSingleLogout$1.class */
    /*
     * javac-generated switch map for the enum switch on SessionState in processResponse():
     * maps each SessionState ordinal to the case label (1..4) used there. The empty
     * NoSuchFieldError handlers are part of the generated pattern: a constant that is
     * missing at runtime simply stays unmapped.
     */
    public static /* synthetic */ class AnonymousClass1 {
        // Index: SessionState.ordinal(); value: case label in processResponse (0 = unmapped, which hits 'default').
        static final /* synthetic */ int[] $SwitchMap$com$alfaariss$oa$api$session$SessionState = new int[SessionState.values().length];

        static {
            try {
                // case 1: logout completed successfully
                $SwitchMap$com$alfaariss$oa$api$session$SessionState[SessionState.USER_LOGOUT_SUCCESS.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
                // constant absent at runtime: leave unmapped
            }
            try {
                // case 2: partial logout
                $SwitchMap$com$alfaariss$oa$api$session$SessionState[SessionState.USER_LOGOUT_PARTIAL.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
                // constant absent at runtime: leave unmapped
            }
            try {
                // case 3: logout still in progress (treated as failure in processResponse)
                $SwitchMap$com$alfaariss$oa$api$session$SessionState[SessionState.USER_LOGOUT_IN_PROGRESS.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
                // constant absent at runtime: leave unmapped
            }
            try {
                // case 4: logout failed
                $SwitchMap$com$alfaariss$oa$api$session$SessionState[SessionState.USER_LOGOUT_FAILED.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
                // constant absent at runtime: leave unmapped
            }
        }
    }

    /**
     * Initialises the single-logout profile from its configuration section.
     * <p>
     * Required sections are {@code bindings} and {@code nameid}; {@code idmapper} and
     * {@code reasons} are optional. The protocol handler is built from the configured
     * NameID formatter, the TGT factory's IdP alias store and the optional ID mapper.
     *
     * @param iConfigurationManager configuration access
     * @param element the profile configuration section
     * @param entityDescriptor local entity metadata (forwarded to the superclass)
     * @param str forwarded to the superclass
     * @param str2 forwarded to the superclass
     * @param iSAML2Requestors forwarded to the superclass
     * @param sAML2IssueInstantWindow forwarded to the superclass
     * @param str3 forwarded to the superclass
     * @throws OAException 17 when a required section is missing; 2 when the TGT factory has no IdP alias store
     */
    public void init(IConfigurationManager iConfigurationManager, Element element, EntityDescriptor entityDescriptor, String str, String str2, ISAML2Requestors iSAML2Requestors, SAML2IssueInstantWindow sAML2IssueInstantWindow, String str3) throws OAException {
        super.init(iConfigurationManager, element, entityDescriptor, str, str2, iSAML2Requestors, sAML2IssueInstantWindow, str3);

        Element bindingsSection = requireSection(iConfigurationManager, element, "bindings",
                "No 'bindings' section found in 'profile' section in configuration");
        this._bindingProperties = new BindingProperties(iConfigurationManager, bindingsSection);

        ITGTAliasStore idpAliasStore = this._tgtFactory.getAliasStoreIDP();
        if (idpAliasStore == null) {
            this._logger.error("TGT Factory has no IdP Role alias support");
            throw new OAException(2);
        }

        Element nameIdSection = requireSection(iConfigurationManager, element, "nameid",
                "No 'nameid' section found in 'profile' section in configuration with profile id: " + this._sID);

        // The ID mapper is optional; _idMapper stays null when the section is absent.
        Element idMapperSection = iConfigurationManager.getSection(element, "idmapper");
        if (idMapperSection != null) {
            this._idMapper = createIDMapper(iConfigurationManager, idMapperSection);
        }

        this._protocol = new SingleLogoutProtocol(
                this._cryptoManager.getSecureRandom(),
                this._sProfileURL,
                this._tgtFactory,
                new NameIDFormatter(iConfigurationManager, nameIdSection, this._cryptoManager, idpAliasStore),
                this._issueInstantWindow,
                this._idMapper);
        updateEntityDescriptor(iConfigurationManager, element);
        this._idpStorageManager = Engine.getInstance().getIDPStorageManager();

        Element reasonsSection = iConfigurationManager.getSection(element, "reasons");
        if (reasonsSection != null) {
            readReasonConfig(iConfigurationManager, reasonsSection);
        } else {
            this._logger.info("No optional 'reasons' section found in configuration, using defaults");
        }
    }

    /**
     * Returns the named child section of {@code parent}, logging {@code errorMessage}
     * and failing with OAException(17) when it is absent.
     */
    private Element requireSection(IConfigurationManager cfg, Element parent, String name, String errorMessage) throws OAException {
        Element section = cfg.getSection(parent, name);
        if (section == null) {
            this._logger.error(errorMessage);
            throw new OAException(17);
        }
        return section;
    }

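    /**
     * Entry point of the single-logout endpoint.
     * <p>
     * Without an {@code asid} parameter the request carries an inbound SAML message
     * (LogoutRequest or LogoutResponse) and goes to processSAMLRequest(). With one, it
     * is the return leg of the WebSSO logout flow for an existing session and goes to
     * processResponse(). A UserException from either path is logged as an event and
     * answered with HTTP 400; OAExceptions propagate; anything else becomes OAException(1).
     *
     * @param httpServletRequest the inbound request
     * @param httpServletResponse the response to write to
     * @throws OAException on processing errors (1 for unexpected failures)
     */
    public void process(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws OAException {
        try {
            String sessionId = httpServletRequest.getParameter("asid");
            if (sessionId == null) {
                processSAMLRequest(httpServletRequest, httpServletResponse);
            } else {
                // asid is client-supplied: only a syntactically valid id is ever used for the lookup.
                if (!SessionValidator.validateDefaultSessionId(sessionId)) {
                    this._logger.warn("Invalid session id in request: " + sessionId);
                    throw new UserException(UserEvent.REQUEST_INVALID);
                }
                ISession session = this._sessionFactory.retrieve(sessionId);
                if (session == null) {
                    // Unknown (or already purged) session id is a client error, not a server fault;
                    // processResponse() dereferences the session immediately.
                    this._logger.debug("No session found with id in request: " + sessionId);
                    throw new UserException(UserEvent.SESSION_INVALID);
                }
                processResponse(httpServletRequest, httpServletResponse, session);
            }
        } catch (UserException e) {
            // No session object is available here, so the event carries only the remote address.
            this._eventLogger.info(new UserEventLogItem((String) null, (String) null, (SessionState) null, e.getEvent(), (String) null, httpServletRequest.getRemoteAddr(), (String) null, this, (String) null));
            if (httpServletResponse.isCommitted()) {
                return;
            }
            try {
                httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST);
            } catch (IOException e2) {
                this._logger.warn("Could not send response", e2);
            }
        } catch (OAException e3) {
            throw e3;
        } catch (Exception e4) {
            this._logger.fatal("Could not process request", e4);
            throw new OAException(1);
        }
    }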

    /**
     * Releases profile resources: stops the optional ID mapper (when one was
     * configured) and then lets the superclass clean up.
     */
    public void destroy() {
        IIDMapper mapper = this._idMapper;
        if (mapper != null) {
            mapper.stop();
        }
        super.destroy();
    }

    /**
     * Verifies the signature(s) on the inbound message against the credentials trusted for issuer {@code str}.
     * <p>
     * Trusted credentials come from the IdP's metadata provider (when the IdP has one) and, when signing is
     * enabled, from the signing credentials the crypto manager holds for the issuer. With no trusted source at
     * all the method fails closed and returns {@code false} even for a signed message. For a signed message the
     * XML signature is schema-validated and then checked by an explicit-key trust engine; an unsigned message is
     * not rejected here (the caller enforces which bindings require a signature). In both cases the binding-level
     * HTTP-Redirect and HTTP-POST SimpleSign rules are evaluated against the same trust engine.
     *
     * @param sAMLMessageContext context holding the inbound message and transport
     * @param saml2idp the issuing IdP, may be null
     * @param str the issuer entity id used to select credentials
     * @return true when every present signature verified; false when a signature is invalid or nothing is trusted
     * @throws OAException 1 on a processing error inside the trust engine or rules
     */
    protected boolean validateSignature(SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> sAMLMessageContext, SAML2IDP saml2idp, String str) throws OAException {
        boolean valid = false;
        try {
            SignableSAMLObject message = sAMLMessageContext.getInboundSAMLMessage();
            Signature signature = message.getSignature();
            boolean signed = message.isSigned();
            if (signed) {
                this._profileValidator.validate(signature);
            }
            ChainingCredentialResolver trusted = collectTrustedCredentials(saml2idp, str);
            if (trusted.getResolverChain().isEmpty()) {
                // Nothing to verify against: reject rather than accept blindly.
                this._logger.warn("No trusted certificate or metadata found for issuer: " + str);
            } else {
                ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(trusted, this._keyInfoCredResolver);
                valid = !signed || trustEngine.validate(signature, signingCriteriaFor(sAMLMessageContext, str));
                if (valid) {
                    // Query-string (Redirect) and SimpleSign (POST) signatures, when present, must verify too.
                    new SAML2HTTPRedirectDeflateSignatureRule(trustEngine).evaluate(sAMLMessageContext);
                    new SAML2HTTPPostSimpleSignRule(trustEngine, this._pool, this._keyInfoCredResolver).evaluate(sAMLMessageContext);
                }
            }
        } catch (SecurityPolicyException e) {
            this._logger.debug("Invalid signature", e);
            valid = false;
        } catch (SecurityException e) {
            this._logger.error("Processing error evaluating the signature", e);
            throw new OAException(1);
        } catch (ValidationException e) {
            this._logger.debug("Invalid signature", e);
            valid = false;
        }
        return valid;
    }

    /**
     * Builds the resolver chain of credentials trusted for {@code issuer}: the IdP's metadata (if any)
     * followed by the static signing credentials when signing is enabled. A missing static credential
     * is logged and skipped; the chain may come back empty.
     */
    private ChainingCredentialResolver collectTrustedCredentials(SAML2IDP saml2idp, String issuer) throws OAException {
        ChainingCredentialResolver chain = new ChainingCredentialResolver();
        MetadataProvider metadataProvider = saml2idp == null ? null : saml2idp.getMetadataProvider();
        if (metadataProvider != null) {
            this._logger.debug("Metadata provider found for issuer: " + issuer);
            chain.getResolverChain().add(new MetadataCredentialResolver(metadataProvider));
        }
        if (this._signingEnabled) {
            try {
                chain.getResolverChain().add(new StaticCredentialResolver(SAML2CryptoUtils.retrieveSigningCredentials(this._cryptoManager, issuer)));
            } catch (CryptoException e) {
                this._logger.debug("No trusted certificate found for issuer: " + issuer);
            }
        }
        return chain;
    }

    /** Criteria selecting the issuer's SIGNING credential for its peer role and protocol. */
    private static CriteriaSet signingCriteriaFor(SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> context, String issuer) {
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIDCriteria(issuer));
        criteria.add(new MetadataCriteria(context.getPeerEntityRole(), context.getInboundSAMLProtocol()));
        criteria.add(new UsageCriteria(UsageType.SIGNING));
        return criteria;
    }

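    /**
     * Reads the optional {@code reasons} configuration into {@link #_htLogoutReasonActions}.
     * <p>
     * Each {@code reason} child carries a {@code uri} (the SAML logout Reason URI, must be
     * unique) and a {@code partial} flag ({@code true}/{@code false}, case-insensitive) that
     * decides whether a LogoutRequest with that reason triggers a partial or a full logout.
     * Any previously loaded mapping is discarded first.
     *
     * @param iConfigurationManager configuration access
     * @param element the {@code reasons} section
     * @throws OAException 17 when {@code uri} or {@code partial} is missing or {@code partial} is
     *         not true/false; 2 when a {@code uri} occurs twice
     */
    private void readReasonConfig(IConfigurationManager iConfigurationManager, Element element) throws OAException {
        this._htLogoutReasonActions.clear();
        for (Element reason = iConfigurationManager.getSection(element, "reason");
                reason != null;
                reason = iConfigurationManager.getNextSection(reason)) {
            String uri = iConfigurationManager.getParam(reason, "uri");
            if (uri == null) {
                this._logger.error("No 'uri' parameter in 'reason' section found in configuration");
                throw new OAException(17);
            }
            if (this._htLogoutReasonActions.containsKey(uri)) {
                this._logger.error("Invalid 'uri' parameter in 'reason' section found in configuration; not unique: " + uri);
                throw new OAException(2);
            }
            String partialValue = iConfigurationManager.getParam(reason, "partial");
            if (partialValue == null) {
                this._logger.error("No 'partial' parameter in 'reason' section found in configuration");
                throw new OAException(17);
            }
            // Only the two literal spellings are accepted; anything else is a configuration error.
            Boolean partial;
            if (partialValue.equalsIgnoreCase("TRUE")) {
                partial = Boolean.TRUE;
            } else if (partialValue.equalsIgnoreCase("FALSE")) {
                partial = Boolean.FALSE;
            } else {
                this._logger.error("Unknown value in 'partial' configuration item: " + partialValue);
                throw new OAException(17);
            }
            this._htLogoutReasonActions.put(uri, partial);
            this._logger.info("Using logout action for reason is '" + uri + "': " + (partial.booleanValue() ? "partial" : "full"));
        }
    }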

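    /**
     * Decodes an inbound SAML message and dispatches it to the LogoutRequest or LogoutResponse handler.
     * <p>
     * The binding is resolved from the request and checked against the configured bindings. For an
     * artifact-bound message the issuing IdP is first looked up by the artifact's SourceID so that the
     * decoder has metadata to resolve it. A LogoutRequest received over HTTP-POST or HTTP-Redirect must
     * carry a signature, either on the message or as a binding-level {@code Signature} parameter; the
     * signature itself is verified later (validateSignature, presumably via validateRequestMessage in
     * processLogoutRequest). That requirement is not applied to the SOAP binding here.
     * NOTE(review): whether the SOAP endpoint is authenticated by other means (e.g. at the transport
     * layer) cannot be seen in this class — confirm in deployment.
     * <p>
     * Error mapping: decoding problems produce a REQUEST_INVALID event and HTTP 400; security problems an
     * event and HTTP 403; a StatusException an event plus an error response; OAException propagates; any
     * other failure becomes OAException(1).
     *
     * @param httpServletRequest the inbound request
     * @param httpServletResponse the response to write to
     * @throws OAException 1 for unsupported bindings and unexpected failures
     */
    private void processSAMLRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws OAException {
        try {
            AbstractDecodingFactory decodingFactory = AbstractDecodingFactory.resolveInstance(httpServletRequest, httpServletResponse, this._bindingProperties);
            if (decodingFactory == null) {
                this._logger.debug("Decoding factory not created: Invalid request");
                throw new MessageDecodingException("Could not determine binding");
            }
            SAMLMessageDecoder decoder = decodingFactory.getDecoder();
            String bindingURI = decoder.getBindingURI();
            if (!this._bindingProperties.isSupported(bindingURI)) {
                this._logger.error("The binding is not supported by this protocol: " + bindingURI);
                throw new OAException(1);
            }
            this._logger.debug("Binding URI: " + bindingURI);
            SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> context = decodingFactory.getContext();
            context.setLocalEntityId(this._sEntityID);
            context.setLocalEntityMetadata(this._entityDescriptor);
            context.setLocalEntityRoleMetadata(this._spSSODescriptor);
            String encodedArtifact = httpServletRequest.getParameter("SAMLart");
            if (encodedArtifact != null) {
                bindArtifactIssuer(context, encodedArtifact);
            }
            try {
                decoder.decode(context);
                SignableSAMLObject samlMessage = context.getInboundSAMLMessage();
                if (this._logger.isDebugEnabled() && samlMessage != null) {
                    logXML(samlMessage);
                }
                if (samlMessage instanceof LogoutResponse) {
                    processLogoutResponse(httpServletRequest, httpServletResponse, context, (LogoutResponse) samlMessage);
                } else if (samlMessage instanceof LogoutRequest) {
                    boolean frontChannel = bindingURI.equals("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST")
                            || bindingURI.equals("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect");
                    // Either the XML signature or the binding-level Signature parameter counts as "signed".
                    boolean signed = !DatatypeHelper.isEmpty(context.getInboundMessageTransport().getParameterValue("Signature"))
                            || samlMessage.isSigned();
                    if (frontChannel && !signed) {
                        this._logger.debug("LogoutRequest MUST be signed if the HTTP POST or Redirect binding is used");
                        throw new SAML2SecurityException(RequestorEvent.REQUEST_INVALID);
                    }
                    processLogoutRequest(httpServletRequest, httpServletResponse, context, bindingURI, ((LogoutRequest) samlMessage).getReason());
                } else {
                    this._logger.debug("Unsupported SAML message in request from issuer: " + context.getInboundMessageIssuer());
                    throw new MessageDecodingException("Unsupported SAML message");
                }
            } catch (SecurityException e) {
                this._logger.debug("Could not decode inbound message due to security exception", e);
                throw new SAML2SecurityException(RequestorEvent.REQUEST_INVALID);
            }
        } catch (MessageDecodingException e) {
            this._logger.debug("Decoding error", e);
            this._eventLogger.info(new RequestorEventLogItem((String) null, (String) null, (SessionState) null, RequestorEvent.REQUEST_INVALID, (String) null, httpServletRequest.getRemoteAddr(), (String) null, this, (String) null));
            // NOTE(review): the decompiled original contained an unreachable branch that would have answered a
            // SOAP-bound request with a SOAP fault; the binding was never recorded for it, so a plain HTTP 400
            // has always been sent. Kept that observable behaviour.
            sendErrorIfPossible(httpServletResponse, HttpServletResponse.SC_BAD_REQUEST);
        } catch (SAML2SecurityException e) {
            this._logger.debug("Security error", e);
            this._eventLogger.info(new RequestorEventLogItem((String) null, (String) null, (SessionState) null, e.getEvent(), (String) null, httpServletRequest.getRemoteAddr(), (String) null, this, "Security Fault"));
            sendErrorIfPossible(httpServletResponse, HttpServletResponse.SC_FORBIDDEN);
        } catch (StatusException e) {
            this._eventLogger.info(new RequestorEventLogItem((String) null, (String) null, (SessionState) null, e.getEvent(), (String) null, httpServletRequest.getRemoteAddr(), e.getRequestorID(), this, e.getMessage()));
            sendResponse(null, httpServletRequest, httpServletResponse, null);
        } catch (OAException e) {
            throw e;
        } catch (Exception e) {
            this._logger.fatal("Could not process SAML request message", e);
            throw new OAException(1);
        }
    }

    /**
     * Resolves the IdP that issued an artifact from the artifact's SourceID and records it on the context
     * (metadata provider, inbound issuer, outbound issuer) so the decoder can resolve the artifact.
     * A malformed or unknown artifact is a decoding error (HTTP 400), not an internal error.
     *
     * @throws MessageDecodingException when the artifact cannot be parsed or no SAML2 IdP matches its SourceID
     */
    private void bindArtifactIssuer(SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> context, String encodedArtifact) throws MessageDecodingException, OAException {
        byte[] rawArtifact = Base64.decode(encodedArtifact);
        if (rawArtifact == null) {
            // NOTE(review): treating an undecodable value as a bad request; confirm Base64.decode's failure mode.
            this._logger.debug("SAMLart parameter is not valid Base64");
            throw new MessageDecodingException("Could not decode artifact");
        }
        SAML2ArtifactType0004 artifact;
        try {
            artifact = new SAML2ArtifactType0004Builder().buildArtifact(rawArtifact);
        } catch (IllegalArgumentException e) {
            // Client-supplied value with the wrong length or type code: report as a bad request.
            this._logger.debug("Malformed SAMLart parameter in request", e);
            throw new MessageDecodingException("Could not parse artifact");
        }
        Object idp = this._idpStorageManager.getIDP(artifact.getSourceID(), "sourceid");
        if (!(idp instanceof SAML2IDP)) {
            this._logger.debug("Unknown organization specified with with SourceID '" + Arrays.toString(artifact.getSourceID()) + "' in artifact: " + encodedArtifact);
            throw new MessageDecodingException("Could not find metadata for decoding artifact");
        }
        SAML2IDP saml2idp = (SAML2IDP) idp;
        context.setMetadataProvider(saml2idp.getMetadataProvider());
        context.setInboundMessageIssuer(saml2idp.getID());
        context.setOutboundMessageIssuer(this._sEntityID);
    }

    /** Sends an HTTP error status unless the response is already committed; I/O failures are only logged. */
    private void sendErrorIfPossible(HttpServletResponse httpServletResponse, int status) {
        try {
            if (!httpServletResponse.isCommitted()) {
                httpServletResponse.sendError(status);
            }
        } catch (IOException e) {
            this._logger.warn("Could not send response", e);
        }
    }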

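    /**
     * Handles an inbound LogoutRequest from a remote IdP.
     * <p>
     * The message is first authenticated against the IdP role metadata (validateRequestMessage, superclass)
     * and the protocol resolves the TGT it refers to. The request's Reason URI decides between a partial and
     * a full logout: a mapping from the {@code reasons} configuration wins, otherwise only
     * {@code urn:oasis:names:tc:SAML:2.0:logout:global-timeout} means partial. Partial logouts and requests
     * received over SOAP are answered synchronously on the same binding; every other request starts the
     * WebSSO logout flow: the request details are stored in a new session and the user is forwarded to the
     * logout page, with processResponse() finishing the exchange later.
     *
     * @param httpServletRequest the inbound request
     * @param httpServletResponse the response to write to
     * @param sAMLMessageContext decoded message context
     * @param str the binding URI the request arrived on
     * @param str2 the Reason attribute of the LogoutRequest, may be null
     * @throws OAException 1 when no request dispatcher exists or forwarding fails
     * @throws SAML2SecurityException from message validation
     * @throws StatusException from protocol processing
     */
    private void processLogoutRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> sAMLMessageContext, String str, String str2) throws OAException, SAML2SecurityException, StatusException {
        SAML2IDP idp = validateRequestMessage(sAMLMessageContext, IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
        ITGT tgt = this._protocol.processRequest(sAMLMessageContext);
        String requestId = sAMLMessageContext.getInboundSAMLMessageId();
        boolean partial = isPartialLogout(str2);

        if (partial || str.equals("urn:oasis:names:tc:SAML:2.0:bindings:SOAP")) {
            // Synchronous path: build the LogoutResponse now and return it over the request binding.
            this._protocol.processResponse(tgt, requestId, sAMLMessageContext, partial);
            sAMLMessageContext.setOutboundMessageIssuer(idp.getID());
            sAMLMessageContext.setMetadataProvider(idp.getMetadataProvider());
            sendResponse(sAMLMessageContext, httpServletRequest, httpServletResponse, str);
            this._eventLogger.info(new UserEventLogItem((String) null, tgt.getId(), (SessionState) null, UserEvent.USER_LOGGED_OUT, tgt.getUser().getID(), httpServletRequest.getRemoteAddr(), idp.getID(), this, sAMLMessageContext.getOutboundSAMLMessageId()));
            return;
        }

        // Asynchronous path: remember what processResponse() needs to answer the IdP later.
        ISession session = this._sessionFactory.createSession(idp.getID());
        ISessionAttributes attributes = session.getAttributes();
        attributes.put(getClass(), SESSION_REQUEST_ID, requestId);
        attributes.put(getClass(), SESSION_REQUEST_PROTOCOLBINDING, str);
        String relayState = sAMLMessageContext.getRelayState();
        if (relayState != null) {
            attributes.put(getClass(), SESSION_REQUEST_RELAYSTATE, relayState);
        }
        session.persist();
        session.setProfileURL(this._sProfileURL + "?asid=" + session.getId());
        httpServletRequest.setAttribute("asid", session);

        String forwardPath = this._sWebSSOPath.endsWith("/")
                ? this._sWebSSOPath + SSO_LOGOUT_URI
                : this._sWebSSOPath + "/" + SSO_LOGOUT_URI;
        this._logger.debug("Forwarding user to: " + forwardPath);
        RequestDispatcher dispatcher = httpServletRequest.getRequestDispatcher(forwardPath);
        if (dispatcher == null) {
            this._logger.warn("There is no requestor dispatcher supported with name: " + forwardPath);
            throw new OAException(1);
        }
        this._eventLogger.info(new UserEventLogItem(session, httpServletRequest.getRemoteAddr(), UserEvent.USER_LOGOUT_IN_PROGRESS, this, (String) null));
        try {
            dispatcher.forward(httpServletRequest, httpServletResponse);
        } catch (Exception e) {
            this._logger.fatal("Could not forward user", e);
            throw new OAException(1);
        }
    }

    /**
     * Decides whether a LogoutRequest with the given Reason URI performs a partial logout.
     * Configured mappings take precedence; without one, only the SAML global-timeout reason is partial
     * (sp-timeout, user and admin, like any unknown or absent reason, mean a full logout).
     */
    private boolean isPartialLogout(String reason) {
        if (reason == null) {
            return false;
        }
        Boolean configured = this._htLogoutReasonActions.get(reason);
        if (configured != null) {
            return configured.booleanValue();
        }
        return "urn:oasis:names:tc:SAML:2.0:logout:global-timeout".equals(reason);
    }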

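    /**
     * Finishes a logout started by processLogoutRequest(): builds the LogoutResponse for the IdP from the
     * outcome recorded in the session state and sends it asynchronously over the binding stored in the
     * session. The session is single-use and is expired and persisted on every exit path.
     *
     * @param httpServletRequest the inbound request
     * @param httpServletResponse the response to write to
     * @param iSession the session created for the logout, already format-validated by the caller
     * @throws UserException SESSION_EXPIRED, SESSION_INVALID (missing attributes) or REQUEST_INVALID
     *         (unexpected session state)
     * @throws OAException 1 when the IdP for the session's requestor cannot be resolved
     */
    private void processResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, ISession iSession) throws OAException, UserException {
        try {
            String requestorId = iSession.getRequestorId();
            // NOTE(review): existStorage() is queried with the session's requestor (an IdP id) and the branch fires
            // when it returns true while logging "No IDP found"; this looks inverted or mis-targeted — confirm
            // against IDPStorageManager. The instanceof check below is what guards the lookup result.
            if (this._idpStorageManager.existStorage(requestorId)) {
                this._logger.debug("No IDP found with for issuer: " + requestorId);
                throw new OAException(1);
            }
            Object found = this._idpStorageManager.getIDP(requestorId);
            if (!(found instanceof SAML2IDP)) {
                this._logger.debug("No SAML2 IDP found for issuer: " + requestorId);
                throw new OAException(1);
            }
            SAML2IDP idp = (SAML2IDP) found;

            SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> context = createEncodingContext(httpServletRequest, httpServletResponse);
            context.setInboundMessageIssuer(this._sEntityID);
            context.setOutboundMessageIssuer(idp.getID());
            context.setMetadataProvider(idp.getMetadataProvider());

            if (iSession.isExpired()) {
                this._logger.debug("Expired session with id '" + iSession.getId() + "' found in request sent from IP: " + httpServletRequest.getRemoteAddr());
                throw new UserException(UserEvent.SESSION_EXPIRED);
            }
            ISessionAttributes attributes = iSession.getAttributes();
            String requestId = requireSessionAttribute(iSession, attributes, SESSION_REQUEST_ID);
            String binding = requireSessionAttribute(iSession, attributes, SESSION_REQUEST_PROTOCOLBINDING);
            String relayState = (String) attributes.get(getClass(), SESSION_REQUEST_RELAYSTATE);
            if (relayState != null) {
                context.setRelayState(relayState);
            }
            context.setLocalEntityId(this._sEntityID);

            // The session state set by the WebSSO logout flow determines the SAML status of the response.
            UserEvent userEvent;
            switch (iSession.getState()) {
                case USER_LOGOUT_SUCCESS:
                    this._protocol.processResponse((ITGT) null, requestId, context);
                    userEvent = UserEvent.USER_LOGGED_OUT;
                    break;
                case USER_LOGOUT_PARTIAL:
                    this._protocol.buildErrorResponse(context, "urn:oasis:names:tc:SAML:2.0:status:Success", "urn:oasis:names:tc:SAML:2.0:status:PartialLogout", requestId);
                    userEvent = UserEvent.USER_LOGOUT_PARTIALLY;
                    break;
                case USER_LOGOUT_IN_PROGRESS:
                case USER_LOGOUT_FAILED:
                    this._protocol.buildErrorResponse(context, "urn:oasis:names:tc:SAML:2.0:status:Responder", null, requestId);
                    userEvent = UserEvent.USER_LOGOUT_FAILED;
                    break;
                default:
                    this._logger.debug("Unsupported session state '" + iSession.getState() + "' for session with id: " + iSession.getId());
                    throw new UserException(UserEvent.REQUEST_INVALID);
            }
            sendASynchronousResponse(context, httpServletRequest, httpServletResponse, binding, idp);
            this._eventLogger.info(new UserEventLogItem(iSession, httpServletRequest.getRemoteAddr(), userEvent, this, context.getOutboundSAMLMessageId()));
        } finally {
            // Consume the session whether or not a response was produced.
            if (iSession != null) {
                iSession.expire();
                iSession.persist();
            }
        }
    }

    /**
     * Reads a String attribute this class stored in the session, failing with SESSION_INVALID when absent.
     */
    private String requireSessionAttribute(ISession session, ISessionAttributes attributes, String name) throws UserException {
        String value = (String) attributes.get(getClass(), name);
        if (value == null) {
            this._logger.debug("No session attribute available with name '" + name + "' in session with ID: " + session.getId());
            throw new UserException(UserEvent.SESSION_INVALID);
        }
        return value;
    }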

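    /**
     * Handles an inbound {@code LogoutResponse}: ties it back to the local session whose
     * id is embedded in the InResponseTo attribute and forwards the request to the Web
     * SSO logout URI.
     *
     * <p>InResponseTo is unauthenticated, attacker-controlled input. It is expected to be
     * a 33-character request-id prefix followed by a session id. The session id is
     * syntactically validated before any session-store lookup, and when the session
     * recorded an AuthnRequest id prefix the prefix from the message must match it.
     * Signature validation of the response is not performed in this method
     * (presumably done by the caller - confirm).
     *
     * @param httpServletRequest the servlet request being processed
     * @param httpServletResponse the servlet response
     * @param sAMLMessageContext the decoded message context; stored on the request for the forward target
     * @param logoutResponse the inbound LogoutResponse
     * @throws SAML2SecurityException when InResponseTo is missing, malformed, or does not match a live session
     * @throws OAException when no dispatcher exists for the logout URI or forwarding fails
     */
    private void processLogoutResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> sAMLMessageContext, LogoutResponse logoutResponse) throws OAException, SAML2SecurityException {
        // Length of the request-id prefix that precedes the session id in InResponseTo.
        final int prefixLength = 33;

        String inResponseTo = logoutResponse.getInResponseTo();
        if (inResponseTo == null) {
            this._logger.debug("Incoming SAML object is missing InResponseTo attribute");
            throw new SAML2SecurityException(RequestorEvent.REQUEST_INVALID);
        }
        if (inResponseTo.length() <= prefixLength) {
            this._logger.warn("Invalid InResponseTo ID supplied (" + inResponseTo
                    + ") is must have a length that is at least bigger then: " + prefixLength);
            throw new SAML2SecurityException(RequestorEvent.REQUEST_INVALID);
        }
        String requestIdPrefix = inResponseTo.substring(0, prefixLength);
        String sessionId = inResponseTo.substring(prefixLength);

        // Reject anything that is not a well-formed session id before touching the session store.
        if (!SessionValidator.validateDefaultSessionId(sessionId)) {
            this._logger.debug("Invalid 'asid' in request: " + sessionId);
            throw new SAML2SecurityException(RequestorEvent.REQUEST_INVALID);
        }
        ISession session = this._sessionFactory.retrieve(sessionId);
        if (session == null || session.isExpired()) {
            this._logger.debug("Could not process SAML response; Session expired");
            throw new SAML2SecurityException(RequestorEvent.REQUEST_INVALID);
        }

        // Bind the response to the request this session issued. Only enforced when the
        // session recorded a prefix; a session without one accepts any prefix.
        ISessionAttributes attributes = session.getAttributes();
        if (attributes.contains(SAML2AuthNConstants.class, SAML2AuthNConstants.AUTHNREQUEST_ID_PREFIX)) {
            String expectedPrefix = (String) attributes.get(SAML2AuthNConstants.class, SAML2AuthNConstants.AUTHNREQUEST_ID_PREFIX);
            if (expectedPrefix != null && !expectedPrefix.equals(requestIdPrefix)) {
                this._logger.debug("Invalid InResponseTo session ID prefix in request: expected '"
                        + expectedPrefix + "' but recieved: " + requestIdPrefix);
                throw new SAML2SecurityException(RequestorEvent.REQUEST_INVALID);
            }
        }

        // Hand the context and session to the Web SSO logout handler via request attributes.
        httpServletRequest.setAttribute(SAML2AuthNConstants.SESSION_ATTRIBUTE_NAME, sAMLMessageContext);
        httpServletRequest.setAttribute("asid", session);

        String logoutUri = this._sWebSSOPath.endsWith("/")
                ? this._sWebSSOPath + SSO_LOGOUT_URI
                : this._sWebSSOPath + "/" + SSO_LOGOUT_URI;
        this._logger.debug("Forwarding user to: " + logoutUri);
        RequestDispatcher requestDispatcher = httpServletRequest.getRequestDispatcher(logoutUri);
        if (requestDispatcher == null) {
            this._logger.warn("There is no requestor dispatcher supported with name: " + logoutUri);
            throw new OAException(1);
        }
        try {
            requestDispatcher.forward(httpServletRequest, httpServletResponse);
        } catch (Exception e) {
            this._logger.fatal("Could not forward user", e);
            throw new OAException(1);
        }
    }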

    /**
     * Loads the SAML 2.0 SPSSODescriptor from the entity descriptor into
     * {@code _spSSODescriptor} and adds this profile's SingleLogoutService
     * endpoints to it.
     *
     * @param iConfigurationManager configuration manager handed to the descriptor builder
     * @param element configuration element for this profile
     * @throws IllegalArgumentException when the entity descriptor has no SPSSODescriptor
     */
    private void updateEntityDescriptor(IConfigurationManager iConfigurationManager, Element element) {
        // Protocol namespace selects the SAML 2.0 role descriptor.
        this._spSSODescriptor = this._entityDescriptor.getSPSSODescriptor("urn:oasis:names:tc:SAML:2.0:protocol");
        if (this._spSSODescriptor == null) {
            throw new IllegalArgumentException("No SPSSODescriptor available");
        }
        SPSSODescriptorBuilder builder = new SPSSODescriptorBuilder(iConfigurationManager, element, this._spSSODescriptor);
        builder.buildSingleLogoutService(this._sProfileURL, this._bindingProperties);
    }

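    /**
     * Encodes and sends the LogoutResponse in the context back to the IdP that sent
     * the LogoutRequest.
     *
     * <p>For the SOAP binding the response is written on the open back-channel
     * connection. For any other binding the response goes through the user agent to the
     * IdP's SingleLogoutService endpoint resolved from its metadata, so server signing
     * must be enabled and the issuer must be a known IdP.
     *
     * @param sAMLMessageContext context holding the inbound LogoutRequest and outbound LogoutResponse
     * @param httpServletRequest the servlet request
     * @param httpServletResponse the servlet response the encoder writes to
     * @param str binding URI the request came in on; picks the response binding (may be null)
     * @throws OAException when signing is disabled for a front-channel response, the issuer is
     *     unknown, no endpoint can be resolved, or encoding fails
     */
    private void sendResponse(SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> sAMLMessageContext, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) throws OAException {
        try {
            LogoutResponse logoutResponse = (LogoutResponse) sAMLMessageContext.getOutboundSAMLMessage();
            LogoutRequest logoutRequest = (LogoutRequest) sAMLMessageContext.getInboundSAMLMessage();
            if (this._signingEnabled) {
                sAMLMessageContext.setOutboundSAMLMessageSigningCredential(SAML2CryptoUtils.retrieveMySigningCredentials(this._cryptoManager, this._sEntityID));
            }
            String binding;
            // Null-safe: a missing inbound binding falls through to the front-channel path.
            if ("urn:oasis:names:tc:SAML:2.0:bindings:SOAP".equals(str)) {
                // Back-channel: answer on the open connection; no endpoint lookup needed.
                binding = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP";
            } else {
                // Front-channel responses travel via the user agent and must be signed.
                if (!this._signingEnabled) {
                    this._logger.warn("No outbound signing credential found: responses must be signed, make sure server signing is enabled");
                    throw new OAException(1);
                }
                String issuer = sAMLMessageContext.getInboundMessageIssuer();
                // NOTE(review): throws "No IDP found" when existStorage() returns true; the
                // condition reads inverted relative to the message - confirm against IDPStorageManager.
                if (this._idpStorageManager.existStorage(issuer)) {
                    this._logger.debug("No IDP found with for issuer: " + issuer);
                    throw new OAException(1);
                }
                SAML2IDP saml2idp = (SAML2IDP) this._idpStorageManager.getIDP(issuer);
                if (saml2idp == null) {
                    // Fail here instead of letting resolveSingleLogoutServiceEndpoint dereference null.
                    this._logger.debug("No IDP found with for issuer: " + issuer);
                    throw new OAException(1);
                }
                SingleLogoutService endpoint = resolveSingleLogoutServiceEndpoint(saml2idp, str);
                if (endpoint == null) {
                    this._logger.warn("No SingleLogoutService with supported binding for response available. Request ID: " + logoutRequest.getID());
                    throw new OAException(1);
                }
                binding = endpoint.getBinding();
                String destination = endpoint.getResponseLocation();
                if (destination == null) {
                    this._logger.debug("No SingleLogoutService response location for response available, using 'location'. Request ID: " + logoutRequest.getID());
                    destination = endpoint.getLocation();
                } else {
                    // Make the endpoint's Location carry ResponseLocation so the encoder targets it.
                    // NOTE(review): this mutates the endpoint obtained from IdP metadata - confirm it is not a shared cache.
                    endpoint.setLocation(destination);
                }
                if (destination == null) {
                    this._logger.warn("No SingleLogoutService location for response available. Request ID: " + logoutRequest.getID());
                    throw new OAException(1);
                }
                logoutResponse.setDestination(destination);
                sAMLMessageContext.setPeerEntityEndpoint(endpoint);
            }
            AbstractEncodingFactory.createInstance(httpServletRequest, httpServletResponse, binding, this._bindingProperties).getEncoder().encode(sAMLMessageContext);
            if (this._logger.isDebugEnabled()) {
                SAMLObject outbound = sAMLMessageContext.getOutboundSAMLMessage();
                if (outbound != null) {
                    logXML(outbound);
                }
            }
        } catch (OAException e) {
            // Already logged where it was raised; keep its error code.
            throw e;
        } catch (MessageEncodingException e) {
            // Must precede the generic handler: a subclass catch after Exception is unreachable.
            this._logger.error("Could not send reponse", e);
            throw new OAException(1);
        } catch (Exception e) {
            this._logger.error("Internal error when sending reponse", e);
            throw new OAException(1);
        }
    }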

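    /**
     * Sends the LogoutResponse in the context to the given IdP over a front-channel
     * binding resolved from the IdP's metadata.
     *
     * <p>The response always leaves signed: the method refuses to run when server
     * signing is disabled. Local entity metadata is attached to the context so the
     * encoder can identify this SP.
     *
     * @param sAMLMessageContext context holding the outbound LogoutResponse
     * @param httpServletRequest the servlet request
     * @param httpServletResponse the servlet response the encoder writes to
     * @param str preferred binding URI for the response (may be null)
     * @param saml2idp the IdP to respond to; must not be null
     * @throws OAException when signing is disabled, no usable endpoint exists, or encoding fails
     */
    private void sendASynchronousResponse(SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> sAMLMessageContext, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, SAML2IDP saml2idp) throws OAException {
        try {
            LogoutResponse logoutResponse = (LogoutResponse) sAMLMessageContext.getOutboundSAMLMessage();
            // Front-channel responses must be signed; refuse before any endpoint work.
            if (!this._signingEnabled) {
                this._logger.warn("No outbound signing credential found: responses must be signed, make sure server signing is enabled");
                throw new OAException(1);
            }
            SingleLogoutService endpoint = resolveSingleLogoutServiceEndpoint(saml2idp, str);
            if (endpoint == null) {
                this._logger.warn("No SingleLogoutService with supported binding for response available ("
                        + str + ") for SAML2 IdP with ID: " + saml2idp.getID());
                throw new OAException(1);
            }
            String binding = endpoint.getBinding();
            String destination = endpoint.getResponseLocation();
            if (destination == null) {
                this._logger.debug("No SingleLogoutService response location for response available, using 'location'");
                destination = endpoint.getLocation();
            } else {
                // Make the endpoint's Location carry ResponseLocation so the encoder targets it.
                // NOTE(review): this mutates the endpoint obtained from IdP metadata - confirm it is not a shared cache.
                endpoint.setLocation(destination);
            }
            if (destination == null) {
                this._logger.warn("No SingleLogoutService location for response available");
                throw new OAException(1);
            }
            logoutResponse.setDestination(destination);
            sAMLMessageContext.setLocalEntityMetadata(this._entityDescriptor);
            sAMLMessageContext.setLocalEntityRoleMetadata(this._spSSODescriptor);
            sAMLMessageContext.setPeerEntityEndpoint(endpoint);
            // Signing is guaranteed enabled by the check above.
            sAMLMessageContext.setOutboundSAMLMessageSigningCredential(SAML2CryptoUtils.retrieveMySigningCredentials(this._cryptoManager, this._entityDescriptor.getEntityID()));
            AbstractEncodingFactory.createInstance(httpServletRequest, httpServletResponse, binding, this._bindingProperties).getEncoder().encode(sAMLMessageContext);
            if (this._logger.isDebugEnabled()) {
                SAMLObject outbound = sAMLMessageContext.getOutboundSAMLMessage();
                if (outbound != null) {
                    logXML(outbound);
                }
            }
        } catch (MessageEncodingException e) {
            this._logger.error("Could not send reponse", e);
            throw new OAException(1);
        }
    }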

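    /**
     * Picks the IdP's SingleLogoutService endpoint to send a response to.
     *
     * <p>Only endpoints whose binding is supported by the configured binding properties
     * are considered. An endpoint with the preferred binding {@code str} wins; otherwise
     * the first endpoint with the default binding; otherwise {@code null}.
     *
     * @param saml2idp the IdP whose metadata is consulted; must not be null
     * @param str preferred binding URI (may be null, then only the default binding can match)
     * @return the selected endpoint, or null when none has a usable binding
     * @throws OAException when the IdP has no metadata provider or no IDPSSODescriptor,
     *     or the metadata lookup fails
     */
    private SingleLogoutService resolveSingleLogoutServiceEndpoint(SAML2IDP saml2idp, String str) throws OAException {
        // Desugared form of `assert saml2idp != null : "Empty SAML2 IDP supplied";`
        if (!$assertionsDisabled && saml2idp == null) {
            throw new AssertionError("Empty SAML2 IDP supplied");
        }
        try {
            MetadataProvider metadataProvider = saml2idp.getMetadataProvider();
            if (metadataProvider == null) {
                this._logger.warn("No MetadataProvider found for IDP: " + saml2idp.getID());
                throw new OAException(1);
            }
            IDPSSODescriptor role = (IDPSSODescriptor) metadataProvider.getRole(saml2idp.getID(), IDPSSODescriptor.DEFAULT_ELEMENT_NAME, "urn:oasis:names:tc:SAML:2.0:protocol");
            if (role == null) {
                this._logger.warn("No IDPSSODescriptor in metadata: Can't resolve response target for IDP: " + saml2idp.getID());
                throw new OAException(1);
            }
            String defaultBinding = this._bindingProperties.getDefault();
            SingleLogoutService defaultMatch = null;
            for (SingleLogoutService candidate : role.getSingleLogoutServices()) {
                String binding = candidate.getBinding();
                // Skip endpoints this SP cannot speak to.
                if (binding == null || !this._bindingProperties.isSupported(binding)) {
                    continue;
                }
                if (binding.equals(str)) {
                    return candidate;
                }
                // Remember the first default-binding endpoint as the fallback.
                if (defaultMatch == null && binding.equals(defaultBinding)) {
                    defaultMatch = candidate;
                }
            }
            return defaultMatch;
        } catch (OAException e) {
            // Must precede the generic handler: a subclass catch after Exception is unreachable.
            throw e;
        } catch (Exception e) {
            this._logger.fatal("Could not resolve SingleLogoutService for: " + saml2idp.getID(), e);
            throw new OAException(1);
        }
    }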

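    /**
     * Instantiates and starts the {@code IIDMapper} configured in the 'idmapper' section.
     *
     * <p>The class is loaded reflectively by the name in the 'class' parameter, so the
     * configuration is trusted input here. Class-loading failures and
     * instantiation/start failures are logged separately so the configuration error is
     * identifiable from the log.
     *
     * @param iConfigurationManager configuration manager used to read the 'class' parameter
     * @param element the 'idmapper' configuration element
     * @return the started mapper
     * @throws OAException code 17 when 'class' is missing, 2 when it cannot be loaded,
     *     created or started (an OAException raised by {@code start} is re-coded as 2),
     *     1 on any other error
     */
    private IIDMapper createIDMapper(IConfigurationManager iConfigurationManager, Element element) throws OAException {
        try {
            String className = iConfigurationManager.getParam(element, "class");
            if (className == null) {
                this._logger.error("No 'class' parameter found in 'idmapper' section in configuration");
                throw new OAException(17);
            }
            Class<?> mapperClass;
            try {
                mapperClass = Class.forName(className);
            } catch (ClassNotFoundException e) {
                this._logger.error("No 'class' found with name: " + className, e);
                throw new OAException(2);
            }
            try {
                // getDeclaredConstructor().newInstance() replaces the deprecated Class.newInstance().
                IIDMapper mapper = (IIDMapper) mapperClass.getDeclaredConstructor().newInstance();
                mapper.start(iConfigurationManager, element);
                return mapper;
            } catch (Exception e) {
                this._logger.error("Could not create an 'IIDMapper' instance of the configured 'class' found with name: " + className, e);
                throw new OAException(2);
            }
        } catch (OAException e) {
            throw e;
        } catch (Exception e) {
            this._logger.fatal("Internal error during creation of id mapper", e);
            throw new OAException(1);
        }
    }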

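    /**
     * Resolves the IdP that issued the inbound message and verifies its signature when
     * one is present.
     *
     * <p>The signature is checked only when the message carries one: either a
     * {@code Signature} parameter on the transport or an enveloped XML signature. An
     * unsigned message passes this method without signature validation; whether that
     * is acceptable for logout messages is not enforced here.
     *
     * @param sAMLMessageContext decoded message context; its peer entity role is set to {@code qName}
     * @param qName the expected role of the peer
     * @return the IdP that issued the message
     * @throws SAML2SecurityException when a present signature does not validate
     * @throws OAException when the issuer does not resolve to a configured IdP
     */
    private SAML2IDP validateRequestMessage(SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> sAMLMessageContext, QName qName) throws SAML2SecurityException, OAException {
        sAMLMessageContext.setPeerEntityRole(qName);
        String issuer = sAMLMessageContext.getInboundMessageIssuer();
        SignableSAMLObject inboundMessage = sAMLMessageContext.getInboundSAMLMessage();
        // NOTE(review): throws "No IDP found" when existStorage() returns true; the
        // condition reads inverted relative to the message - confirm against IDPStorageManager.
        if (this._idpStorageManager.existStorage(issuer)) {
            this._logger.debug("No IDP found with for issuer: " + issuer);
            throw new OAException(1);
        }
        SAML2IDP saml2idp = (SAML2IDP) this._idpStorageManager.getIDP(issuer);
        if (saml2idp == null) {
            // Unknown issuer: refuse before any signature check is attempted against a missing IdP.
            this._logger.debug("No IDP found with for issuer: " + issuer);
            throw new OAException(1);
        }
        String transportSignature = sAMLMessageContext.getInboundMessageTransport().getParameterValue("Signature");
        boolean signaturePresent = !DatatypeHelper.isEmpty(transportSignature) || inboundMessage.isSigned();
        if (signaturePresent) {
            if (!validateSignature(sAMLMessageContext, saml2idp, issuer)) {
                this._logger.debug("Invalid XML signature received for message from issuer: " + issuer);
                throw new SAML2SecurityException(RequestorEvent.REQUEST_INVALID);
            }
            this._logger.debug("XML signature validation okay");
        }
        return saml2idp;
    }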

    // Appears to be the decompiler's rendering of javac's synthetic assertion flag:
    // source-level `assert` statements (see resolveSingleLogoutServiceEndpoint) compile
    // to checks on this field, which tracks whether assertions are enabled for the class.
    static {
        $assertionsDisabled = !SPSingleLogout.class.desiredAssertionStatus();
    }
}
