package com.alfaariss.oa.authentication.remote.saml2.profile.logout;

import com.alfaariss.oa.OAException;
import com.alfaariss.oa.UserEvent;
import com.alfaariss.oa.api.idmapper.IIDMapper;
import com.alfaariss.oa.api.session.ISession;
import com.alfaariss.oa.api.user.IUser;
import com.alfaariss.oa.authentication.remote.saml2.SAML2AuthNConstants;
import com.alfaariss.oa.authentication.remote.saml2.beans.SAMLRemoteUser;
import com.alfaariss.oa.authentication.remote.saml2.profile.AbstractAuthNMethodSAML2Profile;
import com.alfaariss.oa.authentication.remote.saml2.util.ResponseValidator;
import com.alfaariss.oa.engine.core.idp.storage.IIDPStorage;
import com.alfaariss.oa.util.saml2.SAML2ConditionsWindow;
import com.alfaariss.oa.util.saml2.SAML2Exchange;
import com.alfaariss.oa.util.saml2.binding.AbstractEncodingFactory;
import com.alfaariss.oa.util.saml2.crypto.SAML2CryptoUtils;
import com.alfaariss.oa.util.saml2.idp.SAML2IDP;
import java.security.NoSuchAlgorithmException;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.SAMLVersion;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.common.binding.encoding.SAMLMessageEncoder;
import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
import org.opensaml.saml2.core.LogoutRequest;
import org.opensaml.saml2.core.SessionIndex;
import org.opensaml.saml2.core.Status;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.StatusResponseType;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.SingleLogoutService;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.ws.soap.client.BasicSOAPMessageContext;
import org.opensaml.ws.soap.client.http.HttpClientBuilder;
import org.opensaml.ws.soap.client.http.HttpSOAPClient;
import org.opensaml.ws.soap.common.SOAPException;
import org.opensaml.ws.soap.soap11.Body;
import org.opensaml.ws.soap.soap11.Envelope;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.SecurityException;

/* loaded from: input_file:com/alfaariss/oa/authentication/remote/saml2/profile/logout/LogoutProfile.class */
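/**
 * SAML 2.0 Single Logout profile against a remote IdP.
 *
 * <p>Two flows are implemented: the front-channel flow
 * ({@link #processASynchronous}), which either sends a {@code LogoutRequest}
 * through the HTTP binding given at construction or consumes the IdP's
 * {@code LogoutResponse} found on the current request, and the back-channel
 * flow ({@link #processSynchronous}), which wraps the {@code LogoutRequest} in
 * a SOAP envelope and evaluates the response in the same call.
 *
 * <p>Instance state ({@code _sBinding}, {@code _parserPool}) is assigned once
 * in the constructor and only read afterwards.
 */
public class LogoutProfile extends AbstractAuthNMethodSAML2Profile {
    /**
     * Key for the organization a logout was started at. Shares its value with
     * {@link #SESSION_LOGOUT_ORGANIZATION}; neither constant is read inside this class.
     */
    public static final String TGT_LOGOUT_ORGANIZATION = "aslogout_organization";
    /** Session-attribute key for the organization a logout was started at; see {@link #TGT_LOGOUT_ORGANIZATION}. */
    public static final String SESSION_LOGOUT_ORGANIZATION = "aslogout_organization";

    /** SAML 2.0 protocol namespace, used when selecting role descriptors from metadata. */
    private static final String SAML20_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol";
    /** Logout reason sent when the caller does not supply one. */
    private static final String DEFAULT_LOGOUT_REASON = "urn:oasis:names:tc:SAML:2.0:logout:user";
    /** Top-level status code meaning the IdP accepted the logout. */
    private static final String STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
    /** Second-level status code meaning the IdP could not log the user out of every session participant. */
    private static final String STATUS_PARTIAL_LOGOUT = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout";
    /** Connection timeout, in milliseconds, for the back-channel SOAP call. */
    private static final int SOAP_CONNECTION_TIMEOUT_MS = 5000;

    private static final Log _logger = LogFactory.getLog(LogoutProfile.class);

    /** Binding URI the IdP's SingleLogoutService must expose to be selected. */
    private final String _sBinding;
    /** Parser pool handed to the SOAP client for parsing the back-channel response. */
    private final BasicParserPool _parserPool;

    /**
     * Creates a logout profile for one binding.
     *
     * @param str the SAML binding URI; only a {@code SingleLogoutService} whose
     *            binding equals this value is used (see {@link #getSingleLogoutService})
     */
    public LogoutProfile(String str) {
        this._sBinding = str;
        this._parserPool = new BasicParserPool();
        // SOAP/SAML responses are namespace-qualified XML; the pool must be namespace aware to parse them.
        this._parserPool.setNamespaceAware(true);
    }

    /**
     * Initializes the profile by delegating to the superclass initializer.
     * The first two and the last two superclass arguments are passed as {@code null}.
     *
     * @throws OAException propagated from the superclass
     */
    public void init(EntityDescriptor entityDescriptor, IIDMapper iIDMapper, IIDPStorage iIDPStorage, String str, String str2, SAML2ConditionsWindow sAML2ConditionsWindow) throws OAException {
        super.init(null, null, entityDescriptor, iIDMapper, iIDPStorage, str, str2, sAML2ConditionsWindow, null, null);
    }

    /**
     * Resolves the IdP's SingleLogoutService for this profile's binding.
     *
     * @param saml2idp the IdP whose metadata is consulted
     * @return the matching service, or {@code null} when the IdP has no
     *         IDPSSODescriptor or no service with the configured binding
     */
    public SingleLogoutService getService(SAML2IDP saml2idp) {
        IDPSSODescriptor idpDescriptor = getIDPSSODescriptor(saml2idp);
        return (idpDescriptor == null) ? null : getSingleLogoutService(idpDescriptor);
    }

    /**
     * Performs one step of the front-channel logout.
     *
     * <p>Without an inbound SAML message context on the request (attribute
     * {@code SAML2AuthNConstants.SESSION_ATTRIBUTE_NAME}) a {@code LogoutRequest}
     * is sent via {@link #processRequest}. With one, the inbound message is taken
     * to be the IdP's {@code LogoutResponse} and is only evaluated when it was
     * issued by the IdP the session's user belongs to.
     *
     * @param httpServletRequest  current request
     * @param httpServletResponse current response, used to encode the outbound message
     * @param iSession            session being logged out; its user decides which IdP may answer
     * @param saml2idp            IdP to log out from; {@code null} fails the logout
     * @param str                 logout reason; {@link #DEFAULT_LOGOUT_REASON} when {@code null}
     * @param str2                session index placed in the {@code LogoutRequest}; unused on the response path
     * @return {@code USER_LOGOUT_IN_PROGRESS} after sending the request,
     *         {@code USER_LOGGED_OUT} or {@code USER_LOGOUT_PARTIALLY} after a
     *         successful response, {@code USER_LOGOUT_FAILED} otherwise
     * @throws OAException on internal errors while sending or validating
     */
    public UserEvent processASynchronous(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, ISession iSession, SAML2IDP saml2idp, String str, String str2) throws OAException {
        if (saml2idp == null) {
            _logger.warn("No organization available");
            return UserEvent.USER_LOGOUT_FAILED;
        }
        @SuppressWarnings("unchecked")
        SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> inboundContext =
            (SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject>) httpServletRequest.getAttribute(SAML2AuthNConstants.SESSION_ATTRIBUTE_NAME);

        if (inboundContext == null) {
            // Nothing received yet: this is the start of the logout, so send our LogoutRequest.
            String reason = (str == null) ? DEFAULT_LOGOUT_REASON : str;
            return processRequest(httpServletRequest, httpServletResponse, iSession, saml2idp, reason, str2);
        }

        IUser user = iSession.getUser();
        if (user == null) {
            _logger.debug("Session invalid; no user available to verify the logout response against");
            return UserEvent.USER_LOGOUT_FAILED;
        }
        // A remote user records the IdP it authenticated at; that, not the organization, is the expected issuer.
        String expectedOrganization = user.getOrganization();
        if (user instanceof SAMLRemoteUser) {
            expectedOrganization = ((SAMLRemoteUser) user).getIDP();
        }
        if (!saml2idp.getID().equals(expectedOrganization)) {
            _logger.debug("Session invalid; User was logging out at '" + saml2idp.getID()
                + "' instead of: " + expectedOrganization);
            return UserEvent.USER_LOGOUT_FAILED;
        }
        return processResponse(inboundContext, saml2idp);
    }

    /**
     * Performs a complete back-channel (SOAP) logout at the IdP.
     *
     * <p>Builds a {@code LogoutRequest} with a freshly generated ID, posts it to the
     * IdP's SingleLogoutService location and evaluates the returned status. All
     * failures are reported through the return value; nothing is thrown.
     *
     * @param iUser    user to log out
     * @param saml2idp IdP to log out from; {@code null} fails the logout
     * @param str      logout reason, may be {@code null}
     * @param str2     session index placed in the {@code LogoutRequest}
     * @return {@code USER_LOGGED_OUT}, {@code USER_LOGOUT_PARTIALLY} or {@code USER_LOGOUT_FAILED}
     */
    public UserEvent processSynchronous(IUser iUser, SAML2IDP saml2idp, String str, String str2) {
        if (saml2idp == null) {
            _logger.warn("No organization available");
            return UserEvent.USER_LOGOUT_FAILED;
        }
        IDPSSODescriptor idpDescriptor = getIDPSSODescriptor(saml2idp);
        if (idpDescriptor == null) {
            _logger.debug("No IDP SSO Descriptor found for organization");
            return UserEvent.USER_LOGOUT_FAILED;
        }
        SingleLogoutService logoutService = getSingleLogoutService(idpDescriptor);
        if (logoutService == null) {
            _logger.debug("No SingleLogoutService with binding '" + this._sBinding + "' found for organization");
            return UserEvent.USER_LOGOUT_FAILED;
        }
        try {
            String requestId = new SecureRandomIdentifierGenerator().generateIdentifier();
            // No destination on the back-channel request: the SOAP call itself targets the service location.
            LogoutRequest logoutRequest = buildLogoutRequest(requestId, iUser, str, null, str2);
            String location = logoutService.getLocation();
            _logger.debug("Sending synchronous logout request to location: " + location);

            XMLObject responseObject = sendSOAPMessage(location, logoutRequest);
            if (!(responseObject instanceof StatusResponseType)) {
                _logger.debug("Illegally typed object retrieved from logout response");
                return UserEvent.USER_LOGOUT_FAILED;
            }
            BasicSAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> responseContext =
                new BasicSAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject>();
            responseContext.setInboundSAMLMessage((StatusResponseType) responseObject);
            // The issuer is asserted locally here; the issuer check in processResponse is therefore
            // only meaningful for the front-channel flow.
            responseContext.setInboundMessageIssuer(saml2idp.getID());
            return processResponse(responseContext, saml2idp);
        } catch (NoSuchAlgorithmException e) {
            _logger.error("Could not generate ID for logout request", e);
            return UserEvent.USER_LOGOUT_FAILED;
        } catch (SecurityException e) {
            _logger.debug("Signing of Logout request failed", e);
            return UserEvent.USER_LOGOUT_FAILED;
        } catch (MessageEncodingException e) {
            _logger.debug("Encoding of Logout request failed", e);
            return UserEvent.USER_LOGOUT_FAILED;
        } catch (OAException e) {
            _logger.debug("Creation of Logout request failed", e);
            return UserEvent.USER_LOGOUT_FAILED;
        }
    }

    /**
     * Sends {@code xMLObject} as the sole child of a SOAP 1.1 body to {@code str}
     * and returns the first child of the response body.
     *
     * <p>Only the connection timeout is bounded here; whether the read is bounded
     * depends on {@code HttpClientBuilder}'s defaults — confirm before relying on it.
     *
     * @param str       endpoint URL of the IdP's SingleLogoutService
     * @param xMLObject message to send (the {@code LogoutRequest})
     * @return the first element of the response body, or {@code null} when the
     *         response has no envelope, no body, or an empty body
     * @throws SecurityException        propagated from the SOAP client
     * @throws MessageEncodingException when the SOAP exchange fails
     */
    private XMLObject sendSOAPMessage(String str, XMLObject xMLObject) throws SecurityException, MessageEncodingException {
        XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();
        Body body = (Body) builderFactory.getBuilder(Body.DEFAULT_ELEMENT_NAME).buildObject();
        body.getUnknownXMLObjects().add(xMLObject);
        Envelope envelope = (Envelope) builderFactory.getBuilder(Envelope.DEFAULT_ELEMENT_NAME).buildObject();
        envelope.setBody(body);

        BasicSOAPMessageContext soapContext = new BasicSOAPMessageContext();
        soapContext.setOutboundMessage(envelope);

        HttpClientBuilder clientBuilder = new HttpClientBuilder();
        clientBuilder.setConnectionTimeout(SOAP_CONNECTION_TIMEOUT_MS);
        HttpSOAPClient soapClient = new HttpSOAPClient(clientBuilder.buildClient(), this._parserPool);

        if (_logger.isDebugEnabled()) {
            logXML(soapContext.getOutboundMessage());
        }
        try {
            soapClient.send(str, soapContext);
        } catch (SOAPException e) {
            _logger.warn("Could not process soap message while communicating with: " + str, e);
            throw new MessageEncodingException("Could not process SOAP message", e);
        }
        if (_logger.isDebugEnabled()) {
            logXML(soapContext.getInboundMessage());
        }

        // The response comes from the network; check each layer before reaching into it.
        XMLObject inbound = soapContext.getInboundMessage();
        if (!(inbound instanceof Envelope)) {
            _logger.debug("No envelope in response message");
            return null;
        }
        Body responseBody = ((Envelope) inbound).getBody();
        if (responseBody == null) {
            _logger.debug("No body in response message");
            return null;
        }
        List<XMLObject> bodyChildren = responseBody.getUnknownXMLObjects();
        if (bodyChildren.isEmpty()) {
            _logger.debug("Empty body in response message");
            return null;
        }
        return bodyChildren.get(0);
    }

    /**
     * Builds, signs (when enabled) and encodes a front-channel {@code LogoutRequest}
     * to the IdP's SingleLogoutService.
     *
     * @param iSession session being logged out; persisted before the response is encoded
     * @param saml2idp IdP to log out from
     * @param str      logout reason
     * @param str2     session index placed in the request
     * @return {@code USER_LOGOUT_IN_PROGRESS} once the request has been encoded,
     *         {@code USER_LOGOUT_FAILED} when no suitable endpoint exists
     * @throws OAException when no encoding factory is available, or propagated from helpers
     */
    private UserEvent processRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, ISession iSession, SAML2IDP saml2idp, String str, String str2) throws OAException {
        IDPSSODescriptor idpDescriptor = getIDPSSODescriptor(saml2idp);
        if (idpDescriptor == null) {
            _logger.debug("No IDP SSO Descriptor found for organization");
            return UserEvent.USER_LOGOUT_FAILED;
        }
        SingleLogoutService logoutService = getSingleLogoutService(idpDescriptor);
        if (logoutService == null) {
            _logger.debug("No SingleLogoutService with binding '" + this._sBinding + "' found for organization");
            return UserEvent.USER_LOGOUT_FAILED;
        }

        String destination = logoutService.getLocation();
        LogoutRequest logoutRequest = buildLogoutRequest(
            generateRequestID(iSession.getId(), iSession.getAttributes()), iSession.getUser(), str, destination, str2);

        String localEntityId = this._entityDescriptor.getEntityID();
        SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> encodingContext =
            createEncodingContext(httpServletRequest, httpServletResponse);
        encodingContext.setInboundMessageIssuer(saml2idp.getID());
        encodingContext.setOutboundMessageIssuer(localEntityId);
        encodingContext.setLocalEntityId(localEntityId);
        encodingContext.setLocalEntityMetadata(this._entityDescriptor);
        encodingContext.setLocalEntityRoleMetadata(this._entityDescriptor.getSPSSODescriptor(SAML20_PROTOCOL));
        encodingContext.setMetadataProvider(saml2idp.getMetadataProvider());
        encodingContext.setOutboundSAMLMessage(logoutRequest);
        // NOTE(review): the peer endpoint is built with the AssertionConsumerService element name although it
        // describes the SingleLogoutService. buildMetadataEndpoint lives outside this class — confirm the
        // element name is irrelevant to the encoder (it is given the service's own binding and location).
        encodingContext.setPeerEntityEndpoint(buildMetadataEndpoint(
            AssertionConsumerService.DEFAULT_ELEMENT_NAME, logoutService.getBinding(), destination, null));
        if (this._signingEnabled) {
            encodingContext.setOutboundSAMLMessageSigningCredential(
                SAML2CryptoUtils.retrieveMySigningCredentials(this._crypto, localEntityId));
        }

        AbstractEncodingFactory encodingFactory = AbstractEncodingFactory.createInstance(
            httpServletRequest, httpServletResponse, logoutService.getBinding(),
            SAML2Exchange.getSPSSOBindingProperties(this._sLinkedIDPProfile));
        if (encodingFactory == null) {
            _logger.error("No encoding factory available for request");
            throw new OAException(1);
        }
        SAMLMessageEncoder encoder = encodingFactory.getEncoder();
        // Persist before encoding; the session must already be stored by the time the IdP's response
        // comes back on a later request (the encoder presumably commits the HTTP response).
        iSession.persist();
        encoder.encode(encodingContext);
        if (_logger.isDebugEnabled()) {
            SAMLObject outbound = encodingContext.getOutboundSAMLMessage();
            if (outbound != null) {
                logXML(outbound);
            }
        }
        return UserEvent.USER_LOGOUT_IN_PROGRESS;
    }

    /**
     * Validates the inbound {@code LogoutResponse} and maps its status to a {@link UserEvent}.
     *
     * <p>Validation is delegated to {@code ResponseValidator}; this method additionally
     * requires the context's inbound issuer to equal the IdP's ID. The request ID is not
     * tracked in this class, so whether {@code InResponseTo} is checked depends on
     * {@code ResponseValidator} — verify there if replay of responses is a concern.
     *
     * @param sAMLMessageContext context holding the inbound message and its issuer
     * @param saml2idp           IdP the response must originate from
     * @return {@code USER_LOGGED_OUT}, {@code USER_LOGOUT_PARTIALLY} or {@code USER_LOGOUT_FAILED}
     * @throws OAException propagated from validation, or wrapping any other failure
     */
    private UserEvent processResponse(SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> sAMLMessageContext, SAML2IDP saml2idp) throws OAException {
        try {
            SignableSAMLObject inbound = sAMLMessageContext.getInboundSAMLMessage();
            if (!(inbound instanceof StatusResponseType)) {
                _logger.debug("Inbound message is not a status response");
                return UserEvent.USER_LOGOUT_FAILED;
            }
            new ResponseValidator(this._entityDescriptor.getEntityID(), saml2idp, false).validateResponse(sAMLMessageContext);
            if (!saml2idp.getID().equals(sAMLMessageContext.getInboundMessageIssuer())) {
                _logger.debug("Response issuer not equal to query issuer");
                return UserEvent.USER_LOGOUT_FAILED;
            }
            return eventForStatus((StatusResponseType) inbound);
        } catch (OAException e) {
            throw e;
        } catch (Exception e) {
            _logger.fatal("Internal error when processing logout response", e);
            throw new OAException(1);
        }
    }

    /**
     * Maps the status of a validated response to a logout event.
     *
     * @return {@code USER_LOGGED_OUT} on Success, {@code USER_LOGOUT_PARTIALLY} when Success
     *         carries a PartialLogout sub-status, {@code USER_LOGOUT_FAILED} for any other or missing status
     */
    private static UserEvent eventForStatus(StatusResponseType response) {
        Status status = response.getStatus();
        if (status == null) {
            _logger.debug("No status code available");
            return UserEvent.USER_LOGOUT_FAILED;
        }
        StatusCode topLevel = status.getStatusCode();
        String topLevelValue = (topLevel == null) ? null : topLevel.getValue();
        if (topLevelValue == null) {
            _logger.debug("No required top level status code available");
            return UserEvent.USER_LOGOUT_FAILED;
        }
        if (!STATUS_SUCCESS.equals(topLevelValue)) {
            _logger.debug("Top level status code: " + topLevelValue);
            return UserEvent.USER_LOGOUT_FAILED;
        }
        StatusCode secondLevel = topLevel.getStatusCode();
        String secondLevelValue = (secondLevel == null) ? null : secondLevel.getValue();
        if (STATUS_PARTIAL_LOGOUT.equals(secondLevelValue)) {
            return UserEvent.USER_LOGOUT_PARTIALLY;
        }
        return UserEvent.USER_LOGGED_OUT;
    }

    /**
     * Looks up the IdP's IDPSSODescriptor for the SAML 2.0 protocol in its metadata provider.
     *
     * @return the descriptor, or {@code null} when the IdP has no metadata provider or the lookup fails
     */
    private IDPSSODescriptor getIDPSSODescriptor(SAML2IDP saml2idp) {
        try {
            MetadataProvider metadataProvider = saml2idp.getMetadataProvider();
            if (metadataProvider == null) {
                return null;
            }
            return (IDPSSODescriptor) metadataProvider.getRole(saml2idp.getID(), IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAML20_PROTOCOL);
        } catch (OAException e) {
            // Best effort: a missing descriptor is reported to callers as null, but keep the cause visible.
            _logger.debug("Could not retrieve metadata provider for organization", e);
            return null;
        } catch (MetadataProviderException e) {
            _logger.debug("Could not retrieve IDP SSO Descriptor from metadata", e);
            return null;
        }
    }

    /**
     * Returns the first SingleLogoutService whose binding equals this profile's binding.
     *
     * @return the matching service, or {@code null} when there is none; services
     *         without a binding are skipped
     */
    private SingleLogoutService getSingleLogoutService(IDPSSODescriptor iDPSSODescriptor) {
        for (SingleLogoutService candidate : iDPSSODescriptor.getSingleLogoutServices()) {
            String binding = candidate.getBinding();
            // Metadata is external input: tolerate a service element without a binding.
            if (binding != null && binding.equals(this._sBinding)) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Builds a {@code LogoutRequest} for {@code iUser}.
     *
     * <p>For a {@link SAMLRemoteUser} the NameID format, the user's organization
     * (as NameID qualifier argument) and a SessionIndex element are taken from the
     * user; otherwise this SP's entity ID is used and no SessionIndex is added.
     *
     * @param str   request ID
     * @param iUser user to log out
     * @param str2  logout reason; omitted when {@code null}
     * @param str3  destination; omitted when {@code null}
     * @param str4  session index value (only used for remote users; {@code null} is passed through as-is)
     * @return the request, signed when signing is enabled
     * @throws OAException propagated from the NameID/Issuer builders or signing
     */
    private LogoutRequest buildLogoutRequest(String str, IUser iUser, String str2, String str3, String str4) throws OAException {
        // _builderFactory is inherited from the superclass.
        LogoutRequest request = (LogoutRequest) this._builderFactory.getBuilder(LogoutRequest.DEFAULT_ELEMENT_NAME).buildObject();
        request.setID(str);

        String nameIdFormat = null;
        String nameQualifier;
        if (iUser instanceof SAMLRemoteUser) {
            SAMLRemoteUser remoteUser = (SAMLRemoteUser) iUser;
            nameIdFormat = remoteUser.getFormat();
            nameQualifier = remoteUser.getOrganization();
            SessionIndex sessionIndex = (SessionIndex) this._builderFactory.getBuilder(SessionIndex.DEFAULT_ELEMENT_NAME).buildObject();
            sessionIndex.setSessionIndex(str4);
            request.getSessionIndexes().add(sessionIndex);
        } else {
            nameQualifier = this._entityDescriptor.getEntityID();
        }
        request.setNameID(buildNameID(iUser.getID(), nameIdFormat, nameQualifier));
        if (str2 != null) {
            request.setReason(str2);
        }
        request.setVersion(SAMLVersion.VERSION_20);
        request.setIssueInstant(new DateTime());
        request.setIssuer(buildIssuer());
        if (str3 != null) {
            request.setDestination(str3);
        }
        // Sign last so the signature covers every element set above.
        if (this._signingEnabled) {
            signSAMLObject(request);
        }
        return request;
    }
}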
