package com.alfaariss.oa.profile.saml2.listener.slo;

import com.alfaariss.oa.OAException;
import com.alfaariss.oa.RequestorEvent;
import com.alfaariss.oa.UserEvent;
import com.alfaariss.oa.api.attribute.ITGTAttributes;
import com.alfaariss.oa.api.user.IUser;
import com.alfaariss.oa.engine.core.Engine;
import com.alfaariss.oa.engine.core.crypto.CryptoException;
import com.alfaariss.oa.engine.core.crypto.CryptoManager;
import com.alfaariss.oa.profile.saml2.profile.sso.WebBrowserSSO;
import com.alfaariss.oa.util.saml2.NameIDFormatter;
import com.alfaariss.oa.util.saml2.SAML2Requestor;
import com.alfaariss.oa.util.saml2.SAML2SecurityException;
import com.alfaariss.oa.util.saml2.crypto.SAML2CryptoUtils;
import java.security.NoSuchAlgorithmException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.SAMLVersion;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.common.impl.SAMLObjectContentReference;
import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
import org.opensaml.saml2.binding.security.SAML2HTTPPostSimpleSignRule;
import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.LogoutRequest;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.SessionIndex;
import org.opensaml.saml2.core.Status;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.StatusResponseType;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.SingleLogoutService;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.ws.security.SecurityPolicyException;
import org.opensaml.ws.soap.client.BasicSOAPMessageContext;
import org.opensaml.ws.soap.client.http.HttpClientBuilder;
import org.opensaml.ws.soap.client.http.HttpSOAPClient;
import org.opensaml.ws.soap.common.SOAPException;
import org.opensaml.ws.soap.soap11.Body;
import org.opensaml.ws.soap.soap11.Envelope;
import org.opensaml.ws.transport.http.HTTPInTransport;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.opensaml.xml.io.Marshaller;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityConfiguration;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.ChainingCredentialResolver;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.StaticCredentialResolver;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.opensaml.xml.util.DatatypeHelper;
import org.opensaml.xml.util.XMLHelper;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Element;

/* loaded from: input_file:com/alfaariss/oa/profile/saml2/listener/slo/SynchronousSingleLogout.class */
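public class SynchronousSingleLogout {
    /** Class logger; created once instead of on every construction. */
    private static final Log _logger = LogFactory.getLog(SynchronousSingleLogout.class);

    /** Top-level SAML status URI that denotes a successful logout. */
    private static final String STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
    /** Second-level SAML status URI that denotes a partial logout. */
    private static final String STATUS_PARTIAL_LOGOUT = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout";
    /** HTTP query parameter that carries a detached (Redirect-binding) signature. */
    private static final String SIGNATURE_PARAMETER = "Signature";
    /** Connect timeout in milliseconds for the SOAP back-channel call. */
    private static final int CONNECTION_TIMEOUT_MS = 5000;
    /** TGT attribute names read under the {@link WebBrowserSSO} attribute namespace. */
    private static final String ATTR_NAMEID_FORMAT = "NameIDFormat";
    private static final String ATTR_SP_NAME_QUALIFIER = "SPNameQualifier";
    /** OAException code used by this class for internal errors; its meaning is defined elsewhere. */
    private static final int INTERNAL_ERROR = 1;

    private final XMLObjectBuilderFactory _builderFactory;
    private final CryptoManager _cryptoManager;
    private final EntityDescriptor _entityDescriptor;
    private final NameIDFormatter _nameIDFormatter;
    /** This entity's own signing credential, or null when it could not be loaded. */
    private final Credential _credential;
    private final SAMLSignatureProfileValidator _profileValidator;
    private final KeyInfoCredentialResolver _keyInfoCredResolver;
    private final BasicParserPool _parserPool;

    /**
     * Creates a synchronous (SOAP back-channel) single-logout handler for the given entity.
     *
     * @param entityDescriptor metadata of this entity; its entity ID is used as issuer and
     *                         as the key for looking up the signing credential
     * @throws OAException when the engine, TGT factory or NameID formatter cannot be set up
     */
    public SynchronousSingleLogout(EntityDescriptor entityDescriptor) throws OAException {
        this._entityDescriptor = entityDescriptor;
        this._builderFactory = Configuration.getBuilderFactory();
        Engine engine = Engine.getInstance();
        this._cryptoManager = engine.getCryptoManager();
        this._nameIDFormatter = new NameIDFormatter(this._cryptoManager, engine.getTGTFactory().getAliasStoreSP());
        this._profileValidator = new SAMLSignatureProfileValidator();
        this._keyInfoCredResolver = Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();

        String entityID = this._entityDescriptor.getEntityID();
        Credential credential = null;
        try {
            credential = SAML2CryptoUtils.retrieveMySigningCredentials(this._cryptoManager, entityID);
        } catch (OAException e) {
            // Best effort, as before: without a credential the local keystore is simply not consulted
            // during signature validation (see buildTrustedCredentialResolver). Log instead of swallowing.
            _logger.debug("No signing credential available for entity: " + entityID, e);
        }
        this._credential = credential;

        this._parserPool = new BasicParserPool();
        this._parserPool.setNamespaceAware(true);
        // The pool parses SOAP responses received from remote peers; do not expand entity references
        // (XXE hardening). Newer OpenSAML versions may already default to false — harmless either way.
        this._parserPool.setExpandEntityReferences(false);
    }

    /**
     * Sends a SAML LogoutRequest to the given SingleLogoutService over SOAP and maps the
     * LogoutResponse status to a {@link UserEvent}.
     *
     * @param iUser               user being logged out; its ID is the NameID fallback
     * @param sAML2Requestor      the requestor (SP) to notify; supplies ID and metadata provider
     * @param singleLogoutService SLO endpoint whose location is called
     * @param str                 logout reason placed in the request's Reason attribute
     * @param iTGTAttributes      TGT attributes holding the NameID format and SP name qualifier
     * @param str2                session index placed in the request
     * @param str3                value handed to the NameID formatter (presumably the TGT id; verify
     *                            against NameIDFormatter.resolve)
     * @return {@code USER_LOGGED_OUT}, {@code USER_LOGOUT_PARTIALLY} or {@code USER_LOGOUT_FAILED};
     *         never throws for expected failures
     */
    public UserEvent processSynchronous(IUser iUser, SAML2Requestor sAML2Requestor, SingleLogoutService singleLogoutService, String str, ITGTAttributes iTGTAttributes, String str2, String str3) {
        String reason = str;
        String sessionIndex = str2;
        String tgtID = str3;
        try {
            String requestorID = sAML2Requestor.getID();
            String requestID = new SecureRandomIdentifierGenerator().generateIdentifier();
            LogoutRequest logoutRequest = buildLogoutRequest(requestID, iUser, reason, iTGTAttributes, sessionIndex, tgtID, requestorID);

            String location = singleLogoutService.getLocation();
            _logger.debug("Sending synchronous logout request to location: " + location);
            XMLObject response = sendSOAPMessage(location, logoutRequest);
            if (response == null) {
                _logger.warn("No logout response from: " + location);
                return UserEvent.USER_LOGOUT_FAILED;
            }
            if (!(response instanceof StatusResponseType)) {
                _logger.debug("Illegally typed object retrieved from logout response: " + response.getElementQName());
                return UserEvent.USER_LOGOUT_FAILED;
            }

            BasicSAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> context =
                    new BasicSAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject>();
            context.setInboundSAMLMessage((StatusResponseType) response);
            context.setInboundMessageIssuer(requestorID);
            return verifyResponse(context, sAML2Requestor);
        } catch (NoSuchAlgorithmException e) {
            _logger.error("Could not generate ID for logout request", e);
            return UserEvent.USER_LOGOUT_FAILED;
        } catch (SecurityException e) {
            _logger.debug("Signing of Logout request failed", e);
            return UserEvent.USER_LOGOUT_FAILED;
        } catch (ClassCastException e) {
            // Remaining unchecked casts: TGT attribute values and the signature content reference.
            _logger.debug("Illegally typed object retrieved from logout response", e);
            return UserEvent.USER_LOGOUT_FAILED;
        } catch (MessageEncodingException e) {
            _logger.debug("Encoding of Logout request failed", e);
            return UserEvent.USER_LOGOUT_FAILED;
        } catch (OAException e) {
            _logger.debug("Creation of Logout request failed", e);
            return UserEvent.USER_LOGOUT_FAILED;
        }
    }

    /**
     * Wraps the payload in a SOAP 1.1 envelope, posts it to {@code location} and returns the
     * first child of the response body.
     *
     * @param location SOAP endpoint URL
     * @param payload  SAML message to send
     * @return first element of the response body, or null when the response has no envelope,
     *         no body or an empty body
     * @throws SecurityException        propagated from the SOAP client
     * @throws MessageEncodingException when the SOAP exchange fails
     */
    private XMLObject sendSOAPMessage(String location, XMLObject payload) throws SecurityException, MessageEncodingException {
        Body requestBody = (Body) this._builderFactory.getBuilder(Body.DEFAULT_ELEMENT_NAME).buildObject();
        requestBody.getUnknownXMLObjects().add(payload);
        Envelope envelope = (Envelope) this._builderFactory.getBuilder(Envelope.DEFAULT_ELEMENT_NAME).buildObject();
        envelope.setBody(requestBody);

        BasicSOAPMessageContext soapContext = new BasicSOAPMessageContext();
        soapContext.setOutboundMessage(envelope);

        HttpClientBuilder clientBuilder = new HttpClientBuilder();
        // Only the connect timeout is configured here; whether a read timeout applies depends on
        // HttpClientBuilder's defaults — confirm before relying on it for a hung peer.
        clientBuilder.setConnectionTimeout(CONNECTION_TIMEOUT_MS);
        HttpSOAPClient soapClient = new HttpSOAPClient(clientBuilder.buildClient(), this._parserPool);

        if (_logger.isDebugEnabled()) {
            logXML(payload);
        }
        try {
            soapClient.send(location, soapContext);
        } catch (SOAPException e) {
            _logger.warn("Could not process soap message while communitating with: " + location, e);
            // Keep the cause so the failing transport step is visible to the caller's log.
            throw new MessageEncodingException("Could not process SOAP message", e);
        }

        XMLObject inbound = soapContext.getInboundMessage();
        if (_logger.isDebugEnabled()) {
            logXML(inbound);
        }
        return extractBodyContent(inbound);
    }

    /**
     * Returns the first element inside the SOAP body of {@code inbound}, or null (with a debug
     * log) when there is no envelope, no body or the body is empty.
     */
    private XMLObject extractBodyContent(XMLObject inbound) {
        if (!(inbound instanceof Envelope)) {
            _logger.debug("No envelope in response message");
            return null;
        }
        Body responseBody = ((Envelope) inbound).getBody();
        if (responseBody == null) {
            _logger.debug("No body in response message");
            return null;
        }
        // An empty body previously raised IndexOutOfBoundsException, which no caller caught.
        if (responseBody.getUnknownXMLObjects().isEmpty()) {
            _logger.debug("Empty body in response message");
            return null;
        }
        return (XMLObject) responseBody.getUnknownXMLObjects().get(0);
    }

    /**
     * Validates the logout response in the context and maps its status codes to a UserEvent.
     *
     * @param context   message context whose inbound message is the LogoutResponse
     * @param requestor requestor whose metadata provider is used for signature validation
     * @return the resulting user event
     * @throws OAException on signature failure (as SAML2SecurityException) or internal errors
     */
    private UserEvent verifyResponse(SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> context, SAML2Requestor requestor) throws OAException {
        try {
            SignableSAMLObject inbound = context.getInboundSAMLMessage();
            if (!(inbound instanceof StatusResponseType)) {
                _logger.debug("Logout response is not a StatusResponseType");
                return UserEvent.USER_LOGOUT_FAILED;
            }
            context.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
            validateMessage(context, requestor);
            return mapStatus(((StatusResponseType) inbound).getStatus());
        } catch (OAException e) {
            throw e;
        } catch (Exception e) {
            _logger.fatal("Internal error when processing logout response", e);
            throw new OAException(INTERNAL_ERROR);
        }
    }

    /**
     * Maps a SAML Status to a UserEvent: Success with a PartialLogout sub-code is a partial
     * logout, plain Success is a full logout, anything else (including a missing code) fails.
     */
    private UserEvent mapStatus(Status status) {
        if (status == null) {
            _logger.debug("No status code available");
            return UserEvent.USER_LOGOUT_FAILED;
        }
        StatusCode topLevel = status.getStatusCode();
        String topLevelValue = (topLevel == null) ? null : topLevel.getValue();
        if (topLevelValue == null) {
            _logger.debug("No required top level status code available");
            return UserEvent.USER_LOGOUT_FAILED;
        }
        if (!STATUS_SUCCESS.equals(topLevelValue)) {
            _logger.debug("Top level status code: " + topLevelValue);
            return UserEvent.USER_LOGOUT_FAILED;
        }
        StatusCode secondLevel = topLevel.getStatusCode();
        if (secondLevel != null && STATUS_PARTIAL_LOGOUT.equals(secondLevel.getValue())) {
            return UserEvent.USER_LOGOUT_PARTIALLY;
        }
        return UserEvent.USER_LOGGED_OUT;
    }

    /**
     * Builds (and, when a private key is configured, signs) the LogoutRequest.
     *
     * @param requestID     value for the request's ID attribute
     * @param user          user to log out; its ID is used when no NameID can be resolved
     * @param reason        logout reason
     * @param tgtAttributes TGT attributes providing NameID format and SP name qualifier
     * @param sessionIndex  session index to include
     * @param tgtID         passed to the NameID formatter (presumably the TGT id — verify)
     * @param requestorID   entity ID of the requestor the request is addressed to
     * @return the populated request
     * @throws OAException       when NameID resolution or signing fails
     * @throws SecurityException when signature parameters cannot be prepared
     */
    private LogoutRequest buildLogoutRequest(String requestID, IUser user, String reason, ITGTAttributes tgtAttributes, String sessionIndex, String tgtID, String requestorID) throws OAException, SecurityException {
        LogoutRequest request = (LogoutRequest) this._builderFactory.getBuilder(LogoutRequest.DEFAULT_ELEMENT_NAME).buildObject();
        request.setID(requestID);

        SessionIndex sessionIndexElement = (SessionIndex) this._builderFactory.getBuilder(SessionIndex.DEFAULT_ELEMENT_NAME).buildObject();
        sessionIndexElement.setSessionIndex(sessionIndex);
        request.getSessionIndexes().add(sessionIndexElement);

        String entityID = this._entityDescriptor.getEntityID();
        String nameIDFormat = (String) tgtAttributes.get(WebBrowserSSO.class, ATTR_NAMEID_FORMAT);
        String spNameQualifier = (String) tgtAttributes.get(WebBrowserSSO.class, ATTR_SP_NAME_QUALIFIER);

        String nameIDValue = this._nameIDFormatter.resolve(nameIDFormat, requestorID, tgtID);
        if (nameIDValue == null) {
            // Fall back to the plain user ID, without a Format, when no alias exists for this requestor.
            _logger.debug("No NameID found with format '" + nameIDFormat + "' for requestor: " + requestorID);
            nameIDValue = user.getID();
            nameIDFormat = null;
        }
        request.setNameID(buildNameID(nameIDValue, nameIDFormat, entityID, spNameQualifier));
        request.setReason(reason);
        request.setVersion(SAMLVersion.VERSION_20);
        request.setIssueInstant(new DateTime());
        request.setIssuer(buildIssuer(null, entityID));

        if (this._cryptoManager.getPrivateKey() != null) {
            Signature signature = createSignature();
            // setSignature registers the content reference that the digest algorithm is set on.
            request.setSignature(signature);
            ((SAMLObjectContentReference) signature.getContentReferences().get(0))
                    .setDigestAlgorithm(SAML2CryptoUtils.getXMLDigestMethodURI(this._cryptoManager.getMessageDigest()));
            signXMLObject(request, signature);
        }
        return request;
    }

    /**
     * Builds an Issuer element.
     *
     * @param format optional Format attribute; omitted when null
     * @param value  issuer value (entity ID)
     */
    private Issuer buildIssuer(String format, String value) {
        Issuer issuer = (Issuer) this._builderFactory.getBuilder(Issuer.DEFAULT_ELEMENT_NAME).buildObject();
        issuer.setValue(value);
        if (format != null) {
            issuer.setFormat(format);
        }
        return issuer;
    }

    /**
     * Builds a NameID element; each optional attribute is set only when non-null.
     *
     * @param value           NameID value
     * @param format          optional Format
     * @param nameQualifier   optional NameQualifier
     * @param spNameQualifier optional SPNameQualifier
     */
    private NameID buildNameID(String value, String format, String nameQualifier, String spNameQualifier) {
        NameID nameID = (NameID) this._builderFactory.getBuilder(NameID.DEFAULT_ELEMENT_NAME).buildObject();
        nameID.setValue(value);
        if (format != null) {
            nameID.setFormat(format);
        }
        if (nameQualifier != null) {
            nameID.setNameQualifier(nameQualifier);
        }
        if (spNameQualifier != null) {
            nameID.setSPNameQualifier(spNameQualifier);
        }
        return nameID;
    }

    /**
     * Creates an enveloped Signature object bound to this entity's signing credential, with
     * algorithm and key info prepared by OpenSAML's SecurityHelper.
     *
     * @throws OAException       when the signing credential cannot be retrieved
     * @throws SecurityException when signature parameters cannot be prepared
     */
    private Signature createSignature() throws OAException, SecurityException {
        Signature signature = (Signature) this._builderFactory.getBuilder(Signature.DEFAULT_ELEMENT_NAME).buildObject(Signature.DEFAULT_ELEMENT_NAME);
        signature.setSignatureAlgorithm(SAML2CryptoUtils.getXMLSignatureURI(this._cryptoManager));
        X509Credential signingCredential = SAML2CryptoUtils.retrieveMySigningCredentials(this._cryptoManager, this._entityDescriptor.getEntityID());
        signature.setSigningCredential(signingCredential);
        SecurityHelper.prepareSignatureParams(signature, signingCredential, (SecurityConfiguration) null, (String) null);
        return signature;
    }

    /**
     * Marshals {@code object} if it has no DOM yet and then computes the given signature over it.
     *
     * @throws OAException when no marshaller is registered, marshalling fails or signing fails
     */
    private void signXMLObject(XMLObject object, Signature signature) throws OAException {
        try {
            Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(object);
            if (marshaller == null) {
                _logger.error("No marshaller registered for " + object.getElementQName() + ", unable to marshall assertion");
                throw new OAException(INTERNAL_ERROR);
            }
            // Signing operates on the DOM, so it must exist before Signer runs.
            if (object.getDOM() == null) {
                marshaller.marshall(object);
            }
            Signer.signObject(signature);
        } catch (MarshallingException e) {
            _logger.warn("Marshalling error while signing object", e);
            throw new OAException(INTERNAL_ERROR);
        } catch (OAException e) {
            throw e;
        } catch (Exception e) {
            _logger.error("Could not sign object", e);
            throw new OAException(INTERNAL_ERROR);
        }
    }

    /**
     * Validates the inbound message's signature when one is present, either embedded in the
     * XML or as a detached "Signature" transport parameter. A message with neither is accepted
     * without a signature check (behaviour inherited from the original implementation).
     *
     * @throws SAML2SecurityException when a present signature does not validate
     * @throws OAException            on internal validation errors
     */
    private void validateMessage(SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> context, SAML2Requestor requestor) throws SAML2SecurityException, OAException {
        SignableSAMLObject message = context.getInboundSAMLMessage();

        String detachedSignature = null;
        Object transport = context.getInboundMessageTransport();
        // The SOAP path sets no transport; only an HTTP transport can carry a detached signature.
        if (transport instanceof HTTPInTransport) {
            detachedSignature = ((HTTPInTransport) transport).getParameterValue(SIGNATURE_PARAMETER);
        }
        if (DatatypeHelper.isEmpty(detachedSignature) && !message.isSigned()) {
            return;
        }

        String issuer = context.getInboundMessageIssuer();
        if (!validateSignature(context, requestor.getMetadataProvider(), issuer)) {
            _logger.debug("Invalid XML signature received for message from issuer: " + issuer);
            throw new SAML2SecurityException(RequestorEvent.REQUEST_INVALID);
        }
        _logger.debug("XML signature validation okay");
    }

    /**
     * Verifies the message signature against the issuer's trusted credentials (metadata and,
     * when available, the local keystore) and evaluates the detached-signature binding rules.
     * Fails closed: with no trusted credential source the result is false.
     *
     * @return true when every present signature validates; false otherwise
     * @throws OAException on processing errors that are not signature failures
     */
    private boolean validateSignature(SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> context, MetadataProvider metadataProvider, String issuer) throws OAException {
        SignableSAMLObject message = context.getInboundSAMLMessage();
        Signature signature = message.getSignature();
        try {
            // Profile validation (reference/transform constraints) happens before any key lookup.
            if (message.isSigned()) {
                this._profileValidator.validate(signature);
            }

            ChainingCredentialResolver trustedCredentials = buildTrustedCredentialResolver(metadataProvider, issuer);
            if (trustedCredentials.getResolverChain().isEmpty()) {
                _logger.warn("No trusted certificate or metadata found for issuer: " + issuer);
                return false;
            }

            ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(trustedCredentials, this._keyInfoCredResolver);
            if (message.isSigned()) {
                CriteriaSet criteria = new CriteriaSet();
                criteria.add(new EntityIDCriteria(issuer));
                criteria.add(new MetadataCriteria(context.getPeerEntityRole(), context.getInboundSAMLProtocol()));
                criteria.add(new UsageCriteria(UsageType.SIGNING));
                if (!trustEngine.validate(signature, criteria)) {
                    return false;
                }
            }
            // Detached signatures (Redirect / POST-SimpleSign); each rule throws when its signature is invalid.
            new SAML2HTTPRedirectDeflateSignatureRule(trustEngine).evaluate(context);
            new SAML2HTTPPostSimpleSignRule(trustEngine, this._parserPool, this._keyInfoCredResolver).evaluate(context);
            return true;
        } catch (SecurityPolicyException e) {
            _logger.debug("Invalid signature", e);
            return false;
        } catch (ValidationException e) {
            _logger.debug("Invalid signature", e);
            return false;
        } catch (SecurityException e) {
            _logger.error("Processing error evaluating the signature", e);
            throw new OAException(INTERNAL_ERROR);
        }
    }

    /**
     * Builds the credential resolver chain for {@code issuer}: the requestor's metadata when a
     * provider exists, plus the local keystore entry when this entity's own credential is loaded.
     * The chain may be empty.
     */
    private ChainingCredentialResolver buildTrustedCredentialResolver(MetadataProvider metadataProvider, String issuer) throws OAException {
        ChainingCredentialResolver chain = new ChainingCredentialResolver();
        if (metadataProvider != null) {
            _logger.debug("Metadata provider found for issuer: " + issuer);
            chain.getResolverChain().add(new MetadataCredentialResolver(metadataProvider));
        }
        if (this._credential != null) {
            try {
                chain.getResolverChain().add(new StaticCredentialResolver(SAML2CryptoUtils.retrieveSigningCredentials(this._cryptoManager, issuer)));
            } catch (CryptoException e) {
                _logger.debug("No trusted certificate found for issuer: " + issuer);
            }
        }
        return chain;
    }

    /**
     * Pretty-prints {@code object} at debug level, marshalling it first when it has no DOM.
     * Callers must check {@code _logger.isDebugEnabled()} before calling (asserted here).
     * A null object is ignored.
     */
    private void logXML(XMLObject object) {
        assert _logger.isDebugEnabled() : "Logger debug state not checked";
        if (object == null) {
            return;
        }
        Element dom = object.getDOM();
        if (dom == null) {
            Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(object);
            if (marshaller != null) {
                try {
                    // Previously the freshly marshalled DOM was discarded, so nothing was ever printed here.
                    dom = marshaller.marshall(object);
                } catch (MarshallingException e) {
                    _logger.debug("Could not prettyPrint XML object", e);
                }
            }
        }
        if (dom != null) {
            // Debug, not info: this output is guarded by the debug level and contains the user's NameID.
            _logger.debug(XMLHelper.prettyPrintXML(dom));
        }
    }
}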
