package org.springframework.security.saml2.provider.service.authentication.logout;

import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Collection;
import java.util.function.Consumer;
import net.shibboleth.utilities.java.support.xml.ParserPool;
import org.opensaml.core.config.ConfigurationService;
import org.opensaml.core.xml.config.XMLObjectProviderRegistry;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.saml2.core.EncryptedID;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.impl.LogoutRequestUnmarshaller;
import org.springframework.security.core.Authentication;
import org.springframework.security.saml2.Saml2Exception;
import org.springframework.security.saml2.core.OpenSamlInitializationService;
import org.springframework.security.saml2.core.Saml2Error;
import org.springframework.security.saml2.provider.service.authentication.logout.OpenSamlVerificationUtils;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;

/* loaded from: input_file:BOOT-INF/lib/spring-security-saml2-service-provider-5.7.3.jar:org/springframework/security/saml2/provider/service/authentication/logout/OpenSamlLogoutRequestValidator.class */
public final class OpenSamlLogoutRequestValidator implements Saml2LogoutRequestValidator {
    private final ParserPool parserPool = ((XMLObjectProviderRegistry) ConfigurationService.get(XMLObjectProviderRegistry.class)).getParserPool();
    private final LogoutRequestUnmarshaller unmarshaller = (LogoutRequestUnmarshaller) XMLObjectProviderRegistrySupport.getUnmarshallerFactory().getUnmarshaller(LogoutRequest.DEFAULT_ELEMENT_NAME);

    @Override // org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequestValidator
    public Saml2LogoutValidatorResult validate(Saml2LogoutRequestValidatorParameters saml2LogoutRequestValidatorParameters) {
        Saml2LogoutRequest logoutRequest = saml2LogoutRequestValidatorParameters.getLogoutRequest();
        RelyingPartyRegistration relyingPartyRegistration = saml2LogoutRequestValidatorParameters.getRelyingPartyRegistration();
        Authentication authentication = saml2LogoutRequestValidatorParameters.getAuthentication();
        LogoutRequest parse = parse(inflateIfRequired(logoutRequest, Saml2Utils.samlDecode(logoutRequest.getSamlRequest())));
        return Saml2LogoutValidatorResult.withErrors(new Saml2Error[0]).errors(verifySignature(logoutRequest, parse, relyingPartyRegistration)).errors(validateRequest(parse, relyingPartyRegistration, authentication)).build();
    }

    private String inflateIfRequired(Saml2LogoutRequest saml2LogoutRequest, byte[] bArr) {
        return saml2LogoutRequest.getBinding() == Saml2MessageBinding.REDIRECT ? Saml2Utils.samlInflate(bArr) : new String(bArr, StandardCharsets.UTF_8);
    }

    private LogoutRequest parse(String str) throws Saml2Exception {
        try {
            return (LogoutRequest) this.unmarshaller.unmarshall(this.parserPool.parse(new ByteArrayInputStream(str.getBytes(StandardCharsets.UTF_8))).getDocumentElement());
        } catch (Exception e) {
            throw new Saml2Exception("Failed to deserialize LogoutRequest", e);
        }
    }

    private Consumer<Collection<Saml2Error>> verifySignature(Saml2LogoutRequest saml2LogoutRequest, LogoutRequest logoutRequest, RelyingPartyRegistration relyingPartyRegistration) {
        return collection -> {
            OpenSamlVerificationUtils.VerifierPartial verifySignature = OpenSamlVerificationUtils.verifySignature(logoutRequest, relyingPartyRegistration);
            if (logoutRequest.isSigned()) {
                collection.addAll(verifySignature.post(logoutRequest.getSignature()));
            } else {
                collection.addAll(verifySignature.redirect(saml2LogoutRequest));
            }
        };
    }

    private Consumer<Collection<Saml2Error>> validateRequest(LogoutRequest logoutRequest, RelyingPartyRegistration relyingPartyRegistration, Authentication authentication) {
        return collection -> {
            validateIssuer(logoutRequest, relyingPartyRegistration).accept(collection);
            validateDestination(logoutRequest, relyingPartyRegistration).accept(collection);
            validateSubject(logoutRequest, relyingPartyRegistration, authentication).accept(collection);
        };
    }

    private Consumer<Collection<Saml2Error>> validateIssuer(LogoutRequest logoutRequest, RelyingPartyRegistration relyingPartyRegistration) {
        return collection -> {
            if (logoutRequest.getIssuer() == null) {
                collection.add(new Saml2Error("invalid_issuer", "Failed to find issuer in LogoutResponse"));
            } else {
                if (logoutRequest.getIssuer().getValue().equals(relyingPartyRegistration.getAssertingPartyDetails().getEntityId())) {
                    return;
                }
                collection.add(new Saml2Error("invalid_issuer", "Failed to match issuer to configured issuer"));
            }
        };
    }

    private Consumer<Collection<Saml2Error>> validateDestination(LogoutRequest logoutRequest, RelyingPartyRegistration relyingPartyRegistration) {
        return collection -> {
            if (logoutRequest.getDestination() == null) {
                collection.add(new Saml2Error("invalid_destination", "Failed to find destination in LogoutResponse"));
            } else {
                if (logoutRequest.getDestination().equals(relyingPartyRegistration.getSingleLogoutServiceLocation())) {
                    return;
                }
                collection.add(new Saml2Error("invalid_destination", "Failed to match destination to configured destination"));
            }
        };
    }

    private Consumer<Collection<Saml2Error>> validateSubject(LogoutRequest logoutRequest, RelyingPartyRegistration relyingPartyRegistration, Authentication authentication) {
        return collection -> {
            if (authentication == null) {
                return;
            }
            NameID nameId = getNameId(logoutRequest, relyingPartyRegistration);
            if (nameId == null) {
                collection.add(new Saml2Error("subject_not_found", "Failed to find subject in LogoutRequest"));
            } else {
                validateNameId(nameId, authentication, collection);
            }
        };
    }

    private NameID getNameId(LogoutRequest logoutRequest, RelyingPartyRegistration relyingPartyRegistration) {
        NameID nameID = logoutRequest.getNameID();
        if (nameID != null) {
            return nameID;
        }
        EncryptedID encryptedID = logoutRequest.getEncryptedID();
        if (encryptedID == null) {
            return null;
        }
        return decryptNameId(encryptedID, relyingPartyRegistration);
    }

    private void validateNameId(NameID nameID, Authentication authentication, Collection<Saml2Error> collection) {
        if (nameID.getValue().equals(authentication.getName())) {
            return;
        }
        collection.add(new Saml2Error("invalid_request", "Failed to match subject in LogoutRequest with currently logged in user"));
    }

    private NameID decryptNameId(EncryptedID encryptedID, RelyingPartyRegistration relyingPartyRegistration) {
        SAMLObject decryptEncryptedId = LogoutRequestEncryptedIdUtils.decryptEncryptedId(encryptedID, relyingPartyRegistration);
        if (decryptEncryptedId instanceof NameID) {
            return (NameID) decryptEncryptedId;
        }
        return null;
    }

    static {
        OpenSamlInitializationService.initialize();
    }
}
