package org.springframework.security.saml2.provider.service.web.authentication.logout;

import jakarta.servlet.http.HttpServletRequest;
import java.time.Clock;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
import java.util.function.Consumer;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.core.config.ConfigurationService;
import org.opensaml.core.xml.config.XMLObjectProviderRegistry;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.LogoutResponse;
import org.opensaml.saml.saml2.core.Status;
import org.opensaml.saml.saml2.core.StatusCode;
import org.opensaml.saml.saml2.core.impl.IssuerBuilder;
import org.opensaml.saml.saml2.core.impl.LogoutRequestUnmarshaller;
import org.opensaml.saml.saml2.core.impl.LogoutResponseBuilder;
import org.opensaml.saml.saml2.core.impl.LogoutResponseMarshaller;
import org.opensaml.saml.saml2.core.impl.StatusBuilder;
import org.opensaml.saml.saml2.core.impl.StatusCodeBuilder;
import org.springframework.security.core.Authentication;
import org.springframework.security.saml2.core.OpenSamlInitializationService;
import org.springframework.security.saml2.core.Saml2ParameterNames;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationPlaceholderResolvers;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
import org.springframework.util.Assert;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:BOOT-INF/lib/spring-security-saml2-service-provider-6.5.1.jar:org/springframework/security/saml2/provider/service/web/authentication/logout/BaseOpenSamlLogoutResponseResolver.class */
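/**
 * Builds the SAML 2.0 {@code LogoutResponse} that this relying party returns to an asserting
 * party after receiving a {@code LogoutRequest}.
 *
 * <p>Security notes for reviewers:
 * <ul>
 * <li>The inbound {@code SAMLRequest} parameter is decoded and deserialized here, but nothing in
 * this class verifies its signature, issuer or destination, and the response status is always
 * {@link StatusCode#SUCCESS}. Presumably the caller validates the request before invoking
 * {@link #resolve}; confirm that against the calling filter.</li>
 * <li>The response {@code Destination} is taken from the resolved
 * {@link RelyingPartyRegistration}, never from the inbound message.</li>
 * <li>{@code RelayState} is copied verbatim from the inbound request into the outbound
 * message.</li>
 * </ul>
 *
 * <p>This listing is decompiler output: calls named {@code mo18767buildObject()} carry a
 * decompiler-assigned name and are kept exactly as they appear so the listing stays consistent
 * with the rest of the decompiled tree.
 */
public final class BaseOpenSamlLogoutResponseResolver implements Saml2LogoutResponseResolver {
    // OpenSAML object builders, looked up from the registry in the constructor.
    private final LogoutResponseBuilder logoutResponseBuilder;
    private final IssuerBuilder issuerBuilder;
    private final StatusBuilder statusBuilder;
    private final StatusCodeBuilder statusCodeBuilder;
    // Deserialization, serialization and signing operations.
    private final OpenSamlOperations saml;
    // Fallback lookup by asserting-party entity ID; resolve() tolerates null here.
    private final RelyingPartyRegistrationRepository registrations;
    private final RelyingPartyRegistrationResolver relyingPartyRegistrationResolver;
    private final Log logger = LogFactory.getLog(getClass());
    // Source of IssueInstant; replaceable through setClock.
    private Clock clock = Clock.systemUTC();
    // No-op by default.
    private Consumer<LogoutResponseParameters> parametersConsumer = logoutResponseParameters -> {
    };
    // Declared before marshaller on purpose: the marshaller initializer below reads this field,
    // and instance initializers run in textual order.
    private XMLObjectProviderRegistry registry = (XMLObjectProviderRegistry) ConfigurationService.get(XMLObjectProviderRegistry.class);
    // Not referenced anywhere else in this class as decompiled.
    private final LogoutRequestUnmarshaller unmarshaller = (LogoutRequestUnmarshaller) XMLObjectProviderRegistrySupport.getUnmarshallerFactory().getUnmarshaller(LogoutRequest.DEFAULT_ELEMENT_NAME);
    private final LogoutResponseMarshaller marshaller = (LogoutResponseMarshaller) this.registry.getMarshallerFactory().getMarshaller(LogoutResponse.DEFAULT_ELEMENT_NAME);

    /**
     * Immutable bundle of the inputs of one {@link #resolve} call, handed to the configured
     * parameters consumer. It carries the inbound request objects only; the response being
     * built is not part of it.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:BOOT-INF/lib/spring-security-saml2-service-provider-6.5.1.jar:org/springframework/security/saml2/provider/service/web/authentication/logout/BaseOpenSamlLogoutResponseResolver$LogoutResponseParameters.class */
    public static final class LogoutResponseParameters {
        private final HttpServletRequest request;
        private final RelyingPartyRegistration registration;
        private final Authentication authentication;
        private final LogoutRequest logoutRequest;

        LogoutResponseParameters(HttpServletRequest httpServletRequest, RelyingPartyRegistration relyingPartyRegistration, Authentication authentication, LogoutRequest logoutRequest) {
            this.request = httpServletRequest;
            this.registration = relyingPartyRegistration;
            this.authentication = authentication;
            this.logoutRequest = logoutRequest;
        }

        /** Returns the HTTP request that carried the logout request. */
        /* JADX INFO: Access modifiers changed from: package-private */
        public HttpServletRequest getRequest() {
            return this.request;
        }

        /** Returns the registration the response is being built for. */
        /* JADX INFO: Access modifiers changed from: package-private */
        public RelyingPartyRegistration getRelyingPartyRegistration() {
            return this.registration;
        }

        /** Returns the authentication passed to {@code resolve}; may be {@code null}. */
        /* JADX INFO: Access modifiers changed from: package-private */
        public Authentication getAuthentication() {
            return this.authentication;
        }

        /** Returns the deserialized inbound logout request. */
        /* JADX INFO: Access modifiers changed from: package-private */
        public LogoutRequest getLogoutRequest() {
            return this.logoutRequest;
        }
    }

    /**
     * Creates a resolver and looks up the OpenSAML builders it needs.
     *
     * @param relyingPartyRegistrationRepository fallback used to find a registration by the
     * request issuer; {@code resolve} skips the fallback when this is {@code null}
     * @param relyingPartyRegistrationResolver primary registration lookup
     * @param openSamlOperations deserialization, serialization and signing operations
     * @throws IllegalArgumentException if a required OpenSAML marshaller or builder is not
     * registered
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public BaseOpenSamlLogoutResponseResolver(RelyingPartyRegistrationRepository relyingPartyRegistrationRepository, RelyingPartyRegistrationResolver relyingPartyRegistrationResolver, OpenSamlOperations openSamlOperations) {
        this.saml = openSamlOperations;
        this.registrations = relyingPartyRegistrationRepository;
        this.relyingPartyRegistrationResolver = relyingPartyRegistrationResolver;
        Assert.notNull(this.marshaller, "logoutResponseMarshaller must be configured in OpenSAML");
        this.logoutResponseBuilder = (LogoutResponseBuilder) this.registry.getBuilderFactory().getBuilder(LogoutResponse.DEFAULT_ELEMENT_NAME);
        Assert.notNull(this.logoutResponseBuilder, "logoutResponseBuilder must be configured in OpenSAML");
        this.issuerBuilder = (IssuerBuilder) this.registry.getBuilderFactory().getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
        Assert.notNull(this.issuerBuilder, "issuerBuilder must be configured in OpenSAML");
        this.statusBuilder = (StatusBuilder) this.registry.getBuilderFactory().getBuilder(Status.DEFAULT_ELEMENT_NAME);
        Assert.notNull(this.statusBuilder, "statusBuilder must be configured in OpenSAML");
        this.statusCodeBuilder = (StatusCodeBuilder) this.registry.getBuilderFactory().getBuilder(StatusCode.DEFAULT_ELEMENT_NAME);
        Assert.notNull(this.statusCodeBuilder, "statusCodeBuilder must be configured in OpenSAML");
    }

    /**
     * Builds, signs and encodes a {@code LogoutResponse} with status {@code SUCCESS} for the
     * logout request carried by the given HTTP request.
     *
     * <p>The registration is resolved from the authenticated principal first and, failing that,
     * from the issuer named in the logout request. That issuer is attacker-controllable until
     * the request has been validated, and this method does not validate it.
     *
     * @param httpServletRequest the request carrying the {@code SAMLRequest} and optional
     * {@code RelayState} parameters
     * @param authentication the current authentication; may be {@code null}
     * @return the response to send, or {@code null} when no registration can be resolved, the
     * request names no issuer to look one up by, or the asserting party has no single logout
     * response location
     */
    /* JADX WARN: Type inference failed for: r0v64, types: [org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSamlOperations$SignatureConfigurer] */
    /* JADX WARN: Type inference failed for: r1v40, types: [org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSamlOperations$SignatureConfigurer] */
    @Override // org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutResponseResolver
    public Saml2LogoutResponse resolve(HttpServletRequest httpServletRequest, Authentication authentication) {
        // Untrusted input: parsed here, not verified here.
        LogoutRequest logoutRequest = (LogoutRequest) this.saml.deserialize(extractSamlRequest(httpServletRequest));
        RelyingPartyRegistration registration = this.relyingPartyRegistrationResolver.resolve(httpServletRequest, getRegistrationId(authentication));
        if (registration == null && this.registrations != null) {
            // A request without an Issuer used to fail here with a NullPointerException. It now
            // takes the existing "nothing resolvable" path and returns null.
            Issuer requestIssuer = logoutRequest.getIssuer();
            String requestIssuerValue = (requestIssuer != null) ? requestIssuer.getValue() : null;
            if (requestIssuerValue != null) {
                registration = this.registrations.findUniqueByAssertingPartyEntityId(requestIssuerValue);
            }
        }
        if (registration == null || registration.getAssertingPartyMetadata().getSingleLogoutServiceResponseLocation() == null) {
            return null;
        }
        // NOTE(review): presumably expands placeholders in the configured entity ID from the
        // current request. If so, the Issuer value depends on request data; verify how the
        // base URL is derived in this deployment.
        String issuerEntityId = RelyingPartyRegistrationPlaceholderResolvers.uriResolver(httpServletRequest, registration).resolve(registration.getEntityId());
        LogoutResponse logoutResponse = this.logoutResponseBuilder.mo18767buildObject();
        // Destination comes from the registration metadata, never from the inbound message.
        logoutResponse.setDestination(registration.getAssertingPartyMetadata().getSingleLogoutServiceResponseLocation());
        Issuer issuer = this.issuerBuilder.mo18767buildObject();
        issuer.setValue(issuerEntityId);
        logoutResponse.setIssuer(issuer);
        StatusCode statusCode = this.statusCodeBuilder.mo18767buildObject();
        statusCode.setValue(StatusCode.SUCCESS);
        Status status = this.statusBuilder.mo18767buildObject();
        status.setStatusCode(statusCode);
        logoutResponse.setStatus(status);
        // Correlates the response with the request it answers.
        logoutResponse.setInResponseTo(logoutRequest.getID());
        if (logoutResponse.getID() == null) {
            logoutResponse.setID("LR" + UUID.randomUUID());
        }
        logoutResponse.setIssueInstant(Instant.now(this.clock));
        // Runs before any signature is computed.
        this.parametersConsumer.accept(new LogoutResponseParameters(httpServletRequest, registration, authentication, logoutRequest));
        // Echoed back unchanged; treat as opaque, caller-supplied data wherever it is consumed.
        String relayState = httpServletRequest.getParameter("RelayState");
        Saml2LogoutResponse.Builder responseBuilder = Saml2LogoutResponse.withRelyingPartyRegistration(registration);
        if (registration.getAssertingPartyMetadata().getSingleLogoutServiceBinding() == Saml2MessageBinding.POST) {
            // POST binding: the XML object itself is signed, then serialized and encoded.
            LogoutResponse signedResponse = (LogoutResponse) this.saml.withSigningKeys(registration.getSigningX509Credentials()).algorithms(registration.getAssertingPartyMetadata().getSigningAlgorithms()).sign(logoutResponse);
            responseBuilder.samlResponse(Saml2Utils.withDecoded(serialize(signedResponse)).encode());
            if (relayState != null) {
                responseBuilder.relayState(relayState);
            }
            return responseBuilder.build();
        }
        // Any other binding: the unsigned XML is deflated and encoded, and the signature is
        // computed over the parameter map instead, which includes RelayState when present.
        String encodedResponse = Saml2Utils.withDecoded(serialize(logoutResponse)).deflate(true).encode();
        responseBuilder.samlResponse(encodedResponse);
        Map<String, String> unsignedParameters = new HashMap<>();
        unsignedParameters.put(Saml2ParameterNames.SAML_RESPONSE, encodedResponse);
        if (relayState != null) {
            unsignedParameters.put("RelayState", relayState);
        }
        Map<String, String> signedParameters = this.saml.withSigningKeys(registration.getSigningX509Credentials()).algorithms(registration.getAssertingPartyMetadata().getSigningAlgorithms()).sign(unsignedParameters);
        return responseBuilder.parameters(map -> {
            map.putAll(signedParameters);
        }).build();
    }

    /**
     * Replaces the clock used for the response {@code IssueInstant}.
     *
     * @param clock the clock to use; not null-checked here, so a {@code null} value only fails
     * later, inside {@code resolve}
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public void setClock(Clock clock) {
        this.clock = clock;
    }

    /**
     * Replaces the callback that {@code resolve} invokes before signing.
     *
     * @param consumer the callback; not null-checked here, so a {@code null} value only fails
     * later, inside {@code resolve}
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public void setParametersConsumer(Consumer<LogoutResponseParameters> consumer) {
        this.parametersConsumer = consumer;
    }

    /**
     * Returns the registration id recorded on a SAML 2.0 authenticated principal, or
     * {@code null} when there is no authentication or its principal is of another type.
     */
    private String getRegistrationId(Authentication authentication) {
        if (this.logger.isTraceEnabled()) {
            // Prints whatever the Authentication implementation's toString() exposes.
            this.logger.trace("Attempting to resolve registrationId from " + authentication);
        }
        if (authentication == null) {
            return null;
        }
        Object principal = authentication.getPrincipal();
        if (principal instanceof Saml2AuthenticatedPrincipal) {
            return ((Saml2AuthenticatedPrincipal) principal).getRelyingPartyRegistrationId();
        }
        return null;
    }

    /**
     * Decodes the {@code SAMLRequest} parameter, inflating it when the request uses the HTTP
     * redirect binding.
     */
    private String extractSamlRequest(HttpServletRequest httpServletRequest) {
        // NOTE(review): getParameter returns null when SAMLRequest is absent; how
        // Saml2Utils.withEncoded handles null is not visible here. Confirm callers only reach
        // this method when the parameter is present.
        String encodedRequest = httpServletRequest.getParameter(Saml2ParameterNames.SAML_REQUEST);
        boolean redirectBinding = Saml2MessageBindingUtils.isHttpRedirectBinding(httpServletRequest);
        return Saml2Utils.withEncoded(encodedRequest).inflate(redirectBinding).decode();
    }

    /** Serializes the response to its XML string form. */
    private String serialize(LogoutResponse logoutResponse) {
        return this.saml.serialize(logoutResponse).serialize();
    }

    // Runs once at class initialization, before any instance field initializer queries the
    // OpenSAML registries above.
    static {
        OpenSamlInitializationService.initialize();
    }
}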
