package org.springframework.security.saml2.provider.service.web.authentication.logout;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.core.log.LogMessage;
import org.springframework.security.saml2.core.Saml2Error;
import org.springframework.security.saml2.core.Saml2ParameterNames;
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest;
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse;
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponseValidator;
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponseValidatorParameters;
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutValidatorResult;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:WEB-INF/lib/spring-security-saml2-service-provider-5.6.0.jar:org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2LogoutResponseFilter.class */
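/**
 * Servlet filter that consumes a SAML 2.0 {@code LogoutResponse} delivered to the
 * single-logout endpoint (default {@code /logout/saml2/slo}).
 *
 * <p>Processing order for a request that matches the endpoint and carries a
 * {@code SAMLResponse} parameter:
 * <ol>
 * <li>remove the saved {@link Saml2LogoutRequest} from the repository;</li>
 * <li>resolve the {@link RelyingPartyRegistration} named by that saved request;</li>
 * <li>check that the HTTP method matches the registration's single-logout binding;</li>
 * <li>hand the response, the saved request and the registration to the
 * {@link Saml2LogoutResponseValidator};</li>
 * <li>on success invoke the {@link LogoutSuccessHandler}, otherwise answer with an error
 * status.</li>
 * </ol>
 *
 * <p>Security notes for maintainers:
 * <ul>
 * <li>The saved logout request is removed <em>before</em> the response is validated, so any
 * request that reaches step 1 consumes it, whether or not the response later validates. This
 * makes the correlation single-use; it also means a rejected response cannot be retried
 * against the same saved request.</li>
 * <li>All message and signature checking is delegated to the configured validator; this
 * filter only forwards the {@code SigAlg} and {@code Signature} request parameters to it.</li>
 * <li>The first validation error is returned to the client as the error message of the
 * 401 response.</li>
 * </ul>
 */
public final class Saml2LogoutResponseFilter extends OncePerRequestFilter {
    private final RelyingPartyRegistrationResolver relyingPartyRegistrationResolver;
    private final Saml2LogoutResponseValidator logoutResponseValidator;
    private final LogoutSuccessHandler logoutSuccessHandler;
    private final Log logger = LogFactory.getLog(getClass());
    // NOTE(review): presumably keeps the pending logout request in the HTTP session (inferred
    // from the type name only) - confirm against HttpSessionLogoutRequestRepository.
    private Saml2LogoutRequestRepository logoutRequestRepository = new HttpSessionLogoutRequestRepository();
    private RequestMatcher logoutRequestMatcher = new AntPathRequestMatcher("/logout/saml2/slo");

    /**
     * Creates the filter.
     *
     * @param relyingPartyRegistrationResolver resolves the registration for the saved logout request
     * @param saml2LogoutResponseValidator validates the received logout response
     * @param logoutSuccessHandler invoked once a logout response has validated without errors
     * @throws IllegalArgumentException if any argument is {@code null}
     */
    public Saml2LogoutResponseFilter(RelyingPartyRegistrationResolver relyingPartyRegistrationResolver, Saml2LogoutResponseValidator saml2LogoutResponseValidator, LogoutSuccessHandler logoutSuccessHandler) {
        // Fail at wiring time, as the setters do, instead of with a NullPointerException on the
        // first logout response that reaches the filter.
        Assert.notNull(relyingPartyRegistrationResolver, "relyingPartyRegistrationResolver cannot be null");
        Assert.notNull(saml2LogoutResponseValidator, "logoutResponseValidator cannot be null");
        Assert.notNull(logoutSuccessHandler, "logoutSuccessHandler cannot be null");
        this.relyingPartyRegistrationResolver = relyingPartyRegistrationResolver;
        this.logoutResponseValidator = saml2LogoutResponseValidator;
        this.logoutSuccessHandler = logoutSuccessHandler;
    }

    /**
     * Handles a logout response, or passes the request down the chain when it does not match
     * the logout endpoint or has no {@code SAMLResponse} parameter.
     *
     * @param request the current request
     * @param response the current response
     * @param filterChain the remaining filter chain
     * @throws ServletException propagated from the chain or the success handler
     * @throws IOException propagated from the chain, the success handler or {@code sendError}
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        boolean carriesLogoutResponse = this.logoutRequestMatcher.matches(request)
                && request.getParameter(Saml2ParameterNames.SAML_RESPONSE) != null;
        if (!carriesLogoutResponse) {
            filterChain.doFilter(request, response);
            return;
        }

        // The saved request is taken out of the repository here, ahead of every later check,
        // so each saved request can be matched against at most one incoming response.
        Saml2LogoutRequest logoutRequest = this.logoutRequestRepository.removeLogoutRequest(request, response);
        if (logoutRequest == null) {
            this.logger.trace("Did not process logout response since could not find associated LogoutRequest");
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Failed to find associated LogoutRequest");
            return;
        }

        // The registration id comes from the saved request, not from the incoming message.
        RelyingPartyRegistration registration = this.relyingPartyRegistrationResolver.resolve(request, logoutRequest.getRelyingPartyRegistrationId());
        if (registration == null) {
            this.logger.trace("Did not process logout request since failed to find associated RelyingPartyRegistration");
            Saml2Error notFound = new Saml2Error("relying_party_registration_not_found", "Failed to find associated RelyingPartyRegistration");
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, notFound.toString());
            return;
        }

        if (!isCorrectBinding(request, registration)) {
            this.logger.trace("Did not process logout request since used incorrect binding");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        Saml2LogoutResponse logoutResponse = Saml2LogoutResponse.withRelyingPartyRegistration(registration)
                .samlResponse(request.getParameter(Saml2ParameterNames.SAML_RESPONSE))
                .relayState(request.getParameter("RelayState"))
                .binding(registration.getSingleLogoutServiceBinding())
                .location(registration.getSingleLogoutServiceResponseLocation())
                .parameters(params -> params.put(Saml2ParameterNames.SIG_ALG, request.getParameter(Saml2ParameterNames.SIG_ALG)))
                .parameters(params -> params.put("Signature", request.getParameter("Signature")))
                .build();
        Saml2LogoutValidatorResult result = this.logoutResponseValidator.validate(
                new Saml2LogoutResponseValidatorParameters(logoutResponse, logoutRequest, registration));

        if (result.hasErrors()) {
            // Record the full error list before writing the response, so the diagnostic is
            // not lost if sendError throws.
            this.logger.debug(LogMessage.format("Failed to validate LogoutResponse: %s", result.getErrors()));
            // Only the first error is reported to the client.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, result.getErrors().iterator().next().toString());
            return;
        }
        // No Authentication is passed to the handler.
        this.logoutSuccessHandler.onLogoutSuccess(request, response, null);
    }

    /**
     * Replaces the matcher that decides which requests this filter inspects.
     *
     * @param requestMatcher the matcher to use, never {@code null}
     */
    public void setLogoutRequestMatcher(RequestMatcher requestMatcher) {
        Assert.notNull(requestMatcher, "logoutRequestMatcher cannot be null");
        this.logoutRequestMatcher = requestMatcher;
    }

    /**
     * Replaces the repository from which the saved logout request is removed.
     *
     * @param saml2LogoutRequestRepository the repository to use, never {@code null}
     */
    public void setLogoutRequestRepository(Saml2LogoutRequestRepository saml2LogoutRequestRepository) {
        Assert.notNull(saml2LogoutRequestRepository, "logoutRequestRepository cannot be null");
        this.logoutRequestRepository = saml2LogoutRequestRepository;
    }

    /**
     * Checks the HTTP method against the registration's single-logout binding: {@code POST}
     * for {@link Saml2MessageBinding#POST}, {@code GET} for any other binding.
     */
    private boolean isCorrectBinding(HttpServletRequest request, RelyingPartyRegistration registration) {
        String expectedMethod = (registration.getSingleLogoutServiceBinding() == Saml2MessageBinding.POST) ? "POST" : "GET";
        return expectedMethod.equals(request.getMethod());
    }
}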
