package org.springframework.security.saml2.provider.service.web.authentication.logout;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Objects;
import java.util.function.Function;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.core.log.LogMessage;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.saml2.core.Saml2ParameterNames;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest;
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequestValidator;
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequestValidatorParameters;
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse;
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutValidatorResult;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.logout.CompositeLogoutHandler;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.HtmlUtils;
import org.springframework.web.util.UriComponentsBuilder;
import org.springframework.web.util.UriUtils;

/* loaded from: input_file:WEB-INF/lib/spring-security-saml2-service-provider-5.6.0.jar:org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2LogoutRequestFilter.class */
public final class Saml2LogoutRequestFilter extends OncePerRequestFilter {
    private final Saml2LogoutRequestValidator logoutRequestValidator;
    private final RelyingPartyRegistrationResolver relyingPartyRegistrationResolver;
    private final Saml2LogoutResponseResolver logoutResponseResolver;
    private final LogoutHandler handler;
    private final Log logger = LogFactory.getLog(getClass());
    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
    private RequestMatcher logoutRequestMatcher = new AntPathRequestMatcher("/logout/saml2/slo");

    public Saml2LogoutRequestFilter(RelyingPartyRegistrationResolver relyingPartyRegistrationResolver, Saml2LogoutRequestValidator saml2LogoutRequestValidator, Saml2LogoutResponseResolver saml2LogoutResponseResolver, LogoutHandler... logoutHandlerArr) {
        this.relyingPartyRegistrationResolver = relyingPartyRegistrationResolver;
        this.logoutRequestValidator = saml2LogoutRequestValidator;
        this.logoutResponseResolver = saml2LogoutResponseResolver;
        this.handler = new CompositeLogoutHandler(logoutHandlerArr);
    }

    @Override // org.springframework.web.filter.OncePerRequestFilter
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        if (!this.logoutRequestMatcher.matches(httpServletRequest)) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        if (httpServletRequest.getParameter(Saml2ParameterNames.SAML_REQUEST) == null) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        RelyingPartyRegistration resolve = this.relyingPartyRegistrationResolver.resolve(httpServletRequest, getRegistrationId(authentication));
        if (resolve == null) {
            this.logger.trace("Did not process logout request since failed to find associated RelyingPartyRegistration");
            httpServletResponse.sendError(400);
            return;
        }
        if (!isCorrectBinding(httpServletRequest, resolve)) {
            this.logger.trace("Did not process logout request since used incorrect binding");
            httpServletResponse.sendError(401);
            return;
        }
        Saml2LogoutValidatorResult validate = this.logoutRequestValidator.validate(new Saml2LogoutRequestValidatorParameters(Saml2LogoutRequest.withRelyingPartyRegistration(resolve).samlRequest(httpServletRequest.getParameter(Saml2ParameterNames.SAML_REQUEST)).relayState(httpServletRequest.getParameter("RelayState")).binding(resolve.getSingleLogoutServiceBinding()).location(resolve.getSingleLogoutServiceLocation()).parameters(map -> {
            map.put(Saml2ParameterNames.SIG_ALG, httpServletRequest.getParameter(Saml2ParameterNames.SIG_ALG));
        }).parameters(map2 -> {
            map2.put("Signature", httpServletRequest.getParameter("Signature"));
        }).build(), resolve, authentication));
        if (validate.hasErrors()) {
            httpServletResponse.sendError(401, validate.getErrors().iterator().next().toString());
            this.logger.debug(LogMessage.format("Failed to validate LogoutRequest: %s", validate.getErrors()));
            return;
        }
        this.handler.logout(httpServletRequest, httpServletResponse, authentication);
        Saml2LogoutResponse resolve2 = this.logoutResponseResolver.resolve(httpServletRequest, authentication);
        if (resolve2 == null) {
            this.logger.trace("Returning 401 since no logout response generated");
            httpServletResponse.setStatus(401);
        } else if (resolve2.getBinding() == Saml2MessageBinding.REDIRECT) {
            doRedirect(httpServletRequest, httpServletResponse, resolve2);
        } else {
            doPost(httpServletResponse, resolve2);
        }
    }

    public void setLogoutRequestMatcher(RequestMatcher requestMatcher) {
        Assert.notNull(requestMatcher, "logoutRequestMatcher cannot be null");
        this.logoutRequestMatcher = requestMatcher;
    }

    private String getRegistrationId(Authentication authentication) {
        if (authentication == null) {
            return null;
        }
        Object principal = authentication.getPrincipal();
        if (principal instanceof Saml2AuthenticatedPrincipal) {
            return ((Saml2AuthenticatedPrincipal) principal).getRelyingPartyRegistrationId();
        }
        return null;
    }

    private boolean isCorrectBinding(HttpServletRequest httpServletRequest, RelyingPartyRegistration relyingPartyRegistration) {
        return relyingPartyRegistration.getSingleLogoutServiceBinding() == Saml2MessageBinding.POST ? "POST".equals(httpServletRequest.getMethod()) : "GET".equals(httpServletRequest.getMethod());
    }

    private void doRedirect(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Saml2LogoutResponse saml2LogoutResponse) throws IOException {
        UriComponentsBuilder fromUriString = UriComponentsBuilder.fromUriString(saml2LogoutResponse.getResponseLocation());
        Objects.requireNonNull(saml2LogoutResponse);
        addParameter(Saml2ParameterNames.SAML_RESPONSE, saml2LogoutResponse::getParameter, fromUriString);
        Objects.requireNonNull(saml2LogoutResponse);
        addParameter("RelayState", saml2LogoutResponse::getParameter, fromUriString);
        Objects.requireNonNull(saml2LogoutResponse);
        addParameter(Saml2ParameterNames.SIG_ALG, saml2LogoutResponse::getParameter, fromUriString);
        Objects.requireNonNull(saml2LogoutResponse);
        addParameter("Signature", saml2LogoutResponse::getParameter, fromUriString);
        this.redirectStrategy.sendRedirect(httpServletRequest, httpServletResponse, fromUriString.build(true).toUriString());
    }

    private void addParameter(String str, Function<String, String> function, UriComponentsBuilder uriComponentsBuilder) {
        Assert.hasText(str, "name cannot be empty or null");
        if (StringUtils.hasText(function.apply(str))) {
            uriComponentsBuilder.queryParam(UriUtils.encode(str, StandardCharsets.ISO_8859_1), UriUtils.encode(function.apply(str), StandardCharsets.ISO_8859_1));
        }
    }

    private void doPost(HttpServletResponse httpServletResponse, Saml2LogoutResponse saml2LogoutResponse) throws IOException {
        String createSamlPostRequestFormData = createSamlPostRequestFormData(saml2LogoutResponse.getResponseLocation(), saml2LogoutResponse.getSamlResponse(), saml2LogoutResponse.getRelayState());
        httpServletResponse.setContentType("text/html");
        httpServletResponse.getWriter().write(createSamlPostRequestFormData);
    }

    private String createSamlPostRequestFormData(String str, String str2, String str3) {
        StringBuilder sb = new StringBuilder();
        sb.append("<!DOCTYPE html>\n");
        sb.append("<html>\n").append("    <head>\n");
        sb.append("        <meta charset=\"utf-8\" />\n");
        sb.append("    </head>\n");
        sb.append("    <body onload=\"document.forms[0].submit()\">\n");
        sb.append("        <noscript>\n");
        sb.append("            <p>\n");
        sb.append("                <strong>Note:</strong> Since your browser does not support JavaScript,\n");
        sb.append("                you must press the Continue button once to proceed.\n");
        sb.append("            </p>\n");
        sb.append("        </noscript>\n");
        sb.append("        \n");
        sb.append("        <form action=\"");
        sb.append(str);
        sb.append("\" method=\"post\">\n");
        sb.append("            <div>\n");
        sb.append("                <input type=\"hidden\" name=\"SAMLResponse\" value=\"");
        sb.append(HtmlUtils.htmlEscape(str2));
        sb.append("\"/>\n");
        if (StringUtils.hasText(str3)) {
            sb.append("                <input type=\"hidden\" name=\"RelayState\" value=\"");
            sb.append(HtmlUtils.htmlEscape(str3));
            sb.append("\"/>\n");
        }
        sb.append("            </div>\n");
        sb.append("            <noscript>\n");
        sb.append("                <div>\n");
        sb.append("                    <input type=\"submit\" value=\"Continue\"/>\n");
        sb.append("                </div>\n");
        sb.append("            </noscript>\n");
        sb.append("        </form>\n");
        sb.append("        \n");
        sb.append("    </body>\n");
        sb.append("</html>");
        return sb.toString();
    }
}
