package org.springframework.security.saml2.provider.service.authentication.logout;

import java.util.Collection;
import java.util.function.Consumer;
import org.opensaml.core.config.ConfigurationService;
import org.opensaml.core.xml.config.XMLObjectProviderRegistry;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.saml.saml2.core.LogoutResponse;
import org.opensaml.saml.saml2.core.StatusCode;
import org.opensaml.saml.saml2.core.impl.LogoutResponseUnmarshaller;
import org.springframework.security.saml2.core.OpenSamlInitializationService;
import org.springframework.security.saml2.core.Saml2Error;
import org.springframework.security.saml2.core.Saml2ErrorCodes;
import org.springframework.security.saml2.provider.service.authentication.logout.OpenSamlOperations;
import org.springframework.security.saml2.provider.service.registration.AssertingPartyMetadata;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;

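@Deprecated
/* loaded from: input_file:BOOT-INF/lib/spring-security-saml2-service-provider-6.5.1.jar:org/springframework/security/saml2/provider/service/authentication/logout/OpenSamlLogoutResponseValidator.class */
/**
 * Validates a SAML 2.0 {@code LogoutResponse} sent by the asserting party.
 *
 * <p>The encoded response is decoded (and inflated for the REDIRECT binding), deserialized
 * with OpenSAML, and then checked for: a valid signature against the asserting party's
 * verification credentials, an {@code Issuer} matching the configured entity id, a
 * {@code Destination} matching the configured single-logout response location, a
 * non-failure {@code Status}, and an {@code InResponseTo} matching the id of the
 * {@code LogoutRequest} this response answers. All failures are collected into the returned
 * {@link Saml2LogoutValidatorResult} rather than thrown.
 *
 * <p>This class is marked {@code @Deprecated}; the intended replacement is not visible here.
 * Instances hold no mutable state after construction.
 */
public class OpenSamlLogoutResponseValidator implements Saml2LogoutResponseValidator {

    private final OpenSamlOperations saml = new OpenSaml4Template();

    // Kept for parity with the original; not read by any method in this class.
    private final XMLObjectProviderRegistry registry = (XMLObjectProviderRegistry) ConfigurationService
            .get(XMLObjectProviderRegistry.class);

    private final LogoutResponseUnmarshaller unmarshaller = (LogoutResponseUnmarshaller) XMLObjectProviderRegistrySupport
            .getUnmarshallerFactory()
            .getUnmarshaller(LogoutResponse.DEFAULT_ELEMENT_NAME);

    static {
        // Must run before the instance field initializers above touch the OpenSAML
        // ConfigurationService / registry (presumably they require a bootstrapped OpenSAML).
        OpenSamlInitializationService.initialize();
    }

    /**
     * Decodes and validates the logout response described by {@code parameters}.
     *
     * @param parameters the encoded response, the logout request it answers, and the
     *                   relying party registration to validate against
     * @return a result whose errors are empty when every check passed
     * @throws NullPointerException if {@code parameters.getLogoutRequest()} is {@code null};
     *                              a stored request is expected to be present
     */
    @Override
    public Saml2LogoutValidatorResult validate(Saml2LogoutResponseValidatorParameters parameters) {
        Saml2LogoutResponse response = parameters.getLogoutResponse();
        Saml2LogoutRequest request = parameters.getLogoutRequest();
        RelyingPartyRegistration registration = parameters.getRelyingPartyRegistration();
        // Only the REDIRECT binding carries a DEFLATE-compressed payload; POST is base64 only.
        LogoutResponse logoutResponse = (LogoutResponse) this.saml.deserialize(Saml2Utils
                .withEncoded(response.getSamlResponse())
                .inflate(response.getBinding() == Saml2MessageBinding.REDIRECT)
                .decode());
        return Saml2LogoutValidatorResult.withErrors(new Saml2Error[0])
                .errors(verifySignature(response, logoutResponse, registration))
                .errors(validateRequest(logoutResponse, registration))
                .errors(validateLogoutRequest(logoutResponse, request.getId()))
                .build();
    }

    /**
     * Verifies the response signature using the asserting party's verification credentials.
     *
     * <p>If the deserialized XML carries a signature it is verified directly. Otherwise the
     * signature is looked for on the transport parameters the response arrived with (the
     * REDIRECT binding's query string), via {@code RedirectParameters}. Whether an unsigned
     * response on a non-REDIRECT binding yields an error is decided inside
     * {@code OpenSaml4Template}, not here.
     */
    private Consumer<Collection<Saml2Error>> verifySignature(Saml2LogoutResponse response,
            LogoutResponse logoutResponse, RelyingPartyRegistration registration) {
        return errors -> {
            AssertingPartyMetadata assertingParty = registration.getAssertingPartyMetadata();
            OpenSamlOperations.VerificationConfigurer verifier = this.saml
                    .withVerificationKeys(assertingParty.getVerificationX509Credentials())
                    .entityId(assertingParty.getEntityId());
            if (logoutResponse.isSigned()) {
                errors.addAll(verifier.verify(logoutResponse));
                return;
            }
            OpenSamlOperations.VerificationConfigurer.RedirectParameters redirectParameters =
                    new OpenSamlOperations.VerificationConfigurer.RedirectParameters(
                            response.getParameters(), response.getParametersQuery(), logoutResponse);
            errors.addAll(verifier.verify(redirectParameters));
        };
    }

    /** Runs the issuer, destination and status checks in that order. */
    private Consumer<Collection<Saml2Error>> validateRequest(LogoutResponse logoutResponse,
            RelyingPartyRegistration registration) {
        return errors -> {
            validateIssuer(logoutResponse, registration).accept(errors);
            validateDestination(logoutResponse, registration).accept(errors);
            validateStatus(logoutResponse).accept(errors);
        };
    }

    /**
     * Requires an {@code Issuer} whose value equals the asserting party's configured entity id.
     *
     * <p>An {@code Issuer} element with no value is reported as an {@code INVALID_ISSUER}
     * error instead of surfacing as a {@code NullPointerException}.
     */
    private Consumer<Collection<Saml2Error>> validateIssuer(LogoutResponse logoutResponse,
            RelyingPartyRegistration registration) {
        return errors -> {
            if (logoutResponse.getIssuer() == null) {
                errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_ISSUER,
                        "Failed to find issuer in LogoutResponse"));
                return;
            }
            String issuer = logoutResponse.getIssuer().getValue();
            String expected = registration.getAssertingPartyMetadata().getEntityId();
            if (issuer == null || !issuer.equals(expected)) {
                errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_ISSUER,
                        "Failed to match issuer to configured issuer"));
            }
        };
    }

    /**
     * Requires a {@code Destination} equal to the registration's single-logout response
     * location; a missing destination or a mismatch is an {@code INVALID_DESTINATION} error.
     */
    private Consumer<Collection<Saml2Error>> validateDestination(LogoutResponse logoutResponse,
            RelyingPartyRegistration registration) {
        return errors -> {
            String destination = logoutResponse.getDestination();
            if (destination == null) {
                errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_DESTINATION,
                        "Failed to find destination in LogoutResponse"));
                return;
            }
            if (!destination.equals(registration.getSingleLogoutServiceResponseLocation())) {
                errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_DESTINATION,
                        "Failed to match destination to configured destination"));
            }
        };
    }

    /**
     * Reports an {@code INVALID_RESPONSE} error when the response carries a status code other
     * than {@code Success} or {@code PartialLogout}.
     *
     * <p>NOTE(review): a response with no {@code Status} or no {@code StatusCode} is accepted
     * without error; this preserves the original behaviour and is not tightened here.
     */
    private Consumer<Collection<Saml2Error>> validateStatus(LogoutResponse logoutResponse) {
        return errors -> {
            if (logoutResponse.getStatus() == null || logoutResponse.getStatus().getStatusCode() == null) {
                return;
            }
            String code = logoutResponse.getStatus().getStatusCode().getValue();
            if (StatusCode.SUCCESS.equals(code) || StatusCode.PARTIAL_LOGOUT.equals(code)) {
                return;
            }
            errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_RESPONSE, "Response indicated logout failed"));
        };
    }

    /**
     * Requires {@code InResponseTo}, when present, to equal the id of the logout request this
     * response answers. A response without {@code InResponseTo} is accepted (original
     * behaviour preserved).
     *
     * @param expectedRequestId the id of the stored {@code LogoutRequest}
     */
    private Consumer<Collection<Saml2Error>> validateLogoutRequest(LogoutResponse logoutResponse,
            String expectedRequestId) {
        return errors -> {
            String inResponseTo = logoutResponse.getInResponseTo();
            if (inResponseTo == null || inResponseTo.equals(expectedRequestId)) {
                return;
            }
            errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_RESPONSE,
                    "LogoutResponse InResponseTo doesn't match ID of associated LogoutRequest"));
        };
    }
}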
