package org.springframework.security.saml2.provider.service.web.authentication.logout;

import jakarta.servlet.http.HttpServletRequest;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import net.shibboleth.utilities.java.support.xml.ParserPool;
import org.opensaml.core.config.ConfigurationService;
import org.opensaml.core.xml.config.XMLObjectProviderRegistry;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.impl.LogoutRequestUnmarshaller;
import org.springframework.http.HttpMethod;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.web.server.DefaultServerOAuth2AuthorizationRequestResolver;
import org.springframework.security.saml2.Saml2Exception;
import org.springframework.security.saml2.core.OpenSamlInitializationService;
import org.springframework.security.saml2.core.Saml2Error;
import org.springframework.security.saml2.core.Saml2ErrorCodes;
import org.springframework.security.saml2.core.Saml2ParameterNames;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException;
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest;
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequestValidatorParameters;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationPlaceholderResolvers;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;

/* loaded from: input_file:BOOT-INF/lib/spring-security-saml2-service-provider-6.3.7.jar:org/springframework/security/saml2/provider/service/web/authentication/logout/OpenSamlLogoutRequestValidatorParametersResolver.class */
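/**
 * Resolves the {@link Saml2LogoutRequestValidatorParameters} for an incoming SAML 2.0
 * {@code LogoutRequest} using OpenSAML for deserialization.
 * <p>
 * The relying-party registration is located, in order, by the {@code registrationId} URI
 * variable, by the registration id of a {@link Saml2AuthenticatedPrincipal} on the current
 * authentication, or — when neither is available — by the {@code Issuer} of the incoming
 * message. In the last case the message is parsed before any signature check has taken
 * place, so the issuer is treated as untrusted input used only to look up a registration.
 */
public final class OpenSamlLogoutRequestValidatorParametersResolver
        implements Saml2LogoutRequestValidatorParametersResolver {

    static {
        // The constructor reads the OpenSAML registry (parser pool, unmarshaller factory),
        // so OpenSAML has to be bootstrapped before the first instance is created.
        OpenSamlInitializationService.initialize();
    }

    /**
     * Name of the URI template variable that carries the registration id in the default
     * request matcher. Declared here so the matcher pattern and the variable lookup in
     * {@link #getRegistrationId} cannot drift apart, and so this class does not depend on
     * a constant from another module.
     */
    private static final String REGISTRATION_ID_URI_VARIABLE = "registrationId";

    /** Matches the single-logout endpoint with or without a trailing registration id segment. */
    private RequestMatcher requestMatcher = new OrRequestMatcher(
            new AntPathRequestMatcher("/logout/saml2/slo/{" + REGISTRATION_ID_URI_VARIABLE + "}"),
            new AntPathRequestMatcher("/logout/saml2/slo"));

    private final RelyingPartyRegistrationRepository registrations;

    /** Shared parser pool taken from the OpenSAML registry; this class adds no configuration of its own. */
    private final ParserPool parserPool;

    private final LogoutRequestUnmarshaller unmarshaller;

    /**
     * Creates a resolver backed by the given registration repository.
     * @param relyingPartyRegistrationRepository source of {@link RelyingPartyRegistration}s
     * @throws IllegalArgumentException if the repository is {@code null}
     */
    public OpenSamlLogoutRequestValidatorParametersResolver(
            RelyingPartyRegistrationRepository relyingPartyRegistrationRepository) {
        Assert.notNull(relyingPartyRegistrationRepository, "relyingPartyRegistrationRepository cannot be null");
        this.registrations = relyingPartyRegistrationRepository;
        XMLObjectProviderRegistry registry = ConfigurationService.get(XMLObjectProviderRegistry.class);
        this.parserPool = registry.getParserPool();
        this.unmarshaller = (LogoutRequestUnmarshaller) XMLObjectProviderRegistrySupport.getUnmarshallerFactory()
                .getUnmarshaller(LogoutRequest.DEFAULT_ELEMENT_NAME);
    }

    /**
     * Resolves the validator parameters for the current request.
     * <p>
     * Returns {@code null} when the request carries no {@code SAMLRequest} parameter or does
     * not match the configured request matcher, so callers can treat it as "not a logout
     * request for this resolver". A registration that cannot be found by entity id also
     * yields {@code null}.
     * @param httpServletRequest the current request
     * @param authentication the current authentication, may be {@code null}
     * @return the resolved parameters, or {@code null} as described above
     * @throws Saml2AuthenticationException if an explicit registration id resolves to no
     * registration, or if the request had to be parsed and carries no {@code Issuer}
     * @throws Saml2Exception if the request had to be parsed and could not be deserialized
     */
    @Override
    public Saml2LogoutRequestValidatorParameters resolve(HttpServletRequest httpServletRequest,
            Authentication authentication) {
        if (httpServletRequest.getParameter(Saml2ParameterNames.SAML_REQUEST) == null) {
            return null;
        }
        RequestMatcher.MatchResult result = this.requestMatcher.matcher(httpServletRequest);
        if (!result.isMatch()) {
            return null;
        }
        String registrationId = getRegistrationId(result, authentication);
        if (registrationId == null) {
            return logoutRequestByEntityId(httpServletRequest, authentication);
        }
        return logoutRequestById(httpServletRequest, authentication, registrationId);
    }

    /**
     * Replaces the matcher that decides which requests this resolver handles.
     * @param requestMatcher the matcher to use
     * @throws IllegalArgumentException if {@code requestMatcher} is {@code null}
     */
    public void setRequestMatcher(RequestMatcher requestMatcher) {
        Assert.notNull(requestMatcher, "requestMatcher cannot be null");
        this.requestMatcher = requestMatcher;
    }

    /**
     * Picks the registration id from the URI variable first, then from a
     * {@link Saml2AuthenticatedPrincipal} on the authentication.
     * @return the registration id, or {@code null} if neither source provides one
     */
    private String getRegistrationId(RequestMatcher.MatchResult matchResult, Authentication authentication) {
        String fromPath = matchResult.getVariables().get(REGISTRATION_ID_URI_VARIABLE);
        if (fromPath != null) {
            return fromPath;
        }
        if (authentication == null) {
            return null;
        }
        Object principal = authentication.getPrincipal();
        if (principal instanceof Saml2AuthenticatedPrincipal) {
            return ((Saml2AuthenticatedPrincipal) principal).getRelyingPartyRegistrationId();
        }
        return null;
    }

    /**
     * Resolves by an explicit registration id.
     * @throws Saml2AuthenticationException if no registration exists for {@code registrationId}
     */
    private Saml2LogoutRequestValidatorParameters logoutRequestById(HttpServletRequest httpServletRequest,
            Authentication authentication, String registrationId) {
        RelyingPartyRegistration registration = this.registrations.findByRegistrationId(registrationId);
        if (registration == null) {
            // An explicit id that resolves to nothing is reported as an error, unlike the
            // entity-id path where a missing registration simply yields null.
            throw new Saml2AuthenticationException(
                    new Saml2Error(Saml2ErrorCodes.RELYING_PARTY_REGISTRATION_NOT_FOUND, "registration not found"),
                    "registration not found");
        }
        return logoutRequestByRegistration(httpServletRequest, registration, authentication);
    }

    /**
     * Resolves by the {@code Issuer} of the incoming {@code LogoutRequest}.
     * <p>
     * The message is decoded and parsed here solely to read its issuer. No signature or
     * content validation has happened at this point, so the issuer is attacker-controllable
     * and is used for nothing but the registration lookup.
     * @throws Saml2AuthenticationException if the parsed message has no usable {@code Issuer}
     * @throws Saml2Exception if the message cannot be deserialized
     */
    private Saml2LogoutRequestValidatorParameters logoutRequestByEntityId(HttpServletRequest httpServletRequest,
            Authentication authentication) {
        String encoded = httpServletRequest.getParameter(Saml2ParameterNames.SAML_REQUEST);
        byte[] decoded = Saml2Utils.samlDecode(encoded);
        LogoutRequest logoutRequest = parse(inflateIfRequired(httpServletRequest, decoded));
        if (logoutRequest.getIssuer() == null || logoutRequest.getIssuer().getValue() == null) {
            // Without an Issuer there is nothing to look a registration up by; fail as a
            // malformed request rather than letting a NullPointerException escape.
            throw new Saml2AuthenticationException(
                    new Saml2Error(Saml2ErrorCodes.INVALID_REQUEST, "LogoutRequest has no Issuer"),
                    "LogoutRequest has no Issuer");
        }
        String issuer = logoutRequest.getIssuer().getValue();
        RelyingPartyRegistration registration = this.registrations.findUniqueByAssertingPartyEntityId(issuer);
        return logoutRequestByRegistration(httpServletRequest, registration, authentication);
    }

    /**
     * Builds the parameters for a located registration, after resolving any URI placeholders
     * in the registration against the current request.
     * @return the parameters, or {@code null} if {@code relyingPartyRegistration} is {@code null}
     */
    private Saml2LogoutRequestValidatorParameters logoutRequestByRegistration(HttpServletRequest httpServletRequest,
            RelyingPartyRegistration relyingPartyRegistration, Authentication authentication) {
        if (relyingPartyRegistration == null) {
            return null;
        }
        Saml2MessageBinding binding = Saml2MessageBindingUtils.resolveBinding(httpServletRequest);
        RelyingPartyRegistration registration = fromRequest(httpServletRequest, relyingPartyRegistration);
        Saml2LogoutRequest logoutRequest = Saml2LogoutRequest.withRelyingPartyRegistration(registration)
                .samlRequest(httpServletRequest.getParameter(Saml2ParameterNames.SAML_REQUEST))
                .relayState(httpServletRequest.getParameter(Saml2ParameterNames.RELAY_STATE))
                .binding(binding)
                .location(registration.getSingleLogoutServiceLocation())
                .parameters((params) -> params.put(Saml2ParameterNames.SIG_ALG,
                        httpServletRequest.getParameter(Saml2ParameterNames.SIG_ALG)))
                .parameters((params) -> params.put(Saml2ParameterNames.SIGNATURE,
                        httpServletRequest.getParameter(Saml2ParameterNames.SIGNATURE)))
                // The raw query string is carried along untouched; presumably so a redirect-binding
                // signature can later be checked over the exact encoded bytes — confirm in the validator.
                .parametersQuery((params) -> httpServletRequest.getQueryString())
                .build();
        return new Saml2LogoutRequestValidatorParameters(logoutRequest, registration, authentication);
    }

    /**
     * Turns the decoded bytes into the message text: a GET (redirect binding) carries a
     * DEFLATE-compressed payload, anything else carries the UTF-8 XML directly.
     */
    private String inflateIfRequired(HttpServletRequest httpServletRequest, byte[] decoded) {
        if (HttpMethod.GET.matches(httpServletRequest.getMethod())) {
            return Saml2Utils.samlInflate(decoded);
        }
        return new String(decoded, StandardCharsets.UTF_8);
    }

    /**
     * Deserializes a {@code LogoutRequest} document with the shared OpenSAML parser pool and
     * unmarshaller. Parser hardening (DTD/external-entity handling, size limits) is whatever
     * the pool obtained from the OpenSAML registry was configured with; nothing is added here.
     * @param xml the message text, not yet validated in any way
     * @throws Saml2Exception wrapping any parsing or unmarshalling failure
     */
    private LogoutRequest parse(String xml) throws Saml2Exception {
        try {
            return (LogoutRequest) this.unmarshaller.unmarshall(this.parserPool
                    .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                    .getDocumentElement());
        }
        catch (Exception ex) {
            // Parser and unmarshaller failures are both surfaced as a single Saml2Exception, cause attached.
            throw new Saml2Exception("Failed to deserialize LogoutRequest", ex);
        }
    }

    /**
     * Returns a copy of the registration whose entity id and single-logout locations have had
     * their URI placeholders resolved against the current request.
     */
    private RelyingPartyRegistration fromRequest(HttpServletRequest httpServletRequest,
            RelyingPartyRegistration relyingPartyRegistration) {
        RelyingPartyRegistrationPlaceholderResolvers.UriResolver uriResolver = RelyingPartyRegistrationPlaceholderResolvers
                .uriResolver(httpServletRequest, relyingPartyRegistration);
        String entityId = uriResolver.resolve(relyingPartyRegistration.getEntityId());
        String sloLocation = uriResolver.resolve(relyingPartyRegistration.getSingleLogoutServiceLocation());
        String sloResponseLocation = uriResolver
                .resolve(relyingPartyRegistration.getSingleLogoutServiceResponseLocation());
        return relyingPartyRegistration.mutate()
                .entityId(entityId)
                .singleLogoutServiceLocation(sloLocation)
                .singleLogoutServiceResponseLocation(sloResponseLocation)
                .build();
    }

}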
