package pl.edu.icm.unity.saml.slo;

import eu.emi.security.authn.x509.X509Credential;
import eu.unicore.samly2.SAMLConstants;
import eu.unicore.samly2.binding.SAMLMessageType;
import eu.unicore.samly2.elements.NameID;
import eu.unicore.samly2.exceptions.SAMLErrorResponseException;
import eu.unicore.samly2.exceptions.SAMLResponderException;
import eu.unicore.samly2.exceptions.SAMLValidationException;
import eu.unicore.samly2.messages.SAMLMessage;
import eu.unicore.samly2.proto.AbstractSAMLMessage;
import eu.unicore.samly2.proto.LogoutRequest;
import eu.unicore.samly2.slo.LogoutResponseValidator;
import eu.unicore.security.dsig.DSigException;
import eu.unicore.security.wsutil.samlclient.SAMLLogoutClient;
import eu.unicore.util.httpclient.DefaultClientConfiguration;
import eu.unicore.util.httpclient.IClientConfiguration;
import io.imunity.vaadin.endpoint.common.EopException;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.apache.logging.log4j.Logger;
import org.apache.xmlbeans.XmlException;
import pl.edu.icm.unity.base.exceptions.EngineException;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.PKIManagement;
import pl.edu.icm.unity.saml.SAMLEndpointDefinition;
import pl.edu.icm.unity.saml.SAMLProcessingException;
import pl.edu.icm.unity.saml.SAMLSessionParticipant;
import pl.edu.icm.unity.saml.SamlProperties;
import xmlbeans.org.oasis.saml2.assertion.NameIDType;
import xmlbeans.org.oasis.saml2.protocol.LogoutRequestDocument;
import xmlbeans.org.oasis.saml2.protocol.LogoutResponseDocument;
import xmlbeans.org.oasis.saml2.protocol.StatusType;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:pl/edu/icm/unity/saml/slo/InternalLogoutProcessor.class */
public class InternalLogoutProcessor {
    private static final Logger log = Log.getLogger("unity.server.saml", InternalLogoutProcessor.class);
    private static final long DEF_LOGOUT_REQ_VALIDITY = 60000;
    private PKIManagement pkiManagement;
    private LogoutContextsStore contextsStore;
    private SLOAsyncMessageHandler responseHandler;
    private String consumerEndpointUri;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:pl/edu/icm/unity/saml/slo/InternalLogoutProcessor$InterimLogoutRequest.class */
    public static class InterimLogoutRequest {
        final SamlRoutableSignableMessage<LogoutRequestDocument> request;
        final SAMLEndpointDefinition endpoint;

        InterimLogoutRequest(SamlRoutableSignableMessage<LogoutRequestDocument> samlRoutableSignableMessage, SAMLEndpointDefinition sAMLEndpointDefinition) {
            this.request = samlRoutableSignableMessage;
            this.endpoint = sAMLEndpointDefinition;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public InternalLogoutProcessor(PKIManagement pKIManagement, LogoutContextsStore logoutContextsStore, SLOAsyncMessageHandler sLOAsyncMessageHandler, String str) {
        this.pkiManagement = pKIManagement;
        this.contextsStore = logoutContextsStore;
        this.responseHandler = sLOAsyncMessageHandler;
        this.consumerEndpointUri = str;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void continueAsyncLogout(SAMLInternalLogoutContext sAMLInternalLogoutContext, HttpServletResponse httpServletResponse) throws IOException, EopException {
        InterimLogoutRequest selectNextAsyncParticipantForLogout = selectNextAsyncParticipantForLogout(sAMLInternalLogoutContext);
        if (selectNextAsyncParticipantForLogout != null) {
            log.info("Logging out participant in async mode: {}", selectNextAsyncParticipantForLogout.endpoint);
            sendRequest(selectNextAsyncParticipantForLogout, httpServletResponse);
        } else {
            logoutSynchronousParticipants(sAMLInternalLogoutContext);
            log.info("Async logout process of session peers is completed");
            this.contextsStore.removeInternalContext(sAMLInternalLogoutContext.getRelayState());
            sAMLInternalLogoutContext.getFinishCallback().finished(httpServletResponse, sAMLInternalLogoutContext);
        }
    }

    private void sendRequest(InterimLogoutRequest interimLogoutRequest, HttpServletResponse httpServletResponse) throws IOException, EopException {
        try {
            this.responseHandler.sendRequest(interimLogoutRequest.endpoint.getBinding(), interimLogoutRequest.request, httpServletResponse);
        } catch (DSigException e) {
            log.error("Can't sign SLO request to subsequent part, likely configuration problem", e);
            throw new IOException("Error signing SLO request to subsequent peer", e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void logoutSynchronousParticipants(SAMLInternalLogoutContext sAMLInternalLogoutContext) {
        Iterator<SAMLSessionParticipant> it = sAMLInternalLogoutContext.getToBeLoggedOut().iterator();
        while (it.hasNext()) {
            SAMLSessionParticipant next = it.next();
            SAMLEndpointDefinition sAMLEndpointDefinition = next.getLogoutEndpoints().get(SamlProperties.Binding.SOAP);
            if (sAMLEndpointDefinition != null) {
                it.remove();
                try {
                    log.info("Logging out participant via SOAP: " + next);
                    LogoutRequest createSignedLogoutRequest = createSignedLogoutRequest(next, sAMLEndpointDefinition);
                    updateContextAfterParicipantLogout(sAMLInternalLogoutContext, next, new SAMLLogoutClient(sAMLEndpointDefinition.getUrl(), createSoapClientConfig(next)).logout(createSignedLogoutRequest.getXMLBeanDoc()));
                } catch (Exception e) {
                    log.warn("Logging out the participant " + next + " via SOAP failed", e);
                    sAMLInternalLogoutContext.getFailed().add(next);
                }
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void handleAsyncLogoutResponse(SAMLMessage<LogoutResponseDocument> sAMLMessage, HttpServletResponse httpServletResponse) throws IOException, EopException {
        if (sAMLMessage.relayState == null) {
            this.responseHandler.showError(new SAMLProcessingException("A logout response was received without relay state. It can not be processed."), httpServletResponse);
            return;
        }
        SAMLInternalLogoutContext internalContext = this.contextsStore.getInternalContext(sAMLMessage.relayState);
        if (internalContext == null) {
            this.responseHandler.showError(new SAMLProcessingException("A logout response was received with invalid relay state. It can not be processed."), httpServletResponse);
            return;
        }
        SAMLSessionParticipant current = internalContext.getCurrent();
        if (current == null || internalContext.getCurrentRequestId() == null) {
            this.responseHandler.showError(new SAMLProcessingException("A logout response was received associated with invalid logout process. It can not be processed."), httpServletResponse);
            return;
        }
        try {
            List<PublicKey> signingKeysForCurrentParticipant = getSigningKeysForCurrentParticipant(current);
            try {
                new LogoutResponseValidator(this.consumerEndpointUri, internalContext.getCurrentRequestId(), nameIDType -> {
                    return getSigningKeysForGivenParticipant(current.getIdentifier(), signingKeysForCurrentParticipant, nameIDType);
                }).validate(sAMLMessage.messageDocument, sAMLMessage.verifiableMessage);
            } catch (SAMLValidationException e) {
                this.responseHandler.showError(new SAMLProcessingException("An invalid logout response was received.", e), httpServletResponse);
                return;
            } catch (SAMLErrorResponseException e2) {
            }
            if (!sAMLMessage.messageDocument.getLogoutResponse().getIssuer().getStringValue().equals(current.getIdentifier())) {
                this.responseHandler.showError(new SAMLProcessingException("An invalid logout response was received - it is not matching the previous request."), httpServletResponse);
            } else {
                updateContextAfterParicipantLogout(internalContext, current, (LogoutResponseDocument) sAMLMessage.messageDocument);
                continueAsyncLogout(internalContext, httpServletResponse);
            }
        } catch (EngineException e3) {
            this.responseHandler.showError(new SAMLProcessingException("Internal error - can't establish valid signing keys for the session participant", e3), httpServletResponse);
        }
    }

    private List<PublicKey> getSigningKeysForCurrentParticipant(SAMLSessionParticipant sAMLSessionParticipant) throws EngineException {
        Set<String> participantsCertificates = sAMLSessionParticipant.getParticipantsCertificates();
        ArrayList arrayList = new ArrayList();
        Iterator<String> it = participantsCertificates.iterator();
        while (it.hasNext()) {
            arrayList.add(this.pkiManagement.getCertificate(it.next()).value.getPublicKey());
        }
        return arrayList;
    }

    private List<PublicKey> getSigningKeysForGivenParticipant(String str, List<PublicKey> list, NameIDType nameIDType) {
        if (!str.equals(nameIDType.getStringValue())) {
            return null;
        }
        if (nameIDType.getFormat() == null || nameIDType.getFormat().equals("urn:oasis:names:tc:SAML:2.0:nameid-format:entity")) {
            return list;
        }
        return null;
    }

    private InterimLogoutRequest selectNextAsyncParticipantForLogout(SAMLInternalLogoutContext sAMLInternalLogoutContext) throws IOException {
        SAMLSessionParticipant findNextForAsyncLogout;
        SAMLEndpointDefinition sAMLEndpointDefinition;
        AbstractSAMLMessage abstractSAMLMessage = null;
        do {
            findNextForAsyncLogout = findNextForAsyncLogout(sAMLInternalLogoutContext);
            if (findNextForAsyncLogout == null) {
                return null;
            }
            sAMLEndpointDefinition = findNextForAsyncLogout.getLogoutEndpoints().get(SamlProperties.Binding.HTTP_POST);
            if (sAMLEndpointDefinition == null) {
                sAMLEndpointDefinition = findNextForAsyncLogout.getLogoutEndpoints().get(SamlProperties.Binding.HTTP_REDIRECT);
            }
            if (sAMLEndpointDefinition == null) {
                log.warn("Can not prepare logout request for {} - no logout endpoint", findNextForAsyncLogout);
                sAMLInternalLogoutContext.getFailed().add(findNextForAsyncLogout);
            } else {
                try {
                    abstractSAMLMessage = createLogoutRequest(findNextForAsyncLogout, sAMLEndpointDefinition);
                    break;
                } catch (SAMLResponderException e) {
                    log.warn("Can not prepare logout request for " + findNextForAsyncLogout, e);
                    sAMLInternalLogoutContext.getFailed().add(findNextForAsyncLogout);
                }
            }
        } while (abstractSAMLMessage == null);
        sAMLInternalLogoutContext.setCurrent(findNextForAsyncLogout);
        sAMLInternalLogoutContext.setCurrentRequestId(abstractSAMLMessage.getXMLBean().getID());
        try {
            return new InterimLogoutRequest(new SamlRoutableSignableMessage(abstractSAMLMessage, this.pkiManagement.getCredential(findNextForAsyncLogout.getLocalCredentialName()), SAMLMessageType.SAMLRequest, sAMLInternalLogoutContext.getRelayState(), sAMLEndpointDefinition.getUrl()), sAMLEndpointDefinition);
        } catch (EngineException e2) {
            log.error("Can't get credential for signing request", e2);
            throw new IOException("Can't get credential for signing request", e2);
        }
    }

    private X509Credential getCredential(String str) throws SAMLResponderException {
        try {
            return this.pkiManagement.getCredential(str);
        } catch (EngineException e) {
            log.warn("Unable to extract credential {} to sign SLO request", str, e);
            throw new SAMLResponderException("Internal server error signing request.");
        }
    }

    private SAMLSessionParticipant findNextForAsyncLogout(SAMLInternalLogoutContext sAMLInternalLogoutContext) {
        Iterator<SAMLSessionParticipant> it = sAMLInternalLogoutContext.getToBeLoggedOut().iterator();
        while (it.hasNext()) {
            SAMLSessionParticipant next = it.next();
            if (next.getLogoutEndpoints().containsKey(SamlProperties.Binding.HTTP_POST) || next.getLogoutEndpoints().containsKey(SamlProperties.Binding.HTTP_REDIRECT)) {
                it.remove();
                return next;
            }
        }
        return null;
    }

    private NameIDType getIssuer(String str) {
        return new NameID(str, "urn:oasis:names:tc:SAML:2.0:nameid-format:entity").getXBean();
    }

    private LogoutRequest createLogoutRequest(SAMLSessionParticipant sAMLSessionParticipant, SAMLEndpointDefinition sAMLEndpointDefinition) throws SAMLResponderException {
        try {
            LogoutRequest logoutRequest = new LogoutRequest(getIssuer(sAMLSessionParticipant.getLocalSamlId()), NameIDType.Factory.parse(sAMLSessionParticipant.getPrincipalNameAtParticipant()));
            logoutRequest.setNotAfter(new Date(System.currentTimeMillis() + DEF_LOGOUT_REQ_VALIDITY));
            logoutRequest.setSessionIds(new String[]{sAMLSessionParticipant.getSessionIndex()});
            logoutRequest.getXMLBean().setDestination(sAMLEndpointDefinition.getUrl());
            return logoutRequest;
        } catch (XmlException e) {
            log.error("Can't parse a stored logged user's identity", e);
            throw new SAMLResponderException("Internal error");
        }
    }

    private LogoutRequest createSignedLogoutRequest(SAMLSessionParticipant sAMLSessionParticipant, SAMLEndpointDefinition sAMLEndpointDefinition) throws SAMLResponderException {
        LogoutRequest createLogoutRequest = createLogoutRequest(sAMLSessionParticipant, sAMLEndpointDefinition);
        X509Credential credential = getCredential(sAMLSessionParticipant.getLocalCredentialName());
        try {
            createLogoutRequest.sign(credential.getKey(), credential.getCertificateChain());
            return createLogoutRequest;
        } catch (DSigException e) {
            log.warn("Unable to sign SLO request", e);
            throw new SAMLResponderException("Internal server error signing request.");
        }
    }

    private void updateContextAfterParicipantLogout(SAMLInternalLogoutContext sAMLInternalLogoutContext, SAMLSessionParticipant sAMLSessionParticipant, LogoutResponseDocument logoutResponseDocument) {
        StatusType status = logoutResponseDocument.getLogoutResponse().getStatus();
        if (SAMLConstants.Status.STATUS_OK.toString().equals(status.getStatusCode().getValue())) {
            log.info("Successful logout of participant " + sAMLSessionParticipant);
            sAMLInternalLogoutContext.getLoggedOut().add(sAMLSessionParticipant);
        } else {
            log.warn("Logging out the participant " + sAMLSessionParticipant + " failed, received status is: " + status.getStatusCode().getValue() + " - " + status.getStatusMessage() + " " + status.getStatusDetail());
            sAMLInternalLogoutContext.getFailed().add(sAMLSessionParticipant);
        }
        sAMLInternalLogoutContext.setCurrent(null);
        sAMLInternalLogoutContext.setCurrentRequestId(null);
    }

    private IClientConfiguration createSoapClientConfig(SAMLSessionParticipant sAMLSessionParticipant) throws EngineException {
        return new DefaultClientConfiguration(this.pkiManagement.getMainAuthnAndTrust().getValidator(), this.pkiManagement.getCredential(sAMLSessionParticipant.getLocalCredentialName()));
    }
}
