package edu.internet2.middleware.shibboleth.idp.profile.saml2;

import edu.internet2.middleware.shibboleth.common.profile.ProfileException;
import edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext;
import edu.internet2.middleware.shibboleth.common.relyingparty.provider.AbstractSAMLProfileConfiguration;
import edu.internet2.middleware.shibboleth.common.relyingparty.provider.saml2.LogoutRequestConfiguration;
import edu.internet2.middleware.shibboleth.common.session.SessionManager;
import edu.internet2.middleware.shibboleth.idp.session.Session;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.util.List;
import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.velocity.Template;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.joda.time.DateTime;
import org.opensaml.common.SAMLObjectBuilder;
import org.opensaml.common.binding.BasicEndpointSelector;
import org.opensaml.common.binding.decoding.SAMLMessageDecoder;
import org.opensaml.saml2.common.Extensions;
import org.opensaml.saml2.core.LogoutRequest;
import org.opensaml.saml2.core.LogoutResponse;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.Status;
import org.opensaml.saml2.metadata.Endpoint;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.SingleLogoutService;
import org.opensaml.samlext.saml2aslo.Asynchronous;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.ws.transport.InTransport;
import org.opensaml.ws.transport.http.HTTPInTransport;
import org.opensaml.ws.transport.http.HTTPOutTransport;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.util.DatatypeHelper;
import org.owasp.esapi.ESAPI;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:edu/internet2/middleware/shibboleth/idp/profile/saml2/SLOProfileHandler.class */
public class SLOProfileHandler extends AbstractSAML2ProfileHandler {
    public static final String LOCAL_LOGOUT_BINDING = "urn:mace:shibboleth:2.0:profiles:LocalLogout";
    public static final String HTTP_LOGOUT_BINDING_ATTRIBUTE = "ShibbolethLogoutSession";
    private final String soapFaultResponseMessage = "<env:Envelope xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\"> <env:Body> <env:Fault> <faultcode>env:Client</faultcode> <faultstring>An error occurred processing the request.</faultstring> <detail/> </env:Fault> </env:Body></env:Envelope>";
    private final Logger log = LoggerFactory.getLogger(SLOProfileHandler.class);
    private final SAMLObjectBuilder<SingleLogoutService> sloServiceBuilder;
    private final SAMLObjectBuilder<LogoutResponse> responseBuilder;
    private VelocityEngine velocity;
    private String templatePath;

    /* loaded from: input_file:edu/internet2/middleware/shibboleth/idp/profile/saml2/SLOProfileHandler$SLORequestContext.class */
    public class SLORequestContext extends BaseSAML2ProfileRequestContext<LogoutRequest, LogoutResponse, LogoutRequestConfiguration> {
        private boolean async;

        public SLORequestContext() {
        }

        public boolean isAsynchronous() {
            return this.async;
        }

        public void setAsynchronous(boolean z) {
            this.async = z;
        }
    }

    public SLOProfileHandler(String str) {
        if (DatatypeHelper.isEmpty(str)) {
            throw new IllegalArgumentException("Logout template path may not be null");
        }
        this.templatePath = str;
        this.sloServiceBuilder = getBuilderFactory().getBuilder(SingleLogoutService.DEFAULT_ELEMENT_NAME);
        this.responseBuilder = getBuilderFactory().getBuilder(LogoutResponse.DEFAULT_ELEMENT_NAME);
    }

    public VelocityEngine getVelocityEngine() {
        return this.velocity;
    }

    public void setVelocityEngine(VelocityEngine velocityEngine) {
        this.velocity = velocityEngine;
    }

    public String getProfileId() {
        return "urn:mace:shibboleth:2.0:profiles:saml2:logout";
    }

    public void processRequest(HTTPInTransport hTTPInTransport, HTTPOutTransport hTTPOutTransport) throws ProfileException {
        if (getInboundBinding().equals(LOCAL_LOGOUT_BINDING)) {
            this.log.debug("Processing logout request");
            localLogout(null, hTTPInTransport, hTTPOutTransport);
        } else {
            this.log.debug("Processing incoming SAML LogoutRequest");
            processLogoutRequest(hTTPInTransport, hTTPOutTransport);
        }
    }

    protected void localLogout(Session session, HTTPInTransport hTTPInTransport, HTTPOutTransport hTTPOutTransport) throws ProfileException {
        HttpServletRequest wrappedRequest = ((HttpServletRequestAdapter) hTTPInTransport).getWrappedRequest();
        HttpServletResponse wrappedResponse = ((HttpServletResponseAdapter) hTTPOutTransport).getWrappedResponse();
        Session userSession = getUserSession((InTransport) hTTPInTransport);
        if (session != null) {
            this.log.info("Invalidating session identified by LogoutRequest: {}", session.getSessionID());
            destroySession(session);
        }
        if (userSession == null) {
            this.log.info("No session to invalidate from client request.");
        } else if (session == null || !DatatypeHelper.safeEquals(userSession.getSessionID(), session.getSessionID())) {
            this.log.info("Invalidating session identified from client request: {}", userSession.getSessionID());
            destroySession(userSession);
        }
        wrappedResponse.setContentType("text/html");
        wrappedResponse.setHeader("Cache-Control", "content=\"no-store,no-cache,must-revalidate\"");
        wrappedResponse.setHeader("Pragma", "no-cache");
        wrappedResponse.setHeader("Expires", "-1");
        if (this.velocity == null) {
            RequestDispatcher requestDispatcher = wrappedRequest.getRequestDispatcher(this.templatePath.startsWith("/") ? this.templatePath : "/" + this.templatePath);
            try {
                wrappedRequest.setAttribute(HTTP_LOGOUT_BINDING_ATTRIBUTE, userSession != null ? userSession : session);
                requestDispatcher.forward(wrappedRequest, wrappedResponse);
                return;
            } catch (Exception e) {
                throw new ProfileException("Could not dispatch to JSP page.", e);
            }
        }
        VelocityContext velocityContext = new VelocityContext();
        velocityContext.put("encoder", ESAPI.encoder());
        velocityContext.put("request", wrappedRequest);
        velocityContext.put("response", wrappedResponse);
        velocityContext.put("session", userSession != null ? userSession : session);
        try {
            Template template = this.velocity.getTemplate(this.templatePath);
            PrintWriter writer = wrappedResponse.getWriter();
            template.merge(velocityContext, writer);
            writer.flush();
        } catch (Exception e2) {
            this.log.error(e2.getMessage());
            throw new ProfileException("Error while processing logout template.", e2);
        }
    }

    protected void processLogoutRequest(HTTPInTransport hTTPInTransport, HTTPOutTransport hTTPOutTransport) throws ProfileException {
        LogoutResponse buildLogoutResponse;
        Status buildStatus;
        SLORequestContext sLORequestContext = new SLORequestContext();
        try {
            decodeRequest(sLORequestContext, hTTPInTransport, hTTPOutTransport);
        } catch (ProfileException e) {
            if (sLORequestContext.getPeerEntityEndpoint() == null) {
                if (sLORequestContext.isAsynchronous() || !getInboundBinding().equals("urn:oasis:names:tc:SAML:2.0:bindings:SOAP")) {
                    throw e;
                }
                this.log.debug("Returning SOAP fault", e);
                try {
                    hTTPOutTransport.setCharacterEncoding("UTF-8");
                    hTTPOutTransport.setHeader("Content-Type", "application/soap+xml");
                    hTTPOutTransport.setStatusCode(500);
                    OutputStreamWriter outputStreamWriter = new OutputStreamWriter(hTTPOutTransport.getOutgoingStream(), "UTF-8");
                    outputStreamWriter.write("<env:Envelope xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\"> <env:Body> <env:Fault> <faultcode>env:Client</faultcode> <faultstring>An error occurred processing the request.</faultstring> <detail/> </env:Fault> </env:Body></env:Envelope>");
                    outputStreamWriter.flush();
                    return;
                } catch (Exception e2) {
                    this.log.error("Error returning SOAP fault", e2);
                    return;
                }
            }
            if (sLORequestContext.getFailureStatus() == null) {
                sLORequestContext.setFailureStatus(buildStatus("urn:oasis:names:tc:SAML:2.0:status:Responder", null, e.getMessage()));
            }
            buildLogoutResponse = buildLogoutResponse(sLORequestContext, null);
        }
        if (sLORequestContext.getRelyingPartyConfiguration().getProfileConfiguration(getProfileId()) == null) {
            sLORequestContext.setFailureStatus(buildStatus("urn:oasis:names:tc:SAML:2.0:status:Responder", null, "SAML 2 SLO profile not configured"));
            String str = "SAML 2 SLO profile is not configured for relying party " + sLORequestContext.getInboundMessageIssuer();
            this.log.warn(str);
            throw new ProfileException(str);
        }
        checkSamlVersion(sLORequestContext);
        SessionManager sessionManager = getSessionManager();
        String sessionIndexFromNameID = getSessionIndexFromNameID((NameID) sLORequestContext.getSubjectNameIdentifier());
        this.log.debug("Querying SessionManager based on NameID '{}'", sessionIndexFromNameID);
        Session session = (Session) sessionManager.getSession(sessionIndexFromNameID);
        if (session == null) {
            this.log.info("LogoutRequest did not reference an active session.");
            buildStatus = buildStatus("urn:oasis:names:tc:SAML:2.0:status:Requester", "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal", null);
        } else if (!session.getServicesInformation().keySet().contains(sLORequestContext.getInboundMessageIssuer())) {
            session = null;
            this.log.warn("Requesting entity is not a participant in the referenced session.");
            buildStatus = buildStatus("urn:oasis:names:tc:SAML:2.0:status:Requester", "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal", null);
        } else if (getInboundBinding().equals("urn:oasis:names:tc:SAML:2.0:bindings:SOAP")) {
            buildStatus = session.getServicesInformation().keySet().size() > 1 ? buildStatus("urn:oasis:names:tc:SAML:2.0:status:Success", "urn:oasis:names:tc:SAML:2.0:status:PartialLogout", null) : buildStatus("urn:oasis:names:tc:SAML:2.0:status:Success", null, null);
        } else {
            Session userSession = getUserSession((InTransport) hTTPInTransport);
            if (userSession == null || DatatypeHelper.safeEquals(userSession.getSessionID(), session.getSessionID())) {
                buildStatus = session.getServicesInformation().keySet().size() > 1 ? buildStatus("urn:oasis:names:tc:SAML:2.0:status:Success", "urn:oasis:names:tc:SAML:2.0:status:PartialLogout", null) : buildStatus("urn:oasis:names:tc:SAML:2.0:status:Success", null, null);
            } else {
                session = null;
                this.log.warn("LogoutRequest referenced a session other than the client's current one.");
                buildStatus = buildStatus("urn:oasis:names:tc:SAML:2.0:status:Requester", "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal", null);
            }
        }
        if (!sLORequestContext.isAsynchronous()) {
            if (buildStatus.getStatusCode().getValue().equals("urn:oasis:names:tc:SAML:2.0:status:Success")) {
                this.log.info("Invalidating session identified by LogoutRequest: {}", session.getSessionID());
                destroySession(session);
                buildLogoutResponse = buildLogoutResponse(sLORequestContext, buildStatus);
            } else {
                sLORequestContext.setFailureStatus(buildStatus);
                buildLogoutResponse = buildLogoutResponse(sLORequestContext, null);
            }
            sLORequestContext.setOutboundSAMLMessage(buildLogoutResponse);
            sLORequestContext.setOutboundSAMLMessageId(buildLogoutResponse.getID());
            sLORequestContext.setOutboundSAMLMessageIssueInstant(buildLogoutResponse.getIssueInstant());
            encodeResponse(sLORequestContext);
            writeAuditLogEntry(sLORequestContext);
            return;
        }
        if (getInboundBinding().equals("urn:oasis:names:tc:SAML:2.0:bindings:SOAP")) {
            if (session != null) {
                this.log.info("Invalidating session identified by LogoutRequest: {}", session.getSessionID());
                destroySession(session);
            }
            try {
                hTTPOutTransport.setCharacterEncoding("UTF-8");
                hTTPOutTransport.setHeader("Content-Type", "text/plain");
                hTTPOutTransport.setStatusCode(200);
                new OutputStreamWriter(hTTPOutTransport.getOutgoingStream(), "UTF-8").flush();
            } catch (Exception e3) {
                this.log.error("Error returning empty response.", e3);
            }
        } else {
            localLogout(session, hTTPInTransport, hTTPOutTransport);
        }
        writeAuditLogEntry(sLORequestContext);
    }

    protected LogoutResponse buildLogoutResponse(SLORequestContext sLORequestContext, Status status) throws ProfileException {
        LogoutResponse buildObject = this.responseBuilder.buildObject();
        buildObject.setIssueInstant(new DateTime());
        populateStatusResponse(sLORequestContext, buildObject);
        if (status != null) {
            buildObject.setStatus(status);
        } else {
            buildObject.setStatus(sLORequestContext.getFailureStatus());
        }
        return buildObject;
    }

    protected void destroySession(Session session) {
        getSessionManager().destroySession(session.getSessionID());
    }

    @Override // edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler
    protected void populateSAMLMessageInformation(BaseSAMLProfileRequestContext baseSAMLProfileRequestContext) throws ProfileException {
        if (baseSAMLProfileRequestContext.getInboundSAMLMessage() instanceof LogoutRequest) {
            LogoutRequest inboundSAMLMessage = baseSAMLProfileRequestContext.getInboundSAMLMessage();
            baseSAMLProfileRequestContext.setPeerEntityId(inboundSAMLMessage.getIssuer().getValue());
            baseSAMLProfileRequestContext.setInboundSAMLMessageId(inboundSAMLMessage.getID());
            if (inboundSAMLMessage.getNameID() != null) {
                baseSAMLProfileRequestContext.setSubjectNameIdentifier(inboundSAMLMessage.getNameID());
            } else {
                if (inboundSAMLMessage.getEncryptedID() == null) {
                    throw new ProfileException("Incoming LogoutRequest did not contain SAML2 NameID.");
                }
                throw new ProfileException("Use of EncryptedID not supported in LogoutRequest.");
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler
    public void populateRelyingPartyInformation(BaseSAMLProfileRequestContext baseSAMLProfileRequestContext) throws ProfileException {
        super.populateRelyingPartyInformation(baseSAMLProfileRequestContext);
        EntityDescriptor peerEntityMetadata = baseSAMLProfileRequestContext.getPeerEntityMetadata();
        if (peerEntityMetadata != null) {
            baseSAMLProfileRequestContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
            baseSAMLProfileRequestContext.setPeerEntityRoleMetadata(peerEntityMetadata.getSPSSODescriptor("urn:oasis:names:tc:SAML:2.0:protocol"));
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler
    public void populateAssertingPartyInformation(BaseSAMLProfileRequestContext baseSAMLProfileRequestContext) throws ProfileException {
        super.populateAssertingPartyInformation(baseSAMLProfileRequestContext);
        EntityDescriptor localEntityMetadata = baseSAMLProfileRequestContext.getLocalEntityMetadata();
        if (localEntityMetadata != null) {
            baseSAMLProfileRequestContext.setLocalEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
            baseSAMLProfileRequestContext.setLocalEntityRoleMetadata(localEntityMetadata.getIDPSSODescriptor("urn:oasis:names:tc:SAML:2.0:protocol"));
        }
    }

    @Override // edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler
    protected Endpoint selectEndpoint(BaseSAMLProfileRequestContext baseSAMLProfileRequestContext) throws ProfileException {
        Endpoint selectEndpoint;
        if (getInboundBinding().equals("urn:oasis:names:tc:SAML:2.0:bindings:SOAP")) {
            selectEndpoint = (Endpoint) this.sloServiceBuilder.buildObject();
            selectEndpoint.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:SOAP");
        } else {
            BasicEndpointSelector basicEndpointSelector = new BasicEndpointSelector();
            basicEndpointSelector.setEndpointType(SingleLogoutService.DEFAULT_ELEMENT_NAME);
            basicEndpointSelector.setMetadataProvider(getMetadataProvider());
            basicEndpointSelector.setEntityMetadata(baseSAMLProfileRequestContext.getPeerEntityMetadata());
            basicEndpointSelector.setEntityRoleMetadata(baseSAMLProfileRequestContext.getPeerEntityRoleMetadata());
            basicEndpointSelector.setSamlRequest(baseSAMLProfileRequestContext.getInboundSAMLMessage());
            basicEndpointSelector.getSupportedIssuerBindings().addAll(getSupportedOutboundBindings());
            selectEndpoint = basicEndpointSelector.selectEndpoint();
        }
        return selectEndpoint;
    }

    @Override // edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler
    protected void populateProfileInformation(BaseSAMLProfileRequestContext baseSAMLProfileRequestContext) throws ProfileException {
        AbstractSAMLProfileConfiguration profileConfiguration = baseSAMLProfileRequestContext.getRelyingPartyConfiguration().getProfileConfiguration(getProfileId());
        if (profileConfiguration != null) {
            baseSAMLProfileRequestContext.setProfileConfiguration(profileConfiguration);
            baseSAMLProfileRequestContext.setOutboundMessageArtifactType(profileConfiguration.getOutboundArtifactType());
        }
        if (((SLORequestContext) baseSAMLProfileRequestContext).isAsynchronous()) {
            this.log.debug("No response requested, so skipping endpoint selection.");
            return;
        }
        Endpoint selectEndpoint = selectEndpoint(baseSAMLProfileRequestContext);
        if (selectEndpoint == null) {
            this.log.warn("No return endpoint available for relying party {}, treating LogoutRequest as Asynchronous", baseSAMLProfileRequestContext.getInboundMessageIssuer());
            ((SLORequestContext) baseSAMLProfileRequestContext).setAsynchronous(true);
        }
        baseSAMLProfileRequestContext.setPeerEntityEndpoint(selectEndpoint);
    }

    protected void decodeRequest(SLORequestContext sLORequestContext, HTTPInTransport hTTPInTransport, HTTPOutTransport hTTPOutTransport) throws ProfileException {
        this.log.debug("Decoding message with decoder binding '{}'", getInboundBinding());
        sLORequestContext.setCommunicationProfileId(getProfileId());
        sLORequestContext.setMetadataProvider(getMetadataProvider());
        sLORequestContext.setInboundMessageTransport(hTTPInTransport);
        sLORequestContext.setInboundSAMLProtocol("urn:oasis:names:tc:SAML:2.0:protocol");
        sLORequestContext.setSecurityPolicyResolver(getSecurityPolicyResolver());
        sLORequestContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
        sLORequestContext.setOutboundMessageTransport(hTTPOutTransport);
        sLORequestContext.setOutboundSAMLProtocol("urn:oasis:names:tc:SAML:2.0:protocol");
        try {
            try {
                SAMLMessageDecoder inboundMessageDecoder = getInboundMessageDecoder(sLORequestContext);
                sLORequestContext.setMessageDecoder(inboundMessageDecoder);
                inboundMessageDecoder.decode(sLORequestContext);
                this.log.debug("Decoded request from relying party '{}'", sLORequestContext.getInboundMessageIssuer());
                if (!(sLORequestContext.getInboundSAMLMessage() instanceof LogoutRequest)) {
                    this.log.warn("Incoming message was not a LogoutRequest, it was a {}", sLORequestContext.getInboundSAMLMessage().getClass().getName());
                    sLORequestContext.setFailureStatus(buildStatus("urn:oasis:names:tc:SAML:2.0:status:Requester", null, "Invalid SAML LogoutRequest message."));
                    throw new ProfileException("Invalid SAML LogoutRequest message.");
                }
                Extensions extensions = sLORequestContext.getInboundSAMLMessage().getExtensions();
                if (extensions != null) {
                    List unknownXMLObjects = extensions.getUnknownXMLObjects(Asynchronous.DEFAULT_ELEMENT_NAME);
                    sLORequestContext.setAsynchronous((unknownXMLObjects == null || unknownXMLObjects.isEmpty()) ? false : true);
                    if (sLORequestContext.isAsynchronous()) {
                        this.log.debug("Incoming LogoutRequest contains aslo:Asynchronous extension.");
                    }
                }
            } catch (MessageDecodingException e) {
                this.log.warn("Error decoding logout request message", e);
                sLORequestContext.setFailureStatus(buildStatus("urn:oasis:names:tc:SAML:2.0:status:Responder", null, "Error decoding logout request message"));
                throw new ProfileException("Error decoding logout request message", e);
            } catch (SecurityException e2) {
                this.log.warn("Message did not meet security requirements", e2);
                sLORequestContext.setFailureStatus(buildStatus("urn:oasis:names:tc:SAML:2.0:status:Responder", "urn:oasis:names:tc:SAML:2.0:status:RequestDenied", "Message did not meet security requirements"));
                throw new ProfileException("Message did not meet security requirements", e2);
            }
        } finally {
            populateRequestContext(sLORequestContext);
        }
    }
}
