package net.shibboleth.idp.saml.saml2.profile.impl;

import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.authn.context.SubjectContext;
import net.shibboleth.idp.profile.AbstractProfileAction;
import net.shibboleth.idp.saml.session.SAML2SPSession;
import net.shibboleth.idp.session.IdPSession;
import net.shibboleth.idp.session.SPSession;
import net.shibboleth.idp.session.SessionResolver;
import net.shibboleth.idp.session.context.LogoutContext;
import net.shibboleth.idp.session.context.SessionContext;
import net.shibboleth.idp.session.criterion.SPSessionCriterion;
import net.shibboleth.profile.context.navigate.IssuerLookupFunction;
import net.shibboleth.profile.context.navigate.RelyingPartyIdLookupFunction;
import net.shibboleth.saml.saml2.profile.config.navigate.QualifiedNameIDFormatsLookupFunction;
import net.shibboleth.shared.annotation.constraint.NonnullAfterInit;
import net.shibboleth.shared.annotation.constraint.NonnullBeforeExec;
import net.shibboleth.shared.collection.CollectionSupport;
import net.shibboleth.shared.component.ComponentInitializationException;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.logic.PredicateSupport;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.resolver.CriteriaSet;
import net.shibboleth.shared.resolver.Criterion;
import net.shibboleth.shared.resolver.ResolverException;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.messaging.context.navigate.MessageLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.profile.context.navigate.InboundMessageContextLookup;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.SessionIndex;
import org.opensaml.saml.saml2.profile.SAML2ObjectSupport;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/idp/saml/saml2/profile/impl/ProcessLogoutRequest.class */
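/**
 * Profile action that processes an inbound SAML 2.0 {@link LogoutRequest} and works out which
 * IdP sessions it refers to.
 *
 * <p>The action looks up the request, asks the {@link SessionResolver} for candidate sessions,
 * keeps those that contain an SP session matching the request (issuer, NameID and, when present,
 * SessionIndex) and records them in a {@link LogoutContext}. The events signalled on failure are
 * {@code InvalidProfileContext}, {@code InvalidMessage} and {@code SessionNotFound}.</p>
 *
 * <p>NOTE(review): per-request state (the request, the qualified formats, the asserting and relying
 * party names) is held in instance fields, so this presumably expects one instance per execution
 * rather than a shared singleton; confirm against the flow wiring.</p>
 *
 * <p>NOTE(review): nothing in this class authenticates the request or its {@link Issuer}; the
 * issuer value is taken from the message as-is. Presumably an earlier action in the flow performs
 * message security checks; confirm before relying on this action on its own.</p>
 */
public class ProcessLogoutRequest extends AbstractProfileAction {

    /** Resolver used to find candidate IdP sessions; checked for presence in {@link #doInitialize()}. */
    @NonnullAfterInit
    private SessionResolver sessionResolver;

    /** Locates the {@link LogoutRequest} to process. */
    @Nonnull
    private Function<ProfileRequestContext, LogoutRequest> logoutRequestLookupStrategy;

    /** Supplies the NameID formats, beyond persistent and transient, compared with qualifier defaulting. */
    @Nonnull
    private Function<ProfileRequestContext, Collection<String>> qualifiedNameIDFormatsLookupStrategy;

    /** Optional source of the asserting party name passed to the qualified NameID comparison. */
    @Nullable
    private Function<ProfileRequestContext, String> assertingPartyLookupStrategy;

    /** Optional source of the relying party name passed to the qualified NameID comparison. */
    @Nullable
    private Function<ProfileRequestContext, String> relyingPartyLookupStrategy;

    /** The request being processed, populated in {@link #doPreExecute(ProfileRequestContext)}. */
    @NonnullBeforeExec
    private LogoutRequest logoutRequest;

    /** Formats obtained from the lookup strategy for the current request. */
    @Nonnull
    private Set<String> qualifiedNameIDFormats;

    /** Asserting party name, looked up lazily on the first qualified NameID comparison. */
    @Nullable
    private String assertingParty;

    /** Relying party name, looked up lazily on the first qualified NameID comparison. */
    @Nullable
    private String relyingParty;

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ProcessLogoutRequest.class);

    /** Creates or locates the {@link SubjectContext} that receives the principal name. */
    @Nonnull
    private Function<ProfileRequestContext, SubjectContext> subjectContextCreationStrategy =
            new ChildContextLookup<>(SubjectContext.class, true);

    /** Creates or locates the {@link SessionContext} populated when exactly one IdP session matches. */
    @Nonnull
    private Function<ProfileRequestContext, SessionContext> sessionContextCreationStrategy =
            new ChildContextLookup<>(SessionContext.class, true);

    /** Creates or locates the {@link LogoutContext} that collects the matching sessions. */
    @Nonnull
    private Function<ProfileRequestContext, LogoutContext> logoutContextCreationStrategy =
            new ChildContextLookup<>(LogoutContext.class, true);

    /**
     * Builds the criteria handed to the {@link SessionResolver}. The default yields a single
     * {@link SPSessionCriterion} built from the request's issuer value and NameID value, or an
     * empty {@link CriteriaSet} when the request, its issuer or its NameID is missing.
     */
    @Nonnull
    private Function<ProfileRequestContext, CriteriaSet> sessionResolverCriteriaStrategy =
            new Function<ProfileRequestContext, CriteriaSet>() {
        @Override
        public CriteriaSet apply(ProfileRequestContext profileRequestContext) {
            final LogoutRequest request = ProcessLogoutRequest.this.logoutRequest;
            final NameID nameId = request == null ? null : request.getNameID();
            final Issuer issuer = request == null ? null : request.getIssuer();
            if (request == null || issuer == null || nameId == null) {
                return new CriteriaSet();
            }
            final String nameIdValue = nameId.getValue();
            final String issuerValue = issuer.getValue();
            // Only an assertion guards these values: doPreExecute rejects a null NameID value, but
            // nothing visible here rejects a null Issuer value, so with assertions disabled a null
            // can reach SPSessionCriterion. NOTE(review): confirm how that constructor treats null.
            assert issuerValue != null && nameIdValue != null;
            return new CriteriaSet(new SPSessionCriterion(issuerValue, nameIdValue));
        }
    };

    /**
     * Creates the action with its default lookup strategies: the request is taken from the inbound
     * message context, and the asserting and relying party names come from
     * {@link IssuerLookupFunction} and {@link RelyingPartyIdLookupFunction}.
     */
    public ProcessLogoutRequest() {
        final Function<ProfileRequestContext, LogoutRequest> requestLookup =
                new MessageLookup<>(LogoutRequest.class).compose(new InboundMessageContextLookup());
        assert requestLookup != null;
        this.logoutRequestLookupStrategy = requestLookup;
        this.qualifiedNameIDFormatsLookupStrategy = new QualifiedNameIDFormatsLookupFunction();
        this.qualifiedNameIDFormats = CollectionSupport.emptySet();
        setAssertingPartyLookupStrategy(new IssuerLookupFunction());
        setRelyingPartyLookupStrategy(new RelyingPartyIdLookupFunction());
    }

    /**
     * Sets the resolver used to find candidate sessions.
     *
     * @param sessionResolver the resolver, must not be null
     */
    public void setSessionResolver(@Nonnull SessionResolver sessionResolver) {
        checkSetterPreconditions();
        this.sessionResolver = Constraint.isNotNull(sessionResolver, "SessionResolver cannot be null");
    }

    /**
     * Sets the strategy that creates or locates the {@link SubjectContext}.
     *
     * @param function the strategy, must not be null
     */
    public void setSubjectContextCreationStrategy(@Nonnull Function<ProfileRequestContext, SubjectContext> function) {
        checkSetterPreconditions();
        this.subjectContextCreationStrategy =
                Constraint.isNotNull(function, "SubjectContext creation strategy cannot be null");
    }

    /**
     * Sets the strategy that creates or locates the {@link SessionContext}.
     *
     * @param function the strategy, must not be null
     */
    public void setSessionContextCreationStrategy(@Nonnull Function<ProfileRequestContext, SessionContext> function) {
        checkSetterPreconditions();
        this.sessionContextCreationStrategy =
                Constraint.isNotNull(function, "SessionContext creation strategy cannot be null");
    }

    /**
     * Sets the strategy that creates or locates the {@link LogoutContext}.
     *
     * @param function the strategy, must not be null
     */
    public void setLogoutContextCreationStrategy(@Nonnull Function<ProfileRequestContext, LogoutContext> function) {
        checkSetterPreconditions();
        this.logoutContextCreationStrategy =
                Constraint.isNotNull(function, "LogoutContext creation strategy cannot be null");
    }

    /**
     * Sets the strategy that builds the criteria passed to the {@link SessionResolver}.
     *
     * @param function the strategy, must not be null
     */
    public void setSessionResolverCriteriaStrategy(@Nonnull Function<ProfileRequestContext, CriteriaSet> function) {
        checkSetterPreconditions();
        this.sessionResolverCriteriaStrategy =
                Constraint.isNotNull(function, "SessionResolver CriteriaSet strategy cannot be null");
    }

    /**
     * Sets the strategy that locates the {@link LogoutRequest} to process.
     *
     * @param function the strategy, must not be null
     */
    public void setLogoutRequestLookupStrategy(@Nonnull Function<ProfileRequestContext, LogoutRequest> function) {
        checkSetterPreconditions();
        this.logoutRequestLookupStrategy =
                Constraint.isNotNull(function, "LogoutRequest lookup strategy cannot be null");
    }

    /**
     * Sets the strategy that supplies the additional NameID formats compared with qualifier
     * defaulting.
     *
     * @param function the strategy, must not be null
     */
    public void setQualifiedNameIDFormatsLookupStrategy(
            @Nonnull Function<ProfileRequestContext, Collection<String>> function) {
        checkSetterPreconditions();
        this.qualifiedNameIDFormatsLookupStrategy =
                Constraint.isNotNull(function, "Qualified NameID Formats lookup strategy cannot be null");
    }

    /**
     * Sets the strategy that supplies the asserting party name.
     *
     * @param function the strategy, or null to pass no asserting party to the comparison
     */
    public void setAssertingPartyLookupStrategy(@Nullable Function<ProfileRequestContext, String> function) {
        checkSetterPreconditions();
        this.assertingPartyLookupStrategy = function;
    }

    /**
     * Sets the strategy that supplies the relying party name.
     *
     * @param function the strategy, or null to pass no relying party to the comparison
     */
    public void setRelyingPartyLookupStrategy(@Nullable Function<ProfileRequestContext, String> function) {
        checkSetterPreconditions();
        this.relyingPartyLookupStrategy = function;
    }

    /**
     * Completes initialization after the superclass has run its own.
     *
     * @throws ComponentInitializationException if no {@link SessionResolver} was set and the
     *         activation condition is not always-false
     */
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        // An action that can never activate is allowed to go without a resolver.
        if (!PredicateSupport.isAlwaysFalse(getActivationCondition()) && this.sessionResolver == null) {
            throw new ComponentInitializationException("SessionResolver cannot be null");
        }
    }

    /**
     * Locates the request and validates that it carries a NameID with a value.
     *
     * @param profileRequestContext the current profile request context
     * @return true if execution should proceed; false after signalling {@code InvalidProfileContext}
     *         (no request found) or {@code InvalidMessage} (NameID missing or without a value), or
     *         when the superclass check fails
     */
    protected boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        if (!super.doPreExecute(profileRequestContext)) {
            return false;
        }

        // These are cached lazily during matching; clear them so that an instance that is executed
        // more than once cannot compare NameID qualifiers against a previous request's parties.
        this.assertingParty = null;
        this.relyingParty = null;

        this.logoutRequest = this.logoutRequestLookupStrategy.apply(profileRequestContext);
        if (this.logoutRequest == null) {
            this.log.warn("{} No LogoutRequest found to process", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return false;
        }

        final NameID nameID = this.logoutRequest.getNameID();
        if (nameID == null) {
            this.log.warn("{} LogoutRequest did not contain NameID", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidMessage");
            return false;
        }
        if (nameID.getValue() == null) {
            this.log.warn("{} LogoutRequest contained an empty (therefore invalid) NameID", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidMessage");
            return false;
        }

        // A strategy is free to return null; treat that as "no additional formats" instead of
        // failing with a NullPointerException while copying the collection.
        final Collection<String> formats = this.qualifiedNameIDFormatsLookupStrategy.apply(profileRequestContext);
        if (formats == null) {
            this.qualifiedNameIDFormats = CollectionSupport.emptySet();
        } else {
            this.qualifiedNameIDFormats = new HashSet<>(formats);
        }
        return true;
    }

    /**
     * Resolves candidate IdP sessions and records those matching the request in a
     * {@link LogoutContext}.
     *
     * <p>For each matching IdP session, the session is added to the context's IdP sessions, and
     * every SP session in it that does <em>not</em> match the request is added to the session map
     * and, under a running counter starting at 1, to the keyed session map; the SP session that
     * matched the request is left out. When the first match is found the {@link SubjectContext}
     * principal name is set from that IdP session. If exactly one IdP session matched, it is also
     * stored in the {@link SessionContext}.</p>
     *
     * <p>Signals {@code SessionNotFound} when nothing matches or the resolver fails, and
     * {@code InvalidProfileContext} when no {@link LogoutContext} can be obtained.</p>
     *
     * @param profileRequestContext the current profile request context
     */
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        try {
            LogoutContext logoutContext = null;
            int nextKey = 1;
            for (final IdPSession idPSession
                    : this.sessionResolver.resolve(this.sessionResolverCriteriaStrategy.apply(profileRequestContext))) {
                assert idPSession != null;
                if (!sessionMatches(profileRequestContext, idPSession)) {
                    this.log.debug("{} IdP session {} does not contain a matching SP session", getLogPrefix(),
                            idPSession.getId());
                    continue;
                }

                this.log.debug("{} LogoutRequest matches IdP session {}", getLogPrefix(), idPSession.getId());
                if (logoutContext == null) {
                    // First match: set up the LogoutContext and record the subject.
                    logoutContext = this.logoutContextCreationStrategy.apply(profileRequestContext);
                    if (logoutContext == null) {
                        this.log.error("{} Unable to create or locate LogoutContext", getLogPrefix());
                        ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
                        return;
                    }
                    final SubjectContext subjectContext =
                            this.subjectContextCreationStrategy.apply(profileRequestContext);
                    if (subjectContext != null) {
                        subjectContext.setPrincipalName(idPSession.getPrincipalName());
                    }
                }

                logoutContext.getIdPSessions().add(idPSession);
                for (final SPSession spSession : idPSession.getSPSessions()) {
                    assert spSession != null;
                    // Only the SP sessions other than the one the request matched are recorded.
                    if (!sessionMatches(profileRequestContext, spSession)) {
                        logoutContext.getSessionMap().put(spSession.getId(), spSession);
                        logoutContext.getKeyedSessionMap().put(Integer.toString(nextKey++), spSession);
                    }
                }
            }

            if (logoutContext == null) {
                this.log.info("{} No active session(s) found matching LogoutRequest", getLogPrefix());
                ActionSupport.buildEvent(profileRequestContext, "SessionNotFound");
            } else if (logoutContext.getIdPSessions().size() == 1) {
                final SessionContext sessionContext =
                        this.sessionContextCreationStrategy.apply(profileRequestContext);
                if (sessionContext != null) {
                    sessionContext.setIdPSession(logoutContext.getIdPSessions().iterator().next());
                }
            }
        } catch (ResolverException e) {
            // A resolver failure is reported to the flow the same way as "no session found".
            this.log.error("{} Error resolving matching session(s)", getLogPrefix(), e);
            ActionSupport.buildEvent(profileRequestContext, "SessionNotFound");
        }
    }

    /**
     * Checks whether any SP session inside an IdP session matches the request.
     *
     * @param profileRequestContext the current profile request context
     * @param idPSession the IdP session to inspect
     * @return true if at least one contained SP session matches
     */
    private boolean sessionMatches(@Nonnull ProfileRequestContext profileRequestContext,
            @Nonnull IdPSession idPSession) {
        for (final SPSession spSession : idPSession.getSPSessions()) {
            assert spSession != null;
            if (sessionMatches(profileRequestContext, spSession)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks whether one SP session is the one the request refers to.
     *
     * <p>A session matches only if it is a {@link SAML2SPSession}, its id equals the request's
     * issuer value, its NameID is equivalent to the request's NameID, and, when the request lists
     * any SessionIndex values, one of them equals the session's index. A request with no
     * SessionIndex therefore matches every session of that issuer with an equivalent NameID.</p>
     *
     * @param profileRequestContext the current profile request context
     * @param sPSession the SP session to test
     * @return true if the session matches the request
     */
    private boolean sessionMatches(@Nonnull ProfileRequestContext profileRequestContext,
            @Nonnull SPSession sPSession) {
        assert isPreExecuteCalled();
        if (!(sPSession instanceof SAML2SPSession)) {
            return false;
        }
        final SAML2SPSession saml2Session = (SAML2SPSession) sPSession;

        // The session must belong to the party named as the request's issuer.
        final Issuer issuer = this.logoutRequest.getIssuer();
        if (issuer == null || !saml2Session.getId().equals(issuer.getValue())) {
            return false;
        }

        String format = saml2Session.getNameID().getFormat();
        if (format == null) {
            // A NameID without a Format is compared as the "unspecified" format.
            format = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";
        }

        final NameID requestedNameID = this.logoutRequest.getNameID();
        assert requestedNameID != null;

        final boolean qualifiedFormat = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent".equals(format)
                || "urn:oasis:names:tc:SAML:2.0:nameid-format:transient".equals(format)
                || this.qualifiedNameIDFormats.contains(format);
        if (qualifiedFormat) {
            // These formats are compared with the asserting and relying party names supplied;
            // both are looked up once and then reused for later comparisons.
            if (this.assertingParty == null && this.assertingPartyLookupStrategy != null) {
                this.assertingParty = this.assertingPartyLookupStrategy.apply(profileRequestContext);
            }
            if (this.relyingParty == null && this.relyingPartyLookupStrategy != null) {
                this.relyingParty = this.relyingPartyLookupStrategy.apply(profileRequestContext);
            }
            if (!SAML2ObjectSupport.areNameIDsEquivalent(requestedNameID, saml2Session.getNameID(),
                    this.assertingParty, this.relyingParty)) {
                return false;
            }
        } else if (!SAML2ObjectSupport.areNameIDsEquivalent(requestedNameID, saml2Session.getNameID())) {
            return false;
        }

        // No SessionIndex in the request: the NameID match alone is sufficient.
        if (this.logoutRequest.getSessionIndexes().isEmpty()) {
            return true;
        }
        for (final SessionIndex sessionIndex : this.logoutRequest.getSessionIndexes()) {
            final String indexValue = sessionIndex.getValue();
            if (indexValue != null && indexValue.equals(saml2Session.getSessionIndex())) {
                return true;
            }
        }
        return false;
    }
}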
