package org.keycloak.adapters.saml.profile.webbrowsersso;

import org.keycloak.adapters.saml.OnSessionCreated;
import org.keycloak.adapters.saml.SamlDeployment;
import org.keycloak.adapters.saml.SamlSession;
import org.keycloak.adapters.saml.SamlSessionStore;
import org.keycloak.adapters.saml.SamlUtil;
import org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler;
import org.keycloak.adapters.saml.profile.SamlAuthenticationHandler;
import org.keycloak.adapters.saml.profile.SamlInvocationContext;
import org.keycloak.adapters.spi.AuthOutcome;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.dom.saml.v2.protocol.LogoutRequestType;
import org.keycloak.saml.BaseSAML2BindingBuilder;
import org.keycloak.saml.SAML2LogoutRequestBuilder;
import org.keycloak.saml.SAML2LogoutResponseBuilder;

/* loaded from: input_file:org/keycloak/adapters/saml/profile/webbrowsersso/WebBrowserSsoAuthenticationHandler.class */
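/**
 * Web Browser SSO profile handler of the SAML adapter.
 *
 * <p>Collects the SAML parameters of the current HTTP request, answers logout requests by
 * terminating local sessions and sending a logout response to the configured IdP, and starts a
 * global logout when the request carries {@code GLO=true}.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>{@code SAMLRequest}, {@code SAMLResponse}, {@code RelayState} and {@code GLO} are read
 *       straight from the HTTP request and must be treated as untrusted. No signature, issuer or
 *       destination validation is visible in this class; presumably the superclass does it
 *       before {@link #logoutRequest} is reached. TODO confirm in
 *       {@code AbstractSamlAuthenticationHandler}.</li>
 *   <li>Outgoing logout messages are signed only when the deployment's single-logout service
 *       configuration asks for it ({@code signRequest()} / {@code signResponse()}).</li>
 * </ul>
 */
public class WebBrowserSsoAuthenticationHandler extends AbstractSamlAuthenticationHandler {

    /**
     * Factory method returning a handler typed as the {@link SamlAuthenticationHandler} interface.
     *
     * @param httpFacade the request/response facade of the current exchange
     * @param samlDeployment the adapter deployment configuration
     * @param samlSessionStore the store holding the local SAML sessions
     * @return a new handler instance
     */
    public static SamlAuthenticationHandler create(HttpFacade httpFacade, SamlDeployment samlDeployment, SamlSessionStore samlSessionStore) {
        return new WebBrowserSsoAuthenticationHandler(httpFacade, samlDeployment, samlSessionStore);
    }

    /**
     * Creates the handler by passing all three collaborators to the superclass.
     *
     * <p>The decompiler reports that this constructor was originally package-private and that the
     * access modifier was widened in this listing.
     */
    public WebBrowserSsoAuthenticationHandler(HttpFacade httpFacade, SamlDeployment samlDeployment, SamlSessionStore samlSessionStore) {
        super(httpFacade, samlDeployment, samlSessionStore);
    }

    /**
     * Builds the invocation context from the request parameters and delegates to
     * {@code doHandle}.
     *
     * @param onSessionCreated callback forwarded unchanged to {@code doHandle}
     * @return the outcome reported by {@code doHandle}
     */
    @Override
    public AuthOutcome handle(OnSessionCreated onSessionCreated) {
        // All three values come from the client; they are passed on as-is and are not inspected here.
        String samlRequest = facade.getRequest().getFirstParam("SAMLRequest");
        String samlResponse = facade.getRequest().getFirstParam("SAMLResponse");
        String relayState = facade.getRequest().getFirstParam("RelayState");
        return doHandle(new SamlInvocationContext(samlRequest, samlResponse, relayState), onSessionCreated);
    }

    /**
     * Starts a global logout when the query string contains {@code GLO=true}; otherwise reports
     * the request as authenticated.
     *
     * <p>NOTE(review): the trigger is a plain query parameter and no anti-CSRF token is checked
     * in this method, so any link carrying {@code GLO=true} starts a logout for the session
     * behind the request. Confirm that this is acceptable for the deployment.
     *
     * @return the result of {@link #globalLogout()} or {@link AuthOutcome#AUTHENTICATED}
     */
    @Override
    protected AuthOutcome handleRequest() {
        if ("true".equals(facade.getRequest().getQueryParamValue("GLO"))) {
            return globalLogout();
        }
        return AuthOutcome.AUTHENTICATED;
    }

    /**
     * Terminates the local sessions named by a logout request and sends a logout response to the
     * IdP's single-logout response URL.
     *
     * <p>Sessions are selected by session index when the request carries one, otherwise by the
     * NameID value. Local sessions are terminated <em>before</em> the response is sent, so a
     * failure while sending yields {@link AuthOutcome#FAILED} with the sessions already gone.
     *
     * @param logoutRequestType the parsed logout request; presumably already validated by the
     *     superclass (TODO confirm)
     * @param str the relay state to return with the response; it is passed to the binding builder
     *     unchanged
     * @return {@link AuthOutcome#NOT_ATTEMPTED} once the response has been handed to
     *     {@code SamlUtil.sendSaml}, {@link AuthOutcome#FAILED} when the request identifies no
     *     session or sending throws
     */
    @Override
    protected AuthOutcome logoutRequest(LogoutRequestType logoutRequestType, String str) {
        boolean hasSessionIndex = logoutRequestType.getSessionIndex() != null
                && !logoutRequestType.getSessionIndex().isEmpty();
        if (hasSessionIndex) {
            sessionStore.logoutBySsoId(logoutRequestType.getSessionIndex());
        } else if (logoutRequestType.getNameID() != null) {
            sessionStore.logoutByPrincipal(logoutRequestType.getNameID().getValue());
        } else {
            // Without this guard a request carrying neither a session index nor a NameID would be
            // dereferenced and fail with a NullPointerException instead of a controlled outcome.
            log.error("Logout request carries neither a session index nor a NameID");
            return AuthOutcome.FAILED;
        }

        String entityID = deployment.getEntityID();
        SAML2LogoutResponseBuilder responseBuilder = new SAML2LogoutResponseBuilder();
        responseBuilder.logoutRequestID(logoutRequestType.getID());
        responseBuilder.destination(deployment.getIDP().getSingleLogoutService().getResponseBindingUrl());
        responseBuilder.issuer(entityID);

        BaseSAML2BindingBuilder binding = new BaseSAML2BindingBuilder().relayState(str);
        // The response is signed only when the single-logout configuration requests it.
        if (deployment.getIDP().getSingleLogoutService().signResponse()) {
            if (deployment.getSignatureCanonicalizationMethod() != null) {
                binding.canonicalizationMethod(deployment.getSignatureCanonicalizationMethod());
            }
            binding.signatureAlgorithm(deployment.getSignatureAlgorithm())
                    .signWith(deployment.getSigningKeyPair())
                    .signDocument();
        }

        try {
            // First argument is false here and true in globalLogout(); presumably it flags
            // "this is a request" - confirm against SamlUtil.sendSaml.
            SamlUtil.sendSaml(
                    false,
                    facade,
                    deployment.getIDP().getSingleLogoutService().getResponseBindingUrl(),
                    binding,
                    responseBuilder.buildDocument(),
                    deployment.getIDP().getSingleLogoutService().getResponseBinding());
            return AuthOutcome.NOT_ATTEMPTED;
        } catch (Exception e) {
            log.error("Could not send logout response SAML request", e);
            return AuthOutcome.FAILED;
        }
    }

    /**
     * Sends a logout request for the current account to the IdP's single-logout request URL and
     * marks the session store as logging out.
     *
     * @return {@link AuthOutcome#NOT_ATTEMPTED} when there is no current account or once the
     *     request has been handed to {@code SamlUtil.sendSaml}; {@link AuthOutcome#FAILED} when
     *     sending throws
     */
    private AuthOutcome globalLogout() {
        SamlSession account = sessionStore.getAccount();
        if (account == null) {
            // Nothing to log out: no local SAML session is attached to this request.
            return AuthOutcome.NOT_ATTEMPTED;
        }

        // NOTE(review): m4getPrincipal looks like a decompiler-assigned accessor name - confirm
        // against SamlSession. The unit of assertionExpiration(30) is not visible here
        // (presumably seconds - confirm).
        SAML2LogoutRequestBuilder requestBuilder = new SAML2LogoutRequestBuilder()
                .assertionExpiration(30)
                .issuer(deployment.getEntityID())
                .sessionIndex(account.getSessionIndex())
                .userPrincipal(account.m4getPrincipal().getSamlSubject(), account.m4getPrincipal().getNameIDFormat())
                .destination(deployment.getIDP().getSingleLogoutService().getRequestBindingUrl());

        BaseSAML2BindingBuilder binding = new BaseSAML2BindingBuilder();
        // The request is signed only when the single-logout configuration requests it.
        if (deployment.getIDP().getSingleLogoutService().signRequest()) {
            if (deployment.getSignatureCanonicalizationMethod() != null) {
                binding.canonicalizationMethod(deployment.getSignatureCanonicalizationMethod());
            }
            binding.signatureAlgorithm(deployment.getSignatureAlgorithm());
            binding.signWith(deployment.getSigningKeyPair()).signDocument();
        }
        // Fixed relay state chosen by the adapter, not taken from the request.
        binding.relayState("logout");

        try {
            SamlUtil.sendSaml(
                    true,
                    facade,
                    deployment.getIDP().getSingleLogoutService().getRequestBindingUrl(),
                    binding,
                    requestBuilder.buildDocument(),
                    deployment.getIDP().getSingleLogoutService().getRequestBinding());
            // Recorded only after the request was sent without an exception.
            sessionStore.setCurrentAction(SamlSessionStore.CurrentAction.LOGGING_OUT);
            return AuthOutcome.NOT_ATTEMPTED;
        } catch (Exception e) {
            log.error("Could not send global logout SAML request", e);
            return AuthOutcome.FAILED;
        }
    }
}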
