package org.springframework.security.saml2.provider.service.authentication.logout;

import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Collection;
import java.util.function.Consumer;
import net.shibboleth.utilities.java.support.xml.ParserPool;
import org.opensaml.core.config.ConfigurationService;
import org.opensaml.core.xml.config.XMLObjectProviderRegistry;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.saml.saml2.core.LogoutResponse;
import org.opensaml.saml.saml2.core.StatusCode;
import org.opensaml.saml.saml2.core.impl.LogoutResponseUnmarshaller;
import org.springframework.security.saml2.Saml2Exception;
import org.springframework.security.saml2.core.OpenSamlInitializationService;
import org.springframework.security.saml2.core.Saml2Error;
import org.springframework.security.saml2.core.Saml2ErrorCodes;
import org.springframework.security.saml2.provider.service.authentication.logout.OpenSamlVerificationUtils;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;

/* loaded from: input_file:WEB-INF/lib/spring-security-saml2-service-provider-6.3.7.jar:org/springframework/security/saml2/provider/service/authentication/logout/OpenSamlLogoutResponseValidator.class */
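/**
 * Validates a SAML 2.0 {@code LogoutResponse} received by the relying party
 * against the {@link RelyingPartyRegistration} it is addressed to and the
 * {@link Saml2LogoutRequest} it answers.
 *
 * <p>The checks run in this order: message signature, {@code Issuer},
 * {@code Destination}, {@code Status} code and {@code InResponseTo}. Every
 * failed check is collected as a {@link Saml2Error} in the returned
 * {@link Saml2LogoutValidatorResult} rather than thrown, so the caller sees
 * all problems at once. Only a payload that cannot be decoded and
 * unmarshalled at all raises a {@link Saml2Exception}.
 *
 * <p>XML parsing uses the {@link ParserPool} registered with the OpenSAML
 * {@link XMLObjectProviderRegistry}. Any custom pool registered there must
 * keep DTD and external-entity processing disabled, since the parsed bytes
 * come straight from the remote party.
 */
public class OpenSamlLogoutResponseValidator implements Saml2LogoutResponseValidator {

	static {
		// The OpenSAML registry must be bootstrapped before the field initializers below query it.
		OpenSamlInitializationService.initialize();
	}

	// Parser and unmarshaller are resolved once from the global OpenSAML registry.
	private final ParserPool parserPool = ((XMLObjectProviderRegistry) ConfigurationService
			.get(XMLObjectProviderRegistry.class)).getParserPool();

	private final LogoutResponseUnmarshaller unmarshaller = (LogoutResponseUnmarshaller) XMLObjectProviderRegistrySupport
			.getUnmarshallerFactory().getUnmarshaller(LogoutResponse.DEFAULT_ELEMENT_NAME);

	/**
	 * Decodes, parses and validates the {@code LogoutResponse} carried by the
	 * given parameters.
	 * @param parameters the response, the request it answers and the registration
	 * it is addressed to
	 * @return a result holding every validation error found (empty on success)
	 * @throws Saml2Exception if the payload cannot be decoded or unmarshalled
	 */
	@Override
	public Saml2LogoutValidatorResult validate(Saml2LogoutResponseValidatorParameters parameters) {
		Saml2LogoutResponse response = parameters.getLogoutResponse();
		Saml2LogoutRequest request = parameters.getLogoutRequest();
		RelyingPartyRegistration registration = parameters.getRelyingPartyRegistration();
		byte[] decoded = Saml2Utils.samlDecode(response.getSamlResponse());
		LogoutResponse logoutResponse = parse(inflateIfRequired(response, decoded));
		return Saml2LogoutValidatorResult.withErrors()
				.errors(verifySignature(response, logoutResponse, registration))
				.errors(validateRequest(logoutResponse, registration))
				.errors(validateLogoutRequest(logoutResponse, request.getId()))
				.build();
	}

	/**
	 * Turns the decoded bytes into XML text. The Redirect binding carries a
	 * deflated payload that must be inflated first; every other binding is
	 * already plain UTF-8.
	 */
	private String inflateIfRequired(Saml2LogoutResponse response, byte[] decoded) {
		if (response.getBinding() == Saml2MessageBinding.REDIRECT) {
			return Saml2Utils.samlInflate(decoded);
		}
		return new String(decoded, StandardCharsets.UTF_8);
	}

	/**
	 * Parses the XML text and unmarshals its document element as a
	 * {@link LogoutResponse}.
	 * @throws Saml2Exception wrapping any parser, unmarshaller or cast failure;
	 * the broad catch is deliberate so no low-level exception type leaks out
	 */
	private LogoutResponse parse(String xml) throws Saml2Exception {
		try {
			ByteArrayInputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
			return (LogoutResponse) this.unmarshaller.unmarshall(this.parserPool.parse(in).getDocumentElement());
		}
		catch (Exception ex) {
			throw new Saml2Exception("Failed to deserialize LogoutResponse", ex);
		}
	}

	/**
	 * Verifies the message signature against the asserting party's verification
	 * credentials. A signed XML body is checked via its embedded
	 * {@code Signature}; otherwise the verifier's redirect path is used, which
	 * inspects the {@link Saml2LogoutResponse} itself (the binding-level
	 * signature) — so an unsigned body is only accepted if that path succeeds.
	 */
	private Consumer<Collection<Saml2Error>> verifySignature(Saml2LogoutResponse response,
			LogoutResponse logoutResponse, RelyingPartyRegistration registration) {
		return (errors) -> {
			OpenSamlVerificationUtils.VerifierPartial verifier = OpenSamlVerificationUtils
					.verifySignature(logoutResponse, registration);
			if (logoutResponse.isSigned()) {
				errors.addAll(verifier.post(logoutResponse.getSignature()));
			}
			else {
				errors.addAll(verifier.redirect(response));
			}
		};
	}

	/** Runs the issuer, destination and status checks, in that order. */
	private Consumer<Collection<Saml2Error>> validateRequest(LogoutResponse logoutResponse,
			RelyingPartyRegistration registration) {
		return (errors) -> {
			validateIssuer(logoutResponse, registration).accept(errors);
			validateDestination(logoutResponse, registration).accept(errors);
			validateStatus(logoutResponse).accept(errors);
		};
	}

	/**
	 * Requires the {@code Issuer} to be present and equal to the configured
	 * asserting party entity id, which ties the response to the party whose
	 * credentials were used for signature verification.
	 */
	private Consumer<Collection<Saml2Error>> validateIssuer(LogoutResponse logoutResponse,
			RelyingPartyRegistration registration) {
		return (errors) -> {
			// A missing element and an element with no value are treated the same way; checking the
			// value for null here turns a malformed Issuer into a validation error instead of an NPE.
			String issuer = (logoutResponse.getIssuer() != null) ? logoutResponse.getIssuer().getValue() : null;
			if (issuer == null) {
				errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_ISSUER, "Failed to find issuer in LogoutResponse"));
				return;
			}
			if (!issuer.equals(registration.getAssertingPartyDetails().getEntityId())) {
				errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_ISSUER, "Failed to match issuer to configured issuer"));
			}
		};
	}

	/**
	 * Requires the {@code Destination} to be present and equal to this
	 * registration's single-logout response location, so a response meant for a
	 * different endpoint (or replayed elsewhere) is rejected.
	 */
	private Consumer<Collection<Saml2Error>> validateDestination(LogoutResponse logoutResponse,
			RelyingPartyRegistration registration) {
		return (errors) -> {
			String destination = logoutResponse.getDestination();
			if (destination == null) {
				errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_DESTINATION,
						"Failed to find destination in LogoutResponse"));
				return;
			}
			if (!destination.equals(registration.getSingleLogoutServiceResponseLocation())) {
				errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_DESTINATION,
						"Failed to match destination to configured destination"));
			}
		};
	}

	/**
	 * Rejects a response whose top-level status code is anything other than
	 * {@code Success} or {@code PartialLogout}.
	 */
	private Consumer<Collection<Saml2Error>> validateStatus(LogoutResponse logoutResponse) {
		return (errors) -> {
			// NOTE(review): a response with no Status or StatusCode element is accepted here rather than
			// rejected — confirm that leniency is intended before tightening it.
			if (logoutResponse.getStatus() == null || logoutResponse.getStatus().getStatusCode() == null) {
				return;
			}
			String statusCode = logoutResponse.getStatus().getStatusCode().getValue();
			if (StatusCode.SUCCESS.equals(statusCode) || StatusCode.PARTIAL_LOGOUT.equals(statusCode)) {
				return;
			}
			errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_RESPONSE, "Response indicated logout failed"));
		};
	}

	/**
	 * Requires {@code InResponseTo}, when present, to equal the id of the
	 * {@code LogoutRequest} this response answers.
	 * @param requestId the id of the associated {@link Saml2LogoutRequest}
	 */
	private Consumer<Collection<Saml2Error>> validateLogoutRequest(LogoutResponse logoutResponse, String requestId) {
		return (errors) -> {
			String inResponseTo = logoutResponse.getInResponseTo();
			// NOTE(review): an absent InResponseTo passes; only a present-but-mismatched value is an
			// error. The request/response correlation therefore relies on the caller having looked up
			// the request by other means — confirm this is the intended policy.
			if (inResponseTo != null && !inResponseTo.equals(requestId)) {
				errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_RESPONSE,
						"LogoutResponse InResponseTo doesn't match ID of associated LogoutRequest"));
			}
		};
	}

}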
