package com.onelogin.saml2.logout;

import com.onelogin.saml2.exception.XMLEntityException;
import com.onelogin.saml2.settings.Saml2Settings;
import com.onelogin.saml2.util.Constants;
import com.onelogin.saml2.util.SchemaFactory;
import com.onelogin.saml2.util.Util;
import java.io.IOException;
import java.net.URL;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.HashMap;
import javax.servlet.http.HttpServletRequest;
import javax.xml.xpath.XPathExpressionException;
import org.apache.commons.lang3.text.StrSubstitutor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/* loaded from: input_file:com/onelogin/saml2/logout/LogoutResponse.class */
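/**
 * Represents a SAML 2.0 LogoutResponse: either one received from the IdP in the
 * {@code SAMLResponse} request parameter (parsed in the constructor and checked by
 * {@link #isValid(String)}), or one generated by this SP via {@link #build(String)}.
 *
 * <p>Only the query-parameter signature ({@code Signature} / {@code SigAlg}) is verified here;
 * this class does not look for a signature embedded in the XML document.
 *
 * <p>Instances hold mutable state ({@code error}, the built XML) without synchronization.
 */
public class LogoutResponse {
    private static final Logger LOGGER = LoggerFactory.getLogger(LogoutResponse.class);

    // Raw XML of the response (decoded from the request, or produced by build()).
    private String logoutResponseString;
    // Parsed form of a received response; stays null for responses created with build().
    private Document logoutResponseDocument;
    // ID attribute of a response generated by build().
    private String id;
    private final Saml2Settings settings;
    private final HttpServletRequest request;
    // URL the request was received at; compared against the Destination attribute.
    private String currentUrl;
    // ID of the LogoutRequest a generated response answers.
    private String inResponseTo;
    private Calendar issueInstant;
    // Reason the last isValid() call failed, or null.
    private String error;

    /**
     * Creates a LogoutResponse, loading the received message when the request carries one.
     *
     * <p>If {@code httpServletRequest} is non-null, the current URL is taken from it and a
     * non-empty {@code SAMLResponse} parameter is base64-decoded, inflated and parsed as XML.
     * Otherwise the object is left empty, ready for {@link #build(String)}.
     *
     * @param saml2Settings toolkit settings used for validation and for building responses
     * @param httpServletRequest the incoming request, or {@code null} when only building
     * @throws XMLEntityException declared by this constructor; presumably raised by
     *     {@code Util.loadXML} for XML it refuses to parse (confirm in {@code Util})
     */
    public LogoutResponse(Saml2Settings saml2Settings, HttpServletRequest httpServletRequest) throws XMLEntityException {
        this.settings = saml2Settings;
        this.request = httpServletRequest;
        String encodedResponse = null;
        if (httpServletRequest != null) {
            this.currentUrl = httpServletRequest.getRequestURL().toString();
            encodedResponse = httpServletRequest.getParameter("SAMLResponse");
        }
        if (encodedResponse == null || encodedResponse.isEmpty()) {
            return;
        }
        this.logoutResponseString = Util.base64decodedInflated(encodedResponse);
        this.logoutResponseDocument = Util.loadXML(this.logoutResponseString);
    }

    /**
     * Returns the response XML deflated and base64-encoded.
     *
     * @return the encoded form of {@link #getLogoutResponseXml()}
     * @throws IOException if encoding fails
     */
    public String getEncodedLogoutResponse() throws IOException {
        return Util.deflatedBase64encoded(getLogoutResponseXml());
    }

    /**
     * Returns the raw XML of the response.
     *
     * @return the XML string, or {@code null} if nothing was loaded or built
     */
    protected String getLogoutResponseXml() {
        return this.logoutResponseString;
    }

    /**
     * Validates the received LogoutResponse.
     *
     * <p>Always required: a loaded document and a known current URL. In strict mode the method
     * additionally checks, in order: optional XML schema validation, {@code InResponseTo}
     * against {@code str}, the issuer against the configured IdP entity ID, {@code Destination}
     * against the current URL, and that a {@code Signature} parameter exists when the settings
     * demand signed messages. Whenever a {@code Signature} parameter is present (strict or not)
     * it is verified against the configured IdP certificate.
     *
     * <p>Security notes for integrators:
     * <ul>
     *   <li>With strict mode off, none of the InResponseTo / Issuer / Destination checks run and
     *       an unsigned response is accepted.</li>
     *   <li>Even in strict mode, the InResponseTo and Issuer checks are skipped when the
     *       response simply omits those values, and a signature is only mandatory when
     *       {@code getWantMessagesSigned()} is true.</li>
     * </ul>
     *
     * @param str ID of the LogoutRequest this response should answer, or {@code null} to skip
     *     the InResponseTo comparison
     * @return {@code true} if every applicable check passed; {@code false} otherwise, with the
     *     reason available from {@link #getError()}
     */
    public Boolean isValid(String str) {
        final String requestId = str;
        this.error = null;
        try {
            if (this.logoutResponseDocument == null) {
                throw new Exception("SAML Logout Response is not loaded");
            }
            // currentUrl is only set when a request was supplied, so passing this check also
            // guarantees this.request is non-null below.
            if (this.currentUrl == null || this.currentUrl.isEmpty()) {
                throw new Exception("The URL of the current host was not established");
            }
            String signature = this.request.getParameter("Signature");
            if (this.settings.isStrict()) {
                Element root = this.logoutResponseDocument.getDocumentElement();
                root.normalize();
                if (this.settings.getWantXMLValidation().booleanValue() && !Util.validateXML(this.logoutResponseDocument, SchemaFactory.SAML_SCHEMA_PROTOCOL_2_0)) {
                    throw new Exception("Invalid SAML Logout Response. Not match the saml-schema-protocol-2.0.xsd");
                }
                // Only enforced when the caller supplied an ID AND the attribute is present;
                // a response without InResponseTo is not rejected here.
                if (requestId != null && root.hasAttribute("InResponseTo")) {
                    String responseInResponseTo = root.getAttribute("InResponseTo");
                    if (!responseInResponseTo.equals(requestId)) {
                        throw new Exception("The InResponseTo of the Logout Response: " + responseInResponseTo + ", does not match the ID of the Logout request sent by the SP:: " + requestId);
                    }
                }
                // A missing or empty Issuer is tolerated; only a present, different one fails.
                String issuer = getIssuer();
                if (issuer != null && !issuer.isEmpty() && !issuer.equals(this.settings.getIdpEntityId())) {
                    throw new Exception("Invalid issuer in the Logout Response");
                }
                if (root.hasAttribute("Destination")) {
                    String destination = root.getAttribute("Destination");
                    if (destination != null && !destination.isEmpty() && !destination.equals(this.currentUrl)) {
                        throw new Exception("The LogoutResponse was received at " + this.currentUrl + " instead of " + destination);
                    }
                }
                if (this.settings.getWantMessagesSigned().booleanValue() && (signature == null || signature.isEmpty())) {
                    throw new Exception("The Message of the Logout Response is not signed and the SP requires it");
                }
            }
            if (signature != null && !signature.isEmpty()) {
                X509Certificate idpCertificate = this.settings.getIdpx509cert();
                if (idpCertificate == null) {
                    throw new Exception("In order to validate the sign on the Logout Response, the x509cert of the IdP is required");
                }
                // NOTE(review): the algorithm is chosen by the sender and falls back to
                // Constants.RSA_SHA1 when SigAlg is absent. Consider rejecting a missing SigAlg
                // and restricting accepted values to an allow-list from the settings.
                String signatureAlgorithm = this.request.getParameter("SigAlg");
                if (signatureAlgorithm == null || signatureAlgorithm.isEmpty()) {
                    signatureAlgorithm = Constants.RSA_SHA1;
                }
                // The signed string is rebuilt by re-encoding the already-decoded parameters in
                // the fixed order SAMLResponse, RelayState, SigAlg. NOTE(review): a sender whose
                // percent-encoding differs from Util.urlEncoder will fail verification; verifying
                // over the raw query string would avoid that - confirm against callers.
                String signedQuery = "SAMLResponse=" + Util.urlEncoder(this.request.getParameter("SAMLResponse"));
                String relayState = this.request.getParameter("RelayState");
                if (relayState != null && !relayState.isEmpty()) {
                    signedQuery = signedQuery + "&RelayState=" + Util.urlEncoder(relayState);
                }
                signedQuery = signedQuery + "&SigAlg=" + Util.urlEncoder(signatureAlgorithm);
                if (!Util.validateBinarySignature(signedQuery, Util.base64decoder(signature), idpCertificate, signatureAlgorithm).booleanValue()) {
                    throw new Exception("Signature validation failed. Logout Response rejected");
                }
            }
            // Fixed: this message previously said "LogoutRequest", which misattributed the
            // event when correlating logout traffic in debug logs.
            LOGGER.debug("LogoutResponse validated --> " + this.logoutResponseString);
            return true;
        } catch (Exception e) {
            // Every failure, including unexpected runtime errors, is reported as "invalid".
            this.error = e.getMessage();
            LOGGER.debug("LogoutResponse invalid --> " + this.logoutResponseString);
            // The message can embed values taken from the response (e.g. InResponseTo).
            LOGGER.error(this.error);
            return false;
        }
    }

    /**
     * Validates the response without comparing {@code InResponseTo} to a request ID.
     *
     * @return the result of {@code isValid(null)}
     */
    public Boolean isValid() {
        return isValid(null);
    }

    /**
     * Returns the text of the response's {@code saml:Issuer} element.
     *
     * @return the issuer, or {@code null} unless exactly one Issuer element is found
     * @throws XPathExpressionException if the XPath query fails
     */
    public String getIssuer() throws XPathExpressionException {
        NodeList issuers = query("/samlp:LogoutResponse/saml:Issuer");
        if (issuers.getLength() != 1) {
            return null;
        }
        return issuers.item(0).getTextContent();
    }

    /**
     * Returns the {@code Value} attribute of the top-level {@code samlp:StatusCode}.
     *
     * @return the status code URI, or {@code null} unless exactly one StatusCode carrying a
     *     {@code Value} attribute is found
     * @throws XPathExpressionException if the XPath query fails
     */
    public String getStatus() throws XPathExpressionException {
        NodeList statusCodes = query("/samlp:LogoutResponse/samlp:Status/samlp:StatusCode");
        if (statusCodes.getLength() != 1 || !(statusCodes.item(0) instanceof Element)) {
            return null;
        }
        Element statusCode = (Element) statusCodes.item(0);
        // Schema validation is optional, so a StatusCode without Value can reach this point;
        // report "no status" instead of failing with a NullPointerException.
        return statusCode.hasAttribute("Value") ? statusCode.getAttribute("Value") : null;
    }

    /** Runs an XPath query against the parsed response document. */
    private NodeList query(String str) throws XPathExpressionException {
        return Util.query(this.logoutResponseDocument, str, null);
    }

    /**
     * Generates a new LogoutResponse with status Success, replacing any previously held XML.
     *
     * @param str ID of the LogoutRequest being answered, or {@code null} to omit
     *     {@code InResponseTo}
     */
    public void build(String str) {
        this.id = Util.generateUniqueID();
        this.issueInstant = Calendar.getInstance();
        this.inResponseTo = str;
        this.logoutResponseString = generateSubstitutor(this.settings).replace(getLogoutResponseTemplate());
    }

    /** Generates a new LogoutResponse without an {@code InResponseTo} attribute. */
    public void build() {
        build(null);
    }

    /**
     * Prepares the values substituted into the response template.
     *
     * <p>{@code inResponseTo} normally echoes the ID of a LogoutRequest received from another
     * party, so it, the destination URL and the issuer are XML-escaped before being placed in
     * the template; unescaped, a crafted value could alter the structure of the generated XML.
     */
    private StrSubstitutor generateSubstitutor(Saml2Settings saml2Settings) {
        HashMap<String, String> values = new HashMap<String, String>();
        values.put("id", this.id);
        values.put("issueInstant", Util.formatDateTime(this.issueInstant.getTimeInMillis()));

        URL destination = saml2Settings.getIdpSingleLogoutServiceUrl();
        String destinationAttribute = "";
        if (destination != null) {
            destinationAttribute = " Destination=\"" + escapeXml(destination.toString()) + "\"";
        }
        values.put("destinationStr", destinationAttribute);

        String inResponseToAttribute = "";
        if (this.inResponseTo != null) {
            inResponseToAttribute = " InResponseTo=\"" + escapeXml(this.inResponseTo) + "\"";
        }
        values.put("inResponseStr", inResponseToAttribute);

        values.put("issuer", escapeXml(saml2Settings.getSpEntityId()));
        return new StrSubstitutor(values);
    }

    /**
     * Escapes the five XML special characters so a value is safe both as element text and
     * inside a double-quoted attribute. Returns {@code null} for {@code null} input.
     */
    private static String escapeXml(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder escaped = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':
                    escaped.append("&amp;");
                    break;
                case '<':
                    escaped.append("&lt;");
                    break;
                case '>':
                    escaped.append("&gt;");
                    break;
                case '"':
                    escaped.append("&quot;");
                    break;
                case '\'':
                    escaped.append("&apos;");
                    break;
                default:
                    escaped.append(c);
                    break;
            }
        }
        return escaped.toString();
    }

    /** Returns the LogoutResponse XML template with {@code ${...}} placeholders. */
    private static StringBuilder getLogoutResponseTemplate() {
        StringBuilder template = new StringBuilder();
        template.append("<samlp:LogoutResponse xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ");
        template.append("ID=\"${id}\" ");
        template.append("Version=\"2.0\" ");
        template.append("IssueInstant=\"${issueInstant}\"${destinationStr}${inResponseStr} >");
        template.append("<saml:Issuer>${issuer}</saml:Issuer>");
        template.append("<samlp:Status>");
        template.append("<samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\" />");
        template.append("</samlp:Status>");
        template.append("</samlp:LogoutResponse>");
        return template;
    }

    /**
     * Returns why the last {@link #isValid(String)} call failed.
     *
     * @return the error message, or {@code null} if the last validation passed or none ran
     */
    public String getError() {
        return this.error;
    }
}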
