package com.ibm.ws.security.saml.sso20.slo;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.saml.Constants;
import com.ibm.ws.security.saml.SsoConfig;
import com.ibm.ws.security.saml.SsoSamlService;
import com.ibm.ws.security.saml.error.SamlException;
import com.ibm.ws.security.saml.sso20.binding.BasicMessageContext;
import com.ibm.ws.security.saml.sso20.internal.utils.ForwardRequestInfo;
import com.ibm.ws.security.saml.sso20.internal.utils.RequestUtil;
import com.ibm.ws.security.saml.sso20.internal.utils.SamlUtil;
import com.ibm.ws.security.saml.sso20.metadata.AcsDOMMetadataProvider;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.UnsupportedEncodingException;
import java.util.Iterator;
import net.shibboleth.utilities.java.support.codec.Base64Support;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.Criterion;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import net.shibboleth.utilities.java.support.xml.SerializeSupport;
import org.joda.time.DateTime;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.io.Marshaller;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.LogoutResponse;
import org.opensaml.saml.saml2.core.Status;
import org.opensaml.saml.saml2.core.StatusCode;
import org.opensaml.saml.saml2.core.impl.IssuerBuilder;
import org.opensaml.saml.saml2.core.impl.LogoutRequestMarshaller;
import org.opensaml.saml.saml2.core.impl.LogoutResponseBuilder;
import org.opensaml.saml.saml2.core.impl.StatusBuilder;
import org.opensaml.saml.saml2.core.impl.StatusCodeBuilder;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.saml2.metadata.SingleLogoutService;
import org.opensaml.security.credential.Credential;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.Signer;
import org.opensaml.xmlsec.signature.support.SignerProvider;

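/**
 * Answers an IdP-initiated SAML 2.0 single logout (SLO) for one service provider.
 *
 * <p>Flow of {@link #sendSLOResponseToIdp}: log the local session out, build a
 * {@code LogoutResponse} whose {@code InResponseTo} is the inbound request ID and whose
 * {@code Destination} is the IdP's HTTP-POST {@code SingleLogoutService} endpoint taken from
 * the configured IdP metadata, sign it when the SP is configured to sign outbound messages,
 * and auto-POST it to that endpoint with the IdP's own RelayState echoed back.
 *
 * <p>NOTE(review): nothing here validates the inbound {@code LogoutRequest}; the
 * {@link BasicMessageContext} handed in is assumed to have been validated (signature,
 * issuer, destination) by the caller — confirm against the invoking request handler.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
public class IdPInitiatedSLO {
    public static final TraceComponent tc = Tr.register(IdPInitiatedSLO.class, "SAML20", "com.ibm.ws.security.saml.sso20.internal.resources.SamlSso20Messages");
    SsoSamlService ssoService;
    BasicMessageContext<?, ?> basicMsgCtx;
    /** RelayState received with the IdP's LogoutRequest; echoed back unchanged in the POST, or null. */
    String idpRelayState;
    static final String SINDEX = "sessionIndex";
    static final long serialVersionUID = 1524137271191391371L;

    /** Same as the three-argument constructor with no RelayState to echo. */
    public IdPInitiatedSLO(SsoSamlService ssoSamlService, BasicMessageContext<?, ?> basicMessageContext) {
        this(ssoSamlService, basicMessageContext, null);
    }

    /**
     * @param ssoSamlService      the SP this logout belongs to (config, signing credential, provider id)
     * @param basicMessageContext context of the inbound LogoutRequest (InResponseTo, status, metadata provider)
     * @param str                 RelayState received from the IdP, or null when none was sent
     */
    public IdPInitiatedSLO(SsoSamlService ssoSamlService, BasicMessageContext<?, ?> basicMessageContext, String str) {
        this.ssoService = ssoSamlService;
        this.basicMsgCtx = basicMessageContext;
        this.idpRelayState = str;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "IdPInitiatedSLO(" + ssoSamlService.getProviderId() + ")", new Object[0]);
        }
    }

    /**
     * Logs the local session out and delivers the SP's LogoutResponse to the IdP.
     *
     * <p>A failure of the local logout is not fatal: the response is still sent, but with a
     * {@code Responder} status so the IdP does not record a successful logout. A failure to build or
     * deliver the response ends in {@link #handleLogoutError}; the local logout has already happened
     * by then.
     */
    @FFDCIgnore({SamlException.class})
    public void sendSLOResponseToIdp(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            // Flag the request so logout hooks can tell this is a SAML SLO, then drop the local session.
            httpServletRequest.setAttribute(Constants.SLOINPROGRESS, true);
            httpServletRequest.logout();
        } catch (ServletException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.saml.sso20.slo.IdPInitiatedSLO", "123", this, new Object[]{httpServletRequest, httpServletResponse});
            // Local logout failed: report a Responder-side failure instead of claiming success to the IdP.
            this.basicMsgCtx.getSLOResponseStatus().getStatusCode().setValue("urn:oasis:names:tc:SAML:2.0:status:Responder");
        }
        try {
            String idpSloUrl = handleIdpMetadataAndLogoutUrl(this.basicMsgCtx);
            LogoutResponse logoutResponse = buildLogoutResponse(this.basicMsgCtx.getInResponseTo(), httpServletRequest, this.basicMsgCtx);
            // Signing is keyed off the SP's authnRequestsSigned setting; there is no separate SLO switch here.
            if (this.basicMsgCtx.getSsoConfig().isAuthnRequestsSigned()) {
                signLogoutResponse(logoutResponse, RequestUtil.getSigningCredential(this.ssoService));
            }
            postIdp(httpServletRequest, httpServletResponse, getSignedLogoutResponseString(logoutResponse), Constants.SP_INITAL + SamlUtil.generateRandom(), idpSloUrl);
        } catch (SamlException e2) {
            handleLogoutError(httpServletRequest, httpServletResponse, e2);
        }
    }

    /**
     * Invoked when the LogoutResponse could not be built, signed or posted.
     *
     * <p>Previously an empty method, so the failure vanished without a trace. It now records the
     * cause at debug level. The HTTP response is still left untouched, as before, so the browser
     * presumably receives whatever the container sends for an unanswered request — the IdP never
     * learns that the SP-side logout completed. NOTE(review): consider whether an explicit error
     * status or error page is wanted here.
     */
    private void handleLogoutError(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SamlException cause) {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "IdP-initiated SLO response failed for provider " + this.ssoService.getProviderId() + ": " + cause.getMessage(), new Object[0]);
        }
    }

    /**
     * Resolves the IdP's HTTP-POST {@code SingleLogoutService} endpoint from the configured IdP
     * metadata and records it on the context as the peer endpoint. The endpoint comes from trusted
     * configuration, never from the inbound request.
     *
     * @return the endpoint location, or {@code null} when the IDPSSODescriptor lists no POST-binding
     *         SingleLogoutService (the peer endpoint is then left unset; {@link #buildLogoutResponse}
     *         rejects a missing peer endpoint)
     * @throws SamlException when no metadata provider is configured, the metadata does not resolve to an
     *         EntityDescriptor, it has no SAML 2.0 IDPSSODescriptor, or resolution itself fails
     */
    String handleIdpMetadataAndLogoutUrl(BasicMessageContext<?, ?> basicMessageContext) throws SamlException {
        AcsDOMMetadataProvider metadataProvider = basicMessageContext.getMetadataProvider();
        if (metadataProvider == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "idp metadata file :" + basicMessageContext.getSsoConfig().getIdpMetadata(), new Object[0]);
            }
            String idpMetadata = this.ssoService.getConfig().getIdpMetadata();
            String providerId = this.ssoService.getProviderId();
            // Distinguish "nothing configured" from "configured but unusable" for the administrator.
            if (idpMetadata == null || idpMetadata.isEmpty()) {
                throw new SamlException("SAML20_NO_IDP_URL_OR_METADATA", (Exception) null, new Object[]{providerId});
            }
            throw new SamlException("SAML20_NO_IDP_URL_ERROR", (Exception) null, new Object[]{idpMetadata, providerId});
        }
        EntityDescriptor entityDescriptor;
        try {
            // Only the entity this provider was loaded for is acceptable as the logout peer.
            entityDescriptor = metadataProvider.resolveSingle(new CriteriaSet(new Criterion[]{new EntityIdCriterion(metadataProvider.getEntityId())}));
        } catch (ResolverException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.saml.sso20.slo.IdPInitiatedSLO", "241", this, new Object[]{basicMessageContext});
            throw new SamlException((Exception) e);
        }
        if (entityDescriptor == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "ERROR: metadata is not an EntityDescriptor", new Object[0]);
                Tr.debug(tc, "idp metadata file :" + basicMessageContext.getSsoConfig().getIdpMetadata(), new Object[0]);
            }
            throw new SamlException("SAML20_NO_IDP_URL_ERROR", (Exception) null, new Object[]{this.ssoService.getConfig().getIdpMetadata(), this.ssoService.getProviderId()});
        }
        IDPSSODescriptor idpDescriptor = entityDescriptor.getIDPSSODescriptor(Constants.SAML20P_NS);
        if (idpDescriptor == null) {
            throw new SamlException("SAML20_IDP_METADATA_PARSE_ERROR", (Exception) null, new Object[]{this.ssoService.getConfig().getIdpMetadata(), this.ssoService.getProviderId(), "No IDPSSODescriptor"});
        }
        String sloUrl = null;
        // First POST-binding endpoint wins; other bindings are not supported by postIdp.
        for (SingleLogoutService sloService : idpDescriptor.getSingleLogoutServices()) {
            if (Constants.SAML2_POST_BINDING_URI.equals(sloService.getBinding())) {
                basicMessageContext.setPeerEntityEndpoint(sloService);
                sloUrl = sloService.getLocation();
                break;
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "idpLogout url:" + sloUrl + "(" + Constants.SAML2_POST_BINDING_URI + ")", new Object[0]);
        }
        return sloUrl;
    }

    /**
     * Builds the (unsigned) LogoutResponse.
     *
     * @param str                 ID of the inbound LogoutRequest, used as InResponseTo
     * @param httpServletRequest  used only to derive this SP's entity URL for the Issuer
     * @param basicMessageContext supplies the peer endpoint (Destination) and the status to report
     * @throws SamlException when no peer endpoint with a location has been recorded on the context
     */
    LogoutResponse buildLogoutResponse(String str, HttpServletRequest httpServletRequest, BasicMessageContext<?, ?> basicMessageContext) throws SamlException {
        // Destination must be the IdP endpoint from metadata; refuse to build a response without one.
        if (basicMessageContext == null || basicMessageContext.getPeerEntityEndpoint() == null || basicMessageContext.getPeerEntityEndpoint().getLocation() == null) {
            throw new SamlException("SAML20_SLOENDPOINT_NOT_IN_METADATA", (Exception) null, new Object[]{this.ssoService.getProviderId()});
        }
        LogoutResponse response = new LogoutResponseBuilder().buildObject();
        response.setInResponseTo(str);
        response.setConsent(Constants.SAML2_CONSENT_UNSPECIFIED_URI);
        response.setDestination(basicMessageContext.getPeerEntityEndpoint().getLocation());
        response.setIssueInstant(new DateTime());
        response.setVersion(SAMLVersion.VERSION_20);
        response.setID(SamlUtil.generateRandomID());
        response.setIssuer(getIssuer(RequestUtil.getEntityUrl(httpServletRequest, Constants.SAML20_CONTEXT_PATH, this.ssoService.getProviderId(), this.ssoService.getConfig())));
        Status status = new StatusBuilder().buildObject();
        StatusCode statusCode = new StatusCodeBuilder().buildObject();
        statusCode.setValue(getStatus(basicMessageContext));
        status.setStatusCode(statusCode);
        response.setStatus(status);
        return response;
    }

    /** Status code value accumulated on the context (Success, or Responder if the local logout failed). */
    private String getStatus(BasicMessageContext<?, ?> basicMessageContext) {
        return basicMessageContext.getSLOResponseStatus().getStatusCode().getValue();
    }

    /** Wraps this SP's entity URL in an Issuer element. */
    Issuer getIssuer(String str) {
        Issuer issuer = new IssuerBuilder().buildObject();
        issuer.setValue(str);
        return issuer;
    }

    /**
     * Auto-POSTs the serialized LogoutResponse to the IdP's SLO endpoint.
     *
     * @param str  serialized LogoutResponse XML (Base64-encoded here as the SAMLResponse form field)
     * @param str2 SP-generated relay value; only checked for presence, never sent — the RelayState
     *             echoed is {@link #idpRelayState}, as the binding requires
     * @param str3 IdP SLO endpoint URL (the form's action)
     * @throws SamlException when any argument is null, or the UTF-8 encoding is unavailable
     */
    void postIdp(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2, String str3) throws SamlException {
        // Validate before touching str: the previous order encoded first and would NPE on a null response.
        if (str == null || str2 == null || str3 == null) {
            throw new SamlException("RelayState, Single-Sign-On URL, and Saml Logout Response must be provided");
        }
        try {
            String encoded = Base64Support.encode(str.getBytes(Constants.UTF8), false);
            httpServletResponse.setStatus(200);
            ForwardRequestInfo postForm = new ForwardRequestInfo(str3);
            // NOTE(review): idpRelayState came from the IdP's request and is written into the
            // auto-POST form; HTML escaping is assumed to be done by ForwardRequestInfo — confirm.
            if (this.idpRelayState != null) {
                postForm.setParameter(Constants.RELAY_STATE, new String[]{this.idpRelayState});
            }
            postForm.setParameter(Constants.SAMLResponse, new String[]{encoded});
            postForm.redirectPostRequest(httpServletRequest, httpServletResponse, null, null);
        } catch (UnsupportedEncodingException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.saml.sso20.slo.IdPInitiatedSLO", "337", this, new Object[]{httpServletRequest, httpServletResponse, str, str2, str3});
            throw new SamlException(e);
        }
    }

    /**
     * Attaches an enveloped XML signature to the object using the configured signature algorithm
     * and exclusive C14N, then signs it. A no-op when the object is not signable or no credential
     * is available.
     *
     * <p>The thread context class loader is switched to the signer provider's loader around
     * {@code Signer.signObject} and restored on every exit path.
     *
     * @throws SamlException when no marshaller is registered for the object or signing fails
     */
    void signLogoutResponse(SAMLObject sAMLObject, Credential credential) throws SamlException {
        SsoConfig config = this.ssoService.getConfig();
        if (!(sAMLObject instanceof SignableSAMLObject) || credential == null) {
            return;
        }
        SignableSAMLObject signable = (SignableSAMLObject) sAMLObject;
        Signature signature = XMLObjectProviderRegistrySupport.getBuilderFactory().getBuilder(Signature.DEFAULT_ELEMENT_NAME).buildObject(Signature.DEFAULT_ELEMENT_NAME);
        signature.setSignatureAlgorithm(config.getSignatureMethodAlgorithm());
        signature.setCanonicalizationAlgorithm("http://www.w3.org/2001/10/xml-exc-c14n#");
        signature.setSigningCredential(credential);
        signable.setSignature(signature);
        ClassLoader savedLoader = Thread.currentThread().getContextClassLoader();
        try {
            Marshaller marshaller = XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(signable);
            if (marshaller == null) {
                throw new SamlException("SAML20_AUTHENTICATION_FAIL", (Exception) null, new Object[0]);
            }
            // The DOM must exist before signing; signObject computes the signature over it.
            marshaller.marshall(signable);
            Thread.currentThread().setContextClassLoader(SignerProvider.class.getClassLoader());
            Signer.signObject(signature);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.saml.sso20.slo.IdPInitiatedSLO", "408", this, new Object[]{sAMLObject, credential});
            throw new SamlException(e, true);
        } finally {
            Thread.currentThread().setContextClassLoader(savedLoader);
        }
    }

    /**
     * Serializes the LogoutResponse to an XML string.
     *
     * <p>Uses the marshaller registered for the object's element type. The previous code used a
     * {@code LogoutRequestMarshaller} here, which appears to work only because signing had already
     * cached a DOM on the object; with signing disabled the response would be marshalled by a
     * request-typed marshaller.
     *
     * @return the XML, or {@code null} when {@code logoutResponse} is null
     * @throws SamlException when no marshaller is registered or marshalling fails
     */
    String getSignedLogoutResponseString(LogoutResponse logoutResponse) throws SamlException {
        if (logoutResponse == null) {
            return null;
        }
        try {
            Marshaller marshaller = XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(logoutResponse);
            if (marshaller == null) {
                throw new SamlException("SAML20_AUTHENTICATION_FAIL", (Exception) null, new Object[0]);
            }
            return SerializeSupport.nodeToString(marshaller.marshall(logoutResponse));
        } catch (MarshallingException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.saml.sso20.slo.IdPInitiatedSLO", "424", this, new Object[]{logoutResponse});
            throw new SamlException((Exception) e, true);
        }
    }
}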
