package com.ibm.ws.security.saml.sso20.slo;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.websphere.security.saml2.Saml20Token;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.saml.Constants;
import com.ibm.ws.security.saml.SsoConfig;
import com.ibm.ws.security.saml.SsoSamlService;
import com.ibm.ws.security.saml.error.SamlException;
import com.ibm.ws.security.saml.sso20.binding.BasicMessageContext;
import com.ibm.ws.security.saml.sso20.binding.BasicMessageContextBuilder;
import com.ibm.ws.security.saml.sso20.internal.utils.ForwardRequestInfo;
import com.ibm.ws.security.saml.sso20.internal.utils.HttpRequestInfo;
import com.ibm.ws.security.saml.sso20.internal.utils.RequestUtil;
import com.ibm.ws.security.saml.sso20.internal.utils.SamlUtil;
import com.ibm.ws.security.sso.common.saml.propagation.SamlCommonUtil;
import com.ibm.wsspi.security.tai.TAIResult;
import java.io.UnsupportedEncodingException;
import java.util.Iterator;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.SAMLVersion;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.LogoutRequest;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.NameIDPolicy;
import org.opensaml.saml2.core.SessionIndex;
import org.opensaml.saml2.core.impl.IssuerBuilder;
import org.opensaml.saml2.core.impl.LogoutRequestBuilder;
import org.opensaml.saml2.core.impl.LogoutRequestMarshaller;
import org.opensaml.saml2.core.impl.NameIDBuilder;
import org.opensaml.saml2.core.impl.NameIDPolicyBuilder;
import org.opensaml.saml2.core.impl.SessionIndexBuilder;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.SingleLogoutService;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.io.Marshaller;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.SecurityConfiguration;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.util.Base64;
import org.opensaml.xml.util.XMLHelper;

@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:com/ibm/ws/security/saml/sso20/slo/SPInitiatedSLO.class */
public class SPInitiatedSLO {
    public static final TraceComponent tc = Tr.register(SPInitiatedSLO.class, "SAML20", "com.ibm.ws.security.saml.sso20.internal.resources.SamlSso20Messages");
    SsoSamlService ssoService;
    Subject subject;
    static final String SINDEX = "sessionIndex";
    static final long serialVersionUID = -2078822354329024931L;

    public SPInitiatedSLO(SsoSamlService ssoSamlService, Subject subject) {
        this.ssoService = null;
        this.subject = null;
        this.ssoService = ssoSamlService;
        this.subject = subject;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "SLOSolicited(" + ssoSamlService.getProviderId() + ")", new Object[0]);
        }
    }

    @FFDCIgnore({SamlException.class})
    public void buildandSendSLORequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws SamlException {
        BasicMessageContext<?, ?, ?> buildIdp = BasicMessageContextBuilder.getInstance().buildIdp(httpServletRequest, httpServletResponse, this.ssoService);
        String handleIdpMetadataAndLogoutUrl = handleIdpMetadataAndLogoutUrl(buildIdp);
        if (this.ssoService.getConfig() != null && handleIdpMetadataAndLogoutUrl != null && this.ssoService.getConfig().isHttpsRequired() && !handleIdpMetadataAndLogoutUrl.startsWith("https")) {
            throw new SamlException("SAML20_IDP_PROTOCOL_NOT_HTTPS", (Exception) null, new Object[]{handleIdpMetadataAndLogoutUrl});
        }
        HttpRequestInfo httpRequestInfo = new HttpRequestInfo(httpServletRequest);
        httpServletRequest.setAttribute(Constants.SP_INITIATED_SLO_IN_PROGRESS, Constants.TRUE);
        httpRequestInfo.restorePostParams(httpServletRequest);
        LogoutRequest buildLogoutRequest = buildLogoutRequest(httpRequestInfo.getInResponseToId(), httpServletRequest, buildIdp);
        try {
            if (buildIdp.getSsoConfig().isAuthnRequestsSigned()) {
                signLogoutRequest(buildLogoutRequest, RequestUtil.getSigningCredential(this.ssoService));
            }
            String logoutRequestString = getLogoutRequestString(buildLogoutRequest);
            String generateRandom = SamlUtil.generateRandom();
            String str = Constants.SP_INITAL + generateRandom;
            RequestUtil.cacheRequestInfo(generateRandom, this.ssoService, httpRequestInfo);
            buildIdp.setCachedRequestInfo(httpRequestInfo);
            postIdp(httpServletRequest, httpServletResponse, logoutRequestString, str, handleIdpMetadataAndLogoutUrl, httpRequestInfo);
        } catch (SamlException e) {
            throw e;
        }
    }

    String handleIdpMetadataAndLogoutUrl(BasicMessageContext<?, ?, ?> basicMessageContext) throws SamlException {
        String str = null;
        MetadataProvider metadataProvider = basicMessageContext.getMetadataProvider();
        if (metadataProvider == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "idp metadata file :" + basicMessageContext.getSsoConfig().getIdpMetadata(), new Object[0]);
            }
            String idpMetadata = this.ssoService.getConfig().getIdpMetadata();
            String providerId = this.ssoService.getProviderId();
            if (idpMetadata == null || idpMetadata.isEmpty()) {
                throw new SamlException("SAML20_NO_IDP_URL_OR_METADATA", (Exception) null, new Object[]{providerId});
            }
            throw new SamlException("SAML20_NO_IDP_URL_ERROR", (Exception) null, new Object[]{idpMetadata, providerId});
        }
        try {
            EntityDescriptor metadata = metadataProvider.getMetadata();
            if (!(metadata instanceof EntityDescriptor)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "ERROR: metadata is not an EntityDescriptor", new Object[0]);
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "idp metadata file :" + basicMessageContext.getSsoConfig().getIdpMetadata(), new Object[0]);
                }
                throw new SamlException("SAML20_NO_IDP_URL_ERROR", (Exception) null, new Object[]{this.ssoService.getConfig().getIdpMetadata(), this.ssoService.getProviderId()});
            }
            EntityDescriptor entityDescriptor = metadata;
            basicMessageContext.setPeerEntityId(entityDescriptor.getEntityID());
            IDPSSODescriptor iDPSSODescriptor = entityDescriptor.getIDPSSODescriptor(Constants.SAML20P_NS);
            if (iDPSSODescriptor == null) {
                throw new SamlException("SAML20_IDP_METADATA_PARSE_ERROR", (Exception) null, new Object[]{this.ssoService.getConfig().getIdpMetadata(), this.ssoService.getProviderId(), "No IDPSSODescriptor"});
            }
            Iterator it = iDPSSODescriptor.getSingleLogoutServices().iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                SingleLogoutService singleLogoutService = (SingleLogoutService) it.next();
                if (Constants.SAML2_POST_BINDING_URI.equals(singleLogoutService.getBinding())) {
                    basicMessageContext.setPeerEntityEndpoint(singleLogoutService);
                    str = singleLogoutService.getLocation();
                    break;
                }
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "idpLogout url:" + str + "(" + Constants.SAML2_POST_BINDING_URI + ")", new Object[0]);
            }
            return str;
        } catch (MetadataProviderException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.saml.sso20.slo.SPInitiatedSLO", "217", this, new Object[]{basicMessageContext});
            throw new SamlException((Exception) e);
        }
    }

    LogoutRequest buildLogoutRequest(String str, HttpServletRequest httpServletRequest, BasicMessageContext<?, ?, ?> basicMessageContext) throws SamlException {
        LogoutRequest buildObject = new LogoutRequestBuilder().buildObject();
        buildObject.setID(str);
        RequestUtil.getAcsUrl(httpServletRequest, Constants.SAML20_CONTEXT_PATH, this.ssoService.getProviderId(), this.ssoService.getConfig());
        buildObject.setVersion(SAMLVersion.VERSION_20);
        buildObject.setIssuer(getIssuer(RequestUtil.getEntityUrl(httpServletRequest, Constants.SAML20_CONTEXT_PATH, this.ssoService.getProviderId(), this.ssoService.getConfig())));
        buildObject.setIssueInstant(new DateTime());
        if (basicMessageContext == null || basicMessageContext.getPeerEntityEndpoint() == null || basicMessageContext.getPeerEntityEndpoint().getLocation() == null) {
            throw new SamlException("SAML20_SLOENDPOINT_NOT_IN_METADATA", (Exception) null, new Object[]{this.ssoService.getProviderId()});
        }
        buildObject.setDestination(basicMessageContext.getPeerEntityEndpoint().getLocation());
        NameID buildObject2 = new NameIDBuilder().buildObject();
        Saml20Token saml20TokenFromSubject = SamlCommonUtil.getSaml20TokenFromSubject(this.subject, true);
        if (saml20TokenFromSubject == null) {
            throw new SamlException("LOGOUT_CANNOT_FIND_SAMLTOKEN");
        }
        NameID nameID = (NameID) saml20TokenFromSubject.getProperties().get(Constants.LOCAL_NAME_NameID);
        buildObject2.setFormat(saml20TokenFromSubject.getSAMLNameIDFormat());
        buildObject2.setValue(saml20TokenFromSubject.getSAMLNameID());
        buildObject2.setSPNameQualifier(nameID.getSPNameQualifier());
        buildObject2.setNameQualifier(nameID.getNameQualifier());
        String str2 = (String) saml20TokenFromSubject.getProperties().get(SINDEX);
        buildObject.setNameID(buildObject2);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "session index = ", new Object[]{str2});
        }
        SessionIndex buildObject3 = new SessionIndexBuilder().buildObject();
        buildObject3.setSessionIndex(str2);
        buildObject.getSessionIndexes().add(buildObject3);
        return buildObject;
    }

    Issuer getIssuer(String str) {
        Issuer buildObject = new IssuerBuilder().buildObject();
        buildObject.setValue(str);
        return buildObject;
    }

    NameIDPolicy buildNameIdPolicy(SsoConfig ssoConfig) {
        NameIDPolicy buildObject = new NameIDPolicyBuilder().buildObject();
        String nameIDFormat = ssoConfig.getNameIDFormat();
        if (nameIDFormat != null && !nameIDFormat.isEmpty()) {
            buildObject.setFormat(nameIDFormat);
        }
        Boolean allowCreate = ssoConfig.getAllowCreate();
        if (allowCreate != null) {
            buildObject.setAllowCreate(allowCreate);
        }
        return buildObject;
    }

    TAIResult postIdp(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2, String str3, HttpRequestInfo httpRequestInfo) throws SamlException {
        try {
            String encodeBytes = Base64.encodeBytes(str.getBytes(Constants.UTF8), 8);
            if (str2 == null || encodeBytes == null || str3 == null) {
                throw new SamlException("RelayState, Single-Sign-On URL, and Saml Logout Request must be provided");
            }
            httpServletResponse.setStatus(200);
            ForwardRequestInfo forwardRequestInfo = new ForwardRequestInfo(str3);
            forwardRequestInfo.setFragmentCookieId(httpRequestInfo.getFragmentCookieId());
            forwardRequestInfo.setParameter(Constants.RELAY_STATE, new String[]{str2});
            forwardRequestInfo.setParameter(Constants.SAMLRequest, new String[]{encodeBytes});
            forwardRequestInfo.redirectPostRequest(httpServletRequest, httpServletResponse, null, null);
            try {
                return TAIResult.create(403);
            } catch (WebTrustAssociationFailedException e) {
                FFDCFilter.processException(e, "com.ibm.ws.security.saml.sso20.slo.SPInitiatedSLO", "375", this, new Object[]{httpServletRequest, httpServletResponse, str, str2, str3, httpRequestInfo});
                throw new SamlException((Exception) e);
            }
        } catch (UnsupportedEncodingException e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.security.saml.sso20.slo.SPInitiatedSLO", "342", this, new Object[]{httpServletRequest, httpServletResponse, str, str2, str3, httpRequestInfo});
            throw new SamlException(e2);
        }
    }

    void signLogoutRequest(SAMLObject sAMLObject, Credential credential) throws SamlException {
        SsoConfig config = this.ssoService.getConfig();
        if (!(sAMLObject instanceof SignableSAMLObject) || credential == null) {
            return;
        }
        SignableSAMLObject signableSAMLObject = (SignableSAMLObject) sAMLObject;
        Signature buildObject = Configuration.getBuilderFactory().getBuilder(Signature.DEFAULT_ELEMENT_NAME).buildObject(Signature.DEFAULT_ELEMENT_NAME);
        buildObject.setSignatureAlgorithm(config.getSignatureMethodAlgorithm());
        buildObject.setCanonicalizationAlgorithm("http://www.w3.org/2001/10/xml-exc-c14n#");
        buildObject.setSigningCredential(credential);
        try {
            SecurityHelper.prepareSignatureParams(buildObject, credential, (SecurityConfiguration) null, (String) null);
            signableSAMLObject.setSignature(buildObject);
            try {
                Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(signableSAMLObject);
                if (marshaller == null) {
                    throw new SamlException("SAML20_AUTHENTICATION_FAIL", (Exception) null, new Object[0]);
                }
                marshaller.marshall(signableSAMLObject);
                Signer.signObject(buildObject);
            } catch (Exception e) {
                FFDCFilter.processException(e, "com.ibm.ws.security.saml.sso20.slo.SPInitiatedSLO", "421", this, new Object[]{sAMLObject, credential});
                throw new SamlException(e, true);
            }
        } catch (SecurityException e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.security.saml.sso20.slo.SPInitiatedSLO", "403", this, new Object[]{sAMLObject, credential});
            throw new SamlException((Exception) e2, true);
        }
    }

    String getLogoutRequestString(LogoutRequest logoutRequest) throws SamlException {
        String str = null;
        if (logoutRequest != null) {
            try {
                str = XMLHelper.nodeToString(new LogoutRequestMarshaller().marshall(logoutRequest));
            } catch (MarshallingException e) {
                FFDCFilter.processException(e, "com.ibm.ws.security.saml.sso20.slo.SPInitiatedSLO", "434", this, new Object[]{logoutRequest});
                throw new SamlException((Exception) e, true);
            }
        }
        return str;
    }
}
