package org.apereo.cas.support.saml.web.idp.profile.slo;

import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import org.apache.commons.lang3.tuple.Pair;
import org.apereo.cas.configuration.model.support.saml.idp.SamlIdPLogoutProperties;
import org.apereo.cas.logout.slo.SingleLogoutUrl;
import org.apereo.cas.support.saml.SamlIdPUtils;
import org.apereo.cas.support.saml.SamlUtils;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade;
import org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController;
import org.apereo.cas.support.saml.web.idp.profile.SamlProfileHandlerConfigurationContext;
import org.apereo.cas.util.EncodingUtils;
import org.apereo.cas.web.support.WebUtils;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.decoder.servlet.BaseHttpServletRequestXMLMessageDecoder;
import org.opensaml.saml.common.SAMLException;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.common.binding.SAMLBindingSupport;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.LogoutResponse;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/support/saml/web/idp/profile/slo/AbstractSamlSLOProfileHandlerController.class */
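/**
 * Base controller for the SAML2 IdP single logout (SLO) profile endpoints.
 *
 * <p>It decodes an inbound SAML message and dispatches on its type. A {@link LogoutResponse}
 * is only logged. A {@link LogoutRequest} is matched to a registered SAML service, its
 * signature is checked when one is present, and the request is forwarded to {@code /logout}.
 *
 * <p>Security note: an unsigned logout request is rejected only when
 * {@code isForceSignedLogoutRequests()} returns true. When it returns false, the issuer of an
 * unsigned request is an unauthenticated claim, yet it still selects the registered service and
 * the logout redirect URL. Deployments that need authenticated SLO should enable that setting.
 */
public abstract class AbstractSamlSLOProfileHandlerController extends AbstractSamlIdPProfileHandlerController {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(AbstractSamlSLOProfileHandlerController.class);

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Creates the controller around the shared SAML profile handler configuration.
     *
     * @param samlProfileHandlerConfigurationContext configuration context handed to the parent controller
     */
    public AbstractSamlSLOProfileHandlerController(SamlProfileHandlerConfigurationContext samlProfileHandlerConfigurationContext) {
        super(samlProfileHandlerConfigurationContext);
    }

    /**
     * Logs an inbound logout response.
     *
     * <p>NOTE(review): this method checks neither the signature nor the status of the response and
     * does not correlate it with an outstanding request. The response is diagnostic only; do not
     * treat it as confirmation that the service provider ended its session.
     *
     * @param pair decoded SAML object (expected to be a {@link LogoutResponse}) and its message context
     */
    private void handleLogoutResponse(Pair<? extends SignableSAMLObject, MessageContext> pair) {
        LogoutResponse logoutResponse = (LogoutResponse) pair.getKey();
        LOGGER.debug("Received logout response from [{}]", SamlIdPUtils.getIssuerFromSamlObject(logoutResponse.getIssuer()));
        SamlUtils.logSamlObject(getConfigurationContext().getOpenSamlConfigBean(), logoutResponse);
    }

    /**
     * Validates an inbound logout request and forwards it to the {@code /logout} endpoint.
     *
     * <p>Steps: enforce the signed-request policy, resolve the registered SAML service and its
     * metadata from the request issuer, verify the signature when the message is signed, then store
     * the registered service, its first single-logout URL (if any) and the base64-encoded request on
     * the servlet request before forwarding.
     *
     * @param httpServletResponse servlet response passed on to the forward
     * @param httpServletRequest  servlet request that receives the logout attributes
     * @param pair                decoded SAML object (expected to be a {@link LogoutRequest}) and its message context
     * @throws Exception if the request must be signed but is not, if the issuer does not map to a
     *                   registered SAML service with resolvable metadata, or if signature
     *                   verification, serialization or the forward fails
     */
    private void handleLogoutRequest(HttpServletResponse httpServletResponse, HttpServletRequest httpServletRequest, Pair<? extends SignableSAMLObject, MessageContext> pair) throws Exception {
        SamlProfileHandlerConfigurationContext configurationContext = getConfigurationContext();
        SamlIdPLogoutProperties logout = configurationContext.getCasProperties().getAuthn().getSamlIdp().getLogout();
        LogoutRequest logoutRequest = (LogoutRequest) pair.getKey();
        MessageContext messageContext = pair.getValue();

        boolean signed = SAMLBindingSupport.isMessageSigned(messageContext);
        if (logout.isForceSignedLogoutRequests() && !signed) {
            throw new SAMLException("Logout request is not signed but should be.");
        }

        String issuer = SamlIdPUtils.getIssuerFromSamlObject(logoutRequest);
        // Report the actual signing state: the previous message said "is signed" even for unsigned
        // requests, which is misleading when these logs are used to reconstruct an incident.
        LOGGER.trace("SAML logout request from entity id [{}] received; signed: [{}]", issuer, signed);

        SamlRegisteredService registeredService = configurationContext.getServicesManager().findServiceBy(configurationContext.getWebApplicationServiceFactory().createService(issuer), SamlRegisteredService.class);
        LOGGER.trace("SAML registered service tied to [{}] is [{}]", issuer, registeredService);
        if (registeredService == null) {
            // Fail closed with a protocol-level error instead of a NullPointerException further down.
            // The issuer is request-controlled, so it goes to the log, not into the exception message.
            LOGGER.warn("Rejecting SAML logout request: no registered SAML service matches issuer [{}]", issuer);
            throw new SAMLException("Logout request issuer is not a registered SAML service.");
        }
        // NOTE(review): no access-strategy/enabled check on the resolved service is visible here;
        // confirm that it is enforced elsewhere in the logout flow.

        Optional<SamlRegisteredServiceServiceProviderMetadataFacade> metadata = SamlRegisteredServiceServiceProviderMetadataFacade.get(configurationContext.getSamlRegisteredServiceCachingMetadataResolver(), registeredService, issuer);
        if (!metadata.isPresent()) {
            LOGGER.warn("Rejecting SAML logout request: no service provider metadata resolved for issuer [{}]", issuer);
            throw new SAMLException("Service provider metadata could not be resolved for the logout request issuer.");
        }
        SamlRegisteredServiceServiceProviderMetadataFacade facade = metadata.get();

        if (signed) {
            // Reached for every signed request; unsigned ones get here only when signing is not enforced.
            LOGGER.trace("Verifying signature on the SAML logout request for [{}]", issuer);
            configurationContext.getSamlObjectSignatureValidator().verifySamlProfileRequestIfNeeded((RequestAbstractType) logoutRequest, facade, httpServletRequest, messageContext);
        }
        SamlUtils.logSamlObject(configurationContext.getOpenSamlConfigBean(), logoutRequest);

        // The redirect target comes from the registered service definition, never from the request.
        List<SingleLogoutUrl> logoutUrls = SingleLogoutUrl.from(registeredService);
        if (!logoutUrls.isEmpty()) {
            WebUtils.putLogoutRedirectUrl(httpServletRequest, logoutUrls.get(0).getUrl());
        }
        WebUtils.putRegisteredService(httpServletRequest, registeredService);

        // Reads the inherited field directly, as the decompiled original does; presumably the same
        // object as getConfigurationContext() (confirm against the parent class).
        try (StringWriter writer = SamlUtils.transformSamlObject(this.configurationContext.getOpenSamlConfigBean(), logoutRequest)) {
            WebUtils.putSingleLogoutRequest(httpServletRequest, EncodingUtils.encodeBase64(writer.toString().getBytes(StandardCharsets.UTF_8)));
        }
        httpServletRequest.getServletContext().getRequestDispatcher("/logout").forward(httpServletRequest, httpServletResponse);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Entry point for SLO profile requests: decodes the inbound message and dispatches on its type.
     *
     * <p>When {@code isSingleLogoutCallbacksDisabled()} is true, or when no message can be extracted,
     * the method returns without writing anything to the response.
     *
     * @param httpServletResponse servlet response
     * @param httpServletRequest  servlet request carrying the SAML message
     * @param baseHttpServletRequestXMLMessageDecoder binding-specific decoder used to extract the message
     * @throws Exception if extraction or handling of the logout request fails
     */
    public void handleSloProfileRequest(HttpServletResponse httpServletResponse, HttpServletRequest httpServletRequest, BaseHttpServletRequestXMLMessageDecoder baseHttpServletRequestXMLMessageDecoder) throws Exception {
        if (getConfigurationContext().getCasProperties().getAuthn().getSamlIdp().getLogout().isSingleLogoutCallbacksDisabled()) {
            LOGGER.info("Processing SAML2 IdP SLO requests is disabled");
            return;
        }
        Optional<Pair<? extends SignableSAMLObject, MessageContext>> extract = getConfigurationContext().getSamlHttpRequestExtractor().extract(httpServletRequest, baseHttpServletRequestXMLMessageDecoder, SignableSAMLObject.class);
        if (!extract.isPresent()) {
            LOGGER.trace("Unable to process logout request/response");
            return;
        }
        Pair<? extends SignableSAMLObject, MessageContext> pair = extract.get();
        SignableSAMLObject message = pair.getKey();
        if (message instanceof LogoutResponse) {
            handleLogoutResponse(pair);
        } else if (message instanceof LogoutRequest) {
            handleLogoutRequest(httpServletResponse, httpServletRequest, pair);
        } else {
            // Previously dropped silently; leave a trace so unexpected traffic on the SLO endpoint is visible.
            LOGGER.debug("Ignoring SAML message that is neither a logout request nor a logout response: [{}]", message == null ? null : message.getClass().getName());
        }
    }
}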
