package org.nuxeo.ecm.platform.auth.saml.slo;

import java.util.Iterator;
import org.joda.time.DateTime;
import org.nuxeo.ecm.platform.auth.saml.AbstractSAMLProfile;
import org.nuxeo.ecm.platform.auth.saml.SAMLCredential;
import org.opensaml.common.SAMLException;
import org.opensaml.common.SAMLVersion;
import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.saml2.core.LogoutRequest;
import org.opensaml.saml2.core.LogoutResponse;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.SessionIndex;
import org.opensaml.saml2.metadata.SingleLogoutService;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.validation.ValidationException;

/* loaded from: input_file:org/nuxeo/ecm/platform/auth/saml/slo/SLOProfileImpl.class */
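/**
 * SAML 2.0 Single Logout (SLO) profile: builds outgoing {@link LogoutRequest}s and
 * processes incoming {@link LogoutRequest}s / {@link LogoutResponse}s for one
 * {@link SingleLogoutService} endpoint.
 *
 * <p>Security notes (what this class does and does not verify):
 * <ul>
 *   <li>If an inbound message carries an XML signature it MUST validate against the
 *       peer entity's keys; a failing signature is rejected with a {@link SAMLException}
 *       (it is never treated as authenticated).</li>
 *   <li>An inbound message without an XML signature is still processed; nothing in this
 *       class records it as authenticated. Whether a binding-level signature (e.g. the
 *       HTTP-Redirect query-string signature) is verified elsewhere is not visible here —
 *       NOTE(review): confirm before relying on this profile to log out sessions on the
 *       strength of an unsigned request.</li>
 *   <li>The issuer is validated only when an {@code Issuer} element is present.</li>
 *   <li>Session matching in {@link #processLogoutRequest} is by {@code SessionIndex}
 *       only; the request's {@code NameID} is checked for presence but not compared
 *       with the credential's {@code NameID}.</li>
 * </ul>
 */
public class SLOProfileImpl extends AbstractSAMLProfile implements SLOProfile {

    /** Status codes that mean the IdP completed (or partially completed) the logout. */
    private static final String STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";

    private static final String STATUS_PARTIAL_LOGOUT = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout";

    /**
     * @param singleLogoutService the SLO endpoint this profile targets; its location
     *        becomes the {@code Destination} of requests built by {@link #buildLogoutRequest}
     */
    public SLOProfileImpl(SingleLogoutService singleLogoutService) {
        super(singleLogoutService);
    }

    @Override
    public String getProfileIdentifier() {
        return SLOProfile.PROFILE_URI;
    }

    /**
     * Builds a {@link LogoutRequest} for the SP-initiated logout of the sessions held
     * in {@code sAMLCredential}.
     *
     * @param sAMLMessageContext the outbound message context (not read here)
     * @param sAMLCredential     the authenticated credential whose session indexes and
     *                           NameID are copied into the request
     * @return a new, unsigned request carrying a fresh ID, the current issue instant,
     *         the endpoint location as destination, every session index of the credential
     *         and its NameID
     * @throws SAMLException if the credential is missing or has no session indexes
     */
    @Override
    public LogoutRequest buildLogoutRequest(SAMLMessageContext sAMLMessageContext, SAMLCredential sAMLCredential) throws SAMLException {
        // Validate before building so a rejected call allocates nothing.
        if (sAMLCredential == null || sAMLCredential.getSessionIndexes() == null
                || sAMLCredential.getSessionIndexes().isEmpty()) {
            throw new SAMLException("No session indexes found");
        }

        LogoutRequest request = build(LogoutRequest.DEFAULT_ELEMENT_NAME);
        request.setID(newUUID());
        request.setVersion(SAMLVersion.VERSION_20);
        request.setIssueInstant(new DateTime());
        request.setDestination(getEndpoint().getLocation());

        for (String index : sAMLCredential.getSessionIndexes()) {
            SessionIndex sessionIndex = build(SessionIndex.DEFAULT_ELEMENT_NAME);
            sessionIndex.setSessionIndex(index);
            request.getSessionIndexes().add(sessionIndex);
        }
        request.setNameID(sAMLCredential.getNameID());
        return request;
    }

    /**
     * Processes an IdP-initiated {@link LogoutRequest} and decides whether it targets
     * the local session described by {@code sAMLCredential}.
     *
     * <p>Checks performed, in order: message type; XML signature (only if present, and
     * it must be valid); issuer (only if present); presence of a NameID, decrypting an
     * {@code EncryptedID} when a decrypter is configured; session-index match.
     *
     * @param sAMLMessageContext the inbound message context; marked authenticated only
     *                           after a present signature validated successfully
     * @param sAMLCredential     the local session's credential
     * @return {@code true} if the request names no session index at all (logout of every
     *         session of the principal) or one of its session indexes matches the
     *         credential; {@code false} otherwise, including when the credential has no
     *         session indexes
     * @throws SAMLException if the message is not a LogoutRequest, its signature does not
     *                       validate, the NameID cannot be decrypted or is absent
     */
    @Override
    public boolean processLogoutRequest(SAMLMessageContext sAMLMessageContext, SAMLCredential sAMLCredential) throws SAMLException {
        Object inbound = sAMLMessageContext.getInboundSAMLMessage();
        if (!(inbound instanceof LogoutRequest)) {
            throw new SAMLException("Message is not of a LogoutRequest object type");
        }
        LogoutRequest logoutRequest = (LogoutRequest) inbound;

        if (logoutRequest.getSignature() != null) {
            log.debug("Verifying message signature");
            // A signature that fails to validate is a rejection, not a warning: the
            // message must never be marked authenticated on that path.
            try {
                validateSignature(logoutRequest.getSignature(), sAMLMessageContext.getPeerEntityId());
            } catch (ValidationException e) {
                throw new SAMLException("Invalid signature on LogoutRequest", e);
            } catch (SecurityException e) {
                throw new SAMLException("Invalid signature on LogoutRequest", e);
            }
            sAMLMessageContext.setInboundSAMLMessageAuthenticated(true);
        }

        if (logoutRequest.getIssuer() != null) {
            log.debug("Verifying issuer of the message");
            validateIssuer(logoutRequest.getIssuer(), sAMLMessageContext);
        }

        NameID nameID;
        if (getDecrypter() != null && logoutRequest.getEncryptedID() != null) {
            Object decrypted;
            try {
                decrypted = getDecrypter().decrypt(logoutRequest.getEncryptedID());
            } catch (DecryptionException e) {
                throw new SAMLException("Failed to decrypt NameID", e);
            }
            // The decrypter returns a generic SAML object; anything but a NameID is rejected
            // rather than surfacing as a ClassCastException.
            if (!(decrypted instanceof NameID)) {
                throw new SAMLException("The requested NameID is invalid");
            }
            nameID = (NameID) decrypted;
        } else {
            nameID = logoutRequest.getNameID();
        }
        if (nameID == null) {
            throw new SAMLException("The requested NameID is invalid");
        }
        // NOTE(review): nameID is only checked for presence; it is not compared with
        // sAMLCredential.getNameID(). Matching below relies on SessionIndex alone.

        // No session indexes in the request means "log out all sessions of this principal".
        if (logoutRequest.getSessionIndexes() == null || logoutRequest.getSessionIndexes().isEmpty()) {
            return true;
        }
        if (sAMLCredential == null || sAMLCredential.getSessionIndexes() == null) {
            return false;
        }
        for (SessionIndex requested : logoutRequest.getSessionIndexes()) {
            if (sAMLCredential.getSessionIndexes().contains(requested.getSessionIndex())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Processes the {@link LogoutResponse} the IdP returns for a request built by
     * {@link #buildLogoutRequest}.
     *
     * <p>Checks performed: message type; XML signature (only if present, and it must be
     * valid); issuer (only if present); presence of a status code. A status other than
     * Success / PartialLogout is logged at WARN level but does not raise.
     * NOTE(review): the response's {@code InResponseTo} is not correlated with the
     * outstanding request here — confirm that is done elsewhere if it matters.
     *
     * @param sAMLMessageContext the inbound message context; marked authenticated only
     *                           after a present signature validated successfully
     * @throws SAMLException if the message is not a LogoutResponse, its signature does
     *                       not validate, or it carries no status code
     */
    @Override
    public void processLogoutResponse(SAMLMessageContext sAMLMessageContext) throws SAMLException {
        Object inbound = sAMLMessageContext.getInboundSAMLMessage();
        if (!(inbound instanceof LogoutResponse)) {
            throw new SAMLException("Message is not of a LogoutResponse object type");
        }
        LogoutResponse logoutResponse = (LogoutResponse) inbound;

        if (logoutResponse.getSignature() != null) {
            log.debug("Verifying message signature");
            // Same rule as for requests: a failing signature is fatal, never "authenticated".
            try {
                validateSignature(logoutResponse.getSignature(), sAMLMessageContext.getPeerEntityId());
            } catch (ValidationException e) {
                throw new SAMLException("Invalid signature on LogoutResponse", e);
            } catch (SecurityException e) {
                throw new SAMLException("Invalid signature on LogoutResponse", e);
            }
            sAMLMessageContext.setInboundSAMLMessageAuthenticated(true);
        }

        if (logoutResponse.getIssuer() != null) {
            log.debug("Verifying issuer of the message");
            validateIssuer(logoutResponse.getIssuer(), sAMLMessageContext);
        }

        // A Status/StatusCode is mandatory in SAML 2.0; guard instead of NPE-ing on it.
        if (logoutResponse.getStatus() == null || logoutResponse.getStatus().getStatusCode() == null
                || logoutResponse.getStatus().getStatusCode().getValue() == null) {
            throw new SAMLException("LogoutResponse carries no status code");
        }
        String statusCode = logoutResponse.getStatus().getStatusCode().getValue();
        if (STATUS_SUCCESS.equals(statusCode) || STATUS_PARTIAL_LOGOUT.equals(statusCode)) {
            return;
        }
        log.warn("Invalid status code " + statusCode + ": " + logoutResponse.getStatus().getStatusMessage());
    }
}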
