package com.onelogin.saml2.logout;

import com.onelogin.saml2.exception.SettingsException;
import com.onelogin.saml2.exception.ValidationError;
import com.onelogin.saml2.exception.XMLEntityException;
import com.onelogin.saml2.http.HttpRequest;
import com.onelogin.saml2.settings.Saml2Settings;
import com.onelogin.saml2.util.Constants;
import com.onelogin.saml2.util.SchemaFactory;
import com.onelogin.saml2.util.Util;
import java.io.IOException;
import java.net.URL;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.xml.xpath.XPathExpressionException;
import org.apache.commons.lang3.text.StrSubstitutor;
import org.joda.time.DateTime;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/* loaded from: input_file:com/onelogin/saml2/logout/LogoutRequest.class */
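/**
 * SAML 2.0 LogoutRequest, either built by this Service Provider (SP) or received from the
 * Identity Provider (IdP) through the {@code SAMLRequest} HTTP parameter.
 *
 * <p>Security notes for integrators, based on what this class itself does:
 * <ul>
 *   <li>{@link #isValid()} only verifies the detached query-string signature carried in the
 *       {@code Signature} HTTP parameter. No code in this class verifies a signature embedded
 *       in the XML document.</li>
 *   <li>Outside strict mode ({@code settings.isStrict() == false}) an unsigned request passes
 *       {@link #isValid()} without any content check. Even in strict mode a signature is only
 *       mandatory when {@code settings.getWantMessagesSigned()} is true.</li>
 *   <li>The static extractors ({@code getNameId}, {@code getIssuer}, {@code getSessionIndexes},
 *       {@code getId}) perform no validation. Values they return from a received request are
 *       untrusted until {@link #isValid()} has returned true for that same request.</li>
 * </ul>
 *
 * <p>Instances are mutable and carry no synchronization.
 */
public class LogoutRequest {
    private static final Logger LOGGER = LoggerFactory.getLogger(LogoutRequest.class);

    /** XML of the LogoutRequest: decoded from the HTTP request, or generated from the template. */
    private final String logoutRequestString;

    /** ID attribute of the LogoutRequest. Public and mutable; prefer {@link #getId()}. */
    public String id;

    private final Saml2Settings settings;
    private final HttpRequest request;
    private String nameId;
    private String nameIdFormat;
    private String nameIdNameQualifier;
    private String nameIdSPNameQualifier;
    private String sessionIndex;
    private String currentUrl;
    private Calendar issueInstant;

    /** Cause of the last failed {@link #isValid()} call, or null. */
    private Exception validationException;

    /**
     * Builds a LogoutRequest.
     *
     * <p>When {@code request} carries a {@code SAMLRequest} parameter, that value is decoded with
     * {@code Util.base64decodedInflated} and used as the received message; the NameID and
     * SessionIndex arguments are then ignored. Otherwise a new request is generated from the
     * settings and the arguments.
     *
     * @param settings              toolkit settings
     * @param request               current HTTP request, or null when generating a new request
     * @param nameId                NameID to log out; when null the IdP entity id is used instead
     * @param sessionIndex          SessionIndex to include, or null
     * @param nameIdFormat          NameID Format, or null
     * @param nameIdNameQualifier   NameID NameQualifier, or null
     * @param nameIdSPNameQualifier NameID SPNameQualifier, or null
     * @throws XMLEntityException declared by the original signature
     */
    public LogoutRequest(Saml2Settings settings, HttpRequest request, String nameId, String sessionIndex, String nameIdFormat, String nameIdNameQualifier, String nameIdSPNameQualifier) throws XMLEntityException {
        this.settings = settings;
        this.request = request;

        String samlLogoutRequest = null;
        if (request != null) {
            samlLogoutRequest = request.getParameter("SAMLRequest");
            this.currentUrl = request.getRequestURL();
        }

        if (samlLogoutRequest != null) {
            // Received message: attacker-controlled until isValid() succeeds.
            // NOTE(review): whether Util.base64decodedInflated bounds the inflated size is not
            // visible here; confirm, since the input comes straight from the query string.
            this.logoutRequestString = Util.base64decodedInflated(samlLogoutRequest);
            this.id = getId(this.logoutRequestString);
        } else {
            this.id = Util.generateUniqueID(settings.getUniqueIDPrefix());
            this.issueInstant = Calendar.getInstance();
            this.nameId = nameId;
            this.nameIdFormat = nameIdFormat;
            this.nameIdNameQualifier = nameIdNameQualifier;
            this.nameIdSPNameQualifier = nameIdSPNameQualifier;
            this.sessionIndex = sessionIndex;
            this.logoutRequestString = generateSubstitutor(settings).replace(getLogoutRequestTemplate());
        }
    }

    /** Same as the full constructor with a null NameID SPNameQualifier. */
    public LogoutRequest(Saml2Settings settings, HttpRequest request, String nameId, String sessionIndex, String nameIdFormat, String nameIdNameQualifier) throws XMLEntityException {
        this(settings, request, nameId, sessionIndex, nameIdFormat, nameIdNameQualifier, null);
    }

    /** Same as the full constructor with null NameID qualifiers. */
    public LogoutRequest(Saml2Settings settings, HttpRequest request, String nameId, String sessionIndex, String nameIdFormat) throws XMLEntityException {
        this(settings, request, nameId, sessionIndex, nameIdFormat, null);
    }

    /** Same as the full constructor with a null NameID Format and null qualifiers. */
    public LogoutRequest(Saml2Settings settings, HttpRequest request, String nameId, String sessionIndex) throws XMLEntityException {
        this(settings, request, nameId, sessionIndex, null);
    }

    /** Generates a new LogoutRequest from the settings only (no HTTP request, NameID or SessionIndex). */
    public LogoutRequest(Saml2Settings settings) throws XMLEntityException {
        this(settings, null, null, null);
    }

    /** Loads the LogoutRequest carried by {@code request}, or generates one if it carries none. */
    public LogoutRequest(Saml2Settings settings, HttpRequest request) throws XMLEntityException {
        this(settings, request, null, null);
    }

    /**
     * Returns the LogoutRequest encoded for transport.
     *
     * @param deflated true to deflate before Base64-encoding, false to Base64-encode only,
     *                 null to follow {@code settings.isCompressRequestEnabled()}
     * @return the encoded LogoutRequest
     * @throws IOException declared by the encoding helpers
     */
    public String getEncodedLogoutRequest(Boolean deflated) throws IOException {
        if (deflated == null) {
            deflated = Boolean.valueOf(this.settings.isCompressRequestEnabled());
        }
        if (deflated.booleanValue()) {
            return Util.deflatedBase64encoded(getLogoutRequestXml());
        }
        return Util.base64encoder(getLogoutRequestXml());
    }

    /** Returns the encoded LogoutRequest, compressed or not according to the settings. */
    public String getEncodedLogoutRequest() throws IOException {
        return getEncodedLogoutRequest(null);
    }

    /** Returns the LogoutRequest XML (received or generated). */
    public String getLogoutRequestXml() {
        return this.logoutRequestString;
    }

    /**
     * Builds the placeholder values for {@link #getLogoutRequestTemplate()}.
     *
     * <p>Values concatenated into markup by this method (ID, Destination, Issuer, SessionIndex)
     * are XML-escaped first, so that a value containing {@code <}, {@code &} or a quote cannot
     * break out of its attribute or element and alter the structure of the request that is
     * sent (and possibly signed). Values without such characters produce the same XML as before.
     *
     * <p>As a side effect, a null {@code nameId} is replaced by the IdP entity id.
     *
     * @param settings toolkit settings
     * @return the substitutor holding the template values
     */
    private StrSubstitutor generateSubstitutor(Saml2Settings settings) {
        // NOTE(review): StrSubstitutor also resolves ${...} sequences found inside the values
        // themselves; escaping does not change that.
        Map<String, String> values = new HashMap<String, String>();
        values.put("id", escapeXml(this.id));
        values.put("issueInstant", Util.formatDateTime(this.issueInstant.getTimeInMillis()));

        URL sloUrl = settings.getIdpSingleLogoutServiceUrl();
        String destinationStr = "";
        if (sloUrl != null) {
            destinationStr = " Destination=\"" + escapeXml(sloUrl.toString()) + "\"";
        }
        values.put("destinationStr", destinationStr);
        values.put("issuer", escapeXml(settings.getSpEntityId()));

        String spNameQualifier = this.nameIdSPNameQualifier;
        String nameQualifier = this.nameIdNameQualifier;
        String format;
        if (this.nameId != null) {
            // Fall back to the SP-configured format only when none was given and the
            // configured one is not "unspecified".
            if (this.nameIdFormat != null || settings.getSpNameIDFormat().equals(Constants.NAMEID_UNSPECIFIED)) {
                format = this.nameIdFormat;
            } else {
                format = settings.getSpNameIDFormat();
            }
        } else {
            this.nameId = settings.getIdpEntityId();
            format = Constants.NAMEID_ENTITY;
        }

        // The entity format is emitted without qualifiers.
        if (format != null && format.equals(Constants.NAMEID_ENTITY)) {
            nameQualifier = null;
            spNameQualifier = null;
        }
        // "unspecified" is expressed by omitting the Format attribute.
        if (format != null && format.equals(Constants.NAMEID_UNSPECIFIED)) {
            format = null;
        }

        X509Certificate encryptionCert = null;
        if (settings.getNameIdEncrypted()) {
            encryptionCert = settings.getIdpx509cert();
            if (encryptionCert == null) {
                List<X509Certificate> multipleCerts = settings.getIdpx509certMulti();
                if (multipleCerts != null && !multipleCerts.isEmpty()) {
                    encryptionCert = multipleCerts.get(0);
                }
            }
            // NOTE(review): if no IdP certificate is configured, a null certificate is passed
            // on although encryption was requested; how Util.generateNameId reacts is not
            // visible here. Confirm that it does not emit a cleartext NameID.
        }

        // NOTE(review): the NameID markup comes from Util.generateNameId and is inserted as-is;
        // confirm that helper escapes its inputs.
        values.put("nameIdStr", Util.generateNameId(this.nameId, spNameQualifier, format, nameQualifier, encryptionCert));

        String sessionIndexStr = "";
        if (this.sessionIndex != null) {
            sessionIndexStr = " <samlp:SessionIndex>" + escapeXml(this.sessionIndex) + "</samlp:SessionIndex>";
        }
        values.put("sessionIndexStr", sessionIndexStr);
        return new StrSubstitutor(values);
    }

    /**
     * Escapes the five XML special characters so a value can be placed in element content or
     * in a double-quoted attribute.
     *
     * @param value text to escape, may be null
     * @return the escaped text, or null when {@code value} is null
     */
    private static String escapeXml(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder escaped = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':
                    escaped.append("&amp;");
                    break;
                case '<':
                    escaped.append("&lt;");
                    break;
                case '>':
                    escaped.append("&gt;");
                    break;
                case '"':
                    escaped.append("&quot;");
                    break;
                case '\'':
                    escaped.append("&apos;");
                    break;
                default:
                    escaped.append(c);
                    break;
            }
        }
        return escaped.toString();
    }

    /** Returns the LogoutRequest XML template with its {@code ${...}} placeholders. */
    private static StringBuilder getLogoutRequestTemplate() {
        StringBuilder template = new StringBuilder();
        template.append("<samlp:LogoutRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ");
        template.append("ID=\"${id}\" ");
        template.append("Version=\"2.0\" ");
        template.append("IssueInstant=\"${issueInstant}\"${destinationStr} >");
        template.append("<saml:Issuer>${issuer}</saml:Issuer>");
        template.append("${nameIdStr}${sessionIndexStr}</samlp:LogoutRequest>");
        return template;
    }

    /**
     * Validates a received LogoutRequest.
     *
     * <p>In strict mode the following are checked: optional schema validation, the
     * {@code NotOnOrAfter} and {@code Destination} attributes when present, the presence of
     * exactly one NameID, the Issuer when present, and the presence of a signature when
     * {@code settings.getWantMessagesSigned()} is true. In every mode, a non-empty
     * {@code Signature} parameter is verified against the configured IdP certificates.
     *
     * <p>Every failure is caught, stored for {@link #getError()} and
     * {@link #getValidationException()}, and reported as {@code false}.
     *
     * @return true when the request passed all applicable checks, false otherwise
     * @throws Exception declared by the original signature; failures are caught in the body
     */
    public Boolean isValid() throws Exception {
        this.validationException = null;
        try {
            if (this.logoutRequestString == null || this.logoutRequestString.isEmpty()) {
                throw new ValidationError("SAML Logout Request is not loaded", 14);
            }
            if (this.request == null) {
                throw new Exception("The HttpRequest of the current host was not established");
            }
            if (this.currentUrl == null || this.currentUrl.isEmpty()) {
                throw new Exception("The URL of the current host was not established");
            }

            String signature = this.request.getParameter("Signature");
            // NOTE(review): the parser configuration (DTD / external entity handling) lives in
            // Util.loadXML and is not visible here. If it can return null for unparsable
            // input, the non-strict, unsigned path below would still return true; confirm.
            Document logoutRequestDocument = Util.loadXML(this.logoutRequestString);

            if (this.settings.isStrict()) {
                Element rootElement = logoutRequestDocument.getDocumentElement();
                rootElement.normalize();

                if (this.settings.getWantXMLValidation() && !Util.validateXML(logoutRequestDocument, SchemaFactory.SAML_SCHEMA_PROTOCOL_2_0)) {
                    throw new ValidationError("Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd", 14);
                }

                // Reject an expired request; a request without NotOnOrAfter has no expiry here.
                if (rootElement.hasAttribute("NotOnOrAfter")) {
                    DateTime notOnOrAfter = Util.parseDateTime(rootElement.getAttribute("NotOnOrAfter"));
                    if (notOnOrAfter.isEqualNow() || notOnOrAfter.isBeforeNow()) {
                        throw new ValidationError("Could not validate timestamp: expired. Check system clock.", 44);
                    }
                }

                // A Destination, when given and non-empty, must equal the URL that received it.
                if (rootElement.hasAttribute("Destination")) {
                    String destination = rootElement.getAttribute("Destination");
                    if (destination != null && !destination.isEmpty() && !destination.equals(this.currentUrl)) {
                        throw new ValidationError("The LogoutRequest was received at " + this.currentUrl + " instead of " + destination, 24);
                    }
                }

                // Result unused: called because it throws unless exactly one NameID is present
                // (after decryption when it is encrypted).
                getNameId(logoutRequestDocument, this.settings.getSPkey());

                // A request without exactly one Issuer element yields null and is not rejected
                // by this check; only a present Issuer is compared with the IdP entity id.
                String issuer = getIssuer(logoutRequestDocument);
                if (issuer != null && (issuer.isEmpty() || !issuer.equals(this.settings.getIdpEntityId()))) {
                    throw new ValidationError(String.format("Invalid issuer in the Logout Request. Was '%s', but expected '%s'", issuer, this.settings.getIdpEntityId()), 29);
                }

                if (this.settings.getWantMessagesSigned() && (signature == null || signature.isEmpty())) {
                    throw new ValidationError("The Message of the Logout Request is not signed and the SP requires it", 32);
                }
            }

            if (signature != null && !signature.isEmpty()) {
                // Candidate certificates: the multi-cert list, with the single configured
                // certificate placed first when it is not already part of that list.
                X509Certificate cert = this.settings.getIdpx509cert();
                List<X509Certificate> certList = new ArrayList<X509Certificate>();
                List<X509Certificate> multipleCerts = this.settings.getIdpx509certMulti();
                if (multipleCerts != null && multipleCerts.size() != 0) {
                    certList.addAll(multipleCerts);
                }
                if (cert != null && !certList.contains(cert)) {
                    certList.add(0, cert);
                }
                if (certList.isEmpty()) {
                    throw new SettingsException("In order to validate the sign on the Logout Request, the x509cert of the IdP is required", 3);
                }

                // The algorithm is taken from the request itself, and a missing SigAlg falls
                // back to RSA-SHA1. NOTE(review): no allow-list is applied in this method;
                // check whether Util.validateBinarySignature or the settings restrict weak
                // algorithms.
                String signAlg = this.request.getParameter("SigAlg");
                if (signAlg == null || signAlg.isEmpty()) {
                    signAlg = Constants.RSA_SHA1;
                }

                // Rebuild the signed query string in the fixed order SAMLRequest, RelayState,
                // SigAlg from the values returned by getEncodedParameter.
                String relayState = this.request.getEncodedParameter("RelayState");
                String signedQuery = "SAMLRequest=" + this.request.getEncodedParameter("SAMLRequest");
                if (relayState != null && !relayState.isEmpty()) {
                    signedQuery = signedQuery + "&RelayState=" + relayState;
                }
                signedQuery = signedQuery + "&SigAlg=" + this.request.getEncodedParameter("SigAlg", signAlg);

                if (!Util.validateBinarySignature(signedQuery, Util.base64decoder(signature), certList, signAlg).booleanValue()) {
                    throw new ValidationError("Signature validation failed. Logout Request rejected", 42);
                }
            }

            // The debug lines below write the whole request, NameID included, to the log.
            LOGGER.debug("LogoutRequest validated --> " + this.logoutRequestString);
            return true;
        } catch (Exception e) {
            this.validationException = e;
            LOGGER.debug("LogoutRequest invalid --> " + this.logoutRequestString);
            // Some messages embed values taken from the request (Issuer, Destination).
            LOGGER.error(this.validationException.getMessage());
            return false;
        }
    }

    /**
     * Returns the ID attribute of the LogoutRequest root element.
     *
     * @param document parsed LogoutRequest
     * @return the ID value, an empty string when the attribute is absent, or null when the
     *         document cannot be read (for example when it is null)
     */
    public static String getId(Document document) {
        String id = null;
        try {
            Element rootElement = document.getDocumentElement();
            rootElement.normalize();
            id = rootElement.getAttribute("ID");
        } catch (Exception e) {
            // Best effort by design: callers get null instead of an exception. Log the cause
            // so an unparsable request is not dropped silently.
            LOGGER.debug("Unable to read the ID of the LogoutRequest", e);
        }
        return id;
    }

    /** Returns the ID attribute of the LogoutRequest given as an XML string; see {@link #getId(Document)}. */
    public static String getId(String logoutRequestXml) {
        return getId(Util.loadXML(logoutRequestXml));
    }

    /**
     * Extracts the NameID of a LogoutRequest, decrypting it first when the request carries
     * exactly one {@code saml:EncryptedID}. No signature or issuer check is performed here.
     *
     * @param document parsed LogoutRequest
     * @param key      SP private key used for decryption; required only for an EncryptedID
     * @return a map with {@code Value} and, when present on the element, {@code Format},
     *         {@code SPNameQualifier} and {@code NameQualifier}
     * @throws Exception when the key is missing, decryption yields no NameID, or the request
     *                   does not contain exactly one NameID
     */
    public static Map<String, String> getNameIdData(Document document, PrivateKey key) throws Exception {
        NodeList encryptedIdNodes = Util.query(document, "/samlp:LogoutRequest/saml:EncryptedID");
        NodeList nameIdNodes;
        if (encryptedIdNodes.getLength() == 1) {
            if (key == null) {
                throw new SettingsException("Key is required in order to decrypt the NameID", 4);
            }
            Util.decryptElement((Element) encryptedIdNodes.item(0), key);
            // Queried after decryption: the NameID is expected in the document by then.
            nameIdNodes = Util.query(document, "/samlp:LogoutRequest/saml:NameID");
            if (nameIdNodes == null || nameIdNodes.getLength() != 1) {
                throw new Exception("Not able to decrypt the EncryptedID and get a NameID");
            }
        } else {
            nameIdNodes = Util.query(document, "/samlp:LogoutRequest/saml:NameID");
        }

        if (nameIdNodes == null || nameIdNodes.getLength() != 1) {
            throw new ValidationError("No name id found in Logout Request.", 38);
        }

        Element nameIdElement = (Element) nameIdNodes.item(0);
        Map<String, String> nameIdData = new HashMap<String, String>();
        if (nameIdElement != null) {
            nameIdData.put("Value", nameIdElement.getTextContent());
            if (nameIdElement.hasAttribute("Format")) {
                nameIdData.put("Format", nameIdElement.getAttribute("Format"));
            }
            if (nameIdElement.hasAttribute("SPNameQualifier")) {
                nameIdData.put("SPNameQualifier", nameIdElement.getAttribute("SPNameQualifier"));
            }
            if (nameIdElement.hasAttribute("NameQualifier")) {
                nameIdData.put("NameQualifier", nameIdElement.getAttribute("NameQualifier"));
            }
        }
        return nameIdData;
    }

    /** Same as {@link #getNameIdData(Document, PrivateKey)} for a LogoutRequest given as an XML string. */
    public static Map<String, String> getNameIdData(String logoutRequestXml, PrivateKey key) throws Exception {
        return getNameIdData(Util.loadXML(logoutRequestXml), key);
    }

    /**
     * Returns the NameID value of the LogoutRequest and writes it to the debug log.
     *
     * @param document parsed LogoutRequest
     * @param key      SP private key, needed only when the NameID is encrypted
     * @return the NameID value
     * @throws Exception see {@link #getNameIdData(Document, PrivateKey)}
     */
    public static String getNameId(Document document, PrivateKey key) throws Exception {
        Map<String, String> nameIdData = getNameIdData(document, key);
        // The user identifier goes to the debug log here.
        LOGGER.debug("LogoutRequest has NameID --> " + nameIdData.get("Value"));
        return nameIdData.get("Value");
    }

    /** Returns the NameID value of a LogoutRequest whose NameID is not encrypted. */
    public static String getNameId(Document document) throws Exception {
        return getNameId(document, (PrivateKey) null);
    }

    /** Returns the NameID value of the LogoutRequest given as an XML string (not logged). */
    public static String getNameId(String logoutRequestXml, PrivateKey key) throws Exception {
        return getNameIdData(logoutRequestXml, key).get("Value");
    }

    /** Returns the unencrypted NameID value of the LogoutRequest given as an XML string. */
    public static String getNameId(String logoutRequestXml) throws Exception {
        return getNameId(logoutRequestXml, (PrivateKey) null);
    }

    /**
     * Returns the Issuer of the LogoutRequest.
     *
     * @param document parsed LogoutRequest
     * @return the Issuer text, or null unless exactly one {@code saml:Issuer} child is present
     * @throws XPathExpressionException when the XPath query fails
     */
    public static String getIssuer(Document document) throws XPathExpressionException {
        NodeList issuerNodes = Util.query(document, "/samlp:LogoutRequest/saml:Issuer");
        if (issuerNodes.getLength() != 1) {
            return null;
        }
        return issuerNodes.item(0).getTextContent();
    }

    /** Same as {@link #getIssuer(Document)} for a LogoutRequest given as an XML string. */
    public static String getIssuer(String logoutRequestXml) throws XPathExpressionException {
        return getIssuer(Util.loadXML(logoutRequestXml));
    }

    /**
     * Returns the SessionIndex values of the LogoutRequest, in document order.
     *
     * @param document parsed LogoutRequest
     * @return the SessionIndex values; empty when the request has none
     * @throws XPathExpressionException when the XPath query fails
     */
    public static List<String> getSessionIndexes(Document document) throws XPathExpressionException {
        List<String> sessionIndexes = new ArrayList<String>();
        NodeList sessionIndexNodes = Util.query(document, "/samlp:LogoutRequest/samlp:SessionIndex");
        for (int i = 0; i < sessionIndexNodes.getLength(); i++) {
            sessionIndexes.add(sessionIndexNodes.item(i).getTextContent());
        }
        return sessionIndexes;
    }

    /** Same as {@link #getSessionIndexes(Document)} for a LogoutRequest given as an XML string. */
    public static List<String> getSessionIndexes(String logoutRequestXml) throws XPathExpressionException {
        return getSessionIndexes(Util.loadXML(logoutRequestXml));
    }

    /**
     * Returns the message of the last validation failure, or null when the last
     * {@link #isValid()} call succeeded or none was made. The message can contain values taken
     * from the request, so encode it before showing it to a user.
     */
    public String getError() {
        return this.validationException != null ? this.validationException.getMessage() : null;
    }

    /** Returns the exception that made the last {@link #isValid()} call fail, or null. */
    public Exception getValidationException() {
        return this.validationException;
    }

    /** Returns the ID of this LogoutRequest (generated, or read from the received message). */
    public String getId() {
        return this.id;
    }
}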
