package dk.digitalidentity.samlmodule.service.validation;

import dk.digitalidentity.samlmodule.service.metadata.DISAML_IdPMetadataService;
import dk.digitalidentity.samlmodule.util.exceptions.ExternalException;
import dk.digitalidentity.samlmodule.util.exceptions.InternalException;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.util.Base64;
import java.util.Objects;
import javax.servlet.http.HttpServletRequest;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.handler.MessageHandlerException;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.binding.security.impl.MessageLifetimeSecurityHandler;
import org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.SessionIndex;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.crypto.SigningUtil;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.algorithm.AlgorithmSupport;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.springframework.util.StringUtils;

@Service
/* loaded from: input_file:dk/digitalidentity/samlmodule/service/validation/DISAML_LogoutRequestValidationService.class */
public class DISAML_LogoutRequestValidationService {
    private static final Logger log = LoggerFactory.getLogger(DISAML_LogoutRequestValidationService.class);

    @Autowired
    private DISAML_IdPMetadataService idPMetadataService;

    public void validate(HttpServletRequest httpServletRequest, MessageContext<SAMLObject> messageContext, EntityDescriptor entityDescriptor, PublicKey publicKey) throws InternalException, ExternalException {
        log.debug("Started validation of LogoutRequest");
        LogoutRequest logoutRequest = (LogoutRequest) messageContext.getMessage();
        if (logoutRequest == null) {
            throw new ExternalException("Message did not contain a correct LogoutRequest Object");
        }
        validateDestination(httpServletRequest, messageContext);
        validateLifeTime(messageContext);
        validateIssuer(logoutRequest, entityDescriptor.getEntityID());
        validateSignature(httpServletRequest, publicKey, logoutRequest);
        validateSessionIndex(logoutRequest);
        log.debug("Completed validation of LogoutRequest");
    }

    private void validateDestination(HttpServletRequest httpServletRequest, MessageContext<SAMLObject> messageContext) throws InternalException, ExternalException {
        log.debug("Validating destination");
        ReceivedEndpointSecurityHandler receivedEndpointSecurityHandler = null;
        try {
            try {
                try {
                    receivedEndpointSecurityHandler = new ReceivedEndpointSecurityHandler();
                    receivedEndpointSecurityHandler.setHttpServletRequest(httpServletRequest);
                    receivedEndpointSecurityHandler.initialize();
                    receivedEndpointSecurityHandler.invoke(messageContext);
                    if (receivedEndpointSecurityHandler == null || !receivedEndpointSecurityHandler.isInitialized() || receivedEndpointSecurityHandler.isDestroyed()) {
                        return;
                    }
                    receivedEndpointSecurityHandler.destroy();
                } catch (MessageHandlerException e) {
                    throw new ExternalException("Destination incorrect", e);
                }
            } catch (ComponentInitializationException e2) {
                throw new InternalException("Could not initialize ReceivedEndpointSecurityHandler", e2);
            }
        } catch (Throwable th) {
            if (receivedEndpointSecurityHandler != null && receivedEndpointSecurityHandler.isInitialized() && !receivedEndpointSecurityHandler.isDestroyed()) {
                receivedEndpointSecurityHandler.destroy();
            }
            throw th;
        }
    }

    private void validateLifeTime(MessageContext<SAMLObject> messageContext) throws InternalException, ExternalException {
        log.debug("Validating Lifetime");
        MessageLifetimeSecurityHandler messageLifetimeSecurityHandler = null;
        try {
            try {
                try {
                    messageLifetimeSecurityHandler = new MessageLifetimeSecurityHandler();
                    messageLifetimeSecurityHandler.setClockSkew(300000L);
                    messageLifetimeSecurityHandler.initialize();
                    messageLifetimeSecurityHandler.invoke(messageContext);
                    if (messageLifetimeSecurityHandler == null || !messageLifetimeSecurityHandler.isInitialized() || messageLifetimeSecurityHandler.isDestroyed()) {
                        return;
                    }
                    messageLifetimeSecurityHandler.destroy();
                } catch (MessageHandlerException e) {
                    throw new ExternalException("Message lifetime incorrect", e);
                }
            } catch (ComponentInitializationException e2) {
                throw new InternalException("Could not initialize MessageLifetimeSecurityHandler", e2);
            }
        } catch (Throwable th) {
            if (messageLifetimeSecurityHandler != null && messageLifetimeSecurityHandler.isInitialized() && !messageLifetimeSecurityHandler.isDestroyed()) {
                messageLifetimeSecurityHandler.destroy();
            }
            throw th;
        }
    }

    private void validateSessionIndex(LogoutRequest logoutRequest) throws ExternalException {
        log.debug("Validating SessionIndex");
        if (logoutRequest.getSessionIndexes().size() != 1) {
            throw new ExternalException("Could not find single sessionIndex in Request");
        }
        if (!StringUtils.hasLength(((SessionIndex) logoutRequest.getSessionIndexes().get(0)).getSessionIndex())) {
            throw new ExternalException("SessionIndex is empty");
        }
    }

    private void validateIssuer(LogoutRequest logoutRequest, String str) throws ExternalException {
        log.debug("Validating Issuer");
        Issuer issuer = logoutRequest.getIssuer();
        if (issuer == null) {
            throw new ExternalException("No Issuer found");
        }
        if (!Objects.equals(str, issuer.getValue())) {
            throw new ExternalException("Issuer does not match Metadata. Expected: " + str + " Was: " + issuer.getValue());
        }
    }

    private void validateSignature(HttpServletRequest httpServletRequest, PublicKey publicKey, LogoutRequest logoutRequest) throws ExternalException, InternalException {
        log.debug("Validating Signature");
        String method = httpServletRequest.getMethod();
        boolean z = -1;
        switch (method.hashCode()) {
            case 70454:
                if (method.equals("GET")) {
                    z = false;
                    break;
                }
                break;
            case 2461856:
                if (method.equals("POST")) {
                    z = true;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                if (!validateDetachedSignature(httpServletRequest.getQueryString(), publicKey, httpServletRequest.getParameter("Signature"), httpServletRequest.getParameter("SigAlg"))) {
                    throw new ExternalException("LogoutRequest Signature incorrect");
                }
                return;
            case true:
                BasicX509Credential basicX509Credential = new BasicX509Credential(this.idPMetadataService.getX509Certificate(UsageType.SIGNING));
                try {
                    Objects.requireNonNull(logoutRequest.getSignature(), "No signature present on logoutRequest for HTTP POST binding");
                    SignatureValidator.validate(logoutRequest.getSignature(), basicX509Credential);
                    return;
                } catch (NullPointerException e) {
                    throw new ExternalException(e);
                } catch (SignatureException e2) {
                    throw new ExternalException("Could not validate LogoutRequest signature", e2);
                }
            default:
                throw new ExternalException("Could not validate signature, Wrong request method");
        }
    }

    private boolean validateDetachedSignature(String str, PublicKey publicKey, String str2, String str3) throws ExternalException {
        byte[] bArr = new byte[0];
        byte[] bytes = parseSignedQueryString(str).getBytes(StandardCharsets.UTF_8);
        try {
            return SigningUtil.verify(publicKey, AlgorithmSupport.getAlgorithmID(str3), Base64.getDecoder().decode(str2), bytes);
        } catch (SecurityException e) {
            throw new ExternalException("LogoutRequest Signature incorrect", e);
        }
    }

    private String parseSignedQueryString(String str) {
        StringBuilder sb = new StringBuilder();
        String parameter = getParameter("SAMLRequest", str);
        String parameter2 = getParameter("RelayState", str);
        String parameter3 = getParameter("SigAlg", str);
        sb.append("SAMLRequest");
        sb.append("=");
        sb.append(parameter);
        if (parameter2 != null) {
            sb.append("&");
            sb.append("RelayState");
            sb.append("=");
            sb.append(parameter2);
        }
        sb.append("&");
        sb.append("SigAlg");
        sb.append("=");
        sb.append(parameter3);
        return sb.toString();
    }

    private String getParameter(String str, String str2) {
        for (String str3 : str2.split("&")) {
            int indexOf = str3.indexOf(61);
            if (str.equals(str3.substring(0, indexOf))) {
                return str3.substring(indexOf + 1);
            }
        }
        return null;
    }
}
