package org.springframework.security.saml2.provider.service.authentication.logout;

import java.util.Collection;
import java.util.function.Consumer;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.NameID;
import org.springframework.security.core.Authentication;
import org.springframework.security.saml2.core.OpenSamlInitializationService;
import org.springframework.security.saml2.core.Saml2Error;
import org.springframework.security.saml2.core.Saml2ErrorCodes;
import org.springframework.security.saml2.provider.service.authentication.logout.OpenSamlOperations;
import org.springframework.security.saml2.provider.service.registration.AssertingPartyMetadata;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;

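/**
 * Validates an inbound SAML 2.0 {@code LogoutRequest} (SP-initiated logout
 * received from the asserting party) against the {@link RelyingPartyRegistration}
 * it was addressed to and the currently authenticated principal.
 * <p>
 * Checks performed, in order: the request signature (the enveloped XML signature,
 * or the redirect-binding query-string signature when the XML itself is unsigned),
 * the {@code Issuer} against the configured asserting party entity id, the
 * {@code Destination} against this relying party's single-logout location, and
 * the (possibly encrypted) {@code NameID} against the authenticated user's name.
 * Every failed check is collected as a {@link Saml2Error}; the caller decides
 * whether the accumulated result is acceptable.
 * <p>
 * Not thread-safety documented here beyond what the visible code shows: the only
 * instance state is the immutable {@link OpenSamlOperations} template.
 */
@Deprecated
/* loaded from: input_file:BOOT-INF/lib/spring-security-saml2-service-provider-6.4.5.jar:org/springframework/security/saml2/provider/service/authentication/logout/OpenSamlLogoutRequestValidator.class */
public final class OpenSamlLogoutRequestValidator implements Saml2LogoutRequestValidator {
    private final OpenSamlOperations saml = new OpenSaml4Template();

    static {
        // OpenSAML must be bootstrapped before any unmarshalling, decryption or
        // signature verification can take place.
        OpenSamlInitializationService.initialize();
    }

    /**
     * Decodes the raw request and runs every validation step, collecting the errors.
     *
     * @param saml2LogoutRequestValidatorParameters the encoded request, the registration
     *        it was sent to and the (possibly {@code null}) current authentication
     * @return a result holding zero or more {@link Saml2Error}s
     */
    @Override // org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequestValidator
    public Saml2LogoutValidatorResult validate(Saml2LogoutRequestValidatorParameters saml2LogoutRequestValidatorParameters) {
        Saml2LogoutRequest request = saml2LogoutRequestValidatorParameters.getLogoutRequest();
        RelyingPartyRegistration registration = saml2LogoutRequestValidatorParameters.getRelyingPartyRegistration();
        Authentication authentication = saml2LogoutRequestValidatorParameters.getAuthentication();
        // The REDIRECT binding carries a DEFLATE-compressed payload; POST does not.
        boolean inflate = request.getBinding() == Saml2MessageBinding.REDIRECT;
        LogoutRequest logoutRequest = (LogoutRequest) this.saml
                .deserialize(Saml2Utils.withEncoded(request.getSamlRequest()).inflate(inflate).decode());
        return Saml2LogoutValidatorResult.withErrors()
                .errors(verifySignature(request, logoutRequest, registration))
                .errors(validateRequest(logoutRequest, registration, authentication))
                .build();
    }

    /**
     * Builds the signature check, keyed on the asserting party's verification
     * credentials and entity id.
     */
    private Consumer<Collection<Saml2Error>> verifySignature(Saml2LogoutRequest request, LogoutRequest logoutRequest,
            RelyingPartyRegistration registration) {
        AssertingPartyMetadata assertingParty = registration.getAssertingPartyMetadata();
        OpenSamlOperations.VerificationConfigurer verifier = this.saml
                .withVerificationKeys(assertingParty.getVerificationX509Credentials())
                .entityId(assertingParty.getEntityId());
        return errors -> {
            if (logoutRequest.isSigned()) {
                // Enveloped XML signature: verify the document itself.
                errors.addAll(verifier.verify(logoutRequest));
            } else {
                // No XML signature: any signature is over the redirect-binding query
                // parameters (SAMLRequest/RelayState/SigAlg/Signature), so verify those.
                // An unsigned request therefore fails here rather than being accepted silently.
                errors.addAll(verifier.verify(new OpenSamlOperations.VerificationConfigurer.RedirectParameters(
                        request.getParameters(), request.getParametersQuery(), logoutRequest)));
            }
        };
    }

    /** Runs the issuer, destination and subject checks in sequence into one error sink. */
    private Consumer<Collection<Saml2Error>> validateRequest(LogoutRequest logoutRequest,
            RelyingPartyRegistration registration, Authentication authentication) {
        return errors -> {
            validateIssuer(logoutRequest, registration).accept(errors);
            validateDestination(logoutRequest, registration).accept(errors);
            validateSubject(logoutRequest, registration, authentication).accept(errors);
        };
    }

    /**
     * The {@code Issuer} must be present and equal the configured asserting party
     * entity id; anything else is reported as {@link Saml2ErrorCodes#INVALID_ISSUER}.
     */
    private Consumer<Collection<Saml2Error>> validateIssuer(LogoutRequest logoutRequest,
            RelyingPartyRegistration registration) {
        return errors -> {
            if (logoutRequest.getIssuer() == null) {
                errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_ISSUER, "Failed to find issuer in LogoutRequest"));
                return;
            }
            String issuer = logoutRequest.getIssuer().getValue();
            String expected = registration.getAssertingPartyMetadata().getEntityId();
            // An empty <Issuer/> element yields a null value; report it as a mismatch
            // instead of letting a NullPointerException escape the validator.
            if (issuer == null || !issuer.equals(expected)) {
                errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_ISSUER, "Failed to match issuer to configured issuer"));
            }
        };
    }

    /**
     * The {@code Destination} must be present and equal this relying party's
     * single-logout service location, so a request meant for another endpoint is rejected.
     */
    private Consumer<Collection<Saml2Error>> validateDestination(LogoutRequest logoutRequest,
            RelyingPartyRegistration registration) {
        return errors -> {
            String destination = logoutRequest.getDestination();
            if (destination == null) {
                errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_DESTINATION, "Failed to find destination in LogoutRequest"));
                return;
            }
            if (!destination.equals(registration.getSingleLogoutServiceLocation())) {
                errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_DESTINATION, "Failed to match destination to configured destination"));
            }
        };
    }

    /**
     * The request's {@code NameID} must match the authenticated user's name.
     * When there is no current authentication the check is skipped entirely
     * (no session to compare against).
     */
    private Consumer<Collection<Saml2Error>> validateSubject(LogoutRequest logoutRequest,
            RelyingPartyRegistration registration, Authentication authentication) {
        return errors -> {
            if (authentication == null) {
                return;
            }
            NameID nameId = getNameId(logoutRequest, registration);
            if (nameId == null) {
                errors.add(new Saml2Error(Saml2ErrorCodes.SUBJECT_NOT_FOUND, "Failed to find subject in LogoutRequest"));
            } else {
                validateNameId(nameId, authentication, errors);
            }
        };
    }

    /**
     * Decrypts any {@code EncryptedID} with the relying party's decryption keys,
     * then returns the (now plaintext) {@code NameID}, or {@code null} if absent.
     */
    private NameID getNameId(LogoutRequest logoutRequest, RelyingPartyRegistration registration) {
        this.saml.withDecryptionKeys(registration.getDecryptionX509Credentials()).decrypt(logoutRequest);
        return logoutRequest.getNameID();
    }

    /**
     * Compares the {@code NameID} value with the authenticated principal's name;
     * a missing value counts as a mismatch rather than throwing.
     */
    private void validateNameId(NameID nameId, Authentication authentication, Collection<Saml2Error> errors) {
        String subject = nameId.getValue();
        if (subject == null || !subject.equals(authentication.getName())) {
            errors.add(new Saml2Error("invalid_request", "Failed to match subject in LogoutRequest with currently logged in user"));
        }
    }
}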
