package org.elasticsearch.xpack.security.authc.saml;

import java.time.Clock;
import java.util.Collection;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.xpack.security.authc.saml.SamlObjectHandler;
import org.opensaml.saml.saml2.core.LogoutResponse;
import org.w3c.dom.Element;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/saml/SamlLogoutResponseHandler.class */
/**
 * Validates a SAML {@code LogoutResponse} received from the identity provider over either the
 * HTTP-Redirect or the HTTP-POST binding.
 *
 * <p>An unsigned message is rejected on both bindings. What differs is where the signature is
 * expected: on the query string for HTTP-Redirect, on the XML object itself for HTTP-POST.
 */
public class SamlLogoutResponseHandler extends SamlResponseHandler {
    private static final String LOGOUT_RESPONSE_TAG_NAME = "LogoutResponse";

    public SamlLogoutResponseHandler(Clock clock, IdpConfiguration idpConfiguration, SpConfiguration spConfiguration, TimeValue timeValue) {
        super(clock, idpConfiguration, spConfiguration, timeValue);
    }

    /**
     * Parses the incoming logout response, requires a signature, and then runs the
     * InResponseTo, status, issuer and destination checks, in that order.
     *
     * @param z {@code true} when the message arrived via the HTTP-Redirect binding,
     *     {@code false} for HTTP-POST
     * @param str the raw query string (HTTP-Redirect) or the base64-encoded message (HTTP-POST)
     * @param collection handed to {@code checkInResponseTo}; presumably the request ids this
     *     service provider still expects an answer for (confirm against the caller)
     */
    public void handle(boolean z, String str, Collection<String> collection) {
        final String protocolNamespace = "urn:oasis:names:tc:SAML:2.0:protocol";

        final Element root;
        if (!z) {
            this.logger.debug("Process SAML LogoutResponse with HTTP-POST binding");
            root = parseSamlMessage(decodeBase64(str));
        } else {
            this.logger.debug("Process SAML LogoutResponse with HTTP-Redirect binding");
            // Redirect binding: the signature covers the query string, so it is dealt with
            // while the query string is parsed and before the payload is inflated.
            final SamlObjectHandler.ParsedQueryString parsedQuery = parseQueryStringAndValidateSignature(str, "SAMLResponse");
            if (!parsedQuery.hasSignature) {
                throw SamlUtils.samlException("Query string is not signed, but is required for HTTP-Redirect binding", new Object[0]);
            }
            root = parseSamlMessage(inflate(decodeBase64(parsedQuery.samlMessage)));
        }

        // Refuse anything whose root element is not a SAML 2.0 protocol LogoutResponse before
        // it is unmarshalled into an object.
        final boolean isLogoutResponse = LOGOUT_RESPONSE_TAG_NAME.equals(root.getLocalName())
            && protocolNamespace.equals(root.getNamespaceURI());
        if (!isLogoutResponse) {
            throw SamlUtils.samlException("SAML content [{}] should have a root element of Namespace=[{}] Tag=[{}]", root, protocolNamespace, LOGOUT_RESPONSE_TAG_NAME);
        }

        final LogoutResponse logoutResponse = buildXmlObject(root, LogoutResponse.class);

        // POST binding: the XML signature on the object is mandatory and is validated here,
        // ahead of every content check below. On the redirect path the embedded XML signature
        // is not inspected in this method.
        if (!z) {
            if (logoutResponse.getSignature() == null) {
                throw SamlUtils.samlException("LogoutResponse is not signed, but is required for HTTP-Post binding", new Object[0]);
            }
            validateSignature(logoutResponse.getSignature());
        }

        // Content checks run only after the signature requirement has been met.
        checkInResponseTo(logoutResponse, collection);
        checkStatus(logoutResponse.getStatus());
        checkIssuer(logoutResponse.getIssuer(), logoutResponse);
        checkResponseDestination(logoutResponse, getSpConfiguration().getLogoutUrl());
    }
}
