package org.elasticsearch.xpack.security.authc.saml;

import java.time.Clock;
import java.util.Objects;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.xpack.security.authc.saml.SamlObjectHandler;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.saml2.core.EncryptedID;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.xmlsec.encryption.support.DecryptionException;
import org.opensaml.xmlsec.signature.Signature;
import org.w3c.dom.Element;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/saml/SamlLogoutRequestHandler.class */
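/**
 * Parses and validates an inbound SAML 2.0 {@code <samlp:LogoutRequest>} received on the
 * HTTP-Redirect binding (a deflated, base64-encoded {@code SAMLRequest} query parameter).
 *
 * <p>The validation order is security-relevant and is kept exactly as in the original:
 * <ol>
 *   <li>the query-string signature, when present, is verified before the payload is even
 *       inflated and parsed (see {@link #parseFromQueryString(String)});</li>
 *   <li>the root element must be {@code LogoutRequest} in the SAML 2.0 protocol namespace;</li>
 *   <li>an XML-embedded {@code <ds:Signature>} is always verified when present, and is
 *       mandatory when the query string carried no signature — an unsigned request is rejected;</li>
 *   <li>issuer, {@code Destination} and {@code NotOnOrAfter} are checked;</li>
 *   <li>only then is the (possibly encrypted) subject identifier extracted.</li>
 * </ol>
 *
 * <p>{@code parseQueryStringAndValidateSignature}, {@code parseSamlMessage}, {@code inflate},
 * {@code decodeBase64}, {@code buildXmlObject}, {@code validateSignature}, {@code checkIssuer},
 * {@code validateNotOnOrAfter}, {@code text}, {@code describe}, {@code getSpConfiguration} and the
 * {@code decrypter} / {@code logger} fields are not declared here and therefore come from
 * {@link SamlObjectHandler}; their exact contracts are not visible in this file.
 *
 * <p>Note: this listing is decompiled output. The constructor was package-private in the
 * original source (the decompiler widened it); it is left {@code public} here so existing
 * callers keep compiling.
 */
public class SamlLogoutRequestHandler extends SamlObjectHandler {
    private static final String REQUEST_TAG_NAME = "LogoutRequest";
    private static final String SAML_PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol";

    /**
     * The validated content of a logout request.
     *
     * <p>{@code requestId} is the request's {@code ID} attribute, {@code nameId} the subject
     * identifier (already decrypted if it arrived as {@code EncryptedID}), {@code session} the
     * first non-null {@code SessionIndex} value (or {@code null}) and {@code relayState} the
     * {@code RelayState} query parameter (or {@code null}).
     *
     * <p>{@link #toString()} prints the name id and session index verbatim; both may identify
     * a user, so avoid logging a {@code Result} above DEBUG level.
     */
    public static class Result {
        private final String requestId;
        private final SamlNameId nameId;
        private final String session;
        private final String relayState;

        public Result(String requestId, SamlNameId nameId, String session, String relayState) {
            this.requestId = requestId;
            this.nameId = nameId;
            this.session = session;
            this.relayState = relayState;
        }

        /** @return the {@code ID} attribute of the logout request */
        public String getRequestId() {
            return requestId;
        }

        /** @return the subject identifier, or whatever {@code SamlNameId.fromXml} yields for a missing one */
        public SamlNameId getNameId() {
            return nameId;
        }

        /** @return the first non-null {@code SessionIndex}, or {@code null} if none was supplied */
        public String getSession() {
            return session;
        }

        /** @return the {@code RelayState} from the query string, or {@code null} */
        public String getRelayState() {
            return relayState;
        }

        @Override
        public String toString() {
            return "SamlLogoutRequestHandler.Result{requestId='" + requestId + "', nameId=" + nameId + ", session='" + session + "', relayState='" + relayState + "'}";
        }
    }

    /**
     * @param clock           clock used for the {@code NotOnOrAfter} validity check (inherited)
     * @param idpConfiguration identity-provider trust configuration (signing keys etc.)
     * @param spConfiguration  this service provider's configuration, including its logout URL
     * @param timeValue        passed straight to the superclass; presumably the allowed clock skew — confirm in SamlObjectHandler
     */
    public SamlLogoutRequestHandler(Clock clock, IdpConfiguration idpConfiguration, SpConfiguration spConfiguration, TimeValue timeValue) {
        super(clock, idpConfiguration, spConfiguration, timeValue);
    }

    /**
     * Parses and validates a logout request carried in a HTTP-Redirect binding query string.
     *
     * @param queryString the raw query string containing {@code SAMLRequest} and optionally
     *                    {@code RelayState}, {@code SigAlg} and {@code Signature}
     * @return the validated request content
     * @throws ElasticsearchSecurityException if the signature, root element, issuer,
     *         destination or validity window is rejected, or the name id cannot be decrypted
     */
    public Result parseFromQueryString(String queryString) {
        // The redirect-binding signature (if any) is verified here, before the untrusted
        // payload is inflated and fed to the XML parser.
        final SamlObjectHandler.ParsedQueryString parsed = parseQueryStringAndValidateSignature(queryString, "SAMLRequest");
        final Element root = parseSamlMessage(inflate(decodeBase64(parsed.samlMessage)));
        if (!isLogoutRequestElement(root)) {
            throw SamlUtils.samlException("SAML content [{}] should have a root element of Namespace=[{}] Tag=[{}]", root, SAML_PROTOCOL_NS, REQUEST_TAG_NAME);
        }
        // An XML signature is only optional when the query string itself was signed.
        final boolean signatureRequired = !parsed.hasSignature;
        try {
            final LogoutRequest logoutRequest = (LogoutRequest) buildXmlObject(root, LogoutRequest.class);
            return parseLogout(logoutRequest, signatureRequired, parsed.relayState);
        } catch (ElasticsearchSecurityException e) {
            // TRACE only: this dumps the whole (already parsed) request XML.
            this.logger.trace("Rejecting SAML logout request {} because {}", SamlUtils.toString(root), e.getMessage());
            throw e;
        }
    }

    /** Both local name and namespace must match; a same-named element in another namespace is rejected. */
    private static boolean isLogoutRequestElement(Element root) {
        return REQUEST_TAG_NAME.equals(root.getLocalName()) && SAML_PROTOCOL_NS.equals(root.getNamespaceURI());
    }

    /**
     * Runs the ordered checks on the parsed request and extracts its content.
     *
     * @param logoutRequest     the parsed request
     * @param signatureRequired whether an embedded XML signature is mandatory (true when the
     *                          query string carried none)
     * @param relayState        the {@code RelayState} query parameter, may be {@code null}
     */
    private Result parseLogout(LogoutRequest logoutRequest, boolean signatureRequired, String relayState) {
        final Signature signature = logoutRequest.getSignature();
        if (signature != null) {
            // Always verified when present, even if the query string was already signed.
            validateSignature(signature);
        } else if (signatureRequired) {
            throw SamlUtils.samlException("Logout request is not signed", new Object[0]);
        }
        checkIssuer(logoutRequest.getIssuer(), logoutRequest);
        checkDestination(logoutRequest);
        validateNotOnOrAfter(logoutRequest.getNotOnOrAfter());
        // Decryption of the subject happens only after the request has been authenticated.
        final NameID nameId = getNameID(logoutRequest);
        return new Result(logoutRequest.getID(), SamlNameId.fromXml(nameId), getSessionIndex(logoutRequest), relayState);
    }

    /**
     * Returns the request's subject identifier, decrypting an {@code EncryptedID} when no plain
     * {@code NameID} is present.
     *
     * <p>Fix: {@code decrypt} returns the generic {@link SAMLObject}; the decompiled listing
     * assigned that straight to a {@code NameID} without a cast, which does not compile. Only a
     * decrypted {@code NameID} is accepted — any other decrypted type (e.g. a {@code BaseID}) is
     * ignored and {@code null} is returned, matching the original fall-through.
     *
     * @return the name id, or {@code null} if the request carries none that can be used
     */
    private NameID getNameID(LogoutRequest logoutRequest) {
        final NameID plainNameId = logoutRequest.getNameID();
        if (plainNameId != null) {
            return plainNameId;
        }
        final EncryptedID encryptedID = logoutRequest.getEncryptedID();
        if (encryptedID != null) {
            final SAMLObject decrypted = decrypt(encryptedID);
            if (decrypted instanceof NameID) {
                return (NameID) decrypted;
            }
        }
        return null;
    }

    /**
     * Decrypts an {@code EncryptedID} with the realm's decrypter.
     *
     * <p>The thrown message only embeds the first 32 characters of the ciphertext; the DEBUG log
     * line embeds up to 512 characters plus a description of the SP's encryption credentials
     * (whatever {@code describe} prints — check that it does not include key material).
     *
     * @throws ElasticsearchSecurityException if no decryption key is configured or decryption fails
     */
    private SAMLObject decrypt(EncryptedID encryptedID) {
        if (this.decrypter == null) {
            throw SamlUtils.samlException("SAML EncryptedID [" + text(encryptedID, 32) + "] is encrypted, but no decryption key is available", new Object[0]);
        }
        try {
            return this.decrypter.decrypt(encryptedID);
        } catch (DecryptionException e) {
            this.logger.debug(() -> new ParameterizedMessage("Failed to decrypt SAML EncryptedID [{}] with [{}]",
                    text(encryptedID, 512), describe(getSpConfiguration().getEncryptionCredentials())), e);
            throw SamlUtils.samlException("Failed to decrypt SAML EncryptedID " + text(encryptedID, 32), e, new Object[0]);
        }
    }

    /**
     * Returns the first non-null {@code SessionIndex} value, or {@code null}.
     *
     * <p>NOTE(review): a LogoutRequest may legitimately carry several {@code SessionIndex}
     * elements; only the first is honoured here, so the others are silently dropped. Returning
     * all of them would change {@link Result}'s interface and is left as-is.
     */
    private String getSessionIndex(LogoutRequest logoutRequest) {
        return logoutRequest.getSessionIndexes().stream()
                .map(sessionIndex -> sessionIndex.getValue())
                .filter(Objects::nonNull)
                .findFirst()
                .orElse(null);
    }

    /**
     * Requires the request's {@code Destination} to equal this realm's configured logout URL.
     *
     * <p>This is what stops a logout request signed for some other service provider from being
     * replayed against this one. The comparison is exact string equality — no URL
     * normalisation — so a differing trailing slash or host case is rejected.
     *
     * @throws ElasticsearchSecurityException if no logout URL is configured or it does not match
     */
    private void checkDestination(LogoutRequest logoutRequest) {
        final String expectedUrl = getSpConfiguration().getLogoutUrl();
        if (expectedUrl == null) {
            throw SamlUtils.samlException("SAML request " + logoutRequest.getID() + " is for destination " + logoutRequest.getDestination() + " but this realm is not configured for logout", new Object[0]);
        }
        if (!expectedUrl.equals(logoutRequest.getDestination())) {
            throw SamlUtils.samlException("SAML request " + logoutRequest.getID() + " is for destination " + logoutRequest.getDestination() + " but this realm uses " + expectedUrl, new Object[0]);
        }
    }
}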
