package com.liferay.saml.opensaml.integration.internal.servlet.profile;

import com.liferay.petra.string.StringBundler;
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.exception.SystemException;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.service.UserLocalService;
import com.liferay.portal.kernel.util.ParamUtil;
import com.liferay.portal.kernel.util.Portal;
import com.liferay.portal.kernel.util.StringUtil;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.saml.opensaml.integration.SamlBinding;
import com.liferay.saml.opensaml.integration.internal.util.OpenSamlUtil;
import com.liferay.saml.opensaml.integration.internal.util.SamlUtil;
import com.liferay.saml.opensaml.integration.metadata.MetadataManager;
import com.liferay.saml.persistence.model.SamlIdpSpSession;
import com.liferay.saml.persistence.model.SamlIdpSsoSession;
import com.liferay.saml.persistence.model.SamlSpSession;
import com.liferay.saml.persistence.service.SamlIdpSpConnectionLocalService;
import com.liferay.saml.persistence.service.SamlIdpSpSessionLocalService;
import com.liferay.saml.persistence.service.SamlIdpSsoSessionLocalService;
import com.liferay.saml.persistence.service.SamlSpSessionLocalService;
import com.liferay.saml.runtime.SamlException;
import com.liferay.saml.runtime.configuration.SamlProviderConfigurationHelper;
import com.liferay.saml.runtime.exception.UnsolicitedLogoutResponseException;
import com.liferay.saml.runtime.exception.UnsupportedBindingException;
import com.liferay.saml.runtime.servlet.profile.SingleLogoutProfile;
import com.liferay.saml.util.JspUtil;
import com.liferay.saml.util.SamlHttpRequestUtil;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.apache.http.client.HttpClient;
import org.apache.http.client.cache.HeaderConstants;
import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.messaging.context.InOutOperationContext;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.encoder.servlet.HttpServletResponseMessageEncoder;
import org.opensaml.messaging.pipeline.httpclient.BasicHttpClientMessagePipeline;
import org.opensaml.messaging.pipeline.httpclient.HttpClientMessagePipeline;
import org.opensaml.messaging.pipeline.httpclient.HttpClientMessagePipelineFactory;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.common.messaging.context.SAMLBindingContext;
import org.opensaml.saml.common.messaging.context.SAMLEndpointContext;
import org.opensaml.saml.common.messaging.context.SAMLMetadataContext;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.common.messaging.context.SAMLProtocolContext;
import org.opensaml.saml.common.messaging.context.SAMLSelfEntityContext;
import org.opensaml.saml.common.messaging.context.SAMLSubjectNameIdentifierContext;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.LogoutResponse;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.SessionIndex;
import org.opensaml.saml.saml2.core.StatusCode;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.saml2.metadata.RoleDescriptor;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml.saml2.metadata.SSODescriptor;
import org.opensaml.saml.saml2.metadata.SingleLogoutService;
import org.opensaml.security.credential.Credential;
import org.opensaml.soap.client.http.PipelineFactoryHttpSOAPClient;
import org.opensaml.xmlsec.context.SecurityParametersContext;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicyOption;

@Component(immediate = true, service = {SingleLogoutProfile.class})
/* loaded from: input_file:com/liferay/saml/opensaml/integration/internal/servlet/profile/SingleLogoutProfileImpl.class */
public class SingleLogoutProfileImpl extends BaseProfile implements SingleLogoutProfile {
    // Logger shared by every method of this class.
    private static final Log _log = LogFactoryUtil.getLog(SingleLogoutProfileImpl.class);

    // The only field in this listing that carries @Reference.
    // NOTE(review): no method in the visible part of the class reads it; presumably it is used further down. Confirm.
    @Reference
    private HttpClient _httpClient;
    // Collaborators that the methods below dereference without null checks.
    // NOTE(review): this listing shows no @Reference on these fields and no setter for them in the
    // visible part of the class. The "loaded from" marker above the class declaration indicates
    // decompiler output, so how they are injected cannot be confirmed from here.
    private SamlHttpRequestUtil _samlHttpRequestUtil;
    private SamlIdpSpConnectionLocalService _samlIdpSpConnectionLocalService;
    private SamlIdpSpSessionLocalService _samlIdpSpSessionLocalService;
    private SamlIdpSsoSessionLocalService _samlIdpSsoSessionLocalService;
    private UserLocalService _userLocalService;

    /**
     * Reports whether single logout can be offered for the SP session bound to this request.
     *
     * <p>The IdP entity id stored on the SP session is used to resolve the IdP's metadata, and
     * {@code SamlUtil.resolveSingleLogoutService} is asked for a logout endpoint with HTTP-Redirect
     * passed as the binding argument. The result is {@code true} only when an endpoint is returned
     * and its binding is not SOAP 1.1.</p>
     *
     * <p>The method fails closed: a missing SP session, a missing endpoint, or any exception
     * (including a null metadata lookup result being dereferenced) yields {@code false}.</p>
     *
     * @param httpServletRequest the current request, used to locate the SP session
     * @return {@code true} if a non-SOAP single logout endpoint was resolved, {@code false} otherwise
     */
    public boolean isSingleLogoutSupported(HttpServletRequest httpServletRequest) {
        try {
            SamlSpSession spSession = getSamlSpSession(httpServletRequest);
            if (spSession == null) {
                return false;
            }
            SingleLogoutService sloService = SamlUtil.resolveSingleLogoutService(
                this.metadataManager.getMetadataResolver()
                    .resolveSingle(new CriteriaSet(new EntityIdCriterion(spSession.getSamlIdpEntityId())))
                    .getIDPSSODescriptor(SAMLConstants.SAML20P_NS),
                SAMLConstants.SAML2_REDIRECT_BINDING_URI);
            if (sloService == null) {
                return false;
            }
            boolean soapBinding = sloService.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI);
            return !soapBinding;
        } catch (Exception failure) {
            String logMessage = "Unable to verify single logout support: " + failure.getMessage();
            // The stack trace is only emitted at debug level; warn level gets the message alone.
            if (_log.isDebugEnabled()) {
                _log.debug(logMessage, failure);
            } else if (_log.isWarnEnabled()) {
                _log.warn(logMessage);
            }
            return false;
        }
    }

    /**
     * Dispatches a logout-related request by request path and, for the SLO page, by the
     * {@code cmd} request parameter.
     *
     * <ul>
     * <li>{@code /c/portal/logout}: calls {@code initiateIdpSingleLogout}.</li>
     * <li>{@code /c/portal/saml/slo_logout}: requires an SLO context; without one the request is
     * sent to {@code redirectToLogout}. With one, an empty {@code cmd} renders {@code slo.jsp}, and
     * {@code logout}, {@code finish} and {@code status} call the matching {@code performIdp*} method.
     * Any other {@code cmd} value is ignored.</li>
     * <li>Any other path: only the cache headers are added.</li>
     * </ul>
     *
     * <p>NOTE(review): the {@code cmd} branches change logout state and are selected purely by
     * request parameter. No anti-forgery check is visible in this method; confirm one is applied
     * upstream.</p>
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the response; receives no-cache headers before dispatching
     * @throws PortalException declared by the interface; exceptions raised while dispatching are
     *         handed to {@code ExceptionHandlerUtil.handleException}
     */
    public void processIdpLogout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws PortalException {
        String path = this._samlHttpRequestUtil.getRequestPath(httpServletRequest);
        try {
            // Logout pages carry session state; forbid caching by browsers and intermediaries.
            httpServletResponse.addHeader("Cache-Control", "private, no-cache, no-store, must-revalidate");
            httpServletResponse.addHeader("Pragma", HeaderConstants.CACHE_CONTROL_NO_CACHE);

            if (path.equals("/c/portal/logout")) {
                initiateIdpSingleLogout(httpServletRequest, httpServletResponse);
                return;
            }
            if (!path.equals("/c/portal/saml/slo_logout")) {
                return;
            }

            SamlSloContext sloContext = getSamlSloContext(httpServletRequest, null);
            if (sloContext == null) {
                redirectToLogout(httpServletRequest, httpServletResponse);
                return;
            }

            String command = ParamUtil.getString(httpServletRequest, "cmd");
            if (Validator.isNull(command)) {
                httpServletRequest.setAttribute("SAML_SLO_CONTEXT", sloContext.toJSONObject());
                JspUtil.dispatch(httpServletRequest, httpServletResponse, "/portal/saml/slo.jsp", "single-sign-out");
            } else if (command.equals("logout")) {
                performIdpSpLogout(httpServletRequest, httpServletResponse, sloContext);
            } else if (command.equals("finish")) {
                performIdpFinishLogout(httpServletRequest, httpServletResponse, sloContext);
            } else if (command.equals("status")) {
                performIdpStatus(httpServletRequest, httpServletResponse, sloContext);
            }
        } catch (Exception failure) {
            ExceptionHandlerUtil.handleException(failure);
        }
    }

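    /**
     * Decodes an inbound SAML single logout message and routes it to the request or response handler.
     *
     * <p>The binding is chosen from the request path and HTTP method: {@code .../slo} with GET uses
     * HTTP-Redirect, {@code .../slo} with POST uses HTTP-POST, and {@code .../slo_soap} with POST
     * uses SOAP 1.1. Every other combination is rejected before any decoding happens.</p>
     *
     * <p>NOTE(review): the literal {@code true} passed to {@code decodeSamlMessage} is not explained
     * in this listing. Confirm it makes signature validation of the inbound message mandatory, since
     * the handlers below act on the decoded NameID, SessionIndex and Issuer values.</p>
     *
     * @param httpServletRequest the request carrying the SAML message
     * @param httpServletResponse the response used by the decoder and by the handlers
     * @throws UnsupportedBindingException if the path/method pair matches none of the three bindings
     * @throws PortalException declared by the interface; failures during decoding or handling are
     *         passed to {@code ExceptionHandlerUtil.handleException}
     */
    public void processSingleLogout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws PortalException {
        String method = httpServletRequest.getMethod();
        String requestPath = this._samlHttpRequestUtil.getRequestPath(httpServletRequest);

        SamlBinding samlBinding;
        if (requestPath.endsWith("/slo") && StringUtil.equalsIgnoreCase(method, "GET")) {
            samlBinding = getSamlBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
        } else if (requestPath.endsWith("/slo") && StringUtil.equalsIgnoreCase(method, "POST")) {
            samlBinding = getSamlBinding(SAMLConstants.SAML2_POST_BINDING_URI);
        } else if (requestPath.endsWith("/slo_soap") && StringUtil.equalsIgnoreCase(method, "POST")) {
            samlBinding = getSamlBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI);
        } else {
            throw new UnsupportedBindingException();
        }

        try {
            MessageContext decodedContext = decodeSamlMessage(httpServletRequest, httpServletResponse, samlBinding, true);
            Object message = ((InOutOperationContext) decodedContext.getSubcontext(InOutOperationContext.class)).getInboundMessageContext().getMessage();
            if (message instanceof LogoutRequest) {
                processSingleLogoutRequest(httpServletRequest, httpServletResponse, decodedContext);
            } else if (message instanceof LogoutResponse) {
                processSingleLogoutResponse(httpServletRequest, httpServletResponse, decodedContext);
            } else {
                // A decoder that produced no message must surface as a SAML error, not as a
                // NullPointerException raised while building the error text.
                String messageKind = (message == null) ? "null" : String.valueOf(message.getClass());
                throw new SamlException("Unrecognized inbound SAML message " + messageKind);
            }
        } catch (Exception e) {
            ExceptionHandlerUtil.handleException(e);
        }
    }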

    /**
     * Starts an SP-side logout by delegating to {@code sendSpLogoutRequest}.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @throws PortalException declared by the interface; any exception from the delegate is handed
     *         to {@code ExceptionHandlerUtil.handleException}
     */
    public void processSpLogout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws PortalException {
        try {
            sendSpLogoutRequest(httpServletRequest, httpServletResponse);
        } catch (Exception failure) {
            ExceptionHandlerUtil.handleException(failure);
        }
    }

    /**
     * Declarative Services bind method: forwards the injected factory to {@code BaseProfile}.
     * {@code unbind = "-"} declares that there is no unbind method.
     *
     * @param identifierGenerationStrategyFactory the factory supplied by the service registry
     */
    @Override
    @Reference(unbind = "-")
    public void setIdentifierGenerationStrategyFactory(IdentifierGenerationStrategyFactory identifierGenerationStrategyFactory) {
        super.setIdentifierGenerationStrategyFactory(identifierGenerationStrategyFactory);
    }

    /**
     * Declarative Services bind method: forwards the injected metadata manager to
     * {@code BaseProfile}. {@code unbind = "-"} declares that there is no unbind method.
     *
     * @param metadataManager the metadata manager supplied by the service registry; methods of this
     *        class take the metadata resolver and the signing credential from it
     */
    @Override
    @Reference(unbind = "-")
    public void setMetadataManager(MetadataManager metadataManager) {
        super.setMetadataManager(metadataManager);
    }

    /**
     * Declarative Services bind method for SAML bindings. The reference requires at least one
     * binding and is greedy; each bound instance is registered through {@code addSamlBinding}.
     *
     * <p>The annotation names {@code unsetSamlBinding} as the unbind method; it is not defined in
     * the visible part of this class.</p>
     *
     * @param samlBinding a binding implementation supplied by the service registry
     */
    @Reference(cardinality = ReferenceCardinality.AT_LEAST_ONE, policyOption = ReferencePolicyOption.GREEDY, unbind = "unsetSamlBinding")
    public void setSamlBinding(SamlBinding samlBinding) {
        this.addSamlBinding(samlBinding);
    }

    /**
     * Declarative Services bind method: forwards the injected configuration helper to
     * {@code BaseProfile}. {@code unbind = "-"} declares that there is no unbind method.
     *
     * @param samlProviderConfigurationHelper the helper supplied by the service registry; this class
     *        uses it for its {@code isRoleIdp()} / {@code isRoleSp()} decisions
     */
    @Override
    @Reference(unbind = "-")
    public void setSamlProviderConfigurationHelper(SamlProviderConfigurationHelper samlProviderConfigurationHelper) {
        super.setSamlProviderConfigurationHelper(samlProviderConfigurationHelper);
    }

    /**
     * Deletes the SP session bound to this request and expires its cookie.
     *
     * <p>When no SP session is found, nothing happens and the {@code SAML_SP_SESSION_KEY} cookie is
     * left untouched. NOTE(review): {@code terminateSsoSession} always expires its cookie, even when
     * no session row exists. Confirm that leaving a stale SP cookie in place here is intended.</p>
     *
     * <p>A {@code SystemException} is logged and not rethrown, so the caller cannot tell that the
     * session was not removed.</p>
     *
     * @param httpServletRequest the request used to locate the SP session
     * @param httpServletResponse the response that receives the expiring cookie
     */
    public void terminateSpSession(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            SamlSpSession spSession = getSamlSpSession(httpServletRequest);
            if (spSession != null) {
                this.samlSpSessionLocalService.deleteSamlSpSession(spSession);
                // Empty value with max-age 0 instructs the browser to drop the cookie.
                addCookie(httpServletRequest, httpServletResponse, "SAML_SP_SESSION_KEY", "", 0);
            }
        } catch (SystemException systemException) {
            if (!_log.isDebugEnabled()) {
                _log.error(systemException.getMessage());
            } else {
                _log.debug(systemException.getMessage(), systemException);
            }
        }
    }

    /**
     * Removes the IdP SSO session identified by this request, together with every IdP-to-SP session
     * attached to it, and always expires the {@code SAML_SSO_SESSION_ID} cookie.
     *
     * <p>The SSO session row is deleted first and the dependent SP session rows afterwards. A
     * {@code SystemException} at any point is logged and not rethrown, so later deletions are
     * skipped; the cookie is still expired.</p>
     *
     * @param httpServletRequest the request used to read the SSO session id
     * @param httpServletResponse the response that receives the expiring cookie
     */
    public void terminateSsoSession(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String ssoSessionId = getSamlSsoSessionId(httpServletRequest);
        if (Validator.isNotNull(ssoSessionId)) {
            try {
                SamlIdpSsoSession ssoSession = this._samlIdpSsoSessionLocalService.fetchSamlIdpSso(ssoSessionId);
                if (ssoSession != null) {
                    this._samlIdpSsoSessionLocalService.deleteSamlIdpSsoSession(ssoSession);
                    for (Object spSession : this._samlIdpSpSessionLocalService.getSamlIdpSpSessions(ssoSession.getSamlIdpSsoSessionId())) {
                        this._samlIdpSpSessionLocalService.deleteSamlIdpSpSession((SamlIdpSpSession) spSession);
                    }
                }
            } catch (SystemException systemException) {
                if (!_log.isDebugEnabled()) {
                    _log.error(systemException.getMessage());
                } else {
                    _log.debug(systemException.getMessage(), systemException);
                }
            }
        }
        // Empty value with max-age 0 instructs the browser to drop the cookie.
        addCookie(httpServletRequest, httpServletResponse, "SAML_SSO_SESSION_ID", "", 0);
    }

    /**
     * Appends a {@code SessionIndex} element to the logout request, unless the value is null
     * according to {@code Validator.isNull}.
     *
     * @param logoutRequest the request being built
     * @param str the session index value; skipped when {@code Validator.isNull} reports it as null
     */
    protected void addSessionIndex(LogoutRequest logoutRequest, String str) {
        if (!Validator.isNull(str)) {
            logoutRequest.getSessionIndexes().add(OpenSamlUtil.buildSessionIndex(str));
        }
    }

    /**
     * Returns the single logout context for this HTTP session, creating and caching it on first use.
     *
     * <p>The SSO session id comes from {@code getSamlSsoSessionId(request)} unless a message context
     * is supplied whose inbound {@code LogoutRequest} carries at least one {@code SessionIndex}; in
     * that case the first index replaces it. A new context is built only when none is cached, the
     * id is not null, and a matching IdP SSO session exists.</p>
     *
     * <p>NOTE(review): a context already stored under {@code SAML_SLO_CONTEXT} is returned as is,
     * so the session id derived from the current request or message is not compared with the cached
     * one. Confirm that a stale cached context cannot be reused for a different SSO session.</p>
     *
     * <p>NOTE(review): the inbound message is cast to {@code LogoutRequest} without a type check;
     * callers must only pass contexts that hold a logout request.</p>
     *
     * @param httpServletRequest the current request; its HTTP session holds the cached context
     * @param messageContext decoded inbound message context, or {@code null} for browser-driven calls
     * @return the cached or newly created context, or {@code null} when no SSO session can be found
     */
    protected SamlSloContext getSamlSloContext(HttpServletRequest httpServletRequest, MessageContext<?> messageContext) {
        HttpSession httpSession = httpServletRequest.getSession();
        SamlSloContext cachedContext = (SamlSloContext) httpSession.getAttribute("SAML_SLO_CONTEXT");
        String ssoSessionId = getSamlSsoSessionId(httpServletRequest);

        if (messageContext != null) {
            InOutOperationContext operationContext = (InOutOperationContext) messageContext.getSubcontext(InOutOperationContext.class);
            LogoutRequest inboundRequest = (LogoutRequest) operationContext.getInboundMessageContext().getMessage();
            List<SessionIndex> indexes = inboundRequest.getSessionIndexes();
            if (!indexes.isEmpty()) {
                // Only the first SessionIndex of the request is honoured.
                ssoSessionId = indexes.get(0).getSessionIndex();
            }
        }

        if (cachedContext != null) {
            return cachedContext;
        }
        if (!Validator.isNotNull(ssoSessionId)) {
            return null;
        }
        SamlIdpSsoSession ssoSession = this._samlIdpSsoSessionLocalService.fetchSamlIdpSso(ssoSessionId);
        if (ssoSession == null) {
            return null;
        }

        SamlSloContext createdContext = new SamlSloContext(ssoSession, messageContext, this._samlIdpSpConnectionLocalService, this._samlIdpSpSessionLocalService, this._userLocalService);
        createdContext.setSamlSsoSessionId(ssoSessionId);
        createdContext.setUserId(this.portal.getUserId(httpServletRequest));
        httpSession.setAttribute("SAML_SLO_CONTEXT", createdContext);
        return createdContext;
    }

    /**
     * Sends the browser to the SLO page when an SLO context exists, otherwise falls back to
     * {@code redirectToLogout}.
     *
     * <p>NOTE(review): the redirect target is built from {@code portal.getPortalURL(request)}.
     * Confirm that value cannot be steered by a client-supplied Host header.</p>
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the response that receives the redirect
     * @throws Exception if the redirect or the fallback fails
     */
    protected void initiateIdpSingleLogout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        if (getSamlSloContext(httpServletRequest, null) == null) {
            redirectToLogout(httpServletRequest, httpServletResponse);
            return;
        }
        String sloPageUrl = this.portal.getPortalURL(httpServletRequest).concat(this.portal.getPathMain()).concat("/portal/saml/slo_logout");
        httpServletResponse.sendRedirect(sloPageUrl);
    }

    /**
     * Completes an IdP-side single logout.
     *
     * <p>If the context holds no message context, the request is handed to {@code redirectToLogout}.
     * Otherwise a logout response is sent whose status is {@code SUCCESS} when every per-SP request
     * info reports {@code SUCCESS}, and {@code PARTIAL_LOGOUT} as soon as one does not.</p>
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @param samlSloContext the logout context holding the per-SP request infos
     * @throws Exception if redirecting or sending the response fails
     */
    protected void performIdpFinishLogout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SamlSloContext samlSloContext) throws Exception {
        if (samlSloContext.getMessageContext() == null) {
            redirectToLogout(httpServletRequest, httpServletResponse);
            return;
        }
        String overallStatus = StatusCode.SUCCESS;
        for (SamlSloRequestInfo requestInfo : samlSloContext.getSamlSloRequestInfos()) {
            if (!requestInfo.getStatusCode().equals(StatusCode.SUCCESS)) {
                // One failed service provider is enough to downgrade the overall result.
                overallStatus = StatusCode.PARTIAL_LOGOUT;
                break;
            }
        }
        sendIdpLogoutResponse(httpServletRequest, httpServletResponse, overallStatus, samlSloContext);
    }

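    /**
     * Logs the user out of one service provider, selected by the {@code entityId} request parameter.
     *
     * <p>Outcomes, in order:</p>
     * <ul>
     * <li>no request info for that entity id in the context: the error JSP is rendered;</li>
     * <li>request info already has status {@code 2}: its current state is rendered;</li>
     * <li>no single logout endpoint resolved for the SP: status {@code 4} with
     * {@code UNSUPPORTED_BINDING} is recorded and rendered;</li>
     * <li>otherwise {@code sendIdpLogoutRequest} is called; if it throws, status {@code 3} with
     * {@code PARTIAL_LOGOUT} is recorded and rendered.</li>
     * </ul>
     *
     * <p>The numeric status values are {@code SamlSloRequestInfo} states whose names are not visible
     * in this listing.</p>
     *
     * <p>The {@code entityId} parameter is client-controlled and is written to the debug log, so CR
     * and LF are replaced before logging to keep one request from forging extra log lines. The
     * value used for lookups is left untouched.</p>
     *
     * @param httpServletRequest the current request; supplies the {@code entityId} parameter
     * @param httpServletResponse the current response
     * @param samlSloContext the logout context holding the per-SP request infos
     * @throws Exception if rendering a JSP or resolving the SP's message context fails
     */
    protected void performIdpSpLogout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SamlSloContext samlSloContext) throws Exception {
        String entityId = ParamUtil.getString(httpServletRequest, "entityId");
        // Log-safe copy only; String.valueOf keeps the original's tolerance of a null value.
        String loggableEntityId = String.valueOf(entityId).replace('\r', '_').replace('\n', '_');

        SamlSloRequestInfo samlSloRequestInfo = samlSloContext.getSamlSloRequestInfo(entityId);
        if (samlSloRequestInfo == null) {
            if (_log.isDebugEnabled()) {
                _log.debug("Received logout request for service provider " + loggableEntityId + " that the user is not logged into");
            }
            JspUtil.dispatch(httpServletRequest, httpServletResponse, "/portal/saml/error.jsp", "single-sign-out", true);
            return;
        }
        if (samlSloRequestInfo.getStatus() == 2) {
            httpServletRequest.setAttribute("SAML_SLO_REQUEST_INFO", samlSloRequestInfo.toJSONObject());
            JspUtil.dispatch(httpServletRequest, httpServletResponse, "/portal/saml/slo_sp_status.jsp", "single-sign-out", true);
            return;
        }

        SAMLPeerEntityContext peerEntityContext = (SAMLPeerEntityContext) getMessageContext(httpServletRequest, httpServletResponse, entityId).getSubcontext(SAMLPeerEntityContext.class);
        SAMLMetadataContext peerMetadataContext = (SAMLMetadataContext) peerEntityContext.getSubcontext(SAMLMetadataContext.class);
        SingleLogoutService singleLogoutService = SamlUtil.resolveSingleLogoutService((SPSSODescriptor) peerMetadataContext.getRoleDescriptor(), SAMLConstants.SAML2_SOAP11_BINDING_URI);
        if (singleLogoutService == null) {
            if (_log.isDebugEnabled()) {
                _log.debug("Single logout not supported by " + loggableEntityId);
            }
            samlSloRequestInfo.setStatus(4);
            samlSloRequestInfo.setStatusCode(StatusCode.UNSUPPORTED_BINDING);
            httpServletRequest.setAttribute("SAML_SLO_REQUEST_INFO", samlSloRequestInfo.toJSONObject());
            JspUtil.dispatch(httpServletRequest, httpServletResponse, "/portal/saml/slo_sp_status.jsp", "single-sign-out", true);
            return;
        }

        try {
            sendIdpLogoutRequest(httpServletRequest, httpServletResponse, samlSloContext, samlSloRequestInfo);
        } catch (Exception e) {
            // A failure towards one SP must not abort the whole logout; record it and show the status.
            if (_log.isDebugEnabled()) {
                StringBundler stringBundler = new StringBundler(7);
                stringBundler.append("Unable to perform a single logout for service ");
                stringBundler.append("provider ");
                stringBundler.append(loggableEntityId);
                stringBundler.append(" with binding ");
                stringBundler.append(singleLogoutService.getBinding());
                stringBundler.append(" to ");
                stringBundler.append(singleLogoutService.getLocation());
                _log.debug(stringBundler.toString(), e);
            }
            samlSloRequestInfo.setStatus(3);
            samlSloRequestInfo.setStatusCode(StatusCode.PARTIAL_LOGOUT);
            httpServletRequest.setAttribute("SAML_SLO_REQUEST_INFO", samlSloRequestInfo.toJSONObject());
            JspUtil.dispatch(httpServletRequest, httpServletResponse, "/portal/saml/slo_sp_status.jsp", "single-sign-out", true);
        }
    }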

    /**
     * Writes the current logout context as JSON text and times out stalled per-SP requests.
     *
     * <p>Every request info that has status {@code 1} and whose initiate time lies more than ten
     * seconds in the past is moved to status {@code 5} with {@code PARTIAL_LOGOUT}. The numeric
     * values are {@code SamlSloRequestInfo} states whose names are not visible in this listing.</p>
     *
     * <p>NOTE(review): the body is the output of {@code toJSONObject().toString()} but is labelled
     * {@code text/javascript}, with no charset. Confirm the consuming page needs that type and that
     * all peer-supplied values in the JSON are escaped.</p>
     *
     * @param httpServletRequest the current request (unused here)
     * @param httpServletResponse the response that receives the serialized context
     * @param samlSloContext the logout context to serialize
     * @throws Exception if writing to the response fails
     */
    protected void performIdpStatus(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SamlSloContext samlSloContext) throws Exception {
        for (SamlSloRequestInfo requestInfo : samlSloContext.getSamlSloRequestInfos()) {
            if (requestInfo.getStatus() != 1) {
                continue;
            }
            if (!requestInfo.getInitiateTime().plusSeconds(10).isBeforeNow()) {
                continue;
            }
            requestInfo.setStatus(5);
            requestInfo.setStatusCode(StatusCode.PARTIAL_LOGOUT);
        }
        httpServletResponse.setContentType("text/javascript");
        String payload = samlSloContext.toJSONObject().toString();
        httpServletResponse.getWriter().write(payload);
    }

    /**
     * Handles a decoded {@code LogoutRequest} when this instance acts in the IdP role.
     *
     * <ul>
     * <li>No logout context can be obtained: answers {@code UNKNOWN_PRINCIPAL}, using a throwaway
     * context that has no SSO session.</li>
     * <li>The request arrived over SOAP 1.1: answers {@code UNSUPPORTED_BINDING}.</li>
     * <li>The context lists no SP entity ids: answers {@code SUCCESS}.</li>
     * <li>Otherwise: starts the browser-driven single logout flow.</li>
     * </ul>
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @param messageContext the decoded message context holding the inbound logout request
     * @throws Exception if sending the response or starting the flow fails
     */
    protected void processIdpLogoutRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, MessageContext<?> messageContext) throws Exception {
        SamlSloContext sloContext = getSamlSloContext(httpServletRequest, messageContext);
        if (sloContext == null) {
            sendIdpLogoutResponse(httpServletRequest, httpServletResponse, StatusCode.UNKNOWN_PRINCIPAL, new SamlSloContext(null, messageContext, this._samlIdpSpConnectionLocalService, this._samlIdpSpSessionLocalService, this._userLocalService));
            return;
        }

        Set<String> spEntityIds = sloContext.getSamlSpEntityIds();
        SAMLBindingContext bindingContext = (SAMLBindingContext) messageContext.getSubcontext(SAMLBindingContext.class);
        if (bindingContext.getBindingUri().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI)) {
            sendIdpLogoutResponse(httpServletRequest, httpServletResponse, StatusCode.UNSUPPORTED_BINDING, sloContext);
            return;
        }
        if (spEntityIds.isEmpty()) {
            sendIdpLogoutResponse(httpServletRequest, httpServletResponse, StatusCode.SUCCESS, sloContext);
            return;
        }
        initiateIdpSingleLogout(httpServletRequest, httpServletResponse);
    }

    /**
     * Handles a decoded {@code LogoutResponse} from a service provider when this instance acts in
     * the IdP role: records the peer's status code on the matching request info and renders the
     * per-SP status page.
     *
     * <p>NOTE(review): the request info is looked up by the {@code Issuer} value inside the message,
     * while the peer entity id from the message context is used only in error text. Confirm the
     * decoder guarantees the two are equal, so one SP cannot report a status on behalf of another.</p>
     *
     * <p>NOTE(review): no {@code InResponseTo} comparison against a previously sent request id is
     * visible in this method, and {@code getIssuer()}, {@code getStatus()} and
     * {@code getStatusCode()} are dereferenced without null checks.</p>
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @param messageContext the decoded message context holding the inbound logout response
     * @throws UnsolicitedLogoutResponseException if there is no logout context, or no request info
     *         for the issuer
     * @throws Exception if rendering the status page fails
     */
    protected void processIdpLogoutResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, MessageContext<?> messageContext) throws Exception {
        SamlSloContext sloContext = getSamlSloContext(httpServletRequest, null);
        SAMLPeerEntityContext peerEntityContext = (SAMLPeerEntityContext) messageContext.getSubcontext(SAMLPeerEntityContext.class);
        if (sloContext == null) {
            throw new UnsolicitedLogoutResponseException("Received logout response from " + peerEntityContext.getEntityId() + " without an active SSO session");
        }

        InOutOperationContext operationContext = (InOutOperationContext) messageContext.getSubcontext(InOutOperationContext.class);
        LogoutResponse inboundResponse = (LogoutResponse) operationContext.getInboundMessageContext().getMessage();
        String issuerValue = inboundResponse.getIssuer().getValue();
        SamlSloRequestInfo requestInfo = sloContext.getSamlSloRequestInfo(issuerValue);
        if (requestInfo == null) {
            throw new UnsolicitedLogoutResponseException("Received unsolicited logout response from " + peerEntityContext.getEntityId());
        }

        // The status code is taken verbatim from the peer's response.
        String peerStatusCode = inboundResponse.getStatus().getStatusCode().getValue();
        requestInfo.setStatusCode(peerStatusCode);
        httpServletRequest.setAttribute("SAML_SLO_REQUEST_INFO", requestInfo.toJSONObject());
        JspUtil.dispatch(httpServletRequest, httpServletResponse, "/portal/saml/slo_sp_status.jsp", "single-sign-out", true);
    }

    /**
     * Routes a decoded logout request by the configured role: the IdP handler when
     * {@code isRoleIdp()} is true, else the SP handler when {@code isRoleSp()} is true. If neither
     * role is reported, the request is dropped without a response.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @param messageContext the decoded message context
     * @throws Exception if the selected handler fails
     */
    protected void processSingleLogoutRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, MessageContext<?> messageContext) throws Exception {
        if (this.samlProviderConfigurationHelper.isRoleIdp()) {
            processIdpLogoutRequest(httpServletRequest, httpServletResponse, messageContext);
            return;
        }
        if (this.samlProviderConfigurationHelper.isRoleSp()) {
            processSpLogoutRequest(httpServletRequest, httpServletResponse, messageContext);
        }
    }

    /**
     * Routes a decoded logout response by the configured role: the IdP handler when
     * {@code isRoleIdp()} is true, else the SP handler when {@code isRoleSp()} is true. If neither
     * role is reported, the response is ignored.
     *
     * <p>The SP handler is called without the message context, so nothing from the decoded response
     * reaches it.</p>
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @param messageContext the decoded message context
     * @throws Exception if the selected handler fails
     */
    protected void processSingleLogoutResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, MessageContext<?> messageContext) throws Exception {
        if (this.samlProviderConfigurationHelper.isRoleIdp()) {
            processIdpLogoutResponse(httpServletRequest, httpServletResponse, messageContext);
            return;
        }
        if (this.samlProviderConfigurationHelper.isRoleSp()) {
            processSpLogoutResponse(httpServletRequest, httpServletResponse);
        }
    }

    /**
     * Handles a decoded {@code LogoutRequest} when this instance acts in the SP role: marks the
     * matching SP sessions as terminated and sends a {@code LogoutResponse} back to the peer.
     *
     * <p>Sessions are flagged with {@code setTerminated(true)} and updated; they are not deleted
     * here.</p>
     *
     * @param httpServletRequest the current request (not read by this method)
     * @param httpServletResponse the response the logout response is written to
     * @param messageContext the decoded message context holding the inbound logout request
     * @throws Exception if a session update, the endpoint lookup or sending the response fails
     */
    protected void processSpLogoutRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, MessageContext<?> messageContext) throws Exception {
        InOutOperationContext inOutOperationContext = (InOutOperationContext) messageContext.getSubcontext(InOutOperationContext.class);
        LogoutRequest logoutRequest = (LogoutRequest) inOutOperationContext.getInboundMessageContext().getMessage();
        // NOTE(review): nameID is dereferenced below without a null check; confirm the decoder rejects
        // requests that identify the principal without a plain NameID.
        NameID nameID = logoutRequest.getNameID();
        List<SessionIndex> sessionIndexes = logoutRequest.getSessionIndexes();
        String str = StatusCode.SUCCESS;
        if (sessionIndexes.isEmpty()) {
            // No SessionIndex: every SP session stored for this NameID value is terminated.
            // NOTE(review): this lookup passes the NameID value only, whereas the per-index path below
            // also compares the NameID format. Confirm the broader match is intended.
            List<SamlSpSession> samlSpSessions = this.samlSpSessionLocalService.getSamlSpSessions(nameID.getValue());
            if (samlSpSessions.isEmpty()) {
                str = StatusCode.UNKNOWN_PRINCIPAL;
            }
            for (SamlSpSession samlSpSession : samlSpSessions) {
                samlSpSession.setTerminated(true);
                this.samlSpSessionLocalService.updateSamlSpSession(samlSpSession);
            }
        }
        Iterator<SessionIndex> it = sessionIndexes.iterator();
        while (it.hasNext()) {
            SamlSpSession fetchSamlSpSessionBySessionIndex = this.samlSpSessionLocalService.fetchSamlSpSessionBySessionIndex(it.next().getSessionIndex());
            if (fetchSamlSpSessionBySessionIndex == null) {
                str = StatusCode.UNKNOWN_PRINCIPAL;
            } else {
                // A session is terminated only when both NameID value and format match the request, so a
                // known SessionIndex alone cannot end another principal's session.
                if (Objects.equals(fetchSamlSpSessionBySessionIndex.getNameIdValue(), nameID.getValue()) && Objects.equals(fetchSamlSpSessionBySessionIndex.getNameIdFormat(), nameID.getFormat())) {
                    fetchSamlSpSessionBySessionIndex.setTerminated(true);
                    this.samlSpSessionLocalService.updateSamlSpSession(fetchSamlSpSessionBySessionIndex);
                } else if (!str.equals(StatusCode.PARTIAL_LOGOUT)) {
                    str = StatusCode.UNKNOWN_PRINCIPAL;
                }
                // NOTE(review): as written, the UNKNOWN_PRINCIPAL set by the mismatch branch just above is
                // turned into PARTIAL_LOGOUT by this check in the same iteration, even when no session
                // has been terminated. This listing is decompiler output; verify the control flow
                // against the original source before relying on the reported status.
                if (str.equals(StatusCode.UNKNOWN_PRINCIPAL)) {
                    str = StatusCode.PARTIAL_LOGOUT;
                }
            }
        }
        // Build the response on the outbound side of the same operation context.
        LogoutResponse buildLogoutResponse = OpenSamlUtil.buildLogoutResponse();
        MessageContext outboundMessageContext = inOutOperationContext.getOutboundMessageContext();
        SecurityParametersContext securityParametersContext = (SecurityParametersContext) outboundMessageContext.getSubcontext(SecurityParametersContext.class, true);
        SAMLPeerEntityContext sAMLPeerEntityContext = (SAMLPeerEntityContext) messageContext.getSubcontext(SAMLPeerEntityContext.class);
        SSODescriptor sSODescriptor = (SSODescriptor) ((SAMLMetadataContext) sAMLPeerEntityContext.getSubcontext(SAMLMetadataContext.class)).getRoleDescriptor();
        // Security parameters are prepared from this instance's signing credential and the peer's role descriptor.
        OpenSamlUtil.prepareSecurityParametersContext(this.metadataManager.getSigningCredential(), securityParametersContext, sSODescriptor);
        outboundMessageContext.setMessage(buildLogoutResponse);
        buildLogoutResponse.setID(generateIdentifier(20));
        // Correlates the response with the request it answers.
        buildLogoutResponse.setInResponseTo(logoutRequest.getID());
        buildLogoutResponse.setIssueInstant(new DateTime(DateTimeZone.UTC));
        SAMLSelfEntityContext sAMLSelfEntityContext = (SAMLSelfEntityContext) messageContext.getSubcontext(SAMLSelfEntityContext.class);
        buildLogoutResponse.setIssuer(OpenSamlUtil.buildIssuer(sAMLSelfEntityContext.getEntityId()));
        buildLogoutResponse.setStatus(OpenSamlUtil.buildStatus(OpenSamlUtil.buildStatusCode(str)));
        buildLogoutResponse.setVersion(SAMLVersion.VERSION_20);
        // The reply endpoint is resolved from the peer's metadata, with the inbound binding URI passed as
        // the binding argument; the destination is never taken from the request itself.
        // NOTE(review): other callers in this class check resolveSingleLogoutService for null; here the
        // result is dereferenced directly, so a peer without a logout endpoint ends in an NPE.
        SingleLogoutService resolveSingleLogoutService = SamlUtil.resolveSingleLogoutService(sSODescriptor, ((SAMLBindingContext) messageContext.getSubcontext(SAMLBindingContext.class)).getBindingUri());
        ((SAMLEndpointContext) sAMLPeerEntityContext.getSubcontext(SAMLEndpointContext.class, true)).setEndpoint(resolveSingleLogoutService);
        buildLogoutResponse.setDestination(resolveSingleLogoutService.getLocation());
        outboundMessageContext.addSubcontext(sAMLSelfEntityContext);
        outboundMessageContext.addSubcontext(sAMLPeerEntityContext);
        sendSamlMessage(messageContext, httpServletResponse);
    }

    /**
     * Finishes an SP-side logout after a logout response has been received by handing the request
     * to {@code redirectToLogout}.
     *
     * <p>NOTE(review): the decoded response is not passed in, so its status code is not inspected
     * here; local logout proceeds whatever the peer reported.</p>
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @throws Exception if session termination or the redirect fails
     */
    protected void processSpLogoutResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        this.redirectToLogout(httpServletRequest, httpServletResponse);
    }

    /**
     * Terminates the local SAML session for the configured role (SSO session for IdP, SP session
     * for SP) and then redirects the browser to the portal logout path.
     *
     * <p>NOTE(review): the redirect target is built from {@code portal.getPortalURL(request)}.
     * Confirm that value cannot be steered by a client-supplied Host header.</p>
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the response that receives cookies and the redirect
     * @throws Exception if the redirect fails
     */
    protected void redirectToLogout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        if (this.samlProviderConfigurationHelper.isRoleIdp()) {
            terminateSsoSession(httpServletRequest, httpServletResponse);
        } else if (this.samlProviderConfigurationHelper.isRoleSp()) {
            terminateSpSession(httpServletRequest, httpServletResponse);
        }
        String logoutUrl = this.portal.getPortalURL(httpServletRequest).concat(this.portal.getPathMain()).concat("/portal/logout");
        httpServletResponse.sendRedirect(logoutUrl);
    }

    /**
     * Builds a signed {@code LogoutRequest} for the peer in the message context and encodes it onto
     * the servlet response, using the encoder of the endpoint's binding.
     *
     * <p>The endpoint, the self entity id, the subject NameID and the peer role descriptor are all
     * read from subcontexts that the caller must have populated. The statement order is kept as in
     * the original: the request is fully populated and placed in the context before it is signed,
     * and the encoder is initialized only after the security parameters are prepared.</p>
     *
     * <p>NOTE(review): the {@code SecurityParametersContext} is fetched without the create flag, so
     * {@code null} is passed on if the caller never created it. Confirm
     * {@code prepareSecurityParametersContext} tolerates that.</p>
     *
     * @param messageContext outbound message context with peer, endpoint, self and NameID subcontexts
     * @param samlSloContext the logout context; supplies the SSO session id used as session index
     * @param httpServletResponse the response the encoded request is written to
     * @throws Exception if signing, encoder initialization or encoding fails
     */
    protected void sendAsyncLogoutRequest(MessageContext messageContext, SamlSloContext samlSloContext, HttpServletResponse httpServletResponse) throws Exception {
        SAMLPeerEntityContext peerEntityContext = (SAMLPeerEntityContext) messageContext.getSubcontext(SAMLPeerEntityContext.class);
        SAMLEndpointContext endpointContext = (SAMLEndpointContext) peerEntityContext.getSubcontext(SAMLEndpointContext.class);
        SingleLogoutService endpoint = (SingleLogoutService) endpointContext.getEndpoint();

        LogoutRequest outboundRequest = OpenSamlUtil.buildLogoutRequest();
        outboundRequest.setDestination(endpoint.getLocation());
        outboundRequest.setID(generateIdentifier(20));
        outboundRequest.setIssueInstant(new DateTime(DateTimeZone.UTC));
        SAMLSelfEntityContext selfEntityContext = (SAMLSelfEntityContext) messageContext.getSubcontext(SAMLSelfEntityContext.class);
        outboundRequest.setIssuer(OpenSamlUtil.buildIssuer(selfEntityContext.getEntityId()));
        SAMLSubjectNameIdentifierContext nameIdContext = (SAMLSubjectNameIdentifierContext) messageContext.getSubcontext(SAMLSubjectNameIdentifierContext.class);
        outboundRequest.setNameID(nameIdContext.getSAML2SubjectNameID());
        outboundRequest.setVersion(SAMLVersion.VERSION_20);
        addSessionIndex(outboundRequest, samlSloContext.getSamlSsoSessionId());
        messageContext.setMessage(outboundRequest);

        Credential signingCredential = this.metadataManager.getSigningCredential();
        SAMLProtocolContext protocolContext = (SAMLProtocolContext) messageContext.getSubcontext(SAMLProtocolContext.class, true);
        protocolContext.setProtocol(SAMLConstants.SAML20P_NS);
        SAMLMetadataContext peerMetadataContext = (SAMLMetadataContext) peerEntityContext.getSubcontext(SAMLMetadataContext.class);
        RoleDescriptor peerRoleDescriptor = peerMetadataContext.getRoleDescriptor();
        OpenSamlUtil.signObject(outboundRequest, signingCredential, peerRoleDescriptor);

        HttpServletResponseMessageEncoder encoder = getSamlBinding(endpoint.getBinding()).getHttpServletResponseMessageEncoderSupplier().get();
        OpenSamlUtil.prepareSecurityParametersContext(signingCredential, (SecurityParametersContext) messageContext.getSubcontext(SecurityParametersContext.class), peerRoleDescriptor);
        encoder.setHttpServletResponse(httpServletResponse);
        encoder.setMessageContext(messageContext);
        encoder.initialize();
        encoder.encode();
    }

    /**
     * Sends a logout request to one service provider and records that the attempt has started.
     *
     * <p>The SP's single logout endpoint is resolved from its metadata with HTTP-Redirect passed as
     * the binding argument. The request info is stamped with the current UTC time and status
     * {@code 1} before anything is sent. If the resolved endpoint uses SOAP 1.1, the request is sent
     * synchronously and the returned status code is stored and rendered; otherwise the request is
     * encoded onto the response by {@code sendAsyncLogoutRequest}.</p>
     *
     * <p>NOTE(review): the resolved endpoint is dereferenced without a null check. The visible
     * caller checks a lookup made with a different binding argument; confirm that check also covers
     * this lookup.</p>
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @param samlSloContext the logout context the request belongs to
     * @param samlSloRequestInfo the per-SP state; supplies the entity id and the IdP-to-SP session
     * @throws Exception if resolving the SP, sending the request or rendering the status page fails
     */
    protected void sendIdpLogoutRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SamlSloContext samlSloContext, SamlSloRequestInfo samlSloRequestInfo) throws Exception {
        MessageContext<?> outboundContext = getMessageContext(httpServletRequest, httpServletResponse, samlSloRequestInfo.getEntityId());
        SAMLPeerEntityContext peerEntityContext = (SAMLPeerEntityContext) outboundContext.getSubcontext(SAMLPeerEntityContext.class);
        SAMLMetadataContext peerMetadataContext = (SAMLMetadataContext) peerEntityContext.getSubcontext(SAMLMetadataContext.class);
        SingleLogoutService endpoint = SamlUtil.resolveSingleLogoutService((SPSSODescriptor) peerMetadataContext.getRoleDescriptor(), SAMLConstants.SAML2_REDIRECT_BINDING_URI);
        SAMLEndpointContext endpointContext = (SAMLEndpointContext) peerEntityContext.getSubcontext(SAMLEndpointContext.class, true);
        endpointContext.setEndpoint(endpoint);

        // The NameID sent to the SP is the one stored on the IdP-to-SP session.
        SamlIdpSpSession idpSpSession = samlSloRequestInfo.getSamlIdpSpSession();
        SAMLSubjectNameIdentifierContext nameIdContext = (SAMLSubjectNameIdentifierContext) outboundContext.getSubcontext(SAMLSubjectNameIdentifierContext.class, true);
        nameIdContext.setSubjectNameIdentifier(OpenSamlUtil.buildNameId(idpSpSession.getNameIdFormat(), idpSpSession.getNameIdValue()));

        samlSloRequestInfo.setInitiateTime(new DateTime(DateTimeZone.UTC));
        samlSloRequestInfo.setStatus(1);

        boolean soapBinding = endpoint.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI);
        if (soapBinding) {
            samlSloRequestInfo.setStatusCode(sendSyncLogoutRequest(outboundContext, samlSloContext));
            httpServletRequest.setAttribute("SAML_SLO_REQUEST_INFO", samlSloRequestInfo.toJSONObject());
            JspUtil.dispatch(httpServletRequest, httpServletResponse, "/portal/saml/slo_sp_status.jsp", "single-sign-out", true);
            return;
        }
        sendAsyncLogoutRequest(outboundContext, samlSloContext, httpServletResponse);
    }

    /**
     * Builds and sends the identity provider's LogoutResponse for the LogoutRequest held in
     * the inbound message context of {@code samlSloContext}.
     *
     * <p>The response destination is resolved from the peer's metadata role descriptor and
     * the binding URI recorded in the message context, and {@code InResponseTo} is copied
     * from the inbound request's ID. Unless {@code str} equals
     * {@code StatusCode.UNSUPPORTED_BINDING}, the local SSO session is terminated and the
     * user is logged out <em>before</em> the response is sent.
     *
     * @param httpServletRequest current request
     * @param httpServletResponse current response the SAML message is written to
     * @param str status code value to place in the response; must not be {@code null}
     * @param samlSloContext single logout state carrying the message context
     * @throws Exception if building or sending the response fails
     */
    protected void sendIdpLogoutResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, SamlSloContext samlSloContext) throws Exception {
        LogoutResponse response = OpenSamlUtil.buildLogoutResponse();
        MessageContext<?> sloMessageContext = samlSloContext.getMessageContext();
        InOutOperationContext exchange = (InOutOperationContext) sloMessageContext.getSubcontext(InOutOperationContext.class);
        MessageContext inbound = exchange.getInboundMessageContext();
        SAMLPeerEntityContext peerContext = (SAMLPeerEntityContext) sloMessageContext.getSubcontext(SAMLPeerEntityContext.class);

        // Endpoint selection relies on stored peer metadata, so the destination is not
        // taken from the inbound request.
        SAMLMetadataContext peerMetadata = (SAMLMetadataContext) peerContext.getSubcontext(SAMLMetadataContext.class);
        SSODescriptor peerDescriptor = (SSODescriptor) peerMetadata.getRoleDescriptor();
        SAMLBindingContext bindingContext = (SAMLBindingContext) sloMessageContext.getSubcontext(SAMLBindingContext.class);
        SingleLogoutService sloEndpoint = SamlUtil.resolveSingleLogoutService(peerDescriptor, bindingContext.getBindingUri());

        response.setDestination(sloEndpoint.getLocation());
        response.setID(generateIdentifier(20));
        // The cast assumes the inbound message is a LogoutRequest; anything else fails here.
        LogoutRequest inboundRequest = (LogoutRequest) inbound.getMessage();
        response.setInResponseTo(inboundRequest.getID());
        response.setIssueInstant(new DateTime(DateTimeZone.UTC));
        SAMLSelfEntityContext selfContext = (SAMLSelfEntityContext) sloMessageContext.getSubcontext(SAMLSelfEntityContext.class);
        response.setIssuer(OpenSamlUtil.buildIssuer(selfContext.getEntityId()));
        response.setStatus(OpenSamlUtil.buildStatus(OpenSamlUtil.buildStatusCode(str)));
        response.setVersion(SAMLVersion.VERSION_20);

        MessageContext outbound = exchange.getOutboundMessageContext();
        outbound.setMessage(response);
        outbound.addSubcontext(peerContext);
        // Signing parameters are attached to the outbound context here; the signature itself
        // is presumably applied while encoding in sendSamlMessage - confirm there.
        OpenSamlUtil.prepareSecurityParametersContext(this.metadataManager.getSigningCredential(), (SecurityParametersContext) outbound.getSubcontext(SecurityParametersContext.class, true), peerDescriptor);
        SAMLProtocolContext protocolContext = (SAMLProtocolContext) outbound.getSubcontext(SAMLProtocolContext.class, true);
        protocolContext.setProtocol(SAMLConstants.SAML20P_NS);
        SAMLEndpointContext endpointContext = (SAMLEndpointContext) peerContext.getSubcontext(SAMLEndpointContext.class, true);
        endpointContext.setEndpoint(sloEndpoint);

        // Only an unsupported-binding answer leaves the session alone; every other status,
        // including failure statuses, ends the local session before the response goes out.
        boolean bindingRejected = str.equals(StatusCode.UNSUPPORTED_BINDING);
        if (!bindingRejected) {
            terminateSsoSession(httpServletRequest, httpServletResponse);
            logout(httpServletRequest, httpServletResponse);
        }

        sendSamlMessage(sloMessageContext, httpServletResponse);
    }

    /**
     * Starts service-provider-initiated single logout by sending a LogoutRequest to the
     * identity provider recorded on the caller's SAML SP session.
     *
     * <p>When the request has no SP session, or the session is already terminated, no SAML
     * message is built and the call is delegated to {@code redirectToLogout}. Otherwise the
     * request's NameID and SessionIndex are taken from the stored SP session, and the
     * destination is resolved from the IdP's metadata role descriptor with HTTP-POST passed
     * as the requested binding.
     *
     * @param httpServletRequest current request, used to look up the SP session
     * @param httpServletResponse current response the SAML message is written to
     * @throws Exception if building or sending the request fails
     */
    protected void sendSpLogoutRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        SamlSpSession spSession = getSamlSpSession(httpServletRequest);
        if (spSession == null || spSession.isTerminated()) {
            // Nothing to tell the IdP about; fall back to the local logout path.
            redirectToLogout(httpServletRequest, httpServletResponse);
            return;
        }

        LogoutRequest request = OpenSamlUtil.buildLogoutRequest();
        MessageContext<?> sloMessageContext = getMessageContext(httpServletRequest, httpServletResponse, spSession.getSamlIdpEntityId());

        // A fresh in/out pair is attached so the request travels in the outbound context.
        InOutOperationContext exchange = new InOutOperationContext(new MessageContext(), new MessageContext());
        sloMessageContext.addSubcontext(exchange);
        MessageContext outbound = exchange.getOutboundMessageContext();
        outbound.setMessage(request);

        SAMLPeerEntityContext peerContext = (SAMLPeerEntityContext) sloMessageContext.getSubcontext(SAMLPeerEntityContext.class);
        outbound.addSubcontext(peerContext);

        // Destination comes from the IdP's metadata, never from request parameters.
        SAMLMetadataContext peerMetadata = (SAMLMetadataContext) peerContext.getSubcontext(SAMLMetadataContext.class, true);
        IDPSSODescriptor idpDescriptor = (IDPSSODescriptor) peerMetadata.getRoleDescriptor();
        SingleLogoutService sloEndpoint = SamlUtil.resolveSingleLogoutService(idpDescriptor, SAMLConstants.SAML2_POST_BINDING_URI);

        request.setDestination(sloEndpoint.getLocation());
        request.setID(generateIdentifier(20));
        request.setIssueInstant(new DateTime(DateTimeZone.UTC));

        SAMLSelfEntityContext selfContext = (SAMLSelfEntityContext) sloMessageContext.getSubcontext(SAMLSelfEntityContext.class);
        Issuer issuer = OpenSamlUtil.buildIssuer(selfContext.getEntityId());
        outbound.addSubcontext(selfContext);
        // Signing parameters are attached to the outbound context; the signature itself is
        // presumably applied while encoding in sendSamlMessage - confirm there.
        OpenSamlUtil.prepareSecurityParametersContext(this.metadataManager.getSigningCredential(), (SecurityParametersContext) outbound.getSubcontext(SecurityParametersContext.class, true), idpDescriptor);

        request.setIssuer(issuer);
        // Subject and session index are replayed from what was stored at login time.
        request.setNameID(OpenSamlUtil.buildNameId(spSession.getNameIdFormat(), spSession.getNameIdNameQualifier(), spSession.getNameIdSPNameQualifier(), spSession.getNameIdValue()));
        request.setVersion(SAMLVersion.VERSION_20);
        addSessionIndex(request, spSession.getSessionIndex());

        SAMLEndpointContext endpointContext = (SAMLEndpointContext) peerContext.getSubcontext(SAMLEndpointContext.class, true);
        endpointContext.setEndpoint(sloEndpoint);

        sendSamlMessage(sloMessageContext, httpServletResponse);
    }

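    /**
     * Sends a signed LogoutRequest to the peer over the SOAP 1.1 back channel and returns
     * the status code value of the LogoutResponse that comes back.
     *
     * <p>The endpoint, issuer and NameID are read from subcontexts the caller has already
     * populated on {@code messageContext}. The request is signed with this provider's
     * signing credential and posted to the endpoint location with the configured HTTP
     * client.
     *
     * <p>NOTE(review): the returned status code is read from the decoded response as is.
     * No signature, issuer or {@code InResponseTo} check on the response is visible in this
     * method; confirm that the SOAP decoder, the pipeline, or the caller enforces them
     * before the status is treated as the peer's confirmed answer.
     *
     * @param messageContext message context holding the peer, endpoint, self-entity,
     *        NameID and in/out operation subcontexts
     * @param samlSloContext single logout state; supplies the SSO session ID used as the
     *        session index
     * @return the {@code StatusCode} value of the peer's LogoutResponse
     * @throws IllegalStateException if the exchange yields no LogoutResponse or the
     *         response carries no status code
     * @throws Exception if building, signing or sending the request fails
     */
    protected String sendSyncLogoutRequest(MessageContext<?> messageContext, SamlSloContext samlSloContext) throws Exception {
        SAMLPeerEntityContext sAMLPeerEntityContext = (SAMLPeerEntityContext) messageContext.getSubcontext(SAMLPeerEntityContext.class);
        SAMLEndpointContext sAMLEndpointContext = (SAMLEndpointContext) sAMLPeerEntityContext.getSubcontext(SAMLEndpointContext.class);
        SingleLogoutService singleLogoutService = (SingleLogoutService) sAMLEndpointContext.getEndpoint();

        LogoutRequest buildLogoutRequest = OpenSamlUtil.buildLogoutRequest();
        buildLogoutRequest.setDestination(singleLogoutService.getLocation());
        buildLogoutRequest.setID(generateIdentifier(20));
        buildLogoutRequest.setIssueInstant(new DateTime(DateTimeZone.UTC));
        buildLogoutRequest.setIssuer(OpenSamlUtil.buildIssuer(((SAMLSelfEntityContext) messageContext.getSubcontext(SAMLSelfEntityContext.class)).getEntityId()));
        buildLogoutRequest.setNameID(((SAMLSubjectNameIdentifierContext) messageContext.getSubcontext(SAMLSubjectNameIdentifierContext.class)).getSAML2SubjectNameID());
        buildLogoutRequest.setVersion(SAMLVersion.VERSION_20);
        addSessionIndex(buildLogoutRequest, samlSloContext.getSamlSsoSessionId());

        InOutOperationContext inOutOperationContext = (InOutOperationContext) messageContext.getSubcontext(InOutOperationContext.class);
        MessageContext outboundMessageContext = inOutOperationContext.getOutboundMessageContext();
        outboundMessageContext.addSubcontext(sAMLEndpointContext);
        outboundMessageContext.setMessage(buildLogoutRequest);

        Credential signingCredential = this.metadataManager.getSigningCredential();
        SecurityParametersContext securityParametersContext = (SecurityParametersContext) outboundMessageContext.getSubcontext(SecurityParametersContext.class, true);
        RoleDescriptor roleDescriptor = ((SAMLMetadataContext) sAMLPeerEntityContext.getSubcontext(SAMLMetadataContext.class)).getRoleDescriptor();
        OpenSamlUtil.prepareSecurityParametersContext(signingCredential, securityParametersContext, roleDescriptor);
        // The sibling send methods look this subcontext up with auto-create enabled; do the
        // same here so a missing SAMLProtocolContext cannot surface as a bare NPE.
        ((SAMLProtocolContext) outboundMessageContext.getSubcontext(SAMLProtocolContext.class, true)).setProtocol(SAMLConstants.SAML20P_NS);
        // The request object itself is signed before it is handed to the SOAP client.
        OpenSamlUtil.signObject(buildLogoutRequest, signingCredential, roleDescriptor);

        final SamlBinding samlBinding = getSamlBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI);
        PipelineFactoryHttpSOAPClient pipelineFactoryHttpSOAPClient = new PipelineFactoryHttpSOAPClient();
        // Every pipeline gets a fresh encoder/decoder pair from the SOAP binding's suppliers.
        pipelineFactoryHttpSOAPClient.setPipelineFactory(new HttpClientMessagePipelineFactory<Object, Object>() {
            @Override
            @Nonnull
            public HttpClientMessagePipeline<Object, Object> newInstance() {
                return new BasicHttpClientMessagePipeline(samlBinding.getHttpServletResponseMessageEncoderSupplier().get(), samlBinding.getHttpServletRequestMessageDecoderSupplier().get());
            }

            @Override
            @Nonnull
            public HttpClientMessagePipeline<Object, Object> newInstance(@Nullable String str) {
                // The pipeline name is not used; all pipelines are built the same way.
                return newInstance();
            }
        });
        pipelineFactoryHttpSOAPClient.setHttpClient(this._httpClient);
        pipelineFactoryHttpSOAPClient.initialize();
        pipelineFactoryHttpSOAPClient.send(singleLogoutService.getLocation(), inOutOperationContext);

        // The reply comes from a remote party: reject a missing, mistyped or status-less
        // message explicitly instead of failing with an NPE or ClassCastException.
        Object responseMessage = inOutOperationContext.getInboundMessageContext().getMessage();
        if (!(responseMessage instanceof LogoutResponse)) {
            throw new IllegalStateException("SOAP single logout exchange did not return a SAML LogoutResponse");
        }
        LogoutResponse logoutResponse = (LogoutResponse) responseMessage;
        if (logoutResponse.getStatus() == null || logoutResponse.getStatus().getStatusCode() == null) {
            throw new IllegalStateException("SAML LogoutResponse carries no status code");
        }
        return logoutResponse.getStatus().getStatusCode().getValue();
    }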

    /**
     * Stores the injected {@code Portal} service in the {@code portal} field.
     *
     * <p>The {@code @Reference} annotation marks this setter as an injection point;
     * {@code unbind = "-"} declares that there is no matching unbind method.
     *
     * @param portal the service instance to use
     */
    @Reference(unbind = "-")
    protected void setPortal(Portal portal) {
        this.portal = portal;
    }

    /**
     * Stores the injected {@code SamlHttpRequestUtil} in the {@code _samlHttpRequestUtil} field.
     *
     * <p>The {@code @Reference} annotation marks this setter as an injection point;
     * {@code unbind = "-"} declares that there is no matching unbind method.
     *
     * @param samlHttpRequestUtil the helper instance to use
     */
    @Reference(unbind = "-")
    protected void setSamlHttpRequestUtil(SamlHttpRequestUtil samlHttpRequestUtil) {
        this._samlHttpRequestUtil = samlHttpRequestUtil;
    }

    /**
     * Stores the injected {@code SamlIdpSpConnectionLocalService} in the
     * {@code _samlIdpSpConnectionLocalService} field.
     *
     * <p>The {@code @Reference} annotation marks this setter as an injection point;
     * {@code unbind = "-"} declares that there is no matching unbind method.
     *
     * @param samlIdpSpConnectionLocalService the service instance to use
     */
    @Reference(unbind = "-")
    protected void setSamlIdpSpConnectionLocalService(SamlIdpSpConnectionLocalService samlIdpSpConnectionLocalService) {
        this._samlIdpSpConnectionLocalService = samlIdpSpConnectionLocalService;
    }

    /**
     * Stores the injected {@code SamlIdpSpSessionLocalService} in the
     * {@code _samlIdpSpSessionLocalService} field.
     *
     * <p>The {@code @Reference} annotation marks this setter as an injection point;
     * {@code unbind = "-"} declares that there is no matching unbind method.
     *
     * @param samlIdpSpSessionLocalService the service instance to use
     */
    @Reference(unbind = "-")
    protected void setSamlIdpSpSessionLocalService(SamlIdpSpSessionLocalService samlIdpSpSessionLocalService) {
        this._samlIdpSpSessionLocalService = samlIdpSpSessionLocalService;
    }

    /**
     * Stores the injected {@code SamlIdpSsoSessionLocalService} in the
     * {@code _samlIdpSsoSessionLocalService} field.
     *
     * <p>The {@code @Reference} annotation marks this setter as an injection point;
     * {@code unbind = "-"} declares that there is no matching unbind method.
     *
     * @param samlIdpSsoSessionLocalService the service instance to use
     */
    @Reference(unbind = "-")
    protected void setSamlIdpSsoSessionLocalService(SamlIdpSsoSessionLocalService samlIdpSsoSessionLocalService) {
        this._samlIdpSsoSessionLocalService = samlIdpSsoSessionLocalService;
    }

    /**
     * Stores the injected {@code SamlSpSessionLocalService} in the
     * {@code samlSpSessionLocalService} field.
     *
     * <p>The {@code @Reference} annotation marks this setter as an injection point;
     * {@code unbind = "-"} declares that there is no matching unbind method.
     *
     * @param samlSpSessionLocalService the service instance to use
     */
    @Reference(unbind = "-")
    protected void setSamlSpSessionLocalService(SamlSpSessionLocalService samlSpSessionLocalService) {
        this.samlSpSessionLocalService = samlSpSessionLocalService;
    }

    /**
     * Stores the injected {@code UserLocalService} in the {@code _userLocalService} field.
     *
     * <p>The {@code @Reference} annotation marks this setter as an injection point;
     * {@code unbind = "-"} declares that there is no matching unbind method.
     *
     * @param userLocalService the service instance to use
     */
    @Reference(unbind = "-")
    protected void setUserLocalService(UserLocalService userLocalService) {
        this._userLocalService = userLocalService;
    }
}
