package com.appiancorp.security.auth;

import com.appian.logging.AppianLogger;
import com.appiancorp.ap2.LoginPageServlet;
import com.appiancorp.security.LogoutSuccessHandlerDelegate;
import com.appiancorp.security.auth.UserStatusService;
import com.appiancorp.security.auth.mobile.InAppBrowserClientRequestMatcher;
import com.appiancorp.security.auth.saml.IdentityProviderManager;
import com.appiancorp.security.auth.saml.SamlFilter;
import com.appiancorp.security.auth.saml.redirecter.AppianLogoutRedirecter;
import com.appiancorp.security.auth.saml.redirecter.SamlAuthProviderQueryStringGenerator;
import com.appiancorp.suite.cfg.SamlConfiguration;
import com.appiancorp.suiteapi.security.auth.AppianUserDetails;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Strings;
import java.io.IOException;
import java.util.Optional;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.NameIDType;
import org.opensaml.saml.saml2.core.impl.NameIDBuilder;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;

/* loaded from: input_file:com/appiancorp/security/auth/LogoutSuccessHandler.class */
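/**
 * Decides where the browser goes after the local session has been logged out.
 *
 * <p>The outcome depends on the {@link UserStatusService.UserStatus} reported for the
 * {@link Authentication} that was just logged out, on the SAML configuration, and on whether
 * the request is an in-app-browser or embedded logout request. Depending on those inputs the
 * handler answers with a bare 200, falls back to the {@link SimpleUrlLogoutSuccessHandler}
 * behaviour, redirects to the logout page, hands off to the OIDC delegate, or sends a SAML
 * single-logout request to the identity provider.
 */
public class LogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler {
    private static final AppianLogger LOG = AppianLogger.getLogger(LogoutSuccessHandler.class);
    private final SamlConfiguration samlConfiguration;
    private final IdentityProviderManager identityProviderManager;
    private final AppianLogoutRedirecter appianLogoutRedirecter;
    private final SamlAuthProviderQueryStringGenerator authProviderQueryStringCreator;
    private final UserStatusService userStatusService;
    private final InAppBrowserClientRequestMatcher inAppBrowserClientRequestMatcher;
    private final LogoutSuccessHandlerDelegate oidcLogoutSuccessHandlerDelegate;

    /**
     * Stores the collaborators; no other work is done at construction time.
     *
     * @param samlConfiguration SAML settings consulted for "enabled", "redirect when
     *     unauthenticated" and the IdP logout URL
     * @param identityProviderManager used to send the SAML single-logout request
     * @param appianLogoutRedirecter used to redirect to the logout page
     * @param samlAuthProviderQueryStringGenerator supplies the query string for the current IdP
     * @param userStatusService classifies the logged-out authentication
     * @param inAppBrowserClientRequestMatcher recognises in-app-browser client requests
     * @param logoutSuccessHandlerDelegate given first refusal on OIDC users
     */
    public LogoutSuccessHandler(SamlConfiguration samlConfiguration, IdentityProviderManager identityProviderManager, AppianLogoutRedirecter appianLogoutRedirecter, SamlAuthProviderQueryStringGenerator samlAuthProviderQueryStringGenerator, UserStatusService userStatusService, InAppBrowserClientRequestMatcher inAppBrowserClientRequestMatcher, LogoutSuccessHandlerDelegate logoutSuccessHandlerDelegate) {
        this.samlConfiguration = samlConfiguration;
        this.identityProviderManager = identityProviderManager;
        this.appianLogoutRedirecter = appianLogoutRedirecter;
        this.userStatusService = userStatusService;
        this.authProviderQueryStringCreator = samlAuthProviderQueryStringGenerator;
        this.inAppBrowserClientRequestMatcher = inAppBrowserClientRequestMatcher;
        this.oidcLogoutSuccessHandlerDelegate = logoutSuccessHandlerDelegate;
    }

    /**
     * Routes the response after a successful local logout.
     *
     * <p>NOTE(review): for embedded logout requests the redirect target
     * ({@code returnLinkServletPath}) is obtained from the request through
     * {@code EmbeddedLogoutHelper}. Whether that helper restricts the value to
     * same-application paths is not visible in this class; confirm it does, because the value
     * is passed to {@code sendRedirect} and to the logout-page redirecter unchanged.
     *
     * <p>NOTE(review): {@code authentication} is dereferenced in the SAML branch. Presumably
     * {@code UserStatusService} never reports {@code SAML_USER} for a {@code null}
     * authentication or a principal that is not an {@link AppianUserDetails}; verify.
     *
     * @param httpServletRequest the logout request
     * @param httpServletResponse the response to write the status or redirect to
     * @param authentication the authentication that was logged out
     * @throws IOException if a redirect cannot be written
     * @throws ServletException if the SAML single-logout request cannot be sent
     * @throws IllegalStateException if the status service returns a status this handler does
     *     not know
     */
    @Override
    public void onLogoutSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException {
        // In-app-browser clients get a plain 200 and nothing else: no redirect is issued and
        // neither the OIDC delegate nor the SAML single-logout path below is reached.
        if (this.inAppBrowserClientRequestMatcher.matches(httpServletRequest)) {
            httpServletResponse.setStatus(HttpServletResponse.SC_OK);
            return;
        }
        boolean isEmbeddedLogoutRequest = EmbeddedLogoutHelper.isEmbeddedLogoutRequest(httpServletRequest);
        // Only embedded logout requests carry a return link; everything else passes null.
        String returnLinkServletPath = isEmbeddedLogoutRequest ? EmbeddedLogoutHelper.getReturnLinkServletPath(httpServletRequest) : null;
        UserStatusService.UserStatus status = this.userStatusService.getStatus(authentication);
        if (shouldPerformDefaultLogout(status)) {
            if (isEmbeddedLogoutRequest) {
                getRedirectStrategy().sendRedirect(httpServletRequest, httpServletResponse, returnLinkServletPath);
            } else {
                super.onLogoutSuccess(httpServletRequest, httpServletResponse, authentication);
            }
            return;
        }
        switch (status) {
            case UNKNOWN_USER:
                this.appianLogoutRedirecter.redirectToLogoutPage(httpServletRequest, httpServletResponse, "Success", returnLinkServletPath, currentIdpQueryString());
                return;
            case OIDC_USER:
                // The delegate reports whether it already handled the response.
                if (this.oidcLogoutSuccessHandlerDelegate.delegate(httpServletRequest, httpServletResponse, authentication)) {
                    return;
                }
                this.appianLogoutRedirecter.redirectToLogoutPage(httpServletRequest, httpServletResponse, "Success", returnLinkServletPath, "signin=oidc");
                return;
            case SAML_USER:
                if (shouldSamlUserPerformSamlLogout((AppianUserDetails) authentication.getPrincipal())) {
                    performSamlIdpLogout(httpServletRequest, httpServletResponse, authentication);
                } else {
                    // No single-logout request is sent from this branch; the user is only
                    // redirected to the logout page.
                    this.appianLogoutRedirecter.redirectToLogoutPage(httpServletRequest, httpServletResponse, "Success", returnLinkServletPath, currentIdpQueryString());
                }
                return;
            case PIEE_USER:
                this.appianLogoutRedirecter.redirectToLogoutPage(httpServletRequest, httpServletResponse, "Success", returnLinkServletPath, "");
                return;
            case OTHER_USER:
                getRedirectStrategy().sendRedirect(httpServletRequest, httpServletResponse, isEmbeddedLogoutRequest ? returnLinkServletPath : LoginPageServlet.PORTAL_LOGIN_JSP);
                return;
            default:
                // Still a RuntimeException for existing callers; the status is included so an
                // unhandled enum constant can be identified from the log.
                throw new IllegalStateException("Invalid userStatus type returned: " + status);
        }
    }

    /** Returns the query string for the current IdP entity id, or an empty string if none. */
    private String currentIdpQueryString() {
        return this.authProviderQueryStringCreator.generateFromCurrentIdpEntityId().orElse("");
    }

    /**
     * Tells whether the inherited {@link SimpleUrlLogoutSuccessHandler} behaviour applies.
     *
     * <p>PIEE and OIDC users never take the default path. With SAML enabled, SAML users and
     * every user when "redirect when unauthenticated" is set are excluded as well. Everyone
     * else takes the default path.
     *
     * @param userStatus the status reported for the logged-out authentication
     * @return {@code true} if the default logout handling should run
     */
    private boolean shouldPerformDefaultLogout(UserStatusService.UserStatus userStatus) {
        if (userStatus == UserStatusService.UserStatus.PIEE_USER || userStatus == UserStatusService.UserStatus.OIDC_USER) {
            return false;
        }
        if (this.samlConfiguration.isEnabled()) {
            return userStatus != UserStatusService.UserStatus.SAML_USER && !this.samlConfiguration.shouldRedirectWhenUnauthenticated();
        }
        return true;
    }

    /**
     * Tells whether a single-logout request should be sent to the IdP for this user.
     *
     * @param appianUserDetails the principal of the logged-out authentication
     * @return {@code true} only if the user logged in through SAML and an IdP logout URL is
     *     configured
     */
    private boolean shouldSamlUserPerformSamlLogout(AppianUserDetails appianUserDetails) {
        return appianUserDetails.isLoggedInThroughSaml() && !Strings.isNullOrEmpty(this.samlConfiguration.getIdpLogoutUrl());
    }

    /**
     * Sends a SAML single-logout request built from the session index and NameID that are
     * stored as request attributes under the {@link SamlFilter} keys.
     *
     * <p>When the NameID attribute is absent an empty NameID is built and sent instead.
     * NOTE(review): how the IdP treats a logout request with an empty NameID is not visible
     * here; if it rejects the request the IdP session may outlive the local one, so the debug
     * message below is the only trace of that case.
     *
     * @param httpServletRequest the logout request carrying the SAML attributes
     * @param httpServletResponse the response the logout request is written to
     * @param authentication the logged-out authentication; its name is passed to the IdP manager
     * @throws ServletException wrapping any failure while reading the attributes or sending
     *     the request
     */
    @VisibleForTesting
    void performSamlIdpLogout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws ServletException {
        try {
            Optional<String> sessionIndex = Optional.ofNullable((String) httpServletRequest.getAttribute(SamlFilter.SAML_SESSION_INDEX_KEY));
            // Declared with the type of the cast: assigning a NameIDType expression to a NameID
            // variable does not compile. Assumes sendSingleLogoutRequest accepts NameIDType —
            // TODO confirm against IdentityProviderManager.
            NameIDType nameID = (NameIDType) httpServletRequest.getAttribute(SamlFilter.SAML_NAME_ID_KEY);
            if (nameID == null) {
                LOG.debug("NameID not present on request, defaulting to an empty NameID");
                nameID = new NameIDBuilder().buildObject();
            }
            this.identityProviderManager.sendSingleLogoutRequest(httpServletRequest, httpServletResponse, authentication.getName(), sessionIndex, nameID);
        } catch (Exception e) {
            // Broad on purpose: the checked exceptions of the IdP manager are not visible here,
            // and the cause is preserved for the caller.
            throw new ServletException("Error trying to send logout redirect", e);
        }
    }
}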
