package com.appiancorp.security.auth.saml;

import com.appian.logging.AppianLogger;
import com.appiancorp.security.auth.saml.service.SamlSettings;
import com.appiancorp.security.auth.session.LogoutReasonFilter;
import com.appiancorp.security.auth.session.SessionDeletionReason;
import com.appiancorp.suite.cfg.SamlConfiguration;
import com.appiancorp.suiteapi.personalization.UserProfile;
import com.google.common.base.Optional;
import com.google.common.base.Preconditions;
import java.io.IOException;
import java.util.Objects;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.opensaml.messaging.encoder.MessageEncodingException;
import org.opensaml.messaging.handler.MessageHandlerException;
import org.opensaml.saml.common.SAMLRuntimeException;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.NameIDType;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;

/* loaded from: input_file:com/appiancorp/security/auth/saml/SamlLogoutRequestConsumer.class */
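/**
 * Handles a SAML {@code LogoutRequest} received from an identity provider: validates it, answers
 * with a {@code LogoutResponse}, and terminates the local session.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>A request is honoured only when SAML is enabled and {@link SamlMessageValidator} accepts it.</li>
 *   <li>When a local user session exists, the request must come from the IdP configured for that
 *       user and must name the same NameID that is stored on the session; otherwise it is
 *       rejected, so one IdP cannot end sessions that belong to another IdP's users.</li>
 *   <li>Any exception raised during validation is treated as a rejection (fail closed).</li>
 * </ul>
 */
public class SamlLogoutRequestConsumer {
    private static final AppianLogger LOG = AppianLogger.getLogger(SamlLogoutRequestConsumer.class);

    /** Session attribute under which the logged-in user's {@link UserProfile} is stored. */
    private static final String USER_PROFILE_SESSION_KEY = "upfs";

    private final SecurityContextLogoutHandler securityContextLogoutHandler;
    private final SamlMessageValidator samlMessageValidator;
    private final IdentityProviderManager identityProviderManager;
    private final SamlSettingsSelector samlSettingsSelector;
    private final SamlConfiguration samlConfig;

    /**
     * Creates a consumer from its collaborators.
     *
     * @throws NullPointerException if any argument is {@code null}
     */
    public SamlLogoutRequestConsumer(SecurityContextLogoutHandler securityContextLogoutHandler, SamlMessageValidator samlMessageValidator, IdentityProviderManager identityProviderManager, SamlSettingsSelector samlSettingsSelector, SamlConfiguration samlConfiguration) {
        this.securityContextLogoutHandler = Preconditions.checkNotNull(securityContextLogoutHandler);
        this.samlMessageValidator = Preconditions.checkNotNull(samlMessageValidator);
        this.identityProviderManager = Preconditions.checkNotNull(identityProviderManager);
        this.samlSettingsSelector = Preconditions.checkNotNull(samlSettingsSelector);
        this.samlConfig = Preconditions.checkNotNull(samlConfiguration);
    }

    /**
     * Processes an incoming SAML logout request.
     *
     * <p>If SAML is disabled or the request fails validation, an unsuccessful LogoutResponse is
     * sent and a {@link SAMLRuntimeException} is thrown. Otherwise a successful LogoutResponse is
     * sent and the local security context is logged out; the local logout runs even when sending
     * the response fails. Failures to encode or send either response are logged, not rethrown.
     *
     * <p>The request may arrive without a local session ({@code getSession(false)} returns
     * {@code null}); validation accepts that case, so every use of the session here is
     * null-guarded. Previously that path threw a {@link NullPointerException}, either before the
     * response was sent (debug logging enabled) or after it had already been sent.
     *
     * @param httpServletRequest the request carrying the LogoutRequest
     * @param httpServletResponse the response used for the LogoutResponse
     * @param samlMessageContextWrapper the decoded LogoutRequest and its relay state
     * @throws IOException declared by the original signature
     * @throws SAMLRuntimeException if the logout request is rejected
     */
    public void consume(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SamlMessageContextWrapper<LogoutRequest> samlMessageContextWrapper) throws IOException {
        HttpSession session = httpServletRequest.getSession(false);
        try {
            if (!this.samlConfig.isEnabled() || !validateLogoutRequest(samlMessageContextWrapper, httpServletRequest)) {
                this.identityProviderManager.sendUnsuccessfulLogoutResponse(httpServletResponse, samlMessageContextWrapper.getMessage(), samlMessageContextWrapper.getRelayState());
                throw new SAMLRuntimeException("Logout was unsuccessful");
            }
            if (LOG.isDebugEnabled()) {
                logUserBeingLoggedOut(session);
            }
            try {
                this.identityProviderManager.sendSuccessfulLogoutResponse(httpServletResponse, samlMessageContextWrapper.getMessage(), samlMessageContextWrapper.getRelayState());
            } finally {
                // The local logout must happen whether or not the response could be sent.
                if (session != null) {
                    session.setAttribute(LogoutReasonFilter.DELETION_REASON_ATTRIBUTE, SessionDeletionReason.LOGOUT);
                }
                this.securityContextLogoutHandler.logout(httpServletRequest, httpServletResponse, (Authentication) null);
            }
        } catch (MessageEncodingException | ComponentInitializationException | ResolverException | MessageHandlerException e) {
            LOG.error(e, "Failed to send SAML LogoutResponse");
        }
    }

    /** Writes the debug line naming the user being logged out, when the session holds a profile. */
    private void logUserBeingLoggedOut(HttpSession session) {
        if (session == null) {
            return;
        }
        UserProfile userProfile = (UserProfile) session.getAttribute(USER_PROFILE_SESSION_KEY);
        if (userProfile != null) {
            LOG.debug("Logging out user '" + userProfile.getUsername() + "'");
        }
    }

    /**
     * Runs message-level validation and the session binding check.
     *
     * @return {@code true} only if both checks pass; any exception is logged and yields
     *     {@code false}, so a malformed or unexpected request is rejected rather than honoured
     */
    private boolean validateLogoutRequest(SamlMessageContextWrapper<LogoutRequest> samlMessageContextWrapper, HttpServletRequest httpServletRequest) {
        try {
            this.samlMessageValidator.validateLogoutRequest(httpServletRequest, samlMessageContextWrapper);
            return isValidUsername(httpServletRequest.getSession(false), samlMessageContextWrapper);
        } catch (Exception e) {
            // Deliberately broad: every validation failure, including a NullPointerException from
            // missing session or message data in isValidUsername, must end in a rejection.
            LOG.error(e, "failed to validate SAML logout request");
            return false;
        }
    }

    /**
     * Checks that the LogoutRequest targets the user who owns the current session.
     *
     * <p>With no session, or a session without a user profile, there is no user to protect and
     * the request is accepted. Otherwise the issuer must equal the IdP entity id of the SAML
     * settings selected for the session's user, and the request's NameID must equal the NameID
     * stored on the session under {@code SamlFilter.SAML_NAME_ID_KEY} (presumably recorded at
     * login; confirm in SamlFilter).
     *
     * @return {@code true} if the request may proceed, {@code false} on any mismatch
     */
    private boolean isValidUsername(HttpSession httpSession, SamlMessageContextWrapper<LogoutRequest> samlMessageContextWrapper) {
        if (Objects.isNull(httpSession)) {
            return true;
        }
        UserProfile userProfile = (UserProfile) httpSession.getAttribute(USER_PROFILE_SESSION_KEY);
        if (Objects.isNull(userProfile)) {
            return true;
        }
        String username = userProfile.getUsername();
        // A session without a stored NameID, or a request without one, raises a
        // NullPointerException below; validateLogoutRequest logs it and rejects the request.
        String sessionNameId = ((NameIDType) httpSession.getAttribute(SamlFilter.SAML_NAME_ID_KEY)).getValue();
        Optional<SamlSettings> settingsForUser = this.samlSettingsSelector.selectSettingsForUser(username);
        boolean issuedByUsersIdp = settingsForUser.isPresent()
                && settingsForUser.get().getIdpEntityId().equals(samlMessageContextWrapper.getIssuer());
        if (!issuedByUsersIdp) {
            return false;
        }
        return sessionNameId.equals(((LogoutRequest) samlMessageContextWrapper.getMessage()).getNameID().getValue());
    }
}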
