package com.evolveum.midpoint.web.security;

import com.evolveum.midpoint.model.api.authentication.MidpointAuthentication;
import com.evolveum.midpoint.model.api.authentication.ModuleAuthentication;
import java.io.IOException;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.saml.SamlAuthentication;
import org.springframework.security.saml.SamlException;
import org.springframework.security.saml.SamlTemplateEngine;
import org.springframework.security.saml.provider.provisioning.SamlProviderProvisioning;
import org.springframework.security.saml.provider.service.ServiceProviderService;
import org.springframework.security.saml.provider.service.authentication.ServiceProviderLogoutHandler;
import org.springframework.security.saml.saml2.authentication.LogoutRequest;
import org.springframework.security.saml.saml2.metadata.Binding;
import org.springframework.security.saml.saml2.metadata.IdentityProviderMetadata;
import org.springframework.security.saml.spi.opensaml.OpenSamlVelocityEngine;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.util.StringUtils;
import org.springframework.web.util.HtmlUtils;

/* loaded from: input_file:com/evolveum/midpoint/web/security/MidpointServiceProviderLogoutHandler.class */
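/**
 * SP-initiated SAML logout handler for midPoint.
 *
 * <p>Extends the Spring SAML {@link ServiceProviderLogoutHandler} so that it accepts a
 * {@link MidpointAuthentication} (whose processing module may wrap the real
 * {@link SamlAuthentication}) and so that it can send the {@link LogoutRequest} with the
 * HTTP-POST binding, which the superclass path used here only supports for HTTP-Redirect.
 */
public class MidpointServiceProviderLogoutHandler extends ServiceProviderLogoutHandler {

    /** Velocity template rendering the self-submitting HTML form used for the POST binding. */
    private static final String POST_TEMPLATE = "/templates/saml2-post-binding.vm";

    private final SamlTemplateEngine samlTemplateEngine;
    private final SamlProviderProvisioning<ServiceProviderService> provisioning;

    /**
     * Creates the handler.
     *
     * @param samlProviderProvisioning source of the hosted {@link ServiceProviderService}; handed to
     *         the superclass and also kept locally because the POST-binding path needs it directly
     */
    public MidpointServiceProviderLogoutHandler(SamlProviderProvisioning<ServiceProviderService> samlProviderProvisioning) {
        super(samlProviderProvisioning);
        this.samlTemplateEngine = new OpenSamlVelocityEngine();
        this.provisioning = samlProviderProvisioning;
    }

    /** @return the provisioning this handler was constructed with */
    public SamlProviderProvisioning<ServiceProviderService> getProvisioning() {
        return provisioning;
    }

    /**
     * Starts an SP-initiated logout towards the IdP that asserted the current SAML session.
     *
     * <p>A {@link LogoutRequest} is built for the remote IdP referenced by the SAML authentication.
     * If its destination uses {@link Binding#REDIRECT} the superclass handles the redirect; if it
     * uses {@link Binding#POST} a self-submitting form is rendered into the response. When the
     * module authentication does not carry a {@link SamlAuthentication} (or is absent) nothing is
     * sent and the method returns normally.
     *
     * @param httpServletRequest current request
     * @param httpServletResponse response the redirect or form is written to
     * @param authentication must be a {@link MidpointAuthentication}
     * @throws IllegalArgumentException if {@code authentication} is not a {@link MidpointAuthentication},
     *         or if the logout destination uses a binding other than REDIRECT or POST
     * @throws IOException propagated from the superclass redirect path
     */
    @Override
    protected void spInitiatedLogout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
            Authentication authentication) throws IOException {
        if (!(authentication instanceof MidpointAuthentication)) {
            // NOTE(review): the message names MidpointLogoutRedirectFilter rather than this class — confirm that is intended.
            throw new IllegalArgumentException("Unsupported type " + (authentication == null ? null : authentication.getClass().getName())
                    + " of authentication for MidpointLogoutRedirectFilter, supported is only MidpointAuthentication");
        }
        ModuleAuthentication moduleAuth = ((MidpointAuthentication) authentication).getProcessingModuleAuthentication();
        SamlAuthentication samlAuth = getSamlAuth(moduleAuth);
        if (samlAuth == null) {
            // Not SAML-authenticated (or no processing module): there is no IdP session to terminate.
            return;
        }
        ServiceProviderService sp = provisioning.getHostedProvider();
        IdentityProviderMetadata idp = (IdentityProviderMetadata) sp.getRemoteProvider(samlAuth.getAssertingEntityId());
        LogoutRequest logoutRequest = sp.logoutRequest(idp, samlAuth.getSamlPrincipal());
        Binding binding = logoutRequest.getDestination().getBinding();
        if (Binding.REDIRECT.equals(binding)) {
            super.spInitiatedLogout(httpServletRequest, httpServletResponse, samlAuth);
        } else if (Binding.POST.equals(binding)) {
            processPostLogout(httpServletRequest, httpServletResponse, logoutRequest, idp, sp);
        } else {
            // Constant-first equals above also routes a null binding here instead of throwing NPE.
            throw new IllegalArgumentException("Unsupported binding for logout " + binding);
        }
    }

    /**
     * Unwraps the {@link SamlAuthentication} carried by a module authentication.
     *
     * <p>The SAML authentication is either the module's authentication itself, or — when the
     * module holds an {@link AnonymousAuthenticationToken} or a
     * {@link PreAuthenticatedAuthenticationToken} — stored in that token's details.
     *
     * @param moduleAuthentication the processing module authentication; may be {@code null}
     * @return the SAML authentication, or {@code null} if none can be found
     */
    private SamlAuthentication getSamlAuth(ModuleAuthentication moduleAuthentication) {
        if (moduleAuthentication == null) {
            return null;
        }
        Authentication auth = moduleAuthentication.getAuthentication();
        if (auth instanceof SamlAuthentication) {
            return (SamlAuthentication) auth;
        }
        boolean wrapperToken = auth instanceof AnonymousAuthenticationToken
                || auth instanceof PreAuthenticatedAuthenticationToken;
        if (wrapperToken && auth.getDetails() instanceof SamlAuthentication) {
            return (SamlAuthentication) auth.getDetails();
        }
        return null;
    }

    /**
     * Sends the logout request with the HTTP-POST binding by rendering a self-submitting HTML form.
     *
     * @param httpServletRequest current request (passed to the template engine and used to obtain the relay state)
     * @param httpServletResponse response the form is written to; content type is set to HTML/UTF-8
     * @param logoutRequest the request to send; its destination location becomes the form action
     * @param identityProviderMetadata metadata of the IdP the request is addressed to
     * @param serviceProviderService hosted SP used to encode the request
     * @throws SamlException if writing to the response fails (wraps the {@link IOException})
     */
    private void processPostLogout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
            LogoutRequest logoutRequest, IdentityProviderMetadata identityProviderMetadata,
            ServiceProviderService serviceProviderService) {
        // The boolean presumably selects deflate-compression, which the POST binding does not use — confirm against ServiceProviderService.
        String encodedXml = serviceProviderService.toEncodedXml(logoutRequest, false);
        Map<String, Object> model = new HashMap<>();
        // "action" is the destination taken from the LogoutRequest built against the IdP metadata, i.e. configured data,
        // and "SAMLRequest" is the encoded message; neither is escaped here, so the template must treat them as
        // attribute values. Whether it does is not visible in this file.
        model.put("action", logoutRequest.getDestination().getLocation());
        model.put("SAMLRequest", encodedXml);
        // RelayState is rendered into the HTML form, so it is HTML-escaped; the inherited getLogoutRelayState
        // may derive it from the incoming request — TODO confirm, as that would make it attacker-influenced.
        String relayState = getLogoutRelayState(httpServletRequest, identityProviderMetadata);
        if (StringUtils.hasText(relayState)) {
            model.put("RelayState", HtmlUtils.htmlEscape(relayState));
        }
        httpServletResponse.setContentType("text/html");
        httpServletResponse.setCharacterEncoding(StandardCharsets.UTF_8.name());
        // NOTE(review): no Cache-Control/Pragma headers are set on this page, which carries the logout message — consider "no-store".
        StringWriter rendered = new StringWriter();
        samlTemplateEngine.process(httpServletRequest, POST_TEMPLATE, model, rendered);
        try {
            httpServletResponse.getWriter().write(rendered.toString());
        } catch (IOException e) {
            throw new SamlException(e);
        }
    }
}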
