package com.appiancorp.security.auth.ldap;

import com.appiancorp.security.auth.AutoSyncUserData;
import com.appiancorp.security.auth.ConditionalAuthenticatorWrapper;
import com.appiancorp.security.auth.GroupServiceHelper;
import com.appiancorp.suite.cfg.LdapConfiguration;
import com.appiancorp.suiteapi.common.exceptions.InvalidGroupException;
import com.appiancorp.suiteapi.common.exceptions.InvalidLoginException;
import com.appiancorp.suiteapi.common.exceptions.InvalidUserException;
import com.appiancorp.suiteapi.personalization.UserProfile;
import com.appiancorp.suiteapi.security.auth.AppianUserDetailsService;
import java.util.Optional;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;

/* loaded from: input_file:com/appiancorp/security/auth/ldap/LdapAuthenticatorWrapper.class */
/**
 * {@link ConditionalAuthenticatorWrapper} that routes username/password logins to LDAP.
 *
 * <p>Routing is decided in {@link #shouldUseAuthenticator(Authentication)}: LDAP must be enabled
 * and, when an authentication group UUID is configured, the user must belong to that group (or be
 * unknown while auto-creation is enabled). The credential check itself is delegated to the
 * authenticator produced by {@link LdapAuthenticatorFactory}.
 */
public class LdapAuthenticatorWrapper extends ConditionalAuthenticatorWrapper {
    // Value returned by getPriority(). NOTE(review): how priorities are ordered is defined by
    // the base class / its caller and is not visible in this file.
    private static final int AUTH_PRIORITY = 700;

    private LdapConfiguration ldapConfig;
    private LdapAuthenticatorFactory ldapAuthenticatorFactory;
    private final GroupServiceHelper groupServiceHelper;

    /**
     * Creates the wrapper.
     *
     * @param appianUserDetailsService passed through to the superclass constructor
     * @param ldapConfiguration LDAP settings consulted on every routing decision
     * @param ldapAuthenticatorFactory builds the authenticator used by {@link #authenticate}
     * @param groupServiceHelper used to test membership in the configured authentication group
     */
    public LdapAuthenticatorWrapper(AppianUserDetailsService appianUserDetailsService, LdapConfiguration ldapConfiguration, LdapAuthenticatorFactory ldapAuthenticatorFactory, GroupServiceHelper groupServiceHelper) {
        super(appianUserDetailsService);
        this.groupServiceHelper = groupServiceHelper;
        this.ldapAuthenticatorFactory = ldapAuthenticatorFactory;
        this.ldapConfig = ldapConfiguration;
    }

    /**
     * Decides whether this login attempt should be authenticated against LDAP.
     *
     * <ul>
     *   <li>LDAP disabled: {@code false}.</li>
     *   <li>No authentication group configured: {@code true} for a supported token type.</li>
     *   <li>Authentication group configured: {@code false} for users outside the group (this
     *       wrapper declines the login), {@code true} for members presenting a supported token.</li>
     *   <li>User unknown to the group service: {@code true} only when the token type is supported
     *       and auto-creation of users is enabled.</li>
     * </ul>
     *
     * @param authentication the login attempt; its class and {@code getName()} are read
     * @return whether LDAP should handle this attempt
     * @throws BadCredentialsException if LDAP would apply but the token type is not supported
     * @throws InternalAuthenticationServiceException if the configured group does not exist
     */
    @Override
    public boolean shouldUseAuthenticator(Authentication authentication) {
        if (!ldapConfig.isEnabled()) {
            return false;
        }

        final Optional<String> authGroupUuid = ldapConfig.getGroupUuid();
        final Class<?> tokenType = authentication.getClass();
        final boolean tokenSupported = supports(tokenType);

        if (authGroupUuid.isPresent()) {
            boolean inAuthGroup;
            try {
                inAuthGroup = groupServiceHelper.isUserMemberOfAuthGroup(
                        authentication.getName(),
                        authGroupUuid.get(),
                        ldapConfig.isLowercaseUsername());
            } catch (InvalidUserException unknownUser) {
                // The lookup failed because the user is invalid/unknown: LDAP is only used for
                // such a login when it is allowed to create the account.
                return shouldAutoCreateUser(tokenSupported);
            } catch (InvalidGroupException missingGroup) {
                // Misconfiguration, not a credential problem: surface it as a service error.
                throw new InternalAuthenticationServiceException("Configured LDAP group does not exist", missingGroup);
            }

            if (!inAuthGroup) {
                // Non-members are declined here regardless of token type.
                return false;
            }
            if (tokenSupported) {
                return true;
            }
            throw unsupportedToken(tokenType);
        }

        if (tokenSupported) {
            return true;
        }
        throw unsupportedToken(tokenType);
    }

    /** Builds the rejection raised when LDAP applies but the token class cannot be handled. */
    private static BadCredentialsException unsupportedToken(Class<?> tokenType) {
        return new BadCredentialsException(tokenType.getName() + " is not supported");
    }

    /**
     * Tells whether an unknown user may be routed to LDAP: requires a supported token type and
     * the auto-create setting; the setting is not consulted for unsupported tokens.
     */
    private boolean shouldAutoCreateUser(boolean tokenSupported) {
        return tokenSupported && ldapConfig.isAutoCreateUsersEnabled();
    }

    /**
     * Authenticates the login against LDAP using a freshly built authenticator.
     *
     * <p>The token is cast to {@link UsernamePasswordAuthenticationToken} without a type check, so
     * any other token class fails with {@link ClassCastException}.
     * NOTE(review): presumably the caller only invokes this after
     * {@link #shouldUseAuthenticator(Authentication)} returned {@code true} - confirm in the base
     * class.
     *
     * @param authentication the username/password token to verify
     * @return the profile returned by the LDAP authenticator
     * @throws AuthenticationServiceException if data needed to create the user is missing
     * @throws BadCredentialsException if the login is rejected; the exception <em>message</em> is
     *     the submitted username in its configured case, so code that logs or renders this
     *     message is handling user-supplied input
     * @throws Exception anything else raised by the underlying authenticator
     */
    @Override
    public UserProfile authenticate(Authentication authentication) throws Exception {
        try {
            return ldapAuthenticatorFactory
                    .build()
                    .authenticateUser((UsernamePasswordAuthenticationToken) authentication);
        } catch (AutoSyncUserData.UserDataMissingException missingData) {
            throw new AuthenticationServiceException("Expected user creation data missing", missingData);
        } catch (InvalidLoginException rejected) {
            // Message is the username, not a description (see @throws above).
            throw new BadCredentialsException(ldapConfig.getUsernameWithConfiguredCase(authentication.getName()), rejected);
        }
    }

    /** Returns the fixed priority of this authenticator ({@code 700}). */
    @Override
    public int getPriority() {
        return AUTH_PRIORITY;
    }

    /**
     * Reports whether the given token class can be handled: it must be assignable to
     * {@link UsernamePasswordAuthenticationToken} and LDAP must be enabled.
     *
     * <p>Decompiler note (JADX): access modifier was changed from {@code protected}.
     *
     * @param cls the authentication token class to test
     * @return {@code true} only for username/password tokens while LDAP is enabled
     */
    @Override
    public boolean supports(Class<?> cls) {
        if (!UsernamePasswordAuthenticationToken.class.isAssignableFrom(cls)) {
            return false;
        }
        return ldapConfig.isEnabled();
    }
}
