package com.appiancorp.security.auth;

import com.appiancorp.suiteapi.security.auth.AppianUserDetails;
import java.io.IOException;
import java.util.Collections;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;

/* loaded from: input_file:com/appiancorp/security/auth/ForceSetPasswordFilter.class */
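/**
 * Servlet filter that keeps a user who still has to set a new password on the
 * set-password page.
 *
 * <p>While {@link #isForceSetPassword()} is true, a request passes through only when its
 * servlet path is accepted by {@link #isServletPathAllowedDuringForceSetPassword(String)}.
 * Every other request is redirected to {@link #PATH_SET_PASSWORD}.
 *
 * <p>Security note: the path check is the only thing this filter enforces, so it matches
 * the built-in paths exactly. A prefix comparison would also accept shorter paths such as
 * {@code ""} or {@code "/"} and let a user skip the password change.
 */
public class ForceSetPasswordFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(ForceSetPasswordFilter.class);
    public static final String PATH_SET_PASSWORD = "/personalization/setpassword.none";
    private static final String PATH_MFA_VERIFICATION_CODE = "/personalization/mfa_verification_code";
    private static final String PATH_MFA_RESEND_VERIFICATION_CODE = "/personalization/mfa_resend_verification_code";
    /** {@link #PATH_SET_PASSWORD} without its extension; any extension on this path is accepted. */
    private static final String PATH_SET_PASSWORD_BASE = stripExtension(PATH_SET_PASSWORD);
    private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
    // Stored by reference (see setAllowedServletPaths); matched against the full servlet path.
    private Set<String> allowedServletPaths = Collections.emptySet();

    /**
     * Passes the request on when no password change is pending or the servlet path is
     * allowed; otherwise redirects to {@link #PATH_SET_PASSWORD}.
     *
     * @param servletRequest  the incoming request; cast to {@link HttpServletRequest} once a
     *                        password change is pending
     * @param servletResponse the response, used for the redirect
     * @param filterChain     the remaining filter chain
     * @throws ServletException propagated from the chain
     * @throws IOException      propagated from the chain or the redirect
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws ServletException, IOException {
        if (!isForceSetPassword()) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        String servletPath = httpServletRequest.getServletPath();
        if (isServletPathAllowedDuringForceSetPassword(servletPath)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        if (LOG.isDebugEnabled()) {
            // The servlet path comes from the request; strip line breaks so it cannot forge log lines.
            LOG.debug("User tried to access \"" + neutralizeForLog(servletPath) + "\" which is not allowed because the password has not been changed. Redirecting to the change password page: " + PATH_SET_PASSWORD);
        }
        getRedirectStrategy().sendRedirect(httpServletRequest, (HttpServletResponse) servletResponse, PATH_SET_PASSWORD);
    }

    /**
     * Tells whether the current user must set a new password before doing anything else.
     *
     * @return {@code true} only when the security context holds an {@link AppianUserDetails}
     *         principal that was authenticated by the internal provider and whose password
     *         status is flagged as force-set-password; {@code false} in every other case,
     *         including when there is no authentication at all
     */
    protected boolean isForceSetPassword() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            // No authentication: this filter does not restrict the request.
            // NOTE(review): presumably another filter rejects unauthenticated access; confirm the filter order.
            return false;
        }
        Object principal = authentication.getPrincipal();
        if (!(principal instanceof AppianUserDetails)) {
            return false;
        }
        AppianUserDetails appianUserDetails = (AppianUserDetails) principal;
        // NOTE(review): assumes getPasswordStatus() never returns null; verify against AppianUserDetails.
        return appianUserDetails.isAuthenticatedByAppianInternalProvider() && appianUserDetails.getPasswordStatus().isForceSetPassword();
    }

    /**
     * Decides whether a servlet path may be served while a password change is pending.
     *
     * <p>A path is allowed when it is listed verbatim in the configured allowed paths, or
     * when, with its extension removed, it is exactly the set-password path or one of the
     * two MFA verification paths. The match is exact on purpose: the previous prefix test
     * ({@code allowed.startsWith(requested)}) also accepted every shorter path, among them
     * the empty path and {@code "/"}. A deployment that needs another path open during a
     * forced password change should add it through
     * {@link #setAllowedServletPaths(Set)}.
     *
     * @param str the servlet path of the request
     * @return {@code true} when the path is allowed; {@code false} otherwise, including for
     *         {@code null}
     */
    protected boolean isServletPathAllowedDuringForceSetPassword(String str) {
        if (str == null) {
            // Fail closed; some Set implementations also throw on contains(null).
            return false;
        }
        if (this.allowedServletPaths.contains(str)) {
            return true;
        }
        String base = stripExtension(str);
        return PATH_SET_PASSWORD_BASE.equals(base)
                || PATH_MFA_VERIFICATION_CODE.equals(base)
                || PATH_MFA_RESEND_VERIFICATION_CODE.equals(base);
    }

    /**
     * Returns the part of {@code path} before its first dot, or the whole path when it has
     * no dot. Returns {@code null} when a {@code '/'} follows that dot, because the suffix
     * is then a further path segment rather than an extension and must not be matched
     * against the built-in paths.
     */
    private static String stripExtension(String path) {
        int dot = path.indexOf('.');
        if (dot < 0) {
            return path;
        }
        if (path.indexOf('/', dot) >= 0) {
            return null;
        }
        return path.substring(0, dot);
    }

    /** Replaces carriage returns and line feeds so a request value stays on one log line. */
    private static String neutralizeForLog(String value) {
        return value == null ? null : value.replace('\r', '_').replace('\n', '_');
    }

    /**
     * @return the strategy used to redirect to the set-password page
     */
    public RedirectStrategy getRedirectStrategy() {
        return this.redirectStrategy;
    }

    /**
     * Replaces the redirect strategy.
     *
     * @param redirectStrategy the new strategy
     * @throws NullPointerException when {@code redirectStrategy} is {@code null}
     */
    public void setRedirectStrategy(RedirectStrategy redirectStrategy) {
        if (redirectStrategy == null) {
            throw new NullPointerException("The redirectStrategy must not be null.");
        }
        this.redirectStrategy = redirectStrategy;
    }

    /**
     * @return the configured allowed servlet paths; this is the internal set, not a copy
     */
    public Set<String> getAllowedServletPaths() {
        return this.allowedServletPaths;
    }

    /**
     * Sets the servlet paths that stay reachable while a password change is pending. Each
     * entry is compared with the full servlet path, extension included.
     *
     * <p>The set is stored by reference, so later changes made by the caller alter what the
     * filter allows. Keep this list as short as possible: every entry is reachable without
     * the password having been changed.
     *
     * @param set the allowed paths; {@code null} is treated as an empty set
     */
    public void setAllowedServletPaths(Set<String> set) {
        if (set == null) {
            set = Collections.emptySet();
        }
        this.allowedServletPaths = set;
    }

    /** No resources to release. */
    @Override
    public void destroy() {
    }

    /** No configuration is read from {@code filterConfig}. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }
}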
