package com.appiancorp.security.auth.saml;

import com.appian.logging.AppianLogger;
import com.appiancorp.security.auth.AuthProviderFilter;
import com.appiancorp.security.auth.mobile.InAppBrowserClientRequestMatcher;
import com.appiancorp.security.auth.oidc.OidcCommon;
import com.appiancorp.security.auth.oidc.OidcConfiguration;
import com.appiancorp.security.auth.saml.rememberidp.RememberIdpService;
import com.appiancorp.security.auth.saml.service.SamlSettingsService;
import com.appiancorp.suite.SuiteConfiguration;
import com.appiancorp.suite.cfg.ConfigurationFactory;
import com.appiancorp.suite.cfg.SamlConfiguration;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.collect.Lists;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/* loaded from: input_file:com/appiancorp/security/auth/saml/SamlFilterPredicate.class */
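/**
 * Decides, per request, whether the SAML filter should take part in authentication and,
 * when it should, which IdP entity ID the request is routed to.
 *
 * <p>Every input consulted here (request URI, query string, raw SAML message, remembered
 * IdP) arrives before the user is authenticated and is therefore untrusted. The class only
 * routes the request; nothing in it verifies a SAML signature or establishes a session.
 */
public class SamlFilterPredicate {
    private static final AppianLogger LOG = AppianLogger.getLogger(SamlFilterPredicate.class);
    protected static final String AUTH_PATH = "/auth";
    static final String EQUALS_OPERATOR = "=";
    private final SamlSettingsService samlSettingsService;
    private final SamlConfiguration samlConfig;
    private final IdentityProviderManager identityProviderManager;
    // "/<contextPath>/auth", resolved once at construction time from the suite configuration.
    private final String authUrl = "/" + ((SuiteConfiguration) ConfigurationFactory.getConfiguration(SuiteConfiguration.class)).getContextPath() + AUTH_PATH;
    private final RememberIdpService rememberIdpService;
    private final InAppBrowserClientRequestMatcher inAppBrowserClientRequestMatcher;
    private final OidcConfiguration oidcConfiguration;

    /**
     * Creates the predicate from its collaborators.
     *
     * <p>The first four arguments are rejected with a {@link NullPointerException} when null.
     * NOTE(review): {@code inAppBrowserClientRequestMatcher} and {@code oidcConfiguration} are
     * stored without a null check although {@link #shouldUseSamlFilter} dereferences both
     * unconditionally; confirm no caller passes null before tightening this.
     */
    public SamlFilterPredicate(SamlConfiguration samlConfiguration, IdentityProviderManager identityProviderManager, SamlSettingsService samlSettingsService, RememberIdpService rememberIdpService, InAppBrowserClientRequestMatcher inAppBrowserClientRequestMatcher, OidcConfiguration oidcConfiguration) {
        this.samlConfig = Preconditions.checkNotNull(samlConfiguration);
        this.identityProviderManager = Preconditions.checkNotNull(identityProviderManager);
        this.samlSettingsService = Preconditions.checkNotNull(samlSettingsService);
        this.rememberIdpService = Preconditions.checkNotNull(rememberIdpService);
        this.inAppBrowserClientRequestMatcher = inAppBrowserClientRequestMatcher;
        this.oidcConfiguration = oidcConfiguration;
    }

    /**
     * Returns the routing decision for a request.
     *
     * <p>The SAML filter is skipped when the request is the OIDC callback, SAML is disabled,
     * the security context already holds an authenticated principal, or the request matches
     * the in-app browser client matcher. Otherwise the decision is derived from the request.
     *
     * @param httpServletRequest the incoming request
     * @param httpServletResponse the response, handed to the remembered-IdP lookup
     * @return the decision, optionally carrying the IdP entity ID to use
     */
    public SamlFilterPredicateResponse shouldUseSamlFilter(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        final SamlFilterPredicateResponse decision;
        if (isRequestOidcCallbackUri(httpServletRequest)
                || !this.samlConfig.isEnabled()
                || isAuthenticated()
                || this.inAppBrowserClientRequestMatcher.matches(httpServletRequest)) {
            decision = SamlFilterPredicateResponse.SKIP_SAML_FILTER;
        } else {
            decision = shouldGoToAppianLoginPage(httpServletRequest, httpServletResponse);
        }
        // NOTE(review): the wording says "Appian Login page" but the value logged is
        // isUseFilter(); the text looks inverted relative to the flag - confirm before
        // relying on this line when auditing login routing.
        LOG.debug("User will be authenticated using Appian Login page: %b", Boolean.valueOf(decision.isUseFilter()));
        // The entity ID may originate from an unverified SAML message or client-held state;
        // it is passed as a format argument, never as part of the format string.
        decision.getIdpEntityId().ifPresent(idpEntityId -> LOG.debug("User will be authenticated using the IDP: %s", idpEntityId));
        return decision;
    }

    /** Returns true when OIDC is enabled and the request URI is the OIDC callback URI. */
    private boolean isRequestOidcCallbackUri(HttpServletRequest httpServletRequest) {
        if (!this.oidcConfiguration.isEnabled()) {
            return false;
        }
        String baseUri = ((SuiteConfiguration) ConfigurationFactory.getConfiguration(SuiteConfiguration.class)).getBaseUri();
        return OidcCommon.isOidcCallbackUri(baseUri, httpServletRequest.getRequestURI());
    }

    /**
     * Returns true when the current security context holds an authentication that reports
     * itself as authenticated.
     *
     * <p>NOTE(review): Spring Security's anonymous authentication token also reports
     * {@code isAuthenticated() == true}; confirm this predicate is evaluated before any
     * anonymous-authentication filter, or that anonymous authentication is not configured.
     */
    private boolean isAuthenticated() {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (current == null) {
            return false;
        }
        return current.isAuthenticated();
    }

    /**
     * Routes a request that was not short-circuited by {@link #shouldUseSamlFilter}.
     *
     * <p>Requests under the auth URL skip the SAML filter; a request carrying a SAML message
     * is routed to the IdP named by its issuer; everything else follows the
     * unauthenticated-redirect rules.
     */
    private SamlFilterPredicateResponse shouldGoToAppianLoginPage(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        // Plain prefix match on the raw request URI: the URI is not normalised here and any
        // path that merely begins with authUrl also matches. This only decides whether the
        // SAML filter runs. NOTE(review): confirm access control for these paths is enforced
        // independently of this check.
        if (httpServletRequest.getRequestURI().startsWith(this.authUrl)) {
            return SamlFilterPredicateResponse.SKIP_SAML_FILTER;
        }
        Optional<String> issuerEntityId = getIdpEntityIdFromIssuer(httpServletRequest);
        if (issuerEntityId.isPresent()) {
            return new SamlFilterPredicateResponse(issuerEntityId.get());
        }
        return shouldRedirectWhenUnauthenticated(httpServletRequest, httpServletResponse);
    }

    /**
     * Extracts the issuer of the SAML message carried by the request, if there is one.
     *
     * <p>The issuer is read from the raw message context and is used for routing only.
     * NOTE(review): nothing in this class checks a signature or that the issuer is a
     * configured IdP; confirm the SAML filter rejects unknown issuers and validates the
     * assertion against the keys configured for the selected IdP.
     *
     * @return the issuer, or empty when the request has no SAML assertion, the message has no
     *     issuer, or extraction fails
     */
    private Optional<String> getIdpEntityIdFromIssuer(HttpServletRequest httpServletRequest) {
        if (!this.identityProviderManager.hasSamlAssertion(httpServletRequest)) {
            return Optional.empty();
        }
        try {
            SamlMessageContextWrapper messageContext = this.identityProviderManager.extractRawMessageContext(httpServletRequest);
            if (messageContext != null) {
                // The message ID is sender-supplied, so it goes in as a format argument.
                LOG.debug("Request contains SAML assertion: %s", messageContext.getMessageId());
                // ofNullable: a message without an issuer is "no issuer", not an error. With
                // Optional.of the null raised an NPE that the catch below turned into a
                // misleading "Error extracting SAML message" entry.
                return Optional.ofNullable(messageContext.getIssuer());
            }
        } catch (Exception e) {
            // A message that cannot be parsed is treated like a request without an assertion;
            // the caller then falls back to the unauthenticated-redirect rules.
            // NOTE(review): e.getMessage() may echo sender-controlled content - confirm the
            // log layout neutralises line breaks.
            LOG.error(e, "Error extracting SAML message: " + e.getMessage());
        }
        return Optional.empty();
    }

    /**
     * Applies the routing rules for an unauthenticated request without a SAML message.
     *
     * <p>Order of evaluation: an explicit request for the native provider, or for "oidc" while
     * OIDC is enabled, skips the SAML filter; otherwise the requested friendly name is mapped
     * to a configured IdP entity ID; failing that, the remembered IdP is used unless the
     * default IdP is "oidc" with OIDC enabled; failing that, the configured
     * redirect-when-unauthenticated flag decides.
     */
    private SamlFilterPredicateResponse shouldRedirectWhenUnauthenticated(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String requestedProvider = getQueryParameter(httpServletRequest, SamlConstants.AUTH_PROVIDER_QUERY_PARAM);
        // Request-controlled text is passed as a format argument instead of being concatenated
        // into the message, so it can never land in the format-string position.
        LOG.debug("Found Authentication Provider: %s on request", requestedProvider);
        if (SamlConstants.AUTH_PROVIDER_NATIVE.equalsIgnoreCase(requestedProvider)) {
            return SamlFilterPredicateResponse.SKIP_SAML_FILTER;
        }
        if (this.oidcConfiguration.isEnabled() && "oidc".equals(requestedProvider)) {
            return SamlFilterPredicateResponse.SKIP_SAML_FILTER;
        }
        // The query value is only ever used to look up a configured friendly name.
        String idpEntityId = convertFriendlyNameToIdpEntityId(requestedProvider);
        if (Strings.isNullOrEmpty(idpEntityId)) {
            if (this.oidcConfiguration.isEnabled() && "oidc".equals(this.samlConfig.getDefaultIdpEntityId())) {
                return SamlFilterPredicateResponse.SKIP_SAML_FILTER;
            }
            // NOTE(review): unlike the query parameter, the remembered value is used as the
            // entity ID as-is; presumably RememberIdpService or the SAML filter checks it
            // against the configured IdPs - confirm.
            idpEntityId = this.rememberIdpService.retrieveSavedIdp(httpServletRequest, httpServletResponse);
        }
        if (Strings.isNullOrEmpty(idpEntityId)) {
            return new SamlFilterPredicateResponse(this.samlConfig.shouldRedirectWhenUnauthenticated());
        }
        if (SamlConstants.AUTH_PROVIDER_NATIVE.equalsIgnoreCase(idpEntityId)) {
            return SamlFilterPredicateResponse.SKIP_SAML_FILTER;
        }
        return new SamlFilterPredicateResponse(idpEntityId);
    }

    /**
     * Returns the value of the first {@code name=value} pair in the raw query string whose
     * name is {@code str}.
     *
     * <p>The query string is read undecoded, so percent-escapes are returned verbatim. A pair
     * that does not split into exactly two parts on "=" (no value, or a value that itself
     * contains "=") yields the empty string. Only the first occurrence of the parameter is
     * considered.
     *
     * @return the raw value, or "" when the query string or name is null, the parameter is
     *     absent, or the pair is not of the form {@code name=value}
     */
    private String getQueryParameter(HttpServletRequest httpServletRequest, String str) {
        String queryString = httpServletRequest.getQueryString();
        if (queryString == null || str == null) {
            return "";
        }
        String wantedPrefix = str + EQUALS_OPERATOR;
        for (String pair : queryString.split(AuthProviderFilter.QUERY_STRING_SEPARATOR)) {
            if (pair.startsWith(wantedPrefix)) {
                String[] nameAndValue = pair.split(EQUALS_OPERATOR);
                return nameAndValue.length == 2 ? nameAndValue[1] : "";
            }
        }
        return "";
    }

    /**
     * Maps an IdP friendly name to the entity ID of the first configured SAML setting, in
     * priority order, whose non-empty friendly name matches case-insensitively.
     *
     * @param str the friendly name taken from the request; must not be null
     * @return the matching entity ID, or "" when no configured setting matches
     */
    private String convertFriendlyNameToIdpEntityId(String str) {
        return (String) this.samlSettingsService.getPriorityOrderedSettings().stream()
                .filter(settings -> StringUtils.isNotEmpty(settings.getFriendlyName())
                        && str.equalsIgnoreCase(settings.getFriendlyName()))
                .map(settings -> settings.getIdpEntityId())
                .findFirst()
                .orElse("");
    }
}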
