package com.appiancorp.security.auth.saml;

import com.appiancorp.common.CastUtil;
import com.appiancorp.common.monitoring.ProductMetricsAggregatedDataCollector;
import com.appiancorp.security.auth.AppianAuthenticationSuccessHandler;
import com.appiancorp.security.auth.rememberme.AppianPersistentTokenBasedRememberMeServices;
import com.appiancorp.security.auth.rememberme.RememberMeSettings;
import com.appiancorp.security.auth.saml.exception.NoTrustedAssertionException;
import com.appiancorp.security.auth.saml.redirecter.SamlIdpRedirecter;
import com.appiancorp.suiteapi.common.spring.security.CompositeSessionAuthenticationStrategy;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import java.io.IOException;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.collections.CollectionUtils;
import org.apache.log4j.Logger;
import org.opensaml.messaging.decoder.MessageDecodingException;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.Subject;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.RememberMeServices;

/* loaded from: input_file:com/appiancorp/security/auth/saml/SamlFilter.class */
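/**
 * Spring Security processing filter that completes a SAML 2.0 sign-in on
 * {@code /j_spring_security_filter}.
 *
 * <p>When the incoming request carries no SAML assertion the user is redirected to the
 * IdP (SP-initiated flow). When it does, the message context is extracted through
 * {@link IdentityProviderManager}, the resulting {@link SamlAuthToken} is handed to the
 * configured {@link AuthenticationManager}, and the session index, NameID and return URL
 * are exposed to downstream code as request attributes.
 *
 * <p>Trust decisions on the assertion (signature, audience, conditions) are not made in
 * this class; they are assumed to happen inside {@code IdentityProviderManager} — confirm
 * against that implementation. This filter only refuses to proceed when the wrapper yields
 * no assertions at all.
 */
public class SamlFilter extends AbstractAuthenticationProcessingFilter {
    private static final Logger LOG = Logger.getLogger(SamlFilter.class);

    /** Request attribute holding the session index read from the SAML message (set best-effort). */
    public static final String SAML_SESSION_INDEX_KEY = "SAML-SESSION-INDEX-KEY";
    /** Request attribute holding the first assertion's Subject NameID, wrapped as {@code NameIDSerializable}. */
    public static final String SAML_NAME_ID_KEY = "SAML-NAME-ID-KEY";
    /**
     * Session attribute holding a map from SAML request ID to return URL. It is read here and
     * entries are removed once consumed; presumably the redirecter populates it — verify against
     * {@link SamlIdpRedirecter}.
     */
    public static final String SAML_RETURN_URL_MAP_KEY = "SAML-RETURN-URL-MAP-KEY";
    /** Request attribute holding the return URL resolved for this response, possibly {@code null}. */
    public static final String SAML_RETURN_URL_KEY = "SAML-RETURN-URL-KEY";

    private final IdentityProviderManager identityProviderManager;
    private final SamlSessionTracker samlSessionTracker;
    private final SamlIdpRedirecter samlIdpRedirecter;
    private final SamlFilterPredicate samlFilterPredicate;
    private final RememberMeSettings rememberMeSettings;

    /**
     * Wires the filter and its Spring Security collaborators.
     *
     * @param samlFilterPredicate decides per request whether this filter applies; must not be null
     * @throws NullPointerException if {@code samlFilterPredicate} is null
     */
    public SamlFilter(AuthenticationManager authenticationManager, IdentityProviderManager identityProviderManager, AppianAuthenticationSuccessHandler appianAuthenticationSuccessHandler, CompositeSessionAuthenticationStrategy compositeSessionAuthenticationStrategy, SamlIdpRedirecter samlIdpRedirecter, SamlSessionTracker samlSessionTracker, SamlFilterPredicate samlFilterPredicate, AuthenticationFailureHandler authenticationFailureHandler, RememberMeSettings rememberMeSettings, RememberMeServices rememberMeServices) {
        super("/j_spring_security_filter");
        this.samlFilterPredicate = Preconditions.checkNotNull(samlFilterPredicate);
        this.identityProviderManager = identityProviderManager;
        this.samlIdpRedirecter = samlIdpRedirecter;
        this.samlSessionTracker = samlSessionTracker;
        this.rememberMeSettings = rememberMeSettings;
        setAuthenticationManager(authenticationManager);
        setAuthenticationSuccessHandler(appianAuthenticationSuccessHandler);
        setSessionAuthenticationStrategy(compositeSessionAuthenticationStrategy);
        setAuthenticationFailureHandler(authenticationFailureHandler);
        setRememberMeServices(rememberMeServices);
    }

    /**
     * Asks the predicate whether this request should go through SAML. If the predicate
     * names an IdP entity id, it is recorded on the request before the decision is returned.
     */
    protected boolean requiresAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        SamlFilterPredicateResponse decision = this.samlFilterPredicate.shouldUseSamlFilter(httpServletRequest, httpServletResponse);
        decision.getIdpEntityId()
            .ifPresent(entityId -> this.samlSessionTracker.setCurrentIdpEntityIdForRequest(httpServletRequest, entityId));
        return decision.isUseFilter();
    }

    /**
     * Completes authentication for a request carrying a SAML Response, or starts the
     * SP-initiated flow by redirecting to the IdP when no assertion is present.
     *
     * @return the authenticated {@link Authentication}, or {@code null} after issuing the
     *         redirect to the IdP
     * @throws AuthenticationException rethrown unchanged from the authentication manager
     * @throws InternalAuthenticationServiceException for any other failure while decoding or
     *         processing the response; the original exception is attached as the cause
     */
    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException, IOException, ServletException {
        if (!this.identityProviderManager.hasSamlAssertion(httpServletRequest)) {
            this.samlIdpRedirecter.redirect(httpServletRequest, httpServletResponse, Optional.empty());
            ProductMetricsAggregatedDataCollector.recordData("saml.spInitiatedAuthnRequests");
            return null;
        }
        // Kept outside the try so the failure metric can distinguish SP- from IdP-initiated
        // responses even when the failure happens after the Response was decoded.
        Response response = null;
        try {
            LOG.debug("Request contains SAML assertion");
            SamlMessageContextWrapper samlMessageContext = getSamlMessageContext(httpServletRequest);
            response = (Response) samlMessageContext.getMessage();
            setReturnUrlOnRequest(httpServletRequest, response.getInResponseTo());
            SamlAuthToken samlAuthenticationToken = getSamlAuthenticationToken(httpServletRequest, samlMessageContext);
            setSessionIndex(httpServletRequest, samlMessageContext);
            setNameId(httpServletRequest, samlMessageContext);
            Authentication authenticated = getAuthenticationManager().authenticate(samlAuthenticationToken);
            String issuer = samlMessageContext.getIssuer();
            this.samlSessionTracker.setCurrentIdpEntityIdForSession(httpServletRequest, issuer);
            LOG.debug("Logged in with IdP " + issuer);
            recordSuccessfulSigninMetrics(response);
            if (this.rememberMeSettings.isEnabled(httpServletRequest, authenticated.getName())) {
                httpServletRequest.setAttribute(AppianPersistentTokenBasedRememberMeServices.REMEMBER_ME_REQUESTED, true);
            }
            return authenticated;
        } catch (AuthenticationException e) {
            logAndRecordFailure(response, e);
            throw e;
        } catch (Exception e) {
            logAndRecordFailure(response, e);
            // Preserve the cause so operators can diagnose the failure from the handler/logs.
            throw new InternalAuthenticationServiceException("Invalid Response", e);
        }
    }

    /** Shared failure path: records the unsuccessful-sign-in metric and logs the exception. */
    private void logAndRecordFailure(Response response, Exception failure) {
        recordUnSuccessfulSigninMetrics(response);
        LOG.info("Authentication Error: " + failure.getMessage(), failure);
    }

    /**
     * Records which kind of sign-in failed. A {@code null} response means the failure happened
     * before the Response could be decoded; an empty {@code InResponseTo} marks an IdP-initiated flow.
     */
    private void recordUnSuccessfulSigninMetrics(Response response) {
        String metric;
        if (response == null) {
            metric = "saml.unrecognizedUnsuccessfulSignIns";
        } else if (Strings.isNullOrEmpty(response.getInResponseTo())) {
            metric = "saml.idpInitiatedUnsuccessfulSignIns";
        } else {
            metric = "saml.spInitiatedUnsuccessfulSignIns";
        }
        ProductMetricsAggregatedDataCollector.recordData(metric);
    }

    /** Records a successful sign-in, split by IdP- vs SP-initiated (presence of {@code InResponseTo}). */
    private void recordSuccessfulSigninMetrics(Response response) {
        boolean idpInitiated = Strings.isNullOrEmpty(response.getInResponseTo());
        ProductMetricsAggregatedDataCollector.recordData(
            idpInitiated ? "saml.idpInitiatedSuccessfulSignIns" : "saml.spInitiatedSuccessfulSignIns");
    }

    /**
     * Decodes the SAML message context from the request.
     *
     * @throws InternalAuthenticationServiceException wrapping any extraction failure
     */
    private SamlMessageContextWrapper getSamlMessageContext(HttpServletRequest httpServletRequest) {
        try {
            return this.identityProviderManager.extractMessageContext(httpServletRequest);
        } catch (Exception e) {
            throw new InternalAuthenticationServiceException("Error while trying to extract SAML message context", e);
        }
    }

    /**
     * Returns the wrapper's assertion list, refusing to continue when it is empty.
     *
     * @throws NoTrustedAssertionException if the message carries no assertions
     */
    private static List<Assertion> requireAssertions(SamlMessageContextWrapper<Response> samlMessageContextWrapper) {
        List<Assertion> assertionList = samlMessageContextWrapper.getAssertionList();
        if (CollectionUtils.isEmpty(assertionList)) {
            throw new NoTrustedAssertionException("No assertions found in SAML Message");
        }
        return assertionList;
    }

    /**
     * Stores the session index under {@link #SAML_SESSION_INDEX_KEY}. Failing to read the
     * index is not fatal to sign-in and is only logged at debug level.
     *
     * @throws NoTrustedAssertionException if the message carries no assertions
     */
    private void setSessionIndex(HttpServletRequest httpServletRequest, SamlMessageContextWrapper samlMessageContextWrapper) {
        requireAssertions(samlMessageContextWrapper);
        try {
            httpServletRequest.setAttribute(SAML_SESSION_INDEX_KEY, this.identityProviderManager.getSessionIndexFromSamlMessage(samlMessageContextWrapper));
        } catch (MessageDecodingException | SecurityException e) {
            LOG.debug("Failed to retrieve session index from assertion", e);
        }
    }

    /**
     * Stores the first assertion's Subject NameID under {@link #SAML_NAME_ID_KEY}. Only the
     * first assertion is consulted. A missing assertion, Subject or NameID is logged and the
     * attribute is left unset; explicit null checks replace the former NullPointerException catch.
     *
     * @throws NoTrustedAssertionException if the message carries no assertions
     */
    @VisibleForTesting
    void setNameId(HttpServletRequest httpServletRequest, SamlMessageContextWrapper<Response> samlMessageContextWrapper) {
        Assertion assertion = requireAssertions(samlMessageContextWrapper).get(0);
        if (assertion == null) {
            LOG.error("Error processing Response, no assertions found.");
            return;
        }
        Subject subject = assertion.getSubject();
        if (subject == null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Response did not contain a Subject. " + assertion);
            }
            return;
        }
        NameID nameID = subject.getNameID();
        if (nameID == null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Response Subject did not contain a nameId. " + assertion);
            }
            return;
        }
        httpServletRequest.setAttribute(SAML_NAME_ID_KEY, new NameIDSerializable(nameID));
    }

    /**
     * Builds the authentication token from the decoded message.
     *
     * @throws InternalAuthenticationServiceException wrapping any token-creation failure
     */
    private SamlAuthToken getSamlAuthenticationToken(HttpServletRequest httpServletRequest, SamlMessageContextWrapper<Response> samlMessageContextWrapper) throws InternalAuthenticationServiceException {
        try {
            return this.identityProviderManager.createSamlAuthenticationToken(httpServletRequest, samlMessageContextWrapper);
        } catch (Exception e) {
            throw new InternalAuthenticationServiceException("Error while trying to extract SAML Auth Token", e);
        }
    }

    /** Resolves the return URL for {@code inResponseTo} and exposes it under {@link #SAML_RETURN_URL_KEY}. */
    private void setReturnUrlOnRequest(HttpServletRequest httpServletRequest, String inResponseTo) {
        httpServletRequest.setAttribute(SAML_RETURN_URL_KEY, getReturnUrlForRequest(httpServletRequest, inResponseTo));
    }

    /**
     * Looks up, and consumes, the return URL recorded for a SAML request ID.
     *
     * <p>The lookup is keyed by the {@code InResponseTo} value the IdP echoes back, against a
     * map kept server-side in the HTTP session, so the URL itself never comes from the
     * response. Each entry is removed on first use. No session is created by this lookup:
     * without an existing session there can be no recorded URL.
     *
     * @param httpServletRequest the current request
     * @param inResponseTo the SAML request ID from the Response, may be {@code null}
     * @return the recorded return URL, or {@code null} if there is no session, no map,
     *         no request ID, or no entry for it
     */
    public static String getReturnUrlForRequest(HttpServletRequest httpServletRequest, String inResponseTo) {
        Object rawMap = Optional.ofNullable(httpServletRequest.getSession(false))
            .map(session -> session.getAttribute(SAML_RETURN_URL_MAP_KEY))
            .orElse(null);
        Map<?, ?> returnUrlsByRequestId = (Map<?, ?>) rawMap;
        if (returnUrlsByRequestId == null) {
            LOG.debug("SAML return url is null for SAML Response ID: " + inResponseTo);
            return null;
        }
        if (inResponseTo == null) {
            return null;
        }
        String returnUrl = (String) returnUrlsByRequestId.get(inResponseTo);
        LOG.debug("SAML return url is " + returnUrl + " for SAML Response ID: " + inResponseTo);
        // Single use: drop the entry so the same request ID cannot resolve a URL twice.
        returnUrlsByRequestId.remove(inResponseTo);
        return returnUrl;
    }
}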
