package com.appiancorp.ag.security;

import com.appiancorp.security.auth.AuthenticationDetails;
import com.appiancorp.security.auth.ConditionalAuthenticatorWrapper;
import com.appiancorp.security.auth.GroupServiceHelper;
import com.appiancorp.security.auth.LoginEntryPoint;
import com.appiancorp.suite.cfg.SamlConfiguration;
import com.appiancorp.suiteapi.common.exceptions.InvalidGroupException;
import com.appiancorp.suiteapi.common.exceptions.InvalidLoginException;
import com.appiancorp.suiteapi.common.exceptions.LockedAccountException;
import com.appiancorp.suiteapi.common.exceptions.PasswordExpiredException;
import com.appiancorp.suiteapi.common.exceptions.TemporaryPasswordExpiredException;
import com.appiancorp.suiteapi.common.spring.security.TemporaryCredentialsExpiredException;
import com.appiancorp.suiteapi.common.spring.security.TemporaryPasswordException;
import com.appiancorp.suiteapi.personalization.UserProfile;
import com.appiancorp.suiteapi.security.auth.AppianUserDetails;
import com.appiancorp.suiteapi.security.auth.AppianUserDetailsService;
import com.appiancorp.suiteapi.security.auth.PasswordStatus;
import com.google.common.annotations.VisibleForTesting;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;

/* loaded from: input_file:com/appiancorp/ag/security/DefaultAuthenticatorWrapper.class */
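/**
 * Username/password authenticator wrapper registered with the parent as
 * {@code INTERNAL_PROVIDER}.
 *
 * <p>It accepts {@link UsernamePasswordAuthenticationToken}s, delegates the credential
 * check to {@link DefaultAuthenticator}, and translates the Appian login exceptions into
 * their Spring Security counterparts. Before the password is checked, users that belong
 * to the configured "old cloud" SAML group are rejected.
 *
 * <p>NOTE(review): this source is decompiler output, so local names and inlined
 * constants may differ from the original.
 */
public class DefaultAuthenticatorWrapper extends ConditionalAuthenticatorWrapper {
    private static final int AUTH_PRIORITY = 1000;
    public static final String BASIC_AUTH_TYPE = "basic";
    private final DefaultAuthenticator authenticator;
    private final SamlConfiguration samlConfig;
    private final GroupServiceHelper groupServiceHelper;

    /**
     * Creates the wrapper.
     *
     * @param appianUserDetailsService passed through to the parent wrapper
     * @param defaultAuthenticator performs the actual username/password check
     * @param samlConfiguration source of the "old cloud" group id
     * @param groupServiceHelper used for the group-membership lookup
     */
    public DefaultAuthenticatorWrapper(AppianUserDetailsService appianUserDetailsService, DefaultAuthenticator defaultAuthenticator, SamlConfiguration samlConfiguration, GroupServiceHelper groupServiceHelper) {
        super(appianUserDetailsService, ConditionalAuthenticatorWrapper.AuthenticationProviderType.INTERNAL_PROVIDER);
        this.authenticator = defaultAuthenticator;
        this.samlConfig = samlConfiguration;
        this.groupServiceHelper = groupServiceHelper;
    }

    /**
     * Always returns {@code true}: this wrapper never opts out for a request.
     */
    @Override // com.appiancorp.security.auth.ConditionalAuthenticatorWrapper
    public boolean shouldUseAuthenticator(Authentication authentication) {
        return true;
    }

    /**
     * Authenticates a username/password token.
     *
     * <p>An expired (non-temporary) password does not fail here: the user carried by the
     * {@link PasswordExpiredException} is returned, and {@link #postAuthenticate} is where
     * this class rejects force-set password statuses.
     *
     * <p>Every exception thrown from here uses the submitted user name as its message.
     * That value is caller-supplied, so anything that logs or renders the message should
     * treat it as untrusted text.
     *
     * @param authentication must be a {@link UsernamePasswordAuthenticationToken}
     *     (see {@link #supports})
     * @return the authenticated user's profile
     * @throws BadCredentialsException if the token carries no credentials, the login is
     *     invalid, or the user is in the old cloud SAML group
     * @throws LockedException if the account is locked
     * @throws TemporaryCredentialsExpiredException if a temporary password has expired
     */
    @Override // com.appiancorp.security.auth.ConditionalAuthenticatorWrapper
    public UserProfile authenticate(Authentication authentication) {
        UsernamePasswordAuthenticationToken token = (UsernamePasswordAuthenticationToken) authentication;
        String name = token.getName();
        Object credentials = token.getCredentials();
        if (credentials == null) {
            // A token whose credentials are absent or already erased is a failed login,
            // not a NullPointerException escaping the authentication chain.
            throw new BadCredentialsException(name);
        }
        // NOTE(review): the password already exists as a String at this point, so the
        // char[] copy gives no memory-hygiene benefit and is not cleared after use.
        char[] password = credentials.toString().toCharArray();
        try {
            // Group check runs first, so a blocked user is rejected without the password
            // being evaluated.
            verifyNotPreviousCloudSamlUser(name);
            return this.authenticator.authenticateUser(name, password);
        } catch (PasswordExpiredException e) {
            return e.getUser();
        } catch (TemporaryPasswordExpiredException e) {
            throw new TemporaryCredentialsExpiredException(name, e);
        } catch (LockedAccountException e) {
            throw new LockedException(name, e);
        } catch (InvalidLoginException e) {
            throw new BadCredentialsException(name, e);
        }
    }

    /**
     * Rejects users that are members of the configured "old cloud" group.
     *
     * <p>The check is skipped when the configured group id equals the property's
     * disabled value.
     *
     * @param str the user name to check
     * @throws InvalidLoginException if the user is a member of the configured group
     */
    @VisibleForTesting
    void verifyNotPreviousCloudSamlUser(String str) throws InvalidLoginException {
        int oldCloudGroupId = this.samlConfig.getOldCloudGroupId();
        if (SamlConfiguration.SamlProperty.OldCloudGroupId.getDisabledValue().equals(Integer.valueOf(oldCloudGroupId))) {
            return;
        }
        try {
            // NOTE(review): the meaning of the third argument is not visible here —
            // confirm against GroupServiceHelper.
            if (this.groupServiceHelper.isUserMemberOfGroup(str, Long.valueOf(oldCloudGroupId), true)) {
                throw new InvalidLoginException(str);
            }
        } catch (InvalidGroupException ignored) {
            // Fails open: if the configured group id does not resolve, the restriction is
            // silently not enforced and password login proceeds. Behaviour kept as-is;
            // NOTE(review): confirm this is intended, and consider logging the
            // misconfiguration so a stale group id is noticed.
        }
    }

    /**
     * Post-login hook: tags Web API logins as basic auth and enforces forced password
     * changes.
     *
     * <p>When the password status requires a new password, the login is rejected unless
     * the entry point is {@code PORTAL}. Missing authentication details are treated as
     * "not PORTAL", so the forced change is still enforced.
     *
     * @param appianUserDetails details of the user that just authenticated
     * @param authentication the authentication whose details carry the entry point
     * @throws TemporaryPasswordException if the password status is {@code TEMPORARY}
     * @throws CredentialsExpiredException for any other force-set password status
     */
    @Override // com.appiancorp.security.auth.ConditionalAuthenticatorWrapper
    public void postAuthenticate(AppianUserDetails appianUserDetails, Authentication authentication) {
        AuthenticationDetails authenticationDetails = (AuthenticationDetails) authentication.getDetails();
        LoginEntryPoint entryPoint = authenticationDetails == null ? null : authenticationDetails.getEntryPoint();
        if (entryPoint == LoginEntryPoint.WEB_API) {
            authenticationDetails.setAuthType(BASIC_AUTH_TYPE);
        }
        PasswordStatus passwordStatus = appianUserDetails.getPasswordStatus();
        if (!passwordStatus.isForceSetPassword()) {
            return;
        }
        // The original dereferenced the details here without a null check, so a user with
        // a force-set password and no details hit a NullPointerException instead of the
        // intended credentials exception.
        if (entryPoint == LoginEntryPoint.PORTAL) {
            return;
        }
        if (passwordStatus != PasswordStatus.TEMPORARY) {
            throw new CredentialsExpiredException(appianUserDetails.getUsername());
        }
        throw new TemporaryPasswordException(appianUserDetails.getUsername());
    }

    /**
     * Returns this wrapper's priority, {@link #AUTH_PRIORITY}.
     */
    @Override // com.appiancorp.security.auth.ConditionalAuthenticatorWrapper
    public int getPriority() {
        return AUTH_PRIORITY;
    }

    /**
     * Reports whether the given authentication class is a
     * {@link UsernamePasswordAuthenticationToken} or a subclass of it.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // com.appiancorp.security.auth.ConditionalAuthenticatorWrapper
    public boolean supports(Class<? extends Object> cls) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(cls);
    }
}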
