package com.appiancorp.security.auth.session;

import com.appiancorp.ap2.ServletScopesKeys;
import com.appiancorp.common.config.ApplicationContextHolder;
import com.appiancorp.security.auth.AppianAuthenticationEventPublisher;
import com.appiancorp.security.auth.AppianSessionLimitExceededEvent;
import com.appiancorp.security.auth.AuthenticationDetails;
import com.appiancorp.security.auth.SessionUuidAttributeSetter;
import com.appiancorp.security.auth.activity.UserActivityInfo;
import com.appiancorp.security.auth.activity.UserActivityService;
import com.appiancorp.security.auth.activity.UserSessionDestroyedInfo;
import com.appiancorp.suite.cfg.AdminSecurityConfiguration;
import com.appiancorp.suiteapi.security.auth.AppianUserDetails;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.net.HostAndPort;
import java.sql.Timestamp;
import java.util.concurrent.TimeUnit;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.session.SessionAuthenticationException;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

/* loaded from: input_file:com/appiancorp/security/auth/session/AppianConcurrentSessionControlStrategy.class */
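/**
 * Spring Security {@link SessionAuthenticationStrategy} that enforces the configured
 * maximum number of concurrent sessions per user at login time.
 *
 * <p>Principals that are not {@link AppianUserDetails}, or that logged in through SSO,
 * are not subject to the limit. For everyone else the login is recorded through
 * {@link UserActivityService}; if the user already has {@code maxSessions} active
 * sessions (or a concurrent login pushes the count over the limit) an
 * {@link AppianSessionLimitExceededEvent} is published and the login is rejected by
 * throwing a {@link SessionLimitException}.
 *
 * <p>Thread-safety: a single instance serves concurrent request threads. The static
 * {@code serverAddr} is initialised lazily from the first request and guarded by
 * {@code SERVER_ADDR_LOCK} so that the one-time stale-session cleanup runs exactly once
 * and completes before any other login on this server is recorded.
 */
public class AppianConcurrentSessionControlStrategy implements SessionAuthenticationStrategy {
    // Guards the lazy initialisation of serverAddr (and the cleanup that accompanies it).
    private static final Object SERVER_ADDR_LOCK = new Object();
    private final UserActivityService uas;
    private final AppianAuthenticationEventPublisher eventPublisher;
    // Re-read from AdminSecurityConfiguration on every onAuthentication call; also settable for tests.
    private int maxSessions;
    // Local address of this server, taken from the first request handled; null until then.
    private static HostAndPort serverAddr;

    /**
     * Creates the strategy.
     *
     * @param userActivityService               store that tracks per-user login activity
     * @param appianAuthenticationEventPublisher publisher used to emit session-limit events
     */
    public AppianConcurrentSessionControlStrategy(UserActivityService userActivityService, AppianAuthenticationEventPublisher appianAuthenticationEventPublisher) {
        this.uas = userActivityService;
        this.eventPublisher = appianAuthenticationEventPublisher;
    }

    /**
     * Called by Spring Security once {@code authentication} has succeeded.
     *
     * <p>Returns immediately for non-{@link AppianUserDetails} principals and for SSO logins.
     * Otherwise stamps the HTTP session with a session UUID, reads the current
     * concurrent-session limit from {@link AdminSecurityConfiguration} and enforces it.
     *
     * @throws SessionLimitException if the user is at or over the configured session limit
     */
    @Override
    public void onAuthentication(Authentication authentication, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Object principal = authentication.getPrincipal();
        if (!(principal instanceof AppianUserDetails)) {
            return;
        }
        if (((AppianUserDetails) principal).getAppianLoginContext().isUserLoggedInThroughSSO()) {
            return;
        }
        SessionUuidAttributeSetter.setSessionUuidAttribute(httpServletRequest.getSession());
        // The limit is read per login rather than cached at construction time.
        AdminSecurityConfiguration securityConfig = (AdminSecurityConfiguration) ApplicationContextHolder.getBean(AdminSecurityConfiguration.class);
        this.maxSessions = securityConfig.getMaxConcurrentSessions().intValue();
        checkThatUserIsUnderMaxSessionLimit(authentication, httpServletRequest);
    }

    /**
     * Records this login and rejects it if it would exceed {@code maxSessions}.
     *
     * <p>The check is performed twice: once before the login is recorded (reject when the
     * user is already at the limit) and once after (reject, and undo the just-recorded
     * login, when the count is now over the limit — presumably because another login for
     * the same user raced past the first check). A session is counted as active if it has
     * shown activity within the HTTP session's max-inactive interval.
     *
     * @param authentication     the successful authentication; its principal must be an
     *                           {@link AppianUserDetails}
     * @param httpServletRequest the login request
     * @throws SessionLimitException if the limit is enforced and the user is at or over it
     */
    public void checkThatUserIsUnderMaxSessionLimit(Authentication authentication, HttpServletRequest httpServletRequest) {
        if (!isSessionLimitEnforced(this.maxSessions)) {
            return;
        }
        clearDeadUserSessionsIfFirstLoginAttempt(httpServletRequest);
        String userUuid = ((AppianUserDetails) authentication.getPrincipal()).getUserProfile().getUuid();
        long activityWindowMillis = TimeUnit.SECONDS.toMillis(httpServletRequest.getSession().getMaxInactiveInterval());
        // Already at the limit: reject before recording anything.
        if (this.uas.getActivityCountForUser(userUuid, activityWindowMillis) >= this.maxSessions) {
            logFailureInSessionParametersAndThrowException(authentication, httpServletRequest, this.maxSessions);
        }
        this.uas.recordLogin(buildUserActivityInfo(userUuid, httpServletRequest));
        // Re-check after recording; if we are now over the limit, take this login back out and reject.
        if (this.uas.getActivityCountForUser(userUuid, activityWindowMillis) > this.maxSessions) {
            this.uas.recordSessionDestroyed(buildUserSessionDestroyedInfo(userUuid, httpServletRequest));
            logFailureInSessionParametersAndThrowException(authentication, httpServletRequest, this.maxSessions);
        }
    }

    /**
     * On the first login handled by this server, resolves the server's local address and
     * asks the activity service to delete the stateful sessions it has recorded for that
     * address (sessions left behind by a previous run).
     *
     * <p>Synchronised on {@code SERVER_ADDR_LOCK}: without it two concurrent first logins
     * could both run the cleanup, and a login recorded by another thread between the
     * assignment of {@code serverAddr} and the delete could be removed by the cleanup
     * still in flight — leaving that session uncounted by the limit. The assignment is
     * kept before the delete so a failing cleanup is not retried on every login.
     */
    private void clearDeadUserSessionsIfFirstLoginAttempt(HttpServletRequest httpServletRequest) {
        synchronized (SERVER_ADDR_LOCK) {
            if (serverAddr != null) {
                return;
            }
            serverAddr = HostAndPort.fromParts(httpServletRequest.getLocalAddr(), httpServletRequest.getLocalPort());
            this.uas.deleteStatefulSessionsForServer(serverAddr);
        }
    }

    /**
     * Builds the activity record for a login: the user's UUID, the current time, the
     * request URI, the server's local address and the session UUID stored on the HTTP
     * session under {@link ServletScopesKeys#KEY_SESSION_UUID}. The explicit {@code null}
     * casts select the intended constructor overload.
     */
    private UserActivityInfo buildUserActivityInfo(String userUuid, HttpServletRequest httpServletRequest) {
        HostAndPort localAddr = HostAndPort.fromParts(httpServletRequest.getLocalAddr(), httpServletRequest.getLocalPort());
        String sessionUuid = (String) httpServletRequest.getSession().getAttribute(ServletScopesKeys.KEY_SESSION_UUID);
        return new UserActivityInfo(userUuid, false, (AuthenticationDetails) null, new Timestamp(System.currentTimeMillis()), httpServletRequest.getRequestURI(), (String) null, localAddr, sessionUuid);
    }

    /**
     * Builds the record used to undo a login: the user's UUID and the session UUID stored on
     * the HTTP session under {@link ServletScopesKeys#KEY_SESSION_UUID}.
     */
    private UserSessionDestroyedInfo buildUserSessionDestroyedInfo(String userUuid, HttpServletRequest httpServletRequest) {
        String sessionUuid = (String) httpServletRequest.getSession().getAttribute(ServletScopesKeys.KEY_SESSION_UUID);
        return new UserSessionDestroyedInfo(userUuid, (AuthenticationDetails) null, sessionUuid);
    }

    /**
     * @param configuredMax the configured maximum number of concurrent sessions
     * @return {@code true} if {@code configuredMax} is above the configuration's
     *         "disabled" sentinel, i.e. the limit should be enforced
     */
    private boolean isSessionLimitEnforced(int configuredMax) {
        return configuredMax > AdminSecurityConfiguration.SecurityProperty.MaxConcurrentSessions.disabledValue.intValue();
    }

    /**
     * Publishes an {@link AppianSessionLimitExceededEvent} for the rejected login and then
     * throws the same {@link SessionLimitException} so Spring Security fails the authentication.
     *
     * @param authentication     the authentication being rejected
     * @param httpServletRequest the login request, passed along with the event
     * @param limit              the session limit that was hit (included in the message)
     * @throws SessionLimitException always
     */
    private void logFailureInSessionParametersAndThrowException(Authentication authentication, HttpServletRequest httpServletRequest, int limit) {
        SessionAuthenticationException sessionLimitException = new SessionLimitException("Users cannot have more than " + limit + " active sessions.", authentication.getName(), limit);
        this.eventPublisher.publishApplicationEvent(new AppianSessionLimitExceededEvent(authentication, sessionLimitException), httpServletRequest);
        throw sessionLimitException;
    }

    /** Test hook: overrides the limit that {@link #checkThatUserIsUnderMaxSessionLimit} enforces. */
    @VisibleForTesting
    public void setMaxSessions(int i) {
        this.maxSessions = i;
    }

    /** Test hook: forgets the cached server address so the next login re-runs the cleanup. */
    @VisibleForTesting
    public static void refreshServerAddr() {
        synchronized (SERVER_ADDR_LOCK) {
            serverAddr = null;
        }
    }
}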
