package com.appiancorp.security.auth.mfa;

import com.appiancorp.common.config.ApplicationContextHolder;
import com.appiancorp.security.auth.GroupServiceHelper;
import com.appiancorp.security.auth.mfa.exceptions.MfaVerificationCodeException;
import com.appiancorp.suite.cfg.AdminSecurityConfiguration;
import com.appiancorp.suiteapi.common.exceptions.InvalidGroupException;
import com.appiancorp.suiteapi.security.auth.AppianUserDetails;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import java.io.IOException;
import java.util.Objects;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.server.ServletServerHttpRequest;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.web.util.UriComponentsBuilder;

/* loaded from: input_file:com/appiancorp/security/auth/mfa/MfaVerificationCodeFilter.class */
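/**
 * Servlet filter that gates authenticated requests behind the MFA verification-code step.
 *
 * <p>When MFA is enabled, a request from a user who is authenticated by the Appian internal provider
 * and is a member of the configured MFA group is redirected to the verification-code page; every
 * other request passes straight through. A "skip" decision is cached on the HTTP session under
 * {@value #SKIP_VERIFICATION_CODE_CHECK_ATTR}. Nothing in this class ever clears that flag, so once
 * set it holds for the rest of the session even if the MFA configuration or the user's group
 * membership changes afterwards.
 *
 * <p>Decompiled from {@code MfaVerificationCodeFilter.class}; method bodies are otherwise unchanged.
 */
public class MfaVerificationCodeFilter implements Filter {
    /** Public for compatibility with the original class; prefer not to log through it from elsewhere. */
    public static final Logger LOG = LoggerFactory.getLogger(MfaVerificationCodeFilter.class);

    /** Session attribute: once {@code true}, every later request in the session bypasses the check. */
    private static final String SKIP_VERIFICATION_CODE_CHECK_ATTR = "skip_verification_code_check";
    /**
     * Session attribute read (never written) here; presumably set by the MFA flow once a code has been
     * issued for the session — confirm against the writer.
     */
    private static final String VERIFICATION_CODE_SENT_ATTR = "verification_code_sent";
    /** Session attribute written (never read) here: the URL the user originally requested. */
    private static final String MFA_DESTINATION_URL_ATTR = "mfa_destination_url";
    /** Feature-toggle name quoted in the log line emitted when MFA is not enabled. */
    private static final String MFA_EMAIL_FEATURE_TOGGLE = "ae.iam.multi-factor-auth-email";
    private static final String MFA_VERIFICATION_CODE_PATH = "/personalization/mfa_verification_code";
    private static final String MFA_RESEND_VERIFICATION_CODE_PATH = "/personalization/mfa_resend_verification_code";
    /** Redirect target for requests that still need verification. */
    private static final String MFA_VERIFICATION_CODE_REDIRECT = "/personalization/mfa_verification_code.none";

    private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
    private final GroupServiceHelper groupServiceHelper =
            (GroupServiceHelper) ApplicationContextHolder.getBean(GroupServiceHelper.class);
    private final AdminSecurityConfiguration adminSecurityConfiguration =
            (AdminSecurityConfiguration) ApplicationContextHolder.getBean(AdminSecurityConfiguration.class);

    /**
     * Passes the request down the chain, or redirects it to the verification-code page.
     *
     * @param servletRequest the request; cast to {@link HttpServletRequest}
     * @param servletResponse the response; cast to {@link HttpServletResponse} only when redirecting
     * @param filterChain the remainder of the filter chain
     * @throws IOException from the chain or the redirect
     * @throws ServletException from the chain, or wrapping an {@link MfaVerificationCodeException} or
     *     {@link InvalidGroupException} raised while deciding whether the check applies
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        // isMfaEnabled() returns a boxed Boolean; a null here fails the request with an NPE rather than
        // silently letting it through.
        if (!this.adminSecurityConfiguration.isMfaEnabled().booleanValue()) {
            HttpSession session = getHttpSessionIfExists(httpServletRequest);
            if (session != null) {
                LOG.debug("FT {} is off or MFA is NOT enabled - setting skip session attribute", MFA_EMAIL_FEATURE_TOGGLE);
                session.setAttribute(SKIP_VERIFICATION_CODE_CHECK_ATTR, true);
            }
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        try {
            if (skipVerificationCodeCheck(httpServletRequest)) {
                filterChain.doFilter(servletRequest, servletResponse);
                return;
            }
            rememberDestination(httpServletRequest);
            this.redirectStrategy.sendRedirect(
                    httpServletRequest, (HttpServletResponse) servletResponse, MFA_VERIFICATION_CODE_REDIRECT);
        } catch (MfaVerificationCodeException | InvalidGroupException e) {
            throw new ServletException(e);
        }
    }

    /**
     * Stores the requested URL on the session so the MFA flow can return to it after verification.
     *
     * <p>The URL is rebuilt from the incoming request's own headers and query string, so whatever later
     * redirects to {@value #MFA_DESTINATION_URL_ATTR} should treat it as untrusted input and confirm it is
     * a same-site URL before following it. The session is re-read rather than assumed present: it may have
     * been invalidated since {@link #skipVerificationCodeCheck} saw it, in which case nothing is stored and
     * the caller still redirects to the verification page.
     *
     * @param httpServletRequest the current request
     */
    private void rememberDestination(HttpServletRequest httpServletRequest) {
        String uriString = UriComponentsBuilder
                .fromHttpRequest(new ServletServerHttpRequest(httpServletRequest))
                .build()
                .toUriString();
        if (StringUtils.isEmpty(uriString)) {
            return;
        }
        HttpSession session = getHttpSessionIfExists(httpServletRequest);
        if (session == null) {
            LOG.debug("No session available to store the redirect URL; redirecting without a destination.");
            return;
        }
        LOG.debug("Setting the redirect URL: {}", uriString);
        session.setAttribute(MFA_DESTINATION_URL_ATTR, uriString);
    }

    /**
     * Returns whether {@code servletPath}, with any extension (from the first {@code '.'}) removed, is one
     * of the two MFA endpoints. Those must never be redirected, otherwise the verification page — served
     * under {@value #MFA_VERIFICATION_CODE_REDIRECT} — would redirect to itself.
     *
     * @param servletPath the request's servlet path
     * @return {@code true} for the verification-code and resend-code paths
     */
    private boolean isMfaServletPath(String servletPath) {
        int dot = servletPath.indexOf('.');
        String withoutExtension = dot < 0 ? servletPath : servletPath.substring(0, dot);
        return MFA_VERIFICATION_CODE_PATH.equals(withoutExtension)
                || MFA_RESEND_VERIFICATION_CODE_PATH.equals(withoutExtension);
    }

    /**
     * Decides whether this request may bypass the verification-code check.
     *
     * <p>Conditions are evaluated in order and the first match wins: there is no session; the session
     * already carries the skip flag (honoured before the authentication is even inspected); no
     * authentication is set on the security context; the request targets one of the MFA endpoints; the
     * principal is not an {@link AppianUserDetails}; the user was not authenticated by the Appian internal
     * provider; or the user is not a member of the configured MFA group — in which case the skip flag is
     * cached on the session, so later changes to group membership or configuration are not re-evaluated
     * for the rest of that session.
     *
     * <p>When none of those apply the check is required: if the session does not yet record that a code
     * was sent, one is generated and persisted via {@link MfaVerificationCodeManager}; {@code false} is
     * returned either way so the caller redirects.
     *
     * @param httpServletRequest the current request
     * @return {@code true} to let the request through, {@code false} to redirect it to the verification page
     * @throws MfaVerificationCodeException propagated from the group lookup or code generation
     * @throws InvalidGroupException propagated from the group lookup or code generation
     */
    // The servlet path is logged verbatim; SpotBugs flags that as a CRLF log-injection risk.
    @SuppressFBWarnings({"CRLF_INJECTION_LOGS"})
    private boolean skipVerificationCodeCheck(HttpServletRequest httpServletRequest)
            throws MfaVerificationCodeException, InvalidGroupException {
        String servletPath = httpServletRequest.getServletPath();
        HttpSession session = getHttpSessionIfExists(httpServletRequest);
        if (session == null) {
            LOG.trace("httpsession is null for {}", servletPath);
            return true;
        }
        if (Boolean.TRUE.equals(session.getAttribute(SKIP_VERIFICATION_CODE_CHECK_ATTR))) {
            LOG.trace("{} flag was set to true previously for {}", SKIP_VERIFICATION_CODE_CHECK_ATTR, servletPath);
            return true;
        }
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            LOG.debug("Skipping MFA verification code check for {} since authentication is not set on Security Context.", servletPath);
            return true;
        }
        if (isMfaServletPath(servletPath)) {
            LOG.trace("Skipping MFA verification code check for {} since it is a MFA servlet path.", servletPath);
            return true;
        }
        Object principal = authentication.getPrincipal();
        if (!(principal instanceof AppianUserDetails)) {
            LOG.debug("Skipping MFA verification code check for {} since not AppianUserDetail principal.", servletPath);
            return true;
        }
        AppianUserDetails appianUserDetails = (AppianUserDetails) principal;
        if (!appianUserDetails.isAuthenticatedByAppianInternalProvider()) {
            LOG.debug("Skipping MFA verification code check for {} since it not authenticated by Appian internal provider.", servletPath);
            return true;
        }
        String username = appianUserDetails.getUsername();
        String mfaGroupSelection = this.adminSecurityConfiguration.getMfaGroupSelection();
        if (!this.groupServiceHelper.isUserMemberOfAuthGroup(username, mfaGroupSelection, false)) {
            LOG.debug("Skipping MFA verification code check, since user {} is NOT part of the MFA group {} .", username, mfaGroupSelection);
            // Cached for the session: group membership is not re-checked on later requests.
            session.setAttribute(SKIP_VERIFICATION_CODE_CHECK_ATTR, true);
            return true;
        }
        if (Boolean.TRUE.equals(session.getAttribute(VERIFICATION_CODE_SENT_ATTR))) {
            return false;
        }
        LOG.debug("Verification Code session attribute not set - generating and persisting code.");
        ((MfaVerificationCodeManager) ApplicationContextHolder.getBean(MfaVerificationCodeManager.class))
                .generateAndPersistVerificationCode(appianUserDetails);
        return false;
    }

    /**
     * Replaces the strategy used to redirect unverified requests.
     *
     * @param redirectStrategy the strategy to use
     * @throws NullPointerException if {@code redirectStrategy} is {@code null}
     */
    public void setRedirectStrategy(RedirectStrategy redirectStrategy) {
        this.redirectStrategy = Objects.requireNonNull(redirectStrategy, "The redirectStrategy must not be null.");
    }

    /**
     * Returns the existing session, or {@code null} if the request has none; never creates one.
     *
     * @param httpServletRequest the current request
     * @return the current session, or {@code null}
     */
    private HttpSession getHttpSessionIfExists(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getSession(false);
    }

    /**
     * Nothing to set up; defers to the interface default. The decompiled form {@code super.init(...)}
     * does not compile for an interface default method, hence the {@code Filter.super} qualifier.
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        Filter.super.init(filterConfig);
    }

    /** Nothing to tear down; defers to the interface default (see {@link #init}). */
    @Override
    public void destroy() {
        Filter.super.destroy();
    }
}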
