package com.appiancorp.security.auth.saml;

import com.appiancorp.ap2.common.RelativeInternalURI;
import com.appiancorp.common.config.ApplicationContextHolder;
import com.appiancorp.common.monitoring.WebApiAggregatedData;
import com.appiancorp.security.auth.AppianRedirectStrategy;
import com.appiancorp.security.auth.AutoSyncUserData;
import com.appiancorp.security.auth.mobile.MobileAuthContext;
import com.appiancorp.security.auth.mobile.MobileAuthContextUtils;
import com.appiancorp.security.auth.saml.exception.AssertionFailedException;
import com.appiancorp.security.auth.saml.exception.IdpEntityMismatchException;
import com.appiancorp.security.auth.saml.exception.IncorrectIdpException;
import com.appiancorp.security.auth.saml.exception.IncorrectTestUserException;
import com.appiancorp.security.auth.saml.exception.InvalidAppianUserException;
import com.appiancorp.security.auth.saml.exception.NoTrustedAssertionException;
import com.appiancorp.security.auth.saml.exception.NonSamlUserException;
import com.appiancorp.security.auth.saml.exception.SecurityPolicyViolatedException;
import com.appiancorp.security.auth.saml.redirecter.SamlIdpRedirecter;
import com.appiancorp.suite.SuiteConfiguration;
import com.appiancorp.suite.cfg.ConfigurationFactory;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import java.io.IOException;
import java.util.List;
import java.util.Optional;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import org.opensaml.messaging.decoder.MessageDecodingException;
import org.opensaml.saml.saml2.core.Response;

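/**
 * Servlet for the SAML test endpoint.
 *
 * <p>Two flows are visible in this class: the Admin Console "verify" test of a SAML
 * configuration, and the SBAF Connected System Authorize button. GET requests start a flow by
 * sending the browser to the identity provider; POST requests carry the identity provider's
 * response back.
 *
 * <p>NOTE(review): no authentication or authorization check appears in this class. Presumably a
 * filter in front of the servlet restricts who may start or complete a test; confirm against
 * the deployment descriptor.
 */
@SuppressFBWarnings({"SE_BAD_FIELD"})
/* loaded from: input_file:com/appiancorp/security/auth/saml/SamlTestServlet.class */
public class SamlTestServlet extends HttpServlet {
    private static final long serialVersionUID = 1;
    private static final Logger LOG = Logger.getLogger(SamlTestServlet.class);

    // Request attribute names and the symbolic failure codes handed to the result page.
    // Only these codes are placed on the request; exception text is written to the log.
    static final String ERROR_MESSAGE_ATTRIBUTE = "errorMessage";
    static final String FAILED_DUE_TO_NO_ASSERTION_MESSAGE = "NoAssertion";
    static final String FAILED_TO_DECODE_MESSAGE = "FailedDecode";
    static final String FAILED_TO_FIND_ATTRIBUTES_MESSAGE = "FailedAttribute";
    static final String FAILED_DUE_TO_MISMATCH_IDP_ENTITY = "FailedMismatchIdp";
    static final String FAILED_DUE_TO_ASSERTION_FAILED_STATUS = "FailedAssertionStatus";
    static final String FAILED_DUE_INVALID_APPIAN_USER = "FailedInvalidUser";
    static final String FAILED_DUE_INCORRECT_TEST_USER_USED = "FailedIncorrectUser";
    static final String FAILED_DUE_INCORRECT_IDP = "FailedIncorrectIdp";
    static final String FAILED_DUE_TO_NO_TRUSTED_ASSERTIONS = "FailedNoTrustedAssertions";
    static final String FAILED_DUE_TO_SECURITY_POLICY_MESSAGE = "FailedSecurity";
    static final String FAILED_DUE_NON_SAML_USER = "FailedNonSamlUser";
    private static final String FAILED_DUE_TO_UNEXPECTED_EXCEPTION_MESSAGE = "FailedUnexpected";
    private static final String SAML_TESTCOMPLETED_JSP = "/saml/testcompleted.jsp";
    private static final String SAML_AUTH_TEST_ERROR_MESSAGE = "Error occurred during SAML authentication test: ";
    static final String ERROR_MESSAGE_ARGS = "errorMessageArgs";

    // Collaborators are resolved from the application context in init().
    private AppianRedirectStrategy appianRedirectStrategy;
    private transient IdentityProviderManager identityProviderManager;
    private transient SamlTestStateManager samlTestStateManager;
    private transient SamlTestValidator samlTestValidator;
    private SamlIdpRedirecter samlIdpRedirecter;
    private SbafCsAuthzButtonRequestHandler sbafCsAuthzButtonRequestHandler;

    /**
     * Routes every request through {@link #handleRequest}, bypassing the per-method dispatch of
     * {@link HttpServlet}.
     */
    @Override
    protected void service(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        handleRequest(httpServletRequest, httpServletResponse);
    }

    /** Creates the redirect strategy and looks up the SAML collaborators as beans. */
    @Override
    public void init() throws ServletException {
        super.init();
        this.appianRedirectStrategy = new AppianRedirectStrategy();
        this.identityProviderManager = (IdentityProviderManager) ApplicationContextHolder.getBean(IdentityProviderManager.class);
        this.samlTestStateManager = (SamlTestStateManager) ApplicationContextHolder.getBean(SamlTestStateManager.class);
        this.samlTestValidator = (SamlTestValidator) ApplicationContextHolder.getBean(SamlTestValidator.class);
        this.samlIdpRedirecter = (SamlIdpRedirecter) ApplicationContextHolder.getBean(SamlIdpRedirecter.class);
        this.sbafCsAuthzButtonRequestHandler = (SbafCsAuthzButtonRequestHandler) ApplicationContextHolder.getBean(SbafCsAuthzButtonRequestHandler.class);
    }

    /**
     * Dispatches GET and POST to their handlers and always leaves test-data mode afterwards.
     *
     * @throws IOException if writing the response fails
     */
    private void handleRequest(HttpServletRequest request, HttpServletResponse response) throws IOException {
        try {
            String method = request.getMethod();
            if ("GET".equalsIgnoreCase(method)) {
                handleGet(request, response);
            } else if ("POST".equalsIgnoreCase(method)) {
                handlePost(request, response);
            }
            // NOTE(review): any other method (HEAD, PUT, TRACE, ...) falls through with no
            // response written here, because service() is overridden. Consider answering 405
            // if nothing depends on the current behaviour.
        } finally {
            // Test data must never stay selected past the request that enabled it.
            this.samlTestStateManager.stopUsingTestData();
        }
    }

    /**
     * Starts a flow: either the SBAF authorize redirect, or the Admin Console verify request
     * sent to the identity provider using the test configuration.
     */
    private void handleGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        Optional<String> sbafRelayState = this.sbafCsAuthzButtonRequestHandler.getRelayStateIfSbafAuthzButtonGetReq(request);
        if (sbafRelayState.isPresent()) {
            LOG.debug("Handling SBAF Connected System Authorize GET request");
            this.samlIdpRedirecter.redirect(request, response, sbafRelayState);
            return;
        }
        LOG.debug("Handling SAML Admin Console Verify GET request");
        this.samlTestStateManager.startUsingTestData();
        try {
            // getSession(false) returns null when there is no session; whether
            // getMobileAuthContext accepts null is not visible here. A failure is caught below.
            MobileAuthContext mobileAuthContext = MobileAuthContextUtils.getMobileAuthContext(request.getSession(false));
            boolean forceAuth = mobileAuthContext != null && mobileAuthContext.isForceAuth();
            this.identityProviderManager.sendSingleSignOnRequest(response, forceAuth);
        } catch (Exception e) {
            LOG.error("Error when trying to redirect to IDP: " + e.getMessage(), e);
            // NOTE(review): presumably this constant is 500; SC_INTERNAL_SERVER_ERROR would say so.
            response.sendError(WebApiAggregatedData.STATUS_CODE_RANGE_5XX_KEY);
        }
    }

    /** Looks up the return URL recorded for the request id in the response's InResponseTo. */
    private String getSamlReturnUrl(SamlAuthToken samlAuthToken, HttpServletRequest httpServletRequest) {
        return SamlFilter.getReturnUrlForRequest(httpServletRequest, samlAuthToken.m4010getCredentials().getMessage().getInResponseTo());
    }

    /**
     * Handles the identity provider's POST.
     *
     * <p>When test mode is available, the POST is processed as a test response and the result
     * page is shown. Otherwise the SBAF handler gets the first chance to consume it, and any
     * remaining request is redirected to the non-test return URL.
     */
    private void handlePost(HttpServletRequest request, HttpServletResponse response) throws IOException {
        boolean hasSamlAssertion = this.identityProviderManager.hasSamlAssertion(request);
        if (!this.samlTestStateManager.isTestModeUnavailable()) {
            this.samlTestStateManager.startUsingTestData();
            processTestResponse(request, hasSamlAssertion);
            redirectToTestCompletedPage(request, response);
            return;
        }
        if (this.sbafCsAuthzButtonRequestHandler.processSamlMsgIfSbafAuthzButtonPost(hasSamlAssertion, request, response, this::extractMessageContext)) {
            LOG.debug("Handle POST request for SBAF Connected System Authorize.");
            return;
        }
        String nonTestReturnUrl = getNonTestReturnUrl(request, hasSamlAssertion);
        LOG.debug("Redirecting to non-test URL: " + nonTestReturnUrl);
        this.appianRedirectStrategy.sendRedirect(request, response, nonTestReturnUrl);
    }

    /**
     * Extracts the SAML response from the request, rethrowing any failure unchecked so the
     * method can be passed as a method reference.
     */
    private SamlMessageContextWrapper<Response> extractMessageContext(HttpServletRequest httpServletRequest) {
        try {
            return this.identityProviderManager.extractMessageContext(httpServletRequest);
        } catch (Exception e) {
            LOG.error("Error while extracting saml response from request.", e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Validates the SAML response of a test and records the outcome.
     *
     * <p>Each expected failure is mapped to its own symbolic code on the request. The handlers
     * form one flat list with the generic {@code Exception} handler last: if the generic
     * handler sat inside the specific ones it would intercept their exceptions first, and the
     * administrator would only ever see {@code FailedUnexpected}. The {@code finally} block
     * records the outcome exactly once on every path, including unchecked errors.
     *
     * @param request the POST carrying the identity provider's response
     * @param hasSamlAssertion whether the request was found to contain a SAML assertion
     */
    private void processTestResponse(HttpServletRequest request, boolean hasSamlAssertion) {
        boolean succeeded = false;
        try {
            if (hasSamlAssertion) {
                this.samlTestValidator.validate(this.identityProviderManager.createSamlAuthenticationToken(request, this.identityProviderManager.extractMessageContext(request)));
                succeeded = true;
            } else {
                request.setAttribute(ERROR_MESSAGE_ATTRIBUTE, FAILED_DUE_TO_NO_ASSERTION_MESSAGE);
            }
        } catch (InvalidAppianUserException e) {
            setErrorPageMessage(request, e, FAILED_DUE_INVALID_APPIAN_USER);
        } catch (NonSamlUserException e) {
            setErrorPageMessage(request, e, FAILED_DUE_NON_SAML_USER);
        } catch (IncorrectTestUserException e) {
            setErrorPageMessage(request, e, FAILED_DUE_INCORRECT_TEST_USER_USED);
        } catch (SecurityPolicyViolatedException e) {
            setErrorPageMessage(request, e, FAILED_DUE_TO_SECURITY_POLICY_MESSAGE);
        } catch (IdpEntityMismatchException e) {
            setErrorPageMessage(request, e, FAILED_DUE_TO_MISMATCH_IDP_ENTITY);
        } catch (IncorrectIdpException e) {
            // NOTE(review): these arguments reach the result page; confirm the JSP escapes them.
            setErrorPageMessage(request, e, FAILED_DUE_INCORRECT_IDP, e.getErrorMessageArgs());
        } catch (MessageDecodingException | IllegalArgumentException e) {
            setErrorPageMessage(request, e, FAILED_TO_DECODE_MESSAGE);
        } catch (AutoSyncUserData.UserDataMissingException e) {
            setErrorPageMessage(request, e, FAILED_TO_FIND_ATTRIBUTES_MESSAGE);
        } catch (AssertionFailedException e) {
            setErrorPageMessage(request, e, FAILED_DUE_TO_ASSERTION_FAILED_STATUS);
        } catch (NoTrustedAssertionException e) {
            setErrorPageMessage(request, e, FAILED_DUE_TO_NO_TRUSTED_ASSERTIONS);
        } catch (Exception e) {
            LOG.error("Unexpected exception during SAML authentication test: " + e.getMessage(), e);
            request.setAttribute(ERROR_MESSAGE_ATTRIBUTE, FAILED_DUE_TO_UNEXPECTED_EXCEPTION_MESSAGE);
        } finally {
            this.samlTestStateManager.markTestCompletedWithSuccess(succeeded);
        }
    }

    /**
     * Resolves where to send the browser when the POST is not part of a test.
     *
     * <p>Falls back to the configured base URI when there is no assertion, when the lookup
     * yields nothing, or when building the token fails.
     *
     * <p>NOTE(review): the result feeds a redirect. Confirm that
     * {@code SamlFilter.getReturnUrlForRequest} only returns URLs stored server-side for the
     * request id, and that {@code createSamlAuthenticationToken} rejects unverified responses.
     */
    private String getNonTestReturnUrl(HttpServletRequest request, boolean hasSamlAssertion) {
        String returnUrl = null;
        if (hasSamlAssertion) {
            try {
                returnUrl = getSamlReturnUrl(this.identityProviderManager.createSamlAuthenticationToken(request, this.identityProviderManager.extractMessageContext(request)), request);
            } catch (Exception e) {
                LOG.error("Unable to determine return url for SAML request, using default value instead", e);
            }
        }
        if (returnUrl != null) {
            return returnUrl;
        }
        return ((SuiteConfiguration) ConfigurationFactory.getConfiguration(SuiteConfiguration.class)).getBaseUri();
    }

    /** Records the failure code and additionally exposes its message arguments to the page. */
    private void setErrorPageMessage(HttpServletRequest httpServletRequest, Exception exc, String str, List<String> list) {
        setErrorPageMessage(httpServletRequest, exc, str);
        httpServletRequest.setAttribute(ERROR_MESSAGE_ARGS, list);
    }

    /**
     * Logs the exception and stores only the symbolic failure code on the request, so the
     * exception text is not handed to the result page.
     */
    private void setErrorPageMessage(HttpServletRequest httpServletRequest, Exception exc, String str) {
        LOG.error(SAML_AUTH_TEST_ERROR_MESSAGE + exc.getMessage(), exc);
        httpServletRequest.setAttribute(ERROR_MESSAGE_ATTRIBUTE, str);
    }

    /**
     * Forwards the request to the test-completed JSP. Despite the method name this is a
     * server-side forward, so the request attributes set earlier remain visible to the page.
     */
    private void redirectToTestCompletedPage(HttpServletRequest request, HttpServletResponse response) throws IOException {
        try {
            RelativeInternalURI completedPage = new RelativeInternalURI(request, response);
            completedPage.setPath(SAML_TESTCOMPLETED_JSP);
            completedPage.setDecorator(null);
            completedPage.addContextPath(false);
            request.getRequestDispatcher(completedPage.toString()).forward(request, response);
        } catch (ServletException e) {
            LOG.error("Failed to redirect to testcompleted.jsp", e);
            // NOTE(review): presumably this constant is 500; SC_INTERNAL_SERVER_ERROR would say so.
            response.sendError(WebApiAggregatedData.STATUS_CODE_RANGE_5XX_KEY);
        }
    }
}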
