package com.appiancorp.security.auth.piee;

import com.appiancorp.core.expr.portable.string.Strings;
import com.appiancorp.security.auth.AppianAuthenticationSuccessHandler;
import com.appiancorp.security.auth.AppianRedirectStrategy;
import com.appiancorp.security.auth.AuthenticationDetails;
import com.appiancorp.security.auth.LoginEntryPoint;
import com.appiancorp.security.auth.piee.persistence.PieeSettings;
import com.appiancorp.security.auth.piee.persistence.PieeSettingsDaoService;
import com.appiancorp.suite.cfg.PieeConfiguration;
import com.appiancorp.suiteapi.common.spring.security.CompositeSessionAuthenticationStrategy;
import java.io.IOException;
import java.net.URISyntaxException;
import java.util.Map;
import java.util.Optional;
import java.util.UUID;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.http.client.utils.URIBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;

/* loaded from: input_file:com/appiancorp/security/auth/piee/PieeFilter.class */
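/**
 * Spring Security filter that drives an OAuth authorization-code login against the PIEE identity
 * provider.
 *
 * <p>A request that is not the configured redirect URI is sent to the provider's authorization
 * endpoint. A request that is the redirect URI is treated as the provider callback: the
 * authorization code is exchanged for an access token, user data is fetched, and the result is
 * handed to the {@link AuthenticationManager}.
 *
 * <p>Secrets handled here (authorization code, access token) are only ever logged as SHA-256
 * digests, and the raw query string is redacted before it reaches the error log.
 */
public class PieeFilter extends AbstractAuthenticationProcessingFilter {
    private static final String AUTH_PROVIDER_QUERY_PARAM = "signin";
    private static final String NATIVE_PROVIDER_QUERY_PARAM = "native";
    private static final String AUTH_CODE_PARAM_KEY = "code";
    private static final String PIEE_IDP_FRIENDLY_NAME = "piee";
    private static final String STATE_PARAM_KEY = "state";
    private static final String RESPONSE_TYPE_KEY = "response_type";
    private static final String RESPONSE_TYPE_VAL = "code";
    private static final String CLIENT_ID_KEY = "client_id";
    private static final String REDIRECT_URI_KEY = "redirect_uri";
    // Matches the literal "code" and "state" parameters of a raw (undecoded) query string so their
    // values can be masked before logging. Percent-encoded parameter names are not matched.
    private static final Pattern SENSITIVE_QUERY_PARAM = Pattern.compile("(?i)(^|&)(code|state)=[^&]*");
    private static final String REDACTED_QUERY_PARAM = "$1$2=[REDACTED]";
    private static final Logger LOG = LoggerFactory.getLogger(PieeFilter.class);
    private final AppianRedirectStrategy appianRedirectStrategy;
    private final PieeConfiguration pieeConfiguration;
    private final PieeOAuthTokenRetriever pieeOAuthTokenRetriever;
    private final PieeUserDataRetriever pieeUserDataRetriever;
    private final PieeReturnUrlManager pieeReturnUrlManager;
    private final PieeSettingsDaoService pieeSettingsDaoService;

    /**
     * Wires the filter to {@code /j_spring_security_filter} and installs the supplied
     * authentication manager, success handler and session authentication strategy.
     */
    public PieeFilter(AppianRedirectStrategy appianRedirectStrategy, AuthenticationManager authenticationManager, AppianAuthenticationSuccessHandler appianAuthenticationSuccessHandler, CompositeSessionAuthenticationStrategy compositeSessionAuthenticationStrategy, PieeConfiguration pieeConfiguration, PieeOAuthTokenRetriever pieeOAuthTokenRetriever, PieeUserDataRetriever pieeUserDataRetriever, PieeReturnUrlManager pieeReturnUrlManager, PieeSettingsDaoService pieeSettingsDaoService) {
        super("/j_spring_security_filter");
        setAuthenticationManager(authenticationManager);
        this.appianRedirectStrategy = appianRedirectStrategy;
        this.pieeConfiguration = pieeConfiguration;
        this.pieeOAuthTokenRetriever = pieeOAuthTokenRetriever;
        this.pieeUserDataRetriever = pieeUserDataRetriever;
        this.pieeReturnUrlManager = pieeReturnUrlManager;
        this.pieeSettingsDaoService = pieeSettingsDaoService;
        setAuthenticationSuccessHandler(appianAuthenticationSuccessHandler);
        setSessionAuthenticationStrategy(compositeSessionAuthenticationStrategy);
    }

    /**
     * Decides whether this filter should handle the request.
     *
     * @return {@code false} when PIEE is disabled, when the security context already holds an
     *     authenticated principal, or when the request carries {@code signin=native};
     *     {@code true} otherwise
     */
    @Override
    protected boolean requiresAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (!this.pieeConfiguration.isEnabled()) {
            return false;
        }
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication != null && authentication.isAuthenticated()) {
            return false;
        }
        // signin=native is the caller's explicit opt-out of PIEE; the match is exact and case-sensitive.
        String signInProvider = PieeAuthUtils.getQueryParamStringValue(AUTH_PROVIDER_QUERY_PARAM, httpServletRequest);
        return !NATIVE_PROVIDER_QUERY_PARAM.equals(signInProvider);
    }

    /**
     * Starts or completes the PIEE login.
     *
     * @return {@code null} after redirecting the browser to the PIEE authorization endpoint, or
     *     the authenticated principal when the request is the provider callback
     * @throws PieeAuthenticationException if no PIEE provider is configured, or if any step of the
     *     callback handling fails (the original failure is available as the cause)
     */
    @Override
    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException, IOException, ServletException {
        PieeSettings pieeSettings = this.pieeSettingsDaoService.getPieeSettingsByFriendlyName(PIEE_IDP_FRIENDLY_NAME)
            .orElseThrow(() -> new PieeAuthenticationException("A PIEE provider does not currently exist."));
        // getRequestURI() is the raw, undecoded request path, and the comparison ignores case.
        boolean isProviderCallback = this.pieeConfiguration.getRedirectUri().getPath().equalsIgnoreCase(httpServletRequest.getRequestURI());
        if (!isProviderCallback) {
            // The random UUID is sent as the OAuth "state" and is the handle under which the
            // return URL is saved for this request.
            String uuid = UUID.randomUUID().toString();
            this.pieeReturnUrlManager.saveReturnUrl(httpServletRequest, uuid);
            String pieeAuthorizationUrl = getPieeAuthorizationUrl(pieeSettings, uuid);
            LOG.debug("Redirecting browser to: {}", pieeAuthorizationUrl);
            this.appianRedirectStrategy.sendRedirect(httpServletRequest, httpServletResponse, pieeAuthorizationUrl);
            return null;
        }
        try {
            Map<String, String[]> queryParams = PieeAuthUtils.getQueryParams(httpServletRequest);
            String authCode = getAuthCode(httpServletRequest, queryParams);
            if (LOG.isDebugEnabled()) {
                LOG.debug("Received piee auth code. SHA256Hex Auth Code: {}", DigestUtils.sha256Hex(authCode));
            }
            setReturnUrlOnRequest(httpServletRequest, queryParams);
            PieeTokenResponse tokenResponse = this.pieeOAuthTokenRetriever.retrieve(pieeSettings, authCode);
            String accessToken = tokenResponse.getAccessToken();
            String userId = tokenResponse.getUserId();
            if (LOG.isDebugEnabled()) {
                LOG.debug("Received user id '{}' and access token (SHA256 HEX) '{}' from token endpoint.", userId, DigestUtils.sha256Hex(accessToken));
            }
            PieeUserData userData = this.pieeUserDataRetriever.retrieve(pieeSettings, accessToken, userId);
            LOG.debug("Received piee username '{}' from user data endpoint.", userData.getUsername());
            PieeAuthToken pieeAuthToken = new PieeAuthToken(userData);
            pieeAuthToken.setDetails(new AuthenticationDetails(httpServletRequest, LoginEntryPoint.PORTAL));
            Authentication authenticate = getAuthenticationManager().authenticate(pieeAuthToken);
            LOG.debug("Successful authentication of username: {}", authenticate.getName());
            return authenticate;
        } catch (Exception e) {
            // This handler also sees failures from the token exchange, the user-data lookup and the
            // AuthenticationManager, so the "parse" wording can be misleading; the real cause is
            // only carried on the rethrown exception.
            if (LOG.isErrorEnabled()) {
                // The callback query string carries the live authorization code, so it is
                // redacted rather than written verbatim to the error log.
                LOG.error("Unable to parse query string from request: {}", redactedQueryString(httpServletRequest));
            }
            throw new PieeAuthenticationException("Unable to parse query string from request.", e);
        }
    }

    /**
     * Returns the request's query string with whitespace normalized and the values of the
     * {@code code} and {@code state} parameters masked, or {@code null} when there is none.
     */
    private static String redactedQueryString(HttpServletRequest httpServletRequest) {
        String normalized = StringUtils.normalizeSpace(httpServletRequest.getQueryString());
        if (normalized == null) {
            return null;
        }
        return SENSITIVE_QUERY_PARAM.matcher(normalized).replaceAll(REDACTED_QUERY_PARAM);
    }

    /**
     * Reads the authorization code from the callback query parameters.
     *
     * @throws PieeAuthenticationException if the {@code code} parameter is missing or empty
     */
    private String getAuthCode(HttpServletRequest httpServletRequest, Map<String, String[]> map) {
        String authCode = PieeAuthUtils.getQueryParamStringValue(AUTH_CODE_PARAM_KEY, map);
        if (!Strings.isNullOrEmpty(authCode)) {
            return authCode;
        }
        if (LOG.isErrorEnabled()) {
            LOG.error("Missing or empty auth code. Query string: {}", redactedQueryString(httpServletRequest));
        }
        throw new PieeAuthenticationException("Missing or empty auth code on request query string.");
    }

    /**
     * Resolves the return URL for the callback's {@code state} value and stores it as a request
     * attribute; does nothing when {@code state} is missing or empty.
     */
    private void setReturnUrlOnRequest(HttpServletRequest httpServletRequest, Map<String, String[]> map) {
        String state = PieeAuthUtils.getQueryParamStringValue(STATE_PARAM_KEY, map);
        // NOTE(review): a callback without "state" is accepted and authentication continues.
        // Whether "state" is bound to the browser session is decided inside PieeReturnUrlManager,
        // which is not visible here - confirm, since an unbound or optional state leaves the
        // callback without login-CSRF protection.
        if (Strings.isNullOrEmpty(state)) {
            return;
        }
        httpServletRequest.setAttribute(PieeReturnUrlManager.PIEE_RETURN_URL_KEY, PieeReturnUrlManager.getReturnUrlForRequest(httpServletRequest, state));
    }

    /**
     * Builds the URL of the PIEE authorization endpoint for an authorization-code request.
     *
     * @param pieeSettings supplies the authorization endpoint and the client id
     * @param str value for the {@code state} parameter; omitted from the URL when null or empty
     * @return the authorization endpoint with {@code response_type}, {@code client_id},
     *     {@code redirect_uri} and, when given, {@code state} appended
     * @throws PieeAuthenticationException if the configured authorization endpoint is not a valid URI
     */
    public String getPieeAuthorizationUrl(PieeSettings pieeSettings, String str) {
        String authorizationEndpoint = pieeSettings.getAuthorizationEndpoint();
        try {
            URIBuilder authorizationUri = new URIBuilder(authorizationEndpoint);
            authorizationUri.addParameter(RESPONSE_TYPE_KEY, RESPONSE_TYPE_VAL);
            authorizationUri.addParameter(CLIENT_ID_KEY, pieeSettings.getClientId());
            authorizationUri.addParameter(REDIRECT_URI_KEY, this.pieeConfiguration.getRedirectUri().toString());
            if (!Strings.isNullOrEmpty(str)) {
                authorizationUri.addParameter(STATE_PARAM_KEY, str);
            }
            return authorizationUri.build().toString();
        } catch (URISyntaxException e) {
            LOG.error("Invalid authorization url {}", authorizationEndpoint, e);
            throw new PieeAuthenticationException("Invalid authorization url " + authorizationEndpoint, e);
        }
    }
}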
