package com.appiancorp.security.auth.saml;

import com.appiancorp.security.auth.ConditionalAuthenticatorWrapper;
import com.appiancorp.security.auth.saml.oauth.SamlAssertionRetriever;
import com.appiancorp.security.auth.saml.service.SamlSettings;
import com.appiancorp.security.auth.saml.service.SamlSettingsService;
import com.appiancorp.suite.cfg.SamlConfiguration;
import com.appiancorp.suiteapi.common.exceptions.InvalidUserException;
import com.appiancorp.suiteapi.personalization.UserProfile;
import com.appiancorp.suiteapi.security.auth.AppianUserDetails;
import com.appiancorp.suiteapi.security.auth.AppianUserDetailsService;
import com.google.common.base.Optional;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/* loaded from: input_file:com/appiancorp/security/auth/saml/SamlAuthenticatorWrapper.class */
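/**
 * Conditional authenticator that handles {@link SamlAuthToken} authentications when SAML is
 * enabled in {@link SamlConfiguration}.
 *
 * <p>{@link #shouldUseAuthenticator(Authentication)} decides whether this wrapper takes the
 * request. It rejects two mismatches with {@link BadCredentialsException}: a non-SAML token
 * presented for a user who has SAML settings, and a SAML token for a user whose selected
 * settings do not point at the configured IdP entity id.
 *
 * <p>This source is decompiler output; comments describe only what the visible code does.
 */
public class SamlAuthenticatorWrapper extends ConditionalAuthenticatorWrapper {
    // Value returned by getPriority(); how the framework orders priorities is not visible here.
    private static final int AUTH_PRIORITY = 600;
    private final SamlConfiguration samlConfig;
    private final SamlAuthenticator samlAuthenticator;
    private final SamlSettingsService samlSettingsService;
    private final SamlSettingsSelector samlSettingsSelector;
    private final SamlAssertionRetriever samlAssertionRetriever;

    /**
     * Stores the collaborators; no validation is performed on them.
     *
     * @param appianUserDetailsService passed to the superclass constructor
     * @param samlConfiguration global SAML switches (enabled, auto-create, IdP entity id, ...)
     * @param samlAuthenticator performs the actual SAML user authentication
     * @param samlSettingsService source of the priority-ordered SAML settings
     * @param samlSettingsSelector picks the settings that apply to a given user name
     * @param samlAssertionRetriever yields the assertion stored on the user details after login
     */
    public SamlAuthenticatorWrapper(AppianUserDetailsService appianUserDetailsService, SamlConfiguration samlConfiguration, SamlAuthenticator samlAuthenticator, SamlSettingsService samlSettingsService, SamlSettingsSelector samlSettingsSelector, SamlAssertionRetriever samlAssertionRetriever) {
        super(appianUserDetailsService);
        this.samlConfig = samlConfiguration;
        this.samlAuthenticator = samlAuthenticator;
        this.samlSettingsService = samlSettingsService;
        this.samlSettingsSelector = samlSettingsSelector;
        this.samlAssertionRetriever = samlAssertionRetriever;
    }

    /**
     * Decides whether this wrapper should process the given authentication.
     *
     * @param authentication the incoming authentication request
     * @return {@code false} when SAML is disabled; otherwise whether the token type is supported.
     *     For a user that cannot be resolved, {@code true} only if the token is supported and
     *     auto-creation of users is enabled.
     * @throws BadCredentialsException if a non-SAML token is presented for a user with SAML
     *     settings, or a SAML token is presented for a user without settings matching the
     *     configured IdP entity id
     * @throws InternalAuthenticationServiceException if settings lookup fails for any reason
     *     other than an authentication failure or an unknown user
     */
    @Override // com.appiancorp.security.auth.ConditionalAuthenticatorWrapper
    public boolean shouldUseAuthenticator(Authentication authentication) {
        if (!this.samlConfig.isEnabled()) {
            return false;
        }
        String name = authentication.getName();
        Class<?> cls = authentication.getClass();
        boolean supports = supports(cls);
        try {
            Optional<SamlSettings> samlSettings = getSamlSettings(name);
            // A user with SAML settings must present a SAML token.
            if (!supports && samlSettings.isPresent()) {
                throw new BadCredentialsException("Missing Saml token in " + cls.getName());
            }
            // A SAML token is only accepted when the user's settings match the configured IdP.
            if (supports && invalidSamlSettings(samlSettings)) {
                throw new BadCredentialsException("Invalid Saml settings for " + cls.getName());
            }
            return supports;
        } catch (InvalidUserException e) {
            // Unknown user: only proceed when the token is SAML and auto-creation is enabled.
            return shouldAutoCreateUser(supports);
        } catch (AuthenticationException e) {
            // Must be caught before Exception: the decompiled order listed this clause after
            // catch (Exception), which does not compile and, read literally, would turn the
            // BadCredentialsException rejections above into internal service errors.
            throw e;
        } catch (Exception e) {
            throw new InternalAuthenticationServiceException("Failed to process authentication request", e);
        }
    }

    /**
     * Reports whether the token class is a {@link SamlAuthToken} (or subtype) and SAML is enabled.
     *
     * <p>Decompiler note: JADX recorded that this method was declared {@code protected} and
     * widened it to {@code public}.
     *
     * @param cls the authentication token class
     * @return {@code true} if this wrapper can handle tokens of that class
     */
    @Override // com.appiancorp.security.auth.ConditionalAuthenticatorWrapper
    public boolean supports(Class<?> cls) {
        return SamlAuthToken.class.isAssignableFrom(cls) && this.samlConfig.isEnabled();
    }

    /**
     * Returns whether an unresolved user may continue through SAML authentication.
     *
     * @param z whether the presented token type is supported by this wrapper
     * @return the auto-create setting when the token is supported, otherwise {@code false}
     */
    private boolean shouldAutoCreateUser(boolean z) {
        return z && this.samlConfig.isAutoCreateUsersEnabled();
    }

    /**
     * Delegates to {@link SamlAuthenticator#authenticateUser}.
     *
     * <p>The cast is unchecked; it relies on the caller having consulted
     * {@link #shouldUseAuthenticator(Authentication)} first (presumably done by the superclass;
     * verify against {@code ConditionalAuthenticatorWrapper}). A non-SAML token fails with
     * {@link ClassCastException}.
     *
     * @param authentication the SAML token to authenticate
     * @return the profile of the authenticated user
     * @throws Exception whatever the underlying authenticator throws
     */
    @Override // com.appiancorp.security.auth.ConditionalAuthenticatorWrapper
    protected UserProfile authenticate(Authentication authentication) throws Exception {
        SamlAuthToken samlToken = (SamlAuthToken) authentication;
        boolean allowLowercase = this.samlConfig.alsoAllowLowercaseUsername();
        return this.samlAuthenticator.authenticateUser(samlToken, allowLowercase);
    }

    /**
     * Marks the user details as a SAML login and attaches the assertion when one is available.
     *
     * <p>Decompiler note: JADX recorded that this method was declared {@code protected} and
     * widened it to {@code public}.
     *
     * @param appianUserDetails the details object to update
     * @param authentication the authentication the assertion is retrieved from
     */
    @Override // com.appiancorp.security.auth.ConditionalAuthenticatorWrapper
    public void postAuthenticate(AppianUserDetails appianUserDetails, Authentication authentication) {
        super.postAuthenticate(appianUserDetails, authentication);
        appianUserDetails.setLoggedInThroughSaml(true);
        appianUserDetails.setAppianLoginContext(new SamlAppianLoginContext());
        // NOTE(review): nothing here encrypts the value; the setter name implies the retriever
        // already returns the assertion in encrypted form. Confirm in SamlAssertionRetriever.
        this.samlAssertionRetriever.getAssertion(authentication).ifPresent(appianUserDetails::setEncryptedSamlAssertion);
    }

    /**
     * @return the fixed priority of this authenticator
     */
    @Override // com.appiancorp.security.auth.ConditionalAuthenticatorWrapper
    public int getPriority() {
        return AUTH_PRIORITY;
    }

    /**
     * Checks the selected settings against the configured IdP entity id.
     *
     * <p>NOTE(review): the comparison ignores case. SAML entity ids are normally compared
     * exactly; confirm the relaxed match is intended. A {@code null} entity id on the selected
     * settings raises {@link NullPointerException}, which the caller's generic catch wraps.
     *
     * @param optional the settings selected for the user, possibly absent
     * @return {@code true} when settings are absent or name a different IdP entity id
     */
    private boolean invalidSamlSettings(Optional<SamlSettings> optional) {
        if (!optional.isPresent()) {
            return true;
        }
        String userIdpEntityId = optional.get().getIdpEntityId();
        return !userIdpEntityId.equalsIgnoreCase(this.samlConfig.getIdpEntityId());
    }

    /**
     * Selects the SAML settings that apply to the given user name.
     *
     * @param str the user name taken from the authentication
     * @return the selected settings, or absent when none apply
     * @throws InvalidUserException propagated from the selector
     */
    private Optional<SamlSettings> getSamlSettings(String str) throws InvalidUserException {
        return this.samlSettingsSelector.selectSettingsForUser(this.samlSettingsService.getPriorityOrderedSettings(), str);
    }
}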
