package com.appiancorp.security.auth;

import com.appiancorp.core.expr.portable.string.Strings;
import com.appiancorp.security.authz.SystemRoleAeImpl;
import java.util.Optional;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/* loaded from: input_file:com/appiancorp/security/auth/ServiceAccountExclusionFilter.class */
/**
 * Authentication filter that keeps service accounts off every login path except
 * API-key-authenticated Web API paths.
 *
 * <p>Two cases are handled:
 * <ul>
 *   <li>The authentication is a {@code ServiceAccountAuthable}: it is accepted only when
 *       its details are an {@code AuthenticationDetails} whose path
 *       {@code AppianApiKeyFilterPathMatcher.isAuthenticatedPath} accepts.</li>
 *   <li>Any other authentication: it is rejected when its principal name is a member of
 *       the {@code SystemRoleAeImpl.SERVICE_ACCOUNT} group.</li>
 * </ul>
 */
public class ServiceAccountExclusionFilter implements AuthenticationFilter {
    private final GroupServiceHelper groupServiceHelper;

    /**
     * Raised whenever a service account attempts to authenticate through anything other
     * than an API-key-protected Web API path.
     */
    static class ServiceAccountAuthDisabledException extends DisabledException {
        ServiceAccountAuthDisabledException() {
            super("Authentication rejected: Service accounts may only authenticate to Web APIs with api key authentication");
        }
    }

    /**
     * @param groupServiceHelper helper used to test membership in the service-account group
     */
    public ServiceAccountExclusionFilter(GroupServiceHelper groupServiceHelper) {
        this.groupServiceHelper = groupServiceHelper;
    }

    /**
     * Applies the service-account restriction to an authentication attempt.
     *
     * @param authentication the authentication being evaluated; dereferenced without a
     *     null check, so a {@code null} argument fails with a NullPointerException
     * @throws AuthenticationException a {@link ServiceAccountAuthDisabledException} when a
     *     service account uses a path or mechanism that is not permitted
     */
    public void filter(Authentication authentication) throws AuthenticationException {
        if (authentication instanceof ServiceAccountAuthable) {
            // Without request details the target path cannot be verified, so reject.
            AuthenticationDetails details = getAuthenticationDetails(authentication.getDetails())
                    .orElseThrow(ServiceAccountAuthDisabledException::new);

            String servletPath = details.getServletPath();
            String pathToCheck = servletPath;
            if (InternalWebApiPathMatcher.isInternalWebApiPath(servletPath)) {
                // Internal Web API paths are matched on servlet path plus path info.
                // NOTE(review): if getPathInfo() can return null, this concatenation appends
                // the literal text "null" to the path handed to the matcher; confirm the
                // nullability of getPathInfo() and what the matcher does with such a path.
                pathToCheck = servletPath + details.getPathInfo();
            }
            if (!AppianApiKeyFilterPathMatcher.isAuthenticatedPath(pathToCheck)) {
                throw new ServiceAccountAuthDisabledException();
            }
            return;
        }

        // Not an API-key style authentication: the principal must not be a service account.
        String principalName = authentication.getName();
        if (Strings.isNullOrEmpty(principalName)) {
            // Nameless authentications skip the group lookup and pass this filter.
            return;
        }
        if (isServiceAccount(principalName)) {
            throw new ServiceAccountAuthDisabledException();
        }
    }

    /**
     * Reports whether the named user belongs to the service-account system group.
     *
     * <p>NOTE(review): this check fails open. Any exception raised by the lookup is
     * swallowed and reported as "not a service account", so on a lookup error
     * {@link #filter} lets the authentication through without the membership test having
     * run, and nothing is logged. Confirm that this is deliberate (presumably to tolerate
     * names the group service does not know), and consider narrowing the caught type and
     * recording the failure so that a degraded group service shows up in monitoring.
     *
     * @param str the principal name to look up
     * @return the membership result, or {@code false} when the lookup throws
     */
    private boolean isServiceAccount(String str) {
        try {
            long serviceAccountGroupId = SystemRoleAeImpl.SERVICE_ACCOUNT.getGroupId().longValue();
            // The meaning of the trailing boolean flag is defined by GroupServiceHelper,
            // which is not visible here.
            return this.groupServiceHelper.isUserMemberOfGroup(str, Long.valueOf(serviceAccountGroupId), true);
        } catch (Exception e) {
            return false;
        }
    }

    /**
     * Narrows the opaque details object of an authentication to {@code AuthenticationDetails}.
     *
     * @param obj the value returned by {@code Authentication.getDetails()}; may be {@code null}
     * @return the details when {@code obj} is an {@code AuthenticationDetails}, otherwise empty
     */
    private Optional<AuthenticationDetails> getAuthenticationDetails(Object obj) {
        if (obj instanceof AuthenticationDetails) {
            return Optional.of((AuthenticationDetails) obj);
        }
        return Optional.empty();
    }
}
