package com.appiancorp.security.auth.saml;

import com.appiancorp.common.net.URI;
import com.appiancorp.connectedsystems.http.oauth.OAuthConfigurationValidationStoreCheck;
import com.appiancorp.connectedsystems.http.oauth.SbafCsAuthzButtonTokenManager;
import com.appiancorp.connectedsystems.http.oauth.SbafUserCheck;
import com.appiancorp.features.FeatureToggleClient;
import com.appiancorp.security.auth.saml.oauth.SamlAssertionSerializer;
import java.io.IOException;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.function.Function;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Response;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/appiancorp/security/auth/saml/SbafCsAuthzButtonRequestHandler.class */
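/**
 * Recognises HTTP requests that belong to the SBAF connected-system "Authorize" button flow and,
 * for SAML POSTs in that flow, hands the first assertion of the response to the token manager.
 *
 * <p>The flow is correlated by an identifier that starts with {@link #STATE_PREFIX}. It arrives as
 * the {@link #AUTH_ID_PARAM} query parameter on the GET and as the SAML relay state on the POST.
 * Both values are supplied by the client, so they are only acted upon after
 * {@code doesOAuthConfigurationExist} confirms them, and they are neutralised before being logged.
 *
 * <p>NOTE(review): nothing in this class validates the SAML response itself (signature, audience,
 * validity window). That is presumably done by the {@code Function} callers pass in; confirm
 * before relying on it, because the assertion is serialized and exchanged for a token here.
 */
public class SbafCsAuthzButtonRequestHandler {
    private static final Logger LOG = LoggerFactory.getLogger(SbafCsAuthzButtonRequestHandler.class);
    // Static markup only; no request data is interpolated into the page.
    public static final String CLOSE_CLIENT_TAB_BODY = "<html><body onload = 'window.close();'></html>";
    public static final String AUTH_ID_PARAM = "authID";
    public static final String STATE_PREFIX = "v-";
    private static final String SBAF_AUTHZ_BUTTON_TOGGLE = "ae.identity-and-access-management.sbaf-authorize-button";
    private static final String ERROR_NO_ASSERTION = "sbaf_no_assertion_present";
    private static final String ERROR_UNEXPECTED = "sbaf_unexpected_error";
    private static final String INVALID_USER_MESSAGE =
        "Cannot request SAML Assertion for SBAF Authorize Click since user is not valid for SBAF.";
    private final SamlAssertionSerializer assertionSerializer;
    private final SbafCsAuthzButtonTokenManager sbafCsAuthzButtonTokenManager;
    private final OAuthConfigurationValidationStoreCheck oAuthConfigurationValidationStoreCheck;
    private final SbafUserCheck sbafUserCheck;
    private final FeatureToggleClient featureToggleClient;

    /**
     * Stores the collaborators; no validation or other work is done here.
     */
    public SbafCsAuthzButtonRequestHandler(SamlAssertionSerializer samlAssertionSerializer, SbafCsAuthzButtonTokenManager sbafCsAuthzButtonTokenManager, OAuthConfigurationValidationStoreCheck oAuthConfigurationValidationStoreCheck, SbafUserCheck sbafUserCheck, FeatureToggleClient featureToggleClient) {
        this.assertionSerializer = samlAssertionSerializer;
        this.sbafCsAuthzButtonTokenManager = sbafCsAuthzButtonTokenManager;
        this.oAuthConfigurationValidationStoreCheck = oAuthConfigurationValidationStoreCheck;
        this.sbafUserCheck = sbafUserCheck;
        this.featureToggleClient = featureToggleClient;
    }

    /**
     * Returns the auth id to use as relay state when the GET request is an SBAF Authorize-button
     * request made by a user who is allowed to authorize.
     *
     * <p>The id is returned only if the feature toggle is on, the query string carries exactly one
     * {@link #AUTH_ID_PARAM} value starting with {@link #STATE_PREFIX}, an OAuth configuration
     * exists for that value, and the user check passes. Every other case yields an empty Optional.
     *
     * @param httpServletRequest the incoming GET request; only its query string is read
     * @return the auth id, or empty when the request is not a valid SBAF Authorize-button request
     */
    public Optional<String> getRelayStateIfSbafAuthzButtonGetReq(HttpServletRequest httpServletRequest) {
        if (!this.featureToggleClient.isFeatureEnabled(SBAF_AUTHZ_BUTTON_TOGGLE)) {
            LOG.debug("SBAF Auth Button Feature toggle {} is OFF.", SBAF_AUTHZ_BUTTON_TOGGLE);
            return Optional.empty();
        }
        URI uri = new URI();
        uri.setQuery(httpServletRequest.getQueryString());
        Map<String, String[]> queryParameters = uri.getQueryParameters();
        if (!queryParameters.containsKey(AUTH_ID_PARAM)) {
            LOG.debug("Request does not contain SBAF Auth ID '{}' query param.", AUTH_ID_PARAM);
            return Optional.empty();
        }
        String[] authIdValues = queryParameters.get(AUTH_ID_PARAM);
        if (authIdValues == null) {
            LOG.debug("SBAF Auth ID '{}' query param was null.", AUTH_ID_PARAM);
            return Optional.empty();
        }
        // A repeated parameter is rejected rather than resolved by picking one of the values.
        if (authIdValues.length != 1) {
            LOG.error("Expected one SBAF Auth ID '{}' query param but was: {}", AUTH_ID_PARAM, authIdValues.length);
            return Optional.empty();
        }
        String authId = authIdValues[0];
        if (!authId.startsWith(STATE_PREFIX)) {
            // Logs the parameter name, not the rejected value.
            LOG.debug("Auth ID {} does not start with prefix: {}", AUTH_ID_PARAM, STATE_PREFIX);
            return Optional.empty();
        }
        if (!this.oAuthConfigurationValidationStoreCheck.doesOAuthConfigurationExist(authId)) {
            // This branch runs before the user check, so the value is logged in neutralised form.
            LOG.error("No test OAuthConfiguration found for auth id: {}", safeForLog(authId));
            return Optional.empty();
        }
        if (this.sbafUserCheck.isValidSbafUserAndAllowedToAuthorize()) {
            LOG.debug("Handle GET request for SBAF Connected System Authorize button, returning auth id: {}", safeForLog(authId));
            return Optional.of(authId);
        }
        LOG.error(INVALID_USER_MESSAGE);
        return Optional.empty();
    }

    /**
     * Processes a SAML POST if it belongs to the SBAF Authorize-button flow.
     *
     * <p>The user check runs first; a user who fails it never reaches message decoding.
     *
     * @param z passed through to {@link #handleSbafAuthzButtonSamlMessageResponse}, where
     *     {@code false} is treated as "the POST carried no SAML response parameter"
     * @param httpServletRequest the incoming POST request
     * @param httpServletResponse the response that receives the tab-closing page
     * @param function decodes the request into a SAML message context
     * @return {@code true} if the request was handled here (a response body has been written),
     *     {@code false} if the caller should continue with its normal processing
     * @throws IOException if writing the tab-closing page fails
     */
    public boolean processSamlMsgIfSbafAuthzButtonPost(boolean z, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Function<HttpServletRequest, SamlMessageContextWrapper<Response>> function) throws IOException {
        if (!this.sbafUserCheck.isValidSbafUserAndAllowedToAuthorize()) {
            LOG.error(INVALID_USER_MESSAGE);
            return false;
        }
        Optional<SamlMessageContextWrapper<Response>> sbafMessage = getSamlMsgIfSbafAuthzButtonPost(httpServletRequest, function);
        if (!sbafMessage.isPresent()) {
            return false;
        }
        handleSbafAuthzButtonSamlMessageResponse(sbafMessage.get(), z, httpServletResponse);
        return true;
    }

    /**
     * Decodes the request and returns the message context when its relay state identifies an
     * SBAF Authorize-button flow with an existing OAuth configuration.
     *
     * <p>NOTE(review): this public method does not call the SBAF user check; only
     * {@link #processSamlMsgIfSbafAuthzButtonPost} does. Confirm that any direct caller performs
     * an equivalent check.
     *
     * @param httpServletRequest the incoming POST request
     * @param function decodes the request into a SAML message context
     * @return the decoded message context, or empty if the toggle is off, the relay state is
     *     missing or unrecognised, or decoding threw
     */
    public Optional<SamlMessageContextWrapper<Response>> getSamlMsgIfSbafAuthzButtonPost(HttpServletRequest httpServletRequest, Function<HttpServletRequest, SamlMessageContextWrapper<Response>> function) {
        if (!this.featureToggleClient.isFeatureEnabled(SBAF_AUTHZ_BUTTON_TOGGLE)) {
            return Optional.empty();
        }
        try {
            SamlMessageContextWrapper<Response> messageContext = function.apply(httpServletRequest);
            String relayState = messageContext.getRelayState();
            if (relayState == null) {
                LOG.debug("No relay state found in message context.");
                return Optional.empty();
            }
            if (!relayState.startsWith(STATE_PREFIX)) {
                LOG.debug("Relay state {} does not start with prefix {}", safeForLog(relayState), STATE_PREFIX);
                return Optional.empty();
            }
            if (this.oAuthConfigurationValidationStoreCheck.doesOAuthConfigurationExist(relayState)) {
                LOG.debug("SBAF CS Authorize POST request will be processed for relay state: {}.", safeForLog(relayState));
                return Optional.of(messageContext);
            }
            LOG.warn("No test OAuthConfiguration found for relay state: {}", safeForLog(relayState));
            return Optional.empty();
        } catch (Exception e) {
            // Any decoding failure means "not handled here"; the request is never processed as SBAF.
            LOG.error("Error extracting message context from SAML response.", e);
            return Optional.empty();
        }
    }

    /**
     * Exchanges the first assertion of the SAML response for a token, or records an error code
     * against the relay state, and then always writes the tab-closing page.
     *
     * <p>The page is written exactly once, from a {@code finally} block. A failure to write it is
     * propagated as an {@link IOException} and is not recorded as an assertion-processing error,
     * so it cannot replace the outcome already stored for this relay state.
     *
     * @param samlMessageContextWrapper decoded SAML message; its relay state is the auth id
     * @param z {@code false} when the POST carried no SAML response parameter
     * @param httpServletResponse the response that receives the tab-closing page
     * @throws IOException if writing the tab-closing page fails
     */
    public void handleSbafAuthzButtonSamlMessageResponse(SamlMessageContextWrapper<Response> samlMessageContextWrapper, boolean z, HttpServletResponse httpServletResponse) throws IOException {
        final boolean samlResponsePresent = z;
        String relayState = samlMessageContextWrapper.getRelayState();
        String loggedRelayState = safeForLog(relayState);
        try {
            if (!samlResponsePresent) {
                LOG.error("Http post response did not contain a saml response parameter for auth id: {}", loggedRelayState);
                this.sbafCsAuthzButtonTokenManager.saveError(relayState, ERROR_NO_ASSERTION);
                return;
            }
            List<Assertion> assertionList = samlMessageContextWrapper.getAssertionList();
            if (assertionList == null) {
                LOG.error("Assertion list is null or missing in SAML response for auth id: {}", loggedRelayState);
                this.sbafCsAuthzButtonTokenManager.saveError(relayState, ERROR_NO_ASSERTION);
            } else if (!assertionList.isEmpty()) {
                // Only the first assertion is used; any further assertions are ignored.
                this.sbafCsAuthzButtonTokenManager.retrieveAndPersistToken(relayState, this.assertionSerializer.serialize(assertionList.get(0)));
            } else {
                LOG.error("Saml Response must contain at least one assertion for auth id: {}", loggedRelayState);
                this.sbafCsAuthzButtonTokenManager.saveError(relayState, ERROR_NO_ASSERTION);
            }
        } catch (Exception e) {
            LOG.error("Unexpected error processing saml assertion for SBAF Authz Button for auth id: {}", loggedRelayState, e);
            this.sbafCsAuthzButtonTokenManager.saveError(relayState, ERROR_UNEXPECTED);
        } finally {
            closeClientTab(httpServletResponse);
        }
    }

    /**
     * Writes the fixed page that closes the pop-up tab.
     */
    private void closeClientTab(HttpServletResponse httpServletResponse) throws IOException {
        LOG.debug("Closing SBAF Authorize button client tab.");
        httpServletResponse.setContentType("text/html");
        httpServletResponse.getWriter().println(CLOSE_CLIENT_TAB_BODY);
    }

    /**
     * Replaces ISO control characters (including CR and LF) with {@code '_'} so that a
     * client-supplied identifier cannot break a log entry across lines. Used for log output only;
     * lookups always use the original value.
     */
    private static String safeForLog(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder cleaned = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            cleaned.append(Character.isISOControl(c) ? '_' : c);
        }
        return cleaned.toString();
    }
}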
