package com.appiancorp.security.auth.oidc;

import com.appiancorp.security.auth.ConditionalAuthenticatorWrapper;
import com.appiancorp.security.auth.SpringSecurityContextHelper;
import com.appiancorp.security.auth.oidc.persistence.entities.OidcSettings;
import com.appiancorp.security.auth.oidc.persistence.service.OidcSettingsService;
import com.appiancorp.suiteapi.common.exceptions.InvalidUserException;
import com.appiancorp.suiteapi.personalization.UserProfile;
import com.appiancorp.suiteapi.security.auth.AppianUserDetails;
import com.appiancorp.suiteapi.security.auth.AppianUserDetailsService;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

/* loaded from: input_file:com/appiancorp/security/auth/oidc/OidcAuthenticatorWrapper.class */
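public class OidcAuthenticatorWrapper extends ConditionalAuthenticatorWrapper {
    private static final Logger LOG = LoggerFactory.getLogger(OidcAuthenticatorWrapper.class);
    private static final int AUTH_PRIORITY = 500;
    /** Friendly name under which the default OIDC settings record is looked up. */
    private static final String DEFAULT_SETTINGS_FRIENDLY_NAME = "oidc";
    private final OidcAuthenticator oidcAuthenticator;
    private final OidcConfiguration oidcConfiguration;
    private final OidcSettingsSelector oidcSettingsSelector;
    private final OidcSettingsService oidcSettingsService;

    /**
     * Creates the wrapper around the OIDC authenticator.
     *
     * @param appianUserDetailsService user-details service handed to the parent wrapper
     * @param oidcConfiguration        global switch telling whether OIDC login is enabled
     * @param oidcAuthenticator        resolves an {@link OidcUser} into an Appian {@link UserProfile}
     * @param oidcSettingsSelector     picks the OIDC settings that govern a given username
     * @param oidcSettingsService      persistence access to the configured OIDC settings
     */
    public OidcAuthenticatorWrapper(AppianUserDetailsService appianUserDetailsService, OidcConfiguration oidcConfiguration, OidcAuthenticator oidcAuthenticator, OidcSettingsSelector oidcSettingsSelector, OidcSettingsService oidcSettingsService) {
        super(appianUserDetailsService);
        this.oidcConfiguration = oidcConfiguration;
        this.oidcAuthenticator = oidcAuthenticator;
        this.oidcSettingsSelector = oidcSettingsSelector;
        this.oidcSettingsService = oidcSettingsService;
    }

    /**
     * Decides whether this authenticator handles the given request.
     *
     * <p>Two checks are made against the settings that govern the resolved username:
     * a user who is governed by OIDC settings is rejected when presented through any
     * other token type (so OIDC cannot be bypassed by a different scheme), and an
     * OIDC token whose user has no matching settings is rejected as well.
     *
     * @param authentication the token under evaluation
     * @return {@code true} only for an OIDC token whose user has matching settings
     * @throws BadCredentialsException                 when an OIDC-governed user arrives via a non-OIDC token
     * @throws OidcAuthenticationException             when no OIDC settings apply to an OIDC token
     * @throws InternalAuthenticationServiceException  wrapping any other failure while resolving the settings
     */
    public boolean shouldUseAuthenticator(Authentication authentication) {
        if (!this.oidcConfiguration.isEnabled()) {
            return false;
        }
        Class<?> tokenType = authentication.getClass();
        boolean supports = supports(tokenType);
        // For an OIDC token the username is derived from the ID-token claims as mapped by the
        // default settings; for any other token it is whatever name that scheme already carries.
        // This lookup stays outside the try so its failure is not wrapped below.
        String name = supports ? usernameFromIdToken(authentication) : authentication.getName();
        try {
            Optional<OidcSettings> oidcSettings = getOidcSettings(name);
            if (!supports && oidcSettings.isPresent()) {
                // Scheme pinning: an OIDC-governed user must not be let in through another token type.
                LOG.error("OIDC user '{}' is being authenticated by another auth scheme via token {}.", name, tokenType.getSimpleName());
                throw new BadCredentialsException(String.format("Failed to authenticate using %s. Expected OidcAuthToken.", tokenType.getSimpleName()));
            }
            if (supports && !oidcSettings.isPresent()) {
                LOG.error("User did not belong to valid OIDC auth group.");
                throw new OidcAuthenticationException("Unable to find OIDC settings.");
            }
            return supports;
        } catch (InvalidUserException e) {
            // Unknown user: OIDC may still proceed if the default settings allow auto-creation.
            LOG.error("Received InvalidUserException for user {} due to {}", name, e.getCause(), e);
            return shouldAutoCreateUser(supports, name);
        } catch (AuthenticationException e) {
            // Spring authentication failures are propagated unchanged so callers keep the specific type.
            LOG.error("Received AuthenticationException for user {} due to {}", name, e.getCause(), e);
            throw e;
        } catch (Exception e) {
            // Must come last: a leading catch of Exception would make the narrower handlers unreachable.
            LOG.error("Unexpected exception processing authentication request for user {} due to {}", name, e.getCause(), e);
            throw new InternalAuthenticationServiceException("Failed to process authentication request", e);
        }
    }

    /**
     * @param cls the concrete token class
     * @return {@code true} when OIDC is enabled and {@code cls} is an {@link OidcAuthToken}
     */
    protected boolean supports(Class<?> cls) {
        return this.oidcConfiguration.isEnabled() && OidcAuthToken.class.isAssignableFrom(cls);
    }

    /**
     * Resolves the user profile for the token, running the lookup with admin privileges.
     *
     * @param authentication the OIDC token
     * @return the Appian profile of the authenticated user
     * @throws Exception whatever the privileged lookup raises
     */
    protected UserProfile authenticate(Authentication authentication) throws Exception {
        return (UserProfile) SpringSecurityContextHelper.runAsAdminWithException(() -> getUserProfile(authentication));
    }

    /**
     * Attaches an {@link OidcAppianLoginContext} holding the raw ID-token value and the client id.
     *
     * @param appianUserDetails details object that receives the login context
     * @param authentication    the OIDC token the user logged in with
     */
    @Override
    protected void postAuthenticate(AppianUserDetails appianUserDetails, Authentication authentication) {
        super.postAuthenticate(appianUserDetails, authentication);
        OAuth2LoginAuthenticationToken loginToken = loginToken(authentication);
        // The login context carries the raw ID token (a bearer credential) — presumably for
        // downstream use such as logout; confirm, and keep it out of logs.
        appianUserDetails.setAppianLoginContext(new OidcAppianLoginContext(loginToken.getPrincipal().getIdToken().getTokenValue(), loginToken.getClientRegistration().getClientId()));
    }

    /** @return the fixed ordering priority of this authenticator ({@value #AUTH_PRIORITY}). */
    public int getPriority() {
        return AUTH_PRIORITY;
    }

    /**
     * @param authentication the OIDC token
     * @return the profile produced by the underlying {@link OidcAuthenticator} for the token's {@link OidcUser}
     */
    public UserProfile getUserProfile(Authentication authentication) {
        return this.oidcAuthenticator.authenticateUser((OidcUser) loginToken(authentication).getPrincipal());
    }

    /**
     * Tells whether an unknown user arriving via OIDC may be created on the fly.
     *
     * @param supports whether the token is an OIDC token; non-OIDC tokens never auto-create
     * @param username the resolved username, used for logging only
     * @return the {@code isAutoCreateUsers} flag of the default OIDC settings
     * @throws OidcAuthenticationException when the default settings cannot be found
     */
    private boolean shouldAutoCreateUser(boolean supports, String username) {
        if (!supports) {
            return false;
        }
        Optional<OidcSettings> settings = lookupDefaultSettings();
        if (!settings.isPresent()) {
            LOG.error("Cannot determine oidc settings for user in order to create it.");
            throw new OidcAuthenticationException("Unable to find OIDC settings when auto create user is enabled.");
        }
        boolean autoCreate = settings.get().isAutoCreateUsers();
        LOG.debug("{} user will {}be created.", username, autoCreate ? "" : "NOT ");
        return autoCreate;
    }

    /**
     * Derives the Appian username from the OIDC principal using the default settings' mapping.
     *
     * @throws OidcAuthenticationException when the default settings cannot be found
     */
    private String usernameFromIdToken(Authentication authentication) {
        Optional<OidcSettings> settings = lookupDefaultSettings();
        if (!settings.isPresent()) {
            throw new OidcAuthenticationException("Unable to find OIDC settings.");
        }
        return OidcUserDataParser.returnUsernameUsingSettings(loginToken(authentication).getPrincipal(), settings.get());
    }

    /** Looks up the settings record registered under the default friendly name. */
    private Optional<OidcSettings> lookupDefaultSettings() {
        return this.oidcSettingsService.getOidcSettingsByFriendlyName(DEFAULT_SETTINGS_FRIENDLY_NAME);
    }

    /** The OIDC token wraps Spring's OAuth2 login token as its principal. */
    private static OAuth2LoginAuthenticationToken loginToken(Authentication authentication) {
        return (OAuth2LoginAuthenticationToken) authentication.getPrincipal();
    }

    /**
     * @param username the user whose settings are wanted
     * @return the settings selected for the user from all configured settings, if any
     * @throws InvalidUserException when the selector does not recognise the user
     */
    private Optional<OidcSettings> getOidcSettings(String username) throws InvalidUserException {
        return this.oidcSettingsSelector.selectSettingsForUser(this.oidcSettingsService.getAllOidcSettings(), username);
    }
}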
