package com.appiancorp.connectedsystems.http.oauth;

import com.appiancorp.security.auth.SpringSecurityContextHelper;
import com.appiancorp.security.auth.saml.oauth.OAuthSamlAuthGrantCsTokenRetrieveToggle;
import com.appiancorp.security.authz.SystemRoleAeImpl;
import com.appiancorp.suiteapi.security.auth.AppianUserDetails;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/appiancorp/connectedsystems/http/oauth/SbafUserCheckImpl.class */
public class SbafUserCheckImpl implements SbafUserCheck {
    private static final Logger LOG = LoggerFactory.getLogger(SbafUserCheckImpl.class);

    // Feature toggle that gates the whole OAuth-via-SAML token retrieval path
    // and also decides whether the SBAF group membership check is applied.
    private final OAuthSamlAuthGrantCsTokenRetrieveToggle toggle;
    // Looks up whether a username belongs to the SBAF users group.
    private final OAuthSamlMembershipCheck membershipCheck;

    public SbafUserCheckImpl(OAuthSamlAuthGrantCsTokenRetrieveToggle oAuthSamlAuthGrantCsTokenRetrieveToggle, OAuthSamlMembershipCheck oAuthSamlMembershipCheck) {
        this.toggle = oAuthSamlAuthGrantCsTokenRetrieveToggle;
        this.membershipCheck = oAuthSamlMembershipCheck;
    }

    /**
     * Reports whether the current user qualifies as an SBAF user.
     *
     * <p>Requires the toggle to be enabled and the user to have logged in through
     * SAML; the SBAF group membership check applies only when the toggle asks for it.
     * Admin/designer privilege is <em>not</em> required here.
     *
     * @return {@code true} only when every applicable gate passes
     */
    public boolean isValidSbafUser() {
        return evaluateCurrentUser(false);
    }

    /**
     * Like {@link #isValidSbafUser()} but additionally requires the current user to be
     * a system administrator or to hold the designer role, so that the user may
     * authorize on behalf of the connected system.
     *
     * @return {@code true} only when every gate, including the privilege gate, passes
     */
    public boolean isValidSbafUserAndAllowedToAuthorize() {
        return evaluateCurrentUser(true);
    }

    /**
     * Runs the gates in a fixed order, each one short-circuiting with {@code false} on
     * failure (toggle enabled, SAML login, optional privilege, group membership). Every
     * decision is logged at debug level with the username; the only early {@code true}
     * is when the toggle says the group membership check should be skipped.
     *
     * <p>NOTE(review): the current security context is cast to {@link AppianUserDetails};
     * a {@code null} or differently typed context makes this method throw rather than
     * return {@code false}. Whether an unauthenticated caller can reach this point is not
     * visible here — confirm against the callers.
     *
     * @param requirePrivilege whether the admin/designer gate is applied
     * @return the access decision
     */
    private boolean evaluateCurrentUser(boolean requirePrivilege) {
        if (!toggle.isEnabled()) {
            LOG.debug("OAuth SAML Grant CS Token Retrieve Toggle is disabled.");
            return false;
        }

        AppianUserDetails details = currentUserDetails();
        String username = details.getUsername();

        if (!details.isLoggedInThroughSaml()) {
            LOG.debug("User {} did not log through SAML.", username);
            return false;
        }

        if (requirePrivilege && !isPrivilegedUser(details)) {
            LOG.debug("User {} is not an admin nor a designer and hence not allowed to authorize.", username);
            return false;
        }

        // The toggle may waive the group check entirely; in that case the user is accepted
        // on the strength of the gates above alone.
        if (!toggle.shouldCheckSBAFGroupMembership()) {
            LOG.debug("SBAF Group Membership check was ignored for User {}.", username);
            return true;
        }

        boolean isMember = membershipCheck.isMemberOfSBAFGroup(username);
        if (!isMember) {
            LOG.debug("User {} is not a member of the SBAF Users group. ", username);
        }
        return isMember;
    }

    /**
     * Reports whether the current user is a system administrator or holds the designer
     * role. Unlike the SBAF checks this consults neither the toggle nor SAML login state.
     *
     * @return {@code true} for admins and designers
     */
    public boolean isPrivilegedUser() {
        return isPrivilegedUser(currentUserDetails());
    }

    // Designer role membership is consulted first; sysadmin status only if that fails.
    private static boolean isPrivilegedUser(AppianUserDetails details) {
        boolean isDesigner = details.getRoles().contains(SystemRoleAeImpl.DESIGNER.getName());
        return isDesigner || details.isSysAdmin();
    }

    // Central place for the cast from the Spring security context to Appian user details.
    private static AppianUserDetails currentUserDetails() {
        return (AppianUserDetails) SpringSecurityContextHelper.getCurrentSecurityContext();
    }
}
