package com.atlassian.plugins.authentication.sso.util;

import com.atlassian.plugins.authentication.api.config.IdpConfig;
import com.atlassian.plugins.authentication.api.config.SsoType;
import com.atlassian.plugins.authentication.api.config.saml.SamlConfig;
import com.atlassian.plugins.authentication.sso.config.InsecureUrlException;
import com.atlassian.plugins.authentication.sso.web.AuthenticationHandlerNotConfiguredException;
import com.atlassian.plugins.authentication.sso.web.InvalidLicenseException;
import com.atlassian.plugins.authentication.sso.web.saml.provider.SamlResponse;
import com.google.common.collect.Iterables;
import java.util.Optional;
import javax.inject.Inject;
import javax.inject.Named;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Gatekeeper that decides whether the application is in a state where an SSO
 * authentication request (or an incoming SAML response) may be processed.
 *
 * <p>Three conditions are checked by this class: an IdP configuration is present,
 * the product holds a Data Center license where the SSO flavour requires one, and
 * the base URL is served over HTTPS. Each failed condition is reported through its
 * own unchecked exception type.
 */
@Named
/* loaded from: input_file:com/atlassian/plugins/authentication/sso/util/ApplicationStateValidator.class */
public class ApplicationStateValidator {
    private static final Logger log = LoggerFactory.getLogger(ApplicationStateValidator.class);

    /** SAML attribute whose presence (non-empty) marks a response as coming from Crowd. */
    private static final String CROWD_REMEMBER_ME_ATTRIBUTE = "atl.crowd.properties.remember_me";

    private final HttpsValidator httpsValidator;
    private final ProductLicenseDataProvider productLicenseDataProvider;

    /**
     * @param httpsValidator answers whether the configured base URL is secure
     * @param productLicenseDataProvider answers whether the current license is Data Center
     */
    @Inject
    public ApplicationStateValidator(HttpsValidator httpsValidator, ProductLicenseDataProvider productLicenseDataProvider) {
        this.httpsValidator = httpsValidator;
        this.productLicenseDataProvider = productLicenseDataProvider;
    }

    /**
     * Boolean form of {@link #checkCanProcessAuthenticationRequest(IdpConfig)}.
     *
     * <p>Only the three known rejection types are translated into {@code false};
     * any other runtime exception raised by the checks propagates to the caller.
     * The rejection reason is logged at debug level only, so it is not visible
     * with default log levels.
     *
     * @param idpConfig the IdP configuration to validate; {@code null} yields {@code false}
     * @return {@code true} when every check passes, {@code false} when one is rejected
     */
    public boolean canProcessAuthenticationRequest(IdpConfig idpConfig) {
        try {
            checkCanProcessAuthenticationRequest(idpConfig);
        } catch (InsecureUrlException | AuthenticationHandlerNotConfiguredException | InvalidLicenseException rejection) {
            log.debug("Authentication request cannot be processed", rejection);
            return false;
        }
        return true;
    }

    /**
     * Runs the configuration check followed by the license/HTTPS checks.
     *
     * @param idpConfig the IdP configuration to validate
     * @throws AuthenticationHandlerNotConfiguredException when {@code idpConfig} is {@code null}
     * @throws InvalidLicenseException when a Data Center license is required but absent
     * @throws InsecureUrlException when the base URL is not secure
     */
    public void checkCanProcessAuthenticationRequest(IdpConfig idpConfig) {
        // Order matters: the null check must run before idpConfig is dereferenced below.
        checkSsoIsConfigured(idpConfig);
        checkSsoIsAllowed(idpConfig);
    }

    /**
     * Verifies the license (for OIDC and generic SAML) and then the HTTPS base URL.
     *
     * <p>This method dereferences {@code idpConfig} without a null check; a direct
     * caller passing {@code null} gets a {@link NullPointerException}, which
     * {@link #canProcessAuthenticationRequest(IdpConfig)} does not catch.
     *
     * @param idpConfig the IdP configuration; must not be {@code null}
     * @throws InvalidLicenseException when a Data Center license is required but absent
     * @throws InsecureUrlException when the base URL is not secure
     */
    public void checkSsoIsAllowed(IdpConfig idpConfig) {
        if (requiresDataCenterLicense(idpConfig)) {
            checkIsDataCenterProduct();
        }
        // The HTTPS requirement applies to every SSO type, licensed or not.
        checkBaseUrlIsHttps();
    }

    /**
     * Tells whether the configured SSO flavour is one that needs a Data Center license:
     * OIDC, or SAML with the {@code GENERIC} IdP type.
     */
    private boolean requiresDataCenterLicense(IdpConfig idpConfig) {
        SsoType ssoType = idpConfig.getSsoType();
        if (ssoType == SsoType.OIDC) {
            return true;
        }
        // The cast is only reached for SAML, where the config is expected to be a SamlConfig.
        return ssoType == SsoType.SAML && ((SamlConfig) idpConfig).getIdpType() == SamlConfig.IdpType.GENERIC;
    }

    /** Rejects the request unless the base URL is reported as secure. */
    private void checkBaseUrlIsHttps() {
        if (this.httpsValidator.isBaseUrlSecure()) {
            return;
        }
        throw new InsecureUrlException(InsecureUrlException.FIELD_BASE_URL, "Base Url is not https");
    }

    /** Rejects the request when no IdP configuration was supplied. */
    private void checkSsoIsConfigured(IdpConfig idpConfig) {
        if (idpConfig != null) {
            return;
        }
        throw new AuthenticationHandlerNotConfiguredException("Invalid SSO configuration");
    }

    /** Rejects the request unless the current license is a Data Center one. */
    private void checkIsDataCenterProduct() {
        if (this.productLicenseDataProvider.isDataCenterProduct()) {
            return;
        }
        throw new InvalidLicenseException("Current license is not data center");
    }

    /**
     * Requires a Data Center license for any SAML response that is not recognised
     * as coming from Crowd.
     *
     * <p>NOTE(review): the Crowd/non-Crowd decision rests solely on an attribute
     * carried inside the response. This class does not show whether the response's
     * signature and issuer have been validated before this call; confirm that they
     * are, otherwise the attribute is not a trustworthy signal.
     *
     * @param samlResponse the received SAML response; must not be {@code null}
     * @throws InvalidLicenseException when the response is not from Crowd and the
     *     license is not Data Center
     */
    public void checkHasAppropriateLicenseForSamlResponse(SamlResponse samlResponse) {
        if (!isResponseNotFromCrowd(samlResponse)) {
            return;
        }
        checkIsDataCenterProduct();
    }

    /**
     * A response counts as "not from Crowd" when the remember-me attribute is
     * missing ({@code null}) or present but empty.
     */
    private boolean isResponseNotFromCrowd(SamlResponse samlResponse) {
        return Optional.ofNullable(samlResponse.getAttribute(CROWD_REMEMBER_ME_ATTRIBUTE))
                .map(Iterables::isEmpty)
                .orElse(true);
    }
}
