package com.atlassian.stash.internal.spring.security;

import com.atlassian.bitbucket.auth.AuthenticationContext;
import com.atlassian.bitbucket.auth.AuthenticationException;
import com.atlassian.bitbucket.auth.AuthenticationSystemException;
import com.atlassian.bitbucket.auth.HttpAuthenticationContext;
import com.atlassian.bitbucket.auth.HttpAuthenticationFailureHandler;
import com.atlassian.bitbucket.auth.HttpAuthenticationHandler;
import com.atlassian.bitbucket.auth.HttpAuthenticationSuccessHandler;
import com.atlassian.bitbucket.i18n.I18nService;
import com.atlassian.bitbucket.scm.AuthenticationState;
import com.atlassian.bitbucket.util.Timer;
import com.atlassian.bitbucket.util.TimerUtils;
import com.atlassian.stash.internal.ApplicationConstants;
import com.atlassian.stash.internal.auth.AuthenticationHelper;
import com.atlassian.stash.internal.auth.DefaultHttpAuthenticationContext;
import com.atlassian.stash.internal.auth.HttpAuthUtils;
import com.atlassian.stash.internal.user.StashUserAuthenticationToken;
import com.google.common.base.Charsets;
import com.google.common.base.Preconditions;
import java.io.IOException;
import javax.servlet.DispatcherType;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.ProviderNotFoundException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.crypto.codec.Base64;
import org.springframework.web.filter.GenericFilterBean;

/* loaded from: input_file:WEB-INF/classes/com/atlassian/stash/internal/spring/security/StashAuthenticationFilter.class */
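/**
 * Servlet filter that authenticates HTTP requests for the application.
 *
 * <p>For every request the filter builds a {@link DefaultHttpAuthenticationContext} from the
 * credentials it can find (a Basic {@code Authorization} header, a Bearer {@code Authorization}
 * header, or the {@code j_username}/{@code j_password} request parameters), then:
 * <ol>
 *   <li>if the caller is already authenticated, re-validates that authentication through the
 *       {@link HttpAuthenticationHandler} and, on success, continues the chain;</li>
 *   <li>otherwise decides whether an authentication attempt is required
 *       ({@link #shouldAuthenticate}) and, if so, delegates to the Spring Security
 *       {@link AuthenticationManager}, routing the outcome to the configured success or
 *       failure handler.</li>
 * </ol>
 *
 * <p>The class is not designed for extension beyond what {@link GenericFilterBean} provides.
 */
public class StashAuthenticationFilter extends GenericFilterBean {

    static final String KEY_USERNAME = "j_username";
    static final String KEY_PASSWORD = "j_password";

    // Authentication method names used for the two header-based schemes. The form-login name
    // comes from the public API; these two are kept private to this filter.
    private static final String METHOD_BASIC = "basic";
    private static final String METHOD_TOKEN = "token";

    private static final Logger log = LoggerFactory.getLogger(StashAuthenticationFilter.class);

    private final AuthenticationContext authenticationContext;
    private final HttpAuthenticationHandler authenticationHandler;
    private final AuthenticationHelper authenticationHelper;
    private final HttpAuthenticationFailureHandler authenticationFailureHandler;
    private final AuthenticationManager authenticationManager;
    private final HttpAuthenticationSuccessHandler authenticationSuccessHandler;
    private final I18nService i18nService;
    private final String loginPageUrl;

    /**
     * Creates the filter with all of its collaborators.
     *
     * @param authenticationContext         source of the currently authenticated user, if any
     * @param httpAuthenticationHandler     re-validates an existing authentication per request
     * @param authenticationHelper          stores per-request failure state and the cached username
     * @param authenticationManager         Spring Security manager that performs authentication
     * @param httpAuthenticationFailureHandler invoked when an authentication attempt fails
     * @param httpAuthenticationSuccessHandler invoked when an authentication attempt succeeds
     * @param i18nService                   used to build localised messages for wrapped exceptions
     * @param str                           the login page URL (suffix-matched against request URIs)
     * @throws NullPointerException if any argument is {@code null}
     */
    public StashAuthenticationFilter(AuthenticationContext authenticationContext,
                                     HttpAuthenticationHandler httpAuthenticationHandler,
                                     AuthenticationHelper authenticationHelper,
                                     AuthenticationManager authenticationManager,
                                     HttpAuthenticationFailureHandler httpAuthenticationFailureHandler,
                                     HttpAuthenticationSuccessHandler httpAuthenticationSuccessHandler,
                                     I18nService i18nService,
                                     String str) {
        this.authenticationContext = Preconditions.checkNotNull(authenticationContext, "authenticationContext");
        this.authenticationHandler = Preconditions.checkNotNull(httpAuthenticationHandler, "authenticationHandler");
        this.authenticationHelper = Preconditions.checkNotNull(authenticationHelper, "authenticationHelper");
        this.authenticationFailureHandler = Preconditions.checkNotNull(httpAuthenticationFailureHandler, "failureHandler");
        this.authenticationManager = Preconditions.checkNotNull(authenticationManager, "authenticationManager");
        this.authenticationSuccessHandler = Preconditions.checkNotNull(httpAuthenticationSuccessHandler, "successHandler");
        this.i18nService = Preconditions.checkNotNull(i18nService, "i18nService");
        this.loginPageUrl = Preconditions.checkNotNull(str, "loginPageUrl");
    }

    /**
     * Authenticates the request if required and then continues the filter chain, or hands the
     * request to the failure handler.
     *
     * @param servletRequest  the request; must be an {@link HttpServletRequest}
     * @param servletResponse the response; must be an {@link HttpServletResponse}
     * @param filterChain     the remaining chain
     * @throws IOException      propagated from the chain or the handlers
     * @throws ServletException propagated from the chain or the handlers
     */
    @Override // javax.servlet.Filter
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        // A request to the security-check URL is always a fresh login, so any existing
        // authentication is discarded before the context is built.
        clearSecurityContextIfUrlIsSecurityCheck(request);

        DefaultHttpAuthenticationContext context = createContext(request, response, filterChain);

        // Set when an existing authentication fails re-validation. It is only surfaced to the
        // client if the fresh authentication attempt further down cannot recover the session.
        InsufficientAuthenticationException validationFailure = null;
        try {
            if (context.isAuthenticated()) {
                authenticationHandler.validateAuthentication(context);
                // NOTE: the downstream chain runs inside this try, so an AuthenticationException
                // raised further down the chain is also treated as a validation failure and
                // triggers the re-authentication path below.
                filterChain.doFilter(request, response);
                return;
            }
        } catch (AuthenticationException e) {
            log.debug("Authentication validation failed {}, logging out user", e.getMessage());
            SecurityContextHolder.clearContext();
            context.setAuthenticationState(AuthenticationState.NOT_AUTHENTICATED);
            validationFailure = new InsufficientAuthenticationException(e.getLocalizedMessage(), e);
        }

        if (!shouldAuthenticate(context)) {
            filterChain.doFilter(request, response);
            return;
        }

        try {
            Authentication result = authenticationManager.authenticate(new HttpAuthenticationContextToken(context));
            onSuccess(result, context);
        } catch (ProviderNotFoundException e) {
            // No provider could handle the supplied credentials (typically: none were supplied).
            // Proceed anonymously unless an earlier validation failure must be reported.
            if (validationFailure != null) {
                onFailure(validationFailure, context);
            } else {
                filterChain.doFilter(request, response);
            }
        } catch (org.springframework.security.core.AuthenticationException e) {
            // A validation failure takes precedence over the error from the retry.
            onFailure(validationFailure == null ? e : validationFailure, context);
        }
    }

    /**
     * Drops the current security context when the request targets the security-check URL.
     *
     * @param request the current request
     */
    private void clearSecurityContextIfUrlIsSecurityCheck(HttpServletRequest request) {
        if (isUrl(request, ApplicationConstants.URL_SECURITY_CHECK)) {
            SecurityContextHolder.clearContext();
        }
    }

    /**
     * Builds the authentication context for the request, preferring a Basic header, then a
     * Bearer header, then form parameters, and marks it as authenticated if a user is already
     * bound to the current {@link AuthenticationContext}.
     *
     * @param request     the current request
     * @param response    the current response
     * @param filterChain the remaining chain
     * @return a new context; never {@code null}
     */
    private DefaultHttpAuthenticationContext createContext(HttpServletRequest request,
                                                           HttpServletResponse response,
                                                           FilterChain filterChain) {
        DefaultHttpAuthenticationContext context;

        String[] basicCredentials = extractBasicAuthentication(request);
        if (basicCredentials != null) {
            context = new DefaultHttpAuthenticationContext(request, response, filterChain,
                    METHOD_BASIC, basicCredentials[0], basicCredentials[1]);
        } else {
            String bearerToken = extractBearerAuthentication(request);
            if (bearerToken != null) {
                context = new DefaultHttpAuthenticationContext(request, response, filterChain,
                        METHOD_TOKEN, null, bearerToken);
            } else {
                context = createContextFromQueryParameters(request, response, filterChain);
            }
        }

        if (authenticationContext.isAuthenticated()) {
            context.setAuthenticationState(AuthenticationState.AUTHENTICATED);
            context.setUser(authenticationContext.getCurrentUser());
        }
        return context;
    }

    /**
     * Builds a context from the {@code j_username}/{@code j_password} request parameters. The
     * method is {@code form} when a username parameter is present, otherwise {@code token}.
     *
     * @param request     the current request
     * @param response    the current response
     * @param filterChain the remaining chain
     * @return a new context; never {@code null}
     */
    private DefaultHttpAuthenticationContext createContextFromQueryParameters(HttpServletRequest request,
                                                                              HttpServletResponse response,
                                                                              FilterChain filterChain) {
        String username = request.getParameter(KEY_USERNAME);
        String method = username != null ? HttpAuthenticationContext.METHOD_FORM : METHOD_TOKEN;
        return new DefaultHttpAuthenticationContext(request, response, filterChain,
                method, username, request.getParameter(KEY_PASSWORD));
    }

    /**
     * @param request the current request
     * @return {@code true} if an authentication failure has already been recorded on the request
     */
    private boolean isAlreadyFailed(HttpServletRequest request) {
        return authenticationHelper.isAuthenticationFailed(request);
    }

    /**
     * Records an authentication failure on the context and request, then hands off to the
     * failure handler.
     *
     * @param failure the Spring Security exception describing the failure
     * @param context the context of the failed attempt
     * @throws ServletException propagated from the failure handler
     * @throws IOException      propagated from the failure handler
     */
    private void onFailure(org.springframework.security.core.AuthenticationException failure,
                           DefaultHttpAuthenticationContext context) throws ServletException, IOException {
        // Only the username and the failure reason are logged; credentials never are.
        log.trace("Authentication failed for user {} and method {} ({})",
                context.getUsername(), context.getMethod(), failure.getMessage());

        context.onFailure(determineAuthenticationState(failure), toAuthenticationException(failure.getCause()));

        HttpServletRequest request = context.getRequest();
        if (HttpAuthenticationContext.METHOD_FORM.equals(context.getMethod())) {
            // Form logins need a session so the failure state survives the redirect to the
            // login page.
            request.getSession(true);
        }
        authenticationHelper.setAuthenticationException(request, failure);
        authenticationHelper.setCachedUsername(request, context.getUsername());
        authenticationFailureHandler.onAuthenticationFailure(context);
    }

    /**
     * Installs the successful authentication in the security context, notifies the success
     * handler and, unless the handler has completed the response, continues the chain.
     *
     * @param authentication the result returned by the {@link AuthenticationManager}
     * @param context        the context of the successful attempt
     * @throws ServletException propagated from the success handler or the chain
     * @throws IOException      propagated from the success handler or the chain
     */
    private void onSuccess(Authentication authentication, DefaultHttpAuthenticationContext context)
            throws ServletException, IOException {
        log.trace("Authentication succeeded for user {} and method {}", context.getUsername(), context.getMethod());

        SecurityContextHolder.getContext().setAuthentication(authentication);
        authenticationHelper.setAuthenticationException(context.getRequest(), null);

        if (authentication instanceof StashUserAuthenticationToken) {
            context.onSuccess(((StashUserAuthenticationToken) authentication).getPrincipal());
            // A true return means the handler has already written the response (e.g. a redirect).
            if (authenticationSuccessHandler.onAuthenticationSuccess(context)) {
                return;
            }
        }
        context.getFilterChain().doFilter(context.getRequest(), context.getResponse());
    }

    /**
     * Decides whether an authentication attempt should be made for the request.
     *
     * <p>Returns {@code false} when the request is for the login page (or is an error dispatch)
     * and a failure has already been recorded, so the login page can be rendered without
     * re-running authentication. Returns {@code true} for the security-check URL and for any
     * request carrying Basic credentials. Otherwise authentication is attempted only if the
     * context is not already authenticated.
     *
     * @param context the context built for the request
     * @return {@code true} if the {@link AuthenticationManager} should be invoked
     */
    private boolean shouldAuthenticate(DefaultHttpAuthenticationContext context) {
        HttpServletRequest request = context.getRequest();
        // The timer only records how long this decision takes; its value is never read here.
        try (Timer ignored = TimerUtils.start(getClass().getCanonicalName() + ".requiresAuthentication")) {
            boolean loginPageOrError = isUrl(request, loginPageUrl)
                    || request.getDispatcherType() == DispatcherType.ERROR;
            if (loginPageOrError && isAlreadyFailed(request)) {
                return false;
            }
            if (isUrl(request, ApplicationConstants.URL_SECURITY_CHECK)) {
                return true;
            }
            if (METHOD_BASIC.equals(context.getMethod())) {
                return true;
            }
            return context.getAuthenticationState() != AuthenticationState.AUTHENTICATED;
        }
    }

    /**
     * Maps a Spring Security failure to the application's authentication state.
     *
     * @param failure the failure to classify
     * @return {@code CAPTCHA_REQUIRED} for a locked account, {@code UNLICENSED} for a disabled
     *         one, {@code NOT_AUTHENTICATED} otherwise
     */
    private static AuthenticationState determineAuthenticationState(
            org.springframework.security.core.AuthenticationException failure) {
        if (failure instanceof LockedException) {
            return AuthenticationState.CAPTCHA_REQUIRED;
        }
        if (failure instanceof DisabledException) {
            return AuthenticationState.UNLICENSED;
        }
        return AuthenticationState.NOT_AUTHENTICATED;
    }

    /**
     * Decodes the Basic {@code Authorization} header, if present.
     *
     * <p>The decoded value is split at the first {@code ':'}; everything after it is the
     * password, so passwords containing {@code ':'} are preserved. Only the username is ever
     * logged.
     *
     * @param request the current request
     * @return {@code {username, password}}, or {@code null} if the header is absent, is not
     *         valid Base64, or contains no {@code ':'} separator
     */
    private static String[] extractBasicAuthentication(HttpServletRequest request) {
        String headerValue = HttpAuthUtils.getBasicAuthHeaderValue(request);
        if (headerValue == null) {
            return null;
        }
        log.trace("Basic authentication header found");

        String decoded;
        try {
            decoded = new String(Base64.decode(headerValue.getBytes(Charsets.UTF_8)), Charsets.UTF_8);
        } catch (IllegalArgumentException e) {
            log.debug("Unable to decode basic authentication header; it will be ignored", e);
            return null;
        }

        int separator = decoded.indexOf(':');
        if (separator == -1) {
            log.debug("Invalid basic authentication header (no ':' separator detected); it will be ignored");
            return null;
        }
        String username = decoded.substring(0, separator);
        String password = decoded.substring(separator + 1);
        log.trace("Found Basic authentication credentials for {}", username);
        return new String[]{username, password};
    }

    /**
     * Reads the Bearer {@code Authorization} header, if present. The token itself is not logged.
     *
     * @param request the current request
     * @return the bearer token, or {@code null} if the header is absent
     */
    private static String extractBearerAuthentication(HttpServletRequest request) {
        String token = HttpAuthUtils.getBearerAuthHeaderValue(request);
        if (token != null) {
            log.trace("Bearer authentication header found");
        }
        return token;
    }

    /**
     * Returns the given throwable as an application {@link AuthenticationException}, wrapping
     * anything else in an {@link AuthenticationSystemException} with a localised message.
     *
     * @param cause the underlying cause; may be {@code null}
     * @return an application-level authentication exception
     */
    private AuthenticationException toAuthenticationException(Throwable cause) {
        if (cause instanceof AuthenticationException) {
            return (AuthenticationException) cause;
        }
        return new AuthenticationSystemException(
                i18nService.createKeyedMessage("bitbucket.web.auth.unexpectedexception", new Object[0]), cause);
    }

    /**
     * Tests whether the request URI ends with the given path.
     *
     * <p>Path parameters such as {@code ;jsessionid=...} are stripped first. Note this is a
     * suffix match, not an exact match: any URI whose path ends with {@code suffix} qualifies.
     *
     * @param request the current request
     * @param suffix  the path suffix to look for
     * @return {@code true} if the URI (without path parameters) ends with {@code suffix}
     */
    private static boolean isUrl(HttpServletRequest request, String suffix) {
        return StringUtils.substringBefore(request.getRequestURI(), ";").endsWith(suffix);
    }
}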
