package com.atlassian.stash.internal.auth;

import com.atlassian.bitbucket.auth.AuthenticationContext;
import com.atlassian.bitbucket.auth.RememberMeMode;
import com.atlassian.bitbucket.auth.RememberMeService;
import com.atlassian.bitbucket.user.ApplicationUser;
import com.atlassian.bitbucket.user.UserService;
import com.atlassian.plugin.spring.AvailableToPlugins;
import com.atlassian.security.random.SecureTokenGenerator;
import com.atlassian.stash.internal.ApplicationConstants;
import com.atlassian.stash.internal.InternalConverter;
import com.atlassian.stash.internal.auth.InternalRememberMeToken;
import com.atlassian.stash.internal.spring.SpringTransactionUtils;
import com.atlassian.stash.internal.web.HttpRequestInfoHelper;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.primitives.Ints;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang3.StringUtils;
import org.hibernate.HibernateException;
import org.joda.time.DateTimeUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.beans.propertyeditors.CustomBooleanEditor;
import org.springframework.dao.DataAccessException;
import org.springframework.stereotype.Service;
import org.springframework.transaction.PlatformTransactionManager;
import org.springframework.transaction.annotation.Propagation;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.transaction.support.TransactionTemplate;

@Transactional
@Service("rememberMeService")
@AvailableToPlugins(RememberMeService.class)
/* loaded from: input_file:WEB-INF/lib/bitbucket-service-impl-5.16.0.jar:com/atlassian/stash/internal/auth/DefaultRememberMeService.class */
public class DefaultRememberMeService implements InternalRememberMeService, RememberMeService {
    static final int MAX_ATTEMPTS = 5;
    static final String PARAMETER_REMEMBER_ME = "_atl_remember_me";
    private static final Logger log = LoggerFactory.getLogger((Class<?>) DefaultRememberMeService.class);
    private final AuthenticationContext authenticationContext;
    private final String cookieName;
    private final RememberMeTokenDao dao;
    private final long expirySeconds;
    private final long gracePeriodSeconds;
    private final RememberMeMode rememberMeMode;
    private final HttpRequestInfoHelper requestInfoHelper;
    private final SecureTokenGenerator tokenGenerator;
    private final TransactionTemplate transactionTemplate;
    private final UserService userService;

    @Autowired
    public DefaultRememberMeService(AuthenticationContext authenticationContext, @Value("${auth.remember-me.cookie.name}") String str, RememberMeTokenDao rememberMeTokenDao, @Value("${auth.remember-me.token.expiry}") int i, @Value("${auth.remember-me.token.grace.period}") long j, @Value("${auth.remember-me.enabled}") String str2, HttpRequestInfoHelper httpRequestInfoHelper, SecureTokenGenerator secureTokenGenerator, PlatformTransactionManager platformTransactionManager, UserService userService) {
        this.authenticationContext = authenticationContext;
        this.cookieName = str;
        this.dao = rememberMeTokenDao;
        this.expirySeconds = TimeUnit.DAYS.toSeconds(i);
        this.gracePeriodSeconds = j;
        this.rememberMeMode = RememberMeMode.fromId(str2);
        this.requestInfoHelper = httpRequestInfoHelper;
        this.tokenGenerator = secureTokenGenerator;
        this.transactionTemplate = new TransactionTemplate(platformTransactionManager, SpringTransactionUtils.REQUIRES_NEW);
        this.userService = userService;
    }

    @Override // com.atlassian.bitbucket.auth.RememberMeService
    @Nullable
    public ApplicationUser authenticate(@Nonnull HttpServletRequest httpServletRequest, @Nonnull HttpServletResponse httpServletResponse) {
        Cookie cookie = getCookie(httpServletRequest);
        if (cookie == null) {
            log.trace("Remember-me cookie not found, skipping remember-me authentication");
            return null;
        }
        InternalRememberMeToken token = toToken(cookie);
        if (token == null) {
            log.info("Invalid remember-me cookie detected (wrong format: '{}') - canceling the cookie", cookie.getValue());
            setCookie(httpServletRequest, httpServletResponse, null);
            return null;
        }
        if (this.rememberMeMode == RememberMeMode.NEVER) {
            log.trace("Remember-me has been disabled, skipping remember-me authentication");
            return null;
        }
        InternalRememberMeToken claimToken = claimToken(token, getRemoteAddress(httpServletRequest));
        if (claimToken == null) {
            log.info("Invalid remember-me cookie detected (expired) - canceling the cookie");
            setCookie(httpServletRequest, httpServletResponse, null);
            return null;
        }
        ApplicationUser user = claimToken.getUser();
        log.debug("Checking to see if {} is still enabled in the user service", user.getName());
        if (!this.userService.isUserActive(user)) {
            log.info("{} was authenticated via remember-me, but is no longer active in the underlying user directory. The request has been blocked and the remember-me token has been invalidated", user.getName());
            setCookie(httpServletRequest, httpServletResponse, null);
            return null;
        }
        if (!claimToken.getToken().equals(token.getToken())) {
            setCookie(httpServletRequest, httpServletResponse, claimToken);
        }
        log.trace("Remember-me authentication succeeded for series '{}' and user '{}'", claimToken.getSeries(), getUsername(claimToken));
        return user;
    }

    @Override // com.atlassian.stash.internal.auth.InternalRememberMeService
    @Transactional(propagation = Propagation.SUPPORTS)
    public void cancelCookie(@Nonnull HttpServletRequest httpServletRequest, @Nonnull HttpServletResponse httpServletResponse) {
        Cookie cookie = getCookie(httpServletRequest);
        if (cookie != null) {
            if (log.isTraceEnabled()) {
                InternalRememberMeToken token = toToken(cookie);
                if (token == null) {
                    log.trace("Canceling invalid remember-me cookie");
                } else {
                    log.trace("Canceling remember-me cookie for series '{}'", token.getSeries());
                }
            }
            setCookie(httpServletRequest, httpServletResponse, null);
        }
    }

    @Override // com.atlassian.bitbucket.auth.RememberMeService
    public void createCookie(@Nonnull HttpServletRequest httpServletRequest, @Nonnull HttpServletResponse httpServletResponse) {
        ApplicationUser currentUser = this.authenticationContext.getCurrentUser();
        Objects.requireNonNull(currentUser);
        doCreateCookie(currentUser, httpServletRequest, httpServletResponse, false);
    }

    @Override // com.atlassian.stash.internal.auth.InternalRememberMeService
    public void createCookie(@Nonnull ApplicationUser applicationUser, @Nonnull HttpServletRequest httpServletRequest, @Nonnull HttpServletResponse httpServletResponse) {
        doCreateCookie(applicationUser, httpServletRequest, httpServletResponse, true);
    }

    @Override // com.atlassian.stash.internal.auth.InternalRememberMeService
    public void deleteExpiredTokens(long j, @Nonnull TimeUnit timeUnit) {
        Preconditions.checkArgument(j >= 0, "Negative expiry times are not allowed");
        log.debug("Cleaned up {} expired remember-me tokens", Integer.valueOf(this.dao.deleteExpiredTokens(j, timeUnit)));
    }

    @Override // com.atlassian.stash.internal.auth.InternalRememberMeService
    public void deleteForUser(@Nonnull ApplicationUser applicationUser) {
        this.dao.deleteForUser(((ApplicationUser) Preconditions.checkNotNull(applicationUser, "user")).getId());
    }

    @Override // com.atlassian.stash.internal.auth.InternalRememberMeService
    @Transactional(propagation = Propagation.SUPPORTS)
    public boolean isCookieRequested(@Nonnull HttpServletRequest httpServletRequest) {
        if (!StringUtils.substringBefore(httpServletRequest.getRequestURI(), ";").endsWith(ApplicationConstants.URL_SECURITY_CHECK)) {
            return false;
        }
        if (getCookie(httpServletRequest) != null) {
            log.debug("Not providing a remember-me cookie because a cookie was already present on the request");
            return false;
        }
        switch (this.rememberMeMode) {
            case ALWAYS:
                return true;
            case NEVER:
                return false;
            default:
                String parameter = httpServletRequest.getParameter(PARAMETER_REMEMBER_ME);
                return CustomBooleanEditor.VALUE_ON.equals(parameter) || "checked".equals(parameter) || "1".equals(parameter) || "true".equalsIgnoreCase(parameter);
        }
    }

    @Override // com.atlassian.bitbucket.auth.RememberMeService
    public void logout(@Nonnull HttpServletRequest httpServletRequest, @Nonnull HttpServletResponse httpServletResponse) {
        InternalRememberMeToken token;
        Cookie cookie = getCookie(httpServletRequest);
        if (cookie == null || (token = toToken(cookie)) == null) {
            return;
        }
        log.trace("Canceling remember-me series '{}' on logout", token.getSeries());
        this.dao.deleteForSeries(token.getSeries());
        cancelCookie(httpServletRequest, httpServletResponse);
    }

    @VisibleForTesting
    protected String[] decodeCookieValue(String str) {
        String str2 = str + StringUtils.repeat('=', str.length() % 4);
        if (Base64.isBase64(str2)) {
            return StringUtils.split(new String(Base64.decodeBase64(str2.getBytes())), ':');
        }
        return null;
    }

    @VisibleForTesting
    protected String encodeCookie(String... strArr) {
        return StringUtils.stripEnd(new String(Base64.encodeBase64(StringUtils.join(strArr, ":").getBytes())), "=");
    }

    private InternalRememberMeToken claimToken(InternalRememberMeToken internalRememberMeToken, String str) {
        int i = 0;
        while (i < 5) {
            try {
                return (InternalRememberMeToken) this.transactionTemplate.execute(transactionStatus -> {
                    return doClaimToken(internalRememberMeToken, str);
                });
            } catch (HibernateException | DataAccessException e) {
                i++;
                if (i < 5) {
                    log.debug("Could not claim token for series {}: '{}'. Retrying", internalRememberMeToken.getSeries(), e.getMessage());
                } else {
                    log.error("Could not claim token for series {} after {} attempts", internalRememberMeToken.getSeries(), Integer.valueOf(i), e);
                }
            }
        }
        return null;
    }

    private InternalRememberMeToken doClaimToken(InternalRememberMeToken internalRememberMeToken, String str) {
        InternalRememberMeToken findBySeriesAndToken = this.dao.findBySeriesAndToken(internalRememberMeToken.getSeries(), internalRememberMeToken.getToken());
        if (findBySeriesAndToken == null) {
            return null;
        }
        if (findBySeriesAndToken.isClaimed()) {
            return handleClaimedToken(findBySeriesAndToken, str);
        }
        String username = getUsername(findBySeriesAndToken);
        if (findBySeriesAndToken.isExpired()) {
            log.debug("Provided token for remember-me series '{}' for user '{}' has expired. Ignoring the token", internalRememberMeToken.getSeries(), username);
            return null;
        }
        if (this.dao.claim(new InternalRememberMeToken.Builder(findBySeriesAndToken).claimed().expiresAfter(this.gracePeriodSeconds, TimeUnit.SECONDS).remoteAddress(str).build())) {
            log.debug("Refreshed token for remember-me series '{}' for user '{}'", internalRememberMeToken.getSeries(), username);
            return this.dao.create(new InternalRememberMeToken.Builder(findBySeriesAndToken).id(0L).token(this.tokenGenerator.generateToken()).expiresAfter(this.expirySeconds, TimeUnit.SECONDS).build());
        }
        this.dao.refresh(findBySeriesAndToken);
        if (findBySeriesAndToken.isClaimed()) {
            return handleClaimedToken(findBySeriesAndToken, str);
        }
        return null;
    }

    private void doCreateCookie(@Nonnull ApplicationUser applicationUser, @Nonnull HttpServletRequest httpServletRequest, @Nonnull HttpServletResponse httpServletResponse, boolean z) {
        Cookie cookie = getCookie(httpServletRequest);
        if (cookie != null) {
            if (z) {
                cancelCookie(httpServletRequest, httpServletResponse);
                InternalRememberMeToken token = toToken(cookie);
                throw new IllegalStateException("A remember-me cookie for series '+" + (token != null ? token.getSeries() : "invalid") + "' is already present. Cannot provide a remember-me cookie for a new series. Canceling the existing cookie");
            }
            logout(httpServletRequest, httpServletResponse);
        }
        InternalRememberMeToken create = this.dao.create(new InternalRememberMeToken.Builder().series(this.tokenGenerator.generateToken()).token(this.tokenGenerator.generateToken()).user(InternalConverter.convertToInternalUser(applicationUser)).expiresAfter(this.expirySeconds, TimeUnit.SECONDS).build());
        setCookie(httpServletRequest, httpServletResponse, create);
        log.debug("Created new remember-me series '{}' for user '{}'", create.getSeries(), applicationUser.getName());
    }

    private Cookie getCookie(HttpServletRequest httpServletRequest) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (this.cookieName.equals(cookie.getName())) {
                return cookie;
            }
        }
        return null;
    }

    private String getRemoteAddress(HttpServletRequest httpServletRequest) {
        String remoteAddress = this.requestInfoHelper.getRemoteAddress(httpServletRequest);
        return remoteAddress.length() < 256 ? remoteAddress : remoteAddress.substring(0, 255);
    }

    private String getUsername(InternalRememberMeToken internalRememberMeToken) {
        return StringUtils.defaultString(internalRememberMeToken.getUser() == null ? null : internalRememberMeToken.getUser().getName(), "<unknown>");
    }

    private InternalRememberMeToken handleClaimedToken(InternalRememberMeToken internalRememberMeToken, String str) {
        boolean equals = Objects.equals(str, internalRememberMeToken.getRemoteAddress());
        if (equals && !internalRememberMeToken.isExpired()) {
            log.trace("Accepting remember-me token for series '{}' for user '{}' that was already used for authentication from '{}'", internalRememberMeToken.getSeries(), getUsername(internalRememberMeToken), internalRememberMeToken.getRemoteAddress());
            return internalRememberMeToken;
        }
        int deleteForSeries = this.dao.deleteForSeries(internalRememberMeToken.getSeries());
        if (deleteForSeries <= 0) {
            return null;
        }
        if (equals) {
            log.info("Expired remember-me token detected for series '{}' for user '{}' (used from '{}'). As a safety precaution, all ({}) tokens from that series have been canceled.", internalRememberMeToken.getSeries(), getUsername(internalRememberMeToken), internalRememberMeToken.getRemoteAddress(), Integer.valueOf(deleteForSeries));
            return null;
        }
        log.info("Remember-me token detected for series '{}' for user '{}' (used from '{}'). Current request is from a different address ('{}')! As a safety precaution, all ({}) tokens from that series have been canceled.", internalRememberMeToken.getSeries(), getUsername(internalRememberMeToken), internalRememberMeToken.getRemoteAddress(), str, Integer.valueOf(deleteForSeries));
        return null;
    }

    @VisibleForTesting
    void setCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, InternalRememberMeToken internalRememberMeToken) {
        String str = null;
        if (internalRememberMeToken != null) {
            str = encodeCookie(internalRememberMeToken.getSeries(), internalRememberMeToken.getToken());
        }
        Cookie cookie = new Cookie(this.cookieName, str);
        cookie.setHttpOnly(true);
        cookie.setSecure(httpServletRequest.isSecure());
        String contextPath = httpServletRequest.getContextPath();
        cookie.setPath(StringUtils.isNotBlank(contextPath) ? contextPath : "/");
        long seconds = internalRememberMeToken == null ? 0L : TimeUnit.MILLISECONDS.toSeconds(internalRememberMeToken.getExpiryDate().getTime() - DateTimeUtils.currentTimeMillis());
        cookie.setMaxAge(Ints.saturatedCast(seconds));
        if (seconds < 1) {
            cookie.setVersion(1);
        }
        httpServletResponse.addCookie(cookie);
    }

    private InternalRememberMeToken toToken(Cookie cookie) {
        String[] decodeCookieValue = decodeCookieValue(cookie.getValue());
        if (decodeCookieValue == null || decodeCookieValue.length != 2) {
            return null;
        }
        return new InternalRememberMeToken.Builder().series(decodeCookieValue[0]).token(decodeCookieValue[1]).build();
    }
}
