package com.atlassian.plugins.authentication.impl.web.filter.authentication;

import com.atlassian.plugin.spring.scanner.annotation.imports.ComponentImport;
import com.atlassian.plugins.authentication.impl.config.AuthenticationConfig;
import com.atlassian.plugins.authentication.impl.config.saml.SamlConfigService;
import com.atlassian.plugins.authentication.impl.ui.logout.LogoutPageServlet;
import com.atlassian.plugins.authentication.impl.util.HttpsValidator;
import com.atlassian.plugins.authentication.impl.util.ProductLicenseDataProvider;
import com.atlassian.plugins.authentication.impl.web.AuthenticationHandler;
import com.atlassian.plugins.authentication.impl.web.saml.SamlConsumerServlet;
import com.atlassian.sal.api.ApplicationProperties;
import com.atlassian.sal.api.UrlMode;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableSet;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import javax.annotation.Nullable;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/atlassian-authentication-plugin-2.1.0.jar:com/atlassian/plugins/authentication/impl/web/filter/authentication/AuthenticationFilter.class */
/**
 * Base servlet filter for external (SAML) authentication.
 *
 * <p>For each request it first decides whether external authentication should be attempted at all
 * (see {@link #shouldAttemptAuthentication}). If not, the request simply continues down the filter
 * chain; otherwise it is handed to the {@link AuthenticationHandler} together with a validated,
 * context-relative post-login target URI (see {@link #validateUri}). A requested URL that cannot be
 * parsed or that escapes the context path is answered with HTTP 400 instead of being passed on.
 *
 * <p>Subclasses only have to say where the requested URL comes from ({@link #extractRequestedUrl}).
 */
public abstract class AuthenticationFilter implements Filter {
    protected final Logger log = LoggerFactory.getLogger(getClass());

    /**
     * JVM system property consulted on every request; while it is set (to any value) external
     * authentication is skipped, see {@link #shouldAttemptAuthentication}.
     */
    public static final String ATLASSIAN_RECOVERY_PASSWORD = "atlassian.recovery.password";

    /**
     * Paths that are never accepted as a post-login destination: landing on the SAML consumer or the
     * logout page after authentication would make no sense, so such targets are replaced by {@code null}.
     */
    private static final Set<String> ILLEGAL_DESTINATION_URLS = ImmutableSet.of(SamlConsumerServlet.URL, LogoutPageServlet.URL);

    private final AuthenticationHandler authenticationHandler;
    protected final ApplicationProperties applicationProperties;
    protected final AuthenticationConfig authenticationConfig;
    private final ProductLicenseDataProvider productLicenseDataProvider;
    private final HttpsValidator httpsValidator;
    private final SamlConfigService samlConfigService;

    /**
     * Wires the collaborators; no work is done here.
     *
     * @param authenticationConfig     per-request switch that can veto external authentication
     * @param authenticationHandler    performs the actual authentication round-trip
     * @param applicationProperties    source of the relative base URL (context path)
     * @param productLicenseDataProvider tells whether a Data Center license is present
     * @param httpsValidator           checks that the configured base URL is https
     * @param samlConfigService        supplies the SAML configuration handed to the https check
     */
    public AuthenticationFilter(AuthenticationConfig authenticationConfig, AuthenticationHandler authenticationHandler, @ComponentImport ApplicationProperties applicationProperties, ProductLicenseDataProvider productLicenseDataProvider, HttpsValidator httpsValidator, SamlConfigService samlConfigService) {
        this.authenticationConfig = authenticationConfig;
        this.authenticationHandler = authenticationHandler;
        this.applicationProperties = applicationProperties;
        this.productLicenseDataProvider = productLicenseDataProvider;
        this.httpsValidator = httpsValidator;
        this.samlConfigService = samlConfigService;
    }

    /** Nothing to initialise; all state is injected through the constructor. */
    @Override // javax.servlet.Filter
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Either passes the request on unchanged or routes it into external authentication.
     *
     * <p>The request/response are assumed to be HTTP (the casts are unguarded, as in the original).
     * An {@link IllegalArgumentException} (rejected or unparsable target URL, see {@link #validateUri})
     * or a {@link URISyntaxException} is turned into a 400 response and the chain is <em>not</em>
     * continued, i.e. the filter fails closed.
     *
     * @throws IOException      from the chain, the handler, or {@code sendError}
     * @throws ServletException from the chain or the handler
     */
    @Override // javax.servlet.Filter
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) servletRequest;
        final HttpServletResponse response = (HttpServletResponse) servletResponse;
        try {
            if (shouldAttemptAuthentication(request, response)) {
                final URI target = getTargetUrl(request);
                this.authenticationHandler.processAuthenticationRequest(request, response, target);
            } else {
                filterChain.doFilter(request, response);
            }
        } catch (IllegalArgumentException | URISyntaxException e) {
            // NOTE(review): the message can contain the client-supplied URL (see validateUri); it is
            // left to the container's error page to escape it — confirm for the deployed container.
            response.sendError(Response.Status.BAD_REQUEST.getStatusCode(), e.getMessage());
        }
    }

    /**
     * Decides whether this request should go through external authentication.
     *
     * <p>The checks run in a fixed order and the first failing one wins: configuration veto,
     * handler not configured, no Data Center license, base URL not https, password-recovery
     * property set. Each refusal is logged (trace for the configuration-driven ones, warn for
     * the license and https problems because those indicate a misconfiguration).
     *
     * @return {@code true} only if every check passes
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public boolean shouldAttemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException, URISyntaxException {
        if (this.authenticationConfig.isSkipExternalAuthentication(httpServletRequest, httpServletResponse)) {
            this.log.trace("Not attempting external authentication, prevented by AuthenticationConfig");
            return false;
        }
        if (!this.authenticationHandler.isConfigured()) {
            this.log.trace("Not attempting external authentication, AuthenticationHandler not configured");
            return false;
        }
        if (!this.productLicenseDataProvider.isDataCenterProduct()) {
            this.log.warn("Not attempting external authentication, no data center license.");
            return false;
        }
        if (!this.httpsValidator.isBaseUrlSecure(this.samlConfigService.getSamlConfig())) {
            this.log.warn("Not attempting external authentication, base url is not https");
            return false;
        }
        if (isRecoveryPasswordSet()) {
            this.log.trace("Not attempting external authentication, Atlassian password recovery set");
            return false;
        }
        return true;
    }

    /** {@code true} while the {@link #ATLASSIAN_RECOVERY_PASSWORD} system property is present. */
    private static boolean isRecoveryPasswordSet() {
        return System.getProperty(ATLASSIAN_RECOVERY_PASSWORD) != null;
    }

    /**
     * Builds the post-login target from the subclass-supplied requested URL.
     *
     * @return the validated, context-relative URI; {@code null} when the subclass supplied no URL
     *         or when the requested path is one of {@link #ILLEGAL_DESTINATION_URLS}
     * @throws IllegalArgumentException propagated from {@link #validateUri}
     */
    private URI getTargetUrl(HttpServletRequest httpServletRequest) {
        final String requested = extractRequestedUrl(httpServletRequest);
        if (requested == null) {
            return null;
        }
        final URI target = validateUri(requested);
        // Never bounce the user back onto the SAML consumer or the logout page after login.
        return ILLEGAL_DESTINATION_URLS.contains(target.getPath()) ? null : target;
    }

    /**
     * Supplies the URL the user originally asked for, or {@code null} if there is none.
     */
    @Nullable
    protected abstract String extractRequestedUrl(HttpServletRequest httpServletRequest);

    /**
     * Parses and sanitises a user-controlled URL so it can be used as a redirect target.
     *
     * <p>Steps, in order: parse and {@link URI#normalize() normalize} (resolves {@code .} and
     * {@code ..} segments); reduce anything carrying a scheme or authority to its path, query and
     * fragment and strip the context path ({@link #relativizeUriIfNeeded}); finally reject a path
     * that still starts with {@code ../}, i.e. one that would climb out of the context path.
     * Dropping scheme and authority is what keeps an absolute or protocol-relative URL from turning
     * the redirect into an off-site one.
     *
     * @param str the raw requested URL
     * @return a context-relative URI
     * @throws IllegalArgumentException if {@code str} is not a valid URI or its normalised path
     *         escapes the context path; the message includes {@code str}
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public URI validateUri(String str) {
        final URI relative;
        try {
            final URI normalized = new URI(str).normalize();
            relative = relativizeUriIfNeeded(normalized);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("Error parsing provided url " + str + ", aborting", e);
        }
        // Prefix test only: a path that is exactly ".." (no trailing slash) is not matched here —
        // NOTE(review): confirm whether any caller can produce such a value.
        final boolean escapesContext = relative.getPath().startsWith("../");
        Preconditions.checkArgument(!escapesContext, "Requested path traversal outside the context path " + str + ", aborting");
        return relative;
    }

    /**
     * Returns {@code uri} untouched when it is already a plain context-relative reference;
     * otherwise rebuilds it from path, raw query and fragment only (scheme, host, port, user info
     * and authority are discarded) and then removes the context path prefix.
     */
    private URI relativizeUriIfNeeded(URI uri) throws URISyntaxException {
        if (isPlainRelativeReference(uri)) {
            return uri;
        }
        final URI pathQueryFragment = UriBuilder.fromUri("")
                .replacePath(uri.getPath())
                .replaceQuery(uri.getRawQuery())
                .fragment(uri.getFragment())
                .build();
        return removeContextPathFromUriIfNeeded(pathQueryFragment);
    }

    /**
     * A reference with no scheme and no authority component of any kind (host, port, user info,
     * or a raw authority such as the one in {@code //host/path}).
     */
    private static boolean isPlainRelativeReference(URI uri) {
        return !uri.isAbsolute()
                && Strings.isNullOrEmpty(uri.getHost())
                && uri.getPort() == -1
                && Strings.isNullOrEmpty(uri.getUserInfo())
                && Strings.isNullOrEmpty(uri.getAuthority());
    }

    /**
     * Strips the application's relative base URL from the front of {@code uri} when present.
     *
     * <p>This is a plain string prefix match on {@code uri.toString()}; NOTE(review): a base URL
     * of {@code /ctx} therefore also matches {@code /ctxfoo/...} — confirm that is acceptable.
     *
     * @return the URI without the context path prefix, or {@code uri} itself if it had none
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public URI removeContextPathFromUriIfNeeded(URI uri) {
        final String contextPath = this.applicationProperties.getBaseUrl(UrlMode.RELATIVE);
        final String asText = uri.toString();
        if (!asText.startsWith(contextPath)) {
            return uri;
        }
        return UriBuilder.fromUri(asText.substring(contextPath.length())).build();
    }

    /** Nothing to release. */
    @Override // javax.servlet.Filter
    public void destroy() {
    }
}
