package com.atlassian.plugin.connect.plugin.auth.user;

import com.atlassian.jwt.JwtConstants;
import com.atlassian.jwt.core.http.auth.SimplePrincipal;
import com.atlassian.plugin.connect.api.ConnectAddonAccessor;
import com.atlassian.plugin.connect.modules.beans.AuthenticationType;
import com.atlassian.plugin.connect.modules.beans.ConnectAddonBean;
import com.atlassian.plugin.connect.plugin.ConnectAddonInformationProvider;
import com.atlassian.plugin.connect.plugin.auth.DefaultMessage;
import com.atlassian.plugin.connect.spi.auth.user.ConnectUserService;
import com.atlassian.plugin.spring.scanner.annotation.export.ExportAsService;
import com.atlassian.sal.api.auth.AuthenticationListener;
import com.atlassian.sal.api.auth.Authenticator;
import com.atlassian.sal.api.lifecycle.LifecycleAware;
import com.atlassian.sal.api.message.I18nResolver;
import com.atlassian.sal.api.message.Message;
import com.atlassian.sal.api.user.UserKey;
import com.atlassian.sal.api.user.UserManager;
import com.atlassian.sal.api.user.UserProfile;
import com.google.common.base.Preconditions;
import java.io.IOException;
import java.security.Principal;
import java.util.Optional;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

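/**
 * Servlet filter that turns a Connect add-on request (whose JWT has already been verified by earlier
 * code that stores the add-on key and optional subject as request attributes) into a SAL
 * authentication result.
 *
 * <p>Decision flow for each request, once the application has started:
 * <ol>
 *   <li>No add-on key attribute, unknown add-on, or an add-on whose authentication type is not
 *       {@link AuthenticationType#JWT}: the request passes through untouched.</li>
 *   <li>Empty-string subject: rejected with HTTP 400.</li>
 *   <li>Non-null subject: the subject is impersonated only if the user exists and is active
 *       (otherwise 401) and either the {@code SYS_PROP_ALLOW_IMPERSONATION} system property is set
 *       or the user has granted user-agent rights to the add-on (otherwise 403). The
 *       {@link ThreeLeggedAuthService} may also ask for the subject to be silently ignored, in
 *       which case the request proceeds as a plain add-on request.</li>
 *   <li>No subject (or silently ignored subject): the request is authenticated as the add-on's own
 *       user, or anonymously when no user key is stored for the add-on.</li>
 * </ol>
 * Any HTTP session attached to an add-on request is invalidated once the request has been handled,
 * whether or not it succeeded.
 *
 * <p>Thread-safety: the only mutable state is the {@code started} flag, which is an
 * {@link AtomicBoolean}; every other field is final.
 */
@ExportAsService({LifecycleAware.class})
@Component
/* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/atlassian-connect-plugin-1.1.100.jar:com/atlassian/plugin/connect/plugin/auth/user/ThreeLeggedAuthFilter.class */
public class ThreeLeggedAuthFilter implements Filter, LifecycleAware {
    private static final Logger log = LoggerFactory.getLogger(ThreeLeggedAuthFilter.class);

    /**
     * Message used both in logs and in the HTTP error response whenever impersonation is refused.
     * Arguments: add-on key, then the requested subject. Note that this text is sent to the client.
     */
    private static final String MSG_FORMAT_NOT_ALLOWING_IMPERSONATION = "Add-on '%s' disallowed to impersonate user '%s'";

    private final ThreeLeggedAuthService threeLeggedAuthService;
    private final AuthenticationListener authenticationListener;
    private final UserManager userManager;
    private final ConnectUserService userService;
    private final ConnectAddonInformationProvider connectAddonInformationProvider;
    private final ConnectAddonAccessor addonAccessor;
    /** Localised text sent with a 401 when the add-on's own user cannot be used. */
    private final String badCredentialsMessage;
    /** Set by {@link #onStart()}; until then the filter is a no-op. */
    private final AtomicBoolean started = new AtomicBoolean(false);

    /**
     * Raised when the subject (or the add-on's own user) cannot be authenticated. By the time it is
     * thrown from the profile-lookup helpers the error response has already been sent, so callers
     * only need to stop processing.
     */
    public static class InvalidSubjectException extends Exception {
        public InvalidSubjectException(String message) {
            super(message);
        }
    }

    /**
     * Creates the filter; all collaborators are required.
     *
     * @throws NullPointerException if any collaborator is {@code null}
     */
    @Autowired
    public ThreeLeggedAuthFilter(ThreeLeggedAuthService threeLeggedAuthService, ConnectAddonAccessor connectAddonAccessor, UserManager userManager, ConnectUserService connectUserService, AuthenticationListener authenticationListener, I18nResolver i18nResolver, ConnectAddonInformationProvider connectAddonInformationProvider) {
        this.threeLeggedAuthService = Preconditions.checkNotNull(threeLeggedAuthService, "threeLeggedAuthService");
        this.addonAccessor = Preconditions.checkNotNull(connectAddonAccessor, "connectAddonAccessor");
        this.userManager = Preconditions.checkNotNull(userManager, "userManager");
        this.userService = Preconditions.checkNotNull(connectUserService, "userService");
        this.authenticationListener = Preconditions.checkNotNull(authenticationListener, "authenticationListener");
        this.connectAddonInformationProvider = Preconditions.checkNotNull(connectAddonInformationProvider, "connectAddonInformationProvider");
        // Resolved once at construction; the message is reused for every 401 sent by actAsAddonUser().
        this.badCredentialsMessage = Preconditions.checkNotNull(i18nResolver, "i18nResolver").getText("connect.3la.bad_credentials");
    }

    /** Nothing to initialise: all dependencies are injected through the constructor. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Authenticates JWT add-on requests as described on the class; every other request is passed
     * down the chain unchanged.
     *
     * @throws IOException      propagated from the filter chain
     * @throws ServletException propagated from the filter chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        if (!started.get()) {
            log.debug("Application has not started yet, filter skipped.");
            filterChain.doFilter(request, response);
            return;
        }
        String addonKey = getAddonKeyFromRequest(servletRequest);
        if (StringUtils.isEmpty(addonKey)) {
            // No add-on identified on this request: it is not a Connect add-on request, nothing to do.
            filterChain.doFilter(request, response);
            return;
        }
        Optional<ConnectAddonBean> addon = addonAccessor.getAddon(addonKey);
        if (addon.isPresent() && isJsonJwtAddon(addon.get())) {
            processAddonRequest(filterChain, request, response, addon.get());
        } else {
            filterChain.doFilter(request, response);
        }
    }

    /** Enables the filter; before this point every request is passed through untouched. */
    @Override
    public void onStart() {
        log.debug("Application started.");
        started.set(true);
    }

    /** Disables the filter again. */
    @Override
    public void onStop() {
        started.set(false);
    }

    /**
     * Returns the add-on key stored on the request, or {@code null} when absent or not a string.
     */
    private String getAddonKeyFromRequest(ServletRequest servletRequest) {
        return getStringAttribute(servletRequest, JwtConstants.HttpRequests.ADD_ON_ID_ATTRIBUTE_NAME);
    }

    /**
     * Reads a request attribute that is expected to hold a {@link String}.
     *
     * @return the attribute value, or {@code null} when it is absent or of another type (a warning is
     *         logged in the latter case, since only server-side code sets these attributes)
     */
    private static String getStringAttribute(ServletRequest request, String attributeName) {
        Object value = request.getAttribute(attributeName);
        if (value == null) {
            return null;
        }
        if (value instanceof String) {
            return (String) value;
        }
        log.warn("The value of the request attribute '{}' should be a string but instead it is a '{}': '{}'. This is a programming error in the code that sets this value.", attributeName, value.getClass().getSimpleName(), value);
        return null;
    }

    /** Only add-ons that declare JWT authentication are handled by this filter. */
    private boolean isJsonJwtAddon(ConnectAddonBean connectAddonBean) {
        return connectAddonBean.getAuthentication() != null
                && connectAddonBean.getAuthentication().getType() == AuthenticationType.JWT;
    }

    /**
     * Handles a request from a known JWT add-on: decides between impersonating the JWT subject and
     * acting as the add-on's own user, then continues the chain. The HTTP session (if any) is
     * invalidated in every exit path, including the error ones.
     */
    private void processAddonRequest(FilterChain filterChain, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, ConnectAddonBean connectAddonBean) throws IOException, ServletException {
        String subject = getStringAttribute(httpServletRequest, JwtConstants.HttpRequests.JWT_SUBJECT_ATTRIBUTE_NAME);
        if ("".equals(subject)) {
            rejectEmptyStringSubject(httpServletRequest, httpServletResponse, connectAddonBean.getKey(), subject);
            return;
        }
        HttpSession session = httpServletRequest.getSession(false);
        try {
            UserProfile userProfile = null;
            if (subject != null) {
                try {
                    userProfile = getUserProfileIfImpersonationAllowed(httpServletRequest, httpServletResponse, subject, connectAddonBean);
                } catch (InvalidSubjectException e) {
                    // The error response has already been sent by the helper; just stop the chain.
                    log.error("The subject is invalid (see above for details) and this request is being stopped by the {}.", ThreeLeggedAuthFilter.class.getSimpleName());
                    return;
                }
            }
            if (userProfile != null) {
                impersonateSubject(filterChain, httpServletRequest, httpServletResponse, userProfile);
            } else {
                actAsAddonUser(filterChain, httpServletRequest, httpServletResponse, connectAddonBean.getKey());
            }
        } finally {
            // Add-on requests must not leave a session behind, regardless of outcome.
            invalidateQuietly(session);
        }
    }

    /** Invalidates the session if there is one; an already-invalid session is only traced. */
    private static void invalidateQuietly(HttpSession session) {
        if (session == null) {
            return;
        }
        try {
            session.invalidate();
        } catch (IllegalStateException e) {
            log.trace("session.invalidate() failed", e);
        }
    }

    /** Sends a 400: an empty-string subject is never a valid user. */
    private void rejectEmptyStringSubject(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String addonKey, String subject) {
        String message = String.format(MSG_FORMAT_NOT_ALLOWING_IMPERSONATION, addonKey, subject);
        log.warn("{} because an empty-string username is nonsensical and may indicate a programming error in the add-on.", message);
        fail(httpServletRequest, httpServletResponse, message, 400);
    }

    /**
     * Resolves the subject to a user profile and checks that the add-on may impersonate it.
     *
     * @return the profile to impersonate, or {@code null} when the service asked for the subject to
     *         be silently ignored (the request then proceeds as the add-on user)
     * @throws InvalidSubjectException when the user is unknown or inactive (401) or has not granted
     *                                 user-agent rights to the add-on (403); the response has
     *                                 already been sent when this is thrown
     */
    private UserProfile getUserProfileIfImpersonationAllowed(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String subject, ConnectAddonBean connectAddonBean) throws InvalidSubjectException {
        String addonKey = connectAddonBean.getKey();
        if (Boolean.getBoolean(JwtConstants.AppLinks.SYS_PROP_ALLOW_IMPERSONATION)) {
            // JVM-wide override: the per-user grant check is skipped for every add-on. Only the
            // existence/active checks in getUserProfile() still apply.
            log.debug("Allowing add-on '{}' to impersonate the user because the system property '{}' is set to true.", addonKey, JwtConstants.AppLinks.SYS_PROP_ALLOW_IMPERSONATION);
            return getUserProfile(httpServletRequest, httpServletResponse, addonKey, subject);
        }
        if (threeLeggedAuthService.shouldSilentlyIgnoreUserAgencyRequest(subject, connectAddonBean)) {
            if (log.isDebugEnabled()) {
                log.debug("Ignoring subject claim on incoming request '{}' from Connect add-on '{}' because the {} said so.", httpServletRequest.getRequestURI(), addonKey, threeLeggedAuthService.getClass().getSimpleName());
            }
            return null;
        }
        UserProfile userProfile = getUserProfile(httpServletRequest, httpServletResponse, addonKey, subject);
        if (threeLeggedAuthService.hasGrant(userProfile.getUserKey(), connectAddonBean)) {
            log.info("Allowing add-on '{}' to impersonate the user because a user-agent grant exists.", addonKey);
            return userProfile;
        }
        String message = String.format(MSG_FORMAT_NOT_ALLOWING_IMPERSONATION, addonKey, subject);
        log.debug("{} because this user has not granted user-agent rights to this add-on, or the grant has expired.", message);
        fail(httpServletRequest, httpServletResponse, message, 403);
        throw new InvalidSubjectException(subject);
    }

    /** Reports a successful three-legged authentication for the subject and continues the chain. */
    private void impersonateSubject(FilterChain filterChain, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, UserProfile userProfile) throws IOException, ServletException {
        Authenticator.Result.Success success = new Authenticator.Result.Success(createMessage("Successful three-legged-auth"), new SimplePrincipal(userProfile.getUsername()));
        authenticationListener.authenticationSuccess(success, httpServletRequest, httpServletResponse);
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /**
     * Reports a successful two-legged authentication as the add-on's own user (a {@code null}
     * principal when the add-on has no stored user key) and continues the chain. If that user is
     * inactive a 401 with the localised bad-credentials text is sent instead.
     */
    private void actAsAddonUser(FilterChain filterChain, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String addonKey) throws IOException, ServletException {
        try {
            Authenticator.Result.Success success = new Authenticator.Result.Success(createMessage("Successful two-legged-auth"), getPrincipal(addonKey));
            authenticationListener.authenticationSuccess(success, httpServletRequest, httpServletResponse);
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        } catch (InvalidSubjectException e) {
            // NOTE(review): unlike fail(), this path does not notify authenticationListener of the
            // failure, and the Failure result built here is discarded — confirm that is intended.
            createAndSendFailure(e, httpServletResponse, 401, badCredentialsMessage);
        }
    }

    /**
     * Looks up the subject's profile by user key and checks that the account is active.
     *
     * @throws InvalidSubjectException when the user is unknown or inactive; a 401 has already been
     *                                 sent when this is thrown
     */
    private UserProfile getUserProfile(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String addonKey, String subject) throws InvalidSubjectException {
        UserProfile userProfile = userManager.getUserProfile(new UserKey(subject));
        if (userProfile == null) {
            String message = String.format(MSG_FORMAT_NOT_ALLOWING_IMPERSONATION, addonKey, subject);
            log.warn("{} because we can't find a user with this user key.", message);
            fail(httpServletRequest, httpServletResponse, message, 401);
            throw new InvalidSubjectException(subject);
        }
        if (userService.isActive(userProfile.getUsername())) {
            return userProfile;
        }
        String message = String.format(MSG_FORMAT_NOT_ALLOWING_IMPERSONATION, addonKey, subject);
        log.debug("{} because the crowd service says that this user is inactive.", message);
        fail(httpServletRequest, httpServletResponse, message, 401);
        throw new InvalidSubjectException(subject);
    }

    /**
     * Sends the error response and reports the failure to the authentication listener. The listener
     * only receives an empty message; the descriptive text goes to the client.
     */
    private void fail(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String message, int status) {
        sendErrorResponse(httpServletResponse, status, message);
        authenticationListener.authenticationFailure(new Authenticator.Result.Failure(createMessage("")), httpServletRequest, httpServletResponse);
    }

    /**
     * Resolves the principal for the add-on's own user.
     *
     * @return a principal for the stored user key, or {@code null} (anonymous) when no user key is
     *         stored for the add-on
     * @throws InvalidSubjectException when the stored user is inactive
     */
    private Principal getPrincipal(String addonKey) throws InvalidSubjectException {
        Optional<String> userKey = connectAddonInformationProvider.getUserKey(addonKey);
        if (!userKey.isPresent()) {
            log.warn("No user key stored for add-on '{}'. Incoming requests from this issuer will be authenticated as an anonymous request.", addonKey);
            return null;
        }
        String addonUserKey = userKey.get();
        // NOTE(review): isActive() receives the stored user key here but a username in
        // getUserProfile() — confirm ConnectUserService accepts both.
        if (!userService.isActive(addonUserKey)) {
            throw new InvalidSubjectException(String.format("The user '%s' is inactive", addonUserKey));
        }
        return new SimplePrincipal(addonUserKey);
    }

    private static Message createMessage(String text) {
        return new DefaultMessage(text);
    }

    /** Logs the exception, sends the error response and builds the matching failure result. */
    private static Authenticator.Result.Failure createAndSendFailure(Exception exc, HttpServletResponse httpServletResponse, int status, String message) {
        log.debug("Failure during JWT authentication: ", exc);
        sendErrorResponse(httpServletResponse, status, message);
        return new Authenticator.Result.Failure(createMessage(exc.getLocalizedMessage()));
    }

    /**
     * Resets the response and sends {@code status} with {@code message}; if that fails with an
     * {@link IOException}, falls back to setting the status alone. Best effort only: a response that
     * is already committed cannot be changed and is merely traced.
     */
    private static void sendErrorResponse(HttpServletResponse httpServletResponse, int status, String message) {
        httpServletResponse.reset();
        try {
            httpServletResponse.sendError(status, message);
        } catch (IOException e) {
            log.error("Encountered IOException while trying to report an authentication failure.", e);
            try {
                httpServletResponse.reset();
                httpServletResponse.setStatus(status);
            } catch (IllegalStateException alreadyCommitted) {
                log.trace("Response already committed; could not report status {}", status, alreadyCommitted);
            }
        }
    }
}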
