package com.atlassian.bitbucket.internal.mirroring.mirror.auth.http;

import com.atlassian.bitbucket.auth.HttpAuthenticationContext;
import com.atlassian.bitbucket.auth.HttpAuthenticationHandler;
import com.atlassian.bitbucket.i18n.I18nService;
import com.atlassian.bitbucket.internal.mirroring.mirror.InternalUpstreamServer;
import com.atlassian.bitbucket.internal.mirroring.mirror.InternalUpstreamService;
import com.atlassian.bitbucket.internal.mirroring.mirror.MirrorDescriptionUtils;
import com.atlassian.bitbucket.internal.mirroring.mirror.auth.CloudAuthenticator;
import com.atlassian.bitbucket.internal.mirroring.mirror.auth.DelegatedAuthenticationHandlerBase;
import com.atlassian.bitbucket.internal.mirroring.mirror.auth.DelegatedAuthorisationException;
import com.atlassian.bitbucket.internal.mirroring.mirror.auth.ServerAuthenticator;
import com.atlassian.bitbucket.internal.mirroring.mirror.auth.SimpleUser;
import com.atlassian.bitbucket.internal.mirroring.mirror.auth.UpstreamAuthenticatorFactory;
import com.atlassian.bitbucket.internal.mirroring.mirror.dao.AoRepositoryMapping;
import com.atlassian.bitbucket.internal.mirroring.mirror.dao.RepositoryMappingDao;
import com.atlassian.bitbucket.internal.mirroring.user.ApplicationUserWithPermissions;
import com.atlassian.bitbucket.internal.mirroring.user.SimpleApplicationUserWithPermissions;
import com.atlassian.bitbucket.mirroring.mirror.UpstreamServer;
import com.atlassian.bitbucket.permission.Permission;
import com.atlassian.bitbucket.permission.SimpleEffectiveGlobalPermission;
import com.atlassian.bitbucket.permission.SimpleEffectiveRepositoryPermission;
import com.atlassian.bitbucket.repository.Repository;
import com.atlassian.bitbucket.repository.RepositoryService;
import com.atlassian.bitbucket.scm.http.RepositoryUrlFragment;
import com.atlassian.bitbucket.user.ApplicationUser;
import com.atlassian.bitbucket.user.DetailedUser;
import com.atlassian.bitbucket.user.SecurityService;
import com.atlassian.bitbucket.user.UserAdminService;
import com.atlassian.bitbucket.util.DevModeUtils;
import com.atlassian.crowd.embedded.api.DirectoryType;
import com.atlassian.crowd.exception.DirectoryNotFoundException;
import com.atlassian.crowd.manager.directory.DirectoryManager;
import com.atlassian.sal.api.transaction.TransactionTemplate;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableList;
import java.util.Collections;
import java.util.List;
import javax.annotation.Nonnull;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils;

/* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/bitbucket-mirroring-mirror-5.16.0.jar:com/atlassian/bitbucket/internal/mirroring/mirror/auth/http/DelegatedHttpAuthenticationHandler.class */
public class DelegatedHttpAuthenticationHandler extends DelegatedAuthenticationHandlerBase implements HttpAuthenticationHandler {
    private final DirectoryManager directoryManager;
    private final RepositoryMappingDao repositoryMappingDao;
    private final RepositoryService repositoryService;
    private final SecurityService securityService;
    private final UserAdminService userAdminService;

    public DelegatedHttpAuthenticationHandler(UpstreamAuthenticatorFactory upstreamAuthenticatorFactory, DirectoryManager directoryManager, I18nService i18nService, RepositoryMappingDao repositoryMappingDao, RepositoryService repositoryService, SecurityService securityService, TransactionTemplate transactionTemplate, InternalUpstreamService internalUpstreamService, UserAdminService userAdminService) {
        super(upstreamAuthenticatorFactory, i18nService, securityService, transactionTemplate, internalUpstreamService);
        this.directoryManager = directoryManager;
        this.repositoryMappingDao = repositoryMappingDao;
        this.repositoryService = repositoryService;
        this.securityService = securityService;
        this.userAdminService = userAdminService;
    }

    @Override // com.atlassian.bitbucket.auth.HttpAuthenticationHandler
    public ApplicationUser authenticate(@Nonnull HttpAuthenticationContext httpAuthenticationContext) {
        if (!this.upstreamService.isMirror()) {
            this.log.trace("Not delegating HTTP authentication because this is not a mirror");
            return null;
        }
        String username = httpAuthenticationContext.getUsername();
        String str = httpAuthenticationContext.getCredentials() instanceof String ? (String) httpAuthenticationContext.getCredentials() : null;
        if (StringUtils.isBlank(username)) {
            this.log.trace("Not delegating HTTP authentication because username not provided");
            return null;
        }
        if (StringUtils.isBlank(str)) {
            this.log.trace("Not delegating HTTP authentication because no password provided or credentials are of an unrecognised kind");
            return null;
        }
        if (isDevMode() && isLocalEmbeddedCrowdUser(httpAuthenticationContext.getUsername())) {
            this.log.trace("Not delegating HTTP authentication because we are in dev mode and user {} exists locally", httpAuthenticationContext.getUsername());
            return null;
        }
        InternalUpstreamServer internalUpstreamServer = this.upstreamService.get();
        if (internalUpstreamServer == null) {
            this.log.info("Not delegating HTTP authentication because this mirror is not installed on an upstream server");
            return null;
        }
        Repository repositoryFromRequest = getRepositoryFromRequest(httpAuthenticationContext.getRequest());
        switch (internalUpstreamServer.getType()) {
            case BITBUCKET_CLOUD:
                return authenticateCloud(internalUpstreamServer, repositoryFromRequest, httpAuthenticationContext.getMethod(), username, str);
            case BITBUCKET_SERVER:
                return authenticateServer(internalUpstreamServer, repositoryFromRequest, username, str);
            default:
                this.log.info("Delegation failed due to unknown upstream type. Upstream: {}", MirrorDescriptionUtils.describe(internalUpstreamServer));
                return null;
        }
    }

    @Override // com.atlassian.bitbucket.auth.HttpAuthenticationHandler
    public void validateAuthentication(@Nonnull HttpAuthenticationContext httpAuthenticationContext) {
    }

    @VisibleForTesting
    protected boolean isDevMode() {
        return DevModeUtils.isEnabled();
    }

    private ApplicationUserWithPermissions authenticateCloud(UpstreamServer upstreamServer, Repository repository, String str, String str2, String str3) {
        List singletonList;
        if (!"basic".equals(str)) {
            this.log.trace("Authentication header is not of type {}. Skipping delegation.", "basic");
            return null;
        }
        if (repository == null) {
            this.log.trace("Repository not found");
            return null;
        }
        CloudAuthenticator createForCloud = this.authenticatorFactory.createForCloud(upstreamServer);
        if (!createForCloud.isAvailable(upstreamServer)) {
            return null;
        }
        String externalSlugByLocalId = this.repositoryMappingDao.getExternalSlugByLocalId(repository.getId());
        if (externalSlugByLocalId == null) {
            this.log.trace("No mapping for repository {}.", repository);
            return null;
        }
        try {
            createForCloud.checkRepositoryReadAccess(repository, externalSlugByLocalId, str2, str3);
            this.log.trace("Delegated authentication successful.");
            singletonList = ImmutableList.of((SimpleEffectiveRepositoryPermission) new SimpleEffectiveGlobalPermission(Permission.LICENSED_USER), new SimpleEffectiveRepositoryPermission(repository.getId(), Permission.REPO_READ));
        } catch (DelegatedAuthorisationException e) {
            this.log.debug("{}: delegated authorisation for repository {} by user {} - user lacks read privileges on the upstream server", repository, str2);
            singletonList = Collections.singletonList(new SimpleEffectiveGlobalPermission(Permission.LICENSED_USER));
        }
        return new SimpleApplicationUserWithPermissions(new SimpleUser(str2), singletonList);
    }

    private ApplicationUser authenticateServer(UpstreamServer upstreamServer, Repository repository, String str, String str2) {
        ServerAuthenticator createForServer = this.authenticatorFactory.createForServer(upstreamServer);
        if (!createForServer.isAvailable(upstreamServer)) {
            return null;
        }
        Integer num = null;
        if (repository != null) {
            AoRepositoryMapping byLocalId = this.repositoryMappingDao.getByLocalId(repository.getId());
            if (byLocalId == null) {
                this.log.trace("No mapping for repository {}.", repository);
                return null;
            }
            num = Integer.valueOf(byLocalId.getExternalId());
        }
        return localiseResourcePermissions(createForServer.authenticateUser(str, str2, num));
    }

    private Repository getRepositoryFromRequest(HttpServletRequest httpServletRequest) {
        RepositoryUrlFragment fromNamespacedPathInfo = httpServletRequest.getPathInfo() == null ? null : RepositoryUrlFragment.fromNamespacedPathInfo(httpServletRequest.getPathInfo());
        if (fromNamespacedPathInfo != null) {
            return (Repository) this.securityService.withPermission(Permission.REPO_READ, "Delegated HTTP authentication").call(() -> {
                return this.repositoryService.getBySlug(fromNamespacedPathInfo.getProjectNamespace(), fromNamespacedPathInfo.getProjectKey(), fromNamespacedPathInfo.getRepositorySlug());
            });
        }
        return null;
    }

    private boolean isLocalEmbeddedCrowdUser(String str) {
        return ((Boolean) this.securityService.withPermission(Permission.SYS_ADMIN, "Checking directory type during delegated authentication").call(() -> {
            String directoryName;
            DetailedUser userDetails = this.userAdminService.getUserDetails(str);
            if (userDetails != null && (directoryName = userDetails.getDirectoryName()) != null) {
                try {
                    return Boolean.valueOf(this.directoryManager.findDirectoryByName(directoryName).getType() == DirectoryType.INTERNAL);
                } catch (DirectoryNotFoundException e) {
                }
            }
            return false;
        })).booleanValue();
    }
}
