package com.atlassian.plugin.connect.plugin.auth.oauth2;

import com.atlassian.asap.core.JwtConstants;
import com.atlassian.jwt.JwtConstants;
import com.atlassian.plugin.connect.plugin.auth.DefaultMessage;
import com.atlassian.sal.api.auth.Authenticator;
import io.atlassian.micros.oauth2.accesstoken.ConnectSessionAuthToken;
import io.atlassian.micros.oauth2.accesstoken.SessionClaimSet;
import java.security.Principal;
import java.text.ParseException;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.validation.ValidationException;
import org.hsqldb.Tokens;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

/**
 * SAL {@link Authenticator} for requests whose {@code Authorization} header carries a Connect
 * session auth token under the Bearer scheme.
 *
 * <p>Flow, as implemented in {@link #authenticate}: extract the Bearer credentials, pass them to
 * the token validator, hand the resulting {@link SessionClaimSet} to the authorization service
 * and, when a principal comes back, tag the request with the add-on key and the impersonated
 * user id.
 *
 * <p>NOTE(review): this listing is decompiler output (see the "loaded from" marker below). The
 * file imports two classes named {@code JwtConstants}, and {@link #getAddonKey} falls back to a
 * constant from {@code org.hsqldb.Tokens}; both look like decompiler substitutions. Confirm
 * against the original source before relying on either.
 */
@Component
/* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/atlassian-connect-plugin-1.1.100.jar:com/atlassian/plugin/connect/plugin/auth/oauth2/ConnectAccessTokenAuthenticator.class */
public class ConnectAccessTokenAuthenticator implements Authenticator {
    private static final Logger log = LoggerFactory.getLogger(ConnectAccessTokenAuthenticator.class);

    /** Name of the request header the credentials are read from. */
    private static final String AUTHORIZATION_HEADER = "Authorization";

    private final ConnectAccessTokenAuthorizationService tokenAuthorizationService;
    private final OAuthClientManager oAuthClientManager;
    private final ACConnectSessionAuthTokenValidator tokenValidator;

    /**
     * Wires the three collaborators; nothing else happens at construction time.
     *
     * @param connectAccessTokenAuthorizationService maps a validated claim set to a principal
     * @param oAuthClientManager resolves an OAuth client id to an add-on key
     * @param aCConnectSessionAuthTokenValidator parses and validates the raw Bearer credentials
     */
    @Autowired
    public ConnectAccessTokenAuthenticator(ConnectAccessTokenAuthorizationService connectAccessTokenAuthorizationService, OAuthClientManager oAuthClientManager, ACConnectSessionAuthTokenValidator aCConnectSessionAuthTokenValidator) {
        this.tokenValidator = aCConnectSessionAuthTokenValidator;
        this.oAuthClientManager = oAuthClientManager;
        this.tokenAuthorizationService = connectAccessTokenAuthorizationService;
    }

    /**
     * Attempts to authenticate the request from its Bearer token.
     *
     * <p>Outcomes:
     * <ul>
     *   <li>{@code NoAttempt}: no {@code Authorization} header, no Bearer credentials in it, the
     *       validator returned no token, or the token carried no session claim set.</li>
     *   <li>{@code Success}: a claim set was obtained. The principal is whatever the
     *       authorization service returned and is {@code null} when it returned nothing.</li>
     *   <li>{@code Failure}: {@link IllegalArgumentException}, {@link ParseException} or
     *       {@link ValidationException} was thrown while processing the token.</li>
     *   <li>{@code Error}: any other exception.</li>
     * </ul>
     *
     * <p>NOTE(review): a Bearer credential for which the validator yields no token is reported
     * as {@code NoAttempt}, not {@code Failure}. That is presumably so other authenticators
     * sharing the scheme can try. Confirm that nothing downstream treats {@code NoAttempt} as
     * an authenticated request.
     *
     * <p>NOTE(review): {@code Success} with a {@code null} principal is reachable, and the
     * request is not tagged in that case. Callers should not equate {@code Success} with an
     * identified user; confirm how the filter chain handles it.
     *
     * @param httpServletRequest request whose header is inspected and which is tagged on success
     * @param httpServletResponse not used by this implementation
     * @return the authentication outcome as described above
     */
    @Override // com.atlassian.sal.api.auth.Authenticator
    public Authenticator.Result authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        log.trace("ConnectAccessTokenAuthenticator: authenticate");
        final String authorizationValue = httpServletRequest.getHeader(AUTHORIZATION_HEADER);
        if (authorizationValue == null) {
            return new Authenticator.Result.NoAttempt();
        }
        // The nesting is deliberate: the outer catch also covers anything thrown while the inner
        // handler builds its Failure result.
        try {
            try {
                final Optional<AuthorizationHeader> bearer = AuthorizationHeader.extractForScheme(authorizationValue, JwtConstants.BEARER_AUTHENTICATION_SCHEME);
                if (!bearer.isPresent()) {
                    log.trace("ConnectAccessTokenAuthenticator: no Bearer token in request");
                    return new Authenticator.Result.NoAttempt();
                }

                final Optional<ConnectSessionAuthToken> token = this.tokenValidator.parseAndValidate(bearer.get().credentials);
                if (!token.isPresent()) {
                    return new Authenticator.Result.NoAttempt();
                }
                final Optional<SessionClaimSet> claims = token.get().getSessionClaimSet();
                if (!claims.isPresent()) {
                    return new Authenticator.Result.NoAttempt();
                }

                final SessionClaimSet sessionClaims = claims.get();
                final Optional<Principal> principal = this.tokenAuthorizationService.authorize(sessionClaims);
                if (principal.isPresent()) {
                    // Request attributes are only written when a principal was resolved.
                    tagRequest(httpServletRequest, sessionClaims);
                }
                // This line is emitted even when `principal` is empty, so the trace message alone
                // does not prove that a user was resolved.
                if (log.isTraceEnabled()) {
                    log.trace("ConnectAccessTokenAuthenticator: successfully authenticated access token. Principal is: " + principal);
                }
                return new Authenticator.Result.Success(new DefaultMessage("Successful addon oauth authentication"), principal.orElse(null));
            } catch (IllegalArgumentException | ParseException | ValidationException rejected) {
                return handleFailure(rejected);
            }
        } catch (Exception unexpected) {
            return handleError(unexpected);
        }
    }

    /**
     * Logs an unexpected exception at WARN with its stack trace and wraps its message in an
     * {@code Error} result.
     *
     * <p>NOTE(review): the raw exception message goes into both the log line and the result
     * message. Where {@code DefaultMessage} is rendered is not visible here; confirm it is not
     * returned verbatim to the client, and that request-derived text in the message cannot
     * break log line structure.
     */
    private Authenticator.Result handleError(Exception exc) {
        final String detail = exc.getMessage();
        log.warn("Error during Connect Access Token authentication: " + detail, exc);
        return new Authenticator.Result.Error(new DefaultMessage(detail));
    }

    /**
     * Logs a rejected token at INFO (stack trace at DEBUG only) and wraps the exception message
     * in a {@code Failure} result.
     *
     * <p>NOTE(review): the exception message is reused for both the log line and the result.
     * It may echo parts of the presented token; confirm what the validator puts in it.
     */
    private Authenticator.Result handleFailure(Exception exc) {
        final String detail = exc.getMessage();
        log.info("Connect Access Token authentication failed: " + detail);
        log.debug("Stack Trace was: ", exc);
        return new Authenticator.Result.Failure(new DefaultMessage(detail));
    }

    /**
     * Records on the request which add-on the token belongs to and which user it impersonates.
     * The add-on key is derived from the claim set's OAuth client id, and the subject is the
     * claim set's impersonated user id.
     */
    private void tagRequest(HttpServletRequest httpServletRequest, SessionClaimSet sessionClaimSet) {
        final String addonKey = getAddonKey(sessionClaimSet.getOauthClientId());
        httpServletRequest.setAttribute(JwtConstants.HttpRequests.ADD_ON_ID_ATTRIBUTE_NAME, addonKey);
        httpServletRequest.setAttribute(JwtConstants.HttpRequests.JWT_SUBJECT_ATTRIBUTE_NAME, sessionClaimSet.getImpersonatedUserId());
    }

    /**
     * Resolves an OAuth client id to an add-on key, falling back to {@code Tokens.T_UNKNOWN}
     * when the client manager has no mapping.
     *
     * <p>NOTE(review): with the fallback, the add-on attribute is still set for an unmapped
     * client id. Any downstream check keyed on that attribute must treat the placeholder as
     * "no add-on"; confirm against consumers of the attribute.
     */
    private String getAddonKey(String clientId) {
        return this.oAuthClientManager.findAddonKeyByClientId(clientId).orElse(Tokens.T_UNKNOWN);
    }
}
