package com.atlassian.bitbucket.internal.mirroring.mirror.auth.http;

import com.atlassian.bitbucket.auth.ExpiredAuthenticationException;
import com.atlassian.bitbucket.auth.HttpAuthenticationContext;
import com.atlassian.bitbucket.auth.HttpAuthenticationHandler;
import com.atlassian.bitbucket.i18n.I18nService;
import com.atlassian.bitbucket.internal.mirroring.mirror.InternalUpstreamServer;
import com.atlassian.bitbucket.internal.mirroring.mirror.InternalUpstreamService;
import com.atlassian.bitbucket.internal.mirroring.mirror.MirrorAuthenticationContext;
import com.atlassian.bitbucket.internal.mirroring.mirror.MirrorConstants;
import com.atlassian.bitbucket.internal.mirroring.mirror.UpstreamUserHelper;
import com.atlassian.bitbucket.permission.Permission;
import com.atlassian.bitbucket.user.ApplicationUser;
import com.atlassian.bitbucket.user.ServiceUser;
import com.atlassian.jwt.JwtConstants;
import com.atlassian.sal.api.transaction.TransactionTemplate;
import java.util.Optional;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Qualifier;

/* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/bitbucket-mirroring-mirror-5.16.0.jar:com/atlassian/bitbucket/internal/mirroring/mirror/auth/http/UpstreamServerUserAuthenticationHandler.class */
/**
 * HTTP authentication handler used on a mirror to authenticate requests that come from
 * the upstream server.
 *
 * <p>A request is mapped to the upstream's service user only when this instance is a
 * mirror, the authentication method is {@code "token"}, and the JWT issuer id found on
 * the request equals the issuer id of the configured upstream server.
 *
 * <p>NOTE(review): this class never verifies a JWT signature itself. It only reads the
 * issuer id from a request attribute, which is presumably populated by an earlier JWT
 * verification step that is not visible in this file. Confirm that the attribute cannot
 * be set for a request whose token failed verification.
 */
public class UpstreamServerUserAuthenticationHandler implements HttpAuthenticationHandler {
    private static final Logger log = LoggerFactory.getLogger(UpstreamServerUserAuthenticationHandler.class);

    private final MirrorAuthenticationContext mirrorAuthenticationContext;
    private final I18nService i18nService;
    private final InternalUpstreamService upstreamService;
    private final TransactionTemplate transactionTemplate;
    private final UpstreamUserHelper upstreamUserHelper;

    /**
     * Stores the collaborators this handler needs; no other work is done here.
     *
     * @param internalUpstreamService reports whether this instance is a mirror and supplies the upstream server
     * @param transactionTemplate wraps the upstream/user lookup in a transaction
     * @param i18nService builds the keyed message carried by the expiry exception
     * @param upstreamUserHelper resolves the service user that belongs to an upstream server
     * @param mirrorAuthenticationContext supplies the upstream user (if any) already bound to the request
     */
    public UpstreamServerUserAuthenticationHandler(InternalUpstreamService internalUpstreamService, TransactionTemplate transactionTemplate, I18nService i18nService, UpstreamUserHelper upstreamUserHelper, @Qualifier("defaultMirrorAuthenticationContext") MirrorAuthenticationContext mirrorAuthenticationContext) {
        this.upstreamService = internalUpstreamService;
        this.transactionTemplate = transactionTemplate;
        this.i18nService = i18nService;
        this.upstreamUserHelper = upstreamUserHelper;
        this.mirrorAuthenticationContext = mirrorAuthenticationContext;
    }

    /**
     * Rejects an already-authenticated upstream user when the request carries a JWT
     * issuer id, so that such a request is authenticated afresh.
     *
     * <p>Does nothing when no upstream user is currently bound, or when the request has
     * no JWT issuer attribute.
     *
     * @param httpAuthenticationContext the context of the request being validated
     * @throws ExpiredAuthenticationException if an upstream user is present and the
     *         request has a non-null JWT issuer attribute
     */
    @Override
    public void validateAuthentication(@Nonnull HttpAuthenticationContext httpAuthenticationContext) {
        this.mirrorAuthenticationContext.getCurrentUpstreamUser().ifPresent(upstreamUser -> {
            // Only the presence (non-null) of the issuer attribute matters on this path.
            if (getJwtIssuerId(httpAuthenticationContext) == null) {
                return;
            }
            log.debug("Re-authenticating upstream user {} because the request is JWT signed", upstreamUser.getName());
            throw new ExpiredAuthenticationException(
                    this.i18nService.createKeyedMessage("bitbucket.mirroring.authentication.jwt.session.expired"));
        });
    }

    /**
     * Authenticates a token request from the upstream server as the upstream's service user.
     *
     * <p>As a side effect of a successful authentication, the permission named by the
     * {@link MirrorConstants#PARAM_HIGHEST_PERM} request parameter is stored on the
     * request under {@link MirrorConstants#ATTR_JWT_HIGHEST_PERM}; a missing or unknown
     * name is stored as {@code null}.
     *
     * @param httpAuthenticationContext the context of the request being authenticated
     * @return the active service user for the upstream server, or {@code null} when this
     *         instance is not a mirror, the method is not {@code "token"}, the request
     *         has no issuer id, the issuer id does not match the upstream server, or no
     *         active service user exists for it
     */
    @Override
    @Nullable
    public ApplicationUser authenticate(@Nonnull HttpAuthenticationContext httpAuthenticationContext) {
        if (!this.upstreamService.isMirror()) {
            return null;
        }
        if (!"token".equals(httpAuthenticationContext.getMethod())) {
            return null;
        }

        String jwtIssuerId = getJwtIssuerId(httpAuthenticationContext);
        if (StringUtils.isEmpty(jwtIssuerId)) {
            return null;
        }

        return (ApplicationUser) this.transactionTemplate.execute(() -> {
            InternalUpstreamServer upstream = this.upstreamService.get();
            if (upstream == null) {
                return null;
            }
            // The issuer must be exactly the configured upstream; any other issuer is
            // left for another handler (or nobody) to authenticate.
            if (!Optional.of(jwtIssuerId).equals(upstream.getIssuerId())) {
                return null;
            }

            ServiceUser upstreamUser = this.upstreamUserHelper.getUserForUpstream(upstream.getId());
            if (upstreamUser == null || !upstreamUser.isActive()) {
                return null;
            }

            // NOTE(review): the permission ceiling is taken from a request parameter, so
            // its integrity depends on the JWT covering the query string. That check is
            // not visible in this file and should be confirmed. Consumers of the
            // attribute should also be checked for how they treat a null value; it
            // should be treated as the most restrictive case.
            HttpServletRequest servletRequest = httpAuthenticationContext.getRequest();
            String requestedPermission = servletRequest.getParameter(MirrorConstants.PARAM_HIGHEST_PERM);
            servletRequest.setAttribute(MirrorConstants.ATTR_JWT_HIGHEST_PERM, toPermissionOrNull(requestedPermission));
            return upstreamUser;
        });
    }

    /**
     * Reads the JWT issuer id that was attached to the request as an attribute.
     *
     * @return the attribute value, or {@code null} if the attribute is not set
     */
    private String getJwtIssuerId(@Nonnull HttpAuthenticationContext httpAuthenticationContext) {
        HttpServletRequest servletRequest = httpAuthenticationContext.getRequest();
        Object issuerAttribute = servletRequest.getAttribute(JwtConstants.HttpRequests.ADD_ON_ID_ATTRIBUTE_NAME);
        return (String) issuerAttribute;
    }

    /**
     * Converts a permission name to a {@link Permission}.
     *
     * @param name the permission name; may be {@code null} or empty
     * @return the matching permission, or {@code null} when the name is empty or is
     *         rejected by {@link Permission#valueOf(String)}
     */
    private Permission toPermissionOrNull(String name) {
        if (!StringUtils.isEmpty(name)) {
            try {
                return Permission.valueOf(name);
            } catch (IllegalArgumentException ignored) {
                // An unknown permission name is deliberately mapped to "no permission given".
            }
        }
        return null;
    }
}
