package com.atlassian.plugin.connect.plugin.auth.scope;

import com.atlassian.event.api.EventPublisher;
import com.atlassian.jwt.core.Clock;
import com.atlassian.jwt.core.SystemClock;
import com.atlassian.plugin.connect.api.auth.scope.AddonKeyExtractor;
import com.atlassian.plugin.connect.api.util.ServletUtils;
import com.atlassian.sal.api.user.UserKey;
import com.atlassian.sal.api.user.UserManager;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/atlassian-connect-plugin-1.1.100.jar:com/atlassian/plugin/connect/plugin/auth/scope/ApiScopingFilter.class */
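/**
 * Servlet filter that enforces Atlassian Connect API scopes on requests made by add-ons.
 *
 * <p>Only requests that {@link AddonKeyExtractor#isAddonRequest} identifies as add-on traffic are
 * inspected. For those, the filter first rejects URIs that change under normalisation, then resolves
 * the add-on key and performs a two-phase scope check: the request is checked against the add-on's
 * scopes before the rest of the chain runs, and the response is checked afterwards. Outcomes are
 * reported via {@link EventPublisher} as {@code ScopedRequestAllowedEvent} / {@code ScopedRequestDeniedEvent}.
 *
 * <p>Anything not recognised as an add-on request, and any add-on request for which no key can be
 * extracted, is passed down the chain untouched — this filter does not itself authenticate callers,
 * and presumably relies on other filters to reject unauthenticated add-on traffic (confirm against the
 * filter ordering in the plugin descriptor).
 */
public class ApiScopingFilter implements Filter {
    private static final Logger log = LoggerFactory.getLogger(ApiScopingFilter.class);
    private final AddonScopeManager addonScopeManager;
    private final UserManager userManager;
    private final EventPublisher eventPublisher;
    private final Clock clock;
    private final AddonKeyExtractor addonKeyExtractor;

    /**
     * Creates a filter that measures request duration with the wall-clock {@link SystemClock}.
     *
     * @param addonScopeManager  decides whether a request / response is within the add-on's scopes
     * @param userManager        used to resolve the acting user's key (for logging only)
     * @param eventPublisher     receives allowed / denied events for every scoped request
     * @param addonKeyExtractor  identifies add-on requests and extracts the add-on key from them
     */
    public ApiScopingFilter(AddonScopeManager addonScopeManager, UserManager userManager, EventPublisher eventPublisher, AddonKeyExtractor addonKeyExtractor) {
        this(addonScopeManager, userManager, eventPublisher, addonKeyExtractor, new SystemClock());
    }

    /**
     * Creates a filter with an injectable clock (useful for deterministic timing in tests).
     *
     * @param clock source of timestamps used to compute the elapsed time reported in allowed events
     */
    public ApiScopingFilter(AddonScopeManager addonScopeManager, UserManager userManager, EventPublisher eventPublisher, AddonKeyExtractor addonKeyExtractor, Clock clock) {
        this.addonScopeManager = addonScopeManager;
        this.userManager = userManager;
        this.eventPublisher = eventPublisher;
        this.addonKeyExtractor = addonKeyExtractor;
        this.clock = clock;
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // No init-parameters are read; every collaborator arrives via the constructor.
    }

    /**
     * Applies scope enforcement to add-on requests and passes everything else straight through.
     *
     * <p>An add-on request whose URI differs from its normalised form is rejected with 400 before any
     * scope decision is made — presumably so that the scope check is never evaluated against a path
     * other than the one that would actually be served. An add-on request with no extractable key is
     * forwarded down the chain without a scope check.
     *
     * @throws IOException      if writing the error response or the downstream chain fails
     * @throws ServletException if the downstream chain fails (see {@link #handleScopedRequest})
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        if (addonKeyExtractor.isAddonRequest(request)) {
            if (ServletUtils.normalisedAndOriginalRequestUrisDiffer(request)) {
                log.warn("Request URI '{}' was deemed as improperly formed as it did not normalise as expected", request.getRequestURI());
                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "The request URI is improperly formed");
                return;
            }
            String addonKey = addonKeyExtractor.getAddonKeyFromHttpRequest(request);
            if (addonKey != null) {
                handleScopedRequest(addonKey, request, response, filterChain);
                return;
            }
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Runs the two-phase scope check for a request attributed to {@code addonKey}.
     *
     * <p>Phase one checks the (body-consuming) request wrapper before the chain is invoked; a miss
     * produces a 403 and a denied event without running downstream code. Phase two checks the
     * response after the chain has completed. Note that by then the downstream handler has already
     * executed, so a response-scope denial can only withhold the response, not undo side effects.
     *
     * <p>Any exception escaping the try block — including one thrown while writing the 403 in phase
     * two — is reported as a {@code ScopedRequestAllowedEvent} with status 500 and rethrown wrapped in
     * a {@link ServletException}. If the wrapped response is already committed when phase two denies,
     * {@code sendError} may throw and take this path; confirm against {@code ContentTypeAwareResponse}.
     *
     * @param addonKey    key of the add-on making the request
     * @param request     the original, unwrapped request
     * @param response    the original, unwrapped response
     * @param filterChain remainder of the filter chain
     * @throws IOException      if writing the response fails
     * @throws ServletException wrapping any exception thrown by the chain or the response-scope check
     */
    private void handleScopedRequest(String addonKey, HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException {
        long startMillis = clock.now().getTime();
        InputConsumingHttpServletRequest scopedRequest = new InputConsumingHttpServletRequest(request);
        // Resolved from the original request and used for logging only.
        UserKey remoteUserKey = userManager.getRemoteUserKey(request);
        ContentTypeAwareResponse scopedResponse = new ContentTypeAwareResponse(response);
        if (!addonScopeManager.isRequestInApiScope(scopedRequest, addonKey)) {
            respondOutOfAuthorizedScope(addonKey, request, response, remoteUserKey);
            return;
        }
        log.debug("Authorized add-on '{}' to access API at URL '{} {}' for user '{}'", addonKey, request.getMethod(), request.getRequestURI(), remoteUserKey);
        try {
            // The wrappers are what downstream code sees; the scope manager already consumed the
            // body through scopedRequest, so the same wrapper must be passed on.
            filterChain.doFilter(scopedRequest, scopedResponse);
            if (addonScopeManager.isResponseInApiScope(request, scopedResponse, addonKey)) {
                eventPublisher.publish(new ScopedRequestAllowedEvent(request, addonKey, scopedResponse.getStatusCode(), clock.now().getTime() - startMillis));
            } else {
                respondOutOfAuthorizedScope(addonKey, request, scopedResponse, remoteUserKey);
            }
        } catch (Exception e) {
            eventPublisher.publish(new ScopedRequestAllowedEvent(request, addonKey, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, clock.now().getTime() - startMillis));
            // initCause rather than the two-arg constructor: keeps the cause visible via getCause()
            // regardless of which servlet-api version backs ServletException.
            ServletException wrapped = new ServletException("Unhandled error in ApiScopingFilter");
            wrapped.initCause(e);
            throw wrapped;
        }
    }

    /**
     * Writes a 403 for a request that is outside the add-on's authorised scopes and publishes a
     * {@code ScopedRequestDeniedEvent}. The event is published only after {@code sendError} returns.
     *
     * @param addonKey key of the denied add-on
     * @param request  request being denied (method and URI are logged)
     * @param response response to write the 403 to
     * @param userKey  acting user, for the log line only
     * @throws IOException if writing the error response fails
     */
    private void respondOutOfAuthorizedScope(String addonKey, HttpServletRequest request, HttpServletResponse response, UserKey userKey) throws IOException {
        log.warn("Request not in an authorized API scope from add-on '{}' as user '{}' on URL '{} {}'", addonKey, userKey, request.getMethod(), request.getRequestURI());
        response.sendError(HttpServletResponse.SC_FORBIDDEN, "Request not in an authorized API scope");
        eventPublisher.publish(new ScopedRequestDeniedEvent(request, addonKey));
    }

    @Override
    public void destroy() {
        // Nothing to release; the filter holds no resources of its own.
    }
}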
