package com.atlassian.plugin.connect.plugin.auth.oauth2;

import com.atlassian.plugin.connect.plugin.auth.oauth2.ConnectAccessTokenAuthorizationService;
import com.atlassian.plugin.connect.plugin.lifecycle.ConnectAddonManager;
import com.atlassian.sal.api.features.DarkFeatureManager;
import io.atlassian.micros.oauth2.accesstoken.SessionClaimSet;
import java.security.Principal;
import java.util.Optional;
import javax.annotation.Nonnull;
import org.hsqldb.Tokens;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

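@Component
/* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/atlassian-connect-plugin-1.1.100.jar:com/atlassian/plugin/connect/plugin/auth/oauth2/ConnectAccessTokenAuthorizationServiceImpl.class */
/**
 * Decides whether the add-on identified by an OAuth2 access token may act as (impersonate) the
 * user named in that token, and if so resolves the principal to run the request as.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Only impersonation is supported: a claim set without an impersonated user id is rejected.</li>
 *   <li>Impersonation is gated by the dark feature
 *       {@code ConnectAddonManager.DARK_FEATURE_OAUTH2_IMPERSONATION}; when it is off the method
 *       returns an empty result instead of a principal.</li>
 *   <li>When the feature is on but no principal can be resolved for the (user, client) pair, the
 *       request fails with an {@code AuthorizationException} rather than an empty result.</li>
 * </ul>
 */
public class ConnectAccessTokenAuthorizationServiceImpl implements ConnectAccessTokenAuthorizationService {
    private static final Logger log = LoggerFactory.getLogger(ConnectAccessTokenAuthorizationServiceImpl.class);

    /** Reason reported when the impersonated user cannot be resolved to a principal. */
    private static final String NO_ACTIVE_USER_REASON = "no valid active user exists";

    private final AddonPrincipalService addonPrincipalService;
    private final OAuthClientManager oAuthClientManager;
    private final DarkFeatureManager darkFeatureManager;

    /**
     * Creates the service with its collaborators (injected by Spring).
     *
     * @param addonPrincipalService resolves the impersonating principal for a user id and OAuth client id
     * @param oAuthClientManager maps an OAuth client id to an add-on key (used for log and error text only)
     * @param darkFeatureManager answers whether OAuth2 impersonation is switched on
     */
    @Autowired
    public ConnectAccessTokenAuthorizationServiceImpl(AddonPrincipalService addonPrincipalService, OAuthClientManager oAuthClientManager, DarkFeatureManager darkFeatureManager) {
        this.addonPrincipalService = addonPrincipalService;
        this.oAuthClientManager = oAuthClientManager;
        this.darkFeatureManager = darkFeatureManager;
    }

    /**
     * Resolves the principal an add-on may impersonate for the given access-token claims.
     *
     * @param sessionClaimSet claims taken from the access token; supplies the impersonated user id
     *     and the OAuth client id
     * @return the impersonating principal, or an empty {@code Optional} when the impersonation
     *     dark feature is disabled
     * @throws IllegalStateException if the claim set carries no impersonated user id
     * @throws ConnectAccessTokenAuthorizationService.AuthorizationException if impersonation is
     *     enabled but no principal can be resolved for the user id and client id
     */
    @Override // com.atlassian.plugin.connect.plugin.auth.oauth2.ConnectAccessTokenAuthorizationService
    public Optional<Principal> authorize(@Nonnull SessionClaimSet sessionClaimSet) throws IllegalArgumentException, ConnectAccessTokenAuthorizationService.AuthorizationException {
        // Parameterized form: the claim set is only rendered when TRACE is enabled.
        // NOTE(review): this writes the whole claim set to the log; confirm its toString() exposes
        // nothing that should stay out of log files before enabling TRACE in production.
        log.trace("ConnectAccessTokenAuthorizationServiceImpl.authorize: claimSet is {}", sessionClaimSet);

        final String impersonatedUserId = sessionClaimSet.getImpersonatedUserId();
        final String oauthClientId = sessionClaimSet.getOauthClientId();
        if (impersonatedUserId == null) {
            // NOTE(review): the signature advertises IllegalArgumentException, but this path throws
            // IllegalStateException. The type is kept so existing callers see no change; confirm
            // that whoever handles a malformed token also handles this exception.
            throw new IllegalStateException("Non impersonation not currently supported via OAuth2. Missing sub claim");
        }

        // Looked up once and reused for every log line and error message below.
        final String addonKey = getAddonKey(oauthClientId);

        // NOTE(review): the gate is evaluated "for the current user"; presumably that is the
        // request's ambient user rather than the impersonated one - confirm this is intended.
        if (!this.darkFeatureManager.isFeatureEnabledForCurrentUser(ConnectAddonManager.DARK_FEATURE_OAUTH2_IMPERSONATION)) {
            log.debug("NOT allowing add-on '{}' to impersonate the user because the dark feature '{}' is disabled.", addonKey, ConnectAddonManager.DARK_FEATURE_OAUTH2_IMPERSONATION);
            return Optional.empty();
        }

        // The original message had two placeholders for three arguments, so the user id was
        // printed where the dark feature name belongs and the feature name was dropped. Each
        // argument now has its own placeholder, which also records who is being impersonated.
        log.debug("Allowing add-on '{}' to impersonate the user '{}' because the dark feature '{}' is enabled.", addonKey, impersonatedUserId, ConnectAddonManager.DARK_FEATURE_OAUTH2_IMPERSONATION);

        final Optional<ImpersonatedPrincipal<AddonPrincipal>> resolved = this.addonPrincipalService.lookupImpersonatingPrincipal(impersonatedUserId, oauthClientId);
        if (!resolved.isPresent()) {
            // Fail closed: with impersonation enabled, an unresolvable user is an error, not "anonymous".
            throw new ConnectAccessTokenAuthorizationService.AuthorizationException(String.format("Add-on '%s' disallowed to impersonate the user because '%s'", addonKey, NO_ACTIVE_USER_REASON));
        }
        // Widen to Optional<Principal>; replaces the identity flatMap the original used for the same upcast.
        return Optional.<Principal>of(resolved.get());
    }

    /**
     * Returns the add-on key registered for an OAuth client id, for use in log and error text.
     *
     * @param str the OAuth client id taken from the access token
     * @return the add-on key, or the fallback constant when no add-on is registered for the id
     */
    private String getAddonKey(String str) {
        // NOTE(review): the fallback comes from HSQLDB's Tokens class, which looks like a
        // decompiler substitution for an inlined string constant; confirm the value and replace
        // it with a constant owned by this class so the service does not depend on org.hsqldb.
        return this.oAuthClientManager.findAddonKeyByClientId(str).orElse(Tokens.T_UNKNOWN);
    }
}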
