package com.atlassian.stash.internal.spring.security;

import com.atlassian.bitbucket.Product;
import com.atlassian.bitbucket.auth.AuthenticationSystemException;
import com.atlassian.bitbucket.auth.CaptchaAuthenticationException;
import com.atlassian.bitbucket.auth.HttpAuthenticationContext;
import com.atlassian.bitbucket.auth.InactiveUserAuthenticationException;
import com.atlassian.bitbucket.auth.NoAccessAuthenticationException;
import com.atlassian.bitbucket.i18n.I18nService;
import com.atlassian.bitbucket.permission.Permission;
import com.atlassian.bitbucket.user.NoSuchUserException;
import com.atlassian.stash.internal.annotation.Profiled;
import com.atlassian.stash.internal.auth.InternalAuthenticationService;
import com.atlassian.stash.internal.user.InternalPermissionService;
import com.atlassian.stash.internal.user.StashUserAuthenticationToken;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.stereotype.Component;

/**
 * Spring Security {@link AuthenticationProvider} that delegates the authentication decision to
 * {@link InternalAuthenticationService} and translates the product's authentication exceptions
 * into Spring Security exception types.
 *
 * <p>After the service returns a token, the provider also requires the authenticated user to hold
 * the {@code LICENSED_USER} global permission. A successful credential check alone is therefore
 * not enough to obtain an {@link Authentication}.
 *
 * <p>NOTE(review): every failure except the system-error case is logged at DEBUG and without the
 * user name. At common production log levels this class leaves no trace of failed attempts, so
 * confirm that failed logins are recorded elsewhere (audit events, access logs) if they are
 * needed for brute-force detection.
 */
@Component("authenticationProvider")
/* loaded from: input_file:WEB-INF/classes/com/atlassian/stash/internal/spring/security/PluginAuthenticationProvider.class */
public class PluginAuthenticationProvider implements AuthenticationProvider {
    private static final Logger log = LoggerFactory.getLogger(PluginAuthenticationProvider.class);

    private final InternalAuthenticationService authenticationService;
    private final I18nService i18nService;
    private final InternalPermissionService permissionService;

    /**
     * Creates the provider with its collaborators; the arguments are stored as-is.
     *
     * @param internalAuthenticationService service that performs the actual authentication
     * @param i18nService source of the localized "not licensed" message
     * @param internalPermissionService service used for the licensed-user check
     */
    @Autowired
    public PluginAuthenticationProvider(InternalAuthenticationService internalAuthenticationService, I18nService i18nService, InternalPermissionService internalPermissionService) {
        this.permissionService = internalPermissionService;
        this.i18nService = i18nService;
        this.authenticationService = internalAuthenticationService;
    }

    /**
     * Authenticates the request described by the supplied {@link HttpAuthenticationContextToken}.
     *
     * <p>The argument is cast without a type check; callers are expected to consult
     * {@link #supports(Class)} first, otherwise a {@link ClassCastException} escapes.
     *
     * @param authentication token wrapping the {@link HttpAuthenticationContext} to authenticate
     * @return the authenticated token, or {@code null} when the authentication service returns an
     *         empty result (under the Spring contract, {@code null} means this provider made no
     *         decision)
     * @throws AuthenticationServiceException when the authentication service reports a system error
     * @throws LockedException when a CAPTCHA is required
     * @throws DisabledException when the user is inactive or lacks the licensed-user permission
     * @throws BadCredentialsException for any other authentication failure or an unknown user
     */
    @Override
    @Profiled
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        HttpAuthenticationContextToken contextToken = (HttpAuthenticationContextToken) authentication;
        HttpAuthenticationContext authContext = contextToken.getContext();
        try {
            Optional<StashUserAuthenticationToken> result = this.authenticationService.authenticate(authContext);
            // The licence check runs inside the try block so that the NoAccessAuthenticationException
            // raised here is translated by the matching catch clause below.
            if (result.isPresent()
                    && !this.permissionService.hasGlobalPermission(result.get(), Permission.LICENSED_USER)) {
                throw new NoAccessAuthenticationException(
                        this.i18nService.createKeyedMessage("bitbucket.web.auth.notlicensed", Product.NAME));
            }
            return result.orElse(null);
        } catch (AuthenticationSystemException systemFailure) {
            // NOTE(review): the user name is presumably taken from the unauthenticated request;
            // confirm that the log layout neutralises CR/LF so the value cannot forge log lines.
            log.warn("Could not authenticate {}", authContext.getUsername(), systemFailure);
            throw new AuthenticationServiceException(systemFailure.getLocalizedMessage(), systemFailure);
        } catch (CaptchaAuthenticationException captchaRequired) {
            log.debug("Authentication failed - CAPTCHA required");
            throw new LockedException(captchaRequired.getLocalizedMessage(), captchaRequired);
        } catch (InactiveUserAuthenticationException inactiveUser) {
            log.debug("Authentication failed - User is inactive");
            throw new DisabledException(inactiveUser.getLocalizedMessage(), inactiveUser);
        } catch (NoAccessAuthenticationException unlicensedUser) {
            log.debug("Authentication failed - User is not licensed");
            throw new DisabledException(unlicensedUser.getLocalizedMessage(), unlicensedUser);
        } catch (com.atlassian.bitbucket.auth.AuthenticationException otherFailure) {
            // General product exception: it must stay below the more specific clauses above,
            // which presumably catch its subclasses.
            log.debug("Authentication failed - Bad credentials");
            throw new BadCredentialsException(otherFailure.getLocalizedMessage(), otherFailure);
        } catch (NoSuchUserException unknownUser) {
            // Same Spring exception type as a bad password, so the type alone does not reveal
            // whether the account exists. NOTE(review): the localized message is passed through
            // unchanged; verify it does not differ from the bad-credentials message wherever it
            // is shown to the client.
            log.debug("Authentication failed - User not found");
            throw new BadCredentialsException(unknownUser.getLocalizedMessage(), unknownUser);
        }
    }

    /**
     * Reports whether this provider can handle the given token class.
     *
     * @param cls the authentication token class being offered
     * @return {@code true} only for {@link HttpAuthenticationContextToken} and its subclasses
     */
    @Override
    public boolean supports(Class<?> cls) {
        return HttpAuthenticationContextToken.class.isAssignableFrom(cls);
    }
}
