package com.atlassian.jira.security.login;

import com.atlassian.crowd.embedded.api.CrowdService;
import com.atlassian.crowd.embedded.api.User;
import com.atlassian.crowd.exception.FailedAuthenticationException;
import com.atlassian.event.api.EventPublisher;
import com.atlassian.jira.bc.security.login.CaptchaChallengeRequired;
import com.atlassian.jira.bc.security.login.DeniedReason;
import com.atlassian.jira.bc.security.login.LoginInfoImpl;
import com.atlassian.jira.bc.security.login.LoginLoggers;
import com.atlassian.jira.bc.security.login.LoginReason;
import com.atlassian.jira.bc.security.login.LoginResult;
import com.atlassian.jira.bc.security.login.LoginResultImpl;
import com.atlassian.jira.event.user.LoginEvent;
import com.atlassian.jira.event.user.LogoutEvent;
import com.atlassian.jira.security.JiraAuthenticationContext;
import com.atlassian.jira.security.auth.AuthorisationManager;
import com.atlassian.jira.security.type.SingleUser;
import com.atlassian.jira.service.services.analytics.start.JiraStartAnalyticEvent;
import com.atlassian.jira.servlet.JiraCaptchaService;
import com.atlassian.jira.user.ApplicationUser;
import com.atlassian.jira.util.dbc.Assertions;
import com.atlassian.jira.util.log.Log4jKit;
import com.atlassian.jira.util.velocity.VelocityRequestContextFactory;
import com.atlassian.seraph.auth.Authenticator;
import com.atlassian.seraph.auth.AuthenticatorException;
import com.atlassian.seraph.config.SecurityConfigFactory;
import com.google.common.collect.Sets;
import com.octo.captcha.service.CaptchaServiceException;
import java.util.HashSet;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import webwork.action.ActionContext;
import webwork.action.factory.SessionMap;

/* loaded from: input_file:com/atlassian/jira/security/login/LoginManagerImpl.class */
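/**
 * Default {@link LoginManager}: the single place where a JIRA login attempt is
 * authenticated, subjected to the CAPTCHA "elevated security" check, authorised,
 * recorded in the {@link LoginStore} and written to the security-event log.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Once a user's failed-login count reaches the store's maximum
 *       ({@link #tweakLoginInfo}), {@link #authenticate} refuses to check the
 *       password at all and demands a CAPTCHA instead, which limits online
 *       password guessing.</li>
 *   <li>{@link #authenticateWithoutElevatedCheck} deliberately bypasses that
 *       CAPTCHA gate; callers must only use it where a CAPTCHA cannot be
 *       presented and brute-force protection is provided some other way.</li>
 *   <li>{@link #performElevatedSecurityCheck} fails closed: only an explicit
 *       {@code TRUE} from the CAPTCHA service passes.</li>
 *   <li>{@link #logout} invalidates the HTTP session and starts a fresh one.</li>
 *   <li>Passwords are never logged; only user names and failure counts are.</li>
 * </ul>
 */
public class LoginManagerImpl implements LoginManager {
    private static final Logger log = LoggerFactory.getLogger(LoginManagerImpl.class);
    /** Dedicated audit log for authentication pass/fail, CAPTCHA demands and logouts. */
    private static final org.apache.log4j.Logger loggerSecurityEvents = LoginLoggers.LOGIN_SECURITY_EVENTS;
    // NOTE(review): these two keys are built with `new String(...)` in the original; presumably
    // so they are not inlined as compile-time constants into dependent classes. Kept as-is.
    /** Request attribute set when the {@link AuthorisationManager} refused the login or role. */
    public static final String AUTHORISED_FAILURE = new String("com.atlassian.jira.security.login.LoginManager.AUTHORISED_FAILURE");
    /** Request attribute carrying the key of the user currently being authorised. */
    public static final String AUTHORISING_USER_KEY = new String("com.atlassian.jira.security.login.LoginManager.AUTHORISING_USER_KEY");
    /** Request attribute set when the CAPTCHA (elevated security) check failed. */
    private static final String ELEVATED_SECURITY_FAILURE = "com.atlassian.jira.security.login.LoginManager.ELEVATED_SECURITY_FAILURE";
    /** Request parameter holding the user's CAPTCHA answer. */
    private static final String OS_CAPTCHA = "os_captcha";
    /** Request attribute under which the {@link LoginResult} of the current attempt is stored. */
    private static final String LOGIN_RESULT_KEY = "com.atlassian.jira.security.login.LoginManager.LoginResult";
    /** Request attribute flagging that the logout page ran for this request. */
    private static final String LOGOUT_EXECUTED_KEY = "jira.logout.page.executed";
    private final LoginStore loginStore;
    private final JiraAuthenticationContext jiraAuthenticationContext;
    private final CrowdService crowdService;
    private final StaticDependencies staticDependencies;
    private final JiraCaptchaService jiraCaptchaService;
    private final VelocityRequestContextFactory velocityRequestContextFactory;
    private final EventPublisher eventPublisher;
    private final AuthorisationManager authorisationManager;

    /**
     * Production {@link StaticDependencies}: looks the Seraph authenticator up from the
     * static {@link SecurityConfigFactory} and checks passwords against Crowd.
     */
    /* loaded from: input_file:com/atlassian/jira/security/login/LoginManagerImpl$InternalStaticDependencies.class */
    private static class InternalStaticDependencies implements StaticDependencies {
        final CrowdService crowdService;

        private InternalStaticDependencies(CrowdService crowdService) {
            this.crowdService = crowdService;
        }

        @Override // com.atlassian.jira.security.login.LoginManagerImpl.StaticDependencies
        public Authenticator getAuthenticator() {
            return SecurityConfigFactory.getInstance().getAuthenticator();
        }

        /**
         * Verifies {@code str} (the password) for {@code user} against Crowd.
         *
         * @return {@code true} only if Crowd returned a user for the credentials;
         *         a {@link FailedAuthenticationException} is reported as {@code false}.
         */
        @Override // com.atlassian.jira.security.login.LoginManagerImpl.StaticDependencies
        public boolean authenticate(User user, String str) {
            try {
                return this.crowdService.authenticate(user.getName(), str) != null;
            } catch (FailedAuthenticationException e) {
                // Wrong password (or whatever Crowd reports as a failed authentication).
                return false;
            }
        }
    }

    /**
     * The two collaborators that are static/global in production, abstracted so tests
     * can substitute them (see the package-private constructor).
     */
    /* loaded from: input_file:com/atlassian/jira/security/login/LoginManagerImpl$StaticDependencies.class */
    interface StaticDependencies {
        Authenticator getAuthenticator();

        boolean authenticate(User user, String str);
    }

    public LoginManagerImpl(LoginStore loginStore, JiraAuthenticationContext jiraAuthenticationContext, CrowdService crowdService, JiraCaptchaService jiraCaptchaService, VelocityRequestContextFactory velocityRequestContextFactory, EventPublisher eventPublisher, AuthorisationManager authorisationManager) {
        this(new InternalStaticDependencies(crowdService), loginStore, jiraAuthenticationContext, crowdService, jiraCaptchaService, velocityRequestContextFactory, eventPublisher, authorisationManager);
    }

    /**
     * Package-private constructor allowing {@link StaticDependencies} to be injected.
     *
     * @throws IllegalArgumentException (via {@link Assertions#notNull}) if any of the first six
     *         collaborators is {@code null}; {@code eventPublisher} and {@code authorisationManager}
     *         are not checked here.
     */
    LoginManagerImpl(StaticDependencies staticDependencies, LoginStore loginStore, JiraAuthenticationContext jiraAuthenticationContext, CrowdService crowdService, JiraCaptchaService jiraCaptchaService, VelocityRequestContextFactory velocityRequestContextFactory, EventPublisher eventPublisher, AuthorisationManager authorisationManager) {
        this.loginStore = (LoginStore) Assertions.notNull("loginStore", loginStore);
        this.jiraAuthenticationContext = (JiraAuthenticationContext) Assertions.notNull("jiraAuthenticationContext", jiraAuthenticationContext);
        this.crowdService = (CrowdService) Assertions.notNull("crowdService", crowdService);
        this.jiraCaptchaService = (JiraCaptchaService) Assertions.notNull("jiraCaptchaService", jiraCaptchaService);
        this.staticDependencies = (StaticDependencies) Assertions.notNull("staticDependencies", staticDependencies);
        this.velocityRequestContextFactory = (VelocityRequestContextFactory) Assertions.notNull("velocityRequestContextFactory", velocityRequestContextFactory);
        this.eventPublisher = eventPublisher;
        this.authorisationManager = authorisationManager;
    }

    /**
     * Returns the login bookkeeping for the named user, with the elevated-security flag
     * computed from the store's failure threshold.
     *
     * @param str user name
     * @return the login info, or {@code null} if Crowd knows no such user
     */
    @Override // com.atlassian.jira.security.login.LoginManager
    public com.atlassian.jira.bc.security.login.LoginInfo getLoginInfo(String str) {
        User user = this.crowdService.getUser(str);
        if (user == null) {
            return null;
        }
        return tweakLoginInfo(this.loginStore.getLoginInfo(user));
    }

    /**
     * Runs the CAPTCHA check for a user who is over the failed-login threshold.
     *
     * <p>Users Crowd does not know, and users under the threshold, pass without a
     * challenge. Otherwise the {@code os_captcha} request parameter is validated against
     * the CAPTCHA issued for the current HTTP session id. The check fails closed: a
     * service exception or anything other than an explicit {@code TRUE} from the CAPTCHA
     * service is a failure (the original treated a {@code null} result as a pass).
     *
     * @param httpServletRequest the login request; on failure the
     *        {@link #ELEVATED_SECURITY_FAILURE} attribute is set on it
     * @param str user name being logged in
     * @return {@code true} if no challenge was needed or the answer was correct
     */
    @Override // com.atlassian.jira.security.login.LoginManager
    public boolean performElevatedSecurityCheck(HttpServletRequest httpServletRequest, String str) {
        httpServletRequest.removeAttribute(ELEVATED_SECURITY_FAILURE);
        com.atlassian.jira.bc.security.login.LoginInfo loginInfo = getLoginInfo(str);
        if (loginInfo == null || !loginInfo.isElevatedSecurityCheckRequired()) {
            return true;
        }
        boolean passed;
        try {
            // The CAPTCHA is keyed by the HTTP session id; the answer arrives as a request parameter.
            Boolean valid = this.jiraCaptchaService.getImageCaptchaService().validateResponseForID(
                    httpServletRequest.getSession(true).getId(), httpServletRequest.getParameter(OS_CAPTCHA));
            // Fail closed: null is not a pass.
            passed = Boolean.TRUE.equals(valid);
        } catch (CaptchaServiceException e) {
            // Any service error (presumably including an unknown captcha id) counts as a failed check.
            passed = false;
        }
        if (!passed) {
            httpServletRequest.setAttribute(ELEVATED_SECURITY_FAILURE, Boolean.TRUE);
        }
        return passed;
    }

    /**
     * Asks the {@link AuthorisationManager} whether an already-authenticated user may log in.
     * Clears and, on refusal, sets the {@link #AUTHORISED_FAILURE} request attribute, and
     * records the user's key under {@link #AUTHORISING_USER_KEY}.
     *
     * @throws IllegalArgumentException (via {@link Assertions#notNull}) if the user is {@code null}
     */
    @Override // com.atlassian.jira.security.login.LoginManager
    public boolean authoriseForLogin(@Nonnull ApplicationUser applicationUser, HttpServletRequest httpServletRequest) {
        Assertions.notNull(SingleUser.DESC, applicationUser);
        httpServletRequest.removeAttribute(AUTHORISED_FAILURE);
        httpServletRequest.setAttribute(AUTHORISING_USER_KEY, applicationUser.getKey());
        boolean allowed = this.authorisationManager.authoriseForLogin(applicationUser, httpServletRequest);
        if (!allowed) {
            httpServletRequest.setAttribute(AUTHORISED_FAILURE, Boolean.TRUE);
        }
        return allowed;
    }

    /** Delegates to the {@link AuthorisationManager}: the roles the request requires. */
    @Override // com.atlassian.jira.security.login.LoginManager
    public Set<String> getRequiredRoles(HttpServletRequest httpServletRequest) {
        return this.authorisationManager.getRequiredRoles(httpServletRequest);
    }

    /**
     * Asks the {@link AuthorisationManager} whether {@code applicationUser} (possibly
     * anonymous, i.e. {@code null}) holds role {@code str} for this request; sets
     * {@link #AUTHORISED_FAILURE} on refusal.
     */
    @Override // com.atlassian.jira.security.login.LoginManager
    public boolean authoriseForRole(@Nullable ApplicationUser applicationUser, HttpServletRequest httpServletRequest, String str) {
        httpServletRequest.removeAttribute(AUTHORISED_FAILURE);
        boolean allowed = this.authorisationManager.authoriseForRole(applicationUser, httpServletRequest, str);
        if (!allowed) {
            httpServletRequest.setAttribute(AUTHORISED_FAILURE, Boolean.TRUE);
        }
        return allowed;
    }

    /**
     * Authenticates {@code user} with password {@code str}, honouring the brute-force gate:
     * if the user's failed-login count has reached the threshold the password is NOT checked
     * and the result is {@link LoginReason#AUTHENTICATION_DENIED} (a CAPTCHA is required).
     * Every call is recorded as a login attempt (a denied attempt counts as a failure) and
     * written to the security-event log.
     *
     * <p>A user unknown to Crowd (no login info) is not gated and simply fails authentication,
     * rather than raising a {@link NullPointerException} as the original did.
     *
     * @throws IllegalArgumentException (via {@link Assertions#notNull}) if the user is {@code null}
     */
    @Override // com.atlassian.jira.security.login.LoginManager
    public LoginResult authenticate(User user, String str) {
        Assertions.notNull(SingleUser.DESC, user);
        com.atlassian.jira.bc.security.login.LoginInfo current = getLoginInfo(user.getName());
        LoginReason loginReason;
        if (current != null && current.isElevatedSecurityCheckRequired()) {
            // Over the threshold: refuse without consulting the credential store.
            loginReason = LoginReason.AUTHENTICATION_DENIED;
        } else {
            loginReason = checkPassword(user, str);
        }
        return completeAuthentication(user, loginReason);
    }

    /**
     * Authenticates {@code user} with password {@code str} WITHOUT the CAPTCHA / failed-login
     * gate. This bypasses the online brute-force protection of {@link #authenticate}; callers
     * are responsible for providing equivalent protection. The attempt is still recorded and
     * logged.
     *
     * @throws IllegalArgumentException (via {@link Assertions#notNull}) if the user is {@code null}
     */
    @Override // com.atlassian.jira.security.login.LoginManager
    public LoginResult authenticateWithoutElevatedCheck(User user, String str) {
        Assertions.notNull(SingleUser.DESC, user);
        return completeAuthentication(user, checkPassword(user, str));
    }

    /** Verifies the password through {@link StaticDependencies} and maps the outcome to a reason. */
    private LoginReason checkPassword(User user, String password) {
        return this.staticDependencies.authenticate(user, password) ? LoginReason.OK : LoginReason.AUTHENTICATED_FAILED;
    }

    /** Records the attempt in the store, logs it, and builds the {@link LoginResult}. */
    private LoginResult completeAuthentication(User user, LoginReason loginReason) {
        com.atlassian.jira.bc.security.login.LoginInfo info = tweakLoginInfo(recordLoginAttempt(user, loginReason == LoginReason.OK));
        logSecurityEvents(user, info, loginReason);
        return new LoginResultImpl(loginReason, info, user.getName());
    }

    /**
     * Records the outcome of a login attempt made through the web layer (where authentication
     * itself happened elsewhere). On failure the reason is refined from the request attributes
     * left by {@link #performElevatedSecurityCheck} and the authorise methods; the resulting
     * {@link LoginResult} is stored on the request and the event is logged.
     *
     * @param str user name; unknown users are ignored and {@code null} is returned
     * @param z   whether the attempt succeeded
     */
    @Override // com.atlassian.jira.security.login.LoginManager
    public com.atlassian.jira.bc.security.login.LoginInfo onLoginAttempt(HttpServletRequest httpServletRequest, String str, boolean z) {
        User user = this.crowdService.getUser(str);
        if (user == null) {
            return null;
        }
        com.atlassian.jira.bc.security.login.LoginInfo info = tweakLoginInfo(recordLoginAttempt(user, z));
        LoginReason loginReason;
        if (z) {
            loginReason = LoginReason.OK;
        } else if (httpServletRequest.getAttribute(ELEVATED_SECURITY_FAILURE) != null) {
            loginReason = LoginReason.AUTHENTICATION_DENIED;
        } else if (httpServletRequest.getAttribute(AUTHORISED_FAILURE) != null) {
            loginReason = LoginReason.AUTHORISATION_FAILED;
        } else {
            loginReason = LoginReason.AUTHENTICATED_FAILED;
        }
        recordLoginResultInRequest(httpServletRequest, new LoginResultImpl(loginReason, info, str, getLoginDeniedReasons(httpServletRequest)));
        logSecurityEvents(user, info, loginReason);
        return info;
    }

    /**
     * Logs the current user out: invalidates the HTTP session and replaces it with a fresh one
     * (so nothing from the authenticated session survives), runs the Seraph authenticator's
     * logout, clears the authentication context, flags the request and publishes a
     * {@link LogoutEvent}. An {@link AuthenticatorException} is logged and does not abort the
     * remaining steps.
     *
     * @throws IllegalArgumentException (via {@link Assertions#notNull}) if either argument is {@code null}
     */
    @Override // com.atlassian.jira.security.login.LoginManager
    public void logout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Assertions.notNull("request", httpServletRequest);
        Assertions.notNull("response", httpServletResponse);
        User loggedInUser = this.jiraAuthenticationContext.getLoggedInUser();
        String name = loggedInUser == null ? JiraStartAnalyticEvent.UNKNOWN : loggedInUser.getName();
        HttpSession oldSession = httpServletRequest.getSession(false);
        if (oldSession != null) {
            oldSession.invalidate();
        }
        // Start a new session and point the webwork action context at it.
        ActionContext.setSession(new SessionMap(httpServletRequest.getSession(true)));
        try {
            this.staticDependencies.getAuthenticator().logout(httpServletRequest, httpServletResponse);
        } catch (AuthenticatorException e) {
            log.error("Authenticator logout failed: {}", e.getMessage(), e);
        }
        loggerSecurityEvents.info("The user '" + name + "' has logged out.");
        this.jiraAuthenticationContext.clearLoggedInUser();
        httpServletRequest.setAttribute(LOGOUT_EXECUTED_KEY, Boolean.TRUE);
        this.eventPublisher.publish(new LogoutEvent(loggedInUser));
    }

    /**
     * A non-positive maximum-attempts setting means the threshold is always reached
     * (see {@link #tweakLoginInfo}), i.e. the CAPTCHA is shown on every login.
     */
    @Override // com.atlassian.jira.security.login.LoginManager
    public boolean isElevatedSecurityCheckAlwaysShown() {
        return getMaxAuthenticationAttemptsAllowed() <= 0;
    }

    @Override // com.atlassian.jira.security.login.LoginManager
    public void resetFailedLoginCount(User user) {
        this.loginStore.resetFailedLoginCount(user);
    }

    /**
     * Builds the {@link DeniedReason}s for a failed attempt: currently only a
     * {@link CaptchaChallengeRequired} pointing at {@code <base>/login.jsp} when the
     * elevated-security check failed on this request.
     */
    protected Set<DeniedReason> getLoginDeniedReasons(HttpServletRequest httpServletRequest) {
        Set<DeniedReason> reasons = new HashSet<DeniedReason>();
        if (httpServletRequest.getAttribute(ELEVATED_SECURITY_FAILURE) != null) {
            String loginUrl = String.format("%s/login.jsp", this.velocityRequestContextFactory.getJiraVelocityRequestContext().getCanonicalBaseUrl());
            reasons.add(new CaptchaChallengeRequired(loginUrl));
        }
        return reasons;
    }

    /**
     * Writes the outcome to the security-event log. Only a successful login puts the user
     * name into the logging MDC and publishes a {@link LoginEvent}. The password is never
     * logged.
     */
    private void logSecurityEvents(User user, com.atlassian.jira.bc.security.login.LoginInfo loginInfo, LoginReason loginReason) {
        String name = user != null ? user.getName() : "null";
        if (loginReason == LoginReason.AUTHENTICATION_DENIED) {
            loggerSecurityEvents.warn("The user '" + name + "' is required to answer a CAPTCHA elevated security check.  Failure count equals " + loginInfo.getCurrentFailedLoginCount());
        } else if (loginReason == LoginReason.AUTHENTICATED_FAILED) {
            loggerSecurityEvents.warn("The user '" + name + "' has FAILED authentication.  Failure count equals " + loginInfo.getCurrentFailedLoginCount());
        } else if (loginReason == LoginReason.AUTHORISATION_FAILED) {
            loggerSecurityEvents.warn("The user '" + name + "' is NOT AUTHORIZED to perform this request");
        } else {
            Log4jKit.putUserToMDC(name);
            loggerSecurityEvents.info("The user '" + name + "' has PASSED authentication.");
            this.eventPublisher.publish(new LoginEvent(user));
        }
    }

    private com.atlassian.jira.bc.security.login.LoginInfo recordLoginAttempt(User user, boolean z) {
        return this.loginStore.recordLoginAttempt(user, z);
    }

    /** Stores the result on the request under {@link #LOGIN_RESULT_KEY} and returns it. */
    private LoginResultImpl recordLoginResultInRequest(HttpServletRequest httpServletRequest, LoginResultImpl loginResultImpl) {
        httpServletRequest.setAttribute(LOGIN_RESULT_KEY, loginResultImpl);
        return loginResultImpl;
    }

    /**
     * Re-wraps the store's login info with the elevated-security flag: required once the
     * failed-login count (treating {@code null} as 0) reaches the configured maximum.
     */
    private com.atlassian.jira.bc.security.login.LoginInfo tweakLoginInfo(com.atlassian.jira.bc.security.login.LoginInfo loginInfo) {
        long failures = nvl(loginInfo.getCurrentFailedLoginCount(), 0L);
        return new LoginInfoImpl(loginInfo, failures >= getMaxAuthenticationAttemptsAllowed());
    }

    /** Null-coalescing unboxing. */
    private long nvl(Long l, long j) {
        return l == null ? j : l.longValue();
    }

    private long getMaxAuthenticationAttemptsAllowed() {
        return this.loginStore.getMaxAuthenticationAttemptsAllowed();
    }
}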
