package com.atlassian.jira.security.login;

import com.atlassian.crowd.embedded.api.CrowdService;
import com.atlassian.crowd.exception.AccountNotFoundException;
import com.atlassian.crowd.exception.FailedAuthenticationException;
import com.atlassian.crowd.exception.runtime.CommunicationException;
import com.atlassian.crowd.exception.runtime.OperationFailedException;
import com.atlassian.jira.component.ComponentAccessor;
import com.atlassian.jira.user.ApplicationUser;
import com.atlassian.jira.user.util.UserManager;
import com.atlassian.seraph.auth.AuthenticationContextAwareAuthenticator;
import com.atlassian.seraph.auth.AuthenticationErrorType;
import com.atlassian.seraph.auth.AuthenticatorException;
import com.atlassian.seraph.auth.DefaultAuthenticator;
import com.atlassian.seraph.auth.LoginReason;
import com.atlassian.seraph.elevatedsecurity.ElevatedSecurityGuard;
import com.atlassian.seraph.util.SecurityUtils;
import java.io.IOException;
import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

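/**
 * Seraph authenticator for Jira: users are looked up through {@link UserManager} and passwords
 * are verified through the embedded {@link CrowdService}.
 *
 * <p>This listing is decompiler output (see the "loaded from" note below), so parameter names such
 * as {@code str} are generated; each method's documentation states what the parameter carries.
 *
 * <p>Logging: only usernames are written to the log, never the password. The Basic Auth username
 * is attacker-controlled (it is decoded from the {@code Authorization} header), so every username
 * is passed through {@link #forLog(String)} before it is logged.
 */
@AuthenticationContextAwareAuthenticator
/* loaded from: input_file:com/atlassian/jira/security/login/JiraSeraphAuthenticator.class */
public class JiraSeraphAuthenticator extends DefaultAuthenticator {
    private static final Logger log = LoggerFactory.getLogger(JiraSeraphAuthenticator.class);

    /**
     * Looks a user up by username.
     *
     * @param str the username
     * @return whatever {@code UserManager.getUserByName} returns for that name
     */
    protected Principal getUser(String str) {
        return getUserManager().getUserByName(str);
    }

    /**
     * Verifies a password for the given principal against the Crowd service.
     *
     * @param principal the user whose name is sent to Crowd
     * @param str the password (passed to {@code CrowdService.authenticate} as the credential)
     * @return {@code true} if Crowd accepted the credentials; {@code false} if the account does
     *     not exist or the credentials were rejected
     * @throws AuthenticatorException with {@code CommunicationError} or {@code UnknownError} when
     *     the directory could not give an answer, so that an outage is not reported as a bad
     *     password
     */
    protected boolean authenticate(Principal principal, String str) throws AuthenticatorException {
        try {
            crowdServiceAuthenticate(principal, str);
            return true;
        } catch (CommunicationException e) {
            // The original dropped this exception without a trace. AuthenticatorException is only
            // built from an error type here, so the cause is recorded in the log instead.
            log.debug("authenticate : communication error while authenticating '{}'", forLog(principal.getName()), e);
            throw new AuthenticatorException(AuthenticationErrorType.CommunicationError);
        } catch (AccountNotFoundException e2) {
            log.debug("authenticate : '{}' does not exist and cannot be authenticated.", forLog(principal.getName()));
            return false;
        } catch (OperationFailedException e3) {
            log.error("Error occurred while trying to authenticate user '{}'.", forLog(principal.getName()), e3);
            throw new AuthenticatorException(AuthenticationErrorType.UnknownError);
        } catch (FailedAuthenticationException e4) {
            // Closing quote added; the original message left the username quote unbalanced.
            log.debug("authentication failed: '{}'", forLog(principal.getName()), e4);
            return false;
        }
    }

    /**
     * Calls {@code CrowdService.authenticate} with this class's class loader installed as the
     * thread context class loader, and restores the previous loader on every exit path.
     */
    private void crowdServiceAuthenticate(Principal principal, String str) throws FailedAuthenticationException {
        Thread currentThread = Thread.currentThread();
        ClassLoader previousLoader = currentThread.getContextClassLoader();
        try {
            currentThread.setContextClassLoader(getClass().getClassLoader());
            getCrowdService().authenticate(principal.getName(), str);
        } finally {
            // finally replaces the decompiler's catch-Throwable/rethrow pair; same effect.
            currentThread.setContextClassLoader(previousLoader);
        }
    }

    /**
     * Re-resolves a principal taken from the session and stores the fresh object back in the
     * session context.
     *
     * <p>An {@link ApplicationUser} is looked up again by key, any other principal by name. A
     * {@code null} principal, or one with a {@code null} name, is returned unchanged and the
     * session is not touched.
     *
     * @return the re-resolved principal (the lookup result, which this method does not check for
     *     {@code null}), or the argument itself when no lookup was done
     */
    protected Principal refreshPrincipalObtainedFromSession(HttpServletRequest httpServletRequest, Principal principal) {
        if (principal == null || principal.getName() == null) {
            return principal;
        }
        Principal refreshed;
        if (principal instanceof ApplicationUser) {
            refreshed = getUserManager().getUserByKey(((ApplicationUser) principal).getKey());
        } else {
            refreshed = getUser(principal.getName());
        }
        putPrincipalInSessionContext(httpServletRequest, refreshed);
        return refreshed;
    }

    /**
     * Authenticates a request from its HTTP Basic {@code Authorization} header.
     *
     * <p>Flow: a missing or non-Basic header gets a 401 with a {@code WWW-Authenticate} challenge.
     * Otherwise the credentials are decoded and the {@link ElevatedSecurityGuard} is consulted
     * before any password check; only if it allows the attempt is {@code login} called. Every
     * failed or denied attempt is reported to the guard via {@code onFailedLoginAttempt}, and a
     * success via {@code onSuccessfulLoginAttempt}.
     *
     * @return the authenticated user, or {@code null} after a 401 has been sent
     */
    protected Principal getUserFromBasicAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String header = httpServletRequest.getHeader("Authorization");
        LoginReason loginReason = LoginReason.OK;
        if (!SecurityUtils.isBasicAuthorizationHeader(header)) {
            try {
                httpServletResponse.setHeader("WWW-Authenticate", "Basic realm=\"protected-area\"");
                httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            } catch (IOException e) {
                log.warn("getUserFromSession : Exception trying to send Basic Auth failed error: {}", String.valueOf(e), e);
            }
            return null;
        }
        log.debug("getUserFromSession : Looking in Basic Auth headers");
        SecurityUtils.UserPassCredentials credentials = SecurityUtils.decodeBasicAuthorizationCredentials(header);
        // Untrusted: taken straight from the request header. Logged only through forLog().
        String username = credentials.getUsername();
        ElevatedSecurityGuard guard = getElevatedSecurityGuard();
        if (guard.performElevatedSecurityCheck(httpServletRequest, username)) {
            log.debug("getUserFromSession : '{}' does not require elevated security check.  Attempting authentication...", forLog(username));
            try {
                // The trailing false is presumably the remember-me cookie flag; confirm against
                // DefaultAuthenticator.login.
                if (login(httpServletRequest, httpServletResponse, username, credentials.getPassword(), false)) {
                    LoginReason.OK.stampRequestResponse(httpServletRequest, httpServletResponse);
                    guard.onSuccessfulLoginAttempt(httpServletRequest, username);
                    log.debug("getUserFromSession : Authenticated '{}' via Basic Auth", forLog(username));
                    return getUser(username);
                }
                loginReason = LoginReason.AUTHENTICATED_FAILED.stampRequestResponse(httpServletRequest, httpServletResponse);
                guard.onFailedLoginAttempt(httpServletRequest, username);
            } catch (AuthenticatorException e2) {
                // NOTE(review): on this path loginReason is still OK and the guard is not told
                // about the attempt, so the 401 below reports "Reason : OK". Kept as in the
                // original; confirm whether that is intended.
                log.warn("getUserFromSession : Exception trying to login '{}' via Basic Auth:{}", forLog(username), String.valueOf(e2), e2);
            }
        } else {
            log.debug("getUserFromSession : '{}' failed elevated security check", forLog(username));
            loginReason = LoginReason.AUTHENTICATION_DENIED.stampRequestResponse(httpServletRequest, httpServletResponse);
            guard.onFailedLoginAttempt(httpServletRequest, username);
        }
        try {
            // NOTE(review): unlike the challenge above, this 401 carries no WWW-Authenticate
            // header. Kept as in the original.
            httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Basic Authentication Failure - Reason : " + loginReason.toString());
        } catch (IOException e3) {
            log.warn("getUserFromSession : Exception trying to send Basic Auth failed error: {}", String.valueOf(e3), e3);
        }
        return null;
    }

    /**
     * Makes a request-supplied value safe to embed in a single log line by replacing CR and LF
     * with {@code '_'}, so a crafted username cannot start a forged log entry.
     *
     * @param value the value to log; may be {@code null}
     * @return the value without line breaks, or {@code null} if {@code value} was {@code null}
     */
    private static String forLog(String value) {
        if (value == null) {
            return null;
        }
        return value.replace('\r', '_').replace('\n', '_');
    }

    /** Fetches the {@link CrowdService} component from {@link ComponentAccessor} on each call. */
    private CrowdService getCrowdService() {
        return (CrowdService) ComponentAccessor.getComponent(CrowdService.class);
    }

    /** Fetches the {@link UserManager} from {@link ComponentAccessor} on each call. */
    private UserManager getUserManager() {
        return ComponentAccessor.getUserManager();
    }
}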
