package com.atlassian.seraph.filter;

import com.atlassian.seraph.RequestParameterConstants;
import com.atlassian.seraph.auth.AuthenticationContext;
import com.atlassian.seraph.auth.AuthenticationContextAwareAuthenticator;
import com.atlassian.seraph.auth.Authenticator;
import com.atlassian.seraph.auth.SessionInvalidator;
import com.atlassian.seraph.config.SecurityConfig;
import com.atlassian.seraph.config.SecurityConfigFactory;
import com.atlassian.seraph.elevatedsecurity.ElevatedSecurityGuard;
import com.atlassian.seraph.util.RedirectUtils;
import com.atlassian.seraph.util.SecurityUtils;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/atlassian/seraph/filter/BaseLoginFilter.class */
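/**
 * Base servlet filter that drives Seraph's login step.
 *
 * <p>On every request for which Seraph filtering is still enabled and the security
 * controller reports security as enabled, {@link #doFilter} wraps the request so that
 * {@code getRemoteUser()}/{@code getUserPrincipal()} are answered by the configured
 * {@link Authenticator}, invokes the subclass {@link #login} hook, records the outcome
 * under the {@link #OS_AUTHSTATUS_KEY} request attribute, and may issue a redirect to
 * the originally requested destination. Subclasses only have to implement
 * {@link #login}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The post-login redirect target comes from the {@code os_destination} request
 *       parameter or from the session; it is untrusted. The only thing standing
 *       between it and an open redirect is
 *       {@code getSecurityConfig().getRedirectPolicy()} — see
 *       {@link #redirectToOriginalDestination}.</li>
 *   <li>User-controlled strings (the request URL, the remote user name, the redirect
 *       target) are written to the log; they are passed through
 *       {@link #sanitizeForLog} so CR/LF and other control characters cannot forge
 *       extra log lines.</li>
 *   <li>The "attempting login" debug line includes the query string. If login
 *       parameters ever arrive in the query string rather than a POST body they would
 *       be logged at DEBUG level — keep DEBUG off in production or review
 *       {@link #getRequestUrl}.</li>
 * </ul>
 */
public abstract class BaseLoginFilter implements Filter {
    /** {@link #OS_AUTHSTATUS_KEY} value: {@link #login} authenticated the request. */
    public static final String LOGIN_SUCCESS = "success";
    /** {@link #OS_AUTHSTATUS_KEY} value: credentials were presented but rejected. */
    public static final String LOGIN_FAILED = "failed";
    /** {@link #OS_AUTHSTATUS_KEY} value: login could not be evaluated (subclass-defined error). */
    public static final String LOGIN_ERROR = "error";
    /** Request attribute under which the outcome of {@link #login} is published. */
    public static final String OS_AUTHSTATUS_KEY = "os_authstatus";
    /** Request attribute name subclasses may use to describe an authentication error. */
    public static final String AUTHENTICATION_ERROR_TYPE = "auth_error_type";
    private static final Logger log = LoggerFactory.getLogger(BaseLoginFilter.class);
    /**
     * {@link #OS_AUTHSTATUS_KEY} value meaning "no login was attempted". This is
     * deliberately {@code null}; callers compare with {@code ==}, which is a null check.
     */
    public static final String LOGIN_NOATTEMPT = null;
    private FilterConfig filterConfig = null;
    /** Lazily resolved from the servlet context in {@link #getSecurityConfig}. */
    private SecurityConfig securityConfig = null;

    /**
     * Request wrapper that answers {@code getRemoteUser()} / {@code getUserPrincipal()}
     * from the configured {@link Authenticator} instead of the container. This is a
     * non-static inner class on purpose: it needs the enclosing filter to reach the
     * authenticator and authentication context.
     */
    class SecurityHttpRequestWrapper extends HttpServletRequestWrapper {
        /** The request handed in at construction; used for authenticator lookups. */
        private HttpServletRequest delegateHttpServletRequest;

        public SecurityHttpRequestWrapper(HttpServletRequest httpServletRequest) {
            super(httpServletRequest);
            this.delegateHttpServletRequest = httpServletRequest;
        }

        /** @return the principal's name, or {@code null} when no principal is resolved. */
        @Override
        public String getRemoteUser() {
            Principal principal = getUserPrincipal();
            return principal == null ? null : principal.getName();
        }

        /**
         * Resolves the current user. Authenticators annotated with
         * {@link AuthenticationContextAwareAuthenticator} are consulted through the
         * {@link AuthenticationContext}; all others are asked directly with the
         * delegate request.
         */
        @Override
        public Principal getUserPrincipal() {
            Authenticator authenticator = BaseLoginFilter.this.getAuthenticator();
            if (authenticator.getClass().isAnnotationPresent(AuthenticationContextAwareAuthenticator.class)) {
                return BaseLoginFilter.this.getAuthenticationContext().getUser();
            }
            return authenticator.getUser(this.delegateHttpServletRequest);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {
        this.filterConfig = filterConfig;
    }

    @Override
    public void destroy() {
        this.filterConfig = null;
    }

    /**
     * Runs the login step once per request (guarded by the Seraph "filtering disabled"
     * flag so nested dispatches do not re-run it), records the outcome in
     * {@link #OS_AUTHSTATUS_KEY}, and either redirects or continues the chain.
     *
     * <p>When Seraph filtering is disabled or security is off, the only work done is the
     * optional websudo session invalidation configured in {@link SecurityConfig}.
     *
     * @throws IOException      propagated from the chain or a redirect
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = new SecurityHttpRequestWrapper((HttpServletRequest) servletRequest);
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        SecurityConfig config = getSecurityConfig();
        if (!SecurityUtils.isSeraphFilteringDisabled(request) && config.getController().isSecurityEnabled()) {
            // Mark the request so a forward/include through this filter does not log in twice.
            SecurityUtils.disableSeraphFiltering(request);
            request.setAttribute(OS_AUTHSTATUS_KEY, LOGIN_NOATTEMPT);
            if (log.isDebugEnabled()) {
                // getRequestUrl() includes the query string; sanitize before logging.
                log.debug("doFilter : ____ Attempting login for : '{}'", sanitizeForLog(getRequestUrl(request)));
            }
            String status = login(request, response);
            request.setAttribute(OS_AUTHSTATUS_KEY, status);
            if (log.isDebugEnabled()) {
                log.debug("doFilter : Login completed for '{}' - {} = '{}'",
                        sanitizeForLog(request.getRemoteUser()), OS_AUTHSTATUS_KEY, status);
            }
            if (LOGIN_SUCCESS.equals(status) && redirectToOriginalDestination(request, response)) {
                return;
            }
            // LOGIN_NOATTEMPT is null, so this is a reference comparison against null.
            if (status == LOGIN_NOATTEMPT && redirectIfUserIsAlreadyLoggedIn(request, response)) {
                return;
            }
        } else if (config.isInvalidateSessionOnWebsudo() && request.getAttribute(config.getWebsudoRequestKey()) != null) {
            log.debug("doFilter : ____ Invalidating session for websudo");
            new SessionInvalidator(config.getInvalidateWebsudoSessionExcludeList()).invalidateSession(request);
        }
        filterChain.doFilter(request, response);
    }

    /**
     * Rebuilds the request path (servlet path + path info + {@code ?query}) for logging.
     * The query string is user input and may carry sensitive parameters; callers should
     * treat the result as untrusted and only log it at DEBUG.
     */
    private String getRequestUrl(HttpServletRequest httpServletRequest) {
        StringBuilder url = new StringBuilder(httpServletRequest.getServletPath());
        String pathInfo = httpServletRequest.getPathInfo();
        if (pathInfo != null) {
            url.append(pathInfo);
        }
        String query = httpServletRequest.getQueryString();
        if (query != null) {
            url.append('?').append(query);
        }
        return url.toString();
    }

    /**
     * Replaces control characters (including CR/LF) in a user-controlled value so it
     * cannot inject fake entries into the log.
     *
     * @param value the untrusted string, may be {@code null}
     * @return the sanitized string, or {@code null} when {@code value} is {@code null}
     */
    private static String sanitizeForLog(String value) {
        return value == null ? null : value.replaceAll("\\p{Cntrl}", "_");
    }

    /**
     * If no login was attempted but the request carries an {@code os_destination}
     * parameter, the user is already authenticated, and no original URL is pending in
     * the session, redirect to that destination.
     *
     * <p>NOTE(review): the pending-URL key is read from
     * {@code SecurityConfigFactory.getInstance()} here but from {@link #getSecurityConfig}
     * in {@link #redirectToOriginalDestination}; confirm both resolve to the same config.
     *
     * @return {@code true} if a redirect was sent and the chain must not continue
     */
    private boolean redirectIfUserIsAlreadyLoggedIn(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        if (httpServletRequest.getParameterMap().get(RequestParameterConstants.OS_DESTINATION) == null) {
            return false;
        }
        if (getAuthenticator().getUser(httpServletRequest, httpServletResponse) == null) {
            return false;
        }
        HttpSession session = httpServletRequest.getSession();
        if (session == null || session.getAttribute(SecurityConfigFactory.getInstance().getOriginalURLKey()) != null) {
            return false;
        }
        return redirectToOriginalDestination(httpServletRequest, httpServletResponse);
    }

    /**
     * Performs the actual authentication for this request.
     *
     * @return one of {@link #LOGIN_SUCCESS}, {@link #LOGIN_FAILED}, {@link #LOGIN_ERROR}
     *         or {@link #LOGIN_NOATTEMPT} ({@code null}); published under
     *         {@link #OS_AUTHSTATUS_KEY}
     */
    public abstract String login(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse);

    /**
     * Redirects to the destination the user originally asked for, taken from the
     * {@code os_destination} parameter or, failing that, from the session attribute
     * named by {@code getOriginalURLKey()}. The session attribute is always cleared,
     * even when the parameter was used instead.
     *
     * <p>Open-redirect protection lives entirely in
     * {@code getRedirectPolicy().allowedRedirectDestination(...)}: a rejected target is
     * replaced by {@code "/"} (the context root). Targets without a host get the
     * context path prepended; targets with a host are sent as-is, which is why the
     * policy must also reject off-site and protocol-relative ({@code //host/...})
     * destinations.
     *
     * @return {@code true} if a redirect was sent, {@code false} if there was no target
     */
    protected boolean redirectToOriginalDestination(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        String originalURLKey = getSecurityConfig().getOriginalURLKey();
        HttpSession session = httpServletRequest.getSession();
        String target = httpServletRequest.getParameter(RequestParameterConstants.OS_DESTINATION);
        if (target == null) {
            target = (String) session.getAttribute(originalURLKey);
        }
        // Consume the pending URL unconditionally so it cannot be replayed later.
        session.removeAttribute(originalURLKey);
        if (target == null) {
            return false;
        }
        if (!getSecurityConfig().getRedirectPolicy().allowedRedirectDestination(target, httpServletRequest)) {
            log.warn("redirectToOriginalDestination : Redirect request to '{}' is not allowed. Will send user to the context root instead.",
                    sanitizeForLog(target));
            target = "/";
        }
        if (!isAbsoluteUrl(target)) {
            target = RedirectUtils.appendPathToContext(httpServletRequest.getContextPath(), target);
        }
        if (log.isDebugEnabled()) {
            log.debug("redirectToOriginalDestination : Login redirect to: {}", sanitizeForLog(target));
        }
        httpServletResponse.sendRedirect(target);
        return true;
    }

    /**
     * Decides whether a redirect target should be used verbatim (has a host) or be
     * prefixed with the context path.
     *
     * <p>This is not a safety check: a protocol-relative {@code //host/path} parses with
     * a host and is therefore reported as absolute, and a string that fails to parse is
     * reported as relative. Rely on the redirect policy, not on this method, to keep
     * users on-site.
     *
     * @return {@code true} iff {@code str} parses as a URI with a non-null host
     */
    protected boolean isAbsoluteUrl(String str) {
        try {
            return new URI(str).getHost() != null;
        } catch (URISyntaxException malformed) {
            // Unparseable input is treated as a relative path (context path gets prepended).
            return false;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** @return the authenticator from the active {@link SecurityConfig} */
    public Authenticator getAuthenticator() {
        return getSecurityConfig().getAuthenticator();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** @return the elevated-security (captcha / websudo) guard from the active config */
    public ElevatedSecurityGuard getElevatedSecurityGuard() {
        return getSecurityConfig().getElevatedSecurityGuard();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Returns the {@link SecurityConfig} stored in the servlet context under
     * {@link SecurityConfig#STORAGE_KEY}, caching it on first access.
     * Requires {@link #init} to have been called (uses {@code filterConfig}).
     */
    public SecurityConfig getSecurityConfig() {
        SecurityConfig config = this.securityConfig;
        if (config == null) {
            config = (SecurityConfig) this.filterConfig.getServletContext().getAttribute(SecurityConfig.STORAGE_KEY);
            this.securityConfig = config;
        }
        return config;
    }

    /** @return the authentication context from the active {@link SecurityConfig} */
    protected AuthenticationContext getAuthenticationContext() {
        return getSecurityConfig().getAuthenticationContext();
    }
}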
