package com.atlassian.stash.internal.auth;

import com.atlassian.crowd.embedded.api.User;
import com.atlassian.crowd.embedded.api.UserWithAttributes;
import com.atlassian.stash.exception.NoSuchUserException;
import com.atlassian.stash.i18n.I18nService;
import com.atlassian.stash.i18n.KeyedMessage;
import com.atlassian.stash.internal.AbstractService;
import com.atlassian.stash.internal.annotation.Unsecured;
import com.atlassian.stash.internal.config.Feature;
import com.atlassian.stash.internal.config.FeatureManager;
import com.atlassian.stash.internal.crowd.CrowdControl;
import com.atlassian.stash.internal.user.CaptchaService;
import com.atlassian.stash.internal.user.CaptchaTicket;
import com.atlassian.stash.server.ApplicationPropertiesService;
import com.atlassian.stash.user.AuthenticationException;
import com.atlassian.stash.user.AuthenticationSystemException;
import com.atlassian.stash.user.CaptchaRequiredAuthenticationException;
import com.atlassian.stash.user.IncorrectCaptchaAuthenticationException;
import com.atlassian.stash.user.IncorrectPasswordAuthenticationException;
import com.atlassian.stash.user.StashUser;
import com.atlassian.stash.util.UncheckedOperation;
import com.google.common.base.Preconditions;
import com.octo.captcha.service.CaptchaServiceException;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

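/**
 * Gates password authentication behind a CAPTCHA once a user has accumulated too many
 * failed login attempts.
 *
 * <p>The failure count is stored per user in the directory attribute
 * {@link #FAILED_AUTHENTICATION_ATTEMPT_COUNT}. A CAPTCHA is demanded when
 * {@link Feature#AUTH_CAPTCHA} is enabled and the count is positive and has reached
 * {@code propertiesService.getMaxCaptchaAttempts()}. The count is reset to zero by a
 * successful login or by an administrator through {@link #clearCaptchaChallenge(String)}.
 *
 * <p>Points a reviewer should keep in mind:
 * <ul>
 *   <li>Only {@link IncorrectPasswordAuthenticationException} and a wrong CAPTCHA answer
 *       increment the count; other authentication failures pass through uncounted.</li>
 *   <li>When no user record is found for the supplied name, nothing is counted and no CAPTCHA
 *       is required, so the gate only protects accounts that exist. NOTE(review): confirm
 *       that some other control (e.g. rate limiting) covers requests for unknown names, and
 *       that the difference in responses is acceptable.</li>
 *   <li>The count is read, incremented and written back without any locking visible in this
 *       class, so the threshold is best-effort under concurrent attempts unless
 *       {@code CrowdControl} serializes the update — confirm.</li>
 * </ul>
 */
@Service("captchaService")
/* loaded from: input_file:com/atlassian/stash/internal/auth/DefaultCaptchaService.class */
public class DefaultCaptchaService extends AbstractService implements CaptchaService {
    private static final Logger log = LoggerFactory.getLogger(DefaultCaptchaService.class);

    /** Name of the user attribute holding the number of consecutive failed attempts. */
    public static final String FAILED_AUTHENTICATION_ATTEMPT_COUNT = "failedAuthenticationAttemptCount";

    private final com.octo.captcha.service.CaptchaService captchaService;
    private final CrowdControl crowdControl;
    private final FeatureManager featureManager;
    private final I18nService i18nService;
    private final ApplicationPropertiesService propertiesService;

    /**
     * Proof that {@link #checkCaptcha} ran for a login attempt. It carries the user record
     * (possibly {@code null}) and the failure count read when the ticket was created.
     */
    /* loaded from: input_file:com/atlassian/stash/internal/auth/DefaultCaptchaService$ValidCaptchaTicket.class */
    private class ValidCaptchaTicket implements CaptchaTicket {
        // Snapshot of the stored count taken at construction; later updates by other
        // requests are not re-read before this ticket writes its own value back.
        private long attempts;
        private final UserWithAttributes user;

        private ValidCaptchaTicket(UserWithAttributes userWithAttributes) {
            this.attempts = DefaultCaptchaService.this.getAttemptCountFor(userWithAttributes);
            this.user = userWithAttributes;
        }

        /**
         * Records one more failed attempt for the ticket's user, if there is one.
         *
         * @param authenticationException the failure that triggered this call
         * @throws CaptchaRequiredAuthenticationException when the new count means the next
         *         attempt must carry a CAPTCHA; it reuses the original failure's message
         */
        public void onAuthenticationFailure(AuthenticationException authenticationException) {
            if (this.user == null) {
                // No user record: there is nowhere to persist a count.
                return;
            }
            this.attempts = DefaultCaptchaService.this.incrementAttemptCount(this.attempts);
            DefaultCaptchaService.this.crowdControl.setUserAttribute(
                    this.user, DefaultCaptchaService.FAILED_AUTHENTICATION_ATTEMPT_COUNT, Long.valueOf(this.attempts));
            if (DefaultCaptchaService.this.isCaptchaRequired(this.attempts)) {
                throw new CaptchaRequiredAuthenticationException(authenticationException.getKeyedMessage());
            }
        }

        /** Resets the stored failure count to zero, skipping the write when it already is zero. */
        public void onAuthenticationSuccess() {
            // attempts is only ever non-zero for a non-null user; the null check is defensive.
            if (this.user != null && this.attempts != 0) {
                DefaultCaptchaService.this.crowdControl.setUserAttribute(
                        this.user, DefaultCaptchaService.FAILED_AUTHENTICATION_ATTEMPT_COUNT, 0L);
            }
        }
    }

    @Autowired
    public DefaultCaptchaService(com.octo.captcha.service.CaptchaService captchaService, CrowdControl crowdControl, FeatureManager featureManager, I18nService i18nService, ApplicationPropertiesService applicationPropertiesService) {
        this.captchaService = captchaService;
        this.crowdControl = crowdControl;
        this.featureManager = featureManager;
        this.i18nService = i18nService;
        this.propertiesService = applicationPropertiesService;
    }

    /**
     * Runs the supplied authentication operation and updates the failure count from its outcome.
     *
     * <p>The transaction is declared {@code noRollbackFor} authentication failures so that the
     * incremented count is not rolled back together with the failed login.
     *
     * @param captchaTicket a ticket previously returned by {@link #checkCaptcha}; any other
     *        implementation is rejected
     * @param uncheckedOperation the operation that performs the actual credential check
     * @return the authenticated user, or {@code null} if the operation returned {@code null}
     * @throws IncorrectPasswordAuthenticationException rethrown after the failure is counted
     * @throws CaptchaRequiredAuthenticationException instead of the above when the counted
     *         failure reaches the CAPTCHA threshold
     */
    @Transactional(noRollbackFor = {AuthenticationException.class, NoSuchUserException.class})
    @Unsecured("This needs to be available during authentication")
    public StashUser authenticateWithCaptcha(@Nonnull CaptchaTicket captchaTicket, @Nonnull UncheckedOperation<StashUser> uncheckedOperation) {
        Preconditions.checkNotNull(captchaTicket, "captchaTicket");
        Preconditions.checkNotNull(uncheckedOperation, "authenticateOperation");
        // Only tickets minted by checkCaptcha() are accepted, so the CAPTCHA check cannot be
        // skipped by passing a caller-supplied CaptchaTicket implementation.
        Preconditions.checkArgument(captchaTicket instanceof ValidCaptchaTicket, "invalid CaptchaTicket!");
        ValidCaptchaTicket validCaptchaTicket = (ValidCaptchaTicket) captchaTicket;
        try {
            StashUser stashUser = (StashUser) uncheckedOperation.perform();
            if (stashUser != null) {
                validCaptchaTicket.onAuthenticationSuccess();
            }
            return stashUser;
        } catch (IncorrectPasswordAuthenticationException e) {
            // Only a wrong password is counted here; other failures propagate uncounted.
            validCaptchaTicket.onAuthenticationFailure(e);
            throw e;
        }
    }

    /**
     * Verifies the CAPTCHA for a login attempt, if one is currently required for the user.
     *
     * @param username the login name being authenticated
     * @param captchaResponse the submitted CAPTCHA answer, or {@code null} if none was sent
     * @return a ticket to pass to {@link #authenticateWithCaptcha}
     * @throws CaptchaRequiredAuthenticationException if a CAPTCHA is required but none was sent
     * @throws IncorrectCaptchaAuthenticationException if the answer is wrong; the failure is
     *         counted before this is thrown
     */
    @Nonnull
    @Unsecured("This needs to be available during authentication")
    public CaptchaTicket checkCaptcha(@Nonnull String username, @Nullable CaptchaResponse captchaResponse) {
        Preconditions.checkNotNull(username, "username");
        // A missing user record yields a count of 0 below, so no CAPTCHA is demanded for it.
        UserWithAttributes user = this.crowdControl.findUserWithAttributes(username);
        if (isCaptchaRequired(user)) {
            if (captchaResponse == null) {
                throw new CaptchaRequiredAuthenticationException(missingCaptchaResponse());
            }
            if (!captchaResponse.isVerified() && !isCaptchaValid(captchaResponse)) {
                // NOTE(review): this write happens outside any @Transactional declared on
                // this method — confirm the increment is persisted when the exception unwinds.
                incrementAttemptCountFor(user);
                throw new IncorrectCaptchaAuthenticationException(invalidCaptcha());
            }
        }
        return new ValidCaptchaTicket(user);
    }

    /**
     * Resets a user's failure count so that no CAPTCHA is required on the next login.
     *
     * <p>The parameter must be called {@code username}: the {@code @PreAuthorize} expression
     * refers to it as {@code #username}. With any other name the expression variable does not
     * bind to the argument, and the clause that stops an ADMIN from acting on a SYS_ADMIN
     * account would be evaluated against an unresolved value. Binding also depends on parameter
     * names being available at runtime (debug info or {@code -parameters}).
     *
     * @param username the login name whose count is cleared
     * @throws NoSuchUserException if no such user exists
     */
    @Transactional
    @PreAuthorize("hasGlobalPermission('SYS_ADMIN') or (hasGlobalPermission('ADMIN') and not hasGlobalPermission(#username, 'SYS_ADMIN'))")
    public void clearCaptchaChallenge(@Nonnull String username) {
        User user = this.crowdControl.findUser(username, false);
        if (user == null) {
            throw newNoSuchUserException(username);
        }
        this.crowdControl.setUserAttribute(user, FAILED_AUTHENTICATION_ATTEMPT_COUNT, 0L);
    }

    /**
     * Reports whether the named user must currently solve a CAPTCHA to log in.
     *
     * @param username the login name to inspect
     * @return {@code true} if a CAPTCHA is currently required for that user
     * @throws NoSuchUserException if no such user exists
     */
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public boolean isCaptchaChallenged(@Nonnull String username) {
        UserWithAttributes user = this.crowdControl.findUserWithAttributes(username);
        if (user == null) {
            throw newNoSuchUserException(username);
        }
        return isCaptchaRequired(user);
    }

    /**
     * Validates a CAPTCHA answer directly against the CAPTCHA engine.
     *
     * <p>Unlike {@link #isCaptchaValid}, this neither consults nor sets the response's
     * {@code verified} flag, and a {@link CaptchaServiceException} from the engine propagates
     * to the caller untranslated.
     *
     * @param captchaResponse the submitted challenge id and answer
     * @return {@code true} if the engine accepts the answer
     */
    @Unsecured("This needs to be available during signup")
    public boolean validateCaptchaResponse(@Nonnull CaptchaResponse captchaResponse) {
        Preconditions.checkNotNull(captchaResponse, "captchaResponse");
        return this.captchaService.validateResponseForID(captchaResponse.getChallengeId(), captchaResponse.getUserResponse()).booleanValue();
    }

    private KeyedMessage captchaServiceFail() {
        return this.i18nService.createKeyedMessage("stash.service.user.captchasvcfail", new Object[0]);
    }

    /**
     * Reads the stored failure count for a user.
     *
     * <p>A missing user, a missing attribute and a non-numeric attribute value all yield 0,
     * which means "no CAPTCHA required". The non-numeric case is logged at WARN because it
     * silently resets the gate for that account and is worth alerting on.
     *
     * @param userWithAttributes the user record, or {@code null}
     * @return the stored count, or 0 when it is absent or unparsable
     */
    /* JADX INFO: Access modifiers changed from: private */
    public long getAttemptCountFor(UserWithAttributes userWithAttributes) {
        if (userWithAttributes == null) {
            return 0L;
        }
        String value = userWithAttributes.getValue(FAILED_AUTHENTICATION_ATTEMPT_COUNT);
        if (value == null) {
            return 0L;
        }
        try {
            return Long.parseLong(value);
        } catch (NumberFormatException e) {
            // Parameterized logging yields the same message without eager formatting. The name
            // and value are written as stored; line-break neutralisation is left to the log encoder.
            log.warn("Invalid attribute {} for user {}: {}", FAILED_AUTHENTICATION_ATTEMPT_COUNT, userWithAttributes.getName(), value);
            return 0L;
        }
    }

    /**
     * Adds one to a failure count, saturating at {@link Long#MAX_VALUE} so the count can never
     * wrap around to a value below the threshold.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public long incrementAttemptCount(long j) {
        return j == Long.MAX_VALUE ? Long.MAX_VALUE : j + 1;
    }

    /**
     * Increments and persists the failure count for a user.
     *
     * @return the new count, or 0 when there is no user record to update
     */
    private long incrementAttemptCountFor(UserWithAttributes userWithAttributes) {
        if (userWithAttributes == null) {
            return 0L;
        }
        long updated = incrementAttemptCount(getAttemptCountFor(userWithAttributes));
        this.crowdControl.setUserAttribute(userWithAttributes, FAILED_AUTHENTICATION_ATTEMPT_COUNT, Long.valueOf(updated));
        return updated;
    }

    private KeyedMessage invalidCaptcha() {
        return this.i18nService.createKeyedMessage("stash.service.user.invalidcaptcha", new Object[0]);
    }

    private boolean isCaptchaRequired(UserWithAttributes userWithAttributes) {
        return isCaptchaRequired(getAttemptCountFor(userWithAttributes));
    }

    /**
     * Decides whether a failure count triggers the CAPTCHA.
     *
     * <p>The {@code j > 0} term guarantees that an account with no failures is never
     * challenged, even when the configured maximum is zero or negative; in that configuration
     * the first failure already triggers the CAPTCHA.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public boolean isCaptchaRequired(long j) {
        if (!this.featureManager.isEnabled(Feature.AUTH_CAPTCHA)) {
            return false;
        }
        return j > 0 && j >= ((long) this.propertiesService.getMaxCaptchaAttempts());
    }

    /**
     * Validates a CAPTCHA answer once and remembers a positive result on the response object.
     *
     * @throws AuthenticationSystemException if the CAPTCHA engine itself fails
     */
    private boolean isCaptchaValid(CaptchaResponse captchaResponse) {
        try {
            // The verified flag avoids asking the engine twice for the same response —
            // presumably because a challenge can only be validated once; confirm.
            if (!captchaResponse.isVerified() && this.captchaService.validateResponseForID(captchaResponse.getChallengeId(), captchaResponse.getUserResponse()).booleanValue()) {
                captchaResponse.setVerified(true);
            }
            return captchaResponse.isVerified();
        } catch (CaptchaServiceException e) {
            // No cause-accepting constructor of AuthenticationSystemException is visible here,
            // so the underlying failure is logged rather than lost.
            log.warn("CAPTCHA service failed while validating a response", e);
            throw new AuthenticationSystemException(captchaServiceFail());
        }
    }

    private KeyedMessage missingCaptchaResponse() {
        return this.i18nService.createKeyedMessage("stash.service.user.missingcaptcharesponse", new Object[0]);
    }

    /** Builds the exception for an unknown user; the caller is responsible for throwing it. */
    private NoSuchUserException newNoSuchUserException(String username) {
        return new NoSuchUserException(this.i18nService.createKeyedMessage("stash.service.users.noSuchUser", new Object[]{username}), username);
    }
}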
