package com.atlassian.applinks.oauth.auth;

import ch.qos.logback.classic.spi.CallerData;
import com.atlassian.activeobjects.internal.ActiveObjectsSettingKeys;
import com.atlassian.applinks.api.ApplicationId;
import com.atlassian.applinks.api.ApplicationLink;
import com.atlassian.applinks.api.ApplicationLinkService;
import com.atlassian.applinks.api.AuthorisationAdminURIGenerator;
import com.atlassian.applinks.api.TypeNotInstalledException;
import com.atlassian.applinks.api.auth.types.OAuthAuthenticationProvider;
import com.atlassian.applinks.core.RedirectController;
import com.atlassian.applinks.core.ServletPathConstants;
import com.atlassian.applinks.core.util.RequestUtil;
import com.atlassian.applinks.core.util.WebResources;
import com.atlassian.applinks.host.spi.InternalHostApplication;
import com.atlassian.applinks.internal.common.auth.oauth.ConsumerTokenStoreService;
import com.atlassian.applinks.internal.common.auth.oauth.OAuthMessageProblemException;
import com.atlassian.applinks.internal.common.net.ResponseHeaderUtil;
import com.atlassian.applinks.oauth.auth.servlets.consumer.AddServiceProviderManuallyServlet;
import com.atlassian.applinks.spi.auth.AuthenticationConfigurationManager;
import com.atlassian.applinks.ui.validators.CallbackParameterValidator;
import com.atlassian.oauth.ServiceProvider;
import com.atlassian.oauth.consumer.ConsumerService;
import com.atlassian.oauth.consumer.ConsumerToken;
import com.atlassian.plugin.webresource.UrlMode;
import com.atlassian.plugin.webresource.WebResourceManager;
import com.atlassian.sal.api.message.I18nResolver;
import com.atlassian.sal.api.net.ResponseException;
import com.atlassian.sal.api.user.UserManager;
import com.atlassian.sal.api.user.UserProfile;
import com.atlassian.streams.internal.applinks.OAuthCompletionServlet;
import com.atlassian.templaterenderer.TemplateRenderer;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.Lists;
import java.io.IOException;
import java.io.StringWriter;
import java.net.URI;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.annotation.Nonnull;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.oauth.OAuth;
import net.oauth.OAuthProblemException;
import org.apache.commons.lang.StringEscapeUtils;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/applinks-oauth-plugin-5.4.4.jar:com/atlassian/applinks/oauth/auth/OAuthApplinksServlet.class */
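/**
 * Servlet that runs the consumer side of the OAuth "dance" for an application link.
 *
 * <p>A request either starts the dance (a request token is obtained, stored for the current user
 * and the browser is redirected to the provider's authorize URI) or completes it (the
 * {@code oauth_token} returned by the provider is checked against the stored request token and
 * swapped for an access token). Every failure is rendered through the {@code oauth_dance.vm}
 * template.
 *
 * <p>Security-relevant inputs taken straight from the request: {@code applicationLinkID},
 * {@code redirectUrl}, {@code oauth_token} and {@code oauth_verifier}.
 */
public class OAuthApplinksServlet extends HttpServlet {
    private static final Logger LOG = LoggerFactory.getLogger(OAuthApplinksServlet.class);
    public static final String AUTHORIZE_PATH = "authorize";
    public static final String ACCESS_PATH = "access";

    @VisibleForTesting
    protected static final String APPLICATION_LINK_ID_PARAM = "applicationLinkID";
    private static final String REDIRECT_URL_PARAM = "redirectUrl";
    private static final String TEMPLATE = "com/atlassian/applinks/oauth/auth/oauth_dance.vm";
    private static final String ADMIN_ERROR_CHECK_CONFIG = "applinks.admin.error.message.check.for.misconfig";
    private static final String ADMIN_ERROR_CHECK_LINK = "applinks.admin.error.message.check.link";
    private static final String USER_ERROR_NOT_LOGGED_IN = "applinks.user.error.message.not.logged.in";
    private static final String USER_ERROR_ACCESS_DENIED = "applinks.user.error.message.access.denied";
    private static final String ERROR_NOT_LOGGED_IN = "auth.oauth.config.error.not.loggedin";
    private static final String ERROR_APPLINK_ID_REQUIRED = "auth.oauth.config.error.link.id.empty";
    private static final String ERROR_TYPE_NOT_LOADED = "auth.oauth.config.error.link.type.not.loaded";
    private static final String ERROR_NO_LINK_FOUND_FOR_ID = "auth.oauth.config.error.link.id";
    private static final String ERROR_OAUTH_DANCE = "auth.oauth.config.error.dance";
    private static final String ERROR_OATH_NOT_CONFIGURED = "auth.oauth.config.error.not.configured";
    private static final String ERROR_CONSUMER_UNKNOWN = "auth.oauth.config.error.dance.oauth.problem.consumer.unknown";
    private static final String ERROR_TOKEN_REJECTED = "auth.oauth.config.error.dance.oauth.problem.token.rejected";
    private static final String ERRROR_OAUTH_DANCE_PROBLEM = "auth.oauth.config.error.dance.oauth.problem";
    private static final String WARNING_TITLE_ACCESS_DENIED = "auth.oauth.config.dance.denied.title";
    private static final String WARNING_MESSAGE_ACCESS_DENIED = "auth.oauth.config.dance.denied.message";
    private final ConsumerTokenStoreService consumerTokenStoreService;
    private final OAuthTokenRetriever oAuthTokenRetriever;
    private final UserManager userManager;
    private final I18nResolver i18nResolver;
    private final WebResourceManager webResourceManager;
    private final TemplateRenderer templateRenderer;
    private final AuthenticationConfigurationManager authenticationConfigurationManager;
    private final ConsumerService consumerService;
    private final InternalHostApplication internalHostApplication;
    private final CallbackParameterValidator callbackParameterValidator;
    private final ApplicationLinkService applicationLinkService;
    private final RedirectController redirectController;

    /**
     * Names under which values are published to the Velocity template.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    @VisibleForTesting
    /* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/applinks-oauth-plugin-5.4.4.jar:com/atlassian/applinks/oauth/auth/OAuthApplinksServlet$TemplateVariable.class */
    public enum TemplateVariable {
        ADMIN_ERROR_MESSAGE("adminError"),
        // NOTE(review): constant resolved by the decompiler to a class in another plugin; the
        // original was presumably a string literal - confirm its value against the template.
        APPLINK_ID(OAuthCompletionServlet.APPLINK_ID_PARAM),
        AUTH_ADMIN_URI("authAdminUri"),
        ERROR("error"),
        ERROR_DETAILS("errorDetails"),
        REDIRECT_URL(OAuthApplinksServlet.REDIRECT_URL_PARAM),
        USER_ERROR_MESSAGE("userError"),
        WARNING_MESSAGE("warningMessage"),
        WARNING_TITLE("warningTitle"),
        WEB_RESOURCES("webResources");

        /** Key used for this variable in the template context map. */
        final String key;

        TemplateVariable(String str) {
            this.key = str;
        }
    }

    public OAuthApplinksServlet(ConsumerTokenStoreService consumerTokenStoreService, OAuthTokenRetriever oAuthTokenRetriever, UserManager userManager, I18nResolver i18nResolver, WebResourceManager webResourceManager, TemplateRenderer templateRenderer, AuthenticationConfigurationManager authenticationConfigurationManager, ConsumerService consumerService, InternalHostApplication internalHostApplication, CallbackParameterValidator callbackParameterValidator, ApplicationLinkService applicationLinkService, RedirectController redirectController) {
        this.consumerTokenStoreService = consumerTokenStoreService;
        this.oAuthTokenRetriever = oAuthTokenRetriever;
        this.userManager = userManager;
        this.i18nResolver = i18nResolver;
        this.webResourceManager = webResourceManager;
        this.templateRenderer = templateRenderer;
        this.authenticationConfigurationManager = authenticationConfigurationManager;
        this.consumerService = consumerService;
        this.internalHostApplication = internalHostApplication;
        this.callbackParameterValidator = callbackParameterValidator;
        this.applicationLinkService = applicationLinkService;
        this.redirectController = redirectController;
    }

    /**
     * Entry point for both legs of the dance.
     *
     * <p>Order of checks: a user must be logged in, {@code applicationLinkID} must be present, the
     * link must exist and must have OAuth configured. Only then is the request dispatched on the
     * {@code oauth_token} parameter and the path suffix.
     *
     * @throws IOException if the template or the redirect cannot be written
     */
    @Override
    protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        Map<String, Object> context = createVelocityContext(httpServletResponse);
        String applicationLinkId = getApplicationLinkId(httpServletRequest);
        // The id comes from the query string, so it is HTML-escaped before it reaches the template.
        context.put(TemplateVariable.APPLINK_ID.key, StringEscapeUtils.escapeHtml(applicationLinkId));
        ResponseHeaderUtil.preventCrossFrameClickJacking(httpServletResponse);
        if (this.userManager.getRemoteUser(httpServletRequest) == null) {
            addNotLoggedInUserErrorToContext(context);
            addErrorToContext(context, ERROR_NOT_LOGGED_IN);
            render(context, httpServletResponse);
            return;
        }
        if (StringUtils.isBlank(applicationLinkId)) {
            addErrorToContext(context, ERROR_APPLINK_ID_REQUIRED);
            addCheckConfigAdminErrorToContext(context);
            render(context, httpServletResponse);
            return;
        }
        try {
            // NOTE(review): if the ApplicationId constructor rejects malformed ids with an unchecked
            // exception, it escapes this method (only TypeNotInstalledException is caught) - confirm.
            ApplicationLink applicationLink = this.applicationLinkService.getApplicationLink(new ApplicationId(applicationLinkId));
            if (applicationLink == null) {
                // NOTE(review): the request-supplied id is passed into the message without the
                // escaping applied above; safe only if the template escapes $error or ApplicationId
                // restricts the accepted format - confirm.
                addErrorToContext(context, ERROR_NO_LINK_FOUND_FOR_ID, applicationLinkId);
                addCheckConfigAdminErrorToContext(context);
                render(context, httpServletResponse);
                return;
            }
            // From here on the template sees the id of the stored link, not the request value.
            context.put(TemplateVariable.APPLINK_ID.key, applicationLink.getId().toString());
            if (!this.authenticationConfigurationManager.isConfigured(applicationLink.getId(), OAuthAuthenticationProvider.class)) {
                addErrorToContext(context, ERROR_OATH_NOT_CONFIGURED, applicationLink.toString());
                addCheckLinkAdminErrorToContext(context, applicationLink.getName());
                render(context, httpServletResponse);
                return;
            }
            String token = getToken(httpServletRequest);
            try {
                // A null getPathInfo() raises a NullPointerException here, which the catch below
                // reports as a failed dance. A non-blank token with a path that ends in neither
                // suffix writes nothing to the response.
                if (StringUtils.isBlank(token) || httpServletRequest.getPathInfo().endsWith(AUTHORIZE_PATH)) {
                    obtainAndAuthorizeRequestToken(applicationLink, httpServletResponse, httpServletRequest);
                } else if (httpServletRequest.getPathInfo().endsWith(ACCESS_PATH)) {
                    getAccessToken(token, applicationLink, httpServletRequest);
                    String redirectUrl = getRedirectUrl(httpServletRequest);
                    if (StringUtils.isBlank(redirectUrl)) {
                        // Typed as Object so the instanceof/cast pair is valid whatever the declared
                        // return type of createAuthenticatedRequestFactory() is.
                        Object requestFactory = applicationLink.createAuthenticatedRequestFactory();
                        URI adminUri = null;
                        if (requestFactory instanceof AuthorisationAdminURIGenerator) {
                            adminUri = ((AuthorisationAdminURIGenerator) requestFactory).getAuthorisationAdminURI();
                        }
                        context.put(TemplateVariable.AUTH_ADMIN_URI.key, adminUri == null ? "" : adminUri.toString());
                        render(context, httpServletResponse);
                    } else {
                        // redirectUrl is request-controlled and has NOT been passed through
                        // CallbackParameterValidator on this path; whether the destination is
                        // restricted depends entirely on RedirectController.
                        // NOTE(review): confirm it refuses or warns on off-site targets.
                        this.redirectController.redirectOrPrintRedirectionWarning(httpServletResponse, redirectUrl);
                    }
                }
            } catch (Exception e) {
                handleExceptionThrownDuringTokenRequest(httpServletRequest, httpServletResponse, applicationLink, e, context);
            }
        } catch (TypeNotInstalledException e2) {
            LOG.error("Failed to get application link", e2);
            addErrorToContext(context, ERROR_TYPE_NOT_LOADED, applicationLinkId, e2.getType());
            addCheckConfigAdminErrorToContext(context);
            render(context, httpServletResponse);
        }
    }

    /**
     * Logs a failure of either leg of the dance and renders the matching error page.
     *
     * <p>Precedence: an {@link OAuthProblemException} as the cause, then
     * {@code OAuthPermissionDeniedException}, then {@link OAuthMessageProblemException}, then
     * {@link ResponseException}, then anything else.
     *
     * @throws IOException if the template cannot be written
     */
    private void handleExceptionThrownDuringTokenRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, @Nonnull ApplicationLink applicationLink, @Nonnull Exception exc, @Nonnull Map<String, Object> map) throws IOException {
        LOG.error("An error occurred when performing the oauth 'dance' for application link '" + applicationLink + "'", exc);
        addRedirectUrlToContext(httpServletRequest, map);
        if (exc.getCause() instanceof OAuthProblemException) {
            OAuthProblemException oAuthProblem = (OAuthProblemException) exc.getCause();
            String problem = oAuthProblem.getProblem();
            // Constant-first comparison: a provider response without an oauth_problem value yields
            // null here and must land in the generic branch rather than throw while reporting.
            if (OAuth.Problems.CONSUMER_KEY_UNKNOWN.equals(problem)) {
                addErrorToContext(map, ERROR_CONSUMER_UNKNOWN, this.internalHostApplication.getName(), applicationLink.getName());
            } else if (OAuth.Problems.TOKEN_REJECTED.equals(problem)) {
                addErrorToContext(map, ERROR_TOKEN_REJECTED);
            } else {
                addErrorToContext(map, ERRROR_OAUTH_DANCE_PROBLEM, applicationLink.toString(), String.valueOf(problem));
            }
            addCheckLinkAdminErrorToContext(map, applicationLink.getName());
            render(map, httpServletResponse);
            return;
        }
        if (exc instanceof OAuthPermissionDeniedException) {
            addWarningToContext(map, WARNING_TITLE_ACCESS_DENIED, WARNING_MESSAGE_ACCESS_DENIED, applicationLink.getName());
            addAccessDeniedUserErrorToContext(map, applicationLink.getName());
            render(map, httpServletResponse);
            return;
        }
        if (exc instanceof OAuthMessageProblemException) {
            List<String> details = getDetailsFromOAuthMessageProblemException((OAuthMessageProblemException) exc);
            // NOTE(review): the parameters of the failed OAuth message go to the log and to the
            // rendered page as errorDetails; if they can carry token or signature values, redact
            // them - confirm what getParameters() holds.
            LOG.error("Error during OAuth Dance, OAuth Parameters '{}'", StringUtils.join(details, ","));
            addErrorDetailsToContext(map, details);
        } else if (exc instanceof ResponseException) {
            // The exception message is shown to the user as the only error detail.
            addErrorDetailsToContext(map, Lists.newArrayList(exc.getLocalizedMessage()));
        }
        addErrorToContext(map, ERROR_OAUTH_DANCE, applicationLink.toString());
        addCheckLinkAdminErrorToContext(map, applicationLink.getName());
        render(map, httpServletResponse);
    }

    /** Publishes the localised text for {@code messageKey} as the template's error message. */
    private void addErrorToContext(@Nonnull Map<String, Object> context, @Nonnull String messageKey, @Nonnull String... args) {
        addVariableToContext(context, TemplateVariable.ERROR, messageKey, args);
    }

    /** Publishes the given lines as the template's error details. */
    private void addErrorDetailsToContext(@Nonnull Map<String, Object> context, @Nonnull List<String> details) {
        context.put(TemplateVariable.ERROR_DETAILS.key, details);
    }

    /** Publishes a warning title (no arguments) and a warning message formatted with {@code args}. */
    private void addWarningToContext(@Nonnull Map<String, Object> context, @Nonnull String titleKey, @Nonnull String messageKey, @Nonnull String... args) {
        addVariableToContext(context, TemplateVariable.WARNING_TITLE, titleKey);
        addVariableToContext(context, TemplateVariable.WARNING_MESSAGE, messageKey, args);
    }

    /** Adds the admin hint to check the configuration, formatted with the host application's name. */
    private void addCheckConfigAdminErrorToContext(@Nonnull Map<String, Object> context) {
        addVariableToContext(context, TemplateVariable.ADMIN_ERROR_MESSAGE, ADMIN_ERROR_CHECK_CONFIG, this.internalHostApplication.getName());
    }

    /** Adds the admin hint to check the link, formatted with the host name and {@code linkName}. */
    private void addCheckLinkAdminErrorToContext(@Nonnull Map<String, Object> context, @Nonnull String linkName) {
        addVariableToContext(context, TemplateVariable.ADMIN_ERROR_MESSAGE, ADMIN_ERROR_CHECK_LINK, this.internalHostApplication.getName(), linkName);
    }

    /** Adds the user-facing "not logged in" message, formatted with the host application's name. */
    private void addNotLoggedInUserErrorToContext(@Nonnull Map<String, Object> context) {
        addVariableToContext(context, TemplateVariable.USER_ERROR_MESSAGE, USER_ERROR_NOT_LOGGED_IN, this.internalHostApplication.getName());
    }

    /** Adds the user-facing "access denied" message, formatted with the host name and {@code linkName}. */
    private void addAccessDeniedUserErrorToContext(@Nonnull Map<String, Object> context, @Nonnull String linkName) {
        addVariableToContext(context, TemplateVariable.USER_ERROR_MESSAGE, USER_ERROR_ACCESS_DENIED, this.internalHostApplication.getName(), linkName);
    }

    /**
     * Resolves {@code messageKey} through the i18n resolver and stores the text under the
     * variable's key. The arguments are handed to the resolver as given; nothing is escaped here.
     */
    private void addVariableToContext(@Nonnull Map<String, Object> context, @Nonnull TemplateVariable templateVariable, @Nonnull String messageKey, @Nonnull String... args) {
        String text = args.length > 0 ? this.i18nResolver.getText(messageKey, args) : this.i18nResolver.getText(messageKey);
        context.put(templateVariable.key, text);
    }

    /** Renders the dance template with {@code context} to the response writer. */
    private void render(@Nonnull Map<String, Object> context, @Nonnull HttpServletResponse httpServletResponse) throws IOException {
        this.templateRenderer.render(TEMPLATE, context, httpServletResponse.getWriter());
    }

    /** Formats each parameter of the exception as {@code name: 'value'}. */
    private List<String> getDetailsFromOAuthMessageProblemException(@Nonnull OAuthMessageProblemException oAuthMessageProblemException) {
        List<String> details = new ArrayList<>();
        for (Map.Entry<String, String> entry : oAuthMessageProblemException.getParameters().entrySet()) {
            details.add(entry.getKey() + ": '" + entry.getValue() + "'");
        }
        return details;
    }

    /**
     * Publishes the request's {@code redirectUrl} to the template after passing it through the
     * callback validator, or a fallback constant when the parameter is absent.
     */
    private void addRedirectUrlToContext(@Nonnull HttpServletRequest httpServletRequest, @Nonnull Map<String, Object> context) {
        String redirectUrl = getValidatedRedirectUrl(httpServletRequest);
        if (redirectUrl == null) {
            // NOTE(review): constant resolved by the decompiler to an unrelated ActiveObjects
            // class; the original was presumably a plain string literal - confirm its value.
            redirectUrl = ActiveObjectsSettingKeys.MODEL_VERSION;
        }
        context.put(TemplateVariable.REDIRECT_URL.key, redirectUrl);
    }

    /**
     * Builds the base template context (i18n resolver and the plugin's web resources) and sets
     * the response content type to {@code text/html}.
     */
    private Map<String, Object> createVelocityContext(HttpServletResponse httpServletResponse) {
        Map<String, Object> context = new HashMap<>();
        context.put("i18n", this.i18nResolver);
        httpServletResponse.setContentType("text/html");
        this.webResourceManager.requireResource("com.atlassian.applinks.applinks-oauth-plugin:oauth-dance");
        StringWriter resourceTags = new StringWriter();
        this.webResourceManager.includeResources(resourceTags, UrlMode.RELATIVE);
        WebResources webResources = new WebResources();
        webResources.setIncludedResources(resourceTags.getBuffer().toString());
        context.put(TemplateVariable.WEB_RESOURCES.key, webResources);
        return context;
    }

    /** Returns the {@code oauth_token} request parameter, or {@code null} when absent. */
    private String getToken(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getParameter(OAuth.OAUTH_TOKEN);
    }

    /**
     * Completes the dance: swaps the stored request token for an access token and stores it for
     * the current user.
     *
     * <p>The token stored for (link, user) must equal the {@code oauth_token} in the request, which
     * ties the callback to the user who started the dance. If an access token is already stored
     * the method returns without contacting the provider.
     *
     * @param requestedToken the non-blank {@code oauth_token} from the request
     * @throws ResponseException if no token is stored for the user or the tokens differ
     */
    private void getAccessToken(String requestedToken, ApplicationLink applicationLink, HttpServletRequest httpServletRequest) throws ResponseException {
        String remoteUsername = getRemoteUsername(httpServletRequest);
        ConsumerToken storedToken = this.consumerTokenStoreService.getConsumerToken(applicationLink, remoteUsername);
        if (storedToken == null) {
            throw new ResponseException("Cannot get access token as no request token pair can be found");
        }
        if (storedToken.isAccessToken()) {
            return;
        }
        if (!requestedToken.equals(storedToken.getToken())) {
            throw new ResponseException("The oauth_token in the request is not the same as the token persisted in the system.");
        }
        ServiceProvider serviceProvider = ServiceProviderUtil.getServiceProvider((Map<String, String>) this.authenticationConfigurationManager.getConfiguration(applicationLink.getId(), OAuthAuthenticationProvider.class), applicationLink);
        ConsumerToken accessToken = this.oAuthTokenRetriever.getAccessToken(serviceProvider, storedToken, httpServletRequest.getParameter(OAuth.OAUTH_VERIFIER), getConsumerKey(applicationLink));
        // Replace the request token with the access token for this (link, user) pair.
        this.consumerTokenStoreService.removeConsumerToken(applicationLink.getId(), remoteUsername);
        this.consumerTokenStoreService.addConsumerToken(applicationLink, remoteUsername, accessToken);
    }

    /**
     * Starts the dance: obtains a request token, stores it for the current user and redirects
     * the browser to the provider's authorize URI.
     *
     * <p>The callback points back at this servlet's {@code access} path and carries the link id
     * and, when present, the URL-encoded {@code redirectUrl} from the request.
     *
     * @throws ResponseException if the request token cannot be obtained
     * @throws IOException if the redirect cannot be sent
     */
    private void obtainAndAuthorizeRequestToken(ApplicationLink applicationLink, HttpServletResponse httpServletResponse, HttpServletRequest httpServletRequest) throws ResponseException, IOException {
        ServiceProvider serviceProvider = ServiceProviderUtil.getServiceProvider((Map<String, String>) this.authenticationConfigurationManager.getConfiguration(applicationLink.getId(), OAuthAuthenticationProvider.class), applicationLink);
        String consumerKey = getConsumerKey(applicationLink);
        String redirectUrl = getRedirectUrl(httpServletRequest);
        // "?" replaces logback's CallerData.NA, which the decompiler substituted for the literal
        // because both have the same value; an OAuth servlet has no reason to depend on logback.
        // NOTE(review): the callback base comes from RequestUtil.getBaseURLFromRequest; if that
        // derives it from request headers, the callback host is client-influenced - confirm.
        // redirectUrl is only URL-encoded here, not validated; it returns on the access leg.
        String redirectSuffix = redirectUrl != null ? "&redirectUrl=" + URLEncoder.encode(redirectUrl, "UTF-8") : "";
        String callbackUrl = RequestUtil.getBaseURLFromRequest(httpServletRequest, this.internalHostApplication.getBaseUrl()) + ServletPathConstants.APPLINKS_SERVLETS_PATH + "/oauth/login-dance/" + ACCESS_PATH + "?" + APPLICATION_LINK_ID_PARAM + "=" + applicationLink.getId() + redirectSuffix;
        ConsumerToken requestToken = this.oAuthTokenRetriever.getRequestToken(serviceProvider, consumerKey, callbackUrl);
        this.consumerTokenStoreService.addConsumerToken(applicationLink, getRemoteUsername(httpServletRequest), requestToken);
        Map<String, String> authorizeParams = new HashMap<>();
        authorizeParams.put(OAuth.OAUTH_TOKEN, requestToken.getToken());
        authorizeParams.put(OAuth.OAUTH_CALLBACK, callbackUrl);
        httpServletResponse.sendRedirect(serviceProvider.getAuthorizeUri() + "?" + OAuth.formEncode(authorizeParams.entrySet()));
    }

    /** Returns the logged-in user's username, or {@code null} when no user is logged in. */
    private String getRemoteUsername(HttpServletRequest httpServletRequest) {
        UserProfile remoteUser = this.userManager.getRemoteUser(httpServletRequest);
        return remoteUser == null ? null : remoteUser.getUsername();
    }

    /**
     * Returns the outbound consumer key configured on the link, falling back to the host
     * application's own consumer key when the link's configuration has no such entry.
     */
    private String getConsumerKey(ApplicationLink applicationLink) {
        Map<String, String> configuration = (Map<String, String>) this.authenticationConfigurationManager.getConfiguration(applicationLink.getId(), OAuthAuthenticationProvider.class);
        if (configuration.containsKey(AddServiceProviderManuallyServlet.CONSUMER_KEY_OUTBOUND)) {
            return configuration.get(AddServiceProviderManuallyServlet.CONSUMER_KEY_OUTBOUND);
        }
        return this.consumerService.getConsumer().getKey();
    }

    /** Returns the raw {@code applicationLinkID} request parameter. */
    private String getApplicationLinkId(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getParameter(APPLICATION_LINK_ID_PARAM);
    }

    /**
     * Returns the raw, unvalidated {@code redirectUrl} request parameter. Use
     * {@link #getValidatedRedirectUrl} when the value is going to be placed in a page.
     */
    private String getRedirectUrl(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getParameter(REDIRECT_URL_PARAM);
    }

    /**
     * Returns the {@code redirectUrl} request parameter after handing it to the callback
     * validator, or {@code null} when the parameter is absent.
     */
    private String getValidatedRedirectUrl(HttpServletRequest httpServletRequest) {
        String redirectUrl = httpServletRequest.getParameter(REDIRECT_URL_PARAM);
        if (redirectUrl != null) {
            // The call's result is not used; presumably validate() throws on a rejected value.
            // NOTE(review): confirm, otherwise this check has no effect.
            this.callbackParameterValidator.validate(redirectUrl);
        }
        return redirectUrl;
    }
}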
