package com.atlassian.security.auth.trustedapps.filter;

import com.atlassian.security.auth.trustedapps.ApplicationCertificate;
import com.atlassian.security.auth.trustedapps.DefaultEncryptedCertificate;
import com.atlassian.security.auth.trustedapps.InvalidCertificateException;
import com.atlassian.security.auth.trustedapps.TransportErrorMessage;
import com.atlassian.security.auth.trustedapps.TrustedApplication;
import com.atlassian.security.auth.trustedapps.TrustedApplicationUtils;
import com.atlassian.security.auth.trustedapps.TrustedApplicationsManager;
import com.atlassian.security.auth.trustedapps.UnableToVerifySignatureException;
import com.atlassian.security.auth.trustedapps.UserResolver;
import com.atlassian.security.auth.trustedapps.filter.Authenticator;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/atlassian-bundled-plugins/atlassian-refapp-sal-plugin-3.4.0-c8ebc54.jar:META-INF/lib/atlassian-trusted-apps-core-4.1.0.jar:com/atlassian/security/auth/trustedapps/filter/TrustedApplicationFilterAuthenticator.class
  input_file:WEB-INF/atlassian-bundled-plugins/atlassian-refapp-sal-trust-plugin-3.4.0-c8ebc54.jar:META-INF/lib/atlassian-trusted-apps-core-4.1.0.jar:com/atlassian/security/auth/trustedapps/filter/TrustedApplicationFilterAuthenticator.class
 */
/* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/atlassian-refapp-trusted-apps-plugin-3.4.0-c8ebc54.jar:META-INF/lib/atlassian-trusted-apps-core-4.1.0.jar:com/atlassian/security/auth/trustedapps/filter/TrustedApplicationFilterAuthenticator.class */
/**
 * {@link Authenticator} for Atlassian Trusted Applications requests.
 *
 * <p>Reads the {@code X-Seraph-Trusted-App-*} request headers, checks the protocol version,
 * looks up the sending application in the {@link TrustedApplicationsManager}, decodes the
 * encrypted certificate, verifies the URL signature, and finally resolves the certified user
 * to a {@link Principal} that the {@link AuthenticationController} must allow to log in.
 *
 * <p>Every rejected request has {@code X-Seraph-Trusted-App-Status: ERROR} and an
 * {@code X-Seraph-Trusted-App-Error} header written on the response (see
 * {@link #setFailureHeader}). Rejections are reported either as
 * {@link Authenticator.Result.Error} (malformed / unsupported request, bad certificate or
 * signature) or as {@link Authenticator.Result.Failure} (well-formed request for an unknown
 * application, unknown user, or a user that may not log in).
 *
 * <p>This listing is decompiled (JADX) output: local variable names such as {@code header2}
 * are synthetic and do not reflect the original source.
 */
public class TrustedApplicationFilterAuthenticator implements Authenticator {
    private static final Logger log = LoggerFactory.getLogger(TrustedApplicationFilterAuthenticator.class);
    /** Standard Servlet request attribute carrying the original request URI of a forwarded request. */
    protected static final String FORWARD_REQUEST_URI = "javax.servlet.forward.request_uri";
    /** Registry of applications this instance trusts; consulted by application ID. */
    final TrustedApplicationsManager appManager;
    /** Maps a decoded certificate to a local {@link Principal}. */
    final UserResolver resolver;
    /** Final authorization gate: decides whether the resolved principal may log in for this request. */
    final AuthenticationController authenticationController;

    /**
     * Creates an authenticator backed by the given collaborators.
     *
     * @param trustedApplicationsManager registry used to look up the requesting application by ID
     * @param userResolver resolves the user named in a decoded certificate to a principal
     * @param authenticationController decides whether a resolved principal may log in
     */
    public TrustedApplicationFilterAuthenticator(TrustedApplicationsManager trustedApplicationsManager, UserResolver userResolver, AuthenticationController authenticationController) {
        this.appManager = trustedApplicationsManager;
        this.resolver = userResolver;
        this.authenticationController = authenticationController;
    }

    /**
     * Null-safe {@code num >= i}; a {@code null} value counts as "not at least".
     *
     * <p>Not referenced anywhere in this class as decompiled.
     */
    private static boolean atLeast(Integer num, int i) {
        return num != null && num.intValue() >= i;
    }

    /**
     * Attempts a trusted-application login for the given request.
     *
     * <p>Outline of the checks, in order:
     * <ol>
     *   <li>No {@code X-Seraph-Trusted-App-Cert} header: {@link Authenticator.Result.NoAttempt}
     *       (no headers are written in this case).</li>
     *   <li>Protocol version header must parse as an integer (blank is treated as 0) and must be
     *       exactly the version returned by {@link TrustedApplicationUtils#getProtocolVersionInUse()}.</li>
     *   <li>Application ID header is required; for protocol version two the secret-key and
     *       magic-number headers are required as well.</li>
     *   <li>The application must be registered with {@link #appManager}.</li>
     *   <li>The certificate is decoded and the signature header is verified against the
     *       certificate creation time, the full request URL (including query string) and the
     *       certified user name.</li>
     *   <li>The certified user must resolve to a principal that
     *       {@link AuthenticationController#canLogin} accepts.</li>
     * </ol>
     *
     * @param httpServletRequest the incoming request carrying the trusted-app headers
     * @param httpServletResponse response on which failure headers are written
     * @return the authentication outcome; never {@code null}
     */
    @Override // com.atlassian.security.auth.trustedapps.filter.Authenticator
    public Authenticator.Result authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        // Encrypted certificate. Its absence means this is not a trusted-app request at all.
        String header = httpServletRequest.getHeader("X-Seraph-Trusted-App-Cert");
        if (isBlank(header)) {
            return new Authenticator.Result.NoAttempt();
        }
        String header2 = httpServletRequest.getHeader(TrustedApplicationUtils.Header.Request.VERSION);
        try {
            // A blank version header is treated as protocol version 0; a non-numeric one
            // raises NumberFormatException and is reported as BadProtocolVersion below.
            Integer valueOf = Integer.valueOf(!isBlank(header2) ? Integer.parseInt(header2) : 0);
            // Only the exact version currently in use is accepted.
            if (!valueOf.equals(TrustedApplicationUtils.getProtocolVersionInUse())) {
                Authenticator.Result.Error error = new Authenticator.Result.Error(new TransportErrorMessage.UnSupportedProtocolVersion(valueOf));
                setFailureHeader(httpServletResponse, error.getMessage());
                return error;
            }
            String header3 = httpServletRequest.getHeader("X-Seraph-Trusted-App-ID");
            if (isBlank(header3)) {
                Authenticator.Result.Error error2 = new Authenticator.Result.Error(new TransportErrorMessage.ApplicationIdNotFoundInRequest());
                setFailureHeader(httpServletResponse, error2.getMessage());
                return error2;
            }
            // Secret key and magic number are mandatory only for protocol version two;
            // for other versions they are passed through to decode() possibly as null.
            String header4 = httpServletRequest.getHeader("X-Seraph-Trusted-App-Key");
            String header5 = httpServletRequest.getHeader(TrustedApplicationUtils.Header.Request.MAGIC);
            if (TrustedApplicationUtils.Constant.VERSION_TWO.equals(TrustedApplicationUtils.getProtocolVersionInUse())) {
                if (isBlank(header4)) {
                    Authenticator.Result.Error error3 = new Authenticator.Result.Error(new TransportErrorMessage.SecretKeyNotFoundInRequest());
                    setFailureHeader(httpServletResponse, error3.getMessage());
                    return error3;
                }
                if (isBlank(header5)) {
                    Authenticator.Result.Error error4 = new Authenticator.Result.Error(new TransportErrorMessage.MagicNumberNotFoundInRequest());
                    setFailureHeader(httpServletResponse, error4.getMessage());
                    return error4;
                }
            }
            // An unregistered application is a Failure (not an Error): the request was
            // well-formed, the sender is simply not trusted.
            TrustedApplication trustedApplication = this.appManager.getTrustedApplication(header3);
            if (trustedApplication == null) {
                Authenticator.Result.Failure failure = new Authenticator.Result.Failure(new TransportErrorMessage.ApplicationUnknown(header3));
                setFailureHeader(httpServletResponse, failure.getMessage());
                return failure;
            }
            try {
                // Decoding is delegated to the trusted application (it owns the key material);
                // any problem surfaces as InvalidCertificateException.
                ApplicationCertificate decode = trustedApplication.decode(new DefaultEncryptedCertificate(header3, header4, header, valueOf, header5), httpServletRequest);
                String header6 = httpServletRequest.getHeader(TrustedApplicationUtils.Header.Request.SIGNATURE);
                // Unlike the other headers, only an absent signature is rejected here; a
                // present-but-blank value is handed on to verifySignature().
                if (header6 == null) {
                    Authenticator.Result.Error error5 = new Authenticator.Result.Error(new TransportErrorMessage.BadSignature());
                    setFailureHeader(httpServletResponse, error5.getMessage());
                    return error5;
                }
                // The signed URL is the pre-forward URI when the request was forwarded by the
                // container, otherwise the request URL as seen by the servlet. When no forward
                // occurred the query string is appended to the StringBuffer returned by
                // getRequestURL() itself.
                String logicalUri = getLogicalUri(httpServletRequest);
                log.debug("Got forward URI: {}", logicalUri);
                StringBuffer requestURL = logicalUri == null ? httpServletRequest.getRequestURL() : new StringBuffer(logicalUri);
                log.debug("Going ahead with URI: {}", requestURL);
                String queryString = httpServletRequest.getQueryString();
                if (queryString != null) {
                    requestURL.append('?');
                    requestURL.append(queryString);
                }
                String stringBuffer = requestURL.toString();
                try {
                    // Signature covers the certificate creation time, the full URL and the
                    // certified user name. Note: neither the certificate nor the key header
                    // is written to the log on this path.
                    if (!trustedApplication.verifySignature(decode.getCreationTime().getTime(), stringBuffer, decode.getUserName(), header6)) {
                        log.warn(String.format("Failed to login trusted application [%s] due to bad URL signature. Received protocol version [%d]. Required protocol version [%d]", trustedApplication.getID(), decode.getProtocolVersion(), TrustedApplicationUtils.getProtocolVersionInUse()));
                        Authenticator.Result.Error error6 = new Authenticator.Result.Error(new TransportErrorMessage.BadSignature(stringBuffer));
                        setFailureHeader(httpServletResponse, error6.getMessage());
                        return error6;
                    }
                    // A certified user that does not exist locally is a Failure, not an Error.
                    Principal resolve = this.resolver.resolve(decode);
                    if (resolve == null) {
                        log.warn("User '" + decode.getUserName() + "' referenced by trusted application: '" + trustedApplication.getID() + "' is not found.");
                        Authenticator.Result.Failure failure2 = new Authenticator.Result.Failure(new TransportErrorMessage.UserUnknown(decode.getUserName()));
                        setFailureHeader(httpServletResponse, failure2.getMessage());
                        return failure2;
                    }
                    if (this.authenticationController.canLogin(resolve, httpServletRequest)) {
                        // stringBuffer comes from StringBuffer.toString() and is never null, so the
                        // single-argument Success branch is unreachable as written.
                        return stringBuffer != null ? new Authenticator.Result.Success(resolve, stringBuffer) : new Authenticator.Result.Success(resolve);
                    }
                    log.warn("User '" + decode.getUserName() + "' referenced by trusted application: '" + trustedApplication.getID() + "' cannot login.");
                    Authenticator.Result.Failure failure3 = new Authenticator.Result.Failure(new TransportErrorMessage.PermissionDenied());
                    setFailureHeader(httpServletResponse, failure3.getMessage());
                    return failure3;
                } catch (UnableToVerifySignatureException e) {
                    // Inability to verify is reported to the client exactly like a failed verification.
                    log.warn("Failed to login trusted application: " + trustedApplication.getID() + " due to: " + e);
                    Authenticator.Result.Error error7 = new Authenticator.Result.Error(new TransportErrorMessage.BadSignature(stringBuffer));
                    setFailureHeader(httpServletResponse, error7.getMessage());
                    return error7;
                }
            } catch (InvalidCertificateException e2) {
                // The exception carries its own client-facing transport message; the stack
                // trace is only emitted at debug level.
                log.warn("Failed to login trusted application: " + trustedApplication.getID() + " due to: " + e2);
                log.debug("Failed to login trusted application cause", e2);
                Authenticator.Result.Error error8 = new Authenticator.Result.Error(e2.getTransportErrorMessage());
                setFailureHeader(httpServletResponse, error8.getMessage());
                return error8;
            }
        } catch (NumberFormatException e3) {
            // Raised by Integer.parseInt on a non-numeric version header.
            Authenticator.Result.Error error9 = new Authenticator.Result.Error(new TransportErrorMessage.BadProtocolVersion(header2));
            setFailureHeader(httpServletResponse, error9.getMessage());
            return error9;
        }
    }

    /**
     * Reconstructs the URL the client originally requested when the container has forwarded
     * the request (servlet attribute {@link #FORWARD_REQUEST_URI} is set).
     *
     * <p>Scheme and authority are taken from the current {@code getRequestURL()}; only the path
     * is replaced by the pre-forward URI. {@code create.getQuery()} is normally {@code null}
     * because {@code getRequestURL()} excludes the query string.
     *
     * @param httpServletRequest the (possibly forwarded) request
     * @return the rebuilt URL, or {@code null} if the request was not forwarded or the
     *         forwarded path cannot be combined into a valid URI
     */
    protected String getLogicalUri(HttpServletRequest httpServletRequest) {
        String str = (String) httpServletRequest.getAttribute(FORWARD_REQUEST_URI);
        if (str == null) {
            return null;
        }
        URI create = URI.create(httpServletRequest.getRequestURL().toString());
        try {
            return new URI(create.getScheme(), create.getAuthority(), str, create.getQuery(), create.getFragment()).toString();
        } catch (URISyntaxException e) {
            // Fall back to the servlet's own request URL (caller treats null as "no forward").
            log.warn("forwarded request had invalid original URI path: " + str);
            return null;
        }
    }

    /**
     * Marks the response as a rejected trusted-app request.
     *
     * <p>Sets {@code X-Seraph-Trusted-App-Status: ERROR} and adds the given message as
     * {@code X-Seraph-Trusted-App-Error}; the message text is therefore visible to the caller.
     * At debug level the message is logged together with a synthetic {@link RuntimeException}
     * so the rejecting call site can be located from the stack trace.
     *
     * @param httpServletResponse response to annotate
     * @param str client-facing error message (a {@link TransportErrorMessage} rendering)
     */
    private static void setFailureHeader(HttpServletResponse httpServletResponse, String str) {
        httpServletResponse.setHeader("X-Seraph-Trusted-App-Status", "ERROR");
        httpServletResponse.addHeader("X-Seraph-Trusted-App-Error", str);
        if (log.isDebugEnabled()) {
            // The exception is created only to capture the current stack; it is not thrown.
            log.debug(str, new RuntimeException(str));
        }
    }

    /** Returns {@code true} for {@code null} or whitespace-only strings. */
    private static boolean isBlank(String str) {
        return str == null || str.trim().length() == 0;
    }
}
