package com.atlassian.jira.web.filters.security;

import com.atlassian.jira.component.ComponentAccessor;
import com.atlassian.jira.security.annotated.AnnotatedSecurityChecker;
import com.atlassian.jira.security.annotated.AnnotatedSecurityEnabledCheck;
import com.atlassian.jira.security.annotated.SecureDefaultsStats;
import com.atlassian.jira.servlet.ServletRequestUtil;
import com.atlassian.jira.web.filters.annotations.CheckResult;
import com.atlassian.plugin.servlet.filter.DelegatingPluginFilter;
import com.atlassian.sal.core.permission.AccessType;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Stopwatch;
import com.google.common.collect.ImmutableMap;
import java.io.IOException;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/atlassian/jira/web/filters/security/AccessCheckFilter.class */
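/**
 * Wrapper that gates a servlet {@link Filter} behind an {@link AccessType} check.
 *
 * <p>On each request the wrapper asks the current {@link AnnotatedSecurityChecker} whether the
 * wrapped filter's access type is allowed. If it is, or if annotated security is globally
 * disabled, the wrapped filter runs. Otherwise the wrapped filter is skipped and the request
 * continues down the chain.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>A denied filter is <em>skipped</em>; the request itself is not rejected. This is only
 *       safe when the skipped filter adds functionality rather than enforcing a control.
 *   <li>{@link AnnotatedSecurityEnabledCheck#isAnnotatedSecurityDisabled()} returning
 *       {@code true} turns the check off for every wrapped filter.
 *   <li>Denials are logged at DEBUG only and reported to {@link SecureDefaultsStats} when that
 *       component is available.
 * </ul>
 *
 * <p>NOTE(review): this class does not override {@code destroy()}. Confirm that whoever owns the
 * wrapped filter's lifecycle calls its {@code destroy()} directly.
 */
public class AccessCheckFilter implements Filter {
    private static final Logger log = LoggerFactory.getLogger(AccessCheckFilter.class);

    /**
     * Hard-coded access types keyed by fully-qualified filter class name, consulted before the
     * lookup through {@code AccessType.getAccessType(...)} in {@link #getAccessType(Filter)}.
     * Filters mapped to {@link AccessType#UNRESTRICTED_ACCESS} are never wrapped.
     *
     * <p>NOTE(review): the key is the class <em>name</em> only; the defining class loader or
     * plugin is not compared. In a multi-class-loader deployment, confirm that a class carrying
     * one of these names can only originate from the expected bundle, because a name match alone
     * exempts the filter from the check.
     *
     * <p>NOTE(review): the last entry names a test fixture
     * ({@code TestAccessCheckFilter$AdminOnlyFilter}). It maps to the most restrictive value
     * shown here, but test-only names in a production table are worth removing.
     */
    private static final Map<String, AccessType> FILTER_TO_ACCESS_TYPE_SHORTCUT =
            ImmutableMap.<String, AccessType>builder()
                    .put("com.atlassian.prettyurls.filter.PrettyUrlsCombinedMatchDispatcherFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.prettyurls.filter.PrettyUrlsDispatcherFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.prettyurls.filter.PrettyUrlsMatcherFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFixupFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.web.servlet.plugin.LocationCleanerFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.web.servlet.plugin.ThreadIdFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.web.servlet.plugin.RedirectMeFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.analytics.client.filter.JiraAnalyticsFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.analytics.client.filter.UniversalAnalyticsFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.app.usage.core.features.common.usage.rest.filter.CapturingRestFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.app.usage.core.features.user.interaction.servlet.filter.CapturingServletFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.applinks.basic.rest.context.ContextFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.applinks.core.rest.context.ContextFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.applinks.cors.rest.context.ContextFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.applinks.oauth.rest.context.ContextFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.applinks.trusted.rest.context.ContextFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.diagnostics.internal.platform.monitor.http.HttpRequestMonitoringFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.jira.baseurl.IncludeResourcesFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.jira.tzdetect.IncludeResourcesFilter", AccessType.UNLICENSED_SITE_ACCESS)
                    .put("com.atlassian.jira.mobile.servlet.filter.DesktopSwitchFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.jira.mobile.servlet.filter.MobileAuthenticationFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.jira.mobile.servlet.filter.MobileRedirectFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.jira.plugin.mobile.login.MobileLoginSuccessFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.jira.plugin.mobile.web.filter.MobileAppRequestFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.jira.plugin.mobile.web.filter.ServerInfoFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.jwt.internal.servlet.JwtAuthFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.labs.botkiller.BotKillerFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.mywork.client.filter.ServingRequestsFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.oauth.serviceprovider.internal.servlet.OAuthFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.oauth2.provider.core.web.AccessTokenFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.oauth2.scopes.web.ReadWriteScopeFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.pats.web.filter.TokenBasedAuthenticationFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.plugin.servlet.filter.DelegatingPluginFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.plugins.authentication.basicauth.filter.DisableBasicAuthFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.plugins.authentication.sso.web.filter.authentication.SeraphAuthenticationFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.plugins.authentication.sso.web.filter.loginform.JsmAwareDisableNativeLoginAuthFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.plugins.authentication.sso.web.filter.logout.LogoutFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.plugins.authentication.sso.web.filter.ErrorHandlingFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.labs.httpservice.resource.ResourceFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.plugins.rest.module.servlet.RestSeraphFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.plugins.rest.module.servlet.RestServletFilterModuleContainerServlet", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.plugins.rest.module.servlet.RestServletUtilsUpdaterFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.plugins.rest.v2.servlet.RestServletFilterModuleContainerServlet", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.plugins.rest.v2.servlet.RestServletUtilsUpdaterFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.ratelimiting.internal.filter.RateLimitFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.ratelimiting.internal.filter.RateLimitPreAuthFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.theme.filter.DefaultRequestOverrideServletFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.troubleshooting.thready.filter.UrlThreadNamingFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.troubleshooting.thready.filter.UserThreadNamingFilter", AccessType.UNLICENSED_SITE_ACCESS)
                    .put("com.atlassian.gadgets.renderer.internal.servlet.GadgetSpecUrlRenderPermissionServletFilter", AccessType.LICENSED_ONLY)
                    .put("com.atlassian.jira.collector.plugin.components.bootstrap.OldBootstrapScriptUrlRedirectFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.jira.collector.plugin.transformer.IssueCollectorP3PFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.jira.collector.plugin.transformer.LegacyJQueryProviderFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.jira.collector.plugin.transformer.WebResourceFixererUpper", AccessType.UNRESTRICTED_ACCESS)
                    .put("org.apache.shindig.auth.AuthenticationServletFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.crowd.plugin.rest.filter.BasicApplicationAuthenticationFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.crowd.plugin.rest.filter.RestServiceVersionFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.crowd.plugin.rest.filter.SeraphDisablerFilter", AccessType.UNRESTRICTED_ACCESS)
                    .put("com.atlassian.jira.web.filters.security.TestAccessCheckFilter$AdminOnlyFilter", AccessType.SYSTEM_ADMIN_ONLY)
                    .build();

    /** The filter that is invoked when the access check passes. */
    private final Filter filter;

    /** Class name of the filter whose access type was resolved; used in log output only. */
    private final String innerFilterClassName;

    /** Access type required to run {@link #filter}; never {@code UNRESTRICTED_ACCESS}. */
    private final AccessType accessType;

    private final AnnotatedSecurityEnabledCheck annotatedSecurityEnabledCheck;

    /** Queried on every request for the checker that decides whether the filter may run. */
    private final Supplier<AnnotatedSecurityChecker> securityCheckerSupplier;

    /**
     * Wraps {@code filter} in an access check unless its access type is unrestricted.
     *
     * <p>NOTE(review): overloads are chosen by static type. A {@link DelegatingPluginFilter}
     * passed through a {@code Filter}-typed reference lands here, matches the
     * {@code DelegatingPluginFilter} entry in {@link #FILTER_TO_ACCESS_TYPE_SHORTCUT}, and is
     * returned unwrapped without its delegate being inspected. Confirm that callers always use
     * the {@link #maybeWrap(DelegatingPluginFilter)} overload for plugin filters.
     *
     * @param filter the filter to protect
     * @return {@code filter} itself when unrestricted, otherwise a wrapping {@code AccessCheckFilter}
     */
    public static Filter maybeWrap(Filter filter) {
        return maybeWrap(filter, filter, new AnnotatedSecurityEnabledCheck(), ServletRequestUtil::getSecurityChecker);
    }

    /**
     * Wraps a plugin filter, resolving the access type from the filter it delegates to.
     *
     * @param delegatingPluginFilter the plugin filter to protect
     * @return the argument itself when its delegate is unrestricted, otherwise a wrapping
     *     {@code AccessCheckFilter}
     */
    public static Filter maybeWrap(DelegatingPluginFilter delegatingPluginFilter) {
        return maybeWrap(
                delegatingPluginFilter,
                delegatingPluginFilter.getDelegatingFilter(),
                new AnnotatedSecurityEnabledCheck(),
                ServletRequestUtil::getSecurityChecker);
    }

    /**
     * Shared implementation of the public {@code maybeWrap} overloads.
     *
     * @param filter the filter that will actually be invoked
     * @param filter2 the filter whose class determines the access type
     * @param annotatedSecurityEnabledCheck global on/off switch for the check
     * @param supplier source of the per-request security checker
     * @return {@code filter} when the resolved access type is unrestricted, otherwise a wrapper
     */
    @VisibleForTesting
    static Filter maybeWrap(Filter filter, Filter filter2, AnnotatedSecurityEnabledCheck annotatedSecurityEnabledCheck, Supplier<AnnotatedSecurityChecker> supplier) {
        AccessType resolved = getAccessType(filter2);
        if (resolved == AccessType.UNRESTRICTED_ACCESS) {
            // Nothing to enforce, so avoid the per-request overhead of a wrapper.
            return filter;
        }
        return new AccessCheckFilter(filter, filter2.getClass().getName(), resolved, annotatedSecurityEnabledCheck, supplier);
    }

    private AccessCheckFilter(
            Filter filter,
            String innerFilterClassName,
            AccessType accessType,
            AnnotatedSecurityEnabledCheck annotatedSecurityEnabledCheck,
            Supplier<AnnotatedSecurityChecker> supplier) {
        Preconditions.checkArgument(accessType != AccessType.UNRESTRICTED_ACCESS);
        this.filter = Objects.requireNonNull(filter);
        this.innerFilterClassName = Objects.requireNonNull(innerFilterClassName);
        this.accessType = Objects.requireNonNull(accessType);
        // doFilter dereferences this first on every request, so reject null at construction
        // like the other collaborators instead of failing on the first request.
        this.annotatedSecurityEnabledCheck =
                Objects.requireNonNull(annotatedSecurityEnabledCheck, "annotatedSecurityEnabledCheck");
        this.securityCheckerSupplier = Objects.requireNonNull(supplier);
    }

    /** Forwards initialisation to the wrapped filter. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filter.init(filterConfig);
    }

    /**
     * Runs the wrapped filter when the access check passes; otherwise skips it and continues the
     * chain. The time spent deciding is reported to {@link SecureDefaultsStats} when available.
     *
     * @throws IOException if the wrapped filter or the rest of the chain throws it
     * @throws ServletException if the wrapped filter or the rest of the chain throws it
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        Stopwatch timer = Stopwatch.createStarted();

        // Short-circuit order matters: when annotated security is disabled the checker is not
        // consulted at all.
        boolean allowed = this.annotatedSecurityEnabledCheck.isAnnotatedSecurityDisabled()
                || this.securityCheckerSupplier.get().isAllowedFor(this.accessType);

        if (allowed) {
            ComponentAccessor.getComponentSafely(SecureDefaultsStats.class)
                    .ifPresent(stats -> stats.filterAllowed(timer.elapsed(TimeUnit.MICROSECONDS)));
            this.filter.doFilter(servletRequest, servletResponse, filterChain);
            return;
        }

        if (log.isDebugEnabled()) {
            if (this.accessType == AccessType.EMPTY) {
                log.debug("{} Skipping filter {} as it is not allowed for the current user. The filter has no security annotation and so we use the default value.", CheckResult.CHECK_TAG, this.innerFilterClassName);
            } else {
                log.debug("{} Skipping filter {} as it is not allowed for the current user. The filter has accessType={}.", new Object[] {CheckResult.CHECK_TAG, this.innerFilterClassName, this.accessType});
            }
        }
        ComponentAccessor.getComponentSafely(SecureDefaultsStats.class)
                .ifPresent(stats -> stats.filterNotAllowed(timer.elapsed(TimeUnit.MICROSECONDS)));

        // The denied filter is bypassed, not the request: downstream filters and the target
        // resource still run.
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /** Returns the wrapped filter. */
    @VisibleForTesting
    Filter getFilter() {
        return this.filter;
    }

    /**
     * Resolves the access type for {@code filter}: the class-name table wins; otherwise the
     * type is looked up from the filter class's {@code doFilter} method via
     * {@code AccessType.getAccessType} (presumably a security-annotation lookup; verify there).
     */
    private static AccessType getAccessType(Filter filter) {
        Class<?> filterClass = filter.getClass();
        AccessType shortcut = FILTER_TO_ACCESS_TYPE_SHORTCUT.get(filterClass.getName());
        if (shortcut != null) {
            return shortcut;
        }
        return AccessType.getAccessType(filterClass, "doFilter", new Class[] {ServletRequest.class, ServletResponse.class, FilterChain.class});
    }
}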
