package com.atlassian.jira.web.filters.annotations;

import com.atlassian.annotations.security.UnrestrictedAccess;
import com.atlassian.core.filters.AbstractHttpFilter;
import com.atlassian.jira.component.ComponentAccessor;
import com.atlassian.jira.security.annotated.AnnotatedSecurityEnabledCheck;
import com.atlassian.jira.security.annotated.SecureDefaultsStats;
import com.atlassian.jira.servlet.ServletRequestUtil;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Stopwatch;
import java.io.IOException;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@UnrestrictedAccess
/* loaded from: input_file:com/atlassian/jira/web/filters/annotations/ServletSecurityAnnotationsFilter.class */
/**
 * Servlet filter that decides, per request, whether the request may continue down the chain.
 *
 * <p>The decision comes from three collaborators consulted in a fixed order: the allowlist
 * checker, then the JSP checker, then the annotation checker. The first one that yields a
 * {@code CheckResult} wins; the annotation checker is the final fallback and always yields one.
 *
 * <p>Outcomes visible in this class:
 * <ul>
 *   <li>annotated security disabled: the request is passed on without any check;</li>
 *   <li>result is "not found": the response is a 404 and the chain is not invoked;</li>
 *   <li>result is "allowed": the chain is invoked;</li>
 *   <li>anything else: the caller is redirected to the login screen and the chain is not invoked.</li>
 * </ul>
 *
 * <p>NOTE(review): the class itself carries {@code @UnrestrictedAccess}; presumably that marks the
 * filter as reachable without authentication so it can make the decision itself. Confirm against
 * the annotation's documentation.
 */
public class ServletSecurityAnnotationsFilter extends AbstractHttpFilter {
    private static final Logger log = LoggerFactory.getLogger(ServletSecurityAnnotationsFilter.class);
    private final AnnotatedSecurityEnabledCheck annotatedSecurityEnabledCheck;
    private final AllowlistChecker allowlistChecker;
    private final JspChecker jspChecker;
    private final AnnotationChecker annotationChecker;

    /**
     * Creates the filter with default collaborators, each checker being handed
     * {@code ServletRequestUtil::getSecurityChecker}.
     */
    public ServletSecurityAnnotationsFilter() {
        this(
                new AnnotatedSecurityEnabledCheck(),
                new AllowlistChecker(ServletRequestUtil::getSecurityChecker),
                new JspChecker(ServletRequestUtil::getSecurityChecker),
                new AnnotationChecker(ServletRequestUtil::getSecurityChecker));
    }

    /**
     * Creates the filter with explicitly supplied collaborators (test seam).
     *
     * @param annotatedSecurityEnabledCheck reports whether annotated security is switched off
     * @param allowlistChecker first checker consulted; may yield no result
     * @param jspChecker second checker consulted; may yield no result
     * @param annotationChecker last checker consulted; always yields a result
     */
    @VisibleForTesting
    ServletSecurityAnnotationsFilter(AnnotatedSecurityEnabledCheck annotatedSecurityEnabledCheck, AllowlistChecker allowlistChecker, JspChecker jspChecker, AnnotationChecker annotationChecker) {
        this.annotatedSecurityEnabledCheck = annotatedSecurityEnabledCheck;
        this.allowlistChecker = allowlistChecker;
        this.jspChecker = jspChecker;
        this.annotationChecker = annotationChecker;
    }

    /**
     * Applies the access decision to one request.
     *
     * @param httpServletRequest the incoming request, handed to each checker
     * @param httpServletResponse the response, used for the 404 and for the login redirect
     * @param filterChain the remaining chain, invoked only when the request is let through
     * @throws IOException propagated from the chain or from {@code sendError}
     * @throws ServletException propagated from the chain
     */
    protected void doFilter(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        // Security-relevant: with the feature switched off this filter enforces nothing at all.
        if (annotatedSecurityEnabledCheck.isAnnotatedSecurityDisabled()) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }

        // Started before the first checker runs, so the recorded time covers the whole decision.
        Stopwatch timer = Stopwatch.createStarted();
        Optional<CheckResult> allowlistVerdict = allowlistChecker.checkAllowlist(httpServletRequest);
        // Later checkers are evaluated lazily: each runs only if the previous one gave no result.
        CheckResult verdict = allowlistVerdict.orElseGet(
                () -> jspChecker.checkJsps(httpServletRequest).orElseGet(
                        () -> annotationChecker.checkAnnotations(httpServletRequest)));

        if (verdict.isNotFound()) {
            // No statistics are recorded on this path.
            httpServletResponse.sendError(HttpServletResponse.SC_NOT_FOUND);
        } else if (verdict.isAllowed()) {
            // Redirect attributes are cleared only when the decision did not come from the allowlist.
            // NOTE(review): what these attributes hold is not visible here; confirm in ServletRequestUtil.
            if (allowlistVerdict.isEmpty()) {
                ServletRequestUtil.clearRedirectAttributes(httpServletRequest);
            }
            ComponentAccessor.getComponentSafely(SecureDefaultsStats.class)
                    .ifPresent(stats -> stats.servletAllowed(timer.elapsed(TimeUnit.MICROSECONDS)));
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        } else {
            // Denied: the reason is logged at debug level only, then the caller is sent to login.
            if (log.isDebugEnabled()) {
                log.debug("{}. Redirecting to login screen.", verdict.getMessage());
            }
            ServletRequestUtil.redirectToLoginScreen(httpServletRequest, httpServletResponse, verdict.getRequiredAccessType());
            ComponentAccessor.getComponentSafely(SecureDefaultsStats.class)
                    .ifPresent(stats -> stats.servletNotAllowed(timer.elapsed(TimeUnit.MICROSECONDS)));
        }
    }
}
