package com.atlassian.jira.rest.auth;

import com.atlassian.jira.JiraFeatureFlagRegistrar;
import com.atlassian.jira.action.ActionContextKit;
import com.atlassian.jira.bc.security.login.DeniedReason;
import com.atlassian.jira.bc.security.login.LoginReason;
import com.atlassian.jira.bc.security.login.LoginResult;
import com.atlassian.jira.bc.security.login.LoginService;
import com.atlassian.jira.config.FeatureManager;
import com.atlassian.jira.issue.fields.rest.json.beans.JiraBaseUrls;
import com.atlassian.jira.rest.api.http.CacheControl;
import com.atlassian.jira.rest.api.util.ErrorCollection;
import com.atlassian.jira.rest.exception.NotAuthorisedWebException;
import com.atlassian.jira.security.JiraAuthenticationContext;
import com.atlassian.jira.user.ApplicationUser;
import com.atlassian.jira.util.I18nHelper;
import com.atlassian.jira.util.JiraUrlCodec;
import com.atlassian.plugins.rest.api.security.annotation.UnrestrictedAccess;
import com.atlassian.seraph.config.SecurityConfig;
import com.atlassian.seraph.config.SecurityConfigFactory;
import com.atlassian.seraph.filter.PasswordBasedLoginFilter;
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.media.Content;
import io.swagger.v3.oas.annotations.media.Schema;
import io.swagger.v3.oas.annotations.parameters.RequestBody;
import io.swagger.v3.oas.annotations.responses.ApiResponse;
import io.swagger.v3.oas.annotations.responses.ApiResponses;
import io.swagger.v3.oas.annotations.security.SecurityRequirement;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Iterator;
import java.util.Set;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;

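/**
 * REST resource for the {@code session} endpoint: reports the current user's session,
 * creates a session from a username/password pair, and destroys the current session.
 *
 * <p>Credentials are fed through a Seraph {@link PasswordBasedLoginFilter} so that the
 * same login pipeline as the web login page (session establishment, denied reasons
 * such as CAPTCHA or throttling) applies to REST logins.
 */
@Path("session")
@Consumes({"application/json"})
@UnrestrictedAccess
@Produces({"application/json"})
public class Login {
    /** Request attribute from which the {@link LoginResult} of a failed login is read after the filter ran. */
    private static final String LOGIN_RESULT_ATTRIBUTE = "com.atlassian.jira.security.login.LoginManager.LoginResult";
    /** Filter outcome that this resource treats as a successful login. */
    private static final String LOGIN_SUCCESS = "success";
    /** Name of the session cookie reported back to a successfully logged-in caller. */
    private static final String SESSION_COOKIE_NAME = "JSESSIONID";
    /** Response header carrying one denied reason per value. */
    private static final String DENIED_REASON_HEADER = "X-Authentication-Denied-Reason";

    private final LoginService loginService;
    private final JiraAuthenticationContext jiraAuthenticationContext;
    private final JiraBaseUrls jiraBaseUrls;
    private final I18nHelper i18n;
    private final FeatureManager featureManager;

    /**
     * Seraph login filter driven by an explicit username/password pair rather than the
     * request's own parameters, so a JSON request body can go through the standard pipeline.
     * Static: it never touches the enclosing resource's state.
     */
    private static final class LoginResourceFilter extends PasswordBasedLoginFilter {
        private final String username;
        private final String password;

        private LoginResourceFilter(String username, String password) {
            this.username = username;
            this.password = password;
        }

        @Override
        protected PasswordBasedLoginFilter.UserPasswordPair extractUserPasswordPair(HttpServletRequest request) {
            // Third argument is the persistent ("remember me") login flag in Seraph's
            // UserPasswordPair — always false for REST-created sessions; confirm against Seraph.
            return new PasswordBasedLoginFilter.UserPasswordPair(username, password, false);
        }

        @Override
        protected SecurityConfig getSecurityConfig() {
            return SecurityConfigFactory.getInstance();
        }
    }

    /**
     * Creates the resource.
     *
     * @param loginService              performs logout and supplies per-user login information
     * @param jiraAuthenticationContext source of the currently authenticated user
     * @param jiraBaseUrls              base URL used to build the user's self link
     * @param i18nHelper                resolves error message keys
     * @param featureManager            provides the {@code ALLOW_LOGIN_FROM_ENDPOINT} kill switch
     */
    @Inject
    public Login(LoginService loginService, JiraAuthenticationContext jiraAuthenticationContext, JiraBaseUrls jiraBaseUrls, I18nHelper i18nHelper, FeatureManager featureManager) {
        this.loginService = loginService;
        this.jiraAuthenticationContext = jiraAuthenticationContext;
        this.jiraBaseUrls = jiraBaseUrls;
        this.i18n = i18nHelper;
        this.featureManager = featureManager;
    }

    /**
     * Returns the currently authenticated user's session information.
     *
     * @return 200 with a {@link CurrentUser} body, never cacheable
     * @throws NotAuthorisedWebException (401) if no user is authenticated
     * @throws URISyntaxException        if the self link cannot be built from the base URL
     */
    @GET
    @Operation(summary = "Get current user session information", description = "Returns information about the currently authenticated user's session. If the caller is not authenticated they will get a 401 Unauthorized status code.", security = {@SecurityRequirement(name = "basic")})
    @ApiResponses({@ApiResponse(description = "Returned if the currently authenticated user is returned.", responseCode = "200", content = {@Content(schema = @Schema(implementation = CurrentUser.class), mediaType = "application/json")}), @ApiResponse(description = "Returned if the currently authenticated user is not returned.", responseCode = "401")})
    public Response currentUser() throws URISyntaxException {
        ApplicationUser user = jiraAuthenticationContext.getUser();
        if (user == null) {
            throw new NotAuthorisedWebException(ErrorCollection.of(i18n.getText("rest.authentication.no.user.logged.in")));
        }
        String userName = user.getName();
        // The username is URL-encoded before it is placed in the query string of the self link.
        URI self = new URI(jiraBaseUrls.baseUrl() + "/rest/api/latest/user?username=" + JiraUrlCodec.encode(userName));
        // Session details are per caller and must never be served from a cache.
        return Response.ok(new CurrentUser()
                        .userName(userName)
                        .self(self)
                        .loginInfo(new LoginInfo(loginService.getLoginInfo(userName))))
                .cacheControl(CacheControl.never())
                .build();
    }

    /**
     * Authenticates the supplied credentials and establishes a session.
     *
     * <p>Outcomes: 403 when the endpoint is disabled or the login is denied (credentials may be
     * valid but the user may not log in right now — one {@code X-Authentication-Denied-Reason}
     * header per reason), 401 when authentication failed, 400 when no body was sent, 200 on success.
     *
     * @param authParams          username and password from the JSON body; may be {@code null} when absent
     * @param httpServletRequest  request the login filter authenticates against
     * @param httpServletResponse response the session cookie and headers are written to
     * @return the response described above
     */
    @Operation(summary = "Create new user session", description = "Creates a new session for a user in Jira. Once a session has been successfully created it can be used to access any of Jira's remote APIs and also the web UI by passing the appropriate HTTP Cookie header. Note that it is generally preferrable to use HTTP BASIC authentication with the REST API. However, this resource may be used to mimic the behaviour of Jira's log-in page (e.g. to display log-in errors to a user).", security = {@SecurityRequirement(name = "basic")})
    @POST
    @RequestBody(description = "the username and password to authenticate", required = true, content = {@Content(schema = @Schema(implementation = AuthParams.class))})
    @ApiResponses({@ApiResponse(description = "Returned if the caller is authenticated. Contains information about the caller's session.", responseCode = "200", content = {@Content(schema = @Schema(implementation = AuthSuccess.class))}), @ApiResponse(description = "Returned if the request body with the credentials is missing.", responseCode = "400"), @ApiResponse(description = "Returned if the login is denied due to a CAPTCHA requirement, throtting, or any other reason. In case of a 403 status code it is possible that the supplied credentials are valid but the user is not allowed to log in at this point in time.", responseCode = "403"), @ApiResponse(description = "Returned if the login fails due to invalid credentials.", responseCode = "401")})
    public Response login(AuthParams authParams, @Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) {
        // Consult the kill switch BEFORE running the login filter: running the filter first
        // authenticates the caller and establishes a session, so a disabled endpoint would still
        // have logged the user in and only then answered 403.
        if (!featureManager.isEnabled(JiraFeatureFlagRegistrar.ALLOW_LOGIN_FROM_ENDPOINT)) {
            return loginDenied();
        }
        if (authParams == null) {
            // Without this guard a missing body dereferences null and surfaces as a 500.
            // No i18n key for this case is visible in this file, hence the literal message.
            return Response.status(Response.Status.BAD_REQUEST)
                    .entity(ErrorCollection.of("A JSON body with 'username' and 'password' is required."))
                    .build();
        }
        String outcome = new LoginResourceFilter(authParams.username, authParams.password)
                .login(httpServletRequest, httpServletResponse);
        if (LOGIN_SUCCESS.equals(outcome)) {
            return Response.ok(new AuthSuccess(
                            new SessionInfo(SESSION_COOKIE_NAME, httpServletRequest.getSession().getId()),
                            new LoginInfo(loginService.getLoginInfo(authParams.username))))
                    .build();
        }
        LoginResult loginResult = (LoginResult) httpServletRequest.getAttribute(LOGIN_RESULT_ATTRIBUTE);
        if (loginResult == null || loginResult.getReason() != LoginReason.AUTHENTICATION_DENIED) {
            // Plain authentication failure (or no result recorded at all): 401 with a challenge
            // header so generic HTTP clients recognise it as an authentication failure.
            httpServletResponse.setHeader("WWW-Authenticate", "JIRA REST POST");
            return Response.status(Response.Status.UNAUTHORIZED)
                    .entity(ErrorCollection.of(i18n.getText("rest.login.failed")))
                    .build();
        }
        // Login was actively denied (e.g. CAPTCHA required); tell the client every reason.
        stampDeniedReasonsOnResponse(httpServletResponse, loginResult.getDeniedReasons());
        return loginDenied();
    }

    /**
     * Logs the current user out and destroys the session.
     *
     * @param httpServletRequest  request whose session is invalidated
     * @param httpServletResponse response the logout writes to (e.g. cookie removal)
     * @return 204 No Content
     * @throws NotAuthorisedWebException (401) if no user is authenticated
     */
    @DELETE
    @Operation(summary = "Delete current user session", description = "Logs the current user out of Jira, destroying the existing session, if any.", security = {@SecurityRequirement(name = "basic")})
    @ApiResponses({@ApiResponse(description = "Returned if the user was successfully logged out.", responseCode = "204"), @ApiResponse(description = "Returned if the caller is not authenticated.", responseCode = "401")})
    public Response logout(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) {
        if (jiraAuthenticationContext.getUser() == null) {
            throw new NotAuthorisedWebException(ErrorCollection.of(i18n.getText("rest.authentication.no.user.logged.in")));
        }
        loginService.logout(httpServletRequest, httpServletResponse);
        // Clear the thread-bound action context so nothing from the old session lingers.
        ActionContextKit.resetContext();
        return Response.noContent().build();
    }

    /**
     * Adds one {@code X-Authentication-Denied-Reason} header per denied reason.
     *
     * @param httpServletResponse response to stamp
     * @param deniedReasons       reasons the login was denied; {@code null} or empty adds nothing
     */
    protected void stampDeniedReasonsOnResponse(HttpServletResponse httpServletResponse, Set<DeniedReason> deniedReasons) {
        if (deniedReasons == null) {
            return;
        }
        for (DeniedReason reason : deniedReasons) {
            // addHeader, not setHeader: setHeader replaces the previous value, so with several
            // reasons only the last one would reach the client.
            httpServletResponse.addHeader(DENIED_REASON_HEADER, reason.asString());
        }
    }

    /** 403 response shared by the "endpoint disabled" and "login denied" outcomes. */
    private Response loginDenied() {
        return Response.status(Response.Status.FORBIDDEN)
                .entity(ErrorCollection.of(i18n.getText("rest.login.denied")))
                .build();
    }
}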
