package com.atlassian.bamboo.hibernate;

import com.atlassian.bamboo.bandana.BandanaItem;
import com.atlassian.bamboo.core.BambooIdProvider;
import com.atlassian.bamboo.user.LoginInformationImpl;
import com.atlassian.bamboo.util.BambooHibernateUtils;
import com.atlassian.bamboo.util.RequestCacheThreadLocal;
import com.atlassian.bamboo.utils.XsrfUtils;
import com.atlassian.bamboo.utils.web.HttpServletRequestMatcher;
import com.atlassian.crowd.model.InternalDirectoryEntity;
import com.atlassian.crowd.model.user.InternalUser;
import com.atlassian.crowd.model.user.InternalUserAttribute;
import com.atlassian.sal.api.xsrf.XsrfHeaderValidator;
import com.atlassian.user.impl.hibernate3.DefaultHibernateExternalEntity;
import com.atlassian.user.impl.hibernate3.DefaultHibernateUser;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Objects;
import com.google.common.collect.ImmutableList;
import java.io.Serializable;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils;
import org.hamcrest.CoreMatchers;
import org.hamcrest.Matcher;
import org.hamcrest.Matchers;
import org.hibernate.CallbackException;
import org.hibernate.type.Type;
import org.jetbrains.annotations.Nullable;
import org.springframework.orm.hibernate.support.ChainedInterceptorSupport;

/* loaded from: input_file:com/atlassian/bamboo/hibernate/ReadOnlyGetMethodEnforcer.class */
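/**
 * Hibernate interceptor that rejects entity writes (save, flush of a dirty entity, delete) issued
 * while the current HTTP request is not allowed to mutate state, provided
 * {@link XsrfUtils#areMutativeGetsForbiddenByConfig()} is enabled.
 *
 * <p>A request may mutate state when {@link XsrfUtils#noRequestOrRequestCanMutateState()} holds,
 * when it carries a valid XSRF header, or when it matches one of {@link #XSRF_WHITELIST}. On top
 * of that a small set of entities and Bandana keys is exempted per operation (see
 * {@link #isEntityCreationAllowed}, {@link #isEntityMutationAllowed},
 * {@link #isEntityDeletionAllowed} and {@link #isMutationAllowedToOccurInAnyRequest}),
 * presumably because they are written as a side effect of otherwise read-only operations.
 * Every entry in these allow-lists bypasses the check for the matching request or entity, so
 * additions should be reviewed as such.
 *
 * <p>The {@code log} field used below is inherited from the superclass (not visible here).
 */
public class ReadOnlyGetMethodEnforcer extends ChainedInterceptorSupport {
    private static final XsrfHeaderValidator XSRF_HEADER_VALIDATOR = new XsrfHeaderValidator();

    /** Servlet path shared by all plugin-servlet entries of {@link #XSRF_WHITELIST}. */
    private static final String PLUGIN_SERVLET_PATH = "/plugins/servlet";

    /** Hibernate property carrying the credential of a {@link DefaultHibernateUser}. */
    private static final String PASSWORD_PROPERTY = "password";

    /** Marker contained in credentials hashed with PKCS5S2; used to recognise a hash upgrade. */
    private static final String PKCS5S2_MARKER = "{PKCS5S2}";

    /** Hibernate property carrying the name of an {@link InternalUserAttribute}. */
    private static final String ATTRIBUTE_NAME_PROPERTY = "name";

    /** Hibernate property of {@link InternalUser} that may change within a non-mutative request. */
    private static final String UPDATED_DATE_PROPERTY = "updatedDate";

    /** Bandana keys with this prefix may be created from any request, see {@link #isMutationAllowedToOccurInAnyRequest}. */
    private static final String ANALYTICS_BANDANA_KEY_PREFIX = "com.atlassian.analytics.client";

    /**
     * Requests matching any of these matchers may write to the database even without a valid
     * XSRF header. Each entry is a bypass of the enforcement done by this class, so the list is
     * kept flat and explicit.
     */
    private static final List<Matcher<? super HttpServletRequest>> XSRF_WHITELIST =
            ImmutableList.<Matcher<? super HttpServletRequest>>builder()
                    .add(pluginServletWithPathInfo(CoreMatchers.startsWith("/applinks/auth/conf/oauth/")))
                    .add(pluginServletWithPathInfo(CoreMatchers.startsWith("/applinks/auth/conf/trusted/")))
                    .add(pluginServletWithPathInfo(CoreMatchers.startsWith("/applinks/oauth/login-dance/")))
                    .add(pluginServletWithPathInfo("/oauth/authorize"))
                    .add(pluginServletWithPathInfo("/oauth/consumer-info"))
                    .add(servletPath("/rest/ondemand/license/1.0/license/load"))
                    .add(servletPath("/rest/stp/1.0/license/status"))
                    .add(servletPath("/rest/nps/1.0/config"))
                    .add(pluginServletWithPathInfo(CoreMatchers.startsWith("/embedded-crowd/directories/moveUp")))
                    .add(pluginServletWithPathInfo(CoreMatchers.startsWith("/embedded-crowd/directories/moveDown")))
                    .add(pluginServletWithPathInfo(CoreMatchers.startsWith("/embedded-crowd/directories/disable")))
                    .add(pluginServletWithPathInfo(CoreMatchers.startsWith("/embedded-crowd/directories/enable")))
                    .add(pluginServletWithPathInfo(CoreMatchers.startsWith("/embedded-crowd/directories/remove")))
                    .build();

    /**
     * Bandana keys whose items may be written or deleted regardless of the request; judging by
     * the key names these hold OAuth consumer tokens, UPM audit logs and the restricted-instance
     * cipher.
     */
    private static final List<Matcher<? super String>> BANDANA_KEY_WHITELIST =
            ImmutableList.<Matcher<? super String>>of(
                    Matchers.startsWith("com.atlassian.oauth.consumer.ConsumerTokenStore.consumerKeys."),
                    Matchers.startsWith("com.atlassian.oauth.consumer.ConsumerTokenStore.keys."),
                    Matchers.startsWith("com.atlassian.upm.core.log.PluginInstallerPluginLogAccessorImpl"),
                    Matchers.startsWith("com.atlassian.upm.log.PluginSettingsAuditLogService"),
                    Matchers.startsWith("com.atlassian.restricted.instance.cipher"));

    /** {@link InternalUserAttribute} names that may be created within a non-mutative request. */
    private static final List<String> CREATABLE_USER_ATTRIBUTES =
            ImmutableList.of("lastAuthenticated", "requiresPasswordChange", "invalidPasswordAttempts");

    /** {@link InternalUserAttribute} names whose value may change within a non-mutative request. */
    private static final List<String> MUTABLE_USER_ATTRIBUTES =
            ImmutableList.of("lastAuthenticated", "requiresPasswordChange", "invalidPasswordAttempts", "mail");

    /**
     * Rejects a property change on an already persisted entity when the current request may not
     * mutate state, unless the change is one of the exempted ones.
     *
     * @param entity        the entity being flushed
     * @param id            its identifier
     * @param currentState  property values after the change
     * @param previousState property values before the change
     * @param propertyNames property names, parallel to both value arrays
     * @param types         Hibernate property types
     * @return whatever the next interceptor in the chain returns
     * @throws CallbackException propagated from the chain; a rejected mutation is reported through
     *                           {@link XsrfUtils#fail(String)} before the chain is reached
     */
    @Override
    public boolean onFlushDirty(Object entity, Serializable id, Object[] currentState, Object[] previousState,
                                String[] propertyNames, Type[] types) throws CallbackException {
        // evaluation order is kept: the entity check logs rejected InternalUser changes, and the
        // request check is only reached when a request actually exists
        final boolean rejected = !isStateMutationAllowedInCurrentRequest()
                && XsrfUtils.areMutativeGetsForbiddenByConfig()
                && !isEntityMutationAllowed(entity, currentState, previousState, propertyNames)
                && !isAutomatedPasswordConversion(entity, currentState, previousState, propertyNames);
        if (rejected) {
            this.log.error("Entity mutation is not allowed");
            fail(entity, currentState, previousState);
        }
        return super.onFlushDirty(entity, id, currentState, previousState, propertyNames, types);
    }

    /**
     * Rejects the creation of an entity when the current request may not mutate state, unless the
     * entity type (or attribute name) is exempted by {@link #isEntityCreationAllowed}.
     *
     * @param entity        the entity being saved
     * @param id            its identifier
     * @param state         its property values
     * @param propertyNames property names, parallel to {@code state}
     * @param types         Hibernate property types
     * @return whatever the next interceptor in the chain returns
     * @throws CallbackException propagated from the chain
     */
    @Override
    public boolean onSave(Object entity, Serializable id, Object[] state, String[] propertyNames, Type[] types)
            throws CallbackException {
        if (!isEntityCreationAllowed(entity, state, propertyNames)) {
            failIfStateMutationNotAllowed(entity, state);
        }
        return super.onSave(entity, id, state, propertyNames, types);
    }

    /**
     * Rejects the deletion of an entity when the current request may not mutate state, unless the
     * entity is exempted by {@link #isEntityDeletionAllowed} or {@link #isMutationAllowedToOccurInAnyRequest}.
     *
     * @param entity        the entity being deleted
     * @param id            its identifier
     * @param state         its property values
     * @param propertyNames property names, parallel to {@code state}
     * @param types         Hibernate property types
     * @throws CallbackException propagated from the chain
     */
    @Override
    public void onDelete(Object entity, Serializable id, Object[] state, String[] propertyNames, Type[] types)
            throws CallbackException {
        failIfDeletionNotAllowed(entity, state);
        super.onDelete(entity, id, state, propertyNames, types);
    }

    /** Fails the current operation unless the request, the entity or the configuration permits it. */
    private void failIfStateMutationNotAllowed(Object entity, Object[] state) {
        if (isStateMutationAllowedInCurrentRequest()
                || isMutationAllowedToOccurInAnyRequest(entity)
                || !XsrfUtils.areMutativeGetsForbiddenByConfig()) {
            return;
        }
        this.log.error("State mutation is not allowed");
        fail(entity, state, null);
    }

    /** Like {@link #failIfStateMutationNotAllowed} with the additional deletion exemptions applied. */
    private void failIfDeletionNotAllowed(Object entity, Object[] state) {
        if (isStateMutationAllowedInCurrentRequest()
                || isMutationAllowedToOccurInAnyRequest(entity)
                || !XsrfUtils.areMutativeGetsForbiddenByConfig()
                || isEntityDeletionAllowed(entity)) {
            return;
        }
        this.log.error("Deletion is not allowed");
        fail(entity, state, null);
    }

    /**
     * Aborts the current operation via {@link XsrfUtils#fail(String)} with a message naming the
     * entity (and its id when it is a {@link BambooIdProvider}), the request and the before/after
     * property values.
     *
     * <p>NOTE(review): the message embeds the request URL, the raw query string and every property
     * value of the entity; confirm that wherever {@link XsrfUtils#fail(String)} routes this text
     * (log, response) is acceptable for request parameters and field values such as credentials.
     *
     * @param entity        the entity whose write was rejected
     * @param currentState  property values being written
     * @param previousState property values before the write, or {@code null} for save/delete
     */
    private void fail(Object entity, Object[] currentState, @Nullable Object[] previousState) {
        final HttpServletRequest request = RequestCacheThreadLocal.getNonNullRequest();
        final String url = request.getRequestURL().toString();
        final String queryString = request.getQueryString();
        final String entityId = entity instanceof BambooIdProvider
                ? "(id=" + String.valueOf(((BambooIdProvider) entity).getId()) + ")"
                : "";
        final String stateDump = "[" + Arrays.toString(previousState) + "]->\n->[" + Arrays.toString(currentState) + "]\n";
        XsrfUtils.fail("A mutative operation was attempted on " + entity.getClass().getSimpleName() + entityId
                + " within a non-mutative HTTP request: " + url + (queryString != null ? "?" + queryString : "")
                + " : " + stateDump);
    }

    /**
     * @return whether the thread's current request (if any) is allowed to write to the database,
     *         either by its nature or by an explicit exemption
     */
    private boolean isStateMutationAllowedInCurrentRequest() {
        // the short-circuit matters: getNonNullRequest() is only consulted once a request exists
        return XsrfUtils.noRequestOrRequestCanMutateState()
                || isRequestExplicitlyAllowedToMutateState(RequestCacheThreadLocal.getNonNullRequest());
    }

    /**
     * @return whether {@code entity} is a {@link BandanaItem} whose key is exempted from the
     *         request check for save and delete (analytics client keys and {@link #BANDANA_KEY_WHITELIST})
     */
    private boolean isMutationAllowedToOccurInAnyRequest(Object entity) {
        if (!(entity instanceof BandanaItem)) {
            return false;
        }
        final String key = ((BandanaItem) entity).getKey();
        return StringUtils.startsWith(key, ANALYTICS_BANDANA_KEY_PREFIX) || isBandanaKeyWhitelisted(key);
    }

    /**
     * @param request the current request
     * @return whether the request carries a valid XSRF header or matches {@link #XSRF_WHITELIST}
     */
    @VisibleForTesting
    boolean isRequestExplicitlyAllowedToMutateState(HttpServletRequest request) {
        return XSRF_HEADER_VALIDATOR.requestHasValidXsrfHeader(request)
                || CoreMatchers.anyOf(XSRF_WHITELIST).matches(request);
    }

    /**
     * Recognises the one {@link DefaultHibernateUser} change that may happen within a read-only
     * request: the credential being re-hashed to PKCS5S2 with no other property touched.
     *
     * <p>Unlike the previous version, a non-{@link String} credential value or mismatched array
     * lengths yield {@code false} instead of a {@link ClassCastException} or index error.
     *
     * @param entity        the entity being flushed
     * @param currentState  property values after the change
     * @param previousState property values before the change; {@code null} means "unknown", not a conversion
     * @param propertyNames property names, parallel to both value arrays
     * @return {@code true} only if the credential is the sole changed property and it went from a
     *         non-PKCS5S2 value (possibly {@code null}) to a PKCS5S2 value
     */
    @VisibleForTesting
    static boolean isAutomatedPasswordConversion(Object entity, Object[] currentState, Object[] previousState,
                                                 String[] propertyNames) {
        if (!(entity instanceof DefaultHibernateUser) || previousState == null) {
            return false;
        }
        if (currentState == null || propertyNames == null
                || currentState.length != previousState.length || propertyNames.length != previousState.length) {
            return false;
        }
        for (int i = 0; i < previousState.length; i++) {
            final Object before = previousState[i];
            final Object after = currentState[i];
            if (Objects.equal(before, after)) {
                continue;
            }
            // any changed property other than the credential disqualifies the whole flush
            if (!PASSWORD_PROPERTY.equals(propertyNames[i])) {
                return false;
            }
            if ((before != null && !(before instanceof String)) || !(after instanceof String)) {
                return false;
            }
            // only an upgrade *to* PKCS5S2 counts; an already-upgraded or differently-hashed
            // credential being rewritten is a genuine mutation
            if (StringUtils.contains((String) before, PKCS5S2_MARKER)
                    || !StringUtils.contains((String) after, PKCS5S2_MARKER)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Entities that may be created within a non-mutative request: external entities, login
     * information, Crowd directory entities, and user attributes named in
     * {@link #CREATABLE_USER_ATTRIBUTES}.
     *
     * <p>A user attribute without a name is now reported as "not allowed" rather than raising a
     * {@link NullPointerException} from the interceptor; {@link #isEntityMutationAllowed} already
     * treated a missing name that way.
     *
     * @param entity        the entity being saved
     * @param state         its property values
     * @param propertyNames property names, parallel to {@code state}
     * @return whether the creation is exempted from the request check
     */
    public boolean isEntityCreationAllowed(Object entity, Object[] state, String[] propertyNames) {
        if (entity instanceof InternalUserAttribute) {
            final Object attributeName = getInternalUserAttributeName(state, propertyNames);
            return attributeName != null && CREATABLE_USER_ATTRIBUTES.contains(attributeName);
        }
        return entity instanceof DefaultHibernateExternalEntity
                || entity instanceof LoginInformationImpl
                || entity instanceof InternalDirectoryEntity;
    }

    /**
     * @param entity the entity being deleted
     * @return whether it is a {@link BandanaItem} with a key in {@link #BANDANA_KEY_WHITELIST}
     */
    @VisibleForTesting
    boolean isEntityDeletionAllowed(Object entity) {
        return entity instanceof BandanaItem && isBandanaKeyWhitelisted(((BandanaItem) entity).getKey());
    }

    /**
     * Decides whether a flush of a dirty entity is exempted from the request check.
     *
     * @param entity        the entity being flushed
     * @param currentState  property values after the change
     * @param previousState property values before the change
     * @param propertyNames property names, parallel to both value arrays
     * @return {@code true} for login information, an {@link InternalUser} whose only change is
     *         {@code updatedDate}, a whitelisted {@link InternalUserAttribute} whose name is
     *         unchanged, or a {@link BandanaItem} with a whitelisted key
     */
    private boolean isEntityMutationAllowed(Object entity, Object[] currentState, Object[] previousState,
                                            String[] propertyNames) {
        if (entity instanceof LoginInformationImpl) {
            return true;
        }
        if (entity instanceof InternalUser) {
            return isOnlyUpdatedDateChanged(currentState, previousState, propertyNames);
        }
        if (entity instanceof InternalUserAttribute) {
            return isWhitelistedAttributeValueChange(currentState, previousState, propertyNames);
        }
        if (entity instanceof BandanaItem) {
            return isBandanaKeyWhitelisted(((BandanaItem) entity).getKey());
        }
        return false;
    }

    /**
     * @return whether the only changed {@link InternalUser} property is {@code updatedDate};
     *         otherwise the rejected changes are logged at error level and {@code false} is returned
     */
    @SuppressWarnings("rawtypes")
    private boolean isOnlyUpdatedDateChanged(Object[] currentState, Object[] previousState, String[] propertyNames) {
        final Map propertyChanges = BambooHibernateUtils.getPropertyChanges(currentState, previousState, propertyNames);
        if (propertyChanges.size() == 1 && propertyChanges.containsKey(UPDATED_DATE_PROPERTY)) {
            return true;
        }
        // NOTE(review): the description is logged at error level; confirm it does not include the
        // property values themselves (the user's credential is among the properties that may differ)
        this.log.error(BambooHibernateUtils.describePropertyChanges(propertyChanges));
        return false;
    }

    /**
     * @return whether the attribute keeps its (non-null) name across the change and that name is
     *         in {@link #MUTABLE_USER_ATTRIBUTES}
     */
    private static boolean isWhitelistedAttributeValueChange(Object[] currentState, Object[] previousState,
                                                             String[] propertyNames) {
        final Object previousName = getInternalUserAttributeName(previousState, propertyNames);
        final Object currentName = getInternalUserAttributeName(currentState, propertyNames);
        return currentName != null && currentName.equals(previousName) && MUTABLE_USER_ATTRIBUTES.contains(currentName);
    }

    /** @return whether {@code key} matches an entry of {@link #BANDANA_KEY_WHITELIST} */
    private static boolean isBandanaKeyWhitelisted(@Nullable String key) {
        return CoreMatchers.anyOf(BANDANA_KEY_WHITELIST).matches(key);
    }

    /**
     * @return the value of the {@code name} property, or {@code null} when absent (behaviour of
     *         {@link BambooHibernateUtils#getPropertyByName} for a missing property is assumed, not visible here)
     */
    @Nullable
    private static Object getInternalUserAttributeName(Object[] state, String[] propertyNames) {
        return BambooHibernateUtils.getPropertyByName(ATTRIBUTE_NAME_PROPERTY, propertyNames, state);
    }

    /** Matcher for a plugin servlet request whose path info satisfies {@code pathInfo}. */
    private static Matcher<? super HttpServletRequest> pluginServletWithPathInfo(Matcher<String> pathInfo) {
        return HttpServletRequestMatcher.builder().servletPath(PLUGIN_SERVLET_PATH).pathInfo(pathInfo).build();
    }

    /** Matcher for a plugin servlet request whose path info equals {@code pathInfo}. */
    private static Matcher<? super HttpServletRequest> pluginServletWithPathInfo(String pathInfo) {
        return HttpServletRequestMatcher.builder().servletPath(PLUGIN_SERVLET_PATH).pathInfo(pathInfo).build();
    }

    /** Matcher for a request with exactly the given servlet path. */
    private static Matcher<? super HttpServletRequest> servletPath(String path) {
        return HttpServletRequestMatcher.builder().servletPath(path).build();
    }
}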
