package com.atlassian.bamboo.sal;

import com.atlassian.bamboo.FeatureManager;
import com.atlassian.bamboo.filter.BambooStrutsSecureAccessFilter;
import com.atlassian.bamboo.security.BambooPermissionManager;
import com.atlassian.bamboo.session.SessionUtils;
import com.atlassian.bamboo.user.BambooAuthenticationContext;
import com.atlassian.bamboo.util.RedirectUtils;
import com.atlassian.bamboo.utils.EscapeChars;
import com.atlassian.bamboo.utils.SystemProperty;
import com.atlassian.bamboo.websudo.WebSudoIpAllowlistService;
import com.atlassian.bamboo.websudo.WebSudoUtils;
import com.atlassian.sal.api.websudo.WebSudoSessionException;
import com.atlassian.user.User;
import com.google.common.annotations.VisibleForTesting;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Objects;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.springframework.stereotype.Component;

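/**
 * Web sudo ("re-authenticate before administrative actions") for Bamboo.
 *
 * <p>Web sudo state is a single {@code Long} session attribute, {@link #WEB_SUDO_TIMESTAMP}, holding the
 * epoch-millisecond time at which the user last passed web sudo. A request is inside a web sudo session while
 * {@code timestamp + WEBSUDO_SESSION_DURATION} is later than {@code now - WEBSUDO_SESSION_DURATION_TOLERANCE}
 * (see {@link #getRawExpiryTimestamp} and {@link #hasNotExpired}). Every request that passes the check refreshes
 * the timestamp, so the window slides forward with activity.
 *
 * <p>Decision order, applied by {@link #canExecuteRequest}:
 * <ol>
 *   <li>allowed without web sudo when the feature is disabled or there is no request / no session;</li>
 *   <li>denied when the current user is not an admin or the client IP is not on the web sudo allowlist;</li>
 *   <li>allowed when the authentication type is exempt ({@link WebSudoUtils#isExemptAuthType});</li>
 *   <li>otherwise allowed only if an unexpired timestamp is present in the session.</li>
 * </ol>
 *
 * <p>All fields are {@code final} and the only mutable state is kept in the {@link HttpSession}.
 */
@Component
/* loaded from: input_file:com/atlassian/bamboo/sal/BambooWebSudoManagerImpl.class */
public class BambooWebSudoManagerImpl implements BambooWebSudoManager {

    /** Session attribute: epoch-millis ({@code Long}) of the last successful web sudo authentication. */
    @VisibleForTesting
    static final String WEB_SUDO_TIMESTAMP = "web.sudo.timestamp";

    /** Context-relative path of the action that asks the user to re-authenticate. */
    @VisibleForTesting
    static final String WEB_SUDO_URL = "/admin/webSudoRequired.action";
    private static final Logger log = LogManager.getLogger(BambooWebSudoManagerImpl.class);
    private final Clock clock;
    private final BambooAuthenticationContext bambooAuthenticationContext;
    private final BambooPermissionManager bambooPermissionManager;
    private final WebSudoIpAllowlistService webSudoIpAllowlistService;
    private final FeatureManager featureManager;

    /**
     * Creates a manager that reads the current time from {@link Clock#systemUTC()}.
     *
     * @param bambooAuthenticationContext source of the current user / user name
     * @param bambooPermissionManager used to check the admin permission
     * @param featureManager used to check whether web sudo is enabled at all
     * @param webSudoIpAllowlistService used to check the client IP against the web sudo allowlist
     */
    public BambooWebSudoManagerImpl(BambooAuthenticationContext bambooAuthenticationContext, BambooPermissionManager bambooPermissionManager, FeatureManager featureManager, WebSudoIpAllowlistService webSudoIpAllowlistService) {
        this(bambooAuthenticationContext, bambooPermissionManager, Clock.systemUTC(), featureManager, webSudoIpAllowlistService);
    }

    /**
     * Full constructor allowing an explicit {@link Clock}; all expiry arithmetic goes through this clock.
     */
    private BambooWebSudoManagerImpl(BambooAuthenticationContext bambooAuthenticationContext, BambooPermissionManager bambooPermissionManager, Clock clock, FeatureManager featureManager, WebSudoIpAllowlistService webSudoIpAllowlistService) {
        this.clock = clock;
        this.bambooAuthenticationContext = bambooAuthenticationContext;
        this.bambooPermissionManager = bambooPermissionManager;
        this.webSudoIpAllowlistService = webSudoIpAllowlistService;
        this.featureManager = featureManager;
    }

    /**
     * Decides whether the request may proceed as far as web sudo is concerned.
     *
     * <p>Note the side effect: when the request is inside a valid web sudo session, the session timestamp is
     * refreshed (see {@link #setWebSudoAttribute}), which extends the session.
     *
     * @param httpServletRequest the current request; {@code null} yields {@code true} because web sudo cannot be
     *                           applied without a request (see {@link #shouldWebSudoBeIgnored})
     * @return {@code true} if the request may execute, {@code false} if the caller must demand web sudo
     */
    public boolean canExecuteRequest(HttpServletRequest httpServletRequest) {
        if (shouldWebSudoBeIgnored(httpServletRequest)) {
            return true;
        }
        if (shouldWebSudoBeRejected(httpServletRequest)) {
            return false;
        }
        if (isExemptAuthType(httpServletRequest)) {
            return true;
        }
        // shouldWebSudoBeIgnored() has already established that a session exists, so getSession(false) is non-null.
        boolean inWebSudoSession = getRawExpiryTimestamp(httpServletRequest.getSession(false))
                .filter(this::hasNotExpired)
                .isPresent();
        if (inWebSudoSession) {
            // Sliding expiry: a permitted request pushes the timestamp forward.
            setWebSudoAttribute(httpServletRequest);
        }
        return inWebSudoSession;
    }

    /**
     * Redirects the client when the request is not permitted by {@link #canExecuteRequest}.
     *
     * <p>Non-admins are sent to the access-denied action, clients whose IP is not allowlisted to {@code /400.action},
     * and everyone else to {@link #WEB_SUDO_URL} with the current request URL (URL-escaped) as
     * {@code web_sudo_destination}. Nothing is done if the response is already committed.
     *
     * @param httpServletRequest  the current request; a {@code null} request is always permitted and never redirected
     * @param httpServletResponse the response to redirect; must be non-null when a redirect is needed
     * @throws NullPointerException if a redirect is required and {@code httpServletResponse} is {@code null}
     * @throws UncheckedIOException if writing the redirect fails
     */
    public void enforceWebSudoProtection(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (httpServletResponse != null && httpServletResponse.isCommitted()) {
            log.trace("The response is already committed with a status of {}, so cannot enforce web sudo protection", httpServletResponse.getStatus());
            return;
        }
        if (canExecuteRequest(httpServletRequest)) {
            return;
        }
        // Past this point a redirect has to be written; fail explicitly rather than with an anonymous NPE.
        Objects.requireNonNull(httpServletResponse, "httpServletResponse");
        String contextPath = StringUtils.trimToEmpty(httpServletRequest.getContextPath());
        String errorRedirect = getErrorRedirect(httpServletRequest);
        if (StringUtils.isNotBlank(errorRedirect)) {
            sendRedirect(httpServletResponse, contextPath + errorRedirect, "Failed to redirect to " + errorRedirect);
        } else {
            // The destination is the URL of the current request; the receiving action decides whether to honour it.
            String destination = EscapeChars.forUrl(RedirectUtils.getRequestUrl(httpServletRequest));
            sendRedirect(httpServletResponse, contextPath + WEB_SUDO_URL + "?web_sudo_destination=" + destination, "Failed to redirect to web sudo login");
        }
    }

    /**
     * Asserts that the request is permitted and marks it as a web sudo request.
     *
     * @param httpServletRequest the current request; when non-null, {@link BambooWebSudoManager#WEB_SUDO_REQUEST_ATTRIBUTE}
     *                           is set to {@code true} on it
     * @throws WebSudoSessionException if {@link #canExecuteRequest} returns {@code false}
     */
    public void willExecuteWebSudoRequest(HttpServletRequest httpServletRequest) throws WebSudoSessionException {
        if (!canExecuteRequest(httpServletRequest)) {
            throw new WebSudoSessionException("Not in a web sudo session");
        }
        if (httpServletRequest != null) {
            httpServletRequest.setAttribute(BambooWebSudoManager.WEB_SUDO_REQUEST_ATTRIBUTE, true);
        }
    }

    /**
     * Starts (or refreshes) a web sudo session for the current request and advertises it via the
     * {@link BambooWebSudoManager#WEB_SUDO_HEADER} response header. Does nothing when the request cannot hold
     * web sudo (see {@link #isUnableToHoldWebSudo}).
     *
     * @param httpServletRequest  the current request, may be {@code null}
     * @param httpServletResponse the response to add the header to, may be {@code null}
     */
    @Override
    public void setWebSudoSession(@Nullable HttpServletRequest httpServletRequest, @Nullable HttpServletResponse httpServletResponse) {
        if (isUnableToHoldWebSudo(httpServletRequest)) {
            return;
        }
        setWebSudoAttribute(httpServletRequest);
        if (httpServletResponse != null) {
            httpServletResponse.addHeader(BambooWebSudoManager.WEB_SUDO_HEADER, BambooWebSudoManager.WEB_SUDO_HEADER_VALUE_AUTHORISED);
        }
    }

    /**
     * Returns the expiry instant of the current web sudo session, if one is active.
     *
     * @param httpServletRequest the current request, may be {@code null}
     * @return the expiry instant, or empty if the request cannot hold web sudo, no timestamp is stored,
     *         or the stored timestamp has expired (beyond the tolerance)
     */
    @Override
    @NotNull
    public Optional<Instant> getWebSudoSessionExpiry(@Nullable HttpServletRequest httpServletRequest) {
        if (isUnableToHoldWebSudo(httpServletRequest)) {
            return Optional.empty();
        }
        return getRawExpiryTimestamp(httpServletRequest.getSession(false)).filter(this::hasNotExpired);
    }

    /**
     * Ends the web sudo session by dropping the timestamp attribute. An already invalidated session is tolerated.
     *
     * @param httpServletRequest the current request, may be {@code null}
     */
    @Override
    public void removeWebSudoFromSession(@Nullable HttpServletRequest httpServletRequest) {
        if (isUnableToHoldWebSudo(httpServletRequest)) {
            return;
        }
        try {
            httpServletRequest.getSession(false).removeAttribute(WEB_SUDO_TIMESTAMP);
        } catch (IllegalStateException e) {
            // removeAttribute() throws once the session has been invalidated; there is nothing left to clear.
            log.trace("Unable to clear web sudo request session attribute because session is invalidated", e);
        }
    }

    /**
     * Tells whether a web sudo session cannot be established for this request: web sudo ignored (disabled /
     * no request / no session), rejected (not admin / IP not allowlisted), or the auth type is exempt.
     *
     * @param httpServletRequest the current request, may be {@code null}
     * @return {@code true} if web sudo state must not be read from or written to this request
     */
    @Override
    public boolean isUnableToHoldWebSudo(@Nullable HttpServletRequest httpServletRequest) {
        return shouldWebSudoBeIgnored(httpServletRequest) || shouldWebSudoBeRejected(httpServletRequest) || isExemptAuthType(httpServletRequest);
    }

    /**
     * Reads the stored timestamp and converts it to the session's nominal expiry
     * ({@code timestamp + WEBSUDO_SESSION_DURATION}). Does not check whether that expiry has passed.
     *
     * @param httpSession the session to read; must be non-null
     * @return the nominal expiry, or empty if the attribute is absent or not a {@code Long}
     */
    private Optional<Instant> getRawExpiryTimestamp(HttpSession httpSession) {
        Object attribute = httpSession.getAttribute(WEB_SUDO_TIMESTAMP);
        if (attribute instanceof Long) {
            Instant authenticatedAt = Instant.ofEpochMilli((Long) attribute);
            return Optional.of(authenticatedAt.plus(sessionDuration()));
        }
        if (log.isTraceEnabled()) {
            User user = this.bambooAuthenticationContext.getUser();
            if (attribute == null) {
                if (user == null) {
                    log.trace("The session does not contain the web sudo timestamp attribute, and there is no user in the authentication context");
                } else {
                    log.trace("The session for '{}' does not contain the web sudo timestamp attribute", user.getName());
                }
            } else if (user == null) {
                log.trace("Expected the web sudo timestamp attribute for anonymous user to be a Long, but it was '{}'", attribute);
            } else {
                log.trace("Expected the web sudo timestamp attribute for '{}' to be a Long, but it was '{}'", user.getName(), attribute);
            }
        }
        return Optional.empty();
    }

    /**
     * Delegates to {@link WebSudoUtils#isExemptAuthType}; an exempt authentication type bypasses web sudo entirely.
     */
    private boolean isExemptAuthType(HttpServletRequest httpServletRequest) {
        if (!WebSudoUtils.isExemptAuthType(httpServletRequest)) {
            return false;
        }
        log.trace("Web sudo cannot be applied as the authentication method is used is exempt from web sudo");
        return true;
    }

    /**
     * Chooses the redirect for a request that failed web sudo, mirroring the checks in
     * {@link #shouldWebSudoBeRejected}.
     *
     * @return the access-denied action for non-admins, {@code /400.action} for a non-allowlisted IP,
     *         or {@code null} when the user simply needs to re-authenticate
     */
    private String getErrorRedirect(HttpServletRequest httpServletRequest) {
        if (!isCurrentUserAdmin()) {
            log.trace("Authenticated user does not have admin permission, redirect to accessDenied");
            return BambooStrutsSecureAccessFilter.ACCESS_DENIED_ACTION;
        }
        if (this.webSudoIpAllowlistService.isIpAddressAllowlisted(httpServletRequest)) {
            return null;
        }
        log.trace("Authenticated user IP address not found in the allowlist, redirect to 400");
        return "/400.action";
    }

    /**
     * Expiry check with a grace period: an expiry up to {@code WEBSUDO_SESSION_DURATION_TOLERANCE} seconds in the
     * past is still accepted, so the effective session length is duration plus tolerance.
     *
     * @param instant the nominal expiry from {@link #getRawExpiryTimestamp}
     */
    private boolean hasNotExpired(Instant instant) {
        return instant.isAfter(this.clock.instant().minus(sessionDurationTolerance()));
    }

    /**
     * Stores "now" as the web sudo timestamp, but only when {@link SessionUtils#shouldUpdateLastAccessTime} allows
     * it for this request. Requires an existing session (callers check via {@link #shouldWebSudoBeIgnored}).
     */
    private void setWebSudoAttribute(@NotNull HttpServletRequest httpServletRequest) {
        if (SessionUtils.shouldUpdateLastAccessTime(httpServletRequest)) {
            httpServletRequest.getSession(false).setAttribute(WEB_SUDO_TIMESTAMP, this.clock.instant().toEpochMilli());
        }
    }

    /**
     * Cases in which web sudo is not applied and the request is treated as permitted: the feature is disabled,
     * the request is {@code null}, or there is no existing session. A {@code false} result guarantees that
     * {@code httpServletRequest.getSession(false)} is non-null.
     */
    private boolean shouldWebSudoBeIgnored(@Nullable HttpServletRequest httpServletRequest) {
        if (!this.featureManager.isWebSudoEnabled()) {
            log.trace("Web sudo is disabled, so will not use web sudo protection");
            return true;
        }
        if (httpServletRequest == null) {
            log.trace("Request is null, so cannot get a valid session");
            return true;
        }
        if (httpServletRequest.getSession(false) != null) {
            return false;
        }
        log.trace("Session is null, so cannot get a valid session");
        return true;
    }

    /**
     * Cases in which the request is denied regardless of any web sudo session: the current user is not an admin,
     * or the client IP is not on the web sudo allowlist.
     */
    private boolean shouldWebSudoBeRejected(HttpServletRequest httpServletRequest) {
        if (!isCurrentUserAdmin()) {
            log.trace("Authenticated user does not have admin permission, so cannot execute the request");
            return true;
        }
        if (this.webSudoIpAllowlistService.isIpAddressAllowlisted(httpServletRequest)) {
            return false;
        }
        log.trace("Authenticated user IP address not found in the allowlist");
        return true;
    }

    /** Admin check for the user currently held by the authentication context. */
    private boolean isCurrentUserAdmin() {
        return this.bambooPermissionManager.isAdmin(this.bambooAuthenticationContext.getUserName());
    }

    /** Nominal web sudo session length, from {@code SystemProperty.WEBSUDO_SESSION_DURATION} (seconds). */
    private static Duration sessionDuration() {
        return Duration.ofSeconds((int) SystemProperty.WEBSUDO_SESSION_DURATION.getTypedValue());
    }

    /** Grace period applied in {@link #hasNotExpired}, from {@code SystemProperty.WEBSUDO_SESSION_DURATION_TOLERANCE} (seconds). */
    private static Duration sessionDurationTolerance() {
        return Duration.ofSeconds((int) SystemProperty.WEBSUDO_SESSION_DURATION_TOLERANCE.getTypedValue());
    }

    /**
     * Writes a redirect, converting the checked {@link IOException} into an {@link UncheckedIOException}.
     *
     * @param response       the response to redirect; non-null
     * @param location       the absolute-path location to redirect to
     * @param failureMessage message for the exception thrown if the redirect cannot be written
     */
    private static void sendRedirect(HttpServletResponse response, String location, String failureMessage) {
        try {
            response.sendRedirect(location);
        } catch (IOException e) {
            throw new UncheckedIOException(failureMessage, e);
        }
    }
}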
