package com.atlassian.oauth.serviceprovider.internal;

import ch.qos.logback.classic.net.SyslogAppender;
import com.atlassian.oauth.Consumer;
import com.atlassian.oauth.serviceprovider.Clock;
import com.atlassian.oauth.serviceprovider.InvalidTokenException;
import com.atlassian.oauth.serviceprovider.ServiceProviderConsumerStore;
import com.atlassian.oauth.serviceprovider.ServiceProviderToken;
import com.atlassian.oauth.serviceprovider.ServiceProviderTokenStore;
import com.atlassian.oauth.serviceprovider.internal.OAuthProblem;
import com.atlassian.oauth.serviceprovider.internal.servlet.OAuthProblemUtils;
import com.atlassian.oauth.serviceprovider.internal.servlet.OAuthRequestUtils;
import com.atlassian.oauth.util.RequestAnnotations;
import com.atlassian.sal.api.ApplicationProperties;
import com.atlassian.sal.api.auth.AuthenticationController;
import com.atlassian.sal.api.auth.Authenticator;
import com.atlassian.sal.api.transaction.TransactionCallback;
import com.atlassian.sal.api.transaction.TransactionTemplate;
import com.atlassian.sal.api.user.UserManager;
import com.atlassian.user.configuration.Configuration;
import com.google.common.base.Preconditions;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.Principal;
import java.util.Locale;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.oauth.OAuth;
import net.oauth.OAuthAccessor;
import net.oauth.OAuthConsumer;
import net.oauth.OAuthException;
import net.oauth.OAuthMessage;
import net.oauth.OAuthProblemException;
import net.oauth.OAuthValidator;
import net.oauth.server.OAuthServlet;
import net.oauth.signature.RSA_SHA1;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Qualifier;

/* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/atlassian-oauth-service-provider-plugin-2.0.3.jar:com/atlassian/oauth/serviceprovider/internal/AuthenticatorImpl.class */
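public class AuthenticatorImpl implements Authenticator {
    private static final Logger LOG = LoggerFactory.getLogger(AuthenticatorImpl.class);
    /** Servlet attribute that carries the original request URI when the container forwarded the request. */
    private static final String FORWARD_REQUEST_URI = "javax.servlet.forward.request_uri";
    /** Request parameter naming the user a 2-legged consumer asks to act on behalf of. */
    private static final String XOAUTH_REQUESTOR_ID = "xoauth_requestor_id";

    /** Legacy spelling of {@link #XOAUTH_REQUESTOR_ID}; only consulted when the current parameter is absent. */
    @Deprecated
    private static final String REMOTEAPP_REQUESTOR_ID = "user_id";
    private final ServiceProviderTokenStore store;
    private final OAuthValidator validator;
    private final OAuthConverter converter;
    private final AuthenticationController authenticationController;
    private final TransactionTemplate transactionTemplate;
    private final ApplicationProperties applicationProperties;
    private final Clock clock;
    private final ServiceProviderConsumerStore serviceProviderConsumerStore;
    private final UserManager userManager;

    /**
     * Creates the authenticator. Every collaborator is mandatory.
     *
     * @throws NullPointerException if any argument is {@code null}; the message names the missing collaborator
     */
    public AuthenticatorImpl(@Qualifier("tokenStore") ServiceProviderTokenStore serviceProviderTokenStore, OAuthValidator oAuthValidator, OAuthConverter oAuthConverter, AuthenticationController authenticationController, TransactionTemplate transactionTemplate, ApplicationProperties applicationProperties, Clock clock, ServiceProviderConsumerStore serviceProviderConsumerStore, UserManager userManager) {
        // checkNotNull is generic; the casts in the decompiled source were redundant.
        this.store = Preconditions.checkNotNull(serviceProviderTokenStore, "store");
        this.validator = Preconditions.checkNotNull(oAuthValidator, "validator");
        this.converter = Preconditions.checkNotNull(oAuthConverter, "converter");
        this.authenticationController = Preconditions.checkNotNull(authenticationController, "authenticationController");
        this.transactionTemplate = Preconditions.checkNotNull(transactionTemplate, "transactionTemplate");
        this.applicationProperties = Preconditions.checkNotNull(applicationProperties, "applicationProperties");
        this.clock = Preconditions.checkNotNull(clock, "clock");
        this.serviceProviderConsumerStore = Preconditions.checkNotNull(serviceProviderConsumerStore, "serviceProviderConsumerStore");
        // The decompiler folded this literal into an unrelated atlassian-user constant of the same value.
        this.userManager = Preconditions.checkNotNull(userManager, "userManager");
    }

    /**
     * Dispatches an OAuth-protected request to the 2-legged or 3-legged flow.
     *
     * @throws IllegalArgumentException if the request is neither a 2LO nor a 3LO access attempt;
     *         callers are expected to have checked that first
     */
    @Override // com.atlassian.sal.api.auth.Authenticator
    public Authenticator.Result authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (OAuthRequestUtils.is2LOAuthAccessAttempt(httpServletRequest)) {
            return authenticate2LORequest(httpServletRequest, httpServletResponse);
        }
        if (OAuthRequestUtils.is3LOAuthAccessAttempt(httpServletRequest)) {
            return authenticate3LORequest(httpServletRequest, httpServletResponse);
        }
        throw new IllegalArgumentException("This Authenticator only works with OAuth requests");
    }

    /**
     * Looks up the consumer named by the message's {@code oauth_consumer_key}.
     *
     * @return the registered consumer, never {@code null}
     * @throws OAuthProblemException {@code consumer_key_unknown} when no consumer is registered under that key
     * @throws IOException if the consumer key cannot be read from the message
     */
    private Consumer validateConsumer(OAuthMessage oAuthMessage) throws IOException, OAuthException {
        String consumerKey = oAuthMessage.getConsumerKey();
        Consumer consumer = this.serviceProviderConsumerStore.get(consumerKey);
        if (consumer != null) {
            return consumer;
        }
        // Parameterized, not concatenated: the original appended the key after a literal "{}".
        LOG.info("Unknown consumer key:'{}' supplied in OAuth request", consumerKey);
        throw new OAuthProblemException(OAuth.Problems.CONSUMER_KEY_UNKNOWN);
    }

    /**
     * Verifies the signature of a 2-legged message against the consumer's registered public key.
     *
     * @throws OAuthException if the validator rejects the message (bad signature, timestamp, nonce, ...)
     */
    void validate2LOMessage(OAuthMessage oAuthMessage, Consumer consumer) throws OAuthException, IOException, URISyntaxException {
        OAuthConsumer oAuthConsumer = this.converter.toOAuthConsumer(consumer);
        // NOTE(review): a consumer without a public key would NPE here and surface as a 500 via
        // handleException rather than as an OAuth problem — confirm 2LO consumers always carry one.
        oAuthConsumer.setProperty(RSA_SHA1.PUBLIC_KEY, consumer.getPublicKey().getEncoded());
        OAuthAccessor oAuthAccessor = new OAuthAccessor(oAuthConsumer);
        printMessageToDebug(oAuthMessage);
        this.validator.validateMessage(oAuthMessage, oAuthAccessor);
    }

    /**
     * Dumps the incoming message at DEBUG level.
     *
     * <p>Every OAuth parameter is logged, including {@code oauth_signature} and any requestor id,
     * so DEBUG on this logger should not be left enabled on a production instance.
     */
    private void printMessageToDebug(OAuthMessage oAuthMessage) throws IOException {
        if (!LOG.isDebugEnabled()) {
            return;
        }
        StringBuilder sb = new StringBuilder("Validating incoming OAuth request:\n");
        sb.append("\turl: ").append(oAuthMessage.URL).append("\n");
        sb.append("\tmethod: ").append(oAuthMessage.method).append("\n");
        for (Map.Entry<String, String> entry : oAuthMessage.getParameters()) {
            // A plain tab; the decompiled source had folded it into a logback SyslogAppender constant.
            sb.append("\t").append(entry.getKey()).append(": ").append(entry.getValue()).append("\n");
        }
        LOG.debug(sb.toString());
    }

    /**
     * Verifies the signature of a 3-legged message using the secret bound to the presented access token.
     *
     * @throws OAuthException if the validator rejects the message
     */
    void validate3LOMessage(OAuthMessage oAuthMessage, ServiceProviderToken serviceProviderToken) throws OAuthException, IOException, URISyntaxException {
        printMessageToDebug(oAuthMessage);
        this.validator.validateMessage(oAuthMessage, this.converter.toOAuthAccessor(serviceProviderToken));
    }

    /**
     * Authenticates a 3-legged request: the presented token must be a live access token owned by the
     * requesting consumer, the signature must verify, and the consumer must be allowed to use 3LO.
     *
     * @return a {@code Success} for the token's user, a {@code Failure} describing the OAuth problem,
     *         or an {@code Error} when the request could not be processed at all
     */
    public Authenticator.Result authenticate3LORequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        OAuthMessage message = OAuthServlet.getMessage(httpServletRequest, getLogicalUri(httpServletRequest));
        String tokenString;
        try {
            tokenString = message.getToken();
        } catch (IOException e) {
            LOG.error("3-Legged-OAuth Failed to read token from request", e);
            sendError(httpServletResponse, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, message);
            return new Authenticator.Result.Error(new OAuthProblem.UnreadableToken(e));
        }
        try {
            try {
                ServiceProviderToken token = getToken(tokenString);
                checkAccessToken(token, tokenString, message);
                validate3LOMessage(message, token);
                Consumer consumer = validateConsumer(message);
                if (!consumer.getThreeLOAllowed()) {
                    LOG.info("3-Legged-OAuth request has been attempted but 3-Legged-OAuth is not enabled for consumer:'{}'.", consumer.getKey());
                    throw new OAuthProblemException(OAuth.Problems.PERMISSION_DENIED);
                }
                RequestAnnotations.setOAuthConsumerKey(httpServletRequest, consumer.getKey());
                LOG.debug("3-Legged-OAuth successful. Request marked with consumer key set to [{}]", consumer.getKey());
                return getUserLoginResult(httpServletRequest, httpServletResponse, message, consumer, token.getUser());
            } catch (InvalidTokenException e) {
                // Kept around the whole flow, as in the original, in case a collaborator other than the store throws it.
                LOG.debug(String.format("3-Legged-OAuth Consumer provided token [%s] rejected by ServiceProviderTokenStore", tokenString), e);
                throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
            }
        } catch (OAuthProblemException e) {
            return handleOAuthProblemException(httpServletResponse, message, tokenString, e);
        } catch (Exception e) {
            return handleException(httpServletResponse, message, e);
        }
    }

    /**
     * Rejects a stored token that must not authenticate this 3LO request. Checks run in the original
     * order: unknown, not an access token, owned by a different consumer, expired.
     *
     * @param token the token loaded from the store, possibly {@code null}
     * @param tokenString the token value as presented by the client, for log context only
     * @throws OAuthProblemException {@code token_rejected} or {@code token_expired}
     * @throws IOException if the consumer key cannot be read from the message
     */
    private void checkAccessToken(ServiceProviderToken token, String tokenString, OAuthMessage message) throws OAuthProblemException, IOException {
        if (token == null) {
            LOG.debug("3-Legged-OAuth token rejected. Service Provider Token, for Consumer provided token [{}], is null", tokenString);
            throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
        }
        if (!token.isAccessToken()) {
            LOG.debug("3-Legged-OAuth token rejected. Service Provider Token, for Consumer provided token [{}], is NOT an access token.", tokenString);
            throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
        }
        String ownerKey = token.getConsumer().getKey();
        String requestKey = message.getConsumerKey();
        // Binds the token to the consumer it was issued to, so it cannot be presented under another consumer key.
        if (!ownerKey.equals(requestKey)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug(String.format("3-Legged-OAuth token rejected. Service Provider Token, for Consumer provided token [%s], consumer key [%s] does not match request consumer key [%s]", tokenString, ownerKey, requestKey));
            }
            throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
        }
        if (token.hasExpired(this.clock)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug(String.format("3-Legged-OAuth token rejected. Token has expired. Token creation time [%d] time to live [%d] clock (contains logging delay) [%d]", Long.valueOf(token.getCreationTime()), Long.valueOf(token.getTimeToLive()), Long.valueOf(this.clock.timeInMilliseconds())));
            }
            throw new OAuthProblemException(OAuth.Problems.TOKEN_EXPIRED);
        }
    }

    /**
     * Authenticates a 2-legged request. With a requestor id the consumer must be allowed to impersonate
     * and the request runs as that user; without one it runs as the consumer's configured executing
     * user, or anonymously if none is configured.
     *
     * @return a {@code Success}, a {@code Failure} describing the OAuth problem, or an {@code Error}
     */
    public Authenticator.Result authenticate2LORequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        OAuthMessage message = OAuthServlet.getMessage(httpServletRequest, getLogicalUri(httpServletRequest));
        try {
            Consumer consumer = validateConsumer(message);
            validate2LOMessage(message, consumer);
            String requestorId = httpServletRequest.getParameter(XOAUTH_REQUESTOR_ID);
            LOG.debug("2-Legged-OAuth userId [{}] from request parameter [{}].", requestorId, XOAUTH_REQUESTOR_ID);
            if (requestorId == null) {
                requestorId = httpServletRequest.getParameter(REMOTEAPP_REQUESTOR_ID);
                LOG.debug("2-Legged-OAuth userId [{}] from request parameter [{}].", requestorId, REMOTEAPP_REQUESTOR_ID);
            }
            Principal principal;
            if (requestorId != null) {
                if (!consumer.getTwoLOImpersonationAllowed()) {
                    LOG.info("2-Legged-OAuth with Impersonation request has been attempted but 2-Legged-OAuth with Impersonation is not enabled for consumer:'{}'. Cannot access resource as user '{}'", consumer.getName(), requestorId);
                    sendError(httpServletResponse, HttpServletResponse.SC_UNAUTHORIZED, message);
                    return new Authenticator.Result.Failure(new OAuthProblem.PermissionDenied(requestorId));
                }
                // NOTE(review): a requestor id that does not resolve leaves principal == null, which
                // getUserLoginResult treats as an anonymous success — confirm that is intended.
                principal = this.userManager.resolve(requestorId);
                LOG.debug("2-Legged-OAuth userId [{}] resolved to [{}].", requestorId, principal != null ? principal.getName() : "null");
            } else {
                if (!consumer.getTwoLOAllowed()) {
                    LOG.info("2-Legged-OAuth request has been attempted but 2-Legged-OAuth is not enabled for consumer:'{}'.", consumer.getName());
                    sendError(httpServletResponse, HttpServletResponse.SC_UNAUTHORIZED, message);
                    return new Authenticator.Result.Failure(new OAuthProblem.PermissionDenied());
                }
                String executingUser = consumer.getExecutingTwoLOUser();
                if (StringUtils.isBlank(executingUser)) {
                    LOG.debug("No executing user assigned for 2LO requests");
                    principal = null;
                } else {
                    LOG.debug("User assigned for 2LO requests is '{}'", executingUser);
                    principal = this.userManager.resolve(executingUser);
                }
            }
            RequestAnnotations.setOAuthConsumerKey(httpServletRequest, consumer.getKey());
            return getUserLoginResult(httpServletRequest, httpServletResponse, message, consumer, principal);
        } catch (OAuthProblemException e) {
            return handleOAuthProblemException(httpServletResponse, message, null, e);
        } catch (Exception e) {
            return handleException(httpServletResponse, message, e);
        }
    }

    /** Reports an unexpected failure as a 500 and a system {@code Error} result. */
    private Authenticator.Result handleException(HttpServletResponse httpServletResponse, OAuthMessage oAuthMessage, Exception exc) {
        LOG.error("Failed to validate OAuth message", exc);
        sendError(httpServletResponse, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, oAuthMessage);
        return new Authenticator.Result.Error(new OAuthProblem.System(exc));
    }

    /**
     * Turns a resolved principal into the final result.
     *
     * @param principal the user to log in, or {@code null} for an anonymous (consumer-only) success;
     *        a null principal bypasses the {@code canLogin} check
     * @return {@code Success} when the user may log in, otherwise a 401 {@code Failure}
     */
    private Authenticator.Result getUserLoginResult(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuthMessage oAuthMessage, Consumer consumer, Principal principal) {
        if (principal == null || this.authenticationController.canLogin(principal, httpServletRequest)) {
            LOG.info("Authenticated app '{}' as user '{}' successfully", consumer.getKey(), principal == null ? "null" : principal.getName());
            return new Authenticator.Result.Success(principal);
        }
        LOG.info("Access denied because user:'{}' cannot login", principal.getName());
        sendError(httpServletResponse, HttpServletResponse.SC_UNAUTHORIZED, oAuthMessage);
        return new Authenticator.Result.Failure(new OAuthProblem.PermissionDenied(principal.getName()));
    }

    /**
     * Writes the OAuth problem response to the client and maps it to a {@code Failure} result.
     *
     * @param str the token the client presented, or {@code null} for 2LO; attached to the problem
     *        unless the problem is an unknown consumer key
     */
    private Authenticator.Result handleOAuthProblemException(HttpServletResponse httpServletResponse, OAuthMessage oAuthMessage, String str, OAuthProblemException oAuthProblemException) {
        OAuthProblemUtils.logOAuthProblem(oAuthMessage, oAuthProblemException, LOG);
        try {
            OAuthServlet.handleException(httpServletResponse, oAuthProblemException, this.applicationProperties.getBaseUrl());
        } catch (Exception e) {
            LOG.error("Failure reporting OAuth error to client", e);
        }
        // NOTE(review): valueOf throws IllegalArgumentException for a problem string with no enum
        // counterpart, and nothing here catches it — confirm every net.oauth problem raised above has one.
        OAuthProblem.Problem problem = OAuthProblem.Problem.valueOf(oAuthProblemException.getProblem().toUpperCase(Locale.ENGLISH));
        if (!oAuthProblemException.getProblem().equals(OAuth.Problems.CONSUMER_KEY_UNKNOWN) && str != null) {
            return new Authenticator.Result.Failure(new OAuthProblem(problem, str));
        }
        return new Authenticator.Result.Failure(new OAuthProblem(problem));
    }

    /** Loads a token from the store inside a transaction; {@code null} when the store has no such token. */
    private ServiceProviderToken getToken(final String str) {
        return (ServiceProviderToken) this.transactionTemplate.execute(new TransactionCallback() { // from class: com.atlassian.oauth.serviceprovider.internal.AuthenticatorImpl.1
            @Override // com.atlassian.sal.api.transaction.TransactionCallback
            public Object doInTransaction() {
                return AuthenticatorImpl.this.store.get(str);
            }
        });
    }

    /**
     * Rebuilds the URL the client actually signed when the container forwarded the request, so the
     * signature base string is computed over the original path rather than the forward target.
     *
     * @return the reconstructed URL, or {@code null} if the request was not forwarded or the original
     *         path does not form a valid URI (the caller then falls back to the request URL)
     */
    private String getLogicalUri(HttpServletRequest httpServletRequest) {
        String forwardedPath = (String) httpServletRequest.getAttribute(FORWARD_REQUEST_URI);
        if (forwardedPath == null) {
            return null;
        }
        URI requestUri = URI.create(httpServletRequest.getRequestURL().toString());
        try {
            return new URI(requestUri.getScheme(), requestUri.getAuthority(), forwardedPath, requestUri.getQuery(), requestUri.getFragment()).toString();
        } catch (URISyntaxException e) {
            LOG.warn("forwarded request had invalid original URI path: " + forwardedPath, e);
            return null;
        }
    }

    /** Sets the status and a {@code WWW-Authenticate} OAuth challenge for the configured realm. */
    private void sendError(HttpServletResponse httpServletResponse, int i, OAuthMessage oAuthMessage) {
        httpServletResponse.setStatus(i);
        try {
            httpServletResponse.addHeader("WWW-Authenticate", oAuthMessage.getAuthorizationHeader(this.applicationProperties.getBaseUrl()));
        } catch (IOException e) {
            LOG.error("Failure reporting OAuth error to client", e);
        }
    }
}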
