package com.atlassian.refapp.auth.internal;

import com.atlassian.refapp.auth.external.WebSudoSessionManager;
import com.atlassian.seraph.auth.AbstractAuthenticator;
import com.atlassian.seraph.auth.AuthenticatorException;
import com.atlassian.seraph.auth.RoleMapper;
import com.atlassian.seraph.config.SecurityConfig;
import com.atlassian.seraph.config.SecurityConfigFactory;
import com.atlassian.seraph.cookie.CookieFactory;
import com.atlassian.seraph.cookie.CookieHandler;
import com.atlassian.seraph.interceptor.LogoutInterceptor;
import com.atlassian.seraph.util.RedirectUtils;
import com.atlassian.user.EntityException;
import com.atlassian.user.UserManager;
import com.atlassian.user.security.authentication.Authenticator;
import com.atlassian.user.util.Base64Encoder;
import java.io.IOException;
import java.security.Principal;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/atlassian-refapp-auth-plugin-6.1.1.jar:com/atlassian/refapp/auth/internal/AtlassianUserAuthenticator.class */
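/**
 * Seraph {@link AbstractAuthenticator} backed by the atlassian-user {@link UserManager} and
 * {@link Authenticator}.
 *
 * <p>{@link #getUser(HttpServletRequest, HttpServletResponse)} resolves the current user from, in order,
 * the servlet session (when one already exists), the Seraph login cookie (only when no session exists) and
 * an HTTP Basic {@code Authorization} header. A successful {@link #login} stores the {@link Principal} in
 * the session under {@link #LOGGED_IN_KEY} and clears the {@link #LOGGED_OUT_KEY} marker that
 * {@link #logout} sets.
 *
 * <p>Notes for maintainers:
 * <ul>
 *   <li>The login cookie is produced by {@code encodePasswordCookie}, i.e. it is an encoding of the
 *       username and password and is replayed through {@link #login} on every cookie-based request.
 *       Treat the cookie value as a credential: it is only ever logged at debug level here, and the
 *       configured cookie age bounds how long a captured cookie stays usable.</li>
 *   <li>The existing servlet session is reused on login rather than renewed, so no session-fixation
 *       protection is provided by this class — confirm that the surrounding framework handles it if it
 *       is required.</li>
 * </ul>
 *
 * <p>The configuration fields are written once in {@link #init} and only read afterwards; {@code init}
 * is expected to complete before the authenticator serves requests.
 */
public class AtlassianUserAuthenticator extends AbstractAuthenticator {
    /** Session attribute under which the logged-in {@link Principal} is stored. */
    public static final String LOGGED_IN_KEY = "seraph_defaultauthenticator_user";
    /** Session attribute set to {@link Boolean#TRUE} by {@link #logout}; blocks session re-use until the next login. */
    public static final String LOGGED_OUT_KEY = "seraph_defaultauthenticator_logged_out_user";

    /** Request parameter whose presence on a successful login also opens a websudo session. */
    private static final String WEBSUDO_PARAMETER = "os_websudo";
    /** Header carrying HTTP Basic credentials. */
    private static final String AUTHORIZATION_HEADER = "Authorization";
    /** Scheme prefix expected at the start of the {@code Authorization} header (matched case-sensitively, as before). */
    private static final String BASIC_AUTH_PREFIX = "Basic ";
    /** Challenge sent back when no Basic credentials were offered. */
    private static final String BASIC_AUTH_CHALLENGE = "BASIC realm=\"protected-area\"";

    private final transient Logger log = LoggerFactory.getLogger(getClass());
    private final UserManager userManager;
    private final Authenticator authenticator;
    private final WebSudoSessionManager websudoManager;
    // Populated from SecurityConfig in init(Map, SecurityConfig).
    private String loginCookieKey;
    private String authType;
    private int autoLoginCookieAge;
    private String loginCookiePath;

    /**
     * Creates an authenticator; {@link #init} must still be called to pick up the Seraph configuration.
     *
     * @param userManager          looks up {@link Principal}s by username
     * @param authenticator        verifies username/password pairs
     * @param webSudoSessionManager opens websudo sessions for logins carrying {@value #WEBSUDO_PARAMETER}
     */
    public AtlassianUserAuthenticator(UserManager userManager, Authenticator authenticator, WebSudoSessionManager webSudoSessionManager) {
        this.userManager = userManager;
        this.authenticator = authenticator;
        this.websudoManager = webSudoSessionManager;
    }

    /**
     * Delegates to the superclass and then caches the cookie and auth-type settings from {@code securityConfig}.
     *
     * @param map            Seraph initialisation parameters, passed through to {@link AbstractAuthenticator#init}
     * @param securityConfig the active Seraph configuration
     */
    @Override
    public void init(Map map, SecurityConfig securityConfig) {
        if (this.log.isDebugEnabled()) {
            this.log.debug("{} $Revision: 16581 $ initializing", getClass().getName());
        }
        super.init(map, securityConfig);
        this.loginCookieKey = securityConfig.getLoginCookieKey();
        this.authType = securityConfig.getAuthType();
        this.autoLoginCookieAge = securityConfig.getAutoLoginCookieAge();
        this.loginCookiePath = securityConfig.getLoginCookiePath();
    }

    /**
     * Asks the configured {@link RoleMapper} whether the request's current user holds {@code role}.
     *
     * @param request the current request; the user is resolved via {@link #getUser(HttpServletRequest)}
     * @param role    the role name to test
     * @return whether the role mapper grants the role (the user may be {@code null} when nobody is logged in)
     */
    @Override
    public boolean isUserInRole(HttpServletRequest request, String role) {
        return getRoleMapper().hasRole(getUser(request), request, role);
    }

    /**
     * Authenticates {@code username}/{@code password} and, on success, records the user in the session.
     *
     * <p>On success the principal is stored under {@link #LOGGED_IN_KEY}, the {@link #LOGGED_OUT_KEY} marker is
     * cleared, a websudo session is opened when the request carries {@value #WEBSUDO_PARAMETER}, and the
     * login cookie is written when {@code storeCookie} is set and a response is available. A user that
     * authenticates but is refused by the {@link RoleMapper} is removed from the session again. Whenever
     * the login does not succeed and the request still carries a login cookie, that cookie is invalidated
     * so a stale remember-me cookie is not replayed on every request.
     *
     * @param request     the current request; a session is created if none exists
     * @param response    the current response, or {@code null} when no cookie may be written or cleared
     * @param username    the username to authenticate
     * @param password    the password to authenticate
     * @param storeCookie whether to write the remember-me login cookie on success
     * @return {@code true} if the user is authenticated and allowed to log in
     * @throws AuthenticatorException propagated from Seraph collaborators
     */
    @Override
    public boolean login(HttpServletRequest request, HttpServletResponse response, String username, String password, boolean storeCookie) throws AuthenticatorException {
        boolean debug = this.log.isDebugEnabled();
        CookieHandler cookieHandler = CookieFactory.getCookieHandler();
        boolean authenticated = authenticate(username, password);
        if (debug) {
            this.log.debug("User : {} has{} been authenticated", username, authenticated ? "" : " not");
        }
        if (authenticated) {
            // getUser(String) yields null when the lookup fails; the role mapper then decides what a null user may do.
            Principal user = getUser(username);
            request.getSession().setAttribute(LOGGED_IN_KEY, user);
            request.getSession().setAttribute(LOGGED_OUT_KEY, null);
            if (request.getParameter(WEBSUDO_PARAMETER) != null) {
                this.websudoManager.createWebSudoSession(request);
            }
            boolean canLogin = getRoleMapper().canLogin(user, request);
            if (debug) {
                this.log.debug("User : {} {} login according to the RoleMapper", username, canLogin ? "can" : "CANT");
            }
            if (canLogin) {
                if (storeCookie && response != null) {
                    cookieHandler.setCookie(request, response, getLoginCookieKey(), encodeCookie(username, password), this.autoLoginCookieAge, getCookiePath(request));
                }
                return true;
            }
            // Authenticated but not permitted: do not leave the principal in the session.
            request.getSession().removeAttribute(LOGGED_IN_KEY);
        }
        if (response == null || cookieHandler.getCookie(request, getLoginCookieKey()) == null) {
            return false;
        }
        this.log.warn("User: {} tried to login but they do not have USE permission or weren't found. Deleting cookie.", username);
        try {
            cookieHandler.invalidateCookie(request, response, getLoginCookieKey(), getCookiePath(request));
        } catch (Exception e) {
            // Best effort: a failed cookie removal must not turn a refused login into an error.
            this.log.error("Could not invalidate cookie: " + e, e);
        }
        return false;
    }

    /**
     * @return the role mapper from the global Seraph configuration
     */
    protected RoleMapper getRoleMapper() {
        return SecurityConfigFactory.getInstance().getRoleMapper();
    }

    /**
     * Logs the current user out: runs the logout interceptors around clearing the session principal,
     * marking the session as logged out and invalidating the login cookie.
     *
     * @param request  the current request; a session is created if none exists
     * @param response the current response, or {@code null} if the cookie cannot be cleared
     * @return always {@code true}
     * @throws AuthenticatorException propagated from the interceptors
     */
    @Override
    public boolean logout(HttpServletRequest request, HttpServletResponse response) throws AuthenticatorException {
        if (this.log.isDebugEnabled()) {
            this.log.debug("logout requested.  Calling interceptors and clearing cookies");
        }
        List interceptors = getLogoutInterceptors();
        CookieHandler cookieHandler = CookieFactory.getCookieHandler();
        for (Object interceptor : interceptors) {
            ((LogoutInterceptor) interceptor).beforeLogout(request, response);
        }
        request.getSession().setAttribute(LOGGED_IN_KEY, null);
        // The marker keeps getUserFromSession() from resurrecting this session until the next login.
        request.getSession().setAttribute(LOGGED_OUT_KEY, Boolean.TRUE);
        if (response != null && cookieHandler.getCookie(request, getLoginCookieKey()) != null) {
            try {
                cookieHandler.invalidateCookie(request, response, getLoginCookieKey(), getCookiePath(request));
            } catch (Exception e) {
                this.log.error("Could not invalidate cookie: " + e, e);
            }
        }
        for (Object interceptor : interceptors) {
            ((LogoutInterceptor) interceptor).afterLogout(request, response);
        }
        return true;
    }

    /**
     * Resolves the request's user from the session, the login cookie or Basic authentication, in that order.
     *
     * <p>The cookie is only consulted when the request has no session at all; an existing session that
     * holds no user (or carries the logged-out marker) falls through directly to Basic authentication.
     *
     * @param request  the current request
     * @param response the current response; may be {@code null}, in which case no cookie or 401 is written
     * @return the logged-in {@link Principal}, or {@code null} if nobody is logged in
     */
    @Override
    public Principal getUser(HttpServletRequest request, HttpServletResponse response) {
        boolean debug = this.log.isDebugEnabled();
        if (request.getSession(false) != null) {
            Principal fromSession = getUserFromSession(request);
            if (fromSession != null) {
                if (debug) {
                    this.log.debug("Session found; returning the user stored in it");
                }
                return fromSession;
            }
        } else {
            Principal fromCookie = getUserFromCookie(request, response);
            if (fromCookie != null) {
                return fromCookie;
            }
            this.log.debug("Cannot log user in via a cookie");
        }
        if (RedirectUtils.isBasicAuthentication(request, this.authType)) {
            Principal fromBasicAuth = getUserFromBasicAuthentication(request, response);
            if (fromBasicAuth != null) {
                return fromBasicAuth;
            }
        }
        if (debug) {
            this.log.debug("User not logged in.");
        }
        return null;
    }

    /**
     * Attempts a login from the remember-me cookie, which carries an encoded username/password pair.
     *
     * @param request  the current request
     * @param response the current response; may be {@code null}
     * @return the user stored in the session after a successful cookie login, else {@code null}
     */
    protected Principal getUserFromCookie(HttpServletRequest request, HttpServletResponse response) {
        boolean debug = this.log.isDebugEnabled();
        String cookieKey = getLoginCookieKey();
        Cookie cookie = CookieFactory.getCookieHandler().getCookie(request, cookieKey);
        if (cookie == null) {
            return null;
        }
        String value = cookie.getValue();
        if (debug) {
            // Debug only: the value is a credential.
            this.log.debug("Found cookie : '{}' with value : '{}'", cookieKey, value);
        }
        String[] credentials = decodeCookie(value);
        // A malformed cookie that decodes to fewer than two parts is treated like an undecodable one
        // instead of failing with an ArrayIndexOutOfBoundsException.
        if (credentials == null || credentials.length < 2) {
            if (debug) {
                this.log.debug("Unable to decode {} cookie with value : '{}'", cookieKey, value);
            }
            return null;
        }
        String username = credentials[0];
        String password = credentials[1];
        if (debug) {
            this.log.debug("Got username : '{}' and password from cookie, attempting to authenticate user", username);
        }
        try {
            if (!login(request, response, username, password, false)) {
                return null;
            }
            if (debug) {
                this.log.debug("Logged user : '{}' in via a cookie", username);
            }
            return getUserFromSession(request);
        } catch (Exception e) {
            this.log.warn("Cookie login for user : '" + username + "' failed with exception: " + e, e);
            return null;
        }
    }

    /**
     * Reads the principal stored by {@link #login} from the session.
     *
     * @param request the current request; no session is created if none exists
     * @return the stored {@link Principal}, or {@code null} when there is no session, the session carries the
     *         logged-out marker, it holds no principal, or reading it fails
     */
    protected Principal getUserFromSession(HttpServletRequest request) {
        boolean debug = this.log.isDebugEnabled();
        try {
            HttpSession session = request.getSession(false);
            if (session == null) {
                return null;
            }
            if (session.getAttribute(LOGGED_OUT_KEY) != null) {
                if (debug) {
                    this.log.debug("Session found; user has already logged out");
                }
                return null;
            }
            Object stored = session.getAttribute(LOGGED_IN_KEY);
            if (stored == null) {
                if (debug) {
                    this.log.debug("Session found; BUT it has no Principal in it");
                }
                return null;
            }
            Principal principal = (Principal) stored;
            if (debug) {
                this.log.debug("Session found; user : '{}' already logged in", principal.getName());
            }
            return principal;
        } catch (Exception e) {
            this.log.warn("Exception when retrieving user from session: " + e, e);
            return null;
        }
    }

    /**
     * Attempts a login from an HTTP Basic {@code Authorization} header.
     *
     * <p>Without Basic credentials a {@code 401} challenge is written to the response; with rejected
     * credentials a {@code 401} error is sent. Both are skipped when {@code response} is {@code null}.
     *
     * @param request  the current request
     * @param response the current response; may be {@code null}
     * @return the authenticated {@link Principal}, or {@code null}
     */
    protected Principal getUserFromBasicAuthentication(HttpServletRequest request, HttpServletResponse response) {
        boolean debug = this.log.isDebugEnabled();
        String header = request.getHeader(AUTHORIZATION_HEADER);
        if (header == null || !header.startsWith(BASIC_AUTH_PREFIX)) {
            if (response != null) {
                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                response.setHeader("WWW-Authenticate", BASIC_AUTH_CHALLENGE);
            }
            return null;
        }
        if (debug) {
            this.log.debug("Looking in Basic Auth headers");
        }
        // NOTE(review): the decoded credentials become a String via the platform default charset, so
        // non-ASCII passwords depend on the JVM's default encoding — confirm before relying on it.
        String credentials = new String(Base64Encoder.decode(header.substring(BASIC_AUTH_PREFIX.length()).getBytes()));
        String username = "";
        String password = "";
        int separator = credentials.indexOf(':');
        if (separator != -1) {
            username = credentials.substring(0, separator);
            password = credentials.substring(separator + 1);
        }
        try {
            if (login(request, response, username, password, false)) {
                if (debug) {
                    this.log.debug("Logged in user : '{}' via basic auth", username);
                }
                return getUser(username);
            }
        } catch (AuthenticatorException e) {
            this.log.warn("Exception trying to login user : '" + username + "' via basic auth:" + e, e);
        }
        // Credentials were offered but rejected. A null response (getUser(request, null) callers) has
        // nothing to write to; previously this dereferenced it unconditionally.
        if (response != null) {
            try {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            } catch (IOException e) {
                this.log.warn("Exception trying to send basic auth failed error: " + e, e);
            }
        }
        return null;
    }

    /**
     * Path for the login cookie: the configured login cookie path if set, otherwise the request's context
     * path normalised to start with {@code /} ({@code /} for an empty context path).
     *
     * @param request the current request
     * @return the cookie path, never {@code null}
     */
    protected String getCookiePath(HttpServletRequest request) {
        String configured = getLoginCookiePath();
        if (configured != null) {
            return configured;
        }
        String contextPath = request.getContextPath();
        if (contextPath == null || contextPath.isEmpty()) {
            return "/";
        }
        return contextPath.startsWith("/") ? contextPath : "/" + contextPath;
    }

    /** @return the login cookie name cached from the Seraph configuration in {@link #init} */
    protected String getLoginCookieKey() {
        return this.loginCookieKey;
    }

    /** @return the auth type cached from the Seraph configuration in {@link #init} */
    public String getAuthType() {
        return this.authType;
    }

    /** @return the configured {@link LogoutInterceptor}s (raw list, as returned by the Seraph config) */
    protected List getLogoutInterceptors() {
        return getConfig().getInterceptors(LogoutInterceptor.class);
    }

    /**
     * Encodes a username/password pair into the remember-me cookie value using the configured cookie encoding.
     *
     * @param username the username
     * @param password the password
     * @return the encoded cookie value
     */
    protected String encodeCookie(String username, String password) {
        return CookieFactory.getCookieEncoder().encodePasswordCookie(username, password, getConfig().getCookieEncoding());
    }

    /**
     * Decodes a remember-me cookie value.
     *
     * @param value the cookie value
     * @return the decoded parts (username first, password second) or {@code null} if undecodable, as
     *         defined by the cookie encoder
     */
    protected String[] decodeCookie(String value) {
        return CookieFactory.getCookieEncoder().decodePasswordCookie(value, getConfig().getCookieEncoding());
    }

    /** @return the configured login cookie path, or {@code null} to derive it from the request */
    protected String getLoginCookiePath() {
        return this.loginCookiePath;
    }

    /**
     * Looks a user up by name.
     *
     * @param username the username
     * @return the {@link Principal}, or {@code null} if the user manager reports an {@link EntityException}
     */
    protected Principal getUser(String username) {
        try {
            return this.userManager.getUser(username);
        } catch (EntityException e) {
            // Lookup failure is treated as "no such user"; callers handle null.
            this.log.debug("Could not look up user '{}': {}", username, e.toString());
            return null;
        }
    }

    /**
     * Verifies a username/password pair against the {@link Authenticator}, logging the outcome at info level.
     *
     * @param username the username
     * @param password the password
     * @return whether the credentials were accepted; {@code false} if the user does not exist
     */
    protected boolean authenticate(String username, String password) {
        try {
            boolean accepted = this.authenticator.authenticate(username, password);
            if (accepted) {
                this.log.info("User '{}' successfully logged in", username);
            } else {
                this.log.info("Cannot login user '{}' as they used an incorrect password", username);
            }
            return accepted;
        } catch (EntityException e) {
            this.log.info("Cannot login user '{}' as they do not exist.", username);
            return false;
        }
    }
}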
