package com.atlassian.bamboo.accesstoken;

import com.atlassian.bamboo.accesstoken.event.AccessTokenCreatedEvent;
import com.atlassian.bamboo.accesstoken.event.AccessTokenDeletedEvent;
import com.atlassian.bamboo.accesstoken.event.AllUserAccessTokensDeletedEvent;
import com.atlassian.bamboo.accesstoken.exception.CreateTokenFailedException;
import com.atlassian.bamboo.accesstoken.exception.TokenLimitExceededException;
import com.atlassian.bamboo.accesstoken.exception.TokenWithNameExistsException;
import com.atlassian.bamboo.exception.UnauthorisedException;
import com.atlassian.bamboo.persister.AuditLogService;
import com.atlassian.bamboo.security.AccessTokenContextHolder;
import com.atlassian.bamboo.security.BambooPermissionManager;
import com.atlassian.bamboo.security.acegi.acls.BambooPermission;
import com.atlassian.bamboo.user.BambooAuthenticationContext;
import com.atlassian.bamboo.user.BambooUser;
import com.atlassian.bamboo.user.BambooUserManager;
import com.atlassian.bamboo.util.BambooStringUtils;
import com.atlassian.bamboo.utils.SystemProperty;
import com.atlassian.event.api.EventPublisher;
import java.util.Collection;
import java.util.Comparator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.commons.lang3.StringUtils;
import org.apache.log4j.Logger;
import org.jetbrains.annotations.NotNull;
import org.springframework.util.CollectionUtils;

/* loaded from: input_file:com/atlassian/bamboo/accesstoken/DefaultAccessTokenService.class */
public class DefaultAccessTokenService implements AccessTokenService {
    private static final int MAX_TOKEN_NAME_LENGTH = 255;
    private static final Logger log = Logger.getLogger(DefaultAccessTokenService.class);
    private static int MAX_GENERATE_TOKEN_ID_RETRY = 10;
    private final AccessTokenDao accessTokenDao;
    private final AccessTokenGenerator accessTokenGenerator;
    private final BambooAuthenticationContext bambooAuthenticationContext;
    private final BambooPermissionManager bambooPermissionManager;
    private final EventPublisher eventPublisher;
    private final BambooUserManager bambooUserManager;
    private final AuditLogService auditLogService;

    public DefaultAccessTokenService(AccessTokenDao accessTokenDao, AccessTokenGenerator accessTokenGenerator, BambooAuthenticationContext bambooAuthenticationContext, BambooPermissionManager bambooPermissionManager, EventPublisher eventPublisher, BambooUserManager bambooUserManager, AuditLogService auditLogService) {
        this.accessTokenDao = accessTokenDao;
        this.accessTokenGenerator = accessTokenGenerator;
        this.bambooAuthenticationContext = bambooAuthenticationContext;
        this.bambooPermissionManager = bambooPermissionManager;
        this.eventPublisher = eventPublisher;
        this.bambooUserManager = bambooUserManager;
        this.auditLogService = auditLogService;
    }

    public Optional<AccessToken> authenticate(@NotNull String str) {
        validateNotEmpty(str, "rawToken");
        if (!this.accessTokenGenerator.isValidToken(str)) {
            log.debug("Can not authenticate - token is not valid");
            return Optional.empty();
        }
        String id = this.accessTokenGenerator.getId(str);
        Optional findByTokenId = this.accessTokenDao.findByTokenId(id);
        if (findByTokenId.isPresent()) {
            MutableAccessToken mutableAccessToken = (MutableAccessToken) findByTokenId.get();
            BambooUser bambooUser = this.bambooUserManager.getBambooUser(mutableAccessToken.getUserName());
            if (bambooUser == null || !bambooUser.isEnabled()) {
                log.info(String.format("User correlated with token id %s does not exist or is disabled", mutableAccessToken.getTokenId()));
            } else {
                if (this.accessTokenGenerator.authenticateToken(str, mutableAccessToken.getHashedToken())) {
                    return Optional.of(mutableAccessToken.toAccessToken());
                }
                log.warn(String.format("Someone tried to authenticate with token id %s and invalid secret", id));
            }
        } else {
            log.info(String.format("Token with id %s does not exist", id));
        }
        return Optional.empty();
    }

    @NotNull
    public RawAccessToken create(@NotNull CreateAccessTokenRequest createAccessTokenRequest) throws TokenLimitExceededException, CreateTokenFailedException, TokenWithNameExistsException {
        String generateToken;
        String id;
        String userName = createAccessTokenRequest.getUserName();
        String name = createAccessTokenRequest.getName();
        Set permissions = createAccessTokenRequest.getPermissions();
        validateNotEmpty(userName, "requestUserName");
        validateNotEmpty(name, "requestTokenName");
        validateTokenNameMaxLenght(name);
        validateNotEmpty(permissions, "requestPermissions");
        AccessTokenServiceUtils.validateRequestedPermissionsDependencies(permissions);
        if (!isCurrentUser(userName)) {
            throw new UnauthorisedException(String.format("User %s tried to create rawToken for %s. Creating tokens are allowed only for current user.", this.bambooAuthenticationContext.getUserName(), userName));
        }
        validateNotAuthorisedByRestrictedToken(userName);
        long countByUserName = this.accessTokenDao.countByUserName(userName);
        if (countByUserName >= SystemProperty.MAX_TOKENS_PER_USER.getTypedValue()) {
            throw new TokenLimitExceededException(String.format("User %s has %s tokens. Max number of tokens is : %s, can not create new token", userName, Long.valueOf(countByUserName), Long.valueOf(SystemProperty.MAX_TOKENS_PER_USER.getTypedValue())));
        }
        if (this.accessTokenDao.tokenWithNameAndUserNameExists(userName, name)) {
            throw new TokenWithNameExistsException(String.format("Token with name %s already exists", name));
        }
        int i = 0;
        do {
            int i2 = i;
            i++;
            if (i2 >= MAX_GENERATE_TOKEN_ID_RETRY) {
                throw new CreateTokenFailedException("There was an error creating an access token");
            }
            generateToken = this.accessTokenGenerator.generateToken();
            id = this.accessTokenGenerator.getId(generateToken);
        } while (this.accessTokenDao.findByTokenId(id).isPresent());
        MutableAccessToken saveToken = saveToken(id, this.accessTokenGenerator.hashToken(generateToken), createAccessTokenRequest.getName(), userName, permissions);
        SimpleRawAccessToken simpleRawAccessToken = new SimpleRawAccessToken(saveToken.getCreationDate(), saveToken.getTokenId(), saveToken.getName(), saveToken.getUserName(), saveToken.getPermissions(), generateToken);
        this.eventPublisher.publish(new AccessTokenCreatedEvent(simpleRawAccessToken.toAccessToken()));
        this.auditLogService.log(String.format("New access token '%s' has been created for user %s with permissions: [%s]", saveToken.getName(), userName, BambooStringUtils.enumSetToString(saveToken.getPermissions())));
        return simpleRawAccessToken;
    }

    @NotNull
    public List<AccessToken> getAccessTokensByUserName(@NotNull String str) {
        validateNotEmpty(str, "userName");
        validateCurrentUserPermissionToGetOrDelete(str);
        return (List) this.accessTokenDao.findByUserName(str).stream().map((v0) -> {
            return v0.toAccessToken();
        }).sorted(Comparator.comparing(accessToken -> {
            return accessToken.getName().toUpperCase();
        })).collect(Collectors.toList());
    }

    public void deleteByTokenId(@NotNull String str) {
        validateNotEmpty(str, MutableAccessTokenImpl_.TOKEN_ID);
        this.accessTokenDao.findByTokenId(str).ifPresent(mutableAccessToken -> {
            validateCurrentUserPermissionToGetOrDelete(mutableAccessToken.getUserName());
            validateNotAuthorisedByRestrictedToken(mutableAccessToken.getUserName());
            this.accessTokenDao.delete(mutableAccessToken);
            String userName = this.bambooAuthenticationContext.getUserName();
            this.auditLogService.log(String.format("Access token '%s' for user %s has been revoked", mutableAccessToken.getName(), mutableAccessToken.getUserName()));
            this.eventPublisher.publish(new AccessTokenDeletedEvent(mutableAccessToken.toAccessToken(), StringUtils.defaultString(userName)));
        });
    }

    public void deleteByUserName(@NotNull String str) throws UnauthorisedException {
        validateCurrentUserPermissionToGetOrDelete(str);
        validateNotAuthorisedByRestrictedToken(str);
        this.accessTokenDao.deleteByUserName(str);
        this.auditLogService.log(String.format("All access tokens of user %s has been revoked", str));
        this.eventPublisher.publish(new AllUserAccessTokensDeletedEvent(str));
    }

    private MutableAccessToken saveToken(String str, String str2, String str3, String str4, Iterable<AccessTokenPermission> iterable) {
        MutableAccessTokenImpl mutableAccessTokenImpl = new MutableAccessTokenImpl();
        mutableAccessTokenImpl.setTokenId(str);
        mutableAccessTokenImpl.setHashedToken(str2);
        mutableAccessTokenImpl.setUserName(str4);
        mutableAccessTokenImpl.setName(str3);
        mutableAccessTokenImpl.setPermissions(iterable);
        this.accessTokenDao.save(mutableAccessTokenImpl);
        return mutableAccessTokenImpl;
    }

    private void validateCurrentUserPermissionToGetOrDelete(String str) {
        if (!isAdminOrRestrictedAdmin() && !isCurrentUser(str)) {
            throw new UnauthorisedException(String.format("User %s is not authorised to perform get or delete for %s's access tokens", this.bambooAuthenticationContext.getUserName(), str));
        }
    }

    private void validateNotAuthorisedByRestrictedToken(String str) {
        Optional<AccessToken> accessToken = AccessTokenContextHolder.getAccessToken();
        if (accessToken.isPresent()) {
            AccessToken accessToken2 = accessToken.get();
            if (!accessToken2.getPermissions().contains(AccessTokenPermission.USER)) {
                throw new UnauthorisedException(String.format("Operation not allowed due to permission restrictions of the access token: user %s token %s", str, accessToken2.getName()));
            }
        }
    }

    private boolean isAdminOrRestrictedAdmin() {
        return this.bambooPermissionManager.hasGlobalPermission(BambooPermission.ADMINISTRATION) || this.bambooPermissionManager.hasGlobalPermission(BambooPermission.RESTRICTEDADMINISTRATION);
    }

    private boolean isCurrentUser(String str) {
        return Objects.equals(this.bambooAuthenticationContext.getUserName(), str);
    }

    private void validateNotEmpty(String str, String str2) {
        if (StringUtils.isEmpty(str)) {
            throw new IllegalArgumentException(String.format("Field %s can not be empty", str2));
        }
    }

    private void validateNotEmpty(Collection<?> collection, String str) {
        if (CollectionUtils.isEmpty(collection)) {
            throw new IllegalArgumentException(String.format("Field %s can not be empty", str));
        }
    }

    private void validateTokenNameMaxLenght(String str) {
        if (str.length() > 255) {
            throw new IllegalArgumentException("Token name cannot be longer than 255characters");
        }
    }
}
