package com.atlassian.bamboo.filter;

import com.atlassian.bamboo.ClusterAwareLifecycleManager;
import com.atlassian.bamboo.NodeLifecycleState;
import com.atlassian.bamboo.accesstoken.AccessToken;
import com.atlassian.bamboo.accesstoken.AccessTokenAnalyticsService;
import com.atlassian.bamboo.accesstoken.AccessTokenService;
import com.atlassian.bamboo.beehive.BambooClusterNodeHeartbeatService;
import com.atlassian.bamboo.configuration.AdministrationConfiguration;
import com.atlassian.bamboo.configuration.AdministrationConfigurationAccessor;
import com.atlassian.bamboo.filter.ServletFilterRegistrar;
import com.atlassian.bamboo.persistence.BambooSessionInViewFilter;
import com.atlassian.bamboo.security.AccessTokenContextHolder;
import com.atlassian.bamboo.security.AnnotatedPermitChecker;
import com.atlassian.bamboo.security.DefaultAnnotatedPermitChecker;
import com.atlassian.bamboo.security.LogoutSupport;
import com.atlassian.bamboo.security.NoCheckAnnotatedPermitChecker;
import com.atlassian.bamboo.servlet.ServletContextRegistrar;
import com.atlassian.bamboo.servlet.UrlPattern;
import com.atlassian.bamboo.spring.ComponentAccessor;
import com.atlassian.bamboo.spring.EventuallyAutowired;
import com.atlassian.bamboo.spring.EventuallyAutowiredSupport;
import com.atlassian.bamboo.user.BambooUser;
import com.atlassian.bamboo.user.BambooUserManager;
import com.atlassian.bamboo.util.Narrow;
import com.atlassian.bamboo.util.RequestCacheThreadLocal;
import com.atlassian.bamboo.utils.HttpUtils;
import com.atlassian.bamboo.utils.SystemProperty;
import com.atlassian.bamboo.utils.scopedcaches.RequestScopedCaches;
import com.atlassian.bamboo.web.utils.JohnsonEventContainerHolder;
import com.atlassian.config.util.BootstrapUtils;
import com.atlassian.core.filters.HeaderSanitisingFilter;
import com.atlassian.johnson.JohnsonEventContainer;
import com.atlassian.johnson.filters.JohnsonFilter;
import com.atlassian.plugin.servlet.util.RequestUtil;
import com.atlassian.sal.api.permission.AuthorisationException;
import com.atlassian.sal.api.permission.NotAuthenticatedException;
import com.atlassian.seraph.auth.LoginReason;
import com.atlassian.seraph.filter.BaseLoginFilter;
import com.atlassian.seraph.filter.LoginFilter;
import com.atlassian.seraph.filter.SecurityFilter;
import com.atlassian.seraph.util.SecurityUtils;
import com.github.ziplet.filter.compression.CompressingFilter;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Suppliers;
import java.io.IOException;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import javax.inject.Inject;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.util.FilterToBeanProxy;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.web.filter.CharacterEncodingFilter;

/* loaded from: input_file:com/atlassian/bamboo/filter/ServletFilters.class */
public enum ServletFilters {
    CHARSET_FILTER(ServletFilterRegistrar.filter("charsetFilter", new CharacterEncodingFilter()).initParam("encoding", "UTF-8").mapping(UrlPattern.ALL_URLS)),
    ENCODING_FILTER(ServletFilterRegistrar.filter("encodingFilter", new BambooEncodingFilter()).initParam("encoding", "UTF-8").initParam("contentType", "text/html;charset=UTF-8").mapping(EnumSet.of(DispatcherType.REQUEST, DispatcherType.FORWARD), UrlPattern.PLUGINS_SERVLET)),
    PRIMARY_NODE_TRAFIC(ServletFilterRegistrar.filter("traffic-through-primary-node-only-filter", new Filter() { // from class: com.atlassian.bamboo.filter.TrafficThroughPrimaryNodeOnlyFilter

        // Holder for the cluster services; populated by EventuallyAutowiredSupport in init().
        @EventuallyAutowired
        private EventuallyAvailable eventuallyAvailable;
        // Cached "may this node serve traffic" decision, recomputed at most once per second.
        // It is true only when the heartbeat service reports this node as primary AND the
        // lifecycle state is not RUNNING_AS_SECONDARY. A null service or manager evaluates
        // to true, so the filter lets traffic through until both collaborators are injected.
        // NOTE(review): the holder itself is dereferenced without a null check; confirm that
        // injection always completes before the first request reaches doFilter().
        private final Supplier<Boolean> isPrimary = Suppliers.memoizeWithExpiration(() -> {
            return Boolean.valueOf(((Boolean) Optional.ofNullable(this.eventuallyAvailable.getBambooClusterNodeHeartbeatService()).map((v0) -> {
                return v0.isCurrentNodePrimaryBuffered();
            }).orElse(true)).booleanValue() && ((Boolean) Optional.ofNullable(this.eventuallyAvailable.getClusterAwareLifecycleManager()).map((v0) -> {
                return v0.getBufferedNodeLifecycleState();
            }).map(nodeLifecycleState -> {
                return Boolean.valueOf(nodeLifecycleState != NodeLifecycleState.RUNNING_AS_SECONDARY);
            }).orElse(true)).booleanValue());
        }, 1, TimeUnit.SECONDS);
        private static final Logger log = LogManager.getLogger(TrafficThroughPrimaryNodeOnlyFilter.class);
        // Action that blocked requests are forwarded to; it is also on the bypass list so the
        // forward is not blocked in turn.
        private static final String ERROR_ACTION = "secondaryNodeNotAccessible.action";
        // Fragments that exempt a request from the primary-node check. doFilter() tests them
        // with String.contains() against the request URI, so each entry matches anywhere in
        // the URI, not only as a path prefix or a file extension.
        private static final List<String> BYPASSING_ENDPOINTS = List.of("rest/api/latest/status", "rest/api/latest/server", ERROR_ACTION, ".css", ".js", ".png", ".jpg", ".svg", ".woff");
        // Read once when the class is initialised from the "bypassSecondaryNodeAccessFilter"
        // system property; when true, doFilter() lets every request through on any node.
        // NOTE(review): the meaning of the two leading boolean constructor arguments is not
        // visible here (presumably flags and a default) - confirm against SystemProperty.
        private static final boolean BYPASS_SYSTEM_PROPERTY = new SystemProperty.BooleanSystemProperty(false, false, new String[]{"bypassSecondaryNodeAccessFilter"}).getTypedValue();

        /* loaded from: input_file:com/atlassian/bamboo/filter/TrafficThroughPrimaryNodeOnlyFilter$EventuallyAvailable.class */
        /**
         * Holder for the cluster services consulted by the primary-node check. The fields are
         * filled by dependency injection; the filter wraps both getters in
         * {@code Optional.ofNullable}, so either value may still be {@code null} when read.
         */
        private static class EventuallyAvailable {

            /** Source of the buffered "is this node primary" flag. */
            @Inject
            private BambooClusterNodeHeartbeatService bambooClusterNodeHeartbeatService;

            /** Source of the buffered node lifecycle state. */
            @Inject
            private ClusterAwareLifecycleManager clusterAwareLifecycleManager;

            /** Instances are created by the injection support, not by callers. */
            private EventuallyAvailable() {
            }

            /** @return the injected heartbeat service, or {@code null} if not yet injected */
            public BambooClusterNodeHeartbeatService getBambooClusterNodeHeartbeatService() {
                return bambooClusterNodeHeartbeatService;
            }

            /** @return the injected lifecycle manager, or {@code null} if not yet injected */
            public ClusterAwareLifecycleManager getClusterAwareLifecycleManager() {
                return clusterAwareLifecycleManager;
            }
        }

        /**
         * Passes the request down the chain when this node is primary, when the request URI
         * contains one of the bypass fragments, or when the bypass system property is set.
         * Every other request is forwarded to the "secondary node not accessible" action.
         *
         * NOTE(review): the bypass test is a substring match on the whole request URI. A URI
         * that merely contains ".js", ".css" or another listed fragment is exempt, whatever it
         * resolves to. Matching a normalised path by prefix or by extension would narrow the
         * exemption to the intended status endpoints and static resources.
         */
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
            HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
            boolean allowed = this.isPrimary.get().booleanValue();
            if (!allowed) {
                String requestUri = httpServletRequest.getRequestURI();
                for (String fragment : BYPASSING_ENDPOINTS) {
                    if (requestUri.contains(fragment)) {
                        allowed = true;
                        break;
                    }
                }
            }
            if (!allowed) {
                // Operator override: serve traffic regardless of the node role.
                allowed = BYPASS_SYSTEM_PROPERTY;
            }
            if (!allowed) {
                log.debug("Forwarding {} to /{}", httpServletRequest.getServletPath(), ERROR_ACTION);
                servletRequest.getRequestDispatcher("/secondaryNodeNotAccessible.action").forward(servletRequest, servletResponse);
                return;
            }
            filterChain.doFilter(servletRequest, servletResponse);
        }

        /**
         * Triggers injection of the {@code @EventuallyAutowired} members of this filter, using
         * the servlet context taken from the filter configuration.
         */
        public void init(FilterConfig filterConfig) throws ServletException {
            ServletContext context = filterConfig.getServletContext();
            EventuallyAutowiredSupport.processInjectionBasedOnServletContext(this, context);
        }

        /** No resources to release. */
        public void destroy() {
        }
    }).mapping(UrlPattern.ALL_URLS)),
    PLUGIN_FILTERS_AFTER_ENCODING(PluginFilterLocation.AFTER_ENCODING),
    HEADER_SANITISER(ServletFilterRegistrar.filter("headersanitising", new HeaderSanitisingFilter()).mapping(EnumSet.of(DispatcherType.REQUEST, DispatcherType.FORWARD, DispatcherType.ERROR), UrlPattern.ALL_URLS)),
    URL_REWRITE(ServletFilterRegistrar.filter("urlRewrite", new UrlRewriteFilter()).mapping(UrlPattern.BROWSE_ALL)),
    COOKIE_CACHE_CONTROL(ServletFilterRegistrar.filter("cookieCacheControl", new CookieCacheControlFilter()).mapping(EnumSet.of(DispatcherType.REQUEST, DispatcherType.FORWARD), UrlPattern.ALL_URLS)),
    HTTP_HEADER_SECURITY(ServletFilterRegistrar.filter("httpHeaderSecurityFilter", new Filter() { // from class: com.atlassian.bamboo.filter.BambooHttpHeaderSecurityFilter
        // Switches and header values resolved once in init() from system properties.
        private boolean isHttpHeaderSecurityEnabled;
        private boolean isHstsPreloadEnabled;
        private boolean isHstsIncludingAllSubdomains;
        private boolean isClickJackingProtectionEnabled;
        private boolean isXssProtectionEnabled;
        private String hstsHeaderValue;
        private String cspHeaderValue;
        private String referrerPolicyHeaderValue;
        private String permissionsPolicyHeaderValue;
        private String xFrameOptionsValue;
        // Defaults used when the matching system property is empty or fails validation.
        public static final String DEFAULT_REFERRER_POLICY_VALUE = "no-referrer-when-downgrade";
        public static final String DEFAULT_X_FRAME_OPTIONS_VALUE = "SAMEORIGIN";
        public static final String DEFAULT_X_CONTENT_TYPE_OPTIONS_VALUE = "nosniff";
        public static final String DEFAULT_XSS_PROTECTION_VALUE = "1; mode=block";
        // Upper bound applied by validateHeaderLength() to every header this filter sets.
        // A longer value is dropped, not truncated, so a Content-Security-Policy above 256
        // characters results in no CSP header at all (a warning is logged).
        private static final int MAX_HEADER_LENGTH = 256;
        private static final Logger log = LogManager.getLogger(BambooHttpHeaderSecurityFilter.class);
        // A null default means the header is omitted unless the operator configures a value.
        public static final String DEFAULT_CSP_VALUE = null;
        public static final String DEFAULT_PERMISSIONS_POLICY_VALUE = null;
        // Accepts a ';'-separated list of known directive names, each followed by whitespace
        // and a non-empty value. Consequences of that shape:
        //  - a directive written without a value (e.g. a bare upgrade-insecure-requests or
        //    sandbox) does not match, and
        //  - a directive missing from the list (e.g. script-src-elem) does not match;
        //  in both cases the whole configured policy is rejected and the default (no CSP
        //  header) is used instead.
        // NOTE(review): "\\s" and "[^;]" also match CR and LF; the value comes from a system
        // property, but excluding line breaks here would make the check stricter.
        private static final Pattern CSP_PATTERN = Pattern.compile("(?i)^(?:default-src|script-src|style-src|img-src|connect-src|font-src|object-src|media-src|frame-src|worker-src|child-src|form-action|frame-ancestors|plugin-types|sandbox|report-uri|base-uri|manifest-src|prefetch-src|navigate-to|report-to|require-sri-for|trusted-types|upgrade-insecure-requests|block-all-mixed-content|referrer)(?:\\s[^;]+)(?:;\\s*(?:default-src|script-src|style-src|img-src|connect-src|font-src|object-src|media-src|frame-src|worker-src|child-src|form-action|frame-ancestors|plugin-types|sandbox|report-uri|base-uri|manifest-src|prefetch-src|navigate-to|report-to|require-sri-for|trusted-types|upgrade-insecure-requests|block-all-mixed-content|referrer)(?:\\s[^;]+))*;?$");
        // Exactly one policy token, case-sensitive; a comma-separated fallback list is rejected.
        private static final Pattern REFERRER_POLICY_PATTERN = Pattern.compile("^(no-referrer|no-referrer-when-downgrade|origin|origin-when-cross-origin|same-origin|strict-origin|strict-origin-when-cross-origin|unsafe-url)$");
        // One or more feature=(allowlist) items separated by commas; only the parenthesised
        // allowlist form is accepted, so the shorthand feature=* is rejected.
        private static final Pattern PERMISSIONS_POLICY_PATTERN = Pattern.compile("^[a-z-]+=\\([^)]*\\)(?:,\\s*[a-z-]+=\\([^)]*\\))*$");
        // Case-insensitive DENY, SAMEORIGIN or ALLOW-FROM <origin>. ALLOW-FROM is not honoured
        // by current browsers; the CSP frame-ancestors directive is its replacement.
        private static final Pattern X_FRAME_OPTIONS_PATTERN = Pattern.compile("^(?i)(DENY|SAMEORIGIN|ALLOW-FROM\\s+.+)$");

        /** @return the simple class name of this filter, used in log messages */
        private static String getClassName() {
            Class<?> filterClass = BambooHttpHeaderSecurityFilter.class;
            return filterClass.getSimpleName();
        }

        /** No resources to release. */
        public void destroy() {
        }

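        /**
         * Resolves every switch and header value from system properties and logs the
         * resulting configuration.
         *
         * Header values are validated against the patterns declared on this filter; an
         * invalid value falls back to its default, which for Content-Security-Policy and
         * Permissions-Policy means the header is omitted.
         *
         * The HSTS "disabled" property is honoured here: when it is set, no
         * Strict-Transport-Security value is stored, so setHeader() skips the header.
         * Previously the property was read and logged but the header was still sent.
         *
         * NOTE(review): the warning logged when the whole filter is disabled tells the
         * operator to force the property to 'true'; since the property is read as a
         * "disabled" flag, confirm that wording against the property's documented meaning.
         *
         * @param filterConfig unused; configuration comes from system properties only
         */
        public void init(FilterConfig filterConfig) throws ServletException {
            log.info("Initializing {}", getClassName());
            this.isHttpHeaderSecurityEnabled = !SystemProperty.HTTP_HEADER_SECURITY_DISABLED.getTypedValue();
            this.isHstsPreloadEnabled = SystemProperty.HTTP_HEADER_SECURITY_HSTS_PRELOAD_ENABLED.getTypedValue();
            this.isHstsIncludingAllSubdomains = SystemProperty.HTTP_HEADER_SECURITY_HSTS_INCLUDE_SUB_DOMAINS.getTypedValue();
            this.isXssProtectionEnabled = !SystemProperty.HTTP_HEADER_SECURITY_XSS_PROTECTION_DISABLED.getTypedValue();
            boolean hstsEnabled = !SystemProperty.HTTP_HEADER_SECURITY_HSTS_DISABLED.getTypedValue();
            long hstsMaxAge = SystemProperty.HTTP_HEADER_SECURITY_HSTS_MAX_AGE.getTypedValue();
            // A null value makes setHeader() skip Strict-Transport-Security entirely.
            // buildHstsValue() reads the preload/subdomain flags assigned above.
            this.hstsHeaderValue = hstsEnabled ? buildHstsValue(hstsMaxAge) : null;
            this.isClickJackingProtectionEnabled = !SystemProperty.HTTP_HEADER_SECURITY_ANTI_CLICKJACKING_PROTECTION_DISABLED.getTypedValue();
            this.xFrameOptionsValue = getValidatedXFrameOptionsValue(SystemProperty.HTTP_HEADER_SECURITY_ANTI_CLICKJACKING_X_FRAME_OPTIONS_VALUE.getValue());
            this.cspHeaderValue = getValidatedCspValue(SystemProperty.HTTP_HEADER_SECURITY_CSP.getValue());
            this.referrerPolicyHeaderValue = getValidatedReferrerPolicyValue(SystemProperty.HTTP_HEADER_SECURITY_REFERRER_POLICY.getValue());
            this.permissionsPolicyHeaderValue = getValidatedPermissionsPolicyValue(SystemProperty.HTTP_HEADER_SECURITY_PERMISSIONS_POLICY.getValue());
            if (!this.isHttpHeaderSecurityEnabled) {
                log.warn("HTTP Header Security Filter is disabled via '{}' system property. Security headers will not be added. Restore security headers by removing or forcing the system property to 'true'", SystemProperty.HTTP_HEADER_SECURITY_DISABLED.getKey());
                return;
            }
            log.info("HTTP Header Security Enabled: [true]");
            log.debug("HSTS Enabled: [{}]", Boolean.valueOf(hstsEnabled));
            log.debug("  * HSTS Max Age: [{}]", Long.valueOf(hstsMaxAge));
            log.debug("  * HSTS Preload Enabled: [{}]", Boolean.valueOf(this.isHstsPreloadEnabled));
            log.debug("  * HSTS Include Subdomains: [{}]", Boolean.valueOf(this.isHstsIncludingAllSubdomains));
            log.debug("Anti-ClickJacking Enabled: [{}]", Boolean.valueOf(this.isClickJackingProtectionEnabled));
            log.debug("  * X-Frame-Options Header value: [{}]", this.xFrameOptionsValue);
            log.debug("Content-Security-Policy Header value: [{}]", this.cspHeaderValue != null ? this.cspHeaderValue : "undefined");
            log.debug("Referrer-Policy Header value: [{}]", this.referrerPolicyHeaderValue);
            log.debug("XSS Protection Enabled: [{}]", Boolean.valueOf(this.isXssProtectionEnabled));
            log.debug("X-Content-Type-Options Enabled: [{}]", Boolean.valueOf(isXContentTypeOptionsHeaderEnabled()));
            log.debug("Permissions-Policy Header value: [{}]", this.permissionsPolicyHeaderValue != null ? this.permissionsPolicyHeaderValue : "undefined");
        }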

        /**
         * Adds the configured security headers before the rest of the chain runs, then checks
         * afterwards that nothing downstream changed them.
         *
         * When the filter is disabled by system property the request is passed on untouched.
         * The post-chain check runs only if the chain returns normally; headers that were
         * changed after the response was committed can be reported but not restored.
         */
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) servletRequest;
            HttpServletResponse response = (HttpServletResponse) servletResponse;
            if (!this.isHttpHeaderSecurityEnabled) {
                log.debug("HTTP Header Security Filter is disabled via '{}' system property. Security headers will not be added", SystemProperty.HTTP_HEADER_SECURITY_DISABLED.getKey());
                filterChain.doFilter(request, response);
                return;
            }
            // Header name -> value actually set by this filter, consulted after the chain.
            Map<String, String> appliedHeaders = new HashMap<>();
            log.debug("Starting {} for request: {}", getClassName(), request.getRequestURI());
            setHstsHeaders(request, response, appliedHeaders);
            setHeader(response, "Content-Security-Policy", this.cspHeaderValue, appliedHeaders);
            setHeader(response, "Referrer-Policy", this.referrerPolicyHeaderValue, appliedHeaders);
            setHeader(response, "Permissions-Policy", this.permissionsPolicyHeaderValue, appliedHeaders);
            setExtraProtectionHeaders(response, appliedHeaders);
            filterChain.doFilter(request, response);
            log.debug("Revising headers after filter chain execution");
            reviseHeaders(request, response, appliedHeaders);
        }

        /**
         * Builds the Strict-Transport-Security value from the max-age and the
         * includeSubDomains / preload switches held on this filter.
         *
         * @param j max-age in seconds, written as given (no range check is applied here)
         * @return the header value, e.g. {@code max-age=N; includeSubDomains; preload}
         */
        private String buildHstsValue(long j) {
            String value = "max-age=" + j;
            if (this.isHstsIncludingAllSubdomains) {
                value += "; includeSubDomains";
            }
            if (this.isHstsPreloadEnabled) {
                value += "; preload";
            }
            return value;
        }

        /**
         * Sets Strict-Transport-Security, but only on requests the container reports as secure.
         *
         * NOTE(review): isSecure() reflects what the container sees; behind a TLS-terminating
         * proxy it is only true if the connector is configured to trust the proxy's scheme
         * information - confirm for the deployment.
         */
        private void setHstsHeaders(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Map<String, String> map) {
            if (httpServletRequest.isSecure()) {
                log.debug("Request is secure. Setting {} header", "Strict-Transport-Security");
                setHeader(httpServletResponse, "Strict-Transport-Security", this.hstsHeaderValue, map);
                return;
            }
            log.debug("Request is not secure. Skipping {} header", "Strict-Transport-Security");
        }

        /**
         * Reports whether X-Content-Type-Options should be sent. Either of the two "disabled"
         * system properties switches the header off; the second is read only when the first
         * is false. Both are read on every call, not cached in init().
         */
        private boolean isXContentTypeOptionsHeaderEnabled() {
            boolean disabled = SystemProperty.DISABLE_X_CONTENT_TYPE_OPTIONS_NOSNIFF.getTypedValue()
                    || SystemProperty.HTTP_HEADER_SECURITY_X_CONTENT_TYPE_OPTIONS_NOSNIFF_DISABLED.getTypedValue();
            return !disabled;
        }

        /**
         * Adds X-XSS-Protection, X-Frame-Options and X-Content-Type-Options when the matching
         * switch is on and the response does not already carry that header. A value that an
         * earlier component has set is therefore left as it is and is not tracked in
         * {@code map} for the post-chain check.
         */
        private void setExtraProtectionHeaders(HttpServletResponse httpServletResponse, Map<String, String> map) {
            boolean addXssProtection = this.isXssProtectionEnabled && !httpServletResponse.containsHeader("X-XSS-Protection");
            if (addXssProtection) {
                setHeader(httpServletResponse, "X-XSS-Protection", DEFAULT_XSS_PROTECTION_VALUE, map);
            }
            boolean addFrameOptions = this.isClickJackingProtectionEnabled && !httpServletResponse.containsHeader("X-Frame-Options");
            if (addFrameOptions) {
                setHeader(httpServletResponse, "X-Frame-Options", this.xFrameOptionsValue, map);
            }
            if (isXContentTypeOptionsHeaderEnabled() && !httpServletResponse.containsHeader("X-Content-Type-Options")) {
                setHeader(httpServletResponse, "X-Content-Type-Options", DEFAULT_X_CONTENT_TYPE_OPTIONS_VALUE, map);
            }
        }

        /**
         * Enforces the maximum header value length.
         *
         * @param str  header name, used only in the warning
         * @param str2 candidate value, may be {@code null}
         * @return {@code str2} unchanged when it is {@code null} or within the limit,
         *         otherwise {@code null} (the value is dropped, not truncated)
         */
        private String validateHeaderLength(String str, String str2) {
            boolean tooLong = str2 != null && str2.length() > MAX_HEADER_LENGTH;
            if (!tooLong) {
                return str2;
            }
            log.warn("Header [{}] value exceeds the maximum allowed length of {} characters and will not be set", str, Integer.valueOf(MAX_HEADER_LENGTH));
            return null;
        }

        /**
         * Sets one response header and records it in {@code map} so that reviseHeaders() can
         * verify it after the chain has run. A {@code null} or over-long value is skipped and
         * not recorded.
         *
         * @param str  header name
         * @param str2 header value, may be {@code null}
         * @param map  receives the name/value pair when the header is set
         */
        void setHeader(HttpServletResponse httpServletResponse, String str, String str2, Map<String, String> map) {
            String checkedValue = validateHeaderLength(str, str2);
            if (checkedValue != null) {
                httpServletResponse.setHeader(str, checkedValue);
                map.put(str, checkedValue);
                log.debug("Set header [{}: {}]", str, checkedValue);
            } else {
                log.debug("Header [{}] not set because the value is undefined or too long", str);
            }
        }

        /**
         * Compares every header this filter set with what the response holds after the chain
         * has run. A changed or removed header is logged at WARN and, if the response is not
         * yet committed, written back. Once the response is committed the header cannot be
         * restored, so the warning is the only trace of the change.
         *
         * @param map header name to expected value, as recorded by setHeader()
         */
        void reviseHeaders(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Map<String, String> map) {
            for (Map.Entry<String, String> expected : map.entrySet()) {
                String headerName = expected.getKey();
                String expectedValue = expected.getValue();
                String actualValue = httpServletResponse.getHeader(headerName);
                if (expectedValue.equals(actualValue)) {
                    continue;
                }
                log.warn("Security header \"{}\" value was tampered for URL {}. Expected: {}, Actual: {}", headerName, httpServletRequest.getRequestURI(), expectedValue, actualValue);
                if (!httpServletResponse.isCommitted()) {
                    log.debug("Response not committed. Resetting header [{}: {}]", headerName, expectedValue);
                    httpServletResponse.setHeader(headerName, expectedValue);
                } else {
                    log.debug("Response already committed. Cannot reset header [{}]", headerName);
                }
            }
        }

        /**
         * Validates a configured header value.
         *
         * @param str     configured value, may be {@code null} or empty
         * @param pattern the whole value must match this pattern
         * @param str2    header name, used in the warning
         * @param str3    system property key, used in the warning
         * @param str4    default returned for an empty or invalid value, may be {@code null}
         * @return {@code str} when it matches, otherwise {@code str4}; a warning is logged
         *         only for a non-empty value that fails to match
         */
        private String getValidatedHeaderValue(String str, Pattern pattern, String str2, String str3, String str4) {
            if (StringUtils.isEmpty(str)) {
                return str4;
            }
            if (pattern.matcher(str).matches()) {
                return str;
            }
            return fallbackToDefaultSystemProperty(str2, str3, str4);
        }

        /**
         * Validates the configured Content-Security-Policy against CSP_PATTERN.
         *
         * @return the value when valid; otherwise DEFAULT_CSP_VALUE, which is {@code null}
         *         and means no CSP header is sent
         */
        private String getValidatedCspValue(String str) {
            String propertyKey = SystemProperty.HTTP_HEADER_SECURITY_CSP.getKey();
            return getValidatedHeaderValue(str, CSP_PATTERN, "Content-Security-Policy", propertyKey, DEFAULT_CSP_VALUE);
        }

        /**
         * Validates the configured Referrer-Policy against REFERRER_POLICY_PATTERN.
         *
         * @return the value when valid, otherwise DEFAULT_REFERRER_POLICY_VALUE
         */
        private String getValidatedReferrerPolicyValue(String str) {
            String propertyKey = SystemProperty.HTTP_HEADER_SECURITY_REFERRER_POLICY.getKey();
            return getValidatedHeaderValue(str, REFERRER_POLICY_PATTERN, "Referrer-Policy", propertyKey, DEFAULT_REFERRER_POLICY_VALUE);
        }

        /**
         * Validates the configured Permissions-Policy against PERMISSIONS_POLICY_PATTERN.
         *
         * @return the value when valid; otherwise DEFAULT_PERMISSIONS_POLICY_VALUE, which is
         *         {@code null} and means no Permissions-Policy header is sent
         */
        private String getValidatedPermissionsPolicyValue(String str) {
            String propertyKey = SystemProperty.HTTP_HEADER_SECURITY_PERMISSIONS_POLICY.getKey();
            return getValidatedHeaderValue(str, PERMISSIONS_POLICY_PATTERN, "Permissions-Policy", propertyKey, DEFAULT_PERMISSIONS_POLICY_VALUE);
        }

        /**
         * Validates the configured X-Frame-Options value against X_FRAME_OPTIONS_PATTERN.
         *
         * @return the value when valid; DEFAULT_X_FRAME_OPTIONS_VALUE when it is empty or
         *         invalid (a warning is logged only in the invalid case)
         */
        private String getValidatedXFrameOptionsValue(String str) {
            if (StringUtils.isEmpty(str)) {
                return DEFAULT_X_FRAME_OPTIONS_VALUE;
            }
            if (X_FRAME_OPTIONS_PATTERN.matcher(str).matches()) {
                return str;
            }
            return fallbackToDefaultSystemProperty("X-Frame-Options", SystemProperty.HTTP_HEADER_SECURITY_ANTI_CLICKJACKING_X_FRAME_OPTIONS_VALUE.getKey(), DEFAULT_X_FRAME_OPTIONS_VALUE);
        }

        /**
         * Logs that a configured header value was rejected and returns the default.
         *
         * @param str  header name
         * @param str2 key of the system property that supplied the invalid value
         * @param str3 default value, may be {@code null}
         * @return {@code str3}
         */
        private String fallbackToDefaultSystemProperty(String str, String str2, String str3) {
            // The rejected value itself is not logged, only the header name and property key.
            log.warn("Invalid \"{}\" value provided by the '{}' system property, falling back to default value \"{}\"", str, str2, str3);
            return str3;
        }
    }).mapping(EnumSet.of(DispatcherType.REQUEST, DispatcherType.FORWARD), UrlPattern.ALL_URLS)),
    REQUEST_CACHE(ServletFilterRegistrar.filter("requestCache", new Filter() { // from class: com.atlassian.bamboo.filter.RequestCacheThreadLocalFilter
        // Request attribute used by shouldClearCache() to mark a request the first time this
        // filter sees it, so that a later pass over the same request skips the cleanup.
        private static final String CLEAR_ONCE_KEY = "com.atlassian.bamboo.filter.RequestCacheThreadLocalFilter.CLEAR_ONCE";

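        /**
         * Binds the request/response pair to the thread-local request cache for the duration
         * of the chain and, for methods that cannot mutate state, opens a request-scoped
         * caching scope.
         *
         * Cleanup is done in a single {@code finally}: the thread-local cache is cleared when
         * this invocation is the one that owns the cleanup (see shouldClearCache), and the
         * caching scope is left whenever this invocation entered it. The earlier form never
         * left the scope when the chain threw, which kept per-request cached state on the
         * worker thread after the request had ended.
         *
         * An IllegalArgumentException raised while binding the cache is answered with
         * HTTP 400 and the chain is not invoked.
         * NOTE(review): the exception message is handed to sendError(); confirm it cannot
         * carry request-derived text that the error page would render unescaped.
         */
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
            boolean shouldClearCache = shouldClearCache(servletRequest);
            boolean enteredCachingScope = false;
            try {
                HttpServletRequest httpServletRequest = (HttpServletRequest) Narrow.downTo(servletRequest, HttpServletRequest.class);
                HttpServletResponse httpServletResponse = (HttpServletResponse) Narrow.downTo(servletResponse, HttpServletResponse.class);
                if (httpServletRequest != null && httpServletResponse != null) {
                    boolean canMethodMutateState = HttpUtils.canMethodMutateState(httpServletRequest.getMethod());
                    try {
                        RequestCacheThreadLocal.setRequestCache(httpServletRequest, httpServletResponse);
                        if (!canMethodMutateState) {
                            RequestScopedCaches.enterCachingScope();
                            // Set only after the scope was entered, so finally never leaves
                            // a scope that was not opened.
                            enteredCachingScope = true;
                        }
                    } catch (IllegalArgumentException e) {
                        httpServletResponse.sendError(400, e.getMessage());
                        return;
                    }
                }
                filterChain.doFilter(servletRequest, servletResponse);
            } finally {
                if (shouldClearCache) {
                    RequestCacheThreadLocal.clearRequestCache();
                }
                if (enteredCachingScope) {
                    RequestScopedCaches.leaveCachingScope();
                }
            }
        }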

        /** No configuration is read. */
        public void init(FilterConfig filterConfig) throws ServletException {
        }

        /** No resources to release. */
        public void destroy() {
        }

        /**
         * Decides whether this invocation owns the thread-local cleanup. The first pass over a
         * request marks it with CLEAR_ONCE_KEY and returns {@code true}; a later pass over the
         * same request (the filter is also mapped to FORWARD dispatches) finds the marker and
         * returns {@code false}.
         */
        private boolean shouldClearCache(ServletRequest servletRequest) {
            boolean alreadyMarked = servletRequest.getAttribute(CLEAR_ONCE_KEY) == Boolean.TRUE;
            if (!alreadyMarked) {
                servletRequest.setAttribute(CLEAR_ONCE_KEY, Boolean.TRUE);
            }
            return !alreadyMarked;
        }
    }).mapping(EnumSet.of(DispatcherType.REQUEST, DispatcherType.FORWARD), UrlPattern.ALL_URLS)),
    CACHING_URL_REWRITE(ServletFilterRegistrar.filter("cachingUrlRewriteFilter", new org.tuckey.web.filters.urlrewrite.UrlRewriteFilter()).mapping(UrlPattern.AGENT_SERVER, UrlPattern.S, UrlPattern.BROWSE_ALL, UrlPattern.DOWNLOAD, UrlPattern.DEPLOYMENT_DOWNLOAD, UrlPattern.SPECS_LOGS, UrlPattern.ARTIFACT, UrlPattern.SPECS_EXPORT, UrlPattern.GLOBAL_ARTIFACT)),
    PAGECOMPRESSION(ServletFilterRegistrar.filter("pageCompression", new Filter() { // from class: com.atlassian.bamboo.filter.BambooCompressingFilter
        private static final org.apache.log4j.Logger log = org.apache.log4j.Logger.getLogger(BambooCompressingFilter.class);
        // Resolved lazily on each shouldCompress() call through the supplier.
        private Supplier<AdministrationConfigurationAccessor> administrationConfigurationAccessor = ComponentAccessor.ADMINISTRATION_CONFIGURATION_ACCESSOR;
        // Delegate that performs the compression; replaceable through setWrappedFilter().
        private Filter compressingFilter = new CompressingFilter();

        /** Passes the filter configuration on to the wrapped compressing filter. */
        public void init(FilterConfig filterConfig) throws ServletException {
            this.compressingFilter.init(filterConfig);
        }

        /**
         * Routes the request through the wrapped compressing filter only when a bootstrap
         * manager exists, setup is complete and the administration configuration asks for
         * GZIP; otherwise the request continues down the chain uncompressed.
         */
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
            boolean compress = BootstrapUtils.getBootstrapManager() != null
                    && BootstrapUtils.getBootstrapManager().isSetupComplete()
                    && shouldCompress();
            if (!compress) {
                filterChain.doFilter(servletRequest, servletResponse);
                return;
            }
            this.compressingFilter.doFilter(servletRequest, servletResponse, filterChain);
        }

        /** Releases the wrapped compressing filter. */
        public void destroy() {
            this.compressingFilter.destroy();
        }

        /**
         * Reads the GZIP setting from the current administration configuration.
         *
         * @return {@code true} when the configuration requests GZIP compression
         */
        @VisibleForTesting
        boolean shouldCompress() {
            AdministrationConfiguration config = this.administrationConfigurationAccessor.get().getAdministrationConfiguration();
            boolean useGzip = config.isUseGzipCompression();
            if (log.isDebugEnabled()) {
                log.debug("GZIP compression required = " + useGzip);
            }
            return useGzip;
        }

        /** Test hook: replaces the delegate that performs the compression. */
        @VisibleForTesting
        void setWrappedFilter(Filter filter) {
            this.compressingFilter = filter;
        }
    }).mapping(EnumSet.of(DispatcherType.REQUEST, DispatcherType.FORWARD), UrlPattern.ALL_ACTIONS, UrlPattern.CSS, UrlPattern.JS, UrlPattern.HTML, UrlPattern.HTM, UrlPattern.XML, UrlPattern.LOG)),
    SESSIONINVIEW(ServletFilterRegistrar.filter("sessioninview", new BambooSessionInViewFilter()).mapping(EnumSet.of(DispatcherType.REQUEST, DispatcherType.FORWARD), UrlPattern.ALL_ACTIONS, UrlPattern.DOWNLOAD, UrlPattern.DEPLOYMENT_DOWNLOAD, UrlPattern.SPECS_LOGS, UrlPattern.ARTIFACT, UrlPattern.SPECS_EXPORT, UrlPattern.GLOBAL_ARTIFACT, UrlPattern.PLUGINS, UrlPattern.REST)),
    PLUGIN_FILTERS_BEFORE_LOGIN(PluginFilterLocation.BEFORE_LOGIN),
    TOKEN_LOGIN(ServletFilterRegistrar.filter("token-login", new BaseLoginFilter() { // from class: com.atlassian.seraph.filter.AccessTokenLoginFilter
        // Session attribute set after a successful token login; invalidateSession() uses its
        // presence to decide that the session was created for token authentication.
        public static final String AUTHORIZED_BY_TOKEN = "authByAccessToken";
        // Session attribute under which the authenticated user's access token is stored.
        public static final String ACCESS_TOKEN = "accessToken";
        private static final org.apache.log4j.Logger log = org.apache.log4j.Logger.getLogger(AccessTokenLoginFilter.class);
        // Authorization scheme prefix; compared case-sensitively by this filter.
        private static final String BEARER = "Bearer";
        private static final int BEARER_HEADER_LENGTH = BEARER.length();

        // Holder for the token, user and analytics services; populated by
        // EventuallyAutowiredSupport in init().
        @EventuallyAutowired
        private EventuallyAvailable eventuallyAvailable;

        /* JADX INFO: Access modifiers changed from: private */
        /* loaded from: input_file:com/atlassian/seraph/filter/AccessTokenLoginFilter$EventuallyAvailable.class */
        /**
         * Holder for the services used during token authentication. The fields are filled by
         * dependency injection; the getters return whatever was injected without a null check.
         */
        public static class EventuallyAvailable {

            /** Verifies a presented token string. */
            @Inject
            private AccessTokenService accessTokenService;

            /** Resolves the user that owns an authenticated token. */
            @Inject
            private BambooUserManager bambooUserManager;

            /** Counts token and basic authentication attempts. */
            @Inject
            private AccessTokenAnalyticsService accessTokenAnalyticsService;

            /** Instances are created by the injection support, not by callers. */
            private EventuallyAvailable() {
            }

            /** @return the injected token service */
            public AccessTokenService getAccessTokenService() {
                return accessTokenService;
            }

            /** @return the injected user manager */
            public BambooUserManager getBambooUserManager() {
                return bambooUserManager;
            }

            /** @return the injected analytics service */
            public AccessTokenAnalyticsService getAccessTokenAnalyticsService() {
                return accessTokenAnalyticsService;
            }
        }

        /**
         * Runs the base filter initialisation, then triggers injection of the
         * {@code @EventuallyAutowired} members using the servlet context.
         */
        public void init(FilterConfig filterConfig) {
            super.init(filterConfig);
            ServletContext context = filterConfig.getServletContext();
            EventuallyAutowiredSupport.processInjectionBasedOnServletContext(this, context);
        }

        /**
         * Runs the base login filter and always cleans up afterwards: the thread-bound access
         * token context is cleared and a session that was created for token authentication is
         * invalidated, whether the chain returned normally or threw. Token-authenticated
         * requests therefore do not leave a reusable session behind.
         */
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) servletRequest;
            try {
                super.doFilter(servletRequest, servletResponse, filterChain);
            } finally {
                AccessTokenContextHolder.clearContext();
                invalidateSession(request);
            }
        }

        /**
         * Attempts to authenticate the request with a personal access token taken from the
         * Authorization header.
         *
         * On success the user is placed in the session context and the request is stamped
         * with LoginReason.OK. On failure, or when no bearer token is present, the request is
         * stamped AUTHENTICATED_FAILED and Seraph filtering is re-enabled so that a later
         * login filter can still process it.
         *
         * The token value is never logged. Success and failure are logged at DEBUG only, so
         * failed token attempts are not visible from this filter at default log levels.
         * NOTE(review): getBambooUser(...) is used without a null check; confirm it cannot
         * return null for a token that has just authenticated.
         *
         * @return {@code "success"} or {@code "failed"}
         */
        public String login(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
            recordAuthenticationTry(httpServletRequest);
            boolean authenticated = false;
            Optional<String> bearerToken = getBearerToken(httpServletRequest);
            if (!bearerToken.isPresent()) {
                log.debug("Could not find personal access token in request header");
            } else {
                log.debug("Try to authenticate with personal access token...");
                Optional authenticate = this.eventuallyAvailable.getAccessTokenService().authenticate(bearerToken.get());
                if (!authenticate.isPresent()) {
                    log.debug("Authentication finished with failure");
                } else {
                    authenticated = true;
                    putPrincipalInSessionContext(httpServletRequest, this.eventuallyAvailable.getBambooUserManager().getBambooUser((AccessToken) authenticate.get()));
                    log.debug("Authentication finished with success");
                }
            }
            if (!authenticated) {
                LoginReason.AUTHENTICATED_FAILED.stampRequestResponse(httpServletRequest, httpServletResponse);
                enableSeraphFiltering(httpServletRequest);
                return "failed";
            }
            LoginReason.OK.stampRequestResponse(httpServletRequest, httpServletResponse);
            return "success";
        }

        /**
         * Clears the "loginfilter.already.filtered" request attribute by setting it to null.
         * login() calls this after a failed token attempt.
         * NOTE(review): presumably this marker is what makes Seraph's login filter skip a
         * request it has already seen - confirm against the Seraph filter in use.
         */
        @VisibleForTesting
        void enableSeraphFiltering(HttpServletRequest httpServletRequest) {
            httpServletRequest.setAttribute("loginfilter.already.filtered", (Object) null);
        }

        /**
         * Counts the authentication attempt for analytics, by Authorization scheme: headers
         * starting with "Bearer" count as token attempts, headers starting with "Basic" count
         * as basic attempts unless the servlet path starts with "/rest/backdoor/". Only
         * counters are updated; the credential itself is not recorded.
         * NOTE(review): what serves the "/rest/backdoor/" path is not visible here; the only
         * thing this filter does with it is exclude it from the basic-auth counter.
         */
        private void recordAuthenticationTry(HttpServletRequest httpServletRequest) {
            String authorization = httpServletRequest.getHeader("Authorization");
            if (StringUtils.startsWith(authorization, BEARER)) {
                this.eventuallyAvailable.getAccessTokenAnalyticsService().incrementTokenAuthenticationCount();
                return;
            }
            boolean countedBasicAttempt = StringUtils.startsWith(authorization, "Basic")
                    && !StringUtils.startsWith(httpServletRequest.getServletPath(), "/rest/backdoor/");
            if (countedBasicAttempt) {
                this.eventuallyAvailable.getAccessTokenAnalyticsService().incrementBasicAuthenticationCount();
            }
        }

        /**
         * Extracts the bearer credential from the {@code Authorization} header.
         *
         * <p>The trimmed header must start with {@code BEARER} and be longer than
         * {@code BEARER_HEADER_LENGTH}. The returned value is everything after index
         * {@code BEARER_HEADER_LENGTH}, trimmed.
         *
         * <p>NOTE(review): the character at index {@code BEARER_HEADER_LENGTH} is skipped
         * without checking that it is a separator. A header exactly one character longer than
         * {@code BEARER_HEADER_LENGTH} yields {@code Optional.of("")} rather than
         * {@code Optional.empty()}. Confirm that the token service rejects an empty token.
         * The returned value is a secret and must not be written to logs.
         *
         * @param httpServletRequest the incoming request
         * @return the token text, or empty when no bearer credential is present
         */
        private Optional<String> getBearerToken(HttpServletRequest httpServletRequest) {
            final String authorization = StringUtils.defaultString(httpServletRequest.getHeader("Authorization")).trim();
            if (authorization.startsWith(BEARER) && authorization.length() > BEARER_HEADER_LENGTH) {
                return Optional.of(authorization.substring(BEARER_HEADER_LENGTH + 1).trim());
            }
            return Optional.empty();
        }

        /**
         * Binds a token-authenticated user to the HTTP session and to the access-token context.
         *
         * <p>The session is marked with {@code AUTHORIZED_BY_TOKEN} and carries the access
         * token under {@code ACCESS_TOKEN}. {@link #invalidateSession} uses the
         * {@code AUTHORIZED_BY_TOKEN} mark to decide whether to tear the session down.
         *
         * <p>NOTE(review): {@code bambooUser} is dereferenced only after the first three
         * attributes are written. A {@code null} user would therefore leave the session
         * partially updated before the {@code NullPointerException}. Confirm that the caller
         * never passes {@code null}.
         *
         * @param httpServletRequest request whose session receives the principal
         * @param bambooUser user resolved from the access token
         */
        protected void putPrincipalInSessionContext(HttpServletRequest httpServletRequest, BambooUser bambooUser) {
            // getSession() creates a session when none exists. The session id is not rotated here.
            // NOTE(review): a token session that outlives the request would act as a cookie credential for the token's user. Confirm that invalidateSession runs on every exit path.
            HttpSession session = httpServletRequest.getSession();
            session.setAttribute("seraph_defaultauthenticator_user", bambooUser);
            // A null value removes the attribute, clearing any earlier logged-out marker.
            session.setAttribute("seraph_defaultauthenticator_logged_out_user", (Object) null);
            session.setAttribute(AUTHORIZED_BY_TOKEN, true);
            session.setAttribute(ACCESS_TOKEN, bambooUser.getAccessToken());
            // NOTE(review): where this context is cleared is not visible in this block. Confirm it is reset at the end of the request.
            AccessTokenContextHolder.setContext(new AccessTokenContextHolder.AccessTokenContext(bambooUser.getAccessToken()));
        }

        /**
         * Invalidates the current session, but only when it was established by token
         * authentication, that is, when it carries the {@code AUTHORIZED_BY_TOKEN} attribute.
         * Sessions without that attribute are left untouched, and no session is created when
         * none exists.
         *
         * @param httpServletRequest request whose session may be invalidated
         */
        protected void invalidateSession(HttpServletRequest httpServletRequest) {
            final HttpSession existing = httpServletRequest.getSession(false);
            if (existing != null && existing.getAttribute(AUTHORIZED_BY_TOKEN) != null) {
                existing.invalidate();
            }
        }
    }).mapping(EnumSet.of(DispatcherType.REQUEST, DispatcherType.FORWARD), UrlPattern.REST, UrlPattern.GLOBAL_ARTIFACT, UrlPattern.ARTIFACT, UrlPattern.AGENT_SERVER, UrlPattern.ARTIFACT_URL_REDIRECT_ACTION, UrlPattern.DOWNLOAD, UrlPattern.DEPLOYMENT_DOWNLOAD)),
    LOGIN(ServletFilterRegistrar.filter("login", new LoginFilter() { // from class: com.atlassian.seraph.filter.BambooLoginFilter
        protected static final Logger log = LogManager.getLogger(BambooLoginFilter.class);
        private final LoginRedirector redirector = new LoginRedirector();

        /**
         * Initialises the inherited login filter, then applies the
         * {@code ALLOW_URL_PARAMETERS_LOGIN} system property to it.
         *
         * <p>NOTE(review): this presumably controls whether login credentials may be supplied
         * as URL parameters. Credentials in URLs end up in access logs, proxies and browser
         * history, so confirm that the property is disabled by default.
         *
         * @param filterConfig container-supplied filter configuration
         */
        public void init(FilterConfig filterConfig) {
            super.init(filterConfig);
            setAllowUrlParameterValue(SystemProperty.ALLOW_URL_PARAMETERS_LOGIN.getTypedValue());
        }

        /**
         * Runs the login step unless an earlier filter has already authenticated the request.
         *
         * <p>Order of decisions: (1) if the redirector has sent a redirect, stop; (2) if the
         * request is already marked authenticated, turn off the remaining Seraph filtering for
         * it and continue the chain; (3) otherwise delegate to the inherited login filter.
         *
         * <p>The "already authenticated" decision relies on the {@code os_authstatus} request
         * attribute. Request attributes are set server-side, so only filters that run earlier
         * in the chain can set it.
         *
         * @throws IOException if a downstream filter or the parent filter fails on I/O
         * @throws ServletException if a downstream filter or the parent filter fails
         */
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
            final boolean redirected = this.redirector.redirectIfNecessary((HttpServletRequest) servletRequest, (HttpServletResponse) servletResponse);
            if (redirected) {
                return;
            }
            if (isAlreadyAuthenticated(servletRequest)) {
                // Skip both the login and the security filter for a pre-authenticated request.
                SecurityUtils.disableSeraphFiltering(servletRequest);
                servletRequest.setAttribute("os_securityfilter_already_filtered", true);
                filterChain.doFilter(servletRequest, servletResponse);
            } else {
                super.doFilter(servletRequest, servletResponse, filterChain);
            }
        }

        /**
         * Reports whether the {@code os_authstatus} request attribute equals {@code "success"}.
         * When it does and debug logging is enabled, the decision is logged.
         *
         * @param servletRequest the request to inspect
         * @return {@code true} only when the attribute is exactly {@code "success"}
         */
        private boolean isAlreadyAuthenticated(ServletRequest servletRequest) {
            final boolean authenticated = "success".equals(servletRequest.getAttribute("os_authstatus"));
            if (authenticated && log.isDebugEnabled()) {
                log.debug("User IS authenticated via previous filter");
            }
            return authenticated;
        }
    }).mapping(EnumSet.of(DispatcherType.REQUEST, DispatcherType.FORWARD), UrlPattern.ALL_URLS)),
    LOGOUT(ServletFilterRegistrar.filter("logout", new Filter() { // from class: com.atlassian.seraph.filter.BambooLogoutFilter
        private static final org.apache.log4j.Logger logger = org.apache.log4j.LogManager.getLogger(BambooLogoutFilter.class);

        /** No initialisation is needed; the logout filter holds no configuration. */
        public void init(FilterConfig filterConfig) throws ServletException {
        }

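        /**
         * Logs the user out, then continues the filter chain exactly once.
         *
         * <p>The logout is best effort: an {@link Exception} from
         * {@code LogoutSupport.logout} is logged with its stack trace and the request
         * continues. The downstream chain runs from a {@code finally} block. It is therefore
         * invoked once on every path, and a failure raised by the downstream chain propagates
         * to the container instead of being caught and causing a second run of the chain.
         *
         * <p>NOTE(review): when logout fails, the request still proceeds and the session may
         * remain valid. Confirm that this fail-open behaviour is intended, and that failed
         * logouts are monitored.
         *
         * @throws IOException if the downstream chain fails on I/O
         * @throws ServletException if the downstream chain fails
         */
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
            try {
                LogoutSupport.logout(servletRequest, servletResponse);
            } catch (Exception e) {
                // Pass the throwable separately so the stack trace is kept.
                logger.error("Logout failed; continuing the filter chain", e);
            } finally {
                filterChain.doFilter(servletRequest, servletResponse);
            }
        }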

        /** Nothing to release; the logout filter holds no resources. */
        public void destroy() {
        }
    }).mapping(EnumSet.of(DispatcherType.REQUEST, DispatcherType.FORWARD), UrlPattern.USER_LOGOUT)),
    SERAPH_SECURITY(ServletFilterRegistrar.filter("security", new SecurityFilter()).mapping(EnumSet.of(DispatcherType.REQUEST, DispatcherType.FORWARD), UrlPattern.ALL_URLS)),
    JOHNSON(ServletFilterRegistrar.filter("johnson", new JohnsonFilter() { // from class: com.atlassian.bamboo.filter.BambooJohnsonFilter
        /**
         * Fetches the Johnson event container for the request's servlet context and runs every
         * configured request event check against it.
         *
         * @param httpServletRequest the incoming request
         * @return the container obtained from {@code JohnsonEventContainerHolder}, after all checks have run
         */
        protected JohnsonEventContainer getContainerAndRunEventChecks(HttpServletRequest httpServletRequest) {
            final JohnsonEventContainer container = JohnsonEventContainerHolder.get(httpServletRequest.getServletContext());
            this.config.getRequestEventChecks().forEach(check -> check.check(container, httpServletRequest));
            return container;
        }
    }).mapping(EnumSet.of(DispatcherType.REQUEST, DispatcherType.FORWARD), UrlPattern.ALL_URLS)),
    ACEGI(ServletFilterRegistrar.filter("acegi", new FilterToBeanProxy() { // from class: com.atlassian.bamboo.filter.BambooAcegiProxyFilter
        /**
         * Delegates to the proxied Acegi filter chain once setup has completed. Until then the
         * request bypasses the Acegi chain and goes straight to the next filter.
         *
         * <p>NOTE(review): while setup is incomplete, no Acegi security processing applies to
         * the mapped URLs. Confirm that the setup-phase endpoints are protected by other means.
         *
         * @throws IOException if the proxied or downstream filter fails on I/O
         * @throws ServletException if the proxied or downstream filter fails
         */
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
            if (!BootstrapUtils.getBootstrapManager().isSetupComplete()) {
                filterChain.doFilter(servletRequest, servletResponse);
                return;
            }
            super.doFilter(servletRequest, servletResponse, filterChain);
        }
    }).initParam("targetClass", "org.acegisecurity.util.FilterChainProxy").initParam("init", "lazy").mapping(EnumSet.of(DispatcherType.REQUEST, DispatcherType.FORWARD), UrlPattern.ALL_ACTIONS, UrlPattern.DOWNLOAD, UrlPattern.DEPLOYMENT_DOWNLOAD, UrlPattern.SPECS_LOGS, UrlPattern.SPECS_EXPORT, UrlPattern.GLOBAL_ARTIFACT, UrlPattern.ARTIFACT, UrlPattern.AGENT_INSTALLER, UrlPattern.PLUGINS, UrlPattern.REST)),
    SECURE_ACCESS(ServletFilterRegistrar.filter("secureaccess", new HttpFilter() { // from class: com.atlassian.bamboo.filter.SecureAccessFilter
        private static final Logger logger = LogManager.getLogger(SecureAccessFilter.class);
        public static final String NOT_PERMITTED_ERROR_PATH = "403.action";
        public static final String ORIGINAL_URL = "bamboo.secure.access.original.url";
        private transient SecureAccessFilterService secureAccessFilterService;
        private transient Supplier<List<ServletContextRegistrar>> servletContextRegistrarListSupplier = () -> {
            return (List) Arrays.stream(SecureAccessFilters.values()).map((v0) -> {
                return v0.getRegistrar();
            }).collect(Collectors.toList());
        };

        /**
         * Initialises the filter and builds the {@code SecureAccessFilterService} from the
         * registrars produced by {@code servletContextRegistrarListSupplier}.
         *
         * @param filterConfig container-supplied filter configuration
         * @throws ServletException if the parent filter fails to initialise
         */
        public void init(FilterConfig filterConfig) throws ServletException {
            super.init(filterConfig);
            final List<ServletContextRegistrar> registrars = this.servletContextRegistrarListSupplier.get();
            this.secureAccessFilterService = new SecureAccessFilterService(filterConfig, registrars);
            this.secureAccessFilterService.initSecureAccessServletFilter();
        }

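        /**
         * Chooses the permit checker for the request and runs the secure-access filters.
         *
         * <p>Decisions, in order:
         * <ol>
         *   <li>ERROR dispatches skip the access check after the error attributes are adjusted.</li>
         *   <li>The original URL (servlet path, path info and query string) is stored under
         *       {@code ORIGINAL_URL}.</li>
         *   <li>A checker already stored on the request is reused.</li>
         *   <li>If setup is not complete, a {@code NoCheckAnnotatedPermitChecker} is stored and
         *       the chain runs without an access check.</li>
         *   <li>Otherwise a {@code DefaultAnnotatedPermitChecker} is built from the current
         *       authentication, stored on the request, and enforced.</li>
         * </ol>
         *
         * <p>The checker local is declared as {@code AnnotatedPermitChecker}. The decompiled
         * listing declared it as {@code DefaultAnnotatedPermitChecker} and then assigned an
         * {@code AnnotatedPermitChecker}-typed cast to it, which the decompiler itself flagged
         * as a failed type inference.
         *
         * <p>NOTE(review): the stored checker is trusted whenever the request attribute is
         * present, presumably on a later FORWARD or INCLUDE dispatch of the same request.
         * Confirm that no code running before this filter can set that attribute.
         *
         * @throws IOException if a filter in the chain fails on I/O
         * @throws ServletException if a filter in the chain fails
         */
        protected void doFilter(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
            if (httpServletRequest.getDispatcherType().equals(DispatcherType.ERROR)) {
                handleErrorDispatching(httpServletRequest, httpServletResponse);
                logger.debug("Skip access check for error page");
                runFilterChainWithNoAccessCheck(httpServletRequest, httpServletResponse, filterChain);
                return;
            }
            httpServletRequest.setAttribute(ORIGINAL_URL, httpServletRequest.getServletPath() + (httpServletRequest.getPathInfo() == null ? "" : httpServletRequest.getPathInfo()) + (httpServletRequest.getQueryString() == null ? "" : "?" + httpServletRequest.getQueryString()));
            final AnnotatedPermitChecker permitChecker;
            final Object storedChecker = httpServletRequest.getAttribute("3af_annotated_permitted_checker");
            if (storedChecker != null) {
                permitChecker = (AnnotatedPermitChecker) storedChecker;
            } else if (BootstrapUtils.getBootstrapManager() == null || !BootstrapUtils.getBootstrapManager().isSetupComplete()) {
                // Fail-open during setup: every later dispatch of this request reuses the no-op checker.
                httpServletRequest.setAttribute("3af_annotated_permitted_checker", new NoCheckAnnotatedPermitChecker());
                logger.debug("Setup is not complete. We dont do access check");
                runFilterChainWithNoAccessCheck(httpServletRequest, httpServletResponse, filterChain);
                return;
            } else {
                logger.debug("Apply access check for sub sequence filters");
                permitChecker = new DefaultAnnotatedPermitChecker(SecurityContextHolder.getContext().getAuthentication(), !SystemProperty.DEFAULT_ENDPOINT_TO_LICENSED_ACCESS.getTypedValue());
                httpServletRequest.setAttribute("3af_annotated_permitted_checker", permitChecker);
            }
            Filter bambooSecureServletAccessFilter = new BambooSecureServletAccessFilter(permitChecker);
            // NOTE(review): the returned list is mutated. Confirm getFilter() returns a fresh list per call rather than a shared one.
            List<Filter> filter = this.secureAccessFilterService.getFilter(getPath(httpServletRequest), httpServletRequest.getDispatcherType());
            filter.add(bambooSecureServletAccessFilter);
            new SecureAccessFilterChain(filterChain, filter, permitChecker).doFilter(httpServletRequest, httpServletResponse);
        }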

        /**
         * Adjusts request attributes and the response status for an ERROR dispatch.
         *
         * <p>The Seraph original-URL attribute is replaced by the URL saved under
         * {@code ORIGINAL_URL} when a saved URL exists and the Seraph value is either absent
         * or points at {@code NOT_PERMITTED_ERROR_PATH}. The status is then set to 401 for an
         * {@code AuthorisationException} and to 200 for a {@code NotAuthenticatedException}.
         *
         * <p>NOTE(review): the saved URL is built from the request path and query string.
         * Confirm that whatever later redirects to the Seraph original URL treats it as a
         * local path only.
         *
         * @param httpServletRequest the error-dispatched request
         * @param httpServletResponse the response whose status may be overridden
         */
        private void handleErrorDispatching(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
            final Object failure = httpServletRequest.getAttribute("javax.servlet.error.exception");
            final String seraphUrl = (String) httpServletRequest.getAttribute("atlassian.core.seraph.original.url");
            final String savedUrl = (String) httpServletRequest.getAttribute(ORIGINAL_URL);
            final boolean seraphUrlReplaceable = seraphUrl == null || seraphUrl.contains(NOT_PERMITTED_ERROR_PATH);
            if (seraphUrlReplaceable && savedUrl != null) {
                httpServletRequest.setAttribute("atlassian.core.seraph.original.url", savedUrl);
            }
            if (failure instanceof AuthorisationException) {
                httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            }
            if (failure instanceof NotAuthenticatedException) {
                httpServletResponse.setStatus(HttpServletResponse.SC_OK);
            }
        }

        /**
         * Runs the secure-access filters registered for the request path with a
         * {@code NoCheckAnnotatedPermitChecker}, so no access check is enforced. In this class
         * it is used for ERROR dispatches and while setup is incomplete.
         *
         * @throws IOException if a filter in the chain fails on I/O
         * @throws ServletException if a filter in the chain fails
         */
        private void runFilterChainWithNoAccessCheck(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
            final String path = getPath(httpServletRequest);
            final List<Filter> pathFilters = this.secureAccessFilterService.getFilter(path, httpServletRequest.getDispatcherType());
            final SecureAccessFilterChain uncheckedChain = new SecureAccessFilterChain(filterChain, pathFilters, new NoCheckAnnotatedPermitChecker());
            uncheckedChain.doFilter(httpServletRequest, httpServletResponse);
        }

        /**
         * Builds the path used to look up secure-access filters: the servlet path followed by
         * the path info, both as reported by {@code RequestUtil}.
         *
         * <p>NOTE(review): access filters are selected by this string. Confirm that it is
         * normalised the same way as the path the container uses for dispatch, for example
         * with respect to path parameters and encoded characters.
         *
         * @param httpServletRequest the incoming request
         * @return servlet path concatenated with path info
         */
        public static String getPath(HttpServletRequest httpServletRequest) {
            final String servletPath = RequestUtil.getServletPath(httpServletRequest);
            final String pathInfo = RequestUtil.getPathInfo(httpServletRequest);
            return servletPath + pathInfo;
        }
    }).mapping(EnumSet.of(DispatcherType.ASYNC, DispatcherType.REQUEST, DispatcherType.FORWARD, DispatcherType.INCLUDE, DispatcherType.ERROR), UrlPattern.ALL_URLS));

    private final ServletContextRegistrar registrar;

    /**
     * Creates an enum constant backed by the given registrar.
     *
     * @param servletContextRegistrar registrar that installs this constant's filter
     */
    ServletFilters(ServletContextRegistrar servletContextRegistrar) {
        this.registrar = servletContextRegistrar;
    }

    /**
     * Creates an enum constant from a filter builder by building its registrar.
     *
     * @param builder filter registration builder; {@code build()} is called once
     */
    ServletFilters(ServletFilterRegistrar.Builder builder) {
        this(builder.build());
    }

    /**
     * Registers every filter in this enum with the servlet context, in declaration order.
     *
     * <p>NOTE(review): declaration order presumably determines filter-chain order. The
     * authentication and access-check filters depend on that order, so re-ordering constants
     * is a security-relevant change.
     *
     * @param servletContext context that receives the filters
     * @throws ServletException if a registrar fails to register its filter
     */
    public static void registerAll(ServletContext servletContext) throws ServletException {
        final ServletFilters[] declared = values();
        for (int i = 0; i < declared.length; i++) {
            declared[i].registrar.register(servletContext);
        }
    }
}
