package com.atlassian.bamboo.filter;

import com.atlassian.annotations.security.UnrestrictedAccess;
import com.atlassian.bamboo.security.AnnotatedPermitChecker;
import com.atlassian.bamboo.security.DefaultAnnotatedPermitChecker;
import com.atlassian.bamboo.user.BambooRemoteUserUtils;
import com.atlassian.bamboo.util.RedirectUtils;
import com.atlassian.bamboo.utils.SystemProperty;
import com.atlassian.core.filters.AbstractHttpFilter;
import com.atlassian.sal.core.permission.AccessType;
import java.io.IOException;
import java.util.List;
import java.util.function.Supplier;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRegistration;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.acegisecurity.Authentication;
import org.acegisecurity.context.SecurityContextHolder;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.struts2.dispatcher.servlet.StrutsServlet;
import org.jetbrains.annotations.NotNull;
import org.jfree.chart.servlet.DisplayChart;

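/**
 * Servlet-level access gate. For every request the filter resolves the target servlet's class and
 * continues the chain only when that class is on {@link #ALLOW_LIST} or when the configured
 * {@link AnnotatedPermitChecker} permits it for the current {@link Authentication}. A denied request
 * never reaches the servlet: it gets {@code 401} when a remote username is present, otherwise a
 * redirect to the login page.
 *
 * <p>The filter fails closed: if the servlet name, its registration or its class cannot be resolved,
 * a {@link ServletException} is thrown and the chain is not continued.
 */
@UnrestrictedAccess
/* loaded from: input_file:com/atlassian/bamboo/filter/BambooSecureServletAccessFilter.class */
public class BambooSecureServletAccessFilter extends AbstractHttpFilter {
    private static final Logger log = LogManager.getLogger(BambooSecureServletAccessFilter.class);

    // Servlet classes that bypass the permit check entirely; they must enforce their own access rules.
    private static final List<Class<?>> ALLOW_LIST = List.of(DisplayChart.class, StrutsServlet.class);

    // Decides, from the servlet class's annotations, whether the current authentication may access it.
    private final AnnotatedPermitChecker permitChecker;

    /**
     * Creates a filter backed by the given checker (intended for injection and tests).
     *
     * @param annotatedPermitChecker the checker consulted for every servlet that is not allow-listed
     */
    public BambooSecureServletAccessFilter(AnnotatedPermitChecker annotatedPermitChecker) {
        this.permitChecker = annotatedPermitChecker;
    }

    /**
     * Creates a filter with a {@link DefaultAnnotatedPermitChecker} that reads the authentication
     * from {@link SecurityContextHolder} at check time.
     */
    public BambooSecureServletAccessFilter() {
        // The boolean is the negation of DEFAULT_ENDPOINT_TO_LICENSED_ACCESS; its meaning is defined
        // by DefaultAnnotatedPermitChecker — consult that class before changing this.
        this.permitChecker = new DefaultAnnotatedPermitChecker(
                (Supplier<Authentication>) () -> SecurityContextHolder.getContext().getAuthentication(),
                !SystemProperty.DEFAULT_ENDPOINT_TO_LICENSED_ACCESS.getTypedValue());
    }

    /**
     * Allows, denies or redirects the request based on the resolved servlet class.
     *
     * @throws ServletException if the servlet name or class cannot be resolved (request is not continued)
     * @throws IOException      propagated from the filter chain or the login redirect
     */
    @Override
    protected void doFilter(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        String servletName = getServletName(httpServletRequest);
        Class<?> servletClass = getServletClass(httpServletRequest, servletName);

        if (ALLOW_LIST.contains(servletClass)) {
            log.trace("{} is on the allow list - request allowed", servletClass);
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }

        // Guarded so the access-type lookup is not computed on every request when trace is off.
        if (log.isTraceEnabled()) {
            log.trace("Servlet {} requires {} access", servletName, AccessType.getAccessType(servletClass, "", new Class[0]));
        }

        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (this.permitChecker.verifyIsPermitted(servletClass)) {
            log.trace("{} has sufficient authority to access servlet {} - request allowed", getPrincipalName(authentication), servletName);
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }

        log.debug("{} has no authority to access servlet {} - request denied", getPrincipalName(authentication), servletName);
        if (BambooRemoteUserUtils.getRemoteUsername() != null) {
            // A known remote user that is not permitted gets a bare 401 with no body written here.
            httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        } else {
            RedirectUtils.redirectToLogin(httpServletRequest, httpServletResponse, log);
        }
    }

    /**
     * Resolves the servlet class registered under {@code servletName} in the request's servlet context.
     *
     * @throws ServletException if there is no registration for the name, the registration carries no
     *                          class name, or the class cannot be loaded
     */
    @NotNull
    private Class<?> getServletClass(HttpServletRequest httpServletRequest, String servletName) throws ServletException {
        // getServletRegistration returns null for an unknown name; fail closed instead of NPE-ing.
        ServletRegistration registration = httpServletRequest.getServletContext().getServletRegistration(servletName);
        if (registration == null) {
            throw new ServletException("No servlet registration found for servlet name " + servletName);
        }
        String className = registration.getClassName();
        if (className == null) {
            throw new ServletException("Servlet registration for " + servletName + " has no class name");
        }
        try {
            return Class.forName(className);
        } catch (ClassNotFoundException e) {
            throw new ServletException("Failed to load servlet class for class name " + className, e);
        }
    }

    /** Name used in log lines for the current principal; a placeholder when there is no authentication. */
    private String getPrincipalName(Authentication authentication) {
        return authentication == null ? "[not authenticated]" : authentication.getName();
    }

    /**
     * Reads the servlet name from the request's servlet mapping.
     *
     * @throws ServletException if the mapping cannot be read or yields no servlet name
     */
    private String getServletName(HttpServletRequest httpServletRequest) throws ServletException {
        String servletName;
        try {
            servletName = httpServletRequest.getHttpServletMapping().getServletName();
        } catch (Throwable th) {
            // Deliberately broad: anything going wrong here (including linkage errors from the
            // Servlet 4.0 mapping API, presumably) must surface as a ServletException so the
            // request is denied rather than dispatched.
            throw new ServletException("Servlet name could not be established.", th);
        }
        if (servletName == null) {
            throw new ServletException("Servlet name could not be established: mapping has no servlet name.");
        }
        return servletName;
    }
}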
