package com.atlassian.seraph.filter;

import com.atlassian.bamboo.accesstoken.AccessToken;
import com.atlassian.bamboo.accesstoken.AccessTokenAnalyticsService;
import com.atlassian.bamboo.accesstoken.AccessTokenService;
import com.atlassian.bamboo.security.AccessTokenContextHolder;
import com.atlassian.bamboo.spring.EventuallyAutowired;
import com.atlassian.bamboo.spring.EventuallyAutowiredSupport;
import com.atlassian.bamboo.user.BambooUser;
import com.atlassian.bamboo.user.BambooUserManager;
import com.atlassian.seraph.auth.LoginReason;
import java.io.IOException;
import java.util.Optional;
import javax.inject.Inject;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang3.StringUtils;
import org.apache.log4j.Logger;

/* loaded from: input_file:com/atlassian/seraph/filter/AccessTokenLoginFilter.class */
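/**
 * Seraph login filter that authenticates requests carrying a personal access token
 * in an {@code Authorization: Bearer <token>} header.
 *
 * <p>A successful token login is deliberately stateless: {@link #login} puts the
 * principal into the session and marks it with {@link #AUTHORIZED_BY_TOKEN}, and
 * {@link #doFilter} invalidates any session carrying that marker once the chain has
 * run, so a token-authenticated session never outlives its request. The
 * {@link AccessTokenContextHolder} is cleared at the same point.
 *
 * <p>Collaborators are injected lazily via {@link EventuallyAutowired}, because the
 * filter is constructed by the servlet container before the Spring context exists.
 * Only fixed messages are logged here; the token value itself is never written to
 * the log.
 */
public class AccessTokenLoginFilter extends BaseLoginFilter {
    /** Session attribute marking a session as created by a token login (invalidated after the request). */
    public static final String AUTHORIZED_BY_TOKEN = "authByAccessToken";
    /** Session attribute holding the {@code AccessToken} the principal was authenticated with. */
    public static final String ACCESS_TOKEN = "accessToken";
    private static final Logger log = Logger.getLogger(AccessTokenLoginFilter.class);
    private static final String BEARER = "Bearer";
    private static final String BASIC = "Basic";
    private static final String AUTHORIZATION_HEADER = "Authorization";
    /** Seraph's own session attributes; set so the default authenticator sees the principal. */
    private static final String SERAPH_USER_ATTRIBUTE = "seraph_defaultauthenticator_user";
    private static final String SERAPH_LOGGED_OUT_USER_ATTRIBUTE = "seraph_defaultauthenticator_logged_out_user";
    /** Backdoor REST calls are excluded from basic-auth analytics so test traffic does not skew the counters. */
    private static final String BACKDOOR_PATH_PREFIX = "/rest/backdoor/";

    @EventuallyAutowired
    private EventuallyAvailable eventuallyAvailable;

    /**
     * Holder for the Spring-managed services the filter depends on. Kept as a separate
     * object so it can be wired in once the application context is up (see
     * {@link #init}). Left {@code public} because it is instantiated by the injection
     * support rather than by this class.
     */
    public static class EventuallyAvailable {

        @Inject
        private AccessTokenService accessTokenService;

        @Inject
        private BambooUserManager bambooUserManager;

        @Inject
        private AccessTokenAnalyticsService accessTokenAnalyticsService;

        private EventuallyAvailable() {
        }

        public AccessTokenService getAccessTokenService() {
            return this.accessTokenService;
        }

        public BambooUserManager getBambooUserManager() {
            return this.bambooUserManager;
        }

        public AccessTokenAnalyticsService getAccessTokenAnalyticsService() {
            return this.accessTokenAnalyticsService;
        }
    }

    /**
     * Initialises the Seraph base filter and registers this instance for deferred
     * injection of {@link #eventuallyAvailable} from the servlet context.
     *
     * @param filterConfig container-supplied filter configuration
     */
    @Override
    public void init(FilterConfig filterConfig) {
        super.init(filterConfig);
        EventuallyAutowiredSupport.processInjectionBasedOnServletContext(this, filterConfig.getServletContext());
    }

    /**
     * Runs the Seraph login filter chain and, whether or not it completes normally,
     * clears the access-token context and tears down any session created by a token
     * login. The cleanup is in {@code finally} so it also runs when the chain throws.
     *
     * @param servletRequest  incoming request; must be an {@link HttpServletRequest}
     * @param servletResponse outgoing response
     * @param filterChain     remainder of the filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        try {
            super.doFilter(servletRequest, servletResponse, filterChain);
        } finally {
            AccessTokenContextHolder.clearContext();
            invalidateSession(httpServletRequest);
        }
    }

    /**
     * Attempts a personal-access-token login for the request.
     *
     * <p>Stamps the request/response with {@link LoginReason#OK} on success or
     * {@link LoginReason#AUTHENTICATED_FAILED} otherwise, and returns the Seraph
     * result string the base filter expects.
     *
     * @param httpServletRequest  request whose {@code Authorization} header is inspected
     * @param httpServletResponse response to stamp with the login reason
     * @return {@code "success"} if a bearer token authenticated a user, {@code "failed"} otherwise
     */
    @Override
    public String login(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        recordAuthenticationTry(httpServletRequest);
        boolean authenticated = false;

        Optional<String> bearerToken = getBearerToken(httpServletRequest);
        if (!bearerToken.isPresent()) {
            log.debug("Could not find personal access token in request header");
        } else {
            log.debug("Try to authenticate with personal access token...");
            Optional<? extends AccessToken> authenticate =
                    this.eventuallyAvailable.getAccessTokenService().authenticate(bearerToken.get());
            if (!authenticate.isPresent()) {
                log.debug("Authentication finished with failure");
            } else {
                BambooUser bambooUser = this.eventuallyAvailable.getBambooUserManager().getBambooUser(authenticate.get());
                // A valid token whose owner can no longer be resolved is treated as a failed
                // login rather than letting a null principal reach the session (NPE below).
                if (bambooUser == null) {
                    log.debug("Authentication finished with failure");
                } else {
                    authenticated = true;
                    putPrincipalInSessionContext(httpServletRequest, bambooUser);
                    log.debug("Authentication finished with success");
                }
            }
        }

        if (authenticated) {
            LoginReason.OK.stampRequestResponse(httpServletRequest, httpServletResponse);
            return "success";
        }
        LoginReason.AUTHENTICATED_FAILED.stampRequestResponse(httpServletRequest, httpServletResponse);
        return "failed";
    }

    /**
     * Bumps the analytics counter matching the authentication scheme on the request:
     * bearer-token attempts always, basic-auth attempts unless the request targets the
     * backdoor REST API. Requests with neither scheme are not counted.
     *
     * @param httpServletRequest request whose {@code Authorization} header is inspected
     */
    private void recordAuthenticationTry(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader(AUTHORIZATION_HEADER);
        AccessTokenAnalyticsService analytics = this.eventuallyAvailable.getAccessTokenAnalyticsService();
        if (StringUtils.startsWith(header, BEARER)) {
            analytics.incrementTokenAuthenticationCount();
            return;
        }
        boolean isBasic = StringUtils.startsWith(header, BASIC);
        boolean isBackdoor = StringUtils.startsWith(httpServletRequest.getServletPath(), BACKDOOR_PATH_PREFIX);
        if (isBasic && !isBackdoor) {
            analytics.incrementBasicAuthenticationCount();
        }
    }

    /**
     * Extracts the credential from a {@code Bearer} {@code Authorization} header.
     *
     * <p>The scheme must be followed by whitespace: a header consisting of the bare word
     * {@code Bearer} previously caused {@code substring()} to throw
     * {@link StringIndexOutOfBoundsException} out of the filter, and {@code Bearerxyz}
     * matched the scheme while silently discarding the first character of the credential.
     * An empty credential is reported as absent so it is logged and stamped as a normal
     * failed attempt instead of being handed to the token service.
     *
     * @param httpServletRequest request to read the header from
     * @return the trimmed token, or empty if the header is missing, not a bearer header,
     *         or carries no credential
     */
    private Optional<String> getBearerToken(HttpServletRequest httpServletRequest) {
        String header = StringUtils.defaultString(httpServletRequest.getHeader(AUTHORIZATION_HEADER)).trim();
        boolean hasBearerScheme = header.length() > BEARER.length()
                && header.startsWith(BEARER)
                && Character.isWhitespace(header.charAt(BEARER.length()));
        if (!hasBearerScheme) {
            return Optional.empty();
        }
        String token = header.substring(BEARER.length()).trim();
        return token.isEmpty() ? Optional.empty() : Optional.of(token);
    }

    /**
     * Installs the authenticated user as the Seraph principal for this request's session
     * and marks the session as token-authenticated so {@link #invalidateSession} tears it
     * down after the chain. Also publishes the token to {@link AccessTokenContextHolder}
     * for code further down the chain.
     *
     * @param httpServletRequest request whose session is populated (created if absent)
     * @param bambooUser         user resolved from the authenticated access token
     */
    protected void putPrincipalInSessionContext(HttpServletRequest httpServletRequest, BambooUser bambooUser) {
        HttpSession session = httpServletRequest.getSession();
        AccessToken accessToken = bambooUser.getAccessToken();
        session.setAttribute(SERAPH_USER_ATTRIBUTE, bambooUser);
        // Clear any stale logged-out marker so Seraph does not treat the principal as logged out.
        session.setAttribute(SERAPH_LOGGED_OUT_USER_ATTRIBUTE, (Object) null);
        session.setAttribute(AUTHORIZED_BY_TOKEN, true);
        session.setAttribute(ACCESS_TOKEN, accessToken);
        AccessTokenContextHolder.setContext(new AccessTokenContextHolder.AccessTokenContext(accessToken));
    }

    /**
     * Invalidates the request's session if, and only if, it was created by a token
     * login. Sessions established by other means are left untouched, and no session is
     * created just to check the marker.
     *
     * @param httpServletRequest request whose existing session (if any) is examined
     */
    protected void invalidateSession(HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession(false);
        if (session != null && session.getAttribute(AUTHORIZED_BY_TOKEN) != null) {
            session.invalidate();
        }
    }
}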
