package com.atlassian.crowd.manager.application;

import com.atlassian.crowd.embedded.api.PasswordCredential;
import com.atlassian.crowd.embedded.spi.DcLicenseChecker;
import com.atlassian.crowd.event.user.UserAuthenticatedByEmailAddressEvent;
import com.atlassian.crowd.event.user.UserAuthenticationFailedInvalidAuthenticationEvent;
import com.atlassian.crowd.event.user.UserEmailAuthenticationDuplicatedEmailEvent;
import com.atlassian.crowd.exception.ExpiredCredentialException;
import com.atlassian.crowd.exception.InactiveAccountException;
import com.atlassian.crowd.exception.InvalidAuthenticationException;
import com.atlassian.crowd.exception.OperationFailedException;
import com.atlassian.crowd.exception.UserNotFoundException;
import com.atlassian.crowd.model.application.Application;
import com.atlassian.crowd.model.authentication.UserAuthenticationContext;
import com.atlassian.crowd.model.user.User;
import com.atlassian.crowd.validator.EmailAddressValidator;
import com.atlassian.event.api.EventPublisher;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/atlassian/crowd/manager/application/AllowingAuthenticateByEmailApplicationService.class */
/**
 * Application service decorator that retries a failed username login by treating the supplied
 * identifier as an email address.
 *
 * <p>The email fallback runs only when all of the following hold:
 * <ul>
 *   <li>the superclass's {@code authenticateUser} threw {@link UserNotFoundException};</li>
 *   <li>{@code application.isAuthenticationViaEmailEnabled()} returns {@code true};</li>
 *   <li>{@code dcLicenseChecker.isDcLicense()} returns {@code true};</li>
 *   <li>the identifier passes {@code emailValidator.isValidSyntax};</li>
 *   <li>{@code canonicalUsersByEmailFinder} resolves it to exactly one canonical username.</li>
 * </ul>
 * In every other case the original {@link UserNotFoundException} instance is rethrown, so the
 * exception raised by this class is the same for "not an email", "no owner" and "several owners".
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Exceptions from the second (email-resolved) attempt propagate unchanged.
 *       {@link InvalidAuthenticationException} exposes {@code getUsername()}, so on this path it
 *       may carry the resolved canonical username rather than the email the caller typed.
 *       NOTE(review): confirm callers do not echo that value to unauthenticated clients.</li>
 *   <li>Debug statements log the caller-supplied identifier (and the matched username) verbatim,
 *       and the failure path logs the username at info level. NOTE(review): confirm the log
 *       layout encodes CR/LF in these values and that log retention treats them as personal
 *       data.</li>
 *   <li>Three events are published for audit consumers: success via email, ambiguous email
 *       ownership, and invalid credentials on the email path.</li>
 * </ul>
 */
public class AllowingAuthenticateByEmailApplicationService extends AbstractDelegatingApplicationService {
    private static final Logger logger = LoggerFactory.getLogger(AllowingAuthenticateByEmailApplicationService.class);
    private final EmailAddressValidator emailValidator;
    private final EventPublisher eventPublisher;
    private final CanonicalUsersByEmailFinder canonicalUsersByEmailFinder;
    private final DcLicenseChecker dcLicenseChecker;

    /**
     * Creates the decorator.
     *
     * @param applicationService the service handed to the superclass constructor
     * @param emailAddressValidator syntax check applied before any lookup by email
     * @param eventPublisher sink for the authentication events published by this class
     * @param canonicalUsersByEmailFinder resolves an email address to canonical usernames
     * @param dcLicenseChecker licence gate consulted before the email fallback is attempted
     */
    public AllowingAuthenticateByEmailApplicationService(ApplicationService applicationService, EmailAddressValidator emailAddressValidator, EventPublisher eventPublisher, CanonicalUsersByEmailFinder canonicalUsersByEmailFinder, DcLicenseChecker dcLicenseChecker) {
        super(applicationService);
        this.emailValidator = emailAddressValidator;
        this.eventPublisher = eventPublisher;
        this.canonicalUsersByEmailFinder = canonicalUsersByEmailFinder;
        this.dcLicenseChecker = dcLicenseChecker;
    }

    /**
     * Authenticates with {@code str} as a username first and falls back to an email lookup only
     * when the user is not found and the fallback is permitted for this application.
     *
     * @param application the application the login is performed against
     * @param str the identifier supplied by the caller (username, or possibly an email address)
     * @param passwordCredential the credential to verify
     * @return the authenticated user
     * @throws UserNotFoundException if the username attempt fails and the fallback is not
     *     permitted or does not resolve to exactly one user
     */
    @Override
    public User authenticateUser(Application application, String str, PasswordCredential passwordCredential) throws OperationFailedException, InactiveAccountException, InvalidAuthenticationException, ExpiredCredentialException, UserNotFoundException {
        try {
            logger.debug("Trying to authenticate user in application '{}' by treating '{}' as username", application.getName(), str);
            return super.authenticateUser(application, str, passwordCredential);
        } catch (UserNotFoundException notFound) {
            if (isEmailFallbackAllowed(application)) {
                logger.debug("User with username '{}' not found in application '{}'. Trying to authenticate by treating '{}' as email", str, application.getName(), str);
                return tryToLoginByEmail(application, passwordCredential, str, notFound);
            }
            // Fallback disabled: surface the original failure untouched.
            throw notFound;
        }
    }

    /**
     * Context-based variant of the username-then-email login; the identifier is read from
     * {@code userAuthenticationContext.getName()}.
     *
     * @param application the application the login is performed against
     * @param userAuthenticationContext the authentication context carrying the identifier
     * @return the authenticated user
     * @throws UserNotFoundException if the username attempt fails and the fallback is not
     *     permitted or does not resolve to exactly one user
     */
    @Override
    public User authenticateUser(Application application, UserAuthenticationContext userAuthenticationContext) throws OperationFailedException, InactiveAccountException, InvalidAuthenticationException, ExpiredCredentialException, UserNotFoundException {
        String name = userAuthenticationContext.getName();
        try {
            logger.debug("Trying to authenticate user in application '{}' by treating '{}' as username - with user authentication context defined", application.getName(), name);
            return super.authenticateUser(application, userAuthenticationContext);
        } catch (UserNotFoundException notFound) {
            if (isEmailFallbackAllowed(application)) {
                logger.debug("User with username '{}' not found in application '{}'. Trying to authenticate by treating '{}' as email", name, application.getName(), name);
                return tryToLoginByEmail(application, userAuthenticationContext, notFound);
            }
            // Fallback disabled: surface the original failure untouched.
            throw notFound;
        }
    }

    /**
     * Tells whether the email fallback may be attempted. The application flag is checked first
     * and the licence check is skipped when the flag is off.
     */
    private boolean isEmailFallbackAllowed(Application application) {
        return application.isAuthenticationViaEmailEnabled() && this.dcLicenseChecker.isDcLicense();
    }

    /**
     * Re-runs the context-based login under the single canonical username that owns the email.
     * Publishes a success event only after the superclass call returns; on invalid credentials
     * the failure is reported through {@link #maybePublishEvent} and rethrown.
     */
    private User tryToLoginByEmail(Application application, UserAuthenticationContext context, UserNotFoundException original) throws InvalidAuthenticationException, OperationFailedException, InactiveAccountException, ExpiredCredentialException, UserNotFoundException {
        try {
            String canonicalName = getCanonicalOwners(application, context.getName(), original).get(0);
            UserAuthenticationContext resolvedContext = context.withName(canonicalName);
            User authenticated = super.authenticateUser(application, resolvedContext);
            this.eventPublisher.publish(new UserAuthenticatedByEmailAddressEvent());
            return authenticated;
        } catch (InvalidAuthenticationException badCredentials) {
            maybePublishEvent(badCredentials);
            throw badCredentials;
        }
    }

    /**
     * Re-runs the password login under the single canonical username that owns the email.
     * Publishes a success event only after the superclass call returns; on invalid credentials
     * the failure is reported through {@link #maybePublishEvent} and rethrown.
     */
    private User tryToLoginByEmail(Application application, PasswordCredential credential, String email, UserNotFoundException original) throws InvalidAuthenticationException, OperationFailedException, InactiveAccountException, ExpiredCredentialException, UserNotFoundException {
        try {
            String canonicalName = getCanonicalOwners(application, email, original).get(0);
            User authenticated = super.authenticateUser(application, canonicalName, credential);
            this.eventPublisher.publish(new UserAuthenticatedByEmailAddressEvent());
            return authenticated;
        } catch (InvalidAuthenticationException badCredentials) {
            maybePublishEvent(badCredentials);
            throw badCredentials;
        }
    }

    /**
     * Resolves an email address to the canonical username that owns it.
     *
     * <p>The returned list always holds exactly one element. A syntactically invalid address,
     * an address with no owner and an address with several owners all end in the same
     * {@code original} exception being thrown; only the ambiguous case additionally publishes
     * {@link UserEmailAuthenticationDuplicatedEmailEvent}.
     *
     * @param application the application whose users are searched
     * @param candidateEmail the caller-supplied identifier to treat as an email address
     * @param original the exception from the failed username attempt, rethrown on rejection
     * @return a one-element list with the owning canonical username
     * @throws UserNotFoundException {@code original}, when the address is rejected
     */
    private List<String> getCanonicalOwners(Application application, String candidateEmail, UserNotFoundException original) throws UserNotFoundException {
        if (!this.emailValidator.isValidSyntax(candidateEmail)) {
            logger.debug("'{}' is not a valid email. We will not try to authenticate user in app '{}' by email", candidateEmail, application.getName());
            throw original;
        }
        List<String> owners = this.canonicalUsersByEmailFinder.findCanonicalUsersByEmail(application, candidateEmail);
        if (owners.isEmpty()) {
            logger.debug("There are no users owning '{}' email in app '{}'. Rejecting authentication", candidateEmail, application.getName());
            throw original;
        }
        if (owners.size() > 1) {
            // Ambiguous ownership: refuse rather than pick one of the accounts.
            logger.debug("There is more than one user in app '{}' who owns '{}' email. Rejecting authentication.", application.getName(), candidateEmail);
            this.eventPublisher.publish(new UserEmailAuthenticationDuplicatedEmailEvent());
            throw original;
        }
        logger.debug("Matched email '{}' to username '{}'. Trying to authenticate user", candidateEmail, owners.get(0));
        return owners;
    }

    /**
     * Logs and publishes an invalid-credentials event for the email path, but only when the
     * exception carries both a directory and a username; otherwise it does nothing.
     */
    private void maybePublishEvent(InvalidAuthenticationException failure) {
        if (failure.getDirectory() != null && failure.getUsername() != null) {
            // Info-level record of the failed attempt; includes the username and directory name.
            logger.info("Invalid credentials for user '{}' in directory '{}', aborting", failure.getUsername(), failure.getDirectory().getName());
            this.eventPublisher.publish(new UserAuthenticationFailedInvalidAuthenticationEvent(this, failure.getDirectory(), failure.getUsername()));
        }
    }
}
