package com.atlassian.stash.internal.spring.security;

import com.atlassian.plugin.PluginAccessor;
import com.atlassian.stash.Product;
import com.atlassian.stash.auth.HttpAuthenticationContext;
import com.atlassian.stash.auth.HttpAuthenticationHandler;
import com.atlassian.stash.auth.HttpAuthenticationHandlerModuleDescriptor;
import com.atlassian.stash.exception.NoSuchUserException;
import com.atlassian.stash.i18n.I18nService;
import com.atlassian.stash.i18n.KeyedMessage;
import com.atlassian.stash.internal.annotation.Profiled;
import com.atlassian.stash.internal.auth.CaptchaResponse;
import com.atlassian.stash.internal.user.CaptchaService;
import com.atlassian.stash.internal.user.CaptchaTicket;
import com.atlassian.stash.internal.user.InternalPermissionService;
import com.atlassian.stash.internal.user.StashUserAuthenticationToken;
import com.atlassian.stash.user.AuthenticationSystemException;
import com.atlassian.stash.user.CaptchaAuthenticationException;
import com.atlassian.stash.user.InactiveUserAuthenticationException;
import com.atlassian.stash.user.NoAccessAuthenticationException;
import com.atlassian.stash.user.Permission;
import com.atlassian.stash.user.StashUser;
import com.atlassian.stash.util.ModuleDescriptorUtils;
import com.atlassian.stash.util.Timer;
import com.atlassian.stash.util.TimerUtils;
import com.atlassian.stash.util.UncheckedOperation;
import com.google.common.collect.Lists;
import java.util.ArrayList;
import java.util.Collections;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.stereotype.Component;

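/**
 * Spring Security {@link AuthenticationProvider} that delegates HTTP authentication to the
 * enabled {@link HttpAuthenticationHandler} plugin modules.
 *
 * <p>Handlers are tried in the order produced by sorting their module descriptors. The first
 * handler that returns a non-null {@link StashUser} ends the search. The resulting token is
 * returned only if the user holds {@link Permission#LICENSED_USER}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The CAPTCHA gate is applied only when the descriptor reports
 *       {@code isCaptchaSupported()} and the request carries a non-blank username together
 *       with a non-empty {@code String} credential. Every other handler invocation runs
 *       without it.</li>
 *   <li>A handler that throws an unexpected {@link RuntimeException} is logged and skipped,
 *       and the next handler is tried.</li>
 *   <li>Typed authentication failures abort the loop immediately and are translated into
 *       Spring Security exceptions.</li>
 * </ul>
 */
@Component("authenticationProvider")
/* loaded from: input_file:WEB-INF/classes/com/atlassian/stash/internal/spring/security/PluginAuthenticationProvider.class */
public class PluginAuthenticationProvider implements AuthenticationProvider {
    /** Name of the request parameter that carries the user's CAPTCHA answer. */
    private static final String CAPTCHA = "captcha";
    private static final Logger log = LoggerFactory.getLogger(PluginAuthenticationProvider.class);
    private final CaptchaService captchaService;
    private final I18nService i18nService;
    private final InternalPermissionService permissionService;
    private final PluginAccessor pluginAccessor;

    /**
     * Creates the provider with its collaborating services.
     *
     * @param captchaService checks CAPTCHA answers and wraps guarded authentication attempts
     * @param i18nService builds the localized "not licensed" message
     * @param internalPermissionService used to verify {@link Permission#LICENSED_USER}
     * @param pluginAccessor source of the enabled authentication handler descriptors
     */
    @Autowired
    public PluginAuthenticationProvider(CaptchaService captchaService, I18nService i18nService, InternalPermissionService internalPermissionService, PluginAccessor pluginAccessor) {
        this.captchaService = captchaService;
        this.i18nService = i18nService;
        this.permissionService = internalPermissionService;
        this.pluginAccessor = pluginAccessor;
    }

    /**
     * Authenticates the request wrapped in an {@code HttpAuthenticationContextToken}.
     *
     * @param authentication the token to authenticate; it is cast to
     *     {@code HttpAuthenticationContextToken}, which {@link #supports(Class)} advertises
     * @return a token for the authenticated, licensed user, or {@code null} when no handler
     *     produced a user
     * @throws AuthenticationException when a handler rejects the attempt, or (as
     *     {@link DisabledException}) when the user lacks {@link Permission#LICENSED_USER}
     */
    @Override
    @Profiled
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        StashUser user = attemptAuthentication(((HttpAuthenticationContextToken) authentication).getContext());
        if (user == null) {
            return null;
        }
        StashUserAuthenticationToken token = StashUserAuthenticationToken.forUser(user);
        // Successful credentials are not enough: the token is withheld unless the licence check passes.
        if (!this.permissionService.hasGlobalPermission(token, Permission.LICENSED_USER)) {
            KeyedMessage notLicensed = this.i18nService.createKeyedMessage("stash.web.auth.notlicensed", Product.NAME);
            throw new DisabledException(notLicensed.getRootMessage(), new NoAccessAuthenticationException(notLicensed));
        }
        return token;
    }

    /**
     * Reports whether this provider handles the given token type.
     *
     * @param cls the authentication token class
     * @return {@code true} for {@code HttpAuthenticationContextToken} and its subclasses
     */
    @Override
    public boolean supports(Class<?> cls) {
        return HttpAuthenticationContextToken.class.isAssignableFrom(cls);
    }

    /**
     * Runs the enabled handlers in sorted order until one returns a user.
     *
     * <p>Failure mapping: {@link NoSuchUserException} and the generic Stash
     * {@code AuthenticationException} become {@link BadCredentialsException};
     * {@link AuthenticationSystemException} becomes {@link AuthenticationServiceException};
     * {@link CaptchaAuthenticationException} becomes {@link LockedException};
     * {@link InactiveUserAuthenticationException} becomes {@link DisabledException}.
     *
     * @param context the HTTP authentication context of the current request
     * @return the authenticated user, or {@code null} if no handler returned one
     */
    private StashUser attemptAuthentication(final HttpAuthenticationContext context) {
        CaptchaResponse captchaResponse = extractCaptchaResponse(context);
        StashUser user = null;
        // The CAPTCHA answer is checked at most once per request; the ticket is shared by all handlers.
        CaptchaTicket captchaTicket = null;
        for (HttpAuthenticationHandlerModuleDescriptor descriptor : getSortedAuthenticationModuleDescriptors()) {
            String handlerKey = descriptor.getCompleteKey();
            // try-with-resources closes the timer exactly once on every path. The decompiled
            // form closed it twice when the module could not be instantiated and contained
            // unreachable branches that dereferenced a null Throwable.
            try (Timer ignored = TimerUtils.start("attemptAuthentication - " + handlerKey)) {
                final HttpAuthenticationHandler handler = instantiateModule(descriptor);
                if (handler == null) {
                    log.debug("not attempting authentication with authenticator {} because it could not be instantiated", handlerKey);
                } else {
                    log.debug("attempting authentication with authenticator {}", handlerKey);
                    UncheckedOperation<StashUser> attempt = new UncheckedOperation<StashUser>() {
                        @Override
                        /* renamed from: perform */
                        public StashUser mo1438perform() {
                            return handler.authenticate(context);
                        }
                    };
                    try {
                        if (descriptor.isCaptchaSupported() && isCredentialsProvided(context)) {
                            if (captchaTicket == null) {
                                captchaTicket = this.captchaService.checkCaptcha(context.getUsername(), captchaResponse);
                            }
                            user = this.captchaService.authenticateWithCaptcha(captchaTicket, attempt);
                        } else {
                            // NOTE(review): this path bypasses the CAPTCHA gate. Confirm that every
                            // handler verifying passwords declares CAPTCHA support in its descriptor.
                            user = attempt.mo1438perform();
                        }
                    } catch (NoSuchUserException e) {
                        log.debug("Authentication for {} failed - User not found", handlerKey);
                        // NOTE(review): the handler's message travels on the exception. Confirm the
                        // login response does not surface it, or unknown-user and wrong-password
                        // outcomes become distinguishable to the client.
                        throw new BadCredentialsException(e.getLocalizedMessage(), e);
                    } catch (AuthenticationSystemException e) {
                        // NOTE(review): the username is request-supplied. Confirm the log encoder
                        // escapes CR/LF so a crafted name cannot forge log lines.
                        log.warn("Could not authenticate {}; authentication by {} failed", context.getUsername(), handlerKey, e);
                        throw new AuthenticationServiceException(e.getLocalizedMessage(), e);
                    } catch (CaptchaAuthenticationException e) {
                        log.debug("Authentication for {} failed - CAPTCHA required", handlerKey);
                        throw new LockedException(e.getLocalizedMessage(), e);
                    } catch (InactiveUserAuthenticationException e) {
                        log.debug("Authentication for {} failed - User is inactive", handlerKey);
                        throw new DisabledException(e.getLocalizedMessage(), e);
                    } catch (com.atlassian.stash.user.AuthenticationException e) {
                        log.debug("Authentication for {} failed - Bad credentials", handlerKey);
                        throw new BadCredentialsException(e.getLocalizedMessage(), e);
                    } catch (RuntimeException e) {
                        // Deliberate best-effort: a misbehaving plugin must not block the other handlers.
                        log.warn("Authenticator '{}' threw an exception", handlerKey, e);
                    }
                    if (user != null) {
                        break;
                    }
                }
            }
        }
        return user;
    }

    /**
     * Builds the CAPTCHA response from the existing session id and the {@code captcha}
     * request parameter.
     *
     * @param context the HTTP authentication context of the current request
     * @return the response, or {@code null} when there is no session id or no non-blank answer
     */
    private CaptchaResponse extractCaptchaResponse(HttpAuthenticationContext context) {
        // getSession(false): never create a session just to look up a CAPTCHA.
        HttpSession session = context.getRequest().getSession(false);
        String sessionId = session == null ? null : session.getId();
        String answer = StringUtils.trimToNull(context.getRequest().getParameter(CAPTCHA));
        if (StringUtils.isEmpty(sessionId) || answer == null) {
            return null;
        }
        return new CaptchaResponse(sessionId, answer);
    }

    /**
     * Returns the enabled authentication handler descriptors in their natural sort order.
     *
     * @return a freshly allocated, sorted list of descriptors
     */
    private Iterable<HttpAuthenticationHandlerModuleDescriptor> getSortedAuthenticationModuleDescriptors() {
        // Copy before sorting so the plugin accessor's own collection is never mutated.
        ArrayList<HttpAuthenticationHandlerModuleDescriptor> descriptors =
                Lists.newArrayList(this.pluginAccessor.getEnabledModuleDescriptorsByClass(HttpAuthenticationHandlerModuleDescriptor.class));
        Collections.sort(descriptors);
        return descriptors;
    }

    /**
     * Resolves the handler module behind a descriptor.
     *
     * @param descriptor the module descriptor to resolve
     * @return the handler; callers treat {@code null} as "could not be instantiated"
     */
    private HttpAuthenticationHandler instantiateModule(HttpAuthenticationHandlerModuleDescriptor descriptor) {
        return (HttpAuthenticationHandler) ModuleDescriptorUtils.toModule().apply(descriptor);
    }

    /**
     * Reports whether the request carries username/password style credentials.
     *
     * @param context the HTTP authentication context of the current request
     * @return {@code true} when the username is non-blank and the credentials are a non-empty
     *     {@code String}
     */
    private boolean isCredentialsProvided(HttpAuthenticationContext context) {
        Object credentials = context.getCredentials();
        return StringUtils.isNotBlank(context.getUsername())
                && credentials instanceof String
                && StringUtils.isNotEmpty((String) credentials);
    }
}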
