package com.atlassian.stash.internal.spring.security;

import com.atlassian.stash.internal.user.StashUserAuthenticationToken;
import com.atlassian.stash.user.StashUser;
import com.atlassian.stash.user.UserService;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang.ObjectUtils;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.util.matcher.RequestMatcher;

/* loaded from: input_file:WEB-INF/classes/com/atlassian/stash/internal/spring/security/HttpSessionSecurityContextRepository.class */
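/**
 * {@link SecurityContextRepository} that keeps only the authenticated user's id in the HTTP session.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The session never holds the {@link Authentication} object itself, only the principal's id
 *       under {@link #STASH_SECURITY_CONTEXT_KEY}.</li>
 *   <li>{@link #loadContext} looks the user up again through {@link UserService} on every call and
 *       requires {@code isActive()}, so a session whose user has been removed or deactivated yields
 *       an unauthenticated context.</li>
 *   <li>Requests that carry a Basic {@code Authorization} header are never persisted; any id already
 *       stored in the session is removed for such a request.</li>
 *   <li>A new session is created only when the supplied {@link RequestMatcher} matches and the
 *       response is not yet committed.</li>
 * </ul>
 *
 * <p>NOTE(review): this class does not rotate the session id when an id is first stored. Presumably
 * session-fixation protection is configured elsewhere in the filter chain; confirm.
 */
public class HttpSessionSecurityContextRepository implements SecurityContextRepository {
    /** Session attribute under which the authenticated user's id is stored. */
    public static final String STASH_SECURITY_CONTEXT_KEY = "STASH_SECURITY_CONTEXT";

    /** Prefix of a Basic {@code Authorization} header value (scheme name plus the separating space). */
    private static final String BASIC_SCHEME_PREFIX = "Basic ";

    private final RequestMatcher canCreateHttpSessionMatcher;
    private final UserService userService;

    /**
     * @param requestMatcher decides for which requests {@link #saveContext} may create a new session
     * @param userService    used by {@link #loadContext} to resolve the stored id back to a user
     */
    public HttpSessionSecurityContextRepository(RequestMatcher requestMatcher, UserService userService) {
        this.canCreateHttpSessionMatcher = requestMatcher;
        this.userService = userService;
    }

    /**
     * Synchronises the session attribute with the authentication held by {@code securityContext}.
     *
     * <ul>
     *   <li>No authentication: the stored id is removed from an existing session; no session is created.</li>
     *   <li>{@link StashUserAuthenticationToken} with a principal, not a Basic-auth request: the
     *       principal's id is stored, unless the same id is already present.</li>
     *   <li>{@link StashUserAuthenticationToken} with no principal, or a Basic-auth request: any
     *       stored id is removed.</li>
     *   <li>Any other {@link Authentication} type: the session is left untouched.</li>
     * </ul>
     */
    @Override
    public void saveContext(SecurityContext securityContext, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Authentication authentication = securityContext.getAuthentication();
        if (authentication == null) {
            // Logged out / never logged in: clear the marker but do not create a session just for that.
            HttpSession existingSession = httpServletRequest.getSession(false);
            if (existingSession != null) {
                existingSession.removeAttribute(STASH_SECURITY_CONTEXT_KEY);
            }
            return;
        }
        if (!(authentication instanceof StashUserAuthenticationToken)) {
            // NOTE(review): an id already stored in the session is neither refreshed nor removed on
            // this path; confirm that is intended for other token types.
            return;
        }

        // Creating a session after the response is committed cannot set the cookie, hence the guard.
        boolean mayCreateSession = this.canCreateHttpSessionMatcher.matches(httpServletRequest)
                && !httpServletResponse.isCommitted();
        HttpSession session = httpServletRequest.getSession(mayCreateSession);
        if (session == null) {
            return;
        }

        StashUser principal = ((StashUserAuthenticationToken) authentication).getPrincipal();
        Object storedId = session.getAttribute(STASH_SECURITY_CONTEXT_KEY);
        if (principal == null || isBasicAuth(httpServletRequest)) {
            // Per-request credentials must not turn into a session-bound identity.
            if (storedId != null) {
                session.removeAttribute(STASH_SECURITY_CONTEXT_KEY);
            }
            return;
        }
        // Skip the write when nothing changed.
        if (!ObjectUtils.equals(storedId, principal.getId())) {
            session.setAttribute(STASH_SECURITY_CONTEXT_KEY, principal.getId());
        }
    }

    /**
     * Builds a fresh context for the request. The context is authenticated only if the session
     * holds an {@code Integer} id, {@link UserService} resolves it, and the user is active.
     *
     * @return a new context, never {@code null}; without authentication if any check fails
     */
    @Override
    public SecurityContext loadContext(HttpRequestResponseHolder httpRequestResponseHolder) {
        SecurityContextImpl context = new SecurityContextImpl();
        Integer authenticationId = getAuthenticationId(httpRequestResponseHolder.getRequest());
        if (authenticationId == null) {
            return context;
        }
        // Resolve the id on every load so that account removal or deactivation takes effect
        // on the next request instead of living on with the session.
        StashUser user = this.userService.getUserById(authenticationId.intValue());
        if (user != null && user.isActive()) {
            context.setAuthentication(StashUserAuthenticationToken.forUser(user));
        }
        return context;
    }

    /**
     * Reads the stored user id from an existing session without creating one.
     *
     * @return the id, or {@code null} if there is no session or the attribute is absent or not an
     *         {@code Integer}
     */
    private Integer getAuthenticationId(HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession(false);
        if (session == null) {
            return null;
        }
        Object stored = session.getAttribute(STASH_SECURITY_CONTEXT_KEY);
        return stored instanceof Integer ? (Integer) stored : null;
    }

    /**
     * Reports whether the session holds a user id. This only checks presence: the user is not
     * looked up here, so {@code true} does not guarantee that {@link #loadContext} will return an
     * authenticated context.
     */
    @Override
    public boolean containsContext(HttpServletRequest httpServletRequest) {
        return getAuthenticationId(httpServletRequest) != null;
    }

    /**
     * Reports whether the request carries a Basic {@code Authorization} header.
     *
     * <p>HTTP authentication scheme names are case-insensitive (RFC 7235), so the prefix is matched
     * ignoring case. A case-sensitive match would treat {@code "basic ..."} as a non-Basic request,
     * and {@link #saveContext} would then store the id in the session if an upstream authenticator
     * accepted that spelling (whether one does is not visible from this class).
     */
    private static boolean isBasicAuth(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("Authorization");
        return header != null
                && header.regionMatches(true, 0, BASIC_SCHEME_PREFIX, 0, BASIC_SCHEME_PREFIX.length());
    }
}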
