package com.atlassian.bitbucket.internal.accesstokens.auth;

import com.atlassian.bitbucket.auth.ExpiredPasswordAuthenticationException;
import com.atlassian.bitbucket.auth.InactiveUserAuthenticationException;
import com.atlassian.bitbucket.i18n.I18nService;
import com.atlassian.bitbucket.internal.accesstokens.AccessToken;
import com.atlassian.bitbucket.internal.accesstokens.AccessTokenExpiryHelper;
import com.atlassian.bitbucket.internal.accesstokens.AccessTokenGenerator;
import com.atlassian.bitbucket.internal.accesstokens.AccessTokenSettingsService;
import com.atlassian.bitbucket.internal.accesstokens.AuthenticateAccessTokenRequest;
import com.atlassian.bitbucket.internal.accesstokens.DateProvider;
import com.atlassian.bitbucket.internal.accesstokens.SimpleAccessToken;
import com.atlassian.bitbucket.internal.accesstokens.dao.AccessTokenDao;
import com.atlassian.bitbucket.server.FeatureManager;
import com.atlassian.bitbucket.server.StandardFeature;
import com.atlassian.bitbucket.user.ApplicationUser;
import com.atlassian.bitbucket.user.NoSuchUserException;
import com.atlassian.bitbucket.user.UserService;
import com.atlassian.bitbucket.user.UserType;
import com.atlassian.sal.api.transaction.TransactionTemplate;
import java.util.Date;
import java.util.Objects;
import java.util.Optional;
import javax.annotation.Nonnull;
import org.apache.commons.lang3.time.DateUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

/**
 * Default {@link AccessTokenAuthenticationService}: resolves a presented access token to its
 * stored record and owning user.
 *
 * <p>Every lookup runs inside {@link TransactionTemplate#execute}. The presented token is compared
 * against the stored hashed token by {@link AccessTokenGenerator}; this class never logs the
 * presented token string, only the token id derived from it.
 */
@Component
public class DefaultAccessTokenAuthenticationService implements AccessTokenAuthenticationService {
    private static final Logger log = LoggerFactory.getLogger(DefaultAccessTokenAuthenticationService.class);

    private final AccessTokenDao accessTokenDao;
    private final AccessTokenGenerator accessTokenGenerator;
    private final AccessTokenSettingsService accessTokenSettingsService;
    private final DateProvider dateProvider;
    private final FeatureManager featureManager;
    private final I18nService i18nService;
    private final TransactionTemplate transactionTemplate;
    private final UserService userService;

    @Autowired
    DefaultAccessTokenAuthenticationService(
            AccessTokenDao accessTokenDao,
            AccessTokenGenerator accessTokenGenerator,
            AccessTokenSettingsService accessTokenSettingsService,
            DateProvider dateProvider,
            FeatureManager featureManager,
            I18nService i18nService,
            TransactionTemplate transactionTemplate,
            UserService userService) {
        this.accessTokenDao = accessTokenDao;
        this.accessTokenGenerator = accessTokenGenerator;
        this.accessTokenSettingsService = accessTokenSettingsService;
        this.dateProvider = dateProvider;
        this.featureManager = featureManager;
        this.i18nService = i18nService;
        this.transactionTemplate = transactionTemplate;
        this.userService = userService;
    }

    /**
     * Authenticates the token carried by the request.
     *
     * <p>Order of checks, which is security-relevant and should be preserved when editing:
     * <ol>
     *   <li>the token must pass {@code isValidToken}, otherwise the result is empty;</li>
     *   <li>a stored token with the derived id must exist, otherwise the result is empty;</li>
     *   <li>the presented token must match the stored hashed token, otherwise the result is empty;</li>
     *   <li>if the request names a user, that user's id must equal the token's user id, otherwise
     *       a warning is logged and the result is empty;</li>
     *   <li>only then are expiry, user existence, the service-user feature flag and the user's
     *       active state evaluated, each of which fails with an exception.</li>
     * </ol>
     * Because the exception paths sit behind step 3, they are reachable only by a caller whose
     * token matched the stored hash.
     *
     * @param authenticateAccessTokenRequest the request holding the token and, optionally, the
     *        user the caller expects the token to belong to
     * @return the authenticated token, or empty when any of steps 1-4 rejects the request
     * @throws NullPointerException if the request is {@code null}
     * @throws ExpiredPasswordAuthenticationException if the token's effective expiry has passed
     * @throws NoSuchUserException if the request names no user and the token's user id cannot be
     *         loaded
     * @throws InactiveUserAuthenticationException if the token's user is not active
     */
    @Nonnull
    @Override
    public Optional<AccessToken> authenticate(@Nonnull AuthenticateAccessTokenRequest authenticateAccessTokenRequest) {
        Objects.requireNonNull(authenticateAccessTokenRequest, "request");

        final String rawToken = authenticateAccessTokenRequest.getToken();
        if (!accessTokenGenerator.isValidToken(rawToken)) {
            return Optional.empty();
        }

        final String tokenId = accessTokenGenerator.getId(rawToken);
        return transactionTemplate.execute(() -> accessTokenDao.getById(tokenId).map(storedToken -> {
            // Returning null from the mapper makes Optional.map() yield an empty Optional.
            boolean secretMatches = accessTokenGenerator.authenticateToken(rawToken, storedToken.getHashedToken());
            if (!secretMatches) {
                return null;
            }

            Optional<ApplicationUser> requestUser = authenticateAccessTokenRequest.getUser();
            if (requestUser.isPresent()) {
                ApplicationUser claimedUser = requestUser.get();
                if (claimedUser.getId() != storedToken.getUserId()) {
                    // Logs the token id, not the presented token string.
                    log.warn("The user provided on the request ({}) does not match the user associated with token {} ({})", claimedUser, tokenId, storedToken.getUserId());
                    return null;
                }
            }

            // Instance-wide maximum expiry; null when no maximum is configured.
            Integer maxExpiryDays = accessTokenSettingsService.getMaxExpiry().orElse(null);
            if (hasExpired(storedToken.getCreatedDate(), storedToken.getExpiryDays(), maxExpiryDays)) {
                throw new ExpiredPasswordAuthenticationException(i18nService.createKeyedMessage("bitbucket.access.tokens.error.expired"));
            }

            // Prefer the user supplied on the request (already matched by id above); otherwise
            // load the token's owner from the user service.
            ApplicationUser tokenOwner;
            if (requestUser.isPresent()) {
                tokenOwner = requestUser.get();
            } else {
                tokenOwner = userService.getUserById(storedToken.getUserId());
                if (tokenOwner == null) {
                    throw new NoSuchUserException(i18nService.createKeyedMessage("bitbucket.access.tokens.error.nosuchuser", storedToken.getUserId()), "id:" + storedToken.getUserId());
                }
            }

            if (tokenOwner.getType() == UserType.SERVICE) {
                // NOTE(review): presumably rejects the request when the feature is disabled; the
                // failure mode of requireEnabled is not visible in this file.
                featureManager.requireEnabled(StandardFeature.PROJECT_REPO_ACCESS_TOKENS);
            }

            if (!userService.isUserActive(tokenOwner)) {
                log.info("User \"{}\" attempted to authenticate via a personal access token, but is no longer active in the underlying user directory. The request has been blocked.", tokenOwner.getName());
                throw new InactiveUserAuthenticationException(i18nService.createKeyedMessage("bitbucket.access.tokens.error.inactive"));
            }

            // Record the successful authentication before handing the token back.
            accessTokenDao.updateLastAuthenticated(storedToken, dateProvider.getDate());
            Integer effectiveExpiryDays = AccessTokenExpiryHelper.getEffectiveExpiryDays(storedToken.getExpiryDays(), maxExpiryDays);
            return new SimpleAccessToken.Builder(storedToken, tokenOwner, effectiveExpiryDays).build();
        }));
    }

    /**
     * Looks up a token by id without authenticating anything.
     *
     * <p>No token secret is presented or verified here, and neither expiry nor the owner's active
     * state is checked. A non-empty result only shows that a token with this id exists and its
     * user could be loaded; callers must not treat it as proof of authentication.
     *
     * @param str the token id
     * @return the stored token with its user, or empty when the id is unknown or the user cannot
     *         be loaded
     * @throws NullPointerException if {@code str} is {@code null}
     */
    @Nonnull
    @Override
    public Optional<AccessToken> unAuthenticatedGetById(@Nonnull String str) {
        Objects.requireNonNull(str, "tokenId");
        return transactionTemplate.execute(() -> accessTokenDao.getById(str).flatMap(storedToken -> {
            ApplicationUser tokenOwner = userService.getUserById(storedToken.getUserId());
            if (tokenOwner == null) {
                return Optional.empty();
            }
            Integer effectiveExpiryDays = AccessTokenExpiryHelper.getEffectiveExpiryDays(
                    storedToken.getExpiryDays(), accessTokenSettingsService.getMaxExpiry().orElse(null));
            return Optional.of(new SimpleAccessToken.Builder(storedToken, tokenOwner, effectiveExpiryDays).build());
        }));
    }

    /**
     * Reports whether a token created on {@code createdDate} is past its effective expiry.
     *
     * @param createdDate when the token was created
     * @param tokenExpiryDays the token's own expiry in days, as stored
     * @param maxExpiryDays the configured maximum expiry in days, or {@code null}
     * @return {@code true} when an effective expiry exists and creation date plus that many days
     *         is before the current date; {@code false} when there is no effective expiry
     */
    private boolean hasExpired(Date createdDate, Integer tokenExpiryDays, Integer maxExpiryDays) {
        Integer effectiveExpiryDays = AccessTokenExpiryHelper.getEffectiveExpiryDays(tokenExpiryDays, maxExpiryDays);
        if (effectiveExpiryDays == null) {
            // No effective expiry means the token never expires by age.
            return false;
        }
        Date expiresAt = DateUtils.addDays(createdDate, effectiveExpiryDays);
        return expiresAt.before(dateProvider.getDate());
    }
}
