package com.atlassian.bitbucket.internal.crowd.sso;

import com.atlassian.bitbucket.Product;
import com.atlassian.bitbucket.auth.ExpiredAuthenticationException;
import com.atlassian.bitbucket.auth.ExpiredPasswordAuthenticationException;
import com.atlassian.bitbucket.auth.HttpAuthenticationContext;
import com.atlassian.bitbucket.auth.HttpAuthenticationHandler;
import com.atlassian.bitbucket.auth.HttpAuthenticationSuccessContext;
import com.atlassian.bitbucket.auth.HttpAuthenticationSuccessHandler;
import com.atlassian.bitbucket.auth.HttpLogoutHandler;
import com.atlassian.bitbucket.auth.InactiveUserAuthenticationException;
import com.atlassian.bitbucket.auth.IncorrectPasswordAuthenticationException;
import com.atlassian.bitbucket.crowd.sso.CrowdSsoService;
import com.atlassian.bitbucket.i18n.I18nService;
import com.atlassian.bitbucket.i18n.KeyedMessage;
import com.atlassian.bitbucket.user.ApplicationUser;
import com.atlassian.bitbucket.user.UserService;
import com.atlassian.crowd.exception.ApplicationAccessDeniedException;
import com.atlassian.crowd.exception.ApplicationPermissionException;
import com.atlassian.crowd.exception.CrowdException;
import com.atlassian.crowd.exception.ExpiredCredentialException;
import com.atlassian.crowd.exception.InactiveAccountException;
import com.atlassian.crowd.exception.InvalidAuthenticationException;
import com.atlassian.crowd.exception.InvalidTokenException;
import com.atlassian.crowd.exception.OperationFailedException;
import com.atlassian.crowd.exception.PermissionException;
import com.atlassian.crowd.integration.http.CrowdHttpAuthenticator;
import com.atlassian.crowd.model.user.User;
import java.io.IOException;
import javax.annotation.Nonnull;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/atlassian/bitbucket/internal/crowd/sso/CrowdSsoAuthenticationHandler.class */
public class CrowdSsoAuthenticationHandler implements HttpAuthenticationHandler, HttpAuthenticationSuccessHandler, HttpLogoutHandler {
    static final String KEY_CROWD_SSO_AUTHENTICATED = "stash.auth.crowd.sso.authenticated";
    private static final Logger log = LoggerFactory.getLogger(CrowdSsoAuthenticationHandler.class);
    private final I18nService i18nService;
    private final CrowdSsoService ssoService;
    private final UserService userService;
    private volatile int logsSuppressed = 0;

    public CrowdSsoAuthenticationHandler(I18nService i18nService, CrowdSsoService crowdSsoService, UserService userService) {
        this.i18nService = i18nService;
        this.ssoService = crowdSsoService;
        this.userService = userService;
    }

    public ApplicationUser authenticate(@Nonnull HttpAuthenticationContext httpAuthenticationContext) {
        HttpServletRequest request = httpAuthenticationContext.getRequest();
        CrowdHttpAuthenticator authenticator = this.ssoService.getAuthenticator();
        if (authenticator == null) {
            log.debug("Skipping Crowd SSO as it is not enabled");
            return null;
        }
        if ("basic".equals(httpAuthenticationContext.getMethod())) {
            log.debug("Skipping Crowd SSO as the request is using BASIC authentication");
            return null;
        }
        if (!this.ssoService.isSsoCandidate(request)) {
            log.debug("Skipping Crowd SSO as the request is using a domain which is not configured for SSO. Domain: {}", request.getServerName());
            return null;
        }
        String username = httpAuthenticationContext.getUsername();
        String str = httpAuthenticationContext.getCredentials() instanceof String ? (String) httpAuthenticationContext.getCredentials() : null;
        User user = null;
        try {
            try {
                if (StringUtils.isBlank(username) || StringUtils.isEmpty(str)) {
                    if (authenticator.getToken(request) != null && !authenticator.isAuthenticated(request, httpAuthenticationContext.getResponse())) {
                        clearRemoteSsoSession(request, httpAuthenticationContext.getResponse());
                        return null;
                    }
                    user = authenticator.getUser(request);
                } else if (this.ssoService.isManagedBySso(username)) {
                    user = authenticator.authenticate(request, httpAuthenticationContext.getResponse(), username, str);
                } else {
                    log.debug("Bypassing SSO for non-Crowd user {}", username);
                }
                if (user == null) {
                    return null;
                }
                request.getSession().setAttribute(KEY_CROWD_SSO_AUTHENTICATED, authenticator.getToken(request));
                return this.userService.getUserByName(user.getName());
            } catch (ApplicationPermissionException | OperationFailedException e) {
                logThrottled("Authentication with remote Crowd server failed.", e);
                return null;
            }
        } catch (InvalidTokenException e2) {
            clearRemoteSsoSession(request, httpAuthenticationContext.getResponse());
            return null;
        } catch (InactiveAccountException e3) {
            throw new InactiveUserAuthenticationException(inactiveAccount());
        } catch (InvalidAuthenticationException e4) {
            throw new IncorrectPasswordAuthenticationException(invalidCredentials());
        } catch (ExpiredCredentialException e5) {
            throw new ExpiredPasswordAuthenticationException(passwordExpired());
        } catch (ApplicationAccessDeniedException e6) {
            throw new InactiveUserAuthenticationException(noAccess());
        }
    }

    public void logout(@Nonnull ApplicationUser applicationUser, @Nonnull HttpServletRequest httpServletRequest, @Nonnull HttpServletResponse httpServletResponse) {
        HttpSession session;
        CrowdHttpAuthenticator authenticator = this.ssoService.getAuthenticator();
        if (authenticator == null || (session = httpServletRequest.getSession(false)) == null || session.getAttribute(KEY_CROWD_SSO_AUTHENTICATED) == null) {
            return;
        }
        session.removeAttribute(KEY_CROWD_SSO_AUTHENTICATED);
        try {
            authenticator.logout(httpServletRequest, httpServletResponse);
        } catch (CrowdException | PermissionException e) {
            if (log.isDebugEnabled()) {
                log.debug("Could not log out " + applicationUser.getName() + " in remote Crowd {}", e);
            } else {
                log.info("Could not log out {} in remote Crowd {}", applicationUser.getName(), e.getMessage());
            }
        }
    }

    public boolean onAuthenticationSuccess(@Nonnull HttpAuthenticationSuccessContext httpAuthenticationSuccessContext) throws ServletException, IOException {
        String name = httpAuthenticationSuccessContext.getUser().getName();
        if (isAuthenticatedByCrowdSso(httpAuthenticationSuccessContext) || !this.ssoService.isManagedBySso(name)) {
            return false;
        }
        try {
            this.ssoService.getAuthenticator().authenticateWithoutValidatingPassword(httpAuthenticationSuccessContext.getRequest(), httpAuthenticationSuccessContext.getResponse(), name);
            return false;
        } catch (Exception e) {
            log.info("Could not create SSO session for user {}: {}", httpAuthenticationSuccessContext.getUsername(), e.getMessage());
            log.debug("Error while authenticating for Crowd SSO", e);
            return false;
        }
    }

    public void validateAuthentication(@Nonnull HttpAuthenticationContext httpAuthenticationContext) {
        if (isAuthenticatedByCrowdSso(httpAuthenticationContext)) {
            CrowdHttpAuthenticator authenticator = this.ssoService.getAuthenticator();
            if (authenticator != null) {
                String token = authenticator.getToken(httpAuthenticationContext.getRequest());
                String authenticatedToken = getAuthenticatedToken(httpAuthenticationContext.getRequest());
                if (token != null && token.equals(authenticatedToken) && isAuthenticatedRemotely(authenticator, httpAuthenticationContext.getRequest(), httpAuthenticationContext.getResponse())) {
                    return;
                } else {
                    log.debug("Token is no longer valid token: {} session token: {}", token, authenticatedToken);
                }
            }
            logoutUser(httpAuthenticationContext);
            throw new ExpiredAuthenticationException(tokenExpired());
        }
    }

    private KeyedMessage inactiveAccount() {
        return this.i18nService.createKeyedMessage("bitbucket.auth.crowd.sso.inactive.account", new Object[0]);
    }

    private KeyedMessage invalidCredentials() {
        return this.i18nService.createKeyedMessage("bitbucket.auth.failed", new Object[0]);
    }

    private KeyedMessage tokenExpired() {
        return this.i18nService.createKeyedMessage("bitbucket.auth.crowd.sso.token.expired", new Object[0]);
    }

    private KeyedMessage noAccess() {
        return this.i18nService.createKeyedMessage("bitbucket.auth.crowd.sso.no.permission", new Object[]{Product.NAME});
    }

    private KeyedMessage passwordExpired() {
        return this.i18nService.createKeyedMessage("bitbucket.auth.crowd.sso.credentials.expired", new Object[0]);
    }

    private void clearRemoteSsoSession(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        CrowdHttpAuthenticator authenticator = this.ssoService.getAuthenticator();
        if (authenticator != null) {
            try {
                authenticator.logout(httpServletRequest, httpServletResponse);
            } catch (Exception e) {
                log.debug("An error occurred during Crowd SSO logout", e);
            }
        }
    }

    private String getAuthenticatedToken(HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession(false);
        if (session != null) {
            return (String) session.getAttribute(KEY_CROWD_SSO_AUTHENTICATED);
        }
        return null;
    }

    private boolean isAuthenticatedRemotely(CrowdHttpAuthenticator crowdHttpAuthenticator, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            return crowdHttpAuthenticator.isAuthenticated(httpServletRequest, httpServletResponse);
        } catch (OperationFailedException e) {
            if (log.isDebugEnabled()) {
                log.debug("Failed to validate SSO session", e);
                return false;
            }
            log.info("Failed to validate SSO session {}", e.getMessage());
            return false;
        }
    }

    private boolean isAuthenticatedByCrowdSso(HttpAuthenticationContext httpAuthenticationContext) {
        HttpSession session = httpAuthenticationContext.getRequest().getSession(false);
        return (session == null || session.getAttribute(KEY_CROWD_SSO_AUTHENTICATED) == null) ? false : true;
    }

    private void logThrottled(String str, Exception exc) {
        int i = this.logsSuppressed + 1;
        this.logsSuppressed = i;
        if (i % 100 != 1) {
            log.debug(str, exc);
        } else {
            this.logsSuppressed = 1;
            log.warn(str, exc);
        }
    }

    private void logoutUser(HttpAuthenticationContext httpAuthenticationContext) {
        HttpServletRequest request = httpAuthenticationContext.getRequest();
        HttpServletResponse response = httpAuthenticationContext.getResponse();
        request.getSession().removeAttribute(KEY_CROWD_SSO_AUTHENTICATED);
        this.userService.unauthenticate();
        clearRemoteSsoSession(request, response);
    }
}
