package com.atlassian.seraph.filter;

import com.atlassian.security.auth.trustedapps.ApplicationCertificate;
import com.atlassian.security.auth.trustedapps.CurrentApplication;
import com.atlassian.security.auth.trustedapps.DefaultEncryptedCertificate;
import com.atlassian.security.auth.trustedapps.InvalidCertificateException;
import com.atlassian.security.auth.trustedapps.TrustedApplication;
import com.atlassian.security.auth.trustedapps.TrustedApplicationsManager;
import com.atlassian.security.auth.trustedapps.UserResolver;
import com.atlassian.seraph.auth.DefaultAuthenticator;
import com.atlassian.seraph.auth.RoleMapper;
import com.atlassian.seraph.config.SecurityConfigFactory;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.security.Principal;
import java.security.PublicKey;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import org.bouncycastle.util.encoders.Base64;

/* loaded from: input_file:com/atlassian/seraph/filter/TrustedApplicationsFilter.class */
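/**
 * Servlet filter for Atlassian "trusted application" requests.
 * <p>
 * It does two things: it serves this application's own certificate (application ID and
 * Base64-encoded public key) on the {@code /admin/appTrustCertificate} path, and for every
 * other request it tries to authenticate the caller from the trusted-application request headers.
 * The outcome is reported downstream through the {@link BaseLoginFilter#OS_AUTHSTATUS_KEY}
 * request attribute and back to the calling application through the
 * {@link CurrentApplication#HEADER_TRUSTED_APP_STATUS} and
 * {@link CurrentApplication#HEADER_TRUSTED_APP_ERROR} response headers.
 * <p>
 * A trusted-application login is scoped to the single request: the session that
 * {@link #authenticate} stores the principal in is invalidated once the filter chain has run.
 */
public class TrustedApplicationsFilter implements Filter {
    private static final Logger log;

    /** Request path (relative to the context path) on which the certificate is served. */
    private static final String CERTIFICATE_PATH = "/admin/appTrustCertificate";

    /** Charset used for the certificate response body; the platform default is not guaranteed to be UTF-8. */
    private static final String CERTIFICATE_CHARSET = "UTF-8";

    private final TrustedApplicationsManager appManager;
    private final UserResolver userResolver;
    private FilterConfig filterConfig = null;

    // Synthetic cache for the pre-Java 5 class-literal idiom used by the static initializer below.
    static Class class$com$atlassian$seraph$filter$TrustedApplicationsFilter;

    /** Values written to the {@link CurrentApplication#HEADER_TRUSTED_APP_STATUS} response header. */
    private static final class Status {
        static final String ERROR = "ERROR";
        static final String OK = "OK";

        private Status() {
        }
    }

    /**
     * @param trustedApplicationsManager source of the current application and of the registered peers
     * @param userResolver maps a decoded certificate to a local {@link Principal}
     * @throws IllegalArgumentException if either argument is {@code null}
     */
    public TrustedApplicationsFilter(TrustedApplicationsManager trustedApplicationsManager, UserResolver userResolver) {
        if (trustedApplicationsManager == null) {
            throw new IllegalArgumentException("appManager");
        }
        if (userResolver == null) {
            throw new IllegalArgumentException("userResolver");
        }
        this.appManager = trustedApplicationsManager;
        this.userResolver = userResolver;
    }

    /**
     * Serves the certificate on {@link #CERTIFICATE_PATH}; otherwise attempts trusted-application
     * authentication (unless an earlier filter already recorded an authentication status), runs
     * the rest of the chain, and finally discards any session this filter logged a principal into.
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        if (getPathInfo(request).endsWith(CERTIFICATE_PATH)) {
            writeCertificate(response);
            return;
        }

        boolean loggedInHere = false;
        // Only attempt trusted-app authentication when no earlier filter has already decided the outcome.
        if (request.getAttribute(BaseLoginFilter.OS_AUTHSTATUS_KEY) == null) {
            String status = authenticate(request, response);
            if (BaseLoginFilter.LOGIN_SUCCESS.equals(status)) {
                request.setAttribute(BaseLoginFilter.OS_AUTHSTATUS_KEY, status);
                response.setHeader(CurrentApplication.HEADER_TRUSTED_APP_STATUS, Status.OK);
                loggedInHere = true;
            }
        }

        filterChain.doFilter(request, servletResponse);

        // authenticate() stored the principal in the session; that login must not outlive this request.
        if (loggedInHere && request.getSession(false) != null) {
            request.getSession().invalidate();
        }
    }

    /**
     * Writes this application's ID and its Base64-encoded public key as two lines of UTF-8 text.
     * The key is public, so this path is served without authentication.
     *
     * @throws IOException if the response stream cannot be written
     */
    private void writeCertificate(HttpServletResponse response) throws IOException {
        CurrentApplication currentApplication = this.appManager.getCurrentApplication();
        PublicKey publicKey = currentApplication.getPublicKey();
        response.setContentType("text/plain; charset=" + CERTIFICATE_CHARSET);
        // Explicit charset on both the writer and the byte->String conversion; never the platform default.
        OutputStreamWriter writer = new OutputStreamWriter(response.getOutputStream(), CERTIFICATE_CHARSET);
        writer.write(currentApplication.getID());
        writer.write("\n");
        writer.write(new String(Base64.encode(publicKey.getEncoded()), CERTIFICATE_CHARSET));
        // The container owns the response stream, so flush rather than close.
        writer.flush();
    }

    /**
     * Attempts to authenticate the request from the trusted-application headers.
     * <p>
     * On every outcome other than success (and other than "no attempt") the reason is also
     * reported to the caller via {@link #setFailureHeader}.
     *
     * @param request the request carrying the trusted-application headers
     * @param response the response the failure headers are written to
     * @return {@link BaseLoginFilter#LOGIN_NOATTEMPT} when no certificate header is present;
     *         {@link BaseLoginFilter#LOGIN_ERROR} when the ID or secret-key header is missing or the
     *         certificate does not validate; {@link BaseLoginFilter#LOGIN_FAILED} when the application
     *         or the referenced user is unknown or the user may not log in;
     *         {@link BaseLoginFilter#LOGIN_SUCCESS} when the principal was resolved and stored in the session
     */
    public String authenticate(HttpServletRequest request, HttpServletResponse response) {
        String certificate = request.getHeader(CurrentApplication.HEADER_TRUSTED_APP_CERT);
        if (isEmpty(certificate)) {
            return BaseLoginFilter.LOGIN_NOATTEMPT;
        }

        String appId = request.getHeader(CurrentApplication.HEADER_TRUSTED_APP_ID);
        if (isEmpty(appId)) {
            setFailureHeader(response, "Application ID not found in request");
            return BaseLoginFilter.LOGIN_ERROR;
        }

        String secretKey = request.getHeader(CurrentApplication.HEADER_TRUSTED_APP_SECRET_KEY);
        if (isEmpty(secretKey)) {
            setFailureHeader(response, "Secret Key not found in request");
            return BaseLoginFilter.LOGIN_ERROR;
        }

        TrustedApplication trustedApplication = this.appManager.getTrustedApplication(appId);
        if (trustedApplication == null) {
            // appId is taken verbatim from a request header and is reflected into the error response
            // header and the log; nothing here sanitizes it, so that is left to the servlet container.
            setFailureHeader(response, "Unrecognized application: " + appId);
            return BaseLoginFilter.LOGIN_FAILED;
        }

        try {
            ApplicationCertificate decoded = trustedApplication.decode(new DefaultEncryptedCertificate(appId, secretKey, certificate), request);
            Principal principal = this.userResolver.resolve(decoded);
            if (principal == null) {
                log.warn("User '" + decoded.getUserName() + "' referenced by trusted application: '" + trustedApplication.getID() + "' is not found.");
                setFailureHeader(response, "Unrecognized user");
                return BaseLoginFilter.LOGIN_FAILED;
            }
            if (!getRoleMapper().canLogin(principal, request)) {
                log.warn("User '" + decoded.getUserName() + "' referenced by trusted application: '" + trustedApplication.getID() + "' can not login.");
                setFailureHeader(response, "Permission denied");
                return BaseLoginFilter.LOGIN_FAILED;
            }
            // Record the login under the session keys DefaultAuthenticator defines;
            // doFilter() invalidates this session once the chain has run.
            request.getSession().setAttribute(DefaultAuthenticator.LOGGED_IN_KEY, principal);
            request.getSession().removeAttribute(DefaultAuthenticator.LOGGED_OUT_KEY);
            return BaseLoginFilter.LOGIN_SUCCESS;
        } catch (InvalidCertificateException e) {
            // Summary at WARN, full stack trace only at DEBUG.
            log.warn("Failed to login trusted application: " + trustedApplication.getID() + " due to: " + e);
            log.debug("Failed to login trusted application cause", e);
            setFailureHeader(response, "Invalid certificate");
            return BaseLoginFilter.LOGIN_ERROR;
        }
    }

    /**
     * @return the request URI with the servlet context path stripped off (the URI unchanged when
     *         there is no context path)
     */
    protected String getPathInfo(HttpServletRequest request) {
        String contextPath = request.getContextPath();
        String requestURI = request.getRequestURI();
        if (isEmpty(contextPath)) {
            return requestURI;
        }
        return requestURI.substring(contextPath.length());
    }

    /**
     * Reports a failed trusted-application login to the caller through the status and error
     * response headers, and logs it at INFO.
     *
     * @param response the response to write the headers to
     * @param message reason sent back in {@link CurrentApplication#HEADER_TRUSTED_APP_ERROR}
     */
    private void setFailureHeader(HttpServletResponse response, String message) {
        response.setHeader(CurrentApplication.HEADER_TRUSTED_APP_STATUS, Status.ERROR);
        response.addHeader(CurrentApplication.HEADER_TRUSTED_APP_ERROR, message);
        if (log.isInfoEnabled()) {
            // The throwable exists only so the log entry carries a stack trace to the failing check.
            log.info(message, new RuntimeException(message));
        }
    }

    /** @return {@code true} for a {@code null} or zero-length string */
    private static boolean isEmpty(String value) {
        return value == null || value.length() == 0;
    }

    /** @return the role mapper from the global security configuration; overridable for testing */
    protected RoleMapper getRoleMapper() {
        return SecurityConfigFactory.getInstance().getRoleMapper();
    }

    public void init(FilterConfig filterConfig) {
        this.filterConfig = filterConfig;
    }

    public void destroy() {
        this.filterConfig = null;
    }

    public FilterConfig getFilterConfig() {
        return this.filterConfig;
    }

    /** Delegates to {@link #init} unless the argument is {@code null}, in which case it is ignored. */
    public void setFilterConfig(FilterConfig filterConfig) {
        if (filterConfig != null) {
            init(filterConfig);
        }
    }

    /**
     * Helper for the pre-Java 5 class-literal idiom used by the static initializer.
     *
     * @throws NoClassDefFoundError (with the {@link ClassNotFoundException} as cause) if the class is absent
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            // initCause() is declared to return Throwable; cast so the method need not declare it.
            throw (NoClassDefFoundError) new NoClassDefFoundError().initCause(e);
        }
    }

    static {
        Class cls;
        if (class$com$atlassian$seraph$filter$TrustedApplicationsFilter == null) {
            cls = class$("com.atlassian.seraph.filter.TrustedApplicationsFilter");
            class$com$atlassian$seraph$filter$TrustedApplicationsFilter = cls;
        } else {
            cls = class$com$atlassian$seraph$filter$TrustedApplicationsFilter;
        }
        log = Logger.getLogger(cls);
    }
}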
