package com.atlassian.seraph.auth;

import com.atlassian.seraph.config.SecurityConfig;
import com.atlassian.seraph.config.SecurityConfigFactory;
import com.atlassian.seraph.elevatedsecurity.ElevatedSecurityGuard;
import com.atlassian.seraph.interceptor.LogoutInterceptor;
import com.atlassian.seraph.service.rememberme.RememberMeService;
import com.atlassian.seraph.util.RedirectUtils;
import com.opensymphony.user.EntityNotFoundException;
import com.opensymphony.user.User;
import com.opensymphony.user.UserManager;
import com.opensymphony.user.provider.ejb.util.Base64;
import java.io.IOException;
import java.security.Principal;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;

/* loaded from: input_file:com/atlassian/seraph/auth/DefaultAuthenticator.class */
/**
 * Default Seraph authenticator.
 *
 * <p>Resolves the current {@link Principal} from, in order: the HTTP session (when
 * the request already has one), the remember-me cookie (only when the request has no
 * session at all), and finally an HTTP Basic {@code Authorization} header when the
 * request is recognised as a basic-auth request. A successful login stores the
 * principal in the session under {@link #LOGGED_IN_KEY}; logout clears that attribute
 * and sets {@link #LOGGED_OUT_KEY} so a later session lookup reports "logged out"
 * rather than a stale principal.
 *
 * <p>Most collaborators ({@code LoginReason}, {@code RoleMapper}, the security
 * config, the user manager) are defined outside this file; comments below describe
 * only what this class does with them.
 */
public class DefaultAuthenticator extends AbstractAuthenticator {
    // Session attribute holding the logged-in Principal (null when nobody is logged in).
    public static final String LOGGED_IN_KEY = "seraph_defaultauthenticator_user";
    // Session attribute set to Boolean.TRUE on logout; its presence makes getUserFromSession return null.
    public static final String LOGGED_OUT_KEY = "seraph_defaultauthenticator_logged_out_user";
    private static final Logger log = Logger.getLogger(DefaultAuthenticator.class);
    // The configured auth type, used to decide whether a request should be treated as basic auth.
    private String basicAuthParameterName;

    /**
     * Initialises the authenticator from the security configuration.
     *
     * @param map            initialisation parameters, passed through to the superclass
     * @param securityConfig the Seraph configuration; its auth type is remembered and
     *                       later handed to {@code RedirectUtils.isBasicAuthentication}
     */
    @Override // com.atlassian.seraph.auth.AbstractAuthenticator, com.atlassian.seraph.Initable
    public void init(Map<String, String> map, SecurityConfig securityConfig) {
        if (log.isDebugEnabled()) {
            log.debug(getClass().getName() + " $Revision: 39543 $ initializing");
        }
        super.init(map, securityConfig);
        this.basicAuthParameterName = securityConfig.getAuthType();
    }

    /**
     * Checks whether the request's user holds a role, via the configured {@code RoleMapper}.
     *
     * @deprecated kept for backwards compatibility.
     * @param httpServletRequest the current request; the user is resolved by the inherited
     *                           single-argument {@code getUser} (defined outside this file)
     * @param str                the role name
     * @return whatever the role mapper reports for the resolved user
     */
    @Override // com.atlassian.seraph.auth.AbstractAuthenticator, com.atlassian.seraph.auth.Authenticator
    @Deprecated
    public boolean isUserInRole(HttpServletRequest httpServletRequest, String str) {
        return getRoleMapper().hasRole(getUser(httpServletRequest), httpServletRequest, str);
    }

    /**
     * Authenticates the username/password pair and, on success, authorises the user and
     * places it in the session.
     *
     * <p>An unknown user, a wrong password and a failed authorisation all return
     * {@code false}; only the log message differs. On every failure path a
     * remember-me cookie is removed when a response is available, as the warning
     * message below states.
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse the current response; may be {@code null}, in which
     *                            case no cookie is added or removed
     * @param str                 the username (caller-supplied; it is written to the
     *                            log verbatim — NOTE(review): confirm that is acceptable
     *                            for the log sink in use)
     * @param str2                the password; never logged by this method
     * @param z                   whether to set a remember-me cookie after a successful login
     * @return {@code true} only if the user authenticated, was authorised and is now in the session
     * @throws AuthenticatorException declared by the interface; nothing in this body throws it directly
     */
    @Override // com.atlassian.seraph.auth.AbstractAuthenticator, com.atlassian.seraph.auth.Authenticator
    public boolean login(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2, boolean z) throws AuthenticatorException {
        boolean isDebugEnabled = log.isDebugEnabled();
        Principal user = getUser(str);
        if (user == null) {
            log.info("login : '" + str + "' does not exist and cannot be authenticated.");
        } else {
            boolean authenticate = authenticate(user, str2);
            if (isDebugEnabled) {
                log.debug("login : '" + str + "' has " + (authenticate ? "been" : "not been") + " authenticated");
            }
            if (!authenticate) {
                log.info("login : '" + str + "' could not be authenticated with the given password");
            } else {
                if (authoriseUserAndEstablishSession(httpServletRequest, httpServletResponse, user)) {
                    // Success: the remember-me cookie is only written when requested and a response exists.
                    if (!z || httpServletResponse == null) {
                        return true;
                    }
                    getRememberMeService().addRememberMeCookie(httpServletRequest, httpServletResponse, str);
                    return true;
                }
                // Authenticated but not authorised: record the reason, then fall through to cookie removal.
                LoginReason.AUTHORISATION_FAILED.stampRequestResponse(httpServletRequest, httpServletResponse);
            }
        }
        // All failure paths end here; without a response there is no cookie to remove.
        if (httpServletResponse == null) {
            return false;
        }
        log.warn("login : '" + str + "' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.");
        getRememberMeService().removeRememberMeCookie(httpServletRequest, httpServletResponse);
        return false;
    }

    /**
     * Logs the current user out.
     *
     * <p>Order of operations: every {@code LogoutInterceptor.beforeLogout}, then the
     * principal is cleared from the session and {@link #LOGGED_OUT_KEY} set, then
     * {@code LoginReason.OUT} is stamped, the remember-me cookie is removed (only when a
     * response is available), and finally every {@code LogoutInterceptor.afterLogout}.
     *
     * <p>The session itself is not invalidated here — NOTE(review): confirm whether the
     * surrounding filter or the application does that.
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse the current response; may be {@code null}
     * @return always {@code true}
     * @throws AuthenticatorException declared by the interface; not thrown by this body
     */
    @Override // com.atlassian.seraph.auth.AbstractAuthenticator, com.atlassian.seraph.auth.Authenticator
    public boolean logout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticatorException {
        if (log.isDebugEnabled()) {
            log.debug("logout : Calling interceptors and clearing remember me cookie");
        }
        List<LogoutInterceptor> logoutInterceptors = getLogoutInterceptors();
        Iterator<LogoutInterceptor> it = logoutInterceptors.iterator();
        while (it.hasNext()) {
            it.next().beforeLogout(httpServletRequest, httpServletResponse);
        }
        removePrincipalFromSessionContext(httpServletRequest);
        LoginReason.OUT.stampRequestResponse(httpServletRequest, httpServletResponse);
        if (httpServletResponse != null) {
            getRememberMeService().removeRememberMeCookie(httpServletRequest, httpServletResponse);
        }
        // Same interceptor list, second pass after the session and cookie have been cleared.
        Iterator<LogoutInterceptor> it2 = logoutInterceptors.iterator();
        while (it2.hasNext()) {
            it2.next().afterLogout(httpServletRequest, httpServletResponse);
        }
        return true;
    }

    /**
     * Asks the role mapper whether {@code principal} may log in and, if so, stores it in
     * the session.
     *
     * <p>The session's principal is cleared before the check, so a failed authorisation
     * never leaves a previously stored principal in place. NOTE(review): the existing
     * session is reused rather than invalidated and re-created, i.e. the session id is
     * not rotated on login in this class; confirm session-fixation protection is handled
     * elsewhere.
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse the current response; unused in this method
     * @param principal           the already-authenticated principal
     * @return {@code true} if the principal was authorised and placed in the session
     */
    protected boolean authoriseUserAndEstablishSession(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Principal principal) {
        boolean isDebugEnabled = log.isDebugEnabled();
        String name = principal.getName();
        // Clear any previous principal first so a failed authorisation cannot keep it logged in.
        putPrincipalInSessionContext(httpServletRequest, null);
        boolean isAuthorised = isAuthorised(httpServletRequest, principal);
        if (isDebugEnabled) {
            log.debug("authoriseUser : '" + name + "' " + (isAuthorised ? "can" : "CANT") + " login according to the RoleMapper");
        }
        if (!isAuthorised) {
            return false;
        }
        putPrincipalInSessionContext(httpServletRequest, principal);
        return true;
    }

    /**
     * Delegates the "may this user log in" decision to {@code RoleMapper.canLogin}.
     *
     * @param httpServletRequest the current request
     * @param principal          the authenticated principal
     * @return the role mapper's verdict
     */
    protected boolean isAuthorised(HttpServletRequest httpServletRequest, Principal principal) {
        return getRoleMapper().canLogin(principal, httpServletRequest);
    }

    /**
     * Stores {@code principal} under {@link #LOGGED_IN_KEY} and clears
     * {@link #LOGGED_OUT_KEY}. Passing {@code null} clears the logged-in principal.
     *
     * <p>Uses the no-argument {@code getSession()}, which creates a session for the
     * request if it has none.
     *
     * @param httpServletRequest the current request
     * @param principal          the principal to store, or {@code null} to clear it
     */
    protected void putPrincipalInSessionContext(HttpServletRequest httpServletRequest, Principal principal) {
        HttpSession session = httpServletRequest.getSession();
        session.setAttribute(LOGGED_IN_KEY, principal);
        session.setAttribute(LOGGED_OUT_KEY, (Object) null);
    }

    /**
     * Clears the logged-in principal and marks the session as logged out
     * ({@link #LOGGED_OUT_KEY} = {@code Boolean.TRUE}).
     *
     * <p>The no-argument {@code getSession()} creates a session when the request has
     * none, so the null guard is normally satisfied and a "logged out" marker session
     * exists afterwards. Because {@link #getUser(HttpServletRequest, HttpServletResponse)}
     * consults the remember-me cookie only when there is no session, that marker also
     * keeps a still-present cookie from re-establishing the login on the next request.
     *
     * @param httpServletRequest the current request
     */
    protected void removePrincipalFromSessionContext(HttpServletRequest httpServletRequest) {
        if (httpServletRequest.getSession() != null) {
            httpServletRequest.getSession().setAttribute(LOGGED_IN_KEY, (Object) null);
            httpServletRequest.getSession().setAttribute(LOGGED_OUT_KEY, Boolean.TRUE);
        }
    }

    /**
     * Returns the configured role mapper.
     *
     * <p>Note this goes through {@code SecurityConfigFactory.getInstance()} rather than
     * the {@code getConfig()} accessor the other getters in this class use.
     *
     * @return the role mapper from the global security configuration
     */
    protected RoleMapper getRoleMapper() {
        return SecurityConfigFactory.getInstance().getRoleMapper();
    }

    /**
     * Looks a user up by name in the {@code UserManager}.
     *
     * @param str the username
     * @return the user, or {@code null} (after a warning) when the user manager reports
     *         {@code EntityNotFoundException}; any other exception propagates
     */
    protected Principal getUser(String str) {
        if (log.isDebugEnabled()) {
            log.debug("getUser : Looking in UserManager for '" + str + "'");
        }
        try {
            return UserManager.getInstance().getUser(str);
        } catch (EntityNotFoundException e) {
            log.warn("getUser : Could not find user '" + str + "' in UserManager : " + e);
            return null;
        }
    }

    /**
     * Checks the password against the user.
     *
     * <p>Assumes {@code principal} is the {@code com.opensymphony.user.User} returned by
     * {@link #getUser(String)}; a different {@code Principal} implementation (e.g. from an
     * overriding subclass) would fail the cast with {@code ClassCastException}.
     *
     * @param principal the user to check
     * @param str       the password
     * @return the result of {@code User.authenticate}
     */
    protected boolean authenticate(Principal principal, String str) {
        return ((User) principal).authenticate(str);
    }

    /**
     * Resolves the current user for the request.
     *
     * <p>If the request already has a session ({@code getSession(false)} is used so
     * none is created), only the session is consulted; the remember-me cookie is
     * consulted only when there is no session at all. In both cases, when nothing was
     * found and the request is a basic-auth request, the {@code Authorization} header
     * is tried last. Only the session hit stamps {@code LoginReason.OK} here; the cookie
     * and basic-auth paths stamp their own reasons.
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse the current response; passed through to the cookie and
     *                            basic-auth lookups (the basic-auth path dereferences it)
     * @return the principal, or {@code null} if none of the three sources yields one
     */
    @Override // com.atlassian.seraph.auth.AbstractAuthenticator, com.atlassian.seraph.auth.Authenticator
    public Principal getUser(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Principal userFromBasicAuthentication;
        boolean isDebugEnabled = log.isDebugEnabled();
        if (httpServletRequest.getSession(false) != null) {
            Principal userFromSession = getUserFromSession(httpServletRequest);
            if (userFromSession != null) {
                LoginReason.OK.stampRequestResponse(httpServletRequest, httpServletResponse);
                return userFromSession;
            }
        } else {
            // No session at all: the remember-me cookie is the only chance to re-establish one.
            Principal userFromCookie = getUserFromCookie(httpServletRequest, httpServletResponse);
            if (userFromCookie != null) {
                return userFromCookie;
            }
        }
        if (RedirectUtils.isBasicAuthentication(httpServletRequest, this.basicAuthParameterName) && (userFromBasicAuthentication = getUserFromBasicAuthentication(httpServletRequest, httpServletResponse)) != null) {
            return userFromBasicAuthentication;
        }
        if (!isDebugEnabled) {
            return null;
        }
        log.debug("getUser : User not found in either Session, Cookie or Basic Auth.");
        return null;
    }

    /**
     * Reads the logged-in principal from the session.
     *
     * <p>Returns {@code null} when {@link #LOGGED_OUT_KEY} is present (the user has
     * logged out), otherwise whatever is stored under {@link #LOGGED_IN_KEY}. Uses the
     * no-argument {@code getSession()}; the caller in this class only invokes it when a
     * session already exists.
     *
     * @param httpServletRequest the current request
     * @return the stored principal, or {@code null} if logged out, absent, or if reading
     *         the attribute threw (presumably a {@code ClassCastException} when the
     *         attribute is not a {@code Principal}; the failure is logged at warn level
     *         and treated as "not logged in")
     */
    protected Principal getUserFromSession(HttpServletRequest httpServletRequest) {
        boolean isDebugEnabled = log.isDebugEnabled();
        try {
            if (httpServletRequest.getSession().getAttribute(LOGGED_OUT_KEY) != null) {
                if (!isDebugEnabled) {
                    return null;
                }
                log.debug("getUserFromSession : Session found; user has already logged out. eg has LOGGED_OUT_KEY in session");
                return null;
            }
            Principal principal = (Principal) httpServletRequest.getSession().getAttribute(LOGGED_IN_KEY);
            if (isDebugEnabled) {
                if (principal == null) {
                    log.debug("getUserFromSession : Session found; BUT it has no Principal in it");
                } else {
                    log.debug("getUserFromSession : Session found; '" + principal.getName() + "' is present");
                }
            }
            return principal;
        } catch (Exception e) {
            log.warn("getUserFromSession : Exception when retrieving user from session: " + e, e);
            return null;
        }
    }

    /**
     * Re-establishes a login from the remember-me cookie.
     *
     * <p>No password check happens on this path: the username handed back by
     * {@code RememberMeService.getRememberMeCookieAuthenticatedUsername} is taken as
     * already verified — NOTE(review): that service is outside this file; confirm it
     * validates the cookie token rather than merely reading a name from it. The user is
     * then looked up, must pass the {@code ElevatedSecurityGuard} check, and must be
     * authorised by the role mapper before it is placed in the session. Every failure
     * after the lookup stamps a reason and notifies the guard of a failed attempt.
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse the current response
     * @return the authorised principal, or {@code null} when the cookie is absent/blank,
     *         the user is unknown, or either check fails
     */
    protected Principal getUserFromCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Principal user;
        boolean isDebugEnabled = log.isDebugEnabled();
        String rememberMeCookieAuthenticatedUsername = getRememberMeService().getRememberMeCookieAuthenticatedUsername(httpServletRequest, httpServletResponse);
        if (isDebugEnabled) {
            log.debug("getUserFromCookie : Got username : '" + rememberMeCookieAuthenticatedUsername + "' from cookie, attempting to authenticate user is known");
        }
        // Blank cookie username or unknown user: nothing to stamp, just no principal.
        if (!StringUtils.isNotBlank(rememberMeCookieAuthenticatedUsername) || (user = getUser(rememberMeCookieAuthenticatedUsername)) == null) {
            return null;
        }
        ElevatedSecurityGuard elevatedSecurityGuard = getElevatedSecurityGuard();
        if (!elevatedSecurityGuard.performElevatedSecurityCheck(httpServletRequest, rememberMeCookieAuthenticatedUsername)) {
            if (isDebugEnabled) {
                log.debug("getUserFromCookie : '" + rememberMeCookieAuthenticatedUsername + "' failed elevated security check");
            }
            LoginReason.AUTHENTICATION_DENIED.stampRequestResponse(httpServletRequest, httpServletResponse);
            elevatedSecurityGuard.onFailedLoginAttempt(httpServletRequest, rememberMeCookieAuthenticatedUsername);
            return null;
        }
        if (authoriseUserAndEstablishSession(httpServletRequest, httpServletResponse, user)) {
            if (isDebugEnabled) {
                log.debug("getUserFromCookie : Authenticated '" + rememberMeCookieAuthenticatedUsername + "' via Remember Me Cookie");
            }
            LoginReason.OK.stampRequestResponse(httpServletRequest, httpServletResponse);
            elevatedSecurityGuard.onSuccessfulLoginAttempt(httpServletRequest, rememberMeCookieAuthenticatedUsername);
            return user;
        }
        if (isDebugEnabled) {
            log.debug("getUserFromCookie : '" + rememberMeCookieAuthenticatedUsername + "' failed authorisation security check");
        }
        LoginReason.AUTHORISATION_FAILED.stampRequestResponse(httpServletRequest, httpServletResponse);
        elevatedSecurityGuard.onFailedLoginAttempt(httpServletRequest, rememberMeCookieAuthenticatedUsername);
        return null;
    }

    /**
     * Authenticates from an HTTP Basic {@code Authorization} header.
     *
     * <p>Without a {@code "Basic "} header the response is turned into a 401 challenge
     * ({@code WWW-Authenticate}) and {@code null} is returned. Otherwise the base64
     * payload is decoded and split at the first {@code ':'} (a password containing
     * {@code ':'} stays intact; with no {@code ':'} both username and password are the
     * empty string). The username must pass the {@code ElevatedSecurityGuard} check,
     * then {@link #login} is called with remember-me disabled. Any failure after the
     * header check ends in {@code sendError(401, ...)} carrying the {@code LoginReason}.
     *
     * <p>Notes for reviewers:
     * <ul>
     *   <li>{@code httpServletResponse} is dereferenced without a null check, unlike
     *       {@link #login} and {@link #logout}.</li>
     *   <li>The decoded credentials are converted with the JVM default charset (no
     *       charset argument on {@code getBytes()} / {@code new String(byte[])}), so
     *       non-ASCII usernames or passwords depend on the platform encoding —
     *       NOTE(review): confirm this matches what clients send.</li>
     *   <li>Only the username reaches the log; the password string is never logged.
     *       The username comes straight from the request header.</li>
     *   <li>The log messages in this method carry the prefix
     *       {@code "getUserFromSession :"}; that is the text as shipped, not a sign the
     *       session is involved.</li>
     * </ul>
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse the current response; must not be {@code null}
     * @return the principal looked up after a successful login, or {@code null}
     */
    protected Principal getUserFromBasicAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        boolean isDebugEnabled = log.isDebugEnabled();
        String header = httpServletRequest.getHeader("Authorization");
        LoginReason loginReason = LoginReason.OK;
        if (header == null || !header.startsWith("Basic ")) {
            // No usable header: issue the challenge and report no user.
            httpServletResponse.setStatus(401);
            httpServletResponse.setHeader("WWW-Authenticate", "BASIC realm=\"protected-area\"");
            return null;
        }
        if (isDebugEnabled) {
            log.debug("getUserFromSession : Looking in Basic Auth headers");
        }
        // "Basic " is 6 characters; the remainder is the base64 "user:password" payload.
        String str = new String(Base64.decode(header.substring(6).getBytes()));
        String str2 = "";
        String str3 = "";
        int indexOf = str.indexOf(":");
        if (indexOf != -1) {
            str2 = str.substring(0, indexOf);
            str3 = str.substring(indexOf + 1);
        }
        ElevatedSecurityGuard elevatedSecurityGuard = getElevatedSecurityGuard();
        if (elevatedSecurityGuard.performElevatedSecurityCheck(httpServletRequest, str2)) {
            if (isDebugEnabled) {
                log.debug("getUserFromSession : '" + str2 + "' does not require elevated security check.  Attempting authentication...");
            }
            try {
                // Remember-me is never set from a basic-auth login.
                if (login(httpServletRequest, httpServletResponse, str2, str3, false)) {
                    LoginReason.OK.stampRequestResponse(httpServletRequest, httpServletResponse);
                    elevatedSecurityGuard.onSuccessfulLoginAttempt(httpServletRequest, str2);
                    if (isDebugEnabled) {
                        log.debug("getUserFromSession : Authenticated '" + str2 + "' via Basic Auth");
                    }
                    return getUser(str2);
                }
                // stampRequestResponse evidently returns the reason, since it is assigned here.
                loginReason = LoginReason.AUTHENTICATED_FAILED.stampRequestResponse(httpServletRequest, httpServletResponse);
                elevatedSecurityGuard.onFailedLoginAttempt(httpServletRequest, str2);
            } catch (AuthenticatorException e) {
                // Logged and treated as a failure; loginReason stays at its previous value.
                log.warn("getUserFromSession : Exception trying to login '" + str2 + "' via Basic Auth:" + e, e);
            }
        } else {
            if (isDebugEnabled) {
                log.debug("getUserFromSession : '" + str2 + "' failed elevated security check");
            }
            loginReason = LoginReason.AUTHENTICATION_DENIED.stampRequestResponse(httpServletRequest, httpServletResponse);
            elevatedSecurityGuard.onFailedLoginAttempt(httpServletRequest, str2);
        }
        try {
            httpServletResponse.sendError(401, "Basic Authentication Failure - Reason : " + loginReason.toString());
            return null;
        } catch (IOException e2) {
            log.warn("getUserFromSession : Exception trying to send Basic Auth failed error: " + e2, e2);
            return null;
        }
    }

    /**
     * Returns the auth type captured in {@link #init}.
     *
     * @return the configured auth type, or {@code null} before {@code init} has run
     */
    public String getAuthType() {
        return this.basicAuthParameterName;
    }

    /**
     * Returns the configured {@code LogoutInterceptor}s.
     *
     * @return the interceptors of that type from the security config
     */
    protected List<LogoutInterceptor> getLogoutInterceptors() {
        return getConfig().getInterceptors(LogoutInterceptor.class);
    }

    /**
     * Returns the configured {@code ElevatedSecurityGuard}.
     *
     * @return the guard from the security config
     */
    protected ElevatedSecurityGuard getElevatedSecurityGuard() {
        return getConfig().getElevatedSecurityGuard();
    }

    /**
     * Returns the configured {@code RememberMeService}.
     *
     * @return the remember-me service from the security config
     */
    protected RememberMeService getRememberMeService() {
        return getConfig().getRememberMeService();
    }
}
