package com.atlassian.seraph.filter;

import com.atlassian.seraph.RequestParameterConstants;
import com.atlassian.seraph.config.SecurityConfigFactory;
import com.atlassian.seraph.filter.PasswordBasedLoginFilter;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.List;
import javax.servlet.FilterConfig;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/lib/atlassian-seraph-4.2.5.jar:com/atlassian/seraph/filter/LoginFilter.class */
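/**
 * Login filter that pulls the username / password pair out of request parameters and
 * gates the deprecated practice of passing the password as a URL parameter.
 *
 * <p>Security notes for operators and reviewers:
 * <ul>
 *   <li>A password carried in the URL is typically written to access logs, proxy logs,
 *       browser history and {@code Referer} headers. This filter therefore refuses such
 *       requests unless one of the switches read by {@link #shouldAllowUrlParameterValue()}
 *       is on; the field default is {@code false}.</li>
 *   <li>The same gate is applied to any request carrying a non-empty password that does not
 *       target a configured login submit URL (see {@link #isLoginSubmitUrl}).</li>
 *   <li>The {@code atlassian.dev.mode} system property also opens the gate, so a production
 *       instance started with dev mode enabled accepts URL passwords.</li>
 * </ul>
 *
 * <p>Both flags are {@code volatile}: they are written by {@code init} / the setters and read
 * on request threads.
 */
public class LoginFilter extends PasswordBasedLoginFilter {
    private static final Logger log = LoggerFactory.getLogger(LoginFilter.class);
    /** System property that enables URL-parameter login when set to "true" (case-insensitive). */
    private static final String ALLOW_URL_PARAMETER_LOGIN_PROPERTY = "atlassian.allow.insecure.url.parameter.login";
    /** System property for dev mode; "true" (case-insensitive) also enables URL-parameter login. */
    private static final String ATLASSIAN_DEV_MODE_PROPERTY = "atlassian.dev.mode";
    /** Filter init-param that enables URL-parameter login for this filter instance. */
    private static final String ALLOW_URL_PARAMETER_VALUE_PARAMETER_NAME = "allowUrlParameterValue";
    /** Filter init-param that silences the deprecation log line for URL-parameter logins. */
    private static final String DISABLE_LOGGING_DEPRECATION_URL_PARAMETER_VALUE_PARAMETER_NAME = "disableLoggingDeprecationUrlParameterValue";
    private static final String ENCODING = "UTF-8";
    private volatile boolean allowUrlParameterValue = false;
    private volatile boolean disableLoggingDeprecationUrlParameterValue = false;

    /**
     * Initialises the parent filter, then reads the two optional boolean init-params.
     *
     * <p>A blank or missing init-param leaves the corresponding flag at its current value.
     * {@link Boolean#parseBoolean(String)} is used, so any value other than "true"
     * (case-insensitive) sets the flag to {@code false}.
     *
     * @param filterConfig servlet filter configuration supplying the init-params
     */
    @Override
    public void init(FilterConfig filterConfig) {
        super.init(filterConfig);

        String allowSetting = filterConfig.getInitParameter(ALLOW_URL_PARAMETER_VALUE_PARAMETER_NAME);
        if (StringUtils.isNotBlank(allowSetting)) {
            setAllowUrlParameterValue(Boolean.parseBoolean(allowSetting));
        }

        String quietSetting = filterConfig.getInitParameter(DISABLE_LOGGING_DEPRECATION_URL_PARAMETER_VALUE_PARAMETER_NAME);
        if (StringUtils.isNotBlank(quietSetting)) {
            setDisableLoggingDeprecationUrlParameterValue(Boolean.parseBoolean(quietSetting));
        }
    }

    /**
     * Enables or disables acceptance of passwords supplied as URL parameters.
     *
     * @param z {@code true} to accept them; {@code false} leaves the decision to the system properties
     */
    public void setAllowUrlParameterValue(boolean z) {
        this.allowUrlParameterValue = z;
    }

    /**
     * Controls whether the deprecation message for URL-parameter logins is logged.
     *
     * @param z {@code true} to suppress the message
     */
    public void setDisableLoggingDeprecationUrlParameterValue(boolean z) {
        this.disableLoggingDeprecationUrlParameterValue = z;
    }

    /**
     * Reads the credentials from the request parameters.
     *
     * <p>When the password is non-empty and either appears in the query string or the request
     * is not aimed at a login submit URL, the request is only honoured if URL-parameter login
     * is allowed; otherwise {@code null} is returned.
     *
     * @param httpServletRequest the incoming request
     * @return the extracted pair, or {@code null} when the URL-parameter gate rejects the request
     *         (how the superclass treats {@code null} is not visible here; presumably as
     *         "no login attempt")
     */
    @Override
    protected PasswordBasedLoginFilter.UserPasswordPair extractUserPasswordPair(HttpServletRequest httpServletRequest) {
        String username = httpServletRequest.getParameter(RequestParameterConstants.OS_USERNAME);
        String password = httpServletRequest.getParameter(RequestParameterConstants.OS_PASSWORD);
        boolean osCookieRequested = "true".equals(httpServletRequest.getParameter(RequestParameterConstants.OS_COOKIE));

        // The isNotEmpty check comes first so the query string is only inspected when a password is present.
        boolean subjectToUrlParameterGate = StringUtils.isNotEmpty(password)
                && (hasOsPasswordQueryParam(httpServletRequest) || !isLoginSubmitUrl(httpServletRequest));

        if (subjectToUrlParameterGate) {
            // NOTE(review): the username is request-supplied and is logged as-is; SLF4J placeholder
            // substitution does not neutralise CR/LF, so log-forging protection has to come from the
            // logging layout/encoder. Confirm the deployed configuration.
            if (!shouldAllowUrlParameterValue()) {
                log.info("Not accepting an authentication attempt for user \"{}\", as authentication url parameter values are not being accepted.", username);
                return null;
            }
            if (!this.disableLoggingDeprecationUrlParameterValue) {
                // Despite the wording, the credentials have only been extracted at this point, not
                // verified in this method; do not treat this line as evidence of a successful login.
                log.info("User \"{}\" authenticated using {} as a query parameter, this means of authentication has been deprecated.", username, RequestParameterConstants.OS_PASSWORD);
            }
        }
        return new PasswordBasedLoginFilter.UserPasswordPair(username, password, osCookieRequested);
    }

    /**
     * Tells whether URL-parameter login is enabled by the instance flag, by the
     * {@code atlassian.allow.insecure.url.parameter.login} system property, or by dev mode.
     */
    private boolean shouldAllowUrlParameterValue() {
        if (this.allowUrlParameterValue) {
            return true;
        }
        if (StringUtils.equalsIgnoreCase("true", System.getProperty(ALLOW_URL_PARAMETER_LOGIN_PROPERTY))) {
            return true;
        }
        return StringUtils.equalsIgnoreCase("true", System.getProperty(ATLASSIAN_DEV_MODE_PROPERTY));
    }

    /**
     * Reports whether the URL-decoded query string contains {@code os_password=}.
     *
     * <p>This is a substring test on the whole decoded query string, so it can also match when
     * the text appears inside another parameter's name or value. That errs on the side of
     * applying the gate.
     *
     * <p>{@link URLDecoder} throws {@link IllegalArgumentException} on a malformed
     * percent-escape. Such a query string is treated as carrying a URL password, so the gate
     * still applies and the exception does not escape the filter.
     */
    private static boolean hasOsPasswordQueryParam(HttpServletRequest httpServletRequest) {
        String queryString = httpServletRequest.getQueryString();
        if (queryString == null) {
            return false;
        }
        try {
            return decodeQueryString(queryString).contains("os_password=");
        } catch (IllegalArgumentException e) {
            // Fail closed. The query string is deliberately not logged: it may hold a password.
            log.debug("Query string could not be URL-decoded; applying the URL parameter login gate.");
            return true;
        }
    }

    /**
     * Checks the request's servlet path against the configured login submit URLs.
     *
     * <p>An empty configured list means every request counts as a login submit URL. Only
     * {@code getServletPath()} is compared; path info is not considered.
     */
    private static boolean isLoginSubmitUrl(HttpServletRequest httpServletRequest) {
        List<String> submitUrls = SecurityConfigFactory.getInstance().getLoginSubmitURL();
        String servletPath = httpServletRequest.getServletPath();
        return submitUrls.isEmpty() || submitUrls.contains(servletPath);
    }

    /**
     * URL-decodes {@code str} as UTF-8.
     *
     * @throws IllegalArgumentException if {@code str} contains a malformed percent-escape
     */
    private static String decodeQueryString(String str) {
        try {
            return URLDecoder.decode(str, ENCODING);
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is a charset every Java platform must support, so this is unreachable in practice.
            throw new AssertionError(e);
        }
    }
}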
