package com.atlassian.seraph.filter;

import com.atlassian.seraph.SecurityService;
import com.atlassian.seraph.auth.AuthType;
import com.atlassian.seraph.auth.AuthenticationContext;
import com.atlassian.seraph.config.SecurityConfig;
import com.atlassian.seraph.config.SecurityConfigFactory;
import com.atlassian.seraph.util.RedirectUtils;
import com.atlassian.seraph.util.SecurityUtils;
import java.io.IOException;
import java.security.Principal;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/lib/atlassian-seraph-4.2.5.jar:com/atlassian/seraph/filter/SecurityFilter.class */
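/**
 * Servlet filter that enforces Seraph's role-based authorization for a request.
 *
 * <p>The filter is meant to run after the login filter. For each request it asks
 * every configured {@link SecurityService} which roles are required, resolves the
 * current {@link Principal} through the configured authenticator, and checks each
 * required role with the role mapper. Requests that lack a role are forwarded
 * (POST with a configured forward path) or redirected to the login page; all
 * other requests continue down the chain with the {@link AuthenticationContext}
 * holding the resolved user for the duration of the request.
 *
 * <p>Thread-safety: the filter itself only caches the {@link SecurityConfig};
 * all per-request state lives in locals and in the request/session.
 */
public class SecurityFilter implements Filter {
    private static final Logger log = LoggerFactory.getLogger(SecurityFilter.class);

    /** Request attribute marking a request that already passed through this filter (guards against double application). */
    static final String ALREADY_FILTERED = "os_securityfilter_already_filtered";
    /** Request attribute holding the originally requested URL: servlet path + path info + query string. */
    public static final String ORIGINAL_URL = "atlassian.core.seraph.original.url";

    private FilterConfig config = null;
    private SecurityConfig securityConfig = null;

    /**
     * Loads the security configuration and publishes it in the servlet context.
     *
     * <p>The optional {@code config.file} init parameter selects the configuration
     * file; when absent the factory default is used. The resulting
     * {@link SecurityConfig} is stored under {@link SecurityConfig#STORAGE_KEY} so
     * other Seraph components (and {@link #getSecurityConfig()}) can find it.
     *
     * @param filterConfig the container-supplied filter configuration
     */
    @Override
    public void init(FilterConfig filterConfig) {
        log.debug("SecurityFilter.init");
        this.config = filterConfig;
        String configFile = filterConfig.getInitParameter("config.file");
        if (configFile != null) {
            log.debug("Security config file location: " + configFile);
        }
        this.securityConfig = SecurityConfigFactory.getInstance(configFile);
        filterConfig.getServletContext().setAttribute(SecurityConfig.STORAGE_KEY, this.securityConfig);
        log.debug("SecurityFilter.init completed successfully.");
    }

    /**
     * Releases the security configuration (if one was loaded) and drops the filter config.
     */
    @Override
    public void destroy() {
        log.debug("SecurityFilter.destroy");
        if (this.securityConfig == null) {
            log.warn("Trying to destroy a SecurityFilter with null securityConfig.");
        } else {
            this.securityConfig.destroy();
            this.securityConfig = null;
        }
        this.config = null;
    }

    /**
     * Authorizes the request against the roles required by the configured security services.
     *
     * <p>Outcomes, in order of evaluation:
     * <ul>
     *   <li>already filtered, or security disabled: pass straight through;</li>
     *   <li>login filter not applied: log a warning and return without invoking the
     *       chain and without writing a response (fail closed);</li>
     *   <li>anonymous request with a cookie-based auth type but no valid session:
     *       {@code 401}; basic-auth requests are left to the basic-auth path;</li>
     *   <li>all required roles present (or the login page itself requested): invoke
     *       the chain with the user set in the authentication context;</li>
     *   <li>otherwise forward (POST) or redirect (other methods) to the login page,
     *       remembering the original URL in the session.</li>
     * </ul>
     *
     * @param servletRequest  the current request; must be an {@link HttpServletRequest}
     * @param servletResponse the current response; must be an {@link HttpServletResponse}
     * @param filterChain     the remainder of the filter chain
     * @throws IOException      from the chain, the forward or the redirect
     * @throws ServletException from the chain or the forward
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        // Apply at most once per request, and not at all when security is switched off.
        if (servletRequest.getAttribute(ALREADY_FILTERED) != null || !getSecurityConfig().getController().isSecurityEnabled()) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        servletRequest.setAttribute(ALREADY_FILTERED, Boolean.TRUE);
        boolean debug = log.isDebugEnabled();

        // Fail closed: the chain is not continued and no response is written here.
        // NOTE(review): the helper's name reads oddly against the warning text; this is
        // decompiled output, so confirm the intended condition against the Seraph source.
        if (!SecurityUtils.isSeraphFilteringDisabled(servletRequest)) {
            log.warn("doFilter : LoginFilter not yet applied to this request - terminating filter chain");
            return;
        }

        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        SecurityConfig securityConfig = getSecurityConfig();

        // The original URL includes the query string; it is later kept in the session for the post-login redirect.
        String originalUrl = buildOriginalUrl(request);
        request.setAttribute(ORIGINAL_URL, originalUrl);
        if (debug) {
            log.debug("doFilter : Storing the originally requested URL (atlassian.core.seraph.original.url=" + originalUrl + ")");
        }

        Set<String> requiredRoles = collectRequiredRoles(securityConfig, request);
        if (debug) {
            log.debug("doFilter : requiredRoles = " + requiredRoles);
        }

        Principal user = securityConfig.getAuthenticator().getUser(request, response);
        if (user == null && rejectsAnonymousRequest(request, response, securityConfig)) {
            return;
        }

        if (debug) {
            log.debug("doFilter : Setting Auth Context to be '" + (user == null ? "anonymous " : user.getName()) + "'");
        }
        AuthenticationContext authenticationContext = getAuthenticationContext();
        authenticationContext.setUser(user);

        // A null user is checked like any other principal; the role mapper decides what anonymous may do.
        Set<String> missingRoles = new HashSet<>();
        for (String role : requiredRoles) {
            if (!securityConfig.getRoleMapper().hasRole(user, request, role)) {
                log.info("doFilter : '" + user + "' needs (and lacks) role '" + role + "' to access " + originalUrl);
                missingRoles.add(role);
            }
        }
        boolean authorizationFailed = !missingRoles.isEmpty();

        // The login page itself is always reachable; only an exact servlet-path match lifts the check.
        String servletPath = request.getServletPath();
        if (servletPath != null && servletPath.equals(securityConfig.getLoginURL())) {
            if (debug) {
                log.debug("doFilter : Login page requested so no additional authorization required.");
            }
            authorizationFailed = false;
        }

        if (!authorizationFailed) {
            try {
                filterChain.doFilter(servletRequest, servletResponse);
            } finally {
                // The principal is request-scoped: drop it even when the chain throws.
                authenticationContext.clearUser();
            }
            return;
        }

        String loginForwardPath = securityConfig.getLoginForwardPath();
        if (isPost(request) && StringUtils.isNotBlank(loginForwardPath)) {
            // A POST cannot be redirected without losing its body, so it is forwarded server-side instead.
            if (debug) {
                log.debug("doFilter : Need Authentication for POST: Forwarding to: " + loginForwardPath + " from: " + originalUrl);
            }
            request.getRequestDispatcher(loginForwardPath).forward(request, response);
            return;
        }

        if (debug) {
            log.debug("doFilter : Need Authentication: Redirecting to: " + securityConfig.getLoginURL() + " from: " + originalUrl);
        }
        // getSession() creates a session when none exists; the stored URL drives the post-login redirect.
        request.getSession().setAttribute(securityConfig.getOriginalURLKey(), originalUrl);
        if (!response.isCommitted()) {
            response.sendRedirect(getLoginUrl(request, missingRoles));
        }
    }

    /**
     * Reassembles the requested URL relative to the context path: servlet path,
     * path info (if any) and query string (if any, prefixed with {@code ?}).
     */
    private static String buildOriginalUrl(HttpServletRequest request) {
        String pathInfo = request.getPathInfo();
        String queryString = request.getQueryString();
        return request.getServletPath()
                + (pathInfo == null ? "" : pathInfo)
                + (queryString == null ? "" : "?" + queryString);
    }

    /**
     * Unions the roles every configured security service requires for this request.
     */
    private static Set<String> collectRequiredRoles(SecurityConfig securityConfig, HttpServletRequest request) {
        Set<String> requiredRoles = new HashSet<>();
        for (SecurityService service : securityConfig.getServices()) {
            requiredRoles.addAll(service.getRequiredRoles(request));
        }
        return requiredRoles;
    }

    /**
     * Decides whether an anonymous request must stop here instead of continuing as anonymous.
     *
     * <p>Basic-auth requests are not handled by this filter and simply cause it to
     * return. For {@link AuthType#COOKIE} a missing session is a {@code 401}; for
     * {@link AuthType#ANY} a {@code 401} is sent only when a {@code JSESSIONID}
     * cookie was presented but no longer maps to a session.
     *
     * @return {@code true} when the caller must return immediately
     * @throws IOException if sending the error response fails
     */
    private boolean rejectsAnonymousRequest(HttpServletRequest request, HttpServletResponse response, SecurityConfig securityConfig) throws IOException {
        AuthType authType = AuthType.getAuthTypeInformation(request, securityConfig);
        if (RedirectUtils.isBasicAuthentication(request, securityConfig.getAuthType())) {
            return true;
        }
        if (authType == AuthType.COOKIE && request.getSession(false) == null) {
            response.sendError(401, "os_authType was 'cookie' but no valid cookie was sent.");
            return true;
        }
        if (authType == AuthType.ANY && hasJSessionCookie(request.getCookies()) && request.getSession(false) == null) {
            response.sendError(401, "os_authType was 'any' and an invalid cookie was sent.");
            return true;
        }
        return false;
    }

    /**
     * Builds the URL an unauthorized request is redirected to. Extension point for subclasses.
     *
     * @param httpServletRequest the current request
     * @param set                the roles the current principal lacks; not used by this default implementation
     * @return the login URL derived from the request by {@link RedirectUtils#getLoginUrl}
     */
    protected String getLoginUrl(HttpServletRequest httpServletRequest, Set<String> set) {
        return RedirectUtils.getLoginUrl(httpServletRequest);
    }

    /** @return whether the request method is exactly {@code POST}. */
    private static boolean isPost(HttpServletRequest request) {
        return "POST".equals(request.getMethod());
    }

    /**
     * Reports whether a {@code JSESSIONID} cookie is present.
     *
     * <p>Only the default cookie name is recognised; a container configured with a
     * different session-cookie name is not detected here.
     *
     * @param cookies the request cookies, possibly {@code null}
     */
    private static boolean hasJSessionCookie(Cookie[] cookies) {
        if (cookies == null) {
            return false;
        }
        for (Cookie cookie : cookies) {
            if (cookie.getName().equals("JSESSIONID")) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the security configuration, looking it up in the servlet context on
     * first use if {@link #init} did not set it (e.g. another filter published it).
     *
     * <p>Unsynchronized: concurrent first calls each read the same servlet-context
     * attribute, so the race is benign.
     */
    protected SecurityConfig getSecurityConfig() {
        if (this.securityConfig == null) {
            this.securityConfig = (SecurityConfig) this.config.getServletContext().getAttribute(SecurityConfig.STORAGE_KEY);
        }
        return this.securityConfig;
    }

    /** @return the authentication context owned by the current security configuration. */
    protected AuthenticationContext getAuthenticationContext() {
        return getSecurityConfig().getAuthenticationContext();
    }
}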
