package com.atlassian.seraph.filter;

import com.atlassian.security.auth.trustedapps.ApplicationCertificate;
import com.atlassian.security.auth.trustedapps.CurrentApplication;
import com.atlassian.security.auth.trustedapps.DefaultEncryptedCertificate;
import com.atlassian.security.auth.trustedapps.InvalidCertificateException;
import com.atlassian.security.auth.trustedapps.TransportErrorMessage;
import com.atlassian.security.auth.trustedapps.TrustedApplication;
import com.atlassian.security.auth.trustedapps.TrustedApplicationUtils;
import com.atlassian.security.auth.trustedapps.TrustedApplicationsManager;
import com.atlassian.security.auth.trustedapps.UserResolver;
import com.atlassian.seraph.auth.DefaultAuthenticator;
import com.atlassian.seraph.auth.RoleMapper;
import com.atlassian.seraph.config.SecurityConfigFactory;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.io.Writer;
import java.security.Principal;
import java.security.PublicKey;
import javax.servlet.Filter;
import javax.servlet.FilterConfig;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import org.bouncycastle.util.encoders.Base64;

/* loaded from: input_file:com/atlassian/seraph/filter/TrustedApplicationsFilter.class */
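/**
 * Servlet filter that lets a registered "trusted application" authenticate a request on
 * behalf of a user by presenting an encrypted certificate in request headers.
 *
 * <p>The filter does two things:
 * <ul>
 *   <li>Any request whose URI (context path stripped) ends in
 *       {@code /admin/appTrustCertificate} is answered directly with this application's ID,
 *       Base64-encoded public key, protocol version and magic value. The filter chain is not
 *       invoked for such a request.</li>
 *   <li>Every other request that does not already carry an {@code os_authstatus} attribute is
 *       passed to the {@link Authenticator}. On success the resolved principal is bound to the
 *       HTTP session for the duration of the request, and the session is invalidated once the
 *       chain returns.</li>
 * </ul>
 *
 * <p>This source was produced by a decompiler. Access modifiers on a few members were widened
 * by the tool (noted on the members concerned), and {@code doFilter} was rebuilt by hand from
 * the raw instruction listing because the tool could not structure it.
 */
public class TrustedApplicationsFilter implements Filter {
    private static final Logger log;
    private final CertificateServer certificateServer;
    private final Authenticator authenticator;
    private FilterConfig filterConfig;
    // Compiler-generated cache for the class literal used to create the logger.
    static Class class$com$atlassian$seraph$filter$TrustedApplicationsFilter;

    /** Strategy that decides whether a request is a valid trusted-application call. */
    interface Authenticator {

        /**
         * Outcome of one authentication attempt: a status plus either the transport error
         * message (failure and error outcomes) or the resolved user (success).
         */
        public static class Result {
            private final Status status;
            private final TransportErrorMessage message;
            private final Principal user;

            /** The request was malformed or the certificate could not be decoded. */
            static class Error extends Result {
                Error(TransportErrorMessage transportErrorMessage) {
                    super(Status.ERROR, transportErrorMessage);
                }
            }

            /** The request was well formed but the application or user was rejected. */
            static class Failure extends Result {
                Failure(TransportErrorMessage transportErrorMessage) {
                    super(Status.FAILED, transportErrorMessage);
                }
            }

            /** The request carried no trusted-application certificate header at all. */
            static class NoAttempt extends Result {
                NoAttempt() {
                    super(Status.NO_ATTEMPT);
                }
            }

            /**
             * Type-safe enumeration of outcomes. Package-private in the compiled class; the
             * decompiler widened it to public.
             */
            public static final class Status {
                static final Status SUCCESS = new Status(Constants.SUCCESS, BaseLoginFilter.LOGIN_SUCCESS);
                static final Status FAILED = new Status(Constants.FAILED, BaseLoginFilter.LOGIN_FAILED);
                static final Status ERROR = new Status(Constants.ERROR, BaseLoginFilter.LOGIN_ERROR);
                static final Status NO_ATTEMPT = new Status(Constants.NO_ATTEMPT, "no attempt");
                private final int ordinal;
                private final String name;

                /** Ordinals as compile-time constants so they can be used as switch labels. */
                static final class Constants {
                    static final int SUCCESS = 0;
                    static final int FAILED = 1;
                    static final int ERROR = 2;
                    static final int NO_ATTEMPT = 3;

                    Constants() {
                    }
                }

                private Status(int i, String str) {
                    this.ordinal = i;
                    this.name = str;
                }

                int getOrdinal() {
                    return this.ordinal;
                }

                @Override
                public String toString() {
                    return this.name;
                }
            }

            /** The certificate decoded, the user resolved and the user may log in. */
            static class Success extends Result {
                public Success(Principal principal) {
                    super(Status.SUCCESS, principal);
                }
            }

            Result(Status status) {
                this(status, null, null);
            }

            /**
             * @throws IllegalArgumentException if {@code transportErrorMessage} is null
             */
            Result(Status status, TransportErrorMessage transportErrorMessage) {
                this(status, transportErrorMessage, null);
                TrustedApplicationsFilter.notNull("message", transportErrorMessage);
            }

            /**
             * @throws IllegalArgumentException if {@code principal} is null
             */
            Result(Status status, Principal principal) {
                this(status, null, principal);
                TrustedApplicationsFilter.notNull("principal", principal);
            }

            /**
             * @throws IllegalArgumentException if {@code status} is null
             */
            Result(Status status, TransportErrorMessage transportErrorMessage, Principal principal) {
                if (status == null) {
                    throw new IllegalArgumentException("status");
                }
                this.status = status;
                this.message = transportErrorMessage;
                this.user = principal;
            }

            public Status getStatus() {
                return this.status;
            }

            /**
             * Returns the transport error message as text, or {@code null} for outcomes that
             * carry no message (success and no-attempt). Previously this dereferenced the
             * message unconditionally and threw a NullPointerException for those outcomes.
             */
            public String getMessage() {
                return this.message == null ? null : this.message.toString();
            }

            /** Returns the authenticated user, or {@code null} unless the outcome is a success. */
            public Principal getUser() {
                return this.user;
            }
        }

        Result authenticate(HttpServletRequest httpServletRequest);
    }

    /**
     * Default {@link Authenticator}: reads the trusted-application headers, has the matching
     * {@link TrustedApplication} decode the certificate, resolves the user and checks that the
     * user is allowed to log in.
     */
    static class AuthenticatorImpl implements Authenticator {
        final TrustedApplicationsManager appManager;
        final UserResolver resolver;
        final RoleMapper roleMapper;

        AuthenticatorImpl(TrustedApplicationsManager trustedApplicationsManager, UserResolver userResolver, RoleMapper roleMapper) {
            this.appManager = trustedApplicationsManager;
            this.resolver = userResolver;
            this.roleMapper = roleMapper;
        }

        /**
         * Evaluates the trusted-application headers of one request.
         *
         * <p>Every header read here is supplied by the caller and is untrusted until
         * {@code TrustedApplication.decode} has accepted the certificate. Several of the error
         * messages built below embed those values (application ID, protocol version, user name)
         * and are later copied into a response header and the log by the enclosing filter.
         *
         * @return {@code NoAttempt} when the certificate header is absent or blank, {@code Error}
         *         for a malformed request or an undecodable certificate, {@code Failure} for an
         *         unknown application, unknown user or a user who may not log in, and
         *         {@code Success} otherwise
         */
        @Override // com.atlassian.seraph.filter.TrustedApplicationsFilter.Authenticator
        public Authenticator.Result authenticate(HttpServletRequest httpServletRequest) {
            String certificate = httpServletRequest.getHeader("X-Seraph-Trusted-App-Cert");
            if (TrustedApplicationsFilter.isBlank(certificate)) {
                // Without a certificate header this is not a trusted-application call at all.
                return new Authenticator.Result.NoAttempt();
            }
            String applicationId = httpServletRequest.getHeader("X-Seraph-Trusted-App-ID");
            if (TrustedApplicationsFilter.isBlank(applicationId)) {
                return new Authenticator.Result.Error(new TransportErrorMessage.ApplicationIdNotFoundInRequest());
            }
            String secretKey = httpServletRequest.getHeader("X-Seraph-Trusted-App-Key");
            if (TrustedApplicationsFilter.isBlank(secretKey)) {
                return new Authenticator.Result.Error(new TransportErrorMessage.SecretKeyNotFoundInRequest());
            }
            String magicNumber = httpServletRequest.getHeader(TrustedApplicationUtils.Header.Request.MAGIC);
            String versionHeader = httpServletRequest.getHeader(TrustedApplicationUtils.Header.Request.VERSION);
            // The NumberFormatException handler deliberately spans the whole attempt, exactly as
            // in the compiled class, so the mapping to BadProtocolVersion is unchanged.
            try {
                // NOTE(review): the caller chooses the protocol version. With the version header
                // absent the magic number is not required and a null version is handed to
                // decode(); whether decode() rejects that downgrade is not visible here - confirm.
                Integer protocolVersion = TrustedApplicationsFilter.isBlank(versionHeader) ? null : Integer.valueOf(versionHeader);
                if (protocolVersion != null && TrustedApplicationsFilter.isBlank(magicNumber)) {
                    return new Authenticator.Result.Error(new TransportErrorMessage.MagicNumberNotFoundInRequest());
                }
                TrustedApplication application = this.appManager.getTrustedApplication(applicationId);
                if (application == null) {
                    // Reached before any cryptographic check: the caller-supplied ID is echoed
                    // back inside the error message.
                    return new Authenticator.Result.Failure(new TransportErrorMessage.ApplicationUnknown(applicationId));
                }
                try {
                    ApplicationCertificate decodedCertificate = application.decode(
                            new DefaultEncryptedCertificate(applicationId, secretKey, certificate, protocolVersion, magicNumber),
                            httpServletRequest);
                    Principal user = this.resolver.resolve(decodedCertificate);
                    if (user == null) {
                        TrustedApplicationsFilter.log.warn("User '" + decodedCertificate.getUserName()
                                + "' referenced by trusted application: '" + application.getID() + "' is not found.");
                        return new Authenticator.Result.Failure(new TransportErrorMessage.UserUnknown(decodedCertificate.getUserName()));
                    }
                    if (this.roleMapper.canLogin(user, httpServletRequest)) {
                        return new Authenticator.Result.Success(user);
                    }
                    TrustedApplicationsFilter.log.warn("User '" + decodedCertificate.getUserName()
                            + "' referenced by trusted application: '" + application.getID() + "' cannot login.");
                    return new Authenticator.Result.Failure(new TransportErrorMessage.PermissionDenied());
                } catch (InvalidCertificateException e) {
                    TrustedApplicationsFilter.log.warn("Failed to login trusted application: " + application.getID() + " due to: " + e);
                    TrustedApplicationsFilter.log.debug("Failed to login trusted application cause", e);
                    return new Authenticator.Result.Error(e.getTransportErrorMessage());
                }
            } catch (NumberFormatException e2) {
                return new Authenticator.Result.Error(new TransportErrorMessage.BadProtocolVersion(versionHeader));
            }
        }
    }

    /** Writes this application's public trust material to a writer. */
    interface CertificateServer {
        void writeCertificate(Writer writer) throws IOException;
    }

    /** Default {@link CertificateServer} backed by the {@link TrustedApplicationsManager}. */
    static class CertificateServerImpl implements CertificateServer {
        final TrustedApplicationsManager appManager;

        CertificateServerImpl(TrustedApplicationsManager trustedApplicationsManager) {
            this.appManager = trustedApplicationsManager;
        }

        /**
         * Writes four newline-separated values: the current application's ID, its public key
         * (encoded form, Base64), the protocol version and the magic value. Only the public
         * key is written; no private key material is read here.
         *
         * @throws AssertionError if the configured charset name is not supported
         * @throws RuntimeException wrapping any {@link IOException} raised while writing
         */
        @Override // com.atlassian.seraph.filter.TrustedApplicationsFilter.CertificateServer
        public void writeCertificate(Writer writer) throws IOException {
            CurrentApplication application = this.appManager.getCurrentApplication();
            PublicKey key = application.getPublicKey();
            try {
                writer.write(application.getID());
                writer.write("\n");
                writer.write(new String(Base64.encode(key.getEncoded()), TrustedApplicationUtils.Constant.CHARSET_NAME));
                writer.write("\n");
                writer.write(TrustedApplicationUtils.Constant.VERSION.toString());
                writer.write("\n");
                writer.write(TrustedApplicationUtils.Constant.MAGIC);
                writer.flush();
            } catch (UnsupportedEncodingException e) {
                throw new AssertionError(e);
            } catch (IOException e2) {
                // NOTE(review): the method declares IOException yet rethrows it unchecked, so
                // callers that handle IOException never see a write failure. Kept as compiled.
                throw new RuntimeException(e2);
            }
        }
    }

    /** Values of the {@code X-Seraph-Trusted-App-Status} response header. */
    private static final class Status {
        static final String ERROR = "ERROR";
        static final String OK = "OK";

        private Status() {
        }
    }

    public TrustedApplicationsFilter(TrustedApplicationsManager trustedApplicationsManager, UserResolver userResolver) {
        this(trustedApplicationsManager, userResolver, SecurityConfigFactory.getInstance().getRoleMapper());
    }

    public TrustedApplicationsFilter(TrustedApplicationsManager trustedApplicationsManager, UserResolver userResolver, RoleMapper roleMapper) {
        this(new CertificateServerImpl(trustedApplicationsManager), new AuthenticatorImpl(trustedApplicationsManager, userResolver, roleMapper));
    }

    /**
     * @throws IllegalArgumentException if either collaborator is null
     */
    TrustedApplicationsFilter(CertificateServer certificateServer, Authenticator authenticator) {
        this.filterConfig = null;
        notNull("certificateServer", certificateServer);
        notNull("authenticator", authenticator);
        this.certificateServer = certificateServer;
        this.authenticator = authenticator;
    }

    /**
     * Serves the trust certificate or attempts trusted-application authentication, then
     * continues the chain.
     *
     * <p>The decompiler failed on this method (it could not structure the jsr/ret form of the
     * finally block) and emitted only a stub that threw UnsupportedOperationException. The body
     * below was rebuilt statement by statement from the raw instruction listing the tool left
     * in its place; verify it against the class file before relying on it.
     */
    @Override
    public void doFilter(javax.servlet.ServletRequest r6, javax.servlet.ServletResponse r7, javax.servlet.FilterChain r8) throws java.io.IOException, javax.servlet.ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) r6;
        HttpServletResponse httpResponse = (HttpServletResponse) r7;

        // Suffix match on the request URI with the context path stripped: every URI ending in
        // this string is answered here, before any authentication, and never reaches the chain.
        if (getPathInfo(httpRequest).endsWith("/admin/appTrustCertificate")) {
            httpResponse.setContentType("text/plain");
            // NOTE(review): no charset is given, so the writer uses the platform default.
            this.certificateServer.writeCertificate(new java.io.OutputStreamWriter(httpResponse.getOutputStream()));
            return;
        }

        boolean trustedAppLogin = false;
        // An earlier filter has already settled authentication when this attribute is present.
        if (httpRequest.getAttribute("os_authstatus") == null) {
            String authStatus = authenticate(httpRequest, httpResponse);
            if ("success".equals(authStatus)) {
                httpRequest.setAttribute("os_authstatus", authStatus);
                httpResponse.setHeader("X-Seraph-Trusted-App-Status", Status.OK);
                trustedAppLogin = true;
            }
        }

        try {
            r8.doFilter(httpRequest, r7);
        } finally {
            // A trusted-application login is valid for this one request only: drop the session
            // that carried the principal so it cannot be replayed with the session cookie.
            if (trustedAppLogin && httpRequest.getSession(false) != null) {
                httpRequest.getSession().invalidate();
            }
        }
    }

    /**
     * Runs the {@link Authenticator} and applies its outcome to the session and response.
     *
     * <p>On success the user is stored in the session under
     * {@code DefaultAuthenticator.LOGGED_IN_KEY} and {@code LOGGED_OUT_KEY} is cleared. On
     * failure or error the status and error response headers are set.
     *
     * <p>NOTE(review): {@code getSession()} reuses whatever session the request already
     * identifies, so the principal is bound to a session ID the caller chose and the ID is not
     * rotated first. {@code doFilter} invalidates that session after the chain returns, which
     * limits the exposure to the lifetime of the request.
     *
     * @return one of the {@code BaseLoginFilter.LOGIN_*} status strings
     * @throws IllegalStateException if the authenticator reports an unknown status ordinal
     */
    public String authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Authenticator.Result result = this.authenticator.authenticate(httpServletRequest);
        switch (result.getStatus().getOrdinal()) {
            case Authenticator.Result.Status.Constants.SUCCESS:
                httpServletRequest.getSession().setAttribute(DefaultAuthenticator.LOGGED_IN_KEY, result.getUser());
                httpServletRequest.getSession().setAttribute(DefaultAuthenticator.LOGGED_OUT_KEY, null);
                return BaseLoginFilter.LOGIN_SUCCESS;
            case Authenticator.Result.Status.Constants.FAILED:
                setFailureHeader(httpServletResponse, result.getMessage());
                return BaseLoginFilter.LOGIN_FAILED;
            case Authenticator.Result.Status.Constants.ERROR:
                setFailureHeader(httpServletResponse, result.getMessage());
                return BaseLoginFilter.LOGIN_ERROR;
            case Authenticator.Result.Status.Constants.NO_ATTEMPT:
                return BaseLoginFilter.LOGIN_NOATTEMPT;
            default:
                throw new IllegalStateException("Unknown result: " + result.getStatus().getOrdinal());
        }
    }

    /**
     * Returns the request URI with the context path removed. The value comes from
     * {@code getRequestURI()}, so it is the path as the client sent it.
     */
    protected String getPathInfo(HttpServletRequest httpServletRequest) {
        String contextPath = httpServletRequest.getContextPath();
        String requestUri = httpServletRequest.getRequestURI();
        if (contextPath == null || contextPath.length() <= 0) {
            return requestUri;
        }
        return requestUri.substring(contextPath.length());
    }

    /**
     * Reports a failed attempt to the caller through response headers and logs it at INFO.
     *
     * <p>The message can contain values taken from the request (for example the application ID
     * of an unknown application), so carriage returns and line feeds are replaced by spaces
     * before the text is used as a header value or a log line.
     */
    private void setFailureHeader(HttpServletResponse httpServletResponse, String str) {
        String singleLine = stripLineBreaks(str);
        httpServletResponse.setHeader("X-Seraph-Trusted-App-Status", Status.ERROR);
        httpServletResponse.addHeader("X-Seraph-Trusted-App-Error", singleLine);
        if (log.isInfoEnabled()) {
            // The exception is created only to record a stack trace with the message.
            log.info(singleLine, new RuntimeException(singleLine));
        }
    }

    /** Replaces CR and LF with spaces; returns {@code null} for {@code null}. */
    private static String stripLineBreaks(String value) {
        if (value == null) {
            return null;
        }
        return value.replace('\r', ' ').replace('\n', ' ');
    }

    @Override
    public void init(FilterConfig filterConfig) {
        this.filterConfig = filterConfig;
    }

    @Override
    public void destroy() {
        this.filterConfig = null;
    }

    public FilterConfig getFilterConfig() {
        return this.filterConfig;
    }

    /** Delegates to {@link #init(FilterConfig)}; a null argument is ignored. */
    public void setFilterConfig(FilterConfig filterConfig) {
        if (filterConfig != null) {
            init(filterConfig);
        }
    }

    /**
     * Returns true when the string is null, empty or contains only characters that
     * {@code String.trim()} removes. Private in the compiled class; widened by the decompiler.
     */
    public static boolean isBlank(String str) {
        return str == null || str.trim().length() == 0;
    }

    /**
     * Argument guard. Private in the compiled class; widened by the decompiler.
     *
     * @throws IllegalArgumentException naming the argument when {@code obj} is null
     */
    public static void notNull(String str, Object obj) {
        if (obj == null) {
            throw new IllegalArgumentException(str + " should not be null");
        }
    }

    /**
     * Compiler-generated helper behind the class literal used for the logger.
     *
     * @throws NoClassDefFoundError with the ClassNotFoundException as its cause
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            // initCause() returns Throwable, which cannot be thrown from this method as
            // declared; attach the cause first and throw the typed error.
            NoClassDefFoundError error = new NoClassDefFoundError();
            error.initCause(e);
            throw error;
        }
    }

    static {
        Class cls;
        if (class$com$atlassian$seraph$filter$TrustedApplicationsFilter == null) {
            cls = class$("com.atlassian.seraph.filter.TrustedApplicationsFilter");
            class$com$atlassian$seraph$filter$TrustedApplicationsFilter = cls;
        } else {
            cls = class$com$atlassian$seraph$filter$TrustedApplicationsFilter;
        }
        log = Logger.getLogger(cls);
    }
}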
