package com.atlassian.bitbucket.jenkins.internal.applink.oauth.serviceprovider.auth;

import com.atlassian.bitbucket.jenkins.internal.applink.oauth.OAuthConverter;
import com.atlassian.bitbucket.jenkins.internal.applink.oauth.serviceprovider.OAuthRequestUtils;
import com.atlassian.bitbucket.jenkins.internal.applink.oauth.serviceprovider.consumer.Consumer;
import com.atlassian.bitbucket.jenkins.internal.applink.oauth.serviceprovider.consumer.ServiceProviderConsumerStore;
import com.atlassian.bitbucket.jenkins.internal.applink.oauth.serviceprovider.exception.InvalidTokenException;
import com.atlassian.bitbucket.jenkins.internal.applink.oauth.serviceprovider.exception.NoSuchUserException;
import com.atlassian.bitbucket.jenkins.internal.applink.oauth.serviceprovider.token.ServiceProviderToken;
import com.atlassian.bitbucket.jenkins.internal.applink.oauth.serviceprovider.token.ServiceProviderTokenStore;
import com.atlassian.bitbucket.jenkins.internal.applink.oauth.util.OAuthProblemUtils;
import com.google.common.base.Preconditions;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.time.Clock;
import java.util.Collection;
import java.util.Map;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.CheckForNull;
import javax.annotation.Nullable;
import javax.inject.Inject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import net.oauth.OAuthException;
import net.oauth.OAuthMessage;
import net.oauth.OAuthProblemException;
import net.oauth.OAuthValidator;
import net.oauth.server.OAuthServlet;
import org.apache.commons.lang3.StringUtils;

/* loaded from: input_file:com/atlassian/bitbucket/jenkins/internal/applink/oauth/serviceprovider/auth/OAuth1aRequestFilter.class */
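/**
 * Servlet filter that authenticates incoming 3-legged OAuth 1.0a requests.
 *
 * <p>A request is handled here only when security is enabled and it looks like an OAuth access
 * attempt (see {@link #isOauthRequest}). The access token named in the request is looked up,
 * checked (type, user, consumer key, expiry), the message is validated with the configured
 * {@link OAuthValidator}, and the request is then handed to the
 * {@link TrustedUnderlyingSystemAuthorizerFilter} to run as the token's user.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Every value taken from the request (token, consumer key, OAuth parameters) is untrusted.
 *       Such values have CR/LF neutralised before they are written to the log.</li>
 *   <li>At {@code FINE} level the full set of OAuth parameters of the request is logged, so debug
 *       logs of this class should be treated as sensitive.</li>
 * </ul>
 */
public class OAuth1aRequestFilter implements Filter {
    private static final Logger log = Logger.getLogger(OAuth1aRequestFilter.class.getName());
    private final ServiceProviderConsumerStore consumerStore;
    private final ServiceProviderTokenStore tokenStore;
    private final OAuthValidator validator;
    private final Clock clock;
    private final TrustedUnderlyingSystemAuthorizerFilter authorizerFilter;
    private final SecurityModeChecker securityChecker;

    /**
     * Response wrapper that adds an OAuth {@code WWW-Authenticate} header whenever the wrapped
     * response is given a 401 status, through either {@code sendError} or {@code setStatus}.
     */
    public static final class OAuthWWWAuthenticateAddingResponse extends HttpServletResponseWrapper {
        private final String baseUrl;

        /**
         * @param httpServletResponse the response to wrap
         * @param str the base URL passed to {@code getAuthorizationHeader}; must not be null
         */
        public OAuthWWWAuthenticateAddingResponse(HttpServletResponse httpServletResponse, String str) {
            super(httpServletResponse);
            this.baseUrl = Preconditions.checkNotNull(str, "baseUrl");
        }

        @Override
        public void sendError(int i, String str) throws IOException {
            if (i == 401) {
                addOAuthAuthenticateHeader();
            }
            super.sendError(i, str);
        }

        @Override
        public void sendError(int i) throws IOException {
            if (i == 401) {
                addOAuthAuthenticateHeader();
            }
            super.sendError(i);
        }

        @Override
        public void setStatus(int i, String str) {
            if (i == 401) {
                addOAuthAuthenticateHeader();
            }
            super.setStatus(i, str);
        }

        @Override
        public void setStatus(int i) {
            if (i == 401) {
                addOAuthAuthenticateHeader();
            }
            super.setStatus(i);
        }

        /** Adds the OAuth challenge header, built from an empty message and the base URL. */
        private void addOAuthAuthenticateHeader() {
            try {
                addHeader("WWW-Authenticate", new OAuthMessage((String) null, (String) null, (Collection) null).getAuthorizationHeader(this.baseUrl));
            } catch (IOException e) {
                throw new RuntimeException("Somehow the OAuth.net library threw an IOException, even though it's not doing any IO operations", e);
            }
        }
    }

    @Inject
    public OAuth1aRequestFilter(ServiceProviderConsumerStore serviceProviderConsumerStore, ServiceProviderTokenStore serviceProviderTokenStore, OAuthValidator oAuthValidator, Clock clock, TrustedUnderlyingSystemAuthorizerFilter trustedUnderlyingSystemAuthorizerFilter, SecurityModeChecker securityModeChecker) {
        this.consumerStore = serviceProviderConsumerStore;
        this.tokenStore = serviceProviderTokenStore;
        this.validator = oAuthValidator;
        this.clock = clock;
        this.authorizerFilter = trustedUnderlyingSystemAuthorizerFilter;
        this.securityChecker = securityModeChecker;
    }

    /**
     * Authenticates the request when it is an OAuth access attempt; otherwise passes it on.
     *
     * <p>The request goes down the chain untouched when security is disabled, when it is not an
     * OAuth request, or when the OAuth message carries no token. When the token cannot be read
     * at all, a 500 is reported and the chain is NOT invoked, so a request whose credentials
     * could not be parsed is never processed further.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        if (!this.securityChecker.isSecurityEnabled() || !isOauthRequest(request)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        OAuthMessage message = OAuthServlet.getMessage(request, getLogicalUri(request));
        String token;
        try {
            token = message.getToken();
        } catch (IOException e) {
            // Fail closed: the error response has been prepared, so do not continue the chain.
            log.log(Level.SEVERE, "3-Legged-OAuth Failed to read token from request", e);
            sendError(request, response, 500, message);
            OAuthProblemUtils.logOAuthRequest(request, "OAuth authentication FAILED - Unreadable token", log);
            return;
        }
        if (token == null) {
            // NOTE(review): an OAuth-looking request without oauth_token is not authenticated
            // here; confirm that downstream filters enforce authentication for it.
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        try {
            String user = verifyToken(message, token);
            try {
                this.authorizerFilter.authorize(user, request, new OAuthWWWAuthenticateAddingResponse(response, getBaseUrl(request)), filterChain);
                OAuthProblemUtils.logOAuthRequest(request, "OAuth authentication successful. Request marked as OAuth.", log);
            } catch (NoSuchUserException e) {
                // NOTE(review): this problem text, including the user name and the token, is
                // handed to OAuthServlet.handleException for the client response - confirm that
                // returning the user name is intended.
                OAuthServlet.handleException(response, new OAuthProblemException(String.format("User %s associated with the token %s not found in the system", user, token)), getBaseUrl(request));
            }
        } catch (OAuthProblemException e) {
            handleOAuthProblemException(request, response, message, e);
        } catch (Exception e) {
            handleException(request, response, message, e);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }

    /**
     * Checks the token named in the request and validates the OAuth message against it.
     *
     * <p>Checks, in order: the token exists in the store, is an access token, has a user, belongs
     * to the consumer key given in the request, and has not expired. The message is then
     * validated and the consumer key is looked up in the consumer store.
     *
     * @param oAuthMessage the incoming OAuth message
     * @param token the token value taken from the request (untrusted)
     * @return the user associated with the token
     * @throws OAuthProblemException with {@code token_rejected}, {@code token_expired},
     *     {@code consumer_key_unknown} or a "no user" problem when a check fails
     */
    private String verifyToken(OAuthMessage oAuthMessage, String token) throws OAuthException, IOException, URISyntaxException {
        String safeToken = sanitizeForLog(token);
        try {
            Optional<ServiceProviderToken> stored = this.tokenStore.get(token);
            if (!stored.isPresent()) {
                if (log.isLoggable(Level.FINE)) {
                    log.log(Level.FINE, String.format("3-Legged-OAuth token rejected. Service Provider Token, for Consumer provided token [%s], is null", safeToken));
                }
                throw new OAuthProblemException("token_rejected");
            }
            ServiceProviderToken serviceProviderToken = stored.get();
            if (!serviceProviderToken.isAccessToken()) {
                if (log.isLoggable(Level.FINE)) {
                    log.log(Level.FINE, String.format("3-Legged-OAuth token rejected. Service Provider Token, for Consumer provided token [%s], is NOT an access token.", safeToken));
                }
                throw new OAuthProblemException("token_rejected");
            }
            if (serviceProviderToken.getUser() == null) {
                if (log.isLoggable(Level.FINE)) {
                    log.log(Level.FINE, String.format("3-Legged-OAuth token rejected. Service Provider Token, for Consumer provided token [%s], does not have a corresponding user.", safeToken));
                }
                throw new OAuthProblemException("No user associated with the token");
            }
            // The token must have been issued to the consumer that is presenting it.
            if (!serviceProviderToken.getConsumer().getKey().equals(oAuthMessage.getConsumerKey())) {
                if (log.isLoggable(Level.FINE)) {
                    log.log(Level.FINE, String.format("3-Legged-OAuth token rejected. Service Provider Token, for Consumer provided token [%s], consumer key [%s] does not match request consumer key [%s]", safeToken, serviceProviderToken.getConsumer().getKey(), sanitizeForLog(oAuthMessage.getConsumerKey())));
                }
                throw new OAuthProblemException("token_rejected");
            }
            if (serviceProviderToken.hasExpired(this.clock)) {
                if (log.isLoggable(Level.FINE)) {
                    log.log(Level.FINE, String.format("3-Legged-OAuth token rejected. Token has expired. Token creation time [%d] time to live [%d] clock (contains logging delay) [%d]", serviceProviderToken.getCreationTime(), serviceProviderToken.getTimeToLive(), this.clock.millis()));
                }
                throw new OAuthProblemException("token_expired");
            }
            validate3LOMessage(oAuthMessage, serviceProviderToken);
            validateConsumer(oAuthMessage);
            return serviceProviderToken.getUser();
        } catch (InvalidTokenException e) {
            log.log(Level.FINE, String.format("3-Legged-OAuth Consumer provided token [%s] rejected by ServiceProviderTokenStore", safeToken), e);
            throw new OAuthProblemException("token_rejected");
        }
    }

    /**
     * Returns whether the request has an {@code Authorization} header starting with "OAuth"
     * (case-insensitive) and is reported as an OAuth access attempt by {@link OAuthRequestUtils}.
     */
    private boolean isOauthRequest(HttpServletRequest request) {
        return StringUtils.startsWithIgnoreCase(request.getHeader("Authorization"), "OAuth") && OAuthRequestUtils.isOAuthAccessAttempt(request);
    }

    /**
     * Logs the URL, method and all parameters of the message at {@code FINE}.
     *
     * <p>The parameters come from the request; CR/LF is neutralised so that a parameter cannot
     * start a new log line. The values themselves are logged in full, so logs produced at this
     * level should be handled as sensitive data.
     */
    private void printMessageToDebug(OAuthMessage oAuthMessage) throws IOException {
        if (!log.isLoggable(Level.FINE)) {
            return;
        }
        StringBuilder sb = new StringBuilder("Validating incoming OAuth request:\n");
        sb.append("\turl: ").append(sanitizeForLog(oAuthMessage.URL)).append("\n");
        sb.append("\tmethod: ").append(sanitizeForLog(oAuthMessage.method)).append("\n");
        for (Map.Entry<String, String> entry : oAuthMessage.getParameters()) {
            sb.append("\t").append(sanitizeForLog(entry.getKey())).append(": ").append(sanitizeForLog(entry.getValue())).append("\n");
        }
        log.log(Level.FINE, sb.toString());
    }

    /**
     * Sets the given status on the response and adds the message's OAuth
     * {@code WWW-Authenticate} header. A failure to build the header is logged, not rethrown.
     */
    private void sendError(HttpServletRequest request, HttpServletResponse response, int status, OAuthMessage oAuthMessage) {
        response.setStatus(status);
        try {
            response.addHeader("WWW-Authenticate", oAuthMessage.getAuthorizationHeader(getBaseUrl(request)));
        } catch (IOException e) {
            log.log(Level.SEVERE, "Failure reporting OAuth error to client", e);
        }
    }

    /**
     * Looks up the consumer named by the message's consumer key.
     *
     * @return the consumer registered under that key
     * @throws OAuthProblemException with {@code consumer_key_unknown} when no consumer is found
     */
    private Consumer validateConsumer(OAuthMessage oAuthMessage) throws IOException, OAuthException {
        String consumerKey = oAuthMessage.getConsumerKey();
        return this.consumerStore.get(consumerKey).orElseThrow(() -> {
            // The key is request-supplied: format it into the message and neutralise CR/LF.
            log.log(Level.INFO, String.format("Unknown consumer key:'%s' supplied in OAuth request", sanitizeForLog(consumerKey)));
            return new OAuthProblemException("consumer_key_unknown");
        });
    }

    /** Logs the OAuth problem and reports it to the client; reporting failures are logged. */
    private void handleOAuthProblemException(HttpServletRequest request, HttpServletResponse response, OAuthMessage oAuthMessage, OAuthProblemException problem) {
        OAuthProblemUtils.logOAuthProblem(oAuthMessage, problem, log);
        try {
            OAuthServlet.handleException(response, problem, getBaseUrl(request));
        } catch (Exception e) {
            log.log(Level.SEVERE, "Failure reporting OAuth error to client", e);
        }
    }

    /** Logs an unexpected failure and answers with a 500 carrying the OAuth header. */
    private void handleException(HttpServletRequest request, HttpServletResponse response, OAuthMessage oAuthMessage, Exception exc) {
        log.log(Level.SEVERE, "Failed to process OAuth message", exc);
        sendError(request, response, 500, oAuthMessage);
    }

    /**
     * Rebuilds the URL of a forwarded request using the original request path.
     *
     * @return the request URL with its path replaced by the
     *     {@code javax.servlet.forward.request_uri} attribute, or {@code null} when the request
     *     has no such attribute or the resulting URI is invalid
     */
    @Nullable
    private String getLogicalUri(HttpServletRequest request) {
        String forwardedPath = (String) request.getAttribute("javax.servlet.forward.request_uri");
        if (forwardedPath == null) {
            return null;
        }
        URI current = URI.create(request.getRequestURL().toString());
        try {
            return new URI(current.getScheme(), current.getAuthority(), forwardedPath, current.getQuery(), current.getFragment()).toString();
        } catch (URISyntaxException e) {
            log.log(Level.WARNING, "forwarded request had invalid original URI path: " + sanitizeForLog(forwardedPath));
            return null;
        }
    }

    /** Logs the message at debug level, then validates it against the token's accessor. */
    private void validate3LOMessage(OAuthMessage oAuthMessage, ServiceProviderToken serviceProviderToken) throws OAuthException, IOException, URISyntaxException {
        printMessageToDebug(oAuthMessage);
        this.validator.validateMessage(oAuthMessage, OAuthConverter.createOAuthAccessor(serviceProviderToken));
    }

    /**
     * Builds {@code scheme://host[:port]contextPath} from the request; the port is left out only
     * when it is 80.
     *
     * <p>NOTE(review): host and port are taken from the request, so the result is presumably
     * client-influenced (Host header); in this class it is only passed on as the base URL for
     * the OAuth challenge. Confirm before using it for anything else.
     */
    private static String getBaseUrl(HttpServletRequest request) {
        int port = request.getServerPort();
        String portPart = port == 80 ? "" : ":" + port;
        return request.getScheme() + "://" + request.getServerName() + portPart + request.getContextPath();
    }

    /**
     * Replaces CR and LF with {@code _} so a request-supplied value cannot forge log lines.
     *
     * @param value the value to log, may be null
     * @return the value without line breaks, or {@code null} when {@code value} is null
     */
    @Nullable
    private static String sanitizeForLog(@Nullable String value) {
        if (value == null) {
            return null;
        }
        return value.replace('\r', '_').replace('\n', '_');
    }
}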
