package org.marvelution.jji.security;

import com.nimbusds.jwt.JWTClaimsSet;
import hudson.init.InitMilestone;
import hudson.init.Initializer;
import hudson.util.PluginServletFilter;
import java.io.IOException;
import java.util.Objects;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.marvelution.jji.configuration.JiraSite;
import org.marvelution.jji.configuration.JiraSitesConfiguration;
import org.marvelution.jji.synctoken.SyncTokenAuthenticator;
import org.marvelution.jji.synctoken.exceptions.SyncTokenRequiredException;
import org.marvelution.jji.synctoken.exceptions.UnknownSyncTokenIssuerException;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

/* loaded from: input_file:org/marvelution/jji/security/SyncTokenAuthenticationFilter.class */
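/**
 * Servlet filter that authenticates incoming requests carrying a Jira "sync token" (a JWT).
 *
 * <p>The token issuer is matched against the identifiers of the configured {@link JiraSite}s and
 * the site's shared secret is handed to the {@link SyncTokenAuthenticator} for verification.
 * Outcomes, as implemented in {@link #doFilter(ServletRequest, ServletResponse, FilterChain)}:
 * <ul>
 *   <li>valid token: the request continues with a {@link SyncTokenSecurityContext} installed;</li>
 *   <li>no token: the request continues unchanged so other filters can authenticate it;</li>
 *   <li>unknown issuer: only {@code /jji/register/} gets a context, built from the
 *       <em>unverified</em> claims and keeping the caller's existing authentication;</li>
 *   <li>any other {@link SecurityException}: rejected with {@link AccessDeniedException}.</li>
 * </ul>
 */
public class SyncTokenAuthenticationFilter implements Filter {
    private static final Logger LOGGER = Logger.getLogger(SyncTokenAuthenticationFilter.class.getName());
    /** Request attribute marking that this filter has already handled the request. */
    private static final String FILTER_APPLIED = SyncTokenAuthenticationFilter.class.getName();
    /** The only path that is served with unverified claims when the token issuer is unknown. */
    private static final String REGISTER_PATH = "/jji/register/";
    private final JiraSitesConfiguration sitesConfiguration;
    private final SyncTokenAuthenticator tokenAuthenticator;

    /** Creates the filter backed by the global {@link JiraSitesConfiguration}. */
    public SyncTokenAuthenticationFilter() {
        this(JiraSitesConfiguration.get());
    }

    /**
     * Creates the filter for the given site configuration.
     *
     * @param jiraSitesConfiguration source of the known Jira sites and their shared secrets
     */
    public SyncTokenAuthenticationFilter(JiraSitesConfiguration jiraSitesConfiguration) {
        this.sitesConfiguration = jiraSitesConfiguration;
        // Shared-secret lookup: first configured site whose identifier equals the token issuer.
        this.tokenAuthenticator = new SyncTokenAuthenticator(issuer -> this.sitesConfiguration.stream()
                .filter(site -> Objects.equals(issuer, site.getIdentifier()))
                .findFirst()
                .map(site -> site.getSharedSecret()));
    }

    /**
     * Registers this filter with Jenkins once plugins have started. A registration failure is
     * logged at WARNING and otherwise ignored.
     */
    @Initializer(after = InitMilestone.PLUGINS_STARTED)
    public static void registerFilter() {
        SyncTokenAuthenticationFilter filter = new SyncTokenAuthenticationFilter();
        // NOTE(review): this class does not override equals(), so whether hasFilter() can ever
        // match a freshly created instance depends on how PluginServletFilter compares filters.
        if (PluginServletFilter.hasFilter(filter)) {
            return;
        }
        try {
            PluginServletFilter.addFilter(filter);
        } catch (ServletException e) {
            LOGGER.log(Level.WARNING, "Failed to set up sync-token authentication servlet filter", e);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    /**
     * Authenticates the request by sync token when one is present, then continues the chain.
     *
     * @throws AccessDeniedException if a {@link SecurityException} other than "token required"
     *     or "unknown issuer" is raised inside the guarded section
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        // Non-HTTP requests and requests already handled by this filter pass straight through.
        if (!(servletRequest instanceof HttpServletRequest) || servletRequest.getAttribute(FILTER_APPLIED) != null) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        servletRequest.setAttribute(FILTER_APPLIED, Boolean.TRUE);
        try {
            try {
                JWTClaimsSet claims = this.tokenAuthenticator.authenticate(httpRequest);
                LOGGER.log(Level.FINE, "Authenticated {0} through Sync Token.", claims.getIssuer());
                JiraSite site = this.sitesConfiguration.stream()
                        .filter(candidate -> Objects.equals(candidate.getIdentifier(), claims.getIssuer()))
                        .findFirst()
                        .orElseThrow(() -> new IllegalStateException("Authenticated by sync-token but unable to find a Jira site for it."));
                LOGGER.log(Level.FINE, "Forwarding request with SYSTEM authentication for {0}.", site.getName());
                doFilter(new SyncTokenSecurityContext(claims, site), httpRequest, servletResponse, filterChain);
            } catch (SyncTokenRequiredException e) {
                LOGGER.log(Level.FINE, "No sync token found, forwarding request through the chain for others to handle authentication.");
                filterChain.doFilter(servletRequest, servletResponse);
            }
        } catch (UnknownSyncTokenIssuerException e) {
            // getPathInfo() may return null; that is treated as "not the register path" so the
            // request falls through to the normal chain instead of failing on a null dereference.
            String path = normalizePath(httpRequest.getPathInfo());
            if (REGISTER_PATH.equals(path)) {
                // SECURITY: these claims were NOT verified against any shared secret, so the issuer
                // is caller-controlled (including in this log line). The context gets no site and
                // keeps whatever authentication the request already had; the registration handler
                // must not treat the claims as proof of identity.
                LOGGER.log(Level.FINE, "Allowing request to {0} for unverified site {1}", new Object[]{path, e.getUnverifiedClaims().getIssuer()});
                SyncTokenSecurityContext unverifiedContext = new SyncTokenSecurityContext(e.getUnverifiedClaims(), null);
                unverifiedContext.setAuthentication(SecurityContextHolder.getContext().getAuthentication());
                doFilter(unverifiedContext, httpRequest, servletResponse, filterChain);
            } else {
                LOGGER.log(Level.FINE, "Unknown sync token issuer, forwarding request through the chain for others to handle authentication.");
                filterChain.doFilter(servletRequest, servletResponse);
            }
        } catch (SecurityException e) {
            // Fail closed: a token that is present but invalid is never passed on for fallback.
            throw new AccessDeniedException("invalid sync token", e);
        } finally {
            // Clear the marker on every exit path, normal or exceptional.
            servletRequest.removeAttribute(FILTER_APPLIED);
        }
    }

    @Override
    public void destroy() {
    }

    /**
     * Appends a trailing slash unless the path already ends with one or its last segment
     * contains a dot.
     *
     * @return the normalized path, or {@code null} when {@code pathInfo} is {@code null}
     */
    private static String normalizePath(String pathInfo) {
        if (pathInfo == null) {
            return null;
        }
        boolean lastSegmentHasDot = pathInfo.lastIndexOf('.') > pathInfo.lastIndexOf('/');
        return (pathInfo.endsWith("/") || lastSegmentHasDot) ? pathInfo : pathInfo + "/";
    }

    /**
     * Runs the rest of the chain with {@code syncTokenSecurityContext} installed, then restores
     * the previous security context and detaches the sync-token context from the request.
     */
    private void doFilter(SyncTokenSecurityContext syncTokenSecurityContext, HttpServletRequest httpServletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        SecurityContext previousContext = SecurityContextHolder.getContext();
        try {
            SecurityContextHolder.setContext(syncTokenSecurityContext);
            syncTokenSecurityContext.attachToRequest(httpServletRequest);
            filterChain.doFilter(httpServletRequest, servletResponse);
        } finally {
            // Always restore, so the sync-token context cannot outlive this request on the thread.
            SecurityContextHolder.setContext(previousContext);
            syncTokenSecurityContext.detachFromRequest(httpServletRequest);
        }
    }
}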
