package com.atlassian.crowd.manager.authentication;

import com.atlassian.crowd.dao.application.ApplicationDAO;
import com.atlassian.crowd.event.application.ApplicationAuthenticatedEvent;
import com.atlassian.crowd.event.token.TokenInvalidatedEvent;
import com.atlassian.crowd.event.user.UserAuthenticationFailedAccessDeniedEvent;
import com.atlassian.crowd.event.user.UserAuthenticationSucceededEvent;
import com.atlassian.crowd.exception.ApplicationNotFoundException;
import com.atlassian.crowd.exception.DirectoryNotFoundException;
import com.atlassian.crowd.exception.ExpiredCredentialException;
import com.atlassian.crowd.exception.InactiveAccountException;
import com.atlassian.crowd.exception.InvalidAuthenticationException;
import com.atlassian.crowd.exception.InvalidTokenException;
import com.atlassian.crowd.exception.ObjectNotFoundException;
import com.atlassian.crowd.exception.OperationFailedException;
import com.atlassian.crowd.exception.TokenExpiredException;
import com.atlassian.crowd.exception.TokenNotFoundException;
import com.atlassian.crowd.exception.UserNotFoundException;
import com.atlassian.crowd.manager.application.ApplicationAccessDeniedException;
import com.atlassian.crowd.manager.application.ApplicationManager;
import com.atlassian.crowd.manager.application.ApplicationService;
import com.atlassian.crowd.manager.cache.CacheManager;
import com.atlassian.crowd.manager.cache.CacheManagerException;
import com.atlassian.crowd.manager.cache.NotInCacheException;
import com.atlassian.crowd.manager.directory.DirectoryManager;
import com.atlassian.crowd.manager.property.PropertyManager;
import com.atlassian.crowd.manager.token.TokenManager;
import com.atlassian.crowd.manager.token.factory.TokenFactory;
import com.atlassian.crowd.model.application.Application;
import com.atlassian.crowd.model.application.DirectoryMapping;
import com.atlassian.crowd.model.application.GroupMapping;
import com.atlassian.crowd.model.authentication.ApplicationAuthenticationContext;
import com.atlassian.crowd.model.authentication.AuthenticationContext;
import com.atlassian.crowd.model.authentication.UserAuthenticationContext;
import com.atlassian.crowd.model.authentication.ValidationFactor;
import com.atlassian.crowd.model.group.GroupType;
import com.atlassian.crowd.model.token.Token;
import com.atlassian.crowd.model.user.User;
import com.atlassian.crowd.search.EntityDescriptor;
import com.atlassian.crowd.search.builder.QueryBuilder;
import com.atlassian.crowd.search.query.entity.EntityQuery;
import com.atlassian.event.api.EventPublisher;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.ConcurrentModificationException;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import org.apache.log4j.Logger;
import org.springframework.util.Assert;

/* loaded from: input_file:com/atlassian/crowd/manager/authentication/TokenAuthenticationManagerImpl.class */
public class TokenAuthenticationManagerImpl implements TokenAuthenticationManager {
    private static final int MILLIS_IN_MINUTE = 60000;
    private final Logger logger = Logger.getLogger(getClass());
    private TokenManager tokenManager;
    private ApplicationDAO applicationDao;
    private TokenFactory tokenFactory;
    private CacheManager cacheManager;
    private EventPublisher eventPublisher;
    private PropertyManager propertyManager;
    private DirectoryManager directoryManager;
    private ApplicationManager applicationManager;
    private ApplicationService applicationService;

    public void invalidateToken(String str) {
        try {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("InvalidateToken: token " + str);
            }
            Token findByRandomHash = this.tokenManager.findByRandomHash(str);
            this.logger.debug("Removing token from the database");
            this.tokenManager.remove(findByRandomHash);
            this.eventPublisher.publish(new TokenInvalidatedEvent(this, findByRandomHash));
        } catch (ObjectNotFoundException e) {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("Token does not exist", e);
            }
        }
    }

    public List<Token> searchTokens(EntityQuery entityQuery) {
        return this.tokenManager.search(entityQuery);
    }

    public void removeExpiredTokens() {
        this.tokenManager.removeAccessedBefore(new Date(System.currentTimeMillis() - (this.propertyManager.getSessionTime() * 60000)));
    }

    public User findUserByToken(String str, String str2) throws InvalidTokenException, OperationFailedException, ApplicationAccessDeniedException {
        try {
            Token findByRandomHash = this.tokenManager.findByRandomHash(str);
            if (findByRandomHash.isApplicationToken()) {
                throw new InvalidTokenException("Found token was for an application, not a user");
            }
            User findUserByName = this.directoryManager.findUserByName(findByRandomHash.getDirectoryId(), findByRandomHash.getName());
            if (isAllowedToAuthenticate(findByRandomHash, this.applicationManager.findByName(str2))) {
                return findUserByName;
            }
            throw new ApplicationAccessDeniedException(str2);
        } catch (DirectoryNotFoundException e) {
            throw new InvalidTokenException(e.getMessage(), e);
        } catch (UserNotFoundException e2) {
            throw new InvalidTokenException(e2.getMessage(), e2);
        } catch (ObjectNotFoundException e3) {
            throw new InvalidTokenException(e3.getMessage(), e3);
        }
    }

    public List<Application> findAuthorisedApplications(User user, String str) throws OperationFailedException, DirectoryNotFoundException {
        return this.applicationDao.findAuthorisedApplications(user.getDirectoryId(), this.directoryManager.searchNestedGroupRelationships(user.getDirectoryId(), QueryBuilder.queryFor(String.class, EntityDescriptor.group(GroupType.GROUP)).parentsOf(EntityDescriptor.user()).withName(user.getName()).returningAtMost(-1)));
    }

    public Token authenticateApplication(ApplicationAuthenticationContext applicationAuthenticationContext) throws InvalidAuthenticationException {
        try {
            Application findByName = this.applicationDao.findByName(applicationAuthenticationContext.getName());
            if (!findByName.isActive()) {
                throw new InvalidAuthenticationException("Application is not active");
            }
            if (!this.applicationManager.authenticate(findByName, applicationAuthenticationContext.getCredential())) {
                throw new InvalidAuthenticationException("The password in the application's crowd.properties file does not match the password in Crowd.");
            }
            Token generateApplicationToken = generateApplicationToken(applicationAuthenticationContext);
            this.eventPublisher.publish(new ApplicationAuthenticatedEvent(this, findByName, generateApplicationToken));
            return generateApplicationToken;
        } catch (InvalidTokenException e) {
            throw new InvalidAuthenticationException(applicationAuthenticationContext.getName(), e);
        } catch (ApplicationNotFoundException e2) {
            throw new InvalidAuthenticationException(applicationAuthenticationContext.getName(), e2);
        }
    }

    public Token authenticateUser(UserAuthenticationContext userAuthenticationContext, boolean z, boolean z2) throws InvalidAuthenticationException, OperationFailedException, InactiveAccountException, ApplicationAccessDeniedException, ExpiredCredentialException {
        User findUserByName;
        if (userAuthenticationContext == null) {
            throw new InvalidAuthenticationException("Unable to authenticate with null context");
        }
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Authenticating user: " + userAuthenticationContext.getName());
        }
        try {
            Application findByName = this.applicationDao.findByName(userAuthenticationContext.getApplication());
            if (z) {
                findUserByName = this.applicationService.authenticateUser(findByName, userAuthenticationContext.getName(), userAuthenticationContext.getCredential());
            } else {
                findUserByName = this.applicationService.findUserByName(findByName, userAuthenticationContext.getName());
                if (!findUserByName.isActive()) {
                    throw new InactiveAccountException(findUserByName.getName());
                }
            }
            Token generateUserToken = generateUserToken(findUserByName.getDirectoryId(), userAuthenticationContext);
            if (this.applicationService.isUserAuthorised(findByName, userAuthenticationContext.getName())) {
                if (this.logger.isDebugEnabled()) {
                    this.logger.debug("User <" + userAuthenticationContext.getName() + "> has access to the application <" + findByName.getName() + ">");
                }
                this.eventPublisher.publish(new UserAuthenticationSucceededEvent(this, findUserByName, findByName, generateUserToken));
                return generateUserToken;
            }
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("User <" + userAuthenticationContext.getName() + "> does NOT have access to the application <" + findByName.getName() + ">");
            }
            this.eventPublisher.publish(new UserAuthenticationFailedAccessDeniedEvent(this, findUserByName, findByName));
            throw new ApplicationAccessDeniedException(userAuthenticationContext.getApplication());
        } catch (CacheManagerException e) {
            throw new InvalidAuthenticationException(userAuthenticationContext.getName(), e);
        } catch (UserNotFoundException e2) {
            throw new InvalidAuthenticationException(userAuthenticationContext.getName(), e2);
        } catch (InvalidTokenException e3) {
            throw new InvalidAuthenticationException(userAuthenticationContext.getName(), e3);
        } catch (ApplicationNotFoundException e4) {
            throw new InvalidAuthenticationException(userAuthenticationContext.getName(), e4);
        }
    }

    public Token authenticateUser(UserAuthenticationContext userAuthenticationContext) throws InvalidAuthenticationException, OperationFailedException, InactiveAccountException, ApplicationAccessDeniedException, ExpiredCredentialException {
        return authenticateUser(userAuthenticationContext, true, false);
    }

    public Token authenticateUserWithoutValidatingPassword(UserAuthenticationContext userAuthenticationContext) throws InvalidAuthenticationException, OperationFailedException, InactiveAccountException, ApplicationAccessDeniedException {
        try {
            return authenticateUser(userAuthenticationContext, false, false);
        } catch (ExpiredCredentialException e) {
            this.logger.fatal("This should never happen! This user is not authenticated by validating the password.");
            throw InvalidAuthenticationException.newInstanceWithName(userAuthenticationContext.getName());
        }
    }

    public Token validateApplicationToken(String str, ValidationFactor[] validationFactorArr) throws InvalidTokenException {
        return genericValidateToken(str, validationFactorArr);
    }

    public Token validateUserToken(String str, ValidationFactor[] validationFactorArr, String str2) throws InvalidTokenException, ApplicationAccessDeniedException, OperationFailedException {
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("validateUserToken: " + str);
        }
        Token genericValidateToken = genericValidateToken(str, validationFactorArr);
        try {
            Application findByName = this.applicationDao.findByName(str2);
            try {
                if (isAllowedToAuthenticate(genericValidateToken, findByName)) {
                    if (this.logger.isDebugEnabled()) {
                        this.logger.debug("user has access to the application <" + findByName.getName() + ">");
                    }
                    return genericValidateToken;
                }
                if (this.logger.isDebugEnabled()) {
                    this.logger.debug("user does NOT have access to the application <" + findByName.getName() + ">");
                }
                throw new ApplicationAccessDeniedException(str2);
            } catch (DirectoryNotFoundException e) {
                throw new ConcurrentModificationException("Directory mapping removed while validating the user token");
            }
        } catch (ObjectNotFoundException e2) {
            throw new ApplicationAccessDeniedException(str2);
        }
    }

    protected Token generateUserToken(long j, AuthenticationContext authenticationContext) throws InvalidTokenException {
        Token findByIdentifierHash;
        Assert.notNull(authenticationContext);
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("generateUserToken: user " + authenticationContext.getName());
        }
        ValidationFactor[] validationFactors = authenticationContext.getValidationFactors();
        if (validationFactors == null) {
            validationFactors = new ValidationFactor[0];
        }
        Token create = this.tokenFactory.create(j, authenticationContext.getName(), new ArrayList(Arrays.asList(validationFactors)));
        try {
            findByIdentifierHash = this.tokenManager.findByIdentifierHash(create.getIdentifierHash());
        } catch (ObjectNotFoundException e) {
            this.tokenManager.add(create);
            this.logger.debug("Returning newly created token");
        }
        if (isExpired(findByIdentifierHash)) {
            this.logger.debug("Token exists matching identifierHash, but is expired, so need to create a new token");
            this.tokenManager.remove(findByIdentifierHash);
            throw new ObjectNotFoundException(Token.class, create.getIdentifierHash());
        }
        create = this.tokenManager.update(findByIdentifierHash);
        this.logger.debug("Returning existing token that matched identifierHash");
        return create;
    }

    protected Token generateApplicationToken(ApplicationAuthenticationContext applicationAuthenticationContext) throws InvalidTokenException {
        return generateUserToken(-1L, applicationAuthenticationContext);
    }

    protected Token genericValidateToken(String str, ValidationFactor[] validationFactorArr) throws InvalidTokenException {
        Assert.notNull(str, "A token key cannot be null");
        Assert.notNull(validationFactorArr, "The array of ValidationFactors cannot be null");
        this.logger.debug("genericValidateToken");
        try {
            Token findByRandomHash = this.tokenManager.findByRandomHash(str);
            if (isExpired(findByRandomHash)) {
                this.logger.debug("token has expired. removing from db");
                this.tokenManager.remove(findByRandomHash);
                throw new TokenExpiredException("Token has expired.");
            }
            Token create = this.tokenFactory.create(findByRandomHash.getDirectoryId(), findByRandomHash.getName(), new ArrayList(Arrays.asList(validationFactorArr)), findByRandomHash.getRandomNumber());
            if (this.logger.isDebugEnabled()) {
                StringBuffer stringBuffer = new StringBuffer("Current Validation Factors: \n");
                for (ValidationFactor validationFactor : validationFactorArr) {
                    stringBuffer.append(validationFactor);
                }
                this.logger.debug(stringBuffer.toString());
                this.logger.debug("comparing existing token " + findByRandomHash + " with a validation token " + create);
            }
            if (findByRandomHash.getRandomHash().equals(create.getRandomHash())) {
                this.logger.debug("returning validated token, with updated last accessed time");
                return this.tokenManager.update(findByRandomHash);
            }
            this.logger.debug("The token keys don't match");
            throw new InvalidTokenException("Token doesn't match the existing token.");
        } catch (ObjectNotFoundException e) {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("The token " + str + " was not found in db");
            }
            throw new TokenNotFoundException("Token does not validate.");
        }
    }

    protected boolean isExpired(Token token) {
        long currentTimeMillis = System.currentTimeMillis();
        long time = currentTimeMillis - token.getLastAccessedDate().getTime();
        long sessionTime = 60000 * this.propertyManager.getSessionTime();
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("checking if the token is expired:");
            this.logger.debug("\tnow: \t\t\t" + currentTimeMillis);
            this.logger.debug("\tlast accessed: \t" + token.getLastAccessedDate());
            this.logger.debug("\tdifference: \t" + time);
            this.logger.debug("\tallowed elapse: " + sessionTime);
        }
        return time > sessionTime;
    }

    public boolean isAllowedToAuthenticate(String str, long j, Application application) throws OperationFailedException, DirectoryNotFoundException {
        if (!application.isActive()) {
            if (!this.logger.isDebugEnabled()) {
                return false;
            }
            this.logger.debug("User does not have access to application '" + application.getName() + "' as the application is inactive");
            return false;
        }
        DirectoryMapping directoryMapping = application.getDirectoryMapping(j);
        if (directoryMapping != null) {
            if (directoryMapping.isAllowAllToAuthenticate()) {
                return true;
            }
            Iterator it = directoryMapping.getAuthorisedGroups().iterator();
            while (it.hasNext()) {
                if (this.directoryManager.isUserNestedGroupMember(j, str, ((GroupMapping) it.next()).getGroupName())) {
                    return true;
                }
            }
        }
        if (!this.logger.isDebugEnabled()) {
            return false;
        }
        this.logger.debug("User does not have access to application '" + application.getName() + "' as the directory is not allow all to authenticate and the user is not a member of any of the authorised groups");
        return false;
    }

    public boolean isAllowedToAuthenticate(Token token, Application application, boolean z) throws OperationFailedException, DirectoryNotFoundException {
        if (z || !this.propertyManager.isCacheEnabled()) {
            return isAllowedToAuthenticate(token.getName(), token.getDirectoryId(), application);
        }
        try {
            if (((Boolean) this.cacheManager.get(application.getName() + token.getRandomHash())).booleanValue()) {
                return true;
            }
        } catch (NotInCacheException e) {
        }
        boolean isAllowedToAuthenticate = isAllowedToAuthenticate(token.getName(), token.getDirectoryId(), application);
        this.cacheManager.put(application.getName() + token.getRandomHash(), Boolean.valueOf(isAllowedToAuthenticate));
        return isAllowedToAuthenticate;
    }

    public boolean isAllowedToAuthenticate(Token token, Application application) throws OperationFailedException, DirectoryNotFoundException {
        return isAllowedToAuthenticate(token, application, false);
    }

    public void setTokenManager(TokenManager tokenManager) {
        this.tokenManager = tokenManager;
    }

    public void setApplicationDao(ApplicationDAO applicationDAO) {
        this.applicationDao = applicationDAO;
    }

    public void setTokenFactory(TokenFactory tokenFactory) {
        this.tokenFactory = tokenFactory;
    }

    public void setCacheManager(CacheManager cacheManager) {
        this.cacheManager = cacheManager;
    }

    public void setEventPublisher(EventPublisher eventPublisher) {
        this.eventPublisher = eventPublisher;
    }

    public void setPropertyManager(PropertyManager propertyManager) {
        this.propertyManager = propertyManager;
    }

    public void setDirectoryManager(DirectoryManager directoryManager) {
        this.directoryManager = directoryManager;
    }

    public void setApplicationManager(ApplicationManager applicationManager) {
        this.applicationManager = applicationManager;
    }

    public void setApplicationService(ApplicationService applicationService) {
        this.applicationService = applicationService;
    }
}
