package com.atlassian.plugins.authentication.basicauth.filter;

import com.atlassian.plugins.authentication.basicauth.service.BasicAuthRequestMatcher;
import com.atlassian.plugins.authentication.basicauth.service.CachingBasicAuthService;
import com.atlassian.plugins.authentication.sso.util.PluginData;
import com.google.common.annotations.VisibleForTesting;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Pattern;
import javax.annotation.Nullable;
import javax.inject.Inject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.util.UrlPathHelper;

/* loaded from: input_file:com/atlassian/plugins/authentication/basicauth/filter/DisableBasicAuthFilter.class */
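/**
 * Servlet filter that enforces the "Basic Authentication disabled" policy.
 *
 * <p>When the {@link BasicAuthRequestMatcher} says requests should be blocked and the
 * incoming request carries a {@code Basic} {@code Authorization} header, the request is
 * handled in one of three ways:
 * <ul>
 *   <li>the request path is allow-listed: the request is let through, but any HTTP session
 *       that exists once the chain has run is invalidated (so a session established with the
 *       basic credentials cannot be reused by a browser afterwards);</li>
 *   <li>the username from the header is allow-listed: the request is let through unchanged;</li>
 *   <li>otherwise the request is blocked and {@link DisableBasicAuthResponseWriter} renders the
 *       rejection response.</li>
 * </ul>
 * Requests without a {@code Basic} header, or when blocking is switched off, pass through
 * untouched.
 *
 * <p>Session invalidation can be turned off by setting the system property
 * {@link #INVALIDATE_SESSION_SYSTEM_PROPERTY} to {@code false}.
 *
 * <p>NOTE(review): only the first {@code Authorization} header is inspected (servlet
 * {@code getHeader}). Whether a request carrying several {@code Authorization} headers is
 * interpreted the same way by the downstream authenticator cannot be verified here - confirm
 * against the authenticator if that matters for the deployment.
 */
public class DisableBasicAuthFilter implements Filter {

    /** System property; the value {@code "false"} (case-insensitive) disables session invalidation. */
    @VisibleForTesting
    static final String INVALIDATE_SESSION_SYSTEM_PROPERTY = "com.atlassian.plugins.authentication.basic.auth.filter.invalidate.session";
    private static final String BASIC_AUTH_TYPE_PREFIX = "Basic ";
    private static final String AUTHORIZATION_HEADER = "Authorization";
    /** Control characters that must not reach log output verbatim (log forging / line splitting). */
    private static final Pattern LOG_UNSAFE_CHARS = Pattern.compile("\\p{Cntrl}");
    private final CachingBasicAuthService cachingBasicAuthService;
    private final DisableBasicAuthResponseWriter disableBasicAuthResponseWriter;
    private static final Logger log = LoggerFactory.getLogger(DisableBasicAuthFilter.class);
    private static final UrlPathHelper URL_PATH_HELPER = new UrlPathHelper();

    /** Outcome of inspecting a request. */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/atlassian/plugins/authentication/basicauth/filter/DisableBasicAuthFilter$Result.class */
    public enum Result {
        /** Reject the request; the filter chain is not invoked. */
        BLOCK_REQUEST,
        /** Run the chain, then invalidate the HTTP session (if any and if enabled). */
        INVALIDATE_SESSION,
        /** Run the chain unchanged. */
        ALLOW_REQUEST
    }

    /**
     * @param cachingBasicAuthService supplies the (cached) matcher that holds the block flag and allow-lists
     * @param disableBasicAuthResponseWriter renders the response for blocked requests
     */
    @Inject
    public DisableBasicAuthFilter(CachingBasicAuthService cachingBasicAuthService, DisableBasicAuthResponseWriter disableBasicAuthResponseWriter) {
        this.cachingBasicAuthService = cachingBasicAuthService;
        this.disableBasicAuthResponseWriter = disableBasicAuthResponseWriter;
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // No configuration is read from the filter config.
    }

    /**
     * Applies the policy described on the class: block, pass through, or pass through and
     * invalidate the session afterwards.
     *
     * <p>Session invalidation runs in a {@code finally} block so that a session created while
     * processing an allow-listed path is also discarded when the chain throws - the exception
     * path is exactly where leaving a freshly authenticated session behind is least expected.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        Result decision = checkRequest(request);
        if (decision == Result.BLOCK_REQUEST) {
            log.trace("Blocking HTTP request - Basic Authentication is not allowed: {}", request.getRequestURI());
            this.disableBasicAuthResponseWriter.write(request, response);
            return;
        }
        log.trace("Allowing HTTP request: {}", request.getRequestURI());
        try {
            filterChain.doFilter(request, response);
        } finally {
            if (decision == Result.INVALIDATE_SESSION && isSessionInvalidationEnabled()) {
                invalidateExistingSession(request);
            }
        }
    }

    /** Invalidation is on unless the system property is explicitly set to {@code false}. */
    private static boolean isSessionInvalidationEnabled() {
        return !"false".equalsIgnoreCase(System.getProperty(INVALIDATE_SESSION_SYSTEM_PROPERTY));
    }

    /**
     * Invalidates the request's session if one exists. Never creates a session.
     * Best effort: a session that was already invalidated downstream is silently skipped.
     */
    private static void invalidateExistingSession(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return;
        }
        try {
            log.debug("Invalidating session {} for HTTP request: {}", session.getId(), request.getRequestURI());
            session.invalidate();
        } catch (IllegalStateException ignored) {
            // The session was invalidated further down the chain; nothing left to do.
        }
    }

    /**
     * Decides how the request is to be handled.
     *
     * <p>Evaluation order matters: the path allow-list wins over the user allow-list, because a
     * path match produces {@link Result#INVALIDATE_SESSION} (pass through, then drop the session)
     * whereas a user match produces a plain {@link Result#ALLOW_REQUEST}.
     */
    private Result checkRequest(HttpServletRequest request) {
        String authorization = StringUtils.trim(request.getHeader(AUTHORIZATION_HEADER));
        BasicAuthRequestMatcher matcher = this.cachingBasicAuthService.getMatcher();
        if (!matcher.isBlockRequests() || !isBasicAuthorizationHeader(authorization)) {
            return Result.ALLOW_REQUEST;
        }
        String path = URL_PATH_HELPER.getPathWithinApplication(request);
        String username = decodeBasicAuthorizationUsername(authorization);
        // The username is attacker-controlled; neutralise control characters before logging it.
        String usernameForLog = sanitizeForLog(username);
        log.debug("Basic Authentication is not allowed, checking if request is allow-listed (path={}, user={})", path, usernameForLog);
        if (matcher.isPathAllowed(path)) {
            log.debug("Path is allowed - allowing the request, but will invalidate session afterwards (path={}, user={})", path, usernameForLog);
            return Result.INVALIDATE_SESSION;
        }
        if (matcher.isUserAllowed(username)) {
            log.debug("User is allowed - allowing the request (path={}, user={})", path, usernameForLog);
            return Result.ALLOW_REQUEST;
        }
        log.debug("Neither path nor user are allowed - blocking the request (path={}, user={})", path, usernameForLog);
        return Result.BLOCK_REQUEST;
    }

    /**
     * True when the (trimmed) header value uses the {@code Basic} scheme. The scheme is matched
     * case-insensitively, as HTTP auth schemes are case-insensitive.
     *
     * <p>NOTE(review): the check requires exactly the scheme followed by a single space. A value
     * such as {@code "Basic\t..."} is not treated as basic auth here and passes through; whether
     * the downstream authenticator accepts such a value cannot be determined from this class.
     */
    private boolean isBasicAuthorizationHeader(@Nullable String header) {
        return StringUtils.startsWithIgnoreCase(header, BASIC_AUTH_TYPE_PREFIX);
    }

    /**
     * Extracts the username from a {@code Basic} header value: the part of the base64-decoded
     * credentials before {@link PluginData#SEPARATOR}.
     *
     * <p>The decoded bytes are interpreted as UTF-8 rather than the platform default charset, so
     * the username compared against the allow-list does not depend on the JVM's
     * {@code file.encoding}.
     *
     * @return the username, or {@code null} when the header is absent or not valid base64
     */
    @Nullable
    private String decodeBasicAuthorizationUsername(@Nullable String header) {
        String encoded = StringUtils.substring(header, BASIC_AUTH_TYPE_PREFIX.length());
        if (encoded == null) {
            return null;
        }
        try {
            byte[] credentials = Base64.getDecoder().decode(encoded);
            return StringUtils.substringBefore(new String(credentials, StandardCharsets.UTF_8), PluginData.SEPARATOR);
        } catch (IllegalArgumentException e) {
            log.debug("Could not decode Authorisation header - not a base64 encoded value", e);
            return null;
        }
    }

    /** Replaces control characters (CR, LF, ...) so a crafted username cannot forge log lines. */
    @Nullable
    private static String sanitizeForLog(@Nullable String value) {
        if (value == null) {
            return null;
        }
        return LOG_UNSAFE_CHARS.matcher(value).replaceAll("?");
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}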
