package com.atlassian.crowd.integration.seraph.v22;

import com.atlassian.crowd.exception.InvalidAuthenticationException;
import com.atlassian.crowd.exception.OperationFailedException;
import com.atlassian.crowd.exception.UserNotFoundException;
import com.atlassian.crowd.integration.http.CacheAwareCrowdHttpAuthenticator;
import com.atlassian.crowd.integration.http.CrowdHttpAuthenticator;
import com.atlassian.crowd.service.AuthenticatorUserCache;
import com.atlassian.seraph.auth.AuthenticatorException;
import com.atlassian.seraph.auth.DefaultAuthenticator;
import com.atlassian.seraph.auth.LoginReason;
import com.atlassian.seraph.elevatedsecurity.ElevatedSecurityGuard;
import com.atlassian.seraph.util.RedirectUtils;
import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;

/* loaded from: input_file:com/atlassian/crowd/integration/seraph/v22/CrowdAuthenticator.class */
/**
 * Seraph {@code DefaultAuthenticator} that delegates credential checks and SSO
 * session handling to Crowd via a {@link CrowdHttpAuthenticator}.
 *
 * <p>Design note (grounded in {@link #login} and {@link #authenticate}): the real
 * password is only ever sent to Crowd. What reaches Seraph's own
 * {@code super.login(...)} is a one-character sentinel ({@code "c"} when Crowd
 * accepted the credentials, {@code "i"} otherwise), and {@link #authenticate}
 * merely recognises that sentinel. This keeps Seraph's session bookkeeping and
 * {@link LoginReason} stamping while never letting it see user secrets.
 *
 * <p>NOTE(review): that scheme is only safe while every inherited code path that
 * ends in {@link #authenticate} goes through this class's {@link #login}. If any
 * Seraph path (e.g. the basic-auth handling inherited from the superclass and used
 * in {@link #isAuthenticated}) handed a caller-supplied string straight to
 * {@code authenticate}, a user whose typed password is literally {@code "c"}
 * would be accepted - confirm against the Seraph version in use.
 *
 * <p>Subclasses must supply {@link #logoutUser(HttpServletRequest)} to clear any
 * application-specific session state, and inherit {@code getUser(String)} from
 * Seraph to resolve a username to a {@link Principal}.
 */
public abstract class CrowdAuthenticator extends DefaultAuthenticator {
    /** Session attribute under which the Crowd token that established the cached principal is stored. */
    private static final String SESSION_TOKEN_KEY = CrowdAuthenticator.class.getName() + "#SESSION_TOKEN_KEY";
    protected static final Logger logger = Logger.getLogger(CrowdAuthenticator.class);
    /** Sentinel handed to Seraph in place of a password once Crowd has accepted the login. */
    private static final String CORRECT_PASSWORD = "c";
    /** Sentinel handed to Seraph when Crowd rejected the login (or the call failed). */
    private static final String INCORRECT_PASSWORD = "i";
    private final CrowdHttpAuthenticator crowdHttpAuthenticator;

    /**
     * Wraps the supplied authenticator in a cache-aware one whose cache-miss
     * callback resolves users through {@link #fetchUserInCache(String)}.
     *
     * @param crowdHttpAuthenticator the Crowd client used for authenticate/logout/token lookups
     */
    public CrowdAuthenticator(CrowdHttpAuthenticator crowdHttpAuthenticator) {
        AuthenticatorUserCache userCache = new AuthenticatorUserCache() {
            public void fetchInCache(String username) throws UserNotFoundException, InvalidAuthenticationException, OperationFailedException {
                // Route through the outer instance so subclasses can override the lookup.
                CrowdAuthenticator.this.fetchUserInCache(username);
            }
        };
        this.crowdHttpAuthenticator = new CacheAwareCrowdHttpAuthenticator(crowdHttpAuthenticator, userCache);
    }

    /**
     * Cache-miss hook: resolves {@code username} via Seraph's {@code getUser(String)}
     * so the application-side user cache is populated. The result is discarded.
     *
     * @param username the user to fetch
     * @throws UserNotFoundException          if the user does not exist
     * @throws InvalidAuthenticationException propagated from the lookup
     * @throws OperationFailedException       propagated from the lookup
     */
    protected void fetchUserInCache(String username) throws UserNotFoundException, InvalidAuthenticationException, OperationFailedException {
        getUser(username);
    }

    /**
     * Seraph callback invoked by {@code super.login(...)}. This class never passes a
     * real password here - only the {@code "c"}/{@code "i"} sentinel computed in
     * {@link #login}, so the check is simply "did Crowd already say yes".
     *
     * @param principal the resolved user (unused; Crowd already validated it)
     * @param password  expected to be the sentinel, never a user-typed secret
     * @return {@code true} iff {@code password} is the "correct" sentinel
     */
    protected boolean authenticate(Principal principal, String password) {
        return CORRECT_PASSWORD.equals(password);
    }

    /**
     * Logs the user in: first clears any existing Crowd and Seraph session state,
     * then authenticates the credentials with Crowd, and finally lets Seraph
     * establish its own session using the sentinel password.
     *
     * <p>Any exception from the Crowd step (including the preceding logout) is
     * logged at INFO with its stack trace and treated as a failed login. The
     * exception message is logged verbatim; it is assumed Crowd's messages do not
     * echo the submitted password - worth confirming for the client version in use.
     *
     * @param request     current request
     * @param response    current response (Crowd may set its SSO cookie on it)
     * @param username    submitted username
     * @param password    submitted password, forwarded only to Crowd
     * @param storeCookie Seraph remember-me flag, forwarded unchanged
     * @return whatever Seraph's {@code super.login} returns for the sentinel
     * @throws AuthenticatorException propagated from {@code super.login}
     */
    public boolean login(HttpServletRequest request, HttpServletResponse response, String username, String password, boolean storeCookie) throws AuthenticatorException {
        boolean crowdAccepted = authenticateWithCrowd(request, response, username, password);
        String sentinel = crowdAccepted ? CORRECT_PASSWORD : INCORRECT_PASSWORD;
        logger.debug("Updating user session for Seraph");
        return super.login(request, response, username, sentinel, storeCookie);
    }

    /**
     * Performs the Crowd half of {@link #login}: reset state, clear any stale
     * {@link LoginReason}, then ask Crowd to validate the credentials.
     *
     * @return {@code true} if Crowd accepted; {@code false} on rejection or any error
     */
    private boolean authenticateWithCrowd(HttpServletRequest request, HttpServletResponse response, String username, String password) {
        try {
            logout(request, response);
            request.setAttribute(LoginReason.REQUEST_ATTR_NAME, null);
            logger.debug("Authenticating user with Crowd");
            this.crowdHttpAuthenticator.authenticate(request, response, username, password);
            return true;
        } catch (Exception e) {
            logger.info(e.getMessage(), e);
            return false;
        }
    }

    /**
     * Logs the user out of Crowd SSO and the application-specific session state
     * (best effort, errors logged at INFO), then always out of Seraph's session.
     *
     * @param request  current request
     * @param response current response
     * @return the result of Seraph's {@code super.logout}
     * @throws AuthenticatorException propagated from {@code super.logout}
     */
    public boolean logout(HttpServletRequest request, HttpServletResponse response) throws AuthenticatorException {
        logoutFromCrowdQuietly(request, response);
        logger.debug("Invalidating user in Seraph specific session variables");
        return super.logout(request, response);
    }

    /** Crowd-side logout plus the subclass hook; failures are logged, never propagated. */
    private void logoutFromCrowdQuietly(HttpServletRequest request, HttpServletResponse response) {
        try {
            logger.debug("Logging off from Crowd");
            this.crowdHttpAuthenticator.logout(request, response);
            logger.debug("Invalidating user in Crowd-Seraph specific session variables");
            logoutUser(request);
        } catch (Exception e) {
            logger.info(e.getMessage(), e);
        }
    }

    /**
     * Decides whether the request carries a valid authentication, trying in order:
     * an earlier trusted-apps filter, a Crowd SSO token, a Seraph remember-me
     * cookie (which is then registered with Crowd), and HTTP Basic credentials.
     * Evaluation stops at the first mechanism that succeeds.
     *
     * <p>If none succeeds, the application and Seraph session state are cleared so
     * a stale principal cannot linger alongside a rejected request. Note that an
     * error while talking to Crowd is treated the same as "not authenticated".
     *
     * @param request  current request
     * @param response current response; may be {@code null}, in which case the
     *                 Seraph-side logout is skipped
     * @return {@code true} iff one of the mechanisms accepted the request
     */
    protected boolean isAuthenticated(HttpServletRequest request, HttpServletResponse response) {
        boolean authenticated = isTrustedAppsRequest(request)
                || authenticatedByCrowdToken(request, response)
                || authenticatedByRememberMe(request, response)
                || authenticatedByBasicAuth(request, response);
        if (!authenticated) {
            dropUnauthenticatedSession(request, response);
        }
        return authenticated;
    }

    /** Asks Crowd whether the request's SSO token is valid; any error counts as "no". */
    private boolean authenticatedByCrowdToken(HttpServletRequest request, HttpServletResponse response) {
        try {
            boolean viaToken = this.crowdHttpAuthenticator.isAuthenticated(request, response);
            if (logger.isDebugEnabled()) {
                logger.debug(viaToken
                        ? "User IS authenticated via the Crowd session-token"
                        : "User is NOT authenticated via the Crowd session-token");
            }
            return viaToken;
        } catch (Exception e) {
            logger.info("Error while attempting to check if user isAuthenticated with Crowd", e);
            return false;
        }
    }

    /** Remember-me step with its outcome logged at DEBUG. */
    private boolean authenticatedByRememberMe(HttpServletRequest request, HttpServletResponse response) {
        boolean viaCookie = rememberMeLoginToCrowd(request, response);
        if (logger.isDebugEnabled()) {
            logger.debug(viaCookie
                    ? "Authenticated via remember-me cookie"
                    : "Failed to authenticate via remember-me cookie");
        }
        return viaCookie;
    }

    /**
     * HTTP Basic step, fully delegated to Seraph. Whether the inherited
     * {@code getUserFromBasicAuthentication} validates the password itself or
     * routes through {@link #login} is not visible here - see the class note.
     */
    private boolean authenticatedByBasicAuth(HttpServletRequest request, HttpServletResponse response) {
        return RedirectUtils.isBasicAuthentication(request, getAuthType())
                && getUserFromBasicAuthentication(request, response) != null;
    }

    /** Clears application and Seraph session state for a request no mechanism accepted. */
    private void dropUnauthenticatedSession(HttpServletRequest request, HttpServletResponse response) {
        logger.debug("Request is not authenticated, logging out the user");
        try {
            logoutUser(request);
            if (response != null) {
                super.logout(request, response);
            }
        } catch (AuthenticatorException e) {
            logger.error(e.getMessage(), e);
        }
    }

    /**
     * Turns a Seraph remember-me cookie into a Crowd SSO session. Seraph verifies
     * the cookie; if it yields a principal, that user is registered with Crowd
     * without a password check. If Crowd refuses, the principal Seraph may already
     * have placed in the session is removed so the two sides do not disagree.
     *
     * @param request  current request
     * @param response current response
     * @return {@code true} iff the cookie was valid and Crowd accepted the user
     */
    protected boolean rememberMeLoginToCrowd(HttpServletRequest request, HttpServletResponse response) {
        Principal cookieUser = getUserFromCookie(request, response);
        if (cookieUser == null) {
            return false;
        }
        logger.debug("User successfully authenticated via remember-me cookie verification");
        try {
            this.crowdHttpAuthenticator.authenticateWithoutValidatingPassword(request, response, cookieUser.getName());
        } catch (Exception e) {
            logger.debug("Could not register remember-me cookie authenticated user with Crowd SSO: " + cookieUser.getName() + ", reason: " + e.getMessage(), e);
            // Undo whatever Seraph established for the cookie so a half-logged-in state does not persist.
            removePrincipalFromSessionContext(request);
            return false;
        }
        return true;
    }

    /**
     * Clears any application-specific session state for the current user.
     * Called on logout and whenever a request fails every authentication check.
     *
     * @param request current request
     */
    protected abstract void logoutUser(HttpServletRequest request);

    /**
     * Resolves the principal for the request.
     *
     * <p>Trusted-apps requests return whatever Seraph already holds in the session.
     * Otherwise the request must pass {@link #isAuthenticated}; the Crowd token is
     * then compared with the one cached under {@link #SESSION_TOKEN_KEY}. On a match
     * the session principal is reused; on a mismatch (or empty session) the user is
     * looked up from Crowd, authorised, a Seraph session established, the elevated
     * security guard notified, and the token cached for next time.
     *
     * <p>{@code request.getSession()} is used without a {@code false} argument, so a
     * session is created here if none exists.
     *
     * @param request  current request
     * @param response current response
     * @return the authenticated principal, or {@code null} if the request is not
     *         authenticated, no Crowd token is present, the user cannot be
     *         resolved, or authorisation fails
     */
    public Principal getUser(HttpServletRequest request, HttpServletResponse response) {
        ElevatedSecurityGuard guard = getElevatedSecurityGuard();
        if (isTrustedAppsRequest(request)) {
            return getUserFromSession(request);
        }
        if (!isAuthenticated(request, response)) {
            return null;
        }
        String token = this.crowdHttpAuthenticator.getToken(request);
        if (token == null) {
            logger.error("Could not find cookieToken from authenticated request");
            return null;
        }
        Principal principal = null;
        if (token.equals(request.getSession().getAttribute(SESSION_TOKEN_KEY))) {
            principal = getUserFromSession(request);
        }
        if (principal != null) {
            // Same Crowd token as last time and Seraph still has the user: nothing to rebuild.
            LoginReason.OK.stampRequestResponse(request, response);
            return principal;
        }
        try {
            principal = getUser(this.crowdHttpAuthenticator.getUser(request).getName());
        } catch (Exception e) {
            logger.info(e.getMessage(), e);
        }
        if (principal == null) {
            return null;
        }
        if (!authoriseUserAndEstablishSession(request, response, principal)) {
            return null;
        }
        LoginReason.OK.stampRequestResponse(request, response);
        guard.onSuccessfulLoginAttempt(request, principal.getName());
        request.getSession().setAttribute(SESSION_TOKEN_KEY, token);
        return principal;
    }

    /**
     * Whether an earlier filter (presumably the trusted-applications filter) already
     * authenticated this request, signalled by the request attribute
     * {@code os_authstatus} being {@code "success"}. Request attributes are set
     * server-side, so a client cannot forge this on its own.
     *
     * @param request current request
     * @return {@code true} iff the attribute equals {@code "success"}
     */
    private boolean isTrustedAppsRequest(HttpServletRequest request) {
        boolean trusted = "success".equals(request.getAttribute("os_authstatus"));
        if (trusted && logger.isDebugEnabled()) {
            logger.debug("User IS authenticated via previous filter/trusted apps");
        }
        return trusted;
    }
}
