package com.atlassian.connect.spring.internal.auth.jwt;

import com.atlassian.connect.spring.internal.AtlassianConnectProperties;
import com.atlassian.connect.spring.internal.descriptor.AddonDescriptor;
import com.atlassian.connect.spring.internal.descriptor.AddonDescriptorLoader;
import com.atlassian.connect.spring.internal.jwt.CanonicalHttpServletRequest;
import java.io.IOException;
import java.net.URI;
import java.util.Objects;
import java.util.Optional;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.web.ServerProperties;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

/* loaded from: input_file:com/atlassian/connect/spring/internal/auth/jwt/JwtAuthenticationFilter.class */
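/**
 * Servlet filter that authenticates requests carrying an Atlassian Connect JWT.
 *
 * <p>The token is read from the {@code Authorization} header (scheme prefix {@code "JWT "}) or,
 * when the header does not carry one, from the {@code jwt} request parameter. A token that is
 * found is handed to the {@link AuthenticationManager}; on success the resulting authentication
 * is stored in the {@link SecurityContextHolder}. Requests without a token are passed down the
 * chain untouched, so endpoints that require authentication must be protected by the
 * authorization rules configured elsewhere.
 *
 * <p>Security-relevant exception: when authentication fails with an
 * {@link UnknownJwtIssuerException} on a request to the add-on's {@code uninstalled} lifecycle
 * URL, or to the {@code installed} lifecycle URL while
 * {@link AtlassianConnectProperties#isAllowReinstallMissingHost()} is enabled, the failure is
 * logged and the request continues <em>without</em> an authentication set by this filter.
 * NOTE(review): handlers for those lifecycle URLs must therefore treat the request body as
 * unverified; confirm against the lifecycle controller.
 */
public class JwtAuthenticationFilter extends OncePerRequestFilter {
    /** Scheme prefix expected in the Authorization header; the match is case-sensitive. */
    private static final String AUTHORIZATION_HEADER_SCHEME_PREFIX = "JWT ";
    /** Name of the request parameter that may carry the token instead of the header. */
    private static final String QUERY_PARAMETER_NAME = "jwt";
    private static final Logger log = LoggerFactory.getLogger(JwtAuthenticationFilter.class);

    // Collaborators are assigned once in the constructor and never replaced.
    private final AuthenticationManager authenticationManager;
    private final AddonDescriptorLoader addonDescriptorLoader;
    private final AtlassianConnectProperties atlassianConnectProperties;
    private final AuthenticationFailureHandler failureHandler;

    /**
     * Creates the filter.
     *
     * @param authenticationManager manager that validates the JWT authentication token
     * @param addonDescriptorLoader source of the add-on descriptor (base URL and lifecycle URLs)
     * @param atlassianConnectProperties configuration consulted for the reinstall exception
     * @param serverProperties supplies the error path that failed authentications are forwarded to
     */
    public JwtAuthenticationFilter(AuthenticationManager authenticationManager, AddonDescriptorLoader addonDescriptorLoader, AtlassianConnectProperties atlassianConnectProperties, ServerProperties serverProperties) {
        this.authenticationManager = authenticationManager;
        this.addonDescriptorLoader = addonDescriptorLoader;
        this.atlassianConnectProperties = atlassianConnectProperties;
        this.failureHandler = createFailureHandler(serverProperties);
    }

    /**
     * Authenticates the request if it carries a JWT, then continues the filter chain.
     *
     * <p>On an authentication failure that is not covered by the lifecycle exception the failure
     * handler takes over and the chain is not continued.
     *
     * @throws ServletException propagated from the failure handler or the filter chain
     * @throws IOException propagated from the failure handler or the filter chain
     */
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        Optional<String> jwtFromRequest = getJwtFromRequest(httpServletRequest);
        if (jwtFromRequest.isPresent()) {
            try {
                JwtAuthenticationToken token = createJwtAuthenticationToken(httpServletRequest, jwtFromRequest.get());
                SecurityContextHolder.getContext().setAuthentication(this.authenticationManager.authenticate(token));
            } catch (AuthenticationException e) {
                if (!shouldIgnoreInvalidJwt(httpServletRequest, e)) {
                    this.failureHandler.onAuthenticationFailure(httpServletRequest, httpServletResponse, e);
                    return;
                }
                // shouldIgnoreInvalidJwt() only returns true for UnknownJwtIssuerException, so the
                // cast cannot fail. AuthenticationException itself declares no getIssuer().
                // The issuer comes from a token that failed authentication, i.e. it is
                // caller-controlled: the log layout should neutralise CR/LF in this value.
                // No authentication is set here; the request proceeds as it arrived.
                log.warn("Received JWT authentication from unknown host ({}), but allowing anyway", ((UnknownJwtIssuerException) e).getIssuer());
            }
        }
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /**
     * Builds the handler used for rejected tokens: it forwards (rather than redirects) to the
     * configured server error path and never creates an HTTP session.
     */
    private static SimpleUrlAuthenticationFailureHandler createFailureHandler(ServerProperties serverProperties) {
        SimpleUrlAuthenticationFailureHandler handler = new SimpleUrlAuthenticationFailureHandler(serverProperties.getError().getPath());
        handler.setAllowSessionCreation(false);
        handler.setUseForward(true);
        return handler;
    }

    /** Returns the token from the Authorization header, falling back to the request parameter. */
    private static Optional<String> getJwtFromRequest(HttpServletRequest httpServletRequest) {
        Optional<String> jwtFromHeader = getJwtFromHeader(httpServletRequest);
        return jwtFromHeader.isPresent() ? jwtFromHeader : getJwtFromParameter(httpServletRequest);
    }

    /**
     * Extracts the token from an {@code Authorization: JWT <token>} header.
     *
     * @return the text after the scheme prefix, or empty when the header is absent, empty or uses
     *     another scheme; the returned text may itself be empty if nothing follows the prefix
     */
    private static Optional<String> getJwtFromHeader(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("Authorization");
        if (StringUtils.isEmpty(header) || !header.startsWith(AUTHORIZATION_HEADER_SCHEME_PREFIX)) {
            return Optional.empty();
        }
        return Optional.of(header.substring(AUTHORIZATION_HEADER_SCHEME_PREFIX.length()));
    }

    /**
     * Extracts the token from the {@code jwt} request parameter.
     *
     * <p>{@code getParameter} covers the query string and, per the Servlet API, form-encoded
     * request bodies. A token passed in the URL can end up in access logs, browser history and
     * {@code Referer} headers, so log and proxy configuration should redact this parameter.
     *
     * @return the parameter value, or empty when it is absent or empty
     */
    private static Optional<String> getJwtFromParameter(HttpServletRequest httpServletRequest) {
        String parameter = httpServletRequest.getParameter(QUERY_PARAMETER_NAME);
        if (StringUtils.isEmpty(parameter)) {
            return Optional.empty();
        }
        return Optional.of(parameter);
    }

    /**
     * Wraps the raw token and the canonical form of the request into an unauthenticated
     * authentication token. The token value itself is deliberately not logged.
     */
    private JwtAuthenticationToken createJwtAuthenticationToken(HttpServletRequest httpServletRequest, String jwt) {
        log.debug("Retrieved JWT from request");
        return new JwtAuthenticationToken(new JwtCredentials(jwt, new CanonicalHttpServletRequest(httpServletRequest)));
    }

    /**
     * Decides whether a failed authentication may be tolerated.
     *
     * <p>Only an {@link UnknownJwtIssuerException} qualifies, and only for a request to the
     * {@code installed} lifecycle URL with allow-reinstall-missing-host enabled, or for a request
     * to the {@code uninstalled} lifecycle URL (which is tolerated unconditionally). Every other
     * failure, including any other failure type on these URLs, is rejected.
     */
    private boolean shouldIgnoreInvalidJwt(HttpServletRequest httpServletRequest, AuthenticationException authenticationException) {
        if (!(authenticationException instanceof UnknownJwtIssuerException)) {
            return false;
        }
        boolean reinstallOfMissingHost = isRequestToInstalledLifecycle(httpServletRequest)
                && this.atlassianConnectProperties.isAllowReinstallMissingHost();
        return reinstallOfMissingHost || isRequestToUninstalledLifecycle(httpServletRequest);
    }

    /** Returns whether the request targets the descriptor's {@code installed} lifecycle URL. */
    private boolean isRequestToInstalledLifecycle(HttpServletRequest httpServletRequest) {
        AddonDescriptor descriptor = this.addonDescriptorLoader.getDescriptor();
        String installedUrl = descriptor.getBaseUrl() + descriptor.getInstalledLifecycleUrl();
        return isRequestToUrl(httpServletRequest, installedUrl);
    }

    /** Returns whether the request targets the descriptor's {@code uninstalled} lifecycle URL. */
    private boolean isRequestToUninstalledLifecycle(HttpServletRequest httpServletRequest) {
        AddonDescriptor descriptor = this.addonDescriptorLoader.getDescriptor();
        String uninstalledUrl = descriptor.getBaseUrl() + descriptor.getUninstalledLifecycleUrl();
        return isRequestToUrl(httpServletRequest, uninstalledUrl);
    }

    /**
     * Compares the request against an expected absolute URL.
     *
     * <p>The paths must be equal as strings (scheme, host and port are not compared, and no path
     * normalisation is applied here), and every query parameter of the expected URL must be
     * present in the request with the same values. Additional request parameters, such as
     * {@code jwt}, are tolerated. The HTTP method is not part of the comparison.
     *
     * @throws IllegalArgumentException if either URL is not a syntactically valid URI
     */
    private boolean isRequestToUrl(HttpServletRequest httpServletRequest, String expectedUrl) {
        UriComponents expected = UriComponentsBuilder.fromUri(URI.create(expectedUrl)).build();
        UriComponents actual = UriComponentsBuilder.fromUri(URI.create(httpServletRequest.getRequestURL().toString()))
                .query(httpServletRequest.getQueryString())
                .build();
        if (!Objects.equals(actual.getPath(), expected.getPath())) {
            return false;
        }
        return actual.getQueryParams().entrySet().containsAll(expected.getQueryParams().entrySet());
    }
}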
