package org.sonar.server.authentication;

import com.google.common.base.Splitter;
import com.google.common.collect.ImmutableMap;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import javax.annotation.CheckForNull;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.time.DateUtils;
import org.sonar.api.Startable;
import org.sonar.api.config.Configuration;
import org.sonar.api.server.authentication.Display;
import org.sonar.api.server.authentication.IdentityProvider;
import org.sonar.api.server.authentication.UserIdentity;
import org.sonar.api.utils.System2;
import org.sonar.api.utils.log.Logger;
import org.sonar.api.utils.log.Loggers;
import org.sonar.db.user.UserDto;
import org.sonar.server.authentication.JwtHttpHandler;
import org.sonar.server.authentication.event.AuthenticationEvent;
import org.sonar.server.authentication.event.AuthenticationException;
import org.sonar.server.exceptions.BadRequestException;
import org.sonar.server.user.ExternalIdentity;

/* loaded from: input_file:org/sonar/server/authentication/SsoAuthenticator.class */
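/**
 * Authenticates a request from identity headers (login, name, email, groups) that an upstream
 * SSO component is expected to set.
 *
 * <p><b>Trust boundary:</b> the values read here are plain HTTP request headers, and this class
 * performs no verification of their origin. The feature is only sound when every request reaches
 * the server through a trusted reverse proxy that authenticates the user and overwrites (or
 * strips) the configured headers on inbound client requests. Any network path that bypasses the
 * proxy must be blocked while {@code sonar.web.sso.enable} is true.
 *
 * <p>After a successful header authentication a JWT session token is issued that carries the time
 * of the last refresh. While that token is younger than the configured refresh interval and
 * belongs to the same login as the header, the user is taken from the token and the name, email
 * and groups headers are not re-read.
 */
public class SsoAuthenticator implements Startable {
    private static final String ENABLE_PARAM = "sonar.web.sso.enable";
    private static final String LAST_REFRESH_TIME_TOKEN_PARAM = "ssoLastRefreshTime";
    private final System2 system2;
    private final Configuration config;
    private final UserIdentityAuthenticator userIdentityAuthenticator;
    private final JwtHttpHandler jwtHttpHandler;
    private final AuthenticationEvent authenticationEvent;
    private boolean enabled = false;
    // Effective value of every sonar.web.sso.* setting, filled in by start() when SSO is enabled.
    private Map<String, String> settingsByKey = new HashMap<>();
    private static final Logger LOG = Loggers.get(SsoAuthenticator.class);
    private static final Splitter COMA_SPLITTER = Splitter.on(",").trimResults().omitEmptyStrings();
    private static final String LOGIN_HEADER_PARAM = "sonar.web.sso.loginHeader";
    private static final String LOGIN_HEADER_DEFAULT_VALUE = "X-Forwarded-Login";
    private static final String NAME_HEADER_PARAM = "sonar.web.sso.nameHeader";
    private static final String NAME_HEADER_DEFAULT_VALUE = "X-Forwarded-Name";
    private static final String EMAIL_HEADER_PARAM = "sonar.web.sso.emailHeader";
    private static final String EMAIL_HEADER_DEFAULT_VALUE = "X-Forwarded-Email";
    private static final String GROUPS_HEADER_PARAM = "sonar.web.sso.groupsHeader";
    private static final String GROUPS_HEADER_DEFAULT_VALUE = "X-Forwarded-Groups";
    private static final String REFRESH_INTERVAL_PARAM = "sonar.web.sso.refreshIntervalInMinutes";
    private static final String REFRESH_INTERVAL_DEFAULT_VALUE = "5";
    private static final Map<String, String> DEFAULT_VALUES_BY_SETTING_KEYS = ImmutableMap.of(
        LOGIN_HEADER_PARAM, LOGIN_HEADER_DEFAULT_VALUE,
        NAME_HEADER_PARAM, NAME_HEADER_DEFAULT_VALUE,
        EMAIL_HEADER_PARAM, EMAIL_HEADER_DEFAULT_VALUE,
        GROUPS_HEADER_PARAM, GROUPS_HEADER_DEFAULT_VALUE,
        REFRESH_INTERVAL_PARAM, REFRESH_INTERVAL_DEFAULT_VALUE);

    /**
     * Identity provider handed to {@link UserIdentityAuthenticator} for header-based logins.
     *
     * <p>The decompiler reports that this class was originally declared {@code private}; only the
     * enclosing class can instantiate it. It is always enabled and reports that sign-up is
     * allowed. NOTE(review): presumably this means a login never seen before is provisioned from
     * the header values; confirm against {@code UserIdentityAuthenticator}.
     */
    public static class SsoIdentityProvider implements IdentityProvider {
        private SsoIdentityProvider() {
        }

        /** Returns the authority key used for identities created through SSO headers. */
        public String getKey() {
            return ExternalIdentity.SQ_AUTHORITY;
        }

        /** Returns the same value as {@link #getKey()}. */
        public String getName() {
            return getKey();
        }

        /** Returns {@code null}: this provider has no display information. */
        public Display getDisplay() {
            return null;
        }

        public boolean isEnabled() {
            return true;
        }

        public boolean allowsUsersToSignUp() {
            return true;
        }
    }

    public SsoAuthenticator(System2 system2, Configuration configuration, UserIdentityAuthenticator userIdentityAuthenticator, JwtHttpHandler jwtHttpHandler, AuthenticationEvent authenticationEvent) {
        this.system2 = system2;
        this.config = configuration;
        this.userIdentityAuthenticator = userIdentityAuthenticator;
        this.jwtHttpHandler = jwtHttpHandler;
        this.authenticationEvent = authenticationEvent;
    }

    /**
     * Enables header authentication when {@code sonar.web.sso.enable} is true and resolves every
     * SSO setting to its configured value, falling back to the built-in default.
     *
     * <p>The decompiled listing had an empty lambda body here, which left {@code settingsByKey}
     * empty and made every later lookup fail with a {@code NullPointerException}. The loop below
     * restores the population step that the rest of the class relies on.
     */
    public void start() {
        if (!this.config.getBoolean(ENABLE_PARAM).orElse(false)) {
            return;
        }
        LOG.info("SSO Authentication enabled");
        this.enabled = true;
        for (Map.Entry<String, String> setting : DEFAULT_VALUES_BY_SETTING_KEYS.entrySet()) {
            String key = setting.getKey();
            this.settingsByKey.put(key, this.config.get(key).orElse(setting.getValue()));
        }
    }

    public void stop() {
    }

    /**
     * Tries to authenticate the request from the SSO headers.
     *
     * @return the authenticated user, or an empty optional when SSO is disabled or the login
     *     header is absent
     * @throws AuthenticationException when the identity is rejected with a
     *     {@link BadRequestException}; only the message is carried over
     */
    public Optional<UserDto> authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            return doAuthenticate(httpServletRequest, httpServletResponse);
        } catch (BadRequestException e) {
            throw AuthenticationException.newBuilder()
                .setSource(AuthenticationEvent.Source.sso())
                .setMessage(e.getMessage())
                .build();
        }
    }

    /**
     * Resolves the user either from a still-fresh session token or from the request headers.
     * A token is reused only when its user's login equals the login header, so a changed header
     * forces a full re-authentication and a new token.
     */
    private Optional<UserDto> doAuthenticate(HttpServletRequest request, HttpServletResponse response) {
        if (!this.enabled) {
            return Optional.empty();
        }
        Map<String, String> headers = getHeaders(request);
        String login = getHeaderValue(headers, LOGIN_HEADER_PARAM);
        if (login == null) {
            return Optional.empty();
        }
        Optional<UserDto> tokenUser = getUserFromToken(request, response);
        if (tokenUser.isPresent() && login.equals(tokenUser.get().getLogin())) {
            return tokenUser;
        }
        UserDto user = doAuthenticate(headers, login);
        // Stamp the token with the current time so the next header re-read is scheduled from now.
        this.jwtHttpHandler.generateToken(user, ImmutableMap.of(LAST_REFRESH_TIME_TOKEN_PARAM, Long.valueOf(this.system2.now())), request, response);
        this.authenticationEvent.loginSuccess(request, user.getLogin(), AuthenticationEvent.Source.sso());
        return Optional.of(user);
    }

    /**
     * Returns the user held by the session token, unless the token is missing, carries no
     * last-refresh time, or was refreshed longer ago than the configured interval.
     *
     * <p>The refresh interval bounds how long a name, email or group change (including a group
     * removal) at the identity source can go unnoticed by this server.
     */
    private Optional<UserDto> getUserFromToken(HttpServletRequest request, HttpServletResponse response) {
        Optional<JwtHttpHandler.Token> token = this.jwtHttpHandler.getToken(request, response);
        if (!token.isPresent()) {
            return Optional.empty();
        }
        Date now = new Date(this.system2.now());
        // NOTE(review): a non-numeric interval setting throws NumberFormatException on each request.
        int refreshIntervalInMinutes = Integer.parseInt(this.settingsByKey.get(REFRESH_INTERVAL_PARAM));
        Long lastRefreshTime = (Long) token.get().getProperties().get(LAST_REFRESH_TIME_TOKEN_PARAM);
        if (lastRefreshTime == null) {
            return Optional.empty();
        }
        Date refreshDeadline = DateUtils.addMinutes(new Date(lastRefreshTime.longValue()), refreshIntervalInMinutes);
        if (now.after(refreshDeadline)) {
            return Optional.empty();
        }
        return Optional.of(token.get().getUserDto());
    }

    /**
     * Builds a {@link UserIdentity} from the headers and delegates to
     * {@link UserIdentityAuthenticator}. The name falls back to the login when the name header is
     * absent. Groups are set only when the groups header is present, so a request without that
     * header leaves the identity's groups unset rather than empty.
     */
    private UserDto doAuthenticate(Map<String, String> headers, String login) {
        String name = getHeaderValue(headers, NAME_HEADER_PARAM);
        UserIdentity.Builder identity = UserIdentity.builder()
            .setLogin(login)
            .setName(name == null ? login : name)
            .setEmail(getHeaderValue(headers, EMAIL_HEADER_PARAM))
            .setProviderLogin(login);
        if (hasHeader(headers, GROUPS_HEADER_PARAM)) {
            String groups = getHeaderValue(headers, GROUPS_HEADER_PARAM);
            identity.setGroups(groups == null ? Collections.<String>emptySet() : new HashSet<String>(COMA_SPLITTER.splitToList(groups)));
        }
        return this.userIdentityAuthenticator.authenticate(identity.build(), new SsoIdentityProvider(), AuthenticationEvent.Source.sso());
    }

    /** Returns the value of the header configured under {@code settingKey}, or null if absent. */
    @CheckForNull
    private String getHeaderValue(Map<String, String> headers, String settingKey) {
        String headerName = this.settingsByKey.get(settingKey).toLowerCase(Locale.ENGLISH);
        return headers.get(headerName);
    }

    /**
     * Copies the request headers into a map keyed by lower-cased header name, the form that
     * {@link #getHeaderValue} and {@link #hasHeader} look up.
     *
     * <p>The decompiled listing had an empty lambda body here, so the map was always returned
     * empty and no login header could ever be found; the copy step is restored below. Only the
     * value returned by {@code getHeader} is kept for each name.
     */
    private static Map<String, String> getHeaders(HttpServletRequest request) {
        Map<String, String> headers = new HashMap<>();
        for (String name : Collections.list(request.getHeaderNames())) {
            headers.put(name.toLowerCase(Locale.ENGLISH), request.getHeader(name));
        }
        return headers;
    }

    /** Tells whether the header configured under {@code settingKey} was sent with the request. */
    private boolean hasHeader(Map<String, String> headers, String settingKey) {
        String headerName = this.settingsByKey.get(settingKey).toLowerCase(Locale.ENGLISH);
        return headers.containsKey(headerName);
    }
}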
