package org.sonar.server.authentication;

import com.google.common.collect.ImmutableSet;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.sonar.api.config.Configuration;
import org.sonar.api.server.ServerSide;
import org.sonar.api.web.ServletFilter;
import org.sonar.db.user.UserDto;
import org.sonar.server.authentication.event.AuthenticationEvent;
import org.sonar.server.authentication.event.AuthenticationException;
import org.sonar.server.authentication.ws.LoginAction;
import org.sonar.server.authentication.ws.LogoutAction;
import org.sonar.server.authentication.ws.ValidateAction;
import org.sonar.server.issue.IssueFieldsSetter;
import org.sonar.server.user.ThreadLocalUserSession;
import org.sonar.server.user.UserSession;
import org.sonar.server.user.UserSessionFactory;

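/**
 * Initialises the thread-local {@link UserSession} for an incoming HTTP request and clears it once the
 * request has been processed.
 * <p>
 * Requests whose context-relative path matches {@link #SKIPPED_URLS} (or a static resource pattern) are
 * let through without loading any session at all, so they are never subject to the
 * {@code sonar.forceAuthentication} check performed in {@link #failIfAuthenticationIsRequired()}. Any
 * pattern added to that set therefore widens the set of endpoints reachable without a session.
 */
@ServerSide
/* loaded from: input_file:org/sonar/server/authentication/UserSessionInitializer.class */
public class UserSessionInitializer {
    /** Request attribute holding the login for access logging; "-" when the session is anonymous. */
    private static final String ACCESS_LOG_LOGIN = "LOGIN";
    /** Configuration key which, when {@code true}, rejects unauthenticated requests on non-skipped URLs. */
    private static final String FORCE_AUTHENTICATION_PROPERTY = "sonar.forceAuthentication";
    /** Paths (context-relative, {@code *} wildcards) served without initialising a user session. */
    private static final Set<String> SKIPPED_URLS = ImmutableSet.of(
        "/batch/index",
        "/batch/file",
        "/maintenance/*",
        "/setup/*",
        "/sessions/*",
        "/oauth2/callback/*",
        "/api/system/db_migration_status",
        "/api/system/status",
        "/api/system/migrate_db",
        "/api/server/version",
        "/api/users/identity_providers",
        "/api/l10n/index",
        LoginAction.LOGIN_URL,
        LogoutAction.LOGOUT_URL,
        ValidateAction.VALIDATE_URL);
    /** Everything except static resources and {@link #SKIPPED_URLS} goes through session initialisation. */
    private static final ServletFilter.UrlPattern URL_PATTERN = ServletFilter.UrlPattern.builder()
        .includes("/*")
        .excludes(ServletFilter.UrlPattern.Builder.staticResourcePatterns())
        .excludes(SKIPPED_URLS)
        .build();

    private final Configuration config;
    private final ThreadLocalUserSession threadLocalSession;
    private final AuthenticationEvent authenticationEvent;
    private final UserSessionFactory userSessionFactory;
    private final Authenticators authenticators;

    public UserSessionInitializer(Configuration configuration, ThreadLocalUserSession threadLocalUserSession,
        AuthenticationEvent authenticationEvent, UserSessionFactory userSessionFactory, Authenticators authenticators) {
        this.config = configuration;
        this.threadLocalSession = threadLocalUserSession;
        this.authenticationEvent = authenticationEvent;
        this.userSessionFactory = userSessionFactory;
        this.authenticators = authenticators;
    }

    /**
     * Loads the user session for the request unless its path is excluded by {@link #URL_PATTERN}.
     *
     * @param httpServletRequest  incoming request; its URI is made context-relative before matching
     * @param httpServletResponse response used to report authentication failures
     * @return {@code true} when the request may proceed down the filter chain, {@code false} when an
     *         authentication failure has already been written to the response. On {@code false}, and on
     *         {@code true} after a failure, no session has been stored in the thread-local.
     */
    public boolean initUserSession(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String path = contextRelativePath(httpServletRequest);
        try {
            // Excluded URLs are served without any session, not even an anonymous one.
            if (!URL_PATTERN.matches(path)) {
                return true;
            }
            loadUserSession(httpServletRequest, httpServletResponse);
            return true;
        } catch (AuthenticationException e) {
            authenticationEvent.loginFailure(httpServletRequest, e);
            if (isWsUrl(path)) {
                // Web service clients get a bare 401 rather than a redirect.
                httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                return false;
            }
            if (isNotLocalOrJwt(e.getSource())) {
                // Failures from external providers are turned into an error response/redirect here.
                AuthenticationError.handleAuthenticationError(e, httpServletResponse, httpServletRequest.getContextPath());
                return false;
            }
            // Local/JWT failure on a UI page: let the request continue; the caller handles the login flow.
            return true;
        }
    }

    /**
     * Strips the servlet context path from the request URI.
     * <p>
     * The context path is quoted because {@link String#replaceFirst} takes a regular expression; a context
     * path containing regex metacharacters would otherwise be misinterpreted. An empty context path leaves
     * the URI unchanged.
     */
    private static String contextRelativePath(HttpServletRequest httpServletRequest) {
        String contextPath = httpServletRequest.getContextPath();
        return httpServletRequest.getRequestURI().replaceFirst(Pattern.quote(contextPath), "");
    }

    /** {@code true} unless the failed authentication came from the LOCAL or JWT provider. */
    private static boolean isNotLocalOrJwt(AuthenticationEvent.Source source) {
        AuthenticationEvent.Provider provider = source.getProvider();
        return provider != AuthenticationEvent.Provider.LOCAL && provider != AuthenticationEvent.Provider.JWT;
    }

    /**
     * Runs the configured authenticators and stores the resulting session in the thread-local.
     *
     * @throws AuthenticationException when no user was authenticated and authentication is forced
     */
    private void loadUserSession(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Optional<UserDto> authenticatedUser = authenticators.authenticate(httpServletRequest, httpServletResponse);
        UserSession session;
        if (authenticatedUser.isPresent()) {
            session = userSessionFactory.create(authenticatedUser.get());
        } else {
            // Anonymous access is only granted when forced authentication is off.
            failIfAuthenticationIsRequired();
            session = userSessionFactory.createAnonymous();
        }
        threadLocalSession.set(session);
        httpServletRequest.setAttribute(ACCESS_LOG_LOGIN, StringUtils.defaultString(session.getLogin(), "-"));
    }

    /**
     * Rejects anonymous access when {@value #FORCE_AUTHENTICATION_PROPERTY} is enabled (default: off).
     *
     * @throws AuthenticationException attributed to the local BASIC source when authentication is required
     */
    private void failIfAuthenticationIsRequired() {
        if (config.getBoolean(FORCE_AUTHENTICATION_PROPERTY).orElse(false)) {
            throw AuthenticationException.newBuilder()
                .setSource(AuthenticationEvent.Source.local(AuthenticationEvent.Method.BASIC))
                .setMessage("User must be authenticated")
                .build();
        }
    }

    /** Clears the thread-local session; must be called once the request has been processed. */
    public void removeUserSession() {
        threadLocalSession.unload();
    }

    /** Web service paths (batch and API) receive status codes rather than redirects on failure. */
    private static boolean isWsUrl(String str) {
        return str.startsWith("/batch/") || str.startsWith("/api/");
    }
}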
