package de.resolution.samlsso.authenticator;

import com.atlassian.confluence.security.PermissionManager;
import com.atlassian.confluence.user.ConfluenceAuthenticator;
import com.atlassian.confluence.user.ConfluenceUser;
import com.atlassian.confluence.user.UserAccessor;
import com.atlassian.sal.api.component.ComponentLocator;
import com.atlassian.seraph.auth.AuthenticatorException;
import com.atlassian.seraph.config.SecurityConfig;
import java.security.Principal;
import java.util.Map;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/resolution/samlsso/authenticator/ConfluenceDenyPasswordAuthenticator.class */
public class ConfluenceDenyPasswordAuthenticator extends ConfluenceAuthenticator implements ConfigurableDenyPasswordAuthenticator {
    private static final Logger logger = LoggerFactory.getLogger(ConfluenceDenyPasswordAuthenticator.class);
    private DenyPasswordSupport denyPasswordSupport;

    public void init(Map<String, String> map, SecurityConfig securityConfig) {
        super.init(map, securityConfig);
        this.denyPasswordSupport = new DenyPasswordSupport(map);
    }

    protected boolean authenticate(Principal principal, String str) throws AuthenticatorException {
        if (principal == null) {
            logger.error("Principal is null!");
            return false;
        }
        String name = principal.getName();
        if (this.denyPasswordSupport.userOnBlacklist(name)) {
            logger.warn("Denying password access for principal {}, username is on the blacklist.", name);
            return false;
        }
        if (this.denyPasswordSupport.userOnWhitelist(name)) {
            return super.authenticate(principal, str);
        }
        UserAccessor userAccessor = (UserAccessor) ComponentLocator.getComponent(UserAccessor.class);
        if (this.denyPasswordSupport.groupAllowsPasswordLogin(userAccessor.getGroupNamesForUserName(name))) {
            return super.authenticate(principal, str);
        }
        if (!isAllowSysAdmins()) {
            logger.warn("Denying password access for principal {}, group memberships deny password login and allowSysadmins is not enabled.", name);
            return false;
        }
        PermissionManager permissionManager = (PermissionManager) ComponentLocator.getComponent(PermissionManager.class);
        ConfluenceUser userByName = userAccessor.getUserByName(name);
        if (userByName == null) {
            logger.debug("User {} was not found", name);
            return false;
        }
        if (permissionManager.isSystemAdministrator(userByName)) {
            return super.authenticate(principal, str);
        }
        logger.warn("Denying password access for principal {}, group memberships deny password login and user is no sysadmin.", name);
        return false;
    }

    @Override // de.resolution.samlsso.authenticator.ConfigurableDenyPasswordAuthenticator
    public DenyPasswordSupport getDenyPasswordSupport() {
        return this.denyPasswordSupport;
    }
}
