package de.resolution.samlsso.authenticator;

import com.atlassian.jira.application.ApplicationRoleManager;
import com.atlassian.jira.permission.GlobalPermissionKey;
import com.atlassian.jira.security.GlobalPermissionManager;
import com.atlassian.jira.security.groups.GroupManager;
import com.atlassian.jira.security.login.JiraSeraphAuthenticator;
import com.atlassian.jira.user.ApplicationUser;
import com.atlassian.jira.user.util.UserManager;
import com.atlassian.sal.api.component.ComponentLocator;
import com.atlassian.seraph.auth.AuthenticationContextAwareAuthenticator;
import com.atlassian.seraph.auth.AuthenticatorException;
import com.atlassian.seraph.config.SecurityConfig;
import java.security.Principal;
import java.util.Collection;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

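/**
 * Seraph authenticator that decides whether a principal may use password login at all
 * before handing the credential check to {@link JiraSeraphAuthenticator}.
 *
 * <p>The policy is read from a {@link DenyPasswordSupport} built from the authenticator's
 * init parameters. {@link #authenticate(Principal, String)} evaluates it in this order,
 * first match wins:
 * <ol>
 *   <li>user on the blacklist: denied;</li>
 *   <li>user on the whitelist: password check delegated to the superclass;</li>
 *   <li>"allow without application access" enabled and the user has no application role:
 *       delegated;</li>
 *   <li>one of the user's groups allows password login: delegated;</li>
 *   <li>sysadmin exemption enabled and the user holds {@code SYSTEM_ADMIN}: delegated;</li>
 *   <li>otherwise: denied.</li>
 * </ol>
 *
 * <p>Every "delegated" outcome still runs {@code super.authenticate}, so these checks only
 * narrow who may attempt a password login; none of them replaces the credential check.
 * Each exemption above widens the set of accounts that can bypass SSO-only login, so the
 * deny decisions are logged at WARN for audit purposes.
 */
@AuthenticationContextAwareAuthenticator
/* loaded from: input_file:de/resolution/samlsso/authenticator/JiraDenyPasswordAuthenticator.class */
public class JiraDenyPasswordAuthenticator extends JiraSeraphAuthenticator implements ConfigurableDenyPasswordAuthenticator {
    private static final Logger logger = LoggerFactory.getLogger(JiraDenyPasswordAuthenticator.class);

    // transient: not restored if the authenticator instance is ever deserialized, and null
    // until init() has run. authenticate() treats a null value as "deny".
    private transient DenyPasswordSupport denyPasswordSupport;

    /**
     * Initialises the superclass and builds the deny-password policy from the same
     * parameter map.
     *
     * @param map            authenticator init parameters, passed to {@link DenyPasswordSupport}
     * @param securityConfig Seraph security configuration, passed to the superclass
     */
    @Override
    public void init(Map<String, String> map, SecurityConfig securityConfig) {
        super.init(map, securityConfig);
        this.denyPasswordSupport = new DenyPasswordSupport(map);
    }

    /**
     * Tells whether the named user exists and holds no application role.
     *
     * <p>An unknown user yields {@code false}, so a failed lookup never triggers the
     * "allow without application access" exemption.
     *
     * @param username name used to look the user up
     * @return {@code true} only if the user was found and has an empty role set
     */
    private boolean hasNoApplicationRole(@Nonnull String username) {
        UserManager userManager = ComponentLocator.getComponent(UserManager.class);
        ApplicationUser user = userManager.getUserByName(username);
        if (user == null) {
            logger.warn("ApplicationUser is null!");
            return false;
        }

        ApplicationRoleManager roleManager = ComponentLocator.getComponent(ApplicationRoleManager.class);
        // Typed explicitly: with a raw Set the lambda below would see Object and not compile.
        Set<com.atlassian.jira.application.ApplicationRole> roles = roleManager.getRolesForUser(user);
        if (roles.isEmpty()) {
            logger.debug("User {} has no ApplicationRoles", username);
            return true;
        }

        // Only build the joined role list when it will actually be written.
        if (logger.isDebugEnabled()) {
            String roleNames = roles.stream().map(role -> role.getName()).collect(Collectors.joining(","));
            logger.debug("{} has the roles {}", username, roleNames);
        }
        return false;
    }

    /**
     * Applies the deny-password policy and, if the principal is exempt, delegates the
     * credential check to the superclass.
     *
     * <p>The method fails closed: a missing principal, a principal without a name, an
     * uninitialised policy, or a user that cannot be loaded all result in {@code false}.
     *
     * @param principal the user attempting to log in
     * @param str       the credential forwarded unchanged to {@code super.authenticate}
     *                  (presumably the submitted password); it must never be logged
     * @return {@code true} only if the policy permits password login for this principal
     *         and the superclass accepts the credential
     * @throws AuthenticatorException propagated from the superclass
     */
    @Override
    public boolean authenticate(Principal principal, String str) throws AuthenticatorException {
        if (principal == null) {
            logger.error("Principal is null!");
            return false;
        }
        String username = principal.getName();
        if (username == null) {
            // Without a name none of the list, group or permission lookups are meaningful.
            logger.error("Principal has no name, denying password access.");
            return false;
        }
        DenyPasswordSupport support = this.denyPasswordSupport;
        if (support == null) {
            // init() has not run on this instance (or the transient field was lost):
            // deny instead of failing with a NullPointerException.
            logger.error("DenyPasswordSupport is not initialised, denying password access.");
            return false;
        }

        // The blacklist is checked first so it overrides every exemption below.
        if (support.userOnBlacklist(username)) {
            logger.warn("Denying password access for principal {}, username is on the blacklist.", username);
            return false;
        }
        if (support.userOnWhitelist(username)) {
            return super.authenticate(principal, str);
        }
        if (support.isAllowWithoutApplicationAccess() && hasNoApplicationRole(username)) {
            return super.authenticate(principal, str);
        }

        GroupManager groupManager = ComponentLocator.getComponent(GroupManager.class);
        Collection<String> groupNames = groupManager.getGroupsForUser(username).stream()
                .map(group -> group.getName())
                .collect(Collectors.toList());
        if (support.groupAllowsPasswordLogin(groupNames)) {
            return super.authenticate(principal, str);
        }

        // isAllowSysAdmins() is not declared in this class; presumably it is inherited
        // from ConfigurableDenyPasswordAuthenticator. Confirm against that interface.
        if (!isAllowSysAdmins()) {
            logger.warn("Denying password access for principal {}", username);
            return false;
        }
        UserManager userManager = ComponentLocator.getComponent(UserManager.class);
        ApplicationUser user = userManager.getUserByName(username);
        if (user == null) {
            logger.warn("Could not load ApplicationUser for {}, denying authentication.", username);
            return false;
        }
        GlobalPermissionManager permissionManager = ComponentLocator.getComponent(GlobalPermissionManager.class);
        if (permissionManager.hasPermission(GlobalPermissionKey.SYSTEM_ADMIN, user)) {
            return super.authenticate(principal, str);
        }
        logger.warn("Denying password access for principal {}", username);
        return false;
    }

    /**
     * Returns the policy object built in {@link #init(Map, SecurityConfig)}.
     *
     * @return the current policy, or {@code null} if {@code init} has not run on this instance
     */
    @Override // de.resolution.samlsso.authenticator.ConfigurableDenyPasswordAuthenticator
    public DenyPasswordSupport getDenyPasswordSupport() {
        return this.denyPasswordSupport;
    }
}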
