package com.google.gerrit.server.auth.ldap;

import com.google.common.base.Optional;
import com.google.common.base.Strings;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.gerrit.common.data.ParameterizedString;
import com.google.gerrit.reviewdb.client.Account;
import com.google.gerrit.reviewdb.client.AccountExternalId;
import com.google.gerrit.reviewdb.client.AccountGroup;
import com.google.gerrit.reviewdb.client.AuthType;
import com.google.gerrit.reviewdb.server.ReviewDb;
import com.google.gerrit.server.account.AccountException;
import com.google.gerrit.server.account.AuthRequest;
import com.google.gerrit.server.account.EmailExpander;
import com.google.gerrit.server.account.Realm;
import com.google.gerrit.server.auth.AuthenticationUnavailableException;
import com.google.gerrit.server.auth.ldap.Helper;
import com.google.gerrit.server.auth.ldap.LdapQuery;
import com.google.gerrit.server.config.AuthConfig;
import com.google.gerrit.server.config.ConfigUtil;
import com.google.gerrit.server.config.GerritServerConfig;
import com.google.gwtorm.server.SchemaFactory;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import com.google.inject.name.Named;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import javax.naming.CompositeName;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.security.auth.login.LoginException;
import org.eclipse.jgit.lib.Config;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

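/**
 * {@link Realm} that authenticates users against an LDAP directory and
 * resolves their group memberships from it.
 *
 * <p>Two Guava caches are injected: {@code ldap_groups} maps a local username
 * to the UUIDs of the LDAP groups it belongs to, and {@code ldap_usernames}
 * maps a local username to the Gerrit {@link Account.Id} registered for it.
 * The static helpers read the {@code [ldap]} section of the server
 * configuration and are shared with the other classes of this package.
 *
 * <p>All directory traffic (open, bind, search) goes through {@link Helper};
 * escaping of search input and the credentials behind {@link Helper#open()}
 * are its responsibility and are not visible in this class.
 */
@Singleton
public class LdapRealm implements Realm {
    static final Logger log = LoggerFactory.getLogger(LdapRealm.class);
    /** JNDI initial-context factory used for LDAP connections. */
    static final String LDAP = "com.sun.jndi.ldap.LdapCtxFactory";
    /**
     * Not referenced in this file; presumably the template variable name used
     * by sibling classes in this package.
     */
    static final String USERNAME = "username";
    private final Helper helper;
    private final AuthConfig authConfig;
    private final EmailExpander emailExpander;
    /** Local username -> account id; absent when no gerrit: external id exists for it. */
    private final LoadingCache<String, Optional<Account.Id>> usernameCache;
    /** Account fields LDAP is authoritative for; {@link #allowsEdit} refuses edits to them. */
    private final Set<Account.FieldName> readOnlyAccountFields = new HashSet<>();
    private final Config config;
    /** Local username -> UUIDs of the LDAP groups the user is a member of. */
    private final LoadingCache<String, Set<AccountGroup.UUID>> membershipCache;

    /**
     * Cache loader answering whether an entry with a given LDAP name exists.
     *
     * <p>Not wired to a cache in this file.
     */
    static class ExistenceLoader extends CacheLoader<String, Boolean> {
        private final Helper helper;

        @Inject
        ExistenceLoader(Helper helper) {
            this.helper = helper;
        }

        /**
         * Probes the entry with a plain attribute read.
         *
         * @param name LDAP name of the entry to probe
         * @return {@code true} if the attribute read succeeds; {@code false} if
         *     it (or parsing {@code name}) raises a {@link NamingException}
         * @throws Exception if the directory cannot be opened
         */
        @Override
        public Boolean load(String name) throws Exception {
            DirContext ctx = helper.open();
            try {
                // Missing entry, denied access and an unparsable name all surface
                // as NamingException and are uniformly reported as "absent".
                ctx.getAttributes(new CompositeName().add(name));
                return true;
            } catch (NamingException absent) {
                return false;
            } finally {
                closeQuietly(ctx);
            }
        }
    }

    /** Cache loader resolving the UUIDs of the LDAP groups a username belongs to. */
    static class MemberLoader extends CacheLoader<String, Set<AccountGroup.UUID>> {
        private final Helper helper;

        @Inject
        MemberLoader(Helper helper) {
            this.helper = helper;
        }

        /**
         * Queries the directory for the user's groups.
         *
         * @param username local username whose groups are wanted
         * @return whatever {@link Helper#queryForGroups} returns; no pre-fetched
         *     account entry is supplied (third argument {@code null})
         * @throws Exception from opening the directory or from the query
         */
        @Override
        public Set<AccountGroup.UUID> load(String username) throws Exception {
            DirContext ctx = helper.open();
            try {
                return helper.queryForGroups(ctx, username, null);
            } finally {
                closeQuietly(ctx);
            }
        }
    }

    /** Cache loader mapping a local username to the account owning its gerrit: external id. */
    static class UserLoader extends CacheLoader<String, Optional<Account.Id>> {
        private final SchemaFactory<ReviewDb> schema;

        @Inject
        UserLoader(SchemaFactory<ReviewDb> schema) {
            this.schema = schema;
        }

        /**
         * Looks the username up in the database, never in LDAP.
         *
         * @param username local username
         * @return the account id recorded under {@code gerrit:username}, or absent
         * @throws Exception from opening or querying the database
         */
        @Override
        public Optional<Account.Id> load(String username) throws Exception {
            ReviewDb db = schema.open();
            try {
                AccountExternalId extId = db.accountExternalIds()
                        .get(new AccountExternalId.Key(AccountExternalId.SCHEME_GERRIT, username));
                if (extId != null) {
                    return Optional.of(extId.getAccountId());
                }
                return Optional.absent();
            } finally {
                db.close();
            }
        }
    }

    /**
     * @param helper performs all directory operations
     * @param authConfig supplies the configured {@link AuthType}
     * @param emailExpander fallback for deriving an e-mail address from the username
     * @param membershipCache the {@code ldap_groups} cache
     * @param usernameCache the {@code ldap_usernames} cache
     * @param config server configuration; only the {@code [ldap]} section is read
     */
    @Inject
    LdapRealm(Helper helper, AuthConfig authConfig, EmailExpander emailExpander,
            @Named("ldap_groups") LoadingCache<String, Set<AccountGroup.UUID>> membershipCache,
            @Named("ldap_usernames") LoadingCache<String, Optional<Account.Id>> usernameCache,
            @GerritServerConfig Config config) {
        this.helper = helper;
        this.authConfig = authConfig;
        this.emailExpander = emailExpander;
        this.usernameCache = usernameCache;
        this.membershipCache = membershipCache;
        this.config = config;
        // optdef() yields "DEFAULT" when the key is absent and null only when it is
        // explicitly set to the empty string, so a field is LDAP-managed (read-only)
        // unless the administrator disables the attribute with an empty value.
        if (optdef(config, "accountFullName", "DEFAULT") != null) {
            readOnlyAccountFields.add(Account.FieldName.FULL_NAME);
        }
        if (optdef(config, "accountSshUserName", "DEFAULT") != null) {
            readOnlyAccountFields.add(Account.FieldName.USER_NAME);
        }
    }

    /** Closes {@code ctx}, logging (rather than propagating) a failure to close. */
    private static void closeQuietly(DirContext ctx) {
        try {
            ctx.close();
        } catch (NamingException e) {
            log.warn("Cannot close LDAP query handle", e);
        }
    }

    /**
     * Reads {@code ldap.<key>} as a {@link SearchScope}.
     *
     * @return the configured scope, {@link SearchScope#SUBTREE} when unset
     */
    public static SearchScope scope(Config config, String key) {
        // The (String) cast selects the subsection-less getEnum overload.
        return (SearchScope) ConfigUtil.getEnum(config, "ldap", (String) null, key, SearchScope.SUBTREE);
    }

    /** Reads {@code ldap.<key>}, returning {@code null} when unset. */
    public static String optional(Config config, String key) {
        return config.getString("ldap", null, key);
    }

    /**
     * Reads {@code ldap.<key>}, which must be present and non-empty.
     *
     * @throws IllegalArgumentException if the key is unset or empty
     */
    static String required(Config config, String key) {
        String value = optional(config, key);
        if (Strings.isNullOrEmpty(value)) {
            throw new IllegalArgumentException("No ldap." + key + " configured");
        }
        return value;
    }

    /** Reads all values of {@code ldap.<key>}; empty when unset. */
    public static List<String> optionalList(Config config, String key) {
        return Arrays.asList(config.getStringList("ldap", null, key));
    }

    /**
     * Reads all values of {@code ldap.<key>}, of which there must be at least one.
     *
     * @throws IllegalArgumentException if no value is configured
     */
    public static List<String> requiredList(Config config, String key) {
        List<String> values = optionalList(config, key);
        if (values.isEmpty()) {
            throw new IllegalArgumentException("No ldap." + key + " configured");
        }
        return values;
    }

    /**
     * Reads the first value of {@code ldap.<key>} with a three-way result.
     *
     * @param def returned when the key is not configured at all
     * @return {@code def} when unset, {@code null} when the first value is
     *     explicitly empty, otherwise the first configured value
     */
    public static String optdef(Config config, String key, String def) {
        String[] values = config.getStringList("ldap", null, key);
        if (values == null || values.length == 0) {
            return def;
        }
        if (Strings.isNullOrEmpty(values[0])) {
            return null;
        }
        return values[0];
    }

    /**
     * Like {@link #optdef} but an explicitly empty value is an error.
     *
     * @throws IllegalArgumentException if the first value is explicitly empty
     */
    public static String reqdef(Config config, String key, String def) {
        String value = optdef(config, key, def);
        if (value == null) {
            throw new IllegalArgumentException("No ldap." + key + " configured");
        }
        return value;
    }

    /**
     * Reads {@code ldap.<key>} as a substitution template.
     *
     * <p>A value containing {@code ${} is used verbatim; a bare attribute name
     * is wrapped as {@code ${name}} so the two spellings are interchangeable.
     *
     * @return the template, or {@code null} when the attribute is explicitly disabled
     */
    public static ParameterizedString paramString(Config config, String key, String def) {
        String value = optdef(config, key, def);
        if (value == null) {
            return null;
        }
        if (value.contains("${")) {
            return new ParameterizedString(value);
        }
        return new ParameterizedString("${" + value + "}");
    }

    /** Fields listed as LDAP-managed in the constructor cannot be edited by the user. */
    @Override
    public boolean allowsEdit(Account.FieldName fieldName) {
        return !readOnlyAccountFields.contains(fieldName);
    }

    /**
     * Expands {@code template} with the attributes of an LDAP entry.
     *
     * @param template template from {@link #paramString}; may be {@code null}
     * @param account the entry whose attributes supply the variable values
     * @return the expansion, or {@code null} if the template is {@code null}
     *     or the expansion is empty
     * @throws NamingException if an attribute cannot be read from the entry
     */
    public static String apply(ParameterizedString template, LdapQuery.Result account) throws NamingException {
        if (template == null) {
            return null;
        }
        // Every attribute of the entry becomes a substitutable variable.
        Map<String, String> values = new HashMap<>();
        for (String attribute : account.attributes()) {
            values.put(attribute, account.get(attribute));
        }
        String expanded = template.replace(values);
        // An empty expansion means the referenced attributes were missing.
        return expanded.isEmpty() ? null : expanded;
    }

    /**
     * Authenticates {@code who} against the directory and fills in the
     * display name, username, e-mail address and group memberships found there.
     *
     * <p>With {@link AuthType#LDAP_BIND} the user's own credentials open the
     * directory, so a bad password fails at {@link Helper#authenticate}. With
     * {@link AuthType#LDAP} a context from {@link Helper#open()} locates the
     * entry first and the password is then verified by binding as that entry,
     * unless {@link AuthRequest#isSkipAuthentication()} is set (the caller is
     * then responsible for having verified the user).
     *
     * @return {@code who}, mutated in place
     * @throws AuthenticationUnavailableException if the directory cannot be
     *     queried or the server-side JAAS login fails
     * @throws AccountException as propagated from {@link Helper}
     */
    @Override
    public AuthRequest authenticate(AuthRequest who) throws AccountException {
        if (config.getBoolean("ldap", "localUsernameToLowerCase", false)) {
            // Fixed locale: the folded username must not depend on the server's
            // default locale (e.g. the Turkish dotless i).
            who.setLocalUser(who.getLocalUser().toLowerCase(Locale.US));
        }
        final String username = who.getLocalUser();
        try {
            final DirContext ctx = authConfig.getAuthType() == AuthType.LDAP_BIND
                    ? helper.authenticate(username, who.getPassword())
                    : helper.open();
            try {
                Helper.LdapSchema schema = helper.getSchema(ctx);
                LdapQuery.Result account = helper.findAccount(schema, ctx, username);
                if (authConfig.getAuthType() == AuthType.LDAP && !who.isSkipAuthentication()) {
                    // Bind as the located entry purely to verify the password; the
                    // resulting context is not needed. NOTE(review): the password is
                    // passed through unchanged -- whether an empty password is
                    // refused before the bind (some servers treat it as an anonymous
                    // bind) is decided in Helper; confirm there.
                    helper.authenticate(account.getDN(), who.getPassword()).close();
                }
                who.setDisplayName(apply(schema.accountFullName, account));
                who.setUserName(apply(schema.accountSshUserName, account));
                if (schema.accountEmailAddress != null) {
                    who.setEmailAddress(apply(schema.accountEmailAddress, account));
                } else if (emailExpander.canExpand(username)) {
                    who.setEmailAddress(emailExpander.expand(username));
                }
                // Only reached after a successful bind (or explicit skip), so the
                // membership cache is refreshed with the entry just located.
                membershipCache.put(username, helper.queryForGroups(ctx, username, account));
                return who;
            } finally {
                closeQuietly(ctx);
            }
        } catch (NamingException e) {
            log.error("Cannot query LDAP to authenticate user", e);
            throw new AuthenticationUnavailableException("Cannot query LDAP for account", e);
        } catch (LoginException e) {
            log.error("Cannot authenticate server via JAAS", e);
            throw new AuthenticationUnavailableException("Cannot query LDAP for account", e);
        }
    }

    /** Linking an LDAP identity needs no directory work; the request is returned unchanged. */
    @Override
    public AuthRequest link(ReviewDb db, Account.Id accountId, AuthRequest who) {
        return who;
    }

    /** Unlinking an LDAP identity needs no directory work; the request is returned unchanged. */
    @Override
    public AuthRequest unlink(ReviewDb db, Account.Id accountId, AuthRequest who) {
        return who;
    }

    /** Seeds the username cache so the new account resolves without a database round trip. */
    @Override
    public void onCreateAccount(AuthRequest who, Account account) {
        usernameCache.put(who.getLocalUser(), Optional.of(account.getId()));
    }

    /**
     * Resolves a local username to an account id via the username cache.
     *
     * @return the account id, or {@code null} for a blank username, an unknown
     *     one, or a failed cache load (which is logged)
     */
    @Override
    public Account.Id lookup(String username) {
        if (Strings.isNullOrEmpty(username)) {
            return null;
        }
        try {
            Optional<Account.Id> id = usernameCache.get(username);
            return id != null ? id.orNull() : null;
        } catch (ExecutionException e) {
            log.warn(String.format("Cannot lookup account %s in LDAP", username), e);
            return null;
        }
    }
}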
