package com.google.gerrit.server.auth.ldap;

import com.google.common.flogger.FluentLogger;
import com.google.gerrit.extensions.client.AuthType;
import com.google.gerrit.server.account.AccountException;
import com.google.gerrit.server.auth.AuthBackend;
import com.google.gerrit.server.auth.AuthException;
import com.google.gerrit.server.auth.AuthRequest;
import com.google.gerrit.server.auth.AuthUser;
import com.google.gerrit.server.auth.InvalidCredentialsException;
import com.google.gerrit.server.auth.MissingCredentialsException;
import com.google.gerrit.server.auth.UnknownUserException;
import com.google.gerrit.server.auth.UserNotAllowedException;
import com.google.gerrit.server.auth.ldap.LdapQuery;
import com.google.gerrit.server.config.AuthConfig;
import com.google.gerrit.server.config.GerritServerConfig;
import com.google.inject.Inject;
import java.io.IOException;
import java.util.Locale;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.security.auth.login.LoginException;
import org.eclipse.jgit.lib.Config;

/* loaded from: input_file:com/google/gerrit/server/auth/ldap/LdapAuthBackend.class */
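/**
 * {@link AuthBackend} for the {@code "ldap"} domain. It checks a username/password pair against
 * an LDAP directory through {@link Helper}.
 *
 * <p>The behaviour depends on {@link AuthConfig#getAuthType()}:
 *
 * <ul>
 *   <li>{@code LDAP_BIND}: binds to the directory as the submitted username and password, then
 *       looks the account up on that connection.
 *   <li>{@code LDAP}: looks the account up on the connection returned by {@code helper.open()},
 *       then verifies the password with a second bind as the DN that was found.
 * </ul>
 *
 * <p>For any other auth type this class performs the lookup only and never binds with the user's
 * password. NOTE(review): presumably this backend is only installed for the two LDAP auth types;
 * confirm against the module wiring.
 */
public class LdapAuthBackend implements AuthBackend {
    private static final FluentLogger logger = FluentLogger.forEnclosingClass();
    private final Helper helper;
    private final AuthConfig authConfig;
    // Value of ldap.localUsernameToLowerCase; when true the username is lower-cased before use.
    private final boolean lowerCaseUsername;

    @Inject
    public LdapAuthBackend(Helper helper, AuthConfig authConfig, @GerritServerConfig Config config) {
        this.helper = helper;
        this.authConfig = authConfig;
        this.lowerCaseUsername = config.getBoolean("ldap", "localUsernameToLowerCase", false);
    }

    /** Returns the authentication domain handled by this backend, always {@code "ldap"}. */
    @Override
    public String getDomain() {
        return "ldap";
    }

    /**
     * Authenticates the request against LDAP.
     *
     * @param authRequest request carrying the username and password to verify
     * @return the authenticated user, whose UUID and username are both the (optionally
     *     lower-cased) submitted username
     * @throws MissingCredentialsException if the username or password is absent, or the password
     *     is the empty string
     * @throws InvalidCredentialsException if the helper reports an {@code AccountException}
     * @throws AuthException if the directory cannot be queried ({@code IOException},
     *     {@code NamingException}) or the server-side JAAS login fails
     */
    @Override
    public AuthUser authenticate(AuthRequest authRequest) throws MissingCredentialsException, InvalidCredentialsException, UnknownUserException, UserNotAllowedException, AuthException {
        if (!authRequest.getUsername().isPresent() || !authRequest.getPassword().isPresent()) {
            throw new MissingCredentialsException();
        }
        String password = authRequest.getPassword().get();
        // An LDAP simple bind with a DN and a zero-length password is an "unauthenticated bind"
        // (RFC 4513, section 5.1.2), which a directory may accept without verifying anything.
        // Helper is not visible from this file, so reject the empty password here rather than
        // rely on the helper or the directory configuration to do it.
        if (password.isEmpty()) {
            throw new MissingCredentialsException();
        }

        String submittedName = authRequest.getUsername().get();
        String username = this.lowerCaseUsername ? submittedName.toLowerCase(Locale.US) : submittedName;
        // NOTE(review): username reaches helper.authenticate/findAccount unmodified; presumably
        // LDAP filter escaping happens inside Helper/LdapQuery. Confirm there.
        try {
            AuthType authType = this.authConfig.getAuthType();
            DirContext ctx = authType == AuthType.LDAP_BIND
                    ? this.helper.authenticate(username, password)
                    : this.helper.open();
            try {
                LdapQuery.Result account = this.helper.findAccount(this.helper.getSchema(ctx), ctx, username, false);
                if (this.authConfig.getAuthType() == AuthType.LDAP) {
                    // The account exists; the password is only proven by binding as its DN.
                    this.helper.close(this.helper.authenticate(account.getDN(), password));
                }
                return new AuthUser(AuthUser.UUID.create(username), username);
            } finally {
                // Release the lookup connection on success and on every failure path.
                this.helper.close(ctx);
            }
        } catch (IOException | NamingException e) {
            logger.atSevere().withCause(e).log("Cannot query LDAP to authenticate user");
            throw new AuthException("Cannot query LDAP for account", e);
        } catch (AccountException e) {
            logger.atSevere().withCause(e).log("Cannot query LDAP to authenticate user");
            throw new InvalidCredentialsException("Cannot query LDAP for account", e);
        } catch (LoginException e) {
            logger.atSevere().withCause(e).log("Cannot authenticate server via JAAS");
            throw new AuthException("Cannot query LDAP for account", e);
        }
    }
}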
