package com.google.gerrit.httpd;

import com.google.common.base.MoreObjects;
import com.google.common.base.Strings;
import com.google.gerrit.extensions.registration.DynamicItem;
import com.google.gerrit.server.AccessPath;
import com.google.gerrit.server.account.AccountCache;
import com.google.gerrit.server.account.AccountState;
import com.google.gerrit.server.config.AuthConfig;
import com.google.gerrit.server.config.GerritServerConfig;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import java.io.IOException;
import java.util.Locale;
import java.util.Optional;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jgit.lib.Config;

/**
 * Servlet filter that signs a request in as the user reported by {@link RemoteUserUtil}.
 *
 * <p>No credential is checked in this class. The user name is whatever
 * {@code RemoteUserUtil.getRemoteUser} returns for the request and the configured login header
 * ({@code "Authorization"} when {@code AuthConfig#getLoginHttpHeader()} is null or empty). The
 * name is then matched against an active account in the {@link AccountCache}.
 *
 * <p>NOTE(review): this presumably relies on the servlet container or a fronting proxy having
 * authenticated the caller already. If a custom login header is configured, confirm that the
 * trusted front end strips or overwrites any client-supplied copy of that header. Otherwise the
 * user name reaching this filter would be client-controlled. Verify against
 * {@code RemoteUserUtil} and the deployment.
 */
@Singleton
class ContainerAuthFilter implements Filter {
    private final DynamicItem<WebSession> session;
    private final AccountCache accountCache;
    private final Config config;
    private final String loginHttpHeader;

    @Inject
    ContainerAuthFilter(DynamicItem<WebSession> session, AccountCache accountCache, AuthConfig authConfig, @GerritServerConfig Config config) {
        this.session = session;
        this.accountCache = accountCache;
        this.config = config;
        // Fall back to the standard Authorization header when no login header is configured.
        String configuredHeader = Strings.emptyToNull(authConfig.getLoginHttpHeader());
        this.loginHttpHeader = MoreObjects.firstNonNull(configuredHeader, "Authorization");
    }

    /** No initialization is needed. */
    @Override
    public void init(FilterConfig filterConfig) {
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Passes the request down the chain only when {@link #verify} accepts it. When it does not,
     * {@code verify} has already sent the error response and the chain is not invoked.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) servletRequest;
        HttpServletResponse rsp = (HttpServletResponse) servletResponse;
        if (!verify(req, rsp)) {
            return;
        }
        filterChain.doFilter(req, servletResponse);
    }

    /**
     * Resolves the remote user to an active account and binds it to the current web session.
     *
     * @param req request from which the remote user name is extracted
     * @param rsp response that receives 403 (no remote user) or 401 (no active account)
     * @return {@code true} if the session was populated and the request may proceed;
     *     {@code false} if an error response was sent
     * @throws IOException if sending the error response fails
     */
    private boolean verify(HttpServletRequest req, HttpServletResponse rsp) throws IOException {
        String username = RemoteUserUtil.getRemoteUser(req, this.loginHttpHeader);
        if (username == null) {
            // No identity could be extracted from the request at all.
            rsp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }

        boolean lowerCase = this.config.getBoolean("auth", "userNameToLowerCase", false);
        if (lowerCase) {
            // Fixed locale so the result does not depend on the JVM default locale.
            username = username.toLowerCase(Locale.US);
        }

        // Inactive accounts are treated the same as unknown user names.
        Optional<AccountState> activeAccount =
                this.accountCache.getByUsername(username).filter(state -> state.getAccount().isActive());
        if (!activeAccount.isPresent()) {
            // NOTE(review): no WWW-Authenticate header is set here; only the status is sent.
            rsp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }

        WebSession ws = this.session.get();
        ws.setUserAccountId(activeAccount.get().getAccount().getId());
        // The session is granted both the Git and REST API access paths.
        ws.setAccessPathOk(AccessPath.GIT, true);
        ws.setAccessPathOk(AccessPath.REST_API, true);
        return true;
    }
}
