package com.google.gerrit.server.auth.ldap;

import com.google.common.base.Strings;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.flogger.FluentLogger;
import com.google.gerrit.common.data.GroupReference;
import com.google.gerrit.common.data.ParameterizedString;
import com.google.gerrit.entities.Account;
import com.google.gerrit.entities.AccountGroup;
import com.google.gerrit.extensions.client.AccountFieldName;
import com.google.gerrit.extensions.client.AuthType;
import com.google.gerrit.server.account.AbstractRealm;
import com.google.gerrit.server.account.AccountException;
import com.google.gerrit.server.account.AuthRequest;
import com.google.gerrit.server.account.EmailExpander;
import com.google.gerrit.server.account.GroupBackends;
import com.google.gerrit.server.account.externalids.ExternalId;
import com.google.gerrit.server.account.externalids.ExternalIds;
import com.google.gerrit.server.auth.AuthenticationUnavailableException;
import com.google.gerrit.server.auth.NoSuchUserException;
import com.google.gerrit.server.auth.ldap.Helper;
import com.google.gerrit.server.auth.ldap.LdapQuery;
import com.google.gerrit.server.config.AuthConfig;
import com.google.gerrit.server.config.GerritServerConfig;
import com.google.gerrit.server.logging.Metadata;
import com.google.gerrit.server.logging.TraceContext;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import com.google.inject.name.Named;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import javax.naming.CompositeName;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.security.auth.login.LoginException;
import org.eclipse.jgit.lib.Config;

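/**
 * {@link AbstractRealm} that authenticates users and resolves their group membership against an
 * LDAP directory, driven by the {@code ldap} section of the server configuration.
 *
 * <p>The static helpers read {@code ldap.*} settings and are shared with the other classes of this
 * package. The nested {@link CacheLoader}s back the caches this realm is wired to (group
 * existence, group membership, and username-to-account lookups).
 *
 * <p>This class was recovered from a decompiler; try-with-resources and try/finally blocks have
 * been restored to their source form, raw types have been parameterised, and
 * {@link #accountBelongsToRealm} now tests the external-id scheme instead of a substring match.
 */
@Singleton
class LdapRealm extends AbstractRealm {
    private static final FluentLogger logger = FluentLogger.forEnclosingClass();

    /** JNDI initial context factory class name for LDAP connections. */
    static final String LDAP = "com.sun.jndi.ldap.LdapCtxFactory";

    /**
     * The {@code "username"} parameter name. Not referenced in this class; presumably the
     * substitution key used by the LDAP query templates elsewhere in this package.
     */
    static final String USERNAME = "username";

    private final Helper helper;
    private final AuthConfig authConfig;
    private final EmailExpander emailExpander;
    private final LoadingCache<String, Optional<Account.Id>> usernameCache;
    // Account fields owned by LDAP that users may not edit; see allowsEdit().
    private final Set<AccountFieldName> readOnlyAccountFields = new HashSet<>();
    private final boolean fetchMemberOfEagerly;
    // Name of a group every authenticating user must belong to, or null when not configured.
    private final String mandatoryGroup;
    private final LdapGroupBackend groupBackend;
    private final Config config;
    private final LoadingCache<String, Set<AccountGroup.UUID>> membershipCache;

    /** Loads whether a group DN exists in the directory by attempting to read its attributes. */
    static class ExistenceLoader extends CacheLoader<String, Boolean> {
        private final Helper helper;

        @Inject
        ExistenceLoader(Helper helper) {
            this.helper = helper;
        }

        /**
         * Returns {@code true} if the attributes of {@code groupDn} can be read.
         *
         * <p>Every {@link NamingException} — transient connection failures included, not only
         * "no such object" — maps to {@code false}, and that is the value the cache retains. A
         * directory outage can therefore make an existing group look absent until the cached
         * entry expires.
         *
         * @param groupDn distinguished name of the group to probe
         * @throws Exception if the directory connection cannot be opened
         */
        @Override
        public Boolean load(String groupDn) throws Exception {
            try (TraceContext.TraceTimer ignored =
                    TraceContext.newTimer("Loading groupDn", Metadata.builder().authDomainName(groupDn).build())) {
                DirContext ctx = helper.open();
                try {
                    // Wrapping the DN in a CompositeName keeps JNDI from parsing the raw string
                    // as a '/'-separated composite name.
                    ctx.getAttributes(new CompositeName().add(groupDn));
                    return true;
                } catch (NamingException e) {
                    return false;
                } finally {
                    helper.close(ctx);
                }
            }
        }
    }

    /** Loads the UUIDs of the LDAP groups a username belongs to. */
    static class MemberLoader extends CacheLoader<String, Set<AccountGroup.UUID>> {
        private final Helper helper;

        @Inject
        MemberLoader(Helper helper) {
            this.helper = helper;
        }

        /**
         * Queries the directory for the groups of {@code username}.
         *
         * @param username local username to resolve
         * @return the group UUIDs reported by {@link Helper#queryForGroups}
         * @throws Exception if the directory cannot be opened or queried
         */
        @Override
        public Set<AccountGroup.UUID> load(String username) throws Exception {
            try (TraceContext.TraceTimer ignored = TraceContext.newTimer(
                    "Loading group for member with username", Metadata.builder().username(username).build())) {
                DirContext ctx = helper.open();
                try {
                    // No pre-fetched account entry is available on this path, hence the null.
                    return helper.queryForGroups(ctx, username, null);
                } finally {
                    helper.close(ctx);
                }
            }
        }
    }

    /** Loads the account id registered under the {@code gerrit:} external id for a username. */
    static class UserLoader extends CacheLoader<String, Optional<Account.Id>> {
        private final ExternalIds externalIds;

        @Inject
        UserLoader(ExternalIds externalIds) {
            this.externalIds = externalIds;
        }

        /**
         * Looks up the {@code gerrit:<username>} external id.
         *
         * @param username local username
         * @return the owning account id, or empty if no such external id exists
         * @throws Exception if the external-id lookup fails
         */
        @Override
        public Optional<Account.Id> load(String username) throws Exception {
            try (TraceContext.TraceTimer ignored = TraceContext.newTimer(
                    "Loading account for username", Metadata.builder().username(username).build())) {
                return externalIds.get(ExternalId.Key.create("gerrit", username)).map(ExternalId::accountId);
            }
        }
    }

    /**
     * Creates the realm and derives the set of read-only account fields from the configuration:
     * a configured {@code ldap.accountFullName} / {@code ldap.accountSshUserName} makes the
     * corresponding field LDAP-owned, and registering new e-mail addresses is locked unless
     * {@link AuthConfig#isAllowRegisterNewEmail()} permits it.
     */
    @Inject
    LdapRealm(Helper helper, AuthConfig authConfig, EmailExpander emailExpander, LdapGroupBackend ldapGroupBackend, @Named("ldap_groups") LoadingCache<String, Set<AccountGroup.UUID>> loadingCache, @Named("ldap_usernames") LoadingCache<String, Optional<Account.Id>> loadingCache2, @GerritServerConfig Config config) {
        this.helper = helper;
        this.authConfig = authConfig;
        this.emailExpander = emailExpander;
        this.groupBackend = ldapGroupBackend;
        this.usernameCache = loadingCache2;
        this.membershipCache = loadingCache;
        this.config = config;
        // optdef() yields null only for an explicitly empty value, so an unset key (which falls
        // back to "DEFAULT") still marks the field read-only.
        if (optdef(config, "accountFullName", "DEFAULT") != null) {
            readOnlyAccountFields.add(AccountFieldName.FULL_NAME);
        }
        if (optdef(config, "accountSshUserName", "DEFAULT") != null) {
            readOnlyAccountFields.add(AccountFieldName.USER_NAME);
        }
        if (!authConfig.isAllowRegisterNewEmail()) {
            readOnlyAccountFields.add(AccountFieldName.REGISTER_NEW_EMAIL);
        }
        this.fetchMemberOfEagerly = optional(config, "fetchMemberOfEagerly", true);
        this.mandatoryGroup = optional(config, "mandatoryGroup");
    }

    /** Reads {@code ldap.<name>} as a {@link SearchScope}, defaulting to {@code SUBTREE}. */
    public static SearchScope scope(Config config, String name) {
        return config.getEnum("ldap", null, name, SearchScope.SUBTREE);
    }

    /** Reads {@code ldap.<name>}, returning {@code null} when it is not set. */
    public static String optional(Config config, String name) {
        return config.getString("ldap", null, name);
    }

    /** Reads {@code ldap.<name>} as an int, returning {@code defaultValue} when it is not set. */
    static int optional(Config config, String name, int defaultValue) {
        return config.getInt("ldap", name, defaultValue);
    }

    /**
     * Reads {@code ldap.<name>}, returning {@code defaultValue} when it is unset <em>or</em>
     * empty. Contrast {@link #optdef}, which treats an empty value as "explicitly disabled".
     */
    public static String optional(Config config, String name, String defaultValue) {
        String value = optional(config, name);
        return Strings.isNullOrEmpty(value) ? defaultValue : value;
    }

    /** Reads {@code ldap.<name>} as a boolean, returning {@code defaultValue} when it is not set. */
    public static boolean optional(Config config, String name, boolean defaultValue) {
        return config.getBoolean("ldap", name, defaultValue);
    }

    /**
     * Reads {@code ldap.<name>} and fails when it is unset or empty.
     *
     * @throws IllegalArgumentException if the setting is missing
     */
    static String required(Config config, String name) {
        String value = optional(config, name);
        if (Strings.isNullOrEmpty(value)) {
            throw new IllegalArgumentException("No ldap." + name + " configured");
        }
        return value;
    }

    /** Reads all values of {@code ldap.<name>}; empty when none are set. */
    public static List<String> optionalList(Config config, String name) {
        return Arrays.asList(config.getStringList("ldap", null, name));
    }

    /**
     * Reads all values of {@code ldap.<name>} and fails when there are none.
     *
     * @throws IllegalArgumentException if the setting is missing
     */
    public static List<String> requiredList(Config config, String name) {
        List<String> values = optionalList(config, name);
        if (values.isEmpty()) {
            throw new IllegalArgumentException("No ldap " + name + " configured");
        }
        return values;
    }

    /**
     * Reads {@code ldap.<name>} with three-way semantics: {@code defaultValue} when the key is
     * absent, {@code null} when it is present but empty (explicitly disabled), otherwise the first
     * configured value.
     *
     * <p>When {@code defaultValue} is null or empty the setting is considered unsupported by the
     * backend, and an explicit non-empty value is rejected.
     *
     * @throws IllegalArgumentException if the backend does not support the setting
     */
    public static String optdef(Config config, String name, String defaultValue) {
        String[] values = config.getStringList("ldap", null, name);
        if (values == null || values.length == 0) {
            return defaultValue;
        }
        String first = values[0];
        if (Strings.isNullOrEmpty(first)) {
            return null;
        }
        checkBackendCompliance(name, first, Strings.isNullOrEmpty(defaultValue));
        return first;
    }

    /**
     * Like {@link #optdef} but fails instead of returning {@code null}.
     *
     * @throws IllegalArgumentException if the setting is explicitly empty or unsupported
     */
    public static String reqdef(Config config, String name, String defaultValue) {
        String value = optdef(config, name, defaultValue);
        if (value == null) {
            throw new IllegalArgumentException("No ldap." + name + " configured");
        }
        return value;
    }

    /**
     * Reads {@code ldap.<name>} via {@link #optdef} as a {@link ParameterizedString}. A bare
     * attribute name without {@code ${} is wrapped as {@code ${name}}.
     *
     * @return the template, or {@code null} when the setting is explicitly disabled
     */
    public static ParameterizedString paramString(Config config, String name, String defaultValue) {
        String value = optdef(config, name, defaultValue);
        if (value == null) {
            return null;
        }
        return value.contains("${") ? new ParameterizedString(value) : new ParameterizedString("${" + value + "}");
    }

    /**
     * Rejects an explicit value for a setting the backend does not support.
     *
     * @param name configuration key (without the {@code ldap.} prefix), used in the message
     * @param value the configured value
     * @param unsupported whether the backend supports this setting at all
     */
    private static void checkBackendCompliance(String name, String value, boolean unsupported) {
        if (!unsupported || Strings.isNullOrEmpty(value)) {
            return;
        }
        String message = String.format("LDAP backend doesn't support: ldap.%s", name);
        // Single-argument log(String) treats the message literally, so a '%' in the key is safe.
        logger.atSevere().log(message);
        throw new IllegalArgumentException(message);
    }

    /** Returns whether users may edit {@code field}; fields LDAP owns are read-only. */
    @Override
    public boolean allowsEdit(AccountFieldName field) {
        return !readOnlyAccountFields.contains(field);
    }

    /**
     * Expands {@code pattern} with the attributes of an LDAP search result.
     *
     * @param pattern template to expand, or {@code null} when the attribute is not configured
     * @param result entry whose attributes supply the substitution values
     * @return the expanded string, or {@code null} if {@code pattern} is {@code null} or the
     *     expansion is empty
     * @throws NamingException presumably from reading an attribute off {@code result}
     */
    public static String apply(ParameterizedString pattern, LdapQuery.Result result) throws NamingException {
        if (pattern == null) {
            return null;
        }
        Map<String, String> values = new HashMap<>();
        for (String attribute : result.attributes()) {
            values.put(attribute, result.get(attribute));
        }
        String expanded = pattern.replace(values);
        return expanded.isEmpty() ? null : expanded;
    }

    /**
     * Authenticates {@code authRequest} against the directory and fills in display name,
     * username, e-mail and (optionally) group membership from the LDAP entry.
     *
     * <p>The password is verified only for {@link AuthType#LDAP_BIND} (by binding as the user up
     * front) and for {@link AuthType#LDAP} (by binding as the found DN, unless the request asks to
     * skip authentication). Other auth types reach this method with no password check here.
     *
     * @return the same request, populated from the directory
     * @throws AccountException if the mandatory group cannot be resolved or the user is not a
     *     member of it; {@link AuthenticationUnavailableException} wraps directory/JAAS failures
     */
    @Override
    public AuthRequest authenticate(AuthRequest authRequest) throws AccountException {
        if (config.getBoolean("ldap", "localUsernameToLowerCase", false)) {
            authRequest.setLocalUser(authRequest.getLocalUser().toLowerCase(Locale.US));
        }
        String username = authRequest.getLocalUser();
        try {
            DirContext ctx = authConfig.getAuthType() == AuthType.LDAP_BIND
                    ? helper.authenticate(username, authRequest.getPassword())
                    : helper.open();
            try {
                Helper.LdapSchema schema = helper.getSchema(ctx);
                authRequest.setAuthProvidesAccountActiveStatus(true);
                LdapQuery.Result account = helper.findAccount(schema, ctx, username, fetchMemberOfEagerly);
                // findAccount returned, so the directory knows this user.
                authRequest.setActive(true);
                if (authConfig.getAuthType() == AuthType.LDAP && !authRequest.isSkipAuthentication()) {
                    // Bind as the resolved DN purely to verify the password; the context is
                    // discarded immediately.
                    helper.close(helper.authenticate(account.getDN(), authRequest.getPassword()));
                }
                authRequest.setDisplayName(apply(schema.accountFullName, account));
                authRequest.setUserName(apply(schema.accountSshUserName, account));
                if (schema.accountEmailAddress != null) {
                    authRequest.setEmailAddress(apply(schema.accountEmailAddress, account));
                } else if (emailExpander.canExpand(username)) {
                    authRequest.setEmailAddress(emailExpander.expand(username));
                }
                if (fetchMemberOfEagerly || mandatoryGroup != null) {
                    Set<AccountGroup.UUID> groups = helper.queryForGroups(ctx, username, account);
                    if (mandatoryGroup != null) {
                        GroupReference required = GroupBackends.findExactSuggestion(groupBackend, mandatoryGroup);
                        if (required == null) {
                            throw new AccountException("Could not identify mandatory group: " + mandatoryGroup);
                        }
                        if (!groups.contains(required.getUUID())) {
                            throw new AccountException("Not member of mandatory LDAP group: " + required.getName());
                        }
                    }
                    // Seed the membership cache so the first authorization check needs no query.
                    membershipCache.put(username, groups);
                }
                return authRequest;
            } finally {
                helper.close(ctx);
            }
        } catch (IOException | NamingException e) {
            logger.atSevere().withCause(e).log("Cannot query LDAP to authenticate user");
            throw new AuthenticationUnavailableException("Cannot query LDAP for account", e);
        } catch (LoginException e) {
            logger.atSevere().withCause(e).log("Cannot authenticate server via JAAS");
            throw new AuthenticationUnavailableException("Cannot query LDAP for account", e);
        }
    }

    /** Records the new account in the username cache so {@link #lookup} finds it immediately. */
    @Override
    public void onCreateAccount(AuthRequest authRequest, Account account) {
        usernameCache.put(authRequest.getLocalUser(), Optional.of(account.id()));
    }

    /**
     * Resolves a local username to an account id through the username cache.
     *
     * @param username local username; null or empty yields {@code null}
     * @return the account id, or {@code null} if unknown or if the cache load fails (logged)
     */
    @Override
    public Account.Id lookup(String username) {
        if (Strings.isNullOrEmpty(username)) {
            return null;
        }
        try {
            Optional<Account.Id> id = usernameCache.get(username);
            // A LoadingCache should never hand back null; the guard is kept for safety.
            return id != null ? id.orElse(null) : null;
        } catch (ExecutionException e) {
            logger.atWarning().withCause(e).log("Cannot lookup account %s in LDAP", username);
            return null;
        }
    }

    /**
     * Returns whether {@code username} still resolves to an entry in the directory.
     *
     * @return {@code false} only when the helper reports {@link NoSuchUserException}; any other
     *     failure propagates
     */
    @Override
    public boolean isActive(String username) throws LoginException, NamingException, AccountException, IOException {
        DirContext ctx = helper.open();
        try {
            helper.findAccount(helper.getSchema(ctx), ctx, username, false);
            return true;
        } catch (NoSuchUserException e) {
            return false;
        } finally {
            helper.close(ctx);
        }
    }

    /**
     * Returns whether any of the external ids uses the {@code gerrit:} scheme, i.e. the account
     * was created by this realm.
     *
     * <p>The check is on the id's scheme rather than a substring search of its string form, which
     * would also match unrelated ids merely containing the text "gerrit" (an e-mail address, for
     * instance).
     */
    @Override
    public boolean accountBelongsToRealm(Collection<ExternalId> externalIds) {
        for (ExternalId id : externalIds) {
            if (id.isScheme("gerrit")) {
                return true;
            }
        }
        return false;
    }
}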
