package com.google.gerrit.httpd;

import com.google.common.base.MoreObjects;
import com.google.common.base.Strings;
import com.google.common.flogger.FluentLogger;
import com.google.gerrit.entities.Account;
import com.google.gerrit.extensions.client.GitBasicAuthPolicy;
import com.google.gerrit.extensions.registration.DynamicItem;
import com.google.gerrit.server.AccessPath;
import com.google.gerrit.server.account.AccountCache;
import com.google.gerrit.server.account.AccountException;
import com.google.gerrit.server.account.AccountManager;
import com.google.gerrit.server.account.AccountState;
import com.google.gerrit.server.account.AuthRequest;
import com.google.gerrit.server.account.AuthenticationFailedException;
import com.google.gerrit.server.account.externalids.PasswordVerifier;
import com.google.gerrit.server.auth.NoSuchUserException;
import com.google.gerrit.server.config.AuthConfig;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Optional;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import org.apache.commons.codec.binary.Base64;

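@Singleton
/**
 * Servlet filter that authenticates requests carrying an HTTP Basic {@code Authorization}
 * header against Gerrit accounts.
 *
 * <p>Requests without a {@code Basic} header pass through untouched. Requests with one are
 * verified according to {@link AuthConfig#getGitBasicAuthPolicy()}: against the stored HTTP
 * password, against the configured {@link AccountManager} backend, or both. On success the
 * account id is recorded on the {@link WebSession}; on failure a {@code 401} is sent and the
 * wrapped {@link Response} adds the {@code WWW-Authenticate} challenge for that status.
 *
 * <p>The filter holds only injected, final collaborators, so the singleton is safe to share
 * across requests.
 */
class ProjectBasicAuthFilter implements Filter {
    private static final FluentLogger logger = FluentLogger.forEnclosingClass();
    public static final String REALM_NAME = "Gerrit Code Review";
    private static final String AUTHORIZATION = "Authorization";
    private static final String LIT_BASIC = "Basic ";
    private final DynamicItem<WebSession> session;
    private final AccountCache accountCache;
    private final AccountManager accountManager;
    private final AuthConfig authConfig;

    /**
     * Response wrapper that keeps the {@code WWW-Authenticate} header consistent with the
     * status code: a {@code 401} carries the Basic challenge for {@link #REALM_NAME}, any
     * other status drops a challenge that may have been set earlier.
     */
    public static class Response extends HttpServletResponseWrapper {
        private static final String WWW_AUTHENTICATE = "WWW-Authenticate";

        Response(HttpServletResponse httpServletResponse) {
            super(httpServletResponse);
        }

        /** Adds or removes the Basic challenge header to match {@code statusCode}. */
        private void status(int statusCode) {
            if (statusCode == HttpServletResponse.SC_UNAUTHORIZED) {
                setHeader(WWW_AUTHENTICATE, LIT_BASIC + "realm=\"" + REALM_NAME + "\"");
            } else if (containsHeader(WWW_AUTHENTICATE)) {
                // A challenge only makes sense together with 401; clear a stale one.
                setHeader(WWW_AUTHENTICATE, null);
            }
        }

        @Override
        public void sendError(int statusCode, String message) throws IOException {
            status(statusCode);
            super.sendError(statusCode, message);
        }

        @Override
        public void sendError(int statusCode) throws IOException {
            status(statusCode);
            super.sendError(statusCode);
        }

        @Override
        @Deprecated
        public void setStatus(int statusCode, String message) {
            status(statusCode);
            super.setStatus(statusCode, message);
        }

        @Override
        public void setStatus(int statusCode) {
            status(statusCode);
            super.setStatus(statusCode);
        }
    }

    /**
     * @param session per-request web session the authenticated account id is stored on
     * @param accountCache lookup of accounts by username
     * @param accountManager authentication backend used for the LDAP-backed policies
     * @param authConfig source of the Git Basic-auth policy and username normalization flag
     */
    @Inject
    ProjectBasicAuthFilter(DynamicItem<WebSession> session, AccountCache accountCache,
            AccountManager accountManager, AuthConfig authConfig) {
        this.session = session;
        this.accountCache = accountCache;
        this.accountManager = accountManager;
        this.authConfig = authConfig;
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // Nothing to configure; all dependencies are injected.
    }

    @Override
    public void destroy() {
        // No resources to release.
    }

    /**
     * Verifies Basic credentials, if present, and continues the chain only when the request
     * is acceptable. The chain always sees the {@link Response} wrapper so that any later
     * {@code 401} also carries the challenge header.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
            FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) servletRequest;
        Response rsp = new Response((HttpServletResponse) servletResponse);
        if (verify(req, rsp)) {
            filterChain.doFilter(req, rsp);
        }
    }

    /**
     * Checks the {@code Authorization} header of {@code req}.
     *
     * @return {@code true} if the chain may continue (no Basic header, or credentials
     *     accepted); {@code false} if a {@code 401} has already been sent on {@code rsp}
     * @throws IOException if sending the error response fails, or if the request declares a
     *     character encoding the JVM does not support (surfaces as
     *     {@code UnsupportedEncodingException} while decoding the credentials)
     */
    private boolean verify(HttpServletRequest req, Response rsp) throws IOException {
        String hdr = req.getHeader(AUTHORIZATION);
        if (hdr == null || !hdr.startsWith(LIT_BASIC)) {
            // Not Basic auth: leave the decision to later filters/handlers.
            return true;
        }

        // The request's own character encoding decides how the decoded bytes are read.
        String credentials = new String(
                Base64.decodeBase64(hdr.substring(LIT_BASIC.length())), encoding(req));
        int colon = credentials.indexOf(':');
        if (colon < 1) {
            // No separator, or an empty username before it.
            return reject(rsp);
        }
        String username = credentials.substring(0, colon);
        String password = credentials.substring(colon + 1);
        if (Strings.isNullOrEmpty(password)) {
            return reject(rsp);
        }
        if (authConfig.isUserNameToLowerCase()) {
            username = username.toLowerCase(Locale.US);
        }

        Optional<AccountState> who =
                accountCache.getByUsername(username).filter(a -> a.account().isActive());
        if (!who.isPresent()) {
            logger.atWarning().log(
                    "Authentication failed for %s: account inactive or not provisioned in Gerrit",
                    username);
            return reject(rsp);
        }
        AccountState state = who.get();

        GitBasicAuthPolicy policy = authConfig.getGitBasicAuthPolicy();
        boolean tryHttpPassword =
                policy == GitBasicAuthPolicy.HTTP || policy == GitBasicAuthPolicy.HTTP_LDAP;
        if (tryHttpPassword
                && PasswordVerifier.checkPassword(state.externalIds(), username, password)) {
            return succeedAuthentication(state);
        }
        if (policy == GitBasicAuthPolicy.HTTP) {
            // HTTP-only policy: the stored password was the sole option.
            return failAuthentication(rsp, username, req);
        }

        // Remaining policies consult the account manager (e.g. LDAP).
        AuthRequest whoAuth = AuthRequest.forUser(username);
        whoAuth.setPassword(password);
        try {
            setUserIdentified(accountManager.authenticate(whoAuth).getAccountId());
            return true;
        } catch (AuthenticationFailedException e) {
            // Wrong credentials: no stack trace needed. The username is passed as a format
            // argument, never concatenated into the format string, so '%' in a client-supplied
            // username cannot be interpreted as a placeholder.
            logger.atWarning().log("%s: %s", authenticationFailedMsg(username, req), e.getMessage());
            return reject(rsp);
        } catch (NoSuchUserException e) {
            // Unknown to the backend: fall back to the stored HTTP password.
            if (PasswordVerifier.checkPassword(state.externalIds(), username, password)) {
                return succeedAuthentication(state);
            }
            logger.atWarning().withCause(e).log("%s", authenticationFailedMsg(username, req));
            return reject(rsp);
        } catch (AccountException e) {
            logger.atWarning().withCause(e).log("%s", authenticationFailedMsg(username, req));
            return reject(rsp);
        }
    }

    /** Sends a {@code 401} (the wrapper adds the challenge) and reports "stop the chain". */
    private boolean reject(Response rsp) throws IOException {
        rsp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return false;
    }

    /** Records {@code state}'s account on the session and reports "continue the chain". */
    private boolean succeedAuthentication(AccountState state) {
        setUserIdentified(state.account().id());
        return true;
    }

    /** Logs a stored-password mismatch for {@code username} and sends a {@code 401}. */
    private boolean failAuthentication(Response rsp, String username, HttpServletRequest req)
            throws IOException {
        logger.atWarning().log(
                "%s: password does not match the one stored in Gerrit",
                authenticationFailedMsg(username, req));
        return reject(rsp);
    }

    /** Builds the shared "authentication failed" log prefix, naming the remote address. */
    public static String authenticationFailedMsg(String username, HttpServletRequest req) {
        return String.format("Authentication from %s failed for %s", req.getRemoteAddr(), username);
    }

    /** Binds {@code id} to the current web session and opens the Git and REST access paths. */
    private void setUserIdentified(Account.Id id) {
        WebSession webSession = session.get();
        webSession.setUserAccountId(id);
        webSession.setAccessPathOk(AccessPath.GIT, true);
        webSession.setAccessPathOk(AccessPath.REST_API, true);
    }

    /** The request's declared character encoding, or UTF-8 when none is declared. */
    private String encoding(HttpServletRequest req) {
        return MoreObjects.firstNonNull(req.getCharacterEncoding(), StandardCharsets.UTF_8.name());
    }
}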
