package com.google.gerrit.gpg;

import com.google.gerrit.gpg.GerritPushCertificateChecker;
import com.google.gerrit.server.IdentifiedUser;
import com.google.gerrit.server.util.MagicBranch;
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.Singleton;
import java.util.Collection;
import java.util.Iterator;
import org.eclipse.jgit.transport.PreReceiveHook;
import org.eclipse.jgit.transport.PushCertificate;
import org.eclipse.jgit.transport.ReceiveCommand;
import org.eclipse.jgit.transport.ReceivePack;

/**
 * Pre-receive hook that validates the push certificate attached to a signed push.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>A push that carries no certificate is not checked here at all; this hook returns without
 *       touching the commands. Rejecting unsigned pushes is done by {@link Required}.</li>
 *   <li>When every command targets a magic branch, {@code CheckResult.isOk()} is enough to accept
 *       the push; otherwise {@code CheckResult.isTrusted()} must hold. Presumably the trusted
 *       check is the stricter of the two; confirm against {@code CheckResult}.</li>
 *   <li>The problem strings reported by the checker are relayed to the pushing client as-is.</li>
 * </ul>
 */
@Singleton
public class SignedPushPreReceiveHook implements PreReceiveHook {
    private final Provider<IdentifiedUser> user;
    private final GerritPushCertificateChecker.Factory checkerFactory;

    /**
     * Hook that rejects any push arriving without a push certificate.
     *
     * <p>Only the presence of a certificate is tested here, not its validity, so on its own this
     * hook does not establish that a signature is good. NOTE(review): it is presumably installed
     * together with {@link SignedPushPreReceiveHook}; confirm at the registration site.
     */
    public static class Required implements PreReceiveHook {
        public static final Required INSTANCE = new Required();

        /** Not instantiable from outside; use {@link #INSTANCE}. */
        private Required() {
        }

        /**
         * Fails every still-pending command when the push has no certificate.
         *
         * @param receivePack the receive session; used to read the certificate and to message the client
         * @param collection the commands of this push
         */
        @Override
        public void onPreReceive(ReceivePack receivePack, Collection<ReceiveCommand> collection) {
            if (receivePack.getPushCertificate() != null) {
                return;
            }
            receivePack.sendMessage("ERROR: Signed push is required");
            SignedPushPreReceiveHook.reject(collection, "push cert error");
        }
    }

    /**
     * Creates the hook.
     *
     * @param provider supplies the user performing the push
     * @param factory creates a certificate checker for a given user
     */
    @Inject
    public SignedPushPreReceiveHook(Provider<IdentifiedUser> provider, GerritPushCertificateChecker.Factory factory) {
        this.user = provider;
        this.checkerFactory = factory;
    }

    /**
     * Checks the push certificate, if there is one, and rejects the push when the check result
     * does not permit it.
     *
     * @param receivePack the receive session; used to read the certificate and to message the client
     * @param collection the commands of this push
     */
    @Override
    public void onPreReceive(ReceivePack receivePack, Collection<ReceiveCommand> collection) {
        PushCertificate cert = receivePack.getPushCertificate();
        if (cert == null) {
            // Unsigned push: nothing to verify in this hook.
            return;
        }
        IdentifiedUser pusher = this.user.get();
        // The nonce check is switched on explicitly. Presumably this is the replay protection for
        // the certificate; confirm in the checker implementation.
        CheckResult verdict = this.checkerFactory
                .create(pusher)
                .setCheckNonce(true)
                .check(cert)
                .getCheckResult();
        if (!isAllowed(verdict, collection)) {
            // Tell the client why the certificate was refused before failing the commands.
            for (String problem : verdict.getProblems()) {
                receivePack.sendMessage(problem);
            }
            reject(collection, "invalid push cert");
        }
    }

    /**
     * Decides whether the check result is good enough for the given commands: {@code isOk()} when
     * all of them target magic branches, {@code isTrusted()} otherwise.
     */
    private static boolean isAllowed(CheckResult result, Collection<ReceiveCommand> commands) {
        if (onlyMagicBranches(commands)) {
            return result.isOk();
        }
        return result.isTrusted();
    }

    /**
     * Returns {@code true} when no command names a non-magic ref. An empty sequence of commands
     * therefore also yields {@code true}.
     */
    private static boolean onlyMagicBranches(Iterable<ReceiveCommand> commands) {
        for (ReceiveCommand command : commands) {
            boolean magic = MagicBranch.isMagicBranch(command.getRefName());
            if (!magic) {
                return false;
            }
        }
        return true;
    }

    /**
     * Marks every command that has not been attempted yet as rejected with the given reason.
     * Commands that already carry another result are left as they are.
     *
     * <p>The decompiler reports that this method was private in the original class; it is kept
     * public here to match the decompiled signature.
     *
     * @param collection the commands of this push
     * @param str the rejection message stored on each command
     */
    public static void reject(Collection<ReceiveCommand> collection, String str) {
        for (ReceiveCommand pending : collection) {
            if (pending.getResult() != ReceiveCommand.Result.NOT_ATTEMPTED) {
                continue;
            }
            pending.setResult(ReceiveCommand.Result.REJECTED_OTHER_REASON, str);
        }
    }
}
