package com.google.gerrit.gpg;

import com.google.common.base.CharMatcher;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.Maps;
import com.google.common.collect.UnmodifiableIterator;
import com.google.common.flogger.FluentLogger;
import com.google.common.io.BaseEncoding;
import com.google.gerrit.extensions.registration.DynamicItem;
import com.google.gerrit.server.IdentifiedUser;
import com.google.gerrit.server.account.AccountState;
import com.google.gerrit.server.account.externalids.ExternalId;
import com.google.gerrit.server.config.GerritServerConfig;
import com.google.gerrit.server.config.UrlFormatter;
import com.google.gerrit.server.query.account.InternalAccountQuery;
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.Singleton;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.operator.bc.BcPGPContentVerifierBuilderProvider;
import org.eclipse.jgit.lib.Config;
import org.eclipse.jgit.lib.ConfigConstants;
import org.eclipse.jgit.transport.PushCertificateIdent;

/* loaded from: input_file:com/google/gerrit/gpg/GerritPublicKeyChecker.class */
public class GerritPublicKeyChecker extends PublicKeyChecker {
    private static final FluentLogger logger = FluentLogger.forEnclosingClass();
    private final Provider<InternalAccountQuery> accountQueryProvider;
    private final DynamicItem<UrlFormatter> urlFormatter;
    private final IdentifiedUser.GenericFactory userFactory;
    private IdentifiedUser expectedUser;

    @Singleton
    /* loaded from: input_file:com/google/gerrit/gpg/GerritPublicKeyChecker$Factory.class */
    public static class Factory {
        private final Provider<InternalAccountQuery> accountQueryProvider;
        private final DynamicItem<UrlFormatter> urlFormatter;
        private final IdentifiedUser.GenericFactory userFactory;
        private final int maxTrustDepth;
        private final ImmutableMap<Long, Fingerprint> trusted;

        @Inject
        Factory(@GerritServerConfig Config config, Provider<InternalAccountQuery> provider, IdentifiedUser.GenericFactory genericFactory, DynamicItem<UrlFormatter> dynamicItem) {
            this.accountQueryProvider = provider;
            this.urlFormatter = dynamicItem;
            this.userFactory = genericFactory;
            this.maxTrustDepth = config.getInt(ConfigConstants.CONFIG_RECEIVE_SECTION, null, "maxTrustDepth", 0);
            String[] stringList = config.getStringList(ConfigConstants.CONFIG_RECEIVE_SECTION, null, "trustedKey");
            if (stringList.length == 0) {
                this.trusted = null;
                return;
            }
            HashMap newHashMapWithExpectedSize = Maps.newHashMapWithExpectedSize(stringList.length);
            for (String str : stringList) {
                Fingerprint fingerprint = new Fingerprint(BaseEncoding.base16().decode(CharMatcher.whitespace().removeFrom(str).toUpperCase()));
                newHashMapWithExpectedSize.put(Long.valueOf(fingerprint.getId()), fingerprint);
            }
            this.trusted = ImmutableMap.copyOf((Map) newHashMapWithExpectedSize);
        }

        public GerritPublicKeyChecker create() {
            return new GerritPublicKeyChecker(this);
        }

        public GerritPublicKeyChecker create(IdentifiedUser identifiedUser, PublicKeyStore publicKeyStore) {
            GerritPublicKeyChecker gerritPublicKeyChecker = new GerritPublicKeyChecker(this);
            gerritPublicKeyChecker.setExpectedUser(identifiedUser);
            gerritPublicKeyChecker.setStore(publicKeyStore);
            return gerritPublicKeyChecker;
        }
    }

    private GerritPublicKeyChecker(Factory factory) {
        this.accountQueryProvider = factory.accountQueryProvider;
        this.urlFormatter = factory.urlFormatter;
        this.userFactory = factory.userFactory;
        if (factory.trusted != null) {
            enableTrust(factory.maxTrustDepth, factory.trusted);
        }
    }

    public GerritPublicKeyChecker setExpectedUser(IdentifiedUser identifiedUser) {
        this.expectedUser = identifiedUser;
        return this;
    }

    @Override // com.google.gerrit.gpg.PublicKeyChecker
    public CheckResult checkCustom(PGPPublicKey pGPPublicKey, int i) {
        if (i == 0) {
            try {
                if (this.expectedUser != null) {
                    return checkIdsForExpectedUser(pGPPublicKey);
                }
            } catch (PGPException | RuntimeException e) {
                logger.atWarning().withCause(e).log("%s %s", "Error checking user IDs for key", PublicKeyStore.keyIdToString(pGPPublicKey.getKeyID()));
                return CheckResult.bad("Error checking user IDs for key");
            }
        }
        return checkIdsForArbitraryUser(pGPPublicKey);
    }

    private CheckResult checkIdsForExpectedUser(PGPPublicKey pGPPublicKey) throws PGPException {
        Set<String> allowedUserIds = getAllowedUserIds(this.expectedUser);
        if (!allowedUserIds.isEmpty()) {
            return hasAllowedUserId(pGPPublicKey, allowedUserIds) ? CheckResult.trusted() : CheckResult.bad(missingUserIds(allowedUserIds));
        }
        Optional<String> settingsUrl = this.urlFormatter.get().getSettingsUrl("Identities");
        String[] strArr = new String[1];
        strArr[0] = "No identities found for user" + (settingsUrl.isPresent() ? "; check " + settingsUrl.get() : "");
        return CheckResult.bad(strArr);
    }

    private CheckResult checkIdsForArbitraryUser(PGPPublicKey pGPPublicKey) throws PGPException {
        List<AccountState> byExternalId = this.accountQueryProvider.get().byExternalId(toExtIdKey(pGPPublicKey));
        if (byExternalId.isEmpty()) {
            return CheckResult.bad("Key is not associated with any users");
        }
        if (byExternalId.size() > 1) {
            return CheckResult.bad("Key is associated with multiple users");
        }
        Set<String> allowedUserIds = getAllowedUserIds(this.userFactory.create(byExternalId.get(0)));
        return allowedUserIds.isEmpty() ? CheckResult.bad("No identities found for user") : hasAllowedUserId(pGPPublicKey, allowedUserIds) ? CheckResult.trusted() : CheckResult.bad("Key does not contain any valid certifications for user's identities");
    }

    private boolean hasAllowedUserId(PGPPublicKey pGPPublicKey, Set<String> set) throws PGPException {
        Iterator userIDs = pGPPublicKey.getUserIDs();
        while (userIDs.hasNext()) {
            String str = (String) userIDs.next();
            if (isAllowed(str, set)) {
                Iterator<PGPSignature> signaturesForId = getSignaturesForId(pGPPublicKey, str);
                while (signaturesForId.hasNext()) {
                    if (isValidCertification(pGPPublicKey, signaturesForId.next(), str)) {
                        return true;
                    }
                }
            }
        }
        return false;
    }

    private Iterator<PGPSignature> getSignaturesForId(PGPPublicKey pGPPublicKey, String str) {
        Iterator<PGPSignature> signaturesForID = pGPPublicKey.getSignaturesForID(str);
        return signaturesForID != null ? signaturesForID : Collections.emptyIterator();
    }

    private Set<String> getAllowedUserIds(IdentifiedUser identifiedUser) {
        HashSet hashSet = new HashSet();
        hashSet.addAll(identifiedUser.getEmailAddresses());
        UnmodifiableIterator<ExternalId> it = identifiedUser.state().externalIds().iterator();
        while (it.hasNext()) {
            ExternalId next = it.next();
            if (!next.isScheme(ExternalId.SCHEME_GPGKEY)) {
                hashSet.add(next.key().get());
            }
        }
        return hashSet;
    }

    private static boolean isAllowed(String str, Set<String> set) {
        return set.contains(str) || set.contains(PushCertificateIdent.parse(str).getEmailAddress());
    }

    private static boolean isValidCertification(PGPPublicKey pGPPublicKey, PGPSignature pGPSignature, String str) throws PGPException {
        if ((pGPSignature.getSignatureType() != 16 && pGPSignature.getSignatureType() != 19) || pGPSignature.getKeyID() != pGPPublicKey.getKeyID()) {
            return false;
        }
        pGPSignature.init(new BcPGPContentVerifierBuilderProvider(), pGPPublicKey);
        return pGPSignature.verifyCertification(str, pGPPublicKey);
    }

    private static String missingUserIds(Set<String> set) {
        StringBuilder sb = new StringBuilder("Key must contain a valid certification for one of the following identities:\n");
        Iterator<String> it = set.stream().sorted().iterator();
        while (it.hasNext()) {
            sb.append("  ").append(it.next());
            if (it.hasNext()) {
                sb.append('\n');
            }
        }
        return sb.toString();
    }

    static ExternalId.Key toExtIdKey(PGPPublicKey pGPPublicKey) {
        return ExternalId.Key.create(ExternalId.SCHEME_GPGKEY, BaseEncoding.base16().encode(pGPPublicKey.getFingerprint()));
    }
}
