package com.google.gerrit.httpd;

import com.google.common.base.MoreObjects;
import com.google.common.base.Strings;
import com.google.common.collect.Iterables;
import com.google.common.flogger.FluentLogger;
import com.google.common.io.BaseEncoding;
import com.google.gerrit.entities.Account;
import com.google.gerrit.extensions.auth.oauth.OAuthLoginProvider;
import com.google.gerrit.extensions.registration.DynamicItem;
import com.google.gerrit.extensions.registration.DynamicMap;
import com.google.gerrit.extensions.registration.Extension;
import com.google.gerrit.server.AccessPath;
import com.google.gerrit.server.account.AccountCache;
import com.google.gerrit.server.account.AccountException;
import com.google.gerrit.server.account.AccountManager;
import com.google.gerrit.server.account.AccountState;
import com.google.gerrit.server.account.AuthRequest;
import com.google.gerrit.server.account.AuthResult;
import com.google.gerrit.server.config.GerritServerConfig;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.NoSuchElementException;
import java.util.Optional;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import org.eclipse.jgit.lib.Config;

@Singleton
/* loaded from: input_file:com/google/gerrit/httpd/ProjectOAuthFilter.class */
class ProjectOAuthFilter implements Filter {
    private static final FluentLogger logger = FluentLogger.forEnclosingClass();
    private static final String REALM_NAME = "Gerrit Code Review";
    private static final String AUTHORIZATION = "Authorization";
    private static final String BASIC = "Basic ";
    private static final String GIT_COOKIE_PREFIX = "git-";
    private final DynamicItem<WebSession> session;
    private final DynamicMap<OAuthLoginProvider> loginProviders;
    private final AccountCache accountCache;
    private final AccountManager accountManager;
    private final String gitOAuthProvider;
    private final boolean userNameToLowerCase;
    private String defaultAuthPlugin;
    private String defaultAuthProvider;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/google/gerrit/httpd/ProjectOAuthFilter$AuthInfo.class */
    public class AuthInfo {
        private final String username;
        private final String tokenOrSecret;
        private final String pluginName;
        private final String exportName;

        private AuthInfo(String str, String str2, String str3, String str4) {
            this.username = ProjectOAuthFilter.this.userNameToLowerCase ? str.toLowerCase(Locale.US) : str;
            this.tokenOrSecret = str2;
            this.pluginName = str3;
            this.exportName = str4;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/google/gerrit/httpd/ProjectOAuthFilter$Response.class */
    public static class Response extends HttpServletResponseWrapper {
        private static final String WWW_AUTHENTICATE = "WWW-Authenticate";

        Response(HttpServletResponse httpServletResponse) {
            super(httpServletResponse);
        }

        private void status(int i) {
            if (i != 401) {
                if (containsHeader("WWW-Authenticate")) {
                    setHeader("WWW-Authenticate", null);
                }
            } else {
                StringBuilder sb = new StringBuilder();
                sb.append(ProjectOAuthFilter.BASIC);
                sb.append("realm=\"").append("Gerrit Code Review").append("\"");
                setHeader("WWW-Authenticate", sb.toString());
            }
        }

        @Override // javax.servlet.http.HttpServletResponseWrapper, javax.servlet.http.HttpServletResponse
        public void sendError(int i, String str) throws IOException {
            status(i);
            super.sendError(i, str);
        }

        @Override // javax.servlet.http.HttpServletResponseWrapper, javax.servlet.http.HttpServletResponse
        public void sendError(int i) throws IOException {
            status(i);
            super.sendError(i);
        }

        @Override // javax.servlet.http.HttpServletResponseWrapper, javax.servlet.http.HttpServletResponse
        @Deprecated
        public void setStatus(int i, String str) {
            status(i);
            super.setStatus(i, str);
        }

        @Override // javax.servlet.http.HttpServletResponseWrapper, javax.servlet.http.HttpServletResponse
        public void setStatus(int i) {
            status(i);
            super.setStatus(i);
        }
    }

    @Inject
    ProjectOAuthFilter(DynamicItem<WebSession> dynamicItem, DynamicMap<OAuthLoginProvider> dynamicMap, AccountCache accountCache, AccountManager accountManager, @GerritServerConfig Config config) {
        this.session = dynamicItem;
        this.loginProviders = dynamicMap;
        this.accountCache = accountCache;
        this.accountManager = accountManager;
        this.gitOAuthProvider = config.getString("auth", null, "gitOAuthProvider");
        this.userNameToLowerCase = config.getBoolean("auth", null, "userNameToLowerCase", false);
    }

    @Override // javax.servlet.Filter
    public void init(FilterConfig filterConfig) throws ServletException {
        if (Strings.isNullOrEmpty(this.gitOAuthProvider)) {
            pickOnlyProvider();
        } else {
            pickConfiguredProvider();
        }
    }

    @Override // javax.servlet.Filter
    public void destroy() {
    }

    @Override // javax.servlet.Filter
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        Response response = new Response((HttpServletResponse) servletResponse);
        if (verify(httpServletRequest, response)) {
            filterChain.doFilter(httpServletRequest, response);
        }
    }

    private boolean verify(HttpServletRequest httpServletRequest, Response response) throws IOException {
        AuthInfo extractAuthInfo;
        String header = httpServletRequest.getHeader("Authorization");
        if (header == null || !header.startsWith(BASIC)) {
            Cookie findGitCookie = findGitCookie(httpServletRequest);
            if (findGitCookie == null) {
                return true;
            }
            extractAuthInfo = extractAuthInfo(findGitCookie);
            if (extractAuthInfo == null) {
                response.sendError(401);
                return false;
            }
        } else {
            extractAuthInfo = extractAuthInfo(header, encoding(httpServletRequest));
            if (extractAuthInfo == null) {
                response.sendError(401);
                return false;
            }
        }
        if (Strings.isNullOrEmpty(extractAuthInfo.tokenOrSecret)) {
            response.sendError(401);
            return false;
        }
        Optional<AccountState> filter = this.accountCache.getByUsername(extractAuthInfo.username).filter(accountState -> {
            return accountState.account().isActive();
        });
        if (!filter.isPresent()) {
            logger.atWarning().log(ProjectBasicAuthFilter.authenticationFailedMsg(extractAuthInfo.username, httpServletRequest) + ": account inactive or not provisioned in Gerrit");
            response.sendError(401);
            return false;
        }
        Account account = filter.get().account();
        AuthRequest forExternalUser = AuthRequest.forExternalUser(extractAuthInfo.username);
        forExternalUser.setEmailAddress(account.preferredEmail());
        forExternalUser.setDisplayName(account.fullName());
        forExternalUser.setPassword(extractAuthInfo.tokenOrSecret);
        forExternalUser.setAuthPlugin(extractAuthInfo.pluginName);
        forExternalUser.setAuthProvider(extractAuthInfo.exportName);
        try {
            AuthResult authenticate = this.accountManager.authenticate(forExternalUser);
            WebSession webSession = this.session.get();
            webSession.setUserAccountId(authenticate.getAccountId());
            webSession.setAccessPathOk(AccessPath.GIT, true);
            webSession.setAccessPathOk(AccessPath.REST_API, true);
            return true;
        } catch (AccountException e) {
            logger.atWarning().withCause(e).log(ProjectBasicAuthFilter.authenticationFailedMsg(extractAuthInfo.username, httpServletRequest));
            response.sendError(401);
            return false;
        }
    }

    private void pickOnlyProvider() throws ServletException {
        try {
            Extension extension = (Extension) Iterables.getOnlyElement(this.loginProviders);
            this.defaultAuthPlugin = extension.getPluginName();
            this.defaultAuthProvider = extension.getExportName();
        } catch (IllegalArgumentException e) {
        } catch (NoSuchElementException e2) {
            throw new ServletException("No OAuth login provider installed", e2);
        }
    }

    private void pickConfiguredProvider() throws ServletException {
        int lastIndexOf = this.gitOAuthProvider.lastIndexOf(58);
        if (lastIndexOf < 1 || lastIndexOf == this.gitOAuthProvider.length() - 1) {
            throw new ServletException("OAuth login provider configuration is invalid: Must be of the form pluginName:providerName");
        }
        this.defaultAuthPlugin = this.gitOAuthProvider.substring(0, lastIndexOf);
        this.defaultAuthProvider = this.gitOAuthProvider.substring(lastIndexOf + 1);
        if (this.loginProviders.get(this.defaultAuthPlugin, this.defaultAuthProvider) == null) {
            throw new ServletException("Configured OAuth login provider " + this.gitOAuthProvider + " wasn't installed");
        }
    }

    private AuthInfo extractAuthInfo(String str, String str2) throws UnsupportedEncodingException {
        String str3 = new String(BaseEncoding.base64().decode(str.substring(BASIC.length())), str2);
        int indexOf = str3.indexOf(58);
        if (indexOf < 1 || indexOf == str3.length() - 1) {
            return null;
        }
        return new AuthInfo(str3.substring(0, indexOf), str3.substring(indexOf + 1), this.defaultAuthPlugin, this.defaultAuthProvider);
    }

    private AuthInfo extractAuthInfo(Cookie cookie) throws UnsupportedEncodingException {
        String decode = URLDecoder.decode(cookie.getName().substring(GIT_COOKIE_PREFIX.length()), StandardCharsets.UTF_8.name());
        String value = cookie.getValue();
        int lastIndexOf = value.lastIndexOf(64);
        if (lastIndexOf < 1 || lastIndexOf == value.length() - 1) {
            return new AuthInfo(decode, cookie.getValue(), this.defaultAuthPlugin, this.defaultAuthProvider);
        }
        String substring = value.substring(0, lastIndexOf);
        String substring2 = value.substring(lastIndexOf + 1);
        int lastIndexOf2 = substring2.lastIndexOf(58);
        if (lastIndexOf2 < 1 || lastIndexOf2 == substring2.length() - 1) {
            return null;
        }
        String substring3 = substring2.substring(0, lastIndexOf2);
        String substring4 = substring2.substring(lastIndexOf2 + 1);
        if (this.loginProviders.get(substring3, substring4) == null) {
            return null;
        }
        return new AuthInfo(decode, substring, substring3, substring4);
    }

    private static String encoding(HttpServletRequest httpServletRequest) {
        return (String) MoreObjects.firstNonNull(httpServletRequest.getCharacterEncoding(), StandardCharsets.UTF_8.name());
    }

    private static Cookie findGitCookie(HttpServletRequest httpServletRequest) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (cookie.getName().startsWith(GIT_COOKIE_PREFIX)) {
                return cookie;
            }
        }
        return null;
    }
}
