package com.google.gerrit.server.account;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Sets;
import com.google.common.flogger.FluentLogger;
import com.google.gerrit.common.data.GlobalCapability;
import com.google.gerrit.entities.AccessSection;
import com.google.gerrit.entities.Account;
import com.google.gerrit.entities.AccountGroup;
import com.google.gerrit.exceptions.NoSuchGroupException;
import com.google.gerrit.exceptions.StorageException;
import com.google.gerrit.extensions.client.AccountFieldName;
import com.google.gerrit.server.IdentifiedUser;
import com.google.gerrit.server.ServerInitiated;
import com.google.gerrit.server.account.externalids.DuplicateExternalIdKeyException;
import com.google.gerrit.server.account.externalids.ExternalId;
import com.google.gerrit.server.account.externalids.ExternalIdFactory;
import com.google.gerrit.server.account.externalids.ExternalIdKeyFactory;
import com.google.gerrit.server.account.externalids.ExternalIds;
import com.google.gerrit.server.auth.NoSuchUserException;
import com.google.gerrit.server.config.GerritServerConfig;
import com.google.gerrit.server.group.db.GroupDelta;
import com.google.gerrit.server.group.db.GroupsUpdate;
import com.google.gerrit.server.notedb.Sequences;
import com.google.gerrit.server.project.ProjectCache;
import com.google.gerrit.server.ssh.SshKeyCache;
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.Singleton;
import com.ibm.icu.text.DateFormat;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.atomic.AtomicBoolean;
import org.eclipse.jgit.errors.ConfigInvalidException;
import org.eclipse.jgit.lib.Config;

@Singleton
/* loaded from: input_file:com/google/gerrit/server/account/AccountManager.class */
public class AccountManager {
    private static final FluentLogger logger = FluentLogger.forEnclosingClass();
    private final Sequences sequences;
    private final Accounts accounts;
    private final Provider<AccountsUpdate> accountsUpdateProvider;
    private final AccountCache byIdCache;
    private final Realm realm;
    private final IdentifiedUser.GenericFactory userFactory;
    private final SshKeyCache sshKeyCache;
    private final ProjectCache projectCache;
    private final AtomicBoolean awaitsFirstAccountCheck;
    private final ExternalIds externalIds;
    private final GroupsUpdate.Factory groupsUpdateFactory;
    private final boolean autoUpdateAccountActiveStatus;
    private final SetInactiveFlag setInactiveFlag;
    private final ExternalIdFactory externalIdFactory;
    private final ExternalIdKeyFactory externalIdKeyFactory;

    @VisibleForTesting
    @Inject
    public AccountManager(Sequences sequences, @GerritServerConfig Config config, Accounts accounts, @ServerInitiated Provider<AccountsUpdate> provider, AccountCache accountCache, Realm realm, IdentifiedUser.GenericFactory genericFactory, SshKeyCache sshKeyCache, ProjectCache projectCache, ExternalIds externalIds, GroupsUpdate.Factory factory, SetInactiveFlag setInactiveFlag, ExternalIdFactory externalIdFactory, ExternalIdKeyFactory externalIdKeyFactory) {
        this.sequences = sequences;
        this.accounts = accounts;
        this.accountsUpdateProvider = provider;
        this.byIdCache = accountCache;
        this.realm = realm;
        this.userFactory = genericFactory;
        this.sshKeyCache = sshKeyCache;
        this.projectCache = projectCache;
        this.awaitsFirstAccountCheck = new AtomicBoolean(config.getBoolean("capability", "makeFirstUserAdmin", true));
        this.externalIds = externalIds;
        this.groupsUpdateFactory = factory;
        this.autoUpdateAccountActiveStatus = config.getBoolean("auth", "autoUpdateAccountActiveStatus", false);
        this.setInactiveFlag = setInactiveFlag;
        this.externalIdFactory = externalIdFactory;
        this.externalIdKeyFactory = externalIdKeyFactory;
    }

    public Optional<Account.Id> lookup(String str) throws AccountException {
        try {
            return this.externalIds.get(this.externalIdKeyFactory.parse(str)).map((v0) -> {
                return v0.accountId();
            });
        } catch (IOException e) {
            throw new AccountException("Cannot lookup account " + str, e);
        }
    }

    public AuthResult authenticate(AuthRequest authRequest) throws AccountException, IOException {
        try {
            authRequest = this.realm.authenticate(authRequest);
            try {
                Optional<ExternalId> optional = this.externalIds.get(authRequest.getExternalIdKey());
                if (!optional.isPresent()) {
                    logger.atFine().log("External ID for account %s not found. A new account will be automatically created.", authRequest.getUserName());
                    return create(authRequest);
                }
                ExternalId externalId = optional.get();
                Optional<AccountState> optional2 = this.byIdCache.get(externalId.accountId());
                if (!optional2.isPresent()) {
                    logger.atSevere().log("Authentication with external ID %s failed. Account %s doesn't exist.", (Object) externalId.key().get(), externalId.accountId().get());
                    throw new AccountException("Authentication error, account not found");
                }
                Optional<Account> updateAccountActiveStatus = updateAccountActiveStatus(authRequest, optional2.get().account());
                if (!updateAccountActiveStatus.isPresent()) {
                    throw new AccountException("Authentication error, account not found");
                }
                if (!updateAccountActiveStatus.get().isActive()) {
                    throw new AccountException("Authentication error, account inactive");
                }
                update(authRequest, externalId);
                return new AuthResult(externalId.accountId(), authRequest.getExternalIdKey(), false);
            } catch (StorageException | ConfigInvalidException e) {
                throw new AccountException("Authentication error", e);
            }
        } catch (NoSuchUserException e2) {
            deactivateAccountIfItExists(authRequest);
            throw e2;
        }
    }

    private void deactivateAccountIfItExists(AuthRequest authRequest) {
        if (shouldUpdateActiveStatus(authRequest)) {
            try {
                Optional<ExternalId> optional = this.externalIds.get(authRequest.getExternalIdKey());
                if (optional.isPresent()) {
                    this.setInactiveFlag.deactivate(optional.get().accountId());
                }
            } catch (Exception e) {
                logger.atSevere().withCause(e).log("Unable to deactivate account %s", authRequest.getUserName().orElse(" for external ID key " + authRequest.getExternalIdKey().get()));
            }
        }
    }

    private Optional<Account> updateAccountActiveStatus(AuthRequest authRequest, Account account) throws AccountException {
        if (!shouldUpdateActiveStatus(authRequest) || authRequest.isActive() == account.isActive()) {
            return Optional.of(account);
        }
        if (authRequest.isActive()) {
            try {
                this.setInactiveFlag.activate(account.id());
            } catch (Exception e) {
                throw new AccountException("Unable to activate account " + account.id(), e);
            }
        } else {
            try {
                this.setInactiveFlag.deactivate(account.id());
            } catch (Exception e2) {
                throw new AccountException("Unable to deactivate account " + account.id(), e2);
            }
        }
        return this.byIdCache.get(account.id()).map((v0) -> {
            return v0.account();
        });
    }

    private boolean shouldUpdateActiveStatus(AuthRequest authRequest) {
        return this.autoUpdateAccountActiveStatus && authRequest.authProvidesAccountActiveStatus();
    }

    private void update(AuthRequest authRequest, ExternalId externalId) throws IOException, ConfigInvalidException, AccountException {
        IdentifiedUser create = this.userFactory.create(externalId.accountId());
        ArrayList arrayList = new ArrayList();
        String emailAddress = authRequest.getEmailAddress();
        String email = externalId.email();
        if (emailAddress != null && !emailAddress.equals(email)) {
            ExternalId create2 = this.externalIdFactory.create(externalId.key(), externalId.accountId(), emailAddress, externalId.password());
            checkEmailNotUsed(externalId.accountId(), create2);
            arrayList.add(builder -> {
                builder.replaceExternalId(externalId, create2);
            });
            if (email != null && email.equals(create.getAccount().preferredEmail())) {
                arrayList.add(builder2 -> {
                    builder2.setPreferredEmail(emailAddress);
                });
            }
        }
        if (!Strings.isNullOrEmpty(authRequest.getDisplayName()) && !Objects.equals(create.getAccount().fullName(), authRequest.getDisplayName())) {
            arrayList.add(builder3 -> {
                builder3.setFullName(authRequest.getDisplayName());
            });
        }
        if (!this.realm.allowsEdit(AccountFieldName.USER_NAME) && authRequest.getUserName().isPresent() && !authRequest.getUserName().equals(create.getUserName())) {
            if (create.getUserName().isPresent()) {
                logger.atWarning().log("Not changing already set username %s to %s", create.getUserName().get(), authRequest.getUserName().get());
            } else {
                logger.atWarning().log("Not setting username to %s", authRequest.getUserName().get());
            }
        }
        if (arrayList.isEmpty()) {
            return;
        }
        this.accountsUpdateProvider.get().update("Update Account on Login", create.getAccountId(), AccountsUpdate.joinConsumers(arrayList)).orElseThrow(() -> {
            return new StorageException("Account " + create.getAccountId() + " has been deleted");
        });
    }

    private AuthResult create(AuthRequest authRequest) throws AccountException, IOException, ConfigInvalidException {
        Account.Id id = Account.id(this.sequences.nextAccountId());
        logger.atFine().log("Assigning new Id %s to account", id);
        ExternalId createWithEmail = this.externalIdFactory.createWithEmail(authRequest.getExternalIdKey(), id, authRequest.getEmailAddress());
        logger.atFine().log("Created external Id: %s", createWithEmail);
        checkEmailNotUsed(id, createWithEmail);
        ExternalId createUsername = authRequest.getUserName().isPresent() ? createUsername(id, authRequest.getUserName().get()) : null;
        boolean z = this.awaitsFirstAccountCheck.getAndSet(false) && !this.accounts.hasAnyAccount();
        try {
            try {
                AccountState insert = this.accountsUpdateProvider.get().insert("Create Account on First Login", id, builder -> {
                    builder.setFullName(authRequest.getDisplayName()).setPreferredEmail(createWithEmail.email()).addExternalId(createWithEmail);
                    if (createUsername != null) {
                        builder.addExternalId(createUsername);
                    }
                });
                this.awaitsFirstAccountCheck.set(z);
                if (createUsername != null) {
                    Optional<String> userName = authRequest.getUserName();
                    SshKeyCache sshKeyCache = this.sshKeyCache;
                    Objects.requireNonNull(sshKeyCache);
                    userName.ifPresent(sshKeyCache::evict);
                }
                IdentifiedUser create = this.userFactory.create(id);
                if (z) {
                    addGroupMember(this.projectCache.getAllProjects().getConfig().getAccessSection(AccessSection.GLOBAL_CAPABILITIES).orElseThrow(() -> {
                        return new IllegalStateException("access section does not exist");
                    }).getPermission(GlobalCapability.ADMINISTRATE_SERVER).getRules().get(0).getGroup().getUUID(), create);
                }
                this.realm.onCreateAccount(authRequest, insert.account());
                return new AuthResult(id, createWithEmail.key(), true);
            } catch (DuplicateExternalIdKeyException e) {
                throw new AccountException("Cannot assign external ID \"" + e.getDuplicateKey().get() + "\" to account " + id + "; external ID already in use.");
            }
        } catch (Throwable th) {
            this.awaitsFirstAccountCheck.set(z);
            throw th;
        }
    }

    private ExternalId createUsername(Account.Id id, String str) throws AccountUserNameException {
        Preconditions.checkArgument(!Strings.isNullOrEmpty(str));
        if (ExternalId.isValidUsername(str)) {
            return this.externalIdFactory.create("username", str, id);
        }
        throw new AccountUserNameException(String.format("Cannot assign user name \"%s\" to account %s; name does not conform.", str, id));
    }

    private void checkEmailNotUsed(Account.Id id, ExternalId externalId) throws IOException, AccountException {
        String email = externalId.email();
        if (email == null) {
            return;
        }
        ImmutableSet<ExternalId> byEmail = this.externalIds.byEmail(email);
        if (byEmail.isEmpty()) {
            return;
        }
        for (ExternalId externalId2 : byEmail) {
            if (externalId2.accountId().get() != id.get()) {
                logger.atWarning().log("Email %s is already assigned to account %s; cannot create external ID %s with the same email for account %s.", email, Integer.valueOf(externalId2.accountId().get()), externalId.key().get(), Integer.valueOf(externalId.accountId().get()));
                throw new AccountException("Email '" + email + "' in use by another account");
            }
        }
    }

    private void addGroupMember(AccountGroup.UUID uuid, IdentifiedUser identifiedUser) throws IOException, ConfigInvalidException, AccountException {
        try {
            this.groupsUpdateFactory.create(identifiedUser).updateGroup(uuid, GroupDelta.builder().setMemberModification(immutableSet -> {
                return Sets.union(immutableSet, ImmutableSet.of(identifiedUser.getAccountId()));
            }).build());
        } catch (NoSuchGroupException e) {
            throw new AccountException(String.format("Group %s not found", uuid), e);
        }
    }

    public AuthResult link(Account.Id id, AuthRequest authRequest) throws AccountException, IOException, ConfigInvalidException {
        Optional<ExternalId> optional = this.externalIds.get(authRequest.getExternalIdKey());
        if (optional.isPresent()) {
            ExternalId externalId = optional.get();
            if (!externalId.accountId().equals(id)) {
                throw new AccountException("Identity '" + externalId.key().get() + "' in use by another account");
            }
            update(authRequest, externalId);
        } else {
            ExternalId createWithEmail = this.externalIdFactory.createWithEmail(authRequest.getExternalIdKey(), id, authRequest.getEmailAddress());
            checkEmailNotUsed(id, createWithEmail);
            this.accountsUpdateProvider.get().update("Link External ID", id, (accountState, builder) -> {
                builder.addExternalId(createWithEmail);
                if (authRequest.getEmailAddress() == null || accountState.account().preferredEmail() != null) {
                    return;
                }
                builder.setPreferredEmail(authRequest.getEmailAddress());
            });
        }
        return new AuthResult(id, authRequest.getExternalIdKey(), false);
    }

    public AuthResult updateLink(Account.Id id, AuthRequest authRequest) throws AccountException, IOException, ConfigInvalidException {
        this.accountsUpdateProvider.get().update("Delete External IDs on Update Link", id, (accountState, builder) -> {
            Set set = (Set) accountState.externalIds().stream().filter(externalId -> {
                return externalId.key().isScheme(authRequest.getExternalIdKey().scheme());
            }).collect(ImmutableSet.toImmutableSet());
            if (set.isEmpty()) {
                return;
            }
            if (set.size() > 1 || set.stream().noneMatch(externalId2 -> {
                return externalId2.key().equals(authRequest.getExternalIdKey());
            })) {
                builder.deleteExternalIds(set);
            }
        });
        return link(id, authRequest);
    }

    public void unlink(Account.Id id, ExternalId.Key key) throws AccountException, IOException, ConfigInvalidException {
        unlink(id, ImmutableList.of(key));
    }

    public void unlink(Account.Id id, Collection<ExternalId.Key> collection) throws AccountException, IOException, ConfigInvalidException {
        if (collection.isEmpty()) {
            return;
        }
        ArrayList arrayList = new ArrayList(collection.size());
        for (ExternalId.Key key : collection) {
            Optional<ExternalId> optional = this.externalIds.get(key);
            if (!optional.isPresent()) {
                throw new AccountException("Identity '" + key.get() + "' not found");
            }
            if (!optional.get().accountId().equals(id)) {
                throw new AccountException("Identity '" + key.get() + "' in use by another account");
            }
            arrayList.add(optional.get());
        }
        this.accountsUpdateProvider.get().update("Unlink External ID" + (arrayList.size() > 1 ? DateFormat.SECOND : ""), id, (accountState, builder) -> {
            builder.deleteExternalIds(arrayList);
            if (accountState.account().preferredEmail() == null || !arrayList.stream().anyMatch(externalId -> {
                return accountState.account().preferredEmail().equals(externalId.email());
            })) {
                return;
            }
            builder.setPreferredEmail(null);
        });
    }
}
