package com.gitblit.manager;

import com.gitblit.Constants;
import com.gitblit.IStoredSettings;
import com.gitblit.Keys;
import com.gitblit.auth.AuthenticationProvider;
import com.gitblit.auth.HtpasswdAuthProvider;
import com.gitblit.auth.LdapAuthProvider;
import com.gitblit.auth.PAMAuthProvider;
import com.gitblit.auth.RedmineAuthProvider;
import com.gitblit.auth.SalesforceAuthProvider;
import com.gitblit.auth.WindowsAuthProvider;
import com.gitblit.models.TeamModel;
import com.gitblit.models.UserModel;
import com.gitblit.utils.Base64;
import com.gitblit.utils.HttpUtils;
import com.gitblit.utils.StringUtils;
import com.gitblit.utils.X509Utils;
import com.gitblit.wicket.GitBlitWebSession;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.Principal;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.tools.ant.taskdefs.condition.Os;
import org.apache.wicket.RequestCycle;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.wso2.carbon.appfactory.common.AppFactoryConstants;

/* JADX WARN: Classes with same name are omitted:
  input_file:com/gitblit/manager/AuthenticationManager.class
 */
/* loaded from: input_file:gitblit-1.4.1-wso2v1.jar:com/gitblit/manager/AuthenticationManager.class */
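/**
 * Resolves the user behind a request or a username/password pair.
 *
 * <p>Request authentication tries, in order: the servlet container principal, a client
 * certificate, the Gitblit cookie and finally an HTTP BASIC {@code Authorization} header.
 * Username/password authentication checks local accounts first and then every configured
 * {@link AuthenticationProvider} that accepts usernames and passwords.
 *
 * <p>Every successful path goes through {@link #validateAuthentication}, which rejects
 * disabled accounts.
 */
public class AuthenticationManager implements IAuthenticationManager {
    private final IStoredSettings settings;
    private final IRuntimeManager runtimeManager;
    private final IUserManager userManager;
    // Maps obsolete IUserService class names to the short provider name that replaces them.
    private final Map<String, String> legacyRedirects;
    private final Logger logger = LoggerFactory.getLogger(getClass());
    private final List<AuthenticationProvider> authenticationProviders = new ArrayList<AuthenticationProvider>();
    // Short provider names accepted in the authenticationProviders setting.
    private final Map<String, Class<? extends AuthenticationProvider>> providerNames = new HashMap<String, Class<? extends AuthenticationProvider>>();

    /**
     * Registers the built-in provider names and the legacy user-service redirects.
     *
     * @param iRuntimeManager source of the settings, also handed to each provider in {@link #start()}
     * @param iUserManager user store consulted for every lookup
     */
    public AuthenticationManager(IRuntimeManager iRuntimeManager, IUserManager iUserManager) {
        this.settings = iRuntimeManager.getSettings();
        this.runtimeManager = iRuntimeManager;
        this.userManager = iUserManager;
        this.providerNames.put("htpasswd", HtpasswdAuthProvider.class);
        this.providerNames.put("ldap", LdapAuthProvider.class);
        this.providerNames.put("pam", PAMAuthProvider.class);
        this.providerNames.put(AppFactoryConstants.REDMINE, RedmineAuthProvider.class);
        this.providerNames.put("salesforce", SalesforceAuthProvider.class);
        this.providerNames.put(Os.FAMILY_WINDOWS, WindowsAuthProvider.class);
        this.legacyRedirects = new HashMap<String, String>();
        this.legacyRedirects.put("com.gitblit.HtpasswdUserService", "htpasswd");
        this.legacyRedirects.put("com.gitblit.LdapUserService", "ldap");
        this.legacyRedirects.put("com.gitblit.PAMUserService", "pam");
        this.legacyRedirects.put("com.gitblit.RedmineUserService", AppFactoryConstants.REDMINE);
        this.legacyRedirects.put("com.gitblit.SalesforceUserService", "salesforce");
        this.legacyRedirects.put("com.gitblit.WindowsUserService", Os.FAMILY_WINDOWS);
    }

    /**
     * Instantiates and sets up every provider named in the authenticationProviders setting.
     *
     * <p>A provider that fails to load or set up is logged and skipped; the remaining
     * providers are still started.
     *
     * @return this manager
     */
    @Override
    public AuthenticationManager start() {
        String userService = this.settings.getString(Keys.realm.userService, "${baseFolder}/users.conf");
        if (this.legacyRedirects.containsKey(userService)) {
            this.logger.warn("");
            this.logger.warn(Constants.BORDER2);
            this.logger.warn(" IUserService '{}' is obsolete!", userService);
            this.logger.warn(" Please set '{}={}'", Keys.realm.authenticationProviders, this.legacyRedirects.get(userService));
            this.logger.warn(Constants.BORDER2);
            this.logger.warn("");
            // Only redirect when the administrator has not configured providers explicitly.
            if (StringUtils.isEmpty(this.settings.getString(Keys.realm.authenticationProviders, null))) {
                this.settings.overrideSetting(Keys.realm.authenticationProviders, this.legacyRedirects.get(userService));
            }
        }
        List<String> configuredProviders = this.settings.getStrings(Keys.realm.authenticationProviders);
        if (configuredProviders.isEmpty()) {
            this.logger.info("External authentication disabled.");
            return this;
        }
        for (String providerName : configuredProviders) {
            try {
                // An unknown name is treated as a class name taken from the settings. Load it
                // without initialization and check its type first, so that a class which is not
                // a provider never has its static initializer or constructor executed.
                Class<?> cls = this.providerNames.containsKey(providerName)
                        ? this.providerNames.get(providerName)
                        : Class.forName(providerName, false, AuthenticationManager.class.getClassLoader());
                if (!AuthenticationProvider.class.isAssignableFrom(cls)) {
                    this.logger.error("{} is not an AuthenticationProvider, skipping", cls.getName());
                    continue;
                }
                this.logger.info("setting up {}", cls.getName());
                AuthenticationProvider provider = (AuthenticationProvider) cls.newInstance();
                provider.setup(this.runtimeManager, this.userManager);
                this.authenticationProviders.add(provider);
            } catch (Exception e) {
                // Name the provider: an empty message made a failed login backend easy to miss.
                this.logger.error("Failed to set up authentication provider " + providerName, e);
            }
        }
        return this;
    }

    /**
     * Stops every registered provider; a failure in one does not prevent stopping the others.
     *
     * @return this manager
     */
    @Override
    public AuthenticationManager stop() {
        for (AuthenticationProvider provider : this.authenticationProviders) {
            try {
                provider.stop();
            } catch (Exception e) {
                this.logger.error("Failed to stop " + provider.getClass().getSimpleName(), e);
            }
        }
        return this;
    }

    /**
     * Registers an already constructed provider. The provider's {@code setup} is not called here.
     *
     * @param authenticationProvider provider to append to the lookup list
     */
    public void addAuthenticationProvider(AuthenticationProvider authenticationProvider) {
        this.authenticationProviders.add(authenticationProvider);
    }

    /**
     * Authenticates a request using every supported mechanism.
     *
     * @param httpServletRequest the incoming request
     * @return the authenticated user, or {@code null}
     */
    @Override
    public UserModel authenticate(HttpServletRequest httpServletRequest) {
        return authenticate(httpServletRequest, false);
    }

    /**
     * Authenticates a request.
     *
     * <p>NOTE(review): usernames taken from the container principal, the certificate and the
     * {@code Authorization} header are written to the log as received; if the log pipeline
     * does not neutralize CR/LF, consider sanitizing them here.
     *
     * @param httpServletRequest the incoming request
     * @param z when {@code true}, only client-certificate authentication is attempted: the
     *     container principal is ignored and {@code null} is returned instead of falling back
     *     to the cookie or BASIC credentials
     * @return the authenticated, enabled user, or {@code null}
     */
    @Override
    public UserModel authenticate(HttpServletRequest httpServletRequest, boolean z) {
        // 1. Servlet container principal.
        Principal principal = z ? null : httpServletRequest.getUserPrincipal();
        if (principal != null) {
            String principalName = principal.getName();
            if (!StringUtils.isEmpty(principalName)) {
                boolean internalAccount = this.userManager.isInternalAccount(principalName);
                UserModel known = this.userManager.getUserModel(principalName);
                if (known != null) {
                    flagWicketSession(Constants.AuthenticationType.CONTAINER);
                    this.logger.debug(MessageFormat.format("{0} authenticated by servlet container principal from {1}", known.username, httpServletRequest.getRemoteAddr()));
                    return validateAuthentication(known, Constants.AuthenticationType.CONTAINER);
                }
                if (this.settings.getBoolean(Keys.realm.container.autoCreateAccounts, false) && !internalAccount) {
                    // The container is trusted to have verified this identity; the account is
                    // created on first sight.
                    // NOTE(review): toLowerCase() uses the default locale; confirm this matches
                    // how the user store normalizes usernames.
                    UserModel created = new UserModel(principalName.toLowerCase());
                    created.displayName = principalName;
                    created.password = Constants.EXTERNAL_ACCOUNT;
                    created.accountType = Constants.AccountType.CONTAINER;
                    this.userManager.updateUserModel(created);
                    flagWicketSession(Constants.AuthenticationType.CONTAINER);
                    this.logger.debug(MessageFormat.format("{0} authenticated and created by servlet container principal from {1}", created.username, httpServletRequest.getRemoteAddr()));
                    return validateAuthentication(created, Constants.AuthenticationType.CONTAINER);
                }
                if (!internalAccount) {
                    this.logger.warn(MessageFormat.format("Failed to find UserModel for {0}, attempted servlet container authentication from {1}", principal.getName(), httpServletRequest.getRemoteAddr()));
                }
            }
        }

        // 2. Client certificate.
        boolean enforceValidity = this.settings.getBoolean(Keys.git.enforceCertificateValidity, true);
        String[] usernameOids = this.settings.getStrings(Keys.git.certificateUsernameOIDs).toArray(new String[0]);
        UserModel certificateUser = HttpUtils.getUserModelFromCertificate(httpServletRequest, enforceValidity, usernameOids);
        if (certificateUser != null) {
            UserModel known = this.userManager.getUserModel(certificateUser.username);
            // NOTE(review): assumes metadata is non-null whenever a certificate user was found.
            X509Utils.X509Metadata metadata = HttpUtils.getCertificateMetadata(httpServletRequest);
            if (known != null) {
                flagWicketSession(Constants.AuthenticationType.CERTIFICATE);
                this.logger.debug(MessageFormat.format("{0} authenticated by client certificate {1} from {2}", known.username, metadata.serialNumber, httpServletRequest.getRemoteAddr()));
                return validateAuthentication(known, Constants.AuthenticationType.CERTIFICATE);
            }
            this.logger.warn(MessageFormat.format("Failed to find UserModel for {0}, attempted client certificate ({1}) authentication from {2}", certificateUser.username, metadata.serialNumber, httpServletRequest.getRemoteAddr()));
        }
        if (z) {
            return null;
        }

        // 3. Cookie: the cookie value alone identifies the user, so it is a bearer credential.
        String cookieValue = getCookie(httpServletRequest);
        if (!StringUtils.isEmpty(cookieValue)) {
            UserModel cookieUser = this.userManager.getUserModel(cookieValue.toCharArray());
            if (cookieUser != null) {
                flagWicketSession(Constants.AuthenticationType.COOKIE);
                this.logger.debug(MessageFormat.format("{0} authenticated by cookie from {1}", cookieUser.username, httpServletRequest.getRemoteAddr()));
                return validateAuthentication(cookieUser, Constants.AuthenticationType.COOKIE);
            }
        }

        // 4. HTTP BASIC credentials.
        String header = httpServletRequest.getHeader("Authorization");
        if (header == null || !header.startsWith("Basic")) {
            return null;
        }
        String encoded = header.substring("Basic".length()).trim();
        String[] credentials = new String(Base64.decode(encoded), Charset.forName("UTF-8")).split(":", 2);
        if (credentials.length != 2) {
            return null;
        }
        String username = credentials[0];
        UserModel user = authenticate(username, credentials[1].toCharArray());
        if (user == null) {
            this.logger.warn(MessageFormat.format("Failed login attempt for {0}, invalid credentials from {1}", username, httpServletRequest.getRemoteAddr()));
            return null;
        }
        flagWicketSession(Constants.AuthenticationType.CREDENTIALS);
        this.logger.debug(MessageFormat.format("{0} authenticated by BASIC request header from {1}", user.username, httpServletRequest.getRemoteAddr()));
        return validateAuthentication(user, Constants.AuthenticationType.CREDENTIALS);
    }

    /**
     * Final gate for every authentication path: rejects disabled accounts.
     *
     * @param userModel the candidate user, may be {@code null}
     * @param authenticationType the mechanism that identified the user, used for logging only
     * @return {@code userModel} if it is non-null and not disabled, otherwise {@code null}
     */
    protected UserModel validateAuthentication(UserModel userModel, Constants.AuthenticationType authenticationType) {
        if (userModel == null) {
            return null;
        }
        if (userModel.disabled) {
            this.logger.warn("Rejected {} authentication attempt by disabled account \"{}\"", authenticationType, userModel.username);
            return null;
        }
        return userModel;
    }

    /**
     * Records the authentication mechanism on the Wicket session, when a Wicket request
     * cycle is active.
     *
     * @param authenticationType the mechanism that succeeded
     */
    protected void flagWicketSession(Constants.AuthenticationType authenticationType) {
        if (RequestCycle.get() == null) {
            return;
        }
        GitBlitWebSession.get().authenticationType = authenticationType;
    }

    /**
     * Authenticates a username/password pair against the local account or, failing that,
     * against each username/password provider in registration order.
     *
     * @param str the username as supplied; it is passed through {@code StringUtils.decodeUsername}
     * @param cArr the password; {@code null}, empty and blank passwords are rejected
     * @return the authenticated, enabled user, or {@code null}
     */
    @Override
    public UserModel authenticate(String str, char[] cArr) {
        if (StringUtils.isEmpty(str)) {
            return null;
        }
        String username = StringUtils.decodeUsername(str);
        // A null password used to raise a NullPointerException here; reject it like an empty one.
        if (cArr == null || StringUtils.isEmpty(new String(cArr))) {
            return null;
        }
        UserModel localUser = this.userManager.getUserModel(username);
        if (localUser != null && localUser.isLocalAccount()) {
            // A local account is never offered to the external providers.
            return authenticateLocal(localUser, cArr);
        }
        for (AuthenticationProvider provider : this.authenticationProviders) {
            if (!(provider instanceof AuthenticationProvider.UsernamePasswordAuthenticationProvider)) {
                continue;
            }
            UserModel externalUser = provider.authenticate(username, cArr);
            if (externalUser != null) {
                externalUser.accountType = provider.getAccountType();
                return validateAuthentication(externalUser, Constants.AuthenticationType.CREDENTIALS);
            }
        }
        return null;
    }

    /**
     * Checks a password against the stored credential of a local account.
     *
     * <p>The stored value is either an MD5 digest, a digest of lower-cased username plus
     * password, or the plain password, selected by its prefix. Comparisons run in time
     * independent of where the values differ, so response timing does not reveal how much
     * of a guess matched.
     *
     * <p>NOTE(review): unsalted MD5 and plain-text storage offer little protection if the
     * user store is disclosed; a migration to a dedicated password hash belongs outside
     * this method, where the stored format is produced.
     *
     * @param userModel the local account
     * @param cArr the supplied password
     * @return the enabled user when the password matches, otherwise {@code null}
     */
    protected UserModel authenticateLocal(UserModel userModel, char[] cArr) {
        UserModel authenticated = null;
        String stored = userModel.password;
        // Fail closed on a missing stored or supplied password instead of throwing.
        if (stored != null && cArr != null) {
            String supplied = new String(cArr);
            if (stored.startsWith(StringUtils.MD5_TYPE)) {
                String computed = StringUtils.MD5_TYPE + StringUtils.getMD5(supplied);
                if (constantTimeEqualsIgnoreCase(stored, computed)) {
                    authenticated = userModel;
                }
            } else if (stored.startsWith(StringUtils.COMBINED_MD5_TYPE)) {
                String computed = StringUtils.COMBINED_MD5_TYPE + StringUtils.getMD5(userModel.username.toLowerCase() + supplied);
                if (constantTimeEqualsIgnoreCase(stored, computed)) {
                    authenticated = userModel;
                }
            } else if (constantTimeEquals(stored, supplied)) {
                authenticated = userModel;
            }
        }
        return validateAuthentication(authenticated, Constants.AuthenticationType.CREDENTIALS);
    }

    /** Compares two strings byte-wise without stopping at the first difference. */
    private static boolean constantTimeEquals(String expected, String actual) {
        Charset utf8 = Charset.forName("UTF-8");
        return MessageDigest.isEqual(expected.getBytes(utf8), actual.getBytes(utf8));
    }

    /** Case-insensitive variant of {@link #constantTimeEquals}, used for prefixed hex digests. */
    private static boolean constantTimeEqualsIgnoreCase(String expected, String actual) {
        return constantTimeEquals(expected.toLowerCase(Locale.ROOT), actual.toLowerCase(Locale.ROOT));
    }

    /**
     * Returns the value of the Gitblit authentication cookie.
     *
     * @param httpServletRequest the incoming request
     * @return the cookie value, or {@code null} when cookie authentication is disabled or the
     *     request carries no cookie named {@code Constants.NAME}
     */
    @Override
    public String getCookie(HttpServletRequest httpServletRequest) {
        if (!this.settings.getBoolean(Keys.web.allowCookieAuthentication, true)) {
            return null;
        }
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie candidate : cookies) {
            if (candidate.getName().equals(Constants.NAME)) {
                return candidate.getValue();
            }
        }
        return null;
    }

    /**
     * Sets or clears the authentication cookie on the response.
     *
     * <p>Nothing is written unless cookie authentication is enabled and the current Wicket
     * session was authenticated by a standard mechanism. A {@code null} user, or a user
     * without a cookie value, results in an empty-valued cookie.
     *
     * <p>NOTE(review): the cookie is a seven-day bearer credential but is issued without the
     * Secure and HttpOnly attributes. Consider setting both once it is confirmed that the
     * servlet API in use offers them and that the deployment serves logins over HTTPS.
     *
     * @param httpServletResponse the response to add the cookie to
     * @param userModel the logged-in user, or {@code null} to clear the cookie
     */
    @Override
    public void setCookie(HttpServletResponse httpServletResponse, UserModel userModel) {
        if (!this.settings.getBoolean(Keys.web.allowCookieAuthentication, true)) {
            return;
        }
        if (!GitBlitWebSession.get().authenticationType.isStandard()) {
            return;
        }
        String value = userModel == null ? null : this.userManager.getCookie(userModel);
        Cookie cookie;
        if (StringUtils.isEmpty(value)) {
            cookie = new Cookie(Constants.NAME, "");
        } else {
            cookie = new Cookie(Constants.NAME, value);
            cookie.setMaxAge((int) TimeUnit.DAYS.toSeconds(7L));
        }
        cookie.setPath("/");
        httpServletResponse.addCookie(cookie);
    }

    /**
     * Logs the user out by clearing the authentication cookie.
     *
     * @param httpServletResponse the response to add the cleared cookie to
     * @param userModel unused
     */
    @Override
    public void logout(HttpServletResponse httpServletResponse, UserModel userModel) {
        setCookie(httpServletResponse, null);
    }

    /**
     * @param userModel the user, may be {@code null}
     * @return {@code true} for a local account, otherwise the answer of the user's provider
     */
    @Override
    public boolean supportsCredentialChanges(UserModel userModel) {
        return (userModel != null && userModel.isLocalAccount()) || findProvider(userModel).supportsCredentialChanges();
    }

    /**
     * @param userModel the user, may be {@code null}
     * @return {@code true} for a local account, otherwise the answer of the user's provider
     */
    @Override
    public boolean supportsDisplayNameChanges(UserModel userModel) {
        return (userModel != null && userModel.isLocalAccount()) || findProvider(userModel).supportsDisplayNameChanges();
    }

    /**
     * @param userModel the user, may be {@code null}
     * @return {@code true} for a local account, otherwise the answer of the user's provider
     */
    @Override
    public boolean supportsEmailAddressChanges(UserModel userModel) {
        return (userModel != null && userModel.isLocalAccount()) || findProvider(userModel).supportsEmailAddressChanges();
    }

    /**
     * @param userModel the user, may be {@code null}
     * @return {@code true} for a local account, otherwise the answer of the user's provider
     */
    @Override
    public boolean supportsTeamMembershipChanges(UserModel userModel) {
        return (userModel != null && userModel.isLocalAccount()) || findProvider(userModel).supportsTeamMembershipChanges();
    }

    /**
     * @param teamModel the team, may be {@code null}
     * @return {@code true} for a local team, otherwise the answer of the team's provider
     */
    @Override
    public boolean supportsTeamMembershipChanges(TeamModel teamModel) {
        return (teamModel != null && teamModel.isLocalTeam()) || findProvider(teamModel).supportsTeamMembershipChanges();
    }

    /**
     * Finds the provider whose account type matches the user's.
     *
     * @param userModel the user, may be {@code null}
     * @return the matching provider, or {@code AuthenticationProvider.NULL_PROVIDER} when
     *     there is none or {@code userModel} is {@code null}
     */
    protected AuthenticationProvider findProvider(UserModel userModel) {
        // The supports*Changes methods reach here with a null model; answer with the null
        // provider instead of dereferencing it.
        if (userModel == null) {
            return AuthenticationProvider.NULL_PROVIDER;
        }
        for (AuthenticationProvider provider : this.authenticationProviders) {
            if (provider.getAccountType().equals(userModel.accountType)) {
                return provider;
            }
        }
        return AuthenticationProvider.NULL_PROVIDER;
    }

    /**
     * Finds the provider whose account type matches the team's.
     *
     * @param teamModel the team, may be {@code null}
     * @return the matching provider, or {@code AuthenticationProvider.NULL_PROVIDER} when
     *     there is none or {@code teamModel} is {@code null}
     */
    protected AuthenticationProvider findProvider(TeamModel teamModel) {
        if (teamModel == null) {
            return AuthenticationProvider.NULL_PROVIDER;
        }
        for (AuthenticationProvider provider : this.authenticationProviders) {
            if (provider.getAccountType().equals(teamModel.accountType)) {
                return provider;
            }
        }
        return AuthenticationProvider.NULL_PROVIDER;
    }
}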
