package com.google.gerrit.httpd.auth.openid;

import com.google.common.flogger.FluentLogger;
import com.google.gerrit.entities.Account;
import com.google.gerrit.entities.KeyUtil;
import com.google.gerrit.extensions.registration.DynamicItem;
import com.google.gerrit.extensions.restapi.Url;
import com.google.gerrit.httpd.CanonicalWebUrl;
import com.google.gerrit.httpd.ProxyProperties;
import com.google.gerrit.httpd.WebSession;
import com.google.gerrit.httpd.auth.openid.DiscoveryResult;
import com.google.gerrit.server.IdentifiedUser;
import com.google.gerrit.server.UrlEncoded;
import com.google.gerrit.server.account.AccountException;
import com.google.gerrit.server.account.AccountManager;
import com.google.gerrit.server.account.AuthRequest;
import com.google.gerrit.server.account.AuthResult;
import com.google.gerrit.server.account.externalids.ExternalIdKeyFactory;
import com.google.gerrit.server.auth.openid.OpenIdProviderPattern;
import com.google.gerrit.server.config.AuthConfig;
import com.google.gerrit.server.config.ConfigUtil;
import com.google.gerrit.server.config.GerritServerConfig;
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.Singleton;
import java.io.IOException;
import java.net.URL;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.xerces.impl.xs.SchemaSymbols;
import org.eclipse.jgit.lib.Config;
import org.openid4java.consumer.ConsumerException;
import org.openid4java.consumer.ConsumerManager;
import org.openid4java.consumer.VerificationResult;
import org.openid4java.discovery.DiscoveryException;
import org.openid4java.discovery.DiscoveryInformation;
import org.openid4java.message.Message;
import org.openid4java.message.MessageException;
import org.openid4java.message.MessageExtension;
import org.openid4java.message.ParameterList;
import org.openid4java.message.ax.AxMessage;
import org.openid4java.message.ax.FetchRequest;
import org.openid4java.message.ax.FetchResponse;
import org.openid4java.message.pape.PapeMessage;
import org.openid4java.message.pape.PapeRequest;
import org.openid4java.message.pape.PapeResponse;
import org.openid4java.message.sreg.SRegMessage;
import org.openid4java.message.sreg.SRegRequest;
import org.openid4java.message.sreg.SRegResponse;
import org.openid4java.util.HttpClientFactory;

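/**
 * Relying-party side of Gerrit's OpenID web login.
 *
 * <p>{@link #discover} resolves the user's identifier to a provider and builds the
 * authentication request the browser is redirected with; {@link #doAuth} handles the
 * browser coming back and turns the provider's assertion into a Gerrit session.
 *
 * <p>Everything that reaches {@link #doAuth} (request parameters, SReg/AX attributes,
 * the claimed identifier) originates from the browser or the provider. It is only
 * trusted after {@code ConsumerManager.verify} has accepted the assertion, and the
 * identifiers are checked against the configured provider allow-list before that.
 */
@Singleton
/* loaded from: input_file:com/google/gerrit/httpd/auth/openid/OpenIdServiceImpl.class */
class OpenIdServiceImpl {
    private static final FluentLogger logger = FluentLogger.forEnclosingClass();

    /** Path suffix, relative to the canonical web URL, the provider redirects back to. */
    static final String RETURN_URL = "OpenID";

    // Parameters Gerrit adds to its own return_to URL so they survive the round trip
    // through the provider.
    private static final String P_MODE = "gerrit.mode";
    private static final String P_TOKEN = "gerrit.token";
    private static final String P_REMEMBER = "gerrit.remember";
    private static final String P_CLAIMED = "gerrit.claimed";

    /** Value of {@link #P_REMEMBER} meaning "keep me signed in". */
    private static final String REMEMBER_TRUE = "1";

    /** Lifetime of the "last used OpenID" cookie, in seconds (one year). */
    private static final int LASTID_AGE = 31536000;

    private static final String OPENID_MODE = "openid.mode";
    private static final String OMODE_CANCEL = "cancel";

    // Attribute-exchange type URIs requested from providers that support AX.
    private static final String SCHEMA_EMAIL = "http://schema.openid.net/contact/email";
    private static final String SCHEMA_FIRSTNAME = "http://schema.openid.net/namePerson/first";
    private static final String SCHEMA_LASTNAME = "http://schema.openid.net/namePerson/last";

    private final DynamicItem<WebSession> webSession;
    private final Provider<IdentifiedUser> identifiedUser;
    private final CanonicalWebUrl urlProvider;
    private final AccountManager accountManager;
    private final ConsumerManager manager;
    /** Provider patterns an identifier must match to be accepted at all. */
    private final List<OpenIdProviderPattern> allowedOpenIDs;
    /** Optional administrator restriction on the e-mail domain of new identities. */
    private final List<String> openIdDomains;
    private final ExternalIdKeyFactory externalIdKeyFactory;
    private final AuthRequest.Factory authRequestFactory;
    /** PAPE max_auth_age sent to the provider; negative disables PAPE entirely. */
    private final int papeMaxAuthAge;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/google/gerrit/httpd/auth/openid/OpenIdServiceImpl$State.class */
    /** Discovery outcome plus the return_to URL and realm computed for one request. */
    public static class State {
        final DiscoveryInformation discovered;
        /** The return_to URL, with Gerrit's own parameters already attached. */
        final UrlEncoded retTo;
        /** Canonical web URL of this server; doubles as the OpenID realm. */
        final String contextUrl;

        State(DiscoveryInformation discovered, UrlEncoded retTo, String contextUrl) {
            this.discovered = discovered;
            this.retTo = retTo;
            this.contextUrl = contextUrl;
        }
    }

    /**
     * Wires the service and, when an outbound proxy is configured, hands the proxy
     * settings (including credentials) to openid4java's global HTTP client factory.
     *
     * <p>{@code auth.maxOpenIdSessionAge} is read in seconds and defaults to -1,
     * which turns the PAPE max_auth_age request off.
     */
    @Inject
    OpenIdServiceImpl(DynamicItem<WebSession> webSession, Provider<IdentifiedUser> identifiedUser, CanonicalWebUrl urlProvider, @GerritServerConfig Config config, AuthConfig authConfig, AccountManager accountManager, ProxyProperties proxyProperties, ExternalIdKeyFactory externalIdKeyFactory, AuthRequest.Factory authRequestFactory) {
        if (proxyProperties.getProxyUrl() != null) {
            org.openid4java.util.ProxyProperties openIdProxy = new org.openid4java.util.ProxyProperties();
            URL proxyUrl = proxyProperties.getProxyUrl();
            openIdProxy.setProxyHostName(proxyUrl.getHost());
            openIdProxy.setProxyPort(proxyUrl.getPort());
            openIdProxy.setUserName(proxyProperties.getUsername());
            openIdProxy.setPassword(proxyProperties.getPassword());
            // Process-wide setting in openid4java, not scoped to this instance.
            HttpClientFactory.setProxyProperties(openIdProxy);
        }
        this.webSession = webSession;
        this.identifiedUser = identifiedUser;
        this.urlProvider = urlProvider;
        this.accountManager = accountManager;
        this.manager = new ConsumerManager();
        this.allowedOpenIDs = authConfig.getAllowedOpenIDs();
        this.openIdDomains = authConfig.getOpenIdDomains();
        this.papeMaxAuthAge = (int) ConfigUtil.getTimeUnit(config, "auth", (String) null, "maxOpenIdSessionAge", -1L, TimeUnit.SECONDS);
        this.externalIdKeyFactory = externalIdKeyFactory;
        this.authRequestFactory = authRequestFactory;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Discovers the provider behind {@code openidIdentifier} and builds the
     * authentication request the browser should be sent to.
     *
     * @param req the login request; used to derive the canonical web URL
     * @param openidIdentifier user-typed OpenID identifier
     * @param mode what the caller wants to do once the provider answers
     * @param remember whether the resulting session should be long-lived
     * @param returnToken optional path/fragment to land on after login
     * @return the redirect destination and parameters, or a
     *     {@code NO_PROVIDER}/{@code ERROR} status when discovery or request
     *     construction fails
     */
    public DiscoveryResult discover(HttpServletRequest req, String openidIdentifier, SignInMode mode, boolean remember, String returnToken) {
        State state = init(req, openidIdentifier, mode, remember, returnToken);
        if (state == null) {
            return new DiscoveryResult(DiscoveryResult.Status.NO_PROVIDER);
        }
        try {
            org.openid4java.message.AuthRequest aReq = this.manager.authenticate(state.discovered, state.retTo.toString());
            logger.atFine().log("OpenID: openid-realm=%s", state.contextUrl);
            aReq.setRealm(state.contextUrl);
            if (requestRegistration(aReq)) {
                // Profile data is only requested when the identity is not yet known
                // here. Both SReg and AX are asked for; doAuth prefers SReg if both
                // come back.
                SRegRequest sregReq = SRegRequest.createFetchRequest();
                sregReq.addAttribute("fullname", true);
                sregReq.addAttribute("email", true);
                aReq.addExtension(sregReq);
                FetchRequest fetchReq = FetchRequest.createFetchRequest();
                fetchReq.addAttribute("FirstName", SCHEMA_FIRSTNAME, true);
                fetchReq.addAttribute("LastName", SCHEMA_LASTNAME, true);
                fetchReq.addAttribute("Email", SCHEMA_EMAIL, true);
                aReq.addExtension(fetchReq);
            }
            if (0 <= this.papeMaxAuthAge) {
                PapeRequest papeReq = PapeRequest.createPapeRequest();
                papeReq.setMaxAuthAge(this.papeMaxAuthAge);
                aReq.addExtension(papeReq);
            }
            return new DiscoveryResult(aReq.getDestinationUrl(false), aReq.getParameterMap());
        } catch (ConsumerException | MessageException e) {
            // The identifier is user supplied: pass it as a log argument, never
            // concatenated into the format string.
            logger.atSevere().withCause(e).log("Cannot create OpenID redirect for %s", openidIdentifier);
            return new DiscoveryResult(DiscoveryResult.Status.ERROR);
        }
    }

    /**
     * Decides whether profile attributes should be requested from the provider.
     *
     * <p>True for directed identity (the provider picks the identifier, so nothing
     * can be looked up yet), for identities with no existing account, and when the
     * lookup itself fails (asking for more data is the harmless default).
     */
    private boolean requestRegistration(org.openid4java.message.AuthRequest aReq) {
        if (org.openid4java.message.AuthRequest.SELECT_ID.equals(aReq.getIdentity())) {
            return true;
        }
        try {
            return !this.accountManager.lookup(aReq.getIdentity()).isPresent();
        } catch (AccountException e) {
            logger.atWarning().withCause(e).log("Cannot determine if user account exists");
            return true;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Handles the browser returning from the OpenID provider.
     *
     * <p>Order of checks: explicit cancel, provider allow-list on every identifier
     * involved, re-discovery of the provider, signature/nonce verification via
     * openid4java, PAPE presence (when enabled), e-mail domain restriction (when
     * configured), reconciliation of claimed vs. delegate identity, and finally
     * sign-in, registration or identity linking according to {@code gerrit.mode}.
     * Any failure redirects to the sign-in failure page instead of signing the
     * user in.
     *
     * @param req the provider's redirect back to {@link #RETURN_URL}
     * @param rsp response used for cookies and the final redirect
     * @throws Exception declared as in the original; verification, lookup and
     *     linking errors not handled here propagate to the servlet
     */
    public void doAuth(HttpServletRequest req, HttpServletResponse rsp) throws Exception {
        if (OMODE_CANCEL.equals(req.getParameter(OPENID_MODE))) {
            cancel(req, rsp);
            return;
        }
        SignInMode mode = signInMode(req);
        String openidIdentifier = req.getParameter("openid.identity");
        String claimedIdentifier = req.getParameter(P_CLAIMED);
        String returnToken = req.getParameter(P_TOKEN);
        boolean remember = REMEMBER_TRUE.equals(req.getParameter(P_REMEMBER));
        // Re-discover against the claimed identifier when there is one; otherwise
        // against the identity the provider asserted.
        String rediscoverIdentifier = claimedIdentifier != null ? claimedIdentifier : openidIdentifier;

        // Every identifier in play must match an allowed provider pattern.
        // NOTE(review): openid.identity may be absent from a malformed response and
        // OpenIdProviderPattern.matches(null) is not visible here — confirm it
        // rejects rather than throws.
        if (!isAllowedOpenID(rediscoverIdentifier)
                || !isAllowedOpenID(openidIdentifier)
                || (claimedIdentifier != null && !isAllowedOpenID(claimedIdentifier))) {
            cancelWithError(req, rsp, "Provider not allowed");
            return;
        }
        State state = init(req, rediscoverIdentifier, mode, remember, returnToken);
        if (state == null) {
            cancel(req, rsp);
            return;
        }
        String returnTo = req.getParameter("openid.return_to");
        if (returnTo != null && returnTo.contains("openid.rpnonce=")) {
            // openid4java signs its own nonce into return_to; carry both values
            // over so verify() compares against the URL it originally issued.
            state.retTo.put("openid.rpnonce", req.getParameter("openid.rpnonce"));
            state.retTo.put("openid.rpsig", req.getParameter("openid.rpsig"));
        }
        VerificationResult result = this.manager.verify(state.retTo.toString(), new ParameterList(req.getParameterMap()), state.discovered);
        if (result.getVerifiedId() == null) {
            String statusMsg = result.getStatusMsg();
            if ("Nonce verification failed.".equals(statusMsg)) {
                logger.atSevere().log("OpenID failure: %s  Likely caused by clock skew on this server, install/configure NTP.", statusMsg);
                cancelWithError(req, rsp, statusMsg);
            } else if (statusMsg == null) {
                cancel(req, rsp);
            } else {
                logger.atSevere().log("OpenID failure: %s", statusMsg);
                cancelWithError(req, rsp, statusMsg);
            }
            return;
        }
        Message authRsp = result.getAuthResponse();
        if (0 <= this.papeMaxAuthAge && !hasPapeResponse(authRsp, openidIdentifier)) {
            cancelWithError(req, rsp, "OpenID provider does not support PAPE.");
            return;
        }

        SRegResponse sregRsp = null;
        if (authRsp.hasExtension(SRegMessage.OPENID_NS_SREG)) {
            MessageExtension ext = authRsp.getExtension(SRegMessage.OPENID_NS_SREG);
            if (ext instanceof SRegResponse) {
                sregRsp = (SRegResponse) ext;
            }
        }
        FetchResponse fetchRsp = null;
        if (authRsp.hasExtension(AxMessage.OPENID_NS_AX)) {
            MessageExtension ext = authRsp.getExtension(AxMessage.OPENID_NS_AX);
            if (ext instanceof FetchResponse) {
                fetchRsp = (FetchResponse) ext;
            }
        }

        AuthRequest areq = this.authRequestFactory.create(this.externalIdKeyFactory.parse(openidIdentifier));
        if (sregRsp != null) {
            areq.setDisplayName(sregRsp.getAttributeValue("fullname"));
            areq.setEmailAddress(sregRsp.getAttributeValue("email"));
        } else if (fetchRsp != null) {
            areq.setDisplayName(fullName(fetchRsp.getAttributeValue("FirstName"), fetchRsp.getAttributeValue("LastName")));
            areq.setEmailAddress(fetchRsp.getAttributeValue("Email"));
        }

        if (this.openIdDomains != null && !this.openIdDomains.isEmpty()
                && !isEmailDomainAllowed(areq.getEmailAddress())) {
            cancelWithError(req, rsp, "Domain disallowed");
            return;
        }

        if (claimedIdentifier != null) {
            // The provider asserted a delegate identity for a claimed one; make sure
            // both resolve to the same account, linking whichever side is unknown.
            Optional<Account.Id> claimedId = this.accountManager.lookup(claimedIdentifier);
            Optional<Account.Id> delegateId = this.accountManager.lookup(areq.getExternalIdKey().get());
            if (claimedId.isPresent() && delegateId.isPresent()) {
                if (!claimedId.get().equals(delegateId.get())) {
                    logger.atSevere().log("OpenID accounts disagree over user identity:\n  Claimed ID: %s is %s\n  Delgate ID: %s is %s", claimedId.get(), claimedIdentifier, delegateId.get(), areq.getExternalIdKey());
                    cancelWithError(req, rsp, "Contact site administrator");
                    return;
                }
            } else if (!claimedId.isPresent() && delegateId.isPresent()) {
                AuthRequest linkReq = this.authRequestFactory.create(this.externalIdKeyFactory.parse(claimedIdentifier));
                linkReq.setDisplayName(areq.getDisplayName());
                linkReq.setEmailAddress(areq.getEmailAddress());
                this.accountManager.link(delegateId.get(), linkReq);
            } else if (claimedId.isPresent() && !delegateId.isPresent()) {
                this.accountManager.link(claimedId.get(), areq);
            }
        }

        try {
            switch (mode) {
                case REGISTER:
                case SIGN_IN:
                    AuthResult arsp = this.accountManager.authenticate(areq);
                    rememberLastOpenId(req, rsp, rediscoverIdentifier, remember);
                    this.webSession.get().login(arsp, remember);
                    if (arsp.isNew() && claimedIdentifier != null) {
                        // Freshly created account: attach the claimed identifier too.
                        AuthRequest linkReq = this.authRequestFactory.create(this.externalIdKeyFactory.parse(claimedIdentifier));
                        linkReq.setDisplayName(areq.getDisplayName());
                        linkReq.setEmailAddress(areq.getEmailAddress());
                        this.accountManager.link(arsp.getAccountId(), linkReq);
                    }
                    callback(arsp.isNew(), req, rsp);
                    break;
                case LINK_IDENTIY:
                    this.webSession.get().login(this.accountManager.link(this.identifiedUser.get().getAccountId(), areq), remember);
                    callback(false, req, rsp);
                    break;
            }
        } catch (AccountException e) {
            logger.atSevere().withCause(e).log("OpenID authentication failure");
            cancelWithError(req, rsp, "Contact site administrator");
        }
    }

    /**
     * Checks that the provider answered the PAPE request.
     *
     * <p>Returns {@code false} only when the response parses and carries no PAPE
     * extension. A response whose PAPE data fails to parse is logged but treated
     * as present, preserving the original lenient handling — NOTE(review):
     * presumably because some providers send malformed PAPE data; confirm. The
     * auth age reported by the provider is not inspected anywhere in this class;
     * only the request-side max_auth_age hint is sent.
     */
    private static boolean hasPapeResponse(Message authRsp, String openidIdentifier) {
        try {
            PapeResponse pape = (PapeResponse) authRsp.getExtension(PapeMessage.OPENID_NS_PAPE);
            if (pape == null) {
                logger.atSevere().log("No PAPE extension response from %s", openidIdentifier);
                return false;
            }
            return true;
        } catch (MessageException e) {
            logger.atSevere().withCause(e).log("Invalid PAPE response from %s", openidIdentifier);
            return true;
        }
    }

    /**
     * Joins the AX first and last name with one space.
     *
     * @return the combined name, or {@code null} when both parts are null or empty
     */
    private static String fullName(String first, String last) {
        StringBuilder name = new StringBuilder();
        if (first != null && !first.isEmpty()) {
            name.append(first);
        }
        if (last != null && !last.isEmpty()) {
            if (name.length() > 0) {
                name.append(' ');
            }
            name.append(last);
        }
        return name.length() > 0 ? name.toString() : null;
    }

    /**
     * Applies the administrator's e-mail domain restriction. Only called when
     * {@link #openIdDomains} is non-empty.
     *
     * <p>The part of the address from the last {@code '@'} onwards (the {@code '@'}
     * included, as the substring shows) is compared case-insensitively with each
     * configured entry — NOTE(review): confirm how AuthConfig normalizes the
     * configured values, since an entry without a leading {@code '@'} would never
     * match here.
     *
     * <p>A missing address, or one without a domain part, cannot satisfy the
     * restriction and is rejected. The original dereferenced a null address (NPE)
     * and silently accepted an address with no {@code '@'}; both now fail closed.
     * Note that profile attributes are only requested for identities without an
     * existing account, so an existing account re-authenticating through a
     * provider that returns no e-mail is rejected here as well — if that is a real
     * path, the restriction may need to be limited to first registration.
     */
    private boolean isEmailDomainAllowed(String email) {
        int at = email == null ? -1 : email.lastIndexOf('@');
        if (at < 0 || at >= email.length() - 1) {
            logger.atSevere().log("Domain disallowed: e-mail address has no domain part");
            return false;
        }
        String domain = email.substring(at);
        for (String allowed : this.openIdDomains) {
            if (domain.equalsIgnoreCase(allowed)) {
                return true;
            }
        }
        logger.atSevere().log("Domain disallowed: %s", domain);
        return false;
    }

    /**
     * Sets, or clears, the cookie remembering which identifier the user last
     * signed in with.
     *
     * <p>The value is the public OpenID identifier, not a credential.
     * NOTE(review): neither HttpOnly nor Secure is set; confirm whether the login
     * page needs client-side access to this cookie before tightening it.
     */
    private static void rememberLastOpenId(HttpServletRequest req, HttpServletResponse rsp, String openidIdentifier, boolean remember) {
        Cookie last = new Cookie("gerrit.last_openid", "");
        last.setPath(req.getContextPath() + "/login/");
        if (remember) {
            last.setValue(openidIdentifier);
            last.setMaxAge(LASTID_AGE);
        } else {
            last.setMaxAge(0);
        }
        rsp.addCookie(last);
    }

    /** True for the modes that establish a new session (as opposed to linking). */
    private boolean isSignIn(SignInMode mode) {
        switch (mode) {
            case REGISTER:
            case SIGN_IN:
                return true;
            case LINK_IDENTIY:
            default:
                return false;
        }
    }

    /**
     * Reads {@code gerrit.mode} from the request, defaulting to {@code SIGN_IN}
     * when it is missing or not a known mode.
     */
    private static SignInMode signInMode(HttpServletRequest req) {
        String mode = req.getParameter(P_MODE);
        if (mode == null) {
            return SignInMode.SIGN_IN;
        }
        try {
            return SignInMode.valueOf(mode);
        } catch (IllegalArgumentException e) {
            return SignInMode.SIGN_IN;
        }
    }

    /**
     * Redirects the browser to where it wanted to go after login.
     *
     * <p>The destination is the canonical web URL followed by the decoded
     * {@code gerrit.token}, so the redirect stays on this server regardless of the
     * token's content. An empty token, or one pointing at the sign-in failure
     * page, is replaced by the root. New accounts are sent to the registration
     * screen first unless the token already targets it.
     *
     * @param isNew whether the account was created by this login
     */
    private void callback(boolean isNew, HttpServletRequest req, HttpServletResponse rsp) throws IOException {
        String token = req.getParameter(P_TOKEN);
        if (token == null || token.isEmpty() || token.startsWith("/SignInFailure,")) {
            token = "/";
        }
        StringBuilder target = new StringBuilder();
        target.append(this.urlProvider.get(req));
        String decoded = Url.decode(token);
        if (isNew && !token.startsWith("/register/")) {
            target.append("#/register/");
            if (decoded.startsWith("#")) {
                decoded = decoded.substring(1);
            }
        }
        target.append(decoded);
        rsp.sendRedirect(target.toString());
    }

    /**
     * Aborts a sign-in without an error message: drops the session for sign-in
     * modes and sends the browser back to its requested page.
     */
    private void cancel(HttpServletRequest req, HttpServletResponse rsp) throws IOException {
        if (isSignIn(signInMode(req))) {
            this.webSession.get().logout();
        }
        callback(false, req, rsp);
    }

    /**
     * Aborts a sign-in with a message: drops the session for sign-in modes and
     * redirects to {@code #SignInFailure,<mode>,<encoded message>}.
     *
     * @param errorMsg human-readable reason; encoded before being placed in the URL
     */
    private void cancelWithError(HttpServletRequest req, HttpServletResponse rsp, String errorMsg) throws IOException {
        SignInMode mode = signInMode(req);
        if (isSignIn(mode)) {
            this.webSession.get().logout();
        }
        StringBuilder target = new StringBuilder();
        target.append(this.urlProvider.get(req));
        target.append('#');
        target.append("SignInFailure");
        target.append(',');
        target.append(mode.name());
        target.append(',');
        target.append(errorMsg != null ? KeyUtil.encode(errorMsg) : "");
        rsp.sendRedirect(target.toString());
    }

    /**
     * Runs discovery and association for {@code openidIdentifier} and prepares the
     * return_to URL carrying Gerrit's own parameters.
     *
     * @return the prepared state, or {@code null} when no provider was found or
     *     discovery failed (already logged)
     */
    private State init(HttpServletRequest req, String openidIdentifier, SignInMode mode, boolean remember, String returnToken) {
        try {
            List<?> discovered = this.manager.discover(openidIdentifier);
            if (discovered == null || discovered.isEmpty()) {
                return null;
            }
            String contextUrl = this.urlProvider.get(req);
            DiscoveryInformation info = this.manager.associate(discovered);
            UrlEncoded retTo = new UrlEncoded(contextUrl + RETURN_URL);
            retTo.put(P_MODE, mode.name());
            if (returnToken != null && returnToken.length() > 0) {
                retTo.put(P_TOKEN, returnToken);
            }
            if (remember) {
                retTo.put(P_REMEMBER, REMEMBER_TRUE);
            }
            if (info.hasClaimedIdentifier()) {
                retTo.put(P_CLAIMED, info.getClaimedIdentifier().getIdentifier());
            }
            return new State(info, retTo, contextUrl);
        } catch (DiscoveryException e) {
            logger.atSevere().withCause(e).log("Cannot discover OpenID %s", openidIdentifier);
            return null;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Whether {@code id} matches at least one configured provider pattern.
     * An empty allow-list accepts nothing.
     */
    public boolean isAllowedOpenID(String id) {
        for (OpenIdProviderPattern pattern : this.allowedOpenIDs) {
            if (pattern.matches(id)) {
                return true;
            }
        }
        return false;
    }
}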
