package com.google.gerrit.httpd.auth.openid;

import com.google.common.base.Strings;
import com.google.common.flogger.FluentLogger;
import com.google.common.io.BaseEncoding;
import com.google.gerrit.entities.Account;
import com.google.gerrit.extensions.auth.oauth.OAuthServiceProvider;
import com.google.gerrit.extensions.auth.oauth.OAuthToken;
import com.google.gerrit.extensions.auth.oauth.OAuthUserInfo;
import com.google.gerrit.extensions.auth.oauth.OAuthVerifier;
import com.google.gerrit.extensions.registration.DynamicItem;
import com.google.gerrit.extensions.restapi.Url;
import com.google.gerrit.httpd.CanonicalWebUrl;
import com.google.gerrit.httpd.LoginUrlToken;
import com.google.gerrit.httpd.WebSession;
import com.google.gerrit.server.IdentifiedUser;
import com.google.gerrit.server.account.AccountException;
import com.google.gerrit.server.account.AccountManager;
import com.google.gerrit.server.account.AuthRequest;
import com.google.gerrit.server.account.externalids.ExternalIdKeyFactory;
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.servlet.SessionScoped;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Optional;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jgit.errors.ConfigInvalidException;

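/**
 * Per-HTTP-session state for an OAuth 2.0 authorization-code login that is driven through the
 * OpenID login path (this package).
 *
 * <p>The flow has two phases, both served by {@link #login}: phase 1 remembers the post-login
 * destination and redirects the browser to the provider with an anti-CSRF {@code state} value;
 * phase 2 (the callback carrying {@code code}) verifies {@code state}, exchanges the code for an
 * access token, resolves the user and signs the web session in.
 *
 * <p>Security notes that follow from the code below:
 *
 * <ul>
 *   <li>{@code state} is compared in constant time because the callback value is attacker
 *       controlled.
 *   <li>{@code state} is minted once per session-scoped instance and reused for every login
 *       attempt in that session; it is not rotated after a successful callback.
 *   <li>The access token is kept in this session object; {@link #toString} deliberately does not
 *       print it, since instances are logged at FINE level.
 * </ul>
 */
@SessionScoped
class OAuthSessionOverOpenID {
    static final String GERRIT_LOGIN = "/login";

    private static final FluentLogger logger = FluentLogger.forEnclosingClass();

    /** CSPRNG used only to mint {@link #state}. */
    private static final SecureRandom randomState = newRandomGenerator();

    /**
     * Anti-CSRF value appended to the authorization redirect and required back unchanged on the
     * callback. Created once for the lifetime of this (session-scoped) object.
     */
    private final String state = generateRandomState();

    private final DynamicItem<WebSession> webSession;
    private final Provider<IdentifiedUser> identifiedUser;
    private final AccountManager accountManager;
    private final CanonicalWebUrl urlProvider;
    private final ExternalIdKeyFactory externalIdKeyFactory;
    private final AuthRequest.Factory authRequestFactory;

    /** Provider selected for this session by {@link #setServiceProvider}; cleared on logout. */
    private OAuthServiceProvider serviceProvider;
    /** Access token from the provider; non-null only after a successful phase 2 exchange. */
    private OAuthToken token;
    /** User info resolved from {@link #token}; non-null only after a successful phase 2. */
    private OAuthUserInfo user;
    /** Destination captured in phase 1 and replayed after authentication. */
    private String redirectToken;
    /** When true, phase 2 links the OAuth identity to the already signed-in account. */
    private boolean linkMode;

    @Inject
    OAuthSessionOverOpenID(
            DynamicItem<WebSession> webSession,
            Provider<IdentifiedUser> identifiedUser,
            AccountManager accountManager,
            CanonicalWebUrl urlProvider,
            ExternalIdKeyFactory externalIdKeyFactory,
            AuthRequest.Factory authRequestFactory) {
        this.webSession = webSession;
        this.identifiedUser = identifiedUser;
        this.accountManager = accountManager;
        this.urlProvider = urlProvider;
        this.externalIdKeyFactory = externalIdKeyFactory;
        this.authRequestFactory = authRequestFactory;
    }

    /** True once both the access token and the user info have been obtained from the provider. */
    boolean isLoggedIn() {
        return token != null && user != null;
    }

    /**
     * True when the request is the provider's callback, i.e. it carries a non-empty {@code code}
     * parameter. Presence of {@code code} alone is what selects phase 2.
     */
    boolean isOAuthFinal(HttpServletRequest request) {
        return Strings.emptyToNull(request.getParameter("code")) != null;
    }

    /**
     * Runs one step of the login flow.
     *
     * <p>Without a {@code code} parameter (phase 1) this records the return destination and
     * redirects to the provider's authorization URL with {@code &state=...} appended. With a
     * {@code code} (phase 2) it rejects the request with 404 unless {@code state} matches, exchanges
     * the code for a token, loads the user info, and on success signs the session in via
     * {@link #authenticateAndRedirect}.
     *
     * @return {@code true} only after phase 2 obtained a token and user info. Note that a failure
     *     inside {@link #authenticateAndRedirect} (it answers 403 itself) still yields {@code true}
     *     here; callers must not take the return value as "session is authenticated".
     */
    boolean login(HttpServletRequest request, HttpServletResponse response, OAuthServiceProvider oauth)
            throws IOException {
        logger.atFine().log("Login %s", this);

        if (!isOAuthFinal(request)) {
            logger.atFine().log("Login-PHASE1 %s", this);
            redirectToken = LoginUrlToken.getToken(request);
            response.sendRedirect(oauth.getAuthorizationUrl() + "&state=" + state);
            return false;
        }

        // Phase 2. A callback whose state does not match was not started by this session; treat
        // it as a planted authorization code (login CSRF) and do not exchange it.
        if (!checkState(request)) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return false;
        }

        logger.atFine().log("Login-Retrieve-User %s", this);
        token = oauth.getAccessToken(new OAuthVerifier(request.getParameter("code")));
        user = oauth.getUserInfo(token);
        if (!isLoggedIn()) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }

        logger.atFine().log("Login-SUCCESS %s", this);
        authenticateAndRedirect(request, response);
        return true;
    }

    /**
     * Maps the resolved OAuth identity onto a Gerrit account, signs the web session in and
     * redirects to the destination captured in phase 1.
     *
     * <p>Account resolution: {@code actualId} is the account already holding the provider's
     * external id; {@code claimedId} is the account named by the provider's "claimed identity"
     * (if any). If only the claimed account exists, the external id is linked to it. If both exist
     * they must be the same account, otherwise the login is refused with 403. If neither exists and
     * link mode is on, the external id is linked to the currently identified user instead. Any
     * {@link AccountException} along the way is answered with 403.
     */
    private void authenticateAndRedirect(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        AuthRequest areq = authRequestFactory.create(externalIdKeyFactory.parse(user.getExternalId()));
        try {
            String claimedIdentity = user.getClaimedIdentity();
            Optional<Account.Id> actualId = accountManager.lookup(user.getExternalId());
            Optional<Account.Id> claimedId = Optional.empty();
            if (!Strings.isNullOrEmpty(claimedIdentity)) {
                claimedId = accountManager.lookup(claimedIdentity);
                if (!claimedId.isPresent()) {
                    logger.atFine().log("Claimed identity is unknown");
                }
            }

            if (claimedId.isPresent()) {
                logger.atFine().log("Claimed identity is set and is known");
                if (actualId.isPresent()) {
                    // Both identities resolve; refuse unless they agree on one account, so a
                    // provider cannot steer an external id onto somebody else's account.
                    if (!claimedId.get().equals(actualId.get())) {
                        logger.atFine().log("OAuth accounts disagree over user identity:\n  Claimed ID: %s is %s\n  Delgate ID: %s is %s", claimedId.get(), claimedIdentity, actualId.get(), user.getExternalId());
                        response.sendError(HttpServletResponse.SC_FORBIDDEN);
                        return;
                    }
                    logger.atFine().log("Both link to the same account. All is fine.");
                } else {
                    logger.atFine().log("Claimed account already exists: link to it.");
                    try {
                        accountManager.link(claimedId.get(), areq);
                    } catch (ConfigInvalidException e) {
                        logger.atSevere().withCause(e).log("Cannot link: %s to user identity:\n  Claimed ID: %s is %s", user.getExternalId(), claimedId.get(), claimedIdentity);
                        response.sendError(HttpServletResponse.SC_FORBIDDEN);
                        return;
                    }
                }
            } else if (linkMode) {
                // Link mode is one-shot: it is cleared whether or not the link succeeds.
                Account.Id accountId = identifiedUser.get().getAccountId();
                try {
                    logger.atFine().log("Linking \"%s\" to \"%s\"", user.getExternalId(), accountId);
                    accountManager.link(accountId, areq);
                } catch (ConfigInvalidException e) {
                    logger.atSevere().withCause(e).log("Cannot link: %s to user identity: %s", user.getExternalId(), accountId);
                    response.sendError(HttpServletResponse.SC_FORBIDDEN);
                    return;
                } finally {
                    linkMode = false;
                }
            }

            areq.setUserName(user.getUserName());
            areq.setEmailAddress(user.getEmailAddress());
            areq.setDisplayName(user.getDisplayName());
            webSession.get().login(accountManager.authenticate(areq), true);

            // The destination is appended to the canonical web URL, so it stays on this host.
            // NOTE(review): LoginUrlToken is outside this file — confirm it yields a relative
            // path only. redirectToken is null if phase 1 never ran in this session.
            response.sendRedirect(urlProvider.get(request) + Url.decode(Strings.nullToEmpty(redirectToken)));
        } catch (AccountException e) {
            logger.atSevere().withCause(e).log("Unable to authenticate user \"%s\"", user);
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    /**
     * Drops the token, user info, return destination and provider. {@link #state} and
     * {@link #linkMode} are intentionally untouched, as before.
     */
    void logout() {
        token = null;
        user = null;
        redirectToken = null;
        serviceProvider = null;
    }

    /**
     * Verifies that the callback's {@code state} parameter equals the one issued in phase 1.
     * A missing parameter is treated as the empty string and therefore never matches.
     */
    private boolean checkState(ServletRequest request) {
        String received = Strings.nullToEmpty(request.getParameter("state"));
        // Constant-time comparison: the received value is attacker controlled and a plain
        // String.equals would leak how many leading characters matched.
        byte[] got = received.getBytes(StandardCharsets.UTF_8);
        byte[] want = state.getBytes(StandardCharsets.UTF_8);
        if (MessageDigest.isEqual(got, want)) {
            return true;
        }
        logger.atSevere().log("Illegal request state '%s' on OAuthProtocol %s", received, this);
        return false;
    }

    /**
     * Returns the platform's default strong PRNG. The previous explicit "SHA1PRNG" lookup is a
     * legacy algorithm name that is not guaranteed by every provider; the default constructor
     * picks the strongest available source and cannot throw.
     */
    private static SecureRandom newRandomGenerator() {
        return new SecureRandom();
    }

    /** 256 bits of randomness, URL-safe base64 without padding so no '=' lands in the query. */
    private static String generateRandomState() {
        byte[] raw = new byte[32];
        randomState.nextBytes(raw);
        return BaseEncoding.base64Url().omitPadding().encode(raw);
    }

    /**
     * Diagnostic form used in FINE logs. The access token itself is never included; only
     * whether one is held.
     */
    @Override
    public String toString() {
        return "OAuthSession [token=" + (token == null ? "null" : "<present>") + ", user=" + user + "]";
    }

    public void setServiceProvider(OAuthServiceProvider provider) {
        this.serviceProvider = provider;
    }

    public OAuthServiceProvider getServiceProvider() {
        return serviceProvider;
    }

    public void setLinkMode(boolean linkMode) {
        this.linkMode = linkMode;
    }

    public boolean isLinkMode() {
        return linkMode;
    }
}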
