package com.google.gerrit.server.config;

import com.google.gerrit.common.auth.openid.OpenIdProviderPattern;
import com.google.gerrit.reviewdb.client.AccountExternalId;
import com.google.gerrit.reviewdb.client.AuthType;
import com.google.gwtjsonrpc.server.SignedToken;
import com.google.gwtjsonrpc.server.XsrfException;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.TimeUnit;
import org.eclipse.jgit.lib.Config;

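/**
 * Authentication settings read once from the {@code [auth]} section of the server configuration.
 *
 * <p>All fields are assigned in the constructor and never modified afterwards.
 *
 * <p>Security-relevant defaults visible in this class:
 *
 * <ul>
 *   <li>{@code auth.type} falls back to {@link AuthType#OPENID} when unset.
 *   <li>{@code auth.cookiesecure}, {@code auth.trustContainerAuth}, {@code auth.gitBasicAuth} and
 *       {@code auth.userNameToLowerCase} all default to {@code false}.
 *   <li>{@code auth.trustedOpenID} and {@code auth.allowedOpenID} each fall back to the two
 *       patterns {@code "http://"} and {@code "https://"} when no value is configured.
 *   <li>The token signers are {@code null} when their private key is absent or empty, so callers
 *       of {@link #getEmailRegistrationToken()} and {@link #getRestToken()} must handle
 *       {@code null}.
 * </ul>
 */
@Singleton
/* loaded from: input_file:WEB-INF/lib/gerrit-server-2.5.2.jar:com/google/gerrit/server/config/AuthConfig.class */
public class AuthConfig {
    private final AuthType authType;
    private final String httpHeader;
    private final boolean trustContainerAuth;
    private final boolean userNameToLowerCase;
    private final boolean gitBasicAuth;
    private final String logoutUrl;
    private final String openIdSsoUrl;
    private final List<OpenIdProviderPattern> trustedOpenIDs;
    private final List<OpenIdProviderPattern> allowedOpenIDs;
    private final String cookiePath;
    private final boolean cookieSecure;
    private final SignedToken emailReg;
    private final SignedToken restToken;
    private final boolean allowGoogleAccountUpgrade;

    /**
     * Reads every {@code [auth]} setting from the supplied configuration.
     *
     * @param config the server configuration to read from
     * @throws XsrfException declared by the {@link SignedToken} constructor used for the
     *     configured private keys
     */
    @Inject
    AuthConfig(@GerritServerConfig Config config) throws XsrfException {
        this.authType = toType(config);
        this.httpHeader = config.getString("auth", null, "httpheader");
        this.logoutUrl = config.getString("auth", null, "logouturl");
        this.openIdSsoUrl = config.getString("auth", null, "openidssourl");
        this.trustedOpenIDs = toPatterns(config, "trustedOpenID");
        this.allowedOpenIDs = toPatterns(config, "allowedOpenID");
        this.cookiePath = config.getString("auth", null, "cookiepath");
        // Defaults to false: the cookie is only marked secure when explicitly configured.
        this.cookieSecure = config.getBoolean("auth", "cookiesecure", false);
        this.trustContainerAuth = config.getBoolean("auth", "trustContainerAuth", false);
        this.gitBasicAuth = config.getBoolean("auth", "gitBasicAuth", false);
        this.userNameToLowerCase = config.getBoolean("auth", "userNameToLowerCase", false);
        // Default maximum age for e-mail registration tokens is 12 hours, expressed in seconds.
        this.emailReg =
                toToken(
                        config,
                        "registerEmailPrivateKey",
                        "maxRegisterEmailTokenAge",
                        TimeUnit.SECONDS.convert(12L, TimeUnit.HOURS));
        // Default maximum age for REST tokens is 60 seconds.
        this.restToken = toToken(config, "restTokenPrivateKey", "maxRestTokenAge", 60L);
        // The upgrade switch is only consulted for OPENID; && short-circuits so the setting is not
        // read for any other authentication type.
        this.allowGoogleAccountUpgrade =
                this.authType == AuthType.OPENID
                        && config.getBoolean("auth", "allowgoogleaccountupgrade", false);
    }

    /**
     * Builds a token signer from a private key setting, or returns {@code null} when no key is set.
     *
     * <p>The maximum age is only read when a key is present.
     *
     * @param config the server configuration to read from
     * @param keyName name of the {@code [auth]} setting holding the private key
     * @param ageName name of the {@code [auth]} setting holding the maximum token age
     * @param defaultAgeSeconds maximum age in seconds used when {@code ageName} is not configured
     * @return the signer, or {@code null} if the key is missing or empty
     * @throws XsrfException declared by the {@link SignedToken} constructor
     */
    private static SignedToken toToken(
            Config config, String keyName, String ageName, long defaultAgeSeconds)
            throws XsrfException {
        String privateKey = config.getString("auth", null, keyName);
        if (privateKey == null || privateKey.isEmpty()) {
            return null;
        }
        long ageSeconds =
                ConfigUtil.getTimeUnit(
                        config, "auth", null, ageName, defaultAgeSeconds, TimeUnit.SECONDS);
        return new SignedToken(saturatedSeconds(ageSeconds), privateKey);
    }

    /**
     * Converts a token age to {@code int}, saturating at the {@code int} range.
     *
     * <p>A plain narrowing cast keeps only the low 32 bits, so an oversized configured age could
     * silently turn into a small, zero or negative value. How {@link SignedToken} treats such a
     * value is not visible here (NOTE(review): confirm), so the value is saturated instead of
     * being allowed to wrap.
     *
     * @param seconds the configured age in seconds
     * @return {@code seconds} limited to the range of {@code int}
     */
    private static int saturatedSeconds(long seconds) {
        if (seconds > Integer.MAX_VALUE) {
            return Integer.MAX_VALUE;
        }
        if (seconds < Integer.MIN_VALUE) {
            return Integer.MIN_VALUE;
        }
        return (int) seconds;
    }

    /**
     * Reads a multi-valued {@code [auth]} setting as an unmodifiable list of provider patterns.
     *
     * <p>When the setting has no values, the two patterns {@code "http://"} and {@code "https://"}
     * are used. NOTE(review): these presumably match any http(s) OpenID identity, which would make
     * an unset {@code trustedOpenID} trust every provider; verify against
     * {@code OpenIdProviderPattern.create} and set the values explicitly where that is not wanted.
     *
     * @param config the server configuration to read from
     * @param str name of the setting
     * @return the patterns in configuration order
     */
    private static List<OpenIdProviderPattern> toPatterns(Config config, String str) {
        String[] configured = config.getStringList("auth", null, str);
        if (configured.length == 0) {
            configured = new String[]{"http://", "https://"};
        }
        List<OpenIdProviderPattern> patterns = new ArrayList<>(configured.length);
        for (String value : configured) {
            patterns.add(OpenIdProviderPattern.create(value));
        }
        return Collections.unmodifiableList(patterns);
    }

    /**
     * Reads {@code auth.type}, using {@link AuthType#OPENID} when it is not configured.
     *
     * @param config the server configuration to read from
     * @return the configured authentication type
     */
    private static AuthType toType(Config config) {
        return (AuthType) ConfigUtil.getEnum(config, "auth", (String) null, "type", AuthType.OPENID);
    }

    /** @return the authentication type this server is configured for */
    public AuthType getAuthType() {
        return this.authType;
    }

    /** @return the value of {@code auth.httpheader}, as returned by the configuration */
    public String getLoginHttpHeader() {
        return this.httpHeader;
    }

    /** @return the value of {@code auth.logouturl}, as returned by the configuration */
    public String getLogoutURL() {
        return this.logoutUrl;
    }

    /** @return the value of {@code auth.openidssourl}, as returned by the configuration */
    public String getOpenIdSsoUrl() {
        return this.openIdSsoUrl;
    }

    /** @return the value of {@code auth.cookiepath}, as returned by the configuration */
    public String getCookiePath() {
        return this.cookiePath;
    }

    /** @return the value of {@code auth.cookiesecure}; {@code false} unless configured */
    public boolean getCookieSecure() {
        return this.cookieSecure;
    }

    /**
     * @return the signer built from {@code auth.registerEmailPrivateKey}, or {@code null} when
     *     that key is missing or empty
     */
    public SignedToken getEmailRegistrationToken() {
        return this.emailReg;
    }

    /**
     * @return the signer built from {@code auth.restTokenPrivateKey}, or {@code null} when that
     *     key is missing or empty
     */
    public SignedToken getRestToken() {
        return this.restToken;
    }

    /**
     * @return {@code true} only when the type is {@link AuthType#OPENID} and
     *     {@code auth.allowgoogleaccountupgrade} is enabled
     */
    public boolean isAllowGoogleAccountUpgrade() {
        return this.allowGoogleAccountUpgrade;
    }

    /** @return the unmodifiable list of patterns read from {@code auth.allowedOpenID} */
    public List<OpenIdProviderPattern> getAllowedOpenIDs() {
        return this.allowedOpenIDs;
    }

    /** @return the value of {@code auth.trustContainerAuth}; {@code false} unless configured */
    public boolean isTrustContainerAuth() {
        return this.trustContainerAuth;
    }

    /** @return the value of {@code auth.userNameToLowerCase}; {@code false} unless configured */
    public boolean isUserNameToLowerCase() {
        return this.userNameToLowerCase;
    }

    /**
     * The method name is misspelled ("Basich"); it is kept unchanged so existing callers compile.
     *
     * @return the value of {@code auth.gitBasicAuth}; {@code false} unless configured
     */
    public boolean isGitBasichAuth() {
        return this.gitBasicAuth;
    }

    /**
     * Decides whether a set of external identities counts as trusted for the configured type.
     *
     * <p>Every type listed in the first group is trusted unconditionally, including
     * {@code DEVELOPMENT_BECOME_ANY_ACCOUNT}. For {@link AuthType#OPENID} every identity must pass
     * {@link #isTrusted(AccountExternalId)}; an empty collection is therefore reported as
     * trustable. Any type not listed is rejected.
     *
     * @param collection the external identities of one account
     * @return {@code true} if the identities are trusted under the configured type
     */
    public boolean isIdentityTrustable(Collection<AccountExternalId> collection) {
        switch (getAuthType()) {
            case DEVELOPMENT_BECOME_ANY_ACCOUNT:
            case HTTP:
            case HTTP_LDAP:
            case LDAP:
            case LDAP_BIND:
            case CLIENT_SSL_CERT_LDAP:
            case CUSTOM_EXTENSION:
            case OPENID_SSO:
                return true;
            case OPENID:
                for (AccountExternalId externalId : collection) {
                    if (!isTrusted(externalId)) {
                        return false;
                    }
                }
                return true;
            default:
                // Fail closed for any authentication type this method does not know about.
                return false;
        }
    }

    /**
     * Checks a single external identity against the OpenID trust rules.
     *
     * <p>Legacy GAE identities follow {@link #isAllowGoogleAccountUpgrade()}. Identities in the
     * mailto, UUID and username schemes are always trusted. Anything else must match one of the
     * patterns read from {@code auth.trustedOpenID}.
     *
     * @param accountExternalId the identity to check
     * @return {@code true} if the identity is trusted
     */
    private boolean isTrusted(AccountExternalId accountExternalId) {
        if (accountExternalId.isScheme(AccountExternalId.LEGACY_GAE)) {
            return isAllowGoogleAccountUpgrade();
        }
        boolean alwaysTrustedScheme =
                accountExternalId.isScheme(AccountExternalId.SCHEME_MAILTO)
                        || accountExternalId.isScheme(AccountExternalId.SCHEME_UUID)
                        || accountExternalId.isScheme(AccountExternalId.SCHEME_USERNAME);
        if (alwaysTrustedScheme) {
            return true;
        }
        for (OpenIdProviderPattern pattern : this.trustedOpenIDs) {
            if (pattern.matches(accountExternalId)) {
                return true;
            }
        }
        return false;
    }
}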
