package com.google.gerrit.server.account;

import com.google.gerrit.common.data.AccessSection;
import com.google.gerrit.common.data.GlobalCapability;
import com.google.gerrit.common.errors.InvalidUserNameException;
import com.google.gerrit.common.errors.NameAlreadyUsedException;
import com.google.gerrit.reviewdb.client.Account;
import com.google.gerrit.reviewdb.client.AccountExternalId;
import com.google.gerrit.reviewdb.client.AccountGroupMember;
import com.google.gerrit.reviewdb.client.AccountGroupMemberAudit;
import com.google.gerrit.reviewdb.server.ReviewDb;
import com.google.gerrit.server.IdentifiedUser;
import com.google.gerrit.server.account.ChangeUserName;
import com.google.gerrit.server.config.AuthConfig;
import com.google.gerrit.server.project.ProjectCache;
import com.google.gwtorm.server.OrmException;
import com.google.gwtorm.server.SchemaFactory;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.concurrent.atomic.AtomicBoolean;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Singleton
/* loaded from: input_file:WEB-INF/lib/gerrit-server-2.5.2.jar:com/google/gerrit/server/account/AccountManager.class */
public class AccountManager {
    private static final Logger log = LoggerFactory.getLogger(AccountManager.class);
    private final SchemaFactory<ReviewDb> schema;
    private final AccountCache byIdCache;
    private final AccountByEmailCache byEmailCache;
    private final AuthConfig authConfig;
    private final Realm realm;
    private final IdentifiedUser.GenericFactory userFactory;
    private final ChangeUserName.Factory changeUserNameFactory;
    private final ProjectCache projectCache;
    private final AtomicBoolean firstAccount = new AtomicBoolean();

    @Inject
    AccountManager(SchemaFactory<ReviewDb> schemaFactory, AccountCache accountCache, AccountByEmailCache accountByEmailCache, AuthConfig authConfig, Realm realm, IdentifiedUser.GenericFactory genericFactory, ChangeUserName.Factory factory, ProjectCache projectCache) throws OrmException {
        this.schema = schemaFactory;
        this.byIdCache = accountCache;
        this.byEmailCache = accountByEmailCache;
        this.authConfig = authConfig;
        this.realm = realm;
        this.userFactory = genericFactory;
        this.changeUserNameFactory = factory;
        this.projectCache = projectCache;
        ReviewDb open = schemaFactory.open();
        try {
            this.firstAccount.set(open.accounts().anyAccounts().toList().isEmpty());
            open.close();
        } catch (Throwable th) {
            open.close();
            throw th;
        }
    }

    public Account.Id lookup(String str) throws AccountException {
        try {
            ReviewDb open = this.schema.open();
            try {
                AccountExternalId accountExternalId = open.accountExternalIds().get(new AccountExternalId.Key(str));
                return accountExternalId != null ? accountExternalId.getAccountId() : null;
            } finally {
                open.close();
            }
        } catch (OrmException e) {
            throw new AccountException("Cannot lookup account " + str, e);
        }
    }

    public AuthResult authenticate(AuthRequest authRequest) throws AccountException {
        AuthRequest authenticate = this.realm.authenticate(authRequest);
        try {
            ReviewDb open = this.schema.open();
            try {
                AccountExternalId.Key id = id(authenticate);
                AccountExternalId accountExternalId = open.accountExternalIds().get(id);
                if (accountExternalId == null) {
                    AuthResult create = create(open, authenticate);
                    open.close();
                    return create;
                }
                Account account = open.accounts().get(accountExternalId.getAccountId());
                if (account == null || !account.isActive()) {
                    throw new AccountException("Authentication error, account inactive");
                }
                update(open, authenticate, accountExternalId);
                AuthResult authResult = new AuthResult(accountExternalId.getAccountId(), id, false);
                open.close();
                return authResult;
            } catch (Throwable th) {
                open.close();
                throw th;
            }
        } catch (OrmException e) {
            throw new AccountException("Authentication error", e);
        }
    }

    private void update(ReviewDb reviewDb, AuthRequest authRequest, AccountExternalId accountExternalId) throws OrmException {
        IdentifiedUser create = this.userFactory.create(accountExternalId.getAccountId());
        Account account = null;
        String emailAddress = authRequest.getEmailAddress();
        String emailAddress2 = accountExternalId.getEmailAddress();
        if (emailAddress != null && !emailAddress.equals(emailAddress2)) {
            if (emailAddress2 != null && emailAddress2.equals(create.getAccount().getPreferredEmail())) {
                account = load(null, create.getAccountId(), reviewDb);
                account.setPreferredEmail(emailAddress);
            }
            accountExternalId.setEmailAddress(emailAddress);
            reviewDb.accountExternalIds().update(Collections.singleton(accountExternalId));
        }
        if (!this.realm.allowsEdit(Account.FieldName.FULL_NAME) && !eq(create.getAccount().getFullName(), authRequest.getDisplayName())) {
            account = load(account, create.getAccountId(), reviewDb);
            account.setFullName(authRequest.getDisplayName());
        }
        if (!this.realm.allowsEdit(Account.FieldName.USER_NAME) && !eq(create.getUserName(), authRequest.getUserName())) {
            this.changeUserNameFactory.create(reviewDb, create, authRequest.getUserName());
        }
        if (account != null) {
            reviewDb.accounts().update(Collections.singleton(account));
        }
        if (emailAddress != null && !emailAddress.equals(emailAddress2)) {
            this.byEmailCache.evict(emailAddress2);
            this.byEmailCache.evict(emailAddress);
        }
        if (account != null) {
            this.byIdCache.evict(account.getId());
        }
    }

    private Account load(Account account, Account.Id id, ReviewDb reviewDb) throws OrmException {
        if (account == null) {
            account = reviewDb.accounts().get(id);
            if (account == null) {
                throw new OrmException("Account " + id + " has been deleted");
            }
        }
        return account;
    }

    private static boolean eq(String str, String str2) {
        return (str == null && str2 == null) || (str != null && str.equals(str2));
    }

    private AuthResult create(ReviewDb reviewDb, AuthRequest authRequest) throws OrmException, AccountException {
        if (this.authConfig.isAllowGoogleAccountUpgrade() && authRequest.isScheme("https://www.google.com/accounts/o8/id?") && authRequest.getEmailAddress() != null) {
            ArrayList arrayList = new ArrayList();
            ArrayList arrayList2 = new ArrayList();
            for (AccountExternalId accountExternalId : reviewDb.accountExternalIds().byEmailAddress(authRequest.getEmailAddress())) {
                if (accountExternalId.isScheme("https://www.google.com/accounts/o8/id?")) {
                    arrayList.add(accountExternalId);
                } else if (accountExternalId.isScheme(AccountExternalId.LEGACY_GAE)) {
                    arrayList2.add(accountExternalId);
                }
            }
            if (!arrayList.isEmpty()) {
                Account.Id accountId = ((AccountExternalId) arrayList.get(0)).getAccountId();
                if (arrayList.size() > 1) {
                    Iterator it = arrayList.iterator();
                    while (it.hasNext()) {
                        if (!accountId.equals(((AccountExternalId) it.next()).getAccountId())) {
                            throw new AccountException("Multiple user accounts for " + authRequest.getEmailAddress() + " using Google Accounts provider");
                        }
                    }
                }
                AccountExternalId createId = createId(accountId, authRequest);
                createId.setEmailAddress(authRequest.getEmailAddress());
                if (arrayList.size() == 1) {
                    AccountExternalId accountExternalId2 = (AccountExternalId) arrayList.get(0);
                    reviewDb.accountExternalIds().upsert(Collections.singleton(createId));
                    reviewDb.accountExternalIds().delete(Collections.singleton(accountExternalId2));
                } else {
                    reviewDb.accountExternalIds().insert(Collections.singleton(createId));
                }
                return new AuthResult(accountId, createId.getKey(), false);
            }
            if (arrayList2.size() == 1) {
                AccountExternalId accountExternalId3 = (AccountExternalId) arrayList2.get(0);
                AccountExternalId createId2 = createId(accountExternalId3.getAccountId(), authRequest);
                createId2.setEmailAddress(authRequest.getEmailAddress());
                reviewDb.accountExternalIds().upsert(Collections.singleton(createId2));
                reviewDb.accountExternalIds().delete(Collections.singleton(accountExternalId3));
                return new AuthResult(createId2.getAccountId(), createId2.getKey(), false);
            }
            if (arrayList2.size() > 1) {
                throw new AccountException("Multiple Gerrit 1.x accounts found");
            }
        }
        Account.Id id = new Account.Id(reviewDb.nextAccountId());
        Account account = new Account(id);
        AccountExternalId createId3 = createId(id, authRequest);
        createId3.setEmailAddress(authRequest.getEmailAddress());
        account.setFullName(authRequest.getDisplayName());
        account.setPreferredEmail(createId3.getEmailAddress());
        reviewDb.accounts().insert(Collections.singleton(account));
        reviewDb.accountExternalIds().insert(Collections.singleton(createId3));
        if (this.firstAccount.get() && this.firstAccount.compareAndSet(true, false)) {
            AccountGroupMember accountGroupMember = new AccountGroupMember(new AccountGroupMember.Key(id, reviewDb.accountGroups().byUUID(this.projectCache.getAllProjects().getConfig().getAccessSection(AccessSection.GLOBAL_CAPABILITIES).getPermission(GlobalCapability.ADMINISTRATE_SERVER).getRules().get(0).getGroup().getUUID()).iterator().next().getId()));
            reviewDb.accountGroupMembersAudit().insert(Collections.singleton(new AccountGroupMemberAudit(accountGroupMember, id)));
            reviewDb.accountGroupMembers().insert(Collections.singleton(accountGroupMember));
        }
        if (authRequest.getUserName() != null) {
            try {
                this.changeUserNameFactory.create(reviewDb, this.userFactory.create(id), authRequest.getUserName()).call();
            } catch (InvalidUserNameException e) {
                handleSettingUserNameFailure(reviewDb, account, createId3, "Cannot assign user name \"" + authRequest.getUserName() + "\" to account " + id + "; name does not conform.", e, false);
            } catch (NameAlreadyUsedException e2) {
                handleSettingUserNameFailure(reviewDb, account, createId3, "Cannot assign user name \"" + authRequest.getUserName() + "\" to account " + id + "; name already in use.", e2, false);
            } catch (OrmException e3) {
                handleSettingUserNameFailure(reviewDb, account, createId3, "Cannot assign user name", e3, true);
            }
        }
        this.byEmailCache.evict(account.getPreferredEmail());
        this.realm.onCreateAccount(authRequest, account);
        return new AuthResult(id, createId3.getKey(), true);
    }

    private void handleSettingUserNameFailure(ReviewDb reviewDb, Account account, AccountExternalId accountExternalId, String str, Exception exc, boolean z) throws AccountUserNameException, OrmException {
        if (z) {
            log.error(str, (Throwable) exc);
        } else {
            log.error(str);
        }
        if (this.realm.allowsEdit(Account.FieldName.USER_NAME)) {
            return;
        }
        reviewDb.accounts().delete(Collections.singleton(account));
        reviewDb.accountExternalIds().delete(Collections.singleton(accountExternalId));
        throw new AccountUserNameException(str, exc);
    }

    private static AccountExternalId createId(Account.Id id, AuthRequest authRequest) {
        return new AccountExternalId(id, new AccountExternalId.Key(authRequest.getExternalId()));
    }

    public AuthResult link(Account.Id id, AuthRequest authRequest) throws AccountException {
        try {
            ReviewDb open = this.schema.open();
            try {
                AuthRequest link = this.realm.link(open, id, authRequest);
                AccountExternalId.Key id2 = id(link);
                AccountExternalId accountExternalId = open.accountExternalIds().get(id2);
                if (accountExternalId == null) {
                    AccountExternalId createId = createId(id, link);
                    createId.setEmailAddress(link.getEmailAddress());
                    open.accountExternalIds().insert(Collections.singleton(createId));
                    if (link.getEmailAddress() != null) {
                        Account account = open.accounts().get(id);
                        if (account.getPreferredEmail() == null) {
                            account.setPreferredEmail(link.getEmailAddress());
                            open.accounts().update(Collections.singleton(account));
                        }
                    }
                    if (link.getEmailAddress() != null) {
                        this.byEmailCache.evict(link.getEmailAddress());
                        this.byIdCache.evict(id);
                    }
                } else {
                    if (!accountExternalId.getAccountId().equals(id)) {
                        throw new AccountException("Identity in use by another account");
                    }
                    update(open, link, accountExternalId);
                }
                AuthResult authResult = new AuthResult(id, id2, false);
                open.close();
                return authResult;
            } catch (Throwable th) {
                open.close();
                throw th;
            }
        } catch (OrmException e) {
            throw new AccountException("Cannot link identity", e);
        }
    }

    public AuthResult unlink(Account.Id id, AuthRequest authRequest) throws AccountException {
        try {
            ReviewDb open = this.schema.open();
            try {
                AuthRequest unlink = this.realm.unlink(open, id, authRequest);
                AccountExternalId.Key id2 = id(unlink);
                AccountExternalId accountExternalId = open.accountExternalIds().get(id2);
                if (accountExternalId == null) {
                    throw new AccountException("Identity not found");
                }
                if (!accountExternalId.getAccountId().equals(id)) {
                    throw new AccountException("Identity in use by another account");
                }
                open.accountExternalIds().delete(Collections.singleton(accountExternalId));
                if (unlink.getEmailAddress() != null) {
                    Account account = open.accounts().get(id);
                    if (account.getPreferredEmail() != null && account.getPreferredEmail().equals(unlink.getEmailAddress())) {
                        account.setPreferredEmail(null);
                        open.accounts().update(Collections.singleton(account));
                    }
                    this.byEmailCache.evict(unlink.getEmailAddress());
                    this.byIdCache.evict(id);
                }
                AuthResult authResult = new AuthResult(id, id2, false);
                open.close();
                return authResult;
            } catch (Throwable th) {
                open.close();
                throw th;
            }
        } catch (OrmException e) {
            throw new AccountException("Cannot unlink identity", e);
        }
    }

    private static AccountExternalId.Key id(AuthRequest authRequest) {
        return new AccountExternalId.Key(authRequest.getExternalId());
    }
}
