package com.google.gerrit.gpg;

import com.google.common.base.Strings;
import com.google.common.flogger.FluentLogger;
import com.google.gerrit.extensions.registration.DynamicSet;
import com.google.gerrit.gpg.SignedPushPreReceiveHook;
import com.google.gerrit.reviewdb.client.BooleanProjectConfig;
import com.google.gerrit.reviewdb.client.Project;
import com.google.gerrit.server.EnableSignedPush;
import com.google.gerrit.server.config.AllUsersName;
import com.google.gerrit.server.config.GerritServerConfig;
import com.google.gerrit.server.git.GitRepositoryManager;
import com.google.gerrit.server.git.ReceivePackInitializer;
import com.google.gerrit.server.project.ProjectCache;
import com.google.gerrit.server.project.ProjectState;
import com.google.inject.AbstractModule;
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.ProvisionException;
import com.google.inject.Singleton;
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.ArrayList;
import org.eclipse.jgit.lib.Config;
import org.eclipse.jgit.lib.ConfigConstants;
import org.eclipse.jgit.lib.Repository;
import org.eclipse.jgit.transport.PreReceiveHookChain;
import org.eclipse.jgit.transport.ReceivePack;
import org.eclipse.jgit.transport.SignedPushConfig;

/* loaded from: input_file:com/google/gerrit/gpg/SignedPushModule.class */
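/**
 * Guice module that wires signed-push (push certificate) handling into the receive path.
 *
 * <p>{@link #configure()} binds {@link PublicKeyStore} to {@link StoreProvider} and registers
 * {@link Initializer} as a {@link ReceivePackInitializer}, so every {@link ReceivePack} gets its
 * signed-push configuration and pre-receive hook chain set up per project.
 */
class SignedPushModule extends AbstractModule {
    private static final FluentLogger logger = FluentLogger.forEnclosingClass();

    /**
     * Characters a generated nonce seed is drawn from. All are 7-bit ASCII, so every character
     * maps to one distinct byte in any ASCII-compatible charset and none can be replaced or
     * merged when the seed string is later turned into key bytes.
     */
    private static final String SEED_ALPHABET =
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    /**
     * Applies the server-wide and per-project signed-push settings to each {@link ReceivePack}.
     */
    @Singleton
    private static class Initializer implements ReceivePackInitializer {
        // null when signed push is disabled at server level; init() checks for that.
        private final SignedPushConfig signedPushConfig;
        private final SignedPushPreReceiveHook hook;
        private final ProjectCache projectCache;

        /**
         * Builds the server-wide {@link SignedPushConfig} once, at injection time.
         *
         * @param config the Gerrit server config; {@code certNonceSeed} and {@code certNonceSlop}
         *     are read from its receive section
         * @param enableSignedPush server-level switch; when false no config is built
         * @param signedPushPreReceiveHook hook added to the chain of every signed-push project
         * @param projectCache source of the per-project boolean settings
         */
        @Inject
        Initializer(
                @GerritServerConfig Config config,
                @EnableSignedPush boolean enableSignedPush,
                SignedPushPreReceiveHook signedPushPreReceiveHook,
                ProjectCache projectCache) {
            this.hook = signedPushPreReceiveHook;
            this.projectCache = projectCache;
            if (!enableSignedPush) {
                this.signedPushConfig = null;
                return;
            }
            // The seed is the secret that push-certificate nonces are derived from. A value set in
            // the config file should be protected like any other server secret. When none is set,
            // a seed is generated here and lives only in this process: it changes on every
            // restart and is not shared with other server instances, so a nonce issued under one
            // seed cannot be validated under another.
            String seed = config.getString(ConfigConstants.CONFIG_RECEIVE_SECTION, null, "certNonceSeed");
            if (Strings.isNullOrEmpty(seed)) {
                seed = SignedPushModule.randomString(64);
            }
            this.signedPushConfig = new SignedPushConfig();
            this.signedPushConfig.setCertNonceSeed(seed);
            // Default slop limit is 300 (presumably seconds; confirm against the JGit version
            // in use).
            this.signedPushConfig.setCertNonceSlopLimit(
                    config.getInt(ConfigConstants.CONFIG_RECEIVE_SECTION, null, "certNonceSlop", 300));
        }

        /**
         * Configures {@code receivePack} for the given project.
         *
         * <p>Signed push is active only when both the project setting and the server-level
         * switch are on. In every other case the signed-push config is cleared and the existing
         * pre-receive hook is left untouched.
         *
         * @param nameKey project being pushed to
         * @param receivePack receive session to configure
         */
        @Override
        public void init(Project.NameKey nameKey, ReceivePack receivePack) {
            // NOTE(review): no null check on the cache lookup; confirm ProjectCache.get cannot
            // return null for a project that is being pushed to.
            ProjectState projectState = this.projectCache.get(nameKey);
            if (!projectState.is(BooleanProjectConfig.ENABLE_SIGNED_PUSH)) {
                // REQUIRE_SIGNED_PUSH is not consulted on this path.
                receivePack.setSignedPushConfig(null);
                return;
            }
            if (this.signedPushConfig == null) {
                // Fail-open: the project asks for signed push but the server switch is off, so the
                // push proceeds without certificate verification and REQUIRE_SIGNED_PUSH is not
                // enforced either. The SEVERE log line below is the only trace of the mismatch;
                // it is worth alerting on.
                SignedPushModule.logger.atSevere().log("receive.enableSignedPush is true for project %s but false in gerrit.config, so signed push verification is disabled", nameKey.get());
                receivePack.setSignedPushConfig(null);
                return;
            }
            receivePack.setSignedPushConfig(this.signedPushConfig);
            // Chain order: the "required" hook (only for projects that demand signed pushes),
            // then the signed-push hook, then whatever hook was installed before.
            ArrayList hooks = new ArrayList(3);
            if (projectState.is(BooleanProjectConfig.REQUIRE_SIGNED_PUSH)) {
                hooks.add(SignedPushPreReceiveHook.Required.INSTANCE);
            }
            hooks.add(this.hook);
            hooks.add(receivePack.getPreReceiveHook());
            receivePack.setPreReceiveHook(PreReceiveHookChain.newChain(hooks));
        }
    }

    /**
     * Provides a {@link PublicKeyStore} backed by the repository named by {@link AllUsersName}.
     */
    @Singleton
    private static class StoreProvider implements Provider<PublicKeyStore> {
        private final GitRepositoryManager repoManager;
        private final AllUsersName allUsers;

        @Inject
        StoreProvider(GitRepositoryManager gitRepositoryManager, AllUsersName allUsersName) {
            this.repoManager = gitRepositoryManager;
            this.allUsers = allUsersName;
        }

        /**
         * Opens the repository and returns a store that owns it.
         *
         * @return a store whose {@code close()} also closes the repository opened here; callers
         *     must close the returned store to release it
         * @throws ProvisionException if the repository cannot be opened
         */
        @Override
        public PublicKeyStore get() {
            try {
                final Repository openRepository = this.repoManager.openRepository(this.allUsers);
                return new PublicKeyStore(openRepository) {
                    @Override
                    public void close() {
                        // Close the repository even if closing the store itself fails.
                        try {
                            super.close();
                        } finally {
                            openRepository.close();
                        }
                    }
                };
            } catch (IOException e) {
                throw new ProvisionException("Cannot open " + this.allUsers, e);
            }
        }
    }

    /**
     * Installs the signed-push bindings.
     *
     * @throws ProvisionException if Bouncy Castle PGP is not available
     */
    @Override
    protected void configure() {
        if (!BouncyCastleUtil.havePGP()) {
            throw new ProvisionException("Bouncy Castle PGP not installed");
        }
        bind(PublicKeyStore.class).toProvider(StoreProvider.class);
        DynamicSet.bind(binder(), ReceivePackInitializer.class).to(Initializer.class);
    }

    /**
     * Generates a random string of {@code i} characters for use as a nonce seed.
     *
     * <p>Characters are drawn uniformly from {@link #SEED_ALPHABET} (62 ASCII letters and digits,
     * a little under 6 bits each). Arbitrary 16-bit {@code char} values are deliberately not
     * used: they include unpaired surrogates and characters outside single-byte charsets, which
     * are replaced when a string is encoded to bytes, so part of the randomness could be lost
     * depending on how the consumer of the seed encodes it.
     *
     * <p>The decompiler reports that it widened this method from {@code private}; treat it as
     * internal to this class.
     *
     * @param i number of characters to generate
     * @return a string of exactly {@code i} characters from {@link #SEED_ALPHABET}
     * @throws IllegalStateException if the {@code SHA1PRNG} algorithm is unavailable
     */
    public static String randomString(int i) {
        SecureRandom secureRandom;
        try {
            secureRandom = SecureRandom.getInstance("SHA1PRNG");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
        StringBuilder sb = new StringBuilder(i);
        for (int n = 0; n < i; n++) {
            // Bounded nextInt gives a uniform index into the alphabet.
            sb.append(SEED_ALPHABET.charAt(secureRandom.nextInt(SEED_ALPHABET.length())));
        }
        return sb.toString();
    }
}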
