package com.google.gerrit.server.mail;

import com.google.common.base.Preconditions;
import com.google.common.io.BaseEncoding;
import com.google.gerrit.reviewdb.client.Account;
import com.google.gerrit.server.config.AuthConfig;
import com.google.gerrit.server.mail.EmailTokenVerifier;
import com.google.gwtjsonrpc.common.CheckTokenException;
import com.google.gwtjsonrpc.server.SignedToken;
import com.google.gwtjsonrpc.server.ValidToken;
import com.google.gwtjsonrpc.server.XsrfException;
import com.google.inject.AbstractModule;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

@Singleton
/* loaded from: input_file:com/google/gerrit/server/mail/SignedTokenEmailTokenVerifier.class */
public class SignedTokenEmailTokenVerifier implements EmailTokenVerifier {
    private final SignedToken emailRegistrationToken;

    /* loaded from: input_file:com/google/gerrit/server/mail/SignedTokenEmailTokenVerifier$Module.class */
    public static class Module extends AbstractModule {
        @Override // com.google.inject.AbstractModule
        protected void configure() {
            bind(EmailTokenVerifier.class).to(SignedTokenEmailTokenVerifier.class);
        }
    }

    @Inject
    SignedTokenEmailTokenVerifier(AuthConfig authConfig) {
        this.emailRegistrationToken = authConfig.getEmailRegistrationToken();
    }

    @Override // com.google.gerrit.server.mail.EmailTokenVerifier
    public String encode(Account.Id id, String str) {
        checkEmailRegistrationToken();
        try {
            return this.emailRegistrationToken.newToken(BaseEncoding.base64Url().encode(String.format("%s:%s", id, str).getBytes(StandardCharsets.UTF_8)));
        } catch (XsrfException e) {
            throw new IllegalArgumentException(e);
        }
    }

    @Override // com.google.gerrit.server.mail.EmailTokenVerifier
    public EmailTokenVerifier.ParsedToken decode(String str) throws EmailTokenVerifier.InvalidTokenException {
        checkEmailRegistrationToken();
        try {
            ValidToken checkToken = this.emailRegistrationToken.checkToken(str, null);
            if (checkToken == null || checkToken.getData() == null || checkToken.getData().isEmpty()) {
                throw new EmailTokenVerifier.InvalidTokenException();
            }
            Matcher matcher = Pattern.compile("^([0-9]+):(.+@.+)$").matcher(new String(BaseEncoding.base64Url().decode(checkToken.getData()), StandardCharsets.UTF_8));
            if (matcher.matches()) {
                return new EmailTokenVerifier.ParsedToken(Account.Id.tryParse(matcher.group(1)).orElseThrow(EmailTokenVerifier.InvalidTokenException::new), matcher.group(2));
            }
            throw new EmailTokenVerifier.InvalidTokenException();
        } catch (CheckTokenException | XsrfException e) {
            throw new EmailTokenVerifier.InvalidTokenException(e);
        }
    }

    private void checkEmailRegistrationToken() {
        Preconditions.checkState(this.emailRegistrationToken != null, "'auth.registerEmailPrivateKey' not set in gerrit.config");
    }
}
