package com.google.gerrit.server.config;

import com.google.gerrit.extensions.client.AuthType;
import com.google.gerrit.extensions.client.GitBasicAuthPolicy;
import com.google.gerrit.server.account.externalids.ExternalId;
import com.google.gerrit.server.auth.openid.OpenIdProviderPattern;
import com.google.gwtjsonrpc.server.SignedToken;
import com.google.gwtjsonrpc.server.XsrfException;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.TimeUnit;
import org.eclipse.jgit.lib.Config;

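/**
 * Snapshot of the {@code [auth]} section of the Gerrit server configuration, read once at
 * construction time.
 *
 * <p>Defaults visible in this class that matter for a security review:
 *
 * <ul>
 *   <li>{@code auth.type} falls back to {@link AuthType#OPENID} when unset.
 *   <li>{@code auth.trustedOpenID} and {@code auth.allowedOpenID} fall back to the two patterns
 *       {@code "http://"} and {@code "https://"} when unset. NOTE(review): these presumably match
 *       any http(s) identity, so an unconfigured OPENID site would trust every provider; confirm
 *       against {@code OpenIdProviderPattern}.
 *   <li>{@code auth.cookiesecure} and {@code auth.trustContainerAuth} default to {@code false};
 *       {@code auth.enableRunAs} and {@code auth.allowRegisterNewEmail} default to {@code true}.
 * </ul>
 *
 * <p>String getters return {@code null} when the corresponding key is not configured.
 */
@Singleton
public class AuthConfig {
    /** Name of the configuration section every key in this class is read from. */
    private static final String SECTION = "auth";

    private final AuthType authType;
    // Names of the HTTP request headers read for login, display name, e-mail and external id.
    // NOTE(review): if a fronting proxy sets these, it must strip client-supplied copies; confirm
    // against the deployment.
    private final String httpHeader;
    private final String httpDisplaynameHeader;
    private final String httpEmailHeader;
    private final String httpExternalIdHeader;
    private final String registerPageUrl;
    private final String registerUrl;
    private final String registerText;
    private final boolean trustContainerAuth;
    private final boolean enableRunAs;
    private final boolean userNameToLowerCase;
    private final boolean useContributorAgreements;
    private final String loginUrl;
    private final String loginText;
    private final String logoutUrl;
    private final String switchAccountUrl;
    private final String editFullNameUrl;
    private final String httpPasswordUrl;
    private final String openIdSsoUrl;
    private final List<String> openIdDomains;
    private final List<OpenIdProviderPattern> trustedOpenIDs;
    private final List<OpenIdProviderPattern> allowedOpenIDs;
    private final String cookiePath;
    private final String cookieDomain;
    // NOTE(review): presumably drives the Secure attribute of the session cookie; defaults to
    // false, so HTTPS deployments should set auth.cookiesecure explicitly. Confirm at call site.
    private final boolean cookieSecure;
    // Null when auth.registerEmailPrivateKey is unset or empty.
    private final SignedToken emailReg;
    private final boolean allowRegisterNewEmail;
    // Assigned exactly once in the constructor; final so the singleton is safely published.
    private final GitBasicAuthPolicy gitBasicAuthPolicy;

    /**
     * Reads every {@code auth.*} setting and validates the auth type / Git basic-auth policy
     * combination.
     *
     * @param config the server configuration to read from
     * @throws XsrfException if the e-mail registration {@link SignedToken} cannot be created
     * @throws IllegalStateException if {@code auth.gitBasicAuthPolicy} is {@code HTTP_LDAP}
     *     without an LDAP auth type, or {@code OAUTH} without {@code auth.type = OAUTH}
     */
    @Inject
    AuthConfig(@GerritServerConfig Config config) throws XsrfException {
        this.authType = toType(config);
        this.httpHeader = config.getString(SECTION, null, "httpheader");
        this.httpDisplaynameHeader = config.getString(SECTION, null, "httpdisplaynameheader");
        this.httpEmailHeader = config.getString(SECTION, null, "httpemailheader");
        this.httpExternalIdHeader = config.getString(SECTION, null, "httpexternalidheader");
        this.loginUrl = config.getString(SECTION, null, "loginurl");
        this.loginText = config.getString(SECTION, null, "logintext");
        this.logoutUrl = config.getString(SECTION, null, "logouturl");
        this.switchAccountUrl = config.getString(SECTION, null, "switchAccountUrl");
        this.editFullNameUrl = config.getString(SECTION, null, "editFullNameUrl");
        this.httpPasswordUrl = config.getString(SECTION, null, "httpPasswordUrl");
        this.registerPageUrl = config.getString(SECTION, null, "registerPageUrl");
        this.registerUrl = config.getString(SECTION, null, "registerUrl");
        this.registerText = config.getString(SECTION, null, "registerText");
        this.openIdSsoUrl = config.getString(SECTION, null, "openidssourl");
        // Arrays.asList alone is a writable view (set() works); wrap it so callers of
        // getOpenIdDomains() cannot alter the configured domain list of this singleton.
        this.openIdDomains =
                Collections.unmodifiableList(
                        Arrays.asList(config.getStringList(SECTION, null, "openIdDomain")));
        this.trustedOpenIDs = toPatterns(config, "trustedOpenID");
        this.allowedOpenIDs = toPatterns(config, "allowedOpenID");
        this.cookiePath = config.getString(SECTION, null, "cookiepath");
        this.cookieDomain = config.getString(SECTION, null, "cookiedomain");
        this.cookieSecure = config.getBoolean(SECTION, "cookiesecure", false);
        this.trustContainerAuth = config.getBoolean(SECTION, "trustContainerAuth", false);
        this.enableRunAs = config.getBoolean(SECTION, null, "enableRunAs", true);
        // Must run after authType is assigned: the default policy is derived from it.
        this.gitBasicAuthPolicy = getBasicAuthPolicy(config);
        this.useContributorAgreements = config.getBoolean(SECTION, "contributoragreements", false);
        this.userNameToLowerCase = config.getBoolean(SECTION, "userNameToLowerCase", false);
        this.allowRegisterNewEmail = config.getBoolean(SECTION, "allowRegisterNewEmail", true);

        // Fail fast on policy/type combinations that cannot work together.
        boolean ldapType = this.authType == AuthType.LDAP || this.authType == AuthType.LDAP_BIND;
        if (this.gitBasicAuthPolicy == GitBasicAuthPolicy.HTTP_LDAP && !ldapType) {
            throw new IllegalStateException("use auth.gitBasicAuthPolicy HTTP_LDAP only with auth.type LDAP or LDAP_BIND");
        }
        if (this.gitBasicAuthPolicy == GitBasicAuthPolicy.OAUTH && this.authType != AuthType.OAUTH) {
            throw new IllegalStateException("use auth.gitBasicAuthPolicy OAUTH only with auth.type OAUTH");
        }

        // The private key is a secret: it is handed to SignedToken only and never stored or
        // logged here.
        String emailKey = config.getString(SECTION, null, "registerEmailPrivateKey");
        if (emailKey == null || emailKey.isEmpty()) {
            this.emailReg = null;
        } else {
            long maxAgeSeconds =
                    ConfigUtil.getTimeUnit(
                            config,
                            SECTION,
                            null,
                            "maxRegisterEmailTokenAge",
                            TimeUnit.SECONDS.convert(12L, TimeUnit.HOURS),
                            TimeUnit.SECONDS);
            // A plain (int) cast would wrap an oversized lifetime into an arbitrary (possibly
            // zero or negative) value; saturate instead so the token age stays monotonic with
            // the configured value.
            this.emailReg = new SignedToken(clampToInt(maxAgeSeconds), emailKey);
        }
    }

    /** Narrows {@code value} to {@code int}, saturating at the int range instead of wrapping. */
    private static int clampToInt(long value) {
        return (int) Math.max(Integer.MIN_VALUE, Math.min(Integer.MAX_VALUE, value));
    }

    /**
     * Builds the OpenID provider patterns configured under {@code auth.<name>}.
     *
     * <p>When the key has no values, the patterns {@code "http://"} and {@code "https://"} are
     * used instead.
     *
     * @param config the server configuration to read from
     * @param str the key name inside the {@code auth} section
     * @return an unmodifiable list with one pattern per configured (or default) value
     */
    private static List<OpenIdProviderPattern> toPatterns(Config config, String str) {
        String[] configured = config.getStringList(SECTION, null, str);
        if (configured.length == 0) {
            configured = new String[] {"http://", "https://"};
        }
        List<OpenIdProviderPattern> patterns = new ArrayList<>(configured.length);
        for (String pattern : configured) {
            patterns.add(OpenIdProviderPattern.create(pattern));
        }
        return Collections.unmodifiableList(patterns);
    }

    /** Reads {@code auth.type}, defaulting to {@link AuthType#OPENID} when unset. */
    private static AuthType toType(Config config) {
        return config.getEnum(SECTION, null, "type", AuthType.OPENID);
    }

    /**
     * Reads {@code auth.gitBasicAuthPolicy}. The default depends on the auth type: {@code LDAP}
     * for LDAP types, {@code OAUTH} for OAuth, {@code HTTP} otherwise.
     */
    private GitBasicAuthPolicy getBasicAuthPolicy(Config config) {
        GitBasicAuthPolicy fallback;
        if (isLdapAuthType()) {
            fallback = GitBasicAuthPolicy.LDAP;
        } else if (isOAuthType()) {
            fallback = GitBasicAuthPolicy.OAUTH;
        } else {
            fallback = GitBasicAuthPolicy.HTTP;
        }
        return config.getEnum(SECTION, null, "gitBasicAuthPolicy", fallback);
    }

    /** Returns the configured authentication type. */
    public AuthType getAuthType() {
        return this.authType;
    }

    /** Returns the value of {@code auth.httpheader}, or {@code null} when unset. */
    public String getLoginHttpHeader() {
        return this.httpHeader;
    }

    /** Returns the value of {@code auth.httpdisplaynameheader}, or {@code null} when unset. */
    public String getHttpDisplaynameHeader() {
        return this.httpDisplaynameHeader;
    }

    /** Returns the value of {@code auth.httpemailheader}, or {@code null} when unset. */
    public String getHttpEmailHeader() {
        return this.httpEmailHeader;
    }

    /** Returns the value of {@code auth.httpexternalidheader}, or {@code null} when unset. */
    public String getHttpExternalIdHeader() {
        return this.httpExternalIdHeader;
    }

    /** Returns the value of {@code auth.loginurl}, or {@code null} when unset. */
    public String getLoginUrl() {
        return this.loginUrl;
    }

    /** Returns the value of {@code auth.logintext}, or {@code null} when unset. */
    public String getLoginText() {
        return this.loginText;
    }

    /** Returns the value of {@code auth.logouturl}, or {@code null} when unset. */
    public String getLogoutURL() {
        return this.logoutUrl;
    }

    /** Returns the value of {@code auth.switchAccountUrl}, or {@code null} when unset. */
    public String getSwitchAccountUrl() {
        return this.switchAccountUrl;
    }

    /** Returns the value of {@code auth.editFullNameUrl}, or {@code null} when unset. */
    public String getEditFullNameUrl() {
        return this.editFullNameUrl;
    }

    /** Returns the value of {@code auth.httpPasswordUrl}, or {@code null} when unset. */
    public String getHttpPasswordUrl() {
        return this.httpPasswordUrl;
    }

    /** Returns the value of {@code auth.openidssourl}, or {@code null} when unset. */
    public String getOpenIdSsoUrl() {
        return this.openIdSsoUrl;
    }

    /** Returns the unmodifiable list of {@code auth.openIdDomain} values; empty when unset. */
    public List<String> getOpenIdDomains() {
        return this.openIdDomains;
    }

    /** Returns the value of {@code auth.cookiepath}, or {@code null} when unset. */
    public String getCookiePath() {
        return this.cookiePath;
    }

    /** Returns the value of {@code auth.cookiedomain}, or {@code null} when unset. */
    public String getCookieDomain() {
        return this.cookieDomain;
    }

    /** Returns the value of {@code auth.cookiesecure}; {@code false} when unset. */
    public boolean getCookieSecure() {
        return this.cookieSecure;
    }

    /**
     * Returns the token signer for e-mail registration, or {@code null} when
     * {@code auth.registerEmailPrivateKey} is unset or empty. Callers must handle {@code null}.
     */
    public SignedToken getEmailRegistrationToken() {
        return this.emailReg;
    }

    /** Returns the unmodifiable list of patterns built from {@code auth.allowedOpenID}. */
    public List<OpenIdProviderPattern> getAllowedOpenIDs() {
        return this.allowedOpenIDs;
    }

    /** Returns the value of {@code auth.trustContainerAuth}; {@code false} when unset. */
    public boolean isTrustContainerAuth() {
        return this.trustContainerAuth;
    }

    /** Returns the value of {@code auth.enableRunAs}; {@code true} when unset. */
    public boolean isRunAsEnabled() {
        return this.enableRunAs;
    }

    /** Returns the value of {@code auth.userNameToLowerCase}; {@code false} when unset. */
    public boolean isUserNameToLowerCase() {
        return this.userNameToLowerCase;
    }

    /** Returns the effective Git basic-auth policy (configured value or type-derived default). */
    public GitBasicAuthPolicy getGitBasicAuthPolicy() {
        return this.gitBasicAuthPolicy;
    }

    /** Returns the value of {@code auth.contributoragreements}; {@code false} when unset. */
    public boolean isUseContributorAgreements() {
        return this.useContributorAgreements;
    }

    /**
     * Decides whether a set of external identities counts as trusted under the configured auth
     * type.
     *
     * <p>Every auth type except {@code OPENID} is trusted unconditionally, including
     * {@code DEVELOPMENT_BECOME_ANY_ACCOUNT} (NOTE(review): by its name a development-only mode;
     * confirm it is never enabled on a production site). For {@code OPENID}, every identity must
     * pass {@link #isTrusted(ExternalId)}; an empty collection is therefore trusted. Auth types
     * not listed in the switch are not trusted.
     *
     * @param collection the external identities of one account
     * @return {@code true} if the identities are trusted
     */
    public boolean isIdentityTrustable(Collection<ExternalId> collection) {
        switch (getAuthType()) {
            case DEVELOPMENT_BECOME_ANY_ACCOUNT:
            case HTTP:
            case HTTP_LDAP:
            case LDAP:
            case LDAP_BIND:
            case CLIENT_SSL_CERT_LDAP:
            case CUSTOM_EXTENSION:
            case OAUTH:
            case OPENID_SSO:
                return true;
            case OPENID:
                // One untrusted identity is enough to distrust the whole account.
                for (ExternalId externalId : collection) {
                    if (!isTrusted(externalId)) {
                        return false;
                    }
                }
                return true;
            default:
                // Fail closed for auth types this class does not know about.
                return false;
        }
    }

    /**
     * Checks one identity against the trusted OpenID patterns.
     *
     * <p>Identities with the {@code mailto}, {@code uuid} or {@code username} scheme are accepted
     * without consulting {@code auth.trustedOpenID}; all others must match at least one pattern.
     */
    private boolean isTrusted(ExternalId externalId) {
        if (externalId.isScheme(ExternalId.SCHEME_MAILTO) || externalId.isScheme("uuid") || externalId.isScheme("username")) {
            return true;
        }
        for (OpenIdProviderPattern pattern : this.trustedOpenIDs) {
            if (pattern.matches(externalId)) {
                return true;
            }
        }
        return false;
    }

    /** Returns the value of {@code auth.registerPageUrl}, or {@code null} when unset. */
    public String getRegisterPageUrl() {
        return this.registerPageUrl;
    }

    /** Returns the value of {@code auth.registerUrl}, or {@code null} when unset. */
    public String getRegisterUrl() {
        return this.registerUrl;
    }

    /** Returns the value of {@code auth.registerText}, or {@code null} when unset. */
    public String getRegisterText() {
        return this.registerText;
    }

    /** Returns {@code true} when the auth type is {@code LDAP} or {@code LDAP_BIND}. */
    public boolean isLdapAuthType() {
        return this.authType == AuthType.LDAP || this.authType == AuthType.LDAP_BIND;
    }

    /** Returns {@code true} when the auth type is {@code OAUTH}. */
    public boolean isOAuthType() {
        return this.authType == AuthType.OAUTH;
    }

    /** Returns the value of {@code auth.allowRegisterNewEmail}; {@code true} when unset. */
    public boolean isAllowRegisterNewEmail() {
        return this.allowRegisterNewEmail;
    }
}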
