package com.google.gerrit.httpd.auth.openid;

import com.google.common.base.MoreObjects;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.UnmodifiableIterator;
import com.google.common.flogger.FluentLogger;
import com.google.gerrit.common.Nullable;
import com.google.gerrit.common.PageLinks;
import com.google.gerrit.common.auth.openid.OpenIdUrls;
import com.google.gerrit.extensions.auth.oauth.OAuthServiceProvider;
import com.google.gerrit.extensions.client.AuthType;
import com.google.gerrit.extensions.registration.DynamicMap;
import com.google.gerrit.extensions.restapi.Url;
import com.google.gerrit.httpd.HtmlDomUtil;
import com.google.gerrit.httpd.LoginUrlToken;
import com.google.gerrit.httpd.template.SiteHeaderFooter;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.config.AuthConfig;
import com.google.gerrit.server.config.CanonicalWebUrl;
import com.google.gerrit.server.config.GerritServerConfig;
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.Singleton;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Collection;
import java.util.HashSet;
import java.util.Map;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.sshd.client.config.keys.ClientIdentity;
import org.eclipse.jgit.lib.Config;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

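/**
 * Servlet that renders the OpenID sign-in form and starts a login with the selected provider.
 *
 * <p>When the site runs in {@code OPENID_SSO} mode ({@code ssoUrl != null}) a GET goes straight to
 * discovery against the configured SSO URL. Otherwise the request-supplied {@code id} parameter
 * selects either an OpenID provider or an OAuth provider registered by a plugin; in both cases the
 * identifier must first pass {@link OpenIdServiceImpl#isAllowedOpenID}.
 *
 * <p>Points a security reviewer should keep in mind:
 *
 * <ul>
 *   <li>{@code id}, the URL token, the server name and the last-id cookie all come from the
 *       request. They are written into the page only through DOM setters ({@code setAttribute},
 *       {@code setTextContent}); correct escaping therefore relies on how {@code
 *       HtmlDomUtil.toUTF8} serialises the document (not visible here, confirm).
 *   <li>A GET that carries {@code id} is processed exactly like a POST, so a login attempt can be
 *       started by following a link.
 *   <li>An identifier without a scheme is completed with {@code http://}, not {@code https://}.
 * </ul>
 */
@Singleton
/* loaded from: input_file:com/google/gerrit/httpd/auth/openid/LoginForm.class */
class LoginForm extends HttpServlet {
    private static final long serialVersionUID = 1L;
    private static final FluentLogger logger = FluentLogger.forEnclosingClass();

    /** Built-in providers that may be suggested on the form, keyed by the suffix used in element ids. */
    private static final ImmutableMap<String, String> ALL_PROVIDERS = ImmutableMap.of("launchpad", OpenIdUrls.URL_LAUNCHPAD, "yahoo", OpenIdUrls.URL_YAHOO);

    private final ImmutableSet<String> suggestProviders;
    private final Provider<String> urlProvider;
    private final Provider<OAuthSessionOverOpenID> oauthSessionProvider;
    private final OpenIdServiceImpl impl;
    private final int maxRedirectUrlLength;
    private final String ssoUrl;
    private final SiteHeaderFooter header;
    private final Provider<CurrentUser> currentUserProvider;
    private final DynamicMap<OAuthServiceProvider> oauthServiceProviders;

    /**
     * Wires the servlet and decides which built-in providers are suggested.
     *
     * <p>A missing canonical web URL is only logged at severe level; construction still succeeds.
     *
     * @param urlProvider canonical web URL of the site; may be {@code null}
     * @param config server configuration, read for {@code openid.maxRedirectUrlLength}
     * @param authConfig authentication settings; decides between SSO and provider-choice mode
     * @param impl OpenID service used for policy checks and discovery
     * @param header template loader for {@code LoginForm.html}
     * @param oauthSessionProvider per-request OAuth session
     * @param currentUserProvider per-request current user
     * @param oauthServiceProviders OAuth providers contributed by plugins
     */
    @Inject
    LoginForm(@CanonicalWebUrl @Nullable Provider<String> urlProvider, @GerritServerConfig Config config, AuthConfig authConfig, OpenIdServiceImpl impl, SiteHeaderFooter header, Provider<OAuthSessionOverOpenID> oauthSessionProvider, Provider<CurrentUser> currentUserProvider, DynamicMap<OAuthServiceProvider> oauthServiceProviders) {
        this.urlProvider = urlProvider;
        this.impl = impl;
        this.header = header;
        // With the default of 10 practically every provider URL exceeds the limit, so redirect()
        // falls back to the HTML form unless the site raises this value.
        this.maxRedirectUrlLength = config.getInt("openid", "maxRedirectUrlLength", 10);
        this.oauthSessionProvider = oauthSessionProvider;
        this.currentUserProvider = currentUserProvider;
        this.oauthServiceProviders = oauthServiceProviders;

        if (urlProvider == null || Strings.isNullOrEmpty(urlProvider.get())) {
            logger.atSevere().log("gerrit.canonicalWebUrl must be set in gerrit.config");
        }

        if (authConfig.getAuthType() == AuthType.OPENID_SSO) {
            // Single sign-on: exactly one provider, nothing to suggest.
            this.suggestProviders = ImmutableSet.of();
            this.ssoUrl = authConfig.getOpenIdSsoUrl();
        } else {
            // Suggest only the built-in providers that site policy allows.
            ImmutableSet.Builder<String> allowed = ImmutableSet.builder();
            for (Map.Entry<String, String> known : ALL_PROVIDERS.entrySet()) {
                if (impl.isAllowedOpenID(known.getValue())) {
                    allowed.add(known.getKey());
                }
            }
            this.suggestProviders = allowed.build();
            this.ssoUrl = null;
        }
    }

    /**
     * Shows the form, or starts a login when enough information is already present.
     *
     * <p>Without SSO, a non-blank {@code id} parameter makes this behave exactly like {@link
     * #doPost}; note that this lets a plain link initiate a login attempt. With SSO, discovery is
     * started against {@code ssoUrl} immediately.
     *
     * @throws IOException if writing the response fails
     */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse rsp) throws IOException {
        if (ssoUrl == null) {
            String id = Strings.nullToEmpty(req.getParameter("id")).trim();
            if (id.isEmpty()) {
                sendForm(req, rsp, req.getParameter("link") != null, null);
            } else {
                doPost(req, rsp);
            }
            return;
        }

        String token = LoginUrlToken.getToken(req);
        SignInMode mode;
        if (PageLinks.REGISTER.equals(token)) {
            mode = SignInMode.REGISTER;
            token = "/";
        } else {
            mode = SignInMode.SIGN_IN;
        }
        discover(req, rsp, false, ssoUrl, false, token, mode);
    }

    /**
     * Validates the submitted identifier and hands off to OpenID discovery or an OAuth login.
     *
     * <p>The identifier is rejected with the form and an error message unless it equals {@code
     * ssoUrl} (when SSO is configured) and passes {@code isAllowedOpenID}. This policy check runs
     * before the OAuth lookup, so plugin provider ids are subject to it as well.
     *
     * <p>For an OAuth provider the login is only started when the request URI looks like a Gerrit
     * login URL or the session reports the final OAuth step; otherwise the method returns without
     * writing a response.
     *
     * @throws IOException if writing the response fails
     */
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse rsp) throws IOException {
        boolean link = req.getParameter("link") != null;
        String id = Strings.nullToEmpty(req.getParameter("id")).trim();
        if (id.isEmpty()) {
            sendForm(req, rsp, link, null);
            return;
        }

        // Scheme-less identifiers default to plain http. lookupOAuthServiceProvider() strips this
        // same prefix again, so the two must stay in sync.
        if (!id.startsWith("http://") && !id.startsWith("https://")) {
            id = "http://" + id;
        }

        boolean ssoMismatch = ssoUrl != null && !ssoUrl.equals(id);
        if (ssoMismatch || !impl.isAllowedOpenID(id)) {
            sendForm(req, rsp, link, "OpenID provider not permitted by site policy.");
            return;
        }

        boolean remember = "1".equals(req.getParameter("rememberme"));
        String token = LoginUrlToken.getToken(req);
        SignInMode mode;
        if (link) {
            mode = SignInMode.LINK_IDENTIY;
        } else if (PageLinks.REGISTER.equals(token)) {
            mode = SignInMode.REGISTER;
            token = "/";
        } else {
            mode = SignInMode.SIGN_IN;
        }
        logger.atFine().log("mode \"%s\"", mode);

        OAuthServiceProvider oauthProvider = lookupOAuthServiceProvider(id);
        if (oauthProvider == null) {
            // id is request-supplied and is logged as given.
            logger.atFine().log("OpenId provider \"%s\"", id);
            discover(req, rsp, link, id, remember, token, mode);
            return;
        }

        logger.atFine().log("OAuth provider \"%s\"", id);
        OAuthSessionOverOpenID oauthSession = oauthSessionProvider.get();
        // Drop an OAuth session that is logged in while the current user is not identified.
        if (!currentUserProvider.get().isIdentifiedUser() && oauthSession.isLoggedIn()) {
            oauthSession.logout();
        }
        if (isGerritLogin(req) || oauthSession.isOAuthFinal(req)) {
            oauthSession.setServiceProvider(oauthProvider);
            oauthSession.setLinkMode(link);
            oauthSession.login(req, rsp, oauthProvider);
        }
    }

    /**
     * Runs OpenID discovery and either redirects to the provider or re-shows the form with an error.
     *
     * <p>{@code remember} is forced to {@code false} when SSO is configured. A discovery status
     * other than {@code VALID}, {@code NO_PROVIDER} or {@code ERROR} produces no response.
     *
     * @param link whether the identity is being linked to an existing account
     * @param id OpenID identifier to discover
     * @param remember value of the "remember me" choice
     * @param token URL token passed through to discovery
     * @param mode sign-in mode passed through to discovery
     * @throws IOException if writing the response fails
     */
    private void discover(HttpServletRequest req, HttpServletResponse rsp, boolean link, String id, boolean remember, String token, SignInMode mode) throws IOException {
        if (ssoUrl != null) {
            remember = false;
        }
        DiscoveryResult result = impl.discover(req, id, mode, remember, token);
        switch (result.status) {
            case VALID:
                redirect(result, rsp);
                return;
            case NO_PROVIDER:
                sendForm(req, rsp, link, "Provider is not supported, or was incorrectly entered.");
                return;
            case ERROR:
                sendForm(req, rsp, link, "Unable to connect with OpenID provider.");
                return;
            default:
                return;
        }
    }

    /**
     * Sends the browser to the discovered provider.
     *
     * <p>If the URL including the encoded arguments fits in {@code maxRedirectUrlLength} an HTTP
     * redirect is used; otherwise {@code RedirectForm.html} is filled with the provider URL as
     * form action and one hidden input per argument.
     *
     * @throws IOException if writing the response fails
     */
    private void redirect(DiscoveryResult result, HttpServletResponse rsp) throws IOException {
        boolean hasArgs = result.providerArgs != null && !result.providerArgs.isEmpty();

        StringBuilder url = new StringBuilder();
        url.append(result.providerUrl);
        if (hasArgs) {
            // '?' is appended even if providerUrl already carries a query string.
            char separator = '?';
            for (Map.Entry<String, String> arg : result.providerArgs.entrySet()) {
                url.append(separator);
                separator = '&';
                url.append(Url.encode(arg.getKey())).append('=').append(Url.encode(arg.getValue()));
            }
        }
        if (url.length() <= maxRedirectUrlLength) {
            rsp.sendRedirect(url.toString());
            return;
        }

        Document doc = HtmlDomUtil.parseFile(LoginForm.class, "RedirectForm.html");
        Element form = HtmlDomUtil.find(doc, "redirect_form");
        form.setAttribute("action", result.providerUrl);
        if (hasArgs) {
            for (Map.Entry<String, String> arg : result.providerArgs.entrySet()) {
                // Raw (unencoded) values go into attributes; the DOM serialiser must escape them.
                Element input = doc.createElement("input");
                input.setAttribute("type", "hidden");
                input.setAttribute("name", arg.getKey());
                input.setAttribute("value", arg.getValue());
                form.appendChild(input);
            }
        }
        sendHtml(rsp, doc);
    }

    /**
     * Fills {@code LoginForm.html} and sends it.
     *
     * @param link whether the form is shown to link an identity; keeps the {@code f_link} element
     *     unless SSO is configured
     * @param errorMessage text for the {@code error_message} element, or {@code null}/empty to
     *     remove that element
     * @throws IOException if writing the response fails
     */
    private void sendForm(HttpServletRequest req, HttpServletResponse rsp, boolean link, @Nullable String errorMessage) throws IOException {
        String self = req.getRequestURI();
        String base = MoreObjects.firstNonNull(urlProvider != null ? urlProvider.get() : "/", "/");
        // NOTE(review): the token comes from the request URL. Confirm that
        // LoginUrlToken.getToken() cannot return a value that makes this link leave the site,
        // in particular when the canonical URL is unset and base is just "/".
        String cancel = base + LoginUrlToken.getToken(req);

        Document doc = header.parse(LoginForm.class, "LoginForm.html");
        // Server name is taken from the request and inserted as text, not markup.
        HtmlDomUtil.find(doc, "hostName").setTextContent(req.getServerName());
        HtmlDomUtil.find(doc, "login_form").setAttribute("action", self);
        HtmlDomUtil.find(doc, "cancel_link").setAttribute("href", cancel);

        if (!link || ssoUrl != null) {
            Element linkField = HtmlDomUtil.find(doc, "f_link");
            linkField.getParentNode().removeChild(linkField);
        }

        // Pre-fill the identifier field from the cookie; the value is client-controlled.
        String lastId = getLastId(req);
        if (lastId != null) {
            HtmlDomUtil.find(doc, "f_openid").setAttribute("value", lastId);
        }

        Element error = HtmlDomUtil.find(doc, "error_message");
        if (Strings.isNullOrEmpty(errorMessage)) {
            error.getParentNode().removeChild(error);
        } else {
            error.setTextContent(errorMessage);
        }

        for (String name : ALL_PROVIDERS.keySet()) {
            Element providerDiv = HtmlDomUtil.find(doc, "provider_" + name);
            if (providerDiv == null) {
                continue;
            }
            if (!suggestProviders.contains(name)) {
                providerDiv.getParentNode().removeChild(providerDiv);
                continue;
            }
            // NOTE(review): ClientIdentity.ID_FILE_PREFIX belongs to the SSH client library and
            // appears unrelated to HTML element ids; this looks like a decompiler constant
            // substitution. Confirm the intended literal against LoginForm.html and replace it
            // so the login servlet does not depend on that library.
            Element anchor = HtmlDomUtil.find(providerDiv, ClientIdentity.ID_FILE_PREFIX + name);
            if (anchor == null) {
                providerDiv.getParentNode().removeChild(providerDiv);
                continue;
            }
            // Make the template's relative href absolute against this servlet's URI.
            StringBuilder href = new StringBuilder();
            href.append(self).append(anchor.getAttribute("href"));
            if (link) {
                href.append("&link");
            }
            anchor.setAttribute("href", href.toString());
        }

        Element providers = HtmlDomUtil.find(doc, "providers");
        for (String pluginName : oauthServiceProviders.plugins()) {
            for (Map.Entry<String, Provider<OAuthServiceProvider>> export : oauthServiceProviders.byPlugin(pluginName).entrySet()) {
                addProvider(providers, link, pluginName, export.getKey(), export.getValue().get().getName());
            }
        }
        sendHtml(rsp, doc);
    }

    /**
     * Serialises the document as UTF-8 HTML and writes it with status 401.
     *
     * <p>Every page sent through here uses 401, the redirect form included.
     *
     * @throws IOException if writing the response fails
     */
    private void sendHtml(HttpServletResponse rsp, Document doc) throws IOException {
        byte[] body = HtmlDomUtil.toUTF8(doc);
        rsp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        rsp.setContentType("text/html");
        rsp.setCharacterEncoding(StandardCharsets.UTF_8.name());
        rsp.setContentLength(body.length);
        try (ServletOutputStream out = rsp.getOutputStream()) {
            out.write(body);
        }
    }

    /**
     * Appends a link for one plugin-provided OAuth provider to the given container element.
     *
     * <p>The link's {@code id} query value is {@code <plugin>_<export>}, the same form that {@link
     * #lookupOAuthServiceProvider} matches against. The names are inserted without URL encoding.
     *
     * @param container element that receives the new {@code div}
     * @param link whether {@code &link} is appended to the href
     * @param pluginName name of the contributing plugin
     * @param exportName export name of the provider within the plugin; also used as the div id
     * @param displayName provider name shown to the user
     */
    private static void addProvider(Element container, boolean link, String pluginName, String exportName, String displayName) {
        Document owner = container.getOwnerDocument();

        Element div = owner.createElement("div");
        div.setAttribute("id", exportName);

        StringBuilder href = new StringBuilder(String.format("?id=%s_%s", pluginName, exportName));
        if (link) {
            href.append("&link");
        }
        Element anchor = owner.createElement("a");
        anchor.setAttribute("href", href.toString());
        anchor.setTextContent(displayName + " (" + pluginName + " plugin)");

        div.appendChild(anchor);
        container.appendChild(div);
    }

    /**
     * Finds the plugin OAuth provider whose {@code <plugin>_<export>} id equals the identifier.
     *
     * <p>A leading {@code http://} (as added by {@link #doPost}) is removed before comparing; an
     * {@code https://} prefix is not.
     *
     * @return the matching provider, or {@code null} if the identifier names no OAuth provider
     */
    private OAuthServiceProvider lookupOAuthServiceProvider(String id) {
        String bareId = id.startsWith("http://") ? id.substring("http://".length()) : id;
        for (String pluginName : oauthServiceProviders.plugins()) {
            for (Map.Entry<String, Provider<OAuthServiceProvider>> export : oauthServiceProviders.byPlugin(pluginName).entrySet()) {
                if (bareId.equals(String.format("%s_%s", pluginName, export.getKey()))) {
                    return export.getValue().get();
                }
            }
        }
        return null;
    }

    /**
     * Returns the value of the last-id cookie, or {@code null} if the request does not carry it.
     *
     * <p>The value is whatever the client sent; callers must treat it as untrusted.
     */
    private static String getLastId(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (OpenIdUrls.LASTID_COOKIE.equals(cookie.getName())) {
                return cookie.getValue();
            }
        }
        return null;
    }

    /**
     * Reports whether the request URI contains {@code /login}.
     *
     * <p>This is a substring match anywhere in the URI, not a check of the servlet path.
     */
    private static boolean isGerritLogin(HttpServletRequest req) {
        return req.getRequestURI().contains("/login");
    }
}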
