package com.google.gerrit.httpd;

import com.google.gerrit.common.Nullable;
import com.google.gerrit.extensions.registration.DynamicItem;
import com.google.gerrit.server.AccessPath;
import com.google.gerrit.server.account.AccountCache;
import com.google.gerrit.server.account.AccountState;
import com.google.gerrit.server.config.GerritServerConfig;
import com.google.gwtjsonrpc.server.SignedToken;
import com.google.gwtjsonrpc.server.XsrfException;
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.Singleton;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import org.eclipse.jgit.lib.Config;

/* JADX INFO: Access modifiers changed from: package-private */
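@Singleton
/**
 * Servlet filter implementing HTTP Digest authentication (RFC 2617, {@code qop="auth"}) against
 * the account password held in {@link AccountCache}.
 *
 * <p>Requests without a {@code Authorization: Digest ...} header pass through untouched. Requests
 * carrying one are either authenticated (the {@link WebSession} is bound to the account and the
 * GIT and REST_API access paths are enabled) or answered with an error status. Whenever a 401 is
 * written through the wrapped response, a {@code WWW-Authenticate: Digest ...} challenge with a
 * freshly signed nonce is attached; nonces are signed with {@link SignedToken} and expire after one
 * hour, after which the challenge is repeated with {@code stale=true}.
 *
 * <p>MD5 is used because the Digest scheme itself prescribes it; it is not a general-purpose
 * password hash here.
 */
public class ProjectDigestFilter implements Filter {
    /** Realm announced in the challenge; an {@code Authorization} header naming another realm is rejected. */
    public static final String REALM_NAME = "Gerrit Code Review";
    private static final String AUTHORIZATION = "Authorization";
    private static final String DIGEST_PREFIX = "Digest ";
    private static final String QOP_AUTH = "auth";

    // Status codes written by this filter (values as in javax.servlet.http.HttpServletResponse).
    private static final int UNAUTHORIZED = 401;
    private static final int FORBIDDEN = 403;
    private static final int SERVER_ERROR = 500;

    /** Lower-case hex alphabet; RFC 2617 requires lower-case hex in the digest fields. */
    private static final char[] LHEX = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};

    private final Provider<String> urlProvider;
    private final DynamicItem<WebSession> session;
    private final AccountCache accountCache;
    private final Config config;
    /** Signs and validates nonces; a nonce older than one hour no longer validates and is reported as stale. */
    private final SignedToken tokens = new SignedToken((int) TimeUnit.HOURS.toSeconds(1));
    private ServletContext context;

    /**
     * Response wrapper that attaches a {@code WWW-Authenticate: Digest} challenge whenever a 401
     * status is written and removes any leftover challenge for every other status.
     */
    public class Response extends HttpServletResponseWrapper {
        private static final String WWW_AUTHENTICATE = "WWW-Authenticate";
        private final HttpServletRequest req;
        /** When non-null, emitted as {@code stale=<value>}; {@link #verify} sets it after a nonce expiry. */
        Boolean stale;

        Response(HttpServletRequest req, HttpServletResponse res) {
            super(res);
            this.req = req;
        }

        /** Keeps the challenge header consistent with the status about to be written. */
        private void status(int sc) {
            if (sc != UNAUTHORIZED) {
                // A challenge only makes sense on a 401; drop one left over from an earlier status.
                if (containsHeader(WWW_AUTHENTICATE)) {
                    setHeader(WWW_AUTHENTICATE, null);
                }
                return;
            }
            setHeader(WWW_AUTHENTICATE, challenge());
        }

        /** Builds the {@code Digest realm=... [domain=...] qop="auth" [stale=...] nonce=...} challenge. */
        private String challenge() {
            StringBuilder v = new StringBuilder();
            v.append("Digest");
            v.append(" realm=\"").append(REALM_NAME).append("\"");

            // Prefer the canonical web URL; fall back to the context path with a trailing slash.
            // The provider is injected @Nullable, so guard the provider itself as well as its value.
            String domain = urlProvider != null ? urlProvider.get() : null;
            if (domain == null) {
                domain = req.getContextPath();
                if (domain != null && !domain.isEmpty() && !domain.endsWith("/")) {
                    domain = domain + "/";
                }
            }
            if (domain != null && !domain.isEmpty()) {
                v.append(", domain=\"").append(domain).append("\"");
            }

            v.append(", qop=\"").append(QOP_AUTH).append("\"");
            if (stale != null) {
                v.append(", stale=").append(stale);
            }
            v.append(", nonce=\"").append(newNonce()).append("\"");
            return v.toString();
        }

        @Override
        public void sendError(int sc, String msg) throws IOException {
            status(sc);
            super.sendError(sc, msg);
        }

        @Override
        public void sendError(int sc) throws IOException {
            status(sc);
            super.sendError(sc);
        }

        @Override
        @Deprecated
        public void setStatus(int sc, String msg) {
            status(sc);
            super.setStatus(sc, msg);
        }

        @Override
        public void setStatus(int sc) {
            status(sc);
            super.setStatus(sc);
        }
    }

    /**
     * @param provider supplies the canonical web URL used as the challenge {@code domain}; may be
     *     absent or yield {@code null}, in which case the request's context path is used instead
     * @param session the per-request web session to bind on successful authentication
     * @param accountCache resolves usernames to account state and password
     * @param config server configuration; {@code auth.userNameToLowerCase} is consulted
     * @throws XsrfException if the nonce signing key cannot be initialised
     */
    @Inject
    ProjectDigestFilter(@com.google.gerrit.server.config.CanonicalWebUrl @Nullable Provider<String> provider, DynamicItem<WebSession> session, AccountCache accountCache, @GerritServerConfig Config config) throws XsrfException {
        this.urlProvider = provider;
        this.session = session;
        this.accountCache = accountCache;
        this.config = config;
    }

    @Override
    public void init(FilterConfig filterConfig) {
        this.context = filterConfig.getServletContext();
    }

    @Override
    public void destroy() {
    }

    /** Wraps the response so 401s carry a challenge, then continues the chain only if {@link #verify} allows it. */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        Response rsp = new Response(req, (HttpServletResponse) response);
        if (verify(req, rsp)) {
            chain.doFilter(req, rsp);
        }
    }

    /**
     * Validates a Digest {@code Authorization} header, if present, and binds the session.
     *
     * @return {@code true} if processing may continue (no Digest header, or the digest verified);
     *     {@code false} if an error status has already been written to {@code rsp}
     * @throws IOException if writing the error response fails
     */
    private boolean verify(HttpServletRequest req, Response rsp) throws IOException {
        String hdr = req.getHeader(AUTHORIZATION);
        if (hdr == null || !hdr.startsWith(DIGEST_PREFIX)) {
            // Not Digest authentication; leave the request anonymous for downstream handling.
            return true;
        }

        Map<String, String> p = parseAuthorization(hdr);
        String username = p.get("username");
        String realm = p.get("realm");
        String nonce = p.get("nonce");
        String uri = p.get("uri");
        String response = p.get("response");
        String qop = p.get("qop");
        String nc = p.get("nc");
        String cnonce = p.get("cnonce");
        String method = req.getMethod();

        // RFC 2617 makes nc and cnonce mandatory whenever qop is sent; without them the KD input
        // below would silently contain the text "null", so reject the header outright instead.
        if (username == null || realm == null || nonce == null || uri == null || response == null
                || nc == null || cnonce == null
                || !QOP_AUTH.equals(qop) || !REALM_NAME.equals(realm)) {
            context.log("Invalid header: " + AUTHORIZATION + ": " + hdr);
            rsp.sendError(FORBIDDEN);
            return false;
        }

        // Account lookup may be case-folded; the digest itself must use the username as sent.
        String lookupName = config.getBoolean("auth", "userNameToLowerCase", false)
                ? username.toLowerCase(Locale.US)
                : username;
        AccountState who = accountCache.getByUsername(lookupName);
        if (who == null || !who.getAccount().isActive()) {
            rsp.sendError(UNAUTHORIZED);
            return false;
        }
        String passwd = who.getPassword(lookupName);
        if (passwd == null) {
            rsp.sendError(UNAUTHORIZED);
            return false;
        }

        // RFC 2617 3.2.2.1: response = KD(H(A1), nonce ":" nc ":" cnonce ":" qop ":" H(A2)).
        String a1 = H(username + ":" + realm + ":" + passwd);
        String a2 = H(method + ":" + uri);
        String expected = KD(a1, nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + a2);
        // Constant-time comparison: the response value is attacker-controlled.
        if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), response.getBytes(StandardCharsets.UTF_8))) {
            rsp.sendError(UNAUTHORIZED);
            return false;
        }

        try {
            // Only a nonce we signed, and that has not expired, is accepted; otherwise re-challenge
            // with stale=true so a well-behaved client retries without prompting for credentials.
            if (tokens.checkToken(nonce, "") == null) {
                rsp.stale = true;
                rsp.sendError(UNAUTHORIZED);
                return false;
            }
            WebSession ws = session.get();
            ws.setUserAccountId(who.getAccount().getId());
            ws.setAccessPathOk(AccessPath.GIT, true);
            ws.setAccessPathOk(AccessPath.REST_API, true);
            return true;
        } catch (XsrfException e) {
            context.log("Error validating nonce for digest authentication", e);
            rsp.sendError(SERVER_ERROR);
            return false;
        }
    }

    /** RFC 2617 {@code H(data)}: lower-case hex MD5 of the UTF-8 encoding of {@code data}. */
    private static String H(String data) {
        MessageDigest md = newMD5();
        md.update(data.getBytes(StandardCharsets.UTF_8));
        return LHEX(md.digest());
    }

    /** RFC 2617 {@code KD(secret, data)} = {@code H(secret ":" data)}, computed without building the joined string. */
    private static String KD(String secret, String data) {
        MessageDigest md = newMD5();
        md.update(secret.getBytes(StandardCharsets.UTF_8));
        md.update((byte) ':');
        md.update(data.getBytes(StandardCharsets.UTF_8));
        return LHEX(md.digest());
    }

    /** MD5 is fixed by the Digest scheme; every JRE ships it, so absence is a fatal configuration error. */
    private static MessageDigest newMD5() {
        try {
            return MessageDigest.getInstance("MD5");
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("No MD5 available", e);
        }
    }

    /** Encodes {@code bytes} as lower-case hexadecimal, two characters per byte. */
    private static String LHEX(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(LHEX[(b >>> 4) & 0xf]).append(LHEX[b & 0xf]);
        }
        return sb.toString();
    }

    /**
     * Splits the parameters of a {@code Digest ...} header into a name/value map.
     *
     * <p>Values may be quoted ({@code name="value"}) or bare ({@code name=value}, terminated by a
     * space or comma). Backslash escapes inside quoted values are not interpreted. Any structural
     * problem (missing {@code =}, unterminated quote) yields an empty map, so the caller's
     * null checks reject the header as a whole.
     *
     * @param hdr the full header value, which must start with {@code "Digest "}
     * @return the parsed parameters, or an empty map if the header is malformed
     */
    private static Map<String, String> parseAuthorization(String hdr) {
        Map<String, String> params = new HashMap<>();
        int len = hdr.length();
        int pos = DIGEST_PREFIX.length();

        while (pos < len) {
            // Skip the separator left by the previous parameter, then any whitespace.
            if (hdr.charAt(pos) == ',') {
                pos++;
            }
            while (pos < len && Character.isWhitespace(hdr.charAt(pos))) {
                pos++;
            }

            int eq = hdr.indexOf('=', pos);
            if (eq < 0 || eq + 1 == len) {
                return Collections.emptyMap();
            }
            String name = hdr.substring(pos, eq);

            String value;
            int end;
            if (hdr.charAt(eq + 1) == '"') {
                int closeQuote = hdr.indexOf('"', eq + 2);
                if (closeQuote < 0) {
                    return Collections.emptyMap();
                }
                value = hdr.substring(eq + 2, closeQuote);
                end = closeQuote;
            } else {
                int space = hdr.indexOf(' ', eq + 1);
                int comma = hdr.indexOf(',', eq + 1);
                end = Math.min(space < 0 ? len : space, comma < 0 ? len : comma);
                value = hdr.substring(eq + 1, end);
            }

            pos = end + 1;
            params.put(name, value);
        }
        return params;
    }

    /** Issues a freshly signed nonce for a challenge; used by {@link Response}. */
    public String newNonce() {
        try {
            return tokens.newToken("");
        } catch (XsrfException e) {
            throw new RuntimeException("Cannot generate new nonce", e);
        }
    }
}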
