package com.googlesource.gerrit.plugins.oauth;

import com.google.common.base.CharMatcher;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.gerrit.extensions.annotations.PluginName;
import com.google.gerrit.extensions.auth.oauth.OAuthServiceProvider;
import com.google.gerrit.extensions.auth.oauth.OAuthToken;
import com.google.gerrit.extensions.auth.oauth.OAuthUserInfo;
import com.google.gerrit.extensions.auth.oauth.OAuthVerifier;
import com.google.gerrit.json.OutputFormat;
import com.google.gerrit.server.config.CanonicalWebUrl;
import com.google.gerrit.server.config.PluginConfig;
import com.google.gerrit.server.config.PluginConfigFactory;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.Singleton;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import org.apache.commons.codec.binary.Base64;
import org.scribe.builder.ServiceBuilder;
import org.scribe.model.OAuthRequest;
import org.scribe.model.Response;
import org.scribe.model.Token;
import org.scribe.model.Verb;
import org.scribe.model.Verifier;
import org.scribe.oauth.OAuthService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

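/**
 * Gerrit OAuth provider backed by Google's OAuth2 endpoints.
 *
 * <p>Obtains an access token through the scribe {@link OAuthService}, reads the user's profile
 * from the Google userinfo endpoint and, when one or more {@code domain} values are configured,
 * only accepts accounts whose id_token carries a matching hosted-domain ({@code hd}) claim.
 */
@Singleton
class GoogleOAuthService implements OAuthServiceProvider {
    private static final Logger log = LoggerFactory.getLogger(GoogleOAuthService.class);
    static final String CONFIG_SUFFIX = "-google-oauth";
    private static final String GOOGLE_PROVIDER_PREFIX = "google-oauth:";
    private static final String PROTECTED_RESOURCE_URL = "https://www.googleapis.com/oauth2/v2/userinfo";
    private static final String SCOPE = "email profile";
    private final OAuthService service;
    private final String canonicalWebUrl;
    private final List<String> domains;
    private final boolean useEmailAsUsername;
    private final boolean fixLegacyUserId;

    /**
     * Reads the plugin section {@code <pluginName>-google-oauth} from the Gerrit config and builds
     * the scribe service with the configured client id and secret.
     *
     * @param pluginConfigFactory source of the plugin configuration
     * @param pluginName name of this plugin, used to locate its config section
     * @param urlProvider provider of Gerrit's canonical web URL; the OAuth callback is
     *     {@code <canonicalWebUrl>/oauth}
     */
    @Inject
    GoogleOAuthService(PluginConfigFactory pluginConfigFactory, @PluginName String pluginName, @CanonicalWebUrl Provider<String> urlProvider) {
        PluginConfig cfg = pluginConfigFactory.getFromGerritConfig(pluginName + CONFIG_SUFFIX);
        // Normalise to exactly one trailing slash so the callback URL is stable.
        this.canonicalWebUrl = CharMatcher.is('/').trimTrailingFrom(urlProvider.get()) + "/";
        if (cfg.getBoolean("link-to-existing-openid-accounts", false)) {
            log.warn(String.format("The support for: %s is disconinued", "link-to-existing-openid-accounts"));
        }
        this.fixLegacyUserId = cfg.getBoolean("fix-legacy-user-id", false);
        this.domains = Arrays.asList(cfg.getStringList("domain"));
        this.useEmailAsUsername = cfg.getBoolean("use-email-as-username", false);
        this.service = new ServiceBuilder()
                .provider(Google2Api.class)
                .apiKey(cfg.getString("client-id"))
                .apiSecret(cfg.getString("client-secret"))
                .callback(this.canonicalWebUrl + "oauth")
                .scope(SCOPE)
                .build();
        // Only non-secret settings are logged; the client secret must never be added here.
        if (log.isDebugEnabled()) {
            log.debug("OAuth2: canonicalWebUrl={}", this.canonicalWebUrl);
            log.debug("OAuth2: scope={}", SCOPE);
            log.debug("OAuth2: domains={}", this.domains);
            log.debug("OAuth2: useEmailAsUsername={}", this.useEmailAsUsername);
        }
    }

    /**
     * Fetches the profile of the user the token belongs to and applies the hosted-domain
     * restriction.
     *
     * @param oAuthToken token previously returned by {@link #getAccessToken(OAuthVerifier)}
     * @return the user info, or {@code null} when domains are configured and the token's
     *     {@code hd} claim matches none of them (including when the claim or id_token is missing)
     * @throws IOException if the userinfo request does not return HTTP 200, the body is not a
     *     JSON object, or it lacks an {@code id} field
     */
    @Override
    public OAuthUserInfo getUserInfo(OAuthToken oAuthToken) throws IOException {
        OAuthRequest request = new OAuthRequest(Verb.GET, PROTECTED_RESOURCE_URL);
        this.service.signRequest(new Token(oAuthToken.getToken(), oAuthToken.getSecret(), oAuthToken.getRaw()), request);
        Response response = request.send();
        if (response.getCode() != 200) {
            throw new IOException(String.format("Status %s (%s) for request %s", response.getCode(), response.getBody(), request.getUrl()));
        }
        JsonElement userJson = OutputFormat.JSON.newGson().fromJson(response.getBody(), JsonElement.class);
        // The body holds the user's e-mail and name; it is written only at debug level.
        if (log.isDebugEnabled()) {
            log.debug("User info response: {}", response.getBody());
        }
        // Gson yields null for an empty body; treat that like any other non-object response
        // instead of failing with a NullPointerException.
        if (userJson == null || !userJson.isJsonObject()) {
            throw new IOException(String.format("Invalid JSON '%s': not a JSON Object", userJson));
        }
        JsonObject user = userJson.getAsJsonObject();
        JsonElement idElement = user.get("id");
        if (idElement == null || idElement.isJsonNull()) {
            throw new IOException("Response doesn't contain id field");
        }
        String id = idElement.getAsString();
        String email = asStringOrNull(user.get("email"));
        String displayName = asStringOrNull(user.get("name"));

        if (!this.domains.isEmpty()) {
            // Fail closed: a missing id_token or hd claim yields null, which matches no domain.
            String hostedDomain = retrieveHostedDomain(retrieveJWTToken(oAuthToken));
            boolean allowed = false;
            for (String domain : this.domains) {
                if (domain.equalsIgnoreCase(hostedDomain)) {
                    allowed = true;
                    break;
                }
            }
            if (!allowed) {
                log.error("Error: hosted domain validation failed: {}", Strings.nullToEmpty(hostedDomain));
                return null;
            }
        }

        String username = null;
        if (this.useEmailAsUsername && email != null) {
            // Username is the local part of the address. With several allowed domains (or none
            // configured) two different Google accounts can map to the same local part.
            // NOTE(review): the response's verified_email field is not consulted here - confirm
            // whether that matters for this deployment.
            int at = email.indexOf('@');
            username = at < 0 ? email : email.substring(0, at);
        }
        return new OAuthUserInfo(GOOGLE_PROVIDER_PREFIX + id, username, email, displayName, this.fixLegacyUserId ? id : null);
    }

    /** Returns the element's string value, or {@code null} when it is absent or JSON null. */
    private static String asStringOrNull(JsonElement element) {
        return (element == null || element.isJsonNull()) ? null : element.getAsString();
    }

    /**
     * Extracts the id_token from the raw token response and returns its decoded payload.
     *
     * <p>The JWT is only split and base64-decoded: signature, {@code aud} and {@code exp} are not
     * checked in this class. NOTE(review): the {@code hd} claim is therefore only as trustworthy
     * as the channel the raw response came from; this presumably relies on it having been
     * fetched directly from Google's token endpoint over TLS - confirm that the stored
     * {@link OAuthToken} cannot be supplied or altered by the client.
     *
     * @return the payload as a JSON object, or {@code null} if the raw response has no usable
     *     id_token
     */
    private JsonObject retrieveJWTToken(OAuthToken oAuthToken) {
        JsonElement raw = OutputFormat.JSON.newGson().fromJson(oAuthToken.getRaw(), JsonElement.class);
        if (raw == null || !raw.isJsonObject()) {
            return null;
        }
        JsonElement idToken = raw.getAsJsonObject().get("id_token");
        if (idToken == null || idToken.isJsonNull()) {
            return null;
        }
        String payload = decodePayload(idToken.getAsString());
        if (Strings.isNullOrEmpty(payload)) {
            return null;
        }
        JsonElement claims = OutputFormat.JSON.newGson().fromJson(payload, JsonElement.class);
        // Gson can return null (e.g. whitespace-only payload); guard before dereferencing.
        if (claims != null && claims.isJsonObject()) {
            return claims.getAsJsonObject();
        }
        return null;
    }

    /**
     * Reads the hosted-domain claim from the JWT payload.
     *
     * @param jsonObject decoded JWT payload; may be {@code null} when no id_token was available
     * @return the {@code hd} value, or {@code null} if the payload or the claim is missing
     */
    private static String retrieveHostedDomain(JsonObject jsonObject) {
        // retrieveJWTToken returns null when there is no usable id_token; report "no domain"
        // so the caller rejects the login rather than crashing.
        if (jsonObject == null) {
            log.debug("OAuth2: JWT doesn't contain hd element");
            return null;
        }
        JsonElement hd = jsonObject.get("hd");
        if (hd == null || hd.isJsonNull()) {
            log.debug("OAuth2: JWT doesn't contain hd element");
            return null;
        }
        String hostedDomain = hd.getAsString();
        log.debug("OAuth2: hd={}", hostedDomain);
        return hostedDomain;
    }

    /**
     * Returns the base64-decoded middle segment of a three-part JWT.
     *
     * @throws NullPointerException if {@code str} is null
     * @throws IllegalStateException if the token does not consist of exactly three segments
     */
    private static String decodePayload(String str) {
        Preconditions.checkNotNull(str);
        String[] segments = str.split("\\.");
        Preconditions.checkState(segments.length == 3);
        String payload = segments[1];
        Preconditions.checkNotNull(payload);
        // JWT payloads are UTF-8 JSON; do not depend on the platform default charset.
        return new String(Base64.decodeBase64(payload), StandardCharsets.UTF_8);
    }

    /**
     * Exchanges the authorization code carried by the verifier for an access token.
     *
     * @param oAuthVerifier verifier holding the code returned to the callback URL
     * @return token, secret and raw token response as received from the scribe service
     */
    @Override
    public OAuthToken getAccessToken(OAuthVerifier oAuthVerifier) {
        Token accessToken = this.service.getAccessToken(null, new Verifier(oAuthVerifier.getValue()));
        return new OAuthToken(accessToken.getToken(), accessToken.getSecret(), accessToken.getRawResponse());
    }

    /**
     * Builds the URL the browser is sent to for authorization.
     *
     * <p>When domains are configured an {@code hd} query parameter is appended: the single
     * domain, or {@code *} when there are several. It is appended to the request URL only; the
     * restriction itself is enforced in {@link #getUserInfo(OAuthToken)}.
     * NOTE(review): whether a {@code state} value is part of the URL depends on Google2Api,
     * which is not visible here - confirm CSRF protection for the callback.
     *
     * @throws IllegalArgumentException if UTF-8 encoding is reported as unsupported
     */
    @Override
    public String getAuthorizationUrl() {
        String authorizationUrl = this.service.getAuthorizationUrl(null);
        try {
            if (this.domains.size() == 1) {
                authorizationUrl = authorizationUrl + "&hd=" + URLEncoder.encode(this.domains.get(0), StandardCharsets.UTF_8.name());
            } else if (this.domains.size() > 1) {
                authorizationUrl = authorizationUrl + "&hd=*";
            }
            if (log.isDebugEnabled()) {
                log.debug("OAuth2: authorization URL={}", authorizationUrl);
            }
            return authorizationUrl;
        } catch (UnsupportedEncodingException e) {
            throw new IllegalArgumentException(e);
        }
    }

    /** Returns the OAuth protocol version reported by the underlying scribe service. */
    @Override
    public String getVersion() {
        return this.service.getVersion();
    }

    /** Returns the provider name returned to Gerrit for this service. */
    @Override
    public String getName() {
        return "Google OAuth2";
    }
}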
