package org.sonar.server.authentication;

import com.google.common.base.Preconditions;
import com.google.common.collect.Sets;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Stream;
import javax.annotation.CheckForNull;
import javax.annotation.Nullable;
import org.sonar.api.server.authentication.IdentityProvider;
import org.sonar.api.server.authentication.UserIdentity;
import org.sonar.api.utils.log.Logger;
import org.sonar.api.utils.log.Loggers;
import org.sonar.core.util.stream.MoreCollectors;
import org.sonar.db.DbClient;
import org.sonar.db.DbSession;
import org.sonar.db.organization.OrganizationDto;
import org.sonar.db.user.GroupDto;
import org.sonar.db.user.UserDto;
import org.sonar.db.user.UserGroupDto;
import org.sonar.server.authentication.UserIdentityAuthenticatorParameters;
import org.sonar.server.authentication.event.AuthenticationException;
import org.sonar.server.authentication.exception.EmailAlreadyExistsRedirectionException;
import org.sonar.server.authentication.exception.UpdateLoginRedirectionException;
import org.sonar.server.es.DefaultIndexSettings;
import org.sonar.server.es.EsUtils;
import org.sonar.server.organization.DefaultOrganizationProvider;
import org.sonar.server.organization.OrganizationFlags;
import org.sonar.server.organization.OrganizationUpdater;
import org.sonar.server.user.ExternalIdentity;
import org.sonar.server.user.NewUser;
import org.sonar.server.user.UpdateUser;
import org.sonar.server.user.UserUpdater;
import org.sonar.server.usergroups.DefaultGroupFinder;

/* loaded from: input_file:org/sonar/server/authentication/UserIdentityAuthenticatorImpl.class */
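/**
 * Maps an identity asserted by an external {@link IdentityProvider} onto a local user account.
 *
 * <p>The account is created, updated or reactivated, and its group memberships are optionally
 * aligned with the groups reported by the provider. Every value used here (login, e-mail, name,
 * provider id, groups) is taken from the {@link UserIdentity} as-is, so the outcome is only as
 * trustworthy as the provider that produced it.
 */
public class UserIdentityAuthenticatorImpl implements UserIdentityAuthenticator {
    private static final Logger LOGGER = Loggers.get(UserIdentityAuthenticatorImpl.class);
    private final DbClient dbClient;
    private final UserUpdater userUpdater;
    private final DefaultOrganizationProvider defaultOrganizationProvider;
    private final OrganizationFlags organizationFlags;
    private final OrganizationUpdater organizationUpdater;
    private final DefaultGroupFinder defaultGroupFinder;

    public UserIdentityAuthenticatorImpl(DbClient dbClient, UserUpdater userUpdater, DefaultOrganizationProvider defaultOrganizationProvider, OrganizationFlags organizationFlags, OrganizationUpdater organizationUpdater, DefaultGroupFinder defaultGroupFinder) {
        this.dbClient = dbClient;
        this.userUpdater = userUpdater;
        this.defaultOrganizationProvider = defaultOrganizationProvider;
        this.organizationFlags = organizationFlags;
        this.organizationUpdater = organizationUpdater;
        this.defaultGroupFinder = defaultGroupFinder;
    }

    /**
     * Resolves the local account for the given external identity and brings it up to date.
     *
     * <ul>
     *   <li>no matching account: a new one is created;</li>
     *   <li>matching active account: it is updated from the identity;</li>
     *   <li>matching inactive account: it is reactivated through the same path as a creation,
     *       so it is subject to the provider's sign-up permission.</li>
     * </ul>
     *
     * @param userIdentityAuthenticatorParameters identity, provider and conflict strategies
     * @return the created, updated or reactivated user
     */
    @Override
    public UserDto authenticate(UserIdentityAuthenticatorParameters userIdentityAuthenticatorParameters) {
        // try-with-resources closes the session on every path, including when an exception escapes.
        try (DbSession dbSession = this.dbClient.openSession(false)) {
            UserDto user = getUser(dbSession, userIdentityAuthenticatorParameters.getUserIdentity(), userIdentityAuthenticatorParameters.getProvider());
            if (user == null) {
                return registerNewUser(dbSession, null, userIdentityAuthenticatorParameters);
            }
            if (user.isActive()) {
                return registerExistingUser(dbSession, user, userIdentityAuthenticatorParameters);
            }
            return registerNewUser(dbSession, user, userIdentityAuthenticatorParameters);
        }
    }

    /**
     * Looks up the local account, first by external id and provider key, then by login.
     *
     * @return the matching user, or {@code null} when neither lookup finds one
     */
    @CheckForNull
    private UserDto getUser(DbSession dbSession, UserIdentity userIdentity, IdentityProvider identityProvider) {
        String providerId = userIdentity.getProviderId();
        // Providers that do not supply an id are matched on their provider login instead.
        String externalId = providerId == null ? userIdentity.getProviderLogin() : providerId;
        UserDto byExternalId = this.dbClient.userDao().selectByExternalIdAndIdentityProvider(dbSession, externalId, identityProvider.getKey());
        if (byExternalId != null) {
            return byExternalId;
        }
        // NOTE(review): this fallback matches on login alone, without looking at which provider
        // (if any) the stored account belongs to. It therefore relies on every enabled provider
        // asserting logins that cannot collide with accounts it does not own - confirm with the
        // provider configuration.
        return this.dbClient.userDao().selectByLogin(dbSession, userIdentity.getLogin());
    }

    /**
     * Updates an active account from the identity, then synchronises its groups.
     *
     * @return the same {@code userDto} instance that was passed in
     */
    private UserDto registerExistingUser(DbSession dbSession, UserDto userDto, UserIdentityAuthenticatorParameters parameters) {
        UserIdentity identity = parameters.getUserIdentity();
        UpdateUser update = new UpdateUser()
            .setLogin(identity.getLogin())
            .setEmail(identity.getEmail())
            .setName(identity.getName())
            .setExternalIdentity(new ExternalIdentity(parameters.getProvider().getKey(), identity.getProviderLogin(), identity.getProviderId()));
        // Login conflicts are resolved before e-mail conflicts; either check may throw.
        detectLoginUpdate(dbSession, userDto, update, parameters);
        Optional<UserDto> otherUserToIndex = detectEmailUpdate(dbSession, parameters);
        this.userUpdater.updateAndCommit(dbSession, userDto, update,
            updated -> syncGroups(dbSession, parameters.getUserIdentity(), updated),
            toArray(otherUserToIndex));
        return userDto;
    }

    /**
     * Creates a new account, or reactivates {@code userDto} when it is non-null.
     *
     * @param userDto the inactive account to reactivate, or {@code null} to create a new one
     */
    private UserDto registerNewUser(DbSession dbSession, @Nullable UserDto userDto, UserIdentityAuthenticatorParameters parameters) {
        // NOTE(review): the e-mail conflict check runs before the sign-up permission check in
        // createNewUser. With the ALLOW strategy it has already issued an update on the other
        // account by the time sign-up is refused; that update is presumably discarded because
        // nothing commits the session on that path - confirm.
        Optional<UserDto> otherUserToIndex = detectEmailUpdate(dbSession, parameters);
        NewUser newUser = createNewUser(parameters);
        if (userDto == null) {
            return this.userUpdater.createAndCommit(dbSession, newUser,
                created -> syncGroups(dbSession, parameters.getUserIdentity(), created),
                toArray(otherUserToIndex));
        }
        return this.userUpdater.reactivateAndCommit(dbSession, userDto, newUser,
            reactivated -> syncGroups(dbSession, parameters.getUserIdentity(), reactivated),
            toArray(otherUserToIndex));
    }

    /**
     * Checks whether the e-mail of the identity is already held by a different account and
     * applies the configured {@code ExistingEmailStrategy}.
     *
     * @return the other account when its e-mail was cleared (ALLOW), otherwise empty
     * @throws AuthenticationException when several accounts hold the e-mail, or on FORBID
     * @throws EmailAlreadyExistsRedirectionException on WARN
     */
    private Optional<UserDto> detectEmailUpdate(DbSession dbSession, UserIdentityAuthenticatorParameters parameters) {
        UserIdentity identity = parameters.getUserIdentity();
        String email = identity.getEmail();
        if (email == null) {
            return Optional.empty();
        }
        List<UserDto> usersWithEmail = this.dbClient.userDao().selectByEmail(dbSession, email);
        if (usersWithEmail.isEmpty()) {
            return Optional.empty();
        }
        if (usersWithEmail.size() > 1) {
            // Ambiguous ownership: refuse rather than pick one of the accounts.
            throw generateExistingEmailError(parameters, email);
        }
        UserDto existingUser = usersWithEmail.get(0);
        boolean sameLogin = existingUser != null && Objects.equals(existingUser.getLogin(), identity.getLogin());
        boolean sameExternalIdentity = existingUser != null
            && Objects.equals(existingUser.getExternalId(), identity.getProviderId())
            && Objects.equals(existingUser.getExternalIdentityProvider(), parameters.getProvider().getKey());
        if (existingUser == null || sameLogin || sameExternalIdentity) {
            // The e-mail already belongs to the account being authenticated.
            return Optional.empty();
        }
        UserIdentityAuthenticatorParameters.ExistingEmailStrategy strategy = parameters.getExistingEmailStrategy();
        switch (strategy) {
            case ALLOW:
                // The e-mail is taken away from the other account purely on the provider's
                // assertion. NOTE(review): only safe if the provider asserts verified e-mail
                // ownership - confirm for each provider that uses this strategy.
                existingUser.setEmail((String) null);
                this.dbClient.userDao().update(dbSession, existingUser);
                return Optional.of(existingUser);
            case WARN:
                throw new EmailAlreadyExistsRedirectionException(email, existingUser, identity, parameters.getProvider());
            case FORBID:
                throw generateExistingEmailError(parameters, email);
            default:
                throw new IllegalStateException(String.format("Unknown strategy %s", strategy));
        }
    }

    /**
     * Applies the configured {@code UpdateLoginStrategy} when the login of an existing account
     * changes and the account has a personal organization.
     *
     * <p>Does nothing when the login is unchanged, organizations are disabled, or the user has no
     * organization uuid.
     *
     * @throws UpdateLoginRedirectionException on WARN
     * @throws IllegalStateException when the personal organization cannot be found
     */
    private void detectLoginUpdate(DbSession dbSession, UserDto userDto, UpdateUser updateUser, UserIdentityAuthenticatorParameters parameters) {
        String newLogin = updateUser.login();
        if (!updateUser.isLoginChanged() || userDto.getLogin().equals(newLogin) || !this.organizationFlags.isEnabled(dbSession)) {
            return;
        }
        String organizationUuid = userDto.getOrganizationUuid();
        if (organizationUuid == null) {
            return;
        }
        Optional<OrganizationDto> organization = this.dbClient.organizationDao().selectByUuid(dbSession, organizationUuid);
        Preconditions.checkState(organization.isPresent(), "Cannot find personal organization uuid '%s' for user '%s'", organizationUuid, userDto.getLogin());
        UserIdentityAuthenticatorParameters.UpdateLoginStrategy strategy = parameters.getUpdateLoginStrategy();
        switch (strategy) {
            case ALLOW:
                // The organization key follows the new login.
                this.organizationUpdater.updateOrganizationKey(dbSession, organization.get(), Objects.requireNonNull(newLogin, "new login cannot be null"));
                return;
            case WARN:
                throw new UpdateLoginRedirectionException(parameters.getUserIdentity(), parameters.getProvider(), userDto, organization.get());
            default:
                throw new IllegalStateException(String.format("Unknown strategy %s", strategy));
        }
    }

    /**
     * Aligns the user's group memberships with the groups reported by the identity provider.
     *
     * <p>Runs only when the identity asks for group synchronisation. In that case the provider's
     * list is authoritative: memberships missing from it are removed and new ones are added.
     * Group names are resolved in the default organization only, and names that do not resolve
     * to an existing group are skipped without error.
     */
    private void syncGroups(DbSession dbSession, UserIdentity userIdentity, UserDto userDto) {
        if (!userIdentity.shouldSyncGroups()) {
            return;
        }
        String login = userIdentity.getLogin();
        Set<String> currentGroups = new HashSet<>(this.dbClient.groupMembershipDao().selectGroupsByLogins(dbSession, Collections.singletonList(login)).get(login));
        Set<String> identityGroups = userIdentity.getGroups();
        LOGGER.debug("List of groups returned by the identity provider '{}'", identityGroups);

        Set<String> groupsToAdd = Sets.difference(identityGroups, currentGroups);
        Set<String> groupsToRemove = Sets.difference(currentGroups, identityGroups);
        // One query resolves every group name that is touched, whether added or removed.
        List<String> changedGroups = new ArrayList<>(groupsToAdd);
        changedGroups.addAll(groupsToRemove);
        Map<String, GroupDto> groupsByName = this.dbClient.groupDao()
            .selectByNames(dbSession, this.defaultOrganizationProvider.get().getUuid(), changedGroups)
            .stream()
            .collect(MoreCollectors.uniqueIndex(GroupDto::getName));

        addGroups(dbSession, userDto, groupsToAdd, groupsByName);
        removeGroups(dbSession, userDto, groupsToRemove, groupsByName);
    }

    /**
     * Inserts a membership for every name in {@code collection} that resolves to a group in
     * {@code map}; unresolved names are ignored.
     */
    private void addGroups(DbSession dbSession, UserDto userDto, Collection<String> collection, Map<String, GroupDto> map) {
        collection.stream()
            .map(map::get)
            .filter(Objects::nonNull)
            .forEach(group -> {
                LOGGER.debug("Adding group '{}' to user '{}'", group.getName(), userDto.getLogin());
                this.dbClient.userGroupDao().insert(dbSession, new UserGroupDto().setGroupId(group.getId().intValue()).setUserId(userDto.getId().intValue()));
            });
    }

    /**
     * Deletes the membership for every name in {@code collection} that resolves to a group in
     * {@code map}, except the default group, which is never removed by synchronisation.
     */
    private void removeGroups(DbSession dbSession, UserDto userDto, Collection<String> collection, Map<String, GroupDto> map) {
        Optional<GroupDto> defaultGroup = getDefaultGroup(dbSession);
        collection.stream()
            .map(map::get)
            .filter(Objects::nonNull)
            // Keep the default group even when the provider does not list it.
            .filter(group -> !(defaultGroup.isPresent() && group.getId().equals(defaultGroup.get().getId())))
            .forEach(group -> {
                LOGGER.debug("Removing group '{}' from user '{}'", group.getName(), userDto.getLogin());
                this.dbClient.userGroupDao().delete(dbSession, group.getId().intValue(), userDto.getId().intValue());
            });
    }

    /**
     * Returns the default group of the default organization, or empty when organizations are
     * enabled (no group is protected from removal in that mode).
     */
    private Optional<GroupDto> getDefaultGroup(DbSession dbSession) {
        if (this.organizationFlags.isEnabled(dbSession)) {
            return Optional.empty();
        }
        return Optional.of(this.defaultGroupFinder.findDefaultGroup(dbSession, this.defaultOrganizationProvider.get().getUuid()));
    }

    /**
     * Builds the {@link NewUser} for an identity, provided the provider allows sign-up.
     *
     * <p>This is the only gate on account creation and reactivation in this class.
     *
     * @throws AuthenticationException when the provider does not allow users to sign up
     */
    private static NewUser createNewUser(UserIdentityAuthenticatorParameters parameters) {
        String providerKey = parameters.getProvider().getKey();
        if (!parameters.getProvider().allowsUsersToSignUp()) {
            throw AuthenticationException.newBuilder()
                .setSource(parameters.getSource())
                .setLogin(parameters.getUserIdentity().getLogin())
                .setMessage(String.format("User signup disabled for provider '%s'", providerKey))
                .setPublicMessage(String.format("'%s' users are not allowed to sign up", providerKey))
                .build();
        }
        UserIdentity identity = parameters.getUserIdentity();
        return NewUser.builder()
            .setLogin(identity.getLogin())
            .setEmail(identity.getEmail())
            .setName(identity.getName())
            .setExternalIdentity(new ExternalIdentity(providerKey, identity.getProviderLogin(), identity.getProviderId()))
            .build();
    }

    /** Converts an optional user into a zero- or one-element array for the varargs updater calls. */
    private static UserDto[] toArray(Optional<UserDto> optional) {
        return optional.map(user -> new UserDto[]{user}).orElse(new UserDto[0]);
    }

    /**
     * Builds the error raised when the e-mail of the identity is already held by another account.
     *
     * <p>The public message echoes the e-mail address and confirms that it is registered.
     */
    private static AuthenticationException generateExistingEmailError(UserIdentityAuthenticatorParameters parameters, String str) {
        return AuthenticationException.newBuilder()
            .setSource(parameters.getSource())
            .setLogin(parameters.getUserIdentity().getLogin())
            .setMessage(String.format("Email '%s' is already used", str))
            .setPublicMessage(String.format("You can't sign up because email '%s' is already used by an existing user. This means that you probably already registered with another account.", str))
            .build();
    }
}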
