package jenkins.security;

import edu.umd.cs.findbugs.annotations.CheckForNull;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import hudson.Extension;
import hudson.Util;
import hudson.model.Descriptor;
import hudson.model.User;
import hudson.model.UserProperty;
import hudson.model.UserPropertyDescriptor;
import hudson.security.ACL;
import hudson.util.HttpResponses;
import hudson.util.Secret;
import java.io.IOException;
import java.security.SecureRandom;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import jenkins.model.Jenkins;
import jenkins.security.apitoken.ApiTokenPropertyConfiguration;
import jenkins.security.apitoken.ApiTokenStats;
import jenkins.security.apitoken.ApiTokenStore;
import jenkins.security.apitoken.TokenUuidAndPlainValue;
import jenkins.util.SystemProperties;
import net.jcip.annotations.Immutable;
import net.sf.json.JSONArray;
import net.sf.json.JSONObject;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.text.lookup.StringLookupFactory;
import org.jenkinsci.Symbol;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.Beta;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;

/* loaded from: input_file:WEB-INF/lib/jenkins-core-2.361-rc32649.c1a_a_f3d2c248.jar:jenkins/security/ApiTokenProperty.class */
/**
 * User property that carries a user's API tokens: an optional legacy token ({@link #apiToken}),
 * a store of named tokens ({@link #tokenStore}) and per-token usage statistics
 * ({@link #tokenStats}).
 *
 * <p>This listing is decompiler output (see the "loaded from" and JADX comments). Names such as
 * {@code str}, {@code str2}, {@code z} and {@code hashMap} are decompiler placeholders, not the
 * names used in the original source.
 *
 * <p>Security-relevant layout: the HTTP entry points live in {@link DescriptorImpl} and carry the
 * access checks. The instance methods further down that create or revoke tokens
 * ({@link #generateNewToken}, {@link #addFixedNewToken}, {@link #revokeToken},
 * {@link #revokeAllTokens}, {@link #revokeAllTokensExceptOne}) perform no access check
 * themselves, so every caller has to enforce one.
 */
public class ApiTokenProperty extends UserProperty {
    // Legacy single token, wrapped in Secret. null means the user has no legacy token
    // (see hasLegacyToken()). volatile because getApiTokenInsecure(), revokeToken() and
    // deleteApiToken() all reassign it outside any lock.
    private volatile Secret apiToken;
    // Named tokens. Created in setUser() when still null, so it is unset until setUser() has run.
    private ApiTokenStore tokenStore;
    // Usage statistics; declared transient and (re)loaded through ApiTokenStats.load(user) in setUser().
    private transient ApiTokenStats tokenStats;
    private static final Logger LOGGER = Logger.getLogger(ApiTokenProperty.class.getName());

    // Read once from the system property "<this class name>.showTokenToAdmins". When true, a
    // holder of Jenkins.ADMINISTER passes hasPermissionToSeeToken() for any user's legacy token.
    // Deliberately non-final (see the justification) so it can be flipped at runtime from a
    // System Groovy script; treat a change to it as a change in who can read token values.
    @SuppressFBWarnings(value = {"MS_SHOULD_BE_FINAL"}, justification = "Accessible via System Groovy Scripts")
    private static boolean SHOW_LEGACY_TOKEN_TO_ADMINS = SystemProperties.getBoolean(ApiTokenProperty.class.getName() + ".showTokenToAdmins");

    // Read once from the system property "<this class name>.adminCanGenerateNewTokens". When
    // true, a holder of Jenkins.ADMINISTER may create tokens on other users' accounts through
    // doGenerateNewToken/doAddFixedToken. Such a token is accepted by matchesPassword() for the
    // target account, so enabling this lets administrators mint credentials for other users.
    @SuppressFBWarnings(value = {"MS_SHOULD_BE_FINAL"}, justification = "Accessible via System Groovy Scripts")
    private static boolean ADMIN_CAN_GENERATE_NEW_TOKENS = SystemProperties.getBoolean(ApiTokenProperty.class.getName() + ".adminCanGenerateNewTokens");

    // Only used by _changeApiToken() to draw the 16 random bytes of a rotated legacy token.
    @Deprecated
    private static final SecureRandom RANDOM = new SecureRandom();

    // Confidential HMAC key. forceNewInstance() and getApiTokenInsecure() use mac(userId) to
    // derive a legacy token value from the user id instead of generating a random one.
    @Restricted({NoExternalUse.class})
    @Deprecated
    public static final HMACConfidentialKey API_KEY_SEED = new HMACConfidentialKey(ApiTokenProperty.class, "seed", 16);

    /**
     * Descriptor of the property and home of the token-management HTTP actions.
     *
     * <p>Every {@code doXxx} action is annotated {@code @RequirePOST}. Two different access
     * checks are in use: the two token-creating actions call
     * {@link #hasCurrentUserRightToGenerateNewToken(User)} and answer with a "forbidden"
     * response, while the change/rename/revoke actions call
     * {@code user.checkPermission(Jenkins.ADMINISTER)} on the target {@link User}.
     * NOTE(review): the latter is evaluated against the target User object, not against the
     * Jenkins root object; presumably that ACL also covers the account owner. Confirm in
     * hudson.model.User.
     *
     * <p>NOTE(review): the {@code @QueryParameter} parameters carry no explicit name, so the HTTP
     * parameter names presumably came from the original Java parameter names, which the
     * decompiler replaced with {@code str}/{@code str2}. Restore them before recompiling this
     * listing.
     */
    @Extension
    @Symbol({"apiToken"})
    /* loaded from: input_file:WEB-INF/lib/jenkins-core-2.361-rc32649.c1a_a_f3d2c248.jar:jenkins/security/ApiTokenProperty$DescriptorImpl.class */
    public static final class DescriptorImpl extends UserPropertyDescriptor {
        /** Returns the localized display name of this property. */
        @Override // hudson.model.Descriptor
        @NonNull
        public String getDisplayName() {
            return Messages.ApiTokenProperty_DisplayName();
        }

        /** Returns the localized text shown when the user has no legacy token. */
        @Restricted({NoExternalUse.class})
        public String getNoLegacyToken() {
            return Messages.ApiTokenProperty_NoLegacyToken();
        }

        /**
         * Creates the property for a user. A legacy token is included only when the global
         * configuration enables token generation on creation.
         */
        @Override // hudson.model.UserPropertyDescriptor
        public ApiTokenProperty newInstance(User user) {
            return !ApiTokenPropertyConfiguration.get().isTokenGenerationOnCreationEnabled() ? forceNewInstance(user, false) : forceNewInstance(user, true);
        }

        /**
         * Creates a property regardless of the global configuration.
         *
         * @param z when true, the property starts with a legacy token derived from the user id
         *     via {@code API_KEY_SEED.mac(...)}; when false, it starts without a legacy token
         */
        private ApiTokenProperty forceNewInstance(User user, boolean z) {
            return z ? new ApiTokenProperty(ApiTokenProperty.API_KEY_SEED.mac(user.getId())) : new ApiTokenProperty(null);
        }

        /** Returns whether usage statistics are enabled in the global configuration. */
        @Restricted({NoExternalUse.class})
        public boolean isStatisticsEnabled() {
            return ApiTokenPropertyConfiguration.get().isUsageStatisticsEnabled();
        }

        /**
         * Decides whether the legacy-token controls apply to {@code user}: always true when the
         * user already holds a legacy token, otherwise whatever the global "creation of legacy
         * token" setting says.
         */
        @Restricted({NoExternalUse.class})
        public boolean mustDisplayLegacyApiToken(User user) {
            ApiTokenProperty apiTokenProperty = (ApiTokenProperty) user.getProperty(ApiTokenProperty.class);
            if (apiTokenProperty == null || apiTokenProperty.apiToken == null) {
                return ApiTokenPropertyConfiguration.get().isCreationOfLegacyTokenEnabled();
            }
            return true;
        }

        /**
         * Returns whether the current user may create tokens for {@code user}; see
         * {@link ApiTokenProperty#canCurrentUserControlObject} for the rules. The administrator
         * shortcut is governed by {@code ADMIN_CAN_GENERATE_NEW_TOKENS}.
         */
        @Restricted({NoExternalUse.class})
        public boolean hasCurrentUserRightToGenerateNewToken(User user) {
            return ApiTokenProperty.canCurrentUserControlObject(ApiTokenProperty.ADMIN_CAN_GENERATE_NEW_TOKENS, user);
        }

        /**
         * Deprecated action that rotates (or first creates) the legacy token of {@code user}.
         *
         * <p>Returns a "capability not allowed" page when
         * {@link #mustDisplayLegacyApiToken(User)} is false. Otherwise the token is created or
         * rotated, and the value returned by {@code getApiToken()} is sent back inside a
         * JavaScript snippet in a response header.
         *
         * @throws IOException propagated from {@code changeApiToken()} / {@code addProperty}
         */
        @RequirePOST
        @Deprecated
        public HttpResponse doChangeToken(@AncestorInPath User user, StaplerResponse staplerResponse) throws IOException {
            // Access check against the target user; expected to abort the request on failure.
            user.checkPermission(Jenkins.ADMINISTER);
            ApiTokenProperty.LOGGER.log(Level.FINE, "Deprecated action /changeToken used, consider using /generateNewToken instead");
            if (!mustDisplayLegacyApiToken(user)) {
                return HttpResponses.html(Messages.ApiTokenProperty_ChangeToken_CapabilityNotAllowed());
            }
            ApiTokenProperty apiTokenProperty = (ApiTokenProperty) user.getProperty(ApiTokenProperty.class);
            if (apiTokenProperty == null) {
                apiTokenProperty = forceNewInstance(user, true);
                apiTokenProperty.setUser(user);
                user.addProperty(apiTokenProperty);
            } else {
                apiTokenProperty.changeApiToken();
            }
            // NOTE(review): StringLookupFactory.KEY_SCRIPT is an unrelated commons-text constant;
            // the decompiler presumably substituted it for a string literal of equal value
            // ("script"). Confirm against the original source.
            // The getApiToken() result is concatenated into a JavaScript string literal without
            // escaping. It is either a digest string or a localized "hidden" message (see
            // getApiToken()); NOTE(review): confirm neither can contain a quote character.
            // The token value also leaves the server in a response header, so header logging on
            // proxies in front of this endpoint would capture it.
            staplerResponse.setHeader(StringLookupFactory.KEY_SCRIPT, "document.getElementById('apiToken').value='" + apiTokenProperty.getApiToken() + "'");
            return HttpResponses.html(apiTokenProperty.hasPermissionToSeeToken() ? Messages.ApiTokenProperty_ChangeToken_Success() : Messages.ApiTokenProperty_ChangeToken_SuccessHidden());
        }

        /**
         * Generates a new named token for {@code user} and returns its UUID, name and plain value
         * as JSON.
         *
         * <p>This response is where the plain token value is handed to the caller;
         * {@link ApiTokenProperty#getTokenList()} exposes no token value afterwards.
         *
         * @param str requested token name; a localized "created on" name with the current
         *     timestamp is used when blank
         * @return a "forbidden" response when the current user may not generate tokens for
         *     {@code user}, otherwise the JSON described above
         */
        @RequirePOST
        public HttpResponse doGenerateNewToken(@AncestorInPath User user, @QueryParameter String str) throws IOException {
            if (!hasCurrentUserRightToGenerateNewToken(user)) {
                return HttpResponses.forbidden();
            }
            String Token_Created_on = StringUtils.isBlank(str) ? Messages.Token_Created_on(DateTimeFormatter.ISO_OFFSET_DATE_TIME.format(ZonedDateTime.now())) : str;
            ApiTokenProperty apiTokenProperty = (ApiTokenProperty) user.getProperty(ApiTokenProperty.class);
            if (apiTokenProperty == null) {
                // Unlike doChangeToken, setUser() is not called explicitly here.
                // NOTE(review): presumably user.addProperty(...) calls setUser(), which is what
                // initialises tokenStore. Confirm.
                apiTokenProperty = forceNewInstance(user, false);
                user.addProperty(apiTokenProperty);
            }
            TokenUuidAndPlainValue generateNewToken = apiTokenProperty.generateNewToken(Token_Created_on);
            HashMap hashMap = new HashMap();
            hashMap.put("tokenUuid", generateNewToken.tokenUuid);
            hashMap.put("tokenName", Token_Created_on);
            hashMap.put("tokenValue", generateNewToken.plainValue);
            return HttpResponses.okJSON(hashMap);
        }

        /**
         * Adds a token whose plain value is chosen by the caller instead of generated.
         *
         * <p>{@code str2} is passed to {@code tokenStore.addFixedNewToken} unchanged; this method
         * does not validate it. NOTE(review): any format or strength validation has to happen in
         * ApiTokenStore.addFixedNewToken. Confirm there. A caller-chosen value is only as
         * unpredictable as the caller made it.
         *
         * @param str requested token name; a fixed English "Token created on ..." name is used
         *     when blank (not the localized message used by {@link #doGenerateNewToken})
         * @param str2 plain token value supplied by the caller
         * @return a "forbidden" response when the current user may not generate tokens for
         *     {@code user}, otherwise JSON with the UUID and name (the value is not echoed back)
         */
        @RequirePOST
        @Restricted({NoExternalUse.class})
        public HttpResponse doAddFixedToken(@AncestorInPath User user, @QueryParameter String str, @QueryParameter String str2) throws IOException {
            if (!hasCurrentUserRightToGenerateNewToken(user)) {
                return HttpResponses.forbidden();
            }
            String format = StringUtils.isBlank(str) ? String.format("Token created on %s", DateTimeFormatter.ISO_OFFSET_DATE_TIME.format(ZonedDateTime.now())) : str;
            ApiTokenProperty apiTokenProperty = (ApiTokenProperty) user.getProperty(ApiTokenProperty.class);
            if (apiTokenProperty == null) {
                apiTokenProperty = forceNewInstance(user, false);
                user.addProperty(apiTokenProperty);
            }
            String addFixedNewToken = apiTokenProperty.tokenStore.addFixedNewToken(format, str2);
            user.save();
            HashMap hashMap = new HashMap();
            hashMap.put("tokenUuid", addFixedNewToken);
            hashMap.put("tokenName", format);
            return HttpResponses.okJSON(hashMap);
        }

        /**
         * Renames one token of {@code user}.
         *
         * @param str UUID of the token to rename (per the error text, "tokenUuid")
         * @param str2 new name; must not be blank
         * @return an error response when either argument is blank, the user has no property, or
         *     no token matches; otherwise an empty OK response after saving the user
         */
        @RequirePOST
        public HttpResponse doRename(@AncestorInPath User user, @QueryParameter String str, @QueryParameter String str2) throws IOException {
            // Access check against the target user; expected to abort the request on failure.
            user.checkPermission(Jenkins.ADMINISTER);
            if (StringUtils.isBlank(str2)) {
                return HttpResponses.errorJSON("The name cannot be empty");
            }
            if (StringUtils.isBlank(str)) {
                return HttpResponses.errorWithoutStack(400, "The tokenUuid cannot be empty");
            }
            ApiTokenProperty apiTokenProperty = (ApiTokenProperty) user.getProperty(ApiTokenProperty.class);
            if (apiTokenProperty == null) {
                return HttpResponses.errorWithoutStack(400, "The user does not have any ApiToken yet, try generating one before.");
            }
            if (!apiTokenProperty.tokenStore.renameToken(str, str2)) {
                return HttpResponses.errorJSON("No token found, try refreshing the page");
            }
            user.save();
            return HttpResponses.ok();
        }

        /**
         * Revokes the token with the given UUID. An unknown UUID is not reported as an error:
         * {@code revokeToken} does nothing in that case and the response is still OK.
         *
         * @param str UUID of the token to revoke; must not be blank
         */
        @RequirePOST
        public HttpResponse doRevoke(@AncestorInPath User user, @QueryParameter String str) throws IOException {
            // Access check against the target user; expected to abort the request on failure.
            user.checkPermission(Jenkins.ADMINISTER);
            if (StringUtils.isBlank(str)) {
                return HttpResponses.errorWithoutStack(400, "The tokenUuid cannot be empty");
            }
            ApiTokenProperty apiTokenProperty = (ApiTokenProperty) user.getProperty(ApiTokenProperty.class);
            if (apiTokenProperty == null) {
                return HttpResponses.errorWithoutStack(400, "The user does not have any ApiToken yet, try generating one before.");
            }
            apiTokenProperty.revokeToken(str);
            return HttpResponses.ok();
        }

        /** Revokes every token of {@code user}; useful as the containment step after a suspected leak. */
        @RequirePOST
        @Restricted({NoExternalUse.class})
        public HttpResponse doRevokeAll(@AncestorInPath User user) throws IOException {
            // Access check against the target user; expected to abort the request on failure.
            user.checkPermission(Jenkins.ADMINISTER);
            ApiTokenProperty apiTokenProperty = (ApiTokenProperty) user.getProperty(ApiTokenProperty.class);
            if (apiTokenProperty == null) {
                return HttpResponses.errorWithoutStack(400, "The user does not have any ApiToken yet, try generating one before.");
            }
            apiTokenProperty.revokeAllTokens();
            return HttpResponses.ok();
        }

        /**
         * Revokes every token of {@code user} except the one with the given UUID.
         *
         * @param str UUID of the token to keep; must not be blank
         */
        @RequirePOST
        @Restricted({NoExternalUse.class})
        public HttpResponse doRevokeAllExcept(@AncestorInPath User user, @QueryParameter String str) throws IOException {
            // Access check against the target user; expected to abort the request on failure.
            user.checkPermission(Jenkins.ADMINISTER);
            if (StringUtils.isBlank(str)) {
                return HttpResponses.errorWithoutStack(400, "The tokenUuid cannot be empty");
            }
            ApiTokenProperty apiTokenProperty = (ApiTokenProperty) user.getProperty(ApiTokenProperty.class);
            if (apiTokenProperty == null) {
                return HttpResponses.errorWithoutStack(400, "The user does not have any ApiToken yet, try generating one before.");
            }
            apiTokenProperty.revokeAllTokensExceptOne(str);
            return HttpResponses.ok();
        }
    }

    /**
     * Read-only view of one token for display: metadata copied from the stored
     * {@code HashedToken} plus its usage statistics. It carries no token value, only the UUID,
     * name, dates and counters.
     *
     * <p>The {@code Date} fields are final references to mutable objects, so the
     * {@code @Immutable} contract relies on nobody mutating them.
     */
    @Restricted({NoExternalUse.class})
    @Immutable
    /* loaded from: input_file:WEB-INF/lib/jenkins-core-2.361-rc32649.c1a_a_f3d2c248.jar:jenkins/security/ApiTokenProperty$TokenInfoAndStats.class */
    public static class TokenInfoAndStats {
        public final String uuid;
        public final String name;
        public final Date creationDate;
        public final long numDaysCreation;
        public final boolean isLegacy;
        public final int useCounter;
        public final Date lastUseDate;
        public final long numDaysUse;

        /** Copies the displayed fields out of the stored token and its statistics entry. */
        public TokenInfoAndStats(@NonNull ApiTokenStore.HashedToken hashedToken, @NonNull ApiTokenStats.SingleTokenStats singleTokenStats) {
            this.uuid = hashedToken.getUuid();
            this.name = hashedToken.getName();
            this.creationDate = hashedToken.getCreationDate();
            this.numDaysCreation = hashedToken.getNumDaysCreation();
            this.isLegacy = hashedToken.isLegacy();
            this.useCounter = singleTokenStats.getUseCounter();
            this.lastUseDate = singleTokenStats.getLastUseDate();
            this.numDaysUse = singleTokenStats.getNumDaysUse();
        }
    }

    /** Data-bound constructor; creates a property without a legacy token. */
    @DataBoundConstructor
    public ApiTokenProperty() {
    }

    /**
     * Attaches the property to its user and completes initialisation: creates the token store
     * and loads the statistics when they are still null, then lets the store pick up an existing
     * legacy token. Until this has run, {@code tokenStore} and {@code tokenStats} may be null.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // hudson.model.UserProperty
    public void setUser(User user) {
        super.setUser(user);
        if (this.tokenStore == null) {
            this.tokenStore = new ApiTokenStore();
        }
        if (this.tokenStats == null) {
            this.tokenStats = ApiTokenStats.load(this.user);
        }
        if (this.apiToken != null) {
            this.tokenStore.regenerateTokenFromLegacyIfRequired(this.apiToken);
        }
    }

    /**
     * Package-private constructor used by the descriptor.
     *
     * @param str legacy token seed to wrap in a {@link Secret}, or null for no legacy token
     */
    ApiTokenProperty(@CheckForNull String str) {
        if (str != null) {
            this.apiToken = Secret.fromString(str);
        }
    }

    /**
     * Returns the legacy token as seen by the current user: the value from
     * {@link #getApiTokenInsecure()} when {@link #hasPermissionToSeeToken()} allows it,
     * otherwise a localized "token is hidden" message. Callers therefore cannot tell a token
     * from a placeholder by type alone.
     *
     * <p>Each call is logged at FINE as deprecated usage; at FINER a stack trace is attached so
     * the calling code can be located.
     */
    @NonNull
    public String getApiToken() {
        LOGGER.log(Level.FINE, "Deprecated usage of getApiToken");
        if (LOGGER.isLoggable(Level.FINER)) {
            // The Exception is never thrown; it only supplies the stack trace for the log record.
            LOGGER.log(Level.FINER, "Deprecated usage of getApiToken (trace)", (Throwable) new Exception());
        }
        return hasPermissionToSeeToken() ? getApiTokenInsecure() : Messages.ApiTokenProperty_ChangeToken_TokenIsHidden();
    }

    /** Returns whether a legacy token is currently set. */
    @Restricted({NoExternalUse.class})
    public boolean hasLegacyToken() {
        return this.apiToken != null;
    }

    /**
     * Returns the legacy token value without any access check (hence "insecure"); callers must
     * have checked access already. Returns a localized "no legacy token" message when none is
     * set.
     *
     * <p>What is returned is {@code Util.getDigestOf(...)} of the stored secret, not the stored
     * secret itself. NOTE(review): presumably an MD5 hex digest; confirm in hudson.Util.
     */
    @NonNull
    @Restricted({NoExternalUse.class})
    String getApiTokenInsecure() {
        if (this.apiToken == null) {
            return Messages.ApiTokenProperty_NoLegacyToken();
        }
        String plainText = this.apiToken.getPlainText();
        // Migration of an older derivation: a stored value equal to digest(secretKey + ":" + userId)
        // is replaced by API_KEY_SEED.mac(userId). Both operands of equals() are server-side
        // values, not caller input. The replacement is made in memory only; nothing is saved here.
        if (plainText.equals(Util.getDigestOf(Jenkins.get().getSecretKey() + ":" + this.user.getId()))) {
            String mac = API_KEY_SEED.mac(this.user.getId());
            plainText = mac;
            this.apiToken = Secret.fromString(mac);
        }
        return Util.getDigestOf(plainText);
    }

    /**
     * Checks a presented credential against this user's tokens and records the use on a match.
     *
     * <p>The comparison itself happens in {@code tokenStore.findMatchingToken}, which is not
     * part of this listing. NOTE(review): confirm it compares in constant time.
     *
     * @param str credential presented by the client; blank input never matches
     * @return true when a stored token matches
     */
    public boolean matchesPassword(String str) {
        ApiTokenStore.HashedToken findMatchingToken;
        if (StringUtils.isBlank(str) || (findMatchingToken = this.tokenStore.findMatchingToken(str)) == null) {
            return false;
        }
        this.tokenStats.updateUsageForId(findMatchingToken.getUuid());
        return true;
    }

    /** Returns whether the current user may see this user's legacy token value. */
    private boolean hasPermissionToSeeToken() {
        return canCurrentUserControlObject(SHOW_LEGACY_TOKEN_TO_ADMINS, this.user);
    }

    /**
     * Central identity check for token visibility and token creation. Evaluated in this order:
     * <ol>
     *   <li>{@code z} is true and the current authentication holds Jenkins.ADMINISTER: allowed;</li>
     *   <li>{@code User.current()} is null: denied;</li>
     *   <li>the current authentication equals {@code ACL.SYSTEM2}: allowed;</li>
     *   <li>otherwise allowed only when the current user's id equals the owner's id under the
     *       configured id strategy.</li>
     * </ol>
     * With {@code z} false an administrator gets no shortcut and is treated like any other user.
     *
     * @param z whether administrators are trusted for this operation
     * @param user owner of the tokens
     */
    private static boolean canCurrentUserControlObject(boolean z, User user) {
        if (z && Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
            return true;
        }
        User current = User.current();
        if (current == null) {
            return false;
        }
        if (Jenkins.getAuthentication2().equals(ACL.SYSTEM2)) {
            return true;
        }
        return User.idStrategy().equals(user.getId(), current.getId());
    }

    /** Returns display data for every token, in the store's name order, paired with its statistics. */
    @Restricted({NoExternalUse.class})
    public Collection<TokenInfoAndStats> getTokenList() {
        return (Collection) this.tokenStore.getTokenListSortedByName().stream().map(hashedToken -> {
            return new TokenInfoAndStats(hashedToken, this.tokenStats.findTokenStatsById(hashedToken.getUuid()));
        }).collect(Collectors.toList());
    }

    /**
     * Applies a submitted configuration form: the "tokenStore" element is converted to a map
     * keyed by token UUID and handed to {@code tokenStore.reconfigure}. A null form is a no-op.
     *
     * <p>No access check is made here. NOTE(review): presumably the code handling the form
     * submission enforces it; confirm at the caller.
     */
    /* JADX WARN: Can't rename method to resolve collision */
    @Override // hudson.model.UserProperty, hudson.model.ReconfigurableDescribable
    public UserProperty reconfigure(StaplerRequest staplerRequest, @CheckForNull JSONObject jSONObject) throws Descriptor.FormException {
        if (jSONObject == null) {
            return this;
        }
        this.tokenStore.reconfigure(convertToTokenMap(jSONObject.get("tokenStore")));
        return this;
    }

    /**
     * Normalises the submitted "tokenStore" value into a map keyed by token UUID. Accepts null
     * (empty map), a single JSONObject, or a JSONArray of objects; any other type is rejected
     * with an HTTP 400 error. When two entries share a UUID, the later one replaces the earlier.
     */
    private Map<String, JSONObject> convertToTokenMap(Object obj) {
        if (obj == null) {
            return Collections.emptyMap();
        }
        if (obj instanceof JSONObject) {
            HashMap hashMap = new HashMap();
            addJSONTokenIntoMap(hashMap, (JSONObject) obj);
            return hashMap;
        }
        if (!(obj instanceof JSONArray)) {
            throw HttpResponses.error(400, "Unexpected class received for the token store information");
        }
        JSONArray jSONArray = (JSONArray) obj;
        HashMap hashMap2 = new HashMap();
        for (int i = 0; i < jSONArray.size(); i++) {
            addJSONTokenIntoMap(hashMap2, jSONArray.getJSONObject(i));
        }
        return hashMap2;
    }

    /** Stores {@code jSONObject} in {@code map} under its "tokenUuid" value, which comes from the submitted form. */
    private void addJSONTokenIntoMap(Map<String, JSONObject> map, JSONObject jSONObject) {
        map.put(jSONObject.getString("tokenUuid"), jSONObject);
    }

    /**
     * Rotates the legacy token: checks access on the owning user, generates a new random value,
     * has the token store rebuild its legacy entry from it, drops the statistics of the previous
     * legacy entry and saves the user.
     */
    @Deprecated
    public void changeApiToken() throws IOException {
        this.user.checkPermission(Jenkins.ADMINISTER);
        LOGGER.log(Level.FINE, "Deprecated usage of changeApiToken");
        // Looked up before rotation so the statistics of the replaced entry can be removed below.
        ApiTokenStore.HashedToken legacyToken = this.tokenStore.getLegacyToken();
        _changeApiToken();
        this.tokenStore.regenerateTokenFromLegacy(this.apiToken);
        if (legacyToken != null) {
            this.tokenStats.removeId(legacyToken.getUuid());
        }
        this.user.save();
    }

    /** Replaces the legacy token with the hex form of 16 bytes (128 bits) drawn from SecureRandom. */
    @Deprecated
    private void _changeApiToken() {
        byte[] bArr = new byte[16];
        RANDOM.nextBytes(bArr);
        this.apiToken = Secret.fromString(Util.toHexString(bArr));
    }

    /**
     * Clears the legacy token field only. This method neither saves the user nor touches the
     * token store or statistics; callers handle that.
     */
    @Restricted({NoExternalUse.class})
    public void deleteApiToken() {
        this.apiToken = null;
    }

    /** Returns the internal token store instance itself, not a copy. */
    @Restricted({NoExternalUse.class})
    public ApiTokenStore getTokenStore() {
        return this.tokenStore;
    }

    /** Returns the internal statistics instance itself, not a copy. */
    @Restricted({NoExternalUse.class})
    public ApiTokenStats getTokenStats() {
        return this.tokenStats;
    }

    /**
     * Adds a token with a caller-chosen plain value and saves the user. No access check is made
     * here, and the value is passed to the store unchanged.
     *
     * @param str token name
     * @param str2 plain token value
     * @return the UUID of the new token
     */
    @NonNull
    @Restricted({Beta.class})
    public String addFixedNewToken(@NonNull String str, @NonNull String str2) throws IOException {
        String addFixedNewToken = this.tokenStore.addFixedNewToken(str, str2);
        this.user.save();
        return addFixedNewToken;
    }

    /**
     * Generates a new token and saves the user. No access check is made here. The returned
     * object carries the plain token value, so callers should avoid logging or persisting it.
     *
     * @param str token name
     * @return the UUID and plain value of the new token
     */
    @NonNull
    @Restricted({Beta.class})
    public TokenUuidAndPlainValue generateNewToken(@NonNull String str) throws IOException {
        TokenUuidAndPlainValue generateNewToken = this.tokenStore.generateNewToken(str);
        this.user.save();
        return generateNewToken;
    }

    /**
     * Removes all statistics and all tokens from the store, then saves the user. No access check
     * is made here. The {@code apiToken} field is not cleared by this method.
     */
    @Restricted({Beta.class})
    public void revokeAllTokens() throws IOException {
        this.tokenStats.removeAll();
        this.tokenStore.revokeAllTokens();
        this.user.save();
    }

    /**
     * Removes every token and statistics entry except the one identified by {@code str}, then
     * saves the user. No access check is made here.
     *
     * @param str UUID of the token to keep
     */
    @Restricted({Beta.class})
    public void revokeAllTokensExceptOne(@NonNull String str) throws IOException {
        this.tokenStats.removeAllExcept(str);
        this.tokenStore.revokeAllTokensExcept(str);
        this.user.save();
    }

    /**
     * Revokes one token. When the store finds it, its statistics are removed and the user is
     * saved; when the revoked token is the legacy one, the {@code apiToken} field is cleared as
     * well. An unknown UUID is silently ignored. No access check is made here.
     *
     * @param str UUID of the token to revoke
     */
    @Restricted({Beta.class})
    public void revokeToken(@NonNull String str) throws IOException {
        ApiTokenStore.HashedToken revokeToken = this.tokenStore.revokeToken(str);
        if (revokeToken != null) {
            if (revokeToken.isLegacy()) {
                this.apiToken = null;
            }
            this.tokenStats.removeId(revokeToken.getUuid());
            this.user.save();
        }
    }
}
