package jenkins.security.seed;

import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import hudson.BulkChange;
import hudson.Extension;
import hudson.model.User;
import hudson.model.UserProperty;
import hudson.model.UserPropertyDescriptor;
import hudson.util.HttpResponses;
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Objects;
import jenkins.model.Jenkins;
import jenkins.security.LastGrantedAuthoritiesProperty;
import jenkins.util.SystemProperties;
import org.apache.commons.codec.binary.Hex;
import org.jenkinsci.Symbol;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.DoNotUse;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;

/* loaded from: input_file:WEB-INF/lib/jenkins-core-2.443-rc34576.2c7c0fddb_b_4e.jar:jenkins/security/seed/UserSeedProperty.class */
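/**
 * Per-user property that holds a random hex "seed" string.
 *
 * <p>The seed is generated when the property is created and replaced on {@link #renewSeed()},
 * which also notifies {@link UserSeedChangeListener}.
 *
 * <p>NOTE(review): {@link #USER_SESSION_SEED} is not read or written in this file. Its name
 * suggests the seed is copied into the HTTP session under that key and compared elsewhere, so
 * that renewing the seed makes existing sessions stale. Confirm against the code that consumes it.
 *
 * <p>Security-relevant behaviour visible here:
 * <ul>
 *   <li>{@link #DISABLE_USER_SEED} and {@link #HIDE_USER_SEED_SECTION} are public, non-final
 *       statics, deliberately so ("for script console"). Any code running in the JVM can flip
 *       them at runtime; treat a change to either as a security-relevant configuration change.</li>
 *   <li>{@link #HIDE_USER_SEED_SECTION} only affects {@link DescriptorImpl#isEnabled()}. The
 *       renew endpoint does not consult it, so hiding the section does not disable renewal.</li>
 * </ul>
 */
public class UserSeedProperty extends UserProperty {
    // Presumably the session attribute key under which the seed is stored; not used in this file.
    public static final String USER_SESSION_SEED = "_JENKINS_SESSION_SEED";

    // Number of random bytes per seed; hex encoding yields twice as many characters.
    private static final int SEED_NUM_BYTES = 8;

    // Current seed as lowercase hex; replaced by renewSeedInternal().
    private String seed;

    // Read once from the system property "<this class name>.disableUserSeed".
    // When true, doRenewSessionSeed answers 404 and the descriptor reports itself disabled.
    @Restricted({NoExternalUse.class})
    @SuppressFBWarnings(value = {"MS_SHOULD_BE_FINAL"}, justification = "for script console")
    public static boolean DISABLE_USER_SEED = SystemProperties.getBoolean(UserSeedProperty.class.getName() + ".disableUserSeed");

    // Read once from the system property "<this class name>.hideUserSeedSection".
    // Only consulted by DescriptorImpl.isEnabled(); the renew endpoint ignores it.
    @Restricted({NoExternalUse.class})
    @SuppressFBWarnings(value = {"MS_SHOULD_BE_FINAL"}, justification = "for script console")
    public static boolean HIDE_USER_SEED_SECTION = SystemProperties.getBoolean(UserSeedProperty.class.getName() + ".hideUserSeedSection");

    // Cryptographically strong source for seed bytes; shared by all instances.
    private static final SecureRandom RANDOM = new SecureRandom();

    /* loaded from: input_file:WEB-INF/lib/jenkins-core-2.443-rc34576.2c7c0fddb_b_4e.jar:jenkins/security/seed/UserSeedProperty$DescriptorImpl.class */
    /**
     * Descriptor for {@link UserSeedProperty}; also exposes the HTTP endpoint that renews a
     * user's seed.
     */
    @Extension
    @Symbol({"userSeed"})
    public static final class DescriptorImpl extends UserPropertyDescriptor {
        @Override // hudson.model.Descriptor
        @NonNull
        public String getDisplayName() {
            return Messages.UserSeedProperty_DisplayName();
        }

        /**
         * Creates a property with a freshly generated seed.
         *
         * @param user the owning user; not used when building the instance
         * @return a new property whose seed has already been generated
         */
        @Override // hudson.model.UserPropertyDescriptor
        public UserSeedProperty newInstance(User user) {
            return new UserSeedProperty();
        }

        /**
         * Tells whether {@code user} is the user returned by {@link User#current()}.
         *
         * @param user the user to compare against the current one
         * @return {@code true} when both are equal
         */
        @Restricted({DoNotUse.class})
        public boolean isCurrentUser(@NonNull User user) {
            return Objects.equals(User.current(), user);
        }

        /**
         * Replaces the seed of {@code user} and saves the user in a single bulk change.
         *
         * <p>The permission check runs before the feature flag is examined, so a caller without
         * {@link Jenkins#ADMINISTER} on the target user is rejected without learning whether the
         * feature is disabled. The method is POST-only and synchronized on this descriptor, so
         * renewals are processed one at a time.
         *
         * @param user the user whose seed is renewed, taken from the request path
         * @return an OK response on success, or a 404 error response when
         *     {@link UserSeedProperty#DISABLE_USER_SEED} is set
         * @throws IOException propagated from the operations inside the bulk change
         */
        @RequirePOST
        public synchronized HttpResponse doRenewSessionSeed(@NonNull @AncestorInPath User user) throws IOException {
            user.checkPermission(Jenkins.ADMINISTER);
            if (UserSeedProperty.DISABLE_USER_SEED) {
                return HttpResponses.error(404, "User seed feature is disabled");
            }
            // try-with-resources closes the BulkChange exactly once on every path; if commit()
            // was not reached, nothing is committed.
            try (BulkChange bulkChange = new BulkChange(user)) {
                UserSeedProperty seedProperty = user.getProperty(UserSeedProperty.class);
                seedProperty.renewSeed();

                // The authorities property is optional; when present it is invalidated in the
                // same bulk change as the seed renewal.
                LastGrantedAuthoritiesProperty grantedAuthorities = user.getProperty(LastGrantedAuthoritiesProperty.class);
                if (grantedAuthorities != null) {
                    grantedAuthorities.invalidate();
                }
                bulkChange.commit();
            }
            return HttpResponses.ok();
        }

        /**
         * Reports whether this property is enabled.
         *
         * @return {@code false} when either {@link UserSeedProperty#DISABLE_USER_SEED} or
         *     {@link UserSeedProperty#HIDE_USER_SEED_SECTION} is set, {@code true} otherwise
         */
        @Override // hudson.model.UserPropertyDescriptor
        public boolean isEnabled() {
            return !(UserSeedProperty.DISABLE_USER_SEED || UserSeedProperty.HIDE_USER_SEED_SECTION);
        }
    }

    /**
     * Generates the initial seed. Uses the internal variant, so no listener is notified for the
     * initial value.
     */
    private UserSeedProperty() {
        renewSeedInternal();
    }

    /**
     * Returns the current seed.
     *
     * @return the seed as a hex string
     */
    @NonNull
    public String getSeed() {
        return this.seed;
    }

    /**
     * Replaces the seed with a new random value and notifies {@link UserSeedChangeListener}
     * for the owning user. This method does not save the user; persisting is left to the caller.
     */
    public void renewSeed() {
        renewSeedInternal();
        UserSeedChangeListener.fireUserSeedRenewed(this.user);
    }

    /**
     * Draws random bytes until the hex-encoded result differs from the current seed, then
     * stores it. Guarantees that a renewal always changes the value.
     */
    private void renewSeedInternal() {
        String previousSeed = this.seed;
        String candidate = previousSeed;
        byte[] randomBytes = new byte[SEED_NUM_BYTES];
        // On first use both values are null, so the loop body runs at least once.
        while (Objects.equals(candidate, previousSeed)) {
            RANDOM.nextBytes(randomBytes);
            candidate = new String(Hex.encodeHex(randomBytes));
        }
        this.seed = candidate;
    }
}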
