package io.jenkins.blueocean.auth.jwt.impl;

import com.fasterxml.jackson.annotation.JsonProperty;
import com.google.common.collect.ImmutableList;
import hudson.Extension;
import hudson.Plugin;
import hudson.model.User;
import hudson.remoting.Base64;
import hudson.tasks.Mailer;
import io.jenkins.blueocean.auth.jwt.JwkService;
import io.jenkins.blueocean.auth.jwt.JwtAuthenticationService;
import io.jenkins.blueocean.auth.jwt.JwtToken;
import io.jenkins.blueocean.commons.ServiceException;
import io.jenkins.blueocean.rest.model.BlueUser;
import java.io.IOException;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;
import java.util.UUID;
import javax.annotation.Nullable;
import jenkins.model.Jenkins;
import net.sf.json.JSONObject;
import org.acegisecurity.Authentication;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.Use;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jwt.ReservedClaimNames;
import org.kohsuke.stapler.QueryParameter;

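@Extension
/**
 * Blue Ocean JWT endpoint: issues a token describing the currently authenticated Jenkins
 * user and publishes the RSA public keys (as JWK documents) used to verify those tokens.
 */
public class JwtImpl extends JwtAuthenticationService {
    /** Token lifetime in seconds when neither the request nor a system property sets one. */
    private static final int DEFAULT_EXPIRY_IN_SEC = 1800;

    /** Upper bound, in minutes, on a caller-requested lifetime when no system property sets one. */
    private static final int DEFAULT_MAX_EXPIRY_TIME_IN_MIN = 480;

    /** Seconds subtracted from the issue time for the not-before claim, to tolerate clock skew. */
    private static final int DEFAULT_NOT_BEFORE_IN_SEC = 30;

    /** Serves the public half of one signing key, selected by key id, as a JWK document. */
    public class JwkFactory extends JwkService {
        private final String keyId;

        /**
         * @param str key id ("kid") of the signing key to publish
         */
        public JwkFactory(String str) {
            this.keyId = str;
        }

        /**
         * Builds the JWK for this key id.
         *
         * @return JSON object holding the key type, algorithm, kid, use, key operations,
         *         modulus and public exponent
         * @throws ServiceException.NotFoundException if no key exists for the key id
         * @throws ServiceException.UnexpectedErrorException if reading the key fails with an I/O error
         */
        @Override
        public JSONObject getJwk() {
            // NOTE(review): keyId reaches this point from getJwks(String) with only a null check.
            // Confirm that JwtRsaDigitalSignatureKey constrains the id before using it as a
            // storage key, since the value is caller-supplied.
            JwtToken.JwtRsaDigitalSignatureKey signingKey = new JwtToken.JwtRsaDigitalSignatureKey(this.keyId);
            try {
                if (!signingKey.exists()) {
                    throw new ServiceException.NotFoundException(String.format("kid %s not found", this.keyId));
                }
                RSAPublicKey publicKey = signingKey.getPublicKey();
                JSONObject jwk = new JSONObject();
                jwk.put(JsonWebKey.KEY_TYPE_PARAMETER, "RSA");
                jwk.put("alg", AlgorithmIdentifiers.RSA_USING_SHA256);
                jwk.put("kid", this.keyId);
                jwk.put(JsonWebKey.USE_PARAMETER, Use.SIGNATURE);
                // Only the public key is published, so verification is the sole advertised operation.
                jwk.put(JsonWebKey.KEY_OPERATIONS, ImmutableList.of("verify"));
                // NOTE(review): RFC 7518 section 6.3.1 asks for the base64url encoding of the
                // unsigned big-endian value. BigInteger.toByteArray() is two's complement and can
                // carry a leading zero byte, and hudson.remoting.Base64 is presumably the standard
                // alphabet. Left unchanged because existing verifiers may depend on this encoding;
                // confirm against the consumers of this endpoint.
                jwk.put(RsaJsonWebKey.MODULUS_MEMBER_NAME, Base64.encode(publicKey.getModulus().toByteArray()));
                jwk.put(RsaJsonWebKey.EXPONENT_MEMBER_NAME, Base64.encode(publicKey.getPublicExponent().toByteArray()));
                return jwk;
            } catch (IOException e) {
                throw new ServiceException.UnexpectedErrorException("Unexpected error: " + e.getMessage(), e);
            }
        }
    }

    /**
     * Issues a JWT for the current authentication.
     *
     * <p>The lifetime defaults to {@code DEFAULT_EXPIRY_IN_SEC}, or to the
     * {@code EXPIRY_TIME_IN_MINS} system property when set. A caller may request a different
     * lifetime, bounded by the {@code MAX_EXPIRY_TIME_IN_MINS} system property or
     * {@code DEFAULT_MAX_EXPIRY_TIME_IN_MIN}.
     *
     * @param num requested lifetime in minutes, or {@code null} for the default
     * @param num2 requested cap in minutes; it can only lower the server-side cap
     * @return token with the jti, iss, sub, name, iat, exp and nbf claims and a
     *         {@code context.user} object holding id, full name and e-mail
     * @throws ServiceException.BadRequestExpception if the requested lifetime exceeds the cap
     * @throws ServiceException.UnauthorizedException if there is no current authentication
     * @throws NumberFormatException if either system property is set to a non-integer
     */
    @Override
    public JwtToken getToken(@Nullable @QueryParameter("expiryTimeInMins") Integer num, @Nullable @QueryParameter("maxExpiryTimeInMins") Integer num2) {
        long expirySeconds = DEFAULT_EXPIRY_IN_SEC;
        String configuredExpiry = System.getProperty("EXPIRY_TIME_IN_MINS");
        if (configuredExpiry != null) {
            // The property is expressed in minutes while the exp claim is computed in seconds.
            expirySeconds = Integer.parseInt(configuredExpiry) * 60L;
        }

        int maxExpiryMinutes = DEFAULT_MAX_EXPIRY_TIME_IN_MIN;
        String configuredMax = System.getProperty("MAX_EXPIRY_TIME_IN_MINS");
        if (configuredMax != null) {
            maxExpiryMinutes = Integer.parseInt(configuredMax);
        }
        if (num2 != null) {
            // maxExpiryTimeInMins is a request parameter: it may tighten the server-side cap but
            // must not raise it, otherwise the caller chooses the limit it is checked against.
            maxExpiryMinutes = Math.min(maxExpiryMinutes, num2.intValue());
        }
        if (num != null) {
            if (num.intValue() > maxExpiryMinutes) {
                throw new ServiceException.BadRequestExpception(String.format("expiryTimeInMins %s can't be greater than %s", num, Integer.valueOf(maxExpiryMinutes)));
            }
            // Long arithmetic so a large minute count cannot wrap into a wrong lifetime.
            expirySeconds = num.intValue() * 60L;
        }

        Jenkins jenkins = Jenkins.getInstance();
        Authentication authentication = Jenkins.getAuthentication();
        // NOTE(review): only a null authentication is rejected. If an anonymous Authentication is
        // returned when nobody is logged in, a token is still issued for that principal -
        // confirm this is intended.
        if (authentication == null) {
            throw new ServiceException.UnauthorizedException("Unauthorized: No login session found");
        }

        String subject = authentication.getName();
        String email = null;
        String fullName = null;
        // Look the user up by the authenticated name, passing false as the second argument.
        User user = User.get(subject, false, Collections.emptyMap());
        if (user != null) {
            fullName = user.getFullName();
            subject = user.getId();
            Mailer.UserProperty mailProperty = (Mailer.UserProperty) user.getProperty(Mailer.UserProperty.class);
            if (mailProperty != null) {
                email = mailProperty.getAddress();
            }
        }

        Plugin plugin = jenkins.getPlugin("blueocean-jwt");
        String issuer = "blueocean-jwt:" + (plugin != null ? plugin.getWrapper().getVersion() : "");

        JwtToken jwtToken = new JwtToken();
        jwtToken.claim.put(ReservedClaimNames.JWT_ID, UUID.randomUUID().toString().replace("-", ""));
        jwtToken.claim.put(ReservedClaimNames.ISSUER, issuer);
        jwtToken.claim.put(ReservedClaimNames.SUBJECT, subject);
        jwtToken.claim.put("name", fullName);

        long issuedAt = System.currentTimeMillis() / 1000;
        jwtToken.claim.put(ReservedClaimNames.ISSUED_AT, Long.valueOf(issuedAt));
        jwtToken.claim.put(ReservedClaimNames.EXPIRATION_TIME, Long.valueOf(issuedAt + expirySeconds));
        // Backdated so a verifier whose clock runs slightly behind still accepts the token.
        jwtToken.claim.put(ReservedClaimNames.NOT_BEFORE, Long.valueOf(issuedAt - DEFAULT_NOT_BEFORE_IN_SEC));

        JSONObject userContext = new JSONObject();
        userContext.put("id", subject);
        userContext.put("fullName", fullName);
        userContext.put(BlueUser.EMAIL, email);
        JSONObject context = new JSONObject();
        context.put("user", userContext);
        jwtToken.claim.put("context", context);
        return jwtToken;
    }

    /**
     * Returns the JWK service for one signing key.
     *
     * @param str key id ("kid") of the key to publish
     * @return service exposing that key's public JWK
     * @throws ServiceException.BadRequestExpception if the key id is {@code null}
     */
    @Override
    public JwkFactory getJwks(String str) {
        if (str == null) {
            throw new ServiceException.BadRequestExpception("keyId is required");
        }
        return new JwkFactory(str);
    }

    /** @return always {@code null} */
    public String getIconFileName() {
        return null;
    }

    /** @return display name of this endpoint */
    public String getDisplayName() {
        return "BlueOcean Jwt endpoint";
    }
}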
