package org.jenkinsci.plugins.azurekeyvaultplugin;

import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.IdCredentials;
import com.cloudbees.plugins.credentials.common.StandardCredentials;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import com.microsoft.azure.keyvault.KeyVaultClient;
import com.microsoft.azure.keyvault.models.SecretBundle;
import com.microsoft.azure.util.AzureCredentials;
import hudson.EnvVars;
import hudson.Extension;
import hudson.FilePath;
import hudson.Launcher;
import hudson.console.ConsoleLogFilter;
import hudson.model.AbstractProject;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.model.Run;
import hudson.model.TaskListener;
import hudson.security.ACL;
import hudson.tasks.BuildWrapper;
import hudson.util.ListBoxModel;
import hudson.util.Secret;
import java.io.ByteArrayInputStream;
import java.io.OutputStream;
import java.net.URI;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.security.auth.login.CredentialException;
import javax.security.auth.login.CredentialNotFoundException;
import javax.xml.bind.DatatypeConverter;
import jenkins.tasks.SimpleBuildWrapper;
import net.sf.json.JSONObject;
import org.apache.commons.lang3.StringUtils;
import org.jenkinsci.plugins.plaincredentials.StringCredentials;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.StaplerRequest;

/* loaded from: input_file:org/jenkinsci/plugins/azurekeyvaultplugin/AzureKeyVaultBuildWrapper.class */
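/**
 * Build wrapper that fetches secrets and certificates from an Azure Key Vault and exposes them
 * to the build as environment variables.
 *
 * <p>Vault URL, application ID, application secret and credential ID can each be set on the
 * wrapper (the "override" values) or globally on {@link DescriptorImpl}; the override wins when
 * it is non-empty.
 */
public class AzureKeyVaultBuildWrapper extends SimpleBuildWrapper {
    private List<AzureKeyVaultSecret> azureKeyVaultSecrets;
    // Empty password used for both the source and the re-exported PKCS12 key stores.
    private static final char[] emptyCharArray = new char[0];
    private static final Logger LOGGER = Logger.getLogger("Jenkins.AzureKeyVaultBuildWrapper");
    // Values handed to MaskingConsoleLogFilter so they are hidden in the console log.
    // NOTE(review): this field holds plaintext secret values and is neither transient nor reset
    // between setUp() calls. If this wrapper instance is serialized after a build (presumably
    // with the job configuration), those values would be written out with it. Confirm, and
    // consider keeping the mask list in per-build state instead.
    private List<String> valuesToMask = new ArrayList<>();
    private String keyVaultURL;
    private String applicationID;
    private Secret applicationSecret;
    private String credentialID;

    /** Global configuration for the wrapper; values here are the fallback for every job. */
    @Extension
    /* loaded from: input_file:org/jenkinsci/plugins/azurekeyvaultplugin/AzureKeyVaultBuildWrapper$DescriptorImpl.class */
    public static final class DescriptorImpl extends Descriptor<BuildWrapper> {
        private String keyVaultURL;
        private String applicationID;
        private Secret applicationSecret;
        private String credentialID;

        public DescriptorImpl() {
            super(AzureKeyVaultBuildWrapper.class);
            // Restore the persisted global configuration.
            load();
        }

        /**
         * Populates the global credential-ID drop-down.
         *
         * @param item the item whose configuration page issued the request, or {@code null}
         * @return the selectable credentials, or only the empty entry when the caller may not
         *     list credentials for {@code item}
         */
        public ListBoxModel doFillCredentialIDItems(@AncestorInPath Item item) {
            return credentialItems(item);
        }

        /**
         * Populates the per-job (override) credential-ID drop-down.
         *
         * @param item the item whose configuration page issued the request, or {@code null}
         * @return the selectable credentials, or only the empty entry when the caller may not
         *     list credentials for {@code item}
         */
        public ListBoxModel doFillCredentialIDOverrideItems(@AncestorInPath Item item) {
            return credentialItems(item);
        }

        /**
         * Builds the credential list shared by both drop-downs.
         *
         * <p>The list is resolved as {@code ACL.SYSTEM}, so it is not limited by what the
         * requesting user may see. These methods are web-bound form helpers, so the caller's
         * permission on the item is checked before any credential is listed.
         */
        private ListBoxModel credentialItems(Item item) {
            StandardListBoxModel model = new StandardListBoxModel();
            if (item != null
                    && !item.hasPermission(Item.EXTENDED_READ)
                    && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
                // Caller can neither read the item's configuration nor use its credentials.
                return model.includeEmptyValue();
            }
            // NOTE(review): when item is null (no ancestor item, e.g. the global configuration
            // page) no permission is checked here. That case should require Overall/Administer
            // on the Jenkins root; the check needs jenkins.model.Jenkins, which this file does
            // not import.
            return model.includeEmptyValue().includeAs(ACL.SYSTEM, item, StandardCredentials.class);
        }

        /** Always {@code true}: the wrapper is offered for every project type. */
        public boolean isApplicable(AbstractProject<?, ?> abstractProject) {
            return true;
        }

        public String getKeyVaultURL() {
            return this.keyVaultURL;
        }

        public void setKeyVaultUrl(String str) {
            this.keyVaultURL = str;
        }

        public String getApplicationID() {
            return this.applicationID;
        }

        public void setApplicationID(String str) {
            this.applicationID = str;
        }

        public Secret getApplicationSecret() {
            return this.applicationSecret;
        }

        /** Stores the global application secret wrapped in a {@link Secret}. */
        public void setApplicationSecret(String str) {
            this.applicationSecret = Secret.fromString(str);
        }

        public String getCredentialID() {
            return this.credentialID;
        }

        public void setCredentialID(String str) {
            this.credentialID = str;
        }

        public String getDisplayName() {
            return "Azure Key Vault Plugin";
        }

        /**
         * Reads the global settings from the submitted form and persists them.
         *
         * @param staplerRequest the form submission request
         * @param jSONObject the submitted form data; must contain {@code keyVaultURL},
         *     {@code applicationID}, {@code applicationSecret} and {@code credentialID}
         * @return the result of the superclass {@code configure}
         * @throws Descriptor.FormException declared by the overridden method
         */
        public boolean configure(StaplerRequest staplerRequest, JSONObject jSONObject) throws Descriptor.FormException {
            this.keyVaultURL = jSONObject.getString("keyVaultURL");
            this.applicationID = jSONObject.getString("applicationID");
            this.applicationSecret = Secret.fromString(jSONObject.getString("applicationSecret"));
            this.credentialID = jSONObject.getString("credentialID");
            save();
            return super.configure(staplerRequest, jSONObject);
        }
    }

    /**
     * @param list the secrets to fetch for the build; may be {@code null}, in which case
     *     {@link #setUp} does nothing
     */
    @DataBoundConstructor
    public AzureKeyVaultBuildWrapper(@CheckForNull List<AzureKeyVaultSecret> list) {
        this.azureKeyVaultSecrets = list;
    }

    public String getKeyVaultURLOverride() {
        return this.keyVaultURL;
    }

    @DataBoundSetter
    public void setKeyVaultURLOverride(String str) {
        this.keyVaultURL = str;
    }

    public String getApplicationIDOverride() {
        return this.applicationID;
    }

    @DataBoundSetter
    public void setApplicationIDOverride(String str) {
        this.applicationID = str;
    }

    public Secret getApplicationSecretOverride() {
        return this.applicationSecret;
    }

    /** Stores the per-job application secret wrapped in a {@link Secret}. */
    @DataBoundSetter
    public void setApplicationSecretOverride(String str) {
        this.applicationSecret = Secret.fromString(str);
    }

    public String getCredentialIDOverride() {
        return this.credentialID;
    }

    @DataBoundSetter
    public void setCredentialIDOverride(String str) {
        this.credentialID = str;
    }

    /**
     * Resolves the vault URL, preferring the per-job override over the global value.
     *
     * @return the effective key vault URL
     * @throws AzureKeyVaultException if neither the override nor the global URL is set
     */
    public String getKeyVaultURL() {
        if (StringUtils.isNotEmpty(this.keyVaultURL)) {
            return this.keyVaultURL;
        }
        String globalUrl = m1getDescriptor().getKeyVaultURL();
        if (StringUtils.isNotEmpty(globalUrl)) {
            return globalUrl;
        }
        throw new AzureKeyVaultException("No key vault url configured, set one globally or in the build wrap step");
    }

    /** Creates the console filter that hides the values collected in {@code valuesToMask}. */
    public ConsoleLogFilter createLoggerDecorator(@Nonnull Run<?, ?> run) {
        return new MaskingConsoleLogFilter(run.getCharset().name(), this.valuesToMask);
    }

    /**
     * Resolves the credential used to talk to the vault: the per-job override first, then the
     * global configuration.
     *
     * <p>If an override credential ID is set but cannot be resolved, the lookup throws and the
     * global configuration is not tried.
     *
     * @param run the build the credential is resolved for
     * @return a credential for which {@code isValid()} is true
     * @throws CredentialNotFoundException if neither source yields a valid credential
     * @throws CredentialException if a referenced credential has an unsupported type
     */
    public AzureKeyVaultCredential getKeyVaultCredential(Run<?, ?> run) throws CredentialException {
        LOGGER.log(Level.INFO, "Trying override credentials...");
        AzureKeyVaultCredential overrideCredential = getKeyVaultCredential(run, this.applicationSecret, this.credentialID);
        if (overrideCredential.isValid()) {
            LOGGER.log(Level.INFO, "Using override credentials");
            return overrideCredential;
        }
        LOGGER.log(Level.INFO, "Trying global credentials");
        DescriptorImpl descriptor = m1getDescriptor();
        AzureKeyVaultCredential globalCredential = getKeyVaultCredential(run, descriptor.getApplicationSecret(), descriptor.getCredentialID());
        if (!globalCredential.isValid()) {
            throw new CredentialNotFoundException("Unable to find a valid credential with provided parameters");
        }
        LOGGER.log(Level.INFO, "Using global credentials");
        return globalCredential;
    }

    /**
     * Builds a credential from a credential ID if one is given, otherwise from an explicit
     * application secret.
     *
     * @param run the build the credential is resolved for
     * @param secret explicit application secret, used only when {@code str} is empty
     * @param str credential ID to look up; takes precedence over {@code secret}
     * @return the resolved credential, or an empty one when both inputs are empty
     * @throws CredentialException if the credential ID cannot be resolved or has an
     *     unsupported type
     */
    public AzureKeyVaultCredential getKeyVaultCredential(Run<?, ?> run, Secret secret, String str) throws CredentialException {
        if (StringUtils.isNotEmpty(str)) {
            LOGGER.log(Level.INFO, "Fetching credentials by ID");
            AzureKeyVaultCredential credentialById = getCredentialById(str, run);
            if (!credentialById.isApplicationIDValid()) {
                // The stored credential carried no application ID; take it from configuration.
                LOGGER.log(Level.INFO, "Credential is password-only. Setting the username");
                credentialById.setApplicationID(getApplicationID());
            }
            return credentialById;
        }
        if (AzureKeyVaultUtil.isNotEmpty(secret)) {
            LOGGER.log(Level.WARNING, "Using explicit application secret. This will be deprecated in 1.0. Use Credential ID instead.");
            return new AzureKeyVaultCredential(getApplicationID(), secret);
        }
        return new AzureKeyVaultCredential();
    }

    /**
     * Resolves the application ID, preferring the per-job override over the global value.
     *
     * @return the override if non-empty, otherwise whatever the descriptor holds (not checked
     *     for emptiness here)
     */
    public String getApplicationID() {
        if (StringUtils.isNotEmpty(this.applicationID)) {
            LOGGER.log(Level.INFO, "Using override Application ID");
            return this.applicationID;
        }
        LOGGER.log(Level.INFO, "Using global Application ID");
        return m1getDescriptor().getApplicationID();
    }

    /**
     * Looks up a stored credential in the context of {@code run} and converts it to an
     * {@link AzureKeyVaultCredential}.
     *
     * <p>Supported types are {@code StringCredentials} (secret only),
     * {@code StandardUsernamePasswordCredentials} and {@code AzureCredentials}. Each successful
     * lookup is recorded with {@code CredentialsProvider.track}.
     *
     * @param str the credential ID
     * @param run the build the credential is resolved for
     * @return the converted credential
     * @throws CredentialNotFoundException if no credential with that ID is found
     * @throws CredentialException if the credential has an unsupported type
     */
    public AzureKeyVaultCredential getCredentialById(String str, Run<?, ?> run) throws CredentialException {
        AzureKeyVaultCredential azureKeyVaultCredential = new AzureKeyVaultCredential();
        // Typed as IdCredentials (the class passed to the lookup): the result is only narrowed
        // after a type check, so a non-Azure credential no longer has to fit an AzureCredentials
        // variable.
        IdCredentials found = CredentialsProvider.findCredentialById(str, IdCredentials.class, run, new DomainRequirement[0]);
        if (found == null) {
            throw new CredentialNotFoundException(str);
        }
        if (found instanceof StringCredentials) {
            LOGGER.log(Level.INFO, String.format("Fetched %s as StringCredentials", str));
            CredentialsProvider.track(run, found);
            azureKeyVaultCredential.setApplicationSecret(((StringCredentials) found).getSecret());
            return azureKeyVaultCredential;
        }
        if (found instanceof StandardUsernamePasswordCredentials) {
            LOGGER.log(Level.INFO, String.format("Fetched %s as StandardUsernamePasswordCredentials", str));
            CredentialsProvider.track(run, found);
            StandardUsernamePasswordCredentials userPass = (StandardUsernamePasswordCredentials) found;
            azureKeyVaultCredential.setApplicationID(userPass.getUsername());
            azureKeyVaultCredential.setApplicationSecret(userPass.getPassword());
            return azureKeyVaultCredential;
        }
        if (!(found instanceof AzureCredentials)) {
            throw new CredentialException("Could not determine the type for Secret id " + str + " only 'Secret Text', 'Username/Password', and 'Microsoft Azure Service Principal' are supported");
        }
        LOGGER.log(Level.INFO, String.format("Fetched %s as AzureCredentials", str));
        CredentialsProvider.track(run, found);
        AzureCredentials azureCredentials = (AzureCredentials) found;
        azureKeyVaultCredential.setApplicationID(azureCredentials.getClientId());
        azureKeyVaultCredential.setApplicationSecret(azureCredentials.getPlainClientSecret());
        return azureKeyVaultCredential;
    }

    public List<AzureKeyVaultSecret> getAzureKeyVaultSecrets() {
        return this.azureKeyVaultSecrets;
    }

    /* renamed from: getDescriptor, reason: merged with bridge method [inline-methods] */
    public DescriptorImpl m1getDescriptor() {
        return (DescriptorImpl) super.getDescriptor();
    }

    /**
     * Fetches one secret from the configured vault.
     *
     * @throws AzureKeyVaultException wrapping any failure of the vault call
     */
    private SecretBundle getSecret(KeyVaultClient keyVaultClient, AzureKeyVaultSecret azureKeyVaultSecret) {
        try {
            return keyVaultClient.getSecret(getKeyVaultURL(), azureKeyVaultSecret.getName(), azureKeyVaultSecret.getVersion());
        } catch (Exception e) {
            throw new AzureKeyVaultException(e.getMessage(), e);
        }
    }

    /**
     * Re-exports a base64-encoded PKCS12 bundle into a new temp file under {@code workspace}.
     *
     * <p>NOTE(review): the file contains private keys, is stored with an empty password, and
     * nothing in this class deletes it or registers a disposer. Confirm that cleanup happens
     * elsewhere, or remove the file when the wrapped block ends.
     *
     * @return the path component of the temp file's URI
     * @throws Exception on any decoding, key store or I/O failure
     */
    private String exportCertificate(FilePath workspace, SecretBundle bundle) throws Exception {
        byte[] pkcs12Bytes = DatatypeConverter.parseBase64Binary(bundle.value());
        KeyStore source = KeyStore.getInstance("PKCS12");
        source.load(new ByteArrayInputStream(pkcs12Bytes), emptyCharArray);
        KeyStore target = KeyStore.getInstance("PKCS12");
        target.load(null, null);
        Enumeration<String> aliases = source.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            target.setKeyEntry(alias, source.getKey(alias, emptyCharArray), emptyCharArray, source.getCertificateChain(alias));
        }
        FilePath pfxFile = workspace.createTempFile("keyvault", "pfx");
        // try-with-resources so the stream is closed even when store() fails part-way.
        try (OutputStream out = pfxFile.write()) {
            target.store(out, emptyCharArray);
        }
        URI uri = pfxFile.toURI();
        return uri.getPath();
    }

    /**
     * Fetches every configured secret and publishes it to the build environment.
     *
     * <p>Password secrets are exported by value; certificate secrets are written to a PFX file
     * and exported as that file's path. Every exported value is also added to the masking list.
     * A missing password secret fails the build; a missing certificate secret is skipped.
     *
     * @throws AzureKeyVaultException if no valid credential is available, a password secret is
     *     not found, or fetching or exporting a secret fails
     */
    public void setUp(SimpleBuildWrapper.Context context, Run<?, ?> run, FilePath filePath, Launcher launcher, TaskListener taskListener, EnvVars envVars) {
        if (this.azureKeyVaultSecrets == null || this.azureKeyVaultSecrets.isEmpty()) {
            return;
        }
        AzureKeyVaultCredential keyVaultCredential;
        try {
            keyVaultCredential = getKeyVaultCredential(run);
        } catch (CredentialException e) {
            throw new AzureKeyVaultException(e.getMessage(), e);
        }
        if (keyVaultCredential == null || !keyVaultCredential.isValid()) {
            throw new AzureKeyVaultException("No valid credentials were found for accessing KeyVault");
        }
        KeyVaultClient keyVaultClient = new KeyVaultClient(keyVaultCredential);
        for (AzureKeyVaultSecret azureKeyVaultSecret : this.azureKeyVaultSecrets) {
            if (azureKeyVaultSecret.isPassword()) {
                SecretBundle passwordBundle = getSecret(keyVaultClient, azureKeyVaultSecret);
                if (passwordBundle == null) {
                    throw new AzureKeyVaultException(String.format("Secret: %s not found", azureKeyVaultSecret.getName()));
                }
                this.valuesToMask.add(passwordBundle.value());
                context.env(azureKeyVaultSecret.getEnvVariable(), passwordBundle.value());
            } else if (azureKeyVaultSecret.isCertificate()) {
                SecretBundle certificateBundle = getSecret(keyVaultClient, azureKeyVaultSecret);
                if (certificateBundle == null) {
                    continue;
                }
                try {
                    String pfxPath = exportCertificate(filePath, certificateBundle);
                    this.valuesToMask.add(pfxPath);
                    context.env(azureKeyVaultSecret.getEnvVariable(), pfxPath);
                } catch (Exception e) {
                    throw new AzureKeyVaultException(e.getMessage(), e);
                }
            }
        }
    }
}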
