package org.jenkinsci.plugins.googlelogin;

import com.google.api.client.auth.oauth2.AuthorizationCodeFlow;
import com.google.api.client.auth.oauth2.BearerToken;
import com.google.api.client.auth.oauth2.ClientParametersAuthentication;
import com.google.api.client.auth.oauth2.Credential;
import com.google.api.client.auth.openidconnect.IdToken;
import com.google.api.client.auth.openidconnect.IdTokenResponse;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpRequest;
import com.google.api.client.http.HttpRequestInitializer;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.JsonObjectParser;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.common.annotations.VisibleForTesting;
import hudson.Extension;
import hudson.Util;
import hudson.model.Descriptor;
import hudson.model.Failure;
import hudson.model.User;
import hudson.security.SecurityRealm;
import hudson.util.HttpResponses;
import hudson.util.Secret;
import java.io.IOException;
import java.util.Arrays;
import java.util.StringTokenizer;
import jenkins.model.Jenkins;
import jenkins.security.SecurityListener;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.providers.anonymous.AnonymousAuthenticationToken;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.DoNotUse;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.Header;
import org.kohsuke.stapler.HttpRedirect;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.Stapler;
import org.kohsuke.stapler.StaplerRequest;

/* loaded from: input_file:WEB-INF/lib/google-login.jar:org/jenkinsci/plugins/googlelogin/GoogleOAuth2SecurityRealm.class */
/**
 * Jenkins {@link SecurityRealm} that authenticates users through Google's OAuth2 /
 * OpenID Connect authorization-code flow.
 *
 * <p>Login is a two-leg web flow: {@link #doCommenceLogin} builds the authorization
 * request and parks an {@link OAuthSession} in the HTTP session, and
 * {@link #doFinishLogin} (the callback Google redirects back to) hands the callback
 * to that session. On success the code is exchanged server-side for tokens, the
 * {@code hd} claim of the returned ID token is checked against the configured
 * domain list, and the Google account e-mail becomes the Jenkins user id.
 *
 * <p>Security-relevant points, as implemented below:
 * <ul>
 *   <li>The client secret is held as a Jenkins {@link Secret}, not a plain String.</li>
 *   <li>Post-login redirect targets are filtered through {@link Util#isSafeToRedirectTo}
 *       (open-redirect guard).</li>
 *   <li>The pre-login HTTP session is invalidated and a fresh one started before the
 *       authentication is attached (session-fixation guard).</li>
 *   <li>The ID token is obtained by a direct server-to-server call to
 *       {@link #TOKEN_SERVER_URL}; it is decoded with {@code IdToken.parse} but no
 *       explicit signature/audience verification call is made in this class.</li>
 * </ul>
 *
 * <p>Note: this listing is decompiled (see the JADX markers); parameter names were lost.
 */
public class GoogleOAuth2SecurityRealm extends SecurityRealm {
    /** OAuth scopes requested from Google (space separated, passed as one element). */
    private static final String SCOPE = "profile email";
    /** Google's end-user authorization endpoint (browser is redirected here). */
    private static final String AUTHORIZATION_SERVER_URL = "https://accounts.google.com/o/oauth2/auth";
    /** OAuth client id registered with Google. */
    private final String clientId;
    /** OAuth client secret, stored as a Jenkins {@link Secret}. */
    private final Secret clientSecret;
    /**
     * Comma-separated list of Google Workspace domains allowed to log in, or {@code null}
     * (blank input is normalized to null in the constructor) to accept any account.
     */
    private final String domain;
    /**
     * When true, the Jenkins root URL (and therefore the OAuth redirect_uri) is derived
     * from the incoming request instead of the configured root URL; see {@link #getRootURL}.
     */
    private boolean rootURLFromRequest;
    private static final JsonFactory JSON_FACTORY = new JacksonFactory();
    /** Google's token endpoint; the code-for-token exchange is a back-channel call here. */
    private static final GenericUrl TOKEN_SERVER_URL = new GenericUrl("https://accounts.google.com/o/oauth2/token");
    private static final HttpTransport HTTP_TRANSPORT = new NetHttpTransport();
    /** HTTP-session attribute under which the in-flight {@link OAuthSession} is kept. */
    private static final String SESSION_NAME = GoogleOAuth2SecurityRealm.class.getName() + ".OAuthSession";

    @Extension
    /* loaded from: input_file:WEB-INF/lib/google-login.jar:org/jenkinsci/plugins/googlelogin/GoogleOAuth2SecurityRealm$DescriptorImpl.class */
    /** Descriptor that registers this realm in the Jenkins security configuration UI. */
    public static final class DescriptorImpl extends Descriptor<SecurityRealm> {
        public String getDisplayName() {
            return "Login with Google";
        }
    }

    /**
     * Data-bound constructor used by the Jenkins configuration form.
     *
     * @param str  OAuth client id
     * @param str2 OAuth client secret (plain or already-encrypted form accepted by {@link Secret#fromString})
     * @param str3 comma-separated allowed domains; blank/whitespace becomes {@code null} (no restriction)
     * @throws IOException declared but not thrown by this body
     */
    @DataBoundConstructor
    public GoogleOAuth2SecurityRealm(String str, String str2, String str3) throws IOException {
        this.clientId = str;
        this.clientSecret = Secret.fromString(str2);
        this.domain = Util.fixEmptyAndTrim(str3);
    }

    public boolean isRootURLFromRequest() {
        return this.rootURLFromRequest;
    }

    @DataBoundSetter
    public void setRootURLFromRequest(boolean z) {
        this.rootURLFromRequest = z;
    }

    public String getClientId() {
        return this.clientId;
    }

    public Secret getClientSecret() {
        return this.clientSecret;
    }

    public String getDomain() {
        return this.domain;
    }

    /** Relative URL Jenkins sends unauthenticated users to; maps to {@link #doCommenceLogin}. */
    public String getLoginUrl() {
        return "securityRealm/commenceLogin";
    }

    /**
     * Supplies an {@link AuthenticationManager} that accepts only anonymous tokens and
     * rejects everything else. There is no username/password path: an authenticated
     * principal is only ever established by the OAuth callback in {@link #doCommenceLogin}.
     */
    public SecurityRealm.SecurityComponents createSecurityComponents() {
        return new SecurityRealm.SecurityComponents(new AuthenticationManager() { // from class: org.jenkinsci.plugins.googlelogin.GoogleOAuth2SecurityRealm.1
            public Authentication authenticate(Authentication authentication) throws AuthenticationException {
                if (authentication instanceof AnonymousAuthenticationToken) {
                    return authentication;
                }
                // Any non-anonymous token (e.g. a basic-auth attempt) is refused outright.
                throw new BadCredentialsException("Unexpected authentication type: " + authentication);
            }
        });
    }

    protected String getPostLogOutUrl(StaplerRequest staplerRequest, Authentication authentication) {
        return "securityRealm/loggedOut";
    }

    /**
     * Stapler web method behind {@code securityRealm/commenceLogin}: starts the OAuth flow.
     *
     * <p>Builds the authorization-code flow (token requests are authenticated with the
     * client id/secret), creates an {@link OAuthSession} that captures the post-login
     * redirect target, stores it in the HTTP session and delegates the initial redirect
     * to Google to {@code OAuthSession.doCommenceLogin}.
     *
     * @param staplerRequest current request; its session receives the {@link OAuthSession}
     * @param str            {@code from} query parameter: where to send the user after login
     * @param str2           {@code Referer} header, fallback redirect target
     * @return redirect to Google's authorization endpoint (built by the session object)
     * @throws IOException on transport errors while preparing the flow
     */
    @Restricted({DoNotUse.class})
    public HttpResponse doCommenceLogin(StaplerRequest staplerRequest, @QueryParameter String str, @Header("Referer") String str2) throws IOException {
        // Resolved once, up front, so only a redirect target that passed the safety
        // check in getRedirectOnFinish can ever be used by onSuccess below.
        final String redirectOnFinish = getRedirectOnFinish(str, str2);
        final AuthorizationCodeFlow build = new AuthorizationCodeFlow.Builder(BearerToken.queryParameterAccessMethod(), HTTP_TRANSPORT, JSON_FACTORY, TOKEN_SERVER_URL, new ClientParametersAuthentication(this.clientId, this.clientSecret.getPlainText()), this.clientId, AUTHORIZATION_SERVER_URL).setScopes(Arrays.asList(SCOPE)).build();
        // NOTE(review): the raw "from" parameter (str) is also handed to OAuthSession;
        // what that class does with it (e.g. state handling) is not visible here.
        OAuthSession oAuthSession = new OAuthSession(str, buildOAuthRedirectUrl(), this.domain) { // from class: org.jenkinsci.plugins.googlelogin.GoogleOAuth2SecurityRealm.2
            /**
             * Invoked by the OAuthSession once the callback carried a usable authorization code.
             *
             * @param str3 the authorization code returned by Google
             * @return redirect to the pre-validated target, 401 on domain mismatch, 500 on I/O failure
             */
            @Override // org.jenkinsci.plugins.googlelogin.OAuthSession
            public HttpResponse onSuccess(String str3) {
                try {
                    // Back-channel code exchange against TOKEN_SERVER_URL; redirect_uri must
                    // match the one used for the authorization request.
                    IdTokenResponse execute = IdTokenResponse.execute(build.newTokenRequest(str3).setRedirectUri(GoogleOAuth2SecurityRealm.this.buildOAuthRedirectUrl()));
                    // Domain gate on the ID token's "hd" (hosted domain) claim. IdToken.parse only
                    // decodes the token; the trust here rests on it having been received directly
                    // from Google's token endpoint over TLS, not from the user agent. No explicit
                    // signature/audience verification call is made in this class.
                    if (!GoogleOAuth2SecurityRealm.this.isDomainValid(IdToken.parse(GoogleOAuth2SecurityRealm.JSON_FACTORY, execute.getIdToken()).getPayload().get("hd"))) {
                        return HttpResponses.errorWithoutStack(401, "Unauthorized");
                    }
                    // Credential is only created after the domain check passed; userId is null,
                    // so nothing is keyed into a per-user credential store here.
                    final Credential createAndStoreCredential = build.createAndStoreCredential(execute, null);
                    // Fetch the profile with the bearer token; the initializer attaches the
                    // credential (Authorization) and a JSON parser to the request.
                    GoogleUserInfo googleUserInfo = (GoogleUserInfo) GoogleOAuth2SecurityRealm.HTTP_TRANSPORT.createRequestFactory(new HttpRequestInitializer() { // from class: org.jenkinsci.plugins.googlelogin.GoogleOAuth2SecurityRealm.2.1
                        @Override // com.google.api.client.http.HttpRequestInitializer
                        public void initialize(HttpRequest httpRequest) throws IOException {
                            createAndStoreCredential.initialize(httpRequest);
                            httpRequest.setParser(new JsonObjectParser(GoogleOAuth2SecurityRealm.JSON_FACTORY));
                        }
                    }).buildGetRequest(new GenericUrl("https://www.googleapis.com/userinfo/v2/me")).execute().parseAs(GoogleUserInfo.class);
                    // The Google account e-mail is the Jenkins principal name; no password is involved.
                    // NOTE(review): no e-mail-verified flag is consulted here — if GoogleUserInfo
                    // exposes one, confirm whether it should gate login.
                    UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(googleUserInfo.getEmail(), "", new GrantedAuthority[]{SecurityRealm.AUTHENTICATED_AUTHORITY});
                    // Session-fixation guard: drop the pre-login session (which also discards the
                    // OAuthSession attribute) and start a fresh one before attaching the principal.
                    Stapler.getCurrentRequest().getSession().invalidate();
                    Stapler.getCurrentRequest().getSession();
                    SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken);
                    googleUserInfo.updateProfile(User.get(usernamePasswordAuthenticationToken.getName()));
                    SecurityListener.fireLoggedIn(usernamePasswordAuthenticationToken.getName());
                    return new HttpRedirect(redirectOnFinish);
                } catch (IOException e) {
                    // NOTE(review): unlike the 401 above, this variant returns the exception to the
                    // browser; check whether that detail should be limited to the log.
                    return HttpResponses.error(500, e);
                }
            }
        };
        staplerRequest.getSession().setAttribute(SESSION_NAME, oAuthSession);
        return oAuthSession.doCommenceLogin(build);
    }

    /**
     * Picks the post-login redirect target: the {@code from} parameter, else the
     * {@code Referer}, else the Jenkins root URL. A candidate is used only when
     * {@link Util#isSafeToRedirectTo} accepts it, which is the open-redirect guard for
     * this realm.
     *
     * @param str  {@code from} query parameter, may be null
     * @param str2 {@code Referer} header, may be null
     * @return the redirect target (never a candidate that failed the safety check)
     */
    String getRedirectOnFinish(String str, String str2) {
        return (str == null || !Util.isSafeToRedirectTo(str)) ? (str2 == null || !Util.isSafeToRedirectTo(str2)) ? getRootURL() : str2 : str;
    }

    /**
     * Checks the ID token's {@code hd} claim against the configured domain list.
     *
     * <p>With no domain configured every account is accepted. Otherwise the claim must
     * {@code equals} one of the comma-separated, trimmed entries (case-sensitive), so a
     * missing claim ({@code obj == null}, e.g. a consumer account) is rejected.
     *
     * @param obj the {@code hd} claim value, or null when absent
     * @return true if login is allowed for that domain
     */
    @VisibleForTesting
    boolean isDomainValid(Object obj) {
        if (this.domain == null) {
            return true;
        }
        StringTokenizer stringTokenizer = new StringTokenizer(this.domain, ",");
        while (stringTokenizer.hasMoreElements()) {
            if (stringTokenizer.nextToken().trim().equals(obj)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Absolute redirect_uri sent to Google: {@code <root URL>securityRealm/finishLogin}.
     *
     * @throws NullPointerException if the Jenkins root URL is not available
     */
    /* JADX INFO: Access modifiers changed from: private */
    public String buildOAuthRedirectUrl() {
        String rootURL = getRootURL();
        if (rootURL == null) {
            throw new NullPointerException("Jenkins root url should not be null");
        }
        return rootURL + "securityRealm/finishLogin";
    }

    /**
     * Root URL used for both the redirect_uri and the default post-login redirect.
     * NOTE(review): with {@code rootURLFromRequest} enabled this comes from
     * {@code getRootUrlFromRequest()}, i.e. from request-supplied host data rather than
     * the configured value; Google's registered-redirect-URI check is then the only
     * thing constraining it — confirm that is intended for this deployment.
     */
    private String getRootURL() {
        return this.rootURLFromRequest ? Jenkins.getInstance().getRootUrlFromRequest() : Jenkins.getInstance().getRootUrl();
    }

    /**
     * Stapler web method behind {@code securityRealm/finishLogin}: the OAuth callback.
     * Requires the {@link OAuthSession} stored by {@link #doCommenceLogin} to still be in
     * the HTTP session; the code/state handling itself lives in
     * {@code OAuthSession.doFinishLogin} (not shown here).
     *
     * @param staplerRequest the callback request from the browser
     * @return whatever the OAuthSession produces, or a {@link Failure} if no login is in flight
     * @throws IOException propagated from the session's callback handling
     */
    @Restricted({DoNotUse.class})
    public HttpResponse doFinishLogin(StaplerRequest staplerRequest) throws IOException {
        OAuthSession oAuthSession = (OAuthSession) staplerRequest.getSession().getAttribute(SESSION_NAME);
        return oAuthSession != null ? oAuthSession.doFinishLogin(staplerRequest) : new Failure("Your Jenkins session has expired. Please login again.");
    }
}
