package io.fabric8.jenkins.openshiftsync;

import com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey;
import com.cloudbees.plugins.credentials.Credentials;
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.CredentialsScope;
import com.cloudbees.plugins.credentials.CredentialsStore;
import com.cloudbees.plugins.credentials.SecretBytes;
import com.cloudbees.plugins.credentials.domains.Domain;
import com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl;
import com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import hudson.Util;
import hudson.model.Fingerprint;
import hudson.security.ACL;
import io.fabric8.kubernetes.api.model.LocalObjectReference;
import io.fabric8.kubernetes.api.model.ObjectMeta;
import io.fabric8.kubernetes.api.model.Secret;
import io.fabric8.kubernetes.client.dsl.NonNamespaceOperation;
import io.fabric8.kubernetes.client.dsl.Resource;
import io.fabric8.openshift.api.model.BuildConfig;
import io.fabric8.openshift.api.model.BuildConfigSpec;
import io.fabric8.openshift.api.model.BuildSource;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Level;
import java.util.logging.Logger;
import jenkins.model.Jenkins;
import org.acegisecurity.context.SecurityContext;
import org.acegisecurity.context.SecurityContextHolder;
import org.apache.commons.lang.StringUtils;
import org.jenkinsci.plugins.plaincredentials.impl.FileCredentialsImpl;
import org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl;

/* loaded from: input_file:io/fabric8/jenkins/openshiftsync/CredentialsUtils.class */
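/**
 * Converts OpenShift/Kubernetes {@link Secret} objects into Jenkins credentials and adds,
 * updates or removes them in the Jenkins credentials store.
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 *   <li>Every credential built here uses {@link CredentialsScope#GLOBAL} and is written to
 *       {@link Domain#global()} of the first store returned by
 *       {@link CredentialsProvider#lookupStores}.</li>
 *   <li>Store mutations run while impersonating {@link ACL#SYSTEM}; the previous security
 *       context is always restored in a {@code finally} block.</li>
 *   <li>The credential id comes from the Secret's namespace and name, or verbatim from the
 *       custom-name annotation (see {@link #generateCredentialsName}).</li>
 *   <li>Log statements carry identifiers and null/empty flags only, never decoded secret
 *       values. Keep it that way when editing.</li>
 * </ul>
 *
 * <p>NOTE(review): which Secrets reach this class is decided by callers that are not shown here.
 * Since the Secret alone determines the id and content of the resulting credential, write access
 * to Secrets in synced namespaces should be reviewed as if it were write access to Jenkins
 * credentials.
 */
public class CredentialsUtils {
    private static final String SECRET_TEXT_SECRET_TYPE = "secretText";
    private static final String FILE_SECRET_TYPE = "filename";
    private static final String TOKEN_SECRET_TYPE = "token";
    public static final String KUBERNETES_SERVICE_ACCOUNT = "Kubernetes Service Account";
    private static final Base64.Decoder DECODER = Base64.getDecoder();
    private static final Logger logger = Logger.getLogger(CredentialsUtils.class.getName());
    // BuildConfig "namespace/name" string -> id of the Jenkins credential built from its sourceSecret.
    private static final Map<String, String> SOURCE_SECRET_TO_CREDS_MAP = new ConcurrentHashMap<>();
    // Secret UID -> id of the Jenkins credential last written for that Secret (in-memory only).
    public static final ConcurrentHashMap<String, String> UID_TO_SECRET_MAP = new ConcurrentHashMap<>();

    /**
     * Fetches the Secret referenced as {@code spec.source.sourceSecret} of a BuildConfig.
     *
     * @param buildConfig the BuildConfig to inspect; must not be {@code null}
     * @return the Secret from the BuildConfig's namespace, or {@code null} when the BuildConfig
     *         names no source secret, has no metadata, or the named Secret does not exist
     */
    public static Secret getSourceSecretForBuildConfig(BuildConfig buildConfig) {
        BuildConfigSpec spec = buildConfig.getSpec();
        if (spec == null) {
            return null;
        }
        BuildSource source = spec.getSource();
        if (source == null) {
            return null;
        }
        LocalObjectReference sourceSecret = source.getSourceSecret();
        if (sourceSecret == null) {
            return null;
        }
        String secretName = sourceSecret.getName();
        if (secretName == null || secretName.isEmpty()) {
            return null;
        }
        ObjectMeta metadata = buildConfig.getMetadata();
        if (metadata == null) {
            // Without metadata there is no namespace to look the Secret up in.
            logger.warning("BuildConfig has no metadata; its sourceSecret " + secretName + " cannot be resolved.");
            return null;
        }
        String namespace = metadata.getNamespace();
        String buildConfigName = metadata.getName();
        logger.info("Retrieving SourceSecret for BuildConfig " + buildConfigName + " in Namespace " + namespace);
        // The lookup is confined to the BuildConfig's own namespace. Casts are kept exactly as
        // they appear in the original listing.
        Secret secret = (Secret) ((Resource) ((NonNamespaceOperation) OpenShiftUtils.getAuthenticatedOpenShiftClient().secrets().inNamespace(namespace)).withName(secretName)).get();
        if (secret == null) {
            logger.warning(("Secret Name provided in BuildConfig " + buildConfigName + " as " + secretName) + " does not exist. Please review the BuildConfig and make the necessary changes.");
        }
        return secret;
    }

    /**
     * Synchronises the Jenkins credential that backs a BuildConfig's source secret.
     *
     * <p>When the Secret converts to a credential, the credential is created or updated and
     * linked to the BuildConfig. When it does not convert, the BuildConfig is unlinked and the
     * previously linked credential, if any, is deleted.
     *
     * @param buildConfig the BuildConfig whose source secret is synchronised
     * @return the id of the credential now in use; the id of the credential that was unlinked
     *         when the Secret no longer converts; or {@code null} when there was nothing to do
     * @throws IOException if the credentials store cannot be read or saved
     */
    public static String updateSourceCredentials(BuildConfig buildConfig) throws IOException {
        Secret sourceSecret = getSourceSecretForBuildConfig(buildConfig);
        if (sourceSecret == null) {
            return null;
        }
        ObjectMeta secretMetadata = sourceSecret.getMetadata();
        if (secretMetadata == null) {
            return null;
        }
        String secretNamespace = secretMetadata.getNamespace();
        String secretName = secretMetadata.getName();
        // Non-null here: getSourceSecretForBuildConfig returns null for a BuildConfig without metadata.
        ObjectMeta buildConfigMetadata = buildConfig.getMetadata();
        String buildConfigName = buildConfigMetadata.getName();
        String credentialId = insertOrUpdateCredentialsFromSecret(sourceSecret);
        String buildConfigKey = NamespaceName.create(buildConfig).toString();
        if (credentialId != null) {
            logger.info("Linking sourceSecret " + secretName + " to Jenkins Credentials " + credentialId);
            linkSourceSecretToCredentials(buildConfigKey, credentialId);
            return credentialId;
        }
        logger.info("Unlinking BuildConfig sourceSecret matching BuildConfig " + buildConfigName);
        String unlinkedId = unlinkBCSecretToCrendential(buildConfigKey);
        if (unlinkedId != null) {
            // The Secret no longer yields a credential, so the stale one is removed instead of lingering.
            logger.info("Deleting sourceSecret " + secretName + " in namespace " + secretNamespace);
            deleteCredential(unlinkedId, NamespaceName.create(buildConfig), buildConfigMetadata.getResourceVersion());
        }
        return unlinkedId;
    }

    /**
     * Deletes the credential derived from a BuildConfig's source secret, unless the Secret carries
     * the credential-sync label with the sync value. A Secret without any labels is left alone
     * as well.
     *
     * @param buildConfig the BuildConfig being removed
     * @throws IOException declared for callers; the single-argument {@link #deleteCredential(Secret)}
     *         used here reports store failures as {@link RuntimeException}
     */
    public static void deleteSourceCredentials(BuildConfig buildConfig) throws IOException {
        Secret sourceSecret = getSourceSecretForBuildConfig(buildConfig);
        if (sourceSecret == null) {
            return;
        }
        ObjectMeta metadata = sourceSecret.getMetadata();
        if (metadata == null) {
            return;
        }
        Map<String, String> labels = metadata.getLabels();
        if (labels == null) {
            return;
        }
        String syncLabel = labels.get(Constants.OPENSHIFT_LABELS_SECRET_CREDENTIAL_SYNC);
        if (syncLabel != null && syncLabel.equalsIgnoreCase(Constants.VALUE_SECRET_SYNC)) {
            // presumably a labelled Secret is managed by a separate sync path — confirm against callers
            return;
        }
        deleteCredential(sourceSecret);
    }

    /**
     * Reads the custom credential name annotation of a Secret.
     *
     * @return the annotation value, or {@code null} when metadata, annotations or the annotation
     *         itself are missing
     */
    private static String getSecretCustomName(Secret secret) {
        ObjectMeta metadata = secret.getMetadata();
        if (metadata == null) {
            return null;
        }
        Map<String, String> annotations = metadata.getAnnotations();
        return annotations == null ? null : annotations.get(Annotations.SECRET_NAME);
    }

    /**
     * Creates or updates the Jenkins credential for a Secret.
     *
     * @param secret the Secret to convert; {@code null} or metadata-less Secrets are ignored
     * @return the credential id, or {@code null} when nothing was converted
     * @throws IOException if the credentials store cannot be read or saved
     */
    public static String upsertCredential(Secret secret) throws IOException {
        if (secret == null || secret.getMetadata() == null) {
            return null;
        }
        return insertOrUpdateCredentialsFromSecret(secret);
    }

    /**
     * Writes the credential built from {@code secret} into the global domain of the first
     * credentials store, while impersonating {@link ACL#SYSTEM}.
     *
     * <p>Two cases are distinguished by comparing the effective id with the default
     * {@code namespace-name} id:
     * <ul>
     *   <li>ids equal: an existing credential with that id is replaced, otherwise one is added;</li>
     *   <li>ids differ (custom name): the credential is added under the custom id and the
     *       credential previously recorded for this Secret UID (or, failing that, the one under
     *       the default id) is removed.</li>
     * </ul>
     *
     * <p>NOTE(review): the replace path matches purely by id, so a credential with the same id that
     * was not created from this Secret is overwritten as well.
     *
     * <p>NOTE(review): with a custom id, a repeated sync of the same Secret appears to land in the
     * "add failed" branch because the id is already taken, so changed Secret data may not reach
     * the existing credential — confirm and decide whether rotation must be supported there.
     *
     * @return the effective credential id, or {@code null} when the Secret is {@code null}, has no
     *         metadata, does not convert, or the id is empty
     * @throws IOException if the credentials store cannot be read or saved
     */
    private static String insertOrUpdateCredentialsFromSecret(Secret secret) throws IOException {
        if (secret == null || secret.getMetadata() == null) {
            return null;
        }
        ObjectMeta metadata = secret.getMetadata();
        String namespace = metadata.getNamespace();
        String secretName = metadata.getName();
        Credentials converted = secretToCredentials(secret);
        if (converted == null) {
            return null;
        }
        String credentialId = generateCredentialsName(namespace, secretName, getSecretCustomName(secret));
        Credentials existing = lookupCredentials(credentialId);
        String revision = metadata.getResourceVersion();
        SecurityContext previousContext = ACL.impersonate(ACL.SYSTEM);
        try {
            CredentialsStore store = firstCredentialsStore();
            String defaultId = generateCredentialsName(namespace, secretName, null);
            Credentials defaultNamed = lookupCredentials(defaultId);
            String uid = metadata.getUid();
            if (defaultId.equals(credentialId)) {
                if (existing != null) {
                    store.updateCredentials(Domain.global(), existing, converted);
                    rememberCredentialId(uid, credentialId);
                    logger.info("Updated credential " + credentialId + " from Secret " + secretRef(secret) + " with revision: " + revision);
                } else if (store.addCredentials(Domain.global(), converted)) {
                    rememberCredentialId(uid, credentialId);
                    logger.info("Created credential " + credentialId + " from Secret " + secretRef(secret) + " with revision: " + revision);
                } else {
                    logger.warning("Update failed for secret with new Id " + credentialId + " from Secret " + secretRef(secret) + " with revision: " + revision);
                }
            } else if (store.addCredentials(Domain.global(), converted)) {
                String previousId = uid != null ? UID_TO_SECRET_MAP.get(uid) : null;
                // Same selection as before: a recorded id wins even when it no longer resolves.
                Credentials stale = previousId != null ? lookupCredentials(previousId) : defaultNamed;
                if (stale != null) {
                    if (isKubernetesServiceAccount(stale)) {
                        // Same protection as deleteCredential: a rename must not remove the
                        // service-account credential that happens to sit under the old id.
                        logger.warning("Stopped attempt to delete Kubernetes Service Account credentials with Id " + (previousId != null ? previousId : defaultId));
                    } else {
                        store.removeCredentials(Domain.global(), stale);
                    }
                }
                rememberCredentialId(uid, credentialId);
                logger.info("Updated credential " + previousId + " with new Id " + credentialId + " from Secret " + secretRef(secret) + " with revision: " + revision);
            } else {
                logger.warning("Setting secret  failed for secret with new Id " + credentialId + " from Secret " + secretRef(secret) + " with revision: " + revision);
                logger.warning("Check if Id " + credentialId + " is not already used.");
            }
            store.save();
        } finally {
            // Always drop the SYSTEM identity again, whether or not the store operation failed.
            SecurityContextHolder.setContext(previousContext);
        }
        return credentialId == null || credentialId.isEmpty() ? null : credentialId;
    }

    /** Returns the first credentials store Jenkins reports; all writes of this class go there. */
    private static CredentialsStore firstCredentialsStore() {
        return CredentialsProvider.lookupStores(Jenkins.getActiveInstance()).iterator().next();
    }

    /** Records which credential id currently represents the Secret with the given UID. */
    private static void rememberCredentialId(String uid, String credentialId) {
        // ConcurrentHashMap rejects null keys; a Secret without UID is simply not tracked.
        if (uid != null) {
            UID_TO_SECRET_MAP.put(uid, credentialId);
        }
    }

    /** Formats the namespace/name reference of a Secret for log messages. */
    private static String secretRef(Secret secret) {
        return String.valueOf(NamespaceName.create(secret));
    }

    /** Tells whether the credential's descriptor identifies it as a Kubernetes Service Account. */
    private static boolean isKubernetesServiceAccount(Credentials credentials) {
        return credentials.getDescriptor().getDisplayName().contains(KUBERNETES_SERVICE_ACCOUNT);
    }

    /**
     * Removes the credential with the given id from the global domain, unless it is a
     * Kubernetes Service Account credential. Does nothing when no credential has that id.
     *
     * @param credentialId id of the credential to remove
     * @param origin       namespace/name of the object that triggered the removal (logged only)
     * @param revision     resource version of that object (logged only)
     * @throws IOException if the fingerprint or the credentials store cannot be accessed
     */
    private static void deleteCredential(String credentialId, NamespaceName origin, String revision) throws IOException {
        Credentials target = lookupCredentials(credentialId);
        if (target == null) {
            return;
        }
        SecurityContext previousContext = ACL.impersonate(ACL.SYSTEM);
        try {
            Fingerprint fingerprint = CredentialsProvider.getFingerprintOf(target);
            if (fingerprint != null && !fingerprint.getJobs().isEmpty()) {
                // Leave an audit trail of the jobs that will lose this credential.
                logger.info("About to delete credential " + credentialId + " which is referenced by jobs: " + String.join(" ", fingerprint.getJobs()));
            }
            CredentialsStore store = firstCredentialsStore();
            if (isKubernetesServiceAccount(target)) {
                logger.warning("Stopped attempt to delete Kubernetes Service Account credentials with Id " + credentialId);
            } else {
                store.removeCredentials(Domain.global(), target);
                logger.info("Deleted credential " + credentialId + " from Secret " + String.valueOf(origin) + " with revision: " + revision);
                store.save();
            }
        } finally {
            SecurityContextHolder.setContext(previousContext);
        }
    }

    /**
     * Deletes the Jenkins credential that corresponds to a Secret.
     *
     * @param secret the Secret whose credential is removed; {@code null} and metadata-less
     *               Secrets are ignored
     * @throws RuntimeException wrapping the {@link IOException} when the store operation fails
     */
    public static void deleteCredential(Secret secret) {
        if (secret == null || secret.getMetadata() == null) {
            return;
        }
        ObjectMeta metadata = secret.getMetadata();
        try {
            String credentialId = generateCredentialsName(metadata.getNamespace(), metadata.getName(), getSecretCustomName(secret));
            deleteCredential(credentialId, NamespaceName.create(secret), metadata.getResourceVersion());
        } catch (IOException e) {
            logger.log(Level.SEVERE, "Credentials has not been deleted: " + String.valueOf(e), (Throwable) e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Returns the token of the credential selected in the global plugin configuration.
     *
     * <p>The return value is the plain token; callers must not log or persist it.
     *
     * @return the token, or an empty string when no credential id is configured or no matching
     *         {@code OpenShiftToken} credential exists
     */
    public static String getCurrentToken() {
        String credentialsId = GlobalPluginConfiguration.get().getCredentialsId();
        if (credentialsId == null || credentialsId.isEmpty()) {
            return "";
        }
        OpenShiftToken token = CredentialsMatchers.firstOrNull(CredentialsProvider.lookupCredentials(OpenShiftToken.class, Jenkins.getActiveInstance(), ACL.SYSTEM, Collections.emptyList()), CredentialsMatchers.withId(credentialsId));
        return token == null ? "" : token.getToken();
    }

    /** Finds a credential of any type by id, looking it up as {@link ACL#SYSTEM}. */
    private static Credentials lookupCredentials(String credentialId) {
        return CredentialsMatchers.firstOrNull(CredentialsProvider.lookupCredentials(Credentials.class, Jenkins.getActiveInstance(), ACL.SYSTEM, Collections.emptyList()), CredentialsMatchers.withId(credentialId));
    }

    /**
     * Derives the Jenkins credential id for a Secret.
     *
     * <p>NOTE(review): the default id joins namespace and name with {@code "-"}. Both parts may
     * contain hyphens themselves, so two different namespace/name pairs can yield the same id
     * (constructed example: {@code team-a} + {@code prod} and {@code team} + {@code a-prod}).
     * A custom name is used verbatim. Ids are therefore not guaranteed to be unique per Secret;
     * consider this when deciding which namespaces are synced.
     *
     * @param namespace  namespace of the Secret
     * @param name       name of the Secret
     * @param customName custom-name annotation value, or {@code null} for the default id
     * @return {@code customName} when given, otherwise {@code namespace + "-" + name}
     */
    private static String generateCredentialsName(String namespace, String name, String customName) {
        if (customName != null) {
            return customName;
        }
        return namespace + "-" + name;
    }

    /**
     * Fallback conversion: serialises all key/value pairs of the Secret data to one JSON document
     * and stores it as a secret-text credential.
     *
     * <p>The values go into the JSON exactly as they appear in {@code data}; the JSON is Base64
     * encoded only because {@link #newSecretTextCredential} decodes its input.
     *
     * @return the credential, or {@code null} when there is no data or serialisation fails
     */
    private static Credentials arbitraryKeyValueTextCredential(Map<String, String> data, String credentialId) {
        String json = "";
        if (data != null && !data.isEmpty()) {
            try {
                json = new ObjectMapper().writeValueAsString(data);
            } catch (JsonProcessingException e) {
                logger.log(Level.WARNING, "Arbitrary opaque secret " + credentialId + " had issue converting json", e);
            }
        }
        if (StringUtils.isBlank(json)) {
            logger.log(Level.WARNING, "Opaque secret {0} did not provide any data that could be processed into a Jenkins credential", new Object[]{credentialId});
            return null;
        }
        return newSecretTextCredential(credentialId, Base64.getEncoder().encodeToString(json.getBytes(StandardCharsets.UTF_8)));
    }

    /**
     * Chooses the Jenkins credential type for a Secret from its {@code type} and data keys.
     *
     * <p>All values read from {@code data} are still Base64 encoded at this point; decoding
     * happens in the {@code new...Credential} factories.
     *
     * @param secret a Secret with non-null metadata and type
     * @return the credential, or {@code null} when the Secret has no data or the data required
     *         for its type is missing
     */
    private static Credentials secretToCredentials(Secret secret) {
        String namespace = secret.getMetadata().getNamespace();
        String secretName = secret.getMetadata().getName();
        Map<String, String> data = secret.getData();
        if (data == null) {
            logger.log(Level.WARNING, "Secret " + secretName + " does not contain any data. No credential will be created.");
            return null;
        }
        String credentialId = generateCredentialsName(namespace, secretName, getSecretCustomName(secret));
        String password = data.get(Constants.OPENSHIFT_SECRETS_DATA_PASSWORD);
        String sshKey = data.get(Constants.OPENSHIFT_SECRETS_DATA_SSHPRIVATEKEY);
        String username = data.get(Constants.OPENSHIFT_SECRETS_DATA_USERNAME);
        String passphrase = data.get(Constants.OPENSHIFT_SECRETS_DATA_PASSPHRASE);
        // An explicit passphrase wins; otherwise the password doubles as key passphrase.
        String keyPassphrase = StringUtils.isNotBlank(passphrase) ? passphrase : password;
        switch (secret.getType()) {
            case Constants.OPENSHIFT_SECRETS_TYPE_OPAQUE:
                return opaqueSecretToCredentials(data, credentialId, username, password, sshKey, keyPassphrase);
            case Constants.OPENSHIFT_SECRETS_TYPE_BASICAUTH:
                return newUsernamePasswordCredentials(credentialId, username, password);
            case Constants.OPENSHIFT_SECRETS_TYPE_SSH:
                return newSSHUserCredential(credentialId, username, sshKey, keyPassphrase);
            default:
                return arbitraryKeyValueTextCredential(data, credentialId);
        }
    }

    /**
     * Picks the credential type for an opaque Secret by probing its data keys in a fixed order:
     * username+password, SSH key, file, certificate, secret text, client token, and finally the
     * JSON fallback.
     */
    private static Credentials opaqueSecretToCredentials(Map<String, String> data, String credentialId, String username, String password, String sshKey, String keyPassphrase) {
        if (StringUtils.isNotBlank(username) && StringUtils.isNotBlank(password)) {
            return newUsernamePasswordCredentials(credentialId, username, password);
        }
        if (StringUtils.isNotBlank(sshKey)) {
            return newSSHUserCredential(credentialId, username, sshKey, keyPassphrase);
        }
        String fileData = data.get("filename");
        if (StringUtils.isNotBlank(fileData)) {
            return newSecretFileCredential(credentialId, fileData);
        }
        String certificateData = data.get(Constants.OPENSHIFT_SECRETS_DATA_CERTIFICATE);
        if (StringUtils.isNotBlank(certificateData)) {
            return newCertificateCredential(credentialId, password, certificateData);
        }
        String secretText = data.get(Constants.OPENSHIFT_SECRETS_DATA_SECRET_TEXT);
        if (StringUtils.isNotBlank(secretText)) {
            return newSecretTextCredential(credentialId, secretText);
        }
        String clientToken = data.get(Constants.OPENSHIFT_SECRETS_DATA_CLIENT_TOKEN);
        if (StringUtils.isNotBlank(clientToken)) {
            return newOpenshiftTokenCredentials(credentialId, clientToken);
        }
        return arbitraryKeyValueTextCredential(data, credentialId);
    }

    /**
     * Builds an OpenShift token credential from a Base64-encoded token.
     *
     * @return the credential, or {@code null} when id or token are missing
     * @throws IllegalArgumentException if {@code tokenData} is not valid Base64
     */
    private static Credentials newOpenshiftTokenCredentials(String credentialId, String tokenData) {
        if (credentialId == null || credentialId.isEmpty() || tokenData == null || tokenData.isEmpty()) {
            logInvalidSecretData(credentialId, tokenData, TOKEN_SECRET_TYPE);
            return null;
        }
        String token = new String(DECODER.decode(tokenData), StandardCharsets.UTF_8);
        return new OpenShiftTokenCredentials(CredentialsScope.GLOBAL, credentialId, credentialId, hudson.util.Secret.fromString(token));
    }

    /**
     * Builds a secret-file credential; the credential id is reused as description and file name.
     *
     * @return the credential, or {@code null} when id or file data are missing
     */
    private static Credentials newSecretFileCredential(String credentialId, String fileData) {
        if (credentialId == null || credentialId.isEmpty() || fileData == null || fileData.isEmpty()) {
            logInvalidSecretData(credentialId, fileData, FILE_SECRET_TYPE);
            return null;
        }
        return new FileCredentialsImpl(CredentialsScope.GLOBAL, credentialId, credentialId, credentialId, SecretBytes.fromString(fileData));
    }

    /**
     * Builds a secret-text credential from Base64-encoded text.
     *
     * @return the credential, or {@code null} when id or text are missing
     * @throws IllegalArgumentException if {@code textData} is not valid Base64
     */
    private static Credentials newSecretTextCredential(String credentialId, String textData) {
        if (credentialId == null || credentialId.isEmpty() || textData == null || textData.isEmpty()) {
            logInvalidSecretData(credentialId, textData, SECRET_TEXT_SECRET_TYPE);
            return null;
        }
        String text = new String(DECODER.decode(textData), StandardCharsets.UTF_8);
        return new StringCredentialsImpl(CredentialsScope.GLOBAL, credentialId, credentialId, hudson.util.Secret.fromString(text));
    }

    /**
     * Builds a certificate credential from an uploaded key store.
     *
     * @param passwordData    Base64-encoded key store password, may be {@code null}
     * @param certificateData key store content as delivered in the Secret data
     * @return the credential, or {@code null} when id or certificate data are missing
     * @throws IllegalArgumentException if {@code passwordData} is not valid Base64
     */
    private static Credentials newCertificateCredential(String credentialId, String passwordData, String certificateData) {
        if (credentialId == null || credentialId.isEmpty() || certificateData == null || certificateData.isEmpty()) {
            logInvalidSecretData(credentialId, certificateData, Constants.OPENSHIFT_SECRETS_DATA_CERTIFICATE);
            return null;
        }
        String password = passwordData != null ? new String(DECODER.decode(passwordData), StandardCharsets.UTF_8) : null;
        return new CertificateCredentialsImpl(CredentialsScope.GLOBAL, credentialId, credentialId, password, new CertificateCredentialsImpl.UploadedKeyStoreSource(SecretBytes.fromString(certificateData)));
    }

    /** Logs why a Secret could not be converted, reporting only null/empty flags, never the data. */
    private static void logInvalidSecretData(String secretName, String secretData, String dataKind) {
        boolean dataIsEmpty = secretData != null && secretData.isEmpty();
        logger.log(Level.WARNING, "Invalid secret data, secretName: " + secretName + " " + dataKind + " is null: " + (secretData == null) + " " + dataKind + " is empty: " + dataIsEmpty);
    }

    /**
     * Builds an SSH private-key credential.
     *
     * @param usernameData   Base64-encoded user name; {@code null} or empty yields an empty user name
     * @param sshKeyData     Base64-encoded private key
     * @param passphraseData Base64-encoded key passphrase, may be {@code null}
     * @return the credential, or {@code null} when id or key are blank
     * @throws IllegalArgumentException if any of the encoded values is not valid Base64
     */
    private static Credentials newSSHUserCredential(String credentialId, String usernameData, String sshKeyData, String passphraseData) {
        boolean idBlank = StringUtils.isBlank(credentialId);
        boolean keyBlank = StringUtils.isBlank(sshKeyData);
        if (idBlank || keyBlank) {
            logger.log(Level.WARNING, "Invalid secret data, secretName: " + credentialId + " sshKeyData is blank null: " + keyBlank);
            return null;
        }
        String username = Util.fixNull(usernameData).isEmpty() ? "" : new String(DECODER.decode(usernameData), StandardCharsets.UTF_8);
        String privateKey = new String(DECODER.decode(sshKeyData), StandardCharsets.UTF_8);
        String passphrase = passphraseData != null ? new String(DECODER.decode(passphraseData), StandardCharsets.UTF_8) : null;
        return new BasicSSHUserPrivateKey(CredentialsScope.GLOBAL, credentialId, username, new BasicSSHUserPrivateKey.DirectEntryPrivateKeySource(privateKey), passphrase, credentialId);
    }

    /**
     * Builds a username/password credential from Base64-encoded values.
     *
     * @return the credential, or {@code null} when id, user name or password are missing
     * @throws IllegalArgumentException if user name or password are not valid Base64
     */
    private static Credentials newUsernamePasswordCredentials(String credentialId, String usernameData, String passwordData) {
        boolean idMissing = credentialId == null || credentialId.isEmpty();
        boolean usernameMissing = usernameData == null || usernameData.isEmpty();
        boolean passwordMissing = passwordData == null || passwordData.isEmpty();
        if (idMissing || usernameMissing || passwordMissing) {
            // Only presence flags are logged; the values themselves stay out of the log.
            logger.log(Level.WARNING, "Invalid secret data, secretName: " + credentialId + " usernameData is null: " + (usernameData == null) + " usernameData is empty: " + (usernameData != null && usernameData.isEmpty()) + " passwordData is null: " + (passwordData == null) + " passwordData is empty: " + (passwordData != null && passwordData.isEmpty()));
            return null;
        }
        String username = new String(DECODER.decode(usernameData), StandardCharsets.UTF_8);
        String password = new String(DECODER.decode(passwordData), StandardCharsets.UTF_8);
        return new UsernamePasswordCredentialsImpl(CredentialsScope.GLOBAL, credentialId, credentialId, username, password);
    }

    /** Tells whether the authenticated OpenShift client is configured with a non-empty OAuth token. */
    public static boolean hasCredentials() {
        return !StringUtils.isEmpty(OpenShiftUtils.getAuthenticatedOpenShiftClient().getConfiguration().getOauthToken());
    }

    /** Remembers which credential id backs the source secret of the given BuildConfig key. */
    static void linkSourceSecretToCredentials(String buildConfigKey, String credentialId) {
        SOURCE_SECRET_TO_CREDS_MAP.put(buildConfigKey, credentialId);
    }

    /**
     * Forgets the credential linked to the given BuildConfig key.
     *
     * @return the credential id that was linked, or {@code null} when there was no link
     */
    static String unlinkBCSecretToCrendential(String buildConfigKey) {
        return SOURCE_SECRET_TO_CREDS_MAP.remove(buildConfigKey);
    }
}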
