package io.jenkins.plugins.oidc_provider;

import edu.umd.cs.findbugs.annotations.CheckForNull;
import hudson.Extension;
import hudson.ExtensionList;
import hudson.model.InvisibleAction;
import hudson.model.UnprotectedRootAction;
import hudson.security.ACL;
import hudson.security.ACLContext;
import hudson.util.Secret;
import io.jenkins.plugins.oidc_provider.Issuer;
import io.jsonwebtoken.SignatureAlgorithm;
import java.io.Serializable;
import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.Iterator;
import java.util.logging.Logger;
import net.sf.json.JSONArray;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.StaplerRequest;

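/**
 * Serves the OpenID Connect discovery document and the JSON Web Key Set (JWKS) for each {@link Issuer}.
 *
 * <p>Paths handled below {@code /}{@value #URL_NAME}:
 * <ul>
 *   <li>{@code <issuer-uri>/.well-known/openid-configuration} — provider metadata, see {@link #openidConfiguration}</li>
 *   <li>{@code <issuer-uri>/jwks} — the public keys of that issuer's {@link IdTokenCredentials}, see {@link #key}</li>
 * </ul>
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>This is an {@link UnprotectedRootAction}: it is reachable anonymously, because relying parties must
 *       be able to fetch keys without credentials. Only public key material leaves this class
 *       ({@link IdTokenCredentials#publicKey()}); private keys are only ever held inside {@link SecretKeyPair}.</li>
 *   <li>Credential lookup runs as {@link ACL#SYSTEM2} since the caller is anonymous. Nothing from that
 *       privileged context is returned except the public keys and the discovery document.</li>
 *   <li>{@link #findIssuer} only acknowledges an issuer that has at least one credential using the default
 *       issuer, so a 404 is returned otherwise and the endpoint does not confirm the existence of arbitrary
 *       folders.</li>
 *   <li>The credential ID is published verbatim as the JWK {@code kid}: credential IDs used here are public.</li>
 *   <li>JWK integer fields are emitted per RFC 7518: base64url without padding, RSA {@code n}/{@code e} as
 *       minimal unsigned octets, EC {@code x}/{@code y} as fixed-length unsigned octets of the curve's
 *       field size. Strict verifiers reject keys that deviate from this.</li>
 * </ul>
 */
@Extension
public final class Keys extends InvisibleAction implements UnprotectedRootAction {
    private static final Logger LOGGER = Logger.getLogger(Keys.class.getName());
    /** Root URL segment under which this action is mounted. */
    static final String URL_NAME = "oidc";
    /** Path suffix of the provider metadata document. */
    static final String WELL_KNOWN_OPENID_CONFIGURATION = "/.well-known/openid-configuration";
    /** Path suffix of the key set document. */
    static final String JWKS = "/jwks";

    /** Family of the underlying public-key algorithm; selects the JCA {@link KeyFactory} and the JWK {@code kty}. */
    public enum AlgorithmType {
        RSA,
        ELLIPTIC_CURVE
    }

    /**
     * Serializable holder for a signing key pair. Both halves are stored as Jenkins {@link Secret}s holding the
     * base64 of the DER encodings (a {@link Secret} holds text, not bytes), so that Jenkins' secret handling
     * applies whenever this object is persisted.
     */
    public static class SecretKeyPair implements Serializable {
        private static final long serialVersionUID = 2448941858110252020L;
        /** Base64 of the PKCS#8 encoding of the private key. */
        private final Secret privateKey;
        /** Base64 of the X.509 SubjectPublicKeyInfo encoding of the public key. */
        private final Secret publicKey;
        /** Algorithm the pair was generated for; decides which {@link KeyFactory} restores it. */
        private final SupportedKeyAlgorithm algorithm;

        private SecretKeyPair(SupportedKeyAlgorithm algorithm, byte[] privateKeyDer, byte[] publicKeyDer) {
            Base64.Encoder encoder = Base64.getEncoder();
            this.privateKey = Secret.fromString(encoder.encodeToString(privateKeyDer));
            this.publicKey = Secret.fromString(encoder.encodeToString(publicKeyDer));
            this.algorithm = algorithm;
        }

        /**
         * Reconstructs the {@link KeyPair} from the stored encodings.
         *
         * @return the key pair; the private half is decrypted in memory for the duration of the call
         * @throws Exception if the JCA cannot produce a factory for the algorithm or an encoding is corrupt
         */
        public KeyPair toKeyPair() throws Exception {
            KeyFactory factory;
            switch (algorithm.type) {
                case RSA:
                    factory = KeyFactory.getInstance("RSA");
                    break;
                case ELLIPTIC_CURVE:
                    factory = KeyFactory.getInstance("EC");
                    break;
                default:
                    // Unreachable while AlgorithmType has only the two constants above.
                    throw new RuntimeException("Cannot restore keypair from " + algorithm.name() + " algorithm");
            }
            Base64.Decoder decoder = Base64.getDecoder();
            return new KeyPair(
                    factory.generatePublic(new X509EncodedKeySpec(decoder.decode(publicKey.getPlainText()))),
                    factory.generatePrivate(new PKCS8EncodedKeySpec(decoder.decode(privateKey.getPlainText()))));
        }

        /**
         * Wraps a freshly generated or imported {@link KeyPair}.
         *
         * @param algorithm the signature algorithm the pair will be used with
         * @param keyPair   the pair; its encoded forms are copied, the objects themselves are not retained
         */
        public static SecretKeyPair fromKeyPair(SupportedKeyAlgorithm algorithm, KeyPair keyPair) {
            return new SecretKeyPair(algorithm, keyPair.getPrivate().getEncoded(), keyPair.getPublic().getEncoded());
        }
    }

    /**
     * JWS signature algorithms this provider can sign ID tokens with. The constant name doubles as the JWK
     * {@code alg} value and as an entry of {@code id_token_signing_alg_values_supported}.
     */
    public enum SupportedKeyAlgorithm {
        ES256(SignatureAlgorithm.ES256, "P-256", AlgorithmType.ELLIPTIC_CURVE),
        ES384(SignatureAlgorithm.ES384, "P-384", AlgorithmType.ELLIPTIC_CURVE),
        ES512(SignatureAlgorithm.ES512, "P-521", AlgorithmType.ELLIPTIC_CURVE),
        RS256(SignatureAlgorithm.RS256, AlgorithmType.RSA),
        RS384(SignatureAlgorithm.RS384, AlgorithmType.RSA),
        RS512(SignatureAlgorithm.RS512, AlgorithmType.RSA);

        private final SignatureAlgorithm algorithm;
        /** JWK {@code crv} name; {@code null} for RSA algorithms. */
        private final String curve;
        private final AlgorithmType type;

        SupportedKeyAlgorithm(SignatureAlgorithm algorithm, AlgorithmType type) {
            this(algorithm, null, type);
        }

        SupportedKeyAlgorithm(SignatureAlgorithm algorithm, String curve, AlgorithmType type) {
            this.algorithm = algorithm;
            this.curve = curve;
            this.type = type;
        }

        /** Generates a new key pair of the size/curve the library considers appropriate for this algorithm. */
        public KeyPair generateKeyPair() {
            return io.jsonwebtoken.security.Keys.keyPairFor(algorithm);
        }

        public AlgorithmType getType() {
            return type;
        }
    }

    @Override
    public String getUrlName() {
        return URL_NAME;
    }

    /**
     * Dispatches {@code /oidc/<rest>} to either the discovery document or the JWKS of the issuer named by
     * {@code rest}, or answers 404 when no issuer is willing to be advertised for that URI.
     *
     * <p>Runs as SYSTEM for the lookup because the requester is anonymous; the response contains only the
     * issuer URL, static metadata, and public keys.
     *
     * @throws org.kohsuke.stapler.HttpResponses.HttpResponseException with status 404 when nothing matches
     */
    public JSONObject doDynamic(StaplerRequest req) {
        String restOfPath = req.getRestOfPath();
        try (ACLContext ignored = ACL.as2(ACL.SYSTEM2)) {
            Issuer discoveryIssuer = findIssuer(restOfPath, WELL_KNOWN_OPENID_CONFIGURATION);
            if (discoveryIssuer != null) {
                return openidConfiguration(discoveryIssuer.url());
            }
            Issuer jwksIssuer = findIssuer(restOfPath, JWKS);
            if (jwksIssuer == null) {
                throw HttpResponses.notFound();
            }
            JSONArray keys = new JSONArray();
            for (IdTokenCredentials creds : jwksIssuer.credentials()) {
                if (creds.getIssuer() != null) {
                    // A credential with an explicit issuer is published by that issuer's JWKS, not ours.
                    LOGGER.fine(() -> "declining to serve key for " + creds.getId() + " since it would be served from " + creds.getIssuer());
                } else {
                    keys.element(key(creds));
                }
            }
            return new JSONObject().accumulate("keys", keys);
        }
    }

    /**
     * Builds the provider metadata document (OpenID Connect Discovery 1.0) for one issuer.
     *
     * <p>The authorization and token endpoints are literal placeholders ({@code https://unimplemented}), which
     * presumably means the interactive OAuth flows are not served by this plugin; relying parties only need
     * {@code issuer}, {@code jwks_uri} and the signing algorithms to validate ID tokens.
     *
     * @param issuerUrl absolute issuer URL; {@code jwks_uri} is derived from it by appending {@value #JWKS}
     */
    public static JSONObject openidConfiguration(String issuerUrl) {
        JSONArray algorithms = new JSONArray();
        for (SupportedKeyAlgorithm alg : SupportedKeyAlgorithm.values()) {
            algorithms.element(alg.name());
        }
        return new JSONObject()
                .accumulate("issuer", issuerUrl)
                .accumulate("jwks_uri", issuerUrl + JWKS)
                .accumulate("response_types_supported", new JSONArray().element("code"))
                .accumulate("subject_types_supported", new JSONArray().element("public"))
                .accumulate("id_token_signing_alg_values_supported", algorithms)
                .accumulate("authorization_endpoint", "https://unimplemented")
                .accumulate("token_endpoint", "https://unimplemented");
    }

    /**
     * Encodes one credential's public key as a JWK. The credential ID becomes the {@code kid}.
     *
     * <p>The casts assume the credential's declared algorithm type matches the class of its public key;
     * a mismatch surfaces as a {@link ClassCastException}.
     */
    public static JSONObject key(IdTokenCredentials creds) {
        SupportedKeyAlgorithm alg = creds.getAlgorithm();
        switch (alg.getType()) {
            case RSA:
                return encodeRsaJsonWebKey(alg, creds.getId(), (RSAPublicKey) creds.publicKey());
            case ELLIPTIC_CURVE:
                return encodeECJsonWebKey(alg, creds.getId(), (ECPublicKey) creds.publicKey());
            default:
                throw new IllegalArgumentException("Cannot encode creds with algorithm " + alg.name());
        }
    }

    /**
     * Resolves the issuer addressed by a request path ending in {@code suffix}.
     *
     * <p>Returns {@code null} (a 404 to the caller) unless: the path ends in the suffix, some
     * {@link Issuer.Factory} recognises the remaining prefix, that issuer reports exactly the requested URI,
     * and it owns at least one credential using the default issuer. The last condition is what keeps this
     * anonymous endpoint from confirming which folders exist.
     *
     * @param restOfPath the path below {@value #URL_NAME}
     * @param suffix     {@link #WELL_KNOWN_OPENID_CONFIGURATION} or {@link #JWKS}
     */
    @CheckForNull
    private static Issuer findIssuer(String restOfPath, String suffix) {
        if (!restOfPath.endsWith(suffix)) {
            return null;
        }
        String issuerUri = restOfPath.substring(0, restOfPath.length() - suffix.length());
        LOGGER.fine(() -> "looking up issuer for " + issuerUri);
        for (Issuer.Factory factory : ExtensionList.lookup(Issuer.Factory.class)) {
            Issuer issuer = factory.forUri(issuerUri);
            if (issuer == null) {
                continue;
            }
            if (!issuer.uri().equals(issuerUri)) {
                // Factory bug or path canonicalisation mismatch; refuse rather than serve keys under a URI
                // the issuer does not claim.
                LOGGER.warning(() -> issuer + " was expected to have URI " + issuerUri);
                return null;
            }
            boolean servedFromHere = issuer.credentials().stream().anyMatch(c -> c.getIssuer() == null);
            if (!servedFromHere) {
                LOGGER.fine(() -> "found " + issuer + " but has no credentials with default issuer; not advertising existence of a folder");
                return null;
            }
            LOGGER.fine(() -> "found " + issuer);
            return issuer;
        }
        return null;
    }

    /**
     * Encodes an EC public key as a JWK (RFC 7518 §6.2.1).
     *
     * <p>{@code x} and {@code y} must be base64url (no padding) of the coordinate as a fixed-length unsigned
     * big-endian octet string of the curve's field size (32/48/66 bytes for P-256/P-384/P-521). Using
     * {@link BigInteger#toByteArray()} directly would sometimes add a sign byte or drop leading zeros, and the
     * standard base64 alphabet is not valid in a JWK.
     *
     * @param alg the algorithm; its {@code curve} supplies the {@code crv} value
     * @param kid the key ID to publish
     * @param key the public key whose field size is taken from its own curve parameters
     */
    public static JSONObject encodeECJsonWebKey(SupportedKeyAlgorithm alg, String kid, ECPublicKey key) {
        int fieldBytes = (key.getParams().getCurve().getField().getFieldSize() + 7) / 8;
        Base64.Encoder encoder = Base64.getUrlEncoder().withoutPadding();
        return new JSONObject()
                .accumulate("alg", alg.name())
                .accumulate("kty", "EC")
                .accumulate("use", "sig")
                .accumulate("kid", kid)
                .accumulate("crv", alg.curve)
                .accumulate("x", encoder.encodeToString(unsignedFixedLength(key.getW().getAffineX(), fieldBytes)))
                .accumulate("y", encoder.encodeToString(unsignedFixedLength(key.getW().getAffineY(), fieldBytes)));
    }

    /**
     * Encodes an RSA public key as a JWK (RFC 7518 §6.3.1).
     *
     * <p>{@code n} and {@code e} are Base64urlUInt values: base64url (no padding) of the minimal unsigned
     * big-endian octets. {@link BigInteger#toByteArray()} prefixes a 0x00 sign byte whenever the top bit is
     * set — true of every real modulus — and RFC 7518 explicitly forbids that extra octet.
     *
     * @param alg the algorithm published as {@code alg}
     * @param kid the key ID to publish
     * @param key the public key
     */
    public static JSONObject encodeRsaJsonWebKey(SupportedKeyAlgorithm alg, String kid, RSAPublicKey key) {
        Base64.Encoder encoder = Base64.getUrlEncoder().withoutPadding();
        return new JSONObject()
                .accumulate("kid", kid)
                .accumulate("kty", "RSA")
                .accumulate("alg", alg.name())
                .accumulate("use", "sig")
                .accumulate("n", encoder.encodeToString(unsignedMinimal(key.getModulus())))
                .accumulate("e", encoder.encodeToString(unsignedMinimal(key.getPublicExponent())));
    }

    /**
     * Unsigned big-endian octets of a non-negative {@code value} using the minimum number of octets
     * (zero encodes as a single 0x00 byte).
     *
     * @throws IllegalArgumentException if {@code value} is negative
     */
    static byte[] unsignedMinimal(BigInteger value) {
        if (value.signum() < 0) {
            throw new IllegalArgumentException("negative value cannot be encoded as unsigned octets");
        }
        byte[] twosComplement = value.toByteArray();
        int start = 0;
        // toByteArray() is two's complement and may carry one leading 0x00 sign byte; keep at least one byte.
        while (start < twosComplement.length - 1 && twosComplement[start] == 0) {
            start++;
        }
        if (start == 0) {
            return twosComplement;
        }
        byte[] minimal = new byte[twosComplement.length - start];
        System.arraycopy(twosComplement, start, minimal, 0, minimal.length);
        return minimal;
    }

    /**
     * Unsigned big-endian octets of a non-negative {@code value}, left-padded with zeros to exactly
     * {@code length} bytes (SEC 1 §2.3.5 field-element encoding, as JWK EC coordinates require).
     *
     * @throws IllegalArgumentException if {@code value} is negative or does not fit in {@code length} bytes
     */
    static byte[] unsignedFixedLength(BigInteger value, int length) {
        byte[] minimal = unsignedMinimal(value);
        if (minimal.length > length) {
            throw new IllegalArgumentException("value needs " + minimal.length + " bytes but field size is " + length);
        }
        byte[] padded = new byte[length];
        System.arraycopy(minimal, 0, padded, length - minimal.length, minimal.length);
        return padded;
    }
}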
