package io.jenkins.plugins.oidc_provider;

import com.cloudbees.plugins.credentials.Credentials;
import com.cloudbees.plugins.credentials.CredentialsScope;
import com.cloudbees.plugins.credentials.impl.BaseStandardCredentials;
import edu.umd.cs.findbugs.annotations.CheckForNull;
import edu.umd.cs.findbugs.annotations.NonNull;
import hudson.ExtensionList;
import hudson.Util;
import hudson.model.Run;
import hudson.model.TaskListener;
import hudson.util.FormValidation;
import hudson.util.Secret;
import io.jenkins.plugins.oidc_provider.Issuer;
import io.jenkins.plugins.oidc_provider.config.ClaimTemplate;
import io.jenkins.plugins.oidc_provider.config.IdTokenConfiguration;
import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.Jwts;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.RSAPublicKeySpec;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Consumer;
import jenkins.model.Jenkins;
import net.sf.json.JSONArray;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;

/* loaded from: input_file:WEB-INF/lib/oidc-provider.jar:io/jenkins/plugins/oidc_provider/IdTokenCredentials.class */
/**
 * Base class for Jenkins credentials that mint OIDC id tokens signed with an RSA key pair
 * owned by the credentials themselves.
 *
 * <p>Only the PKCS#8 private key is persisted (wrapped in a Jenkins {@link Secret}); the
 * public half is rebuilt from the private key in {@link #readResolve()} after deserialization.
 * Subclasses supply {@link #clone(KeyPair, Secret)} so that {@link #forRun(Run)} can hand out a
 * copy bound to a specific build without re-generating key material.
 *
 * <p>Decompiled listing: the {@code $assertionsDisabled} field and the {@code JADX INFO}
 * markers are compiler/decompiler artifacts, not hand-written code.
 */
public abstract class IdTokenCredentials extends BaseStandardCredentials {
    private static final long serialVersionUID = 1;
    // Runtime-only key pair; never serialized directly (see readResolve for reconstruction).
    private transient KeyPair kp;
    // Base64 of the PKCS#8-encoded private key, stored as a Secret.
    private final Secret privateKey;

    // Explicit issuer URI; when null, token() falls back to findIssuer().url().
    @CheckForNull
    private String issuer;

    // Optional "aud" claim value; may be null.
    @CheckForNull
    private String audience;

    // Build these credentials were bound to via forRun(); null for the persisted (global) instance.
    @CheckForNull
    private transient Run<?, ?> build;
    // Registered claim names that user-defined claim templates are not allowed to set (see token()).
    public static final Set<String> STANDARD_CLAIMS;
    // Synthetic field emitted by javac for assert statements; exposed here only because this is decompiled output.
    static final /* synthetic */ boolean $assertionsDisabled;

    /* loaded from: input_file:WEB-INF/lib/oidc-provider.jar:io/jenkins/plugins/oidc_provider/IdTokenCredentials$IdTokenCredentialsDescriptor.class */
    /**
     * Descriptor providing form validation for the issuer field plus the two discovery
     * endpoints ({@code wellKnownOpenidConfiguration} and {@code jwks}) used when an
     * external issuer URI is configured.
     */
    protected static abstract class IdTokenCredentialsDescriptor extends BaseStandardCredentials.BaseStandardCredentialsDescriptor {
        /**
         * Resolves the {@link Issuer} in whose context the current form request is being made.
         *
         * <p>The first {@link Issuer.Factory} that recognises the request wins. When an issuer
         * is found, its extended-read permission is enforced before it is returned, so callers
         * can rely on the caller having been authorised.
         *
         * @param staplerRequest the current request
         * @return the matching issuer, or {@code null} when no factory recognises the request
         */
        @CheckForNull
        private static Issuer issuerFromRequest(@NonNull StaplerRequest staplerRequest) {
            Issuer issuer = (Issuer) ExtensionList.lookup(Issuer.Factory.class).stream().map(factory -> {
                return factory.forConfig(staplerRequest);
            }).filter((v0) -> {
                return Objects.nonNull(v0);
            }).findFirst().orElse(null);
            if (issuer != null) {
                // Authorisation gate for everything that uses the resolved issuer (doCheckIssuer, doJwks).
                issuer.checkExtendedReadPermission();
            }
            return issuer;
        }

        /**
         * Validates the issuer field of the credentials form.
         *
         * <p>An empty value is accepted (the issuer will be derived at token time); a non-empty
         * value must be a well-formed {@code https} URI with no query, fragment or trailing slash.
         * Once matching credentials have been saved, the response links to the discovery and
         * JWKS documents the user must publish under that issuer.
         *
         * @param staplerRequest the current request
         * @param str the credentials id ({@code id} query parameter)
         * @param str2 the issuer value being validated ({@code issuer} query parameter)
         * @return the validation outcome to render in the form
         */
        public final FormValidation doCheckIssuer(StaplerRequest staplerRequest, @QueryParameter String str, @QueryParameter String str2) {
            Issuer issuerFromRequest = issuerFromRequest(staplerRequest);
            if (Util.fixEmpty(str2) == null) {
                return issuerFromRequest != null ? FormValidation.okWithMarkup("Issuer URI: <code>" + Util.escape(issuerFromRequest.url()) + "</code>") : FormValidation.warning("Unable to determine the issuer URI");
            }
            try {
                URI uri = new URI(str2);
                // Tokens from a plain-http issuer could be served/tampered in transit; refuse anything but https.
                if (!"https".equals(uri.getScheme())) {
                    return FormValidation.errorWithMarkup("Issuer URIs should use <code>https</code> scheme");
                }
                if (uri.getQuery() != null) {
                    return FormValidation.error("Issuer URIs must not have a query component");
                }
                if (uri.getFragment() != null) {
                    return FormValidation.error("Issuer URIs must not have a fragment component");
                }
                // The discovery paths below are appended verbatim, so a trailing slash would produce "//".
                if (uri.getPath() != null && uri.getPath().endsWith("/")) {
                    return FormValidation.errorWithMarkup("Issuer URIs should not end with a slash (<code>/</code>) in this context");
                }
                if (issuerFromRequest == null) {
                    return FormValidation.warning("Unable to determine where these credentials are being saved");
                }
                // Instructions are only useful once credentials with this exact id + issuer are persisted.
                if (issuerFromRequest.credentials().stream().filter(idTokenCredentials -> {
                    return idTokenCredentials.getId().equals(str) && str2.equals(idTokenCredentials.getIssuer());
                }).findFirst().orElse(null) == null) {
                    return FormValidation.ok("Save these credentials, then return to this screen for instructions");
                }
                // Descriptor base URL, derived from the validation endpoint's own path.
                // NOTE(review): this value is embedded in the href without escaping, whereas str/str2 are escaped;
                // confirm that Stapler guarantees the request URI cannot carry attribute-breaking characters here.
                String replaceFirst = staplerRequest.getRequestURI().replaceFirst("/checkIssuer$", "");
                return FormValidation.okWithMarkup("Serve <code>" + Util.xmlEscape(str2) + "/.well-known/openid-configuration</code> with <a href=\"" + replaceFirst + "/wellKnownOpenidConfiguration?issuer=" + Util.escape(str2) + "\" target=\"_blank\" rel=\"noopener noreferrer\">this content</a> and <code>" + Util.xmlEscape(str2) + "/jwks</code> with <a href=\"" + replaceFirst + "/jwks?id=" + Util.escape(str) + "&issuer=" + Util.escape(str2) + "\" target=\"_blank\" rel=\"noopener noreferrer\">this content</a> (both as <code>application/json</code>).<br>Note that the JWKS document will need to be updated if you resave these credentials.");
            } catch (URISyntaxException e) {
                return FormValidation.error("Not a well-formed URI");
            }
        }

        /**
         * Serves the OpenID discovery document for the given issuer string.
         *
         * <p>Unlike {@link #doJwks}, no request-scoped issuer lookup or permission check is
         * visible here; the document is computed from the issuer value alone by
         * {@code Keys.openidConfiguration} (not shown in this file).
         *
         * @param str the issuer URI ({@code issuer} query parameter)
         * @return the discovery document as JSON
         */
        public JSONObject doWellKnownOpenidConfiguration(@QueryParameter String str) {
            return Keys.openidConfiguration(str);
        }

        /**
         * Serves a single-key JWKS document for the credentials identified by id and issuer.
         *
         * <p>Responds 404 both when the request cannot be mapped to an issuer and when no
         * credentials with the given id/issuer exist under it, so the endpoint does not reveal
         * which of the two lookups failed.
         *
         * @param staplerRequest the current request
         * @param str the credentials id ({@code id} query parameter)
         * @param str2 the configured issuer ({@code issuer} query parameter)
         * @return a JWKS document containing the public key of the matching credentials
         * @throws org.kohsuke.stapler.HttpResponses.HttpResponseException as a 404 when nothing matches
         */
        public JSONObject doJwks(StaplerRequest staplerRequest, @QueryParameter String str, @QueryParameter String str2) {
            Issuer issuerFromRequest = issuerFromRequest(staplerRequest);
            if (issuerFromRequest == null) {
                throw HttpResponses.notFound();
            }
            IdTokenCredentials orElse = issuerFromRequest.credentials().stream().filter(idTokenCredentials -> {
                return idTokenCredentials.getId().equals(str) && str2.equals(idTokenCredentials.getIssuer());
            }).findFirst().orElse(null);
            if (orElse == null) {
                throw HttpResponses.notFound();
            }
            // Only the public half is exported; Keys.key is defined elsewhere.
            return new JSONObject().accumulate("keys", new JSONArray().element(Keys.key(orElse)));
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Creates credentials with a freshly generated 2048-bit RSA key pair.
     *
     * @param credentialsScope the credentials scope
     * @param str the credentials id
     * @param str2 the description
     */
    public IdTokenCredentials(CredentialsScope credentialsScope, String str, String str2) {
        this(credentialsScope, str, str2, generatePrivateKey());
    }

    /**
     * Generates a new 2048-bit RSA key pair using the JDK default provider.
     *
     * @return the generated key pair
     * @throws AssertionError if the platform lacks an RSA {@link KeyPairGenerator} (mandatory in all JDKs)
     */
    private static KeyPair generatePrivateKey() {
        try {
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
            keyPairGenerator.initialize(2048);
            return keyPairGenerator.generateKeyPair();
        } catch (NoSuchAlgorithmException e) {
            throw new AssertionError(e);
        }
    }

    /**
     * Creates credentials from an existing key pair, serializing its private half for storage.
     */
    private IdTokenCredentials(CredentialsScope credentialsScope, String str, String str2, KeyPair keyPair) {
        this(credentialsScope, str, str2, keyPair, serializePrivateKey(keyPair));
    }

    /**
     * Encodes the private key (PKCS#8, Base64) into a {@link Secret}.
     *
     * <p>The modulus consistency check between the public and private halves is an
     * {@code assert} in the original source, so it only runs when assertions are enabled.
     *
     * @param keyPair an RSA key pair whose private key is a {@link RSAPrivateCrtKey}
     * @return the serialized private key
     */
    private static Secret serializePrivateKey(KeyPair keyPair) {
        if ($assertionsDisabled || ((RSAPublicKey) keyPair.getPublic()).getModulus().equals(((RSAPrivateCrtKey) keyPair.getPrivate()).getModulus())) {
            return Secret.fromString(Base64.getEncoder().encodeToString(keyPair.getPrivate().getEncoded()));
        }
        throw new AssertionError();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Full constructor used by {@link #clone(KeyPair, Secret)} implementations; takes the key
     * pair and its already-serialized private half as-is.
     *
     * @param credentialsScope the credentials scope
     * @param str the credentials id
     * @param str2 the description
     * @param keyPair the runtime key pair
     * @param secret the serialized private key matching {@code keyPair}
     */
    public IdTokenCredentials(CredentialsScope credentialsScope, String str, String str2, KeyPair keyPair, Secret secret) {
        super(credentialsScope, str, str2);
        this.kp = keyPair;
        this.privateKey = secret;
    }

    /**
     * Deserialization hook: rebuilds the transient key pair from the stored private key.
     *
     * <p>The public key is derived from the private key's modulus and public exponent rather
     * than stored separately, so the two halves cannot drift apart on disk.
     *
     * @return {@code this}
     * @throws Exception if the stored key cannot be decoded or the RSA key factory is unavailable
     */
    protected Object readResolve() throws Exception {
        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
        RSAPrivateCrtKey rSAPrivateCrtKey = (RSAPrivateCrtKey) keyFactory.generatePrivate(new PKCS8EncodedKeySpec(Base64.getDecoder().decode(this.privateKey.getPlainText())));
        this.kp = new KeyPair(keyFactory.generatePublic(new RSAPublicKeySpec(rSAPrivateCrtKey.getModulus(), rSAPrivateCrtKey.getPublicExponent())), rSAPrivateCrtKey);
        return this;
    }

    /** @return the explicitly configured issuer URI, or {@code null} when it is derived at token time */
    public final String getIssuer() {
        return this.issuer;
    }

    /**
     * Sets the issuer URI; blank values are normalised to {@code null}.
     *
     * @param str the issuer URI, may be empty
     */
    @DataBoundSetter
    public final void setIssuer(String str) {
        this.issuer = Util.fixEmpty(str);
    }

    /** @return the configured {@code aud} claim value, or {@code null} */
    public final String getAudience() {
        return this.audience;
    }

    /**
     * Sets the audience; blank values are normalised to {@code null}.
     *
     * @param str the audience, may be empty
     */
    @DataBoundSetter
    public final void setAudience(String str) {
        this.audience = Util.fixEmpty(str);
    }

    /**
     * Creates a new instance of the concrete subclass sharing the given key material.
     * Implementations should pass both arguments straight to the five-argument constructor.
     *
     * @param keyPair the runtime key pair to share
     * @param secret the serialized private key matching {@code keyPair}
     * @return a fresh instance of the same concrete type
     */
    protected abstract IdTokenCredentials clone(KeyPair keyPair, Secret secret);

    /**
     * Returns a copy of these credentials bound to {@code run}, so that {@link #token()} can
     * use the build's environment and build-specific claim templates.
     *
     * @param run the build to bind to
     * @return a clone with the same keys, issuer and audience, and {@code build} set to {@code run}
     */
    public final Credentials forRun(Run<?, ?> run) {
        IdTokenCredentials clone = clone(this.kp, this.privateKey);
        clone.issuer = this.issuer;
        clone.audience = this.audience;
        clone.build = run;
        return clone;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** @return the RSA public key, suitable for publishing in a JWKS document */
    public RSAPublicKey publicKey() {
        return (RSAPublicKey) this.kp.getPublic();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Mints and signs an id token.
     *
     * <p>Header {@code kid} is the credentials id. Claims {@code iss} (configured issuer or
     * {@link #findIssuer()}), {@code aud}, {@code exp} (now + configured lifetime in seconds)
     * and {@code iat} are set here and cannot be overridden: any claim template naming one of
     * {@link #STANDARD_CLAIMS} is rejected with a {@link SecurityException}. Templates are
     * expanded with {@link Util#replaceMacro} against the build environment (when bound to a
     * build) or a single {@code JENKINS_URL} entry otherwise, then parsed by their declared type.
     * Common templates are applied first, then either the build-specific or the global ones.
     * A {@code sub} claim must be produced by some template, otherwise signing is refused.
     *
     * @return the compact serialization of the signed JWT
     * @throws SecurityException if a template targets a standard claim or no template sets {@code sub}
     * @throws RuntimeException wrapping I/O or interruption while reading the build environment
     */
    @NonNull
    public final String token() {
        Map environment;
        IdTokenConfiguration idTokenConfiguration = IdTokenConfiguration.get();
        JwtBuilder issuedAt = Jwts.builder().setHeaderParam("kid", getId()).setIssuer(this.issuer != null ? this.issuer : findIssuer().url()).setAudience(this.audience).setExpiration(Date.from(Instant.now().plus(idTokenConfiguration.getTokenLifetime(), (TemporalUnit) ChronoUnit.SECONDS))).setIssuedAt(new Date());
        if (this.build != null) {
            try {
                environment = this.build.getEnvironment(TaskListener.NULL);
            } catch (IOException | InterruptedException e) {
                // NOTE(review): the interrupt flag is not re-asserted before wrapping InterruptedException;
                // consider Thread.currentThread().interrupt() in that branch.
                throw new RuntimeException(e);
            }
        } else {
            environment = Collections.singletonMap("JENKINS_URL", Jenkins.get().getRootUrl());
        }
        // Tracks whether any template produced "sub"; the token is refused without it.
        AtomicBoolean atomicBoolean = new AtomicBoolean();
        Map map = environment;
        // Applies one list of ClaimTemplate values to the builder (raw types are decompiler output).
        Consumer consumer = list -> {
            Iterator it = list.iterator();
            while (it.hasNext()) {
                ClaimTemplate claimTemplate = (ClaimTemplate) it.next();
                // Templates may not touch claims that carry the token's security semantics (iss, aud, exp, ...).
                if (STANDARD_CLAIMS.contains(claimTemplate.name)) {
                    throw new SecurityException("An id token claim template must not specify " + claimTemplate.name);
                }
                if (claimTemplate.name.equals("sub")) {
                    atomicBoolean.set(true);
                }
                // Presumably a later template with the same name replaces an earlier value — verify against JwtBuilder.claim.
                issuedAt.claim(claimTemplate.name, claimTemplate.type.parse(Util.replaceMacro(claimTemplate.format, map)));
            }
        };
        consumer.accept(idTokenConfiguration.getClaimTemplates());
        if (this.build != null) {
            consumer.accept(idTokenConfiguration.getBuildClaimTemplates());
        } else {
            consumer.accept(idTokenConfiguration.getGlobalClaimTemplates());
        }
        if (atomicBoolean.get()) {
            return issuedAt.signWith(this.kp.getPrivate()).compact();
        }
        throw new SecurityException("An id token claim template must specify sub");
    }

    /**
     * Locates the {@link Issuer} these credentials belong to.
     *
     * <p>Unbound credentials map to the singleton {@code RootIssuer}; credentials bound to a
     * build are matched against every issuer each {@link Issuer.Factory} offers for that build,
     * returning the first whose credentials list contains this instance.
     *
     * @return the owning issuer
     * @throws IllegalStateException if no issuer for the bound build lists these credentials
     */
    @NonNull
    protected Issuer findIssuer() {
        Run<?, ?> run = this.build;
        if (run == null) {
            return (Issuer) ExtensionList.lookupSingleton(RootIssuer.class);
        }
        Iterator it = ExtensionList.lookup(Issuer.Factory.class).iterator();
        while (it.hasNext()) {
            for (Issuer issuer : ((Issuer.Factory) it.next()).forContext(run)) {
                if (issuer.credentials().contains(this)) {
                    return issuer;
                }
            }
        }
        throw new IllegalStateException("Could not find issuer corresponding to " + getId() + " for " + run.getExternalizableId());
    }

    static {
        // javac-generated assertion flag (decompiled); mirrors -ea status for this class.
        $assertionsDisabled = !IdTokenCredentials.class.desiredAssertionStatus();
        // Registered/standard OIDC claim names reserved for the issuer; see token().
        STANDARD_CLAIMS = Collections.unmodifiableSet(new HashSet(Arrays.asList("iss", "aud", "exp", "iat", "auth_time", "nonce", "acr", "amr", "azp", "nbf", "jti")));
    }
}
