package org.jenkinsci.plugins.authorizeproject.strategy;

import hudson.Extension;
import hudson.model.Job;
import hudson.model.Queue;
import hudson.model.User;
import hudson.security.ACL;
import hudson.security.AbstractPasswordBasedSecurityRealm;
import hudson.security.AccessControlled;
import hudson.util.FormValidation;
import java.io.ObjectStreamException;
import java.util.Collections;
import java.util.logging.Level;
import java.util.logging.Logger;
import jenkins.model.Jenkins;
import jenkins.security.ApiTokenProperty;
import org.acegisecurity.AccessDeniedException;
import org.acegisecurity.Authentication;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.userdetails.UsernameNotFoundException;
import org.apache.commons.lang.StringUtils;
import org.jenkinsci.plugins.authorizeproject.AuthorizeProjectProperty;
import org.jenkinsci.plugins.authorizeproject.AuthorizeProjectStrategy;
import org.jenkinsci.plugins.authorizeproject.AuthorizeProjectStrategyDescriptor;
import org.jenkinsci.plugins.authorizeproject.AuthorizeProjectUtil;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.DoNotUse;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;

/* loaded from: input_file:WEB-INF/lib/authorize-project.jar:org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy.class */
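/**
 * Authorization strategy that runs a job's builds with the identity of one named Jenkins user.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The built-in identities in {@link #BUILTIN_USERS} ({@code ACL.SYSTEM} and
 *       {@code Jenkins.ANONYMOUS}) are rejected as the configured user.</li>
 *   <li>The data-bound constructor demands a valid password or API token for the configured user
 *       unless the caller is an administrator or is that user (see
 *       {@link #isAuthenticationRequired(String)}).</li>
 *   <li>At build time the configured user is impersonated; if the user cannot be resolved the build
 *       falls back to {@code Jenkins.ANONYMOUS} rather than to a more privileged identity.</li>
 *   <li>{@code dontRestrictJobConfiguration} switches off the "only the configured user may
 *       configure this job" check, which is why the descriptor shows a warning for it.</li>
 * </ul>
 *
 * <p>NOTE(review): parameter names such as {@code str}, {@code str2} and {@code z} look
 * decompiler-generated. Stapler binds {@code @QueryParameter} and {@code @DataBoundConstructor}
 * arguments by parameter name, so confirm the real names against the original source before
 * relying on this listing for form binding.
 */
public class SpecificUsersAuthorizationStrategy extends AuthorizeProjectStrategy {
    /** Id of the user that builds run as; trimmed in the constructor. */
    private final String userid;

    // The three @Restricted(DoNotUse) fields below are transient and are never read or written in
    // this class; presumably they are kept only so that older serialized configurations still load.
    @Restricted({DoNotUse.class})
    private transient Boolean useApitoken;

    @Restricted({DoNotUse.class})
    private transient String apitoken;

    @Restricted({DoNotUse.class})
    private transient String password;

    /** Former name of {@link #dontRestrictJobConfiguration}; migrated in {@link #readResolve()}. */
    private transient Boolean noNeedReauthentication;

    /** When true, {@link #hasJobConfigurePermission(AccessControlled)} always grants access. */
    private boolean dontRestrictJobConfiguration;

    private static final Logger LOGGER = Logger.getLogger(SpecificUsersAuthorizationStrategy.class.getName());

    /** Identities that must never be selected as the configured user. */
    private static final Authentication[] BUILTIN_USERS = {ACL.SYSTEM, Jenkins.ANONYMOUS};

    @Extension
    /* loaded from: input_file:WEB-INF/lib/authorize-project.jar:org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy$DescriptorImpl.class */
    public static class DescriptorImpl extends AuthorizeProjectStrategyDescriptor {
        @Override
        public String getDisplayName() {
            return Messages.SpecificUsersAuthorizationStrategy_DisplayName();
        }

        /**
         * Builds the client-side expression that yields the URL of
         * {@link #doCheckPasswordRequested(StaplerRequest, String)} with the nearby
         * {@code userid} field appended as a query string.
         */
        @Restricted({NoExternalUse.class})
        public String calcCheckPasswordRequestedUrl() {
            return String.format("'%s/%s/checkPasswordRequested' + qs(this).nearBy('userid')", getCurrentDescriptorByNameUrl(), getDescriptorUrl());
        }

        /**
         * Tells the form whether credentials must be entered for the given user id.
         *
         * @param staplerRequest unused
         * @param str user id typed into the form; a missing value is treated as empty
         * @return {@code "true"} or {@code "false"}
         */
        @Restricted({NoExternalUse.class})
        public String doCheckPasswordRequested(StaplerRequest staplerRequest, @QueryParameter String str) {
            // trimToEmpty instead of str.trim(): an absent query parameter must not raise an NPE.
            // For a non-administrator an empty id does not match the current user, so the answer
            // stays on the "credentials required" side.
            String candidateId = StringUtils.trimToEmpty(str);
            return Boolean.toString(SpecificUsersAuthorizationStrategy.isAuthenticationRequired(candidateId));
        }

        /**
         * Validates the user id field: it must be non-blank and must not name a built-in identity.
         *
         * @param str user id typed into the form
         */
        @Restricted({NoExternalUse.class})
        public FormValidation doCheckUserid(@QueryParameter String str) {
            if (StringUtils.isBlank(str)) {
                return FormValidation.error(Messages.SpecificUsersAuthorizationStrategy_userid_required());
            }
            for (Authentication builtin : SpecificUsersAuthorizationStrategy.BUILTIN_USERS) {
                if (AuthorizeProjectUtil.userIdEquals(str, builtin.getPrincipal().toString())) {
                    return FormValidation.error(Messages.SpecificUsersAuthorizationStrategy_userid_builtin());
                }
            }
            return FormValidation.ok();
        }

        /**
         * Validates that a credential was entered when one is required.
         *
         * <p>This is UI feedback only; the credential itself is verified in the data-bound
         * constructor.
         *
         * @param staplerRequest unused
         * @param str user id typed into the form; a missing value is treated as empty
         * @param str2 credential checked when {@code z} is false (presumably the password)
         * @param str3 credential checked when {@code z} is true (presumably the API token)
         * @param z selects which of the two credentials is checked
         * @return an error when authentication is required and the selected credential is blank,
         *         otherwise OK
         */
        @Restricted({NoExternalUse.class})
        public FormValidation doCheckPassword(StaplerRequest staplerRequest, @QueryParameter String str, @QueryParameter String str2, @QueryParameter String str3, @QueryParameter boolean z) {
            if (!SpecificUsersAuthorizationStrategy.isAuthenticationRequired(StringUtils.trimToEmpty(str))) {
                return FormValidation.ok();
            }
            // The listing had this test inverted: a blank credential was accepted and a filled-in
            // one produced the "password required" error. Blank is the error case.
            String selectedCredential = z ? str3 : str2;
            if (StringUtils.isBlank(selectedCredential)) {
                return FormValidation.error(Messages.SpecificUsersAuthorizationStrategy_password_required());
            }
            return FormValidation.ok();
        }

        /**
         * Shows a warning whenever the "don't restrict job configuration" option is ticked,
         * because that option removes the per-user configuration check of this strategy.
         */
        public FormValidation doCheckDontRestrictJobConfiguration(@QueryParameter boolean z) {
            if (z) {
                return FormValidation.warning(Messages.SpecificUsersAuthorizationStrategy_dontRestrictJobConfiguration_usage());
            }
            return FormValidation.ok();
        }

        /**
         * @return {@code true} when the active security realm is not an
         *         {@link AbstractPasswordBasedSecurityRealm}; presumably the form then asks for
         *         an API token instead of a password
         */
        @Restricted({NoExternalUse.class})
        public boolean isUseApitoken() {
            return !(Jenkins.get().getSecurityRealm() instanceof AbstractPasswordBasedSecurityRealm);
        }

        /** This strategy has to be enabled explicitly. */
        @Override // org.jenkinsci.plugins.authorizeproject.AuthorizeProjectStrategyDescriptor
        public boolean isEnabledByDefault() {
            return false;
        }
    }

    /** @return the id of the user that builds run as */
    public String getUserid() {
        return this.userid;
    }

    /** @return whether the per-user job configuration check is switched off */
    public boolean isDontRestrictJobConfiguration() {
        return this.dontRestrictJobConfiguration;
    }

    @DataBoundSetter
    public void setDontRestrictJobConfiguration(boolean z) {
        this.dontRestrictJobConfiguration = z;
    }

    /**
     * Creates the strategy for the given user without verifying any credential.
     *
     * <p>Only the built-in identity check is applied here; the credential check lives in the
     * data-bound constructor, so code calling this constructor directly takes responsibility for
     * having authorized the choice of user.
     *
     * @param str user id; surrounding whitespace is trimmed
     * @throws IllegalArgumentException if the id names one of {@link #BUILTIN_USERS}
     */
    public SpecificUsersAuthorizationStrategy(String str) {
        this.userid = StringUtils.trim(str);
        this.dontRestrictJobConfiguration = false;
        for (Authentication builtin : BUILTIN_USERS) {
            if (AuthorizeProjectUtil.userIdEquals(this.userid, builtin.getPrincipal().toString())) {
                throw new IllegalArgumentException(Messages.SpecificUsersAuthorizationStrategy_userid_builtin());
            }
        }
    }

    /**
     * Creates the strategy from submitted form data, verifying the supplied credential when the
     * caller is neither an administrator nor the configured user.
     *
     * @param str user id
     * @param z {@code true} to verify {@code str2} as an API token, {@code false} to verify
     *          {@code str3} as a password
     * @param str2 API token candidate
     * @param str3 password candidate
     * @throws AccessDeniedException if authentication is required and fails
     */
    @DataBoundConstructor
    public SpecificUsersAuthorizationStrategy(String str, boolean z, String str2, String str3) throws AccessDeniedException {
        this(str);
        if (isAuthenticationRequired(getUserid()) && !authenticate(getUserid(), z, str2, str3)) {
            throw new AccessDeniedException(Messages.SpecificUsersAuthorizationStrategy_userid_authenticate());
        }
    }

    /**
     * Verifies a credential for the given user; every failure path returns {@code false}.
     *
     * @param str user id
     * @param z {@code true} to check {@code str2} against the user's {@link ApiTokenProperty},
     *          {@code false} to authenticate {@code str3} as a password through the security realm
     * @param str2 API token candidate, used only when {@code z} is true
     * @param str3 password candidate, used only when {@code z} is false
     * @return {@code true} only when the selected credential was accepted
     */
    static boolean authenticate(String str, boolean z, String str2, String str3) {
        if (z) {
            if (str2 == null) {
                return false;
            }
            // create == false: an unknown id must not create a user record as a side effect.
            User user = User.get(str, false, Collections.emptyMap());
            if (user == null) {
                return false;
            }
            ApiTokenProperty tokenProperty = user.getProperty(ApiTokenProperty.class);
            return tokenProperty != null && tokenProperty.matchesPassword(str2);
        }
        if (str3 == null) {
            return false;
        }
        try {
            Jenkins.get().getSecurityRealm().getSecurityComponents().manager.authenticate(new UsernamePasswordAuthenticationToken(str, str3));
            return true;
        } catch (Exception e) {
            // Any realm failure is treated as "not authenticated". Only the id is logged, never
            // the credential. NOTE(review): the id is caller-supplied text; confirm the log sink
            // renders it safely.
            LOGGER.log(Level.WARNING, String.format("Failed to authenticate %s", str), e);
            return false;
        }
    }

    /**
     * Decides whether a credential for {@code str} must be presented by the current caller.
     *
     * @param str user id the strategy is (or would be) configured with
     * @return {@code false} for callers holding {@code Jenkins.ADMINISTER} and for the user
     *         {@code str} itself; {@code true} otherwise, including when there is no current user
     */
    protected static boolean isAuthenticationRequired(String str) {
        if (Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
            return false;
        }
        User caller = User.current();
        if (caller == null) {
            return true;
        }
        return !AuthorizeProjectUtil.userIdEquals(caller.getId(), str);
    }

    @Override // org.jenkinsci.plugins.authorizeproject.AuthorizeProjectStrategy
    /* renamed from: getDescriptor */
    public DescriptorImpl mo3getDescriptor() {
        return (DescriptorImpl) super.mo3getDescriptor();
    }

    /**
     * Resolves the identity a build runs as.
     *
     * @param job unused
     * @param item unused
     * @return the configured user's impersonated authentication, or {@code Jenkins.ANONYMOUS}
     *         when the user does not exist or cannot be impersonated
     */
    @Override // org.jenkinsci.plugins.authorizeproject.AuthorizeProjectStrategy
    public Authentication authenticate(Job<?, ?> job, Queue.Item item) {
        User configuredUser = User.get(getUserid(), false, Collections.emptyMap());
        if (configuredUser == null) {
            return Jenkins.ANONYMOUS;
        }
        try {
            return configuredUser.impersonate();
        } catch (UsernameNotFoundException e) {
            // Fall back to the anonymous identity instead of failing open.
            LOGGER.log(Level.WARNING, String.format("Invalid User %s. Falls back to anonymous.", getUserid()), e);
            return Jenkins.ANONYMOUS;
        }
    }

    /**
     * Grants job configuration to the configured user only, unless
     * {@code dontRestrictJobConfiguration} is set, in which case it is always granted.
     *
     * <p>With the flag set, this strategy no longer stops other users from editing a job whose
     * builds run as the configured user; presumably the ordinary job permissions are then the
     * only remaining control.
     *
     * @param accessControlled not consulted
     */
    @Override // org.jenkinsci.plugins.authorizeproject.AuthorizeProjectStrategy
    public boolean hasJobConfigurePermission(AccessControlled accessControlled) {
        if (isDontRestrictJobConfiguration()) {
            return true;
        }
        return AuthorizeProjectUtil.userIdEquals(Jenkins.getAuthentication().getName(), this.userid);
    }

    /**
     * Grants changes to the authorization settings only to callers who would not have to
     * authenticate: administrators and the configured user.
     *
     * @param accessControlled not consulted
     */
    @Override // org.jenkinsci.plugins.authorizeproject.AuthorizeProjectStrategy
    public boolean hasAuthorizationConfigurePermission(AccessControlled accessControlled) {
        return !isAuthenticationRequired(getUserid());
    }

    /**
     * @param job job to inspect; may be {@code null}
     * @return the job's strategy when it is a {@link SpecificUsersAuthorizationStrategy}, else
     *         {@code null}
     */
    protected static SpecificUsersAuthorizationStrategy getCurrentStrategy(Job<?, ?> job) {
        if (job == null) {
            return null;
        }
        AuthorizeProjectProperty property = (AuthorizeProjectProperty) job.getProperty(AuthorizeProjectProperty.class);
        if (property == null) {
            return null;
        }
        AuthorizeProjectStrategy strategy = property.getStrategy();
        if (!(strategy instanceof SpecificUsersAuthorizationStrategy)) {
            return null;
        }
        return (SpecificUsersAuthorizationStrategy) strategy;
    }

    /**
     * Carries the value of the old {@code noNeedReauthentication} field over to
     * {@code dontRestrictJobConfiguration} when a configuration that still has it is loaded.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.jenkinsci.plugins.authorizeproject.AuthorizeProjectStrategy
    public Object readResolve() throws ObjectStreamException {
        SpecificUsersAuthorizationStrategy resolved = (SpecificUsersAuthorizationStrategy) super.readResolve();
        if (resolved.noNeedReauthentication != null) {
            resolved.setDontRestrictJobConfiguration(resolved.noNeedReauthentication.booleanValue());
        }
        return resolved;
    }
}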
