package com.microsoft.jenkins.azuread;

import com.cloudbees.hudson.plugins.folder.AbstractFolder;
import com.microsoft.graph.models.Group;
import com.microsoft.graph.models.User;
import com.microsoft.graph.options.HeaderOption;
import com.microsoft.graph.options.Option;
import com.microsoft.graph.options.QueryOption;
import com.microsoft.graph.requests.GraphServiceClient;
import com.microsoft.graph.requests.GroupCollectionPage;
import com.microsoft.graph.requests.UserCollectionPage;
import edu.umd.cs.findbugs.annotations.NonNull;
import hudson.Extension;
import hudson.init.InitMilestone;
import hudson.init.Initializer;
import hudson.model.AbstractItem;
import hudson.model.AutoCompletionCandidates;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.model.ItemGroup;
import hudson.model.Job;
import hudson.security.ACL;
import hudson.security.AuthorizationStrategy;
import hudson.security.GlobalMatrixAuthorizationStrategy;
import hudson.security.Permission;
import hudson.security.SecurityRealm;
import hudson.security.SidACL;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import java.util.logging.Level;
import java.util.logging.Logger;
import jenkins.model.Jenkins;
import okhttp3.Request;
import org.apache.commons.lang.StringUtils;
import org.jenkinsci.plugins.matrixauth.AuthorizationContainer;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.DoNotUse;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.kohsuke.accmod.restrictions.suppressions.SuppressRestrictedWarnings;
import org.kohsuke.stapler.QueryParameter;
import org.springframework.security.core.Authentication;

/* loaded from: input_file:WEB-INF/lib/azure-ad.jar:com/microsoft/jenkins/azuread/AzureAdMatrixAuthorizationStrategy.class */
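/**
 * Global matrix-based authorization strategy whose sids are Azure AD users and groups.
 *
 * <p>On top of the inherited matrix behaviour it (1) resolves per-job and per-folder
 * {@code AzureAdAuthorizationMatrix*Property} ACLs, (2) maps bare Azure object ids to the
 * full sid form produced by {@link ObjId2FullSidMap#generateFullSid} before every permission
 * lookup, and (3) backs the user/group autocompletion of the configuration UI with a
 * Microsoft Graph {@code $search} query.
 */
public class AzureAdMatrixAuthorizationStrategy extends GlobalMatrixAuthorizationStrategy {
    private static final Logger LOGGER = Logger.getLogger(AzureAdMatrixAuthorizationStrategy.class.getName());

    /** Upper bound on the number of candidates returned by {@link #searchAndGenerateCandidates}. */
    private static final int MAX_CANDIDATES = 20;

    @Extension
    public static final Descriptor<AuthorizationStrategy> DESCRIPTOR = new DescriptorImpl();

    /**
     * Object-id to full-sid lookup used by the {@code hasPermission} overrides. Transient: it is
     * not persisted with the strategy but refilled through {@link #add} as entries are (re)added.
     */
    private final transient ObjId2FullSidMap objId2FullSidMap = new ObjId2FullSidMap();

    /** XStream converter that persists this strategy in the parent's matrix format. */
    @SuppressRestrictedWarnings({GlobalMatrixAuthorizationStrategy.ConverterImpl.class})
    @Restricted({DoNotUse.class})
    public static class ConverterImpl extends GlobalMatrixAuthorizationStrategy.ConverterImpl {
        /** Decompiler-renamed {@code create()}: the instance populated while unmarshalling. */
        public GlobalMatrixAuthorizationStrategy m492create() {
            return new AzureAdMatrixAuthorizationStrategy();
        }

        /** Only this exact class is handled; subclasses fall through to other converters. */
        public boolean canConvert(Class cls) { // raw Class kept to match the overridden signature
            return cls == AzureAdMatrixAuthorizationStrategy.class;
        }
    }

    /** Descriptor exposing the display name and the user/group autocompletion endpoint. */
    public static class DescriptorImpl extends GlobalMatrixAuthorizationStrategy.DescriptorImpl {
        protected GlobalMatrixAuthorizationStrategy create() {
            return new AzureAdMatrixAuthorizationStrategy();
        }

        @NonNull
        public String getDisplayName() {
            return "Azure Active Directory Matrix-based security";
        }

        /**
         * Stapler autocompletion endpoint for the sid field of the matrix.
         *
         * @param str the (possibly empty) prefix typed by the user
         * @return candidates, or {@code null} when the prefix is empty or the realm is not Azure AD
         * @throws IOException declared for Stapler; not thrown by the current implementation
         */
        public AutoCompletionCandidates doAutoCompleteUserOrGroup(@QueryParameter String str) throws IOException {
            // NOTE(review): no permission check is visible here; the directory query runs for any
            // caller that can reach this descriptor method — confirm the access control upstream.
            return AzureAdMatrixAuthorizationStrategy.searchAndGenerateCandidates(str);
        }
    }

    /**
     * ACL for a job: its own matrix property (combined via its inheritance strategy) when
     * configured, otherwise the ACL of the enclosing item group.
     */
    @NonNull
    public ACL getACL(@NonNull Job<?, ?> job) {
        AzureAdAuthorizationMatrixProperty property = job.getProperty(AzureAdAuthorizationMatrixProperty.class);
        if (property == null) {
            return getACL(job.getParent());
        }
        return property.getInheritanceStrategy().getEffectiveACL(property.getACL(), job);
    }

    /**
     * Combines two ACLs so that a permission is granted if either grants it.
     *
     * @param acl  the ACL inherited from (presumably the parent; see {@code newInheritingACL})
     * @param acl2 the ACL consulted first
     * @return a {@link SidACL} chain when both sides are {@link SidACL}s, otherwise an ACL that
     *         grants SYSTEM unconditionally and then asks {@code acl2}, then {@code acl}
     */
    @Restricted({NoExternalUse.class})
    public static ACL inheritingACL(final ACL acl, final ACL acl2) {
        if (acl instanceof SidACL && acl2 instanceof SidACL) {
            return ((SidACL) acl2).newInheritingACL((SidACL) acl);
        }
        return new ACL() {
            public boolean hasPermission2(@NonNull Authentication authentication, @NonNull Permission permission) {
                return authentication.equals(ACL.SYSTEM2)
                        || acl2.hasPermission2(authentication, permission)
                        || acl.hasPermission2(authentication, permission);
            }
        };
    }

    /** ACL of an item group: the group's own ACL when it is itself an {@link Item}, else the root ACL. */
    public ACL getACL(ItemGroup<?> itemGroup) {
        if (itemGroup instanceof Item) {
            return ((Item) itemGroup).getACL();
        }
        return getRootACL();
    }

    /**
     * ACL for a generic item. Folders (when the cloudbees-folder plugin is present) may carry
     * their own matrix property; anything else inherits from its parent.
     */
    @NonNull
    public ACL getACL(@NonNull AbstractItem abstractItem) {
        if (Jenkins.get().getPlugin("cloudbees-folder") != null && abstractItem instanceof AbstractFolder) {
            AzureAdAuthorizationMatrixFolderProperty folderProperty =
                    ((AbstractFolder<?>) abstractItem).getProperties().get(AzureAdAuthorizationMatrixFolderProperty.class);
            if (folderProperty != null) {
                return folderProperty.getInheritanceStrategy().getEffectiveACL(folderProperty.getACL(), abstractItem);
            }
        }
        return getACL(abstractItem.getParent());
    }

    /**
     * Decompiler-renamed {@code getGroups()}: the union of the globally configured groups and
     * those configured on every job and folder matrix property, ordered by the matrix-auth
     * id-strategy comparator.
     */
    @SuppressRestrictedWarnings({AuthorizationContainer.IdStrategyComparator.class, AuthorizationContainer.class})
    @NonNull
    public Set<String> m491getGroups() {
        Set<String> groups = new TreeSet<>(new AuthorizationContainer.IdStrategyComparator());
        groups.addAll(super.getGroups());
        for (Job<?, ?> job : Jenkins.get().getAllItems(Job.class)) {
            AzureAdAuthorizationMatrixProperty property = job.getProperty(AzureAdAuthorizationMatrixProperty.class);
            if (property != null) {
                groups.addAll(property.getGroups());
            }
        }
        for (AbstractFolder<?> folder : Jenkins.get().getAllItems(AbstractFolder.class)) {
            AzureAdAuthorizationMatrixFolderProperty folderProperty =
                    folder.getProperties().get(AzureAdAuthorizationMatrixFolderProperty.class);
            if (folderProperty != null) {
                groups.addAll(folderProperty.getGroups());
            }
        }
        return groups;
    }

    /** Grants {@code permission} to {@code str} and records the sid for later object-id lookups. */
    public void add(Permission permission, String str) {
        super.add(permission, str);
        this.objId2FullSidMap.putFullSid(str);
    }

    /** Explicit-grant check; a {@code null} sid never matches. */
    public boolean hasExplicitPermission(String str, Permission permission) {
        if (str == null) {
            return false;
        }
        return super.hasExplicitPermission(this.objId2FullSidMap.getOrOriginal(str), permission);
    }

    /** Permission check after mapping {@code str} through the object-id to full-sid table. */
    public boolean hasPermission(String str, Permission permission) {
        return super.hasPermission(this.objId2FullSidMap.getOrOriginal(str), permission);
    }

    /** Same as {@link #hasPermission(String, Permission)} with the parent's extra flag passed through. */
    public boolean hasPermission(String str, Permission permission, boolean z) {
        return super.hasPermission(this.objId2FullSidMap.getOrOriginal(str), permission, z);
    }

    /**
     * Searches Azure AD for users, then groups, whose display name (or UPN for users) matches
     * {@code str}, capped at {@link #MAX_CANDIDATES} entries in total.
     *
     * @param str raw, user-supplied search term
     * @return full-sid candidates, or {@code null} when {@code str} is empty or the configured
     *         security realm is not an {@link AzureSecurityRealm}; an empty candidate list when
     *         the directory query fails
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static AutoCompletionCandidates searchAndGenerateCandidates(String str) {
        if (StringUtils.isEmpty(str)) {
            return null;
        }
        SecurityRealm securityRealm = Jenkins.get().getSecurityRealm();
        if (!(securityRealm instanceof AzureSecurityRealm)) {
            return null;
        }
        GraphServiceClient<Request> azureClient = ((AzureSecurityRealm) securityRealm).getAzureClient();
        List<AzureObject> matches = new ArrayList<>();
        // FINE rather than INFO: this is raw user input issued on every keystroke of the UI
        LOGGER.log(Level.FINE, "search users with prefix: {0}", str);
        try {
            for (User user : lookupUsers(str, azureClient).getCurrentPage()) {
                if (matches.size() >= MAX_CANDIDATES) {
                    break;
                }
                matches.add(new AzureObject(user.id, user.displayName));
            }
            // Groups only fill whatever room is left below the cap, same bound as for users.
            if (matches.size() < MAX_CANDIDATES) {
                for (Group group : lookupGroups(str, azureClient).getCurrentPage()) {
                    if (matches.size() >= MAX_CANDIDATES) {
                        break;
                    }
                    matches.add(new AzureObject(group.id, group.displayName));
                }
            }
        } catch (Exception e) {
            // Boundary with an external service: any failure degrades to an empty candidate list.
            LOGGER.log(Level.WARNING,
                    "Failed to search Azure AD users or groups (check the application's Graph permissions)", e);
        }
        AutoCompletionCandidates candidates = new AutoCompletionCandidates();
        for (AzureObject match : matches) {
            candidates.add(ObjId2FullSidMap.generateFullSid(match.getDisplayName(), match.getObjectId()));
        }
        return candidates;
    }

    /**
     * Escapes a user-supplied term for use inside a double-quoted Graph {@code $search} clause:
     * backslashes and double quotes are backslash-escaped so the input cannot terminate the
     * quoted term and append further search syntax.
     * NOTE(review): confirm against the Graph $search escaping rules for the SDK version in use.
     */
    private static String escapeSearchTerm(String term) {
        return term.replace("\\", "\\\\").replace("\"", "\\\"");
    }

    /** Groups whose displayName matches {@code str}, ordered by displayName (id and displayName only). */
    private static GroupCollectionPage lookupGroups(String str, GraphServiceClient<Request> graphServiceClient) {
        String term = escapeSearchTerm(str);
        List<Option> options = new ArrayList<>();
        options.add(new QueryOption("$search", String.format("\"displayName:%s\"", term)));
        // Graph advanced queries such as $search on directory objects require this header.
        options.add(new HeaderOption("ConsistencyLevel", "eventual"));
        return graphServiceClient.groups().buildRequest(options).orderBy("displayName").select("id,displayName").get();
    }

    /** Users whose displayName or userPrincipalName matches {@code str}, ordered by displayName. */
    private static UserCollectionPage lookupUsers(String str, GraphServiceClient<Request> graphServiceClient) {
        String term = escapeSearchTerm(str);
        List<Option> options = new ArrayList<>();
        options.add(new QueryOption("$search",
                String.format("\"displayName:%s\" OR \"userPrincipalName:%s\"", term, term)));
        // Graph advanced queries such as $search on directory objects require this header.
        options.add(new HeaderOption("ConsistencyLevel", "eventual"));
        return graphServiceClient.users().buildRequest(options).select("id,displayName").orderBy("displayName").get();
    }

    /**
     * Registers an XStream alias for the historically misspelled class name so configuration
     * persisted under it still loads. Runs before plugins start, i.e. before config is read.
     */
    @Initializer(before = InitMilestone.PLUGINS_STARTED)
    public static void fixClassNameTypo() {
        Jenkins.XSTREAM2.addCompatibilityAlias("com.microsoft.jenkins.azuread.AzureAdMatrixAuthorizationStategy", AzureAdMatrixAuthorizationStrategy.class);
    }
}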
