package org.jenkinsci.plugins.azurekeyvaultplugin;

import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.IdCredentials;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import com.microsoft.azure.keyvault.KeyVaultClient;
import com.microsoft.azure.keyvault.models.SecretBundle;
import com.microsoft.azure.util.AzureCredentials;
import hudson.EnvVars;
import hudson.Extension;
import hudson.FilePath;
import hudson.Launcher;
import hudson.console.ConsoleLogFilter;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.model.Run;
import hudson.model.TaskListener;
import hudson.security.ACL;
import hudson.tasks.BuildWrapperDescriptor;
import hudson.util.ListBoxModel;
import hudson.util.Secret;
import java.io.ByteArrayInputStream;
import java.io.OutputStream;
import java.net.URI;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Enumeration;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.security.auth.login.CredentialException;
import javax.security.auth.login.CredentialNotFoundException;
import javax.xml.bind.DatatypeConverter;
import jenkins.tasks.SimpleBuildWrapper;
import org.apache.commons.lang3.StringUtils;
import org.jenkinsci.Symbol;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;

/* loaded from: input_file:WEB-INF/lib/azure-keyvault.jar:org/jenkinsci/plugins/azurekeyvaultplugin/AzureKeyVaultBuildWrapper.class */
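/**
 * Build wrapper / {@code withAzureKeyvault} pipeline step that resolves secrets and certificates
 * from an Azure Key Vault and exposes them to the build as environment variables.
 *
 * <p>Secrets are bound directly as variable values. Certificates are re-packaged into an
 * empty-password PKCS#12 file in the workspace and the variable receives that file's path. Every
 * value placed in the environment is also registered with {@link MaskingConsoleLogFilter} so that
 * it is redacted from the console log.
 *
 * <p>The vault URL and the credentials used to reach it may be overridden per step via the
 * {@code *Override} setters; otherwise they fall back to {@link AzureKeyVaultGlobalConfiguration}.
 */
public class AzureKeyVaultBuildWrapper extends SimpleBuildWrapper {
    /** Key Vault PKCS#12 bundles carry no password, and the re-exported file is written the same way. */
    private static final char[] EMPTY_PASSWORD = new char[0];
    private static final Logger LOGGER = Logger.getLogger("Jenkins.AzureKeyVaultBuildWrapper");

    private final List<AzureKeyVaultSecret> azureKeyVaultSecrets;

    /**
     * Values the console filter must redact (fetched secret values and PFX paths).
     *
     * <p>Declared {@code transient} so the secrets retrieved during a build are never serialized into
     * the job's persisted configuration together with this wrapper; created lazily because XStream
     * does not run field initializers on deserialization.
     * NOTE(review): a freestyle job reuses one wrapper instance for all of its builds, so this list
     * is shared across builds and only grows; truly per-build state would have to live in the Context.
     */
    private transient List<String> valuesToMask;

    private String keyVaultURL;
    private String applicationID;
    // NOTE(review): held as a plain String, so an override secret is persisted unencrypted in the
    // job configuration. A Secret-typed field would be the safer shape; prefer credentialIDOverride.
    private String applicationSecret;
    private String credentialID;

    @Extension
    @Symbol("withAzureKeyvault")
    public static final class DescriptorImpl extends BuildWrapperDescriptor {
        public DescriptorImpl() {
            super(AzureKeyVaultBuildWrapper.class);
            load();
        }

        /**
         * Populates the credential drop-down with the Username/Password and Azure Service Principal
         * credentials visible from {@code item}.
         *
         * <p>Only users allowed to configure the item ({@code Item.EXTENDED_READ}) or to use its
         * credentials ({@code CredentialsProvider.USE_ITEM}) receive the real list. Everyone else,
         * and requests arriving with no item context, get just the empty entry, so credential IDs
         * cannot be enumerated by merely reading a job. (Relax the null-item case to an explicit
         * administer check if a context-free caller turns out to need it.)
         */
        public ListBoxModel doFillCredentialIDOverrideItems(@AncestorInPath Item item) {
            StandardListBoxModel model = new StandardListBoxModel().includeEmptyValue();
            boolean mayList = item != null
                && (item.hasPermission(Item.EXTENDED_READ)
                    || item.hasPermission(CredentialsProvider.USE_ITEM));
            if (!mayList) {
                return model;
            }
            // ACL.SYSTEM is deliberate: the listing is filtered by the item context above, and the
            // user's own authentication may not be allowed to read the credential stores directly.
            return model
                .includeAs(ACL.SYSTEM, item, StandardUsernamePasswordCredentials.class)
                .includeAs(ACL.SYSTEM, item, AzureCredentials.class);
        }

        @Override
        public boolean isApplicable(AbstractProject<?, ?> abstractProject) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Bind credentials in Azure Key Vault to variables";
        }
    }

    /**
     * @param azureKeyVaultSecrets the secrets/certificates to bind, may be null. Stapler binds this
     *     argument by parameter name, so it must match the {@code azureKeyVaultSecrets} form and
     *     pipeline key (the decompiled placeholder name would break data binding).
     */
    @DataBoundConstructor
    public AzureKeyVaultBuildWrapper(@CheckForNull List<AzureKeyVaultSecret> azureKeyVaultSecrets) {
        this.azureKeyVaultSecrets = azureKeyVaultSecrets;
    }

    public String getKeyVaultURLOverride() {
        return keyVaultURL;
    }

    @DataBoundSetter
    public void setKeyVaultURLOverride(String keyVaultURL) {
        this.keyVaultURL = keyVaultURL;
    }

    public String getApplicationIDOverride() {
        return applicationID;
    }

    @DataBoundSetter
    public void setApplicationIDOverride(String applicationID) {
        this.applicationID = applicationID;
    }

    public String getApplicationSecretOverride() {
        return applicationSecret;
    }

    @DataBoundSetter
    public void setApplicationSecretOverride(String applicationSecret) {
        this.applicationSecret = applicationSecret;
    }

    public String getCredentialIDOverride() {
        return credentialID;
    }

    @DataBoundSetter
    public void setCredentialIDOverride(String credentialID) {
        this.credentialID = credentialID;
    }

    /**
     * Effective vault URL: the step-level override if set, else the global one.
     *
     * @throws AzureKeyVaultException when neither is configured
     */
    public String getKeyVaultURL() {
        if (StringUtils.isNotEmpty(keyVaultURL)) {
            return keyVaultURL;
        }
        String globalUrl = AzureKeyVaultGlobalConfiguration.get().getKeyVaultURL();
        if (StringUtils.isNotEmpty(globalUrl)) {
            return globalUrl;
        }
        throw new AzureKeyVaultException("No key vault url configured, set one globally or in the build wrap step");
    }

    /** Lazily creates the mask list (see the field comment for why it is transient). */
    private synchronized List<String> valuesToMask() {
        if (valuesToMask == null) {
            valuesToMask = new ArrayList<>();
        }
        return valuesToMask;
    }

    /**
     * Console filter that redacts everything added to the mask list. The filter shares the live
     * list, so values added later in {@link #setUp} are also masked.
     */
    @Override
    public ConsoleLogFilter createLoggerDecorator(@Nonnull Run<?, ?> run) {
        return new MaskingConsoleLogFilter(run.getCharset().name(), valuesToMask());
    }

    /**
     * Resolves the credential used to talk to Key Vault: step-level overrides first, then the
     * globally configured credential ID.
     *
     * @throws CredentialNotFoundException when neither source yields a valid credential
     * @throws CredentialException when a referenced credential exists but has an unsupported type
     */
    public AzureKeyVaultCredential getKeyVaultCredential(Run<?, ?> run) throws CredentialException {
        LOGGER.log(Level.FINE, "Trying override credentials...");
        AzureKeyVaultCredential override = getKeyVaultCredential(run, applicationSecret, credentialID);
        if (override.isValid()) {
            LOGGER.log(Level.FINE, "Using override credentials");
            return override;
        }
        LOGGER.log(Level.FINE, "Trying global credentials");
        String globalCredentialId = AzureKeyVaultGlobalConfiguration.get().getCredentialID();
        AzureKeyVaultCredential global = getKeyVaultCredential(run, null, globalCredentialId);
        if (!global.isValid()) {
            throw new CredentialNotFoundException("Unable to find a valid credential with provided parameters");
        }
        LOGGER.log(Level.FINE, "Using global credentials");
        return global;
    }

    /**
     * Builds a credential from one source: a credential ID takes precedence over an explicit
     * application secret; with neither, an empty (invalid) credential is returned.
     *
     * @param explicitSecret application secret given directly in the step, may be null/empty
     * @param credentialId Jenkins credential ID, may be null/empty
     */
    public AzureKeyVaultCredential getKeyVaultCredential(Run<?, ?> run, String explicitSecret, String credentialId) throws CredentialException {
        if (StringUtils.isNotEmpty(credentialId)) {
            LOGGER.log(Level.FINE, "Fetching credentials by ID");
            AzureKeyVaultCredential credential = getCredentialById(credentialId, run);
            if (!credential.isApplicationIDValid()) {
                // Password-only credentials carry no client ID; take it from the override field.
                LOGGER.log(Level.FINE, "Credential is password-only. Setting the username");
                credential.setApplicationID(getApplicationID());
            }
            return credential;
        }
        if (StringUtils.isNotEmpty(explicitSecret)) {
            LOGGER.log(Level.FINE, "Using explicit application secret.");
            return new AzureKeyVaultCredential(getApplicationID(), Secret.fromString(explicitSecret));
        }
        return new AzureKeyVaultCredential();
    }

    /** Step-level application (client) ID override, or null when not set. */
    public String getApplicationID() {
        if (StringUtils.isEmpty(applicationID)) {
            return null;
        }
        LOGGER.log(Level.FINE, "Using override Application ID");
        return applicationID;
    }

    /**
     * Looks up a Jenkins credential by ID in the context of {@code run} and converts it.
     * Supported types: Username/Password (username = client ID, password = client secret) and
     * Azure Service Principal. Usage is recorded via {@link CredentialsProvider#track}.
     *
     * @throws CredentialNotFoundException when no credential with that ID is visible to the run
     * @throws CredentialException when the credential has an unsupported type
     */
    public AzureKeyVaultCredential getCredentialById(String credentialId, Run<?, ?> run) throws CredentialException {
        IdCredentials found = CredentialsProvider.findCredentialById(credentialId, IdCredentials.class, run, new DomainRequirement[0]);
        if (found == null) {
            throw new CredentialNotFoundException(credentialId);
        }
        AzureKeyVaultCredential credential = new AzureKeyVaultCredential();
        if (found instanceof StandardUsernamePasswordCredentials) {
            StandardUsernamePasswordCredentials userPass = (StandardUsernamePasswordCredentials) found;
            LOGGER.log(Level.FINE, String.format("Fetched %s as StandardUsernamePasswordCredentials", credentialId));
            CredentialsProvider.track(run, found);
            credential.setApplicationID(userPass.getUsername());
            credential.setApplicationSecret(userPass.getPassword());
            return credential;
        }
        if (found instanceof AzureCredentials) {
            AzureCredentials azure = (AzureCredentials) found;
            LOGGER.log(Level.FINE, String.format("Fetched %s as AzureCredentials", credentialId));
            CredentialsProvider.track(run, found);
            credential.setApplicationID(azure.getClientId());
            credential.setApplicationSecret(azure.getPlainClientSecret());
            return credential;
        }
        throw new CredentialException("Could not determine the type for Secret id " + credentialId + " only 'Username/Password', and 'Microsoft Azure Service Principal' are supported");
    }

    public List<AzureKeyVaultSecret> getAzureKeyVaultSecrets() {
        return azureKeyVaultSecrets;
    }

    @Override
    public DescriptorImpl getDescriptor() {
        return (DescriptorImpl) super.getDescriptor();
    }

    /**
     * Fetches one secret bundle; any client failure is wrapped with the secret name and vault URL.
     * May return null if the client reports the secret as absent.
     */
    private SecretBundle getSecret(KeyVaultClient client, AzureKeyVaultSecret kvSecret) {
        String vaultUrl = getKeyVaultURL();
        try {
            return client.getSecret(vaultUrl, kvSecret.getName(), kvSecret.getVersion());
        } catch (Exception e) {
            throw new AzureKeyVaultException(String.format("Failed to retrieve secret %s from vault %s, error message: %s", kvSecret.getName(), vaultUrl, e.getMessage()), e);
        }
    }

    /**
     * Re-packages a base64-encoded PKCS#12 bundle (the form Key Vault returns for certificates)
     * into a fresh, empty-password PKCS#12 file in the workspace and returns the file's path.
     *
     * @throws AzureKeyVaultException on any decoding, keystore or file error
     */
    private String writeCertificateToWorkspace(FilePath workspace, String base64Pfx) {
        try {
            // MIME decoder: tolerates line breaks/whitespace like the javax.xml.bind converter did,
            // while staying on the JDK (javax.xml.bind is gone from Java 11+).
            byte[] pfxBytes = Base64.getMimeDecoder().decode(base64Pfx);
            KeyStore source = KeyStore.getInstance("PKCS12");
            source.load(new ByteArrayInputStream(pfxBytes), EMPTY_PASSWORD);
            KeyStore target = KeyStore.getInstance("PKCS12");
            target.load(null, null);
            Enumeration<String> aliases = source.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                target.setKeyEntry(alias, source.getKey(alias, EMPTY_PASSWORD), EMPTY_PASSWORD, source.getCertificateChain(alias));
            }
            FilePath pfxFile = workspace.createTempFile("keyvault", "pfx");
            try (OutputStream out = pfxFile.write()) {
                target.store(out, EMPTY_PASSWORD);
            }
            // The file holds an unencrypted private key; keep it owner-only (no-op on Windows).
            pfxFile.chmod(0600);
            return pfxFile.toURI().getPath();
        } catch (Exception e) {
            throw new AzureKeyVaultException(e.getMessage(), e);
        }
    }

    /**
     * Resolves every configured secret/certificate and binds it into the build environment.
     * Secret values (and certificate file paths) are added to the console mask list first.
     *
     * @throws AzureKeyVaultException when no valid credential is available, a secret is missing,
     *     or the vault/keystore operations fail
     */
    @Override
    public void setUp(SimpleBuildWrapper.Context context, Run<?, ?> run, FilePath filePath, Launcher launcher, TaskListener taskListener, EnvVars envVars) {
        if (azureKeyVaultSecrets == null || azureKeyVaultSecrets.isEmpty()) {
            return;
        }
        KeyVaultClient client;
        try {
            AzureKeyVaultCredential credential = getKeyVaultCredential(run);
            if (credential == null || !credential.isValid()) {
                throw new AzureKeyVaultException("No valid credentials were found for accessing KeyVault");
            }
            client = new KeyVaultClient(credential);
        } catch (CredentialException e) {
            throw new AzureKeyVaultException(e.getMessage(), e);
        }
        String vaultUrl = getKeyVaultURL();
        List<String> masked = valuesToMask();
        for (AzureKeyVaultSecret kvSecret : azureKeyVaultSecrets) {
            if (kvSecret.isPassword()) {
                SecretBundle bundle = getSecret(client, kvSecret);
                if (bundle == null) {
                    throw new AzureKeyVaultException(String.format("Secret: %s not found in vault: %s", kvSecret.getName(), vaultUrl));
                }
                masked.add(bundle.value());
                context.env(kvSecret.getEnvVariable(), bundle.value());
            } else if (kvSecret.isCertificate()) {
                SecretBundle bundle = getSecret(client, kvSecret);
                if (bundle == null) {
                    throw new AzureKeyVaultException(String.format("Certificate: %s not found in vault: %s", kvSecret.getName(), vaultUrl));
                }
                String pfxPath = writeCertificateToWorkspace(filePath, bundle.value());
                masked.add(pfxPath);
                context.env(kvSecret.getEnvVariable(), pfxPath);
            }
            // Entries that are neither password nor certificate are skipped.
        }
    }
}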
