package org.jenkinsci.plugins.azurekeyvaultplugin;

import com.cloudbees.plugins.credentials.Credentials;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.CredentialsScope;
import com.cloudbees.plugins.credentials.CredentialsStore;
import com.cloudbees.plugins.credentials.common.IdCredentials;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Suppliers;
import com.microsoft.azure.keyvault.KeyVaultClient;
import com.microsoft.azure.keyvault.authentication.KeyVaultCredentials;
import com.microsoft.azure.keyvault.models.KeyVaultErrorException;
import com.microsoft.azure.keyvault.models.SecretItem;
import com.microsoft.jenkins.keyvault.SecretStringCredentials;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.Nullable;
import hudson.Extension;
import hudson.model.ItemGroup;
import hudson.model.ModelObject;
import hudson.security.ACL;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;
import java.util.logging.Level;
import java.util.logging.Logger;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import okhttp3.OkHttpClient;
import org.acegisecurity.Authentication;
import org.apache.commons.lang3.StringUtils;

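/**
 * Jenkins {@link CredentialsProvider} that exposes the secrets of one Azure Key Vault as
 * credentials.
 *
 * <p>The secret list is fetched through {@link #fetchCredentials()} and cached for
 * {@link #CACHE_TTL}. Only secret identifiers are listed by this class; no secret value is read
 * here. Credentials are handed out exclusively to {@link ACL#SYSTEM}; every other caller gets an
 * empty list.
 */
@Extension
/* loaded from: input_file:WEB-INF/lib/azure-keyvault.jar:org/jenkinsci/plugins/azurekeyvaultplugin/AzureCredentialsProvider.class */
public class AzureCredentialsProvider extends CredentialsProvider {
    private static final Logger LOG = Logger.getLogger(AzureCredentialsProvider.class.getName());

    /** How long a fetched secret list is served before Key Vault is queried again. */
    private static final Duration CACHE_TTL = Duration.ofMinutes(5);

    private final AzureCredentialsStore store = new AzureCredentialsStore(this);

    // volatile: refreshCredentials() swaps this reference while lookups may be reading it on
    // other threads; without it a reader could keep using the stale supplier indefinitely.
    private volatile Supplier<Collection<IdCredentials>> credentialsSupplier =
            memoizeWithExpiration(AzureCredentialsProvider::fetchCredentials, CACHE_TTL);

    /**
     * Wraps {@code supplier} in Guava's expiring memoizer and adapts the result back to
     * {@link java.util.function.Supplier}.
     *
     * @param supplier the delegate that produces the value; must not be null
     * @param duration how long a produced value is reused
     * @return a supplier that reuses the delegate's value for {@code duration}
     * @throws NullPointerException if {@code supplier} is null (raised by the bound method
     *     reference)
     */
    private static <T> Supplier<T> memoizeWithExpiration(Supplier<T> supplier, Duration duration) {
        com.google.common.base.Supplier<T> memoized =
                Suppliers.memoizeWithExpiration(supplier::get, duration.toMillis(), TimeUnit.MILLISECONDS);
        return memoized::get;
    }

    /**
     * Drops the cached secret list by installing a fresh memoizing supplier, so the next lookup
     * queries Key Vault again.
     *
     * <p>NOTE(review): this method is public and performs no permission check itself; confirm
     * that every caller enforces one.
     */
    public void refreshCredentials() {
        this.credentialsSupplier = memoizeWithExpiration(AzureCredentialsProvider::fetchCredentials, CACHE_TTL);
    }

    /**
     * Returns the cached Key Vault credentials that are instances of {@code cls}.
     *
     * @param cls the credential type requested
     * @param itemGroup ignored by this provider
     * @param authentication the caller; anything other than {@link ACL#SYSTEM} (including
     *     {@code null}) receives an empty list
     * @return the matching credentials, or an empty list when the caller is not SYSTEM or the
     *     secrets could not be retrieved
     */
    @NonNull
    @Override
    public <C extends Credentials> List<C> getCredentials(@NonNull Class<C> cls, @Nullable ItemGroup itemGroup, @Nullable Authentication authentication) {
        // NOTE(review): this sets the OkHttpClient java.util.logging logger to FINE on every
        // lookup, which is a process-wide side effect. It looks like a diagnostic left-over;
        // confirm it is intended and review what that logger emits at FINE on this controller.
        Logger.getLogger(OkHttpClient.class.getName()).setLevel(Level.FINE);

        // Fail closed: Key Vault secrets are only released to the SYSTEM identity.
        if (!ACL.SYSTEM.equals(authentication)) {
            return Collections.emptyList();
        }

        List<C> matches = new ArrayList<>();
        try {
            for (IdCredentials candidate : this.credentialsSupplier.get()) {
                if (cls.isInstance(candidate)) {
                    matches.add(cls.cast(candidate));
                } else {
                    // Logged only for real mismatches; previously this line also fired for
                    // credentials that had just been added, which made the trace misleading.
                    LOG.log(Level.FINEST, "getCredentials {0} does not match", candidate.getId());
                }
            }
            return matches;
        } catch (KeyVaultErrorException e) {
            LOG.log(Level.WARNING, "Error retrieving secrets from Azure KeyVault: " + e.getMessage(), e);
            return Collections.emptyList();
        } catch (AzureKeyVaultException e) {
            // fetchCredentials()/getSecretName() raise this for missing configuration or a
            // malformed secret id. Treat it like a Key Vault error so this provider returns no
            // credentials instead of propagating out of the lookup.
            LOG.log(Level.WARNING, "Error retrieving secrets from Azure KeyVault: " + e.getMessage(), e);
            return Collections.emptyList();
        }
    }

    /**
     * Extracts the secret name from a Key Vault item id, i.e. the text after the last
     * {@code '/'}.
     *
     * @param str the Key Vault item id
     * @return the part of {@code str} after its last slash (empty if the id ends with a slash)
     * @throws AzureKeyVaultException if {@code str} is null or empty, or contains no slash
     */
    @VisibleForTesting
    static String getSecretName(String str) {
        if (StringUtils.isEmpty(str)) {
            throw new AzureKeyVaultException("Empty id for key vault item.");
        }
        int lastSlash = str.lastIndexOf('/');
        if (lastSlash < 0) {
            throw new AzureKeyVaultException("Wrong pattern for key vault item id.");
        }
        return str.substring(lastSlash + 1);
    }

    /**
     * Lists the secrets of the globally configured Key Vault and wraps each one in a
     * {@link SecretStringCredentials} with {@link CredentialsScope#GLOBAL}.
     *
     * @return one credential per listed secret, or an empty list when the configured credential
     *     id cannot be resolved
     * @throws AzureKeyVaultException if the global configuration object is missing or a secret id
     *     is malformed
     */
    private static Collection<IdCredentials> fetchCredentials() {
        AzureKeyVaultGlobalConfiguration config =
                GlobalConfiguration.all().get(AzureKeyVaultGlobalConfiguration.class);
        if (config == null) {
            throw new AzureKeyVaultException("No global key vault url configured.");
        }
        String credentialID = config.getCredentialID();
        KeyVaultCredentials vaultCredentials = AzureKeyVaultCredentialRetriever.getCredentialById(credentialID);
        if (vaultCredentials == null) {
            return Collections.emptyList();
        }

        KeyVaultClient client = new KeyVaultClient(vaultCredentials);
        try {
            String keyVaultURL = config.getKeyVaultURL();
            List<IdCredentials> found = new ArrayList<>();
            for (SecretItem item : client.getSecrets(keyVaultURL)) {
                // Only the identifier is used here; no secret value is requested in this loop.
                String id = item.id();
                found.add(new SecretStringCredentials(CredentialsScope.GLOBAL, getSecretName(id), id, credentialID, id));
            }
            // The list is cached and shared between lookups, so hand out a read-only view.
            return Collections.unmodifiableList(found);
        } finally {
            // Release pooled connections even when listing fails part-way; the original skipped
            // this on exceptions and left the connections to the pool's own timeout.
            client.httpClient().connectionPool().evictAll();
        }
    }

    /**
     * Returns this provider's store for the Jenkins root object and {@code null} for every other
     * context.
     *
     * @param modelObject the context being asked about
     * @return the store when {@code modelObject} is the Jenkins instance, otherwise {@code null}
     */
    @Override
    public CredentialsStore getStore(ModelObject modelObject) {
        return modelObject == Jenkins.get() ? this.store : null;
    }

    /** Returns the CSS icon class name used for this provider. */
    @Override
    public String getIconClassName() {
        return "icon-azure-key-vault-credentials-store";
    }
}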
