package org.jenkinsci.plugins.azurekeyvaultplugin;

import com.azure.core.credential.TokenCredential;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;
import com.microsoft.azure.util.AzureCredentials;
import hudson.EnvVars;
import hudson.Extension;
import hudson.FilePath;
import hudson.Launcher;
import hudson.Util;
import hudson.console.ConsoleLogFilter;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.model.Run;
import hudson.model.TaskListener;
import hudson.tasks.BuildWrapperDescriptor;
import hudson.util.ListBoxModel;
import io.jenkins.plugins.azuresdk.HttpClientRetriever;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Logger;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import jenkins.tasks.SimpleBuildWrapper;
import org.apache.commons.lang3.StringUtils;
import org.jenkinsci.Symbol;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.verb.POST;

/* loaded from: input_file:org/jenkinsci/plugins/azurekeyvaultplugin/AzureKeyVaultBuildWrapper.class */
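/**
 * Build wrapper that fetches the configured entries from an Azure Key Vault and binds them to
 * environment variables for the duration of a build.
 *
 * <p>Password entries are exported by value and registered for console masking; certificate
 * entries are written to disk by {@link AzureKeyVaultUtil#convertAndWritePfxToDisk} and the value
 * it returns is exported instead.
 *
 * <p>Every connection setting can be overridden per step. An unset override falls back to
 * {@link AzureKeyVaultGlobalConfiguration}.
 */
public class AzureKeyVaultBuildWrapper extends SimpleBuildWrapper {
    private static final Logger LOGGER = Logger.getLogger("Jenkins.AzureKeyVaultBuildWrapper");

    private final List<AzureKeyVaultSecret> azureKeyVaultSecrets;

    // Secret values handed to the console masking filter. setUp() appends to this list and
    // createLoggerDecorator() passes the same list instance to the filter.
    // NOTE(review): the field is neither transient nor ever cleared, so fetched values stay on
    // this wrapper instance after the build. Confirm the instance is not persisted or shared
    // between builds.
    private final List<String> valuesToMask = new ArrayList<>();

    // Per-step overrides. Each setter normalises its input with Util.fixEmpty.
    private String keyVaultURL;
    private String applicationID;
    // NOTE(review): held as a plain String in the step configuration. The error message in
    // getKeyVaultCredential(Run, String, String, String) already steers users towards
    // credential-based setup. Prefer credentialID so the secret stays out of the configuration.
    private String applicationSecret;
    private String credentialID;
    private String tenantId;

    /** Descriptor that registers the wrapper under the {@code withAzureKeyvault} symbol. */
    @Extension
    @Symbol({"withAzureKeyvault"})
    public static final class DescriptorImpl extends BuildWrapperDescriptor {
        public DescriptorImpl() {
            super(AzureKeyVaultBuildWrapper.class);
            load();
        }

        /**
         * Fills the credential drop-down for the step configuration form.
         *
         * <p>NOTE(review): this method only delegates. Any permission check on {@code item}
         * has to happen inside {@link AzureKeyVaultUtil#doFillCredentialIDItems}; confirm it does.
         *
         * @param item the item the form is rendered for
         * @return the list box model produced by the shared helper
         */
        @POST
        public ListBoxModel doFillCredentialIDOverrideItems(@AncestorInPath Item item) {
            return AzureKeyVaultUtil.doFillCredentialIDItems(item);
        }

        /** The wrapper is offered for every project type. */
        public boolean isApplicable(AbstractProject<?, ?> abstractProject) {
            return true;
        }

        public String getDisplayName() {
            return "Bind credentials in Azure Key Vault to variables";
        }
    }

    /**
     * @param list the vault entries to bind; may be {@code null}, in which case
     *     {@link #setUp} does nothing
     */
    @DataBoundConstructor
    public AzureKeyVaultBuildWrapper(@CheckForNull List<AzureKeyVaultSecret> list) {
        this.azureKeyVaultSecrets = list;
    }

    /** @return the per-step vault URL, or {@code null} when no override is set */
    public String getKeyVaultURLOverride() {
        return this.keyVaultURL;
    }

    @DataBoundSetter
    public void setKeyVaultURLOverride(String str) {
        this.keyVaultURL = Util.fixEmpty(str);
    }

    /** @return the per-step application (client) ID, or {@code null} when no override is set */
    public String getApplicationIDOverride() {
        return this.applicationID;
    }

    @DataBoundSetter
    public void setApplicationIDOverride(String str) {
        this.applicationID = Util.fixEmpty(str);
    }

    /** @return the per-step application secret, or {@code null} when no override is set */
    public String getApplicationSecretOverride() {
        return this.applicationSecret;
    }

    @DataBoundSetter
    public void setApplicationSecretOverride(String str) {
        this.applicationSecret = Util.fixEmpty(str);
    }

    /** @return the per-step credential ID, or {@code null} when no override is set */
    public String getCredentialIDOverride() {
        return this.credentialID;
    }

    @DataBoundSetter
    public void setCredentialIDOverride(String str) {
        this.credentialID = Util.fixEmpty(str);
    }

    /** @return the per-step tenant ID, or {@code null} when no override is set */
    public String getTenantIdOverride() {
        return this.tenantId;
    }

    @DataBoundSetter
    public void setTenantIdOverride(String str) {
        this.tenantId = Util.fixEmpty(str);
    }

    /**
     * Resolves the vault URL, preferring the per-step override over the global configuration.
     *
     * @return the vault URL to connect to
     * @throws AzureKeyVaultException if neither the step nor the global configuration sets one
     */
    public String getKeyVaultURL() {
        AzureKeyVaultGlobalConfiguration globalConfig = AzureKeyVaultGlobalConfiguration.get();
        if (StringUtils.isNotEmpty(this.keyVaultURL)) {
            return this.keyVaultURL;
        }
        String globalUrl = globalConfig.getKeyVaultURL();
        if (StringUtils.isNotEmpty(globalUrl)) {
            return globalUrl;
        }
        throw new AzureKeyVaultException("No key vault url configured, set one globally or in the build wrap step");
    }

    /**
     * Creates the console filter that masks fetched secret values.
     *
     * <p>The filter receives the live {@code valuesToMask} list, not a copy, so values that
     * {@link #setUp} adds afterwards are visible through the same reference.
     */
    public ConsoleLogFilter createLoggerDecorator(@Nonnull Run<?, ?> run) {
        return new MaskingConsoleLogFilter(run.getCharset().name(), this.valuesToMask);
    }

    /**
     * Resolves the credential used to talk to the vault: per-step overrides first, then the
     * credential ID from the global configuration.
     *
     * @param run the build the credential is resolved for
     * @return a usable credential, never {@code null}
     * @throws AzureKeyVaultException if neither the overrides nor the global configuration
     *     yield a credential
     */
    public TokenCredential getKeyVaultCredential(Run<?, ?> run) {
        LOGGER.fine("Trying override credentials...");
        TokenCredential overrideCredential =
                getKeyVaultCredential(run, this.applicationSecret, this.credentialID, this.tenantId);
        if (overrideCredential != null) {
            LOGGER.fine("Using override credentials");
            return overrideCredential;
        }
        LOGGER.fine("Trying global credentials");
        String globalCredentialId = AzureKeyVaultGlobalConfiguration.get().getCredentialID();
        TokenCredential globalCredential = getKeyVaultCredential(run, null, globalCredentialId, null);
        if (globalCredential != null) {
            return globalCredential;
        }
        throw new AzureKeyVaultException("Unable to find a valid credential with provided parameters");
    }

    /**
     * Builds a credential from explicit parameters. A credential ID takes precedence over an
     * application secret.
     *
     * @param run the build used to look up a credential by ID
     * @param str application (client) secret; only consulted when {@code str2} is empty
     * @param str2 credential ID to look up
     * @param str3 tenant ID; required when {@code str} is used
     * @return the credential, or {@code null} when neither a credential ID nor a secret is given
     *     (the ID lookup itself may also return {@code null}; its contract is not visible here)
     * @throws IllegalArgumentException if a secret is supplied without a tenant ID
     */
    @CheckForNull
    public TokenCredential getKeyVaultCredential(Run<?, ?> run, String str, String str2, String str3) {
        if (StringUtils.isNotEmpty(str2)) {
            LOGGER.fine("Fetching credentials by ID");
            return AzureKeyVaultCredentialRetriever.getCredentialById(str2, run);
        }
        if (StringUtils.isEmpty(str)) {
            return null;
        }
        if (StringUtils.isEmpty(str3)) {
            throw new IllegalArgumentException("Set `tenantId` in your withAzureKeyVault configuration, or migrate to using either a 'Azure Service Principal' or a 'Azure Managed Identity'");
        }
        LOGGER.fine("Using explicit application secret.");
        // NOTE(review): getApplicationID() returns null when no application ID override is set,
        // and that null is passed straight to the builder.
        return new ClientSecretCredentialBuilder()
                .clientId(getApplicationID())
                .clientSecret(str)
                .httpClient(HttpClientRetriever.get())
                .tenantId(str3)
                .build();
    }

    /** @return the per-step application ID, or {@code null} when none is set */
    public String getApplicationID() {
        if (StringUtils.isEmpty(this.applicationID)) {
            return null;
        }
        LOGGER.fine("Using override Application ID");
        return this.applicationID;
    }

    /** @return the configured vault entries; {@code null} if none were supplied */
    public List<AzureKeyVaultSecret> getAzureKeyVaultSecrets() {
        return this.azureKeyVaultSecrets;
    }

    /*
     * The method name is a decompiler artefact: per the decompiler note this was getDescriptor,
     * merged with its bridge method. The cast narrows the superclass return type to the
     * descriptor declared above.
     */
    public DescriptorImpl m2getDescriptor() {
        return (DescriptorImpl) super.getDescriptor();
    }

    /** Fetches one entry from the vault through the shared retriever. */
    private KeyVaultSecret getSecret(SecretClient secretClient, AzureKeyVaultSecret azureKeyVaultSecret) {
        return AzureKeyVaultCredentialRetriever.getSecretBundle(secretClient, azureKeyVaultSecret);
    }

    /**
     * Fetches every configured entry and binds it to its environment variable.
     *
     * <p>Entries that are neither passwords nor certificates are skipped. Password values are
     * also registered for console masking.
     *
     * @throws AzureKeyVaultException if an entry is missing from the vault, if no vault URL or
     *     credential can be resolved, or if writing a certificate to disk fails
     */
    public void setUp(SimpleBuildWrapper.Context context, Run<?, ?> run, FilePath filePath, Launcher launcher, TaskListener taskListener, EnvVars envVars) {
        if (this.azureKeyVaultSecrets == null || this.azureKeyVaultSecrets.isEmpty()) {
            return;
        }
        // Credential first, URL second: the same order in which the original call evaluated its
        // arguments, so a misconfigured step still reports the same error.
        // NOTE(review): the URL and the credential are resolved independently, so a per-step URL
        // override can end up paired with the global credential. Confirm that everyone allowed
        // to set the override is also meant to use that credential.
        TokenCredential credential = getKeyVaultCredential(run);
        String vaultUrl = getKeyVaultURL();
        SecretClient client = AzureCredentials.createKeyVaultClient(credential, vaultUrl);

        for (AzureKeyVaultSecret requested : this.azureKeyVaultSecrets) {
            boolean password = requested.isPassword();
            if (!password && !requested.isCertificate()) {
                continue;
            }
            KeyVaultSecret fetched = getSecret(client, requested);
            if (fetched == null) {
                String kind = password ? "Secret" : "Certificate";
                throw new AzureKeyVaultException(
                        String.format("%s: %s not found in vault: %s", kind, requested.getName(), vaultUrl));
            }
            String value = fetched.getValue();
            if (password) {
                // A null or empty value has nothing to mask; keep it out of the list rather than
                // rely on how the masking filter treats such an entry (not visible here).
                if (StringUtils.isNotEmpty(value)) {
                    this.valuesToMask.add(value);
                }
                context.env(requested.getEnvVariable(), value);
            } else {
                try {
                    context.env(requested.getEnvVariable(), AzureKeyVaultUtil.convertAndWritePfxToDisk(filePath, value));
                } catch (Exception e) {
                    throw new AzureKeyVaultException(e.getMessage(), e);
                }
            }
        }
    }
}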
