package org.jenkinsci.plugins.azurekeyvaultplugin;

import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.models.SecretProperties;
import com.cloudbees.plugins.credentials.Credentials;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.CredentialsStore;
import com.cloudbees.plugins.credentials.common.IdCredentials;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.github.benmanes.caffeine.cache.LoadingCache;
import com.google.common.annotations.VisibleForTesting;
import com.microsoft.jenkins.keyvault.SecretClientCache;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.Nullable;
import hudson.Extension;
import hudson.model.ItemGroup;
import hudson.model.ModelObject;
import hudson.security.ACL;
import hudson.util.Secret;
import java.net.MalformedURLException;
import java.net.URL;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.function.Supplier;
import java.util.logging.Level;
import java.util.logging.Logger;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.acegisecurity.Authentication;
import org.apache.commons.lang3.StringUtils;
import org.jenkinsci.plugins.azurekeyvaultplugin.credentials.sshuserprivatekey.AzureSSHUserPrivateKeyCredentials;
import org.jenkinsci.plugins.azurekeyvaultplugin.credentials.string.AzureSecretStringCredentials;
import org.jenkinsci.plugins.azurekeyvaultplugin.credentials.usernamepassword.AzureUsernamePasswordCredentials;

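@Extension
/**
 * Jenkins {@link CredentialsProvider} that exposes the secrets of one Azure Key Vault as credentials.
 *
 * <p>The vault URL and the credential used to reach it come from {@link AzureKeyVaultGlobalConfiguration}.
 * The listing is kept in a single-entry cache (key {@link #CACHE_KEY}) that expires 120 minutes after
 * it was written and is refreshed 10 minutes after it was written.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@link #getCredentials} only answers {@link ACL#SYSTEM}; every other authentication gets an empty list.</li>
 *   <li>Listing reads secret <em>properties</em> only. Secret values are fetched through
 *       {@link KeyVaultSecretRetriever} when its {@code get()} is called. The one exception is an SSH key
 *       passphrase, which is fetched while the listing is built and therefore lives inside the cached
 *       credential object.</li>
 *   <li>The credential type and username are taken from tags on the vault secret, so whoever may tag
 *       secrets in the vault controls how Jenkins interprets them.</li>
 * </ul>
 */
public class AzureCredentialsProvider extends CredentialsProvider {
    private static final Logger LOG = Logger.getLogger(AzureCredentialsProvider.class.getName());
    private static final String CACHE_KEY = "key";
    private static final String DEFAULT_TYPE = "string";
    private final AzureCredentialsStore store = new AzureCredentialsStore(this);
    private final LoadingCache<String, Collection<IdCredentials>> cache = Caffeine.newBuilder()
            .maximumSize(1)
            .expireAfterWrite(Duration.ofMinutes(120))
            .refreshAfterWrite(Duration.ofMinutes(10))
            .build(key -> fetchCredentials());

    /**
     * Supplies the value of one vault secret, looked up by the secret's id URL.
     *
     * <p>Only the path of the id URL is used; the host is not compared with anything. The secret is
     * always requested from whatever vault the given {@link SecretClient} is bound to.
     *
     * <p>NOTE(review): the decompiler output this listing came from reports that the access modifier
     * of this class was changed from private. Confirm against the original source before treating the
     * public visibility as intended.
     */
    public static class KeyVaultSecretRetriever implements Supplier<Secret> {
        private final transient SecretClient client;
        private final String secretId;

        /**
         * @param secretClient client used for the lookup
         * @param secretId     id URL of the secret, with a path of the form {@code /secrets/<name>[/<version>]}
         */
        public KeyVaultSecretRetriever(SecretClient secretClient, String secretId) {
            this.client = secretClient;
            this.secretId = secretId;
        }

        /**
         * Fetches the plain-text value of the secret.
         *
         * @return the secret value as returned by the client
         * @throws IllegalArgumentException if the id URL path does not contain a secret name
         * @throws RuntimeException         wrapping {@link MalformedURLException} if the id is not a URL
         */
        public String retrieveSecret() {
            final String[] segments;
            try {
                segments = new URL(this.secretId).getPath().split("/");
            } catch (MalformedURLException e) {
                throw new RuntimeException(e);
            }
            // segments[0] is the empty string before the leading '/', segments[1] the collection name.
            // Without this guard a short path surfaced as ArrayIndexOutOfBoundsException.
            if (segments.length < 3 || StringUtils.isBlank(segments[2])) {
                throw new IllegalArgumentException(
                        "Key vault secret id has no secret name in its path: " + this.secretId);
            }
            if (segments.length == 3) {
                // No version segment: ask for the secret by name only.
                return this.client.getSecret(segments[2]).getValue();
            }
            return this.client.getSecret(segments[2], segments[3]).getValue();
        }

        /** Returns the secret value wrapped in a Jenkins {@link Secret}. */
        @Override
        public Secret get() {
            return Secret.fromString(retrieveSecret());
        }
    }

    /** Asks the cache to reload the credential listing. */
    public void refreshCredentials() {
        this.cache.refresh(CACHE_KEY);
    }

    /**
     * Returns the cached vault credentials that are assignable to {@code cls}.
     *
     * @param cls            credential type requested by the caller
     * @param itemGroup      not used by this provider
     * @param authentication requesting identity; anything other than {@link ACL#SYSTEM} gets no credentials
     * @return matching credentials, or an empty list when access is refused or the lookup fails
     */
    @NonNull
    @Override
    public <C extends Credentials> List<C> getCredentials(@NonNull Class<C> cls, @Nullable ItemGroup itemGroup, @Nullable Authentication authentication) {
        // Fail closed: a null or non-system authentication never sees vault credentials.
        if (!ACL.SYSTEM.equals(authentication)) {
            return Collections.emptyList();
        }
        List<C> matching = new ArrayList<>();
        try {
            Collection<IdCredentials> cached = this.cache.get(CACHE_KEY);
            if (cached == null) {
                throw new IllegalStateException("Cache is not working");
            }
            for (IdCredentials candidate : cached) {
                if (cls.isAssignableFrom(candidate.getClass())) {
                    matching.add(cls.cast(candidate));
                } else {
                    // Previously logged for every entry, including the ones that did match.
                    LOG.log(Level.FINEST, "getCredentials {0} does not match", candidate.getId());
                }
            }
            return matching;
        } catch (RuntimeException e) {
            LOG.log(Level.WARNING, "Error retrieving secrets from Azure KeyVault: " + e.getMessage(), (Throwable) e);
            return Collections.emptyList();
        }
    }

    /**
     * Extracts the part of a key vault item id that follows the last {@code '/'}.
     *
     * @param itemId id of the key vault item
     * @return the text after the last slash
     * @throws AzureKeyVaultException if the id is empty or contains no slash
     */
    @VisibleForTesting
    static String getSecretName(String itemId) {
        if (StringUtils.isEmpty(itemId)) {
            throw new AzureKeyVaultException("Empty id for key vault item.");
        }
        int lastSlash = itemId.lastIndexOf('/');
        if (lastSlash < 0) {
            throw new AzureKeyVaultException("Wrong pattern for key vault item id.");
        }
        return itemId.substring(lastSlash + 1);
    }

    /**
     * Lists the vault's secrets and maps each one to a Jenkins credential according to its tags.
     *
     * <p>Tags read here: {@code jenkins-label} (compared with the label selector), {@code type}
     * ({@code string}, {@code username} or {@code sshUserPrivateKey}; defaults to {@code string}, or to
     * {@code username} when a {@code username} tag is present), {@code username},
     * {@code username-is-secret} and {@code passphrase-id}.
     *
     * <p>NOTE(review): the decompiler output this listing came from reports that the access modifier
     * of this method was changed from private.
     *
     * @return the credentials found; an empty list when the vault URL or credential id is not
     *         configured, or when anything fails inside the lookup (the failure is logged)
     * @throws AzureKeyVaultException if no {@link AzureKeyVaultGlobalConfiguration} is registered
     */
    public static Collection<IdCredentials> fetchCredentials() {
        AzureKeyVaultGlobalConfiguration config = GlobalConfiguration.all().get(AzureKeyVaultGlobalConfiguration.class);
        if (config == null) {
            throw new AzureKeyVaultException("No global key vault url configured.");
        }
        String credentialID = config.getCredentialID();
        try {
            String keyVaultURL = config.getKeyVaultURL();
            if (StringUtils.isEmpty(keyVaultURL) || StringUtils.isEmpty(credentialID)) {
                return Collections.emptyList();
            }
            SecretClient secretClient = SecretClientCache.get(credentialID, keyVaultURL);
            String labelSelector = extractLabelSelector();
            // The passphrase id below is appended to the vault URL; make sure exactly one '/' separates them.
            String vaultBase = keyVaultURL.endsWith("/") ? keyVaultURL : keyVaultURL + "/";
            List<IdCredentials> credentials = new ArrayList<>();
            for (SecretProperties properties : secretClient.listPropertiesOfSecrets()) {
                String id = properties.getId();
                Map<String, String> tags = properties.getTags();
                if (tags == null) {
                    tags = new HashMap<>();
                }
                // With a selector configured, only secrets carrying the same jenkins-label are exposed.
                if (StringUtils.isNotBlank(labelSelector) && !labelSelector.equals(tags.get("jenkins-label"))) {
                    continue;
                }
                String type = tags.getOrDefault("type", DEFAULT_TYPE);
                if (tags.containsKey("username") && type.equals(DEFAULT_TYPE)) {
                    type = "username";
                }
                switch (type) {
                    case DEFAULT_TYPE:
                        credentials.add(new AzureSecretStringCredentials(getSecretName(id), "", new KeyVaultSecretRetriever(secretClient, id)));
                        break;
                    case "username":
                        credentials.add(new AzureUsernamePasswordCredentials(getSecretName(id), tags.get("username"), "", new KeyVaultSecretRetriever(secretClient, id)));
                        break;
                    case "sshUserPrivateKey":
                        boolean usernameIsSecret = Boolean.parseBoolean(tags.get("username-is-secret"));
                        String passphraseId = tags.get("passphrase-id");
                        Secret passphrase = null;
                        if (StringUtils.isNotBlank(passphraseId)) {
                            try {
                                // Fetched now, not lazily: the passphrase value ends up in the cached credential.
                                passphrase = new KeyVaultSecretRetriever(secretClient, vaultBase + "secrets/" + passphraseId).get();
                            } catch (Exception e) {
                                // Keep the cause in the log so a permissions problem can be told apart from a wrong id.
                                LOG.log(Level.WARNING, "Could not find passphrase with ID " + passphraseId + " in KeyVault.", e);
                                // Skip this key: do not expose it without the passphrase its tags ask for.
                                break;
                            }
                        }
                        credentials.add(new AzureSSHUserPrivateKeyCredentials(getSecretName(id), "", tags.get("username"), usernameIsSecret, passphrase, new KeyVaultSecretRetriever(secretClient, id)));
                        break;
                    default:
                        // NOTE(review): this is thrown inside the outer try, so one secret with an
                        // unrecognised type tag makes the whole listing come back empty.
                        throw new IllegalStateException("Unknown type: " + type);
                }
            }
            return credentials;
        } catch (Exception e) {
            LOG.log(Level.WARNING, "Error retrieving secrets from Azure KeyVault: " + e.getMessage(), (Throwable) e);
            return Collections.emptyList();
        }
    }

    /**
     * Reads the label selector used to filter vault secrets.
     *
     * @return the {@code AZURE_KEYVAULT_LABEL_SELECTOR} environment variable when it is not blank,
     *         otherwise the {@code jenkins.azure-keyvault.label_selector} system property (may be null)
     */
    public static String extractLabelSelector() {
        String fromEnvironment = System.getenv("AZURE_KEYVAULT_LABEL_SELECTOR");
        if (StringUtils.isNotBlank(fromEnvironment)) {
            return fromEnvironment;
        }
        return System.getProperty("jenkins.azure-keyvault.label_selector");
    }

    /**
     * Returns this provider's store for the Jenkins root object and {@code null} for anything else.
     */
    @Override
    public CredentialsStore getStore(ModelObject modelObject) {
        if (modelObject == Jenkins.get()) {
            return this.store;
        }
        return null;
    }

    /** Returns the icon class name used for this credentials store. */
    @Override
    public String getIconClassName() {
        return "icon-azure-key-vault-credentials-store";
    }
}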
