package org.jenkinsci.plugins.azurekeyvaultplugin;

import com.cloudbees.plugins.credentials.Credentials;
import com.cloudbees.plugins.credentials.CredentialsScope;
import com.cloudbees.plugins.credentials.SystemCredentialsProvider;
import com.cloudbees.plugins.credentials.common.IdCredentials;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.microsoft.azure.util.AzureBaseCredentials;
import com.microsoft.azure.util.AzureCredentials;
import com.microsoft.azure.util.AzureImdsCredentials;
import hudson.Extension;
import hudson.ExtensionList;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import java.io.IOException;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.apache.commons.lang3.StringUtils;
import org.jenkinsci.Symbol;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

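/**
 * Global Jenkins configuration for the Azure Key Vault plugin.
 *
 * <p>Holds the vault URL and the ID of the Azure credential used to reach it. Both values can be
 * set through the UI / data-bound setters, or taken from environment variables and JVM system
 * properties. Environment-derived values override the stored ones and are persisted the first
 * time the corresponding getter is called.
 *
 * <p>Security notes for operators:
 * <ul>
 *   <li>The service-principal secret is read from {@code AZURE_KEYVAULT_SP_CLIENT_SECRET} or the
 *       {@code jenkins.azure-keyvault.sp.client_secret} system property. A {@code -D} system
 *       property is part of the JVM command line, so the environment variable (or managed
 *       identity via {@code AZURE_KEYVAULT_UAMI_ENABLED}) is the less exposed option.</li>
 *   <li>The auto-generated credential is stored in the system credentials store with
 *       {@link CredentialsScope#GLOBAL}.</li>
 * </ul>
 */
@Extension
@Symbol({"azureKeyVault"})
/* loaded from: input_file:WEB-INF/lib/azure-keyvault.jar:org/jenkinsci/plugins/azurekeyvaultplugin/AzureKeyVaultGlobalConfiguration.class */
public class AzureKeyVaultGlobalConfiguration extends GlobalConfiguration {
    /** ID of the credential this class creates from environment / system-property settings. */
    public static final String GENERATED_ID = "azure-keyvault-autogenerated";
    private static final Logger LOG = Logger.getLogger(AzureKeyVaultGlobalConfiguration.class.getName());
    private static final String GENERATED_DESCRIPTION = "Auto generated credential from environment";
    private String keyVaultURL;
    private String credentialID;

    /** Creates the configuration and restores any previously persisted values. */
    public AzureKeyVaultGlobalConfiguration() {
        load();
    }

    /**
     * Returns the Key Vault URL.
     *
     * <p>Not a pure getter: when the environment supplies a URL that differs from the stored one,
     * the stored value is overwritten and saved before it is returned.
     *
     * @return the configured vault URL, or {@code null} if none is set
     */
    public String getKeyVaultURL() {
        resolveKeyVaultUrlFromEnvironment().ifPresent(url -> {
            this.keyVaultURL = url;
            save();
        });
        return this.keyVaultURL;
    }

    /**
     * Sets and persists the Key Vault URL, then asks the credentials provider to refresh.
     *
     * @param keyVaultURL the new vault URL
     */
    @DataBoundSetter
    public void setKeyVaultURL(String keyVaultURL) {
        this.keyVaultURL = keyVaultURL;
        save();
        refresh();
    }

    /** Triggers a credential refresh on the plugin's {@link AzureCredentialsProvider}. */
    private void refresh() {
        ExtensionList.lookupSingleton(AzureCredentialsProvider.class).refreshCredentials();
    }

    /**
     * Returns the ID of the credential used to authenticate against the vault.
     *
     * <p>Not a pure getter: when environment settings describe a credential that is missing from,
     * or differs from, the system credentials store, that credential is created or replaced and
     * its ID is saved here before being returned.
     *
     * @return the configured credential ID, or {@code null} if none is set
     * @throws IllegalArgumentException if a service-principal client ID is supplied without the
     *     matching secret, subscription ID or tenant ID
     */
    public String getCredentialID() {
        resolveCredentialIdFromEnvironment().ifPresent(id -> {
            this.credentialID = id;
            save();
        });
        return this.credentialID;
    }

    /**
     * Looks up the vault URL in the environment.
     *
     * @return the environment-supplied URL, or empty when none is supplied or it already equals
     *     the stored value (so callers do not save needlessly)
     */
    private Optional<String> resolveKeyVaultUrlFromEnvironment() {
        return getPropertyByEnvOrSystemProperty("AZURE_KEYVAULT_URL", "jenkins.azure-keyvault.url")
                .filter(url -> !url.equals(this.keyVaultURL));
    }

    /**
     * Creates or updates the auto-generated credential from environment settings.
     *
     * <p>Managed identity ({@code AZURE_KEYVAULT_UAMI_ENABLED=true}) takes precedence over
     * service-principal settings.
     *
     * @return {@link #GENERATED_ID} when a credential was stored, or empty when nothing is
     *     configured or the stored credential already matches
     * @throws IllegalArgumentException if the service-principal settings are incomplete
     */
    private Optional<String> resolveCredentialIdFromEnvironment() {
        Optional<Credentials> existing = SystemCredentialsProvider.getInstance().getCredentials().stream()
                .filter(candidate -> (candidate instanceof AzureCredentials || candidate instanceof AzureImdsCredentials)
                        && GENERATED_ID.equals(((IdCredentials) candidate).getId()))
                .findAny();

        boolean managedIdentityEnabled = "true".equals(
                getPropertyByEnvOrSystemProperty("AZURE_KEYVAULT_UAMI_ENABLED", "jenkins.azure-keyvault.uami.enabled")
                        .orElse("false"));
        if (managedIdentityEnabled) {
            if (existing.isPresent() && existing.get() instanceof AzureImdsCredentials) {
                return Optional.empty();
            }
            // NOTE(review): GLOBAL scope is what the original code uses; confirm that exposing the
            // generated credential beyond system-level use is intended.
            AzureImdsCredentials imdsCredentials =
                    new AzureImdsCredentials(CredentialsScope.GLOBAL, GENERATED_ID, GENERATED_DESCRIPTION);
            storeCredential(imdsCredentials);
            return Optional.of(imdsCredentials.getId());
        }

        Optional<String> clientIdSetting =
                getPropertyByEnvOrSystemProperty("AZURE_KEYVAULT_SP_CLIENT_ID", "jenkins.azure-keyvault.sp.client_id");
        // The literal value "false" is treated the same as "not set", as in the original logic.
        if (!clientIdSetting.isPresent() || clientIdSetting.get().equals("false")) {
            return Optional.empty();
        }
        String clientId = clientIdSetting.get();
        String clientSecret =
                requireProperty("AZURE_KEYVAULT_SP_CLIENT_SECRET", "jenkins.azure-keyvault.sp.client_secret");
        String subscriptionId =
                requireProperty("AZURE_KEYVAULT_SP_SUBSCRIPTION_ID", "jenkins.azure-keyvault.sp.subscription_id");
        String tenantId = requireProperty("AZURE_KEYVAULT_SP_TENANT_ID", "jenkins.azure-keyvault.sp.tenant_id");

        if (existing.isPresent()
                && existing.get() instanceof AzureCredentials
                && azureCredentialIsEqual((AzureCredentials) existing.get(), clientId, clientSecret, subscriptionId, tenantId)) {
            return Optional.empty();
        }
        AzureCredentials spCredentials = new AzureCredentials(
                CredentialsScope.GLOBAL, GENERATED_ID, GENERATED_DESCRIPTION, subscriptionId, clientId, clientSecret);
        spCredentials.setTenant(tenantId);
        storeCredential(spCredentials);
        return Optional.of(spCredentials.getId());
    }

    /**
     * Reads a mandatory setting, failing with a message that names the missing setting.
     *
     * <p>Only the setting names go into the message, never a value, so the exception is safe to
     * log.
     *
     * @throws IllegalArgumentException if neither the variable nor the property is set
     */
    private String requireProperty(String envName, String systemPropertyName) {
        return getPropertyByEnvOrSystemProperty(envName, systemPropertyName)
                .orElseThrow(() -> new IllegalArgumentException(
                        "Missing required setting: environment variable " + envName
                                + " or system property " + systemPropertyName));
    }

    /** Returns whether the stored credential carries exactly the given service-principal values. */
    private boolean azureCredentialIsEqual(
            AzureCredentials stored, String clientId, String clientSecret, String subscriptionId, String tenantId) {
        return StringUtils.equals(stored.getClientId(), clientId)
                && StringUtils.equals(stored.getPlainClientSecret(), clientSecret)
                && StringUtils.equals(stored.getSubscriptionId(), subscriptionId)
                && StringUtils.equals(stored.getTenant(), tenantId);
    }

    /**
     * Reads a setting from the environment, falling back to a JVM system property.
     *
     * @return the environment variable if set, else the system property if set, else empty
     */
    private Optional<String> getPropertyByEnvOrSystemProperty(String envName, String systemPropertyName) {
        Optional<String> fromEnv = Optional.ofNullable(System.getenv(envName));
        return fromEnv.isPresent() ? fromEnv : Optional.ofNullable(System.getProperty(systemPropertyName));
    }

    /**
     * Adds the credential to the system credentials store, replacing the first existing entry
     * with the same ID, and persists the store.
     *
     * @throws RuntimeException wrapping the {@link IOException} if the store cannot be saved
     */
    private void storeCredential(AzureBaseCredentials credential) {
        SystemCredentialsProvider provider = SystemCredentialsProvider.getInstance();
        for (int i = 0; i < provider.getCredentials().size(); i++) {
            // Keep the element typed as Credentials and cast only after the instanceof check;
            // not every stored credential is an IdCredentials.
            Credentials existing = provider.getCredentials().get(i);
            if (existing instanceof IdCredentials
                    && ((IdCredentials) existing).getId().equals(credential.getId())) {
                provider.getCredentials().remove(i);
                break;
            }
        }
        provider.getCredentials().add(credential);
        try {
            provider.save();
        } catch (IOException e) {
            throw new RuntimeException("Failed to save system credentials store", e);
        }
    }

    /**
     * Sets and persists the credential ID, then asks the credentials provider to refresh.
     *
     * @param credentialID ID of the Azure credential to use for the vault
     */
    @DataBoundSetter
    public void setCredentialID(String credentialID) {
        this.credentialID = credentialID;
        save();
        refresh();
    }

    /**
     * Form-validation endpoint that lists the vault's secrets with the chosen credential.
     *
     * <p>The permission check must stay the first statement: this endpoint uses a stored
     * credential against a URL supplied in the request, so it is restricted to administrators
     * and to POST requests.
     *
     * @param keyVaultURL vault URL taken from the form
     * @param credentialID ID of the credential taken from the form
     * @return ok with the number of secrets found, or an error describing what failed
     */
    @POST
    public FormValidation doTestConnection(
            @QueryParameter("keyVaultURL") String keyVaultURL, @QueryParameter("credentialID") String credentialID) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        // Empty form fields may arrive as "" rather than null, so reject blank as well.
        if (StringUtils.isBlank(keyVaultURL)) {
            return FormValidation.error("Key vault url is required");
        }
        if (StringUtils.isBlank(credentialID)) {
            return FormValidation.error("Credential ID is required");
        }
        try {
            long secretCount = AzureCredentials
                    .createKeyVaultClient(AzureKeyVaultCredentialRetriever.getCredentialById(credentialID), keyVaultURL)
                    .listPropertiesOfSecrets()
                    .stream()
                    .count();
            return FormValidation.ok(String.format("Success, found %d secrets in the vault", secretCount));
        } catch (RuntimeException e) {
            LOG.log(Level.WARNING, "Failed testing connection", e);
            return FormValidation.error(e, e.getMessage());
        }
    }

    /**
     * Populates the credential drop-down with Azure service-principal and managed-identity
     * credentials.
     *
     * <p>Returns an empty model, without enumerating credentials, unless the caller has
     * {@code ADMINISTER} (no item in the path) or {@code EXTENDED_READ} on the item.
     *
     * @param item the item in the request path, or {@code null} on the global page
     * @return the selectable credentials, or an empty model when the caller lacks permission
     */
    @POST
    public ListBoxModel doFillCredentialIDItems(@AncestorInPath Item item) {
        boolean permitted = (item == null)
                ? Jenkins.get().hasPermission(Jenkins.ADMINISTER)
                : item.hasPermission(Item.EXTENDED_READ);
        if (!permitted) {
            return new StandardListBoxModel();
        }
        return new StandardListBoxModel()
                .includeEmptyValue()
                .includeAs(ACL.SYSTEM, item, AzureCredentials.class)
                .includeAs(ACL.SYSTEM, item, AzureImdsCredentials.class);
    }

    /** Returns the singleton instance registered with Jenkins. */
    public static AzureKeyVaultGlobalConfiguration get() {
        return ExtensionList.lookupSingleton(AzureKeyVaultGlobalConfiguration.class);
    }
}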
