package org.jenkinsci.plugins.azurekeyvaultplugin;

import com.azure.core.credential.TokenCredential;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;
import com.microsoft.azure.util.AzureCredentials;
import edu.umd.cs.findbugs.annotations.NonNull;
import hudson.Extension;
import hudson.FilePath;
import hudson.Util;
import hudson.console.ConsoleLogFilter;
import hudson.model.Item;
import hudson.model.Run;
import hudson.util.ListBoxModel;
import io.jenkins.plugins.azuresdk.HttpClientRetriever;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.security.auth.login.CredentialNotFoundException;
import jenkins.YesNoMaybe;
import org.apache.commons.lang3.ObjectUtils;
import org.apache.commons.lang3.StringUtils;
import org.jenkinsci.plugins.credentialsbinding.masking.SecretPatterns;
import org.jenkinsci.plugins.workflow.steps.AbstractStepExecutionImpl;
import org.jenkinsci.plugins.workflow.steps.BodyExecutionCallback;
import org.jenkinsci.plugins.workflow.steps.BodyInvoker;
import org.jenkinsci.plugins.workflow.steps.EnvironmentExpander;
import org.jenkinsci.plugins.workflow.steps.Step;
import org.jenkinsci.plugins.workflow.steps.StepContext;
import org.jenkinsci.plugins.workflow.steps.StepDescriptor;
import org.jenkinsci.plugins.workflow.steps.StepExecution;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.verb.POST;

/* loaded from: input_file:WEB-INF/lib/azure-keyvault.jar:org/jenkinsci/plugins/azurekeyvaultplugin/AzureKeyVaultStep.class */
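/**
 * Pipeline block step ({@code azureKeyVault}) that reads secrets from an Azure Key Vault and
 * exposes them to the enclosed block as environment variables, with the resolved values masked
 * in the console log.
 *
 * <p>The vault URL and the Jenkins credential id may be set on the step; when a value is absent
 * the one from {@link AzureKeyVaultGlobalConfiguration} is used instead (see {@link #start}).
 * Which vault entries to fetch, and the environment variable each one maps to, is described by
 * the {@code secrets} list.
 */
public class AzureKeyVaultStep extends Step {
    private final List<AzureKeyVaultSecret> secrets;
    private String keyVaultURL;
    private String credentialID;

    /** Registers the step with the pipeline engine and backs its configuration form. */
    @Extension(dynamicLoadable = YesNoMaybe.YES, optional = true)
    public static class DescriptorImpl extends StepDescriptor {
        @NonNull
        @Override
        public String getDisplayName() {
            return "Bind credentials in Azure Key Vault to environment variables";
        }

        /**
         * Fills the credential drop-down of the step's configuration form.
         *
         * @param item the item the form belongs to; passed through so that the credential lookup
         *             can be scoped and permission-checked for that item
         * @return the selectable credentials
         */
        @POST
        public ListBoxModel doFillCredentialIDItems(@AncestorInPath Item item) {
            return AzureKeyVaultUtil.doFillCredentialIDItems(item);
        }

        @Override
        public String getFunctionName() {
            return "azureKeyVault";
        }

        /** The step always wraps a block: {@code azureKeyVault([...]) { ... }}. */
        @Override
        public boolean takesImplicitBlockArgument() {
            return true;
        }

        /** A {@link Run} is needed to resolve the Jenkins credential (see {@link ExecutionImpl#getCredential}). */
        @Override
        public Set<? extends Class<?>> getRequiredContext() {
            return Set.of(Run.class);
        }
    }

    /**
     * Runs the step: fetches the configured vault entries, then starts the body with an
     * environment expander and a console-log masking filter built from the fetched values.
     *
     * <p>Instances are serialized with the pipeline state (see {@code serialVersionUID}). The
     * legacy-auth fields below are plain strings, so an {@code applicationSecret} passed through
     * the legacy constructor is persisted in the clear alongside the build.
     * NOTE(review): consider holding it as a {@code hudson.util.Secret} instead — confirm with the
     * callers of that constructor, which are outside this file.
     */
    static class ExecutionImpl extends AbstractStepExecutionImpl {
        private final String keyVaultURL;
        private String credentialId;
        private final List<AzureKeyVaultSecret> azureKeyVaultSecrets;
        private String applicationId;
        private String applicationSecret;
        private String tenantId;
        private static final long serialVersionUID = 1;

        /**
         * Creates an execution that authenticates with a Jenkins credential.
         * (The decompiler widened this from package-private; only this class uses it.)
         *
         * @param stepContext   the pipeline context
         * @param keyVaultURL   the vault to read from
         * @param credentialId  id of the Jenkins credential used to obtain an Azure token
         * @param secrets       vault entries to fetch and their target environment variables
         */
        public ExecutionImpl(StepContext stepContext, String keyVaultURL, String credentialId, List<AzureKeyVaultSecret> secrets) {
            super(stepContext);
            this.keyVaultURL = keyVaultURL;
            this.credentialId = credentialId;
            this.azureKeyVaultSecrets = secrets;
        }

        /**
         * Creates an execution that authenticates with an explicit service principal
         * (legacy authentication; selected by {@link #isLegacyAuth()}).
         *
         * @param stepContext       the pipeline context
         * @param keyVaultURL       the vault to read from
         * @param applicationId     service principal client id
         * @param applicationSecret service principal client secret — stored as a plain string, see class doc
         * @param tenantId          Azure AD tenant id
         * @param secrets           vault entries to fetch and their target environment variables
         */
        public ExecutionImpl(StepContext stepContext, String keyVaultURL, String applicationId, String applicationSecret, String tenantId, List<AzureKeyVaultSecret> secrets) {
            super(stepContext);
            this.keyVaultURL = keyVaultURL;
            this.applicationId = applicationId;
            this.applicationSecret = applicationSecret;
            this.tenantId = tenantId;
            this.azureKeyVaultSecrets = secrets;
        }

        /** Legacy auth is in effect only when all three service-principal values are present. */
        private boolean isLegacyAuth() {
            return StringUtils.isNotEmpty(this.applicationId)
                    && StringUtils.isNotEmpty(this.applicationSecret)
                    && StringUtils.isNotEmpty(this.tenantId);
        }

        /**
         * Builds the token credential used to talk to the vault.
         *
         * @param run the current build; used to resolve {@code credentialId} in the non-legacy case
         * @return a client-secret credential (legacy) or the credential resolved from Jenkins
         */
        private TokenCredential getCredential(Run<?, ?> run) {
            if (isLegacyAuth()) {
                return new ClientSecretCredentialBuilder()
                        .clientId(this.applicationId)
                        .clientSecret(this.applicationSecret)
                        .httpClient(HttpClientRetriever.get())
                        .tenantId(this.tenantId)
                        .build();
            }
            return AzureKeyVaultCredentialRetriever.getCredentialById(this.credentialId, run);
        }

        /**
         * Fetches every configured secret and starts the body with the results injected.
         *
         * <p>The vault round-trips happen synchronously on the thread calling this method, before
         * the body is started; a failure propagates as the step's failure. The same values that
         * become environment variables are fed to the masking console filter, so they are masked
         * wherever they appear in the body's log output.
         *
         * @return {@code false}: completion is reported asynchronously through the wrapped callback
         * @throws Exception if the context lookups or the vault access fail
         */
        @Override
        public boolean start() throws Exception {
            StepContext context = getContext();
            BodyInvoker body = context.newBodyInvoker().withCallback(BodyExecutionCallback.wrap(context));

            Run<?, ?> run = context.get(Run.class);
            Map<String, String> secretsMap = getSecretsMap(getCredential(run), this.keyVaultURL, this.azureKeyVaultSecrets);

            EnvironmentExpander expander = EnvironmentExpander.merge(
                    context.get(EnvironmentExpander.class),
                    new AzureKeyVaultEnvironmentExpander(secretsMap));
            ConsoleLogFilter masking = BodyInvoker.mergeConsoleLogFilters(
                    context.get(ConsoleLogFilter.class),
                    new MaskingConsoleLogFilter(
                            StandardCharsets.UTF_8.name(),
                            SecretPatterns.getAggregateSecretPattern(secretsMap.values())));

            body.withContexts(expander, masking);
            body.start();
            return false;
        }

        /** Reads one vault entry; {@code null} when the retriever reports it missing. */
        private KeyVaultSecret getSecret(SecretClient secretClient, AzureKeyVaultSecret azureKeyVaultSecret) {
            return AzureKeyVaultCredentialRetriever.getSecretBundle(secretClient, azureKeyVaultSecret);
        }

        /**
         * Resolves the configured entries to an environment-variable map.
         *
         * <p>Password entries map to the secret's value. Certificate entries are written to the
         * node's workspace and map to whatever {@code saveCertificateToDisk} returns (presumably
         * the file path — verify in AzureKeyVaultUtil). Entries that are neither are skipped.
         *
         * @param tokenCredential  credential for the vault client
         * @param vaultUrl         the vault to read from
         * @param requestedSecrets entries to resolve; {@code null} or empty yields an empty map
         * @return environment variable name to value; mutable, never {@code null}
         * @throws AzureKeyVaultException if an entry is missing from the vault, if a certificate is
         *                                requested without a node, or if writing a certificate fails
         */
        private Map<String, String> getSecretsMap(TokenCredential tokenCredential, String vaultUrl, List<AzureKeyVaultSecret> requestedSecrets) {
            if (requestedSecrets == null || requestedSecrets.isEmpty()) {
                return Collections.emptyMap();
            }
            Map<String, String> envValues = new HashMap<>();
            SecretClient client = AzureCredentials.createKeyVaultClient(tokenCredential, vaultUrl);
            for (AzureKeyVaultSecret requested : requestedSecrets) {
                if (requested.isPassword()) {
                    KeyVaultSecret fetched = requireSecret(client, requested, "Secret", vaultUrl);
                    envValues.put(requested.getEnvVariable(), fetched.getValue());
                } else if (requested.isCertificate()) {
                    KeyVaultSecret fetched = requireSecret(client, requested, "Certificate", vaultUrl);
                    envValues.put(requested.getEnvVariable(), writeCertificate(fetched));
                }
                // any other kind of entry is silently ignored
            }
            return envValues;
        }

        /**
         * Reads one entry and fails the step if the vault does not have it.
         *
         * @param kind "Secret" or "Certificate"; used only to word the error message
         * @throws AzureKeyVaultException when the entry is not found
         */
        private KeyVaultSecret requireSecret(SecretClient client, AzureKeyVaultSecret requested, String kind, String vaultUrl) {
            KeyVaultSecret fetched = getSecret(client, requested);
            if (fetched == null) {
                throw new AzureKeyVaultException(String.format("%s: %s not found in vault: %s", kind, requested.getName(), vaultUrl));
            }
            return fetched;
        }

        /**
         * Writes a certificate entry to the node's workspace.
         *
         * @return the value {@code saveCertificateToDisk} produces for the environment variable
         * @throws AzureKeyVaultException wrapping any failure, including the absence of a
         *                                {@link FilePath} in the context (no {@code node} block)
         */
        private String writeCertificate(KeyVaultSecret certificate) {
            try {
                // A FilePath is only present inside a node block; certificates need somewhere to be written.
                FilePath workspace = Objects.requireNonNull(getContext().get(FilePath.class), "A certificate requires a `node`");
                return AzureKeyVaultUtil.saveCertificateToDisk(certificate.getProperties().getContentType(), workspace, certificate.getValue());
            } catch (Exception e) {
                throw new AzureKeyVaultException(e.getMessage(), e);
            }
        }

        /** Fails the step with the given cause; the body, if running, is failed through the context. */
        @Override
        public void stop(@Nonnull Throwable th) {
            getContext().onFailure(th);
        }
    }

    /**
     * Creates the step.
     *
     * @param secrets vault entries to fetch; Stapler binds this by parameter name, so it must
     *                match the {@code secrets} property exposed by {@link #getSecrets()}
     */
    @DataBoundConstructor
    public AzureKeyVaultStep(List<AzureKeyVaultSecret> secrets) {
        this.secrets = secrets;
    }

    public List<AzureKeyVaultSecret> getSecrets() {
        return this.secrets;
    }

    public String getKeyVaultURL() {
        return this.keyVaultURL;
    }

    /** Stores the vault URL; an empty string is normalized to {@code null} so the global value applies. */
    @DataBoundSetter
    public void setKeyVaultURL(String keyVaultURL) {
        this.keyVaultURL = Util.fixEmpty(keyVaultURL);
    }

    public String getCredentialID() {
        return this.credentialID;
    }

    /** Stores the credential id; an empty string is normalized to {@code null} so the global value applies. */
    @DataBoundSetter
    public void setCredentialID(String credentialID) {
        this.credentialID = Util.fixEmpty(credentialID);
    }

    /**
     * Resolves the effective vault URL and credential id (step value first, then the global
     * configuration) and creates the execution.
     *
     * @throws AzureKeyVaultException      if neither the step nor the global configuration names a vault
     * @throws CredentialNotFoundException if neither the step nor the global configuration names a credential
     */
    @Override
    public StepExecution start(StepContext stepContext) throws Exception {
        AzureKeyVaultGlobalConfiguration globalConfig = AzureKeyVaultGlobalConfiguration.get();

        String vaultUrl = ObjectUtils.firstNonNull(this.keyVaultURL, globalConfig.getKeyVaultURL());
        if (StringUtils.isEmpty(vaultUrl)) {
            throw new AzureKeyVaultException("No key vault url configured, set one globally or in the build wrap step");
        }

        String credentialId = ObjectUtils.firstNonNull(this.credentialID, globalConfig.getCredentialID());
        if (StringUtils.isEmpty(credentialId)) {
            throw new CredentialNotFoundException("Unable to find a valid credential with provided parameters");
        }

        return new ExecutionImpl(stepContext, vaultUrl, credentialId, this.secrets);
    }
}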
