package org.jenkinsci.plugins;

import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import hudson.Extension;
import hudson.model.Descriptor;
import hudson.model.User;
import hudson.security.SecurityRealm;
import hudson.tasks.Mailer;
import hudson.util.FormValidation;
import hudson.util.PluginServletFilter;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import jenkins.security.SecurityListener;
import net.sf.json.JSONObject;
import org.apache.commons.lang.StringUtils;
import org.jenkinsci.plugins.KeycloakAvatarProperty;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.OIDCHttpFacade;
import org.keycloak.adapters.ServerRequest;
import org.keycloak.adapters.rotation.AdapterTokenVerifier;
import org.keycloak.adapters.spi.AuthenticationError;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.spi.LogoutError;
import org.keycloak.common.util.KeycloakUriBuilder;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.IDToken;
import org.keycloak.representations.adapters.config.AdapterConfig;
import org.keycloak.util.JsonSerialization;
import org.keycloak.util.TokenUtil;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.Header;
import org.kohsuke.stapler.HttpRedirect;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;

/* loaded from: input_file:org/jenkinsci/plugins/KeycloakSecurityRealm.class */
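/**
 * Jenkins {@link SecurityRealm} that signs users in through a Keycloak server using the
 * OpenID Connect authorization-code flow.
 *
 * <p>Flow: {@link #doCommenceLogin} issues a random {@code state}, remembers it (and the page to
 * return to) in the HTTP session and redirects the browser to Keycloak; {@link #doFinishLogin}
 * receives the callback, checks the {@code state}, exchanges the {@code code} for tokens over the
 * back channel, verifies them with the Keycloak adapter and installs a {@link KeycloakAuthentication}
 * in the Spring security context.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The page the user is returned to after login comes from the {@code Referer} header and is
 *       only honoured when {@link #isSafeReturnTarget} accepts it, so this endpoint cannot be used
 *       as an open redirect.</li>
 *   <li>The {@code state} value is single-use: it is removed from the session once checked.</li>
 *   <li>The authorization code is never written to the log.</li>
 *   <li>{@link #keycloakJson} is the adapter's {@code keycloak.json}; for confidential clients it
 *       carries the client credentials. NOTE(review): it is persisted as a plain {@code String} in
 *       this realm's configuration — consider moving it to {@code hudson.util.Secret}.</li>
 * </ul>
 */
public class KeycloakSecurityRealm extends SecurityRealm {
    private static final String JENKINS_LOGIN_URL = "securityRealm/commenceLogin";
    public static final String JENKINS_FINISH_LOGIN_URL = "securityRealm/finishLogin";
    public static final String AUTH_REQUESTED = "AUTH_REQUESTED";
    private static final Logger LOGGER = Logger.getLogger(KeycloakSecurityRealm.class.getName());
    /** Session attribute holding the (vetted) URL to return to once login completes. */
    private static final String REFERER_ATTRIBUTE = KeycloakSecurityRealm.class.getName() + ".referer";
    /** Session attribute holding the one-time OAuth2 {@code state} issued by {@link #doCommenceLogin}. */
    private static final String STATE_ATTRIBUTE = "state";
    private transient KeycloakDeployment keycloakDeployment;
    private transient RefreshFilter filter;
    /** Raw Keycloak adapter configuration (keycloak.json) — see the class comment about credentials. */
    private String keycloakJson = "";
    /** Optional identity-provider alias sent as {@code kc_idp_hint}; empty means "let Keycloak choose". */
    private String keycloakIdp = "";
    private boolean keycloakValidate = false;
    private boolean keycloakRespectAccessTokenTimeout = true;

    @Extension
    /* loaded from: input_file:org/jenkinsci/plugins/KeycloakSecurityRealm$DescriptorImpl.class */
    public static final class DescriptorImpl extends Descriptor<SecurityRealm> {
        @Override
        public String getHelpFile() {
            return "/plugin/keycloak/help/help-security-realm.html";
        }

        @NonNull
        @Override
        public String getDisplayName() {
            return "Keycloak Authentication Plugin";
        }

        /**
         * Form validation for the adapter JSON: it must be non-empty and parse as an
         * {@link AdapterConfig}. Nothing from the parsed document is echoed back to the caller.
         *
         * @param str the candidate keycloak.json text
         * @return ok, or an error describing why the value is unusable
         */
        public FormValidation doCheckKeycloakJson(@QueryParameter String str) throws ServletException {
            if (StringUtils.isEmpty(str)) {
                return FormValidation.error("Keycloak JSON is required.");
            }
            try {
                JsonSerialization.readValue(str, AdapterConfig.class);
                return FormValidation.ok();
            } catch (IOException e) {
                // Deliberately do not include the parser message: it may quote the (secret-bearing) input.
                return FormValidation.error("Issue parsing keycloak adapter json. JSON does not appear valid.");
            }
        }

        /**
         * Rejects a submission without adapter JSON before the data-bound constructor runs, so the
         * user gets a form error instead of an exception.
         */
        /* renamed from: newInstance, reason: merged with bridge method [inline-methods] */
        public SecurityRealm m1newInstance(StaplerRequest staplerRequest, JSONObject jSONObject) throws Descriptor.FormException {
            JSONObject keycloakSection = jSONObject.getJSONObject("keycloak");
            if (keycloakSection == null || keycloakSection.isNullObject()) {
                throw new Descriptor.FormException("Keycloak JSON is required.", "keycloakJson");
            }
            JSONObject jsonField = keycloakSection.getJSONObject("keycloakJson");
            if (jsonField == null || jsonField.isNullObject() || jsonField.isEmpty()) {
                throw new Descriptor.FormException("Keycloak JSON is required.", "keycloakJson");
            }
            return super.newInstance(staplerRequest, jSONObject);
        }
    }

    /**
     * Minimal {@link OIDCHttpFacade} over a servlet request, used only to let the adapter resolve
     * the deployment for a request. Response, certificate-chain and security-context access are
     * not implemented and throw {@link IllegalStateException}.
     */
    /* loaded from: input_file:org/jenkinsci/plugins/KeycloakSecurityRealm$ServletFacade.class */
    public static class ServletFacade implements OIDCHttpFacade {
        private final HttpServletRequest servletRequest;

        private ServletFacade(HttpServletRequest httpServletRequest) {
            this.servletRequest = httpServletRequest;
        }

        @Override
        public KeycloakSecurityContext getSecurityContext() {
            throw new IllegalStateException("Not yet implemented");
        }

        @Override
        public HttpFacade.Request getRequest() {
            return new HttpFacade.Request() { // from class: org.jenkinsci.plugins.KeycloakSecurityRealm.ServletFacade.1
                @Override
                public String getFirstParam(String str) {
                    return ServletFacade.this.servletRequest.getParameter(str);
                }

                @Override
                public String getMethod() {
                    return ServletFacade.this.servletRequest.getMethod();
                }

                @Override
                public String getURI() {
                    return ServletFacade.this.servletRequest.getRequestURL().toString();
                }

                @Override
                public String getRelativePath() {
                    return ServletFacade.this.servletRequest.getServletPath();
                }

                @Override
                public boolean isSecure() {
                    return ServletFacade.this.servletRequest.isSecure();
                }

                @Override
                public String getQueryParamValue(String str) {
                    return ServletFacade.this.servletRequest.getParameter(str);
                }

                /** Cookie access is not implemented; always {@code null}. */
                @Override
                public HttpFacade.Cookie getCookie(String str) {
                    return null;
                }

                @Override
                public String getHeader(String str) {
                    return ServletFacade.this.servletRequest.getHeader(str);
                }

                /**
                 * All values of a header. Returns an empty list (never {@code null}) when the header
                 * is absent or the container withholds header access.
                 */
                @Override
                public List<String> getHeaders(String str) {
                    Enumeration<String> values = ServletFacade.this.servletRequest.getHeaders(str);
                    if (values == null) {
                        return Collections.<String>emptyList();
                    }
                    return Collections.list(values);
                }

                @Override
                public InputStream getInputStream() {
                    return getInputStream(false);
                }

                @Override
                public String getRemoteAddr() {
                    return ServletFacade.this.servletRequest.getRemoteAddr();
                }

                @Override
                public void setError(AuthenticationError authenticationError) {
                    ServletFacade.this.servletRequest.setAttribute(AuthenticationError.class.getName(), authenticationError);
                }

                @Override
                public void setError(LogoutError logoutError) {
                    ServletFacade.this.servletRequest.setAttribute(LogoutError.class.getName(), logoutError);
                }

                /** The {@code buffered} flag is ignored; the raw servlet stream is returned either way. */
                @Override
                public InputStream getInputStream(boolean z) {
                    try {
                        return ServletFacade.this.servletRequest.getInputStream();
                    } catch (IOException e) {
                        throw new RuntimeException(e);
                    }
                }
            };
        }

        @Override
        public HttpFacade.Response getResponse() {
            throw new IllegalStateException("Not yet implemented");
        }

        @Override
        public X509Certificate[] getCertificateChain() {
            throw new IllegalStateException("Not yet implemented");
        }
    }

    /**
     * Data-bound constructor used by the global security configuration form.
     *
     * @param str  identity-provider alias for {@code kc_idp_hint} (may be empty)
     * @param str2 adapter JSON (keycloak.json); mandatory
     * @param z    validate the session against Keycloak on every request
     * @param z2   honour the access-token expiry
     * @throws IllegalArgumentException when {@code str2} is empty
     */
    @DataBoundConstructor
    public KeycloakSecurityRealm(String str, String str2, boolean z, boolean z2) throws IOException {
        if (StringUtils.isEmpty(str2)) {
            throw new IllegalArgumentException("Keycloak JSON is a mandatory item.");
        }
        setKeycloakIdp(str);
        setKeycloakJson(str2);
        setKeycloakValidate(z);
        setKeycloakRespectAccessTokenTimeout(z2);
        createFilter();
    }

    protected KeycloakSecurityRealm() {
        createFilter();
    }

    /**
     * Registers the {@link RefreshFilter} with the plugin servlet filter chain, once. Safe to call
     * repeatedly: it is a no-op while a filter that has already been initialised is present.
     */
    synchronized void createFilter() {
        if (this.filter != null && this.filter.isInitCalled()) {
            return;
        }
        try {
            LOGGER.log(Level.INFO, "Create Filter");
            this.filter = new RefreshFilter();
            PluginServletFilter.addFilter(this.filter);
        } catch (ServletException e) {
            LOGGER.log(Level.SEVERE, "createFilter", e);
        }
    }

    /**
     * Starts the login: stores a vetted return-to URL and a fresh random {@code state} in the session
     * and redirects the browser to Keycloak's authorization endpoint.
     *
     * @param str the {@code Referer} header, used as the post-login return target only if
     *            {@link #isSafeReturnTarget} accepts it; otherwise the user lands on the context root
     */
    public HttpResponse doCommenceLogin(StaplerRequest staplerRequest, StaplerResponse staplerResponse, @Header("Referer") String str) throws IOException {
        String ownUrl = staplerRequest.getRequestURL() == null ? null : staplerRequest.getRequestURL().toString();
        // A Referer under attacker control (a link from another site) must not become an open redirect.
        String returnTo = isSafeReturnTarget(str, ownUrl) ? str : null;
        if (returnTo == null && str != null) {
            LOGGER.log(Level.FINE, "Ignoring non-local Referer as post-login target: " + str);
        }
        staplerRequest.getSession().setAttribute(REFERER_ATTRIBUTE, returnTo);

        String scope = TokenUtil.attachOIDCScope((String) null);
        String redirectUrl = redirectUrl(staplerRequest);
        // UUID.randomUUID() is backed by SecureRandom, so the state is unguessable.
        String state = UUID.randomUUID().toString();
        KeycloakDeployment deployment = getKeycloakDeployment();
        KeycloakUriBuilder authRequest = deployment.getAuthUrl().clone()
                .queryParam("client_id", new Object[]{deployment.getResourceName()})
                .queryParam("redirect_uri", new Object[]{redirectUrl})
                .queryParam("state", new Object[]{state})
                .queryParam("response_type", new Object[]{"code"})
                .queryParam("scope", new Object[]{scope});
        String idpHint = getKeycloakIdp();
        if (idpHint != null && !"".equals(idpHint)) {
            authRequest.queryParam("kc_idp_hint", new Object[]{idpHint});
        }
        String uri = authRequest.build(new Object[0]).toString();
        staplerRequest.getSession().setAttribute(AUTH_REQUESTED, Boolean.TRUE);
        staplerRequest.getSession().setAttribute(STATE_ATTRIBUTE, state);
        createFilter();
        return new HttpRedirect(uri);
    }

    /**
     * Decides whether {@code target} may be used as a browser redirect after login.
     *
     * <p>Accepted: an in-application path (single leading {@code /}), or an http(s) URL whose host
     * equals the host of {@code requestUrl}. Rejected: {@code null}/blank, protocol-relative
     * {@code //host} or {@code /\host}, non-http schemes, unparseable strings and other hosts.
     * Only the host is compared because a TLS-terminating proxy may legitimately change the
     * browser-facing scheme/port relative to what this servlet sees (cf. {@link #redirectUrl}).
     *
     * @param target     candidate URL (typically the {@code Referer} header)
     * @param requestUrl the URL of the current request, as seen by the servlet container
     * @return {@code true} if redirecting to {@code target} keeps the user on this Jenkins host
     */
    static boolean isSafeReturnTarget(String target, String requestUrl) {
        if (StringUtils.isBlank(target) || StringUtils.isBlank(requestUrl)) {
            return false;
        }
        if (target.startsWith("/")) {
            // "//evil" and "/\evil" are interpreted by browsers as protocol-relative URLs.
            return !target.startsWith("//") && !target.startsWith("/\\");
        }
        try {
            URI candidate = new URI(target);
            URI own = new URI(requestUrl);
            String scheme = candidate.getScheme();
            boolean httpScheme = "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
            return httpScheme
                    && candidate.getHost() != null
                    && own.getHost() != null
                    && candidate.getHost().equalsIgnoreCase(own.getHost());
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /**
     * Builds the {@code redirect_uri} for the authorization request: the context root of the
     * current request plus {@link #JENKINS_FINISH_LOGIN_URL}. If the browser reached us over
     * https (per the Referer) but the container saw http (TLS-terminating proxy), the scheme is
     * upgraded so Keycloak redirects back over https.
     *
     * <p>The value is derived from the {@code Host} header; a forged Host is rejected by Keycloak's
     * registered-redirect-URI check, which is the authoritative control here.
     */
    private String redirectUrl(StaplerRequest staplerRequest) {
        String referer = staplerRequest.getReferer();
        String requestUrl = staplerRequest.getRequestURL().toString();
        boolean browserUsedHttps = referer != null && referer.startsWith("https:");
        if (browserUsedHttps && requestUrl != null && requestUrl.startsWith("http:")) {
            requestUrl = "https:" + requestUrl.substring("http:".length());
        }
        return KeycloakUriBuilder.fromUri(requestUrl)
                .replacePath(staplerRequest.getContextPath())
                .replaceQuery((String) null)
                .path(JENKINS_FINISH_LOGIN_URL)
                .toTemplate();
    }

    private KeycloakDeployment resolveDeployment(KeycloakDeployment keycloakDeployment, HttpServletRequest httpServletRequest) {
        return new AdapterDeploymentContext(keycloakDeployment).resolveDeployment(new ServletFacade(httpServletRequest));
    }

    /**
     * Callback endpoint for the authorization-code flow.
     *
     * <p>Checks the {@code state} against the single-use value in the session, exchanges the
     * {@code code} for tokens over the back channel, verifies the access token (signature, expiry)
     * and the ID token's audience/authorized party for this client via the adapter's
     * {@link AdapterTokenVerifier#verifyTokens}, and only then installs the authentication and
     * updates the Jenkins user record. Any failure is logged and leaves the user unauthenticated.
     * The session id is rotated afterwards (session-fixation defence) and the browser is sent to
     * the vetted return-to URL, or the context root.
     */
    @SuppressFBWarnings(value = {"REC_CATCH_EXCEPTION"}, justification = "We want to catch all exceptions")
    public HttpResponse doFinishLogin(StaplerRequest staplerRequest) throws IOException {
        String redirectUrl = redirectUrl(staplerRequest);
        try {
            String code = staplerRequest.getParameter("code");
            // Never log the code itself: until it is exchanged it can be traded for tokens.
            LOGGER.log(Level.FINE, "Authorization code present: " + (code != null));
            LOGGER.log(Level.FINE, "Redirect" + redirectUrl);
            KeycloakDeployment deployment = resolveDeployment(getKeycloakDeployment(), staplerRequest);
            LOGGER.log(Level.FINE, "TokenURL" + deployment.getTokenUrl());

            checkState(staplerRequest.getParameter("state"), staplerRequest.getSession().getAttribute(STATE_ATTRIBUTE));
            // Single-use: a replayed or duplicated callback must not pass the check again.
            staplerRequest.getSession().removeAttribute(STATE_ATTRIBUTE);

            AccessTokenResponse tokenResponse = ServerRequest.invokeAccessCodeToToken(deployment, code, redirectUrl, (String) null);
            String accessTokenString = tokenResponse.getToken();
            String idTokenString = tokenResponse.getIdToken();
            String refreshToken = tokenResponse.getRefreshToken();

            // verifyTokens checks the access token as verifyToken does and additionally verifies the
            // ID token's aud/azp match this client before any of its claims are trusted below.
            AdapterTokenVerifier.VerifiedTokens verified = AdapterTokenVerifier.verifyTokens(accessTokenString, idTokenString, deployment);
            AccessToken accessToken = verified.getAccessToken();
            IDToken idToken = verified.getIdToken();

            if (idToken == null) {
                LOGGER.log(Level.WARNING, "Token response contained no ID token; not signing the user in.");
            } else {
                KeycloakAuthentication keycloakAuthentication = new KeycloakAuthentication(idToken, accessToken, refreshToken, tokenResponse, deployment.getResourceName());
                SecurityContextHolder.getContext().setAuthentication(keycloakAuthentication);
                User current = User.current();
                if (current != null) {
                    current.setFullName(idToken.getPreferredUsername());
                    // Don't overwrite an address the user set by hand in Jenkins.
                    if (!current.getProperty(Mailer.UserProperty.class).hasExplicitlyConfiguredAddress()) {
                        current.addProperty(new Mailer.UserProperty(idToken.getEmail()));
                    }
                    String picture = idToken.getPicture();
                    if (picture != null) {
                        LOGGER.finest("Avatar url is: " + picture);
                        current.addProperty(new KeycloakAvatarProperty(new KeycloakAvatarProperty.AvatarImage(picture)));
                    }
                    SecurityListener.fireAuthenticated2(new KeycloakUserDetails(idToken.getPreferredUsername(), keycloakAuthentication.getAuthorities()));
                }
            }
        } catch (Exception e) {
            LOGGER.log(Level.SEVERE, "Authentication Exception ", e);
            ServerRequest.HttpFailure httpFailure = null;
            if (e instanceof ServerRequest.HttpFailure) {
                httpFailure = (ServerRequest.HttpFailure) e;
            }
            Throwable cause = e.getCause();
            if (cause != null) {
                LOGGER.log(Level.SEVERE, "Original exception", cause);
                if (cause instanceof ServerRequest.HttpFailure) {
                    httpFailure = (ServerRequest.HttpFailure) cause;
                }
            }
            if (httpFailure != null) {
                LOGGER.log(Level.SEVERE, "Failure Message" + httpFailure.getError());
                LOGGER.log(Level.SEVERE, "Failure HTTP Status" + httpFailure.getStatus());
            }
        }

        // Rotate the session id now that the privilege level may have changed (session fixation).
        if (staplerRequest.getSession(false) != null) {
            staplerRequest.changeSessionId();
        }
        String returnTo = (String) staplerRequest.getSession().getAttribute(REFERER_ATTRIBUTE);
        staplerRequest.getSession().removeAttribute(REFERER_ATTRIBUTE);
        String ownUrl = staplerRequest.getRequestURL() == null ? null : staplerRequest.getRequestURL().toString();
        // Re-check here as well: the attribute may have been written by an older version of this realm.
        if (returnTo == null || !isSafeReturnTarget(returnTo, ownUrl)) {
            return HttpResponses.redirectToContextRoot();
        }
        LOGGER.log(Level.FINEST, "Redirecting to " + returnTo);
        return HttpResponses.redirectTo(returnTo);
    }

    /**
     * Verifies the OAuth2 {@code state} round-trip (anti-CSRF for the callback).
     *
     * @param str the {@code state} query parameter from the callback
     * @param obj the value stored in the session by {@link #doCommenceLogin}
     * @throws AuthenticationServiceException when either side is missing or they differ
     */
    private void checkState(String str, Object obj) {
        if (StringUtils.isEmpty(str) || obj == null) {
            LOGGER.log(Level.WARNING, "Cannot validate incoming authentication attempt due to state not being found. State from query: " + str + " State from session: " + String.valueOf(obj));
            throw new AuthenticationServiceException("Could not validate state token during authentication.");
        }
        String expected = obj.toString();
        if (!StringUtils.equals(str, expected)) {
            LOGGER.log(Level.WARNING, "State session value (" + expected + ") did NOT match parameter value (" + str + ")");
            throw new AuthenticationServiceException("State values did not match");
        }
        LOGGER.log(Level.FINE, "State cookie matches parameter value.");
    }

    /** Accounts are provisioned by Keycloak; Jenkins-side self-signup is never offered. */
    @Override
    public boolean allowsSignup() {
        return false;
    }

    /**
     * The only accepted {@link Authentication} is a {@link KeycloakAuthentication} produced by
     * {@link #doFinishLogin}; anything else (e.g. a username/password attempt) is rejected.
     */
    @Override
    public SecurityRealm.SecurityComponents createSecurityComponents() {
        return new SecurityRealm.SecurityComponents(new AuthenticationManager() { // from class: org.jenkinsci.plugins.KeycloakSecurityRealm.1
            @Override
            public Authentication authenticate(Authentication authentication) throws AuthenticationException {
                if (authentication instanceof KeycloakAuthentication) {
                    return authentication;
                }
                throw new BadCredentialsException("Unexpected authentication type: " + String.valueOf(authentication));
            }
        });
    }

    @Override
    public String getLoginUrl() {
        return JENKINS_LOGIN_URL;
    }

    /**
     * Ends the Keycloak session (back-channel logout with the refresh token) on a best-effort basis,
     * then performs the regular Jenkins logout. A failed back-channel call is logged but does not
     * keep the user signed in to Jenkins.
     */
    @Override
    public void doLogout(StaplerRequest staplerRequest, StaplerResponse staplerResponse) throws IOException, ServletException {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication instanceof KeycloakAuthentication) {
            KeycloakAuthentication keycloakAuthentication = (KeycloakAuthentication) authentication;
            try {
                ServerRequest.invokeLogout(getKeycloakDeployment(), keycloakAuthentication.getRefreshToken());
            } catch (ServerRequest.HttpFailure e) {
                LOGGER.log(Level.SEVERE, "Logout Exception ", e);
            }
        }
        staplerRequest.getSession().setAttribute(AUTH_REQUESTED, Boolean.FALSE);
        super.doLogout(staplerRequest, staplerResponse);
    }

    public String getKeycloakJson() {
        return this.keycloakJson;
    }

    public void setKeycloakJson(String str) {
        this.keycloakJson = str;
    }

    public boolean isKeycloakValidate() {
        return this.keycloakValidate;
    }

    public void setKeycloakValidate(boolean z) {
        this.keycloakValidate = z;
    }

    public boolean isKeycloakRespectAccessTokenTimeout() {
        return this.keycloakRespectAccessTokenTimeout;
    }

    public void setKeycloakRespectAccessTokenTimeout(boolean z) {
        this.keycloakRespectAccessTokenTimeout = z;
    }

    public String getKeycloakIdp() {
        return this.keycloakIdp;
    }

    public void setKeycloakIdp(String str) {
        this.keycloakIdp = str;
    }

    /** Alias of {@link #isKeycloakValidate()} used by the request filter. */
    public boolean checkKeycloakOnEachRequest() {
        return isKeycloakValidate();
    }

    /** Alias of {@link #isKeycloakRespectAccessTokenTimeout()} used by the request filter. */
    public boolean respectAccessTokenTimeout() {
        return isKeycloakRespectAccessTokenTimeout();
    }

    /**
     * Lazily builds (and caches) the adapter deployment from {@link #getKeycloakJson()}. The
     * deployment is rebuilt when it has not been created yet or has lost its HTTP client
     * (e.g. after deserialisation, since the field is transient).
     *
     * @throws IOException if the adapter JSON cannot be parsed
     */
    @Override
    public synchronized KeycloakDeployment getKeycloakDeployment() throws IOException {
        if (this.keycloakDeployment == null || this.keycloakDeployment.getClient() == null) {
            AdapterConfig config = (AdapterConfig) JsonSerialization.readValue(getKeycloakJson(), AdapterConfig.class);
            this.keycloakDeployment = KeycloakDeploymentBuilder.build(config);
        }
        return this.keycloakDeployment;
    }
}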
