package org.jenkinsci.plugins.oic;

import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpHeaders;
import com.google.api.client.http.HttpResponse;
import com.google.api.client.http.HttpResponseException;
import com.google.api.client.json.gson.GsonFactory;
import com.google.gson.JsonParseException;
import edu.umd.cs.findbugs.annotations.CheckForNull;
import hudson.Extension;
import hudson.RelativePath;
import hudson.Util;
import hudson.model.Descriptor;
import hudson.util.FormValidation;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.time.LocalDateTime;
import java.time.ZoneId;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.util.Locale;
import java.util.Objects;
import java.util.logging.Level;
import java.util.logging.Logger;
import jenkins.model.Jenkins;
import org.apache.commons.lang.StringUtils;
import org.jenkinsci.Symbol;
import org.jenkinsci.plugins.oic.OicSecurityRealm;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

/* loaded from: input_file:org/jenkinsci/plugins/oic/OicServerWellKnownConfiguration.class */
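/**
 * Server configuration whose endpoints are discovered from an OpenID Connect
 * "well-known" configuration document instead of being entered by hand.
 *
 * <p>Only the discovery URL and the optional scope override are persisted; every
 * discovered value is {@code transient} and is re-fetched lazily by
 * {@link #loadWellKnownConfigIfNeeded()}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The authorization, token, JWKS, userinfo and end-session endpoints are copied
 *       from the fetched document as-is. Nothing in this class checks the document's
 *       issuer or restricts the discovery URL to {@code https}, so the trust placed in
 *       the login flow is only as strong as the transport used for the fetch.</li>
 *   <li>The cache lifetime comes from the response's {@code Expires} header, i.e. it is
 *       chosen by the remote server.</li>
 *   <li>The transient cache fields are read and written without synchronization.</li>
 * </ul>
 *
 * <p>NOTE(review): the parameter names {@code str} and {@code z} look decompiler-generated.
 * Stapler binds {@code @QueryParameter} / {@code @DataBoundConstructor} arguments by name
 * when no explicit value is given, so confirm the names against the original sources
 * before recompiling this file.
 */
public class OicServerWellKnownConfiguration extends OicServerConfiguration {
    private static final long serialVersionUID = 1;
    private static final Logger LOGGER = Logger.getLogger(OicServerWellKnownConfiguration.class.getName());
    private final String wellKnownOpenIDConfigurationUrl;
    private String scopesOverride;
    private transient String authorizationServerUrl;
    private transient String tokenServerUrl;
    private transient String jwksServerUrl;
    private transient String endSessionUrl;
    private transient String scopes;
    private transient String userInfoServerUrl;
    private transient boolean useRefreshTokens;
    private transient OicSecurityRealm.TokenAuthMethod tokenAuthMethod;
    // Local wall-clock time after which the cached discovery data must be re-fetched;
    // null until the first successful fetch.
    private transient LocalDateTime wellKnownExpires = null;

    /** Descriptor providing the display name and the form validation endpoints. */
    @Extension
    @Symbol({"wellKnown"})
    public static class DescriptorImpl extends Descriptor<OicServerConfiguration> {
        @Override
        public String getDisplayName() {
            return Messages.OicServerWellKnownConfiguration_DisplayName();
        }

        /**
         * Validates a discovery URL by fetching it and checking that the document
         * names both an authorization and a token endpoint.
         *
         * <p>This makes an outbound request from the controller to a caller-supplied
         * URL, which is why it is restricted to POST and to {@code Jenkins.ADMINISTER};
         * neither guard should be relaxed.
         *
         * @param str the discovery URL entered in the form
         * @param z   option taken from the parent form and handed to
         *            {@code OicSecurityRealm.constructHttpTransport}; NOTE(review): if it
         *            relaxes TLS verification, the validated document is unauthenticated —
         *            confirm against that method
         * @return ok, a warning when the document lacks the required endpoints, or an error
         */
        @POST
        public FormValidation doCheckWellKnownOpenIDConfigurationUrl(@QueryParameter String str, @RelativePath("..") @QueryParameter boolean z) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            if (str == null || str.isBlank()) {
                return FormValidation.error(Messages.OicSecurityRealm_NotAValidURL());
            }
            try {
                URL url = new URL(str);
                HttpResponse response = OicSecurityRealm.constructHttpTransport(z)
                        .createRequestFactory()
                        .buildGetRequest(new GenericUrl(url))
                        .execute();
                // JSON is UTF-8 on the wire; the platform default charset would
                // mis-decode non-ASCII content on some hosts.
                WellKnownOpenIDConfigurationResponse config = GsonFactory.getDefaultInstance()
                        .fromInputStream(response.getContent(), StandardCharsets.UTF_8, WellKnownOpenIDConfigurationResponse.class);
                if (config.getAuthorizationEndpoint() == null || config.getTokenEndpoint() == null) {
                    return FormValidation.warning(Messages.OicSecurityRealm_URLNotAOpenIdEnpoint());
                }
                return FormValidation.ok();
            } catch (MalformedURLException e) {
                // Subclass of IOException: must be caught before the general handler.
                return FormValidation.error(e, Messages.OicSecurityRealm_NotAValidURL());
            } catch (HttpResponseException e) {
                return FormValidation.error(e, Messages.OicSecurityRealm_CouldNotRetreiveWellKnownConfig(Integer.valueOf(e.getStatusCode()), e.getStatusMessage()));
            } catch (IOException e) {
                return FormValidation.error(e, Messages.OicSecurityRealm_ErrorRetreivingWellKnownConfig());
            } catch (JsonParseException e) {
                return FormValidation.error(e, Messages.OicSecurityRealm_CouldNotParseResponse());
            }
        }

        /**
         * Warns when a non-empty scope override does not mention {@code openid}.
         *
         * @param str the scope override entered in the form
         * @return a warning if {@code openid} is missing, otherwise ok
         */
        @POST
        public FormValidation doCheckOverrideScopes(@QueryParameter String str) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            String trimmed = Util.fixEmptyAndTrim(str);
            // Locale.ROOT keeps the check independent of the JVM's default locale.
            if (trimmed != null && !trimmed.toLowerCase(Locale.ROOT).contains("openid")) {
                return FormValidation.warning(Messages.OicSecurityRealm_RUSureOpenIdNotInScope());
            }
            return FormValidation.ok();
        }
    }

    /**
     * @param str the discovery URL; must not be {@code null}
     * @throws NullPointerException if {@code str} is {@code null}
     */
    @DataBoundConstructor
    public OicServerWellKnownConfiguration(String str) {
        this.wellKnownOpenIDConfigurationUrl = Objects.requireNonNull(str);
    }

    /**
     * Sets the scopes to request instead of the discovered ones.
     *
     * @param str the override; blank values are stored as {@code null}
     */
    @DataBoundSetter
    public void setScopesOverride(String str) {
        this.scopesOverride = Util.fixEmptyAndTrim(str);
    }

    @Override // org.jenkinsci.plugins.oic.OicServerConfiguration
    public String getAuthorizationServerUrl() {
        loadWellKnownConfigIfNeeded();
        return this.authorizationServerUrl;
    }

    @Override // org.jenkinsci.plugins.oic.OicServerConfiguration
    @CheckForNull
    public String getEndSessionUrl() {
        loadWellKnownConfigIfNeeded();
        return this.endSessionUrl;
    }

    @Override // org.jenkinsci.plugins.oic.OicServerConfiguration
    public String getJwksServerUrl() {
        loadWellKnownConfigIfNeeded();
        return this.jwksServerUrl;
    }

    /**
     * Returns the scopes to request: the override if set, else the discovered
     * scopes, else {@code "openid email"}.
     */
    @Override // org.jenkinsci.plugins.oic.OicServerConfiguration
    public String getScopes() {
        loadWellKnownConfigIfNeeded();
        if (this.scopesOverride != null) {
            return this.scopesOverride;
        }
        if (this.scopes != null) {
            return this.scopes;
        }
        return "openid email";
    }

    public String getScopesOverride() {
        return this.scopesOverride;
    }

    public String getWellKnownOpenIDConfigurationUrl() {
        return this.wellKnownOpenIDConfigurationUrl;
    }

    @Override // org.jenkinsci.plugins.oic.OicServerConfiguration
    public String getTokenServerUrl() {
        loadWellKnownConfigIfNeeded();
        return this.tokenServerUrl;
    }

    @Override // org.jenkinsci.plugins.oic.OicServerConfiguration
    public String getUserInfoServerUrl() {
        loadWellKnownConfigIfNeeded();
        return this.userInfoServerUrl;
    }

    @Override // org.jenkinsci.plugins.oic.OicServerConfiguration
    public boolean isUseRefreshTokens() {
        loadWellKnownConfigIfNeeded();
        return this.useRefreshTokens;
    }

    @Override // org.jenkinsci.plugins.oic.OicServerConfiguration
    public OicSecurityRealm.TokenAuthMethod getTokenAuthMethod() {
        loadWellKnownConfigIfNeeded();
        return this.tokenAuthMethod;
    }

    /**
     * Fetches the discovery document when nothing is cached yet or the cached copy
     * has expired, and copies its values into the transient fields.
     *
     * <p>The previous condition was inverted: it re-fetched on every call while the
     * cache was still valid and stopped refreshing once it had expired, so endpoint
     * and JWKS changes published by the provider were never picked up.
     *
     * <p>Failures are logged and leave the expiry untouched, so the next getter call
     * retries; previously cached values (possibly {@code null}) stay in place.
     */
    private void loadWellKnownConfigIfNeeded() {
        LocalDateTime now = LocalDateTime.now();
        if (this.wellKnownExpires != null && now.isBefore(this.wellKnownExpires)) {
            // Cached discovery data is still fresh.
            return;
        }
        try {
            URL url = new URL(this.wellKnownOpenIDConfigurationUrl);
            // Assumes the active security realm is an OicSecurityRealm; any other realm
            // makes this cast throw ClassCastException.
            OicSecurityRealm realm = (OicSecurityRealm) Jenkins.get().getSecurityRealm();
            HttpResponse response = realm.getHttpTransport()
                    .createRequestFactory()
                    .buildGetRequest(new GenericUrl(url))
                    .execute();
            // JSON is UTF-8 on the wire; do not depend on the platform default charset.
            WellKnownOpenIDConfigurationResponse config = GsonFactory.getDefaultInstance()
                    .fromInputStream(response.getContent(), StandardCharsets.UTF_8, WellKnownOpenIDConfigurationResponse.class);

            this.authorizationServerUrl = config.getAuthorizationEndpoint();
            this.tokenServerUrl = config.getTokenEndpoint();
            this.jwksServerUrl = config.getJwksUri();
            this.tokenAuthMethod = config.getPreferredTokenAuthMethod();
            this.userInfoServerUrl = config.getUserinfoEndpoint();
            // Keep the previously discovered scopes when the document lists none.
            if (config.getScopesSupported() != null && !config.getScopesSupported().isEmpty()) {
                this.scopes = StringUtils.join(config.getScopesSupported(), " ");
            }
            this.endSessionUrl = config.getEndSessionEndpoint();
            this.useRefreshTokens = config.getGrantTypesSupported() != null
                    && config.getGrantTypesSupported().contains("refresh_token");
            setWellKnownExpires(response.getHeaders());
        } catch (MalformedURLException e) {
            // Subclass of IOException: must be caught before the general handler.
            LOGGER.log(Level.SEVERE, "Invalid WellKnown OpenID Configuration URL", (Throwable) e);
        } catch (HttpResponseException e) {
            // Also an IOException subclass; listed first so this message is reachable.
            LOGGER.log(Level.SEVERE, "Could not get wellknown OpenID Configuration", e);
        } catch (IOException e) {
            LOGGER.log(Level.SEVERE, "Error while loading wellknown OpenID Configuration", (Throwable) e);
        } catch (JsonParseException e) {
            LOGGER.log(Level.SEVERE, "Could not parse wellknown OpenID Configuration", e);
        }
    }

    /**
     * Derives the cache expiry from the response's {@code Expires} header.
     *
     * <p>A missing, {@code "0"} or unparseable header falls back to one hour from now.
     * A malformed value used to escape as an unchecked {@code DateTimeParseException}
     * through every getter of this class.
     *
     * @param httpHeaders headers of the discovery response
     */
    private void setWellKnownExpires(HttpHeaders httpHeaders) {
        String expires = Util.fixEmptyAndTrim(httpHeaders.getExpires());
        if (expires != null && !"0".equals(expires)) {
            try {
                ZonedDateTime parsed = ZonedDateTime.parse(expires, DateTimeFormatter.RFC_1123_DATE_TIME);
                // The header carries its own zone while the freshness check compares against
                // LocalDateTime.now(); convert to the system zone so both sides agree.
                this.wellKnownExpires = parsed.withZoneSameInstant(ZoneId.systemDefault()).toLocalDateTime();
                return;
            } catch (DateTimeParseException e) {
                LOGGER.log(Level.FINE, "Ignoring unparseable Expires header on wellknown OpenID Configuration response", e);
            }
        }
        // Default refresh interval: one hour.
        this.wellKnownExpires = LocalDateTime.now().plusSeconds(3600L);
    }
}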
