package org.jenkinsci.plugins.oic;

import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import edu.umd.cs.findbugs.annotations.CheckForNull;
import hudson.Extension;
import hudson.RelativePath;
import hudson.Util;
import hudson.model.Descriptor;
import hudson.util.FormValidation;
import java.io.IOException;
import java.net.URL;
import java.net.http.HttpHeaders;
import java.time.LocalDateTime;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.logging.Logger;
import javax.net.ssl.SSLException;
import jenkins.model.Jenkins;
import org.jenkinsci.Symbol;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.DoNotUse;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

/* loaded from: input_file:org/jenkinsci/plugins/oic/OicServerWellKnownConfiguration.class */
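/**
 * OpenID Connect server configuration that is driven by a provider's "well-known" discovery
 * document rather than by manually entered endpoints.
 *
 * <p>The discovery URL is fixed at construction time. The parsed provider metadata and its
 * expiry are kept in {@code transient} fields, so they are not part of the serialized form.
 *
 * <p>Security-relevant points visible in this class:
 * <ul>
 *   <li>Both form-validation endpoints are {@code @POST} and require {@code Jenkins.ADMINISTER}.</li>
 *   <li>{@link DescriptorImpl#doCheckWellKnownOpenIDConfigurationUrl} makes an outbound request
 *       from the controller to a URL taken from the form.</li>
 *   <li>The cache lifetime is derived from the remote server's {@code Expires} header, which is
 *       data supplied by the identity provider and must be parsed defensively.</li>
 * </ul>
 */
public class OicServerWellKnownConfiguration extends OicServerConfiguration {
    private static final long serialVersionUID = 1;
    private static final Logger LOGGER = Logger.getLogger(OicServerWellKnownConfiguration.class.getName());

    /** Discovery document URL; never {@code null} (enforced by the constructor). */
    private final String wellKnownOpenIDConfigurationUrl;

    /** Optional scope list override; {@code null} when the form value was empty or blank. */
    private String scopesOverride;

    /**
     * Point in time, expressed in the JVM's default time zone, after which the cached metadata is
     * considered stale. Written only by {@link #setWellKnownExpires(HttpHeaders)} in this class.
     */
    private transient LocalDateTime wellKnownExpires = null;

    /** Cached provider metadata; cleared by {@link #invalidateProviderMetadata()}. */
    private volatile transient OIDCProviderMetadata oidcProviderMetadata;

    /** Descriptor exposing the form-validation endpoints for this configuration type. */
    @Extension
    @Symbol({"wellKnown"})
    public static class DescriptorImpl extends Descriptor<OicServerConfiguration> {
        public String getDisplayName() {
            return Messages.OicServerWellKnownConfiguration_DisplayName();
        }

        /**
         * Validates the discovery URL by fetching it and parsing the response as OIDC provider
         * metadata.
         *
         * <p>The permission check runs before any network activity, so only administrators can
         * cause the controller to issue this request.
         *
         * @param str the discovery URL entered in the form
         * @param z   flag read from the parent form ({@code @RelativePath("..")}) and forwarded to
         *            the retriever factory; its meaning is not visible in this class
         * @return an error for blank input, TLS failures, unparseable documents or I/O failures; a
         *         warning when the document lacks an authorization or token endpoint; otherwise OK
         */
        @POST
        public FormValidation doCheckWellKnownOpenIDConfigurationUrl(@QueryParameter String str, @RelativePath("..") @QueryParameter boolean z) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            if (str == null || str.isBlank()) {
                return FormValidation.error(Messages.OicSecurityRealm_NotAValidURL());
            }
            try {
                // NOTE(review): java.net.URL accepts more than http/https and no scheme check is
                // made here before the fetch. Whether the retriever restricts schemes is not
                // visible in this file; confirm, or reject non-http(s) URLs at this point.
                // A malformed URL surfaces as MalformedURLException, which the IOException
                // handler below reports.
                URL discoveryUrl = new URL(str);
                String document = ProxyAwareResourceRetriever.createProxyAwareResourceRetriver(z)
                        .retrieveResource(discoveryUrl)
                        .getContent();
                OIDCProviderMetadata metadata = OIDCProviderMetadata.parse(document);
                boolean hasRequiredEndpoints =
                        metadata.getAuthorizationEndpointURI() != null && metadata.getTokenEndpointURI() != null;
                return hasRequiredEndpoints
                        ? FormValidation.ok()
                        : FormValidation.warning(Messages.OicSecurityRealm_URLNotAOpenIdEnpoint());
            } catch (SSLException e) {
                // Must precede IOException: SSLException is a subtype and gets its own message.
                return FormValidation.error(e, Messages.OicSecurityRealm_SSLErrorRetreivingWellKnownConfig());
            } catch (ParseException e) {
                return FormValidation.error(e, Messages.OicSecurityRealm_URLNotAOpenIdEnpoint());
            } catch (IOException e) {
                return FormValidation.error(e, Messages.OicSecurityRealm_ErrorRetreivingWellKnownConfig());
            }
        }

        /**
         * Warns when a non-empty scope override does not mention {@code openid}.
         *
         * @param str the scope override entered in the form
         * @return a warning when the trimmed value is non-empty and lacks "openid"; otherwise OK
         */
        @POST
        public FormValidation doCheckOverrideScopes(@QueryParameter String str) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            // Locale.ROOT keeps the case-fold independent of the JVM default locale; with a
            // Turkish default, "OPENID".toLowerCase() yields a dotless i and would never match.
            if (Util.fixEmptyAndTrim(str) != null
                    && !str.toLowerCase(java.util.Locale.ROOT).contains("openid")) {
                return FormValidation.warning(Messages.OicSecurityRealm_RUSureOpenIdNotInScope());
            }
            return FormValidation.ok();
        }
    }

    /**
     * Creates a configuration bound to the given discovery URL.
     *
     * @param str the well-known OpenID configuration URL
     * @throws NullPointerException if {@code str} is {@code null}
     */
    @DataBoundConstructor
    public OicServerWellKnownConfiguration(String str) {
        this.wellKnownOpenIDConfigurationUrl = Objects.requireNonNull(str, "wellKnownOpenIDConfigurationUrl");
    }

    /**
     * Sets the scope override, normalising empty or blank input to {@code null}.
     *
     * @param str the raw form value
     */
    @DataBoundSetter
    public void setScopesOverride(String str) {
        this.scopesOverride = Util.fixEmptyAndTrim(str);
    }

    /** @return the trimmed scope override, or {@code null} when none is set */
    public String getScopesOverride() {
        return this.scopesOverride;
    }

    /** @return the discovery URL supplied at construction time */
    public String getWellKnownOpenIDConfigurationUrl() {
        return this.wellKnownOpenIDConfigurationUrl;
    }

    /**
     * Drops the cached provider metadata. Only the metadata reference is cleared;
     * {@code wellKnownExpires} is left as it was.
     */
    @Restricted({DoNotUse.class})
    void invalidateProviderMetadata() {
        this.oidcProviderMetadata = null;
    }

    /**
     * Returns the provider metadata for this configuration.
     *
     * <p>The decompiler could not recover this method body (it reported 340 instructions and
     * emitted a stub), so the behaviour of the real implementation cannot be reviewed from this
     * listing. The stub below throws unconditionally and is kept exactly as emitted.
     */
    @Override // org.jenkinsci.plugins.oic.OicServerConfiguration
    public com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata toProviderMetadata() {
        throw new UnsupportedOperationException("Method not decompiled: org.jenkinsci.plugins.oic.OicServerWellKnownConfiguration.toProviderMetadata():com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata");
    }

    /**
     * Passes every JWS, JWE-algorithm and JWE-encryption list advertised by the provider to the
     * matching {@code OicAlgorithmValidator} filter.
     *
     * <p>A list the provider did not advertise ({@code null}) is replaced by an empty list so the
     * validator is always handed a non-null argument.
     *
     * <p>NOTE(review): the stand-in is the immutable {@code List.of()}. The validator methods are
     * not visible here; if they filter in place, confirm they tolerate an immutable empty list.
     *
     * @param oIDCProviderMetadata the metadata whose algorithm lists are handed to the validator
     */
    protected static void filterNonCompliantAlgorithms(OIDCProviderMetadata oIDCProviderMetadata) {
        // Signature (JWS) algorithms, one list per endpoint or object type.
        List.of(
                        Optional.ofNullable(oIDCProviderMetadata.getIDTokenJWSAlgs()).orElse(List.of()),
                        Optional.ofNullable(oIDCProviderMetadata.getTokenEndpointJWSAlgs()).orElse(List.of()),
                        Optional.ofNullable(oIDCProviderMetadata.getIntrospectionEndpointJWSAlgs()).orElse(List.of()),
                        Optional.ofNullable(oIDCProviderMetadata.getRevocationEndpointJWSAlgs()).orElse(List.of()),
                        Optional.ofNullable(oIDCProviderMetadata.getRequestObjectJWSAlgs()).orElse(List.of()),
                        Optional.ofNullable(oIDCProviderMetadata.getDPoPJWSAlgs()).orElse(List.of()),
                        Optional.ofNullable(oIDCProviderMetadata.getAuthorizationJWSAlgs()).orElse(List.of()),
                        Optional.ofNullable(oIDCProviderMetadata.getBackChannelAuthenticationRequestJWSAlgs())
                                .orElse(List.of()))
                .stream()
                .filter(Objects::nonNull)
                .forEach(OicAlgorithmValidator::filterFipsNonCompliantJwsAlgorithm);

        // Key-management (JWE) algorithms.
        List.of(
                        Optional.ofNullable(oIDCProviderMetadata.getIDTokenJWEAlgs()).orElse(List.of()),
                        Optional.ofNullable(oIDCProviderMetadata.getRequestObjectJWEAlgs()).orElse(List.of()),
                        Optional.ofNullable(oIDCProviderMetadata.getAuthorizationJWEAlgs()).orElse(List.of()))
                .stream()
                .filter(Objects::nonNull)
                .forEach(OicAlgorithmValidator::filterFipsNonCompliantJweAlgorithm);

        // Content-encryption (JWE "enc") methods.
        List.of(
                        Optional.ofNullable(oIDCProviderMetadata.getRequestObjectJWEEncs()).orElse(List.of()),
                        Optional.ofNullable(oIDCProviderMetadata.getAuthorizationJWEEncs()).orElse(List.of()))
                .stream()
                .filter(Objects::nonNull)
                .forEach(OicAlgorithmValidator::filterFipsNonCompliantEncryptionMethod);
    }

    /**
     * Derives the cache expiry from the {@code Expires} header of the discovery response.
     *
     * <p>The header comes from the remote server, so it is handled as untrusted text: when it is
     * missing, equal to {@code "0"}, or not a valid RFC 1123 date, the expiry falls back to one
     * hour from now instead of letting a parse failure propagate to the caller.
     *
     * <p>The parsed instant is converted to the JVM's default zone before the zone is dropped, so
     * the stored value is on the same clock as the {@code LocalDateTime.now()} fallback.
     *
     * <p>NOTE(review): no upper bound is applied, so a far-future {@code Expires} value is stored
     * as given. How the field is consumed is not visible in this listing; confirm whether a
     * maximum cache lifetime is wanted.
     *
     * @param httpHeaders headers of the discovery response, or {@code null} if unavailable
     */
    private void setWellKnownExpires(@CheckForNull HttpHeaders httpHeaders) {
        Optional<String> expires = httpHeaders == null ? Optional.empty() : httpHeaders.firstValue("Expires");
        if (expires.isPresent() && !"0".equals(expires.get())) {
            try {
                ZonedDateTime parsed = ZonedDateTime.parse(expires.get(), DateTimeFormatter.RFC_1123_DATE_TIME);
                this.wellKnownExpires =
                        parsed.withZoneSameInstant(java.time.ZoneId.systemDefault()).toLocalDateTime();
                return;
            } catch (java.time.DateTimeException e) {
                // Covers DateTimeParseException; the header value is deliberately not logged.
                LOGGER.fine("Unparseable Expires header on well-known response; using default refresh interval");
            }
        }
        // Default: refresh one hour from now.
        this.wellKnownExpires = LocalDateTime.now().plusSeconds(3600L);
    }
}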
