package org.jenkinsci.plugins.kubernetes.credentials;

import com.cloudbees.plugins.credentials.CredentialsScope;
import com.cloudbees.plugins.credentials.CredentialsStore;
import com.cloudbees.plugins.credentials.impl.BaseStandardCredentials;
import com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl;
import hudson.Extension;
import hudson.util.FormValidation;
import hudson.util.Secret;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.logging.Logger;
import jenkins.security.FIPS140;
import net.sf.json.JSONObject;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;
import org.apache.http.Header;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.HttpHostConnectException;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;
import org.jenkinsci.plugins.kubernetes.credentials.HttpClientWithTLSOptionsFactory;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/* loaded from: input_file:WEB-INF/lib/kubernetes-credentials.jar:org/jenkinsci/plugins/kubernetes/credentials/OpenShiftBearerTokenCredentialImpl.class */
public class OpenShiftBearerTokenCredentialImpl extends UsernamePasswordCredentialsImpl implements TokenProducer {
    protected static final long EARLY_EXPIRE_DELAY_SEC = 300;
    private static final long serialVersionUID = 6031616605797622926L;
    private static final Logger logger = Logger.getLogger(OpenShiftBearerTokenCredentialImpl.class.getName());
    private transient ConcurrentMap<String, Token> tokenCache;

    @Extension
    /* loaded from: input_file:WEB-INF/lib/kubernetes-credentials.jar:org/jenkinsci/plugins/kubernetes/credentials/OpenShiftBearerTokenCredentialImpl$DescriptorImpl.class */
    public static class DescriptorImpl extends BaseStandardCredentials.BaseStandardCredentialsDescriptor {
        public String getDisplayName() {
            return "OpenShift Username and Password";
        }

        @RequirePOST
        public FormValidation doCheckPassword(@QueryParameter String str) {
            return (!FIPS140.useCompliantAlgorithms() || StringUtils.length(str) >= 14) ? FormValidation.ok() : FormValidation.error(Messages.passwordTooShortFIPS());
        }

        public /* bridge */ /* synthetic */ String getCheckIdUrl(CredentialsStore credentialsStore) throws UnsupportedEncodingException {
            return super.getCheckIdUrl(credentialsStore);
        }
    }

    /* loaded from: input_file:WEB-INF/lib/kubernetes-credentials.jar:org/jenkinsci/plugins/kubernetes/credentials/OpenShiftBearerTokenCredentialImpl$Token.class */
    public static class Token {
        String value;
        long expire;
    }

    /* loaded from: input_file:WEB-INF/lib/kubernetes-credentials.jar:org/jenkinsci/plugins/kubernetes/credentials/OpenShiftBearerTokenCredentialImpl$TokenResponseError.class */
    public static class TokenResponseError extends Exception {
        public TokenResponseError(String str) {
            super(str);
        }
    }

    @DataBoundConstructor
    public OpenShiftBearerTokenCredentialImpl(CredentialsScope credentialsScope, String str, String str2, String str3, String str4) {
        super(credentialsScope, str, str2, str3, str4);
        this.tokenCache = new ConcurrentHashMap();
    }

    /* JADX WARN: Removed duplicated region for block: B:20:0x00eb A[EXC_TOP_SPLITTER, SYNTHETIC] */
    /* JADX WARN: Removed duplicated region for block: B:29:0x00dc A[SYNTHETIC] */
    /* JADX WARN: Removed duplicated region for block: B:32:0x011f A[SYNTHETIC] */
    /* JADX WARN: Removed duplicated region for block: B:35:0x012a A[SYNTHETIC] */
    /* JADX WARN: Removed duplicated region for block: B:38:0x002d A[SYNTHETIC] */
    @edu.umd.cs.findbugs.annotations.SuppressFBWarnings(value = {"SF_SWITCH_NO_DEFAULT"}, justification = "Other values can be discarded")
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    protected static org.jenkinsci.plugins.kubernetes.credentials.OpenShiftBearerTokenCredentialImpl.Token extractTokenFromLocation(java.lang.String r8) throws org.jenkinsci.plugins.kubernetes.credentials.OpenShiftBearerTokenCredentialImpl.TokenResponseError {
        /*
            Method dump skipped, instructions count: 373
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.jenkinsci.plugins.kubernetes.credentials.OpenShiftBearerTokenCredentialImpl.extractTokenFromLocation(java.lang.String):org.jenkinsci.plugins.kubernetes.credentials.OpenShiftBearerTokenCredentialImpl$Token");
    }

    protected static String getBasicAuthenticationHeader(String str, Secret secret) {
        return "Basic " + Base64.encodeBase64String((str + ":" + Secret.toString(secret)).getBytes(StandardCharsets.UTF_8));
    }

    private Object readResolve() {
        this.tokenCache = new ConcurrentHashMap();
        return this;
    }

    @Override // org.jenkinsci.plugins.kubernetes.credentials.TokenProducer
    public String getToken(String str, String str2, boolean z) throws IOException {
        Token token = this.tokenCache.get(str);
        if (token == null || System.currentTimeMillis() > token.expire) {
            try {
                token = refreshToken(str, str2, z);
                this.tokenCache.put(str, token);
            } catch (URISyntaxException e) {
                throw new IOException("The OAuth server URL was invalid ('" + str + "'): " + e.getMessage(), e);
            } catch (UnknownHostException e2) {
                throw new IOException("Can't resolve OAuth server hostname ('" + str + "'): " + e2.getMessage(), e2);
            } catch (ClientProtocolException e3) {
                throw new IOException("Can't parse protocol in the OAuth server URL ('" + str + "')", e3);
            } catch (HttpHostConnectException e4) {
                throw new IOException("Can't connect to the OAuth server ('" + str + "'): " + e4.getMessage(), e4);
            } catch (HttpClientWithTLSOptionsFactory.TLSConfigurationError e5) {
                throw new IOException("Could not configure SSL Factory in HttpClientWithTLSOptionsFactory: " + e5.getMessage(), e5);
            } catch (TokenResponseError e6) {
                throw new IOException("The response from the OAuth server was invalid: " + e6.getMessage(), e6);
            }
        }
        return token.value;
    }

    private synchronized Token refreshToken(String str, String str2, boolean z) throws URISyntaxException, HttpClientWithTLSOptionsFactory.TLSConfigurationError, TokenResponseError, IOException {
        String oauthServerUrl = getOauthServerUrl(str, str2, z);
        HttpClientBuilder builder = HttpClientWithTLSOptionsFactory.getBuilder(new URI(oauthServerUrl), str2, z);
        HttpGet httpGet = new HttpGet(oauthServerUrl + "?client_id=openshift-challenging-client&response_type=token");
        httpGet.setHeader("Authorization", getBasicAuthenticationHeader(getUsername(), getPassword()));
        Utils.ensureFIPSCompliantURIRequest(httpGet.getURI(), z);
        CloseableHttpResponse execute = builder.build().execute(httpGet);
        if (execute.getStatusLine().getStatusCode() != 302) {
            throw new TokenResponseError("The OAuth service didn't respond with a redirection but with '" + execute.getStatusLine().getStatusCode() + ": " + execute.getStatusLine().getReasonPhrase() + "'");
        }
        Header firstHeader = execute.getFirstHeader("Location");
        if (firstHeader == null) {
            throw new TokenResponseError("The OAuth service didn't respond with location header");
        }
        return extractTokenFromLocation(firstHeader.getValue());
    }

    private String getOauthServerUrl(String str, String str2, boolean z) throws URISyntaxException, IOException, HttpClientWithTLSOptionsFactory.TLSConfigurationError {
        HttpClientBuilder builder = HttpClientWithTLSOptionsFactory.getBuilder(new URI(str), str2, z);
        HttpGet httpGet = new HttpGet(str + "/.well-known/oauth-authorization-server");
        Utils.ensureFIPSCompliantURIRequest(httpGet.getURI(), z);
        return JSONObject.fromObject(EntityUtils.toString(builder.build().execute(httpGet).getEntity())).getString("authorization_endpoint");
    }
}
