package com.atlassian.bitbucket.internal.build.jenkins;

import com.atlassian.applinks.api.ApplicationId;
import com.atlassian.applinks.api.ApplicationLink;
import com.atlassian.applinks.api.ApplicationLinkService;
import com.atlassian.applinks.api.TypeNotInstalledException;
import com.atlassian.applinks.api.application.generic.GenericApplicationType;
import com.atlassian.bitbucket.dmz.build.BuildServerProvider;
import com.atlassian.bitbucket.dmz.build.PluginBuildServer;
import com.atlassian.bitbucket.i18n.I18nService;
import com.atlassian.bitbucket.util.MoreStreams;
import com.atlassian.cache.Cache;
import com.atlassian.cache.CacheException;
import com.atlassian.cache.CacheLoader;
import com.atlassian.cache.CacheManager;
import com.atlassian.cache.CacheSettingsBuilder;
import com.google.common.annotations.VisibleForTesting;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import javax.annotation.Nonnull;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/atlassian/bitbucket/internal/build/jenkins/JenkinsBuildServerProvider.class */
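/**
 * Resolves Jenkins application links to {@link PluginBuildServer} instances, either by identifier
 * (the link's RPC URL) or by authenticating an incoming request with its signature header.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>{@code base-url}, {@code BBS-Signature} and {@code BBS-Signature-Algorithm} are all supplied by the
 *       caller. The {@code base-url} host only narrows the candidate application links; a request is accepted
 *       solely on the result of {@link JenkinsBuildServerSignatureValidator#doSignaturesMatch}.</li>
 *   <li>The algorithm name is taken from the request and passed to the validator unchanged.
 *       NOTE(review): the validator is not visible here; confirm it restricts the value to an allowlist.</li>
 *   <li>The verification key is read from the {@code X-Instance-Identity} response header of
 *       {@code <rpcUrl>/login} and cached for 8 hours. NOTE(review): nothing in this class requires that URL
 *       to be HTTPS, so the authenticity of the key depends on how the application link is configured.</li>
 * </ul>
 */
public class JenkinsBuildServerProvider implements BuildServerProvider {
    public static final String ALGORITHM_HEADER = "BBS-Signature-Algorithm";
    public static final String SIGNATURE_HEADER = "BBS-Signature";
    private static final String BASE_URL_HEADER = "base-url";
    private static final Logger log = LoggerFactory.getLogger(JenkinsBuildServerProvider.class);
    private final ApplicationLinkService applicationLinkService;
    private final I18nService i18nService;
    private final JenkinsBuildServerSignatureValidator jenkinsBuildServerSignatureValidator;
    private final Cache<ApplicationId, PublicKey> publicKeyCache;

    /**
     * Cache loader that fetches the public key a Jenkins instance advertises and decodes it as an
     * X.509-encoded RSA key.
     */
    @VisibleForTesting
    static class JenkinsPublicKeyCacheLoader implements CacheLoader<ApplicationId, PublicKey> {
        public static final String KEY_FACTORY_ALGORITHM = "RSA";
        public static final String PUBLIC_KEY_HEADER = "X-Instance-Identity";
        private final ApplicationLinkService applicationLinkService;
        private final HttpHeaderFetcher httpHeaderFetcher;
        public static final Base64.Decoder DECODER = Base64.getDecoder();
        private static final Logger log = LoggerFactory.getLogger(JenkinsPublicKeyCacheLoader.class);

        JenkinsPublicKeyCacheLoader(ApplicationLinkService applicationLinkService, HttpHeaderFetcher httpHeaderFetcher) {
            this.applicationLinkService = applicationLinkService;
            this.httpHeaderFetcher = httpHeaderFetcher;
        }

        /**
         * Loads the public key for the application link with the given id.
         *
         * @param applicationId id of the application link whose key is wanted
         * @return the decoded public key
         * @throws CacheException if the link is missing, the header cannot be fetched, or its value is not a
         *         valid Base64-encoded X.509 RSA key
         */
        @Nonnull
        public PublicKey load(@Nonnull ApplicationId applicationId) {
            try {
                ApplicationLink link = this.applicationLinkService.getApplicationLink(applicationId);
                if (link == null) {
                    // A missing link would otherwise surface as an uncaught NullPointerException; route it
                    // through the same logged CacheException path as every other load failure.
                    throw new IOException("No application link found for " + applicationId);
                }
                String uri = link.getRpcUrl().toString();
                // The key is whatever the remote end returns in X-Instance-Identity; its trustworthiness is
                // that of the connection to the configured RPC URL.
                return KeyFactory.getInstance(KEY_FACTORY_ALGORITHM).generatePublic(
                        new X509EncodedKeySpec(
                                DECODER.decode(
                                        this.httpHeaderFetcher.getHeaderValue(uri + "/login", PUBLIC_KEY_HEADER)
                                                .orElseThrow(() -> new IOException("No header found for " + uri)))));
            } catch (IOException | URISyntaxException | NoSuchAlgorithmException | TypeNotInstalledException | IllegalArgumentException | InvalidKeySpecException e) {
                log.warn("Unable to load Jenkins public key for applicationId: {}", applicationId, e);
                throw new CacheException("Failed to fetch public key from Jenkins please ensure your application link is configured correctly", e);
            }
        }
    }

    /**
     * Creates a provider that uses a default {@link JenkinsBuildServerSignatureValidator}.
     */
    public JenkinsBuildServerProvider(ApplicationLinkService applicationLinkService, CacheManager cacheManager, I18nService i18nService) {
        this(applicationLinkService, cacheManager, i18nService, new JenkinsBuildServerSignatureValidator());
    }

    /**
     * Creates a provider with an explicit signature validator and registers the public-key cache
     * (local, flushable, entries expire 8 hours after being written).
     */
    @VisibleForTesting
    JenkinsBuildServerProvider(ApplicationLinkService applicationLinkService, CacheManager cacheManager, I18nService i18nService, JenkinsBuildServerSignatureValidator jenkinsBuildServerSignatureValidator) {
        this.applicationLinkService = applicationLinkService;
        this.i18nService = i18nService;
        this.jenkinsBuildServerSignatureValidator = jenkinsBuildServerSignatureValidator;
        this.publicKeyCache = cacheManager.getCache(
                JenkinsBuildServerProvider.class.getName(),
                new JenkinsPublicKeyCacheLoader(applicationLinkService, new HttpHeaderFetcher()),
                new CacheSettingsBuilder().local().flushable().expireAfterWrite(8L, TimeUnit.HOURS).build());
    }

    /**
     * Looks up a build server by identifier, where the identifier is compared case-insensitively with
     * each generic application link's RPC URL.
     *
     * @param str the build server id
     * @return the first matching build server, or empty if no link has that RPC URL
     */
    public Optional<PluginBuildServer> getBuildServer(@Nonnull String str) {
        Objects.requireNonNull(str, "id");
        return MoreStreams.streamIterable(this.applicationLinkService.getApplicationLinks(GenericApplicationType.class))
                .filter(link -> link.getRpcUrl().toString().equalsIgnoreCase(str))
                .findFirst()
                .map(link -> new JenkinsPluginBuildServer(link, this.i18nService));
    }

    /**
     * Identifies the build server that sent a request by verifying the request signature against the
     * cached public key of each application link whose host matches the {@code base-url} header.
     *
     * @param httpServletRequest the incoming request; must carry the signature and {@code base-url} headers
     * @param map the parsed request body that the signature is checked against
     * @return the first link whose signature check succeeds, or empty if a header is missing/blank or
     *         no link verifies
     */
    @Nonnull
    public Optional<PluginBuildServer> getBuildServer(@Nonnull HttpServletRequest httpServletRequest, @Nonnull Map<String, Object> map) {
        Objects.requireNonNull(httpServletRequest, "servletRequest");
        Objects.requireNonNull(map, "requestBody");
        String signature = httpServletRequest.getHeader(SIGNATURE_HEADER);
        String requestHost = getRequestHost(httpServletRequest);
        // Fail closed: without both a signature and a parseable base-url host nothing is matched.
        if (StringUtils.isBlank(signature) || StringUtils.isBlank(requestHost)) {
            return Optional.empty();
        }
        return MoreStreams.streamIterable(this.applicationLinkService.getApplicationLinks(GenericApplicationType.class))
                .filter(link -> verifySignature(link, httpServletRequest, map, signature, requestHost))
                .findFirst()
                .map(link -> new JenkinsPluginBuildServer(link, this.i18nService));
    }

    /**
     * Extracts the host component of the request's {@code base-url} header.
     *
     * @return the host, or {@code null} when the header is blank, is not a valid URI, or has no host
     */
    private String getRequestHost(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader(BASE_URL_HEADER);
        if (StringUtils.isBlank(header)) {
            return null;
        }
        try {
            return new URI(header).getHost();
        } catch (URISyntaxException e) {
            // Placeholders are required for the parse error to be logged at all; they also keep the
            // caller-supplied header value out of the format string.
            log.warn("Failed to construct URI from Jenkins request header field <base-url> {}: {}", header, e.getMessage());
            return null;
        }
    }

    /**
     * Checks whether the request was signed by the Jenkins instance behind the given application link.
     *
     * @param applicationLink candidate link
     * @param httpServletRequest request supplying the algorithm header
     * @param map parsed request body
     * @param signature value of the signature header
     * @param requestHost host taken from the {@code base-url} header (non-blank at the only call site)
     * @return {@code true} only if the hosts match and the validator accepts the signature
     */
    private boolean verifySignature(ApplicationLink applicationLink, HttpServletRequest httpServletRequest, Map<String, Object> map, String signature, String requestHost) {
        // getHost() is null for URIs without an authority, so compare from the known non-null side.
        // Host names are case-insensitive and this is only a pre-filter before the signature check.
        if (!requestHost.equalsIgnoreCase(applicationLink.getRpcUrl().getHost())) {
            return false;
        }
        try {
            // NOTE(review): a CacheException thrown by the loader is not caught here and propagates to the
            // caller; confirm that surfacing the "application link" error message is intended.
            PublicKey publicKey = this.publicKeyCache.get(applicationLink.getId());
            if (publicKey == null) {
                return false;
            }
            return this.jenkinsBuildServerSignatureValidator.doSignaturesMatch(
                    httpServletRequest.getHeader(ALGORITHM_HEADER), publicKey, map, signature);
        } catch (GeneralSecurityException e) {
            log.warn("Failed to verify signature: ", e);
            return false;
        }
    }
}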
