package com.cloudbees.jenkins.plugins.kubernetes_credentials_provider;

import com.cloudbees.plugins.credentials.Credentials;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.IdCredentials;
import edu.umd.cs.findbugs.annotations.CheckForNull;
import edu.umd.cs.findbugs.annotations.NonNull;
import hudson.Extension;
import hudson.init.InitMilestone;
import hudson.init.Initializer;
import hudson.init.TermMilestone;
import hudson.init.Terminator;
import hudson.model.ItemGroup;
import hudson.security.ACL;
import io.fabric8.kubernetes.api.model.Secret;
import io.fabric8.kubernetes.api.model.SecretList;
import io.fabric8.kubernetes.client.ConfigBuilder;
import io.fabric8.kubernetes.client.DefaultKubernetesClient;
import io.fabric8.kubernetes.client.KubernetesClient;
import io.fabric8.kubernetes.client.KubernetesClientException;
import io.fabric8.kubernetes.client.Watch;
import io.fabric8.kubernetes.client.Watcher;
import io.fabric8.kubernetes.client.dsl.FilterWatchListDeletable;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.acegisecurity.Authentication;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;

@Extension
/* loaded from: input_file:com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/KubernetesCredentialProvider.class */
public class KubernetesCredentialProvider extends CredentialsProvider implements Watcher<Secret> {
    private static final Logger LOG = Logger.getLogger(KubernetesCredentialProvider.class.getName());
    private ConcurrentHashMap<String, IdCredentials> credentials = new ConcurrentHashMap<>();

    @CheckForNull
    private KubernetesClient client;

    @CheckForNull
    private Watch watch;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: com.cloudbees.jenkins.plugins.kubernetes_credentials_provider.KubernetesCredentialProvider$1, reason: invalid class name */
    /* loaded from: input_file:com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/KubernetesCredentialProvider$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$io$fabric8$kubernetes$client$Watcher$Action = new int[Watcher.Action.values().length];

        static {
            try {
                $SwitchMap$io$fabric8$kubernetes$client$Watcher$Action[Watcher.Action.ADDED.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$io$fabric8$kubernetes$client$Watcher$Action[Watcher.Action.MODIFIED.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$io$fabric8$kubernetes$client$Watcher$Action[Watcher.Action.DELETED.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$io$fabric8$kubernetes$client$Watcher$Action[Watcher.Action.ERROR.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
        }
    }

    @Initializer(after = InitMilestone.PLUGINS_PREPARED, fatal = false)
    @Restricted({NoExternalUse.class})
    public void startWatchingForSecrets() {
        try {
            DefaultKubernetesClient defaultKubernetesClient = new DefaultKubernetesClient(new ConfigBuilder().build());
            LOG.log(Level.FINER, "Using namespace: {0}", defaultKubernetesClient.getNamespace());
            LOG.log(Level.FINER, "retreiving secrets");
            SecretList secretList = (SecretList) ((FilterWatchListDeletable) defaultKubernetesClient.secrets().withLabel("jenkins.io/credentials-type")).list();
            List<Secret> items = secretList.getItems();
            ConcurrentHashMap<String, IdCredentials> concurrentHashMap = new ConcurrentHashMap<>();
            for (Secret secret : items) {
                LOG.log(Level.FINE, "Secret Added - {0}", SecretUtils.getCredentialId(secret));
                IdCredentials convertSecret = convertSecret(secret);
                if (convertSecret != null) {
                    concurrentHashMap.put(SecretUtils.getCredentialId(secret), convertSecret);
                }
            }
            this.credentials = concurrentHashMap;
            this.client = defaultKubernetesClient;
            LOG.log(Level.FINER, "regestering watch");
            this.watch = (Watch) ((FilterWatchListDeletable) defaultKubernetesClient.secrets().withLabel("jenkins.io/credentials-type")).watch(secretList.getMetadata().getResourceVersion(), this);
            LOG.log(Level.FINER, "registered watch, retreiving secrets");
        } catch (KubernetesClientException e) {
            LOG.log(Level.SEVERE, "Failed to initialise k8s secret provider, secrets from Kubernetes will not be available", e);
        }
    }

    @Restricted({NoExternalUse.class})
    @Terminator(after = TermMilestone.STARTED)
    public void stopWatchingForSecrets() {
        if (this.watch != null) {
            this.watch.close();
            this.watch = null;
        }
        if (this.client != null) {
            this.client.close();
            this.client = null;
        }
    }

    public <C extends Credentials> List<C> getCredentials(Class<C> cls, ItemGroup itemGroup, Authentication authentication) {
        LOG.log(Level.FINEST, "getCredentials called with type {0} and authentication {1}", new Object[]{cls.getName(), authentication});
        if (!ACL.SYSTEM.equals(authentication)) {
            return emptyList();
        }
        ArrayList arrayList = new ArrayList();
        for (IdCredentials idCredentials : this.credentials.values()) {
            LOG.log(Level.FINEST, "getCredentials {0} is a possible candidate", idCredentials.getId());
            if (cls.isAssignableFrom(idCredentials.getClass())) {
                LOG.log(Level.FINEST, "getCredentials {0} matches, adding to list", idCredentials.getId());
                arrayList.add(cls.cast(idCredentials));
            }
            LOG.log(Level.FINEST, "getCredentials {0} does not match", idCredentials.getId());
        }
        return arrayList;
    }

    @NonNull
    private final <T> List<T> emptyList() {
        return Collections.emptyList();
    }

    public void eventReceived(Watcher.Action action, Secret secret) {
        String credentialId = SecretUtils.getCredentialId(secret);
        switch (AnonymousClass1.$SwitchMap$io$fabric8$kubernetes$client$Watcher$Action[action.ordinal()]) {
            case 1:
                LOG.log(Level.FINE, "Secret Added - {0}", credentialId);
                IdCredentials convertSecret = convertSecret(secret);
                if (convertSecret != null) {
                    this.credentials.put(credentialId, convertSecret);
                    return;
                }
                return;
            case 2:
                LOG.log(Level.FINE, "Secret Modified - {0}", credentialId);
                IdCredentials convertSecret2 = convertSecret(secret);
                if (convertSecret2 != null) {
                    this.credentials.put(credentialId, convertSecret2);
                    return;
                }
                return;
            case 3:
                LOG.log(Level.FINE, "Secret Deleted - {0}", credentialId);
                this.credentials.remove(credentialId);
                return;
            case 4:
                LOG.log(Level.WARNING, "Action received of type Error. {0}", secret);
                return;
            default:
                return;
        }
    }

    public void onClose(KubernetesClientException kubernetesClientException) {
        LOG.log(Level.INFO, "onClose.", (Throwable) kubernetesClientException);
    }

    @CheckForNull
    IdCredentials convertSecret(Secret secret) {
        String str = (String) secret.getMetadata().getLabels().get("jenkins.io/credentials-type");
        SecretToCredentialConverter lookup = SecretToCredentialConverter.lookup(str);
        if (lookup == null) {
            LOG.log(Level.WARNING, "No SecretToCredentialConveror found to convert secrets of type {0}", str);
            return null;
        }
        try {
            return lookup.mo3convert(secret);
        } catch (CredentialsConvertionException e) {
            if (LOG.isLoggable(Level.FINE)) {
                LOG.log(Level.FINE, "Failed to convert Secret '" + SecretUtils.getCredentialId(secret) + "' of type " + str, (Throwable) e);
                return null;
            }
            LOG.log(Level.WARNING, "Failed to convert Secret ''{0}'' of type {1} due to {2}", new Object[]{SecretUtils.getCredentialId(secret), str, e.getMessage()});
            return null;
        }
    }
}
