package org.jenkinsci.plugins.oic;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Strings;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.oauth2.sdk.GrantType;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.oauth2.sdk.pkce.CodeChallengeMethod;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.oauth2.sdk.token.RefreshToken;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import edu.umd.cs.findbugs.annotations.CheckForNull;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import hudson.Extension;
import hudson.ExtensionList;
import hudson.Util;
import hudson.model.Descriptor;
import hudson.model.Failure;
import hudson.model.User;
import hudson.security.ChainedServletFilter;
import hudson.security.SecurityRealm;
import hudson.tasks.Mailer;
import hudson.util.FormValidation;
import hudson.util.Secret;
import io.burt.jmespath.Expression;
import io.burt.jmespath.JmesPath;
import io.burt.jmespath.RuntimeConfiguration;
import io.burt.jmespath.jcf.JcfRuntime;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectStreamException;
import java.io.Serializable;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.time.Clock;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Random;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import javax.annotation.PostConstruct;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import jenkins.model.IdStrategy;
import jenkins.model.IdStrategyDescriptor;
import jenkins.model.Jenkins;
import jenkins.security.ApiTokenProperty;
import jenkins.security.FIPS140;
import jenkins.security.SecurityListener;
import jenkins.util.SystemProperties;
import org.apache.commons.lang.StringUtils;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.DoNotUse;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.Header;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.Stapler;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.credentials.Credentials;
import org.pac4j.core.exception.TechnicalException;
import org.pac4j.core.exception.http.HttpAction;
import org.pac4j.core.exception.http.RedirectionAction;
import org.pac4j.core.http.callback.NoParameterCallbackUrlResolver;
import org.pac4j.jee.context.JEEContext;
import org.pac4j.jee.context.JEEContextFactory;
import org.pac4j.jee.context.session.JEESessionStoreFactory;
import org.pac4j.jee.http.adapter.JEEHttpActionAdapter;
import org.pac4j.oidc.client.OidcClient;
import org.pac4j.oidc.config.OidcConfiguration;
import org.pac4j.oidc.credentials.authenticator.OidcAuthenticator;
import org.pac4j.oidc.profile.OidcProfile;
import org.pac4j.oidc.redirect.OidcRedirectionActionBuilder;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.crypto.bcrypt.BCrypt;
import org.springframework.util.Assert;

/* loaded from: input_file:org/jenkinsci/plugins/oic/OicSecurityRealm.class */
public class OicSecurityRealm extends SecurityRealm implements Serializable {
    private static final long serialVersionUID = 1;
    private IdStrategy userIdStrategy;
    private IdStrategy groupIdStrategy;
    private static final String ID_TOKEN_REQUEST_ATTRIBUTE = "oic-id-token";
    private static final String NO_SECRET = "none";
    private static final String SESSION_POST_LOGIN_REDIRECT_URL_KEY = "oic-redirect-on-login-url";
    private final String clientId;
    private final Secret clientSecret;

    @Deprecated
    private transient String wellKnownOpenIDConfigurationUrl;

    @Deprecated
    private transient String tokenServerUrl;

    @Deprecated
    private transient String jwksServerUrl;

    @Deprecated
    private transient TokenAuthMethod tokenAuthMethod;

    @Deprecated
    private transient String authorizationServerUrl;

    @Deprecated
    private transient String userInfoServerUrl;
    private final boolean disableSslVerification;
    private String postLogoutRedirectUrl;
    private OicServerConfiguration serverConfiguration;

    @Deprecated
    private transient String endSessionUrl;
    private transient ProxyAwareResourceRetriever proxyAwareResourceRetriever;
    private static final Logger LOGGER = Logger.getLogger(OicSecurityRealm.class.getName());
    private static boolean checkNonceInRefreshFlow = SystemProperties.getBoolean(OicSecurityRealm.class.getName() + ".checkNonceInRefreshFlow", false);
    private static final Random RANDOM = new Random();
    private static final Clock CLOCK = Clock.systemUTC();
    private static final JmesPath<Object> JMESPATH = new JcfRuntime(new RuntimeConfiguration.Builder().withSilentTypeErrors(true).build());
    private String userNameField = "sub";
    private transient Expression<Object> userNameFieldExpr = null;
    private String tokenFieldToCheckKey = null;
    private transient Expression<Object> tokenFieldToCheckExpr = null;
    private String tokenFieldToCheckValue = null;
    private String fullNameFieldName = null;
    private transient Expression<Object> fullNameFieldExpr = null;
    private String emailFieldName = null;
    private transient Expression<Object> emailFieldExpr = null;
    private String groupsFieldName = null;
    private transient Expression<Object> groupsFieldExpr = null;
    private transient String simpleGroupsFieldName = null;
    private transient String nestedGroupFieldName = null;

    @Deprecated
    private transient String scopes = null;
    private boolean logoutFromOpenidProvider = true;

    @Deprecated
    private transient String endSessionEndpoint = null;
    private boolean escapeHatchEnabled = false;
    private String escapeHatchUsername = null;
    private Secret escapeHatchSecret = null;
    private String escapeHatchGroup = null;

    @Deprecated
    private transient String automanualconfigure = null;

    @Deprecated
    private transient boolean useRefreshTokens = false;

    @Deprecated
    private String overrideScopes = null;
    private boolean rootURLFromRequest = false;
    private boolean sendScopesInTokenRequest = false;
    private boolean pkceEnabled = false;
    private boolean disableTokenVerification = false;
    private boolean nonceDisabled = false;
    private boolean tokenExpirationCheckDisabled = false;
    private boolean allowTokenAccessWithoutOicSession = false;
    private Long allowedTokenExpirationClockSkewSeconds = 60L;

    @Extension
    /* loaded from: input_file:org/jenkinsci/plugins/oic/OicSecurityRealm$DescriptorImpl.class */
    public static final class DescriptorImpl extends Descriptor<SecurityRealm> {
        public String getDisplayName() {
            return Messages.OicSecurityRealm_DisplayName();
        }

        @RequirePOST
        public FormValidation doCheckClientId(@QueryParameter String str) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return Util.fixEmptyAndTrim(str) == null ? FormValidation.error(Messages.OicSecurityRealm_ClientIdRequired()) : FormValidation.ok();
        }

        @RequirePOST
        public FormValidation doCheckClientSecret(@QueryParameter String str) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return Util.fixEmptyAndTrim(str) == null ? FormValidation.error(Messages.OicSecurityRealm_ClientSecretRequired()) : FormValidation.ok();
        }

        @RequirePOST
        public FormValidation doCheckPostLogoutRedirectUrl(@QueryParameter String str) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            if (Util.fixEmptyAndTrim(str) == null) {
                return FormValidation.ok();
            }
            try {
                new URL(str);
                return FormValidation.ok();
            } catch (MalformedURLException e) {
                return FormValidation.error(e, Messages.OicSecurityRealm_NotAValidURL());
            }
        }

        @RequirePOST
        public FormValidation doCheckUserNameField(@QueryParameter String str) {
            return doCheckFieldName(str, FormValidation.ok(Messages.OicSecurityRealm_UsingDefaultUsername()));
        }

        @RequirePOST
        public FormValidation doCheckFullNameFieldName(@QueryParameter String str) {
            return doCheckFieldName(str, FormValidation.ok());
        }

        @RequirePOST
        public FormValidation doCheckEmailFieldName(@QueryParameter String str) {
            return doCheckFieldName(str, FormValidation.ok());
        }

        @RequirePOST
        public FormValidation doCheckGroupsFieldName(@QueryParameter String str) {
            return doCheckFieldName(str, FormValidation.ok());
        }

        @RequirePOST
        public FormValidation doCheckTokenFieldToCheckKey(@QueryParameter String str) {
            return doCheckFieldName(str, FormValidation.ok());
        }

        @RequirePOST
        public FormValidation doCheckDisableSslVerification(@QueryParameter Boolean bool) {
            return (FIPS140.useCompliantAlgorithms() && bool.booleanValue()) ? FormValidation.error(Messages.OicSecurityRealm_DisableSslVerificationFipsMode()) : FormValidation.ok();
        }

        @RequirePOST
        public FormValidation doCheckDisableTokenVerification(@QueryParameter Boolean bool) {
            return (FIPS140.useCompliantAlgorithms() && bool.booleanValue()) ? FormValidation.error(Messages.OicSecurityRealm_DisableTokenVerificationFipsMode()) : FormValidation.ok();
        }

        private FormValidation doCheckFieldName(String str, FormValidation formValidation) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return Util.fixEmptyAndTrim(str) == null ? formValidation : OicSecurityRealm.compileJMESPath(str, null) == null ? FormValidation.error(Messages.OicSecurityRealm_InvalidFieldName()) : FormValidation.ok();
        }

        @Restricted({NoExternalUse.class})
        public Descriptor<OicServerConfiguration> getDefaultServerConfigurationType() {
            return Jenkins.get().getDescriptor(OicServerWellKnownConfiguration.class);
        }

        @Restricted({NoExternalUse.class})
        public boolean isFipsEnabled() {
            return FIPS140.useCompliantAlgorithms();
        }

        @Restricted({NoExternalUse.class})
        public List<IdStrategyDescriptor> getIdStrategyDescriptors() {
            return ExtensionList.lookup(IdStrategyDescriptor.class);
        }

        @Restricted({NoExternalUse.class})
        public IdStrategy defaultUsernameIdStrategy() {
            return new IdStrategy.CaseSensitive();
        }

        @Restricted({NoExternalUse.class})
        public IdStrategy defaultGroupIdStrategy() {
            return new IdStrategy.CaseSensitive();
        }
    }

    /* loaded from: input_file:org/jenkinsci/plugins/oic/OicSecurityRealm$TokenAuthMethod.class */
    public enum TokenAuthMethod {
        client_secret_basic(ClientAuthenticationMethod.CLIENT_SECRET_BASIC),
        client_secret_post(ClientAuthenticationMethod.CLIENT_SECRET_POST);

        private ClientAuthenticationMethod clientAuthMethod;

        TokenAuthMethod(ClientAuthenticationMethod clientAuthenticationMethod) {
            this.clientAuthMethod = clientAuthenticationMethod;
        }

        ClientAuthenticationMethod toClientAuthenticationMethod() {
            return this.clientAuthMethod;
        }
    }

    @DataBoundConstructor
    public OicSecurityRealm(String str, Secret secret, OicServerConfiguration oicServerConfiguration, Boolean bool, IdStrategy idStrategy, IdStrategy idStrategy2) throws IOException, Descriptor.FormException {
        this.disableSslVerification = ((Boolean) Util.fixNull(bool, Boolean.FALSE)).booleanValue();
        if (FIPS140.useCompliantAlgorithms() && this.disableSslVerification) {
            throw new Descriptor.FormException(Messages.OicSecurityRealm_DisableSslVerificationFipsMode(), "disableSslVerification");
        }
        this.clientId = str;
        this.clientSecret = secret;
        this.serverConfiguration = oicServerConfiguration;
        this.userIdStrategy = idStrategy;
        this.groupIdStrategy = idStrategy2;
    }

    protected Object readResolve() throws ObjectStreamException {
        if (FIPS140.useCompliantAlgorithms()) {
            if (isDisableSslVerification()) {
                throw new IllegalStateException(Messages.OicSecurityRealm_DisableSslVerificationFipsMode());
            }
            if (isDisableTokenVerification()) {
                throw new IllegalStateException(Messages.OicSecurityRealm_DisableTokenVerificationFipsMode());
            }
        }
        if (!Strings.isNullOrEmpty(this.endSessionUrl)) {
            this.endSessionEndpoint = this.endSessionUrl + "/";
        }
        if (!Strings.isNullOrEmpty(this.groupsFieldName) || Strings.isNullOrEmpty(this.simpleGroupsFieldName)) {
            setGroupsFieldName(this.groupsFieldName);
        } else {
            String str = this.simpleGroupsFieldName;
            if (!Strings.isNullOrEmpty(this.nestedGroupFieldName)) {
                str = str + "[]." + this.nestedGroupFieldName;
            }
            setGroupsFieldName(str);
        }
        setUserNameField(this.userNameField);
        setEmailFieldName(this.emailFieldName);
        setFullNameFieldName(this.fullNameFieldName);
        setTokenFieldToCheckKey(this.tokenFieldToCheckKey);
        setEscapeHatchSecret(this.escapeHatchSecret);
        try {
            setEscapeHatchEnabled(this.escapeHatchEnabled);
            try {
                if (this.automanualconfigure != null) {
                    if ("auto".equals(this.automanualconfigure)) {
                        OicServerWellKnownConfiguration oicServerWellKnownConfiguration = new OicServerWellKnownConfiguration(this.wellKnownOpenIDConfigurationUrl);
                        oicServerWellKnownConfiguration.setScopesOverride(this.overrideScopes);
                        this.serverConfiguration = oicServerWellKnownConfiguration;
                    } else {
                        OicServerManualConfiguration oicServerManualConfiguration = new OicServerManualConfiguration("migrated", this.tokenServerUrl, this.authorizationServerUrl);
                        if (this.tokenAuthMethod != null) {
                            oicServerManualConfiguration.setTokenAuthMethod(this.tokenAuthMethod);
                        }
                        oicServerManualConfiguration.setEndSessionUrl(this.endSessionEndpoint);
                        oicServerManualConfiguration.setJwksServerUrl(this.jwksServerUrl);
                        oicServerManualConfiguration.setScopes(this.scopes != null ? this.scopes : "openid email");
                        oicServerManualConfiguration.setUseRefreshTokens(this.useRefreshTokens);
                        oicServerManualConfiguration.setUserInfoServerUrl(this.userInfoServerUrl);
                        this.serverConfiguration = oicServerManualConfiguration;
                    }
                }
                createProxyAwareResourceRetriver();
                return this;
            } catch (Descriptor.FormException e) {
                InvalidObjectException invalidObjectException = new InvalidObjectException(e.getFormField() + ": " + e.getMessage());
                invalidObjectException.initCause(e);
                throw invalidObjectException;
            }
        } catch (Descriptor.FormException e2) {
            throw new IllegalArgumentException(e2.getFormField() + ": " + e2.getMessage());
        }
    }

    public String getClientId() {
        return this.clientId;
    }

    public Secret getClientSecret() {
        return this.clientSecret == null ? Secret.fromString(NO_SECRET) : this.clientSecret;
    }

    @Restricted({NoExternalUse.class})
    public OicServerConfiguration getServerConfiguration() {
        return this.serverConfiguration;
    }

    public String getUserNameField() {
        return this.userNameField;
    }

    @Restricted({NoExternalUse.class})
    public boolean isMissingIdStrategy() {
        return this.userIdStrategy == null || this.groupIdStrategy == null;
    }

    public IdStrategy getUserIdStrategy() {
        return this.userIdStrategy != null ? this.userIdStrategy : IdStrategy.CASE_INSENSITIVE;
    }

    public String getTokenFieldToCheckKey() {
        return this.tokenFieldToCheckKey;
    }

    public String getTokenFieldToCheckValue() {
        return this.tokenFieldToCheckValue;
    }

    public String getFullNameFieldName() {
        return this.fullNameFieldName;
    }

    public String getEmailFieldName() {
        return this.emailFieldName;
    }

    public String getGroupsFieldName() {
        return this.groupsFieldName;
    }

    public IdStrategy getGroupIdStrategy() {
        return this.groupIdStrategy != null ? this.groupIdStrategy : IdStrategy.CASE_INSENSITIVE;
    }

    public boolean isDisableSslVerification() {
        return this.disableSslVerification;
    }

    public boolean isLogoutFromOpenidProvider() {
        return this.logoutFromOpenidProvider;
    }

    public String getPostLogoutRedirectUrl() {
        return this.postLogoutRedirectUrl;
    }

    public boolean isEscapeHatchEnabled() {
        return this.escapeHatchEnabled;
    }

    public String getEscapeHatchUsername() {
        return this.escapeHatchUsername;
    }

    public Secret getEscapeHatchSecret() {
        return this.escapeHatchSecret;
    }

    public String getEscapeHatchGroup() {
        return this.escapeHatchGroup;
    }

    public boolean isRootURLFromRequest() {
        return this.rootURLFromRequest;
    }

    public boolean isSendScopesInTokenRequest() {
        return this.sendScopesInTokenRequest;
    }

    public boolean isPkceEnabled() {
        return this.pkceEnabled;
    }

    public boolean isDisableTokenVerification() {
        return this.disableTokenVerification;
    }

    public boolean isNonceDisabled() {
        return this.nonceDisabled;
    }

    public boolean isTokenExpirationCheckDisabled() {
        return this.tokenExpirationCheckDisabled;
    }

    public boolean isAllowTokenAccessWithoutOicSession() {
        return this.allowTokenAccessWithoutOicSession;
    }

    public Long getAllowedTokenExpirationClockSkewSeconds() {
        return this.allowedTokenExpirationClockSkewSeconds;
    }

    @Restricted({NoExternalUse.class})
    @PostConstruct
    public void createProxyAwareResourceRetriver() {
        this.proxyAwareResourceRetriever = ProxyAwareResourceRetriever.createProxyAwareResourceRetriver(isDisableSslVerification());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ProxyAwareResourceRetriever getResourceRetriever() {
        return this.proxyAwareResourceRetriever;
    }

    private OidcConfiguration buildOidcConfiguration() {
        CustomOidcConfiguration customOidcConfiguration = new CustomOidcConfiguration(isDisableSslVerification());
        customOidcConfiguration.setClientId(this.clientId);
        customOidcConfiguration.setSecret(this.clientSecret.getPlainText());
        OIDCProviderMetadata providerMetadata = this.serverConfiguration.toProviderMetadata();
        filterNonFIPS140CompliantAlgorithms(providerMetadata);
        if (isDisableTokenVerification()) {
            customOidcConfiguration.setAllowUnsignedIdTokens(true);
            customOidcConfiguration.setTokenValidator(new AnythingGoesTokenValidator());
        }
        customOidcConfiguration.setProviderMetadata(providerMetadata);
        if (providerMetadata.getScopes() != null) {
            customOidcConfiguration.setScope(providerMetadata.getScopes().toString());
        }
        customOidcConfiguration.setUseNonce(!this.nonceDisabled);
        if (this.allowedTokenExpirationClockSkewSeconds != null) {
            customOidcConfiguration.setMaxClockSkew(this.allowedTokenExpirationClockSkewSeconds.intValue());
        }
        customOidcConfiguration.setResourceRetriever(getResourceRetriever());
        if (isPkceEnabled()) {
            customOidcConfiguration.setPkceMethod(CodeChallengeMethod.S256);
        }
        return customOidcConfiguration;
    }

    @Restricted({NoExternalUse.class})
    protected void filterNonFIPS140CompliantAlgorithms(@NonNull OIDCProviderMetadata oIDCProviderMetadata) {
        if (FIPS140.useCompliantAlgorithms()) {
            filterJwsAlgorithms(oIDCProviderMetadata);
            filterJweAlgorithms(oIDCProviderMetadata);
            filterEncryptionMethods(oIDCProviderMetadata);
        }
    }

    private void filterEncryptionMethods(@NonNull OIDCProviderMetadata oIDCProviderMetadata) {
        if (oIDCProviderMetadata.getRequestObjectJWEEncs() != null) {
            oIDCProviderMetadata.setRequestObjectJWEEncs(OicAlgorithmValidatorFIPS140.getFipsCompliantEncryptionMethod(oIDCProviderMetadata.getRequestObjectJWEEncs()));
        }
        if (oIDCProviderMetadata.getAuthorizationJWEEncs() != null) {
            oIDCProviderMetadata.setAuthorizationJWEEncs(OicAlgorithmValidatorFIPS140.getFipsCompliantEncryptionMethod(oIDCProviderMetadata.getAuthorizationJWEEncs()));
        }
        if (oIDCProviderMetadata.getIDTokenJWEEncs() != null) {
            oIDCProviderMetadata.setIDTokenJWEEncs(OicAlgorithmValidatorFIPS140.getFipsCompliantEncryptionMethod(oIDCProviderMetadata.getIDTokenJWEEncs()));
        }
        if (oIDCProviderMetadata.getUserInfoJWEEncs() != null) {
            oIDCProviderMetadata.setUserInfoJWEEncs(OicAlgorithmValidatorFIPS140.getFipsCompliantEncryptionMethod(oIDCProviderMetadata.getUserInfoJWEEncs()));
        }
        if (oIDCProviderMetadata.getRequestObjectJWEEncs() != null) {
            oIDCProviderMetadata.setRequestObjectJWEEncs(OicAlgorithmValidatorFIPS140.getFipsCompliantEncryptionMethod(oIDCProviderMetadata.getRequestObjectJWEEncs()));
        }
        if (oIDCProviderMetadata.getAuthorizationJWEEncs() != null) {
            oIDCProviderMetadata.setAuthorizationJWEEncs(OicAlgorithmValidatorFIPS140.getFipsCompliantEncryptionMethod(oIDCProviderMetadata.getAuthorizationJWEEncs()));
        }
    }

    private void filterJweAlgorithms(@NonNull OIDCProviderMetadata oIDCProviderMetadata) {
        if (oIDCProviderMetadata.getIDTokenJWEAlgs() != null) {
            oIDCProviderMetadata.setIDTokenJWEAlgs(OicAlgorithmValidatorFIPS140.getFipsCompliantJWEAlgorithm(oIDCProviderMetadata.getIDTokenJWEAlgs()));
        }
        if (oIDCProviderMetadata.getUserInfoJWEAlgs() != null) {
            oIDCProviderMetadata.setUserInfoJWEAlgs(OicAlgorithmValidatorFIPS140.getFipsCompliantJWEAlgorithm(oIDCProviderMetadata.getUserInfoJWEAlgs()));
        }
        if (oIDCProviderMetadata.getRequestObjectJWEAlgs() != null) {
            oIDCProviderMetadata.setRequestObjectJWEAlgs(OicAlgorithmValidatorFIPS140.getFipsCompliantJWEAlgorithm(oIDCProviderMetadata.getRequestObjectJWEAlgs()));
        }
        if (oIDCProviderMetadata.getAuthorizationJWEAlgs() != null) {
            oIDCProviderMetadata.setAuthorizationJWEAlgs(OicAlgorithmValidatorFIPS140.getFipsCompliantJWEAlgorithm(oIDCProviderMetadata.getAuthorizationJWEAlgs()));
        }
    }

    private void filterJwsAlgorithms(@NonNull OIDCProviderMetadata oIDCProviderMetadata) {
        if (oIDCProviderMetadata.getIDTokenJWSAlgs() != null) {
            oIDCProviderMetadata.setIDTokenJWSAlgs(OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(oIDCProviderMetadata.getIDTokenJWSAlgs()));
        }
        if (oIDCProviderMetadata.getUserInfoJWSAlgs() != null) {
            oIDCProviderMetadata.setUserInfoJWSAlgs(OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(oIDCProviderMetadata.getUserInfoJWSAlgs()));
        }
        if (oIDCProviderMetadata.getTokenEndpointJWSAlgs() != null) {
            oIDCProviderMetadata.setTokenEndpointJWSAlgs(OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(oIDCProviderMetadata.getTokenEndpointJWSAlgs()));
        }
        if (oIDCProviderMetadata.getIntrospectionEndpointJWSAlgs() != null) {
            oIDCProviderMetadata.setIntrospectionEndpointJWSAlgs(OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(oIDCProviderMetadata.getIntrospectionEndpointJWSAlgs()));
        }
        if (oIDCProviderMetadata.getRevocationEndpointJWSAlgs() != null) {
            oIDCProviderMetadata.setRevocationEndpointJWSAlgs(OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(oIDCProviderMetadata.getRevocationEndpointJWSAlgs()));
        }
        if (oIDCProviderMetadata.getRequestObjectJWSAlgs() != null) {
            oIDCProviderMetadata.setRequestObjectJWSAlgs(OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(oIDCProviderMetadata.getRequestObjectJWSAlgs()));
        }
        if (oIDCProviderMetadata.getDPoPJWSAlgs() != null) {
            oIDCProviderMetadata.setDPoPJWSAlgs(OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(oIDCProviderMetadata.getDPoPJWSAlgs()));
        }
        if (oIDCProviderMetadata.getAuthorizationJWSAlgs() != null) {
            oIDCProviderMetadata.setAuthorizationJWSAlgs(OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(oIDCProviderMetadata.getAuthorizationJWSAlgs()));
        }
        if (oIDCProviderMetadata.getBackChannelAuthenticationRequestJWSAlgs() != null) {
            oIDCProviderMetadata.setBackChannelAuthenticationRequestJWSAlgs(OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(oIDCProviderMetadata.getBackChannelAuthenticationRequestJWSAlgs()));
        }
        if (oIDCProviderMetadata.getClientRegistrationAuthnJWSAlgs() != null) {
            oIDCProviderMetadata.setClientRegistrationAuthnJWSAlgs(OicAlgorithmValidatorFIPS140.getFipsCompliantJWSAlgorithm(oIDCProviderMetadata.getClientRegistrationAuthnJWSAlgs()));
        }
    }

    @Restricted({NoExternalUse.class})
    protected OidcClient buildOidcClient() {
        OidcConfiguration buildOidcConfiguration = buildOidcConfiguration();
        OidcClient oidcClient = new OidcClient(buildOidcConfiguration);
        oidcClient.setCallbackUrl(buildOAuthRedirectUrl());
        oidcClient.setAuthenticator(new OidcAuthenticator(buildOidcConfiguration, oidcClient));
        oidcClient.setCallbackUrlResolver(new NoParameterCallbackUrlResolver());
        return oidcClient;
    }

    @DataBoundSetter
    public void setUserNameField(String str) {
        this.userNameField = (String) Util.fixNull(Util.fixEmptyAndTrim(str), "sub");
        this.userNameFieldExpr = compileJMESPath(this.userNameField, "user name field");
    }

    @DataBoundSetter
    public void setTokenFieldToCheckKey(String str) {
        this.tokenFieldToCheckKey = Util.fixEmptyAndTrim(str);
        this.tokenFieldToCheckExpr = compileJMESPath(this.tokenFieldToCheckKey, "token field to check");
    }

    @DataBoundSetter
    public void setTokenFieldToCheckValue(String str) {
        this.tokenFieldToCheckValue = Util.fixEmptyAndTrim(str);
    }

    @DataBoundSetter
    public void setFullNameFieldName(String str) {
        this.fullNameFieldName = Util.fixEmptyAndTrim(str);
        this.fullNameFieldExpr = compileJMESPath(this.fullNameFieldName, "full name field");
    }

    @DataBoundSetter
    public void setEmailFieldName(String str) {
        this.emailFieldName = Util.fixEmptyAndTrim(str);
        this.emailFieldExpr = compileJMESPath(this.emailFieldName, "email field");
    }

    protected static Expression<Object> compileJMESPath(String str, String str2) {
        if (str == null) {
            return null;
        }
        try {
            Expression<Object> compile = JMESPATH.compile(str);
            if (compile == null && str2 != null) {
                LOGGER.warning(str2 + " with config '" + str + "' is an invalid JMESPath expression ");
            }
            return compile;
        } catch (RuntimeException e) {
            if (str2 == null) {
                return null;
            }
            LOGGER.warning(str2 + " config failed " + e.toString());
            return null;
        }
    }

    private Object applyJMESPath(Expression<Object> expression, Object obj) {
        return expression.search(obj);
    }

    @DataBoundSetter
    public void setGroupsFieldName(String str) {
        this.groupsFieldName = Util.fixEmptyAndTrim(str);
        this.groupsFieldExpr = compileJMESPath(str, "groups field");
    }

    @DataBoundSetter
    public void setLogoutFromOpenidProvider(boolean z) {
        this.logoutFromOpenidProvider = z;
    }

    @DataBoundSetter
    public void setPostLogoutRedirectUrl(String str) {
        this.postLogoutRedirectUrl = Util.fixEmptyAndTrim(str);
    }

    @DataBoundSetter
    public void setEscapeHatchEnabled(boolean z) throws Descriptor.FormException {
        if (FIPS140.useCompliantAlgorithms() && z) {
            throw new Descriptor.FormException("Escape Hatch cannot be enabled in FIPS environment", "escapeHatchEnabled");
        }
        this.escapeHatchEnabled = z;
    }

    @DataBoundSetter
    public void setEscapeHatchUsername(String str) {
        this.escapeHatchUsername = Util.fixEmptyAndTrim(str);
    }

    @DataBoundSetter
    public void setEscapeHatchSecret(Secret secret) {
        if (secret != null) {
            String secret2 = Secret.toString(secret);
            if (!Pattern.compile("\\A\\$[^$]+\\$\\d+\\$[./0-9A-Za-z]{53}").matcher(secret2).matches()) {
                this.escapeHatchSecret = Secret.fromString(BCrypt.hashpw(secret2, BCrypt.gensalt()));
                return;
            }
        }
        this.escapeHatchSecret = secret;
    }

    protected boolean checkEscapeHatch(String str, String str2) {
        return str.equals(this.escapeHatchUsername) & BCrypt.checkpw(str2, Secret.toString(this.escapeHatchSecret));
    }

    @DataBoundSetter
    public void setEscapeHatchGroup(String str) {
        this.escapeHatchGroup = Util.fixEmptyAndTrim(str);
    }

    @DataBoundSetter
    public void setRootURLFromRequest(boolean z) {
        this.rootURLFromRequest = z;
    }

    @DataBoundSetter
    public void setSendScopesInTokenRequest(boolean z) {
        this.sendScopesInTokenRequest = z;
    }

    @DataBoundSetter
    public void setPkceEnabled(boolean z) {
        this.pkceEnabled = z;
    }

    @DataBoundSetter
    public void setDisableTokenVerification(boolean z) throws Descriptor.FormException {
        if (FIPS140.useCompliantAlgorithms() && z) {
            throw new Descriptor.FormException(Messages.OicSecurityRealm_DisableTokenVerificationFipsMode(), "disableTokenVerification");
        }
        this.disableTokenVerification = z;
    }

    @DataBoundSetter
    public void setNonceDisabled(boolean z) {
        this.nonceDisabled = z;
    }

    @DataBoundSetter
    public void setTokenExpirationCheckDisabled(boolean z) {
        this.tokenExpirationCheckDisabled = z;
    }

    @DataBoundSetter
    public void setAllowTokenAccessWithoutOicSession(boolean z) {
        this.allowTokenAccessWithoutOicSession = z;
    }

    @DataBoundSetter
    public void setAllowedTokenExpirationClockSkewSeconds(Long l) {
        this.allowedTokenExpirationClockSkewSeconds = l;
    }

    public String getLoginUrl() {
        return "securityRealm/commenceLogin";
    }

    public String getAuthenticationGatewayUrl() {
        return "securityRealm/escapeHatch";
    }

    public Filter createFilter(FilterConfig filterConfig) {
        return new ChainedServletFilter(new Filter[]{super.createFilter(filterConfig), new Filter() { // from class: org.jenkinsci.plugins.oic.OicSecurityRealm.1
            public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
                if (OicSecurityRealm.this.handleTokenExpiration((HttpServletRequest) servletRequest, (HttpServletResponse) servletResponse)) {
                    filterChain.doFilter(servletRequest, servletResponse);
                }
            }
        }});
    }

    public SecurityRealm.SecurityComponents createSecurityComponents() {
        return new SecurityRealm.SecurityComponents(new AuthenticationManager() { // from class: org.jenkinsci.plugins.oic.OicSecurityRealm.2
            public Authentication authenticate(Authentication authentication) throws AuthenticationException {
                if (authentication instanceof AnonymousAuthenticationToken) {
                    return authentication;
                }
                if (!(authentication instanceof UsernamePasswordAuthenticationToken) || !OicSecurityRealm.this.escapeHatchEnabled) {
                    throw new BadCredentialsException("Unexpected authentication type: " + String.valueOf(authentication));
                }
                OicSecurityRealm.this.randomWait();
                if (!OicSecurityRealm.this.checkEscapeHatch(authentication.getPrincipal().toString(), authentication.getCredentials().toString())) {
                    throw new BadCredentialsException("Wrong username and password: " + String.valueOf(authentication));
                }
                ArrayList arrayList = new ArrayList();
                arrayList.add(SecurityRealm.AUTHENTICATED_AUTHORITY2);
                if (StringUtils.isNotBlank(OicSecurityRealm.this.escapeHatchGroup)) {
                    arrayList.add(new SimpleGrantedAuthority(OicSecurityRealm.this.escapeHatchGroup));
                }
                UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(OicSecurityRealm.this.escapeHatchUsername, "", arrayList);
                SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken);
                SecurityListener.fireAuthenticated2(new OicUserDetails(OicSecurityRealm.this.escapeHatchUsername, arrayList));
                return usernamePasswordAuthenticationToken;
            }
        });
    }

    protected String getValidRedirectUrl(String str) {
        String rootUrl = getRootUrl();
        if (str != null && !str.isEmpty()) {
            try {
                String url = new URL(new URL(rootUrl), str).toString();
                if (url.startsWith(rootUrl)) {
                    return url.startsWith(new URL(new URL(rootUrl), "OicLogout").toString()) ? rootUrl : url;
                }
            } catch (MalformedURLException e) {
            }
        }
        return rootUrl;
    }

    @Restricted({DoNotUse.class})
    public void doCommenceLogin(@QueryParameter String str, @Header("Referer") String str2) throws URISyntaxException {
        OidcClient buildOidcClient = buildOidcClient();
        String validRedirectUrl = getValidRedirectUrl(str != null ? str : str2);
        OidcRedirectionActionBuilder oidcRedirectionActionBuilder = new OidcRedirectionActionBuilder(buildOidcClient);
        JEEContext newContext = JEEContextFactory.INSTANCE.newContext(new Object[]{Stapler.getCurrentRequest(), Stapler.getCurrentResponse()});
        SessionStore newSessionStore = JEESessionStoreFactory.INSTANCE.newSessionStore(new Object[0]);
        RedirectionAction redirectionAction = (RedirectionAction) oidcRedirectionActionBuilder.getRedirectionAction(newContext, newSessionStore).orElseThrow();
        newSessionStore.set(newContext, SESSION_POST_LOGIN_REDIRECT_URL_KEY, validRedirectUrl);
        JEEHttpActionAdapter.INSTANCE.adapt(redirectionAction, newContext);
    }

    @SuppressFBWarnings(value = {"DMI_RANDOM_USED_ONLY_ONCE"}, justification = "False positive in spotbug about DMI_RANDOM_USED_ONLY_ONCE")
    private void randomWait() {
        try {
            Thread.sleep(1000 + RANDOM.nextInt(1000));
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    }

    private boolean failedCheckOfTokenField(JWT jwt) throws ParseException {
        String stringField;
        if (this.tokenFieldToCheckKey == null || this.tokenFieldToCheckValue == null) {
            return false;
        }
        return jwt == null || (stringField = getStringField(jwt.getJWTClaimsSet().getClaims(), this.tokenFieldToCheckExpr)) == null || !this.tokenFieldToCheckValue.equals(stringField);
    }

    private UsernamePasswordAuthenticationToken loginAndSetUserData(String str, JWT jwt, Map<String, Object> map, OicCredentials oicCredentials) throws IOException, ParseException {
        List<GrantedAuthority> determineAuthorities = determineAuthorities(jwt, map);
        if (LOGGER.isLoggable(Level.FINEST)) {
            StringBuilder sb = new StringBuilder(str);
            sb.append(" (");
            Iterator<GrantedAuthority> it = determineAuthorities.iterator();
            while (it.hasNext()) {
                sb.append(" ").append(it.next().getAuthority());
            }
            sb.append(" )");
            LOGGER.finest("GrantedAuthorities:" + String.valueOf(sb));
        }
        UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(str, "", determineAuthorities);
        SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken);
        User user = User.get2(usernamePasswordAuthenticationToken);
        if (user == null) {
            throw new IOException("Cannot set OIDC property on anonymous user");
        }
        String determineStringField = determineStringField(this.emailFieldExpr, jwt, map);
        if (determineStringField != null) {
            user.addProperty(new Mailer.UserProperty(determineStringField));
        }
        String determineStringField2 = determineStringField(this.fullNameFieldExpr, jwt, map);
        if (determineStringField2 != null) {
            user.setFullName(determineStringField2);
        }
        user.addProperty(oicCredentials);
        SecurityListener.fireAuthenticated2(new OicUserDetails(str, determineAuthorities));
        SecurityListener.fireLoggedIn(str);
        return usernamePasswordAuthenticationToken;
    }

    private String determineStringField(Expression<Object> expression, JWT jwt, Map map) throws ParseException {
        String fixEmptyAndTrim;
        Object search;
        String fixEmptyAndTrim2;
        if (expression == null) {
            return null;
        }
        if (map != null && (search = expression.search(map)) != null && (search instanceof String) && (fixEmptyAndTrim2 = Util.fixEmptyAndTrim((String) search)) != null) {
            return fixEmptyAndTrim2;
        }
        if (jwt == null || (fixEmptyAndTrim = Util.fixEmptyAndTrim(getStringField(jwt.getJWTClaimsSet().getClaims(), expression))) == null) {
            return null;
        }
        return fixEmptyAndTrim;
    }

    protected String getStringField(Object obj, Expression<Object> expression) {
        Object search;
        if (obj == null || expression == null || (search = expression.search(obj)) == null || (search instanceof Map) || (search instanceof List)) {
            return null;
        }
        return String.valueOf(search);
    }

    private List<GrantedAuthority> determineAuthorities(JWT jwt, Map<String, Object> map) throws ParseException {
        ArrayList arrayList = new ArrayList();
        arrayList.add(SecurityRealm.AUTHENTICATED_AUTHORITY2);
        if (this.groupsFieldExpr == null) {
            if (this.groupsFieldName == null) {
                LOGGER.fine("Not adding groups because groupsFieldName is not set. groupsFieldName=" + this.groupsFieldName);
            } else {
                LOGGER.fine("Not adding groups because groupsFieldName is invalid. groupsFieldName=" + this.groupsFieldName);
            }
            return arrayList;
        }
        Object search = map != null ? this.groupsFieldExpr.search(map) : null;
        if (search == null && jwt != null) {
            search = this.groupsFieldExpr.search(jwt.getJWTClaimsSet().getClaims());
        }
        if (search == null) {
            LOGGER.warning("idToken and userInfo did not contain group field name: " + this.groupsFieldName);
            return arrayList;
        }
        List<String> ensureString = ensureString(search);
        if (ensureString.isEmpty()) {
            LOGGER.warning("Could not identify groups in " + this.groupsFieldName + "=" + search.toString());
            return arrayList;
        }
        LOGGER.fine("Number of groups in groupNames: " + ensureString.size());
        for (String str : ensureString) {
            LOGGER.fine("Adding group from UserInfo: " + str);
            arrayList.add(new SimpleGrantedAuthority(str));
        }
        return arrayList;
    }

    private List<String> ensureString(Object obj) {
        if (obj == null) {
            LOGGER.warning("userInfo did not contain a valid group field content, got null");
            return Collections.emptyList();
        }
        if (obj instanceof String) {
            String[] split = ((String) obj).split("[\\s\\[\\],]");
            ArrayList arrayList = new ArrayList();
            for (String str : split) {
                if (str != null && !str.isEmpty()) {
                    arrayList.add(str);
                }
            }
            return arrayList;
        }
        if (!(obj instanceof List)) {
            try {
                return (List) obj;
            } catch (ClassCastException e) {
                LOGGER.warning("userInfo did not contain a valid group field content, got: " + obj.getClass().getSimpleName());
                return Collections.emptyList();
            }
        }
        ArrayList arrayList2 = new ArrayList();
        for (Object obj2 : (List) obj) {
            if (obj2 instanceof String) {
                arrayList2.add(obj2.toString());
            } else if (obj2 instanceof Map) {
                Map map = (Map) obj2;
                if (this.nestedGroupFieldName != null && map.keySet().contains(this.nestedGroupFieldName)) {
                    arrayList2.add((String) map.get(this.nestedGroupFieldName));
                }
            }
        }
        return arrayList2;
    }

    @Restricted({DoNotUse.class})
    public void doLogout(StaplerRequest staplerRequest, StaplerResponse staplerResponse) throws IOException, ServletException {
        User user = User.get2(SecurityContextHolder.getContext().getAuthentication());
        Assert.notNull(user, "User must not be null");
        OicCredentials oicCredentials = (OicCredentials) user.getProperty(OicCredentials.class);
        if (oicCredentials != null) {
            if (this.logoutFromOpenidProvider && this.serverConfiguration.toProviderMetadata().getEndSessionEndpointURI() != null) {
                user.addProperty(new OicCredentials(null, null, null, Long.valueOf(CLOCK.millis())));
            }
            staplerRequest.setAttribute(ID_TOKEN_REQUEST_ATTRIBUTE, oicCredentials.getIdToken());
        }
        super.doLogout(staplerRequest, staplerResponse);
    }

    public String getPostLogOutUrl2(StaplerRequest staplerRequest, Authentication authentication) {
        String maybeOpenIdLogoutEndpoint = maybeOpenIdLogoutEndpoint(Objects.toString(staplerRequest.getAttribute(ID_TOKEN_REQUEST_ATTRIBUTE), ""), Objects.toString(getStateAttribute(staplerRequest.getSession())), this.postLogoutRedirectUrl);
        return maybeOpenIdLogoutEndpoint != null ? maybeOpenIdLogoutEndpoint : getFinalLogoutUrl(staplerRequest, authentication);
    }

    @VisibleForTesting
    Object getStateAttribute(HttpSession httpSession) {
        OidcClient buildOidcClient = buildOidcClient();
        return buildOidcClient.getConfiguration().getValueRetriever().retrieve(buildOidcClient.getStateSessionAttributeName(), buildOidcClient, JEEContextFactory.INSTANCE.newContext(new Object[]{Stapler.getCurrentRequest(), Stapler.getCurrentResponse()}), JEESessionStoreFactory.INSTANCE.newSessionStore(new Object[0])).orElse(null);
    }

    @CheckForNull
    private String maybeOpenIdLogoutEndpoint(String str, String str2, String str3) {
        URI endSessionEndpointURI = this.serverConfiguration.toProviderMetadata().getEndSessionEndpointURI();
        if (!this.logoutFromOpenidProvider || endSessionEndpointURI == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(endSessionEndpointURI.toString());
        if (Strings.isNullOrEmpty(str)) {
            sb.append("?");
        } else {
            sb.append("?id_token_hint=").append(str).append("&");
        }
        sb.append("state=").append(str2);
        if (str3 != null) {
            sb.append("&post_logout_redirect_uri=").append(URLEncoder.encode(str3, StandardCharsets.UTF_8));
        }
        return sb.toString();
    }

    private String getFinalLogoutUrl(StaplerRequest staplerRequest, Authentication authentication) {
        return Jenkins.get().hasPermission(Jenkins.READ) ? super.getPostLogOutUrl2(staplerRequest, authentication) : staplerRequest.getContextPath() + "/OicLogout";
    }

    private String getRootUrl() {
        return this.rootURLFromRequest ? Jenkins.get().getRootUrlFromRequest() : Jenkins.get().getRootUrl();
    }

    private String ensureRootUrl() {
        String rootUrl = getRootUrl();
        if (rootUrl == null) {
            throw new NullPointerException("Jenkins root url must not be null");
        }
        return rootUrl;
    }

    private String buildOauthCommenceLogin() {
        return ensureRootUrl() + getLoginUrl();
    }

    private String buildOAuthRedirectUrl() throws NullPointerException {
        return ensureRootUrl() + "securityRealm/finishLogin";
    }

    public void doFinishLogin(StaplerRequest staplerRequest, StaplerResponse staplerResponse) throws IOException, ParseException {
        OidcClient buildOidcClient = buildOidcClient();
        JEEContext newContext = JEEContextFactory.INSTANCE.newContext(new Object[]{staplerRequest, staplerResponse});
        SessionStore newSessionStore = JEESessionStoreFactory.INSTANCE.newSessionStore(new Object[0]);
        try {
            if (!newSessionStore.renewSession(newContext)) {
                throw new TechnicalException("Could not create a new session");
            }
            OidcProfile oidcProfile = (OidcProfile) buildOidcClient.getProfileCreator().create((Credentials) buildOidcClient.getCredentials(newContext, newSessionStore).orElseThrow(() -> {
                return new Failure("Could not extract credentials from request");
            }), newContext, newSessionStore).orElseThrow(() -> {
                return new Failure("Could not build user profile");
            });
            AccessToken accessToken = oidcProfile.getAccessToken();
            JWT idToken = oidcProfile.getIdToken();
            RefreshToken refreshToken = oidcProfile.getRefreshToken();
            String determineStringField = determineStringField(this.userNameFieldExpr, idToken, oidcProfile.getAttributes());
            if (failedCheckOfTokenField(idToken)) {
                throw new FailedCheckOfTokenException(buildOidcClient.getConfiguration().findLogoutUrl());
            }
            loginAndSetUserData(determineStringField, idToken, oidcProfile.getAttributes(), new OicCredentials(accessToken == null ? null : accessToken.getValue(), idToken.getParsedString(), refreshToken != null ? refreshToken.getValue() : null, Long.valueOf(accessToken == null ? 0L : accessToken.getLifetime()), Long.valueOf(CLOCK.millis()), getAllowedTokenExpirationClockSkewSeconds()));
            staplerResponse.sendRedirect(302, (String) newSessionStore.get(newContext, SESSION_POST_LOGIN_REDIRECT_URL_KEY).orElse(Jenkins.get().getRootUrl()));
        } catch (HttpAction e) {
            JEEHttpActionAdapter.INSTANCE.adapt(e, newContext);
        }
    }

    public boolean handleTokenExpiration(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        OicCredentials oicCredentials;
        String header;
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (httpServletRequest.getRequestURI().endsWith("/logout") || authentication == null || (authentication instanceof AnonymousAuthenticationToken)) {
            return true;
        }
        User user = User.get2(authentication);
        if (isAllowTokenAccessWithoutOicSession() && (header = httpServletRequest.getHeader("Authorization")) != null && header.startsWith("Basic ")) {
            if (user.getProperty(ApiTokenProperty.class).matchesPassword(new String(Base64.getDecoder().decode(header.substring(6)), StandardCharsets.UTF_8).split(":")[1])) {
                return true;
            }
        }
        if (user == null || (oicCredentials = (OicCredentials) user.getProperty(OicCredentials.class)) == null || !isExpired(oicCredentials)) {
            return true;
        }
        if (this.serverConfiguration.toProviderMetadata().getGrantTypes() == null || !this.serverConfiguration.toProviderMetadata().getGrantTypes().contains(GrantType.REFRESH_TOKEN) || Strings.isNullOrEmpty(oicCredentials.getRefreshToken())) {
            if (isTokenExpirationCheckDisabled()) {
                return true;
            }
            redirectToLoginUrl(httpServletRequest, httpServletResponse);
            return false;
        }
        LOGGER.log(Level.FINEST, "Attempting to refresh credential for user: {0}", user.getId());
        boolean refreshExpiredToken = refreshExpiredToken(user.getId(), oicCredentials, httpServletRequest, httpServletResponse);
        LOGGER.log(Level.FINEST, "Refresh credential for user returned {0}", Boolean.valueOf(refreshExpiredToken));
        return refreshExpiredToken;
    }

    private void redirectToLoginUrl(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        if (httpServletRequest != null && (httpServletRequest.getSession(false) != null || Strings.isNullOrEmpty(httpServletRequest.getHeader("Authorization")))) {
            httpServletRequest.getSession().invalidate();
        }
        if (httpServletResponse != null) {
            httpServletResponse.sendRedirect(Jenkins.get().getSecurityRealm().getLoginUrl());
        }
    }

    public boolean isExpired(OicCredentials oicCredentials) {
        return oicCredentials.getExpiresAtMillis() != null && CLOCK.millis() >= oicCredentials.getExpiresAtMillis().longValue();
    }

    private boolean refreshExpiredToken(String str, OicCredentials oicCredentials, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        JEEContext newContext = JEEContextFactory.INSTANCE.newContext(new Object[]{httpServletRequest, httpServletResponse});
        SessionStore newSessionStore = JEESessionStoreFactory.INSTANCE.newSessionStore(new Object[0]);
        OidcClient buildOidcClient = buildOidcClient();
        buildOidcClient.getConfiguration().setUseNonce(!this.nonceDisabled && checkNonceInRefreshFlow);
        try {
            OidcProfile oidcProfile = new OidcProfile();
            oidcProfile.setAccessToken(new BearerAccessToken(oicCredentials.getAccessToken()));
            oidcProfile.setIdTokenString(oicCredentials.getIdToken());
            oidcProfile.setRefreshToken(new RefreshToken(oicCredentials.getRefreshToken()));
            OidcProfile oidcProfile2 = (OidcProfile) buildOidcClient.renewUserProfile(oidcProfile, newContext, newSessionStore).orElseThrow(() -> {
                return new IllegalStateException("Could not renew user profile");
            });
            AccessToken accessToken = oidcProfile2.getAccessToken();
            JWT jwt = (JWT) Objects.requireNonNullElse(oidcProfile2.getIdToken(), JWTParser.parse(oicCredentials.getIdToken()));
            RefreshToken refreshToken = (RefreshToken) Objects.requireNonNullElse(oidcProfile2.getRefreshToken(), new RefreshToken(oicCredentials.getRefreshToken()));
            String determineStringField = determineStringField(this.userNameFieldExpr, jwt, oidcProfile2.getAttributes());
            if (!User.idStrategy().equals(str, determineStringField)) {
                httpServletResponse.sendError(401, "User name was not the same after refresh request");
                return false;
            }
            if (LOGGER.isLoggable(Level.FINE)) {
                Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
                User user = User.get2(authentication);
                LOGGER.log(Level.FINE, "Token refresh.  Current Authentitcation principal: " + authentication.getName() + " user id:" + (user == null ? "null user" : user.getId()) + " newly retreived username would have been: " + determineStringField);
            }
            if (failedCheckOfTokenField(jwt)) {
                throw new FailedCheckOfTokenException(buildOidcClient.getConfiguration().findLogoutUrl());
            }
            loginAndSetUserData(str, jwt, oidcProfile2.getAttributes(), new OicCredentials(accessToken.getValue(), jwt.getParsedString(), refreshToken.getValue(), Long.valueOf(accessToken.getLifetime()), Long.valueOf(CLOCK.millis()), getAllowedTokenExpirationClockSkewSeconds()));
            return true;
        } catch (IllegalStateException e) {
            LOGGER.log(Level.WARNING, "Failed to refresh expired token, profile was null", (Throwable) e);
            httpServletResponse.sendError(401);
            return false;
        } catch (TechnicalException e2) {
            if (!StringUtils.contains(e2.getMessage(), "error=invalid_grant")) {
                LOGGER.log(Level.WARNING, "Failed to refresh expired token", e2);
                httpServletResponse.sendError(401, Messages.OicSecurityRealm_TokenRefreshFailure());
                return false;
            }
            if (isTokenExpirationCheckDisabled()) {
                LOGGER.log(Level.FINE, "Failed to refresh expired token because grant is invalid, proceeding as \"Token Expiration Check Disabled\" is set");
                return false;
            }
            LOGGER.log(Level.FINE, "Failed to refresh expired token", e2);
            redirectToLoginUrl(httpServletRequest, httpServletResponse);
            return false;
        } catch (ParseException e3) {
            LOGGER.log(Level.WARNING, "Failed to refresh expired token", (Throwable) e3);
            httpServletResponse.sendError(401, Messages.OicSecurityRealm_TokenRefreshFailure());
            return false;
        }
    }
}
