package io.alauda.jenkins.plugins.credentials;

import com.cloudbees.plugins.credentials.Credentials;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.CredentialsStore;
import com.cloudbees.plugins.credentials.common.IdCredentials;
import hudson.Extension;
import hudson.ExtensionList;
import hudson.model.ItemGroup;
import hudson.model.ModelObject;
import hudson.security.ACL;
import io.alauda.jenkins.devops.support.KubernetesCluster;
import io.alauda.jenkins.devops.support.KubernetesClusterConfiguration;
import io.alauda.jenkins.devops.support.KubernetesClusterConfigurationListener;
import io.alauda.jenkins.plugins.credentials.convertor.CredentialsConversionException;
import io.alauda.jenkins.plugins.credentials.convertor.SecretToCredentialConverter;
import io.alauda.jenkins.plugins.credentials.metadata.CredentialsWithMetadata;
import io.alauda.jenkins.plugins.credentials.metadata.MetadataProvider;
import io.alauda.jenkins.plugins.credentials.rule.KubernetesSecretRule;
import io.alauda.jenkins.plugins.credentials.scope.JenkinsRootScope;
import io.alauda.jenkins.plugins.credentials.scope.KubernetesSecretScope;
import io.kubernetes.client.ApiClient;
import io.kubernetes.client.Configuration;
import io.kubernetes.client.ProgressRequestBody;
import io.kubernetes.client.ProgressResponseBody;
import io.kubernetes.client.apis.CoreV1Api;
import io.kubernetes.client.extended.controller.ControllerManager;
import io.kubernetes.client.extended.controller.builder.ControllerBuilder;
import io.kubernetes.client.extended.controller.builder.ControllerManagerBuilder;
import io.kubernetes.client.extended.controller.reconciler.Reconciler;
import io.kubernetes.client.extended.controller.reconciler.Request;
import io.kubernetes.client.extended.controller.reconciler.Result;
import io.kubernetes.client.informer.SharedInformerFactory;
import io.kubernetes.client.informer.cache.Lister;
import io.kubernetes.client.models.V1ObjectMeta;
import io.kubernetes.client.models.V1Secret;
import io.kubernetes.client.models.V1SecretList;
import java.time.LocalDateTime;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import javax.annotation.Nonnull;
import jenkins.model.Jenkins;
import org.acegisecurity.Authentication;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

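/**
 * Jenkins credentials provider that serves credentials converted from Kubernetes Secrets.
 *
 * <p>A controller lists and watches Secrets in all namespaces (narrowed by the configured label
 * selector), converts each Secret to a Jenkins credential and stores it in an in-memory map keyed
 * by credential id. Lookups are answered from that map only; no API call is made per lookup.
 *
 * <p>Access control: {@link #getCredentials} and {@link #getCredentialsWithinScope} return
 * credentials only when the supplied authentication equals {@link ACL#SYSTEM}; any other
 * authentication receives an empty list.
 *
 * <p>Least privilege: the watch is issued with {@code listSecretForAllNamespacesCall}, so the
 * identity behind the API client needs list/watch on Secrets cluster-wide. The label selector
 * limits what is cached here, not what that identity is permitted to read.
 *
 * <p>NOTE(review): {@code onConfigChange} and {@code shutDown} mutate the controller fields
 * without synchronization; confirm the configuration listener callbacks are serialized by the
 * caller.
 */
@Extension
/* loaded from: input_file:WEB-INF/lib/alauda-devops-credentials-provider.jar:io/alauda/jenkins/plugins/credentials/KubernetesCredentialsProvider.class */
public class KubernetesCredentialsProvider extends CredentialsProvider implements KubernetesClusterConfigurationListener {
    private static final Logger logger = LoggerFactory.getLogger(KubernetesCredentialsProvider.class);
    private static final String CONTROLLER_NAME = "SecretController";

    // Cache of converted Secrets, keyed by credential id. Written by reconciler workers, read by lookups.
    private final ConcurrentHashMap<String, CredentialsWithMetadata> credentials = new ConcurrentHashMap<>();
    private ControllerManager controllerManager;
    private ExecutorService controllerManagerThread;
    // Written from informer callbacks and read through the getter, so it must be visible across threads.
    private volatile LocalDateTime lastEventComingTime;

    /**
     * Reconciler that mirrors one Secret into (or out of) the credentials cache per request.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/lib/alauda-devops-credentials-provider.jar:io/alauda/jenkins/plugins/credentials/KubernetesCredentialsProvider$SecretReconciler.class */
    public class SecretReconciler implements Reconciler {
        private Lister<V1Secret> secretLister;

        /**
         * @param lister informer-backed lister used to read the current state of a Secret
         */
        public SecretReconciler(Lister<V1Secret> lister) {
            this.secretLister = lister;
        }

        /**
         * Brings the cache entry for the requested Secret in line with the informer's local store.
         *
         * <p>A Secret that is gone from the store is evicted. A Secret that is present but is now
         * excluded by {@link KubernetesSecretRule}, has no converter, or fails conversion is also
         * evicted, so an earlier version of it does not stay usable as a credential.
         *
         * @param request namespace and name of the Secret to reconcile
         * @return always {@code new Result(false)}; the request is never requeued
         */
        public Result reconcile(Request request) {
            String namespace = request.getNamespace();
            String name = request.getName();
            V1Secret secret = this.secretLister.namespace(namespace).get(name);
            if (secret == null) {
                logger.debug("[{}] Unable to get Secret '{}/{}' from local list, will remove it", getControllerName(), namespace, name);
                removeCachedCredential(SecretUtils.getCredentialId(new V1ObjectMeta().namespace(namespace).name(name)));
                return new Result(false);
            }
            IdCredentials converted = convertSecret(secret);
            if (converted == null) {
                // Fail closed: drop whatever was cached for this Secret instead of serving a stale copy.
                // Uses the same id derivation as the deletion path above.
                removeCachedCredential(SecretUtils.getCredentialId(secret.getMetadata()));
                return new Result(false);
            }
            logger.debug("Secret Added - {}", converted.getId());
            credentials.put(converted.getId(), addMetadataToCredentials(secret, converted));
            return new Result(false);
        }

        /**
         * @return the fixed controller name used in log messages
         */
        public String getControllerName() {
            return KubernetesCredentialsProvider.CONTROLLER_NAME;
        }
    }

    /**
     * Stops any running controller and starts a new one that watches Secrets in all namespaces.
     *
     * <p>NOTE(review): neither parameter is read here; the informer factory and {@code CoreV1Api}
     * are created with their no-argument constructors. Confirm that the default API client is the
     * one the caller has just configured.
     *
     * @param kubernetesCluster the cluster configuration that changed (unused)
     * @param apiClient the client built for that cluster (unused)
     */
    public void onConfigChange(KubernetesCluster kubernetesCluster, ApiClient apiClient) {
        shutDown(null);
        SharedInformerFactory sharedInformerFactory = new SharedInformerFactory();
        ControllerManagerBuilder controllerManagerBuilder = ControllerBuilder.controllerManagerBuilder(sharedInformerFactory);
        String labelSelector = KubernetesCredentialsProviderConfiguration.get().getLabelSelector();
        CoreV1Api coreV1Api = new CoreV1Api();
        ControllerManager manager = controllerManagerBuilder
            .addController(
                ControllerBuilder.defaultBuilder(sharedInformerFactory)
                    .watch(workQueue ->
                        ControllerBuilder.controllerWatchBuilder(V1Secret.class, workQueue)
                            .withWorkQueueKeyFunc(secret ->
                                new Request(secret.getMetadata().getNamespace(), secret.getMetadata().getName()))
                            .withOnAddFilter(added -> {
                                logger.debug("[{}] receives event: Add; Secret '{}/{}'", CONTROLLER_NAME, added.getMetadata().getNamespace(), added.getMetadata().getName());
                                return true;
                            })
                            .withOnUpdateFilter((oldSecret, newSecret) -> {
                                logger.debug("[{}] receives event: Update; Secret '{}/{}'", CONTROLLER_NAME, oldSecret.getMetadata().getNamespace(), oldSecret.getMetadata().getName());
                                // NOTE(review): only Update events refresh this timestamp; confirm Add/Delete are meant to be excluded.
                                this.lastEventComingTime = LocalDateTime.now();
                                return true;
                            })
                            .withOnDeleteFilter((deleted, stateUnknown) -> {
                                logger.debug("[{}] receives event: Delete; Secret '{}/{}'", CONTROLLER_NAME, deleted.getMetadata().getNamespace(), deleted.getMetadata().getName());
                                return true;
                            })
                            .build())
                    .withReconciler(new SecretReconciler(new Lister<>(
                        sharedInformerFactory.sharedIndexInformerFor(
                            params -> coreV1Api.listSecretForAllNamespacesCall((String) null, (String) null, labelSelector, (Integer) null, (String) null, params.resourceVersion, params.timeoutSeconds, params.watch, (ProgressResponseBody.ProgressListener) null, (ProgressRequestBody.ProgressRequestListener) null),
                            V1Secret.class,
                            V1SecretList.class).getIndexer())))
                    .withName(CONTROLLER_NAME)
                    .withWorkerCount(4)
                    .build())
            .build();
        ExecutorService executor = Executors.newSingleThreadExecutor();
        this.controllerManager = manager;
        this.controllerManagerThread = executor;
        // Bind the task to the manager built above. Reading the field when the task runs could hit
        // null (after a shutDown) or a manager created by a later configuration change.
        executor.submit(manager::run);
    }

    /**
     * Stops the controller after a cluster configuration error.
     *
     * @param kubernetesCluster the cluster whose configuration failed (unused)
     * @param th the error that caused the stop
     */
    public void onConfigError(KubernetesCluster kubernetesCluster, Throwable th) {
        shutDown(th);
    }

    /**
     * Shuts down the controller manager and its executor, then logs why.
     *
     * <p>NOTE(review): the credentials cache is not cleared here. Entries for Secrets that are
     * deleted while the watch is stopped, or that belonged to a previous cluster or label
     * selector, stay available until a reconcile for the same namespace/name evicts them.
     * Confirm that retaining them is intended.
     *
     * @param th the cause of the stop, or {@code null} when stopped without an error
     */
    private void shutDown(Throwable th) {
        ControllerManager manager = this.controllerManager;
        if (manager != null) {
            manager.shutdown();
            this.controllerManager = null;
        }
        ExecutorService executor = this.controllerManagerThread;
        if (executor != null && !executor.isShutdown()) {
            executor.shutdown();
        }
        if (th != null) {
            // Pass the throwable as the trailing argument so the stack trace is kept, not just the message.
            logger.error("Alauda DevOps Credentials Provider is stopped, reason {}", th.getMessage(), th);
        } else {
            logger.error("Alauda DevOps Credentials Provider is stopped, reason is null, might be stopped by user");
        }
    }

    /**
     * @return the time of the most recent Secret update event, or {@code null} if none was seen
     */
    public LocalDateTime getLastEventComingTime() {
        return this.lastEventComingTime;
    }

    /**
     * Returns cached credentials of the requested type that are visible to the item group.
     *
     * <p>Only {@link ACL#SYSTEM} receives credentials. When the Jenkins root scope is not among
     * the scopes matched for {@code itemGroup}, credentials that the root scope would show for the
     * Jenkins instance are appended as well.
     *
     * @param cls credential type to return
     * @param itemGroup context of the lookup
     * @param authentication caller identity; anything other than {@code ACL.SYSTEM} yields an empty list
     * @return matching credentials, never {@code null}
     */
    @Nonnull
    public <C extends Credentials> List<C> getCredentials(@Nonnull Class<C> cls, ItemGroup itemGroup, Authentication authentication) {
        logger.debug("getCredentials called with type {} and authentication {}", cls.getName(), authentication);
        if (!ACL.SYSTEM.equals(authentication)) {
            return Collections.emptyList();
        }
        List<C> visible = getCredentialsWithinScope(cls, itemGroup, authentication);
        boolean rootScopeMatched = KubernetesSecretScope.matchedScopes(itemGroup).stream()
            .anyMatch(scope -> scope.getClass().equals(JenkinsRootScope.class));
        if (rootScopeMatched) {
            return visible;
        }
        JenkinsRootScope rootScope = ExtensionList.lookup(JenkinsRootScope.class).get(0);
        this.credentials.forEach((id, cached) -> {
            if (rootScope.shouldShowInScope(Jenkins.getInstance(), cached) && cls.isAssignableFrom(cached.getCredentials().getClass())) {
                C candidate = cls.cast(cached.getCredentials());
                if (!visible.contains(candidate)) {
                    visible.add(candidate);
                }
            }
        });
        return visible;
    }

    /**
     * Returns cached credentials of the requested type that at least one scope matched for the
     * item group is willing to show.
     *
     * @param cls credential type to return
     * @param itemGroup context of the lookup
     * @param authentication caller identity; anything other than {@code ACL.SYSTEM} yields an empty list
     * @return a new mutable list of matching credentials, or an immutable empty list for non-SYSTEM callers
     */
    public <C extends Credentials> List<C> getCredentialsWithinScope(@Nonnull Class<C> cls, ItemGroup itemGroup, Authentication authentication) {
        logger.debug("getCredentials called with type {} and authentication {}", cls.getName(), authentication);
        if (!ACL.SYSTEM.equals(authentication)) {
            return Collections.emptyList();
        }
        List<C> matched = new ArrayList<>();
        HashSet<String> seenIds = new HashSet<>();
        List<KubernetesSecretScope> matchedScopes = KubernetesSecretScope.matchedScopes(itemGroup);
        this.credentials.forEach((id, cached) -> {
            boolean inScope = matchedScopes.stream().anyMatch(scope -> scope.shouldShowInScope(itemGroup, cached));
            if (inScope && cls.isAssignableFrom(cached.getCredentials().getClass()) && seenIds.add(id)) {
                matched.add(cls.cast(cached.getCredentials()));
            }
        });
        return matched;
    }

    /**
     * Wraps a converted credential and lets every registered metadata provider attach to it.
     *
     * @param v1Secret the Secret the credential was converted from
     * @param idCredentials the converted credential
     * @return the credential together with its attached metadata
     */
    /* JADX INFO: Access modifiers changed from: private */
    public CredentialsWithMetadata addMetadataToCredentials(V1Secret v1Secret, IdCredentials idCredentials) {
        CredentialsWithMetadata wrapped = new CredentialsWithMetadata(idCredentials);
        MetadataProvider.all().forEach(provider -> provider.attach(v1Secret, wrapped));
        return wrapped;
    }

    /**
     * Converts a Secret to a Jenkins credential.
     *
     * @param v1Secret the Secret to convert
     * @return the credential, or {@code null} when the Secret is excluded by rule, no converter is
     *     registered for its type, or conversion fails
     */
    /* JADX INFO: Access modifiers changed from: private */
    public IdCredentials convertSecret(V1Secret v1Secret) {
        if (KubernetesSecretRule.shouldExclude(v1Secret)) {
            return null;
        }
        String secretType = getSecretType(v1Secret);
        SecretToCredentialConverter converter = SecretToCredentialConverter.lookup(secretType);
        if (converter == null) {
            return null;
        }
        try {
            // NOTE(review): mo3convert looks like a decompiler-assigned method name; confirm against the converter class.
            return converter.mo3convert(v1Secret);
        } catch (CredentialsConversionException e) {
            logger.debug("Failed to convert Secret '" + SecretUtils.getCredentialId(v1Secret) + "' of type " + secretType, e);
            return null;
        }
    }

    /** Returns the Secret's {@code type} field. */
    private String getSecretType(V1Secret v1Secret) {
        return v1Secret.getType();
    }

    /** Removes the cache entry for the given credential id, logging only when one was present. */
    private void removeCachedCredential(String credentialId) {
        if (this.credentials.remove(credentialId) != null) {
            logger.debug("Secret Deleted - {}", credentialId);
        }
    }

    /**
     * Returns a credentials store for item groups that have at least one matching Secret scope.
     *
     * @param modelObject the object a store is requested for
     * @return a store bound to the item group, or {@code null} if the object is not an
     *     {@link ItemGroup} or no scope matches it
     */
    public CredentialsStore getStore(ModelObject modelObject) {
        if (!(modelObject instanceof ItemGroup)) {
            return null;
        }
        ItemGroup itemGroup = (ItemGroup) modelObject;
        return KubernetesSecretScope.hasMatchedScope(itemGroup)
            ? new AlaudaKubernetesCredentialsStore(this, itemGroup)
            : null;
    }

    /** @return the provider's display name */
    @Nonnull
    public String getDisplayName() {
        return "Alauda DevOps Credentials Provider";
    }

    /** @return the icon class name used for this provider's store */
    public String getIconClassName() {
        return "icon-credentials-alauda-store";
    }

    /**
     * Restarts the Secret controller using the currently configured cluster and the default API
     * client.
     */
    public void restart() {
        onConfigChange(KubernetesClusterConfiguration.get().getCluster(), Configuration.getDefaultApiClient());
    }
}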
