package org.conjur.jenkins.api;

import com.cloudbees.hudson.plugins.folder.AbstractFolder;
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.UsernamePasswordCredentials;
import hudson.model.AbstractItem;
import hudson.model.Item;
import hudson.model.ItemGroup;
import hudson.model.Job;
import hudson.model.ModelObject;
import hudson.model.Run;
import hudson.security.ACL;
import java.io.IOException;
import java.net.URLEncoder;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import okhttp3.MediaType;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.RequestBody;
import okhttp3.Response;
import org.conjur.jenkins.configuration.ConjurConfiguration;
import org.conjur.jenkins.configuration.ConjurJITJobProperty;
import org.conjur.jenkins.configuration.FolderConjurConfiguration;
import org.conjur.jenkins.configuration.GlobalConjurConfiguration;
import org.conjur.jenkins.jwtauth.impl.JwtToken;

/* loaded from: input_file:org/conjur/jenkins/api/ConjurAPI.class */
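/**
 * Static helpers that authenticate against a Conjur appliance and fetch secret values on behalf
 * of Jenkins items and builds.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Jenkins credentials are looked up as {@link ACL#SYSTEM}, i.e. without applying the
 *       permissions of the user who triggered the call.</li>
 *   <li>Connection settings and the API key fall back to {@code CONJUR_*} environment variables
 *       of the Jenkins process when they are not configured.</li>
 *   <li>Only status codes and HTTP reason phrases are logged on success; on a non-200 reply
 *       the response body is embedded in the thrown {@link IOException}.</li>
 * </ul>
 */
public class ConjurAPI {
    private static final Logger LOGGER = Logger.getLogger(ConjurAPI.class.getName());

    /**
     * Mutable holder for the values needed to build a Conjur authenticate request.
     * Every field may be {@code null} until it is resolved by {@link #getConjurAuthnInfo}.
     */
    public static class ConjurAuthnInfo {
        /** Base URL of the Conjur appliance; used as the prefix of every request URL. */
        public String applianceUrl;
        /** Authenticator path segment ({@code "authn"} or the JWT authenticator service id). */
        public String authnPath;
        /** Conjur account name. */
        public String account;
        /** Login (host/user id) for API-key authentication; {@code null} for JWT authentication. */
        public String login;
        /**
         * Request body sent to the authenticate endpoint: the API key, or {@code "jwt=<token>"}
         * for JWT authentication. This is a secret and must not be logged.
         */
        public String apiKey;
    }

    /** Returns the logger named after this class. */
    static Logger getLogger() {
        return Logger.getLogger(ConjurAPI.class.getName());
    }

    /**
     * Fills any still-unset connection field from the environment of the Jenkins process
     * ({@code CONJUR_APPLIANCE_URL}, {@code CONJUR_ACCOUNT}, {@code CONJUR_AUTHN_LOGIN},
     * {@code CONJUR_AUTHN_API_KEY}). Fields that already hold a value are left untouched.
     */
    private static void defaultToEnvironment(ConjurAuthnInfo conjurAuthnInfo) {
        // System.getenv() never maps a name to null, so get() == null means "not set".
        Map<String, String> env = System.getenv();
        if (conjurAuthnInfo.applianceUrl == null) {
            conjurAuthnInfo.applianceUrl = env.get("CONJUR_APPLIANCE_URL");
        }
        if (conjurAuthnInfo.account == null) {
            conjurAuthnInfo.account = env.get("CONJUR_ACCOUNT");
        }
        if (conjurAuthnInfo.login == null) {
            conjurAuthnInfo.login = env.get("CONJUR_AUTHN_LOGIN");
        }
        if (conjurAuthnInfo.apiKey == null) {
            conjurAuthnInfo.apiKey = env.get("CONJUR_AUTHN_API_KEY");
        }
    }

    /**
     * Authenticates against Conjur and returns the access token, Base64-encoded without padding.
     *
     * <p>API-key authentication is used when both a login and an API key were resolved;
     * otherwise JWT authentication is used when an authenticator path and a JWT body are
     * available. An authenticator path without a {@code '/'} is prefixed with
     * {@code "authn-jwt/"}.
     *
     * @param okHttpClient        client used to send the authenticate request
     * @param conjurConfiguration configuration to authenticate with; may be {@code null}
     * @param modelObject         build or item whose credential scope is searched in addition
     *                            to the global scope; may be {@code null}
     * @return the encoded token, or {@code null} when no usable credentials were found
     * @throws IOException if the request fails or Conjur answers with a status other than 200
     */
    public static String getAuthorizationToken(OkHttpClient okHttpClient, ConjurConfiguration conjurConfiguration, ModelObject modelObject) throws IOException {
        // NOTE(review): every lookup below runs as ACL.SYSTEM, so it is not restricted by the
        // permissions of the user who triggered this call. Presumably callers are expected to
        // have authorised access to modelObject beforehand - confirm against the call sites.
        List<UsernamePasswordCredentials> candidates = CredentialsProvider.lookupCredentials(UsernamePasswordCredentials.class, Jenkins.get(), ACL.SYSTEM, Collections.emptyList());
        if (modelObject instanceof Run) {
            candidates.addAll(CredentialsProvider.lookupCredentials(UsernamePasswordCredentials.class, ((Run<?, ?>) modelObject).getParent(), ACL.SYSTEM, Collections.emptyList()));
        } else if (modelObject instanceof AbstractItem) {
            // Guarded with instanceof: an unconditional cast here would throw ClassCastException
            // for any other ModelObject. Such contexts now fall back to global credentials only.
            candidates.addAll(CredentialsProvider.lookupCredentials(UsernamePasswordCredentials.class, (AbstractItem) modelObject, ACL.SYSTEM, Collections.emptyList()));
        }

        ConjurAuthnInfo authn = getConjurAuthnInfo(conjurConfiguration, candidates, modelObject);
        // NOTE(review): applianceUrl is used as-is; nothing visible here requires an https
        // scheme even though the request body carries the API key or JWT - confirm that the
        // configuration layer enforces TLS.
        Request request = null;
        if (authn.login != null && authn.apiKey != null) {
            LOGGER.log(Level.FINE, "Authenticating with Conjur (authn)");
            request = new Request.Builder().url(String.format("%s/%s/%s/%s/authenticate", authn.applianceUrl, authn.authnPath, authn.account, URLEncoder.encode(authn.login, "utf-8"))).post(RequestBody.create(MediaType.parse("text/plain"), authn.apiKey)).build();
        } else if (authn.authnPath != null && authn.apiKey != null) {
            String jwtPath = authn.authnPath.indexOf("/") == -1 ? "authn-jwt/" + authn.authnPath : authn.authnPath;
            LOGGER.log(Level.FINE, "Authenticating with Conjur (JWT) authnPath={0}", jwtPath);
            request = new Request.Builder().url(String.format("%s/%s/%s/authenticate", authn.applianceUrl, jwtPath, authn.account)).post(RequestBody.create(MediaType.parse("text/plain"), authn.apiKey)).build();
        }

        if (request == null) {
            LOGGER.log(Level.FINE, "Failed to find credentials for conjur authentication");
            return null;
        }

        // try-with-resources releases the connection on every path, including the error path.
        try (Response response = okHttpClient.newCall(request).execute()) {
            String encoded = Base64.getEncoder().withoutPadding().encodeToString(response.body().string().getBytes("UTF-8"));
            // Log only status code and reason phrase; the body is the access token on success.
            LOGGER.log(Level.FINEST, () -> "Conjur Authenticate response " + response.code() + " - " + response.message());
            if (response.code() != 200) {
                throw new IOException("Error authenticating to Conjur [" + response.code() + " - " + response.message() + "\n" + encoded);
            }
            return encoded;
        }
    }

    /**
     * Resolves the authentication settings for a Conjur request.
     *
     * <p>Resolution order: the Jenkins credential referenced by the configuration (when a
     * credential list is supplied), the appliance URL and account from the configuration, then
     * environment variables for anything still unset. When neither a login nor an API key was
     * found and a context object is given, JWT authentication is set up instead.
     *
     * @param conjurConfiguration configuration to read from; may be {@code null}
     * @param list                credentials to search for the configured credential id; may be
     *                            {@code null} to skip the lookup
     * @param modelObject         context used to obtain a JWT; may be {@code null}
     * @return a freshly created holder; individual fields may remain {@code null}
     */
    public static ConjurAuthnInfo getConjurAuthnInfo(ConjurConfiguration conjurConfiguration, List<UsernamePasswordCredentials> list, ModelObject modelObject) {
        ConjurAuthnInfo resolved = new ConjurAuthnInfo();
        if (conjurConfiguration != null) {
            if (list != null) {
                initializeWithCredential(resolved, conjurConfiguration.getCredentialID(), list);
            }
            String applianceURL = conjurConfiguration.getApplianceURL();
            if (applianceURL != null && !applianceURL.isEmpty()) {
                resolved.applianceUrl = applianceURL;
            }
            String account = conjurConfiguration.getAccount();
            if (account != null && !account.isEmpty()) {
                resolved.account = account;
            }
            resolved.authnPath = "authn";
        }
        defaultToEnvironment(resolved);
        // JWT is only a fallback: it is tried when no login and no API key were resolved at all.
        if (resolved.login == null && resolved.apiKey == null && modelObject != null) {
            setConjurAuthnForJITCredentialAccess(modelObject, resolved);
        }
        return resolved;
    }

    /**
     * Switches the holder to JWT authentication: clears the login, takes the authenticator
     * path from the global configuration and stores {@code "jwt=<token>"} as the request body.
     * Does nothing when no token or no global configuration is available.
     */
    private static void setConjurAuthnForJITCredentialAccess(ModelObject modelObject, ConjurAuthnInfo conjurAuthnInfo) {
        String token = JwtToken.getToken(modelObject);
        GlobalConjurConfiguration globalConfig = (GlobalConjurConfiguration) GlobalConfiguration.all().get(GlobalConjurConfiguration.class);
        if (token == null || globalConfig == null) {
            return;
        }
        conjurAuthnInfo.login = null;
        conjurAuthnInfo.authnPath = globalConfig.getAuthWebServiceId();
        conjurAuthnInfo.apiKey = "jwt=" + token;
    }

    /**
     * Fetches the value of a Conjur variable.
     *
     * @param okHttpClient        client used to send the request
     * @param conjurConfiguration configuration providing appliance URL and account; may be
     *                            {@code null}, in which case environment variables are used
     * @param str                 encoded access token, sent in the {@code Authorization} header
     * @param str2                variable path, appended to the request URL
     * @return the response body, i.e. the secret value
     * @throws IOException if the request fails or Conjur answers with a status other than 200
     */
    public static String getSecret(OkHttpClient okHttpClient, ConjurConfiguration conjurConfiguration, String str, String str2) throws IOException {
        ConjurAuthnInfo authn = getConjurAuthnInfo(conjurConfiguration, null, null);
        LOGGER.log(Level.FINEST, "Fetching secret from Conjur");
        // NOTE(review): str2 is placed into the URL without encoding or validation. If the
        // variable path can come from job-level input, confirm it is constrained upstream so
        // it cannot add query or path components to the request.
        Request request = new Request.Builder().url(String.format("%s/secrets/%s/variable/%s", authn.applianceUrl, authn.account, str2)).get().addHeader("Authorization", "Token token=\"" + str + "\"").build();
        // try-with-resources releases the connection on every path, including the error path.
        try (Response response = okHttpClient.newCall(request).execute()) {
            String body = response.body().string();
            // The secret value itself is never logged, only the variable path and the status.
            LOGGER.log(Level.FINEST, () -> "Fetch secret [" + str2 + "] from Conjur response " + response.code() + " - " + response.message());
            if (response.code() != 200) {
                throw new IOException("Error fetching secret from Conjur [" + response.code() + " - " + response.message() + "\n" + body);
            }
            return body;
        }
    }

    /**
     * Logs appliance URL, account and credential id of the given configuration at
     * {@code FINEST} and returns the configuration unchanged. A {@code null} argument is
     * returned as-is without logging.
     */
    public static ConjurConfiguration logConjurConfiguration(ConjurConfiguration conjurConfiguration) {
        if (conjurConfiguration == null) {
            return conjurConfiguration;
        }
        LOGGER.log(Level.FINEST, "Conjur configuration provided");
        LOGGER.log(Level.FINEST, "Conjur Configuration Appliance Url: " + conjurConfiguration.getApplianceURL());
        LOGGER.log(Level.FINEST, "Conjur Configuration Account: " + conjurConfiguration.getAccount());
        // Only the credential id is logged, never the credential's secret part.
        LOGGER.log(Level.FINEST, "Conjur Configuration credential ID: " + conjurConfiguration.getCredentialID());
        return conjurConfiguration;
    }

    /**
     * Copies username and password of the Jenkins credential with id {@code str} into the
     * holder as login and API key. Does nothing when the id is blank or no credential matches.
     */
    private static void initializeWithCredential(ConjurAuthnInfo conjurAuthnInfo, String str, List<UsernamePasswordCredentials> list) {
        if (str == null || str.isEmpty()) {
            return;
        }
        LOGGER.log(Level.FINEST, "Retrieving Conjur credential stored in Jenkins");
        UsernamePasswordCredentials match = CredentialsMatchers.firstOrNull(list, CredentialsMatchers.withId(str));
        if (match != null) {
            conjurAuthnInfo.login = match.getUsername();
            // The plain-text API key leaves the Secret wrapper here; keep it out of logs.
            conjurAuthnInfo.apiKey = match.getPassword().getPlainText();
        }
    }

    /**
     * Selects the Conjur configuration that applies to a context.
     *
     * <p>The first non-null argument is the effective context. Without a context the global
     * configuration is returned. For a build whose job property does not inherit from its
     * parent, the job's own configuration is returned. Otherwise the nearest enclosing folder
     * that does not inherit wins, and the global configuration is the final fallback.
     *
     * @param modelObject  preferred context; may be {@code null}
     * @param modelObject2 context used when {@code modelObject} is {@code null}
     * @return the selected configuration (also logged at {@code FINEST})
     */
    public static ConjurConfiguration getConfigurationFromContext(ModelObject modelObject, ModelObject modelObject2) {
        ModelObject context = modelObject != null ? modelObject : modelObject2;
        Item owner = null;
        ConjurJITJobProperty jobProperty = null;
        if (context instanceof Run) {
            Run<?, ?> run = (Run<?, ?>) context;
            jobProperty = (ConjurJITJobProperty) run.getParent().getProperty(ConjurJITJobProperty.class);
            owner = run.getParent();
        } else if (context instanceof AbstractItem) {
            owner = (Item) context;
        }
        ConjurConfiguration globalConfiguration = GlobalConjurConfiguration.get().getConjurConfiguration();
        if (context == null) {
            return logConjurConfiguration(globalConfiguration);
        }
        if (jobProperty != null && !jobProperty.getInheritFromParent().booleanValue()) {
            return logConjurConfiguration(jobProperty.getConjurConfiguration());
        }
        // owner stays null for a context that is neither a Run nor an AbstractItem; the folder
        // walk tolerates that and the global configuration is used.
        ConjurConfiguration inherited = inheritedConjurConfiguration(owner);
        return logConjurConfiguration(inherited != null ? inherited : globalConfiguration);
    }

    /**
     * Walks up the chain of enclosing folders and returns the configuration of the first
     * folder whose Conjur property does not inherit from its parent.
     *
     * @param item item to start from; {@code null} yields {@code null}
     * @return the folder-level configuration, or {@code null} when the walk reaches a parent
     *         that is not a folder without finding one
     */
    private static ConjurConfiguration inheritedConjurConfiguration(Item item) {
        if (item == null) {
            // Previously dereferenced unconditionally, which failed for unsupported contexts.
            return null;
        }
        ItemGroup<?> group = item.getParent();
        while (group instanceof AbstractFolder) {
            AbstractFolder<?> folder = (AbstractFolder<?>) group;
            FolderConjurConfiguration folderConfiguration = (FolderConjurConfiguration) folder.getProperties().get(FolderConjurConfiguration.class);
            if (folderConfiguration != null && !folderConfiguration.getInheritFromParent().booleanValue()) {
                return folderConfiguration.getConjurConfiguration();
            }
            group = folder.getParent();
        }
        return null;
    }

    /** Not instantiable: this class only exposes static helpers. */
    private ConjurAPI() {
    }
}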
