package org.conjur.jenkins.credentials;

import com.cloudbees.hudson.plugins.folder.AbstractFolder;
import com.cloudbees.plugins.credentials.Credentials;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.CredentialsStore;
import com.cloudbees.plugins.credentials.CredentialsStoreAction;
import com.cloudbees.plugins.credentials.domains.Domain;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.Nullable;
import hudson.model.Hudson;
import hudson.model.Item;
import hudson.model.ItemGroup;
import hudson.model.ModelObject;
import hudson.security.Permission;
import java.util.Collections;
import java.util.List;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Level;
import java.util.logging.Logger;
import jenkins.model.Jenkins;
import org.conjur.jenkins.api.ConjurAPI;
import org.jenkins.ui.icon.Icon;
import org.jenkins.ui.icon.IconSet;
import org.jenkins.ui.icon.IconType;
import org.kohsuke.stapler.Stapler;
import org.kohsuke.stapler.export.ExportedBean;
import org.springframework.security.core.Authentication;

/* loaded from: input_file:org/conjur/jenkins/credentials/ConjurCredentialStore.class */
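/**
 * Read-only {@link CredentialsStore} that exposes credentials served by
 * {@link ConjurCredentialProvider} for one Jenkins context (the Jenkins root, a folder or an item).
 *
 * <p>The store never writes to Conjur: add, remove and update all throw
 * {@link UnsupportedOperationException}. Reads are gated by {@link #hasPermission2} and by a check that
 * the item being browsed lives at or below this store's context.
 */
public class ConjurCredentialStore extends CredentialsStore {
    private static final String DISPLAY_NAME = "Conjur Credential Storage";
    private static final Logger LOGGER = Logger.getLogger(ConjurCredentialStore.class.getName());

    /** Process-wide registry of stores, keyed by a caller-chosen string. */
    private static final ConcurrentHashMap<String, ConjurCredentialStore> allStores = new ConcurrentHashMap<>();

    private final ConjurCredentialProvider provider;
    private final ModelObject context;
    private final ConjurCredentialStoreAction action;

    /** UI action that renders this store in the Jenkins credentials views. */
    @ExportedBean
    public static class ConjurCredentialStoreAction extends CredentialsStoreAction {
        private static final String ICON_CLASS = "icon-conjur-credentials-store";
        private static final String DISPLAY_NAME = "Conjur Credential Store";
        private final ConjurCredentialStore store;
        private final ModelObject context;

        private ConjurCredentialStoreAction(ConjurCredentialStore conjurCredentialStore, ModelObject modelObject) {
            this.store = conjurCredentialStore;
            this.context = modelObject;
            addIcons();
        }

        /** Registers the store icon with the shared icon set in the four sizes sm, md, lg and xlg. */
        private void addIcons() {
            IconSet.icons.addIcon(new Icon("icon-conjur-credentials-store icon-sm", "conjur-credentials/images/conjur-credential-store-sm.png", "width: 16px; height: 16px;", IconType.PLUGIN));
            IconSet.icons.addIcon(new Icon("icon-conjur-credentials-store icon-md", "conjur-credentials/images/conjur-credential-store-md.png", "width: 24px; height: 24px;", IconType.PLUGIN));
            IconSet.icons.addIcon(new Icon("icon-conjur-credentials-store icon-lg", "conjur-credentials/images/conjur-credential-store-lg.png", "width: 32px; height: 32px;", IconType.PLUGIN));
            IconSet.icons.addIcon(new Icon("icon-conjur-credentials-store icon-xlg", "conjur-credentials/images/conjur-credential-store-xlg.png", "width: 48px; height: 48px;", IconType.PLUGIN));
        }

        /**
         * Returns the store this action belongs to.
         *
         * <p>The decompiler renamed this method from {@code getStore} when it merged it with its bridge
         * method; the name is kept as it appears in this listing.
         */
        @NonNull
        public ConjurCredentialStore m17getStore() {
            return this.store;
        }

        /** Returns the icon path, or {@code null} when the action is not visible to the caller. */
        public String getIconFileName() {
            return isVisible() ? "/plugin/conjur-credentials/images/conjur-credential-store-lg.png" : null;
        }

        /** Returns the icon CSS class, or {@code null} when the action is not visible to the caller. */
        public String getIconClassName() {
            return isVisible() ? ICON_CLASS : null;
        }

        public String getDisplayName() {
            return DISPLAY_NAME;
        }
    }

    /**
     * Creates a store bound to one Jenkins context.
     *
     * @param conjurCredentialProvider provider that resolves the credentials
     * @param modelObject context the store is attached to
     */
    public ConjurCredentialStore(ConjurCredentialProvider conjurCredentialProvider, ModelObject modelObject) {
        super(ConjurCredentialProvider.class);
        this.provider = conjurCredentialProvider;
        this.context = modelObject;
        this.action = new ConjurCredentialStoreAction(this, modelObject);
    }

    /** Registers {@code conjurCredentialStore} under {@code str}, replacing any earlier entry. */
    public static void putCredentialStore(String str, ConjurCredentialStore conjurCredentialStore) {
        allStores.put(str, conjurCredentialStore);
    }

    /** Returns the store registered under {@code str}, or {@code null} if there is none. */
    public static ConjurCredentialStore getCredentialStore(String str) {
        return allStores.get(str);
    }

    /** Returns whether a store is registered under {@code str}. */
    public static boolean isStoreContainsKey(String str) {
        return allStores.containsKey(str);
    }

    @NonNull
    public ModelObject getContext() {
        return this.context;
    }

    /**
     * Decides whether {@code authentication} may use {@code permission} on this store.
     *
     * <p>Only {@link CredentialsProvider#VIEW} can ever be granted; every other permission is refused,
     * which matches the store being read-only. VIEW is granted to users holding Jenkins ADMINISTER or
     * VIEW on the Jenkins root ACL, and otherwise to users holding VIEW on the item of the current
     * request. With no current request or no item in it, the check fails closed.
     *
     * @param authentication identity to check
     * @param permission permission being requested
     * @return {@code true} when the permission is VIEW and the identity passes one of the checks above
     */
    public boolean hasPermission2(@NonNull Authentication authentication, @NonNull Permission permission) {
        LOGGER.log(Level.FINEST, "Conjur CredentialStore hasPermission() ");
        boolean isAdmin = Jenkins.get().getACL().hasPermission2(authentication, Jenkins.ADMINISTER);
        boolean canViewGlobally = Jenkins.get().getACL().hasPermission2(authentication, CredentialsProvider.VIEW);
        LOGGER.log(Level.FINEST, String.format("Checking permissions for the user: %s admin %s credview %s",
                authentication.getName(), yesNo(isAdmin), yesNo(canViewGlobally)));
        if (!CredentialsProvider.VIEW.equals(permission)) {
            return false;
        }
        if (isAdmin || canViewGlobally) {
            return true;
        }
        // NOTE(review): the fallback consults the ACL of the item in the current request, not the ACL
        // of this store's own context; getCredentials() is what ties the two together. Confirm that
        // no other caller relies on this method alone.
        Item item = currentRequestItem();
        if (item == null) {
            LOGGER.log(Level.WARNING, "Unable to determine the current item for permission check ");
            return false;
        }
        LOGGER.log(Level.FINEST, String.format("Current item: %s", item.getFullName()));
        boolean canViewItem = item.getACL().hasPermission2(authentication, CredentialsProvider.VIEW);
        LOGGER.log(Level.FINEST, String.format("Non-admin user for the current Jenkins item: %s - %s",
                item.getFullName(), yesNo(canViewItem)));
        return canViewItem;
    }

    public String getDisplayName() {
        return DISPLAY_NAME;
    }

    /**
     * Lists the credentials this store exposes to the current user for the current request.
     *
     * <p>Returns an empty list when the user lacks VIEW, when the requested item is outside this
     * store's context path, or when inheritance is switched off on the item or on any enclosing
     * folder. A root-level store, or a call with no item in the request, yields the global
     * credentials; that branch is only reachable for users holding ADMINISTER or VIEW on the Jenkins
     * root, because {@link #hasPermission2} refuses everyone else when there is no item.
     *
     * @param domain ignored by this store
     * @return the visible credentials, never {@code null}
     */
    @NonNull
    public List<Credentials> getCredentials(@NonNull Domain domain) {
        Authentication authentication = Jenkins.getAuthentication2();
        if (!hasPermission2(authentication, CredentialsProvider.VIEW)) {
            LOGGER.log(Level.FINEST, String.format("User: %s does not have permission to view credentials.", authentication.getName()));
            return Collections.emptyList();
        }
        Item currentItem = currentRequestItem();
        if ((this.context instanceof Hudson) || currentItem == null) {
            LOGGER.log(Level.FINEST, "ConjurCredentialStore: Global credentials found!");
            return this.provider.getCredentials(Credentials.class, Jenkins.get());
        }
        String storePath = null;
        if (this.context instanceof Item) {
            storePath = ((Item) this.context).getFullName();
        } else if (this.context instanceof ItemGroup) {
            storePath = ((ItemGroup<?>) this.context).getFullName();
        }
        // The containment test must respect path segments: a bare string-prefix match would let a
        // store bound to "team" serve a request made inside the sibling folder "team-b".
        if (storePath != null && !isWithinPath(storePath, currentItem.getFullName())) {
            LOGGER.log(Level.FINEST, "Cannot deliver credentials from path to which you don't have access");
            return Collections.emptyList();
        }
        if (getContext() != currentItem) {
            if (!ConjurAPI.isInheritanceOn(currentItem)) {
                return Collections.emptyList();
            }
            if (!(currentItem instanceof Hudson)) {
                // Every enclosing folder must allow inheritance before a parent store's credentials
                // are handed down to the requested item.
                ItemGroup<? extends Item> parent = currentItem.getParent();
                while (parent instanceof AbstractFolder) {
                    Item folder = (Item) parent;
                    LOGGER.log(Level.FINEST, String.format("ConjurCredentialStore getCredentials, context:  current folder name: %s currentContext.getFullDisplayName(): %s g.getFullDisplayName(): %s  item: %s", this.context.getDisplayName(), parent.getFullName(), currentItem.getFullName(), parent.getFullDisplayName(), folder.getFullName()));
                    LOGGER.log(Level.FINEST, String.format("storepath %s actfolder %s", storePath, folder.getFullName()));
                    if (!ConjurAPI.isInheritanceOn(parent)) {
                        LOGGER.log(Level.FINEST, "Cannot deliver credentials from path to which you don't have access or inhertiance is: off");
                        return Collections.emptyList();
                    }
                    parent = ((AbstractFolder<?>) parent).getParent();
                }
            }
        }
        return this.provider.getCredentials(Credentials.class, getContext());
    }

    /** Always throws: credentials are managed in Conjur, not through Jenkins. */
    public boolean addCredentials(@NonNull Domain domain, @NonNull Credentials credentials) {
        throw new UnsupportedOperationException("Jenkins may not add credentials to Conjur");
    }

    /** Always throws: credentials are managed in Conjur, not through Jenkins. */
    public boolean removeCredentials(@NonNull Domain domain, @NonNull Credentials credentials) {
        throw new UnsupportedOperationException("Jenkins may not remove credentials from Conjur");
    }

    /** Always throws: credentials are managed in Conjur, not through Jenkins. */
    public boolean updateCredentials(@NonNull Domain domain, @NonNull Credentials credentials, @NonNull Credentials credentials2) {
        throw new UnsupportedOperationException("Jenkins may not update credentials in Conjur");
    }

    @Nullable
    public CredentialsStoreAction getStoreAction() {
        return this.action;
    }

    /**
     * Returns the nearest {@link Item} ancestor of the current Stapler request, or {@code null} when
     * the call is not made while serving a request or the request has no item ancestor.
     */
    private static Item currentRequestItem() {
        // getCurrentRequest() is null off the request-handling thread; treat that like "no item".
        if (Stapler.getCurrentRequest() == null) {
            return null;
        }
        return (Item) Stapler.getCurrentRequest().findAncestorObject(Item.class);
    }

    /**
     * Returns whether {@code itemPath} is {@code storePath} itself or lies beneath it, comparing whole
     * {@code /}-separated segments. An empty {@code storePath} contains every path.
     */
    private static boolean isWithinPath(String storePath, String itemPath) {
        if (storePath.isEmpty()) {
            return true;
        }
        return itemPath.equals(storePath) || itemPath.startsWith(storePath + "/");
    }

    /** Formats a flag for the permission trace messages. */
    private static String yesNo(boolean flag) {
        return flag ? "yes" : "no";
    }
}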
