package com.mesosphere.velocity.marathon.auth;

import com.auth0.jwt.Algorithm;
import com.auth0.jwt.JWTAlgorithmException;
import com.auth0.jwt.JWTSigner;
import com.auth0.jwt.internal.org.bouncycastle.jce.provider.BouncyCastleProvider;
import com.auth0.jwt.internal.org.bouncycastle.util.io.pem.PemObject;
import com.auth0.jwt.internal.org.bouncycastle.util.io.pem.PemReader;
import com.cloudbees.plugins.credentials.Credentials;
import com.mesosphere.velocity.marathon.exceptions.AuthenticationException;
import hudson.util.Secret;
import java.io.IOException;
import java.io.StringReader;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.Security;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.HashMap;
import java.util.Locale;
import java.util.logging.Logger;
import net.sf.json.JSONException;
import net.sf.json.JSONObject;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.RequestBuilder;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.cookie.Cookie;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.jenkinsci.plugins.plaincredentials.StringCredentials;

/* loaded from: input_file:com/mesosphere/velocity/marathon/auth/DcosAuthImpl.class */
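/**
 * {@link TokenAuthProvider} that logs a DC/OS service account in and returns its session token.
 *
 * <p>The configured {@link StringCredentials} secret is a DC/OS service-account JSON document
 * with the fields {@code uid}, {@code scheme}, {@code private_key} and {@code login_endpoint}.
 * A short-lived JWT carrying only the {@code uid} claim is signed with the account's RSA private
 * key (the {@code scheme} must be RS256; symmetric schemes are refused) and POSTed to the login
 * endpoint. DC/OS answers with a session token in the {@value #DCOS_AUTH_COOKIE} cookie, which
 * is what {@link #getToken()} returns.
 *
 * <p>Logging discipline: the raw service-account JSON, the private key and the returned session
 * token are never written to the log; only credential ids, HTTP status codes and exception
 * messages from the JWT/crypto libraries are.
 */
public class DcosAuthImpl extends TokenAuthProvider {
    /** Name of the cookie in which DC/OS returns the session token after a successful login. */
    public static final String DCOS_AUTH_COOKIE = "dcos-acs-auth-cookie";
    protected static final String DCOS_AUTH_PAYLOAD = "{\"uid\":\"%s\",\"token\":\"%s\"}";
    private static final Logger LOGGER = Logger.getLogger(DcosAuthImpl.class.getName());
    private static final String DCOS_AUTH_USER_FIELD = "uid";
    private static final String DCOS_AUTH_SCHEME_FIELD = "scheme";
    private static final String DCOS_AUTH_PRIVATEKEY_FIELD = "private_key";
    private static final String DCOS_AUTH_LOGINENDPOINT_FIELD = "login_endpoint";
    /** Only signing scheme accepted in the service-account JSON. */
    private static final String REQUIRED_SCHEME = "RS256";
    /** Lifetime of the login JWT; short to bound replay of a captured assertion. */
    private static final int LOGIN_JWT_TTL_SECONDS = 300;

    private final JWTSigner.Options options;
    private final ContentType contentType;
    private final HttpClientBuilder client;
    private final HttpClientContext context;
    private final StringCredentials credentials;

    /**
     * Creates a provider with a fresh signer configuration, JSON content type, a default
     * {@link HttpClientBuilder} (so TLS verification is whatever HttpClient's defaults give) and
     * a fresh {@link HttpClientContext} in which the login cookie will be stored.
     *
     * @param stringCredentials Jenkins credential whose secret is the DC/OS service-account JSON
     */
    public DcosAuthImpl(StringCredentials stringCredentials) {
        this(stringCredentials, new JWTSigner.Options(), ContentType.APPLICATION_JSON, HttpClientBuilder.create(), new HttpClientContext());
    }

    /**
     * Fully injectable constructor (package-private for tests).
     *
     * @param stringCredentials credential holding the service-account JSON; may be {@code null},
     *                          in which case {@link #updateTokenCredentials} refuses to do anything
     * @param options           signer options; mutated by {@link #createDcosLoginPayload()}
     * @param contentType       content type used for the login POST body
     * @param httpClientBuilder builder from which a client is built for every login attempt
     * @param httpClientContext context whose cookie store receives the session cookie
     */
    DcosAuthImpl(StringCredentials stringCredentials, JWTSigner.Options options, ContentType contentType, HttpClientBuilder httpClientBuilder, HttpClientContext httpClientContext) {
        this.options = options;
        this.contentType = contentType;
        this.client = httpClientBuilder;
        this.context = httpClientContext;
        this.credentials = stringCredentials;
    }

    /**
     * Looks up the DC/OS session cookie in the context's cookie store.
     *
     * @param httpClientContext context used for the login request
     * @return the cookie value, or {@code null} when the store is absent or holds no such cookie
     */
    private String getTokenFromCookie(HttpClientContext httpClientContext) {
        // HttpClient installs a cookie store into the context on execute(); guard anyway so a
        // context that was never used cannot NPE here.
        if (httpClientContext.getCookieStore() == null) {
            return null;
        }
        for (Cookie cookie : httpClientContext.getCookieStore().getCookies()) {
            if (DCOS_AUTH_COOKIE.equals(cookie.getName())) {
                return cookie.getValue();
            }
        }
        return null;
    }

    /**
     * Performs the service-account login and returns the DC/OS session token.
     *
     * @return the session token from the {@value #DCOS_AUTH_COOKIE} cookie, or {@code null} if
     *         the login endpoint answered 2xx without setting it
     * @throws AuthenticationException if the credential JSON is invalid, signing fails, the
     *         request cannot be executed, or the login endpoint answers with a non-2xx status
     */
    @Override
    public String getToken() throws AuthenticationException {
        DcosLoginPayload payload = createDcosLoginPayload();
        // Both the built client and the response are Closeable; try-with-resources makes sure
        // neither leaks (the client previously was never closed).
        try (CloseableHttpClient httpClient = this.client.build();
             CloseableHttpResponse response = httpClient.execute(
                     RequestBuilder.post()
                             .setUri(payload.getLoginURL())
                             .setEntity(new StringEntity(payload.toString(), this.contentType))
                             .build(),
                     this.context)) {
            int status = response.getStatusLine().getStatusCode();
            if (status < 200 || status >= 300) {
                // A rejected login must not be mistaken for "no cookie"; report the status but
                // not the response body, whose contents are not ours to put in the log.
                String msg = "DC/OS login endpoint rejected the service account login (HTTP " + status + ").";
                LOGGER.warning(msg);
                throw new AuthenticationException(msg);
            }
            return getTokenFromCookie(this.context);
        } catch (IOException e) {
            String msg = "Failed to execute web request to login endpoint.\n" + e.getMessage();
            LOGGER.warning(msg);
            throw new AuthenticationException(msg);
        }
    }

    /**
     * Refreshes the given Jenkins credential with a newly obtained DC/OS session token.
     *
     * @param credentials the credential to update; must be a {@link StringCredentials}
     * @return {@code true} if the credential was updated (as reported by {@code doTokenUpdate}),
     *         {@code false} if the argument is not a {@link StringCredentials} or this provider
     *         has no service-account credential configured
     * @throws AuthenticationException if no token could be obtained or the update fails
     */
    @Override
    public boolean updateTokenCredentials(Credentials credentials) throws AuthenticationException {
        if (!(credentials instanceof StringCredentials)) {
            // instanceof is false for null, so don't dereference it when naming the type.
            String received = credentials == null ? "null" : credentials.getClass().getName();
            LOGGER.warning("Invalid credential type, expected String Credentials, received: " + received);
            return false;
        }
        if (this.credentials == null) {
            // No service-account credential to log in with; nothing can be refreshed.
            return false;
        }
        StringCredentials target = (StringCredentials) credentials;
        try {
            String token = getToken();
            if (token == null) {
                String msg = "Failed to retrieve authentication token from DC/OS.";
                LOGGER.warning(msg);
                throw new AuthenticationException(msg);
            }
            return doTokenUpdate(target.getId(), newTokenCredentials(target, token));
        } catch (IOException e) {
            LOGGER.warning(e.getMessage());
            throw new AuthenticationException(e.getMessage());
        }
    }

    /**
     * Builds the login payload: reads the service-account JSON, enforces RS256, configures the
     * signer options (5 minute expiry, {@code iat} set) and signs a JWT over the {@code uid}.
     *
     * @return payload addressed to the account's login endpoint carrying the signed JWT
     * @throws AuthenticationException if a required field is missing, the scheme is not RS256,
     *         the algorithm cannot be resolved, or the private key cannot be read
     */
    DcosLoginPayload createDcosLoginPayload() throws AuthenticationException {
        JSONObject serviceAccount = constructJsonFromCredentials();
        try {
            String uid = serviceAccount.getString(DCOS_AUTH_USER_FIELD);
            String loginEndpoint = serviceAccount.getString(DCOS_AUTH_LOGINENDPOINT_FIELD);
            String scheme = serviceAccount.getString(DCOS_AUTH_SCHEME_FIELD);
            // Refuse anything but the asymmetric scheme. Locale.ROOT keeps the comparison
            // independent of the JVM default locale (e.g. Turkish dotless-i casing rules).
            if (!REQUIRED_SCHEME.equals(scheme.toUpperCase(Locale.ROOT))) {
                throw new AuthenticationException("Unsupported algorithm '" + scheme + "', this must be 'RS256'");
            }
            this.options.setAlgorithm(Algorithm.findByName(scheme));
            this.options.setExpirySeconds(LOGIN_JWT_TTL_SECONDS);
            this.options.setIssuedAt(true);
            String privateKeyPem = serviceAccount.getString(DCOS_AUTH_PRIVATEKEY_FIELD);
            String loginJwt = createSigner(privateKeyPem).sign(createClaims(uid), this.options);
            return DcosLoginPayload.create(loginEndpoint, uid, loginJwt);
        } catch (JWTAlgorithmException e) {
            String msg = "Algorithm error: " + e.getMessage();
            LOGGER.warning(msg);
            throw new AuthenticationException(msg);
        } catch (JSONException e2) {
            // Deliberately generic: the JSON is secret material and must not be echoed.
            LOGGER.warning("Invalid DC/OS service account JSON");
            throw new AuthenticationException("Invalid DC/OS service account JSON");
        }
    }

    /**
     * Parses the credential secret as the service-account JSON document.
     *
     * <p>{@link Secret#toString(Secret)} materialises the secret (including the private key) as
     * an immutable String; that is unavoidable with the JSON and PEM APIs used here.
     *
     * @return the parsed document
     * @throws AuthenticationException if the secret is not valid JSON (only the credential id is
     *         logged, never the content)
     */
    private JSONObject constructJsonFromCredentials() throws AuthenticationException {
        try {
            return JSONObject.fromObject(Secret.toString(this.credentials.getSecret()));
        } catch (JSONException e) {
            String msg = "Invalid JSON in credentials '" + this.credentials.getId() + "'";
            LOGGER.warning(msg);
            throw new AuthenticationException(msg);
        }
    }

    /**
     * Claims of the login JWT: only the {@code uid}; expiry and {@code iat} come from the options.
     *
     * @param uid service-account user id
     * @return mutable claim map with the single {@code uid} entry
     */
    private HashMap<String, Object> createClaims(String uid) {
        HashMap<String, Object> claims = new HashMap<>(1);
        claims.put(DCOS_AUTH_USER_FIELD, uid);
        return claims;
    }

    /**
     * Creates the JWT signer for the algorithm currently set in the options.
     *
     * @param privateKeyPem PEM-encoded PKCS#8 RSA private key from the service-account JSON
     * @return signer backed by the parsed private key
     * @throws AuthenticationException if the algorithm is not RS256 or the key cannot be parsed
     */
    private JWTSigner createSigner(String privateKeyPem) throws AuthenticationException {
        switch (this.options.getAlgorithm()) {
            case RS256:
                return new JWTSigner(readRsaPrivateKey(privateKeyPem));
            default:
                throw new AuthenticationException("Unsupported algorithm '" + this.options.getAlgorithm().getValue() + "', this must be 'RS256'");
        }
    }

    /**
     * Parses a PEM-wrapped PKCS#8 RSA private key with the BouncyCastle provider.
     *
     * <p>The PEM type header is not checked; a PKCS#1 {@code RSA PRIVATE KEY} body is expected to
     * be rejected by {@code generatePrivate} (reported as "Unable to read key") rather than here.
     *
     * @param privateKeyPem PEM text
     * @return the private key
     * @throws AuthenticationException if the text holds no PEM object, the key is malformed, or
     *         the RSA/BC provider is unavailable
     */
    private static PrivateKey readRsaPrivateKey(String privateKeyPem) throws AuthenticationException {
        try (PemReader pemReader = new PemReader(new StringReader(privateKeyPem))) {
            PemObject pemObject = pemReader.readPemObject();
            if (pemObject == null) {
                // Not PEM at all (or empty); previously this dereferenced null and NPE'd.
                String msg = "Unable to read key: no PEM object found in '" + DCOS_AUTH_PRIVATEKEY_FIELD + "'";
                LOGGER.warning(msg);
                throw new AuthenticationException(msg);
            }
            return KeyFactory.getInstance("RSA", "BC").generatePrivate(new PKCS8EncodedKeySpec(pemObject.getContent()));
        } catch (NoSuchProviderException e) {
            String msg = "Unknown provider: " + e.getMessage();
            LOGGER.warning(msg);
            throw new AuthenticationException(msg);
        } catch (NoSuchAlgorithmException e) {
            String msg = "Unsupported algorithm: " + e.getMessage();
            LOGGER.warning(msg);
            throw new AuthenticationException(msg);
        } catch (InvalidKeySpecException e) {
            // The provider's message describes the encoding problem, not the key bytes.
            String msg = "Unable to read key: " + e.getMessage();
            LOGGER.warning(msg);
            throw new AuthenticationException(msg);
        } catch (IOException e) {
            String msg = "Error reading PEM private key:\n" + e.getMessage();
            LOGGER.warning(msg);
            throw new AuthenticationException(msg);
        }
    }

    static {
        // Register the shaded BouncyCastle provider under "BC" only if none is installed, so a
        // BC provider already present in the JVM is never displaced by this plugin's copy.
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }
}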
