package com.onepassword.jenkins.plugins;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.CredentialsScope;
import com.cloudbees.plugins.credentials.CredentialsUnavailableException;
import com.cloudbees.plugins.credentials.matchers.IdMatcher;
import com.onepassword.jenkins.plugins.config.OnePasswordConfig;
import com.onepassword.jenkins.plugins.config.OnePasswordConfigResolver;
import com.onepassword.jenkins.plugins.exception.OnePasswordException;
import com.onepassword.jenkins.plugins.model.OnePasswordSecret;
import hudson.EnvVars;
import hudson.ExtensionList;
import hudson.model.Run;
import hudson.security.ACL;
import hudson.util.Secret;
import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Supplier;
import jenkins.model.Jenkins;
import org.apache.commons.lang.StringUtils;
import org.jenkinsci.plugins.plaincredentials.StringCredentials;
import org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl;

/* loaded from: input_file:WEB-INF/lib/onepassword-secrets.jar:com/onepassword/jenkins/plugins/OnePasswordAccessor.class */
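/**
 * Resolves the 1Password configuration that applies to a Jenkins run and reads secrets by
 * running the 1Password CLI ({@code <cliDir>/op read <reference>}) as a child process.
 *
 * <p>Authentication material (Connect host/token or service account token) is handed to the
 * child process through its environment variables, never on the command line.
 */
public class OnePasswordAccessor implements Serializable {
    private static final long serialVersionUID = 1456115587313159751L;
    private OnePasswordConfig config;
    private static final String GENERATED_CONNECT_TOKEN_ID = "onepassword_connect_token_autogenerated";
    private static final String GENERATED_SERVICE_ACCOUNT_TOKEN_ID = "onepassword_service_account_token_autogenerated";
    private static final String GENERATED_CONNECT_DESCRIPTION = "Auto-generated credential of the 1Password Connect Token from environment";
    private static final String GENERATED_SERVICE_ACCOUNT_DESCRIPTION = "Auto-generated credential of the 1Password Service Account Token from environment";
    private static final String envOPConnectHost = "OP_CONNECT_HOST";
    private static final String envOPConnectToken = "OP_CONNECT_TOKEN";
    private static final String envOPServiceAccountToken = "OP_SERVICE_ACCOUNT_TOKEN";
    private static final String envOPCLIPath = "OP_CLI_PATH";
    private static final String envOPIntegrationName = "OP_INTEGRATION_NAME";
    private static final String envOPIntegrationID = "OP_INTEGRATION_ID";
    private static final String envOPIntegrationBuildNumber = "OP_INTEGRATION_BUILDNUMBER";
    private static final String OPIntegrationName = "1Password Jenkins Plugin";
    private static final String OPIntegrationID = "JEN";
    private static final String OPIntegrationBuildNumber = "0001001";

    /** Creates an accessor backed by an empty {@link OnePasswordConfig}. */
    public OnePasswordAccessor() {
        this.config = new OnePasswordConfig();
    }

    /**
     * Creates an accessor backed by the given configuration.
     *
     * @param onePasswordConfig configuration to hold; stored as-is, not copied
     */
    public OnePasswordAccessor(OnePasswordConfig onePasswordConfig) {
        this.config = onePasswordConfig;
    }

    /**
     * Returns this accessor unchanged; no initialisation work is performed here.
     *
     * @return this instance
     */
    public OnePasswordAccessor init() {
        return this;
    }

    /** @return the configuration currently held by this accessor */
    public OnePasswordConfig getConfig() {
        return this.config;
    }

    /** @param onePasswordConfig configuration to hold from now on; stored as-is, not copied */
    public void setConfig(OnePasswordConfig onePasswordConfig) {
        this.config = onePasswordConfig;
    }

    /**
     * Reads every requested secret with {@code op read} and returns the values keyed by the
     * environment variable name each secret is destined for.
     *
     * <p>Only the first line of the CLI's standard output is kept per secret, so a multi-line
     * secret is returned truncated to its first line.
     *
     * @param run the run whose job is used for the credential and configuration lookups
     * @param printStream build log; receives one "Retrieving secret" line per secret, naming the
     *     target environment variable only
     * @param envVars build environment, used for configuration resolution and as the source of
     *     {@code WORKSPACE} when no CLI path is configured
     * @param onePasswordConfig explicit configuration to merge with the environment, may be null
     * @param list secrets to read; {@code null} is treated as empty
     * @return map from environment variable name to secret value
     * @throws OnePasswordException if the configuration is incomplete, the CLI directory cannot be
     *     determined, the CLI cannot be started, or a secret comes back empty or with an error
     */
    public static Map<String, String> retrieveSecrets(Run<?, ?> run, PrintStream printStream, EnvVars envVars, OnePasswordConfig onePasswordConfig, List<OnePasswordSecret> list) {
        Map<String, String> secrets = new HashMap<>();
        OnePasswordConfig merged = pullAndMergeConfig(run, onePasswordConfig, envVars);
        String connectHost = merged.getConnectHost();
        StringCredentials connectCredential = merged.getConnectCredential();
        if (connectCredential == null) {
            connectCredential = retrieveCredentials(run, merged::getConnectCredentialId);
        }
        StringCredentials serviceAccountCredential = merged.getServiceAccountCredential();
        if (serviceAccountCredential == null) {
            serviceAccountCredential = retrieveCredentials(run, merged::getServiceAccountCredentialId);
        }

        // Without a service account token, Connect needs both a host and a token.
        boolean hostMissing = StringUtils.isBlank(connectHost);
        if (serviceAccountCredential == null) {
            if (connectCredential != null && hostMissing) {
                throw new OnePasswordException("The Connect host is not configured - please provide the host to the Connect instance.");
            }
            if (connectCredential == null && !hostMissing) {
                throw new OnePasswordException("The Connect credential is not configured - please provide the credential of the Connect instance.");
            }
            if (connectCredential == null) {
                throw new OnePasswordException("No credential has been configured - please provide either the credential and host of the Connect instance or the credential of the Service Account Token.");
            }
        }

        // NOTE(review): with no CLI path configured, the binary is taken from the job workspace,
        // a directory build steps can normally write to, and the path may also arrive through the
        // build environment (OP_CLI_PATH). Whatever executable sits at <dir>/op receives the
        // tokens below, so prefer a fixed, administrator-controlled CLI location.
        String opCLIPath = merged.getOpCLIPath();
        if (StringUtils.isBlank(opCLIPath)) {
            opCLIPath = envVars.get("WORKSPACE");
        }
        if (StringUtils.isBlank(opCLIPath)) {
            // Previously this fell through to new File(null) and failed with a bare NullPointerException.
            throw new OnePasswordException("The 1Password CLI path is not configured and no WORKSPACE is available - please provide the directory that contains the op executable.");
        }

        ProcessBuilder processBuilder = new ProcessBuilder(new String[0]);
        // The builder's environment starts as a copy of this JVM's environment, so putIfAbsent
        // leaves an inherited OP_* value in place instead of the resolved one.
        Map<String, String> environment = processBuilder.environment();
        if (!hostMissing) {
            environment.putIfAbsent(envOPConnectHost, connectHost);
        }
        if (connectCredential != null) {
            environment.putIfAbsent(envOPConnectToken, connectCredential.getSecret().getPlainText());
        }
        if (serviceAccountCredential != null) {
            environment.putIfAbsent(envOPServiceAccountToken, serviceAccountCredential.getSecret().getPlainText());
        }
        environment.put(envOPIntegrationName, OPIntegrationName);
        environment.put(envOPIntegrationID, OPIntegrationID);
        environment.put(envOPIntegrationBuildNumber, OPIntegrationBuildNumber);
        processBuilder.directory(new File(opCLIPath));

        List<OnePasswordSecret> requested = list != null ? list : Collections.<OnePasswordSecret>emptyList();
        try {
            for (OnePasswordSecret secret : requested) {
                printStream.printf("Retrieving secret %s%n", secret.getEnvVar());
                // NOTE(review): references supplied through `list` reach the CLI unvalidated; only
                // loadSecrets filters by isOPReference. They are passed as a single argv element,
                // not through a shell.
                String[] command = {opCLIPath + "/op", "read", secret.getSecretRef()};
                secrets.put(secret.getEnvVar(), readSecret(processBuilder, command, secret.getSecretRef()));
            }
        } finally {
            // Drop the connection entries from the builder's environment map whether or not
            // retrieval succeeded.
            environment.remove(envOPConnectHost);
            environment.remove(envOPConnectToken);
            environment.remove(envOPServiceAccountToken);
        }
        return secrets;
    }

    /**
     * Runs one {@code op read} command and returns the first line of its standard output. Both
     * output readers are closed on every path, including the error paths.
     */
    private static String readSecret(ProcessBuilder processBuilder, String[] command, String secretRef) {
        try {
            Process process = processBuilder.command(command).start();
            try (BufferedReader stdout = new BufferedReader(new InputStreamReader(process.getInputStream(), StandardCharsets.UTF_8));
                    BufferedReader stderr = new BufferedReader(new InputStreamReader(process.getErrorStream(), StandardCharsets.UTF_8))) {
                String value = stdout.readLine();
                if (!StringUtils.isBlank(value)) {
                    return value;
                }
                // No usable value: whatever the CLI wrote to stderr becomes the failure message.
                StringBuilder errors = new StringBuilder();
                String line;
                while ((line = stderr.readLine()) != null) {
                    errors.append(line).append("\n");
                }
                if (StringUtils.isBlank(errors.toString())) {
                    throw new OnePasswordException("Secret with reference " + secretRef + " is empty.");
                }
                throw new OnePasswordException("Error retrieving secret " + secretRef + ":\n" + errors + "\n");
            }
        } catch (IOException e) {
            throw new OnePasswordException("Error running command " + Arrays.toString(command) + ":\n" + e.getMessage() + "\n");
        }
    }

    /**
     * Collects the explicitly requested secrets plus every build environment variable whose value
     * is a 1Password reference, then reads them all via {@link #retrieveSecrets}.
     *
     * <p>Any {@code op://} value present in the build environment is resolved, so which secrets a
     * job can obtain is bounded by what the configured token may read, not by this method.
     *
     * @param run the run whose job is used for the credential and configuration lookups
     * @param printStream build log
     * @param envVars build environment to scan for {@code op://} references
     * @param onePasswordConfig explicit configuration, may be null
     * @param list explicitly requested secrets, may be null; the caller's list is not modified
     * @return map from environment variable name to secret value
     */
    public static Map<String, String> loadSecrets(Run<?, ?> run, PrintStream printStream, EnvVars envVars, OnePasswordConfig onePasswordConfig, List<OnePasswordSecret> list) {
        // Work on a copy: appending to the caller's list leaked entries back to the caller and
        // failed outright on an unmodifiable list.
        List<OnePasswordSecret> secrets = list == null ? new ArrayList<>() : new ArrayList<>(list);
        for (Map.Entry<String, String> entry : envVars.entrySet()) {
            if (isOPReference(entry.getValue())) {
                secrets.add(new OnePasswordSecret(entry.getKey(), entry.getValue()));
            }
        }
        return retrieveSecrets(run, printStream, envVars, onePasswordConfig, secrets);
    }

    /**
     * Looks up the string credential whose ID is produced by {@code supplier}.
     *
     * <p>NOTE(review): the lookup runs as {@code ACL.SYSTEM}, so it is not limited by the
     * permissions of whoever triggered the build. Consider
     * {@code CredentialsProvider.findCredentialById(id, StringCredentials.class, run)}, which
     * resolves in the context of the run; confirm it against the credentials-plugin version in use.
     *
     * @param run the run whose job scopes the lookup
     * @param supplier yields the credential ID
     * @return the matching credential, or {@code null} when Jenkins is not running or the ID is blank
     * @throws CredentialsUnavailableException if an ID is given but no credential matches it
     */
    public static StringCredentials retrieveCredentials(Run<?, ?> run, Supplier<String> supplier) {
        if (Jenkins.getInstanceOrNull() == null) {
            return null;
        }
        String credentialId = supplier.get();
        if (StringUtils.isBlank(credentialId)) {
            return null;
        }
        StringCredentials credential = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(StringCredentials.class, run.getParent(), ACL.SYSTEM, Collections.emptyList()),
                new IdMatcher(credentialId));
        if (credential == null) {
            throw new CredentialsUnavailableException(credentialId);
        }
        return credential;
    }

    /**
     * Builds the effective configuration for a run: the environment-derived configuration,
     * overridden by the non-blank host and credential IDs of {@code onePasswordConfig}, then merged
     * with what every registered {@link OnePasswordConfigResolver} returns for the run's job.
     *
     * @param run the run whose job is passed to the resolvers
     * @param onePasswordConfig explicit configuration, may be null
     * @param envVars build environment
     * @return the merged configuration, never null
     * @throws OnePasswordException if no source yields a configuration
     */
    public static OnePasswordConfig pullAndMergeConfig(Run<?, ?> run, OnePasswordConfig onePasswordConfig, EnvVars envVars) {
        OnePasswordConfig effective = resolveConfigFromEnv(run, envVars);
        if (effective == null) {
            effective = onePasswordConfig;
        } else if (onePasswordConfig != null) {
            // NOTE(review): the explicit config's CLI path is not copied here; confirm that is intended.
            if (onePasswordConfig.hasConnectHost() && !StringUtils.isBlank(onePasswordConfig.getConnectHost())) {
                effective.setConnectHost(onePasswordConfig.getConnectHost());
            }
            if (onePasswordConfig.hasConnectCredentialId() && !StringUtils.isBlank(onePasswordConfig.getConnectCredentialId())) {
                effective.setConnectCredentialId(onePasswordConfig.getConnectCredentialId());
                // Clear the environment-derived credential so the explicit ID is looked up instead.
                effective.setConnectCredential(null);
            }
            if (onePasswordConfig.hasServiceAccountCredentialId() && !StringUtils.isBlank(onePasswordConfig.getServiceAccountCredentialId())) {
                effective.setServiceAccountCredentialId(onePasswordConfig.getServiceAccountCredentialId());
                effective.setServiceAccountCredential(null);
            }
        }
        for (OnePasswordConfigResolver resolver : ExtensionList.lookup(OnePasswordConfigResolver.class)) {
            effective = effective != null
                    ? effective.mergeWithParent(resolver.forJob(run.getParent()))
                    : resolver.forJob(run.getParent());
        }
        if (effective == null) {
            throw new OnePasswordException("No config found - please configure 1Password");
        }
        return effective;
    }

    /**
     * Derives a configuration from {@code OP_CONNECT_HOST}, {@code OP_CONNECT_TOKEN},
     * {@code OP_SERVICE_ACCOUNT_TOKEN} and {@code OP_CLI_PATH} (or their
     * {@code jenkins.onepassword.*} system properties).
     *
     * <p>A token value is matched against the stored string credentials by secret <em>or</em> by
     * ID; when nothing matches, an in-memory credential holding the value is generated.
     *
     * <p>NOTE(review): the values are read from the build environment first, the lookup runs as
     * {@code ACL.SYSTEM}, and every candidate credential is decrypted for the comparison. A
     * build-supplied value equal to a credential ID therefore selects that credential. Confirm
     * this is acceptable for jobs whose environment is not fully trusted.
     *
     * @param run the run whose job scopes the credential lookup
     * @param envVars build environment
     * @return the derived configuration, or {@code null} when none of the four settings is present
     */
    public static OnePasswordConfig resolveConfigFromEnv(Run<?, ?> run, EnvVars envVars) {
        Optional<String> connectHost = getPropertyByEnvOrSystemProperty(envOPConnectHost, "jenkins.onepassword.connect_host", envVars);
        Optional<String> connectToken = getPropertyByEnvOrSystemProperty(envOPConnectToken, "jenkins.onepassword.connect_token", envVars);
        Optional<String> serviceAccountToken = getPropertyByEnvOrSystemProperty(envOPServiceAccountToken, "jenkins.onepassword.service_account_token", envVars);
        Optional<String> cliPath = getPropertyByEnvOrSystemProperty(envOPCLIPath, "jenkins.onepassword.op_cli_path", envVars);
        if (!connectHost.isPresent() && !connectToken.isPresent() && !serviceAccountToken.isPresent() && !cliPath.isPresent()) {
            return null;
        }
        OnePasswordConfig resolved = new OnePasswordConfig();
        connectHost.ifPresent(resolved::setConnectHost);
        cliPath.ifPresent(resolved::setOpCLIPath);
        if (connectToken.isPresent()) {
            StringCredentials stored = findCredentialBySecretOrId(run, connectToken.get());
            if (stored != null) {
                resolved.setConnectCredential(stored);
                resolved.setConnectCredentialId(stored.getId());
            }
            if (StringUtils.isBlank(resolved.getConnectCredentialId())) {
                StringCredentialsImpl generated = new StringCredentialsImpl(CredentialsScope.GLOBAL, GENERATED_CONNECT_TOKEN_ID, GENERATED_CONNECT_DESCRIPTION, Secret.fromString(connectToken.get()));
                resolved.setConnectCredential(generated);
                resolved.setConnectCredentialId(generated.getId());
            }
        }
        if (serviceAccountToken.isPresent()) {
            StringCredentials stored = findCredentialBySecretOrId(run, serviceAccountToken.get());
            if (stored != null) {
                resolved.setServiceAccountCredential(stored);
                resolved.setServiceAccountCredentialId(stored.getId());
            }
            if (StringUtils.isBlank(resolved.getServiceAccountCredentialId())) {
                StringCredentialsImpl generated = new StringCredentialsImpl(CredentialsScope.GLOBAL, GENERATED_SERVICE_ACCOUNT_TOKEN_ID, GENERATED_SERVICE_ACCOUNT_DESCRIPTION, Secret.fromString(serviceAccountToken.get()));
                resolved.setServiceAccountCredential(generated);
                resolved.setServiceAccountCredentialId(generated.getId());
            }
        }
        return resolved;
    }

    /**
     * Returns the last stored string credential whose secret or ID equals {@code value}, or
     * {@code null} when none does. The scan does not stop at the first hit.
     */
    private static StringCredentials findCredentialBySecretOrId(Run<?, ?> run, String value) {
        StringCredentials match = null;
        for (StringCredentials candidate : CredentialsProvider.lookupCredentials(StringCredentials.class, run.getParent(), ACL.SYSTEM, Collections.emptyList())) {
            if (candidate.getSecret().getPlainText().equals(value) || candidate.getId().equals(value)) {
                match = candidate;
            }
        }
        return match;
    }

    /**
     * Resolves a setting by precedence: build environment, then the JVM process environment, then
     * the named system property.
     *
     * @param str environment variable name
     * @param str2 system property name
     * @param envVars build environment
     * @return the first value found, or empty when none of the three sources defines it
     */
    private static Optional<String> getPropertyByEnvOrSystemProperty(String str, String str2, EnvVars envVars) {
        String fromBuildEnv = envVars.get(str);
        if (fromBuildEnv != null) {
            return Optional.of(fromBuildEnv);
        }
        String fromProcessEnv = System.getenv(str);
        if (fromProcessEnv != null) {
            return Optional.of(fromProcessEnv);
        }
        return Optional.ofNullable(System.getProperty(str2));
    }

    /**
     * Tells whether a value has the shape of a 1Password secret reference: the {@code op://}
     * prefix followed by three or four {@code /}-separated segments. Segment contents are not
     * checked.
     *
     * @param str candidate value; {@code null} is not a reference
     * @return {@code true} if the value has the reference shape
     */
    public static boolean isOPReference(String str) {
        if (str == null || !str.startsWith("op://")) {
            return false;
        }
        int segments = str.substring("op://".length()).split("/").length;
        return segments >= 3 && segments <= 4;
    }
}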
