package org.jenkinsci.plugins.github.webhook;

import com.cloudbees.jenkins.GitHubWebHook;
import com.google.common.base.Charsets;
import com.google.common.base.Optional;
import com.google.common.base.Predicates;
import com.google.common.collect.Lists;
import hudson.util.Secret;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.InvocationTargetException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.interfaces.RSAPublicKey;
import javax.servlet.ServletException;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang3.StringUtils;
import org.jenkinsci.main.modules.instance_identity.InstanceIdentity;
import org.jenkinsci.plugins.github.GitHubPlugin;
import org.jenkinsci.plugins.github.util.FluentIterableWrapper;
import org.kohsuke.github.GHEvent;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.Interceptor;
import org.kohsuke.stapler.interceptor.InterceptorAnnotation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Target({ElementType.METHOD, ElementType.FIELD})
@InterceptorAnnotation(Processor.class)
@Retention(RetentionPolicy.RUNTIME)
/* loaded from: input_file:test-dependencies/github.hpi:WEB-INF/lib/github.jar:org/jenkinsci/plugins/github/webhook/RequirePostWithGHHookPayload.class */
public @interface RequirePostWithGHHookPayload {

    /* loaded from: input_file:test-dependencies/github.hpi:WEB-INF/lib/github.jar:org/jenkinsci/plugins/github/webhook/RequirePostWithGHHookPayload$Processor.class */
    public static class Processor extends Interceptor {
        private static final Logger LOGGER = LoggerFactory.getLogger(Processor.class);
        public static final String SIGNATURE_HEADER = "X-Hub-Signature";
        private static final String SHA1_PREFIX = "sha1=";

        public Object invoke(StaplerRequest staplerRequest, StaplerResponse staplerResponse, Object obj, Object[] objArr) throws IllegalAccessException, InvocationTargetException {
            shouldBePostMethod(staplerRequest);
            returnsInstanceIdentityIfLocalUrlTest(staplerRequest);
            shouldContainParseablePayload(objArr);
            shouldProvideValidSignature(staplerRequest, objArr);
            return this.target.invoke(staplerRequest, staplerResponse, obj, objArr);
        }

        protected void shouldBePostMethod(StaplerRequest staplerRequest) throws InvocationTargetException {
            if (!staplerRequest.getMethod().equals("POST")) {
                throw new InvocationTargetException(HttpResponses.error(405, "Method POST required"));
            }
        }

        protected void returnsInstanceIdentityIfLocalUrlTest(StaplerRequest staplerRequest) throws InvocationTargetException {
            if (staplerRequest.getHeader(GitHubWebHook.URL_VALIDATION_HEADER) != null) {
                throw new InvocationTargetException(new HttpResponses.HttpResponseException() { // from class: org.jenkinsci.plugins.github.webhook.RequirePostWithGHHookPayload.Processor.1
                    public void generateResponse(StaplerRequest staplerRequest2, StaplerResponse staplerResponse, Object obj) throws IOException, ServletException {
                        RSAPublicKey rSAPublicKey = new InstanceIdentity().getPublic();
                        staplerResponse.setStatus(200);
                        staplerResponse.setHeader(GitHubWebHook.X_INSTANCE_IDENTITY, new String(Base64.encodeBase64(rSAPublicKey.getEncoded()), Charsets.UTF_8));
                    }
                });
            }
        }

        protected void shouldContainParseablePayload(Object[] objArr) throws InvocationTargetException {
            isTrue(objArr.length == 2, "GHHook root action should take <(GHEvent) event> and <(String) payload> only");
            FluentIterableWrapper from = FluentIterableWrapper.from(Lists.newArrayList(objArr));
            isTrue(from.firstMatch(Predicates.instanceOf(GHEvent.class)).isPresent(), "Hook should contain event type");
            isTrue(StringUtils.isNotBlank((String) from.firstMatch(Predicates.instanceOf(String.class)).or("")), "Hook should contain payload");
        }

        protected void shouldProvideValidSignature(StaplerRequest staplerRequest, Object[] objArr) throws InvocationTargetException {
            Optional fromNullable = Optional.fromNullable(staplerRequest.getHeader(SIGNATURE_HEADER));
            Secret hookSecret = GitHubPlugin.configuration().getHookSecretConfig().getHookSecret();
            if (fromNullable.isPresent() && Optional.fromNullable(hookSecret).isPresent()) {
                String substringAfter = StringUtils.substringAfter((String) fromNullable.get(), SHA1_PREFIX);
                LOGGER.trace("Trying to verify sign from header {}", fromNullable.get());
                isTrue(GHWebhookSignature.webhookSignature(payloadFrom(staplerRequest, objArr), hookSecret).matches(substringAfter), String.format("Provided signature [%s] did not match to calculated", substringAfter));
            }
        }

        protected String payloadFrom(StaplerRequest staplerRequest, Object[] objArr) {
            String str = (String) objArr[1];
            if (staplerRequest.getContentType().equals("application/json")) {
                return str;
            }
            if (!staplerRequest.getContentType().equals("application/x-www-form-urlencoded")) {
                LOGGER.error("Unknown content type {}", staplerRequest.getContentType());
                return "";
            }
            try {
                return String.format("payload=%s", URLEncoder.encode(str, StandardCharsets.UTF_8.toString()));
            } catch (UnsupportedEncodingException e) {
                LOGGER.error(e.getMessage(), e);
                return "";
            }
        }

        private void isTrue(boolean z, String str) throws InvocationTargetException {
            if (!z) {
                throw new InvocationTargetException(HttpResponses.errorWithoutStack(400, str));
            }
        }
    }
}
