package io.jenkins.blueocean.service.embedded.util;

import com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey;
import com.cloudbees.plugins.credentials.Credentials;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.CredentialsScope;
import com.cloudbees.plugins.credentials.CredentialsStore;
import com.cloudbees.plugins.credentials.domains.Domain;
import com.google.common.base.Preconditions;
import hudson.model.User;
import io.jenkins.blueocean.commons.ServiceException;
import io.jenkins.blueocean.service.embedded.rest.UserKey;
import java.io.IOException;
import java.util.Iterator;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import jenkins.model.Jenkins;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;

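/**
 * Manages the single Blue Ocean generated SSH key pair kept for a Jenkins user.
 *
 * <p>The private key is stored as a {@link CredentialsScope#USER} scoped
 * {@link BasicSSHUserPrivateKey} with the fixed id {@value #BLUEOCEAN_GENERATED_SSH_KEY_ID},
 * inside the domain {@value #BLUEOCEAN_DOMAIN_NAME} of a credentials store looked up for that
 * user. Only the public half is wrapped for callers, see {@link #getPublicKey}.
 *
 * <p>NOTE(review): {@link #getOrCreate} is a check-then-create sequence with no locking in this
 * class; two concurrent calls for the same user could presumably both add a credential with the
 * same id. Confirm whether the credentials store rejects duplicate ids.
 */
@Restricted({NoExternalUse.class})
public class UserSSHKeyManager {
    /**
     * Key size in bits passed to {@code SSHKeyUtils.generateKey}.
     * NOTE(review): the algorithm is chosen inside SSHKeyUtils (presumably RSA) — confirm that
     * 2048 bits still meets the current key-strength policy for that algorithm.
     */
    private static final int KEY_SIZE = 2048;
    private static final String BLUEOCEAN_GENERATED_SSH_KEY_ID = "jenkins-generated-ssh-key";
    private static final String BLUEOCEAN_DOMAIN_NAME = "blueocean-private-key-domain";

    /**
     * Returns the user's generated SSH private key, creating and persisting one if none exists.
     *
     * @param user the user who owns the key; must not be null
     * @return the existing or newly created private-key credential
     * @throws ServiceException.ForbiddenException if no credentials store for the user passes the
     *     permission check in {@link #getUserStore}
     * @throws ServiceException.UnexpectedErrorException if the new credential cannot be stored
     */
    @Nonnull
    public static BasicSSHUserPrivateKey getOrCreate(@Nonnull User user) {
        Preconditions.checkNotNull(user);
        CredentialsStore store = getUserStore(user);
        if (store == null) {
            throw new ServiceException.ForbiddenException(String.format("Logged in user: %s doesn't have writable credentials store", user.getId()));
        }
        Domain domain = getDomain(store);
        BasicSSHUserPrivateKey existing = findGeneratedKey(store, domain);
        if (existing != null) {
            return existing;
        }
        try {
            // Use the named constant rather than a repeated literal so the key size is defined once.
            String privateKey = SSHKeyUtils.generateKey(KEY_SIZE).trim();
            // The key is created without a passphrase (null); its confidentiality therefore depends
            // on how the credentials store protects the entry at rest.
            BasicSSHUserPrivateKey created = new BasicSSHUserPrivateKey(
                    CredentialsScope.USER,
                    BLUEOCEAN_GENERATED_SSH_KEY_ID,
                    user.getId(),
                    new BasicSSHUserPrivateKey.DirectEntryPrivateKeySource(privateKey),
                    null,
                    BLUEOCEAN_GENERATED_SSH_KEY_ID);
            store.addCredentials(domain, created);
            store.save();
            return created;
        } catch (IOException e) {
            throw new ServiceException.UnexpectedErrorException("Failed to create the private key", e);
        }
    }

    /**
     * Derives the public key for the given private-key credential.
     *
     * <p>Only the credential id and the public key text are placed in the returned
     * {@link UserKey}; the private key is passed to {@code SSHKeyUtils.getPublicKey} but is not
     * copied into the result by this method.
     *
     * @param user the key owner, used to build the key comment; must not be null
     * @param basicSSHUserPrivateKey the credential holding the private key; must not be null
     * @return the credential id together with the trimmed public key
     */
    @Nonnull
    public static UserKey getPublicKey(@Nonnull User user, @Nonnull BasicSSHUserPrivateKey basicSSHUserPrivateKey) {
        Preconditions.checkNotNull(user);
        Preconditions.checkNotNull(basicSSHUserPrivateKey);
        String comment = getKeyComment(user.getId());
        String publicKey = SSHKeyUtils.getPublicKey(basicSSHUserPrivateKey.getPrivateKey(), comment).trim();
        return new UserKey(basicSSHUserPrivateKey.getId(), publicKey);
    }

    /**
     * Removes the user's generated SSH key, if one is stored. Does nothing when no key is found.
     *
     * <p>NOTE(review): the store is selected on CREATE and UPDATE permission only (see
     * {@link #getUserStore}); whether removal is separately authorised depends on the store's
     * own {@code removeCredentials} implementation — confirm.
     *
     * @param user the user whose key is removed; must not be null
     * @throws ServiceException.ForbiddenException if no credentials store for the user passes the
     *     permission check in {@link #getUserStore}
     * @throws ServiceException.UnexpectedErrorException if the store cannot be updated
     */
    public static void reset(@Nonnull User user) {
        Preconditions.checkNotNull(user);
        CredentialsStore store = getUserStore(user);
        if (store == null) {
            throw new ServiceException.ForbiddenException(String.format("Logged in user: %s doesn't have writable credentials store", user.getId()));
        }
        Domain domain = getDomain(store);
        BasicSSHUserPrivateKey existing = findGeneratedKey(store, domain);
        if (existing == null) {
            return;
        }
        try {
            store.removeCredentials(domain, existing);
            store.save();
        } catch (IOException e) {
            throw new ServiceException.UnexpectedErrorException("Unable to reset the user's key", e);
        }
    }

    /**
     * Finds the generated key in the given domain of the store.
     *
     * @return the first {@link BasicSSHUserPrivateKey} whose id is
     *     {@value #BLUEOCEAN_GENERATED_SSH_KEY_ID}, or null if there is none
     */
    @CheckForNull
    private static BasicSSHUserPrivateKey findGeneratedKey(CredentialsStore store, Domain domain) {
        for (Credentials candidate : store.getCredentials(domain)) {
            if (candidate instanceof BasicSSHUserPrivateKey) {
                BasicSSHUserPrivateKey key = (BasicSSHUserPrivateKey) candidate;
                if (BLUEOCEAN_GENERATED_SSH_KEY_ID.equals(key.getId())) {
                    return key;
                }
            }
        }
        return null;
    }

    /**
     * Returns the first credentials store found for the user that grants both CREATE and UPDATE,
     * or null if none does.
     *
     * <p>NOTE(review): {@code hasPermission} is called without an explicit authentication, so it
     * presumably evaluates the current security context rather than {@code user} — confirm that
     * callers only pass the authenticated user.
     */
    @CheckForNull
    private static CredentialsStore getUserStore(User user) {
        for (CredentialsStore candidate : CredentialsProvider.lookupStores(user)) {
            boolean canCreate = candidate.hasPermission(CredentialsProvider.CREATE);
            if (canCreate && candidate.hasPermission(CredentialsProvider.UPDATE)) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Builds the comment attached to the public key, in the form {@code name@host}.
     *
     * <p>The name is {@code str}, or the Jenkins display name when {@code str} is null; the host
     * is extracted from the Jenkins root URL. The result is then reduced to the characters
     * {@code : @ . _ a-z A-Z 0-9}, so user-controlled ids cannot inject whitespace, newlines or
     * other separators into the public-key line.
     */
    private static String getKeyComment(String str) {
        String rootUrl = Jenkins.getInstance().getRootUrl();
        if (rootUrl == null) {
            // No root URL configured: fall back to the one derived from the current request.
            rootUrl = Jenkins.getInstance().getRootUrlFromRequest();
        }
        String name = str == null ? Jenkins.getInstance().getDisplayName() : str;
        // Keep only the authority part that follows "//" (up to the next "/").
        String host = rootUrl.replaceAll(".*//([^/]+).*", "$1");
        return (name + "@" + host).replaceAll("[^:@._a-zA-Z0-9]", "");
    }

    /**
     * Returns the Blue Ocean credentials domain of the store, creating it when it does not exist.
     *
     * @throws ServiceException.UnexpectedErrorException if the domain cannot be created, cannot be
     *     found after creation, or the store fails with an {@link IOException}
     */
    private static Domain getDomain(CredentialsStore credentialsStore) {
        Domain domain = credentialsStore.getDomainByName(BLUEOCEAN_DOMAIN_NAME);
        if (domain != null) {
            return domain;
        }
        try {
            boolean added = credentialsStore.addDomain(new Domain(BLUEOCEAN_DOMAIN_NAME, null, null), new Credentials[0]);
            if (!added) {
                throw new ServiceException.UnexpectedErrorException(String.format("Failed to create credential domain: %s", BLUEOCEAN_DOMAIN_NAME));
            }
            // Look the domain up again so the caller receives the instance held by the store.
            domain = credentialsStore.getDomainByName(BLUEOCEAN_DOMAIN_NAME);
            if (domain == null) {
                throw new ServiceException.UnexpectedErrorException(String.format("Domain %s created but not found", BLUEOCEAN_DOMAIN_NAME));
            }
            return domain;
        } catch (IOException e) {
            throw new ServiceException.UnexpectedErrorException("Failed to save the Blue Ocean domain.", e);
        }
    }
}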
