package io.kubesphere.jenkins.devops.auth;

import com.squareup.okhttp.MediaType;
import com.squareup.okhttp.OkHttpClient;
import com.squareup.okhttp.Request;
import com.squareup.okhttp.RequestBody;
import com.squareup.okhttp.Response;
import hudson.Extension;
import hudson.model.User;
import io.kubesphere.jenkins.devops.auth.KubesphereTokenReviewResponse;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import jenkins.security.BasicHeaderAuthenticator;
import jenkins.security.SecurityListener;
import net.sf.json.JSONObject;
import org.acegisecurity.Authentication;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.userdetails.UsernameNotFoundException;
import org.springframework.dao.DataAccessException;

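/**
 * Basic-auth header authenticator that treats the password part of the header as a
 * KubeSphere token and asks the configured server whether it is valid for the given
 * username.
 *
 * <p>Security-relevant behaviour of this class:
 * <ul>
 *   <li>A successful review may be cached per username for the configured TTL. A cache
 *       hit is served without contacting the server, so a token that was revoked
 *       upstream keeps authenticating until its cache entry expires.</li>
 *   <li>The bearer token is never written to the log by this class.</li>
 *   <li>A Jenkins {@link User} record is only looked up or created after the token has
 *       been accepted, so unauthenticated requests cannot create user records.</li>
 * </ul>
 */
@Extension
/* loaded from: input_file:WEB-INF/lib/kubesphere-token-auth.jar:io/kubesphere/jenkins/devops/auth/KubesphereApiTokenAuthenticator.class */
public class KubesphereApiTokenAuthenticator extends BasicHeaderAuthenticator {
    public static final MediaType JSON = MediaType.parse("application/json; charset=utf-8");
    private static final Logger LOGGER = Logger.getLogger(KubesphereApiTokenAuthenticator.class.getName());

    /**
     * A cached value together with the wall-clock instant after which it must no longer
     * be used.
     *
     * @param <T> type of the cached value
     */
    /* loaded from: input_file:WEB-INF/lib/kubesphere-token-auth.jar:io/kubesphere/jenkins/devops/auth/KubesphereApiTokenAuthenticator$CacheEntry.class */
    public static class CacheEntry<T> {
        private final long expires;
        private final T value;

        /**
         * @param i time to live in seconds, counted from construction
         * @param t value to cache
         */
        public CacheEntry(int i, T t) {
            this.expires = System.currentTimeMillis() + TimeUnit.SECONDS.toMillis(i);
            this.value = t;
        }

        /** @return the cached value, regardless of whether the entry is still valid */
        public T getValue() {
            return this.value;
        }

        /** @return {@code true} while the current time is before the expiry instant */
        public boolean isValid() {
            return System.currentTimeMillis() < this.expires;
        }
    }

    /**
     * Insertion-ordered map of {@link CacheEntry} values with an adjustable size bound.
     *
     * <p>The class does no locking of its own; {@code getReviewResponse} accesses it
     * while holding the global configuration's monitor.
     *
     * @param <K> key type
     * @param <V> type wrapped by the cache entries
     */
    /* loaded from: input_file:WEB-INF/lib/kubesphere-token-auth.jar:io/kubesphere/jenkins/devops/auth/KubesphereApiTokenAuthenticator$CacheMap.class */
    public static class CacheMap<K, V> extends LinkedHashMap<K, CacheEntry<V>> {
        private int cacheSize;

        /** @param i maximum number of entries to keep */
        public CacheMap(int i) {
            super(i + 1);
            this.cacheSize = i;
        }

        /** @param i new maximum number of entries; applied on the next insertion */
        public void setCacheSize(int i) {
            this.cacheSize = i;
        }

        /** @return the current maximum number of entries */
        public int getCacheSize() {
            return this.cacheSize;
        }

        /**
         * Drops the eldest entry when the map is over its bound, or when that entry is
         * {@code null} or expired. This hook only runs on insertion and only looks at
         * the eldest entry, so expired entries further down stay in the map until they
         * become eldest; readers must therefore check {@link CacheEntry#isValid()}.
         */
        @Override // java.util.LinkedHashMap
        protected boolean removeEldestEntry(Map.Entry<K, CacheEntry<V>> entry) {
            return size() > this.cacheSize || entry.getValue() == null || !entry.getValue().isValid();
        }
    }

    /**
     * Authenticates a Basic-auth request whose password is a KubeSphere token.
     *
     * @param httpServletRequest  current request; tagged with an attribute named after
     *                            this class on success
     * @param httpServletResponse current response (unused)
     * @param str                 username from the Authorization header
     * @param str2                token from the Authorization header
     * @return the authentication for the user, or {@code null} when this authenticator
     *         is disabled, the review could not be obtained, or the token was not
     *         accepted for {@code str} (the caller may then try other authenticators)
     * @throws ServletException if the token was accepted but the Jenkins user details
     *                          could not be loaded
     */
    @Override
    public Authentication authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2) throws ServletException {
        if (!KubesphereTokenAuthGlobalConfiguration.get().isEnabled()) {
            return null;
        }
        final KubesphereTokenReviewResponse reviewResponse;
        try {
            reviewResponse = getReviewResponse(str, str2);
        } catch (IOException e) {
            // Fail closed: an unreachable review endpoint never authenticates anyone.
            LOGGER.log(Level.SEVERE, "errors when auth with ks", e);
            return null;
        }
        if (reviewResponse == null || reviewResponse.getStatus() == null) {
            LOGGER.severe("cannot get the review response or status is null by " + str);
            return null;
        }
        if (!isAuthenticatedAs(reviewResponse.getStatus(), str)) {
            return null;
        }
        try {
            // Resolve (and, if missing, create) the Jenkins user only now that the token
            // has been accepted; doing it earlier would let any unauthenticated request
            // create a user record for an arbitrary name.
            User byId = User.getById(str, true);
            UserDetails userDetailsForImpersonation = byId.getUserDetailsForImpersonation();
            UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(userDetailsForImpersonation.getUsername(), userDetailsForImpersonation.getPassword(), userDetailsForImpersonation.getAuthorities());
            SecurityListener.fireAuthenticated(userDetailsForImpersonation);
            httpServletRequest.setAttribute(KubesphereApiTokenAuthenticator.class.getName(), true);
            return usernamePasswordAuthenticationToken;
        } catch (DataAccessException e) {
            throw new ServletException(e);
        } catch (UsernameNotFoundException e) {
            LOGGER.log(Level.WARNING, "API token matched for user " + str + " but the impersonation failed", e);
            throw new ServletException(e);
        }
    }

    /**
     * Returns the token review for a username/token pair, using the per-username cache
     * when a cache configuration is present.
     *
     * <p>Only reviews that report the token as authenticated for {@code str} are
     * cached. The configuration monitor is held for the cache lookup and the cache
     * insertion but not for the HTTP round trip, so one slow or hung review request
     * does not stall every other authentication attempt.
     *
     * @param str  username the token is presented for
     * @param str2 token to review
     * @return the review response, or {@code null} if the server response carried no
     *         status
     * @throws IOException if the review request fails
     */
    public static KubesphereTokenReviewResponse getReviewResponse(String str, String str2) throws IOException {
        KubesphereTokenAuthGlobalConfiguration kubesphereTokenAuthGlobalConfiguration = KubesphereTokenAuthGlobalConfiguration.get();
        if (kubesphereTokenAuthGlobalConfiguration.getCacheConfiguration() == null) {
            return getReviewResponseFromApiServer(KubesphereTokenAuthGlobalConfiguration.get().getServerUrl(), str, str2);
        }
        final int ttlSeconds;
        synchronized (kubesphereTokenAuthGlobalConfiguration) {
            int configuredSize = kubesphereTokenAuthGlobalConfiguration.getCacheConfiguration().getSize();
            ttlSeconds = kubesphereTokenAuthGlobalConfiguration.getCacheConfiguration().getTtl();
            Map<String, CacheEntry<KubesphereTokenReviewResponse>> tokenAuthCache = kubesphereTokenAuthGlobalConfiguration.getTokenAuthCache();
            if (tokenAuthCache == null) {
                kubesphereTokenAuthGlobalConfiguration.setTokenAuthCache(new CacheMap<String, KubesphereTokenReviewResponse>(configuredSize));
            } else {
                // Pick up a changed size setting without discarding the current entries.
                CacheMap<?, ?> sizedCache = (CacheMap<?, ?>) tokenAuthCache;
                if (sizedCache.getCacheSize() != configuredSize) {
                    sizedCache.setCacheSize(configuredSize);
                }
                CacheEntry<KubesphereTokenReviewResponse> cacheEntry = tokenAuthCache.get(str);
                // A hit requires the presented token to equal the one that was reviewed;
                // the cache never vouches for a token the server has not seen.
                if (cacheEntry != null && cacheEntry.isValid() && tokensMatch(cacheEntry.getValue().getToken(), str2)) {
                    return cacheEntry.getValue();
                }
            }
        }
        KubesphereTokenReviewResponse reviewResponseFromApiServer = getReviewResponseFromApiServer(KubesphereTokenAuthGlobalConfiguration.get().getServerUrl(), str, str2);
        if (reviewResponseFromApiServer == null || reviewResponseFromApiServer.getStatus() == null) {
            return null;
        }
        if (isAuthenticatedAs(reviewResponseFromApiServer.getStatus(), str)) {
            synchronized (kubesphereTokenAuthGlobalConfiguration) {
                Map<String, CacheEntry<KubesphereTokenReviewResponse>> tokenAuthCache = kubesphereTokenAuthGlobalConfiguration.getTokenAuthCache();
                // The cache may have been cleared while the lock was released.
                if (tokenAuthCache != null) {
                    tokenAuthCache.put(str, new CacheEntry<>(ttlSeconds, reviewResponseFromApiServer));
                }
            }
        }
        return reviewResponseFromApiServer;
    }

    /**
     * Posts a token review request to {@code <server url>oauth/authenticate}.
     *
     * @param str  base URL of the review server
     * @param str2 username the token is presented for (not sent by this method)
     * @param str3 token to review
     * @return the parsed review on HTTP 200, otherwise an empty response object
     * @throws IOException if the request cannot be executed or the body cannot be read
     */
    public static KubesphereTokenReviewResponse getReviewResponseFromApiServer(String str, String str2, String str3) throws IOException {
        OkHttpClient okHttpClient = new OkHttpClient();
        okHttpClient.setConnectTimeout(30L, TimeUnit.SECONDS);
        okHttpClient.setReadTimeout(60L, TimeUnit.SECONDS);
        Request.Builder builder = new Request.Builder();
        // NOTE(review): the path is appended without a separator, so the configured URL
        // presumably ends in '/'. The token travels in the request body, so the URL
        // should use https — confirm both against the global configuration.
        builder.url(str + "oauth/authenticate");
        String payload = JSONObject.fromObject(new KubesphereTokenReviewRequest(str3)).toString();
        // The payload carries the bearer token, so it is deliberately kept out of the log.
        LOGGER.log(Level.FINE, "Sending token review request (payload omitted, it contains the token)");
        builder.post(RequestBody.create(JSON, payload));
        Response execute = okHttpClient.newCall(builder.build()).execute();
        String string = execute.body().string();
        // NOTE(review): confirm the response body never echoes the token before
        // enabling FINE logging for this class.
        LOGGER.log(Level.FINE, "Response body from API gateway, " + string);
        return execute.code() == 200 ? new KubesphereTokenReviewResponse(JSONObject.fromObject(string), str3) : new KubesphereTokenReviewResponse();
    }

    /**
     * Reports whether a review status marks the token as authenticated for exactly the
     * given username. Missing fields count as "not authenticated" rather than raising.
     */
    private static boolean isAuthenticatedAs(KubesphereTokenReviewResponse.TokenStatus status, String username) {
        if (status == null || username == null) {
            return false;
        }
        if (!Boolean.TRUE.equals(status.getAuthenticated())) {
            return false;
        }
        return status.getUser() != null && username.equals(status.getUser().getUsername());
    }

    /**
     * Compares a cached token with a presented one without an early exit on the first
     * differing byte, so the comparison time does not reveal how much of a guess was
     * correct. A {@code null} on either side never matches.
     */
    private static boolean tokensMatch(String cached, String presented) {
        if (cached == null || presented == null) {
            return false;
        }
        return MessageDigest.isEqual(cached.getBytes(StandardCharsets.UTF_8), presented.getBytes(StandardCharsets.UTF_8));
    }
}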
