package io.jenkins.plugins.tuleap_oauth;

import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkException;
import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.google.gson.Gson;
import com.google.inject.Guice;
import com.google.inject.Inject;
import com.google.inject.Module;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import hudson.Extension;
import hudson.Util;
import hudson.model.Descriptor;
import hudson.model.User;
import hudson.security.GroupDetails;
import hudson.security.SecurityRealm;
import hudson.security.UserMayOrMayNotExistException;
import hudson.tasks.Mailer;
import hudson.util.FormValidation;
import hudson.util.Secret;
import io.jenkins.plugins.tuleap_api.client.authentication.AccessToken;
import io.jenkins.plugins.tuleap_api.client.authentication.AccessTokenApi;
import io.jenkins.plugins.tuleap_api.client.authentication.OpenIDClientApi;
import io.jenkins.plugins.tuleap_api.client.authentication.UserInfo;
import io.jenkins.plugins.tuleap_oauth.checks.AccessTokenChecker;
import io.jenkins.plugins.tuleap_oauth.checks.AuthorizationCodeChecker;
import io.jenkins.plugins.tuleap_oauth.checks.IDTokenChecker;
import io.jenkins.plugins.tuleap_oauth.checks.UserInfoChecker;
import io.jenkins.plugins.tuleap_oauth.guice.TuleapOAuth2GuiceModule;
import io.jenkins.plugins.tuleap_oauth.helper.PluginHelper;
import io.jenkins.plugins.tuleap_oauth.helper.TuleapAuthorizationCodeUrlBuilder;
import io.jenkins.plugins.tuleap_oauth.helper.TuleapGroupHelper;
import io.jenkins.plugins.tuleap_oauth.helper.UserAuthoritiesRetriever;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.NoSuchAlgorithmException;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.http.HttpSession;
import jenkins.model.Jenkins;
import jenkins.security.SecurityListener;
import okhttp3.Response;
import okhttp3.ResponseBody;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.userdetails.UsernameNotFoundException;
import org.apache.commons.lang.StringUtils;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.HttpRedirect;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.verb.POST;

/* loaded from: input_file:WEB-INF/lib/tuleap-oauth.jar:io/jenkins/plugins/tuleap_oauth/TuleapSecurityRealm.class */
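/* loaded from: input_file:WEB-INF/lib/tuleap-oauth.jar:io/jenkins/plugins/tuleap_oauth/TuleapSecurityRealm.class */
/**
 * Jenkins {@link SecurityRealm} that signs users in through a Tuleap server using the
 * OAuth 2.0 authorization-code flow with PKCE ({@link #CODE_CHALLENGE_METHOD}) and an
 * OpenID Connect ID token.
 *
 * <p>Only {@link #clientId} and {@link #clientSecret} are administrator configuration.
 * Every other collaborator is provided by Guice, so each externally reachable entry
 * point calls {@link #injectInstances()} before touching them (the realm may have been
 * restored from persisted configuration without its injected members).
 */
public class TuleapSecurityRealm extends SecurityRealm {
    private static final Logger LOGGER = Logger.getLogger(TuleapSecurityRealm.class.getName());

    /** OAuth client id registered on Tuleap; validated as {@code tlp-client-id-<digits>} by the descriptor. */
    private String clientId;
    /** OAuth client secret, kept encrypted at rest through {@link Secret}. */
    private Secret clientSecret;

    private static final String LOGIN_URL = "securityRealm/commenceLogin";
    public static final String REDIRECT_URI = "securityRealm/finishLogin";
    /** Session attribute holding the PKCE code verifier; read back in {@link #doFinishLogin}. */
    public static final String CODE_VERIFIER_SESSION_ATTRIBUTE = "code_verifier";
    // Session attribute names shared with the authorization-code URL builder and the
    // request checkers (state, return URL, OIDC nonce).
    public static final String STATE_SESSION_ATTRIBUTE = "state";
    public static final String JENKINS_REDIRECT_URI_ATTRIBUTE = "redirect_uri";
    public static final String NONCE_ATTRIBUTE = "nonce";
    public static final String AUTHORIZATION_ENDPOINT = "oauth2/authorize?";
    public static final String SCOPES = "read:project read:user_membership openid profile email offline_access";
    /** PKCE code-challenge method sent to the authorization endpoint. */
    public static final String CODE_CHALLENGE_METHOD = "S256";

    // Guice-provided collaborators. NOTE(review): none of these is declared transient here;
    // confirm they are excluded from the XStream-persisted realm configuration.
    private AuthorizationCodeChecker authorizationCodeChecker;
    private PluginHelper pluginHelper;
    private AccessTokenChecker accessTokenChecker;
    private Gson gson;
    private IDTokenChecker IDTokenChecker;
    private UserInfoChecker userInfoChecker;
    private TuleapAuthorizationCodeUrlBuilder authorizationCodeUrlBuilder;
    private TuleapUserPropertyStorage tuleapUserPropertyStorage;
    private UserAuthoritiesRetriever userAuthoritiesRetriever;
    private AccessTokenApi accessTokenApi;
    private OpenIDClientApi openIDClientApi;
    private TuleapGroupHelper tuleapGroupHelper;

    @Extension
    /* loaded from: input_file:WEB-INF/lib/tuleap-oauth.jar:io/jenkins/plugins/tuleap_oauth/TuleapSecurityRealm$DescriptorImpl.class */
    public static final class DescriptorImpl extends Descriptor<SecurityRealm> {
        @Override
        public String getDisplayName() {
            return "Tuleap Authentication";
        }

        /**
         * Validates the configured Tuleap URI. Only HTTPS URLs pass, because the client
         * secret and the issued tokens travel over this connection.
         *
         * @param str the candidate Tuleap URI from the configuration form
         * @return {@link FormValidation#ok()} or an error carrying the localized message
         */
        @POST
        public FormValidation doCheckTuleapUri(@QueryParameter String str) {
            // A fresh injector per validation call: cheap enough for a form check, and it
            // avoids holding plugin state on the descriptor.
            PluginHelper helper = Guice.createInjector(new TuleapOAuth2GuiceModule()).getInstance(PluginHelper.class);
            return helper.isHttpsUrl(str)
                ? FormValidation.ok()
                : FormValidation.error(Messages.TuleapSecurityRealmDescriptor_CheckUrl());
        }

        /**
         * Validates the client id: it must be present and match {@code tlp-client-id-<digits>}.
         *
         * @param str the candidate client id from the configuration form
         * @return {@link FormValidation#ok()} or the localized error for the failing rule
         */
        @POST
        public FormValidation doCheckClientId(@QueryParameter String str) {
            if (StringUtils.isBlank(str)) {
                return FormValidation.error(Messages.TuleapSecurityRealmDescriptor_CheckClientIdEmpty());
            }
            if (!str.matches("^(tlp-client-id-)\\d+$")) {
                return FormValidation.error(Messages.TuleapSecurityRealmDescriptor_CheckClientIdFormat());
            }
            return FormValidation.ok();
        }

        @Override
        public String getHelpFile() {
            return "/plugin/tuleap-oauth/helpTuleapSecurityRealm/helpTuleapRealm/help.html";
        }
    }

    /**
     * Creates the realm from the configuration form.
     *
     * @param str  OAuth client id; blank values become {@code null}
     * @param str2 OAuth client secret in clear text; blank values become {@code null}
     */
    @DataBoundConstructor
    public TuleapSecurityRealm(String str, String str2) {
        this.clientId = Util.fixEmptyAndTrim(str);
        setClientSecret(Util.fixEmptyAndTrim(str2));
    }

    @Inject
    public void setOpenIDClientApi(OpenIDClientApi openIDClientApi) {
        this.openIDClientApi = openIDClientApi;
    }

    @Inject
    public void setAccessTokenApi(AccessTokenApi accessTokenApi) {
        this.accessTokenApi = accessTokenApi;
    }

    @Inject
    public void setAuthorizationCodeUrlBuilder(TuleapAuthorizationCodeUrlBuilder tuleapAuthorizationCodeUrlBuilder) {
        this.authorizationCodeUrlBuilder = tuleapAuthorizationCodeUrlBuilder;
    }

    @Inject
    public void setUserInfoChecker(UserInfoChecker userInfoChecker) {
        this.userInfoChecker = userInfoChecker;
    }

    @Inject
    public void setIDTokenChecker(IDTokenChecker iDTokenChecker) {
        this.IDTokenChecker = iDTokenChecker;
    }

    @Inject
    public void setGson(Gson gson) {
        this.gson = gson;
    }

    @Inject
    public void setAuthorizationCodeChecker(AuthorizationCodeChecker authorizationCodeChecker) {
        this.authorizationCodeChecker = authorizationCodeChecker;
    }

    @Inject
    public void setPluginHelper(PluginHelper pluginHelper) {
        this.pluginHelper = pluginHelper;
    }

    @Inject
    public void setAccessTokenChecker(AccessTokenChecker accessTokenChecker) {
        this.accessTokenChecker = accessTokenChecker;
    }

    @Inject
    public void setTuleapUserPropertyStorage(TuleapUserPropertyStorage tuleapUserPropertyStorage) {
        this.tuleapUserPropertyStorage = tuleapUserPropertyStorage;
    }

    @Inject
    public void setUserAuthoritiesRetriever(UserAuthoritiesRetriever userAuthoritiesRetriever) {
        this.userAuthoritiesRetriever = userAuthoritiesRetriever;
    }

    @Inject
    public void setTuleapGroupHelper(TuleapGroupHelper tuleapGroupHelper) {
        this.tuleapGroupHelper = tuleapGroupHelper;
    }

    /**
     * Lazily (re)injects the Guice collaborators. Any {@code null} member triggers a full
     * {@code injectMembers} pass; once every member is set this is a cheap no-op, so it is
     * safe to call at the start of every request-facing method.
     */
    private void injectInstances() {
        if (hasMissingCollaborator()) {
            Guice.createInjector(new TuleapOAuth2GuiceModule()).injectMembers(this);
        }
    }

    /** True when at least one injected collaborator has not been provided yet. */
    private boolean hasMissingCollaborator() {
        return this.pluginHelper == null
            || this.authorizationCodeChecker == null
            || this.accessTokenChecker == null
            || this.IDTokenChecker == null
            || this.gson == null
            || this.authorizationCodeUrlBuilder == null
            || this.accessTokenApi == null
            || this.openIDClientApi == null
            || this.tuleapUserPropertyStorage == null
            || this.userAuthoritiesRetriever == null
            || this.tuleapGroupHelper == null;
    }

    public String getClientId() {
        return this.clientId;
    }

    public Secret getClientSecret() {
        return this.clientSecret;
    }

    /**
     * Returns the configured Tuleap base URL, normalised to end with a slash so that the
     * endpoint constants can be appended directly.
     *
     * @return the Tuleap URL with a trailing slash, or the raw (possibly blank) value if blank
     */
    public String getTuleapUri() {
        // Public getter: make sure pluginHelper is available even when called outside the
        // login flow (e.g. from a view) after the realm was restored from configuration.
        injectInstances();
        String domainUrl = this.pluginHelper.getConfiguration().getDomainUrl();
        if (!StringUtils.isBlank(domainUrl) && !domainUrl.endsWith("/")) {
            domainUrl = domainUrl.concat("/");
        }
        return domainUrl;
    }

    private void setClientSecret(String str) {
        this.clientSecret = Secret.fromString(str);
    }

    private TuleapOAuthClientConfiguration buildTuleapOAuthClientConfiguration() {
        return new TuleapOAuthClientConfiguration(this.clientId, this.clientSecret);
    }

    /**
     * Resolves a Jenkins user name. Resolution is only possible in the context of an
     * authenticated Tuleap session, and only for users this realm has previously stored
     * (see {@link TuleapUserPropertyStorage}).
     *
     * @param str the user name to look up
     * @return user details for {@code str}
     * @throws UserMayOrMayNotExistException when there is no Tuleap authentication to query with
     * @throws UsernameNotFoundException     when the user is unknown to this realm
     */
    @Override
    public UserDetails loadUserByUsername(String str) {
        injectInstances();
        Authentication currentUserAuthenticationToken = this.pluginHelper.getCurrentUserAuthenticationToken();
        if (currentUserAuthenticationToken == null) {
            throw new UserMayOrMayNotExistException("No access token found for user " + str);
        }
        if (!(currentUserAuthenticationToken instanceof TuleapAuthenticationToken)) {
            throw new UserMayOrMayNotExistException("Unknown token type for user " + str);
        }
        User user = this.pluginHelper.getUser(str);
        if (user == null || !this.tuleapUserPropertyStorage.has(user)) {
            throw new UsernameNotFoundException("Could not find user " + str + " for Tuleap");
        }
        return new TuleapUserDetails(str);
    }

    /**
     * Resolves a group name against the Tuleap server using the current user's token.
     *
     * <p>The token is held as {@link Authentication} and only narrowed after the
     * {@code instanceof} check, so a foreign token type yields
     * {@link UserMayOrMayNotExistException} rather than a {@link ClassCastException}.
     *
     * @param str the group name to look up
     * @return group details for {@code str}
     * @throws UsernameNotFoundException     when the name is not in Tuleap format or the group does not exist
     * @throws UserMayOrMayNotExistException when there is no Tuleap authentication to query with
     */
    @Override
    public GroupDetails loadGroupByGroupname(String str) {
        injectInstances();
        if (!this.tuleapGroupHelper.groupNameIsInTuleapFormat(str).booleanValue()) {
            throw new UsernameNotFoundException("Not a Tuleap Group");
        }
        Authentication currentAuthentication = this.pluginHelper.getCurrentUserAuthenticationToken();
        if (currentAuthentication == null) {
            throw new UserMayOrMayNotExistException("No access token found for user");
        }
        if (!(currentAuthentication instanceof TuleapAuthenticationToken)) {
            throw new UserMayOrMayNotExistException("Unknown token type for user");
        }
        TuleapAuthenticationToken tuleapToken = (TuleapAuthenticationToken) currentAuthentication;
        boolean exists = this.tuleapGroupHelper
            .groupExistsOnTuleapServer(str, tuleapToken, buildTuleapOAuthClientConfiguration())
            .booleanValue();
        if (exists) {
            return new TuleapGroupDetails(str);
        }
        throw new UsernameNotFoundException("Could not find group " + str + " for Tuleap");
    }

    /**
     * Builds the security components. The only accepted authentication is a
     * {@link TuleapAuthenticationToken} produced by {@link #doFinishLogin}; anything else is
     * rejected with {@link BadCredentialsException}.
     */
    @Override
    public SecurityRealm.SecurityComponents createSecurityComponents() {
        AuthenticationManager manager = authentication -> {
            if (authentication instanceof TuleapAuthenticationToken) {
                return authentication;
            }
            throw new BadCredentialsException("Unexpected authentication type: " + authentication);
        };
        return new SecurityRealm.SecurityComponents(manager);
    }

    @Override
    public String getLoginUrl() {
        return LOGIN_URL;
    }

    /**
     * Chooses where to send the browser after logout: the default Jenkins page when anonymous
     * users may read it, otherwise the plugin's own logout page.
     */
    @Override
    protected String getPostLogOutUrl(StaplerRequest staplerRequest, Authentication authentication) {
        injectInstances();
        authentication.setAuthenticated(false);
        if (getJenkinsInstance().hasPermission(Jenkins.READ)) {
            return super.getPostLogOutUrl(staplerRequest, authentication);
        }
        return staplerRequest.getContextPath() + "/tuleapLogout";
    }

    /**
     * First leg of the login: redirects the browser to the Tuleap authorization endpoint.
     * The URL builder also stores the per-login session attributes (code verifier and the
     * other {@code *_ATTRIBUTE} names above) that {@link #doFinishLogin} checks against.
     *
     * @param staplerRequest the incoming login request
     * @return a redirect to the Tuleap authorization URL
     */
    public HttpResponse doCommenceLogin(StaplerRequest staplerRequest) throws UnsupportedEncodingException, NoSuchAlgorithmException {
        injectInstances();
        String authorizationUrl = this.authorizationCodeUrlBuilder
            .buildRedirectUrlAndStoreSessionAttribute(staplerRequest, getTuleapUri(), this.clientId);
        return new HttpRedirect(authorizationUrl);
    }

    /**
     * Second leg of the login: handles the callback from Tuleap. The callback request, the
     * token response, the ID token (signature and payload) and the userinfo response are each
     * checked in turn; any failure sends the browser to the authentication error page
     * without establishing a session.
     *
     * <p>This is a directly reachable endpoint, so it re-injects its collaborators like the
     * other entry points instead of assuming {@link #doCommenceLogin} ran first in this JVM.
     *
     * @param staplerRequest  the callback request carrying {@code code} and the session
     * @param staplerResponse unused; part of the Stapler signature
     * @return a redirect to the context root on success, or to the error page otherwise
     */
    @SuppressFBWarnings({"NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE"})
    public HttpResponse doFinishLogin(StaplerRequest staplerRequest, StaplerResponse staplerResponse) throws IOException, JwkException, ServletException {
        injectInstances();
        if (!this.authorizationCodeChecker.checkAuthorizationCode(staplerRequest)) {
            return redirectToAuthenticationError();
        }
        String codeVerifier = (String) staplerRequest.getSession().getAttribute(CODE_VERIFIER_SESSION_ATTRIBUTE);
        AccessToken accessToken = this.accessTokenApi.getAccessToken(
            codeVerifier, staplerRequest.getParameter("code"), this.clientId, this.clientSecret);
        if (!this.accessTokenChecker.checkResponseBody(accessToken)) {
            return redirectToAuthenticationError();
        }
        List<Jwk> signingKeys = this.openIDClientApi.getSigningKeys();
        DecodedJWT idToken = JWT.decode(accessToken.getIdToken());
        // Signature and claim validation happens here; the checker is expected to throw on
        // failure, which is why there is no boolean branch for it.
        this.IDTokenChecker.checkPayloadAndSignature(idToken, signingKeys, getTuleapUri(), this.clientId, staplerRequest);
        UserInfo userInfo = this.openIDClientApi.getUserInfo(accessToken);
        if (!this.userInfoChecker.checkUserInfoResponseBody(userInfo, idToken)) {
            return redirectToAuthenticationError();
        }
        authenticateAsTuleapUser(staplerRequest, userInfo, accessToken);
        return HttpResponses.redirectToContextRoot();
    }

    /** Single place for the "login failed" redirect used by every check in {@link #doFinishLogin}. */
    private HttpResponse redirectToAuthenticationError() {
        return HttpResponses.redirectTo(
            getJenkinsInstance().getRootUrl() + TuleapAuthenticationErrorAction.REDIRECT_ON_AUTHENTICATION_ERROR);
    }

    /**
     * Extracts the body of a successful response, logging and returning {@code null}
     * otherwise. Not referenced from this class; kept for compatibility.
     *
     * @return the body when the response was successful and had one, else {@code null}
     */
    private ResponseBody getResponseBody(Response response) throws IOException {
        ResponseBody body = response.body();
        if (body == null) {
            LOGGER.log(Level.WARNING, "An error occurred");
            return null;
        }
        if (response.isSuccessful()) {
            return body;
        }
        // string() consumes (and closes) the body; it is only read for the log line.
        LOGGER.log(Level.WARNING, body.string());
        return null;
    }

    private Jenkins getJenkinsInstance() {
        return this.pluginHelper.getJenkinsInstance();
    }

    /**
     * Establishes the Jenkins session for a user whose Tuleap identity has been verified.
     * The existing HTTP session is invalidated and a new one created before the
     * authentication is stored, so a session id chosen before login is never promoted to an
     * authenticated one.
     *
     * @param staplerRequest the callback request
     * @param userInfo       verified userinfo response (username, display name, email)
     * @param accessToken    token kept on the authentication for later API calls
     * @throws UsernameNotFoundException when Jenkins cannot resolve the current user after authentication
     */
    private void authenticateAsTuleapUser(StaplerRequest staplerRequest, UserInfo userInfo, AccessToken accessToken) throws IOException {
        TuleapUserDetails tuleapUserDetails = new TuleapUserDetails(userInfo.getUsername());
        tuleapUserDetails.addAuthority(SecurityRealm.AUTHENTICATED_AUTHORITY);
        List<GrantedAuthority> tuleapAuthorities = this.userAuthoritiesRetriever.getAuthoritiesForUser(accessToken);
        tuleapAuthorities.forEach(tuleapUserDetails::addTuleapAuthority);
        TuleapAuthenticationToken tuleapAuthenticationToken = new TuleapAuthenticationToken(tuleapUserDetails, accessToken);

        // Rotate the session before storing the principal.
        HttpSession existingSession = staplerRequest.getSession(false);
        if (existingSession != null) {
            existingSession.invalidate();
        }
        staplerRequest.getSession(true);
        SecurityContextHolder.getContext().setAuthentication(tuleapAuthenticationToken);

        User current = User.current();
        if (current == null) {
            throw new UsernameNotFoundException("User not found");
        }
        current.setFullName(userInfo.getName());
        // Do not overwrite an address the user configured themselves in Jenkins.
        if (!current.getProperty(Mailer.UserProperty.class).hasExplicitlyConfiguredAddress()) {
            current.addProperty(new Mailer.UserProperty(userInfo.getEmail()));
        }
        this.tuleapUserPropertyStorage.save(current);
        SecurityListener.fireAuthenticated(tuleapUserDetails);
    }
}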
