package io.jenkins.plugins.venafivcert;

import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.venafi.vcert.sdk.Config;
import com.venafi.vcert.sdk.VCertClient;
import com.venafi.vcert.sdk.VCertException;
import com.venafi.vcert.sdk.certificate.CertificateRequest;
import com.venafi.vcert.sdk.certificate.KeyType;
import com.venafi.vcert.sdk.certificate.PEMCollection;
import com.venafi.vcert.sdk.connectors.ZoneConfiguration;
import com.venafi.vcert.sdk.endpoint.Authentication;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import hudson.AbortException;
import hudson.Extension;
import hudson.FilePath;
import hudson.Launcher;
import hudson.Util;
import hudson.model.AbstractProject;
import hudson.model.Run;
import hudson.model.TaskListener;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import hudson.util.Secret;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.ZoneId;
import java.time.ZonedDateTime;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import jenkins.tasks.SimpleBuildStep;
import org.jenkinsci.Symbol;
import org.jenkinsci.plugins.plaincredentials.StringCredentials;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;

/* loaded from: input_file:WEB-INF/lib/venafi-vcert.jar:io/jenkins/plugins/venafivcert/CertRequestBuilder.class */
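/**
 * Jenkins build step that requests a certificate through the Venafi VCert SDK and writes the
 * private key, the certificate and the certificate chain into the build workspace.
 *
 * <p>Security-relevant behaviour of this class:
 * <ul>
 *   <li>The private key file is restricted to owner read/write (mode 0600) before any key
 *       material is written to it. No key password is set on the request in this class, so the
 *       key is presumably stored unencrypted; keep it out of archived artifacts and clean the
 *       workspace accordingly.</li>
 *   <li>Connector credentials are looked up by ID at build time, recorded against the run with
 *       {@link CredentialsProvider#track}, and converted to plain strings only to hand them to
 *       the SDK. They are never logged here.</li>
 *   <li>Output paths are resolved with {@link FilePath#child(String)} relative to the workspace.
 *       NOTE(review): this class does not itself verify that the resolved paths stay inside the
 *       workspace; confirm whether absolute or {@code ..} paths should be rejected.</li>
 * </ul>
 */
public class CertRequestBuilder extends Builder implements SimpleBuildStep {
    private final String connectorName;
    private final String zoneConfigName;
    private final String commonName;
    private final String privKeyOutput;
    private final String certOutput;
    private final String certChainOutput;

    @SuppressFBWarnings({"UUF_UNUSED_FIELD"})
    private KeyType keyType;

    @SuppressFBWarnings({"UUF_UNUSED_FIELD"})
    private List<DnsName> dnsNames;

    @SuppressFBWarnings({"UUF_UNUSED_FIELD"})
    private List<IpAddress> ipAddresses;

    @SuppressFBWarnings({"UUF_UNUSED_FIELD"})
    private List<EmailAddress> emailAddresses;

    @SuppressFBWarnings({"UUF_UNUSED_FIELD"})
    private String organization;

    @SuppressFBWarnings({"UUF_UNUSED_FIELD"})
    private String organizationalUnit;

    @SuppressFBWarnings({"UUF_UNUSED_FIELD"})
    private String locality;

    @SuppressFBWarnings({"UUF_UNUSED_FIELD"})
    private String province;

    @SuppressFBWarnings({"UUF_UNUSED_FIELD"})
    private String country;

    // Hours before the previous certificate's expiry within which a new one is requested;
    // 0 means "always request" (see withinExpirationWindow).
    @SuppressFBWarnings({"UUF_UNUSED_FIELD"})
    private int expirationWindow;

    /**
     * Descriptor that registers the step under the {@code venafiVcertRequestCertificate} symbol
     * and serves the form-fill and form-validation endpoints of its configuration UI.
     *
     * <p>The {@code doCheck*} parameters are named {@code value} because Stapler binds an
     * unnamed {@code @QueryParameter} by parameter name and Jenkins form validation submits the
     * field content under that name.
     */
    @Extension
    @Symbol({"venafiVcertRequestCertificate"})
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {
        /** Makes the step available to every project type. */
        public boolean isApplicable(Class<? extends AbstractProject> cls) {
            return true;
        }

        public String getDisplayName() {
            return Messages.CertRequestBuilder_displayName();
        }

        /**
         * Lists the names of all globally configured connectors for the drop-down.
         *
         * <p>NOTE(review): no permission check is performed in this method, so the connector
         * names are returned to whoever can reach this endpoint; confirm that is acceptable.
         */
        public ListBoxModel doFillConnectorNameItems() {
            ListBoxModel items = new ListBoxModel();
            for (ConnectorConfig connectorConfig : PluginConfig.get().getConnectorConfigs()) {
                items.add(connectorConfig.getName(), connectorConfig.getName());
            }
            return items;
        }

        public FormValidation doCheckConnectorName(@QueryParameter String value) {
            return FormValidation.validateRequired(value);
        }

        public FormValidation doCheckZoneConfigName(@QueryParameter String value) {
            return FormValidation.validateRequired(value);
        }

        public FormValidation doCheckCommonName(@QueryParameter String value) {
            return FormValidation.validateRequired(value);
        }

        public FormValidation doCheckPrivKeyOutput(@QueryParameter String value) {
            return FormValidation.validateRequired(value);
        }

        public FormValidation doCheckCertOutput(@QueryParameter String value) {
            return FormValidation.validateRequired(value);
        }

        public FormValidation doCheckCertChainOutput(@QueryParameter String value) {
            return FormValidation.validateRequired(value);
        }

        /**
         * Accepts an empty value or a non-negative integer.
         *
         * <p>The trimmed text is parsed, so input with surrounding whitespace is judged the
         * same way as the emptiness check judges it.
         */
        public FormValidation doCheckExpirationWindow(@QueryParameter String value) {
            String trimmed = Util.fixEmptyAndTrim(value);
            if (trimmed == null) {
                return FormValidation.ok();
            }
            try {
                if (Integer.parseInt(trimmed) < 0) {
                    return FormValidation.error(Messages.CertRequestBuilder_atLeastZeroNumberRequired());
                }
                return FormValidation.ok();
            } catch (NumberFormatException e) {
                return FormValidation.error(Messages.CertRequestBuilder_invalidNumber());
            }
        }
    }

    /**
     * Creates the step with its mandatory settings.
     *
     * <p>Stapler matches the parameters of a {@code @DataBoundConstructor} to configuration keys
     * by name, so each parameter carries the name of the field it populates.
     *
     * @param connectorName name of the globally configured connector to use
     * @param zoneConfigName name of the zone configuration passed to the SDK
     * @param commonName subject common name of the requested certificate
     * @param privKeyOutput workspace-relative path the private key is written to
     * @param certOutput workspace-relative path the certificate is written to
     * @param certChainOutput workspace-relative path the certificate chain is written to
     */
    @DataBoundConstructor
    public CertRequestBuilder(String connectorName, String zoneConfigName, String commonName, String privKeyOutput, String certOutput, String certChainOutput) {
        this.connectorName = connectorName;
        this.zoneConfigName = zoneConfigName;
        this.commonName = commonName;
        this.privKeyOutput = privKeyOutput;
        this.certOutput = certOutput;
        this.certChainOutput = certChainOutput;
    }

    public String getConnectorName() {
        return this.connectorName;
    }

    public String getZoneConfigName() {
        return this.zoneConfigName;
    }

    public KeyType getKeyType() {
        return this.keyType;
    }

    @DataBoundSetter
    public void setKeyType(KeyType keyType) {
        this.keyType = keyType;
    }

    /** Returns the configured DNS SANs, or an empty list when none were set. */
    public List<DnsName> getDnsNames() {
        return this.dnsNames == null ? Collections.emptyList() : this.dnsNames;
    }

    @DataBoundSetter
    public void setDnsNames(List<DnsName> list) {
        this.dnsNames = list;
    }

    /** Returns the configured IP SANs, or an empty list when none were set. */
    public List<IpAddress> getIpAddresses() {
        return this.ipAddresses == null ? Collections.emptyList() : this.ipAddresses;
    }

    @DataBoundSetter
    public void setIpAddresses(List<IpAddress> list) {
        this.ipAddresses = list;
    }

    /** Returns the configured e-mail SANs, or an empty list when none were set. */
    public List<EmailAddress> getEmailAddresses() {
        return this.emailAddresses == null ? Collections.emptyList() : this.emailAddresses;
    }

    @DataBoundSetter
    public void setEmailAddresses(List<EmailAddress> list) {
        this.emailAddresses = list;
    }

    public String getCommonName() {
        return this.commonName;
    }

    public int getExpirationWindow() {
        return this.expirationWindow;
    }

    @DataBoundSetter
    public void setExpirationWindow(int i) {
        this.expirationWindow = i;
    }

    public String getOrganization() {
        return this.organization;
    }

    @DataBoundSetter
    public void setOrganization(String str) {
        this.organization = str;
    }

    public String getOrganizationalUnit() {
        return this.organizationalUnit;
    }

    @DataBoundSetter
    public void setOrganizationalUnit(String str) {
        this.organizationalUnit = str;
    }

    public String getLocality() {
        return this.locality;
    }

    @DataBoundSetter
    public void setLocality(String str) {
        this.locality = str;
    }

    public String getProvince() {
        return this.province;
    }

    @DataBoundSetter
    public void setProvince(String str) {
        this.province = str;
    }

    public String getCountry() {
        return this.country;
    }

    @DataBoundSetter
    public void setCountry(String str) {
        this.country = str;
    }

    public String getPrivKeyOutput() {
        return this.privKeyOutput;
    }

    public String getCertOutput() {
        return this.certOutput;
    }

    public String getCertChainOutput() {
        return this.certChainOutput;
    }

    /**
     * Requests a certificate and writes key, certificate and chain into the workspace, unless an
     * expiration window is configured and the previously issued certificate is not yet inside it.
     *
     * <p>Only a failure to read the previous certificate is reported with the "Error reading
     * existing certificate's value" prefix. Failures of the later stages keep the specific
     * message of the stage that failed instead of being re-wrapped under that prefix.
     *
     * @throws AbortException if the previous certificate cannot be read or any stage of the
     *     request fails
     * @throws IOException if writing the output files fails
     * @throws InterruptedException if the build is interrupted
     */
    public void perform(@Nonnull Run<?, ?> run, @Nonnull FilePath filePath, @Nonnull Launcher launcher, @Nonnull TaskListener taskListener) throws InterruptedException, IOException {
        Logger logger = new Logger(taskListener.getLogger(), Messages.CertRequestBuilder_functionName());

        ZonedDateTime prevCertExpirationTime;
        try {
            prevCertExpirationTime = getPrevCertExpirationTime(filePath);
        } catch (CertificateException | IOException | RuntimeException e) {
            throw abortWithCause("Error reading existing certificate's value: " + e.getMessage(), e);
        }

        if (!withinExpirationWindow(logger, prevCertExpirationTime)) {
            logger.log("Previous certificate's expiry time (%s) is not within the expiration window of %d hours. Not requesting a certificate.", prevCertExpirationTime, getExpirationWindow());
            return;
        }

        ConnectorConfig connectorConfig = getConnectorConfig();
        VCertClient client = createClient(run, connectorConfig);
        ZoneConfiguration zoneConfig = readZoneConfig(client);

        CertificateRequest certificateRequest = new CertificateRequest();
        certificateRequest
            .keyType(getKeyType())
            .dnsNames(getDnsNamesAsStrings())
            .ipAddresses(getIpAddressesAsInetAddresses())
            .emailAddresses(getEmailAddressesAsStrings());
        // NOTE(review): an unset optional subject field reaches the SDK as a one-element list
        // holding null; confirm the SDK treats that the same as an absent attribute.
        certificateRequest.subject(new CertificateRequest.PKIXName()
            .commonName(getCommonName())
            .organization(Arrays.asList(getOrganization()))
            .organizationalUnit(Arrays.asList(getOrganizationalUnit()))
            .country(Arrays.asList(getCountry()))
            .locality(Arrays.asList(getLocality()))
            .province(Arrays.asList(getProvince())));

        CertificateRequest submitted = requestCertificate(connectorConfig, client, zoneConfig, certificateRequest);
        PEMCollection pems = retrieveCertificate(connectorConfig, client, submitted);
        writeOutputFiles(filePath, pems);
    }

    /**
     * Decides whether a new certificate should be requested.
     *
     * @param zonedDateTime expiry of the previous certificate, or {@code null} if there is none
     * @return {@code true} when no window is configured, when no previous certificate exists, or
     *     when the current time is later than the expiry minus the window
     * @throws AbortException if the configured window is negative
     */
    private boolean withinExpirationWindow(Logger logger, ZonedDateTime zonedDateTime) throws AbortException {
        if (this.expirationWindow == 0) {
            return true;
        }
        if (this.expirationWindow < 0) {
            throw new AbortException("expirationWindow may not be a negative number");
        }
        if (zonedDateTime == null) {
            logger.log("An expirationWindow is configured, but the previous certificate (%s) does not exist. Will proceed with requesting a new certificate.", getCertOutput());
            return true;
        }
        ZonedDateTime windowStart = zonedDateTime.minusHours(this.expirationWindow);
        boolean insideWindow = ZonedDateTime.now().isAfter(windowStart);
        if (insideWindow) {
            logger.log("Previous certificate's expiry time (%s) is within the expiration window of %d hours. Will proceed with requesting a certificate.", zonedDateTime, getExpirationWindow());
        }
        return insideWindow;
    }

    /**
     * Reads the notAfter time of the certificate currently stored at the certificate output path.
     *
     * <p>The file is only parsed; its signature and chain are not verified here. That is
     * sufficient for the single use made of it, which is deciding whether to renew.
     *
     * @return the expiry in the system default zone, or {@code null} if the file does not exist
     */
    private ZonedDateTime getPrevCertExpirationTime(FilePath filePath) throws IOException, InterruptedException, CertificateException {
        FilePath prevCertFile = filePath.child(getCertOutput());
        if (!prevCertFile.exists()) {
            return null;
        }
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        try (InputStream in = prevCertFile.read()) {
            X509Certificate prevCert = (X509Certificate) certificateFactory.generateCertificate(in);
            return ZonedDateTime.ofInstant(prevCert.getNotAfter().toInstant(), ZoneId.systemDefault());
        }
    }

    private List<String> getDnsNamesAsStrings() {
        return getDnsNames().stream()
            .map(dnsName -> dnsName.getHostName())
            .collect(Collectors.toList());
    }

    private List<String> getEmailAddressesAsStrings() {
        return getEmailAddresses().stream()
            .map(emailAddress -> emailAddress.getAddress())
            .collect(Collectors.toList());
    }

    /**
     * Converts the configured IP SAN entries to {@link InetAddress} objects.
     *
     * <p>NOTE(review): {@link InetAddress#getByName} performs a name lookup when given a host
     * name instead of an address literal, so a host name entered here would put whatever address
     * the resolver returns into the certificate request. Confirm the entries are validated as
     * literals where they are configured.
     *
     * @throws AbortException if an entry cannot be resolved
     */
    private Collection<InetAddress> getIpAddressesAsInetAddresses() throws AbortException {
        try {
            List<InetAddress> addresses = new ArrayList<>();
            for (IpAddress ipAddress : getIpAddresses()) {
                addresses.add(InetAddress.getByName(ipAddress.getAddress()));
            }
            return addresses;
        } catch (UnknownHostException e) {
            throw abortWithCause("Error resolving one of the provided IP addresses: " + e.getMessage(), e);
        }
    }

    /** Builds the SDK configuration; the base URL is only set for TLS Protect connectors. */
    private Config createSdkConfig(ConnectorConfig connectorConfig) {
        Config.ConfigBuilder builder = Config.builder();
        builder.connectorType(connectorConfig.getType().getVCertConnectorType());
        builder.appInfo(Messages.apiVendorAndProductName());
        if (connectorConfig.getType() == ConnectorType.TLS_PROTECT) {
            builder.baseUrl(connectorConfig.getTppBaseUrl());
        }
        return builder.build();
    }

    /**
     * Looks up the connector's credentials and turns them into an SDK authentication object.
     *
     * <p>The secrets are decrypted to plain strings because the SDK builder takes strings; the
     * returned object therefore holds them in clear text and must not be logged.
     *
     * @throws AbortException if the configured credentials cannot be found
     */
    private Authentication createSdkAuthObject(Run<?, ?> run, ConnectorConfig connectorConfig) throws AbortException {
        if (connectorConfig.getType() == ConnectorType.TLS_PROTECT) {
            StandardUsernamePasswordCredentials tppCredentials = Utils.findCredentials(StandardUsernamePasswordCredentials.class, connectorConfig.getTppCredentialsId(), null);
            // Defensive: a failed lookup would otherwise surface as a NullPointerException.
            if (tppCredentials == null) {
                throw new AbortException("No credentials with ID '" + connectorConfig.getTppCredentialsId() + "' found");
            }
            // Record the credential use against this run for Jenkins' usage tracking.
            CredentialsProvider.track(run, tppCredentials);
            return Authentication.builder()
                .user(tppCredentials.getUsername())
                .password(Secret.toString(tppCredentials.getPassword()))
                .build();
        }

        assert connectorConfig.getType() == ConnectorType.DEVOPS_ACCELERATE;

        StringCredentials cloudCredentials = Utils.findCredentials(StringCredentials.class, connectorConfig.getCloudCredentialsId(), null);
        if (cloudCredentials == null) {
            throw new AbortException("No credentials with ID '" + connectorConfig.getCloudCredentialsId() + "' found");
        }
        CredentialsProvider.track(run, cloudCredentials);
        return Authentication.builder()
            .apiKey(Secret.toString(cloudCredentials.getSecret()))
            .build();
    }

    /**
     * Resolves the connector configuration named by this step.
     *
     * @throws AbortException if no connector with that name is configured
     */
    private ConnectorConfig getConnectorConfig() throws AbortException {
        ConnectorConfig connectorConfig = PluginConfig.get().getConnectorConfigByName(getConnectorName());
        if (connectorConfig == null) {
            throw new AbortException("No Venafi VCert connector configuration with name '" + getConnectorName() + "' found");
        }
        return connectorConfig;
    }

    /**
     * Creates an SDK client for the connector and authenticates it.
     *
     * @throws AbortException if credentials are missing, or client creation or authentication fails
     */
    private VCertClient createClient(Run<?, ?> run, ConnectorConfig connectorConfig) throws AbortException {
        Config sdkConfig = createSdkConfig(connectorConfig);
        Authentication sdkAuth = createSdkAuthObject(run, connectorConfig);

        VCertClient client;
        try {
            client = new VCertClient(sdkConfig);
        } catch (VCertException e) {
            throw abortWithCause("Error creating VCert client: " + e.getMessage(), e);
        }
        try {
            client.authenticate(sdkAuth);
        } catch (VCertException e) {
            throw abortWithCause("Error authenticating VCert: " + e.getMessage(), e);
        }
        return client;
    }

    private ZoneConfiguration readZoneConfig(VCertClient vCertClient) throws AbortException {
        try {
            return vCertClient.readZoneConfiguration(getZoneConfigName());
        } catch (VCertException e) {
            throw abortWithCause("Error reading VCert zone configuration: " + e, e);
        }
    }

    /**
     * Generates the request from the zone configuration and submits it.
     *
     * @return the generated request, which is later used to retrieve the certificate
     * @throws AbortException if generating or submitting the request fails
     */
    private CertificateRequest requestCertificate(ConnectorConfig connectorConfig, VCertClient vCertClient, ZoneConfiguration zoneConfiguration, CertificateRequest certificateRequest) throws AbortException {
        CertificateRequest generated;
        try {
            generated = vCertClient.generateRequest(zoneConfiguration, certificateRequest);
        } catch (VCertException e) {
            throw abortWithCause("Error generating certificate request: " + e.getMessage(), e);
        }
        try {
            vCertClient.requestCertificate(generated, zoneConfiguration);
        } catch (VCertException e) {
            throw abortWithCause("Error requesting certificate from VCert " + connectorConfig.getType() + ": " + e.getMessage(), e);
        }
        return generated;
    }

    private PEMCollection retrieveCertificate(ConnectorConfig connectorConfig, VCertClient vCertClient, CertificateRequest certificateRequest) throws AbortException {
        try {
            return vCertClient.retrieveCertificate(certificateRequest);
        } catch (VCertException e) {
            throw abortWithCause("Error retrieving certificate from VCert " + connectorConfig.getType() + ": " + e.getMessage(), e);
        }
    }

    /**
     * Writes the private key, certificate and chain to their configured workspace paths.
     *
     * <p>The key file is created (or truncated) empty and restricted to mode 0600 before the key
     * is written. Restricting it only after the write would leave the key readable under the
     * default file mode for a short time, and under an existing file's wider mode when
     * overwriting.
     */
    private void writeOutputFiles(FilePath filePath, PEMCollection pEMCollection) throws InterruptedException, IOException {
        FilePath privKeyFile = filePath.child(getPrivKeyOutput());
        privKeyFile.write("", "UTF-8");
        privKeyFile.chmod(0600);
        privKeyFile.write(pEMCollection.pemPrivateKey(), "UTF-8");
        // Re-applied in case the write replaced the file rather than rewriting it in place.
        privKeyFile.chmod(0600);

        filePath.child(getCertOutput()).write(pEMCollection.pemCertificate(), "UTF-8");
        filePath.child(getCertChainOutput()).write(pEMCollection.pemCertificateChain(), "UTF-8");
    }

    /** Creates an {@link AbortException} carrying {@code message} that keeps {@code cause} attached. */
    private static AbortException abortWithCause(String message, Throwable cause) {
        AbortException abort = new AbortException(message);
        abort.initCause(cause);
        return abort;
    }
}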
