package org.jenkinsci.plugins.cas;

import hudson.Extension;
import hudson.Util;
import hudson.model.Descriptor;
import hudson.security.ChainedServletFilter2;
import hudson.security.SecurityRealm;
import hudson.util.FormValidation;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpSession;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLEncoder;
import jenkins.model.Jenkins;
import jenkins.security.SecurityListener;
import org.apache.commons.lang.StringUtils;
import org.apereo.cas.client.session.SessionMappingStorage;
import org.apereo.cas.client.util.CommonUtils;
import org.jenkinsci.plugins.cas.spring.CasConfigurationContext;
import org.jenkinsci.plugins.cas.spring.security.CasRestAuthenticator;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest2;
import org.kohsuke.stapler.StaplerResponse2;
import org.kohsuke.stapler.interceptor.RequirePOST;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.config.BeanDefinitionCustomizer;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.authentication.CasAuthenticationToken;
import org.springframework.security.cas.web.CasAuthenticationEntryPoint;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.util.UrlUtils;

/* loaded from: input_file:org/jenkinsci/plugins/cas/CasSecurityRealm.class */
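/**
 * Jenkins {@link SecurityRealm} that delegates interactive login to a CAS server and,
 * when {@link #enableRestApi} is set, validates username/password credentials through
 * {@link CasRestAuthenticator}.
 *
 * <p>The Spring beans used here (CAS filter chain, entry point, session mapping storage)
 * are looked up from a context built from {@link CasConfigurationContext}; their wiring
 * is not visible in this class.
 *
 * <p>NOTE(review): parameter names such as {@code str} and {@code bool} look
 * decompiler-generated. Stapler binds {@code @QueryParameter} and
 * {@code @DataBoundConstructor} arguments by name, so confirm them against the original
 * source before relying on this listing.
 */
public class CasSecurityRealm extends SecurityRealm {
    public static final String DEFAULT_COMMENCE_LOGIN_URL = "securityRealm/commenceLogin";
    public static final String DEFAULT_FINISH_LOGIN_URL = "securityRealm/finishLogin";
    public static final String DEFAULT_FAILED_LOGIN_URL = "securityRealm/failedLogin";
    private static final Logger LOG = LoggerFactory.getLogger(CasSecurityRealm.class);

    /** Base URL of the CAS server; the constructor normalises it to end with exactly one slash. */
    public final String casServerUrl;
    /** Protocol implementation, exposed as a bean to the Spring context. */
    public final CasProtocol casProtocol;
    /** Not read in this class; presumably consumed by the Spring configuration (confirm). */
    public final Boolean forceRenewal;
    /** Not read in this class; presumably consumed by the Spring configuration (confirm). */
    public final Boolean enableSingleSignOut;
    /** When {@code TRUE}, username/password tokens are authenticated through the CAS REST API. */
    public final Boolean enableRestApi;
    /** When {@code TRUE}, logout redirects the browser to the CAS server's logout endpoint. */
    public final Boolean enableLogoutRedirect;
    /** Lazily created Spring context; transient, so it is rebuilt after the realm is reloaded. */
    private transient ApplicationContext applicationContext;

    /** Descriptor providing the display name and form validation for the realm. */
    @Extension
    public static final class DescriptorImpl extends Descriptor<SecurityRealm> {
        public String getDisplayName() {
            return "CAS (Central Authentication Service)";
        }

        /**
         * Validates the CAS server URL by fetching its {@code /login} page.
         *
         * <p>This makes the Jenkins controller issue an outbound request to a
         * caller-supplied URL, so the ADMINISTER permission check runs before anything
         * else and the endpoint only accepts POST.
         *
         * @param str the URL entered in the configuration form
         * @return ok, a warning when the response does not contain {@code "username"},
         *         or an error describing why the URL could not be used
         */
        @RequirePOST
        public FormValidation doCheckCasServerUrl(@QueryParameter String str) throws IOException, ServletException {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            String candidate = Util.fixEmptyAndTrim(str);
            if (candidate == null) {
                return FormValidation.error(Messages.CasSecurityRealm_casServerUrl_missingUrl());
            }
            try {
                URL loginUrl = new URL(StringUtils.stripEnd(candidate, "/") + "/login");
                String response = CommonUtils.getResponseFromServer(loginUrl, "UTF-8");
                // Heuristic only: a page mentioning "username" is taken to be a CAS login form.
                if (!response.contains("username")) {
                    return FormValidation.warning(Messages.CasSecurityRealm_casServerUrl_invalidResponse());
                }
                return FormValidation.ok();
            } catch (RuntimeException e) {
                // The cause (or the exception itself) is echoed to the administrator in the form.
                return FormValidation.error(Messages.CasSecurityRealm_casServerUrl_cannotGetResponse() + ": " + (e.getCause() == null ? e : e.getCause()));
            } catch (MalformedURLException e2) {
                return FormValidation.error(Messages.CasSecurityRealm_casServerUrl_malformedUrl() + ": " + e2.getMessage());
            }
        }
    }

    /**
     * @deprecated use the six-argument constructor; this one disables the REST API.
     */
    @Deprecated
    public CasSecurityRealm(String str, CasProtocol casProtocol, Boolean bool, Boolean bool2) {
        this(str, casProtocol, bool, bool2, false);
    }

    /**
     * @deprecated use the six-argument constructor; this one enables the logout redirect.
     */
    @Deprecated
    public CasSecurityRealm(String str, CasProtocol casProtocol, Boolean bool, Boolean bool2, Boolean bool3) {
        this(str, casProtocol, bool, bool2, bool3, true);
    }

    /**
     * Creates the realm from the configuration form.
     *
     * @param str CAS server URL; trailing slashes are stripped and a single one appended
     * @param casProtocol protocol implementation
     * @param bool value for {@link #forceRenewal}
     * @param bool2 value for {@link #enableSingleSignOut}
     * @param bool3 value for {@link #enableRestApi}
     * @param bool4 value for {@link #enableLogoutRedirect}
     */
    @DataBoundConstructor
    public CasSecurityRealm(String str, CasProtocol casProtocol, Boolean bool, Boolean bool2, Boolean bool3, Boolean bool4) {
        // NOTE(review): a null URL is not rejected here; string concatenation would then
        // store "null/". Form validation is the only visible guard. Confirm.
        this.casServerUrl = StringUtils.stripEnd(str, "/") + "/";
        this.casProtocol = casProtocol;
        this.forceRenewal = bool;
        this.enableSingleSignOut = bool2;
        this.enableRestApi = bool3;
        this.enableLogoutRedirect = bool4;
    }

    /** Returns the root URL reported by Jenkins, which may be {@code null}. */
    public static String getJenkinsUrl() {
        return Jenkins.get().getRootUrl();
    }

    /**
     * Returns the Jenkins root URL, rebuilding it from the request when Jenkins reports none.
     *
     * <p>The fallback takes scheme, server name, port and context path from the request,
     * so the result reflects what the client or an upstream proxy sent. Configuring the
     * Jenkins root URL keeps the CAS service URL independent of request data.
     *
     * @param httpServletRequest current request, or {@code null}
     * @return the root URL, or {@code null} when neither source is available
     */
    public static String getJenkinsUrl(HttpServletRequest httpServletRequest) {
        String rootUrl = getJenkinsUrl();
        if (rootUrl != null || httpServletRequest == null) {
            return rootUrl;
        }
        return UrlUtils.buildFullRequestUrl(
                httpServletRequest.getScheme(),
                httpServletRequest.getServerName(),
                httpServletRequest.getServerPort(),
                httpServletRequest.getContextPath(),
                (String) null) + "/";
    }

    public static String getFinishLoginUrl() {
        return DEFAULT_FINISH_LOGIN_URL;
    }

    public static String getFailedLoginUrl() {
        return DEFAULT_FAILED_LOGIN_URL;
    }

    /**
     * Resolves the CAS service URL, prefixing the Jenkins root URL when the configured
     * service is relative.
     *
     * <p>Any value starting with {@code "http"} is treated as absolute and returned as is.
     *
     * @return the service URL, or {@code null} when none is configured
     */
    public static String getServiceUrl(HttpServletRequest httpServletRequest, ServiceProperties serviceProperties) {
        String service = serviceProperties.getService();
        if (service == null || service.startsWith("http")) {
            return service;
        }
        return getJenkinsUrl(httpServletRequest) + service;
    }

    /**
     * Returns the Spring context for this realm, building it on first use.
     *
     * <p>The realm and its protocol are registered as beans so that
     * {@link CasConfigurationContext} can reference them.
     *
     * <p>NOTE(review): the lazy initialisation is not synchronised; concurrent first calls
     * could each build a context. Confirm whether callers serialise access.
     */
    protected ApplicationContext getApplicationContext() {
        if (this.applicationContext == null) {
            LOG.debug("Creating CAS ApplicationContext");
            AnnotationConfigApplicationContext context = new AnnotationConfigApplicationContext();
            context.registerBean(CasSecurityRealm.class, () -> this, new BeanDefinitionCustomizer[0]);
            context.registerBean(CasProtocol.class, () -> this.casProtocol, new BeanDefinitionCustomizer[0]);
            context.register(CasConfigurationContext.class);
            context.refresh();
            this.applicationContext = context;
        }
        return this.applicationContext;
    }

    public String getLoginUrl() {
        return DEFAULT_COMMENCE_LOGIN_URL;
    }

    /**
     * Returns the URL the browser is sent to after logout.
     *
     * <p>With {@link #enableLogoutRedirect} set, this is the CAS logout endpoint with the
     * URL-encoded Jenkins root URL as its {@code service} parameter. The default from the
     * superclass is used when the redirect is disabled or no root URL is available.
     */
    protected String getPostLogOutUrl2(StaplerRequest2 staplerRequest2, Authentication authentication) {
        if (!Boolean.TRUE.equals(this.enableLogoutRedirect)) {
            return super.getPostLogOutUrl2(staplerRequest2, authentication);
        }
        String jenkinsUrl = getJenkinsUrl();
        if (jenkinsUrl == null) {
            // URLEncoder.encode(null, ...) would throw; fall back to the default target instead.
            return super.getPostLogOutUrl2(staplerRequest2, authentication);
        }
        try {
            return this.casServerUrl + "logout?service=" + URLEncoder.encode(jenkinsUrl, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Builds the authentication manager used for non-browser authentication.
     *
     * <p>Anonymous tokens pass through unchanged. Username/password tokens are accepted
     * only when {@link #enableRestApi} is {@code TRUE} and are then delegated to
     * {@link CasRestAuthenticator}. Every other token is rejected.
     */
    public SecurityRealm.SecurityComponents createSecurityComponents() {
        return new SecurityRealm.SecurityComponents(new AuthenticationManager() {
            public Authentication authenticate(Authentication authentication) throws AuthenticationException {
                if (authentication instanceof AnonymousAuthenticationToken) {
                    return authentication;
                }
                boolean restLoginAllowed = authentication instanceof UsernamePasswordAuthenticationToken
                        && Boolean.TRUE.equals(CasSecurityRealm.this.enableRestApi);
                if (!restLoginAllowed) {
                    // NOTE(review): the message embeds the token's toString(); confirm it
                    // exposes nothing sensitive wherever this exception is logged or shown.
                    throw new BadCredentialsException("Unexpected authentication type: " + authentication);
                }
                CasSecurityRealm.LOG.debug("Authenticating UsernamePasswordAuthenticationToken with CAS REST API");
                CasRestAuthenticator restAuthenticator =
                        CasSecurityRealm.this.getApplicationContext().getBean(CasRestAuthenticator.class);
                return restAuthenticator.authenticate(authentication);
            }
        });
    }

    /** Chains the CAS filter from the Spring context in front of the default realm filter. */
    public Filter createFilter(FilterConfig filterConfig) {
        LOG.debug("Creating CAS authentication filter");
        Filter casFilter = getApplicationContext().getBean("casFilter", ChainedServletFilter2.class);
        return new ChainedServletFilter2(new Filter[]{casFilter, super.createFilter(filterConfig)});
    }

    /**
     * Logs the user out, first dropping the session's entry from the CAS session mapping
     * storage so the ended session no longer stays registered there.
     */
    public void doLogout(StaplerRequest2 staplerRequest2, StaplerResponse2 staplerResponse2) throws IOException, ServletException {
        // getSession(false): do not create a session just to log out of it.
        HttpSession session = staplerRequest2.getSession(false);
        if (session != null) {
            SessionMappingStorage sessionMappings = getApplicationContext().getBean(SessionMappingStorage.class);
            sessionMappings.removeBySessionById(session.getId());
        }
        super.doLogout(staplerRequest2, staplerResponse2);
    }

    /** Starts the login flow by handing the request to the CAS authentication entry point. */
    public void doCommenceLogin(StaplerRequest2 staplerRequest2, StaplerResponse2 staplerResponse2) throws IOException, ServletException {
        LOG.debug("Redirecting to CAS for authentication");
        CasAuthenticationEntryPoint entryPoint = getApplicationContext().getBean(CasAuthenticationEntryPoint.class);
        entryPoint.commence(staplerRequest2, staplerResponse2, (AuthenticationException) null);
    }

    /**
     * Completes the login flow: ensures a session exists and notifies security listeners
     * when the current authentication is a CAS token.
     *
     * <p>No response is written here; presumably the CAS filter chain handles the
     * redirect (confirm).
     */
    public void doFinishLogin(StaplerRequest2 staplerRequest2, StaplerResponse2 staplerResponse2) {
        // Declared as Authentication: the context may hold any token type, and the
        // instanceof check below is only meaningful on the general type.
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        // NOTE(review): the token's toString() lands in the debug log; check what it
        // includes before enabling debug logging on a production controller.
        LOG.debug("Finishing CAS login with authentication={}", authentication);
        // NOTE(review): this only creates a session if none exists; any session-id
        // rotation on login must happen elsewhere. Confirm in the filter chain.
        staplerRequest2.getSession();
        if (authentication instanceof CasAuthenticationToken) {
            SecurityListener.fireAuthenticated2(((CasAuthenticationToken) authentication).getUserDetails());
        }
    }
}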
