package org.jenkinsci.plugins.oic;

import com.google.api.client.auth.oauth2.AuthorizationCodeFlow;
import com.google.api.client.auth.oauth2.BearerToken;
import com.google.api.client.auth.oauth2.ClientParametersAuthentication;
import com.google.api.client.auth.openidconnect.IdToken;
import com.google.api.client.auth.openidconnect.IdTokenResponse;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpRequest;
import com.google.api.client.http.HttpRequestInitializer;
import com.google.api.client.http.HttpResponseException;
import com.google.api.client.http.HttpStatusCodes;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.GenericJson;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.JsonObjectParser;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.common.base.Strings;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import hudson.Extension;
import hudson.Util;
import hudson.model.Descriptor;
import hudson.model.User;
import hudson.security.SecurityRealm;
import hudson.tasks.Mailer;
import hudson.util.FormValidation;
import hudson.util.HttpResponses;
import hudson.util.Secret;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Locale;
import java.util.logging.Level;
import java.util.logging.Logger;
import jenkins.model.Jenkins;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.providers.anonymous.AnonymousAuthenticationToken;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.Header;
import org.kohsuke.stapler.HttpRedirect;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;

/* loaded from: input_file:WEB-INF/lib/oic-auth.jar:org/jenkinsci/plugins/oic/OicSecurityRealm.class */
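/**
 * Jenkins {@link SecurityRealm} that authenticates users through an OpenID Connect provider
 * using the authorization-code flow.
 *
 * <p>Flow: {@link #doCommenceLogin} redirects the browser to the authorization server; the
 * provider sends the browser back to {@code securityRealm/finishLogin}, which hands the
 * authorization code to {@link OicSession#onSuccess}. There the code is exchanged for tokens,
 * the ID token's audience and expiry are checked, the username (and optionally e-mail and full
 * name) are read from the ID token payload or from the userinfo endpoint, an optional
 * claim/value gate is applied, and the Jenkins session is established.
 *
 * <p>Security notes grounded in this class: the ID token's signature is not verified here; the
 * code relies on having obtained the token directly from the configured token endpoint. Only
 * redirect targets on this Jenkins instance are honoured after login. The client secret is sent
 * to the token endpoint as client parameters, so that endpoint should be https.
 */
public class OicSecurityRealm extends SecurityRealm {
    private static final Logger LOGGER = Logger.getLogger(OicSecurityRealm.class.getName());
    private static final JsonFactory JSON_FACTORY = new JacksonFactory();
    /** Clock skew tolerated when checking the ID token's expiry claim. */
    private static final long ACCEPTABLE_TIME_SKEW_SECONDS = 300L;
    /** Claim used as the Jenkins user id when none is configured. */
    private static final String DEFAULT_USERNAME_FIELD = "sub";
    /** Scopes requested when none are configured. */
    private static final String DEFAULT_SCOPES = "openid email";
    /** Path (relative to the Jenkins root URL) the provider redirects back to. */
    private static final String FINISH_LOGIN_PATH = "securityRealm/finishLogin";

    private final HttpTransport httpTransport;
    private final String clientId;
    private final Secret clientSecret;
    private final String tokenServerUrl;
    private final String authorizationServerUrl;
    private final String userInfoServerUrl;
    private final String userNameField;
    // Optional gate: when both are set, the ID token claim named by the key must equal the value.
    private final String tokenFieldToCheckKey;
    private final String tokenFieldToCheckValue;
    private final String fullNameFieldName;
    private final String emailFieldName;
    private final String scopes;
    private final boolean disableSslVerification;

    /** Form validation for the realm's configuration page. */
    @Extension
    public static final class DescriptorImpl extends Descriptor<SecurityRealm> {
        @Override
        public String getDisplayName() {
            return "Login with Openid Connect";
        }

        public FormValidation doCheckClientId(@QueryParameter String str) {
            return isBlank(str) ? FormValidation.error("Client id is required.") : FormValidation.ok();
        }

        public FormValidation doCheckClientSecret(@QueryParameter String str) {
            return isBlank(str) ? FormValidation.error("Client secret is required.") : FormValidation.ok();
        }

        public FormValidation doCheckTokenServerUrl(@QueryParameter String str) {
            return checkUrl(str, "Token Server Url Key is required.");
        }

        public FormValidation doCheckAuthorizationServerUrl(@QueryParameter String str) {
            // The original message named the token server here (copy-paste slip).
            return checkUrl(str, "Authorization Server Url is required.");
        }

        public FormValidation doCheckUserNameField(@QueryParameter String str) {
            return isBlank(str) ? FormValidation.ok("Using '" + DEFAULT_USERNAME_FIELD + "'.") : FormValidation.ok();
        }

        public FormValidation doCheckScopes(@QueryParameter String str) {
            if (isBlank(str)) {
                return FormValidation.ok("Using '" + DEFAULT_SCOPES + "'.");
            }
            // Locale.ROOT: a Turkish default locale would lower-case "OPENID" to "openıd".
            if (!str.toLowerCase(Locale.ROOT).contains("openid")) {
                return FormValidation.warning("Are you sure you don't want to include 'openid' as an scope?");
            }
            return FormValidation.ok();
        }

        /** True when the value is null, empty or whitespace only. */
        private static boolean isBlank(String value) {
            return Util.fixEmptyAndTrim(value) == null;
        }

        /**
         * Requires a non-blank, well-formed URL; warns when the scheme is not https, since the
         * realm exchanges credentials and tokens with these endpoints.
         */
        private static FormValidation checkUrl(String value, String requiredMessage) {
            if (isBlank(value)) {
                return FormValidation.error(requiredMessage);
            }
            try {
                URL url = new URL(value.trim());
                if (!"https".equalsIgnoreCase(url.getProtocol())) {
                    return FormValidation.warning("Not an https url; the exchange with this endpoint would not be encrypted.");
                }
                return FormValidation.ok();
            } catch (MalformedURLException e) {
                return FormValidation.error(e, "Not a valid url.");
            }
        }
    }

    /**
     * Creates the realm from the configuration form.
     *
     * <p>Parameters, in order: client id, client secret, token server URL, authorization server
     * URL, userinfo server URL (optional), username claim (default {@code sub}), token-field gate
     * key and value (optional, both required for the gate to apply), full-name claim (optional),
     * e-mail claim (optional), scopes (default {@code openid email}), disable SSL verification.
     *
     * @throws IOException declared for callers; not thrown by this body
     */
    // NOTE(review): the parameter names below look like decompiler placeholders. Stapler binds
    // @DataBoundConstructor arguments by parameter name, so confirm they match the config form
    // fields (this class's field names are the likely originals).
    @DataBoundConstructor
    public OicSecurityRealm(String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8, String str9, String str10, String str11, boolean z) throws IOException {
        this.clientId = str;
        this.clientSecret = Secret.fromString(str2);
        this.tokenServerUrl = str3;
        this.authorizationServerUrl = str4;
        this.userInfoServerUrl = str5;
        this.userNameField = Util.fixEmpty(str6) == null ? DEFAULT_USERNAME_FIELD : str6;
        this.tokenFieldToCheckKey = Util.fixEmpty(str7);
        this.tokenFieldToCheckValue = Util.fixEmpty(str8);
        this.fullNameFieldName = Util.fixEmpty(str9);
        this.emailFieldName = Util.fixEmpty(str10);
        this.scopes = Util.fixEmpty(str11) == null ? DEFAULT_SCOPES : str11;
        this.disableSslVerification = z;
        this.httpTransport = constructHttpTransport(this.disableSslVerification);
    }

    /**
     * Builds the transport used for the token and userinfo requests.
     *
     * <p>When certificate validation cannot be disabled, the transport keeps validating (fail
     * closed) and the failure is logged instead of being silently dropped.
     */
    private static HttpTransport constructHttpTransport(boolean disableSslVerification) {
        NetHttpTransport.Builder builder = new NetHttpTransport.Builder();
        if (disableSslVerification) {
            try {
                builder.doNotValidateCertificate();
            } catch (GeneralSecurityException e) {
                LOGGER.log(Level.WARNING, "Could not disable SSL certificate validation; keeping it enabled", e);
            }
        }
        return builder.build();
    }

    public String getClientId() {
        return this.clientId;
    }

    public Secret getClientSecret() {
        return this.clientSecret;
    }

    public String getTokenServerUrl() {
        return this.tokenServerUrl;
    }

    public String getAuthorizationServerUrl() {
        return this.authorizationServerUrl;
    }

    public String getUserInfoServerUrl() {
        return this.userInfoServerUrl;
    }

    public String getUserNameField() {
        return this.userNameField;
    }

    public String getTokenFieldToCheckKey() {
        return this.tokenFieldToCheckKey;
    }

    public String getTokenFieldToCheckValue() {
        return this.tokenFieldToCheckValue;
    }

    public String getFullNameFieldName() {
        return this.fullNameFieldName;
    }

    public String getEmailFieldName() {
        return this.emailFieldName;
    }

    public String getScopes() {
        return this.scopes;
    }

    public boolean isDisableSslVerification() {
        return this.disableSslVerification;
    }

    /** Jenkins sends users here to start a login. */
    @Override
    public String getLoginUrl() {
        return "securityRealm/commenceLogin";
    }

    /**
     * Only anonymous tokens are accepted by the authentication manager: every real login goes
     * through the OIDC redirect flow and sets the security context directly.
     */
    @Override
    public SecurityRealm.SecurityComponents createSecurityComponents() {
        return new SecurityRealm.SecurityComponents(new AuthenticationManager() {
            @Override
            public Authentication authenticate(Authentication authentication) throws AuthenticationException {
                if (authentication instanceof AnonymousAuthenticationToken) {
                    return authentication;
                }
                throw new BadCredentialsException("Unexpected authentication type: " + authentication);
            }
        });
    }

    /**
     * Starts the authorization-code flow.
     *
     * @param str  the page to return to after login (query parameter); used only if it points
     *             at this Jenkins instance
     * @param str2 the Referer header, used as a fallback return target under the same rule
     * @return a redirect to the authorization server
     * @throws IOException if the session cannot be started or the Jenkins root URL is unset
     */
    public HttpResponse doCommenceLogin(@QueryParameter String str, @Header("Referer") String str2) throws IOException {
        final String redirectTarget = determineRedirectTarget(str, str2);
        final AuthorizationCodeFlow flow = new AuthorizationCodeFlow.Builder(
                BearerToken.queryParameterAccessMethod(),
                this.httpTransport,
                JSON_FACTORY,
                new GenericUrl(this.tokenServerUrl),
                new ClientParametersAuthentication(this.clientId, this.clientSecret.getPlainText()),
                this.clientId,
                this.authorizationServerUrl)
                // The single configured string is passed as one scope element; the client library
                // space-joins the collection, so "openid email" reaches the provider unchanged.
                .setScopes(Arrays.asList(this.scopes))
                .build();
        return new OicSession(flow, str, buildOAuthRedirectUrl()) {
            /** Exchanges the authorization code for tokens and logs the user in. */
            @Override
            public HttpResponse onSuccess(String authorizationCode) {
                try {
                    IdTokenResponse tokenResponse = IdTokenResponse.execute(
                            flow.newTokenRequest(authorizationCode).setRedirectUri(OicSecurityRealm.this.buildOAuthRedirectUrl()));
                    if (tokenResponse.getIdToken() == null) {
                        return HttpResponses.error(500, "no id_token was returned by the token endpoint");
                    }
                    IdToken idToken = IdToken.parse(OicSecurityRealm.JSON_FACTORY, tokenResponse.getIdToken());
                    // Reject tokens minted for another client or already expired.
                    if (!idToken.verifyAudience(Collections.singletonList(OicSecurityRealm.this.clientId))
                            || !idToken.verifyExpirationTime(System.currentTimeMillis(), ACCEPTABLE_TIME_SKEW_SECONDS)) {
                        return HttpResponses.errorWithoutStack(HttpStatusCodes.STATUS_CODE_UNAUTHORIZED, "Unauthorized");
                    }
                    GenericJson userInfo = null;
                    Object userName;
                    if (Strings.isNullOrEmpty(OicSecurityRealm.this.userInfoServerUrl)) {
                        userName = idToken.getPayload().get(OicSecurityRealm.this.userNameField);
                    } else {
                        userInfo = OicSecurityRealm.this.getUserInfo(flow, tokenResponse.getAccessToken());
                        userName = userInfo.get(OicSecurityRealm.this.userNameField);
                    }
                    if (userName == null) {
                        return HttpResponses.error(500, "no field '" + OicSecurityRealm.this.userNameField + "' was supplied in the token payload to be used as the username");
                    }
                    // The claim gate is evaluated before any session state is created.
                    if (OicSecurityRealm.this.failedCheckOfTokenField(idToken)) {
                        return HttpResponses.errorWithoutStack(HttpStatusCodes.STATUS_CODE_UNAUTHORIZED, "Unauthorized");
                    }
                    flow.createAndStoreCredential(tokenResponse, null);
                    OicSecurityRealm.this.loginAndSetUserData(String.valueOf(userName), new GrantedAuthority[]{SecurityRealm.AUTHENTICATED_AUTHORITY}, idToken, userInfo);
                    return new HttpRedirect(redirectTarget);
                } catch (IOException e) {
                    return HttpResponses.error(500, e);
                }
            }
        }.doCommenceLogin();
    }

    /**
     * Fetches the userinfo document with the access token as a bearer credential.
     *
     * @param flow        the flow whose transport and JSON factory are reused
     * @param accessToken the access token from the token response
     * @return the parsed userinfo JSON
     * @throws IOException on transport failure or a non-2xx response
     */
    // Was private in the original build; the decompiler widened it for the inner class.
    public GenericJson getUserInfo(AuthorizationCodeFlow flow, final String accessToken) throws IOException {
        HttpRequest request = flow.getTransport().createRequestFactory(new HttpRequestInitializer() {
            @Override
            public void initialize(HttpRequest httpRequest) throws IOException {
                httpRequest.getHeaders().setAuthorization("Bearer " + accessToken);
            }
        }).buildGetRequest(new GenericUrl(this.userInfoServerUrl));
        request.setParser(new JsonObjectParser(flow.getJsonFactory()));
        // Inspect the status ourselves so the failure carries the response.
        request.setThrowExceptionOnExecuteError(false);
        com.google.api.client.http.HttpResponse response = request.execute();
        if (response.isSuccessStatusCode()) {
            return (GenericJson) response.parseAs(GenericJson.class);
        }
        throw new HttpResponseException(response);
    }

    /**
     * Applies the optional claim gate to the ID token payload.
     *
     * @return {@code true} when the gate is configured and the claim is missing or differs from
     *         the configured value; {@code false} when no gate is configured or the claim matches.
     *         (The original returned {@code true} on a match, which let mismatching users in and
     *         locked matching users out.)
     */
    // Was private in the original build; the decompiler widened it for the inner class.
    public boolean failedCheckOfTokenField(IdToken idToken) {
        if (this.tokenFieldToCheckKey == null || this.tokenFieldToCheckValue == null) {
            return false;
        }
        Object actual = idToken.getPayload().get(this.tokenFieldToCheckKey);
        return actual == null || !this.tokenFieldToCheckValue.equals(String.valueOf(actual));
    }

    /**
     * Establishes the Jenkins session for {@code userName} and copies e-mail and full name from
     * the userinfo document when present, otherwise from the ID token payload.
     *
     * @param userName    the Jenkins user id
     * @param authorities authorities granted to the session
     * @param idToken     the parsed ID token
     * @param userInfo    the userinfo document, or {@code null} when none was fetched
     * @return the authentication placed in the security context
     * @throws IOException if the user record cannot be updated
     */
    // Was private in the original build; the decompiler widened it for the inner class.
    public UsernamePasswordAuthenticationToken loginAndSetUserData(String userName, GrantedAuthority[] authorities, IdToken idToken, GenericJson userInfo) throws IOException {
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(userName, "", authorities);
        SecurityContextHolder.getContext().setAuthentication(token);
        User user = User.get(token.getName());
        String email = userInfo == null ? getField(idToken, this.emailFieldName) : getField(userInfo, this.emailFieldName);
        if (email != null) {
            user.addProperty(new Mailer.UserProperty(email));
        }
        String fullName = userInfo == null ? getField(idToken, this.fullNameFieldName) : getField(userInfo, this.fullNameFieldName);
        if (fullName != null) {
            user.setFullName(fullName);
        }
        return token;
    }

    /** Reads a claim from the ID token payload as a string; {@code null} when absent or unconfigured. */
    private static String getField(IdToken idToken, String fieldName) {
        return fieldName == null ? null : stringOrNull(idToken.getPayload().get(fieldName));
    }

    /** Reads a field from a JSON document as a string; {@code null} when absent or unconfigured. */
    private static String getField(GenericJson json, String fieldName) {
        // String.valueOf instead of a String cast: a non-string claim must not abort the login.
        return fieldName == null || json == null ? null : stringOrNull(json.get(fieldName));
    }

    private static String stringOrNull(Object value) {
        return value == null ? null : String.valueOf(value);
    }

    /**
     * Chooses where to send the browser after login: the requested page, else the Referer, else
     * the Jenkins root URL. Both caller-supplied values are untrusted, so only targets on this
     * instance are honoured; anything else falls through to the root URL (open-redirect guard).
     */
    @SuppressFBWarnings({"NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE"})
    private String determineRedirectTarget(String from, String referer) {
        String rootUrl = Jenkins.getInstance().getRootUrl();
        if (isSafeRedirectTarget(from, rootUrl)) {
            return from;
        }
        if (isSafeRedirectTarget(referer, rootUrl)) {
            return referer;
        }
        return rootUrl;
    }

    /**
     * Accepts an absolute URL under {@code rootUrl} (when known) or a path-absolute URI that is
     * not protocol-relative ({@code //host}) and does not start with {@code /\}, which some
     * browsers treat like {@code //}.
     */
    private static boolean isSafeRedirectTarget(String target, String rootUrl) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        if (rootUrl != null && target.startsWith(rootUrl)) {
            return true;
        }
        if (target.charAt(0) != '/') {
            return false;
        }
        if (target.length() == 1) {
            return true;
        }
        char second = target.charAt(1);
        return second != '/' && second != '\\';
    }

    /**
     * The redirect URI registered with the provider, derived from the Jenkins root URL.
     *
     * @throws NullPointerException when the root URL is not configured
     */
    // Was private in the original build; the decompiler widened it for the inner class.
    @SuppressFBWarnings({"NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE"})
    public String buildOAuthRedirectUrl() throws NullPointerException {
        String rootUrl = Jenkins.getInstance().getRootUrl();
        if (rootUrl == null) {
            throw new NullPointerException("Jenkins root url should not be null");
        }
        return rootUrl + FINISH_LOGIN_PATH;
    }

    /**
     * Callback endpoint the provider redirects to; delegates to the session started by
     * {@link #doCommenceLogin}. A request with no login in progress is answered with 400 rather
     * than a NullPointerException.
     */
    public HttpResponse doFinishLogin(StaplerRequest staplerRequest) throws IOException {
        OicSession session = OicSession.getCurrent();
        // NOTE(review): assumes getCurrent() yields null when no session is bound — confirm in OicSession.
        if (session == null) {
            return HttpResponses.errorWithoutStack(HttpStatusCodes.STATUS_CODE_BAD_REQUEST, "No login in progress");
        }
        return session.doFinishLogin(staplerRequest);
    }
}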
