package org.jenkinsci.plugins.oic;

import com.google.api.client.auth.oauth2.AuthorizationCodeFlow;
import com.google.api.client.auth.oauth2.AuthorizationCodeTokenRequest;
import com.google.api.client.auth.oauth2.BearerToken;
import com.google.api.client.auth.oauth2.ClientParametersAuthentication;
import com.google.api.client.auth.oauth2.Credential;
import com.google.api.client.auth.openidconnect.IdToken;
import com.google.api.client.http.BasicAuthentication;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpExecuteInterceptor;
import com.google.api.client.http.HttpHeaders;
import com.google.api.client.http.HttpRequest;
import com.google.api.client.http.HttpRequestInitializer;
import com.google.api.client.http.HttpResponse;
import com.google.api.client.http.HttpResponseException;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.GenericJson;
import com.google.api.client.json.JsonObjectParser;
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.client.json.webtoken.JsonWebSignature;
import com.google.api.client.util.ArrayMap;
import com.google.api.client.util.Data;
import com.google.common.base.Strings;
import com.google.gson.JsonParseException;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import hudson.Extension;
import hudson.Util;
import hudson.model.Descriptor;
import hudson.model.User;
import hudson.security.SecurityRealm;
import hudson.tasks.Mailer;
import hudson.util.FormValidation;
import hudson.util.HttpResponses;
import hudson.util.Secret;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.lang.reflect.Field;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.time.LocalDateTime;
import java.time.ZoneId;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Random;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import jenkins.model.Jenkins;
import jenkins.security.SecurityListener;
import org.apache.commons.lang.StringUtils;
import org.apache.http.protocol.HTTP;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.DoNotUse;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.Header;
import org.kohsuke.stapler.HttpRedirect;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/* loaded from: input_file:WEB-INF/lib/oic-auth.jar:org/jenkinsci/plugins/oic/OicSecurityRealm.class */
public class OicSecurityRealm extends SecurityRealm {
    /** Request attribute under which the ID token of the current request is kept (its readers are outside this view). */
    private static final String ID_TOKEN_REQUEST_ATTRIBUTE = "oic-id-token";
    /** Request attribute under which the OAuth2 {@code state} of the current request is kept (its readers are outside this view). */
    private static final String STATE_REQUEST_ATTRIBUTE = "oic-state";
    /** Value accepted in place of a client secret to mean "no secret configured"; see the constructors and {@link #getClientSecret()}. */
    private static final String NO_SECRET = "none";
    private final String clientId;
    /** {@code null} when the form supplied {@link #NO_SECRET}; {@link #getClientSecret()} maps that back to a Secret holding "none". */
    private final Secret clientSecret;
    /** Discovery-document URL; the constructors and setter keep it {@code null} in "manual" mode. */
    private String wellKnownOpenIDConfigurationUrl;
    private String tokenServerUrl;
    private TokenAuthMethod tokenAuthMethod;
    private String authorizationServerUrl;
    private String userInfoServerUrl;
    /** Claim used as the Jenkins user id; the constructors default it to "sub". */
    private String userNameField;
    /** Optional claim/value pair a token has to carry (the check that consumes them is outside this view). */
    private String tokenFieldToCheckKey;
    private String tokenFieldToCheckValue;
    private String fullNameFieldName;
    private String emailFieldName;
    /** Groups claim, optionally in "outer[].inner" form; {@link #setGroupsFieldName} splits it into the two transient fields below. */
    private String groupsFieldName;
    private transient String simpleGroupsFieldName;
    private transient String nestedGroupFieldName;
    /** Requested scopes; {@code null} means the default that {@link #getScopes()} reports. */
    private String scopes;
    /** When true the HTTP transport is built without certificate validation (see constructHttpTransport), which exposes the token exchange to on-path tampering; intended for test setups only. */
    private final boolean disableSslVerification;
    private boolean logoutFromOpenidProvider;
    private String endSessionEndpoint;
    private String postLogoutRedirectUrl;
    /** Local username/password bypass of the provider; it is checked by the AuthenticationManager built in {@link #createSecurityComponents()}. */
    private boolean escapeHatchEnabled;
    private String escapeHatchUsername;
    private Secret escapeHatchSecret;
    private String escapeHatchGroup;
    /** "auto" or "manual" (or the raw form value passed to the Stapler constructor); see {@link #isAutoConfigure()}. */
    private String automanualconfigure;
    /** Form-only flag consulted by {@link #setOverrideScopes}; not persisted. */
    private transient Boolean overrideScopesDefined;
    private String overrideScopes;
    private boolean rootURLFromRequest;
    private boolean sendScopesInTokenRequest;
    private boolean pkceEnabled;
    private boolean nonceDisabled;
    /** Cache expiry of the discovery document, derived from the response's Expires header. */
    private transient LocalDateTime wellKnownExpires;
    /** Legacy value that {@link #readResolve()} migrates into {@code endSessionEndpoint}. */
    private transient String endSessionUrl;
    private transient HttpTransport httpTransport;
    private static final Logger LOGGER = Logger.getLogger(OicSecurityRealm.class.getName());
    /** NOTE(review): java.util.Random is not a CSPRNG. Its uses are outside this view; it must not be the source of state, nonce or PKCE values — confirm. */
    private static final Random RANDOM = new Random();

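    /**
     * Descriptor for {@link OicSecurityRealm}: the display name plus the form-validation endpoints
     * behind the security-realm configuration page.
     * <p>
     * Every {@code doCheck*} method is POST-only and requires {@code Jenkins.ADMINISTER}; the
     * well-known check in particular makes an outbound HTTP request to a URL the caller supplies,
     * so it must never be reachable by lower-privileged users. {@code @QueryParameter} binds by
     * parameter name; the names here look decompiler-generated, so confirm them against the Jelly
     * form before renaming any of them.
     */
    @Extension
    /* loaded from: input_file:WEB-INF/lib/oic-auth.jar:org/jenkinsci/plugins/oic/OicSecurityRealm$DescriptorImpl.class */
    public static final class DescriptorImpl extends Descriptor<SecurityRealm> {
        /** @return whether the active realm is an OIC realm with a well-known configuration URL set */
        public boolean isAuto() {
            SecurityRealm realm = Jenkins.get().getSecurityRealm();
            return realm instanceof OicSecurityRealm
                    && StringUtils.isNotBlank(((OicSecurityRealm) realm).getWellKnownOpenIDConfigurationUrl());
        }

        /** @return whether the active realm is an OIC realm that is not auto-configured */
        public boolean isManual() {
            return Jenkins.get().getSecurityRealm() instanceof OicSecurityRealm && !isAuto();
        }

        @Override
        public String getDisplayName() {
            return Messages.OicSecurityRealm_DisplayName();
        }

        /**
         * Shared URL-field check: blank yields {@code emptyResult}, an unparsable URL yields an
         * error, anything else is OK. Kept on {@code java.net.URL} to preserve the existing notion
         * of "valid".
         */
        private static FormValidation checkUrl(String value, FormValidation emptyResult) {
            if (Util.fixEmptyAndTrim(value) == null) {
                return emptyResult;
            }
            try {
                new URL(value);
                return FormValidation.ok();
            } catch (MalformedURLException e) {
                return FormValidation.error(e, Messages.OicSecurityRealm_NotAValidURL());
            }
        }

        /** Shared scope-field check: blank means "defaults", otherwise warn when "openid" is missing. */
        private static FormValidation checkScopeList(String value) {
            if (Util.fixEmptyAndTrim(value) == null) {
                return FormValidation.ok(Messages.OicSecurityRealm_UsingDefaultScopes());
            }
            // Locale.ROOT: the default locale's lower-casing can turn "OPENID" into something that no
            // longer contains "openid" (dotted/dotless i), making the warning fire spuriously.
            if (!value.toLowerCase(Locale.ROOT).contains("openid")) {
                return FormValidation.warning(Messages.OicSecurityRealm_RUSureOpenIdNotInScope());
            }
            return FormValidation.ok();
        }

        @RequirePOST
        public FormValidation doCheckClientId(@QueryParameter String str) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            if (Util.fixEmptyAndTrim(str) == null) {
                return FormValidation.error(Messages.OicSecurityRealm_ClientIdRequired());
            }
            return FormValidation.ok();
        }

        @RequirePOST
        public FormValidation doCheckClientSecret(@QueryParameter String str) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            if (Util.fixEmptyAndTrim(str) == null) {
                return FormValidation.error(Messages.OicSecurityRealm_ClientSecretRequired());
            }
            return FormValidation.ok();
        }

        /**
         * Fetches the discovery document at {@code str} (with TLS validation off when {@code z})
         * and checks that it names an authorization and a token endpoint. The request is made with
         * the caller's URL verbatim, which is why ADMINISTER is required.
         */
        @RequirePOST
        public FormValidation doCheckWellKnownOpenIDConfigurationUrl(@QueryParameter String str, @QueryParameter boolean z) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            try {
                HttpResponse response = OicSecurityRealm.constructHttpTransport(z)
                        .createRequestFactory()
                        .buildGetRequest(new GenericUrl(new URL(str)))
                        .execute();
                WellKnownOpenIDConfigurationResponse config;
                try {
                    // JSON is UTF-8 by specification; the platform default charset is not.
                    config = GsonFactory.getDefaultInstance().fromInputStream(
                            response.getContent(), StandardCharsets.UTF_8, WellKnownOpenIDConfigurationResponse.class);
                } finally {
                    // Release the connection whether or not parsing succeeded.
                    response.disconnect();
                }
                if (config.getAuthorizationEndpoint() == null || config.getTokenEndpoint() == null) {
                    return FormValidation.warning(Messages.OicSecurityRealm_URLNotAOpenIdEnpoint());
                }
                return FormValidation.ok();
            } catch (HttpResponseException e) {
                return FormValidation.error(e, Messages.OicSecurityRealm_CouldNotRetreiveWellKnownConfig(Integer.valueOf(e.getStatusCode()), e.getStatusMessage()));
            } catch (JsonParseException e) {
                return FormValidation.error(e, Messages.OicSecurityRealm_CouldNotParseResponse());
            } catch (MalformedURLException e) {
                return FormValidation.error(e, Messages.OicSecurityRealm_NotAValidURL());
            } catch (IOException e) {
                return FormValidation.error(e, Messages.OicSecurityRealm_ErrorRetreivingWellKnownConfig());
            }
        }

        @RequirePOST
        public FormValidation doCheckTokenServerUrl(@QueryParameter String str) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return checkUrl(str, FormValidation.error(Messages.OicSecurityRealm_TokenServerURLKeyRequired()));
        }

        @RequirePOST
        public FormValidation doCheckTokenAuthMethod(@QueryParameter String str) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            if (Util.fixEmptyAndTrim(str) == null) {
                return FormValidation.error(Messages.OicSecurityRealm_TokenAuthMethodRequired());
            }
            return FormValidation.ok();
        }

        /**
         * Blank is now treated like the other URL fields (previously only {@code null} was), so an
         * empty submission reports "required" instead of "not a valid URL".
         * NOTE(review): reuses the token-server "required" message; no authorization-server-specific
         * message key is visible here.
         */
        @RequirePOST
        public FormValidation doCheckAuthorizationServerUrl(@QueryParameter String str) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return checkUrl(str, FormValidation.error(Messages.OicSecurityRealm_TokenServerURLKeyRequired()));
        }

        @RequirePOST
        public FormValidation doCheckUserNameField(@QueryParameter String str) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            if (Util.fixEmptyAndTrim(str) == null) {
                return FormValidation.ok(Messages.OicSecurityRealm_UsingDefaultUsername());
            }
            return FormValidation.ok();
        }

        @RequirePOST
        public FormValidation doCheckScopes(@QueryParameter String str) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return checkScopeList(str);
        }

        @RequirePOST
        public FormValidation doCheckOverrideScopes(@QueryParameter String str) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return checkScopeList(str);
        }

        @RequirePOST
        public FormValidation doCheckEndSessionEndpoint(@QueryParameter String str) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return checkUrl(str, FormValidation.error(Messages.OicSecurityRealm_EndSessionURLKeyRequired()));
        }

        /** The post-logout redirect URL is optional, so blank is simply OK. */
        @RequirePOST
        public FormValidation doCheckPostLogoutRedirectUrl(@QueryParameter String str) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return checkUrl(str, FormValidation.ok());
        }

        /** Mirrors the "at most one {@code [].}" rule that {@code setGroupsFieldName} only warns about. */
        @RequirePOST
        public FormValidation doCheckGroupsFieldName(@QueryParameter String str) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            if (Util.fixEmptyAndTrim(str) != null && str.split("\\[\\]\\.").length > 2) {
                return FormValidation.error(Messages.OicSecurityRealm_InvalidGroupsFieldName());
            }
            return FormValidation.ok();
        }
    }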

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/lib/oic-auth.jar:org/jenkinsci/plugins/oic/OicSecurityRealm$PlaceHolder.class */
    /**
     * Single-valued sentinel for "no value here" where {@code null} would be ambiguous; its uses
     * are outside this view.
     */
    public enum PlaceHolder {
        /** The marker value. */
        ABSENT
    }

    /* loaded from: input_file:WEB-INF/lib/oic-auth.jar:org/jenkinsci/plugins/oic/OicSecurityRealm$TokenAuthMethod.class */
    /**
     * How the client authenticates to the token endpoint, named after the OAuth 2.0 client
     * authentication methods. Constant order is part of the persisted form; do not reorder.
     */
    public enum TokenAuthMethod {
        /** Credentials sent as HTTP Basic authentication on the token request. */
        client_secret_basic,
        /** Credentials sent as parameters in the token request body (the constructors' default). */
        client_secret_post
    }

    /**
     * Legacy all-arguments constructor kept for callers that predate the {@code @DataBoundSetter}
     * form. Parameter names look decompiler-generated; the positional meaning below is read off
     * the assignments in the body:
     * str = client id, str2 = client secret ("none" for no secret), str3 = well-known URL,
     * str4 = token endpoint, str5 = token auth method (blank = client_secret_post),
     * str6 = authorization endpoint, str7 = userinfo endpoint, str8 = user-name claim (blank = "sub"),
     * str9/str10 = claim/value to check, str11 = full-name claim, str12 = email claim,
     * str13 = scopes, str14 = groups claim, bool = disable TLS verification,
     * bool2 = logout from provider, str15 = end-session endpoint, str16 = post-logout redirect URL,
     * bool3 = escape hatch enabled, str17/str18/str19 = escape-hatch user/secret/group,
     * str20 = "auto"/"manual" (blank resolves to "auto" when a well-known URL is given).
     * <p>
     * Order matters: the transport must exist before the well-known document is fetched, and
     * scopes are set before that fetch so the document can narrow them.
     *
     * @throws IOException declared for compatibility; nothing reachable from here is seen to throw it
     */
    @Deprecated
    public OicSecurityRealm(String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8, String str9, String str10, String str11, String str12, String str13, String str14, Boolean bool, Boolean bool2, String str15, String str16, Boolean bool3, String str17, String str18, String str19, String str20) throws IOException {
        // Explicit defaults (hoisted field initializers).
        this.wellKnownOpenIDConfigurationUrl = null;
        this.tokenServerUrl = null;
        this.authorizationServerUrl = null;
        this.userInfoServerUrl = null;
        this.userNameField = "sub";
        this.tokenFieldToCheckKey = null;
        this.tokenFieldToCheckValue = null;
        this.fullNameFieldName = null;
        this.emailFieldName = null;
        this.groupsFieldName = null;
        this.simpleGroupsFieldName = null;
        this.nestedGroupFieldName = null;
        this.scopes = null;
        this.logoutFromOpenidProvider = true;
        this.endSessionEndpoint = null;
        this.escapeHatchEnabled = false;
        this.escapeHatchUsername = null;
        this.escapeHatchSecret = null;
        this.escapeHatchGroup = null;
        this.automanualconfigure = null;
        this.overrideScopesDefined = null;
        this.overrideScopes = null;
        this.rootURLFromRequest = false;
        this.sendScopesInTokenRequest = false;
        this.pkceEnabled = false;
        this.nonceDisabled = false;
        this.wellKnownExpires = null;
        // TLS verification stays on unless explicitly disabled; the transport is built from that flag.
        this.disableSslVerification = ((Boolean) Util.fixNull(bool, Boolean.FALSE)).booleanValue();
        this.httpTransport = constructHttpTransport(this.disableSslVerification);
        this.clientId = str;
        // "none" (any case) means a public client without a secret.
        this.clientSecret = (str2 == null || str2.toLowerCase().equals(NO_SECRET)) ? null : Secret.fromString(str2);
        this.authorizationServerUrl = str6;
        this.tokenServerUrl = str4;
        this.tokenAuthMethod = TokenAuthMethod.valueOf(StringUtils.defaultIfBlank(str5, "client_secret_post"));
        this.userInfoServerUrl = str7;
        setScopes(str13);
        this.endSessionEndpoint = str15;
        // Auto mode when requested explicitly, or implied by a well-known URL with no mode given.
        if ("auto".equals(str20) || (Util.fixNull(str20).isEmpty() && !Util.fixNull(str3).isEmpty())) {
            this.automanualconfigure = "auto";
            this.wellKnownOpenIDConfigurationUrl = Util.fixEmpty(str3);
            // Outbound request to the provider; failures are logged, not thrown.
            loadWellKnownOpenIDConfigurationUrl();
        } else {
            this.automanualconfigure = "manual";
            this.wellKnownOpenIDConfigurationUrl = null;
        }
        setTokenFieldToCheckKey(Util.fixEmpty(str9));
        setTokenFieldToCheckValue(Util.fixEmpty(str10));
        setUserNameField(Util.fixEmpty(str8) == null ? "sub" : str8);
        setFullNameFieldName(Util.fixEmpty(str11));
        setEmailFieldName(Util.fixEmpty(str12));
        setGroupsFieldName(Util.fixEmpty(str14));
        this.logoutFromOpenidProvider = ((Boolean) Util.fixNull(bool2, Boolean.TRUE)).booleanValue();
        this.postLogoutRedirectUrl = str16;
        this.escapeHatchEnabled = ((Boolean) Util.fixNull(bool3, Boolean.FALSE)).booleanValue();
        this.escapeHatchUsername = Util.fixEmpty(str17);
        // Stored encrypted at rest via Secret; not fixEmpty'd, so an empty form value yields a non-null Secret.
        this.escapeHatchSecret = Secret.fromString(str18);
        this.escapeHatchGroup = Util.fixEmpty(str19);
    }

    /**
     * Stapler-bound constructor. Parameter names look decompiler-generated, so the original
     * binding names are not recoverable here; positionally (from the assignments): client id,
     * client secret ("none" for no secret), authorization endpoint, token endpoint, token auth
     * method (blank = client_secret_post), userinfo endpoint, end-session endpoint, scopes,
     * "auto"/"manual" mode, and whether to disable TLS verification. Everything else arrives
     * through the {@code @DataBoundSetter}s afterwards.
     * <p>
     * Fields whose default is the JVM zero value (null/false) are left to the field declarations;
     * only the non-zero defaults are assigned explicitly.
     *
     * @throws IOException declared for compatibility; nothing reachable from here is seen to throw it
     */
    @DataBoundConstructor
    public OicSecurityRealm(String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8, String str9, Boolean bool) throws IOException {
        userNameField = "sub";
        logoutFromOpenidProvider = true;
        // TLS verification stays on unless explicitly disabled; the transport is built from that flag.
        disableSslVerification = Boolean.TRUE.equals(bool);
        httpTransport = constructHttpTransport(disableSslVerification);
        clientId = str;
        // "none" (any case) means a public client without a secret.
        boolean noSecret = str2 == null || str2.toLowerCase().equals(NO_SECRET);
        clientSecret = noSecret ? null : Secret.fromString(str2);
        automanualconfigure = Util.fixNull(str9);
        authorizationServerUrl = str3;
        tokenServerUrl = str4;
        String authMethod = StringUtils.defaultIfBlank(str5, "client_secret_post");
        tokenAuthMethod = TokenAuthMethod.valueOf(authMethod);
        userInfoServerUrl = str6;
        endSessionEndpoint = str7;
        setScopes(str8);
    }

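    /**
     * Post-deserialization migration: rebuilds the transient HTTP transport and upgrades values
     * persisted by older plugin versions.
     * <ul>
     *   <li>{@code endSessionUrl} (old name) is copied into {@code endSessionEndpoint} with a
     *       trailing slash appended, as before.</li>
     *   <li>{@code simpleGroupsFieldName}/{@code nestedGroupFieldName} are folded back into the
     *       single {@code groupsFieldName} form when the latter is unset.</li>
     * </ul>
     * The previous version wrote {@code endSessionEndpoint} through reflection on
     * {@code getClass()}; the field is an ordinary non-final field of this class, so a direct
     * assignment is equivalent and removes the NoSuchFieldException/SecurityException paths
     * (under which the migration was silently dropped, e.g. for any subclass).
     *
     * @return this realm
     */
    protected Object readResolve() {
        if (this.httpTransport == null) {
            this.httpTransport = constructHttpTransport(isDisableSslVerification());
        }
        if (!Strings.isNullOrEmpty(this.endSessionUrl)) {
            this.endSessionEndpoint = this.endSessionUrl + "/";
        }
        if (!Strings.isNullOrEmpty(this.groupsFieldName) || Strings.isNullOrEmpty(this.simpleGroupsFieldName)) {
            // Re-run the setter so the transient split fields are derived from the persisted value.
            setGroupsFieldName(this.groupsFieldName);
        } else {
            String merged = this.simpleGroupsFieldName;
            if (!Strings.isNullOrEmpty(this.nestedGroupFieldName)) {
                merged = merged + "[]." + this.nestedGroupFieldName;
            }
            setGroupsFieldName(merged);
        }
        return this;
    }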

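    /**
     * Builds the transport used for all provider requests (discovery document, token and userinfo
     * endpoints), wired to the Jenkins-aware connection factory.
     * <p>
     * With {@code disableSslVerification} the transport is built without certificate validation,
     * which leaves every exchange through it open to an on-path attacker; it exists for test
     * setups. If the library refuses to disable validation, verification stays on (the safe
     * direction) and that is now logged instead of being swallowed, so an admin who expected it
     * off is not left guessing why connections fail.
     *
     * @param disableSslVerification whether to skip TLS certificate validation
     * @return a new transport
     */
    private static HttpTransport constructHttpTransport(boolean disableSslVerification) {
        NetHttpTransport.Builder builder = new NetHttpTransport.Builder();
        builder.setConnectionFactory(new JenkinsAwareConnectionFactory());
        if (disableSslVerification) {
            try {
                builder.doNotValidateCertificate();
            } catch (GeneralSecurityException e) {
                LOGGER.log(Level.WARNING,
                        "Could not disable TLS certificate validation; certificate verification remains enabled", e);
            }
        }
        return builder.build();
    }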

    /** @return the client identifier registered with the provider */
    public String getClientId() {
        return clientId;
    }

    /**
     * @return the client secret; when none is configured, a {@link Secret} holding the literal
     *         {@code "none"} is returned so callers never see {@code null}
     */
    public Secret getClientSecret() {
        if (clientSecret != null) {
            return clientSecret;
        }
        return Secret.fromString(NO_SECRET);
    }

    /** @return the discovery-document URL, or {@code null} in manual configuration mode */
    public String getWellKnownOpenIDConfigurationUrl() {
        return wellKnownOpenIDConfigurationUrl;
    }

    /** @return the token endpoint, set manually or taken from the discovery document */
    public String getTokenServerUrl() {
        return tokenServerUrl;
    }

    /** @return how the client authenticates to the token endpoint */
    public TokenAuthMethod getTokenAuthMethod() {
        return tokenAuthMethod;
    }

    /** @return the authorization endpoint, set manually or taken from the discovery document */
    public String getAuthorizationServerUrl() {
        return authorizationServerUrl;
    }

    /** @return the userinfo endpoint, or {@code null} when not configured */
    public String getUserInfoServerUrl() {
        return userInfoServerUrl;
    }

    /** @return the claim used as the Jenkins user id ({@code "sub"} by construction; the setter may clear it) */
    public String getUserNameField() {
        return userNameField;
    }

    /** @return the claim the login check compares, or {@code null} for no check (the check is outside this view) */
    public String getTokenFieldToCheckKey() {
        return tokenFieldToCheckKey;
    }

    /** @return the value expected in {@link #getTokenFieldToCheckKey()}, or {@code null} */
    public String getTokenFieldToCheckValue() {
        return tokenFieldToCheckValue;
    }

    /** @return the claim mapped to the user's full name, or {@code null} */
    public String getFullNameFieldName() {
        return fullNameFieldName;
    }

    /** @return the claim mapped to the user's e-mail address, or {@code null} */
    public String getEmailFieldName() {
        return emailFieldName;
    }

    /** @return the groups claim, possibly in {@code outer[].inner} form (see {@link #setGroupsFieldName}), or {@code null} */
    public String getGroupsFieldName() {
        return groupsFieldName;
    }

    /** @return the configured scopes, or {@code "openid email"} when none were set */
    public String getScopes() {
        if (scopes == null) {
            return "openid email";
        }
        return scopes;
    }

    /** @return whether the provider transport was built without TLS certificate validation (see constructHttpTransport) */
    public boolean isDisableSslVerification() {
        return disableSslVerification;
    }

    /** @return whether a Jenkins logout also ends the session at the provider (consumed outside this view) */
    public boolean isLogoutFromOpenidProvider() {
        return logoutFromOpenidProvider;
    }

    /** @return the provider's end-session endpoint, or {@code null} */
    public String getEndSessionEndpoint() {
        return endSessionEndpoint;
    }

    /** @return where the provider should send the browser after logout, or {@code null} */
    public String getPostLogoutRedirectUrl() {
        return postLogoutRedirectUrl;
    }

    /** @return whether the local username/password escape hatch accepts logins (see {@link #createSecurityComponents()}) */
    public boolean isEscapeHatchEnabled() {
        return escapeHatchEnabled;
    }

    /** @return the escape-hatch user name, or {@code null} when unset */
    public String getEscapeHatchUsername() {
        return escapeHatchUsername;
    }

    /** @return the escape-hatch password as a {@link Secret} (encrypted at rest), or {@code null} when unset */
    public Secret getEscapeHatchSecret() {
        return escapeHatchSecret;
    }

    /** @return the extra authority granted to an escape-hatch login, or {@code null} */
    public String getEscapeHatchGroup() {
        return escapeHatchGroup;
    }

    /** @return {@code "auto"}, {@code "manual"}, or the raw (possibly empty) mode value given to the Stapler constructor */
    public String getAutomanualconfigure() {
        return automanualconfigure;
    }

    /**
     * @return whether an override scope list is set. Derived from {@code overrideScopes} itself, not
     *         from the transient {@code overrideScopesDefined} form flag.
     */
    public boolean isOverrideScopesDefined() {
        boolean defined = overrideScopes != null;
        return defined;
    }

    /** @return the scope list that narrows the provider-advertised scopes in auto mode, or {@code null} */
    public String getOverrideScopes() {
        return overrideScopes;
    }

    /** @return whether the root URL is derived from the incoming request rather than the configured one (consumed outside this view) */
    public boolean isRootURLFromRequest() {
        return rootURLFromRequest;
    }

    /** @return whether the scope list is repeated in the token request (consumed outside this view) */
    public boolean isSendScopesInTokenRequest() {
        return sendScopesInTokenRequest;
    }

    /** @return whether PKCE is used for the authorization-code exchange (consumed outside this view) */
    public boolean isPkceEnabled() {
        return pkceEnabled;
    }

    /** @return whether the ID-token nonce check is switched off, which weakens replay protection (consumed outside this view) */
    public boolean isNonceDisabled() {
        return nonceDisabled;
    }

    /** @return whether endpoints are taken from the discovery document ({@code automanualconfigure} is exactly {@code "auto"}) */
    public boolean isAutoConfigure() {
        return automanualconfigure != null && automanualconfigure.equals("auto");
    }

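    /**
     * Auto-configuration: fetches the provider's discovery document from
     * {@code wellKnownOpenIDConfigurationUrl} and copies endpoints, preferred token-auth method,
     * supported scopes and end-session endpoint into this realm, keeping the current value for
     * anything the document omits. No-op unless {@link #isAutoConfigure()} and a URL is set.
     * <p>
     * The document is re-fetched only once the cached copy has expired ({@code wellKnownExpires},
     * set from the response by {@link #setWellKnownExpires}). The previous freshness test was
     * inverted: it re-fetched on every call while the cache was still fresh and never again once
     * it had expired.
     * <p>
     * Failures are logged and leave the current configuration untouched, so an unreachable
     * provider at construction time yields a realm with whatever manual values were supplied.
     */
    private void loadWellKnownOpenIDConfigurationUrl() {
        if (!isAutoConfigure() || this.wellKnownOpenIDConfigurationUrl == null) {
            return;
        }
        LocalDateTime now = LocalDateTime.now();
        if (this.wellKnownExpires != null && this.wellKnownExpires.isAfter(now)) {
            return; // cached discovery document is still fresh
        }
        try {
            HttpResponse response = this.httpTransport.createRequestFactory()
                    .buildGetRequest(new GenericUrl(new URL(this.wellKnownOpenIDConfigurationUrl)))
                    .execute();
            HttpHeaders headers = response.getHeaders();
            WellKnownOpenIDConfigurationResponse config;
            try {
                // JSON is UTF-8 by specification; the platform default charset is not.
                config = GsonFactory.getDefaultInstance().fromInputStream(
                        response.getContent(), StandardCharsets.UTF_8, WellKnownOpenIDConfigurationResponse.class);
            } finally {
                response.disconnect();
            }
            this.authorizationServerUrl = Util.fixNull(config.getAuthorizationEndpoint(), this.authorizationServerUrl);
            this.tokenServerUrl = Util.fixNull(config.getTokenEndpoint(), this.tokenServerUrl);
            this.tokenAuthMethod = Util.fixNull(config.getPreferredTokenAuthMethod(), this.tokenAuthMethod);
            this.userInfoServerUrl = Util.fixNull(config.getUserinfoEndpoint(), this.userInfoServerUrl);
            if (config.getScopesSupported() != null) {
                setScopes(StringUtils.join(config.getScopesSupported(), " "));
            }
            // Narrow the advertised scopes to the admin's override list, if any.
            applyOverrideScopes();
            this.endSessionEndpoint = Util.fixNull(config.getEndSessionEndpoint(), this.endSessionEndpoint);
            // Only a fully applied document counts as cached.
            setWellKnownExpires(headers);
        } catch (HttpResponseException e) {
            LOGGER.log(Level.SEVERE, "Could not get wellknown OpenID Configuration", (Throwable) e);
        } catch (JsonParseException e) {
            LOGGER.log(Level.SEVERE, "Could not parse wellknown OpenID Configuration", (Throwable) e);
        } catch (MalformedURLException e) {
            LOGGER.log(Level.SEVERE, "Invalid WellKnown OpenID Configuration URL", (Throwable) e);
        } catch (IOException e) {
            LOGGER.log(Level.SEVERE, "Error while loading wellknown OpenID Configuration", (Throwable) e);
        }
    }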

    /* JADX WARN: Type inference failed for: r1v5, types: [java.time.LocalDateTime] */
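    /**
     * Derives the cache lifetime of the discovery document from the response's {@code Expires}
     * header. Absent, {@code "0"} or unparsable values fall back to one hour from now; the
     * unparsable case (for instance {@code "-1"}, a common way to say "already expired") previously
     * let an unchecked {@code DateTimeParseException} escape the loader. The header is an RFC 1123
     * date with a zone, so it is converted to the system zone before being stored as the
     * {@link LocalDateTime} that the loader compares with {@code LocalDateTime.now()}.
     *
     * @param httpHeaders headers of the discovery-document response
     */
    private void setWellKnownExpires(HttpHeaders httpHeaders) {
        LocalDateTime fallback = LocalDateTime.now().plusSeconds(3600L);
        String expires = Util.fixEmpty(httpHeaders.getExpires());
        if (expires == null || "0".equals(expires)) {
            this.wellKnownExpires = fallback;
            return;
        }
        try {
            ZonedDateTime parsed = ZonedDateTime.parse(expires, DateTimeFormatter.RFC_1123_DATE_TIME);
            this.wellKnownExpires = parsed.withZoneSameInstant(ZoneId.systemDefault()).toLocalDateTime();
        } catch (DateTimeParseException e) {
            LOGGER.log(Level.FINE, "Unparsable Expires header on OpenID configuration response: " + expires, e);
            this.wellKnownExpires = fallback;
        }
    }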

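    /**
     * Sets the discovery-document URL and resolves the configuration mode: stays/becomes
     * {@code "manual"} (URL cleared) when the realm is not already in auto mode and either a mode
     * was given explicitly or no URL was supplied; otherwise switches to {@code "auto"} and fetches
     * the document at once (an outbound request whose failures are logged, not thrown).
     * <p>
     * {@code automanualconfigure} may still be {@code null} on an instance restored from older
     * persisted data; it is read through {@code Util.fixNull} so that case is treated as "no mode
     * given" instead of failing with a NullPointerException.
     *
     * @param str the well-known configuration URL, possibly blank
     */
    @DataBoundSetter
    public void setWellKnownOpenIDConfigurationUrl(String str) {
        String mode = Util.fixNull(this.automanualconfigure);
        boolean urlGiven = !Util.fixNull(str).isEmpty();
        if (!isAutoConfigure() && (!mode.isEmpty() || !urlGiven)) {
            this.automanualconfigure = "manual";
            this.wellKnownOpenIDConfigurationUrl = null;
        } else {
            this.automanualconfigure = "auto";
            this.wellKnownOpenIDConfigurationUrl = str;
            loadWellKnownOpenIDConfigurationUrl();
        }
    }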

    /**
     * In auto mode, narrows the scope list to the intersection of the current scopes and the
     * override list (whitespace-separated); with no current scopes the override list is adopted as
     * is. No-op in manual mode or without an override list. The result is rebuilt from a HashSet,
     * so scope order is not preserved.
     */
    private void applyOverrideScopes() {
        boolean autoMode = "auto".equals(automanualconfigure);
        if (!autoMode || overrideScopes == null) {
            return;
        }
        if (scopes == null) {
            scopes = overrideScopes;
            return;
        }
        HashSet<String> kept = new HashSet<>(Arrays.asList(scopes.trim().split("\\s+")));
        kept.retainAll(Arrays.asList(overrideScopes.trim().split("\\s+")));
        setScopes(StringUtils.join(kept, " "));
    }

    /** Sets the claim used as the Jenkins user id; blank clears it. */
    @DataBoundSetter
    public void setUserNameField(String value) {
        userNameField = Util.fixEmpty(value);
    }

    /** Sets the claim the login check compares; blank clears it. */
    @DataBoundSetter
    public void setTokenFieldToCheckKey(String value) {
        tokenFieldToCheckKey = Util.fixEmpty(value);
    }

    /** Sets the value expected in the checked claim; blank clears it. */
    @DataBoundSetter
    public void setTokenFieldToCheckValue(String value) {
        tokenFieldToCheckValue = Util.fixEmpty(value);
    }

    /** Sets the claim mapped to the user's full name; blank clears it. */
    @DataBoundSetter
    public void setFullNameFieldName(String value) {
        fullNameFieldName = Util.fixEmpty(value);
    }

    /** Sets the claim mapped to the user's e-mail address; blank clears it. */
    @DataBoundSetter
    public void setEmailFieldName(String value) {
        emailFieldName = Util.fixEmpty(value);
    }

    /**
     * Sets the groups claim and derives the transient split: {@code "outer[].inner"} becomes
     * {@code simpleGroupsFieldName = "outer"} and {@code nestedGroupFieldName = "inner"}; a plain
     * name leaves the nested part {@code null}. More than one {@code "[]."} is not supported and
     * only warned about (the descriptor's form check rejects it). Blank clears the claim and
     * leaves the transient fields untouched.
     */
    @DataBoundSetter
    public void setGroupsFieldName(String value) {
        groupsFieldName = Util.fixEmpty(value);
        if (groupsFieldName == null) {
            return;
        }
        String[] outerAndInner = groupsFieldName.split("\\[\\]\\.", 2);
        simpleGroupsFieldName = Util.fixEmpty(outerAndInner[0]);
        nestedGroupFieldName = outerAndInner.length > 1 ? Util.fixEmpty(outerAndInner[1]) : null;
        if (groupsFieldName.split("\\[\\]\\.").length > 2) {
            LOGGER.warning("nestedGroupFieldName contains more than one []., this is not supported");
        }
        LOGGER.fine("in setGroupsFieldName,  groupsFieldName is " + groupsFieldName + " simpleGroupsFieldName is " + simpleGroupsFieldName + " nestedGroupFieldName is " + nestedGroupFieldName);
    }

    /** Sets the requested scopes, trimmed; blank clears them so {@link #getScopes()} falls back to its default. */
    public void setScopes(String value) {
        scopes = Util.fixEmptyAndTrim(value);
    }

    /** Sets whether a Jenkins logout also ends the provider session. */
    @DataBoundSetter
    public void setLogoutFromOpenidProvider(boolean value) {
        logoutFromOpenidProvider = value;
    }

    /** Sets the post-logout redirect URL; blank clears it. */
    @DataBoundSetter
    public void setPostLogoutRedirectUrl(String value) {
        postLogoutRedirectUrl = Util.fixEmpty(value);
    }

    /** Enables or disables the local username/password escape hatch checked in {@link #createSecurityComponents()}. */
    @DataBoundSetter
    public void setEscapeHatchEnabled(boolean value) {
        escapeHatchEnabled = value;
    }

    /** Sets the escape-hatch user name; blank clears it. */
    @DataBoundSetter
    public void setEscapeHatchUsername(String value) {
        escapeHatchUsername = Util.fixEmpty(value);
    }

    /** Sets the escape-hatch password, stored as a {@link Secret}; {@code null} is accepted as is. */
    @DataBoundSetter
    public void setEscapeHatchSecret(Secret value) {
        escapeHatchSecret = value;
    }

    /** Sets the extra authority granted to escape-hatch logins; blank clears it. */
    @DataBoundSetter
    public void setEscapeHatchGroup(String value) {
        escapeHatchGroup = Util.fixEmpty(value);
    }

    /**
     * Form flag for the optional override-scope block. Turning it off also drops any override
     * list and re-applies scopes; turning it on only records the flag so a following
     * {@link #setOverrideScopes} call is honoured.
     */
    @DataBoundSetter
    public void setOverrideScopesDefined(boolean value) {
        overrideScopesDefined = Boolean.valueOf(value);
        if (!value) {
            overrideScopes = null;
            applyOverrideScopes();
        }
    }

    /**
     * Sets the override scope list (trimmed; blank clears it) and re-applies scopes, unless the
     * form flag was explicitly set to false. A flag that was never set counts as "allowed".
     */
    @DataBoundSetter
    public void setOverrideScopes(String value) {
        boolean overridesAllowed = overrideScopesDefined == null || overrideScopesDefined;
        if (!overridesAllowed) {
            return;
        }
        overrideScopes = Util.fixEmptyAndTrim(value);
        applyOverrideScopes();
    }

    /** Sets whether the root URL is derived from the incoming request rather than the configured one. */
    @DataBoundSetter
    public void setRootURLFromRequest(boolean value) {
        rootURLFromRequest = value;
    }

    /** Sets whether the scope list is repeated in the token request. */
    @DataBoundSetter
    public void setSendScopesInTokenRequest(boolean value) {
        sendScopesInTokenRequest = value;
    }

    /** Sets whether PKCE is used for the authorization-code exchange. */
    @DataBoundSetter
    public void setPkceEnabled(boolean value) {
        pkceEnabled = value;
    }

    /** Sets whether the ID-token nonce check is switched off (weakens replay protection; keep it on unless the provider cannot echo a nonce). */
    @DataBoundSetter
    public void setNonceDisabled(boolean value) {
        nonceDisabled = value;
    }

    /** @return the relative path Jenkins sends browsers to in order to start an OIDC login */
    public String getLoginUrl() {
        final String commenceLoginPath = "securityRealm/commenceLogin";
        return commenceLoginPath;
    }

    /** @return the relative path of the username/password gateway, i.e. the escape hatch */
    public String getAuthenticationGatewayUrl() {
        final String escapeHatchPath = "securityRealm/escapeHatch";
        return escapeHatchPath;
    }

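    /**
     * Wires the two Spring Security components Jenkins needs.
     * <p>
     * The {@link AuthenticationManager} accepts exactly two things: an anonymous token (passed
     * through unchanged) and, while the escape hatch is enabled, a username/password token that
     * matches the configured escape-hatch credentials. Anything else is rejected with
     * {@link BadCredentialsException}; regular OIDC logins do not go through this manager. The
     * {@link UserDetailsService} rebuilds a user's authorities from the {@link OicUserProperty}
     * stored on the Jenkins {@link User}, never creating users.
     * <p>
     * The escape hatch is the one place in this realm that compares a secret presented by an
     * unauthenticated client, so the comparison is length-independent rather than
     * {@code String.equals}, and an escape hatch with no username or no secret configured refuses
     * outright instead of comparing against an empty string.
     *
     * @return the realm's security components
     */
    public SecurityRealm.SecurityComponents createSecurityComponents() {
        return new SecurityRealm.SecurityComponents(new AuthenticationManager() { // from class: org.jenkinsci.plugins.oic.OicSecurityRealm.1
            @Override
            public Authentication authenticate(Authentication authentication) throws AuthenticationException {
                if (authentication instanceof AnonymousAuthenticationToken) {
                    return authentication;
                }
                if (!(authentication instanceof UsernamePasswordAuthenticationToken) || !OicSecurityRealm.this.escapeHatchEnabled) {
                    throw new BadCredentialsException("Unexpected authentication type: " + authentication);
                }
                // Random delay before any comparison, to slow down guessing against the escape hatch.
                OicSecurityRealm.this.randomWait();
                String expectedUser = OicSecurityRealm.this.escapeHatchUsername;
                Secret expectedSecret = OicSecurityRealm.this.escapeHatchSecret;
                // An unconfigured escape hatch must never authenticate; without this guard the
                // password check would run against whatever Secret.toString(null) yields.
                if (expectedUser == null || expectedSecret == null) {
                    throw new BadCredentialsException("Wrong username and password: " + authentication);
                }
                Object principal = authentication.getPrincipal();
                Object credentials = authentication.getCredentials();
                String presentedUser = principal == null ? null : principal.toString();
                String presentedSecret = credentials == null ? null : credentials.toString();
                if (!constantTimeEquals(presentedUser, expectedUser)
                        || !constantTimeEquals(presentedSecret, Secret.toString(expectedSecret))) {
                    throw new BadCredentialsException("Wrong username and password: " + authentication);
                }
                List<GrantedAuthority> authorities = new ArrayList<>();
                authorities.add(SecurityRealm.AUTHENTICATED_AUTHORITY2);
                if (StringUtils.isNotBlank(OicSecurityRealm.this.escapeHatchGroup)) {
                    authorities.add(new SimpleGrantedAuthority(OicSecurityRealm.this.escapeHatchGroup));
                }
                // The returned token carries no credentials, only the configured name and authorities.
                UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(expectedUser, "", authorities);
                SecurityContextHolder.getContext().setAuthentication(token);
                SecurityListener.fireAuthenticated2(new OicUserDetails(expectedUser, authorities));
                return token;
            }
        }, new UserDetailsService() { // from class: org.jenkinsci.plugins.oic.OicSecurityRealm.2
            @Override
            public UserDetails loadUserByUsername(String str) throws UsernameNotFoundException {
                OicSecurityRealm.LOGGER.fine("loadUserByUsername in createSecurityComponents called, username: " + str);
                // Lookup only (create = false): an unknown name must not materialise a User record.
                User user = User.get(str, false, Collections.emptyMap());
                if (user == null) {
                    OicSecurityRealm.LOGGER.fine("loadUserByUsername in createSecurityComponents called, no user '" + str + "' found");
                    throw new UsernameNotFoundException(str);
                }
                OicSecurityRealm.LOGGER.fine("loadUserByUsername in createSecurityComponents called, user: " + user);
                OicUserProperty oicUserProperty = user.getProperty(OicUserProperty.class);
                List<GrantedAuthority> authorities = new ArrayList<>();
                if (oicUserProperty != null) {
                    authorities = oicUserProperty.getAuthoritiesAsGrantedAuthorities();
                    OicSecurityRealm.LOGGER.fine("loadUserByUsername in createSecurityComponents called, oic prop found with username '" + oicUserProperty.getUserName() + "', auths size: " + authorities.size());
                }
                return new OicUserDetails(str, authorities);
            }
        });
    }

    /**
     * Compares a presented value with the expected one without short-circuiting on the first
     * differing byte. {@code null} on either side never matches.
     *
     * @param presented value supplied by the client, may be {@code null}
     * @param expected  configured value, may be {@code null}
     * @return whether both are non-null and byte-for-byte equal in UTF-8
     */
    private static boolean constantTimeEquals(String presented, String expected) {
        if (presented == null || expected == null) {
            return false;
        }
        return MessageDigest.isEqual(
                presented.getBytes(StandardCharsets.UTF_8), expected.getBytes(StandardCharsets.UTF_8));
    }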

    /**
     * Builds the OAuth {@link AuthorizationCodeFlow} for this realm's client settings.
     * <p>
     * Client authentication follows {@code tokenAuthMethod}: for {@code client_secret_basic} the client id and
     * secret go into an HTTP Basic {@code Authorization} header and the bearer token is carried in the header
     * as well; otherwise both are sent as request parameters. PKCE is enabled when {@code pkceEnabled} is set.
     *
     * @return a new flow configured with this realm's token endpoint, authorization endpoint and scopes
     */
    protected AuthorizationCodeFlow buildAuthorizationCodeFlow() {
        String secret = Secret.toString(this.clientSecret);
        boolean useBasicAuth = TokenAuthMethod.client_secret_basic.equals(this.tokenAuthMethod);
        Credential.AccessMethod accessMethod = useBasicAuth
                ? BearerToken.authorizationHeaderAccessMethod()
                : BearerToken.queryParameterAccessMethod();
        HttpExecuteInterceptor clientAuth = useBasicAuth
                ? new BasicAuthentication(this.clientId, secret)
                : new ClientParametersAuthentication(this.clientId, secret);
        AuthorizationCodeFlow.Builder builder = new AuthorizationCodeFlow.Builder(
                accessMethod,
                this.httpTransport,
                GsonFactory.getDefaultInstance(),
                new GenericUrl(this.tokenServerUrl),
                clientAuth,
                this.clientId,
                this.authorizationServerUrl);
        builder.setScopes(Arrays.asList(getScopes()));
        if (this.pkceEnabled) {
            builder.enablePKCE();
        }
        return builder.build();
    }

    /**
     * Vets a caller-supplied post-login destination (the {@code from} parameter or the {@code Referer} header)
     * so that the login flow only redirects within this Jenkins instance.
     * <ul>
     *   <li>a missing or empty value yields the Jenkins root URL;</li>
     *   <li>a value starting with {@code /} is treated as relative: it is appended to the root URL and the
     *       result is normalised;</li>
     *   <li>an absolute URL is accepted unchanged only when its host equals the host of the root URL; any
     *       other host, and anything {@link URL} cannot parse, falls back to the root URL.</li>
     * </ul>
     * Only the host is compared: scheme and port are not, so a same-host URL on another scheme or port is
     * still accepted.
     *
     * @param str the requested destination, possibly {@code null}
     * @return the destination to redirect to
     */
    protected String getValidRedirectUrl(String str) {
        String root = getRootUrl();
        if (str == null || str.isEmpty()) {
            return root;
        }
        if (str.startsWith("/")) {
            return URI.create(root + str).normalize().toString();
        }
        try {
            String requestedHost = new URL(str).getHost();
            String ownHost = new URL(root).getHost();
            if (requestedHost.equals(ownHost)) {
                return str;
            }
        } catch (MalformedURLException ignored) {
            // Not a parseable absolute URL (or no root URL): treat as untrusted and fall back to the root.
        }
        return root;
    }

    /**
     * Stapler endpoint that starts an OIDC login ({@code securityRealm/commenceLogin}).
     * <p>
     * Re-reads the provider metadata ({@code loadWellKnownOpenIDConfigurationUrl}), builds the
     * authorization-code flow and hands over to an {@link OicSession}. The post-login destination is the
     * {@code from} parameter, falling back to the {@code Referer} header, vetted by
     * {@link #getValidRedirectUrl(String)} before it is used.
     * <p>
     * {@code onSuccess} runs when the provider calls back with an authorization code: it exchanges the code for
     * tokens, parses the id token, checks its nonce (unless nonces are disabled), applies the optional claim gate
     * ({@link #failedCheckOfTokenField}), fetches UserInfo when an endpoint is configured, resolves the Jenkins
     * user name from the configured claim and logs the user in.
     *
     * @param str the {@code from} query parameter (where to go after login), may be {@code null}
     * @param str2 the {@code Referer} header, used when {@code from} is missing
     * @return whatever {@code OicSession.doCommenceLogin} produces (presumably the redirect to the provider)
     */
    @Restricted({DoNotUse.class})
    public org.kohsuke.stapler.HttpResponse doCommenceLogin(@QueryParameter String str, @Header("Referer") String str2) {
        loadWellKnownOpenIDConfigurationUrl();
        final String validRedirectUrl = getValidRedirectUrl(str != null ? str : str2);
        final AuthorizationCodeFlow buildAuthorizationCodeFlow = buildAuthorizationCodeFlow();
        // The raw 'from' value is handed to the session; only the vetted validRedirectUrl is used for the
        // final redirect below. What OicSession does with the raw value is not visible here.
        return new OicSession(buildAuthorizationCodeFlow, str, buildOAuthRedirectUrl()) { // from class: org.jenkinsci.plugins.oic.OicSecurityRealm.3
            /**
             * Completes the login once the provider has returned an authorization code.
             *
             * @param str3 the authorization code
             * @return a redirect to the vetted destination on success; 401 when the nonce or the claim gate
             *         fails; 500 when no user-name claim is found or the token exchange fails with an IOException
             */
            @Override // org.jenkinsci.plugins.oic.OicSession
            public org.kohsuke.stapler.HttpResponse onSuccess(String str3) {
                try {
                    // redirect_uri must be the same value that was used for the authorization request.
                    AuthorizationCodeTokenRequest responseClass = buildAuthorizationCodeFlow.newTokenRequest(str3).setRedirectUri(OicSecurityRealm.this.buildOAuthRedirectUrl()).setResponseClass(OicTokenResponse.class);
                    if (!OicSecurityRealm.this.sendScopesInTokenRequest) {
                        responseClass.setScopes((Collection<String>) Collections.emptyList());
                    }
                    OicTokenResponse oicTokenResponse = (OicTokenResponse) responseClass.execute();
                    IdToken parseIdToken = oicTokenResponse.parseIdToken();
                    // Proceed only if (nonce checking is off OR the nonce matches) AND the optional claim gate passes.
                    if ((OicSecurityRealm.this.isNonceDisabled() || validateNonce(parseIdToken)) && !OicSecurityRealm.this.failedCheckOfTokenField(parseIdToken)) {
                        // Kept on the session so doLogout can pass it to the provider as id_token_hint.
                        setIdToken(oicTokenResponse.getIdToken());
                        GenericJson genericJson = null;
                        if (!Strings.isNullOrEmpty(OicSecurityRealm.this.userInfoServerUrl)) {
                            genericJson = OicSecurityRealm.this.getUserInfo(buildAuthorizationCodeFlow, oicTokenResponse.getAccessToken());
                        }
                        String determineStringField = OicSecurityRealm.this.determineStringField(OicSecurityRealm.this.userNameField, parseIdToken, genericJson);
                        if (determineStringField == null) {
                            return HttpResponses.error(500, "no field '" + OicSecurityRealm.this.userNameField + "' was supplied in the UserInfo or the IdToken payload to be used as the username");
                        }
                        // No user id is associated with the stored credential (second argument null).
                        buildAuthorizationCodeFlow.createAndStoreCredential(oicTokenResponse, null);
                        // toString() on a String is a no-op left over from decompilation.
                        OicSecurityRealm.this.loginAndSetUserData(determineStringField.toString(), parseIdToken, genericJson);
                        return new HttpRedirect(validRedirectUrl);
                    }
                    return HttpResponses.errorWithoutStack(401, "Unauthorized");
                } catch (IOException e) {
                    // NOTE(review): this variant renders the exception to the client; check what it exposes.
                    return HttpResponses.error(500, e);
                }
            }
        }.doCommenceLogin(isNonceDisabled());
    }

    /**
     * Sleeps for a random interval of one to two seconds. Called from the escape-hatch
     * {@code AuthenticationManager} in {@link #createSecurityComponents()} before the credentials are compared.
     */
    @SuppressFBWarnings(value = {"DMI_RANDOM_USED_ONLY_ONCE"}, justification = "False positive in spotbug about DMI_RANDOM_USED_ONLY_ONCE")
    private void randomWait() {
        int jitterMillis = RANDOM.nextInt(1000);
        try {
            Thread.sleep(1000L + jitterMillis);
        } catch (InterruptedException e) {
            // Restore the interrupt flag so callers further up can observe it.
            Thread.currentThread().interrupt();
        }
    }

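    /**
     * Fetches the claims from the provider's UserInfo endpoint ({@code userInfoServerUrl}), presenting the
     * access token as {@code Authorization: Bearer}.
     * <p>
     * A response declared as {@code application/jwt} is decoded as a JSON Web Signature and its payload is
     * returned; any other (or missing) {@code Content-Type} is parsed as plain JSON. Only decoding happens here:
     * this method does not verify a JWS signature.
     *
     * @param authorizationCodeFlow the flow whose transport and JSON factory are used for the request
     * @param str the OAuth access token
     * @return the UserInfo claims
     * @throws IOException on transport failure, or when the endpoint answers with a non-2xx status
     */
    private GenericJson getUserInfo(AuthorizationCodeFlow authorizationCodeFlow, final String str) throws IOException {
        HttpRequestInitializer bearerAuth = httpRequest -> httpRequest.getHeaders().setAuthorization("Bearer " + str);
        HttpRequest request = authorizationCodeFlow.getTransport()
                .createRequestFactory(bearerAuth)
                .buildGetRequest(new GenericUrl(this.userInfoServerUrl));
        // Surface non-2xx responses ourselves so the response object is available for the exception.
        request.setThrowExceptionOnExecuteError(false);
        HttpResponse response = request.execute();
        if (!response.isSuccessStatusCode()) {
            throw new HttpResponseException(response);
        }
        // A server that omits Content-Type used to trigger a NullPointerException here; treat it as JSON.
        String contentType = response.getHeaders().getContentType();
        if (contentType != null && contentType.contains("application/jwt")) {
            return JsonWebSignature.parse(authorizationCodeFlow.getJsonFactory(), response.parseAsString()).getPayload();
        }
        return new JsonObjectParser(authorizationCodeFlow.getJsonFactory())
                .parseAndClose(response.getContent(), response.getContentCharset(), GenericJson.class);
    }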

    /**
     * Applies the optional id-token claim gate ({@code tokenFieldToCheckKey} / {@code tokenFieldToCheckValue}).
     * With either setting unset the gate is disabled and nothing is rejected.
     *
     * @param idToken the parsed id token whose payload is inspected
     * @return {@code true} when the gate is configured and the claim is missing or its string form differs from
     *         the expected value; {@code false} when the gate is disabled or the claim matches
     */
    private boolean failedCheckOfTokenField(IdToken idToken) {
        String key = this.tokenFieldToCheckKey;
        String expected = this.tokenFieldToCheckValue;
        if (key == null || expected == null) {
            return false;
        }
        Object actual = getField(idToken.getPayload(), key);
        if (actual == null) {
            return true;
        }
        return !expected.equals(String.valueOf(actual));
    }

    /**
     * Completes a successful OIDC login: computes the granted authorities, installs the authentication in the
     * security context, stores the {@link OicUserProperty}, email and full name on the Jenkins user and notifies
     * security listeners.
     *
     * @param str the Jenkins user name resolved from the configured user-name claim
     * @param idToken the id token (nonce and claim gate already checked by the caller)
     * @param genericJson the UserInfo claims, or {@code null} when no UserInfo endpoint is configured
     * @return the authentication token that was placed in the security context
     * @throws IOException when the authentication resolves to no Jenkins user (anonymous), or when a user
     *         property cannot be added
     */
    private UsernamePasswordAuthenticationToken loginAndSetUserData(String str, IdToken idToken, GenericJson genericJson) throws IOException {
        List<GrantedAuthority> authorities = determineAuthorities(idToken, genericJson);
        if (LOGGER.isLoggable(Level.FINEST)) {
            StringBuilder names = new StringBuilder("(");
            for (GrantedAuthority authority : authorities) {
                names.append(" ").append(authority.getAuthority());
            }
            names.append(" )");
            LOGGER.finest("GrantedAuthorities:" + names);
        }
        // Credentials are left empty: the password never reaches Jenkins in an OIDC login.
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(str, "", authorities);
        SecurityContextHolder.getContext().setAuthentication(token);
        User user = User.get2(token);
        if (user == null) {
            throw new IOException("Cannot set OIDC property on anonymous user");
        }
        user.addProperty(new OicUserProperty(str, authorities));
        String email = determineStringField(this.emailFieldName, idToken, genericJson);
        if (email != null) {
            user.addProperty(new Mailer.UserProperty(email));
        }
        String fullName = determineStringField(this.fullNameFieldName, idToken, genericJson);
        if (fullName != null) {
            user.setFullName(fullName);
        }
        SecurityListener.fireAuthenticated2(new OicUserDetails(str, authorities));
        return token;
    }

    /**
     * Resolves a string claim, preferring UserInfo over the id token.
     * <p>
     * The UserInfo value is used only when it is a {@code String} that is non-blank after trimming; otherwise
     * the id-token claim (stringified by {@link #getField(IdToken, String)}) is trimmed and returned.
     *
     * @param str the claim name; {@code null} means "not configured"
     * @param idToken the id token, may be {@code null}
     * @param genericJson the UserInfo claims, may be {@code null}
     * @return the trimmed value, or {@code null} when the claim is not configured or blank in both sources
     */
    private String determineStringField(String str, IdToken idToken, GenericJson genericJson) {
        if (str == null) {
            return null;
        }
        if (genericJson != null) {
            Object claim = getField(genericJson, str);
            if (claim instanceof String) {
                String trimmed = Util.fixEmptyAndTrim((String) claim);
                if (trimmed != null) {
                    return trimmed;
                }
            }
        }
        if (idToken == null) {
            return null;
        }
        return Util.fixEmptyAndTrim(getField(idToken, str));
    }

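    /**
     * Computes the granted authorities for a login: always {@code AUTHENTICATED_AUTHORITY2}, plus one
     * {@link SimpleGrantedAuthority} per group name found in the configured groups claim
     * ({@code simpleGroupsFieldName}).
     * <p>
     * UserInfo takes precedence when a UserInfo endpoint is configured and its claims contain the field;
     * otherwise the id-token payload is consulted. The raw claim value is normalised by
     * {@link #ensureString(Object)}.
     *
     * @param idToken the id token; {@code null} is tolerated and then only UserInfo is consulted
     * @param genericJson the UserInfo claims, or {@code null}
     * @return a mutable list of authorities, never empty
     */
    private List<GrantedAuthority> determineAuthorities(IdToken idToken, GenericJson genericJson) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        authorities.add(SecurityRealm.AUTHENTICATED_AUTHORITY2);
        if (!StringUtils.isNotBlank(this.simpleGroupsFieldName)) {
            LOGGER.fine("Not adding groups because groupsFieldName is not set. groupsFieldName=" + this.groupsFieldName);
        } else if (!Strings.isNullOrEmpty(this.userInfoServerUrl) && containsField(genericJson, this.simpleGroupsFieldName)) {
            // containsField() is also true for a key whose value is null, in which case getField() returns
            // null: look the value up once and never dereference it just for logging.
            Object groupClaim = getField(genericJson, this.simpleGroupsFieldName);
            LOGGER.fine("UserInfo contains group field name: " + this.simpleGroupsFieldName + " with value class:" + describeClass(groupClaim));
            List<String> groupNames = ensureString(groupClaim);
            if (groupNames.isEmpty()) {
                LOGGER.warning("UserInfo does not contains groups in " + this.simpleGroupsFieldName);
            } else {
                LOGGER.fine("Number of groups in groupNames: " + groupNames.size());
            }
            addGroupAuthorities(authorities, groupNames, "UserInfo");
        } else if (idToken != null && containsField(idToken.getPayload(), this.simpleGroupsFieldName)) {
            Object groupClaim = getField(idToken.getPayload(), this.simpleGroupsFieldName);
            LOGGER.fine("idToken contains group field name: " + this.simpleGroupsFieldName + " with value class:" + describeClass(groupClaim));
            List<String> groupNames = ensureString(groupClaim);
            LOGGER.fine("Number of groups in groupNames: " + groupNames.size());
            addGroupAuthorities(authorities, groupNames, "idToken");
        } else {
            LOGGER.warning("idToken and userInfo did not contain group field name: " + this.simpleGroupsFieldName);
        }
        return authorities;
    }

    /** Renders the class of a claim value for logging; safe for {@code null}. */
    private static String describeClass(Object value) {
        return value == null ? "null" : String.valueOf(value.getClass());
    }

    /**
     * Adds one {@link SimpleGrantedAuthority} per group name, logging each addition.
     *
     * @param source label for the log line, {@code "UserInfo"} or {@code "idToken"}
     */
    private static void addGroupAuthorities(List<GrantedAuthority> authorities, List<String> groupNames, String source) {
        for (String groupName : groupNames) {
            LOGGER.fine("Adding group from " + source + ": " + groupName);
            authorities.add(new SimpleGrantedAuthority(groupName));
        }
    }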

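    /**
     * Normalises the raw value of the groups claim into a list of group names.
     * <ul>
     *   <li>{@code null} / JSON null: empty list, with a warning;</li>
     *   <li>a {@code String}: split on whitespace, commas and square brackets, empty pieces dropped
     *       (so {@code "a, b"} and {@code "[a b]"} both yield {@code a} and {@code b});</li>
     *   <li>a {@code List}: each {@code String} element is taken as-is; each {@code Map} element contributes the
     *       {@code String} stored under {@code nestedGroupFieldName} when that is configured and present; all
     *       other elements are skipped;</li>
     *   <li>anything else: empty list, with a warning.</li>
     * </ul>
     *
     * @param obj the claim value as parsed from UserInfo or the id-token payload
     * @return the group names; never {@code null}, possibly an immutable empty list
     */
    private List<String> ensureString(Object obj) {
        if (obj == null || Data.isNull(obj)) {
            LOGGER.warning("userInfo did not contain a valid group field content, got null");
            return Collections.emptyList();
        }
        if (obj instanceof String) {
            List<String> names = new ArrayList<>();
            for (String piece : ((String) obj).split("[\\s\\[\\],]")) {
                if (piece != null && !piece.isEmpty()) {
                    names.add(piece);
                }
            }
            return names;
        }
        if (obj instanceof List) {
            // Filter element by element instead of casting to List<String>: a list with non-string elements
            // must not leak into the result and fail later with a ClassCastException.
            List<String> names = new ArrayList<>();
            for (Object element : (List<?>) obj) {
                if (element instanceof String) {
                    names.add((String) element);
                } else if (element instanceof Map) {
                    String nested = nestedGroupName((Map<?, ?>) element);
                    if (nested != null) {
                        names.add(nested);
                    }
                }
            }
            return names;
        }
        LOGGER.warning("userInfo did not contain a valid group field content, got: " + obj.getClass().getSimpleName());
        return Collections.emptyList();
    }

    /**
     * Extracts the configured nested group name from one group object.
     *
     * @return the name, or {@code null} when {@code nestedGroupFieldName} is unset, the key is missing, or its
     *         value is not a {@code String}
     */
    private String nestedGroupName(Map<?, ?> group) {
        if (this.nestedGroupFieldName == null) {
            return null;
        }
        Object value = group.get(this.nestedGroupFieldName);
        return value instanceof String ? (String) value : null;
    }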

    /**
     * Reads a claim from the id-token payload as a string.
     *
     * @param idToken the token whose payload is searched
     * @param str the claim name (dotted paths are supported, see {@link #getField(GenericJson, String)})
     * @return {@code String.valueOf} of the claim, or {@code null} when it is absent or null
     */
    private String getField(IdToken idToken, String str) {
        Object claim = getField(idToken.getPayload(), str);
        return claim == null ? null : String.valueOf(claim);
    }

    /**
     * Handles Jenkins logout. When an OIC session exists, its id token and state are stashed as request
     * attributes first, so that {@link #getPostLogOutUrl2} can read them from the request; then the standard
     * logout runs.
     */
    @Restricted({DoNotUse.class})
    public void doLogout(StaplerRequest staplerRequest, StaplerResponse staplerResponse) throws IOException, ServletException {
        OicSession session = OicSession.getCurrent();
        if (session == null) {
            super.doLogout(staplerRequest, staplerResponse);
            return;
        }
        staplerRequest.setAttribute(ID_TOKEN_REQUEST_ATTRIBUTE, session.getIdToken());
        staplerRequest.setAttribute(STATE_REQUEST_ATTRIBUTE, session.getState());
        super.doLogout(staplerRequest, staplerResponse);
    }

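    /**
     * Returns the URL the browser is sent to after Jenkins logout.
     * <p>
     * When {@code logoutFromOpenidProvider} is enabled and an {@code endSessionEndpoint} is known, this is the
     * provider's end-session URL carrying {@code id_token_hint} and {@code state} (from the request attributes
     * stashed by {@link #doLogout}) and, when configured, {@code post_logout_redirect_uri}. Every value is
     * URL-encoded, and a parameter whose value is absent is omitted instead of being sent as the literal text
     * {@code null}. Otherwise the plain Jenkins logout destination from {@link #getFinalLogoutUrl} is used.
     *
     * @param staplerRequest the logout request
     * @param authentication the authentication being logged out
     * @return the URL to redirect to
     */
    public String getPostLogOutUrl2(StaplerRequest staplerRequest, Authentication authentication) {
        if (!this.logoutFromOpenidProvider || Strings.isNullOrEmpty(this.endSessionEndpoint)) {
            return getFinalLogoutUrl(staplerRequest, authentication);
        }
        StringBuilder url = new StringBuilder(this.endSessionEndpoint);
        boolean hasQuery = false;
        hasQuery |= appendQueryParameter(url, hasQuery, "id_token_hint", staplerRequest.getAttribute(ID_TOKEN_REQUEST_ATTRIBUTE));
        hasQuery |= appendQueryParameter(url, hasQuery, "state", staplerRequest.getAttribute(STATE_REQUEST_ATTRIBUTE));
        appendQueryParameter(url, hasQuery, "post_logout_redirect_uri", this.postLogoutRedirectUrl);
        return url.toString();
    }

    /**
     * Appends {@code name=value} to {@code url} with the value URL-encoded, using {@code ?} for the first
     * parameter and {@code &} afterwards. A {@code null} value appends nothing.
     *
     * @param hasQuery whether a parameter has already been appended to {@code url}
     * @return {@code true} when a parameter was appended
     */
    private static boolean appendQueryParameter(StringBuilder url, boolean hasQuery, String name, Object value) {
        if (value == null) {
            return false;
        }
        try {
            url.append(hasQuery ? '&' : '?').append(name).append('=').append(URLEncoder.encode(String.valueOf(value), HTTP.UTF_8));
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is not supported by this JVM", e);
        }
        return true;
    }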

    /**
     * Chooses the non-provider logout destination: the standard Jenkins post-logout URL when the current user
     * may still read Jenkins, otherwise the plugin's own {@code /OicLogout} page under the context path.
     */
    private String getFinalLogoutUrl(StaplerRequest staplerRequest, Authentication authentication) {
        if (Jenkins.get().hasPermission(Jenkins.READ)) {
            return super.getPostLogOutUrl2(staplerRequest, authentication);
        }
        return staplerRequest.getContextPath() + "/OicLogout";
    }

    /**
     * Returns the Jenkins root URL: derived from the current request when {@code rootURLFromRequest} is set,
     * the configured value otherwise. May be {@code null} when Jenkins has no root URL.
     */
    private String getRootUrl() {
        Jenkins jenkins = Jenkins.get();
        if (this.rootURLFromRequest) {
            return jenkins.getRootUrlFromRequest();
        }
        return jenkins.getRootUrl();
    }

    /**
     * Builds the OAuth callback URI sent to the provider: {@code <root URL>securityRealm/finishLogin}.
     *
     * @throws NullPointerException when Jenkins has no root URL
     */
    private String buildOAuthRedirectUrl() throws NullPointerException {
        String root = getRootUrl();
        if (root != null) {
            return root + "securityRealm/finishLogin";
        }
        throw new NullPointerException("Jenkins root url should not be null");
    }

    /**
     * Stapler endpoint for the provider's callback ({@code securityRealm/finishLogin}). Resumes the
     * {@link OicSession} started by {@link #doCommenceLogin}; without a session (for instance after a Jenkins
     * restart) the request is rejected with 401.
     */
    public org.kohsuke.stapler.HttpResponse doFinishLogin(StaplerRequest staplerRequest) throws IOException {
        OicSession session = OicSession.getCurrent();
        if (session == null) {
            LOGGER.fine("No session to resume (perhaps jenkins was restarted?)");
            return HttpResponses.errorWithoutStack(401, "Unauthorized");
        }
        return session.doFinishLogin(staplerRequest);
    }

    /**
     * Looks up a claim by (possibly dotted) name.
     *
     * @return the value, or {@code null} both when the claim is absent and when it is present with a null
     *         value; use {@link #containsField} to tell the two cases apart
     */
    public Object getField(GenericJson genericJson, String str) {
        Object value = lookup(genericJson, str);
        return value == PlaceHolder.ABSENT ? null : value;
    }

    /**
     * Tells whether a claim with the given (possibly dotted) name exists, even when its value is null.
     */
    public boolean containsField(GenericJson genericJson, String str) {
        Object value = lookup(genericJson, str);
        return value != PlaceHolder.ABSENT;
    }

    /**
     * Resolves a claim name against a (possibly nested) claim map.
     * <p>
     * Two syntaxes are handled:
     * <ul>
     *   <li>A name containing a double quote is split at the first quote: the part before it must map to a
     *       nested map, which is then searched with the remainder. NOTE(review): the remainder still starts with
     *       the quote itself ({@code str.substring(indexOf)}), so the recursive call takes this same branch with
     *       an empty prefix; confirm against the original source whether {@code indexOf + 1} was intended.</li>
     *   <li>Otherwise the name is a dotted path: the whole name is tried as a literal key first, then ever
     *       shorter prefixes (cut at the last {@code .}); a prefix that maps to a nested map is searched
     *       recursively with the rest of the path.</li>
     * </ul>
     * Returns the claim value; {@code null} when the key exists but its value is null; and
     * {@link PlaceHolder#ABSENT} when nothing matched. A literal full-name match whose value is itself a map is
     * reported as ABSENT, so only leaf values are returned.
     *
     * @param map the claim map, must not be {@code null}
     * @param str the claim name or dotted path
     */
    private Object lookup(Map map, String str) {
        Object lookup;
        if (str.contains("\"")) {
            int indexOf = str.indexOf(34);
            Object obj = map.get(str.substring(0, indexOf));
            if (obj != null && (obj instanceof Map)) {
                return lookup((Map) obj, str.substring(indexOf));
            }
            // Key present but not a map (or null): distinguish "present with null" from "absent".
            if (map.containsKey(str.substring(0, indexOf))) {
                return null;
            }
            return PlaceHolder.ABSENT;
        }
        String str2 = str;
        int length = str.length();
        do {
            // str2 is the current prefix; the first iteration tries the full name as a literal key.
            str2 = str2.substring(0, length);
            Object obj2 = map.get(str2);
            if (obj2 != null) {
                if (str2.length() == str.length()) {
                    return obj2 instanceof Map ? PlaceHolder.ABSENT : obj2;
                }
                // NOTE(review): ABSENT is non-null, so a sub-lookup that finds nothing is returned right away
                // and shorter prefixes are not tried.
                if ((obj2 instanceof Map) && (lookup = lookup((Map) obj2, str.substring(str2.length() + 1, str.length()))) != null) {
                    return lookup;
                }
            }
            length = str2.lastIndexOf(46);
        } while (length != -1);
        // Only the shortest prefix (the last value of str2) is checked for "present with null value".
        if (map.containsKey(str2)) {
            return null;
        }
        return PlaceHolder.ABSENT;
    }
}
