package org.jenkinsci.plugins.saml;

import com.google.common.base.Preconditions;
import hudson.Extension;
import hudson.Util;
import hudson.model.Descriptor;
import hudson.model.User;
import hudson.security.SecurityRealm;
import hudson.tasks.Mailer;
import hudson.util.FormValidation;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.Nonnull;
import javax.servlet.ServletException;
import jenkins.model.Jenkins;
import jenkins.security.SecurityListener;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContextHolder;
import org.apache.commons.lang.StringUtils;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.Header;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.pac4j.core.client.RedirectAction;
import org.pac4j.core.context.J2EContext;
import org.pac4j.core.context.J2ERequestContext;
import org.pac4j.core.exception.RequiresHttpAction;
import org.pac4j.saml.client.Saml2Client;
import org.pac4j.saml.profile.Saml2Profile;

/* loaded from: input_file:org/jenkinsci/plugins/saml/SamlSecurityRealm.class */
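/**
 * Jenkins {@link SecurityRealm} that authenticates users against a SAML 2.0 identity
 * provider through pac4j's {@link Saml2Client}.
 *
 * <p>The login flow is: {@link #doCommenceLogin} sends the browser to the IdP,
 * the IdP posts the assertion back to {@value #CONSUMER_SERVICE_URL_PATH}, and
 * {@link #doFinishLogin} turns the resulting {@link Saml2Profile} into a
 * {@link SamlAuthenticationToken}, syncs the user's display name and e-mail, and
 * redirects back to where the user started.
 */
public class SamlSecurityRealm extends SecurityRealm {
    /** Path, relative to the Jenkins root URL, the IdP posts the SAML response back to. */
    public static final String CONSUMER_SERVICE_URL_PATH = "securityRealm/finishLogin";
    /** Session attribute holding the epoch-millisecond timestamp at which the SAML session expires. */
    public static final String EXPIRATION_ATTRIBUTE = SamlSecurityRealm.class.getName() + ".expiration";
    private static final Logger LOG = Logger.getLogger(SamlSecurityRealm.class.getName());
    /** Session attribute holding the Referer captured at login start; only used after validation. */
    private static final String REFERER_ATTRIBUTE = SamlSecurityRealm.class.getName() + ".referer";
    private static final String DEFAULT_DISPLAY_NAME_ATTRIBUTE_NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name";
    private static final String DEFAULT_GROUPS_ATTRIBUTE_NAME = "http://schemas.xmlsoap.org/claims/Group";
    /** Seconds; maximum accepted age of the IdP authentication, handed to the pac4j client. */
    private static final int DEFAULT_MAXIMUM_AUTHENTICATION_LIFETIME = 86400;
    private static final String DEFAULT_USERNAME_CASE_CONVERSION = "none";
    // Not applied by the constructor: when no e-mail attribute is configured the e-mail sync is skipped.
    private static final String DEFAULT_EMAIL_ATTRIBUTE_NAME = "email";
    private String displayNameAttributeName;
    private String groupsAttributeName;
    private int maximumAuthenticationLifetime;
    private String emailAttributeName;
    private final String idpMetadata;
    private final String usernameCaseConversion;
    private final String usernameAttributeName;
    private final String logoutUrl;
    private SamlEncryptionData encryptionData;
    private SamlAdvancedConfiguration advancedConfiguration;

    /** Descriptor registering this realm under the "SAML 2.0" name in the security configuration. */
    @Extension
    public static final class DescriptorImpl extends Descriptor<SecurityRealm> {
        public DescriptorImpl() {
        }

        public DescriptorImpl(Class<? extends SecurityRealm> cls) {
            super(cls);
        }

        public String getDisplayName() {
            return "SAML 2.0";
        }
    }

    /**
     * Data-bound constructor used by the Jenkins configuration form. Parameter names
     * are kept as-is because Stapler binds form fields by parameter name.
     *
     * @param str                       not read by this constructor
     * @param str2                      IdP metadata XML; blank is stored as {@code null}
     * @param str3                      display-name attribute name; blank keeps the default
     * @param str4                      groups attribute name; blank keeps the default
     * @param num                       maximum authentication lifetime in seconds; {@code null} or
     *                                  non-positive keeps the default
     * @param str5                      username attribute name; blank means "use the SAML NameID"
     * @param str6                      e-mail attribute name; blank disables e-mail sync
     * @param str7                      URL to send the browser to after logout; blank means none
     * @param samlAdvancedConfiguration optional advanced settings (may be {@code null})
     * @param samlEncryptionData        optional keystore settings for signing/encryption (may be {@code null})
     * @param str8                      username case conversion: {@code "none"}, {@code "lowercase"} or
     *                                  {@code "uppercase"}; blank means {@code "none"}
     */
    @DataBoundConstructor
    public SamlSecurityRealm(String str, String str2, String str3, String str4, Integer num, String str5, String str6, String str7, SamlAdvancedConfiguration samlAdvancedConfiguration, SamlEncryptionData samlEncryptionData, String str8) {
        this.idpMetadata = Util.fixEmptyAndTrim(str2);
        this.displayNameAttributeName = StringUtils.isNotEmpty(str3) ? str3 : DEFAULT_DISPLAY_NAME_ATTRIBUTE_NAME;
        this.groupsAttributeName = StringUtils.isNotEmpty(str4) ? str4 : DEFAULT_GROUPS_ATTRIBUTE_NAME;
        this.maximumAuthenticationLifetime = (num != null && num.intValue() > 0)
                ? num.intValue()
                : DEFAULT_MAXIMUM_AUTHENTICATION_LIFETIME;
        this.usernameAttributeName = Util.fixEmptyAndTrim(str5);
        this.advancedConfiguration = samlAdvancedConfiguration;
        this.encryptionData = samlEncryptionData;
        this.usernameCaseConversion = StringUtils.defaultIfBlank(str8, DEFAULT_USERNAME_CASE_CONVERSION);
        if (StringUtils.isNotBlank(str6)) {
            this.emailAttributeName = Util.fixEmptyAndTrim(str6);
        }
        this.logoutUrl = Util.fixEmptyAndTrim(str7);
        LOG.finer(toString());
    }

    /** Convenience constructor that keeps usernames as delivered by the IdP (no case conversion). */
    public SamlSecurityRealm(String str, String str2, String str3, String str4, Integer num, String str5, String str6, String str7, SamlAdvancedConfiguration samlAdvancedConfiguration, SamlEncryptionData samlEncryptionData) {
        this(str, str2, str3, str4, num, str5, str6, str7, samlAdvancedConfiguration, samlEncryptionData, DEFAULT_USERNAME_CASE_CONVERSION);
    }

    /** Accounts are created by the IdP, never through Jenkins' sign-up form. */
    public boolean allowsSignup() {
        return false;
    }

    /**
     * Builds the security components. The authentication manager only accepts tokens that
     * {@link #doFinishLogin} already produced; any other token type is rejected.
     */
    public SecurityRealm.SecurityComponents createSecurityComponents() {
        LOG.finer("createSecurityComponents");
        AuthenticationManager manager = new AuthenticationManager() {
            public Authentication authenticate(Authentication authentication) throws AuthenticationException {
                if (authentication instanceof SamlAuthenticationToken) {
                    return authentication;
                }
                throw new BadCredentialsException("Unexpected authentication type: " + authentication);
            }
        };
        return new SecurityRealm.SecurityComponents(manager, new SamlUserDetailsService());
    }

    public String getLoginUrl() {
        return "securityRealm/commenceLogin";
    }

    /**
     * Starts the login: remembers the Referer for the post-login redirect and sends the
     * browser to the IdP, either via an HTTP redirect or via an auto-submitting HTML form.
     *
     * @throws IllegalStateException if pac4j returns an unexpected action type or needs an
     *                               HTTP action this method cannot perform
     */
    public HttpResponse doCommenceLogin(StaplerRequest staplerRequest, @Header("Referer") String str) {
        LOG.fine("SamlSecurityRealm.doCommenceLogin called. Using consumerServiceUrl " + getConsumerServiceUrl());
        // Stored raw; postLoginRedirectTarget() decides whether it is safe to follow.
        staplerRequest.getSession().setAttribute(REFERER_ATTRIBUTE, str);
        try {
            RedirectAction action = newClient().getRedirectAction(new J2ERequestContext(staplerRequest), true, false);
            RedirectAction.RedirectType type = action.getType();
            if (type == RedirectAction.RedirectType.REDIRECT) {
                LOG.fine("REDIRECT : " + action.getLocation());
                return HttpResponses.redirectTo(action.getLocation());
            }
            if (type == RedirectAction.RedirectType.SUCCESS) {
                LOG.fine("SUCCESS : " + action.getContent());
                return HttpResponses.html(action.getContent());
            }
            throw new IllegalStateException("Received unexpected response type " + type);
        } catch (RequiresHttpAction e) {
            throw new IllegalStateException((Throwable) e);
        }
    }

    /**
     * Completes the login from the SAML response posted by the IdP: validates it through
     * pac4j, installs a {@link SamlAuthenticationToken}, records the session expiration
     * when one is configured, syncs the Jenkins user's display name and e-mail, and
     * redirects back to the validated Referer (or the Jenkins root).
     *
     * @throws IllegalStateException if pac4j needs an HTTP action this method cannot perform
     */
    public HttpResponse doFinishLogin(StaplerRequest staplerRequest, StaplerResponse staplerResponse) {
        LOG.finer("SamlSecurityRealm.doFinishLogin called");
        Saml2Client client = newClient();
        J2EContext context = new J2EContext(staplerRequest, staplerResponse);
        try {
            Saml2Profile profile = (Saml2Profile) client.getUserProfile(client.getCredentials(context), context);
            LOG.finer(profile.toString());
            String username = loadUserName(profile);
            List<GrantedAuthority> authorities = loadGrantedAuthorities(profile);
            SamlUserDetails userDetails = new SamlUserDetails(username, authorities.toArray(new GrantedAuthority[authorities.size()]));
            Integer sessionLifetime = getMaximumSessionLifetime();
            if (sessionLifetime != null) {
                // long arithmetic: an int product overflows for lifetimes above ~24 days
                long expiresAt = System.currentTimeMillis() + 1000L * sessionLifetime.intValue();
                staplerRequest.getSession().setAttribute(EXPIRATION_ATTRIBUTE, Long.valueOf(expiresAt));
            }
            SecurityContextHolder.getContext().setAuthentication(new SamlAuthenticationToken(userDetails, staplerRequest.getSession()));
            SecurityListener.fireAuthenticated(userDetails);
            User current = User.current();
            // Both syncs run unconditionally; the result is only used to decide on the save.
            boolean nameChanged = modifyUserFullName(current, profile);
            boolean emailChanged = modifyUserEmail(current, attributeValues(profile, getEmailAttributeName()));
            if (current != null && (nameChanged || emailChanged)) {
                try {
                    current.save();
                } catch (IOException e) {
                    LOG.log(Level.WARNING, "Unable to save updated user data", (Throwable) e);
                }
            }
            SecurityListener.fireLoggedIn(userDetails.getUsername());
            return HttpResponses.redirectTo(postLoginRedirectTarget(staplerRequest));
        } catch (RequiresHttpAction e) {
            throw new IllegalStateException((Throwable) e);
        }
    }

    /**
     * Chooses the post-login destination. The Referer stored by {@link #doCommenceLogin}
     * is followed only when it is a plain relative path or lies under the Jenkins root
     * URL; anything else (another host, a protocol-relative {@code //host} path) is
     * dropped so that a crafted Referer cannot turn the login flow into an open redirect.
     *
     * @return the validated Referer, else the Jenkins root URL (which may be {@code null}
     *         when no root URL is configured)
     */
    private String postLoginRedirectTarget(StaplerRequest request) {
        Object stored = request.getSession().getAttribute(REFERER_ATTRIBUTE);
        String referer = stored instanceof String ? (String) stored : null;
        String root = baseUrl();
        if (StringUtils.isNotBlank(referer)) {
            if (root != null && referer.startsWith(root.endsWith("/") ? root : root + "/")) {
                return referer;
            }
            boolean relativePath = referer.startsWith("/") && !referer.startsWith("//") && !referer.startsWith("/\\");
            if (relativePath) {
                return referer;
            }
            LOG.log(Level.FINE, "Ignoring Referer {0}: not under the Jenkins root URL", referer);
        }
        return root;
    }

    /**
     * Applies the configured case conversion to the username taken from the profile.
     * Uses {@link Locale#ROOT} so the mapping does not depend on the server's default
     * locale (e.g. Turkish dotless-i would otherwise map the same IdP user to a
     * different Jenkins account on differently configured masters).
     */
    private String loadUserName(Saml2Profile profile) {
        String username = getUsernameFromProfile(profile);
        if (username == null || this.usernameCaseConversion == null) {
            return username;
        }
        if ("lowercase".equals(this.usernameCaseConversion)) {
            return username.toLowerCase(Locale.ROOT);
        }
        if ("uppercase".equals(this.usernameCaseConversion)) {
            return username.toUpperCase(Locale.ROOT);
        }
        return username;
    }

    /**
     * Updates the user's full name from the display-name attribute.
     *
     * @return {@code true} when the name was changed and the user needs saving
     */
    private boolean modifyUserFullName(User user, Saml2Profile profile) {
        if (user == null) {
            return false;
        }
        String displayName = firstValue(attributeValues(profile, this.displayNameAttributeName));
        if (StringUtils.isBlank(displayName) || displayName.equals(user.getFullName())) {
            return false;
        }
        user.setFullName(displayName);
        return true;
    }

    /**
     * Builds the authority list: the realm-wide authenticated authority plus one
     * {@link SamlGroupAuthority} per value of the groups attribute.
     */
    private List<GrantedAuthority> loadGrantedAuthorities(Saml2Profile profile) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        authorities.add(AUTHENTICATED_AUTHORITY);
        List<?> groups = attributeValues(profile, this.groupsAttributeName);
        if (groups != null) {
            for (Object group : groups) {
                if (group != null) {
                    authorities.add(new SamlGroupAuthority(group.toString()));
                }
            }
        }
        return authorities;
    }

    /**
     * Updates the user's e-mail address from the first value of the e-mail attribute.
     *
     * @param user   the Jenkins user, may be {@code null}
     * @param values attribute values, may be {@code null} or empty
     * @return {@code true} when the address was changed and the user needs saving
     */
    private boolean modifyUserEmail(User user, List<?> values) {
        if (user == null) {
            return false;
        }
        String email = firstValue(values);
        if (StringUtils.isBlank(email)) {
            return false;
        }
        try {
            Mailer.UserProperty property = user.getProperty(Mailer.UserProperty.class);
            // NOTE(review): a user without a Mailer.UserProperty is left untouched, as before —
            // confirm whether such users should receive the address instead.
            if (property == null) {
                return false;
            }
            if (email.equals(StringUtils.defaultIfBlank(property.getAddress(), ""))) {
                return false;
            }
            user.addProperty(new Mailer.UserProperty(email));
            return true;
        } catch (IOException e) {
            LOG.log(Level.SEVERE, "Could not update user email", (Throwable) e);
            return false;
        }
    }

    /**
     * Resolves the username: the configured attribute when it yields a value, otherwise
     * the SAML NameID ({@link Saml2Profile#getId()}). An empty or non-string attribute
     * value is logged and falls back to the NameID instead of failing the login.
     */
    private String getUsernameFromProfile(Saml2Profile profile) {
        if (this.usernameAttributeName != null) {
            Object attribute = profile.getAttribute(this.usernameAttributeName);
            if (attribute instanceof String) {
                return (String) attribute;
            }
            if (attribute instanceof List && !((List<?>) attribute).isEmpty()) {
                Object first = ((List<?>) attribute).get(0);
                if (first != null) {
                    return first.toString();
                }
            }
            LOG.log(Level.SEVERE, "Unable to get username from attribute {0} value {1}, Saml Profile {2}", new Object[]{this.usernameAttributeName, attribute, profile});
            LOG.log(Level.SEVERE, "Falling back to NameId {0}", profile.getId());
        }
        return profile.getId();
    }

    /**
     * Reads a profile attribute as a list of values.
     *
     * @return the attribute's list as-is, a single non-list value wrapped in a list, or
     *         {@code null} when the name is {@code null} or the attribute is absent
     */
    private static List<?> attributeValues(Saml2Profile profile, String attributeName) {
        if (attributeName == null) {
            return null;
        }
        Object value = profile.getAttribute(attributeName);
        if (value instanceof List) {
            return (List<?>) value;
        }
        if (value == null) {
            return null;
        }
        List<Object> single = new ArrayList<>(1);
        single.add(value);
        return single;
    }

    /** First element of the list rendered as a string, or {@code null} when there is none. */
    private static String firstValue(List<?> values) {
        if (values == null || values.isEmpty()) {
            return null;
        }
        Object first = values.get(0);
        return first == null ? null : first.toString();
    }

    /** Serves the service-provider metadata generated by pac4j. */
    public HttpResponse doMetadata(StaplerRequest staplerRequest, StaplerResponse staplerResponse) {
        return HttpResponses.plainText(newClient().printClientMetadata());
    }

    /**
     * Creates a fresh pac4j client from the realm configuration.
     *
     * @throws NullPointerException if no IdP metadata is configured
     */
    private Saml2Client newClient() {
        Preconditions.checkNotNull(this.idpMetadata, "idpMetadata");
        Saml2Client client = new Saml2Client();
        client.setIdpMetadata(this.idpMetadata);
        client.setCallbackUrl(getConsumerServiceUrl());
        client.setDestinationBindingType("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect");
        if (getEncryptionData() != null) {
            client.setKeystorePath(getKeystorePath());
            client.setKeystorePassword(getKeystorePassword());
            client.setPrivateKeyPassword(getPrivateKeyPassword());
        }
        client.setMaximumAuthenticationLifetime(Integer.valueOf(this.maximumAuthenticationLifetime));
        if (getAdvancedConfiguration() != null) {
            // Boolean.TRUE.equals tolerates a null Boolean coming from the advanced configuration
            client.setForceAuth(Boolean.TRUE.equals(getForceAuthn()));
            if (getSpEntityId() != null) {
                client.setSpEntityId(getSpEntityId());
            }
            if (getAuthnContextClassRef() != null) {
                client.setAuthnContextClassRef(getAuthnContextClassRef());
                client.setComparisonType("exact");
            }
        }
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine(client.printClientMetadata());
        }
        return client;
    }

    /**
     * Post-logout destination: the configured logout URL when set; otherwise Jenkins'
     * default when anonymous users may read, else the realm's own {@code samlLogout} page.
     */
    protected String getPostLogOutUrl(StaplerRequest staplerRequest, @Nonnull Authentication authentication) {
        // java.util.logging uses MessageFormat placeholders ({0}), not SLF4J-style {}
        LOG.log(Level.FINE, "Doing Logout {0}", authentication.getPrincipal());
        String configuredLogoutUrl = getLogoutUrl();
        if (StringUtils.isNotBlank(configuredLogoutUrl)) {
            return configuredLogoutUrl;
        }
        if (Jenkins.getActiveInstance().hasPermission(Jenkins.READ)) {
            return super.getPostLogOutUrl(staplerRequest, authentication);
        }
        return Jenkins.getActiveInstance().getRootUrl() + "samlLogout";
    }

    /** Performs the local Jenkins logout; SAML Single Logout is not implemented. */
    public void doLogout(StaplerRequest staplerRequest, StaplerResponse staplerResponse) throws IOException, ServletException {
        super.doLogout(staplerRequest, staplerResponse);
        LOG.log(Level.FINEST, "Here we could do the SAML Single Logout");
    }

    /** Jenkins root URL; {@code null} when it has not been configured. */
    private String baseUrl() {
        return Jenkins.getActiveInstance().getRootUrl();
    }

    /** Absolute assertion consumer service URL handed to the IdP as the callback. */
    private String getConsumerServiceUrl() {
        return baseUrl() + CONSUMER_SERVICE_URL_PATH;
    }

    public String getIdpMetadata() {
        return this.idpMetadata;
    }

    public String getUsernameAttributeName() {
        return this.usernameAttributeName;
    }

    public String getSpMetadata() {
        return newClient().printClientMetadata();
    }

    public String getDisplayNameAttributeName() {
        return this.displayNameAttributeName;
    }

    public String getGroupsAttributeName() {
        return this.groupsAttributeName;
    }

    public Integer getMaximumAuthenticationLifetime() {
        return Integer.valueOf(this.maximumAuthenticationLifetime);
    }

    public SamlAdvancedConfiguration getAdvancedConfiguration() {
        return this.advancedConfiguration;
    }

    /** Force-authentication flag from the advanced configuration; {@code false} when none is set. */
    public Boolean getForceAuthn() {
        return this.advancedConfiguration == null ? Boolean.FALSE : this.advancedConfiguration.getForceAuthn();
    }

    public String getAuthnContextClassRef() {
        return this.advancedConfiguration == null ? null : this.advancedConfiguration.getAuthnContextClassRef();
    }

    public String getSpEntityId() {
        return this.advancedConfiguration == null ? null : this.advancedConfiguration.getSpEntityId();
    }

    /** Session lifetime in seconds from the advanced configuration, or {@code null} when unset. */
    public Integer getMaximumSessionLifetime() {
        return this.advancedConfiguration == null ? null : this.advancedConfiguration.getMaximumSessionLifetime();
    }

    public SamlEncryptionData getEncryptionData() {
        return this.encryptionData;
    }

    public String getKeystorePath() {
        return this.encryptionData == null ? null : this.encryptionData.getKeystorePath();
    }

    public String getKeystorePassword() {
        return this.encryptionData == null ? null : this.encryptionData.getKeystorePassword();
    }

    public String getPrivateKeyPassword() {
        return this.encryptionData == null ? null : this.encryptionData.getPrivateKeyPassword();
    }

    public String getUsernameCaseConversion() {
        return this.usernameCaseConversion;
    }

    public String getEmailAttributeName() {
        return this.emailAttributeName;
    }

    public String getLogoutUrl() {
        return this.logoutUrl;
    }

    /** Form validation for the logout URL: empty is fine, otherwise it must parse as a {@link URL}. */
    public FormValidation doCheckLogoutUrl(@QueryParameter String str) {
        if (StringUtils.isEmpty(str)) {
            return FormValidation.ok();
        }
        try {
            new URL(str);
            return FormValidation.ok();
        } catch (MalformedURLException e) {
            return FormValidation.error("The url is malformed.", e);
        }
    }

    /**
     * Configuration summary. Logged at FINER by the constructor.
     * NOTE(review): encryptionData is rendered via its own toString(), defined outside this
     * file — confirm it does not include the keystore or private-key passwords.
     */
    public String toString() {
        StringBuilder out = new StringBuilder("SamlSecurityRealm{");
        out.append("idpMetadata='").append(this.idpMetadata).append('\'');
        out.append(", displayNameAttributeName='").append(this.displayNameAttributeName).append('\'');
        out.append(", groupsAttributeName='").append(this.groupsAttributeName).append('\'');
        out.append(", maximumAuthenticationLifetime=").append(this.maximumAuthenticationLifetime);
        out.append(", usernameCaseConversion='").append(this.usernameCaseConversion).append('\'');
        out.append(", usernameAttributeName='").append(this.usernameAttributeName).append('\'');
        out.append(", encryptionData=").append(this.encryptionData);
        out.append(", advancedConfiguration=").append(this.advancedConfiguration);
        out.append('}');
        return out.toString();
    }
}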
