package io.jenkins.blueocean.service.embedded;

import hudson.model.User;
import io.jenkins.blueocean.auth.jwt.JwtAuthenticationStore;
import io.jenkins.blueocean.auth.jwt.JwtAuthenticationStoreFactory;
import io.jenkins.blueocean.auth.jwt.JwtToken;
import io.jenkins.blueocean.auth.jwt.impl.SimpleJwtAuthenticationStore;
import io.jenkins.blueocean.commons.ServiceException;
import java.io.IOException;
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;
import jenkins.model.Jenkins;
import org.acegisecurity.Authentication;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.lang.JoseException;
import org.kohsuke.stapler.StaplerRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/jenkins/blueocean/service/embedded/JwtAuthenticationToken.class */
public final class JwtAuthenticationToken {
    private static final Logger logger = LoggerFactory.getLogger(JwtAuthenticationToken.class);

    public static Authentication create(StaplerRequest staplerRequest) {
        JwtClaims validate = validate(staplerRequest);
        try {
            if (validate.getSubject().equals("anonymous")) {
                Jenkins.getInstance();
                return Jenkins.ANONYMOUS;
            }
            Authentication authentication = getJwtStore(validate.getClaimsMap()).getAuthentication(validate.getClaimsMap());
            if (authentication == null) {
                throw new ServiceException.UnauthorizedException("Unauthorized: No valid authentication instance found");
            }
            return authentication;
        } catch (MalformedClaimException e) {
            logger.error(String.format("Error reading sub header for token %s", validate.getRawJson()), e);
            throw new ServiceException.UnauthorizedException("Invalid JWT token: malformed claim");
        }
    }

    public JwtAuthenticationToken(JwtClaims jwtClaims) throws MalformedClaimException {
        String subject = jwtClaims.getSubject();
        if (User.get(subject, false, Collections.emptyMap()) == null) {
            throw new ServiceException.UnauthorizedException("Invalid JWT token: subject " + subject + " not found");
        }
    }

    private static JwtClaims validate(StaplerRequest staplerRequest) {
        JsonWebStructure fromCompactSerialization;
        String algorithmHeaderValue;
        String header = staplerRequest.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            throw new ServiceException.UnauthorizedException("JWT token not found");
        }
        String substring = header.substring("Bearer ".length());
        try {
            fromCompactSerialization = JsonWebStructure.fromCompactSerialization(substring);
            algorithmHeaderValue = fromCompactSerialization.getAlgorithmHeaderValue();
        } catch (JoseException e) {
            logger.error("Error parsing JWT token: " + e.getMessage(), e);
            throw new ServiceException.UnauthorizedException("Invalid JWT Token: " + e.getMessage());
        }
        if (algorithmHeaderValue == null || !algorithmHeaderValue.equals("RS256")) {
            logger.error(String.format("Invalid JWT token: unsupported algorithm in header, found %s, expected %s", algorithmHeaderValue, "RS256"));
            throw new ServiceException.UnauthorizedException("Invalid JWT token");
        }
        String keyIdHeaderValue = fromCompactSerialization.getKeyIdHeaderValue();
        if (keyIdHeaderValue == null) {
            logger.error("Invalid JWT token: missing kid");
            throw new ServiceException.UnauthorizedException("Invalid JWT token");
        }
        JwtToken.JwtRsaDigitalSignatureKey jwtRsaDigitalSignatureKey = new JwtToken.JwtRsaDigitalSignatureKey(keyIdHeaderValue);
        try {
            if (!jwtRsaDigitalSignatureKey.exists()) {
                throw new ServiceException.NotFoundException(String.format("kid %s not found", keyIdHeaderValue));
            }
            try {
                JwtClaims jwtClaims = new JwtConsumerBuilder().setRequireExpirationTime().setRequireJwtId().setAllowedClockSkewInSeconds(30).setRequireSubject().setVerificationKey(jwtRsaDigitalSignatureKey.getPublicKey()).build().process(substring).getJwtClaims();
                if (jwtClaims.getExpirationTime().isBefore(NumericDate.now())) {
                    throw new ServiceException.UnauthorizedException("Invalid JWT token: expired");
                }
                return jwtClaims;
            } catch (InvalidJwtException e2) {
                logger.error("Invalid JWT token: " + e2.getMessage(), e2);
                throw new ServiceException.UnauthorizedException("Invalid JWT token");
            } catch (MalformedClaimException e3) {
                logger.error(String.format("Error reading sub header for token %s", fromCompactSerialization.getPayload()), e3);
                throw new ServiceException.UnauthorizedException("Invalid JWT token: malformed claim");
            }
        } catch (IOException e4) {
            logger.error(String.format("Error reading RSA key for id %s: %s", keyIdHeaderValue, e4.getMessage()), e4);
            throw new ServiceException.UnexpectedErrorException("Unexpected error: " + e4.getMessage(), e4);
        }
        logger.error("Error parsing JWT token: " + e.getMessage(), e);
        throw new ServiceException.UnauthorizedException("Invalid JWT Token: " + e.getMessage());
    }

    private static JwtAuthenticationStore getJwtStore(Map<String, Object> map) {
        JwtAuthenticationStore jwtAuthenticationStore = null;
        Iterator it = JwtAuthenticationStoreFactory.all().iterator();
        while (it.hasNext()) {
            JwtAuthenticationStoreFactory jwtAuthenticationStoreFactory = (JwtAuthenticationStoreFactory) it.next();
            if (jwtAuthenticationStoreFactory instanceof SimpleJwtAuthenticationStore) {
                jwtAuthenticationStore = jwtAuthenticationStoreFactory.getJwtAuthenticationStore(map);
            } else {
                JwtAuthenticationStore jwtAuthenticationStore2 = jwtAuthenticationStoreFactory.getJwtAuthenticationStore(map);
                if (jwtAuthenticationStore2 != null) {
                    return jwtAuthenticationStore2;
                }
            }
        }
        return jwtAuthenticationStore;
    }
}
