package io.jenkins.blueocean.auth.jwt.impl;

import com.cloudbees.plugins.credentials.domains.AntPathMatcher;
import hudson.Extension;
import hudson.init.Initializer;
import hudson.security.ACL;
import hudson.security.ACLContext;
import hudson.util.PluginServletFilter;
import io.jenkins.blueocean.auth.jwt.JwtTokenVerifier;
import io.jenkins.blueocean.commons.BlueOceanConfigProperties;
import java.io.IOException;
import java.util.Iterator;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang.StringUtils;
import org.kohsuke.stapler.Stapler;
import org.springframework.security.core.Authentication;

@Extension
/* loaded from: input_file:test-dependencies/blueocean-jwt.hpi:WEB-INF/lib/blueocean-jwt.jar:io/jenkins/blueocean/auth/jwt/impl/JwtAuthenticationFilter.class */
public class JwtAuthenticationFilter implements Filter {
    private static final String JWT_TOKEN_VALIDATED = JwtAuthenticationFilter.class.getName() + ".validated";
    private boolean isJwtEnabled;

    @Initializer(fatal = false)
    public static void init() throws ServletException {
        PluginServletFilter.addFilter(new JwtAuthenticationFilter());
    }

    public void init(FilterConfig filterConfig) throws ServletException {
        this.isJwtEnabled = Boolean.getBoolean(BlueOceanConfigProperties.BLUEOCEAN_FEATURE_JWT_AUTHENTICATION_PROPERTY);
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        if (!shouldApply(httpServletRequest)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        Authentication verifyToken = verifyToken(httpServletRequest);
        if (verifyToken == null) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        ACLContext as2 = ACL.as2(verifyToken);
        Throwable th = null;
        try {
            try {
                httpServletRequest.setAttribute(JWT_TOKEN_VALIDATED, true);
                filterChain.doFilter(servletRequest, servletResponse);
                if (as2 != null) {
                    if (0 == 0) {
                        as2.close();
                        return;
                    }
                    try {
                        as2.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (as2 != null) {
                if (th != null) {
                    try {
                        as2.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    as2.close();
                }
            }
            throw th4;
        }
    }

    private Authentication verifyToken(HttpServletRequest httpServletRequest) {
        Iterator it = JwtTokenVerifier.all().iterator();
        while (it.hasNext()) {
            Authentication verify = ((JwtTokenVerifier) it.next()).verify(httpServletRequest);
            if (verify != null) {
                return verify;
            }
        }
        return null;
    }

    protected boolean shouldApply(HttpServletRequest httpServletRequest) {
        if (!this.isJwtEnabled) {
            return false;
        }
        String substring = httpServletRequest.getRequestURI().substring(httpServletRequest.getContextPath().length());
        if (!StringUtils.isBlank(substring)) {
            substring = substring.replaceAll("//+", AntPathMatcher.DEFAULT_PATH_SEPARATOR);
        }
        return substring.startsWith("/blue/") || substring.startsWith("/sse-gateway/");
    }

    public void destroy() {
    }

    public static boolean didRequestHaveValidatedJwtToken() {
        return Boolean.TRUE.equals(Stapler.getCurrentRequest().getAttribute(JWT_TOKEN_VALIDATED));
    }
}
