package hudson.cli;

import com.google.common.annotations.VisibleForTesting;
import hudson.FilePath;
import hudson.model.User;
import hudson.remoting.Channel;
import hudson.util.Secret;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Properties;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import jenkins.model.Jenkins;
import jenkins.security.HMACConfidentialKey;
import jenkins.security.MasterToSlaveCallable;
import jenkins.security.seed.UserSeedProperty;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.providers.anonymous.AnonymousAuthenticationToken;
import org.acegisecurity.userdetails.UserDetails;
import org.springframework.dao.DataAccessException;

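/**
 * Remembers which user a CLI client authenticated as, in a properties file on the
 * side of the channel that runs {@link CredentialsFilePathMasterToSlaveCallable}.
 *
 * <p>Each entry is keyed by the Jenkins root URL (or the legacy instance id when no
 * root URL is configured) and holds one of two value formats:
 * <ul>
 *   <li>legacy: {@code username:mac}</li>
 *   <li>version 2: {@code username:mac_v2_seed}</li>
 * </ul>
 * In both formats the MAC is computed over the username only (see {@link #set} and
 * {@link #setUsingLegacyMethod}); the version tag and the user seed are not covered
 * by it, so in the version 2 format the seed is checked separately.
 *
 * <p>Every validation failure in {@link #get()} yields {@link Jenkins#ANONYMOUS};
 * the stored value is never trusted without a successful MAC check.
 */
@Deprecated
public class ClientAuthenticationCache implements Serializable {
    private static final HMACConfidentialKey MAC = new HMACConfidentialKey(ClientAuthenticationCache.class, "MAC");
    // NOTE(review): several FINE-level messages below log the complete stored value
    // (username, MAC and, for v2, the user seed). Anyone who can read FINE logs sees
    // the same material the credential file protects; consider logging only the
    // username part if this class is kept.
    private static final Logger LOGGER = Logger.getLogger(ClientAuthenticationCache.class.getName());
    private static final String VERIFICATION_FRAGMENT_SEPARATOR = "_";
    private static final String USERNAME_VERIFICATION_SEPARATOR = ":";
    private static final String VERSION_2 = "v2";
    private final FilePath store;

    @VisibleForTesting
    final Properties props = new Properties();

    /**
     * Resolves the credential file under the home directory of the JVM it runs in:
     * {@code ~/.hudson/cli-credentials} when {@code ~/.hudson} exists, otherwise
     * {@code ~/.jenkins/cli-credentials}.
     */
    private static class CredentialsFilePathMasterToSlaveCallable extends MasterToSlaveCallable<FilePath, IOException> {
        private CredentialsFilePathMasterToSlaveCallable() {
        }

        /**
         * Implements the callable's {@code call()} entry point.
         *
         * @return the location of the credential file; the file itself may not exist yet
         */
        public FilePath call() throws IOException {
            File home = new File(System.getProperty("user.home"));
            File hudsonDir = new File(home, ".hudson");
            if (hudsonDir.exists()) {
                return new FilePath(new File(hudsonDir, "cli-credentials"));
            }
            return new FilePath(new File(home, ".jenkins/cli-credentials"));
        }
    }

    /**
     * Locates the credential file through {@code channel} and loads it if present.
     *
     * @param channel channel on which the file location is resolved; {@code null}
     *                means the local channel
     * @throws IOException          if the file cannot be located or read
     * @throws InterruptedException if the remote call is interrupted
     */
    public ClientAuthenticationCache(Channel channel) throws IOException, InterruptedException {
        this.store = (FilePath) (channel == null ? FilePath.localChannel : channel).call(new CredentialsFilePathMasterToSlaveCallable());
        if (this.store.exists()) {
            // try-with-resources closes the stream on every path and keeps a close()
            // failure as a suppressed exception of the primary one.
            try (InputStream in = this.store.read()) {
                this.props.load(in);
            }
        }
    }

    /**
     * Returns the authentication recorded for this Jenkins instance.
     *
     * <p>The stored value is parsed and validated step by step; any value that is
     * missing, in the old encrypted format, malformed, of an unknown version, or
     * that fails the seed or MAC check results in {@link Jenkins#ANONYMOUS}.
     *
     * @return the authenticated user, or {@link Jenkins#ANONYMOUS}; never {@code null}
     */
    @Nonnull
    public Authentication get() {
        String stored = this.props.getProperty(getPropertyKey());
        if (stored == null) {
            LOGGER.finer("No stored CLI authentication");
            return Jenkins.ANONYMOUS;
        }
        // A value that Secret can decrypt is in the old, insecure format and is rejected.
        // NOTE(review): this logs the decrypted value; presumably that is the
        // username in the old format. Confirm before relying on it.
        Secret oldFormat = Secret.decrypt(stored);
        if (oldFormat != null) {
            LOGGER.log(Level.FINE, "Ignoring insecure stored CLI authentication for {0}", oldFormat.getPlainText());
            return Jenkins.ANONYMOUS;
        }
        // The last ':' is used so that a username containing ':' still parses.
        int separator = stored.lastIndexOf(USERNAME_VERIFICATION_SEPARATOR);
        if (separator == -1) {
            LOGGER.log(Level.FINE, "Ignoring malformed stored CLI authentication: {0}", stored);
            return Jenkins.ANONYMOUS;
        }
        String username = stored.substring(0, separator);
        String verification = stored.substring(separator + 1);
        if (verification.indexOf(VERIFICATION_FRAGMENT_SEPARATOR) == -1) {
            // No fragment separator: the verification part is a bare MAC (legacy format).
            return legacy(username, verification, stored);
        }
        // split() drops trailing empty strings, so "mac_" yields a single fragment.
        String[] fragments = verification.split(VERIFICATION_FRAGMENT_SEPARATOR);
        if (fragments.length < 2) {
            LOGGER.log(Level.FINE, "Ignoring malformed stored CLI authentication verification: {0}", stored);
            return Jenkins.ANONYMOUS;
        }
        String mac = fragments[0];
        String version = fragments[1];
        String[] versionFragments = Arrays.copyOfRange(fragments, 2, fragments.length);
        if (VERSION_2.equals(version)) {
            // version2() returns null when its checks pass; only then is the MAC verified.
            Authentication rejected = version2(username, versionFragments, stored);
            return rejected != null ? rejected : getUserAuthIfValidMac(username, mac, stored);
        }
        LOGGER.log(Level.FINE, "Unrecognized version for stored CLI authentication verification: {0}", stored);
        return Jenkins.ANONYMOUS;
    }

    /** Validates a legacy {@code username:mac} entry, which carries a MAC but no user seed. */
    private Authentication legacy(String username, String mac, String stored) {
        return getUserAuthIfValidMac(username, mac, stored);
    }

    /**
     * Checks the version 2 fragments, i.e. the user seed stored next to the MAC.
     *
     * @param username  user the entry claims to represent
     * @param fragments fragments following the version tag; exactly one (the seed) is expected
     * @param stored    complete stored value, used for log messages only
     * @return {@code null} when the seed check passes or user seeds are disabled, so
     *         the caller should go on to verify the MAC; {@link Jenkins#ANONYMOUS}
     *         when the entry must be rejected
     */
    @CheckForNull
    private Authentication version2(String username, String[] fragments, String stored) {
        if (fragments.length != 1) {
            LOGGER.log(Level.FINE, "Number of fragments invalid for stored CLI authentication verification: {0}", stored);
            return Jenkins.ANONYMOUS;
        }
        if (UserSeedProperty.DISABLE_USER_SEED) {
            return null;
        }
        User user = User.getById(username, false);
        if (user == null) {
            LOGGER.log(Level.FINE, "User not found for stored CLI authentication verification: {0}", stored);
            return Jenkins.ANONYMOUS;
        }
        UserSeedProperty seedProperty = (UserSeedProperty) user.getProperty(UserSeedProperty.class);
        if (seedProperty == null) {
            LOGGER.log(Level.INFO, "User does not have a user seed but one is contained in CLI authentication: {0}", stored);
            return Jenkins.ANONYMOUS;
        }
        if (seedMatches(fragments[0], seedProperty.getSeed())) {
            return null;
        }
        LOGGER.log(Level.FINE, "Actual user seed does not correspond to the one in stored CLI authentication: {0}", stored);
        return Jenkins.ANONYMOUS;
    }

    /**
     * Compares the presented seed with the user's current seed.
     *
     * <p>The seed is not covered by the MAC and is checked before it, so the
     * comparison avoids {@link String#equals}, which stops at the first differing
     * character, and uses {@link MessageDigest#isEqual} instead.
     *
     * @return {@code true} only when both values are non-null and identical
     */
    private static boolean seedMatches(String presented, String expected) {
        if (presented == null || expected == null) {
            return false;
        }
        return MessageDigest.isEqual(
                presented.getBytes(StandardCharsets.UTF_8),
                expected.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Verifies the MAC over {@code username} and, if valid, loads the user from the
     * security realm.
     *
     * @param username user the entry claims to represent
     * @param mac      MAC taken from the stored value
     * @param stored   complete stored value, used for log messages only
     * @return a token carrying the realm's username and authorities with an empty
     *         credential, or {@link Jenkins#ANONYMOUS} if the MAC does not match or
     *         the realm does not know the user
     */
    private Authentication getUserAuthIfValidMac(String username, String mac, String stored) {
        if (!MAC.checkMac(username, mac)) {
            LOGGER.log(Level.FINE, "Ignoring stored CLI authentication due to MAC mismatch: {0}", stored);
            return Jenkins.ANONYMOUS;
        }
        try {
            UserDetails details = Jenkins.get().getSecurityRealm().loadUserByUsername(username);
            LOGGER.log(Level.FINER, "Loaded stored CLI authentication for {0}", username);
            return new UsernamePasswordAuthenticationToken(details.getUsername(), "", details.getAuthorities());
        } catch (AuthenticationException | DataAccessException e) {
            LOGGER.log(Level.FINE, "Stored CLI authentication did not correspond to a valid user: " + username, e);
            return Jenkins.ANONYMOUS;
        }
    }

    /**
     * Returns the properties key for this Jenkins instance: the configured root URL,
     * or the legacy instance id when no root URL is set.
     */
    @VisibleForTesting
    String getPropertyKey() {
        Jenkins jenkins = Jenkins.getActiveInstance();
        String rootUrl = jenkins.getRootUrl();
        return rootUrl != null ? rootUrl : jenkins.getLegacyInstanceId();
    }

    /**
     * Records {@code authentication} for this Jenkins instance and saves the file.
     *
     * <p>The username is taken from the security realm. When a {@link User} exists
     * for a non-anonymous authentication the version 2 format is written, with the
     * literal {@code no-user-seed} standing in when the user has no seed property;
     * otherwise the legacy format is written.
     *
     * @throws IOException          if the file cannot be written
     * @throws InterruptedException if the remote write is interrupted
     */
    public void set(Authentication authentication) throws IOException, InterruptedException {
        String username = Jenkins.getActiveInstance().getSecurityRealm().loadUserByUsername(authentication.getName()).getUsername();
        User user = authentication instanceof AnonymousAuthenticationToken ? null : User.getById(authentication.getName(), false);
        if (user == null) {
            setUsingLegacyMethod(username);
            return;
        }
        UserSeedProperty seedProperty = (UserSeedProperty) user.getProperty(UserSeedProperty.class);
        String seed = seedProperty == null ? "no-user-seed" : seedProperty.getSeed();
        // Only the username is MACed; the version tag and the seed are appended as-is.
        String verification = String.join(VERIFICATION_FRAGMENT_SEPARATOR, getMacOf(username), VERSION_2, seed);
        this.props.setProperty(getPropertyKey(), username + USERNAME_VERIFICATION_SEPARATOR + verification);
        save();
    }

    /** Stores {@code username} in the legacy {@code username:mac} format and saves the file. */
    @VisibleForTesting
    void setUsingLegacyMethod(String username) throws IOException, InterruptedException {
        this.props.setProperty(getPropertyKey(), username + USERNAME_VERIFICATION_SEPARATOR + getMacOf(username));
        save();
    }

    /** Returns the MAC of {@code value} under this class's confidential key. */
    @VisibleForTesting
    @Nonnull
    String getMacOf(@Nonnull String value) {
        return MAC.mac(value);
    }

    /**
     * Forgets the authentication stored for this Jenkins instance; the file is only
     * rewritten when an entry was actually removed.
     *
     * @throws IOException          if the file cannot be written
     * @throws InterruptedException if the remote write is interrupted
     */
    public void remove() throws IOException, InterruptedException {
        if (this.props.remove(getPropertyKey()) != null) {
            save();
        }
    }

    /**
     * Writes the properties to the credential file and restricts it to owner
     * read/write (mode 0600).
     *
     * @throws IOException          if the file cannot be written or its mode changed
     * @throws InterruptedException if the remote operation is interrupted
     */
    @VisibleForTesting
    void save() throws IOException, InterruptedException {
        try (OutputStream out = this.store.write()) {
            this.props.store(out, "Credential store");
        }
        // NOTE(review): the mode is tightened only after the content has been written,
        // so a newly created file carries whatever permissions write() gives it until
        // this call completes. The directory's permissions are the only guard in that window.
        this.store.chmod(0600);
    }
}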
