package jenkins.security;

import hudson.Extension;
import hudson.Util;
import hudson.model.Descriptor;
import hudson.model.User;
import hudson.model.UserProperty;
import hudson.model.UserPropertyDescriptor;
import hudson.security.ACL;
import hudson.util.HttpResponses;
import hudson.util.Secret;
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.annotation.Nonnull;
import jenkins.model.Jenkins;
import jenkins.util.SystemProperties;
import net.sf.json.JSONObject;
import net.sf.json.util.JSONUtils;
import org.apache.commons.lang.StringUtils;
import org.jenkinsci.Symbol;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;
import org.springframework.aop.framework.autoproxy.target.QuickTargetSourceCreator;

/* loaded from: input_file:WEB-INF/lib/jenkins-core-2.129-rc15783.0ebb792a91bb.jar:jenkins/security/ApiTokenProperty.class */
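/**
 * Per-user property that stores a user's API token and decides who may see it.
 *
 * <p>This listing is decompiler output. The string literals {@code ":"} and {@code "'"} below
 * replace constants from unrelated libraries that the decompiler had substituted for them.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The value a client presents is {@code Util.getDigestOf(storedSecret)}, not the stored
 *       secret itself (see {@link #getApiTokenInsecure()}).</li>
 *   <li>The initial secret created by {@link DescriptorImpl#newInstance(User)} is derived from
 *       the user id and a key shared by all users. Only {@link #changeApiToken()} and the
 *       data-bound constructor produce a random one.</li>
 *   <li>Comparison against a presented token is constant-time
 *       (see {@link #matchesPassword(String)}).</li>
 * </ul>
 */
public class ApiTokenProperty extends UserProperty {
    /** Stored token secret; volatile because it is replaced on rotation and on legacy migration. */
    private volatile Secret apiToken;

    /**
     * Opt-in switch, read once at class load from the system property
     * {@code <class name>.showTokenToAdmins}. When set, holders of {@code Jenkins.ADMINISTER}
     * can read other users' tokens, so enabling it widens token exposure.
     */
    private static final boolean SHOW_TOKEN_TO_ADMINS = SystemProperties.getBoolean(ApiTokenProperty.class.getName() + ".showTokenToAdmins");

    /** Cryptographically strong source for newly generated token secrets. */
    private static final SecureRandom RANDOM = new SecureRandom();

    /**
     * Key used to derive the initial (never rotated) token secret from a user id.
     * NOTE(review): the third argument is presumably a length of 16; confirm against
     * HMACConfidentialKey. Anyone able to read this key can recompute every unrotated token.
     */
    private static final HMACConfidentialKey API_KEY_SEED = new HMACConfidentialKey(ApiTokenProperty.class, "seed", 16);

    /** Charset used when comparing tokens byte-wise; hoisted so it is not looked up per request. */
    private static final Charset US_ASCII = Charset.forName("US-ASCII");

    /** Descriptor that creates the property and serves the token-rotation endpoint. */
    @Extension
    @Symbol({"apiToken"})
    /* loaded from: input_file:WEB-INF/lib/jenkins-core-2.129-rc15783.0ebb792a91bb.jar:jenkins/security/ApiTokenProperty$DescriptorImpl.class */
    public static final class DescriptorImpl extends UserPropertyDescriptor {
        @Override // hudson.model.Descriptor
        public String getDisplayName() {
            return Messages.ApiTokenProperty_DisplayName();
        }

        /**
         * Creates the initial property for {@code user}.
         *
         * <p>The secret is {@code API_KEY_SEED.mac(user.getId())}: deterministic for a given
         * user id and key, not random. It is replaced by a random value only when the token
         * is rotated.
         *
         * @param user the user the property is created for
         * @return a new property carrying the derived secret
         */
        @Override // hudson.model.UserPropertyDescriptor
        public ApiTokenProperty newInstance(User user) {
            return new ApiTokenProperty(ApiTokenProperty.API_KEY_SEED.mac(user.getId()));
        }

        /**
         * POST-only endpoint that rotates the API token of {@code user}, or creates the
         * property when the user has none yet.
         *
         * @param user the user addressed by the request path
         * @param staplerResponse response that receives the {@code script} header
         * @return an HTML response whose message depends on whether the caller may see the token
         * @throws IOException if saving the user fails
         */
        @RequirePOST
        public HttpResponse doChangeToken(@AncestorInPath User user, StaplerResponse staplerResponse) throws IOException {
            // Authorize before touching any state. Previously only the rotate branch was
            // checked (inside changeApiToken()); the create branch added and persisted a
            // property with no check visible in this class. Whether User.addProperty enforces
            // one cannot be seen from here, so the same check is applied to both branches.
            user.checkPermission(Jenkins.ADMINISTER);

            ApiTokenProperty apiTokenProperty = (ApiTokenProperty) user.getProperty(ApiTokenProperty.class);
            if (apiTokenProperty == null) {
                apiTokenProperty = newInstance(user);
                user.addProperty(apiTokenProperty);
            } else {
                apiTokenProperty.changeApiToken();
            }

            // getApiToken() yields either the token digest or a localized placeholder. The value
            // is placed inside a single-quoted JavaScript string without escaping, so both
            // possible values must stay free of quotes, backslashes and line breaks.
            staplerResponse.setHeader("script", "document.getElementById('apiToken').value='" + apiTokenProperty.getApiToken() + "'");
            return HttpResponses.html(apiTokenProperty.hasPermissionToSeeToken() ? Messages.ApiTokenProperty_ChangeToken_Success() : Messages.ApiTokenProperty_ChangeToken_SuccessHidden());
        }
    }

    /** Creates a property with a freshly generated random secret. */
    @DataBoundConstructor
    public ApiTokenProperty() {
        _changeApiToken();
    }

    /**
     * Creates a property from an existing secret.
     *
     * @param str the token secret to store
     */
    ApiTokenProperty(String str) {
        this.apiToken = Secret.fromString(str);
    }

    /**
     * Returns the API token if the current caller may see it, otherwise a localized
     * "token is hidden" message. Callers must not treat the result as a credential without
     * knowing which of the two they received.
     *
     * @return the token, or the placeholder message
     */
    @Nonnull
    public String getApiToken() {
        return hasPermissionToSeeToken() ? getApiTokenInsecure() : Messages.ApiTokenProperty_ChangeToken_TokenIsHidden();
    }

    /**
     * Returns the API token without any permission check; every caller is responsible for
     * authorization.
     *
     * <p>Side effect: a stored secret in the legacy format (digest of
     * {@code secretKey + ":" + userId}) is replaced, in memory only, by the
     * {@code API_KEY_SEED}-derived secret. No {@code save()} happens here.
     *
     * <p>NOTE(review): {@code this.user} is dereferenced unconditionally; presumably the
     * property is always attached to a user before this is called. Confirm.
     * NOTE(review): {@code Util.getDigestOf} is believed to be an MD5 hex digest in Jenkins
     * core. Confirm before relying on the token format.
     *
     * @return the digest of the (possibly migrated) stored secret
     */
    @Nonnull
    @Restricted({NoExternalUse.class})
    String getApiTokenInsecure() {
        String plainText = this.apiToken.getPlainText();
        String legacySecret = Util.getDigestOf(Jenkins.getInstance().getSecretKey() + ":" + this.user.getId());
        if (plainText.equals(legacySecret)) {
            // Move away from the secret derived from the instance-wide secret key.
            plainText = API_KEY_SEED.mac(this.user.getId());
            this.apiToken = Secret.fromString(plainText);
        }
        return Util.getDigestOf(plainText);
    }

    /**
     * Checks a presented credential against this user's API token.
     *
     * <p>The comparison uses {@link MessageDigest#isEqual(byte[], byte[])} rather than
     * {@code String.equals} so that it does not short-circuit on the first differing byte.
     *
     * @param str the credential supplied by the client; {@code null} never matches
     * @return {@code true} if {@code str} equals the token
     */
    public boolean matchesPassword(String str) {
        if (str == null) {
            // Fail closed instead of throwing NullPointerException on a missing credential.
            return false;
        }
        return MessageDigest.isEqual(str.getBytes(US_ASCII), getApiTokenInsecure().getBytes(US_ASCII));
    }

    /**
     * Decides whether the current caller may see this token: administrators when
     * {@code SHOW_TOKEN_TO_ADMINS} is enabled, the SYSTEM identity, or the owning user.
     * An anonymous caller ({@code User.current() == null}) is refused unless the admin rule
     * already applied.
     *
     * <p>Public only because the decompiler widened it for the nested descriptor; it was
     * private in the compiled class.
     *
     * @return {@code true} if the token may be shown to the current caller
     */
    /* JADX INFO: Access modifiers changed from: private */
    public boolean hasPermissionToSeeToken() {
        Jenkins jenkins2 = Jenkins.getInstance();
        if (SHOW_TOKEN_TO_ADMINS && jenkins2.hasPermission(Jenkins.ADMINISTER)) {
            return true;
        }
        User current = User.current();
        if (current == null) {
            return false;
        }
        if (Jenkins.getAuthentication() == ACL.SYSTEM) {
            return true;
        }
        return StringUtils.equals(this.user.getId(), current.getId());
    }

    /**
     * Replaces the token with a new random one and persists the user.
     *
     * @throws IOException if saving the user fails
     */
    public void changeApiToken() throws IOException {
        // Checked against the owning user object, before any state changes.
        this.user.checkPermission(Jenkins.ADMINISTER);
        _changeApiToken();
        this.user.save();
    }

    /** Generates 16 random bytes and stores their hex form as the new secret; does not save. */
    private void _changeApiToken() {
        byte[] bArr = new byte[16];
        RANDOM.nextBytes(bArr);
        this.apiToken = Secret.fromString(Util.toHexString(bArr));
    }

    /**
     * Ignores the submitted form and keeps this instance, so a configuration submit cannot
     * overwrite the token.
     *
     * @return this property, unchanged
     */
    /* JADX WARN: Can't rename method to resolve collision */
    @Override // hudson.model.UserProperty, hudson.model.ReconfigurableDescribable
    public UserProperty reconfigure(StaplerRequest staplerRequest, JSONObject jSONObject) throws Descriptor.FormException {
        return this;
    }
}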
