package jenkins.security.apitoken;

import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import hudson.Util;
import hudson.util.Secret;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Comparator;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.annotation.concurrent.Immutable;
import net.sf.json.JSONObject;
import org.apache.commons.lang.StringUtils;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;

@Restricted({NoExternalUse.class})
/* loaded from: input_file:WEB-INF/lib/jenkins-core-2.145-rc27334.008c4350849b.jar:jenkins/security/apitoken/ApiTokenStore.class */
public class ApiTokenStore {
    private static final Logger LOGGER;
    private static final SecureRandom RANDOM;
    private static final Comparator<HashedToken> SORT_BY_LOWERCASED_NAME;
    private static final int TOKEN_LENGTH_V2 = 34;
    private static final String LEGACY_VERSION = "10";
    private static final String HASH_VERSION = "11";
    private static final String HASH_ALGORITHM = "SHA-256";
    private List<HashedToken> tokenList;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: private */
    @Immutable
    /* loaded from: input_file:WEB-INF/lib/jenkins-core-2.145-rc27334.008c4350849b.jar:jenkins/security/apitoken/ApiTokenStore$HashValue.class */
    public static class HashValue implements Serializable {
        private static final long serialVersionUID = 1;
        private final String version;
        private final String hash;

        private HashValue(String str, String str2) {
            this.version = str;
            this.hash = str2;
        }
    }

    /* loaded from: input_file:WEB-INF/lib/jenkins-core-2.145-rc27334.008c4350849b.jar:jenkins/security/apitoken/ApiTokenStore$HashedToken.class */
    public static class HashedToken implements Serializable {
        private static final long serialVersionUID = 1;
        private String uuid;
        private String name;
        private Date creationDate;
        private HashValue value;

        private HashedToken() {
            init();
        }

        private Object readResolve() {
            init();
            return this;
        }

        private void init() {
            if (this.uuid == null) {
                this.uuid = UUID.randomUUID().toString();
            }
        }

        @Nonnull
        public static HashedToken buildNew(@Nonnull String str, @Nonnull HashValue hashValue) {
            HashedToken hashedToken = new HashedToken();
            hashedToken.name = str;
            hashedToken.creationDate = new Date();
            hashedToken.value = hashValue;
            return hashedToken;
        }

        @Nonnull
        public static HashedToken buildNewFromLegacy(@Nonnull HashValue hashValue, boolean z) {
            HashedToken hashedToken = new HashedToken();
            hashedToken.name = jenkins.security.Messages.ApiTokenProperty_LegacyTokenName();
            if (z) {
                hashedToken.creationDate = null;
            } else {
                hashedToken.creationDate = new Date();
            }
            hashedToken.value = hashValue;
            return hashedToken;
        }

        public void rename(String str) {
            this.name = str;
        }

        public boolean match(byte[] bArr) {
            try {
                return MessageDigest.isEqual(Util.fromHexString(this.value.hash), bArr);
            } catch (NumberFormatException e) {
                ApiTokenStore.LOGGER.log(Level.INFO, "The API token with name=[{0}] is not in hex-format and so cannot be used", this.name);
                return false;
            }
        }

        public String getName() {
            return this.name;
        }

        public Date getCreationDate() {
            return this.creationDate;
        }

        public long getNumDaysCreation() {
            if (this.creationDate == null) {
                return 0L;
            }
            return Util.daysElapsedSince(this.creationDate);
        }

        public String getUuid() {
            return this.uuid;
        }

        public boolean isLegacy() {
            return this.value.version.equals(ApiTokenStore.LEGACY_VERSION);
        }

        public void setName(String str) {
            this.name = str;
        }
    }

    @Immutable
    /* loaded from: input_file:WEB-INF/lib/jenkins-core-2.145-rc27334.008c4350849b.jar:jenkins/security/apitoken/ApiTokenStore$TokenUuidAndPlainValue.class */
    public static class TokenUuidAndPlainValue {
        public final String tokenUuid;
        public final String plainValue;

        private TokenUuidAndPlainValue(String str, String str2) {
            this.tokenUuid = str;
            this.plainValue = str2;
        }
    }

    public ApiTokenStore() {
        init();
    }

    private Object readResolve() {
        init();
        return this;
    }

    private void init() {
        if (this.tokenList == null) {
            this.tokenList = new ArrayList();
        }
    }

    @Nonnull
    @SuppressFBWarnings({"NP_NONNULL_RETURN_VIOLATION"})
    public synchronized Collection<HashedToken> getTokenListSortedByName() {
        return (Collection) this.tokenList.stream().sorted(SORT_BY_LOWERCASED_NAME).collect(Collectors.toList());
    }

    private void addToken(HashedToken hashedToken) {
        this.tokenList.add(hashedToken);
    }

    public synchronized void reconfigure(@Nonnull Map<String, JSONObject> map) {
        this.tokenList.forEach(hashedToken -> {
            JSONObject jSONObject = (JSONObject) map.get(hashedToken.uuid);
            if (jSONObject == null) {
                LOGGER.log(Level.INFO, "No token received for {0}", hashedToken.uuid);
                return;
            }
            String string = jSONObject.getString("tokenName");
            if (StringUtils.isBlank(string)) {
                LOGGER.log(Level.INFO, "Empty name received for {0}, we do not care about it", hashedToken.uuid);
            } else {
                hashedToken.setName(string);
            }
        });
    }

    public synchronized void regenerateTokenFromLegacy(@Nonnull Secret secret) {
        deleteAllLegacyAndGenerateNewOne(secret, false);
    }

    public synchronized void regenerateTokenFromLegacyIfRequired(@Nonnull Secret secret) {
        if (this.tokenList.stream().noneMatch((v0) -> {
            return v0.isLegacy();
        })) {
            deleteAllLegacyAndGenerateNewOne(secret, true);
        }
    }

    private void deleteAllLegacyAndGenerateNewOne(@Nonnull Secret secret, boolean z) {
        deleteAllLegacyTokens();
        addLegacyToken(secret, z);
    }

    private void deleteAllLegacyTokens() {
        this.tokenList.removeIf((v0) -> {
            return v0.isLegacy();
        });
    }

    private void addLegacyToken(@Nonnull Secret secret, boolean z) {
        addToken(HashedToken.buildNewFromLegacy(new HashValue(LEGACY_VERSION, plainSecretToHashInHex(Util.getDigestOf(secret.getPlainText()))), z));
    }

    @Nullable
    public synchronized HashedToken getLegacyToken() {
        return this.tokenList.stream().filter((v0) -> {
            return v0.isLegacy();
        }).findFirst().orElse(null);
    }

    @Nonnull
    public synchronized TokenUuidAndPlainValue generateNewToken(@Nonnull String str) {
        byte[] bArr = new byte[16];
        RANDOM.nextBytes(bArr);
        String hexString = Util.toHexString(bArr);
        String str2 = HASH_VERSION + hexString;
        if (!$assertionsDisabled && str2.length() != 34) {
            throw new AssertionError();
        }
        HashedToken buildNew = HashedToken.buildNew(str, new HashValue(HASH_VERSION, plainSecretToHashInHex(hexString)));
        addToken(buildNew);
        return new TokenUuidAndPlainValue(buildNew.uuid, str2);
    }

    @Nonnull
    @SuppressFBWarnings({"NP_NONNULL_RETURN_VIOLATION"})
    private String plainSecretToHashInHex(@Nonnull String str) {
        return Util.toHexString(plainSecretToHashBytes(str));
    }

    @Nonnull
    private byte[] plainSecretToHashBytes(@Nonnull String str) {
        return hashedBytes(str.getBytes(StandardCharsets.US_ASCII));
    }

    @Nonnull
    private byte[] hashedBytes(byte[] bArr) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(bArr);
        } catch (NoSuchAlgorithmException e) {
            throw new AssertionError("There is no SHA-256 available in this system");
        }
    }

    @CheckForNull
    public synchronized HashedToken findMatchingToken(@Nonnull String str) {
        return searchMatch(isLegacyToken(str) ? str : getHashOfToken(str));
    }

    private boolean isLegacyToken(@Nonnull String str) {
        return str.length() != 34;
    }

    @Nonnull
    private String getHashOfToken(@Nonnull String str) {
        return str.substring(2);
    }

    @CheckForNull
    private HashedToken searchMatch(@Nonnull String str) {
        byte[] plainSecretToHashBytes = plainSecretToHashBytes(str);
        for (HashedToken hashedToken : this.tokenList) {
            if (hashedToken.match(plainSecretToHashBytes)) {
                return hashedToken;
            }
        }
        return null;
    }

    @CheckForNull
    public synchronized HashedToken revokeToken(@Nonnull String str) {
        Iterator<HashedToken> it = this.tokenList.iterator();
        while (it.hasNext()) {
            HashedToken next = it.next();
            if (next.uuid.equals(str)) {
                it.remove();
                return next;
            }
        }
        return null;
    }

    public synchronized boolean renameToken(@Nonnull String str, @Nonnull String str2) {
        for (HashedToken hashedToken : this.tokenList) {
            if (hashedToken.uuid.equals(str)) {
                hashedToken.rename(str2);
                return true;
            }
        }
        LOGGER.log(Level.FINER, "The target token for rename does not exist, for uuid = {0}, with desired name = {1}", new Object[]{str, str2});
        return false;
    }

    static {
        $assertionsDisabled = !ApiTokenStore.class.desiredAssertionStatus();
        LOGGER = Logger.getLogger(ApiTokenStore.class.getName());
        RANDOM = new SecureRandom();
        SORT_BY_LOWERCASED_NAME = Comparator.comparing(hashedToken -> {
            return hashedToken.getName().toLowerCase(Locale.ENGLISH);
        });
    }
}
