package hudson.security;

import com.thoughtworks.xstream.converters.UnmarshallingContext;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import hudson.Extension;
import hudson.ExtensionList;
import hudson.Util;
import hudson.diagnosis.OldDataMonitor;
import hudson.model.Descriptor;
import hudson.model.ManagementLink;
import hudson.model.ModelObject;
import hudson.model.User;
import hudson.model.UserProperty;
import hudson.model.UserPropertyDescriptor;
import hudson.security.FederatedLoginService;
import hudson.security.captcha.CaptchaSupport;
import hudson.util.FormValidation;
import hudson.util.PluginServletFilter;
import hudson.util.Protector;
import hudson.util.Scrambler;
import hudson.util.XStream2;
import j2html.attributes.Attr;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import jenkins.model.Jenkins;
import jenkins.security.SecurityListener;
import jenkins.security.seed.UserSeedProperty;
import jenkins.util.SystemProperties;
import net.sf.json.JSONObject;
import org.jenkinsci.Symbol;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.ForwardToView;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.Stapler;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;
import org.mindrot.jbcrypt.BCrypt;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;

/* loaded from: input_file:WEB-INF/lib/jenkins-core-2.341-rc32210.ef85dfddf5a_f.jar:hudson/security/HudsonPrivateSecurityRealm.class */
public class HudsonPrivateSecurityRealm extends AbstractPasswordBasedSecurityRealm implements ModelObject, AccessControlled {
    // Username pattern enforced at signup when no custom ID_REGEX is configured: word characters and '-' only.
    private static final String DEFAULT_ID_REGEX = "^[\\w-]+$";
    // Stored inverted: the data-bound constructor assigns !allowsSignup.
    private final boolean disableSignup;
    // Whether self-service signup must pass the captcha check (see _doCreateAccount).
    private final boolean enableCaptcha;
    // Optional username-pattern override, read once from the system property
    // "<this class name>.ID_REGEX" at class initialisation; null when the property is not set.
    private static String ID_REGEX = System.getProperty(HudsonPrivateSecurityRealm.class.getName() + ".ID_REGEX");
    // Session attribute under which commenceSignup() parks the federated identity.
    private static final String FEDERATED_IDENTITY_SESSION_KEY = HudsonPrivateSecurityRealm.class.getName() + ".federatedIdentity";
    // The only authority Details.getAuthorities2() ever returns: the generic "authenticated" authority.
    private static final Collection<? extends GrantedAuthority> TEST_AUTHORITY = Collections.singleton(AUTHENTICATED_AUTHORITY2);
    // bcrypt implementation; must be initialised before PASSWORD_ENCODER is used, because the
    // MultiPasswordEncoder methods delegate to it.
    static final JBCryptEncoder JBCRYPT_ENCODER = new JBCryptEncoder();
    // Encoder used for every stored hash in this realm; prefixes bcrypt output with "#jbcrypt:".
    public static final MultiPasswordEncoder PASSWORD_ENCODER = new MultiPasswordEncoder();
    // Servlet filter installed by the constructor when signup is disabled and no local account exists.
    // It steers visitors of the root page and of /manage to the first-user form until an account exists.
    private static final Filter CREATE_FIRST_USER_FILTER = new Filter() { // from class: hudson.security.HudsonPrivateSecurityRealm.2
        @Override // javax.servlet.Filter
        public void init(FilterConfig filterConfig) throws ServletException {
        }

        @Override // javax.servlet.Filter
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
            HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
            // Only the exact URIs "<context>/" and "<context>/manage" are intercepted; everything else passes through.
            if (!httpServletRequest.getRequestURI().equals(httpServletRequest.getContextPath() + "/") && !httpServletRequest.getRequestURI().equals(httpServletRequest.getContextPath() + "/manage")) {
                filterChain.doFilter(servletRequest, servletResponse);
            } else if (needsToCreateFirstUser()) {
                ((HttpServletResponse) servletResponse).sendRedirect("securityRealm/firstUser");
            } else {
                // A local account now exists (or the realm changed): the filter unregisters itself.
                PluginServletFilter.removeFilter(this);
                filterChain.doFilter(servletRequest, servletResponse);
            }
        }

        // True while this realm is the active one and no user carries a Details property.
        // access$500() is the synthetic accessor for the private hasSomeUser().
        private boolean needsToCreateFirstUser() {
            return !HudsonPrivateSecurityRealm.access$500() && (Jenkins.get().getSecurityRealm() instanceof HudsonPrivateSecurityRealm);
        }

        @Override // javax.servlet.Filter
        public void destroy() {
        }
    };
    private static final Logger LOGGER = Logger.getLogger(HudsonPrivateSecurityRealm.class.getName());

    /**
     * Descriptor that registers this realm under the symbol "local".
     */
    @Extension
    @Symbol({"local"})
    /* loaded from: input_file:WEB-INF/lib/jenkins-core-2.341-rc32210.ef85dfddf5a_f.jar:hudson/security/HudsonPrivateSecurityRealm$DescriptorImpl.class */
    public static final class DescriptorImpl extends Descriptor<SecurityRealm> {
        /** Returns the localized name of the realm. */
        @Override // hudson.model.Descriptor
        public String getDisplayName() {
            return Messages.HudsonPrivateSecurityRealm_DisplayName();
        }

        /**
         * Form check for the "allow signup" checkbox.
         *
         * @param z the submitted checkbox state
         * @return a warning when self-service signup is being enabled, otherwise OK
         */
        public FormValidation doCheckAllowsSignup(@QueryParameter boolean z) {
            if (!z) {
                return FormValidation.ok();
            }
            // Open signup lets anyone create an account, so the form surfaces a warning.
            return FormValidation.warning(Messages.HudsonPrivateSecurityRealm_SignupWarning());
        }
    }

    /* loaded from: input_file:WEB-INF/lib/jenkins-core-2.341-rc32210.ef85dfddf5a_f.jar:hudson/security/HudsonPrivateSecurityRealm$Details.class */
    /**
     * User property that stores the password hash of a local account and exposes it to
     * Spring Security through {@link #asUserDetails()}.
     */
    public static final class Details extends UserProperty {
        // Encoded password as produced by PASSWORD_ENCODER, or supplied pre-hashed via fromHashedPassword.
        private String passwordHash;

        // Legacy scrambled password; transient, so it is never written back. Only read by ConverterImpl.callback.
        @Deprecated
        private transient String password;

        /* loaded from: input_file:WEB-INF/lib/jenkins-core-2.341-rc32210.ef85dfddf5a_f.jar:hudson/security/HudsonPrivateSecurityRealm$Details$ConverterImpl.class */
        /**
         * XStream converter hook that migrates records still carrying the legacy {@code password} field.
         */
        public static class ConverterImpl extends XStream2.PassthruConverter<Details> {
            public ConverterImpl(XStream2 xStream2) {
                super(xStream2);
            }

            /* JADX INFO: Access modifiers changed from: protected */
            /**
             * If only the legacy scrambled password is present, descrambles it, hashes it with
             * PASSWORD_ENCODER and reports the record to OldDataMonitor (version "1.283").
             */
            @Override // hudson.util.XStream2.PassthruConverter
            public void callback(Details details, UnmarshallingContext unmarshallingContext) {
                // Nothing to migrate when there is no legacy value or a hash already exists.
                if (details.password == null || details.passwordHash != null) {
                    return;
                }
                details.passwordHash = HudsonPrivateSecurityRealm.PASSWORD_ENCODER.encode(Scrambler.descramble(details.password));
                OldDataMonitor.report(unmarshallingContext, "1.283");
            }
        }

        /**
         * Descriptor for the password property, registered under the symbol "password".
         */
        @Extension
        @Symbol({"password"})
        /* loaded from: input_file:WEB-INF/lib/jenkins-core-2.341-rc32210.ef85dfddf5a_f.jar:hudson/security/HudsonPrivateSecurityRealm$Details$DescriptorImpl.class */
        public static final class DescriptorImpl extends UserPropertyDescriptor {
            @Override // hudson.model.Descriptor
            public String getDisplayName() {
                return Messages.HudsonPrivateSecurityRealm_Details_DisplayName();
            }

            /**
             * Builds the password property from the user configuration form.
             *
             * <p>Reads {@code user.password} and {@code user.password2}; both must be present and equal.
             * A value that decrypts to "&lt;current session id&gt;:&lt;hash&gt;" (the format produced by
             * {@link Details#getProtectedPassword()}) means the password was left unchanged, and the
             * embedded hash is kept. Any other value is hashed as a new password.
             *
             * @throws Descriptor.FormException if the request is missing or the two fields do not agree
             */
            @Override // hudson.model.Descriptor
            /* renamed from: newInstance */
            public UserProperty newInstance2(StaplerRequest staplerRequest, JSONObject jSONObject) throws Descriptor.FormException {
                if (staplerRequest == null) {
                    throw new Descriptor.FormException("Stapler request is missing in the call", "staplerRequest");
                }
                String fixEmpty = Util.fixEmpty(staplerRequest.getParameter("user.password"));
                String fixEmpty2 = Util.fixEmpty(staplerRequest.getParameter("user.password2"));
                if (fixEmpty == null || fixEmpty2 == null) {
                    throw new Descriptor.FormException("Please confirm the password by typing it twice", "user.password2");
                }
                // presumably unprotect returns null when the value is not a Protector token — the checks below rely on that
                String unprotect = Protector.unprotect(fixEmpty);
                String unprotect2 = Protector.unprotect(fixEmpty2);
                // One field is a protected token and the other is not: they cannot be the same password.
                if ((unprotect == null) != (unprotect2 == null)) {
                    throw new Descriptor.FormException("Please confirm the password by typing it twice", "user.password2");
                }
                // Decrypted tokens are compared with MessageDigest.isEqual rather than String.equals.
                if (unprotect != null && !MessageDigest.isEqual(unprotect.getBytes(StandardCharsets.UTF_8), unprotect2.getBytes(StandardCharsets.UTF_8))) {
                    throw new Descriptor.FormException("Please confirm the password by typing it twice", "user.password2");
                }
                // Plain (non-token) values are compared with String.equals.
                if (unprotect == null && !fixEmpty.equals(fixEmpty2)) {
                    throw new Descriptor.FormException("Please confirm the password by typing it twice", "user.password2");
                }
                if (unprotect != null) {
                    // The token is bound to the session that rendered the form: it must start with this session's id.
                    String str = Stapler.getCurrentRequest().getSession().getId() + ':';
                    if (unprotect.startsWith(str)) {
                        // NOTE(review): the recovered hash is stored without a PASSWORD_ENCODER.isPasswordHashed
                        // check; this relies on Protector tokens not being forgeable by the client — confirm.
                        return Details.fromHashedPassword(unprotect.substring(str.length()));
                    }
                    // A token from another session falls through: the submitted form value itself is hashed below.
                }
                // The password is changing: renew the user seed first.
                // presumably this invalidates the user's existing sessions — verify against UserSeedProperty
                UserSeedProperty userSeedProperty = (UserSeedProperty) ((User) Util.getNearestAncestorOfTypeOrThrow(staplerRequest, User.class)).getProperty(UserSeedProperty.class);
                if (userSeedProperty != null) {
                    userSeedProperty.renewSeed();
                }
                return Details.fromPlainPassword(Util.fixNull(fixEmpty));
            }

            /** The property is offered only while this realm is the active security realm. */
            @Override // hudson.model.UserPropertyDescriptor
            public boolean isEnabled() {
                return Jenkins.get().getSecurityRealm() instanceof HudsonPrivateSecurityRealm;
            }

            /** No default instance: a user has no password property until one is set explicitly. */
            @Override // hudson.model.UserPropertyDescriptor
            public UserProperty newInstance(User user) {
                return null;
            }
        }

        /* JADX INFO: Access modifiers changed from: private */
        /* loaded from: input_file:WEB-INF/lib/jenkins-core-2.341-rc32210.ef85dfddf5a_f.jar:hudson/security/HudsonPrivateSecurityRealm$Details$UserDetailsImpl.class */
        /**
         * Spring Security view of the enclosing Details; every accessor delegates to it.
         */
        public final class UserDetailsImpl implements UserDetails {
            private UserDetailsImpl() {
            }

            @Override // org.springframework.security.core.userdetails.UserDetails
            public Collection<? extends GrantedAuthority> getAuthorities() {
                return Details.this.getAuthorities2();
            }

            // Returns the stored hash, not a plaintext password.
            @Override // org.springframework.security.core.userdetails.UserDetails
            public String getPassword() {
                return Details.this.getPassword();
            }

            @Override // org.springframework.security.core.userdetails.UserDetails
            public String getUsername() {
                return Details.this.getUsername();
            }

            @Override // org.springframework.security.core.userdetails.UserDetails
            public boolean isAccountNonExpired() {
                return Details.this.isAccountNonExpired();
            }

            @Override // org.springframework.security.core.userdetails.UserDetails
            public boolean isAccountNonLocked() {
                return Details.this.isAccountNonLocked();
            }

            @Override // org.springframework.security.core.userdetails.UserDetails
            public boolean isCredentialsNonExpired() {
                return Details.this.isCredentialsNonExpired();
            }

            @Override // org.springframework.security.core.userdetails.UserDetails
            public boolean isEnabled() {
                return Details.this.isEnabled();
            }

            // Two instances are equal when their usernames are equal; the hash is not compared.
            public boolean equals(Object obj) {
                return (obj instanceof UserDetailsImpl) && ((UserDetailsImpl) obj).getUsername().equals(getUsername());
            }

            public int hashCode() {
                return getUsername().hashCode();
            }
        }

        // Stores the given value as the hash without validating or re-encoding it.
        private Details(String str) {
            this.passwordHash = str;
        }

        /** Wraps an already encoded password; the caller is responsible for its format. */
        static Details fromHashedPassword(String str) {
            return new Details(str);
        }

        /** Hashes the plaintext with PASSWORD_ENCODER and wraps the result. */
        static Details fromPlainPassword(String str) {
            return new Details(HudsonPrivateSecurityRealm.PASSWORD_ENCODER.encode(str));
        }

        /** Always the single TEST_AUTHORITY collection, regardless of the user. */
        public Collection<? extends GrantedAuthority> getAuthorities2() {
            return HudsonPrivateSecurityRealm.TEST_AUTHORITY;
        }

        /** Legacy Acegi view of {@link #getAuthorities2()}. */
        @Deprecated
        public org.acegisecurity.GrantedAuthority[] getAuthorities() {
            return org.acegisecurity.GrantedAuthority.fromSpring(getAuthorities2());
        }

        /** Returns the stored password hash (never the plaintext). */
        public String getPassword() {
            return this.passwordHash;
        }

        /** Checks a candidate plaintext against the stored hash via PASSWORD_ENCODER. */
        public boolean isPasswordCorrect(String str) {
            return HudsonPrivateSecurityRealm.PASSWORD_ENCODER.matches(str, getPassword());
        }

        /**
         * Returns the hash prefixed with the current session id and ':' and passed through
         * Protector.protect; DescriptorImpl.newInstance2 recognises this value as "password unchanged".
         */
        public String getProtectedPassword() {
            return Protector.protect(Stapler.getCurrentRequest().getSession().getId() + ':' + getPassword());
        }

        // `user` is not declared in this class; presumably inherited from UserProperty.
        public String getUsername() {
            return this.user.getId();
        }

        User getUser() {
            return this.user;
        }

        // The four account-state flags below are hard-coded to true: this class never reports an
        // account as expired, locked, credential-expired or disabled.
        public boolean isAccountNonExpired() {
            return true;
        }

        public boolean isAccountNonLocked() {
            return true;
        }

        public boolean isCredentialsNonExpired() {
            return true;
        }

        public boolean isEnabled() {
            return true;
        }

        /** Creates the Spring Security adapter bound to this instance. */
        UserDetails asUserDetails() {
            return new UserDetailsImpl();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/jenkins-core-2.341-rc32210.ef85dfddf5a_f.jar:hudson/security/HudsonPrivateSecurityRealm$JBCryptEncoder.class */
    /**
     * bcrypt-backed {@link PasswordEncoder} built on jBCrypt.
     */
    public static class JBCryptEncoder implements PasswordEncoder {

        // Upper bound on the bcrypt cost factor accepted by isHashValid; read from the system property
        // "<realm class name>.maximumBCryptLogRound", default 18. Presumably this bounds the CPU time
        // spent verifying an externally supplied hash — confirm against the upstream documentation.
        @Restricted({NoExternalUse.class})
        @SuppressFBWarnings(value = {"MS_SHOULD_BE_FINAL"}, justification = "Accessible via System Groovy Scripts")
        private static int MAXIMUM_BCRYPT_LOG_ROUND = SystemProperties.getInteger(HudsonPrivateSecurityRealm.class.getName() + ".maximumBCryptLogRound", 18).intValue();
        // Accepts only "$2a$" hashes: a two-digit cost factor followed by exactly 53 characters.
        private static final Pattern BCRYPT_PATTERN = Pattern.compile("^\\$2a\\$([0-9]{2})\\$.{53}$");

        private JBCryptEncoder() {
        }

        /**
         * Hashes the password with a freshly generated salt.
         *
         * @param charSequence the plaintext password
         * @return the bcrypt hash string
         */
        @Override // org.springframework.security.crypto.password.PasswordEncoder
        public String encode(CharSequence charSequence) {
            String plaintext = charSequence.toString();
            String salt = BCrypt.gensalt();
            return BCrypt.hashpw(plaintext, salt);
        }

        /**
         * Verifies a plaintext password against a bcrypt hash.
         *
         * @param charSequence the candidate plaintext
         * @param str the stored bcrypt hash
         */
        @Override // org.springframework.security.crypto.password.PasswordEncoder
        public boolean matches(CharSequence charSequence, String str) {
            String candidate = charSequence.toString();
            return BCrypt.checkpw(candidate, str);
        }

        /**
         * Tells whether the string has the expected bcrypt shape and a cost factor in
         * the range 1..MAXIMUM_BCRYPT_LOG_ROUND.
         *
         * @param str the hash to inspect; must not be null
         */
        public boolean isHashValid(String str) {
            Matcher shape = BCRYPT_PATTERN.matcher(str);
            if (!shape.matches()) {
                return false;
            }
            int logRounds = Integer.parseInt(shape.group(1));
            return logRounds > 0 && logRounds <= MAXIMUM_BCRYPT_LOG_ROUND;
        }
    }

    /**
     * Management-page link to the local user list, registered under the symbol "localUsers".
     */
    @Extension
    @Symbol({"localUsers"})
    /* loaded from: input_file:WEB-INF/lib/jenkins-core-2.341-rc32210.ef85dfddf5a_f.jar:hudson/security/HudsonPrivateSecurityRealm$ManageUserLinks.class */
    public static final class ManageUserLinks extends ManagementLink {
        /**
         * Returns the icon only while this realm is active; a null icon is returned for any other realm.
         */
        @Override // hudson.model.ManagementLink, hudson.model.Action
        public String getIconFileName() {
            boolean localRealmActive = Jenkins.get().getSecurityRealm() instanceof HudsonPrivateSecurityRealm;
            return localRealmActive ? "symbol-people" : null;
        }

        /** Relative URL of the realm's own pages. */
        @Override // hudson.model.ManagementLink, hudson.model.Action
        public String getUrlName() {
            return "securityRealm/";
        }

        /** Localized link title. */
        @Override // hudson.model.Action, hudson.model.ModelObject
        public String getDisplayName() {
            return Messages.HudsonPrivateSecurityRealm_ManageUserLinks_DisplayName();
        }

        /** Localized link description. */
        @Override // hudson.model.ManagementLink
        public String getDescription() {
            return Messages.HudsonPrivateSecurityRealm_ManageUserLinks_Description();
        }

        /** The link is listed in the SECURITY category. */
        @Override // hudson.model.ManagementLink
        @NonNull
        public ManagementLink.Category getCategory() {
            return ManagementLink.Category.SECURITY;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/lib/jenkins-core-2.341-rc32210.ef85dfddf5a_f.jar:hudson/security/HudsonPrivateSecurityRealm$MultiPasswordEncoder.class */
    /**
     * Encoder for stored hashes of the form {@code "#jbcrypt:" + <bcrypt hash>}; anything
     * without that header, or with a malformed bcrypt part, never matches.
     */
    public static class MultiPasswordEncoder implements PasswordEncoder {
        private static final String JBCRYPT_HEADER = "#jbcrypt:";

        MultiPasswordEncoder() {
        }

        /** Hashes the password with bcrypt and prepends the header. */
        @Override // org.springframework.security.crypto.password.PasswordEncoder
        public String encode(CharSequence charSequence) {
            String bcryptHash = HudsonPrivateSecurityRealm.JBCRYPT_ENCODER.encode(charSequence);
            return JBCRYPT_HEADER + bcryptHash;
        }

        /**
         * Verifies a plaintext password against a stored, header-prefixed hash.
         *
         * @return false when the stored value is null, lacks the header or fails the bcrypt shape check
         */
        @Override // org.springframework.security.crypto.password.PasswordEncoder
        public boolean matches(CharSequence charSequence, String str) {
            if (!isPasswordHashed(str)) {
                // Unrecognised stored values are rejected instead of being compared as plaintext.
                return false;
            }
            String bcryptHash = str.substring(JBCRYPT_HEADER.length());
            return HudsonPrivateSecurityRealm.JBCRYPT_ENCODER.matches(charSequence, bcryptHash);
        }

        /** Tells whether the value is a header-prefixed bcrypt hash that JBCryptEncoder.isHashValid accepts. */
        public boolean isPasswordHashed(String str) {
            if (str == null || !str.startsWith(JBCRYPT_HEADER)) {
                return false;
            }
            return HudsonPrivateSecurityRealm.JBCRYPT_ENCODER.isHashValid(str.substring(JBCRYPT_HEADER.length()));
        }
    }

    /* loaded from: input_file:WEB-INF/lib/jenkins-core-2.341-rc32210.ef85dfddf5a_f.jar:hudson/security/HudsonPrivateSecurityRealm$SignupInfo.class */
    /**
     * Mutable holder for the signup form: the submitted values plus the validation errors
     * that validateAccountCreationForm records against them.
     */
    public static final class SignupInfo {
        // The public fields below are filled by bindParameters in the StaplerRequest constructor,
        // i.e. directly from client-supplied request data; nothing here validates them.
        public String username;
        // Plaintext passwords as typed by the user; held only for the duration of the request.
        public String password1;
        public String password2;
        public String fullname;
        public String email;
        public String captcha;

        @SuppressFBWarnings(value = {"URF_UNREAD_PUBLIC_OR_PROTECTED_FIELD"}, justification = "read by Stapler")
        public String errorMessage;
        // Validation errors keyed by field name; a later put for the same key replaces the earlier message.
        public HashMap<String, String> errors = new HashMap<>();

        public SignupInfo() {
        }

        /** Populates the fields from the request parameters. */
        public SignupInfo(StaplerRequest staplerRequest) {
            staplerRequest.bindParameters(this);
        }

        /** Pre-fills username, full name and e-mail from a federated identity; passwords stay unset. */
        public SignupInfo(FederatedLoginService.FederatedIdentity federatedIdentity) {
            this.username = federatedIdentity.getNickname();
            this.fullname = federatedIdentity.getFullName();
            this.email = federatedIdentity.getEmailAddress();
        }
    }

    /**
     * Legacy constructor: delegates to the three-argument form with captcha disabled and no captcha support.
     *
     * @param z whether self-service signup is allowed
     */
    @Deprecated
    public HudsonPrivateSecurityRealm(boolean z) {
        this(z, false, (CaptchaSupport) null);
    }

    /**
     * Creates the realm and, when signup is disabled and no local account exists yet,
     * installs the filter that redirects to the first-user form.
     *
     * @param z whether self-service signup is allowed
     * @param z2 whether signup must pass a captcha
     * @param captchaSupport captcha implementation handed to setCaptchaSupport
     */
    @DataBoundConstructor
    public HudsonPrivateSecurityRealm(boolean z, boolean z2, CaptchaSupport captchaSupport) {
        this.disableSignup = !z;
        this.enableCaptcha = z2;
        setCaptchaSupport(captchaSupport);
        // With signup closed and no account, nobody could log in: route visitors to first-user creation.
        if (!z && !hasSomeUser()) {
            try {
                PluginServletFilter.addFilter(CREATE_FIRST_USER_FILTER);
            } catch (ServletException e) {
                throw new AssertionError(e);
            }
        }
    }

    /** Returns true when self-service account creation is enabled (the inverse of disableSignup). */
    @Override // hudson.security.SecurityRealm
    public boolean allowsSignup() {
        return !this.disableSignup;
    }

    /** Bean-style alias of {@link #allowsSignup()}. */
    @Restricted({NoExternalUse.class})
    public boolean getAllowsSignup() {
        return allowsSignup();
    }

    /** Returns whether self-service signup requires a captcha. */
    public boolean isEnableCaptcha() {
        return this.enableCaptcha;
    }

    /**
     * Tells whether at least one user carries a {@link Details} property, i.e. has a local password.
     */
    private static boolean hasSomeUser() {
        for (User candidate : User.getAll()) {
            if (candidate.getProperty(Details.class) != null) {
                return true;
            }
        }
        return false;
    }

    /**
     * Always throws: this realm does not resolve any group name.
     *
     * @throws UsernameNotFoundException for every input, carrying the requested name
     */
    @Override // hudson.security.AbstractPasswordBasedSecurityRealm, hudson.security.SecurityRealm
    public GroupDetails loadGroupByGroupname2(String str, boolean z) throws UsernameNotFoundException {
        throw new UsernameNotFoundException(str);
    }

    /**
     * Looks up the local account and returns its Spring Security view.
     *
     * @throws UsernameNotFoundException if the user is unknown or has no password property
     */
    @Override // hudson.security.AbstractPasswordBasedSecurityRealm, hudson.security.SecurityRealm
    public UserDetails loadUserByUsername2(String str) throws UsernameNotFoundException {
        return load(str).asUserDetails();
    }

    /**
     * Fetches the password property of an existing user without creating the user.
     *
     * @param str the user id
     * @return the user's {@link Details}
     * @throws UsernameNotFoundException if the user does not exist or has no {@link Details}
     */
    @Restricted({NoExternalUse.class})
    public Details load(String str) throws UsernameNotFoundException {
        User account = User.getById(str, false);
        Details stored = null;
        if (account != null) {
            stored = (Details) account.getProperty(Details.class);
        }
        if (stored == null) {
            // The same exception covers "no such user" and "user without a local password".
            throw new UsernameNotFoundException("Password is not set: " + str);
        }
        if (stored.getUser() != null) {
            return stored;
        }
        // A property obtained from a user must point back at that user.
        throw new AssertionError();
    }

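    /**
     * Authenticates a username/password pair against the locally stored hash.
     *
     * <p>When the account cannot be loaded, one bcrypt computation is still performed before the
     * exception is rethrown. Without it, an unknown username fails immediately while a known
     * username costs a full bcrypt verification, and the response time reveals which usernames exist.
     *
     * @param str the user id
     * @param str2 the candidate plaintext password
     * @return the authenticated user's details
     * @throws UsernameNotFoundException if the user is unknown or has no password property
     * @throws BadCredentialsException if the password does not match
     */
    @Override // hudson.security.AbstractPasswordBasedSecurityRealm
    protected UserDetails authenticate2(String str, String str2) throws AuthenticationException {
        Details load;
        try {
            load = load(str);
        } catch (UsernameNotFoundException e) {
            // Spend roughly the work of one password check; the result is deliberately discarded.
            // The null guard keeps the original exception for requests that carry no password.
            if (str2 != null) {
                PASSWORD_ENCODER.encode(str2);
            }
            throw e;
        }
        if (load.isPasswordCorrect(str2)) {
            return load.asUserDetails();
        }
        throw new BadCredentialsException("Bad credentials");
    }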

    /**
     * Starts signup for a federated identity: parks the identity in the HTTP session and
     * returns the signup view pre-filled from it.
     *
     * @param federatedIdentity the externally authenticated identity to attach to the new account
     */
    @Override // hudson.security.SecurityRealm
    public HttpResponse commenceSignup(final FederatedLoginService.FederatedIdentity federatedIdentity) {
        // Kept in the session so doCreateAccountWithFederatedIdentity can pick it up on the follow-up POST.
        Stapler.getCurrentRequest().getSession().setAttribute(FEDERATED_IDENTITY_SESSION_KEY, federatedIdentity);
        return new ForwardToView(this, "signupWithFederatedIdentity.jelly") { // from class: hudson.security.HudsonPrivateSecurityRealm.1
            @Override // org.kohsuke.stapler.ForwardToView, org.kohsuke.stapler.HttpResponse
            public void generateResponse(StaplerRequest staplerRequest, StaplerResponse staplerResponse, Object obj) throws IOException, ServletException {
                SignupInfo signupInfo = new SignupInfo(federatedIdentity);
                signupInfo.errorMessage = Messages.HudsonPrivateSecurityRealm_WouldYouLikeToSignUp(federatedIdentity.getPronoun(), federatedIdentity.getIdentifier());
                // NOTE(review): Attr.DATA is a j2html constant; presumably the decompiler substituted it for
                // the request attribute name the view reads — confirm against the original source.
                staplerRequest.setAttribute(Attr.DATA, signupInfo);
                super.generateResponse(staplerRequest, staplerResponse, obj);
            }
        };
    }

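    /**
     * Creates an account from the federated signup form and links the federated identity
     * stored in the session by {@link #commenceSignup} to it.
     *
     * <p>The identity is read <em>before</em> the account is created: a successful signup ends in
     * loginAndTakeBack, which invalidates the session, so the attribute is no longer available
     * afterwards. A request that carries no stored identity still follows the normal signup path;
     * the linking step is skipped instead of failing with a NullPointerException after the
     * account has already been created.
     *
     * @return the created user, or null when validation failed and the form was shown again
     */
    @RequirePOST
    public User doCreateAccountWithFederatedIdentity(StaplerRequest staplerRequest, StaplerResponse staplerResponse) throws IOException, ServletException {
        HttpSession session = staplerRequest.getSession(false);
        FederatedLoginService.FederatedIdentity federatedIdentity = session == null
                ? null
                : (FederatedLoginService.FederatedIdentity) session.getAttribute(FEDERATED_IDENTITY_SESSION_KEY);
        User _doCreateAccount = _doCreateAccount(staplerRequest, staplerResponse, "signupWithFederatedIdentity.jelly");
        if (_doCreateAccount != null && federatedIdentity != null) {
            federatedIdentity.addTo(_doCreateAccount);
        }
        return _doCreateAccount;
    }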

    /**
     * Self-service signup endpoint (POST only); the permission to sign up is checked in _doCreateAccount.
     *
     * @return the created user, or null when validation failed and signup.jelly was shown again
     */
    @RequirePOST
    public User doCreateAccount(StaplerRequest staplerRequest, StaplerResponse staplerResponse) throws IOException, ServletException {
        return _doCreateAccount(staplerRequest, staplerResponse, "signup.jelly");
    }

    /**
     * Shared implementation of the self-service signup endpoints.
     *
     * <p>Rejects the request with 401 when signup is disabled. If no local account existed before
     * this signup, the new user is offered to the PermissionAdder extensions for ADMINISTER.
     * On success the new user is logged in.
     *
     * @param str the view to re-display when validation fails
     * @return the created user, or null when validation failed
     */
    private User _doCreateAccount(StaplerRequest staplerRequest, StaplerResponse staplerResponse, String str) throws ServletException, IOException {
        if (!allowsSignup()) {
            throw HttpResponses.errorWithoutStack(401, "User sign up is prohibited");
        }
        // Sampled before the account is created, otherwise the new user itself would count.
        boolean noAccountYet = !hasSomeUser();
        User created = createAccount(staplerRequest, staplerResponse, this.enableCaptcha, str);
        if (created == null) {
            return null;
        }
        if (noAccountYet) {
            tryToMakeAdmin(created);
        }
        loginAndTakeBack(staplerRequest, staplerResponse, created);
        return created;
    }

    /**
     * Logs the freshly created user in and shows the success page.
     *
     * <p>The statement order matters: the pre-login session is discarded and a new one created
     * before the authentication is stored, so a session id known before signup is not carried
     * into the authenticated state.
     */
    private void loginAndTakeBack(StaplerRequest staplerRequest, StaplerResponse staplerResponse, User user) throws ServletException, IOException {
        HttpSession session = staplerRequest.getSession(false);
        if (session != null) {
            // Drops every attribute of the old session as well, including any parked federated identity.
            session.invalidate();
        }
        staplerRequest.getSession(true);
        // Re-authenticates through the realm's authentication manager with the "password1" form value,
        // so a failure in that path propagates as an exception from this call.
        SecurityContextHolder.getContext().setAuthentication(getSecurityComponents().manager2.authenticate(new UsernamePasswordAuthenticationToken(user.getId(), staplerRequest.getParameter("password1"))));
        SecurityListener.fireLoggedIn(user.getId());
        staplerRequest.getView(this, "success.jelly").forward(staplerRequest, staplerResponse);
    }

    /**
     * Admin "add user" endpoint (POST only); the ADMINISTER check is performed in createAccountByAdmin.
     * Redirects to "." on success and re-displays addUser.jelly on validation failure.
     */
    @RequirePOST
    public void doCreateAccountByAdmin(StaplerRequest staplerRequest, StaplerResponse staplerResponse) throws IOException, ServletException {
        createAccountByAdmin(staplerRequest, staplerResponse, "addUser.jelly", ".");
    }

    /**
     * Creates an account on behalf of an administrator; no captcha is required on this path.
     *
     * @param str the view to re-display when validation fails
     * @param str2 where to redirect after success, or null for no redirect
     * @return the created user, or null when validation failed
     */
    @Restricted({NoExternalUse.class})
    public User createAccountByAdmin(StaplerRequest staplerRequest, StaplerResponse staplerResponse, String str, String str2) throws IOException, ServletException {
        // Permission is checked before any form data is read.
        checkPermission(Jenkins.ADMINISTER);
        User created = createAccount(staplerRequest, staplerResponse, false, str);
        boolean redirectRequested = created != null && str2 != null;
        if (redirectRequested) {
            staplerResponse.sendRedirect(str2);
        }
        return created;
    }

    /**
     * Creates an account from the setup wizard form; requires ADMINISTER and skips the captcha.
     *
     * @return the created user
     * @throws AccountCreationFailedException carrying the joined validation messages when the form is invalid
     */
    @Restricted({NoExternalUse.class})
    public User createAccountFromSetupWizard(StaplerRequest staplerRequest) throws IOException, AccountCreationFailedException {
        checkPermission(Jenkins.ADMINISTER);
        SignupInfo form = validateAccountCreationForm(staplerRequest, false);
        if (!form.errors.isEmpty()) {
            throw new AccountCreationFailedException(getErrorMessages(form));
        }
        return createAccount(form);
    }

    /**
     * Concatenates all validation messages, each followed by {@code " | "} (including the last one).
     */
    private String getErrorMessages(SignupInfo signupInfo) {
        StringBuilder joined = new StringBuilder();
        for (String message : signupInfo.errors.values()) {
            joined.append(message);
            joined.append(" | ");
        }
        return joined.toString();
    }

    /**
     * Creates the very first local account (POST only) and tries to grant it ADMINISTER.
     *
     * <p>This method performs no permission check of its own: the only guard is that no local
     * account exists yet. The existence check and the creation are separate steps in this method.
     */
    @RequirePOST
    public void doCreateFirstAccount(StaplerRequest staplerRequest, StaplerResponse staplerResponse) throws IOException, ServletException {
        if (hasSomeUser()) {
            staplerResponse.sendError(401, "First user was already created");
            return;
        }
        User firstUser = createAccount(staplerRequest, staplerResponse, false, "firstUser.jelly");
        if (firstUser == null) {
            // Validation failed; createAccount has already re-displayed the form.
            return;
        }
        tryToMakeAdmin(firstUser);
        loginAndTakeBack(staplerRequest, staplerResponse, firstUser);
    }

    /**
     * Offers the user to each registered PermissionAdder until one reports that it granted
     * ADMINISTER under the current authorization strategy. Nothing happens if none does.
     */
    private void tryToMakeAdmin(User user) {
        AuthorizationStrategy strategy = Jenkins.get().getAuthorizationStrategy();
        for (PermissionAdder adder : ExtensionList.lookup(PermissionAdder.class)) {
            if (adder.add(strategy, user, Jenkins.ADMINISTER)) {
                break;
            }
        }
    }

    /**
     * Validates the submitted form and creates the account, or re-displays the given view.
     *
     * @param z whether the captcha must be verified
     * @param str the view to forward to when validation fails
     * @return the created user, or null when validation failed
     */
    private User createAccount(StaplerRequest staplerRequest, StaplerResponse staplerResponse, boolean z, String str) throws ServletException, IOException {
        SignupInfo form = validateAccountCreationForm(staplerRequest, z);
        if (!form.errors.isEmpty()) {
            staplerRequest.getView(this, str).forward(staplerRequest, staplerResponse);
            return null;
        }
        return createAccount(form);
    }

    /**
     * Binds the signup form from the request and records every validation failure in
     * {@code errors}, keyed by field name. An empty map means the form is acceptable.
     *
     * <p>All checks run even after an earlier one failed; a later message for the same key
     * replaces the earlier one.
     *
     * @param z whether the captcha answer must be verified
     * @return the bound form, also published as a request attribute for the view
     */
    @SuppressFBWarnings(value = {"UWF_UNWRITTEN_PUBLIC_OR_PROTECTED_FIELD"}, justification = "written to by Stapler")
    private SignupInfo validateAccountCreationForm(StaplerRequest staplerRequest, boolean z) {
        SignupInfo signupInfo = new SignupInfo(staplerRequest);
        if (z && !validateCaptcha(signupInfo.captcha)) {
            signupInfo.errors.put("captcha", Messages.HudsonPrivateSecurityRealm_CreateAccount_TextNotMatchWordInImage());
        }
        if (signupInfo.username == null || signupInfo.username.length() == 0) {
            signupInfo.errors.put("username", Messages.HudsonPrivateSecurityRealm_CreateAccount_UserNameRequired());
        } else if (containsOnlyAcceptableCharacters(signupInfo.username)) {
            // The name is "taken" only if an existing user already has a local password;
            // lookup uses create=false so validation never creates a user record.
            User byId = User.getById(signupInfo.username, false);
            if (null != byId && byId.getProperty(Details.class) != null) {
                signupInfo.errors.put("username", Messages.HudsonPrivateSecurityRealm_CreateAccount_UserNameAlreadyTaken());
            }
        } else if (ID_REGEX == null) {
            signupInfo.errors.put("username", Messages.HudsonPrivateSecurityRealm_CreateAccount_UserNameInvalidCharacters());
        } else {
            // With a custom pattern configured, the message shows that pattern to the user.
            signupInfo.errors.put("username", Messages.HudsonPrivateSecurityRealm_CreateAccount_UserNameInvalidCharactersCustom(ID_REGEX));
        }
        if (signupInfo.password1 != null && !signupInfo.password1.equals(signupInfo.password2)) {
            signupInfo.errors.put("password1", Messages.HudsonPrivateSecurityRealm_CreateAccount_PasswordNotMatch());
        }
        // Only presence is required here; no length or complexity rule is applied in this method.
        if (signupInfo.password1 == null || signupInfo.password1.length() == 0) {
            signupInfo.errors.put("password1", Messages.HudsonPrivateSecurityRealm_CreateAccount_PasswordRequired());
        }
        // A missing full name defaults to the username (which may itself be null at this point).
        if (signupInfo.fullname == null || signupInfo.fullname.length() == 0) {
            signupInfo.fullname = signupInfo.username;
        }
        // E-mail is checked only when the Mailer plugin is present, and only for containing '@'.
        if (isMailerPluginPresent() && (signupInfo.email == null || !signupInfo.email.contains("@"))) {
            signupInfo.errors.put("email", Messages.HudsonPrivateSecurityRealm_CreateAccount_InvalidEmailAddress());
        }
        // Additional id/full-name rule enforced by User; overrides any earlier "username" message.
        if (!User.isIdOrFullnameAllowed(signupInfo.username)) {
            signupInfo.errors.put("username", hudson.model.Messages.User_IllegalUsername(signupInfo.username));
        }
        if (!User.isIdOrFullnameAllowed(signupInfo.fullname)) {
            signupInfo.errors.put("fullname", hudson.model.Messages.User_IllegalFullname(signupInfo.fullname));
        }
        // NOTE(review): Attr.DATA is a j2html constant; presumably the decompiler substituted it for
        // the request attribute name the view reads — confirm against the original source.
        staplerRequest.setAttribute(Attr.DATA, signupInfo);
        return signupInfo;
    }

    /**
     * Creates and saves the account described by an already validated form.
     *
     * @throws IllegalArgumentException if the form still carries validation errors
     */
    private User createAccount(SignupInfo signupInfo) throws IOException {
        // Defensive re-check: callers are expected to have validated the form already.
        if (!signupInfo.errors.isEmpty()) {
            throw new IllegalArgumentException("invalid signup info passed to createAccount(si): " + getErrorMessages(signupInfo));
        }
        User createAccount = createAccount(signupInfo.username, signupInfo.password1);
        createAccount.setFullName(signupInfo.fullname);
        if (isMailerPluginPresent()) {
            try {
                // The Mailer plugin is optional, so its property class is loaded by name through the
                // plugin class loader and instantiated with the e-mail address via its String constructor.
                createAccount.addProperty((UserProperty) Jenkins.get().pluginManager.uberClassLoader.loadClass("hudson.tasks.Mailer$UserProperty").getDeclaredConstructor(String.class).newInstance(signupInfo.email));
            } catch (ReflectiveOperationException e) {
                throw new RuntimeException(e);
            }
        }
        createAccount.save();
        return createAccount;
    }

    /**
     * Checks the username against the configured ID_REGEX, or against DEFAULT_ID_REGEX when
     * no custom pattern is set.
     */
    private boolean containsOnlyAcceptableCharacters(@NonNull String str) {
        String pattern = ID_REGEX != null ? ID_REGEX : DEFAULT_ID_REGEX;
        return str.matches(pattern);
    }

    /**
     * Detects the Mailer plugin by trying to load {@code hudson.tasks.Mailer$UserProperty}
     * through the plugin class loader.
     *
     * @return true if the class can be loaded, false if it is not found
     */
    @Restricted({NoExternalUse.class})
    public boolean isMailerPluginPresent() {
        try {
            return null != Jenkins.get().pluginManager.uberClassLoader.loadClass("hudson.tasks.Mailer$UserProperty");
        } catch (ClassNotFoundException e) {
            // Absence of the plugin is an expected configuration, hence the low log level.
            LOGGER.finer("Mailer plugin not present");
            return false;
        }
    }

    /**
     * Sets a local password for the given user id and fires the user-created event.
     *
     * <p>This method performs no permission check and no username or password validation of its
     * own, and it does not look at whether the user already has a password property; the form
     * paths in this class validate before calling it.
     *
     * @param str the user id
     * @param str2 the plaintext password, hashed via Details.fromPlainPassword
     * @return the user the password was attached to
     */
    public User createAccount(String str, String str2) throws IOException {
        // presumably the `true` flag makes getById create the user record when it does not exist — confirm
        User byId = User.getById(str, true);
        byId.addProperty(Details.fromPlainPassword(str2));
        SecurityListener.fireUserCreated(byId.getId());
        return byId;
    }

    /**
     * Sets an already hashed password for the given user id and fires the user-created event.
     *
     * <p>Like the plaintext variant, this method performs no permission check of its own.
     *
     * @param str the user id
     * @param str2 a hash accepted by PASSWORD_ENCODER.isPasswordHashed
     * @return the user the hash was attached to
     * @throws IllegalArgumentException if the value is not a recognised hash
     */
    public User createAccountWithHashedPassword(String str, String str2) throws IOException {
        boolean recognisedHash = PASSWORD_ENCODER.isPasswordHashed(str2);
        if (recognisedHash) {
            User account = User.getById(str, true);
            account.addProperty(Details.fromHashedPassword(str2));
            SecurityListener.fireUserCreated(account.getId());
            return account;
        }
        // Refusing anything else keeps plaintext from being stored in the hash field by mistake.
        throw new IllegalArgumentException("this method should only be called with a pre-hashed password");
    }

    /** Returns the localized name of this realm. */
    @Override // hudson.model.ModelObject
    public String getDisplayName() {
        return Messages.HudsonPrivateSecurityRealm_DisplayName();
    }

    /** The realm has no ACL of its own; it exposes the root Jenkins ACL. */
    @Override // hudson.security.AccessControlled
    public ACL getACL() {
        return Jenkins.get().getACL();
    }

    /** Delegates the permission check to the root Jenkins object. */
    @Override // hudson.security.AccessControlled
    public void checkPermission(Permission permission) {
        Jenkins.get().checkPermission(permission);
    }

    /** Delegates the permission query to the root Jenkins object. */
    @Override // hudson.security.AccessControlled
    public boolean hasPermission(Permission permission) {
        return Jenkins.get().hasPermission(permission);
    }

    /**
     * Returns every user that has a local password, sorted in the users' natural order.
     *
     * @return a new, mutable list
     */
    public List<User> getAllUsers() {
        List<User> localUsers = new ArrayList<>();
        for (User candidate : User.getAll()) {
            if (candidate.getProperty(Details.class) == null) {
                // Users without a Details property are not local accounts of this realm.
                continue;
            }
            localUsers.add(candidate);
        }
        Collections.sort(localUsers);
        return localUsers;
    }

    /**
     * Resolves a user by id. The create flag passed to User.getById is true only when
     * User.ALLOW_USER_CREATION_VIA_URL is set and the caller holds ADMINISTER; otherwise the
     * lookup is done with the flag set to false.
     */
    @Restricted({NoExternalUse.class})
    public User getUser(String str) {
        return User.getById(str, User.ALLOW_USER_CREATION_VIA_URL && hasPermission(Jenkins.ADMINISTER));
    }

    // Synthetic accessor: lets the anonymous CREATE_FIRST_USER_FILTER class call the private hasSomeUser().
    static /* synthetic */ boolean access$500() {
        return hasSomeUser();
    }
}
