package hudson.security;

import com.google.common.annotations.VisibleForTesting;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import hudson.model.User;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Date;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import jenkins.model.Jenkins;
import jenkins.security.HMACConfidentialKey;
import jenkins.security.ImpersonatingUserDetailsService2;
import jenkins.security.seed.UserSeedProperty;
import jenkins.util.SystemProperties;
import org.apache.tools.ant.taskdefs.condition.Os;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.codec.Utf8;
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
import org.springframework.security.web.authentication.rememberme.InvalidCookieException;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;

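/**
 * Remember-me service for Jenkins built on Spring Security's {@link AbstractRememberMeServices}.
 *
 * <p>The cookie carries three tokens: the user name, the expiry time in epoch milliseconds and a
 * signature. The signature is a MAC (see {@link #makeTokenSignature(long, String)}) over the user
 * name, the expiry time, the user's seed and the service key, so changing any of them invalidates
 * previously issued cookies.
 *
 * <p>This listing is decompiler output; some access modifiers were widened by the decompiler
 * (see the JADX notes on individual methods).
 */
@Restricted({NoExternalUse.class})
/* loaded from: input_file:WEB-INF/lib/jenkins-core-2.407-rc33753.a_2fb_32de079c.jar:hudson/security/TokenBasedRememberMeServices2.class */
public class TokenBasedRememberMeServices2 extends AbstractRememberMeServices {
    private static final Logger LOGGER = Logger.getLogger(TokenBasedRememberMeServices2.class.getName());

    /**
     * When {@code true}, {@link #isTokenExpired(long)} no longer rejects cookies whose expiry lies
     * further in the future than the configured validity. Read from the system property
     * {@code <class name>.skipTooFarExpirationDateCheck}; left non-final so it can be changed at
     * runtime (per the suppression justification, from the script console).
     */
    @SuppressFBWarnings(value = {"MS_SHOULD_BE_FINAL"}, justification = "for script console")
    public static boolean SKIP_TOO_FAR_EXPIRATION_DATE_CHECK = SystemProperties.getBoolean(TokenBasedRememberMeServices2.class.getName() + ".skipTooFarExpirationDateCheck");

    // Key used to sign cookie tokens.
    // NOTE(review): Os.FAMILY_MAC (an Ant OS-family constant) is presumably a decompiler
    // substitution for an equal string literal used as the key id; confirm against the upstream
    // source before treating the Ant dependency as intentional.
    private static final HMACConfidentialKey MAC = new HMACConfidentialKey(TokenBasedRememberMeServices.class, Os.FAMILY_MAC);

    /**
     * Creates the service with the Jenkins secret key and the given user lookup wrapped in an
     * {@link ImpersonatingUserDetailsService2}.
     *
     * @param userDetailsService delegate used to load users named in a cookie
     */
    public TokenBasedRememberMeServices2(UserDetailsService userDetailsService) {
        super(Jenkins.get().getSecretKey(), new ImpersonatingUserDetailsService2(userDetailsService));
    }

    /**
     * Computes the signature stored as the third cookie token.
     *
     * @param j   token expiry time, epoch milliseconds
     * @param str user id the token is issued for
     * @return the MAC of {@code user:expiry:seed:key}, or the literal {@code "no-prop"} when the
     *         user has no {@link UserSeedProperty}
     */
    protected String makeTokenSignature(long j, String str) {
        String userSeed;
        if (UserSeedProperty.DISABLE_USER_SEED) {
            userSeed = "no-seed";
        } else {
            UserSeedProperty seedProperty = (UserSeedProperty) User.getById(str, true).getProperty(UserSeedProperty.class);
            if (seedProperty == null) {
                // NOTE(review): this value is a fixed string, not a MAC, so on this path the
                // signature comparison in processAutoLoginCookie does not authenticate the
                // cookie. Verify that the seed property cannot be absent for a real user.
                return "no-prop";
            }
            userSeed = seedProperty.getSeed();
        }
        String payload = String.join(":", str, Long.toString(j), userSeed, getKey());
        return MAC.mac(payload);
    }

    /**
     * Issues the remember-me cookie after an interactive login, if the user asked for it and the
     * feature is not disabled in the Jenkins security configuration.
     */
    @Override
    public void onLoginSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) {
        if (!rememberMeRequested(httpServletRequest, getParameter())) {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("Did not send remember-me cookie (principal did not set parameter '" + getParameter() + "')");
            }
            return;
        }
        Jenkins jenkins = Jenkins.getInstanceOrNull();
        if (jenkins != null && jenkins.isDisableRememberMe()) {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("Did not send remember-me cookie because 'Remember Me' is disabled in security configuration (principal did set parameter '" + getParameter() + "')");
            }
            return;
        }
        // The expiry is part of the signed payload, so it is fixed once here and reused below.
        long expiryMillis = System.currentTimeMillis() + TimeUnit.SECONDS.toMillis(getTokenValiditySeconds());
        String username = authentication.getName();
        String signature = makeTokenSignature(expiryMillis, username);
        String[] cookieTokens = {username, Long.toString(expiryMillis), signature};
        setCookie(cookieTokens, calculateLoginLifetime(httpServletRequest, authentication), httpServletRequest, httpServletResponse);
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Added remember-me cookie for user '" + username + "', expiry: '" + new Date(expiryMillis) + "'");
        }
    }

    /**
     * Returns the lifetime handed to {@code setCookie} in {@link #onLoginSuccess}; this
     * implementation ignores both arguments and returns the token validity in seconds.
     */
    protected int calculateLoginLifetime(HttpServletRequest httpServletRequest, Authentication authentication) {
        return getTokenValiditySeconds();
    }

    /**
     * Validates a presented remember-me cookie and returns the user it authenticates.
     *
     * <p>Checks, in order: Jenkins is running, remember-me is enabled (otherwise the cookie is
     * cancelled), the cookie has exactly three tokens, the expiry is acceptable, the user can be
     * loaded, and the presented signature equals the one recomputed for that user and expiry.
     *
     * @param strArr decoded cookie tokens: user name, expiry, signature
     * @return the loaded user details when the signature matches
     * @throws InvalidCookieException when any check fails
     * @throws NullPointerException   when the user details service returns {@code null}
     */
    @Override
    protected UserDetails processAutoLoginCookie(String[] strArr, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Jenkins jenkins = Jenkins.getInstanceOrNull();
        if (jenkins == null) {
            throw new InvalidCookieException("Jenkins is not yet running");
        }
        if (jenkins.isDisableRememberMe()) {
            cancelCookie(httpServletRequest, httpServletResponse);
            throw new InvalidCookieException("rememberMe is disabled");
        }
        if (strArr.length != 3) {
            throw new InvalidCookieException("Cookie token did not contain 3 tokens, but contained '" + Arrays.asList(strArr) + "'");
        }
        long expiryMillis = getTokenExpiryTime(strArr);
        if (isTokenExpired(expiryMillis)) {
            throw new InvalidCookieException("Cookie token[1] has expired (expired on '" + new Date(expiryMillis) + "'; current time is '" + new Date() + "')");
        }
        UserDetails userDetails = getUserDetailsService().loadUserByUsername(strArr[0]);
        Objects.requireNonNull(userDetails, "UserDetailsService " + getUserDetailsService() + " returned null for username " + strArr[0] + ". This is an interface contract violation");
        // Sign with the name reported by the loaded user rather than the raw cookie token.
        String expectedSignature = makeTokenSignature(expiryMillis, userDetails.getUsername());
        if (!equals(expectedSignature, strArr[2])) {
            // The expected signature is deliberately kept out of the message: it is the valid MAC
            // for this user and expiry, and exception messages can end up in logs.
            throw new InvalidCookieException("Cookie token[2] contained signature '" + strArr[2] + "' but it does not match the expected signature");
        }
        return userDetails;
    }

    /**
     * Parses the expiry token (index 1) as a {@code long}.
     *
     * @throws InvalidCookieException when the token is not a valid number
     */
    private long getTokenExpiryTime(String[] strArr) {
        try {
            return Long.parseLong(strArr[1]);
        } catch (NumberFormatException e) {
            throw new InvalidCookieException("Cookie token[1] did not contain a valid number (contained '" + strArr[1] + "')");
        }
    }

    /**
     * Builds the authentication for a cookie login and, unless user seeds are disabled, stores the
     * user's current seed in the HTTP session under {@link UserSeedProperty#USER_SESSION_SEED}.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override
    @SuppressFBWarnings(value = {"NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE"}, justification = "TODO needs triage")
    public Authentication createSuccessfulAuthentication(HttpServletRequest httpServletRequest, UserDetails userDetails) {
        Authentication authentication = super.createSuccessfulAuthentication(httpServletRequest, userDetails);
        if (!UserSeedProperty.DISABLE_USER_SEED) {
            // NOTE(review): neither the user nor the property is null-checked here (see the
            // suppressed FindBugs warning); a missing property would surface as an NPE.
            UserSeedProperty seedProperty = (UserSeedProperty) User.get2(authentication).getProperty(UserSeedProperty.class);
            httpServletRequest.getSession().setAttribute(UserSeedProperty.USER_SESSION_SEED, seedProperty.getSeed());
        }
        return authentication;
    }

    /**
     * Decides whether a cookie's expiry time is unacceptable.
     *
     * @param j expiry time from the cookie, epoch milliseconds
     * @return {@code true} when the expiry is in the past, or when it lies beyond
     *         {@code now + token validity} and {@link #SKIP_TOO_FAR_EXPIRATION_DATE_CHECK} is off
     */
    protected boolean isTokenExpired(long j) {
        long now = System.currentTimeMillis();
        long latestAllowedExpiry = TimeUnit.SECONDS.toMillis(getTokenValiditySeconds()) + now;
        boolean tooFarInFuture = !SKIP_TOO_FAR_EXPIRATION_DATE_CHECK && j > latestAllowedExpiry;
        if (tooFarInFuture) {
            // An expiry later than this service could have issued is treated as expired.
            LOGGER.log(Level.WARNING, "Attempt to use a cookie with an expiration duration larger than the one configured (delta of: {0} ms)", Long.valueOf(j - latestAllowedExpiry));
            return true;
        }
        return j < now;
    }

    /** Returns the superclass token validity in seconds. */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override
    @VisibleForTesting
    public int getTokenValiditySeconds() {
        return super.getTokenValiditySeconds();
    }

    /** Returns the superclass cookie name. */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override
    @VisibleForTesting
    public String getCookieName() {
        return super.getCookieName();
    }

    /**
     * Compares two signatures through {@link MessageDigest#isEqual(byte[], byte[])} on their UTF-8
     * bytes instead of {@link String#equals(Object)}.
     */
    private static boolean equals(String str, String str2) {
        byte[] expected = bytesUtf8(str);
        byte[] actual = bytesUtf8(str2);
        return MessageDigest.isEqual(expected, actual);
    }

    /** Encodes a string as UTF-8 bytes; {@code null} maps to {@code null}. */
    private static byte[] bytesUtf8(String str) {
        return str == null ? null : Utf8.encode(str);
    }
}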
