package com.microsoft.jenkins.azuread;

import com.github.scribejava.core.builder.ServiceBuilder;
import com.google.common.base.Suppliers;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.collect.ImmutableMap;
import com.microsoft.azure.AzureEnvironment;
import com.microsoft.azure.credentials.ApplicationTokenCredentials;
import com.microsoft.azure.management.Azure;
import com.microsoft.jenkins.azuread.Utils;
import com.microsoft.jenkins.azuread.scribe.AzureApi;
import com.microsoft.jenkins.azuread.scribe.AzureOAuthService;
import com.microsoft.jenkins.azurecommons.core.AzureClientFactory;
import com.thoughtworks.xstream.converters.Converter;
import com.thoughtworks.xstream.converters.MarshallingContext;
import com.thoughtworks.xstream.converters.UnmarshallingContext;
import com.thoughtworks.xstream.io.HierarchicalStreamReader;
import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
import hudson.Extension;
import hudson.model.Descriptor;
import hudson.model.User;
import hudson.security.GroupDetails;
import hudson.security.SecurityRealm;
import hudson.security.UserMayOrMayNotExistException2;
import hudson.security.csrf.CrumbExclusion;
import hudson.util.FormValidation;
import hudson.util.Secret;
import java.io.IOException;
import java.security.SecureRandom;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import jenkins.model.Jenkins;
import jenkins.security.SecurityListener;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.commons.lang3.StringUtils;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.Header;
import org.kohsuke.stapler.HttpRedirect;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/* loaded from: input_file:com/microsoft/jenkins/azuread/AzureSecurityRealm.class */
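/**
 * Jenkins {@link SecurityRealm} that authenticates users against Azure Active Directory.
 *
 * <p>Login is an OpenID Connect implicit flow: {@link #doCommenceLogin} redirects the browser to
 * Azure AD with {@code response_type=id_token} and {@code response_mode=form_post}, and Azure AD
 * posts the {@code id_token} back to {@link #CALLBACK_URL}, handled by {@link #doFinishLogin}.
 * The per-login {@code nonce} stored in the HTTP session is checked against the {@code nonce}
 * claim of the returned token in {@link #validateIdToken}; that check is what binds the posted
 * token to the browser session that started the login, since the callback is exempt from the
 * Jenkins CSRF crumb (see {@link CrumbExempt}).
 *
 * <p>Configuration (client id, client secret, tenant, cache duration, fromRequest flag) is
 * persisted by {@link ConverterImpl}; the id, secret and tenant are all stored as
 * {@link Secret}s so they are encrypted at rest.
 */
public class AzureSecurityRealm extends SecurityRealm {
    private static final String REFERER_ATTRIBUTE = AzureSecurityRealm.class.getName() + ".referer";
    private static final String TIMESTAMP_ATTRIBUTE = AzureSecurityRealm.class.getName() + ".beginTime";
    private static final String NONCE_ATTRIBUTE = AzureSecurityRealm.class.getName() + ".nonce";
    private static final Logger LOGGER = Logger.getLogger(AzureSecurityRealm.class.getName());
    /** Length of the OIDC nonce sent in the authorization request and echoed back in the id_token. */
    private static final int NONCE_LENGTH = 10;
    /** Alphabet the nonce is drawn from (alphanumeric, matching the previous behaviour). */
    private static final String NONCE_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    /**
     * CSPRNG for nonces. A nonce must be unpredictable to an attacker who wants to replay or inject
     * an id_token into a victim's session, so it is not generated from java.util.Random-backed
     * helpers. SecureRandom is safe for concurrent use, so one shared instance is enough.
     */
    private static final SecureRandom NONCE_RANDOM = new SecureRandom();
    /** Path (relative to the Jenkins root URL) that Azure AD posts the id_token back to. */
    public static final String CALLBACK_URL = "/securityRealm/finishLogin";
    private static final String CONVERTER_NODE_CLIENT_ID = "clientid";
    private static final String CONVERTER_NODE_CLIENT_SECRET = "clientsecret";
    private static final String CONVERTER_NODE_TENANT = "tenant";
    private static final String CONVERTER_NODE_CACHE_DURATION = "cacheduration";
    private static final String CONVERTER_NODE_FROM_REQUEST = "fromrequest";
    /** How many leading characters of the cache key ({@code sub} claim) are written to the log. */
    private static final int CACHE_KEY_LOG_LENGTH = 8;
    /** Per-{@code sub} cache of resolved users, expiring {@link #cacheDuration} seconds after write. */
    private Cache<String, AzureAdUser> caches;
    private Secret clientId;
    private Secret clientSecret;
    private Secret tenant;
    private int cacheDuration;
    /** When true the root URL is derived from the current request instead of the configured one. */
    private boolean fromRequest = false;
    private final AzureAdUsersCache cacheByUsername = AzureAdUsersCache.getInstance();
    /**
     * Lazily created, memoized Azure client. It is memoized for the lifetime of this instance;
     * a reloaded configuration produces a new realm (see {@link ConverterImpl#unmarshal}).
     */
    private final Supplier<Azure.Authenticated> cachedAzureClient = Suppliers.memoize(() -> {
        return Azure.configure()
                .withUserAgent(AzureClientFactory.getUserAgent("AzureJenkinsAd",
                        AzureSecurityRealm.class.getPackage().getImplementationVersion()))
                .authenticate(new ApplicationTokenCredentials(
                        getClientId(), getTenant(), getClientSecret().getPlainText(), AzureEnvironment.AZURE));
    });
    /** Lazily created, memoized id_token verifier bound to this client id and tenant. */
    private final Supplier<JwtConsumer> jwtConsumer = Suppliers.memoize(() -> {
        return Utils.JwtUtil.jwt(getClientId(), getTenant());
    });

    /**
     * XStream converter that persists the realm configuration as five flat child nodes.
     * Client id, client secret and tenant are written in their encrypted {@link Secret} form.
     */
    public static final class ConverterImpl implements Converter {
        @SuppressWarnings("rawtypes")
        public boolean canConvert(Class cls) {
            return cls == AzureSecurityRealm.class;
        }

        /** Writes one {@code <name>value</name>} child node. */
        private static void writeNode(HierarchicalStreamWriter writer, String name, String value) {
            writer.startNode(name);
            writer.setValue(value);
            writer.endNode();
        }

        public void marshal(Object obj, HierarchicalStreamWriter hierarchicalStreamWriter, MarshallingContext marshallingContext) {
            AzureSecurityRealm realm = (AzureSecurityRealm) obj;
            // Secrets are stored encrypted; the plain text never reaches config.xml.
            writeNode(hierarchicalStreamWriter, CONVERTER_NODE_CLIENT_ID, realm.getClientIdSecret());
            writeNode(hierarchicalStreamWriter, CONVERTER_NODE_CLIENT_SECRET, realm.getClientSecretSecret());
            writeNode(hierarchicalStreamWriter, CONVERTER_NODE_TENANT, realm.getTenantSecret());
            writeNode(hierarchicalStreamWriter, CONVERTER_NODE_CACHE_DURATION, String.valueOf(realm.getCacheDuration()));
            writeNode(hierarchicalStreamWriter, CONVERTER_NODE_FROM_REQUEST, String.valueOf(realm.isFromRequest()));
        }

        /**
         * Rebuilds a realm from the nodes written by {@link #marshal}. Unknown nodes are skipped
         * so that a config written by a newer version still loads. The user cache is created last
         * because its expiry depends on the {@code cacheduration} node.
         *
         * @throws NumberFormatException if the {@code cacheduration} node is not an integer
         */
        public Object unmarshal(HierarchicalStreamReader hierarchicalStreamReader, UnmarshallingContext unmarshallingContext) {
            AzureSecurityRealm realm = new AzureSecurityRealm();
            while (hierarchicalStreamReader.hasMoreChildren()) {
                hierarchicalStreamReader.moveDown();
                String nodeName = hierarchicalStreamReader.getNodeName();
                String value = hierarchicalStreamReader.getValue();
                switch (nodeName) {
                    case CONVERTER_NODE_CLIENT_ID:
                        realm.setClientId(value);
                        break;
                    case CONVERTER_NODE_CLIENT_SECRET:
                        realm.setClientSecret(value);
                        break;
                    case CONVERTER_NODE_TENANT:
                        realm.setTenant(value);
                        break;
                    case CONVERTER_NODE_CACHE_DURATION:
                        realm.setCacheDuration(Integer.parseInt(value));
                        break;
                    case CONVERTER_NODE_FROM_REQUEST:
                        realm.setFromRequest(Boolean.parseBoolean(value));
                        break;
                    default:
                        LOGGER.log(Level.FINE, "Ignoring unknown AzureSecurityRealm config node {0}", nodeName);
                        break;
                }
                hierarchicalStreamReader.moveUp();
            }
            realm.setCaches(CacheBuilder.newBuilder()
                    .expireAfterWrite(realm.getCacheDuration(), TimeUnit.SECONDS)
                    .build());
            return realm;
        }
    }

    /**
     * Exempts the id_token callback from the Jenkins CSRF crumb check. Azure AD posts the token
     * to {@link #CALLBACK_URL} with {@code form_post}, so the request cannot carry a crumb; the
     * exemption is limited to that exact path and the session-bound nonce check in
     * {@link #validateIdToken} provides the anti-forgery guarantee for it.
     */
    @Extension
    public static final class CrumbExempt extends CrumbExclusion {
        public boolean process(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
            // Exact match only: no prefix matching, so nothing else under /securityRealm is exempted.
            if (!CALLBACK_URL.equals(httpServletRequest.getPathInfo())) {
                return false;
            }
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return true;
        }
    }

    /** Descriptor exposing the realm in the global security configuration. */
    @Extension
    public static final class DescriptorImpl extends Descriptor<SecurityRealm> {
        public String getDisplayName() {
            return "Azure Active Directory";
        }

        public DescriptorImpl() {
        }

        public DescriptorImpl(Class<? extends SecurityRealm> cls) {
            super(cls);
        }

        /**
         * Form validation: tries to authenticate with the supplied credentials and list
         * subscriptions. Any failure is reported as a form error rather than propagated.
         *
         * <p>NOTE(review): the argument order matches the {@code ApplicationTokenCredentials}
         * call in {@code cachedAzureClient} (client id, tenant, secret); these decompiled
         * parameter names will not match the form field names Stapler binds by, so confirm
         * them against the original source / config.jelly.
         *
         * @param str    client id
         * @param secret client secret
         * @param str2   tenant id
         * @return ok on success, otherwise an error carrying the failure message
         */
        public FormValidation doVerifyConfiguration(@QueryParameter String str, @QueryParameter Secret secret, @QueryParameter String str2) throws IOException, ExecutionException {
            if (StringUtils.isBlank(str) || StringUtils.isBlank(str2) || secret == null) {
                return FormValidation.error("Client ID, tenant and client secret are all required");
            }
            try {
                Azure.authenticate(new ApplicationTokenCredentials(str, str2, secret.getPlainText(), AzureEnvironment.AZURE))
                        .subscriptions()
                        .list();
                return FormValidation.ok("Successfully verified");
            } catch (Exception e) {
                // Keep the full cause in the log; the form only gets the message.
                LOGGER.log(Level.FINE, "Azure AD configuration verification failed", e);
                String message = e.getMessage();
                return FormValidation.error(message != null ? message : e.toString());
            }
        }
    }

    /** @return the client id in its encrypted form, for persistence by {@link ConverterImpl}. */
    public String getClientIdSecret() {
        return this.clientId.getEncryptedValue();
    }

    /** @return the client secret in its encrypted form, for persistence by {@link ConverterImpl}. */
    public String getClientSecretSecret() {
        return this.clientSecret.getEncryptedValue();
    }

    /** @return the tenant in its encrypted form, for persistence by {@link ConverterImpl}. */
    public String getTenantSecret() {
        return this.tenant.getEncryptedValue();
    }

    public String getClientId() {
        return this.clientId.getPlainText();
    }

    /** @param str client id as plain text or as an encrypted {@link Secret} string */
    public void setClientId(String str) {
        this.clientId = Secret.fromString(str);
    }

    public Secret getClientSecret() {
        return this.clientSecret;
    }

    /** @param str client secret as plain text or as an encrypted {@link Secret} string */
    public void setClientSecret(String str) {
        this.clientSecret = Secret.fromString(str);
    }

    public String getTenant() {
        return this.tenant.getPlainText();
    }

    /** @param str tenant id as plain text or as an encrypted {@link Secret} string */
    public void setTenant(String str) {
        this.tenant = Secret.fromString(str);
    }

    /** @return user cache expiry, in seconds */
    public int getCacheDuration() {
        return this.cacheDuration;
    }

    /**
     * Sets the cache expiry in seconds. Note that this does not rebuild {@link #caches};
     * callers that change it must also call {@link #setCaches} (as {@link ConverterImpl} does).
     */
    public void setCacheDuration(int i) {
        this.cacheDuration = i;
    }

    public void setCaches(Cache<String, AzureAdUser> cache) {
        this.caches = cache;
    }

    public boolean isFromRequest() {
        return this.fromRequest;
    }

    @DataBoundSetter
    public void setFromRequest(boolean z) {
        this.fromRequest = z;
    }

    public JwtConsumer getJwtConsumer() {
        return this.jwtConsumer.get();
    }

    /**
     * Builds the scribe OAuth service for this tenant: implicit flow requesting an
     * {@code id_token} with the {@code openid profile email} scopes, calling back to
     * {@link #CALLBACK_URL} under the Jenkins root URL.
     */
    AzureOAuthService getOAuthService() {
        String rootUrl = getRootUrl();
        if (rootUrl == null) {
            // Azure AD will reject a literal "null/..." redirect URI; surface the misconfiguration.
            LOGGER.warning("Jenkins root URL is not configured; the Azure AD callback URL will be invalid");
        }
        return new ServiceBuilder(this.clientId.getPlainText())
                .apiSecret(this.clientSecret.getPlainText())
                .responseType("id_token")
                .scope("openid profile email")
                .callback(rootUrl + CALLBACK_URL)
                .build(AzureApi.instance(Constants.DEFAULT_GRAPH_ENDPOINT, getTenant()));
    }

    /** @return the memoized, authenticated Azure management client */
    public Azure.Authenticated getAzureClient() {
        return this.cachedAzureClient.get();
    }

    /**
     * @return the Jenkins root URL without a trailing slash; taken from the current request when
     *         {@link #isFromRequest()} is set, else from the global configuration (may be null
     *         if unconfigured)
     */
    private String getRootUrl() {
        Jenkins jenkins = Jenkins.get();
        String rootUrl = isFromRequest() ? jenkins.getRootUrlFromRequest() : jenkins.getRootUrl();
        return StringUtils.stripEnd(rootUrl, "/");
    }

    /**
     * Whether a post-login redirect target lies within this Jenkins instance. The target comes
     * from the Referer header captured at login start, i.e. from the client, so it is only
     * honoured when it equals the root URL or sits below it; anything else falls back to the
     * context root to avoid an open redirect.
     */
    private boolean isSafeRedirectTarget(String target) {
        String rootUrl = getRootUrl();
        if (rootUrl == null || target == null) {
            return false;
        }
        // The "/" suffix stops "https://host/jenkins-evil" from matching root "https://host/jenkins".
        return target.equals(rootUrl) || target.startsWith(rootUrl + "/");
    }

    /** @return a fresh {@link #NONCE_LENGTH}-character alphanumeric nonce from {@link #NONCE_RANDOM} */
    private static String newNonce() {
        StringBuilder nonce = new StringBuilder(NONCE_LENGTH);
        for (int i = 0; i < NONCE_LENGTH; i++) {
            nonce.append(NONCE_ALPHABET.charAt(NONCE_RANDOM.nextInt(NONCE_ALPHABET.length())));
        }
        return nonce.toString();
    }

    /**
     * Stapler constructor.
     *
     * <p>NOTE(review): from the assignments below, the first argument is the tenant and the
     * second the client id; the decompiled names do not reflect that. Confirm the real names
     * against config.jelly, since Stapler binds by parameter name.
     *
     * @param str    tenant id
     * @param str2   client id
     * @param secret client secret
     * @param i      user cache expiry in seconds
     */
    @DataBoundConstructor
    public AzureSecurityRealm(String str, String str2, Secret secret, int i) {
        this.clientId = Secret.fromString(str2);
        this.clientSecret = secret;
        this.tenant = Secret.fromString(str);
        this.cacheDuration = i;
        this.caches = CacheBuilder.newBuilder().expireAfterWrite(i, TimeUnit.SECONDS).build();
    }

    /** Bare instance used by {@link ConverterImpl#unmarshal}; fields are populated afterwards. */
    public AzureSecurityRealm() {
        LOGGER.log(Level.FINE, "AzureSecurityRealm()");
    }

    /**
     * Starts the login: records the referer (for the final redirect), the start time (for
     * timing logs) and a fresh nonce in the session, then redirects to the Azure AD
     * authorization endpoint with that nonce and {@code response_mode=form_post}.
     *
     * @param staplerRequest current request; its session is created if absent
     * @param str            Referer header, may be null
     */
    public HttpResponse doCommenceLogin(StaplerRequest staplerRequest, @Header("Referer") String str) {
        staplerRequest.getSession().setAttribute(REFERER_ATTRIBUTE, str);
        AzureOAuthService oAuthService = getOAuthService();
        staplerRequest.getSession().setAttribute(TIMESTAMP_ATTRIBUTE, Long.valueOf(System.currentTimeMillis()));
        String nonce = newNonce();
        staplerRequest.getSession().setAttribute(NONCE_ATTRIBUTE, nonce);
        return new HttpRedirect(oAuthService.getAuthorizationUrl(
                ImmutableMap.of("nonce", nonce, "response_mode", "form_post")));
    }

    /**
     * Completes the login from the id_token Azure AD posted back.
     *
     * <p>The token is verified and its nonce compared with the session's; the user is then
     * resolved (and group membership fetched) through the per-{@code sub} cache, placed in the
     * security context and the username cache, and the Jenkins {@link User} record is updated.
     * The session nonce is removed in every outcome so it cannot be reused. The final redirect
     * goes to the captured referer only if it lies under this Jenkins root URL.
     *
     * @throws IllegalStateException if the id_token or its {@code sub} claim is missing, or the
     *                               nonce does not match
     * @throws InvalidJwtException   if the token fails verification
     * @throws ExecutionException    if resolving the user fails
     */
    public HttpResponse doFinishLogin(StaplerRequest staplerRequest) throws InvalidJwtException, MalformedClaimException, ExecutionException {
        try {
            Long beginTime = (Long) staplerRequest.getSession().getAttribute(TIMESTAMP_ATTRIBUTE);
            String expectedNonce = (String) staplerRequest.getSession().getAttribute(NONCE_ATTRIBUTE);
            if (beginTime != null) {
                LOGGER.info("Requesting oauth code time = " + (System.currentTimeMillis() - beginTime.longValue()) + " ms");
            }
            String idToken = staplerRequest.getParameter("id_token");
            if (StringUtils.isBlank(idToken)) {
                throw new IllegalStateException("Can't extract id_token");
            }
            JwtClaims claims = validateIdToken(expectedNonce, idToken);
            String sub = (String) claims.getClaimValue("sub");
            if (StringUtils.isBlank(sub)) {
                throw new IllegalStateException("id_token has no sub claim");
            }
            AzureAdUser azureAdUser = this.caches.get(sub, () -> {
                AzureAdUser created = AzureAdUser.createFromJwt(claims);
                created.setAuthorities(AzureCachePool.get(getAzureClient()).getBelongingGroupsByOid(created.getObjectID()));
                // Only a prefix of the subject is logged; guard short values against an out-of-range substring.
                LOGGER.info(String.format("Fetch user details with sub: %s***",
                        sub.substring(0, Math.min(sub.length(), CACHE_KEY_LOG_LENGTH))));
                return created;
            });
            this.cacheByUsername.put(azureAdUser);
            AzureAuthenticationToken token = new AzureAuthenticationToken(azureAdUser);
            SecurityContextHolder.getContext().setAuthentication(token);
            User current = User.current();
            if (current != null) {
                current.setDescription(generateDescription(token));
                current.setFullName(token.getAzureAdUser().getName());
            }
            SecurityListener.fireAuthenticated2(azureAdUser);
            String referer = (String) staplerRequest.getSession().getAttribute(REFERER_ATTRIBUTE);
            if (isSafeRedirectTarget(referer)) {
                return HttpResponses.redirectTo(referer);
            }
            return HttpResponses.redirectToContextRoot();
        } catch (Exception e) {
            LOGGER.log(Level.SEVERE, "error", e);
            throw e;
        } finally {
            // One-shot nonce: drop it whether the login succeeded or failed.
            if (staplerRequest.isRequestedSessionIdValid()) {
                staplerRequest.getSession().removeAttribute(NONCE_ATTRIBUTE);
            }
        }
    }

    /**
     * Verifies the id_token signature/claims with {@link #getJwtConsumer()} and checks that its
     * {@code nonce} claim equals the nonce issued for this session. Both values must be
     * non-empty, so a session without a nonce (login not started here) is rejected too.
     *
     * @param str  nonce stored in the session at login start
     * @param str2 raw id_token from the callback
     * @return the verified claims
     * @throws InvalidJwtException   if the token fails verification
     * @throws IllegalStateException if either nonce is empty or they differ
     */
    JwtClaims validateIdToken(String str, String str2) throws InvalidJwtException {
        JwtClaims claims = getJwtConsumer().processToClaims(str2);
        String tokenNonce = (String) claims.getClaimValue("nonce");
        if (StringUtils.isAnyEmpty(str, tokenNonce) || !str.equals(tokenNonce)) {
            throw new IllegalStateException("Invalid nonce in the response");
        }
        return claims;
    }

    /**
     * Drops the cached group membership of the user logging out and returns the Azure AD
     * logout URL so the IdP session is ended as well.
     */
    protected String getPostLogOutUrl2(StaplerRequest staplerRequest, Authentication authentication) {
        if (authentication instanceof AzureAuthenticationToken) {
            String oid = ((AzureAuthenticationToken) authentication).getAzureAdUser().getObjectID();
            AzureCachePool.invalidateBelongingGroupsByOid(oid);
        }
        return getOAuthService().getLogoutUrl();
    }

    /**
     * Authentication manager that only accepts already-authenticated
     * {@link AzureAuthenticationToken}s, and a user-details service backed by the username
     * cache (users not seen in this process cannot be verified).
     */
    public SecurityRealm.SecurityComponents createSecurityComponents() {
        return new SecurityRealm.SecurityComponents(authentication -> {
            if (authentication instanceof AzureAuthenticationToken) {
                return authentication;
            }
            throw new IllegalStateException("Unexpected authentication type: " + authentication);
        }, str -> {
            AzureAdUser azureAdUser = this.cacheByUsername.get(str);
            if (azureAdUser == null) {
                throw new UserMayOrMayNotExistException2("Cannot verify users in this context");
            }
            return azureAdUser;
        });
    }

    /** Group lookup by name is not supported; groups come from the id_token user's OIDs. */
    public GroupDetails loadGroupByGroupname2(String str, boolean z) {
        throw new UsernameNotFoundException("groups not supported");
    }

    public boolean allowsSignup() {
        return false;
    }

    public String getLoginUrl() {
        return "securityRealm/commenceLogin";
    }

    /**
     * Builds the text shown on the Jenkins user page for an Azure AD user; empty for any
     * other authentication type.
     */
    private String generateDescription(Authentication authentication) {
        if (!(authentication instanceof AzureAuthenticationToken)) {
            return "";
        }
        AzureAdUser user = ((AzureAuthenticationToken) authentication).getAzureAdUser();
        return "Azure Active Directory User\n\n"
                + "Given Name: " + user.getGivenName() + "\n"
                + "Family Name: " + user.getFamilyName() + "\n"
                + "Unique Principal Name: " + user.getUniqueName() + "\n"
                + "Email: " + user.getEmail() + "\n"
                + "Object ID: " + user.getObjectID() + "\n"
                + "Tenant ID: " + user.getTenantID() + "\n"
                + "Groups: " + user.getGroupOIDs() + "\n";
    }
}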
