package com.microsoft.jenkins.azuread;

import com.azure.core.credential.AccessToken;
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import edu.umd.cs.findbugs.annotations.NonNull;
import hudson.Extension;
import hudson.model.Action;
import hudson.model.Computer;
import hudson.model.Job;
import hudson.model.RootAction;
import hudson.model.User;
import hudson.security.AccessControlled;
import hudson.security.SecurityRealm;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Collection;
import java.util.Collections;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import jenkins.model.Jenkins;
import jenkins.model.TransientActionFactory;
import okhttp3.MediaType;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.RequestBody;
import okhttp3.Response;
import okhttp3.ResponseBody;
import org.apache.commons.lang3.StringUtils;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.kohsuke.stapler.StaplerProxy;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;

@Extension
@Restricted({NoExternalUse.class})
/* loaded from: input_file:com/microsoft/jenkins/azuread/GraphProxy.class */
public class GraphProxy implements RootAction, StaplerProxy {
    private static final OkHttpClient CLIENT = new OkHttpClient();
    private static final int TEN = 10;
    private final Cache<String, AccessToken> tokenCache = Caffeine.newBuilder().expireAfterWrite(10, TimeUnit.MINUTES).build();
    private AccessControlled accessControlled;

    @Extension
    /* loaded from: input_file:com/microsoft/jenkins/azuread/GraphProxy$TransientActionFactoryComputer.class */
    public static class TransientActionFactoryComputer extends TransientActionFactory<Computer> {
        public Class<Computer> type() {
            return Computer.class;
        }

        @NonNull
        public Collection<? extends Action> createFor(@NonNull Computer computer) {
            return Collections.singletonList(new GraphProxy(computer));
        }
    }

    @Extension
    /* loaded from: input_file:com/microsoft/jenkins/azuread/GraphProxy$TransientActionFactoryImpl.class */
    public static class TransientActionFactoryImpl extends TransientActionFactory<Job> {
        public Class<Job> type() {
            return Job.class;
        }

        @NonNull
        public Collection<? extends Action> createFor(@NonNull Job job) {
            return Collections.singletonList(new GraphProxy(job));
        }
    }

    public String getIconFileName() {
        return null;
    }

    public String getDisplayName() {
        return null;
    }

    public String getUrlName() {
        return "GraphProxy";
    }

    public GraphProxy() {
    }

    public GraphProxy(AccessControlled accessControlled) {
        this.accessControlled = accessControlled;
    }

    public Object getTarget() {
        if (this.accessControlled == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return this;
        }
        if (this.accessControlled instanceof Job) {
            this.accessControlled.checkPermission(Job.CONFIGURE);
        } else if (this.accessControlled instanceof Computer) {
            this.accessControlled.checkPermission(Computer.CONFIGURE);
        } else {
            this.accessControlled.checkPermission(Jenkins.ADMINISTER);
        }
        return this;
    }

    public void doDynamic(StaplerRequest staplerRequest, StaplerResponse staplerResponse) throws IOException {
        proxy(staplerRequest, staplerResponse);
    }

    private void proxy(StaplerRequest staplerRequest, StaplerResponse staplerResponse) throws IOException {
        Response execute = CLIENT.newCall(buildRequest(staplerRequest, getToken(), buildUrl(staplerRequest, getBaseUrl()))).execute();
        Throwable th = null;
        try {
            String header = execute.header("Content-Type", "application/json");
            staplerResponse.setContentType(header);
            staplerResponse.setStatus(execute.code());
            staplerResponse.addHeader("request-id", execute.header("request-id"));
            staplerResponse.addHeader("client-request-id", execute.header("client-request-id"));
            ResponseBody body = execute.body();
            if (body != null) {
                if ("application/json".equals(header)) {
                    staplerResponse.getWriter().write(body.string());
                } else {
                    staplerResponse.getWriter().write(body.byteString().string(StandardCharsets.ISO_8859_1));
                }
            }
            if (execute != null) {
                if (0 == 0) {
                    execute.close();
                    return;
                }
                try {
                    execute.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
        } catch (Throwable th3) {
            if (execute != null) {
                if (0 != 0) {
                    try {
                        execute.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    execute.close();
                }
            }
            throw th3;
        }
    }

    private String getToken() {
        SecurityRealm securityRealm = Jenkins.get().getSecurityRealm();
        if (!(securityRealm instanceof AzureSecurityRealm)) {
            throw new IllegalStateException("GraphProxy only works when Authentication is set to Azure");
        }
        AzureSecurityRealm azureSecurityRealm = (AzureSecurityRealm) securityRealm;
        AccessToken accessToken = (AccessToken) this.tokenCache.get(azureSecurityRealm.getCredentialCacheKey(), str -> {
            return azureSecurityRealm.getAccessToken();
        });
        if (accessToken == null) {
            throw new IllegalStateException("Access token must not be null here");
        }
        return accessToken.getToken();
    }

    private String getBaseUrl() {
        SecurityRealm securityRealm = Jenkins.get().getSecurityRealm();
        if (securityRealm instanceof AzureSecurityRealm) {
            return ((AzureSecurityRealm) securityRealm).getAzureClient().getServiceRoot();
        }
        throw new IllegalStateException("GraphProxy only works when Authentication is set to Azure");
    }

    private Request buildRequest(StaplerRequest staplerRequest, String str, String str2) throws IOException {
        Request.Builder addHeader = new Request.Builder().url(str2).addHeader("Authorization", "Bearer " + str);
        String header = staplerRequest.getHeader("ConsistencyLevel");
        if (header != null) {
            addHeader.addHeader("ConsistencyLevel", header);
        }
        if (staplerRequest.getMethod().equals("POST")) {
            addHeader.post(RequestBody.create((String) staplerRequest.getReader().lines().collect(Collectors.joining(System.lineSeparator())), MediaType.get(staplerRequest.getHeader("Content-Type"))));
        }
        String header2 = staplerRequest.getHeader("Accept");
        if (header2 != null) {
            addHeader.addHeader("Accept", header2);
        }
        String header3 = staplerRequest.getHeader("If-Match");
        if (header3 != null) {
            addHeader.addHeader("If-Match", header3);
        }
        return addHeader.build();
    }

    private String buildUrl(StaplerRequest staplerRequest, String str) {
        String str2 = str;
        if (staplerRequest.getRestOfPath().startsWith("/beta")) {
            str2 = str.replace("/v1.0", "");
        }
        StringBuilder sb = new StringBuilder(str2);
        String removeStart = StringUtils.removeStart(staplerRequest.getRestOfPath(), "/v1.0");
        if (removeStart.startsWith("/me")) {
            User current = User.current();
            if (current == null) {
                throw new IllegalStateException("User must be logged in here");
            }
            removeStart = removeStart.replace("me", "users/" + current.getId());
        }
        sb.append(removeStart);
        if (staplerRequest.getQueryString() != null) {
            sb.append("?").append(staplerRequest.getQueryString());
        }
        return sb.toString();
    }
}
