package com.microsoft.jenkins.azuread;

import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.ClientSecretCredential;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.github.scribejava.core.builder.ServiceBuilder;
import com.google.common.base.Supplier;
import com.google.common.base.Suppliers;
import com.microsoft.graph.authentication.TokenCredentialAuthProvider;
import com.microsoft.graph.http.GraphServiceException;
import com.microsoft.graph.httpcore.HttpClients;
import com.microsoft.graph.models.Group;
import com.microsoft.graph.options.HeaderOption;
import com.microsoft.graph.options.Option;
import com.microsoft.graph.options.QueryOption;
import com.microsoft.graph.requests.GraphServiceClient;
import com.microsoft.graph.requests.GroupCollectionPage;
import com.microsoft.jenkins.azuread.Utils;
import com.microsoft.jenkins.azuread.scribe.AzureApi;
import com.microsoft.jenkins.azuread.scribe.AzureOAuthService;
import com.microsoft.jenkins.azuread.utils.UUIDValidator;
import com.thoughtworks.xstream.converters.Converter;
import com.thoughtworks.xstream.converters.MarshallingContext;
import com.thoughtworks.xstream.converters.UnmarshallingContext;
import com.thoughtworks.xstream.io.HierarchicalStreamReader;
import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
import edu.umd.cs.findbugs.annotations.CheckForNull;
import edu.umd.cs.findbugs.annotations.NonNull;
import hudson.Extension;
import hudson.ProxyConfiguration;
import hudson.Util;
import hudson.model.Descriptor;
import hudson.model.User;
import hudson.security.GroupDetails;
import hudson.security.SecurityRealm;
import hudson.security.UserMayOrMayNotExistException2;
import hudson.security.csrf.CrumbExclusion;
import hudson.tasks.Mailer;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import hudson.util.Secret;
import io.jenkins.plugins.azuresdk.HttpClientRetriever;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import jenkins.model.Jenkins;
import jenkins.security.SecurityListener;
import jenkins.util.JenkinsJVM;
import okhttp3.Credentials;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.commons.lang3.StringUtils;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.Header;
import org.kohsuke.stapler.HttpRedirect;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/* loaded from: input_file:com/microsoft/jenkins/azuread/AzureSecurityRealm.class */
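/**
 * Jenkins {@link SecurityRealm} that authenticates users against Azure Active Directory
 * via an OpenID Connect implicit flow ({@code response_type=id_token}, {@code form_post})
 * and, unless Graph integration is disabled, resolves users and group membership through
 * Microsoft Graph using a client-credentials (app registration) token.
 *
 * <p>Login flow: {@link #doCommenceLogin} stores a fresh nonce in the HTTP session and
 * redirects to the authority; the authority POSTs an {@code id_token} back to
 * {@link #CALLBACK_URL}, which {@link #doFinishLogin} validates (signature/claims via
 * {@link Utils.JwtUtil}, nonce against the session) before establishing the Jenkins
 * {@link Authentication}.
 *
 * <p>Configuration is persisted by the custom XStream {@link ConverterImpl}; the client id,
 * client secret and tenant are stored as Jenkins {@link Secret}s (encrypted at rest).
 */
public class AzureSecurityRealm extends SecurityRealm {
    private static final String REFERER_ATTRIBUTE = AzureSecurityRealm.class.getName() + ".referer";
    private static final String TIMESTAMP_ATTRIBUTE = AzureSecurityRealm.class.getName() + ".beginTime";
    private static final String NONCE_ATTRIBUTE = AzureSecurityRealm.class.getName() + ".nonce";
    private static final Logger LOGGER = Logger.getLogger(AzureSecurityRealm.class.getName());
    /** Size of the OIDC nonce in bytes; 16 bytes of CSPRNG output = 128 bits of entropy. */
    private static final int NONCE_BYTES = 16;
    /**
     * The nonce is the only thing binding the callback's {@code id_token} to the browser session
     * that started the login, so it must come from a cryptographically secure generator rather
     * than the shared {@code java.util.Random} behind {@link RandomStringUtils}.
     */
    private static final SecureRandom NONCE_RANDOM = new SecureRandom();
    public static final String CALLBACK_URL = "/securityRealm/finishLogin";
    private static final String CONVERTER_NODE_CLIENT_ID = "clientid";
    private static final String CONVERTER_NODE_CLIENT_SECRET = "clientsecret";
    private static final String CONVERTER_NODE_TENANT = "tenant";
    private static final String CONVERTER_NODE_CACHE_DURATION = "cacheduration";
    private static final String CONVERTER_NODE_FROM_REQUEST = "fromrequest";
    /** Number of leading characters of a cache key that may appear in log output. */
    private static final int CACHE_KEY_LOG_LENGTH = 8;
    private static final int NOT_FOUND = 404;
    public static final String CONVERTER_DISABLE_GRAPH_INTEGRATION = "disableGraphIntegration";
    public static final String CONVERTER_ENVIRONMENT_NAME = "environmentName";

    /** Per-username cache of resolved users (including group authorities); expires after {@link #cacheDuration} seconds. */
    private Cache<String, AzureAdUser> caches;
    private Secret clientId;
    private Secret clientSecret;
    private Secret tenant;
    private int cacheDuration;
    private boolean singleLogout;
    private boolean disableGraphIntegration;
    /** When true the OAuth callback URL is derived from the incoming request instead of the configured root URL. */
    private boolean fromRequest = false;
    private String azureEnvironmentName = AzureEnvironment.AZURE_PUBLIC_CLOUD;

    /** Lazily built, memoized Graph client authenticated with the app registration's client secret. */
    private final transient Supplier<GraphServiceClient<Request>> cachedAzureClient =
            Suppliers.memoize(this::buildGraphClient);

    /** Lazily built, memoized JWT validator for id_tokens issued to this client id / tenant. */
    private final Supplier<JwtConsumer> jwtConsumer =
            Suppliers.memoize(() -> Utils.JwtUtil.jwt(getClientId(), getTenant()));

    /**
     * XStream converter controlling how the realm is written to and read from {@code config.xml}.
     * Secrets are written in their encrypted form ({@link Secret#getEncryptedValue()}).
     */
    public static final class ConverterImpl implements Converter {
        @Override
        @SuppressWarnings("rawtypes")
        public boolean canConvert(Class cls) {
            return cls == AzureSecurityRealm.class;
        }

        @Override
        public void marshal(Object obj, HierarchicalStreamWriter writer, MarshallingContext context) {
            AzureSecurityRealm realm = (AzureSecurityRealm) obj;
            writeNode(writer, CONVERTER_NODE_CLIENT_ID, realm.getClientIdSecret());
            writeNode(writer, CONVERTER_NODE_CLIENT_SECRET, realm.getClientSecretSecret());
            writeNode(writer, CONVERTER_NODE_TENANT, realm.getTenantSecret());
            writeNode(writer, CONVERTER_NODE_CACHE_DURATION, String.valueOf(realm.getCacheDuration()));
            writeNode(writer, CONVERTER_NODE_FROM_REQUEST, String.valueOf(realm.isFromRequest()));
            writeNode(writer, CONVERTER_ENVIRONMENT_NAME, String.valueOf(realm.getAzureEnvironmentName()));
            writeNode(writer, CONVERTER_DISABLE_GRAPH_INTEGRATION, String.valueOf(realm.isDisableGraphIntegration()));
        }

        /** Writes a single {@code <name>value</name>} element. */
        private static void writeNode(HierarchicalStreamWriter writer, String name, String value) {
            writer.startNode(name);
            writer.setValue(value);
            writer.endNode();
        }

        @Override
        public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
            AzureSecurityRealm realm = new AzureSecurityRealm();
            while (reader.hasMoreChildren()) {
                reader.moveDown();
                String nodeName = reader.getNodeName();
                String value = reader.getValue();
                switch (nodeName) {
                    case CONVERTER_NODE_CLIENT_ID:
                        realm.setClientId(value);
                        break;
                    case CONVERTER_NODE_CLIENT_SECRET:
                        realm.setClientSecret(value);
                        break;
                    case CONVERTER_NODE_TENANT:
                        realm.setTenant(value);
                        break;
                    case CONVERTER_NODE_CACHE_DURATION:
                        realm.setCacheDuration(Integer.parseInt(value));
                        break;
                    case CONVERTER_NODE_FROM_REQUEST:
                        realm.setFromRequest(Boolean.parseBoolean(value));
                        break;
                    case CONVERTER_ENVIRONMENT_NAME:
                        realm.setAzureEnvironmentName(value);
                        break;
                    case CONVERTER_DISABLE_GRAPH_INTEGRATION:
                        realm.setDisableGraphIntegration(Boolean.parseBoolean(value));
                        break;
                    default:
                        // unknown/legacy nodes are ignored so older or newer config files still load
                        break;
                }
                reader.moveUp();
            }
            realm.setCaches(Caffeine.newBuilder()
                    .expireAfterWrite(realm.getCacheDuration(), TimeUnit.SECONDS)
                    .build());
            return realm;
        }
    }

    /**
     * Exempts the OIDC {@code form_post} callback and the Graph proxy batch endpoint from Jenkins'
     * CSRF crumb check. The callback cannot carry a crumb because the POST originates from the
     * identity provider; its request is instead bound to the session by the nonce check in
     * {@link #doFinishLogin}. The {@code $batch} exemption matches by path suffix, so whatever
     * serves {@code GraphProxy/v1.0/$batch} must perform its own request validation (not visible here).
     */
    @Extension
    public static final class CrumbExempt extends CrumbExclusion {
        @Override
        public boolean process(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            String pathInfo = request.getPathInfo();
            if (pathInfo == null) {
                return false;
            }
            boolean exempt = pathInfo.equals(CALLBACK_URL) || pathInfo.endsWith("GraphProxy/v1.0/$batch");
            if (!exempt) {
                return false;
            }
            chain.doFilter(request, response);
            return true;
        }
    }

    /** Descriptor providing the configuration UI helpers for this realm. */
    @Extension
    public static final class DescriptorImpl extends Descriptor<SecurityRealm> {
        @Override
        @NonNull
        public String getDisplayName() {
            return "Azure Active Directory";
        }

        public DescriptorImpl() {
        }

        public DescriptorImpl(Class<? extends SecurityRealm> cls) {
            super(cls);
        }

        /** Populates the environment dropdown with the supported sovereign/public clouds. */
        public ListBoxModel doFillAzureEnvironmentNameItems() {
            ListBoxModel model = new ListBoxModel();
            model.add(AzureEnvironment.AZURE_PUBLIC_CLOUD);
            model.add(AzureEnvironment.AZURE_CHINA);
            model.add(AzureEnvironment.AZURE_GERMANY);
            model.add(AzureEnvironment.AZURE_US_GOVERNMENT_L4);
            model.add(AzureEnvironment.AZURE_US_GOVERNMENT_L5);
            return model;
        }

        /**
         * Form validation: builds a Graph client from the supplied (unsaved) credentials and looks up
         * one test user to prove the app registration works.
         *
         * <p>Parameter names are as decompiled; Stapler binds {@code @QueryParameter} by parameter
         * name, so they must match the form field names in the Jelly view (verify against the view).
         *
         * @param str   client id
         * @param secret client secret
         * @param str2  tenant id
         * @param str3  user principal name or object id of a user to look up
         * @param str4  Azure environment name
         */
        public FormValidation doVerifyConfiguration(@QueryParameter String str, @QueryParameter Secret secret,
                @QueryParameter String str2, @QueryParameter String str3, @QueryParameter String str4) {
            // This endpoint makes an outbound, authenticated Graph call with caller-supplied
            // credentials. Restrict it to administrators so it cannot be used by any logged-in
            // user as a credential-testing oracle or to drive outbound requests.
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            if (StringUtils.isBlank(str3)) {
                return FormValidation.error("Please set a test user principal name or object ID");
            }
            try {
                ClientSecretCredential credential = new ClientSecretCredentialBuilder()
                        .clientId(str)
                        .clientSecret(secret.getPlainText())
                        .tenantId(str2)
                        .httpClient(HttpClientRetriever.get())
                        .authorityHost(AzureEnvironment.getAuthorityHost(str4))
                        .build();
                OkHttpClient.Builder httpBuilder =
                        HttpClients.createDefault(new TokenCredentialAuthProvider(credential)).newBuilder();
                GraphServiceClient<Request> client = GraphServiceClient.builder()
                        .httpClient(AzureSecurityRealm.addProxyToHttpClientIfRequired(httpBuilder).build())
                        .buildClient();
                com.microsoft.graph.models.User user = client.users(str3).buildRequest(new Option[0]).get();
                return FormValidation.ok("Successfully verified, found display name: " + user.displayName);
            } catch (Exception e) {
                // surfaced to the admin in the form; the message may include Graph error details
                return FormValidation.error(e, e.getMessage());
            }
        }
    }

    /**
     * Acquires an app-only access token for Microsoft Graph using the configured client secret.
     *
     * <p>NOTE(review): the scope is hard-coded to the public-cloud Graph resource even though
     * {@link AzureEnvironment#getGraphResource} exists for sovereign clouds — confirm against callers.
     *
     * @throws IllegalStateException if the credential returns no token
     */
    public AccessToken getAccessToken() {
        ClientSecretCredential credential = getClientSecretCredential();
        TokenRequestContext context = new TokenRequestContext();
        context.setScopes(Collections.singletonList("https://graph.microsoft.com/.default"));
        AccessToken token = credential.getToken(context).block();
        if (token == null) {
            throw new IllegalStateException("Access token null when it is required");
        }
        return token;
    }

    /** Builds a client-credentials credential for the configured app registration and environment. */
    private ClientSecretCredential getClientSecretCredential() {
        return new ClientSecretCredentialBuilder()
                .clientId(this.clientId.getPlainText())
                .clientSecret(this.clientSecret.getPlainText())
                .tenantId(this.tenant.getPlainText())
                .authorityHost(AzureEnvironment.getAuthorityHost(getAzureEnvironmentName()))
                .httpClient(HttpClientRetriever.get())
                .build();
    }

    /** Builds the memoized Graph client, pointing it at the sovereign-cloud service root if needed. */
    private GraphServiceClient<Request> buildGraphClient() {
        String environmentName = getAzureEnvironmentName();
        OkHttpClient.Builder httpBuilder =
                HttpClients.createDefault(new TokenCredentialAuthProvider(getClientSecretCredential())).newBuilder();
        GraphServiceClient<Request> client = GraphServiceClient.builder()
                .httpClient(addProxyToHttpClientIfRequired(httpBuilder).build())
                .buildClient();
        if (!AzureEnvironment.AZURE_PUBLIC_CLOUD.equals(environmentName)) {
            client.setServiceRoot(AzureEnvironment.getServiceRoot(environmentName));
        }
        return client;
    }

    /**
     * Applies the Jenkins-wide HTTP proxy (and its basic-auth credentials, if any) to an OkHttp builder.
     * No-op outside the Jenkins JVM or when no proxy host is configured.
     *
     * <p>The proxy's no-proxy-host rules are evaluated against the public Graph host, so for
     * sovereign clouds the decision may not match the actual endpoint (hedged; depends on
     * {@link ProxyConfiguration#createProxy}).
     */
    public static OkHttpClient.Builder addProxyToHttpClientIfRequired(OkHttpClient.Builder builder) {
        if (!JenkinsJVM.isJenkinsJVM()) {
            return builder;
        }
        ProxyConfiguration proxy = Jenkins.get().getProxy();
        if (proxy == null || StringUtils.isBlank(proxy.getName())) {
            return builder;
        }
        OkHttpClient.Builder result = builder.proxy(proxy.createProxy("https://graph.microsoft.com"));
        if (StringUtils.isNotBlank(proxy.getUserName())) {
            result = result.proxyAuthenticator((route, response) -> response.request().newBuilder()
                    .header("Authorization",
                            Credentials.basic(proxy.getUserName(), proxy.getSecretPassword().getPlainText()))
                    .build());
        }
        return result;
    }

    public boolean isSingleLogout() {
        return this.singleLogout;
    }

    @DataBoundSetter
    public void setSingleLogout(boolean z) {
        this.singleLogout = z;
    }

    /** Encrypted (at-rest) form of the client id, for persistence. */
    public String getClientIdSecret() {
        return this.clientId.getEncryptedValue();
    }

    /** Encrypted (at-rest) form of the client secret, for persistence. */
    public String getClientSecretSecret() {
        return this.clientSecret.getEncryptedValue();
    }

    /** Encrypted (at-rest) form of the tenant id, for persistence. */
    public String getTenantSecret() {
        return this.tenant.getEncryptedValue();
    }

    /**
     * Digest identifying the current credential set, so caches keyed by it are invalidated when any
     * of client id, secret, tenant or environment changes. Only the digest is exposed, never the inputs.
     */
    public String getCredentialCacheKey() {
        return Util.getDigestOf(this.clientId.getPlainText()
                + this.clientSecret.getPlainText()
                + this.tenant.getPlainText()
                + this.azureEnvironmentName);
    }

    public String getClientId() {
        return this.clientId.getPlainText();
    }

    /** Configured environment, defaulting to the public cloud for blank/legacy configs. */
    public String getAzureEnvironmentName() {
        if (StringUtils.isBlank(this.azureEnvironmentName)) {
            return AzureEnvironment.AZURE_PUBLIC_CLOUD;
        }
        return this.azureEnvironmentName;
    }

    @DataBoundSetter
    public void setAzureEnvironmentName(String str) {
        this.azureEnvironmentName = str;
    }

    public boolean isDisableGraphIntegration() {
        return this.disableGraphIntegration;
    }

    @DataBoundSetter
    public void setDisableGraphIntegration(boolean z) {
        this.disableGraphIntegration = z;
    }

    public void setClientId(String str) {
        this.clientId = Secret.fromString(str);
    }

    public Secret getClientSecret() {
        return this.clientSecret;
    }

    public void setClientSecret(String str) {
        this.clientSecret = Secret.fromString(str);
    }

    public String getTenant() {
        return this.tenant.getPlainText();
    }

    public void setTenant(String str) {
        this.tenant = Secret.fromString(str);
    }

    public int getCacheDuration() {
        return this.cacheDuration;
    }

    public void setCacheDuration(int i) {
        this.cacheDuration = i;
    }

    public void setCaches(Cache<String, AzureAdUser> cache) {
        this.caches = cache;
    }

    public boolean isFromRequest() {
        return this.fromRequest;
    }

    @DataBoundSetter
    public void setFromRequest(boolean z) {
        this.fromRequest = z;
    }

    public JwtConsumer getJwtConsumer() {
        return this.jwtConsumer.get();
    }

    /** OAuth service for the implicit id_token flow; the callback is {@code <root url>} + {@link #CALLBACK_URL}. */
    AzureOAuthService getOAuthService() {
        String environmentName = getAzureEnvironmentName();
        AzureApi api = AzureApi.instance(
                AzureEnvironment.getGraphResource(environmentName),
                getTenant(),
                AzureEnvironment.getAuthorityHost(environmentName));
        return new ServiceBuilder(this.clientId.getPlainText())
                .apiSecret(this.clientSecret.getPlainText())
                .responseType("id_token")
                .scope("openid profile email")
                .callback(getRootUrl() + CALLBACK_URL)
                .build(api);
    }

    public GraphServiceClient<Request> getAzureClient() {
        return this.cachedAzureClient.get();
    }

    /** Jenkins root URL without trailing slash, from the request or the configuration per {@link #isFromRequest()}. */
    private String getRootUrl() {
        Jenkins jenkins = Jenkins.get();
        String root = isFromRequest() ? jenkins.getRootUrlFromRequest() : jenkins.getRootUrl();
        return StringUtils.stripEnd(root, "/");
    }

    /**
     * Data-bound constructor. Parameter names are as decompiled; Stapler binds them by name to the
     * configuration form, so they must match the view (verify against the Jelly file).
     *
     * @param str    tenant id
     * @param str2   client id
     * @param secret client secret
     * @param i      cache duration in seconds
     */
    @DataBoundConstructor
    public AzureSecurityRealm(String str, String str2, Secret secret, int i) {
        this.clientId = Secret.fromString(str2);
        this.clientSecret = secret;
        this.tenant = Secret.fromString(str);
        this.cacheDuration = i;
        this.caches = Caffeine.newBuilder().expireAfterWrite(i, TimeUnit.SECONDS).build();
    }

    /** Used by {@link ConverterImpl#unmarshal}; fields are populated via setters afterwards. */
    public AzureSecurityRealm() {
        LOGGER.log(Level.FINE, "AzureSecurityRealm()");
    }

    /** Generates a fresh, URL-safe, 128-bit nonce from {@link SecureRandom}. */
    private static String newNonce() {
        byte[] raw = new byte[NONCE_BYTES];
        NONCE_RANDOM.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /**
     * Starts the login: records the referer (for post-login redirect), a timestamp and a fresh nonce
     * in the session, then redirects the browser to the authorization endpoint.
     *
     * @param staplerRequest the current request
     * @param referer        the browser-supplied Referer header; untrusted, validated before use in {@link #doFinishLogin}
     */
    public HttpResponse doCommenceLogin(StaplerRequest staplerRequest, @Header("Referer") String referer) {
        HttpSession session = staplerRequest.getSession();
        session.setAttribute(REFERER_ATTRIBUTE, referer);
        session.setAttribute(TIMESTAMP_ATTRIBUTE, System.currentTimeMillis());
        String nonce = newNonce();
        session.setAttribute(NONCE_ATTRIBUTE, nonce);
        HashMap<String, String> params = new HashMap<>();
        params.put("nonce", nonce);
        params.put("response_mode", "form_post");
        return new HttpRedirect(getOAuthService().getAuthorizationUrl(params));
    }

    /**
     * Completes the login from the identity provider's {@code form_post} callback.
     *
     * <p>Steps: require a nonce in the session (otherwise the session is not in a login and is
     * invalidated); require an {@code id_token} parameter; validate the token and its nonce;
     * resolve the user (cached by {@code preferred_username}, with group authorities from Graph
     * unless disabled); install the {@link Authentication}; sync name/email/description onto the
     * Jenkins {@link User}; then redirect back to the recorded referer only if it points into this
     * Jenkins instance, else to the context root. The nonce is always cleared afterwards so it is
     * single-use.
     *
     * <p>NOTE(review): the session that carried the pre-login nonce is reused after authentication
     * (no session id rotation is visible here); confirm that core's login filter chain handles
     * session fixation for realm-driven logins.
     *
     * @throws InvalidJwtException   if the id_token fails signature/claim validation
     * @throws IOException           if updating the Jenkins user fails
     * @throws IllegalStateException if the nonce does not match or the token lacks a usable username
     */
    public HttpResponse doFinishLogin(StaplerRequest staplerRequest) throws InvalidJwtException, IOException {
        try {
            HttpSession session = staplerRequest.getSession();
            Long beginTime = (Long) session.getAttribute(TIMESTAMP_ATTRIBUTE);
            String expectedNonce = (String) session.getAttribute(NONCE_ATTRIBUTE);
            if (expectedNonce == null) {
                // no login in flight for this session: nothing to bind the id_token to
                session.invalidate();
                return HttpResponses.redirectToContextRoot();
            }
            if (beginTime != null) {
                LOGGER.info("Requesting oauth code time = " + (System.currentTimeMillis() - beginTime) + " ms");
            }
            String idToken = staplerRequest.getParameter("id_token");
            if (StringUtils.isBlank(idToken)) {
                LOGGER.info("No `id_token` found ensure you have enabled it on the 'Authentication' page of the app registration");
                session.invalidate();
                return HttpResponses.redirectToContextRoot();
            }
            JwtClaims claims = validateIdToken(expectedNonce, idToken);
            String preferredUsername = (String) claims.getClaimValue("preferred_username");
            if (StringUtils.isBlank(preferredUsername)) {
                // Caffeine rejects null keys and the username is the Jenkins user id; fail clearly instead of NPE
                throw new IllegalStateException("id_token has no preferred_username claim; cannot derive a Jenkins user id");
            }
            AzureAdUser azureAdUser = this.caches.get(preferredUsername, key -> loadUserFromIdToken(claims, key));
            if (azureAdUser == null) {
                throw new IllegalStateException("Should not be possible");
            }
            AzureAuthenticationToken token = new AzureAuthenticationToken(azureAdUser);
            SecurityContextHolder.getContext().setAuthentication(token);
            syncJenkinsUser(token);
            SecurityListener.fireAuthenticated2(azureAdUser);

            String referer = (String) session.getAttribute(REFERER_ATTRIBUTE);
            session.removeAttribute(REFERER_ATTRIBUTE);
            // The referer is attacker-controllable (request header); only follow it back into this instance.
            if (isSafeRedirectTarget(referer)) {
                return HttpResponses.redirectTo(referer);
            }
            return HttpResponses.redirectToContextRoot();
        } catch (Exception e) {
            LOGGER.log(Level.SEVERE, "error", e);
            throw e;
        } finally {
            // make the nonce single-use; skip if the session was invalidated above (avoid creating a new one)
            if (staplerRequest.isRequestedSessionIdValid()) {
                staplerRequest.getSession().removeAttribute(NONCE_ATTRIBUTE);
            }
        }
    }

    /** Cache loader: builds the user from validated claims and attaches Graph group authorities unless disabled. */
    private AzureAdUser loadUserFromIdToken(JwtClaims claims, String cacheKey) {
        AzureAdUser user = AzureAdUser.createFromJwt(claims);
        List<AzureAdGroup> groups = Collections.emptyList();
        if (!isDisableGraphIntegration()) {
            groups = AzureCachePool.get(getAzureClient()).getBelongingGroupsByOid(user.getObjectID());
        }
        user.setAuthorities(groups);
        // log only a prefix of the username (left() is null/short-safe, unlike substring)
        LOGGER.info(String.format("Fetch user details with sub: %s***", StringUtils.left(cacheKey, CACHE_KEY_LOG_LENGTH)));
        return user;
    }

    /** Copies display name, description and (unless explicitly configured) e-mail onto the current Jenkins user. */
    private void syncJenkinsUser(AzureAuthenticationToken token) throws IOException {
        User current = User.current();
        if (current == null) {
            return;
        }
        AzureAdUser adUser = token.getAzureAdUser();
        current.setDescription(generateDescription(token));
        current.setFullName(adUser.getName());
        if (StringUtils.isNotBlank(adUser.getEmail())) {
            Mailer.UserProperty mail = current.getProperty(Mailer.UserProperty.class);
            if (mail == null || !mail.hasExplicitlyConfiguredAddress()) {
                current.addProperty(new Mailer.UserProperty(adUser.getEmail()));
            }
        }
    }

    /**
     * True only when {@code url} is the Jenkins root URL or a URL beneath it. Anything else
     * (other hosts, scheme-relative {@code //evil}, blank) is rejected to prevent open redirects.
     */
    private boolean isSafeRedirectTarget(@CheckForNull String url) {
        if (StringUtils.isBlank(url)) {
            return false;
        }
        String root = getRootUrl();
        if (StringUtils.isBlank(root)) {
            return false;
        }
        // the "/" boundary stops https://jenkins.example.evil from matching https://jenkins.example
        return url.equals(root) || url.startsWith(root + "/");
    }

    /**
     * Validates the id_token via the memoized {@link JwtConsumer} (built by {@link Utils.JwtUtil#jwt};
     * signature/issuer/audience/expiry policy lives there, not here) and checks its {@code nonce}
     * claim against the one issued to this session.
     *
     * @param str  the nonce stored in the session at login start
     * @param str2 the raw id_token
     * @throws InvalidJwtException   if the token is rejected by the consumer
     * @throws IllegalStateException if either nonce is empty or they differ
     */
    JwtClaims validateIdToken(String str, String str2) throws InvalidJwtException {
        JwtClaims claims = getJwtConsumer().processToClaims(str2);
        String actualNonce = (String) claims.getClaimValue("nonce");
        if (StringUtils.isAnyEmpty(str, actualNonce) || !str.equals(actualNonce)) {
            throw new IllegalStateException(
                    String.format("Invalid nonce in the response, expected: %s actual: %s", str, actualNonce));
        }
        return claims;
    }

    /** Drops the user's cached group membership and returns either the IdP logout URL or the local logout page. */
    @Override
    protected String getPostLogOutUrl2(StaplerRequest staplerRequest, Authentication authentication) {
        if (authentication instanceof AzureAuthenticationToken) {
            String oid = ((AzureAuthenticationToken) authentication).getAzureAdUser().getObjectID();
            AzureCachePool.invalidateBelongingGroupsByOid(oid);
        }
        if (this.singleLogout) {
            return getOAuthService().getLogoutUrl();
        }
        return staplerRequest.getContextPath() + "/azureAdLogout";
    }

    /**
     * Authentication manager accepts only {@link AzureAuthenticationToken}s (no password logins);
     * user lookup goes through Graph (by object id extracted from the name, else the name itself)
     * and is cached like login-time users.
     */
    @Override
    public SecurityRealm.SecurityComponents createSecurityComponents() {
        return new SecurityRealm.SecurityComponents(authentication -> {
            if (authentication instanceof AzureAuthenticationToken) {
                return authentication;
            }
            throw new BadCredentialsException("Unexpected authentication type: " + authentication);
        }, username -> {
            if (username == null) {
                throw new UserMayOrMayNotExistException2("Can't find a user with no username");
            }
            if (isDisableGraphIntegration()) {
                throw new UserMayOrMayNotExistException2("Can't lookup a user if graph integration is disabled");
            }
            AzureAdUser azureAdUser = this.caches.get(username, key -> lookupUserInGraph(key));
            if (azureAdUser == null) {
                throw new UsernameNotFoundException("Cannot find user: " + username);
            }
            return azureAdUser;
        });
    }

    /** Cache loader for {@link #createSecurityComponents}; returns null (not found) on 404 or an id-less result. */
    @CheckForNull
    private AzureAdUser lookupUserInGraph(String username) {
        GraphServiceClient<Request> client = getAzureClient();
        String objectId = ObjId2FullSidMap.extractObjectId(username);
        if (objectId == null) {
            objectId = username;
        }
        try {
            com.microsoft.graph.models.User user = client.users(objectId).buildRequest(new Option[0]).get();
            // a null response would otherwise reach createFromActiveDirectoryUser; treat it as not found too
            if (user == null || user.id == null) {
                return null;
            }
            AzureAdUser result = Objects.requireNonNull(AzureAdUser.createFromActiveDirectoryUser(user));
            result.setAuthorities(AzureCachePool.get(client).getBelongingGroupsByOid(result.getObjectID()));
            return result;
        } catch (GraphServiceException e) {
            if (e.getResponseCode() == NOT_FOUND) {
                return null;
            }
            throw e;
        }
    }

    /**
     * Resolves a group by object id (UUID) or, failing that, by unique display name via Graph.
     *
     * @throws UserMayOrMayNotExistException2 if Graph integration is disabled
     * @throws UsernameNotFoundException      if no (or no unique) group matches
     */
    @Override
    public GroupDetails loadGroupByGroupname2(String str, boolean z) {
        if (isDisableGraphIntegration()) {
            throw new UserMayOrMayNotExistException2("Can't lookup a group if graph integration is disabled");
        }
        GraphServiceClient<Request> client = getAzureClient();
        String objectId = ObjId2FullSidMap.extractObjectId(str);
        if (objectId == null) {
            objectId = str;
        }
        Group group;
        if (UUIDValidator.isValidUUID(objectId)) {
            group = client.groups(objectId).buildRequest(new Option[0]).get();
        } else {
            group = loadGroupByDisplayName(str);
        }
        if (group == null || group.id == null) {
            throw new UsernameNotFoundException("Group: " + str + " not found");
        }
        return new AzureAdGroupDetails(group.id, group.displayName);
    }

    /**
     * Looks a group up by exact display name using a Graph {@code $search} (eventual consistency).
     * Returns null when nothing matches; throws when the name is ambiguous.
     *
     * <p>NOTE(review): the name is escaped for OData ({@code '} doubled) and URL-encoded, but
     * {@code $search} delimits the phrase with double quotes — confirm that a {@code "} in a group
     * name cannot alter the query once the SDK applies its own encoding.
     */
    @CheckForNull
    private Group loadGroupByDisplayName(String str) {
        String escaped = str.replace("'", "''");
        try {
            escaped = URLEncoder.encode(escaped, StandardCharsets.UTF_8.name());
        } catch (UnsupportedEncodingException e) {
            LOGGER.log(Level.WARNING, "Failed to url encode query, group name was: " + str);
        }
        LinkedList<Option> options = new LinkedList<>();
        options.add(new QueryOption("$search", String.format("\"displayName:%s\"", escaped)));
        options.add(new HeaderOption("ConsistencyLevel", "eventual"));
        GroupCollectionPage page = getAzureClient().groups().buildRequest(options).select("id,displayName").get();
        if (page == null) {
            throw new IllegalStateException("Graph returned no page for group search: " + str);
        }
        List<Group> matches = page.getCurrentPage();
        if (matches.size() > 1) {
            String ids = matches.stream().map(g -> g.id).collect(Collectors.joining(","));
            throw new UsernameNotFoundException(
                    "Multiple matches found for group display name, this must be unique: " + ids);
        }
        return matches.size() == 1 ? matches.get(0) : null;
    }

    /** Accounts are managed in Azure AD; Jenkins-side sign-up is never offered. */
    @Override
    public boolean allowsSignup() {
        return false;
    }

    @Override
    public String getLoginUrl() {
        return "securityRealm/commenceLogin";
    }

    /** Human-readable summary stored as the Jenkins user's description. */
    private String generateDescription(Authentication authentication) {
        if (!(authentication instanceof AzureAuthenticationToken)) {
            return "";
        }
        AzureAdUser adUser = ((AzureAuthenticationToken) authentication).getAzureAdUser();
        return "Azure Active Directory User\n\nUnique Principal Name: " + adUser.getUniqueName()
                + "\nEmail: " + adUser.getEmail()
                + "\nObject ID: " + adUser.getObjectID()
                + "\nTenant ID: " + adUser.getTenantID()
                + "\nGroups: " + adUser.getGroupOIDs() + "\n";
    }
}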
