package com.microsoft.jenkins.azuread;

import com.microsoft.jenkins.azuread.AuthorizationContainer;
import edu.umd.cs.findbugs.annotations.CheckForNull;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import hudson.Extension;
import hudson.PluginManager;
import hudson.model.Descriptor;
import hudson.model.User;
import hudson.security.ACL;
import hudson.security.AuthorizationStrategy;
import hudson.security.Permission;
import hudson.security.PermissionAdder;
import hudson.security.PermissionScope;
import hudson.security.SidACL;
import hudson.util.FormValidation;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.logging.Level;
import java.util.logging.Logger;
import jenkins.model.Jenkins;
import net.sf.json.JSONObject;
import org.acegisecurity.acls.sid.PrincipalSid;
import org.acegisecurity.acls.sid.Sid;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.DoNotUse;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;

/* loaded from: input_file:WEB-INF/lib/azure-ad.jar:com/microsoft/jenkins/azuread/GlobalMatrixAuthorizationStrategy.class */
/**
 * Global (Jenkins-wide) matrix authorization strategy: a table mapping each {@link Permission}
 * to the set of {@link PermissionEntry} grantees that hold it.
 *
 * <p>This listing is decompiler output. Method names such as {@code m797newInstance} and
 * {@code mo790getGroups} are decompiler renames of bridge-merged methods; the note on each says
 * what the original name was.
 *
 * <p>Security-relevant points visible in this class:
 * <ul>
 *   <li>The root ACL only ever answers "granted" or "no decision"; it never returns an explicit
 *       deny (see {@link AclImpl}).</li>
 *   <li>Saving the configuration form always leaves at least one {@code Jenkins.ADMINISTER}
 *       grant in place, and that grant can land on the sid {@code "anonymous"} (see
 *       {@link DescriptorImpl#m797newInstance}).</li>
 *   <li>{@link #getGrantedPermissionEntries()} hands out the live backing map, not a copy.</li>
 * </ul>
 */
public class GlobalMatrixAuthorizationStrategy extends AuthorizationStrategy implements AuthorizationContainer {
    /**
     * Permissions singled out as dangerous. Nothing in this class reads the list; it is exposed
     * for other code in the plugin.
     * NOTE(review): in Jenkins core these three are generally treated as equivalent to
     * Administer; confirm how the plugin's UI and converters use this list.
     */
    @Restricted({NoExternalUse.class})
    public static final List<Permission> DANGEROUS_PERMISSIONS = Collections.unmodifiableList(Arrays.asList(Jenkins.RUN_SCRIPTS, PluginManager.CONFIGURE_UPDATECENTER, PluginManager.UPLOAD_PLUGINS));

    /** Singleton descriptor registered with Jenkins through {@code @Extension}. */
    @Extension
    public static final DescriptorImpl DESCRIPTOR = new DescriptorImpl();
    private static final Logger LOGGER = Logger.getLogger(GlobalMatrixAuthorizationStrategy.class.getName());

    // Transient: the ACL is rebuilt with the object and is not part of the persisted form.
    private final transient SidACL acl = new AclImpl();
    // Permission -> grantees. Plain HashMap, returned as-is by getGrantedPermissionEntries().
    private final Map<Permission, Set<PermissionEntry>> grantedPermissions = new HashMap<>();
    // Group sids collected through recordGroup().
    private final Set<String> groupSids = new HashSet<>();

    /**
     * ACL view over the enclosing strategy's permission table.
     */
    /* loaded from: input_file:WEB-INF/lib/azure-ad.jar:com/microsoft/jenkins/azuread/GlobalMatrixAuthorizationStrategy$AclImpl.class */
    private final class AclImpl extends SidACL {
        private AclImpl() {
        }

        /**
         * Three-state answer for one sid: {@code Boolean.TRUE} when the enclosing strategy
         * grants the permission, otherwise {@code null} ("no decision"). {@code Boolean.FALSE}
         * is never returned, so this ACL cannot explicitly deny anything by itself.
         *
         * @param sid        the sid being checked; whether it is a {@link PrincipalSid} is
         *                   passed on to the enclosing strategy's lookup
         * @param permission the permission being checked
         */
        @CheckForNull
        @SuppressFBWarnings(value = {"NP_BOOLEAN_RETURN_NULL"}, justification = "As designed, implements a third state for the ternary logic")
        protected Boolean hasPermission(Sid sid, Permission permission) {
            boolean isPrincipal = sid instanceof PrincipalSid;
            // Must stay qualified: an unqualified call would resolve against SidACL's own
            // hasPermission overloads rather than the enclosing strategy's.
            if (GlobalMatrixAuthorizationStrategy.this.hasPermission(toString(sid), permission, isPrincipal)) {
                return Boolean.TRUE;
            }
            return null;
        }
    }

    /**
     * Converter binding {@link AbstractAuthorizationContainerConverter} to this strategy type.
     */
    @Restricted({NoExternalUse.class})
    /* loaded from: input_file:WEB-INF/lib/azure-ad.jar:com/microsoft/jenkins/azuread/GlobalMatrixAuthorizationStrategy$ConverterImpl.class */
    public static class ConverterImpl extends AbstractAuthorizationContainerConverter<GlobalMatrixAuthorizationStrategy> {
        /** Accepts exactly this class; subclasses are not matched (identity comparison). */
        @Override // com.microsoft.jenkins.azuread.AbstractAuthorizationContainerConverter
        public boolean canConvert(Class cls) {
            return GlobalMatrixAuthorizationStrategy.class == cls;
        }

        /** Creates the empty strategy instance for the converter to fill. */
        /* JADX WARN: Can't rename method to resolve collision */
        @Override // com.microsoft.jenkins.azuread.AbstractAuthorizationContainerConverter
        public GlobalMatrixAuthorizationStrategy create() {
            return new GlobalMatrixAuthorizationStrategy();
        }
    }

    /**
     * Descriptor: builds a strategy from the submitted configuration form and validates names.
     */
    /* loaded from: input_file:WEB-INF/lib/azure-ad.jar:com/microsoft/jenkins/azuread/GlobalMatrixAuthorizationStrategy$DescriptorImpl.class */
    public static class DescriptorImpl extends Descriptor<AuthorizationStrategy> implements AuthorizationContainerDescriptor {
        /** This strategy applies at the {@code JENKINS} (global) permission scope. */
        @Override // com.microsoft.jenkins.azuread.AuthorizationContainerDescriptor
        public PermissionScope getPermissionScope() {
            return PermissionScope.JENKINS;
        }

        @NonNull
        public String getDisplayName() {
            return Messages.GlobalMatrixAuthorizationStrategy_DisplayName();
        }

        /**
         * Builds a strategy from the submitted form. The {@code "data"} object maps a
         * serialized {@link PermissionEntry} to an object of {@code permissionId -> boolean}.
         *
         * <p>Handling of bad input, as written:
         * <ul>
         *   <li>a key that does not parse as a {@code PermissionEntry} is dropped, logged only
         *       at {@code FINE};</li>
         *   <li>an unknown permission id is dropped, logged only at {@code FINE};</li>
         *   <li>a value of the wrong JSON type aborts with a {@code FormException} whose message
         *       contains the entire submitted form object.</li>
         * </ul>
         *
         * <p>Lockout guard: if the form grants {@code Jenkins.ADMINISTER} to nobody, Administer
         * is added for the current user. When {@code User.current()} is {@code null} the grant
         * goes to the sid {@code "anonymous"}.
         * NOTE(review): an Administer grant on "anonymous" would normally mean unauthenticated
         * full control; confirm the conditions under which this path runs without a current
         * user, and audit the persisted matrix for such an entry after configuration changes.
         *
         * @throws Descriptor.FormException if a per-sid value is not a JSON object or a
         *                                  permission flag is not a boolean
         */
        /* renamed from: newInstance, reason: merged with bridge method [inline-methods] */
        public AuthorizationStrategy m797newInstance(StaplerRequest staplerRequest, @NonNull JSONObject jSONObject) throws Descriptor.FormException {
            GlobalMatrixAuthorizationStrategy strategy = create();
            boolean administerGranted = false;
            for (Map.Entry sidEntry : jSONObject.getJSONObject("data").entrySet()) {
                String sidKey = (String) sidEntry.getKey();
                PermissionEntry grantee = PermissionEntry.fromString(sidKey);
                if (grantee == null) {
                    // Unparseable grantee: the whole row is skipped, visible only at FINE.
                    GlobalMatrixAuthorizationStrategy.LOGGER.log(Level.FINE, () -> "Failed to parse PermissionEntry from string: " + sidKey);
                    continue;
                }
                Object row = sidEntry.getValue();
                if (!(row instanceof JSONObject)) {
                    throw new Descriptor.FormException("not an object: " + jSONObject, "data");
                }
                for (Map.Entry flagEntry : ((JSONObject) row).entrySet()) {
                    Object flag = flagEntry.getValue();
                    if (!(flag instanceof Boolean)) {
                        throw new Descriptor.FormException("not an boolean: " + jSONObject, "data");
                    }
                    if (!((Boolean) flag).booleanValue()) {
                        // Unchecked box: nothing to grant.
                        continue;
                    }
                    Permission granted = Permission.fromId((String) flagEntry.getKey());
                    if (granted == null) {
                        GlobalMatrixAuthorizationStrategy.LOGGER.log(Level.FINE, "Silently skip unknown permission \"{0}\" for sid:\"{1}\", type: {2}", new Object[]{flagEntry.getKey(), grantee.getSid(), grantee.getType()});
                        continue;
                    }
                    if (granted == Jenkins.ADMINISTER) {
                        administerGranted = true;
                    }
                    strategy.add(granted, grantee);
                }
            }
            if (!administerGranted) {
                // Lockout guard; see the method comment for the "anonymous" caveat.
                User submitter = User.current();
                String adminSid = submitter == null ? "anonymous" : submitter.getId();
                strategy.add(Jenkins.ADMINISTER, new PermissionEntry(AuthorizationType.USER, adminSid));
            }
            return strategy;
        }

        /** Factory hook for the strategy instance that the form handler populates. */
        protected GlobalMatrixAuthorizationStrategy create() {
            return new GlobalMatrixAuthorizationStrategy();
        }

        /**
         * Form-validation endpoint for a user or group name; delegates to {@code doCheckName_}
         * with the Jenkins root and {@code Jenkins.ADMINISTER}.
         * NOTE(review): {@code @QueryParameter} carries no explicit name here, so binding
         * depends on the parameter name; {@code str} is presumably a decompiler-assigned name
         * rather than the original one. Verify against the plugin sources before recompiling.
         */
        @Restricted({NoExternalUse.class})
        public FormValidation doCheckName(@QueryParameter String str) {
            return doCheckName_(str, Jenkins.get(), Jenkins.ADMINISTER);
        }
    }

    /**
     * Extension that lets other code add one permission for one user when this strategy is
     * the active one.
     */
    @Extension
    @Restricted({DoNotUse.class})
    /* loaded from: input_file:WEB-INF/lib/azure-ad.jar:com/microsoft/jenkins/azuread/GlobalMatrixAuthorizationStrategy$PermissionAdderImpl.class */
    public static final class PermissionAdderImpl extends PermissionAdder {
        /**
         * Grants {@code permission} to {@code user} and saves the Jenkins configuration.
         *
         * @return {@code false} if the strategy is not a {@link GlobalMatrixAuthorizationStrategy};
         *         {@code true} otherwise, including when the save fails. In that case the
         *         grant exists in memory only and the failure is reported at {@code WARNING}.
         */
        public boolean add(AuthorizationStrategy authorizationStrategy, User user, Permission permission) {
            if (!(authorizationStrategy instanceof GlobalMatrixAuthorizationStrategy)) {
                return false;
            }
            GlobalMatrixAuthorizationStrategy matrix = (GlobalMatrixAuthorizationStrategy) authorizationStrategy;
            matrix.add(permission, PermissionEntry.user(user.getId()));
            try {
                Jenkins.get().save();
            } catch (IOException e) {
                GlobalMatrixAuthorizationStrategy.LOGGER.log(Level.WARNING, "Failed to save Jenkins after adding permission for user: " + user.getId(), (Throwable) e);
            }
            return true;
        }
    }

    /**
     * Returns the backing permission table itself, not a copy: any change a caller makes to
     * the returned map changes the grants held by this strategy.
     */
    @Override // com.microsoft.jenkins.azuread.AuthorizationContainer
    public Map<Permission, Set<PermissionEntry>> getGrantedPermissionEntries() {
        return this.grantedPermissions;
    }

    /** The permission reported as required for editing this matrix: {@code Jenkins.ADMINISTER}. */
    @Override // com.microsoft.jenkins.azuread.AuthorizationContainer
    public Permission getEditingPermission() {
        return Jenkins.ADMINISTER;
    }

    /** Returns the single ACL instance backed by this strategy's permission table. */
    @NonNull
    public ACL getRootACL() {
        return this.acl;
    }

    /**
     * Returns a fresh sorted copy of the recorded group sids, ordered by
     * {@code AuthorizationContainer.IdStrategyComparator}; changes to the returned set do not
     * affect this strategy.
     */
    @Override // 
    @NonNull
    /* renamed from: getGroups, reason: merged with bridge method [inline-methods] */
    public Set<String> mo790getGroups() {
        Set<String> sortedGroups = new TreeSet<>(new AuthorizationContainer.IdStrategyComparator());
        sortedGroups.addAll(this.groupSids);
        return sortedGroups;
    }

    /** Records {@code str} as a group sid. */
    @Override // com.microsoft.jenkins.azuread.AuthorizationContainer
    public void recordGroup(String str) {
        this.groupSids.add(str);
    }
}
