package org.jenkinsci.plugins;

import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.Nullable;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import hudson.model.Item;
import hudson.security.Permission;
import hudson.security.SecurityRealm;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.net.MalformedURLException;
import java.net.Proxy;
import java.net.URL;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import jenkins.model.Jenkins;
import okhttp3.OkHttpClient;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.providers.AbstractAuthenticationToken;
import org.acegisecurity.userdetails.UsernameNotFoundException;
import org.kohsuke.github.GHMyself;
import org.kohsuke.github.GHOrganization;
import org.kohsuke.github.GHRepository;
import org.kohsuke.github.GHTeam;
import org.kohsuke.github.GHUser;
import org.kohsuke.github.GitHub;
import org.kohsuke.github.GitHubBuilder;
import org.kohsuke.github.RateLimitHandler;
import org.kohsuke.github.extras.okhttp3.OkHttpGitHubConnector;

/* loaded from: input_file:org/jenkinsci/plugins/GithubAuthenticationToken.class */
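/**
 * Authentication token for a Jenkins user identified by a GitHub OAuth access token.
 *
 * <p>Building the token resolves the GitHub login behind the access token and, when the active
 * security realm is a {@link GithubSecurityRealm} with a suitable OAuth scope, turns the user's
 * organizations and teams into granted authorities ({@code org} and {@code org*team}).
 *
 * <p><b>Caching.</b> All lookup caches are {@code static}, so they are shared by every token in
 * the JVM. Except for {@link #usersByTokenCache} they are keyed by GitHub login or repository
 * name, not by access token. Consequences a reviewer should keep in mind:
 * <ul>
 *   <li>Membership or permission changes made on GitHub are only seen once the relevant entry
 *       expires (see the expiry on each cache) or {@link #clearCaches()} /
 *       {@link #clearCacheForUser(String)} is called.</li>
 *   <li>Rights cached for a login are reused by any other token that resolves to the same
 *       login until they expire.</li>
 *   <li>{@link #repositoriesPublicStatusCache} is global per repository name; a "public" entry
 *       short-circuits read-related checks in {@link #hasRepositoryPermission}.</li>
 * </ul>
 *
 * <p><b>Serialization.</b> {@code gh}, {@code me} and {@code myRealm} are {@code transient};
 * {@code accessToken} is not. NOTE(review): the class declares a {@code serialVersionUID}, so
 * wherever an instance is serialized the OAuth access token is presumably part of that form;
 * confirm the storage is protected accordingly. {@code myRealm} is only assigned in the
 * constructor and is never re-resolved afterwards.
 */
public class GithubAuthenticationToken extends AbstractAuthenticationToken {
    private static final long serialVersionUID = 2;

    // OAuth access token; non-transient. Only handed out via the package-level getAccessToken(),
    // never via getCredentials().
    private final String accessToken;
    // Base URL of the GitHub API endpoint this token talks to.
    private final String githubServer;
    // GitHub login resolved from the access token; used as the key of the per-user caches.
    private final String userName;
    // Lazily built API client (see getGitHub()); null after deserialization.
    private transient GitHub gh;
    private transient GHMyself me;
    // Set in the constructor only when Jenkins' security realm is a GithubSecurityRealm.
    private transient GithubSecurityRealm myRealm;
    private final List<GrantedAuthority> authorities;

    /** Unit used for the hour-based cache expiries below. */
    public static final TimeUnit CACHE_EXPIRY = TimeUnit.HOURS;

    // login -> organization logins, 1 hour.
    private static final Cache<String, Set<String>> userOrganizationCache = Caffeine.newBuilder().expireAfterWrite(1, CACHE_EXPIRY).build();
    // login -> (repository full name -> rights). Outer entry 24 hours; inner entries 1 hour (see myRepositories()).
    private static final Cache<String, Cache<String, RepoRights>> repositoriesByUserCache = Caffeine.newBuilder().expireAfterWrite(24, CACHE_EXPIRY).build();
    // repository full name -> "is public", 1 hour. Shared by all users.
    private static final Cache<String, Boolean> repositoriesPublicStatusCache = Caffeine.newBuilder().expireAfterWrite(1, CACHE_EXPIRY).build();
    // login -> user (or UNKNOWN_USER after a failed lookup), 1 hour.
    private static final Cache<String, GithubUser> usersByIdCache = Caffeine.newBuilder().expireAfterWrite(1, CACHE_EXPIRY).build();
    // access token -> account (or UNKNOWN_TOKEN after a failed lookup), 1 minute.
    // The raw token string is the cache key, so it stays referenced from this static cache until the entry expires.
    private static final Cache<String, GithubMyself> usersByTokenCache = Caffeine.newBuilder().expireAfterWrite(1, TimeUnit.MINUTES).build();
    // login -> (organization login -> teams), 1 hour.
    private static final Cache<String, Map<String, Set<GHTeam>>> userTeamsCache = Caffeine.newBuilder().expireAfterWrite(1, CACHE_EXPIRY).build();

    // Negative-cache markers: wrappers with a null payload, stored when a lookup failed.
    private static final GithubUser UNKNOWN_USER = new GithubUser(null);
    private static final GithubMyself UNKNOWN_TOKEN = new GithubMyself(null);
    private static final Logger LOGGER = Logger.getLogger(GithubAuthenticationToken.class.getName());

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/jenkinsci/plugins/GithubAuthenticationToken$GithubMyself.class */
    /**
     * Cache value wrapping the account behind an access token. {@link #me} is {@code null} when
     * the wrapper records a failed lookup (see {@code UNKNOWN_TOKEN}).
     */
    public static class GithubMyself {
        public final GHMyself me;

        public GithubMyself(GHMyself gHMyself) {
            this.me = gHMyself;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/jenkinsci/plugins/GithubAuthenticationToken$GithubUser.class */
    /**
     * Cache value wrapping a GitHub user. {@link #user} is {@code null} when the wrapper records
     * a failed lookup (see {@code UNKNOWN_USER}).
     */
    public static class GithubUser {
        public final GHUser user;

        public GithubUser(GHUser gHUser) {
            this.user = gHUser;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/jenkinsci/plugins/GithubAuthenticationToken$RepoRights.class */
    /**
     * Snapshot of the access flags of one repository, copied from a {@link GHRepository} at
     * construction time. Later changes on GitHub are not reflected in an existing instance.
     */
    public static class RepoRights {
        public final boolean hasAdminAccess;
        public final boolean hasPullAccess;
        public final boolean hasPushAccess;
        public final boolean isPrivate;

        /**
         * @param gHRepository repository to copy the flags from, or {@code null} for the
         *     fail-closed default: no admin/pull/push access and treated as private
         */
        public RepoRights(@Nullable GHRepository gHRepository) {
            if (gHRepository != null) {
                this.hasAdminAccess = gHRepository.hasAdminAccess();
                this.hasPullAccess = gHRepository.hasPullAccess();
                this.hasPushAccess = gHRepository.hasPushAccess();
                this.isPrivate = gHRepository.isPrivate();
                return;
            }
            // Unknown repository: deny everything and assume private so that read-related
            // checks cannot succeed on the "public repository" rule.
            this.hasAdminAccess = false;
            this.hasPullAccess = false;
            this.hasPushAccess = false;
            this.isPrivate = true;
        }

        public boolean hasAdminAccess() {
            return this.hasAdminAccess;
        }

        public boolean hasPullAccess() {
            return this.hasPullAccess;
        }

        public boolean hasPushAccess() {
            return this.hasPushAccess;
        }

        public boolean isPrivate() {
            return this.isPrivate;
        }
    }

    /**
     * Creates a token without clearing the cached data of the resolved user.
     *
     * @param str OAuth access token
     * @param str2 GitHub API endpoint URL
     * @throws IOException declared by the delegated constructor
     */
    @SuppressFBWarnings({"NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE"})
    public GithubAuthenticationToken(String str, String str2) throws IOException {
        this(str, str2, false);
    }

    /**
     * Resolves the account behind the access token and collects its authorities.
     *
     * <p>A failed account lookup is negatively cached by {@link #loadMyself(String)} for the
     * lifetime of a {@code usersByTokenCache} entry (1 minute), so a valid token can be rejected
     * for that long after a transient GitHub error.
     *
     * @param str OAuth access token
     * @param str2 GitHub API endpoint URL
     * @param z when {@code true}, the per-user cache entries of the resolved login are
     *     invalidated before organizations and teams are loaded
     * @throws UsernameNotFoundException if no account could be resolved for the token
     * @throws UncheckedIOException if loading the user's organizations or teams fails
     * @throws IOException declared; I/O failures of the account lookup itself are caught in
     *     {@link #loadMyself(String)}
     */
    @SuppressFBWarnings({"NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE"})
    public GithubAuthenticationToken(String str, String str2, boolean z) throws IOException {
        super(new GrantedAuthority[0]);
        this.myRealm = null;
        this.authorities = new ArrayList<>();
        // accessToken and githubServer must be set before loadMyself(), which builds the client from them.
        this.accessToken = str;
        this.githubServer = str2;
        this.me = loadMyself(str);
        if (this.me == null) {
            throw new UsernameNotFoundException("Token not valid");
        }
        setAuthenticated(true);
        this.userName = this.me.getLogin();
        if (z) {
            clearCacheForUser(this.userName);
        }
        this.authorities.add(SecurityRealm.AUTHENTICATED_AUTHORITY);
        Jenkins jenkins = Jenkins.get();
        if (jenkins.getSecurityRealm() instanceof GithubSecurityRealm) {
            if (this.myRealm == null) {
                // The decompiled listing dropped this cast; without it the assignment does not type-check.
                this.myRealm = (GithubSecurityRealm) jenkins.getSecurityRealm();
            }
            // Organization and team authorities are only loaded when one of these scopes was requested.
            if (this.myRealm.hasScope("read:org") || this.myRealm.hasScope("admin:org") || this.myRealm.hasScope("user") || this.myRealm.hasScope("repo")) {
                Set<String> userOrgs = getUserOrgs();
                Map<String, Set<GHTeam>> teamsByOrg = userTeamsCache.get(this.userName, login -> {
                    try {
                        return getGitHub().getMyTeams();
                    } catch (IOException e) {
                        throw new UncheckedIOException("authorization failed for user = " + this.userName, e);
                    }
                });
                // Organizations without any team still get an (empty) entry so they yield an authority below.
                // NOTE(review): teamsByOrg is the cached instance shared by all tokens of this login and is
                // mutated in place here; confirm concurrent logins of the same user cannot race on it.
                for (String orgLogin : userOrgs) {
                    if (!teamsByOrg.containsKey(orgLogin)) {
                        teamsByOrg.put(orgLogin, Collections.emptySet());
                    }
                }
                for (Map.Entry<String, Set<GHTeam>> entry : teamsByOrg.entrySet()) {
                    String orgLogin = entry.getKey();
                    LOGGER.log(Level.FINE, "Fetch teams for user " + this.userName + " in organization " + orgLogin);
                    this.authorities.add(new GrantedAuthorityImpl(orgLogin));
                    for (GHTeam team : entry.getValue()) {
                        // Team authority is "<org>*<team>", using the slug when present and the name otherwise.
                        this.authorities.add(new GrantedAuthorityImpl(orgLogin + "*" + (team.getSlug() == null ? team.getName() : team.getSlug())));
                    }
                }
            }
        }
    }

    /** Invalidates every entry of every cache held by this class. */
    public static void clearCaches() {
        userOrganizationCache.invalidateAll();
        repositoriesByUserCache.invalidateAll();
        repositoriesPublicStatusCache.invalidateAll();
        usersByIdCache.invalidateAll();
        usersByTokenCache.invalidateAll();
        userTeamsCache.invalidateAll();
    }

    /**
     * Invalidates the cache entries keyed by the given login: organizations, repositories,
     * user record and teams.
     *
     * <p>{@code usersByTokenCache} (keyed by access token) and
     * {@code repositoriesPublicStatusCache} (keyed by repository name) are not touched.
     *
     * @param str GitHub login whose entries are dropped
     */
    public static void clearCacheForUser(String str) {
        userOrganizationCache.invalidate(str);
        repositoriesByUserCache.invalidate(str);
        usersByIdCache.invalidate(str);
        userTeamsCache.invalidate(str);
    }

    /** Returns the raw OAuth access token; package-level access only. */
    String getAccessToken() {
        return this.accessToken;
    }

    /** Returns the GitHub API endpoint URL this token was created for. */
    String getGithubServer() {
        return this.githubServer;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the GitHub API client for this token, building it on first use.
     *
     * <p>The client uses the stored endpoint and access token, fails instead of waiting when
     * the rate limit is hit ({@link RateLimitHandler#FAIL}), and goes through the proxy
     * configured in Jenkins, if any.
     * NOTE(review): the builder is seeded with {@code GitHubBuilder.fromEnvironment()} before
     * endpoint and token are set explicitly; confirm nothing else taken from the process
     * environment influences the client.
     *
     * @throws IOException if {@code githubServer} is not a valid URL or the client cannot be built
     */
    public GitHub getGitHub() throws IOException {
        if (this.gh == null) {
            try {
                String apiHost = new URL(this.githubServer).getHost();
                OkHttpClient httpClient = new OkHttpClient.Builder()
                        .proxy(getProxy(apiHost))
                        .proxyAuthenticator(new JenkinsProxyAuthenticator(Jenkins.get().getProxy()))
                        .build();
                this.gh = GitHubBuilder.fromEnvironment()
                        .withEndpoint(this.githubServer)
                        .withOAuthToken(this.accessToken)
                        .withRateLimitHandler(RateLimitHandler.FAIL)
                        .withConnector(new OkHttpGitHubConnector(httpClient))
                        .build();
            } catch (MalformedURLException e) {
                throw new IOException("Invalid GitHub API URL: " + this.githubServer, e);
            }
        }
        return this.gh;
    }

    /**
     * Returns the proxy Jenkins is configured to use for the given host, or
     * {@link Proxy#NO_PROXY} when Jenkins has no proxy configuration.
     *
     * @param str host name of the GitHub API endpoint
     */
    @NonNull
    private static Proxy getProxy(@NonNull String str) {
        Jenkins jenkins = Jenkins.get();
        return jenkins.proxy == null ? Proxy.NO_PROXY : jenkins.proxy.createProxy(str);
    }

    /** Returns a fresh array copy of the authorities collected in the constructor. */
    public GrantedAuthority[] getAuthorities() {
        return this.authorities.toArray(new GrantedAuthority[0]);
    }

    /** Always returns the empty string; the access token is deliberately not exposed here. */
    public Object getCredentials() {
        return "";
    }

    /* renamed from: getPrincipal, reason: merged with bridge method [inline-methods] */
    /**
     * Returns the GitHub login of the authenticated user. The {@code m2} prefix is a decompiler
     * rename; per the comment above, the method is {@code getPrincipal} in the class file.
     */
    public String m2getPrincipal() {
        return this.userName;
    }

    /**
     * Returns the account behind this token, fetching it again when the transient field is
     * empty (for example after deserialization).
     *
     * @throws IOException if the account has to be fetched and the request fails
     */
    public GHMyself getMyself() throws IOException {
        if (this.me == null) {
            this.me = getGitHub().getMyself();
        }
        return this.me;
    }

    /**
     * Returns the logins of the organizations the user belongs to, cached per login for 1 hour.
     *
     * @throws UncheckedIOException if the organizations have to be fetched and the request fails
     */
    @NonNull
    @SuppressFBWarnings({"NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE"})
    private Set<String> getUserOrgs() {
        return userOrganizationCache.get(this.userName, login -> {
            try {
                return getGitHub().getMyOrganizations().keySet();
            } catch (IOException e) {
                throw new UncheckedIOException("authorization failed for user = " + this.userName, e);
            }
        });
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Tells whether the user belongs to at least one of the given organizations, based on the
     * (possibly cached) organization list.
     *
     * @param collection organization logins to test; matching is exact and case-sensitive
     */
    @NonNull
    public boolean isMemberOfAnyOrganizationInList(@NonNull Collection<String> collection) {
        Set<String> userOrgs = getUserOrgs();
        for (String candidate : collection) {
            if (userOrgs.contains(candidate)) {
                return true;
            }
        }
        return false;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Decides whether the user holds a Jenkins permission on an item tied to a repository.
     *
     * <p>Rules, in order:
     * <ol>
     *   <li>read-related permission and the repository is cached as public: granted without
     *       looking at the user's own rights;</li>
     *   <li>the user has admin access to the repository: every permission is granted;</li>
     *   <li>read-related permission: granted when the repository is not private or the user has
     *       pull or push access;</li>
     *   <li>{@code Item.CANCEL} or {@code Item.EXTENDED_READ}: granted on push access;</li>
     *   <li>anything else: denied.</li>
     * </ol>
     * "Read-related" includes {@code Item.BUILD} and {@code Item.WORKSPACE} (see
     * {@link #isReadRelatedPermission}), so for a public repository those are granted to any
     * user who reaches this check. Rule 1 relies on a shared cache entry that can be up to one
     * hour old.
     *
     * @param str repository full name
     * @param permission Jenkins permission being checked
     */
    @NonNull
    public boolean hasRepositoryPermission(@NonNull String str, @NonNull Permission permission) {
        // Guarded so the message is not concatenated on every permission check when FINEST is off.
        if (LOGGER.isLoggable(Level.FINEST)) {
            LOGGER.log(Level.FINEST, "Checking for permission: " + String.valueOf(permission) + " on repo: " + str + " for user: " + this.userName);
        }
        boolean isReadRelatedPermission = isReadRelatedPermission(permission);
        if (isReadRelatedPermission) {
            Boolean cachedPublic = repositoriesPublicStatusCache.getIfPresent(str);
            if (cachedPublic != null && cachedPublic.booleanValue()) {
                return true;
            }
        }
        RepoRights rights = loadRepository(str);
        if (rights.hasAdminAccess()) {
            return true;
        }
        if (isReadRelatedPermission) {
            return !rights.isPrivate() || rights.hasPullAccess() || rights.hasPushAccess();
        }
        if (permission.equals(Item.CANCEL) || permission.equals(Item.EXTENDED_READ)) {
            return rights.hasPushAccess();
        }
        return false;
    }

    /**
     * Tells whether a permission is handled by the "read" rules of
     * {@link #hasRepositoryPermission}: {@code Item.DISCOVER}, {@code Item.READ},
     * {@code Item.BUILD} or {@code Item.WORKSPACE}.
     */
    @NonNull
    private boolean isReadRelatedPermission(@NonNull Permission permission) {
        return permission.equals(Item.DISCOVER) || permission.equals(Item.READ) || permission.equals(Item.BUILD) || permission.equals(Item.WORKSPACE);
    }

    /**
     * Returns the per-user repository rights cache, building it from the user's repository
     * listing on first use.
     *
     * <p>The per-user cache is kept for 24 hours, its entries for 1 hour each. Building it also
     * records the public/private status of every listed repository in the shared
     * {@code repositoriesPublicStatusCache}.
     *
     * @throws UncheckedIOException if the repository listing fails
     */
    @NonNull
    @SuppressFBWarnings({"NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE"})
    private Cache<String, RepoRights> myRepositories() {
        return repositoriesByUserCache.get(this.userName, login -> {
            try {
                List<GHRepository> listed = getMyself().listRepositories(100).asList();
                Cache<String, RepoRights> rightsByName = Caffeine.newBuilder().expireAfterWrite(1L, CACHE_EXPIRY).build();
                for (GHRepository repository : listed) {
                    RepoRights rights = new RepoRights(repository);
                    String fullName = repository.getFullName();
                    rightsByName.put(fullName, rights);
                    repositoriesPublicStatusCache.put(fullName, Boolean.valueOf(!rights.isPrivate()));
                }
                return rightsByName;
            } catch (IOException e) {
                throw new UncheckedIOException("authorization failed for user = " + this.userName, e);
            }
        });
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Looks up a GitHub user by login, using the shared user cache.
     *
     * <p>A remote lookup is only attempted when the client already exists and the token is
     * authenticated. If that lookup throws, the failure is cached as {@code UNKNOWN_USER}, so
     * the login resolves to {@code null} until the cache entry expires (1 hour) or is cleared.
     *
     * @param str GitHub login
     * @return the user, or {@code null} when unknown, not looked up, or negatively cached
     * @throws IOException declared; lookup failures are caught and logged at FINEST
     */
    @Nullable
    public GHUser loadUser(@NonNull String str) throws IOException {
        GithubUser cached;
        try {
            cached = usersByIdCache.getIfPresent(str);
            if (this.gh != null && cached == null && isAuthenticated()) {
                cached = new GithubUser(getGitHub().getUser(str));
                usersByIdCache.put(str, cached);
            }
        } catch (IOException e) {
            LOGGER.log(Level.FINEST, e.getMessage(), (Throwable) e);
            cached = UNKNOWN_USER;
            usersByIdCache.put(str, UNKNOWN_USER);
        }
        if (cached != null) {
            return cached.user;
        }
        return null;
    }

    /**
     * Resolves the account behind an access token, using the token cache (1 minute).
     *
     * <p>On a cache miss the account is fetched and stored both by token and by login. On a
     * cache hit the client is still initialised so later calls find {@code gh} set. Any
     * {@link IOException} is logged at INFO and cached as {@code UNKNOWN_TOKEN}, which makes
     * this method return {@code null} for that token until the entry expires.
     *
     * @param str OAuth access token
     * @return the account, or {@code null} when the lookup failed or is negatively cached
     */
    private GHMyself loadMyself(@NonNull String str) throws IOException {
        GithubMyself cached;
        try {
            cached = usersByTokenCache.getIfPresent(str);
            if (cached == null) {
                GHMyself myself = getGitHub().getMyself();
                cached = new GithubMyself(myself);
                usersByTokenCache.put(str, cached);
                usersByIdCache.put(myself.getLogin(), new GithubUser(myself));
            } else {
                getGitHub();
            }
        } catch (IOException e) {
            LOGGER.log(Level.INFO, e.getMessage(), (Throwable) e);
            cached = UNKNOWN_TOKEN;
            usersByTokenCache.put(str, UNKNOWN_TOKEN);
        }
        return cached.me;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Fetches an organization by login. Not cached by this class.
     *
     * @param str organization login
     * @return the organization, or {@code null} when the client is not initialised, the token
     *     is not authenticated, or the request fails (failure is logged at FINEST)
     */
    @Nullable
    public GHOrganization loadOrganization(@NonNull String str) {
        try {
            if (this.gh == null || !isAuthenticated()) {
                return null;
            }
            return getGitHub().getOrganization(str);
        } catch (IOException | RuntimeException e) {
            LOGGER.log(Level.FINEST, e.getMessage(), (Throwable) e);
            return null;
        }
    }

    /**
     * Returns the user's rights on a repository, failing closed.
     *
     * <p>Rights are only looked up when the client exists, the token is authenticated, the
     * realm is known and it requested the {@code repo} or {@code public_repo} scope. In every
     * other case, and on any exception, the deny-all {@code RepoRights(null)} is returned.
     *
     * @param str repository full name
     */
    @NonNull
    @SuppressFBWarnings({"NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE"})
    private RepoRights loadRepository(@NonNull String str) {
        try {
            // myRealm is null when the security realm is not a GithubSecurityRealm or after
            // deserialization; check it explicitly instead of relying on the catch below to
            // absorb a NullPointerException and log a misleading SEVERE/WARNING pair.
            if (this.gh != null && isAuthenticated() && this.myRealm != null && (this.myRealm.hasScope("repo") || this.myRealm.hasScope("public_repo"))) {
                return myRepositories().get(str, repoName -> {
                    try {
                        RepoRights rights = new RepoRights(getGitHub().getRepository(repoName));
                        repositoriesPublicStatusCache.put(repoName, Boolean.valueOf(!rights.isPrivate()));
                        return rights;
                    } catch (IOException e) {
                        throw new UncheckedIOException(e);
                    }
                });
            }
        } catch (Exception e) {
            LOGGER.log(Level.SEVERE, "an exception was thrown", (Throwable) e);
            LOGGER.log(Level.WARNING, "Looks like a bad GitHub URL OR the Jenkins user {0} does not have access to the repository {1}. May need to add 'repo' or 'public_repo' to the list of oauth scopes requested.", new Object[]{this.userName, str});
        }
        return new RepoRights(null);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Fetches a team of an organization, trying the slug first and the name second.
     *
     * @param str organization login
     * @param str2 team slug or team name
     * @return the team, or {@code null} when the organization or team cannot be loaded
     */
    @Nullable
    public GHTeam loadTeam(@NonNull String str, @NonNull String str2) {
        try {
            GHOrganization organization = loadOrganization(str);
            if (organization != null) {
                // Look the slug up once; the original repeated the call to return its result.
                GHTeam bySlug = organization.getTeamBySlug(str2);
                return bySlug != null ? bySlug : organization.getTeamByName(str2);
            }
            return null;
        } catch (IOException e) {
            LOGGER.log(Level.FINEST, e.getMessage(), (Throwable) e);
            return null;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Builds user details for a GitHub login resolved through {@link #loadUser(String)}.
     *
     * @param str GitHub login
     * @return details bound to this token, or {@code null} when the user is not found
     * @throws IOException declared by {@link #loadUser(String)}
     */
    @Nullable
    public GithubOAuthUserDetails getUserDetails(@NonNull String str) throws IOException {
        GHUser user = loadUser(str);
        if (user != null) {
            return new GithubOAuthUserDetails(user.getLogin(), this);
        }
        return null;
    }
}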
