package io.jenkins.blueocean.auth.jwt.impl;

import edu.umd.cs.findbugs.annotations.CheckForNull;
import hudson.Extension;
import hudson.model.User;
import io.jenkins.blueocean.auth.jwt.JwtAuthenticationStore;
import io.jenkins.blueocean.auth.jwt.JwtAuthenticationStoreFactory;
import io.jenkins.blueocean.auth.jwt.JwtSigningKeyProvider;
import io.jenkins.blueocean.auth.jwt.JwtTokenVerifier;
import io.jenkins.blueocean.auth.jwt.SigningPublicKey;
import io.jenkins.blueocean.commons.ServiceException;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import jenkins.model.Jenkins;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.lang.JoseException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

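/**
 * Verifies a Blue Ocean JWT presented in an {@code Authorization: Bearer <token>} header and
 * resolves it to a Spring Security {@link Authentication}.
 *
 * <p>Verification order: the compact serialization is parsed, the {@code alg} header is pinned
 * to RS256 and a {@code kid} header is required, the matching public key is looked up through
 * {@link JwtSigningKeyProvider}, and only then is the signature checked and the claim set
 * validated ({@code exp}, {@code jti} and {@code sub} are mandatory). The resulting claims are
 * handed to the first {@link JwtAuthenticationStoreFactory} that recognises them, with
 * {@link SimpleJwtAuthenticationStore} acting as the fallback.
 *
 * <p>The very low ordinal makes Jenkins consult other {@link JwtTokenVerifier} extensions first
 * (extensions are ordered by descending ordinal).
 */
@Extension(ordinal = -9999.0d)
public class JwtTokenVerifierImpl extends JwtTokenVerifier {
    private static final Logger logger = LoggerFactory.getLogger(JwtTokenVerifierImpl.class);

    /** Authorization scheme prefix this verifier accepts; the token follows it. */
    private static final String BEARER_PREFIX = "Bearer ";

    /** Clock skew, in seconds, the JWT consumer tolerates for time-based claims. */
    private static final int ALLOWED_CLOCK_SKEW_SECONDS = 30;

    /**
     * {@link Authentication} for a user identified by the JWT subject.
     *
     * <p>The granted authorities are loaded from the Jenkins security realm at construction
     * time, so the subject must name an existing Jenkins user; otherwise the constructor fails
     * with {@link ServiceException.UnauthorizedException}. The token is marked authenticated
     * immediately and carries no credentials.
     */
    public static class JwtAuthentication extends AbstractAuthenticationToken {
        private final String name;

        /**
         * Builds an authenticated token for the given subject.
         *
         * @param str the JWT subject, used as principal and user name
         * @throws ServiceException.UnauthorizedException if no Jenkins user matches the subject
         */
        public JwtAuthentication(String str) {
            super(extractGrantedAuthority(str));
            this.name = str;
            super.setAuthenticated(true);
        }

        /**
         * Resolves the subject to a Jenkins user without creating one and returns the
         * authorities the security realm assigns to that user id.
         */
        private static Collection<? extends GrantedAuthority> extractGrantedAuthority(String str) {
            // create=false: an unknown subject must not materialise a new Jenkins user.
            User user = User.get(str, false, Collections.emptyMap());
            if (user == null) {
                throw new ServiceException.UnauthorizedException("Invalid JWT token: subject " + str + " not found");
            }
            return Jenkins.get().getSecurityRealm().loadUserByUsername2(user.getId()).getAuthorities();
        }

        /** Bearer tokens carry no reusable credential; always the empty string. */
        @Override
        public Object getCredentials() {
            return "";
        }

        /** The JWT subject. */
        @Override
        public Object getPrincipal() {
            return this.name;
        }

        /** The JWT subject. */
        @Override
        public String getName() {
            return this.name;
        }
    }

    /**
     * Verifies the bearer token on the request, if any.
     *
     * @param httpServletRequest the incoming request
     * @return the resolved authentication, or {@code null} when the request carries no
     *         parseable bearer token (other verifiers may still apply)
     * @throws ServiceException.UnauthorizedException if a token is present but invalid
     * @throws ServiceException.UnexpectedErrorException if the token's {@code kid} is unknown
     *         or no authentication store is available
     */
    @Override // io.jenkins.blueocean.auth.jwt.JwtTokenVerifier
    public Authentication verify(HttpServletRequest httpServletRequest) {
        return validate(httpServletRequest);
    }

    /**
     * Performs the actual verification described on the class.
     *
     * @return {@code null} when there is no {@code Bearer} header or it does not parse as a
     *         JOSE compact serialization; the authentication otherwise
     */
    @CheckForNull
    private Authentication validate(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("Authorization");
        if (header == null || !header.startsWith(BEARER_PREFIX)) {
            return null;
        }
        String token = header.substring(BEARER_PREFIX.length());
        JsonWebStructure jws = parse(token);
        if (jws == null) {
            return null;
        }
        try {
            // "alg" comes from the unverified header, so it is pinned here rather than letting
            // the token choose how its own signature is checked.
            String alg = jws.getAlgorithmHeaderValue();
            if (!AlgorithmIdentifiers.RSA_USING_SHA256.equals(alg)) {
                logger.error("Invalid JWT token: unsupported algorithm in header, found {}, expected {}",
                        alg, AlgorithmIdentifiers.RSA_USING_SHA256);
                throw new ServiceException.UnauthorizedException("Invalid JWT token");
            }
            String kid = jws.getKeyIdHeaderValue();
            if (kid == null) {
                logger.error("Invalid JWT token: missing kid");
                throw new ServiceException.UnauthorizedException("Invalid JWT token");
            }
            SigningPublicKey publicKey = JwtSigningKeyProvider.toPublicKey(kid);
            if (publicKey == null) {
                // NOTE(review): kid is taken from the unverified header and is echoed into the
                // message; the existing contract reports an unknown kid as an unexpected error
                // rather than as an authorization failure.
                throw new ServiceException.UnexpectedErrorException("Invalid kid=" + kid);
            }
            try {
                JwtClaims claims = new JwtConsumerBuilder()
                        .setRequireExpirationTime()
                        .setRequireJwtId()
                        .setAllowedClockSkewInSeconds(ALLOWED_CLOCK_SKEW_SECONDS)
                        .setRequireSubject()
                        .setVerificationKey(publicKey.getKey())
                        .build()
                        .process(token)
                        .getJwtClaims();
                // Subject is required by the consumer, so it is non-null here.
                if ("anonymous".equals(claims.getSubject())) {
                    return Jenkins.ANONYMOUS2;
                }
                // The consumer applies the clock-skew allowance to "exp" as well; this strict
                // re-check rejects a token past its expiry before any store is consulted.
                if (claims.getExpirationTime().isBefore(NumericDate.now())) {
                    throw new ServiceException.UnauthorizedException("Invalid JWT token: expired");
                }
                JwtAuthenticationStore store = getJwtStore(claims.getClaimsMap());
                if (store == null) {
                    // Previously this surfaced as a NullPointerException from the call below.
                    throw new ServiceException.UnexpectedErrorException("No JwtAuthenticationStore available for token");
                }
                return store.getAuthentication(claims.getClaimsMap());
            } catch (MalformedClaimException e) {
                logger.error("Error reading sub header for token {}", jws.getPayload(), e);
                throw new ServiceException.UnauthorizedException("Invalid JWT token: malformed claim");
            } catch (InvalidJwtException e) {
                logger.error("Invalid JWT token: {}", e.getMessage(), e);
                throw new ServiceException.UnauthorizedException("Invalid JWT token");
            }
        } catch (JoseException e) {
            logger.error("Error parsing JWT token: {}", e.getMessage(), e);
            throw new ServiceException.UnauthorizedException("Invalid JWT Token: " + e.getMessage());
        }
    }

    /**
     * Parses a JOSE compact serialization without verifying it.
     *
     * @return the parsed structure, or {@code null} if the text is not a compact serialization
     */
    @CheckForNull
    private JsonWebStructure parse(String str) {
        try {
            return JsonWebStructure.fromCompactSerialization(str);
        } catch (JoseException ignored) {
            // Not a JOSE token at all: the caller treats this as "no bearer token present".
            return null;
        }
    }

    /**
     * Picks the authentication store for a verified claim set.
     *
     * <p>The first non-{@link SimpleJwtAuthenticationStore} factory that returns a store wins;
     * the store produced by {@link SimpleJwtAuthenticationStore} is kept as the fallback.
     *
     * @param claims the verified JWT claims
     * @return the selected store, or {@code null} if no factory provided one
     */
    @CheckForNull
    private static JwtAuthenticationStore getJwtStore(Map<String, Object> claims) {
        JwtAuthenticationStore fallback = null;
        for (JwtAuthenticationStoreFactory factory : JwtAuthenticationStoreFactory.all()) {
            JwtAuthenticationStore store = factory.getJwtAuthenticationStore(claims);
            if (factory instanceof SimpleJwtAuthenticationStore) {
                // Default store: used only when no other factory recognises the claims.
                fallback = store;
            } else if (store != null) {
                return store;
            }
        }
        return fallback;
    }
}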
