package com.atlassian.bitbucket.jenkins.internal.jenkins.oauth.servlet;

import com.atlassian.bitbucket.jenkins.internal.applink.oauth.Randomizer;
import com.atlassian.bitbucket.jenkins.internal.applink.oauth.serviceprovider.auth.SecurityModeChecker;
import com.atlassian.bitbucket.jenkins.internal.applink.oauth.serviceprovider.exception.InvalidTokenException;
import com.atlassian.bitbucket.jenkins.internal.applink.oauth.serviceprovider.token.ServiceProviderToken;
import com.atlassian.bitbucket.jenkins.internal.applink.oauth.serviceprovider.token.ServiceProviderTokenStore;
import com.atlassian.bitbucket.jenkins.internal.applink.oauth.util.OAuthProblemUtils;
import com.atlassian.bitbucket.jenkins.internal.provider.JenkinsAuthWrapper;
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Action;
import hudson.model.Descriptor;
import hudson.security.SecurityMode;
import java.io.IOException;
import java.security.Principal;
import java.time.Clock;
import java.util.Map;
import java.util.logging.Logger;
import javax.annotation.CheckForNull;
import javax.annotation.Nullable;
import javax.inject.Inject;
import javax.servlet.ServletException;
import jenkins.model.Jenkins;
import net.oauth.OAuth;
import net.oauth.OAuthMessage;
import net.oauth.OAuthProblemException;
import net.oauth.server.OAuthServlet;
import net.sf.json.JSONObject;
import org.acegisecurity.AccessDeniedException;
import org.acegisecurity.Authentication;
import org.apache.http.HttpStatus;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;

/* loaded from: input_file:WEB-INF/lib/atlassian-bitbucket-server-integration.jar:com/atlassian/bitbucket/jenkins/internal/jenkins/oauth/servlet/AuthorizeConfirmationConfig.class */
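/**
 * Stapler action behind the OAuth user-authorization step: it shows the confirmation page for a
 * pending request token and, once the user allows or denies, records the decision on the token
 * and redirects the browser to the consumer's callback.
 *
 * <p>Instances are built per request by {@link AuthorizeConfirmationConfigDescriptor#createInstance}
 * from the {@code oauth_token} and {@code oauth_callback} request parameters.
 *
 * <p>NOTE(review): the callback URL used for the final redirect is taken from the request (form
 * field or query parameter). Nothing in this class compares it with a callback registered for the
 * consumer or stored on the token; confirm that check exists elsewhere, otherwise the redirect
 * target (which also receives the verifier) is caller-controlled.
 */
public class AuthorizeConfirmationConfig extends AbstractDescribableImpl<AuthorizeConfirmationConfig> implements Action {
    public static final String ACCESS_REQUEST = "read and write";
    public static final String ALLOW_KEY = "authorize";
    public static final String DENY_KEY = "cancel";
    public static final String OAUTH_TOKEN_PARAM = "oauth_token";
    public static final String OAUTH_CALLBACK_PARAM = "oauth_callback";
    private static final String DENIED_STATUS = "denied";
    private static final Logger LOGGER = Logger.getLogger(AuthorizeConfirmationConfig.class.getName());
    // NOTE(review): a 6-character alphanumeric verifier is short. How many guesses the
    // token-exchange endpoint tolerates, and whether Randomizer is backed by a CSPRNG,
    // is not visible in this class - confirm both.
    private static final int VERIFIER_LENGTH = 6;
    private AuthorizeConfirmationConfigDescriptor descriptor;
    private String callback;
    private ServiceProviderToken serviceProviderToken;

    /**
     * Descriptor holding the injected collaborators (auth wrapper, token store, randomizer,
     * clock, security-mode checker) and acting as the factory for the action.
     */
    @Extension
    /* loaded from: input_file:WEB-INF/lib/atlassian-bitbucket-server-integration.jar:com/atlassian/bitbucket/jenkins/internal/jenkins/oauth/servlet/AuthorizeConfirmationConfig$AuthorizeConfirmationConfigDescriptor.class */
    public static class AuthorizeConfirmationConfigDescriptor extends Descriptor<AuthorizeConfirmationConfig> {

        @Inject
        private JenkinsAuthWrapper jenkinsAuthWrapper;

        @Inject
        private Clock clock;

        @Inject
        private Randomizer randomizer;

        @Inject
        private ServiceProviderTokenStore tokenStore;

        @Inject
        private SecurityModeChecker securityChecker;

        /** Package-private constructor that supplies every collaborator explicitly instead of via injection. */
        AuthorizeConfirmationConfigDescriptor(JenkinsAuthWrapper jenkinsAuthWrapper, ServiceProviderTokenStore serviceProviderTokenStore, Randomizer randomizer, SecurityModeChecker securityModeChecker, Clock clock) {
            this.jenkinsAuthWrapper = jenkinsAuthWrapper;
            this.tokenStore = serviceProviderTokenStore;
            this.randomizer = randomizer;
            this.securityChecker = securityModeChecker;
            this.clock = clock;
        }

        /** No-arg constructor; the {@code @Inject} fields are expected to be populated by the container. */
        public AuthorizeConfirmationConfigDescriptor() {
        }

        /**
         * Builds the action for the request token named in the request.
         *
         * @param staplerRequest request carrying {@code oauth_token} (required) and {@code oauth_callback}
         * @return an action bound to the pending token
         * @throws AccessDeniedException if security is enabled and {@link #isAuthenticated()} is false
         * @throws Descriptor.FormException if the request cannot be read or the token is missing,
         *         rejected, already used or expired
         */
        public AuthorizeConfirmationConfig createInstance(@Nullable StaplerRequest staplerRequest) throws Descriptor.FormException {
            if (this.securityChecker.isSecurityEnabled() && !isAuthenticated()) {
                throw new AccessDeniedException("Anonymous Oauth is not supported when security is enabled.");
            }
            try {
                // NOTE(review): the parameter is declared @Nullable but is handed to
                // OAuthServlet.getMessage without a null check.
                OAuthMessage message = OAuthServlet.getMessage(staplerRequest, null);
                message.requireParameters(OAUTH_TOKEN_PARAM);
                return new AuthorizeConfirmationConfig(this, message.getToken(), message.getParameter(OAUTH_CALLBACK_PARAM));
            } catch (IOException e) {
                throw new Descriptor.FormException(e, e.getMessage());
            } catch (OAuthProblemException e2) {
                throw new Descriptor.FormException(e2, e2.getProblem());
            }
        }

        /**
         * Delegates to {@link #createInstance}; the submitted JSON is ignored.
         * The decompiler renamed this method; per the note below its original name is {@code newInstance}.
         */
        /* renamed from: newInstance, reason: merged with bridge method [inline-methods] */
        public AuthorizeConfirmationConfig m44newInstance(@Nullable StaplerRequest staplerRequest, JSONObject jSONObject) throws Descriptor.FormException {
            return createInstance(staplerRequest);
        }

        /**
         * Reports {@code isAuthenticated()} of the current authentication.
         *
         * <p>NOTE(review): in Acegi/Spring Security an anonymous token usually also reports
         * {@code isAuthenticated() == true}; confirm what JenkinsAuthWrapper returns for anonymous
         * callers, because the guard in {@link #createInstance} relies on this value alone.
         */
        public boolean isAuthenticated() {
            return this.jenkinsAuthWrapper.getAuthentication().isAuthenticated();
        }
    }

    /**
     * Binds the action to a pending request token.
     *
     * @param str raw {@code oauth_token} value; must name a token that is still awaiting a decision
     * @param str2 {@code oauth_callback} value from the request, stored unvalidated
     * @throws OAuthProblemException if the token is unknown, an access token, already decided or expired
     */
    private AuthorizeConfirmationConfig(AuthorizeConfirmationConfigDescriptor authorizeConfirmationConfigDescriptor, String str, String str2) throws OAuthProblemException {
        this.descriptor = authorizeConfirmationConfigDescriptor;
        this.serviceProviderToken = getTokenForAuthorization(str);
        this.callback = str2;
    }

    /**
     * Handles the submitted confirmation form.
     *
     * <p>Anonymous callers are rejected with 401 by comparing the authentication name with the
     * principal of {@link Jenkins#ANONYMOUS}. NOTE(review): no POST-only annotation is visible on
     * this method; confirm that the framework's CSRF protection covers this endpoint.
     *
     * @return a redirect to the callback, or an error response
     */
    public HttpResponse doPerformSubmit(StaplerRequest staplerRequest) throws IOException, ServletException {
        JSONObject submittedForm = staplerRequest.getSubmittedForm();
        Map<String, String[]> parameterMap = staplerRequest.getParameterMap();
        Authentication authentication = this.descriptor.jenkinsAuthWrapper.getAuthentication();
        if (Jenkins.ANONYMOUS.getPrincipal().equals(authentication.getName())) {
            return HttpResponses.error(HttpStatus.SC_UNAUTHORIZED, "User not logged in.");
        }
        return generateVerifierCode(staplerRequest, submittedForm, parameterMap, authentication);
    }

    /**
     * Maps the pressed button to an allow/deny decision and applies it.
     *
     * <p>The token and callback are read again from the submitted form rather than from the
     * values captured when this instance was constructed.
     *
     * @return 400 if neither {@link #ALLOW_KEY} nor {@link #DENY_KEY} is present, otherwise the
     *         result of applying the decision
     */
    private HttpResponse generateVerifierCode(StaplerRequest staplerRequest, JSONObject jSONObject, Map<String, String[]> map, Principal principal) throws IOException {
        final boolean authorized;
        if (map.containsKey(ALLOW_KEY)) {
            authorized = true;
        } else if (map.containsKey(DENY_KEY)) {
            authorized = false;
        } else {
            return HttpResponses.error(HttpStatus.SC_BAD_REQUEST, "Bad Request");
        }
        return generateAndRedirectToCallback(staplerRequest, jSONObject.getString(OAUTH_TOKEN_PARAM), jSONObject.getString(OAUTH_CALLBACK_PARAM), principal, authorized);
    }

    /**
     * Records the decision on the token, stores it, and redirects to the callback with
     * {@code oauth_token} and {@code oauth_verifier} appended.
     *
     * @param str raw request token
     * @param str2 callback URL the browser is sent to; supplied by the caller of the endpoint
     * @param principal user the decision is attributed to
     * @param z {@code true} to authorize (a fresh verifier is generated), {@code false} to deny
     * @return the redirect, or an error response if the token fails {@link #getTokenForAuthorization}
     */
    private HttpResponse generateAndRedirectToCallback(StaplerRequest staplerRequest, String str, String str2, Principal principal, boolean z) throws IOException {
        try {
            ServiceProviderToken pending = getTokenForAuthorization(str);
            String userName = principal.getName();
            ServiceProviderToken decided;
            if (z) {
                // Use the declared constant instead of a bare 6 so the verifier length has one definition.
                decided = pending.authorize(userName, m43getDescriptor().randomizer.randomAlphanumericString(VERIFIER_LENGTH));
            } else {
                decided = pending.deny(userName);
            }
            m43getDescriptor().tokenStore.put(decided);
            // A denied token carries the literal "denied" in place of a verifier.
            String verifierValue = decided.getAuthorization() == ServiceProviderToken.Authorization.AUTHORIZED
                    ? decided.getVerifier()
                    : DENIED_STATUS;
            String[] callbackParams = {OAUTH_TOKEN_PARAM, decided.getToken(), OAuth.OAUTH_VERIFIER, verifierValue};
            // NOTE(review): str2 is request-supplied and is not validated here; the verifier is
            // appended to whatever URL it names. Confirm it is checked against the consumer's
            // registered callback before this point.
            return HttpResponses.redirectTo(OAuth.addParameters(str2, callbackParams));
        } catch (OAuthProblemException e) {
            OAuthProblemUtils.logOAuthProblem(OAuthServlet.getMessage(staplerRequest, null), e, LOGGER);
            return HttpResponses.error(e);
        }
    }

    /** Returns the fixed access level label, {@link #ACCESS_REQUEST}. */
    public String getAccessRequest() {
        return ACCESS_REQUEST;
    }

    /** Returns the name of the current authentication. */
    public String getAuthenticatedUsername() {
        return this.descriptor.jenkinsAuthWrapper.getAuthentication().getName();
    }

    /** Returns the callback value captured from the request at construction time. */
    public String getCallback() {
        return this.callback;
    }

    /** Returns the name of the consumer that owns the pending token. */
    public String getConsumerName() {
        return this.serviceProviderToken.getConsumer().getName();
    }

    /** Returns the descriptor; per the decompiler note below the original name is {@code getDescriptor}. */
    /* renamed from: getDescriptor, reason: merged with bridge method [inline-methods] */
    public AuthorizeConfirmationConfigDescriptor m43getDescriptor() {
        return this.descriptor;
    }

    public String getDisplayName() {
        return "Authorize";
    }

    /** Always {@code null}. */
    @CheckForNull
    public String getIconFileName() {
        return null;
    }

    /** Returns the plugin image URL built from the Jenkins root URL. */
    public String getIconUrl() {
        return Jenkins.get().getRootUrl() + "/plugin/atlassian-bitbucket-server-integration/images/bitbucket-to-jenkins.png";
    }

    public String getInstanceName() {
        return "Jenkins";
    }

    /** Returns the raw value of the pending request token. */
    public String getToken() {
        return this.serviceProviderToken.getToken();
    }

    /** Returns the URL segment for this action, {@link #ALLOW_KEY}. */
    public String getUrlName() {
        return ALLOW_KEY;
    }

    /** Returns {@code true} when the security mode is {@link SecurityMode#UNSECURED}. */
    public boolean isNoSecurity() {
        return this.descriptor.jenkinsAuthWrapper.getSecurityMode() == SecurityMode.UNSECURED;
    }

    /**
     * Entry point for the authorize page.
     *
     * <p>When security is {@link SecurityMode#UNSECURED} the token named in the request is
     * authorized immediately as {@link Jenkins#ANONYMOUS}, with no confirmation page, and the
     * browser is redirected to the {@code oauth_callback} request parameter. Otherwise the
     * {@code index.jelly} confirmation view is rendered.
     */
    public void doIndex(StaplerRequest staplerRequest, StaplerResponse staplerResponse) throws IOException, ServletException {
        if (this.descriptor.jenkinsAuthWrapper.getSecurityMode() == SecurityMode.UNSECURED) {
            HttpResponse autoApproved = generateAndRedirectToCallback(staplerRequest, staplerRequest.getParameter(OAUTH_TOKEN_PARAM), staplerRequest.getParameter(OAUTH_CALLBACK_PARAM), Jenkins.ANONYMOUS, true);
            autoApproved.generateResponse(staplerRequest, staplerResponse, this);
        } else {
            staplerRequest.getView(this, "index.jelly").forward(staplerRequest, staplerResponse);
        }
    }

    /**
     * Looks up a request token and checks that it can still receive a decision.
     *
     * @param str raw token value
     * @return the stored token
     * @throws OAuthProblemException {@code token_rejected} if the token is unknown, invalid or an
     *         access token; {@code token_used} if it was already authorized or denied;
     *         {@code token_expired} if it has expired according to the descriptor's clock
     */
    private ServiceProviderToken getTokenForAuthorization(String str) throws OAuthProblemException {
        try {
            ServiceProviderToken stored = m43getDescriptor().tokenStore.get(str)
                    .orElseThrow(() -> new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED));
            if (stored.isAccessToken()) {
                throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
            }
            ServiceProviderToken.Authorization state = stored.getAuthorization();
            if (state == ServiceProviderToken.Authorization.AUTHORIZED || state == ServiceProviderToken.Authorization.DENIED) {
                // A decision is single-use: a token that already has one cannot be decided again.
                throw new OAuthProblemException(OAuth.Problems.TOKEN_USED);
            }
            if (stored.hasExpired(m43getDescriptor().clock)) {
                throw new OAuthProblemException(OAuth.Problems.TOKEN_EXPIRED);
            }
            return stored;
        } catch (InvalidTokenException e) {
            // Keep the store's exception as the cause so the rejection can be diagnosed from logs.
            OAuthProblemException rejected = new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
            rejected.initCause(e);
            throw rejected;
        }
    }
}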
