package io.jenkins.plugins;

import com.google.api.client.auth.oauth2.AuthorizationCodeResponseUrl;
import edu.umd.cs.findbugs.annotations.NonNull;
import hudson.Extension;
import hudson.model.Descriptor;
import hudson.model.Failure;
import hudson.model.User;
import hudson.model.UserProperty;
import hudson.security.SecurityRealm;
import hudson.util.FormValidation;
import hudson.util.Secret;
import io.jenkins.plugins.CasdoorUserProperty;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import jenkins.model.Jenkins;
import jenkins.security.SecurityListener;
import org.apache.commons.lang.StringUtils;
import org.casbin.casdoor.config.CasdoorConfig;
import org.casbin.casdoor.entity.CasdoorUser;
import org.casbin.casdoor.exception.CasdoorException;
import org.casbin.casdoor.service.CasdoorAuthService;
import org.casbin.casdoor.util.http.HttpClient;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.Header;
import org.kohsuke.stapler.HttpRedirect;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.Stapler;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/* loaded from: input_file:WEB-INF/lib/casdoor-auth.jar:io/jenkins/plugins/CasdoorSecurityRealm.class */
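/**
 * Jenkins {@link SecurityRealm} that delegates authentication to a Casdoor server via the
 * OAuth2 authorization-code flow.
 *
 * <p>Flow: {@link #doCommenceLogin} stores the caller's Referer and a fresh random {@code state}
 * in the HTTP session and redirects to Casdoor; Casdoor calls back into {@link #doFinishLogin},
 * which verifies the {@code state} in constant time, exchanges the authorization code for a JWT,
 * and populates the Spring security context plus a {@link CasdoorUserProperty} on the Jenkins user.
 *
 * <p>Untrusted inputs handled here: the callback URL (state, code, error) and the Referer header.
 * The Referer is only used as a post-login redirect target when it points back into this
 * Jenkins instance; any other value falls back to the context root.
 */
public class CasdoorSecurityRealm extends SecurityRealm {
    private static final Logger LOGGER = Logger.getLogger(CasdoorSecurityRealm.class.getName());

    /** Session attribute: Referer captured when login was started. */
    private static final String REFERER_ATTRIBUTE = CasdoorSecurityRealm.class.getName() + ".referer";
    /** Session attribute: one-time OAuth {@code state} value for the login attempt in flight. */
    private static final String STATE_ATTRIBUTE = "casdoorState";
    /** Session attribute: the {@link CasdoorUser} parsed from the JWT after a successful login. */
    private static final String USER_ATTRIBUTE = "casdoorUser";
    /** Path appended to {@link #endpoint} to notify Casdoor of a logout. */
    private static final String LOGOUT_ROUTER = "/api/logout";

    private final String clientId;
    private final Secret clientSecret;
    private final String endpoint;
    private final String jwtCertificate;
    private final String organizationName;
    private final String applicationName;
    // Stored for configuration round-trips only; not passed to CasdoorConfig in this class.
    private final String scopes;
    // Name of the Casdoor user property holding a comma-separated list of group names.
    private final String groupsFieldName;

    /** Descriptor providing the display name and per-field form validation. */
    @Extension
    public static final class DescriptorImpl extends Descriptor<SecurityRealm> {
        @NonNull
        @Override
        public String getDisplayName() {
            return "Casdoor Authentication Plugin";
        }

        public FormValidation doCheckEndpoint(@QueryParameter String str) {
            return requireNonBlank(str, "Casdoor Endpoint is required.");
        }

        public FormValidation doCheckClientId(@QueryParameter String str) {
            return requireNonBlank(str, "Client Id is required.");
        }

        public FormValidation doCheckClientSecret(@QueryParameter String str) {
            return requireNonBlank(str, "Client Secret is required.");
        }

        public FormValidation doCheckJwtPublicKey(@QueryParameter String str) {
            return requireNonBlank(str, "Jwt Public Key is required.");
        }

        /**
         * Shared validator for mandatory text fields.
         *
         * @param value   the submitted value; may be {@code null}
         * @param message error text shown when the value is null or whitespace-only
         * @return {@code FormValidation.ok()} for a non-blank value, otherwise an error
         */
        private static FormValidation requireNonBlank(String value, String message) {
            return (value == null || value.trim().isEmpty()) ? FormValidation.error(message) : FormValidation.ok();
        }
    }

    /**
     * Creates the realm from the configuration form.
     *
     * @param str  client id
     * @param str2 client secret (plain text; wrapped in a {@link Secret})
     * @param str3 Casdoor endpoint URL
     * @param str4 JWT certificate / public key used to verify tokens
     * @param str5 Casdoor organization name
     * @param str6 Casdoor application name
     * @param str7 requested scopes
     * @param str8 name of the user property that carries group names
     */
    @DataBoundConstructor
    public CasdoorSecurityRealm(String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8) {
        this.clientId = str;
        this.clientSecret = Secret.fromString(str2);
        this.endpoint = str3;
        this.jwtCertificate = str4;
        this.organizationName = str5;
        this.applicationName = str6;
        this.scopes = str7;
        this.groupsFieldName = str8;
    }

    /**
     * Starts the login flow: remembers the Referer and a fresh random {@code state} in the
     * session, then redirects the browser to Casdoor's sign-in page.
     *
     * @param staplerRequest  current request
     * @param staplerResponse current response (unused; part of the Stapler web-method signature)
     * @param str             the {@code Referer} header, used as the post-login return target
     * @return redirect to the Casdoor sign-in URL
     * @throws IOException if building the sign-in URL fails
     */
    public HttpResponse doCommenceLogin(StaplerRequest staplerRequest, StaplerResponse staplerResponse, @Header("Referer") String str) throws IOException {
        staplerRequest.getSession().setAttribute(REFERER_ATTRIBUTE, str);
        // One random state per login attempt; doFinishLogin only accepts a callback carrying this value.
        String state = UUID.randomUUID().toString();
        staplerRequest.getSession().setAttribute(STATE_ATTRIBUTE, state);
        return new HttpRedirect(newAuthService().getSigninUrl(redirectUrl(), state));
    }

    /**
     * Handles the OAuth2 callback from Casdoor.
     *
     * <p>The {@code state} parameter must equal the value stored by {@link #doCommenceLogin} in
     * this session; the stored value is consumed on first use so a callback cannot be replayed.
     * A missing session value, a missing {@code state} parameter, a provider error or a missing
     * authorization code each produce a {@link Failure}.
     *
     * @param staplerRequest the callback request
     * @return a redirect on success, otherwise a {@link Failure} describing the problem
     */
    public HttpResponse doFinishLogin(StaplerRequest staplerRequest) {
        StringBuffer requestUrl = staplerRequest.getRequestURL();
        if (staplerRequest.getQueryString() != null) {
            requestUrl.append('?').append(staplerRequest.getQueryString());
        }
        AuthorizationCodeResponseUrl response = new AuthorizationCodeResponseUrl(requestUrl.toString());

        Object expectedState = staplerRequest.getSession().getAttribute(STATE_ATTRIBUTE);
        // Consume the state regardless of outcome: one callback per login attempt.
        staplerRequest.getSession().removeAttribute(STATE_ATTRIBUTE);
        String receivedState = response.getState();
        // Null checks first: the original compared via toString() and threw NPE when no login was in flight.
        if (expectedState == null || receivedState == null
                || !MessageDigest.isEqual(
                        receivedState.getBytes(StandardCharsets.UTF_8),
                        expectedState.toString().getBytes(StandardCharsets.UTF_8))) {
            return new Failure("Inconsistent state");
        }
        if (response.getError() != null) {
            return new Failure("Error from provider: " + response.getError() + ". Details: " + response.getErrorDescription());
        }
        String code = response.getCode();
        if (code == null) {
            return new Failure("Missing authorization code");
        }
        return onSuccess(staplerRequest, code);
    }

    /**
     * Logs the user out of Jenkins and notifies Casdoor.
     *
     * @param staplerRequest  current request
     * @param staplerResponse current response
     * @throws ServletException propagated from {@link SecurityRealm#doLogout}
     * @throws IOException      if the Casdoor logout call or the Jenkins logout fails
     */
    @Override
    public void doLogout(StaplerRequest staplerRequest, StaplerResponse staplerResponse) throws ServletException, IOException {
        // Use the request we were handed rather than the thread-local one; getSession(false)
        // avoids creating a session merely to clear an attribute.
        if (staplerRequest.getSession(false) != null) {
            staplerRequest.getSession(false).removeAttribute(USER_ATTRIBUTE);
        }
        HttpClient.postString(this.endpoint + LOGOUT_ROUTER, "");
        super.doLogout(staplerRequest, staplerResponse);
    }

    /**
     * Exchanges the authorization code for a token, parses the JWT and logs the user in.
     *
     * @param staplerRequest the callback request
     * @param code           the authorization code from the callback URL
     * @return redirect to the captured Referer when it points into this Jenkins, else the context root;
     *         an HTTP 500 response if the token exchange or JWT parsing fails
     */
    private HttpResponse onSuccess(StaplerRequest staplerRequest, String code) {
        try {
            CasdoorAuthService authService = newAuthService();
            CasdoorUser casdoorUser = authService.parseJwtToken(authService.getOAuthToken(code, this.applicationName));
            staplerRequest.getSession().setAttribute(USER_ATTRIBUTE, casdoorUser);
            loginAndSetUserData(casdoorUser);
            String referer = (String) staplerRequest.getSession().getAttribute(REFERER_ATTRIBUTE);
            staplerRequest.getSession().removeAttribute(REFERER_ATTRIBUTE);
            // The Referer is attacker-influenced; only follow it back into this instance.
            return isLocalUrl(referer) ? HttpResponses.redirectTo(referer) : HttpResponses.redirectToContextRoot();
        } catch (IOException | CasdoorException e) {
            LOGGER.log(Level.WARNING, "Casdoor login failed", e);
            return HttpResponses.error(500, e);
        }
    }

    /**
     * Whether {@code url} points back into this Jenkins instance, i.e. starts with the configured
     * root URL. A null target or an unconfigured root URL is treated as not local.
     * NOTE(review): this relies on the root URL ending with a slash so that the prefix test cannot
     * match a sibling host such as {@code https://jenkins.example.com.attacker.example} — confirm
     * against Jenkins#getRootUrl.
     */
    private static boolean isLocalUrl(String url) {
        if (url == null) {
            return false;
        }
        Jenkins jenkins = Jenkins.getInstanceOrNull();
        String rootUrl = jenkins == null ? null : jenkins.getRootUrl();
        return rootUrl != null && url.startsWith(rootUrl);
    }

    /** Builds a Casdoor auth service from this realm's configuration (shared by login start and finish). */
    private CasdoorAuthService newAuthService() {
        return new CasdoorAuthService(new CasdoorConfig(
                this.endpoint,
                this.clientId,
                this.clientSecret.getPlainText(),
                this.jwtCertificate,
                this.organizationName,
                this.applicationName));
    }

    /**
     * Installs the authenticated principal in the security context, records the authorities on
     * the Jenkins {@link User}, and fires the authenticated listener.
     *
     * @param casdoorUser the user parsed from the JWT
     * @return the authentication token now held by the security context
     * @throws IOException if the Jenkins user cannot be loaded or its property cannot be saved
     */
    private UsernamePasswordAuthenticationToken loginAndSetUserData(CasdoorUser casdoorUser) throws IOException {
        GrantedAuthority[] authorities = determineAuthorities(casdoorUser);
        UsernamePasswordAuthenticationToken token =
                new UsernamePasswordAuthenticationToken(casdoorUser.getName(), "", Arrays.asList(authorities));
        SecurityContextHolder.getContext().setAuthentication(token);
        User.getOrCreateByIdOrFullName(token.getName())
                .addProperty(new CasdoorUserProperty(casdoorUser.getName(), authorities));
        SecurityListener.fireAuthenticated2(new CasdoorUserDetails(casdoorUser.getName(), authorities));
        return token;
    }

    /**
     * Computes the authorities for a user: always {@code AUTHENTICATED_AUTHORITY2}, plus one
     * authority per non-blank entry of the comma-separated group property named by
     * {@link #groupsFieldName}, when that field is configured and present.
     *
     * @param casdoorUser the user parsed from the JWT
     * @return the authorities, never empty
     */
    private GrantedAuthority[] determineAuthorities(CasdoorUser casdoorUser) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        authorities.add(SecurityRealm.AUTHENTICATED_AUTHORITY2);
        if (StringUtils.isNotBlank(this.groupsFieldName)
                && casdoorUser.getProperties() != null
                && casdoorUser.getProperties().containsKey(this.groupsFieldName)) {
            for (String group : casdoorUser.getProperties().get(this.groupsFieldName).split(",")) {
                // "a,,b" would otherwise yield an empty authority name.
                if (StringUtils.isBlank(group)) {
                    continue;
                }
                authorities.add(new CasdoorUserProperty.GrantedAuthorityImpl(group));
            }
        }
        return authorities.toArray(new GrantedAuthority[0]);
    }

    /**
     * The absolute callback URL registered with Casdoor.
     *
     * @return {@code <rootUrl>securityRealm/finishLogin}
     * @throws NullPointerException if Jenkins or its root URL is not available
     */
    private String redirectUrl() {
        Jenkins jenkins = Objects.requireNonNull(Jenkins.getInstanceOrNull(), "Jenkins instance should not be null");
        String rootUrl = Objects.requireNonNull(jenkins.getRootUrl(), "Jenkins root url should not be null");
        return rootUrl + "securityRealm/finishLogin";
    }

    @Override
    public boolean allowsSignup() {
        return false;
    }

    @Override
    public String getLoginUrl() {
        return "securityRealm/commenceLogin";
    }

    // NOTE(review): no doEscapeHatch handler is defined in this class; presumably served
    // elsewhere — confirm before relying on this URL.
    @Override
    public String getAuthenticationGatewayUrl() {
        return "securityRealm/escapeHatch";
    }

    /**
     * Wires the authentication manager and the user-details service.
     *
     * <p>The authentication manager accepts only anonymous tokens (all real logins go through the
     * OAuth callback). The user-details service looks up an existing Jenkins user and returns the
     * authorities stored on its {@link CasdoorUserProperty}, or none if the property is absent.
     */
    @Override
    public SecurityRealm.SecurityComponents createSecurityComponents() {
        return new SecurityRealm.SecurityComponents(authentication -> {
            if (authentication instanceof AnonymousAuthenticationToken) {
                return authentication;
            }
            throw new BadCredentialsException("Unexpected authentication type: " + authentication);
        }, username -> {
            // create=false: never materialise a user record from a lookup.
            User user = User.get(username, false, Collections.emptyMap());
            if (user == null) {
                throw new UsernameNotFoundException(username);
            }
            GrantedAuthority[] authorities = new GrantedAuthority[0];
            for (UserProperty userProperty : user.getAllProperties()) {
                if (userProperty instanceof CasdoorUserProperty) {
                    // If several such properties exist, the last one wins (as before).
                    authorities = ((CasdoorUserProperty) userProperty).getAuthoritiesAsGrantedAuthorities();
                }
            }
            return new CasdoorUserDetails(username, authorities);
        });
    }

    public String getClientId() {
        return this.clientId;
    }

    public Secret getClientSecret() {
        return this.clientSecret;
    }

    public String getEndpoint() {
        return this.endpoint;
    }

    public String getJwtCertificate() {
        return this.jwtCertificate;
    }

    public String getOrganizationName() {
        return this.organizationName;
    }

    public String getApplicationName() {
        return this.applicationName;
    }

    public String getScopes() {
        return this.scopes;
    }

    /** Getter for the group-field name so the configuration form can round-trip the value. */
    public String getGroupsFieldName() {
        return this.groupsFieldName;
    }
}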
