package io.jenkins.plugins.jwt_auth;

import hudson.Extension;
import hudson.Util;
import hudson.model.Descriptor;
import hudson.model.User;
import hudson.security.ChainedServletFilter;
import hudson.security.SecurityRealm;
import hudson.tasks.Mailer;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import jenkins.model.Jenkins;
import org.apache.commons.lang.StringUtils;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;
import org.kohsuke.stapler.DataBoundConstructor;
import org.springframework.lang.NonNull;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/* loaded from: input_file:WEB-INF/lib/jwt-auth.jar:io/jenkins/plugins/jwt_auth/JwtAuthSecurityRealm.class */
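/**
 * Security realm that authenticates every request from a JSON Web Token carried in a
 * configurable HTTP header.
 *
 * <p>Trust model, as implemented by the filter returned from {@link #createFilter(FilterConfig)}:
 * <ul>
 *   <li>When {@code jwksUrl} is set, the token signature is verified against the keys
 *       published there (jose4j {@link HttpsJwksVerificationKeyResolver}).</li>
 *   <li>When {@code jwksUrl} is empty, signature verification is disabled: the realm then
 *       relies on an upstream component (typically a reverse proxy) to set the header and to
 *       strip any client-supplied value. Such a deployment must not be reachable by clients
 *       directly.</li>
 *   <li>{@code allowVerificationFailures} additionally accepts tokens whose claim validation
 *       failed (expiry, issuer, audience, ...); the failure is logged at SEVERE. Intended for
 *       troubleshooting only.</li>
 * </ul>
 * Any request without a usable token is given {@link Jenkins#ANONYMOUS2}, replacing whatever
 * authentication earlier filters in the chain may have established.
 */
public class JwtAuthSecurityRealm extends SecurityRealm {
    private static final Logger LOGGER = Logger.getLogger(JwtAuthSecurityRealm.class.getName());

    /** Authentication scheme that may precede the token in the header ("Bearer &lt;token&gt;"). */
    private static final String BEARER_SCHEME = "Bearer";

    /**
     * Username -> authorities granted by the last token seen for that user. Filled by the
     * request filter and read back by {@link #loadUserByUsername2(String)}. The field is
     * transient, so it is {@code null} until the first request after a (re)start; every reader
     * must null-check it. {@link Hashtable} is synchronized, which is what makes concurrent
     * request threads safe here.
     */
    public transient Hashtable<String, List<GrantedAuthority>> userToGroupsCache;

    /**
     * Key resolver backed by {@code jwksUrl}. Created on first use; stays {@code null} when no
     * URL is configured.
     */
    public transient HttpsJwksVerificationKeyResolver jwksResolver;

    private final String headerName;
    private final String userClaimName;
    private final String groupsClaimName;
    private final String groupsClaimSeparator;
    private final String acceptedIssuer;
    private final String acceptedAudience;
    private final String jwksUrl;
    private final int leewaySeconds;
    private final boolean allowVerificationFailures;
    private final String emailClaimName;
    private final String fullNameClaim;

    /** Descriptor registering the realm with Jenkins and supplying the form's default values. */
    @Extension
    public static final class DescriptorImpl extends Descriptor<SecurityRealm> {
        public DescriptorImpl() {
        }

        public DescriptorImpl(Class<? extends SecurityRealm> cls) {
            super(cls);
        }

        public String getHelpFile() {
            return "/plugin/jwt-auth/help/help-security-realm.html";
        }

        @NonNull
        public String getDisplayName() {
            return "JWT Header Authentication Plugin";
        }

        /** Default header to read the token from. */
        public String getDefaultHeaderName() {
            return "Authorization";
        }

        /** Default claim used as the Jenkins user id. */
        public String getDefaultUsernameClaimName() {
            return "email";
        }

        /** Default claim holding the user's groups. */
        public String getDefaultGroupsClaimName() {
            return "groups";
        }

        /** Email synchronisation is off unless a claim name is configured. */
        public String getDefaultEmailClaimName() {
            return "";
        }

        /** Full-name synchronisation is off unless a claim name is configured. */
        public String getDefaultFullNameClaim() {
            return "";
        }
    }

    /**
     * Databound constructor. Stapler binds each parameter to the form field of the same name,
     * so the parameter names must stay in sync with the getters of this class.
     *
     * @param headerName HTTP header carrying the token; blank becomes {@code null}
     * @param userClaimName claim whose value becomes the Jenkins user id
     * @param groupsClaimName claim holding either a list of groups or a separator-joined string
     * @param groupsClaimSeparator separator for a string-valued groups claim; not trimmed,
     *     presumably so that a whitespace separator survives
     * @param acceptedIssuer comma-separated issuers accepted in {@code iss}; blank disables the check
     * @param acceptedAudience comma-separated audiences accepted in {@code aud}; blank disables the check
     * @param jwksUrl JWKS endpoint used to verify signatures; blank disables signature verification
     * @param leewaySeconds clock skew tolerated when validating time-based claims
     * @param allowVerificationFailures accept tokens whose claim validation failed (logged at SEVERE)
     * @param emailClaimName claim copied into the user's Mailer address; blank disables
     * @param fullNameClaim claim copied into the user's full name; blank disables
     */
    @DataBoundConstructor
    public JwtAuthSecurityRealm(String headerName, String userClaimName, String groupsClaimName,
            String groupsClaimSeparator, String acceptedIssuer, String acceptedAudience, String jwksUrl,
            int leewaySeconds, boolean allowVerificationFailures, String emailClaimName, String fullNameClaim) {
        this.headerName = Util.fixEmptyAndTrim(headerName);
        this.userClaimName = Util.fixEmptyAndTrim(userClaimName);
        this.groupsClaimName = Util.fixEmptyAndTrim(groupsClaimName);
        this.groupsClaimSeparator = Util.fixEmpty(groupsClaimSeparator);
        this.acceptedIssuer = Util.fixEmptyAndTrim(acceptedIssuer);
        this.acceptedAudience = Util.fixEmptyAndTrim(acceptedAudience);
        this.jwksUrl = Util.fixEmpty(jwksUrl);
        this.leewaySeconds = leewaySeconds;
        this.allowVerificationFailures = allowVerificationFailures;
        this.emailClaimName = Util.fixEmptyAndTrim(emailClaimName);
        this.fullNameClaim = Util.fixEmptyAndTrim(fullNameClaim);
    }

    /** No authentication manager or user-details service of its own; the filter does all the work. */
    public SecurityRealm.SecurityComponents createSecurityComponents() {
        return new SecurityRealm.SecurityComponents();
    }

    /**
     * Looks a user up in the in-memory cache populated by the request filter.
     *
     * @param username Jenkins user id (the value of the configured user claim)
     * @return the cached user with the authorities of the last token seen for it
     * @throws UsernameNotFoundException when the user has not authenticated since startup
     *     (the cache is transient) or the name is {@code null}
     */
    public UserDetails loadUserByUsername2(String username) throws UsernameNotFoundException {
        // Hashtable rejects null keys and the cache is null before the first request, so guard both.
        if (username != null && userToGroupsCache != null) {
            List<GrantedAuthority> authorities = userToGroupsCache.get(username);
            if (authorities != null) {
                return new JwtAuthUserDetails(username, authorities);
            }
        }
        throw new UsernameNotFoundException(username + " could not be found");
    }

    public boolean allowsSignup() {
        return false;
    }

    /** Logging out makes no sense: the next request carries the header again. */
    public boolean canLogOut() {
        return false;
    }

    /**
     * Chains the realm's default filters with one that sets the security context from the token
     * on every request.
     *
     * @param filterConfig servlet filter configuration, forwarded to the superclass
     * @return the combined filter
     */
    public Filter createFilter(FilterConfig filterConfig) {
        Filter jwtFilter = new Filter() {
            public void init(FilterConfig config) throws ServletException {
                // Nothing to set up; all configuration lives in the enclosing realm.
            }

            public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                    throws IOException, ServletException {
                // Unconditional: a request without a usable token ends up as ANONYMOUS2 even if an
                // earlier filter in the chain had authenticated it.
                SecurityContextHolder.getContext().setAuthentication(authenticate(request));
                chain.doFilter(request, response);
            }

            public void destroy() {
                // Nothing to release.
            }
        };
        return new ChainedServletFilter(new Filter[] {super.createFilter(filterConfig), jwtFilter});
    }

    /**
     * Derives the authentication for one request from the token in the configured header.
     *
     * <p>Side effects on success: the user's authorities are stored in {@link #userToGroupsCache}
     * and, when configured, the Jenkins user record is created/updated from the token claims.
     *
     * @return a {@link JwtAuthAuthenticationToken} for the token's user, or
     *     {@link Jenkins#ANONYMOUS2} when there is no header, no usable user claim, or any
     *     failure while parsing, verifying or applying the token (logged at SEVERE)
     */
    private Authentication authenticate(ServletRequest request) {
        if (!(request instanceof HttpServletRequest) || headerName == null) {
            return Jenkins.ANONYMOUS2;
        }
        String header = ((HttpServletRequest) request).getHeader(headerName);
        if (header == null || header.isEmpty()) {
            return Jenkins.ANONYMOUS2;
        }
        String token = stripBearerScheme(header);

        // Kept outside the try so the diagnostic in the catch can report how far processing got.
        JwtClaims claims = null;
        String username = null;
        boolean groupsIsList = false;
        List<String> groups = null;
        List<GrantedAuthority> granted = null;
        try {
            JwtConsumerBuilder builder = newConsumerBuilder();
            try {
                claims = builder.build().processToClaims(token);
            } catch (Exception verificationError) {
                if (!allowVerificationFailures) {
                    throw verificationError;
                }
                LOGGER.log(Level.SEVERE, "Verification error, but it is allowed by configuration", verificationError);
                // Second pass with the claim validators switched off; the token is still parsed.
                builder.setSkipAllValidators();
                claims = builder.build().processToClaims(token);
            }

            username = claims.getClaimValueAsString(userClaimName);
            if (username == null || username.isEmpty()) {
                LOGGER.log(Level.WARNING, "Token has no usable '" + userClaimName + "' claim; treating request as anonymous");
                return Jenkins.ANONYMOUS2;
            }

            groupsIsList = claims.isClaimValueStringList(groupsClaimName);
            if (groupsIsList) {
                groups = claims.getStringListClaimValue(groupsClaimName);
            } else {
                // StringUtils.split returns null for a missing claim; Arrays.asList(null) would throw,
                // which used to turn a missing groups claim into a failed login.
                String[] parts = StringUtils.split(claims.getClaimValueAsString(groupsClaimName), groupsClaimSeparator);
                groups = parts == null ? null : Arrays.asList(parts);
            }
            if (groups == null) {
                LOGGER.log(Level.WARNING, "Unable to read groups from claim '" + groupsClaimName + "'. Consider checking if it's a list or string and configure a correct separator.");
                groups = new ArrayList<>();
            }
            granted = getGrantedGroups(groups);

            if (userToGroupsCache == null) {
                userToGroupsCache = new Hashtable<>();
            }
            userToGroupsCache.put(username, granted);

            syncUserProfile(username, claims);
            return new JwtAuthAuthenticationToken(username, granted);
        } catch (Exception e) {
            // Diagnostic dump of everything derived so far. Note that the claims can contain
            // personal data (e.g. email addresses); they end up in the Jenkins log at SEVERE.
            StringBuilder sb = new StringBuilder("Could not decode the JWT");
            if (claims != null) {
                sb.append("\njwtClaims = ").append(claims);
            }
            if (username != null) {
                sb.append("\nusername (").append(userClaimName).append(") = '").append(username).append("'");
            }
            sb.append("\ngroupsIsAList = ").append(groupsIsList);
            sb.append("\ngroupsClaimSeparator = '").append(groupsClaimSeparator).append("'");
            if (groups != null) {
                sb.append("\ngroups (").append(groupsClaimName).append(") = ").append(groups);
            }
            if (granted != null) {
                sb.append("\ngrantedGroups = ").append(granted);
            }
            LOGGER.log(Level.SEVERE, sb.toString(), e);
            return Jenkins.ANONYMOUS2;
        }
    }

    /**
     * Removes a leading "Bearer" scheme (case-insensitive) and surrounding whitespace.
     * Only a prefix followed by whitespace or the end of the value is removed, so the token
     * body itself is never altered.
     */
    private static String stripBearerScheme(String header) {
        String value = header.trim();
        int n = BEARER_SCHEME.length();
        if (value.regionMatches(true, 0, BEARER_SCHEME, 0, n)
                && (value.length() == n || Character.isWhitespace(value.charAt(n)))) {
            value = value.substring(n).trim();
        }
        return value;
    }

    /** Builds a jose4j consumer reflecting the realm's verification settings. */
    private JwtConsumerBuilder newConsumerBuilder() {
        JwtConsumerBuilder builder = new JwtConsumerBuilder();
        builder.setAllowedClockSkewInSeconds(leewaySeconds);
        HttpsJwksVerificationKeyResolver resolver = resolverForJwksUrl();
        if (resolver != null) {
            builder.setVerificationKeyResolver(resolver);
        } else {
            // No JWKS URL: a signature is neither required nor checked. Only the component that
            // sets the header upstream stands between a forged token and a login.
            builder.setDisableRequireSignature();
            builder.setSkipSignatureVerification();
        }
        if (acceptedIssuer != null && !acceptedIssuer.isEmpty()) {
            builder.setExpectedIssuers(true, Util.tokenize(acceptedIssuer, ","));
        }
        if (acceptedAudience == null || acceptedAudience.isEmpty()) {
            builder.setSkipDefaultAudienceValidation();
        } else {
            builder.setExpectedAudience(true, Util.tokenize(acceptedAudience, ","));
        }
        return builder;
    }

    /**
     * Lazily creates the JWKS-backed resolver. Synchronised so that concurrent first requests
     * share one resolver (and its key cache) instead of each building their own.
     *
     * @return the resolver, or {@code null} when no {@code jwksUrl} is configured
     */
    private synchronized HttpsJwksVerificationKeyResolver resolverForJwksUrl() {
        if (jwksUrl != null && !jwksUrl.isEmpty() && jwksResolver == null) {
            jwksResolver = new HttpsJwksVerificationKeyResolver(new HttpsJwks(jwksUrl));
        }
        return jwksResolver;
    }

    /**
     * Copies the configured full-name and email claims onto the Jenkins user record,
     * creating the record if it does not exist yet. Does nothing when neither claim is configured.
     *
     * @throws IOException if the updated user record cannot be saved
     */
    private void syncUserProfile(String username, JwtClaims claims) throws IOException {
        if (fullNameClaim == null && emailClaimName == null) {
            return;
        }
        User user = User.getById(username, true);
        if (user == null) {
            return;
        }
        boolean dirty = false;
        if (fullNameClaim != null) {
            String fullName = claims.getClaimValueAsString(fullNameClaim);
            if (fullName != null && !fullName.equals(user.getFullName())) {
                user.setFullName(fullName);
                dirty = true;
            }
        }
        if (emailClaimName != null) {
            String email = claims.getClaimValueAsString(emailClaimName);
            if (email != null) {
                // A user created just now has no Mailer property yet; treat that as "no address".
                Mailer.UserProperty existing = user.getProperty(Mailer.UserProperty.class);
                String currentAddress = existing == null ? null : existing.getAddress();
                if (!email.equals(currentAddress)) {
                    user.addProperty(new Mailer.UserProperty(email));
                    dirty = true;
                }
            }
        }
        if (dirty) {
            user.save();
        }
    }

    /**
     * Maps group names to authorities, always prefixed with the "authenticated" authority.
     * Left public as in the decompiled class (the decompiler notes it was private originally).
     *
     * @param list group names from the token; {@code null} is treated as empty
     * @return the granted authorities
     * @throws IllegalArgumentException when a group name cannot be turned into an authority
     */
    public List<GrantedAuthority> getGrantedGroups(List<String> list) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        authorities.add(SecurityRealm.AUTHENTICATED_AUTHORITY2);
        if (list != null) {
            for (String group : list) {
                try {
                    authorities.add(new SimpleGrantedAuthority(group));
                } catch (RuntimeException e) {
                    throw new IllegalArgumentException("Unable to transform group name '" + group + "' to " + GrantedAuthority.class.getSimpleName(), e);
                }
            }
        }
        return authorities;
    }

    /** Decompiler's rendering of the covariant {@code getDescriptor()} override; name kept for compatibility. */
    public DescriptorImpl m1getDescriptor() {
        return (DescriptorImpl) super.getDescriptor();
    }

    public String getHeaderName() {
        return this.headerName;
    }

    public String getUserClaimName() {
        return this.userClaimName;
    }

    public String getGroupsClaimName() {
        return this.groupsClaimName;
    }

    public String getGroupsClaimSeparator() {
        return this.groupsClaimSeparator;
    }

    public String getAcceptedIssuer() {
        return this.acceptedIssuer;
    }

    public String getAcceptedAudience() {
        return this.acceptedAudience;
    }

    public String getJwksUrl() {
        return this.jwksUrl;
    }

    public int getLeewaySeconds() {
        return this.leewaySeconds;
    }

    public boolean isAllowVerificationFailures() {
        return this.allowVerificationFailures;
    }

    public String getEmailClaimName() {
        return this.emailClaimName;
    }

    public String getFullNameClaim() {
        return this.fullNameClaim;
    }
}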
