package io.jenkins.plugins.oidc_provider;

import edu.umd.cs.findbugs.annotations.CheckForNull;
import hudson.Extension;
import hudson.ExtensionList;
import hudson.model.InvisibleAction;
import hudson.model.UnprotectedRootAction;
import hudson.security.ACL;
import hudson.security.ACLContext;
import io.jenkins.plugins.oidc_provider.Issuer;
import java.security.interfaces.RSAPublicKey;
import java.util.Base64;
import java.util.Iterator;
import java.util.logging.Logger;
import net.sf.json.JSONArray;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.StaplerRequest;

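/**
 * Serves the OpenID Connect discovery document and the JSON Web Key Set (JWKS) for issuers
 * known to this plugin, under the {@code oidc} root URL.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The class implements {@link UnprotectedRootAction}, so these URLs are reachable without
 *       authentication. Token verifiers outside Jenkins need that, but it means every byte
 *       returned here must be public material.</li>
 *   <li>Lookups run as {@link ACL#SYSTEM2}, so they are not limited by the caller's permissions.
 *       Only RSA <em>public</em> key components and the credentials ID (as {@code kid}) are
 *       emitted; keep it that way when extending the response.</li>
 *   <li>An unknown issuer and an issuer without any default-issuer credentials both end in the
 *       same not-found response, so the endpoint does not reveal whether a folder exists.</li>
 * </ul>
 */
@Extension
public final class Keys extends InvisibleAction implements UnprotectedRootAction {
    private static final Logger LOGGER = Logger.getLogger(Keys.class.getName());
    static final String URL_NAME = "oidc";
    static final String WELL_KNOWN_OPENID_CONFIGURATION = "/.well-known/openid-configuration";
    static final String JWKS = "/jwks";

    /** Returns the URL segment under which this action is mounted. */
    @Override
    public String getUrlName() {
        return URL_NAME;
    }

    /**
     * Handles every request below the {@code oidc} root URL.
     *
     * <p>A path ending in {@value #WELL_KNOWN_OPENID_CONFIGURATION} yields the discovery document
     * of the matching issuer; a path ending in {@value #JWKS} yields its key set. Credentials
     * that declare their own issuer are left out of the key set because their keys are expected
     * to be served from that other location.
     *
     * @param staplerRequest the incoming request; only the rest-of-path is read
     * @return the discovery document or the JWKS as JSON
     * @throws org.kohsuke.stapler.HttpResponses.HttpResponseException not-found when no issuer
     *     matches the path
     */
    public JSONObject doDynamic(StaplerRequest staplerRequest) {
        String restOfPath = staplerRequest.getRestOfPath();
        // The caller is typically anonymous; impersonate SYSTEM only for the duration of the
        // lookup. try-with-resources restores the previous security context on every exit path.
        try (ACLContext ignored = ACL.as2(ACL.SYSTEM2)) {
            Issuer configIssuer = findIssuer(restOfPath, WELL_KNOWN_OPENID_CONFIGURATION);
            if (configIssuer != null) {
                return openidConfiguration(configIssuer.url());
            }
            Issuer jwksIssuer = findIssuer(restOfPath, JWKS);
            if (jwksIssuer == null) {
                throw HttpResponses.notFound();
            }
            JSONArray keys = new JSONArray();
            for (IdTokenCredentials creds : jwksIssuer.credentials()) {
                if (creds.getIssuer() != null) {
                    LOGGER.fine(() -> "declining to serve key for " + creds.getId() + " since it would be served from " + creds.getIssuer());
                } else {
                    keys.element(key(creds));
                }
            }
            return new JSONObject().accumulate("keys", keys);
        }
    }

    /**
     * Builds the discovery document for an issuer.
     *
     * <p>{@code authorization_endpoint} and {@code token_endpoint} are placeholder values
     * ({@code https://unimplemented}); this class exposes no such endpoints. The only advertised
     * signing algorithm is RS256.
     *
     * <p>Decompiler note: this method was package-private in the compiled class.
     *
     * @param str the issuer URL, used verbatim as {@code issuer} and as the prefix of
     *     {@code jwks_uri}
     * @return the discovery document
     */
    public static JSONObject openidConfiguration(String str) {
        return new JSONObject()
                .accumulate("issuer", str)
                .accumulate("jwks_uri", str + JWKS)
                .accumulate("response_types_supported", new JSONArray().element("code"))
                .accumulate("subject_types_supported", new JSONArray().element("public"))
                .accumulate("id_token_signing_alg_values_supported", new JSONArray().element("RS256"))
                .accumulate("authorization_endpoint", "https://unimplemented")
                .accumulate("token_endpoint", "https://unimplemented");
    }

    /**
     * Renders the RSA public key of a credentials entry as a JWK.
     *
     * <p>{@code n} and {@code e} are Base64urlUInt values: the unsigned big-endian magnitude in
     * the minimum number of octets (RFC 7518, section 6.3.1.1). {@code BigInteger.toByteArray()}
     * returns two's complement, which puts a zero sign octet in front of any value whose top bit
     * is set (a 2048-bit modulus comes back as 257 bytes). That octet is removed before encoding
     * so that strict verifiers accept the key.
     *
     * <p>Decompiler note: this method was package-private in the compiled class.
     *
     * @param idTokenCredentials the credentials whose public key is published; its ID becomes
     *     the {@code kid}
     * @return the JWK with {@code kid}, {@code kty}, {@code alg}, {@code use}, {@code n} and
     *     {@code e}
     */
    public static JSONObject key(IdTokenCredentials idTokenCredentials) {
        RSAPublicKey publicKey = idTokenCredentials.publicKey();
        Base64.Encoder encoder = Base64.getUrlEncoder().withoutPadding();
        byte[] modulus = stripSignOctet(publicKey.getModulus().toByteArray());
        byte[] exponent = stripSignOctet(publicKey.getPublicExponent().toByteArray());
        return new JSONObject()
                .accumulate("kid", idTokenCredentials.getId())
                .accumulate("kty", "RSA")
                .accumulate("alg", "RS256")
                .accumulate("use", "sig")
                .accumulate("n", encoder.encodeToString(modulus))
                .accumulate("e", encoder.encodeToString(exponent));
    }

    /**
     * Drops the single leading zero octet that two's-complement encoding adds to a positive
     * value whose most significant bit is set; any other input is returned unchanged.
     */
    private static byte[] stripSignOctet(byte[] twosComplement) {
        if (twosComplement.length > 1 && twosComplement[0] == 0) {
            byte[] magnitude = new byte[twosComplement.length - 1];
            System.arraycopy(twosComplement, 1, magnitude, 0, magnitude.length);
            return magnitude;
        }
        return twosComplement;
    }

    /**
     * Resolves the issuer addressed by a request path that ends in the given suffix.
     *
     * @param str the rest-of-path taken from the request
     * @param str2 the suffix identifying the document being asked for
     * @return the issuer, or {@code null} when the suffix does not match, no factory knows the
     *     URI, a factory returns an issuer for a different URI, or the issuer has no credentials
     *     using the default issuer
     */
    @CheckForNull
    private static Issuer findIssuer(String str, String str2) {
        if (!str.endsWith(str2)) {
            return null;
        }
        String substring = str.substring(0, str.length() - str2.length());
        // NOTE(review): this value comes straight from the request path of an unauthenticated
        // endpoint; anything consuming FINE logs should treat it as untrusted text.
        LOGGER.fine(() -> "looking up issuer for " + substring);
        for (Issuer.Factory factory : ExtensionList.lookup(Issuer.Factory.class)) {
            Issuer candidate = factory.forUri(substring);
            if (candidate == null) {
                continue;
            }
            // A factory answering for a URI other than the one requested is treated as a
            // failure rather than served under the wrong path.
            if (!candidate.uri().equals(substring)) {
                LOGGER.warning(() -> candidate + " was expected to have URI " + substring);
                return null;
            }
            boolean hasDefaultIssuerCredentials =
                    candidate.credentials().stream().anyMatch(creds -> creds.getIssuer() == null);
            if (!hasDefaultIssuerCredentials) {
                // Same outcome as "no such issuer", so callers cannot probe for folders.
                LOGGER.fine(() -> "found " + candidate + " but has no credentials with default issuer; not advertising existence of a folder");
                return null;
            }
            LOGGER.fine(() -> "found " + candidate);
            return candidate;
        }
        return null;
    }
}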
