package org.conjur.jenkins.jwtauth.impl;

import hudson.model.AbstractItem;
import hudson.model.ItemGroup;
import hudson.model.Job;
import hudson.model.ModelObject;
import hudson.model.Run;
import hudson.model.User;
import java.time.Instant;
import java.time.ZoneId;
import java.time.format.DateTimeFormatter;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Queue;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.conjur.jenkins.configuration.GlobalConjurConfiguration;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.lang.JoseException;
import org.json.JSONArray;
import org.json.JSONObject;

/* loaded from: input_file:org/conjur/jenkins/jwtauth/impl/JwtToken.class */
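/**
 * Builds and signs the short-lived JWT that the Jenkins controller presents to Conjur, and
 * publishes the matching public keys as a JWK set.
 *
 * <p>The compact serialization returned by {@link #sign()} is a bearer credential: whoever holds it
 * can authenticate as the encoded identity until {@code exp}. It must therefore never be written
 * to logs, build output or error messages.
 *
 * <p>Signing keys live in a process-wide queue that is read and pruned by both
 * {@link #getCurrentSigningKey(JwtToken)} and {@link #getJwkset()}; every access is guarded by the
 * queue's monitor.
 */
public class JwtToken {
    private static final Logger LOGGER = Logger.getLogger(JwtToken.class.getName());

    /** Clock-skew allowance: {@code nbf} is set this many seconds before {@code iat}. */
    private static final int DEFAULT_NOT_BEFORE_IN_SEC = 30;

    /** Format used to derive a key id ({@code kid}) from the key's creation instant. */
    public static final DateTimeFormatter ID_FORMAT = DateTimeFormatter.ofPattern("MMddkkmmss").withZone(ZoneId.systemDefault());

    /**
     * Signing keys, oldest first. Shared by every caller in the JVM, so all reads and writes
     * synchronize on this object.
     */
    private static final Queue<JwtRsaDigitalSignatureKey> keysQueue = new LinkedList<>();

    /** Claim set of this token; populated by {@link #getToken(String, Object)}. */
    public final JSONObject claim = new JSONObject();

    /**
     * Signs the current claim set with RS256 and returns the compact JWS serialization.
     *
     * @return the signed token ({@code header.payload.signature})
     * @throws RuntimeException wrapping the {@link JoseException} if signing fails
     */
    public String sign() {
        LOGGER.log(Level.FINE, "Signing Token");
        try {
            JwtRsaDigitalSignatureKey signingKey = getCurrentSigningKey(this);
            JsonWebSignature jws = new JsonWebSignature();
            jws.setPayload(this.claim.toString());
            jws.setKey(signingKey.toSigningKey());
            jws.setKeyIdHeaderValue(signingKey.getId());
            jws.setAlgorithmHeaderValue("RS256");
            jws.setHeader("typ", "JWT");
            // Serialize once. The signed token is a replayable credential, so only the public
            // key id is logged, never the token itself.
            String compact = jws.getCompactSerialization();
            LOGGER.log(Level.FINEST, "Signed JWT with key id {0}", signingKey.getId());
            return compact;
        } catch (JoseException e) {
            String message = "Failed to sign JWT token: " + e.getMessage();
            LOGGER.log(Level.SEVERE, "Failed to sign JWT token", e);
            throw new RuntimeException(message, e);
        }
    }

    /**
     * Convenience overload of {@link #getToken(String, Object)} using the plugin action
     * {@code "SecretRetrieval"}.
     *
     * @param obj the Jenkins context (a {@code Run}, a {@code Job}/item, or {@code null})
     * @return the signed token, or {@code null} when JWT authentication is not enabled
     */
    public static String getToken(Object obj) {
        return getToken("SecretRetrieval", obj);
    }

    /**
     * Builds a JWT describing the current Jenkins user and the given context, then signs it.
     *
     * <p>Standard claims: {@code jti}, {@code aud}, {@code iss}, {@code sub}, {@code name},
     * {@code iat}, {@code exp}, {@code nbf}. When the context resolves to an {@code AbstractItem},
     * {@code jenkins_*} claims describing the item and its parent are added, plus a composite
     * identity claim assembled from the configured claim names.
     *
     * @param str plugin action name; not used by this method
     * @param obj the Jenkins context; must be a {@code ModelObject} or {@code null}
     * @return the signed token, or {@code null} when the global configuration is missing or JWKS
     *     support is disabled
     * @throws ClassCastException if {@code obj} is non-null and not a {@code ModelObject}
     */
    public static String getToken(String str, Object obj) {
        LOGGER.log(Level.FINE, "***** Getting Token");
        GlobalConjurConfiguration globalConjurConfiguration = (GlobalConjurConfiguration) GlobalConfiguration.all().get(GlobalConjurConfiguration.class);
        LOGGER.log(Level.FINE, "**** GlobalConjurConfiguration ==> " + globalConjurConfiguration);
        if (globalConjurConfiguration == null || !globalConjurConfiguration.getEnableJWKS().booleanValue()) {
            LOGGER.log(Level.FINE, "No JWT Authentication");
            return null;
        }

        // The subject is whoever the calling thread is authenticated as.
        String subject = Jenkins.getAuthentication().getName();
        User user = User.get(subject, false, Collections.emptyMap());
        String fullName = null;
        if (user != null) {
            fullName = user.getFullName();
            subject = user.getId();
        }

        JwtToken jwtToken = new JwtToken();
        jwtToken.claim.put("jti", UUID.randomUUID().toString().replace("-", ""));
        jwtToken.claim.put("aud", globalConjurConfiguration.getJwtAudience());
        jwtToken.claim.put("iss", "conjur-jwt");
        jwtToken.claim.put("sub", subject);
        jwtToken.claim.put("name", fullName);
        long nowSeconds = System.currentTimeMillis() / 1000;
        jwtToken.claim.put("iat", nowSeconds);
        jwtToken.claim.put("exp", nowSeconds + GlobalConjurConfiguration.get().getTokenDurarionInSeconds());
        jwtToken.claim.put("nbf", nowSeconds - DEFAULT_NOT_BEFORE_IN_SEC);

        LOGGER.log(Level.FINE, "Context => " + obj);
        ModelObject context = (ModelObject) obj;
        if (context instanceof Run) {
            // A build contributes its number; the remaining claims describe its owning job.
            Run<?, ?> run = (Run<?, ?>) context;
            jwtToken.claim.put("jenkins_build_number", run.getNumber());
            context = run.getParent();
        }
        if (context instanceof AbstractItem) {
            AbstractItem item = (AbstractItem) context;
            if (item instanceof Job) {
                jwtToken.claim.put("jenkins_pronoun", item.getPronoun());
            }
            jwtToken.claim.put("jenkins_full_name", item.getFullName());
            jwtToken.claim.put("jenkins_name", item.getName());
            jwtToken.claim.put("jenkins_task_noun", item.getTaskNoun());
            if (item instanceof ItemGroup) {
                jwtToken.claim.put("jenkins_url_child_prefix", ((ItemGroup<?>) item).getUrlChildPrefix());
            }
            if (item instanceof Job) {
                // NOTE(review): this discloses an absolute controller filesystem path to every
                // holder of the token; confirm a consumer needs it before relying on it.
                jwtToken.claim.put("jenkins_job_buildir", ((Job<?, ?>) item).getBuildDir().getAbsolutePath());
            }

            ItemGroup<?> parent = item.getParent();
            if (parent != null && (parent instanceof AbstractItem)) {
                AbstractItem parentItem = (AbstractItem) parent;
                jwtToken.claim.put("jenkins_parent_full_name", parentItem.getFullName());
                jwtToken.claim.put("jenkins_parent_name", parentItem.getName());
                jwtToken.claim.put("jenkins_parent_task_noun", parentItem.getTaskNoun());
                if (parentItem instanceof ItemGroup) {
                    jwtToken.claim.put("jenkins_parent_url_child_prefix", ((ItemGroup<?>) parentItem).getUrlChildPrefix());
                }
                if (parentItem instanceof Job) {
                    jwtToken.claim.put("jenkins_parent_pronoun", ((Job<?, ?>) parentItem).getPronoun());
                }
            }

            // Composite identity: the configured claims, in configured order, joined by the
            // configured separator. Values are joined without escaping, so a claim value that
            // itself contains the separator can make two different contexts yield the same
            // identity; choose a separator that cannot occur in the selected claims.
            List<String> identityFields = Arrays.asList(globalConjurConfiguration.getIdentityFormatFieldsFromToken().split(","));
            String identityFieldsSeparator = globalConjurConfiguration.getIdentityFieldsSeparator();
            StringBuilder identity = new StringBuilder();
            for (String field : identityFields) {
                if (jwtToken.claim.has(field)) {
                    String value = jwtToken.claim.getString(field);
                    if (identity.length() != 0) {
                        identity.append(identityFieldsSeparator);
                    }
                    identity.append(value);
                }
            }
            if (identity.length() > 0) {
                // Stored as a String so the claim's JSON type does not depend on how the JSON
                // library renders a mutable buffer.
                jwtToken.claim.put(globalConjurConfiguration.getidentityFieldName(), identity.toString());
            }
        }
        return jwtToken.sign();
    }

    /**
     * Returns a signing key that will still be published when the given token expires, creating a
     * new one if none qualifies. Keys older than the configured lifetime are dropped on the way.
     *
     * @param jwtToken token about to be signed; its {@code exp} claim is read when a live key is
     *     examined
     * @return the key to sign with
     */
    protected static JwtRsaDigitalSignatureKey getCurrentSigningKey(JwtToken jwtToken) {
        long nowSeconds = System.currentTimeMillis() / 1000;
        long keyLifetimeSeconds = GlobalConjurConfiguration.get().getKeyLifetimeInMinutes() * 60;
        // The queue is static and structurally modified here and in getJwkset(); LinkedList is
        // not safe for that without a lock. Holding the lock during key creation also prevents
        // concurrent callers from each minting their own key.
        synchronized (keysQueue) {
            JwtRsaDigitalSignatureKey selected = null;
            Iterator<JwtRsaDigitalSignatureKey> it = keysQueue.iterator();
            while (it.hasNext()) {
                JwtRsaDigitalSignatureKey candidate = it.next();
                if (nowSeconds - candidate.getCreationTime() >= keyLifetimeSeconds) {
                    it.remove();
                } else if (candidate.getCreationTime() + keyLifetimeSeconds > jwtToken.claim.getLong("exp")) {
                    // Only use a key that outlives the token, so the token stays verifiable
                    // against the published JWK set until it expires.
                    selected = candidate;
                    break;
                }
            }
            if (selected == null) {
                selected = new JwtRsaDigitalSignatureKey(ID_FORMAT.format(Instant.now()));
                keysQueue.add(selected);
            }
            return selected;
        }
    }

    /**
     * Returns the JWK set ({@code {"keys": [...]}}) of all unexpired signing keys and removes
     * expired keys from the queue. Only public material ({@code n}, {@code e}) is exported.
     *
     * <p>The decompiler reports that this method was originally {@code protected}.
     *
     * @return the JWK set as a JSON object
     */
    public static JSONObject getJwkset() {
        JSONObject jwkSet = new JSONObject();
        JSONArray keys = new JSONArray();
        long nowSeconds = System.currentTimeMillis() / 1000;
        long keyLifetimeSeconds = GlobalConjurConfiguration.get().getKeyLifetimeInMinutes() * 60;
        synchronized (keysQueue) {
            Iterator<JwtRsaDigitalSignatureKey> it = keysQueue.iterator();
            while (it.hasNext()) {
                JwtRsaDigitalSignatureKey key = it.next();
                if (nowSeconds - key.getCreationTime() < keyLifetimeSeconds) {
                    JSONObject jwk = new JSONObject();
                    jwk.put("kty", "RSA");
                    jwk.put("alg", "RS256");
                    jwk.put("kid", key.getId());
                    jwk.put("use", "sig");
                    jwk.put("key_ops", (Collection<?>) Collections.singleton("verify"));
                    jwk.put("n", encodeUnsigned(key.getPublicKey().getModulus().toByteArray()));
                    jwk.put("e", encodeUnsigned(key.getPublicKey().getPublicExponent().toByteArray()));
                    keys.put(jwk);
                } else {
                    it.remove();
                }
            }
        }
        jwkSet.put("keys", keys);
        return jwkSet;
    }

    /**
     * Base64url-encodes (no padding) a big-endian magnitude as a JWK {@code Base64urlUInt}.
     *
     * <p>The input is presumably the two's-complement output of {@code BigInteger.toByteArray()},
     * which prepends a {@code 0x00} sign byte whenever the top bit of the value is set. RFC 7518
     * requires the minimum number of octets, so that single leading zero is stripped; strict
     * verifiers may otherwise reject the key.
     */
    private static String encodeUnsigned(byte[] twosComplement) {
        byte[] magnitude = twosComplement;
        if (magnitude.length > 1 && magnitude[0] == 0) {
            magnitude = Arrays.copyOfRange(magnitude, 1, magnitude.length);
        }
        return Base64.getUrlEncoder().withoutPadding().encodeToString(magnitude);
    }
}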
