package org.jenkinsci.plugins;

import com.thoughtworks.xstream.converters.ConversionException;
import com.thoughtworks.xstream.converters.Converter;
import com.thoughtworks.xstream.converters.MarshallingContext;
import com.thoughtworks.xstream.converters.UnmarshallingContext;
import com.thoughtworks.xstream.io.HierarchicalStreamReader;
import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
import hudson.Extension;
import hudson.ProxyConfiguration;
import hudson.Util;
import hudson.model.Descriptor;
import hudson.model.User;
import hudson.model.listeners.ItemListener;
import hudson.security.GroupDetails;
import hudson.security.SecurityRealm;
import hudson.security.UserMayOrMayNotExistException;
import hudson.tasks.Mailer;
import hudson.util.Secret;
import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.math.BigInteger;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URLEncoder;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import jenkins.model.Jenkins;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.userdetails.UserDetailsService;
import org.acegisecurity.userdetails.UsernameNotFoundException;
import org.apache.commons.httpclient.URIException;
import org.apache.http.HttpHost;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.conn.params.ConnRoutePNames;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.util.EntityUtils;
import org.jfree.util.Log;
import org.kohsuke.github.GHEmail;
import org.kohsuke.github.GHMyself;
import org.kohsuke.github.GHOrganization;
import org.kohsuke.github.GHTeam;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.Header;
import org.kohsuke.stapler.HttpRedirect;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.StaplerRequest;
import org.springframework.dao.DataAccessException;
import org.springframework.dao.DataRetrievalFailureException;

/* loaded from: input_file:WEB-INF/lib/github-oauth.jar:org/jenkinsci/plugins/GithubSecurityRealm.class */
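/**
 * Jenkins {@link SecurityRealm} that signs users in through the GitHub OAuth web flow.
 *
 * <p>{@link #doCommenceLogin} redirects the browser to GitHub's authorize endpoint and
 * {@link #doFinishLogin} exchanges the returned {@code code} for an access token. The realm
 * also accepts a GitHub access token supplied as the password of a username/password
 * authentication (see {@link #createSecurityComponents()}).
 *
 * <p>This listing is decompiler output; members that were private in the compiled class but
 * were widened by the decompiler are marked as such and are not meant to be called from outside.
 *
 * <p>Security-relevant behaviour of the login flow:
 * <ul>
 *   <li>a random {@code state} value is bound to the HTTP session and checked on the callback,
 *       so a callback that was not started from this browser session is rejected;</li>
 *   <li>the post-login redirect target (taken from the {@code Referer} header) is only followed
 *       when it points inside this Jenkins instance;</li>
 *   <li>the HTTP session is replaced once the token exchange succeeds, so a session identifier
 *       known before login does not carry the authenticated context.</li>
 * </ul>
 */
public class GithubSecurityRealm extends SecurityRealm implements UserDetailsService {
    private static final String DEFAULT_WEB_URI = "https://github.com";
    private static final String DEFAULT_API_URI = "https://api.github.com";
    private static final String DEFAULT_ENTERPRISE_API_SUFFIX = "/api/v3";
    private static final String DEFAULT_OAUTH_SCOPES = "read:org,user:email";

    @Deprecated
    private static final String DEFAULT_URI = "https://github.com";
    private String githubWebUri;
    private String githubApiUri;
    private String clientID;
    private Secret clientSecret;
    private String oauthScopes;
    // Sorted cache of oauthScopes for hasScope(); volatile because the realm is shared between
    // request threads and the array is published after it has been fully built.
    private volatile String[] myScopes;
    private static final Logger LOGGER = Logger.getLogger(GithubSecurityRealm.class.getName());
    private static final String REFERER_ATTRIBUTE = GithubSecurityRealm.class.getName() + ".referer";
    // Session attribute holding the OAuth "state" value issued by doCommenceLogin.
    private static final String STATE_ATTRIBUTE = GithubSecurityRealm.class.getName() + ".state";
    // Source of the unpredictable "state" values; SecureRandom is safe to share between threads.
    private static final SecureRandom STATE_RANDOM = new SecureRandom();

    /**
     * XStream converter that persists the realm as five child nodes and reads them back,
     * matching node names case-insensitively and accepting the legacy {@code githubUri} node.
     */
    /* loaded from: input_file:WEB-INF/lib/github-oauth.jar:org/jenkinsci/plugins/GithubSecurityRealm$ConverterImpl.class */
    public static final class ConverterImpl implements Converter {
        /** Handles exactly {@link GithubSecurityRealm}, not subclasses. */
        @Override
        public boolean canConvert(Class cls) {
            return cls == GithubSecurityRealm.class;
        }

        /**
         * Writes the realm's settings. The client secret is written in its encrypted form
         * ({@link Secret#getEncryptedValue()}), never as plain text.
         */
        @Override
        public void marshal(Object obj, HierarchicalStreamWriter hierarchicalStreamWriter, MarshallingContext marshallingContext) {
            GithubSecurityRealm realm = (GithubSecurityRealm) obj;
            writeNode(hierarchicalStreamWriter, "githubWebUri", realm.getGithubWebUri());
            writeNode(hierarchicalStreamWriter, "githubApiUri", realm.getGithubApiUri());
            writeNode(hierarchicalStreamWriter, "clientID", realm.getClientID());
            writeNode(hierarchicalStreamWriter, "clientSecret", realm.getClientSecret().getEncryptedValue());
            writeNode(hierarchicalStreamWriter, "oauthScopes", realm.getOauthScopes());
        }

        /** Emits one {@code <name>value</name>} element. */
        private static void writeNode(HierarchicalStreamWriter writer, String name, String value) {
            writer.startNode(name);
            writer.setValue(value);
            writer.endNode();
        }

        /**
         * Rebuilds a realm from its child nodes, defaulting the web and API URIs to the public
         * GitHub endpoints when the stored configuration does not name them.
         *
         * @throws ConversionException if an unknown child node is present
         */
        @Override
        public Object unmarshal(HierarchicalStreamReader hierarchicalStreamReader, UnmarshallingContext unmarshallingContext) {
            GithubSecurityRealm realm = new GithubSecurityRealm();
            while (hierarchicalStreamReader.hasMoreChildren()) {
                hierarchicalStreamReader.moveDown();
                setValue(realm, hierarchicalStreamReader.getNodeName(), hierarchicalStreamReader.getValue());
                hierarchicalStreamReader.moveUp();
            }
            if (realm.getGithubWebUri() == null) {
                realm.setGithubWebUri(GithubSecurityRealm.DEFAULT_WEB_URI);
            }
            if (realm.getGithubApiUri() == null) {
                realm.setGithubApiUri(GithubSecurityRealm.DEFAULT_API_URI);
            }
            return realm;
        }

        /**
         * Applies one configuration node to the realm.
         *
         * @param str  node name as found in the XML (matched case-insensitively)
         * @param str2 node value
         * @throws ConversionException if the node name is not one of the known settings
         */
        private void setValue(GithubSecurityRealm githubSecurityRealm, String str, String str2) {
            // Lower-case with a fixed locale: with the default locale, "clientID" would not fold
            // to "clientid" on a Turkish-locale JVM and the stored configuration would fail to load.
            String node = str.toLowerCase(Locale.ENGLISH);
            if (node.equals("clientid")) {
                githubSecurityRealm.setClientID(str2);
            } else if (node.equals("clientsecret")) {
                githubSecurityRealm.setClientSecret(str2);
            } else if (node.equals("githubweburi")) {
                githubSecurityRealm.setGithubWebUri(str2);
            } else if (node.equals("githuburi")) {
                // Legacy single-URI setting: derive the API URI from the web URI.
                githubSecurityRealm.setGithubWebUri(str2);
                githubSecurityRealm.setGithubApiUri(githubSecurityRealm.determineApiUri(str2));
            } else if (node.equals("githubapiuri")) {
                githubSecurityRealm.setGithubApiUri(str2);
            } else if (node.equals("oauthscopes")) {
                githubSecurityRealm.setOauthScopes(str2);
            } else {
                throw new ConversionException("Invalid node value = " + str);
            }
        }
    }

    /** Descriptor exposing the display name, help file and default values for the configuration form. */
    @Extension
    /* loaded from: input_file:WEB-INF/lib/github-oauth.jar:org/jenkinsci/plugins/GithubSecurityRealm$DescriptorImpl.class */
    public static final class DescriptorImpl extends Descriptor<SecurityRealm> {
        @Override
        public String getHelpFile() {
            return "/plugin/github-oauth/help/help-security-realm.html";
        }

        @Override
        public String getDisplayName() {
            return "Github Authentication Plugin";
        }

        public String getDefaultGithubWebUri() {
            return GithubSecurityRealm.DEFAULT_WEB_URI;
        }

        public String getDefaultGithubApiUri() {
            return GithubSecurityRealm.DEFAULT_API_URI;
        }

        public String getDefaultOauthScopes() {
            return GithubSecurityRealm.DEFAULT_OAUTH_SCOPES;
        }

        public DescriptorImpl() {
        }

        public DescriptorImpl(Class<? extends SecurityRealm> cls) {
            super(cls);
        }
    }

    /**
     * Upgrades a stored realm that has no OAuth scopes configured by replacing it with one
     * built through the four-argument constructor, which applies the default scopes.
     */
    @Extension
    /* loaded from: input_file:WEB-INF/lib/github-oauth.jar:org/jenkinsci/plugins/GithubSecurityRealm$Migrator.class */
    public static final class Migrator extends ItemListener {
        @Override
        public void onLoaded() {
            try {
                Jenkins jenkins = Jenkins.getInstance();
                if (!(jenkins.getSecurityRealm() instanceof GithubSecurityRealm)) {
                    return;
                }
                GithubSecurityRealm current = (GithubSecurityRealm) jenkins.getSecurityRealm();
                if (current.getOauthScopes() != null) {
                    return;
                }
                // A realm loaded from XML without a clientSecret node has no Secret at all.
                Secret secret = current.getClientSecret();
                String plainSecret = secret != null ? secret.getPlainText() : null;
                jenkins.setSecurityRealm(new GithubSecurityRealm(current.getGithubWebUri(), current.getGithubApiUri(), current.getClientID(), plainSecret));
                jenkins.save();
            } catch (IOException e) {
                GithubSecurityRealm.LOGGER.log(Level.WARNING, "could not migrate GithubSecurityRealm", e);
            }
        }
    }

    /**
     * Creates the realm from the configuration form.
     *
     * @param str  GitHub web URI
     * @param str2 GitHub API URI
     * @param str3 OAuth client ID
     * @param str4 OAuth client secret (plain or already encrypted; stored as a {@link Secret})
     * @param str5 comma-separated OAuth scopes
     */
    @DataBoundConstructor
    public GithubSecurityRealm(String str, String str2, String str3, String str4, String str5) {
        this.githubWebUri = Util.fixEmptyAndTrim(str);
        this.githubApiUri = Util.fixEmptyAndTrim(str2);
        this.clientID = Util.fixEmptyAndTrim(str3);
        setClientSecret(Util.fixEmptyAndTrim(str4));
        this.oauthScopes = Util.fixEmptyAndTrim(str5);
    }

    /** Same as the five-argument constructor, with the default OAuth scopes. */
    @Deprecated
    public GithubSecurityRealm(String str, String str2, String str3, String str4) {
        this.githubWebUri = Util.fixEmptyAndTrim(str);
        this.githubApiUri = Util.fixEmptyAndTrim(str2);
        this.clientID = Util.fixEmptyAndTrim(str3);
        setClientSecret(Util.fixEmptyAndTrim(str4));
        this.oauthScopes = DEFAULT_OAUTH_SCOPES;
    }

    /** Legacy form taking only the web URI; the API URI is derived from it. */
    @Deprecated
    public GithubSecurityRealm(String str, String str2, String str3) {
        this.githubWebUri = Util.fixEmptyAndTrim(str);
        this.githubApiUri = determineApiUri(this.githubWebUri);
        this.clientID = Util.fixEmptyAndTrim(str2);
        setClientSecret(Util.fixEmptyAndTrim(str3));
        this.oauthScopes = DEFAULT_OAUTH_SCOPES;
    }

    /** Used by {@link ConverterImpl#unmarshal}; leaves every field unset. */
    private GithubSecurityRealm() {
    }

    /**
     * Derives the API URI from a web URI: the public GitHub API for {@code https://github.com}
     * (or when no web URI is given), otherwise the web URI followed by {@code /api/v3}.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public String determineApiUri(String str) {
        // A null web URI used to raise NullPointerException here; unmarshal() treats a missing
        // web URI as public GitHub, so do the same.
        if (str == null || str.equals(DEFAULT_WEB_URI)) {
            return DEFAULT_API_URI;
        }
        return str + DEFAULT_ENTERPRISE_API_SUFFIX;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void setGithubWebUri(String str) {
        this.githubWebUri = str;
    }

    @Deprecated
    private void setGithubUri(String str) {
        setGithubWebUri(str);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void setClientID(String str) {
        this.clientID = str;
    }

    /** Stores the client secret wrapped in a {@link Secret}. */
    /* JADX INFO: Access modifiers changed from: private */
    public void setClientSecret(String str) {
        this.clientSecret = Secret.fromString(str);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void setOauthScopes(String str) {
        this.oauthScopes = str;
        // Drop the sorted cache so hasScope() does not answer from the previous scope list.
        this.myScopes = null;
    }

    /**
     * Reports whether the configured scope list contains {@code str} exactly.
     *
     * @return {@code false} when no scopes are configured
     */
    public boolean hasScope(String str) {
        String[] scopes = this.myScopes;
        if (scopes == null) {
            if (this.oauthScopes == null) {
                return false;
            }
            scopes = this.oauthScopes.split(",");
            for (int i = 0; i < scopes.length; i++) {
                scopes[i] = scopes[i].trim();
            }
            // Sort before publishing: binarySearch on a not-yet-sorted array gives wrong answers,
            // which another request thread could observe if the field were assigned first.
            Arrays.sort(scopes);
            this.myScopes = scopes;
        }
        return Arrays.binarySearch(scopes, str) >= 0;
    }

    public String getGithubApiUri() {
        return this.githubApiUri;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void setGithubApiUri(String str) {
        this.githubApiUri = str;
    }

    public String getGithubWebUri() {
        return this.githubWebUri;
    }

    @Deprecated
    public String getGithubUri() {
        return getGithubWebUri();
    }

    public String getClientID() {
        return this.clientID;
    }

    public Secret getClientSecret() {
        return this.clientSecret;
    }

    public String getOauthScopes() {
        return this.oauthScopes;
    }

    /**
     * Starts the OAuth flow by redirecting the browser to GitHub's authorize endpoint.
     *
     * <p>The {@code Referer} header is remembered in the session as the post-login target, and a
     * fresh random {@code state} value is stored in the session and sent to GitHub so that
     * {@link #doFinishLogin} can tell whether the callback belongs to this session.
     *
     * @param str value of the {@code Referer} request header; may be {@code null}
     */
    public HttpResponse doCommenceLogin(StaplerRequest staplerRequest, @Header("Referer") String str) throws IOException {
        // 130 random bits rendered in base 32: digits and lower-case letters only, URL-safe.
        String state = new BigInteger(130, STATE_RANDOM).toString(32);
        staplerRequest.getSession().setAttribute(REFERER_ATTRIBUTE, str);
        staplerRequest.getSession().setAttribute(STATE_ATTRIBUTE, state);

        Set<String> requestedScopes = new HashSet<String>();
        for (GitHubOAuthScope scope : Jenkins.getInstance().getExtensionList(GitHubOAuthScope.class)) {
            requestedScopes.addAll(scope.getScopesToRequest());
        }
        // Scopes contributed by extensions replace the configured list when any are present.
        String scopeParam = !requestedScopes.isEmpty() ? Util.join(requestedScopes, ",") : this.oauthScopes;
        return new HttpRedirect(this.githubWebUri + "/login/oauth/authorize?client_id=" + this.clientID + "&scope=" + scopeParam + "&state=" + state);
    }

    /**
     * Completes the OAuth flow: validates the callback, exchanges the {@code code} for an access
     * token, installs the resulting authentication and redirects the user.
     *
     * <p>The callback is rejected (redirect to the context root, nothing authenticated) when the
     * {@code code} is missing or when the {@code state} parameter does not match the value issued
     * by {@link #doCommenceLogin} for this session.
     */
    public HttpResponse doFinishLogin(StaplerRequest staplerRequest) throws IOException {
        String code = staplerRequest.getParameter("code");
        if (code == null || code.trim().length() == 0) {
            LOGGER.info("doFinishLogin: missing code.");
            return HttpResponses.redirectToContextRoot();
        }

        // Read everything needed from the session up front: it is replaced further down.
        String expectedState = (String) staplerRequest.getSession().getAttribute(STATE_ATTRIBUTE);
        String referer = (String) staplerRequest.getSession().getAttribute(REFERER_ATTRIBUTE);
        // The state value is single-use.
        staplerRequest.getSession().removeAttribute(STATE_ATTRIBUTE);
        String actualState = staplerRequest.getParameter("state");
        if (expectedState == null || actualState == null
                || !MessageDigest.isEqual(expectedState.getBytes("UTF-8"), actualState.getBytes("UTF-8"))) {
            LOGGER.warning("doFinishLogin: missing or mismatched OAuth state; login rejected.");
            return HttpResponses.redirectToContextRoot();
        }

        String accessToken = extractToken(requestAccessToken(code));
        if (accessToken == null || accessToken.trim().length() <= 0) {
            LOGGER.info("Github did not return an access token.");
        } else {
            // Replace the session before the authenticated context is attached to it.
            staplerRequest.getSession().invalidate();
            staplerRequest.getSession(true);

            GithubAuthenticationToken authToken = new GithubAuthenticationToken(accessToken, getGithubApiUri());
            SecurityContextHolder.getContext().setAuthentication(authToken);
            GHMyself myself = authToken.getMyself();
            populateUserProfile(authToken, myself);
            fireAuthenticated(new GithubOAuthUserDetails(myself, authToken.getAuthorities()));
        }
        return isSafeRedirectTarget(referer) ? HttpResponses.redirectTo(referer) : HttpResponses.redirectToContextRoot();
    }

    /**
     * Posts the authorization code to GitHub's access-token endpoint and returns the raw
     * response body.
     *
     * <p>NOTE(review): the client secret travels in the request URL, as in the original code.
     * Request URLs tend to be recorded by proxies and HTTP client logging, so this URL must not
     * be logged; sending the parameters in the POST body would avoid the exposure altogether.
     */
    private String requestAccessToken(String code) throws IOException {
        // getPlainText() is what the previous implicit Secret.toString() is understood to
        // return; spelled out so the disclosure of the secret is deliberate and visible.
        // The code comes from the request, so it is URL-encoded to keep it a single parameter.
        HttpPost httpPost = new HttpPost(this.githubWebUri + "/login/oauth/access_token?client_id=" + this.clientID
                + "&client_secret=" + this.clientSecret.getPlainText()
                + "&code=" + URLEncoder.encode(code, "UTF-8"));
        DefaultHttpClient httpClient = new DefaultHttpClient();
        try {
            HttpHost proxy = getProxy(httpPost);
            if (proxy != null) {
                httpClient.getParams().setParameter(ConnRoutePNames.DEFAULT_PROXY, proxy);
            }
            return EntityUtils.toString(httpClient.execute(httpPost).getEntity());
        } finally {
            // Release the connection even when the request fails.
            httpClient.getConnectionManager().shutdown();
        }
    }

    /**
     * Copies the GitHub display name onto the current Jenkins user and, unless the user already
     * has an explicitly configured address, sets the mail address from the GitHub profile.
     */
    private void populateUserProfile(GithubAuthenticationToken authToken, GHMyself myself) throws IOException {
        User current = User.current();
        current.setFullName(myself.getName());
        if (current.getProperty(Mailer.UserProperty.class).hasExplicitlyConfiguredAddress()) {
            return;
        }
        if (hasScope("user") || hasScope("user:email")) {
            // With an e-mail scope the address list is available: use the primary address.
            String primary = null;
            for (GHEmail email : myself.getEmails2()) {
                if (email.isPrimary()) {
                    primary = email.getEmail();
                }
            }
            if (primary != null) {
                current.addProperty(new Mailer.UserProperty(primary));
            }
        } else {
            current.addProperty(new Mailer.UserProperty(authToken.getGitHub().getMyself().getEmail()));
        }
    }

    /**
     * Accepts a post-login redirect target only when it lies under this Jenkins instance's root
     * URL. The target originates from the {@code Referer} header, which the referring page
     * controls, so following it unchecked would send freshly logged-in users to any site.
     */
    private static boolean isSafeRedirectTarget(String target) {
        if (target == null) {
            return false;
        }
        String rootUrl = Jenkins.getInstance().getRootUrl();
        if (rootUrl == null) {
            return false;
        }
        // Compare against ".../" so a host that merely starts with the Jenkins host name
        // does not pass the prefix test.
        if (!rootUrl.endsWith("/")) {
            rootUrl = rootUrl + "/";
        }
        return target.startsWith(rootUrl);
    }

    /**
     * Notifies {@code jenkins.security.SecurityListener} of a successful login, via reflection.
     * Presumably reflective so the plugin still loads on cores without that class.
     */
    private void fireAuthenticated(UserDetails userDetails) {
        try {
            Class.forName("jenkins.security.SecurityListener").getMethod("fireAuthenticated", UserDetails.class).invoke(null, userDetails);
        } catch (ClassNotFoundException ignored) {
            // Listener class not present in this core: nothing to notify.
        } catch (IllegalAccessException e) {
            throw ((Error) new IllegalAccessError(e.getMessage()).initCause(e));
        } catch (NoSuchMethodException ignored) {
            // Listener present but without this method: nothing to notify.
        } catch (InvocationTargetException e) {
            LOGGER.log(Level.WARNING, "Failed to invoke fireAuthenticated", e);
        }
    }

    /**
     * Returns the HTTP proxy Jenkins is configured to use for the request's host, or
     * {@code null} when there is no proxy configuration or the proxy is not an HTTP proxy.
     */
    private HttpHost getProxy(HttpUriRequest httpUriRequest) throws URIException {
        ProxyConfiguration proxyConfiguration = Jenkins.getInstance().proxy;
        if (proxyConfiguration == null) {
            return null;
        }
        Proxy proxy = proxyConfiguration.createProxy(httpUriRequest.getURI().getHost());
        // DIRECT and SOCKS are not passed on to the HTTP client.
        if (proxy.type() != Proxy.Type.HTTP) {
            return null;
        }
        InetSocketAddress address = (InetSocketAddress) proxy.address();
        return new HttpHost(address.getHostName(), address.getPort());
    }

    /**
     * Extracts the {@code access_token} value from a form-encoded response body
     * ({@code key=value&key=value}).
     *
     * @return the token, or {@code null} when the response carries no {@code access_token} pair
     */
    private String extractToken(String str) {
        if (str == null) {
            return null;
        }
        for (String pair : str.split("&")) {
            // Match the key of this pair. The previous code tested the whole response and
            // returned the value of whichever pair came first, and failed with an index error
            // on a pair without a value.
            int separator = pair.indexOf('=');
            if (separator > 0 && "access_token".equals(pair.substring(0, separator))) {
                return pair.substring(separator + 1);
            }
        }
        return null;
    }

    @Override
    public boolean allowsSignup() {
        return false;
    }

    /**
     * Builds the authentication manager and user-details service for this realm.
     *
     * <p>The manager passes an existing {@link GithubAuthenticationToken} through unchanged and
     * treats the password of a {@link UsernamePasswordAuthenticationToken} as a GitHub access
     * token; any other authentication type is refused.
     */
    @Override
    public SecurityRealm.SecurityComponents createSecurityComponents() {
        return new SecurityRealm.SecurityComponents(new AuthenticationManager() { // from class: org.jenkinsci.plugins.GithubSecurityRealm.1
            public Authentication authenticate(Authentication authentication) throws AuthenticationException {
                if (authentication instanceof GithubAuthenticationToken) {
                    return authentication;
                }
                if (!(authentication instanceof UsernamePasswordAuthenticationToken)) {
                    throw new BadCredentialsException("Unexpected authentication type: " + authentication);
                }
                Object credentials = ((UsernamePasswordAuthenticationToken) authentication).getCredentials();
                if (credentials == null) {
                    // Refuse cleanly instead of failing with a NullPointerException.
                    throw new BadCredentialsException("Missing credentials");
                }
                try {
                    GithubAuthenticationToken authToken = new GithubAuthenticationToken(credentials.toString(), GithubSecurityRealm.this.getGithubApiUri());
                    SecurityContextHolder.getContext().setAuthentication(authToken);
                    return authToken;
                } catch (IOException e) {
                    throw new RuntimeException(e);
                }
            }
        }, new UserDetailsService() { // from class: org.jenkinsci.plugins.GithubSecurityRealm.2
            public UserDetails loadUserByUsername(String str) throws UsernameNotFoundException, DataAccessException {
                return GithubSecurityRealm.this.loadUserByUsername(str);
            }
        });
    }

    @Override
    public String getLoginUrl() {
        return "securityRealm/commenceLogin";
    }

    /* renamed from: getDescriptor, reason: merged with bridge method [inline-methods] */
    public DescriptorImpl m57getDescriptor() {
        return (DescriptorImpl) super.getDescriptor();
    }

    /**
     * Looks up a GitHub user through the access token of the current authentication.
     *
     * @throws UserMayOrMayNotExistException if the current authentication is absent or is not a
     *         GitHub token, so no lookup can be made
     * @throws UsernameNotFoundException if GitHub knows no such user, or the name is an organization
     * @throws DataRetrievalFailureException if the lookup itself fails
     */
    @Override
    public UserDetails loadUserByUsername(String str) throws UsernameNotFoundException, DataAccessException {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (current == null) {
            throw new UserMayOrMayNotExistException("Could not get auth token.");
        }
        if (!(current instanceof GithubAuthenticationToken)) {
            // Anonymous or foreign authentications carry no GitHub token to query with.
            throw new UserMayOrMayNotExistException("Unexpected authentication type: " + current);
        }
        GithubAuthenticationToken authToken = (GithubAuthenticationToken) current;
        try {
            GithubOAuthUserDetails userDetails = authToken.getUserDetails(str);
            if (userDetails == null) {
                throw new UsernameNotFoundException("Unknown user: " + str);
            }
            if (authToken.loadOrganization(str) != null) {
                throw new UsernameNotFoundException("user(" + str + ") is also an organization");
            }
            return userDetails;
        } catch (Error e) {
            throw new DataRetrievalFailureException("loadUserByUsername (username=" + str + ")", e);
        }
    }

    /** Two realms are equal when all five configured settings are equal. */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (!(obj instanceof GithubSecurityRealm)) {
            return false;
        }
        GithubSecurityRealm other = (GithubSecurityRealm) obj;
        return eq(getGithubWebUri(), other.getGithubWebUri())
                && eq(getGithubApiUri(), other.getGithubApiUri())
                && eq(getClientID(), other.getClientID())
                && eq(getClientSecret(), other.getClientSecret())
                && eq(getOauthScopes(), other.getOauthScopes());
    }

    /** Consistent with {@link #equals(Object)}: derived from the same five settings. */
    @Override
    public int hashCode() {
        return Arrays.hashCode(new Object[] {this.githubWebUri, this.githubApiUri, this.clientID, this.clientSecret, this.oauthScopes});
    }

    /** Null-safe equality; settings may be unset on a realm read from an incomplete configuration. */
    private static boolean eq(Object a, Object b) {
        return a == null ? b == null : a.equals(b);
    }

    /**
     * Resolves a group name to a GitHub organization, or to a team when the name has the form
     * {@code organization*team}.
     *
     * @throws UsernameNotFoundException if there is no GitHub authentication to query with, or
     *         the organization or team is unknown
     * @throws DataRetrievalFailureException if the lookup itself fails
     */
    @Override
    public GroupDetails loadGroupByGroupname(String str) throws UsernameNotFoundException, DataAccessException {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (!(current instanceof GithubAuthenticationToken)) {
            // Covers both "no authentication" and an authentication of another type.
            throw new UsernameNotFoundException("No known group: " + str);
        }
        GithubAuthenticationToken authToken = (GithubAuthenticationToken) current;
        try {
            int separator = str.indexOf("*");
            boolean isTeamName = separator > -1 && str.length() > separator + 1;
            if (!isTeamName) {
                GHOrganization organization = authToken.loadOrganization(str);
                if (organization == null) {
                    throw new UsernameNotFoundException("Unknown GitHub organization: " + str);
                }
                return new GithubOAuthGroupDetails(organization);
            }
            String organizationName = str.substring(0, separator);
            String teamName = str.substring(separator + 1);
            LOGGER.config(String.format("Lookup for team %s in organization %s", teamName, organizationName));
            GHTeam team = authToken.loadTeam(organizationName, teamName);
            if (team == null) {
                throw new UsernameNotFoundException("Unknown GitHub team: " + teamName + " in organization " + organizationName);
            }
            return new GithubOAuthGroupDetails(team);
        } catch (Error e) {
            throw new DataRetrievalFailureException("loadGroupByGroupname (groupname=" + str + ")", e);
        }
    }
}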
