package org.jenkinsci.plugins.saml;

import com.google.common.base.Preconditions;
import hudson.Extension;
import hudson.Util;
import hudson.model.Descriptor;
import hudson.model.User;
import hudson.security.SecurityRealm;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.logging.Level;
import java.util.logging.Logger;
import jenkins.model.Jenkins;
import jenkins.security.SecurityListener;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContextHolder;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.Header;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.opensaml.common.xml.SAMLConstants;
import org.pac4j.core.client.RedirectAction;
import org.pac4j.core.context.J2EContext;
import org.pac4j.core.context.J2ERequestContext;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.exception.RequiresHttpAction;
import org.pac4j.saml.client.Saml2Client;
import org.pac4j.saml.profile.Saml2Profile;

/* loaded from: input_file:WEB-INF/lib/saml.jar:org/jenkinsci/plugins/saml/SamlSecurityRealm.class */
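/**
 * Jenkins {@link SecurityRealm} that authenticates users against a SAML 2.0 identity provider
 * through pac4j's {@link Saml2Client}.
 *
 * <p>Login is a two-step web flow: {@link #doCommenceLogin} redirects the browser to the IdP and
 * {@link #doFinishLogin} consumes the SAML response posted back to
 * {@value #CONSUMER_SERVICE_URL_PATH}, builds a {@link SamlUserDetails} from the asserted
 * attributes and installs it in the security context.
 *
 * <p>NOTE(review): this listing was recovered from a compiled class, so the constructor parameter
 * names ({@code str}, {@code str2}, ...) are not the original ones. Stapler binds form fields by
 * constructor parameter name, so the names here must not be taken as the form field names.
 */
public class SamlSecurityRealm extends SecurityRealm {
    /** Path, relative to the Jenkins root URL, that the IdP posts the SAML response back to. */
    public static final String CONSUMER_SERVICE_URL_PATH = "securityRealm/finishLogin";
    private static final Logger LOG = Logger.getLogger(SamlSecurityRealm.class.getName());
    /** Session attribute holding the Referer captured when the login was started. */
    private static final String REFERER_ATTRIBUTE = SamlSecurityRealm.class.getName() + ".referer";
    private static final String DEFAULT_DISPLAY_NAME_ATTRIBUTE_NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name";
    private static final String DEFAULT_GROUPS_ATTRIBUTE_NAME = "http://schemas.xmlsoap.org/claims/Group";
    /** Maximum age of an IdP authentication, in seconds, accepted by default. */
    private static final int DEFAULT_MAXIMUM_AUTHENTICATION_LIFETIME = 86400;
    private static final String DEFAULT_USERNAME_CASE_CONVERSION = "none";
    private static final String CASE_CONVERSION_LOWERCASE = "lowercase";
    private static final String CASE_CONVERSION_UPPERCASE = "uppercase";

    // Fields stay mutable (setters below) because Jenkins persists and reloads this realm as part
    // of its global configuration.
    private String idpMetadata;
    private String displayNameAttributeName;
    private String groupsAttributeName;
    private int maximumAuthenticationLifetime;
    private String usernameCaseConversion;
    private String usernameAttributeName;
    private SamlEncryptionData encryptionData;

    /** Descriptor that registers this realm under the "SAML 2.0" label in the security configuration. */
    @Extension
    public static final class DescriptorImpl extends Descriptor<SecurityRealm> {
        public DescriptorImpl() {
        }

        public DescriptorImpl(Class<? extends SecurityRealm> cls) {
            super(cls);
        }

        @Override
        public String getDisplayName() {
            return "SAML 2.0";
        }
    }

    /**
     * Creates the realm from the values bound by the configuration form.
     *
     * @param str unused here; kept so the Stapler-bound signature stays compatible
     * @param str2 IdP metadata XML; trimmed, empty becomes {@code null}
     * @param str3 name of the attribute carrying the display name, or blank for the default
     * @param str4 name of the attribute carrying group memberships, or blank for the default
     * @param num maximum authentication lifetime in seconds; {@code null} or non-positive selects the default
     * @param str5 name of the attribute carrying the username, or blank to use the SAML NameID
     * @param samlEncryptionData keystore settings for signing/decryption, may be {@code null}
     * @param str6 username case conversion, one of {@code none}, {@code lowercase}, {@code uppercase}; blank selects {@code none}
     */
    @DataBoundConstructor
    public SamlSecurityRealm(String str, String str2, String str3, String str4, Integer num, String str5, SamlEncryptionData samlEncryptionData, String str6) {
        this.idpMetadata = Util.fixEmptyAndTrim(str2);
        this.displayNameAttributeName = defaultIfBlank(str3, DEFAULT_DISPLAY_NAME_ATTRIBUTE_NAME);
        this.groupsAttributeName = defaultIfBlank(str4, DEFAULT_GROUPS_ATTRIBUTE_NAME);
        this.maximumAuthenticationLifetime = (num != null && num.intValue() > 0)
                ? num.intValue()
                : DEFAULT_MAXIMUM_AUTHENTICATION_LIFETIME;
        this.usernameAttributeName = Util.fixEmptyAndTrim(str5);
        this.encryptionData = samlEncryptionData;
        // A whitespace-only value used to leave this field null; it now falls back to "none".
        this.usernameCaseConversion = defaultIfBlank(str6, DEFAULT_USERNAME_CASE_CONVERSION);
    }

    /** Backward-compatible constructor that applies no username case conversion. */
    public SamlSecurityRealm(String str, String str2, String str3, String str4, Integer num, String str5, SamlEncryptionData samlEncryptionData) {
        this(str, str2, str3, str4, num, str5, samlEncryptionData, DEFAULT_USERNAME_CASE_CONVERSION);
    }

    /**
     * Returns the trimmed value, or the fallback when the value is {@code null} or blank.
     *
     * @param value the raw form value
     * @param fallback the default to use when {@code value} is blank
     * @return a non-null string
     */
    private static String defaultIfBlank(String value, String fallback) {
        String trimmed = Util.fixEmptyAndTrim(value);
        return trimmed != null ? trimmed : fallback;
    }

    /** Accounts are created by the IdP, never through Jenkins' sign-up page. */
    @Override
    public boolean allowsSignup() {
        return false;
    }

    /**
     * Builds the security components: an {@link AuthenticationManager} that only accepts tokens this
     * realm minted itself, plus the {@link SamlUserDetailsService} used for user lookups.
     *
     * @return the security components for this realm
     */
    @Override
    public SecurityRealm.SecurityComponents createSecurityComponents() {
        AuthenticationManager manager = new AuthenticationManager() {
            public Authentication authenticate(Authentication authentication) throws AuthenticationException {
                // Only a SamlAuthenticationToken produced by doFinishLogin is trusted; anything
                // else (e.g. a username/password attempt) is rejected outright.
                if (authentication instanceof SamlAuthenticationToken) {
                    return authentication;
                }
                throw new BadCredentialsException("Unexpected authentication type: " + authentication);
            }
        };
        return new SecurityRealm.SecurityComponents(manager, new SamlUserDetailsService());
    }

    @Override
    public String getLoginUrl() {
        return "securityRealm/commenceLogin";
    }

    /**
     * Starts the login flow by redirecting the browser to the IdP (or serving an auto-submitting form).
     * The Referer is remembered in the session so {@link #doFinishLogin} can return the user to where
     * they started, subject to the same-site check applied there.
     *
     * @param staplerRequest the current request
     * @param str the Referer header, may be {@code null}
     * @return a redirect or HTML response that takes the browser to the IdP
     * @throws IllegalStateException if the client returns an unexpected action type or requires an HTTP action
     */
    public HttpResponse doCommenceLogin(StaplerRequest staplerRequest, @Header("Referer") String str) {
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine("SamlSecurityRealm.doCommenceLogin called. Using consumerServiceUrl " + getConsumerServiceUrl());
        }
        staplerRequest.getSession().setAttribute(REFERER_ATTRIBUTE, str);
        try {
            RedirectAction action = newClient().getRedirectAction(new J2ERequestContext(staplerRequest), true, false);
            switch (action.getType()) {
                case REDIRECT:
                    return HttpResponses.redirectTo(action.getLocation());
                case SUCCESS:
                    return HttpResponses.html(action.getContent());
                default:
                    throw new IllegalStateException("Received unexpected response type " + action.getType());
            }
        } catch (RequiresHttpAction e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Consumes the SAML response posted by the IdP, authenticates the user in Jenkins and redirects
     * back to the page the login started from (if it is on this Jenkins instance) or to the root URL.
     *
     * @param staplerRequest the request carrying the SAML response
     * @param staplerResponse the response
     * @return a redirect to the post-login page
     * @throws IllegalStateException if the response cannot be validated, yields no profile, or yields no username
     */
    public HttpResponse doFinishLogin(StaplerRequest staplerRequest, StaplerResponse staplerResponse) {
        LOG.finer("SamlSecurityRealm.doFinishLogin called");
        Saml2Client client = newClient();
        J2EContext context = new J2EContext(staplerRequest, staplerResponse);
        Saml2Profile profile;
        try {
            profile = client.getUserProfile(client.getCredentials(context), context);
        } catch (RequiresHttpAction e) {
            throw new IllegalStateException(e);
        }
        if (profile == null) {
            throw new IllegalStateException("SAML response did not yield a user profile");
        }
        if (LOG.isLoggable(Level.FINER)) {
            // The profile carries every asserted attribute; keep this at FINER only.
            LOG.finer(profile.toString());
        }

        String username = applyCaseConversion(getUsernameFromProfile(profile));
        if (username == null || username.isEmpty()) {
            throw new IllegalStateException("SAML profile carries neither a usable username attribute nor a NameID");
        }
        SamlUserDetails userDetails = new SamlUserDetails(username, buildAuthorities(profile));
        SecurityContextHolder.getContext().setAuthentication(new SamlAuthenticationToken(userDetails));
        SecurityListener.fireAuthenticated(userDetails);

        updateFullName(firstStringValue(profile.getAttribute(this.displayNameAttributeName)));
        return HttpResponses.redirectTo(postLoginRedirectUrl(staplerRequest));
    }

    /**
     * Builds the granted authorities: the authenticated marker plus one {@link SamlGroupAuthority}
     * per string value of the configured groups attribute. Non-string values are logged and skipped.
     *
     * @param profile the authenticated profile
     * @return the authorities, never empty
     */
    private GrantedAuthority[] buildAuthorities(Saml2Profile profile) {
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        authorities.add(AUTHENTICATED_AUTHORITY);
        Object groups = profile.getAttribute(this.groupsAttributeName);
        if (groups instanceof List) {
            for (Object group : (List<?>) groups) {
                if (group instanceof String) {
                    authorities.add(new SamlGroupAuthority((String) group));
                } else {
                    LOG.log(Level.WARNING, "Ignoring non-string group value {0} in attribute {1}",
                            new Object[]{group, this.groupsAttributeName});
                }
            }
        } else if (groups != null) {
            LOG.log(Level.WARNING, "Groups attribute {0} is not multi-valued ({1}); no groups granted",
                    new Object[]{this.groupsAttributeName, groups.getClass().getName()});
        }
        return authorities.toArray(new GrantedAuthority[authorities.size()]);
    }

    /**
     * Applies the configured username case conversion. Uses {@link Locale#ROOT} so the resulting
     * account name does not depend on the server's default locale.
     *
     * @param username the username from the profile, may be {@code null}
     * @return the converted username, or the input unchanged when no conversion applies
     */
    private String applyCaseConversion(String username) {
        if (username == null || this.usernameCaseConversion == null) {
            return username;
        }
        if (CASE_CONVERSION_LOWERCASE.equals(this.usernameCaseConversion)) {
            return username.toLowerCase(Locale.ROOT);
        }
        if (CASE_CONVERSION_UPPERCASE.equals(this.usernameCaseConversion)) {
            return username.toUpperCase(Locale.ROOT);
        }
        return username;
    }

    /**
     * Stores the asserted display name on the current user if it differs from the stored one.
     * Must be called after the security context has been populated.
     *
     * @param displayName the display name from the profile, may be {@code null} or empty
     */
    private static void updateFullName(String displayName) {
        if (displayName == null || displayName.isEmpty()) {
            return;
        }
        User current = User.current();
        if (current == null) {
            LOG.fine("No current user; display name not updated");
            return;
        }
        if (displayName.equals(current.getFullName())) {
            return;
        }
        current.setFullName(displayName);
        try {
            current.save();
        } catch (IOException e) {
            // Best effort: a failed save must not abort an otherwise successful login.
            LOG.log(Level.WARNING, "Unable to save updated user data", e);
        }
    }

    /**
     * Chooses where to send the browser after login: the Referer captured at
     * {@link #doCommenceLogin} when it points into this Jenkins instance, else the root URL.
     * The stored attribute is cleared either way so it cannot influence a later login.
     *
     * @param staplerRequest the current request
     * @return an absolute URL on this Jenkins instance
     */
    private String postLoginRedirectUrl(StaplerRequest staplerRequest) {
        String base = baseUrl();
        Object referer = staplerRequest.getSession().getAttribute(REFERER_ATTRIBUTE);
        staplerRequest.getSession().removeAttribute(REFERER_ATTRIBUTE);
        // The Referer is browser-supplied; only follow it back to a page on this instance.
        // Jenkins' root URL ends with '/', so a prefix test is sufficient — TODO confirm for this core version.
        if (referer instanceof String && ((String) referer).startsWith(base)) {
            return (String) referer;
        }
        if (referer != null) {
            LOG.log(Level.FINE, "Ignoring off-site Referer {0}; redirecting to {1}", new Object[]{referer, base});
        }
        return base;
    }

    /**
     * Extracts the first string value from an attribute as returned by {@link Saml2Profile#getAttribute}.
     *
     * @param attributeValue a {@link String}, a {@link List} whose first element is a string, or anything else
     * @return the string value, or {@code null} if none can be extracted
     */
    private static String firstStringValue(Object attributeValue) {
        if (attributeValue instanceof String) {
            return (String) attributeValue;
        }
        if (attributeValue instanceof List) {
            List<?> values = (List<?>) attributeValue;
            if (!values.isEmpty() && values.get(0) instanceof String) {
                return (String) values.get(0);
            }
        }
        return null;
    }

    /**
     * Resolves the Jenkins username: the configured username attribute when set and present in the
     * assertion, otherwise the SAML NameID.
     *
     * @param saml2Profile the authenticated profile
     * @return the username, or the profile id (possibly {@code null}) when no attribute applies
     */
    private String getUsernameFromProfile(Saml2Profile saml2Profile) {
        if (this.usernameAttributeName != null) {
            Object attribute = saml2Profile.getAttribute(this.usernameAttributeName);
            String username = firstStringValue(attribute);
            if (username != null) {
                return username;
            }
            // NOTE(review): this dumps the whole profile (all asserted attributes) at SEVERE;
            // consider logging only the attribute name and NameID if the logs are widely readable.
            LOG.log(Level.SEVERE, "Unable to get username from attribute {0} value {1}, Saml Profile {2}", new Object[]{this.usernameAttributeName, attribute, saml2Profile});
            LOG.log(Level.SEVERE, "Falling back to NameId {0}", saml2Profile.getId());
        }
        return saml2Profile.getId();
    }

    /**
     * Serves this service provider's SAML metadata as plain text (intended for registering the SP at the IdP).
     *
     * @param staplerRequest the current request
     * @param staplerResponse the response
     * @return the SP metadata XML
     */
    public HttpResponse doMetadata(StaplerRequest staplerRequest, StaplerResponse staplerResponse) {
        return HttpResponses.plainText(newClient().printClientMetadata());
    }

    /**
     * Creates a configured {@link Saml2Client} for the current settings.
     *
     * @return a new client
     * @throws NullPointerException if no IdP metadata is configured
     * @throws IllegalStateException if the Jenkins root URL is not configured
     */
    private Saml2Client newClient() {
        Preconditions.checkNotNull(this.idpMetadata, "IdP metadata is not configured");
        Saml2Client client = new Saml2Client();
        client.setIdpMetadata(this.idpMetadata);
        client.setCallbackUrl(getConsumerServiceUrl());
        client.setDestinationBindingType(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
        client.setMaximumAuthenticationLifetime(Integer.valueOf(this.maximumAuthenticationLifetime));
        if (this.encryptionData != null) {
            client.setKeystorePath(this.encryptionData.getKeystorePath());
            client.setKeystorePassword(this.encryptionData.getKeystorePassword());
            client.setPrivateKeyPassword(this.encryptionData.getPrivateKeyPassword());
        }
        if (LOG.isLoggable(Level.FINE)) {
            // Rendering the metadata is not free; only do it when FINE is actually enabled.
            LOG.fine(client.printClientMetadata());
        }
        return client;
    }

    /**
     * @return the configured Jenkins root URL (ends with '/')
     * @throws IllegalStateException if no root URL is configured, since the consumer service URL
     *         and post-login redirect cannot be built without it
     */
    private String baseUrl() {
        String rootUrl = Jenkins.getInstance().getRootUrl();
        if (rootUrl == null) {
            throw new IllegalStateException("Jenkins root URL is not configured; it is required for SAML login");
        }
        return rootUrl;
    }

    /** @return the absolute URL the IdP must post the SAML response to */
    private String getConsumerServiceUrl() {
        return baseUrl() + CONSUMER_SERVICE_URL_PATH;
    }

    public String getIdpMetadata() {
        return this.idpMetadata;
    }

    public void setIdpMetadata(String str) {
        this.idpMetadata = str;
    }

    public String getUsernameAttributeName() {
        return this.usernameAttributeName;
    }

    public void setUsernameAttributeName(String str) {
        this.usernameAttributeName = str;
    }

    /** @return this service provider's metadata XML (requires IdP metadata and a root URL to be configured) */
    public String getSpMetadata() {
        return newClient().printClientMetadata();
    }

    public String getDisplayNameAttributeName() {
        return this.displayNameAttributeName;
    }

    public String getGroupsAttributeName() {
        return this.groupsAttributeName;
    }

    public Integer getMaximumAuthenticationLifetime() {
        return Integer.valueOf(this.maximumAuthenticationLifetime);
    }

    public SamlEncryptionData getEncryptionData() {
        return this.encryptionData;
    }

    public String getKeystorePath() {
        return this.encryptionData != null ? this.encryptionData.getKeystorePath() : null;
    }

    /**
     * @return the keystore password in the clear, or {@code null} if no encryption data is set.
     *         NOTE(review): presumably read by the configuration view; the value is returned unmasked.
     */
    public String getKeystorePassword() {
        return this.encryptionData != null ? this.encryptionData.getKeystorePassword() : null;
    }

    /**
     * @return the private key password in the clear, or {@code null} if no encryption data is set.
     *         NOTE(review): presumably read by the configuration view; the value is returned unmasked.
     */
    public String getPrivateKeyPassword() {
        return this.encryptionData != null ? this.encryptionData.getPrivateKeyPassword() : null;
    }

    public String getUsernameCaseConversion() {
        return this.usernameCaseConversion;
    }

    public void setUsernameCaseConversion(String str) {
        this.usernameCaseConversion = str;
    }
}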
