package org.jenkinsci.plugins.kubernetes.credentials;

import com.cloudbees.plugins.credentials.CredentialsScope;
import com.cloudbees.plugins.credentials.CredentialsStore;
import com.cloudbees.plugins.credentials.impl.BaseStandardCredentials;
import com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl;
import hudson.Extension;
import hudson.util.Secret;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.HostnameVerifier;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.binary.Base64InputStream;
import org.apache.http.HttpHeaders;
import org.apache.http.HttpRequest;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.ProtocolException;
import org.apache.http.client.RedirectStrategy;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.client.utils.URLEncodedUtils;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.protocol.HttpContext;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.TrustStrategy;
import org.kohsuke.stapler.DataBoundConstructor;

/* loaded from: input_file:WEB-INF/lib/kubernetes-credentials.jar:org/jenkinsci/plugins/kubernetes/credentials/OpenShiftBearerTokenCredentialImpl.class */
public class OpenShiftBearerTokenCredentialImpl extends UsernamePasswordCredentialsImpl implements TokenProducer {
    private static final long serialVersionUID = 6031616605797622926L;
    private transient AtomicReference<Token> token;
    private static TrustStrategy ALWAYS = new TrustStrategy() { // from class: org.jenkinsci.plugins.kubernetes.credentials.OpenShiftBearerTokenCredentialImpl.1
        @Override // org.apache.http.ssl.TrustStrategy
        public boolean isTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
            return true;
        }
    };
    private static RedirectStrategy NO_REDIRECT = new RedirectStrategy() { // from class: org.jenkinsci.plugins.kubernetes.credentials.OpenShiftBearerTokenCredentialImpl.2
        @Override // org.apache.http.client.RedirectStrategy
        public boolean isRedirected(HttpRequest httpRequest, HttpResponse httpResponse, HttpContext httpContext) throws ProtocolException {
            return false;
        }

        @Override // org.apache.http.client.RedirectStrategy
        public HttpUriRequest getRedirect(HttpRequest httpRequest, HttpResponse httpResponse, HttpContext httpContext) throws ProtocolException {
            return null;
        }
    };

    @Extension
    /* loaded from: input_file:WEB-INF/lib/kubernetes-credentials.jar:org/jenkinsci/plugins/kubernetes/credentials/OpenShiftBearerTokenCredentialImpl$DescriptorImpl.class */
    public static class DescriptorImpl extends BaseStandardCredentials.BaseStandardCredentialsDescriptor {
        public String getDisplayName() {
            return "OpenShift Username and Password";
        }

        public /* bridge */ /* synthetic */ String getCheckIdUrl(CredentialsStore credentialsStore) throws UnsupportedEncodingException {
            return super.getCheckIdUrl(credentialsStore);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/kubernetes-credentials.jar:org/jenkinsci/plugins/kubernetes/credentials/OpenShiftBearerTokenCredentialImpl$Token.class */
    public static class Token {
        String value;
        long expire;

        private Token() {
        }
    }

    @DataBoundConstructor
    public OpenShiftBearerTokenCredentialImpl(CredentialsScope credentialsScope, String str, String str2, String str3, String str4) {
        super(credentialsScope, str, str2, str3, str4);
        this.token = new AtomicReference<>();
    }

    private Object readResolve() {
        this.token = new AtomicReference<>();
        return this;
    }

    @Override // org.jenkinsci.plugins.kubernetes.credentials.TokenProducer
    public String getToken(String str, String str2, boolean z) throws IOException {
        Token token = this.token.get();
        if (token == null || System.currentTimeMillis() > token.expire) {
            token = refreshToken(str, str2, z);
        }
        return token.value;
    }

    private synchronized Token refreshToken(String str, String str2, boolean z) throws IOException {
        try {
            URI uri = new URI(str);
            HttpClientBuilder redirectStrategy = HttpClients.custom().setRedirectStrategy(NO_REDIRECT);
            if (z || str2 != null) {
                SSLContextBuilder sSLContextBuilder = new SSLContextBuilder();
                HostnameVerifier defaultHostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
                try {
                    if (z) {
                        sSLContextBuilder.loadTrustMaterial((KeyStore) null, ALWAYS);
                        defaultHostnameVerifier = NoopHostnameVerifier.INSTANCE;
                    } else if (str2 != null) {
                        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
                        keyStore.load(null);
                        keyStore.setCertificateEntry(uri.getHost(), (X509Certificate) CertificateFactory.getInstance("X509").generateCertificate(new Base64InputStream(new ByteArrayInputStream(str2.getBytes(StandardCharsets.UTF_8)))));
                        sSLContextBuilder.loadTrustMaterial(keyStore, (TrustStrategy) null);
                    }
                    redirectStrategy.setSSLSocketFactory(new SSLConnectionSocketFactory(sSLContextBuilder.build(), defaultHostnameVerifier));
                } catch (IOException e) {
                    e.printStackTrace();
                } catch (KeyManagementException e2) {
                    e2.printStackTrace();
                } catch (KeyStoreException e3) {
                    e3.printStackTrace();
                } catch (NoSuchAlgorithmException e4) {
                    e4.printStackTrace();
                } catch (CertificateException e5) {
                    e5.printStackTrace();
                }
            }
            HttpGet httpGet = new HttpGet(str + "/oauth/authorize?client_id=openshift-challenging-client&response_type=token");
            httpGet.setHeader("Authorization", "Basic " + Base64.encodeBase64String((getUsername() + ':' + Secret.toString(getPassword())).getBytes(StandardCharsets.UTF_8)));
            CloseableHttpResponse execute = redirectStrategy.build().execute((HttpUriRequest) httpGet);
            if (execute.getStatusLine().getStatusCode() != 302) {
                throw new IOException("Failed to get an OAuth access token " + execute.getStatusLine().getStatusCode());
            }
            String value = execute.getFirstHeader(HttpHeaders.LOCATION).getValue();
            List<NameValuePair> parse = URLEncodedUtils.parse(value.substring(value.indexOf(35) + 1), StandardCharsets.UTF_8);
            Token token = new Token();
            for (NameValuePair nameValuePair : parse) {
                if (nameValuePair.getName().equals("access_token")) {
                    token.value = nameValuePair.getValue();
                } else if (nameValuePair.getName().equals("expires_in")) {
                    token.expire = (System.currentTimeMillis() + (Long.parseLong(nameValuePair.getValue()) * 1000)) - 100;
                }
            }
            return token;
        } catch (URISyntaxException e6) {
            throw new IOException("Invalid server URL " + str, e6);
        }
    }
}
