package org.openshift.jenkins.plugins.openshiftlogin;

import com.fasterxml.jackson.core.util.MinimalPrettyPrinter;
import com.google.api.client.auth.oauth2.BearerToken;
import com.google.api.client.auth.oauth2.Credential;
import com.google.api.client.http.HttpResponseException;
import com.google.api.client.http.HttpStatusCodes;
import hudson.EnvVars;
import hudson.security.SecurityRealm;
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.logging.Level;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import jenkins.model.Jenkins;
import jenkins.security.SecurityListener;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;

/* loaded from: input_file:WEB-INF/lib/openshift-login.jar:org/openshift/jenkins/plugins/openshiftlogin/OpenShiftPermissionFilter.class */
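/**
 * Servlet filter that keeps Jenkins authorization in step with OpenShift.
 *
 * <p>Two request shapes are handled:
 * <ul>
 *   <li>requests that already carry an HTTP session holding an {@link OAuthSession} credential:
 *       the credential is periodically handed back to
 *       {@code OpenShiftOAuth2SecurityRealm.updateAuthorizationStrategy};</li>
 *   <li>session-less requests with an {@code Authorization: Bearer ...} header: the token is
 *       passed to the same realm method, and the returned authentication is cached and replayed
 *       into the security context until the next poll is due.</li>
 * </ul>
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 *   <li>The poll interval is multiplied by 1000 before being compared with millisecond
 *       timestamps, so it is treated as seconds. With the default of 300000 a cached decision is
 *       reused for roughly 3.5 days. NOTE(review): the default looks like a 5-minute value in
 *       milliseconds; confirm the intended unit, because it bounds how long a permission change
 *       or token revocation in OpenShift goes unnoticed here.</li>
 *   <li>Raw bearer tokens are the cache keys, so up to {@value #MAX_BEARER_CACHE_ENTRIES} live
 *       tokens sit in heap memory (and in any heap dump).</li>
 *   <li>NOTE(review): {@code bearerCache} is a plain {@link LinkedHashMap} read and written from
 *       {@code doFilter} without synchronization, while a servlet container may call one filter
 *       instance from several request threads at once; confirm and guard if so.</li>
 * </ul>
 */
public class OpenShiftPermissionFilter implements Filter {
    // Suffix appended to OAuthSession.SESSION_NAME to form the session attribute that stores
    // the time of the last authorization refresh.
    private static final String LAST_SELF_SAR_POLL_TIME = "self-sar-time";
    // Default poll interval; see the class comment for the unit question.
    private static final long SELF_SAR_POLL_INTERVAL = 300000;
    // Environment variable that overrides the poll interval.
    private static final String OPENSHIFT_PERMISSIONS_POLL_INTERVAL = "OPENSHIFT_PERMISSIONS_POLL_INTERVAL";
    // Environment variable that disables bearer-token access when set to "false" (any case).
    private static final String OPENSHIFT_ACCESS_VIA_BEARER_TOKEN = "OPENSHIFT_ACCESS_VIA_BEARER_TOKEN";
    private static final int MAX_BEARER_CACHE_ENTRIES = 50;
    private static final String NEED_TO_AUTH = "\nYou need to supply credentials that allow you to be authenticated by OpenShift OAuth as a valid user who is assigned either the view, edit, or admin roles in the OpenShift project running this Jenkins instance. \nIf operating from a browser, provide your user credentials when solicited by the OpenShift login page.  Otherwise, supply as a part of any HTTP requests you generate a HTTP Authorization Bearer header\ncontaining a token that correlates to your user credentials.\n";
    transient boolean initCalled = false;
    // Bounded cache keyed by the raw bearer token. The map keeps insertion order (no access-order
    // flag is passed), so once the bound is exceeded the oldest inserted entry is dropped,
    // regardless of how recently it was used.
    transient LinkedHashMap<String, BearerCacheEntry> bearerCache = new LinkedHashMap<String, BearerCacheEntry>(MAX_BEARER_CACHE_ENTRIES) {
        @Override
        protected boolean removeEldestEntry(Map.Entry<String, BearerCacheEntry> entry) {
            return size() > OpenShiftPermissionFilter.MAX_BEARER_CACHE_ENTRIES;
        }
    };

    /** Cached outcome of the last check made for one bearer token. */
    class BearerCacheEntry {
        // System.currentTimeMillis() at the start of the last check; 0 for a fresh entry.
        long lastCheck;
        // Authentication returned by the realm; null when no check has succeeded.
        UsernamePasswordAuthenticationToken token;

        BearerCacheEntry() {
        }
    }

    /** Records that the container initialised this filter. */
    public void init(FilterConfig filterConfig) throws ServletException {
        this.initCalled = true;
    }

    /**
     * Refreshes or establishes the caller's authorization, then always continues the chain.
     *
     * <p>The decompiled listing left {@code filterChain.doFilter} after an empty {@code finally}
     * block, where it is unreachable (and does not compile) because every path through the
     * {@code try} returns. The call lives in the {@code finally} block here, which is the only
     * placement consistent with those early returns.
     *
     * <p>NOTE(review): the chain is therefore also invoked after {@code sendError} has been
     * called on the response; confirm downstream handlers tolerate a committed response.
     *
     * @param servletRequest  incoming request; cast to {@link HttpServletRequest}
     * @param servletResponse response; cast to {@link HttpServletResponse} when an error is sent
     * @param filterChain     remainder of the filter chain
     * @throws IOException      from {@code sendError} or the chain
     * @throws ServletException from the chain
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        try {
            // A true result forces a refresh below, whatever the elapsed time.
            // NOTE(review): what setOauth(false) reports is not visible in this file.
            boolean setOauthResult = OpenShiftSetOAuth.setOauth(false);
            HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;

            long pollInterval = SELF_SAR_POLL_INTERVAL;
            String configuredInterval = (String) EnvVars.masterEnvVars.get(OPENSHIFT_PERMISSIONS_POLL_INTERVAL);
            if (configuredInterval != null) {
                try {
                    pollInterval = Long.parseLong(configuredInterval);
                } catch (NumberFormatException ignored) {
                    // An unparsable override is ignored on purpose; the default stays in force.
                }
            }

            HttpSession session = httpRequest.getSession(false);
            if (session != null) {
                OAuthSession oauthSession = (OAuthSession) session.getAttribute(OAuthSession.SESSION_NAME);
                if (oauthSession != null && oauthSession.getCredential() != null) {
                    try {
                        String pollTimeKey = OAuthSession.SESSION_NAME + LAST_SELF_SAR_POLL_TIME;
                        Long lastPoll = (Long) session.getAttribute(pollTimeKey);
                        if (lastPoll == null) {
                            lastPoll = Long.valueOf(System.currentTimeMillis());
                            session.setAttribute(pollTimeKey, lastPoll);
                        }
                        if (setOauthResult || System.currentTimeMillis() - lastPoll.longValue() > pollInterval * 1000) {
                            ((OpenShiftOAuth2SecurityRealm) Jenkins.getInstance().getSecurityRealm()).updateAuthorizationStrategy(oauthSession.getCredential());
                            session.setAttribute(pollTimeKey, Long.valueOf(System.currentTimeMillis()));
                        }
                    } catch (Throwable refreshFailure) {
                        // A failed refresh is only logged: the stored poll time is not advanced,
                        // so the next request on this session retries, and the request itself
                        // still proceeds down the chain.
                        OpenShiftOAuth2SecurityRealm.LOGGER.log(Level.SEVERE, "filter", refreshFailure);
                    }
                }
                // Any request that has a session skips the bearer-token path entirely.
                return;
            }

            if (Jenkins.getInstance().getSecurityRealm() instanceof OpenShiftOAuth2SecurityRealm) {
                try {
                    String bearerSwitch = (String) EnvVars.masterEnvVars.get(OPENSHIFT_ACCESS_VIA_BEARER_TOKEN);
                    if (bearerSwitch == null || !bearerSwitch.equalsIgnoreCase("false")) {
                        String header = httpRequest.getHeader("Authorization");
                        if (header != null && header.length() > 0 && header.startsWith("Bearer")) {
                            // The separator constant is a name substituted by the decompiler;
                            // presumably the original split on a single space - confirm.
                            String[] parts = header.split(MinimalPrettyPrinter.DEFAULT_ROOT_VALUE_SEPARATOR);
                            if (parts.length > 1) {
                                String accessToken = parts[1];
                                BearerCacheEntry entry = this.bearerCache.get(accessToken);
                                boolean firstSeen = false;
                                if (entry == null) {
                                    // The entry is inserted before the token has been checked, so
                                    // unvalidated tokens also occupy (and can evict) cache slots.
                                    entry = new BearerCacheEntry();
                                    this.bearerCache.put(accessToken, entry);
                                    entry.lastCheck = 0L;
                                    firstSeen = true;
                                }
                                if (setOauthResult || firstSeen || System.currentTimeMillis() - entry.lastCheck > pollInterval * 1000) {
                                    entry.lastCheck = System.currentTimeMillis();
                                    OpenShiftOAuth2SecurityRealm realm = (OpenShiftOAuth2SecurityRealm) Jenkins.getInstance().getSecurityRealm();
                                    UsernamePasswordAuthenticationToken refreshed = null;
                                    try {
                                        refreshed = realm.updateAuthorizationStrategy(new Credential(BearerToken.authorizationHeaderAccessMethod()).setAccessToken(accessToken));
                                    } finally {
                                        // Fail closed: if the re-check throws, the previously cached
                                        // authentication must not survive. Leaving it in place while
                                        // lastCheck is already advanced would let a token that was
                                        // just rejected be replayed from the cache until the next
                                        // poll is due.
                                        entry.token = refreshed;
                                    }
                                } else if (entry.token != null) {
                                    // Within the poll window the cached authentication is replayed
                                    // without contacting OpenShift.
                                    SecurityContextHolder.getContext().setAuthentication(entry.token);
                                    SecurityListener.fireAuthenticated(new OpenShiftUserDetails(entry.token.getName(), new GrantedAuthority[]{SecurityRealm.AUTHENTICATED_AUTHORITY}));
                                } else {
                                    // The last check for this token produced no authentication.
                                    ((HttpServletResponse) servletResponse).sendError(HttpStatusCodes.STATUS_CODE_UNAUTHORIZED, NEED_TO_AUTH);
                                }
                            }
                        }
                    }
                } catch (HttpResponseException e) {
                    // NOTE(review): the upstream exception message is returned to the caller
                    // verbatim; confirm it cannot carry API-server detail that should stay internal.
                    ((HttpServletResponse) servletResponse).sendError(e.getStatusCode(), e.getMessage() + NEED_TO_AUTH);
                } catch (Throwable bearerFailure) {
                    OpenShiftOAuth2SecurityRealm.LOGGER.log(Level.SEVERE, "filter", bearerFailure);
                }
            }
        } finally {
            filterChain.doFilter(servletRequest, servletResponse);
        }
    }

    /** Nothing to release. */
    public void destroy() {
    }
}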
