package org.openshift.jenkins.plugins.openshiftlogin;

import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.google.api.client.auth.oauth2.AuthorizationCodeFlow;
import com.google.api.client.auth.oauth2.BearerToken;
import com.google.api.client.auth.oauth2.ClientParametersAuthentication;
import com.google.api.client.auth.oauth2.Credential;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpRequest;
import com.google.api.client.http.HttpRequestFactory;
import com.google.api.client.http.HttpResponse;
import com.google.api.client.http.HttpResponseException;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.util.SecurityUtils;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import hudson.EnvVars;
import hudson.Extension;
import hudson.Util;
import hudson.model.Computer;
import hudson.model.Descriptor;
import hudson.model.Hudson;
import hudson.model.Item;
import hudson.model.Run;
import hudson.model.User;
import hudson.model.View;
import hudson.scm.SCM;
import hudson.security.GlobalMatrixAuthorizationStrategy;
import hudson.security.Permission;
import hudson.security.PermissionGroup;
import hudson.security.ProjectMatrixAuthorizationStrategy;
import hudson.security.SecurityRealm;
import hudson.util.FormValidation;
import hudson.util.PluginServletFilter;
import hudson.util.Secret;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileReader;
import java.io.IOException;
import java.io.Serializable;
import java.net.Authenticator;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.SSLHandshakeException;
import javax.servlet.ServletException;
import jenkins.model.Jenkins;
import jenkins.security.SecurityListener;
import org.acegisecurity.Authentication;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.apache.commons.lang.StringUtils;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.Header;
import org.kohsuke.stapler.HttpRedirect;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.Stapler;
import org.kohsuke.stapler.StaplerRequest;

@SuppressFBWarnings
/* loaded from: input_file:WEB-INF/lib/openshift-login.jar:org/openshift/jenkins/plugins/openshiftlogin/OpenShiftOAuth2SecurityRealm.class */
public class OpenShiftOAuth2SecurityRealm extends SecurityRealm implements Serializable {
    private static final String EMPTY_STRING = "";
    // OAuth scopes requested from the OpenShift OAuth server (see newOAuthSession).
    private static final String SCOPE_INFO = "user:info";
    private static final String SCOPE_CHECK_ACCESS = "user:check-access";
    // In-pod service-account mount; populateDefaults() reads the namespace, token and ca.crt files from it.
    static final String DEFAULT_SVC_ACCT_DIR = "/run/secrets/kubernetes.io/serviceaccount";
    // In-cluster API server address used when no server prefix is configured.
    static final String DEFAULT_SVR_PREFIX = "https://kubernetes.default:443";
    static final String NAMESPACE = "namespace";
    private static final String TOKEN = "token";
    private static final String CA_CRT = "ca.crt";
    private static final String FINISH_METHOD = "doFinishLogin";
    private static final String START_METHOD = "doCommenceLogin";
    private static final String DISPLAY_NAME = "Login with OpenShift";
    private static final String LOGIN_URL = "securityRealm/commenceLogin";
    // API paths used against the server prefix: the caller's own user record, subject access
    // reviews, the per-namespace plugin config map and OAuth server discovery.
    private static final String USER_URI = "/apis/user.openshift.io/v1/users/~";
    private static final String SAR_URI = "/apis/authorization.openshift.io/v1/subjectaccessreviews";
    private static final String CONFIG_MAP_URI = "/api/v1/namespaces/%s/configmaps/openshift-jenkins-login-plugin-config";
    private static final String OAUTH_PROVIDER_URI = "/.well-known/oauth-authorization-server";
    // Presence of both env vars is what populateDefaults() treats as "running inside the cluster".
    private static final String K8S_HOST_ENV_VAR = "KUBERNETES_SERVICE_HOST";
    private static final String K8S_PORT_ENV_VAR = "KUBERNETES_SERVICE_PORT";
    private static final String LOGOUT = "logout";
    static final String LOGGING_OUT = "loggingOut";
    private static final String HTTPS_SCHEME = "https";
    private static final String HTTP_SCHEME = "http";
    private static final String SCHEME_SEPARATOR = "://";
    private static final String PORT_SEPARATOR = ":";
    public static final String SECURITY_REALM_FINISH_LOGIN = "/securityRealm/finishLogin";
    // System property names read by initializeHttpsProxyAuthenticator(); the password is a credential
    // and must not be written to the log.
    private static final String HTTPS_PROXY_USER = "https.proxyUser";
    private static final String HTTPS_PROXY_PASSWORD = "https.proxyPassword";
    String redirectUrl;
    // Test hook: when non-null the constructor uses it as the transport and skips populateDefaults().
    static HttpTransport testTransport;
    // Shared by every instance; populateDefaults() replaces it with a transport that trusts the SA ca.crt.
    private static HttpTransport transport;
    // Built without an explicit trust store (so presumably the JVM default one); transportToUse() falls
    // back to it when the SA-CA transport fails the TLS handshake against the OAuth issuer.
    private static HttpTransport jvmDefaultKeystoreTransport;
    // Each configurable value is kept as entered (null when left blank) next to the value derived
    // by populateDefaults(); the getDefaultedXxx() accessors pick the configured one when present.
    private final String serviceAccountDirectory;
    private String defaultedServiceAccountDirectory;
    private final String serviceAccountName;
    private String defaultedServiceAccountName;
    private final String serverPrefix;
    private String defaultedServerPrefix;
    private final String redirectURL;
    private String defaultedRedirectURL;
    private final String clientId;
    private String defaultedClientId;
    private final Secret clientSecret;
    // The pod's service-account token as read from the SA mount; it is used as the bearer token for
    // the plugin's own API calls and doubles as the OAuth client secret when none is configured.
    private String defaultedClientSecret;
    private String namespace;
    // OAuth server discovery document fetched by populateDefaults(); null when discovery failed.
    private OpenShiftProviderInfo provider;
    private OpenShiftPermissionFilter filter;
    static final Logger LOGGER = Logger.getLogger(OpenShiftOAuth2SecurityRealm.class.getName());
    // Permission group titles are localisable; config-map keys are matched against their en_US form.
    private static final Locale DEFAULT_LOCALE_PERMISSION = Locale.US;
    static final HttpTransport HTTP_TRANSPORT = new NetHttpTransport();
    // Not referenced in the part of the class shown here.
    private static final Object USER_UPDATE_LOCK = new Object();
    // Mutable and shared by every instance: getRoleToPermissionMap() clears and refills it from the
    // config map's role names while postSAR() iterates it, so concurrent logins can race on it.
    private static final ArrayList<String> roles = new ArrayList<>(Arrays.asList("admin", "edit", "view"));

    /**
     * Jenkins descriptor for {@link OpenShiftOAuth2SecurityRealm}: supplies the display
     * name and the form-validation callbacks for the configuration page. Every field is
     * optional, so a blank value only yields a warning that the in-pod default will be used.
     */
    @Extension
    public static final class DescriptorImpl extends Descriptor<SecurityRealm> {
        private static final String POD_DEFAULT_WARNING =
                "Unless you specify a value here, the assumption will be that Jenkins is running inside an OpenShift pod, where the value is available.";

        /** Name shown in the "Security Realm" chooser. */
        @Override
        public String getDisplayName() {
            return OpenShiftOAuth2SecurityRealm.DISPLAY_NAME;
        }

        /** Shared validator: blank is allowed but flagged so the admin knows a default will be derived. */
        private FormValidation paramsWithPodDefaults(String value) {
            boolean blank = value == null || value.isEmpty();
            if (blank) {
                return FormValidation.warning(POD_DEFAULT_WARNING);
            }
            return FormValidation.ok();
        }

        public FormValidation doCheckServiceAccountDirectory(@QueryParameter String str) throws IOException, ServletException {
            return paramsWithPodDefaults(str);
        }

        public FormValidation doCheckClientId(@QueryParameter String str) throws IOException, ServletException {
            return paramsWithPodDefaults(str);
        }

        public FormValidation doCheckClientSecret(@QueryParameter String str) throws IOException, ServletException {
            return paramsWithPodDefaults(str);
        }

        public FormValidation doCheckServerPrefix(@QueryParameter String str) throws IOException, ServletException {
            return paramsWithPodDefaults(str);
        }

        public FormValidation doCheckRedirectURL(@QueryParameter String str) throws IOException, ServletException {
            return paramsWithPodDefaults(str);
        }

        public FormValidation doCheckServiceAccountName(@QueryParameter String str) throws IOException, ServletException {
            return paramsWithPodDefaults(str);
        }
    }

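    /**
     * Creates the realm from the values entered on the configuration page. Any argument may be
     * blank; blanks are normalised to {@code null} and the matching "defaulted" value is then
     * derived by {@link #populateDefaults()} from the pod's service-account mount and the API
     * server (skipped when the {@code testTransport} hook is set).
     *
     * @param str  service-account directory; blank means {@link #DEFAULT_SVC_ACCT_DIR}
     * @param str2 service-account name
     * @param str3 API server prefix; blank means {@link #DEFAULT_SVR_PREFIX}
     * @param str4 OAuth client id
     * @param str5 OAuth client secret, kept as a {@link Secret} and never logged in clear
     * @param str6 OAuth redirect URL
     * @throws IOException              if a service-account file exists but cannot be read
     * @throws GeneralSecurityException if the service-account CA cannot be loaded into a trust store
     */
    @DataBoundConstructor
    public OpenShiftOAuth2SecurityRealm(String str, String str2, String str3, String str4, String str5, String str6) throws IOException, GeneralSecurityException {
        HttpTransport httpTransport = HTTP_TRANSPORT;
        if (LOGGER.isLoggable(Level.FINE)) {
            // The client secret is a credential: record only whether it was supplied, never its value.
            LOGGER.fine(String.format("ctor: incoming args sa dir %s sa name %s svr prefix %s client id %s client secret %s redirectURL %s", str, str2, str3, str4, describeSecretForLog(str5), str6));
        }
        this.serviceAccountDirectory = Util.fixEmpty(str);
        this.serviceAccountName = Util.fixEmpty(str2);
        this.serverPrefix = Util.fixEmpty(str3);
        this.clientId = Util.fixEmpty(str4);
        this.clientSecret = Util.fixEmpty(str5) != null ? Secret.fromString(str5) : null;
        this.redirectURL = Util.fixEmpty(str6);
        this.defaultedServerPrefix = DEFAULT_SVR_PREFIX;
        this.defaultedServiceAccountDirectory = DEFAULT_SVC_ACCT_DIR;
        transport = httpTransport;
        jvmDefaultKeystoreTransport = new NetHttpTransport.Builder().build();
        if (testTransport != null) {
            transport = testTransport;
        } else {
            populateDefaults();
        }
        if (LOGGER.isLoggable(Level.FINE)) {
            // defaultedClientSecret is the pod's SA token; redact it the same way.
            LOGGER.fine(String.format("ctor: derived default client id %s client secret %s sa dir %s transport %s", this.defaultedClientId, describeSecretForLog(this.defaultedClientSecret), this.defaultedServiceAccountDirectory, httpTransport));
        }
    }

    /**
     * Describes a secret for a log line without disclosing it.
     *
     * @param secret the secret value, possibly {@code null} or empty
     * @return {@code "null"} when absent, {@code "<redacted>"} otherwise
     */
    private static String describeSecretForLog(String secret) {
        return (secret == null || secret.isEmpty()) ? "null" : "<redacted>";
    }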

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Registers the {@link OpenShiftPermissionFilter} with the servlet container once.
     * Re-entry is cheap: populateDefaults() calls this on every invocation, and the
     * {@code synchronized} keyword plus the filter's {@code initCalled} flag make the
     * repeated calls no-ops after the first successful registration. A failed
     * registration is logged at SEVERE and retried on the next call.
     */
    public synchronized void createFilter() {
        boolean alreadyInstalled = this.filter != null && this.filter.initCalled;
        if (alreadyInstalled) {
            return;
        }
        try {
            // The field is assigned before registration so a failed addFilter() leaves the new instance in place.
            this.filter = new OpenShiftPermissionFilter();
            PluginServletFilter.addFilter(this.filter);
        } catch (ServletException e) {
            LOGGER.log(Level.SEVERE, "createFilter", e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
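    /**
     * Fills in every value the admin left blank from the pod's service-account mount
     * ({@code namespace}, {@code token}, {@code ca.crt} under the SA directory) and from
     * the API server (the SA's own user name and the OAuth provider discovery document),
     * and reports whether enough is known to run a login.
     *
     * Side effects: installs the permission filter, replaces the shared static
     * {@code transport} with one that trusts the SA CA, and calls
     * {@link #transportToUse(Credential)} on clusters reported as 4.x purely for its side
     * effects (proxy authenticator, lazy init of the JVM-default transport) — its return
     * value is not used here.
     *
     * Secrets (the configured client secret and the SA token) are never written to the
     * log; only their presence is reported.
     *
     * @return {@code true} when a namespace and a configured-or-derived SA name, client id,
     *         client secret and redirect URL are all available
     * @throws IOException              when an SA file exists but cannot be read (a missing
     *                                  file is tolerated and simply yields no default)
     * @throws GeneralSecurityException when the SA CA cannot be loaded into a trust store
     */
    public boolean populateDefaults() throws IOException, GeneralSecurityException {
        createFilter();
        boolean inClusterEnv = EnvVars.masterEnvVars.get(K8S_HOST_ENV_VAR) != null && EnvVars.masterEnvVars.get(K8S_PORT_ENV_VAR) != null;
        File saDir = new File(getDefaultedServiceAccountDirectory());
        // Only chatter at INFO when there is evidence we are inside a pod, so other installs are not spammed.
        boolean looksLikePod = inClusterEnv || saDir.exists();

        boolean saFilesOk;
        try {
            this.namespace = readFirstLine(new File(saDir, NAMESPACE));
            boolean namespaceOk = inClusterEnv && this.namespace != null && this.namespace.length() > 0;
            this.defaultedClientSecret = readFirstLine(new File(saDir, TOKEN));
            saFilesOk = namespaceOk && this.defaultedClientSecret != null && this.defaultedClientSecret.length() > 0;
            transport = buildServiceAccountTransport(new File(saDir, CA_CRT));
        } catch (FileNotFoundException e) {
            // Not running in a pod (or a custom SA dir without the files): no defaults from disk.
            saFilesOk = false;
            if (LOGGER.isLoggable(Level.FINE) || looksLikePod) {
                LOGGER.log(Level.FINE, "populateDefaults", (Throwable) e);
            }
        }

        // The SA token authenticates the plugin's own API calls (user lookup, discovery).
        Credential saCredential = new Credential(BearerToken.authorizationHeaderAccessMethod()).setAccessToken(getDefaultedClientSecret().getPlainText());
        boolean ready;
        try {
            // Service-account user names have the form system:serviceaccount:<namespace>:<name>.
            String[] nameParts = getOpenShiftUserInfo(saCredential, transport).getName().split(PORT_SEPARATOR);
            if (nameParts.length == 4) {
                this.defaultedServiceAccountName = nameParts[3];
            }
            ready = saFilesOk && this.defaultedServiceAccountName != null && this.defaultedServiceAccountName.length() > 0;
            this.defaultedClientId = "system:serviceaccount:" + this.namespace + PORT_SEPARATOR + getDefaultedServiceAccountName();
            this.provider = getOpenShiftOAuthProvider(saCredential, transport);
            if (looksLikePod) {
                LOGGER.info(String.format("OpenShift OAuth: provider: %s", this.provider));
            }
            if (this.provider == null) {
                ready = false;
            } else {
                this.defaultedRedirectURL = this.provider.issuer;
                if (useProviderOAuthEndpoint(saCredential)) {
                    transportToUse(saCredential);
                }
            }
        } catch (Throwable th) {
            ready = false;
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "populateDefaults", th);
            } else if (looksLikePod) {
                LOGGER.log(Level.INFO, "populateDefaults", th);
            }
        }

        if (!ready) {
            // Even without in-pod defaults, explicitly configured values can make the realm usable.
            ready = this.namespace != null
                    && (this.serviceAccountName != null || this.defaultedServiceAccountName != null)
                    && (this.clientSecret != null || this.defaultedClientSecret != null)
                    && (this.clientId != null || this.defaultedClientId != null)
                    && (this.redirectURL != null || this.defaultedRedirectURL != null);
        }

        if (looksLikePod) {
            String configuredSecret = Secret.toString(this.clientSecret);
            LOGGER.info(String.format("OpenShift OAuth returning %s with namespace %s SA dir %s default %s SA name %s default %s client ID %s default %s secret %s default %s redirect %s default %s server %s default %s",
                    ready, this.namespace, this.serviceAccountDirectory, this.defaultedServiceAccountDirectory,
                    this.serviceAccountName, this.defaultedServiceAccountName, this.clientId, this.defaultedClientId,
                    (configuredSecret == null || configuredSecret.isEmpty()) ? "null" : "<redacted>",
                    (this.defaultedClientSecret == null || this.defaultedClientSecret.isEmpty()) ? "null" : "<redacted>",
                    this.redirectURL, this.defaultedRedirectURL, this.serverPrefix, this.defaultedServerPrefix));
        }
        return ready;
    }

    /**
     * Reads the first line of a file, closing the reader on every path.
     *
     * @param file the file to read
     * @return the first line, or {@code null} for an empty file
     * @throws FileNotFoundException if the file does not exist
     * @throws IOException           on any other read failure
     */
    private static String readFirstLine(File file) throws IOException {
        try (BufferedReader reader = new BufferedReader(new FileReader(file))) {
            return reader.readLine();
        }
    }

    /**
     * Builds an HTTP transport whose trust store holds the certificates in {@code caFile}
     * (the pod's service-account CA), so API and OAuth calls validate the cluster's TLS chain.
     *
     * @param caFile PEM file with the CA certificate(s)
     * @return a transport trusting exactly those certificates
     * @throws FileNotFoundException    if {@code caFile} does not exist
     * @throws IOException              if the file cannot be read
     * @throws GeneralSecurityException if the certificates cannot be loaded into a key store
     */
    private static HttpTransport buildServiceAccountTransport(File caFile) throws IOException, GeneralSecurityException {
        try (FileInputStream caStream = new FileInputStream(caFile)) {
            KeyStore trustStore = SecurityUtils.getDefaultKeyStore();
            try {
                trustStore.size();
            } catch (KeyStoreException e) {
                // size() throws on an uninitialised KeyStore; an empty load initialises it.
                trustStore.load(null);
            }
            SecurityUtils.loadKeyStoreFromCertificates(trustStore, SecurityUtils.getX509CertificateFactory(), caStream);
            return new NetHttpTransport.Builder().trustCertificates(trustStore).build();
        }
    }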

    /** Returns the admin-configured service-account directory, or {@code null} when left blank. */
    public String getServiceAccountDirectory() {
        return serviceAccountDirectory;
    }

    /** Returns the configured service-account directory, falling back to the derived default. */
    public String getDefaultedServiceAccountDirectory() {
        String configured = getServiceAccountDirectory();
        if (configured != null) {
            return configured;
        }
        return defaultedServiceAccountDirectory;
    }

    /** Returns the admin-configured service-account name, or {@code null} when left blank. */
    public String getServiceAccountName() {
        return serviceAccountName;
    }

    /** Returns the configured service-account name, falling back to the one derived from the SA token's user record. */
    public String getDefaultedServiceAccountName() {
        String configured = getServiceAccountName();
        if (configured != null) {
            return configured;
        }
        return defaultedServiceAccountName;
    }

    /** Returns the admin-configured API server prefix, or {@code null} when left blank. */
    public String getServerPrefix() {
        return serverPrefix;
    }

    /** Returns the configured API server prefix, falling back to the in-cluster default. */
    public String getDefaultedServerPrefix() {
        String configured = getServerPrefix();
        if (configured != null) {
            return configured;
        }
        return defaultedServerPrefix;
    }

    /** Returns the admin-configured OAuth redirect URL, or {@code null} when left blank. */
    public String getRedirectURL() {
        return redirectURL;
    }

    /** Returns the configured redirect URL, falling back to the issuer advertised by OAuth discovery. */
    public String getDefaultedRedirectURL() {
        String configured = getRedirectURL();
        if (configured != null) {
            return configured;
        }
        return defaultedRedirectURL;
    }

    /** Returns the admin-configured OAuth client id, or {@code null} when left blank. */
    public String getClientId() {
        return clientId;
    }

    /** Returns the configured client id, falling back to the {@code system:serviceaccount:<ns>:<name>} form derived for the pod's SA. */
    public String getDefaultedClientId() {
        String configured = getClientId();
        if (configured != null) {
            return configured;
        }
        return defaultedClientId;
    }

    /** Returns the admin-configured OAuth client secret, or {@code null} when left blank. */
    public Secret getClientSecret() {
        return clientSecret;
    }

    /**
     * Returns the configured client secret, falling back to the pod's service-account token
     * wrapped as a {@link Secret}. When neither exists the fallback wraps {@code null};
     * NOTE(review): this relies on {@code Secret.fromString} tolerating a null argument — confirm.
     */
    public Secret getDefaultedClientSecret() {
        Secret configured = getClientSecret();
        if (configured != null) {
            return configured;
        }
        return Secret.fromString(defaultedClientSecret);
    }

    /** Returns the namespace read from the service-account mount, or {@code null} if it was never read. */
    public String getDefaultedNamespace() {
        return namespace;
    }

    /** Relative URL Jenkins sends browsers to in order to start the OpenShift login flow. */
    public String getLoginUrl() {
        String loginUrl = LOGIN_URL;
        return loginUrl;
    }

    /**
     * Fetches the OAuth server discovery document from the API server prefix.
     *
     * @param credential    bearer credential used for the request (the SA token in practice)
     * @param httpTransport transport to send the request through
     * @return the parsed discovery document
     * @throws IOException on transport failure, a non-2xx status, or a parse failure
     */
    private OpenShiftProviderInfo getOpenShiftOAuthProvider(Credential credential, HttpTransport httpTransport) throws IOException {
        HttpRequestFactory requestFactory = httpTransport.createRequestFactory(new CredentialHttpRequestInitializer(credential));
        GenericUrl discoveryUrl = new GenericUrl(getDefaultedServerPrefix() + OAUTH_PROVIDER_URI);
        HttpResponse response = requestFactory.buildGetRequest(discoveryUrl).execute();
        return response.parseAs(OpenShiftProviderInfo.class);
    }

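    /**
     * Chooses the transport for talking to the OAuth issuer's token endpoint.
     *
     * The SA-CA transport is tried first. If it fails the TLS handshake (the issuer is
     * presumably served with a certificate not signed by the cluster CA), the method
     * switches to {@code jvmDefaultKeystoreTransport}, which validates against the JVM's
     * default trust store instead — a deliberate widening of trust for that endpoint only.
     * Any other failure is logged and the SA-CA transport is kept.
     *
     * Fix: a successful probe through the JVM-default transport previously fell through
     * and returned the SA-CA transport that had just failed the handshake; every path
     * after an SSL failure now returns the JVM-default transport.
     *
     * @param credential bearer credential for the HEAD probes
     * @return the transport to use for the token endpoint; {@code transport} when no provider is known
     */
    private HttpTransport transportToUse(Credential credential) {
        initializeHttpsProxyAuthenticator();
        if (this.provider == null) {
            return transport;
        }
        String tokenEndpoint = this.provider.token_endpoint;
        try {
            probeTokenEndpoint(transport, credential, tokenEndpoint);
        } catch (HttpResponseException e) {
            // Any HTTP status means the handshake succeeded; only a 404 is surprising enough to log.
            if (e.getStatusCode() == 404) {
                LOGGER.log(Level.INFO, "OpenShift OAuth got an unexpected 404 trying out the issuer's token endpoint", (Throwable) e);
            }
        } catch (SSLHandshakeException e2) {
            LOGGER.info("OpenShift OAuth got an SSL error when accessing the issuer's token endpoint when using the SA certificate");
            if (jvmDefaultKeystoreTransport == null) {
                LOGGER.log(Level.INFO, "jvmDefaultKeystoreTransport was not initialized: Forcing initalization");
                jvmDefaultKeystoreTransport = new NetHttpTransport.Builder().build();
            }
            try {
                probeTokenEndpoint(jvmDefaultKeystoreTransport, credential, tokenEndpoint);
                LOGGER.info("OpenShift OAuth was able to complete the SSL handshake when accessing the issuer's token endpoint using the JVMs default keystore");
            } catch (HttpResponseException e3) {
                LOGGER.info("OpenShift OAuth was able to complete the SSL handshake when accessing the issuer's token endpoint using the JVMs default keystore");
            } catch (Throwable th) {
                LOGGER.log(Level.INFO, "OpenShift OAuth provider token endpoint failed unexpectedly using the JVMs default keystore", th);
            }
            return jvmDefaultKeystoreTransport;
        } catch (Throwable th2) {
            LOGGER.log(Level.INFO, "OpenShift OAuth provider token endpoint failed unexpectedly using this pod's SA's certificate", th2);
        }
        return transport;
    }

    /**
     * Issues a HEAD request to {@code endpoint} through {@code httpTransport}; the response is
     * discarded, any failure (including a non-2xx status) surfaces as an exception.
     *
     * @throws IOException              transport, TLS or HTTP-status failure
     * @throws IllegalArgumentException if {@code endpoint} is not a valid URL
     */
    private static void probeTokenEndpoint(HttpTransport httpTransport, Credential credential, String endpoint) throws IOException {
        httpTransport.createRequestFactory(new CredentialHttpRequestInitializer(credential)).buildHeadRequest(new GenericUrl(endpoint)).execute().getStatusCode();
    }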

    /**
     * Installs a JVM-wide {@link Authenticator} for proxy authentication when both
     * {@code https.proxyUser} and {@code https.proxyPassword} system properties are set.
     * Nothing is installed when either is missing. The password value is never logged.
     */
    private void initializeHttpsProxyAuthenticator() {
        LOGGER.log(Level.INFO, "Checking if HTTPS proxy initialization is required ... ");
        String proxyUser = System.getProperty(HTTPS_PROXY_USER);
        String proxyPassword = System.getProperty(HTTPS_PROXY_PASSWORD);
        boolean proxyCredentialsPresent = proxyUser != null && proxyPassword != null;
        if (proxyCredentialsPresent) {
            LOGGER.log(Level.FINE, "https.proxyUser or https.proxyPassword found in system properties...");
            LOGGER.log(Level.INFO, "Creating basic authenticator for HTTPS proxy auth");
            // Process-global: every java.net connection challenged by a proxy will answer with these.
            Authenticator.setDefault(new BasicAuthenticator(proxyUser, proxyPassword));
        }
    }

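    /**
     * Decides whether the OAuth endpoints from the discovery document should be used
     * (the code's own messages call this "4.x") or the plugin's built-in
     * {@code /oauth/*} paths ("3.x"), by reading the API server's {@code /version}.
     *
     * The heuristic is kept as it was: major must be {@code "1"} and minor must be more
     * than two characters long with a leading two-digit number above 11. Fixes: a response
     * that fails to parse, or one with no {@code minor}, now returns {@code false} directly
     * instead of raising a NullPointerException that was caught and logged as a failed
     * request; the version URL uses {@link #getDefaultedServerPrefix()} like every other
     * API call instead of the field, so a configured prefix is honoured.
     *
     * @param credential bearer credential for the version request
     * @return {@code true} when the server looks like 4.x; {@code false} otherwise or on any failure
     */
    private boolean useProviderOAuthEndpoint(Credential credential) {
        if (this.provider == null) {
            return false;
        }
        try {
            HttpResponse response = transport.createRequestFactory(new CredentialHttpRequestInitializer(credential)).buildGetRequest(new GenericUrl(getDefaultedServerPrefix() + "/version")).execute();
            int statusCode = response.getStatusCode();
            if (statusCode != 200) {
                LOGGER.info("OpenShift OAuth the attempt to get the server version request got an unexpected return code: " + statusCode);
            }
            OpenShiftVersionInfo versionInfo = response.parseAs(OpenShiftVersionInfo.class);
            if (versionInfo == null) {
                LOGGER.info("OpenShift OAuth could not parse the server version response, assuming 3.x");
                return false;
            }
            if (!"1".equals(versionInfo.major)) {
                LOGGER.info("OpenShift OAuth server is 3.x, specifically " + versionInfo.toString());
                return false;
            }
            String minor = versionInfo.minor;
            // 3.11 reports minor as "11+"; anything shorter cannot be a newer release under this heuristic.
            if (minor == null || minor.length() <= 2) {
                LOGGER.info("OpenShift OAuth the server is 3.x, specifically " + versionInfo.toString());
                return false;
            }
            if (Integer.parseInt(minor.substring(0, 2)) <= 11) {
                LOGGER.info("OpenShift OAuth the server is 3.x, specifically " + versionInfo.toString());
                return false;
            }
            LOGGER.info("OpenShift OAuth server is 4.x, specifically " + versionInfo.toString());
            return true;
        } catch (Throwable th) {
            // Includes NumberFormatException from an unexpected minor string; fall back to the built-in endpoints.
            LOGGER.log(Level.INFO, "get version attempt failed", th);
            return false;
        }
    }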

    /**
     * Looks up the user record of whoever {@code credential} authenticates as ({@code users/~}).
     *
     * @param credential    bearer credential; the result describes this credential's owner
     * @param httpTransport transport to send the request through
     * @return the parsed user record
     * @throws IOException on transport failure, a non-2xx status, or a parse failure
     */
    private OpenShiftUserInfo getOpenShiftUserInfo(Credential credential, HttpTransport httpTransport) throws IOException {
        HttpRequestFactory requestFactory = httpTransport.createRequestFactory(new CredentialHttpRequestInitializer(credential));
        GenericUrl selfUrl = new GenericUrl(getDefaultedServerPrefix() + USER_URI);
        HttpResponse response = requestFactory.buildGetRequest(selfUrl).execute();
        return response.parseAs(OpenShiftUserInfo.class);
    }

    /**
     * Serialises a SubjectAccessReview asking whether the caller may perform {@code verb}
     * in {@code namespace}.
     *
     * @param namespace namespace the review is scoped to
     * @param verb      verb to check (one of the entries of {@code roles})
     * @return the JSON request body
     * @throws IOException if serialisation fails
     */
    private String buildSARJson(String namespace, String verb) throws IOException {
        OpenShiftSubjectAccessReviewRequest review = new OpenShiftSubjectAccessReviewRequest();
        review.verb = verb;
        review.namespace = namespace;
        return CredentialHttpRequestInitializer.JSON_FACTORY.toString(review);
    }

    /**
     * Wraps a serialised SubjectAccessReview into a POST request against {@code sarUrl}.
     *
     * @param httpRequestFactory factory carrying the caller's credential
     * @param sarUrl             the subjectaccessreviews endpoint
     * @param json               request body produced by {@link #buildSARJson}
     * @return the unsent request
     * @throws IOException if the request cannot be built
     */
    private HttpRequest buildPostSARRequest(HttpRequestFactory httpRequestFactory, GenericUrl sarUrl, String json) throws IOException {
        SARRequestHttpContent body = new SARRequestHttpContent(json);
        return httpRequestFactory.buildPostRequest(sarUrl, body);
    }

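    /**
     * Asks the API server, with the user's own credential, which of the role verbs the
     * user is allowed to perform in the plugin's namespace, one SubjectAccessReview per
     * verb. The answer is authoritative for authorisation: roles the server denies are
     * never granted locally.
     *
     * Fix: a null request body or request used to be logged and then dereferenced anyway;
     * such a verb is now skipped (and therefore not granted). The shared static
     * {@code roles} list is snapshotted before iteration because
     * {@link #getRoleToPermissionMap} clears and refills it.
     *
     * @param credential    the logged-in user's bearer credential
     * @param httpTransport transport to send the reviews through
     * @return the allowed verbs, in {@code roles} order, without duplicates
     * @throws IOException if a review request fails or its response cannot be parsed
     */
    private ArrayList<String> postSAR(Credential credential, HttpTransport httpTransport) throws IOException {
        HttpRequestFactory requestFactory = httpTransport.createRequestFactory(new CredentialHttpRequestInitializer(credential));
        GenericUrl sarUrl = new GenericUrl(getDefaultedServerPrefix() + SAR_URI);
        ArrayList<String> allowedVerbs = new ArrayList<>();
        for (String verb : new ArrayList<>(roles)) {
            String sarJson = buildSARJson(this.namespace, verb);
            if (sarJson == null) {
                LOGGER.info("DBG json null ... namespace " + this.namespace + " verb " + verb);
                continue;
            }
            HttpRequest request = buildPostSARRequest(requestFactory, sarUrl, sarJson);
            if (request == null) {
                LOGGER.info("DBG request null");
                continue;
            }
            OpenShiftSubjectAccessReviewResponse review = request.execute().parseAs(OpenShiftSubjectAccessReviewResponse.class);
            if (review == null) {
                continue;
            }
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.fine(String.format("postSAR: response for verb %s hydrated into obj: namespace %s allowed %s reason %s", verb, review.namespace, Boolean.toString(review.allowed), review.reason));
            }
            if (review.allowed && !allowedVerbs.contains(verb)) {
                allowedVerbs.add(verb);
            }
        }
        return allowedVerbs;
    }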

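    /**
     * Builds the role → Jenkins-permission mapping applied to a logged-in user.
     *
     * The built-in mapping (view ⊂ edit ⊂ admin) is used unless the namespace holds an
     * {@code openshift-jenkins-login-plugin-config} config map, in which case the mapping is
     * replaced entirely by the config-map entries: each key is {@code <permGroupTitle>-<permName>}
     * (matched case-insensitively against the en_US titles of every registered permission) and
     * each value is a comma-separated list of role names. As a side effect the shared static
     * {@code roles} list is replaced by the config map's role names so that {@link #postSAR}
     * reviews those verbs. The config map is fetched with the pod's SA token, not the user's.
     *
     * Security note: the default "edit" role includes {@code Jenkins.RUN_SCRIPTS}, which allows
     * arbitrary Groovy on the controller and is in practice equivalent to ADMINISTER; an
     * installation that wants "edit" to be weaker than admin must override the mapping via the
     * config map.
     *
     * Fixes: raw collection types replaced by typed ones; role names from the config map are
     * trimmed and blank names are skipped (previously {@code "admin, edit"} produced a role
     * {@code " edit"} that no SubjectAccessReview verb could match).
     *
     * @param httpTransport transport used to read the config map
     * @return mutable map from role name to the permissions granted to that role
     */
    private Map<String, List<Permission>> getRoleToPermissionMap(HttpTransport httpTransport) {
        Map<String, List<Permission>> roleToPermissions = defaultRoleToPermissionMap();
        ConfigMapResponse configMapResponse;
        try {
            configMapResponse = fetchLoginPluginConfigMap(httpTransport);
        } catch (IOException e) {
            LOGGER.info("OpenShift Jenkins Login Plugin could not find the openshift-jenkins-login-plugin-config config map in namespace " + this.namespace + " so the default permission mapping will be used");
            LOGGER.log(Level.FINE, "getRoleToPermissionMap", (Throwable) e);
            return roleToPermissions;
        }
        if (configMapResponse == null || configMapResponse.data == null || configMapResponse.data.size() == 0) {
            LOGGER.info("OpenShift Jenkins Login Plugin did not see the openshift-jenkins-login-plugin-config config map in namespace " + this.namespace + " so the default permission mapping will be used");
            return roleToPermissions;
        }

        // A config map replaces the defaults wholesale rather than extending them.
        roleToPermissions.clear();
        List<Permission> allPermissions = Permission.getAll();
        for (Map.Entry<String, String> entry : configMapResponse.data.entrySet()) {
            String key = entry.getKey();
            String[] keyParts = key.trim().split("-");
            if (keyParts.length != 2) {
                LOGGER.info("OpenShift Jenkins Login Plugin ignore permission string " + key + " since if is not of the form <permGroupId>-<permId>");
                continue;
            }
            Permission permission = findPermission(allPermissions, keyParts[0].trim(), keyParts[1].trim(), key);
            if (permission == null) {
                LOGGER.warning("OpenShift Jenkins Login Plugin could not find permission " + key + " in Jenkins list of all available permissions");
                continue;
            }
            String value = entry.getValue();
            if (value == null) {
                LOGGER.warning("No roles specified for permission " + key + " in login plugin config map");
                continue;
            }
            String[] roleNames = value.split(",");
            if (roleNames.length == 0) {
                LOGGER.warning("No roles specified for permission " + key + " in login plugin config map: " + value);
            }
            for (String roleName : roleNames) {
                String role = roleName.trim();
                if (role.isEmpty()) {
                    LOGGER.warning("No roles specified for permission " + key + " in login plugin config map: " + value);
                    continue;
                }
                List<Permission> granted = roleToPermissions.computeIfAbsent(role, r -> new ArrayList<>());
                if (!granted.contains(permission)) {
                    LOGGER.info("OpenShift Jenkins Login Plugin adding permission " + key + " for role " + role);
                    granted.add(permission);
                }
            }
        }

        // Replace the shared verb list so postSAR() reviews exactly the configured roles.
        roles.clear();
        for (String role : roleToPermissions.keySet()) {
            if (!roles.contains(role)) {
                roles.add(role);
            }
        }
        LOGGER.info("OpenShift Jenkins Login Plugin using role list " + roles);
        return roleToPermissions;
    }

    /**
     * The built-in mapping: "view" is read-only, "edit" adds job/build control (and
     * RUN_SCRIPTS, see the security note on {@link #getRoleToPermissionMap}), "admin" adds
     * node, view and credential administration plus ADMINISTER.
     *
     * @return a fresh mutable map with the three default roles
     */
    private static Map<String, List<Permission>> defaultRoleToPermissionMap() {
        Map<String, List<Permission>> map = new HashMap<>();
        List<Permission> view = new ArrayList<>(Arrays.asList(Hudson.READ, Item.READ, Item.DISCOVER, CredentialsProvider.VIEW));
        map.put("view", view);
        List<Permission> edit = new ArrayList<>(view);
        edit.addAll(Arrays.asList(Item.BUILD, Item.CONFIGURE, Item.CREATE, Item.DELETE, Item.CANCEL, Item.WORKSPACE, SCM.TAG, Jenkins.RUN_SCRIPTS));
        map.put("edit", edit);
        List<Permission> admin = new ArrayList<>(edit);
        admin.addAll(Arrays.asList(Computer.CONFIGURE, Computer.DELETE, Hudson.ADMINISTER, Hudson.READ, Run.DELETE, Run.UPDATE, View.CONFIGURE, View.CREATE, View.DELETE, CredentialsProvider.CREATE, CredentialsProvider.UPDATE, CredentialsProvider.DELETE, CredentialsProvider.MANAGE_DOMAINS));
        map.put("admin", admin);
        return map;
    }

    /**
     * Reads the plugin's config map from the current namespace using the pod's SA token.
     *
     * @param httpTransport transport to send the request through
     * @return the parsed config map, possibly with no {@code data}
     * @throws IOException on transport failure, a non-2xx status (e.g. the map does not exist), or a parse failure
     */
    private ConfigMapResponse fetchLoginPluginConfigMap(HttpTransport httpTransport) throws IOException {
        Credential saCredential = new Credential(BearerToken.authorizationHeaderAccessMethod()).setAccessToken(getDefaultedClientSecret().getPlainText());
        GenericUrl configMapUrl = new GenericUrl(getDefaultedServerPrefix() + String.format(CONFIG_MAP_URI, this.namespace));
        return httpTransport.createRequestFactory(new CredentialHttpRequestInitializer(saCredential)).buildGetRequest(configMapUrl).execute().parseAs(ConfigMapResponse.class);
    }

    /**
     * Finds the registered permission whose en_US group title and name match the two halves
     * of a config-map key, ignoring case.
     *
     * @param allPermissions every permission Jenkins knows about
     * @param groupTitle     first half of the key, already trimmed
     * @param permissionName second half of the key, already trimmed
     * @param key            the original key, for log messages only
     * @return the matching permission, or {@code null} if none matches
     */
    private static Permission findPermission(List<Permission> allPermissions, String groupTitle, String permissionName, String key) {
        for (Permission candidate : allPermissions) {
            // Group titles are localisable; force en_US so config-map keys do not depend on the controller's locale.
            String candidateGroup = candidate.group.title.toString(DEFAULT_LOCALE_PERMISSION).trim();
            String candidateName = candidate.name.trim();
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.fine("Permission in system (forced in en_US locale)" + candidateGroup + ", Permission Group ID" + groupTitle);
                LOGGER.fine("Permission Name " + candidateName + ", Permission ID " + permissionName);
            }
            if (candidateGroup.equalsIgnoreCase(groupTitle) && candidateName.equalsIgnoreCase(permissionName)) {
                LOGGER.info("OpenShift Jenkins Login Plugin matching configured permission " + key + " to Jenkins permission " + candidate);
                return candidate;
            }
        }
        return null;
    }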

    /**
     * Supplies Jenkins with an authentication manager that only knows anonymous users:
     * this realm does not authenticate by username/password, the OAuth callback installs
     * the authenticated principal directly (see updateAuthorizationStrategy).
     */
    @Override
    public SecurityRealm.SecurityComponents createSecurityComponents() {
        AnonymousAuthenticationManager anonymousOnly = new AnonymousAuthenticationManager();
        return new SecurityRealm.SecurityComponents(anonymousOnly);
    }

    /**
     * Starts an authorization-code login flow. The token and authorize endpoints come from
     * the OAuth discovery document on clusters {@link #useProviderOAuthEndpoint} reports as
     * 4.x (with the transport chosen by {@link #transportToUse}); otherwise the built-in
     * {@code /oauth/token} and {@code /oauth/authorize} paths are used. The client
     * authenticates to the token endpoint with the defaulted client id and secret.
     *
     * NOTE(review): the flow is built with {@code BearerToken.queryParameterAccessMethod()},
     * which places access tokens in the query string of requests made through the flow's
     * credential; confirm the receiving endpoints do not log request URLs.
     *
     * @param str  value handed through to the session as-is
     * @param str2 value the redirect URL is built from, also handed through to the session
     * @return the new session
     * @throws MalformedURLException if the redirect URL cannot be built
     */
    protected OAuthSession newOAuthSession(String str, String str2) throws MalformedURLException {
        HttpTransport flowTransport = transport;
        GenericUrl tokenUrl = new GenericUrl(getDefaultedServerPrefix() + "/oauth/token");
        String authorizeUrl = getDefaultedRedirectURL() + "/oauth/authorize";
        Credential saCredential = new Credential(BearerToken.authorizationHeaderAccessMethod()).setAccessToken(getDefaultedClientSecret().getPlainText());
        boolean providerEndpoints = useProviderOAuthEndpoint(saCredential);
        if (providerEndpoints) {
            LOGGER.info("OpenShift OAuth using OAuth Provider specified endpoints for this login flow");
            tokenUrl = new GenericUrl(this.provider.token_endpoint);
            authorizeUrl = this.provider.authorization_endpoint;
            flowTransport = transportToUse(saCredential);
        } else {
            LOGGER.info("OpenShift OAuth using the OpenShift Jenkins Login Plugin default for the OAuth endpoints");
        }
        ClientParametersAuthentication clientAuth = new ClientParametersAuthentication(getDefaultedClientId(), getDefaultedClientSecret().getPlainText());
        AuthorizationCodeFlow.Builder flowBuilder = new AuthorizationCodeFlow.Builder(
                BearerToken.queryParameterAccessMethod(), flowTransport, CredentialHttpRequestInitializer.JSON_FACTORY,
                tokenUrl, clientAuth, getDefaultedClientId(), authorizeUrl);
        flowBuilder.setScopes(Arrays.asList(SCOPE_INFO, SCOPE_CHECK_ACCESS));
        AuthorizationCodeFlow flow = flowBuilder.build();
        String redirect = buildOAuthRedirectUrl(str2);
        return new BearerTokenOAuthSession(flow, str, redirect, str2, redirect, flow, this);
    }

    /**
     * Turns an OpenShift credential into a Jenkins authentication and grants the matching
     * matrix permissions.
     *
     * <p>Flow, as visible here: look up the OpenShift user, load the role-to-permission map,
     * run the subject-access-review (SAR) checks, and derive a Jenkins user id of the form
     * {@code <openshift name>-<role1>-<role2>...}. That composite id is then registered in the
     * current matrix authorization strategy with the permissions of each role.
     *
     * <p>Security notes:
     * <ul>
     *   <li>If the SAR returns no role, no authentication is created and {@code null} is
     *       returned; callers must treat that as a failed login.</li>
     *   <li>The authentication is placed in the security context and listeners are notified
     *       before the matrix is updated; the matrix update itself is serialized on
     *       {@code USER_UPDATE_LOCK}.</li>
     *   <li>When the composite id is new, the strategy is rebuilt by copying every permission
     *       every existing group holds and adding this user's; nothing is revoked here. A user
     *       whose roles change receives a fresh composite id, and whether the previous id's
     *       entries are removed anywhere else cannot be told from this method (TODO confirm).</li>
     * </ul>
     *
     * <p>Note: this reads like decompiled output (e.g. the unchecked assignment of the
     * configured strategy to a {@code GlobalMatrixAuthorizationStrategy} variable); the compiled
     * source presumably casts there, so a non-matrix strategy would fail at that point.
     *
     * @param credential OpenShift bearer credential obtained from the OAuth flow
     * @return the authentication for the composite user id, or {@code null} when the user holds
     *         none of the mapped roles
     * @throws IOException              if a call to OpenShift fails
     * @throws GeneralSecurityException as declared; propagated from the helpers called here
     */
    public UsernamePasswordAuthenticationToken updateAuthorizationStrategy(Credential credential) throws IOException, GeneralSecurityException {
        populateDefaults();
        OpenShiftUserInfo openShiftUserInfo = getOpenShiftUserInfo(credential, transport);
        Map<String, List<Permission>> roleToPermissionMap = getRoleToPermissionMap(transport);
        ArrayList<String> postSAR = postSAR(credential, transport);
        // Every login carries only AUTHENTICATED; fine-grained rights come from the matrix below.
        GrantedAuthority[] grantedAuthorityArr = {SecurityRealm.AUTHENTICATED_AUTHORITY};
        String str = null;
        // Build the "-role1-role2..." suffix in the order postSAR returned the roles.
        Iterator<String> it = postSAR.iterator();
        while (it.hasNext()) {
            String next = it.next();
            str = str == null ? "-" + next : str + "-" + next;
        }
        Authentication authentication = null;
        if (str != null) {
            // Composite Jenkins id: OpenShift user name plus role suffix.
            String str2 = openShiftUserInfo.getName() + str;
            authentication = new UsernamePasswordAuthenticationToken(str2, EMPTY_STRING, grantedAuthorityArr);
            SecurityContextHolder.getContext().setAuthentication(authentication);
            // NOTE(review): User.get presumably creates the Jenkins user record when missing; verify
            // against the core version in use.
            User user = User.get(authentication.getName());
            openShiftUserInfo.updateProfile(user);
            user.setFullName(openShiftUserInfo.getName());
            user.save();
            SecurityListener.fireAuthenticated(new OpenShiftUserDetails(authentication.getName(), grantedAuthorityArr));
            // Matrix rewrites are global; serialize them.
            synchronized (USER_UPDATE_LOCK) {
                GlobalMatrixAuthorizationStrategy authorizationStrategy = Jenkins.getInstance().getAuthorizationStrategy();
                Set<String> groups = authorizationStrategy.getGroups();
                if (LOGGER.isLoggable(Level.FINE)) {
                    LOGGER.fine(String.format("updateAuthorizationStrategy: got users %s where this user is %s", groups.toString(), openShiftUserInfo.getName()));
                }
                if (groups.contains(str2)) {
                    // Already in the matrix under this composite id: nothing to add.
                    LOGGER.info(String.format("OpenShift OAuth: user %s, stored in the matrix as %s, based on OpenShift roles %s already exists in Jenkins", openShiftUserInfo.getName(), str2, postSAR));
                } else {
                    ArrayList arrayList = new ArrayList(PermissionGroup.getAll());
                    if (LOGGER.isLoggable(Level.FINE)) {
                        LOGGER.fine(String.format("updateAuthorizationStrategy: permissions %s", arrayList.toString()));
                    }
                    // Keep the configured subtype so project-level matrices stay project-level.
                    ProjectMatrixAuthorizationStrategy projectMatrixAuthorizationStrategy = authorizationStrategy instanceof ProjectMatrixAuthorizationStrategy ? new ProjectMatrixAuthorizationStrategy() : new GlobalMatrixAuthorizationStrategy();
                    // Always true (both branches construct an object); likely a decompilation artifact.
                    if (projectMatrixAuthorizationStrategy != null) {
                        // Copy forward every permission each existing group currently holds.
                        for (String str3 : groups) {
                            Iterator it2 = arrayList.iterator();
                            while (it2.hasNext()) {
                                for (Permission permission : ((PermissionGroup) it2.next()).getPermissions()) {
                                    if (authorizationStrategy.hasPermission(str3, permission)) {
                                        projectMatrixAuthorizationStrategy.add(permission, str3);
                                    }
                                }
                            }
                        }
                        LOGGER.info(String.format("OpenShift OAuth: adding permissions for user %s, stored in the matrix as %s, based on OpenShift roles %s", openShiftUserInfo.getName(), str2, postSAR));
                        // Grant this composite id the permissions of each confirmed role.
                        // NOTE(review): Map.get returns null for a role absent from the map; roles are
                        // presumably drawn from the map's own keys by postSAR -- confirm, else this NPEs.
                        Iterator<String> it3 = postSAR.iterator();
                        while (it3.hasNext()) {
                            Iterator<Permission> it4 = roleToPermissionMap.get(it3.next()).iterator();
                            while (it4.hasNext()) {
                                projectMatrixAuthorizationStrategy.add(it4.next(), str2);
                            }
                        }
                        // Install the rebuilt strategy; a failed save is only logged, so the new grants
                        // may live in memory without being persisted.
                        Jenkins.getInstance().setAuthorizationStrategy(projectMatrixAuthorizationStrategy);
                        try {
                            Jenkins.getInstance().save();
                        } catch (Throwable th) {
                            LOGGER.log(Level.INFO, "updateAuthorizationStrategy", th);
                        }
                    }
                }
            }
        }
        return authentication;
    }

    /**
     * Entry point of the login flow: starts a new OAuth session and returns its redirect to the
     * provider's authorization endpoint.
     *
     * <p>The URL the OAuth callback is derived from is chosen in order of preference: the
     * {@code from} query parameter when it parses as an absolute URL, otherwise the
     * {@code Referer} header when it does, otherwise the configured Jenkins root URL.
     *
     * <p>NOTE(review): both {@code from} and {@code Referer} are request-controlled, and this
     * method checks only that they parse as URLs. The callback host therefore follows the
     * request; rely on the OAuth provider's redirect-URI registration and on the session's own
     * handling of {@code from} to reject foreign destinations, and confirm both do.
     *
     * @param str  the {@code from} query parameter (may be null or relative)
     * @param str2 the {@code Referer} header (may be null)
     * @return the redirect response produced by the new session
     * @throws IOException      if starting the session fails
     * @throws RuntimeException wrapping a {@link GeneralSecurityException} raised while preparing the session
     */
    public org.kohsuke.stapler.HttpResponse doCommenceLogin(@QueryParameter String str, @Header("Referer") String str2) throws IOException {
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.entering(OpenShiftOAuth2SecurityRealm.class.getName(), START_METHOD, new Object[]{str, str2});
        }
        try {
            populateDefaults();
            String callbackBase;
            if (parsesAsAbsoluteUrl(str)) {
                callbackBase = str;
            } else if (parsesAsAbsoluteUrl(str2)) {
                callbackBase = str2;
            } else {
                callbackBase = Jenkins.getInstance().getRootUrl();
            }
            return newOAuthSession(str, callbackBase).doCommenceLogin();
        } catch (GeneralSecurityException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Syntax probe: true when {@code candidate} is accepted by {@link URL#URL(String)}.
     * Null and relative values are rejected by that constructor and yield false.
     */
    private static boolean parsesAsAbsoluteUrl(String candidate) {
        try {
            new URL(candidate);
            return true;
        } catch (MalformedURLException ignored) {
            // Only the yes/no answer matters here; the reason is irrelevant.
            return false;
        }
    }

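    /**
     * Derives the OAuth callback (redirect URI) for this realm.
     *
     * <p>An explicitly configured {@code redirectUrl} wins. Otherwise the scheme, host and
     * non-default port are taken from {@code str}, followed by the Jenkins context path of the
     * current request (if any) and {@code SECURITY_REALM_FINISH_LOGIN}. Only the scheme is
     * validated (http/https); host and port are used as given.
     *
     * <p>NOTE(review): {@code str} originates from the {@code from} parameter or the Referer
     * header in {@code doCommenceLogin}, so the callback host is request-influenced. The OAuth
     * provider's redirect-URI registration is what must reject hosts that are not this Jenkins;
     * confirm it is configured that way.
     *
     * <p>Cleanup versus the previous version: the {@code url == null} test that ran after
     * {@code url.getProtocol()} was unreachable (the constructor throws instead of returning
     * null), and a catch block that only rethrew has been dropped; behaviour is unchanged.
     *
     * @param str absolute URL the callback is derived from
     * @return the callback URL
     * @throws MalformedURLException if {@code str} is not a URL or its scheme is not http/https
     */
    public String buildOAuthRedirectUrl(String str) throws MalformedURLException {
        if (this.redirectUrl != null) {
            return this.redirectUrl;
        }
        // new URL(...) throws for null or relative input, so url is never null from here on.
        URL url = new URL(str);
        String protocol = url.getProtocol();
        if (!(protocol.equalsIgnoreCase("http") || protocol.equalsIgnoreCase(HTTPS_SCHEME))) {
            throw new MalformedURLException("redirect url " + str + " insufficient");
        }
        // Context path of the current request; empty outside a request or when blank.
        StaplerRequest currentRequest = Stapler.getCurrentRequest();
        String contextPath = EMPTY_STRING;
        if (currentRequest != null) {
            String trimmed = currentRequest.getContextPath().trim();
            if (StringUtils.isNotBlank(trimmed)) {
                contextPath = trimmed;
            }
        }
        // Omit the port when absent (-1) or equal to the scheme's default.
        int port = url.getPort();
        String portPart = (port <= 0 || port == url.getDefaultPort()) ? EMPTY_STRING : PORT_SEPARATOR + port;
        return new StringBuilder(protocol)
                .append(SCHEME_SEPARATOR)
                .append(url.getHost())
                .append(portPart)
                .append(contextPath)
                .append(SECURITY_REALM_FINISH_LOGIN)
                .toString();
    }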

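    /**
     * OAuth callback endpoint: hands the provider's response to the session that started the
     * login, or redirects to the Jenkins root when no such session exists (e.g. a stale or
     * replayed callback).
     *
     * <p>Fix versus the previous version: {@code OAuthSession.getCurrent()} is now read once.
     * It was evaluated twice before, once for the null check and once for the call; if it is
     * backed by mutable session state, the second read could have returned null after the
     * first did not, turning an expired session into a NullPointerException.
     *
     * <p>Security notes: the FINE-level entering log records the raw query string, which for a
     * callback carries the authorization code, so FINE logging should stay off in production.
     * The anti-CSRF {@code state} check is not visible here; it is presumably performed in
     * {@code OAuthSession.doFinishLogin} (TODO confirm).
     *
     * @param staplerRequest the callback request (its query string carries the provider's
     *                       response); may be null
     * @return the session's completion response, or a redirect to the root URL
     * @throws IOException if completing the login fails
     */
    public org.kohsuke.stapler.HttpResponse doFinishLogin(StaplerRequest staplerRequest) throws IOException {
        if (LOGGER.isLoggable(Level.FINE)) {
            if (staplerRequest != null) {
                // NOTE(review): logs the query string, i.e. the authorization code, at FINE.
                LOGGER.entering(OpenShiftOAuth2SecurityRealm.class.getName(), FINISH_METHOD, new Object[]{staplerRequest.getQueryString(), staplerRequest.getRequestURL()});
            } else {
                LOGGER.entering(OpenShiftOAuth2SecurityRealm.class.getName(), FINISH_METHOD);
            }
        }
        // Single read of the current session, so the null check and the call agree.
        OAuthSession session = OAuthSession.getCurrent();
        if (session == null) {
            return new HttpRedirect(Jenkins.getInstance().getRootUrl());
        }
        return session.doFinishLogin(staplerRequest);
    }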

    /**
     * Computes where the browser is sent after logout: the current request URL with
     * {@code LOGOUT} removed. When the request URL contains {@code LOGOUT}, a
     * {@code LOGGING_OUT} marker is additionally stored in the HTTP session (consumed elsewhere).
     *
     * <p>NOTE(review): the destination is derived from the request URL, whose host part comes
     * from the request's Host header; no allow-list is applied here.
     *
     * @param staplerRequest the logout request
     * @param authentication the authentication being ended (not used here)
     * @return the post-logout URL
     */
    protected String getPostLogOutUrl(StaplerRequest staplerRequest, Authentication authentication) {
        String requestUrl = staplerRequest.getRequestURL().toString();
        boolean viaLogoutPath = requestUrl.contains(LOGOUT);
        if (viaLogoutPath) {
            staplerRequest.getSession().setAttribute(LOGGING_OUT, LOGGING_OUT);
        }
        return requestUrl.replace(LOGOUT, EMPTY_STRING);
    }
}
