package org.jenkinsci.plugins.saml;

import com.google.common.base.Preconditions;
import hudson.Extension;
import hudson.Util;
import hudson.model.Descriptor;
import hudson.security.SecurityRealm;
import java.util.logging.Logger;
import jenkins.model.Jenkins;
import jenkins.security.SecurityListener;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.context.SecurityContextHolder;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.Header;
import org.kohsuke.stapler.HttpRedirect;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;

/* loaded from: input_file:WEB-INF/lib/saml.jar:org/jenkinsci/plugins/saml/SamlSecurityRealm.class */
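/**
 * Jenkins security realm that delegates sign-on to a SAML 2.0 identity provider.
 *
 * <p>The login flow has two HTTP endpoints: {@link #doCommenceLogin} redirects the browser to the
 * identity provider, and {@link #doFinishLogin} consumes the {@code SAMLResponse} that is posted
 * back and installs the resulting authentication.
 *
 * <p>NOTE(review): this class hands the raw {@code SAMLResponse} parameter and the configured
 * certificate to {@code SamlResponseHandler}. Signature, issuer, audience and validity-window
 * checks are presumably done there; none of them is visible in this class, which only inspects
 * the status code. Confirm against the handler before relying on it. Nothing produced while
 * building the request is kept in the session, so this class cannot itself match a response to
 * the request that triggered it.
 */
public class SamlSecurityRealm extends SecurityRealm {
    private static final Logger LOG = Logger.getLogger(SamlSecurityRealm.class.getName());
    /** Session attribute that carries the pre-login Referer across the round trip to the IdP. */
    private static final String REFERER_ATTRIBUTE = SamlSecurityRealm.class.getName() + ".referer";
    /** Path, relative to the Jenkins root URL, that the identity provider posts the response to. */
    private static final String CONSUMER_SERVICE_URL_PATH = "securityRealm/finishLogin";
    // Identity provider sign-on URL the browser is redirected to.
    private String signOnUrl;
    // Certificate material passed to SamlResponseHandler when a response is processed.
    private String certificate;

    /** Descriptor that registers this realm with Jenkins under the name "SAML 2.0". */
    @Extension
    public static final class DescriptorImpl extends Descriptor<SecurityRealm> {
        public DescriptorImpl() {
        }

        public DescriptorImpl(Class<? extends SecurityRealm> cls) {
            super(cls);
        }

        public String getDisplayName() {
            return "SAML 2.0";
        }
    }

    /**
     * Creates the realm from its two configuration values.
     *
     * @param str the identity provider sign-on URL; blank values are stored as {@code null}
     * @param str2 the identity provider certificate; blank values are stored as {@code null}
     */
    @DataBoundConstructor
    public SamlSecurityRealm(String str, String str2) {
        this.signOnUrl = Util.fixEmptyAndTrim(str);
        this.certificate = Util.fixEmptyAndTrim(str2);
    }

    /** Accounts come from the identity provider, so local sign-up is disabled. */
    public boolean allowsSignup() {
        return false;
    }

    /**
     * Builds the security components for this realm.
     *
     * <p>The authentication manager accepts only tokens of type {@code SamlAuthenticationToken}
     * and returns them unchanged; every other authentication type is rejected.
     */
    public SecurityRealm.SecurityComponents createSecurityComponents() {
        return new SecurityRealm.SecurityComponents(new AuthenticationManager() {
            public Authentication authenticate(Authentication authentication) throws AuthenticationException {
                if (authentication instanceof SamlAuthenticationToken) {
                    return authentication;
                }
                throw new BadCredentialsException("Unexpected authentication type: " + authentication);
            }
        });
    }

    /** Returns the relative URL that starts the login flow. */
    public String getLoginUrl() {
        return "securityRealm/commenceLogin";
    }

    /**
     * Starts the login flow by redirecting the browser to the identity provider.
     *
     * <p>The Referer header is client-supplied. It is stored as received and must be validated
     * before it is used as a redirect target, which {@link #doFinishLogin} does.
     *
     * @param staplerRequest the current request; its session stores the Referer
     * @param str the value of the Referer header, possibly {@code null}
     * @return a redirect to the URL produced by {@code SamlRequestGenerator}
     */
    public HttpResponse doCommenceLogin(StaplerRequest staplerRequest, @Header("Referer") String str) {
        LOG.fine("SamlSecurityRealm.doCommenceLogin called. Using consumerServiceUrl " + getConsumerServiceUrl());
        staplerRequest.getSession().setAttribute(REFERER_ATTRIBUTE, str);
        return new HttpRedirect(new SamlRequestGenerator().createRequestUrl(this.signOnUrl, getConsumerServiceUrl(), Jenkins.getInstance().getRootUrl()));
    }

    /**
     * Completes the login flow from the {@code SAMLResponse} request parameter.
     *
     * <p>After the response has been accepted the pre-login session is discarded and a new one is
     * created, so a session identifier known before authentication is never promoted to an
     * authenticated session. The browser is then sent back to the stored Referer only when it
     * points inside this Jenkins instance; otherwise it is sent to the Jenkins root.
     *
     * @param staplerRequest the request carrying the {@code SAMLResponse} parameter
     * @param staplerResponse unused
     * @return a redirect to a location inside this Jenkins instance
     * @throws NullPointerException if no certificate is configured
     * @throws IllegalStateException if the response status is missing or does not indicate success
     */
    public HttpResponse doFinishLogin(StaplerRequest staplerRequest, StaplerResponse staplerResponse) {
        LOG.finer("SamlSecurityRealm.doFinishLogin called");
        Preconditions.checkNotNull(this.certificate);
        SamlAuthenticationToken handle = new SamlResponseHandler(this.certificate).handle(staplerRequest.getParameter("SAMLResponse"));
        String statusCode = handle.getStatusCode();
        LOG.info("Received SAML response with status code " + statusCode + ", subject " + handle.getSubject() + ", issuer " + handle.getIssuer() + ", audience " + handle.getAudience());
        // NOTE(review): this is a substring match on the status value. The exact format returned
        // by getStatusCode() is not visible here; an equality check against the expected status
        // value would be stricter once that format is confirmed.
        Preconditions.checkState(statusCode != null && statusCode.toLowerCase().contains("success"), "Expected success but got " + statusCode);

        // Read the stored Referer first: the session that holds it is about to be destroyed.
        String referer = (String) staplerRequest.getSession().getAttribute(REFERER_ATTRIBUTE);

        // Session-fixation defence: drop the unauthenticated session and start a fresh one
        // before the authenticated security context is attached to the request.
        staplerRequest.getSession().invalidate();
        staplerRequest.getSession(true);

        SecurityContextHolder.getContext().setAuthentication(handle);
        SecurityListener.fireAuthenticated(new SamlUserDetails(handle.getSubject()));
        return HttpResponses.redirectTo(safeRedirectTarget(staplerRequest, referer));
    }

    /**
     * Chooses the post-login redirect target.
     *
     * <p>The stored Referer is used only when it starts with the configured Jenkins root URL
     * (compared with a trailing slash, so a host name that merely begins with the Jenkins host
     * does not match). A missing or foreign Referer falls back to the root URL, or to the
     * context path when no root URL is configured.
     */
    private static String safeRedirectTarget(StaplerRequest staplerRequest, String referer) {
        String rootUrl = Jenkins.getInstance().getRootUrl();
        if (rootUrl == null) {
            return staplerRequest.getContextPath() + "/";
        }
        String prefix = rootUrl.endsWith("/") ? rootUrl : rootUrl + "/";
        if (referer != null && referer.startsWith(prefix)) {
            return referer;
        }
        return prefix;
    }

    /**
     * Returns the absolute URL the identity provider should post its response to.
     *
     * <p>NOTE(review): the root URL is concatenated without a null check, so an unconfigured
     * Jenkins root URL yields a value starting with the text "null".
     */
    private String getConsumerServiceUrl() {
        return Jenkins.getInstance().getRootUrl() + CONSUMER_SERVICE_URL_PATH;
    }

    /** Returns the identity provider sign-on URL. */
    public String getSignOnUrl() {
        return this.signOnUrl;
    }

    /** Sets the identity provider sign-on URL; the value is stored as given, without trimming. */
    public void setSignOnUrl(String str) {
        this.signOnUrl = str;
    }

    /** Returns the configured identity provider certificate. */
    public String getCertificate() {
        return this.certificate;
    }

    /** Sets the identity provider certificate; the value is stored as given, without trimming. */
    public void setCertificate(String str) {
        this.certificate = str;
    }
}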
