package org.eclipse.hudson.security;

import com.thoughtworks.xstream.XStream;
import hudson.BulkChange;
import hudson.Functions;
import hudson.Util;
import hudson.XmlFile;
import hudson.markup.MarkupFormatter;
import hudson.markup.RawHtmlMarkupFormatter;
import hudson.model.Descriptor;
import hudson.model.Saveable;
import hudson.model.listeners.SaveableListener;
import hudson.security.ACL;
import hudson.security.AuthorizationStrategy;
import hudson.security.FullControlOnceLoggedInAuthorizationStrategy;
import hudson.security.HudsonFilter;
import hudson.security.LegacySecurityRealm;
import hudson.security.Permission;
import hudson.security.SecurityMode;
import hudson.security.SecurityRealm;
import hudson.util.TextFile;
import hudson.util.XStream2;
import java.io.File;
import java.io.IOException;
import java.security.SecureRandom;
import javax.crypto.SecretKey;
import javax.servlet.ServletException;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.propertyeditors.CustomBooleanEditor;
import org.springframework.security.Authentication;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.SpringSecurityException;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.anonymous.AnonymousAuthenticationToken;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

/* loaded from: input_file:WEB-INF/lib/hudson-core-3.1.0.jar:org/eclipse/hudson/security/HudsonSecurityManager.class */
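/**
 * Holds Hudson's security configuration: the {@link SecurityRealm}, the
 * {@link AuthorizationStrategy}, the markup formatter and the instance secret key.
 * <p>
 * State is persisted to {@code hudson-security.xml} under the Hudson home directory via
 * XStream; an older installation that still keeps these settings inside {@code config.xml}
 * has them split out on first load (see {@link #extractSecurityConfig()}).
 * <p>
 * {@code securityRealm} and {@code authorizationStrategy} are {@code volatile} so that
 * readers on request threads see the latest value set by {@link #doConfigSubmit}.
 */
public class HudsonSecurityManager implements Saveable {

    /**
     * Legacy persisted flag. {@code null} means "never configured", {@code Boolean.FALSE}
     * forces unsecured mode on load regardless of the persisted realm/strategy.
     */
    private Boolean useSecurity;
    private transient File hudsonHome;
    /** Hex-encoded 256-bit instance secret read from (or written to) {@code secret.key}. */
    private final transient String secretKey;
    private static final XStream XSTREAM = new XStream2();
    /** Authentication returned for an unauthenticated caller by {@link #getAuthentication()}. */
    public static final Authentication ANONYMOUS = new AnonymousAuthenticationToken("anonymous", "anonymous", new GrantedAuthority[]{new GrantedAuthorityImpl("anonymous")});
    /** Name of the dedicated security configuration file inside the Hudson home. */
    private final transient String securityConfigFileName = "hudson-security.xml";
    private static final Logger logger = LoggerFactory.getLogger(HudsonSecurityManager.class);
    private volatile SecurityRealm securityRealm = SecurityRealm.NO_AUTHENTICATION;
    private volatile AuthorizationStrategy authorizationStrategy = AuthorizationStrategy.UNSECURED;
    private MarkupFormatter markupFormatter = RawHtmlMarkupFormatter.INSTANCE;

    /**
     * Creates the manager for the given Hudson home, making sure {@code secret.key} exists
     * (minting a fresh random key when it does not) and then loading the persisted configuration.
     *
     * @param file the Hudson home directory
     * @throws IOException if {@code secret.key} cannot be read or written
     */
    public HudsonSecurityManager(File file) throws IOException {
        this.hudsonHome = file;
        TextFile keyFile = new TextFile(new File(file, "secret.key"));
        if (keyFile.exists()) {
            this.secretKey = keyFile.readTrim();
        } else {
            // First start: mint a 256-bit key from a CSPRNG and persist it as hex.
            // NOTE(review): TextFile.write() presumably creates the file with default
            // permissions - confirm the home directory itself is not world-readable.
            byte[] raw = new byte[32];
            new SecureRandom().nextBytes(raw);
            this.secretKey = Util.toHexString(raw);
            keyFile.write(this.secretKey);
        }
        load();
    }

    /** @return the Hudson home directory this manager was created for */
    public File getHudsonHome() {
        return this.hudsonHome;
    }

    /** @return the formatter used to render user-supplied markup */
    public MarkupFormatter getMarkupFormatter() {
        return this.markupFormatter;
    }

    /** @param markupFormatter the formatter used to render user-supplied markup */
    public void setMarkupFormatter(MarkupFormatter markupFormatter) {
        this.markupFormatter = markupFormatter;
    }

    /** @return the root ACL of the current authorization strategy */
    public ACL getACL() {
        return this.authorizationStrategy.getRootACL();
    }

    /**
     * Checks that the current caller holds {@code permission} on the root ACL.
     *
     * @param permission the permission to check
     * @throws org.springframework.security.AccessDeniedException if the caller lacks it
     *         (as thrown by {@link ACL#checkPermission(Permission)})
     */
    public void checkPermission(Permission permission) {
        getACL().checkPermission(permission);
    }

    /**
     * @param permission the permission to test
     * @return whether the current caller holds {@code permission} on the root ACL
     */
    public boolean hasPermission(Permission permission) {
        return getACL().hasPermission(permission);
    }

    /**
     * Returns the raw instance secret. Callers must treat it as a credential:
     * never log it or include it in error messages or responses.
     *
     * @return the hex-encoded secret key
     */
    public String getSecretKey() {
        return this.secretKey;
    }

    /** @return the instance secret derived into an AES-128 key via {@link Util#toAes128Key} */
    public SecretKey getSecretKeyAsAES128() {
        return Util.toAes128Key(this.secretKey);
    }

    /**
     * @return {@code true} unless both the realm is {@link SecurityRealm#NO_AUTHENTICATION}
     *         and the strategy is {@link AuthorizationStrategy#UNSECURED}
     */
    public boolean isUseSecurity() {
        return this.securityRealm != SecurityRealm.NO_AUTHENTICATION
                || this.authorizationStrategy != AuthorizationStrategy.UNSECURED;
    }

    /** @return the coarse security mode derived from the configured realm */
    public SecurityMode getSecurity() {
        SecurityRealm realm = this.securityRealm; // single read of the volatile field
        if (realm == SecurityRealm.NO_AUTHENTICATION) {
            return SecurityMode.UNSECURED;
        }
        return realm instanceof LegacySecurityRealm ? SecurityMode.LEGACY : SecurityMode.SECURED;
    }

    /** @return the active security realm, never {@code null} */
    public SecurityRealm getSecurityRealm() {
        return this.securityRealm;
    }

    /**
     * Installs a new security realm and, if the servlet filter is already up, re-wires it.
     * Note that this method is invoked from the constructor via {@link #load()}, so
     * subclasses overriding it run before their own fields are initialised.
     *
     * @param securityRealm the realm to install; {@code null} selects
     *        {@link SecurityRealm#NO_AUTHENTICATION}
     * @throws SpringSecurityException if the filter rejects the new realm
     */
    public void setSecurityRealm(SecurityRealm securityRealm) {
        if (securityRealm == null) {
            securityRealm = SecurityRealm.NO_AUTHENTICATION;
        }
        this.securityRealm = securityRealm;
        try {
            HudsonFilter filter = HudsonSecurityEntitiesHolder.getHudsonSecurityFilter();
            if (filter == null) {
                // Happens during early startup; the filter picks the realm up when it initialises.
                logger.debug("HudsonFilter has not yet been initialized: Can't perform security setup for now");
            } else {
                logger.debug("HudsonFilter has been previously initialized: Setting security up");
                filter.reset(securityRealm);
                logger.debug("Security is now fully set up");
            }
        } catch (ServletException e) {
            // SpringSecurityException is not directly instantiable in this Spring Security
            // version, hence the anonymous subclass; the cause is preserved.
            throw new SpringSecurityException("Failed to configure filter", e) {
            };
        }
    }

    /** @return the active authorization strategy, never {@code null} */
    public AuthorizationStrategy getAuthorizationStrategy() {
        return this.authorizationStrategy;
    }

    /**
     * @param authorizationStrategy the strategy to install; {@code null} selects
     *        {@link AuthorizationStrategy#UNSECURED}
     */
    public void setAuthorizationStrategy(AuthorizationStrategy authorizationStrategy) {
        if (authorizationStrategy == null) {
            authorizationStrategy = AuthorizationStrategy.UNSECURED;
        }
        this.authorizationStrategy = authorizationStrategy;
    }

    /**
     * Handles the "Configure Global Security" form submission.
     * <p>
     * The administer permission is checked before any state is touched. All updates happen
     * inside a {@link BulkChange} so the configuration file is written once, on commit.
     *
     * @param staplerRequest  the form request
     * @param staplerResponse the response; redirected to the root URL on success
     * @throws IOException               if the configuration cannot be saved or the redirect fails
     * @throws ServletException          on servlet-level failure
     * @throws Descriptor.FormException  if the submitted form is invalid
     */
    public synchronized void doConfigSubmit(StaplerRequest staplerRequest, StaplerResponse staplerResponse) throws IOException, ServletException, Descriptor.FormException {
        BulkChange bulkChange = new BulkChange(this);
        try {
            checkPermission(Permission.HUDSON_ADMINISTER);
            JSONObject form = staplerRequest.getSubmittedForm();
            if (form.has("use_security")) {
                this.useSecurity = true;
                JSONObject security = form.getJSONObject("use_security");
                setSecurityRealm(SecurityRealm.all().newInstanceFromRadioList(security, "realm"));
                setAuthorizationStrategy(AuthorizationStrategy.all().newInstanceFromRadioList(security, "authorization"));
                if (security.has("markupFormatter")) {
                    this.markupFormatter = (MarkupFormatter) staplerRequest.bindJSON(MarkupFormatter.class, security.getJSONObject("markupFormatter"));
                }
            } else {
                // Security switched off: reset both halves through the setters for consistency.
                this.useSecurity = null;
                setSecurityRealm(SecurityRealm.NO_AUTHENTICATION);
                setAuthorizationStrategy(AuthorizationStrategy.UNSECURED);
            }
            staplerResponse.sendRedirect(Functions.getRequestRootPath(staplerRequest) + '/');
        } finally {
            // Commit exactly once, whether or not the body threw.
            bulkChange.commit();
        }
    }

    /**
     * Delegates logout handling to the active realm.
     *
     * @param staplerRequest  the request
     * @param staplerResponse the response
     * @throws IOException      on I/O failure while responding
     * @throws ServletException on servlet-level failure
     */
    public void doLogout(StaplerRequest staplerRequest, StaplerResponse staplerResponse) throws IOException, ServletException {
        this.securityRealm.doLogout(staplerRequest, staplerResponse);
    }

    /** @return the XStream-backed {@code hudson-security.xml} file under the Hudson home */
    protected final XmlFile getConfigFile() {
        return new XmlFile(XSTREAM, new File(this.hudsonHome, securityConfigFileName));
    }

    /**
     * Persists this object to {@link #getConfigFile()} and notifies {@link SaveableListener}s,
     * unless a {@link BulkChange} is in progress (in which case the commit saves later).
     *
     * @throws IOException if the file cannot be written
     */
    @Override // hudson.model.Saveable
    public synchronized void save() throws IOException {
        if (BulkChange.contains(this)) {
            return;
        }
        XmlFile configFile = getConfigFile();
        configFile.write(this);
        SaveableListener.fireOnChange(this, configFile);
    }

    /**
     * Loads the persisted configuration into this instance and normalises the result.
     * <p>
     * If the dedicated file is missing, the legacy settings are first extracted from
     * {@code config.xml}. Afterwards a missing strategy/realm is defaulted from
     * {@code useSecurity}, and an explicit {@code useSecurity == false} forces unsecured mode.
     * A read failure is logged and leaves the defaults in place.
     */
    private void load() {
        logger.info("Loading Security ..");
        XmlFile configFile = getConfigFile();
        try {
            if (configFile.exists() || extractSecurityConfig()) {
                // XStream populates the fields of this existing instance.
                configFile.unmarshal(this);
            }
        } catch (IOException e) {
            logger.error("Failed to load " + configFile, e);
        }
        boolean securityRequested = this.useSecurity != null && this.useSecurity.booleanValue();
        if (this.authorizationStrategy == null) {
            this.authorizationStrategy = securityRequested
                    ? new FullControlOnceLoggedInAuthorizationStrategy()
                    : AuthorizationStrategy.UNSECURED;
        }
        if (this.securityRealm != null) {
            // Re-install so the servlet filter is wired to the loaded realm.
            setSecurityRealm(this.securityRealm);
        } else {
            setSecurityRealm(securityRequested ? new LegacySecurityRealm() : SecurityRealm.NO_AUTHENTICATION);
        }
        if (this.useSecurity != null && !this.useSecurity.booleanValue()) {
            // Explicitly disabled: override whatever realm/strategy was persisted.
            this.authorizationStrategy = AuthorizationStrategy.UNSECURED;
            setSecurityRealm(SecurityRealm.NO_AUTHENTICATION);
        }
    }

    /** Runs the current thread as {@link ACL#SYSTEM}; pair with {@link #resetFullControl()}. */
    public static void grantFullControl() {
        SecurityContextHolder.getContext().setAuthentication(ACL.SYSTEM);
    }

    /** Clears the current thread's security context. */
    public static void resetFullControl() {
        SecurityContextHolder.clearContext();
    }

    /**
     * @return the authentication bound to the current thread, or {@link #ANONYMOUS}
     *         when none is set
     */
    public static Authentication getAuthentication() {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        return current != null ? current : ANONYMOUS;
    }

    /**
     * One-time migration: moves the security-related elements out of the legacy
     * {@code config.xml} into a new {@code hudson-security.xml}.
     * <p>
     * Best-effort by design: any failure is logged and reported as {@code false}, and
     * {@code config.xml} is only rewritten after the new file has been written successfully,
     * so a failure leaves the legacy settings intact.
     *
     * @return {@code true} if {@code hudson-security.xml} was created from legacy settings
     */
    private boolean extractSecurityConfig() {
        try {
            File legacyConfig = new File(this.hudsonHome, "config.xml");
            if (!legacyConfig.exists()) {
                return false;
            }
            Document legacyDoc = parseXmlFile(legacyConfig);
            if (!isSecuritySet(legacyDoc)) {
                return false;
            }
            Document securityDoc = newDocumentBuilderFactory().newDocumentBuilder().newDocument();
            Element root = securityDoc.createElement("hudsonSecurityManager");
            securityDoc.appendChild(root);
            moveElement(legacyDoc, securityDoc, root, "useSecurity");
            moveElement(legacyDoc, securityDoc, root, "markupFormatter");
            moveElement(legacyDoc, securityDoc, root, "authorizationStrategy");
            moveElement(legacyDoc, securityDoc, root, "securityRealm");
            File securityConfig = new File(this.hudsonHome, securityConfigFileName);
            // We only get here when the file is absent; the transformer overwrites it regardless,
            // so the boolean result is not needed.
            securityConfig.createNewFile();
            writeXmlFile(securityDoc, securityConfig);
            writeXmlFile(legacyDoc, legacyConfig);
            return true;
        } catch (Exception e) {
            logger.error("Failed to extract security settings from config.xml", e);
            return false;
        }
    }

    /**
     * Moves the first {@code tagName} element of {@code source} under {@code target} in
     * {@code destination}; no-op when {@code source} has no such element.
     *
     * @param source      document to take the element from
     * @param destination document that owns {@code target}
     * @param target      element the imported node is appended to
     * @param tagName     tag name of the element to move
     */
    private void moveElement(Document source, Document destination, Element target, String tagName) {
        NodeList matches = source.getElementsByTagName(tagName);
        if (matches == null || matches.getLength() <= 0) {
            return;
        }
        Element moved = (Element) matches.item(0);
        target.appendChild(destination.importNode(moved, true));
        moved.getParentNode().removeChild(moved);
    }

    /**
     * Creates a non-validating {@link DocumentBuilderFactory} hardened against XML external
     * entity expansion. Hudson's {@code config.xml} is plain XStream output and never needs a
     * DOCTYPE, so doctype declarations are rejected where the parser supports that feature,
     * and entity-reference expansion is disabled either way.
     *
     * @return a configured factory
     */
    private DocumentBuilderFactory newDocumentBuilderFactory() {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setValidating(false);
        factory.setExpandEntityReferences(false);
        try {
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        } catch (ParserConfigurationException e) {
            // Not every JAXP implementation knows this feature; keep the other settings.
            logger.debug("XML parser does not support disallow-doctype-decl; continuing without it", e);
        }
        return factory;
    }

    /**
     * Parses {@code file} with the hardened factory from {@link #newDocumentBuilderFactory()}.
     *
     * @param file the XML file to parse
     * @return the parsed document
     * @throws ParserConfigurationException if no suitable parser is available
     * @throws SAXException                 if the file is not well-formed
     * @throws IOException                  if the file cannot be read
     */
    private Document parseXmlFile(File file) throws ParserConfigurationException, SAXException, IOException {
        return newDocumentBuilderFactory().newDocumentBuilder().parse(file);
    }

    /**
     * Serialises {@code document} to {@code file}, indented by two spaces.
     *
     * @param document the DOM to write
     * @param file     the destination file (overwritten)
     * @throws TransformerConfigurationException if no transformer is available
     * @throws TransformerException              if writing fails
     */
    private void writeXmlFile(Document document, File file) throws TransformerConfigurationException, TransformerException {
        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        transformer.setOutputProperty("indent", CustomBooleanEditor.VALUE_YES);
        // Xalan-specific key controlling the indent width; ignored by other implementations.
        transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "2");
        transformer.transform(new DOMSource(document), new StreamResult(file));
    }

    /**
     * @param document a parsed legacy {@code config.xml}
     * @return whether it contains a {@code useSecurity} element, i.e. legacy security settings
     */
    private boolean isSecuritySet(Document document) {
        NodeList matches = document.getElementsByTagName("useSecurity");
        return matches != null && matches.getLength() > 0;
    }

    static {
        // Root element name used in hudson-security.xml (and by extractSecurityConfig()).
        XSTREAM.alias("hudsonSecurityManager", HudsonSecurityManager.class);
    }
}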
