package com.cloudbees.jenkins.plugins.kubernetes_credentials_provider;

import com.cloudbees.plugins.credentials.Credentials;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.CredentialsStore;
import com.cloudbees.plugins.credentials.common.IdCredentials;
import edu.umd.cs.findbugs.annotations.CheckForNull;
import edu.umd.cs.findbugs.annotations.NonNull;
import hudson.Extension;
import hudson.ExtensionList;
import hudson.init.InitMilestone;
import hudson.init.Initializer;
import hudson.init.TermMilestone;
import hudson.init.Terminator;
import hudson.model.AdministrativeMonitor;
import hudson.model.ItemGroup;
import hudson.model.ModelObject;
import hudson.security.ACL;
import hudson.triggers.SafeTimerTask;
import hudson.util.AdministrativeError;
import io.fabric8.kubernetes.api.model.LabelSelector;
import io.fabric8.kubernetes.api.model.Secret;
import io.fabric8.kubernetes.api.model.SecretList;
import io.fabric8.kubernetes.client.Config;
import io.fabric8.kubernetes.client.ConfigBuilder;
import io.fabric8.kubernetes.client.DefaultKubernetesClient;
import io.fabric8.kubernetes.client.KubernetesClient;
import io.fabric8.kubernetes.client.KubernetesClientException;
import io.fabric8.kubernetes.client.Watch;
import io.fabric8.kubernetes.client.Watcher;
import io.fabric8.kubernetes.client.WatcherException;
import io.fabric8.kubernetes.client.dsl.FilterWatchListDeletable;
import java.lang.reflect.InvocationTargetException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import jenkins.model.Jenkins;
import jenkins.util.Timer;
import org.acegisecurity.Authentication;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;

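/**
 * Jenkins {@link CredentialsProvider} that mirrors labelled Kubernetes {@code Secret}s into an
 * in-memory map of {@link IdCredentials} and keeps that map current through a watch.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Every secret carrying the {@code jenkins.io/credentials-type} label (optionally narrowed by
 *       the selector in the {@link #LABEL_SELECTOR} system property) that a registered
 *       {@code SecretToCredentialConverter} can convert becomes a Jenkins credential. Write access
 *       to secrets in the watched namespace therefore amounts to the ability to add or replace
 *       Jenkins credentials.</li>
 *   <li>{@link #getCredentials} serves credentials only to {@link ACL#SYSTEM} and ignores the
 *       requesting item group, so no per-folder scoping is applied here.</li>
 *   <li>The Kubernetes client is built from {@code new ConfigBuilder().build()}; presumably this
 *       picks up the ambient service account or kubeconfig (confirm against the fabric8 version in
 *       use). That identity's RBAC bounds what this provider can read.</li>
 * </ul>
 *
 * <p>The {@code client}, {@code watch} and {@code credentials} fields are written from the init
 * thread, the watch callback thread and the reconnect timer without synchronisation.
 */
@Extension
public class KubernetesCredentialProvider extends CredentialsProvider implements Watcher<Secret> {

    private static final Logger LOG = Logger.getLogger(KubernetesCredentialProvider.class.getName());

    /** Name of the system property holding an optional extra label selector expression. */
    static final String LABEL_SELECTOR = KubernetesCredentialProvider.class.getName() + ".labelSelector";

    /** Label that marks a Secret as a Jenkins credential; its value names the converter type. */
    private static final String CREDENTIALS_TYPE_LABEL = "jenkins.io/credentials-type";

    // Lazily created by getKubernetesClient(), released by stopWatchingForSecrets().
    @CheckForNull
    private KubernetesClient client;

    // Handle of the active secrets watch, if one was registered.
    @CheckForNull
    private Watch watch;

    // Credential id -> converted credential. Replaced wholesale on every (re)list.
    private ConcurrentHashMap<String, IdCredentials> credentials = new ConcurrentHashMap<>();

    // Whether a failed initialisation schedules another attempt (system property, default true).
    private boolean reconnectClientOnException = Boolean.parseBoolean(
            System.getProperty(KubernetesCredentialProvider.class.getName() + ".reconnectClientOnException", "true"));

    // Delay before that retry, in minutes (system property, default 5).
    private int reconnectClientDelayMins =
            Integer.getInteger(KubernetesCredentialProvider.class.getName() + ".reconnectClientDelayMins", 5);

    private KubernetesCredentialsStore store = new KubernetesCredentialsStore(this);

    /**
     * Swaps the current thread's context class loader for the lifetime of a
     * try-with-resources block and restores the previous one on {@link #close()}.
     */
    public static class WithContextClassLoader implements AutoCloseable {
        private final ClassLoader previousClassLoader = Thread.currentThread().getContextClassLoader();

        public WithContextClassLoader(ClassLoader classLoader) {
            Thread.currentThread().setContextClassLoader(classLoader);
        }

        @Override
        public void close() {
            Thread.currentThread().setContextClassLoader(this.previousClassLoader);
        }
    }

    /**
     * Returns the shared Kubernetes client, creating it on first use.
     *
     * <p>The client is constructed with this plugin's class loader installed as the thread context
     * class loader; the previous loader is restored even if construction throws.
     *
     * @return the cached or newly created client
     */
    KubernetesClient getKubernetesClient() {
        if (client == null) {
            Config config = new ConfigBuilder().build();
            try (WithContextClassLoader ignored = new WithContextClassLoader(getClass().getClassLoader())) {
                client = new DefaultKubernetesClient(config);
            }
        }
        return client;
    }

    /**
     * Lists all matching secrets, replaces the credential map with the converted result and
     * registers a watch starting at the list's resource version.
     *
     * <p>Failures do not propagate: a selector parse error or a Kubernetes client error is logged
     * at SEVERE and surfaced as an {@link AdministrativeError}; a client error additionally
     * schedules a retry when {@code reconnectClientOnException} is set. On success the stale
     * administrative monitors of both kinds are removed.
     */
    @Initializer(after = InitMilestone.PLUGINS_PREPARED, fatal = false)
    @Restricted({NoExternalUse.class})
    public void startWatchingForSecrets() {
        final String initMonitorId = getClass().getName() + ".initialize";
        final String selectorMonitorId = getClass().getName() + ".labelSelector";
        String selectorExpression = System.getProperty(LABEL_SELECTOR);
        try {
            KubernetesClient kubernetesClient = getKubernetesClient();
            LOG.log(Level.FINER, "Using namespace: {0}", String.valueOf(kubernetesClient.getNamespace()));
            LabelSelector selector = LabelSelectorExpressions.parse(selectorExpression);
            LOG.log(Level.INFO, "retrieving secrets with selector: {0}, {1}",
                    new Object[] {CREDENTIALS_TYPE_LABEL, Objects.toString(selector)});
            LOG.log(Level.FINER, "retrieving secrets");
            SecretList secretList = kubernetesClient.secrets()
                    .withLabelSelector(selector)
                    .withLabel(CREDENTIALS_TYPE_LABEL)
                    .list();

            // Build the new view off to the side and publish it in one assignment, so readers
            // never observe a half-populated map.
            ConcurrentHashMap<String, IdCredentials> fresh = new ConcurrentHashMap<>();
            for (Secret secret : secretList.getItems()) {
                LOG.log(Level.FINE, "Secret Added - {0}", SecretUtils.getCredentialId(secret));
                addSecret(secret, fresh);
            }
            this.credentials = fresh;

            LOG.log(Level.FINER, "registering watch");
            String resourceVersion = secretList.getMetadata().getResourceVersion();
            try {
                this.watch = kubernetesClient.secrets()
                        .withLabelSelector(selector)
                        .withLabel(CREDENTIALS_TYPE_LABEL)
                        .watch(resourceVersion, this);
            } catch (NoSuchMethodError e) {
                // The linked watch(String, Watcher) signature is missing at runtime (presumably a
                // binary-incompatible client library version), so look the method up reflectively.
                Object filtered = kubernetesClient.secrets()
                        .withLabelSelector(selector)
                        .withLabel(CREDENTIALS_TYPE_LABEL);
                try {
                    this.watch = (Watch) filtered.getClass()
                            .getMethod("watch", String.class, Watcher.class)
                            .invoke(filtered, resourceVersion, this);
                } catch (IllegalAccessException | NoSuchMethodException | InvocationTargetException reflective) {
                    RuntimeException wrapped = new RuntimeException(reflective);
                    wrapped.addSuppressed(e);
                    throw wrapped;
                }
            }
            LOG.log(Level.FINER, "registered watch, retrieving secrets");
            clearAdminMonitors(initMonitorId, selectorMonitorId);
        } catch (LabelSelectorParseException e) {
            LOG.log(Level.SEVERE,
                    "Failed to initialise k8s secret provider, secrets from Kubernetes will not be available", e);
            clearAdminMonitors(selectorMonitorId);
            // NOTE(review): the selector text is concatenated into HTML markup unescaped. It comes
            // from a JVM system property, so it is operator-controlled, but HTML-escaping it before
            // display would be more robust. The anchor also uses `_target="blank"`, which is not
            // the standard `target` attribute.
            new AdministrativeError(selectorMonitorId, "Failed to parse Kubernetes secret label selector", "Failed to parse Kubernetes secret <a href=\"https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors\" _target=\"blank\">label selector</a> expression \"<code>" + selectorExpression + "</code>\". Secrets from Kubernetes will not be available. ", e);
        } catch (KubernetesClientException e) {
            LOG.log(Level.SEVERE,
                    "Failed to initialise k8s secret provider, secrets from Kubernetes will not be available", e);
            if (this.reconnectClientOnException) {
                reconnectLater();
            }
            clearAdminMonitors(initMonitorId);
            new AdministrativeError(initMonitorId, "Failed to initialize Kubernetes secret provider", "Credentials from Kubernetes Secrets will not be available.", e);
        }
    }

    /** Schedules one more {@link #startWatchingForSecrets()} attempt after the configured delay. */
    private void reconnectLater() {
        LOG.log(Level.INFO, "Attempting to reconnect Kubernetes client in {0} mins", this.reconnectClientDelayMins);
        Timer.get().schedule(new SafeTimerTask() {
            @Override
            protected void doRun() throws Exception {
                KubernetesCredentialProvider.this.startWatchingForSecrets();
            }
        }, this.reconnectClientDelayMins, TimeUnit.MINUTES);
    }

    /**
     * Removes every registered administrative monitor whose id is one of {@code ids}.
     *
     * @param ids monitor ids to clear
     */
    private void clearAdminMonitors(String... ids) {
        List<String> wanted = Arrays.asList(ids);
        ExtensionList<AdministrativeMonitor> all = AdministrativeMonitor.all();
        // Collect the matches first, then remove them, so the list is not mutated while streamed.
        List<AdministrativeMonitor> stale = all.stream()
                .filter(monitor -> wanted.contains(monitor.id))
                .collect(Collectors.toList());
        all.removeAll(stale);
    }

    /** Closes the watch and the client (when present) and clears both references. */
    @Restricted({NoExternalUse.class})
    @Terminator(after = TermMilestone.STARTED)
    public void stopWatchingForSecrets() {
        if (this.watch != null) {
            this.watch.close();
            this.watch = null;
        }
        if (this.client != null) {
            this.client.close();
            this.client = null;
        }
    }

    /**
     * Returns the cached credentials assignable to {@code cls}.
     *
     * <p>Only {@link ACL#SYSTEM} receives anything; every other authentication gets an empty
     * list. {@code itemGroup} is not consulted.
     *
     * @param cls            credential type requested
     * @param itemGroup      requesting context (unused)
     * @param authentication identity making the request
     * @return matching credentials, possibly empty, never {@code null}
     */
    public <C extends Credentials> List<C> getCredentials(Class<C> cls, ItemGroup itemGroup, Authentication authentication) {
        LOG.log(Level.FINEST, "getCredentials called with type {0} and authentication {1}", new Object[]{cls.getName(), authentication});
        if (!ACL.SYSTEM.equals(authentication)) {
            return emptyList();
        }
        List<C> matches = new ArrayList<>();
        for (IdCredentials candidate : this.credentials.values()) {
            LOG.log(Level.FINEST, "getCredentials {0} is a possible candidate", candidate.getId());
            if (cls.isAssignableFrom(candidate.getClass())) {
                LOG.log(Level.FINEST, "getCredentials {0} matches, adding to list", candidate.getId());
                matches.add(cls.cast(candidate));
            } else {
                LOG.log(Level.FINEST, "getCredentials {0} does not match", candidate.getId());
            }
        }
        return matches;
    }

    /** Typed shorthand for {@link Collections#emptyList()}. */
    @NonNull
    private final <T> List<T> emptyList() {
        return Collections.emptyList();
    }

    /** Converts {@code secret} and stores it in the live credential map. */
    private void addSecret(Secret secret) {
        addSecret(secret, this.credentials);
    }

    /**
     * Converts {@code secret} and, when conversion succeeds, stores it in {@code map} under its
     * credential id, replacing any previous entry with that id.
     */
    private void addSecret(Secret secret, Map<String, IdCredentials> map) {
        IdCredentials converted = convertSecret(secret);
        if (converted != null) {
            map.put(SecretUtils.getCredentialId(secret), converted);
        }
    }

    /**
     * Watch callback: applies an add, modify or delete event to the credential map.
     *
     * @param action kind of event
     * @param secret the secret the event refers to
     */
    public void eventReceived(Watcher.Action action, Secret secret) {
        String credentialId = SecretUtils.getCredentialId(secret);
        switch (action) {
            case ADDED:
                LOG.log(Level.FINE, "Secret Added - {0}", credentialId);
                addSecret(secret);
                return;
            case MODIFIED:
                LOG.log(Level.FINE, "Secret Modified - {0}", credentialId);
                addSecret(secret);
                return;
            case DELETED:
                LOG.log(Level.FINE, "Secret Deleted - {0}", credentialId);
                this.credentials.remove(credentialId);
                return;
            case ERROR:
                // Log the credential id only: a Secret's string form may include its data
                // payload, and secret material must not end up in the Jenkins log.
                LOG.log(Level.WARNING, "Action received of type Error. {0}", credentialId);
                return;
            case BOOKMARK:
            default:
                return;
        }
    }

    /**
     * Watch callback for watch termination. A {@code null} cause is treated as an orderly stop;
     * anything else triggers an immediate re-list and re-watch.
     *
     * @param watcherException cause of the close, or {@code null}
     */
    public void onClose(WatcherException watcherException) {
        if (watcherException == null) {
            LOG.log(Level.INFO, "Secrets watcher stopped");
            return;
        }
        LOG.log(Level.WARNING, "Secrets watch stopped unexpectedly", watcherException);
        LOG.log(Level.INFO, "Restating secrets watcher");
        startWatchingForSecrets();
    }

    /**
     * Converts a secret into a credential using the converter registered for the value of its
     * {@code jenkins.io/credentials-type} label.
     *
     * @param secret the secret to convert
     * @return the credential, or {@code null} when no converter exists or conversion fails
     */
    @CheckForNull
    IdCredentials convertSecret(Secret secret) {
        String type = secret.getMetadata().getLabels().get(CREDENTIALS_TYPE_LABEL);
        SecretToCredentialConverter converter = SecretToCredentialConverter.lookup(type);
        if (converter == null) {
            LOG.log(Level.WARNING, "No SecretToCredentialConverter found to convert secrets of type {0}", type);
            return null;
        }
        try {
            // mo3convert is a decompiler-assigned method name; presumably the converter's
            // convert method. Kept as-is to match the rest of this decompiled tree.
            return converter.mo3convert(secret);
        } catch (CredentialsConvertionException e) {
            // Full stack trace only when FINE is enabled; otherwise just the message at WARNING.
            if (LOG.isLoggable(Level.FINE)) {
                LOG.log(Level.FINE, "Failed to convert Secret '" + SecretUtils.getCredentialId(secret) + "' of type " + type, e);
                return null;
            }
            LOG.log(Level.WARNING, "Failed to convert Secret ''{0}'' of type {1} due to {2}", new Object[]{SecretUtils.getCredentialId(secret), type, e.getMessage()});
            return null;
        }
    }

    /**
     * Returns this provider's store for the Jenkins root object and {@code null} for any other
     * context.
     */
    public CredentialsStore getStore(ModelObject modelObject) {
        if (modelObject == Jenkins.getInstance()) {
            return this.store;
        }
        return null;
    }

    /** Icon class name used for this provider. */
    public String getIconClassName() {
        return "icon-credentials-kubernetes-store";
    }
}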
