package io.jenkins.plugins.signpath.SecretRetrieval;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.CredentialsScope;
import hudson.util.Secret;
import io.jenkins.plugins.signpath.Exceptions.SecretNotFoundException;
import java.util.Arrays;
import java.util.Collections;
import java.util.stream.Collectors;
import jenkins.model.Jenkins;
import org.acegisecurity.Authentication;
import org.jenkinsci.plugins.plaincredentials.StringCredentials;

/* loaded from: input_file:io/jenkins/plugins/signpath/SecretRetrieval/CredentialBasedSecretRetriever.class */
public class CredentialBasedSecretRetriever implements SecretRetriever {
    private final Jenkins jenkins;

    public CredentialBasedSecretRetriever(Jenkins jenkins) {
        this.jenkins = jenkins;
    }

    @Override // io.jenkins.plugins.signpath.SecretRetrieval.SecretRetriever
    public Secret retrieveSecret(String str) throws SecretNotFoundException {
        return retrieveSecret(str, new CredentialsScope[]{CredentialsScope.SYSTEM});
    }

    @Override // io.jenkins.plugins.signpath.SecretRetrieval.SecretRetriever
    public Secret retrieveSecret(String str, CredentialsScope[] credentialsScopeArr) throws SecretNotFoundException {
        StringCredentials firstOrNull = CredentialsMatchers.firstOrNull(CredentialsProvider.lookupCredentials(StringCredentials.class, this.jenkins, (Authentication) null, Collections.emptyList()), CredentialsMatchers.withId(str));
        if (firstOrNull == null) {
            throw new SecretNotFoundException(String.format("The secret '%s' could not be found in the credential store.", str));
        }
        CredentialsScope scope = firstOrNull.getScope();
        if (credentialsScopeArr.length <= 0 || Arrays.asList(credentialsScopeArr).contains(scope)) {
            return firstOrNull.getSecret();
        }
        throw new SecretNotFoundException(String.format("The secret '%s' was configured with scope '%s' but needs to be in scope(s) '%s'.", str, scope == null ? "<null>" : scope.getDisplayName(), (String) Arrays.stream(credentialsScopeArr).map((v0) -> {
            return v0.getDisplayName();
        }).collect(Collectors.joining("' or '"))));
    }
}
