package com.cloudbees.jenkins.plugins.bitbucket.hooks;

import com.cloudbees.jenkins.plugins.bitbucket.api.endpoint.BitbucketEndpoint;
import com.cloudbees.jenkins.plugins.bitbucket.api.endpoint.BitbucketEndpointProvider;
import com.cloudbees.jenkins.plugins.bitbucket.endpoints.BitbucketCloudEndpoint;
import edu.umd.cs.findbugs.annotations.CheckForNull;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.Nullable;
import hudson.Extension;
import hudson.model.UnprotectedRootAction;
import hudson.security.csrf.CrumbExclusion;
import hudson.util.HttpResponses;
import hudson.util.Secret;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.logging.Level;
import java.util.logging.Logger;
import jenkins.scm.api.SCMEvent;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.codec.digest.HmacAlgorithms;
import org.apache.commons.codec.digest.HmacUtils;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.ObjectUtils;
import org.jenkinsci.plugins.plaincredentials.StringCredentials;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.StaplerRequest2;

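/**
 * Receives Bitbucket webhook notifications on {@code /bitbucket-scmsource-hook/notify}.
 *
 * <p>The class is a {@link CrumbExclusion} (requests to the hook path skip the CSRF crumb check)
 * and an {@link UnprotectedRootAction} (the URL is reachable without Jenkins authentication).
 * The only authenticity check applied to a payload is therefore the HMAC comparison in
 * {@code checkSignature}, and it runs only when the matched endpoint has hook signatures enabled.
 */
@Extension
public class BitbucketSCMSourcePushHookReceiver extends CrumbExclusion implements UnprotectedRootAction {
    private static final Logger LOGGER = Logger.getLogger(BitbucketSCMSourcePushHookReceiver.class.getName());
    private static final String PATH = "bitbucket-scmsource-hook";
    public static final String FULL_PATH = "bitbucket-scmsource-hook/notify";

    /**
     * Lets requests for the hook path through without a CSRF crumb.
     *
     * @return {@code true} when the request targeted the hook path and was passed down the chain,
     *         {@code false} when this exclusion does not apply
     */
    @Override
    public boolean process(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        String pathInfo = httpServletRequest.getPathInfo();
        if (pathInfo == null || !pathInfo.startsWith("/" + FULL_PATH)) {
            return false;
        }
        filterChain.doFilter(httpServletRequest, httpServletResponse);
        return true;
    }

    @Override
    public String getUrlName() {
        return PATH;
    }

    /**
     * Handles one webhook delivery: identifies the event type and the Bitbucket flavour, verifies
     * the payload signature when the endpoint requires it, then hands the body to the processor.
     *
     * @param staplerRequest2 the incoming webhook request
     * @return 400 for a missing or unknown {@code X-Event-Key}, 403 or 400 when signature
     *         verification fails, otherwise an OK response
     * @throws IOException if the request body cannot be read
     */
    public HttpResponse doNotify(StaplerRequest2 staplerRequest2) throws IOException {
        String origin = SCMEvent.originOf(staplerRequest2);
        // The body is read once, up front: the same string is both HMAC-verified and processed.
        String body = IOUtils.toString(staplerRequest2.getInputStream(), StandardCharsets.UTF_8);
        String eventKey = staplerRequest2.getHeader("X-Event-Key");
        if (eventKey == null) {
            return hudson.util.HttpResponses.error(400, "X-Event-Key HTTP header not found");
        }
        HookEventType eventType = HookEventType.fromString(eventKey);
        if (eventType == null) {
            LOGGER.info(() -> "Received unknown Bitbucket hook: " + eventKey + ". Skipping.");
            return hudson.util.HttpResponses.error(400, "X-Event-Key HTTP header invalid: " + eventKey);
        }
        String typeHeader = staplerRequest2.getHeader("X-Bitbucket-Type");
        String serverUrl = staplerRequest2.getParameter("server_url");
        BitbucketType bitbucketType = null;
        if (typeHeader != null) {
            bitbucketType = BitbucketType.fromString(typeHeader);
            LOGGER.log(Level.FINE, "X-Bitbucket-Type header found {0}.", bitbucketType);
        }
        if (serverUrl == null) {
            LOGGER.log(Level.FINE, "X-Bitbucket-Type header / server_url request parameter not found. Bitbucket Cloud webhook incoming.");
            bitbucketType = BitbucketType.CLOUD;
            serverUrl = BitbucketCloudEndpoint.SERVER_URL;
        } else if (bitbucketType == null) {
            LOGGER.log(Level.FINE, "server_url request parameter found. Bitbucket Native Server webhook incoming.");
            bitbucketType = BitbucketType.SERVER;
        } else {
            LOGGER.log(Level.FINE, "X-Bitbucket-Type header / server_url request parameter found. Bitbucket Plugin Server webhook incoming.");
        }
        BitbucketEndpoint bitbucketEndpoint = (BitbucketEndpoint) BitbucketEndpointProvider.lookupEndpoint(serverUrl).orElse(null);
        if (bitbucketEndpoint == null) {
            // server_url comes from the request, so a value that matches no configured endpoint
            // reaches the processor below with no signature check at all.
            // NOTE(review): confirm the processors ignore events for servers Jenkins does not
            // know, or reject the request here.
            LOGGER.log(Level.INFO, "No bitbucket endpoint found for {0} to verify the signature of incoming webhook.", serverUrl);
        } else if (bitbucketEndpoint.isEnableHookSignature()) {
            // Signatures are mandatory for this endpoint: an unsigned payload is refused outright.
            if (staplerRequest2.getHeader("X-Hub-Signature") == null) {
                return hudson.util.HttpResponses.error(403, "Payload has not be signed, configure the webHook secret in Bitbucket as documented at https://github.com/jenkinsci/bitbucket-branch-source-plugin/blob/master/docs/USER_GUIDE.adoc#webhooks-registering");
            }
            org.kohsuke.stapler.HttpResponses.HttpResponseException signatureError = checkSignature(staplerRequest2, body, bitbucketEndpoint);
            if (signatureError != null) {
                return signatureError;
            }
        } else if (staplerRequest2.getHeader("X-Hub-Signature") == null) {
            // NOTE(review): this logs when the signature header is absent, while the message reads
            // as if it were meant for a signed request hitting an endpoint without signatures.
            // Confirm the intended condition.
            LOGGER.log(Level.FINER, "Signature not configured for bitbucket endpoint {0}.", serverUrl);
        }
        getHookProcessor(eventType).process(eventType, body, bitbucketType, origin, serverUrl);
        return hudson.util.HttpResponses.ok();
    }

    /**
     * Verifies the {@code X-Hub-Signature} header ({@code <algorithm>=<hex digest>}) against an
     * HMAC of the request body keyed with the endpoint's hook secret.
     *
     * @param staplerRequest2 request carrying the signature header
     * @param str the raw request body that was signed
     * @param bitbucketEndpoint endpoint whose credentials hold the shared secret
     * @return {@code null} when the signature matches, otherwise the error response to send
     */
    @Nullable
    private org.kohsuke.stapler.HttpResponses.HttpResponseException checkSignature(@NonNull StaplerRequest2 staplerRequest2, @NonNull String str, @NonNull BitbucketEndpoint bitbucketEndpoint) {
        LOGGER.log(Level.FINE, "Payload endpoint host {0}, request endpoint host {1}", new Object[]{bitbucketEndpoint, staplerRequest2.getRemoteAddr()});
        StringCredentials hookSignatureCredentials = bitbucketEndpoint.hookSignatureCredentials();
        if (hookSignatureCredentials == null) {
            String hookUuid = staplerRequest2.getHeader("X-Hook-UUID");
            String requestId = ObjectUtils.firstNonNull(staplerRequest2.getHeader("X-Request-UUID"), staplerRequest2.getHeader("X-Request-Id"));
            String hookSignatureCredentialsId = bitbucketEndpoint.getHookSignatureCredentialsId();
            LOGGER.log(Level.WARNING, "No credentials {0} found to verify the signature of incoming webhook {1} request {2}", new Object[]{hookSignatureCredentialsId, hookUuid, requestId});
            // Fail closed. NOTE(review): the response echoes the credentials id to an
            // unauthenticated caller; it is already in the log, so consider a generic message.
            return hudson.util.HttpResponses.error(403, "No credentials " + hookSignatureCredentialsId + " found in Jenkins to verify the signature");
        }
        String signatureHeader = staplerRequest2.getHeader("X-Hub-Signature");
        String algorithmName = StringUtils.trimToNull(StringUtils.substringBefore(signatureHeader, "="));
        String signatureHex = StringUtils.trimToNull(StringUtils.substringAfter(signatureHeader, "="));
        HmacAlgorithms algorithm = getAlgorithm(algorithmName);
        if (algorithm == null) {
            return hudson.util.HttpResponses.error(403, "Signature " + algorithmName + " not supported");
        }
        if (signatureHex == null) {
            // A header without '=' or with an empty digest would otherwise hand null to
            // Hex.decodeHex and surface as an unhandled NullPointerException.
            return hudson.util.HttpResponses.error(400, "X-Hub-Signature HTTP header does not contain a signature value");
        }
        try {
            byte[] received = Hex.decodeHex(signatureHex);
            byte[] key = Secret.toString(hookSignatureCredentials.getSecret()).getBytes(StandardCharsets.UTF_8);
            byte[] expected = new HmacUtils(algorithm, key).hmac(str);
            // MessageDigest.isEqual, not Arrays.equals: the digest comparison must be constant-time.
            if (MessageDigest.isEqual(received, expected)) {
                return null;
            }
            return hudson.util.HttpResponses.error(403, "Signature verification failed");
        } catch (IllegalArgumentException e) {
            return hudson.util.HttpResponses.error(400, "Signature method not supported: " + algorithm);
        } catch (DecoderException e2) {
            return hudson.util.HttpResponses.error(400, "Hex signature can not be decoded: " + signatureHex);
        }
    }

    /**
     * Maps the algorithm prefix of the signature header to an HMAC algorithm.
     *
     * @param str algorithm name as sent by the client, compared case-insensitively; may be null
     * @return the matching algorithm, or {@code null} when the name is null or not recognised
     */
    @CheckForNull
    private HmacAlgorithms getAlgorithm(String str) {
        String name = StringUtils.lowerCase(str);
        if (name == null) {
            // An empty prefix (header starting with '=') arrives here as null.
            return null;
        }
        switch (name) {
            case "sha1":
                return HmacAlgorithms.HMAC_SHA_1;
            case "sha256":
                return HmacAlgorithms.HMAC_SHA_256;
            case "sha384":
                return HmacAlgorithms.HMAC_SHA_384;
            case "sha512":
                return HmacAlgorithms.HMAC_SHA_512;
            default:
                return null;
        }
    }

    /** Returns the processor registered for the given event type. */
    HookProcessor getHookProcessor(HookEventType hookEventType) {
        return hookEventType.getProcessor();
    }

    /** Returns {@code null}; this action supplies no icon. */
    @Override
    public String getIconFileName() {
        return null;
    }

    /** Returns {@code null}; this action supplies no display name. */
    @Override
    public String getDisplayName() {
        return null;
    }
}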
