package org.jenkinsci.plugins.scriptsecurity.sandbox.groovy;

import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import groovy.grape.GrabAnnotationTransformation;
import groovy.lang.GroovyClassLoader;
import groovy.lang.GroovyShell;
import groovy.lang.Script;
import hudson.util.FormValidation;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.concurrent.Callable;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.Nonnull;
import org.codehaus.groovy.control.CompilationFailedException;
import org.codehaus.groovy.control.CompilationUnit;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException;
import org.jenkinsci.plugins.scriptsecurity.sandbox.Whitelist;
import org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.ProxyWhitelist;
import org.kohsuke.groovy.sandbox.SandboxTransformer;

/* loaded from: input_file:WEB-INF/detached-plugins/script-security.hpi:WEB-INF/lib/script-security.jar:org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.class */
public class GroovySandbox {
    public static final Logger LOGGER = Logger.getLogger(GroovySandbox.class.getName());

    @Nonnull
    public static CompilerConfiguration createSecureCompilerConfiguration() {
        CompilerConfiguration createBaseCompilerConfiguration = createBaseCompilerConfiguration();
        createBaseCompilerConfiguration.addCompilationCustomizers(new SandboxTransformer());
        return createBaseCompilerConfiguration;
    }

    @Nonnull
    public static CompilerConfiguration createBaseCompilerConfiguration() {
        CompilerConfiguration compilerConfiguration = new CompilerConfiguration();
        compilerConfiguration.addCompilationCustomizers(new RejectASTTransformsCustomizer());
        compilerConfiguration.setDisabledGlobalASTTransformations(new HashSet(Collections.singletonList(GrabAnnotationTransformation.class.getName())));
        return compilerConfiguration;
    }

    @Nonnull
    @SuppressFBWarnings(value = {"DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED"}, justification = "Should be managed by the caller.")
    public static ClassLoader createSecureClassLoader(ClassLoader classLoader) {
        return new SandboxResolvingClassLoader(classLoader);
    }

    public static void runInSandbox(@Nonnull Runnable runnable, @Nonnull Whitelist whitelist) throws RejectedAccessException {
        SandboxInterceptor sandboxInterceptor = new SandboxInterceptor(whitelist);
        sandboxInterceptor.register();
        try {
            runnable.run();
        } finally {
            sandboxInterceptor.unregister();
        }
    }

    public static <V> V runInSandbox(@Nonnull Callable<V> callable, @Nonnull Whitelist whitelist) throws Exception {
        SandboxInterceptor sandboxInterceptor = new SandboxInterceptor(whitelist);
        sandboxInterceptor.register();
        try {
            V call = callable.call();
            sandboxInterceptor.unregister();
            return call;
        } catch (Throwable th) {
            sandboxInterceptor.unregister();
            throw th;
        }
    }

    @Deprecated
    public static void runInSandbox(@Nonnull final Script script, @Nonnull Whitelist whitelist) throws RejectedAccessException {
        runInSandbox(new Runnable() { // from class: org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.1
            @Override // java.lang.Runnable
            public void run() {
                Script.this.run();
            }
        }, whitelist);
    }

    @Deprecated
    public static Object run(@Nonnull Script script, @Nonnull Whitelist whitelist) throws RejectedAccessException {
        LOGGER.log(Level.WARNING, (String) null, (Throwable) new IllegalStateException(Messages.GroovySandbox_useOfInsecureRunOverload()));
        SandboxInterceptor sandboxInterceptor = new SandboxInterceptor(new ProxyWhitelist(new ClassLoaderWhitelist(script.getClass().getClassLoader()), whitelist));
        sandboxInterceptor.register();
        try {
            Object run = script.run();
            sandboxInterceptor.unregister();
            return run;
        } catch (Throwable th) {
            sandboxInterceptor.unregister();
            throw th;
        }
    }

    public static Object run(@Nonnull final GroovyShell groovyShell, @Nonnull final String str, @Nonnull Whitelist whitelist) throws RejectedAccessException {
        try {
            final Script script = (Script) runInSandbox(new Callable<Script>() { // from class: org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.2
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.util.concurrent.Callable
                public Script call() throws Exception {
                    return GroovyShell.this.parse(str);
                }
            }, whitelist);
            return runInSandbox(new Callable<Object>() { // from class: org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.3
                @Override // java.util.concurrent.Callable
                public Object call() throws Exception {
                    return Script.this.run();
                }
            }, new ProxyWhitelist(new ClassLoaderWhitelist(script.getClass().getClassLoader()), whitelist));
        } catch (RuntimeException e) {
            throw e;
        } catch (Exception e2) {
            throw new AssertionError(e2);
        }
    }

    @Nonnull
    public static FormValidation checkScriptForCompilationErrors(String str, GroovyClassLoader groovyClassLoader) {
        try {
            CompilationUnit compilationUnit = new CompilationUnit(createSecureCompilerConfiguration(), new CodeSource(new URL("file", "", GroovyShell.DEFAULT_CODE_BASE), (Certificate[]) null), groovyClassLoader);
            compilationUnit.addSource("Script1", str);
            compilationUnit.compile(5);
            return FormValidation.ok();
        } catch (MalformedURLException | CompilationFailedException e) {
            return FormValidation.error(e.getLocalizedMessage());
        }
    }

    private GroovySandbox() {
    }
}
