package jenkins.security;

import hudson.Extension;
import hudson.Util;
import hudson.model.DirectoryBrowserSupport;
import hudson.model.UnprotectedRootAction;
import hudson.model.User;
import hudson.security.ACL;
import hudson.security.ACLContext;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Date;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import jenkins.model.Jenkins;
import jenkins.util.SystemProperties;
import org.acegisecurity.AccessDeniedException;
import org.acegisecurity.Authentication;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.kohsuke.stapler.Stapler;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.springframework.aop.framework.autoproxy.target.QuickTargetSourceCreator;

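/* loaded from: input_file:WEB-INF/lib/jenkins-core-2.199-rc28766.41919ee78292.jar:jenkins/security/ResourceDomainRootAction.class */
/**
 * Root action published under {@code static-files} that answers requests arriving on the
 * separate resource domain.
 *
 * <p>Flow, as implemented in this class:
 * <ol>
 *   <li>{@link #register} builds {@code name:epochMillis:path} for the current authentication
 *       and wraps it with {@code encode} (MAC followed by the hex of the UTF-8 payload).</li>
 *   <li>{@link #getDynamic} accepts a token only when the request is a resource request and the
 *       MAC verifies. A token younger than {@link #VALID_FOR_MINUTES} is replayed as the
 *       recorded user; an expired or future-dated one is redirected to the same path under the
 *       Jenkins root URL.</li>
 * </ol>
 *
 * <p>Security notes for maintainers: this is an {@link UnprotectedRootAction}, and
 * {@code getDynamic} performs no check beyond the resource-request test, the MAC and the age
 * of the token. The token URL therefore acts as a time-limited bearer credential for the
 * recorded user on the recorded path; treat such URLs accordingly in logs and proxies.
 */
@Extension
@Restricted({NoExternalUse.class})
public class ResourceDomainRootAction implements UnprotectedRootAction {
    private static final Logger LOGGER = Logger.getLogger(ResourceDomainRootAction.class.getName());

    /**
     * Separator between the three token fields (name, issue time, path).
     *
     * <p>Kept as a local literal so the token format does not depend on an unrelated
     * third-party constant; the decompiled listing referenced Spring's
     * {@code QuickTargetSourceCreator.PREFIX_COMMONS_POOL} (value {@code ":"}) here, presumably
     * a constant-resolution artifact. That import is no longer used by this class.
     */
    private static final String FIELD_SEPARATOR = ":";

    /** Number of leading token characters that hold the MAC; the remainder is the hex payload. */
    private static final int MAC_LENGTH = 64;

    private static final String NOT_RESOURCE_URL_MESSAGE = "Cannot handle requests to this URL unless on Jenkins resource URL.";
    private static final String STATIC_FILES_ONLY_MESSAGE = "Jenkins serves only static files on this domain.";

    // Key used to authenticate tokens. Algorithm and key storage are defined by
    // HMACConfidentialKey, outside this file.
    private static final HMACConfidentialKey KEY = new HMACConfidentialKey(ResourceDomainRootAction.class, "key");

    /**
     * Token lifetime in minutes, read once from the system property
     * {@code <this class name>.validForMinutes} (default 30). Deliberately left non-final as in
     * the original; any code able to write this field changes how long tokens are honoured.
     */
    @Restricted({NoExternalUse.class})
    public static int VALID_FOR_MINUTES = SystemProperties.getInteger(ResourceDomainRootAction.class.getName() + ".validForMinutes", 30).intValue();

    /* loaded from: input_file:WEB-INF/lib/jenkins-core-2.199-rc28766.41919ee78292.jar:jenkins/security/ResourceDomainRootAction$InternalResourceRequest.class */
    /**
     * Handler returned for a valid, unexpired token: replays the request against the Jenkins
     * root object under the identity recorded in the token.
     */
    private static class InternalResourceRequest {
        private final String authenticationName;
        private final String browserUrl;

        /**
         * @param browserUrl path (relative to the Jenkins root) taken from the token
         * @param authenticationName user id taken from the token, or {@code null} for anonymous
         */
        InternalResourceRequest(@Nonnull String browserUrl, String authenticationName) {
            this.browserUrl = browserUrl;
            this.authenticationName = authenticationName;
        }

        /**
         * Serves the remainder of the request path as the recorded user.
         *
         * <p>An empty rest-of-path is redirected to the recorded path under the Jenkins root
         * URL. Otherwise the request is re-dispatched through Stapler while the security
         * context is switched to the recorded user, or to anonymous when no name was recorded
         * or the user cannot be looked up.
         *
         * @throws IOException if writing the redirect or error response fails
         */
        public void doDynamic(StaplerRequest staplerRequest, StaplerResponse staplerResponse) throws IOException {
            String restOfPath = staplerRequest.getRestOfPath();
            if (restOfPath.isEmpty()) {
                staplerResponse.sendRedirect(302, Jenkins.get().getRootUrl() + this.browserUrl);
                return;
            }
            Jenkins root = Jenkins.get();
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Performing a request as authentication: " + this.authenticationName + " to object: " + root + " and restOfUrl: " + this.browserUrl + " and restOfPath: " + restOfPath);
            }

            // Default to anonymous; only a user that still resolves (without being created,
            // per the 'false' argument) is impersonated.
            Authentication authentication = Jenkins.ANONYMOUS;
            if (this.authenticationName != null) {
                User user = User.getById(this.authenticationName, false);
                if (user != null) {
                    authentication = user.impersonate();
                }
            }

            // try-with-resources guarantees the previous security context is restored even
            // when the dispatch throws, so the impersonation cannot outlive this call.
            try (ACLContext ignored = ACL.as(authentication)) {
                Stapler.getCurrent().invoke(staplerRequest, staplerResponse, root, this.browserUrl + restOfPath);
            } catch (AccessDeniedException e) {
                LOGGER.log(Level.INFO, "Failed permission check for resource URL access", e);
                // NOTE(review): the exception text is echoed to the client here and in the
                // 404 branch below; confirm it cannot carry internal detail.
                staplerResponse.sendError(403, "Failed permission check: " + e.getMessage());
            } catch (Exception e) {
                LOGGER.log(Level.INFO, "Something else failed for resource URL access", e);
                staplerResponse.sendError(404, "Failed: " + e.getMessage());
            }
        }

        @Override
        public String toString() {
            return "[" + super.toString() + ", authentication=" + this.authenticationName + "; key=" + this.browserUrl + "]";
        }
    }

    /* loaded from: input_file:WEB-INF/lib/jenkins-core-2.199-rc28766.41919ee78292.jar:jenkins/security/ResourceDomainRootAction$Redirection.class */
    /**
     * Handler returned for an authentic token that is outside its validity window: sends the
     * browser to the same path under the Jenkins root URL instead of serving content.
     */
    private static class Redirection {
        private final String url;

        /** @param url path (relative to the Jenkins root) taken from the token */
        public Redirection(String url) {
            this.url = url;
        }

        /**
         * Issues a 302 to {@code rootUrl + url + restOfPath}.
         *
         * @throws IOException if the redirect cannot be written
         */
        public void doDynamic(StaplerRequest staplerRequest, StaplerResponse staplerResponse) throws IOException {
            staplerResponse.sendRedirect(302, Jenkins.get().getRootUrl() + this.url + staplerRequest.getRestOfPath());
        }
    }

    /** @return always {@code null}; this action has no icon */
    @Override // hudson.model.Action
    @CheckForNull
    public String getIconFileName() {
        return null;
    }

    /** @return always {@code null}; this action has no display name */
    @Override // hudson.model.Action, hudson.model.ModelObject
    @CheckForNull
    public String getDisplayName() {
        return null;
    }

    /** @return the fixed URL segment {@code static-files} under which this action is mounted */
    @Override // hudson.model.Action
    @CheckForNull
    public String getUrlName() {
        return "static-files";
    }

    /**
     * Rejects requests for the bare action URL (no token) with a 404; only the message differs
     * depending on whether the request arrived as a resource request.
     *
     * @throws IOException if the error response cannot be written
     */
    public void doIndex(StaplerRequest staplerRequest, StaplerResponse staplerResponse) throws IOException {
        if (ResourceDomainConfiguration.isResourceRequest(staplerRequest)) {
            staplerResponse.sendError(404, STATIC_FILES_ONLY_MESSAGE);
        } else {
            staplerResponse.sendError(404, NOT_RESOURCE_URL_MESSAGE);
        }
    }

    /**
     * Resolves the token path segment to the object that will handle the rest of the request.
     *
     * <p>Checks run in this order: the request must be a resource request; the token's MAC
     * must verify; the payload must have the three expected fields with a numeric issue time.
     * Any failure yields a 404 and {@code null}. Malformed-but-authentic payloads are answered
     * with the same 404 rather than being allowed to surface as an uncaught
     * {@link ArrayIndexOutOfBoundsException} or {@link NumberFormatException}.
     *
     * @param str the token segment of the URL (MAC followed by hex payload)
     * @return an object serving the content for a token inside its validity window, an object
     *     that redirects to the Jenkins root URL for a token outside it, or {@code null} when
     *     an error response has already been sent
     * @throws Exception if writing the error response fails
     */
    public Object getDynamic(String str, StaplerRequest staplerRequest, StaplerResponse staplerResponse) throws Exception {
        if (!ResourceDomainConfiguration.isResourceRequest(staplerRequest)) {
            staplerResponse.sendError(404, NOT_RESOURCE_URL_MESSAGE);
            return null;
        }
        String metadata = decode(str);
        if (metadata == null) {
            staplerResponse.sendError(404, STATIC_FILES_ONLY_MESSAGE);
            return null;
        }

        // Limit of 3 keeps any separator inside the path in the last field.
        String[] fields = metadata.split(FIELD_SEPARATOR, 3);
        if (fields.length != 3) {
            LOGGER.log(Level.FINE, "Authenticated resource token does not have three fields");
            staplerResponse.sendError(404, STATIC_FILES_ONLY_MESSAGE);
            return null;
        }
        long issuedAtMillis;
        try {
            issuedAtMillis = Long.parseLong(fields[1]);
        } catch (NumberFormatException e) {
            LOGGER.log(Level.FINE, "Authenticated resource token has a non-numeric timestamp", e);
            staplerResponse.sendError(404, STATIC_FILES_ONLY_MESSAGE);
            return null;
        }
        String authenticationName = Util.fixEmpty(fields[0]);
        String browserUrl = fields[2];

        // Negative age means the token claims to be from the future; treat it like an
        // expired one and fall back to the redirect.
        long ageMillis = new Date().getTime() - issuedAtMillis;
        boolean outsideWindow = ageMillis < 0 || ageMillis >= TimeUnit.MINUTES.toMillis((long) VALID_FOR_MINUTES);
        if (outsideWindow) {
            return new Redirection(browserUrl);
        }
        return new InternalResourceRequest(browserUrl, authenticationName);
    }

    /**
     * Builds the absolute resource-domain URL for a token and a path below it.
     *
     * @param str the token returned by {@link #register}
     * @param str2 the path below the registered location; a leading {@code /} is added if missing
     * @return {@code <resource root>/static-files/<token><path>}
     */
    public String getRedirectUrl(String str, String str2) {
        String resourceRootUrl = getResourceRootUrl();
        if (!resourceRootUrl.endsWith("/")) {
            resourceRootUrl = resourceRootUrl + "/";
        }
        String path = str2.startsWith("/") ? str2 : "/" + str2;
        return resourceRootUrl + getUrlName() + "/" + str + path;
    }

    private static String getResourceRootUrl() {
        return ResourceDomainConfiguration.get().getResourceRootUrl();
    }

    /**
     * Creates a token binding the current authentication, the current time and the URL of the
     * browsed location (the ancestor URL with the rest-of-path removed).
     *
     * <p>NOTE(review): the authentication name is concatenated without escaping, so a name that
     * contains the field separator would shift the fields when {@link #getDynamic} splits the
     * payload. Confirm that names are constrained elsewhere, or encode the fields unambiguously.
     *
     * @param directoryBrowserSupport not used by this implementation
     * @param staplerRequest the request currently being served on the main domain
     * @return the encoded token, or {@code null} if encoding failed
     */
    public String register(DirectoryBrowserSupport directoryBrowserSupport, StaplerRequest staplerRequest) {
        String restOfPath = staplerRequest.getRestOfPath();
        String restOfUrl = staplerRequest.getAncestors().get(0).getRestOfUrl();
        String browserUrl = restOfUrl.substring(0, restOfUrl.length() - restOfPath.length());

        Authentication authentication = Jenkins.getAuthentication();
        // Anonymous is recorded as an empty name, which getDynamic maps back to "no user".
        String authenticationName = authentication == Jenkins.ANONYMOUS ? "" : authentication.getName();
        String metadata = authenticationName + FIELD_SEPARATOR + new Date().getTime() + FIELD_SEPARATOR + browserUrl;
        try {
            return encode(metadata);
        } catch (Exception e) {
            LOGGER.log(Level.WARNING, "Failed to encode " + metadata, e);
            return null;
        }
    }

    /**
     * Produces the token for a payload: the MAC from {@code KEY} followed by the hex encoding
     * of the payload's UTF-8 bytes. The payload is authenticated, not encrypted; anyone holding
     * the token can read the name, timestamp and path in it.
     */
    private String encode(String payload) {
        return KEY.mac(payload) + Util.toHexString(payload.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Reverses {@link #encode(String)} and verifies the MAC.
     *
     * <p>Every failure (token shorter than the MAC, invalid hex, MAC mismatch) is logged at
     * FINE and reported as {@code null}, so callers cannot tell the cases apart.
     * NOTE(review): the comparison is delegated to {@code HMACConfidentialKey.checkMac};
     * confirm it is constant-time.
     *
     * @return the authenticated payload, or {@code null} if the token is not valid
     */
    private String decode(String token) {
        try {
            String mac = token.substring(0, MAC_LENGTH);
            String payload = new String(Util.fromHexString(token.substring(MAC_LENGTH)), StandardCharsets.UTF_8);
            if (KEY.checkMac(payload, mac)) {
                return payload;
            }
            // The payload is still unauthenticated here and ends up in the FINE log via the
            // exception message; read it as untrusted text.
            throw new IllegalArgumentException("Failed mac check for " + payload);
        } catch (Exception e) {
            LOGGER.log(Level.FINE, "Failure decoding", e);
            return null;
        }
    }
}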
