package hudson.security;

import edu.umd.cs.findbugs.annotations.CheckForNull;
import edu.umd.cs.findbugs.annotations.NonNull;
import hudson.model.Item;
import hudson.model.ItemGroup;
import hudson.model.TopLevelItemDescriptor;
import hudson.model.User;
import hudson.model.View;
import hudson.model.ViewDescriptor;
import hudson.model.ViewGroup;
import hudson.remoting.Callable;
import java.util.LinkedHashSet;
import java.util.function.BiFunction;
import java.util.stream.Collectors;
import jenkins.model.Jenkins;
import jenkins.security.NonSerializableSecurityContext;
import org.acegisecurity.AccessDeniedException;
import org.acegisecurity.Authentication;
import org.acegisecurity.acls.sid.PrincipalSid;
import org.acegisecurity.acls.sid.Sid;
import org.acegisecurity.context.SecurityContext;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.providers.anonymous.AnonymousAuthenticationToken;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;

/* loaded from: input_file:WEB-INF/lib/jenkins-core-2.259-rc30400.b74467446c78.jar:hudson/security/ACL.class */
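/**
 * Access-control decision point: answers whether a given {@link Authentication}
 * holds a given {@link Permission}.
 *
 * <p>Subclasses supply the actual policy through
 * {@link #hasPermission(Authentication, Permission)}. The {@code final} convenience
 * methods in this class resolve the caller's identity through
 * {@link Jenkins#getAuthentication()} and short-circuit for {@link #SYSTEM}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The {@link #SYSTEM} bypass in this class is a reference comparison
 *       ({@code ==}). Only the singleton instance skips the policy check; an
 *       authentication that merely carries the name {@code "SYSTEM"} is still
 *       passed to {@link #hasPermission(Authentication, Permission)}.</li>
 *   <li>Both {@code hasCreatePermission} overloads return {@code true} in this base
 *       class. An implementation that wants to restrict which item or view types
 *       may be created has to override them.</li>
 *   <li>The {@code impersonate}/{@code as} helpers replace the thread's security
 *       context. The previous context must always be restored, otherwise the
 *       elevated (or reduced) identity stays on the thread.</li>
 * </ul>
 */
public abstract class ACL {
    /** Pseudo-SID standing for every principal; its string form is {@code "EVERYONE"}. */
    public static final Sid EVERYONE = new Sid() {
        @Override
        public String toString() {
            return "EVERYONE";
        }
    };

    /** Principal name used for {@link #ANONYMOUS}. */
    @Restricted({NoExternalUse.class})
    public static final String ANONYMOUS_USERNAME = "anonymous";

    /** SID of the anonymous principal. */
    public static final Sid ANONYMOUS = new PrincipalSid(ANONYMOUS_USERNAME);

    /** SIDs listed here are {@link #EVERYONE} and {@link #ANONYMOUS}, in that order. */
    protected static final Sid[] AUTOMATIC_SIDS = {EVERYONE, ANONYMOUS};

    /** Principal name used for {@link #SYSTEM}. */
    @Restricted({NoExternalUse.class})
    public static final String SYSTEM_USERNAME = "SYSTEM";

    /**
     * Identity that bypasses every check performed by the {@code final} methods of this class.
     *
     * <p>The bypass is keyed on this exact instance (compared with {@code ==}), not on the
     * principal name, so handing out or storing this object grants unrestricted access.
     */
    public static final Authentication SYSTEM = new UsernamePasswordAuthenticationToken(SYSTEM_USERNAME, SYSTEM_USERNAME);

    /**
     * Verifies that the current authentication holds {@code permission}.
     *
     * @param permission the permission to require
     * @throws AccessDeniedException2 if the current authentication is not {@link #SYSTEM}
     *     and the policy denies the permission
     */
    public final void checkPermission(@NonNull Permission permission) {
        Authentication authentication = Jenkins.getAuthentication();
        if (authentication == SYSTEM || hasPermission(authentication, permission)) {
            return;
        }
        // Report the nearest enabled permission up the impliedBy chain, so the error
        // does not name a permission that is disabled.
        Permission reported = permission;
        while (!reported.enabled && reported.impliedBy != null) {
            reported = reported.impliedBy;
        }
        throw new AccessDeniedException2(authentication, reported);
    }

    /**
     * Verifies that the current authentication holds at least one of the given permissions.
     *
     * @param permissionArr candidate permissions; must not be empty
     * @throws IllegalArgumentException if no permission is supplied
     * @throws AccessDeniedException if none of the permissions is held; the message lists
     *     each candidate (resolved to its nearest enabled implying permission) once
     */
    public final void checkAnyPermission(@NonNull Permission... permissionArr) {
        if (permissionArr.length == 0) {
            throw new IllegalArgumentException("At least one permission must be provided");
        }
        if (hasAnyPermission(permissionArr)) {
            return;
        }
        Authentication authentication = Jenkins.getAuthentication();

        // Insertion-ordered set: keeps the caller's order and drops duplicates that arise
        // when several disabled permissions resolve to the same implying permission.
        LinkedHashSet<Permission> missing = new LinkedHashSet<>();
        for (Permission candidate : permissionArr) {
            Permission reported = candidate;
            while (!reported.enabled && reported.impliedBy != null) {
                reported = reported.impliedBy;
            }
            missing.add(reported);
        }

        String names = missing.stream()
                .map(p -> p.group.title + "/" + p.name)
                .collect(Collectors.joining(", "));
        String message = missing.size() == 1
                ? Messages.AccessDeniedException2_MissingPermission(authentication.getName(), names)
                : Messages.AccessDeniedException_MissingPermissions(authentication.getName(), names);
        throw new AccessDeniedException(message);
    }

    /**
     * Tells whether the current authentication holds {@code permission}.
     *
     * @param permission the permission to test
     * @return {@code true} for {@link #SYSTEM}, otherwise the policy decision
     */
    public final boolean hasPermission(@NonNull Permission permission) {
        Authentication authentication = Jenkins.getAuthentication();
        return authentication == SYSTEM || hasPermission(authentication, permission);
    }

    /**
     * Tells whether the current authentication holds at least one of the given permissions.
     *
     * @param permissionArr candidate permissions; must not be empty
     * @return {@code true} for {@link #SYSTEM} or as soon as one permission is granted
     * @throws IllegalArgumentException if no permission is supplied
     */
    public final boolean hasAnyPermission(@NonNull Permission... permissionArr) {
        if (permissionArr.length == 0) {
            throw new IllegalArgumentException("At least one permission must be provided");
        }
        // Resolve the identity once so every candidate is evaluated against the same principal.
        Authentication authentication = Jenkins.getAuthentication();
        if (authentication == SYSTEM) {
            return true;
        }
        for (Permission permission : permissionArr) {
            if (hasPermission(authentication, permission)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Policy hook: decides whether {@code authentication} holds {@code permission}.
     *
     * <p>The {@code final} methods of this class do not call this hook for {@link #SYSTEM};
     * direct callers get whatever the implementation decides.
     *
     * @param authentication the identity to evaluate
     * @param permission the permission to test
     * @return {@code true} if the permission is granted
     */
    public abstract boolean hasPermission(@NonNull Authentication authentication, @NonNull Permission permission);

    /**
     * Wraps a function as an {@link ACL}.
     *
     * @param biFunction the decision function; a {@code null} result fails on unboxing
     * @return an ACL whose policy hook delegates to {@code biFunction}
     */
    public static ACL lambda(final BiFunction<Authentication, Permission, Boolean> biFunction) {
        return new ACL() {
            @Override
            public boolean hasPermission(Authentication authentication, Permission permission) {
                return biFunction.apply(authentication, permission);
            }
        };
    }

    /**
     * Verifies that the current authentication may create an item of the given type in
     * {@code itemGroup}.
     *
     * @param itemGroup the container the item would be created in
     * @param topLevelItemDescriptor the type of item to create
     * @throws AccessDeniedException if the current authentication is not {@link #SYSTEM} and
     *     {@link #hasCreatePermission(Authentication, ItemGroup, TopLevelItemDescriptor)} denies it
     */
    public final void checkCreatePermission(@NonNull ItemGroup itemGroup, @NonNull TopLevelItemDescriptor topLevelItemDescriptor) {
        Authentication authentication = Jenkins.getAuthentication();
        if (authentication == SYSTEM || hasCreatePermission(authentication, itemGroup, topLevelItemDescriptor)) {
            return;
        }
        // NOTE(review): Item.CREATE itself is concatenated right after its name, so the
        // message embeds the permission's string form; this looks unintended - confirm
        // before changing, because it alters the user-visible text.
        throw new AccessDeniedException(Messages.AccessDeniedException2_MissingPermission(authentication.getName(), Item.CREATE.group.title + "/" + Item.CREATE.name + Item.CREATE + "/" + topLevelItemDescriptor.getDisplayName()));
    }

    /**
     * Type-level creation check for items.
     *
     * <p>This base implementation allows every request; override it to restrict which item
     * types a principal may create.
     *
     * @param authentication the identity to evaluate
     * @param itemGroup the container the item would be created in
     * @param topLevelItemDescriptor the type of item to create
     * @return always {@code true} here
     */
    public boolean hasCreatePermission(@NonNull Authentication authentication, @NonNull ItemGroup itemGroup, @NonNull TopLevelItemDescriptor topLevelItemDescriptor) {
        return true;
    }

    /**
     * Verifies that the current authentication may create a view of the given type in
     * {@code viewGroup}.
     *
     * @param viewGroup the container the view would be created in
     * @param viewDescriptor the type of view to create
     * @throws AccessDeniedException if the current authentication is not {@link #SYSTEM} and
     *     {@link #hasCreatePermission(Authentication, ViewGroup, ViewDescriptor)} denies it
     */
    public final void checkCreatePermission(@NonNull ViewGroup viewGroup, @NonNull ViewDescriptor viewDescriptor) {
        Authentication authentication = Jenkins.getAuthentication();
        if (authentication == SYSTEM || hasCreatePermission(authentication, viewGroup, viewDescriptor)) {
            return;
        }
        // NOTE(review): same concatenation of the Permission object as in the item
        // variant; left unchanged to keep the message text stable.
        throw new AccessDeniedException(Messages.AccessDeniedException2_MissingPermission(authentication.getName(), View.CREATE.group.title + "/" + View.CREATE.name + View.CREATE + "/" + viewDescriptor.getDisplayName()));
    }

    /**
     * Type-level creation check for views.
     *
     * <p>This base implementation allows every request; override it to restrict which view
     * types a principal may create.
     *
     * @param authentication the identity to evaluate
     * @param viewGroup the container the view would be created in
     * @param viewDescriptor the type of view to create
     * @return always {@code true} here
     */
    public boolean hasCreatePermission(@NonNull Authentication authentication, @NonNull ViewGroup viewGroup, @NonNull ViewDescriptor viewDescriptor) {
        return true;
    }

    /**
     * Replaces the thread's security context with one carrying {@code authentication}.
     *
     * <p>Nothing here restores the previous context: the caller must put the returned
     * context back (in a {@code finally} block), or the new identity remains in effect
     * for whatever runs next on this thread.
     *
     * @param authentication the identity to switch to
     * @return the context that was active before the switch
     * @deprecated prefer {@link #as(Authentication)}, which hands back a context object
     *     built around the previous context
     */
    @NonNull
    @Deprecated
    public static SecurityContext impersonate(@NonNull Authentication authentication) {
        SecurityContext previous = SecurityContextHolder.getContext();
        SecurityContextHolder.setContext(new NonSerializableSecurityContext(authentication));
        return previous;
    }

    /**
     * Runs {@code runnable} as {@code authentication} and restores the previous security
     * context afterwards, whether or not the body throws.
     *
     * @param authentication the identity to run as
     * @param runnable the work to perform
     * @deprecated prefer {@link #as(Authentication)}
     */
    @Deprecated
    public static void impersonate(@NonNull Authentication authentication, @NonNull Runnable runnable) {
        SecurityContext previous = impersonate(authentication);
        try {
            runnable.run();
        } finally {
            SecurityContextHolder.setContext(previous);
        }
    }

    /**
     * Runs {@code callable} as {@code authentication} and restores the previous security
     * context afterwards, whether or not the body throws.
     *
     * @param authentication the identity to run as
     * @param callable the work to perform
     * @param <V> result type
     * @param <T> exception type the callable may throw
     * @return the callable's result
     * @throws Exception whatever {@code callable} throws
     * @deprecated prefer {@link #as(Authentication)}
     */
    @Deprecated
    public static <V, T extends Exception> V impersonate(Authentication authentication, Callable<V, T> callable) throws Exception {
        SecurityContext previous = impersonate(authentication);
        try {
            return callable.call();
        } finally {
            // Single restore point covers normal return and every throwable.
            SecurityContextHolder.setContext(previous);
        }
    }

    /**
     * Switches the thread's security context to {@code authentication}.
     *
     * <p>The returned {@link ACLContext} is created from the context that was active before
     * the switch. Callers are expected to close it (typically with try-with-resources) so
     * the previous identity is reinstated; a context that is never closed leaves the
     * switched identity on the thread.
     *
     * @param authentication the identity to switch to
     * @return a context object wrapping the previously active security context
     */
    @NonNull
    public static ACLContext as(@NonNull Authentication authentication) {
        // Capture the old context before overwriting it.
        ACLContext previous = new ACLContext(SecurityContextHolder.getContext());
        SecurityContextHolder.setContext(new NonSerializableSecurityContext(authentication));
        return previous;
    }

    /**
     * Switches the thread's security context to the identity of {@code user}.
     *
     * @param user the user to run as; {@code null} selects {@link Jenkins#ANONYMOUS}
     * @return a context object wrapping the previously active security context
     */
    @NonNull
    public static ACLContext as(@CheckForNull User user) {
        return as(user == null ? Jenkins.ANONYMOUS : user.impersonate());
    }

    /**
     * Tells whether {@code authentication} is an anonymous token.
     *
     * <p>The test is purely on the token type; the principal name is not inspected.
     *
     * @param authentication the authentication to classify
     * @return {@code true} if it is an {@link AnonymousAuthenticationToken}
     */
    public static boolean isAnonymous(@NonNull Authentication authentication) {
        return authentication instanceof AnonymousAuthenticationToken;
    }
}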
