package jenkins.security;

import hudson.init.InitMilestone;
import hudson.init.Initializer;
import hudson.util.PluginServletFilter;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;

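/**
 * Servlet filter that restricts what is reachable on the resource domain.
 *
 * <p>For every HTTP request that {@link ResourceDomainConfiguration#isResourceRequest} classifies
 * as a resource-domain request, only an allowlist of paths is passed down the filter chain:
 * anything below {@code /static-files/} plus the exact entries in {@link #ALLOWED_PATHS}.
 * Every other path is answered with a 404 and {@link #ERROR_RESPONSE}. Requests that are not
 * resource-domain requests, and non-HTTP requests, pass through untouched.
 *
 * <p>NOTE(review): this looks like the enforcement point that keeps the resource domain from
 * exposing any other Jenkins URL; confirm against {@code ResourceDomainConfiguration}.
 */
@Restricted({NoExternalUse.class})
/* loaded from: input_file:WEB-INF/lib/jenkins-core-2.260-rc30416.1911b0c3ad0c.jar:jenkins/security/ResourceDomainFilter.class */
public class ResourceDomainFilter implements Filter {
    private static final Logger LOGGER = Logger.getLogger(ResourceDomainFilter.class.getName());

    /** Path prefix under which every request on the resource domain is accepted. */
    private static final String STATIC_FILES_PREFIX = "/static-files/";

    /** Exact paths accepted on the resource domain in addition to {@link #STATIC_FILES_PREFIX}. */
    private static final Set<String> ALLOWED_PATHS = new HashSet<>(Arrays.asList("/static-files", "/favicon.ico", "/robots.txt"));

    /** Message sent with the 404 for any rejected resource-domain request. */
    public static final String ERROR_RESPONSE = "Jenkins serves only static files on this domain.";

    /**
     * Registers an instance of this filter with {@link PluginServletFilter} once the
     * {@code EXTENSIONS_AUGMENTED} init milestone has been reached.
     *
     * @throws ServletException if the filter cannot be added
     */
    @Initializer(after = InitMilestone.EXTENSIONS_AUGMENTED)
    public static void init() throws ServletException {
        PluginServletFilter.addFilter(new ResourceDomainFilter());
    }

    /**
     * Applies the resource-domain allowlist and otherwise continues the filter chain.
     *
     * @param servletRequest the incoming request
     * @param servletResponse the response; receives a 404 when the request is rejected
     * @param filterChain the remaining chain, invoked only for requests that are not rejected
     * @throws IOException if sending the error or the downstream chain fails
     * @throws ServletException if the downstream chain fails
     */
    @Override // javax.servlet.Filter
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (servletRequest instanceof HttpServletRequest) {
            HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
            HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
            if (ResourceDomainConfiguration.isResourceRequest(httpServletRequest)) {
                // getPathInfo() is allowed to return null (no extra path information). Fail closed:
                // a null path is not on the allowlist, so it is rejected with the same 404 instead
                // of surfacing as a NullPointerException and a container error page.
                String pathInfo = httpServletRequest.getPathInfo();
                // NOTE(review): the prefix test relies on the container having normalised the path
                // (e.g. dot segments) before it is exposed via getPathInfo() - confirm for the
                // servlet container in use.
                boolean allowed = pathInfo != null
                        && (pathInfo.startsWith(STATIC_FILES_PREFIX) || ALLOWED_PATHS.contains(pathInfo));
                if (!allowed) {
                    // URL and remote address are client-supplied; log consumers should treat them as untrusted.
                    LOGGER.fine(() -> "Rejecting request to " + httpServletRequest.getRequestURL() + " from " + httpServletRequest.getRemoteAddr() + " on resource domain");
                    httpServletResponse.sendError(HttpServletResponse.SC_NOT_FOUND, ERROR_RESPONSE);
                    return;
                }
                LOGGER.finer(() -> "Accepting request to " + httpServletRequest.getRequestURL() + " from " + httpServletRequest.getRemoteAddr() + " on resource domain");
            }
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * No-op: the filter reads nothing from its configuration.
     *
     * @param filterConfig ignored
     */
    @Override // javax.servlet.Filter
    public void init(FilterConfig filterConfig) throws ServletException {
        // Nothing to initialise.
    }

    /** No-op: the filter holds no resources to release. */
    @Override // javax.servlet.Filter
    public void destroy() {
        // Nothing to release.
    }
}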
