package jenkins.security.s2m;

import edu.umd.cs.findbugs.annotations.CheckForNull;
import edu.umd.cs.findbugs.annotations.Nullable;
import hudson.Extension;
import hudson.model.Computer;
import hudson.model.Executor;
import hudson.model.Queue;
import hudson.model.Run;
import hudson.remoting.ChannelBuilder;
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.util.Iterator;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import jenkins.ReflectiveFilePathFilter;
import jenkins.model.Jenkins;
import jenkins.security.ChannelConfigurator;
import jenkins.util.SystemProperties;
import net.sf.json.util.JSONUtils;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;

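/**
 * Agent-to-controller file path filter that guards build directories on the controller.
 *
 * <p>For a file whose canonical path lies inside a build directory, access is let through only
 * when the channel's context is a {@link Computer} and one of its executors is currently running
 * a build whose root directory contains that file. Anything else is rejected with a
 * {@link SecurityException}, or only logged when the {@code FAIL} property is set to false.
 *
 * <p>Two system properties weaken this protection and are best treated as temporary escape
 * hatches: {@code <class name>.SKIP} (true disables the check entirely) and
 * {@code <class name>.FAIL} (false turns a rejection into a warning).
 */
@Restricted({NoExternalUse.class})
/* loaded from: input_file:WEB-INF/lib/jenkins-core-2.319.1-rc31651.dc99e4259b5d.jar:jenkins/security/s2m/RunningBuildFilePathFilter.class */
public class RunningBuildFilePathFilter extends ReflectiveFilePathFilter {
    /** System property; defaults to true. When false, unexpected access is logged but not rejected. */
    private static final String FAIL_PROPERTY = RunningBuildFilePathFilter.class.getName() + ".FAIL";
    /** System property; when true, this filter performs no check at all. */
    private static final String SKIP_PROPERTY = RunningBuildFilePathFilter.class.getName() + ".SKIP";
    private static final Logger LOGGER = Logger.getLogger(RunningBuildFilePathFilter.class.getName());
    /** Context object handed over when the channel was built; only a {@link Computer} is accepted. */
    private final Object context;

    /** Installs a {@link RunningBuildFilePathFilter} on every channel as it is being built. */
    @Extension
    /* loaded from: input_file:WEB-INF/lib/jenkins-core-2.319.1-rc31651.dc99e4259b5d.jar:jenkins/security/s2m/RunningBuildFilePathFilter$ChannelConfiguratorImpl.class */
    public static class ChannelConfiguratorImpl extends ChannelConfigurator {
        /**
         * Creates a filter bound to the channel's context and installs it on the builder.
         *
         * @param channelBuilder builder of the channel being set up
         * @param obj context of the channel, may be null
         */
        @Override // jenkins.security.ChannelConfigurator
        public void onChannelBuilding(ChannelBuilder channelBuilder, @Nullable Object obj) {
            // NOTE(review): 150.0 is presumably the filter's ordering priority; confirm against installTo.
            new RunningBuildFilePathFilter(obj).installTo(channelBuilder, 150.0d);
        }
    }

    /**
     * @param obj context of the channel this filter is installed on
     */
    public RunningBuildFilePathFilter(Object obj) {
        this.context = obj;
    }

    /**
     * Checks one file operation requested over the channel.
     *
     * @param str name of the requested operation (used in log messages only)
     * @param file file the operation targets
     * @return false on every path that does not throw; presumably "no decision", leaving the
     *     verdict to other filters (confirm against {@link ReflectiveFilePathFilter})
     * @throws SecurityException if a canonical path cannot be obtained, if the context is not a
     *     {@link Computer}, or if the file is in a build directory that no executor of the
     *     computer is currently running (unless {@code FAIL} is false)
     */
    @Override // jenkins.ReflectiveFilePathFilter
    protected boolean op(String str, File file) throws SecurityException {
        if (SystemProperties.getBoolean(SKIP_PROPERTY)) {
            LOGGER.log(Level.FINE, () -> "Skipping check for '" + str + "' on '" + file + "'");
            return false;
        }

        // The builds-dir pattern depends on live configuration, so it is rebuilt per call.
        final Pattern buildDirPattern;
        try {
            String jobDir = "\\Q" + Jenkins.get().getRootDir().getCanonicalPath().replace('\\', '/') + "\\E/jobs/(.+)";
            buildDirPattern = Pattern.compile(
                    Jenkins.expandVariablesForDirectory(Jenkins.get().getRawBuildsDir(), "(.+)", jobDir) + "/[0-9]+(/.*)?");
        } catch (IOException e) {
            LOGGER.log(Level.WARNING, "Failed to obtain canonical path to Jenkins home directory", e);
            // Detail stays in the controller log; the thrown message is kept minimal and carries no cause.
            throw new SecurityException("Failed to obtain canonical path");
        }

        final String canonicalPath;
        try {
            canonicalPath = file.getCanonicalPath().replace('\\', '/');
        } catch (IOException e) {
            LOGGER.log(Level.WARNING, "Failed to obtain canonical path to '" + file + "'", e);
            // Same as above: fail closed, with no path detail in the exception.
            throw new SecurityException("Failed to obtain canonical path");
        }

        if (!buildDirPattern.matcher(canonicalPath).matches()) {
            LOGGER.log(Level.FINE, () -> "Not a build directory, so skipping: " + canonicalPath);
            return false;
        }

        // Inside a build directory: an unknown context is rejected regardless of FAIL.
        if (!(this.context instanceof Computer)) {
            LOGGER.warning(() -> "Unrecognized context " + this.context + " rejected for " + str + " on " + file);
            throw new SecurityException("Failed to discover context of access to build directory");
        }
        Computer computer = (Computer) this.context;

        // NOTE(review): the pattern match above uses the canonical path, while this containment
        // check uses the absolute path and Path.startsWith, which compares name elements without
        // resolving them. Confirm that callers always pass normalised paths.
        Path path = file.getAbsoluteFile().toPath();
        for (Executor executor : computer.getExecutors()) {
            Run<?, ?> run = findRun(executor.getCurrentExecutable());
            if (run != null && path.startsWith(run.getRootDir().getAbsoluteFile().toPath())) {
                return false;
            }
        }

        String name = computer.getName();
        if (SystemProperties.getBoolean(FAIL_PROPERTY, true)) {
            LOGGER.log(Level.WARNING, "Rejecting unexpected agent-to-controller file path access: Agent '" + name + "' is attempting to access '" + canonicalPath + "' using operation '" + str + "'. Learn more: https://www.jenkins.io/redirect/security-144/");
            throw new SecurityException("Agent tried to access build directory of a build not currently running on this system. Learn more: https://www.jenkins.io/redirect/security-144/");
        }
        // FAIL=false: report the access but do not block it.
        LOGGER.log(Level.WARNING, "Unexpected agent-to-controller file path access: Agent '" + name + "' is accessing '" + canonicalPath + "' using operation '" + str + "'. Learn more: https://www.jenkins.io/redirect/security-144/");
        return false;
    }

    /**
     * Walks up the parent-executable chain until a {@link Run} is found.
     *
     * @param executable2 executable to start from, may be null
     * @return the first {@link Run} in the chain, or null if there is none
     */
    @CheckForNull
    private static Run<?, ?> findRun(@CheckForNull Queue.Executable executable2) {
        // The decompiled source compared the reference with 0, which does not compile.
        Queue.Executable current = executable2;
        while (current != null) {
            if (current instanceof Run) {
                return (Run<?, ?>) current;
            }
            current = current.getParentExecutable();
        }
        return null;
    }
}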
