package jenkins.security;

import edu.umd.cs.findbugs.annotations.CheckForNull;
import hudson.Extension;
import hudson.ExtensionList;
import hudson.Util;
import hudson.util.FormValidation;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLConnection;
import java.nio.charset.StandardCharsets;
import java.security.interfaces.RSAPublicKey;
import java.util.Base64;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import jenkins.diagnostics.RootUrlNotSetMonitor;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import jenkins.model.JenkinsLocationConfiguration;
import jenkins.model.identity.InstanceIdentityProvider;
import jenkins.util.UrlHelper;
import org.apache.commons.io.IOUtils;
import org.jenkinsci.Symbol;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.Beta;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.Stapler;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.verb.POST;

@Extension(ordinal = 199.0d)
@Restricted({Beta.class})
@Symbol({"resourceRoot"})
/* loaded from: input_file:WEB-INF/lib/jenkins-core-2.324-rc31799.811dd1e09355.jar:jenkins/security/ResourceDomainConfiguration.class */
public final class ResourceDomainConfiguration extends GlobalConfiguration {
    private static final Logger LOGGER = Logger.getLogger(ResourceDomainConfiguration.class.getName());
    private String url;

    @Restricted({NoExternalUse.class})
    public ResourceDomainConfiguration() {
        load();
    }

    @POST
    @Restricted({NoExternalUse.class})
    public FormValidation doCheckUrl(@QueryParameter("url") String str) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return checkUrl(str, true);
    }

    private FormValidation checkUrl(String str, boolean z) {
        String url = JenkinsLocationConfiguration.get().getUrl();
        if (((RootUrlNotSetMonitor) ExtensionList.lookupSingleton(RootUrlNotSetMonitor.class)).isActivated() || url == null) {
            return FormValidation.warning(Messages.ResourceDomainConfiguration_NeedsRootURL());
        }
        String fixEmptyAndTrim = Util.fixEmptyAndTrim(str);
        if (fixEmptyAndTrim == null) {
            return FormValidation.ok(Messages.ResourceDomainConfiguration_Empty());
        }
        if (!UrlHelper.isValidRootUrl(fixEmptyAndTrim)) {
            return FormValidation.error(Messages.ResourceDomainConfiguration_Invalid());
        }
        if (!fixEmptyAndTrim.endsWith("/")) {
            fixEmptyAndTrim = fixEmptyAndTrim + '/';
        }
        try {
            String host = new URL(fixEmptyAndTrim).getHost();
            try {
                if (new URL(url).getHost().equals(host)) {
                    return FormValidation.error(Messages.ResourceDomainConfiguration_SameAsJenkinsRoot());
                }
                StaplerRequest currentRequest = Stapler.getCurrentRequest();
                if (currentRequest != null && currentRequest.getHeader("Host").equals(host)) {
                    return FormValidation.error(Messages.ResourceDomainConfiguration_SameAsCurrent());
                }
                if (!z) {
                    return FormValidation.ok();
                }
                try {
                    URLConnection openConnection = new URL(fixEmptyAndTrim + "instance-identity/").openConnection();
                    if (!(openConnection instanceof HttpURLConnection)) {
                        return FormValidation.error(Messages.ResourceDomainConfiguration_Invalid());
                    }
                    HttpURLConnection httpURLConnection = (HttpURLConnection) openConnection;
                    int responseCode = httpURLConnection.getResponseCode();
                    if (responseCode == 200) {
                        String headerField = openConnection.getHeaderField("X-Instance-Identity");
                        if (headerField == null) {
                            return FormValidation.warning(Messages.ResourceDomainConfiguration_NotJenkins());
                        }
                        RSAPublicKey publicKey = InstanceIdentityProvider.RSA.getPublicKey();
                        return publicKey != null ? Base64.getEncoder().encodeToString(publicKey.getEncoded()).equals(headerField) ? FormValidation.ok(Messages.ResourceDomainConfiguration_ThisJenkins()) : FormValidation.warning(Messages.ResourceDomainConfiguration_OtherJenkins()) : FormValidation.warning(Messages.ResourceDomainConfiguration_SomeJenkins());
                    }
                    String responseMessage = httpURLConnection.getResponseMessage();
                    if (responseCode == 404) {
                        String join = String.join("", IOUtils.readLines(httpURLConnection.getErrorStream(), StandardCharsets.UTF_8));
                        if (responseMessage.contains(ResourceDomainFilter.ERROR_RESPONSE) || join.contains(ResourceDomainFilter.ERROR_RESPONSE)) {
                            return FormValidation.ok(Messages.ResourceDomainConfiguration_ResourceResponse());
                        }
                    }
                    return FormValidation.error(Messages.ResourceDomainConfiguration_FailedIdentityCheck(Integer.valueOf(responseCode), responseMessage));
                } catch (MalformedURLException e) {
                    LOGGER.log(Level.FINE, "MalformedURLException occurred during instance identity check for " + fixEmptyAndTrim, (Throwable) e);
                    return FormValidation.error(Messages.ResourceDomainConfiguration_Exception(e.getMessage()));
                } catch (IOException e2) {
                    LOGGER.log(Level.FINE, "IOException occurred during instance identity check for " + fixEmptyAndTrim, (Throwable) e2);
                    return FormValidation.warning(Messages.ResourceDomainConfiguration_IOException(e2.getMessage()));
                }
            } catch (Exception e3) {
                LOGGER.log(Level.CONFIG, "Failed to create URL from the existing Jenkins URL", (Throwable) e3);
                return FormValidation.error(Messages.ResourceDomainConfiguration_InvalidRootURL(e3.getMessage()));
            }
        } catch (MalformedURLException e4) {
            return FormValidation.error(Messages.ResourceDomainConfiguration_Invalid());
        }
    }

    @CheckForNull
    public String getUrl() {
        return this.url;
    }

    public void setUrl(@CheckForNull String str) {
        if (checkUrl(str, false).kind == FormValidation.Kind.OK) {
            String fixEmpty = Util.fixEmpty(str);
            if (fixEmpty != null && !fixEmpty.endsWith("/")) {
                fixEmpty = fixEmpty + "/";
            }
            this.url = fixEmpty;
            save();
        }
    }

    @Restricted({NoExternalUse.class})
    public static boolean isResourceRequest(HttpServletRequest httpServletRequest) {
        if (!isResourceDomainConfigured()) {
            return false;
        }
        try {
            URL url = new URL(get().getUrl());
            if (!url.getHost().equalsIgnoreCase(httpServletRequest.getServerName())) {
                return false;
            }
            int port = url.getPort();
            if (port == -1) {
                port = url.getDefaultPort();
            }
            return httpServletRequest.getServerPort() == port;
        } catch (MalformedURLException e) {
            return false;
        }
    }

    @Restricted({NoExternalUse.class})
    public static boolean isResourceDomainConfigured() {
        String url = get().getUrl();
        return (url == null || url.isEmpty() || Util.nullify(JenkinsLocationConfiguration.get().getUrl()) == null) ? false : true;
    }

    public static ResourceDomainConfiguration get() {
        return (ResourceDomainConfiguration) ExtensionList.lookupSingleton(ResourceDomainConfiguration.class);
    }
}
