package io.jenkins.plugins.remoting_security;

import edu.umd.cs.findbugs.annotations.Nullable;
import hudson.Extension;
import hudson.remoting.Callable;
import hudson.remoting.ChannelBuilder;
import io.jenkins.plugins.remoting_security.Tester;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import jenkins.security.ChannelConfigurator;
import org.jenkinsci.remoting.CallableDecorator;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;

@Restricted({NoExternalUse.class})
/* loaded from: input_file:io/jenkins/plugins/remoting_security/ConfigurableCallableBlocker.class */
public class ConfigurableCallableBlocker extends CallableDecorator {
    static final Set<String> SPECIFIC_CALLABLES_TO_ALWAYS_REJECT = new HashSet();
    private static final Logger LOGGER = Logger.getLogger(ConfigurableCallableBlocker.class.getName());

    @Extension
    /* loaded from: input_file:io/jenkins/plugins/remoting_security/ConfigurableCallableBlocker$ChannelConfiguratorImpl.class */
    public static class ChannelConfiguratorImpl extends ChannelConfigurator {
        public void onChannelBuilding(ChannelBuilder channelBuilder, @Nullable Object obj) {
            ConfigurableCallableBlocker.LOGGER.log(Level.FINE, () -> {
                return "Registering " + this + " on: " + channelBuilder + " for context: " + obj;
            });
            channelBuilder.with(new ConfigurableCallableBlocker());
        }
    }

    public <V, T extends Throwable> Callable<V, T> userRequest(Callable<V, T> callable, Callable<V, T> callable2) {
        if (SPECIFIC_CALLABLES_TO_ALWAYS_REJECT.contains(callable.getClass().getName())) {
            LOGGER.log(Level.INFO, () -> {
                return "Rejecting callable " + callable + " of type " + callable.getClass() + " regardless of role checker, see https://www.jenkins.io/redirect/remoting-security-workaround/";
            });
            throw new SecurityException("Custom security configuration prohibits execution of " + callable + " of type " + callable.getClass() + ", see https://www.jenkins.io/redirect/remoting-security-workaround/");
        }
        LOGGER.log(Level.FINEST, () -> {
            return "Not rejecting execution of " + callable + " of type " + callable.getClass();
        });
        return callable2;
    }

    static {
        String property = System.getProperty(ConfigurableCallableBlocker.class.getName() + ".additionalCallablesToAlwaysReject");
        if (property != null) {
            LOGGER.log(Level.INFO, () -> {
                return "Rejecting the following callables regardless of role checker result: " + property;
            });
            SPECIFIC_CALLABLES_TO_ALWAYS_REJECT.addAll((Collection) Arrays.stream(property.split(",")).map((v0) -> {
                return v0.trim();
            }).collect(Collectors.toSet()));
        }
        SPECIFIC_CALLABLES_TO_ALWAYS_REJECT.add("hudson.scm.SubversionSCM$DescriptorImpl$SshPublicKeyCredential$1");
        SPECIFIC_CALLABLES_TO_ALWAYS_REJECT.add("hudson.FilePath$FileCallableWrapper");
        SPECIFIC_CALLABLES_TO_ALWAYS_REJECT.add(Tester.BlockedByDefaultNoOpAgentToControllerCallable.class.getName());
    }
}
