package io.jenkins.plugins.remoting_security;

import edu.umd.cs.findbugs.annotations.Nullable;
import hudson.Extension;
import hudson.remoting.Callable;
import hudson.remoting.ChannelBuilder;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import jenkins.security.ChannelConfigurator;
import org.jenkinsci.remoting.CallableDecorator;
import org.jenkinsci.remoting.Role;
import org.jenkinsci.remoting.RoleChecker;
import org.jenkinsci.remoting.RoleSensitive;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;

@Restricted({NoExternalUse.class})
/* loaded from: input_file:io/jenkins/plugins/remoting_security/RequiredRoleCheck.class */
public class RequiredRoleCheck extends CallableDecorator {
    private static boolean CALLABLES_CAN_IGNORE_ROLECHECKER = Boolean.getBoolean(RequiredRoleCheck.class.getName() + ".allCallablesCanIgnoreRoleChecker");
    static final Set<String> SPECIFIC_CALLABLES_CAN_IGNORE_ROLECHECKER = new HashSet();
    private static final Logger LOGGER = Logger.getLogger(RequiredRoleCheck.class.getName());

    @Extension
    /* loaded from: input_file:io/jenkins/plugins/remoting_security/RequiredRoleCheck$ChannelConfiguratorImpl.class */
    public static class ChannelConfiguratorImpl extends ChannelConfigurator {
        public void onChannelBuilding(ChannelBuilder channelBuilder, @Nullable Object obj) {
            RequiredRoleCheck.LOGGER.log(Level.FINE, () -> {
                return "Registering " + this + " on: " + channelBuilder + " for context: " + obj;
            });
            channelBuilder.with(new RequiredRoleCheck());
        }
    }

    /* loaded from: input_file:io/jenkins/plugins/remoting_security/RequiredRoleCheck$RequiredRoleCheckerWrapper.class */
    private static class RequiredRoleCheckerWrapper extends RoleChecker {
        private boolean checked;

        private RequiredRoleCheckerWrapper() {
        }

        public void check(RoleSensitive roleSensitive, Role... roleArr) throws SecurityException {
            this.checked = true;
        }

        public void check(RoleSensitive roleSensitive, Role role) throws SecurityException {
            this.checked = true;
        }

        public void check(RoleSensitive roleSensitive, Collection<Role> collection) throws SecurityException {
            this.checked = true;
        }

        public boolean isChecked() {
            return this.checked;
        }
    }

    private static boolean isCallableProhibitedByRequiredRoleCheck(Callable<?, ?> callable) {
        if (CALLABLES_CAN_IGNORE_ROLECHECKER) {
            LOGGER.log(Level.FINE, () -> {
                return "Allowing all callables to ignore RoleChecker";
            });
            return false;
        }
        if (callable.getClass().getName().startsWith("hudson.remoting.RemoteInvocationHandler")) {
            LOGGER.log(Level.FINEST, () -> {
                return "Callable " + callable.getClass().getName() + " is an RPCRequest";
            });
            return false;
        }
        if (!SPECIFIC_CALLABLES_CAN_IGNORE_ROLECHECKER.contains(callable.getClass().getName())) {
            return true;
        }
        LOGGER.log(Level.FINER, () -> {
            return "Callable " + callable.getClass().getName() + " is allowed through override";
        });
        return false;
    }

    public <V, T extends Throwable> Callable<V, T> userRequest(Callable<V, T> callable, Callable<V, T> callable2) {
        try {
            RequiredRoleCheckerWrapper requiredRoleCheckerWrapper = new RequiredRoleCheckerWrapper();
            callable2.checkRoles(requiredRoleCheckerWrapper);
            if (requiredRoleCheckerWrapper.isChecked()) {
                LOGGER.log(Level.FINEST, () -> {
                    return "Callable " + callable2.getClass().getName() + " checked roles";
                });
            } else if (isCallableProhibitedByRequiredRoleCheck(callable2)) {
                LOGGER.log(Level.INFO, () -> {
                    return "Rejecting callable " + callable2.getClass().getName() + " for ignoring RoleChecker in #checkRoles, see https://www.jenkins.io/redirect/remoting-security-workaround/";
                });
                throw new SecurityException("Security hardening prohibits the Callable implementation " + callable2.getClass().getName() + " from ignoring RoleChecker, see https://www.jenkins.io/redirect/remoting-security-workaround/");
            }
        } catch (AbstractMethodError e) {
        }
        return callable2;
    }

    static {
        String property = System.getProperty(RequiredRoleCheck.class.getName() + ".specificCallablesCanIgnoreRoleChecker");
        if (property != null) {
            LOGGER.log(Level.INFO, () -> {
                return "Allowing the following callables to bypass role checker requirement: " + property;
            });
            SPECIFIC_CALLABLES_CAN_IGNORE_ROLECHECKER.addAll((Collection) Arrays.stream(property.split(",")).map((v0) -> {
                return v0.trim();
            }).collect(Collectors.toSet()));
        }
        SPECIFIC_CALLABLES_CAN_IGNORE_ROLECHECKER.add("hudson.remoting.Channel$IOSyncer");
        SPECIFIC_CALLABLES_CAN_IGNORE_ROLECHECKER.add("hudson.remoting.Channel$SetMaximumBytecodeLevel");
        SPECIFIC_CALLABLES_CAN_IGNORE_ROLECHECKER.add("hudson.remoting.PingThread$Ping");
    }
}
