package org.jenkinsci.plugins.scriptsecurity.sandbox.groovy;

import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import groovy.grape.GrabAnnotationTransformation;
import groovy.lang.GroovyClassLoader;
import groovy.lang.GroovyShell;
import groovy.lang.Script;
import hudson.ExtensionList;
import hudson.model.RootAction;
import hudson.model.TaskListener;
import hudson.util.FormValidation;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.concurrent.Callable;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import org.codehaus.groovy.control.CompilationFailedException;
import org.codehaus.groovy.control.CompilationUnit;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.codehaus.groovy.control.customizers.CompilationCustomizer;
import org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException;
import org.jenkinsci.plugins.scriptsecurity.sandbox.Whitelist;
import org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.ProxyWhitelist;
import org.jenkinsci.plugins.scriptsecurity.scripts.ApprovalContext;
import org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval;
import org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApprovalNote;
import org.kohsuke.groovy.sandbox.SandboxTransformer;

/* loaded from: input_file:WEB-INF/lib/script-security.jar:org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.class */
public final class GroovySandbox {
    public static final Logger LOGGER = Logger.getLogger(GroovySandbox.class.getName());

    @CheckForNull
    private Whitelist whitelist;

    @CheckForNull
    private ApprovalContext context;

    @CheckForNull
    private TaskListener listener;

    @FunctionalInterface
    /* loaded from: input_file:WEB-INF/lib/script-security.jar:org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox$Scope.class */
    public interface Scope extends AutoCloseable {
        @Override // java.lang.AutoCloseable
        void close();
    }

    public GroovySandbox withWhitelist(@CheckForNull Whitelist whitelist) {
        this.whitelist = whitelist;
        return this;
    }

    public GroovySandbox withApprovalContext(@CheckForNull ApprovalContext approvalContext) {
        this.context = approvalContext;
        return this;
    }

    public GroovySandbox withTaskListener(@CheckForNull TaskListener taskListener) {
        this.listener = taskListener;
        return this;
    }

    @Nonnull
    private Whitelist whitelist() {
        return this.whitelist != null ? this.whitelist : Whitelist.all();
    }

    public Scope enter() {
        SandboxInterceptor sandboxInterceptor = new SandboxInterceptor(whitelist());
        ApprovalContext create = this.context != null ? this.context : ApprovalContext.create();
        sandboxInterceptor.register();
        ScriptApproval.pushRegistrationCallback(rejectedAccessException -> {
            if (ExtensionList.lookup(RootAction.class).get(ScriptApproval.class) == null) {
                return;
            }
            ScriptApproval.get().accessRejected(rejectedAccessException, create);
            if (this.listener != null) {
                ScriptApprovalNote.print(this.listener, rejectedAccessException);
            }
        });
        return () -> {
            sandboxInterceptor.unregister();
            ScriptApproval.popRegistrationCallback();
        };
    }

    public Object runScript(@Nonnull GroovyShell groovyShell, @Nonnull String str) {
        Scope enter = enter();
        Throwable th = null;
        try {
            Script parse = groovyShell.parse(str);
            if (enter != null) {
                if (0 != 0) {
                    try {
                        enter.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                } else {
                    enter.close();
                }
            }
            Scope enter2 = new GroovySandbox().withApprovalContext(this.context).withTaskListener(this.listener).withWhitelist(new ProxyWhitelist(new ClassLoaderWhitelist(parse.getClass().getClassLoader()), whitelist())).enter();
            Throwable th3 = null;
            try {
                try {
                    Object run = parse.run();
                    if (enter2 != null) {
                        if (0 != 0) {
                            try {
                                enter2.close();
                            } catch (Throwable th4) {
                                th3.addSuppressed(th4);
                            }
                        } else {
                            enter2.close();
                        }
                    }
                    return run;
                } finally {
                }
            } catch (Throwable th5) {
                if (enter2 != null) {
                    if (th3 != null) {
                        try {
                            enter2.close();
                        } catch (Throwable th6) {
                            th3.addSuppressed(th6);
                        }
                    } else {
                        enter2.close();
                    }
                }
                throw th5;
            }
        } catch (Throwable th7) {
            if (enter != null) {
                if (0 != 0) {
                    try {
                        enter.close();
                    } catch (Throwable th8) {
                        th.addSuppressed(th8);
                    }
                } else {
                    enter.close();
                }
            }
            throw th7;
        }
    }

    @Nonnull
    public static CompilerConfiguration createSecureCompilerConfiguration() {
        CompilerConfiguration createBaseCompilerConfiguration = createBaseCompilerConfiguration();
        createBaseCompilerConfiguration.addCompilationCustomizers(new CompilationCustomizer[]{new SandboxTransformer()});
        return createBaseCompilerConfiguration;
    }

    @Nonnull
    public static CompilerConfiguration createBaseCompilerConfiguration() {
        CompilerConfiguration compilerConfiguration = new CompilerConfiguration();
        compilerConfiguration.addCompilationCustomizers(new CompilationCustomizer[]{new RejectASTTransformsCustomizer()});
        compilerConfiguration.setDisabledGlobalASTTransformations(new HashSet(Collections.singletonList(GrabAnnotationTransformation.class.getName())));
        return compilerConfiguration;
    }

    @Nonnull
    @SuppressFBWarnings(value = {"DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED"}, justification = "Should be managed by the caller.")
    public static ClassLoader createSecureClassLoader(ClassLoader classLoader) {
        return new SandboxResolvingClassLoader(classLoader);
    }

    @Deprecated
    public static void runInSandbox(@Nonnull Runnable runnable, @Nonnull Whitelist whitelist) throws RejectedAccessException {
        Scope enter = new GroovySandbox().withWhitelist(whitelist).enter();
        Throwable th = null;
        try {
            try {
                runnable.run();
                if (enter != null) {
                    if (0 == 0) {
                        enter.close();
                        return;
                    }
                    try {
                        enter.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (enter != null) {
                if (th != null) {
                    try {
                        enter.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    enter.close();
                }
            }
            throw th4;
        }
    }

    @Deprecated
    public static <V> V runInSandbox(@Nonnull Callable<V> callable, @Nonnull Whitelist whitelist) throws Exception {
        Scope enter = new GroovySandbox().withWhitelist(whitelist).enter();
        Throwable th = null;
        try {
            try {
                V call = callable.call();
                if (enter != null) {
                    if (0 != 0) {
                        try {
                            enter.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        enter.close();
                    }
                }
                return call;
            } finally {
            }
        } catch (Throwable th3) {
            if (enter != null) {
                if (th != null) {
                    try {
                        enter.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    enter.close();
                }
            }
            throw th3;
        }
    }

    @Deprecated
    public static void runInSandbox(@Nonnull Script script, @Nonnull Whitelist whitelist) throws RejectedAccessException {
        runInSandbox((Runnable) script.run(), whitelist);
    }

    @Deprecated
    public static Object run(@Nonnull Script script, @Nonnull Whitelist whitelist) throws RejectedAccessException {
        LOGGER.log(Level.WARNING, (String) null, (Throwable) new IllegalStateException(Messages.GroovySandbox_useOfInsecureRunOverload()));
        Scope enter = new GroovySandbox().withWhitelist(new ProxyWhitelist(new ClassLoaderWhitelist(script.getClass().getClassLoader()), whitelist)).enter();
        Throwable th = null;
        try {
            try {
                Object run = script.run();
                if (enter != null) {
                    if (0 != 0) {
                        try {
                            enter.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        enter.close();
                    }
                }
                return run;
            } finally {
            }
        } catch (Throwable th3) {
            if (enter != null) {
                if (th != null) {
                    try {
                        enter.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    enter.close();
                }
            }
            throw th3;
        }
    }

    @Deprecated
    public static Object run(@Nonnull GroovyShell groovyShell, @Nonnull String str, @Nonnull Whitelist whitelist) throws RejectedAccessException {
        return new GroovySandbox().withWhitelist(whitelist).runScript(groovyShell, str);
    }

    @Nonnull
    public static FormValidation checkScriptForCompilationErrors(String str, GroovyClassLoader groovyClassLoader) {
        try {
            CompilationUnit compilationUnit = new CompilationUnit(createSecureCompilerConfiguration(), new CodeSource(new URL("file", "", "/groovy/shell"), (Certificate[]) null), groovyClassLoader);
            compilationUnit.addSource("Script1", str);
            compilationUnit.compile(5);
            return FormValidation.ok();
        } catch (MalformedURLException | CompilationFailedException e) {
            return FormValidation.error(e.getLocalizedMessage());
        }
    }
}
