package org.jenkinsci.plugins.scriptsecurity.scripts;

import edu.umd.cs.findbugs.annotations.CheckForNull;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import hudson.Extension;
import hudson.ExtensionList;
import hudson.Util;
import hudson.XmlFile;
import hudson.model.BallColor;
import hudson.model.PageDecorator;
import hudson.model.RootAction;
import hudson.security.ACL;
import hudson.security.ACLContext;
import hudson.util.FormValidation;
import hudson.util.XStream2;
import java.io.BufferedInputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.DigestInputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.Stack;
import java.util.TreeSet;
import java.util.function.Consumer;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import jenkins.model.GlobalConfiguration;
import jenkins.model.GlobalConfigurationCategory;
import jenkins.model.Jenkins;
import jenkins.util.SystemProperties;
import net.sf.json.JSON;
import net.sf.json.JSONArray;
import net.sf.json.JSONObject;
import org.apache.commons.lang.StringUtils;
import org.jenkinsci.Symbol;
import org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException;
import org.jenkinsci.plugins.scriptsecurity.sandbox.Whitelist;
import org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.AclAwareWhitelist;
import org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.ProxyWhitelist;
import org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.bind.JavaScriptMethod;
import org.kohsuke.stapler.verb.POST;

@Extension
@Symbol({"scriptApproval"})
/* loaded from: input_file:org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.class */
public class ScriptApproval extends GlobalConfiguration implements RootAction {

    @SuppressFBWarnings(value = {"MS_SHOULD_BE_FINAL"}, justification = "for script console")
    public static boolean ADMIN_AUTO_APPROVAL_ENABLED = SystemProperties.getBoolean(ScriptApproval.class.getName() + ".ADMIN_AUTO_APPROVAL_ENABLED");

    @SuppressFBWarnings(value = {"MS_SHOULD_BE_FINAL"}, justification = "for script console")
    public static boolean ALLOW_ADMIN_APPROVAL_ENABLED = SystemProperties.getBoolean(ScriptApproval.class.getName() + ".ALLOW_ADMIN_APPROVAL_ENABLED");
    private static final Logger LOG = Logger.getLogger(ScriptApproval.class.getName());
    private static final XStream2 XSTREAM2 = new XStream2();
    static final Hasher DEFAULT_HASHER;
    private TreeSet<String> aclApprovedSignatures;
    private TreeSet<ApprovedClasspathEntry> approvedClasspathEntries;
    private TreeSet<PendingClasspathEntry> pendingClasspathEntries;
    private static final ThreadLocal<Stack<Consumer<RejectedAccessException>>> callbacks;
    private transient Thread convertDeprecatedApprovedClasspathEntriesThread = null;
    private final TreeSet<String> approvedScriptHashes = new TreeSet<>();
    private final TreeSet<String> approvedSignatures = new TreeSet<>();
    private final LinkedHashSet<PendingScript> pendingScripts = new LinkedHashSet<>();
    private final LinkedHashSet<PendingSignature> pendingSignatures = new LinkedHashSet<>();

    @Restricted({NoExternalUse.class})
    /* loaded from: input_file:org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval$ApprovedClasspathEntry.class */
    public static class ApprovedClasspathEntry implements Comparable<ApprovedClasspathEntry> {
        private final String hash;
        private final URL url;

        public ApprovedClasspathEntry(String str, URL url) {
            this.hash = str;
            this.url = url;
        }

        public String getHash() {
            return this.hash;
        }

        public URL getURL() {
            return this.url;
        }

        boolean isClassDirectory() {
            return ClasspathEntry.isClassDirectoryURL(this.url);
        }

        public int hashCode() {
            return this.hash.hashCode();
        }

        public boolean equals(Object obj) {
            return (obj instanceof ApprovedClasspathEntry) && ((ApprovedClasspathEntry) obj).hash.equals(this.hash);
        }

        @Override // java.lang.Comparable
        public int compareTo(ApprovedClasspathEntry approvedClasspathEntry) {
            return this.hash.compareTo(approvedClasspathEntry.hash);
        }
    }

    @Extension
    @Restricted({NoExternalUse.class})
    /* loaded from: input_file:org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval$ApprovedWhitelist.class */
    public static final class ApprovedWhitelist extends ProxyWhitelist {
        public ApprovedWhitelist() {
            super(new Whitelist[0]);
            try {
                reconfigure();
            } catch (IOException e) {
                ScriptApproval.LOG.log(Level.SEVERE, "Malformed signature entry in scriptApproval.xml: '" + e.getMessage() + "'");
            }
        }

        /* JADX WARN: Type inference failed for: r0v6, types: [java.lang.String[], java.lang.String[][]] */
        String[][] reconfigure() throws IOException {
            ?? r0;
            ScriptApproval scriptApproval = ScriptApproval.get();
            synchronized (scriptApproval) {
                reset(Collections.singleton(new AclAwareWhitelist(new StaticWhitelist(scriptApproval.approvedSignatures), new StaticWhitelist(scriptApproval.aclApprovedSignatures))));
                r0 = new String[]{scriptApproval.getApprovedSignatures(), scriptApproval.getAclApprovedSignatures(), scriptApproval.getDangerousApprovedSignatures()};
            }
            return r0;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval$ConversionCheckResult.class */
    public static class ConversionCheckResult {
        final String oldHash;
        final String newHash;
        final boolean approved;
        final boolean converted;

        public ConversionCheckResult(String str, String str2, boolean z, boolean z2) {
            this.oldHash = str;
            this.newHash = str2;
            this.approved = z;
            this.converted = z2;
        }
    }

    @Extension
    @Restricted({NoExternalUse.class})
    /* loaded from: input_file:org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval$FormValidationPageDecorator.class */
    public static class FormValidationPageDecorator extends PageDecorator {
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval$Hasher.class */
    public enum Hasher {
        SHA512 { // from class: org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval.Hasher.1
            final Pattern shaPattern = Pattern.compile("SHA512:[a-fA-F0-9]{128}");

            @Override // org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval.Hasher
            String prefix() {
                return "SHA512:";
            }

            @Override // org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval.Hasher
            MessageDigest digest() throws NoSuchAlgorithmException {
                return MessageDigest.getInstance("SHA-512");
            }

            @Override // org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval.Hasher
            Pattern pattern() {
                return this.shaPattern;
            }
        },
        SHA1 { // from class: org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval.Hasher.2
            final Pattern shaPattern = Pattern.compile("[a-fA-F0-9]{40}");

            @Override // org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval.Hasher
            String prefix() {
                return "";
            }

            @Override // org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval.Hasher
            MessageDigest digest() throws NoSuchAlgorithmException {
                return MessageDigest.getInstance("SHA-1");
            }

            @Override // org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval.Hasher
            Pattern pattern() {
                return this.shaPattern;
            }
        };

        String hash(String str, String str2) {
            try {
                MessageDigest digest = digest();
                digest.update(str2.getBytes(StandardCharsets.UTF_8));
                digest.update((byte) 58);
                digest.update(str.getBytes(StandardCharsets.UTF_8));
                return prefix() + Util.toHexString(digest.digest());
            } catch (NoSuchAlgorithmException e) {
                throw new AssertionError(e);
            }
        }

        String hashClasspathEntry(URL url) throws IOException {
            try {
                MessageDigest digest = digest();
                InputStream openStream = url.openStream();
                try {
                    BufferedInputStream bufferedInputStream = new BufferedInputStream(openStream);
                    try {
                        DigestInputStream digestInputStream = new DigestInputStream(bufferedInputStream, digest);
                        try {
                            do {
                            } while (digestInputStream.read(new byte[1024]) != -1);
                            String str = prefix() + Util.toHexString(digest.digest());
                            digestInputStream.close();
                            bufferedInputStream.close();
                            if (openStream != null) {
                                openStream.close();
                            }
                            return str;
                        } catch (Throwable th) {
                            try {
                                digestInputStream.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                            throw th;
                        }
                    } catch (Throwable th3) {
                        try {
                            bufferedInputStream.close();
                        } catch (Throwable th4) {
                            th3.addSuppressed(th4);
                        }
                        throw th3;
                    }
                } finally {
                }
            } catch (NoSuchAlgorithmException e) {
                throw new AssertionError(e);
            }
        }

        abstract String prefix();

        abstract MessageDigest digest() throws NoSuchAlgorithmException;

        abstract Pattern pattern();
    }

    @Restricted({NoExternalUse.class})
    /* loaded from: input_file:org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval$PendingClasspathEntry.class */
    public static final class PendingClasspathEntry extends PendingThing implements Comparable<PendingClasspathEntry> {
        private final String hash;
        private final URL url;
        private static final ApprovalContext SEARCH_APPROVAL_CONTEXT = ApprovalContext.create();
        private static URL SEARCH_APPROVAL_URL;

        PendingClasspathEntry(@NonNull String str, @NonNull URL url, @NonNull ApprovalContext approvalContext) {
            super(approvalContext);
            this.hash = str;
            this.url = url;
        }

        @NonNull
        public String getHash() {
            return this.hash;
        }

        @NonNull
        public URL getURL() {
            return this.url;
        }

        public int hashCode() {
            return getHash().hashCode();
        }

        public boolean equals(Object obj) {
            return (obj instanceof PendingClasspathEntry) && ((PendingClasspathEntry) obj).getHash().equals(getHash());
        }

        @Override // java.lang.Comparable
        public int compareTo(PendingClasspathEntry pendingClasspathEntry) {
            return this.hash.compareTo(pendingClasspathEntry.hash);
        }

        @NonNull
        public static PendingClasspathEntry searchKeyFor(@NonNull String str) {
            return new PendingClasspathEntry(str, SEARCH_APPROVAL_URL, SEARCH_APPROVAL_CONTEXT);
        }

        static {
            try {
                SEARCH_APPROVAL_URL = new URL("http://invalid.url/do/not/use");
            } catch (Throwable th) {
                ScriptApproval.LOG.log(Level.WARNING, "Unexpected exception", th);
            }
        }
    }

    @Restricted({NoExternalUse.class})
    /* loaded from: input_file:org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval$PendingScript.class */
    public static final class PendingScript extends PendingThing {
        public final String script;
        private final String language;

        PendingScript(@NonNull String str, @NonNull Language language, @NonNull ApprovalContext approvalContext) {
            super(approvalContext);
            this.script = str;
            this.language = language.getName();
        }

        public String getHash() {
            return ScriptApproval.DEFAULT_HASHER.hash(this.script, this.language);
        }

        public Language getLanguage() {
            Iterator it = ExtensionList.lookup(Language.class).iterator();
            while (it.hasNext()) {
                Language language = (Language) it.next();
                if (language.getName().equals(this.language)) {
                    return language;
                }
            }
            return new Language() { // from class: org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval.PendingScript.1
                @Override // org.jenkinsci.plugins.scriptsecurity.scripts.Language
                @NonNull
                public String getName() {
                    return PendingScript.this.language;
                }

                @Override // org.jenkinsci.plugins.scriptsecurity.scripts.Language
                @NonNull
                public String getDisplayName() {
                    return "<missing language: " + PendingScript.this.language + ">";
                }
            };
        }

        public int hashCode() {
            return this.script.hashCode() ^ this.language.hashCode();
        }

        public boolean equals(Object obj) {
            return (obj instanceof PendingScript) && ((PendingScript) obj).language.equals(this.language) && ((PendingScript) obj).script.equals(this.script);
        }
    }

    @Restricted({NoExternalUse.class})
    /* loaded from: input_file:org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval$PendingSignature.class */
    public static final class PendingSignature extends PendingThing {
        public final String signature;
        public final boolean dangerous;

        PendingSignature(@NonNull String str, boolean z, @NonNull ApprovalContext approvalContext) {
            super(approvalContext);
            this.signature = str;
            this.dangerous = z;
        }

        public String getHash() {
            return Integer.toHexString(hashCode());
        }

        public int hashCode() {
            return this.signature.hashCode();
        }

        public boolean equals(Object obj) {
            return (obj instanceof PendingSignature) && ((PendingSignature) obj).signature.equals(this.signature);
        }
    }

    @Restricted({NoExternalUse.class})
    /* loaded from: input_file:org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval$PendingThing.class */
    public static abstract class PendingThing {

        @Deprecated
        private String user;

        @NonNull
        private ApprovalContext context;

        PendingThing(@NonNull ApprovalContext approvalContext) {
            this.context = approvalContext;
        }

        @NonNull
        public ApprovalContext getContext() {
            return this.context;
        }

        private Object readResolve() {
            if (this.user != null) {
                this.context = ApprovalContext.create().withUser(this.user);
                this.user = null;
            }
            return this;
        }
    }

    protected XmlFile getConfigFile() {
        return new XmlFile(XSTREAM2, new File(Jenkins.get().getRootDir(), getUrlName() + ".xml"));
    }

    @NonNull
    public GlobalConfigurationCategory getCategory() {
        return GlobalConfigurationCategory.get(GlobalConfigurationCategory.Security.class);
    }

    @NonNull
    public static ScriptApproval get() {
        ScriptApproval scriptApproval = (ScriptApproval) ExtensionList.lookup(RootAction.class).get(ScriptApproval.class);
        if (scriptApproval == null) {
            throw new IllegalStateException("maybe need to rebuild plugin?");
        }
        return scriptApproval;
    }

    void addApprovedClasspathEntry(ApprovedClasspathEntry approvedClasspathEntry) {
        this.approvedClasspathEntries.add(approvedClasspathEntry);
    }

    public boolean isScriptApproved(@NonNull String str, @NonNull Language language) {
        for (Hasher hasher : Hasher.values()) {
            if (isScriptHashApproved(hasher.hash(str, language.getName()))) {
                return true;
            }
        }
        return false;
    }

    @NonNull
    @Restricted({NoExternalUse.class})
    private synchronized ConversionCheckResult checkAndConvertApprovedScript(@NonNull String str, @NonNull Language language) {
        String hash = DEFAULT_HASHER.hash(str, language.getName());
        if (this.approvedScriptHashes.contains(hash)) {
            return new ConversionCheckResult(hash, hash, true, false);
        }
        for (Hasher hasher : Hasher.values()) {
            if (hasher != DEFAULT_HASHER) {
                String hash2 = hasher.hash(str, language.getName());
                if (this.approvedScriptHashes.contains(hash2)) {
                    LOG.fine("A script is approved with an old hash algorithm. Converting now, this may cause performance issues until all old hashes has been converted or removed.");
                    this.approvedScriptHashes.remove(hash2);
                    this.approvedScriptHashes.add(hash);
                    save();
                    return new ConversionCheckResult(hash2, hash, true, true);
                }
            }
        }
        return new ConversionCheckResult(hash, hash, false, false);
    }

    @NonNull
    @Restricted({NoExternalUse.class})
    private synchronized ConversionCheckResult checkAndConvertApprovedClasspath(@NonNull URL url) throws IOException {
        String hashClasspathEntry = DEFAULT_HASHER.hashClasspathEntry(url);
        ApprovedClasspathEntry approvedClasspathEntry = new ApprovedClasspathEntry(hashClasspathEntry, url);
        if (this.approvedClasspathEntries.contains(approvedClasspathEntry)) {
            return new ConversionCheckResult(hashClasspathEntry, hashClasspathEntry, true, false);
        }
        for (Hasher hasher : Hasher.values()) {
            if (hasher != DEFAULT_HASHER) {
                String hashClasspathEntry2 = hasher.hashClasspathEntry(url);
                ApprovedClasspathEntry approvedClasspathEntry2 = new ApprovedClasspathEntry(hashClasspathEntry2, url);
                if (this.approvedClasspathEntries.contains(approvedClasspathEntry2)) {
                    LOG.fine("A classpath is approved with an old hash algorithm. Converting now, this may cause performance issues until all old hashes has been converted or removed.");
                    this.approvedClasspathEntries.remove(approvedClasspathEntry2);
                    this.approvedClasspathEntries.add(approvedClasspathEntry);
                    save();
                    return new ConversionCheckResult(hashClasspathEntry2, hashClasspathEntry, true, true);
                }
            }
        }
        return new ConversionCheckResult(hashClasspathEntry, hashClasspathEntry, false, false);
    }

    @CheckForNull
    private PendingClasspathEntry getPendingClasspathEntry(@NonNull String str) {
        PendingClasspathEntry floor = this.pendingClasspathEntries.floor(PendingClasspathEntry.searchKeyFor(str));
        if (floor == null || !floor.hash.equals(str)) {
            return null;
        }
        return floor;
    }

    void addPendingClasspathEntry(PendingClasspathEntry pendingClasspathEntry) {
        this.pendingClasspathEntries.add(pendingClasspathEntry);
    }

    @DataBoundConstructor
    public ScriptApproval() {
        load();
        if (this.aclApprovedSignatures == null) {
            this.aclApprovedSignatures = new TreeSet<>();
        }
        if (this.approvedClasspathEntries == null) {
            this.approvedClasspathEntries = new TreeSet<>();
        }
        if (this.pendingClasspathEntries == null) {
            this.pendingClasspathEntries = new TreeSet<>();
        }
        boolean z = false;
        int i = 0;
        Iterator<ApprovedClasspathEntry> it = this.approvedClasspathEntries.iterator();
        while (it.hasNext()) {
            ApprovedClasspathEntry next = it.next();
            if (next.isClassDirectory()) {
                it.remove();
                z = true;
            }
            if (!DEFAULT_HASHER.pattern().matcher(next.hash).matches()) {
                i++;
            }
        }
        int countDeprecatedApprovedScriptHashes = countDeprecatedApprovedScriptHashes();
        if (i > 0 || countDeprecatedApprovedScriptHashes > 0) {
            LOG.log(Level.WARNING, "There are {0} deprecated approved script hashes and {1} deprecated approved classpath hashes. They will be rehashed upon next use and that may cause performance issues until all of them are converted or removed.", new Object[]{Integer.valueOf(countDeprecatedApprovedScriptHashes), Integer.valueOf(i)});
        }
        if (z) {
            save();
        }
    }

    @Restricted({NoExternalUse.class})
    public synchronized boolean hasDeprecatedApprovedScriptHashes() {
        return countDeprecatedApprovedScriptHashes() > 0;
    }

    @Restricted({NoExternalUse.class})
    public synchronized int countDeprecatedApprovedScriptHashes() {
        int i = 0;
        Iterator<String> it = this.approvedScriptHashes.iterator();
        while (it.hasNext()) {
            if (!DEFAULT_HASHER.pattern().matcher(it.next()).matches()) {
                i++;
            }
        }
        return i;
    }

    @Restricted({NoExternalUse.class})
    public synchronized int countDeprecatedApprovedClasspathHashes() {
        int i = 0;
        Iterator<ApprovedClasspathEntry> it = this.approvedClasspathEntries.iterator();
        while (it.hasNext()) {
            if (!DEFAULT_HASHER.pattern().matcher(it.next().getHash()).matches()) {
                i++;
            }
        }
        return i;
    }

    @Restricted({NoExternalUse.class})
    public synchronized boolean hasDeprecatedApprovedClasspathHashes() {
        return countDeprecatedApprovedClasspathHashes() > 0;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean isEmpty() {
        return this.approvedScriptHashes.isEmpty() && this.approvedSignatures.isEmpty() && this.aclApprovedSignatures.isEmpty() && this.approvedClasspathEntries.isEmpty() && this.pendingScripts.isEmpty() && this.pendingSignatures.isEmpty() && this.pendingClasspathEntries.isEmpty();
    }

    public synchronized String configuring(@NonNull String str, @NonNull Language language, @NonNull ApprovalContext approvalContext, boolean z) {
        ConversionCheckResult checkAndConvertApprovedScript = checkAndConvertApprovedScript(str, language);
        if (!checkAndConvertApprovedScript.approved) {
            if (!Jenkins.get().isUseSecurity() || (ALLOW_ADMIN_APPROVAL_ENABLED && Jenkins.getAuthentication2() != ACL.SYSTEM2 && Jenkins.get().hasPermission(Jenkins.ADMINISTER) && (ADMIN_AUTO_APPROVAL_ENABLED || z))) {
                this.approvedScriptHashes.add(checkAndConvertApprovedScript.newHash);
                removePendingScript(checkAndConvertApprovedScript.newHash);
            } else {
                String key = approvalContext.getKey();
                if (key != null) {
                    this.pendingScripts.removeIf(pendingScript -> {
                        return key.equals(pendingScript.getContext().getKey());
                    });
                }
                this.pendingScripts.add(new PendingScript(str, language, approvalContext));
            }
            save();
        }
        return str;
    }

    @Deprecated
    public String configuring(@NonNull String str, @NonNull Language language, @NonNull ApprovalContext approvalContext) {
        return configuring(str, language, approvalContext, false);
    }

    public synchronized String using(@NonNull String str, @NonNull Language language) throws UnapprovedUsageException {
        if (str.length() == 0) {
            return str;
        }
        ConversionCheckResult checkAndConvertApprovedScript = checkAndConvertApprovedScript(str, language);
        if (checkAndConvertApprovedScript.approved) {
            return str;
        }
        throw new UnapprovedUsageException(checkAndConvertApprovedScript.newHash);
    }

    synchronized boolean isScriptHashApproved(String str) {
        return this.approvedScriptHashes.contains(str);
    }

    public synchronized void configuring(@NonNull ClasspathEntry classpathEntry, @NonNull ApprovalContext approvalContext) {
        if (classpathEntry.isClassDirectory()) {
            LOG.log(Level.WARNING, "Classpath {0} is a class directory, which are not allowed. Ignored in configuration, use will be rejected", classpathEntry.getURL());
            return;
        }
        URL url = classpathEntry.getURL();
        try {
            ConversionCheckResult checkAndConvertApprovedClasspath = checkAndConvertApprovedClasspath(url);
            if (checkAndConvertApprovedClasspath.approved) {
                return;
            }
            boolean z = false;
            PendingClasspathEntry pendingClasspathEntry = new PendingClasspathEntry(checkAndConvertApprovedClasspath.newHash, url, approvalContext);
            if (!Jenkins.get().isUseSecurity() || (Jenkins.getAuthentication2() != ACL.SYSTEM2 && Jenkins.get().hasPermission(Jenkins.ADMINISTER) && (ADMIN_AUTO_APPROVAL_ENABLED || classpathEntry.isShouldBeApproved() || !StringUtils.equals(classpathEntry.getOldPath(), classpathEntry.getPath())))) {
                LOG.log(Level.FINE, "Classpath entry {0} ({1}) is approved as configured with ADMINISTER permission.", new Object[]{url, checkAndConvertApprovedClasspath.newHash});
                ApprovedClasspathEntry approvedClasspathEntry = new ApprovedClasspathEntry(checkAndConvertApprovedClasspath.newHash, url);
                this.pendingClasspathEntries.remove(pendingClasspathEntry);
                this.approvedClasspathEntries.add(approvedClasspathEntry);
                z = true;
            } else if (this.pendingClasspathEntries.add(pendingClasspathEntry)) {
                LOG.log(Level.FINE, "{0} ({1}) is pending", new Object[]{url, checkAndConvertApprovedClasspath.newHash});
                z = true;
            }
            if (z) {
                save();
            }
        } catch (IOException e) {
            LOG.log(Level.WARNING, (String) null, (Throwable) e);
        }
    }

    public synchronized FormValidation checking(@NonNull ClasspathEntry classpathEntry) {
        return classpathEntry.isClassDirectory() ? FormValidation.error(Messages.ClasspathEntry_path_noDirsAllowed()) : FormValidation.ok();
    }

    public synchronized void using(@NonNull ClasspathEntry classpathEntry) throws IOException, UnapprovedClasspathException {
        URL url = classpathEntry.getURL();
        if (classpathEntry.isClassDirectory()) {
            LOG.log(Level.WARNING, "Classpath {0} is a class directory, which are not allowed.", url);
            throw new UnapprovedClasspathException("classpath entry %s is a class directory, which are not allowed.", url, "");
        }
        ConversionCheckResult checkAndConvertApprovedClasspath = checkAndConvertApprovedClasspath(url);
        if (checkAndConvertApprovedClasspath.approved) {
            LOG.log(Level.FINER, "{0} ({1}) had been approved", new Object[]{url, checkAndConvertApprovedClasspath.newHash});
            return;
        }
        if (this.pendingClasspathEntries.add(new PendingClasspathEntry(checkAndConvertApprovedClasspath.newHash, url, ApprovalContext.create()))) {
            LOG.log(Level.FINE, "{0} ({1}) is pending.", new Object[]{url, checkAndConvertApprovedClasspath.newHash});
            save();
        }
        throw new UnapprovedClasspathException(url, checkAndConvertApprovedClasspath.newHash);
    }

    public synchronized FormValidation checking(@NonNull String str, @NonNull Language language, boolean z) {
        if (StringUtils.isEmpty(str)) {
            return FormValidation.ok();
        }
        ConversionCheckResult checkAndConvertApprovedScript = checkAndConvertApprovedScript(str, language);
        if (checkAndConvertApprovedScript.approved) {
            return FormValidation.okWithMarkup("The script is already approved");
        }
        if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
            return FormValidation.warningWithMarkup("A Jenkins administrator will need to approve this script before it can be used");
        }
        if ((ALLOW_ADMIN_APPROVAL_ENABLED && (z || ADMIN_AUTO_APPROVAL_ENABLED)) || !Jenkins.get().isUseSecurity()) {
            return FormValidation.okWithMarkup("The script has not yet been approved, but it will be approved on save.");
        }
        return FormValidation.okWithMarkup("The script is not approved and will not be approved on save. Either modify the script to match an already approved script, approve it explicitly on the <a target='blank' href='" + Jenkins.get().getRootUrl() + get().getUrlName() + "'>Script Approval Configuration</a> page after save, or approve this version of the script. " + ("<a class='jenkins-button script-approval-approve-link' data-base-url='" + Jenkins.get().getRootUrl() + get().getUrlName() + "' data-hash='" + checkAndConvertApprovedScript.newHash + "'>Approve script</a>"));
    }

    @POST
    @Restricted({NoExternalUse.class})
    public synchronized void doApproveScriptHash(@QueryParameter(required = true) String str) throws IOException {
        approveScript(str);
    }

    @Deprecated
    public synchronized FormValidation checking(@NonNull String str, @NonNull Language language) {
        return checking(str, language, false);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public synchronized boolean isClasspathEntryApproved(URL url) {
        try {
            return checkAndConvertApprovedClasspath(url).approved;
        } catch (IOException e) {
            return false;
        }
    }

    public synchronized String preapprove(@NonNull String str, @NonNull Language language) {
        this.approvedScriptHashes.add(DEFAULT_HASHER.hash(str, language.getName()));
        return str;
    }

    public synchronized void preapproveAll() {
        Iterator<PendingScript> it = this.pendingScripts.iterator();
        while (it.hasNext()) {
            this.approvedScriptHashes.add(it.next().getHash());
        }
        this.pendingScripts.clear();
    }

    @Deprecated
    public synchronized RejectedAccessException accessRejected(@NonNull RejectedAccessException rejectedAccessException, @NonNull ApprovalContext approvalContext) {
        String signature = rejectedAccessException.getSignature();
        if (signature != null && this.pendingSignatures.add(new PendingSignature(signature, rejectedAccessException.isDangerous(), approvalContext))) {
            save();
        }
        return rejectedAccessException;
    }

    @Restricted({NoExternalUse.class})
    public static void maybeRegister(@NonNull RejectedAccessException rejectedAccessException) {
        Iterator<Consumer<RejectedAccessException>> it = callbacks.get().iterator();
        while (it.hasNext()) {
            it.next().accept(rejectedAccessException);
        }
    }

    @Restricted({NoExternalUse.class})
    public static void pushRegistrationCallback(Consumer<RejectedAccessException> consumer) {
        callbacks.get().push(consumer);
    }

    @Restricted({NoExternalUse.class})
    public static void popRegistrationCallback() {
        callbacks.get().pop();
    }

    @DataBoundSetter
    public synchronized void setApprovedSignatures(String[] strArr) throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        this.approvedSignatures.clear();
        ArrayList arrayList = new ArrayList(strArr.length);
        for (String str : strArr) {
            try {
                StaticWhitelist.parse(str);
                arrayList.add(str);
            } catch (IOException e) {
                LOG.warning("Ignoring malformed signature: " + str + " (Occurred exception: " + String.valueOf(e) + ")");
            }
        }
        this.approvedSignatures.addAll(arrayList);
        save();
        reconfigure();
    }

    @Restricted({NoExternalUse.class})
    public synchronized String[] getApprovedSignatures() {
        return (String[]) this.approvedSignatures.toArray(new String[this.approvedSignatures.size()]);
    }

    @Restricted({NoExternalUse.class})
    public synchronized String[] getDangerousApprovedSignatures() {
        ArrayList arrayList = new ArrayList();
        Iterator<String> it = this.approvedSignatures.iterator();
        while (it.hasNext()) {
            String next = it.next();
            if (StaticWhitelist.isBlacklisted(next)) {
                arrayList.add(next);
            }
        }
        return (String[]) arrayList.toArray(new String[arrayList.size()]);
    }

    @Restricted({NoExternalUse.class})
    public synchronized String[] getAclApprovedSignatures() {
        return (String[]) this.aclApprovedSignatures.toArray(new String[this.aclApprovedSignatures.size()]);
    }

    @DataBoundSetter
    public synchronized void setApprovedScriptHashes(String[] strArr) throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        this.approvedScriptHashes.clear();
        for (String str : strArr) {
            if (StringUtils.isNotEmpty(str)) {
                if (DEFAULT_HASHER.pattern().matcher(str).matches()) {
                    this.approvedScriptHashes.add(str);
                } else {
                    boolean z = false;
                    Hasher[] values = Hasher.values();
                    int length = values.length;
                    int i = 0;
                    while (true) {
                        if (i >= length) {
                            break;
                        }
                        Hasher hasher = values[i];
                        if (hasher != DEFAULT_HASHER && hasher.pattern().matcher(str).matches()) {
                            z = true;
                            break;
                        }
                        i++;
                    }
                    if (z) {
                        LOG.warning(() -> {
                            return "Adding deprecated script hash that will be converted on next use: " + str;
                        });
                        this.approvedScriptHashes.add(str);
                    } else {
                        LOG.warning(() -> {
                            return "Ignoring malformed script hash: " + str;
                        });
                    }
                }
            }
        }
        save();
        reconfigure();
    }

    @Restricted({NoExternalUse.class})
    public synchronized String[] getApprovedScriptHashes() {
        return (String[]) this.approvedScriptHashes.toArray(new String[this.approvedScriptHashes.size()]);
    }

    public String getIconFileName() {
        return null;
    }

    public String getUrlName() {
        return "scriptApproval";
    }

    @Restricted({NoExternalUse.class})
    public Set<PendingScript> getPendingScripts() {
        return this.pendingScripts;
    }

    @Restricted({NoExternalUse.class})
    @JavaScriptMethod
    public void approveScript(String str) throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        synchronized (this) {
            this.approvedScriptHashes.add(str);
            removePendingScript(str);
            save();
        }
        ACLContext as2 = ACL.as2(ACL.SYSTEM2);
        try {
            Iterator it = ExtensionList.lookup(ApprovalListener.class).iterator();
            while (it.hasNext()) {
                ((ApprovalListener) it.next()).onApproved(str);
            }
            if (as2 != null) {
                as2.close();
            }
        } catch (Throwable th) {
            if (as2 != null) {
                try {
                    as2.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Restricted({NoExternalUse.class})
    @JavaScriptMethod
    public synchronized void denyScript(String str) throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        this.approvedScriptHashes.remove(str);
        removePendingScript(str);
        save();
    }

    synchronized void removePendingScript(String str) {
        Iterator<PendingScript> it = this.pendingScripts.iterator();
        while (it.hasNext()) {
            if (it.next().getHash().equals(str)) {
                it.remove();
                return;
            }
        }
    }

    @Restricted({NoExternalUse.class})
    @JavaScriptMethod
    public synchronized void clearApprovedScripts() throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        this.approvedScriptHashes.clear();
        save();
    }

    @Restricted({NoExternalUse.class})
    @JavaScriptMethod
    public synchronized void clearDeprecatedApprovedScripts() throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        this.approvedScriptHashes.removeIf(str -> {
            return !DEFAULT_HASHER.pattern().matcher(str).matches();
        });
        save();
    }

    @Restricted({NoExternalUse.class})
    public String getSpinnerIconClassName() {
        return BallColor.GREY_ANIME.getIconClassName();
    }

    @Restricted({NoExternalUse.class})
    @JavaScriptMethod
    public synchronized void convertDeprecatedApprovedClasspathEntries() {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (isConvertingDeprecatedApprovedClasspathEntries()) {
            LOG.fine("Background conversion task already running.");
            return;
        }
        List list = (List) this.approvedClasspathEntries.stream().filter(approvedClasspathEntry -> {
            return !DEFAULT_HASHER.pattern().matcher(approvedClasspathEntry.getHash()).matches();
        }).collect(Collectors.toList());
        if (list.isEmpty()) {
            LOG.info("Nothing to convert.");
            return;
        }
        LOG.log(Level.INFO, "Scheduling conversion of {0} deprecated approved classpathentry hashes.", Integer.valueOf(list.size()));
        this.convertDeprecatedApprovedClasspathEntriesThread = new Thread(() -> {
            HashMap hashMap = new HashMap();
            for (int i = 0; i < list.size(); i++) {
                URL url = ((ApprovedClasspathEntry) list.get(i)).getURL();
                LOG.log(Level.INFO, String.format("Converting %s\t(%d/%d)", url, Integer.valueOf(i + 1), Integer.valueOf(list.size())));
                try {
                    hashMap.put(url.toExternalForm(), new ApprovedClasspathEntry(DEFAULT_HASHER.hashClasspathEntry(url), url));
                } catch (Throwable th) {
                    LOG.log(Level.WARNING, "Failed to convert " + String.valueOf(url), th);
                }
                Thread.yield();
            }
            synchronized (this) {
                this.approvedClasspathEntries.removeIf(approvedClasspathEntry2 -> {
                    return hashMap.containsKey(approvedClasspathEntry2.getURL().toExternalForm());
                });
                this.approvedClasspathEntries.addAll(hashMap.values());
                try {
                    save();
                } catch (Exception e) {
                    LOG.log(Level.WARNING, "Failed to store conversion result.", (Throwable) e);
                }
            }
            LOG.info("Conversion done.");
            synchronized (this) {
                this.convertDeprecatedApprovedClasspathEntriesThread = null;
            }
        }, "Approved Classpaths rehasher");
        this.convertDeprecatedApprovedClasspathEntriesThread.setDaemon(true);
        this.convertDeprecatedApprovedClasspathEntriesThread.start();
        LOG.fine("Background conversion task scheduled.");
    }

    @Restricted({NoExternalUse.class})
    public synchronized boolean isConvertingDeprecatedApprovedClasspathEntries() {
        return this.convertDeprecatedApprovedClasspathEntriesThread != null && this.convertDeprecatedApprovedClasspathEntriesThread.isAlive();
    }

    @Restricted({NoExternalUse.class})
    public Set<PendingSignature> getPendingSignatures() {
        return this.pendingSignatures;
    }

    /* JADX WARN: Type inference failed for: r0v6, types: [java.lang.String[], java.lang.String[][]] */
    private String[][] reconfigure() throws IOException {
        ApprovedWhitelist approvedWhitelist = (ApprovedWhitelist) ExtensionList.lookup(Whitelist.class).get(ApprovedWhitelist.class);
        return approvedWhitelist != null ? approvedWhitelist.reconfigure() : new String[]{new String[0], new String[0], new String[0]};
    }

    @Restricted({NoExternalUse.class})
    @JavaScriptMethod
    public synchronized String[][] approveSignature(String str) throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        this.pendingSignatures.remove(new PendingSignature(str, false, ApprovalContext.create()));
        this.approvedSignatures.add(str);
        save();
        return reconfigure();
    }

    @Restricted({NoExternalUse.class})
    @JavaScriptMethod
    public synchronized String[][] aclApproveSignature(String str) throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        this.pendingSignatures.remove(new PendingSignature(str, false, ApprovalContext.create()));
        this.aclApprovedSignatures.add(str);
        save();
        return reconfigure();
    }

    @Restricted({NoExternalUse.class})
    @JavaScriptMethod
    public synchronized void denySignature(String str) throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        this.pendingSignatures.remove(new PendingSignature(str, false, ApprovalContext.create()));
        save();
    }

    @Restricted({NoExternalUse.class})
    @JavaScriptMethod
    public synchronized String[][] clearApprovedSignatures() throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        this.approvedSignatures.clear();
        this.aclApprovedSignatures.clear();
        save();
        return reconfigure();
    }

    @Restricted({NoExternalUse.class})
    @JavaScriptMethod
    public synchronized String[][] clearDangerousApprovedSignatures() throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        Iterator<String> it = this.approvedSignatures.iterator();
        while (it.hasNext()) {
            if (StaticWhitelist.isBlacklisted(it.next())) {
                it.remove();
            }
        }
        Iterator<String> it2 = this.aclApprovedSignatures.iterator();
        while (it2.hasNext()) {
            if (StaticWhitelist.isBlacklisted(it2.next())) {
                it2.remove();
            }
        }
        save();
        return reconfigure();
    }

    @Restricted({NoExternalUse.class})
    public synchronized List<ApprovedClasspathEntry> getApprovedClasspathEntries() {
        ArrayList arrayList = new ArrayList(this.approvedClasspathEntries);
        arrayList.sort(Comparator.comparing(approvedClasspathEntry -> {
            return approvedClasspathEntry.url.toString();
        }));
        return arrayList;
    }

    @Restricted({NoExternalUse.class})
    public synchronized List<PendingClasspathEntry> getPendingClasspathEntries() {
        ArrayList arrayList = new ArrayList(this.pendingClasspathEntries);
        arrayList.sort(Comparator.comparing(pendingClasspathEntry -> {
            return pendingClasspathEntry.url.toString();
        }));
        return arrayList;
    }

    @Restricted({NoExternalUse.class})
    @JavaScriptMethod
    public JSON getClasspathRenderInfo() {
        JSONArray jSONArray = new JSONArray();
        for (PendingClasspathEntry pendingClasspathEntry : getPendingClasspathEntries()) {
            jSONArray.add(new JSONObject().element("hash", pendingClasspathEntry.getHash()).element("path", ClasspathEntry.urlToPath(pendingClasspathEntry.getURL())));
        }
        JSONArray jSONArray2 = new JSONArray();
        for (ApprovedClasspathEntry approvedClasspathEntry : getApprovedClasspathEntries()) {
            jSONArray2.add(new JSONObject().element("hash", approvedClasspathEntry.getHash()).element("path", ClasspathEntry.urlToPath(approvedClasspathEntry.getURL())));
        }
        return new JSONArray().element(jSONArray).element(jSONArray2);
    }

    @Restricted({NoExternalUse.class})
    @JavaScriptMethod
    public JSON approveClasspathEntry(String str) throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        URL url = null;
        synchronized (this) {
            PendingClasspathEntry pendingClasspathEntry = getPendingClasspathEntry(str);
            if (pendingClasspathEntry != null) {
                this.pendingClasspathEntries.remove(pendingClasspathEntry);
                url = pendingClasspathEntry.getURL();
                this.approvedClasspathEntries.add(new ApprovedClasspathEntry(str, url));
                save();
            }
        }
        if (url != null) {
            ACLContext as2 = ACL.as2(ACL.SYSTEM2);
            try {
                Iterator it = ExtensionList.lookup(ApprovalListener.class).iterator();
                while (it.hasNext()) {
                    ((ApprovalListener) it.next()).onApprovedClasspathEntry(str, url);
                }
                if (as2 != null) {
                    as2.close();
                }
            } catch (Throwable th) {
                if (as2 != null) {
                    try {
                        as2.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        }
        return getClasspathRenderInfo();
    }

    @Restricted({NoExternalUse.class})
    @JavaScriptMethod
    public JSON denyClasspathEntry(String str) throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        PendingClasspathEntry pendingClasspathEntry = getPendingClasspathEntry(str);
        if (pendingClasspathEntry != null) {
            this.pendingClasspathEntries.remove(pendingClasspathEntry);
            save();
        }
        return getClasspathRenderInfo();
    }

    @Restricted({NoExternalUse.class})
    @JavaScriptMethod
    public JSON denyApprovedClasspathEntry(String str) throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (this.approvedClasspathEntries.remove(new ApprovedClasspathEntry(str, null))) {
            save();
        }
        return getClasspathRenderInfo();
    }

    @Restricted({NoExternalUse.class})
    @JavaScriptMethod
    public synchronized JSON clearApprovedClasspathEntries() throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        this.approvedClasspathEntries.clear();
        save();
        return getClasspathRenderInfo();
    }

    static {
        XSTREAM2.alias("com.cloudbees.hudson.plugins.modeling.scripts.ScriptApproval", ScriptApproval.class);
        XSTREAM2.alias("com.cloudbees.hudson.plugins.modeling.scripts.ScriptApproval$PendingScript", PendingScript.class);
        XSTREAM2.alias("com.cloudbees.hudson.plugins.modeling.scripts.ScriptApproval$PendingSignature", PendingSignature.class);
        XSTREAM2.alias("scriptApproval", ScriptApproval.class);
        XSTREAM2.alias("approvedClasspathEntry", ApprovedClasspathEntry.class);
        XSTREAM2.alias("pendingScript", PendingScript.class);
        XSTREAM2.alias("pendingSignature", PendingSignature.class);
        XSTREAM2.alias("pendingClasspathEntry", PendingClasspathEntry.class);
        DEFAULT_HASHER = Hasher.SHA512;
        callbacks = ThreadLocal.withInitial(Stack::new);
    }
}
