package org.jenkinsci.plugins.scriptsecurity.sandbox.groovy;

import groovy.lang.Grab;
import groovy.lang.GrabConfig;
import groovy.lang.GrabExclude;
import groovy.lang.GrabResolver;
import groovy.lang.Grapes;
import groovy.transform.ASTTest;
import groovy.transform.AnnotationCollector;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import org.codehaus.groovy.ast.AnnotatedNode;
import org.codehaus.groovy.ast.AnnotationNode;
import org.codehaus.groovy.ast.ClassCodeVisitorSupport;
import org.codehaus.groovy.ast.ClassNode;
import org.codehaus.groovy.ast.ImportNode;
import org.codehaus.groovy.ast.ModuleNode;
import org.codehaus.groovy.classgen.GeneratorContext;
import org.codehaus.groovy.control.CompilationFailedException;
import org.codehaus.groovy.control.CompilePhase;
import org.codehaus.groovy.control.SourceUnit;
import org.codehaus.groovy.control.customizers.CompilationCustomizer;

/* loaded from: input_file:WEB-INF/lib/script-security.jar:org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/RejectASTTransformsCustomizer.class */
public class RejectASTTransformsCustomizer extends CompilationCustomizer {
    private static final List<String> BLOCKED_TRANSFORMS = Collections.unmodifiableList(Arrays.asList(ASTTest.class.getCanonicalName(), Grab.class.getCanonicalName(), GrabConfig.class.getCanonicalName(), GrabExclude.class.getCanonicalName(), GrabResolver.class.getCanonicalName(), Grapes.class.getCanonicalName(), AnnotationCollector.class.getCanonicalName()));

    /* loaded from: input_file:WEB-INF/lib/script-security.jar:org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/RejectASTTransformsCustomizer$RejectASTTransformsVisitor.class */
    private static class RejectASTTransformsVisitor extends ClassCodeVisitorSupport {
        private SourceUnit source;

        public RejectASTTransformsVisitor(SourceUnit sourceUnit) {
            this.source = sourceUnit;
        }

        protected SourceUnit getSourceUnit() {
            return this.source;
        }

        public void visitImports(ModuleNode moduleNode) {
            if (moduleNode != null) {
                Iterator it = moduleNode.getImports().iterator();
                while (it.hasNext()) {
                    checkImportForBlockedAnnotation((ImportNode) it.next());
                }
                Iterator it2 = moduleNode.getStaticImports().values().iterator();
                while (it2.hasNext()) {
                    checkImportForBlockedAnnotation((ImportNode) it2.next());
                }
            }
            super.visitImports(moduleNode);
        }

        private void checkImportForBlockedAnnotation(ImportNode importNode) {
            if (importNode == null || importNode.getType() == null) {
                return;
            }
            for (String str : RejectASTTransformsCustomizer.getBlockedTransforms()) {
                if (str.equals(importNode.getType().getName()) || str.endsWith("." + importNode.getType().getName())) {
                    throw new SecurityException("Annotation " + importNode.getType().getName() + " cannot be used in the sandbox.");
                }
            }
        }

        public void visitAnnotations(AnnotatedNode annotatedNode) {
            for (AnnotationNode annotationNode : annotatedNode.getAnnotations()) {
                for (String str : RejectASTTransformsCustomizer.getBlockedTransforms()) {
                    if (str.equals(annotationNode.getClassNode().getName()) || str.endsWith("." + annotationNode.getClassNode().getName())) {
                        throw new SecurityException("Annotation " + annotationNode.getClassNode().getName() + " cannot be used in the sandbox.");
                    }
                }
            }
            super.visitAnnotations(annotatedNode);
        }
    }

    public RejectASTTransformsCustomizer() {
        super(CompilePhase.CONVERSION);
    }

    public void call(SourceUnit sourceUnit, GeneratorContext generatorContext, ClassNode classNode) throws CompilationFailedException {
        new RejectASTTransformsVisitor(sourceUnit).visitClass(classNode);
    }

    private static List<String> getBlockedTransforms() {
        ArrayList arrayList = new ArrayList(BLOCKED_TRANSFORMS);
        String property = System.getProperty(RejectASTTransformsCustomizer.class.getName() + ".ADDITIONAL_BLOCKED_TRANSFORMS");
        if (property != null) {
            for (String str : property.split(",")) {
                arrayList.add(str.trim());
            }
        }
        return arrayList;
    }
}
