package org.jenkinsci.plugins.workflow.cps;

import edu.umd.cs.findbugs.annotations.CheckForNull;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import hudson.Extension;
import hudson.ExtensionList;
import hudson.ExtensionPoint;
import hudson.Main;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import jenkins.util.SystemProperties;
import org.apache.commons.lang.StringUtils;

/* loaded from: input_file:WEB-INF/lib/workflow-cps.jar:org/jenkinsci/plugins/workflow/cps/GroovySourceFileAllowlist.class */
public abstract class GroovySourceFileAllowlist implements ExtensionPoint {
    private static final Logger LOGGER = Logger.getLogger(GroovySourceFileAllowlist.class.getName());
    private static final String DISABLED_PROPERTY = GroovySourceFileAllowlist.class.getName() + ".DISABLED";

    @SuppressFBWarnings(value = {"MS_SHOULD_BE_FINAL"}, justification = "Non-final for script console access")
    static boolean DISABLED = SystemProperties.getBoolean(DISABLED_PROPERTY);

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/lib/workflow-cps.jar:org/jenkinsci/plugins/workflow/cps/GroovySourceFileAllowlist$ClassLoaderImpl.class */
    public static class ClassLoaderImpl extends ClassLoader {
        private static final String LOG_MESSAGE_TEMPLATE = "Preventing {0} from being loaded without sandbox protection in {1}. To allow access to this file, add any suffix of its URL to the system property ‘" + DefaultAllowlist.ALLOWED_SOURCE_FILES_PROPERTY + "’ (use commas to separate multiple files). If you want to allow any Groovy file on the Jenkins classpath to be accessed, you may set the system property ‘" + GroovySourceFileAllowlist.DISABLED_PROPERTY + "’ to true.";
        private final String owner;

        public ClassLoaderImpl(@CheckForNull CpsFlowExecution cpsFlowExecution, ClassLoader classLoader) {
            super(classLoader);
            this.owner = describeOwner(cpsFlowExecution);
        }

        private static String describeOwner(@CheckForNull CpsFlowExecution cpsFlowExecution) {
            if (cpsFlowExecution == null) {
                return "unknown";
            }
            try {
                return cpsFlowExecution.getOwner().getExecutable().toString();
            } catch (IOException e) {
                return "unknown";
            }
        }

        @Override // java.lang.ClassLoader
        public URL getResource(String str) {
            URL resource = super.getResource(str);
            if (GroovySourceFileAllowlist.DISABLED || resource == null || !endsWithIgnoreCase(str, ".groovy") || isAllowed(resource)) {
                return resource;
            }
            GroovySourceFileAllowlist.LOGGER.log(Level.WARNING, LOG_MESSAGE_TEMPLATE, new Object[]{resource, this.owner});
            return null;
        }

        @Override // java.lang.ClassLoader
        public Enumeration<URL> getResources(String str) throws IOException {
            Enumeration<URL> resources = super.getResources(str);
            if (GroovySourceFileAllowlist.DISABLED || !resources.hasMoreElements() || !endsWithIgnoreCase(str, ".groovy")) {
                return resources;
            }
            ArrayList arrayList = new ArrayList();
            while (resources.hasMoreElements()) {
                URL nextElement = resources.nextElement();
                if (isAllowed(nextElement)) {
                    arrayList.add(nextElement);
                } else {
                    GroovySourceFileAllowlist.LOGGER.log(Level.WARNING, LOG_MESSAGE_TEMPLATE, new Object[]{nextElement, this.owner});
                }
            }
            return Collections.enumeration(arrayList);
        }

        private static boolean isAllowed(URL url) {
            String url2 = url.toString();
            Iterator<GroovySourceFileAllowlist> it = GroovySourceFileAllowlist.all().iterator();
            while (it.hasNext()) {
                if (it.next().isAllowed(url2)) {
                    return true;
                }
            }
            return false;
        }

        private static boolean endsWithIgnoreCase(String str, String str2) {
            int length = str2.length();
            return str.regionMatches(true, str.length() - length, str2, 0, length);
        }
    }

    @Extension
    /* loaded from: input_file:WEB-INF/lib/workflow-cps.jar:org/jenkinsci/plugins/workflow/cps/GroovySourceFileAllowlist$DefaultAllowlist.class */
    public static class DefaultAllowlist extends GroovySourceFileAllowlist {
        private static final Logger LOGGER = Logger.getLogger(DefaultAllowlist.class.getName());
        private static final String ALLOWED_SOURCE_FILES_PROPERTY = DefaultAllowlist.class.getCanonicalName() + ".ALLOWED_SOURCE_FILES";
        static final List<String> ALLOWED_SOURCE_FILES = new ArrayList();

        public DefaultAllowlist() throws IOException {
            for (String str : SystemProperties.getString(ALLOWED_SOURCE_FILES_PROPERTY, "").split(",")) {
                String trimToNull = StringUtils.trimToNull(str);
                if (trimToNull != null) {
                    if (trimToNull.endsWith(".groovy")) {
                        ALLOWED_SOURCE_FILES.add(trimToNull);
                        LOGGER.log(Level.INFO, "Allowing Pipelines to access {0}", trimToNull);
                    } else {
                        LOGGER.log(Level.WARNING, "Ignoring invalid Groovy source file: {0}", trimToNull);
                    }
                }
            }
            loadDefaultAllowlist(ALLOWED_SOURCE_FILES);
            if (Main.isUnitTest) {
                ALLOWED_SOURCE_FILES.addAll(Arrays.asList("/org/jenkinsci/plugins/pipeline/modeldefinition/agent/impl/LabelAndOtherFieldAgentScript.groovy", "/org/jenkinsci/plugins/pipeline/modeldefinition/parser/GlobalStageNameTestConditionalScript.groovy", "/org/jenkinsci/plugins/pipeline/modeldefinition/parser/GlobalStepCountTestConditionalScript.groovy"));
            }
        }

        private static void loadDefaultAllowlist(List<String> list) throws IOException {
            InputStream resourceAsStream = GroovySourceFileAllowlist.class.getResourceAsStream("GroovySourceFileAllowlist/default-allowlist");
            try {
                BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(resourceAsStream, StandardCharsets.UTF_8));
                while (true) {
                    try {
                        String readLine = bufferedReader.readLine();
                        if (readLine == null) {
                            break;
                        }
                        String trim = readLine.trim();
                        if (!trim.isEmpty() && !trim.startsWith("#")) {
                            list.add(trim);
                        }
                    } finally {
                    }
                }
                bufferedReader.close();
                if (resourceAsStream != null) {
                    resourceAsStream.close();
                }
            } catch (Throwable th) {
                if (resourceAsStream != null) {
                    try {
                        resourceAsStream.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        }

        @Override // org.jenkinsci.plugins.workflow.cps.GroovySourceFileAllowlist
        public boolean isAllowed(String str) {
            Iterator<String> it = ALLOWED_SOURCE_FILES.iterator();
            while (it.hasNext()) {
                if (str.endsWith(it.next())) {
                    return true;
                }
            }
            return false;
        }
    }

    public abstract boolean isAllowed(String str);

    public static List<GroovySourceFileAllowlist> all() {
        return ExtensionList.lookup(GroovySourceFileAllowlist.class);
    }
}
