package org.jenkinsci.plugins.workflow.cps;

import com.cloudbees.groovy.cps.Continuable;
import com.cloudbees.groovy.cps.Outcome;
import com.cloudbees.plugins.credentials.domains.AntPathMatcher;
import groovy.lang.GroovyShell;
import hudson.Extension;
import hudson.MarkupText;
import hudson.console.ConsoleAnnotationDescriptor;
import hudson.console.ConsoleAnnotator;
import hudson.console.ConsoleNote;
import java.io.IOException;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.CheckForNull;
import jenkins.model.Jenkins;
import org.jenkinsci.Symbol;
import org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException;
import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox;
import org.jenkinsci.plugins.scriptsecurity.scripts.ApprovalContext;
import org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval;
import org.kohsuke.stapler.Stapler;
import org.kohsuke.stapler.StaplerRequest;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:test-dependencies/workflow-cps.hpi:WEB-INF/lib/workflow-cps.jar:org/jenkinsci/plugins/workflow/cps/SandboxContinuable.class */
public class SandboxContinuable extends Continuable {
    private final CpsThread thread;
    private static final Logger LOGGER = Logger.getLogger(SandboxContinuable.class.getName());

    /* loaded from: input_file:test-dependencies/workflow-cps.hpi:WEB-INF/lib/workflow-cps.jar:org/jenkinsci/plugins/workflow/cps/SandboxContinuable$ScriptApprovalNote.class */
    public static final class ScriptApprovalNote extends ConsoleNote {
        private int length;

        @Extension
        @Symbol({"scriptApprovalLink"})
        /* loaded from: input_file:test-dependencies/workflow-cps.hpi:WEB-INF/lib/workflow-cps.jar:org/jenkinsci/plugins/workflow/cps/SandboxContinuable$ScriptApprovalNote$DescriptorImpl.class */
        public static class DescriptorImpl extends ConsoleAnnotationDescriptor {
            public String getDisplayName() {
                return "Script Approval Link";
            }
        }

        public ScriptApprovalNote(int i) {
            this.length = i;
        }

        public ConsoleAnnotator annotate(Object obj, MarkupText markupText, int i) {
            if (!Jenkins.get().hasPermission(Jenkins.RUN_SCRIPTS)) {
                return null;
            }
            String str = AntPathMatcher.DEFAULT_PATH_SEPARATOR + ScriptApproval.get().getUrlName();
            StaplerRequest currentRequest = Stapler.getCurrentRequest();
            markupText.addMarkup(i, i + this.length, "<a href='" + (currentRequest != null ? currentRequest.getContextPath() + str : Jenkins.get().getRootUrl() + str.substring(1)) + "'>", "</a>");
            return null;
        }

        public static String encodeTo(String str) {
            try {
                return new ScriptApprovalNote(str.length()).encode() + str;
            } catch (IOException e) {
                SandboxContinuable.LOGGER.log(Level.WARNING, "Failed to serialize " + ScriptApprovalNote.class, (Throwable) e);
                return str;
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public SandboxContinuable(Continuable continuable, CpsThread cpsThread) {
        super(continuable);
        this.thread = cpsThread;
    }

    @Override // com.cloudbees.groovy.cps.Continuable
    public Outcome run0(Outcome outcome, List<Class> list) {
        try {
            CpsFlowExecution execution = this.thread.group.getExecution();
            if (execution == null) {
                throw new IllegalStateException("JENKINS-50407: no loaded execution");
            }
            GroovyShell shell = execution.getShell();
            if (shell == null) {
                throw new IllegalStateException("JENKINS-50407: no loaded shell in " + execution);
            }
            GroovyShell trustedShell = execution.getTrustedShell();
            if (trustedShell == null) {
                throw new IllegalStateException("JENKINS-50407: no loaded trustedShell in " + execution);
            }
            return (Outcome) GroovySandbox.runInSandbox(() -> {
                Outcome run0 = super.run0(outcome, list);
                RejectedAccessException findRejectedAccessException = findRejectedAccessException(run0.getAbnormal());
                if (findRejectedAccessException != null) {
                    ScriptApproval.get().accessRejected(findRejectedAccessException, ApprovalContext.create());
                    try {
                        execution.getOwner().getListener().getLogger().println(findRejectedAccessException.getMessage() + ". " + ScriptApprovalNote.encodeTo(Messages.SandboxContinuable_ScriptApprovalLink()));
                    } catch (IOException e) {
                        LOGGER.log(Level.WARNING, (String) null, (Throwable) e);
                    }
                }
                return run0;
            }, new GroovyClassLoaderWhitelist(CpsWhitelist.get(), trustedShell.getClassLoader(), shell.getClassLoader()));
        } catch (RuntimeException e) {
            throw e;
        } catch (Exception e2) {
            throw new AssertionError(e2);
        }
    }

    @CheckForNull
    private static RejectedAccessException findRejectedAccessException(@CheckForNull Throwable th) {
        if (th == null) {
            return null;
        }
        return th instanceof RejectedAccessException ? (RejectedAccessException) th : findRejectedAccessException(th.getCause());
    }
}
