package org.jenkinsci.plugins.scriptsecurity.sandbox.groovy;

import edu.umd.cs.findbugs.annotations.CheckForNull;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import groovy.grape.GrabAnnotationTransformation;
import groovy.lang.Binding;
import groovy.lang.GroovyClassLoader;
import groovy.lang.GroovyCodeSource;
import groovy.lang.GroovyObject;
import groovy.lang.GroovyRuntimeException;
import groovy.lang.GroovyShell;
import groovy.lang.MissingPropertyException;
import groovy.lang.Script;
import hudson.ExtensionList;
import hudson.model.RootAction;
import hudson.model.TaskListener;
import hudson.util.FormValidation;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.concurrent.Callable;
import java.util.logging.Level;
import java.util.logging.Logger;
import net.bytebuddy.utility.JavaConstant;
import org.apache.commons.text.lookup.StringLookupFactory;
import org.codehaus.groovy.control.CompilationFailedException;
import org.codehaus.groovy.control.CompilationUnit;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.codehaus.groovy.control.customizers.CompilationCustomizer;
import org.codehaus.groovy.runtime.InvokerHelper;
import org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException;
import org.jenkinsci.plugins.scriptsecurity.sandbox.Whitelist;
import org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.ProxyWhitelist;
import org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist;
import org.jenkinsci.plugins.scriptsecurity.scripts.ApprovalContext;
import org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval;
import org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApprovalNote;
import org.kohsuke.groovy.sandbox.SandboxTransformer;
import org.kohsuke.groovy.sandbox.impl.Checker;

/* loaded from: input_file:test-dependencies/script-security.hpi:WEB-INF/lib/script-security.jar:org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.class */
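/**
 * Configures and enters the Groovy sandbox: registers a {@link SandboxInterceptor} backed by a
 * {@link Whitelist} and routes rejected calls to {@link ScriptApproval}.
 *
 * <p>This listing is decompiler output (see the JADX marker on {@link #checkedCreateScript}), so
 * parameter names are synthetic and some visibility modifiers differ from the original source.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Interception only applies to code compiled with {@link #createSecureCompilerConfiguration()}
 *       and executed while a {@link Scope} from {@link #enter()} is open.</li>
 *   <li>A sandbox with no explicit whitelist falls back to {@link Whitelist#all()}.</li>
 *   <li>{@link #run(Script, Whitelist)} receives a script that was instantiated by the caller,
 *       so its construction is not covered by the scope opened there.</li>
 * </ul>
 *
 * <p>Instances are mutable builders ({@code with*} methods return {@code this}); nothing in this
 * class synchronizes access to them.
 */
public final class GroovySandbox {
    public static final Logger LOGGER = Logger.getLogger(GroovySandbox.class.getName());

    // Whitelist handed to the interceptor; null means "use Whitelist.all()" (see whitelist()).
    @CheckForNull
    private Whitelist whitelist;

    // Approval context attached to rejected signatures; null means a fresh one per enter().
    @CheckForNull
    private ApprovalContext context;

    // Optional build log that receives a note for each rejected access.
    @CheckForNull
    private TaskListener listener;

    /**
     * Handle for an entered sandbox. Closing it undoes what {@link GroovySandbox#enter()} set up.
     * Use it with try-with-resources so the interceptor is always unregistered.
     */
    @FunctionalInterface
    public interface Scope extends AutoCloseable {
        /**
         * Compiles {@code groovyCodeSource} with the shell's class loader (source caching off) and
         * instantiates the result through {@link GroovySandbox#checkedCreateScript}.
         *
         * <p>NOTE(review): nothing here verifies that the scope is still open or that the shell's
         * class loader was built with the secure compiler configuration; both are the caller's
         * responsibility.
         *
         * @param groovyShell shell supplying the class loader and the binding
         * @param groovyCodeSource script text and its code source
         * @return the script instance, not yet run
         */
        default Script parse(GroovyShell groovyShell, GroovyCodeSource groovyCodeSource) {
            Class<?> scriptClass = groovyShell.getClassLoader().parseClass(groovyCodeSource, false);
            return GroovySandbox.checkedCreateScript(scriptClass, groovyShell.getContext());
        }

        /** Leaves the sandbox; declared without checked exceptions so callers need no catch. */
        @Override
        void close();
    }

    /**
     * Sets the whitelist used by the interceptor.
     *
     * @param whitelist the whitelist, or {@code null} to fall back to {@link Whitelist#all()}
     * @return this sandbox
     */
    public GroovySandbox withWhitelist(@CheckForNull Whitelist whitelist) {
        this.whitelist = whitelist;
        return this;
    }

    /**
     * Sets the approval context recorded with rejected signatures.
     *
     * @param approvalContext the context, or {@code null} to create one when entering
     * @return this sandbox
     */
    public GroovySandbox withApprovalContext(@CheckForNull ApprovalContext approvalContext) {
        this.context = approvalContext;
        return this;
    }

    /**
     * Sets the listener that is told about rejected accesses.
     *
     * @param taskListener the listener, or {@code null} for none
     * @return this sandbox
     */
    public GroovySandbox withTaskListener(@CheckForNull TaskListener taskListener) {
        this.listener = taskListener;
        return this;
    }

    /** Returns the configured whitelist, or {@link Whitelist#all()} when none was set. */
    @NonNull
    private Whitelist whitelist() {
        return this.whitelist != null ? this.whitelist : Whitelist.all();
    }

    /**
     * Registers the interceptor and the rejection callback, and returns the scope that removes them.
     *
     * <p>The callback does nothing when no {@link ScriptApproval} root action is registered.
     * Otherwise it queues the rejected signature for approval unless the signature is permanently
     * blacklisted, and prints a note to the task listener if one is set. The listener field is
     * read when the callback fires, not when the scope is entered.
     *
     * <p>NOTE(review): if the callback push throws after {@code register()}, the interceptor stays
     * registered; the same applies to {@code close()} if {@code unregister()} throws before the pop.
     *
     * @return a scope that must be closed, ideally via try-with-resources
     */
    public Scope enter() {
        SandboxInterceptor interceptor = new SandboxInterceptor(whitelist());
        ApprovalContext approvalContext = this.context != null ? this.context : ApprovalContext.create();
        interceptor.register();
        ScriptApproval.pushRegistrationCallback(rejected -> {
            if (ExtensionList.lookup(RootAction.class).get(ScriptApproval.class) == null) {
                return;
            }
            if (!StaticWhitelist.isPermanentlyBlacklisted(rejected.getSignature())) {
                ScriptApproval.get().accessRejected(rejected, approvalContext);
            }
            if (this.listener != null) {
                ScriptApprovalNote.print(this.listener, rejected);
            }
        });
        return () -> {
            interceptor.unregister();
            ScriptApproval.popRegistrationCallback();
        };
    }

    /**
     * Compiles, instantiates and runs {@code str} inside a sandbox scope.
     *
     * <p>The effective whitelist is a {@link ProxyWhitelist} of a {@link ClassLoaderWhitelist} for
     * the shell's class loader followed by this sandbox's whitelist.
     *
     * @param groovyShell shell whose class loader and binding are used
     * @param str the script text
     * @return whatever the script's {@code run()} returns
     */
    public Object runScript(@NonNull GroovyShell groovyShell, @NonNull String str) {
        // try-with-resources closes the scope on every path, including when run() throws.
        try (Scope scope = new GroovySandbox()
                .withApprovalContext(this.context)
                .withTaskListener(this.listener)
                .withWhitelist(new ProxyWhitelist(new ClassLoaderWhitelist(groovyShell.getClassLoader()), whitelist()))
                .enter()) {
            String scriptName = "Script0.groovy";
            try {
                // NOTE(review): getDeclaredMethod on the runtime class will not find a method that
                // is only declared on a superclass, so a GroovyShell subclass presumably ends up on
                // the fallback name with a warning — confirm whether that is intended.
                Method generateScriptName = groovyShell.getClass().getDeclaredMethod("generateScriptName");
                generateScriptName.setAccessible(true);
                scriptName = (String) generateScriptName.invoke(groovyShell);
            } catch (ReflectiveOperationException e) {
                // Best effort: keep the default name and leave a trace in the log.
                LOGGER.log(Level.WARNING, null, e);
            }
            return scope.parse(groovyShell, new GroovyCodeSource(str, scriptName, "/groovy/shell")).run();
        }
    }

    /**
     * Instantiates a compiled script class and attaches the binding.
     *
     * <p>A {@link Script} subclass is created with {@link InvokerHelper#newScript}. Any other class
     * is instantiated directly and wrapped in a {@link Script} whose {@code run()} calls the
     * object's {@code main} through {@link Checker#checkedCall}; binding variables are then copied
     * onto the object (or onto the wrapper, for names starting with an underscore) through
     * {@link Checker#checkedSetProperty}.
     *
     * <p>NOTE(review): neither instantiation call goes through {@code Checker} itself, so
     * constructors and initializers are only intercepted if the class was compiled with the
     * sandbox transformer and a scope is open on the calling thread.
     *
     * @param cls the compiled class
     * @param binding variables to expose to the script
     * @return the script instance, not yet run
     * @throws GroovyRuntimeException wrapping any failure during instantiation or binding
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static Script checkedCreateScript(Class<?> cls, Binding binding) {
        try {
            if (Script.class.isAssignableFrom(cls)) {
                try {
                    return InvokerHelper.newScript(cls, binding);
                } catch (InvocationTargetException e) {
                    // Surface the constructor's own failure rather than the reflection wrapper.
                    throw e.getCause();
                }
            }

            // The decompiler typed this local as Script, which does not match the cast; the
            // instance is only known to be a GroovyObject.
            final GroovyObject target = (GroovyObject) cls.newInstance();
            Script wrapper = new Script(binding) {
                @Override
                public Object run() {
                    Object[] mainArgs = new Object[0];
                    try {
                        Object args = getProperty("args");
                        if (args instanceof String[]) {
                            mainArgs = (String[]) args;
                        }
                    } catch (MissingPropertyException ignored) {
                        // No "args" in the binding: main is called with no arguments.
                    }
                    try {
                        Checker.checkedCall(target, false, false, "main", mainArgs);
                        return null;
                    } catch (Throwable th) {
                        throw new GroovyRuntimeException(th);
                    }
                }
            };
            // Iterate as Object and cast: Binding.getVariables() may be a raw Map.
            for (Object o : binding.getVariables().entrySet()) {
                Map.Entry<?, ?> entry = (Map.Entry<?, ?>) o;
                String key = entry.getKey().toString();
                // "_" is what the decompiler rendered as JavaConstant.Dynamic.DEFAULT_NAME;
                // underscore-prefixed variables go to the wrapper script, the rest to the object.
                GroovyObject receiver = key.startsWith("_") ? wrapper : target;
                try {
                    // NOTE(review): 100 is presumably Groovy's token code for plain assignment
                    // (Types.ASSIGN) — confirm against the Groovy version in use.
                    Checker.checkedSetProperty(receiver, key, true, false, 100, entry.getValue());
                } catch (MissingPropertyException ignored) {
                    // The receiver has no such property; the variable is skipped.
                }
            }
            return wrapper;
        } catch (Throwable th) {
            throw new GroovyRuntimeException("Failed to create Script instance for class: " + cls + ". Reason: " + th, th);
        }
    }

    /**
     * Returns the base configuration plus a {@link SandboxTransformer}, which is what makes
     * compiled code call into the registered interceptor.
     */
    @NonNull
    public static CompilerConfiguration createSecureCompilerConfiguration() {
        CompilerConfiguration config = createBaseCompilerConfiguration();
        config.addCompilationCustomizers(new SandboxTransformer());
        return config;
    }

    /**
     * Returns a configuration that guards against code running at compile time: it installs a
     * {@link RejectASTTransformsCustomizer} and disables the global {@code @Grab} transformation.
     *
     * <p>This configuration does not add the sandbox transformer; code compiled with it alone is
     * not intercepted at run time.
     */
    @NonNull
    public static CompilerConfiguration createBaseCompilerConfiguration() {
        CompilerConfiguration config = new CompilerConfiguration();
        config.addCompilationCustomizers(new RejectASTTransformsCustomizer());
        config.setDisabledGlobalASTTransformations(
                new HashSet<>(Collections.singletonList(GrabAnnotationTransformation.class.getName())));
        return config;
    }

    /**
     * Wraps {@code classLoader} in a {@link SandboxResolvingClassLoader}.
     *
     * @param classLoader the parent loader
     * @return the wrapping loader; its lifecycle is left to the caller
     */
    @NonNull
    @SuppressFBWarnings(value = {"DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED"}, justification = "Should be managed by the caller.")
    public static ClassLoader createSecureClassLoader(ClassLoader classLoader) {
        return new SandboxResolvingClassLoader(classLoader);
    }

    /**
     * Runs {@code runnable} inside a sandbox scope using only {@code whitelist}.
     *
     * @deprecated kept for compatibility; prefer {@link #enter()} with try-with-resources
     */
    @Deprecated
    public static void runInSandbox(@NonNull Runnable runnable, @NonNull Whitelist whitelist) throws RejectedAccessException {
        try (Scope scope = new GroovySandbox().withWhitelist(whitelist).enter()) {
            runnable.run();
        }
    }

    /**
     * Runs {@code callable} inside a sandbox scope using only {@code whitelist}.
     *
     * @return the callable's result
     * @throws Exception whatever the callable throws
     * @deprecated kept for compatibility; prefer {@link #enter()} with try-with-resources
     */
    @Deprecated
    public static <V> V runInSandbox(@NonNull Callable<V> callable, @NonNull Whitelist whitelist) throws Exception {
        try (Scope scope = new GroovySandbox().withWhitelist(whitelist).enter()) {
            return callable.call();
        }
    }

    /**
     * Runs an already-instantiated script inside a sandbox scope and logs a warning on every call.
     *
     * <p>The script object exists before the scope is entered, so whatever ran while it was being
     * constructed is outside this method's control; only {@code run()} executes within the scope.
     *
     * @deprecated insecure overload; use {@link #runScript(GroovyShell, String)}
     */
    @Deprecated
    public static Object run(@NonNull Script script, @NonNull Whitelist whitelist) throws RejectedAccessException {
        // The exception is created only to capture the caller's stack trace in the log.
        LOGGER.log(Level.WARNING, null, new IllegalStateException(Messages.GroovySandbox_useOfInsecureRunOverload()));
        try (Scope scope = new GroovySandbox()
                .withWhitelist(new ProxyWhitelist(new ClassLoaderWhitelist(script.getClass().getClassLoader()), whitelist))
                .enter()) {
            return script.run();
        }
    }

    /**
     * Convenience wrapper around {@link #runScript(GroovyShell, String)} with an explicit whitelist.
     *
     * @deprecated configure a {@link GroovySandbox} and call {@code runScript} directly
     */
    @Deprecated
    public static Object run(@NonNull GroovyShell groovyShell, @NonNull String str, @NonNull Whitelist whitelist) throws RejectedAccessException {
        return new GroovySandbox().withWhitelist(whitelist).runScript(groovyShell, str);
    }

    /**
     * Compiles {@code str} with the secure configuration to check for syntax errors, without
     * running it.
     *
     * <p>The compiler message returned on failure can echo parts of the submitted script.
     * NOTE(review): confirm that {@code FormValidation.error(String)} escapes it before rendering.
     *
     * @param str the script text
     * @param groovyClassLoader loader used to resolve classes during compilation
     * @return {@code ok()} if compilation reaches the requested phase, otherwise an error
     */
    @NonNull
    public static FormValidation checkScriptForCompilationErrors(String str, GroovyClassLoader groovyClassLoader) {
        try {
            // "file" is what the decompiler rendered as StringLookupFactory.KEY_FILE.
            CompilationUnit unit = new CompilationUnit(
                    createSecureCompilerConfiguration(),
                    new CodeSource(new URL("file", "", "/groovy/shell"), (Certificate[]) null),
                    groovyClassLoader);
            unit.addSource("Script1", str);
            // NOTE(review): phase 5 presumably corresponds to Phases.CANONICALIZATION — confirm.
            unit.compile(5);
            return FormValidation.ok();
        } catch (MalformedURLException | CompilationFailedException e) {
            return FormValidation.error(e.getLocalizedMessage());
        }
    }
}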
