package jenkins.security.stapler;

import com.google.common.annotations.VisibleForTesting;
import edu.umd.cs.findbugs.annotations.CheckForNull;
import edu.umd.cs.findbugs.annotations.NonNull;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.locks.ReadWriteLock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import java.util.function.Function;
import java.util.function.Supplier;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.ServletContext;
import jenkins.model.Jenkins;
import jenkins.util.SystemProperties;
import org.apache.commons.io.IOUtils;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.kohsuke.stapler.CancelRequestHandlingException;
import org.kohsuke.stapler.DispatchValidator;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.WebApp;

@Restricted({NoExternalUse.class})
/* loaded from: input_file:jenkins/security/stapler/StaplerDispatchValidator.class */
public class StaplerDispatchValidator implements DispatchValidator {
    private static final Logger LOGGER = Logger.getLogger(StaplerDispatchValidator.class.getName());
    private static final String ATTRIBUTE_NAME = StaplerDispatchValidator.class.getName() + ".status";
    private static final String ESCAPE_HATCH = StaplerDispatchValidator.class.getName() + ".disabled";
    public static boolean DISABLED = SystemProperties.getBoolean(ESCAPE_HATCH);
    private final ValidatorCache cache = new ValidatorCache();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:jenkins/security/stapler/StaplerDispatchValidator$ValidatorCache.class */
    public static class ValidatorCache {
        private final Map<String, Validator> validators;
        private final ReadWriteLock lock;

        /* JADX INFO: Access modifiers changed from: private */
        /* loaded from: input_file:jenkins/security/stapler/StaplerDispatchValidator$ValidatorCache$Validator.class */
        public class Validator {
            private final Supplier<Collection<Validator>> parentsSupplier;
            private volatile Collection<Validator> parents;
            private final Set<String> allowed;
            private final Set<String> denied;

            private Validator(@NonNull Supplier<Collection<Validator>> supplier) {
                this.allowed = ConcurrentHashMap.newKeySet();
                this.denied = ConcurrentHashMap.newKeySet();
                this.parentsSupplier = supplier;
            }

            private Validator(@NonNull ValidatorCache validatorCache, @NonNull Supplier<Collection<Validator>> supplier, @NonNull Collection<String> collection, Collection<String> collection2) {
                this(supplier);
                this.allowed.addAll(collection);
                this.denied.addAll(collection2);
            }

            @NonNull
            private Collection<Validator> getParents() {
                if (this.parents == null) {
                    synchronized (this) {
                        if (this.parents == null) {
                            this.parents = this.parentsSupplier.get();
                        }
                    }
                }
                return this.parents;
            }

            /* JADX INFO: Access modifiers changed from: private */
            @CheckForNull
            public Boolean isViewValid(@NonNull String str) {
                if (this.allowed.contains(str)) {
                    return Boolean.TRUE;
                }
                if (this.denied.contains(str)) {
                    return Boolean.FALSE;
                }
                Iterator<Validator> it = getParents().iterator();
                while (it.hasNext()) {
                    Boolean isViewValid = it.next().isViewValid(str);
                    if (isViewValid != null) {
                        return isViewValid;
                    }
                }
                return null;
            }

            /* JADX INFO: Access modifiers changed from: private */
            public void allowView(@NonNull String str) {
                this.allowed.add(str);
            }

            /* JADX INFO: Access modifiers changed from: private */
            public void denyView(@NonNull String str) {
                this.denied.add(str);
            }
        }

        private ValidatorCache() {
            this.validators = new HashMap();
            this.lock = new ReentrantReadWriteLock();
        }

        @NonNull
        private Validator computeIfAbsent(@NonNull String str, @NonNull Function<String, Validator> function) {
            this.lock.readLock().lock();
            try {
                if (this.validators.containsKey(str)) {
                    Validator validator = this.validators.get(str);
                    this.lock.readLock().unlock();
                    return validator;
                }
                this.lock.readLock().unlock();
                this.lock.writeLock().lock();
                try {
                    if (this.validators.containsKey(str)) {
                        Validator validator2 = this.validators.get(str);
                        this.lock.writeLock().unlock();
                        return validator2;
                    }
                    Validator apply = function.apply(str);
                    this.validators.put(str, apply);
                    this.lock.writeLock().unlock();
                    return apply;
                } catch (Throwable th) {
                    this.lock.writeLock().unlock();
                    throw th;
                }
            } catch (Throwable th2) {
                this.lock.readLock().unlock();
                throw th2;
            }
        }

        /* JADX INFO: Access modifiers changed from: private */
        @NonNull
        public Validator find(@NonNull Class<?> cls) {
            return computeIfAbsent(cls.getName(), str -> {
                return create((Class<?>) cls);
            });
        }

        @NonNull
        private Validator find(@NonNull String str) {
            return computeIfAbsent(str, this::create);
        }

        @NonNull
        private Collection<Validator> findParents(@NonNull Class<?> cls) {
            ArrayList arrayList = new ArrayList();
            Class<? super Object> superclass = cls.getSuperclass();
            if (superclass != null) {
                arrayList.add(find(superclass));
            }
            for (Class<?> cls2 : cls.getInterfaces()) {
                arrayList.add(find(cls2));
            }
            return arrayList;
        }

        @NonNull
        private Validator create(@NonNull Class<?> cls) {
            HashSet hashSet = new HashSet();
            StaplerViews declaredAnnotation = cls.getDeclaredAnnotation(StaplerViews.class);
            if (declaredAnnotation != null) {
                hashSet.addAll(Arrays.asList(declaredAnnotation.value()));
            }
            HashSet hashSet2 = new HashSet();
            StaplerFragments declaredAnnotation2 = cls.getDeclaredAnnotation(StaplerFragments.class);
            if (declaredAnnotation2 != null) {
                hashSet2.addAll(Arrays.asList(declaredAnnotation2.value()));
            }
            return new Validator(() -> {
                return findParents(cls);
            }, hashSet, hashSet2);
        }

        @NonNull
        private Validator create(@NonNull String str) {
            ClassLoader classLoader = Jenkins.get().pluginManager.uberClassLoader;
            return new Validator(() -> {
                try {
                    return findParents(classLoader.loadClass(str));
                } catch (ClassNotFoundException e) {
                    StaplerDispatchValidator.LOGGER.log(Level.WARNING, e, () -> {
                        return "Could not load class " + str + " to validate views";
                    });
                    return Collections.emptySet();
                }
            });
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void load() {
            try {
                InputStream resourceAsStream = Validator.class.getResourceAsStream("default-views-whitelist.txt");
                Throwable th = null;
                try {
                    loadWhitelist(IOUtils.readLines(resourceAsStream, StandardCharsets.UTF_8));
                    if (resourceAsStream != null) {
                        if (0 != 0) {
                            try {
                                resourceAsStream.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            resourceAsStream.close();
                        }
                    }
                } finally {
                }
            } catch (IOException e) {
                StaplerDispatchValidator.LOGGER.log(Level.WARNING, "Could not load default views whitelist", (Throwable) e);
            }
            String string = SystemProperties.getString(StaplerDispatchValidator.class.getName() + ".whitelist");
            Path resolve = string != null ? Paths.get(string, new String[0]) : Jenkins.get().getRootDir().toPath().resolve("stapler-views-whitelist.txt");
            if (Files.exists(resolve, new LinkOption[0])) {
                try {
                    loadWhitelist(Files.readAllLines(resolve));
                } catch (IOException e2) {
                    StaplerDispatchValidator.LOGGER.log(Level.WARNING, e2, () -> {
                        return "Could not load user defined whitelist from " + resolve;
                    });
                }
            }
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void loadWhitelist(@NonNull List<String> list) {
            for (String str : list) {
                if (!str.matches("#.*|\\s*")) {
                    String[] split = str.split("\\s+");
                    if (split.length < 2) {
                        StaplerDispatchValidator.LOGGER.warning(() -> {
                            return "Cannot update validator with malformed line: " + str;
                        });
                    } else {
                        Validator find = find(split[0]);
                        for (int i = 1; i < split.length; i++) {
                            String str2 = split[i];
                            if (str2.startsWith("!")) {
                                find.denyView(str2.substring(1));
                            } else {
                                find.allowView(str2);
                            }
                        }
                    }
                }
            }
        }
    }

    @CheckForNull
    private static Boolean setStatus(@NonNull StaplerRequest staplerRequest, @CheckForNull Boolean bool) {
        if (bool == null) {
            return null;
        }
        LOGGER.fine(() -> {
            return "Request dispatch set status to " + bool + " for URL " + staplerRequest.getPathInfo();
        });
        staplerRequest.setAttribute(ATTRIBUTE_NAME, bool);
        return bool;
    }

    @CheckForNull
    private static Boolean computeStatusIfNull(@NonNull StaplerRequest staplerRequest, @NonNull Supplier<Boolean> supplier) {
        Object attribute = staplerRequest.getAttribute(ATTRIBUTE_NAME);
        return attribute instanceof Boolean ? (Boolean) attribute : setStatus(staplerRequest, supplier.get());
    }

    public StaplerDispatchValidator() {
        this.cache.load();
    }

    @CheckForNull
    public Boolean isDispatchAllowed(@NonNull StaplerRequest staplerRequest, @NonNull StaplerResponse staplerResponse) {
        if (DISABLED) {
            return true;
        }
        Boolean computeStatusIfNull = computeStatusIfNull(staplerRequest, () -> {
            return (staplerResponse.getContentType() == null && staplerResponse.getStatus() < 300) ? null : true;
        });
        LOGGER.finer(() -> {
            return staplerRequest.getRequestURI() + " -> " + computeStatusIfNull;
        });
        return computeStatusIfNull;
    }

    @CheckForNull
    public Boolean isDispatchAllowed(@NonNull StaplerRequest staplerRequest, @NonNull StaplerResponse staplerResponse, @NonNull String str, @CheckForNull Object obj) {
        if (DISABLED) {
            return true;
        }
        Boolean computeStatusIfNull = computeStatusIfNull(staplerRequest, () -> {
            if (str.equals("index")) {
                return true;
            }
            if (obj == null) {
                return null;
            }
            return this.cache.find(obj.getClass()).isViewValid(str);
        });
        LOGGER.finer(() -> {
            return "<" + staplerRequest.getRequestURI() + ", " + str + ", " + obj + "> -> " + computeStatusIfNull;
        });
        return computeStatusIfNull;
    }

    public void allowDispatch(@NonNull StaplerRequest staplerRequest, @NonNull StaplerResponse staplerResponse) {
        if (DISABLED) {
            return;
        }
        setStatus(staplerRequest, true);
    }

    public void requireDispatchAllowed(@NonNull StaplerRequest staplerRequest, @NonNull StaplerResponse staplerResponse) throws CancelRequestHandlingException {
        if (DISABLED) {
            return;
        }
        Boolean isDispatchAllowed = isDispatchAllowed(staplerRequest, staplerResponse);
        if (isDispatchAllowed == null || !isDispatchAllowed.booleanValue()) {
            LOGGER.fine(() -> {
                return "Cancelling dispatch for " + staplerRequest.getRequestURI();
            });
            throw new CancelRequestHandlingException();
        }
    }

    @VisibleForTesting
    static StaplerDispatchValidator getInstance(@NonNull ServletContext servletContext) {
        return (StaplerDispatchValidator) WebApp.get(servletContext).getDispatchValidator();
    }

    @VisibleForTesting
    void loadWhitelist(@NonNull InputStream inputStream) throws IOException {
        this.cache.loadWhitelist(IOUtils.readLines(inputStream));
    }
}
