package jenkins.security;

import com.google.common.annotations.VisibleForTesting;
import edu.umd.cs.findbugs.annotations.CheckForNull;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.Nullable;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import hudson.Extension;
import hudson.ExtensionList;
import hudson.Util;
import hudson.model.DirectoryBrowserSupport;
import hudson.model.UnprotectedRootAction;
import hudson.model.User;
import hudson.security.ACL;
import hudson.security.ACLContext;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Arrays;
import java.util.Base64;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import jenkins.model.Jenkins;
import jenkins.util.SystemProperties;
import org.apache.commons.lang.ArrayUtils;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.kohsuke.stapler.Stapler;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

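/**
 * Root action mounted at {@value #URL} that serves requests arriving on the Jenkins resource domain.
 *
 * <p>The first path segment after the action URL is a {@link Token}: a URL-safe Base64 string made of
 * an HMAC followed by the payload {@code timestamp:usernameLength:username:path}. A token whose MAC
 * verifies and whose timestamp is still inside the validity window is served by impersonating the
 * user named in it; a verified but expired token is redirected back to the regular Jenkins root URL.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The class implements {@link UnprotectedRootAction}, so the token MAC and timestamp are the
 *       only access control visible in this class. NOTE(review): presumably this action is reachable
 *       without the usual permission check on root actions; confirm against the interface contract.</li>
 *   <li>Nothing from the token is used before {@code KEY.checkMac} succeeds, except that the
 *       unverified payload is placed in an exception message logged at {@code FINE}.</li>
 *   <li>The impersonation context must be closed on every exit path, otherwise the impersonated
 *       identity would stay attached to the request thread.</li>
 * </ul>
 */
@Extension
@Restricted({NoExternalUse.class})
/* loaded from: input_file:WEB-INF/lib/jenkins-core-2.428-rc34314.15a_0759755fd.jar:jenkins/security/ResourceDomainRootAction.class */
public class ResourceDomainRootAction implements UnprotectedRootAction {
    /** Request attribute set when this action is hit on a host that is not the resource domain. */
    private static final String RESOURCE_DOMAIN_ROOT_ACTION_ERROR = "jenkins.security.ResourceDomainRootAction.error";

    /** URL name of this root action. */
    public static final String URL = "static-files";

    private static final Logger LOGGER = Logger.getLogger(ResourceDomainRootAction.class.getName());

    /** Key used to compute and verify the MAC that prefixes every encoded token. */
    private static HMACConfidentialKey KEY = new HMACConfidentialKey(ResourceDomainRootAction.class, "key");

    /**
     * Lifetime of a token in minutes; read from the system property
     * {@code jenkins.security.ResourceDomainRootAction.validForMinutes}, default 30.
     * Deliberately mutable so it can be changed at runtime (see the suppression justification).
     */
    @SuppressFBWarnings(value = {"MS_SHOULD_BE_FINAL"}, justification = "for script console")
    public static int VALID_FOR_MINUTES = SystemProperties.getInteger(ResourceDomainRootAction.class.getName() + ".validForMinutes", 30);

    /**
     * Serves a resource URL on behalf of the user named in a verified, unexpired token.
     */
    /* loaded from: input_file:WEB-INF/lib/jenkins-core-2.428-rc34314.15a_0759755fd.jar:jenkins/security/ResourceDomainRootAction$InternalResourceRequest.class */
    private static class InternalResourceRequest {
        private final String authenticationName;
        private final String browserUrl;

        /**
         * @param str  URL of the resource browser inside Jenkins, taken from the token path
         * @param str2 user ID taken from the token; empty for anonymous
         */
        InternalResourceRequest(@NonNull String str, @NonNull String str2) {
            this.browserUrl = str;
            this.authenticationName = str2;
        }

        /**
         * Re-dispatches the request inside Jenkins as the token's user.
         *
         * <p>Responds 403 when the user cannot be impersonated or a permission check fails, and 404
         * for any other failure.
         *
         * @throws IOException if sending the error response fails
         */
        public void doDynamic(StaplerRequest staplerRequest, StaplerResponse staplerResponse) throws IOException {
            String restOfPath = staplerRequest.getRestOfPath();
            String str = this.browserUrl;
            LOGGER.fine(() -> "Performing a request as authentication: " + this.authenticationName + " and restOfUrl: " + str + " and restOfPath: " + restOfPath);

            // Start from anonymous; only switch identity when the token names an existing user.
            Authentication authentication = Jenkins.ANONYMOUS2;
            if (Util.fixEmpty(this.authenticationName) != null) {
                User byId = User.getById(this.authenticationName, false);
                if (byId != null) {
                    try {
                        authentication = byId.impersonate2();
                        LOGGER.fine(() -> "Successfully impersonated " + this.authenticationName);
                    } catch (UsernameNotFoundException e) {
                        LOGGER.log(Level.FINE, "Failed to impersonate " + this.authenticationName, e);
                        staplerResponse.sendError(403, "No such user: " + this.authenticationName);
                        return;
                    }
                }
            }

            // try-with-resources guarantees the impersonation context is closed even when invoke()
            // throws; closing only on the success path would leave the identity on the thread.
            try (ACLContext ignored = ACL.as2(authentication)) {
                try {
                    // Each path segment is re-encoded before being appended to the browser URL.
                    String encodedRestOfPath = Arrays.stream(restOfPath.split("[/]")).map(Util::rawEncode).collect(Collectors.joining("/"));
                    Stapler.getCurrent().invoke(staplerRequest, staplerResponse, Jenkins.get(), str + encodedRestOfPath);
                } catch (Exception e) {
                    // Surface a wrapped AccessDeniedException so it is answered with 403 below.
                    for (Throwable cause = e.getCause(); cause != null; cause = cause.getCause()) {
                        if (cause instanceof AccessDeniedException) {
                            throw (AccessDeniedException) cause;
                        }
                    }
                    throw e;
                }
            } catch (AccessDeniedException e) {
                LOGGER.log(Level.FINE, "Failed permission check for resource URL access", e);
                staplerResponse.sendError(403, "Failed permission check: " + e.getMessage());
            } catch (Exception e) {
                LOGGER.log(Level.FINE, "Something else failed for resource URL access", e);
                staplerResponse.sendError(404);
            }
        }

        @Override
        public String toString() {
            return "[" + super.toString() + ", authentication=" + this.authenticationName + "; key=" + this.browserUrl + "]";
        }
    }

    /**
     * Sends the browser back to the regular Jenkins URL for the token's path. The target is built
     * from the Jenkins root URL and the MAC-verified token path, not from a caller-chosen host.
     */
    /* loaded from: input_file:WEB-INF/lib/jenkins-core-2.428-rc34314.15a_0759755fd.jar:jenkins/security/ResourceDomainRootAction$Redirection.class */
    private static class Redirection {
        private final String url;

        private Redirection(String str) {
            this.url = str;
        }

        /**
         * Issues a 302 redirect to root URL + token path + rest of the request path.
         *
         * @throws IOException if sending the redirect fails
         */
        public void doDynamic(StaplerRequest staplerRequest, StaplerResponse staplerResponse) throws IOException {
            staplerResponse.sendRedirect(302, Jenkins.get().getRootUrl() + this.url + staplerRequest.getRestOfPath());
        }
    }

    /**
     * Authenticated reference to a resource URL: path, user ID (empty for anonymous) and creation time.
     */
    /* loaded from: input_file:WEB-INF/lib/jenkins-core-2.428-rc34314.15a_0759755fd.jar:jenkins/security/ResourceDomainRootAction$Token.class */
    public static class Token {
        private final String path;
        private final String username;
        private final Instant timestamp;

        /**
         * @param str     URL of the resource browser
         * @param str2    user ID; {@code null} is stored as the empty string
         * @param instant creation time of the token
         */
        @VisibleForTesting
        Token(@NonNull String str, @Nullable String str2, @NonNull Instant instant) {
            this.path = str;
            this.username = Util.fixNull(str2);
            this.timestamp = instant;
        }

        /**
         * Serializes this token as URL-safe Base64 of {@code MAC || payload}, where the payload is
         * {@code timestampMillis:usernameLength:username:path}.
         *
         * <p>The layout must stay in step with {@link #decode(String)}: the length prefix is what
         * lets the decoder separate user name and path even when the user name contains a colon.
         */
        private String encode() {
            String payload = this.timestamp.toEpochMilli() + ":" + this.username.length() + ":" + this.username + ":" + this.path;
            byte[] bytes = payload.getBytes(StandardCharsets.UTF_8);
            return Base64.getUrlEncoder().encodeToString(ArrayUtils.addAll(KEY.mac(bytes), bytes));
        }

        /**
         * Parses and verifies an encoded token.
         *
         * @param str URL-safe Base64 text taken from the request path (untrusted)
         * @return the token, or {@code null} when the input is malformed or its MAC does not verify
         */
        private static Token decode(String str) {
            try {
                byte[] decode = Base64.getUrlDecoder().decode(str);
                // First 32 bytes are the MAC, the remainder is the payload. Input shorter than that
                // makes copyOfRange throw, which the catch below turns into a null result.
                // NOTE(review): 32 presumably matches the output size of KEY.mac; confirm.
                byte[] copyOf = Arrays.copyOf(decode, 32);
                byte[] copyOfRange = Arrays.copyOfRange(decode, 32, decode.length);
                String str2 = new String(copyOfRange, StandardCharsets.UTF_8);
                if (!KEY.checkMac(copyOfRange, copyOf)) {
                    // NOTE(review): str2 is unverified request data and ends up in a FINE log
                    // record through this message; consider leaving it out.
                    throw new IllegalArgumentException("Failed mac check for " + str2);
                }
                // Payload is only parsed after the MAC has been verified.
                String[] split = str2.split("[:]", 3);
                String str3 = split[0];
                int parseInt = Integer.parseInt(split[1]);
                String str4 = split[2];
                // str4 is "username:path"; skip the separator after the username.
                return new Token(str4.substring(parseInt + 1), str4.substring(0, parseInt), Instant.ofEpochMilli(Long.parseLong(str3)));
            } catch (RuntimeException e) {
                LOGGER.log(Level.FINE, "Failure decoding", e);
                return null;
            }
        }
    }

    /** @return always {@code null} */
    @Override // hudson.model.Action
    @CheckForNull
    public String getIconFileName() {
        return null;
    }

    /** @return always {@code null} */
    @Override // hudson.model.Action, hudson.model.ModelObject
    @CheckForNull
    public String getDisplayName() {
        return null;
    }

    /** @return {@link #URL} */
    @Override // hudson.model.Action
    @CheckForNull
    public String getUrlName() {
        return URL;
    }

    /** @return the registered singleton instance of this action */
    public static ResourceDomainRootAction get() {
        return ExtensionList.lookupSingleton(ResourceDomainRootAction.class);
    }

    /**
     * Answers requests to the bare action URL with 404. When the request did not arrive on the
     * resource domain, it is additionally marked with the error attribute.
     *
     * @throws IOException if sending the error response fails
     */
    public void doIndex(StaplerRequest staplerRequest, StaplerResponse staplerResponse) throws IOException {
        if (ResourceDomainConfiguration.isResourceRequest(staplerRequest)) {
            staplerResponse.sendError(404, ResourceDomainFilter.ERROR_RESPONSE);
        } else {
            staplerRequest.setAttribute(RESOURCE_DOMAIN_ROOT_ACTION_ERROR, true);
            staplerResponse.sendError(404, "Cannot handle requests to this URL unless on Jenkins resource URL.");
        }
    }

    /**
     * Resolves the token path segment to the object that handles the rest of the request.
     *
     * @param str encoded token taken from the URL (untrusted)
     * @return an {@code InternalResourceRequest} for a valid token, a {@code Redirection} for a
     *         verified token outside its validity window, or {@code null} after a 404 was sent
     *         (request not on the resource domain, or token malformed or failing the MAC check)
     */
    public Object getDynamic(String str, StaplerRequest staplerRequest, StaplerResponse staplerResponse) throws Exception {
        if (!ResourceDomainConfiguration.isResourceRequest(staplerRequest)) {
            staplerRequest.setAttribute(RESOURCE_DOMAIN_ROOT_ACTION_ERROR, true);
            staplerResponse.sendError(404, "Cannot handle requests to this URL unless on Jenkins resource URL.");
            return null;
        }
        Token decode = Token.decode(str);
        if (decode == null) {
            staplerResponse.sendError(404, ResourceDomainFilter.ERROR_RESPONSE);
            return null;
        }
        String str2 = decode.username;
        String str3 = decode.path;
        // Valid only while creation time < now < creation time + VALID_FOR_MINUTES; a timestamp in
        // the future is treated like an expired one.
        boolean notExpired = decode.timestamp.plus(VALID_FOR_MINUTES, ChronoUnit.MINUTES).isAfter(Instant.now());
        if (notExpired && decode.timestamp.isBefore(Instant.now())) {
            return new InternalResourceRequest(str3, str2);
        }
        return new Redirection(str3);
    }

    /**
     * Builds the resource-domain URL for a token and a path below the token's resource browser.
     *
     * @param token token identifying the resource browser and user
     * @param str   path below the resource browser; a leading slash is added when missing
     * @return resource root URL + action URL + "/" + encoded token + path with each segment encoded
     */
    public String getRedirectUrl(@NonNull Token token, @NonNull String str) {
        String resourceRootUrl = getResourceRootUrl();
        if (!str.startsWith("/")) {
            str = "/" + str;
        }
        String encodedPath = Arrays.stream(str.split("[/]")).map(Util::rawEncode).collect(Collectors.joining("/"));
        return resourceRootUrl + getUrlName() + "/" + token.encode() + encodedPath;
    }

    private static String getResourceRootUrl() {
        return ResourceDomainConfiguration.get().getUrl();
    }

    /**
     * Creates a token for the current request and the currently authenticated user.
     *
     * <p>The resource browser URL is the first ancestor's rest-of-URL with the original rest-of-path
     * removed from its end. The user name is empty when the current authentication is anonymous.
     *
     * @param directoryBrowserSupport not read by this method
     * @return the new token, or {@code null} if constructing it threw a runtime exception
     */
    @CheckForNull
    public Token getToken(@NonNull DirectoryBrowserSupport directoryBrowserSupport, @NonNull StaplerRequest staplerRequest) {
        String originalRestOfPath = staplerRequest.getOriginalRestOfPath();
        String restOfUrl = staplerRequest.getAncestors().get(0).getRestOfUrl();
        String substring = restOfUrl.substring(0, restOfUrl.length() - originalRestOfPath.length());
        LOGGER.fine(() -> "Determined DBS URL: " + substring + " from restOfUrl: " + restOfUrl + " and restOfPath: " + originalRestOfPath);
        Authentication authentication2 = Jenkins.getAuthentication2();
        String name = authentication2.equals(Jenkins.ANONYMOUS2) ? "" : authentication2.getName();
        try {
            return new Token(substring, name, Instant.now());
        } catch (RuntimeException e) {
            LOGGER.log(Level.WARNING, "Failed to encode token for URL: " + substring + " user: " + name, e);
            return null;
        }
    }
}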
