package org.jenkinsci.plugins;

import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.Nullable;
import hudson.model.AbstractItem;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.plugins.git.GitSCM;
import hudson.plugins.git.UserRemoteConfig;
import hudson.scm.SCM;
import hudson.security.ACL;
import hudson.security.Permission;
import java.net.URI;
import java.util.LinkedList;
import java.util.List;
import java.util.logging.Logger;
import jenkins.branch.MultiBranchProject;
import jenkins.model.Jenkins;
import jenkins.scm.api.SCMSource;
import org.acegisecurity.Authentication;
import org.jenkinsci.plugins.github_branch_source.GitHubSCMSource;
import org.jenkinsci.plugins.workflow.job.WorkflowJob;
import org.jenkinsci.plugins.workflow.multibranch.BranchJobProperty;
import org.kohsuke.stapler.Stapler;
import org.kohsuke.stapler.StaplerRequest;

/* loaded from: input_file:org/jenkinsci/plugins/GithubRequireOrganizationMembershipACL.class */
public class GithubRequireOrganizationMembershipACL extends ACL {
    private static final Logger log = Logger.getLogger(GithubRequireOrganizationMembershipACL.class.getName());
    private final List<String> organizationNameList;
    private final List<String> adminUserNameList;
    private final String agentUserName;
    private final boolean authenticatedUserReadPermission;
    private final boolean useRepositoryPermissions;
    private final boolean authenticatedUserCreateJobPermission;
    private final boolean allowGithubWebHookPermission;
    private final boolean allowCcTrayPermission;
    private final boolean allowAnonymousReadPermission;
    private final boolean allowAnonymousJobStatusPermission;
    private final AbstractItem item;

    public boolean hasPermission(@NonNull Authentication authentication, @NonNull Permission permission) {
        String repositoryName;
        if (authentication instanceof GithubAuthenticationToken) {
            if (!authentication.isAuthenticated()) {
                return false;
            }
            GithubAuthenticationToken githubAuthenticationToken = (GithubAuthenticationToken) authentication;
            String name = authentication.getName();
            if (this.adminUserNameList.contains(name)) {
                log.finest("Granting Admin rights to user " + name);
                return true;
            }
            if (this.authenticatedUserCreateJobPermission && permission.equals(Item.CREATE)) {
                return true;
            }
            if (name.equalsIgnoreCase(this.agentUserName) && checkAgentUserPermission(permission)) {
                return true;
            }
            if (checkReadPermission(permission)) {
                if (this.authenticatedUserReadPermission) {
                    log.finest("Granting Authenticated User read permission to user " + name);
                    return true;
                }
                if (isInWhitelistedOrgs(githubAuthenticationToken)) {
                    log.finest("Granting READ rights to user " + name + " as a member of whitelisted organization");
                    return true;
                }
            } else if (testBuildPermission(permission) && isInWhitelistedOrgs(githubAuthenticationToken)) {
                log.finest("Granting BUILD rights to user " + name + " as a member of whitelisted organization");
                return true;
            }
            if (!this.useRepositoryPermissions || this.item == null || (repositoryName = getRepositoryName()) == null) {
                return false;
            }
            return githubAuthenticationToken.hasRepositoryPermission(repositoryName, permission);
        }
        String name2 = authentication.getName();
        if (name2 == null) {
            throw new IllegalArgumentException("Authentication must have a valid name");
        }
        if (name2.equals(SYSTEM.getPrincipal())) {
            log.finest("Granting Full rights to SYSTEM user.");
            return true;
        }
        if (name2.equalsIgnoreCase(this.agentUserName) && checkAgentUserPermission(permission)) {
            return true;
        }
        if (!name2.equals("anonymous")) {
            if (!this.adminUserNameList.contains(name2)) {
                return false;
            }
            log.finest("Granting Admin rights to user " + authentication.getName());
            return true;
        }
        if (checkJobStatusPermission(permission) && this.allowAnonymousJobStatusPermission) {
            return true;
        }
        if (!checkReadPermission(permission)) {
            return false;
        }
        if (this.allowAnonymousReadPermission) {
            return true;
        }
        if (this.allowGithubWebHookPermission && (currentUriPathEquals("github-webhook") || currentUriPathEquals("github-webhook/"))) {
            log.finest("Granting READ access for github-webhook url: " + requestURI());
            return true;
        }
        if (this.allowCcTrayPermission && currentUriPathEndsWithSegment("cc.xml")) {
            log.finest("Granting READ access for cctray url: " + requestURI());
            return true;
        }
        log.finer("Denying anonymous READ permission to url: " + requestURI());
        return false;
    }

    @NonNull
    private boolean isInWhitelistedOrgs(@NonNull GithubAuthenticationToken githubAuthenticationToken) {
        return githubAuthenticationToken.isMemberOfAnyOrganizationInList(this.organizationNameList);
    }

    private boolean currentUriPathEquals(String str) {
        String rootUrl = Jenkins.get().getRootUrl();
        if (rootUrl == null) {
            throw new IllegalStateException("Could not determine Jenkins URL");
        }
        String requestURI = requestURI();
        if (requestURI == null) {
            return false;
        }
        return URI.create(requestURI).getPath().equals(URI.create(rootUrl).getPath() + str);
    }

    private boolean currentUriPathEndsWithSegment(String str) {
        String requestURI = requestURI();
        if (requestURI != null) {
            return requestURI.substring(requestURI.lastIndexOf(47) + 1).equals(str);
        }
        return false;
    }

    @Nullable
    private String requestURI() {
        StaplerRequest currentRequest = Stapler.getCurrentRequest();
        if (currentRequest == null) {
            return null;
        }
        return currentRequest.getOriginalRequestURI();
    }

    private boolean testBuildPermission(@NonNull Permission permission) {
        String id = permission.getId();
        return id.equals("hudson.model.Hudson.Build") || id.equals("hudson.model.Item.Build");
    }

    private boolean checkReadPermission(@NonNull Permission permission) {
        String id = permission.getId();
        return id.equals("hudson.model.Hudson.Read") || id.equals("hudson.model.Item.Workspace") || id.equals("hudson.model.Item.Discover") || id.equals("hudson.model.Item.Read");
    }

    private boolean checkAgentUserPermission(@NonNull Permission permission) {
        String id = permission.getId();
        return id.equals("hudson.model.Hudson.Read") || id.equals("hudson.model.Computer.Create") || id.equals("hudson.model.Computer.Connect") || id.equals("hudson.model.Computer.Configure");
    }

    private boolean checkJobStatusPermission(@NonNull Permission permission) {
        return permission.getId().equals("hudson.model.Item.ViewStatus");
    }

    @Nullable
    private String getRepositoryName() {
        GitHubRepositoryName create;
        String str = null;
        String str2 = null;
        SCM scm = null;
        if (this.item instanceof WorkflowJob) {
            scm = this.item.getProperty(BranchJobProperty.class).getBranch().getScm();
        } else if (this.item instanceof MultiBranchProject) {
            scm = (SCMSource) this.item.getSCMSources().get(0);
        } else if (this.item instanceof AbstractProject) {
            scm = this.item.getScm();
        }
        if (scm instanceof GitHubSCMSource) {
            str2 = ((GitHubSCMSource) scm).getRemote();
        } else if (scm instanceof GitSCM) {
            List userRemoteConfigs = ((GitSCM) scm).getUserRemoteConfigs();
            if (!userRemoteConfigs.isEmpty()) {
                str2 = ((UserRemoteConfig) userRemoteConfigs.get(0)).getUrl();
            }
        }
        if (str2 != null && (create = GitHubRepositoryName.create(str2)) != null) {
            str = create.userName + "/" + create.repositoryName;
        }
        return str;
    }

    public GithubRequireOrganizationMembershipACL(String str, String str2, String str3, boolean z, boolean z2, boolean z3, boolean z4, boolean z5, boolean z6, boolean z7) {
        this.authenticatedUserReadPermission = z;
        this.useRepositoryPermissions = z2;
        this.authenticatedUserCreateJobPermission = z3;
        this.allowGithubWebHookPermission = z4;
        this.allowCcTrayPermission = z5;
        this.allowAnonymousReadPermission = z6;
        this.allowAnonymousJobStatusPermission = z7;
        this.adminUserNameList = new LinkedList();
        this.agentUserName = str2;
        for (String str4 : str.split(",")) {
            this.adminUserNameList.add(str4.trim());
        }
        this.organizationNameList = new LinkedList();
        for (String str5 : str3.split(",")) {
            this.organizationNameList.add(str5.trim());
        }
        this.item = null;
    }

    public GithubRequireOrganizationMembershipACL cloneForProject(AbstractItem abstractItem) {
        return new GithubRequireOrganizationMembershipACL(this.adminUserNameList, this.agentUserName, this.organizationNameList, this.authenticatedUserReadPermission, this.useRepositoryPermissions, this.authenticatedUserCreateJobPermission, this.allowGithubWebHookPermission, this.allowCcTrayPermission, this.allowAnonymousReadPermission, this.allowAnonymousJobStatusPermission, abstractItem);
    }

    public GithubRequireOrganizationMembershipACL(List<String> list, String str, List<String> list2, boolean z, boolean z2, boolean z3, boolean z4, boolean z5, boolean z6, boolean z7, AbstractItem abstractItem) {
        this.adminUserNameList = list;
        this.agentUserName = str;
        this.organizationNameList = list2;
        this.authenticatedUserReadPermission = z;
        this.useRepositoryPermissions = z2;
        this.authenticatedUserCreateJobPermission = z3;
        this.allowGithubWebHookPermission = z4;
        this.allowCcTrayPermission = z5;
        this.allowAnonymousReadPermission = z6;
        this.allowAnonymousJobStatusPermission = z7;
        this.item = abstractItem;
    }

    public List<String> getOrganizationNameList() {
        return this.organizationNameList;
    }

    public List<String> getAdminUserNameList() {
        return this.adminUserNameList;
    }

    public String getAgentUserName() {
        return this.agentUserName;
    }

    public boolean isUseRepositoryPermissions() {
        return this.useRepositoryPermissions;
    }

    public boolean isAuthenticatedUserCreateJobPermission() {
        return this.authenticatedUserCreateJobPermission;
    }

    public boolean isAuthenticatedUserReadPermission() {
        return this.authenticatedUserReadPermission;
    }

    public boolean isAllowGithubWebHookPermission() {
        return this.allowGithubWebHookPermission;
    }

    public boolean isAllowCcTrayPermission() {
        return this.allowCcTrayPermission;
    }

    public boolean isAllowAnonymousReadPermission() {
        return this.allowAnonymousReadPermission;
    }

    public boolean isAllowAnonymousJobStatusPermission() {
        return this.allowAnonymousJobStatusPermission;
    }
}
