package org.jenkinsci.plugins.rolestrategy.permissions;

import com.michelin.cio.hudson.plugins.rolestrategy.Role;
import com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy;
import com.synopsys.arc.jenkins.plugins.rolestrategy.RoleType;
import hudson.PluginManager;
import hudson.security.Permission;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.SortedMap;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import jenkins.model.Jenkins;
import org.apache.commons.lang.StringUtils;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;

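/**
 * Static helpers for spotting and rejecting the permissions listed in
 * {@link #DANGEROUS_PERMISSIONS} when they are granted through roles.
 *
 * <p>Not instantiable; every member is static.
 */
@Restricted({NoExternalUse.class})
public class PermissionHelper {

    /**
     * Permissions this class treats as dangerous. The set is unmodifiable.
     *
     * <p>NOTE(review): in Jenkins these three are generally regarded as giving their holder
     * the same effective power as {@code Jenkins.ADMINISTER}; confirm against the Jenkins
     * security documentation for the targeted core version.
     */
    @Restricted({NoExternalUse.class})
    public static final Set<Permission> DANGEROUS_PERMISSIONS = Collections.unmodifiableSet(new HashSet<Permission>(Arrays.asList(Jenkins.RUN_SCRIPTS, PluginManager.CONFIGURE_UPDATECENTER, PluginManager.UPLOAD_PLUGINS)));

    private PermissionHelper() {
    }

    /**
     * Resolves permission ids to {@link Permission} objects, refusing dangerous ones.
     *
     * @param collection permission ids to resolve; {@code null} is treated as empty
     * @return the resolved permissions; an immutable empty set when {@code collection} is
     *     {@code null}, otherwise a new mutable set
     * @throws SecurityException if an id resolves to a permission for which
     *     {@link #isDangerous(Permission)} returns {@code true}
     */
    @Nonnull
    public static Set<Permission> fromStrings(@CheckForNull Collection<String> collection) throws SecurityException {
        if (collection == null) {
            return Collections.emptySet();
        }
        Set<Permission> permissions = new HashSet<>(collection.size());
        for (String str : collection) {
            Permission fromId = Permission.fromId(str);
            if (fromId == null) {
                // NOTE(review): an id that cannot be resolved is dropped without any signal, so a
                // mistyped or stale id silently yields a narrower permission set than was asked for.
                continue;
            }
            if (isDangerous(fromId)) {
                // The rejected id is echoed verbatim; code that logs or renders this message
                // should treat it as untrusted text (the origin of the ids is not visible here).
                throw new SecurityException("Rejected dangerous permission: " + str);
            }
            permissions.add(fromId);
        }
        return permissions;
    }

    /**
     * Tells whether a permission must be rejected as dangerous.
     *
     * <p>When {@link DangerousPermissionHandlingMode#getCurrent()} is
     * {@link DangerousPermissionHandlingMode#ENABLED} this returns {@code false} for every
     * permission, which means {@link #fromStrings(Collection)} then accepts the entries of
     * {@link #DANGEROUS_PERMISSIONS} as well.
     *
     * @param permission permission to check
     * @return {@code true} if the handling mode is not {@code ENABLED} and the permission is
     *     in {@link #DANGEROUS_PERMISSIONS}
     */
    public static boolean isDangerous(@Nonnull Permission permission) {
        if (DangerousPermissionHandlingMode.getCurrent() == DangerousPermissionHandlingMode.ENABLED) {
            return false;
        }
        return DANGEROUS_PERMISSIONS.contains(permission);
    }

    /**
     * Tells whether a role grants a dangerous permission without also granting
     * {@code Jenkins.ADMINISTER}.
     *
     * <p>Unlike {@link #isDangerous(Permission)}, this check does not consult
     * {@link DangerousPermissionHandlingMode}; it reports such roles in every mode.
     *
     * @param role role to inspect
     * @return {@code true} if the role lacks {@code Jenkins.ADMINISTER} and has at least one
     *     of {@link #DANGEROUS_PERMISSIONS}
     */
    public static boolean hasPotentiallyDangerousPermissions(@Nonnull Role role) {
        return !role.hasPermission(Jenkins.ADMINISTER).booleanValue() && role.hasAnyPermission(DANGEROUS_PERMISSIONS).booleanValue();
    }

    /**
     * Builds a report of the global roles of a strategy that carry dangerous permissions.
     *
     * <p>Only the roles returned for {@link RoleType#Global} are examined.
     *
     * @param roleBasedAuthorizationStrategy strategy whose global roles are inspected
     * @return the report text, or {@code null} if the strategy returns no global role map or
     *     none of its roles is flagged
     */
    @CheckForNull
    public static String reportDangerousPermissions(@Nonnull RoleBasedAuthorizationStrategy roleBasedAuthorizationStrategy) {
        SortedMap<Role, Set<String>> grantedRoles = roleBasedAuthorizationStrategy.getGrantedRoles(RoleType.Global);
        if (grantedRoles != null) {
            return reportDangerousPermissions(grantedRoles.keySet());
        }
        return null;
    }

    /**
     * Builds a report naming every role flagged by
     * {@link #hasPotentiallyDangerousPermissions(Role)}.
     *
     * @param iterable roles to inspect
     * @return the report text listing the flagged role names and the dangerous permissions,
     *     or {@code null} if no role is flagged
     */
    @CheckForNull
    public static String reportDangerousPermissions(@Nonnull Iterable<Role> iterable) {
        Collection<String> flaggedRoleNames = new ArrayList<>();
        for (Role role : iterable) {
            if (hasPotentiallyDangerousPermissions(role)) {
                flaggedRoleNames.add(role.getName());
            }
        }
        if (flaggedRoleNames.isEmpty()) {
            return null;
        }
        return "Dangerous roles found: [" + StringUtils.join(flaggedRoleNames, ",") + "] do not declare Jenkins.ADMINISTER and contain one of the following permissions: " + StringUtils.join(DANGEROUS_PERMISSIONS, ",");
    }

    /**
     * Tells whether any global role of a strategy carries dangerous permissions.
     *
     * <p>Only the roles returned for {@link RoleType#Global} are examined.
     *
     * @param roleBasedAuthorizationStrategy strategy whose global roles are inspected
     * @return {@code true} if at least one global role is flagged; {@code false} if none is
     *     or if the strategy returns no global role map
     */
    // @CheckForNull dropped: it has no meaning on a primitive boolean return.
    public static boolean hasDangerousPermissions(@Nonnull RoleBasedAuthorizationStrategy roleBasedAuthorizationStrategy) {
        SortedMap<Role, Set<String>> grantedRoles = roleBasedAuthorizationStrategy.getGrantedRoles(RoleType.Global);
        if (grantedRoles == null) {
            return false;
        }
        return hasDangerousPermissions(grantedRoles.keySet());
    }

    /**
     * Tells whether any of the given roles is flagged by
     * {@link #hasPotentiallyDangerousPermissions(Role)}.
     *
     * @param iterable roles to inspect
     * @return {@code true} as soon as one flagged role is found, otherwise {@code false}
     */
    // @CheckForNull dropped: it has no meaning on a primitive boolean return.
    public static boolean hasDangerousPermissions(@Nonnull Iterable<Role> iterable) {
        for (Role role : iterable) {
            if (hasPotentiallyDangerousPermissions(role)) {
                return true;
            }
        }
        return false;
    }
}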
