package com.cloudbees.jenkins.support.configfiles;

import com.cloudbees.jenkins.support.filter.PasswordRedactor;
import com.cloudbees.plugins.credentials.SecretBytes;
import hudson.util.Secret;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang.StringUtils;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.XMLFilterImpl;
import org.xml.sax.helpers.XMLReaderFactory;

/* loaded from: input_file:com/cloudbees/jenkins/support/configfiles/SecretHandler.class */
class SecretHandler {
    protected static final String SECRET_MARKER = "#secret#";
    protected static final String XXE_MARKER = "#XXE#";
    public static final String OUTPUT_ENCODING = "UTF-8";
    public static final Pattern SECRET_PATTERN = Pattern.compile(">\\{(.*)\\}<|>(.*)\\=<");
    private static boolean ENABLE_FALLBACK;

    SecretHandler() {
    }

    public static String findSecrets(File file) throws SAXException, IOException, TransformerException {
        XMLFilterImpl xMLFilterImpl = new XMLFilterImpl(XMLReaderFactory.createXMLReader()) { // from class: com.cloudbees.jenkins.support.configfiles.SecretHandler.1
            private String tagName = "";
            private String previousStringTagValue;

            @Override // org.xml.sax.helpers.XMLFilterImpl, org.xml.sax.ContentHandler
            public void startElement(String str, String str2, String str3, Attributes attributes) throws SAXException {
                this.tagName = str3;
                super.startElement(str, str2, str3, attributes);
            }

            @Override // org.xml.sax.helpers.XMLFilterImpl, org.xml.sax.ContentHandler
            public void endElement(String str, String str2, String str3) throws SAXException {
                this.tagName = "";
                super.endElement(str, str2, str3);
            }

            @Override // org.xml.sax.helpers.XMLFilterImpl, org.xml.sax.ContentHandler
            public void characters(char[] cArr, int i, int i2) throws SAXException {
                if (!"".equals(this.tagName)) {
                    String trim = new String(cArr, i, i2).trim();
                    if (!"".equals(trim) && !"{}".equals(trim)) {
                        if (Secret.decrypt(trim) != null || SecretBytes.isSecretBytes(trim)) {
                            cArr = SecretHandler.SECRET_MARKER.toCharArray();
                            i = 0;
                            i2 = cArr.length;
                        } else if (SecretHandler.isJvmArgsWithSecrets(this.tagName, trim)) {
                            cArr = PasswordRedactor.get().redact(trim).toCharArray();
                            i = 0;
                            i2 = cArr.length;
                        } else if ("string".equals(this.tagName)) {
                            if (this.previousStringTagValue != null) {
                                if (PasswordRedactor.get().match(this.previousStringTagValue)) {
                                    cArr = PasswordRedactor.REDACTED.toCharArray();
                                    i = 0;
                                    i2 = cArr.length;
                                }
                                this.previousStringTagValue = null;
                            } else {
                                this.previousStringTagValue = trim;
                            }
                        }
                    }
                }
                super.characters(cArr, i, i2);
            }
        };
        String readFileToString = FileUtils.readFileToString(file);
        Source createSafeSource = createSafeSource(xMLFilterImpl, new InputSource(new StringReader(readFileToString)));
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        StreamResult streamResult = new StreamResult(byteArrayOutputStream);
        TransformerFactory newInstance = TransformerFactory.newInstance();
        newInstance.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);
        Transformer newTransformer = newInstance.newTransformer();
        newTransformer.setOutputProperty("omit-xml-declaration", "yes");
        newTransformer.setOutputProperty("encoding", OUTPUT_ENCODING);
        try {
            newTransformer.transform(createSafeSource, streamResult);
            return byteArrayOutputStream.toString(OUTPUT_ENCODING);
        } catch (TransformerException e) {
            if (ENABLE_FALLBACK) {
                return findSecretFallback(readFileToString);
            }
            throw e;
        }
    }

    private static String findSecretFallback(String str) {
        Matcher matcher = SECRET_PATTERN.matcher(str);
        while (matcher.find()) {
            String group = matcher.group();
            if (group.length() > 1) {
                group = group.substring(1, group.length() - 1);
            }
            if (Secret.decrypt(group) != null || SecretBytes.isSecretBytes(group)) {
                str = StringUtils.replace(str, group, SECRET_MARKER);
            }
        }
        return str;
    }

    private static Source createSafeSource(XMLReader xMLReader, InputSource inputSource) {
        try {
            xMLReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        } catch (SAXException e) {
        }
        try {
            xMLReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        } catch (SAXException e2) {
        }
        xMLReader.setEntityResolver((str, str2) -> {
            return new InputSource(new ByteArrayInputStream(XXE_MARKER.getBytes(StandardCharsets.US_ASCII)));
        });
        return new SAXSource(xMLReader, inputSource);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static boolean isJvmArgsWithSecrets(String str, String str2) {
        return ("jvmOptions".equals(str) || "vmargs".equals(str) || "cmd".equals(str)) && PasswordRedactor.get().match(str2);
    }

    static {
        ENABLE_FALLBACK = !StringUtils.equalsIgnoreCase(System.getProperty("support-core-plugin.SecretHandler.ENABLE_FALLBACK", "TRUE"), "FALSE");
    }
}
