package jenkins.security.s2m;

import hudson.Extension;
import hudson.remoting.ChannelBuilder;
import java.util.Collection;
import java.util.Iterator;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.Nonnull;
import jenkins.security.ChannelConfigurator;
import jenkins.security.Roles;
import jenkins.util.SystemProperties;
import org.jenkinsci.remoting.Role;
import org.jenkinsci.remoting.RoleChecker;
import org.jenkinsci.remoting.RoleSensitive;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.DoNotUse;
import org.kohsuke.accmod.restrictions.NoExternalUse;

/**
 * {@link RoleChecker} installed on remoting channels to decide whether a
 * {@link RoleSensitive} object received over the channel may be executed.
 *
 * <p>An object whose declared roles include {@link Roles#MASTER} is accepted. Anything else
 * must be approved by at least one registered {@link CallableWhitelist}; otherwise
 * {@link #check} throws a {@link SecurityException} whose message points to
 * https://jenkins.io/redirect/security-144.
 *
 * <p>Security note: the {@link #BYPASS} switch turns this protection off. While it is
 * {@code true}, {@link DefaultWhitelist} approves every object and
 * {@link ChannelConfiguratorImpl} no longer disables remote class loading on new channels.
 * Treat a {@code true} value as a finding during configuration review.
 *
 * <p>Decompiled from {@code WEB-INF/lib/jenkins-core-2.222.1.jar}.
 */
@Restricted({NoExternalUse.class})
public class CallableDirectionChecker extends RoleChecker {
    /** Name of the boolean system property that seeds {@link #BYPASS}: this class name plus {@code ".allow"}. */
    private static final String BYPASS_PROP = CallableDirectionChecker.class.getName() + ".allow";

    /**
     * Escape hatch that disables the direction check.
     *
     * <p>Initialised once from {@link #BYPASS_PROP}. The field is public and non-final, so any
     * code able to write it changes the behaviour at runtime: {@link DefaultWhitelist} reads it
     * on every call, while {@link ChannelConfiguratorImpl} reads it only when a channel is being
     * built.
     */
    public static boolean BYPASS = SystemProperties.getBoolean(BYPASS_PROP);

    private static final Logger LOGGER = Logger.getLogger(CallableDirectionChecker.class.getName());

    /** Opaque context object handed in when the channel was built; forwarded unchanged to every whitelist. */
    private final Object context;

    /**
     * Hooks the checker into every channel under construction.
     *
     * <p>Unless {@link CallableDirectionChecker#BYPASS} is set, remote class loading is switched
     * off on the builder. The role checker itself is installed in both cases.
     */
    @Extension
    @Restricted({DoNotUse.class})
    public static class ChannelConfiguratorImpl extends ChannelConfigurator {
        @Override
        public void onChannelBuilding(ChannelBuilder channelBuilder, Object obj) {
            final boolean enforcing = !CallableDirectionChecker.BYPASS;
            if (enforcing) {
                // Refuse class loading requests coming from the other side of the channel.
                channelBuilder.withRemoteClassLoadingAllowed(false);
            }
            // Installed even in bypass mode; the bypass then takes effect through DefaultWhitelist.
            channelBuilder.withRoleChecker(new CallableDirectionChecker(obj));
        }
    }

    /**
     * Whitelist whose verdict is simply the current value of
     * {@link CallableDirectionChecker#BYPASS}; its arguments are not inspected.
     */
    @Extension(ordinal = AdminFilePathFilter.ORDINAL)
    public static class DefaultWhitelist extends CallableWhitelist {
        @Override
        public boolean isWhitelisted(RoleSensitive roleSensitive, Collection<Role> collection, Object obj) {
            // Approves everything when the bypass is on, nothing otherwise.
            return CallableDirectionChecker.BYPASS;
        }
    }

    /**
     * Instances are created only by {@link ChannelConfiguratorImpl}.
     *
     * @param obj context object passed to {@code onChannelBuilding}; stored as-is
     */
    private CallableDirectionChecker(Object obj) {
        this.context = obj;
    }

    /**
     * Accepts or rejects a role-sensitive object.
     *
     * @param roleSensitive object to be checked; only its class name is used here, for messages
     * @param collection    roles associated with the object
     * @throws SecurityException if the roles do not include {@link Roles#MASTER} and no
     *                           {@link CallableWhitelist} approves the object
     */
    @Override
    public void check(RoleSensitive roleSensitive, @Nonnull Collection<Role> collection) throws SecurityException {
        final String callableClassName = roleSensitive.getClass().getName();

        if (collection.contains(Roles.MASTER)) {
            LOGGER.log(Level.FINE, "Executing {0} is allowed since it is targeted for the master role", callableClassName);
            return;
        }

        if (isWhitelisted(roleSensitive, collection)) {
            // Logged at FINE only, so these exceptions to the rule are not visible at default log levels.
            LOGGER.log(Level.FINE, "Explicitly allowing {0} to be sent from agent to master", callableClassName);
            return;
        }

        throw new SecurityException("Sending " + callableClassName + " from agent to master is prohibited.\nSee https://jenkins.io/redirect/security-144 for more details");
    }

    /**
     * Asks each registered {@link CallableWhitelist} in turn and stops at the first approval.
     *
     * @return {@code true} as soon as one whitelist approves; {@code false} if none does
     */
    private boolean isWhitelisted(RoleSensitive roleSensitive, Collection<Role> collection) {
        for (CallableWhitelist whitelist : CallableWhitelist.all()) {
            if (whitelist.isWhitelisted(roleSensitive, collection, this.context)) {
                return true;
            }
        }
        return false;
    }
}
