package org.jenkinsci.plugins.scriptsecurity.sandbox.groovy;

import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import groovy.lang.Script;
import java.util.concurrent.Callable;
import javax.annotation.Nonnull;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.codehaus.groovy.control.customizers.CompilationCustomizer;
import org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException;
import org.jenkinsci.plugins.scriptsecurity.sandbox.Whitelist;
import org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.ProxyWhitelist;
import org.kohsuke.groovy.sandbox.SandboxTransformer;

@SuppressFBWarnings(value = {"RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE"}, justification = "Catch nulls that may slip in for edge cases FindBugs can't predict")
/* loaded from: input_file:WEB-INF/lib/script-security.jar:org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.class */
public class GroovySandbox {
    @Nonnull
    public static CompilerConfiguration createSecureCompilerConfiguration() {
        CompilerConfiguration compilerConfiguration = new CompilerConfiguration();
        compilerConfiguration.addCompilationCustomizers(new CompilationCustomizer[]{new SandboxTransformer()});
        return compilerConfiguration;
    }

    @Nonnull
    @SuppressFBWarnings(value = {"DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED"}, justification = "Should be managed by the caller.")
    public static ClassLoader createSecureClassLoader(ClassLoader classLoader) {
        return new SandboxResolvingClassLoader(classLoader);
    }

    public static void runInSandbox(@Nonnull Runnable runnable, @Nonnull Whitelist whitelist) throws RejectedAccessException {
        SandboxInterceptor sandboxInterceptor = new SandboxInterceptor(whitelist);
        sandboxInterceptor.register();
        try {
            runnable.run();
        } finally {
            sandboxInterceptor.unregister();
        }
    }

    public static <V> V runInSandbox(@Nonnull Callable<V> callable, @Nonnull Whitelist whitelist) throws Exception {
        SandboxInterceptor sandboxInterceptor = new SandboxInterceptor(whitelist);
        sandboxInterceptor.register();
        try {
            V call = callable.call();
            sandboxInterceptor.unregister();
            return call;
        } catch (Throwable th) {
            sandboxInterceptor.unregister();
            throw th;
        }
    }

    @Deprecated
    public static void runInSandbox(@Nonnull final Script script, @Nonnull Whitelist whitelist) throws RejectedAccessException {
        runInSandbox(new Runnable() { // from class: org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.1
            @Override // java.lang.Runnable
            public void run() {
                script.run();
            }
        }, whitelist);
    }

    public static Object run(@Nonnull Script script, @Nonnull Whitelist whitelist) throws RejectedAccessException {
        SandboxInterceptor sandboxInterceptor = new SandboxInterceptor(new ProxyWhitelist(new ClassLoaderWhitelist(script.getClass().getClassLoader()), whitelist));
        sandboxInterceptor.register();
        try {
            Object run = script.run();
            sandboxInterceptor.unregister();
            return run;
        } catch (Throwable th) {
            sandboxInterceptor.unregister();
            throw th;
        }
    }

    private GroovySandbox() {
    }
}
