package jenkins.security.s2m;

import edu.umd.cs.findbugs.annotations.Nullable;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import hudson.Extension;
import hudson.PluginManager;
import hudson.remoting.Channel;
import hudson.remoting.ChannelBuilder;
import hudson.remoting.JarURLValidator;
import java.io.IOException;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import jenkins.model.Jenkins;
import jenkins.security.ChannelConfigurator;
import jenkins.util.SystemProperties;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;

@Extension
@Restricted({NoExternalUse.class})
@Deprecated
/* loaded from: input_file:WEB-INF/lib/jenkins-core-2.490.jar:jenkins/security/s2m/JarURLValidatorImpl.class */
public class JarURLValidatorImpl extends ChannelConfigurator implements JarURLValidator {
    public static final Logger LOGGER = Logger.getLogger(JarURLValidatorImpl.class.getName());

    @Override // jenkins.security.ChannelConfigurator
    public void onChannelBuilding(ChannelBuilder channelBuilder, @Nullable Object obj) {
        LOGGER.log(Level.CONFIG, () -> {
            return "Setting up JarURLValidatorImpl for context: " + obj;
        });
        channelBuilder.withProperty(JarURLValidator.class, this);
    }

    @Override // hudson.remoting.JarURLValidator
    public void validate(URL url) throws IOException {
        String str = JarURLValidatorImpl.class.getName() + ".REJECT_ALL";
        if (SystemProperties.getBoolean(str)) {
            LOGGER.log(Level.FINE, () -> {
                return "Rejecting URL due to configuration: " + url;
            });
            throw new IOException("The system property '" + str + "' has been set, so all attempts by agents to load jars from the controller are rejected. Update the agent.jar of the affected agent to a version released in August 2024 or later to prevent this error.");
        }
        String str2 = Channel.class.getName() + ".DISABLE_JAR_URL_VALIDATOR";
        if (SystemProperties.getBoolean(str2)) {
            LOGGER.log(Level.FINE, () -> {
                return "Allowing URL due to configuration: " + url;
            });
        } else if (isAllowedJar(url)) {
            LOGGER.log(Level.FINE, () -> {
                return "Allowing URL: " + url;
            });
        } else {
            LOGGER.log(Level.FINE, () -> {
                return "Rejecting URL: " + url;
            });
            throw new IOException("This URL does not point to a jar file allowed to be requested by agents: " + url + ". Update the agent.jar of the affected agent to a version released in August 2024 or later to prevent this error. Alternatively, set the system property '" + str2 + "' to 'true' if all the code built by Jenkins is as trusted as an administrator.");
        }
    }

    @SuppressFBWarnings(value = {"DMI_COLLECTION_OF_URLS"}, justification = "All URLs point to local files, so no DNS lookup.")
    private static boolean isAllowedJar(URL url) {
        ClassLoader classLoader = Jenkins.get().getPluginManager().uberClassLoader;
        if ((classLoader instanceof PluginManager.UberClassLoader) && ((PluginManager.UberClassLoader) classLoader).isPluginJar(url)) {
            LOGGER.log(Level.FINER, () -> {
                return "Determined to be plugin jar: " + url;
            });
            return true;
        }
        ClassLoader classLoader2 = Jenkins.class.getClassLoader();
        if ((classLoader2 instanceof URLClassLoader) && Set.of((Object[]) ((URLClassLoader) classLoader2).getURLs()).contains(url)) {
            LOGGER.log(Level.FINER, () -> {
                return "Determined to be core jar: " + url;
            });
            return true;
        }
        LOGGER.log(Level.FINER, () -> {
            return "Neither core nor plugin jar: " + url;
        });
        return false;
    }
}
