package org.elasticsearch.entitlement.runtime.policy;

import java.io.File;
import java.io.IOException;
import java.lang.StackWalker;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.module.ModuleFinder;
import java.lang.runtime.ObjectMethods;
import java.nio.file.LinkOption;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.CodeSource;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.elasticsearch.core.PathUtils;
import org.elasticsearch.core.Strings;
import org.elasticsearch.core.SuppressForbidden;
import org.elasticsearch.entitlement.bridge.Util;
import org.elasticsearch.entitlement.instrumentation.InstrumentationService;
import org.elasticsearch.entitlement.runtime.api.NotEntitledException;
import org.elasticsearch.entitlement.runtime.policy.FileAccessTree;
import org.elasticsearch.entitlement.runtime.policy.PathLookup;
import org.elasticsearch.entitlement.runtime.policy.entitlements.CreateClassLoaderEntitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.Entitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.ExitVMEntitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.InboundNetworkEntitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.LoadNativeLibrariesEntitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.ManageThreadsEntitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.OutboundNetworkEntitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.ReadStoreAttributesEntitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.SetHttpsConnectionPropertiesEntitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.WriteSystemPropertiesEntitlement;
import org.elasticsearch.logging.LogManager;
import org.elasticsearch.logging.Logger;

/* loaded from: input_file:org/elasticsearch/entitlement/runtime/policy/PolicyManager.class */
public class PolicyManager {
    private static final Logger generalLogger;
    static final Class<?> DEFAULT_FILESYSTEM_CLASS;
    static final Set<String> MODULES_EXCLUDED_FROM_SYSTEM_MODULES;
    final Map<Module, ModuleEntitlements> moduleEntitlementsMap = new ConcurrentHashMap();
    private final Map<String, List<Entitlement>> serverEntitlements;
    private final List<Entitlement> apmAgentEntitlements;
    private final Map<String, Map<String, List<Entitlement>>> pluginsEntitlements;
    private final Function<Class<?>, PolicyScope> scopeResolver;
    private final PathLookup pathLookup;
    private final Set<Package> suppressFailureLogPackages;
    public static final String ALL_UNNAMED = "ALL-UNNAMED";
    private static final Set<Module> SYSTEM_LAYER_MODULES;
    public static final Set<Module> SERVER_LAYER_MODULES;
    private final Map<String, Path> sourcePaths;
    private final Module entitlementsModule;
    private final List<FileAccessTree.ExclusivePath> exclusivePaths;
    private static final ConcurrentHashMap<String, Logger> MODULE_LOGGERS;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* loaded from: input_file:org/elasticsearch/entitlement/runtime/policy/PolicyManager$ComponentKind.class */
    public enum ComponentKind {
        UNKNOWN("(unknown)"),
        SERVER("(server)"),
        APM_AGENT("(APM agent)"),
        PLUGIN(null);

        final String componentName;

        ComponentKind(String str) {
            this.componentName = str;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/entitlement/runtime/policy/PolicyManager$ModuleEntitlements.class */
    public static final class ModuleEntitlements extends Record {
        private final String componentName;
        private final Map<Class<? extends Entitlement>, List<Entitlement>> entitlementsByType;
        private final FileAccessTree fileAccess;
        private final Logger logger;

        ModuleEntitlements(String str, Map<Class<? extends Entitlement>, List<Entitlement>> map, FileAccessTree fileAccessTree, Logger logger) {
            Map<Class<? extends Entitlement>, List<Entitlement>> copyOf = Map.copyOf(map);
            this.componentName = str;
            this.entitlementsByType = copyOf;
            this.fileAccess = fileAccessTree;
            this.logger = logger;
        }

        public boolean hasEntitlement(Class<? extends Entitlement> cls) {
            return this.entitlementsByType.containsKey(cls);
        }

        public <E extends Entitlement> Stream<E> getEntitlements(Class<E> cls) {
            List<Entitlement> list = this.entitlementsByType.get(cls);
            if (list == null) {
                return Stream.empty();
            }
            Stream<Entitlement> stream = list.stream();
            Objects.requireNonNull(cls);
            return (Stream<E>) stream.map((v1) -> {
                return r1.cast(v1);
            });
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, ModuleEntitlements.class), ModuleEntitlements.class, "componentName;entitlementsByType;fileAccess;logger", "FIELD:Lorg/elasticsearch/entitlement/runtime/policy/PolicyManager$ModuleEntitlements;->componentName:Ljava/lang/String;", "FIELD:Lorg/elasticsearch/entitlement/runtime/policy/PolicyManager$ModuleEntitlements;->entitlementsByType:Ljava/util/Map;", "FIELD:Lorg/elasticsearch/entitlement/runtime/policy/PolicyManager$ModuleEntitlements;->fileAccess:Lorg/elasticsearch/entitlement/runtime/policy/FileAccessTree;", "FIELD:Lorg/elasticsearch/entitlement/runtime/policy/PolicyManager$ModuleEntitlements;->logger:Lorg/elasticsearch/logging/Logger;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, ModuleEntitlements.class), ModuleEntitlements.class, "componentName;entitlementsByType;fileAccess;logger", "FIELD:Lorg/elasticsearch/entitlement/runtime/policy/PolicyManager$ModuleEntitlements;->componentName:Ljava/lang/String;", "FIELD:Lorg/elasticsearch/entitlement/runtime/policy/PolicyManager$ModuleEntitlements;->entitlementsByType:Ljava/util/Map;", "FIELD:Lorg/elasticsearch/entitlement/runtime/policy/PolicyManager$ModuleEntitlements;->fileAccess:Lorg/elasticsearch/entitlement/runtime/policy/FileAccessTree;", "FIELD:Lorg/elasticsearch/entitlement/runtime/policy/PolicyManager$ModuleEntitlements;->logger:Lorg/elasticsearch/logging/Logger;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, ModuleEntitlements.class, Object.class), ModuleEntitlements.class, "componentName;entitlementsByType;fileAccess;logger", "FIELD:Lorg/elasticsearch/entitlement/runtime/policy/PolicyManager$ModuleEntitlements;->componentName:Ljava/lang/String;", "FIELD:Lorg/elasticsearch/entitlement/runtime/policy/PolicyManager$ModuleEntitlements;->entitlementsByType:Ljava/util/Map;", "FIELD:Lorg/elasticsearch/entitlement/runtime/policy/PolicyManager$ModuleEntitlements;->fileAccess:Lorg/elasticsearch/entitlement/runtime/policy/FileAccessTree;", "FIELD:Lorg/elasticsearch/entitlement/runtime/policy/PolicyManager$ModuleEntitlements;->logger:Lorg/elasticsearch/logging/Logger;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public String componentName() {
            return this.componentName;
        }

        public Map<Class<? extends Entitlement>, List<Entitlement>> entitlementsByType() {
            return this.entitlementsByType;
        }

        public FileAccessTree fileAccess() {
            return this.fileAccess;
        }

        public Logger logger() {
            return this.logger;
        }
    }

    /* loaded from: input_file:org/elasticsearch/entitlement/runtime/policy/PolicyManager$PolicyScope.class */
    public static final class PolicyScope extends Record {
        private final ComponentKind kind;
        private final String componentName;
        private final String moduleName;
        static final /* synthetic */ boolean $assertionsDisabled;

        public PolicyScope(ComponentKind componentKind, String str, String str2) {
            Objects.requireNonNull(componentKind);
            Objects.requireNonNull(str);
            Objects.requireNonNull(str2);
            if (!$assertionsDisabled && componentKind.componentName != null && !componentKind.componentName.equals(str)) {
                throw new AssertionError();
            }
            this.kind = componentKind;
            this.componentName = str;
            this.moduleName = str2;
        }

        public static PolicyScope unknown(String str) {
            return new PolicyScope(ComponentKind.UNKNOWN, ComponentKind.UNKNOWN.componentName, str);
        }

        public static PolicyScope server(String str) {
            return new PolicyScope(ComponentKind.SERVER, ComponentKind.SERVER.componentName, str);
        }

        public static PolicyScope apmAgent(String str) {
            return new PolicyScope(ComponentKind.APM_AGENT, ComponentKind.APM_AGENT.componentName, str);
        }

        public static PolicyScope plugin(String str, String str2) {
            return new PolicyScope(ComponentKind.PLUGIN, str, str2);
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, PolicyScope.class), PolicyScope.class, "kind;componentName;moduleName", "FIELD:Lorg/elasticsearch/entitlement/runtime/policy/PolicyManager$PolicyScope;->kind:Lorg/elasticsearch/entitlement/runtime/policy/PolicyManager$ComponentKind;", "FIELD:Lorg/elasticsearch/entitlement/runtime/policy/PolicyManager$PolicyScope;->componentName:Ljava/lang/String;", "FIELD:Lorg/elasticsearch/entitlement/runtime/policy/PolicyManager$PolicyScope;->moduleName:Ljava/lang/String;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, PolicyScope.class), PolicyScope.class, "kind;componentName;moduleName", "FIELD:Lorg/elasticsearch/entitlement/runtime/policy/PolicyManager$PolicyScope;->kind:Lorg/elasticsearch/entitlement/runtime/policy/PolicyManager$ComponentKind;", "FIELD:Lorg/elasticsearch/entitlement/runtime/policy/PolicyManager$PolicyScope;->componentName:Ljava/lang/String;", "FIELD:Lorg/elasticsearch/entitlement/runtime/policy/PolicyManager$PolicyScope;->moduleName:Ljava/lang/String;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, PolicyScope.class, Object.class), PolicyScope.class, "kind;componentName;moduleName", "FIELD:Lorg/elasticsearch/entitlement/runtime/policy/PolicyManager$PolicyScope;->kind:Lorg/elasticsearch/entitlement/runtime/policy/PolicyManager$ComponentKind;", "FIELD:Lorg/elasticsearch/entitlement/runtime/policy/PolicyManager$PolicyScope;->componentName:Ljava/lang/String;", "FIELD:Lorg/elasticsearch/entitlement/runtime/policy/PolicyManager$PolicyScope;->moduleName:Ljava/lang/String;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public ComponentKind kind() {
            return this.kind;
        }

        public String componentName() {
            return this.componentName;
        }

        public String moduleName() {
            return this.moduleName;
        }

        static {
            $assertionsDisabled = !PolicyManager.class.desiredAssertionStatus();
        }
    }

    private FileAccessTree getDefaultFileAccess(Path path) {
        return FileAccessTree.withoutExclusivePaths(FilesEntitlement.EMPTY, this.pathLookup, path);
    }

    ModuleEntitlements defaultEntitlements(String str, Path path, String str2) {
        return new ModuleEntitlements(str, Map.of(), getDefaultFileAccess(path), getLogger(str, str2));
    }

    ModuleEntitlements policyEntitlements(String str, Path path, String str2, List<Entitlement> list) {
        FilesEntitlement filesEntitlement = FilesEntitlement.EMPTY;
        for (Entitlement entitlement : list) {
            if (entitlement instanceof FilesEntitlement) {
                filesEntitlement = (FilesEntitlement) entitlement;
            }
        }
        return new ModuleEntitlements(str, (Map) list.stream().collect(Collectors.groupingBy((v0) -> {
            return v0.getClass();
        })), FileAccessTree.of(str, str2, filesEntitlement, this.pathLookup, path, this.exclusivePaths), getLogger(str, str2));
    }

    private static Set<Module> findSystemLayerModules() {
        Set set = (Set) ModuleFinder.ofSystem().findAll().stream().map((v0) -> {
            return v0.descriptor();
        }).collect(Collectors.toUnmodifiableSet());
        return (Set) Stream.concat(Stream.of(PolicyManager.class.getModule()), ModuleLayer.boot().modules().stream().filter(module -> {
            return set.contains(module.getDescriptor()) && !MODULES_EXCLUDED_FROM_SYSTEM_MODULES.contains(module.getName());
        })).collect(Collectors.toUnmodifiableSet());
    }

    public PolicyManager(Policy policy, List<Entitlement> list, Map<String, Policy> map, Function<Class<?>, PolicyScope> function, Map<String, Path> map2, Module module, PathLookup pathLookup, Set<Package> set) {
        this.serverEntitlements = buildScopeEntitlementsMap((Policy) Objects.requireNonNull(policy));
        this.apmAgentEntitlements = list;
        this.pluginsEntitlements = (Map) ((Map) Objects.requireNonNull(map)).entrySet().stream().collect(Collectors.toUnmodifiableMap((v0) -> {
            return v0.getKey();
        }, entry -> {
            return buildScopeEntitlementsMap((Policy) entry.getValue());
        }));
        this.scopeResolver = function;
        this.sourcePaths = map2;
        this.entitlementsModule = module;
        this.pathLookup = (PathLookup) Objects.requireNonNull(pathLookup);
        this.suppressFailureLogPackages = set;
        ArrayList arrayList = new ArrayList();
        for (Map.Entry<String, List<Entitlement>> entry2 : this.serverEntitlements.entrySet()) {
            validateEntitlementsPerModule(ComponentKind.SERVER.componentName, entry2.getKey(), entry2.getValue(), arrayList);
        }
        validateEntitlementsPerModule(ComponentKind.APM_AGENT.componentName, ALL_UNNAMED, list, arrayList);
        for (Map.Entry<String, Map<String, List<Entitlement>>> entry3 : this.pluginsEntitlements.entrySet()) {
            for (Map.Entry<String, List<Entitlement>> entry4 : entry3.getValue().entrySet()) {
                validateEntitlementsPerModule(entry3.getKey(), entry4.getKey(), entry4.getValue(), arrayList);
            }
        }
        List<FileAccessTree.ExclusivePath> buildExclusivePathList = FileAccessTree.buildExclusivePathList(arrayList, pathLookup, FileAccessTree.DEFAULT_COMPARISON);
        FileAccessTree.validateExclusivePaths(buildExclusivePathList, FileAccessTree.DEFAULT_COMPARISON);
        this.exclusivePaths = buildExclusivePathList;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static Map<String, List<Entitlement>> buildScopeEntitlementsMap(Policy policy) {
        return (Map) policy.scopes().stream().collect(Collectors.toUnmodifiableMap((v0) -> {
            return v0.moduleName();
        }, (v0) -> {
            return v0.entitlements();
        }));
    }

    private static void validateEntitlementsPerModule(String str, String str2, List<Entitlement> list, List<FileAccessTree.ExclusiveFileEntitlement> list2) {
        HashSet hashSet = new HashSet();
        for (Entitlement entitlement : list) {
            if (hashSet.contains(entitlement.getClass())) {
                throw new IllegalArgumentException("[" + str + "] using module [" + str2 + "] found duplicate entitlement [" + entitlement.getClass().getName() + "]");
            }
            hashSet.add(entitlement.getClass());
            if (entitlement instanceof FilesEntitlement) {
                list2.add(new FileAccessTree.ExclusiveFileEntitlement(str, str2, (FilesEntitlement) entitlement));
            }
        }
    }

    public void checkStartProcess(Class<?> cls) {
        neverEntitled(cls, () -> {
            return "start process";
        });
    }

    public void checkWriteStoreAttributes(Class<?> cls) {
        neverEntitled(cls, () -> {
            return "change file store attributes";
        });
    }

    public void checkReadStoreAttributes(Class<?> cls) {
        checkEntitlementPresent(cls, ReadStoreAttributesEntitlement.class);
    }

    private void neverEntitled(Class<?> cls, Supplier<String> supplier) {
        Class<?> requestingClass = requestingClass(cls);
        if (isTriviallyAllowed(requestingClass)) {
            return;
        }
        ModuleEntitlements entitlements = getEntitlements(requestingClass);
        notEntitled(Strings.format("component [%s], module [%s], class [%s], operation [%s]", new Object[]{entitlements.componentName(), getModuleName(requestingClass), requestingClass, supplier.get()}), cls, entitlements);
    }

    public void checkExitVM(Class<?> cls) {
        checkEntitlementPresent(cls, ExitVMEntitlement.class);
    }

    public void checkCreateClassLoader(Class<?> cls) {
        checkEntitlementPresent(cls, CreateClassLoaderEntitlement.class);
    }

    public void checkSetHttpsConnectionProperties(Class<?> cls) {
        checkEntitlementPresent(cls, SetHttpsConnectionPropertiesEntitlement.class);
    }

    public void checkChangeJVMGlobalState(Class<?> cls) {
        neverEntitled(cls, () -> {
            return walkStackForCheckMethodName().orElse("change JVM global state");
        });
    }

    public void checkLoggingFileHandler(Class<?> cls) {
        neverEntitled(cls, () -> {
            return walkStackForCheckMethodName().orElse("create logging file handler");
        });
    }

    private Optional<String> walkStackForCheckMethodName() {
        return ((Optional) StackWalker.getInstance().walk(stream -> {
            return stream.map((v0) -> {
                return v0.getMethodName();
            }).dropWhile(Predicate.not(str -> {
                return str.startsWith(InstrumentationService.CHECK_METHOD_PREFIX);
            })).findFirst();
        })).map(this::operationDescription);
    }

    public void checkChangeNetworkHandling(Class<?> cls) {
        checkChangeJVMGlobalState(cls);
    }

    public void checkChangeFilesHandling(Class<?> cls) {
        checkChangeJVMGlobalState(cls);
    }

    @SuppressForbidden(reason = "Explicitly checking File apis")
    public void checkFileRead(Class<?> cls, File file) {
        checkFileRead(cls, file.toPath());
    }

    private static boolean isPathOnDefaultFilesystem(Path path) {
        Class<?> cls = path.getFileSystem().getClass();
        if (path.getFileSystem().getClass() == DEFAULT_FILESYSTEM_CLASS) {
            return true;
        }
        generalLogger.trace(() -> {
            return Strings.format("File entitlement trivially allowed: path [%s] is for a different FileSystem class [%s], default is [%s]", new Object[]{path.toString(), cls.getName(), DEFAULT_FILESYSTEM_CLASS.getName()});
        });
        return false;
    }

    public void checkFileRead(Class<?> cls, Path path) {
        try {
            checkFileRead(cls, path, false);
        } catch (NoSuchFileException e) {
            if (!$assertionsDisabled) {
                throw new AssertionError("NoSuchFileException should only be thrown when following links");
            }
            NotEntitledException notEntitledException = new NotEntitledException(e.getMessage());
            notEntitledException.addSuppressed(e);
            throw notEntitledException;
        }
    }

    public void checkFileRead(Class<?> cls, Path path, boolean z) throws NoSuchFileException {
        if (isPathOnDefaultFilesystem(path)) {
            Class<?> requestingClass = requestingClass(cls);
            if (isTriviallyAllowed(requestingClass)) {
                return;
            }
            ModuleEntitlements entitlements = getEntitlements(requestingClass);
            Path path2 = null;
            boolean canRead = entitlements.fileAccess().canRead(path);
            if (canRead && z) {
                try {
                    path2 = path.toRealPath(new LinkOption[0]);
                    if (!path2.equals(path)) {
                        canRead = entitlements.fileAccess().canRead(path2);
                    }
                } catch (NoSuchFileException e) {
                    throw e;
                } catch (IOException e2) {
                    canRead = false;
                }
            }
            if (canRead) {
                return;
            }
            Object[] objArr = new Object[4];
            objArr[0] = entitlements.componentName();
            objArr[1] = getModuleName(requestingClass);
            objArr[2] = requestingClass;
            objArr[3] = path2 == null ? path : Strings.format("%s -> %s", new Object[]{path, path2});
            notEntitled(Strings.format("component [%s], module [%s], class [%s], entitlement [file], operation [read], path [%s]", objArr), cls, entitlements);
        }
    }

    @SuppressForbidden(reason = "Explicitly checking File apis")
    public void checkFileWrite(Class<?> cls, File file) {
        checkFileWrite(cls, file.toPath());
    }

    public void checkFileWrite(Class<?> cls, Path path) {
        if (isPathOnDefaultFilesystem(path)) {
            Class<?> requestingClass = requestingClass(cls);
            if (isTriviallyAllowed(requestingClass)) {
                return;
            }
            ModuleEntitlements entitlements = getEntitlements(requestingClass);
            if (entitlements.fileAccess().canWrite(path)) {
                return;
            }
            notEntitled(Strings.format("component [%s], module [%s], class [%s], entitlement [file], operation [write], path [%s]", new Object[]{entitlements.componentName(), getModuleName(requestingClass), requestingClass, path}), cls, entitlements);
        }
    }

    public void checkCreateTempFile(Class<?> cls) {
        checkFileWrite(cls, this.pathLookup.getBaseDirPaths(PathLookup.BaseDir.TEMP).findFirst().get());
    }

    @SuppressForbidden(reason = "Explicitly checking File apis")
    public void checkFileWithZipMode(Class<?> cls, File file, int i) {
        if (!$assertionsDisabled && i != 1 && i != 5) {
            throw new AssertionError();
        }
        if ((i & 4) == 4) {
            checkFileWrite(cls, file);
        } else {
            checkFileRead(cls, file);
        }
    }

    public void checkFileDescriptorRead(Class<?> cls) {
        neverEntitled(cls, () -> {
            return "read file descriptor";
        });
    }

    public void checkFileDescriptorWrite(Class<?> cls) {
        neverEntitled(cls, () -> {
            return "write file descriptor";
        });
    }

    public void checkGetFileAttributeView(Class<?> cls) {
        neverEntitled(cls, () -> {
            return "get file attribute view";
        });
    }

    public void checkLoadingNativeLibraries(Class<?> cls) {
        checkEntitlementPresent(cls, LoadNativeLibrariesEntitlement.class);
    }

    private String operationDescription(String str) {
        return str.substring(str.indexOf(36));
    }

    public void checkInboundNetworkAccess(Class<?> cls) {
        checkEntitlementPresent(cls, InboundNetworkEntitlement.class);
    }

    public void checkOutboundNetworkAccess(Class<?> cls) {
        checkEntitlementPresent(cls, OutboundNetworkEntitlement.class);
    }

    public void checkAllNetworkAccess(Class<?> cls) {
        Class<?> requestingClass = requestingClass(cls);
        if (isTriviallyAllowed(requestingClass)) {
            return;
        }
        ModuleEntitlements entitlements = getEntitlements(requestingClass);
        checkFlagEntitlement(entitlements, InboundNetworkEntitlement.class, requestingClass, cls);
        checkFlagEntitlement(entitlements, OutboundNetworkEntitlement.class, requestingClass, cls);
    }

    public void checkUnsupportedURLProtocolConnection(Class<?> cls, String str) {
        neverEntitled(cls, () -> {
            return Strings.format("unsupported URL protocol [%s]", new Object[]{str});
        });
    }

    private void checkFlagEntitlement(ModuleEntitlements moduleEntitlements, Class<? extends Entitlement> cls, Class<?> cls2, Class<?> cls3) {
        if (!moduleEntitlements.hasEntitlement(cls)) {
            notEntitled(Strings.format("component [%s], module [%s], class [%s], entitlement [%s]", new Object[]{moduleEntitlements.componentName(), getModuleName(cls2), cls2, PolicyParser.buildEntitlementNameFromClass(cls)}), cls3, moduleEntitlements);
        }
        moduleEntitlements.logger().debug(() -> {
            return Strings.format("Entitled: component [%s], module [%s], class [%s], entitlement [%s]", new Object[]{moduleEntitlements.componentName(), getModuleName(cls2), cls2, PolicyParser.buildEntitlementNameFromClass(cls)});
        });
    }

    public void checkWriteProperty(Class<?> cls, String str) {
        Class<?> requestingClass = requestingClass(cls);
        if (isTriviallyAllowed(requestingClass)) {
            return;
        }
        ModuleEntitlements entitlements = getEntitlements(requestingClass);
        if (entitlements.getEntitlements(WriteSystemPropertiesEntitlement.class).anyMatch(writeSystemPropertiesEntitlement -> {
            return writeSystemPropertiesEntitlement.properties().contains(str);
        })) {
            entitlements.logger().debug(() -> {
                return Strings.format("Entitled: component [%s], module [%s], class [%s], entitlement [write_system_properties], property [%s]", new Object[]{entitlements.componentName(), getModuleName(requestingClass), requestingClass, str});
            });
        } else {
            notEntitled(Strings.format("component [%s], module [%s], class [%s], entitlement [write_system_properties], property [%s]", new Object[]{entitlements.componentName(), getModuleName(requestingClass), requestingClass, str}), cls, entitlements);
        }
    }

    private void notEntitled(String str, Class<?> cls, ModuleEntitlements moduleEntitlements) {
        NotEntitledException notEntitledException = new NotEntitledException(str);
        if (!this.suppressFailureLogPackages.contains(cls.getPackage())) {
            moduleEntitlements.logger().warn("Not entitled: {}", new Object[]{str, notEntitledException});
        }
        throw notEntitledException;
    }

    private static Logger getLogger(String str, String str2) {
        return MODULE_LOGGERS.computeIfAbsent(PolicyManager.class.getName() + ("." + str + "." + (str2 == null ? ALL_UNNAMED : str2)), LogManager::getLogger);
    }

    public void checkManageThreadsEntitlement(Class<?> cls) {
        checkEntitlementPresent(cls, ManageThreadsEntitlement.class);
    }

    private void checkEntitlementPresent(Class<?> cls, Class<? extends Entitlement> cls2) {
        Class<?> requestingClass = requestingClass(cls);
        if (isTriviallyAllowed(requestingClass)) {
            return;
        }
        checkFlagEntitlement(getEntitlements(requestingClass), cls2, requestingClass, cls);
    }

    ModuleEntitlements getEntitlements(Class<?> cls) {
        return this.moduleEntitlementsMap.computeIfAbsent(cls.getModule(), module -> {
            return computeEntitlements(cls);
        });
    }

    private ModuleEntitlements computeEntitlements(Class<?> cls) {
        PolicyScope apply = this.scopeResolver.apply(cls);
        String componentName = apply.componentName();
        String moduleName = apply.moduleName();
        switch (apply.kind()) {
            case SERVER:
                return getModuleScopeEntitlements(this.serverEntitlements, moduleName, ComponentKind.SERVER.componentName, getComponentPathFromClass(cls));
            case APM_AGENT:
                return policyEntitlements(ComponentKind.APM_AGENT.componentName, getComponentPathFromClass(cls), ALL_UNNAMED, this.apmAgentEntitlements);
            case UNKNOWN:
                return defaultEntitlements(ComponentKind.UNKNOWN.componentName, null, moduleName);
            default:
                if (!$assertionsDisabled && apply.kind() != ComponentKind.PLUGIN) {
                    throw new AssertionError();
                }
                Map<String, List<Entitlement>> map = this.pluginsEntitlements.get(componentName);
                return map == null ? defaultEntitlements(componentName, this.sourcePaths.get(componentName), moduleName) : getModuleScopeEntitlements(map, moduleName, componentName, this.sourcePaths.get(componentName));
        }
    }

    static Path getComponentPathFromClass(Class<?> cls) {
        CodeSource codeSource = cls.getProtectionDomain().getCodeSource();
        if (codeSource == null) {
            return null;
        }
        try {
            return Paths.get(codeSource.getLocation().toURI());
        } catch (Exception e) {
            generalLogger.info("Cannot get component path for [{}]: [{}] cannot be converted to a valid Path", new Object[]{cls.getName(), codeSource.getLocation().toString()});
            return null;
        }
    }

    private ModuleEntitlements getModuleScopeEntitlements(Map<String, List<Entitlement>> map, String str, String str2, Path path) {
        List<Entitlement> list = map.get(str);
        return list == null ? defaultEntitlements(str2, path, str) : policyEntitlements(str2, path, str, list);
    }

    Class<?> requestingClass(Class<?> cls) {
        return cls != null ? cls : (Class) ((Optional) StackWalker.getInstance(StackWalker.Option.RETAIN_CLASS_REFERENCE).walk(stream -> {
            return findRequestingFrame(stream).map((v0) -> {
                return v0.getDeclaringClass();
            });
        })).orElse(null);
    }

    Optional<StackWalker.StackFrame> findRequestingFrame(Stream<StackWalker.StackFrame> stream) {
        return stream.filter(stackFrame -> {
            return stackFrame.getDeclaringClass().getModule() != this.entitlementsModule;
        }).skip(1L).findFirst();
    }

    private static boolean isTriviallyAllowed(Class<?> cls) {
        if (generalLogger.isTraceEnabled()) {
            generalLogger.trace("Stack trace for upcoming trivially-allowed check", new Exception());
        }
        if (cls == null) {
            generalLogger.debug("Entitlement trivially allowed: no caller frames outside the entitlement library");
            return true;
        }
        if (cls == Util.NO_CLASS) {
            generalLogger.debug("Entitlement trivially allowed from outermost frame");
            return true;
        }
        if (SYSTEM_LAYER_MODULES.contains(cls.getModule())) {
            generalLogger.debug("Entitlement trivially allowed from system module [{}]", new Object[]{cls.getModule().getName()});
            return true;
        }
        generalLogger.trace("Entitlement not trivially allowed");
        return false;
    }

    private static String getModuleName(Class<?> cls) {
        String name = cls.getModule().getName();
        return name == null ? ALL_UNNAMED : name;
    }

    public String toString() {
        return "PolicyManager{serverEntitlements=" + String.valueOf(this.serverEntitlements) + ", pluginsEntitlements=" + String.valueOf(this.pluginsEntitlements) + "}";
    }

    static {
        $assertionsDisabled = !PolicyManager.class.desiredAssertionStatus();
        generalLogger = LogManager.getLogger(PolicyManager.class);
        DEFAULT_FILESYSTEM_CLASS = PathUtils.getDefaultFileSystem().getClass();
        MODULES_EXCLUDED_FROM_SYSTEM_MODULES = Set.of("java.desktop");
        SYSTEM_LAYER_MODULES = findSystemLayerModules();
        SERVER_LAYER_MODULES = (Set) ModuleLayer.boot().modules().stream().filter(module -> {
            return !SYSTEM_LAYER_MODULES.contains(module);
        }).collect(Collectors.toUnmodifiableSet());
        MODULE_LOGGERS = new ConcurrentHashMap<>();
    }
}
