package org.elasticsearch.entitlement.runtime.policy;

import java.io.File;
import java.io.IOException;
import java.lang.StackWalker;
import java.net.HttpURLConnection;
import java.net.JarURLConnection;
import java.net.MalformedURLException;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLConnection;
import java.nio.file.LinkOption;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import java.util.function.Supplier;
import java.util.stream.Stream;
import org.elasticsearch.core.PathUtils;
import org.elasticsearch.core.Strings;
import org.elasticsearch.core.SuppressForbidden;
import org.elasticsearch.entitlement.instrumentation.InstrumentationService;
import org.elasticsearch.entitlement.runtime.api.NotEntitledException;
import org.elasticsearch.entitlement.runtime.policy.PathLookup;
import org.elasticsearch.entitlement.runtime.policy.PolicyManager;
import org.elasticsearch.entitlement.runtime.policy.entitlements.CreateClassLoaderEntitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.Entitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.ExitVMEntitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.InboundNetworkEntitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.LoadNativeLibrariesEntitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.ManageThreadsEntitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.OutboundNetworkEntitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.ReadStoreAttributesEntitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.SetHttpsConnectionPropertiesEntitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.WriteSystemPropertiesEntitlement;

@SuppressForbidden(reason = "Explicitly checking APIs that are forbidden")
/* loaded from: input_file:org/elasticsearch/entitlement/runtime/policy/PolicyCheckerImpl.class */
public class PolicyCheckerImpl implements PolicyChecker {
    static final Class<?> DEFAULT_FILESYSTEM_CLASS;
    protected final Set<Package> suppressFailureLogPackages;
    protected final Module entitlementsModule;
    private final PolicyManager policyManager;
    private final PathLookup pathLookup;
    private static final Set<String> NETWORK_PROTOCOLS;
    private static final List<String> ADDITIONAL_NETWORK_URL_CONNECT_CLASS_NAMES;
    static final /* synthetic */ boolean $assertionsDisabled;

    public PolicyCheckerImpl(Set<Package> set, Module module, PolicyManager policyManager, PathLookup pathLookup) {
        this.suppressFailureLogPackages = set;
        this.entitlementsModule = module;
        this.policyManager = policyManager;
        this.pathLookup = pathLookup;
    }

    private static boolean isPathOnDefaultFilesystem(Path path) {
        Class<?> cls = path.getFileSystem().getClass();
        if (path.getFileSystem().getClass() == DEFAULT_FILESYSTEM_CLASS) {
            return true;
        }
        PolicyManager.generalLogger.trace(() -> {
            return Strings.format("File entitlement trivially allowed: path [%s] is for a different FileSystem class [%s], default is [%s]", new Object[]{path.toString(), cls.getName(), DEFAULT_FILESYSTEM_CLASS.getName()});
        });
        return false;
    }

    private static String getModuleName(Class<?> cls) {
        String name = cls.getModule().getName();
        return name == null ? PolicyManager.ALL_UNNAMED : name;
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    public void checkStartProcess(Class<?> cls) {
        neverEntitled(cls, () -> {
            return "start process";
        });
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    public void checkWriteStoreAttributes(Class<?> cls) {
        neverEntitled(cls, () -> {
            return "change file store attributes";
        });
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    public void checkReadStoreAttributes(Class<?> cls) {
        checkEntitlementPresent(cls, ReadStoreAttributesEntitlement.class);
    }

    private void neverEntitled(Class<?> cls, Supplier<String> supplier) {
        Class<?> requestingClass = requestingClass(cls);
        if (this.policyManager.isTriviallyAllowed(requestingClass)) {
            return;
        }
        PolicyManager.ModuleEntitlements entitlements = this.policyManager.getEntitlements(requestingClass);
        notEntitled(Strings.format("component [%s], module [%s], class [%s], operation [%s]", new Object[]{entitlements.componentName(), getModuleName(requestingClass), requestingClass, supplier.get()}), cls, entitlements);
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    public void checkExitVM(Class<?> cls) {
        checkEntitlementPresent(cls, ExitVMEntitlement.class);
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    public void checkCreateClassLoader(Class<?> cls) {
        checkEntitlementPresent(cls, CreateClassLoaderEntitlement.class);
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    public void checkSetHttpsConnectionProperties(Class<?> cls) {
        checkEntitlementPresent(cls, SetHttpsConnectionPropertiesEntitlement.class);
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    public void checkChangeJVMGlobalState(Class<?> cls) {
        neverEntitled(cls, () -> {
            return walkStackForCheckMethodName().orElse("change JVM global state");
        });
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    public void checkLoggingFileHandler(Class<?> cls) {
        neverEntitled(cls, () -> {
            return walkStackForCheckMethodName().orElse("create logging file handler");
        });
    }

    private Optional<String> walkStackForCheckMethodName() {
        return ((Optional) StackWalker.getInstance().walk(stream -> {
            return stream.map((v0) -> {
                return v0.getMethodName();
            }).dropWhile(Predicate.not(str -> {
                return str.startsWith(InstrumentationService.CHECK_METHOD_PREFIX);
            })).findFirst();
        })).map(this::operationDescription);
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    public void checkChangeNetworkHandling(Class<?> cls) {
        checkChangeJVMGlobalState(cls);
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    public void checkChangeFilesHandling(Class<?> cls) {
        checkChangeJVMGlobalState(cls);
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    @SuppressForbidden(reason = "Explicitly checking File apis")
    public void checkFileRead(Class<?> cls, File file) {
        checkFileRead(cls, file.toPath());
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    public void checkFileRead(Class<?> cls, Path path) {
        try {
            checkFileRead(cls, path, false);
        } catch (NoSuchFileException e) {
            if (!$assertionsDisabled) {
                throw new AssertionError("NoSuchFileException should only be thrown when following links");
            }
            NotEntitledException notEntitledException = new NotEntitledException(e.getMessage());
            notEntitledException.addSuppressed(e);
            throw notEntitledException;
        }
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    public void checkFileRead(Class<?> cls, Path path, boolean z) throws NoSuchFileException {
        if (isPathOnDefaultFilesystem(path)) {
            Class<?> requestingClass = requestingClass(cls);
            if (this.policyManager.isTriviallyAllowed(requestingClass)) {
                return;
            }
            PolicyManager.ModuleEntitlements entitlements = this.policyManager.getEntitlements(requestingClass);
            Path path2 = null;
            boolean canRead = entitlements.fileAccess().canRead(path);
            if (canRead && z) {
                try {
                    path2 = path.toRealPath(new LinkOption[0]);
                    if (!path2.equals(path)) {
                        canRead = entitlements.fileAccess().canRead(path2);
                    }
                } catch (NoSuchFileException e) {
                    throw e;
                } catch (IOException e2) {
                    canRead = false;
                }
            }
            if (canRead) {
                return;
            }
            Object[] objArr = new Object[4];
            objArr[0] = entitlements.componentName();
            objArr[1] = getModuleName(requestingClass);
            objArr[2] = requestingClass;
            objArr[3] = path2 == null ? path : Strings.format("%s -> %s", new Object[]{path, path2});
            notEntitled(Strings.format("component [%s], module [%s], class [%s], entitlement [file], operation [read], path [%s]", objArr), cls, entitlements);
        }
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    @SuppressForbidden(reason = "Explicitly checking File apis")
    public void checkFileWrite(Class<?> cls, File file) {
        checkFileWrite(cls, file.toPath());
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    public void checkFileWrite(Class<?> cls, Path path) {
        if (isPathOnDefaultFilesystem(path)) {
            Class<?> requestingClass = requestingClass(cls);
            if (this.policyManager.isTriviallyAllowed(requestingClass)) {
                return;
            }
            PolicyManager.ModuleEntitlements entitlements = this.policyManager.getEntitlements(requestingClass);
            if (entitlements.fileAccess().canWrite(path)) {
                return;
            }
            notEntitled(Strings.format("component [%s], module [%s], class [%s], entitlement [file], operation [write], path [%s]", new Object[]{entitlements.componentName(), getModuleName(requestingClass), requestingClass, path}), cls, entitlements);
        }
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    @SuppressForbidden(reason = "Explicitly checking File apis")
    public void checkFileWithZipMode(Class<?> cls, File file, int i) {
        if (!$assertionsDisabled && i != 1 && i != 5) {
            throw new AssertionError();
        }
        if ((i & 4) == 4) {
            checkFileWrite(cls, file);
        } else {
            checkFileRead(cls, file);
        }
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    public void checkCreateTempFile(Class<?> cls) {
        checkFileWrite(cls, this.pathLookup.getBaseDirPaths(PathLookup.BaseDir.TEMP).findFirst().get());
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    public void checkFileDescriptorRead(Class<?> cls) {
        neverEntitled(cls, () -> {
            return "read file descriptor";
        });
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    public void checkFileDescriptorWrite(Class<?> cls) {
        neverEntitled(cls, () -> {
            return "write file descriptor";
        });
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    public void checkGetFileAttributeView(Class<?> cls) {
        neverEntitled(cls, () -> {
            return "get file attribute view";
        });
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    public void checkLoadingNativeLibraries(Class<?> cls) {
        checkEntitlementPresent(cls, LoadNativeLibrariesEntitlement.class);
    }

    private String operationDescription(String str) {
        return str.substring(str.indexOf(36));
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    public void checkInboundNetworkAccess(Class<?> cls) {
        checkEntitlementPresent(cls, InboundNetworkEntitlement.class);
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    public void checkOutboundNetworkAccess(Class<?> cls) {
        checkEntitlementPresent(cls, OutboundNetworkEntitlement.class);
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    public void checkAllNetworkAccess(Class<?> cls) {
        Class<?> requestingClass = requestingClass(cls);
        if (this.policyManager.isTriviallyAllowed(requestingClass)) {
            return;
        }
        PolicyManager.ModuleEntitlements entitlements = this.policyManager.getEntitlements(requestingClass);
        checkFlagEntitlement(entitlements, InboundNetworkEntitlement.class, requestingClass, cls);
        checkFlagEntitlement(entitlements, OutboundNetworkEntitlement.class, requestingClass, cls);
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    public void checkUnsupportedURLProtocolConnection(Class<?> cls, String str) {
        neverEntitled(cls, () -> {
            return Strings.format("unsupported URL protocol [%s]", new Object[]{str});
        });
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    public void checkWriteProperty(Class<?> cls, String str) {
        Class<?> requestingClass = requestingClass(cls);
        if (this.policyManager.isTriviallyAllowed(requestingClass)) {
            return;
        }
        PolicyManager.ModuleEntitlements entitlements = this.policyManager.getEntitlements(requestingClass);
        if (entitlements.getEntitlements(WriteSystemPropertiesEntitlement.class).anyMatch(writeSystemPropertiesEntitlement -> {
            return writeSystemPropertiesEntitlement.properties().contains(str);
        })) {
            entitlements.logger().debug(() -> {
                return Strings.format("Entitled: component [%s], module [%s], class [%s], entitlement [write_system_properties], property [%s]", new Object[]{entitlements.componentName(), getModuleName(requestingClass), requestingClass, str});
            });
        } else {
            notEntitled(Strings.format("component [%s], module [%s], class [%s], entitlement [write_system_properties], property [%s]", new Object[]{entitlements.componentName(), getModuleName(requestingClass), requestingClass, str}), cls, entitlements);
        }
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    public void checkManageThreadsEntitlement(Class<?> cls) {
        checkEntitlementPresent(cls, ManageThreadsEntitlement.class);
    }

    Class<?> requestingClass(Class<?> cls) {
        return cls != null ? cls : (Class) ((Optional) StackWalker.getInstance(StackWalker.Option.RETAIN_CLASS_REFERENCE).walk(stream -> {
            return findRequestingFrame(stream).map((v0) -> {
                return v0.getDeclaringClass();
            });
        })).orElse(null);
    }

    Optional<StackWalker.StackFrame> findRequestingFrame(Stream<StackWalker.StackFrame> stream) {
        return stream.filter(stackFrame -> {
            return stackFrame.getDeclaringClass().getModule() != this.entitlementsModule;
        }).skip(1L).findFirst();
    }

    private void checkFlagEntitlement(PolicyManager.ModuleEntitlements moduleEntitlements, Class<? extends Entitlement> cls, Class<?> cls2, Class<?> cls3) {
        if (!moduleEntitlements.hasEntitlement(cls)) {
            notEntitled(Strings.format("component [%s], module [%s], class [%s], entitlement [%s]", new Object[]{moduleEntitlements.componentName(), getModuleName(cls2), cls2, PolicyParser.buildEntitlementNameFromClass(cls)}), cls3, moduleEntitlements);
        }
        moduleEntitlements.logger().debug(() -> {
            return Strings.format("Entitled: component [%s], module [%s], class [%s], entitlement [%s]", new Object[]{moduleEntitlements.componentName(), getModuleName(cls2), cls2, PolicyParser.buildEntitlementNameFromClass(cls)});
        });
    }

    private void notEntitled(String str, Class<?> cls, PolicyManager.ModuleEntitlements moduleEntitlements) {
        NotEntitledException notEntitledException = new NotEntitledException(str);
        if (!this.suppressFailureLogPackages.contains(cls.getPackage())) {
            moduleEntitlements.logger().warn("Not entitled: {}", new Object[]{str, notEntitledException});
        }
        throw notEntitledException;
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    public void checkEntitlementPresent(Class<?> cls, Class<? extends Entitlement> cls2) {
        Class<?> requestingClass = requestingClass(cls);
        if (this.policyManager.isTriviallyAllowed(requestingClass)) {
            return;
        }
        checkFlagEntitlement(this.policyManager.getEntitlements(requestingClass), cls2, requestingClass, cls);
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    public void checkEntitlementForUrl(Class<?> cls, URL url) {
        if (handleNetworkOrFileUrlCheck(cls, url)) {
            return;
        }
        if (!isJarUrl(url)) {
            checkUnsupportedURLProtocolConnection(cls, url.getProtocol());
            return;
        }
        URL extractJarFileUrl = extractJarFileUrl(url);
        if (extractJarFileUrl == null || !handleNetworkOrFileUrlCheck(cls, extractJarFileUrl)) {
            checkUnsupportedURLProtocolConnection(cls, "jar with unsupported inner protocol");
        }
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    public void checkEntitlementForURLConnection(Class<?> cls, URLConnection uRLConnection) {
        if (isNetworkUrlConnection(uRLConnection)) {
            checkOutboundNetworkAccess(cls);
            return;
        }
        if (isFileUrlConnection(uRLConnection)) {
            checkURLFileRead(cls, uRLConnection.getURL());
        } else if (uRLConnection instanceof JarURLConnection) {
            checkJarURLAccess(cls, (JarURLConnection) uRLConnection);
        } else {
            checkUnsupportedURLProtocolConnection(cls, uRLConnection.getURL().getProtocol());
        }
    }

    private URL extractJarFileUrl(URL url) {
        String file = url.getFile();
        int indexOf = file.indexOf("!/");
        if (indexOf == -1) {
            return null;
        }
        try {
            return new URL(file.substring(0, indexOf));
        } catch (MalformedURLException e) {
            return null;
        }
    }

    private boolean handleNetworkOrFileUrlCheck(Class<?> cls, URL url) {
        if (isNetworkUrl(url)) {
            checkOutboundNetworkAccess(cls);
            return true;
        }
        if (!isFileUrl(url)) {
            return false;
        }
        checkURLFileRead(cls, url);
        return true;
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    public void checkJarURLAccess(Class<?> cls, JarURLConnection jarURLConnection) {
        URL jarFileURL = jarURLConnection.getJarFileURL();
        if (handleNetworkOrFileUrlCheck(cls, jarFileURL)) {
            return;
        }
        checkUnsupportedURLProtocolConnection(cls, jarFileURL.getProtocol());
    }

    private static boolean isNetworkUrl(URL url) {
        return NETWORK_PROTOCOLS.contains(url.getProtocol());
    }

    private static boolean isFileUrl(URL url) {
        return "file".equals(url.getProtocol());
    }

    private static boolean isJarUrl(URL url) {
        return "jar".equals(url.getProtocol());
    }

    private static boolean isNetworkUrlConnection(URLConnection uRLConnection) {
        Class<?> cls = uRLConnection.getClass();
        return HttpURLConnection.class.isAssignableFrom(cls) || ADDITIONAL_NETWORK_URL_CONNECT_CLASS_NAMES.contains(cls.getName());
    }

    private static boolean isFileUrlConnection(URLConnection uRLConnection) {
        return "sun.net.www.protocol.file.FileURLConnection".equals(uRLConnection.getClass().getName());
    }

    @Override // org.elasticsearch.entitlement.runtime.policy.PolicyChecker
    public void checkURLFileRead(Class<?> cls, URL url) {
        try {
            checkFileRead(cls, Paths.get(url.toURI()));
        } catch (URISyntaxException e) {
            throw new RuntimeException(e);
        }
    }

    static {
        $assertionsDisabled = !PolicyCheckerImpl.class.desiredAssertionStatus();
        DEFAULT_FILESYSTEM_CLASS = PathUtils.getDefaultFileSystem().getClass();
        NETWORK_PROTOCOLS = Set.of("http", "https", "ftp", "mailto");
        ADDITIONAL_NETWORK_URL_CONNECT_CLASS_NAMES = List.of("sun.net.www.protocol.ftp.FtpURLConnection", "sun.net.www.protocol.mailto.MailToURLConnection");
    }
}
