package org.elasticsearch.bootstrap;

import java.io.FilePermission;
import java.io.IOException;
import java.lang.reflect.ReflectPermission;
import java.net.NetPermission;
import java.net.SocketPermission;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLPermission;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.security.CodeSource;
import java.security.NoSuchAlgorithmException;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.SecurityPermission;
import java.security.URIParameter;
import java.security.UnresolvedPermission;
import java.security.cert.Certificate;
import java.sql.SQLPermission;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Properties;
import java.util.PropertyPermission;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import javax.management.MBeanPermission;
import javax.management.MBeanServerPermission;
import javax.management.MBeanTrustPermission;
import javax.management.ObjectName;
import javax.security.auth.AuthPermission;
import javax.security.auth.PrivateCredentialPermission;
import javax.security.auth.kerberos.DelegationPermission;
import javax.security.auth.kerberos.ServicePermission;
import org.apache.logging.log4j.core.jackson.StackTraceElementConstants;
import org.elasticsearch.client.security.user.privileges.Role;
import org.elasticsearch.core.PathUtils;
import org.elasticsearch.core.SuppressForbidden;
import org.elasticsearch.core.internal.io.IOUtils;
import org.elasticsearch.plugins.PluginDescriptor;
import org.elasticsearch.script.ClassPermission;

/* loaded from: input_file:BOOT-INF/lib/elasticsearch-7.17.21.jar:org/elasticsearch/bootstrap/PolicyUtil.class */
public class PolicyUtil {
    static final List<String> ALLOW_ALL_NAMES = org.elasticsearch.core.List.of("ALLOW ALL NAMES SENTINEL");
    private static final PermissionMatcher ALLOWED_PLUGIN_PERMISSIONS;
    private static final PermissionMatcher ALLOWED_MODULE_PERMISSIONS;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:BOOT-INF/lib/elasticsearch-7.17.21.jar:org/elasticsearch/bootstrap/PolicyUtil$PermissionMatcher.class */
    public static class PermissionMatcher implements Predicate<Permission> {
        PermissionCollection namedPermissions;
        Map<String, List<String>> classPermissions;

        PermissionMatcher(PermissionCollection permissionCollection, Map<String, List<String>> map) {
            this.namedPermissions = permissionCollection;
            this.classPermissions = map;
        }

        @Override // java.util.function.Predicate
        public boolean test(Permission permission) {
            if (this.namedPermissions.implies(permission)) {
                return true;
            }
            String canonicalName = permission.getClass().getCanonicalName();
            String name = permission.getName();
            if (permission.getClass().equals(UnresolvedPermission.class)) {
                UnresolvedPermission unresolvedPermission = (UnresolvedPermission) permission;
                canonicalName = unresolvedPermission.getUnresolvedType();
                name = unresolvedPermission.getUnresolvedName();
            }
            List<String> list = this.classPermissions.get(canonicalName);
            return list != null && (list == PolicyUtil.ALLOW_ALL_NAMES || list.contains(name));
        }
    }

    @SuppressForbidden(reason = "create permission for test")
    private static FilePermission createFilePermission(String str, String str2) {
        return new FilePermission(str, str2);
    }

    @SuppressForbidden(reason = "find URL path")
    public static Map<String, URL> getCodebaseJarMap(Set<URL> set) {
        LinkedHashMap linkedHashMap = new LinkedHashMap();
        for (URL url : set) {
            try {
                String path = PathUtils.get(url.toURI()).getFileName().toString();
                if (path.endsWith(".jar")) {
                    linkedHashMap.put(path, url);
                }
            } catch (URISyntaxException e) {
                throw new RuntimeException(e);
            }
        }
        return linkedHashMap;
    }

    @SuppressForbidden(reason = "accesses fully qualified URLs to configure security")
    public static Policy readPolicy(URL url, Map<String, URL> map) {
        Object put;
        try {
            Properties properties = System.getProperties();
            final HashSet hashSet = new HashSet();
            final HashMap hashMap = new HashMap();
            try {
                System.setProperties(new Properties(properties) { // from class: org.elasticsearch.bootstrap.PolicyUtil.1
                    @Override // java.util.Properties
                    public String getProperty(String str) {
                        if (!str.startsWith("codebase.")) {
                            return super.getProperty(str);
                        }
                        String str2 = (String) hashMap.get(str);
                        if (str2 == null) {
                            hashSet.add(str);
                        }
                        return str2;
                    }
                });
                for (Map.Entry<String, URL> entry : map.entrySet()) {
                    String key = entry.getKey();
                    URL value = entry.getValue();
                    String str = "codebase." + key;
                    String str2 = "codebase." + key.replaceFirst("-\\d+\\.\\d+.*\\.jar", "");
                    if (!str2.equals(str) && (put = hashMap.put(str2, value.toString())) != null) {
                        throw new IllegalStateException("codebase property already set: " + str2 + " -> " + put + ", cannot set to " + value.toString());
                    }
                    Object put2 = hashMap.put(str, value.toString());
                    if (put2 != null) {
                        throw new IllegalStateException("codebase property already set: " + str + " -> " + put2 + ", cannot set to " + value.toString());
                    }
                }
                Policy policy = Policy.getInstance("JavaPolicy", new URIParameter(url.toURI()));
                if (hashSet.isEmpty()) {
                    return policy;
                }
                throw new IllegalArgumentException("Unknown codebases " + hashSet + " in policy file [" + url + "]\nAvailable codebases: " + hashMap.keySet());
            } finally {
                System.setProperties(properties);
            }
        } catch (URISyntaxException | NoSuchAlgorithmException e) {
            throw new IllegalArgumentException("unable to parse policy file `" + url + "`", e);
        }
    }

    static PluginPolicyInfo readPolicyInfo(Path path) throws IOException {
        Path resolve = path.resolve(PluginDescriptor.ES_PLUGIN_POLICY);
        if (!Files.exists(resolve, new LinkOption[0])) {
            return null;
        }
        LinkedHashSet linkedHashSet = new LinkedHashSet();
        DirectoryStream<Path> newDirectoryStream = Files.newDirectoryStream(path, "*.jar");
        try {
            Iterator<Path> it = newDirectoryStream.iterator();
            while (it.hasNext()) {
                URL url = it.next().toRealPath(new LinkOption[0]).toUri().toURL();
                if (!linkedHashSet.add(url)) {
                    throw new IllegalStateException("duplicate module/plugin: " + url);
                }
            }
            if (newDirectoryStream != null) {
                newDirectoryStream.close();
            }
            Path resolve2 = path.resolve("spi");
            if (Files.exists(resolve2, new LinkOption[0])) {
                newDirectoryStream = Files.newDirectoryStream(resolve2, "*.jar");
                try {
                    Iterator<Path> it2 = newDirectoryStream.iterator();
                    while (it2.hasNext()) {
                        URL url2 = it2.next().toRealPath(new LinkOption[0]).toUri().toURL();
                        if (!linkedHashSet.add(url2)) {
                            throw new IllegalStateException("duplicate module/plugin: " + url2);
                        }
                    }
                    if (newDirectoryStream != null) {
                        newDirectoryStream.close();
                    }
                } finally {
                }
            }
            return new PluginPolicyInfo(resolve, linkedHashSet, readPolicy(resolve.toUri().toURL(), getCodebaseJarMap(linkedHashSet)));
        } finally {
        }
    }

    private static void validatePolicyPermissionsForJar(String str, Path path, URL url, Policy policy, PermissionMatcher permissionMatcher, Path path2) throws IOException {
        for (Permission permission : getPolicyPermissions(url, policy, path2)) {
            if (!permissionMatcher.test(permission)) {
                throw new IllegalArgumentException(str + " policy [" + path + "] contains illegal permission " + permission + (url == null ? " in global grant" : " for jar " + url));
            }
        }
    }

    private static void validatePolicyPermissions(String str, PluginPolicyInfo pluginPolicyInfo, PermissionMatcher permissionMatcher, Path path) throws IOException {
        if (pluginPolicyInfo == null) {
            return;
        }
        validatePolicyPermissionsForJar(str, pluginPolicyInfo.file, null, pluginPolicyInfo.policy, permissionMatcher, path);
        Iterator<URL> it = pluginPolicyInfo.jars.iterator();
        while (it.hasNext()) {
            validatePolicyPermissionsForJar(str, pluginPolicyInfo.file, it.next(), pluginPolicyInfo.policy, permissionMatcher, path);
        }
    }

    public static PluginPolicyInfo getPluginPolicyInfo(Path path, Path path2) throws IOException {
        PluginPolicyInfo readPolicyInfo = readPolicyInfo(path);
        validatePolicyPermissions("plugin", readPolicyInfo, ALLOWED_PLUGIN_PERMISSIONS, path2);
        return readPolicyInfo;
    }

    public static PluginPolicyInfo getModulePolicyInfo(Path path, Path path2) throws IOException {
        PluginPolicyInfo readPolicyInfo = readPolicyInfo(path);
        validatePolicyPermissions(StackTraceElementConstants.ATTR_MODULE, readPolicyInfo, ALLOWED_MODULE_PERMISSIONS, path2);
        return readPolicyInfo;
    }

    public static Set<Permission> getPolicyPermissions(URL url, Policy policy, Path path) throws IOException {
        Path createTempFile = Files.createTempFile(path, "empty", "tmp", new FileAttribute[0]);
        try {
            Policy policy2 = Policy.getInstance("JavaPolicy", new URIParameter(createTempFile.toUri()));
            IOUtils.rm(createTempFile);
            ProtectionDomain protectionDomain = url == null ? PolicyUtil.class.getProtectionDomain() : new ProtectionDomain(new CodeSource(url, (Certificate[]) null), null);
            PermissionCollection permissions = policy.getPermissions(protectionDomain);
            if (permissions == Policy.UNSUPPORTED_EMPTY_COLLECTION) {
                throw new UnsupportedOperationException("JavaPolicy implementation does not support retrieving permissions");
            }
            HashSet hashSet = new HashSet();
            Iterator it = Collections.list(permissions.elements()).iterator();
            while (it.hasNext()) {
                Permission permission = (Permission) it.next();
                if (!policy2.implies(protectionDomain, permission)) {
                    hashSet.add(permission);
                }
            }
            return hashSet;
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }

    static {
        List of = org.elasticsearch.core.List.of((Object[]) new Permission[]{createFilePermission("<<ALL FILES>>", Role.IndexPrivilegeName.READ), new ReflectPermission("suppressAccessChecks"), new RuntimePermission("createClassLoader"), new RuntimePermission("getClassLoader"), new RuntimePermission("setContextClassLoader"), new RuntimePermission("setFactory"), new RuntimePermission("loadLibrary.*"), new RuntimePermission("accessClassInPackage.*"), new RuntimePermission("accessDeclaredMembers"), new NetPermission("requestPasswordAuthentication"), new NetPermission("getProxySelector"), new NetPermission("getCookieHandler"), new NetPermission("getResponseCache"), new SocketPermission("*", "accept,connect,listen,resolve"), new SecurityPermission("createAccessControlContext"), new SecurityPermission("insertProvider"), new SecurityPermission("putProviderProperty.*"), new SecurityPermission("org.apache.*"), new PropertyPermission("*", "read,write"), new AuthPermission("doAs"), new AuthPermission("doAsPrivileged"), new AuthPermission("getSubject"), new AuthPermission("getSubjectFromDomainCombiner"), new AuthPermission("setReadOnly"), new AuthPermission("modifyPrincipals"), new AuthPermission("modifyPublicCredentials"), new AuthPermission("modifyPrivateCredentials"), new AuthPermission("refreshCredential"), new AuthPermission("destroyCredential"), new AuthPermission("createLoginContext.*"), new AuthPermission("getLoginConfiguration"), new AuthPermission("setLoginConfiguration"), new AuthPermission("createLoginConfiguration.*"), new AuthPermission("refreshLoginConfiguration"), new MBeanPermission("*", "*", ObjectName.WILDCARD, "addNotificationListener,getAttribute,getDomains,getMBeanInfo,getObjectInstance,instantiate,invoke,isInstanceOf,queryMBeans,queryNames,registerMBean,removeNotificationListener,setAttribute,unregisterMBean"), new MBeanServerPermission("*"), new MBeanTrustPermission("register")});
        Map map = (Map) org.elasticsearch.core.Map.of(URLPermission.class, ALLOW_ALL_NAMES, DelegationPermission.class, ALLOW_ALL_NAMES, ServicePermission.class, ALLOW_ALL_NAMES, PrivateCredentialPermission.class, ALLOW_ALL_NAMES, SQLPermission.class, org.elasticsearch.core.List.of("callAbort", "setNetworkTimeout"), ClassPermission.class, ALLOW_ALL_NAMES).entrySet().stream().collect(Collectors.toMap(entry -> {
            return ((Class) entry.getKey()).getCanonicalName();
        }, (v0) -> {
            return v0.getValue();
        }));
        Permissions permissions = new Permissions();
        Objects.requireNonNull(permissions);
        of.forEach(permissions::add);
        permissions.setReadOnly();
        ALLOWED_PLUGIN_PERMISSIONS = new PermissionMatcher(permissions, map);
        List of2 = org.elasticsearch.core.List.of((Object[]) new Permission[]{createFilePermission("<<ALL FILES>>", "read,write"), new RuntimePermission("getFileStoreAttributes"), new RuntimePermission("accessUserInformation"), new AuthPermission("modifyPrivateCredentials")});
        Permissions permissions2 = new Permissions();
        Objects.requireNonNull(permissions2);
        of.forEach(permissions2::add);
        Objects.requireNonNull(permissions2);
        of2.forEach(permissions2::add);
        permissions2.setReadOnly();
        ALLOWED_MODULE_PERMISSIONS = new PermissionMatcher(permissions2, map);
    }
}
