package org.elasticsearch.entitlement.initialization;

import java.lang.instrument.Instrumentation;
import java.lang.reflect.InvocationTargetException;
import java.net.URI;
import java.nio.channels.spi.SelectorProvider;
import java.nio.file.AccessMode;
import java.nio.file.CopyOption;
import java.nio.file.DirectoryStream;
import java.nio.file.FileStore;
import java.nio.file.FileSystems;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.WatchEvent;
import java.nio.file.WatchService;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.spi.FileSystemProvider;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ExecutorService;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import java.util.stream.StreamSupport;
import org.elasticsearch.core.Booleans;
import org.elasticsearch.core.PathUtils;
import org.elasticsearch.core.internal.provider.ProviderLocator;
import org.elasticsearch.entitlement.bootstrap.EntitlementBootstrap;
import org.elasticsearch.entitlement.bridge.EntitlementChecker;
import org.elasticsearch.entitlement.instrumentation.InstrumentationService;
import org.elasticsearch.entitlement.instrumentation.Transformer;
import org.elasticsearch.entitlement.runtime.api.ElasticsearchEntitlementChecker;
import org.elasticsearch.entitlement.runtime.policy.PathLookup;
import org.elasticsearch.entitlement.runtime.policy.Platform;
import org.elasticsearch.entitlement.runtime.policy.Policy;
import org.elasticsearch.entitlement.runtime.policy.PolicyManager;
import org.elasticsearch.entitlement.runtime.policy.PolicyUtils;
import org.elasticsearch.entitlement.runtime.policy.Scope;
import org.elasticsearch.entitlement.runtime.policy.entitlements.CreateClassLoaderEntitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.ExitVMEntitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.InboundNetworkEntitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.LoadNativeLibrariesEntitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.ManageThreadsEntitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.OutboundNetworkEntitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.ReadStoreAttributesEntitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.SetHttpsConnectionPropertiesEntitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.WriteSystemPropertiesEntitlement;

/* loaded from: input_file:org/elasticsearch/entitlement/initialization/EntitlementInitialization.class */
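/**
 * Wires up entitlement enforcement for the running JVM.
 *
 * <p>{@link #initialize(Instrumentation)} builds the {@link PolicyManager} that holds the built-in
 * "server" policy, instantiates the checker class matching the running JDK feature version, and
 * registers a class-file {@link Transformer} for the methods that have a matching check method.
 *
 * <p>Review note: the scope list in {@link #createPolicyManager()} is the allow-list of what each
 * named module may do (class loaders, threads, network, native libraries, file paths). Treat any
 * addition to it as a privilege grant and review it accordingly.
 */
public class EntitlementInitialization {
    private static final String AGENTS_PACKAGE_NAME = "co.elastic.apm.agent";
    // Assigned once by initialize(); stays null until then.
    private static ElasticsearchEntitlementChecker manager;
    private static final Module ENTITLEMENTS_MODULE = PolicyManager.class.getModule();
    // The cast is kept from the decompiled form; ProviderLocator's declaration is not visible in this file.
    private static final InstrumentationService INSTRUMENTATION_SERVICE = (InstrumentationService) new ProviderLocator(
        "entitlement",
        InstrumentationService.class,
        "org.elasticsearch.entitlement.instrumentation",
        Set.of()
    ).get();

    /**
     * Builds the {@link InstrumentationService.InstrumentationInfo} for one method of a JDK
     * service-provider type, given the method name and its parameter types.
     *
     * <p>The decompiler reports that this interface was package-private in the compiled class.
     */
    @FunctionalInterface
    public interface InstrumentationInfoFactory {
        /**
         * @param str    name of the target method
         * @param clsArr parameter types of the target method
         * @return the pairing of the target method with its check method
         * @throws ClassNotFoundException if a class involved in the lookup cannot be found
         * @throws NoSuchMethodException  if the target or check method does not exist
         */
        InstrumentationService.InstrumentationInfo of(String str, Class<?>... clsArr) throws ClassNotFoundException, NoSuchMethodException;
    }

    /**
     * Returns the checker created by {@link #initialize(Instrumentation)}.
     *
     * @return the active checker, or {@code null} if {@code initialize} has not run yet
     */
    public static EntitlementChecker checker() {
        return manager;
    }

    /**
     * Creates the checker and instruments the JDK methods it guards.
     *
     * <p>Steps: create the checker, collect the target-method to check-method pairs (those found on
     * the version-specific checker interface plus the file-system, file-store, path and
     * {@code SelectorProvider.inheritedChannel} implementation methods), register the transformer
     * as retransform-capable, then retransform every already-loaded class it targets.
     *
     * <p>The system property {@code es.entitlements.verify_bytecode} (default {@code false}) is
     * passed to the {@link Transformer}; when set, a fixed list of classes is force-initialized
     * before instrumentation.
     *
     * @param instrumentation the JVM instrumentation handle used to register the transformer
     * @throws Exception if method lookup or retransformation fails
     */
    public static void initialize(Instrumentation instrumentation) throws Exception {
        manager = initChecker();
        Class<?> checkerInterface = getVersionSpecificCheckerClass(EntitlementChecker.class, Runtime.version().feature());
        boolean verifyBytecode = Booleans.parseBoolean(System.getProperty("es.entitlements.verify_bytecode", "false"));
        if (verifyBytecode) {
            ensureClassesSensitiveToVerificationAreInitialized();
        }

        // Copy into a mutable map so the implementation-class checks below can be added to it.
        var checkMethods = new HashMap<>(INSTRUMENTATION_SERVICE.lookupMethods(checkerInterface));
        Stream.of(
            fileSystemProviderChecks(),
            fileStoreChecks(),
            pathChecks(),
            Stream.of(
                INSTRUMENTATION_SERVICE.lookupImplementationMethod(
                    SelectorProvider.class,
                    "inheritedChannel",
                    SelectorProvider.provider().getClass(),
                    EntitlementChecker.class,
                    "checkSelectorProviderInheritedChannel"
                )
            )
        ).flatMap(Function.identity()).forEach(info -> checkMethods.put(info.targetMethod(), info.checkMethod()));

        Set<String> classesToTransform = checkMethods.keySet().stream().map(key -> key.className()).collect(Collectors.toSet());
        Transformer transformer = new Transformer(
            INSTRUMENTATION_SERVICE.newInstrumenter(checkerInterface, checkMethods),
            classesToTransform,
            verifyBytecode
        );
        // 'true' registers the transformer as retransform-capable, which retransformClasses requires.
        instrumentation.addTransformer(transformer, true);

        Class<?>[] classesToRetransform = findClassesToRetransform(instrumentation.getAllLoadedClasses(), classesToTransform);
        try {
            instrumentation.retransformClasses(classesToRetransform);
        } catch (VerifyError e) {
            // Retry class by class with the transformer's verification switched on, presumably so the
            // offending class shows up in the diagnostics. The original error is always rethrown, so
            // a verification failure is never swallowed.
            transformer.enableClassVerification();
            for (Class<?> candidate : classesToRetransform) {
                instrumentation.retransformClasses(candidate);
            }
            throw e;
        }
    }

    /**
     * Selects the loaded classes whose names appear in the set of classes to transform.
     *
     * @param loadedClasses      classes currently loaded in the JVM
     * @param classesToTransform slash-separated class names targeted by the transformer
     * @return the loaded classes that need retransformation, possibly empty
     */
    private static Class<?>[] findClassesToRetransform(Class<?>[] loadedClasses, Set<String> classesToTransform) {
        List<Class<?>> matches = new ArrayList<>();
        for (Class<?> loaded : loadedClasses) {
            // The set is keyed by slash-separated names, so convert the dotted binary name first.
            if (classesToTransform.contains(loaded.getName().replace(".", "/"))) {
                matches.add(loaded);
            }
        }
        return matches.toArray(new Class<?>[0]);
    }

    /**
     * Builds the {@link PolicyManager} from the bootstrap arguments and the built-in server policy.
     *
     * <p>NOTE(review): when {@code serverPolicyPatch()} is non-null its scopes are merged into the
     * built-in ones through {@code PolicyUtils.mergeScopes}. Whether a patch can only add
     * entitlements or also replace them depends on that method; confirm there, and treat the
     * source of the patch as security-sensitive configuration.
     *
     * @return the policy manager handed to the checker
     */
    private static PolicyManager createPolicyManager() {
        EntitlementBootstrap.BootstrapArgs bootstrapArgs = EntitlementBootstrap.bootstrapArgs();
        Map<String, Policy> pluginPolicies = bootstrapArgs.pluginPolicies();
        PathLookup pathLookup = new PathLookup(
            getUserHome(),
            bootstrapArgs.configDir(),
            bootstrapArgs.dataDirs(),
            bootstrapArgs.sharedRepoDirs(),
            bootstrapArgs.tempDir(),
            bootstrapArgs.settingResolver()
        );

        List<Scope> serverScopes = new ArrayList<>();
        List<FilesEntitlement.FileData> serverModuleFileDatas = new ArrayList<>();
        Collections.addAll(
            serverModuleFileDatas,
            // Installation directories: read-only, except logs.
            FilesEntitlement.FileData.ofPath(bootstrapArgs.pluginsDir(), FilesEntitlement.Mode.READ),
            FilesEntitlement.FileData.ofPath(bootstrapArgs.modulesDir(), FilesEntitlement.Mode.READ),
            FilesEntitlement.FileData.ofPath(bootstrapArgs.configDir(), FilesEntitlement.Mode.READ),
            FilesEntitlement.FileData.ofPath(bootstrapArgs.logsDir(), FilesEntitlement.Mode.READ_WRITE),
            FilesEntitlement.FileData.ofPath(bootstrapArgs.libDir(), FilesEntitlement.Mode.READ),
            // The empty relative path resolves to the base directory itself.
            FilesEntitlement.FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, FilesEntitlement.Mode.READ_WRITE),
            FilesEntitlement.FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.SHARED_REPO, FilesEntitlement.Mode.READ_WRITE),
            // Marked exclusive; presumably this keeps other modules from being granted the file.
            // TODO confirm against FileData.withExclusive.
            FilesEntitlement.FileData.ofRelativePath(
                Path.of("operator/settings.json"),
                FilesEntitlement.BaseDir.CONFIG,
                FilesEntitlement.Mode.READ_WRITE
            ).withExclusive(true),
            // OS and cgroup information, Linux only, read-only.
            FilesEntitlement.FileData.ofPath(Path.of("/etc/os-release"), FilesEntitlement.Mode.READ).withPlatform(Platform.LINUX),
            FilesEntitlement.FileData.ofPath(Path.of("/etc/system-release"), FilesEntitlement.Mode.READ).withPlatform(Platform.LINUX),
            FilesEntitlement.FileData.ofPath(Path.of("/usr/lib/os-release"), FilesEntitlement.Mode.READ).withPlatform(Platform.LINUX),
            FilesEntitlement.FileData.ofPath(Path.of("/proc/sys/vm/max_map_count"), FilesEntitlement.Mode.READ).withPlatform(Platform.LINUX),
            FilesEntitlement.FileData.ofPath(Path.of("/proc/meminfo"), FilesEntitlement.Mode.READ).withPlatform(Platform.LINUX),
            FilesEntitlement.FileData.ofPath(Path.of("/proc/loadavg"), FilesEntitlement.Mode.READ).withPlatform(Platform.LINUX),
            FilesEntitlement.FileData.ofPath(Path.of("/proc/self/cgroup"), FilesEntitlement.Mode.READ).withPlatform(Platform.LINUX),
            FilesEntitlement.FileData.ofPath(Path.of("/sys/fs/cgroup/"), FilesEntitlement.Mode.READ).withPlatform(Platform.LINUX),
            FilesEntitlement.FileData.ofPath(Path.of("/proc/self/mountinfo"), FilesEntitlement.Mode.READ).withPlatform(Platform.LINUX),
            FilesEntitlement.FileData.ofPath(Path.of("/proc/diskstats"), FilesEntitlement.Mode.READ).withPlatform(Platform.LINUX)
        );
        // Must run before the server scope is built below, because that scope captures this list.
        if (bootstrapArgs.pidFile() != null) {
            serverModuleFileDatas.add(FilesEntitlement.FileData.ofPath(bootstrapArgs.pidFile(), FilesEntitlement.Mode.READ_WRITE));
        }

        Collections.addAll(
            serverScopes,
            new Scope(
                "org.elasticsearch.base",
                List.of(
                    new CreateClassLoaderEntitlement(),
                    new FilesEntitlement(
                        List.of(
                            FilesEntitlement.FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.SHARED_REPO, FilesEntitlement.Mode.READ_WRITE),
                            FilesEntitlement.FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, FilesEntitlement.Mode.READ_WRITE)
                        )
                    )
                )
            ),
            new Scope("org.elasticsearch.xcontent", List.of(new CreateClassLoaderEntitlement())),
            new Scope(
                "org.elasticsearch.server",
                List.of(
                    new ExitVMEntitlement(),
                    new ReadStoreAttributesEntitlement(),
                    new CreateClassLoaderEntitlement(),
                    new InboundNetworkEntitlement(),
                    new OutboundNetworkEntitlement(),
                    new LoadNativeLibrariesEntitlement(),
                    new ManageThreadsEntitlement(),
                    new FilesEntitlement(serverModuleFileDatas)
                )
            ),
            new Scope("java.desktop", List.of(new LoadNativeLibrariesEntitlement())),
            new Scope("org.apache.httpcomponents.httpclient", List.of(new OutboundNetworkEntitlement())),
            new Scope("io.netty.transport", List.of(new InboundNetworkEntitlement(), new OutboundNetworkEntitlement())),
            new Scope(
                "org.apache.lucene.core",
                List.of(
                    new LoadNativeLibrariesEntitlement(),
                    new ManageThreadsEntitlement(),
                    new FilesEntitlement(
                        List.of(
                            FilesEntitlement.FileData.ofPath(bootstrapArgs.configDir(), FilesEntitlement.Mode.READ),
                            FilesEntitlement.FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, FilesEntitlement.Mode.READ_WRITE)
                        )
                    )
                )
            ),
            new Scope(
                "org.apache.lucene.misc",
                List.of(
                    new FilesEntitlement(
                        List.of(FilesEntitlement.FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, FilesEntitlement.Mode.READ_WRITE))
                    )
                )
            ),
            new Scope(
                "org.apache.logging.log4j.core",
                List.of(
                    new ManageThreadsEntitlement(),
                    new FilesEntitlement(List.of(FilesEntitlement.FileData.ofPath(bootstrapArgs.logsDir(), FilesEntitlement.Mode.READ_WRITE)))
                )
            ),
            new Scope(
                "org.elasticsearch.nativeaccess",
                List.of(
                    new LoadNativeLibrariesEntitlement(),
                    new FilesEntitlement(
                        List.of(FilesEntitlement.FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, FilesEntitlement.Mode.READ_WRITE))
                    )
                )
            )
        );

        if (Booleans.parseBoolean(System.getProperty("org.bouncycastle.fips.approved_only"), false)) {
            // In FIPS approved-only mode the TLS module may read the trust store: the one named by
            // javax.net.ssl.trustStore, else <java.home>/lib/security/jssecacerts.
            String trustStore = System.getProperty("javax.net.ssl.trustStore");
            Path trustStorePath = trustStore != null
                ? Path.of(trustStore)
                : Path.of(System.getProperty("java.home")).resolve("lib/security/jssecacerts");
            Collections.addAll(
                serverScopes,
                new Scope(
                    "org.bouncycastle.fips.tls",
                    List.of(
                        new FilesEntitlement(List.of(FilesEntitlement.FileData.ofPath(trustStorePath, FilesEntitlement.Mode.READ))),
                        new ManageThreadsEntitlement(),
                        new OutboundNetworkEntitlement()
                    )
                ),
                new Scope(
                    "org.bouncycastle.fips.core",
                    List.of(
                        new FilesEntitlement(List.of(FilesEntitlement.FileData.ofPath(bootstrapArgs.libDir(), FilesEntitlement.Mode.READ))),
                        new ManageThreadsEntitlement()
                    )
                )
            );
        }

        return new PolicyManager(
            new Policy(
                "server",
                bootstrapArgs.serverPolicyPatch() == null
                    ? serverScopes
                    : PolicyUtils.mergeScopes(serverScopes, bootstrapArgs.serverPolicyPatch().scopes())
            ),
            // Entitlements passed alongside AGENTS_PACKAGE_NAME; presumably granted to classes in that
            // package. TODO confirm in PolicyManager. Unlike the server entries above, the /proc and
            // /sys paths here carry no withPlatform(LINUX) qualifier.
            List.of(
                new CreateClassLoaderEntitlement(),
                new ManageThreadsEntitlement(),
                new SetHttpsConnectionPropertiesEntitlement(),
                new OutboundNetworkEntitlement(),
                new WriteSystemPropertiesEntitlement((Set<String>) Set.of("AsyncProfiler.safemode")),
                new LoadNativeLibrariesEntitlement(),
                new FilesEntitlement(
                    List.of(
                        FilesEntitlement.FileData.ofPath(bootstrapArgs.logsDir(), FilesEntitlement.Mode.READ_WRITE),
                        FilesEntitlement.FileData.ofPath(Path.of("/proc/meminfo"), FilesEntitlement.Mode.READ),
                        FilesEntitlement.FileData.ofPath(Path.of("/sys/fs/cgroup/"), FilesEntitlement.Mode.READ)
                    )
                )
            ),
            pluginPolicies,
            EntitlementBootstrap.bootstrapArgs().pluginResolver(),
            EntitlementBootstrap.bootstrapArgs().sourcePaths(),
            AGENTS_PACKAGE_NAME,
            ENTITLEMENTS_MODULE,
            pathLookup,
            bootstrapArgs.suppressFailureLogClasses()
        );
    }

    /**
     * Resolves the {@code user.home} system property to a path.
     *
     * @return the user's home directory
     * @throws IllegalStateException if {@code user.home} is not set
     */
    private static Path getUserHome() {
        String userHome = System.getProperty("user.home");
        if (userHome == null) {
            throw new IllegalStateException("user.home system property is required");
        }
        return PathUtils.get(userHome);
    }

    /** Derives a check-method name: the prefix followed by the target method name with its first letter upper-cased. */
    private static String checkMethodName(String prefix, String methodName) {
        return prefix + Character.toUpperCase(methodName.charAt(0)) + methodName.substring(1);
    }

    /**
     * Looks up the check methods for the default file system provider's implementation class.
     *
     * <p>The concrete provider class is instrumented, not only the abstract {@link FileSystemProvider}.
     * On JDK 20 and later two further methods, {@code readAttributesIfExists} and {@code exists},
     * are covered through the Java 20 checker class.
     *
     * @return one entry per instrumented provider method
     * @throws ClassNotFoundException if a class involved in the lookup cannot be found
     * @throws NoSuchMethodException  if a target or check method does not exist
     */
    private static Stream<InstrumentationService.InstrumentationInfo> fileSystemProviderChecks() throws ClassNotFoundException,
        NoSuchMethodException {
        Class<?> providerClass = FileSystems.getDefault().provider().getClass();
        InstrumentationInfoFactory provider = (methodName, parameterTypes) -> INSTRUMENTATION_SERVICE.lookupImplementationMethod(
            FileSystemProvider.class,
            methodName,
            providerClass,
            EntitlementChecker.class,
            checkMethodName("check", methodName),
            parameterTypes
        );

        Stream<InstrumentationService.InstrumentationInfo> baseChecks = Stream.of(
            provider.of("newFileSystem", URI.class, Map.class),
            provider.of("newFileSystem", Path.class, Map.class),
            provider.of("newInputStream", Path.class, OpenOption[].class),
            provider.of("newOutputStream", Path.class, OpenOption[].class),
            provider.of("newFileChannel", Path.class, Set.class, FileAttribute[].class),
            provider.of("newAsynchronousFileChannel", Path.class, Set.class, ExecutorService.class, FileAttribute[].class),
            provider.of("newByteChannel", Path.class, Set.class, FileAttribute[].class),
            provider.of("newDirectoryStream", Path.class, DirectoryStream.Filter.class),
            provider.of("createDirectory", Path.class, FileAttribute[].class),
            provider.of("createSymbolicLink", Path.class, Path.class, FileAttribute[].class),
            provider.of("createLink", Path.class, Path.class),
            provider.of("delete", Path.class),
            provider.of("deleteIfExists", Path.class),
            provider.of("readSymbolicLink", Path.class),
            provider.of("copy", Path.class, Path.class, CopyOption[].class),
            provider.of("move", Path.class, Path.class, CopyOption[].class),
            provider.of("isSameFile", Path.class, Path.class),
            provider.of("isHidden", Path.class),
            provider.of("getFileStore", Path.class),
            provider.of("checkAccess", Path.class, AccessMode[].class),
            provider.of("getFileAttributeView", Path.class, Class.class, LinkOption[].class),
            provider.of("readAttributes", Path.class, Class.class, LinkOption[].class),
            provider.of("readAttributes", Path.class, String.class, LinkOption[].class),
            provider.of("setAttribute", Path.class, String.class, Object.class, LinkOption[].class)
        );
        if (Runtime.version().feature() < 20) {
            return baseChecks;
        }

        Class<?> java20Checker = getVersionSpecificCheckerClass(EntitlementChecker.class, 20);
        return Stream.concat(
            baseChecks,
            Stream.of(
                INSTRUMENTATION_SERVICE.lookupImplementationMethod(
                    FileSystemProvider.class,
                    "readAttributesIfExists",
                    providerClass,
                    java20Checker,
                    "checkReadAttributesIfExists",
                    Path.class,
                    Class.class,
                    LinkOption[].class
                ),
                INSTRUMENTATION_SERVICE.lookupImplementationMethod(
                    FileSystemProvider.class,
                    "exists",
                    providerClass,
                    java20Checker,
                    "checkExists",
                    Path.class,
                    LinkOption[].class
                )
            )
        );
    }

    /**
     * Looks up the check methods for every distinct {@link FileStore} implementation class that the
     * default file system reports.
     *
     * @return one entry per instrumented method and file-store class
     * @throws RuntimeException wrapping the lookup failure if a class or method cannot be found
     */
    private static Stream<InstrumentationService.InstrumentationInfo> fileStoreChecks() {
        return StreamSupport.stream(FileSystems.getDefault().getFileStores().spliterator(), false)
            .map(FileStore::getClass)
            .distinct()
            .flatMap(storeClass -> {
                InstrumentationInfoFactory store = (methodName, parameterTypes) -> INSTRUMENTATION_SERVICE.lookupImplementationMethod(
                    FileStore.class,
                    methodName,
                    storeClass,
                    EntitlementChecker.class,
                    checkMethodName("check", methodName),
                    parameterTypes
                );
                try {
                    return Stream.of(
                        store.of("getFileStoreAttributeView", Class.class),
                        store.of("getAttribute", String.class),
                        store.of("getBlockSize"),
                        store.of("getTotalSpace"),
                        store.of("getUnallocatedSpace"),
                        store.of("getUsableSpace"),
                        store.of("isReadOnly"),
                        store.of("name"),
                        store.of("type")
                    );
                } catch (ClassNotFoundException | NoSuchMethodException e) {
                    // Lambdas cannot throw checked exceptions here; the cause is preserved.
                    throw new RuntimeException(e);
                }
            });
    }

    /**
     * Looks up the check methods for every distinct {@link Path} implementation class found among
     * the default file system's root directories.
     *
     * @return one entry per instrumented method and path class
     * @throws RuntimeException wrapping the lookup failure if a class or method cannot be found
     */
    private static Stream<InstrumentationService.InstrumentationInfo> pathChecks() {
        return StreamSupport.stream(FileSystems.getDefault().getRootDirectories().spliterator(), false)
            .map(Path::getClass)
            .distinct()
            .flatMap(pathClass -> {
                InstrumentationInfoFactory path = (methodName, parameterTypes) -> INSTRUMENTATION_SERVICE.lookupImplementationMethod(
                    Path.class,
                    methodName,
                    pathClass,
                    EntitlementChecker.class,
                    checkMethodName("checkPath", methodName),
                    parameterTypes
                );
                try {
                    return Stream.of(
                        path.of("toRealPath", LinkOption[].class),
                        path.of("register", WatchService.class, WatchEvent.Kind[].class),
                        path.of("register", WatchService.class, WatchEvent.Kind[].class, WatchEvent.Modifier[].class)
                    );
                } catch (ClassNotFoundException | NoSuchMethodException e) {
                    // Lambdas cannot throw checked exceptions here; the cause is preserved.
                    throw new RuntimeException(e);
                }
            });
    }

    /**
     * Force-loads and initializes a fixed list of JDK classes before instrumentation starts.
     * Called only when bytecode verification is requested.
     *
     * @throws AssertionError if one of the classes cannot be found
     */
    private static void ensureClassesSensitiveToVerificationAreInitialized() {
        Set<String> classNames = Set.of("sun.net.www.protocol.http.HttpURLConnection", "sun.nio.ch.SocketChannelImpl", "java.net.ProxySelector");
        for (String className : classNames) {
            try {
                Class.forName(className);
            } catch (ClassNotFoundException e) {
                throw new AssertionError(e);
            }
        }
    }

    /**
     * Resolves the variant of a checker class that matches a JDK feature version.
     *
     * <p>Versions below 19 use the base class itself, 19 to 22 use {@code Java<N>} + simple name,
     * and 23 or later all map to the {@code Java23} variant.
     *
     * @param baseClass   the base checker class or interface
     * @param javaVersion the JDK feature version
     * @return the version-specific class from the same package
     * @throws AssertionError if that class cannot be loaded
     */
    private static Class<?> getVersionSpecificCheckerClass(Class<?> baseClass, int javaVersion) {
        String prefix;
        if (javaVersion < 19) {
            prefix = "";
        } else if (javaVersion < 23) {
            prefix = "Java" + javaVersion;
        } else {
            prefix = "Java23";
        }
        String className = baseClass.getPackageName() + "." + prefix + baseClass.getSimpleName();
        try {
            return Class.forName(className);
        } catch (ClassNotFoundException e) {
            throw new AssertionError("entitlement lib cannot find entitlement class " + className, e);
        }
    }

    /**
     * Instantiates the version-specific checker through its {@code (PolicyManager)} constructor.
     *
     * @return the checker wired to a freshly built policy manager
     * @throws AssertionError if the constructor is missing or instantiation fails
     */
    private static ElasticsearchEntitlementChecker initChecker() {
        try {
            return (ElasticsearchEntitlementChecker) getVersionSpecificCheckerClass(
                ElasticsearchEntitlementChecker.class,
                Runtime.version().feature()
            ).getConstructor(PolicyManager.class).newInstance(createPolicyManager());
        } catch (NoSuchMethodException e) {
            // The lookup above asks for a one-argument constructor, so the message names that one.
            throw new AssertionError("entitlement impl is missing a constructor taking PolicyManager", e);
        } catch (IllegalAccessException | InstantiationException | InvocationTargetException e) {
            throw new AssertionError(e);
        }
    }
}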
