package org.opensearch.secure_sm.policy;

import java.io.File;
import java.io.FileInputStream;
import java.io.FilePermission;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.net.MalformedURLException;
import java.net.NetPermission;
import java.net.SocketPermission;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.SecurityPermission;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.PropertyPermission;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;

/* loaded from: input_file:org/opensearch/secure_sm/policy/PolicyFile.class */
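/**
 * {@link Policy} implementation backed by one policy file, parsed when the instance is built.
 *
 * <p>Each {@code grant} entry becomes a {@link PolicyEntry} pairing a canonicalised
 * {@link CodeSource} with the permissions it is given. Only a fixed set of JDK permission types
 * is ever instantiated (see {@link #getKnownPermission}); a grant naming any other loadable
 * permission class is dropped without error, so it can never widen what is granted.
 *
 * <p>Permission collections are computed once per {@link ProtectionDomain} and cached for the
 * lifetime of this object.
 */
public class PolicyFile extends Policy {
    /**
     * Permission class names that are allowed to be unresolvable. When loading one of these fails
     * with {@link ClassNotFoundException} the grant is skipped; for any other class name the same
     * failure aborts policy initialisation.
     */
    public static final Set<String> PERM_CLASSES_TO_SKIP = Set.of(
        "org.opensearch.secure_sm.ThreadContextPermission",
        "org.opensearch.secure_sm.ThreadPermission",
        "org.opensearch.SpecialPermission",
        "org.bouncycastle.crypto.CryptoServicesPermission",
        "org.opensearch.script.ClassPermission",
        "javax.security.auth.AuthPermission",
        "javax.security.auth.kerberos.ServicePermission",
        "com.sun.tools.attach.AttachPermission"
    );

    private final PolicyInfo policyInfo;
    private final URL url;

    /**
     * One parsed {@code grant} block: the code source it applies to and the permissions granted.
     *
     * <p>Private in the compiled class; the decompiled listing showed it widened to public and
     * spelled out the compiler-generated record members, which the record declaration provides.
     */
    private record PolicyEntry(CodeSource codeSource, List<Permission> permissions) {
        private PolicyEntry {
            // Snapshot the list so a grant cannot be altered after the policy has been built.
            permissions = List.copyOf(permissions);
        }

        @Override
        public String toString() {
            StringBuilder out = new StringBuilder();
            out.append("{").append(this.codeSource).append("\n");
            for (Permission granted : this.permissions) {
                out.append("  ").append(granted).append("\n");
            }
            out.append("}\n");
            return out.toString();
        }
    }

    /**
     * Immutable list of policy entries plus a per-domain cache of resolved permissions.
     *
     * <p>Private in the compiled class; the decompiled listing showed it widened to public.
     */
    private static class PolicyInfo {
        private final List<PolicyEntry> policyEntries;

        // Keys are held strongly and nothing in this class removes them, so every queried
        // ProtectionDomain stays reachable for as long as the policy does.
        // NOTE(review): a cached collection is never recomputed; confirm that is acceptable for
        // domains whose static permissions can change after the first check.
        private final Map<ProtectionDomain, PermissionCollection> pdMapping = new ConcurrentHashMap<>();

        PolicyInfo(List<PolicyEntry> list) {
            this.policyEntries = List.copyOf(list);
        }

        /**
         * Returns the cached permissions for {@code protectionDomain}, computing and storing them
         * with {@code function} on first use.
         */
        public PermissionCollection getOrCompute(
            ProtectionDomain protectionDomain,
            Function<ProtectionDomain, PermissionCollection> function
        ) {
            return this.pdMapping.computeIfAbsent(protectionDomain, function);
        }
    }

    /**
     * Loads and parses the policy at {@code url}.
     *
     * @param url location of the policy file; its content decides what every code source is
     *            granted, so it must come from a trusted, write-protected place
     * @throws RuntimeException if the policy cannot be read or parsed
     */
    public PolicyFile(URL url) {
        this.url = url;
        try {
            this.policyInfo = init(url);
        } catch (PolicyInitializationException e) {
            throw new RuntimeException("Failed to initialize policy file", e);
        }
    }

    /**
     * Reads the policy at {@code url} and converts every grant entry into a {@link PolicyEntry}.
     *
     * @throws PolicyInitializationException wrapping any failure while reading or parsing
     */
    private PolicyInfo init(URL url) throws PolicyInitializationException {
        List<PolicyEntry> entries = new ArrayList<>();
        // try-with-resources closes the reader on the failure path as well as on success.
        try (InputStreamReader reader = new InputStreamReader(getInputStream(url), StandardCharsets.UTF_8)) {
            for (GrantEntry grant : PolicyParser.read(reader)) {
                addGrantEntry(grant, entries);
            }
            return new PolicyInfo(entries);
        } catch (Exception e) {
            throw new PolicyInitializationException("Failed to load policy from: " + url, e);
        }
    }

    /**
     * Opens the policy at {@code url}. {@code file:} URLs are opened directly from the local
     * filesystem; every other protocol goes through {@link URL#openStream()}.
     *
     * @param url policy location
     * @return an open stream the caller must close
     * @throws IOException if the resource cannot be opened
     */
    public static InputStream getInputStream(URL url) throws IOException {
        if (!"file".equals(url.getProtocol())) {
            // Non-file protocols are fetched as-is; nothing here authenticates the source.
            return url.openStream();
        }
        String path = url.getFile().replace('/', File.separatorChar);
        // NOTE(review): URLDecoder applies form decoding, so a literal '+' in the path becomes a
        // space. Confirm policy paths never contain '+'.
        return new FileInputStream(URLDecoder.decode(path, StandardCharsets.UTF_8));
    }

    /**
     * Builds the canonicalised {@link CodeSource} for a grant. A grant without a codebase yields
     * a code source with a {@code null} location. Certificates are never attached, so signer
     * identity plays no part in matching.
     */
    private CodeSource getCodeSource(GrantEntry grantEntry) throws PolicyInitializationException {
        try {
            URL location = grantEntry.codeBase() != null ? newURL(grantEntry.codeBase()) : null;
            return canonicalizeCodebase(new CodeSource(location, (Certificate[]) null));
        } catch (Exception e) {
            throw new PolicyInitializationException("Failed to get CodeSource", e);
        }
    }

    /**
     * Resolves the permissions of one grant entry and appends the resulting {@link PolicyEntry}
     * to {@code list}.
     *
     * @throws PolicyInitializationException if the code source cannot be built, or a permission
     *         class outside {@link #PERM_CLASSES_TO_SKIP} cannot be loaded
     */
    private void addGrantEntry(GrantEntry grantEntry, List<PolicyEntry> list) throws PolicyInitializationException {
        CodeSource codeSource = getCodeSource(grantEntry);
        if (codeSource == null) {
            throw new PolicyInitializationException("Null CodeSource for: " + grantEntry.codeBase());
        }
        List<Permission> granted = new ArrayList<>();
        for (PermissionEntry permissionEntry : grantEntry.permissionEntries()) {
            PermissionEntry expanded = expandPermissionName(permissionEntry);
            try {
                // An empty Optional means the class loaded but is not a supported type; the grant
                // is ignored, which can only narrow the effective policy.
                getInstance(expanded.permission(), expanded.name(), expanded.action()).ifPresent(granted::add);
            } catch (ClassNotFoundException e) {
                if (!PERM_CLASSES_TO_SKIP.contains(permissionEntry.permission())) {
                    throw new PolicyInitializationException("Permission class not found: " + permissionEntry.permission(), e);
                }
            }
        }
        list.add(new PolicyEntry(codeSource, granted));
    }

    /**
     * Walks the <code>${{...}}</code> placeholders in a permission name and rebuilds the name.
     *
     * <p>Each placeholder is copied through verbatim, so the rebuilt name is character-for-character
     * the input and placeholders reach the permission constructor unexpanded.
     * NOTE(review): confirm no policy in use relies on these placeholders being substituted.
     */
    private static PermissionEntry expandPermissionName(PermissionEntry permissionEntry) {
        String name = permissionEntry.name();
        if (name == null || !name.contains("${{")) {
            return permissionEntry;
        }
        StringBuilder rebuilt = new StringBuilder();
        int cursor = 0;
        while (true) {
            int open = name.indexOf("${{", cursor);
            if (open == -1) {
                break;
            }
            int close = name.indexOf("}}", open);
            if (close == -1) {
                break;
            }
            rebuilt.append(name, cursor, open);
            rebuilt.append("${{").append(name, open + 3, close).append("}}");
            cursor = close + 2;
        }
        rebuilt.append(name.substring(cursor));
        return new PermissionEntry(permissionEntry.permission(), rebuilt.toString(), permissionEntry.action());
    }

    /**
     * Looks up the permission class named in the policy and instantiates it if it is supported.
     *
     * <p>The class is resolved with a {@code null} loader (the bootstrap loader) and without
     * initialisation, so a class name taken from the policy file never runs static initialisers.
     *
     * @return the permission, or empty when the class is not one of the supported types
     * @throws ClassNotFoundException if the bootstrap loader cannot find the class
     */
    private static final Optional<Permission> getInstance(String str, String str2, String str3) throws ClassNotFoundException {
        Class<?> permissionClass = Class.forName(str, false, null);
        return Optional.ofNullable(getKnownPermission(permissionClass, str2, str3));
    }

    /**
     * Instantiates one of the supported permission types directly, without reflection.
     *
     * @return the permission, or {@code null} when {@code cls} is not a supported type;
     *         {@link AllPermission} ignores both the name and the actions
     */
    private static Permission getKnownPermission(Class<?> cls, String str, String str2) {
        if (cls.equals(FilePermission.class)) {
            return new FilePermission(str, str2);
        }
        if (cls.equals(SocketPermission.class)) {
            return new SocketPermission(str, str2);
        }
        if (cls.equals(RuntimePermission.class)) {
            return new RuntimePermission(str, str2);
        }
        if (cls.equals(PropertyPermission.class)) {
            return new PropertyPermission(str, str2);
        }
        if (cls.equals(NetPermission.class)) {
            return new NetPermission(str, str2);
        }
        if (cls.equals(AllPermission.class)) {
            return new AllPermission();
        }
        if (cls.equals(SecurityPermission.class)) {
            return new SecurityPermission(str, str2);
        }
        return null;
    }

    /**
     * Re-reads and re-parses the policy file, failing if it is no longer valid.
     *
     * <p>The parsed result is discarded: the entries in force and the per-domain cache stay as
     * they were at construction, so editing the file cannot change permissions at runtime.
     * NOTE(review): confirm this is intended; callers expecting a reload will keep the old policy.
     *
     * @throws RuntimeException if the policy can no longer be read or parsed
     */
    @Override // java.security.Policy
    public void refresh() {
        try {
            init(this.url);
        } catch (PolicyInitializationException e) {
            throw new RuntimeException("Failed to refresh policy", e);
        }
    }

    /**
     * Reports whether {@code protectionDomain} is granted {@code permission}.
     *
     * @return {@code false} when either argument is {@code null} or the permission is not implied
     */
    @Override // java.security.Policy
    public boolean implies(ProtectionDomain protectionDomain, Permission permission) {
        if (protectionDomain == null || permission == null) {
            return false;
        }
        PermissionCollection granted = this.policyInfo.getOrCompute(protectionDomain, this::getPermissions);
        return granted != null && granted.implies(permission);
    }

    /**
     * Collects the policy-granted permissions for the domain's code source together with the
     * domain's own static permissions.
     *
     * @return a fresh collection; empty when {@code protectionDomain} is {@code null}
     * @throws RuntimeException if the domain's code source cannot be canonicalised
     */
    @Override // java.security.Policy
    public PermissionCollection getPermissions(ProtectionDomain protectionDomain) {
        Permissions permissions = new Permissions();
        if (protectionDomain == null) {
            return permissions;
        }
        try {
            getPermissionsForProtectionDomain(permissions, protectionDomain);
        } catch (PolicyInitializationException e) {
            throw new RuntimeException("Failed to get permissions for domain", e);
        }
        PermissionCollection domainPermissions = protectionDomain.getPermissions();
        if (domainPermissions != null) {
            // Hold the collection's monitor while enumerating so it is not modified mid-copy.
            synchronized (domainPermissions) {
                Enumeration<Permission> elements = domainPermissions.elements();
                while (elements.hasMoreElements()) {
                    permissions.add(elements.nextElement());
                }
            }
        }
        return permissions;
    }

    /**
     * Collects the permissions of every policy entry whose code source implies {@code codeSource}.
     *
     * @return a fresh collection; empty when {@code codeSource} is {@code null}
     * @throws RuntimeException if {@code codeSource} cannot be canonicalised
     */
    @Override // java.security.Policy
    public PermissionCollection getPermissions(CodeSource codeSource) {
        if (codeSource == null) {
            return new Permissions();
        }
        Permissions permissions = new Permissions();
        try {
            addMatchingPermissions(permissions, canonicalizeCodebase(codeSource));
        } catch (PolicyInitializationException e) {
            throw new RuntimeException("Failed to canonicalize CodeSource", e);
        }
        return permissions;
    }

    /** Adds the policy grants for the domain's code source; a domain without one gets nothing. */
    private void getPermissionsForProtectionDomain(Permissions permissions, ProtectionDomain protectionDomain) throws PolicyInitializationException {
        CodeSource codeSource = protectionDomain.getCodeSource();
        if (codeSource == null) {
            return;
        }
        addMatchingPermissions(permissions, canonicalizeCodebase(codeSource));
    }

    /** Copies into {@code target} the permissions of each entry whose code source implies {@code canonical}. */
    private void addMatchingPermissions(Permissions target, CodeSource canonical) {
        for (PolicyEntry entry : this.policyInfo.policyEntries) {
            if (entry.codeSource().implies(canonical)) {
                entry.permissions().forEach(target::add);
            }
        }
    }

    /**
     * Returns a code source whose location has been canonicalised, keeping the certificates.
     * A code source without a location is returned unchanged.
     */
    private CodeSource canonicalizeCodebase(CodeSource codeSource) throws PolicyInitializationException {
        URL location = codeSource.getLocation();
        if (location == null) {
            return codeSource;
        }
        try {
            return new CodeSource(canonicalizeUrl(location), codeSource.getCertificates());
        } catch (IOException e) {
            throw new PolicyInitializationException("Failed to canonicalize CodeSource", e);
        }
    }

    /**
     * Reduces a {@code jar:} URL to the URL of the archive itself and canonicalises {@code file:}
     * paths, so policy codebases and runtime code sources compare in the same form.
     *
     * @throws IOException if the nested jar URL is malformed or the path cannot be canonicalised
     */
    private URL canonicalizeUrl(URL url) throws IOException {
        URL effective = url;
        if ("jar".equals(url.getProtocol())) {
            String spec = url.getFile();
            int bang = spec.indexOf("!/");
            if (bang != -1) {
                try {
                    effective = new URL(spec.substring(0, bang));
                } catch (MalformedURLException e) {
                    throw new IOException("Malformed nested jar URL", e);
                }
            }
        }
        if ("file".equals(effective.getProtocol())) {
            return new File(canonicalizePath(effective.getPath())).toURI().toURL();
        }
        return effective;
    }

    /**
     * Canonicalises a filesystem path, keeping a trailing {@code *} wildcard in place.
     * The result reflects the filesystem as it is at the time of the call.
     */
    private String canonicalizePath(String str) throws IOException {
        if (str.endsWith("*")) {
            String parent = str.substring(0, str.length() - 1);
            return new File(parent).getCanonicalPath() + "*";
        }
        return new File(str).getCanonicalPath();
    }

    /** Parses {@code str} as a URI and converts it to a URL. */
    private static URL newURL(String str) throws MalformedURLException, URISyntaxException {
        return new URI(str).toURL();
    }
}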
