package org.elasticsearch.bootstrap;

import java.io.IOException;
import java.net.SocketPermission;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.file.AccessMode;
import java.nio.file.DirectoryStream;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.NotDirectoryException;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.security.NoSuchAlgorithmException;
import java.security.Permissions;
import java.security.Policy;
import java.security.URIParameter;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import org.apache.poi.util.TempFile;
import org.elasticsearch.bootstrap.ElasticsearchUncaughtExceptionHandler;
import org.elasticsearch.cli.Command;
import org.elasticsearch.common.SuppressForbidden;
import org.elasticsearch.common.io.PathUtils;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.env.Environment;
import org.elasticsearch.http.HttpTransportSettings;
import org.elasticsearch.plugins.PluginInfo;
import org.elasticsearch.plugins.PluginsService;
import org.elasticsearch.secure_sm.SecureSM;
import org.elasticsearch.transport.TcpTransport;
import org.elasticsearch.transport.TransportSettings;
import org.springframework.util.ResourceUtils;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:WEB-INF/lib/elasticsearch-7.0.1.jar:org/elasticsearch/bootstrap/Security.class */
public final class Security {
    private Security() {
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static void configure(Environment environment, boolean z) throws IOException, NoSuchAlgorithmException {
        Policy.setPolicy(new ESPolicy(getCodebaseJarMap(JarHell.parseClassPath()), createPermissions(environment), getPluginPermissions(environment), z));
        System.setSecurityManager(new SecureSM(new String[]{ElasticsearchUncaughtExceptionHandler.PrivilegedHaltAction.class.getName().replace("$", "\\$"), Command.class.getName()}));
        selfTest();
    }

    @SuppressForbidden(reason = "find URL path")
    static Map<String, URL> getCodebaseJarMap(Set<URL> set) {
        LinkedHashMap linkedHashMap = new LinkedHashMap();
        for (URL url : set) {
            try {
                String path = PathUtils.get(url.toURI()).getFileName().toString();
                if (path.endsWith(ResourceUtils.JAR_FILE_EXTENSION)) {
                    linkedHashMap.put(path, url);
                }
            } catch (URISyntaxException e) {
                throw new RuntimeException(e);
            }
        }
        return linkedHashMap;
    }

    @SuppressForbidden(reason = "proper use of URL")
    static Map<String, Policy> getPluginPermissions(Environment environment) throws IOException, NoSuchAlgorithmException {
        HashMap hashMap = new HashMap();
        LinkedHashSet<Path> linkedHashSet = new LinkedHashSet(PluginsService.findPluginDirs(environment.pluginsFile()));
        linkedHashSet.addAll(PluginsService.findPluginDirs(environment.modulesFile()));
        for (Path path : linkedHashSet) {
            Path resolve = path.resolve(PluginInfo.ES_PLUGIN_POLICY);
            if (Files.exists(resolve, new LinkOption[0])) {
                LinkedHashSet<URL> linkedHashSet2 = new LinkedHashSet();
                DirectoryStream<Path> newDirectoryStream = Files.newDirectoryStream(path, "*.jar");
                try {
                    Iterator<Path> it = newDirectoryStream.iterator();
                    while (it.hasNext()) {
                        URL url = it.next().toRealPath(new LinkOption[0]).toUri().toURL();
                        if (!linkedHashSet2.add(url)) {
                            throw new IllegalStateException("duplicate module/plugin: " + url);
                        }
                    }
                    if (newDirectoryStream != null) {
                        newDirectoryStream.close();
                    }
                    Policy readPolicy = readPolicy(resolve.toUri().toURL(), getCodebaseJarMap(linkedHashSet2));
                    for (URL url2 : linkedHashSet2) {
                        if (hashMap.put(url2.getFile(), readPolicy) != null) {
                            throw new IllegalStateException("per-plugin permissions already granted for jar file: " + url2);
                        }
                    }
                } catch (Throwable th) {
                    if (newDirectoryStream != null) {
                        try {
                            newDirectoryStream.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            }
        }
        return Collections.unmodifiableMap(hashMap);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @SuppressForbidden(reason = "accesses fully qualified URLs to configure security")
    public static Policy readPolicy(URL url, Map<String, URL> map) {
        try {
            ArrayList arrayList = new ArrayList();
            try {
                for (Map.Entry<String, URL> entry : map.entrySet()) {
                    String key = entry.getKey();
                    URL value = entry.getValue();
                    String str = "codebase." + key;
                    String str2 = "codebase." + key.replaceFirst("-\\d+\\.\\d+.*\\.jar", "");
                    if (!str2.equals(str)) {
                        arrayList.add(str2);
                        String property = System.setProperty(str2, value.toString());
                        if (property != null) {
                            throw new IllegalStateException("codebase property already set: " + str2 + " -> " + property + ", cannot set to " + value.toString());
                        }
                    }
                    arrayList.add(str);
                    String property2 = System.setProperty(str, value.toString());
                    if (property2 != null) {
                        throw new IllegalStateException("codebase property already set: " + str + " -> " + property2 + ", cannot set to " + value.toString());
                    }
                }
                Policy policy = Policy.getInstance("JavaPolicy", new URIParameter(url.toURI()));
                Iterator it = arrayList.iterator();
                while (it.hasNext()) {
                    System.clearProperty((String) it.next());
                }
                return policy;
            } catch (Throwable th) {
                Iterator it2 = arrayList.iterator();
                while (it2.hasNext()) {
                    System.clearProperty((String) it2.next());
                }
                throw th;
            }
        } catch (URISyntaxException | NoSuchAlgorithmException e) {
            throw new IllegalArgumentException("unable to parse policy file `" + url + "`", e);
        }
    }

    static Permissions createPermissions(Environment environment) throws IOException {
        Permissions permissions = new Permissions();
        addClasspathPermissions(permissions);
        addFilePermissions(permissions, environment);
        addBindPermissions(permissions, environment.settings());
        return permissions;
    }

    @SuppressForbidden(reason = "accesses fully qualified URLs to configure security")
    static void addClasspathPermissions(Permissions permissions) throws IOException {
        Iterator<URL> it = JarHell.parseClassPath().iterator();
        while (it.hasNext()) {
            try {
                Path path = PathUtils.get(it.next().toURI());
                if (Files.isDirectory(path, new LinkOption[0])) {
                    FilePermissionUtils.addDirectoryPath(permissions, "class.path", path, "read,readlink");
                } else {
                    FilePermissionUtils.addSingleFilePath(permissions, path, "read,readlink");
                }
            } catch (URISyntaxException e) {
                throw new RuntimeException(e);
            }
        }
    }

    static void addFilePermissions(Permissions permissions, Environment environment) throws IOException {
        FilePermissionUtils.addDirectoryPath(permissions, Environment.PATH_HOME_SETTING.getKey(), environment.binFile(), "read,readlink");
        FilePermissionUtils.addDirectoryPath(permissions, Environment.PATH_HOME_SETTING.getKey(), environment.libFile(), "read,readlink");
        FilePermissionUtils.addDirectoryPath(permissions, Environment.PATH_HOME_SETTING.getKey(), environment.modulesFile(), "read,readlink");
        FilePermissionUtils.addDirectoryPath(permissions, Environment.PATH_HOME_SETTING.getKey(), environment.pluginsFile(), "read,readlink");
        FilePermissionUtils.addDirectoryPath(permissions, "path.conf'", environment.configFile(), "read,readlink");
        FilePermissionUtils.addDirectoryPath(permissions, TempFile.JAVA_IO_TMPDIR, environment.tmpFile(), "read,readlink,write,delete");
        FilePermissionUtils.addDirectoryPath(permissions, Environment.PATH_LOGS_SETTING.getKey(), environment.logsFile(), "read,readlink,write,delete");
        if (environment.sharedDataFile() != null) {
            FilePermissionUtils.addDirectoryPath(permissions, Environment.PATH_SHARED_DATA_SETTING.getKey(), environment.sharedDataFile(), "read,readlink,write,delete");
        }
        HashSet hashSet = new HashSet();
        for (Path path : environment.dataFiles()) {
            FilePermissionUtils.addDirectoryPath(permissions, Environment.PATH_DATA_SETTING.getKey(), path, "read,readlink,write,delete");
            try {
                Path realPath = path.toRealPath(new LinkOption[0]);
                if (!hashSet.add(realPath)) {
                    throw new IllegalStateException("path [" + realPath + "] is duplicated by [" + path + "]");
                }
            } catch (IOException e) {
                throw new IllegalStateException("unable to access [" + path + "]", e);
            }
        }
        for (Path path2 : environment.repoFiles()) {
            FilePermissionUtils.addDirectoryPath(permissions, Environment.PATH_REPO_SETTING.getKey(), path2, "read,readlink,write,delete");
        }
        if (environment.pidFile() != null) {
            FilePermissionUtils.addSingleFilePath(permissions, environment.pidFile(), "delete");
        }
    }

    private static void addBindPermissions(Permissions permissions, Settings settings) {
        addSocketPermissionForHttp(permissions, settings);
        addSocketPermissionForTransportProfiles(permissions, settings);
    }

    private static void addSocketPermissionForHttp(Permissions permissions, Settings settings) {
        addSocketPermissionForPortRange(permissions, HttpTransportSettings.SETTING_HTTP_PORT.get(settings).getPortRangeString());
    }

    private static void addSocketPermissionForTransportProfiles(Permissions permissions, Settings settings) {
        Set<TcpTransport.ProfileSettings> profileSettings = TcpTransport.getProfileSettings(settings);
        HashSet hashSet = new HashSet();
        for (TcpTransport.ProfileSettings profileSettings2 : profileSettings) {
            if (hashSet.add(profileSettings2.portOrRange)) {
                addSocketPermissionForPortRange(permissions, profileSettings2.portOrRange);
            }
        }
    }

    private static void addSocketPermissionForTransport(Permissions permissions, Settings settings) {
        addSocketPermissionForPortRange(permissions, TransportSettings.PORT.get(settings));
    }

    private static void addSocketPermissionForPortRange(Permissions permissions, String str) {
        permissions.add(new SocketPermission("*:" + str, "listen,resolve"));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static void ensureDirectoryExists(Path path) throws IOException {
        if (Files.isDirectory(path, new LinkOption[0])) {
            path.getFileSystem().provider().checkAccess(path.toRealPath(new LinkOption[0]), AccessMode.READ);
            return;
        }
        try {
            Files.createDirectories(path, new FileAttribute[0]);
        } catch (FileAlreadyExistsException e) {
            NotDirectoryException notDirectoryException = new NotDirectoryException(path.toString());
            notDirectoryException.addSuppressed(e);
            throw notDirectoryException;
        }
    }

    @SuppressForbidden(reason = "accesses jvm default tempdir as a self-test")
    static void selfTest() throws IOException {
        try {
            try {
                Files.delete(Files.createTempFile(null, null, new FileAttribute[0]));
            } catch (IOException e) {
            }
        } catch (SecurityException e2) {
            throw new SecurityException("Security misconfiguration: cannot access java.io.tmpdir", e2);
        }
    }
}
