package com.liferay.portal.security.pacl.checker;

import com.liferay.portal.kernel.configuration.Filter;
import com.liferay.portal.kernel.deploy.DeployManagerUtil;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.servlet.ServletContextPool;
import com.liferay.portal.kernel.servlet.WebDirDetector;
import com.liferay.portal.kernel.servlet.taglib.FileAvailabilityUtil;
import com.liferay.portal.kernel.util.ContextPathUtil;
import com.liferay.portal.kernel.util.PathUtil;
import com.liferay.portal.kernel.util.ReleaseInfo;
import com.liferay.portal.kernel.util.ServerDetector;
import com.liferay.portal.kernel.util.StringUtil;
import com.liferay.portal.kernel.util.UniqueList;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.security.lang.PortalSecurityManagerThreadLocal;
import com.liferay.portal.security.pacl.PACLClassUtil;
import com.liferay.portal.servlet.DirectServletRegistryImpl;
import com.liferay.portal.util.PropsUtil;
import com.liferay.portal.util.PropsValues;
import java.io.File;
import java.io.FilePermission;
import java.io.IOException;
import java.net.URLClassLoader;
import java.security.Permission;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;
import javax.servlet.ServletContext;
import jodd.util.StringPool;
import jodd.util.SystemUtil;
import org.springframework.web.util.WebUtils;
import sun.reflect.Reflection;

/* loaded from: input_file:WEB-INF/lib/portal-impl.jar:com/liferay/portal/security/pacl/checker/FileChecker.class */
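/**
 * PACL checker for file permission requests.
 *
 * <p>Four allow-lists (delete, execute, read, write) are built once in
 * {@link #afterPropertiesSet()} from the values returned by
 * {@code getProperty("security-manager-files-*")} plus a set of default paths.
 * {@link #checkPermission(Permission)} rejects a request unless one of the
 * stored permissions implies it or one of the caller-based exceptions in
 * {@code hasDelete}/{@code hasRead}/{@code hasWrite} applies.
 *
 * <p>The caller-based exceptions inspect the call stack by absolute frame
 * index, so the call depth between the permission check and these methods is
 * part of the security logic. Do not insert or remove intermediate method
 * calls on that path without re-validating the index.
 */
public class FileChecker extends BaseChecker {
    // Resin class that is allowed to touch files when it is loaded from resin.jar
    private static final String _CLASS_NAME_FILE_PATH = "com.caucho.vfs.FilePath";
    // ClassLoader subclass that is excluded from the "class loaders may read" rule
    private static final String _CLASS_NAME_METHOD_UTIL = "sun.reflect.misc.MethodUtil";
    private static Log _log = LogFactoryUtil.getLog(FileChecker.class);
    // Placeholder tokens and their replacements; the two arrays are index-aligned
    private String[] _defaultReadPathsFromArray;
    private String[] _defaultReadPathsToArray;
    private List<Permission> _deletePermissions;
    private List<Permission> _executePermissions;
    private String _globalSharedLibDir = PropsValues.LIFERAY_LIB_GLOBAL_SHARED_DIR;
    private String _portalDir = PropsValues.LIFERAY_WEB_PORTAL_DIR;
    private List<Permission> _readPermissions;
    private String _rootDir;
    private String _workDir;
    private List<Permission> _writePermissions;

    /**
     * Resolves the root and work directories, builds the placeholder
     * replacement tables and then initializes the four permission lists.
     */
    @Override // com.liferay.portal.security.pacl.checker.Checker
    public void afterPropertiesSet() {
        try {
            this._rootDir = WebDirDetector.getRootDir(getClassLoader());
        } catch (Exception e) {
            // Best effort: _rootDir stays null and no read grant is derived from it.
            // The failure is recorded instead of being dropped silently.
            if (_log.isDebugEnabled()) {
                _log.debug("Unable to detect root directory", e);
            }
        }
        if (_log.isDebugEnabled()) {
            _log.debug("Root directory " + this._rootDir);
        }
        ServletContext servletContext = ServletContextPool.get(getServletContextName());
        if (servletContext != null) {
            // The attribute may be absent; leave _workDir null (no work-dir grants)
            // rather than failing initialization with a NullPointerException.
            File tempDir = (File) servletContext.getAttribute(WebUtils.TEMP_DIR_CONTEXT_ATTRIBUTE);
            if (tempDir != null) {
                this._workDir = tempDir.getAbsolutePath();
            }
            if (_log.isDebugEnabled()) {
                _log.debug("Work directory " + this._workDir);
            }
        }
        this._defaultReadPathsFromArray = new String[] {
            "${auto.deploy.installed.dir}",
            "${catalina.base}",
            "${com.sun.aas.instanceRoot}",
            "${com.sun.aas.installRoot}",
            "${file.separator}",
            "${java.io.tmpdir}",
            "${jboss.home.dir}",
            "${jetty.home}",
            "${jonas.base}",
            "${liferay.web.portal.dir}",
            "${line.separator}",
            "${org.apache.geronimo.home.dir}",
            "${path.separator}",
            "${plugin.servlet.context.name}",
            "${release.info.version}",
            "${resin.home}",
            "${user.dir}",
            "${user.home}",
            "${user.name}",
            "${weblogic.domain.dir}",
            "${websphere.profile.dir}",
            "//"
        };
        String installedDir = "";
        try {
            if (DeployManagerUtil.getDeployManager() != null) {
                installedDir = DeployManagerUtil.getInstalledDir();
            }
        } catch (Exception e) {
            _log.error(e, e);
        }
        // Same order as _defaultReadPathsFromArray. Entries are null when the
        // property or environment variable is not set.
        // NOTE(review): confirm StringUtil.replace tolerates null replacements.
        this._defaultReadPathsToArray = new String[] {
            installedDir,
            System.getProperty("catalina.base"),
            System.getProperty("com.sun.aas.instanceRoot"),
            System.getProperty("com.sun.aas.installRoot"),
            System.getProperty("file.separator"),
            System.getProperty(SystemUtil.TEMP_DIR),
            System.getProperty("jboss.home.dir"),
            System.getProperty("jetty.home"),
            System.getProperty("jonas.base"),
            this._portalDir,
            System.getProperty("line.separator"),
            System.getProperty("org.apache.geronimo.home.dir"),
            System.getProperty(SystemUtil.PATH_SEPARATOR),
            getServletContextName(),
            ReleaseInfo.getVersion(),
            System.getProperty("resin.home"),
            System.getProperty("user.dir"),
            System.getProperty("user.home"),
            System.getProperty(SystemUtil.USER_NAME),
            System.getenv("DOMAIN_HOME"),
            System.getenv("USER_INSTALL_ROOT"),
            "/"
        };
        if (_log.isDebugEnabled()) {
            _log.debug("Default read paths replace with " + StringUtil.merge(this._defaultReadPathsToArray));
        }
        initPermissions();
    }

    /**
     * Dispatches on the permission's action string and reports a security
     * violation through {@code throwSecurityException} when the matching
     * {@code has*} check fails.
     *
     * <p>Read checks are skipped entirely while
     * {@code PortalSecurityManagerThreadLocal.isCheckReadFile()} is false.
     *
     * @param permission the permission being requested
     */
    @Override // com.liferay.portal.security.pacl.checker.Checker
    public void checkPermission(Permission permission) {
        String name = permission.getName();
        String actions = permission.getActions();
        // NOTE(review): only the four exact single-action strings are matched.
        // Any other value (a combined list such as "read,write", or "readlink",
        // both of which FilePermission accepts) matches no branch and is
        // allowed without a check. Confirm this is intended, or deny by default.
        if (actions.equals("delete")) {
            if (!hasDelete(permission)) {
                throwSecurityException(_log, "Attempted to delete file " + name);
            }
        } else if (actions.equals("execute")) {
            if (!hasExecute(permission)) {
                throwSecurityException(_log, "Attempted to execute file " + name);
            }
        } else if (actions.equals("read")) {
            if (PortalSecurityManagerThreadLocal.isCheckReadFile() && !hasRead(permission)) {
                throwSecurityException(_log, "Attempted to read file " + name);
            }
        } else if (actions.equals("write")) {
            if (!hasWrite(permission)) {
                throwSecurityException(_log, "Attempted to write file " + name);
            }
        }
    }

    /**
     * Adds a path to the list, dropping stored entries that start with it.
     *
     * <p>Backslashes are converted to forward slashes and a path ending in
     * {@code /} gets a trailing {@code -} appended before it is stored.
     *
     * @param list the path list to update in place
     * @param str the path to add
     */
    protected void addCanonicalPath(List<String> list, String str) {
        Iterator<String> entries = list.iterator();
        while (entries.hasNext()) {
            String existing = entries.next();
            if (existing.startsWith(str) && existing.length() > str.length()) {
                // A longer entry under the new path is superseded by it
                entries.remove();
            } else if (str.startsWith(existing)) {
                // Already covered by a stored entry. Entries stored with a trailing
                // "-" cannot be a prefix of a path ending in "/", so this branch
                // does not fire for them.
                return;
            }
        }
        String normalized = StringUtil.replace(str, StringPool.BACK_SLASH, "/");
        if (normalized.endsWith("/")) {
            normalized = normalized + "-";
        }
        list.add(normalized);
    }

    /**
     * Recursively adds the canonical path of a directory, of each of its
     * subdirectories and of the canonical parent directory of each file in it.
     *
     * @param list the path list to update in place
     * @param file the directory to walk
     * @throws IOException if a canonical path cannot be resolved
     */
    protected void addCanonicalPaths(List<String> list, File file) throws IOException {
        addCanonicalPath(list, file.getCanonicalPath() + "/");
        File[] children = file.listFiles();
        if (children == null) {
            // listFiles() returns null when the path is not a directory or an I/O
            // error occurs; iterating it would throw a NullPointerException.
            return;
        }
        for (File child : children) {
            if (child.isDirectory()) {
                addCanonicalPaths(list, child);
            } else {
                // The canonical path is used, so a file that resolves elsewhere
                // contributes the directory it really lives in.
                addCanonicalPath(list, new File(child.getCanonicalPath()).getParentFile().getPath() + "/");
            }
        }
    }

    /**
     * Appends the configured default read paths, with placeholders expanded.
     *
     * @param list the path list to append to
     * @param str the filter value passed to the property lookup; the visible
     *        caller passes the server id
     */
    protected void addDefaultReadPaths(List<String> list, String str) {
        String[] configuredPaths =
            PropsUtil.getArray("portal.security.manager.file.checker.default.read.paths", new Filter(str));
        for (String configuredPath : configuredPaths) {
            list.add(StringUtil.replace(configuredPath, this._defaultReadPathsFromArray, this._defaultReadPathsToArray));
        }
    }

    /**
     * Stores a permission for the path in both its Unix and Windows form.
     *
     * @param list the permission list to append to
     * @param str the path
     * @param str2 the file action to allow
     */
    protected void addPermission(List<Permission> list, String str, String str2) {
        if (_log.isDebugEnabled()) {
            _log.debug("Allowing " + str2 + " on " + str);
        }
        list.add(new FilePermission(PathUtil.toUnixPath(str), str2));
        list.add(new FilePermission(PathUtil.toWindowsPath(str), str2));
    }

    /**
     * Builds the allow-list for one action.
     *
     * @param str the property key holding the configured paths
     * @param str2 the file action ({@code delete}, {@code execute},
     *        {@code read} or {@code write})
     * @return the permissions granted for that action
     */
    protected List<Permission> getPermissions(String str, String str2) {
        List<Permission> permissions = new CopyOnWriteArrayList<Permission>();
        String configured = getProperty(str);
        if (configured != null) {
            String expanded = StringUtil.replace(configured, this._defaultReadPathsFromArray, this._defaultReadPathsToArray);
            String[] paths = StringUtil.split(expanded);
            if (expanded.contains("${comma}")) {
                // ${comma} is restored only after splitting, so a path may contain a comma
                for (int i = 0; i < paths.length; i++) {
                    paths[i] = StringUtil.replace(paths[i], "${comma}", ",");
                }
            }
            for (String path : paths) {
                addPermission(permissions, path, str2);
            }
        }
        ServletContext portalServletContext =
            ServletContextPool.get(ContextPathUtil.getContextPath(PropsValues.PORTAL_CTX));
        // Execute is never granted implicitly on the work or temp directories
        if (!str2.equals("execute") && this._workDir != null) {
            addPermission(permissions, this._workDir, str2);
            addPermission(permissions, this._workDir + "/-", str2);
            if (portalServletContext != null) {
                // Guard against a missing attribute instead of dereferencing null
                File tempDir = (File) portalServletContext.getAttribute(WebUtils.TEMP_DIR_CONTEXT_ATTRIBUTE);
                if (tempDir != null) {
                    String tempDirPath = tempDir.getAbsolutePath();
                    if (_log.isDebugEnabled()) {
                        _log.debug("Temp directory " + tempDirPath);
                    }
                    // The portal temp directory itself is granted for read only;
                    // everything below it is granted for the requested action.
                    if (str2.equals("read")) {
                        addPermission(permissions, tempDirPath, str2);
                    }
                    addPermission(permissions, tempDirPath + "/-", str2);
                }
            }
        }
        if (!str2.equals("read")) {
            return permissions;
        }
        // Read additionally covers the JRE lib tree, the global shared lib
        // directory, the root directory and the configured default paths.
        List<String> readPaths = new UniqueList<String>();
        try {
            addCanonicalPaths(readPaths, new File(System.getProperty(SystemUtil.JAVA_HOME) + "/lib"));
        } catch (IOException e) {
            _log.error(e, e);
        }
        if (Validator.isNotNull(this._globalSharedLibDir)) {
            // presumably the directory value ends with a separator, giving "dir/-" - verify
            readPaths.add(this._globalSharedLibDir + "-");
        }
        if (this._rootDir != null) {
            readPaths.add(this._rootDir + "-");
        }
        addDefaultReadPaths(readPaths, ServerDetector.getServerId());
        for (String readPath : readPaths) {
            addPermission(permissions, readPath, str2);
        }
        return permissions;
    }

    /**
     * Returns whether the delete request is allowed.
     *
     * @param permission the requested permission
     * @return {@code true} if a stored delete permission implies it, or if on
     *         Resin the first {@code com.caucho.vfs.FilePath} frame found on
     *         the stack was loaded from resin.jar
     */
    protected boolean hasDelete(Permission permission) {
        for (Permission granted : this._deletePermissions) {
            if (granted.implies(permission)) {
                return true;
            }
        }
        if (!ServerDetector.isResin()) {
            return false;
        }
        // Walk the stack upwards from frame 7 until it is exhausted.
        // NOTE(review): the start index presumably skips the checker and
        // security-manager frames; it depends on the exact call depth - confirm
        // before changing how this method is reached.
        for (int frame = 7;; frame++) {
            Class<?> callerClass = Reflection.getCallerClass(frame);
            if (callerClass == null) {
                return false;
            }
            if (callerClass.getName().equals(_CLASS_NAME_FILE_PATH)) {
                // Class-name match alone is not trusted; the class must also come
                // from resin.jar. The location test is a substring match.
                return PACLClassUtil.getClassLocation(callerClass).contains(
                    PathUtil.toUnixPath(System.getProperty("resin.home") + "/lib/resin.jar!/"));
            }
        }
    }

    /**
     * Returns whether the execute request is allowed.
     *
     * @param permission the requested permission
     * @return {@code true} only if a stored execute permission implies it
     */
    protected boolean hasExecute(Permission permission) {
        for (Permission granted : this._executePermissions) {
            if (granted.implies(permission)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns whether the read request is allowed.
     *
     * <p>Besides the stored read permissions and the JSP compiler check, a
     * read is allowed when a trusted class is found on the call stack.
     *
     * @param permission the requested permission
     * @return {@code true} if the read is allowed
     */
    protected boolean hasRead(Permission permission) {
        for (Permission granted : this._readPermissions) {
            if (granted.implies(permission)) {
                return true;
            }
        }
        if (isJSPCompiler(permission.getName(), "read")) {
            return true;
        }
        // Walk the stack upwards from frame 7 until it is exhausted.
        // NOTE(review): the start index depends on the exact call depth - confirm
        // before changing how this method is reached.
        for (int frame = 7;; frame++) {
            Class<?> callerClass = Reflection.getCallerClass(frame);
            if (callerClass == null) {
                return false;
            }
            if (callerClass == DirectServletRegistryImpl.class || callerClass == FileAvailabilityUtil.class) {
                return true;
            }
            // Any ClassLoader subclass on the stack other than MethodUtil grants the read.
            // NOTE(review): this assumes sandboxed code cannot define or
            // instantiate its own class loader - confirm that is enforced elsewhere.
            if (ClassLoader.class.isAssignableFrom(callerClass)
                    && !callerClass.getName().equals(_CLASS_NAME_METHOD_UTIL)) {
                return true;
            }
            if (ServerDetector.isGlassfish()) {
                // Class nested two levels inside URLClassLoader, called via doPrivileged
                Class<?> enclosingClass = callerClass.getEnclosingClass();
                if (enclosingClass != null
                        && enclosingClass.getEnclosingClass() == URLClassLoader.class
                        && CheckerUtil.isAccessControllerDoPrivileged(frame + 1)) {
                    return true;
                }
            } else if (ServerDetector.isResin() && callerClass.getName().equals(_CLASS_NAME_FILE_PATH)) {
                // The class must come from resin.jar; the location test is a substring match
                return PACLClassUtil.getClassLocation(callerClass).contains(
                    PathUtil.toUnixPath(System.getProperty("resin.home") + "/lib/resin.jar!/"));
            }
        }
    }

    /**
     * Returns whether the write request is allowed.
     *
     * @param permission the requested permission
     * @return {@code true} if a stored write permission implies it; otherwise
     *         on WebSphere the result of the JSP compiler check, on Resin
     *         whether the first {@code com.caucho.vfs.FilePath} frame found on
     *         the stack was loaded from resin.jar, and {@code false} elsewhere
     */
    protected boolean hasWrite(Permission permission) {
        for (Permission granted : this._writePermissions) {
            if (granted.implies(permission)) {
                return true;
            }
        }
        if (!ServerDetector.isResin()) {
            return ServerDetector.isWebSphere() && isJSPCompiler(permission.getName(), "write");
        }
        // Walk the stack upwards from frame 7 until it is exhausted.
        // NOTE(review): the start index depends on the exact call depth - confirm
        // before changing how this method is reached.
        for (int frame = 7;; frame++) {
            Class<?> callerClass = Reflection.getCallerClass(frame);
            if (callerClass == null) {
                return false;
            }
            if (callerClass.getName().equals(_CLASS_NAME_FILE_PATH)) {
                // The class must come from resin.jar; the location test is a substring match
                return PACLClassUtil.getClassLocation(callerClass).contains(
                    PathUtil.toUnixPath(System.getProperty("resin.home") + "/lib/resin.jar!/"));
            }
        }
    }

    /**
     * Builds the delete, execute, read and write allow-lists from their
     * respective {@code security-manager-files-*} properties.
     */
    protected void initPermissions() {
        this._deletePermissions = getPermissions("security-manager-files-delete", "delete");
        this._executePermissions = getPermissions("security-manager-files-execute", "execute");
        this._readPermissions = getPermissions("security-manager-files-read", "read");
        this._writePermissions = getPermissions("security-manager-files-write", "write");
    }
}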
