package com.liferay.portal.security.pacl.checker;

import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.messaging.BaseAsyncDestination;
import com.liferay.portal.kernel.servlet.PortalClassLoaderFilter;
import com.liferay.portal.kernel.servlet.PortalClassLoaderServlet;
import com.liferay.portal.kernel.util.JavaDetector;
import com.liferay.portal.kernel.util.PathUtil;
import com.liferay.portal.kernel.util.ServerDetector;
import com.liferay.portal.kernel.util.StringUtil;
import com.liferay.portal.security.lang.PortalSecurityManagerThreadLocal;
import com.liferay.portal.security.pacl.PACLClassLoaderUtil;
import com.liferay.portal.security.pacl.PACLClassUtil;
import com.liferay.portal.util.PropsFiles;
import java.security.Permission;
import java.util.Iterator;
import java.util.Set;
import java.util.TreeSet;
import org.apache.xerces.impl.dv.DatatypeException;
import org.apache.xerces.parsers.AbstractDOMParser;
import org.springframework.beans.CachedIntrospectionResults;
import org.springframework.context.support.AbstractApplicationContext;
import org.springframework.core.LocalVariableTableParameterNameDiscoverer;
import org.springframework.util.ClassUtils;
import sun.reflect.Reflection;

/* loaded from: input_file:WEB-INF/lib/portal-impl.jar:com/liferay/portal/security/pacl/checker/RuntimeChecker.class */
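/**
 * Decides whether a plugin may be granted a {@code RuntimePermission}-style
 * permission, based on the permission name and on which classes appear at
 * fixed positions of the current call stack.
 *
 * <p>Security-relevant properties visible in this class:</p>
 * <ul>
 * <li>Callers are identified with {@code Reflection.getCallerClass(n)} using
 * literal frame indices, and the indices differ per JVM (see the
 * {@code JavaDetector.isIBM()} / {@code JavaDetector.isJDK7()} branches). The
 * indices are counted from the method that makes the call, so wrapping one of
 * these calls in a helper, or any change in call depth, shifts which frame is
 * inspected. Re-verify the indices whenever the JVM, the security manager or
 * this class changes.</li>
 * <li>Trusted container classes are recognised by class name and then by
 * class location; several location checks are substring matches.</li>
 * <li>{@code setContextClassLoader} is always granted,
 * {@code setSecurityManager} is always refused, and any permission name not
 * listed in {@link #checkPermission(Permission)} is refused.</li>
 * </ul>
 */
public class RuntimeChecker extends BaseReflectChecker {
    private static final String _CLASS_NAME_API_CLASS_LOADER_SERVICE_IMPL = "com.sun.enterprise.v3.server.APIClassLoaderServiceImpl";
    private static final String _CLASS_NAME_CLASS_DEFINER = "sun.reflect.ClassDefiner$";
    private static final String _CLASS_NAME_DEFAULT_MBEAN_SERVER_INTERCEPTOR = "com.sun.jmx.interceptor.DefaultMBeanServerInterceptor";
    private static final String _CLASS_NAME_ENVIRONMENT_LOCAL = "com.caucho.loader.EnvironmentLocal";
    private static final String _CLASS_NAME_GENERIC_CLASS_LOADER = "weblogic.utils.classloaders.GenericClassLoader";
    private static final String _CLASS_NAME_JDBC_LEAK_PREVENTION = "org.apache.catalina.loader.JdbcLeakPrevention";
    private static final String _CLASS_NAME_MESSAGES = "org.jboss.logging.Messages";
    private static final String _CLASS_NAME_MODULE_IMPL = "org.apache.felix.framework.ModuleImpl";
    private static final String _CLASS_NAME_PROCESS_IMPL = "java.lang.ProcessImpl$";
    private static final String _CLASS_NAME_PROTECTION_CLASS_LOADER = "com.ibm.ws.classloader.ProtectionClassLoader";
    private static final String _CLASS_NAME_SERVICE_CONTROLLER_IMPL = "org.jboss.msc.service.ServiceControllerImpl";
    private static final String _METHOD_NAME_GET_SYSTEM_CLASS_LOADER = "getSystemClassLoader";
    private static Log _log = LogFactoryUtil.getLog(RuntimeChecker.class);

    // Reference ids whose class loader a plugin may obtain; loaded from the
    // "security-manager-class-loader-reference-ids" property.
    private Set<String> _classLoaderReferenceIds;

    /**
     * Loads the configured class loader reference ids once the checker's
     * properties are available.
     */
    @Override // com.liferay.portal.security.pacl.checker.Checker
    public void afterPropertiesSet() {
        initClassLoaderReferenceIds();
    }

    /**
     * Dispatches on the permission name and reports a violation through
     * {@code throwSecurityException} when the matching {@code has*} check
     * refuses it.
     *
     * <p>Do not insert helper methods between this method and the
     * {@code has*} checks: those checks read fixed stack frame indices.</p>
     *
     * @param permission the permission being requested
     */
    @Override // com.liferay.portal.security.pacl.checker.Checker
    public void checkPermission(Permission permission) {
        String name = permission.getName();

        if (name.startsWith("accessClassInPackage")) {
            // Everything after the first '.' is the package name; without a
            // '.', indexOf returns -1 and the whole name is used.
            String packageName = name.substring(name.indexOf(".") + 1);
            if (!hasAccessClassInPackage(packageName)) {
                throwSecurityException(_log, "Attempted to access package " + packageName);
            }
            return;
        }
        if (name.equals("accessDeclaredMembers")) {
            if (!hasReflect(permission.getName(), permission.getActions())) {
                throwSecurityException(_log, "Attempted to access declared members");
            }
            return;
        }
        if (name.equals("createClassLoader")) {
            // The check is skipped entirely while the thread-local switch is off.
            if (PortalSecurityManagerThreadLocal.isCheckCreateClassLoader()
                    && !isJSPCompiler(permission.getName(), permission.getActions())
                    && !hasCreateClassLoader()) {
                throwSecurityException(_log, "Attempted to create a class loader");
            }
            return;
        }
        if (name.startsWith("getClassLoader")) {
            if (PortalSecurityManagerThreadLocal.isCheckGetClassLoader()
                    && !isJSPCompiler(permission.getName(), permission.getActions())
                    && !hasGetClassLoader(name)) {
                throwSecurityException(_log, "Attempted to get class loader");
            }
            return;
        }
        if (name.startsWith("getProtectionDomain")) {
            if (!hasGetProtectionDomain()) {
                throwSecurityException(_log, "Attempted to get protection domain");
            }
            return;
        }
        if (name.startsWith("getenv")) {
            String envName = name.substring(name.indexOf(".") + 1);
            if (!hasGetEnv(envName)) {
                throwSecurityException(_log, "Attempted to get environment name " + envName);
            }
            return;
        }
        if (name.equals("readFileDescriptor")) {
            if (PortalSecurityManagerThreadLocal.isCheckReadFileDescriptor() && !hasReadFileDescriptor()) {
                throwSecurityException(_log, "Attempted to read file descriptor");
            }
            return;
        }
        if (name.equals("setContextClassLoader")) {
            // Granted unconditionally.
            return;
        }
        if (name.equals("setSecurityManager")) {
            // Refused unconditionally: a plugin must not replace the security manager.
            throwSecurityException(_log, "Attempted to set another security manager");
            return;
        }
        if (name.equals("writeFileDescriptor")) {
            if (PortalSecurityManagerThreadLocal.isCheckWriteFileDescriptor() && !hasWriteFileDescriptor()) {
                throwSecurityException(_log, "Attempted to write file descriptor");
            }
            return;
        }

        // Default deny: any permission name not handled above is refused.
        if (_log.isDebugEnabled()) {
            Thread.dumpStack();
        }
        throwSecurityException(_log, "Attempted to " + permission.getName() + " on " + permission.getActions());
    }

    /**
     * Reports whether the plugin may access classes in the given package.
     *
     * <p>NOTE(review): this method grants every package. The
     * {@code startsWith("sun.reflect")} result is discarded, so the only
     * effect of that statement is a {@code NullPointerException} for a null
     * argument. Confirm against the original source whether a restriction was
     * intended before relying on {@code accessClassInPackage} checks.</p>
     *
     * @param str the package name taken from the permission name
     * @return always {@code true}
     */
    protected boolean hasAccessClassInPackage(String str) {
        str.startsWith("sun.reflect");
        return true;
    }

    /**
     * Allows class loader creation only when a class whose name starts with
     * {@code sun.reflect.ClassDefiner$} sits at the expected stack frame and
     * {@code CheckerUtil.isAccessControllerDoPrivileged} accepts the frame
     * after it. The frame index depends on the JVM: 9 then 10 on IBM, 11 on
     * JDK 7, 10 otherwise.
     *
     * @return {@code true} if the caller at the expected frame is allowed
     */
    protected boolean hasCreateClassLoader() {
        if (JavaDetector.isIBM()) {
            Class<?> ibmCaller = Reflection.getCallerClass(9);
            if (ibmCaller.getName().startsWith(_CLASS_NAME_CLASS_DEFINER) && CheckerUtil.isAccessControllerDoPrivileged(10)) {
                logCreateClassLoader(ibmCaller, 9);
                return true;
            }
            // Second position accepted on IBM JVMs.
            Class<?> ibmDeeperCaller = Reflection.getCallerClass(10);
            if (!ibmDeeperCaller.getName().startsWith(_CLASS_NAME_CLASS_DEFINER) || !CheckerUtil.isAccessControllerDoPrivileged(11)) {
                return false;
            }
            logCreateClassLoader(ibmDeeperCaller, 10);
            return true;
        }
        if (JavaDetector.isJDK7()) {
            Class<?> jdk7Caller = Reflection.getCallerClass(11);
            if (!jdk7Caller.getName().startsWith(_CLASS_NAME_CLASS_DEFINER) || !CheckerUtil.isAccessControllerDoPrivileged(12)) {
                return false;
            }
            logCreateClassLoader(jdk7Caller, 11);
            return true;
        }
        Class<?> defaultCaller = Reflection.getCallerClass(10);
        if (!defaultCaller.getName().startsWith(_CLASS_NAME_CLASS_DEFINER) || !CheckerUtil.isAccessControllerDoPrivileged(11)) {
            return false;
        }
        logCreateClassLoader(defaultCaller, 10);
        return true;
    }

    /**
     * Decides a {@code getClassLoader} request.
     *
     * <p>With a suffix ({@code getClassLoader.<id>}) the id must be one of the
     * configured reference ids, or equal {@code PropsFiles.PORTAL} with one of
     * three portal classes at frame 7. Without a suffix the decision depends
     * on the classes at frames 6 and 7 (and 8 for some containers).</p>
     *
     * @param str the full permission name
     * @return {@code true} if the request is allowed
     */
    protected boolean hasGetClassLoader(String str) {
        int dotPos = str.indexOf(".");
        if (dotPos != -1) {
            String referenceId = str.substring(dotPos + 1);
            if (this._classLoaderReferenceIds.contains(referenceId)) {
                return true;
            }
            if (!referenceId.equals(PropsFiles.PORTAL)) {
                return false;
            }
            // The portal class loader is only handed to these portal classes.
            Class<?> portalCaller = Reflection.getCallerClass(7);
            return portalCaller == BaseAsyncDestination.class
                    || portalCaller == PortalClassLoaderFilter.class
                    || portalCaller == PortalClassLoaderServlet.class;
        }

        // Frame 6 is the class through which the loader is requested, frame 7
        // the class making the request (see the debug message below).
        Class<?> viaClass = Reflection.getCallerClass(6);
        Class<?> requester = Reflection.getCallerClass(7);
        if (_log.isDebugEnabled()) {
            _log.debug(requester.getName() + " is attempting to get the class loader via " + viaClass.getName());
        }

        // Spring classes allowed regardless of which API they go through.
        if (requester == CachedIntrospectionResults.class
                || requester == ClassUtils.class
                || requester.getEnclosingClass() == LocalVariableTableParameterNameDiscoverer.class) {
            logGetClassLoader(requester, 7);
            return true;
        }

        if (viaClass == Class.class) {
            if (isJBossMessages(requester)
                    || isJBossServiceControllerImpl(requester)
                    || isJOnASModuleImpl(requester)
                    || isTomcatJdbcLeakPrevention(requester)) {
                logGetClassLoader(requester, 7);
                return true;
            }
            if (isWebSphereProtectionClassLoader(requester.getEnclosingClass()) && CheckerUtil.isAccessControllerDoPrivileged(8)) {
                logGetClassLoader(requester, 7);
                return true;
            }
            return false;
        }

        if (viaClass == Thread.class) {
            // Allowed when the context class loader is not the portal class
            // loader, or when the requester was not loaded by this checker's
            // class loader.
            boolean allowed = PACLClassLoaderUtil.getContextClassLoader() != getPortalClassLoader()
                    || PACLClassLoaderUtil.getClassLoader(requester) != getClassLoader();
            if (!allowed) {
                return false;
            }
            if (_log.isInfoEnabled()) {
                _log.info("Allowing " + requester.getName() + " to access the context class loader");
            }
            return true;
        }

        if (viaClass != ClassLoader.class) {
            return false;
        }

        Class<?> outerRequester = Reflection.getCallerClass(8);
        if (isGlassfishAPIClassLoaderServiceImpl(outerRequester.getEnclosingClass()) && CheckerUtil.isAccessControllerDoPrivileged(9)) {
            logGetClassLoader(outerRequester, 8);
            return true;
        }
        if (isResinEnvironmentLocal(requester)) {
            logGetClassLoader(requester, 7);
            return true;
        }
        if (isWebLogicGenericClassLoader(requester.getEnclosingClass()) && CheckerUtil.isAccessControllerDoPrivileged(8)) {
            logGetClassLoader(requester, 7);
            return true;
        }
        if (isXercesSecuritySupport(requester) && CheckerUtil.isAccessControllerDoPrivileged(8)) {
            // NOTE(review): the check is on frame 7 but frame 8 is logged; kept as found.
            logGetClassLoader(outerRequester, 8);
            return true;
        }

        // Last resort: allow when the frame at the JVM-specific index is a
        // method named getSystemClassLoader. Only the method name is compared.
        StackTraceElement[] stackTrace = Thread.currentThread().getStackTrace();
        StackTraceElement frame = JavaDetector.isIBM() ? stackTrace[7] : stackTrace[6];
        if (!frame.getMethodName().equals(_METHOD_NAME_GET_SYSTEM_CLASS_LOADER)) {
            return false;
        }
        if (_log.isInfoEnabled()) {
            _log.info("Allowing " + requester.getName() + " to get the system class loader");
        }
        return true;
    }

    /**
     * Allows reading an environment variable when frame 7 is Spring's
     * {@code AbstractApplicationContext}, or when running on WebSphere and the
     * variable is {@code USER_INSTALL_ROOT}.
     *
     * @param str the environment variable name
     * @return {@code true} if the read is allowed
     */
    protected boolean hasGetEnv(String str) {
        Class<?> caller = Reflection.getCallerClass(7);
        if (caller == AbstractApplicationContext.class) {
            logGetEnv(caller, 7, str);
            return true;
        }
        return ServerDetector.isWebSphere() && str.equals("USER_INSTALL_ROOT");
    }

    /**
     * Allows {@code getProtectionDomain} only when the enclosing class of
     * frame 8 is the JMX {@code DefaultMBeanServerInterceptor} and
     * {@code CheckerUtil.isAccessControllerDoPrivileged(9)} holds.
     *
     * @return {@code true} if the request is allowed
     */
    protected boolean hasGetProtectionDomain() {
        Class<?> caller = Reflection.getCallerClass(8);
        if (!isDefaultMBeanServerInterceptor(caller.getEnclosingClass()) || !CheckerUtil.isAccessControllerDoPrivileged(9)) {
            return false;
        }
        logGetProtectionDomain(caller, 8);
        return true;
    }

    /**
     * Allows reading a file descriptor only when a class whose name starts
     * with {@code java.lang.ProcessImpl$} is at frame 9 (JDK 7) or 8
     * (otherwise) and {@code CheckerUtil.isAccessControllerDoPrivileged}
     * accepts the following frame.
     *
     * @return {@code true} if the read is allowed
     */
    protected boolean hasReadFileDescriptor() {
        int frame = JavaDetector.isJDK7() ? 9 : 8;
        Class<?> caller = Reflection.getCallerClass(frame);
        if (!caller.getName().startsWith(_CLASS_NAME_PROCESS_IMPL) || !CheckerUtil.isAccessControllerDoPrivileged(frame + 1)) {
            return false;
        }
        // Record the grant as a read: the audit line previously came from the
        // write-descriptor logger and mislabelled the operation.
        logReadFileDescriptor(caller, frame);
        return true;
    }

    /**
     * Allows writing a file descriptor under the same caller conditions as
     * {@link #hasReadFileDescriptor()}.
     *
     * @return {@code true} if the write is allowed
     */
    protected boolean hasWriteFileDescriptor() {
        int frame = JavaDetector.isJDK7() ? 9 : 8;
        Class<?> caller = Reflection.getCallerClass(frame);
        if (!caller.getName().startsWith(_CLASS_NAME_PROCESS_IMPL) || !CheckerUtil.isAccessControllerDoPrivileged(frame + 1)) {
            return false;
        }
        logWriteFileDescriptor(caller, frame);
        return true;
    }

    /**
     * Reads the allowed class loader reference ids from the
     * {@code security-manager-class-loader-reference-ids} property and, at
     * debug level, logs them in sorted order.
     */
    protected void initClassLoaderReferenceIds() {
        this._classLoaderReferenceIds = getPropertySet("security-manager-class-loader-reference-ids");
        if (_log.isDebugEnabled()) {
            // Sorted copy so the log output is stable.
            for (String referenceId : new TreeSet<String>(this._classLoaderReferenceIds)) {
                _log.debug("Allowing access to class loader for reference " + referenceId);
            }
        }
    }

    /**
     * Recognises the JMX {@code DefaultMBeanServerInterceptor} by name and by
     * an empty class location.
     *
     * @param cls the class to test; may be {@code null}, because the caller
     *        passes {@code getEnclosingClass()}, which is {@code null} for a
     *        top-level class
     * @return {@code true} only for a matching, non-null class
     */
    protected boolean isDefaultMBeanServerInterceptor(Class<?> cls) {
        // A null class is refused here so the permission check ends in the
        // normal denial path instead of a NullPointerException.
        if (cls == null || !cls.getName().equals(_CLASS_NAME_DEFAULT_MBEAN_SERVER_INTERCEPTOR)) {
            return false;
        }
        // NOTE(review): an empty location presumably means the class was not
        // loaded from a jar or directory - confirm against PACLClassUtil.
        return PACLClassUtil.getClassLocation(cls).length() == 0;
    }

    /**
     * Recognises a class nested in GlassFish's
     * {@code APIClassLoaderServiceImpl} whose enclosing class is located under
     * a {@code bundle://} URL.
     *
     * <p>NOTE(review): {@code hasGetClassLoader} already passes an enclosing
     * class, and this method takes the enclosing class again - confirm the
     * two levels are intended.</p>
     *
     * @param cls the class to test; may be {@code null}
     * @return {@code true} if the enclosing class matches by name and location
     */
    protected boolean isGlassfishAPIClassLoaderServiceImpl(Class<?> cls) {
        if (!ServerDetector.isGlassfish() || cls == null) {
            return false;
        }
        Class<?> enclosingClass = cls.getEnclosingClass();
        if (enclosingClass == null || !enclosingClass.getName().equals(_CLASS_NAME_API_CLASS_LOADER_SERVICE_IMPL)) {
            return false;
        }
        return PACLClassUtil.getClassLocation(enclosingClass).startsWith("bundle://");
    }

    /**
     * Recognises JBoss's {@code org.jboss.logging.Messages} by name and by a
     * class location containing the jboss-logging module path.
     *
     * @param cls the class to test
     * @return {@code true} if name and location match on JBoss
     */
    protected boolean isJBossMessages(Class<?> cls) {
        if (!ServerDetector.isJBoss() || !cls.getName().equals(_CLASS_NAME_MESSAGES)) {
            return false;
        }
        // Substring match: any location containing this fragment is accepted.
        return PACLClassUtil.getClassLocation(cls).contains("/modules/org/jboss/logging/main/jboss-logging-");
    }

    /**
     * Recognises JBoss's {@code ServiceControllerImpl} by name and by a class
     * location containing the jboss-msc module path.
     *
     * @param cls the class to test
     * @return {@code true} if name and location match on JBoss
     */
    protected boolean isJBossServiceControllerImpl(Class<?> cls) {
        if (!ServerDetector.isJBoss() || !cls.getName().equals(_CLASS_NAME_SERVICE_CONTROLLER_IMPL)) {
            return false;
        }
        // Substring match: any location containing this fragment is accepted.
        return PACLClassUtil.getClassLocation(cls).contains("/modules/org/jboss/msc/main/jboss-msc-");
    }

    /**
     * Recognises Felix's {@code ModuleImpl} on JOnAS by name and by a class
     * location containing the felix-launcher jar path.
     *
     * @param cls the class to test
     * @return {@code true} if name and location match on JOnAS
     */
    protected boolean isJOnASModuleImpl(Class<?> cls) {
        if (!ServerDetector.isJOnAS() || !cls.getName().equals(_CLASS_NAME_MODULE_IMPL)) {
            return false;
        }
        // Substring match: any location containing this fragment is accepted.
        return PACLClassUtil.getClassLocation(cls).contains("/lib/bootstrap/felix-launcher.jar!/");
    }

    /**
     * Recognises Resin's {@code EnvironmentLocal} by name and by a class
     * location containing {@code <resin.home>/lib/resin.jar!/}.
     *
     * @param cls the class to test
     * @return {@code true} if name and location match on Resin
     */
    protected boolean isResinEnvironmentLocal(Class<?> cls) {
        if (!ServerDetector.isResin() || !cls.getName().equals(_CLASS_NAME_ENVIRONMENT_LOCAL)) {
            return false;
        }
        // An unset resin.home concatenates as the text "null", which is then
        // unlikely to match any real location.
        String expectedFragment = PathUtil.toUnixPath(System.getProperty("resin.home") + "/lib/resin.jar!/");
        return PACLClassUtil.getClassLocation(cls).contains(expectedFragment);
    }

    /**
     * Recognises Tomcat's {@code JdbcLeakPrevention} by name and by a class
     * location ending in the class file path inside
     * {@code <catalina.base>/lib/catalina.jar}.
     *
     * @param cls the class to test
     * @return {@code true} if name and location match on Tomcat
     */
    protected boolean isTomcatJdbcLeakPrevention(Class<?> cls) {
        if (!ServerDetector.isTomcat()) {
            return false;
        }
        String className = cls.getName();
        if (!className.equals(_CLASS_NAME_JDBC_LEAK_PREVENTION)) {
            return false;
        }
        String actualLocation = PACLClassUtil.getClassLocation(cls);
        String expectedLocation = PathUtil.toUnixPath(System.getProperty("catalina.base") + "/lib/catalina.jar!/")
                + StringUtil.replace(className, ".", "/")
                + ".class";
        if (_log.isDebugEnabled()) {
            _log.debug("Actual class location " + actualLocation);
            _log.debug("Expected class location " + expectedLocation);
        }
        // Suffix match against the full expected path: stricter than the
        // substring checks used for the other containers.
        return actualLocation.endsWith(expectedLocation);
    }

    /**
     * Recognises WebLogic's {@code GenericClassLoader} by name and by a class
     * location containing either the core utils module path or
     * {@code /patch_jars/BUG}.
     *
     * @param cls the class to test; may be {@code null}
     * @return {@code true} if name and location match on WebLogic
     */
    protected boolean isWebLogicGenericClassLoader(Class<?> cls) {
        if (!ServerDetector.isWebLogic() || cls == null || !cls.getName().equals(_CLASS_NAME_GENERIC_CLASS_LOADER)) {
            return false;
        }
        String location = PACLClassUtil.getClassLocation(cls);
        // Substring match: any location containing either fragment is accepted.
        return location.contains("/modules/com.bea.core.utils.classloaders_") || location.contains("/patch_jars/BUG");
    }

    /**
     * Recognises WebSphere's {@code ProtectionClassLoader} by name and by a
     * class location starting with {@code bundleresource://}.
     *
     * @param cls the class to test; may be {@code null}
     * @return {@code true} if name and location match on WebSphere
     */
    protected boolean isWebSphereProtectionClassLoader(Class<?> cls) {
        if (!ServerDetector.isWebSphere() || cls == null || !cls.getName().equals(_CLASS_NAME_PROTECTION_CLASS_LOADER)) {
            return false;
        }
        return PACLClassUtil.getClassLocation(cls).startsWith("bundleresource://");
    }

    /**
     * Recognises a class nested in a Xerces {@code SecuritySupport} class: the
     * name must contain {@code .SecuritySupport$} and the package must be the
     * same {@code Package} object as that of {@code AbstractDOMParser} or
     * {@code DatatypeException}.
     *
     * @param cls the class to test
     * @return {@code true} if name and package match
     */
    protected boolean isXercesSecuritySupport(Class<?> cls) {
        if (!cls.getName().contains(".SecuritySupport$")) {
            return false;
        }
        // Identity comparison of Package objects, not of package names.
        Package pkg = cls.getPackage();
        return pkg == AbstractDOMParser.class.getPackage() || pkg == DatatypeException.class.getPackage();
    }

    /**
     * Logs, at info level, that class loader creation was allowed.
     *
     * @param cls the class found at the inspected frame
     * @param i the inspected frame index
     */
    protected void logCreateClassLoader(Class<?> cls, int i) {
        if (_log.isInfoEnabled()) {
            _log.info("Allowing frame " + i + " with caller " + cls + " to create a class loader");
        }
    }

    /**
     * Logs, at info level, that class loader access was allowed.
     *
     * @param cls the class found at the inspected frame
     * @param i the inspected frame index
     */
    protected void logGetClassLoader(Class<?> cls, int i) {
        if (_log.isInfoEnabled()) {
            _log.info("Allowing frame " + i + " with caller " + cls + " to get the class loader");
        }
    }

    /**
     * Logs, at info level, that an environment variable read was allowed.
     *
     * @param cls the class found at the inspected frame
     * @param i the inspected frame index
     * @param str the environment variable name
     */
    protected void logGetEnv(Class<?> cls, int i, String str) {
        if (_log.isInfoEnabled()) {
            _log.info("Allowing frame " + i + " with caller " + cls + " to get environment " + str);
        }
    }

    /**
     * Logs, at info level, that protection domain access was allowed.
     *
     * @param cls the class found at the inspected frame
     * @param i the inspected frame index
     */
    protected void logGetProtectionDomain(Class<?> cls, int i) {
        if (_log.isInfoEnabled()) {
            _log.info("Allowing frame " + i + " with caller " + cls + " to get the protection domain");
        }
    }

    /**
     * Logs, at info level, that a file descriptor read was allowed.
     *
     * @param cls the class found at the inspected frame
     * @param i the inspected frame index
     */
    protected void logReadFileDescriptor(Class<?> cls, int i) {
        if (_log.isInfoEnabled()) {
            _log.info("Allowing frame " + i + " with caller " + cls + " to read a file descriptor");
        }
    }

    /**
     * Logs, at info level, that a file descriptor write was allowed.
     *
     * @param cls the class found at the inspected frame
     * @param i the inspected frame index
     */
    protected void logWriteFileDescriptor(Class<?> cls, int i) {
        if (_log.isInfoEnabled()) {
            _log.info("Allowing frame " + i + " with caller " + cls + " to write a file descriptor");
        }
    }
}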
