package org.neo4j.kernel.impl.security;

import java.io.IOException;
import java.net.InetAddress;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.util.Locale;
import java.util.function.Supplier;
import org.neo4j.cloud.storage.SchemeFileSystemAbstraction;
import org.neo4j.configuration.Config;
import org.neo4j.configuration.GraphDatabaseSettings;
import org.neo4j.csv.reader.CharReadable;
import org.neo4j.csv.reader.Readables;
import org.neo4j.graphdb.security.URLAccessValidationError;
import org.neo4j.internal.kernel.api.security.SecurityAuthorizationHandler;
import org.neo4j.internal.kernel.api.security.SecurityContext;
import org.neo4j.io.fs.DefaultFileSystemAbstraction;

/* loaded from: input_file:org/neo4j/kernel/impl/security/FileURIAccessRule.class */
public class FileURIAccessRule implements AccessRule<URI> {
    private final Supplier<SchemeFileSystemAbstraction> schemeSystemSupplier;
    private final Config config;

    public FileURIAccessRule(Config config) {
        this(() -> {
            return new SchemeFileSystemAbstraction(new DefaultFileSystemAbstraction(), config);
        }, config);
    }

    public FileURIAccessRule(Supplier<SchemeFileSystemAbstraction> supplier, Config config) {
        this.schemeSystemSupplier = supplier;
        this.config = config;
    }

    public URI validate(URI uri, SecurityAuthorizationHandler securityAuthorizationHandler, SecurityContext securityContext) throws URLAccessValidationError {
        boolean isFileLikeScheme = isFileLikeScheme(uri);
        if (isFileLikeScheme && uri.getAuthority() != null && !uri.getAuthority().isEmpty()) {
            throw new URLAccessValidationError("file URL may not contain an authority section (i.e. it should be 'file:///')");
        }
        if (uri.getQuery() != null && !uri.getQuery().isEmpty()) {
            throw new URLAccessValidationError("file URL may not contain a query component");
        }
        if (!((Boolean) this.config.get(GraphDatabaseSettings.allow_file_urls)).booleanValue()) {
            throw new URLAccessValidationError("configuration property '" + GraphDatabaseSettings.allow_file_urls.name() + "' is false");
        }
        URI normalizeURI = isFileLikeScheme ? normalizeURI(uri) : uri.normalize();
        securityAuthorizationHandler.assertLoadAllowed(securityContext, normalizeURI, (InetAddress) null);
        return normalizeURI;
    }

    @Override // org.neo4j.kernel.impl.security.AccessRule
    public CharReadable getReader(URI uri, SecurityAuthorizationHandler securityAuthorizationHandler, SecurityContext securityContext) throws URLAccessValidationError, IOException {
        String lowerCase = uri.getScheme().toLowerCase(Locale.ROOT);
        SchemeFileSystemAbstraction schemeFileSystemAbstraction = this.schemeSystemSupplier.get();
        try {
            if (!schemeFileSystemAbstraction.resolvableSchemes().contains(lowerCase)) {
                throw new URLAccessValidationError("Invalid URL '" + uri + "': unknown protocol: " + lowerCase);
            }
            if (!schemeFileSystemAbstraction.canResolve(uri)) {
                throw new URLAccessValidationError("loading resources via protocol '" + lowerCase + "' is not permitted");
            }
            CharReadable files = Readables.files(StandardCharsets.UTF_8, new Path[]{schemeFileSystemAbstraction.resolve(validate(uri, securityAuthorizationHandler, securityContext))});
            if (schemeFileSystemAbstraction != null) {
                schemeFileSystemAbstraction.close();
            }
            return files;
        } catch (Throwable th) {
            if (schemeFileSystemAbstraction != null) {
                try {
                    schemeFileSystemAbstraction.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private boolean isFileLikeScheme(URI uri) {
        String scheme = uri.getScheme();
        return scheme == null || "file".equalsIgnoreCase(scheme);
    }

    private URI normalizeURI(URI uri) throws URLAccessValidationError {
        if (!this.config.isExplicitlySet(GraphDatabaseSettings.load_csv_file_url_root)) {
            return uri;
        }
        Path absolutePath = ((Path) this.config.get(GraphDatabaseSettings.load_csv_file_url_root)).normalize().toAbsolutePath();
        Path of = Path.of(uri.normalize());
        Path absolutePath2 = absolutePath.resolve(of.getRoot().relativize(of)).normalize().toAbsolutePath();
        if (absolutePath2.startsWith(absolutePath)) {
            return absolutePath2.toUri();
        }
        throw new URLAccessValidationError("file URL points outside configured import directory");
    }
}
