package org.apache.dubbo.common.utils;

import java.io.IOException;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Iterator;
import java.util.Locale;
import java.util.Set;
import java.util.concurrent.atomic.AtomicLong;
import org.apache.dubbo.common.beanutil.JavaBeanSerializeUtil;
import org.apache.dubbo.common.config.ConfigurationUtils;
import org.apache.dubbo.common.constants.CommonConstants;
import org.apache.dubbo.common.logger.Logger;
import org.apache.dubbo.common.logger.LoggerFactory;

/* loaded from: input_file:org/apache/dubbo/common/utils/SerializeClassChecker.class */
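/**
 * Process-wide gatekeeper that decides whether a class name may be deserialized.
 *
 * <p>Decisions are made by case-insensitive prefix matching: class names and configured
 * prefixes are lower-cased with {@link Locale#ROOT} before comparison. An allow-list match
 * takes precedence over a block-list match. When the block-all switch
 * ({@code CommonConstants.CLASS_DESERIALIZE_BLOCK_ALL}) is enabled, every class that is not
 * allow-listed is rejected.
 *
 * <p>Rejections are reported by throwing {@link IllegalArgumentException}; the log output for
 * them is rate limited (see {@link #error(String)}).
 */
public class SerializeClassChecker {
    private static final Logger logger = LoggerFactory.getLogger((Class<?>) SerializeClassChecker.class);
    // Lazily created singleton; volatile so the double-checked locking in getInstance() is safe.
    private static volatile SerializeClassChecker INSTANCE = null;
    // When true, validateClass(Class) rejects classes that do not implement Serializable.
    private final boolean checkSerializable;
    // Lower-cased class-name prefixes that are always accepted.
    private final Set<String> CLASS_DESERIALIZE_ALLOWED_SET = new ConcurrentHashSet<>();
    // Lower-cased class-name prefixes that are rejected unless allow-listed.
    private final Set<String> CLASS_DESERIALIZE_BLOCKED_SET = new ConcurrentHashSet<>();
    // Sentinel stored as the cache value; only presence of the key matters.
    private final Object CACHE = new Object();
    // Per-name decision caches so repeated lookups skip the prefix scans.
    private final LFUCache<String, Object> CLASS_ALLOW_LFU_CACHE = new LFUCache<>();
    private final LFUCache<String, Object> CLASS_BLOCK_LFU_CACHE = new LFUCache<>();
    // Number of rejections so far; drives log rate limiting in error().
    private final AtomicLong counter = new AtomicLong(0);
    // Strict mode: reject everything that is not on the allow-list.
    private final boolean BLOCK_ALL_CLASS_EXCEPT_ALLOW = Boolean.parseBoolean(System.getProperty(CommonConstants.CLASS_DESERIALIZE_BLOCK_ALL, "false"));

    /**
     * Loads the bundled block-list resource, then merges the allow/block prefixes supplied
     * through system properties, and finally reads the Serializable-check switch.
     */
    private SerializeClassChecker() {
        try {
            ClassLoader classLoader = ClassUtils.getClassLoader(JavaBeanSerializeUtil.class);
            // NOTE(review): a missing resource yields a null stream; how IOUtils.readLines
            // treats that is not visible here — confirm it cannot escape as an unchecked exception.
            for (String line : classLoader != null ? IOUtils.readLines(classLoader.getResourceAsStream(CommonConstants.SERIALIZE_BLOCKED_LIST_FILE_PATH)) : IOUtils.readLines(ClassLoader.getSystemResourceAsStream(CommonConstants.SERIALIZE_BLOCKED_LIST_FILE_PATH))) {
                // Lower-case the entry: validateClass compares against a lower-cased class
                // name, so a mixed-case entry would otherwise never match and silently not block.
                String entry = line.trim().toLowerCase(Locale.ROOT);
                if (!StringUtils.isEmpty(entry) && !entry.startsWith("#")) {
                    this.CLASS_DESERIALIZE_BLOCKED_SET.add(entry);
                }
            }
        } catch (IOException e) {
            // Deliberate best-effort: the checker keeps running without the default block-list.
            // Operators should treat this log line as a reduced-protection condition.
            logger.error("Failed to load blocked class list! Will ignore default blocked list.", e);
        }
        String allowedProperty = System.getProperty(CommonConstants.CLASS_DESERIALIZE_ALLOWED_LIST, "").trim().toLowerCase(Locale.ROOT);
        String blockedProperty = System.getProperty(CommonConstants.CLASS_DESERIALIZE_BLOCKED_LIST, "").trim().toLowerCase(Locale.ROOT);
        addPrefixes(this.CLASS_DESERIALIZE_ALLOWED_SET, allowedProperty);
        addPrefixes(this.CLASS_DESERIALIZE_BLOCKED_SET, blockedProperty);
        this.checkSerializable = Boolean.parseBoolean(ConfigurationUtils.getProperty(CommonConstants.CLASS_DESERIALIZE_CHECK_SERIALIZABLE, CommonConstants.GENERIC_SERIALIZATION_DEFAULT));
    }

    /**
     * Splits a comma-separated prefix list and adds each non-empty, trimmed entry to
     * {@code target}.
     *
     * <p>Empty entries are dropped on purpose: every string starts with {@code ""}, so an empty
     * prefix (from {@code "a.,,b."} or a stray comma) would match every class name — in the
     * allow-list that would disable the check entirely. Entries are trimmed individually so
     * {@code "a., b."} does not produce a prefix with a leading space that can never match.
     */
    private static void addPrefixes(Set<String> target, String commaSeparated) {
        for (String part : commaSeparated.split(",")) {
            String prefix = part.trim();
            if (!prefix.isEmpty()) {
                target.add(prefix);
            }
        }
    }

    /**
     * Returns the shared checker, creating it on first use.
     *
     * @return the singleton instance
     */
    public static SerializeClassChecker getInstance() {
        SerializeClassChecker current = INSTANCE;
        if (current == null) {
            synchronized (SerializeClassChecker.class) {
                current = INSTANCE;
                if (current == null) {
                    current = new SerializeClassChecker();
                    INSTANCE = current;
                }
            }
        }
        return current;
    }

    /**
     * Drops the singleton so the next {@link #getInstance()} call re-reads the configuration.
     */
    @Deprecated
    protected static void clearInstance() {
        INSTANCE = null;
    }

    /**
     * Checks a class name against the allow-list and block-list.
     *
     * <p>Order of evaluation: cached allow decision, cached block decision, allow-list prefixes,
     * block-all switch, block-list prefixes. A name matching none of them is accepted and cached
     * as allowed.
     *
     * @param str fully qualified class name to check
     * @throws IllegalArgumentException if the class is blocked
     */
    public void validateClass(String str) {
        String name = str.toLowerCase(Locale.ROOT);
        if (this.CACHE == this.CLASS_ALLOW_LFU_CACHE.get(name)) {
            return;
        }
        if (this.CACHE == this.CLASS_BLOCK_LFU_CACHE.get(name)) {
            error(name);
        }
        for (String allowedPrefix : this.CLASS_DESERIALIZE_ALLOWED_SET) {
            if (name.startsWith(allowedPrefix)) {
                this.CLASS_ALLOW_LFU_CACHE.put(name, this.CACHE);
                return;
            }
        }
        // Evaluated outside the block-list loop so that strict mode still rejects when the
        // block-list is empty (for example after the bundled list failed to load).
        if (this.BLOCK_ALL_CLASS_EXCEPT_ALLOW) {
            this.CLASS_BLOCK_LFU_CACHE.put(name, this.CACHE);
            error(name);
        }
        for (String blockedPrefix : this.CLASS_DESERIALIZE_BLOCKED_SET) {
            if (name.startsWith(blockedPrefix)) {
                this.CLASS_BLOCK_LFU_CACHE.put(name, this.CACHE);
                error(name);
            }
        }
        this.CLASS_ALLOW_LFU_CACHE.put(name, this.CACHE);
    }

    /**
     * Rejects classes that do not implement {@link Serializable} when that check is enabled.
     *
     * <p>This overload does not consult the allow-list or block-list; callers that need the
     * prefix check must also call {@link #validateClass(String)}.
     *
     * @param cls class about to be deserialized
     * @throws IllegalArgumentException if the check is enabled and {@code cls} is not Serializable
     */
    public void validateClass(Class<?> cls) {
        if (!this.checkSerializable || Serializable.class.isAssignableFrom(cls)) {
            return;
        }
        error(cls.getName());
    }

    /**
     * Logs (rate limited) and throws for a rejected class. Never returns normally.
     *
     * <p>The first 99 rejections and every 1000th one are logged, so a flood of hostile
     * payloads cannot fill the log while the event stays visible for detection.
     *
     * @param str name of the rejected class, included in the message
     * @throws IllegalArgumentException always
     */
    private void error(String str) {
        String message = "Trigger the safety barrier! Catch not allowed serialize class. Class name: " + str + " . This means currently maybe being attacking by others.If you are sure this is a mistake, please add this class name to `" + CommonConstants.CLASS_DESERIALIZE_ALLOWED_LIST + "` as a system environment property.";
        // Read the counter once so the two conditions judge the same value under concurrency.
        long rejections = this.counter.incrementAndGet();
        if (rejections % 1000 == 0 || rejections < 100) {
            logger.error(message);
        }
        throw new IllegalArgumentException(message);
    }
}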
