package org.apache.geode.cache.query.security;

import java.lang.reflect.Method;
import java.sql.Timestamp;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import org.apache.geode.annotations.Immutable;
import org.apache.geode.cache.Cache;
import org.apache.geode.cache.Region;
import org.apache.geode.cache.query.internal.QRegion;
import org.apache.geode.internal.cache.InternalCache;
import org.apache.geode.internal.security.SecurityService;
import org.apache.geode.internal.security.SecurityServiceFactory;
import org.apache.geode.management.internal.i18n.CliStrings;
import org.apache.geode.security.NotAuthorizedException;
import org.apache.geode.security.ResourcePermission;

/* loaded from: input_file:org/apache/geode/cache/query/security/RestrictedMethodAuthorizer.class */
public final class RestrictedMethodAuthorizer implements MethodInvocationAuthorizer {
    public static final String UNAUTHORIZED_STRING = "Unauthorized access to method: ";

    @Immutable
    static final Set<String> FORBIDDEN_METHODS = Collections.unmodifiableSet(createForbiddenList());

    @Immutable
    static final Map<String, Set<Class>> GEODE_ALLOWED_METHODS = Collections.unmodifiableMap(createGeodeAcceptanceList());

    @Immutable
    static final Map<String, Set<Class>> DEFAULT_ALLOWED_METHODS = Collections.unmodifiableMap(createDefaultAcceptanceList());
    final SecurityService securityService;
    private final Set<String> forbiddenMethods;
    private final Map<String, Set<Class>> allowedMethodsPerClass;
    private final Map<String, Set<Class>> allowedGeodeMethodsPerClass;

    private static Set<String> createForbiddenList() {
        HashSet hashSet = new HashSet();
        hashSet.add("getClass");
        hashSet.add("readObject");
        hashSet.add("readResolve");
        hashSet.add("readObjectNoData");
        hashSet.add("writeObject");
        hashSet.add("writeReplace");
        return hashSet;
    }

    private static Map<String, Set<Class>> createGeodeAcceptanceList() {
        HashMap hashMap = new HashMap();
        HashSet hashSet = new HashSet();
        hashSet.add(Object.class);
        Set unmodifiableSet = Collections.unmodifiableSet(hashSet);
        hashMap.put("equals", unmodifiableSet);
        hashMap.put("toString", unmodifiableSet);
        HashSet hashSet2 = new HashSet();
        hashSet2.add(Region.Entry.class);
        Set unmodifiableSet2 = Collections.unmodifiableSet(hashSet2);
        hashMap.put("getKey", unmodifiableSet2);
        hashMap.put("getValue", unmodifiableSet2);
        HashSet hashSet3 = new HashSet();
        hashSet3.add(Region.class);
        hashSet3.add(QRegion.class);
        Set unmodifiableSet3 = Collections.unmodifiableSet(hashSet3);
        hashMap.put("containsKey", unmodifiableSet3);
        hashMap.put("entrySet", unmodifiableSet3);
        hashMap.put("get", unmodifiableSet3);
        hashMap.put("keySet", unmodifiableSet3);
        hashMap.put("values", unmodifiableSet3);
        hashMap.put("getEntries", unmodifiableSet3);
        hashMap.put("getValues", unmodifiableSet3);
        return hashMap;
    }

    private static Map<String, Set<Class>> createDefaultAcceptanceList() {
        HashMap hashMap = new HashMap();
        HashSet hashSet = new HashSet();
        hashSet.add(Object.class);
        Set unmodifiableSet = Collections.unmodifiableSet(hashSet);
        hashMap.put("compareTo", unmodifiableSet);
        hashMap.put("equals", unmodifiableSet);
        hashMap.put("toString", unmodifiableSet);
        HashSet hashSet2 = new HashSet();
        hashSet2.add(Boolean.class);
        hashMap.put("booleanValue", Collections.unmodifiableSet(hashSet2));
        HashSet hashSet3 = new HashSet();
        hashSet3.add(Number.class);
        Set unmodifiableSet2 = Collections.unmodifiableSet(hashSet3);
        hashMap.put("byteValue", unmodifiableSet2);
        hashMap.put("doubleValue", unmodifiableSet2);
        hashMap.put("floatValue", unmodifiableSet2);
        hashMap.put("intValue", unmodifiableSet2);
        hashMap.put("longValue", unmodifiableSet2);
        hashMap.put("shortValue", unmodifiableSet2);
        HashSet hashSet4 = new HashSet();
        hashSet4.add(Date.class);
        Set unmodifiableSet3 = Collections.unmodifiableSet(hashSet4);
        hashMap.put("after", unmodifiableSet3);
        hashMap.put("before", unmodifiableSet3);
        hashMap.put("getTime", unmodifiableSet3);
        HashSet hashSet5 = new HashSet();
        hashSet5.add(Timestamp.class);
        hashMap.put("getNanos", Collections.unmodifiableSet(hashSet5));
        HashSet hashSet6 = new HashSet();
        hashSet6.add(String.class);
        Set unmodifiableSet4 = Collections.unmodifiableSet(hashSet6);
        hashMap.put("charAt", unmodifiableSet4);
        hashMap.put("codePointAt", unmodifiableSet4);
        hashMap.put("codePointBefore", unmodifiableSet4);
        hashMap.put("codePointCount", unmodifiableSet4);
        hashMap.put("compareToIgnoreCase", unmodifiableSet4);
        hashMap.put("concat", unmodifiableSet4);
        hashMap.put("contains", unmodifiableSet4);
        hashMap.put("contentEquals", unmodifiableSet4);
        hashMap.put("endsWith", unmodifiableSet4);
        hashMap.put("equalsIgnoreCase", unmodifiableSet4);
        hashMap.put("getBytes", unmodifiableSet4);
        hashMap.put("hashCode", unmodifiableSet4);
        hashMap.put("indexOf", unmodifiableSet4);
        hashMap.put("intern", unmodifiableSet4);
        hashMap.put("isEmpty", unmodifiableSet4);
        hashMap.put("lastIndexOf", unmodifiableSet4);
        hashMap.put("length", unmodifiableSet4);
        hashMap.put(CliStrings.LIST_FUNCTION__MATCHES, unmodifiableSet4);
        hashMap.put("offsetByCodePoints", unmodifiableSet4);
        hashMap.put("regionMatches", unmodifiableSet4);
        hashMap.put("replace", unmodifiableSet4);
        hashMap.put("replaceAll", unmodifiableSet4);
        hashMap.put("replaceFirst", unmodifiableSet4);
        hashMap.put("split", unmodifiableSet4);
        hashMap.put("startsWith", unmodifiableSet4);
        hashMap.put("substring", unmodifiableSet4);
        hashMap.put("toCharArray", unmodifiableSet4);
        hashMap.put("toLowerCase", unmodifiableSet4);
        hashMap.put("toUpperCase", unmodifiableSet4);
        hashMap.put("trim", unmodifiableSet4);
        HashSet hashSet7 = new HashSet();
        hashSet7.add(Map.Entry.class);
        Set unmodifiableSet5 = Collections.unmodifiableSet(hashSet7);
        hashMap.put("getKey", unmodifiableSet5);
        hashMap.put("getValue", unmodifiableSet5);
        HashSet hashSet8 = new HashSet();
        hashSet8.add(Map.class);
        hashSet8.add(QRegion.class);
        Set unmodifiableSet6 = Collections.unmodifiableSet(hashSet8);
        hashMap.put("containsKey", unmodifiableSet6);
        hashMap.put("entrySet", unmodifiableSet6);
        hashMap.put("get", unmodifiableSet6);
        hashMap.put("keySet", unmodifiableSet6);
        hashMap.put("values", unmodifiableSet6);
        hashMap.put("getEntries", unmodifiableSet6);
        hashMap.put("getValues", unmodifiableSet6);
        return hashMap;
    }

    Set<String> getForbiddenMethods() {
        return this.forbiddenMethods;
    }

    Map<String, Set<Class>> getAllowedMethodsPerClass() {
        return this.allowedMethodsPerClass;
    }

    Map<String, Set<Class>> getAllowedGeodeMethodsPerClass() {
        return this.allowedGeodeMethodsPerClass;
    }

    public RestrictedMethodAuthorizer(Cache cache) {
        Objects.requireNonNull(cache, "Cache should be provided to configure the authorizer.");
        if (cache instanceof InternalCache) {
            this.securityService = ((InternalCache) cache).getSecurityService();
        } else {
            Objects.requireNonNull(cache.getDistributedSystem(), "Distributed system properties should be provided to configure the authorizer.");
            this.securityService = SecurityServiceFactory.create(cache.getDistributedSystem().getSecurityProperties());
        }
        this.forbiddenMethods = FORBIDDEN_METHODS;
        this.allowedMethodsPerClass = DEFAULT_ALLOWED_METHODS;
        this.allowedGeodeMethodsPerClass = GEODE_ALLOWED_METHODS;
    }

    private boolean isAllowedByDefault(Method method, Object obj) {
        Set<Class> set = this.allowedMethodsPerClass.get(method.getName());
        if (set == null) {
            return false;
        }
        Iterator<Class> it = set.iterator();
        while (it.hasNext()) {
            if (it.next().isAssignableFrom(obj.getClass())) {
                return true;
            }
        }
        return false;
    }

    private void authorizeRegionAccess(SecurityService securityService, Object obj) {
        if (obj instanceof Region) {
            securityService.authorize(ResourcePermission.Resource.DATA, ResourcePermission.Operation.READ, ((Region) obj).getName());
        }
    }

    public boolean isAllowedGeodeMethod(Method method, Object obj) {
        Set<Class> set = this.allowedGeodeMethodsPerClass.get(method.getName());
        if (set == null) {
            return false;
        }
        Iterator<Class> it = set.iterator();
        while (it.hasNext()) {
            if (it.next().isAssignableFrom(obj.getClass())) {
                try {
                    authorizeRegionAccess(this.securityService, obj);
                    return true;
                } catch (NotAuthorizedException e) {
                    return false;
                }
            }
        }
        return false;
    }

    public boolean isPermanentlyForbiddenMethod(Method method, Object obj) {
        return this.forbiddenMethods.contains(method.getName());
    }

    @Override // org.apache.geode.cache.query.security.MethodInvocationAuthorizer
    public boolean authorize(Method method, Object obj) {
        if (!isAllowedByDefault(method, obj)) {
            return false;
        }
        try {
            authorizeRegionAccess(this.securityService, obj);
            return true;
        } catch (NotAuthorizedException e) {
            return false;
        }
    }
}
