package com.opensymphony.xwork2.ognl;

import com.opensymphony.xwork2.conversion.impl.XWorkConverter;
import com.opensymphony.xwork2.inject.Inject;
import com.opensymphony.xwork2.util.ConfigParseUtil;
import com.opensymphony.xwork2.util.ProxyUtil;
import com.opensymphony.xwork2.validator.validators.ValidatorSupport;
import java.lang.reflect.AccessibleObject;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Member;
import java.lang.reflect.Modifier;
import java.text.MessageFormat;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import ognl.MemberAccess;
import org.apache.commons.lang3.BooleanUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.struts2.StrutsConstants;
import org.apache.struts2.ognl.ProviderAllowlist;
import org.apache.struts2.ognl.ThreadAllowlist;

/* loaded from: input_file:com/opensymphony/xwork2/ognl/SecurityMemberAccess.class */
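/**
 * OGNL {@link MemberAccess} gate: decides, for each member an OGNL expression tries to reach,
 * whether access is permitted.
 *
 * <p>{@link #isAccessible(Map, Object, Member, String)} applies its checks in a fixed order:
 * target/member consistency, proxy object, proxy member, public modifier, static field,
 * static method, default package, exclusion list, allowlist, and finally the property-name
 * patterns. The first failing check denies access and is logged at WARN.
 *
 * <p>The values assigned in the constructor are permissive (allowlist enforcement off, static
 * field access on, proxy and default-package checks off). Each can be overridden by the
 * optional {@code @Inject} setters below, so the effective policy depends on the container
 * configuration, which is not visible in this file.
 *
 * <p>When dev mode is enabled, the first exclusion-list check replaces the configured exclusion
 * sets with the dev-mode sets for the lifetime of this instance (see
 * {@link #useDevModeConfiguration()}); a deployment running with dev mode on is therefore not
 * protected by the regular exclusion configuration.
 */
public class SecurityMemberAccess implements MemberAccess {
    private final ProviderAllowlist providerAllowlist;
    private final ThreadAllowlist threadAllowlist;
    private boolean allowStaticFieldAccess;
    private Set<Pattern> excludeProperties;
    private Set<Pattern> acceptProperties;
    private Set<String> excludedClasses;
    private Set<Pattern> excludedPackageNamePatterns;
    private Set<String> excludedPackageNames;
    private Set<String> excludedPackageExemptClasses;
    // Set once the dev-mode exclusion sets have been swapped in for this instance.
    private volatile boolean isDevModeInit;
    private boolean isDevMode;
    private Set<String> devModeExcludedClasses;
    private Set<Pattern> devModeExcludedPackageNamePatterns;
    private Set<String> devModeExcludedPackageNames;
    private Set<String> devModeExcludedPackageExemptClasses;
    private boolean enforceAllowlistEnabled;
    private Set<Class<?>> allowlistClasses;
    private Set<String> allowlistPackageNames;
    private boolean disallowProxyObjectAccess;
    private boolean disallowProxyMemberAccess;
    private boolean disallowDefaultPackageAccess;
    private static final Logger LOG = LogManager.getLogger(SecurityMemberAccess.class);
    // Packages and classes that are always treated as allowlisted, independent of configuration.
    private static final Set<String> ALLOWLIST_REQUIRED_PACKAGES = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
            "com.opensymphony.xwork2.validator.validators",
            "org.apache.struts2.components",
            "org.apache.struts2.views.jsp")));
    private static final Set<Class<?>> ALLOWLIST_REQUIRED_CLASSES = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
            Enum.class,
            String.class,
            Date.class,
            HashMap.class,
            Map.class,
            Map.Entry.class)));
    // Process-wide flag so the dev-mode warning is written once rather than once per instance.
    private static volatile boolean isDevModeLogged = false;

    /**
     * Creates an instance with the built-in defaults; configuration is applied afterwards
     * through the {@code use*} setters.
     *
     * @param providerAllowlist source of additional allowlisted classes; may be {@code null}
     *                          (the deprecated constructor passes {@code null})
     * @param threadAllowlist   source of additional allowlisted classes; may be {@code null}
     */
    @Inject
    public SecurityMemberAccess(@Inject ProviderAllowlist providerAllowlist, @Inject ThreadAllowlist threadAllowlist) {
        this.allowStaticFieldAccess = true;
        this.excludeProperties = Collections.emptySet();
        this.acceptProperties = Collections.emptySet();
        // java.lang.Object is excluded even before any configuration is injected.
        this.excludedClasses = Collections.unmodifiableSet(new HashSet<>(Collections.singletonList(Object.class.getName())));
        this.excludedPackageNamePatterns = Collections.emptySet();
        this.excludedPackageNames = Collections.emptySet();
        this.excludedPackageExemptClasses = Collections.emptySet();
        this.devModeExcludedClasses = Collections.unmodifiableSet(new HashSet<>(Collections.singletonList(Object.class.getName())));
        this.devModeExcludedPackageNamePatterns = Collections.emptySet();
        this.devModeExcludedPackageNames = Collections.emptySet();
        this.devModeExcludedPackageExemptClasses = Collections.emptySet();
        this.enforceAllowlistEnabled = false;
        this.allowlistClasses = Collections.emptySet();
        this.allowlistPackageNames = Collections.emptySet();
        this.disallowProxyObjectAccess = false;
        this.disallowProxyMemberAccess = false;
        this.disallowDefaultPackageAccess = false;
        this.providerAllowlist = providerAllowlist;
        this.threadAllowlist = threadAllowlist;
    }

    /**
     * Creates an instance without provider or thread allowlists.
     *
     * @param z whether static field access is allowed
     * @deprecated use the two-argument constructor together with
     *             {@link #useAllowStaticFieldAccess(String)}
     */
    @Deprecated
    public SecurityMemberAccess(boolean z) {
        this(null, null);
        useAllowStaticFieldAccess(String.valueOf(z));
    }

    /**
     * Makes {@code member} reflectively accessible if, and only if, the access checks pass.
     *
     * @return {@code Boolean.FALSE} when the member was inaccessible and has been opened (the
     *         state to hand back to {@link #restore}), otherwise {@code null}
     */
    @Override
    public Object setup(Map map, Object obj, Member member, String str) {
        Boolean previousState = null;
        if (isAccessible(map, obj, member, str)) {
            AccessibleObject accessibleObject = (AccessibleObject) member;
            if (!accessibleObject.isAccessible()) {
                previousState = Boolean.FALSE;
                accessibleObject.setAccessible(true);
            }
        }
        return previousState;
    }

    /**
     * Reverts the change made by {@link #setup}.
     *
     * @param obj2 the value returned by {@code setup}; {@code null} means nothing to undo
     * @throws IllegalArgumentException if {@code obj2} is {@code true}, a state {@code setup}
     *                                  never produces
     */
    @Override
    public void restore(Map map, Object obj, Member member, String str, Object obj2) {
        if (obj2 == null) {
            return;
        }
        if ((Boolean) obj2) {
            throw new IllegalArgumentException(MessageFormat.format("Improper restore state [true] for target [{0}], member [{1}], propertyName [{2}]", obj, member, str));
        }
        ((AccessibleObject) member).setAccessible(false);
    }

    /**
     * Runs the full access policy for one member.
     *
     * @param map    the OGNL context (not read by this method)
     * @param obj    the target object, a {@code Class} for static/constructor access, or
     *               {@code null}
     * @param member the field, method or constructor being accessed
     * @param str    the property name, or {@code null}
     * @return {@code true} only when every check passes
     * @throws IllegalArgumentException if target and member are inconsistent with each other
     */
    @Override
    public boolean isAccessible(Map map, Object obj, Member member, String str) {
        LOG.debug("Checking access for [target: {}, member: {}, property: {}]", obj, member, str);
        Object target = obj;
        if (target != null) {
            // A Class object as target means static or constructor access, except for the
            // java.lang.Class object itself, which is handled like an ordinary instance.
            boolean targetIsClassObject = Class.class.equals(target.getClass()) && !Class.class.equals(target);
            if (targetIsClassObject) {
                if (!isStatic(member) && !Constructor.class.equals(member.getClass())) {
                    throw new IllegalArgumentException("Member expected to be static or constructor!");
                }
                if (!member.getDeclaringClass().equals(target)) {
                    throw new IllegalArgumentException("Target class does not match member!");
                }
                // From here on a static access is represented by a null target.
                target = null;
            } else if (!member.getDeclaringClass().isAssignableFrom(target.getClass())) {
                throw new IllegalArgumentException("Member does not exist on target!");
            }
        }
        if (!checkProxyObjectAccess(target)) {
            // The target can be null here if an overriding check rejects a static access;
            // keep the denial path from failing with a NullPointerException while logging.
            LOG.warn("Access to proxy is blocked! Target [{}], proxy class [{}]", target, target == null ? null : target.getClass().getName());
            return false;
        }
        if (!checkProxyMemberAccess(target, member)) {
            LOG.warn("Access to proxy is blocked! Member class [{}] of target [{}], member [{}]", member.getDeclaringClass(), target, member);
            return false;
        }
        if (!checkPublicMemberAccess(member)) {
            LOG.warn("Access to non-public [{}] is blocked!", member);
            return false;
        }
        if (!checkStaticFieldAccess(member)) {
            LOG.warn("Access to static field [{}] is blocked!", member);
            return false;
        }
        if (!checkStaticMethodAccess(member)) {
            LOG.warn("Access to static method [{}] is blocked!", member);
            return false;
        }
        return checkDefaultPackageAccess(target, member)
                && checkExclusionList(target, member)
                && checkAllowlist(target, member)
                && isAcceptableProperty(str);
    }

    /**
     * Checks the declaring class of {@code member} and, when it differs, the runtime class of
     * the target against the allowlist. Always passes while allowlist enforcement is off.
     *
     * <p>Unless proxy object access is disallowed, a proxied target is first replaced by the
     * object returned from {@code ProxyUtil.getHibernateProxyTarget}, so the allowlist is
     * evaluated against the underlying entity rather than the proxy class.
     */
    protected boolean checkAllowlist(Object obj, Member member) {
        if (!this.enforceAllowlistEnabled) {
            return true;
        }
        Object target = obj;
        Member effectiveMember = member;
        if (!this.disallowProxyObjectAccess && target != null && ProxyUtil.isProxy(target)) {
            Object hibernateProxyTarget = ProxyUtil.getHibernateProxyTarget(target);
            if (hibernateProxyTarget != target) {
                logAllowlistHibernateEntity(target, hibernateProxyTarget);
                target = hibernateProxyTarget;
                effectiveMember = ProxyUtil.resolveTargetMember(effectiveMember, hibernateProxyTarget);
            }
        }
        Class<?> declaringClass = effectiveMember.getDeclaringClass();
        if (!isClassAllowlisted(declaringClass)) {
            LOG.warn("Declaring class [{}] of member type [{}] is not allowlisted! Add to '{}' or '{}' configuration.", declaringClass, effectiveMember, StrutsConstants.STRUTS_ALLOWLIST_CLASSES, StrutsConstants.STRUTS_ALLOWLIST_PACKAGE_NAMES);
            return false;
        }
        if (target == null || target.getClass() == declaringClass) {
            return true;
        }
        Class<?> targetClass = target.getClass();
        if (isClassAllowlisted(targetClass)) {
            return true;
        }
        LOG.warn("Target class [{}] of target [{}] is not allowlisted! Add to '{}' or '{}' configuration.", targetClass, target, StrutsConstants.STRUTS_ALLOWLIST_CLASSES, StrutsConstants.STRUTS_ALLOWLIST_PACKAGE_NAMES);
        return false;
    }

    /** Reports that a proxy was unwrapped for allowlisting: WARN in dev mode, DEBUG otherwise. */
    private void logAllowlistHibernateEntity(Object obj, Object obj2) {
        if (!this.isDevMode && !LOG.isDebugEnabled()) {
            return;
        }
        final String message = "Hibernate entity [{}] resolved to [{}] for purpose of OGNL allowlisting. We don't recommend executing OGNL expressions against Hibernate entities, you may disallow this behaviour using the configuration `{}=true`.";
        Object[] arguments = {obj, obj2, StrutsConstants.STRUTS_DISALLOW_PROXY_OBJECT_ACCESS};
        if (this.isDevMode) {
            LOG.warn(message, arguments);
        } else {
            LOG.debug(message, arguments);
        }
    }

    /**
     * Returns whether {@code cls} is allowlisted by any source: configured classes, built-in
     * required classes, the provider allowlist, the thread allowlist, built-in required
     * packages, or configured packages. Package matches include sub-packages.
     */
    protected boolean isClassAllowlisted(Class<?> cls) {
        if (this.allowlistClasses.contains(cls) || ALLOWLIST_REQUIRED_CLASSES.contains(cls)) {
            return true;
        }
        if (this.providerAllowlist != null && this.providerAllowlist.getProviderAllowlist().contains(cls)) {
            return true;
        }
        if (this.threadAllowlist != null && this.threadAllowlist.getAllowlist().contains(cls)) {
            return true;
        }
        return isClassBelongsToPackages(cls, ALLOWLIST_REQUIRED_PACKAGES)
                || isClassBelongsToPackages(cls, this.allowlistPackageNames);
    }

    /**
     * Checks the declaring class of {@code member} and, when it differs, the runtime class of
     * the target against the excluded classes and packages. The first call in dev mode also
     * switches this instance to the dev-mode exclusion sets.
     */
    protected boolean checkExclusionList(Object obj, Member member) {
        useDevModeConfiguration();
        Class<?> declaringClass = member.getDeclaringClass();
        if (isClassExcluded(declaringClass)) {
            LOG.warn("Declaring class of member type [{}] is excluded!", declaringClass);
            return false;
        }
        if (isPackageExcluded(declaringClass)) {
            // Log the member in the "member" slot so a blocked access can be traced to it.
            LOG.warn("Package [{}] of member class [{}] of member [{}] is excluded!", declaringClass.getPackage(), declaringClass, member);
            return false;
        }
        if (obj == null || obj.getClass() == declaringClass) {
            return true;
        }
        Class<?> targetClass = obj.getClass();
        if (isClassExcluded(targetClass)) {
            LOG.warn("Target class [{}] of target [{}] is excluded!", targetClass, obj);
            return false;
        }
        if (isPackageExcluded(targetClass)) {
            // Log the target in the "target" slot, matching the message text.
            LOG.warn("Package [{}] of target [{}] is excluded!", targetClass.getPackage(), obj);
            return false;
        }
        return true;
    }

    /**
     * When default-package access is disallowed, rejects members whose declaring class, or
     * whose target's runtime class, has no package or an empty package name.
     */
    protected boolean checkDefaultPackageAccess(Object obj, Member member) {
        if (!this.disallowDefaultPackageAccess) {
            return true;
        }
        Class<?> declaringClass = member.getDeclaringClass();
        if (declaringClass.getPackage() == null || declaringClass.getPackage().getName().isEmpty()) {
            LOG.warn("Class [{}] from the default package is excluded!", declaringClass);
            return false;
        }
        if (obj == null || obj.getClass() == declaringClass) {
            return true;
        }
        Class<?> targetClass = obj.getClass();
        if (targetClass.getPackage() == null || targetClass.getPackage().getName().isEmpty()) {
            LOG.warn("Class [{}] from the default package is excluded!", targetClass);
            return false;
        }
        return true;
    }

    /** Fails only when proxy object access is disallowed and {@code ProxyUtil} reports a proxy. */
    protected boolean checkProxyObjectAccess(Object obj) {
        return !(this.disallowProxyObjectAccess && ProxyUtil.isProxy(obj));
    }

    /** Fails only when proxy member access is disallowed and {@code ProxyUtil} reports a proxy member. */
    protected boolean checkProxyMemberAccess(Object obj, Member member) {
        return !(this.disallowProxyMemberAccess && ProxyUtil.isProxyMember(member, obj));
    }

    /**
     * Passes for fields and for non-static members. Static methods are therefore always
     * denied; no setting in this class re-enables them.
     */
    protected boolean checkStaticMethodAccess(Member member) {
        return (member instanceof Field) || !isStatic(member);
    }

    private static boolean isStatic(Member member) {
        return Modifier.isStatic(member.getModifiers());
    }

    /** Fails only for a static field while static field access is switched off. */
    protected boolean checkStaticFieldAccess(Member member) {
        return !(!this.allowStaticFieldAccess && (member instanceof Field) && isStatic(member));
    }

    /** Passes only for members declared {@code public}. */
    protected boolean checkPublicMemberAccess(Member member) {
        return Modifier.isPublic(member.getModifiers());
    }

    /**
     * Returns whether the package of {@code cls} is excluded by name or by pattern. Classes
     * listed as exempt skip this package check; the class-level exclusion in
     * {@link #isClassExcluded(Class)} is a separate check and is not affected.
     */
    protected boolean isPackageExcluded(Class<?> cls) {
        if (this.excludedPackageExemptClasses.contains(cls.getName())) {
            return false;
        }
        return isExcludedPackageNames(cls) || isExcludedPackageNamePatterns(cls);
    }

    /** Returns the package name of {@code cls}, or the empty string when it has no package. */
    public static String toPackageName(Class<?> cls) {
        return cls.getPackage() == null ? ValidatorSupport.EMPTY_STRING : cls.getPackage().getName();
    }

    /** Returns whether any excluded pattern matches the whole package name of {@code cls}. */
    protected boolean isExcludedPackageNamePatterns(Class<?> cls) {
        return this.excludedPackageNamePatterns.stream()
                .anyMatch(pattern -> pattern.matcher(toPackageName(cls)).matches());
    }

    /** Returns whether the package of {@code cls}, or one of its parents, is excluded by name. */
    protected boolean isExcludedPackageNames(Class<?> cls) {
        return isClassBelongsToPackages(cls, this.excludedPackageNames);
    }

    /**
     * Returns whether the package of {@code cls} or any of its parent packages is in
     * {@code set}. For {@code a.b.c} the candidates tried are {@code a}, {@code a.b} and
     * {@code a.b.c}, so an entry covers all of its sub-packages.
     */
    public static boolean isClassBelongsToPackages(Class<?> cls, Set<String> set) {
        List<String> packageParts = Arrays.asList(toPackageName(cls).split("\\."));
        for (int end = 1; end <= packageParts.size(); end++) {
            String candidate = String.join(XWorkConverter.PERIOD, packageParts.subList(0, end));
            if (set.contains(candidate)) {
                return true;
            }
        }
        return false;
    }

    /** Returns whether the fully qualified name of {@code cls} is in the excluded classes. */
    protected boolean isClassExcluded(Class<?> cls) {
        return this.excludedClasses.contains(cls.getName());
    }

    /** A {@code null} property name is acceptable; otherwise it must be accepted and not excluded. */
    protected boolean isAcceptableProperty(String str) {
        return str == null || (!isExcluded(str) && isAccepted(str));
    }

    /** With no accept patterns configured every name is accepted; otherwise one must match fully. */
    protected boolean isAccepted(String str) {
        if (this.acceptProperties.isEmpty()) {
            return true;
        }
        return this.acceptProperties.stream().anyMatch(pattern -> pattern.matcher(str).matches());
    }

    /** Returns whether any exclude pattern matches the whole property name. */
    protected boolean isExcluded(String str) {
        return this.excludeProperties.stream().anyMatch(pattern -> pattern.matcher(str).matches());
    }

    public void useExcludeProperties(Set<Pattern> set) {
        this.excludeProperties = set;
    }

    public void useAcceptProperties(Set<Pattern> set) {
        this.acceptProperties = set;
    }

    /**
     * Sets whether static fields may be read. Turning it off also adds
     * {@code java.lang.Class} to the excluded classes.
     */
    @Inject(value = StrutsConstants.STRUTS_ALLOW_STATIC_FIELD_ACCESS, required = false)
    public void useAllowStaticFieldAccess(String str) {
        this.allowStaticFieldAccess = BooleanUtils.toBoolean(str);
        if (!this.allowStaticFieldAccess) {
            useExcludedClasses(Class.class.getName());
        }
    }

    // NOTE(review): the toNew*Set helpers receive the current set, so they presumably return
    // it extended with the parsed entries, while the single-argument helpers replace the
    // value outright; confirm in ConfigParseUtil.
    @Inject(value = StrutsConstants.STRUTS_EXCLUDED_CLASSES, required = false)
    public void useExcludedClasses(String str) {
        this.excludedClasses = ConfigParseUtil.toNewClassesSet(this.excludedClasses, str);
    }

    @Inject(value = StrutsConstants.STRUTS_EXCLUDED_PACKAGE_NAME_PATTERNS, required = false)
    public void useExcludedPackageNamePatterns(String str) {
        this.excludedPackageNamePatterns = ConfigParseUtil.toNewPatternsSet(this.excludedPackageNamePatterns, str);
    }

    @Inject(value = StrutsConstants.STRUTS_EXCLUDED_PACKAGE_NAMES, required = false)
    public void useExcludedPackageNames(String str) {
        this.excludedPackageNames = ConfigParseUtil.toNewPackageNamesSet(this.excludedPackageNames, str);
    }

    /** Sets the classes that skip the package exclusion check; keep this list as short as possible. */
    @Inject(value = StrutsConstants.STRUTS_EXCLUDED_PACKAGE_EXEMPT_CLASSES, required = false)
    public void useExcludedPackageExemptClasses(String str) {
        this.excludedPackageExemptClasses = ConfigParseUtil.toClassesSet(str);
    }

    /** Switches allowlist enforcement on or off; while off, {@link #checkAllowlist} always passes. */
    @Inject(value = StrutsConstants.STRUTS_ALLOWLIST_ENABLE, required = false)
    public void useEnforceAllowlistEnabled(String str) {
        this.enforceAllowlistEnabled = BooleanUtils.toBoolean(str);
    }

    @Inject(value = StrutsConstants.STRUTS_ALLOWLIST_CLASSES, required = false)
    public void useAllowlistClasses(String str) {
        this.allowlistClasses = ConfigParseUtil.toClassObjectsSet(str);
    }

    @Inject(value = StrutsConstants.STRUTS_ALLOWLIST_PACKAGE_NAMES, required = false)
    public void useAllowlistPackageNames(String str) {
        this.allowlistPackageNames = ConfigParseUtil.toPackageNamesSet(str);
    }

    @Inject(value = StrutsConstants.STRUTS_DISALLOW_PROXY_OBJECT_ACCESS, required = false)
    public void useDisallowProxyObjectAccess(String str) {
        this.disallowProxyObjectAccess = BooleanUtils.toBoolean(str);
    }

    @Inject(value = StrutsConstants.STRUTS_DISALLOW_PROXY_MEMBER_ACCESS, required = false)
    public void useDisallowProxyMemberAccess(String str) {
        this.disallowProxyMemberAccess = BooleanUtils.toBoolean(str);
    }

    @Inject(value = StrutsConstants.STRUTS_DISALLOW_DEFAULT_PACKAGE_ACCESS, required = false)
    public void useDisallowDefaultPackageAccess(String str) {
        this.disallowDefaultPackageAccess = BooleanUtils.toBoolean(str);
    }

    @Inject(StrutsConstants.STRUTS_DEVMODE)
    protected void useDevMode(String str) {
        this.isDevMode = BooleanUtils.toBoolean(str);
    }

    @Inject(value = StrutsConstants.STRUTS_DEV_MODE_EXCLUDED_CLASSES, required = false)
    public void useDevModeExcludedClasses(String str) {
        this.devModeExcludedClasses = ConfigParseUtil.toNewClassesSet(this.devModeExcludedClasses, str);
    }

    @Inject(value = StrutsConstants.STRUTS_DEV_MODE_EXCLUDED_PACKAGE_NAME_PATTERNS, required = false)
    public void useDevModeExcludedPackageNamePatterns(String str) {
        this.devModeExcludedPackageNamePatterns = ConfigParseUtil.toNewPatternsSet(this.devModeExcludedPackageNamePatterns, str);
    }

    @Inject(value = StrutsConstants.STRUTS_DEV_MODE_EXCLUDED_PACKAGE_NAMES, required = false)
    public void useDevModeExcludedPackageNames(String str) {
        this.devModeExcludedPackageNames = ConfigParseUtil.toNewPackageNamesSet(this.devModeExcludedPackageNames, str);
    }

    @Inject(value = StrutsConstants.STRUTS_DEV_MODE_EXCLUDED_PACKAGE_EXEMPT_CLASSES, required = false)
    public void useDevModeExcludedPackageExemptClasses(String str) {
        this.devModeExcludedPackageExemptClasses = ConfigParseUtil.toClassesSet(str);
    }

    /**
     * In dev mode, replaces the four exclusion sets with their dev-mode counterparts the first
     * time it runs on this instance; later calls do nothing. The regular exclusion settings
     * are not consulted afterwards.
     */
    private void useDevModeConfiguration() {
        if (!this.isDevMode || this.isDevModeInit) {
            return;
        }
        // NOTE(review): the flag is raised before the sets are swapped, so a second thread
        // sharing this instance could still read the regular sets for a moment; confirm
        // whether instances are ever shared across threads.
        this.isDevModeInit = true;
        if (!isDevModeLogged) {
            LOG.warn("Working in devMode, using devMode excluded classes and packages!");
            isDevModeLogged = true;
        }
        this.excludedClasses = this.devModeExcludedClasses;
        this.excludedPackageNamePatterns = this.devModeExcludedPackageNamePatterns;
        this.excludedPackageNames = this.devModeExcludedPackageNames;
        this.excludedPackageExemptClasses = this.devModeExcludedPackageExemptClasses;
    }
}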
