package org.apache.river.api.security;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.MalformedURLException;
import java.net.URISyntaxException;
import java.net.URL;
import java.security.AccessController;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Permission;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.UnresolvedPermission;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Properties;
import java.util.StringTokenizer;
import java.util.concurrent.BlockingQueue;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.LinkedBlockingQueue;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.river.api.net.Uri;
import org.apache.river.api.security.DefaultPolicyScanner;
import org.apache.river.api.security.PolicyUtils;
import org.apache.river.impl.Messages;
import org.apache.river.thread.NamedThreadFactory;

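/**
 * Parses a policy file into {@link PermissionGrant}s.
 *
 * <p>{@link #parse(URL, Properties)} reads the policy as UTF-8, passes it to a
 * {@link DefaultPolicyScanner}, loads the first keystore entry that can be
 * opened and resolves every scanned grant entry into a {@code PermissionGrant}.
 *
 * <p>Behaviour a policy author or reviewer should know about:
 * <ul>
 * <li>A grant entry that fails to resolve is logged at {@code CONFIG} and left
 *     out of the result; only a {@link SecurityException} aborts parsing.</li>
 * <li>When property expansion of a codebase, signer list or principal name
 *     fails, the failure is logged and resolution of that grant continues
 *     (see {@link #resolveGrant}).</li>
 * <li>The keystore is loaded without a password, so {@link KeyStore#load}
 *     performs no integrity check on it (see {@link #initKeyStore}).</li>
 * <li>Permission classes named in the policy are loaded with
 *     {@link Class#forName(String)}, which also initialises them
 *     (see {@link #resolvePermission}).</li>
 * </ul>
 *
 * <p>This source was recovered by a decompiler; local names are reconstructed.
 */
public class DefaultPolicyParser implements PolicyParser {
    /** Executor (at most one worker thread) on which log records are published. */
    final ExecutorService logExec;
    /** Scanner that splits the policy stream into grant and keystore entries. */
    private final DefaultPolicyScanner scanner;

    /**
     * Expansion handler for the {@code self} and {@code alias} keys that
     * {@link #resolvePermission} applies to a permission name.
     *
     * <p>The decompiler reports that this class was package-private in the
     * original bytecode.
     */
    public class PermissionExpander implements PolicyUtils.GeneralExpansionHandler {
        private final KeyStore ks;
        private final DefaultPolicyScanner.GrantEntry ge;

        PermissionExpander(DefaultPolicyScanner.GrantEntry grantEntry, KeyStore keyStore) {
            this.ge = grantEntry;
            this.ks = keyStore;
        }

        /**
         * Resolves one expansion request.
         *
         * <p>For {@code "alias"} the result is the subject principal of the
         * certificate stored under alias {@code str2}, rendered as
         * {@code <class> "<name>"}. For {@code "self"} the result is the
         * concatenation of all principals of the enclosing grant entry; entries
         * without a class are looked up in the keystore by alias.
         *
         * <p>NOTE(review): principal names are placed between double quotes
         * without escaping; confirm the consumer of the expanded string
         * tolerates a name that itself contains a quote.
         *
         * @param str the expansion key, {@code "self"} or {@code "alias"}
         * @param str2 the key's argument; read only for {@code "alias"}
         * @return the expanded text
         * @throws PolicyUtils.ExpansionFailedException if the key is unknown, the
         *         grant has no principals, or an alias cannot be resolved
         */
        @Override
        public String resolve(String str, String str2) throws PolicyUtils.ExpansionFailedException {
            if ("self".equals(str)) {
                Collection<DefaultPolicyScanner.PrincipalEntry> entries = this.ge.getPrincipals(null);
                if (entries == null || entries.isEmpty()) {
                    throw new PolicyUtils.ExpansionFailedException(Messages.getString("security.144"));
                }
                StringBuilder expanded = new StringBuilder();
                for (DefaultPolicyScanner.PrincipalEntry entry : entries) {
                    if (entry.getKlass() != null) {
                        expanded.append(entry.getKlass()).append(" \"").append(entry.getName()).append("\" ");
                        continue;
                    }
                    // No class given: the entry's name is a keystore alias.
                    try {
                        expanded.append(pc2str(DefaultPolicyParser.this.getPrincipalByAlias(this.ks, entry.getName())));
                    } catch (KeyStoreException e) {
                        throw new PolicyUtils.ExpansionFailedException(Messages.getString("security.143", entry.getName()), e);
                    } catch (CertificateException e) {
                        throw new PolicyUtils.ExpansionFailedException(Messages.getString("security.143", entry.getName()), e);
                    }
                }
                return expanded.toString();
            }
            if ("alias".equals(str)) {
                try {
                    return pc2str(DefaultPolicyParser.this.getPrincipalByAlias(this.ks, str2));
                } catch (KeyStoreException e) {
                    throw new PolicyUtils.ExpansionFailedException(Messages.getString("security.143", str2), e);
                } catch (CertificateException e) {
                    throw new PolicyUtils.ExpansionFailedException(Messages.getString("security.143", str2), e);
                }
            }
            throw new PolicyUtils.ExpansionFailedException(Messages.getString("security.145", str));
        }

        /** Renders a principal as {@code <class name> "<principal name>"}. */
        private String pc2str(Principal principal) {
            String className = principal.getClass().getName();
            String principalName = principal.getName();
            return new StringBuilder(className.length() + principalName.length() + 5)
                    .append(className).append(" \"").append(principalName).append("\"").toString();
        }
    }

    /** Creates a parser backed by a new {@link DefaultPolicyScanner}. */
    public DefaultPolicyParser() {
        this(new DefaultPolicyScanner());
    }

    /**
     * Creates a parser that uses the given scanner.
     *
     * @param defaultPolicyScanner scanner used by {@link #parse(URL, Properties)}
     */
    DefaultPolicyParser(DefaultPolicyScanner defaultPolicyScanner) {
        // Core size 0, maximum 1 thread, one second keep-alive, unbounded queue.
        this.logExec = new ThreadPoolExecutor(0, 1, 1L, TimeUnit.SECONDS,
                new LinkedBlockingQueue<Runnable>(),
                new NamedThreadFactory("JGDMS Policy logger", true));
        this.scanner = defaultPolicyScanner;
    }

    /**
     * Reads the policy at {@code url} and returns the grants it defines.
     *
     * <p>The policy stream is opened inside {@code AccessController.doPrivileged}
     * and decoded as UTF-8. Grants for which {@code isVoid()} is true are left
     * out. A grant whose resolution throws is logged at {@code CONFIG} under key
     * {@code security.1A9} and skipped, unless the exception is a
     * {@link SecurityException}, which is rethrown.
     *
     * @param url location of the policy file
     * @param properties properties used for {@code ${...}} expansion
     * @return the resolved, non-void grants
     * @throws Exception if the policy cannot be opened or scanned
     */
    @Override
    public Collection<PermissionGrant> parse(URL url, Properties properties) throws Exception {
        log(Level.FINER, "\nDefaultPolicyParser::parse policy: " + url + "\n");
        boolean expand = PolicyUtils.canExpandProperties();
        BufferedReader reader = new BufferedReader(new InputStreamReader(
                (InputStream) AccessController.doPrivileged(new PolicyUtils.URLLoader(url)), "UTF-8"));
        HashSet<DefaultPolicyScanner.GrantEntry> grantEntries = new HashSet<DefaultPolicyScanner.GrantEntry>();
        List<DefaultPolicyScanner.KeystoreEntry> keystoreEntries = new ArrayList<DefaultPolicyScanner.KeystoreEntry>();
        try {
            this.scanner.scanStream(reader, grantEntries, keystoreEntries);
            KeyStore keyStore = initKeyStore(keystoreEntries, url, properties, expand);
            HashSet<PermissionGrant> grants = new HashSet<PermissionGrant>();
            for (DefaultPolicyScanner.GrantEntry entry : grantEntries) {
                try {
                    PermissionGrant grant = resolveGrant(entry, keyStore, properties, expand);
                    if (!grant.isVoid()) {
                        grants.add(grant);
                    }
                } catch (SecurityException e) {
                    throw e;
                } catch (Exception e) {
                    // One unresolvable grant must not discard the rest of the policy.
                    log(Level.CONFIG, "security.1A9", new Object[]{entry}, e);
                }
            }
            log(Level.FINEST, grants.toString());
            return grants;
        } finally {
            reader.close();
        }
    }

    /**
     * Turns one scanned grant entry into a {@link PermissionGrant}.
     *
     * <p>NOTE(review): when expansion of the codebase fails, the failure is
     * logged under {@code security.1A7} and the grant is still built with no
     * {@code uri(...)} call. Confirm that {@link PermissionGrantBuilder} does
     * not treat a grant without URIs as applying to every codebase. Likewise a
     * failed expansion of the signer list or of a principal name leaves the
     * unexpanded text in use.
     *
     * @param grantEntry the scanned entry; {@code null} yields {@code null}
     * @param keyStore keystore for signer and alias lookups, may be {@code null}
     * @param properties properties used for expansion
     * @param z whether property expansion is performed
     * @return the built grant, or {@code null} for a {@code null} entry
     * @throws Exception if a signer or principal alias cannot be resolved, or a
     *         permission resolution throws a {@link SecurityException}
     */
    PermissionGrant resolveGrant(DefaultPolicyScanner.GrantEntry grantEntry, KeyStore keyStore, Properties properties, boolean z) throws Exception {
        if (grantEntry == null) {
            return null;
        }
        ArrayList<String> uris = new ArrayList<String>(8);
        Certificate[] signerCerts = null;
        HashSet<Principal> principals = new HashSet<Principal>();
        HashSet<Permission> resolvedPermissions = new HashSet<Permission>();
        String codebase = grantEntry.getCodebase(null);
        String signers = grantEntry.getSigners();
        if (codebase != null) {
            if (z) {
                try {
                    for (String expandedUrl : expandURLs(codebase, properties)) {
                        uris.add(getURI(expandedUrl));
                    }
                } catch (PolicyUtils.ExpansionFailedException e) {
                    log(Level.CONFIG, "security.1A7", new Object[]{e.getMessage()});
                }
            } else {
                uris.add(getURI(codebase));
            }
        }
        String[] signerAliases = new String[0];
        if (signers != null) {
            if (z) {
                try {
                    signers = PolicyUtils.expand(signers, properties);
                } catch (PolicyUtils.ExpansionFailedException e) {
                    log(Level.CONFIG, "security.1A6", new Object[]{e.getMessage()});
                }
            }
            StringTokenizer tokens = new StringTokenizer(signers, ",");
            ArrayList<String> aliases = new ArrayList<String>(tokens.countTokens());
            while (tokens.hasMoreTokens()) {
                aliases.add(tokens.nextToken().trim());
            }
            signerAliases = aliases.toArray(new String[aliases.size()]);
            signerCerts = resolveSigners(keyStore, signerAliases);
        }
        if (grantEntry.getPrincipals(null) != null) {
            for (DefaultPolicyScanner.PrincipalEntry principalEntry : grantEntry.getPrincipals(properties)) {
                String name = principalEntry.getName();
                String klass = principalEntry.getKlass();
                if (z) {
                    try {
                        name = PolicyUtils.expand(name, properties);
                    } catch (PolicyUtils.ExpansionFailedException e) {
                        log(Level.CONFIG, "security.1A4", new Object[]{e.getMessage()});
                    }
                }
                if (klass == null) {
                    // No class given: the name is a keystore alias.
                    principals.add(getPrincipalByAlias(keyStore, name));
                } else {
                    principals.add(new UnresolvedPrincipal(klass, name));
                }
            }
        }
        Collection<DefaultPolicyScanner.PermissionEntry> permissionEntries = grantEntry.getPermissions();
        if (permissionEntries != null) {
            for (DefaultPolicyScanner.PermissionEntry permissionEntry : permissionEntries) {
                try {
                    resolvedPermissions.add(resolvePermission(permissionEntry, grantEntry, keyStore, properties, z));
                } catch (PolicyUtils.ExpansionFailedException e) {
                    log(Level.CONFIG, "security.1A5", new Object[]{permissionEntry.toString(), e.getMessage()});
                } catch (SecurityException e) {
                    throw e;
                } catch (Exception e) {
                    // A permission that cannot be resolved is dropped; the grant keeps the others.
                    log(Level.CONFIG, "security.1A5", new Object[]{permissionEntry.toString(), e.getMessage()});
                }
            }
        }
        PermissionGrantBuilder builder = PermissionGrantBuilder.newBuilder();
        for (String uri : uris) {
            builder.uri(uri);
        }
        // The meaning of context value 5 is defined by PermissionGrantBuilder.
        return builder.certificates(signerCerts, signerAliases)
                .principals(principals.toArray(new Principal[principals.size()]))
                .permissions(resolvedPermissions.toArray(new Permission[resolvedPermissions.size()]))
                .context(5)
                .build();
    }

    /**
     * Passes a codebase string through {@code Uri.fixWindowsURI}.
     *
     * @param str the codebase text; {@code null} yields {@code null}
     * @return the value returned by {@code Uri.fixWindowsURI}
     * @throws MalformedURLException declared by this method
     * @throws URISyntaxException declared by this method
     */
    String getURI(String str) throws MalformedURLException, URISyntaxException {
        if (str == null) {
            return null;
        }
        return Uri.fixWindowsURI(str);
    }

    /**
     * Builds a {@code Segment} for {@code str} and applies the property
     * substitutions: one pass for <code>${{...}}</code> using the
     * {@code path.separator} property, then three passes for {@code ${...}}.
     *
     * @param str the text to expand
     * @param properties properties supplying replacement values
     * @return the prepared segment
     * @throws PolicyUtils.ExpansionFailedException if a substitution fails
     */
    Segment segment(String str, Properties properties) throws PolicyUtils.ExpansionFailedException {
        String pathSeparator = properties.getProperty("path.separator");
        Segment root = new Segment(str, null);
        root.divideAndReplace("${{", "}}", pathSeparator, properties);
        // The same ${...} pass is applied three times, as in the original.
        root.divideAndReplace("${", "}", null, properties);
        root.divideAndReplace("${", "}", null, properties);
        root.divideAndReplace("${", "}", null, properties);
        return root;
    }

    /**
     * Expands a codebase string into every URL string it denotes.
     *
     * @param str the codebase text
     * @param properties properties supplying replacement values
     * @return the strings produced by iterating the segment
     * @throws PolicyUtils.ExpansionFailedException if a substitution fails
     */
    Collection<String> expandURLs(String str, Properties properties) throws PolicyUtils.ExpansionFailedException {
        Segment root = segment(str, properties);
        ArrayList<String> urls = new ArrayList<String>();
        while (root.hasNext()) {
            urls.add(root.next());
        }
        return urls;
    }

    /**
     * Resolves one permission entry of a grant.
     *
     * <p>The name is first expanded with a {@link PermissionExpander}; when
     * {@code z} is true the name, actions and signers are also property-expanded.
     * If the permission class can be loaded and its signers satisfy
     * {@code PolicyUtils.matchSubset}, the permission is instantiated;
     * otherwise an {@link UnresolvedPermission} is returned.
     *
     * <p>{@link Class#forName(String)} initialises the class it loads, so the
     * static initialiser of any class named in the policy runs here. The
     * policy file has to be as trusted as the code it configures.
     *
     * @param permissionEntry the scanned permission
     * @param grantEntry the grant the permission belongs to
     * @param keyStore keystore for alias and signer lookups, may be {@code null}
     * @param properties properties used for expansion
     * @param z whether property expansion is performed
     * @return the instantiated or unresolved permission
     * @throws Exception if expansion, signer resolution or instantiation fails
     */
    Permission resolvePermission(DefaultPolicyScanner.PermissionEntry permissionEntry, DefaultPolicyScanner.GrantEntry grantEntry, KeyStore keyStore, Properties properties, boolean z) throws Exception {
        String klass = permissionEntry.getKlass();
        String name = permissionEntry.getName();
        String actions = permissionEntry.getActions();
        String signers = permissionEntry.getSigners();
        if (name != null) {
            name = PolicyUtils.expandGeneral(name, new PermissionExpander(grantEntry, keyStore));
        }
        if (z) {
            if (name != null) {
                name = PolicyUtils.expand(name, properties);
            }
            if (actions != null) {
                actions = PolicyUtils.expand(actions, properties);
            }
            if (signers != null) {
                signers = PolicyUtils.expand(signers, properties);
            }
        }
        Certificate[] signerCerts = signers == null ? null : resolveSigners(keyStore, signers);
        try {
            Class<?> permissionClass = Class.forName(klass);
            if (PolicyUtils.matchSubset(signerCerts, permissionClass.getSigners())) {
                return PolicyUtils.instantiatePermission(permissionClass, name, actions);
            }
        } catch (ClassNotFoundException ignored) {
            // Class not loadable yet: fall through to an UnresolvedPermission.
        }
        return new UnresolvedPermission(klass, name, actions, signerCerts);
    }

    /**
     * Looks up the certificate of every alias in a comma-separated list.
     *
     * <p>NOTE(review): {@link KeyStore#getCertificate(String)} returns
     * {@code null} for an alias that does not exist or holds no certificate,
     * and that {@code null} is stored in the result as is. Confirm that
     * {@code PolicyUtils.matchSubset} and {@link UnresolvedPermission} treat a
     * {@code null} entry as a signer that cannot match, not as one to skip.
     *
     * @param keyStore the keystore to search
     * @param str comma-separated aliases; each token is trimmed
     * @return one array element per alias, in order
     * @throws Exception a {@link KeyStoreException} if {@code keyStore} is
     *         {@code null} or not initialised
     */
    Certificate[] resolveSigners(KeyStore keyStore, String str) throws Exception {
        if (keyStore == null) {
            throw new KeyStoreException(Messages.getString("security.146", str));
        }
        ArrayList<Certificate> certs = new ArrayList<Certificate>();
        StringTokenizer tokens = new StringTokenizer(str, ",");
        while (tokens.hasMoreTokens()) {
            certs.add(keyStore.getCertificate(tokens.nextToken().trim()));
        }
        return certs.toArray(new Certificate[certs.size()]);
    }

    /**
     * Looks up the certificate of every alias in {@code strArr}.
     *
     * <p>A missing keystore is reported with the same {@link KeyStoreException}
     * as the {@code String} overload instead of a
     * {@link NullPointerException}, so the log names the aliases involved.
     *
     * <p>NOTE(review): {@link KeyStore#getCertificate(String)} returns
     * {@code null} for an alias that does not exist or holds no certificate,
     * and that {@code null} is stored in the result as is. Confirm that
     * {@code PermissionGrantBuilder.certificates} treats a {@code null} entry
     * as a signer that cannot match.
     *
     * @param keyStore the keystore to search
     * @param strArr the aliases; {@code null} or empty yields an empty array
     * @return one array element per alias, in order
     * @throws KeyStoreException if aliases are given but {@code keyStore} is
     *         {@code null} or not initialised
     */
    Certificate[] resolveSigners(KeyStore keyStore, String[] strArr) throws KeyStoreException {
        if (strArr == null || strArr.length == 0) {
            return new Certificate[0];
        }
        if (keyStore == null) {
            StringBuilder aliases = new StringBuilder();
            for (String alias : strArr) {
                if (aliases.length() > 0) {
                    aliases.append(',');
                }
                aliases.append(alias);
            }
            throw new KeyStoreException(Messages.getString("security.146", aliases.toString()));
        }
        ArrayList<Certificate> certs = new ArrayList<Certificate>(strArr.length);
        for (String alias : strArr) {
            certs.add(keyStore.getCertificate(alias));
        }
        return certs.toArray(new Certificate[certs.size()]);
    }

    /**
     * Returns the subject principal of the X.509 certificate stored under an
     * alias.
     *
     * @param keyStore the keystore to search
     * @param str the alias
     * @return the certificate's subject {@code X500Principal}
     * @throws KeyStoreException if {@code keyStore} is {@code null} or not
     *         initialised
     * @throws CertificateException if the alias has no certificate or the
     *         certificate is not an {@link X509Certificate}
     */
    Principal getPrincipalByAlias(KeyStore keyStore, String str) throws KeyStoreException, CertificateException {
        if (keyStore == null) {
            throw new KeyStoreException(Messages.getString("security.147", str));
        }
        Certificate certificate = keyStore.getCertificate(str);
        if (certificate instanceof X509Certificate) {
            return ((X509Certificate) certificate).getSubjectX500Principal();
        }
        // Also reached when the alias is unknown and certificate is null.
        throw new CertificateException(Messages.getString("security.148", str, certificate));
    }

    /**
     * Loads the first keystore entry that can be opened.
     *
     * <p>Each entry's URL is resolved relative to the policy {@code url} and
     * opened inside {@code AccessController.doPrivileged}. An entry that fails
     * is logged at {@code CONFIG} under {@code security.8A} and the next one is
     * tried.
     *
     * <p>The keystore is loaded with a {@code null} password, for which
     * {@link KeyStore#load(InputStream, char[])} performs no integrity check.
     * The certificates are therefore only as trustworthy as the location and
     * transport the keystore URL points to.
     *
     * @param list keystore entries from the scanner, in policy order
     * @param url the policy URL, used as base for relative keystore URLs
     * @param properties properties used for expansion
     * @param z whether property expansion is performed
     * @return the loaded keystore, or {@code null} if none could be loaded
     */
    KeyStore initKeyStore(List<DefaultPolicyScanner.KeystoreEntry> list, URL url, Properties properties, boolean z) {
        for (DefaultPolicyScanner.KeystoreEntry keystoreEntry : list) {
            try {
                String location = keystoreEntry.getUrl();
                String type = keystoreEntry.getType();
                if (z) {
                    location = PolicyUtils.expandURL(location, properties);
                    if (type != null) {
                        type = PolicyUtils.expand(type, properties);
                    }
                }
                if (type == null || type.length() == 0) {
                    type = KeyStore.getDefaultType();
                }
                KeyStore keyStore = KeyStore.getInstance(type);
                InputStream inputStream = (InputStream) AccessController.doPrivileged(new PolicyUtils.URLLoader(new URL(url, location)));
                try {
                    keyStore.load(inputStream, null);
                    return keyStore;
                } finally {
                    inputStream.close();
                }
            } catch (IOException e) {
                log(Level.CONFIG, "security.8A", e);
            } catch (KeyStoreException e) {
                log(Level.CONFIG, "security.8A", e);
            } catch (NoSuchAlgorithmException e) {
                log(Level.CONFIG, "security.8A", e);
            } catch (PrivilegedActionException e) {
                log(Level.CONFIG, "security.8A", e);
            } catch (CertificateException e) {
                log(Level.CONFIG, "security.8A", e);
            } catch (PolicyUtils.ExpansionFailedException e) {
                log(Level.CONFIG, "security.8A", e);
            }
        }
        return null;
    }

    /** Logs {@code str} at {@code level} with no parameters and no throwable. */
    void log(Level level, String str) {
        log(level, str, null, null);
    }

    /** Logs {@code str} at {@code level} together with {@code th}. */
    void log(Level level, String str, Throwable th) {
        log(level, str, null, th);
    }

    /**
     * Logs {@code str} at {@code level} with message parameters.
     *
     * <p>The decompiler reports that this method was package-private in the
     * original bytecode.
     */
    public void log(Level level, String str, Object[] objArr) {
        log(level, str, objArr, null);
    }

    /**
     * Queues a log record on {@link #logExec}.
     *
     * <p>The record goes to logger {@code net.jini.security.policy}. The text
     * is obtained from {@code Messages.getString(str, objArr)} and is only
     * built when the logger accepts {@code level}. Because publishing happens
     * on the executor, a record can appear after the call that produced it
     * has returned.
     *
     * @param level the log level
     * @param str the text or message key passed to {@code Messages.getString}
     * @param objArr message parameters, may be {@code null}
     * @param th throwable to attach, may be {@code null}
     */
    void log(final Level level, final String str, final Object[] objArr, final Throwable th) {
        this.logExec.submit(new Runnable() {
            @Override
            public void run() {
                Logger logger = Logger.getLogger("net.jini.security.policy");
                if (logger.isLoggable(level)) {
                    logger.log(level, Messages.getString(str, objArr), th);
                }
            }
        });
    }
}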
