package kd.bos.security;

import java.io.BufferedReader;
import java.io.FileDescriptor;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.lang.reflect.Method;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.security.Permission;
import java.sql.Driver;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Function;
import javax.management.MBeanTrustPermission;

/* loaded from: input_file:kd/bos/security/KDSecurityManager.class */
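/**
 * Process-wide {@link SecurityManager} that vetoes selected sensitive operations based on the
 * class that triggered them.
 *
 * <p>Decisions are delegated to {@link KDSecurityConfig} (the {@code allow*} predicates) and to
 * the "customer class" test supplied by {@code KDSecurityClassLoader}. Enforcement is only active
 * when the JVM was started with that class loader as the context class loader; otherwise the
 * manager is constructed but never installed (see {@link #initialize()}).
 *
 * <p>Review notes:
 * <ul>
 *   <li>Most {@code check*} overrides below have empty bodies, so file, network, package and
 *       factory operations are not restricted by this class at all.</li>
 *   <li>{@link #checkPermission(Permission)} matches on the permission <em>name</em> only and
 *       allows every name it does not list.</li>
 *   <li>Caller identification goes through {@code KDReflection}, which presumably counts stack
 *       frames; the calls are kept directly inside each {@code check*} method so the frame count
 *       is unchanged. Do not move them into helpers without confirming against KDReflection.</li>
 *   <li>{@code SecurityManager} is deprecated for removal since Java 17, and several overrides
 *       here (e.g. {@code checkTopLevelWindow}, {@code checkMemberAccess}) exist only in older
 *       JDKs, so this class presumably targets Java 8.</li>
 * </ul>
 */
public final class KDSecurityManager extends SecurityManager {
    // Written by initialize() and read by get() without a lock, hence volatile.
    private static volatile KDSecurityManager instance;
    // Reflective bridges to KDSecurityClassLoader#isCustomerClass(Class) / (String); null while
    // enforcement is disabled.
    private static Function<Class<?>, Boolean> isCustomerClass1;
    private static Function<String, Boolean> isCustomerClass2;
    // Targets that checkSecurityAccess lets through, loaded from the classpath list file.
    private static Set<String> ignoreCheckSecurityAccessSet;
    private static final AtomicBoolean initialized = new AtomicBoolean();
    protected static boolean enableSecurity = false;
    private final KDSecurityConfig config = KDSecurityConfig.get();

    /**
     * Returns the singleton, initializing it on first use (with a warning on stderr).
     *
     * <p>NOTE(review): if another thread has already entered {@link #initialize()} but not yet
     * finished, the nested call returns immediately and this method can return {@code null}.
     *
     * @return the singleton, or {@code null} in the race described above
     */
    public static KDSecurityManager get() {
        if (instance == null) {
            System.err.println("Warning: KDSecurityManager should call initialize first.");
            initialize();
        }
        return instance;
    }

    /**
     * Performs one-time setup; later calls are no-ops.
     *
     * <p>When the context class loader is a {@code KDSecurityClassLoader}, enforcement is switched
     * on, the ignore list is loaded, the loader's private {@code initialize} and
     * {@code isCustomerClass} methods are bound reflectively, and the driver and data-source
     * injection callables are run. Any failure in that path terminates the JVM with status -1.
     *
     * <p>NOTE(review): when the context class loader is of any other type, only a warning is
     * printed and the manager is never installed, so a missing
     * {@code -Djava.system.class.loader} argument disables every check in this class. Deployments
     * that rely on the sandbox should verify at startup that {@code System.getSecurityManager()}
     * is this instance.
     */
    public static void initialize() {
        if (!initialized.compareAndSet(false, true)) {
            return;
        }
        try {
            // Force-load the helper classes up front, presumably so that no class loading is
            // triggered from inside a check once the manager is installed.
            Class.forName(KDCallerInfo.class.getName());
            Class.forName(KDReflection.class.getName());
            Class.forName(KDSecurityConfig.class.getName());
            Class.forName(KDSecurityDataSource.class.getName());
            Class.forName(KDSecurityDriver.class.getName());
            Class.forName(Driver.class.getName());
            ClassLoader contextClassLoader = Thread.currentThread().getContextClassLoader();
            if (contextClassLoader instanceof KDSecurityClassLoader) {
                enableSecurity = true;
                ignoreCheckSecurityAccessSet = loadIgnoreCheckSecurityAccess();
                Class<?> loaderType = contextClassLoader.getClass();

                Method initMethod = loaderType.getDeclaredMethod("initialize");
                initMethod.setAccessible(true);
                initMethod.invoke(contextClassLoader);

                Method byClass = loaderType.getDeclaredMethod("isCustomerClass", Class.class);
                byClass.setAccessible(true);
                isCustomerClass1 = cls -> {
                    try {
                        return (Boolean) byClass.invoke(contextClassLoader, cls);
                    } catch (Exception e) {
                        throw new RuntimeException(e);
                    }
                };

                Method byName = loaderType.getDeclaredMethod("isCustomerClass", String.class);
                byName.setAccessible(true);
                isCustomerClass2 = str -> {
                    try {
                        return (Boolean) byName.invoke(contextClassLoader, str);
                    } catch (Exception e) {
                        throw new RuntimeException(e);
                    }
                };

                Callable<Object> injectDrivers = KDSecurityDriver.injectDrivers();
                Callable<Object> injectDataSources = KDSecurityDataSource.injectDataSources();
                injectDrivers.call();
                injectDataSources.call();
            } else {
                System.err.println("[KDSecurity-warning] VM arguments is not set: -Djava.system.class.loader=kd.bos.security.KDSecurityClassLoader");
            }
        } catch (Throwable th) {
            // Fail closed: a half-initialized sandbox is treated as fatal.
            System.err.println("安全管理器KDSecurityManager初始化失败，退出系统！");
            th.printStackTrace();
            System.exit(-1);
        }
        instance = new KDSecurityManager();
    }

    /**
     * Reads {@code /ignore_check_security_access.list} as UTF-8, one entry per line, skipping
     * blank lines and lines starting with {@code #}.
     *
     * <p>NOTE(review): the resource is resolved through the runtime class of the current thread,
     * not through the context class loader; confirm that this is the intended lookup path. Every
     * entry in this file widens what {@link #checkSecurityAccess(String)} permits, so the file
     * should be treated as security configuration.
     *
     * @return the trimmed entries
     * @throws IOException if the resource is missing or cannot be read
     */
    private static Set<String> loadIgnoreCheckSecurityAccess() throws IOException {
        Set<String> entries = new HashSet<>();
        InputStream resource = Thread.currentThread().getClass().getResourceAsStream("/ignore_check_security_access.list");
        if (resource == null) {
            // Previously this surfaced as a bare NullPointerException from InputStreamReader.
            throw new IOException("Resource not found: /ignore_check_security_access.list");
        }
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(resource, StandardCharsets.UTF_8))) {
            String line;
            while ((line = reader.readLine()) != null) {
                String entry = line.trim();
                if (!entry.isEmpty() && !entry.startsWith("#")) {
                    entries.add(entry);
                }
            }
        }
        return entries;
    }

    /**
     * Reports whether the class loader classifies {@code cls} as a customer class.
     * The decompiler notes that this method was originally package-private.
     *
     * @param cls class to classify
     * @return {@code false} when enforcement is not initialized, otherwise the loader's answer
     */
    public static boolean isCustomerClass(Class<?> cls) {
        return isCustomerClass1 != null && isCustomerClass1.apply(cls).booleanValue();
    }

    /**
     * Reports whether the class loader classifies the named class as a customer class.
     * The decompiler notes that this method was originally package-private.
     *
     * @param str class name to classify
     * @return {@code false} when enforcement is not initialized, otherwise the loader's answer
     */
    public static boolean isCustomerClass(String str) {
        return isCustomerClass2 != null && isCustomerClass2.apply(str).booleanValue();
    }

    /** Installs this instance as the JVM security manager, but only when enforcement is enabled. */
    private KDSecurityManager() {
        if (enableSecurity) {
            System.setSecurityManager(this);
        }
    }

    /**
     * Widens the protected superclass method to public, so any code holding this instance can
     * read the classes on the current call stack.
     */
    @Override
    public Class<?>[] getClassContext() {
        return super.getClassContext();
    }

    /** Logging hook; the body is empty in this build. */
    private void log(String str) {
    }

    /** No restriction: accepting connections is permitted for every caller. */
    @Override
    public void checkAccept(String str, int i) {
    }

    /**
     * Allows thread modification only for callers approved by
     * {@code config.allowAccessThread}, then applies the superclass check.
     *
     * @throws SecurityException if the resolved caller is not approved
     */
    @Override
    public void checkAccess(Thread thread) {
        KDCallerInfo caller = KDReflection.getCallerClassUntilNot(new Class<?>[] {Thread.class});
        if (!this.config.allowAccessThread(caller.getCallerClass())) {
            String message = "限制设置Thread: " + caller.getCallerClass().getName() + "#" + KDReflection.getCallerMethodName(caller.getCallStackDepth()) + ", thread = " + thread;
            System.err.println(message);
            throw new SecurityException(message);
        }
        super.checkAccess(thread);
    }

    /**
     * Allows thread-group modification only for callers approved by
     * {@code config.allowAccessThreadGroup}.
     *
     * <p>NOTE(review): unlike the {@code Thread} overload, this one does not call the superclass
     * check, and the caller walk passes {@code Thread.class} rather than
     * {@code ThreadGroup.class}; confirm both are intended.
     *
     * @throws SecurityException if the resolved caller is not approved
     */
    @Override
    public void checkAccess(ThreadGroup threadGroup) {
        KDCallerInfo caller = KDReflection.getCallerClassUntilNot(new Class<?>[] {Thread.class});
        if (!this.config.allowAccessThreadGroup(caller.getCallerClass())) {
            String message = "限制设置ThreadGroup: " + caller.getCallerClass().getName() + "#" + KDReflection.getCallerMethodName(caller.getCallStackDepth()) + ", thread group = " + threadGroup;
            System.err.println(message);
            throw new SecurityException(message);
        }
    }

    /** No restriction. */
    @Override
    public void checkAwtEventQueueAccess() {
    }

    /** No restriction: outbound connections are permitted for every caller. */
    @Override
    public void checkConnect(String str, int i) {
    }

    /** No restriction: outbound connections are permitted for every caller. */
    @Override
    public void checkConnect(String str, int i, Object obj) {
    }

    /**
     * Allows class-loader creation for reflection inflation and for callers approved by
     * {@code config.allowCreateClassLoader}.
     *
     * @throws SecurityException if the resolved caller is not approved
     */
    @Override
    public void checkCreateClassLoader() {
        if (KDReflection.isInflationCreateClassLoader()) {
            return;
        }
        KDCallerInfo caller = KDReflection.getCallerClassUntilNotAssignableFrom(ClassLoader.class);
        if (this.config.allowCreateClassLoader(caller.getCallerClass())) {
            return;
        }
        throw new SecurityException("限制使用系统外ClassLoader: " + caller.getCallerClass().getName() + "#" + KDReflection.getCallerMethodName(caller.getCallStackDepth()));
    }

    /** No restriction: file deletion is permitted for every caller. */
    @Override
    public void checkDelete(String str) {
    }

    /**
     * Allows process execution only for callers approved by {@code config.allowExec}.
     *
     * @throws SecurityException if the resolved caller is not approved; the message includes
     *     the command string
     */
    @Override
    public void checkExec(String str) {
        KDCallerInfo caller = KDReflection.getCallerClassUntilNot(new Class<?>[] {ProcessBuilder.class, Runtime.class});
        if (this.config.allowExec(caller.getCallerClass())) {
            return;
        }
        throw new SecurityException("限制执行命令: " + caller.getCallerClass().getName() + "#" + KDReflection.getCallerMethodName(caller.getCallStackDepth()) + ", cmd = " + str);
    }

    /**
     * Allows JVM exit only for callers approved by {@code config.allowExit}.
     *
     * @throws SecurityException if the resolved caller is not approved
     */
    @Override
    public void checkExit(int i) {
        KDCallerInfo caller = KDReflection.getCallerClassUntilNot(new Class<?>[] {Runtime.class, System.class});
        if (this.config.allowExit(caller.getCallerClass())) {
            return;
        }
        throw new SecurityException("限制执行exit: " + caller.getCallerClass().getName() + "#" + KDReflection.getCallerMethodName(caller.getCallStackDepth()) + ", exit status = " + i);
    }

    /**
     * Allows native-library loading only for callers approved by
     * {@code config.allowLoadLibrary}.
     *
     * @throws SecurityException if the resolved caller is not approved
     */
    @Override
    public void checkLink(String str) {
        KDCallerInfo caller = KDReflection.getCallerClassUntilNot(new Class<?>[] {Runtime.class, System.class});
        if (this.config.allowLoadLibrary(caller.getCallerClass())) {
            return;
        }
        throw new SecurityException("限制执行LoadLibrary: " + caller.getCallerClass().getName() + "#" + KDReflection.getCallerMethodName(caller.getCallStackDepth()) + ", lib = " + str);
    }

    /** No restriction: listening on ports is permitted for every caller. */
    @Override
    public void checkListen(int i) {
    }

    /** No restriction. */
    @Override
    public void checkMemberAccess(Class<?> cls, int i) {
    }

    /** No restriction. */
    @Override
    public void checkMulticast(InetAddress inetAddress) {
    }

    /** No restriction. */
    @Override
    public void checkMulticast(InetAddress inetAddress, byte b) {
    }

    /** No restriction: access to any package is permitted for every caller. */
    @Override
    public void checkPackageAccess(String str) {
    }

    /** No restriction: defining classes in any package is permitted for every caller. */
    @Override
    public void checkPackageDefinition(String str) {
    }

    /** No restriction. */
    @Override
    public void checkPrintJobAccess() {
    }

    /**
     * Blocks bulk access to the system properties when the caller's caller is a customer class.
     *
     * @throws SecurityException for customer-class callers
     */
    @Override
    public void checkPropertiesAccess() {
        if (KDReflection.isCustomerClass(KDReflection.getCallerCallerClass())) {
            throw new SecurityException("禁止访问：System.getProperties()");
        }
    }

    /**
     * Blocks customer classes from reading system properties whose key starts with
     * {@code mc.tenant.}; every other key is readable by every caller.
     *
     * @throws SecurityException for customer-class callers reading an {@code mc.tenant.*} key
     */
    @Override
    public void checkPropertyAccess(String str) {
        if (str.startsWith("mc.tenant.") && KDReflection.isCustomerClass(KDReflection.getCallerCallerClass())) {
            throw new SecurityException("禁止访问System.property：mc.tenant.*");
        }
    }

    /** No restriction: reads are permitted for every caller. */
    @Override
    public void checkRead(FileDescriptor fileDescriptor) {
    }

    /** No restriction: file reads are permitted for every caller. */
    @Override
    public void checkRead(String str) {
    }

    /** No restriction: file reads are permitted for every caller. */
    @Override
    public void checkRead(String str, Object obj) {
    }

    /**
     * Rejects security-policy targets unless they start with {@code get},
     * {@code putProviderProperty.} or {@code insertProvider}, or appear in the ignore list.
     *
     * <p>This check does not look at the caller, so the allowed prefixes apply to all code.
     * NOTE(review): that includes provider insertion and provider property changes; confirm
     * that customer classes are meant to be able to do both.
     *
     * @throws SecurityException if the target is not allowed; a missing ignore list is treated
     *     as empty so the check fails closed instead of throwing NullPointerException
     */
    @Override
    public void checkSecurityAccess(String str) {
        if (str.startsWith("get") || str.startsWith("putProviderProperty.") || str.startsWith("insertProvider")) {
            return;
        }
        Set<String> allowed = ignoreCheckSecurityAccessSet;
        if (allowed == null || !allowed.contains(str)) {
            throw new SecurityException("禁止修改安全策略内容: " + str);
        }
    }

    /** No restriction: socket and URL stream handler factories may be replaced by any caller. */
    @Override
    public void checkSetFactory() {
    }

    /** No restriction. */
    @Override
    public void checkSystemClipboardAccess() {
    }

    /** Delegates to the superclass implementation. */
    @Override
    public boolean checkTopLevelWindow(Object obj) {
        return super.checkTopLevelWindow(obj);
    }

    /** No restriction: writes are permitted for every caller. */
    @Override
    public void checkWrite(FileDescriptor fileDescriptor) {
    }

    /** No restriction: file writes are permitted for every caller. */
    @Override
    public void checkWrite(String str) {
    }

    /**
     * Always allows {@link MBeanTrustPermission}; every other permission is passed to the
     * superclass check for the given context.
     */
    @Override
    public void checkPermission(Permission permission, Object obj) {
        if (permission instanceof MBeanTrustPermission) {
            return;
        }
        super.checkPermission(permission, obj);
    }

    /**
     * Central permission check, keyed on the permission name.
     *
     * <p>The decompiled hash-code switch (which did not compile) is restored to a plain string
     * switch. Only the names listed here are restricted; any other permission is allowed. The
     * permission's type is not checked, only its name. {@code reflectionFactoryAccess},
     * {@code stopThread}, {@code setIO} and {@code readDisplayPixels} are all gated by the same
     * {@code config.allowSuppressAccess} predicate as {@code suppressAccessChecks}.
     *
     * @throws SecurityException if the operation is restricted for the resolved caller
     */
    @Override
    public void checkPermission(Permission permission) {
        switch (permission.getName()) {
            case "setContextClassLoader":
                if (KDReflection.isCustomerClass(KDReflection.getCallerCallerClass())) {
                    throw new SecurityException("禁止setContextClassLoader" + getClass().getName());
                }
                return;
            case "setSecurityManager":
                // Never allowed once this manager is installed, regardless of caller.
                throw new SecurityException("禁止替换" + getClass().getName());
            case "suppressAccessChecks": {
                if (KDReflection.isInflationSuppressAccess()) {
                    return;
                }
                Class<?> caller = KDReflection.getCallerCallerClass();
                if (!this.config.allowSuppressAccess(caller)) {
                    throw new SecurityException("限制更改访问权限(setAccessible): " + caller.getName() + "#" + KDReflection.getCallerCallerMethodName());
                }
                return;
            }
            case "reflectionFactoryAccess": {
                Class<?> caller = KDReflection.getCallerCallerClass();
                if (!this.config.allowSuppressAccess(caller)) {
                    throw new SecurityException("限制越权访问(ReflectionFactory): " + caller.getName() + "#" + KDReflection.getCallerCallerMethodName());
                }
                return;
            }
            case "stopThread": {
                Class<?> caller = KDReflection.getCallerCallerClass();
                if (!this.config.allowSuppressAccess(caller)) {
                    throw new SecurityException("限制stopThread: " + caller.getName() + "#" + KDReflection.getCallerCallerMethodName());
                }
                return;
            }
            case "setIO": {
                Class<?> caller = KDReflection.getCallerCallerClass();
                if (!this.config.allowSuppressAccess(caller)) {
                    throw new SecurityException("限制setIO: " + caller.getName() + "#" + KDReflection.getCallerCallerMethodName());
                }
                return;
            }
            case "readDisplayPixels": {
                Class<?> caller = KDReflection.getCallerCallerClass();
                if (!this.config.allowSuppressAccess(caller)) {
                    throw new SecurityException("限制readDisplayPixels(robot): " + caller.getName() + "#" + KDReflection.getCallerCallerMethodName());
                }
                return;
            }
            default:
                // Default-allow: every permission name not listed above passes.
                return;
        }
    }
}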
