package org.apache.ignite.internal.processors.security;

import java.io.Serializable;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.PrivilegedActionException;
import java.security.ProtectionDomain;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.UUID;
import java.util.concurrent.Callable;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import org.apache.ignite.IgniteCheckedException;
import org.apache.ignite.IgniteException;
import org.apache.ignite.IgniteSystemProperties;
import org.apache.ignite.cluster.ClusterNode;
import org.apache.ignite.internal.GridInternalWrapper;
import org.apache.ignite.internal.GridKernalContext;
import org.apache.ignite.internal.IgniteNodeAttributes;
import org.apache.ignite.internal.processors.cache.GridCacheContext;
import org.apache.ignite.internal.processors.cache.GridCacheSharedContext;
import org.apache.ignite.internal.processors.security.sandbox.IgniteDomainCombiner;
import org.apache.ignite.internal.processors.security.sandbox.IgniteSandbox;
import org.apache.ignite.internal.util.typedef.F;
import org.apache.ignite.internal.util.typedef.internal.A;
import org.apache.ignite.internal.util.typedef.internal.U;
import org.apache.ignite.marshaller.Marshaller;
import org.apache.ignite.plugin.security.SecurityCredentials;
import org.apache.ignite.plugin.security.SecurityException;
import org.apache.ignite.plugin.security.SecurityPermission;
import org.apache.ignite.spi.IgniteSpiException;
import org.apache.ignite.spi.discovery.DiscoverySpiNodeAuthenticator;
import org.apache.lucene.queryparser.flexible.standard.processors.OpenRangeQueryNodeProcessor;

/* loaded from: input_file:org/apache/ignite/internal/processors/security/SecurityUtils.class */
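/**
 * Static helpers for Ignite's security layer: serialization-version switching, security-context
 * transfer through node attributes, privileged execution and sandbox proxying.
 *
 * <p>This listing is decompiler output. Constructs that the decompiler left in a non-compilable or
 * artificial form (the synthetic assertion flag, ambiguous {@code doPrivileged} overloads, raw
 * collections, null-check stubs) are restored to ordinary source form below; the observable
 * behaviour is kept.
 *
 * <p>NOTE(review): {@link AccessController} and {@link System#getSecurityManager()} are deprecated
 * for removal since Java 17 (JEP 411), so the sandbox-related helpers here depend on a JVM that
 * still supports the Security Manager.
 */
public class SecurityUtils {
    /** Message template used when local and remote security processor classes differ. */
    public static final String MSG_SEC_PROC_CLS_IS_INVALID = "Local node's grid security processor class is not equal to remote node's grid security processor class [locNodeId=%s, rmtNodeId=%s, locCls=%s, rmtCls=%s]";

    /** Root package of Ignite internals. */
    public static final String IGNITE_INTERNAL_PACKAGE = "org.apache.ignite.internal";

    /** Default serialize version: 1 in security compatibility mode, 2 otherwise. */
    private static final int DFLT_SERIALIZE_VERSION = isSecurityCompatibilityMode() ? 1 : 2;

    /** Per-thread serialize version; starts at {@link #DFLT_SERIALIZE_VERSION}. */
    private static final ThreadLocal<Integer> SERIALIZE_VERSION =
        ThreadLocal.withInitial(() -> DFLT_SERIALIZE_VERSION);

    /** Read-only permission collection that holds a single {@link AllPermission}. */
    public static final Permissions ALL_PERMISSIONS;

    static {
        ALL_PERMISSIONS = new Permissions();
        ALL_PERMISSIONS.add(new AllPermission());
        // Sealed so that no caller can add to or otherwise alter the shared instance.
        ALL_PERMISSIONS.setReadOnly();
    }

    /** Code source this class was loaded from; used as the reference for "system" classes. */
    private static final CodeSource CORE_CODE_SOURCE = SecurityUtils.class.getProtectionDomain().getCodeSource();

    /**
     * Cache of {@link #isSystemType} results per class.
     * NOTE(review): entries hold strong {@code Class} references and are never evicted in this
     * file; verify this is acceptable for classes that come from short-lived class loaders.
     */
    private static final ConcurrentMap<Class<?>, Boolean> SYSTEM_TYPES = new ConcurrentHashMap<>();

    /**
     * Invocation handler that routes calls on a proxied user object through the sandbox.
     *
     * @param <T> Type of the proxied object (not used by the handler itself).
     */
    public static class SandboxInvocationHandler<T> implements InvocationHandler {
        /** Sandbox used to execute calls. */
        private final IgniteSandbox sandbox;

        /** Object that actually receives the calls. */
        private final Object original;

        /**
         * @param igniteSandbox Sandbox used to execute calls.
         * @param obj Object that receives the calls.
         */
        public SandboxInvocationHandler(IgniteSandbox igniteSandbox, Object obj) {
            this.sandbox = igniteSandbox;
            this.original = obj;
        }

        /**
         * Invokes {@code method} on the wrapped object. Calls to methods that
         * {@link GridInternalWrapper} itself exposes are made directly; every other call is
         * executed through {@link IgniteSandbox#execute}.
         *
         * <p>Security note: the direct (non-sandboxed) path is selected purely by method name and
         * parameter types matching a public method of {@code GridInternalWrapper}.
         */
        @Override
        public Object invoke(Object obj, Method method, Object[] objArr) throws Throwable {
            if (obj instanceof GridInternalWrapper && isInternalWrapperMethod(method)) {
                return method.invoke(this.original, objArr);
            }

            return this.sandbox.execute(() -> {
                try {
                    return method.invoke(this.original, objArr);
                } catch (InvocationTargetException e) {
                    // Surface the exception thrown by the target, not the reflection wrapper.
                    throw new IgniteException(e.getTargetException());
                }
            });
        }

        /**
         * @param method Method being invoked on the proxy.
         * @return {@code true} if {@link GridInternalWrapper} has a public method with the same
         *      name and parameter types.
         */
        private static boolean isInternalWrapperMethod(Method method) {
            try {
                return GridInternalWrapper.class.getMethod(method.getName(), method.getParameterTypes()) != null;
            } catch (NoSuchMethodException ignored) {
                // Not a GridInternalWrapper method: the caller falls through to the sandboxed path.
                return false;
            }
        }
    }

    /** Utility class; not instantiable. */
    private SecurityUtils() {
    }

    /**
     * @return Value of the {@code IGNITE_SECURITY_COMPATIBILITY_MODE} system property,
     *      {@code false} when it is not set.
     */
    public static boolean isSecurityCompatibilityMode() {
        return IgniteSystemProperties.getBoolean(IgniteSystemProperties.IGNITE_SECURITY_COMPATIBILITY_MODE, false);
    }

    /**
     * Sets the serialize version for the current thread.
     *
     * @param i Version to use.
     */
    public static void serializeVersion(int i) {
        SERIALIZE_VERSION.set(i);
    }

    /**
     * @return Serialize version of the current thread.
     */
    public static int serializeVersion() {
        return SERIALIZE_VERSION.get();
    }

    /** Resets the current thread's serialize version to the default one. */
    public static void restoreDefaultSerializeVersion() {
        serializeVersion(DFLT_SERIALIZE_VERSION);
    }

    /**
     * Builds the service permission map used for compatibility: a single entry that grants
     * {@code SERVICE_CANCEL}, {@code SERVICE_DEPLOY} and {@code SERVICE_INVOKE}.
     *
     * @return New mutable map with that single entry.
     */
    public static Map<String, Collection<SecurityPermission>> compatibleServicePermissions() {
        Map<String, Collection<SecurityPermission>> srvcPerms = new HashMap<>();

        // NOTE(review): the decompiler resolved the key to a Lucene constant; it is presumably the
        // wildcard service name, which would make this a grant for every service - confirm
        // against the upstream source before relying on it.
        srvcPerms.put(
            OpenRangeQueryNodeProcessor.OPEN_RANGE_TOKEN,
            Arrays.asList(
                SecurityPermission.SERVICE_CANCEL,
                SecurityPermission.SERVICE_DEPLOY,
                SecurityPermission.SERVICE_INVOKE));

        return srvcPerms;
    }

    /**
     * Reads the security context stored in the {@code ATTR_SECURITY_SUBJECT_V2} attribute of a node.
     *
     * <p>NOTE(review): this deserializes bytes taken from a node attribute. Whether that attribute
     * can be influenced by a node that has not been authenticated yet is not visible in this file;
     * confirm it, and make sure class filtering is in place for the marshaller that is passed in.
     *
     * @param marshaller Marshaller used to unmarshal the attribute.
     * @param classLoader Class loader used during unmarshalling.
     * @param clusterNode Node whose attribute is read.
     * @return Unmarshalled security context.
     * @throws SecurityException If the attribute is missing or cannot be unmarshalled.
     */
    public static SecurityContext nodeSecurityContext(Marshaller marshaller, ClassLoader classLoader, ClusterNode clusterNode) {
        A.notNull(clusterNode, "Cluster node");

        byte[] subjBytes = (byte[]) clusterNode.attribute(IgniteNodeAttributes.ATTR_SECURITY_SUBJECT_V2);

        if (subjBytes == null) {
            throw new SecurityException("Security context isn't certain.");
        }

        try {
            return (SecurityContext) U.unmarshal(marshaller, subjBytes, classLoader);
        } catch (IgniteCheckedException e) {
            throw new SecurityException("Failed to get security context.", e);
        }
    }

    /**
     * @param gridKernalContext Kernal context.
     * @return Current security context, or {@code null} when security is disabled or the current
     *      context is the default one.
     */
    public static SecurityContext remoteSecurityContext(GridKernalContext gridKernalContext) {
        IgniteSecurity security = gridKernalContext.security();

        if (security.enabled() && !security.isDefaultContext()) {
            return security.securityContext();
        }

        return null;
    }

    /**
     * @param gridKernalContext Kernal context.
     * @return Id of the current security subject, or {@code null} when security is disabled.
     */
    public static UUID securitySubjectId(GridKernalContext gridKernalContext) {
        IgniteSecurity security = gridKernalContext.security();

        return security.enabled() ? security.securityContext().subject().id() : null;
    }

    /**
     * @param gridCacheContext Cache context.
     * @return Id of the current security subject, or {@code null} when security is disabled.
     */
    public static UUID securitySubjectId(GridCacheContext<?, ?> gridCacheContext) {
        return securitySubjectId(gridCacheContext.kernalContext());
    }

    /**
     * @param gridCacheSharedContext Shared cache context.
     * @return Id of the current security subject, or {@code null} when security is disabled.
     */
    public static UUID securitySubjectId(GridCacheSharedContext<?, ?> gridCacheSharedContext) {
        return securitySubjectId(gridCacheSharedContext.kernalContext());
    }

    /**
     * @param gridKernalContext Kernal context.
     * @param securityContext Security context to switch to; may be {@code null}.
     * @return Result of {@code security().withContext(securityContext)}, or {@code null} when no
     *      context was passed.
     */
    public static OperationSecurityContext withRemoteSecurityContext(GridKernalContext gridKernalContext, SecurityContext securityContext) {
        return securityContext == null ? null : gridKernalContext.security().withContext(securityContext);
    }

    /**
     * Runs {@code callable} inside {@link AccessController#doPrivileged} and rethrows whatever it
     * throws, unwrapped from {@link PrivilegedActionException}.
     *
     * <p>The decompiled form passed a bare method reference, which is ambiguous between the
     * {@code PrivilegedAction} and {@code PrivilegedExceptionAction} overloads, and declared
     * {@code throws Exception}, which the callers in this class do not handle. The explicit cast
     * and the generic {@code throws E} clause (same erasure) make the method and its callers
     * compile again.
     *
     * <p>NOTE(review): this helper is public and accepts any {@link Callable}. Callers should keep
     * the privileged section minimal and pass only code they control - confirm that no untrusted
     * path reaches it.
     *
     * @param callable Action to run; must not be {@code null}.
     * @param <T> Result type.
     * @param <E> Exception type the caller expects.
     * @return Result of the callable.
     * @throws E Exception thrown by the callable.
     */
    @SuppressWarnings("unchecked")
    public static <T, E extends Exception> T doPrivileged(Callable<T> callable) throws E {
        try {
            return AccessController.doPrivileged((java.security.PrivilegedExceptionAction<T>) callable::call);
        } catch (PrivilegedActionException e) {
            // The cast is erased at runtime; the original exception is rethrown as is.
            throw (E) e.getException();
        }
    }

    /**
     * @return {@code true} if a security manager is installed in this JVM.
     */
    public static boolean hasSecurityManager() {
        return System.getSecurityManager() != null;
    }

    /**
     * Tells whether the class of {@code obj} counts as a system type. A class does when its
     * {@link ProtectionDomain} is {@code null} or when its {@link CodeSource} equals the code
     * source of this class. Results are cached per class.
     *
     * <p>Security note: {@link #sandboxedProxy} leaves system types unwrapped, so this predicate
     * decides which objects run outside the sandbox. A {@code null} protection domain is treated
     * as trusted here.
     *
     * @param gridKernalContext Kernal context (not used by this method).
     * @param obj Object to inspect.
     * @param z If {@code true} and {@code obj} is a {@link GridInternalWrapper}, the class of the
     *      wrapped user object is inspected instead of the wrapper class.
     * @return {@code true} if the inspected class is a system type.
     */
    public static boolean isSystemType(GridKernalContext gridKernalContext, Object obj, boolean z) {
        Class<?> cls = (z && obj instanceof GridInternalWrapper)
            ? ((GridInternalWrapper) obj).userObject().getClass()
            : obj.getClass();

        Boolean cached = SYSTEM_TYPES.get(cls);

        if (cached != null) {
            return cached;
        }

        ProtectionDomain pd = doPrivileged(cls::getProtectionDomain);

        boolean sysType = pd == null || F.eq(CORE_CODE_SOURCE, pd.getCodeSource());

        SYSTEM_TYPES.put(cls, sysType);

        return sysType;
    }

    /**
     * @return {@code true} if there are sandboxed nodes and the domain combiner of the current
     *      access control context is an {@link IgniteDomainCombiner}.
     */
    public static boolean isInsideSandbox() {
        if (!IgniteSecurityProcessor.hasSandboxedNodes()) {
            return false;
        }

        final AccessControlContext context = AccessController.getContext();

        // The explicit cast selects the PrivilegedAction overload; a bare lambda is ambiguous.
        return AccessController.doPrivileged(
            (java.security.PrivilegedAction<Boolean>) () -> context.getDomainCombiner() instanceof IgniteDomainCombiner);
    }

    /**
     * Wraps {@code t} into a proxy whose calls are executed through the sandbox.
     *
     * @param gridKernalContext Kernal context.
     * @param cls Interface the proxy has to implement.
     * @param t Object to wrap; may be {@code null}.
     * @param <T> Type of the object.
     * @return {@code null} for a {@code null} object; the object itself when the sandbox is
     *      disabled or the object is a system type (see {@link #isSystemType}); a proxy otherwise.
     * @throws NullPointerException If {@code t} is not {@code null} and the context or the
     *      interface is {@code null}.
     */
    @SuppressWarnings({"unchecked", "rawtypes"})
    public static <T> T sandboxedProxy(GridKernalContext gridKernalContext, Class cls, T t) {
        if (t == null) {
            return null;
        }

        Objects.requireNonNull(gridKernalContext, "Parameter 'ctx' cannot be null.");
        Objects.requireNonNull(cls, "Parameter 'cls' cannot be null.");

        IgniteSandbox sandbox = gridKernalContext.security().sandbox();

        if (!sandbox.enabled() || isSystemType(gridKernalContext, t, true)) {
            return t;
        }

        return (T) Proxy.newProxyInstance(
            sandbox.getClass().getClassLoader(),
            proxyClasses(cls, t),
            new SandboxInvocationHandler<T>(sandbox, t));
    }

    /**
     * @param cls Interface requested by the caller.
     * @param t Object to be proxied.
     * @param <T> Type of the object.
     * @return {@code cls} alone, or {@code cls} plus {@link GridInternalWrapper} when the object
     *      is itself a wrapper.
     */
    @SuppressWarnings("rawtypes")
    private static <T> Class[] proxyClasses(Class cls, T t) {
        if (t instanceof GridInternalWrapper) {
            return new Class[] {cls, GridInternalWrapper.class};
        }

        return new Class[] {cls};
    }

    /**
     * Returns a copy of the node attributes with the marshalled security context stored under
     * {@code ATTR_SECURITY_SUBJECT_V2}. The map passed in is not modified.
     *
     * @param securityContext Security context to store.
     * @param map Node attributes to copy.
     * @param marshaller Marshaller used to serialize the context.
     * @return New map with the additional attribute.
     * @throws IgniteSpiException If the context is not {@link Serializable}.
     * @throws IgniteCheckedException If marshalling fails.
     */
    public static Map<String, Object> withSecurityContext(SecurityContext securityContext, Map<String, Object> map, Marshaller marshaller) throws IgniteCheckedException {
        if (!(securityContext instanceof Serializable)) {
            throw new IgniteSpiException("Authentication subject is not serializable.");
        }

        Map<String, Object> attrs = new HashMap<>(map);

        attrs.put(IgniteNodeAttributes.ATTR_SECURITY_SUBJECT_V2, U.marshal(marshaller, securityContext));

        return attrs;
    }

    /**
     * Authenticates the local node with the given authenticator.
     *
     * <p>NOTE(review): the argument preconditions are checked with {@code assert} only, so they are
     * not enforced when assertions are disabled.
     *
     * @param clusterNode Local node.
     * @param securityCredentials Credentials; may be {@code null} only when the node carries the
     *      {@code ATTR_AUTHENTICATION_ENABLED} attribute.
     * @param discoverySpiNodeAuthenticator Authenticator to use.
     * @return Security context returned by the authenticator.
     * @throws IgniteSpiException If the authenticator returns {@code null}.
     */
    public static SecurityContext authenticateLocalNode(ClusterNode clusterNode, SecurityCredentials securityCredentials, DiscoverySpiNodeAuthenticator discoverySpiNodeAuthenticator) {
        assert discoverySpiNodeAuthenticator != null;
        assert securityCredentials != null || clusterNode.attribute(IgniteNodeAttributes.ATTR_AUTHENTICATION_ENABLED) != null;

        SecurityContext secCtx = discoverySpiNodeAuthenticator.authenticateNode(clusterNode, securityCredentials);

        if (secCtx == null) {
            throw new IgniteSpiException("Authentication failed for local node: " + clusterNode.id());
        }

        return secCtx;
    }
}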
