package com.sshtools.server.policy;

import com.sshtools.common.Connection;
import com.sshtools.server.SshServerContext;
import com.sshtools.server.sftp.FileSystemUtils;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.net.URL;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Pattern;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.apache.commons.vfs2.FileObject;
import org.apache.commons.vfs2.VFS;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/sshtools/server/policy/PolicyPermissionsProvider.class */
public class PolicyPermissionsProvider extends Policy {
    static final Logger log = LoggerFactory.getLogger(PolicyPermissionsProvider.class);
    private String configurationDir;
    protected static PolicyPermissionsProvider policy;
    public static final String LOGIN_CONTEXT = "loginContext";

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/sshtools/server/policy/PolicyPermissionsProvider$NegateException.class */
    public class NegateException extends RuntimeException {
        NegateException() {
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/sshtools/server/policy/PolicyPermissionsProvider$PolicyEntry.class */
    public class PolicyEntry {
        private Pattern subjectPatternObj;
        private Pattern targetPatternObj;
        private String comment;
        private boolean negate;

        public PolicyEntry(String str) {
            this.comment = str;
        }

        public PolicyEntry(String str, String str2) {
            setTargetPattern(str2);
            setSubjectPattern(str);
        }

        public void setSubjectPattern(String str) {
            this.subjectPatternObj = Pattern.compile(str);
        }

        public void setTargetPattern(String str) {
            this.targetPatternObj = Pattern.compile(str);
        }

        public boolean isNegate() {
            return this.negate;
        }

        public void setNegate(boolean z) {
            this.negate = z;
        }

        public boolean matches(Object[] objArr, String str, Object[] objArr2) {
            if (this.comment != null) {
                return false;
            }
            if (PolicyPermissionsProvider.log.isDebugEnabled()) {
                PolicyPermissionsProvider.log.debug("    Looking for match of " + this.subjectPatternObj + " and " + this.targetPatternObj);
            }
            boolean z = false;
            boolean z2 = false;
            int length = objArr.length;
            int i = 0;
            while (true) {
                if (i >= length) {
                    break;
                }
                Object obj = objArr[i];
                if (PolicyPermissionsProvider.log.isDebugEnabled()) {
                    PolicyPermissionsProvider.log.debug("        subject = " + obj);
                }
                if (this.subjectPatternObj.matcher(obj.toString()).matches()) {
                    z = true;
                    break;
                }
                i++;
            }
            int length2 = objArr2.length;
            int i2 = 0;
            while (true) {
                if (i2 >= length2) {
                    break;
                }
                String str2 = String.valueOf(objArr2[i2].toString()) + ":" + str;
                if (PolicyPermissionsProvider.log.isDebugEnabled()) {
                    PolicyPermissionsProvider.log.debug("        action = " + str2);
                }
                if (this.targetPatternObj.matcher(str2).matches()) {
                    z2 = true;
                    break;
                }
                i2++;
            }
            return z2 && z;
        }

        public String writeable() {
            if (this.comment != null) {
                return this.comment;
            }
            return String.valueOf(this.negate ? "!" : "") + " " + this.subjectPatternObj.pattern() + " = " + this.targetPatternObj.pattern();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/sshtools/server/policy/PolicyPermissionsProvider$ReadOnlyPolicyFile.class */
    public class ReadOnlyPolicyFile {
        FileObject file;
        List<PolicyEntry> entries = new ArrayList();
        int nextInsertIndex = -1;

        ReadOnlyPolicyFile() {
        }

        protected void load(InputStream inputStream) throws IOException {
            BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream));
            int i = 0;
            while (true) {
                try {
                    String readLine = bufferedReader.readLine();
                    if (readLine == null) {
                        break;
                    }
                    String trim = readLine.trim();
                    if (trim.startsWith("#") || trim.equals("")) {
                        if (trim.equals("# User defined rules start here")) {
                            this.nextInsertIndex = i + 1;
                        }
                        this.entries.add(new PolicyEntry(trim));
                    } else {
                        boolean z = false;
                        if (trim.startsWith("!")) {
                            z = true;
                            trim = trim.substring(1).trim();
                        }
                        if (this.nextInsertIndex == -1) {
                            this.nextInsertIndex = i;
                        }
                        int indexOf = trim.indexOf(61);
                        if (indexOf == -1) {
                            PolicyPermissionsProvider.log.warn("Invalid entry in policy file.");
                        } else {
                            PolicyEntry policyEntry = new PolicyEntry(trim.substring(0, indexOf).trim(), trim.substring(indexOf + 1).trim());
                            policyEntry.setNegate(z);
                            this.entries.add(policyEntry);
                        }
                    }
                    i++;
                } catch (Throwable th) {
                    bufferedReader.close();
                    throw th;
                }
            }
            bufferedReader.close();
            if (this.nextInsertIndex == -1) {
                this.nextInsertIndex = 0;
            }
        }

        public void write() throws IOException {
            throw new UnsupportedOperationException("Policy file is not writeable.");
        }

        public boolean matches(Object[] objArr, String str, Object[] objArr2) {
            for (PolicyEntry policyEntry : this.entries) {
                if (policyEntry.matches(objArr, str, objArr2)) {
                    if (policyEntry.isNegate()) {
                        throw new NegateException();
                    }
                    return true;
                }
            }
            return false;
        }

        public void grant(String[] strArr, String str, String[] strArr2) {
            StringBuilder sb = new StringBuilder();
            boolean z = false;
            for (String str2 : strArr) {
                if (z) {
                    sb.append("|");
                    z = false;
                }
                if (str2.equals("all")) {
                    sb.append(".*");
                } else {
                    sb.append(str2);
                }
            }
            sb.append(":");
            sb.append(str);
            String sb2 = sb.toString();
            sb.setLength(0);
            boolean z2 = false;
            for (String str3 : strArr2) {
                if (z2) {
                    sb.append("|");
                    z2 = false;
                }
                if (str3.equals("all")) {
                    sb.append(".*");
                } else {
                    sb.append(str3);
                }
            }
            this.entries.add(Math.min(this.nextInsertIndex, this.entries.size()), new PolicyEntry(sb.toString(), sb2));
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/sshtools/server/policy/PolicyPermissionsProvider$WriteablePolicyFile.class */
    public class WriteablePolicyFile extends ReadOnlyPolicyFile {
        FileObject file;
        int nextInsertIndex;

        WriteablePolicyFile(FileObject fileObject) throws IOException {
            super();
            this.nextInsertIndex = -1;
            this.file = fileObject;
            load(fileObject);
        }

        protected void load(FileObject fileObject) throws IOException {
            load(fileObject.getContent().getInputStream());
        }

        @Override // com.sshtools.server.policy.PolicyPermissionsProvider.ReadOnlyPolicyFile
        public void write() throws IOException {
            PrintWriter printWriter = new PrintWriter(new OutputStreamWriter(this.file.getContent().getOutputStream()));
            try {
                Iterator<PolicyEntry> it = this.entries.iterator();
                while (it.hasNext()) {
                    printWriter.println(it.next().writeable());
                }
            } finally {
                printWriter.close();
            }
        }
    }

    PolicyPermissionsProvider(String str) {
        this.configurationDir = str;
    }

    public static void installProvider(String str) {
        if (policy == null) {
            PolicyPermissionsProvider policyPermissionsProvider = new PolicyPermissionsProvider(str);
            policy = policyPermissionsProvider;
            Policy.setPolicy(policyPermissionsProvider);
        }
    }

    public static boolean isInstalled() {
        return policy != null;
    }

    private FileObject getConfigurationDirectory() {
        try {
            FileObject resolveFile = VFS.getManager().resolveFile(String.valueOf(FileSystemUtils.addTrailingSlash(this.configurationDir)) + "policy");
            if (!resolveFile.exists()) {
                resolveFile.createFolder();
            }
            return resolveFile;
        } catch (Exception e) {
            throw new Error(e);
        }
    }

    @Override // java.security.Policy
    public boolean implies(ProtectionDomain protectionDomain, Permission permission) {
        boolean z = false;
        try {
            if (log.isDebugEnabled()) {
                log.debug("Check if implied " + permission.getClass().getName() + " for " + permission.getName());
            }
            String[] principalNames = getPrincipalNames(protectionDomain.getPrincipals());
            if (principalNames.length == 0) {
                principalNames = new String[]{"__SYSTEM__"};
            }
            if (0 == 0) {
                Enumeration<URL> resources = getClass().getClassLoader().getResources("META-INF/" + permission.getClass().getName() + "/principals");
                while (true) {
                    if (!resources.hasMoreElements()) {
                        break;
                    }
                    try {
                    } catch (NegateException e) {
                        log.debug("Negating rule");
                        z = false;
                    } catch (Exception e2) {
                        log.warn("Could not read policy file, permissions in this file will be ignored.", e2);
                    }
                    if (check(permission, principalNames, resources.nextElement())) {
                        z = true;
                        break;
                    }
                }
            }
            FileObject resolveFile = getConfigurationDirectory().resolveFile(permission.getClass().getName());
            log.debug("Looking for " + resolveFile.getName().getURI());
            if (resolveFile.exists()) {
                try {
                    if (check(permission, principalNames, resolveFile.resolveFile("principals"))) {
                        z = true;
                    }
                } catch (NegateException e3) {
                    log.debug("Negating rule");
                    z = false;
                } catch (Exception e4) {
                    log.warn("Could not read policy file, permissions in this file will be ignored.", e4);
                }
            }
        } catch (IOException e5) {
            log.error("Failed to resolve policy file.", e5);
            z = false;
        }
        return z;
    }

    protected boolean check(Permission permission, String[] strArr, FileObject fileObject) throws IOException {
        boolean z = false;
        if (fileObject.exists()) {
            if (log.isDebugEnabled()) {
                log.debug("Check policy file " + fileObject);
            }
            if (new WriteablePolicyFile(fileObject).matches(strArr, permission.getName(), permission.getActions().split(","))) {
                z = true;
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("    Matches = " + z);
        }
        return z;
    }

    protected boolean check(Permission permission, String[] strArr, URL url) throws IOException {
        boolean z = false;
        if (log.isDebugEnabled()) {
            log.debug("Check policy file " + url);
        }
        ReadOnlyPolicyFile readOnlyPolicyFile = new ReadOnlyPolicyFile();
        readOnlyPolicyFile.load(url.openStream());
        if (readOnlyPolicyFile.matches(strArr, permission.getName(), permission.getActions().split(","))) {
            z = true;
        }
        if (log.isDebugEnabled()) {
            log.debug("    Matches = " + z);
        }
        return z;
    }

    private static String[] getPrincipalNames(Principal[] principalArr) {
        String[] strArr = new String[principalArr.length];
        for (int i = 0; i < principalArr.length; i++) {
            strArr[i] = principalArr[i].getName();
        }
        return strArr;
    }

    @Override // java.security.Policy
    public void refresh() {
        super.refresh();
    }

    public static boolean checkPermission(final SecurityManager securityManager, final Connection<SshServerContext> connection, final Permission permission) {
        LoginContext loginContext = connection == null ? null : (LoginContext) connection.getIoSession().getAttribute(LOGIN_CONTEXT);
        if (loginContext == null) {
            if (log.isDebugEnabled()) {
                log.debug("No login context, not using doAs() for " + permission.getClass().getName() + " for " + permission.getName());
            }
            return doCheckPermission(securityManager, connection, permission).booleanValue();
        }
        if (log.isDebugEnabled()) {
            log.debug("Running as " + loginContext.getSubject() + " for " + permission.getName());
        }
        return ((Boolean) Subject.doAs(loginContext.getSubject(), new PrivilegedAction<Boolean>() { // from class: com.sshtools.server.policy.PolicyPermissionsProvider.1
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedAction
            public Boolean run() {
                return PolicyPermissionsProvider.doCheckPermission(securityManager, connection, permission);
            }
        })).booleanValue();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static Boolean doCheckPermission(SecurityManager securityManager, Connection<SshServerContext> connection, Permission permission) {
        try {
            if (log.isDebugEnabled()) {
                log.debug("Checking permission " + permission.getClass().getName() + " for " + permission.getName());
            }
            securityManager.checkPermission(permission);
            return true;
        } catch (SecurityException e) {
            log.warn("Rejected " + connection.getUsername() + ". " + e.getMessage());
            return false;
        }
    }

    public void revoke(String str, String[] strArr, String str2, String[] strArr2) throws IOException {
    }

    public void grant(String str, String[] strArr, String str2, String[] strArr2) throws IOException {
        WriteablePolicyFile principalsFile = getPrincipalsFile(str);
        principalsFile.grant(strArr, str2, strArr2);
        principalsFile.write();
    }

    private WriteablePolicyFile getPrincipalsFile(String str) throws IOException {
        FileObject resolveFile = getConfigurationDirectory().resolveFile(str);
        if (!resolveFile.exists()) {
            resolveFile.createFolder();
        }
        FileObject resolveFile2 = resolveFile.resolveFile("principals");
        if (!resolveFile2.exists()) {
            resolveFile2.createFile();
        }
        return new WriteablePolicyFile(resolveFile2);
    }
}
