package com.baidu.hugegraph.security;

import com.baidu.hugegraph.util.Log;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import java.io.FileDescriptor;
import java.net.InetAddress;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Permission;
import java.util.Map;
import java.util.Set;

/* loaded from: input_file:com/baidu/hugegraph/security/HugeSecurityManager.class */
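/**
 * A {@link SecurityManager} that restricts sensitive JVM operations when the
 * call originates from the Gremlin Groovy script engine.
 *
 * <p>How a caller is classified (see {@link #callFromWorkerWithClass(Set)}):
 * the current thread's name must start with {@code gremlin-server-exec} or
 * {@code task-worker}, and an allowlisted class name must appear somewhere on
 * the current stack. Both are identification heuristics, not an authenticated
 * caller identity; a thread whose name carries neither prefix is never treated
 * as "Gremlin" by this class.
 *
 * <p>Design caveats for maintainers:
 * <ul>
 *   <li>{@link #checkPermission(Permission)} does not delegate to
 *       {@code super}, so no policy-based access control is applied. The
 *       {@code super.checkXxx(...)} calls below route back into that override,
 *       which denies only the names in {@code DENIED_PERMISSIONS}. Any
 *       permission that has no dedicated {@code checkXxx} override here is
 *       therefore allowed. NOTE(review): confirm that the single denied name
 *       is sufficient for the threat model (e.g. reflection-related
 *       permissions are not listed).</li>
 *   <li>Every exemption ({@code callFromRaft()}, {@code callFromBackendHbase()},
 *       ...) is granted when an allowlisted class or method appears anywhere
 *       on the stack, regardless of what invoked it. Keep these allowlists as
 *       narrow as possible and review which entries are reachable from
 *       scripts.</li>
 *   <li>{@code checkPackageAccess}, {@code checkPackageDefinition},
 *       {@code checkSecurityAccess} and {@code checkMemberAccess} add no
 *       Gremlin-specific restriction.</li>
 * </ul>
 */
public class HugeSecurityManager extends SecurityManager {

    private static final String DIST_MODULE = "hugegraph-dist";

    private static final String USER_DIR = System.getProperty("user.dir");
    // Parent of the dist module when the server is started from an IDE
    // (working directory ends with "hugegraph-dist"); null otherwise.
    private static final String USER_DIR_IDE = ideRootOf(USER_DIR);

    // Normalized forms of the two directories above, used for path containment checks.
    private static final Path USER_DIR_PATH = normalizedOrNull(USER_DIR);
    private static final Path USER_DIR_IDE_PATH = normalizedOrNull(USER_DIR_IDE);

    // Thread-name prefixes of the workers whose calls are subject to sandboxing.
    private static final String GREMLIN_SERVER_WORKER = "gremlin-server-exec";
    private static final String TASK_WORKER = "task-worker";

    // A stack frame from one of these classes marks the call as script-originated.
    private static final Set<String> GREMLIN_EXECUTOR_CLASS = ImmutableSet.of(
            "org.apache.tinkerpop.gremlin.groovy.jsr223.GremlinGroovyScriptEngine");

    // Permission names refused outright to script-originated calls.
    private static final Set<String> DENIED_PERMISSIONS = ImmutableSet.of("setSecurityManager");

    // Class loaders that may be created / may read properties on behalf of scripts.
    private static final Set<String> ACCEPT_CLASS_LOADERS = ImmutableSet.of(
            "groovy.lang.GroovyClassLoader",
            "sun.reflect.DelegatingClassLoader",
            "org.codehaus.groovy.reflection.SunClassLoader",
            "org.codehaus.groovy.runtime.callsite.CallSiteClassLoader",
            "org.apache.hadoop.hbase.util.DynamicClassLoader");

    private static final Set<String> CAFFEINE_CLASSES = ImmutableSet.of(
            "com.github.benmanes.caffeine.cache.BoundedLocalCache");

    // System properties that scripts may read.
    private static final Set<String> WHITE_SYSTEM_PROPERTYS = ImmutableSet.of(
            "line.separator", "file.separator", "socksProxyHost", "file.encoding");

    // class name -> method names; a matching frame exempts thread access checks.
    private static final Map<String, Set<String>> ASYNC_TASKS = ImmutableMap.of(
            "com.baidu.hugegraph.backend.tx.SchemaTransaction",
            ImmutableSet.of("removeVertexLabel", "removeEdgeLabel", "removeIndexLabel", "rebuildIndex"),
            "com.baidu.hugegraph.backend.tx.GraphIndexTransaction",
            ImmutableSet.of("asyncRemoveIndexLeft"));

    // class name -> method names; a matching frame exempts fd and socket-connect checks.
    private static final Map<String, Set<String>> BACKEND_SOCKET = ImmutableMap.of(
            "com.baidu.hugegraph.backend.store.mysql.MysqlStore",
            ImmutableSet.of("open", "init", "clear", "opened", "initialized"));

    // class name -> method names; a matching frame exempts thread access checks.
    private static final Map<String, Set<String>> BACKEND_THREAD = ImmutableMap.of(
            "com.baidu.hugegraph.backend.store.cassandra.CassandraStore",
            ImmutableSet.of("open", "opened", "init"),
            "com.datastax.driver.core.AbstractSession",
            ImmutableSet.of("execute"));

    private static final Set<String> HBASE_CLASSES = ImmutableSet.of(
            "com.baidu.hugegraph.backend.store.hbase.HbaseStore",
            "com.baidu.hugegraph.backend.store.hbase.HbaseStore$HbaseSchemaStore",
            "com.baidu.hugegraph.backend.store.hbase.HbaseStore$HbaseGraphStore",
            "com.baidu.hugegraph.backend.store.hbase.HbaseSessions$RowIterator");

    private static final Set<String> RAFT_CLASSES = ImmutableSet.of(
            "com.baidu.hugegraph.backend.store.raft.RaftNode",
            "com.baidu.hugegraph.backend.store.raft.StoreStateMachine",
            "com.baidu.hugegraph.backend.store.raft.rpc.RpcForwarder");

    /**
     * Denies the permissions named in {@code DENIED_PERMISSIONS} to
     * script-originated calls and allows everything else.
     *
     * <p>Deliberately does not call {@code super.checkPermission}; see the
     * class comment for what that implies.
     *
     * @throws SecurityException if a denied permission is requested via Gremlin
     */
    @Override
    public void checkPermission(Permission permission) {
        if (DENIED_PERMISSIONS.contains(permission.getName()) && callFromGremlin()) {
            throw newSecurityException("Not allowed to access denied permission via Gremlin");
        }
    }

    /**
     * Same rule as {@link #checkPermission(Permission)}; the context object is ignored.
     *
     * @throws SecurityException if a denied permission is requested via Gremlin
     */
    @Override
    public void checkPermission(Permission permission, Object context) {
        if (DENIED_PERMISSIONS.contains(permission.getName()) && callFromGremlin()) {
            throw newSecurityException("Not allowed to access denied permission via Gremlin");
        }
    }

    /** Refuses class-loader creation from scripts unless an accepted loader is on the stack. */
    @Override
    public void checkCreateClassLoader() {
        if (!callFromAcceptClassLoaders() && callFromGremlin()) {
            throw newSecurityException("Not allowed to create class loader via Gremlin");
        }
        super.checkCreateClassLoader();
    }

    /** Refuses native library linking from scripts. */
    @Override
    public void checkLink(String lib) {
        if (callFromGremlin()) {
            throw newSecurityException("Not allowed to link library via Gremlin");
        }
        super.checkLink(lib);
    }

    /** Refuses thread modification from scripts, apart from the exempted internal callers. */
    @Override
    public void checkAccess(Thread thread) {
        if (threadAccessDeniedForGremlin()) {
            throw newSecurityException("Not allowed to access thread via Gremlin");
        }
        super.checkAccess(thread);
    }

    /** Refuses thread-group modification from scripts, apart from the exempted internal callers. */
    @Override
    public void checkAccess(ThreadGroup threadGroup) {
        if (threadAccessDeniedForGremlin()) {
            throw newSecurityException("Not allowed to access thread group via Gremlin");
        }
        super.checkAccess(threadGroup);
    }

    /** Refuses JVM exit from scripts. */
    @Override
    public void checkExit(int status) {
        if (callFromGremlin()) {
            throw newSecurityException("Not allowed to call System.exit() via Gremlin");
        }
        super.checkExit(status);
    }

    /** Refuses subprocess execution from scripts. */
    @Override
    public void checkExec(String cmd) {
        if (callFromGremlin()) {
            throw newSecurityException("Not allowed to execute command via Gremlin");
        }
        super.checkExec(cmd);
    }

    /** Refuses file-descriptor reads from scripts unless a backend socket or raft frame is on the stack. */
    @Override
    public void checkRead(FileDescriptor fd) {
        if (callFromGremlin() && !callFromBackendSocket() && !callFromRaft()) {
            throw newSecurityException("Not allowed to read fd via Gremlin");
        }
        super.checkRead(fd);
    }

    /**
     * Refuses file reads from scripts, except {@code .class}/{@code .groovy}
     * files under the working directory and reads made by exempted callers.
     */
    @Override
    public void checkRead(String file) {
        if (callFromGremlin() && !callFromCaffeine() && !readGroovyInCurrentDir(file)
                && !callFromBackendHbase() && !callFromRaft()) {
            throw newSecurityException("Not allowed to read file via Gremlin: %s", file);
        }
        super.checkRead(file);
    }

    /** Refuses context-based file reads from scripts unless a raft frame is on the stack. */
    @Override
    public void checkRead(String file, Object context) {
        if (callFromGremlin() && !callFromRaft()) {
            throw newSecurityException("Not allowed to read file via Gremlin: %s", file);
        }
        super.checkRead(file, context);
    }

    /** Refuses file-descriptor writes from scripts unless a backend socket or raft frame is on the stack. */
    @Override
    public void checkWrite(FileDescriptor fd) {
        if (callFromGremlin() && !callFromBackendSocket() && !callFromRaft()) {
            throw newSecurityException("Not allowed to write fd via Gremlin");
        }
        super.checkWrite(fd);
    }

    /** Refuses file writes from scripts unless a raft frame is on the stack. */
    @Override
    public void checkWrite(String file) {
        if (callFromGremlin() && !callFromRaft()) {
            throw newSecurityException("Not allowed to write file via Gremlin");
        }
        super.checkWrite(file);
    }

    /** Refuses file deletion from scripts. */
    @Override
    public void checkDelete(String file) {
        if (callFromGremlin()) {
            throw newSecurityException("Not allowed to delete file via Gremlin");
        }
        super.checkDelete(file);
    }

    /** Refuses opening a listening socket from scripts. */
    @Override
    public void checkListen(int port) {
        if (callFromGremlin()) {
            throw newSecurityException("Not allowed to listen socket via Gremlin");
        }
        super.checkListen(port);
    }

    /** Refuses accepting socket connections from scripts. */
    @Override
    public void checkAccept(String host, int port) {
        if (callFromGremlin()) {
            throw newSecurityException("Not allowed to accept socket via Gremlin");
        }
        super.checkAccept(host, port);
    }

    /** Refuses outbound connections from scripts, apart from the exempted backend callers. */
    @Override
    public void checkConnect(String host, int port) {
        if (callFromGremlin() && !callFromBackendSocket() && !callFromBackendHbase() && !callFromRaft()) {
            throw newSecurityException("Not allowed to connect socket via Gremlin");
        }
        super.checkConnect(host, port);
    }

    /** Refuses context-based outbound connections from scripts; no exemptions apply. */
    @Override
    public void checkConnect(String host, int port, Object context) {
        if (callFromGremlin()) {
            throw newSecurityException("Not allowed to connect socket via Gremlin");
        }
        super.checkConnect(host, port, context);
    }

    /** Refuses multicast from scripts. */
    @Override
    public void checkMulticast(InetAddress maddr) {
        if (callFromGremlin()) {
            throw newSecurityException("Not allowed to multicast via Gremlin");
        }
        super.checkMulticast(maddr);
    }

    /** Refuses multicast from scripts. */
    @Override
    public void checkMulticast(InetAddress maddr, byte ttl) {
        if (callFromGremlin()) {
            throw newSecurityException("Not allowed to multicast via Gremlin");
        }
        super.checkMulticast(maddr, ttl);
    }

    /** Refuses replacing socket/URL factories from scripts. */
    @Override
    public void checkSetFactory() {
        if (callFromGremlin()) {
            throw newSecurityException("Not allowed to set socket factory via Gremlin");
        }
        super.checkSetFactory();
    }

    /** Refuses bulk access to system properties from scripts. */
    @Override
    public void checkPropertiesAccess() {
        if (callFromGremlin()) {
            throw newSecurityException("Not allowed to access system properties via Gremlin");
        }
        super.checkPropertiesAccess();
    }

    /**
     * Refuses reading a single system property from scripts unless the key is
     * in {@code WHITE_SYSTEM_PROPERTYS} or an exempted caller is on the stack.
     */
    @Override
    public void checkPropertyAccess(String key) {
        if (!callFromAcceptClassLoaders() && callFromGremlin() && !WHITE_SYSTEM_PROPERTYS.contains(key)
                && !callFromBackendHbase() && !callFromRaft()) {
            throw newSecurityException("Not allowed to access system property(%s) via Gremlin", key);
        }
        super.checkPropertyAccess(key);
    }

    /** Refuses print-job requests from scripts. */
    @Override
    public void checkPrintJobAccess() {
        if (callFromGremlin()) {
            throw newSecurityException("Not allowed to print job via Gremlin");
        }
        super.checkPrintJobAccess();
    }

    /** Refuses system clipboard access from scripts. */
    @Override
    public void checkSystemClipboardAccess() {
        if (callFromGremlin()) {
            throw newSecurityException("Not allowed to access system clipboard via Gremlin");
        }
        super.checkSystemClipboardAccess();
    }

    // The overrides below add no Gremlin-specific rule; they only delegate to
    // the superclass implementation.

    @Override
    public void checkPackageAccess(String pkg) {
        super.checkPackageAccess(pkg);
    }

    @Override
    public void checkPackageDefinition(String pkg) {
        super.checkPackageDefinition(pkg);
    }

    @Override
    public void checkSecurityAccess(String target) {
        super.checkSecurityAccess(target);
    }

    @Override
    public void checkMemberAccess(Class<?> clazz, int which) {
        super.checkMemberAccess(clazz, which);
    }

    @Override
    public boolean checkTopLevelWindow(Object window) {
        return super.checkTopLevelWindow(window);
    }

    @Override
    public void checkAwtEventQueueAccess() {
        super.checkAwtEventQueueAccess();
    }

    /**
     * Builds the exception for a refused operation and logs it at WARN level.
     *
     * <p>The formatted message can contain a script-supplied file path or
     * property key, so the log sink should treat it as untrusted text.
     *
     * @param message message or {@link String#format} pattern
     * @param args    format arguments; when empty the message is used verbatim
     * @return the exception for the caller to throw
     */
    private static SecurityException newSecurityException(String message, Object... args) {
        if (args.length > 0) {
            message = String.format(message, args);
        }
        Log.logger(HugeSecurityManager.class).warn("SecurityException: {}", message);
        return new SecurityException(message);
    }

    /**
     * Tells whether {@code file} is a {@code .class} or {@code .groovy} file
     * located under the working directory (or under the IDE project root).
     *
     * <p>The containment test is done on normalized paths, component by
     * component. A raw string prefix test would also accept sibling
     * directories that merely share the prefix and paths that leave the
     * directory through {@code ..} segments. Normalization is lexical only:
     * symbolic links are not resolved, and relative paths are never accepted.
     *
     * @param file path handed to {@link #checkRead(String)}; may be null
     * @return true only for an allowed script/class file inside the directory
     */
    private static boolean readGroovyInCurrentDir(String file) {
        if (file == null) {
            return false;
        }
        if (!file.endsWith(".class") && !file.endsWith(".groovy")) {
            return false;
        }
        Path path;
        try {
            path = Paths.get(file).normalize();
        } catch (InvalidPathException e) {
            // A path the platform cannot even parse is never an allowed script.
            return false;
        }
        return (USER_DIR_PATH != null && path.startsWith(USER_DIR_PATH))
                || (USER_DIR_IDE_PATH != null && path.startsWith(USER_DIR_IDE_PATH));
    }

    /**
     * Derives the IDE project root from the working directory.
     *
     * @return the working directory without its trailing
     *         {@code <separator>hugegraph-dist}, or null when the working
     *         directory is unknown, does not end with {@code hugegraph-dist},
     *         or nothing would remain (an empty prefix would match every path)
     */
    private static String ideRootOf(String userDir) {
        if (userDir == null || !userDir.endsWith(DIST_MODULE)) {
            return null;
        }
        // Also drop the separator character in front of the module name.
        int end = userDir.length() - DIST_MODULE.length() - 1;
        return end > 0 ? userDir.substring(0, end) : null;
    }

    /** Returns the normalized path for {@code dir}, or null if it is null or unparsable. */
    private static Path normalizedOrNull(String dir) {
        if (dir == null) {
            return null;
        }
        try {
            return Paths.get(dir).normalize();
        } catch (InvalidPathException e) {
            return null;
        }
    }

    /** Shared rule for both {@code checkAccess} overloads; evaluation order matches the original checks. */
    private static boolean threadAccessDeniedForGremlin() {
        return callFromGremlin() && !callFromCaffeine() && !callFromAsyncTasks()
                && !callFromEventHubNotify() && !callFromBackendThread()
                && !callFromBackendHbase() && !callFromRaft();
    }

    private static boolean callFromGremlin() {
        return callFromWorkerWithClass(GREMLIN_EXECUTOR_CLASS);
    }

    private static boolean callFromAcceptClassLoaders() {
        return callFromWorkerWithClass(ACCEPT_CLASS_LOADERS);
    }

    private static boolean callFromCaffeine() {
        return callFromWorkerWithClass(CAFFEINE_CLASSES);
    }

    private static boolean callFromBackendSocket() {
        return callFromMethods(BACKEND_SOCKET);
    }

    private static boolean callFromBackendThread() {
        return callFromMethods(BACKEND_THREAD);
    }

    private static boolean callFromEventHubNotify() {
        return callFromMethod("com.baidu.hugegraph.event.EventHub", "notify");
    }

    private static boolean callFromAsyncTasks() {
        return callFromMethods(ASYNC_TASKS);
    }

    private static boolean callFromBackendHbase() {
        return callFromWorkerWithClass(HBASE_CLASSES);
    }

    private static boolean callFromRaft() {
        return callFromWorkerWithClass(RAFT_CLASSES);
    }

    /**
     * Tells whether the current thread is a Gremlin/task worker (by name
     * prefix) with at least one frame from {@code classes} on its stack.
     *
     * <p>Matching is by class name only and at any stack depth; it does not
     * establish which frame actually requested the checked operation.
     */
    private static boolean callFromWorkerWithClass(Set<String> classes) {
        Thread current = Thread.currentThread();
        String threadName = current.getName();
        if (!threadName.startsWith(GREMLIN_SERVER_WORKER) && !threadName.startsWith(TASK_WORKER)) {
            return false;
        }
        for (StackTraceElement frame : current.getStackTrace()) {
            if (classes.contains(frame.getClassName())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Tells whether any frame on the current stack matches one of the
     * class/method pairs in {@code methods}. Unlike
     * {@link #callFromWorkerWithClass(Set)}, the thread name is not consulted.
     */
    private static boolean callFromMethods(Map<String, Set<String>> methods) {
        for (StackTraceElement frame : Thread.currentThread().getStackTrace()) {
            Set<String> names = methods.get(frame.getClassName());
            if (names != null && names.contains(frame.getMethodName())) {
                return true;
            }
        }
        return false;
    }

    /** Tells whether any frame on the current stack is {@code className.methodName}. */
    private static boolean callFromMethod(String className, String methodName) {
        for (StackTraceElement frame : Thread.currentThread().getStackTrace()) {
            if (className.equals(frame.getClassName()) && methodName.equals(frame.getMethodName())) {
                return true;
            }
        }
        return false;
    }
}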
