package com.adobe.cq.deserfw.impl;

import com.adobe.cq.deserfw.api.AttachAPIResolver;
import com.adobe.cq.deserfw.impl.intapi.DeserializationFirewallStatus;
import com.adobe.cq.deserfw.impl.util.AgentJarResolver;
import com.adobe.cq.sercheck.util.CannedObject;
import com.adobe.cq.sercheck.util.DeserializationTester;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.OutputStream;
import java.io.PrintWriter;
import java.lang.management.ManagementFactory;
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.annotation.Nullable;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.ReferencePolicy;
import org.apache.felix.scr.annotations.Service;
import org.apache.sling.commons.osgi.PropertiesUtil;
import org.apache.sling.hc.util.FormattingResultLog;
import org.apache.sling.settings.SlingSettingsService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Service({DeserializationFirewallStatus.class})
@Component(immediate = true, metatype = true, label = "Deserialization Firewall Configuration")
@Reference(name = "attachApiResolver", referenceInterface = AttachAPIResolver.class, cardinality = ReferenceCardinality.OPTIONAL_MULTIPLE, policy = ReferencePolicy.DYNAMIC)
/* loaded from: input_file:com/adobe/cq/deserfw/impl/DeserializationFirewallImpl.class */
public class DeserializationFirewallImpl implements DeserializationFirewallStatus {
    private static final String CLASS_ORG_KANTEGA_NOTSOSERIAL_NOT_SO_SERIAL_AGENT = "org.kantega.notsoserial.NotSoSerialAgent";
    private static final String METHOD_IS_LOADED = "isLoaded";
    private static final String CLASS_ORG_KANTEGA_NOTSOSERIAL_OPTIONS = "org.kantega.notsoserial.Options";
    private static final String METHOD_SET_WHITE_LIST = "setWhiteList";
    private static final String METHOD_SET_BLACK_LIST = "setBlackList";
    private static final String METHOD_GET_NOT_SO_SERIAL = "getNotSoSerial";
    private static final String METHOD_GET_INSTANCE = "getInstance";
    private static final String METHOD_SET_DETAIL_WRITER = "setDetailWriter";
    private static final String METHOD_SET_TRACE_WRITER = "setTraceWriter";
    public static final String DYNAMIC_LOADING_FAILED_INFO = "This usually happens when running a JRE (instead of a JDK) or a JVM that doesn't provide the Attach API. Please review the AEM Java Deserialization Firewall documentation for how to load the deserialization agent via JVM command line arguments.";

    @Property(label = "Whitelisted classes or package prefixes", value = {"[", "com.adobe.", "com.day.", "com.google.api.client.auth.oauth2.", "com.scene7.", "java.", "javax.", "oracle.sql.", "org.apache.http.auth", "org.apache.http.impl.auth", "org.apache.jackrabbit.", "org.apache.sling.", "sun.util.calendar.ZoneInfo"}, cardinality = Integer.MAX_VALUE, description = "List of whitelisted classes/package prefixes, or a single empty entry for blacklist only checking")
    public static final String WHITELIST = "firewall.deserialization.whitelist";

    @Property(label = "Blacklisted classes or package prefixes", value = {"org.apache.commons.collections.functors.InvokerTransformer", "org.apache.commons.collections4.functors.InvokerTransformer", "org.apache.commons.collections.functors.InstantiateTransformer", "org.apache.commons.collections4.functors.InstantiateTransformer", "org.apache.xalan.internal.xsltc.trax.TemplatesImpl", "org.codehaus.groovy.runtime.ConvertedClosure", "org.codehaus.groovy.runtime.MethodClosure", "org.springframework.beans.factory.ObjectFactory", "org.springframework.core.SerializableTypeWrapper$MethodInvokeTypeProvider", "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"}, cardinality = Integer.MAX_VALUE, description = "List of blacklisted classes/prefixes")
    public static final String BLACKLIST = "firewall.deserialization.blacklist";
    public static final String CLASS_NAME_ONLY = "class-name-only";
    public static final String FULL_STACK = "full-stack";
    public static final String NONE = "none";

    @Property(label = "Diagnostic logging", value = {CLASS_NAME_ONLY}, description = "Level of diagnostic information to be added to logging. Options are none, class-name-only, or full-stack")
    public static final String DIAGNOSTICS = "firewall.deserialization.diagnostics";
    private String agentFolderRelativePath = "opt/notsoserial";
    private File agentJarFolder = null;
    private List<AttachAPIResolver> apiResolvers = Collections.synchronizedList(new ArrayList());
    private Class<?> vmClass = null;
    private Object jvm;

    @Reference
    private SlingSettingsService slingSettingsService;
    static final String[] WHITELIST_DEFAULT = {"[", "com.adobe.", "com.day.", "com.google.api.client.auth.oauth2.", "com.scene7.", "java.", "javax.", "oracle.sql.", "org.apache.http.auth", "org.apache.http.impl.auth", "org.apache.jackrabbit.", "org.apache.sling.", "sun.util.calendar.ZoneInfo"};
    static final String[] BLACKLIST_DEFAULT = {"org.apache.commons.collections.functors.InvokerTransformer", "org.apache.commons.collections4.functors.InvokerTransformer", "org.apache.commons.collections.functors.InstantiateTransformer", "org.apache.commons.collections4.functors.InstantiateTransformer", "org.apache.xalan.internal.xsltc.trax.TemplatesImpl", "org.codehaus.groovy.runtime.ConvertedClosure", "org.codehaus.groovy.runtime.MethodClosure", "org.springframework.beans.factory.ObjectFactory", "org.springframework.core.SerializableTypeWrapper$MethodInvokeTypeProvider", "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"};
    private static final Logger log = LoggerFactory.getLogger(DeserializationFirewallImpl.class);

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/adobe/cq/deserfw/impl/DeserializationFirewallImpl$LoadingException.class */
    public class LoadingException extends Exception {
        LoadingException(String str) {
            super(str);
        }

        LoadingException(String str, Throwable th) {
            super(str, th);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/adobe/cq/deserfw/impl/DeserializationFirewallImpl$LoggingWriter.class */
    public static class LoggingWriter extends PrintWriter {
        public LoggingWriter() {
            super((OutputStream) System.out, true);
        }

        @Override // java.io.PrintWriter
        public void println(String str) {
            if (str.contains(getClass().getName())) {
                DeserializationFirewallImpl.log.info(str);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/adobe/cq/deserfw/impl/DeserializationFirewallImpl$PrivilegedResolver.class */
    public static final class PrivilegedResolver implements PrivilegedExceptionAction<Class<?>> {
        final AttachAPIResolver resolver;

        PrivilegedResolver(AttachAPIResolver attachAPIResolver) {
            this.resolver = attachAPIResolver;
        }

        /* JADX WARN: Can't rename method to resolve collision */
        @Override // java.security.PrivilegedExceptionAction
        public Class<?> run() {
            return this.resolver.getAttachAPIClass();
        }
    }

    void setAgentFolderRelativePath(String str) {
        this.agentFolderRelativePath = str;
    }

    public void bindAttachAPIResolver(AttachAPIResolver attachAPIResolver) {
        this.apiResolvers.add(attachAPIResolver);
    }

    public void unbindAttachAPIResolver(AttachAPIResolver attachAPIResolver) {
        this.apiResolvers.remove(attachAPIResolver);
    }

    private Set<String> getConfiguredList(Map<String, Object> map, String str, String[] strArr) {
        HashSet hashSet = new HashSet();
        String[] stringArray = PropertiesUtil.toStringArray(map.get(str), strArr);
        if (stringArray == null) {
            return hashSet;
        }
        for (String str2 : stringArray) {
            if (str2 != null && str2.trim().length() != 0) {
                hashSet.add(str2.trim());
            }
        }
        return hashSet;
    }

    @Activate
    public void setup(Map<String, Object> map) {
        this.agentJarFolder = new File(this.slingSettingsService.getSlingHomePath(), this.agentFolderRelativePath);
        Set<String> configuredList = getConfiguredList(map, BLACKLIST, BLACKLIST_DEFAULT);
        Set<String> configuredList2 = getConfiguredList(map, WHITELIST, WHITELIST_DEFAULT);
        String propertiesUtil = PropertiesUtil.toString(map.get(DIAGNOSTICS), CLASS_NAME_ONLY);
        boolean isFirewallLoaded = isFirewallLoaded(null);
        if (isFirewallLoaded) {
            log.info("Java Deserialization Agent detected as preloaded.");
        } else if (!dynamicallyLoadAgent()) {
            return;
        }
        configureAgent(configuredList, configuredList2, propertiesUtil);
        if (!isFirewallFunctional(null)) {
            log.warn("Agent not detected as loaded after applying configuration. Your system may be in an unsecure state.");
        }
        if (isFirewallLoaded) {
            return;
        }
        log.info("Java Deserialization Agent dynamically loaded.");
    }

    private void configureAgent(Set<String> set, Set<String> set2, String str) {
        if (!isFirewallLoaded(null)) {
            log.warn("configureAgent called while agent was not noted as loaded");
        }
        try {
            if (this.vmClass == null || !this.vmClass.getName().equals("java.io.ObjectInputFilter")) {
                Class<?> loadClass = ClassLoader.getSystemClassLoader().loadClass(CLASS_ORG_KANTEGA_NOTSOSERIAL_OPTIONS);
                Object invoke = loadClass.getMethod(METHOD_GET_NOT_SO_SERIAL, new Class[0]).invoke(loadClass.getMethod(METHOD_GET_INSTANCE, new Class[0]).invoke(null, new Object[0]), new Object[0]);
                Class<?> cls = invoke.getClass();
                cls.getMethod(METHOD_SET_BLACK_LIST, Set.class).invoke(invoke, set);
                cls.getMethod(METHOD_SET_WHITE_LIST, Set.class).invoke(invoke, set2);
                if (FULL_STACK.equals(str)) {
                    cls.getMethod(METHOD_SET_TRACE_WRITER, PrintWriter.class).invoke(invoke, new LoggingWriter());
                    cls.getMethod(METHOD_SET_DETAIL_WRITER, PrintWriter.class).invoke(invoke, (LoggingWriter) null);
                } else if (CLASS_NAME_ONLY.equals(str)) {
                    cls.getMethod(METHOD_SET_TRACE_WRITER, PrintWriter.class).invoke(invoke, (LoggingWriter) null);
                    cls.getMethod(METHOD_SET_DETAIL_WRITER, PrintWriter.class).invoke(invoke, new LoggingWriter());
                } else {
                    cls.getMethod(METHOD_SET_TRACE_WRITER, PrintWriter.class).invoke(invoke, (LoggingWriter) null);
                    cls.getMethod(METHOD_SET_DETAIL_WRITER, PrintWriter.class).invoke(invoke, (LoggingWriter) null);
                }
            } else {
                FirewallSerialFilter.configureFilter(set, set2);
            }
        } catch (Exception e) {
            log.warn("Unable to configure agent. Agent may remain in it's default configuration. See nested exception", e);
        }
        if (isFirewallFunctional(null)) {
            return;
        }
        log.warn("Agent not detected as loaded after applying configuration. Your system may be in an unsecure state.");
    }

    private File getAgentJarFile() throws LoadingException {
        try {
            return new File(AgentJarResolver.getAgentPath(this.agentJarFolder));
        } catch (IOException e) {
            throw new LoadingException("Exception loading agent jar from " + this.agentJarFolder.getAbsolutePath(), e);
        }
    }

    private boolean dynamicallyLoadAgent() {
        try {
            try {
                String name = ManagementFactory.getRuntimeMXBean().getName();
                if (name.indexOf("@") < 1) {
                    throw new LoadingException("PID not in the expected format {PID}@ in " + name);
                }
                String substring = name.substring(0, name.indexOf("@"));
                configureVMClass();
                if (this.vmClass == null) {
                    throw new LoadingException("Unable to load Attach API");
                }
                if (this.vmClass.getName().equals("java.io.ObjectInputFilter")) {
                    return true;
                }
                try {
                    Method method = this.vmClass.getMethod("attach", String.class);
                    try {
                        Method method2 = this.vmClass.getMethod("loadAgent", String.class);
                        File agentJarFile = getAgentJarFile();
                        if (agentJarFile == null) {
                            throw new LoadingException("Deserialization Agent jar not found under " + this.agentJarFolder.getAbsolutePath());
                        }
                        log.info("Selected agent jar file {}", agentJarFile.getAbsolutePath());
                        this.jvm = method.invoke(null, substring);
                        if (this.jvm == null) {
                            throw new LoadingException("Unable to obtain JVM from attach method");
                        }
                        method2.invoke(this.jvm, agentJarFile.getAbsolutePath());
                        if (isFirewallLoaded(null)) {
                            return true;
                        }
                        throw new LoadingException("Agent not detected as loaded using sample test cases");
                    } catch (NoSuchMethodException e) {
                        throw new LoadingException("Unable to get loadAgent method from Attach API class " + this.vmClass.getCanonicalName());
                    }
                } catch (NoSuchMethodException e2) {
                    throw new LoadingException("Unable to get attach method from Attach API class " + this.vmClass.getCanonicalName());
                }
            } catch (Throwable th) {
                if (th instanceof LoadingException) {
                    throw ((LoadingException) th);
                }
                log.error("Unexpected error loading deserialization agent. See nested exception.", th);
                throw new LoadingException("Unexpected error loading agent");
            }
        } catch (LoadingException e3) {
            log.error(e3.getMessage() + ". Unable to dynamically load deserialization protection agent. " + DYNAMIC_LOADING_FAILED_INFO);
            return false;
        }
    }

    @Override // com.adobe.cq.deserfw.impl.intapi.DeserializationFirewallStatus
    public boolean isFirewallLoaded(@Nullable FormattingResultLog formattingResultLog) {
        try {
            if (this.vmClass != null && this.vmClass.getName().equals("java.io.ObjectInputFilter")) {
                return true;
            }
            Class<?> loadClass = ClassLoader.getSystemClassLoader().loadClass(CLASS_ORG_KANTEGA_NOTSOSERIAL_NOT_SO_SERIAL_AGENT);
            if (loadClass == null) {
                return false;
            }
            try {
                Object invoke = loadClass.getMethod(METHOD_IS_LOADED, new Class[0]).invoke(null, new Object[0]);
                if (invoke == null || !(invoke instanceof Boolean)) {
                    return false;
                }
                return ((Boolean) invoke).booleanValue();
            } catch (NoSuchMethodException e) {
                log.error("Unable to load method {} of class {}", METHOD_IS_LOADED, loadClass.getName());
                if (formattingResultLog == null) {
                    return false;
                }
                formattingResultLog.healthCheckError("Unable to load method {} of class {}", new Object[]{METHOD_IS_LOADED, loadClass.getName()});
                return false;
            }
        } catch (ClassNotFoundException e2) {
            return false;
        } catch (Throwable th) {
            if (formattingResultLog != null) {
                formattingResultLog.healthCheckError("An unexpected problem was raised while testing to see if the agent was loaded", new Object[]{th});
            }
            log.error("An unexpected problem was raised while testing to see if the agent was loaded", th);
            return false;
        }
    }

    @Override // com.adobe.cq.deserfw.impl.intapi.DeserializationFirewallStatus
    public boolean isFirewallFunctional(@Nullable FormattingResultLog formattingResultLog) {
        try {
            for (CannedObject cannedObject : CannedObject.TEST_CASES) {
                ObjectInputStream objectInputStream = new ObjectInputStream(new ByteArrayInputStream(cannedObject.data));
                try {
                    try {
                        new DeserializationTester().readObjectFrom(objectInputStream);
                        if (cannedObject.deserializationShouldFail) {
                            if (formattingResultLog != null) {
                                formattingResultLog.healthCheckError("Deserialization of {} should have failed, however it was successful", new Object[]{cannedObject.className});
                            }
                            return false;
                        }
                        objectInputStream.close();
                    } finally {
                        objectInputStream.close();
                    }
                } catch (Exception e) {
                    if (cannedObject.deserializationShouldFail && (UnsupportedOperationException.class.getName().equals(e.getClass().getName()) || (this.vmClass != null && this.vmClass.getName().equals("java.io.ObjectInputFilter")))) {
                        objectInputStream.close();
                        return true;
                    }
                    if (!(e instanceof ClassNotFoundException)) {
                        throw e;
                    }
                    if (formattingResultLog != null) {
                        formattingResultLog.healthCheckError("Deserialization of {} should have failed, however it was successful", new Object[]{cannedObject.className});
                    }
                    objectInputStream.close();
                    return false;
                }
            }
            return false;
        } catch (Exception e2) {
            log.warn("Unexpected exception while testing agent capabilities", e2);
            if (formattingResultLog == null) {
                return false;
            }
            formattingResultLog.healthCheckError("Unexpected exception while testing agent capabilities", new Object[]{e2});
            return false;
        }
    }

    @Override // com.adobe.cq.deserfw.impl.intapi.DeserializationFirewallStatus
    public boolean isVMClassReady(@Nullable FormattingResultLog formattingResultLog) {
        if (this.vmClass != null) {
            formattingResultLog.info("VM Class {} is prepared", new Object[]{this.vmClass.getName()});
            return true;
        }
        if (isFirewallLoaded(formattingResultLog)) {
            formattingResultLog.info("Agent preloaded. VM Class not required", new Object[0]);
            return true;
        }
        if (formattingResultLog == null) {
            return false;
        }
        StringBuilder sb = new StringBuilder("{");
        for (int i = 0; i < this.apiResolvers.size(); i++) {
            sb.append(this.apiResolvers.get(i).getClass().getName());
            if (i + 1 < this.apiResolvers.size()) {
                sb.append(",");
            }
        }
        sb.append("}");
        formattingResultLog.healthCheckError("VM Class could not be found using resolvers: {}", new Object[]{sb.toString()});
        return false;
    }

    private void configureVMClass() {
        if (this.vmClass != null) {
            return;
        }
        if (this.apiResolvers.isEmpty()) {
            log.error("No AttachAPIResolver services found, cannot attach the agent");
            return;
        }
        for (AttachAPIResolver attachAPIResolver : this.apiResolvers) {
            try {
                log.debug("Trying AttachAPIResolver: {}", attachAPIResolver);
                this.vmClass = (Class) AccessController.doPrivileged(new PrivilegedResolver(attachAPIResolver));
            } catch (PrivilegedActionException e) {
                log.warn("Unexpected exception during doPrivileged", e);
            }
            if (this.vmClass != null) {
                log.info("Using {} provided by {}", this.vmClass, attachAPIResolver);
                return;
            }
        }
    }

    @Deactivate
    public void teardown() {
        if (this.jvm != null) {
            try {
                if (this.vmClass != null) {
                    try {
                        this.vmClass.getMethod("detach", new Class[0]).invoke(this.jvm, new Object[0]);
                        this.jvm = null;
                        this.vmClass = null;
                    } catch (NoSuchMethodException e) {
                        log.warn("Unable to get detach method, Deserialization Firewall not unloaded");
                        return;
                    }
                }
            } catch (Exception e2) {
                log.warn("Unable to detatch JVM, Deserialization Firewall not unloaded", e2);
                return;
            }
        }
        if (this.vmClass != null && this.vmClass.getName().equals("java.io.ObjectInputFilter")) {
            FirewallSerialFilter.unsetFilter();
        }
        this.jvm = null;
        this.vmClass = null;
    }

    protected void bindSlingSettingsService(SlingSettingsService slingSettingsService) {
        this.slingSettingsService = slingSettingsService;
    }

    protected void unbindSlingSettingsService(SlingSettingsService slingSettingsService) {
        if (this.slingSettingsService == slingSettingsService) {
            this.slingSettingsService = null;
        }
    }
}
