package cn.com.duibaboot.ext.autoconfigure.security;

import java.io.FileDescriptor;
import java.net.InetAddress;
import java.security.AccessControlException;
import java.security.Permission;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.annotation.PostConstruct;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.ApplicationListener;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.event.ContextRefreshedEvent;
import org.springframework.core.Ordered;

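/**
 * Installs a JVM-wide {@link SecurityManager} whose purpose is to stop the application from
 * spawning arbitrary child processes and from tampering with the manager itself.
 *
 * <p>What is enforced:
 * <ul>
 *   <li>{@code checkExec}: only commands whose string is in the allow-list may be executed;</li>
 *   <li>{@code checkMemberAccess}: reflective member access to the process-launching classes is
 *       rejected;</li>
 *   <li>{@code checkPermission}: {@link RuntimePermission}s named in {@link #forbiddenPermNames}
 *       are rejected.</li>
 * </ul>
 * Every other check is deliberately left open, so this is not a general sandbox.
 *
 * <p>Enabled unless {@code duiba.securitymanager.enable} is set to something other than
 * {@code true}.
 *
 * <p>NOTE(review): {@code SecurityManager} is deprecated for removal since Java 17 and recent
 * JDKs refuse {@code System.setSecurityManager} unless it is explicitly allowed on the command
 * line; confirm the target runtime before relying on this control.
 */
@EnableConfigurationProperties({SecurityProperties.class})
@Configuration
@ConditionalOnProperty(name = {"duiba.securitymanager.enable"}, havingValue = "true", matchIfMissing = true)
public class SecurityManagerAutoConfiguration {
    private static final Logger logger = LoggerFactory.getLogger(SecurityManagerAutoConfiguration.class);

    /** Names of {@link RuntimePermission}s that the installed manager refuses; filled by the static initialiser. */
    static Set<String> forbiddenPermNames = new HashSet<>(10);

    @Autowired
    private SecurityProperties securityProperties;

    /** Exact command strings that {@code checkExec} lets through; populated in {@link #init()}. */
    private Set<String> whiteShells = new HashSet<>();

    /**
     * Installs the security manager on the first {@link ContextRefreshedEvent}, provided no other
     * manager is already present.
     */
    class DuibaSecurityManagerConfiguarApplicationListener implements ApplicationListener<ContextRefreshedEvent>, Ordered {
        /** True until the first refresh event has been handled. */
        private boolean flag = true;

        DuibaSecurityManagerConfiguarApplicationListener() {
        }

        /**
         * Tells whether a command may be executed.
         *
         * @param str the command string exactly as handed to {@code checkExec}
         * @return {@code true} if the string is an allow-list entry (exact, case-sensitive match)
         */
        public boolean isInWhiteShellList(String str) {
            return SecurityManagerAutoConfiguration.this.whiteShells.contains(str);
        }

        @Override
        public void onApplicationEvent(ContextRefreshedEvent contextRefreshedEvent) {
            if (this.flag) {
                // An already installed manager is left untouched.
                if (System.getSecurityManager() == null) {
                    System.setSecurityManager(new SecurityManager() {
                        /**
                         * Rejects every command that is not on the allow-list.
                         *
                         * <p>The denial is raised here rather than through
                         * {@code super.checkExec}: the parent implementation only forwards to
                         * {@code checkPermission} with a file permission, and this manager does
                         * not restrict file permissions, so delegating would never block anything.
                         */
                        @Override // java.lang.SecurityManager
                        public void checkExec(String str) {
                            if (DuibaSecurityManagerConfiguarApplicationListener.this.isInWhiteShellList(str)) {
                                return;
                            }
                            // Logged before throwing so that blocked attempts are visible to operators
                            // even when the caller swallows the exception.
                            SecurityManagerAutoConfiguration.logger.warn("some one try to execute shell:`{}`, block it", str);
                            throw new AccessControlException("not allowed to execute command:" + str);
                        }

                        // ---- checks below are intentionally left open (no restriction) ----

                        @Override // java.lang.SecurityManager
                        public void checkCreateClassLoader() {
                        }

                        @Override // java.lang.SecurityManager
                        public void checkRead(String str) {
                        }

                        @Override // java.lang.SecurityManager
                        public void checkRead(String str, Object obj) {
                        }

                        @Override // java.lang.SecurityManager
                        public void checkWrite(String str) {
                        }

                        @Override // java.lang.SecurityManager
                        public void checkDelete(String str) {
                        }

                        @Override // java.lang.SecurityManager
                        public void checkPackageAccess(String str) {
                        }

                        @Override // java.lang.SecurityManager
                        public void checkAccess(Thread thread) {
                        }

                        @Override // java.lang.SecurityManager
                        public void checkAccess(ThreadGroup threadGroup) {
                        }

                        /**
                         * Rejects reflective member access to the classes that launch processes,
                         * so the {@code checkExec} gate cannot be side-stepped through reflection.
                         *
                         * <p>NOTE(review): this hook is deprecated since Java 8; verify that the
                         * target JDK still invokes it.
                         */
                        @Override // java.lang.SecurityManager
                        public void checkMemberAccess(Class<?> cls, int i) {
                            String name = cls.getName();
                            if (name.equals("java.lang.ProcessImpl") || name.equals("java.lang.UNIXProcess") || name.equals("java.lang.ProcessBuilder")) {
                                throw new AccessControlException("not allowed to reflect access class:" + name);
                            }
                        }

                        /** Rejects the runtime permissions listed in {@code forbiddenPermNames}; allows everything else. */
                        @Override // java.lang.SecurityManager
                        public void checkPermission(Permission permission) {
                            SecurityManagerAutoConfiguration.rejectForbidden(permission);
                        }

                        /** Same rule as the single-argument variant; the context object is not consulted. */
                        @Override // java.lang.SecurityManager
                        public void checkPermission(Permission permission, Object obj) {
                            SecurityManagerAutoConfiguration.rejectForbidden(permission);
                        }

                        @Override // java.lang.SecurityManager
                        public void checkExit(int i) {
                        }

                        @Override // java.lang.SecurityManager
                        public void checkLink(String str) {
                        }

                        @Override // java.lang.SecurityManager
                        public void checkRead(FileDescriptor fileDescriptor) {
                        }

                        @Override // java.lang.SecurityManager
                        public void checkWrite(FileDescriptor fileDescriptor) {
                        }

                        @Override // java.lang.SecurityManager
                        public void checkConnect(String str, int i) {
                        }

                        @Override // java.lang.SecurityManager
                        public void checkConnect(String str, int i, Object obj) {
                        }

                        @Override // java.lang.SecurityManager
                        public void checkListen(int i) {
                        }

                        @Override // java.lang.SecurityManager
                        public void checkAccept(String str, int i) {
                        }

                        @Override // java.lang.SecurityManager
                        public void checkMulticast(InetAddress inetAddress) {
                        }

                        @Override // java.lang.SecurityManager
                        public void checkMulticast(InetAddress inetAddress, byte b) {
                        }

                        @Override // java.lang.SecurityManager
                        public void checkPropertiesAccess() {
                        }

                        @Override // java.lang.SecurityManager
                        public void checkPropertyAccess(String str) {
                        }

                        @Override // java.lang.SecurityManager
                        public void checkPackageDefinition(String str) {
                        }

                        @Override // java.lang.SecurityManager
                        public void checkSetFactory() {
                        }

                        @Override // java.lang.SecurityManager
                        public void checkSecurityAccess(String str) {
                        }
                    });
                }
                this.flag = false;
            }
        }

        @Override
        public int getOrder() {
            return -10;
        }
    }

    /**
     * Builds the exec allow-list: the built-in {@code id} entries plus the comma-separated values
     * of {@code duiba.securitymanager.whiteShellList}. Entries are trimmed; entries that name a
     * shell or process primitive are logged and dropped.
     */
    @PostConstruct
    public void init() {
        // NOTE(review): the bare "id" entry matches by command string only; which binary then
        // runs depends on the process PATH. Absolute paths are the safer allow-list form.
        this.whiteShells.addAll(Arrays.asList("/usr/bin/id", "/bin/id", "id", "/usr/xpg4/bin/id"));
        String[] forbiddenNames = {"sh", "bash", "source", "exec", "fork"};
        String[] configured = StringUtils.split(this.securityProperties.getWhiteShellList(), ',');
        if (configured == null) {
            return;
        }
        for (String raw : configured) {
            // "a, b" style lists would otherwise yield " b", which can never equal a real command.
            String entry = raw.trim();
            if (entry.isEmpty()) {
                continue;
            }
            if (isForbiddenShell(entry, forbiddenNames)) {
                logger.warn("你设置的shell白名单(duiba.securitymanager.whiteShellList)中包含过于危险的shell：`{}`, 已排除.", entry);
            } else {
                this.whiteShells.add(entry);
            }
        }
    }

    /**
     * Tells whether an allow-list candidate names one of the forbidden programs.
     *
     * <p>The comparison is made on the last path segment, ignoring case and surrounding
     * whitespace, so that {@code /bin/bash} is refused just like {@code bash}.
     *
     * @param str    candidate allow-list entry
     * @param strArr forbidden program names
     * @return {@code true} if the candidate must not be allow-listed
     */
    private boolean isForbiddenShell(String str, String[] strArr) {
        String candidate = str.trim();
        int lastSeparator = Math.max(candidate.lastIndexOf('/'), candidate.lastIndexOf('\\'));
        String baseName = candidate.substring(lastSeparator + 1);
        for (String forbidden : strArr) {
            if (forbidden.equalsIgnoreCase(baseName)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Throws if the permission is a {@link RuntimePermission} whose name is in
     * {@link #forbiddenPermNames}. Without this, any code could replace or remove the installed
     * manager through {@code System.setSecurityManager}.
     *
     * @param permission the permission being checked
     * @throws AccessControlException if the permission is forbidden
     */
    private static void rejectForbidden(Permission permission) {
        if (permission instanceof RuntimePermission && forbiddenPermNames.contains(permission.getName())) {
            throw new AccessControlException("not allowed runtime permission:" + permission.getName(), permission);
        }
    }

    /**
     * @param strArr fully qualified class names to probe
     * @return {@code true} if none of the classes can be loaded
     */
    private static boolean conditionalOnMissingClass(String... strArr) {
        for (String className : strArr) {
            try {
                Class.forName(className);
                return false;
            } catch (ClassNotFoundException ignored) {
                // Not on the classpath; keep probing the remaining names.
            }
        }
        return true;
    }

    @Bean
    public DuibaSecurityManagerConfiguarApplicationListener duibaSecurityManagerConfiguarApplicationListener() {
        return new DuibaSecurityManagerConfiguarApplicationListener();
    }

    static {
        forbiddenPermNames.add("queuePrintJob");
        // A test framework on the classpath is treated as "test mode": setIO and
        // setSecurityManager stay allowed. A production jar that ships junit/testng therefore
        // runs with the weaker policy, which is what the warning below tells the operator.
        if (!conditionalOnMissingClass("org.junit.Test", "org.testng.annotations.Test")) {
            logger.warn("侦测到在测试模式, SecurityManager允许权限:[setIO/setSecurityManager],如果使用java -jar运行时（非测试模式）看到这条日志，请确保把junit/testng/spring-test等测试框架设置为testCompile依赖模式（即打的jar包中不要包含junit/testng的jar包）");
        } else {
            forbiddenPermNames.add("setIO");
            forbiddenPermNames.add("setSecurityManager");
        }
    }
}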
