package org.geoserver.security.impl;

import java.io.File;
import java.io.Serializable;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.file.InvalidPathException;
import java.nio.file.Paths;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.commons.lang3.StringUtils;
import org.geoserver.catalog.Catalog;
import org.geoserver.catalog.CatalogException;
import org.geoserver.catalog.CatalogInfo;
import org.geoserver.catalog.CoverageStoreInfo;
import org.geoserver.catalog.DataStoreInfo;
import org.geoserver.catalog.HTTPStoreInfo;
import org.geoserver.catalog.ResourcePool;
import org.geoserver.catalog.StoreInfo;
import org.geoserver.catalog.event.AbstractCatalogListener;
import org.geoserver.catalog.event.CatalogBeforeAddEvent;
import org.geoserver.catalog.event.CatalogModifyEvent;
import org.geoserver.security.FileAccessManager;
import org.geotools.api.data.DataAccessFactory;
import org.geotools.util.URLs;
import org.geotools.util.factory.Hints;
import org.geotools.util.logging.Logging;

/* loaded from: input_file:org/geoserver/security/impl/FileSandboxEnforcer.class */
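/**
 * Catalog listener that checks the file locations referenced by a store against the configured
 * {@link FileAccessManager} before the store is added or modified.
 *
 * <p>Scope of the check, as implemented here:
 *
 * <ul>
 *   <li>Only {@link StoreInfo} sources of pre-add and modify events are examined; every other
 *       catalog object is ignored.
 *   <li>Data stores: every factory parameter typed as {@link File}, and every {@link URL} parameter
 *       whose protocol is {@code file} (or absent), is checked.
 *   <li>Coverage stores and HTTP stores: the store URL is checked only when it resolves to a local
 *       file. Remote URLs are not validated here.
 *   <li>Values that cannot be parsed as a URI, path or URL are skipped and only logged at
 *       {@code FINE}/{@code FINEST}. Raise the level of this class's logger when auditing which
 *       locations bypass validation.
 * </ul>
 *
 * <p>A denied location is reported by throwing {@link SandboxException}; presumably the catalog
 * aborts the add/modify operation when a listener throws a {@link CatalogException} (confirm
 * against the catalog's event dispatch).
 */
public class FileSandboxEnforcer extends AbstractCatalogListener {
    private static final Logger LOGGER = Logging.getLogger(FileSandboxEnforcer.class);
    private final ResourcePool resourcePool;
    private final FileAccessManager fileAccessManager;

    /** Raised when the {@link FileAccessManager} refuses access to a file referenced by a store. */
    public static class SandboxException extends CatalogException {
        private final File file;

        /**
         * @param str human-readable reason for the denial
         * @param file the file that was refused
         */
        public SandboxException(String str, File file) {
            super(str);
            this.file = file;
        }

        /** @return the file whose access was denied */
        public File getFile() {
            return this.file;
        }
    }

    /**
     * Creates the enforcer and registers it as a listener on the given catalog.
     *
     * @param catalog the catalog whose store events are to be checked
     */
    public FileSandboxEnforcer(Catalog catalog) {
        this.resourcePool = catalog.getResourcePool();
        this.fileAccessManager = FileAccessManager.lookupFileAccessManager();
        // Register last: once the catalog holds a reference, events may be delivered to this
        // object, so both collaborators must already be assigned. If either lookup above throws,
        // no half-initialised listener is left registered.
        catalog.addListener(this);
    }

    /**
     * Checks a store that is about to be added to the catalog.
     *
     * @throws SandboxException if a referenced file is refused by the file access manager
     * @throws CatalogException if the store is of a type this class does not know how to check
     */
    @Override
    public void handlePreAddEvent(CatalogBeforeAddEvent catalogBeforeAddEvent) throws CatalogException {
        CatalogInfo source = catalogBeforeAddEvent.getSource();
        if (!(source instanceof StoreInfo)) {
            return;
        }
        if (source instanceof DataStoreInfo) {
            DataStoreInfo dataStore = (DataStoreInfo) source;
            checkDataStoreParameters(dataStore, dataStore.getConnectionParameters());
        } else if (source instanceof CoverageStoreInfo) {
            CoverageStoreInfo coverageStore = (CoverageStoreInfo) source;
            checkAccess(coverageStore.getURL(), coverageStore);
        } else if (source instanceof HTTPStoreInfo) {
            HTTPStoreInfo httpStore = (HTTPStoreInfo) source;
            checkAccess(httpStore.getCapabilitiesURL(), httpStore);
        } else {
            // Fail closed: an unknown store type cannot be inspected, so it is rejected.
            throw new CatalogException("Unsupported store type: " + source.getClass());
        }
    }

    /**
     * Checks the new location of a store that is being modified. Only the property carrying the
     * location is inspected, and only when the event lists it among the changed properties.
     *
     * @throws SandboxException if a referenced file is refused by the file access manager
     * @throws CatalogException if the store is of a type this class does not know how to check
     */
    @Override
    public void handleModifyEvent(CatalogModifyEvent catalogModifyEvent) throws CatalogException {
        CatalogInfo source = catalogModifyEvent.getSource();
        if (!(source instanceof StoreInfo)) {
            return;
        }
        if (source instanceof DataStoreInfo) {
            Object value = getNewPropertyValue(catalogModifyEvent, "connectionParameters");
            if (value instanceof Map) {
                @SuppressWarnings("unchecked")
                Map<String, Serializable> newParameters = (Map<String, Serializable>) value;
                checkDataStoreParameters((DataStoreInfo) source, newParameters);
            }
        } else if (source instanceof CoverageStoreInfo) {
            CoverageStoreInfo coverageStore = (CoverageStoreInfo) source;
            Object value = getNewPropertyValue(catalogModifyEvent, "uRL");
            if (value instanceof String) {
                checkAccess((String) value, coverageStore);
            } else if (value instanceof URL) {
                checkAccess(value.toString(), coverageStore);
            }
        } else if (source instanceof HTTPStoreInfo) {
            HTTPStoreInfo httpStore = (HTTPStoreInfo) source;
            String capabilitiesUrl = (String) getNewPropertyValue(catalogModifyEvent, "capabilitiesURL");
            if (capabilitiesUrl != null) {
                checkAccess(capabilitiesUrl, httpStore);
            }
        } else {
            // Fail closed: an unknown store type cannot be inspected, so it is rejected.
            throw new CatalogException("Unsupported store type: " + source.getClass());
        }
    }

    /**
     * Checks every file-valued connection parameter of a data store.
     *
     * <p>The parameter list comes from the store's factory; when no factory is found, nothing is
     * checked. Any failure other than a sandbox denial is wrapped in a {@link CatalogException},
     * so an error while resolving parameters also results in an exception.
     *
     * @param store the data store being added or modified
     * @param connectionParameters the connection parameters to inspect
     */
    private void checkDataStoreParameters(DataStoreInfo store, Map<String, Serializable> connectionParameters) {
        try {
            Map params =
                    ResourcePool.getParams(connectionParameters, this.resourcePool.getCatalog().getResourceLoader());
            DataAccessFactory factory = this.resourcePool.getDataStoreFactory(store);
            if (factory == null) {
                return;
            }
            for (DataAccessFactory.Param param : factory.getParametersInfo()) {
                Class<?> type = param.getType();
                if (File.class.isAssignableFrom(type)) {
                    File file = (File) param.lookUp(params);
                    if (file != null) {
                        checkAccess(file);
                    }
                } else if (URL.class.isAssignableFrom(type)) {
                    URL url = (URL) param.lookUp(params);
                    if (url != null && isLocalFileUrl(url)) {
                        checkAccess(URLs.urlToFile(url));
                    }
                }
            }
        } catch (SandboxException denied) {
            // Keep the specific exception type so callers can tell a denial from a lookup error.
            throw denied;
        } catch (Exception e) {
            throw new CatalogException("Error checking data store parameters", e);
        }
    }

    /**
     * Returns the new value of the named property from a modify event.
     *
     * @return the new value, or {@code null} when the event does not list that property
     */
    private Object getNewPropertyValue(CatalogModifyEvent event, String propertyName) {
        List<String> propertyNames = event.getPropertyNames();
        int index = propertyNames.indexOf(propertyName);
        return index < 0 ? null : event.getNewValues().get(index);
    }

    /** Tells whether the URL points at the local file system (protocol {@code file} or none). */
    private static boolean isLocalFileUrl(URL url) {
        return "file".equals(url.getProtocol()) || url.getProtocol() == null;
    }

    /**
     * Asks the file access manager about one file.
     *
     * @throws SandboxException if access is refused
     */
    private void checkAccess(File file) {
        if (!this.fileAccessManager.checkAccess(file)) {
            throw new SandboxException("Access to " + file + " denied by file sandboxing", file);
        }
    }

    /**
     * Checks the location of a coverage store.
     *
     * <p>The location is first resolved through {@link ResourcePool#getCoverageStoreSource}. A
     * resulting {@link File}, or a {@link URL} that is local, is checked. Any other result falls
     * back to parsing the raw string as a URI and then as a plain path.
     *
     * @param location the coverage store URL as configured
     * @param store the coverage store being added or modified
     */
    private void checkAccess(String location, CoverageStoreInfo store) {
        Object resolved = ResourcePool.getCoverageStoreSource(location, null, store, new Hints());
        if (resolved instanceof File) {
            checkAccess((File) resolved);
        } else if (resolved instanceof URL) {
            URL url = (URL) resolved;
            if (isLocalFileUrl(url)) {
                checkAccess(URLs.urlToFile(url));
            }
        } else {
            try {
                URI uri = new URI(location);
                // NOTE(review): the scheme comparison is case-sensitive, and for a "file" scheme
                // the unparsed string (scheme prefix included) is what gets wrapped in a File.
                // Confirm that getCoverageStoreSource already turns every local-file form into a
                // File or URL, so that this fallback only ever sees scheme-less paths.
                if (StringUtils.isEmpty(uri.getScheme()) || "file".equals(uri.getScheme())) {
                    checkAccess(new File(location));
                } else {
                    // Non-file scheme: deliberately outside the file sandbox, recorded for audit.
                    LOGGER.log(
                            Level.FINE,
                            "Not a file URI in coverage store, not validating it against the sandbox: {0}",
                            uri);
                }
            } catch (URISyntaxException notAUri) {
                try {
                    checkAccess(Paths.get(location).toFile());
                } catch (InvalidPathException e) {
                    // Neither a URI nor a path: the value is left unvalidated.
                    LOGGER.log(Level.FINEST, "Not a valid URI/Path in coverage store, not validating it", e);
                }
            }
        }
    }

    /**
     * Checks the capabilities URL of an HTTP store. Only a {@code file} URL is checked; a string
     * that does not parse as a URL is left unvalidated and logged at {@code FINE}.
     *
     * @param capabilitiesUrl the capabilities URL as configured
     * @param store the HTTP store being added or modified (not consulted by the check)
     */
    private void checkAccess(String capabilitiesUrl, HTTPStoreInfo store) {
        try {
            URL url = new URL(capabilitiesUrl);
            if ("file".equals(url.getProtocol())) {
                checkAccess(URLs.urlToFile(url));
            }
        } catch (MalformedURLException e) {
            LOGGER.log(Level.FINE, "Not a valid URL in HTTP store, not validating it", e);
        }
    }
}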
