package org.geoserver.template;

import com.google.common.base.Splitter;
import freemarker.ext.beans.ClassMemberAccessPolicy;
import freemarker.ext.beans.DefaultMemberAccessPolicy;
import freemarker.ext.beans.MemberAccessPolicy;
import java.io.InputStream;
import java.io.OutputStream;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.lang.reflect.Proxy;
import java.util.List;
import java.util.function.Predicate;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.xml.namespace.QName;
import org.geoserver.catalog.Catalog;
import org.geoserver.platform.GeoServerExtensions;
import org.geoserver.platform.resource.ResourceStore;
import org.geotools.api.coverage.grid.GridCoverageReader;
import org.geotools.api.coverage.grid.GridCoverageWriter;
import org.geotools.api.data.DataAccess;
import org.geotools.util.logging.Logging;

/* loaded from: input_file:org/geoserver/template/GeoServerMemberAccessPolicy.class */
public final class GeoServerMemberAccessPolicy implements MemberAccessPolicy {
    public static final String FREEMARKER_ALLOW_LIST = "GEOSERVER_FREEMARKER_ALLOW_LIST";
    public static final String FREEMARKER_BLOCK_LIST = "GEOSERVER_FREEMARKER_BLOCK_LIST";
    public static final String FREEMARKER_API_EXPOSED = "GEOSERVER_FREEMARKER_API_EXPOSED";
    private final Boolean forceApiExposed;
    private final List<Object> forceAllowList;
    private final Predicate<Class<?>> staticAccess;
    private volatile List<Object> allowList = null;
    private volatile List<Object> blockList = null;
    private volatile Boolean apiExposed;
    private static final Logger LOGGER = Logging.getLogger(GeoServerMemberAccessPolicy.class);
    private static final DefaultMemberAccessPolicy DEFAULT_POLICY = DefaultMemberAccessPolicy.getInstance(TemplateUtils.FM_VERSION);
    private static final List<Object> DEFAULT_ALLOW = List.of("java.", QName.class, "net.opengis.", "org.geoserver.", "org.geotools.", "org.locationtech.jts.geom.");
    private static final List<Object> DEFAULT_BLOCK = List.of(InputStream.class, OutputStream.class, Class.class, ClassLoader.class, InvocationHandler.class, "java.lang.reflect.", "java.security.", Catalog.class, ResourceStore.class, DataAccess.class, GridCoverageReader.class, GridCoverageWriter.class);
    private static final Predicate<Class<?>> DEFAULT_STATIC_ACCESS = cls -> {
        return false;
    };
    public static final GeoServerMemberAccessPolicy DEFAULT_ACCESS = new GeoServerMemberAccessPolicy(null, null, null);
    public static final GeoServerMemberAccessPolicy FULL_ACCESS = new GeoServerMemberAccessPolicy(true, null, null);
    public static final GeoServerMemberAccessPolicy LIMIT_ACCESS = new GeoServerMemberAccessPolicy(false, null, null);

    /* loaded from: input_file:org/geoserver/template/GeoServerMemberAccessPolicy$GeoServerClassMemberAccessPolicy.class */
    private final class GeoServerClassMemberAccessPolicy implements ClassMemberAccessPolicy {
        private final Class<?> contextClass;
        private final boolean isContextClassAllowed;
        private final ClassMemberAccessPolicy defaultPolicy;

        private GeoServerClassMemberAccessPolicy(Class<?> cls) {
            this.contextClass = cls;
            this.isContextClassAllowed = isClassAllowed(cls);
            this.defaultPolicy = GeoServerMemberAccessPolicy.DEFAULT_POLICY.forClass(cls);
        }

        public boolean isConstructorExposed(Constructor<?> constructor) {
            return false;
        }

        public boolean isFieldExposed(Field field) {
            if (!this.defaultPolicy.isFieldExposed(field)) {
                return false;
            }
            boolean z = this.isContextClassAllowed && Modifier.isFinal(field.getModifiers()) && GeoServerMemberAccessPolicy.this.staticAccess.test(this.contextClass) && isClassAllowed(field.getType());
            if (!z) {
                GeoServerMemberAccessPolicy.LOGGER.finer(() -> {
                    return "Blocked access to field " + this.contextClass.getName() + "." + field.getName();
                });
            }
            return z;
        }

        public boolean isMethodExposed(Method method) {
            if (!this.defaultPolicy.isMethodExposed(method)) {
                return false;
            }
            if (method.getParameterCount() == 0 && method.getName().equals("toString")) {
                return true;
            }
            boolean z = false;
            if (isClassAllowed(method.getReturnType())) {
                if (Modifier.isStatic(method.getModifiers())) {
                    z = GeoServerMemberAccessPolicy.this.staticAccess.test(this.contextClass);
                } else {
                    z = this.isContextClassAllowed && checkGetterMethod(method);
                }
            }
            if (!z) {
                GeoServerMemberAccessPolicy.LOGGER.finer(() -> {
                    return "Blocked access to method " + this.contextClass.getName() + "." + method.getName();
                });
            }
            return z;
        }

        private boolean checkGetterMethod(Method method) {
            if (GeoServerMemberAccessPolicy.this.isApiExposed()) {
                return true;
            }
            boolean z = false;
            if (method.getParameterCount() == 0) {
                String name = method.getName();
                Class<?> returnType = method.getReturnType();
                if (name.startsWith("get") && name.length() > 3) {
                    z = !returnType.equals(Void.TYPE);
                } else if (name.startsWith("is") && name.length() > 2) {
                    z = returnType.equals(Boolean.TYPE) || returnType.equals(Boolean.class);
                }
            }
            return z;
        }

        private boolean isClassAllowed(Class<?> cls) {
            Class<?> cls2;
            if (cls.equals(Void.TYPE)) {
                return false;
            }
            if (Proxy.isProxyClass(cls)) {
                List list = (List) Stream.of((Object[]) cls.getInterfaces()).filter(cls3 -> {
                    return cls3.getName().startsWith("org.geoserver.");
                }).collect(Collectors.toUnmodifiableList());
                return !list.isEmpty() && list.stream().noneMatch(cls4 -> {
                    return matchesAny(cls4, GeoServerMemberAccessPolicy.this.getBlockList());
                });
            }
            Class<?> cls5 = cls;
            while (true) {
                cls2 = cls5;
                if (!cls2.isArray()) {
                    break;
                }
                cls5 = cls2.getComponentType();
            }
            return cls2.isPrimitive() || (matchesAny(cls2, GeoServerMemberAccessPolicy.this.getAllowList()) && !matchesAny(cls2, GeoServerMemberAccessPolicy.this.getBlockList()));
        }

        private boolean matchesAny(Class<?> cls, List<Object> list) {
            String name = cls.getName();
            return list.stream().anyMatch(obj -> {
                return obj instanceof Class ? ((Class) obj).isAssignableFrom(cls) : name.startsWith((String) obj);
            });
        }
    }

    private GeoServerMemberAccessPolicy(Boolean bool, List<Object> list, Predicate<Class<?>> predicate) {
        this.apiExposed = null;
        this.forceApiExposed = bool;
        this.apiExposed = this.forceApiExposed;
        this.forceAllowList = list != null ? list : List.of();
        this.staticAccess = predicate != null ? predicate : DEFAULT_STATIC_ACCESS;
    }

    public GeoServerMemberAccessPolicy withAllowList(Object... objArr) {
        return new GeoServerMemberAccessPolicy(this.forceApiExposed, List.of(objArr), this.staticAccess);
    }

    public GeoServerMemberAccessPolicy withStaticAccess(Predicate<Class<?>> predicate) {
        return new GeoServerMemberAccessPolicy(this.forceApiExposed, this.forceAllowList, predicate);
    }

    public ClassMemberAccessPolicy forClass(Class<?> cls) {
        return new GeoServerClassMemberAccessPolicy(cls);
    }

    public boolean isToStringAlwaysExposed() {
        return true;
    }

    public synchronized void reset() {
        this.allowList = null;
        this.blockList = null;
        this.apiExposed = this.forceApiExposed;
    }

    private List<Object> getAllowList() {
        if (this.allowList == null) {
            init();
        }
        return this.allowList;
    }

    private List<Object> getBlockList() {
        if (this.blockList == null) {
            init();
        }
        return this.blockList;
    }

    private boolean isApiExposed() {
        if (this.apiExposed == null) {
            init();
        }
        return this.apiExposed.booleanValue();
    }

    private synchronized void init() {
        if (this.allowList == null) {
            List<Object> list = DEFAULT_ALLOW;
            if (!this.forceAllowList.isEmpty()) {
                list = (List) Stream.concat(list.stream(), this.forceAllowList.stream()).collect(Collectors.toUnmodifiableList());
            }
            this.allowList = parseList(FREEMARKER_ALLOW_LIST, list);
        }
        if (this.blockList == null) {
            this.blockList = parseList(FREEMARKER_BLOCK_LIST, DEFAULT_BLOCK);
        }
        if (this.apiExposed == null) {
            this.apiExposed = Boolean.valueOf(Boolean.parseBoolean(GeoServerExtensions.getProperty(FREEMARKER_API_EXPOSED)));
        }
    }

    private static List<Object> parseList(String str, List<Object> list) {
        String property = GeoServerExtensions.getProperty(str);
        if (property == null || property.isBlank()) {
            return list;
        }
        return (List) Stream.concat(list.stream(), Splitter.on(',').trimResults().omitEmptyStrings().splitToStream(property).map(str2 -> {
            try {
                return Class.forName(str2);
            } catch (ClassNotFoundException e) {
                return str2;
            }
        })).collect(Collectors.toUnmodifiableList());
    }
}
