package org.elasticsearch.bootstrap;

import com.atlassian.elasticsearch.shaded.commons.cli.HelpFormatter;
import java.io.FilePermission;
import java.io.IOException;
import java.net.URL;
import java.nio.file.AccessMode;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.NotDirectoryException;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.security.Permissions;
import java.security.Policy;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.Map;
import java.util.regex.Pattern;
import org.elasticsearch.common.SuppressForbidden;
import org.elasticsearch.env.Environment;

/* loaded from: input_file:org/elasticsearch/bootstrap/Security.class */
final class Security {
    private static final Map<Pattern, String> SPECIAL_JARS;

    private Security() {
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static void configure(Environment environment) throws Exception {
        setCodebaseProperties();
        Policy.setPolicy(new ESPolicy(createPermissions(environment)));
        System.setSecurityManager(new SecurityManager() { // from class: org.elasticsearch.bootstrap.Security.1
            @Override // java.lang.SecurityManager
            public void checkExit(int i) {
                throw new SecurityException("exit(" + i + ") not allowed by system policy");
            }
        });
        selfTest();
    }

    @SuppressForbidden(reason = "proper use of URL")
    static void setCodebaseProperties() {
        for (URL url : JarHell.parseClassPath()) {
            for (Map.Entry<Pattern, String> entry : SPECIAL_JARS.entrySet()) {
                if (entry.getKey().matcher(url.getPath()).matches()) {
                    String value = entry.getValue();
                    if (System.getProperty(value) != null) {
                        throw new IllegalStateException("property: " + value + " is unexpectedly set: " + System.getProperty(value));
                    }
                    System.setProperty(value, url.toString());
                }
            }
        }
        for (String str : SPECIAL_JARS.values()) {
            if (System.getProperty(str) == null) {
                System.setProperty(str, "file:/dev/null");
            }
        }
    }

    static Permissions createPermissions(Environment environment) throws IOException {
        Permissions permissions = new Permissions();
        addPath(permissions, "path.home", environment.binFile(), "read,readlink");
        addPath(permissions, "path.home", environment.libFile(), "read,readlink");
        addPath(permissions, "path.plugins", environment.pluginsFile(), "read,readlink");
        addPath(permissions, "path.conf", environment.configFile(), "read,readlink");
        addPath(permissions, "path.scripts", environment.scriptsFile(), "read,readlink");
        addPath(permissions, "java.io.tmpdir", environment.tmpFile(), "read,readlink,write,delete");
        addPath(permissions, "path.logs", environment.logsFile(), "read,readlink,write,delete");
        if (environment.sharedDataFile() != null) {
            addPath(permissions, "path.shared_data", environment.sharedDataFile(), "read,readlink,write,delete");
        }
        for (Path path : environment.dataFiles()) {
            addPath(permissions, "path.data", path, "read,readlink,write,delete");
        }
        for (Path path2 : environment.dataWithClusterFiles()) {
            addPath(permissions, "path.data", path2, "read,readlink,write,delete");
        }
        for (Path path3 : environment.repoFiles()) {
            addPath(permissions, "path.repo", path3, "read,readlink,write,delete");
        }
        if (environment.pidFile() != null) {
            permissions.add(new FilePermission(environment.pidFile().toString(), "delete"));
        }
        return permissions;
    }

    static void addPath(Permissions permissions, String str, Path path, String str2) {
        try {
            ensureDirectoryExists(path);
            permissions.add(new FilePermission(path.toString(), str2));
            permissions.add(new FilePermission(path.toString() + path.getFileSystem().getSeparator() + HelpFormatter.DEFAULT_OPT_PREFIX, str2));
        } catch (IOException e) {
            throw new IllegalStateException("Unable to access '" + str + "' (" + path + ")", e);
        }
    }

    static void ensureDirectoryExists(Path path) throws IOException {
        if (Files.isDirectory(path, new LinkOption[0])) {
            path.getFileSystem().provider().checkAccess(path.toRealPath(new LinkOption[0]), AccessMode.READ);
            return;
        }
        try {
            Files.createDirectories(path, new FileAttribute[0]);
        } catch (FileAlreadyExistsException e) {
            NotDirectoryException notDirectoryException = new NotDirectoryException(path.toString());
            notDirectoryException.addSuppressed(e);
            throw notDirectoryException;
        }
    }

    @SuppressForbidden(reason = "accesses jvm default tempdir as a self-test")
    static void selfTest() throws IOException {
        try {
            try {
                Files.delete(Files.createTempFile(null, null, new FileAttribute[0]));
            } catch (IOException e) {
            }
        } catch (SecurityException e2) {
            throw new SecurityException("Security misconfiguration: cannot access java.io.tmpdir", e2);
        }
    }

    static {
        IdentityHashMap identityHashMap = new IdentityHashMap();
        identityHashMap.put(Pattern.compile(".*lucene-core-.*\\.jar$"), "es.security.jar.lucene.core");
        identityHashMap.put(Pattern.compile(".*jsr166e-.*\\.jar$"), "es.security.jar.twitter.jsr166e");
        identityHashMap.put(Pattern.compile(".*securemock-.*\\.jar$"), "es.security.jar.elasticsearch.securemock");
        SPECIAL_JARS = Collections.unmodifiableMap(identityHashMap);
    }
}
