package com.huawei.us.common.file;

import com.huawei.us.common.os.UsOSSafeUtils;
import com.huawei.us.common.resource.SystemConfigUtil;
import com.huawei.us.common.string.UsStringUtils;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.AclEntry;
import java.nio.file.attribute.AclEntryPermission;
import java.nio.file.attribute.AclEntryType;
import java.nio.file.attribute.BasicFileAttributes;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFileAttributes;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.nio.file.attribute.UserPrincipal;
import java.nio.file.attribute.UserPrincipalLookupService;
import java.text.MessageFormat;
import java.text.Normalizer;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.exception.ExceptionUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/huawei/us/common/file/UsFileSafeUtils.class */
public abstract class UsFileSafeUtils {
    private static final int DEFAULT_SYMLINK_DEPTH = 5;
    private static final String STAT_CMD = "stat -c %a";
    private static UserPrincipal posixRoot;
    private static UserPrincipal posixUser;
    private static UserPrincipal aclSystem;
    private static UserPrincipal aclAdministrators;
    private static UserPrincipal aclUser;
    private static FileAttribute<?> posixFilePermissionsAttribute;
    private static FileAttribute<?> posixDirectoryPermissionsAttribute;
    private static FileAttribute<?> aclFilePermissionsAttribute;
    private static final Logger LOGGER = LoggerFactory.getLogger(UsFileSafeUtils.class);
    private static final List<Integer> SPECIAL_PERMISSIONS = Collections.unmodifiableList(Arrays.asList(1, 2, 3));
    private static final StandardOpenOption[] DEFAULT_INPUT_OPTIONS = {StandardOpenOption.READ};
    private static final StandardOpenOption[] DEFAULT_OUTPUT_OPTIONS = {StandardOpenOption.CREATE, StandardOpenOption.WRITE};
    private static final StandardOpenOption[] DEFAULT_APPENDABLE_OUTPUT_OPTIONS = {StandardOpenOption.CREATE, StandardOpenOption.WRITE, StandardOpenOption.APPEND};
    private static final Set<String> SUPPORTED_FILE_ATTRIBUTE_VIEWS = Collections.unmodifiableSet(FileSystems.getDefault().supportedFileAttributeViews());
    private static final UserPrincipalLookupService LOOKUP_SERVICE = FileSystems.getDefault().getUserPrincipalLookupService();
    private static final String CURRENT_USER_NAME = System.getProperty("user.name");

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/huawei/us/common/file/UsFileSafeUtils$WrapAcl.class */
    public static class WrapAcl {
        private Path path;
        private Set<OpenOption> options;
        private FileAttribute<?> attr;

        private WrapAcl(Path path, Set<OpenOption> set, FileAttribute<?> fileAttribute) {
            this.path = path;
            this.options = set;
            this.attr = fileAttribute;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public Path getPath() {
            return this.path;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public Set<OpenOption> getOptions() {
            return this.options;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public FileAttribute<?> getAttr() {
            return this.attr;
        }
    }

    public static InputStream getSafeInputStream(File file) throws IOException {
        Objects.requireNonNull(file, "Input file is null!");
        File newFile = newFile(file.getCanonicalPath(), new String[0]);
        if (!isInSecureDir(newFile)) {
            throw new IllegalArgumentException("File is not in secure directory!");
        }
        WrapAcl wrapAcl = getWrapAcl(newFile.toPath(), false, DEFAULT_INPUT_OPTIONS);
        Path path = wrapAcl.getPath();
        if (isRegularFile(path)) {
            return Files.newInputStream(path, (OpenOption[]) wrapAcl.getOptions().toArray(new OpenOption[0]));
        }
        throw new IllegalArgumentException("Can't read from a not regular file " + file.getName());
    }

    public static OutputStream getSafeOutputStream(File file, boolean z) throws IOException {
        createCanonicalFile(file, z);
        WrapAcl wrapAcl = getWrapAcl(newFile(file.getCanonicalPath(), new String[0]).toPath(), false, z ? DEFAULT_APPENDABLE_OUTPUT_OPTIONS : DEFAULT_OUTPUT_OPTIONS);
        Path path = wrapAcl.getPath();
        if (isRegularFile(path)) {
            return Files.newOutputStream(path, (OpenOption[]) wrapAcl.getOptions().toArray(new OpenOption[0]));
        }
        throw new IllegalArgumentException("Can't output in not regular file " + file.getName());
    }

    public static File newFile(String str, String... strArr) {
        Objects.requireNonNull(str, "Input filePath is null!");
        String normalize = Normalizer.normalize(str, Normalizer.Form.NFC);
        String str2 = (String) Stream.of((Object[]) strArr).filter((v0) -> {
            return Objects.nonNull(v0);
        }).map(str3 -> {
            return Normalizer.normalize(str3, Normalizer.Form.NFC);
        }).collect(Collectors.joining(File.separator));
        if (StringUtils.isNotEmpty(str2)) {
            normalize = str.concat(File.separator).concat(str2);
        }
        return Paths.get(getSafeFilePath(normalize), new String[0]).toFile();
    }

    public static String getSafeFilePath(String str) {
        Objects.requireNonNull(str, "Input filePath is null!");
        if (!UsFileLiteUtils.isSecurityFileName(str) || str.indexOf(0) >= 0) {
            throw new IllegalArgumentException("Not safe file path of " + str);
        }
        return str;
    }

    public static File createCanonicalFile(String str) {
        File newFile = newFile(str, new String[0]);
        createCanonicalFile(newFile, false);
        return newFile;
    }

    public static void createCanonicalFile(File file) {
        Objects.requireNonNull(file, "Input file is null!");
        createCanonicalFile(newFile(file.getPath(), new String[0]), false);
    }

    public static void createCanonicalFile(File file, boolean z) {
        Objects.requireNonNull(file, "Input file is null!");
        createCanonicalFile(newFile(file.getPath(), new String[0]).toPath(), z);
    }

    public static void createCanonicalFile(Path path, boolean z) {
        if (path == null || Files.exists(path, new LinkOption[0])) {
            return;
        }
        Path parent = path.getParent();
        if (parent != null && Files.exists(parent, new LinkOption[0]) && !isSecureDir(parent)) {
            LOGGER.error("File {} is in not secure directory {}!", path.getFileName(), parent.getFileName());
            throw new IllegalArgumentException("File is in not secure directory!");
        }
        if (parent != null && !Files.exists(parent, new LinkOption[0])) {
            createCanonicalDir(parent);
        }
        try {
            WrapAcl wrapAcl = getWrapAcl(path, false, z ? DEFAULT_OUTPUT_OPTIONS : DEFAULT_APPENDABLE_OUTPUT_OPTIONS);
            Files.createFile(wrapAcl.getPath(), wrapAcl.getAttr());
        } catch (IOException e) {
            throw wrapper("Failed to create canonical file!", e);
        }
    }

    public static File createCanonicalDir(String str) {
        File newFile = newFile(str, new String[0]);
        createCanonicalDir(newFile);
        return newFile;
    }

    public static void createCanonicalDir(File file) {
        Objects.requireNonNull(file, "Input directory is null!");
        createCanonicalDir(newFile(file.getPath(), new String[0]).toPath());
    }

    public static void createCanonicalDir(Path path) {
        Path root = path.toAbsolutePath().getRoot();
        if (root == null) {
            return;
        }
        for (int i = 1; i <= path.getNameCount(); i++) {
            Path path2 = Paths.get(root.toString(), path.subpath(0, i).toString());
            Path parent = path2.getParent();
            if (!Files.exists(path2, new LinkOption[0]) && isSecureParent(parent)) {
                createDirectory(path2);
            }
        }
    }

    private static void createDirectory(Path path) {
        try {
            Files.createDirectory(path, getWrapAcl(path, true, DEFAULT_OUTPUT_OPTIONS).getAttr());
        } catch (IOException e) {
            throw wrapper("Failed to create directory " + path.getFileName(), e);
        }
    }

    private static boolean isSecureParent(Path path) {
        return path == null || (Files.exists(path, new LinkOption[0]) && isSecureDir(path));
    }

    public static boolean isRegularFile(File file) throws IOException {
        if (file != null) {
            return isRegularFile(Paths.get(getSafeFilePath(file.getCanonicalPath()), new String[0]));
        }
        return false;
    }

    public static boolean isRegularFile(Path path) throws IOException {
        if (path != null) {
            return Files.readAttributes(path, BasicFileAttributes.class, LinkOption.NOFOLLOW_LINKS).isRegularFile();
        }
        return false;
    }

    public static boolean isPosix() {
        return SUPPORTED_FILE_ATTRIBUTE_VIEWS.contains("posix");
    }

    public static boolean isAcl() {
        return SUPPORTED_FILE_ATTRIBUTE_VIEWS.contains("acl");
    }

    public static boolean isInSecureDir(String str) {
        return isInSecureDir(newFile(str, new String[0]));
    }

    public static boolean isInSecureDir(File file) {
        if (file == null) {
            return false;
        }
        try {
            Path parent = Paths.get(file.getCanonicalPath(), new String[0]).getParent();
            if (parent != null) {
                if (!isSecureDir(parent, null)) {
                    return false;
                }
            }
            return true;
        } catch (IOException e) {
            throw wrapper("Failed to get canonical path!", e);
        }
    }

    public static boolean isSecureDir(String str) {
        return isSecureDir(newFile(str, new String[0]));
    }

    public static boolean isSecureDir(File file) {
        if (file == null) {
            return false;
        }
        try {
            Path path = Paths.get(file.getCanonicalPath(), new String[0]);
            if (Files.isDirectory(path, new LinkOption[0])) {
                if (isSecureDir(path)) {
                    return true;
                }
            }
            return false;
        } catch (IOException e) {
            throw wrapper("Failed to get canonical path!", e);
        }
    }

    public static boolean isSecureDir(Path path) {
        return isSecureDir(path, null);
    }

    public static boolean isSecureDir(Path path, UserPrincipal userPrincipal) {
        return isSecureDir(path, userPrincipal, DEFAULT_SYMLINK_DEPTH);
    }

    private static boolean isSecureDir(Path path, UserPrincipal userPrincipal, int i) {
        boolean z = true;
        Path absolutePath = path.toAbsolutePath();
        if (isInWhiteList(path)) {
            LOGGER.info("Directory {} or parent directory is in {}!", absolutePath, "file.permission.check.white.list");
            return true;
        }
        if (isPosix()) {
            z = isSecureDirForUnix(absolutePath, userPrincipal, i);
        } else if (isAcl()) {
            z = isSecureDirForWindows(absolutePath, userPrincipal);
        }
        if (!z) {
            LOGGER.error("Directory {} is not secure!", absolutePath);
        }
        return z;
    }

    private static boolean isInWhiteList(Path path) {
        String stringValueByName = SystemConfigUtil.getStringValueByName("file.permission.check.white.list", "");
        if (!StringUtils.isNotEmpty(stringValueByName)) {
            return false;
        }
        return StringUtils.startsWithAny(path.toString() + File.separator, (CharSequence[]) Arrays.stream(UsStringUtils.strToArray(stringValueByName)).map(str -> {
            return str + File.separator;
        }).toArray(i -> {
            return new String[i];
        }));
    }

    private static boolean isSecureDirForWindows(Path path, UserPrincipal userPrincipal) {
        Path root = path.getRoot();
        if (root == null) {
            return true;
        }
        if (userPrincipal == null) {
            userPrincipal = aclUser;
        }
        if (aclAdministrators == null || aclSystem == null || userPrincipal == null) {
            LOGGER.error("administrators is null or system is null or user is null!");
            return false;
        }
        for (int i = 1; i <= path.getNameCount(); i++) {
            try {
                UserPrincipal owner = Files.getOwner(Paths.get(root.toString(), path.subpath(0, i).toString()), new LinkOption[0]);
                if (!userPrincipal.equals(owner) && !owner.equals(aclAdministrators) && !owner.equals(aclSystem)) {
                    LOGGER.error("Owner {} is not administrator {} or system {} or user {}!", new Object[]{owner.getName(), aclAdministrators.getName(), aclSystem.getName(), userPrincipal.getName()});
                    return false;
                }
            } catch (IOException e) {
                LOGGER.error("Failed to check user principal cause by {}!", ExceptionUtils.getRootCauseMessage(e));
                return false;
            }
        }
        return true;
    }

    private static boolean isSecureDirForUnix(Path path, UserPrincipal userPrincipal, int i) {
        if (i <= 0) {
            LOGGER.error("symlinkDepth <= 0 ");
            return false;
        }
        Path root = path.getRoot();
        if (root == null) {
            return true;
        }
        if (userPrincipal == null) {
            userPrincipal = posixUser;
        }
        if (posixRoot == null || userPrincipal == null) {
            LOGGER.error("root is null or user is null!");
            return false;
        }
        for (int i2 = 1; i2 <= path.getNameCount(); i2++) {
            try {
                if (!isPartialPathSecure(Paths.get(root.toString(), path.subpath(0, i2).toString()), posixRoot, userPrincipal, i)) {
                    return false;
                }
            } catch (IOException e) {
                LOGGER.error("Failed to check user principal cause by {}!", ExceptionUtils.getRootCauseMessage(e));
                return false;
            }
        }
        return true;
    }

    private static boolean isPartialPathSecure(Path path, UserPrincipal userPrincipal, UserPrincipal userPrincipal2, int i) throws IOException {
        if (Files.isSymbolicLink(path)) {
            return isSecureDirForUnix(Files.readSymbolicLink(path), userPrincipal2, i - 1);
        }
        UserPrincipal owner = Files.getOwner(path, new LinkOption[0]);
        if (!userPrincipal2.equals(owner) && !userPrincipal.equals(owner)) {
            LOGGER.error("Owner {} is not root {} or user {}!", new Object[]{owner.getName(), userPrincipal.getName(), userPrincipal2.getName()});
            return false;
        }
        Set<PosixFilePermission> permissions = ((PosixFileAttributes) Files.readAttributes(path, PosixFileAttributes.class, new LinkOption[0])).permissions();
        if ((!permissions.contains(PosixFilePermission.GROUP_WRITE) && !permissions.contains(PosixFilePermission.OTHERS_WRITE)) || isSpecialPermissionDirectory(path)) {
            return true;
        }
        LOGGER.error("Permission contains group write or others write!");
        return false;
    }

    private static boolean isSpecialPermissionDirectory(Path path) throws IOException {
        String runtimeTrimExec = UsOSSafeUtils.runtimeTrimExec(new String[]{STAT_CMD, Normalizer.normalize(path.toFile().getCanonicalPath(), Normalizer.Form.NFC)});
        if (!runtimeTrimExec.matches("\\d+")) {
            return false;
        }
        int parseInt = Integer.parseInt(runtimeTrimExec) / 1000;
        String normalize = Normalizer.normalize(Objects.toString(path.getFileName(), "null"), Normalizer.Form.NFC);
        String normalize2 = Normalizer.normalize(runtimeTrimExec, Normalizer.Form.NFC);
        if (SPECIAL_PERMISSIONS.contains(Integer.valueOf(parseInt))) {
            LOGGER.info("Detected valid special directory [{}] with permission {}!", normalize, normalize2);
            return true;
        }
        LOGGER.error("Detected invalid special directory [{}] with permission {}!", normalize, normalize2);
        return false;
    }

    private static WrapAcl getWrapAcl(Path path, boolean z, StandardOpenOption... standardOpenOptionArr) {
        Set set = (Set) Stream.of((Object[]) standardOpenOptionArr).collect(Collectors.toSet());
        if (isPosix()) {
            return new WrapAcl(path, set, z ? posixDirectoryPermissionsAttribute : posixFilePermissionsAttribute);
        }
        if (isAcl()) {
            return new WrapAcl(path, set, aclFilePermissionsAttribute);
        }
        LOGGER.error("Failed to get warp acl!");
        throw new IllegalArgumentException("Failed to get warp acl for file " + path.getFileName());
    }

    private static <E extends Exception> IllegalArgumentException wrapper(String str, E e) throws IllegalArgumentException {
        if (e != null) {
            LOGGER.error(MessageFormat.format("Wrapper Exception: {0} -> Cause By {1}", str, ExceptionUtils.getRootCauseMessage(e)));
        }
        LOGGER.error(str);
        return new IllegalArgumentException(str);
    }

    private static void initPosixCommonAttributes() {
        try {
            posixRoot = LOOKUP_SERVICE.lookupPrincipalByName("root");
            posixUser = LOOKUP_SERVICE.lookupPrincipalByName(CURRENT_USER_NAME);
            posixFilePermissionsAttribute = PosixFilePermissions.asFileAttribute(new HashSet(Arrays.asList(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE)));
            posixDirectoryPermissionsAttribute = PosixFilePermissions.asFileAttribute(new HashSet(Arrays.asList(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE, PosixFilePermission.OWNER_EXECUTE)));
        } catch (IOException e) {
            LOGGER.error("Failed to lookup principal for root or user {} cause by {}!", CURRENT_USER_NAME, e.getMessage());
        }
    }

    private static void initAclCommonAttributes() {
        try {
            aclUser = LOOKUP_SERVICE.lookupPrincipalByName(CURRENT_USER_NAME);
            aclAdministrators = LOOKUP_SERVICE.lookupPrincipalByGroupName("administrators");
            aclSystem = LOOKUP_SERVICE.lookupPrincipalByGroupName("system");
            final AclEntry build = AclEntry.newBuilder().setType(AclEntryType.ALLOW).setPrincipal(aclUser).setPermissions(EnumSet.allOf(AclEntryPermission.class)).build();
            final AclEntry build2 = AclEntry.newBuilder().setType(AclEntryType.ALLOW).setPrincipal(aclAdministrators).setPermissions(EnumSet.allOf(AclEntryPermission.class)).build();
            final AclEntry build3 = AclEntry.newBuilder().setType(AclEntryType.ALLOW).setPrincipal(aclSystem).setPermissions(EnumSet.allOf(AclEntryPermission.class)).build();
            aclFilePermissionsAttribute = new FileAttribute<List<AclEntry>>() { // from class: com.huawei.us.common.file.UsFileSafeUtils.1
                @Override // java.nio.file.attribute.FileAttribute
                public String name() {
                    return "acl:acl";
                }

                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.nio.file.attribute.FileAttribute
                public List<AclEntry> value() {
                    ArrayList arrayList = new ArrayList();
                    arrayList.add(build);
                    arrayList.add(build2);
                    arrayList.add(build3);
                    return arrayList;
                }
            };
        } catch (IOException e) {
            LOGGER.error("Failed to lookup principal for administrators or system or user {} cause by {}!", CURRENT_USER_NAME, e.getMessage());
        }
    }

    static {
        if (isPosix()) {
            initPosixCommonAttributes();
        }
        if (isAcl()) {
            initAclCommonAttributes();
        }
    }
}
