package com.amazon.opendistroforelasticsearch.security.support;

import com.amazon.dlic.auth.ldap.LdapUser;
import com.amazon.opendistroforelasticsearch.security.user.User;
import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.common.io.BaseEncoding;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.OutputStream;
import java.io.Serializable;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.common.Strings;
import org.ldaptive.AbstractLdapBean;
import org.ldaptive.LdapAttribute;
import org.ldaptive.LdapEntry;
import org.ldaptive.SearchEntry;

/* loaded from: input_file:com/amazon/opendistroforelasticsearch/security/support/Base64Helper.class */
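/**
 * Converts {@link Serializable} objects to Base64 strings and back using Java native
 * serialization, with both directions restricted to an allowlist of classes.
 *
 * <p>The allowlist is evaluated by {@link #isSafeClass(Class)}. On the read side it is enforced in
 * {@code SafeObjectInputStream.resolveClass}; on the write side it is enforced in
 * {@code SafeObjectOutputStream.replaceObject} when object substitution is permitted.
 *
 * <p>NOTE(review): the read side is the security boundary for data that arrives from outside this
 * JVM. Anything added to the three allowlist constants below widens what a received payload may
 * instantiate, so additions deserve the same scrutiny as a new network-facing parser.
 */
public class Base64Helper {
    /**
     * Classes accepted by exact match only ({@code Set.contains}); subclasses of these are not
     * covered by this set.
     */
    private static final Set<Class<?>> SAFE_CLASSES = ImmutableSet.of(
            String.class,
            SocketAddress.class,
            InetSocketAddress.class,
            Pattern.class,
            User.class,
            SourceFieldsContext.class,
            LdapUser.class,
            SearchEntry.class,
            LdapEntry.class,
            AbstractLdapBean.class,
            LdapAttribute.class);

    /**
     * Base types whose every subtype is accepted ({@code isAssignableFrom}).
     *
     * <p>NOTE(review): these entries admit every {@code Collection}, {@code Map}, {@code Number},
     * {@code Enum} and {@code InetAddress} implementation visible to the resolving class loader,
     * including ones shipped by third-party libraries, not only the JDK ones. Element, key, value
     * and comparator classes still pass through the same check individually, but the container
     * types themselves are not restricted further. Confirm this breadth is intended.
     */
    private static final List<Class<?>> SAFE_ASSIGNABLE_FROM_CLASSES =
            ImmutableList.of(InetAddress.class, Number.class, Collection.class, Map.class, Enum.class);

    /**
     * Classes accepted by fully qualified name. Presumably used for the nested ldaptive class
     * because it cannot be referenced as a class literal from here - TODO confirm.
     */
    private static final Set<String> SAFE_CLASS_NAMES =
            Collections.singleton("org.ldaptive.LdapAttribute$LdapAttributeValues");

    /**
     * {@link ObjectInputStream} that rejects every class descriptor whose resolved class is not on
     * the allowlist.
     *
     * <p>NOTE(review): only {@code resolveClass} is overridden. Descriptors for dynamic proxy
     * classes are resolved through {@code resolveProxyClass}, which is inherited unchanged, so
     * proxy classes themselves are not checked against the allowlist (the invocation handler
     * object inside a proxy is still resolved through {@code resolveClass}). Consider whether
     * proxies should be rejected outright.
     */
    private static final class SafeObjectInputStream extends ObjectInputStream {
        public SafeObjectInputStream(InputStream inputStream) throws IOException {
            super(inputStream);
        }

        /**
         * Resolves the class as the superclass would, then refuses it unless it is allowlisted.
         * The check runs after the class has been looked up but before any instance of it is
         * created by the stream.
         *
         * @throws InvalidClassException if the resolved class is not allowlisted
         */
        @Override
        protected Class<?> resolveClass(ObjectStreamClass objectStreamClass) throws IOException, ClassNotFoundException {
            final Class<?> resolved = super.resolveClass(objectStreamClass);
            if (!Base64Helper.isSafeClass(resolved)) {
                // NOTE(review): InvalidClassException(String, String) is declared as
                // (className, reason); the arguments are passed in the opposite order here, so
                // getMessage() reads "Unauthorized deserialization attempt ; <class name>".
                // Kept as is because callers or tests may match on that text.
                throw new InvalidClassException("Unauthorized deserialization attempt ", resolved.getName());
            }
            return resolved;
        }
    }

    /**
     * {@link ObjectOutputStream} that refuses to write any object whose class is not allowlisted,
     * implemented through the object-substitution hook.
     */
    private static final class SafeObjectOutputStream extends ObjectOutputStream {
        /** Evaluated once at class initialisation; {@code false} means substitution is not permitted. */
        private static final boolean useSafeObjectOutputStream = checkSubstitutionPermission();

        /**
         * Determines whether this code may enable object substitution.
         *
         * @return {@code true} when no security manager is installed, or when both the
         *     {@link SpecialPermission} check and the privileged {@code SUBSTITUTION_PERMISSION}
         *     check pass; {@code false} when either throws {@link SecurityException}
         */
        private static boolean checkSubstitutionPermission() {
            final SecurityManager securityManager = System.getSecurityManager();
            if (securityManager == null) {
                return true;
            }
            try {
                securityManager.checkPermission(new SpecialPermission());
                // The explicit target type is required: a bare lambda is ambiguous between the
                // PrivilegedAction and PrivilegedExceptionAction overloads of doPrivileged.
                AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
                    AccessController.checkPermission(SUBSTITUTION_PERMISSION);
                    return null;
                });
                return true;
            } catch (SecurityException e) {
                return false;
            }
        }

        /**
         * Creates the output stream used by {@link Base64Helper#serializeObject(Serializable)}.
         *
         * <p>When substitution is not permitted, or enabling it fails with a
         * {@link SecurityException}, a plain {@link ObjectOutputStream} is returned and no
         * write-side allowlist check takes place. The read side still enforces the allowlist.
         *
         * @param byteArrayOutputStream buffer that receives the serialized bytes
         * @return a checking stream when possible, otherwise a plain stream
         * @throws IOException if the stream header cannot be written
         */
        static ObjectOutputStream create(ByteArrayOutputStream byteArrayOutputStream) throws IOException {
            try {
                return useSafeObjectOutputStream
                        ? new SafeObjectOutputStream(byteArrayOutputStream)
                        : new ObjectOutputStream(byteArrayOutputStream);
            } catch (SecurityException e) {
                // The failed constructor has already called super(...), which writes the stream
                // header; discard it so the fallback stream starts from an empty buffer.
                byteArrayOutputStream.reset();
                return new ObjectOutputStream(byteArrayOutputStream);
            }
        }

        /**
         * Opens the stream and turns on object substitution so that
         * {@link #replaceObject(Object)} is consulted for written objects.
         *
         * @throws SecurityException if a security manager denies the required permissions
         */
        private SafeObjectOutputStream(OutputStream outputStream) throws IOException {
            super(outputStream);
            final SecurityManager securityManager = System.getSecurityManager();
            if (securityManager != null) {
                securityManager.checkPermission(new SpecialPermission());
            }
            AccessController.doPrivileged((PrivilegedAction<Boolean>) () -> enableReplaceObject(true));
        }

        /**
         * Passes allowlisted objects through unchanged and rejects everything else.
         *
         * @throws IOException if the object's class is not allowlisted
         */
        @Override
        protected Object replaceObject(Object obj) throws IOException {
            final Class<?> type = obj.getClass();
            if (!Base64Helper.isSafeClass(type)) {
                throw new IOException("Unauthorized serialization attempt " + type.getName());
            }
            return obj;
        }
    }

    /**
     * Tells whether a class may be serialized or deserialized by this helper.
     *
     * <p>A class is accepted when it is an array type, is contained in {@code SAFE_CLASSES}, has
     * its name in {@code SAFE_CLASS_NAMES}, or is assignable to one of
     * {@code SAFE_ASSIGNABLE_FROM_CLASSES}.
     *
     * <p>NOTE(review): every array type is accepted regardless of component type, and nothing
     * here bounds array length or graph depth. If payloads can come from less trusted peers,
     * consider an additional size limit on the encoded input or a stream-level filter.
     *
     * @param cls the class to test
     * @return {@code true} if the class is on the allowlist
     */
    public static boolean isSafeClass(Class<?> cls) {
        if (cls.isArray() || SAFE_CLASSES.contains(cls) || SAFE_CLASS_NAMES.contains(cls.getName())) {
            return true;
        }
        return SAFE_ASSIGNABLE_FROM_CLASSES.stream().anyMatch(allowedBase -> allowedBase.isAssignableFrom(cls));
    }

    /**
     * Serializes an object and returns the bytes as a Base64 string.
     *
     * <p>NOTE(review): on failure the instance itself is passed as a message argument of the
     * thrown exception; if the message is rendered with the object's {@code toString()}, its
     * contents may reach logs. Confirm that is acceptable for the types serialized here.
     *
     * @param serializable the object to serialize; must not be {@code null}
     * @return the Base64 encoding of the serialized form
     * @throws IllegalArgumentException if {@code serializable} is {@code null}
     * @throws ElasticsearchException if serialization fails, including when a class in the object
     *     graph is rejected by the write-side allowlist check
     */
    public static String serializeObject(Serializable serializable) {
        Preconditions.checkArgument(serializable != null, "object must not be null");
        final ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        // try-with-resources closes (and thereby flushes) the stream on both the normal and the
        // failure path before the buffer is read.
        try (ObjectOutputStream out = SafeObjectOutputStream.create(buffer)) {
            out.writeObject(serializable);
        } catch (Exception e) {
            throw new ElasticsearchException("Instance {} of class {} is not serializable", e, new Object[]{serializable, serializable.getClass()});
        }
        return BaseEncoding.base64().encode(buffer.toByteArray());
    }

    /**
     * Decodes a Base64 string and deserializes the object it contains, accepting only
     * allowlisted classes.
     *
     * @param str Base64 text produced by {@link #serializeObject(Serializable)}; must not be
     *     {@code null} or empty
     * @return the deserialized object
     * @throws IllegalArgumentException if {@code str} is {@code null} or empty
     * @throws ElasticsearchException wrapping any failure: malformed Base64, a corrupt stream, or
     *     an {@link InvalidClassException} raised because a class is not allowlisted
     */
    public static Serializable deserializeObject(String str) {
        Preconditions.checkArgument(!Strings.isNullOrEmpty(str), "string must not be null or empty");
        // Decoding happens inside the try statement so that malformed Base64 is wrapped like any
        // other failure, and the stream is closed on every path.
        try (SafeObjectInputStream in =
                new SafeObjectInputStream(new ByteArrayInputStream(BaseEncoding.base64().decode(str)))) {
            return (Serializable) in.readObject();
        } catch (Exception e) {
            throw new ElasticsearchException(e);
        }
    }
}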
