package com.oracle.svm.hosted.jdk;

import com.oracle.svm.core.feature.AutomaticallyRegisteredFeature;
import com.oracle.svm.core.feature.InternalFeature;
import com.oracle.svm.core.jdk.AccessControllerUtil;
import com.oracle.svm.core.util.VMError;
import com.oracle.svm.util.ReflectionUtil;
import java.security.AccessControlContext;
import java.security.DomainCombiner;
import java.security.ProtectionDomain;
import java.util.HashMap;
import java.util.Map;
import jdk.graal.compiler.serviceprovider.JavaVersionUtil;
import org.graalvm.nativeimage.hosted.Feature;

@AutomaticallyRegisteredFeature
/* loaded from: input_file:com/oracle/svm/hosted/jdk/AccessControlContextReplacerFeature.class */
class AccessControlContextReplacerFeature implements InternalFeature {
    static Map<String, AccessControlContext> allowedContexts = new HashMap();

    AccessControlContextReplacerFeature() {
    }

    public boolean isInConfiguration(Feature.IsInConfigurationAccess isInConfigurationAccess) {
        return JavaVersionUtil.JAVA_SPEC == 21;
    }

    static void allowContextIfExists(String str, String str2) {
        try {
            String str3 = str + "." + str2;
            try {
                allowedContexts.put(str3, (AccessControlContext) ReflectionUtil.readStaticField(Class.forName(str), str2));
            } catch (ReflectionUtil.ReflectionUtilError e) {
                throw VMError.shouldNotReachHere("Following field isn't present in JDK" + JavaVersionUtil.JAVA_SPEC + ": " + str3);
            }
        } catch (ReflectiveOperationException e2) {
            throw VMError.shouldNotReachHere("Following class isn't present in JDK" + JavaVersionUtil.JAVA_SPEC + ": " + str);
        }
    }

    public void duringSetup(Feature.DuringSetupAccess duringSetupAccess) {
        allowContextIfExists("java.util.Calendar$CalendarAccessControlContext", "INSTANCE");
        allowContextIfExists("javax.management.monitor.Monitor", "noPermissionsACC");
        allowContextIfExists("java.security.AccessController$AccHolder", "innocuousAcc");
        duringSetupAccess.registerObjectReplacer(AccessControlContextReplacerFeature::replaceAccessControlContext);
    }

    private static boolean isSimpleContext(AccessControlContext accessControlContext) {
        ProtectionDomain[] protectionDomainArr = (ProtectionDomain[]) ReflectionUtil.readField(AccessControlContext.class, "context", accessControlContext);
        AccessControlContext accessControlContext2 = (AccessControlContext) ReflectionUtil.readField(AccessControlContext.class, "privilegedContext", accessControlContext);
        DomainCombiner domainCombiner = (DomainCombiner) ReflectionUtil.readField(AccessControlContext.class, "combiner", accessControlContext);
        AccessControlContext accessControlContext3 = (AccessControlContext) ReflectionUtil.readField(AccessControlContext.class, "parent", accessControlContext);
        ProtectionDomain[] protectionDomainArr2 = (ProtectionDomain[]) ReflectionUtil.readField(AccessControlContext.class, "limitedContext", accessControlContext);
        if (protectionDomainArr != null && protectionDomainArr.length > 0) {
            return checkPD(protectionDomainArr);
        }
        if (domainCombiner != null) {
            return false;
        }
        if (accessControlContext3 != null) {
            return isSimpleContext(accessControlContext3);
        }
        if (protectionDomainArr2 != null && protectionDomainArr2.length > 0) {
            return checkPD(protectionDomainArr2);
        }
        if (accessControlContext2 != null) {
            return isSimpleContext(accessControlContext2);
        }
        return true;
    }

    private static boolean checkPD(ProtectionDomain[] protectionDomainArr) {
        for (ProtectionDomain protectionDomain : protectionDomainArr) {
            if (protectionDomain.getCodeSource() != null || protectionDomain.getPrincipals().length > 0 || protectionDomain.getPermissions() != null) {
                return false;
            }
        }
        return true;
    }

    private static Object replaceAccessControlContext(Object obj) {
        if (!(obj instanceof AccessControlContext) || obj == AccessControllerUtil.DISALLOWED_CONTEXT_MARKER) {
            return obj;
        }
        if (!allowedContexts.containsValue(obj) && !isSimpleContext((AccessControlContext) obj)) {
            return AccessControllerUtil.DISALLOWED_CONTEXT_MARKER;
        }
        return obj;
    }
}
