package com.atlassian.jira.security;

import com.atlassian.core.util.ClassLoaderUtils;
import com.atlassian.jira.security.filter.DeserializationFilterConfigurator;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.ObjectInputFilter;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/atlassian/jira/security/PropertiesBasedDeserializationFilterConfigurator.class */
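/**
 * Registers the JVM-wide deserialization filter from a blocklist file on the classpath.
 *
 * <p>Entries are read from {@code deserialization-blocklist.properties}, one per line; blank lines
 * and lines starting with {@code #} are skipped. The resulting set is handed to
 * {@code BlocklistDeserializationFilter}, whose matching rules are not visible in this file.
 *
 * <p>NOTE(review): if an {@link IOException} occurs while loading the file, an empty blocklist is
 * installed instead of failing. Because the serial filter can only be set once per JVM, that empty
 * blocklist stays in place until restart. Alert on the error and warning lines logged here.
 */
public class PropertiesBasedDeserializationFilterConfigurator implements DeserializationFilterConfigurator {
    private static final String BLOCKLIST_PROPERTIES_FILE = "deserialization-blocklist.properties";
    private static final Logger log = LoggerFactory.getLogger(PropertiesBasedDeserializationFilterConfigurator.class);

    /**
     * Builds the blocklist filter and installs it as the process-wide serial filter.
     *
     * @throws IllegalStateException if a serial filter has already been set for this JVM
     * @throws RuntimeException if no filter is present after registration
     */
    @Override
    public void configureSerialFilter() {
        // Load and construct before the try block: only setSerialFilter() can legitimately raise the
        // "already set" IllegalStateException, so failures here must not be reported as that.
        Set<String> blockedClasses = getBlockedClassesFromFile();
        if (blockedClasses.isEmpty()) {
            // Make an empty blocklist visible to operators; the "successfully registered" line
            // below would otherwise be the only trace.
            log.warn("No blocked classes were loaded from '{}'; the deserialization blocklist is empty", BLOCKLIST_PROPERTIES_FILE);
        }
        ObjectInputFilter filter = new BlocklistDeserializationFilter(blockedClasses);
        try {
            ObjectInputFilter.Config.setSerialFilter(filter);
            // Read the filter back so a silent no-op registration is caught at startup.
            if (getCurrentSerialFilterClass() == null) {
                throw new RuntimeException("BlocklistDeserializationFilter has not been set up, please check: " + "https://confluence.atlassian.com/adminjiraserver/live-monitoring-using-the-jmx-interface-939707304.html");
            }
            log.info("BlocklistDeserializationFilter successfully registered");
        } catch (IllegalStateException e) {
            // Name the filter that won the race so the operator can tell whether it is ours.
            log.error("Could not to create serial filter because it is already set. The current filter is based on this class: {}", getCurrentSerialFilterClass());
            throw new IllegalStateException("Serial filter can only be set once. Error: " + e.getMessage(), e);
        }
    }

    /**
     * Loads the blocklist entries from the classpath resource.
     *
     * @return the entries read from the file, or an empty set when an {@link IOException} occurs
     * @throws NullPointerException if the resource cannot be found
     */
    private Set<String> getBlockedClassesFromFile() {
        // try-with-resources closes the stream even when reading throws.
        try (InputStream resourceAsStream = ClassLoaderUtils.getResourceAsStream(BLOCKLIST_PROPERTIES_FILE, getClass())) {
            // A missing resource previously surfaced as a message-less NullPointerException from the
            // reader constructor; keep the exception type but say which file is missing.
            Objects.requireNonNull(resourceAsStream, "Blocklist resource '" + BLOCKLIST_PROPERTIES_FILE + "' was not found on the classpath");
            return readBlockedClasses(resourceAsStream);
        } catch (IOException e) {
            // NOTE(review): this path fails open. The caller still installs a filter, but with an
            // empty blocklist. Kept as-is because the message shows it is intentional.
            log.error("Could not load default properties from '{}'. Deserialization filtering is disabled. {}", BLOCKLIST_PROPERTIES_FILE, e);
            return Collections.emptySet();
        }
    }

    /**
     * Parses blocklist entries, one per line, skipping blank lines and {@code #} comments.
     *
     * <p>Read errors surface as {@link java.io.UncheckedIOException} from
     * {@link BufferedReader#lines()}, so the caller's {@link IOException} handler does not see them.
     *
     * @param inputStream open stream positioned at the start of the blocklist; not closed here
     * @return the trimmed, non-comment entries
     */
    private Set<String> readBlockedClasses(InputStream inputStream) {
        // Decode explicitly so parsing does not depend on the platform default charset.
        BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream, StandardCharsets.UTF_8));
        return reader.lines()
                .filter(StringUtils::isNotBlank)
                // Trim so stray whitespace cannot turn an entry into a name that presumably never
                // matches, and so an indented "#" line is treated as a comment.
                .map(String::trim)
                .filter(entry -> !entry.startsWith("#"))
                .collect(Collectors.toSet());
    }

    /**
     * Returns the class of the currently installed serial filter, or {@code null} if none is set.
     */
    private Class<?> getCurrentSerialFilterClass() {
        ObjectInputFilter serialFilter = ObjectInputFilter.Config.getSerialFilter();
        return serialFilter == null ? null : serialFilter.getClass();
    }
}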
