package org.springframework.security.jackson2;

import com.fasterxml.jackson.annotation.JacksonAnnotation;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.DatabindContext;
import com.fasterxml.jackson.databind.DeserializationConfig;
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.Module;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.cfg.MapperConfig;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.NamedType;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.TypeIdResolver;
import com.fasterxml.jackson.databind.jsontype.TypeResolverBuilder;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.core.log.LogMessage;
import org.springframework.util.ClassUtils;

/* loaded from: input_file:org/springframework/security/jackson2/SecurityJackson2Modules.class */
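/**
 * Discovers the Spring Security Jackson modules present on the classpath and installs an
 * allowlist-guarded default typing configuration on an {@link ObjectMapper}.
 *
 * <p>Security note: default typing lets the JSON input name the Java class to instantiate.
 * In this class the {@link PolymorphicTypeValidator} passed to Jackson accepts every subtype
 * of {@code Object}, so the only restriction on which classes may be named is the check in
 * {@link AllowlistTypeIdResolver#typeFromId(DatabindContext, String)}.
 */
public final class SecurityJackson2Modules {
    private static final Log logger = LogFactory.getLog(SecurityJackson2Modules.class);

    // Modules that are always attempted; each is skipped if it cannot be loaded.
    private static final List<String> securityJackson2ModuleClasses = Arrays.asList("org.springframework.security.jackson2.CoreJackson2Module", "org.springframework.security.cas.jackson2.CasJackson2Module", "org.springframework.security.web.jackson2.WebJackson2Module", "org.springframework.security.web.server.jackson2.WebServerJackson2Module");
    private static final String webServletJackson2ModuleClass = "org.springframework.security.web.jackson2.WebServletJackson2Module";
    private static final String oauth2ClientJackson2ModuleClass = "org.springframework.security.oauth2.client.jackson2.OAuth2ClientJackson2Module";
    private static final String javaTimeJackson2ModuleClass = "com.fasterxml.jackson.datatype.jsr310.JavaTimeModule";
    private static final String ldapJackson2ModuleClass = "org.springframework.security.ldap.jackson2.LdapJackson2Module";
    private static final String saml2Jackson2ModuleClass = "org.springframework.security.saml2.jackson2.Saml2Jackson2Module";

    // Classpath presence flags, computed once in the static initializer at the end of the class.
    private static final boolean webServletPresent;
    private static final boolean oauth2ClientPresent;
    private static final boolean javaTimeJacksonPresent;
    private static final boolean ldapJacksonPresent;
    private static final boolean saml2JacksonPresent;

    /**
     * {@link TypeIdResolver} decorator that delegates everything except
     * {@link #typeFromId(DatabindContext, String)}, where the resolved class must pass an
     * allowlist, mix-in or Jackson-annotation check before it is returned.
     */
    static class AllowlistTypeIdResolver implements TypeIdResolver {
        // Exact class names that a type id in the input may resolve to without further checks.
        // Every entry widens what incoming JSON can instantiate, so additions deserve review.
        private static final Set<String> ALLOWLIST_CLASS_NAMES = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
                "java.util.ArrayList",
                "java.util.Collections$EmptyList",
                "java.util.Collections$EmptyMap",
                "java.util.Collections$UnmodifiableRandomAccessList",
                "java.util.Collections$SingletonList",
                "java.util.Date",
                "java.time.Instant",
                "java.net.URL",
                "java.util.TreeMap",
                "java.util.HashMap",
                "java.util.LinkedHashMap",
                "org.springframework.security.core.context.SecurityContextImpl",
                "java.util.Arrays$ArrayList")));

        private final TypeIdResolver delegate;

        AllowlistTypeIdResolver(TypeIdResolver typeIdResolver) {
            this.delegate = typeIdResolver;
        }

        @Override
        public void init(JavaType javaType) {
            this.delegate.init(javaType);
        }

        @Override
        public String idFromValue(Object obj) {
            return this.delegate.idFromValue(obj);
        }

        @Override
        public String idFromValueAndType(Object obj, Class<?> cls) {
            return this.delegate.idFromValueAndType(obj, cls);
        }

        @Override
        public String idFromBaseType() {
            return this.delegate.idFromBaseType();
        }

        /**
         * Resolves a type id through the delegate and returns the result only if the class is
         * trusted.
         *
         * <p>A class is accepted when its name is in the allowlist, when the mapper
         * configuration has a mix-in registered for it, or when a {@link JacksonAnnotation}
         * is found on it. The last two rules mean that any class on the classpath that
         * carries Jackson annotations, or for which the application registers a mix-in, is
         * treated as safe to instantiate from input.
         *
         * @param databindContext context supplying the mapper configuration
         * @param str the type id read from the input
         * @return the type resolved by the delegate
         * @throws IOException if the delegate fails to resolve the id
         * @throws IllegalArgumentException if the resolved class passes none of the checks
         */
        @Override
        public JavaType typeFromId(DatabindContext databindContext, String str) throws IOException {
            // getConfig() is declared to return MapperConfig<?>; mix-in lookup is available on
            // that type, so no downcast to DeserializationConfig is needed.
            MapperConfig<?> config = databindContext.getConfig();
            // NOTE(review): the delegate resolves the id to a Class before the allowlist is
            // consulted; whether that resolution can initialize the class depends on the
            // Jackson version in use - confirm.
            JavaType typeFromId = this.delegate.typeFromId(databindContext, str);
            Class<?> rawClass = typeFromId.getRawClass();
            String name = rawClass.getName();
            if (isInAllowlist(name)) {
                return typeFromId;
            }
            if (config.findMixInClassFor(rawClass) != null) {
                return typeFromId;
            }
            if (AnnotationUtils.findAnnotation(rawClass, JacksonAnnotation.class) != null) {
                return typeFromId;
            }
            throw new IllegalArgumentException("The class with " + str + " and name of " + name + " is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details");
        }

        private boolean isInAllowlist(String className) {
            return ALLOWLIST_CLASS_NAMES.contains(className);
        }

        @Override
        public String getDescForKnownTypeIds() {
            return this.delegate.getDescForKnownTypeIds();
        }

        @Override
        public JsonTypeInfo.Id getMechanism() {
            return this.delegate.getMechanism();
        }
    }

    /**
     * Default type resolver builder that wraps every id resolver it creates in an
     * {@link AllowlistTypeIdResolver}.
     *
     * <p>Decompiler note: the access modifier of this class was widened from package-private.
     */
    public static class AllowlistTypeResolverBuilder extends ObjectMapper.DefaultTypeResolverBuilder {
        AllowlistTypeResolverBuilder(ObjectMapper.DefaultTyping defaultTyping) {
            // The validator admits every subtype of Object, i.e. it filters nothing; class
            // filtering is left entirely to AllowlistTypeIdResolver.typeFromId.
            super(defaultTyping, BasicPolymorphicTypeValidator.builder().allowIfSubType(Object.class).build());
        }

        @Override
        protected TypeIdResolver idResolver(MapperConfig<?> mapperConfig, JavaType javaType, PolymorphicTypeValidator polymorphicTypeValidator, Collection<NamedType> collection, boolean z, boolean z2) {
            TypeIdResolver resolver = super.idResolver(mapperConfig, javaType, polymorphicTypeValidator, collection, z, z2);
            return new AllowlistTypeIdResolver(resolver);
        }
    }

    private SecurityJackson2Modules() {
    }

    /**
     * Installs the allowlist-guarded default typing on the given mapper.
     *
     * <p>Does nothing when the mapper is {@code null} or already has a default typer, so an
     * existing (possibly unguarded) default typing configuration is left in place.
     *
     * @param objectMapper the mapper to configure, may be {@code null}
     */
    public static void enableDefaultTyping(ObjectMapper objectMapper) {
        if (objectMapper == null) {
            return;
        }
        boolean alreadyConfigured = objectMapper.getDeserializationConfig().getDefaultTyper((JavaType) null) != null;
        if (!alreadyConfigured) {
            objectMapper.setDefaultTyping(createAllowlistedDefaultTyping());
        }
    }

    /**
     * Loads the named module class and instantiates it through its no-argument constructor.
     *
     * @return the module instance, or {@code null} if loading or instantiation failed
     */
    private static Module loadAndGetInstance(String className, ClassLoader classLoader) {
        try {
            Class<?> moduleClass = ClassUtils.forName(className, classLoader);
            if (moduleClass == null) {
                return null;
            }
            logger.debug(LogMessage.format("Loaded module %s, now registering", className));
            return (Module) moduleClass.getConstructor().newInstance();
        } catch (Exception e) {
            // Best effort: a module that cannot be loaded is reported at debug level only
            // and is simply absent from the result.
            logger.debug(LogMessage.format("Cannot load module %s", className), e);
            return null;
        }
    }

    /**
     * Returns instances of the security Jackson modules that can be loaded.
     *
     * <p>The core modules are always attempted; the servlet, OAuth2 client, java.time, LDAP
     * and SAML2 modules are attempted only when their presence flag is set. Modules that
     * fail to load are skipped.
     *
     * @param classLoader the class loader used to load the module classes
     * @return a new mutable list of the modules that were loaded
     */
    public static List<Module> getModules(ClassLoader classLoader) {
        List<Module> modules = new ArrayList<>();
        for (String moduleClassName : securityJackson2ModuleClasses) {
            addToModulesList(classLoader, modules, moduleClassName);
        }
        if (webServletPresent) {
            addToModulesList(classLoader, modules, webServletJackson2ModuleClass);
        }
        if (oauth2ClientPresent) {
            addToModulesList(classLoader, modules, oauth2ClientJackson2ModuleClass);
        }
        if (javaTimeJacksonPresent) {
            addToModulesList(classLoader, modules, javaTimeJackson2ModuleClass);
        }
        if (ldapJacksonPresent) {
            addToModulesList(classLoader, modules, ldapJackson2ModuleClass);
        }
        if (saml2JacksonPresent) {
            addToModulesList(classLoader, modules, saml2Jackson2ModuleClass);
        }
        return modules;
    }

    /** Appends the named module to {@code modules} if it can be loaded. */
    private static void addToModulesList(ClassLoader classLoader, List<Module> modules, String className) {
        Module module = loadAndGetInstance(className, classLoader);
        if (module != null) {
            modules.add(module);
        }
    }

    /**
     * Builds the default typing configuration: non-final types, class name as the type id,
     * carried as a property, with id resolution wrapped by the allowlist resolver.
     */
    private static TypeResolverBuilder<? extends TypeResolverBuilder> createAllowlistedDefaultTyping() {
        return new AllowlistTypeResolverBuilder(ObjectMapper.DefaultTyping.NON_FINAL).init(JsonTypeInfo.Id.CLASS, (TypeIdResolver) null).inclusion(JsonTypeInfo.As.PROPERTY);
    }

    static {
        ClassLoader classLoader = SecurityJackson2Modules.class.getClassLoader();
        webServletPresent = ClassUtils.isPresent("jakarta.servlet.http.Cookie", classLoader);
        oauth2ClientPresent = ClassUtils.isPresent("org.springframework.security.oauth2.client.OAuth2AuthorizedClient", classLoader);
        javaTimeJacksonPresent = ClassUtils.isPresent(javaTimeJackson2ModuleClass, classLoader);
        ldapJacksonPresent = ClassUtils.isPresent(ldapJackson2ModuleClass, classLoader);
        saml2JacksonPresent = ClassUtils.isPresent(saml2Jackson2ModuleClass, classLoader);
    }
}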
