package org.springframework.integration.support.converter;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.ObjectStreamClass;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.Set;
import org.springframework.beans.DirectFieldAccessor;
import org.springframework.core.ConfigurableObjectInputStream;
import org.springframework.core.convert.converter.Converter;
import org.springframework.core.serializer.DefaultDeserializer;
import org.springframework.core.serializer.Deserializer;
import org.springframework.core.serializer.support.SerializationFailedException;
import org.springframework.lang.Nullable;
import org.springframework.util.Assert;
import org.springframework.util.PatternMatchUtils;

/* loaded from: input_file:WEB-INF/lib/spring-integration-core-6.4.2.jar:org/springframework/integration/support/converter/AllowListDeserializingConverter.class */
/**
 * A {@link Converter} that turns a serialized {@code byte[]} back into an object and
 * restricts which classes may be produced by matching class names against a set of
 * allowed patterns.
 *
 * <p>Security-relevant behaviour, as implemented below:
 * <ul>
 * <li><b>An empty pattern set disables the check.</b> {@link #checkAllowList(Class)} returns
 * immediately while no pattern is configured, so a converter created with one of the
 * constructors and never given patterns accepts every class. Configure explicit, narrow
 * patterns before the converter sees data from outside the trust boundary.</li>
 * <li>Arrays, primitives, {@link String} and every subtype of {@link Number} are accepted
 * without consulting the patterns.</li>
 * <li>With a {@link DefaultDeserializer}, each class resolved by the object stream is checked
 * while the stream is being read. With any other {@link Deserializer}, only the class of the
 * object it returns is checked, and only after deserialization has already completed.</li>
 * <li>A {@link SecurityException} raised by the check inside {@link #convert(byte[])} reaches
 * the caller as the cause of a {@link SerializationFailedException}.</li>
 * </ul>
 *
 * <p>The pattern set is a plain {@link LinkedHashSet} with no synchronization in this class.
 */
public class AllowListDeserializingConverter implements Converter<byte[], Object> {

    /** Delegate that performs the actual deserialization on the non-default path. */
    private final Deserializer<Object> deserializer;

    /** Class loader read from the {@link DefaultDeserializer}, or {@code null} when unavailable. */
    @Nullable
    private final ClassLoader defaultDeserializerClassLoader;

    /** {@code true} when the delegate is a {@link DefaultDeserializer}; selects the stream-level check. */
    private final boolean usingDefaultDeserializer;

    /** Class-name patterns; while empty, no class is rejected. */
    private final Set<String> allowedPatterns = new LinkedHashSet<>();

    /**
     * Creates a converter backed by a {@link DefaultDeserializer} built with its no-arg constructor.
     */
    public AllowListDeserializingConverter() {
        this(new DefaultDeserializer());
    }

    /**
     * Creates a converter backed by a {@link DefaultDeserializer} that uses the given class loader.
     *
     * @param classLoader the class loader handed to the {@link DefaultDeserializer}
     */
    public AllowListDeserializingConverter(ClassLoader classLoader) {
        this(new DefaultDeserializer(classLoader));
    }

    /**
     * Creates a converter that delegates to the given deserializer.
     *
     * <p>When the delegate is a {@link DefaultDeserializer}, its {@code classLoader} field is
     * read reflectively so that {@link #deserialize(ByteArrayInputStream)} can open its own
     * checking stream with the same loader.
     *
     * @param deserializer the delegate; must not be {@code null}
     */
    public AllowListDeserializingConverter(Deserializer<Object> deserializer) {
        Assert.notNull(deserializer, "Deserializer must not be null");
        this.deserializer = deserializer;
        this.usingDefaultDeserializer = deserializer instanceof DefaultDeserializer;

        ClassLoader resolvedLoader = null;
        if (this.usingDefaultDeserializer) {
            try {
                resolvedLoader = (ClassLoader) new DirectFieldAccessor(deserializer).getPropertyValue("classLoader");
            } catch (Exception ignored) {
                // Best effort: if the field cannot be read, the stream is opened with a null class loader.
            }
        }
        this.defaultDeserializerClassLoader = resolvedLoader;
    }

    /**
     * Replaces the configured patterns with the given ones.
     *
     * <p>Patterns are matched against the fully qualified class name with
     * {@link PatternMatchUtils#simpleMatch(String, String)}, so {@code *} acts as a wildcard;
     * a broad pattern admits every class it matches. Calling this with no arguments empties
     * the set, which turns the check off again.
     *
     * @param strArr the class-name patterns to allow
     */
    public void setAllowedPatterns(String... strArr) {
        this.allowedPatterns.clear();
        Collections.addAll(this.allowedPatterns, strArr);
    }

    /**
     * Adds the given patterns to those already configured.
     *
     * @param strArr additional class-name patterns to allow
     */
    public void addAllowedPatterns(String... strArr) {
        Collections.addAll(this.allowedPatterns, strArr);
    }

    /**
     * Deserializes the given bytes and applies the allow-list check.
     *
     * @param bArr the serialized payload
     * @return the deserialized object
     * @throws SerializationFailedException if deserialization fails or the allow-list check
     *     rejects a class; the original exception is kept as the cause
     */
    @Override
    public Object convert(byte[] bArr) {
        ByteArrayInputStream payload = new ByteArrayInputStream(bArr);
        try {
            if (!this.usingDefaultDeserializer) {
                // Custom delegate: the object graph is fully built before the check runs, and
                // only the top-level class is inspected. Classes nested in the graph are not
                // checked here, and any deserialization side effects have already occurred.
                Object result = this.deserializer.deserialize(payload);
                checkAllowList(result.getClass());
                return result;
            }
            return deserialize(payload);
        } catch (Exception e) {
            // Also catches the SecurityException from checkAllowList; it survives as the cause.
            throw new SerializationFailedException(
                    "Failed to deserialize payload. Is the byte array a result of corresponding serialization for "
                            + this.deserializer.getClass().getSimpleName() + "?", e);
        }
    }

    /**
     * Reads one object from the stream, passing every class the stream resolves through
     * {@link #checkAllowList(Class)}.
     *
     * @param byteArrayInputStream the serialized payload
     * @return the object read from the stream
     * @throws IOException if reading fails or a class named in the stream cannot be found
     */
    protected Object deserialize(ByteArrayInputStream byteArrayInputStream) throws IOException {
        try {
            ConfigurableObjectInputStream checkingStream =
                    new ConfigurableObjectInputStream(byteArrayInputStream, this.defaultDeserializerClassLoader) {

                        // NOTE(review): only resolveClass is overridden; descriptors that the stream
                        // resolves through resolveProxyClass do not pass through checkAllowList here.
                        @Override
                        public Class<?> resolveClass(ObjectStreamClass objectStreamClass)
                                throws IOException, ClassNotFoundException {
                            Class<?> resolved = super.resolveClass(objectStreamClass);
                            AllowListDeserializingConverter.this.checkAllowList(resolved);
                            return resolved;
                        }
                    };
            return checkingStream.readObject();
        } catch (ClassNotFoundException e) {
            throw new IOException("Failed to deserialize object type", e);
        }
    }

    /**
     * Verifies that the given class may be deserialized.
     *
     * <p>The class is accepted without a pattern lookup when no patterns are configured, or
     * when it is an array, a primitive, {@link String}, or assignable to {@link Number}.
     * Otherwise its name must match at least one configured pattern.
     *
     * @param cls the class to check
     * @throws SecurityException if patterns are configured and none matches the class name
     */
    protected void checkAllowList(Class<?> cls) {
        // Fail-open: with no patterns configured nothing is rejected.
        boolean exempt = this.allowedPatterns.isEmpty()
                || cls.isArray()
                || cls.isPrimitive()
                || cls.equals(String.class)
                || Number.class.isAssignableFrom(cls);
        if (exempt) {
            return;
        }

        String className = cls.getName();
        for (String pattern : this.allowedPatterns) {
            if (PatternMatchUtils.simpleMatch(pattern, className)) {
                return;
            }
        }
        throw new SecurityException("Attempt to deserialize unauthorized " + cls);
    }
}
