package weblogic.ejb20.internal;

import java.security.AccessController;
import java.security.Principal;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.security.auth.login.LoginException;
import weblogic.ejb20.EJBLogger;
import weblogic.ejb20.dd.DDConstants;
import weblogic.ejb20.interfaces.MethodInfo;
import weblogic.ejb20.interfaces.NoSuchRoleException;
import weblogic.ejb20.interfaces.PrincipalNotFoundException;
import weblogic.ejb20.interfaces.SecurityRoleMapping;
import weblogic.security.SubjectUtils;
import weblogic.security.WLSPrincipals;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.service.AuthorizationManager;
import weblogic.security.service.ContextHandler;
import weblogic.security.service.EJBResource;
import weblogic.security.service.PrincipalAuthenticator;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.service.ResourceCreationException;
import weblogic.security.service.ResourceRemovalException;
import weblogic.security.service.RoleCreationException;
import weblogic.security.service.RoleManager;
import weblogic.security.service.RoleRemovalException;
import weblogic.security.service.SecurityService;
import weblogic.security.service.SecurityServiceManager;
import weblogic.security.service.SupplementalPolicyObject;
import weblogic.utils.AssertionError;
import weblogic.utils.Debug;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:weblogic.jar:weblogic/ejb20/internal/SecurityHelper.class */
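/**
 * Bridges the EJB container's security operations — role and policy
 * deployment, method-permission checks, run-as and caller identity
 * bookkeeping — to the WebLogic security service
 * ({@link SecurityServiceManager} and the realm services it hands out).
 *
 * <p>Every call into the security service is made with the kernel identity
 * cached in {@link #subject}. The helper makes no authorization decisions of
 * its own; it delegates to the realm's {@link AuthorizationManager} and
 * {@link RoleManager}. Two realms are addressed through the {@code int}
 * selectors {@link #SYSTEM_REALM} and {@link #APP_REALM}; every overload that
 * lacks a realm argument defaults to the application realm.
 *
 * <p>Service handles are resolved lazily and cached per instance (see
 * {@link #obtainPA}, {@link #obtainRM}, {@link #obtainAM}). Nothing here is
 * synchronized, so concurrent first use may resolve a service more than once;
 * that is harmless only if the lookup is idempotent, which cannot be verified
 * from this file.
 *
 * <p>Decompiled source. Behaviour is kept as found, except: the misattributed
 * "registerEjbRolesAndUsers" label in the undeploy diagnostics was corrected,
 * exceptions re-thrown as {@link PrincipalNotFoundException} /
 * {@link NoSuchRoleException} now carry the original cause, and two verbose
 * traces no longer dereference a possibly-null subject.
 */
public final class SecurityHelper {
    /** System property; when set (any value) the verbose trace output below is enabled. */
    static final String SECURITY_VERBOSE_PROP = "weblogic.ejb20.security.verbose";
    /** System property; when set (any value) {@link #debug} is true. Not consulted by this class. */
    static final String SECURITY_DEBUG_PROP = "weblogic.ejb20.security.debug";
    private static final boolean debug;
    private static final boolean verbose;
    /** Realm selector: the server's default (system) realm, see {@link #getSysRealmName()}. */
    static final int SYSTEM_REALM = 0;
    /** Realm selector: the realm named in the constructor. */
    static final int APP_REALM = 1;
    // JMS direction constants; defined here but not used by this class.
    static final int JMS_SEND = 0;
    static final int JMS_RECV = 1;
    /** Kernel identity used to authorize every security-service call made by this class. */
    private static final AuthenticatedSubject subject;
    // Lazily resolved, per-realm service handles (see obtainPA/obtainRM/obtainAM).
    private PrincipalAuthenticator appPrincipalAuth;
    private RoleManager appRoleManager;
    private AuthorizationManager appAuthManager;
    private PrincipalAuthenticator sysPrincipalAuth;
    private RoleManager sysRoleManager;
    private AuthorizationManager sysAuthManager;
    // Instance initializer: runs before the constructor body and throws
    // RuntimeException if no default realm name is available.
    private String sysRealmName = getSysRealmName();
    private String appRealmName;
    /** Resource the roles were last deployed against by {@link #registerEjbRolesAndUsers}. */
    private EJBResource ejbRoleResource;

    /**
     * Creates a helper bound to one application realm.
     *
     * @param str name of the application realm used for {@link #APP_REALM} operations
     * @throws RuntimeException if the system realm name cannot be determined
     */
    public SecurityHelper(String str) {
        this.appRealmName = str;
    }

    /** @return the kernel identity this helper uses for security-service calls */
    protected AuthenticatedSubject getSubject() {
        return subject;
    }

    /** Application-realm overload of {@link #getSubjectForPrincipal(String, int)}. */
    public AuthenticatedSubject getSubjectForPrincipal(String str) throws PrincipalNotFoundException {
        return getSubjectForPrincipal(str, 1);
    }

    /**
     * Impersonates a principal through the realm's authenticator and returns
     * the resulting subject (used for run-as identities).
     *
     * @param str principal name to impersonate
     * @param i realm selector ({@link #SYSTEM_REALM} or {@link #APP_REALM})
     * @return the authenticated subject for {@code str}
     * @throws PrincipalNotFoundException if the authenticator rejects the name;
     *         the {@link LoginException} is attached as the cause
     */
    AuthenticatedSubject getSubjectForPrincipal(String str, int i) throws PrincipalNotFoundException {
        try {
            AuthenticatedSubject impersonateIdentity = obtainPA(i).impersonateIdentity(str);
            if (verbose) {
                // append(Object) prints "null" instead of throwing if the authenticator returned null
                Debug.say(new StringBuffer().append(" getSubjectForPrincipal: for Principal: '").append(str).append("', Subject is: '").append(impersonateIdentity).append("'").toString());
            }
            return impersonateIdentity;
        } catch (LoginException e) {
            throw withCause(new PrincipalNotFoundException(e.getMessage()), e);
        }
    }

    /** Application-realm overload of {@link #registerEjbRolesAndUsers(String, String, SecurityRoleMapping, int)}. */
    public void registerEjbRolesAndUsers(String str, String str2, SecurityRoleMapping securityRoleMapping) throws NoSuchRoleException {
        registerEjbRolesAndUsers(str, str2, securityRoleMapping, 1);
    }

    /**
     * Deploys every deployment-descriptor role of an EJB module, together with
     * its principal mapping, to the realm's {@link RoleManager}.
     *
     * <p>Roles flagged as externally defined and the
     * {@link DDConstants#SECURITY_METHOD_PERMISSION_NOT_SPECIFIED_FOR_ANY_ROLE}
     * marker are skipped. Also records the module-level {@link EJBResource}
     * in {@link #ejbRoleResource}.
     *
     * @param str application name
     * @param str2 EJB component (module) name
     * @param securityRoleMapping role-to-principal mapping from the descriptors
     * @param i realm selector
     * @throws NoSuchRoleException if the role manager fails to deploy a role;
     *         the {@link RoleCreationException} is attached as the cause
     */
    void registerEjbRolesAndUsers(String str, String str2, SecurityRoleMapping securityRoleMapping, int i) throws NoSuchRoleException {
        Collection<String> securityRoleNames = securityRoleMapping.getSecurityRoleNames();
        if (verbose) {
            Debug.say(new StringBuffer().append("  check for registerEjbRolesAndUsers, appName: '").append(str).append("', ejbComponentName: '").append(str2).append("'  there are: '").append(securityRoleNames.size()).append("' roles in this jar.").toString());
        }
        if (securityRoleNames.size() <= 0) {
            return;
        }
        // Return value unused: the call's only effect is to resolve and cache
        // the authorization manager for this realm (kept as found).
        obtainAM(i);
        RoleManager obtainRM = obtainRM(i);
        this.ejbRoleResource = createEJBResource(str, str2);
        if (verbose) {
            Debug.say(new StringBuffer().append(" registerEjbRolesAndUsers: created EJBResource for appName: '").append(str).append("', ejbComponentName: '").append(str2).append("':  '").append(this.ejbRoleResource).append("'").toString());
        }
        for (String str3 : securityRoleNames) {
            if (securityRoleMapping.isExternallyDefinedRole(str3)) {
                if (verbose) {
                    Debug.say(new StringBuffer().append(" registerEjbRolesAndUsers, role, '").append(str3).append("' is an Externally Defined Role, skipping Role Deployment.").toString());
                }
            } else if (!str3.equalsIgnoreCase(DDConstants.SECURITY_METHOD_PERMISSION_NOT_SPECIFIED_FOR_ANY_ROLE)) {
                if (verbose) {
                    Debug.say(new StringBuffer().append(" registerEjbRolesAndUsers: roleManager.deployRole: register the Users with role '").append(str3).append("', (is not an externally defined role) ").toString());
                }
                String[] strArr = (String[]) securityRoleMapping.getSecurityRolePrincipalNames(str3).toArray(new String[0]);
                if (verbose) {
                    StringBuffer stringBuffer = new StringBuffer();
                    if (strArr.length > 0) {
                        for (String str4 : strArr) {
                            stringBuffer.append(str4).append(", ");
                        }
                    } else {
                        stringBuffer.append("there are no principals");
                    }
                    Debug.say(new StringBuffer().append(" registerEjbRolesAndUsers: roleManager.deployRole: register the Users with role '").append(str3).append("'.  Principals: '").append(stringBuffer.toString()).append("'").toString());
                }
                try {
                    obtainRM.deployRole(this.ejbRoleResource, str3, strArr);
                    if (verbose) {
                        Debug.say(new StringBuffer().append(" roleManager.deployRole: register the Users with role '").append(str3).append("'  DONE.").toString());
                    }
                } catch (RoleCreationException e) {
                    throw withCause(new NoSuchRoleException(new StringBuffer().append("registerEjbRolesAndUsers: Exception while attempting to deploy Security Role: ").append(e.toString()).toString()), e);
                }
            } else if (verbose) {
                Debug.say(" skipping role deployment for role 'METHOD_PERM_NOT_SPECIFIED'");
            }
        }
        if (verbose) {
            Debug.say(" registerEjbRolesAndUsers: authManager.deployPolicy:  register the roles with authManager, DONE");
        }
    }

    /** Application-realm overload of {@link #unRegisterEjbRolesAndUsers(String, String, SecurityRoleMapping, int)}. */
    public void unRegisterEjbRolesAndUsers(String str, String str2, SecurityRoleMapping securityRoleMapping) {
        unRegisterEjbRolesAndUsers(str, str2, securityRoleMapping, 1);
    }

    /**
     * Undeploys the roles previously deployed by {@link #registerEjbRolesAndUsers},
     * applying the same skip rules. A failed undeploy is logged and the loop
     * continues, so one bad role does not block cleanup of the others.
     *
     * @param str application name
     * @param str2 EJB component (module) name
     * @param securityRoleMapping role mapping from the descriptors
     * @param i realm selector
     */
    void unRegisterEjbRolesAndUsers(String str, String str2, SecurityRoleMapping securityRoleMapping, int i) {
        EJBResource createEJBResource = createEJBResource(str, str2);
        Collection<String> securityRoleNames = securityRoleMapping.getSecurityRoleNames();
        if (securityRoleNames.size() <= 0) {
            return;
        }
        // Return value unused: resolves/caches the authorization manager (kept as found).
        obtainAM(i);
        RoleManager obtainRM = obtainRM(i);
        for (String str3 : securityRoleNames) {
            if (securityRoleMapping.isExternallyDefinedRole(str3)) {
                if (verbose) {
                    // Trace previously claimed to come from registerEjbRolesAndUsers.
                    Debug.say(new StringBuffer().append(" unRegisterEjbRolesAndUsers, role, '").append(str3).append("' is an Externally Defined Role, skipping Role UnDeployment.").toString());
                }
            } else if (!str3.equalsIgnoreCase(DDConstants.SECURITY_METHOD_PERMISSION_NOT_SPECIFIED_FOR_ANY_ROLE)) {
                try {
                    obtainRM.undeployRole(createEJBResource, str3);
                } catch (RoleRemovalException e) {
                    EJBLogger.logFailedToUndeploySecurityRole(createEJBResource.toString(), e);
                }
            } else if (verbose) {
                Debug.say(" skipping role undeployment for role 'METHOD_PERM_NOT_SPECIFIED'");
            }
        }
    }

    /** Application-realm overload of {@link #registerRolesWithMethod(String, String, String, MethodInfo, MethodDescriptor, int)}. */
    public boolean registerRolesWithMethod(String str, String str2, String str3, MethodInfo methodInfo, MethodDescriptor methodDescriptor) throws PrincipalNotFoundException {
        return registerRolesWithMethod(str, str2, str3, methodInfo, methodDescriptor, 1);
    }

    /**
     * Deploys the method-permission policy for one EJB method and wires this
     * helper and the method's {@link EJBResource} into its descriptor.
     *
     * <p>The descriptor is always updated. The policy is deployed only when the
     * method needs a security check and its ACL names at least one role other
     * than the METHOD_PERM_NOT_SPECIFIED marker. Note that when deployed, the
     * full role list — marker included — is handed to
     * {@code deployPolicy}; only the count excludes it (kept as found,
     * presumably so the provider sees the marker).
     *
     * @param str application name
     * @param str2 EJB component (module) name
     * @param str3 EJB name
     * @param methodInfo method whose ACL is deployed
     * @param methodDescriptor descriptor to receive this helper and the resource
     * @param i realm selector
     * @return {@code false} if the method needs no security check, {@code true} otherwise
     *         (including when deployment was skipped because no restrictable role exists)
     * @throws PrincipalNotFoundException if the authorization manager rejects the
     *         policy; the {@link ResourceCreationException} is attached as the cause
     */
    boolean registerRolesWithMethod(String str, String str2, String str3, MethodInfo methodInfo, MethodDescriptor methodDescriptor, int i) throws PrincipalNotFoundException {
        Collection<String> securityRoleNames = methodInfo.getAccessControlList().getSecurityRoleNames();
        EJBResource createEJBResource = createEJBResource(str, str2, str3, methodInfo);
        methodDescriptor.setSecurityHelper(this);
        methodDescriptor.setEJBResource(createEJBResource);
        if (!methodInfo.needsSecurityCheck()) {
            return false;
        }
        AuthorizationManager obtainAM = obtainAM(i);
        if (verbose) {
            Debug.say(new StringBuffer().append(" do roleManager.deployRole:  register EJB Role restrictions for appName: '").append(str).append("', ejbComponentName: '").append(str2).append("', ejbName: '").append(str3).append("', methodName: '").append(methodInfo.getMethodName()).append("', methodInterface: '").append(methodInfo.getMethodInterfaceType()).toString());
        }
        // Count roles that can actually restrict access (marker excluded).
        int i2 = 0;
        for (String str4 : securityRoleNames) {
            if (verbose) {
                Debug.say(new StringBuffer().append("  next roleName is: '").append(str4).append("'").toString());
            }
            if (!str4.equalsIgnoreCase(DDConstants.SECURITY_METHOD_PERMISSION_NOT_SPECIFIED_FOR_ANY_ROLE)) {
                i2++;
            } else if (verbose) {
                Debug.say(" skipping count of roles in policy for role 'METHOD_PERM_NOT_SPECIFIED'");
            }
        }
        if (i2 <= 0) {
            if (!verbose) {
                return true;
            }
            Debug.say(new StringBuffer().append(" count of restrictable roles in policy = ").append(i2).append(", so skipping authManager.deployPolicy. ").toString());
            return true;
        }
        try {
            obtainAM.deployPolicy(createEJBResource, (String[]) securityRoleNames.toArray(new String[0]));
            if (!verbose) {
                return true;
            }
            Debug.say("authManager.deployPolicy: registered  EJB Role restrictions with Policy Manager");
            return true;
        } catch (ResourceCreationException e) {
            throw withCause(new PrincipalNotFoundException(new StringBuffer().append("Exception while attempting to deploy Security Policy:  ").append(e.toString()).toString()), e);
        }
    }

    /** Application-realm overload of {@link #unsetMethods(List, String, String, String, int)}. */
    public void unsetMethods(List list, String str, String str2, String str3) {
        unsetMethods(list, str, str2, str3, 1);
    }

    /**
     * Undeploys the method-permission policy of every method in {@code list}.
     * A failed undeploy is logged and the loop continues.
     *
     * @param list {@link MethodInfo} elements (raw-typed; each element is cast)
     * @param str application name
     * @param str2 EJB component (module) name
     * @param str3 EJB name
     * @param i realm selector
     */
    void unsetMethods(List list, String str, String str2, String str3, int i) {
        if (list.size() <= 0) {
            return;
        }
        // Result discarded in the original; kept as found because the
        // EJBResource constructor is project code whose side effects are unknown here.
        createEJBResource(str, str2);
        AuthorizationManager obtainAM = obtainAM(i);
        Iterator it = list.iterator();
        while (it.hasNext()) {
            EJBResource createEJBResource = createEJBResource(str, str2, str3, (MethodInfo) it.next());
            try {
                obtainAM.undeployPolicy(createEJBResource);
            } catch (ResourceRemovalException e) {
                EJBLogger.logFailedToUndeploySecurityPolicy(createEJBResource.toString(), e);
            }
        }
    }

    /** Application-realm overload of {@link #isAccessAllowed(EJBResource, ContextHandler, int)}. */
    public boolean isAccessAllowed(EJBResource eJBResource, ContextHandler contextHandler) {
        return isAccessAllowed(eJBResource, contextHandler, 1);
    }

    /**
     * Method-permission check: asks the realm's authorization manager whether
     * the <em>current</em> subject (the run-as / thread subject from
     * {@link #getCurrentSubject()}, not the caller subject) may access the resource.
     *
     * @param eJBResource resource describing the EJB method
     * @param contextHandler extra context passed through to the provider
     * @param i realm selector
     * @return the authorization manager's decision
     */
    boolean isAccessAllowed(EJBResource eJBResource, ContextHandler contextHandler, int i) {
        AuthorizationManager obtainAM = obtainAM(i);
        AuthenticatedSubject currentSubject = getCurrentSubject();
        if (verbose) {
            Debug.say(new StringBuffer().append(" isAccessAllowed:  checking Method Permission for ejb: '").append(eJBResource).append("' with Subject: ").append(currentSubject).toString());
        }
        return obtainAM.isAccessAllowed(currentSubject, eJBResource, contextHandler);
    }

    /** Application-realm overload of {@link #isCallerInRole(EJBResource, String, int)}. */
    public boolean isCallerInRole(EJBResource eJBResource, String str) {
        return isCallerInRole(eJBResource, str, 1);
    }

    /**
     * {@code EJBContext.isCallerInRole} support: resolves the roles the
     * <em>caller</em> subject (from {@link #getCallerSubject()}) holds on the
     * resource and tests {@code str} against them.
     *
     * @param eJBResource resource the roles are scoped to
     * @param str candidate role name
     * @param i realm selector
     * @return {@code false} if no roles are mapped, otherwise the result of
     *         {@link SecurityServiceManager#isUserInRole}
     */
    boolean isCallerInRole(EJBResource eJBResource, String str, int i) {
        AuthenticatedSubject callerSubject = getCallerSubject();
        Map roles = obtainRM(i).getRoles(callerSubject, eJBResource, null);
        if (roles == null || roles.size() < 1) {
            if (!verbose) {
                return false;
            }
            Debug.say(new StringBuffer().append(" isCallerInRole:  securityRoles for resource; '").append(eJBResource).append("',\n Caller subject: '").append(callerSubject).append(", role name '").append(str).append("' there are no roles mapped to this subject.").append("'  isCallerInRole returns false").toString());
            return false;
        }
        if (verbose) {
            StringBuffer stringBuffer = new StringBuffer();
            Iterator it = roles.keySet().iterator();
            while (it.hasNext()) {
                stringBuffer.append((String) it.next()).append(", ");
            }
            // In verbose mode isUserInRole is evaluated twice (here and below); kept as found.
            Debug.say(new StringBuffer().append(" isCallerInRole:  check securityRoles for resource; '").append(eJBResource).append("',\n subject: '").append(callerSubject).append(", candidate role name '").append(str).append("'roles mapped to this subject are: '").append(stringBuffer.toString()).append("'").append("'  isCallerInRole returns ").append(SecurityServiceManager.isUserInRole(callerSubject, str, roles)).toString());
        }
        return SecurityServiceManager.isUserInRole(callerSubject, str, roles);
    }

    /**
     * Returns the realm's authentication service, resolving and caching it on first use.
     *
     * @param i realm selector
     * @throws AssertionError for any value other than {@link #SYSTEM_REALM} / {@link #APP_REALM}
     */
    private PrincipalAuthenticator obtainPA(int i) {
        switch (i) {
            case 0:
                if (this.sysPrincipalAuth != null) {
                    return this.sysPrincipalAuth;
                }
                this.sysPrincipalAuth = (PrincipalAuthenticator) SecurityServiceManager.getSecurityService(subject, this.sysRealmName, SecurityService.ServiceType.AUTHENTICATION);
                return this.sysPrincipalAuth;
            case 1:
                if (this.appPrincipalAuth != null) {
                    return this.appPrincipalAuth;
                }
                this.appPrincipalAuth = (PrincipalAuthenticator) SecurityServiceManager.getSecurityService(subject, this.appRealmName, SecurityService.ServiceType.AUTHENTICATION);
                return this.appPrincipalAuth;
            default:
                throw new AssertionError(new StringBuffer().append("  weblogic.ejb.internal.SecurityHelper.obtainPA, unknown realm type: ").append(i).toString());
        }
    }

    /**
     * Returns the realm's role service, resolving and caching it on first use.
     *
     * @param i realm selector
     * @throws AssertionError for any value other than {@link #SYSTEM_REALM} / {@link #APP_REALM}
     */
    private RoleManager obtainRM(int i) {
        switch (i) {
            case 0:
                if (this.sysRoleManager != null) {
                    return this.sysRoleManager;
                }
                this.sysRoleManager = (RoleManager) SecurityServiceManager.getSecurityService(subject, this.sysRealmName, SecurityService.ServiceType.ROLE);
                return this.sysRoleManager;
            case 1:
                if (this.appRoleManager != null) {
                    return this.appRoleManager;
                }
                this.appRoleManager = (RoleManager) SecurityServiceManager.getSecurityService(subject, this.appRealmName, SecurityService.ServiceType.ROLE);
                return this.appRoleManager;
            default:
                throw new AssertionError(new StringBuffer().append("  weblogic.ejb.internal.SecurityHelper.obtainRM, unknown realm type: ").append(i).toString());
        }
    }

    /**
     * Returns the realm's authorization service, resolving and caching it on first use.
     *
     * @param i realm selector
     * @throws AssertionError for any value other than {@link #SYSTEM_REALM} / {@link #APP_REALM}
     */
    private AuthorizationManager obtainAM(int i) {
        switch (i) {
            case 0:
                if (this.sysAuthManager != null) {
                    return this.sysAuthManager;
                }
                this.sysAuthManager = (AuthorizationManager) SecurityServiceManager.getSecurityService(subject, this.sysRealmName, SecurityService.ServiceType.AUTHORIZE);
                return this.sysAuthManager;
            case 1:
                if (this.appAuthManager != null) {
                    return this.appAuthManager;
                }
                this.appAuthManager = (AuthorizationManager) SecurityServiceManager.getSecurityService(subject, this.appRealmName, SecurityService.ServiceType.AUTHORIZE);
                return this.appAuthManager;
            default:
                throw new AssertionError(new StringBuffer().append("  weblogic.ejb.internal.SecurityHelper.obtainAM, unknown realm type: ").append(i).toString());
        }
    }

    /**
     * Whether the named realm requires every authorization decision to be
     * delegated to the security framework (delegates to {@link SecurityServiceManager}).
     *
     * @param str realm name
     */
    public static boolean fullyDelegateSecurityCheck(String str) {
        return SecurityServiceManager.isFullAuthorizationDelegationRequired(str);
    }

    /** @return the anonymous subject as provided by {@link SubjectUtils} */
    public static AuthenticatedSubject getAnonymousUser() {
        return SubjectUtils.getAnonymousSubject();
    }

    /** @return the anonymous user principal as provided by {@link WLSPrincipals} */
    static Principal getAnonymousUserPrincipal() {
        return WLSPrincipals.getAnonymousUserPrincipal();
    }

    /**
     * Extracts the user principal from a subject, falling back to the anonymous
     * principal when the subject is {@code null} or carries no user principal.
     *
     * @param authenticatedSubject subject to inspect; may be {@code null}
     * @return the user principal, or the anonymous principal
     */
    public static Principal getPrincipalFromSubject(AuthenticatedSubject authenticatedSubject) {
        Principal userPrincipal;
        if (authenticatedSubject != null && (userPrincipal = SubjectUtils.getUserPrincipal(authenticatedSubject)) != null) {
            return userPrincipal;
        }
        return getAnonymousUserPrincipal();
    }

    /** @return the user principal of the current (thread) subject, see {@link #getCurrentSubject()} */
    public static Principal getCurrentPrincipal() {
        return getPrincipalFromSubject(getCurrentSubject());
    }

    /**
     * The subject currently in effect on this thread (the run-as subject if one
     * was pushed), as tracked by {@link SecurityServiceManager}.
     */
    public static AuthenticatedSubject getCurrentSubject() {
        return SecurityServiceManager.getCurrentSubject(subject);
    }

    /**
     * Makes {@code authenticatedSubject} the current subject for the thread
     * (run-as). Must be balanced by {@link #popRunAsSubject()}.
     *
     * @param authenticatedSubject subject to push; a {@code null} is passed through
     *        to the security service unchanged
     */
    public static void pushRunAsSubject(AuthenticatedSubject authenticatedSubject) {
        if (verbose) {
            // append(Object) avoids an NPE in the trace when the argument is null
            Debug.say(new StringBuffer().append("pushRunAsSubject to push: '").append(authenticatedSubject).append("' ").append("', ").append(" currentSubject is: '").append(getCurrentSubject()).append("' ").append("' ").toString());
        }
        SecurityServiceManager.pushSubject(subject, authenticatedSubject);
    }

    /** Reverts the most recent {@link #pushRunAsSubject}. */
    public static void popRunAsSubject() {
        if (verbose) {
            Debug.say(new StringBuffer().append("\n popRunAsSubject,  subject before pop is: '").append(getCurrentSubject()).append("'").toString());
        }
        SecurityServiceManager.popSubject(subject);
        if (verbose) {
            Debug.say(new StringBuffer().append("\n popRunAsSubject,  subject after  pop is: '").append(getCurrentSubject()).append("'").toString());
        }
    }

    /**
     * Pushes a run-as subject if one applies. Precedence: {@code authenticatedSubject},
     * then {@code authenticatedSubject2}; if neither is given and the current
     * subject is the kernel identity, the anonymous subject is pushed instead so
     * that the invocation does not proceed under kernel privileges.
     *
     * @param authenticatedSubject preferred run-as subject; may be {@code null}
     * @param authenticatedSubject2 fallback run-as subject; may be {@code null}
     * @return {@code true} if a subject was pushed and {@link #popRunAsSubject()}
     *         must later be called, {@code false} if nothing was pushed
     */
    public static boolean pushSpecificRunAsMaybe(AuthenticatedSubject authenticatedSubject, AuthenticatedSubject authenticatedSubject2) {
        if (authenticatedSubject != null) {
            pushRunAsSubject(authenticatedSubject);
            return true;
        }
        if (authenticatedSubject2 != null) {
            pushRunAsSubject(authenticatedSubject2);
            return true;
        }
        if (!SecurityServiceManager.isKernelIdentity(getCurrentSubject())) {
            return false;
        }
        pushRunAsSubject(getAnonymousUser());
        return true;
    }

    /**
     * {@code EJBContext.getCallerPrincipal} support.
     *
     * @return the caller subject's principal (anonymous if none)
     * @throws PrincipalNotFoundException only if even the anonymous principal is
     *         unavailable, since {@link #getPrincipalFromSubject} falls back to it
     */
    public static Principal getCallerPrincipal() throws PrincipalNotFoundException {
        Principal principalFromSubject = getPrincipalFromSubject(getCallerSubject());
        if (principalFromSubject == null) {
            throw new PrincipalNotFoundException(EJBLogger.logmissingCallerPrincipalLoggable("getCallerPrincipal").getMessage());
        }
        return principalFromSubject;
    }

    /** The caller subject recorded by {@link #pushCallerPrincipal()} for this thread. */
    static AuthenticatedSubject getCallerSubject() {
        return CallerSubjectStack.getCurrentSubject();
    }

    /**
     * Records the current subject as the caller for the duration of an EJB
     * invocation, so that a later run-as push does not change what
     * {@link #getCallerSubject()} reports. Balance with {@link #popCallerPrincipal()}.
     */
    public static void pushCallerPrincipal() {
        AuthenticatedSubject currentSubject = getCurrentSubject();
        if (verbose) {
            Debug.say(new StringBuffer().append("\n pushCallerPrincipal to push Subject: '").append(currentSubject).append("' ").append(" from which we get principal '").append(getPrincipalFromSubject(currentSubject)).append("'").toString());
        }
        CallerSubjectStack.pushSubject(currentSubject);
    }

    /**
     * Reverts {@link #pushCallerPrincipal()}.
     *
     * @throws PrincipalNotFoundException if the caller stack was empty (an unbalanced pop)
     */
    public static void popCallerPrincipal() throws PrincipalNotFoundException {
        if (verbose) {
            Debug.say(new StringBuffer().append("\n popCallerPrincipal,  CallerSubject before pop is: '").append(getCallerSubject()).append("'").toString());
        }
        if (CallerSubjectStack.popSubject() == null) {
            throw new PrincipalNotFoundException(EJBLogger.logmissingCallerPrincipalLoggable("popCallerPrincipal").getMessage());
        }
    }

    /**
     * Default realm name read directly from the {@link SecurityServiceManager}
     * field. Presumably the same value {@link #getSysRealmName()} obtains via
     * the accessor, but this overload performs no null check.
     */
    public static String getDefaultRealmName() {
        return SecurityServiceManager.defaultRealmName;
    }

    /**
     * Default realm name via {@link SecurityServiceManager#getDefaultRealmName()}.
     *
     * @throws RuntimeException if no default realm name is available
     */
    static String getSysRealmName() {
        String defaultRealmName = SecurityServiceManager.getDefaultRealmName();
        if (defaultRealmName == null) {
            throw new RuntimeException(" Could not get System Realm Name. ");
        }
        return defaultRealmName;
    }

    /**
     * Registers supplemental (grant-statement) policies for an EJB component.
     *
     * @param strArr grant statements
     * @param str identifier passed through to {@link SupplementalPolicyObject}
     */
    public static void registerSupplementalPolicyObject(String[] strArr, String str) {
        SupplementalPolicyObject.setPoliciesFromGrantStatement(subject, strArr, str, SupplementalPolicyObject.EJB_COMPONENT);
    }

    /** Removes supplemental policies previously registered for {@code strArr}. */
    public static void removeSupplementalPolicyObject(String[] strArr) {
        SupplementalPolicyObject.removePolicies(subject, strArr);
    }

    /**
     * Module-level resource: application and module only, no EJB or method.
     *
     * @param str application name
     * @param str2 EJB component (module) name
     */
    public static EJBResource createEJBResource(String str, String str2) {
        return new EJBResource(str, str2, null, null, null, null);
    }

    /**
     * EJB- or method-level resource. With a {@code null} {@code methodInfo} the
     * resource identifies the bean only; otherwise it carries method name,
     * interface type and parameter types as well.
     *
     * @param str application name
     * @param str2 EJB component (module) name
     * @param str3 EJB name
     * @param methodInfo method description, or {@code null} for a bean-level resource
     */
    public static EJBResource createEJBResource(String str, String str2, String str3, MethodInfo methodInfo) {
        if (methodInfo == null) {
            if (verbose) {
                Debug.say(new StringBuffer().append("\n\n ++++++++++  creating EJBResource: appName: '").append(str).append("'                       moduleName: '").append(str2).append("'                        ejbName: '").append(str3).append("'").toString());
            }
            return new EJBResource(str, str2, str3, null, null, null);
        }
        if (verbose) {
            StringBuffer stringBuffer = new StringBuffer();
            String[] methodParams = methodInfo.getMethodParams();
            if (methodParams.length > 0) {
                for (String str4 : methodParams) {
                    stringBuffer.append(str4).append(", ");
                }
            } else {
                stringBuffer.append(" NONE ");
            }
            Debug.say(new StringBuffer().append("\n\n ++++++++++  creating EJBResource: appName: '").append(str).append("'                       moduleName: '").append(str2).append("'                        ejbName: '").append(str3).append("'                     methodName: '").append(methodInfo.getMethodName()).append("'                  interfaceType: '").append(methodInfo.getMethodInterfaceType()).append("'               methodParams:     '").append(stringBuffer.toString()).append("'").toString());
        }
        return new EJBResource(str, str2, str3, methodInfo.getMethodName(), methodInfo.getMethodInterfaceType(), methodInfo.getMethodParams());
    }

    /**
     * Replaces every {@code '.'} with {@code '_'}; {@code null} is returned unchanged.
     *
     * @param str value to sanitize (e.g. a dotted name); may be {@code null}
     */
    static String legalSecurityParameter(String str) {
        return str == null ? str : str.replace('.', '_');
    }

    /**
     * Attaches {@code cause} to {@code t} and returns {@code t}. If the
     * exception's constructor already set a cause, {@code initCause} throws
     * {@link IllegalStateException}; that is ignored and the existing cause kept.
     */
    private static <T extends Throwable> T withCause(T t, Throwable cause) {
        try {
            t.initCause(cause);
        } catch (IllegalStateException ignored) {
            // cause already initialised by the exception's own constructor
        }
        return t;
    }

    /** Obtains the kernel identity via a privileged action. */
    private static AuthenticatedSubject obtainSubject() {
        return (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
    }

    static {
        // Presence of the property (any value) enables the flag.
        debug = System.getProperty(SECURITY_DEBUG_PROP) != null;
        verbose = System.getProperty(SECURITY_VERBOSE_PROP) != null;
        // Resolved last; every instance method relies on it being set.
        subject = obtainSubject();
    }
}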
