package weblogic.security.service;

import java.io.IOException;
import java.security.AccessController;
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.Vector;
import javafx.fxml.FXMLLoader;
import weblogic.cluster.ClusterService;
import weblogic.cluster.ClusterServices;
import weblogic.cluster.MulticastSession;
import weblogic.logging.LogOutputStream;
import weblogic.management.Admin;
import weblogic.management.configuration.ServerMBean;
import weblogic.management.security.RealmMBean;
import weblogic.management.security.authentication.UserLockoutManagerMBean;
import weblogic.security.SecurityLogger;
import weblogic.security.SubjectUtils;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.service.SecurityService;
import weblogic.security.spi.AuditAtnEvent;
import weblogic.security.spi.AuditSeverity;
import weblogic.utils.AssertionError;

/* loaded from: input_file:weblogic.jar:weblogic/security/service/UserLockoutManager.class */
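/**
 * Enforces the realm's user-lockout policy: records failed logins per user name, locks a
 * user once the number of recent failures reaches the configured threshold, lets the lock
 * expire after the configured duration, and exchanges failure/unlock records with other
 * cluster members over a multicast session.
 *
 * <p>This source is decompiler output (Java 1.4-era raw collections are kept on purpose).
 *
 * <p>NOTE(review): the failure table and the record cache are {@code static} and keyed by
 * user name only, while thresholds and statistics are per instance. If more than one
 * instance (realm) is active in a JVM they share lockout state - confirm that is intended.
 *
 * <p>NOTE(review): the statistic counters and sequence numbers are plain fields updated
 * without synchronization from whatever threads call in, so their values are approximate
 * under concurrent logins.
 *
 * <p>NOTE(review): user names are caller-supplied and are written verbatim into debug and
 * security log messages; the log sink should neutralise control characters.
 */
public class UserLockoutManager {
    // Statistics exposed through the getters at the bottom of the class.
    private long cum_user_lockout_count;
    private long cum_invalid_login_count;
    private long cum_locked_attempts_count;
    private long high_invalid_login_users;
    private long cum_user_unlock_count;
    private long current_lock_count;
    // User name -> InvalidLogin. Shared by every instance in the JVM.
    private static Hashtable master_invalid_login = new Hashtable();
    // Erased InvalidLogin objects kept for reuse, bounded by unused_cache_size.
    private static Vector unused_cache = new Vector();
    private long unused_cache_size;
    // Wall-clock time (ms) captured by the most recent lock check or local failure.
    private long timestamp_of_current_check;
    private long lockout_threshold;
    // Lock duration in milliseconds; lockout_duration_min holds the configured minutes.
    private long lockout_duration;
    private long lockout_duration_min;
    // Age in milliseconds after which a failure record no longer counts.
    private long lockout_reset_duration;
    // Table size at which garbage collection of idle records starts.
    private long lockout_gc_threshold;
    private static int sequence_number;
    private static int failure_sequence_number;
    private static int unlock_sequence_number;
    private static String this_server_name;
    private UserLockoutManagerMBean userLockoutManagerMBean;
    private RealmMBean realmMBean;
    private String realmName;
    private boolean lockout_enabled = false;
    private boolean debug = false;
    private LogOutputStream log = null;
    private ClusterServices clusterServices = null;
    private MulticastSession multicastSession = null;
    private Auditor auditor = null;

    /**
     * Loads the lockout policy from the MBean, resolves the realm's auditor and the local
     * server name, and tries to open the multicast session.
     *
     * @param userLockoutManagerMBean configuration source for this realm's lockout policy
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void init(UserLockoutManagerMBean userLockoutManagerMBean) {
        this.userLockoutManagerMBean = userLockoutManagerMBean;
        this.realmMBean = userLockoutManagerMBean.getRealm();
        this.realmName = this.realmMBean.wls_getMBeanTag("displayname");
        this.auditor = (Auditor) SecurityServiceManager.getSecurityServiceInternal(this.realmName, SecurityService.ServiceType.AUDIT);
        ServerMBean localServer = Admin.getInstance().getLocalServer();
        if (localServer != null) {
            this_server_name = localServer.getName();
        }
        this.lockout_enabled = userLockoutManagerMBean.isLockoutEnabled();
        this.lockout_threshold = userLockoutManagerMBean.getLockoutThreshold();
        this.lockout_duration_min = userLockoutManagerMBean.getLockoutDuration();
        // Durations are configured in minutes and compared against millisecond clocks.
        this.lockout_duration = this.lockout_duration_min * 60 * 1000;
        this.lockout_reset_duration = userLockoutManagerMBean.getLockoutResetDuration() * 60 * 1000;
        this.lockout_gc_threshold = userLockoutManagerMBean.getLockoutGCThreshold();
        this.unused_cache_size = userLockoutManagerMBean.getLockoutCacheSize();
        // The null check above shows the local server may be absent; reuse it instead of
        // dereferencing a second, unchecked lookup.
        this.debug = localServer != null && localServer.getServerDebug().getDebugSecurityUserLockout();
        if (this.debug) {
            this.log = SecurityServiceManager.getSecurityDebugLog();
            this.log.debug("UserLockout settings LockoutEnabled=" + this.lockout_enabled
                    + " LockoutThreshold=" + this.lockout_threshold
                    + " LockoutDuration=" + this.lockout_duration_min
                    + " LockoutResetDuration=" + ((this.lockout_reset_duration / 60) / 1000)
                    + " LockoutGCThreshold=" + this.lockout_gc_threshold
                    + " LockoutCacheSize=" + this.unused_cache_size
                    + " Debug=" + this.debug);
        }
        createMulticastSession();
    }

    /**
     * Reports whether the user is currently locked out, expiring the lock if its duration
     * has elapsed.
     *
     * @param str user name; {@code null} is reported as not locked because the table
     *            cannot hold a record for it
     * @return {@code true} while a lock is in force, {@code false} otherwise
     */
    public boolean isLocked(String str) {
        if (!this.lockout_enabled || str == null || master_invalid_login.size() == 0) {
            return false;
        }
        setTimestampOfCurrentCheck();
        // Single lookup: a containsKey()/get() pair can be split by a concurrent removal.
        InvalidLogin invalidLogin = (InvalidLogin) master_invalid_login.get(str);
        if (invalidLogin == null) {
            return false;
        }
        long lockedTimestamp = invalidLogin.getLockedTimestamp();
        if (lockedTimestamp == 0) {
            if (this.debug) {
                this.log.debug("UserLockout User " + str + " in realm " + this.realmName + " is not yet locked");
            }
            return false;
        }
        this.cum_locked_attempts_count++;
        this.cum_invalid_login_count++;
        if (getTimestampOfCurrentCheck() < lockedTimestamp + this.lockout_duration) {
            if (this.debug) {
                this.log.debug("UserLockout User " + str + " in realm " + this.realmName + " is still locked");
            }
            return true;
        }
        // Lock has expired. Only the caller that actually removes the record adjusts the
        // counters and reports the expiry, so concurrent checks do not double-count.
        if (clearInvalidLoginRecord(invalidLogin)) {
            this.cum_user_unlock_count++;
            this.current_lock_count--;
            SecurityLogger.logRealmLockoutExpiredInfo(str, this.realmName);
            if (this.auditor != null) {
                this.auditor.writeEvent(new AuditAtnEventImpl(AuditSeverity.SUCCESS, str, AuditAtnEvent.AtnEventType.USERLOCKOUTEXPIRED, null));
            }
        }
        return false;
    }

    /**
     * Records a login failure observed on this server and, if it was recorded, multicasts
     * it to the cluster.
     *
     * @param str user name of the failed login
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void logFailure(String str) {
        // Stamp the failure with the current time. The cached timestamp is not refreshed
        // by isLocked() while the table is empty, so reusing it could back-date the first
        // failure after an idle period and let it be discarded as stale.
        setTimestampOfCurrentCheck();
        failure_sequence_number++;
        LoginFailureRecord failureRecord = logFailure(this_server_name, failure_sequence_number, getTimestampOfCurrentCheck(), str);
        if (failureRecord == null) {
            return;
        }
        sequence_number++;
        SecurityMessage securityMessage = new SecurityMessage(this.realmName, sequence_number, failureRecord);
        if (this.debug) {
            this.log.debug("UserLockout About to multicast login failure for user " + str + " " + securityMessage.toString());
        }
        try {
            if (createMulticastSession()) {
                this.multicastSession.send(securityMessage);
                if (this.debug) {
                    this.log.debug("UserLockout Sent multicast for login failure");
                }
            }
        } catch (IOException e) {
            // The failure is already recorded locally; only cluster propagation failed.
            SecurityLogger.logRealmSendingLoginFailure(this.realmName, e.toString());
        }
    }

    /**
     * Records one login failure (local or received from another server), prunes stale
     * failures, and locks the user when the remaining count reaches the threshold.
     *
     * @param str  name of the server where the failure happened
     * @param i    sequence number of the failure on that server
     * @param j    time of the failure in milliseconds; also used as the lock timestamp,
     *             so for remote records the lock window follows the sender's clock
     * @param str2 user name
     * @return the stored record, or {@code null} when lockout is disabled or the user
     *         name is {@code null}
     */
    protected LoginFailureRecord logFailure(String str, int i, long j, String str2) {
        if (!this.lockout_enabled) {
            return null;
        }
        if (this.debug) {
            this.log.debug("UserLockout Login failure for user " + str2 + " in realm " + this.realmName);
        }
        if (str2 == null) {
            // Hashtable rejects null keys; there is nothing that could be locked.
            return null;
        }
        // Null-safe: the local server name stays null when init() found no local server.
        if (str == null ? this_server_name == null : str.equals(this_server_name)) {
            this.cum_invalid_login_count++;
        }
        InvalidLogin invalidLogin;
        boolean reusedFromCache = false;
        // Look up and create under the table's own monitor: the collections are static,
        // so locking on one instance would not serialise other instances, and the lookup
        // must not be separated from the insert.
        synchronized (master_invalid_login) {
            invalidLogin = (InvalidLogin) master_invalid_login.get(str2);
            if (invalidLogin == null) {
                if (unused_cache.size() > 0) {
                    invalidLogin = (InvalidLogin) unused_cache.elementAt(0);
                    unused_cache.removeElementAt(0);
                    invalidLogin.setName(str2);
                    reusedFromCache = true;
                } else {
                    invalidLogin = new InvalidLogin(str2);
                }
                master_invalid_login.put(invalidLogin.getName(), invalidLogin);
            }
        }
        if (reusedFromCache && this.debug) {
            this.log.debug("UserLockout Retrieving unused invalid login from the cache");
        }
        if (master_invalid_login.size() > getInvalidLoginUsersHighCount()) {
            this.high_invalid_login_users = master_invalid_login.size();
        }
        LoginFailureRecord loginFailureRecord = new LoginFailureRecord(str, this.realmName, i, j, str2);
        invalidLogin.addFailure(loginFailureRecord);
        cleanOutStaleFailureRecords(invalidLogin);
        if (this.debug) {
            this.log.debug("UserLockout User " + str2 + " has " + invalidLogin.getFailureCount() + " failures in realm " + this.realmName);
        }
        if (invalidLogin.getFailureCount() >= this.lockout_threshold) {
            if (runtimeIsLocked(str2)) {
                this.cum_locked_attempts_count++;
            } else {
                SecurityLogger.logRealmLockingUser(str2, this.realmName, invalidLogin.getFailureCount(), this.lockout_duration_min);
                this.cum_user_lockout_count++;
                this.current_lock_count++;
                invalidLogin.setLockedTimestamp(j);
                if (this.auditor != null) {
                    this.auditor.writeEvent(new AuditAtnEventImpl(AuditSeverity.WARNING, str2, AuditAtnEvent.AtnEventType.USERLOCKED, null));
                }
            }
        }
        garbageCollectInvalidLoginRecords();
        return loginFailureRecord;
    }

    /**
     * Clears the user's failure record and, if there was one, multicasts the unlock to the
     * cluster. Also used by {@link #runtimeClearLockout(String)} for explicit unlocks.
     *
     * @param str user name
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void logSuccess(String str) {
        if (!unlockLocal(str)) {
            return;
        }
        unlock_sequence_number++;
        UnlockUserRecord unlockUserRecord = new UnlockUserRecord(this_server_name, this.realmName, unlock_sequence_number, getTimestampOfCurrentCheck(), str);
        sequence_number++;
        SecurityMessage securityMessage = new SecurityMessage(this.realmName, sequence_number, unlockUserRecord);
        if (this.debug) {
            this.log.debug("UserLockout About to multicast unlock user: " + str + " " + securityMessage.toString());
        }
        try {
            if (createMulticastSession()) {
                this.multicastSession.send(securityMessage);
                if (this.debug) {
                    this.log.debug("UserLockout Sent multicast for unlock user in realm " + this.realmName);
                }
            }
        } catch (IOException e) {
            // The literal replaces a decompiler-resolved javafx.fxml.FXMLLoader.NULL_KEYWORD
            // (same value); a server-side security class should not reference JavaFX.
            String reportedName = (str == null) ? "null" : str;
            SecurityLogger.logRealmBroadcastUnlockUserFailure(reportedName, this.realmName, e.toString());
        }
    }

    /**
     * Removes the user's failure record from the local table, recycles it and audits the
     * unlock.
     *
     * @param str user name
     * @return {@code true} if a record existed and was removed by this call
     */
    private boolean unlockLocal(String str) {
        if (!this.lockout_enabled || master_invalid_login.size() == 0) {
            return false;
        }
        if (str == null) {
            throw new AssertionError(SecurityLogger.getReceivedANullUserName());
        }
        // remove() is a single atomic step; a separate containsKey()/get()/remove()
        // sequence can observe the record vanishing between calls and dereference null.
        InvalidLogin invalidLogin = (InvalidLogin) master_invalid_login.remove(str);
        if (invalidLogin == null) {
            return false;
        }
        // Read the lock state before erase() wipes the record.
        long lockedTimestamp = invalidLogin.getLockedTimestamp();
        if (this.debug) {
            this.log.debug("UserLockout Unlocked user or successful login " + str + " in realm " + this.realmName + " cleaning out old invalid login record");
        }
        recycleInvalidLogin(invalidLogin);
        if (lockedTimestamp != 0) {
            this.cum_user_unlock_count++;
            this.current_lock_count--;
        }
        if (this.auditor != null) {
            this.auditor.writeEvent(new AuditAtnEventImpl(AuditSeverity.SUCCESS, str, AuditAtnEvent.AtnEventType.USERUNLOCKED, null));
        }
        return true;
    }

    /**
     * Drops failure records older than the reset duration from the front of the user's
     * failure list, stopping at the first record that is still recent.
     *
     * @param invalidLogin the user's record; {@code null} is ignored
     */
    private void cleanOutStaleFailureRecords(InvalidLogin invalidLogin) {
        if (invalidLogin == null) {
            return;
        }
        Vector failures = invalidLogin.getFailures();
        if (failures == null) {
            throw new AssertionError(SecurityLogger.getInconsistentInvalidLoginRecord());
        }
        // Always inspect index 0: removing element i and then advancing i skipped every
        // second stale record, leaving expired failures counted towards the threshold.
        // Presumably the list is oldest-first (the loop stops at the first recent entry).
        while (failures.size() > 0) {
            LoginFailureRecord oldest = (LoginFailureRecord) failures.elementAt(0);
            if (getTimestampOfCurrentCheck() - oldest.timestamp <= this.lockout_reset_duration) {
                return;
            }
            if (this.debug) {
                this.log.debug("UserLockout Discarding stale login failure record");
            }
            failures.removeElementAt(0);
        }
    }

    /**
     * Once the table has reached the GC threshold, removes records of users who are not
     * locked and whose latest failure is older than the reset duration.
     */
    private void garbageCollectInvalidLoginRecords() {
        long currentTimeMillis = System.currentTimeMillis();
        int size = master_invalid_login.size();
        if (size == 0 || size < this.lockout_gc_threshold) {
            if (this.debug) {
                this.log.debug("UserLockout InvalidLogin Record GC not needed");
            }
            return;
        }
        // Walk a snapshot: removing entries while enumerating the live Hashtable can make
        // the enumeration miss records.
        Enumeration elements = new Vector(master_invalid_login.values()).elements();
        while (elements.hasMoreElements()) {
            InvalidLogin invalidLogin = (InvalidLogin) elements.nextElement();
            if (invalidLogin == null) {
                throw new AssertionError(SecurityLogger.getEnumeratorReturnedNullElement());
            }
            if (invalidLogin.getLockedTimestamp() != 0) {
                // Locked users are kept; their lock expires through isLocked().
                continue;
            }
            LoginFailureRecord latest = (LoginFailureRecord) invalidLogin.getLatestFailure();
            if (latest != null && latest.eventTime() < currentTimeMillis - this.lockout_reset_duration) {
                if (this.debug) {
                    this.log.debug("UserLockout Garbage collecting InvalidLogin record for user: " + invalidLogin.getName());
                }
                clearInvalidLoginRecord(invalidLogin);
            }
        }
        if (this.debug) {
            this.log.debug("UserLockout InvalidLogin Record GC done: " + (size - master_invalid_login.size()) + " records garbage collected");
        }
    }

    /**
     * Removes the record stored under the given record's name and recycles it.
     *
     * @param invalidLogin record whose name identifies the table entry to remove
     * @return {@code true} if this call removed an entry; {@code false} if the name was
     *         already gone (for example removed by a concurrent caller)
     */
    private boolean clearInvalidLoginRecord(InvalidLogin invalidLogin) {
        String name = invalidLogin.getName();
        if (name == null) {
            return false;
        }
        InvalidLogin removed = (InvalidLogin) master_invalid_login.remove(name);
        if (removed == null) {
            return false;
        }
        recycleInvalidLogin(removed);
        return true;
    }

    /** Erases a record that has left the table and keeps it for reuse if the cache has room. */
    private void recycleInvalidLogin(InvalidLogin removed) {
        removed.erase();
        if (unused_cache.size() < this.unused_cache_size) {
            if (this.debug) {
                this.log.debug("UserLockout Putting unused invalid login record in cache");
            }
            unused_cache.addElement(removed);
        }
    }

    /** Returns the cached check timestamp, initialising it to the current time if unset. */
    private long getTimestampOfCurrentCheck() {
        if (this.timestamp_of_current_check == 0) {
            setTimestampOfCurrentCheck();
        }
        return this.timestamp_of_current_check;
    }

    /** Refreshes the cached check timestamp from the system clock. */
    private void setTimestampOfCurrentCheck() {
        this.timestamp_of_current_check = System.currentTimeMillis();
    }

    /**
     * Applies a failure or unlock record received from another cluster member. Records of
     * other types and records that originate from this server are discarded.
     *
     * <p>NOTE(review): nothing in this class authenticates the sender of a record, and an
     * unlock record clears a lock without the authorization check that
     * {@link #runtimeClearLockout(String)} performs. Integrity of lockout state therefore
     * depends on the cluster messaging layer and network - confirm how that channel is
     * protected.
     *
     * @param i                       not used by this method
     * @param securityMulticastRecord the received record
     */
    public void processSecurityMessage(int i, SecurityMulticastRecord securityMulticastRecord) {
        boolean isFailure = securityMulticastRecord instanceof LoginFailureRecord;
        boolean isUnlock = securityMulticastRecord instanceof UnlockUserRecord;
        if (!isFailure && !isUnlock) {
            if (this.debug) {
                this.log.debug("User Lockout discarding unknown SecurityMulticaseRecord");
            }
            return;
        }
        // Received records are external input: drop malformed ones instead of letting a
        // null field raise from the message handler.
        if (securityMulticastRecord.eventOrigin() == null) {
            if (this.debug) {
                this.log.debug("User Lockout discarding SecurityMulticastRecord without an origin");
            }
            return;
        }
        if (securityMulticastRecord.eventOrigin().equals(this_server_name)) {
            if (this.debug) {
                this.log.debug("User Lockout discarding SecurityMulticaseRecord sent by this server");
            }
            return;
        }
        if (isFailure) {
            LoginFailureRecord loginFailureRecord = (LoginFailureRecord) securityMulticastRecord;
            if (this.debug) {
                this.log.debug("UserLockout Received a LoginFailureRecord: " + loginFailureRecord.toString());
            }
            if (loginFailureRecord.userName() == null) {
                return;
            }
            logFailure(loginFailureRecord.eventOrigin(), loginFailureRecord.eventSequenceNumber(), loginFailureRecord.eventTime(), loginFailureRecord.userName());
            return;
        }
        UnlockUserRecord unlockUserRecord = (UnlockUserRecord) securityMulticastRecord;
        if (this.debug) {
            this.log.debug("UserLockout Received an UnlockUserRecord: " + unlockUserRecord.toString());
        }
        if (unlockUserRecord.userName() == null) {
            return;
        }
        if (unlockLocal(unlockUserRecord.userName()) && this.debug) {
            this.log.debug("UserLockout Locked user has now been unlocked locally");
        }
    }

    /**
     * Explicitly unlocks a user on behalf of the current subject, after checking that the
     * subject is allowed the {@code unlockuser} action on the realm's
     * {@code UserLockout} admin resource.
     *
     * @param str user name; an empty name is ignored
     * @throws SecurityException if the current subject is not permitted to unlock users
     */
    public void runtimeClearLockout(String str) {
        if (str == null) {
            throw new AssertionError(SecurityLogger.getReceivedANullUserName());
        }
        if (str.equals("")) {
            if (this.debug) {
                this.log.debug("UserLockout clearLockout was passed an empty user name");
            }
            return;
        }
        if (!this.lockout_enabled) {
            return;
        }
        AuthenticatedSubject kernelIdentity = (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
        AuthorizationManager authorizationManager = SecurityServiceManager.getAuthorizationManager(kernelIdentity, this.realmName);
        if (authorizationManager == null) {
            // Without an authorization manager no decision can be made: nothing is
            // unlocked (fails closed), and the caller is not told.
            return;
        }
        AuthenticatedSubject currentSubject = SecurityServiceManager.getCurrentSubject(kernelIdentity);
        AdminResource adminResource = new AdminResource("UserLockout", this.realmName, "unlockuser");
        if (this.debug) {
            this.log.debug(" isAccessAllowed:  checking Permission for: '" + adminResource + "', currentSubject: '" + SubjectUtils.displaySubject(currentSubject) + "'");
        }
        if (!authorizationManager.isAccessAllowed(currentSubject, adminResource, null)) {
            if (this.debug) {
                this.log.debug(" isAccessAllowed:  currentSubject: " + currentSubject + " does not have permission to unlock user " + str + " in realm " + this.realmName);
            }
            throw new SecurityException(SecurityLogger.getSubjectDoesNotHavePermissionToUnlock(SubjectUtils.displaySubject(currentSubject), str, this.realmName));
        }
        logSuccess(str);
        SecurityLogger.logExplicitUserUnlockInfo(str);
    }

    /**
     * Returns the timestamp of the user's most recent recorded login failure.
     *
     * @param str user name
     * @return the timestamp, or {@code 0} when lockout is disabled, the name is empty, or
     *         no failure is recorded
     */
    public long getLastLoginFailure(String str) {
        if (!this.lockout_enabled) {
            return 0L;
        }
        if (str == null) {
            throw new AssertionError(SecurityLogger.getReceivedANullUserName());
        }
        if (str.equals("")) {
            if (this.debug) {
                this.log.debug("UserLockout getLastLoginFailure was passed a null or empty user name");
            }
            return 0L;
        }
        // Single lookup; a record removed concurrently simply reads as "no failures".
        InvalidLogin invalidLogin = (InvalidLogin) master_invalid_login.get(str);
        if (invalidLogin == null) {
            return 0L;
        }
        Vector failures = invalidLogin.getFailures();
        if (failures == null) {
            throw new AssertionError(SecurityLogger.getInconsistentInvalidLoginRecord());
        }
        if (failures.size() == 0) {
            return 0L;
        }
        LoginFailureRecord latest = (LoginFailureRecord) failures.lastElement();
        return latest == null ? 0L : latest.timestamp;
    }

    /**
     * Returns the number of login failures currently recorded for the user.
     *
     * @param str user name
     * @return the count, or {@code 0} when lockout is disabled, the name is empty, or no
     *         failure is recorded
     */
    public long getLoginFailureCount(String str) {
        if (!this.lockout_enabled) {
            return 0L;
        }
        if (str == null) {
            throw new AssertionError(SecurityLogger.getReceivedANullUserName());
        }
        if (str.equals("")) {
            if (this.debug) {
                this.log.debug("UserLockout getLoginFailureCount was passed a null or empty user name");
            }
            return 0L;
        }
        InvalidLogin invalidLogin = (InvalidLogin) master_invalid_login.get(str);
        if (invalidLogin == null) {
            return 0L;
        }
        // The decompiler left an undeclared register name ("r0") here; bind the list to a
        // local so the method compiles and the null check and size() use the same object.
        Vector failures = invalidLogin.getFailures();
        if (failures == null) {
            return 0L;
        }
        return failures.size();
    }

    /**
     * Lazily opens the cluster multicast session.
     *
     * @return {@code true} if a session is available, {@code false} if cluster services
     *         or the session could not be obtained
     */
    private boolean createMulticastSession() {
        if (this.multicastSession != null) {
            return true;
        }
        this.clusterServices = ClusterService.getServices();
        if (this.clusterServices == null) {
            if (this.debug) {
                this.log.debug("UserLockout Can't create multicastSession because ClusterServices are unavailable");
            }
            return false;
        }
        this.multicastSession = this.clusterServices.createMulticastSession(null, -1, false);
        if (this.multicastSession != null) {
            return true;
        }
        if (this.debug) {
            this.log.debug("UserLockout Can't create multicastSession even though ClusterServices are available");
        }
        return false;
    }

    /**
     * Reports whether a lock timestamp is set for the user. Unlike
     * {@link #isLocked(String)} this does not test or expire the lock duration, so an
     * elapsed lock still reads as locked until it is cleared elsewhere.
     *
     * @param str user name; {@code null} is reported as not locked
     * @return {@code true} if the user's record carries a lock timestamp
     */
    public boolean runtimeIsLocked(String str) {
        if (!this.lockout_enabled || str == null || master_invalid_login.size() == 0) {
            return false;
        }
        setTimestampOfCurrentCheck();
        InvalidLogin invalidLogin = (InvalidLogin) master_invalid_login.get(str);
        return invalidLogin != null && invalidLogin.getLockedTimestamp() != 0;
    }

    /** Returns how many times this instance has locked a user. */
    /* JADX INFO: Access modifiers changed from: package-private */
    public long getUserLockoutTotalCount() {
        return this.cum_user_lockout_count;
    }

    /** Returns the number of invalid login attempts counted by this instance. */
    public long getInvalidLoginAttemptsTotalCount() {
        return this.cum_invalid_login_count;
    }

    /** Returns the number of login attempts counted while the user was locked. */
    public long getLoginAttemptsWhileLockedTotalCount() {
        return this.cum_locked_attempts_count;
    }

    /** Returns the largest failure-table size this instance has observed. */
    public long getInvalidLoginUsersHighCount() {
        return this.high_invalid_login_users;
    }

    /** Returns how many locks this instance has released (expiry or unlock). */
    public long getUnlockedUsersTotalCount() {
        return this.cum_user_unlock_count;
    }

    /** Returns this instance's running count of currently locked users. */
    public long getLockedUsersCurrentCount() {
        return this.current_lock_count;
    }

    /** Alias for {@link #runtimeIsLocked(String)}. */
    public boolean isLockedOut(String str) {
        return runtimeIsLocked(str);
    }

    /** Alias for {@link #runtimeClearLockout(String)}; the same authorization check applies. */
    public void clearLockout(String str) {
        runtimeClearLockout(str);
    }
}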
