package weblogic.security.service;

import java.security.AccessController;
import java.util.Map;
import java.util.Vector;
import javax.security.auth.Subject;
import weblogic.common.internal.LogOutputStream;
import weblogic.management.Admin;
import weblogic.management.MBeanHome;
import weblogic.management.security.ProviderMBean;
import weblogic.management.security.RealmMBean;
import weblogic.management.security.authorization.AdjudicatorMBean;
import weblogic.management.security.authorization.AuthorizerMBean;
import weblogic.management.security.authorization.DeployableAuthorizerMBean;
import weblogic.security.SecurityLogger;
import weblogic.security.SubjectUtils;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.internal.ForceDDOnly;
import weblogic.security.service.SecurityService;
import weblogic.security.spi.AdjudicationProvider;
import weblogic.security.spi.Adjudicator;
import weblogic.security.spi.ApplicationLifecycleProviderMixin;
import weblogic.security.spi.AuditSeverity;
import weblogic.security.spi.AuthorizationProvider;
import weblogic.security.spi.DeployableAuthorizationProvider;
import weblogic.security.spi.Direction;
import weblogic.security.spi.InvalidPrincipalException;
import weblogic.security.spi.Resource;
import weblogic.security.spi.Result;

/* loaded from: input_file:weblogic.jar:weblogic/security/service/AuthorizationManager.class */
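/**
 * Realm-scoped authorization service. It collects the configured
 * {@link AuthorizationProvider}s (and an optional {@link Adjudicator}), asks each
 * provider's access decision whether a subject may reach a resource, and writes
 * the outcome to the {@link Auditor} when one is available.
 *
 * <p>Decision rules visible in this class:
 * <ul>
 *   <li>The kernel identity is always allowed, before any provider is consulted
 *       and without an audit event.</li>
 *   <li>An exception from any access decision denies the request and is audited
 *       with {@code AuditSeverity.ERROR}.</li>
 *   <li>Without an adjudicator exactly one provider is allowed, and only an
 *       explicit {@code Result.PERMIT} grants access.</li>
 *   <li>Unless anonymous admin lookup is enabled, anonymous subjects are denied
 *       JNDI paths that start with one of the {@code MBeanHome} JNDI names.</li>
 * </ul>
 *
 * <p>No synchronization is performed here; the fields are plain mutable state.
 */
public class AuthorizationManager implements SecurityService {
    private static final AuthenticatedSubject kernelId = (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
    private String realmName;
    // Every configured authorization provider, in MBean order.
    private Vector authorizationProviderVector;
    // Subset of the above whose MBean has policy deployment enabled.
    private Vector deployableAtzProviderVector;
    // Access-decision class names, index-aligned with authorizationProviderVector (used in logs).
    private String[] classNames;
    private Adjudicator adjudicator;
    private RoleManager roleManager;
    private Auditor auditor;
    private boolean initialized;
    private boolean debug;
    private LogOutputStream log;
    private RealmMBean realmMBean;
    // MBeanHome JNDI names split on '.', used by the anonymous-lookup guard.
    private String[] jndiHomeName;
    private String[] localJndiHomeName;
    private String[] adminJndiHomeName;
    // Length of the shortest of the three names above.
    private int jndiHomeMinLength;
    // Index of the first component at which the three names differ (0 if none was found).
    private int jndiCommonLength;
    private boolean permitAnonymousAdmin;

    /**
     * Creates an uninitialized manager. {@link #initialize(String, ProviderMBean[])}
     * must succeed before access checks are answered.
     */
    public AuthorizationManager() {
        // Fields keep their Java defaults (null / false / 0).
    }

    /**
     * Creates a manager and initializes it immediately.
     *
     * @param str realm name
     * @param providerMBeanArr authorizer and adjudicator MBeans for the realm
     */
    public AuthorizationManager(String str, ProviderMBean[] providerMBeanArr) {
        this.realmName = str;
        // NOTE(review): initialize() is overridable and is called from a constructor;
        // a subclass override would run before the subclass is fully constructed.
        initialize(str, providerMBeanArr);
    }

    /**
     * Builds the provider lists, the optional adjudicator and the MBeanHome guard.
     *
     * <p>Once provider construction starts the manager is marked uninitialized, and
     * every failure from that point tears the partial configuration down through
     * {@link #cleanup()}. A failed (re-)initialization therefore leaves the manager
     * refusing access checks instead of answering them from a half-built provider set.
     *
     * @param str realm name; must name an existing realm
     * @param providerMBeanArr at least one {@code AuthorizerMBean}, optionally an
     *        {@code AdjudicatorMBean}; any other MBean type is rejected
     * @throws InvalidParameterException on a bad realm name, a missing or empty MBean
     *         array, an unexpected MBean type, no authorizer, or several authorizers
     *         without an adjudicator
     * @throws NotYetInitializedException if the role manager is not available yet
     * @throws ProviderException if a provider yields no access decision or adjudicator
     */
    @Override // weblogic.security.service.SecurityService
    public void initialize(String str, ProviderMBean[] providerMBeanArr) {
        this.debug = Admin.getInstance().getLocalServer().getServerDebug().getDebugSecurityAtz();
        if (this.debug) {
            this.log = SecurityServiceManager.getSecurityDebugLog();
        }
        if (null == str || !SecurityServiceManager.doesRealmExistInternal(str)) {
            throw new InvalidParameterException(SecurityLogger.getValidRealmNameMustBeSpecifed());
        }
        if (null == providerMBeanArr) {
            throw new InvalidParameterException(SecurityLogger.getNoAuthAndNoAdjMBeans());
        }
        if (providerMBeanArr.length < 1) {
            throw new InvalidParameterException(SecurityLogger.getNeedAtLeastOneAuthMBean());
        }
        if (this.debug) {
            this.log.debug("AuthorizationManger initializing for realm: " + str);
        }
        this.roleManager = (RoleManager) SecurityServiceManager.getSecurityServiceInternal(str, SecurityService.ServiceType.ROLE);
        if (this.roleManager == null) {
            throw new NotYetInitializedException(SecurityLogger.getRoleMgrMustBeInitBeforeAuth());
        }
        this.auditor = (Auditor) SecurityServiceManager.getSecurityServiceInternal(str, SecurityService.ServiceType.AUDIT);

        // From here on the provider set is being replaced: stay "not initialized"
        // until every check below has passed.
        this.initialized = false;
        this.authorizationProviderVector = new Vector();
        this.deployableAtzProviderVector = new Vector();
        for (ProviderMBean providerMBean : providerMBeanArr) {
            if (providerMBean instanceof AuthorizerMBean) {
                AuthorizationProvider authorizationProvider = (AuthorizationProvider) SecurityServiceManager.createSecurityProvider(providerMBean, this.auditor);
                if (authorizationProvider.getAccessDecision() == null) {
                    cleanup();
                    throw new ProviderException(SecurityLogger.getProblemGettingAccessDecision());
                }
                this.authorizationProviderVector.add(authorizationProvider);
                if (providerMBean instanceof DeployableAuthorizerMBean) {
                    if (((DeployableAuthorizerMBean) providerMBean).isPolicyDeploymentEnabled()) {
                        this.deployableAtzProviderVector.add((DeployableAuthorizationProvider) authorizationProvider);
                        if (this.debug) {
                            this.log.debug("AuthorizationManager initialize added DeployableAuthorizationProvider: " + authorizationProvider.getClass().getName());
                        }
                    } else if (this.debug) {
                        this.log.debug("AuthorizationManager found DeployableAuthorizationProvider: " + authorizationProvider.getClass().getName() + " but PolicyDeploymentEnabled is false");
                    }
                } else if (this.debug) {
                    this.log.debug("AuthorizationManager initialize added AuthorizationProvider: " + authorizationProvider.getAccessDecision().getClass().getName());
                }
            } else if (providerMBean instanceof AdjudicatorMBean) {
                this.adjudicator = ((AdjudicationProvider) SecurityServiceManager.createSecurityProvider(providerMBean, this.auditor)).getAdjudicator();
                if (this.adjudicator == null) {
                    // Same teardown as the access-decision failure above, so providers
                    // created earlier in this loop are shut down rather than dropped.
                    cleanup();
                    throw new ProviderException(SecurityLogger.getProblemGettingAdjudicator());
                }
                if (this.debug) {
                    this.log.debug("AuthorizationManager added AdjudicatorProvider: " + this.adjudicator.getClass().getName());
                }
            } else {
                cleanup();
                throw new InvalidParameterException(SecurityLogger.getOnlyAuthAndAdjPassedToInit());
            }
            if (this.realmMBean == null) {
                this.realmMBean = providerMBean.getRealm();
            }
        }
        if (this.deployableAtzProviderVector.isEmpty() && this.debug) {
            this.log.debug("AuthorizationManager initialize found no DeployableAuthorizationProvider with PolicyDeploymentEnabled set to true");
        }
        if (this.authorizationProviderVector.isEmpty()) {
            cleanup();
            throw new InvalidParameterException(SecurityLogger.getNoAuthMBean());
        }
        int providerCount = this.authorizationProviderVector.size();
        this.classNames = new String[providerCount];
        for (int i = 0; i < providerCount; i++) {
            this.classNames[i] = ((AuthorizationProvider) this.authorizationProviderVector.elementAt(i)).getAccessDecision().getClass().getName();
        }
        if (this.adjudicator == null && providerCount > 1) {
            // Without an adjudicator only the first provider's result is read by
            // isAccessAllowed, so several providers must never stay registered here.
            cleanup();
            throw new InvalidParameterException(SecurityLogger.getMultipleAuthNoAdjudicator());
        }
        if (this.adjudicator != null) {
            this.adjudicator.initialize(this.classNames);
        } else if (this.debug) {
            this.log.debug("AuthorizationManager will do its own adjudication since no AdjudicatorMBean was passed to it");
        }
        if (this.debug) {
            this.log.debug("AuthorizationManager.initialize found " + this.authorizationProviderVector.size() + " AccessDecisions of which " + this.deployableAtzProviderVector.size() + " are deployable and " + (this.adjudicator != null ? " 1 " : " no ") + " adjudicator");
        }
        this.permitAnonymousAdmin = SecurityServiceManager.isAnonymousAdminLookupEnabled();
        if (!this.permitAnonymousAdmin) {
            initMBeanHomeGuard();
        }
        this.initialized = true;
    }

    /**
     * Splits the three {@code MBeanHome} JNDI names into components and records the
     * shortest length and the first index at which the names diverge. The anonymous
     * lookup guard in {@code isAccessAllowed} reads these values.
     */
    private void initMBeanHomeGuard() {
        this.jndiHomeName = MBeanHome.JNDI_NAME.split("\\.");
        this.localJndiHomeName = MBeanHome.LOCAL_JNDI_NAME.split("\\.");
        this.adminJndiHomeName = MBeanHome.ADMIN_JNDI_NAME.split("\\.");
        this.jndiHomeMinLength = Math.min(this.jndiHomeName.length, Math.min(this.localJndiHomeName.length, this.adminJndiHomeName.length));
        // Stays 0 when no differing component is found within the shortest name; the
        // per-name comparison then simply starts at the first component.
        this.jndiCommonLength = 0;
        for (int i = 0; i < this.jndiHomeMinLength; i++) {
            String component = this.jndiHomeName[i];
            if (!component.equals(this.localJndiHomeName[i]) || !component.equals(this.adminJndiHomeName[i])) {
                this.jndiCommonLength = i;
                break;
            }
        }
    }

    /** No-op. */
    @Override // weblogic.security.service.SecurityService
    public void start() {
    }

    /** No-op. */
    @Override // weblogic.security.service.SecurityService
    public void suspend() {
    }

    /**
     * Shuts down every authorization provider and drops the configuration. Access
     * checks made afterwards fail with {@code NotYetInitializedException}.
     */
    @Override // weblogic.security.service.SecurityService
    public void shutdown() {
        cleanup();
    }

    /**
     * Reports whether deployment-descriptor policy should be ignored for this realm.
     *
     * @return {@code false} whenever {@code ForceDDOnly} is active, otherwise the
     *         realm MBean's setting
     */
    public boolean isDeployPolicyIgnored() {
        if (ForceDDOnly.isForceDDOnly()) {
            return false;
        }
        // NOTE(review): realmMBean is only assigned inside initialize(); calling this
        // on a manager that never initialized would dereference null.
        return this.realmMBean.isDeployPolicyIgnored();
    }

    /**
     * Decides whether {@code authenticatedSubject} may access {@code resource}.
     *
     * <p>The kernel identity is allowed immediately. For every other subject each
     * provider's access decision is consulted in order; any exception denies the
     * request and is audited as an error. With an adjudicator the collected results
     * are adjudicated; without one only an explicit {@code Result.PERMIT} from the
     * single provider allows access.
     *
     * @param authenticatedSubject caller identity; required
     * @param map roles passed through to the access decisions
     * @param resource resource being accessed; required
     * @param contextHandler request context passed through to providers and audit events
     * @param direction decision direction; required
     * @return {@code true} only when access is granted
     * @throws NotYetInitializedException if the manager is not initialized
     * @throws InvalidParameterException if a required argument is {@code null}
     */
    public boolean isAccessAllowed(AuthenticatedSubject authenticatedSubject, Map map, Resource resource, ContextHandler contextHandler, Direction direction) {
        if (!this.initialized) {
            throw new NotYetInitializedException(SecurityLogger.getCallingIsProtectedBeforeInit());
        }
        if (null == authenticatedSubject || null == resource || null == direction) {
            throw new InvalidParameterException(SecurityLogger.getReqParamNotSuppliedIsAccess());
        }
        if (SecurityServiceManager.isKernelIdentity(authenticatedSubject)) {
            // Kernel identity bypasses providers, adjudication and auditing.
            return true;
        }
        AuthenticatedSubject seal = SecurityServiceManager.seal(kernelId, authenticatedSubject);
        if (isBlockedAnonymousMBeanHomeLookup(authenticatedSubject, resource)) {
            // NOTE(review): this denial returns before any audit event is written,
            // unlike the provider paths below; consider auditing it if anonymous
            // MBeanHome lookups should be visible to monitoring.
            if (this.debug) {
                this.log.debug("AuthorizationManager.isAccessAllowed returning false on MBeanHome");
            }
            return false;
        }
        Subject subject = seal.getSubject();
        int providerCount = this.authorizationProviderVector.size();
        Result[] resultArr = new Result[providerCount];
        for (int i = 0; i < providerCount; i++) {
            try {
                resultArr[i] = ((AuthorizationProvider) this.authorizationProviderVector.elementAt(i)).getAccessDecision().isAccessAllowed(subject, map, resource, contextHandler, direction);
            } catch (Exception e) {
                // Fail closed: a provider that cannot answer denies the request.
                if (e instanceof InvalidPrincipalException) {
                    SecurityLogger.logInvalidPrincipalError(this.classNames[i], e);
                } else {
                    SecurityLogger.logAccessDecisionError(this.classNames[i], e);
                }
                if (this.auditor != null) {
                    this.auditor.writeEvent(new AuditAtzEventImpl(AuditSeverity.ERROR, seal, resource, contextHandler, direction, e));
                }
                if (this.debug) {
                    this.log.debug("AuthorizationManager.isAccessAllowed got an exception returning: false");
                }
                return false;
            }
        }
        boolean adjudicate;
        if (this.adjudicator != null) {
            adjudicate = this.adjudicator.adjudicate(resultArr);
        } else {
            // Constant-first comparison: a provider that returned null (or an empty
            // result set) is a denial that still reaches the audit trail, instead of
            // an unaudited NullPointerException.
            adjudicate = resultArr.length > 0 && Result.PERMIT.equals(resultArr[0]);
        }
        if (this.auditor != null) {
            this.auditor.writeEvent(new AuditAtzEventImpl(adjudicate ? AuditSeverity.SUCCESS : AuditSeverity.FAILURE, seal, resource, contextHandler, direction, null));
        }
        if (this.debug) {
            this.log.debug("AuthorizationManager.isAccessAllowed returning adjudicated: " + adjudicate);
        }
        return adjudicate;
    }

    /**
     * Tells whether this request is an anonymous lookup of an {@code MBeanHome} JNDI
     * name that must be refused because anonymous admin lookup is disabled.
     *
     * <p>The match is an exact, case-sensitive comparison of path components, and a
     * path that merely starts with one of the three names also matches.
     */
    private boolean isBlockedAnonymousMBeanHomeLookup(AuthenticatedSubject authenticatedSubject, Resource resource) {
        if (this.permitAnonymousAdmin || !(resource instanceof JNDIResource) || !SubjectUtils.isUserAnonymous(authenticatedSubject)) {
            return false;
        }
        String[] path = ((JNDIResource) resource).getPath();
        if (path == null || path.length < this.jndiHomeMinLength) {
            return false;
        }
        // Cheap rejection on the prefix shared by all three names.
        for (int i = 0; i < this.jndiCommonLength; i++) {
            if (!this.jndiHomeName[i].equals(path[i])) {
                return false;
            }
        }
        return comparePathArrays(this.jndiHomeName, path, this.jndiCommonLength)
                || comparePathArrays(this.localJndiHomeName, path, this.jndiCommonLength)
                || comparePathArrays(this.adminJndiHomeName, path, this.jndiCommonLength);
    }

    /**
     * Convenience overload: resolves the subject's roles through the role manager
     * and evaluates the request with {@code Direction.ONCE}.
     *
     * <p>The initialization and null-argument checks are performed by the five-argument
     * overload, i.e. after the kernel-identity test and the role lookup done here.
     *
     * @return {@code true} for the kernel identity or when access is granted
     */
    public boolean isAccessAllowed(AuthenticatedSubject authenticatedSubject, Resource resource, ContextHandler contextHandler) {
        if (SecurityServiceManager.isKernelIdentity(authenticatedSubject)) {
            return true;
        }
        Map roles = this.roleManager != null ? this.roleManager.getRoles(authenticatedSubject, resource, contextHandler) : null;
        return isAccessAllowed(authenticatedSubject, roles, resource, contextHandler, Direction.ONCE);
    }

    /**
     * Reports whether any provider considers {@code resource} protected.
     *
     * <p>A provider that throws causes the resource to be reported as protected, so
     * an error never makes a resource look unprotected.
     *
     * @throws NotYetInitializedException if the manager is not initialized
     * @throws InvalidParameterException if {@code subject} or {@code resource} is {@code null}
     */
    public boolean isProtectedResource(Subject subject, Resource resource) {
        if (!this.initialized) {
            throw new NotYetInitializedException(SecurityLogger.getCallingIsProtectedBeforeInit());
        }
        if (null == subject || null == resource) {
            throw new InvalidParameterException(SecurityLogger.getReqParamNotSuppliedIsProt());
        }
        for (int i = 0; i < this.authorizationProviderVector.size(); i++) {
            try {
                if (((AuthorizationProvider) this.authorizationProviderVector.elementAt(i)).getAccessDecision().isProtectedResource(subject, resource)) {
                    if (this.debug) {
                        this.log.debug("AuthorizationManager.isProtectedResource returns: true");
                    }
                    return true;
                }
            } catch (Exception e) {
                SecurityLogger.logAccessDecisionError(this.classNames[i], e);
                if (this.debug) {
                    // The message used to say "false" although this branch returns true.
                    this.log.debug("AuthorizationManager.isProtectedResource got an exception returning: true");
                }
                return true;
            }
        }
        if (this.debug) {
            this.log.debug("AuthorizationManager.isProtectedResource returns: false");
        }
        return false;
    }

    /**
     * Deploys a policy for {@code resource} unless deploy-time policy is ignored.
     *
     * @see #deployPolicy(Resource, String[], boolean)
     */
    public void deployPolicy(Resource resource, String[] strArr) throws ResourceCreationException {
        deployPolicy(resource, strArr, false);
    }

    /**
     * Deploys a policy for {@code resource} to every deployable provider and audits
     * each attempt.
     *
     * <p>Only a provider-level {@code weblogic.security.spi.ResourceCreationException}
     * is rethrown. Any other provider failure is logged and audited with
     * {@code AuditSeverity.FAILURE} and the loop continues, so the call can return
     * normally although a provider did not accept the policy.
     *
     * @param resource resource the policy applies to
     * @param strArr role names handed to the providers
     * @param z when {@code true}, deploy even if {@link #isDeployPolicyIgnored()} is set
     * @throws ResourceCreationException if a provider reports a resource creation failure
     */
    public void deployPolicy(Resource resource, String[] strArr, boolean z) throws ResourceCreationException {
        if (!z && isDeployPolicyIgnored()) {
            if (this.debug) {
                this.log.debug("AuthorizationManager will not deploy policy, isDeployPolicyIgnored is true.");
            }
            return;
        }
        if (this.deployableAtzProviderVector == null || this.deployableAtzProviderVector.isEmpty()) {
            SecurityLogger.logUnableToDeploySecurityInformation(this.realmMBean.wls_getDisplayName(), "DeployableAuthorizationProvider");
            return;
        }
        for (int i = 0; i < this.deployableAtzProviderVector.size(); i++) {
            DeployableAuthorizationProvider provider = (DeployableAuthorizationProvider) this.deployableAtzProviderVector.elementAt(i);
            try {
                provider.deployPolicy(resource, strArr);
                if (this.auditor != null) {
                    this.auditor.writeEvent(new AuditPolicyDeployEventImpl(AuditSeverity.SUCCESS, SecurityServiceManager.getCurrentSubject(kernelId), resource, strArr, null));
                }
            } catch (Exception e) {
                if (this.debug) {
                    this.log.debug("AuthorizationManager.deployPolicy got an exception: " + e);
                }
                SecurityLogger.logDeployableAuthorizationProviderError(provider.getClass().getName(), e);
                if (this.auditor != null) {
                    this.auditor.writeEvent(new AuditPolicyDeployEventImpl(AuditSeverity.FAILURE, SecurityServiceManager.getCurrentSubject(kernelId), resource, strArr, e));
                }
                if (e instanceof weblogic.security.spi.ResourceCreationException) {
                    throw new ResourceCreationException(e);
                }
            }
        }
    }

    /**
     * Removes the policy for {@code resource} from every deployable provider and
     * audits each attempt.
     *
     * <p>Only a provider-level {@code weblogic.security.spi.ResourceRemovalException}
     * is rethrown; other failures are logged and audited and the loop continues.
     *
     * @throws ResourceRemovalException if a provider reports a resource removal failure
     */
    public void undeployPolicy(Resource resource) throws ResourceRemovalException {
        if (isDeployPolicyIgnored()) {
            if (this.debug) {
                this.log.debug("AuthorizationManager will not undeploy policy, isDeployPolicyIgnored is true.");
            }
            return;
        }
        if (this.deployableAtzProviderVector == null || this.deployableAtzProviderVector.isEmpty()) {
            SecurityLogger.logUnableToUndeploySecurityInformation(this.realmMBean.wls_getDisplayName(), "DeployableAuthorizationProvider");
            return;
        }
        for (int i = 0; i < this.deployableAtzProviderVector.size(); i++) {
            DeployableAuthorizationProvider provider = (DeployableAuthorizationProvider) this.deployableAtzProviderVector.elementAt(i);
            try {
                provider.undeployPolicy(resource);
                if (this.auditor != null) {
                    this.auditor.writeEvent(new AuditPolicyUndeployEventImpl(AuditSeverity.SUCCESS, SecurityServiceManager.getCurrentSubject(kernelId), resource, null));
                }
            } catch (Exception e) {
                if (this.debug) {
                    this.log.debug("AuthorizationManager.undeployPolicy got an exception: " + e);
                }
                SecurityLogger.logDeployableAuthorizationProviderError(provider.getClass().getName(), e);
                if (this.auditor != null) {
                    this.auditor.writeEvent(new AuditPolicyUndeployEventImpl(AuditSeverity.FAILURE, SecurityServiceManager.getCurrentSubject(kernelId), resource, e));
                }
                if (e instanceof weblogic.security.spi.ResourceRemovalException) {
                    throw new ResourceRemovalException(e);
                }
            }
        }
    }

    /**
     * Notifies deployable providers that implement
     * {@code ApplicationLifecycleProviderMixin} that an application was deleted.
     * Provider failures are logged and do not stop the remaining notifications.
     */
    public void applicationDeleted(String str, int i, String str2) {
        if (this.deployableAtzProviderVector == null) {
            // Nothing to notify: never initialized, or already shut down.
            return;
        }
        for (int i2 = 0; i2 < this.deployableAtzProviderVector.size(); i2++) {
            DeployableAuthorizationProvider deployableAuthorizationProvider = (DeployableAuthorizationProvider) this.deployableAtzProviderVector.elementAt(i2);
            if (deployableAuthorizationProvider instanceof ApplicationLifecycleProviderMixin) {
                try {
                    ((ApplicationLifecycleProviderMixin) deployableAuthorizationProvider).applicationDeleted(str, i, str2);
                } catch (Exception e) {
                    logLifecycleFailure("applicationDeleted", deployableAuthorizationProvider, e);
                }
            }
        }
    }

    /**
     * Notifies lifecycle-aware deployable providers that an application deployment
     * has begun. Skipped entirely when deploy-time policy is ignored.
     */
    public void applicationDeployBegun(String str, int i, String str2) {
        if (isDeployPolicyIgnored() || this.deployableAtzProviderVector == null) {
            return;
        }
        for (int i2 = 0; i2 < this.deployableAtzProviderVector.size(); i2++) {
            DeployableAuthorizationProvider deployableAuthorizationProvider = (DeployableAuthorizationProvider) this.deployableAtzProviderVector.elementAt(i2);
            if (deployableAuthorizationProvider instanceof ApplicationLifecycleProviderMixin) {
                try {
                    ((ApplicationLifecycleProviderMixin) deployableAuthorizationProvider).applicationDeployBegun(str, i, str2);
                } catch (Exception e) {
                    logLifecycleFailure("applicationDeployBegun", deployableAuthorizationProvider, e);
                }
            }
        }
    }

    /**
     * Notifies lifecycle-aware deployable providers that an application deployment
     * has ended. Skipped entirely when deploy-time policy is ignored.
     */
    public void applicationDeployEnded(String str, int i, String str2) {
        if (isDeployPolicyIgnored() || this.deployableAtzProviderVector == null) {
            return;
        }
        for (int i2 = 0; i2 < this.deployableAtzProviderVector.size(); i2++) {
            DeployableAuthorizationProvider deployableAuthorizationProvider = (DeployableAuthorizationProvider) this.deployableAtzProviderVector.elementAt(i2);
            if (deployableAuthorizationProvider instanceof ApplicationLifecycleProviderMixin) {
                try {
                    ((ApplicationLifecycleProviderMixin) deployableAuthorizationProvider).applicationDeployEnded(str, i, str2);
                } catch (Exception e) {
                    logLifecycleFailure("applicationDeployEnded", deployableAuthorizationProvider, e);
                }
            }
        }
    }

    /**
     * Records a lifecycle-callback failure. The debug line is unchanged; the failure
     * is additionally sent to the security log so it is visible when security debug
     * logging is off, as deployPolicy and undeployPolicy already do.
     */
    private void logLifecycleFailure(String operation, DeployableAuthorizationProvider provider, Exception e) {
        if (this.debug) {
            this.log.debug("AuthorizationManager." + operation + " got an exception: " + e);
        }
        SecurityLogger.logDeployableAuthorizationProviderError(provider.getClass().getName(), e);
    }

    /**
     * Shuts down all authorization providers and clears the configuration. Safe to
     * call repeatedly and on a manager that was never initialized.
     */
    private void cleanup() {
        try {
            if (this.authorizationProviderVector != null) {
                for (int i = 0; i < this.authorizationProviderVector.size(); i++) {
                    ((AuthorizationProvider) this.authorizationProviderVector.elementAt(i)).shutdown();
                }
            }
        } finally {
            // Reset state even if a provider's shutdown() throws, and stop answering
            // access checks: later calls get NotYetInitializedException instead of
            // dereferencing the cleared provider list.
            this.initialized = false;
            if (this.authorizationProviderVector != null) {
                this.authorizationProviderVector.clear();
                this.authorizationProviderVector = null;
            }
            if (this.deployableAtzProviderVector != null) {
                this.deployableAtzProviderVector.clear();
                this.deployableAtzProviderVector = null;
            }
            this.classNames = null;
            this.adjudicator = null;
        }
    }

    /**
     * Checks whether {@code strArr2} matches {@code strArr} on every component from
     * index {@code i} to the end of {@code strArr}; {@code strArr2} may be longer.
     *
     * @param strArr reference name components
     * @param strArr2 candidate path components
     * @param i first index to compare
     * @return {@code true} if all compared components are equal
     */
    private boolean comparePathArrays(String[] strArr, String[] strArr2, int i) {
        if (strArr2.length < strArr.length) {
            return false;
        }
        for (int i2 = i; i2 < strArr.length; i2++) {
            if (!strArr2[i2].equals(strArr[i2])) {
                return false;
            }
        }
        return true;
    }
}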
