package weblogic.management.internal;

import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.PrintStream;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import javax.management.InstanceNotFoundException;
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;
import weblogic.drs.DataIdentifier;
import weblogic.kernel.Kernel;
import weblogic.management.Admin;
import weblogic.management.NoAccessRuntimeException;
import weblogic.management.WebLogicObjectName;
import weblogic.management.configuration.DeploymentMBean;
import weblogic.management.info.ExtendedAttributeInfo;
import weblogic.management.info.ExtendedInfo;
import weblogic.management.runtime.DeployerRuntimeMBean;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.service.AdminResource;
import weblogic.security.service.MBeanResource;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.service.RoleManager;
import weblogic.security.service.SecurityService;
import weblogic.security.service.SecurityServiceManager;
import weblogic.security.utils.KeyStoreConstants;
import weblogic.utils.Debug;
import weblogic.utils.StringUtils;

/* loaded from: input_file:weblogic.jar:weblogic/management/internal/SecurityHelper.class */
/**
 * Role-based authorization gate for the WebLogic management (JMX) layer.
 *
 * <p>Each check resolves the calling {@link AuthenticatedSubject}'s roles for
 * {@link #adminMBeanResource} through the realm's {@link RoleManager} and then consults
 * the static allow-lists below: a subject in the "Admin" role is always allowed;
 * "Deployer", "Operator" and "Monitor" are allowed only the MBean types / (type, target)
 * pairs listed for them; a handful of targets are allowed to any subject at all.
 *
 * <p>This is decompiled output (note the {@code class$} / {@code access$100} synthetics and
 * the anonymous-class rendering in {@link #checkForRole}); the shape of the code is the
 * decompiler's, not the original author's.
 *
 * <p>Denial is signalled ONLY by throwing {@link NoAccessRuntimeException}. The Object returned
 * by {@link IsAccessAllowedPrivilegeAction#run()} is discarded by
 * {@link #isAccessAllowed(ObjectName, MBeanResource.ActionType, String, String)}, so the
 * {@code Boolean.FALSE} paths in that action do not deny access (see the notes there).
 */
public class SecurityHelper {
    // Role names looked up in the Map returned by RoleManager.getRoles(...).
    private static final String ADMIN_ROLENAME = "Admin";
    private static final String DEPLOYER_ROLENAME = "Deployer";
    private static final String OPERATOR_ROLENAME = "Operator";
    private static final String MONITOR_ROLENAME = "Monitor";
    // Not referenced anywhere in this class as decompiled.
    private static final boolean ENABLE_ACL_EXCEPTION = true;
    // Not referenced anywhere in this class as decompiled.
    private static boolean isSecServiceInitialized;
    // Lazily resolved by getRoleManager(); cached without synchronization.
    private static RoleManager roleManager;
    // MBean type name (as it appears in the "Type" key property, "Config" suffix stripped)
    // -> Set of attribute names whose READ must be authorized. Any attribute NOT listed here is
    // readable without any identity check (see isAccessAllowed), so the generated
    // protectedAttributeNames.properties file is effectively part of the policy.
    private static Map protectedAttributeList;
    // Decompiler synthetic: cache for the weblogic.management.tools.Info class literal.
    static Class class$weblogic$management$tools$Info;
    // Allow-lists. An entry is either a bare String, matched against the MBean "Type" key
    // property (for EVERYONE_ALLOWED_ACTIONS: against the target name instead), or a
    // Pair(Type, target) matched against both. Set membership relies on Pair implementing
    // equals/hashCode consistently; Pair is defined elsewhere in this package and not visible here.
    //
    // DEPLOYER_ACTIONS: the only list consulted for WRITE (see wlsRun); also used for
    // EXECUTE/REGISTER/UNREGISTER.
    private static final Set DEPLOYER_ACTIONS = new HashSet(Arrays.asList("Application", "ApplicationConfig", "ConnectorComponent", "ConnectorComponentConfig", DeployerRuntimeMBean.DEPLOYER_NAME, "DeploymentTaskRuntime", "EJBComponent", "EJBComponentConfig", "WebAppComponent", "WebAppComponentConfig", "WebServiceComponent", "WebServiceComponentConfig", "WebServer", "WebServerConfig", "JDBCConnectionPool", "JDBCConnectionPoolConfig", "JDBCDataSourceFactory", "JDBCDataSourceFactoryConfig", "JDBCMultiPool", "JDBCMultipoolConfig", "JDBCDataSource", "JDBCDataSourceConfig", "JDBCTxDataSource", "JDBCTxDataSourceConfig", "JDBCPoolComponent", "JDBCPoolComponentConfig", "JMSBridgeDestination", "JMSBridgeDestinationConfig", "JMSConnectionConsumer", "JMSConnectionConsumerConfig", "JMSConnectionFactory", "JMSConnectionFactoryConfig", "JMSDestination", "JMSDestinationConfig", "JMSDistributedDestination", "JMSDistributedDestinationConfig", "JMSDistributedDestinationMember", "JMSDistributedDestinationMemberConfig", "JMSDistributedTopic", "JMSDistributedTopicConfig", "JMSDistributedTopicMember", "JMSDistributedTopicMemberConfig", "JMSDistributedQueue", "JMSDistributedQueueConfig", "JMSDistributedQueueMember", "JMSDistributedQueueMemberConfig", "JMSFileStore", "JMSFileStoreConfig", "JMSDestinationKey", "JMSDestinationKeyConfig", "JMSServer", "JMSServerConfig", "JMSStore", "JMSStoreConfig", "JMSSessionPool", "JMSSessionPoolConfig", "JMSTemplate", "JMSTemplateConfig", "JMSQueue", "JMSQueueConfig", "JMSTopic", "JMSTopicConfig", "JMSJDBCStore", "JMSJDBCStoreConfig", "WTCServer", "WTCServerConfig", "WTCBridgeGlobal", "WTCBridgeGlobalConfig", "WTCResources", "WTCResourcesConfig", "WTCExport", "WTCExportConfig", "WTCImport", "WTCImportConfig", "WTCLocalTuxDom", "WTCLocalTuxDomConfig", "WTCRemoteTuxDom", "WTCRemoteTuxDomConfig", "WTCPassword", "WTCPasswordConfig", "WTCtBridgeGlobal", "WTCtBridgeGlobalConfig", "WTCtBridgeRedirect", "WTCtBridgeRedirectConfig", "EJBDescriptor", 
"ConnectorDescriptor", "WebDescriptor", new Pair("Server", "lookupServerRuntime"), new Pair("Server", "lookupServerLifeCycleRuntime"), new Pair("ServerConfig", "lookupServerLifeCycleRuntime"), new Pair("Server", "sendNotification"), new Pair("ServerConfig", "sendNotification"), new Pair("Server", "addDeployment"), new Pair("ServerConfig", "addDeployment"), new Pair("Server", "removeDeployment"), new Pair("ServerConfig", "removeDeployment")));
    // OPERATOR_ACTIONS: consulted for EXECUTE/REGISTER/UNREGISTER only -- wlsRun rejects WRITE
    // before reaching this list, so the attribute-looking entries ("ExpectedToRun") cannot grant a
    // WRITE. ("Server", "suspend") is listed twice. The KeyStoreConstants reference is most likely
    // the decompiler folding an unrelated constant that happens to have the same String value;
    // the intended operation name is not recoverable from this file.
    private static final Set OPERATOR_ACTIONS = new HashSet(Arrays.asList("ServerLifeCycleRuntime", "ServerLifeCycleTaskRuntime", "ServerStart", "NodeManagerRuntime", "NodeManagerConfig", new Pair("Server", "start"), new Pair("Server", "suspend"), new Pair("Server", "lookupServerRuntime"), new Pair("Server", "lookupServerLifeCycleRuntime"), new Pair("Server", "suspend"), new Pair("Server", "ExpectedToRun"), new Pair("Server", "sendNotification"), new Pair("ServerRuntime", "stop"), new Pair("ServerRuntime", "start"), new Pair("ServerRuntime", "resume"), new Pair("ServerRuntime", "shutdown"), new Pair("ServerRuntime", "forceShutdown"), new Pair("ServerConfig", "lookupServerLifeCycleRuntime"), new Pair("ServerConfig", "ExpectedToRun"), new Pair("ServerConfig", "sendNotification"), new Pair("Machine", "lookupNodeManagerRuntime"), new Pair("Server", KeyStoreConstants.JAVA_STANDARD_TRUST_KEYSTORE_PASSPHRASE_BOOT_PROP)));
    // EVERYONE_ALLOWED_ACTIONS: granted to ANY subject, with no role required at all. The bare
    // Strings ("userExists", "BulkQueryState") match the target name on any MBean type.
    // NOTE(review): this unconditionally permits JDBCConnectionPoolRuntime shrink/reset and
    // saveDomain on BootStrapConstants.DEFAULT_REPOSITORY_TYPE (probably another folded constant);
    // confirm those are meant to be reachable without a role.
    private static final Set EVERYONE_ALLOWED_ACTIONS = new HashSet(Arrays.asList("userExists", "BulkQueryState", new Pair("ConnectorComponent", "findOrCreateConnectorDescriptor"), new Pair("EJBComponent", "findOrCreateEJBDescriptor"), new Pair("WebAppComponent", "findOrCreateWebDescriptor"), new Pair("Application", "getInputStream"), new Pair("SecurityConfiguration", "findDefaultRealm"), new Pair("SecurityConfiguration", "findRealm"), new Pair("SecurityConfiguration", "findRealms"), new Pair("SecurityConfigurationConfig", "findDefaultRealm"), new Pair("Application", "findInputStream"), new Pair("JTARuntime", "getTransactionsOlderThan"), new Pair("JDBCConnectionPoolRuntime", "shrink"), new Pair("JDBCConnectionPoolRuntime", "reset"), new Pair(BootStrapConstants.DEFAULT_REPOSITORY_TYPE, "saveDomain")));
    // MONITOR_ACTIONS: consulted for EXECUTE/REGISTER/UNREGISTER only (WRITE is rejected earlier).
    private static final Set MONITOR_ACTIONS = new HashSet(Arrays.asList(new Pair("NodeManagerRuntime", "register"), new Pair("NodeManagerRuntime", "getStateForAll"), new Pair("Machine", "lookupNodeManagerRuntime"), new Pair("Server", "lookupServerRuntime"), new Pair("Server", "lookupServerLifeCycleRuntime")));
    // The kernel identity, obtained at class-load time. Used both as the identity every check runs
    // under (runAs) and as an unconditional bypass (isKernelIdentity).
    private static final AuthenticatedSubject KERNEL_ID = (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
    // Debug-only ACL log; opened lazily by dumpAclDebug() and never closed.
    private static PrintStream aclPrintStream = null;
    // The resource all role lookups in this class are evaluated against.
    private static AdminResource adminMBeanResource = new AdminResource(DataIdentifier.CONFIGURATION, null, null);
    // System property weblogic.disableMBeanAuthorization: when true, isAccessAllowed() returns
    // immediately and NO MBean authorization is performed. Anyone who can set system properties on
    // the server JVM (startup scripts, -D flags) can switch the whole policy off; this must never be
    // set on a production server.
    private static boolean disableACLOnMbeans = Boolean.getBoolean("weblogic.disableMBeanAuthorization");
    // System property DEBUG_ACLS: when true, every denial that reaches the end of wlsRun() is
    // written to <serverName>_debug_acls.txt in the working directory (see dumpAclDebug).
    private static boolean debugACLs = Boolean.getBoolean("DEBUG_ACLS");

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:weblogic.jar:weblogic/management/internal/SecurityHelper$IsAccessAllowedPrivilegeAction.class */
    /**
     * The actual policy evaluation, run under the kernel identity by
     * {@link SecurityHelper#isAccessAllowed(ObjectName, MBeanResource.ActionType, String, String)}.
     *
     * <p>Denial is communicated only by throwing {@link NoAccessRuntimeException}; the caller
     * ignores the Object returned from {@link #run()}, so returning {@code Boolean.FALSE} is
     * observationally the same as returning {@code Boolean.TRUE}.
     */
    public static class IsAccessAllowedPrivilegeAction implements PrivilegedAction {
        // The caller being authorized (not the kernel identity the action runs under).
        private final AuthenticatedSubject subject;
        private final ObjectName name;
        private final MBeanResource.ActionType action;
        // For READ this is the attribute name (it is looked up via Helper.getAttributeInfo);
        // for the other actions it is matched against the allow-lists as the Pair's second element.
        private final String target;
        // The "Type" key property of name; null when the ObjectName has none.
        private final String type;

        IsAccessAllowedPrivilegeAction(AuthenticatedSubject authenticatedSubject, ObjectName objectName, MBeanResource.ActionType actionType, String str) {
            this.subject = authenticatedSubject;
            this.name = objectName;
            this.action = actionType;
            this.target = str;
            this.type = this.name.getKeyProperty("Type");
        }

        /**
         * @return Boolean.TRUE when allowed; Boolean.FALSE only when the MBean is not registered
         *         (which, as noted on the class, the caller does not treat as a denial)
         * @throws NoAccessRuntimeException when the subject lacks the required role
         */
        @Override // java.security.PrivilegedAction
        public Object run() {
            // Admin on the configuration AdminResource short-circuits every other rule.
            if (SecurityHelper.isInRole(SecurityHelper.access$100().getRoles(this.subject, SecurityHelper.adminMBeanResource, null), SecurityHelper.ADMIN_ROLENAME)) {
                return Boolean.TRUE;
            }
            if (this.name instanceof WebLogicObjectName) {
                return wlsRun();
            }
            // A plain ObjectName without a "Type" key property is not subject to any check.
            if (this.type == null) {
                return Boolean.TRUE;
            }
            try {
                // Only MBeans that are WebLogicMBean instances are subject to the policy;
                // anything else registered in the MBeanServer is allowed through unchanged.
                return Admin.getInstance().getMBeanHome().getMBeanServer().isInstanceOf(this.name, "weblogic.management.WebLogicMBean") ? wlsRun() : Boolean.TRUE;
            } catch (InstanceNotFoundException e) {
                // NOTE(review): not a denial -- the caller discards this value (see class comment).
                return Boolean.FALSE;
            }
        }

        /**
         * Policy for WebLogic MBeans. READ is decided by the attribute's ExtendedAttributeInfo
         * (encrypted flag, protection level) together with the subject's roles; WRITE, EXECUTE,
         * REGISTER and UNREGISTER by the allow-lists. Any other ActionType is rejected.
         *
         * @throws NoAccessRuntimeException on every denial
         */
        private Object wlsRun() {
            Map roles = SecurityHelper.access$100().getRoles(this.subject, SecurityHelper.adminMBeanResource, null);
            // Denial message; it embeds the subject's toString() and the full ObjectName when
            // there is no Type, so it should be treated as sensitive if surfaced to clients.
            String stringBuffer = new StringBuffer().append("Access not allowed for subject: ").append(this.subject).append(", on Resource").append("Type: ").append(this.type != null ? this.type : this.name.toString()).append(" Action: ").append(this.action).append(", Target: ").append(this.target).toString();
            if (this.action == MBeanResource.ActionType.READ) {
                // Only attributes listed in protectedAttributeList reach this point; everything
                // else was already allowed by isAccessAllowed() without consulting the subject.
                ExtendedInfo adminOrConfigMBeanInfo = TypesHelper.getAdminOrConfigMBeanInfo(this.name.getKeyProperty("Type"));
                if (adminOrConfigMBeanInfo == null) {
                    // Unknown type: deny rather than allow.
                    throw new NoAccessRuntimeException(stringBuffer);
                }
                // Assumes getAttributeInfo never returns null for a listed attribute -- TODO confirm.
                ExtendedAttributeInfo attributeInfo = Helper.getAttributeInfo(adminOrConfigMBeanInfo, this.target);
                // Deployers may read encrypted attributes, but only on DeploymentMBeans.
                if (attributeInfo.isEncrypted() && SecurityHelper.isInRole(roles, SecurityHelper.DEPLOYER_ROLENAME)) {
                    try {
                        if (Admin.getInstance().getMBeanHome().getMBean(this.name) instanceof DeploymentMBean) {
                            return Boolean.TRUE;
                        }
                    } catch (InstanceNotFoundException e) {
                        // NOTE(review): returns FALSE instead of falling through to the denial
                        // below; because the caller discards the result, an encrypted-attribute
                        // read of an unregistered MBean is effectively allowed for a Deployer.
                        return Boolean.FALSE;
                    }
                }
                // Encrypted attributes and protection level 1 (meaning defined by
                // ExtendedAttributeInfo, not visible here) are Admin-only; any other listed
                // attribute is readable by Deployer, Operator or Monitor.
                if (attributeInfo.isEncrypted() || attributeInfo.getProtectionLevel().intValue() == 1 || !(SecurityHelper.isInRole(roles, SecurityHelper.DEPLOYER_ROLENAME) || SecurityHelper.isInRole(roles, SecurityHelper.OPERATOR_ROLENAME) || SecurityHelper.isInRole(roles, SecurityHelper.MONITOR_ROLENAME))) {
                    throw new NoAccessRuntimeException(stringBuffer);
                }
                return Boolean.TRUE;
            }
            // Fail closed on any ActionType this policy does not know about.
            if (this.action != MBeanResource.ActionType.WRITE && this.action != MBeanResource.ActionType.EXECUTE && this.action != MBeanResource.ActionType.REGISTER && this.action != MBeanResource.ActionType.UNREGISTER) {
                throw new NoAccessRuntimeException(new StringBuffer().append("Uknown ActionType: ").append(this.action).append(" found").toString());
            }
            Pair pair = new Pair(this.type, this.target);
            // Unconditional allow-list: no role is required (roles may even be null here).
            if (SecurityHelper.EVERYONE_ALLOWED_ACTIONS.contains(pair) || SecurityHelper.EVERYONE_ALLOWED_ACTIONS.contains(this.target)) {
                return Boolean.TRUE;
            }
            if (SecurityHelper.isInRole(roles, SecurityHelper.DEPLOYER_ROLENAME) && (SecurityHelper.DEPLOYER_ACTIONS.contains(this.type) || SecurityHelper.DEPLOYER_ACTIONS.contains(pair))) {
                return Boolean.TRUE;
            }
            // WRITE is only ever granted to Admin (above, in run()) or through DEPLOYER_ACTIONS;
            // the Operator and Monitor lists below are never consulted for it.
            if (this.action == MBeanResource.ActionType.WRITE) {
                throw new NoAccessRuntimeException(stringBuffer);
            }
            if (SecurityHelper.isInRole(roles, SecurityHelper.OPERATOR_ROLENAME) && (SecurityHelper.OPERATOR_ACTIONS.contains(this.type) || SecurityHelper.OPERATOR_ACTIONS.contains(pair))) {
                return Boolean.TRUE;
            }
            if (SecurityHelper.isInRole(roles, SecurityHelper.MONITOR_ROLENAME) && (SecurityHelper.MONITOR_ACTIONS.contains(this.type) || SecurityHelper.MONITOR_ACTIONS.contains(pair))) {
                return Boolean.TRUE;
            }
            // Only denials that fall all the way through are dumped; the earlier throws are not.
            if (SecurityHelper.debugACLs) {
                SecurityHelper.dumpAclDebug(this.subject, this.name, this.action, this.target, "");
            }
            throw new NoAccessRuntimeException(stringBuffer);
        }
    }

    /**
     * Boolean form of the four-argument check: true unless it threw NoAccessRuntimeException.
     * Any other exception (e.g. IllegalArgumentException for a null name) propagates.
     *
     * @param objectName the MBean being accessed
     * @param actionType the requested action
     * @param str        attribute or operation name
     */
    public static boolean isAccessAllowed(ObjectName objectName, MBeanResource.ActionType actionType, String str) {
        try {
            isAccessAllowed(objectName, actionType, str, "DUMMY");
            return true;
        } catch (NoAccessRuntimeException e) {
            return false;
        }
    }

    /**
     * Boolean check keyed by MBean type only. A placeholder WebLogicObjectName is built with
     * {@code str} as its type and the literal "DUMMY" for the other two constructor arguments
     * (presumably name and domain; the constructor's argument order is not visible here), so
     * instance-specific rules such as the DeploymentMBean test in wlsRun() cannot match.
     *
     * @param str        MBean type name
     * @param actionType the requested action
     * @param str2       attribute or operation name
     */
    public static boolean isAccessAllowed(String str, MBeanResource.ActionType actionType, String str2) {
        try {
            isAccessAllowed(new WebLogicObjectName("DUMMY", str, "DUMMY"), actionType, str2, "DUMMY");
            return true;
        } catch (MalformedObjectNameException e) {
            // A fixed "DUMMY"/type/"DUMMY" name is not expected to be malformed.
            throw new AssertionError(e);
        } catch (NoAccessRuntimeException e2) {
            return false;
        }
    }

    /** @throws NoAccessRuntimeException unless the caller is the kernel or holds "Admin". */
    public static void checkForAdminRole() {
        checkForRole(ADMIN_ROLENAME);
    }

    /** @throws NoAccessRuntimeException unless the caller is the kernel or holds "Admin" or "Deployer". */
    public static void checkForDeployerRole() {
        checkForRole(DEPLOYER_ROLENAME);
    }

    /** @throws NoAccessRuntimeException unless the caller is the kernel or holds "Admin" or "Operator". */
    public static void checkForOperatorRole() {
        checkForRole(OPERATOR_ROLENAME);
    }

    /**
     * Builds {@link #protectedAttributeList} from protectedAttributeNames.properties, loaded as a
     * classpath resource relative to weblogic.management.tools.Info. Each property key is expected
     * to contain "...<Type>MBean..." and each value a comma-separated list of attribute names; the
     * map key is the text between the last '.' and the last "MBean" of the property key.
     *
     * <p>Any read or parse problem is turned into an AssertionError. Because this runs from the
     * static initializer, a bad or missing properties file fails class initialization instead of
     * leaving the server silently unprotected (fail closed).
     *
     * <p>NOTE(review): the {@code lastIndexOf != -1} test can never be false, because 1 was already
     * added to the lastIndexOf(46) result, so a key with no '.' is accepted with start index 0
     * rather than rejected. NOTE(review): the resource InputStream is never closed.
     */
    public static void preloadProtectedAttributeList() {
        Class cls;
        protectedAttributeList = new HashMap();
        Properties properties = new Properties();
        try {
            // Decompiler rendering of the Info.class literal.
            if (class$weblogic$management$tools$Info == null) {
                cls = class$("weblogic.management.tools.Info");
                class$weblogic$management$tools$Info = cls;
            } else {
                cls = class$weblogic$management$tools$Info;
            }
            InputStream resourceAsStream = cls.getResourceAsStream("protectedAttributeNames.properties");
            if (resourceAsStream == null) {
                throw new AssertionError("The protectedAttributeNames.properties file was not properly generated or packaged");
            }
            properties.load(resourceAsStream);
            for (String str : properties.keySet()) {
                try {
                    String property = properties.getProperty(str);
                    int lastIndexOf = str.lastIndexOf(46) + 1;
                    int lastIndexOf2 = str.lastIndexOf("MBean");
                    // A "MBean" occurring before the last '.' makes substring() throw; that lands
                    // in the catch below and becomes an AssertionError.
                    if (lastIndexOf != -1 && lastIndexOf2 != -1) {
                        protectedAttributeList.put(str.substring(lastIndexOf, lastIndexOf2), new HashSet(Arrays.asList(StringUtils.splitCompletely(property, ","))));
                    }
                } catch (Exception e) {
                    throw new AssertionError("The protectedAttributeNames.properties contains invalid data!");
                }
            }
        } catch (IOException e2) {
            throw new AssertionError("The protectedAttributeNames.properties could not be read.");
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * The authorization entry point used by the MBean layer. The short-circuits are evaluated in
     * this order, and the order matters:
     * <ol>
     *   <li>the weblogic.disableMBeanAuthorization property turns every check off;</li>
     *   <li>while a server is still booting, everything is allowed;</li>
     *   <li>FIND is always allowed;</li>
     *   <li>READ is allowed without looking at the caller unless the attribute is listed for the
     *       MBean's type ("Config" suffix stripped) in {@link #protectedAttributeList};</li>
     *   <li>the kernel identity is always allowed;</li>
     *   <li>otherwise {@link IsAccessAllowedPrivilegeAction} is run as the kernel. It denies by
     *       throwing; its return value is discarded here.</li>
     * </ol>
     *
     * @param objectName the MBean being accessed; must not be null
     * @param actionType FIND, READ, WRITE, EXECUTE, REGISTER or UNREGISTER
     * @param str        attribute or operation name (the "target")
     * @param str2       not used by this method
     * @throws NoAccessRuntimeException when access is denied
     * @throws IllegalArgumentException when objectName is null (but see the note on READ below)
     */
    public static void isAccessAllowed(ObjectName objectName, MBeanResource.ActionType actionType, String str, String str2) throws NoAccessRuntimeException {
        if (disableACLOnMbeans) {
            return;
        }
        if (Kernel.isServer()) {
            Admin.getInstance();
            if (Admin.isBooting()) {
                return;
            }
        }
        if (actionType == MBeanResource.ActionType.FIND) {
            return;
        }
        if (actionType == MBeanResource.ActionType.READ) {
            // NOTE(review): objectName is dereferenced here, before the null check below, so a
            // null name on a READ surfaces as NullPointerException, not IllegalArgumentException.
            String keyProperty = objectName.getKeyProperty("Type");
            if (keyProperty != null) {
                if (keyProperty.endsWith("Config")) {
                    keyProperty = keyProperty.substring(0, keyProperty.length() - 6);
                }
                Set set = (Set) protectedAttributeList.get(keyProperty);
                // Unlisted attribute (or unlisted type): readable by anyone, no identity lookup.
                if (set == null || !set.contains(str)) {
                    return;
                }
            }
        }
        if (objectName == null) {
            throw new IllegalArgumentException("Object name for an MBean can not be null");
        }
        AuthenticatedSubject currentSubject = SecurityServiceManager.getCurrentSubject(KERNEL_ID);
        if (SecurityServiceManager.isKernelIdentity(currentSubject)) {
            return;
        }
        // Evaluate the policy as the kernel so the role lookups themselves are permitted.
        // The returned Object is intentionally ignored: denial comes only via the exception.
        SecurityServiceManager.runAs(KERNEL_ID, KERNEL_ID, new IsAccessAllowedPrivilegeAction(currentSubject, objectName, actionType, str));
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * @param map role map from RoleManager.getRoles(); may be null
     * @param str role name
     * @return true when the map is non-null and holds a non-null value for the role
     */
    public static boolean isInRole(Map map, String str) {
        return (map == null || map.get(str) == null) ? false : true;
    }

    /**
     * Returns the default realm's ROLE service, caching it in {@link #roleManager}. The cache is
     * not synchronized; concurrent first calls may each look the service up and assign it.
     */
    private static RoleManager getRoleManager() {
        if (roleManager != null) {
            return roleManager;
        }
        RoleManager roleManager2 = (RoleManager) SecurityServiceManager.getSecurityService(KERNEL_ID, SecurityServiceManager.defaultRealmName, SecurityService.ServiceType.ROLE);
        roleManager = roleManager2;
        return roleManager2;
    }

    /**
     * Throws unless the current subject is the kernel identity or holds "Admin" or the given role
     * on {@link #adminMBeanResource}. The role lookup runs as the kernel on a sealed copy of the
     * current subject (what seal() does to the subject is not visible here).
     *
     * @param str role name to require (Admin always satisfies it)
     * @throws NoAccessRuntimeException when neither role is held
     */
    private static void checkForRole(String str) {
        AuthenticatedSubject currentSubject = SecurityServiceManager.getCurrentSubject(KERNEL_ID);
        if (SecurityServiceManager.isKernelIdentity(currentSubject)) {
            return;
        }
        AuthenticatedSubject seal = SecurityServiceManager.seal(KERNEL_ID, currentSubject);
        // Decompiler rendering of an anonymous PrivilegedAction capturing (seal, str); the
        // "constructor arguments" on the interface are not valid source, only the synthetic fields.
        if (!((Boolean) SecurityServiceManager.runAs(KERNEL_ID, KERNEL_ID, new PrivilegedAction(seal, str) { // from class: weblogic.management.internal.SecurityHelper.1
            private final AuthenticatedSubject val$subject;
            private final String val$roleName;

            {
                this.val$subject = seal;
                this.val$roleName = str;
            }

            @Override // java.security.PrivilegedAction
            public Object run() {
                Map roles = SecurityHelper.access$100().getRoles(this.val$subject, SecurityHelper.adminMBeanResource, null);
                // No roles at all -> FALSE; Admin satisfies every role check.
                return (roles == null || (roles.get(SecurityHelper.ADMIN_ROLENAME) == null && roles.get(this.val$roleName) == null)) ? Boolean.FALSE : Boolean.TRUE;
            }
        })).booleanValue()) {
            throw new NoAccessRuntimeException(ManagementLogger.logNoAccessForSubjectRoleLoggable(seal.toString(), str).getMessage());
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Debug-only (DEBUG_ACLS) record of a denied access. On first use creates/truncates
     * {@code <serverName>_debug_acls.txt} in the process working directory; the stream is kept open
     * for the life of the class. Each record contains the subject's principals, the ObjectName,
     * action and target, and a stack trace of the denial. Because it exposes principal names and
     * call paths in a plain file next to the server, it must stay a development-only switch.
     *
     * <p>{@code synchronized} guards both the lazy open and the multi-line write.
     *
     * @param str  the target (attribute/operation name)
     * @param str2 extra text appended to the RESOURCE line (always "" from wlsRun)
     */
    public static synchronized void dumpAclDebug(AuthenticatedSubject authenticatedSubject, ObjectName objectName, MBeanResource.ActionType actionType, String str, String str2) {
        try {
            if (aclPrintStream == null) {
                StringBuffer stringBuffer = new StringBuffer();
                Admin.getInstance();
                String stringBuffer2 = stringBuffer.append(Admin.getServerName()).append("_debug_acls.txt").toString();
                Debug.say(new StringBuffer().append("Opening ACL Log").append(stringBuffer2).toString());
                aclPrintStream = new PrintStream(new FileOutputStream(new File(stringBuffer2)));
            }
            aclPrintStream.println("START: INVALID MBEAN ACCESS");
            aclPrintStream.println(new StringBuffer().append("PRINCIPALS:").append(authenticatedSubject.getPrincipals()).toString());
            aclPrintStream.println(new StringBuffer().append("RESOURCE:").append(objectName).append("|").append(actionType).append("|").append(str).append("|").append(str2).toString());
            new Exception().printStackTrace(aclPrintStream);
            aclPrintStream.println("END:INVALID MBEAN ACCESS");
        } catch (FileNotFoundException e) {
            // Best effort: a debug log that cannot be opened must not affect the denial itself.
            Debug.say("**** UNABLE TO OPEN DEBUG FILE *****");
        }
    }

    /** Decompiler synthetic standing in for a class literal; wraps ClassNotFoundException as NoClassDefFoundError. */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            throw new NoClassDefFoundError(e.getMessage());
        }
    }

    /** Decompiler synthetic accessor for the private getRoleManager(), used by the nested classes. */
    static RoleManager access$100() {
        return getRoleManager();
    }

    // Runs after the field initializers above (textual order), so KERNEL_ID and the allow-lists
    // already exist; a bad protectedAttributeNames.properties fails class initialization.
    static {
        preloadProtectedAttributeList();
    }
}
