package weblogic.application.internal.flow;

import java.security.AccessController;
import java.util.HashMap;
import java.util.Map;
import weblogic.application.ApplicationContextInternal;
import weblogic.application.SecurityRole;
import weblogic.application.internal.FlowContext;
import weblogic.application.utils.ApplicationVersionUtils;
import weblogic.descriptor.BeanUpdateEvent;
import weblogic.descriptor.BeanUpdateListener;
import weblogic.descriptor.BeanUpdateRejectedException;
import weblogic.descriptor.DescriptorBean;
import weblogic.j2ee.J2EELogger;
import weblogic.j2ee.descriptor.ApplicationBean;
import weblogic.j2ee.descriptor.SecurityRoleBean;
import weblogic.j2ee.descriptor.wl.ApplicationSecurityRoleAssignmentBean;
import weblogic.j2ee.descriptor.wl.SecurityBean;
import weblogic.j2ee.descriptor.wl.WeblogicApplicationBean;
import weblogic.logging.Loggable;
import weblogic.management.DeploymentException;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.service.ApplicationResource;
import weblogic.security.service.DeployHandleCreationException;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.service.ResourceBase;
import weblogic.security.service.RoleCreationException;
import weblogic.security.service.RoleManager;
import weblogic.security.service.RoleManagerDeployHandle;
import weblogic.security.service.RoleRemovalException;
import weblogic.security.service.SecurityApplicationInfo;
import weblogic.security.service.SecurityApplicationInfoImpl;
import weblogic.security.service.SecurityService;
import weblogic.security.service.SecurityServiceManager;
import weblogic.security.spi.ApplicationInfo;
import weblogic.utils.StringUtils;

/* loaded from: input_file:weblogic/application/internal/flow/SecurityRoleFlow.class */
/**
 * Deployment flow that pushes an application's security roles into the realm's RoleManager.
 *
 * <p>At {@link #prepare()} the role names come from the application DD ({@code getApplicationDD()})
 * and the role-to-principal assignments from the WebLogic application DD ({@code getWLApplicationDD()});
 * at {@link #unprepare()} every role deployed under the same handle is removed again. Both steps are
 * skipped entirely when JACC is enabled or the security service is not initialized.
 */
public final class SecurityRoleFlow extends BaseFlow {
    // Values returned by SecurityServiceManager.getRoleMappingBehavior; names follow the helper
    // methods below, which are the only place these values are interpreted in this class.
    private static final int ROLE_MAPPING_COMPATIBILITY = 0;
    private static final int ROLE_MAPPING_APPLICATION = 1;
    private static final int ROLE_MAPPING_EXTERNALLY_DEFINED = 2;

    // Role name that deployRoles(ResourceBase, String[], Map, boolean) tracks specially.
    private static final String DOUBLE_STAR_ROLE = "**";
    // Principal name used on the fallback deployment of DOUBLE_STAR_ROLE.
    private static final String DOUBLE_STAR_FALLBACK_PRINCIPAL = "users";

    // Kernel identity, fetched lazily in getKernelID(); shared by all instances.
    private static AuthenticatedSubject kernelId = null;
    // Stand-in mapping for a declared role that has no assignment in the WebLogic application DD.
    private static final SecurityRole NOOP_MAPPING = new SecurityRole(null);

    // Handle returned by startDeployRoles in prepare(); reused by undeployRoles().
    private RoleManagerDeployHandle handle;
    private RoleManager roleManager;
    private SecurityApplicationInfo secInfo;
    private String realmName;
    // When true, this flow does nothing in prepare()/unprepare().
    private final boolean useJACC;

    /* loaded from: input_file:weblogic/application/internal/flow/SecurityRoleFlow$SecurityRoleAssignmentUpdateListener.class */
    /**
     * Reacts to runtime updates of an ApplicationSecurityRoleAssignmentBean by re-deploying the
     * changed role through the RoleManager. {@code prepareUpdate} never rejects a proposed change;
     * {@code activateUpdate} logs a failed re-deployment instead of propagating it.
     */
    private class SecurityRoleAssignmentUpdateListener implements BeanUpdateListener {
        private final ApplicationContextInternal appCtx;
        private final SecurityApplicationInfo secInfo;
        private final RoleManager roleManager;

        private SecurityRoleAssignmentUpdateListener(ApplicationContextInternal ctx, SecurityApplicationInfo info, RoleManager manager) {
            this.appCtx = ctx;
            this.secInfo = info;
            this.roleManager = manager;
        }

        /**
         * Attaches a fresh listener instance to every security-role-assignment bean of the
         * WebLogic application DD; does nothing when the DD, its security element or the
         * assignments are absent.
         * NOTE(review): no caller of this method is visible within this class.
         */
        void registerListeners(ApplicationContextInternal ctx, SecurityApplicationInfo info, RoleManager manager) {
            WeblogicApplicationBean wlAppDD = ctx.getWLApplicationDD();
            if (wlAppDD == null) {
                return;
            }
            SecurityBean security = wlAppDD.getSecurity();
            if (security == null) {
                return;
            }
            DescriptorBean[] assignments = security.getSecurityRoleAssignments();
            if (assignments == null || assignments.length == 0) {
                return;
            }
            for (DescriptorBean assignment : assignments) {
                assignment.addBeanUpdateListener(new SecurityRoleAssignmentUpdateListener(ctx, info, manager));
            }
        }

        /**
         * Only traces the event; no validation is performed, so a proposed change is never rejected here.
         */
        public void prepareUpdate(BeanUpdateEvent event) throws BeanUpdateRejectedException {
            if (SecurityRoleFlow.this.isDebugEnabled()) {
                SecurityRoleFlow.this.debug("** prepareUpdate called with event " + event);
            }
        }

        /**
         * Deploys the proposed role/principal mapping under a fresh deploy handle.
         * Any exception raised while doing so is logged via J2EELogger and swallowed.
         */
        public void activateUpdate(BeanUpdateEvent event) {
            if (SecurityRoleFlow.this.isDebugEnabled()) {
                SecurityRoleFlow.this.debug("** activateUpdate called with event " + event);
            }
            ApplicationSecurityRoleAssignmentBean proposed = event.getProposedBean();
            if (SecurityRoleFlow.this.isDebugEnabled()) {
                SecurityRoleFlow.this.debug("** new principals " + StringUtils.join(proposed.getPrincipalNames(), ","));
            }
            try {
                RoleManagerDeployHandle deployHandle = this.roleManager.startDeployRoles(this.secInfo);
                try {
                    this.roleManager.deployRole(deployHandle, new ApplicationResource(this.appCtx.getApplicationId()), proposed.getRoleName(), proposed.getPrincipalNames());
                    this.roleManager.endDeployRoles(deployHandle);
                } catch (Throwable failure) {
                    // endDeployRoles also runs on the failure path; if the normal-path call above is
                    // what threw, it is therefore invoked a second time here.
                    this.roleManager.endDeployRoles(deployHandle);
                    throw failure;
                }
            } catch (Exception e) {
                // A failed runtime role update is reported but not propagated to the descriptor framework.
                J2EELogger.logCouldNotDeployRoleLoggable(proposed.getRoleName(), ApplicationVersionUtils.getDisplayName(this.appCtx.getApplicationId()), e).log();
            }
        }

        /** Only traces the event; nothing deployed in activateUpdate is reverted. */
        public void rollbackUpdate(BeanUpdateEvent event) {
            if (SecurityRoleFlow.this.isDebugEnabled()) {
                SecurityRoleFlow.this.debug("** rollbackUpdate called with event " + event);
            }
        }
    }

    /**
     * @param flowContext supplies the security provider whose JACC setting decides whether this flow is active
     */
    public SecurityRoleFlow(FlowContext flowContext) {
        super(flowContext);
        this.roleManager = null;
        this.secInfo = null;
        this.realmName = null;
        this.useJACC = flowContext.getSecurityProvider().isJACCEnabled();
    }

    /**
     * Resolves the realm, obtains the ROLE security service for it and deploys all application-level roles.
     *
     * <p>The realm name is taken from the application context, falling back to the default realm
     * (which is then stored back on the context); a realm name found in the WebLogic application DD
     * is only reported, never used.
     *
     * @throws DeploymentException if the deploy handle cannot be created or a role cannot be created
     */
    @Override
    public void prepare() throws DeploymentException {
        if (this.useJACC || !SecurityServiceManager.isSecurityServiceInitialized()) {
            // Nothing is deployed when JACC is enabled or the security service is not up.
            return;
        }
        this.realmName = this.appCtx.getApplicationSecurityRealmName();
        if (this.realmName == null) {
            this.realmName = getDefaultRealmName();
            this.appCtx.setApplicationSecurityRealmName(this.realmName);
        }
        checkForRealmNameInDD();
        if (this.roleManager == null) {
            initSecurityService();
        }
        this.secInfo = new SecurityApplicationInfoImpl(this.appCtx.getAppDeploymentMBean(), ApplicationInfo.ComponentType.APPLICATION, this.appCtx.getApplicationName());
        try {
            this.handle = this.roleManager.startDeployRoles(this.secInfo);
            try {
                deployRoles();
                this.roleManager.endDeployRoles(this.handle);
            } catch (Throwable failure) {
                // Same shape as in the listener: endDeployRoles runs again on the failure path.
                this.roleManager.endDeployRoles(this.handle);
                throw failure;
            }
        } catch (RoleCreationException e) {
            throw new DeploymentException(e);
        } catch (DeployHandleCreationException e) {
            throw new DeploymentException(e);
        }
    }

    /**
     * Removes every role deployed under the handle created in {@link #prepare()}, under the same
     * JACC / security-service guard as prepare.
     *
     * @throws DeploymentException if the RoleManager reports a removal failure
     */
    @Override
    public void unprepare() throws DeploymentException {
        if (this.useJACC || !SecurityServiceManager.isSecurityServiceInitialized()) {
            return;
        }
        undeployRoles();
    }

    /** Looks up the ROLE service of {@code realmName} as the kernel identity. */
    private void initSecurityService() {
        this.roleManager = SecurityServiceManager.getSecurityService(getKernelID(), this.realmName, SecurityService.ServiceType.ROLE);
    }

    /**
     * @return the role names declared in the application DD, or {@code null} when the DD is absent
     *         or declares none (the {@code null} lets deployRoles() fall back to the assignment keys)
     */
    private String[] getSecurityRoleNames() {
        ApplicationBean appDD = this.appCtx.getApplicationDD();
        SecurityRoleBean[] roles = appDD == null ? null : appDD.getSecurityRoles();
        if (roles == null || roles.length == 0) {
            return null;
        }
        String[] names = new String[roles.length];
        int index = 0;
        for (SecurityRoleBean role : roles) {
            names[index++] = role.getRoleName();
        }
        return names;
    }

    /**
     * Collects the role-to-principal assignments from the WebLogic application DD.
     *
     * @return role name to SecurityRole; empty (never {@code null}) when the DD or its security element is absent
     */
    private Map<String, SecurityRole> getSecurityRoleAssignments() {
        Map<String, SecurityRole> byRole = new HashMap<String, SecurityRole>();
        WeblogicApplicationBean wlAppDD = this.appCtx.getWLApplicationDD();
        SecurityBean security = wlAppDD == null ? null : wlAppDD.getSecurity();
        ApplicationSecurityRoleAssignmentBean[] assignments = security == null ? null : security.getSecurityRoleAssignments();
        if (assignments != null) {
            for (ApplicationSecurityRoleAssignmentBean assignment : assignments) {
                String roleName = assignment.getRoleName();
                String[] principals = assignment.getPrincipalNames();
                if (assignment.getExternallyDefined() != null) {
                    // presumably the no-arg constructor marks the role as externally defined — confirm in SecurityRole
                    byRole.put(roleName, new SecurityRole());
                } else {
                    byRole.put(roleName, new SecurityRole(principals));
                }
            }
        }
        return byRole;
    }

    /**
     * Lazily caches the kernel identity obtained through a privileged action.
     * The static is checked and assigned without synchronization, so concurrent first
     * callers may each run the action; all of them see a non-null result.
     */
    private AuthenticatedSubject getKernelID() {
        if (kernelId == null) {
            kernelId = (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
        }
        return kernelId;
    }

    private String getDefaultRealmName() {
        return SecurityServiceManager.getDefaultRealmName();
    }

    /**
     * Logs a warning when the WebLogic application DD names a realm. The realm actually used is
     * the one resolved in {@link #prepare()}; the DD value is reported only.
     */
    private void checkForRealmNameInDD() {
        WeblogicApplicationBean wlAppDD = this.appCtx.getWLApplicationDD();
        SecurityBean security = wlAppDD == null ? null : wlAppDD.getSecurity();
        String ddRealmName = security == null ? null : security.getRealmName();
        if (ddRealmName != null) {
            J2EELogger.logRealmNameInDDIgnoredWarning(ddRealmName);
        }
    }

    private int roleMappingBehavior() {
        return SecurityServiceManager.getRoleMappingBehavior(this.realmName, this.secInfo);
    }

    private boolean isCompatibilitySecMode() {
        return roleMappingBehavior() == ROLE_MAPPING_COMPATIBILITY;
    }

    private boolean isApplicationSecMode() {
        return roleMappingBehavior() == ROLE_MAPPING_APPLICATION;
    }

    private boolean isExternallyDefinedSecMode() {
        return roleMappingBehavior() == ROLE_MAPPING_EXTERNALLY_DEFINED;
    }

    /**
     * Entry point for role deployment: chooses the role-name source and the empty-mapping policy
     * from the realm's role-mapping behavior, then deploys each role for the application resource.
     *
     * @throws DeploymentException if any individual role cannot be deployed
     * @throws AssertionError if the role-mapping behavior is none of the three known values
     */
    private void deployRoles() throws DeploymentException {
        String[] roleNames = getSecurityRoleNames();
        Map<String, SecurityRole> assignments = getSecurityRoleAssignments();
        if (roleNames == null && assignments != null) {
            // No declared roles: the roles named by the assignments are deployed instead.
            roleNames = assignments.keySet().toArray(new String[assignments.size()]);
        }
        if (roleNames == null) {
            return;
        }
        if (!isCompatibilitySecMode()) {
            this.appCtx.setAppLevelRoleMappings(assignments);
        }
        ApplicationResource resource = new ApplicationResource(this.appCtx.getApplicationId());
        if (isCompatibilitySecMode() || isApplicationSecMode()) {
            deployRolesAllowEmptyRoleMapping(resource, roleNames, assignments);
        } else if (isExternallyDefinedSecMode()) {
            deployRolesNoEmptyRoleMapping(resource, roleNames, assignments);
        } else {
            throw new AssertionError("Unknown security mode");
        }
    }

    private void deployRolesAllowEmptyRoleMapping(ResourceBase resource, String[] roleNames, Map<String, SecurityRole> assignments) throws DeploymentException {
        deployRoles(resource, roleNames, assignments, true);
    }

    private void deployRolesNoEmptyRoleMapping(ResourceBase resource, String[] roleNames, Map<String, SecurityRole> assignments) throws DeploymentException {
        deployRoles(resource, roleNames, assignments, false);
    }

    /**
     * Deploys each non-null role name with the principals from its assignment.
     *
     * <p>Roles without an assignment use {@link #NOOP_MAPPING}; roles whose mapping is externally
     * defined are skipped. When {@code allowEmptyMapping} is true a {@code null} principal list is
     * replaced by an empty array before deployment, otherwise {@code null} is passed through.
     *
     * @param resource          the application resource the roles are scoped to
     * @param roleNames         role names to deploy; {@code null} entries are ignored
     * @param assignments       role name to SecurityRole mapping
     * @param allowEmptyMapping whether a role with no principals is still deployed with an empty list
     * @throws DeploymentException if the RoleManager fails to create a role
     */
    private void deployRoles(ResourceBase resource, String[] roleNames, Map<String, SecurityRole> assignments, boolean allowEmptyMapping) throws DeploymentException {
        boolean sawDoubleStarRole = false;
        boolean doubleStarRoleUnmapped = false;
        for (String roleName : roleNames) {
            if (roleName == null) {
                continue;
            }
            SecurityRole mapping = assignments.get(roleName);
            if (mapping == null) {
                mapping = NOOP_MAPPING;
            }
            if (mapping.isExternallyDefined()) {
                continue;
            }
            String[] principals = mapping.getPrincipalNames();
            if (DOUBLE_STAR_ROLE.equals(roleName)) {
                sawDoubleStarRole = true;
                if (principals == null || principals.length == 0) {
                    doubleStarRoleUnmapped = true;
                }
            }
            if (principals == null && allowEmptyMapping) {
                principals = new String[0];
            }
            deployRole(resource, roleName, principals);
        }
        // NOTE(review): doubleStarRoleUnmapped is only ever set together with sawDoubleStarRole,
        // so this fallback cannot execute as written; confirm the intended condition against the
        // original source before relying on a default mapping for DOUBLE_STAR_ROLE.
        if (!sawDoubleStarRole && doubleStarRoleUnmapped) {
            deployRole(resource, DOUBLE_STAR_ROLE, new String[]{DOUBLE_STAR_FALLBACK_PRINCIPAL});
        }
    }

    /**
     * Deploys one role under the handle created in {@link #prepare()}.
     *
     * @throws DeploymentException carrying the logged message; the RoleCreationException is not chained as its cause
     */
    private void deployRole(ResourceBase resource, String roleName, String[] principals) throws DeploymentException {
        try {
            this.roleManager.deployRole(this.handle, resource, roleName, principals);
        } catch (RoleCreationException e) {
            Loggable loggable = J2EELogger.logCouldNotDeployRoleLoggable(roleName, ApplicationVersionUtils.getDisplayName(this.appCtx.getApplicationId()), e);
            loggable.log();
            throw new DeploymentException(loggable.getMessage());
        }
    }

    /**
     * Removes all roles deployed under {@code handle}.
     *
     * @throws DeploymentException wrapping the RoleRemovalException
     */
    private void undeployRoles() throws DeploymentException {
        try {
            this.roleManager.undeployAllRoles(this.handle);
        } catch (RoleRemovalException e) {
            throw new DeploymentException(e);
        }
    }
}
