package weblogic.security.service.internal;

import java.security.AccessController;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import weblogic.security.SecurityLogger;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.service.AdminResource;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.service.RoleManager;
import weblogic.security.service.SecurityServiceManager;
import weblogic.security.utils.ResourceIDDContextWrapper;

/* loaded from: input_file:weblogic/security/service/internal/SubjectRoleDelegateImpl.class */
/**
 * Answers "is this subject an administrator?" and "would acting as that other
 * identity raise this subject's privileges?" by consulting the role managers
 * exposed through {@link SecurityServiceManager}.
 *
 * <p>All role lookups in this class are evaluated against an
 * {@code AdminResource} named {@code "Configuration"} and the role name
 * {@code "Admin"}; {@link #doesUserHaveAnyAdminRoles} instead asks the
 * authorization manager about an {@code AdminResource} named
 * {@code "AdminChannel"}.
 */
public class SubjectRoleDelegateImpl implements SubjectRoleDelegate {
    // Kernel identity resolved once at class initialisation; it is the caller
    // identity handed to the security service lookups below.
    private static final AuthenticatedSubject kernelId = (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
    private static final String ADMIN = "Admin";
    private static final String[] ADMIN_ROLE_ARRAY = {ADMIN};

    /**
     * Converts a JAAS subject and reports whether it holds the Admin role.
     *
     * @param subject subject to test; must not be {@code null}
     * @return {@code true} if the converted subject is the kernel identity or
     *         holds the Admin role
     * @throws AssertionError if {@code subject} is {@code null}
     */
    public boolean isUserAnAdministrator(Subject subject) {
        checkSubjectNonNull(subject);
        AuthenticatedSubject converted = AuthenticatedSubject.getFromSubject(subject);
        return isUserAnAdministrator(converted);
    }

    /**
     * Reports whether the subject holds the Admin role.
     *
     * @param authenticatedSubject subject to test; must not be {@code null}
     * @return result of {@link #isUserInAdminRoles} for the single role "Admin"
     * @throws AssertionError if {@code authenticatedSubject} is {@code null}
     */
    public boolean isUserAnAdministrator(AuthenticatedSubject authenticatedSubject) {
        return isUserInAdminRoles(authenticatedSubject, ADMIN_ROLE_ARRAY);
    }

    /**
     * Decides whether the first subject acting as the second would be an
     * escalation to administrator, using the context-sensitive realm.
     *
     * @param authenticatedSubject  subject requesting the identity switch
     * @param authenticatedSubject2 identity that would be assumed
     * @return {@code false} when the requester is the kernel identity or
     *         already an administrator; otherwise the outcome of the realm
     *         comparison in {@code checkAdminPrivilegeEscalation}
     */
    public boolean isAdminPrivilegeEscalation(AuthenticatedSubject authenticatedSubject, AuthenticatedSubject authenticatedSubject2) {
        if (isKernelOrAdministrator(authenticatedSubject)) {
            return false;
        }
        String realmName = SecurityServiceManager.getContextSensitiveRealmName();
        return checkAdminPrivilegeEscalation(authenticatedSubject, authenticatedSubject2, realmName);
    }

    /**
     * Variant that takes the target as a principal name and an optional realm.
     *
     * <p>The name is turned into a subject through the realm's principal
     * authenticator, called under the kernel identity.
     * NOTE(review): presumably {@code impersonateIdentity} builds that subject
     * without credentials; confirm the result is used only for this comparison.
     *
     * @param authenticatedSubject subject requesting the identity switch
     * @param str                  principal name of the identity to assume
     * @param str2                 realm name, or {@code null} to use the
     *                             context-sensitive realm
     * @return {@code false} when the requester is the kernel identity or
     *         already an administrator; otherwise the escalation decision
     * @throws IllegalArgumentException for any exception raised while resolving
     *         the principal or evaluating roles
     */
    public boolean isAdminPrivilegeEscalation(AuthenticatedSubject authenticatedSubject, String str, String str2) {
        if (isKernelOrAdministrator(authenticatedSubject)) {
            return false;
        }
        String realmName;
        if (str2 != null) {
            realmName = str2;
        } else {
            realmName = SecurityServiceManager.getContextSensitiveRealmName();
        }
        try {
            AuthenticatedSubject impersonated = SecurityServiceManager.getPrincipalAuthenticator(kernelId, realmName).impersonateIdentity(str);
            return checkAdminPrivilegeEscalation(authenticatedSubject, impersonated, realmName);
        } catch (Exception e) {
            // Every failure, including one from the role evaluation itself, is
            // reported as an invalid principal name, so the method never
            // answers "no escalation" on error. The message carries the
            // caller-supplied name verbatim; anything that logs it should
            // neutralise control characters first.
            throw new IllegalArgumentException("Invalid principal name: " + str, e);
        }
    }

    /**
     * Asks the administrative realm's authorization manager whether the subject
     * may access the {@code "AdminChannel"} admin resource.
     *
     * <p>Unlike the other public checks, this method performs no null check on
     * its argument before delegating.
     *
     * @param authenticatedSubject subject to test
     * @return the authorization manager's access decision
     */
    public boolean doesUserHaveAnyAdminRoles(AuthenticatedSubject authenticatedSubject) {
        String adminRealm = SecurityServiceManager.getAdministrativeRealmName();
        return SecurityServiceManager.getAuthorizationManager(kernelId, adminRealm)
                .isAccessAllowed(
                        authenticatedSubject,
                        new AdminResource("AdminChannel", (String) null, (String) null),
                        new ResourceIDDContextWrapper());
    }

    /**
     * Reports whether the subject holds at least one of the given roles in the
     * administrative realm.
     *
     * <p>The kernel identity is accepted before any role lookup is made.
     *
     * @param authenticatedSubject subject to test; must not be {@code null}
     * @param strArr               role names to look for
     * @return {@code true} for the kernel identity or on the first matching role
     * @throws AssertionError if {@code authenticatedSubject} is {@code null}
     */
    public boolean isUserInAdminRoles(AuthenticatedSubject authenticatedSubject, String[] strArr) {
        checkSubjectNonNull(authenticatedSubject);
        if (SecurityServiceManager.isKernelIdentity(authenticatedSubject)) {
            return true;
        }
        // NOTE(review): the kernel identity is fetched again here instead of
        // reusing the cached kernelId field; presumably equivalent, confirm.
        AuthenticatedSubject kernel = (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
        String adminRealm = SecurityServiceManager.getAdministrativeRealmName();
        RoleManager adminRealmRoles = SecurityServiceManager.getRoleManager(kernel, adminRealm);
        Map roles = adminRealmRoles.getRoles(authenticatedSubject, new AdminResource("Configuration", (String) null, (String) null), new ResourceIDDContextWrapper());
        for (int i = 0; i < strArr.length; i++) {
            if (SecurityServiceManager.isUserInRole(authenticatedSubject, strArr[i], roles)) {
                return true;
            }
        }
        return false;
    }

    /** Rejects a {@code null} subject with an {@link AssertionError}. */
    private static void checkSubjectNonNull(Object candidate) {
        if (candidate != null) {
            return;
        }
        throw new AssertionError(SecurityLogger.getIllegalNullSubject());
    }

    /** Shared guard: the requester is the kernel identity or already an administrator. */
    private boolean isKernelOrAdministrator(AuthenticatedSubject requester) {
        return SecurityServiceManager.isKernelIdentity(requester) || isUserAnAdministrator(requester);
    }

    /**
     * Core escalation decision for a requester already known to be neither the
     * kernel identity nor an administrator.
     *
     * <p>When {@code realmName} is the administrative realm, the result is
     * simply whether the target holds Admin there. For any other realm the
     * result is {@code true} if the target is an administrator in the
     * administrative realm, or if the target holds Admin in {@code realmName}
     * while the requester does not.
     *
     * @param requester subject requesting the identity switch
     * @param target    identity that would be assumed
     * @param realmName realm whose role manager is consulted
     * @return {@code true} if assuming {@code target} would escalate privileges
     */
    private boolean checkAdminPrivilegeEscalation(AuthenticatedSubject requester, AuthenticatedSubject target, String realmName) {
        boolean inAdminRealm = SecurityServiceManager.getAdministrativeRealmName().equals(realmName);
        RoleManager realmRoles = SecurityServiceManager.getRoleManager(kernelId, realmName);
        AdminResource configuration = new AdminResource("Configuration", (String) null, (String) null);

        // The requester's realm roles are only looked up outside the admin realm.
        boolean requesterIsRealmAdmin = !inAdminRealm
                && SecurityServiceManager.isUserInRole(requester, ADMIN, realmRoles.getRoles(requester, configuration, new ResourceIDDContextWrapper()));
        boolean targetIsRealmAdmin = SecurityServiceManager.isUserInRole(target, ADMIN, realmRoles.getRoles(target, configuration, new ResourceIDDContextWrapper()));

        if (inAdminRealm) {
            return targetIsRealmAdmin;
        }

        // Outside the admin realm the target is always checked against the
        // administrative realm as well, whatever its roles in this realm.
        boolean targetIsAdministrator = isUserAnAdministrator(target);
        if (targetIsAdministrator) {
            return true;
        }
        return targetIsRealmAdmin && !requesterIsRealmAdmin;
    }
}
