package weblogic.security;

import java.io.File;
import java.io.IOException;
import java.lang.annotation.Annotation;
import java.nio.file.FileSystems;
import java.nio.file.FileVisitResult;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.SimpleFileVisitor;
import java.nio.file.attribute.BasicFileAttributes;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.UserPrincipal;
import java.security.AccessController;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.inject.Inject;
import javax.inject.Named;
import org.glassfish.hk2.api.Rank;
import org.glassfish.hk2.runlevel.RunLevel;
import org.jvnet.hk2.annotations.Service;
import weblogic.descriptor.BeanUpdateEvent;
import weblogic.descriptor.BeanUpdateListener;
import weblogic.descriptor.BeanUpdateRejectedException;
import weblogic.management.DomainDir;
import weblogic.management.configuration.DomainMBean;
import weblogic.management.configuration.NetworkAccessPointMBean;
import weblogic.management.configuration.SSLMBean;
import weblogic.management.configuration.SecureModeMBean;
import weblogic.management.configuration.SecurityConfigurationMBean;
import weblogic.management.configuration.ServerMBean;
import weblogic.management.configuration.UnixMachineMBean;
import weblogic.management.internal.DefaultJMXPolicyManager;
import weblogic.management.provider.ManagementService;
import weblogic.management.provider.RuntimeAccess;
import weblogic.management.security.RealmMBean;
import weblogic.management.security.authentication.GroupReaderMBean;
import weblogic.management.security.authentication.PasswordValidatorMBean;
import weblogic.management.security.authentication.UserLockoutManagerMBean;
import weblogic.management.security.authentication.UserReaderMBean;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.providers.audit.DefaultAuditorMBean;
import weblogic.security.service.ConsumptionException;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.service.SSLConfigChecker;
import weblogic.security.shared.LoggerWrapper;
import weblogic.server.AbstractServerService;
import weblogic.server.GlobalServiceLocator;
import weblogic.server.ServerService;
import weblogic.server.ServiceFailureException;
import weblogic.utils.annotation.Secure;

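/**
 * Start-up validator for WebLogic "secure mode".
 *
 * <p>When {@code SecureModeMBean.isSecureModeEnabled()} is true this service (run level 20) audits the
 * domain configuration for settings that weaken a production deployment and reports every finding
 * through {@link SecurityLogger}. The checks are advisory: nothing is changed and start-up is never
 * refused. Covered areas are the default auditor's severity, password validators and a clear-text boot
 * password on the command line, account lockout settings, the Java security manager, ownership and
 * mode of domain files on POSIX file systems, privileged ports on Unix machines that do not switch
 * UID/GID after binding, the administration port, SSL configuration, well-known administrator user
 * names and an installed {@code samples} directory.
 *
 * <p>The service also listens for updates to the secure-mode bean: a change to
 * {@code RestrictiveJMXPolicies} on the administration server resets the default JMX policy manager.
 *
 * <p>Listing was recovered from a decompiled class; the defects fixed here (a loop that never advanced,
 * a per-server result that overwrote earlier failures, and a file-tree walk that aborted on the first
 * unreadable entry) are called out inline.
 */
@Service
@Rank(-100)
@Named
@RunLevel(20)
@Secure
/* loaded from: input_file:weblogic/security/SecureModeValidatorService.class */
public final class SecureModeValidatorService extends AbstractServerService implements BeanUpdateListener {

    /**
     * Not read anywhere in this class; presumably injected only so that HK2 initialises the
     * EnableListenersService before this one (an ordering dependency) -- confirm.
     */
    @Inject
    @Named("EnableListenersService")
    private ServerService enableListenersServerService;

    /** Domain security configuration, resolved in {@link #start()}. */
    private SecurityConfigurationMBean secMbean = null;

    /** Lockout is only considered secure if at most this many failed logins trigger it. */
    private static final long DEFAULT_LOCKOUT_TH = 5;
    /** ...and the lockout then lasts at least this long (unit is whatever the MBean uses, presumably minutes). */
    private static final long DEFAULT_LOCKOUT_DURATION_TH = 30;

    /* DefaultAuditor severity names; ERROR/SUCCESS/FAILURE are the thresholds rejected in secure mode. */
    private static final String SECURE_AUDITING_LEVEL_ERROR = "ERROR";
    private static final String SECURE_AUDITING_LEVEL_SUCCESS = "SUCCESS";
    private static final String SECURE_AUDITING_LEVEL_CUSTOM = "CUSTOM";
    private static final String SECURE_AUDITING_LEVEL_FAILURE = "FAILURE";

    private static final String CONFIG_FILE = "config.xml";
    private static final String NM_DIR = "nodemanager";
    private static final String NM_PASSWORD_FILE = "nm_password.properties";
    private static final String CONFIG_ARCHIVE_DIR = "configArchive";
    private static final String SAMPLES_DIR = "samples";

    /** Ports below this value normally require root to bind on Unix. */
    private static final int FIRST_UNPRIVILEGED_PORT = 1024;
    /** Channel port value treated as "not configured" by the port checks (presumably "inherit from server"). */
    private static final int PORT_NOT_SET = -1;

    /** Administrator account names an attacker will guess first. */
    private static final String[] WELL_KNOWN_ADMIN_NAMES = {"weblogic", "admin", "administrator", "system"};
    private static final String ADMINISTRATORS_GROUP = "Administrators";

    /**
     * Mode bits that make a domain file insecure: group write, or any access for "others".
     * Group read/execute is tolerated.
     */
    private static final Set<PosixFilePermission> DISALLOWED_PERMISSIONS = EnumSet.of(
            PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.OTHERS_READ,
            PosixFilePermission.OTHERS_WRITE,
            PosixFilePermission.OTHERS_EXECUTE);

    private static final AuthenticatedSubject kernelId = (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
    private static final LoggerWrapper log = LoggerWrapper.getInstance("SecurityService");
    private static final RuntimeAccess runtimeAccess = (RuntimeAccess) GlobalServiceLocator.getServiceLocator().getService(RuntimeAccess.class, new Annotation[0]);

    /**
     * Registers this instance as listener on the secure-mode bean so that {@link #activateUpdate} sees
     * configuration changes. Skipped when no RuntimeAccess service is available (e.g. outside a server).
     */
    public SecureModeValidatorService() {
        if (isDebugEnabled()) {
            log.debug("SecureModeValidatorService init");
        }
        if (runtimeAccess != null) {
            runtimeAccess.getDomain().getSecurityConfiguration().getSecureMode().addBeanUpdateListener(this);
        }
    }

    /** Resolves the domain security configuration and runs all secure-mode checks once. */
    public void start() throws ServiceFailureException {
        this.secMbean = ManagementService.getRuntimeAccess(kernelId).getDomain().getSecurityConfiguration();
        validate();
        if (isDebugEnabled()) {
            log.debug("finished starting SecureModeValidatorService");
        }
    }

    /** Nothing to release; the listener registration is left in place. */
    public void stop() throws ServiceFailureException {
        if (isDebugEnabled()) {
            log.debug("SecureModeValidatorService stop");
        }
    }

    /** Same as {@link #stop()}: this service holds no resources. */
    public void halt() throws ServiceFailureException {
        if (isDebugEnabled()) {
            log.debug("SecureModeValidatorService halt");
        }
    }

    /** No change to the secure-mode bean is ever rejected here. */
    public void prepareUpdate(BeanUpdateEvent beanUpdateEvent) throws BeanUpdateRejectedException {
    }

    /**
     * On the administration server, a change to {@code RestrictiveJMXPolicies} resets the default JMX
     * policy manager so the new policy set takes effect. Other properties are ignored.
     *
     * @throws RuntimeException wrapping the {@link ConsumptionException} if the reset fails
     */
    public void activateUpdate(BeanUpdateEvent beanUpdateEvent) {
        if (!ManagementService.getRuntimeAccess(kernelId).isAdminServer()) {
            return;
        }
        for (BeanUpdateEvent.PropertyUpdate update : beanUpdateEvent.getUpdateList()) {
            if ("RestrictiveJMXPolicies".equals(update.getPropertyName())) {
                try {
                    DefaultJMXPolicyManager.reset();
                } catch (ConsumptionException e) {
                    throw new RuntimeException((Throwable) e);
                }
            }
        }
    }

    /** Nothing was done in {@link #prepareUpdate}, so nothing to undo. */
    public void rollbackUpdate(BeanUpdateEvent beanUpdateEvent) {
    }

    /* JADX INFO: Access modifiers changed from: private */
    /** Null-safe debug-level check; the logger is created in a static initialiser that could fail. */
    public boolean isDebugEnabled() {
        return log != null && log.isDebugEnabled();
    }

    /**
     * Runs every secure-mode check, each gated by the corresponding {@code WarnOn*} switch where one
     * exists. Results are only logged; return values of the individual checks are not combined.
     */
    private void validate() {
        SecureModeMBean secureMode = this.secMbean.getSecureMode();
        if (!secureMode.isSecureModeEnabled()) {
            return;
        }
        for (RealmMBean realm : this.secMbean.getRealms()) {
            if (secureMode.isWarnOnAuditing()) {
                validateAuditConfig(realm);
            }
            validateUserPasswordConfig(realm);
            validateUserLockoutConfig(realm);
        }
        if (secureMode.isWarnOnJavaSecurityManager()) {
            checkJavaSecurityManager();
        }
        if (secureMode.isWarnOnInsecureFileSystem()) {
            validateFileSystem();
        }
        validatePortsConfig();
        if (secureMode.isWarnOnInsecureSSL()) {
            if (runtimeAccess != null) {
                ServerMBean server = runtimeAccess.getServer();
                new SSLConfigChecker(server.getSSL(), server.getNetworkAccessPoints()).checkAndLog();
            } else if (isDebugEnabled()) {
                // The constructor tolerates a missing RuntimeAccess; do the same here instead of failing with an NPE.
                log.debug("SecureModeValidatorService RuntimeAccess unavailable, skipping SSL configuration check");
            }
        }
        validateUsernames();
        validateSamples();
    }

    /**
     * Checks that the realm has at least one auditor and that every default auditor records enough.
     *
     * <p>The decompiled loop only advanced its index when the element was <em>not</em> a
     * {@code DefaultAuditorMBean}, so it would spin forever on the first default auditor; this version
     * iterates normally and stops at the first auditor whose level is inappropriate (the log message
     * only names the realm, so one warning per realm is sufficient).
     *
     * @return false if auditing is absent or configured too coarsely for secure mode
     */
    private boolean validateAuditConfig(RealmMBean realmMBean) {
        String realmName = realmMBean.getName();
        // getAuditors() presumably returns the AuditorMBean interface array; only the default auditor exposes a severity.
        Object[] auditors = realmMBean.getAuditors();
        if (auditors == null || auditors.length == 0) {
            SecurityLogger.logAuditingNotEnabledInSecureMode(realmName);
            return false;
        }
        for (Object auditor : auditors) {
            if (auditor instanceof DefaultAuditorMBean && !isAuditSeveritySecure((DefaultAuditorMBean) auditor)) {
                SecurityLogger.logAuditingLevelInappropriateInSecureMode(realmName);
                return false;
            }
        }
        return true;
    }

    /**
     * Severity policy as recovered from the original condition: ERROR, SUCCESS and FAILURE thresholds
     * are rejected, CUSTOM must have warning events enabled, and error and failure events must be
     * enabled in all cases.
     *
     * <p>NOTE(review): the error/failure flags are tested regardless of the selected severity, exactly
     * as in the original expression; whether they are meaningful for non-CUSTOM severities should be
     * confirmed against the DefaultAuditor documentation.
     */
    private static boolean isAuditSeveritySecure(DefaultAuditorMBean auditor) {
        String severity = auditor.getSeverity();
        if (SECURE_AUDITING_LEVEL_ERROR.equals(severity)
                || SECURE_AUDITING_LEVEL_SUCCESS.equals(severity)
                || SECURE_AUDITING_LEVEL_FAILURE.equals(severity)) {
            return false;
        }
        if (SECURE_AUDITING_LEVEL_CUSTOM.equals(severity) && !auditor.getWarningAuditSeverityEnabled()) {
            return false;
        }
        return auditor.getErrorAuditSeverityEnabled() && auditor.getFailureAuditSeverityEnabled();
    }

    /**
     * Warns when the boot password is passed in clear text via {@code -Dweblogic.management.password}
     * (visible to every local user through the process list) and when the realm has no password
     * validator. The system-property check is domain-wide but evaluated once per realm, so the warning
     * repeats for multi-realm domains.
     *
     * @return false if either condition was found
     */
    private boolean validateUserPasswordConfig(RealmMBean realmMBean) {
        boolean secure = true;
        String commandLinePassword = System.getProperty("weblogic.management.password");
        if (commandLinePassword != null && !commandLinePassword.trim().isEmpty()) {
            secure = false;
            SecurityLogger.logUnEncryptedPasswdInCommandLine();
        }
        PasswordValidatorMBean[] validators = realmMBean.getPasswordValidators();
        if (validators == null || validators.length == 0) {
            secure = false;
            SecurityLogger.logNoPasswordValidatorInSecureMode(realmMBean.getName());
        }
        return secure;
    }

    /**
     * Lockout must be enabled, trigger after at most {@link #DEFAULT_LOCKOUT_TH} failures and last at
     * least {@link #DEFAULT_LOCKOUT_DURATION_TH}; anything weaker leaves the realm open to online
     * password guessing.
     *
     * @return true if the lockout settings meet the secure-mode minimum
     */
    private boolean validateUserLockoutConfig(RealmMBean realmMBean) {
        UserLockoutManagerMBean lockout = realmMBean.getUserLockoutManager();
        boolean strictEnough = lockout.isLockoutEnabled()
                && lockout.getLockoutThreshold() <= DEFAULT_LOCKOUT_TH
                && lockout.getLockoutDuration() >= DEFAULT_LOCKOUT_DURATION_TH;
        if (!strictEnough) {
            SecurityLogger.logLockoutSettingNotSecureInSecureMode(realmMBean.getName());
        }
        return strictEnough;
    }

    /** @return true if a Java security manager is installed in this JVM */
    private boolean checkJavaSecurityManager() {
        boolean installed = System.getSecurityManager() != null;
        if (!installed) {
            SecurityLogger.logSecurityManagerNotEnabledInSecureMode();
        }
        return installed;
    }

    /**
     * For every server on a Unix machine that does not switch UID <em>and</em> GID after binding,
     * flags privileged listen ports (the process would have to keep running as root), and warns if
     * the domain-wide administration port is disabled.
     *
     * <p>The decompiled version assigned the per-server result to the accumulator, so a compliant
     * server listed after a non-compliant one reset the result to {@code true}; failures now stick.
     *
     * @return false if any server or the domain failed a check
     */
    private boolean validatePortsConfig() {
        boolean secure = true;
        DomainMBean domain = this.secMbean.getParent();
        for (ServerMBean server : domain.getServers()) {
            // getMachine() presumably returns the generic MachineMBean; only Unix machines carry post-bind settings.
            Object machine = server.getMachine();
            if (!(machine instanceof UnixMachineMBean)) {
                continue;
            }
            UnixMachineMBean unixMachine = (UnixMachineMBean) machine;
            if (!unixMachine.isPostBindUIDEnabled() || !unixMachine.isPostBindGIDEnabled()) {
                if (!validateServerPorts(unixMachine.getName(), server)) {
                    secure = false;
                }
            }
        }
        if (!domain.isAdministrationPortEnabled()) {
            secure = false;
            SecurityLogger.logAdministrationPortNotEnabledInSecureMode();
        }
        return secure;
    }

    /**
     * Logs every enabled port of {@code server} that is below {@link #FIRST_UNPRIVILEGED_PORT}:
     * the plain listen port, the administration port, the SSL port and each enabled network channel's
     * listen and public ports (channel ports equal to {@link #PORT_NOT_SET} are skipped).
     *
     * <p>NOTE(review): the public port is the advertised address; if it is terminated by a load
     * balancer or NAT device it is never bound by this process, so that warning may be spurious --
     * kept as in the original.
     *
     * @param machineName machine named in the warning
     * @return false if at least one privileged port was found
     */
    private boolean validateServerPorts(String machineName, ServerMBean server) {
        boolean secure = true;
        if (server.isListenPortEnabled() && isPrivilegedPort(server.getListenPort())) {
            secure = false;
            SecurityLogger.logUnixMachinePostBindNotEnabled(machineName, server.getListenPort());
        }
        if (server.isAdministrationPortEnabled() && isPrivilegedPort(server.getAdministrationPort())) {
            secure = false;
            SecurityLogger.logUnixMachinePostBindNotEnabled(machineName, server.getAdministrationPort());
        }
        SSLMBean ssl = server.getSSL();
        if (ssl.isEnabled() && isPrivilegedPort(ssl.getListenPort())) {
            secure = false;
            SecurityLogger.logUnixMachinePostBindNotEnabled(machineName, ssl.getListenPort());
        }
        for (NetworkAccessPointMBean channel : server.getNetworkAccessPoints()) {
            if (!channel.isEnabled()) {
                continue;
            }
            int listenPort = channel.getListenPort();
            if (listenPort != PORT_NOT_SET && isPrivilegedPort(listenPort)) {
                secure = false;
                SecurityLogger.logUnixMachinePostBindNotEnabled(machineName, listenPort);
            }
            int publicPort = channel.getPublicPort();
            if (publicPort != PORT_NOT_SET && isPrivilegedPort(publicPort)) {
                secure = false;
                SecurityLogger.logUnixMachinePostBindNotEnabled(machineName, publicPort);
            }
        }
        return secure;
    }

    /** @return true for ports that need root to bind on Unix (including negative placeholders, so guard those first) */
    private static boolean isPrivilegedPort(int port) {
        return port < FIRST_UNPRIVILEGED_PORT;
    }

    /**
     * On POSIX file systems, checks ownership and mode of the sensitive domain files ({@code config.xml},
     * the node-manager password file) and of the protected directory trees (bin, diagnostics, JDBC, JMS,
     * configArchive, nodemanager, security, partitions, and each server's bin, LDAP, store, security and
     * log directories). The owner of the domain root is the identity every entry must match.
     *
     * <p>Each directory tree is checked independently: previously one exception in a tree aborted the
     * loop and the remaining directories were silently never examined.
     */
    private void validateFileSystem() {
        if (!FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            return; // owner/mode checks below are POSIX-specific
        }
        try {
            String rootDir = DomainDir.getRootDir();
            String configDir = DomainDir.getConfigDir();
            String[] sensitiveFiles = {
                configDir + File.separator + CONFIG_FILE,
                configDir + File.separator + NM_DIR + File.separator + NM_PASSWORD_FILE
            };
            List<String> protectedDirs = new ArrayList<>(Arrays.asList(
                    DomainDir.getBinDir(),
                    DomainDir.getDiagnosticsDir(),
                    DomainDir.getJDBCDir(),
                    DomainDir.getJMSDir(),
                    rootDir + File.separator + CONFIG_ARCHIVE_DIR,
                    rootDir + File.separator + NM_DIR,
                    DomainDir.getSecurityDir(),
                    DomainDir.getPartitionsDir()));
            for (ServerMBean server : this.secMbean.getParent().getServers()) {
                String serverName = server.getName();
                protectedDirs.add(DomainDir.getBinDirForServer(serverName));
                protectedDirs.add(DomainDir.getLDAPDataDirForServer(serverName));
                protectedDirs.add(DomainDir.getStoreDataDirForServer(serverName));
                protectedDirs.add(DomainDir.getSecurityDirForServer(serverName));
                protectedDirs.add(DomainDir.getLogsDirForServer(serverName));
            }
            UserPrincipal expectedOwner = Files.getOwner(Paths.get(rootDir), LinkOption.NOFOLLOW_LINKS);
            for (String file : sensitiveFiles) {
                if (Files.exists(Paths.get(file), LinkOption.NOFOLLOW_LINKS)) {
                    validateFileSecurity(file, expectedOwner);
                }
            }
            for (String dir : protectedDirs) {
                try {
                    validateDirectorySecurity(dir, expectedOwner);
                } catch (Exception e) {
                    if (isDebugEnabled()) {
                        log.debug("SecureModeValidatorService exception validating directory tree " + dir, e);
                    }
                }
            }
        } catch (Exception e) {
            if (isDebugEnabled()) {
                log.debug("SecureModeValidatorService exception validating file system", e);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Logs a warning if {@code str} is not owned by {@code userPrincipal} or carries any of
     * {@link #DISALLOWED_PERMISSIONS}. Links are not followed; for a symbolic link only the ownership is
     * checked, because the link's own mode bits do not govern access to its target (Linux reports them
     * as 0777 unconditionally, so checking them only produced a warning for every link).
     *
     * <p>Failures to read attributes are logged at debug level and otherwise ignored: this is a
     * best-effort advisory check, not an enforcement point.
     *
     * @param str path to check
     * @param userPrincipal owner every domain entry is expected to have
     */
    public void validateFileSecurity(String str, UserPrincipal userPrincipal) throws Exception {
        Path path = Paths.get(str);
        try {
            UserPrincipal actualOwner = Files.getOwner(path, LinkOption.NOFOLLOW_LINKS);
            if (!actualOwner.equals(userPrincipal)) {
                SecurityLogger.logFileOwnerInsecureSecureMode(str, actualOwner.getName(), userPrincipal.getName());
            }
            if (Files.isSymbolicLink(path)) {
                return;
            }
            Set<PosixFilePermission> mode = Files.getPosixFilePermissions(path, LinkOption.NOFOLLOW_LINKS);
            if (mode != null && !Collections.disjoint(mode, DISALLOWED_PERMISSIONS)) {
                SecurityLogger.logFilePermissionInsecureSecureMode(str);
            }
        } catch (Exception e) {
            if (isDebugEnabled()) {
                log.debug("SecureModeValidatorService exception validating file security " + str, e);
            }
        }
    }

    /**
     * Walks {@code dir} (if it exists) and applies {@link #validateFileSecurity} to the directory itself,
     * every sub-directory and every file. {@code Files.walkFileTree} does not follow symbolic links
     * unless asked to, so the walk cannot escape the domain tree through a planted link.
     *
     * @throws Exception if the walk itself fails (entries that merely cannot be read are skipped, see
     *         {@link OwnershipAndModeVisitor#visitFileFailed})
     */
    private void validateDirectorySecurity(String dir, UserPrincipal expectedOwner) throws Exception {
        Path root = Paths.get(dir);
        if (Files.exists(root, LinkOption.NOFOLLOW_LINKS)) {
            Files.walkFileTree(root, new OwnershipAndModeVisitor(expectedOwner));
        }
    }

    /** File visitor that checks every entry and never aborts the walk. */
    private final class OwnershipAndModeVisitor extends SimpleFileVisitor<Path> {
        private final UserPrincipal expectedOwner;

        OwnershipAndModeVisitor(UserPrincipal expectedOwner) {
            this.expectedOwner = expectedOwner;
        }

        @Override
        public FileVisitResult preVisitDirectory(Path dir, BasicFileAttributes attrs) {
            check(dir, "directory");
            return FileVisitResult.CONTINUE;
        }

        @Override
        public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) {
            check(file, "file");
            return FileVisitResult.CONTINUE;
        }

        /**
         * The inherited implementation rethrows, which would terminate the whole walk on the first
         * unreadable entry and leave the rest of the tree unchecked; note it and carry on instead.
         */
        @Override
        public FileVisitResult visitFileFailed(Path file, IOException exc) {
            if (isDebugEnabled()) {
                log.debug("SecureModeValidatorService cannot read " + file + " while validating file security", exc);
            }
            return FileVisitResult.CONTINUE;
        }

        private void check(Path entry, String kind) {
            try {
                validateFileSecurity(entry.toString(), expectedOwner);
            } catch (Exception e) {
                if (isDebugEnabled()) {
                    log.debug("SecureModeValidatorService exception validating " + kind + " security " + entry, e);
                }
            }
        }
    }

    /**
     * Warns for every {@link #WELL_KNOWN_ADMIN_NAMES} entry that exists and belongs to the
     * Administrators group in any authentication provider able to answer both questions. Predictable
     * administrator names halve the work of a credential-guessing attack.
     */
    private void validateUsernames() {
        try {
            for (RealmMBean realm : this.secMbean.getRealms()) {
                // getAuthenticationProviders() presumably returns the generic provider interface; a provider
                // must implement both reader interfaces for the lookup below.
                for (Object provider : realm.getAuthenticationProviders()) {
                    if (!(provider instanceof UserReaderMBean) || !(provider instanceof GroupReaderMBean)) {
                        continue;
                    }
                    UserReaderMBean users = (UserReaderMBean) provider;
                    GroupReaderMBean groups = (GroupReaderMBean) provider;
                    for (String name : WELL_KNOWN_ADMIN_NAMES) {
                        // third argument presumably requests nested (recursive) group membership -- confirm
                        if (users.userExists(name) && groups.isMember(ADMINISTRATORS_GROUP, name, true)) {
                            SecurityLogger.logAdminUserInsecureName(name);
                        }
                    }
                }
            }
        } catch (Exception e) {
            if (isDebugEnabled()) {
                log.debug("SecureModeValidatorService exception validating user names ", e);
            }
        }
    }

    /** Warns if the product's {@code samples} directory is installed; sample applications are not meant for production hosts. */
    private void validateSamples() {
        try {
            File samples = new File(runtimeAccess.getServerRuntime().getWeblogicHome() + File.separator + SAMPLES_DIR);
            if (samples.isDirectory()) {
                SecurityLogger.logSamplesInstalledInSecureMode();
            }
        } catch (Exception e) {
            if (isDebugEnabled()) {
                log.debug("SecureModeValidatorService exception validating samples directory ", e);
            }
        }
    }
}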
