package weblogic.security.service;

import java.lang.annotation.Annotation;
import java.security.AccessController;
import java.security.Principal;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.security.auth.login.LoginException;
import org.jvnet.hk2.annotations.Service;
import weblogic.deploy.event.DeploymentEventManager;
import weblogic.kernel.Kernel;
import weblogic.management.DeploymentException;
import weblogic.management.configuration.DomainMBean;
import weblogic.management.configuration.SecurityConfigurationMBean;
import weblogic.management.provider.CommandLine;
import weblogic.management.provider.ManagementService;
import weblogic.management.security.RDBMSSecurityStoreMBean;
import weblogic.management.security.RealmMBean;
import weblogic.management.security.authentication.AuthenticationProviderMBean;
import weblogic.security.SecurityInitializationException;
import weblogic.security.SecurityLogger;
import weblogic.security.SubjectUtils;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.acl.internal.AuthenticatedUser;
import weblogic.security.internal.ServerPrincipalValidatorImpl;
import weblogic.security.principal.WLSAbstractPrincipal;
import weblogic.security.principal.WLSKernelIdentity;
import weblogic.security.principal.WLSServerIdentity;
import weblogic.security.providers.authentication.DefaultAuthenticatorMBean;
import weblogic.security.service.SecurityService;
import weblogic.security.spi.WLSGroup;
import weblogic.security.spi.WLSUser;
import weblogic.security.subject.SubjectManager;
import weblogic.security.utils.KeyStoreConfigurationHelper;
import weblogic.security.utils.KeyStoreInfo;
import weblogic.security.utils.MBeanKeyStoreConfiguration;
import weblogic.server.GlobalServiceLocator;
import weblogic.t3.srvr.WebLogicServer;
import weblogic.utils.annotation.Secure;

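/* loaded from: input_file:weblogic/security/service/SecurityServiceManagerDelegate2Impl.class */
/**
 * Default {@link SecurityServiceManagerDelegate2} implementation.
 *
 * <p>It converts between the wire-level {@link AuthenticatedUser} form and in-process
 * {@link AuthenticatedSubject}s, seals subjects with the kernel identity, lazily creates and
 * signs this server's own identity, and exposes a few security-configuration switches that are
 * read once during {@link #initializeConfiguration(AuthenticatedSubject)}.
 *
 * <p>Thread-safety: the server identity and its validator are published under the kernel
 * permission lock (see {@link #getServerID()}). The remaining mutable fields are written by the
 * {@code initialize*} methods and read afterwards without synchronization, which presumes those
 * methods complete before concurrent use. NOTE(review): confirm that ordering with the caller.
 */
@Service
@Secure
public final class SecurityServiceManagerDelegate2Impl implements SecurityServiceManagerDelegate2 {
    /**
     * Process-wide kernel identity. {@code SecurityManager} here is the WebLogic class in this
     * package, not {@code java.lang.SecurityManager}.
     */
    private static final AuthenticatedSubject kernelIdentity = SecurityManager.getKernelIdentity();
    /** Not referenced in this class; retained so the constant keeps its previous value. */
    private static final int NEW_CRED_LEN = 32;
    // volatile: both are assigned inside getServerID()'s synchronized block but read elsewhere
    // without that lock; double-checked locking is only a safe publication with volatile.
    private volatile AuthenticatedSubject serverIdentity;
    private volatile ServerPrincipalValidatorImpl serverValidator;
    private SecurityServiceManagerDelegate serviceDelegate = null;
    private boolean permitAnonymousAdmin = false;
    private SecurityConfigurationMBean securityConfigMbean = null;
    /** The domain credential read from the security configuration; treat as a secret. */
    private String tdsCred = null;
    /** True until seal() first observes the server in run state 2 (see seal()). */
    private boolean isBooting = true;
    private PrincipalAuthenticator defaultRealmNamePA = null;
    private boolean areWebappFilesCaseInsensitive = false;
    private boolean areWebappFilesCaseInsensitiveSet = false;
    private boolean enforceStrictURLPattern = true;
    private boolean enforceValidBasicAuthCredentials = true;

    /** Returns the delegate installed by initializeServiceDelegate(), or null before that. */
    private SecurityServiceManagerDelegate getServiceDelegate() {
        return this.serviceDelegate;
    }

    /**
     * Returns the default realm's authentication service, or null until
     * initializeServiceDelegate() has run.
     */
    private PrincipalAuthenticator getDefaultRealmPrincipalAuthenticator() {
        return this.defaultRealmNamePA;
    }

    /**
     * Converts a wire-level user into a subject.
     *
     * <p>Null maps to the anonymous subject; an {@link AuthenticatedSubject} is routed through
     * {@link #getASFromWire(AuthenticatedSubject)}; on a server the default realm is asked to
     * assert the identity first, and only if that yields nothing is an unasserted subject built
     * that carries the user as a public credential.
     *
     * @param authenticatedUser the wire-level user, may be null
     * @return a non-null subject
     */
    public AuthenticatedSubject getASFromAU(AuthenticatedUser authenticatedUser) {
        if (authenticatedUser == null) {
            return SubjectUtils.getAnonymousSubject();
        }
        if (authenticatedUser instanceof AuthenticatedSubject) {
            return getASFromWire((AuthenticatedSubject) authenticatedUser);
        }
        if (Kernel.isServer()) {
            AuthenticatedSubject asserted = getASFromAUInServer(authenticatedUser);
            if (asserted != null) {
                return asserted;
            }
        }
        // Fallback: wrap the user without assertion; the user object itself becomes a public
        // credential so downstream code can still recover it.
        AuthenticatedSubject wrapped = new AuthenticatedSubject(authenticatedUser);
        wrapped.getPublicCredentials().add(authenticatedUser);
        return wrapped;
    }

    /**
     * Converts a wire-level user and seals the result.
     *
     * <p>If sealing rejects the subject and the security configuration has
     * {@code DowngradeUntrustedPrincipals} enabled, the rejection is logged and the anonymous
     * subject is returned instead; otherwise the {@link SecurityException} propagates.
     *
     * @param authenticatedSubject the caller's identity, must be the kernel identity
     * @param authenticatedUser the wire-level user, may be null
     * @return the sealed subject, or the anonymous subject after a permitted downgrade
     * @throws SecurityException when validation fails and downgrading is not enabled
     */
    public AuthenticatedSubject getSealedSubjectFromWire(AuthenticatedSubject authenticatedSubject, AuthenticatedUser authenticatedUser) {
        AuthenticatedSubject subject = getASFromAU(authenticatedUser);
        try {
            return seal(authenticatedSubject, subject);
        } catch (SecurityException e) {
            boolean downgradeAllowed = this.securityConfigMbean != null
                    && this.securityConfigMbean.getDowngradeUntrustedPrincipals();
            if (!downgradeAllowed) {
                throw e;
            }
            SecurityLogger.logDowngradingUntrustedIdentity(subject.toString());
            return SubjectUtils.getAnonymousSubject();
        }
    }

    /**
     * Like {@link #getASFromAU(AuthenticatedUser)}, but on a server never falls back to an
     * unasserted subject: a failed assertion yields the anonymous subject.
     *
     * @param authenticatedUser the wire-level user, may be null
     * @return a non-null subject
     */
    public AuthenticatedSubject getASFromAUInServerOrClient(AuthenticatedUser authenticatedUser) {
        if (!Kernel.isServer()) {
            return getASFromAU(authenticatedUser);
        }
        AuthenticatedSubject asserted = getASFromAUInServer(authenticatedUser);
        return asserted != null ? asserted : SubjectUtils.getAnonymousSubject();
    }

    /**
     * Asks the default realm to assert an {@code "AuthenticatedUser"} token.
     *
     * @return the asserted subject, or null when the realm rejects the token
     */
    private AuthenticatedSubject getASFromAUInServer(AuthenticatedUser authenticatedUser) {
        try {
            // NPE here if called before initializeServiceDelegate(); presumably the caller
            // guarantees that ordering — confirm.
            return getDefaultRealmPrincipalAuthenticator().assertIdentity("AuthenticatedUser", authenticatedUser);
        } catch (LoginException ignored) {
            // Best effort by design: a rejected token is reported as "no subject" and the
            // callers decide whether to wrap or downgrade to anonymous.
            return null;
        }
    }

    /**
     * Normalizes a subject received from the wire.
     *
     * <p>A subject whose sole principal is a {@link WLSServerIdentity} is mapped to the kernel
     * identity when it is already sealed or when the validator accepts the principal's
     * signature; an unverifiable server identity is logged and downgraded to anonymous. Any
     * other subject is returned unchanged. NOTE(review): the already-sealed shortcut assumes
     * {@code isSealed()} cannot be set by a remote peer — confirm sealing is in-process only.
     *
     * @param authenticatedSubject the received subject, must not be null
     * @return the subject to use in-process
     * @throws NullPointerException if {@code authenticatedSubject} is null
     */
    public AuthenticatedSubject getASFromWire(AuthenticatedSubject authenticatedSubject) {
        // The original dereferenced the subject before its null check; make the precondition explicit.
        Objects.requireNonNull(authenticatedSubject, "authenticatedSubject");
        Set<?> principals = authenticatedSubject.getPrincipals();
        if (principals.size() != 1) {
            return authenticatedSubject;
        }
        Principal sole = (Principal) principals.iterator().next();
        if (!(sole instanceof WLSServerIdentity) || this.serverValidator == null) {
            return authenticatedSubject;
        }
        if (authenticatedSubject.isSealed()) {
            return kernelIdentity;
        }
        if (this.serverValidator.validate((WLSServerIdentity) sole)) {
            seal(kernelIdentity, authenticatedSubject);
            return kernelIdentity;
        }
        SecurityLogger.logDowngradingUntrustedServerIdentity();
        return SubjectUtils.getAnonymousSubject();
    }

    /**
     * Prepares a subject for transmission: the kernel identity never leaves the process and
     * is replaced by this server's signed identity.
     */
    public AuthenticatedSubject sendASToWire(AuthenticatedSubject authenticatedSubject) {
        return isKernelIdentity(authenticatedSubject) ? getServerID() : authenticatedSubject;
    }

    /**
     * Reduces a subject to its wire-level user form.
     *
     * <p>An exact {@link AuthenticatedUser} is returned as is; anything else is assumed to be an
     * {@link AuthenticatedSubject} and rebuilt from its principals (a different subclass would
     * fail the cast with {@link ClassCastException}, as before).
     */
    public AuthenticatedUser convertToAuthenticatedUser(AuthenticatedUser authenticatedUser) {
        if (authenticatedUser.getClass().equals(AuthenticatedUser.class)) {
            return authenticatedUser;
        }
        return getAuthenticatedUserFromPrincipals(((AuthenticatedSubject) authenticatedUser).getPrincipals());
    }

    /**
     * Builds the wire-level user for a principal set.
     *
     * <p>Precedence: the kernel principal or a validated server identity becomes the
     * {@code "system"} user; an empty set yields null; a {@link WLSUser} (or, failing that, the
     * last plain principal) is certified by name; on a client a signed
     * {@link WLSAbstractPrincipal} is carried across with its signature and salt.
     *
     * @throws IllegalArgumentException if the set has principals but none that identifies a user
     */
    private AuthenticatedUser getAuthenticatedUserFromPrincipals(Set<?> set) {
        WLSServerIdentity serverPrincipal = null;
        WLSKernelIdentity kernelPrincipal = null;
        WLSUser user = null;
        Principal other = null;
        for (Object obj : set) {
            if (obj instanceof WLSServerIdentity) {
                serverPrincipal = (WLSServerIdentity) obj;
            } else if (obj instanceof WLSKernelIdentity) {
                kernelPrincipal = (WLSKernelIdentity) obj;
            } else if (obj instanceof WLSUser) {
                user = (WLSUser) obj;
            } else if (!(obj instanceof WLSGroup)) {
                other = (Principal) obj;
            }
        }
        // serverValidator is null until getServerID() has run; an NPE here fails closed rather
        // than certifying a server principal as an ordinary user, so it is left as is.
        boolean isSystem = (kernelPrincipal != null && SubjectManagerImpl.kernelPrincipal.equals(kernelPrincipal))
                || (serverPrincipal != null && this.serverValidator.validate(serverPrincipal));
        if (isSystem) {
            return certifyUser("system", true);
        }
        if (set.isEmpty()) {
            return null;
        }
        if (user == null) {
            if (other != null) {
                return certifyUser(other.getName(), false);
            }
            throw new IllegalArgumentException(SecurityLogger.getPrincipalSetDoesNotContainRAUser());
        }
        if (Kernel.isServer() || !(user instanceof WLSAbstractPrincipal)) {
            return certifyUser(user.getName(), false);
        }
        WLSAbstractPrincipal signed = (WLSAbstractPrincipal) user;
        return new AuthenticatedUser(signed.getName(), signed.getSignature(), signed.getSalt());
    }

    /**
     * Creates a wire-level user certified with the domain credential.
     *
     * @param userName the user name to certify
     * @param isSystem whether to build the privileged (system) form
     */
    private AuthenticatedUser certifyUser(String userName, boolean isSystem) {
        if (this.securityConfigMbean == null) {
            this.securityConfigMbean = ManagementService.getRuntimeAccess(kernelIdentity).getDomain().getSecurityConfiguration();
        }
        if (this.tdsCred == null) {
            this.tdsCred = this.securityConfigMbean.getCredential();
        }
        // tdsCred is the domain credential: never log it or include it in error text.
        if (isSystem) {
            return new AuthenticatedUser(userName, this.tdsCred, 1L);
        }
        return new AuthenticatedUser(userName, this.tdsCred);
    }

    /**
     * Returns this server's identity subject (null until {@link #getServerID()} has run).
     *
     * @throws NotAuthorizedRuntimeException if the caller is not the kernel identity
     */
    public AuthenticatedSubject getServerIdentity(AuthenticatedSubject authenticatedSubject) {
        checkKernelIdentity(authenticatedSubject);
        return this.serverIdentity;
    }

    /**
     * Tells whether the subject carries a {@link WLSServerIdentity} whose signature the local
     * validator accepts. False when no validator exists yet or no such principal is present.
     */
    public boolean isTrustedServerIdentity(AuthenticatedSubject authenticatedSubject) {
        WLSServerIdentity onePrincipal = SubjectUtils.getOnePrincipal(authenticatedSubject, WLSServerIdentity.class);
        if (this.serverValidator == null || onePrincipal == null) {
            return false;
        }
        return this.serverValidator.validate(onePrincipal);
    }

    /**
     * Seals a subject with the kernel identity after the default realm validates it.
     *
     * <p>Null, already-sealed subjects and client-side calls pass through unchanged, as does
     * the kernel identity itself. While the server is still booting (run state other than 2),
     * the subject is sealed WITHOUT {@code validateIdentity()}; the first call made in run
     * state 2 ends that window permanently. A subject containing a {@link WLSServerIdentity}
     * is collapsed to the kernel identity after sealing.
     *
     * @param authenticatedSubject the caller's identity, must be the kernel identity
     * @param authenticatedSubject2 the subject to seal, may be null
     * @return the sealed subject, the kernel identity, or null for null input
     * @throws NotAuthorizedRuntimeException if the caller is not the kernel identity
     * @throws SecurityException if the default realm rejects the subject
     */
    public AuthenticatedSubject seal(AuthenticatedSubject authenticatedSubject, AuthenticatedSubject authenticatedSubject2) {
        if (authenticatedSubject2 == null) {
            return null;
        }
        if (authenticatedSubject2.isSealed() || !Kernel.isServer()) {
            return authenticatedSubject2;
        }
        checkKernelIdentity(authenticatedSubject);
        if (isKernelIdentity(authenticatedSubject2)) {
            return authenticatedSubject2;
        }
        if (this.isBooting) {
            WebLogicServer server = (WebLogicServer) GlobalServiceLocator.getServiceLocator().getService(WebLogicServer.class, new Annotation[0]);
            // Run state 2 is presumably RUNNING — confirm against WebLogicServer's state constants.
            if (server.getRunState() != 2) {
                // Boot-time shortcut: no identity validation before sealing.
                authenticatedSubject2.seal(kernelIdentity);
                return authenticatedSubject2;
            }
            this.isBooting = false;
        }
        if (!getDefaultRealmPrincipalAuthenticator().validateIdentity(authenticatedSubject2)) {
            throw new SecurityException(SecurityLogger.getInvalidSubject("" + authenticatedSubject2));
        }
        authenticatedSubject2.seal(kernelIdentity);
        for (Object principal : authenticatedSubject2.getPrincipals()) {
            if (principal instanceof WLSServerIdentity) {
                return kernelIdentity;
            }
        }
        return authenticatedSubject2;
    }

    /**
     * Reads the security configuration once: the domain credential, the anonymous-admin
     * lookup switch (command line overrides the MBean), the web-app file case setting, and the
     * URL-pattern / basic-auth enforcement flags.
     *
     * @throws NotAuthorizedRuntimeException if the caller is not the kernel identity
     * @throws SecurityServiceRuntimeException if the configuration or credential is unavailable
     */
    public void initializeConfiguration(AuthenticatedSubject authenticatedSubject) {
        checkKernelIdentity(authenticatedSubject);
        this.securityConfigMbean = ManagementService.getRuntimeAccess(kernelIdentity).getDomain().getSecurityConfiguration();
        if (this.securityConfigMbean == null) {
            throw new SecurityServiceRuntimeException(SecurityLogger.getSecConfigUnavailable());
        }
        this.tdsCred = this.securityConfigMbean.getCredential();
        if (this.tdsCred == null || this.tdsCred.isEmpty()) {
            throw new SecurityServiceRuntimeException(SecurityLogger.getSecCredUnavailable());
        }
        String anonymousAdminOverride = CommandLine.getCommandLine().getAnonymousAdminLookupEnabledString();
        // parseBoolean has the same semantics as the deprecated new Boolean(String).
        this.permitAnonymousAdmin = anonymousAdminOverride != null
                ? Boolean.parseBoolean(anonymousAdminOverride)
                : this.securityConfigMbean.isAnonymousAdminLookupEnabled();
        areWebAppFilesCaseInsensitive();
        this.enforceStrictURLPattern = this.securityConfigMbean.getEnforceStrictURLPattern();
        this.enforceValidBasicAuthCredentials = this.securityConfigMbean.getEnforceValidBasicAuthCredentials();
    }

    /**
     * Registers the security deployment listener for both regular and vetoable deployment events.
     *
     * @throws NotAuthorizedRuntimeException if the caller is not the kernel identity
     * @throws SecurityInitializationException if registration fails
     */
    public void initializeDeploymentCallbacks(AuthenticatedSubject authenticatedSubject) {
        checkKernelIdentity(authenticatedSubject);
        try {
            DeploymentListener listener = new DeploymentListener();
            DeploymentEventManager.addDeploymentEventListener(listener, true);
            DeploymentEventManager.addVetoableDeploymentListener(listener);
        } catch (DeploymentException e) {
            throw new SecurityInitializationException(e.getMessage(), e);
        }
    }

    /**
     * Installs the service delegate, resolves the default realm's authentication service once,
     * and eagerly creates this server's signed identity.
     *
     * @throws NotAuthorizedRuntimeException if the caller is not the kernel identity
     */
    public void initializeServiceDelegate(AuthenticatedSubject authenticatedSubject, SecurityServiceManagerDelegate securityServiceManagerDelegate) {
        checkKernelIdentity(authenticatedSubject);
        this.serviceDelegate = securityServiceManagerDelegate;
        if (this.defaultRealmNamePA == null) {
            SecurityServiceManagerDelegate delegate = getServiceDelegate();
            this.defaultRealmNamePA = delegate.getSecurityService(authenticatedSubject, delegate.getDefaultRealmName(), SecurityService.ServiceType.AUTHENTICATION);
        }
        getServerID();
    }

    /**
     * Maps the legacy {@code weblogic.security.URLResourceCaseMapping} values to the
     * configuration vocabulary: "os" stays "os", "on" becomes "true", and "off", empty, null or
     * anything unrecognized becomes "false".
     */
    private static String convertToNewProperty(String str) {
        if (str == null || str.isEmpty()) {
            return "false";
        }
        if (str.equalsIgnoreCase("os")) {
            return "os";
        }
        if (str.equalsIgnoreCase("on")) {
            return "true";
        }
        return "false";
    }

    /**
     * Interprets a case-sensitivity setting: "true"/"false" literally, "os" as "true on Windows",
     * null as false. Locale-independent lower-casing so the "windows" test cannot break under a
     * Turkish default locale.
     */
    private static boolean interpretWebAppFilesCaseSetting(String str) {
        if (str == null || str.equals("false")) {
            return false;
        }
        if (!str.equals("os")) {
            return str.equals("true");
        }
        String osName = System.getProperty("os.name");
        return osName != null && osName.toLowerCase(Locale.ROOT).contains("windows");
    }

    /**
     * @deprecated no replacement is visible in this class; the value is still read from the
     *     command line or security configuration in {@link #initializeConfiguration}.
     */
    @Deprecated
    public boolean isAnonymousAdminLookupEnabled() {
        return this.permitAnonymousAdmin;
    }

    /** Whether strict URL-pattern matching is enforced (from the security configuration). */
    public boolean getEnforceStrictURLPattern() {
        return this.enforceStrictURLPattern;
    }

    /** Whether malformed basic-auth credentials are rejected (from the security configuration). */
    public boolean getEnforceValidBasicAuthCredentials() {
        return this.enforceValidBasicAuthCredentials;
    }

    /** The current subject in its wire form (kernel identity replaced by the server identity). */
    public AuthenticatedSubject getCurrentSubjectForWire(AuthenticatedSubject authenticatedSubject) {
        return sendASToWire(SecurityManager.getCurrentSubject(authenticatedSubject));
    }

    /** Identity comparison against the process-wide kernel subject. */
    public boolean isKernelIdentity(AuthenticatedSubject authenticatedSubject) {
        return authenticatedSubject == kernelIdentity;
    }

    /** Identity comparison against this server's subject (always false before it is created). */
    public boolean isServerIdentity(AuthenticatedSubject authenticatedSubject) {
        return authenticatedSubject == this.serverIdentity;
    }

    /**
     * Gate for kernel-only operations.
     *
     * @throws NotAuthorizedRuntimeException if the subject is not the kernel identity
     */
    public void checkKernelIdentity(AuthenticatedSubject authenticatedSubject) {
        if (!isKernelIdentity(authenticatedSubject)) {
            String who = authenticatedSubject == null ? "<null>" : authenticatedSubject.toString();
            throw new NotAuthorizedRuntimeException(SecurityLogger.getSubjectIsNotTheKernelIdentity(who));
        }
    }

    /**
     * Role check as implemented here: true exactly when {@code map} contains a non-null value
     * for {@code str}. The subject argument is not consulted — the caller is expected to have
     * computed the role map for that subject already.
     */
    public boolean isUserInRole(AuthenticatedSubject authenticatedSubject, String str, Map<?, ?> map) {
        return map != null && map.get(str) != null;
    }

    /**
     * Creates and signs this server's identity principal; requires {@code serverValidator} to be
     * set (done by {@link #getServerID()} under the lock).
     */
    private AuthenticatedSubject createServerID() {
        String name = "<WLS Server " + Kernel.getConfig().getName() + ">";
        WLSServerIdentity identity = new WLSServerIdentity(name);
        AccessController.doPrivileged(PrivilegedActions.getSignPrincipalAction(this.serverValidator, identity));
        AuthenticatedSubject subject = new AuthenticatedSubject();
        subject.getPrincipals().add(identity);
        return subject;
    }

    /**
     * Returns this server's identity, creating the validator and the signed identity on first use.
     * Double-checked locking on the kernel permission; the fields are volatile so the fast path
     * observes a fully constructed identity.
     */
    private AuthenticatedSubject getServerID() {
        AuthenticatedSubject existing = this.serverIdentity;
        if (existing != null) {
            return existing;
        }
        synchronized (SubjectManager.getKernelPermission()) {
            if (this.serverIdentity == null) {
                this.serverValidator = new ServerPrincipalValidatorImpl();
                this.serverIdentity = createServerID();
            }
            return this.serverIdentity;
        }
    }

    /**
     * Resolves, once, whether web-app file names are matched case-insensitively.
     *
     * <p>On a server the MBean setting wins; if the legacy system property is also set and
     * disagrees, a {@link SecurityServiceRuntimeException} is thrown. On a client only the
     * system property is consulted.
     */
    public boolean areWebAppFilesCaseInsensitive() {
        if (this.areWebappFilesCaseInsensitiveSet) {
            return this.areWebappFilesCaseInsensitive;
        }
        String legacyProperty = System.getProperty("weblogic.security.URLResourceCaseMapping");
        if (Kernel.isServer()) {
            String configured = null;
            DomainMBean domain = ManagementService.getRuntimeAccess(kernelIdentity).getDomain();
            if (domain != null) {
                configured = domain.getSecurityConfiguration().getWebAppFilesCaseInsensitive();
            }
            this.areWebappFilesCaseInsensitive = interpretWebAppFilesCaseSetting(configured);
            if (legacyProperty != null
                    && this.areWebappFilesCaseInsensitive != interpretWebAppFilesCaseSetting(convertToNewProperty(legacyProperty))) {
                throw new SecurityServiceRuntimeException(SecurityLogger.logWebAppFilesCaseMismatch(legacyProperty, configured));
            }
        } else if (legacyProperty != null) {
            this.areWebappFilesCaseInsensitive = interpretWebAppFilesCaseSetting(convertToNewProperty(legacyProperty));
        }
        this.areWebappFilesCaseInsensitiveSet = true;
        return this.areWebappFilesCaseInsensitive;
    }

    /**
     * The server's identity key store as configured via MBeans.
     *
     * @throws NotAuthorizedRuntimeException if the caller is not the kernel identity
     */
    public KeyStoreInfo getServerIdentityKeyStore(AuthenticatedSubject authenticatedSubject) {
        checkKernelIdentity(authenticatedSubject);
        return new KeyStoreConfigurationHelper(MBeanKeyStoreConfiguration.getInstance()).getIdentityKeyStore();
    }

    /**
     * The server's trust key stores as configured via MBeans.
     *
     * @throws NotAuthorizedRuntimeException if the caller is not the kernel identity
     */
    public KeyStoreInfo[] getServerTrustKeyStores(AuthenticatedSubject authenticatedSubject) {
        checkKernelIdentity(authenticatedSubject);
        return new KeyStoreConfigurationHelper(MBeanKeyStoreConfiguration.getInstance()).getTrustKeyStores();
    }

    /** Reads the {@code caseSensitiveUserNames} system property (false when unset). */
    public boolean isCaseSensitiveUserNames() {
        return Boolean.getBoolean("caseSensitiveUserNames");
    }

    /**
     * The embedded LDAP is needed unless the default realm uses an RDBMS security store and
     * has no {@link DefaultAuthenticatorMBean} among its authentication providers.
     *
     * @throws NotAuthorizedRuntimeException if the caller is not the kernel identity
     */
    public boolean isEmbeddedLdapNeeded(AuthenticatedSubject authenticatedSubject) {
        checkKernelIdentity(authenticatedSubject);
        RealmMBean defaultRealm = ManagementService.getRuntimeAccess(kernelIdentity).getDomain().getSecurityConfiguration().getDefaultRealm();
        RDBMSSecurityStoreMBean rdbmsStore = defaultRealm.getRDBMSSecurityStore();
        AuthenticationProviderMBean[] providers = defaultRealm.getAuthenticationProviders();
        if (rdbmsStore == null) {
            return true;
        }
        for (AuthenticationProviderMBean provider : providers) {
            if (provider instanceof DefaultAuthenticatorMBean) {
                return true;
            }
        }
        return false;
    }
}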
