package weblogic.rmi.extensions.server;

import java.io.IOException;
import java.rmi.RemoteException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import javax.resource.spi.security.PasswordCredential;
import org.eclipse.persistence.jpa.jpql.parser.Expression;
import weblogic.management.configuration.SecurityConfigurationMBean;
import weblogic.management.provider.ManagementService;
import weblogic.protocol.LocalServerIdentity;
import weblogic.protocol.Protocol;
import weblogic.protocol.ProtocolManager;
import weblogic.protocol.ServerIdentity;
import weblogic.rjvm.RJVM;
import weblogic.rmi.ConnectException;
import weblogic.rmi.extensions.RemoteHelper;
import weblogic.rmi.facades.RmiSecurityFacade;
import weblogic.rmi.spi.EndPoint;
import weblogic.rmi.spi.HostID;
import weblogic.rmi.spi.RMIRuntime;
import weblogic.security.acl.DefaultUserInfoImpl;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.acl.internal.AuthenticatedUser;
import weblogic.security.acl.internal.Security;
import weblogic.security.service.AdminResource;
import weblogic.security.service.AuthorizationManager;
import weblogic.security.service.ContextHandler;
import weblogic.security.service.CredentialManager;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.service.RemoteResource;
import weblogic.security.service.SecurityService;
import weblogic.security.service.SecurityServiceManager;
import weblogic.security.spi.CredentialMapperV2;
import weblogic.security.utils.ResourceIDDContextWrapper;

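/* loaded from: input_file:weblogic/rmi/extensions/server/RemoteDomainSecurityHelper.class */
/**
 * Cross-domain security (CDS) helper for RMI calls that cross a WebLogic domain boundary.
 *
 * <p>Outbound: given a URL, an RMI stub or an {@link EndPoint}, the helper looks up the
 * credential mapped for the remote domain (credential-mapper user {@code "cross-domain"},
 * resource protocol {@code "cross-domain-protocol"}) and authenticates it against that domain,
 * yielding the subject to use for the call.
 *
 * <p>Inbound: {@link #acceptRemoteDomainCall} decides whether a caller from another domain is
 * authorized on the {@code "CrossDomain"} admin resource of the administrative realm.
 *
 * <p>Every entry point returns {@code null} (or {@link #UNDETERMINABLE}) when cross-domain
 * security is disabled in the domain's security configuration, except
 * {@link #isRemoteDomain(String)}, which does not consult that flag. All state is static.
 */
public final class RemoteDomainSecurityHelper {
    private static final boolean DEBUG = Boolean.getBoolean("weblogic.debug.DebugCrossDomainSecurity");
    /** Kernel identity under which every privileged security-service lookup in this class runs. */
    private static final AuthenticatedSubject kernelId = (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
    private static final String CROSS_DOMAIN_PROTOCOL = "cross-domain-protocol";
    private static final String CROSS_DOMAIN_USER = "cross-domain";
    private static final String CROSS_DOMAIN_ADMIN_RESOURCE = "CrossDomain";
    /** Result of {@link #acceptRemoteDomainCall}: the caller is authorized. */
    public static final int ACCEPT_CALL = 0;
    /** Result of {@link #acceptRemoteDomainCall}: the caller is not authorized. */
    public static final int REJECT_CALL = 1;
    /** Result of {@link #acceptRemoteDomainCall}: CDS does not apply to this call. */
    public static final int UNDETERMINABLE = 2;
    /** Reason passed to {@link EndPoint#disconnect} for a connection this class opened only to obtain a subject. */
    private static final String INTERNAL_DISCONNECT_REASON = "Component generated internal disconnect";

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:weblogic/rmi/extensions/server/RemoteDomainSecurityHelper$SINGLETON.class */
    /**
     * Holder for values that need the management service and the local server identity.
     * Its fields are initialised when the class is first touched, which defers those lookups
     * until they are actually needed (presumably so the outer class can load earlier in startup).
     */
    public static final class SINGLETON {
        /** Domain security configuration; read for the CDS enabled flag and the excluded-domain list. */
        static final SecurityConfigurationMBean secConfig = ManagementService.getRuntimeAccess(RemoteDomainSecurityHelper.kernelId).getDomain().getSecurityConfiguration();
        /** Name of the domain this server belongs to. */
        static final String localName = LocalServerIdentity.getIdentity().getDomainName();

        private SINGLETON() {
        }
    }

    /** @return whether cross-domain security is switched on in the domain security configuration */
    private static boolean isCDSEnabled() {
        return SINGLETON.secConfig.isCrossDomainSecurityEnabled();
    }

    /**
     * Resolves the cross-domain subject for a server URL, opening the connection as the
     * anonymous subject.
     *
     * @param url server URL; an {@code admin:} prefix is mapped to the default admin protocol
     * @return the authenticated subject for the remote domain, or {@code null} when CDS is
     *         disabled, the URL is {@code null}/empty, no endpoint could be obtained, the URL does
     *         not point at a different domain, or no credential is mapped for that domain
     * @throws IOException if the endpoint cannot be created
     * @throws RemoteException if authentication against the remote domain fails
     */
    public static AuthenticatedSubject getSubject(String url) throws IOException, RemoteException {
        if (DEBUG) {
            debug("[RemoteDomainSecurityHelper] getSubject: url= " + url);
        }
        if (!isCDSEnabled() || url == null || url.length() == 0) {
            return null;
        }
        // The decompiled form resolved the endpoint twice (once inside isRemoteDomain(String) and
        // once here); one lookup serves both the domain check and the authentication.
        EndPoint endPoint = findOrCreateEndPointWithSubject(url, RmiSecurityFacade.getAnonymousSubject());
        if (!isRemoteDomain(endPoint)) {
            return null;
        }
        return getSubjectInternal(endPoint);
    }

    /**
     * Resolves the cross-domain subject for a server URL using the subject currently on the
     * thread to open the connection.
     *
     * <p>If no endpoint exists yet and the thread subject's QOS is not satisfactory for the URL's
     * protocol, a copy of the subject carrying the protocol's QOS is used instead; the endpoint
     * opened with that copy is disconnected again on every exit from this method.
     *
     * @param url non-null server URL with a {@code protocol:} prefix; an {@code admin:} prefix is
     *            mapped to the default admin protocol
     * @return the authenticated subject for the remote domain, or {@code null} when CDS is
     *         disabled or the URL does not point at a different domain
     * @throws IOException if the thread subject's QOS does not match the URL's protocol, or the
     *         endpoint cannot be created
     * @throws ConnectException if no endpoint could be obtained for the URL
     */
    public static AuthenticatedSubject getSubject2(String url) throws IOException {
        if (DEBUG) {
            debug("getSubject2 url = " + url + ", - isCDSEnabled() = " + isCDSEnabled());
        }
        if (!isCDSEnabled()) {
            return null;
        }
        Protocol urlProtocol = ProtocolManager.getProtocolByName(url.substring(0, url.indexOf(':')));
        AuthenticatedSubject threadSubject = SecurityServiceManager.getCurrentSubject(kernelId);
        if (!urlProtocolAndThreadQOSMatch(urlProtocol, threadSubject)) {
            throw new IOException("Unable to find connection for url " + url + ". subject usedto initiate connection does not match url protocol");
        }
        String modifiedUrl = convertAdminProtocol(url);
        EndPoint existing = RMIRuntime.findEndPoint(modifiedUrl);
        if (existing != null) {
            if (DEBUG) {
                debug("[getSubject2] Found Existing endpoint " + existing);
                debug("[getSubject2] isRemoteDomain() " + isRemoteDomain(existing));
            }
            return isRemoteDomain(existing) ? getSubjectInternal(existing) : null;
        }
        // No connection yet. The QOS check is made against the protocol named in the original
        // URL, while the replacement QOS comes from the protocol of the converted URL; the two
        // differ only for "admin:" URLs.
        Protocol targetProtocol = ProtocolManager.getProtocolByName(modifiedUrl.substring(0, modifiedUrl.indexOf(':')));
        AuthenticatedSubject subjectToUse = threadSubject;
        boolean qosReset = false;
        if (!urlProtocol.isSatisfactoryQOS(threadSubject.getQOS())) {
            subjectToUse = new AuthenticatedSubject(threadSubject);
            subjectToUse.setQOS(targetProtocol.getQOS());
            qosReset = true;
            if (DEBUG) {
                debug("[getSubject2] subject on thread was " + threadSubject + ". It has been reset to " + subjectToUse);
            }
        }
        EndPoint created = null;
        try {
            created = findOrCreateEndPointWithSubject(modifiedUrl, subjectToUse);
            if (created == null) {
                throw new ConnectException("Unable to get endpoint for url = " + url);
            }
            if (DEBUG) {
                debug("[getSubject2] new endpoint " + created);
            }
            return isRemoteDomain(created) ? getSubjectInternal(created) : null;
        } finally {
            // An endpoint opened with a QOS-adjusted subject is private to this lookup and is torn
            // down on every exit. The decompiled form only did so on the normal paths: its catch
            // clause tested the existing endpoint, which is always null here, so a failure in
            // isRemoteDomain or getSubjectInternal left the new connection open.
            if (created != null && qosReset) {
                if (DEBUG) {
                    debug("[getSubject2] Invoking disconnect on endpoint " + created);
                }
                created.disconnect(INTERNAL_DISCONNECT_REASON, true);
            }
        }
    }

    /**
     * Checks that the QOS carried by the thread subject is compatible with the URL's protocol.
     *
     * <p>The numeric values are the decompiled literals: the protocol byte 6 is rejected together
     * with QOS 102, and protocol bytes 0 and 4 require QOS 101. They look like the admin protocol
     * and admin QOS versus the plain protocols and normal QOS — confirm against the
     * {@code Protocol}/{@code AuthenticatedSubject} constants before relying on that reading.
     *
     * @return {@code true} if the subject's QOS is acceptable for the protocol
     */
    private static boolean urlProtocolAndThreadQOSMatch(Protocol protocol, AuthenticatedSubject subject) {
        int protocolId = protocol.toByte();
        int qos = subject.getQOS();
        if (DEBUG) {
            debug("[urlProtocolAndThreadQOSMatch protocol] = " + protocol + ", subject.QOS = " + qos);
        }
        if (protocolId == 6 && qos == 102) {
            return false;
        }
        if (protocolId == 0 || protocolId == 4) {
            return qos == 101;
        }
        return true;
    }

    /**
     * Rewrites an {@code admin:} URL to the configured default admin protocol; any other URL is
     * returned unchanged.
     *
     * @throws AssertionError if the URL has no {@code protocol:} prefix
     */
    private static String convertAdminProtocol(String url) {
        try {
            int colon = url.indexOf(':');
            if ("admin".equals(url.substring(0, colon))) {
                return ProtocolManager.getDefaultAdminProtocol().getProtocolName() + url.substring(colon);
            }
            return url;
        } catch (IndexOutOfBoundsException e) {
            throw new AssertionError("unsupported protocol " + url, e);
        }
    }

    /**
     * Resolves the cross-domain subject for the endpoint behind an RMI stub.
     *
     * @param stub object whose endpoint {@link RemoteHelper#getEndPoint} can extract
     * @return the authenticated subject, or {@code null} when CDS is disabled or
     *         {@link #getSubjectInternal} yields none
     * @throws RemoteException if authentication against the remote domain fails
     * @throws IllegalArgumentException if no endpoint can be extracted from {@code stub}
     */
    public static AuthenticatedSubject getSubject(Object stub) throws RemoteException, IllegalArgumentException {
        if (!isCDSEnabled()) {
            return null;
        }
        AuthenticatedSubject subject = getSubjectInternal(RemoteHelper.getEndPoint(stub));
        if (DEBUG) {
            debug("getSubject for  " + stub + " returned:" + subject);
        }
        return subject;
    }

    /**
     * Resolves the cross-domain subject for an already-connected endpoint.
     *
     * @return the authenticated subject, or {@code null} when CDS is disabled or
     *         {@link #getSubjectInternal} yields none
     * @throws RemoteException if authentication against the remote domain fails
     */
    public static AuthenticatedSubject getSubject(EndPoint endPoint) throws RemoteException {
        if (!isCDSEnabled()) {
            return null;
        }
        AuthenticatedSubject subject = getSubjectInternal(endPoint);
        if (DEBUG) {
            debug("getSubject for  " + endPoint + " returned:" + subject);
        }
        return subject;
    }

    /**
     * Core outbound lookup: maps the endpoint's remote domain to a credential and authenticates
     * that credential over the endpoint.
     *
     * @return the authenticated subject, or {@code null} when the endpoint's host is not a
     *         {@link ServerIdentity}, carries no domain name, the domain is excluded, or no
     *         password credential is mapped for it
     * @throws RemoteException if authentication against the remote domain fails
     */
    private static AuthenticatedSubject getSubjectInternal(EndPoint endPoint) throws RemoteException {
        HostID hostID = endPoint.getHostID();
        if (!(hostID instanceof ServerIdentity)) {
            return null;
        }
        String domainName = ((ServerIdentity) hostID).getDomainName();
        if (domainName == null || isDomainExcluded(domainName)) {
            return null;
        }
        PasswordCredential credential = getCredentials(domainName);
        if (DEBUG) {
            debug("getCredentials() returned " + credential);
        }
        if (credential == null) {
            return null;
        }
        AuthenticatedSubject subject = SecurityServiceManager.getASFromAU(authenticate(endPoint, credential));
        if (DEBUG) {
            debug("authenticate returned " + subject);
        }
        return subject;
    }

    /**
     * Authenticates the mapped cross-domain credential against the server behind
     * {@code endPoint}, using the default protocol.
     *
     * @return the authenticated user, or {@code null} if {@code credential} is {@code null}
     * @throws RemoteException if the remote authentication fails
     */
    private static AuthenticatedUser authenticate(EndPoint endPoint, PasswordCredential credential) throws RemoteException {
        if (credential == null) {
            return null;
        }
        // DefaultUserInfoImpl takes the password as a String, so the char[] has to be copied.
        DefaultUserInfoImpl userInfo = new DefaultUserInfoImpl(credential.getUserName(), new String(credential.getPassword()));
        if (DEBUG) {
            // Only the user name is traced. The decompiled form also printed the clear-text
            // password on this line; a secret must never reach stdout or a log.
            debug("authenticating cross-domain user " + credential.getUserName());
        }
        return Security.authenticate(userInfo, (RJVM) endPoint, ProtocolManager.getDefaultProtocol(), null);
    }

    /**
     * Looks up the password credential mapped for {@code domainName} via the default realm's
     * credential manager, keyed by the cross-domain user and a
     * {@code cross-domain-protocol} remote resource.
     *
     * @return the first {@link PasswordCredential} among the mappings, or {@code null} if the
     *         mapper returned none
     */
    private static PasswordCredential getCredentials(String domainName) {
        CredentialManager credentialManager = RmiSecurityFacade.getCredentialManager(kernelId, SecurityServiceManager.defaultRealmName);
        if (DEBUG) {
            debug("current subject=" + SecurityServiceManager.getCurrentSubject(kernelId) + ", domainName=" + domainName);
        }
        Object[] mappings = credentialManager.getCredentials(kernelId, CROSS_DOMAIN_USER,
                new RemoteResource(CROSS_DOMAIN_PROTOCOL, domainName, null, null, null),
                (ContextHandler) null, CredentialMapperV2.USER_PASSWORD_TYPE);
        if (DEBUG) {
            debug("got mappings=" + Arrays.toString(mappings));
        }
        if (mappings == null) {
            return null;
        }
        if (DEBUG) {
            debug("got mappings length=" + mappings.length);
        }
        for (Object mapping : mappings) {
            if (mapping instanceof PasswordCredential) {
                if (DEBUG) {
                    debug("cred=" + mapping);
                }
                return (PasswordCredential) mapping;
            }
        }
        debug("found no password credential !");
        return null;
    }

    /**
     * Inbound check: decides whether a call arriving from {@code hostID} on behalf of
     * {@code subject} may proceed.
     *
     * @return {@link #UNDETERMINABLE} when CDS is disabled, the host is not a
     *         {@link ServerIdentity}, has no domain name, is this server's own domain, or is an
     *         excluded domain; otherwise {@link #ACCEPT_CALL} or {@link #REJECT_CALL} according
     *         to the administrative realm's authorization decision on the {@code CrossDomain}
     *         admin resource
     */
    public static int acceptRemoteDomainCall(HostID hostID, AuthenticatedSubject subject) {
        if (!isCDSEnabled()) {
            if (DEBUG) {
                debug("acceptRemoteDomainCall for " + subject + "= No CDS");
            }
            return UNDETERMINABLE;
        }
        if (!(hostID instanceof ServerIdentity)) {
            if (DEBUG) {
                debug("acceptRemoteDomainCall for " + subject + "= Not ServerIdentity" + hostID);
            }
            return UNDETERMINABLE;
        }
        String domainName = ((ServerIdentity) hostID).getDomainName();
        if (domainName == null || SINGLETON.localName.equals(domainName) || isDomainExcluded(domainName)) {
            if (DEBUG) {
                debug("acceptRemoteDomainCall for " + subject + "= UNDETERMINABLE");
            }
            return UNDETERMINABLE;
        }
        AuthorizationManager authorizer = (AuthorizationManager) SecurityServiceManager.getSecurityService(
                kernelId, SecurityServiceManager.getAdministrativeRealmName(), SecurityService.ServiceType.AUTHORIZE);
        boolean allowed = authorizer.isAccessAllowed(subject,
                new AdminResource(CROSS_DOMAIN_ADMIN_RESOURCE, null, null), new ResourceIDDContextWrapper());
        if (DEBUG) {
            debug("acceptRemoteDomainCall for " + subject + "=" + allowed);
        }
        return allowed ? ACCEPT_CALL : REJECT_CALL;
    }

    /**
     * Tells whether a server URL points at a domain other than this server's.
     *
     * <p>Note that this opens (or reuses) a connection to the URL as the anonymous subject and
     * does not check whether CDS is enabled.
     *
     * @return {@code false} for a {@code null}/empty URL or when no endpoint could be obtained;
     *         otherwise the result of {@link #isRemoteDomain(EndPoint)}
     * @throws IOException if the endpoint cannot be created
     */
    public static boolean isRemoteDomain(String url) throws IOException, RemoteException {
        if (DEBUG) {
            debug("[RemoteDomainSecurityHelper] isRemoteDomain: url= " + url);
        }
        if (url == null || url.length() == 0) {
            return false;
        }
        return isRemoteDomain(findOrCreateEndPointWithSubject(url, RmiSecurityFacade.getAnonymousSubject()));
    }

    /**
     * Finds or creates the endpoint for a URL while running as {@code subject}.
     *
     * @return the endpoint, or {@code null} if the RMI runtime does not support the URL
     * @throws IOException if creating the endpoint fails
     * @throws AssertionError if the privileged action fails with a checked exception other
     *         than {@link IOException}
     */
    private static EndPoint findOrCreateEndPointWithSubject(String url, AuthenticatedSubject subject) throws IOException {
        final String modifiedUrl = convertAdminProtocol(url);
        if (DEBUG) {
            debug("[RemoteDomainSecurityHelper] findOrCreateEndPointWithSubject: url= " + url);
            debug("[RemoteDomainSecurityHelper] findOrCreateEndPointWithSubject: modifiedURL= " + modifiedUrl);
            debug("[RemoteDomainSecurityHelper] findOrCreateEndPointWithSubject: subject to use = " + subject);
        }
        EndPoint endPoint = null;
        if (RMIRuntime.supportServerURL(modifiedUrl)) {
            try {
                endPoint = (EndPoint) SecurityServiceManager.runAs(kernelId, subject, new PrivilegedExceptionAction<Object>() {
                    @Override
                    public Object run() throws IOException {
                        return RMIRuntime.findOrCreateEndPoint(modifiedUrl);
                    }
                });
            } catch (PrivilegedActionException e) {
                // Unwrap the action's checked exception so callers see the IOException directly.
                Exception cause = e.getException();
                if (cause instanceof IOException) {
                    throw (IOException) cause;
                }
                if (cause instanceof RuntimeException) {
                    throw (RuntimeException) cause;
                }
                throw new AssertionError("Unpredicted PrivilegedActionException is thrown", e);
            }
        }
        if (DEBUG) {
            debug("[RemoteDomainSecurityHelper] findOrCreateEndPointWithSubject: url= " + modifiedUrl + " endPoint==" + endPoint);
        }
        return endPoint;
    }

    /**
     * Tells whether an endpoint's host belongs to a domain other than this server's.
     *
     * @return {@code true} only if {@code endPoint} is non-null, its host is a
     *         {@link ServerIdentity}, and that identity carries a domain name different from
     *         the local one
     */
    public static boolean isRemoteDomain(EndPoint endPoint) {
        if (endPoint == null) {
            return false;
        }
        HostID hostID = endPoint.getHostID();
        if (!(hostID instanceof ServerIdentity)) {
            return false;
        }
        String domainName = ((ServerIdentity) hostID).getDomainName();
        boolean remote = domainName != null && !SINGLETON.localName.equals(domainName);
        if (DEBUG) {
            // The decompiled form referenced EclipseLink's Expression.NOT_EQUAL for the separator
            // on the TRUE branch; a literal is used so this helper does not depend on a JPQL
            // parser class.
            debug("[RemoteDomainSecurityHelper] isRemoteDomain: " + (remote ? "TRUE" : "FALSE")
                    + " remote domainName= " + domainName + (remote ? "!=" : "==") + SINGLETON.localName);
        }
        return remote;
    }

    /**
     * @return whether {@code domainName} appears in the security configuration's excluded-domain
     *         list; {@code false} for a {@code null} name or an absent list
     */
    private static boolean isDomainExcluded(String domainName) {
        if (domainName == null) {
            return false;
        }
        String[] excluded = SINGLETON.secConfig.getExcludedDomainNames();
        return excluded != null && Arrays.asList(excluded).contains(domainName);
    }

    /** Writes a trace line to stdout when the CDS debug flag is set. */
    private static void debug(String message) {
        if (DEBUG) {
            System.out.println("[RemoteDomainSecurityHelper] " + message);
        }
    }
}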
