package weblogic.ejb.container.internal;

import java.net.URL;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.security.jacc.EJBMethodPermission;
import javax.security.jacc.EJBRoleRefPermission;
import javax.security.jacc.PolicyConfiguration;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import org.apache.tools.ant.types.selectors.SelectorUtils;
import org.eclipse.persistence.jpa.jpql.parser.Expression;
import weblogic.application.ApplicationContext;
import weblogic.diagnostics.debug.DebugLogger;
import weblogic.ejb.container.EJBDebugService;
import weblogic.ejb.container.EJBLogger;
import weblogic.ejb.container.interfaces.DeploymentInfo;
import weblogic.ejb.container.interfaces.MethodInfo;
import weblogic.ejb.container.interfaces.NoSuchRoleException;
import weblogic.ejb.container.interfaces.SecurityRoleMapping;
import weblogic.ejb.container.interfaces.SecurityRoleReference;
import weblogic.j2ee.descriptor.AssemblyDescriptorBean;
import weblogic.j2ee.descriptor.SecurityRoleBean;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.jacc.CommonPolicyContextHandler;
import weblogic.security.jacc.DelegatingPolicyContextHandler;
import weblogic.security.jacc.PolicyContextHandlerData;
import weblogic.security.jacc.PolicyContextManager;
import weblogic.security.jacc.RoleMapper;
import weblogic.security.service.ContextHandler;
import weblogic.utils.StackTraceUtilsClient;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:weblogic/ejb/container/internal/SecurityHelperJACC.class */
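/**
 * JACC (Java Authorization Contract for Containers) side of the EJB container's
 * security helper.
 *
 * <p>At deployment time it feeds the module's {@link PolicyConfiguration}: role to
 * principal mappings ({@link #deployRoles}), {@link EJBMethodPermission}s for every
 * bean method ({@link #deployPolicies}, {@link #deployPolicy}) and
 * {@link EJBRoleRefPermission}s ({@link #registerRoleRefs}). At run time it answers
 * {@link #isAccessAllowed} and {@link #isCallerInRole} by asking the installed
 * {@link Policy} whether a {@link ProtectionDomain} built from the caller's
 * principals implies the permission, with this module's policy context ID bound
 * for the duration of the check.
 *
 * <p>This listing is decompiler output; the class and its members were originally
 * package-private. Two constants that the decompiler resolved against unrelated
 * libraries (Ant's {@code SelectorUtils.DEEP_TREE_MATCH} and EclipseLink's
 * {@code Expression.QUOTE}) are spelled out as the literals {@code "**"} and
 * {@code "'"} here so the class no longer appears to depend on those libraries.
 *
 * <p>Not thread-safe: {@link #roleNamesSet} is filled lazily by
 * {@link #registerRoleRefs} without synchronization; the deployment-time methods
 * are assumed to be driven from a single thread.
 */
public final class SecurityHelperJACC {
    /** System property; when set (any value), methods with no role are NOT registered as "unchecked". */
    private static final String DONT_REGISTER_UNCOVERED_METHODS = "weblogic.ejb.container.internal.SecurityHelperJACC.dont_register_uncovered_methods";
    /**
     * Reserved role name that is always deployed and always registered as a role ref
     * (the Java EE "any authenticated user" role).
     */
    private static final String ANY_AUTHENTICATED_ROLE = "**";
    /** Closing single quote used to terminate quoted values in debug messages. */
    private static final String QUOTE = "'";
    private static final boolean dont_register_uncovered_methods;
    private static final DebugLogger debugLogger;
    /** JACC policy context ID bound while this module's permissions are evaluated. */
    private final String jaccPolicyContextId;
    /** CodeSource (URL only, no signer certificates) of every ProtectionDomain this class checks. */
    private final CodeSource jaccCodeSource;
    private final PolicyConfiguration jaccPolicyConfig;
    private final RoleMapper jaccRoleMapper;
    /**
     * Lazily-built cache of the assembly descriptor's role names plus {@link #ANY_AUTHENTICATED_ROLE};
     * filled on the first {@link #registerRoleRefs} call and never refreshed afterwards.
     */
    private HashSet<String> roleNamesSet = new HashSet<>();

    /**
     * @param policyConfiguration JACC policy configuration of this module
     * @param policyContextId     JACC policy context ID bound while checks run
     * @param codeSourceUrl       URL that identifies the module's code source in the
     *                            protection domains passed to the {@link Policy}
     * @param roleMapper          receives the application role to principal mappings
     */
    public SecurityHelperJACC(PolicyConfiguration policyConfiguration, String policyContextId, URL codeSourceUrl, RoleMapper roleMapper) {
        this.jaccPolicyConfig = policyConfiguration;
        this.jaccPolicyContextId = policyContextId;
        this.jaccRoleMapper = roleMapper;
        // Unsigned code source: only the URL takes part in the policy lookup.
        this.jaccCodeSource = new CodeSource(codeSourceUrl, (Certificate[]) null);
    }

    /**
     * Installs {@code contextHandler} as the thread's policy context handler data and
     * binds this module's policy context ID. Pair with {@link #popSecurityContext()}.
     *
     * @param contextHandler must be a {@link PolicyContextHandlerData} (cast unchecked here)
     */
    public void pushSecurityContext(ContextHandler contextHandler) {
        PolicyContextManager.setPolicyContext((PolicyContextHandlerData) contextHandler);
        PolicyContextManager.setContextID(this.jaccPolicyContextId);
    }

    /** Undoes {@link #pushSecurityContext(ContextHandler)} for the current thread. */
    public void popSecurityContext() {
        PolicyContextManager.resetPolicyContext();
        PolicyContextManager.resetContextID();
    }

    /**
     * Pushes the jar's role to principal mappings into the {@link RoleMapper}.
     *
     * <p>Externally defined roles are skipped (the security realm owns them). A role
     * is deployed only if it is mapped to at least one principal, except for
     * {@link #ANY_AUTHENTICATED_ROLE}, which is always deployed.
     *
     * @param deploymentInfo      used for application/module IDs in debug output
     * @param securityRoleMapping source of role names and their principal names
     * @throws NoSuchRoleException propagated from the role mapping lookups
     */
    public void deployRoles(DeploymentInfo deploymentInfo, SecurityRoleMapping securityRoleMapping) throws NoSuchRoleException {
        Collection<String> roleNames = securityRoleMapping.getSecurityRoleNames();
        if (debugLogger.isDebugEnabled()) {
            debug("deployRoles(...), Application Id: '" + deploymentInfo.getApplicationId() + "', Module Id: '" + deploymentInfo.getModuleId() + "'  there are: '" + roleNames.size() + "' roles in this jar.");
        }
        if (roleNames.isEmpty()) {
            return;
        }
        // Declared as HashMap (not Map) because RoleMapper's parameter type is not visible here.
        HashMap<String, String[]> rolesToPrincipals = new HashMap<>();
        for (String roleName : roleNames) {
            if (securityRoleMapping.isExternallyDefinedRole(roleName)) {
                if (debugLogger.isDebugEnabled()) {
                    debug("skipping deployment of role: " + roleName + " because it's externally defined");
                }
            } else if (securityRoleMapping.isRoleMappedToPrincipals(roleName) || ANY_AUTHENTICATED_ROLE.equals(roleName)) {
                Collection<String> principalNames = securityRoleMapping.getSecurityRolePrincipalNames(roleName);
                if (debugLogger.isDebugEnabled()) {
                    debug("deploying role: " + roleName + " with principals: " + principalNames);
                }
                rolesToPrincipals.put(roleName, principalNames.toArray(new String[0]));
            } else if (debugLogger.isDebugEnabled()) {
                debug("skipping deployment of role: " + roleName + " because it's not mapped to any principals");
            }
        }
        if (rolesToPrincipals.isEmpty()) {
            if (debugLogger.isDebugEnabled()) {
                debug("No Role mapping to add to the RoleMapper for Application Id: '" + deploymentInfo.getApplicationId() + "', Module Id: '" + deploymentInfo.getModuleId() + QUOTE);
            }
            return;
        }
        this.jaccRoleMapper.addAppRolesToPrincipalMap(rolesToPrincipals);
        if (debugLogger.isDebugEnabled()) {
            debug("Role mapping to add to the RoleMapper for Application Id: '" + deploymentInfo.getApplicationId() + "', Module Id: '" + deploymentInfo.getModuleId() + QUOTE);
        }
    }

    /** Hands this module's {@link PolicyConfiguration} to the application context. */
    public void setupApplicationInfo(ApplicationContext applicationContext) {
        applicationContext.addJACCPolicyConfiguration(this.jaccPolicyConfig);
    }

    /** No-op: role removal is handled elsewhere (see {@link #deactivate()}). */
    public void unDeployRoles() {
    }

    /**
     * Deploys the permissions of three method-descriptor lists (typically the
     * different interface views of a bean) via {@link #deployPolicy}. Any list may be
     * {@code null}, which is treated as empty.
     *
     * @throws PolicyContextException propagated from the {@link PolicyConfiguration}
     */
    public void deployPolicies(List<MethodDescriptor> list, List<MethodDescriptor> list2, List<MethodDescriptor> list3, SecurityHelper securityHelper) throws PolicyContextException {
        deployAll(list, securityHelper);
        deployAll(list2, securityHelper);
        deployAll(list3, securityHelper);
    }

    /** Deploys every descriptor in {@code descriptors}; a {@code null} list is treated as empty. */
    private void deployAll(List<MethodDescriptor> descriptors, SecurityHelper securityHelper) throws PolicyContextException {
        if (descriptors == null) {
            return;
        }
        for (MethodDescriptor descriptor : descriptors) {
            deployPolicy(descriptor, securityHelper);
        }
    }

    /**
     * Registers the {@link EJBMethodPermission} of one method with the policy
     * configuration and records it (and {@code securityHelper}) on the descriptor for
     * later run-time checks.
     *
     * <ul>
     *   <li>No roles and not excluded: registered as "unchecked" (permit all) unless the
     *       {@link #DONT_REGISTER_UNCOVERED_METHODS} property is set. That is the only
     *       knob that leaves a method uncovered in the policy.</li>
     *   <li>Roles present: the permission is added to each role.</li>
     *   <li>Marked unchecked: also added to the unchecked policy.</li>
     *   <li>Marked excluded: also added to the excluded policy (deny all).</li>
     * </ul>
     *
     * @return always {@code true} (kept for interface compatibility)
     * @throws PolicyContextException propagated from the {@link PolicyConfiguration}
     */
    boolean deployPolicy(MethodDescriptor methodDescriptor, SecurityHelper securityHelper) throws PolicyContextException {
        MethodInfo methodInfo = methodDescriptor.getMethodInfo();
        Set<String> roleNames = methodInfo.getSecurityRoleNames();
        EJBMethodPermission permission = createEJBMethodPermission(methodDescriptor);
        methodDescriptor.setSecurityHelper(securityHelper);
        methodDescriptor.setEJBMethodPermission(permission);
        if (roleNames.isEmpty()) {
            if (debugLogger.isDebugEnabled()) {
                debug(" no policy for " + permission);
            }
            if (!dont_register_uncovered_methods && !methodInfo.getIsExcluded()) {
                if (debugLogger.isDebugEnabled()) {
                    debug("  deploying uncovered method as 'unchecked': '" + permission + QUOTE);
                }
                this.jaccPolicyConfig.addToUncheckedPolicy(permission);
            }
        } else {
            for (String roleName : roleNames) {
                if (debugLogger.isDebugEnabled()) {
                    debug("  next roleName is: '" + roleName + QUOTE);
                    debug("registerRolesWithMethod, jaccPolicyConfig.addToRole " + roleName + ", " + permission);
                }
                this.jaccPolicyConfig.addToRole(roleName, permission);
            }
        }
        if (methodInfo.getUnchecked()) {
            this.jaccPolicyConfig.addToUncheckedPolicy(permission);
        }
        if (methodInfo.getIsExcluded()) {
            this.jaccPolicyConfig.addToExcludedPolicy(permission);
        }
        return true;
    }

    /**
     * Registers a method that carries only an unchecked or excluded marker (no roles).
     * "Unchecked" wins when both flags are set, matching the original ordering.
     *
     * @throws PolicyContextException propagated from the {@link PolicyConfiguration}
     */
    public void processUncheckedExcludedMethod(MethodDescriptor methodDescriptor) throws PolicyContextException {
        MethodInfo methodInfo = methodDescriptor.getMethodInfo();
        if (methodInfo.getUnchecked()) {
            this.jaccPolicyConfig.addToUncheckedPolicy(createEJBMethodPermission(methodDescriptor));
        } else if (methodInfo.getIsExcluded()) {
            this.jaccPolicyConfig.addToExcludedPolicy(createEJBMethodPermission(methodDescriptor));
        }
    }

    /**
     * Registers {@link EJBRoleRefPermission}s for one bean.
     *
     * <p>Each declared role ref maps its ref name onto the referenced role. Every role
     * of the assembly descriptor (plus {@link #ANY_AUTHENTICATED_ROLE}) that has no
     * explicit ref is mapped onto itself, so {@code isCallerInRole(roleName)} works for
     * undeclared refs. The descriptor's role names are cached in {@link #roleNamesSet}
     * on the first call only.
     *
     * @param ejbName        name of the bean (the permission name)
     * @param roleRefs       role-ref name to role reference, may be empty
     * @param deploymentInfo source of the assembly descriptor on the first call
     * @throws PolicyContextException propagated from the {@link PolicyConfiguration}
     */
    public void registerRoleRefs(String ejbName, Map<String, SecurityRoleReference> roleRefs, DeploymentInfo deploymentInfo) throws PolicyContextException {
        if (this.roleNamesSet.isEmpty()) {
            AssemblyDescriptorBean assemblyDescriptor = deploymentInfo.getEjbDescriptorBean().getEjbJarBean().getAssemblyDescriptor();
            if (assemblyDescriptor != null) {
                for (SecurityRoleBean securityRoleBean : assemblyDescriptor.getSecurityRoles()) {
                    this.roleNamesSet.add(securityRoleBean.getRoleName());
                }
            }
            this.roleNamesSet.add(ANY_AUTHENTICATED_ROLE);
        }
        Set<String> explicitRefNames = new HashSet<>();
        for (Map.Entry<String, SecurityRoleReference> entry : roleRefs.entrySet()) {
            String refName = entry.getKey();
            explicitRefNames.add(refName);
            this.jaccPolicyConfig.addToRole(entry.getValue().getReferencedRole(), new EJBRoleRefPermission(ejbName, refName));
        }
        for (String roleName : this.roleNamesSet) {
            if (!explicitRefNames.contains(roleName)) {
                this.jaccPolicyConfig.addToRole(roleName, new EJBRoleRefPermission(ejbName, roleName));
            }
        }
    }

    /** No-op; kept for interface symmetry with {@link #deactivate()}. */
    public void activate() {
    }

    /**
     * Deletes this module's {@link PolicyConfiguration}. Failure is reported only on
     * the debug logger (best effort, as in the original); the configuration may then
     * linger in the provider.
     */
    public void deactivate() {
        try {
            this.jaccPolicyConfig.delete();
        } catch (PolicyContextException e) {
            if (debugLogger.isDebugEnabled()) {
                debug("Error occured deleting PolicyConfiguration - " + StackTraceUtilsClient.throwable2StackTrace(e));
            }
        }
    }

    /**
     * Asks the installed {@link Policy} whether the current subject may invoke the
     * method described by {@code eJBMethodPermission}.
     *
     * <p>Fails closed: a {@link SecurityException} raised during the check is logged
     * and reported as "not allowed". A missing current subject is checked with an
     * empty principal set.
     *
     * @param contextHandler unused; the policy context is selected by
     *                       {@link #jaccPolicyContextId} instead
     */
    public boolean isAccessAllowed(EJBMethodPermission eJBMethodPermission, ContextHandler contextHandler) {
        try {
            return implies(eJBMethodPermission, getProtectionDomainForSubject(SecurityHelper.getCurrentSubject()));
        } catch (SecurityException e) {
            EJBLogger.logStackTrace(e);
            return false;
        }
    }

    /**
     * Checks an {@link EJBRoleRefPermission} for {@code roleRefName} on bean
     * {@code ejbName} against {@code authenticatedSubject}'s principals. Fails closed
     * on {@link SecurityException} (logged, returns {@code false}).
     */
    public boolean isCallerInRole(String ejbName, AuthenticatedSubject authenticatedSubject, String roleRefName) {
        try {
            return implies(new EJBRoleRefPermission(ejbName, roleRefName), getProtectionDomainForSubject(authenticatedSubject));
        } catch (SecurityException e) {
            EJBLogger.logStackTrace(e);
            return false;
        }
    }

    /**
     * Evaluates {@code permission} against {@code protectionDomain} with this
     * module's policy context ID bound, then restores whatever context ID the thread
     * had before, even if the policy throws.
     */
    private boolean implies(Permission permission, ProtectionDomain protectionDomain) {
        String previousContextId = PolicyContext.getContextID();
        try {
            setPolicyContext(this.jaccPolicyContextId);
            if (debugLogger.isDebugEnabled()) {
                debug("about to call Policy.getPolicy().implies on ProtectionDomain: " + protectionDomain + ", permission: " + permission);
            }
            return Policy.getPolicy().implies(protectionDomain, permission);
        } finally {
            // Always restore: a leaked context ID would make later checks on this thread
            // consult the wrong module's policy.
            setPolicyContext(previousContextId);
        }
    }

    /**
     * Binds {@code contextId} as the thread's JACC policy context ID if it differs
     * from the current one ({@code null} is a valid "no context" value).
     *
     * <p>{@code PolicyContext.setContextID} checks {@code SecurityPermission("setPolicy")}
     * when a SecurityManager is installed, so the call runs under this class's own
     * privileges rather than those of the whole (application) call stack. The original
     * also called it once unprivileged beforehand, which would have failed under a
     * SecurityManager before the privileged call ran; that call is dropped.
     */
    private void setPolicyContext(final String contextId) {
        String currentContextId = PolicyContext.getContextID();
        if (Objects.equals(currentContextId, contextId)) {
            if (debugLogger.isDebugEnabled()) {
                debug("#### setPolicyContext(): Policy Context ID was the same: " + currentContextId);
            }
            return;
        }
        AccessController.doPrivileged(new PrivilegedAction<Void>() {
            @Override
            public Void run() {
                PolicyContext.setContextID(contextId);
                return null;
            }
        });
    }

    /**
     * Builds the ProtectionDomain the {@link Policy} is queried with: this module's
     * code source, no static permissions, no class loader, and the subject's
     * principals (none for a {@code null} subject).
     */
    private ProtectionDomain getProtectionDomainForSubject(AuthenticatedSubject authenticatedSubject) {
        Principal[] principals;
        if (authenticatedSubject != null) {
            // Two-step copy rather than toArray(new Principal[0]) because the declared
            // element type of getPrincipals() is not visible here.
            principals = new Principal[authenticatedSubject.getPrincipals().size()];
            authenticatedSubject.getPrincipals().toArray(principals);
        } else {
            principals = new Principal[0];
        }
        return new ProtectionDomain(this.jaccCodeSource, null, null, principals);
    }

    /**
     * Builds the {@link EJBMethodPermission} for a descriptor. The actions string
     * depends on the descriptor's method type:
     * <ul>
     *   <li>type 1: {@code ""} (the whole bean);</li>
     *   <li>type 2: {@code "methodName,interfaceType"};</li>
     *   <li>otherwise: {@code "methodName,interfaceType,<params>"}.</li>
     * </ul>
     * The numeric type codes are opaque here; their meaning above is inferred from the
     * strings built for them.
     */
    private EJBMethodPermission createEJBMethodPermission(MethodDescriptor methodDescriptor) {
        String ejbName = methodDescriptor.getEjbName();
        MethodInfo methodInfo = methodDescriptor.getMethodInfo();
        String[] paramNames = SecurityHelper.getCanonicalMethodParamNames(methodDescriptor.getMethod());
        if (debugLogger.isDebugEnabled()) {
            StringBuilder paramList = new StringBuilder();
            for (String paramName : paramNames) {
                paramList.append(paramName).append(", ");
            }
            debug("Creating EJBMethodPermission: ejbName: '" + ejbName + "' methodName: '" + methodInfo.getMethodName() + "' interfaceType: '" + methodInfo.getMethodInterfaceType() + "' methodParams: '" + paramList.toString() + QUOTE);
        }
        short methodType = methodInfo.getMethodDescriptorMethodType();
        if (methodType == 1) {
            return new EJBMethodPermission(ejbName, "");
        }
        StringBuilder actions = new StringBuilder(methodInfo.getMethodName());
        actions.append(",").append(methodInfo.getMethodInterfaceType());
        if (methodType == 2) {
            return new EJBMethodPermission(ejbName, actions.toString());
        }
        // NOTE(review): only the first parameter is preceded by a comma; parameters after
        // it are appended with no separator. Kept as in the original because the same
        // string is used at both deploy and check time, but confirm against the format
        // getCanonicalMethodParamNames() returns before relying on this with an
        // external JACC provider.
        for (int i = 0; i < paramNames.length; i++) {
            if (i == 0) {
                actions.append(",");
            }
            actions.append(paramNames[i]);
        }
        return new EJBMethodPermission(ejbName, actions.toString());
    }

    /** Writes {@code message} to the EJB security debug logger with a class prefix. */
    private static void debug(String message) {
        debugLogger.debug("[SecurityHelperJACC] " + message);
    }

    static {
        dont_register_uncovered_methods = System.getProperty(DONT_REGISTER_UNCOVERED_METHODS) != null;
        debugLogger = EJBDebugService.securityLogger;
        // Register the subject handler and one delegating handler per EJB context key,
        // replacing any previously registered handler for the same key.
        CommonPolicyContextHandler commonPolicyContextHandler = new CommonPolicyContextHandler();
        String[] keys = EJBContextHandler.getKeys();
        DelegatingPolicyContextHandler delegatingPolicyContextHandler = new DelegatingPolicyContextHandler(keys);
        try {
            PolicyContext.registerHandler(CommonPolicyContextHandler.SUBJECT_KEY, commonPolicyContextHandler, true);
            for (String key : keys) {
                PolicyContext.registerHandler(key, delegatingPolicyContextHandler, true);
            }
        } catch (PolicyContextException e) {
            // Logged rather than rethrown so the class still loads; JACC context data
            // will then be unavailable to the policy provider.
            EJBLogger.logFailedToRegisterPolicyContextHandlers(e);
        }
    }
}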
