package weblogic.management.configuration;

import com.bea.security.utils.keystore.KssAccessor;
import java.lang.reflect.InvocationTargetException;
import java.security.AccessController;
import org.jvnet.hk2.annotations.ContractsProvided;
import org.jvnet.hk2.annotations.Service;
import weblogic.kernel.Kernel;
import weblogic.security.SecurityLogger;
import weblogic.security.SubjectUtils;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.net.ConnectionFilter;
import weblogic.security.net.ConnectionFilterRulesListener;
import weblogic.security.net.ConnectionFilterService;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.service.SecurityServiceManager;
import weblogic.utils.LocatorUtilities;

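/**
 * Static validation helpers for security-related configuration MBeans
 * (connection filter rules, principal names, demo keystore source, secure mode).
 *
 * <p>Every validator signals rejection by throwing {@link IllegalArgumentException}.
 * The class is also registered as a {@link DomainMBeanValidator}, but its
 * {@link #validate(DomainMBean)} implementation is empty.
 */
@ContractsProvided({DomainMBeanValidator.class})
@Service
/* loaded from: input_file:weblogic/management/configuration/SecurityLegalHelper.class */
public final class SecurityLegalHelper implements DomainMBeanValidator {
    // Kernel identity, obtained once under doPrivileged. Declared final so this
    // privileged handle cannot be reassigned after class initialization.
    private static final AuthenticatedSubject kernelId = (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());

    /**
     * Checks the given connection filter rules against the connection filter
     * class named in the security configuration.
     *
     * @param securityConfigurationMBean configuration supplying the filter class name
     * @param strArr the candidate filter rules
     * @return {@code true} when the rules are accepted or no check applies
     * @throws IllegalArgumentException if the filter cannot be loaded or rejects the rules
     */
    public static boolean isLegalFilterRules(SecurityConfigurationMBean securityConfigurationMBean, String[] strArr) {
        return isLegalFilterRules(securityConfigurationMBean.getConnectionFilter(), strArr);
    }

    /**
     * Asks the currently installed connection filter to check {@code strArr}
     * when the configured filter class implements {@link ConnectionFilterRulesListener}.
     *
     * <p>This method never returns {@code false}: it returns {@code true} when
     * there is nothing to check (no class name, filtering disabled, class is not
     * a rules listener) or the check passes, and throws otherwise.
     *
     * @param str fully qualified name of the configured connection filter class, may be {@code null}
     * @param strArr the candidate filter rules
     * @return always {@code true} when it returns normally
     * @throws IllegalArgumentException wrapping any failure raised while loading the
     *         class or checking the rules
     */
    private static boolean isLegalFilterRules(String str, String[] strArr) {
        if (str == null) {
            return true;
        }
        ConnectionFilterService connectionFilterService = (ConnectionFilterService) LocatorUtilities.getService(ConnectionFilterService.class);
        if (!connectionFilterService.getConnectionFilterEnabled()) {
            return true;
        }
        ConnectionFilter connectionFilter = connectionFilterService.getConnectionFilter();
        try {
            // NOTE(review): the class name comes from configuration, and
            // Class.forName(String) initializes the class (static initializers run)
            // before the ConnectionFilterRulesListener check below. Confirm that only
            // trusted administrators can set this value.
            Class<?> cls = Class.forName(str);
            if (ConnectionFilterRulesListener.class.isAssignableFrom(cls)) {
                try {
                    // The (Object) cast passes the rules as the single String[] argument.
                    // Without it the array is taken as the varargs list itself, so each
                    // rule becomes a separate argument and the reflective call fails.
                    // The receiver is the installed filter instance, not a new instance
                    // of cls; if it is not an instance of cls the call fails and is
                    // reported by the outer handler.
                    cls.getMethod("checkRules", String[].class).invoke(connectionFilter, (Object) strArr);
                } catch (InvocationTargetException e) {
                    Throwable targetException = e.getTargetException();
                    // Type test instead of matching the toString() prefix: it also
                    // covers ParseException subclasses and does not depend on how the
                    // exception formats itself.
                    if (!(targetException instanceof java.text.ParseException)) {
                        throw e;
                    }
                    String message = targetException.getMessage();
                    SecurityLogger.logUpdateFilterWarn(message);
                    // This exception is itself caught by the outer handler and wrapped
                    // once more before it reaches the caller.
                    throw new IllegalArgumentException(message + "  Rules will not be updated.");
                }
            }
            return true;
        } catch (Throwable th) {
            // Any failure (class not found, linkage error, reflective failure, rule
            // parse error) is reported as a validation failure with the cause attached.
            throw new IllegalArgumentException("problem with connection filter. Exception:" + th, th);
        }
    }

    /**
     * Validates the connection filter rules held by the given security configuration.
     *
     * @param securityConfigurationMBean configuration to validate
     * @throws IllegalArgumentException if the rules are rejected
     */
    public static void validateSecurityConfiguration(SecurityConfigurationMBean securityConfigurationMBean) throws IllegalArgumentException {
        // isLegalFilterRules reports failures by throwing and never returns false,
        // so this branch is a fallback that the current implementation does not reach.
        if (!isLegalFilterRules(securityConfigurationMBean, securityConfigurationMBean.getConnectionFilterRules())) {
            throw new IllegalArgumentException("ConnectionFilterRules string is not valid");
        }
    }

    /**
     * Rejects a principal name that {@code SubjectUtils.isAdminPrivilegeEscalation}
     * flags for the current subject. The check runs only when
     * {@code Kernel.isServer()} is true.
     *
     * @param str the principal name being set
     * @throws IllegalArgumentException if setting the name is flagged as a privilege escalation
     */
    public static void validatePrincipalName(String str) throws IllegalArgumentException {
        if (Kernel.isServer()) {
            AuthenticatedSubject currentSubject = SecurityServiceManager.getCurrentSubject(kernelId);
            if (SubjectUtils.isAdminPrivilegeEscalation(currentSubject, str, null)) {
                // NOTE(review): the message embeds the requested name and the current
                // subject's string form; confirm where this text is surfaced or logged.
                throw new IllegalArgumentException("The principal name : " + str + " has higher privileges than the current user: " + currentSubject + ". Hence the current user cannot set the principal name. Modify the principal name with admin privileged user.");
            }
        }
    }

    /**
     * Rejects enabling KSS for the demo key stores on a server where
     * {@code KssAccessor.isKssAvailable()} reports false.
     *
     * @param z the requested value of the "use KSS for demo" setting
     * @throws IllegalArgumentException if KSS is requested but unavailable
     */
    public static void validateUseKSSForDemo(boolean z) {
        if (z && Kernel.isServer() && !KssAccessor.isKssAvailable()) {
            throw new IllegalArgumentException("Unable to use KSS for Demo Key Stores, KSS is unavailable.");
        }
    }

    /**
     * Performs no domain-level checks. The security checks in this class are
     * exposed through the static {@code validate*} methods instead.
     *
     * @param domainMBean the domain configuration (unused)
     */
    @Override // weblogic.management.configuration.DomainMBeanValidator
    public void validate(DomainMBean domainMBean) {
    }

    /**
     * Rejects enabling secure mode when the owning domain is not in production mode.
     *
     * @param secureModeMBean the secure mode configuration being validated
     * @throws IllegalArgumentException if secure mode is enabled outside production mode
     */
    public static void validateSecureMode(SecureModeMBean secureModeMBean) throws IllegalArgumentException {
        // Assumes the grandparent bean is the DomainMBean; the cast fails otherwise.
        DomainMBean domainMBean = (DomainMBean) secureModeMBean.getParentBean().getParentBean();
        if (secureModeMBean.isSecureModeEnabled() && !domainMBean.isProductionModeEnabled()) {
            throw new IllegalArgumentException("Your domain must be in production mode to enable secure mode");
        }
    }
}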
