package weblogic.management.internal;

import java.beans.BeanDescriptor;
import java.beans.BeanInfo;
import java.beans.FeatureDescriptor;
import java.beans.MethodDescriptor;
import java.beans.PropertyDescriptor;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.PrintStream;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import javax.management.ObjectName;
import org.apache.tools.ant.taskdefs.optional.vss.MSVSSConstants;
import weblogic.common.internal.VersionInfo;
import weblogic.deploy.service.CallbackHandler;
import weblogic.diagnostics.debug.DebugLogger;
import weblogic.health.HealthState;
import weblogic.logging.Loggable;
import weblogic.management.ManagementLogger;
import weblogic.management.NoAccessRuntimeException;
import weblogic.management.configuration.PartitionMBean;
import weblogic.management.configuration.SecureModeMBean;
import weblogic.management.configuration.SecurityConfigurationMBean;
import weblogic.management.provider.ManagementService;
import weblogic.management.provider.beaninfo.BeanInfoAccess;
import weblogic.management.security.RealmMBean;
import weblogic.management.visibility.utils.MBeanNameUtil;
import weblogic.security.SubjectUtils;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.principal.IdentityDomainPrincipal;
import weblogic.security.service.AdminResource;
import weblogic.security.service.ContextElement;
import weblogic.security.service.ContextHandler;
import weblogic.security.service.MBeanResource;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.service.RoleManager;
import weblogic.security.service.SecurityService;
import weblogic.security.service.SecurityServiceManager;
import weblogic.security.utils.PartitionUtils;
import weblogic.security.utils.ResourceIDDContextWrapper;
import weblogic.utils.Debug;

/* loaded from: input_file:weblogic/management/internal/SecurityHelper.class */
public class SecurityHelper {
    // Not referenced anywhere in the visible part of this class.
    private static final boolean ENABLE_ACL_EXCEPTION = true;
    // Not read or written in the visible part of this class.
    private static boolean isSecServiceInitialized;
    // Populated lazily by getBeanInfo() on first use.
    private static BeanInfoAccess beanInfoAccess;
    // Populated lazily by getRoleManager(); the assignment is not synchronized.
    private static RoleManager roleManager;
    private static DebugLogger debugLogger = DebugLogger.getDebugLogger("DebugConfigurationRuntime");
    // Role names that the checks in this class look up in the caller's role map.
    private static final String ADMIN_ROLENAME = "Admin";
    private static final String DEPLOYER_ROLENAME = "Deployer";
    private static final String OPERATOR_ROLENAME = "Operator";
    private static final String MONITOR_ROLENAME = "Monitor";
    // Roles accepted by the additional checks applied when secure mode with restrictive JMX policies is on.
    private static final String[] SECURE_ROLES = {ADMIN_ROLENAME, DEPLOYER_ROLENAME, OPERATOR_ROLENAME, MONITOR_ROLENAME};
    // Kernel identity, fetched once at class initialization; passed to the security service calls below
    // and used to recognise kernel callers, which skip the role checks.
    private static final AuthenticatedSubject KERNEL_ID = (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
    // Debug output stream; opened on demand by dumpAclDebug() and never closed in the visible code.
    private static PrintStream aclPrintStream = null;
    // Resource passed to RoleManager.getRoles() for every role lookup in this class.
    // NOTE(review): CallbackHandler.CONFIGURATION looks like a constant substituted by the decompiler
    // for a string literal; confirm the actual value against the bytecode.
    private static AdminResource adminMBeanResource = new AdminResource(CallbackHandler.CONFIGURATION, null, null);
    // SECURITY: read once from the JVM system property weblogic.disableMBeanAuthorization. When true,
    // both private isAccessAllowed / isAccessAllowedCommo implementations return before any check, so
    // every MBean access they guard is allowed. Deployments should treat this flag as a finding.
    private static boolean disableACLOnMbeans = Boolean.getBoolean("weblogic.disableMBeanAuthorization");
    // Read once from the system property DEBUG_ACLS. When true, a denied access makes
    // IsAccessAllowedPrivilegeAction call dumpAclDebug(), which writes principals and a stack trace to a file.
    private static boolean debugACLs = Boolean.getBoolean("DEBUG_ACLS");

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:weblogic/management/internal/SecurityHelper$IsAccessAllowedPrivilegeAction.class */
    /**
     * Privileged action that decides whether {@code subject} may perform {@code action} on the MBean
     * identified by {@code name}. {@link #run()} returns {@code Boolean.TRUE} when access is granted and
     * throws {@link NoAccessRuntimeException} when it is denied; it never returns {@code FALSE}.
     */
    public static class IsAccessAllowedPrivilegeAction implements PrivilegedAction {
        private final AuthenticatedSubject subject;
        private final ObjectName name;
        private final MBeanResource.ActionType action;
        // Attribute or operation name; used below as the lookup key for property/method descriptors.
        private final String target;
        // Value of the "Type" key property of the ObjectName; null when the name has no such key.
        private final String type;
        // Optional descriptors supplied by the caller; when null they are looked up from type/target in run().
        private final BeanDescriptor beanDescriptor;
        private final MethodDescriptor methodDescriptor;
        private final PropertyDescriptor propertyDescriptor;
        // True when the caller found secure mode enabled together with restrictive JMX policies.
        private final boolean isSecureMode;

        /**
         * Captures the request to be evaluated.
         *
         * @param authenticatedSubject subject whose roles are evaluated
         * @param objectName MBean being accessed; dereferenced here, so a null name fails with a
         *        NullPointerException
         * @param actionType kind of access requested
         * @param str attribute or operation name (stored as {@code target})
         * @param beanDescriptor bean descriptor, or null to look it up by type
         * @param methodDescriptor method descriptor, or null to look it up by type and target
         * @param propertyDescriptor property descriptor, or null to look it up by type and target
         * @param z whether the restrictive secure-mode checks apply
         */
        IsAccessAllowedPrivilegeAction(AuthenticatedSubject authenticatedSubject, ObjectName objectName, MBeanResource.ActionType actionType, String str, BeanDescriptor beanDescriptor, MethodDescriptor methodDescriptor, PropertyDescriptor propertyDescriptor, boolean z) {
            this.subject = authenticatedSubject;
            this.name = objectName;
            this.action = actionType;
            this.target = str;
            this.type = this.name.getKeyProperty("Type");
            this.beanDescriptor = beanDescriptor;
            this.methodDescriptor = methodDescriptor;
            this.propertyDescriptor = propertyDescriptor;
            this.isSecureMode = z;
        }

        /**
         * Evaluates the captured request.
         *
         * @return {@code Boolean.TRUE} when access is granted
         * @throws NoAccessRuntimeException when access is denied
         */
        @Override // java.security.PrivilegedAction
        public Object run() {
            Map roles = SecurityHelper.getRoles(this.subject, this.name, null, null);
            // Access is granted immediately (final return below) when any of these holds:
            //   - the action is FIND, secure mode applies and the subject holds one of SECURE_ROLES;
            //   - the subject holds the Admin role;
            //   - the ObjectName carries no "Type" key property.
            // NOTE(review): the last case allows access with no descriptor or role check at all;
            // confirm that names without a Type key cannot reach sensitive MBeans through this path.
            if ((this.action != MBeanResource.ActionType.FIND || !this.isSecureMode || !SecurityHelper.isInRoles(roles, SecurityHelper.SECURE_ROLES)) && !SecurityHelper.isInRole(roles, SecurityHelper.ADMIN_ROLENAME) && this.type != null) {
                // The denial message is built up front and reused by every throw below.
                Loggable logNoAccessAllowedSubjectLoggable = ManagementLogger.logNoAccessAllowedSubjectLoggable(this.subject.toString(), this.type, this.action.toString(), this.target);
                // NOTE(review): the dump happens before the decision is known, so with DEBUG_ACLS set
                // it also records requests that are subsequently allowed below.
                if (SecurityHelper.debugACLs) {
                    SecurityHelper.dumpAclDebug(this.subject, this.name, this.action, this.target, "");
                }
                BeanDescriptor beanDescriptor = this.beanDescriptor;
                if (beanDescriptor == null) {
                    beanDescriptor = SecurityHelper.getBeanDescriptor(this.type);
                }
                if (this.action == MBeanResource.ActionType.READ) {
                    PropertyDescriptor propertyDescriptor = this.propertyDescriptor;
                    if (propertyDescriptor == null) {
                        propertyDescriptor = SecurityHelper.getPropertyDescriptor(this.type, this.target);
                    }
                    // No descriptor found for the attribute: reads are allowed unless secure mode
                    // applies and the subject holds none of SECURE_ROLES.
                    if (propertyDescriptor == null) {
                        if (!this.isSecureMode || SecurityHelper.isInRoles(roles, SecurityHelper.SECURE_ROLES)) {
                            return Boolean.TRUE;
                        }
                        throw new NoAccessRuntimeException(logNoAccessAllowedSubjectLoggable.getMessage());
                    }
                    Boolean bool = (Boolean) propertyDescriptor.getValue("encrypted");
                    Boolean bool2 = (Boolean) propertyDescriptor.getValue("sensitive");
                    // Attribute is neither encrypted nor sensitive: same rule as the no-descriptor case.
                    if ((bool == null || !bool.booleanValue()) && (bool2 == null || !bool2.booleanValue())) {
                        if (!this.isSecureMode || SecurityHelper.isInRoles(roles, SecurityHelper.SECURE_ROLES)) {
                            return Boolean.TRUE;
                        }
                        throw new NoAccessRuntimeException(logNoAccessAllowedSubjectLoggable.getMessage());
                    }
                    // Encrypted or sensitive attribute: defer to the descriptor-based decision.
                    if (SecurityHelper.getDecision(beanDescriptor, propertyDescriptor, this.name, this.subject, this.action, this.isSecureMode)) {
                        return Boolean.TRUE;
                    }
                } else if (this.action == MBeanResource.ActionType.WRITE || this.action == MBeanResource.ActionType.EXECUTE || this.action == MBeanResource.ActionType.REGISTER || this.action == MBeanResource.ActionType.UNREGISTER) {
                    if (this.action == MBeanResource.ActionType.WRITE) {
                        PropertyDescriptor propertyDescriptor2 = this.propertyDescriptor;
                        if (propertyDescriptor2 == null) {
                            propertyDescriptor2 = SecurityHelper.getPropertyDescriptor(this.type, this.target);
                        }
                        if (SecurityHelper.getDecision(beanDescriptor, propertyDescriptor2, this.name, this.subject, this.action, this.isSecureMode)) {
                            return Boolean.TRUE;
                        }
                    } else if (this.action == MBeanResource.ActionType.EXECUTE) {
                        MethodDescriptor methodDescriptor = this.methodDescriptor;
                        if (methodDescriptor == null) {
                            methodDescriptor = SecurityHelper.getMethodDescriptor(this.type, this.target);
                        }
                        if (SecurityHelper.getDecision(beanDescriptor, methodDescriptor, this.name, this.subject, this.action, this.isSecureMode)) {
                            return Boolean.TRUE;
                        }
                    // REGISTER / UNREGISTER: the bean descriptor is passed as both descriptor arguments.
                    } else if (SecurityHelper.getDecision(beanDescriptor, beanDescriptor, this.name, this.subject, this.action, this.isSecureMode)) {
                        return Boolean.TRUE;
                    }
                }
                // Default deny: reached when getDecision() refused, or for any action not handled
                // above (for example FIND by a subject without the required roles).
                throw new NoAccessRuntimeException(logNoAccessAllowedSubjectLoggable.getMessage());
            }
            return Boolean.TRUE;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:weblogic/management/internal/SecurityHelper$JMXMBeanPartitionFinder.class */
    /**
     * {@link MBeanPartitionFinder} backed by a JMX {@link ObjectName}. The partition name is obtained
     * reflectively from {@code weblogic.management.mbeanservers.JMXContextUtil}.
     */
    public static class JMXMBeanPartitionFinder implements MBeanPartitionFinder {
        private ObjectName oname;

        private JMXMBeanPartitionFinder(ObjectName objectName) {
            this.oname = objectName;
        }

        /**
         * Invokes the static method {@code getPartitionNameForMBean(ObjectName)} on
         * {@code JMXContextUtil} through reflection and returns its result.
         *
         * @return the value returned by the reflective call, cast to {@code String}
         * @throws Exception any failure of class loading, method lookup or invocation
         */
        @Override
        public String getPartitionName() throws Exception {
            // Class and method names are fixed literals; only the ObjectName argument varies.
            Class<?> contextUtil = Class.forName("weblogic.management.mbeanservers.JMXContextUtil");
            java.lang.reflect.Method lookup = contextUtil.getMethod("getPartitionNameForMBean", ObjectName.class);
            Object partitionName = lookup.invoke(null, this.oname);
            return (String) partitionName;
        }

        /** @return the ObjectName this finder was created for */
        @Override
        public ObjectName getObjectName() {
            return this.oname;
        }
    }

    /* loaded from: input_file:weblogic/management/internal/SecurityHelper$MBeanPartitionFinder.class */
    /**
     * Pairs an MBean {@link ObjectName} with a way to obtain a partition name for it.
     */
    public interface MBeanPartitionFinder {
        /**
         * @return the ObjectName this finder refers to
         */
        ObjectName getObjectName();

        /**
         * @return the partition name for the MBean (presumably the partition that owns it;
         *         the visible implementation delegates to JMXContextUtil)
         * @throws Exception if the lookup fails
         */
        String getPartitionName() throws Exception;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:weblogic/management/internal/SecurityHelper$Owner.class */
    // Kinds of owner distinguished by this class. The enum is not referenced in the visible part of
    // the file, so the meaning of each constant is inferred from its name only; TODO confirm.
    // The declaration order fixes ordinal() and compareTo(), so it must not be changed.
    public enum Owner {
        Domain,
        Partition,
        Context,
        RealmAdministrator
    }

    /* loaded from: input_file:weblogic/management/internal/SecurityHelper$PartitionContextHandler.class */
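    /**
     * {@link ContextHandler} exposing a single context element: the JMX {@link ObjectName} under the
     * key {@code com.bea.contextelement.jmx.ObjectName}.
     */
    public static class PartitionContextHandler implements ContextHandler {
        private final ObjectName objectName;
        private final String[] invoke_keys = {"com.bea.contextelement.jmx.ObjectName"};
        private final String[] keys = this.invoke_keys;

        /**
         * @param objectName value returned for the ObjectName key; may be null, in which case the
         *        handler reports the key but yields no value for it
         */
        public PartitionContextHandler(ObjectName objectName) {
            this.objectName = objectName;
        }

        /** @return the number of keys this handler knows (always one) */
        @Override
        public int size() {
            return this.keys.length;
        }

        /** @return the internal key array itself, not a copy; callers must not modify it */
        @Override
        public String[] getNames() {
            return this.keys;
        }

        /**
         * @param str requested key
         * @return the ObjectName when {@code str} is the ObjectName key, otherwise null
         */
        @Override
        public Object getValue(String str) {
            if ("com.bea.contextelement.jmx.ObjectName".equals(str)) {
                return this.objectName;
            }
            return null;
        }

        /**
         * Resolves several keys at once.
         *
         * @param strArr requested keys; must not be null
         * @return one ContextElement per key that has a non-null value, in request order, with no
         *         null slots
         */
        @Override
        public ContextElement[] getValues(String[] strArr) {
            ContextElement[] found = new ContextElement[strArr.length];
            int count = 0;
            for (String requested : strArr) {
                Object value = getValue(requested);
                if (value != null) {
                    found[count++] = new ContextElement(requested, value);
                }
            }
            // Trim to the populated prefix. The copy must be taken from the filled array: allocating
            // the shorter array first and copying it onto itself would return only null elements.
            return count < strArr.length ? Arrays.copyOf(found, count) : found;
        }
    }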

    /**
     * Requires the current subject to hold the Admin role for the given context, with no roles
     * excluded. Denial is signalled by the exception thrown from {@code checkForRole}.
     *
     * @param contextHandler context passed to the role lookup
     */
    public static void checkForAdminRole(ContextHandler contextHandler) {
        final String[] noExcludedRoles = null;
        checkForRole(ADMIN_ROLENAME, contextHandler, noExcludedRoles);
    }

    /**
     * Requires the current subject to hold the Admin role for the given context after the listed
     * roles have been removed from the subject's role map.
     *
     * @param contextHandler context passed to the role lookup
     * @param strArr role names to exclude before the check; may be null
     */
    public static void checkForAdminRole(ContextHandler contextHandler, String[] strArr) {
        final String[] excludedRoles = strArr;
        checkForRole(ADMIN_ROLENAME, contextHandler, excludedRoles);
    }

    /**
     * Reports whether an attribute is marked protected, i.e. its descriptor carries a true
     * {@code "encrypted"} or {@code "sensitive"} value. The outcome is written to the debug logger
     * when debugging is enabled.
     *
     * @param objectName MBean name, used only in the debug message
     * @param str attribute name, used only in the debug message
     * @param propertyDescriptor descriptor to inspect; null means "not protected"
     * @return true when the descriptor marks the attribute encrypted or sensitive
     */
    public static boolean isProtectedAttribute(ObjectName objectName, String str, PropertyDescriptor propertyDescriptor) {
        boolean isProtected = false;
        if (propertyDescriptor != null) {
            Boolean encrypted = (Boolean) propertyDescriptor.getValue("encrypted");
            isProtected = encrypted != null && encrypted.booleanValue();
            if (!isProtected) {
                // "sensitive" is consulted only when "encrypted" did not already decide.
                Boolean sensitive = (Boolean) propertyDescriptor.getValue("sensitive");
                isProtected = sensitive != null && sensitive.booleanValue();
            }
        }
        if (debugLogger.isDebugEnabled()) {
            if (isProtected) {
                debugLogger.debug("SecurityHelper - attribute " + str + " for object " + objectName + " is protected");
            } else {
                debugLogger.debug("SecurityHelper - attribute " + str + " for object " + objectName + " is NOT protected");
            }
        }
        return isProtected;
    }

    /**
     * Checks MBean access for the current subject without any caller-supplied descriptors.
     *
     * @param objectName MBean being accessed
     * @param actionType kind of access requested
     * @param str attribute or operation name
     * @param str2 not used by the visible implementation
     * @throws NoAccessRuntimeException when access is denied
     */
    public static void isAccessAllowed(ObjectName objectName, MBeanResource.ActionType actionType, String str, String str2) throws NoAccessRuntimeException {
        final BeanDescriptor noBeanDescriptor = null;
        final MethodDescriptor noMethodDescriptor = null;
        final PropertyDescriptor noPropertyDescriptor = null;
        isAccessAllowed(objectName, actionType, str, str2, noBeanDescriptor, noMethodDescriptor, noPropertyDescriptor);
    }

    /**
     * Checks MBean access for the current subject with a caller-supplied bean descriptor.
     *
     * @param objectName MBean being accessed
     * @param actionType kind of access requested
     * @param str attribute or operation name
     * @param str2 not used by the visible implementation
     * @param beanDescriptor descriptor of the MBean type, or null
     * @throws NoAccessRuntimeException when access is denied
     */
    public static void isAccessAllowed(ObjectName objectName, MBeanResource.ActionType actionType, String str, String str2, BeanDescriptor beanDescriptor) throws NoAccessRuntimeException {
        final MethodDescriptor noMethodDescriptor = null;
        final PropertyDescriptor noPropertyDescriptor = null;
        isAccessAllowed(objectName, actionType, str, str2, beanDescriptor, noMethodDescriptor, noPropertyDescriptor);
    }

    /**
     * Checks attribute access for the current subject with caller-supplied bean and property
     * descriptors.
     *
     * @param objectName MBean being accessed
     * @param actionType kind of access requested
     * @param str attribute name
     * @param str2 not used by the visible implementation
     * @param beanDescriptor descriptor of the MBean type, or null
     * @param propertyDescriptor descriptor of the attribute, or null
     * @throws NoAccessRuntimeException when access is denied
     */
    public static void isAccessAllowed(ObjectName objectName, MBeanResource.ActionType actionType, String str, String str2, BeanDescriptor beanDescriptor, PropertyDescriptor propertyDescriptor) throws NoAccessRuntimeException {
        final MethodDescriptor noMethodDescriptor = null;
        isAccessAllowed(objectName, actionType, str, str2, beanDescriptor, noMethodDescriptor, propertyDescriptor);
    }

    /**
     * Checks operation access for the current subject with caller-supplied bean and method
     * descriptors.
     *
     * @param objectName MBean being accessed
     * @param actionType kind of access requested
     * @param str operation name
     * @param str2 not used by the visible implementation
     * @param beanDescriptor descriptor of the MBean type, or null
     * @param methodDescriptor descriptor of the operation, or null
     * @throws NoAccessRuntimeException when access is denied
     */
    public static void isAccessAllowed(ObjectName objectName, MBeanResource.ActionType actionType, String str, String str2, BeanDescriptor beanDescriptor, MethodDescriptor methodDescriptor) throws NoAccessRuntimeException {
        final PropertyDescriptor noPropertyDescriptor = null;
        isAccessAllowed(objectName, actionType, str, str2, beanDescriptor, methodDescriptor, noPropertyDescriptor);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Boolean form of the access check for the current subject: a denial is reported as
     * {@code false} instead of an exception.
     *
     * @param objectName MBean being accessed
     * @param actionType kind of access requested
     * @param str attribute or operation name
     * @param str2 not used by the visible implementation
     * @param propertyDescriptor descriptor of the attribute, or null
     * @return true when the check completes without NoAccessRuntimeException
     */
    public static boolean isAllowed(ObjectName objectName, MBeanResource.ActionType actionType, String str, String str2, PropertyDescriptor propertyDescriptor) {
        boolean allowed;
        try {
            isAccessAllowed(objectName, actionType, str, str2, null, null, propertyDescriptor);
            allowed = true;
        } catch (NoAccessRuntimeException denied) {
            // Only the access-denied exception maps to false; any other failure propagates.
            allowed = false;
        }
        return allowed;
    }

    /**
     * Reports whether the anonymous subject may perform the given access.
     * <p>
     * Outside the restricted-read case the decision is delegated to
     * {@code isAllowed(AuthenticatedSubject.ANON, ...)}. For READ while secure mode with restrictive
     * JMX policies is enabled, the answer comes from the descriptor alone and no role lookup is
     * made on this path: a missing descriptor or an attribute that is neither encrypted nor
     * sensitive is readable, anything else is not.
     *
     * @param objectName MBean being accessed
     * @param actionType kind of access requested
     * @param str attribute or operation name
     * @param str2 not used by the visible implementation
     * @param propertyDescriptor descriptor of the attribute, or null
     * @return true when anonymous access is allowed
     */
    public static boolean isAllowedAnon(ObjectName objectName, MBeanResource.ActionType actionType, String str, String str2, PropertyDescriptor propertyDescriptor) {
        SecureModeMBean secureMode = ManagementService.getRuntimeAccess(KERNEL_ID).getDomain().getSecurityConfiguration().getSecureMode();
        boolean restrictive = secureMode.isSecureModeEnabled() && secureMode.isRestrictiveJMXPolicies();
        boolean restrictedRead = actionType == MBeanResource.ActionType.READ && restrictive;
        if (!restrictedRead) {
            return isAllowed(AuthenticatedSubject.ANON, objectName, actionType, str, str2, propertyDescriptor);
        }
        if (propertyDescriptor == null) {
            return true;
        }
        Boolean encrypted = (Boolean) propertyDescriptor.getValue("encrypted");
        if (encrypted != null && encrypted.booleanValue()) {
            return false;
        }
        Boolean sensitive = (Boolean) propertyDescriptor.getValue("sensitive");
        boolean isSensitive = sensitive != null && sensitive.booleanValue();
        return !isSensitive;
    }

    /**
     * Evaluates the boolean access check on behalf of an explicit subject by handing the check to
     * {@code SecurityServiceManager.runAs} together with the kernel identity and that subject.
     *
     * @param authenticatedSubject subject the check is evaluated for
     * @param objectName MBean being accessed
     * @param actionType kind of access requested
     * @param str attribute or operation name
     * @param str2 not used by the visible implementation
     * @param propertyDescriptor descriptor of the attribute, or null
     * @return true when access is allowed for that subject
     */
    public static boolean isAllowed(AuthenticatedSubject authenticatedSubject, final ObjectName objectName, final MBeanResource.ActionType actionType, final String str, final String str2, final PropertyDescriptor propertyDescriptor) {
        PrivilegedAction check = new PrivilegedAction() {
            @Override
            public Object run() {
                return Boolean.valueOf(SecurityHelper.isAllowed(objectName, actionType, str, str2, propertyDescriptor));
            }
        };
        Object outcome = SecurityServiceManager.runAs(KERNEL_ID, authenticatedSubject, check);
        return ((Boolean) outcome).booleanValue();
    }

    /**
     * Core access check behind the public {@code isAccessAllowed} overloads.
     * <p>
     * The check is skipped entirely when {@code disableACLOnMbeans} is set, for FIND when secure
     * mode with restrictive JMX policies is not enabled, and when the current subject is the kernel
     * identity. Otherwise the decision is made by {@link IsAccessAllowedPrivilegeAction}, run under
     * the kernel identity for the current subject.
     *
     * @param objectName MBean being accessed
     * @param actionType kind of access requested
     * @param str attribute or operation name
     * @param str2 not used in this method
     * @param beanDescriptor descriptor of the MBean type, or null
     * @param methodDescriptor descriptor of the operation, or null
     * @param propertyDescriptor descriptor of the attribute, or null
     * @throws NoAccessRuntimeException when the privileged action denies access (assuming runAs
     *         propagates the exception unchanged; confirm)
     */
    private static void isAccessAllowed(ObjectName objectName, MBeanResource.ActionType actionType, String str, String str2, BeanDescriptor beanDescriptor, MethodDescriptor methodDescriptor, PropertyDescriptor propertyDescriptor) throws NoAccessRuntimeException {
        // SECURITY: global switch (system property weblogic.disableMBeanAuthorization) turns the check off.
        if (disableACLOnMbeans) {
            return;
        }
        SecureModeMBean secureMode = ManagementService.getRuntimeAccess(KERNEL_ID).getDomain().getSecurityConfiguration().getSecureMode();
        boolean restrictive = secureMode.isSecureModeEnabled() && secureMode.isRestrictiveJMXPolicies();
        // FIND is only subject to a check under the restrictive policy.
        if (actionType == MBeanResource.ActionType.FIND && !restrictive) {
            return;
        }
        AuthenticatedSubject caller = SecurityServiceManager.getCurrentSubject(KERNEL_ID);
        if (!SecurityServiceManager.isKernelIdentity(caller)) {
            SecurityServiceManager.runAs(KERNEL_ID, KERNEL_ID, new IsAccessAllowedPrivilegeAction(caller, objectName, actionType, str, beanDescriptor, methodDescriptor, propertyDescriptor, restrictive));
        }
    }

    /**
     * Commo-variant access check with a bean descriptor only.
     *
     * @param objectName MBean being accessed
     * @param actionType kind of access requested
     * @param str attribute or operation name
     * @param str2 not used by the visible implementation
     * @param beanDescriptor descriptor of the MBean type, or null
     * @throws NoAccessRuntimeException when access is denied
     */
    public static void isAccessAllowedCommo(ObjectName objectName, MBeanResource.ActionType actionType, String str, String str2, BeanDescriptor beanDescriptor) throws NoAccessRuntimeException {
        final MethodDescriptor noMethodDescriptor = null;
        final PropertyDescriptor noPropertyDescriptor = null;
        isAccessAllowedCommo(objectName, actionType, str, str2, beanDescriptor, noMethodDescriptor, noPropertyDescriptor);
    }

    /**
     * Commo-variant access check for an attribute, with bean and property descriptors.
     *
     * @param objectName MBean being accessed
     * @param actionType kind of access requested
     * @param str attribute name
     * @param str2 not used by the visible implementation
     * @param beanDescriptor descriptor of the MBean type, or null
     * @param propertyDescriptor descriptor of the attribute, or null
     * @throws NoAccessRuntimeException when access is denied
     */
    public static void isAccessAllowedCommo(ObjectName objectName, MBeanResource.ActionType actionType, String str, String str2, BeanDescriptor beanDescriptor, PropertyDescriptor propertyDescriptor) throws NoAccessRuntimeException {
        final MethodDescriptor noMethodDescriptor = null;
        isAccessAllowedCommo(objectName, actionType, str, str2, beanDescriptor, noMethodDescriptor, propertyDescriptor);
    }

    /**
     * Commo-variant access check for an operation, with bean and method descriptors.
     *
     * @param objectName MBean being accessed
     * @param actionType kind of access requested
     * @param str operation name
     * @param str2 not used by the visible implementation
     * @param beanDescriptor descriptor of the MBean type, or null
     * @param methodDescriptor descriptor of the operation, or null
     * @throws NoAccessRuntimeException when access is denied
     */
    public static void isAccessAllowedCommo(ObjectName objectName, MBeanResource.ActionType actionType, String str, String str2, BeanDescriptor beanDescriptor, MethodDescriptor methodDescriptor) throws NoAccessRuntimeException {
        final PropertyDescriptor noPropertyDescriptor = null;
        isAccessAllowedCommo(objectName, actionType, str, str2, beanDescriptor, methodDescriptor, noPropertyDescriptor);
    }

    /* JADX WARN: Multi-variable type inference failed */
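    /**
     * Core access check behind the public {@code isAccessAllowedCommo} overloads. Decisions are
     * driven by role lists carried on the supplied descriptors ({@code rolesAllowed},
     * {@code rolesExcluded*}, {@code rolePermitAll}) and by the Admin role.
     * <p>
     * The check is skipped entirely when {@code disableACLOnMbeans} is set. READ and EXECUTE are
     * also skipped for the kernel identity; {@code checkForRole} applies the same exemption for the
     * Admin-role checks made on the other paths.
     * <p>
     * NOTE(review): every {@code checkForRoles(SECURE_ROLES, ...)} call made under the restrictive
     * secure-mode flag discards the boolean result, and the visible {@code checkForRoles} only
     * returns a value and does not throw. As written these calls therefore cannot deny access.
     * Confirm against the original bytecode whether a throwing variant was intended.
     *
     * @param objectName MBean being accessed; must not be null for READ and EXECUTE
     * @param actionType kind of access requested
     * @param str attribute or operation name; used in debug and error messages only
     * @param str2 not used in this method
     * @param beanDescriptor descriptor of the MBean type, or null
     * @param methodDescriptor descriptor of the operation, or null
     * @param propertyDescriptor descriptor of the attribute, or null
     * @throws NoAccessRuntimeException when a required role is missing or the action is unknown
     * @throws IllegalArgumentException when {@code objectName} is null for READ or EXECUTE
     */
    private static void isAccessAllowedCommo(ObjectName objectName, MBeanResource.ActionType actionType, String str, String str2, BeanDescriptor beanDescriptor, MethodDescriptor methodDescriptor, PropertyDescriptor propertyDescriptor) throws NoAccessRuntimeException {
        // SECURITY: global switch (system property weblogic.disableMBeanAuthorization) turns the check off.
        if (disableACLOnMbeans) {
            return;
        }
        SecureModeMBean secureMode = ManagementService.getRuntimeAccess(KERNEL_ID).getDomain().getSecurityConfiguration().getSecureMode();
        boolean restrictive = secureMode.isSecureModeEnabled() && secureMode.isRestrictiveJMXPolicies();

        // Method-style actions put the method descriptor into the context; all others the property descriptor.
        boolean methodStyleAction = actionType == MBeanResource.ActionType.EXECUTE || actionType == MBeanResource.ActionType.REGISTER || actionType == MBeanResource.ActionType.UNREGISTER;
        FeatureDescriptor featureDescriptor = methodStyleAction ? methodDescriptor : propertyDescriptor;
        String operation = MBeanResource.ActionType.FIND.equals(actionType) ? "find" : "invoke";
        ContextHandler resourceContextHandler = getResourceContextHandler(objectName, (ContextHandler) new JMXContextHandler(objectName), (FeatureDescriptor) beanDescriptor, featureDescriptor, operation);

        if (actionType == MBeanResource.ActionType.FIND) {
            if (restrictive) {
                checkForRoles(SECURE_ROLES, resourceContextHandler, null);
            }
            return;
        }
        if (actionType == MBeanResource.ActionType.WRITE) {
            if (propertyDescriptor != null) {
                // A described attribute can be written only with the Admin role, minus setter exclusions.
                checkForAdminRole(resourceContextHandler, (String[]) propertyDescriptor.getValue("rolesExcludedSet"));
            } else if (restrictive) {
                checkForRoles(SECURE_ROLES, resourceContextHandler, null);
            }
            return;
        }
        if (actionType == MBeanResource.ActionType.UNREGISTER) {
            if (methodDescriptor != null) {
                checkForAdminRole(resourceContextHandler, (String[]) methodDescriptor.getValue("rolesExcluded"));
            } else if (restrictive) {
                checkForRoles(SECURE_ROLES, resourceContextHandler, null);
            }
            return;
        }
        if (actionType == MBeanResource.ActionType.REGISTER) {
            if (restrictive) {
                checkForRoles(SECURE_ROLES, resourceContextHandler, null);
            }
            return;
        }

        if (objectName == null) {
            throw new IllegalArgumentException("Object name for an MBean can not be null");
        }
        AuthenticatedSubject currentSubject = SecurityServiceManager.getCurrentSubject(KERNEL_ID);
        if (SecurityServiceManager.isKernelIdentity(currentSubject)) {
            return;
        }

        if (actionType == MBeanResource.ActionType.READ) {
            if (propertyDescriptor == null) {
                if (restrictive) {
                    checkForRoles(SECURE_ROLES, resourceContextHandler, null);
                }
                return;
            }
            // Encrypted and sensitive attributes each require the Admin role, minus getter exclusions.
            Boolean encrypted = (Boolean) propertyDescriptor.getValue("encrypted");
            if (encrypted != null && encrypted.booleanValue()) {
                if (debugLogger.isDebugEnabled()) {
                    debugLogger.debug("SecurityHelper - read encrypted, check for admin, attr = " + str);
                }
                checkForAdminRole(resourceContextHandler, (String[]) propertyDescriptor.getValue("rolesExcludedGet"));
            }
            Boolean sensitive = (Boolean) propertyDescriptor.getValue("sensitive");
            if (sensitive != null && sensitive.booleanValue()) {
                if (debugLogger.isDebugEnabled()) {
                    // NOTE(review): the message says "encrypted" on the sensitive path as well; text kept as found.
                    debugLogger.debug("SecurityHelper - read encrypted, check for admin, attr = " + str);
                }
                checkForAdminRole(resourceContextHandler, (String[]) propertyDescriptor.getValue("rolesExcludedGet"));
            }
            if (restrictive) {
                checkForRoles(SECURE_ROLES, resourceContextHandler, null);
            }
            return;
        }

        // Anything that is not EXECUTE at this point is an action this method does not know: deny.
        if (actionType != MBeanResource.ActionType.EXECUTE) {
            throw new NoAccessRuntimeException(ManagementLogger.logNoAccessAllowedSubjectLoggable(currentSubject.toString(), objectName.toString(), actionType.toString(), str).getMessage());
        }

        // EXECUTE, step 1: roles granted on the whole MBean interface.
        if (beanDescriptor != null) {
            if (checkForRoles((String[]) beanDescriptor.getValue("rolesAllowed"), resourceContextHandler, (String[]) beanDescriptor.getValue("rolesExcluded"))) {
                return;
            }
            Boolean beanPermitAll = (Boolean) beanDescriptor.getValue("rolePermitAll");
            if (beanPermitAll != null && beanPermitAll.booleanValue()) {
                if (debugLogger.isDebugEnabled()) {
                    debugLogger.debug("SecurityHelper - rolePermitAll found for interface " + str);
                }
                if (restrictive) {
                    checkForRoles(SECURE_ROLES, resourceContextHandler, null);
                }
                return;
            }
        }

        // EXECUTE, step 2: roles granted on the individual operation; Admin is the fallback.
        if (methodDescriptor == null) {
            checkForAdminRole(resourceContextHandler);
            return;
        }
        String[] methodRolesExcluded = (String[]) methodDescriptor.getValue("rolesExcluded");
        if (checkForRoles((String[]) methodDescriptor.getValue("rolesAllowed"), resourceContextHandler, methodRolesExcluded)) {
            return;
        }
        Boolean methodPermitAll = (Boolean) methodDescriptor.getValue("rolePermitAll");
        if (methodPermitAll == null || !methodPermitAll.booleanValue()) {
            checkForAdminRole(resourceContextHandler, methodRolesExcluded);
            return;
        }
        if (debugLogger.isDebugEnabled()) {
            debugLogger.debug("SecurityHelper - rolePermitAll found for method " + str);
        }
        if (restrictive) {
            checkForRoles(SECURE_ROLES, resourceContextHandler, null);
        }
    }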

    /**
     * Fails with an {@link AssertionError} unless the given subject is the very same object as the
     * cached kernel identity (reference comparison).
     * <p>
     * NOTE(review): a null subject reaches {@code toString()} and fails with a
     * NullPointerException instead of the AssertionError; the no-argument overload uses
     * {@code isKernelIdentity} rather than reference equality.
     *
     * @param authenticatedSubject subject to test
     */
    public static void assertIfNotKernel(AuthenticatedSubject authenticatedSubject) {
        if (authenticatedSubject == KERNEL_ID) {
            return;
        }
        String message = ManagementLogger.logNotKernelUserLoggable(authenticatedSubject.toString()).getMessage();
        throw new AssertionError(message);
    }

    /**
     * Fails with an {@link AssertionError} unless the current subject is recognised as the kernel
     * identity by {@code SecurityServiceManager.isKernelIdentity}.
     */
    public static void assertIfNotKernel() {
        AuthenticatedSubject caller = SecurityServiceManager.getCurrentSubject(KERNEL_ID);
        if (SecurityServiceManager.isKernelIdentity(caller)) {
            return;
        }
        String message = ManagementLogger.logNotKernelUserLoggable(caller.toString()).getMessage();
        throw new AssertionError(message);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Tests whether a role map contains a non-null entry for one role name.
     *
     * @param map role map keyed by role name; null means "no roles"
     * @param str role name to look up
     * @return true when the map holds a non-null value for {@code str}
     */
    public static boolean isInRole(Map map, String str) {
        if (map == null) {
            return false;
        }
        return map.get(str) != null;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Tests whether a role map contains a non-null entry for at least one of the given role names.
     *
     * @param map role map keyed by role name; null means "no roles"
     * @param strArr candidate role names; null or empty yields false
     * @return true when any candidate maps to a non-null value
     */
    public static boolean isInRoles(Map map, String[] strArr) {
        if (map == null || strArr == null) {
            return false;
        }
        for (String candidate : strArr) {
            if (map.get(candidate) != null) {
                return true;
            }
        }
        return false;
    }

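    /**
     * Tests whether a role map contains the Admin role or any of the given roles. Admin is tested
     * first, then the supplied names in array order; the first match is written to the debug logger
     * when debugging is enabled.
     *
     * @param map role map keyed by role name; null is treated as "no roles" and yields false,
     *        matching {@code isInRole} and {@code isInRoles}
     * @param strArr additional role names accepted besides Admin; may be null
     * @return true when Admin or one of {@code strArr} maps to a non-null value
     */
    private static boolean isInRoleOrInAdmin(Map map, String[] strArr) {
        // Fail closed on a missing role map instead of failing with a NullPointerException.
        if (map == null) {
            return false;
        }
        if (map.get(ADMIN_ROLENAME) != null) {
            logAllowedRole(ADMIN_ROLENAME);
            return true;
        }
        if (strArr != null) {
            for (String role : strArr) {
                if (map.get(role) != null) {
                    logAllowedRole(role);
                    return true;
                }
            }
        }
        return false;
    }

    /** Writes the matched role name to the debug logger when debugging is enabled. */
    private static void logAllowedRole(String role) {
        if (debugLogger.isDebugEnabled()) {
            debugLogger.debug("SecurityHelper - in roleAllowedOnMBean is true, roleAllowedOnMBean " + role);
        }
    }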

    /**
     * Returns the role manager of the administrative realm, looking it up on first use and caching
     * it in the static {@code roleManager} field. The lazy initialization is not synchronized.
     *
     * @return the cached or freshly obtained RoleManager
     */
    private static RoleManager getRoleManager() {
        RoleManager cached = roleManager;
        if (cached == null) {
            cached = (RoleManager) SecurityServiceManager.getSecurityService(KERNEL_ID, SecurityServiceManager.getAdministrativeRealmName(), SecurityService.ServiceType.ROLE);
            roleManager = cached;
        }
        return cached;
    }

    /**
     * Looks up the roles of a subject for the shared admin MBean resource, in a context built from
     * the ObjectName and the two descriptors.
     *
     * @param authenticatedSubject subject whose roles are requested
     * @param objectName MBean the request refers to
     * @param featureDescriptor first descriptor passed to the context (callers pass the bean descriptor or null)
     * @param featureDescriptor2 second descriptor passed to the context, or null
     * @return the map returned by {@code RoleManager.getRoles}; callers in this class treat null as "no roles"
     */
    static Map getRoles(AuthenticatedSubject authenticatedSubject, ObjectName objectName, FeatureDescriptor featureDescriptor, FeatureDescriptor featureDescriptor2) {
        // Resolve the role manager first, as the original call chain did.
        RoleManager manager = getRoleManager();
        ContextHandler context = getResourceContextHandler(objectName, new JMXContextHandler(objectName), featureDescriptor, featureDescriptor2, (String) null);
        return manager.getRoles(authenticatedSubject, adminMBeanResource, context);
    }

    /**
     * Requires the current subject to hold the given role (or Admin), with no roles excluded.
     *
     * @param str required role name
     * @param contextHandler context passed to the role lookup
     */
    private static void checkForRole(String str, ContextHandler contextHandler) {
        final String[] noExcludedRoles = null;
        checkForRole(str, contextHandler, noExcludedRoles);
    }

    /**
     * Requires the current subject to hold the given role or the Admin role, after the excluded
     * roles have been removed from its role map. Kernel-identity callers always pass.
     *
     * @param str required role name
     * @param contextHandler context passed to the role lookup
     * @param strArr role names handed to removeExcludedRoles (defined outside the visible part of
     *        this file); may be null
     * @throws NoAccessRuntimeException when neither the Admin role nor {@code str} remains
     */
    private static void checkForRole(final String str, final ContextHandler contextHandler, final String[] strArr) {
        AuthenticatedSubject currentSubject = SecurityServiceManager.getCurrentSubject(KERNEL_ID);
        // The kernel identity is exempt from role checks.
        if (SecurityServiceManager.isKernelIdentity(currentSubject)) {
            return;
        }
        final AuthenticatedSubject seal = SecurityServiceManager.seal(KERNEL_ID, currentSubject);
        // The role lookup itself runs under the kernel identity.
        if (!((Boolean) SecurityServiceManager.runAs(KERNEL_ID, KERNEL_ID, new PrivilegedAction() { // from class: weblogic.management.internal.SecurityHelper.2
            @Override // java.security.PrivilegedAction
            public Object run() {
                // NOTE(review): `AuthenticatedSubject.this` and `access$200()` are decompiler artifacts
                // and do not compile as written; presumably they stand for the captured `seal` and
                // for getRoleManager(). Confirm against the bytecode before relying on this.
                Map removeExcludedRoles = SecurityHelper.removeExcludedRoles(SecurityHelper.access$200().getRoles(AuthenticatedSubject.this, SecurityHelper.adminMBeanResource, contextHandler), strArr);
                // Deny when there is no role map, or when it holds neither Admin nor the requested role.
                return (removeExcludedRoles == null || (removeExcludedRoles.get(SecurityHelper.ADMIN_ROLENAME) == null && removeExcludedRoles.get(str) == null)) ? Boolean.FALSE : Boolean.TRUE;
            }
        })).booleanValue()) {
            throw new NoAccessRuntimeException(ManagementLogger.logNoAccessForSubjectRoleLoggable(seal.toString(), str).getMessage());
        }
    }

    /**
     * Reports whether the current subject holds at least one of the given roles after the excluded
     * roles have been removed from its role map.
     * <p>
     * Unlike {@code checkForRole}, this method has no kernel-identity shortcut and never throws an
     * access exception itself: a missing role is reported only through the {@code false} return
     * value, so a caller that ignores the result performs no enforcement.
     *
     * @param strArr accepted role names; null yields false
     * @param contextHandler context passed to the role lookup
     * @param strArr2 role names handed to removeExcludedRoles (defined outside the visible part of
     *        this file); may be null
     * @return true when one of {@code strArr} maps to a non-null value in the filtered role map
     */
    private static boolean checkForRoles(final String[] strArr, final ContextHandler contextHandler, final String[] strArr2) {
        final AuthenticatedSubject seal = SecurityServiceManager.seal(KERNEL_ID, SecurityServiceManager.getCurrentSubject(KERNEL_ID));
        // The role lookup itself runs under the kernel identity.
        return ((Boolean) SecurityServiceManager.runAs(KERNEL_ID, KERNEL_ID, new PrivilegedAction() { // from class: weblogic.management.internal.SecurityHelper.3
            @Override // java.security.PrivilegedAction
            public Object run() {
                // NOTE(review): `AuthenticatedSubject.this` and `access$200()` are decompiler artifacts
                // and do not compile as written; presumably they stand for the captured `seal` and
                // for getRoleManager(). Confirm against the bytecode before relying on this.
                Map removeExcludedRoles = SecurityHelper.removeExcludedRoles(SecurityHelper.access$200().getRoles(AuthenticatedSubject.this, SecurityHelper.adminMBeanResource, contextHandler), strArr2);
                if (removeExcludedRoles == null || strArr == null) {
                    return Boolean.FALSE;
                }
                // The first accepted role found in the filtered map decides.
                for (int i = 0; i < strArr.length; i++) {
                    if (removeExcludedRoles.get(strArr[i]) != null) {
                        if (SecurityHelper.debugLogger.isDebugEnabled()) {
                            SecurityHelper.debugLogger.debug("SecurityHelper - role found " + strArr[i]);
                        }
                        return Boolean.TRUE;
                    }
                }
                if (SecurityHelper.debugLogger.isDebugEnabled()) {
                    SecurityHelper.debugLogger.debug("SecurityHelper - role not found ");
                }
                return Boolean.FALSE;
            }
        })).booleanValue();
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Appends one "invalid MBean access" record (principals, resource, stack trace) to the ACL
     * debug stream. The stream is opened on first use on a file named
     * {@code <serverName>_debug_acls.txt}, given as a relative path, and is kept open afterwards.
     * <p>
     * SECURITY: the file receives principal names and stack traces and is created with whatever
     * permissions the process default gives; enable DEBUG_ACLS only for troubleshooting and
     * protect or remove the file afterwards.
     *
     * @param authenticatedSubject subject whose principals are recorded
     * @param objectName MBean that was accessed
     * @param actionType kind of access requested
     * @param str attribute or operation name
     * @param str2 extra text appended to the resource line
     */
    public static synchronized void dumpAclDebug(AuthenticatedSubject authenticatedSubject, ObjectName objectName, MBeanResource.ActionType actionType, String str, String str2) {
        try {
            if (aclPrintStream == null) {
                String fileName = ManagementService.getRuntimeAccess(KERNEL_ID).getServerName() + "_debug_acls.txt";
                Debug.say("Opening ACL Log" + fileName);
                aclPrintStream = new PrintStream(new FileOutputStream(new File(fileName)));
            }
            final PrintStream out = aclPrintStream;
            out.println("START: INVALID MBEAN ACCESS");
            out.println("PRINCIPALS:" + authenticatedSubject.getPrincipals());
            out.println("RESOURCE:" + objectName + "|" + actionType + "|" + str + "|" + str2);
            // A throwaway exception is used only to capture the calling stack.
            new Exception().printStackTrace(out);
            out.println("END:INVALID MBEAN ACCESS");
        } catch (FileNotFoundException cannotOpen) {
            // Best effort: a debug file that cannot be opened must not affect the access decision.
            Debug.say("**** UNABLE TO OPEN DEBUG FILE *****");
        }
    }

    /**
     * Resolves the BeanInfo for an MBean type name at the current release version. The name is
     * tried as given first; a name without a dot is then retried as a configuration MBean
     * interface and finally as a runtime MBean interface.
     *
     * @param str interface name, or a short type name without package
     * @return the BeanInfo found, or null when none of the lookups succeeds
     */
    private static BeanInfo getBeanInfo(String str) {
        if (beanInfoAccess == null) {
            beanInfoAccess = ManagementService.getBeanInfoAccess();
        }
        String releaseVersion = VersionInfo.theOne().getReleaseVersion();
        BeanInfo info = beanInfoAccess.getBeanInfoForInterface(str, false, releaseVersion);
        // Only short names (no package separator) are expanded to the well-known packages.
        if (info == null && str.indexOf(".") == -1) {
            info = beanInfoAccess.getBeanInfoForInterface("weblogic.management.configuration." + str + HealthState.ITEM_MBEAN, false, releaseVersion);
            if (info == null) {
                info = beanInfoAccess.getBeanInfoForInterface("weblogic.management.runtime." + str + HealthState.ITEM_MBEAN, true, releaseVersion);
            }
        }
        return info;
    }

    /**
     * Returns the bean-level descriptor for an MBean interface name.
     *
     * @param str interface name, resolved by {@code getBeanInfo}
     * @return the descriptor, or {@code null} when no bean info is found for the name
     */
    public static BeanDescriptor getBeanDescriptor(String str) {
        BeanInfo resolved = getBeanInfo(str);
        return resolved == null ? null : resolved.getBeanDescriptor();
    }

    /**
     * Finds the descriptor of a named property on an MBean interface.
     *
     * @param str  interface name, resolved by {@code getBeanInfo}
     * @param str2 property name to match exactly; must not be null once there is a descriptor to compare
     * @return the first descriptor whose name equals {@code str2}, or {@code null} when the
     *         interface is unknown or has no such property
     */
    public static PropertyDescriptor getPropertyDescriptor(String str, String str2) {
        BeanInfo resolved = getBeanInfo(str);
        if (resolved != null) {
            PropertyDescriptor[] candidates = resolved.getPropertyDescriptors();
            for (int idx = 0; idx < candidates.length; idx++) {
                PropertyDescriptor candidate = candidates[idx];
                if (str2.equals(candidate.getName())) {
                    return candidate;
                }
            }
        }
        return null;
    }

    /**
     * Finds the descriptor of a named operation on an MBean interface.
     *
     * <p>Matching is by method name only, so for overloaded operations the first descriptor in
     * the bean info's order is returned.
     *
     * @param str  interface name, resolved by {@code getBeanInfo}
     * @param str2 method name to match exactly; must not be null once there is a descriptor to compare
     * @return the first descriptor whose name equals {@code str2}, or {@code null} when the
     *         interface is unknown or has no such method
     */
    public static MethodDescriptor getMethodDescriptor(String str, String str2) {
        BeanInfo resolved = getBeanInfo(str);
        if (resolved != null) {
            MethodDescriptor[] candidates = resolved.getMethodDescriptors();
            for (int idx = 0; idx < candidates.length; idx++) {
                MethodDescriptor candidate = candidates[idx];
                if (str2.equals(candidate.getName())) {
                    return candidate;
                }
            }
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Decides whether a subject may perform an action on an MBean, from the role annotations
     * carried by the bean-level and feature-level descriptors.
     *
     * <p>Steps, in order: the subject's roles are fetched for {@code adminMBeanResource} with a
     * resource context built for action "get" (READ) or "set" (anything else); each non-null
     * descriptor's {@code rolesExcluded<suffix>} list is passed to {@code removeExcludedRoles};
     * the allowed set is the union of the first descriptor's {@code rolesAllowed} and the second
     * descriptor's {@code rolesAllowed<suffix>}. If either descriptor carries a true
     * {@code rolePermitAll} marker the result is {@code true}, unless {@code z} is set, in which
     * case the subject must hold one of {@code SECURE_ROLES}. Otherwise the result is
     * {@code isInRoleOrInAdmin} over the allowed set.
     *
     * <p>NOTE(review): the first descriptor is read with un-suffixed keys ({@code rolesAllowed},
     * {@code rolePermitAll}) while the second uses the Get/Set suffix. This may be intentional
     * (bean-level versus attribute-level annotations); confirm. An action type other than READ or
     * WRITE yields an empty suffix and the "set" context action.
     *
     * @param featureDescriptor    first descriptor consulted (presumably bean level), may be null
     * @param featureDescriptor2   second descriptor consulted (presumably the attribute or operation), may be null
     * @param objectName           MBean being accessed
     * @param authenticatedSubject subject whose roles are evaluated
     * @param actionType           requested action
     * @param z                    when true, a permit-all marker still requires one of {@code SECURE_ROLES}
     *                             (presumably the secure-mode switch; confirm against callers)
     * @return {@code true} when access is granted
     */
    public static boolean getDecision(FeatureDescriptor featureDescriptor, FeatureDescriptor featureDescriptor2, ObjectName objectName, AuthenticatedSubject authenticatedSubject, MBeanResource.ActionType actionType, boolean z) {
        if (debugLogger.isDebugEnabled()) {
            debugLogger.debug("Checking for decision for " + objectName.getCanonicalName() + " for action type " + actionType);
        }

        // Suffix appended to descriptor keys. MSVSSConstants.COMMAND_GET is an Ant constant with
        // the value "Get"; presumably the decompiler substituted it for a plain string literal.
        String suffix;
        if (actionType == MBeanResource.ActionType.WRITE) {
            suffix = "Set";
        } else if (actionType == MBeanResource.ActionType.READ) {
            suffix = MSVSSConstants.COMMAND_GET;
        } else {
            suffix = "";
        }
        String contextAction = MSVSSConstants.COMMAND_GET.equals(suffix) ? "get" : "set";

        Map roles = getRoleManager().getRoles(
                authenticatedSubject,
                adminMBeanResource,
                getResourceContextHandler(objectName, new JMXContextHandler(objectName), featureDescriptor, featureDescriptor2, contextAction));

        HashSet allowed = new HashSet();
        if (featureDescriptor != null) {
            roles = removeExcludedRoles(roles, (String[]) featureDescriptor.getValue("rolesExcluded" + suffix));
            String[] firstAllowed = (String[]) featureDescriptor.getValue("rolesAllowed");
            if (firstAllowed != null) {
                allowed = new HashSet(Arrays.asList(firstAllowed));
            }
        }
        if (featureDescriptor2 != null) {
            roles = removeExcludedRoles(roles, (String[]) featureDescriptor2.getValue("rolesExcluded" + suffix));
            String[] secondAllowed = (String[]) featureDescriptor2.getValue("rolesAllowed" + suffix);
            if (secondAllowed != null) {
                allowed.addAll(new HashSet(Arrays.asList(secondAllowed)));
            }
        }

        // Both markers are read before deciding, so a wrongly typed value fails on either one.
        Boolean firstPermitAll = null;
        if (featureDescriptor != null) {
            firstPermitAll = (Boolean) featureDescriptor.getValue("rolePermitAll");
        }
        Boolean secondPermitAll = null;
        if (featureDescriptor2 != null) {
            secondPermitAll = (Boolean) featureDescriptor2.getValue("rolePermitAll" + suffix);
        }
        boolean permitAll = (firstPermitAll != null && firstPermitAll.booleanValue())
                || (secondPermitAll != null && secondPermitAll.booleanValue());

        if (permitAll) {
            // Permit-all is narrowed to SECURE_ROLES when z is set.
            if (z) {
                return isInRoles(roles, SECURE_ROLES);
            }
            return true;
        }
        return isInRoleOrInAdmin(roles, (String[]) allowed.toArray(new String[0]));
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Produces the role map used after a descriptor's exclusion list has been applied.
     *
     * <p>If {@code map} is null or empty, or {@code strArr} is null or empty, {@code map} is
     * returned unchanged (same instance). Otherwise a new map is returned holding one entry for
     * each name in {@code strArr} that has no non-null value in {@code map}, mapped to
     * {@code null}. Entries of {@code map} that are not named in {@code strArr} are not copied.
     *
     * <p>NOTE(review): the method name suggests the opposite result (the held roles minus the
     * excluded ones). As written, a lookup such as {@code result.get(role) != null} never
     * succeeds on the returned map once any exclusion list is present, which denies rather than
     * filters. This listing is decompiler output; verify against the shipped behaviour before
     * relying on or changing it.
     *
     * @param map    roles held by the subject, keyed by role name; may be null
     * @param strArr role names listed as excluded; may be null
     * @return {@code map} itself when there is nothing to process, otherwise the new map described above
     */
    public static Map removeExcludedRoles(Map map, String[] strArr) {
        boolean noRoles = map == null || map.isEmpty();
        boolean noExclusions = strArr == null || strArr.length == 0;
        if (noRoles || noExclusions) {
            return map;
        }
        Map result = new HashMap();
        for (String excludedName : strArr) {
            Object held = map.get(excludedName);
            if (held == null) {
                result.put(excludedName, held);
            }
        }
        return result;
    }

    /**
     * Convenience overload that derives the partition finder from a JMX object name and
     * delegates to the {@code MBeanPartitionFinder} variant.
     *
     * @param objectName         MBean being accessed
     * @param contextHandler     handler to wrap
     * @param featureDescriptor  first descriptor consulted for an {@code owner} value, may be null
     * @param featureDescriptor2 second descriptor consulted for an {@code owner} value, may be null
     * @param str                action name passed through to the delegate
     * @return the wrapping context handler built by the delegate
     */
    public static ContextHandler getResourceContextHandler(ObjectName objectName, ContextHandler contextHandler, FeatureDescriptor featureDescriptor, FeatureDescriptor featureDescriptor2, String str) {
        MBeanPartitionFinder finder = new JMXMBeanPartitionFinder(objectName);
        return getResourceContextHandler(finder, contextHandler, featureDescriptor, featureDescriptor2, str);
    }

    /**
     * Wraps a context handler with the partition or identity domain that owns the resource,
     * chosen from the {@code owner} value on the descriptors.
     *
     * <p>The second descriptor's {@code owner} wins over the first's when both are set; empty
     * strings count as unset. The effective owner selects:
     * <ul>
     *   <li>{@code Domain}: the admin identity domain.</li>
     *   <li>{@code Partition}: the current partition name, or an empty identity domain when there is none.</li>
     *   <li>{@code Context}: a wrapper constructed with the flag {@code true} and nothing else set.</li>
     *   <li>{@code RealmAdministrator} inside a partition: the realm's management identity domain
     *       from {@code getRealmManagementIdentityDomain}, else the admin identity domain.</li>
     *   <li>Anything else, including no owner: the partition reported by the finder, unless
     *       {@code isRunAsPartitionResourceOwner} has already set the owner on the wrapper.</li>
     * </ul>
     *
     * <p>NOTE(review): in the fallback branch a failure of {@code getPartitionName()} is only
     * logged at debug level and the resource partition then defaults to the empty string; confirm
     * that an empty partition cannot widen access. {@code Owner.valueOf} rejects an unrecognised
     * {@code owner} string with an exception if {@code Owner} is an enum, as it appears to be.
     *
     * @param mBeanPartitionFinder source of the MBean's partition name and object name
     * @param contextHandler       handler to wrap
     * @param featureDescriptor    first descriptor consulted for {@code owner}, may be null
     * @param featureDescriptor2   second descriptor consulted for {@code owner}, may be null
     * @param str                  action name, forwarded to {@code isRunAsPartitionResourceOwner}
     * @return a {@code ResourceIDDContextWrapper} around {@code contextHandler}
     */
    public static ContextHandler getResourceContextHandler(MBeanPartitionFinder mBeanPartitionFinder, ContextHandler contextHandler, FeatureDescriptor featureDescriptor, FeatureDescriptor featureDescriptor2, String str) {
        Owner firstOwner = null;
        if (featureDescriptor != null) {
            String declared = (String) featureDescriptor.getValue("owner");
            if (declared != null && !declared.isEmpty()) {
                firstOwner = Owner.valueOf(declared);
            }
        }
        Owner secondOwner = null;
        if (featureDescriptor2 != null) {
            String declared = (String) featureDescriptor2.getValue("owner");
            if (declared != null && !declared.isEmpty()) {
                secondOwner = Owner.valueOf(declared);
            }
        }
        Owner effectiveOwner = secondOwner != null ? secondOwner : firstOwner;

        if (effectiveOwner == Owner.Domain) {
            ResourceIDDContextWrapper domainScoped = new ResourceIDDContextWrapper(contextHandler, false);
            domainScoped.setResourceIdentityDomain(PartitionUtils.getAdminIdentityDomain());
            return domainScoped;
        }

        if (effectiveOwner == Owner.Partition) {
            ResourceIDDContextWrapper partitionScoped = new ResourceIDDContextWrapper(contextHandler, false);
            if (PartitionUtils.getPartitionName() != null && !PartitionUtils.getPartitionName().isEmpty()) {
                partitionScoped.setResourcePartition(PartitionUtils.getPartitionName());
            } else {
                partitionScoped.setResourceIdentityDomain("");
            }
            return partitionScoped;
        }

        if (effectiveOwner == Owner.Context) {
            return new ResourceIDDContextWrapper(contextHandler, true);
        }

        if (effectiveOwner == Owner.RealmAdministrator && PartitionUtils.getPartitionName() != null && !PartitionUtils.getPartitionName().isEmpty()) {
            String realmDomain = getRealmManagementIdentityDomain(PartitionUtils.getPartitionName(), mBeanPartitionFinder.getObjectName());
            ResourceIDDContextWrapper realmScoped = new ResourceIDDContextWrapper(contextHandler, false);
            if (realmDomain == null) {
                // The MBean is not tied to the partition's realm: fall back to the admin domain.
                realmScoped.setResourceIdentityDomain(PartitionUtils.getAdminIdentityDomain());
            } else {
                realmScoped.setResourceIdentityDomain(realmDomain);
            }
            return realmScoped;
        }

        // Fallback: no owner, an unlisted owner, or RealmAdministrator outside a partition.
        ResourceIDDContextWrapper fallback = new ResourceIDDContextWrapper(contextHandler, false);
        String mbeanPartition = "";
        try {
            mbeanPartition = mBeanPartitionFinder.getPartitionName();
        } catch (Exception e) {
            if (debugLogger.isDebugEnabled()) {
                debugLogger.debug(" exception occured finding the partition name for " + mBeanPartitionFinder.getObjectName() + " " + e.getMessage());
            }
        }
        if (debugLogger.isDebugEnabled()) {
            debugLogger.debug("SecurityHelper Partition name: " + mbeanPartition);
        }
        boolean ownerAlreadySet = isRunAsPartitionResourceOwner(mbeanPartition, str, featureDescriptor, featureDescriptor2, fallback);
        if (!ownerAlreadySet) {
            fallback.setResourcePartition(mbeanPartition);
        }
        return fallback;
    }

    /**
     * Returns the management identity domain of a partition's realm when the given MBean
     * belongs to that realm, otherwise {@code null}.
     *
     * <p>The realm is the partition's own realm, or the security configuration's default realm
     * when the partition has none. Membership is decided from the object name:
     * <ul>
     *   <li>Security MBeans: the {@code Name} key must start with the realm name and the realm
     *       must have a non-empty management identity domain. The name must then either equal
     *       the realm name, or its remainder after the realm name must name one of the realm's
     *       auditors, authentication providers, authorizers, credential mappers, cert path
     *       providers, password validators or role mappers, or its adjudicator or user lockout
     *       manager.</li>
     *   <li>Other WLS MBeans: the {@code REALM_RUNTIME_KEY} key (or {@code Name} when the
     *       {@code Type} key equals {@code REALM_RUNTIME_KEY}) must equal the realm name.</li>
     *   <li>Anything else: {@code null}.</li>
     * </ul>
     *
     * <p>NOTE(review): for security MBeans ownership is inferred from a string prefix plus a
     * provider-name remainder; confirm that realm and provider naming cannot make one realm's
     * MBean name parse as another realm's. The non-security path returns the management identity
     * domain without the non-empty check applied on the security path.
     *
     * @param str        partition name to look up in the domain
     * @param objectName MBean being accessed
     * @return the realm's management identity domain, or {@code null} when the partition is
     *         unknown, the object name has no {@code Name} key, or the MBean is not matched to the realm
     */
    private static String getRealmManagementIdentityDomain(String str, ObjectName objectName) {
        PartitionMBean partition = ManagementService.getRuntimeAccess(KERNEL_ID).getDomain().lookupPartition(str);
        SecurityConfigurationMBean securityConfig = ManagementService.getRuntimeAccess(KERNEL_ID).getDomain().getSecurityConfiguration();
        String mbeanName = objectName.getKeyProperty("Name");
        if (partition == null || mbeanName == null) {
            return null;
        }

        RealmMBean realm = partition.getRealm();
        if (realm == null) {
            realm = securityConfig.getDefaultRealm();
        }
        String realmName = realm.getName();

        if (MBeanNameUtil.isSecurityMBean(objectName)) {
            if (!mbeanName.startsWith(realmName) || realm.getManagementIdentityDomain() == null || realm.getManagementIdentityDomain().isEmpty()) {
                return null;
            }
            if (mbeanName.equals(realmName)) {
                return realm.getManagementIdentityDomain();
            }
            // What follows the realm name must identify a component configured on this realm.
            String componentName = mbeanName.substring(realmName.length());
            boolean belongsToRealm = realm.lookupAuditor(componentName) != null
                    || realm.lookupAuthenticationProvider(componentName) != null
                    || realm.lookupAuthorizer(componentName) != null
                    || realm.lookupCredentialMapper(componentName) != null
                    || realm.lookupCertPathProvider(componentName) != null
                    || realm.lookupPasswordValidator(componentName) != null
                    || realm.lookupRoleMapper(componentName) != null
                    || (realm.getAdjudicator() != null && realm.getAdjudicator().getName().equals(componentName))
                    || (realm.getUserLockoutManager() != null && realm.getUserLockoutManager().getName().equals(componentName));
            return belongsToRealm ? realm.getManagementIdentityDomain() : null;
        }

        if (!MBeanNameUtil.isWLSMBean(objectName)) {
            return null;
        }
        String realmKey = objectName.getKeyProperty(MBeanNameUtil.REALM_RUNTIME_KEY);
        if (realmKey == null && MBeanNameUtil.REALM_RUNTIME_KEY.equals(objectName.getKeyProperty("Type"))) {
            // The MBean is itself of the realm-runtime type, so its own Name identifies the realm.
            realmKey = mbeanName;
        }
        if (realmKey != null && realmKey.equals(realmName)) {
            return realm.getManagementIdentityDomain();
        }
        return null;
    }

    /**
     * Under restrictive JMX policies, re-scopes a domain-level resource to the caller's own
     * partition or identity domain for read-style actions.
     *
     * <p>Returns {@code false} without touching the wrapper unless all of these hold: secure
     * mode and restrictive JMX policies are both enabled; {@code str} is {@code "DOMAIN"}; an
     * admin identity domain is configured; and {@code str2} is {@code "get"}, {@code "find"} or
     * {@code "invoke"}. For {@code "invoke"}, at least one descriptor must also carry a true
     * {@code rolePermitAll}. When the conditions hold, the wrapper receives the current partition
     * name if there is one, else the identity domain of the current subject's user principal;
     * if neither is available the result is {@code false}.
     *
     * <p>Side effect: on a {@code true} return the wrapper's owner has been set, and the caller
     * in this file skips its own {@code setResourcePartition} call.
     *
     * @param str                       partition name reported for the MBean
     * @param str2                      action name
     * @param featureDescriptor         first descriptor checked for {@code rolePermitAll}, may be null
     * @param featureDescriptor2        second descriptor checked for {@code rolePermitAll}, may be null
     * @param resourceIDDContextWrapper wrapper to update
     * @return {@code true} when the wrapper was re-scoped here
     */
    private static boolean isRunAsPartitionResourceOwner(String str, String str2, FeatureDescriptor featureDescriptor, FeatureDescriptor featureDescriptor2, ResourceIDDContextWrapper resourceIDDContextWrapper) {
        SecureModeMBean secureMode = ManagementService.getRuntimeAccess(KERNEL_ID).getDomain().getSecurityConfiguration().getSecureMode();
        if (!secureMode.isSecureModeEnabled() || !secureMode.isRestrictiveJMXPolicies()) {
            return false;
        }
        if (!"DOMAIN".equals(str)) {
            return false;
        }
        if (PartitionUtils.getAdminIdentityDomain() == null || PartitionUtils.getAdminIdentityDomain().isEmpty()) {
            return false;
        }

        boolean isInvoke = "invoke".equals(str2);
        if (!isInvoke && !"get".equals(str2) && !"find".equals(str2)) {
            return false;
        }
        if (isInvoke) {
            // Operations qualify only when explicitly marked permit-all; both markers are read.
            Boolean firstMarker = featureDescriptor != null ? (Boolean) featureDescriptor.getValue("rolePermitAll") : null;
            Boolean secondMarker = featureDescriptor2 != null ? (Boolean) featureDescriptor2.getValue("rolePermitAll") : null;
            boolean firstPermits = firstMarker != null && firstMarker.booleanValue();
            boolean secondPermits = secondMarker != null && secondMarker.booleanValue();
            if (!firstPermits && !secondPermits) {
                return false;
            }
        }

        if (PartitionUtils.getPartitionName() != null && !PartitionUtils.getPartitionName().isEmpty()) {
            resourceIDDContextWrapper.setResourcePartition(PartitionUtils.getPartitionName());
            return true;
        }

        // No partition in context: fall back to the identity domain of the calling user.
        AuthenticatedSubject caller = SecurityServiceManager.getCurrentSubject(KERNEL_ID);
        if (caller == null) {
            return false;
        }
        Principal user = SubjectUtils.getUserPrincipal(caller);
        if (!(user instanceof IdentityDomainPrincipal)) {
            return false;
        }
        String callerDomain = ((IdentityDomainPrincipal) user).getIdentityDomain();
        if (callerDomain == null || callerDomain.isEmpty()) {
            return false;
        }
        resourceIDDContextWrapper.setResourceIdentityDomain(callerDomain);
        return true;
    }

    /**
     * Compiler-generated accessor that returns {@code getRoleManager()}; presumably it exists so
     * that nested classes can reach the private method.
     */
    static /* synthetic */ RoleManager access$200() {
        RoleManager manager = getRoleManager();
        return manager;
    }
}
