package weblogic.security.internal;

import java.util.HashSet;
import java.util.Set;
import weblogic.logging.Loggable;
import weblogic.management.configuration.DomainMBean;
import weblogic.management.configuration.SecureModeMBean;
import weblogic.management.configuration.SecurityConfigurationMBean;
import weblogic.management.security.IdentityDomainAwareProviderMBean;
import weblogic.management.security.ProviderMBean;
import weblogic.management.security.RealmMBean;
import weblogic.management.security.authentication.AuthenticationProviderMBean;
import weblogic.management.security.authentication.AuthenticatorMBean;
import weblogic.management.security.authentication.IdentityAsserterMBean;
import weblogic.management.security.authorization.AuthorizerMBean;
import weblogic.management.security.authorization.DeployableAuthorizerMBean;
import weblogic.management.security.authorization.DeployableRoleMapperMBean;
import weblogic.management.security.authorization.PolicyConsumerMBean;
import weblogic.management.security.authorization.PolicyReaderMBean;
import weblogic.management.security.authorization.RoleMapperMBean;
import weblogic.management.security.authorization.RoleReaderMBean;
import weblogic.management.security.credentials.CredentialMapperMBean;
import weblogic.management.security.pk.CertPathBuilderMBean;
import weblogic.management.security.pk.CertPathProviderMBean;
import weblogic.management.security.pk.CertPathValidatorMBean;
import weblogic.management.utils.ErrorCollectionException;
import weblogic.management.utils.NotFoundException;
import weblogic.security.SecurityLogger;
import weblogic.security.service.SecurityServiceManager;
import weblogic.security.utils.SecurityUtils;
import weblogic.server.lifecycle.WebLogicServerRunState;
import weblogic.utils.LocatorUtilities;

/* loaded from: input_file:weblogic/security/internal/RealmValidatorImpl.class */
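/**
 * Validates the configuration of a security realm before it is put to use.
 *
 * <p>The checks fall into three groups:
 * <ul>
 *   <li>the provider set a realm needs to function at all: an authenticator,
 *       role mappers and authorizers (including a deployable one with
 *       deployment enabled), an adjudicator when several authorizers are
 *       configured, a credential mapper, and CertPath providers;</li>
 *   <li>consistency rules: unique active token types across identity
 *       asserters, and no mixing of SAML V1 and SAML V2 providers;</li>
 *   <li>hardening checks that depend on the running realm and therefore only
 *       run once the server has finished booting: identity-domain-aware
 *       providers and the Admin role expression in identity-domain (IDD)
 *       domains, and the management MBean-server JNDI lookup policy when
 *       secure mode is enabled.</li>
 * </ul>
 *
 * <p>Most findings are collected into one {@link ErrorCollectionException}
 * that {@link #validate(RealmMBean)} throws at the end. While the server is
 * still booting, the "deployable provider" and "IDD-aware provider" checks
 * only log, so a partially configured realm does not prevent startup. The two
 * policy checks ({@link #checkRoleMapperPolicies} and
 * {@link #checkAtzPolicies}) abort immediately with an
 * {@link IllegalArgumentException} instead, because a realm whose policies
 * predate IDD or secure mode must be recreated rather than patched.
 *
 * <p>This class is stateless apart from the cached boot flag, which is guarded
 * by the {@code synchronized} accessor {@link #isBooting()}.
 */
public class RealmValidatorImpl {
    static final String DEFAULT_AUTHORIZER = "weblogic.security.providers.authorization.DefaultAuthorizationProviderImpl";
    static final String SAML_V1_IA = "weblogic.security.providers.saml.SAMLIdentityAsserterProviderImpl";
    static final String SAML_V2_IA = "weblogic.security.providers.saml.SAMLIdentityAsserterV2ProviderImpl";
    static final String SAML_V1_CREDMAP = "weblogic.security.providers.saml.SAMLCredentialMapperProviderImpl";
    static final String SAML_V2_CREDMAP = "weblogic.security.providers.saml.SAMLCredentialMapperV2ProviderImpl";
    // Role name whose expression is inspected in IDD domains.
    private static final String ADMIN_ROLE = "Admin";
    // Any one of these three tokens in the Admin role expression marks the realm as IDD-ready.
    private static final String ADMIN_IDD_GROUP = "AdminIDDGroup";
    private static final String ADMINISTRATIVE_GROUP = "AdministrativeGroup";
    private static final String APP_ROLE_NAME = "IDCSAppRoleName";
    // Only providers whose class name starts with this prefix are subject to the policy checks.
    private static final String WEBLOGIC_SECURITY = "weblogic.security";
    // Token that the JNDI lookup policy must contain once secure mode is enabled.
    private static final String IN_SECURE_MODE = "InSecureMode";
    // Resource id of the policy that protects JNDI lookups of the management MBean servers.
    private static final String JNDI_POLICY = "type=<jndi>, application=, path={weblogic,management,mbeanservers}, action=lookup";
    // Cached boot flag; flips to false once the server run state has been observed as running.
    private static boolean isBooting = true;

    /**
     * Runs every realm check and throws if any of them recorded a finding.
     *
     * @param realmMBean the realm to validate
     * @throws ErrorCollectionException when at least one check recorded a
     *     finding; the exception carries one nested {@link Exception} per finding
     * @throws IllegalArgumentException from the policy checks when the realm's
     *     Admin role expression or JNDI lookup policy predates IDD or secure mode
     */
    public void validate(RealmMBean realmMBean) throws ErrorCollectionException {
        boolean iddDomain = isIDDDomain(realmMBean);
        boolean iddAwareProvidersRequired = iddDomain || isIDDAwareProvidersRequired(realmMBean);
        ErrorCollectionException errors =
                new ErrorCollectionException(SecurityLogger.getInvalidRealmWarning(realmMBean.getName()));
        checkAuthenticationProviders(realmMBean, errors);
        checkRoleMappers(realmMBean, errors);
        // An adjudicator is only mandatory when more than one authorizer is configured.
        int authorizerCount = checkAuthorizers(realmMBean, errors);
        checkAdjudicator(realmMBean, errors, authorizerCount);
        checkCredentialMappers(realmMBean, errors);
        checkCertPathProviders(realmMBean, errors);
        checkSAMLProviders(realmMBean, errors);
        if (iddAwareProvidersRequired) {
            checkIDDAwareProviders(realmMBean, realmMBean.getAuditors(), errors);
            checkIDDAwareProviders(realmMBean, realmMBean.getAuthorizers(), errors);
            checkIDDAwareProviders(realmMBean, realmMBean.getCredentialMappers(), errors);
            checkIDDAwareProviders(realmMBean, realmMBean.getRoleMappers(), errors);
        }
        // The policy checks read the running realm, so they are skipped until the server is up.
        if (iddDomain && !isBooting()) {
            checkRoleMapperPolicies(realmMBean, errors);
        }
        SecureModeMBean secureMode = getSecureMode(realmMBean);
        if (secureMode != null && secureMode.isSecureModeEnabled() && !isBooting()) {
            checkAtzPolicies(realmMBean, errors);
        }
        if (!errors.isEmpty()) {
            throw errors;
        }
    }

    /**
     * Checks that the realm has at least one authenticator and that no two
     * identity asserters claim the same active token type.
     */
    private void checkAuthenticationProviders(RealmMBean realmMBean, ErrorCollectionException errors) {
        AuthenticationProviderMBean[] providers = realmMBean.getAuthenticationProviders();
        checkHaveAuthenticator(realmMBean, providers, errors);
        checkActiveTypesUnique(realmMBean, providers, errors);
    }

    /**
     * Records a finding unless at least one provider is an {@link AuthenticatorMBean}.
     * Identity asserters alone are not enough: without an authenticator no
     * subject can be built from the asserted identity.
     */
    private void checkHaveAuthenticator(RealmMBean realmMBean, AuthenticationProviderMBean[] providers,
            ErrorCollectionException errors) {
        if (providers != null) {
            for (AuthenticationProviderMBean provider : providers) {
                if (provider instanceof AuthenticatorMBean) {
                    return;
                }
            }
        }
        addError(errors, SecurityLogger.getInvalidRealmNoAuthenticatorWarning(realmMBean.getName()));
    }

    /**
     * Records a finding for every active token type that more than one identity
     * asserter is configured to handle. Two asserters for the same token type
     * would make it ambiguous which one establishes the caller's identity.
     * The token type {@code "Authorization"} is exempt from the uniqueness rule
     * (compared case-insensitively); presumably several asserters may share the
     * HTTP Authorization header - confirm against the identity-assertion runtime.
     */
    private void checkActiveTypesUnique(RealmMBean realmMBean, AuthenticationProviderMBean[] providers,
            ErrorCollectionException errors) {
        if (providers == null) {
            return;
        }
        Set<String> seenTypes = new HashSet<>();
        for (AuthenticationProviderMBean provider : providers) {
            if (!(provider instanceof IdentityAsserterMBean)) {
                continue;
            }
            String[] activeTypes = ((IdentityAsserterMBean) provider).getActiveTypes();
            if (activeTypes == null) {
                continue;
            }
            for (String type : activeTypes) {
                if (type == null || type.isEmpty()) {
                    continue;
                }
                if (seenTypes.contains(type) && !"Authorization".equalsIgnoreCase(type)) {
                    addError(errors, SecurityLogger
                            .getInvalidRealmMultipleIdentityAssertersForActiveTokenTypeWarning(realmMBean.getName(), type));
                } else {
                    seenTypes.add(type);
                }
            }
        }
    }

    /**
     * Checks that the realm has role mappers and that at least one of them is a
     * deployable role mapper with role deployment enabled. While booting, a
     * missing or disabled deployable role mapper is only logged.
     */
    private void checkRoleMappers(RealmMBean realmMBean, ErrorCollectionException errors) {
        RoleMapperMBean[] roleMappers = realmMBean.getRoleMappers();
        if (roleMappers == null || roleMappers.length == 0) {
            addError(errors, SecurityLogger.getInvalidRealmNoRoleMapperWarning(realmMBean.getName()));
            return;
        }
        boolean haveDeployable = false;
        boolean haveDeploymentEnabled = false;
        for (RoleMapperMBean roleMapper : roleMappers) {
            if (roleMapper instanceof DeployableRoleMapperMBean) {
                haveDeployable = true;
                if (((DeployableRoleMapperMBean) roleMapper).isRoleDeploymentEnabled()) {
                    haveDeploymentEnabled = true;
                    break;
                }
            }
        }
        if (haveDeploymentEnabled) {
            return;
        }
        if (isBooting()) {
            // The provider set may still be settling during boot, so only log.
            SecurityLogger.logNoDeployableProviderProperlyConfigured(realmMBean.getName(), "DeployableRoleMapper");
        } else if (haveDeployable) {
            addError(errors, SecurityLogger.getInvalidRealmNoDeployableRoleMapperEnabledWarning(realmMBean.getName()));
        } else {
            addError(errors, SecurityLogger.getInvalidRealmNoDeployableRoleMapperWarning(realmMBean.getName()));
        }
    }

    /**
     * Checks the realm's authorizers and returns how many are configured.
     *
     * <p>At least one authorizer must exist, one of them must be a deployable
     * authorizer with policy deployment enabled (only logged while booting),
     * and when MBean authorization is delegated to the realm, at least one
     * authorizer must be a {@link PolicyConsumerMBean} so that the delegated
     * policies have somewhere to go.
     *
     * @return the number of configured authorizers, or 0 when none are configured
     */
    private int checkAuthorizers(RealmMBean realmMBean, ErrorCollectionException errors) {
        AuthorizerMBean[] authorizers = realmMBean.getAuthorizers();
        if (authorizers == null || authorizers.length == 0) {
            addError(errors, SecurityLogger.getInvalidRealmNoAuthorizerWarning(realmMBean.getName()));
            return 0;
        }
        boolean haveDeployable = false;
        boolean haveDeploymentEnabled = false;
        for (AuthorizerMBean authorizer : authorizers) {
            if (authorizer instanceof DeployableAuthorizerMBean) {
                haveDeployable = true;
                if (((DeployableAuthorizerMBean) authorizer).isPolicyDeploymentEnabled()) {
                    haveDeploymentEnabled = true;
                    break;
                }
            }
        }
        if (!haveDeploymentEnabled) {
            if (isBooting()) {
                // The provider set may still be settling during boot, so only log.
                SecurityLogger.logNoDeployableProviderProperlyConfigured(realmMBean.getName(), "DeployableAuthorizer");
            } else if (haveDeployable) {
                addError(errors, SecurityLogger.getInvalidRealmNoDeployableAuthorizerEnabledWarning(realmMBean.getName()));
            } else {
                addError(errors, SecurityLogger.getInvalidRealmNoDeployableAuthorizerWarning(realmMBean.getName()));
            }
        }
        if (realmMBean.isDelegateMBeanAuthorization()) {
            boolean havePolicyConsumer = false;
            for (AuthorizerMBean authorizer : authorizers) {
                if (authorizer instanceof PolicyConsumerMBean) {
                    havePolicyConsumer = true;
                    break;
                }
            }
            if (!havePolicyConsumer) {
                addError(errors, SecurityLogger.getInvalidRealmNoMBeanDelegationWarning(realmMBean.getName()));
            }
        }
        return authorizers.length;
    }

    /** Records a finding when the realm has no credential mapper. */
    private void checkCredentialMappers(RealmMBean realmMBean, ErrorCollectionException errors) {
        CredentialMapperMBean[] credentialMappers = realmMBean.getCredentialMappers();
        if (credentialMappers == null || credentialMappers.length == 0) {
            addError(errors, SecurityLogger.getInvalidRealmNoCredentialMapperWarning(realmMBean.getName()));
        }
    }

    /**
     * Records a finding when several authorizers are configured but no
     * adjudicator exists to combine their decisions.
     *
     * @param authorizerCount number of authorizers as returned by {@link #checkAuthorizers}
     */
    private void checkAdjudicator(RealmMBean realmMBean, ErrorCollectionException errors, int authorizerCount) {
        if (authorizerCount > 1 && realmMBean.getAdjudicator() == null) {
            addError(errors, SecurityLogger.getInvalidRealmNoAdjudicatorWarning(realmMBean.getName()));
        }
    }

    /** Returns whether {@code provider} is non-null and implemented by exactly {@code className}. */
    private boolean providerIsA(ProviderMBean provider, String className) {
        return provider != null && className.equals(provider.getProviderClassName());
    }

    /** Counts the providers in {@code providers} implemented by {@code className}; a null array counts as 0. */
    private int providerCount(ProviderMBean[] providers, String className) {
        if (providers == null) {
            return 0;
        }
        int count = 0;
        for (ProviderMBean provider : providers) {
            if (providerIsA(provider, className)) {
                count++;
            }
        }
        return count;
    }

    /**
     * Checks the realm's certificate path configuration: at least one CertPath
     * provider, a CertPath builder that belongs to this very realm, and at least
     * one CertPath validator. A builder from another realm would let certificate
     * chains be built against a different trust configuration, hence the
     * realm-name comparison.
     */
    private void checkCertPathProviders(RealmMBean realmMBean, ErrorCollectionException errors) {
        String realmName = realmMBean.getName();
        CertPathProviderMBean[] certPathProviders = realmMBean.getCertPathProviders();
        if (certPathProviders == null || certPathProviders.length < 1) {
            addError(errors, SecurityLogger.getInvalidRealmNoCertPathProvidersWarning(realmName));
        }
        CertPathBuilderMBean certPathBuilder = realmMBean.getCertPathBuilder();
        if (certPathBuilder == null) {
            addError(errors, SecurityLogger.getInvalidRealmNoCertPathBuilderWarning(realmName));
            return;
        }
        RealmMBean builderRealm = certPathBuilder.getRealm();
        if (builderRealm == null || !builderRealm.getName().equals(realmName)) {
            addError(errors, SecurityLogger.getInvalidRealmIllegalCertPathBuilderWarning(realmName));
        }
        if (certPathProviders != null) {
            for (CertPathProviderMBean certPathProvider : certPathProviders) {
                if (certPathProvider instanceof CertPathValidatorMBean) {
                    return;
                }
            }
        }
        addError(errors, SecurityLogger.getInvalidRealmNoCertPathValidatorWarning(realmName));
    }

    /**
     * Checks that SAML providers, when present, are configured consistently:
     * at most one of each SAML identity asserter / credential mapper class, and
     * no mixing of SAML V1 and SAML V2 providers in the same realm.
     */
    private void checkSAMLProviders(RealmMBean realmMBean, ErrorCollectionException errors) {
        AuthenticationProviderMBean[] authenticationProviders = realmMBean.getAuthenticationProviders();
        int v1Asserters = providerCount(authenticationProviders, SAML_V1_IA);
        int v2Asserters = providerCount(authenticationProviders, SAML_V2_IA);
        CredentialMapperMBean[] credentialMappers = realmMBean.getCredentialMappers();
        int v1Mappers = providerCount(credentialMappers, SAML_V1_CREDMAP);
        int v2Mappers = providerCount(credentialMappers, SAML_V2_CREDMAP);
        if (v1Asserters == 0 && v2Asserters == 0 && v1Mappers == 0 && v2Mappers == 0) {
            // No SAML providers at all: nothing to check.
            return;
        }
        if (v1Asserters > 1 || v2Asserters > 1 || v1Mappers > 1 || v2Mappers > 1) {
            addError(errors, SecurityLogger.getInvalidRealmSAMLConfigWarning(realmMBean.getName()));
            return;
        }
        // Any V1 provider combined with any V2 provider is an invalid mix.
        boolean anyV1 = v1Asserters > 0 || v1Mappers > 0;
        boolean anyV2 = v2Asserters > 0 || v2Mappers > 0;
        if (anyV1 && anyV2) {
            addError(errors, SecurityLogger.getInvalidRealmSAMLConfigWarning(realmMBean.getName()));
        }
    }

    /** Appends one finding, wrapped in a plain {@link Exception}, to the collection. */
    private void addError(ErrorCollectionException errors, String message) {
        errors.add(new Exception(message));
    }

    /**
     * Reports whether the server is still booting.
     *
     * <p>The answer is cached: once the server run state has been observed with
     * the value 2 the method returns {@code false} for the rest of the JVM's
     * life without consulting the run state again. The value 2 presumably is
     * the RUNNING state - confirm against {@link WebLogicServerRunState}.
     */
    private static synchronized boolean isBooting() {
        if (!isBooting) {
            return false;
        }
        WebLogicServerRunState runState =
                (WebLogicServerRunState) LocatorUtilities.getService(WebLogicServerRunState.class);
        if (runState.getRunState() != 2) {
            return true;
        }
        isBooting = false;
        return false;
    }

    /**
     * Returns the domain that owns the realm, or {@code null} when the realm is
     * not parented by a {@link SecurityConfigurationMBean} inside a {@link DomainMBean}.
     */
    private DomainMBean getDomain(RealmMBean realmMBean) {
        Object realmParent = realmMBean.getParentBean();
        if (!(realmParent instanceof SecurityConfigurationMBean)) {
            return null;
        }
        Object configParent = ((SecurityConfigurationMBean) realmParent).getParentBean();
        if (configParent instanceof DomainMBean) {
            return (DomainMBean) configParent;
        }
        return null;
    }

    /**
     * Returns the secure-mode settings of the security configuration that owns
     * the realm, or {@code null} when the realm's parent is not a
     * {@link SecurityConfigurationMBean}.
     */
    private SecureModeMBean getSecureMode(RealmMBean realmMBean) {
        Object realmParent = realmMBean.getParentBean();
        if (realmParent instanceof SecurityConfigurationMBean) {
            return ((SecurityConfigurationMBean) realmParent).getSecureMode();
        }
        return null;
    }

    /** Returns whether the realm's domain is an identity-domain (IDD) domain. */
    private boolean isIDDDomain(RealmMBean realmMBean) {
        return SecurityUtils.isIDDDomain(getDomain(realmMBean));
    }

    /**
     * Returns whether the domain requires all providers to be identity-domain
     * aware. A realm that is not parented by a domain (or whose domain has no
     * security configuration) cannot carry the setting, so {@code false} is
     * returned instead of dereferencing {@code null}.
     */
    private boolean isIDDAwareProvidersRequired(RealmMBean realmMBean) {
        DomainMBean domain = getDomain(realmMBean);
        if (domain == null) {
            return false;
        }
        SecurityConfigurationMBean securityConfiguration = domain.getSecurityConfiguration();
        return securityConfiguration != null && securityConfiguration.isIdentityDomainAwareProvidersRequired();
    }

    /**
     * In an IDD domain, verifies that the Admin role expression of every
     * built-in, IDD-aware, readable role mapper references one of the IDD
     * administrative groups. A realm created before IDD support would still
     * grant Admin through the legacy expression and must be recreated.
     *
     * <p>Only runs once the runtime realm exists. A hit is logged and then
     * aborts validation with an {@link IllegalArgumentException}; it is not
     * added to {@code errors}.
     *
     * @throws IllegalArgumentException when a legacy Admin role expression is found
     */
    private void checkRoleMapperPolicies(RealmMBean realmMBean, ErrorCollectionException errors) {
        if (!SecurityServiceManager.doesRealmExist(realmMBean.getName())) {
            return;
        }
        RoleMapperMBean[] roleMappers = realmMBean.getRoleMappers();
        if (roleMappers == null) {
            return;
        }
        for (RoleMapperMBean roleMapper : roleMappers) {
            if (!(roleMapper instanceof RoleReaderMBean)
                    || !roleMapper.getProviderClassName().startsWith(WEBLOGIC_SECURITY)
                    || !(roleMapper instanceof IdentityDomainAwareProviderMBean)) {
                continue;
            }
            try {
                String roleExpression = ((RoleReaderMBean) roleMapper).getRoleExpression("", ADMIN_ROLE);
                if (roleExpression != null
                        && !roleExpression.contains(ADMIN_IDD_GROUP)
                        && !roleExpression.contains(ADMINISTRATIVE_GROUP)
                        && !roleExpression.contains(APP_ROLE_NAME)) {
                    Loggable loggable = SecurityLogger.logPartitionsRequireNewRealmLoggable(realmMBean.getName());
                    loggable.log();
                    throw new IllegalArgumentException(loggable.getMessage());
                }
            } catch (NotFoundException ignored) {
                // This provider has no global Admin role expression, so there is nothing to inspect.
            }
        }
    }

    /**
     * Records a finding (or, while booting, only logs) for every provider in
     * {@code providers} that is not identity-domain aware.
     *
     * @param providers the providers to inspect; {@code null} is treated as empty
     */
    private void checkIDDAwareProviders(RealmMBean realmMBean, ProviderMBean[] providers,
            ErrorCollectionException errors) {
        if (providers == null) {
            return;
        }
        for (ProviderMBean provider : providers) {
            if (provider instanceof IdentityDomainAwareProviderMBean) {
                continue;
            }
            if (isBooting()) {
                SecurityLogger.logNotIDDAwareProvider(realmMBean.getName(), provider.getName());
            } else {
                addError(errors,
                        SecurityLogger.getInvalidRealmProviderNotIDDAwareWarning(realmMBean.getName(), provider.getName()));
            }
        }
    }

    /**
     * With secure mode enabled, verifies that the policy protecting JNDI lookups
     * of the management MBean servers ({@link #JNDI_POLICY}) in every built-in,
     * readable authorizer contains the {@code InSecureMode} token. A realm
     * created before secure mode keeps the older, more permissive lookup policy
     * and must be recreated.
     *
     * <p>Only runs once the runtime realm exists. A hit is logged and then
     * aborts validation with an {@link IllegalArgumentException}; it is not
     * added to {@code errors}.
     *
     * @throws IllegalArgumentException when a pre-secure-mode lookup policy is found
     */
    private void checkAtzPolicies(RealmMBean realmMBean, ErrorCollectionException errors) {
        if (!SecurityServiceManager.doesRealmExist(realmMBean.getName())) {
            return;
        }
        AuthorizerMBean[] authorizers = realmMBean.getAuthorizers();
        if (authorizers == null) {
            return;
        }
        for (AuthorizerMBean authorizer : authorizers) {
            if (!(authorizer instanceof PolicyReaderMBean)
                    || !authorizer.getProviderClassName().startsWith(WEBLOGIC_SECURITY)) {
                continue;
            }
            try {
                String policyExpression = ((PolicyReaderMBean) authorizer).getPolicyExpression(JNDI_POLICY);
                if (policyExpression != null && !policyExpression.contains(IN_SECURE_MODE)) {
                    Loggable loggable = SecurityLogger.logSecureModeRequiresNewRealmLoggable(realmMBean.getName());
                    loggable.log();
                    throw new IllegalArgumentException(loggable.getMessage());
                }
            } catch (NotFoundException ignored) {
                // This provider has no policy for the JNDI lookup resource, so there is nothing to inspect.
            }
        }
    }
}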
