package weblogic.security.container.jca.jaspic;

import java.lang.annotation.Annotation;
import java.security.Principal;
import java.util.Arrays;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.login.LoginException;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.callback.PasswordValidationCallback;
import org.eclipse.persistence.jpa.jpql.parser.Expression;
import weblogic.kernel.KernelStatus;
import weblogic.security.BaseCallbackHandler;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.debug.SecurityDebugLogger;
import weblogic.security.debug.SecurityLogger;
import weblogic.security.jaspic.SecurityServices;
import weblogic.security.jaspic.SecurityServicesImpl;
import weblogic.security.principal.PrincipalFactory;
import weblogic.security.spi.WLSGroup;
import weblogic.security.spi.WLSUser;
import weblogic.security.utils.PartitionUtils;
import weblogic.server.GlobalServiceLocator;

/* loaded from: input_file:weblogic/security/container/jca/jaspic/ConnectorCallbackHandler.class */
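/**
 * JASPIC callback handler used by the connector (JCA) container's authentication
 * integration to turn the callbacks raised by a resource adapter's authentication
 * module into a WebLogic {@link AuthenticatedSubject}.
 *
 * <p>Three callback kinds are handled: {@link CallerPrincipalCallback},
 * {@link GroupPrincipalCallback} and {@link PasswordValidationCallback}. Each
 * strategy records what it handled in this handler's fields; the container then
 * calls {@link #setupExecutionSubject(Subject)}, which cross-checks those fields,
 * merges the execution Subject with the authenticated (or impersonated) Subject
 * and rejects administrative identities.
 *
 * <p>The handler keeps the state of one callback exchange in plain fields and is
 * not synchronized; callers are expected to use an instance from a single thread.
 */
public class ConnectorCallbackHandler extends BaseCallbackHandler {
    /** Set once a CallerPrincipalCallback has been handled. */
    private boolean callerPrincipalCallbackHandled;
    /** Set once a GroupPrincipalCallback has been handled. */
    private boolean groupPrincipalCallbackHandled;
    /** Set once a PasswordValidationCallback has been handled. */
    private boolean passwordValidationCallbackHandled;
    /** Outcome of the last PasswordValidationCallback; false until one succeeds. */
    private boolean authenticationResult;
    /** Failure recorded by the last PasswordValidationCallback, or null. */
    private LoginException authenticationException;
    /** Subject returned by {@code SecurityServices.authenticate}, or null. */
    private AuthenticatedSubject authenticatedSubject;
    /** WLSUser name read from {@link #authenticatedSubject}, or null. */
    private String authenticatedUsername;
    /** (Mapped) caller name from the CallerPrincipalCallback; null means anonymous. */
    private String callerPrincipalName;
    /** True when the last GroupPrincipalCallback carried a null group array. */
    private boolean groupsWereNulled;
    /** Optional EIS-to-WLS principal name mapper; null when no mapping is configured. */
    private final EISPrincipalMapper mapper;
    /** True when virtual users are enabled (principals are signed rather than resolved). */
    private final boolean virtual;
    private final SecurityServices security;
    private final SecurityLogger logger;
    /** Identity domain used when creating WLSUser/WLSGroup principals; may be null. */
    private final String identityDomain;
    private final PrincipalFactory pf;

    /**
     * Maps principal names supplied by the EIS (resource adapter) to WebLogic names.
     * Returning null or an empty string drops the principal.
     */
    /* loaded from: input_file:weblogic/security/container/jca/jaspic/ConnectorCallbackHandler$EISPrincipalMapper.class */
    public interface EISPrincipalMapper {
        String mapCallerPrincipal(String str);

        String mapGroupPrincipal(String str);
    }

    /** Handles {@link CallerPrincipalCallback}: installs exactly one WLSUser, or clears the Subject for anonymous. */
    /* loaded from: input_file:weblogic/security/container/jca/jaspic/ConnectorCallbackHandler$JcaCallerPrincipalCallbackStrategy.class */
    private class JcaCallerPrincipalCallbackStrategy implements BaseCallbackHandler.CallbackStrategy {
        private JcaCallerPrincipalCallbackStrategy() {
        }

        @Override // weblogic.security.BaseCallbackHandler.CallbackStrategy
        public boolean mayHandle(Callback callback) {
            return callback instanceof CallerPrincipalCallback;
        }

        @Override // weblogic.security.BaseCallbackHandler.CallbackStrategy
        public void handle(Callback callback) {
            CallerPrincipalCallback cb = (CallerPrincipalCallback) callback;
            Subject subject = cb.getSubject();
            String name = cb.getName();
            callerPrincipalCallbackHandled = true;
            if (logger.isDebugEnabled()) {
                logger.debug("CallerPrincipalCallback: Subject: " + subject + "; Principal: " + cb.getPrincipal() + "; Name: " + cb.getName());
            }
            // The callback may carry the caller as a name or as a Principal; the name wins when present.
            if (name == null || name.isEmpty()) {
                Principal principal = cb.getPrincipal();
                name = emptyToNull(principal != null ? principal.getName() : name);
            }
            if (mapper != null) {
                String eisName = name;
                name = mapper.mapCallerPrincipal(eisName);
                if (logger.isDebugEnabled()) {
                    logger.debug("CallerPrincipalCallback: mapped EIS username [" + eisName + "] to WLS caller principal: [" + name + "]");
                }
                name = emptyToNull(name);
            }
            callerPrincipalName = name;
            if (name == null) {
                // Anonymous caller: nothing the adapter put into the Subject survives.
                removeAllPrincipals(subject, null);
            } else {
                removeAllPrincipals(subject, WLSUser.class);
                subject.getPrincipals().add(pf.createWLSUser(name, identityDomain));
            }
        }
    }

    /** Handles {@link GroupPrincipalCallback}: adds a WLSGroup per non-empty (mapped) group name. */
    /* loaded from: input_file:weblogic/security/container/jca/jaspic/ConnectorCallbackHandler$JcaGroupPrincipalCallbackStrategy.class */
    private class JcaGroupPrincipalCallbackStrategy implements BaseCallbackHandler.CallbackStrategy {
        private JcaGroupPrincipalCallbackStrategy() {
        }

        @Override // weblogic.security.BaseCallbackHandler.CallbackStrategy
        public boolean mayHandle(Callback callback) {
            return callback instanceof GroupPrincipalCallback;
        }

        @Override // weblogic.security.BaseCallbackHandler.CallbackStrategy
        public void handle(Callback callback) {
            GroupPrincipalCallback cb = (GroupPrincipalCallback) callback;
            Subject subject = cb.getSubject();
            String[] groups = cb.getGroups();
            groupPrincipalCallbackHandled = true;
            groupsWereNulled = false;
            if (logger.isDebugEnabled()) {
                logger.debug("GroupPrincipalCallback: Subject:" + subject + "; Groups:" + Arrays.toString(groups));
            }
            if (groups == null) {
                // A null array (unlike an empty one) is remembered: convertToAuthenticatedSubject
                // then leaves the Subject without the authenticated user's groups.
                removeAllPrincipals(subject, WLSGroup.class);
                groupsWereNulled = true;
                return;
            }
            boolean addedAny = false;
            for (String group : groups) {
                String wlsGroup = emptyToNull(group);
                if (mapper != null) {
                    String eisGroup = wlsGroup;
                    wlsGroup = mapper.mapGroupPrincipal(eisGroup);
                    if (logger.isDebugEnabled()) {
                        logger.debug("GroupPrincipalCallback: mapped EIS group [" + eisGroup + "] to WLS group principal: [" + wlsGroup + "]");
                    }
                    wlsGroup = emptyToNull(wlsGroup);
                }
                if (wlsGroup != null) {
                    subject.getPrincipals().add(pf.createWLSGroup(wlsGroup, identityDomain));
                    addedAny = true;
                }
            }
            // Existing WLSGroup principals are only cleared when the callback contributed none.
            if (!addedAny) {
                removeAllPrincipals(subject, WLSGroup.class);
            }
        }
    }

    /** Handles {@link PasswordValidationCallback} by authenticating against {@link SecurityServices}. */
    /* loaded from: input_file:weblogic/security/container/jca/jaspic/ConnectorCallbackHandler$JcaPasswordValidationCallbackStrategy.class */
    private class JcaPasswordValidationCallbackStrategy implements BaseCallbackHandler.CallbackStrategy {
        private JcaPasswordValidationCallbackStrategy() {
        }

        @Override // weblogic.security.BaseCallbackHandler.CallbackStrategy
        public boolean mayHandle(Callback callback) {
            return callback instanceof PasswordValidationCallback;
        }

        /** Records a failed validation: clears any authenticated state and keeps the reason. */
        private void handleError(String msg) {
            authenticatedSubject = null;
            authenticatedUsername = null;
            authenticationResult = false;
            authenticationException = new LoginException(msg);
        }

        @Override // weblogic.security.BaseCallbackHandler.CallbackStrategy
        public void handle(Callback callback) {
            PasswordValidationCallback cb = (PasswordValidationCallback) callback;
            String username = cb.getUsername();
            char[] password = cb.getPassword();
            passwordValidationCallbackHandled = true;
            // Default to failure; only flipped once authenticate() succeeds.
            cb.setResult(false);
            if (mapper != null) {
                String msg = "PasswordValidationCallback: error: cannot use PasswordValidationCallback when EIS caller/group principal mapping in effect";
                if (logger.isDebugEnabled()) {
                    logger.debug(msg);
                }
                handleError(msg);
                return;
            }
            if (virtual) {
                String msg = "PasswordValidationCallback: error: cannot use PasswordValidationCallback when virtual users enabled";
                if (logger.isDebugEnabled()) {
                    logger.debug(msg);
                }
                handleError(msg);
                return;
            }
            if (username == null || username.isEmpty()) {
                String msg = "PasswordValidationCallback: error: must have valid username: [" + username + "]";
                if (logger.isDebugEnabled()) {
                    logger.debug(msg);
                }
                handleError(msg);
                return;
            }
            if (password == null || password.length == 0) {
                // Only the length is ever put into messages; the password itself is never logged.
                String msg = "PasswordValidationCallback: error: must have valid password: [" + (password == null ? null : "len=" + password.length) + "]";
                if (logger.isDebugEnabled()) {
                    logger.debug(msg);
                }
                handleError(msg);
                return;
            }
            if (logger.isDebugEnabled()) {
                logger.debug("PasswordValidationCallback: will authenticate username: " + username + "; password len: " + password.length);
            }
            try {
                authenticatedSubject = security.authenticate(username, password);
                authenticationResult = true;
                // Clear a failure left behind by an earlier callback so state stays consistent.
                authenticationException = null;
                authenticatedUsername = getUsername(authenticatedSubject);
            } catch (LoginException e) {
                authenticatedSubject = null;
                authenticatedUsername = null;
                authenticationResult = false;
                authenticationException = e;
            }
            cb.setResult(authenticationResult);
            if (logger.isDebugEnabled()) {
                if (!authenticationResult) {
                    logger.debug("PasswordValidationCallback: authenticate failed for username: " + username, authenticationException);
                } else {
                    logger.debug("PasswordValidationCallback: authenticate ok for username: " + username);
                    logger.debug("PasswordValidationCallback: authenticatedSubject is: " + authenticatedSubject);
                }
            }
        }
    }

    /**
     * Creates a handler backed by the server's {@link SecurityServicesImpl}, an AUTHN debug
     * logger and the current identity domain.
     *
     * @param eISPrincipalMapper optional EIS-to-WLS name mapper, or null
     * @param virtualUsers whether virtual users are enabled
     */
    public ConnectorCallbackHandler(EISPrincipalMapper eISPrincipalMapper, boolean virtualUsers) {
        this(eISPrincipalMapper, virtualUsers, (SecurityServices) GlobalServiceLocator.getServiceLocator().getService(SecurityServicesImpl.class, new Annotation[0]), new SecurityDebugLogger(SecurityLogger.AUTHN), null, true);
    }

    /**
     * Full constructor (package-private, also used for testing).
     *
     * @param eISPrincipalMapper optional EIS-to-WLS name mapper, or null
     * @param virtualUsers whether virtual users are enabled
     * @param securityServices authentication/impersonation/signing services
     * @param securityLogger debug logger; the handler calls it unguarded, so it must not be null
     * @param identityDomain identity domain to use when {@code useCurrentIdentityDomain} is false
     * @param useCurrentIdentityDomain when true, the server's current identity domain is used instead
     */
    ConnectorCallbackHandler(EISPrincipalMapper eISPrincipalMapper, boolean virtualUsers, SecurityServices securityServices, SecurityLogger securityLogger, String identityDomain, boolean useCurrentIdentityDomain) {
        this.pf = PrincipalFactory.getInstance();
        this.mapper = eISPrincipalMapper;
        this.virtual = virtualUsers;
        this.security = securityServices;
        this.logger = securityLogger;
        this.identityDomain = useCurrentIdentityDomain ? getIdentityDomain() : identityDomain;
        addCallbackStrategies(new JcaCallerPrincipalCallbackStrategy(), new JcaGroupPrincipalCallbackStrategy(), new JcaPasswordValidationCallbackStrategy());
    }

    /**
     * Validates the callbacks handled so far against the execution Subject and converts
     * that Subject into an {@link AuthenticatedSubject}.
     *
     * <p>Checks, in order: password validation is incompatible with mapping and with
     * virtual users; a handled password validation must have succeeded and must agree
     * with the CallerPrincipalCallback; groups require a caller; a named caller means
     * exactly one WLSUser in the Subject and an anonymous caller means no principals.
     * When no CallerPrincipalCallback was handled, a Subject holding a single Principal
     * is taken as the caller ("Case A"), an empty Subject is anonymous ("Case B") and
     * anything else is rejected. Finally, administrators are refused.
     *
     * @param subject the execution Subject populated by the callbacks
     * @return the authenticated Subject to run the inbound work under
     * @throws LoginException when any of the checks above fails
     */
    public AuthenticatedSubject setupExecutionSubject(Subject subject) throws LoginException {
        if (passwordValidationCallbackHandled) {
            if (mapper != null) {
                throw loginFailure("setupExecutionSubject: PasswordValidationCallback handled while EIS caller/group principal mapping in effect");
            }
            if (virtual) {
                throw loginFailure("setupExecutionSubject: PasswordValidationCallback handled while virtual users enabled");
            }
            if (!authenticationResult) {
                String msg = "setupExecutionSubject: PasswordValidationCallback did not succeed, exception: " + (authenticationException == null ? "" : authenticationException.toString());
                throw loginFailure(msg, authenticationException);
            }
            if (!callerPrincipalCallbackHandled) {
                throw loginFailure("setupExecutionSubject: PasswordValidationCallback handled but not CallerPrincipalCallback");
            }
            // Deliberately not Objects.equals: a null authenticated username is always a mismatch.
            if (authenticatedUsername == null || !authenticatedUsername.equals(callerPrincipalName)) {
                throw loginFailure("setupExecutionSubject: User authenticated by PasswordValidationCallback doesn't match CallerPrincipalCallback principal");
            }
        }
        if (groupPrincipalCallbackHandled && !callerPrincipalCallbackHandled) {
            throw loginFailure("setupExecutionSubject: GroupPrincipalCallback handled but not CallerPrincipalCallback");
        }
        if (callerPrincipalCallbackHandled) {
            if (callerPrincipalName != null) {
                int size = subject.getPrincipals(WLSUser.class).size();
                if (size != 1) {
                    throw loginFailure("setupExecutionSubject: Expected one WLSUser principal, found " + size);
                }
            } else if (!subject.getPrincipals().isEmpty()) {
                throw loginFailure("setupExecutionSubject: Found principals in execution Subject after handling anonymous CallerPrincipalCallback");
            }
        } else {
            if (subject.getPrincipals().size() == 1) {
                // Case A: the single adapter-supplied Principal names the caller. Its name is only
                // trusted after convertToAuthenticatedSubject resolves it (impersonation) and the
                // administrator check below passes.
                Principal sole = subject.getPrincipals().iterator().next();
                if (logger.isDebugEnabled()) {
                    logger.debug("setupExecutionContext: Case A: Principal:" + sole.getName());
                }
                String name = emptyToNull(sole.getName());
                if (mapper != null) {
                    String eisName = name;
                    name = mapper.mapCallerPrincipal(eisName);
                    if (logger.isDebugEnabled()) {
                        logger.debug("setupExecutionContext: mapped EIS username [" + eisName + "] to WLS caller principal: [" + name + "]");
                    }
                    name = emptyToNull(name);
                }
                removeAllPrincipals(subject, null);
                if (name != null) {
                    subject.getPrincipals().add(pf.createWLSUser(name, identityDomain));
                }
            } else if (!subject.getPrincipals().isEmpty()) {
                throw loginFailure("setupExecutionContext: invalid executionSubject with CallerPrincipalCallback not handled");
            } else if (logger.isDebugEnabled()) {
                logger.debug("setupExecutionContext: Case B: will set as anonymous");
            }
        }
        AuthenticatedSubject result = convertToAuthenticatedSubject(subject, authenticatedSubject);
        // Identities flowed in from a resource adapter must never carry administrative privileges.
        if (security.isAdminUser(result)) {
            throw loginFailure("setupExecutionContext: flown in user cannot be an administrator or have administrative roles");
        }
        return result;
    }

    /**
     * Removes principals from the Subject.
     *
     * @param subject the Subject to modify
     * @param cls principal type to remove; null removes every principal
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static <T extends Principal> void removeAllPrincipals(Subject subject, Class<T> cls) {
        if (cls == null) {
            subject.getPrincipals().clear();
        } else {
            subject.getPrincipals().removeAll(subject.getPrincipals(cls));
        }
    }

    /**
     * Returns the WLSUser name of the given authenticated Subject, or null unless it
     * holds exactly one WLSUser.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public String getUsername(AuthenticatedSubject authenticatedSubject) {
        return getUsername(authenticatedSubject.getSubject());
    }

    /** Returns the name of the Subject's WLSUser, or null unless there is exactly one. */
    private String getUsername(Subject subject) {
        Set<WLSUser> users = subject.getPrincipals(WLSUser.class);
        String name = users.size() == 1 ? users.iterator().next().getName() : null;
        if (logger.isDebugEnabled()) {
            // Plain quote literal; the decompiled form referenced an unrelated JPQL-parser constant for it.
            logger.debug("getUsername: returning username '" + name + "'");
        }
        return name;
    }

    /**
     * Builds the final {@link AuthenticatedSubject} from the execution Subject.
     *
     * <p>Empty Subjects are returned as-is (anonymous). With virtual users, the principals
     * are signed in place. Otherwise the WLSUser/WLSGroup principals that this handler built
     * from adapter-supplied names are discarded and replaced by their counterparts from a
     * trusted Subject (the password-authenticated one, or an impersonation of the caller
     * name): the user name must match, every execution group must exist in the trusted
     * Subject, and when the execution Subject has no groups the trusted groups are copied
     * unless a GroupPrincipalCallback explicitly nulled them. Remaining execution principals
     * are signed; the trusted Subject's other principals and credentials are merged in.
     *
     * @param subject execution Subject, modified in place
     * @param authenticatedSubject result of password validation, or null to impersonate
     * @return a new AuthenticatedSubject wrapping {@code subject}
     * @throws LoginException on a user name mismatch or an unknown group
     */
    /* JADX WARN: Multi-variable type inference failed */
    private AuthenticatedSubject convertToAuthenticatedSubject(Subject subject, AuthenticatedSubject authenticatedSubject) throws LoginException {
        if (subject.getPrincipals().isEmpty()) {
            return new AuthenticatedSubject(subject);
        }
        if (virtual) {
            security.signPrincipals(subject.getPrincipals());
            return new AuthenticatedSubject(subject);
        }
        Subject trusted = authenticatedSubject != null
                ? authenticatedSubject.getSubject()
                : security.impersonate(subject.getPrincipals(WLSUser.class).iterator().next().getName()).getSubject();
        Set<WLSUser> execUsers = subject.getPrincipals(WLSUser.class);
        Set<WLSGroup> execGroups = subject.getPrincipals(WLSGroup.class);
        subject.getPrincipals().removeAll(execUsers);
        subject.getPrincipals().removeAll(execGroups);
        Set<Principal> execOthers = subject.getPrincipals();
        if (!execOthers.isEmpty()) {
            security.signPrincipals(execOthers);
        }
        // getPrincipals(Class) returns a detached copy, so trimming it does not touch the trusted Subject.
        Set<Principal> trustedOthers = trusted.getPrincipals(Principal.class);
        Set<WLSUser> trustedUsers = trusted.getPrincipals(WLSUser.class);
        trustedOthers.removeAll(trustedUsers);
        if (execUsers.size() != 1 || trustedUsers.size() != 1
                || !execUsers.iterator().next().getName().equals(trustedUsers.iterator().next().getName())) {
            throw loginFailure("convertToAuthenticatedSubject: execution Subject username doesn't match authenticated/impersonated username");
        }
        subject.getPrincipals().add(trustedUsers.iterator().next());
        Set<WLSGroup> trustedGroups = trusted.getPrincipals(WLSGroup.class);
        trustedOthers.removeAll(trustedGroups);
        if (!execGroups.isEmpty()) {
            // Each adapter-supplied group is replaced by the trusted group of the same name;
            // a group the trusted Subject does not hold is a hard failure.
            for (WLSGroup execGroup : execGroups) {
                WLSGroup match = findGroupByName(trustedGroups, execGroup.getName());
                if (match == null) {
                    throw loginFailure("convertToAuthenticatedSubject: execution Subject contains groups not found in the authenticated/impersonated Subject");
                }
                subject.getPrincipals().add(match);
            }
        } else if (!groupsWereNulled) {
            subject.getPrincipals().addAll(trustedGroups);
        }
        if (!trustedOthers.isEmpty()) {
            subject.getPrincipals().addAll(trustedOthers);
        }
        Set<Object> publicCredentials = trusted.getPublicCredentials();
        if (!publicCredentials.isEmpty()) {
            subject.getPublicCredentials().addAll(publicCredentials);
        }
        Set<Object> privateCredentials = trusted.getPrivateCredentials();
        if (!privateCredentials.isEmpty()) {
            subject.getPrivateCredentials().addAll(privateCredentials);
        }
        return new AuthenticatedSubject(subject);
    }

    /** Returns the first group in {@code candidates} whose name equals {@code name}, or null. */
    private static WLSGroup findGroupByName(Set<WLSGroup> candidates, String name) {
        for (WLSGroup candidate : candidates) {
            if (name.equals(candidate.getName())) {
                return candidate;
            }
        }
        return null;
    }

    /** Logs {@code msg} at debug level (when enabled) and returns a LoginException carrying it. */
    private LoginException loginFailure(String msg) {
        if (logger.isDebugEnabled()) {
            logger.debug(msg);
        }
        return new LoginException(msg);
    }

    /** As {@link #loginFailure(String)}, but the debug entry also carries {@code cause}. */
    private LoginException loginFailure(String msg, Throwable cause) {
        if (logger.isDebugEnabled()) {
            logger.debug(msg, cause);
        }
        return new LoginException(msg);
    }

    /** Normalizes an empty string to null; null stays null. */
    private static String emptyToNull(String s) {
        return (s == null || s.isEmpty()) ? null : s;
    }

    /** Current identity domain when running inside a server, otherwise null. */
    private String getIdentityDomain() {
        if (KernelStatus.isServer()) {
            return PartitionUtils.getCurrentIdentityDomain();
        }
        return null;
    }
}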
