package weblogic.security.internal;

import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Arrays;
import weblogic.descriptor.DescriptorUpdateEvent;
import weblogic.descriptor.DescriptorUpdateListener;
import weblogic.descriptor.DescriptorUpdateRejectedException;
import weblogic.management.configuration.DomainMBean;
import weblogic.management.configuration.PartitionMBean;
import weblogic.management.configuration.SecurityConfigurationMBean;
import weblogic.management.security.RealmMBean;
import weblogic.management.security.authentication.AnyIdentityDomainAuthenticatorMBean;
import weblogic.management.security.authentication.AuthenticationProviderMBean;
import weblogic.management.security.authentication.IdentityDomainAuthenticatorMBean;
import weblogic.management.security.authentication.MultiIdentityDomainAuthenticatorMBean;
import weblogic.management.utils.ErrorCollectionException;
import weblogic.nodemanager.server.NMEncryptionHelper;
import weblogic.security.SecurityLogger;
import weblogic.security.SecurityRuntimeAccess;
import weblogic.security.utils.SecurityUtils;
import weblogic.server.AbstractServerService;
import weblogic.utils.LocatorUtilities;

/* loaded from: input_file:weblogic/security/internal/SecurityConfigurationValidator.class */
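public final class SecurityConfigurationValidator extends AbstractServerService implements DescriptorUpdateListener {
    private static SecurityConfigurationValidator singleton = null;
    private static final boolean DEBUG = false;

    // Node-manager credentials captured in prepareUpdate() and consumed in activateUpdate().
    // "current" is taken from the running domain, "proposed" from the pending descriptor.
    // All four are cleared (password buffers zeroed first) once the update is activated or
    // rolled back, so the plaintext password does not outlive the update it belongs to.
    private String currentNMUser;
    private byte[] currentNMPass;
    private String proposedNMUser;
    private byte[] proposedNMPass;

    private SecurityConfigurationValidator() {
    }

    /**
     * Returns the process-wide validator instance, creating it on first use.
     *
     * @return the singleton validator
     */
    public static synchronized SecurityConfigurationValidator getInstance() {
        if (singleton == null) {
            singleton = new SecurityConfigurationValidator();
        }
        return singleton;
    }

    /** Debug hook; DEBUG is false so this is a no-op, retained as in the original. */
    private static void p(String str) {
    }

    /**
     * Resolves the {@link SecurityRuntimeAccess} service inside a privileged action.
     * Shared by start(), prepareUpdate() and activateUpdate(), which previously each
     * carried their own copy of this lookup.
     */
    private static SecurityRuntimeAccess securityRuntimeAccess() {
        return AccessController.doPrivileged(new PrivilegedAction<SecurityRuntimeAccess>() {
            @Override // java.security.PrivilegedAction
            public SecurityRuntimeAccess run() {
                return (SecurityRuntimeAccess) LocatorUtilities.getService(SecurityRuntimeAccess.class);
            }
        });
    }

    /** Registers this validator as an update listener on the running domain's descriptor. */
    @Override // weblogic.server.AbstractServerService, weblogic.server.ServerService
    public synchronized void start() {
        securityRuntimeAccess().getDomain().getDescriptor().addUpdateListener(this);
    }

    /**
     * Validates the proposed domain descriptor before it is activated.
     * <p>
     * Rejects the update when there is no default realm, when two realms share a name,
     * when a realm fails its own {@code validate()}, or when identity-domain settings are
     * inconsistent (see {@link #validateIDDs}). On success it snapshots the current and
     * proposed node-manager credentials for {@link #activateUpdate}.
     *
     * @param descriptorUpdateEvent the pending update; its proposed descriptor root must be a DomainMBean
     * @throws DescriptorUpdateRejectedException if any of the checks above fails
     */
    @Override // weblogic.descriptor.DescriptorUpdateListener
    public void prepareUpdate(DescriptorUpdateEvent descriptorUpdateEvent) throws DescriptorUpdateRejectedException {
        DomainMBean proposedDomain = (DomainMBean) descriptorUpdateEvent.getProposedDescriptor().getRootBean();
        SecurityConfigurationMBean proposedSecurity = proposedDomain.getSecurityConfiguration();
        if (proposedSecurity.getDefaultRealm() == null) {
            throw new DescriptorUpdateRejectedException(SecurityLogger.getCannotActivateChangesNoDefaultRealmError());
        }
        validateRealms(proposedSecurity.getRealms());
        validateIDDs(proposedDomain);

        // Snapshot both credential sets; activateUpdate() compares them to decide whether the
        // node-manager hash must be regenerated. A null password is kept as null here (the
        // original dereferenced it) so activateUpdate() can fall back to the current value.
        this.proposedNMUser = proposedSecurity.getNodeManagerUsername();
        this.proposedNMPass = toBytes(proposedSecurity.getNodeManagerPassword());

        SecurityConfigurationMBean currentSecurity = securityRuntimeAccess().getDomain().getSecurityConfiguration();
        this.currentNMUser = currentSecurity.getNodeManagerUsername();
        this.currentNMPass = toBytes(currentSecurity.getNodeManagerPassword());
        // Normalise absent current values to "" so the comparison in activateUpdate() never
        // dereferences null (the original checked for null only after calling getBytes()).
        if (this.currentNMUser == null) {
            this.currentNMUser = "";
        }
        if (this.currentNMPass == null) {
            this.currentNMPass = "".getBytes();
        }
    }

    /**
     * Converts a password string to bytes, tolerating null.
     * NOTE(review): this keeps the original platform-default charset because the bytes are
     * handed to NMEncryptionHelper.updateNMHash(); switching to an explicit charset would
     * change the hash input on non-UTF-8 platforms — confirm what the node manager expects
     * before changing it.
     */
    private static byte[] toBytes(String value) {
        return value == null ? null : value.getBytes();
    }

    /**
     * Rejects duplicate realm names and realms that fail their own validation.
     *
     * @param realms realms of the proposed security configuration; null is treated as empty
     * @throws DescriptorUpdateRejectedException on a duplicate name or a failed validate()
     */
    private static void validateRealms(RealmMBean[] realms) throws DescriptorUpdateRejectedException {
        if (realms == null) {
            return;
        }
        for (int i = 0; i < realms.length; i++) {
            String name = realms[i].getName();
            for (int j = i + 1; j < realms.length; j++) {
                if (name.equals(realms[j].getName())) {
                    throw new DescriptorUpdateRejectedException(SecurityLogger.getCannotActivateChangesRealmNameExistsError(name));
                }
            }
            try {
                realms[i].validate();
            } catch (ErrorCollectionException e) {
                // The default realm gets its own message; the cause is preserved either way.
                if (realms[i].isDefaultRealm()) {
                    throw new DescriptorUpdateRejectedException(SecurityLogger.getCannotActivateChangesImproperlyConfiguredDefaultRealmError(), e);
                }
                throw new DescriptorUpdateRejectedException(SecurityLogger.getCannotActivateChangesImproperlyConfiguredRealmError(name), e);
            }
        }
    }

    /**
     * Applies the update: if the node-manager username or password captured in
     * {@link #prepareUpdate} changed, regenerates the node-manager hash under the
     * server root directory. The captured credentials are always cleared afterwards,
     * including on the unchanged path and when the hash update throws (the original
     * left them in place on both).
     *
     * @param descriptorUpdateEvent the update being activated (unused; state comes from prepareUpdate)
     */
    @Override // weblogic.descriptor.DescriptorUpdateListener
    public void activateUpdate(DescriptorUpdateEvent descriptorUpdateEvent) {
        try {
            if (this.proposedNMUser == null && this.proposedNMPass == null) {
                return; // nothing was captured, so there is nothing to re-hash
            }
            // Whichever half of the proposed credentials is absent keeps its current value.
            String user = this.proposedNMUser != null ? this.proposedNMUser : this.currentNMUser;
            byte[] pass = this.proposedNMPass != null ? this.proposedNMPass : this.currentNMPass;
            if (user.equals(this.currentNMUser) && Arrays.equals(pass, this.currentNMPass)) {
                return; // credentials unchanged; the existing hash stays valid
            }
            NMEncryptionHelper.updateNMHash(securityRuntimeAccess().getServer().getRootDirectory(), user, pass);
        } finally {
            clearCredentials();
        }
    }

    /**
     * Discards the credentials captured in {@link #prepareUpdate} without applying them.
     *
     * @param descriptorUpdateEvent the update being rolled back (unused)
     */
    @Override // weblogic.descriptor.DescriptorUpdateListener
    public void rollbackUpdate(DescriptorUpdateEvent descriptorUpdateEvent) {
        clearCredentials();
    }

    /** Zeroes the password buffers and drops all captured credential references. */
    private void clearCredentials() {
        // Both arrays come from String.getBytes(), so they are private copies and safe to wipe.
        if (this.currentNMPass != null) {
            Arrays.fill(this.currentNMPass, (byte) 0);
        }
        if (this.proposedNMPass != null) {
            Arrays.fill(this.proposedNMPass, (byte) 0);
        }
        this.currentNMUser = null;
        this.proposedNMUser = null;
        this.currentNMPass = null;
        this.proposedNMPass = null;
    }

    /**
     * Validates identity-domain (IDD) settings of a domain that has identity domains enabled.
     * <p>
     * Requires an administrative identity domain (unless the default is enabled), a
     * non-empty primary identity domain on every partition, and an authentication
     * provider in the relevant realm that serves each of those identity domains.
     * Domains without identity domains are accepted unchanged.
     *
     * @param domainMBean the domain configuration to check
     * @throws DescriptorUpdateRejectedException if any IDD requirement is not met
     */
    public static void validateIDDs(DomainMBean domainMBean) throws DescriptorUpdateRejectedException {
        if (!SecurityUtils.isIDDDomain(domainMBean)) {
            return;
        }
        SecurityConfigurationMBean securityConfiguration = domainMBean.getSecurityConfiguration();
        String adminIdentityDomain = securityConfiguration.getAdministrativeIdentityDomain();
        // An absent admin IDD is only acceptable when the identity-domain default is enabled;
        // an explicitly empty one is never acceptable.
        boolean adminIddMissing = adminIdentityDomain == null
                ? !securityConfiguration.isIdentityDomainDefaultEnabled()
                : adminIdentityDomain.isEmpty();
        if (adminIddMissing) {
            throw new DescriptorUpdateRejectedException(SecurityLogger.getCannotActivateChangesNoAdminIDDSetError());
        }

        // getPartitions() may be null; the original guarded the first loop but not the second.
        PartitionMBean[] partitions = domainMBean.getPartitions();
        if (partitions == null) {
            partitions = new PartitionMBean[0];
        }
        for (PartitionMBean partition : partitions) {
            String primaryIdentityDomain = partition.getPrimaryIdentityDomain();
            if (primaryIdentityDomain == null || primaryIdentityDomain.isEmpty()) {
                throw new DescriptorUpdateRejectedException(SecurityLogger.getCannotActivateChangesNoPartitionIDDSetError(partition.getName()));
            }
        }

        RealmMBean defaultRealm = securityConfiguration.getDefaultRealm();
        if (adminIdentityDomain != null) {
            validateRealmIDD(adminIdentityDomain, defaultRealm);
        }
        for (PartitionMBean partition : partitions) {
            RealmMBean realm = partition.getRealm();
            // A partition without its own realm is served by the default realm.
            validateRealmIDD(partition.getPrimaryIdentityDomain(), realm != null ? realm : defaultRealm);
        }
    }

    /**
     * Checks that some authentication provider of the realm serves the given identity domain.
     *
     * @param identityDomain the identity domain that must be served
     * @param realmMBean the realm to inspect; null means no default realm was available
     * @throws DescriptorUpdateRejectedException if no provider serves the identity domain
     */
    private static void validateRealmIDD(String identityDomain, RealmMBean realmMBean) throws DescriptorUpdateRejectedException {
        if (realmMBean == null) {
            // Only reached when the caller fell back to a missing default realm.
            throw new DescriptorUpdateRejectedException(SecurityLogger.getCannotActivateChangesNoDefaultRealmError());
        }
        AuthenticationProviderMBean[] providers = realmMBean.getAuthenticationProviders();
        if (providers != null) {
            for (AuthenticationProviderMBean provider : providers) {
                if (servesIdentityDomain(provider, identityDomain)) {
                    return;
                }
            }
        }
        throw new DescriptorUpdateRejectedException(SecurityLogger.getCannotActivateChangesNoIDDConfiguredError(identityDomain));
    }

    /**
     * Returns true when the provider handles the identity domain: a single-IDD authenticator
     * configured for it, a multi-IDD authenticator listing it, or an any-IDD authenticator
     * with any-identity-domain enabled.
     */
    private static boolean servesIdentityDomain(AuthenticationProviderMBean provider, String identityDomain) {
        if (provider instanceof IdentityDomainAuthenticatorMBean) {
            String own = ((IdentityDomainAuthenticatorMBean) provider).getIdentityDomain();
            if (own != null && own.equals(identityDomain)) {
                return true;
            }
        }
        if (provider instanceof MultiIdentityDomainAuthenticatorMBean) {
            MultiIdentityDomainAuthenticatorMBean multi = (MultiIdentityDomainAuthenticatorMBean) provider;
            if (multi.getIdentityDomains() != null && Arrays.asList(multi.getIdentityDomains()).contains(identityDomain)) {
                return true;
            }
        }
        return provider instanceof AnyIdentityDomainAuthenticatorMBean
                && ((AnyIdentityDomainAuthenticatorMBean) provider).isAnyIdentityDomainEnabled();
    }
}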
