package weblogic.ejb.container.internal;

import java.security.AccessController;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.tools.ant.types.selectors.SelectorUtils;
import org.eclipse.persistence.jpa.jpql.parser.Expression;
import weblogic.diagnostics.debug.DebugLogger;
import weblogic.ejb.container.EJBDebugService;
import weblogic.ejb.container.EJBLogger;
import weblogic.ejb.container.interfaces.DeploymentInfo;
import weblogic.ejb.container.interfaces.MethodInfo;
import weblogic.ejb.container.interfaces.NoSuchRoleException;
import weblogic.ejb.spi.BusinessObject;
import weblogic.ejb20.interfaces.PrincipalNotFoundException;
import weblogic.management.security.DeploymentModel;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.service.AuthorizationManager;
import weblogic.security.service.AuthorizationManagerDeployHandle;
import weblogic.security.service.ContextHandler;
import weblogic.security.service.DeployHandleCreationException;
import weblogic.security.service.EJBResource;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.service.ResourceCreationException;
import weblogic.security.service.ResourceRemovalException;
import weblogic.security.service.RoleCreationException;
import weblogic.security.service.RoleManager;
import weblogic.security.service.RoleManagerDeployHandle;
import weblogic.security.service.RoleRemovalException;
import weblogic.security.service.SecurityApplicationInfo;
import weblogic.security.service.SecurityService;
import weblogic.security.service.SecurityServiceManager;
import weblogic.security.utils.ESubjectImpl;
import weblogic.security.utils.ResourceIDDContextWrapper;

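/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:weblogic/ejb/container/internal/SecurityHelperWLS.class */
/**
 * Bridges the EJB container to the WebLogic security service.
 *
 * <p>At deployment time it registers the security roles and method-permission
 * policies declared for an EJB module with the realm's {@link RoleManager} /
 * {@link AuthorizationManager}; at runtime it answers the container's
 * {@code isAccessAllowed} / {@code isCallerInRole} questions.
 *
 * <p>Security-relevant points:
 * <ul>
 *   <li>The managers are obtained under the <em>kernel</em> identity
 *       ({@link #KERNEL_ID}). The caller's subject is only ever passed into
 *       the individual access / role checks, never used to look up services.</li>
 *   <li>Two realms can be addressed: {@link #SYSTEM_REALM} and
 *       {@link #APP_REALM}. The realm selector is an {@code int}; anything
 *       else is rejected with {@link IllegalArgumentException}.</li>
 *   <li>The Java EE "any authenticated user" role ({@code **}) is mapped to
 *       the WebLogic {@code users} group when the descriptor neither defines
 *       that role nor maps principals to it.</li>
 * </ul>
 *
 * <p>Lifecycle: one instance tracks at most one role deployment and one policy
 * deployment (the handles are instance fields); undeploy is a no-op until the
 * matching deploy has stored a handle. Not thread-safe: the lazily cached
 * managers are assigned without synchronization (assumes deployment-time,
 * single-threaded use -- confirm against callers).
 *
 * <p>Decompiler note: the original listing carried the {@code "**"} and
 * {@code "'"} literals as {@code SelectorUtils.DEEP_TREE_MATCH} and
 * {@code Expression.QUOTE} (constant folding by the decompiler against
 * unrelated Ant / EclipseLink classes); they are plain literals here, and the
 * inlined {@code finally} of {@code deployPolicy} is restored as a real
 * {@code try/finally} so the unchecked/excluded policy is deployed exactly
 * once per call even when that deployment itself fails.
 */
public final class SecurityHelperWLS {
    /** Realm selector: the server's default (system) realm. */
    private static final int SYSTEM_REALM = 0;
    /** Realm selector: the realm the application is deployed against. */
    private static final int APP_REALM = 1;

    /** Role name the Java EE spec reserves for "any authenticated user". */
    private static final String ANY_AUTHENTICATED_USER_ROLE = "**";
    /** Closing quote used in several debug messages. */
    private static final String QUOTE = "'";

    /** Kernel identity used to look up the realm's security services. */
    private static final AuthenticatedSubject KERNEL_ID =
            (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
    private static final DebugLogger debugLogger = EJBDebugService.securityLogger;

    private final String sysRealmName;
    private final String appRealmName;
    private SecurityApplicationInfo securityAppInfo;

    // Lazily resolved managers, one pair per realm (see obtainRM / obtainAM).
    private RoleManager appRoleManager;
    private AuthorizationManager appAuthManager;
    private RoleManager sysRoleManager;
    private AuthorizationManager sysAuthManager;

    // Handles for the in-progress / last deployment; null until deploy has run.
    private RoleManagerDeployHandle roleMgrHandle;
    private AuthorizationManagerDeployHandle authMgrHandle;

    /** True when the realm wants every method check delegated to it, even role-less ones. */
    private boolean fullDelegation;
    /** True when the deployment model lets the realm (not the DD) define roles. */
    private boolean customRoles;
    /** Module-level resource the roles are registered against. */
    private EJBResource ejbRoleResource;

    /**
     * @param appRealm name of the application realm (may be {@code null}; then the
     *                 system realm is used for the delegation decision)
     * @param sysRealm name of the system realm
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public SecurityHelperWLS(String appRealm, String sysRealm) {
        this.appRealmName = appRealm;
        this.sysRealmName = sysRealm;
    }

    /**
     * Records the application's security descriptor model and derives the two
     * flags that drive policy deployment.
     *
     * @param securityApplicationInfo application-level security info from the deployment
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public void setupApplicationInfo(SecurityApplicationInfo securityApplicationInfo) {
        this.securityAppInfo = securityApplicationInfo;
        String ddModel = securityApplicationInfo.getSecurityDDModel();
        this.customRoles = DeploymentModel.CUSTOM_ROLES.equals(ddModel)
                || DeploymentModel.CUSTOM_ROLES_POLICIES.equals(ddModel);
        // The app realm wins when configured; otherwise ask the system realm.
        String realmForDelegation = this.appRealmName != null ? this.appRealmName : this.sysRealmName;
        this.fullDelegation = SecurityServiceManager.isFullAuthorizationDelegationRequired(
                realmForDelegation, securityApplicationInfo);
    }

    /**
     * Registers every security role of the module with the realm's role manager.
     *
     * <p>The {@code **} role is special-cased: when the descriptor does not define
     * it and no principals are mapped to it, it is bound to the {@code users}
     * group so that "any authenticated user" keeps the spec meaning. If the DD
     * does map principals to {@code **}, that mapping is honoured as-is.
     *
     * @param deploymentInfo   module being deployed (application / module ids)
     * @param rolesToPrincipals role name -> principal names from the descriptor
     * @param realm            {@link #SYSTEM_REALM} or {@link #APP_REALM}
     * @throws DeployHandleCreationException if the role manager cannot start a deployment
     * @throws NoSuchRoleException           wrapping any {@link RoleCreationException}
     *                                       raised while deploying an individual role
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public void deployRoles(DeploymentInfo deploymentInfo, Map<String, String[]> rolesToPrincipals, int realm)
            throws DeployHandleCreationException, NoSuchRoleException, RoleCreationException {
        String appId = deploymentInfo.getApplicationId();
        String moduleId = deploymentInfo.getModuleId();
        if (debugLogger.isDebugEnabled()) {
            debug("Deploying Roles for Application Id: '" + appId + "', Module Id: '" + moduleId
                    + "'  there are: '" + rolesToPrincipals.size() + "' roles for the module.");
        }
        RoleManager roleManager = obtainRM(realm);
        this.roleMgrHandle = roleManager.startDeployRoles(this.securityAppInfo);
        this.ejbRoleResource = createEJBResource(deploymentInfo);

        for (Map.Entry<String, String[]> entry : rolesToPrincipals.entrySet()) {
            String roleName = entry.getKey();
            String[] principals = entry.getValue();
            try {
                boolean anyAuthFallback = ANY_AUTHENTICATED_USER_ROLE.equals(roleName)
                        && !deploymentInfo.isAnyAuthUserRoleDefinedInDD()
                        && (principals == null || principals.length == 0);
                if (anyAuthFallback) {
                    if (debugLogger.isDebugEnabled()) {
                        debug("Deploying the ** role  with the 'users' group ");
                    }
                    roleManager.deployRole(this.roleMgrHandle, this.ejbRoleResource, roleName,
                            new String[]{ESubjectImpl.USERS_GROUP});
                } else {
                    if (debugLogger.isDebugEnabled()) {
                        debug("Deploying role: " + roleName + " with principals: " + Arrays.toString(principals));
                    }
                    roleManager.deployRole(this.roleMgrHandle, this.ejbRoleResource, roleName, principals);
                }
            } catch (RoleCreationException e) {
                // NoSuchRoleException is the container's checked type; the original
                // cause is folded into the message (no cause constructor visible here).
                throw new NoSuchRoleException(
                        "registerEjbRolesAndUsers: Exception while attempting to deploy Security Role: " + e.toString());
            }
        }
        roleManager.endDeployRoles(this.roleMgrHandle);
        if (debugLogger.isDebugEnabled()) {
            debug("Done with role deployment for Application Id: '" + appId + "', Module Id: '" + moduleId + QUOTE);
        }
    }

    /**
     * Removes every role registered by the last {@link #deployRoles} call.
     * A failure is logged, not propagated, so undeploy can continue.
     *
     * @param deploymentInfo module being undeployed (used for logging)
     * @param realm          {@link #SYSTEM_REALM} or {@link #APP_REALM}
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public void unDeployRoles(DeploymentInfo deploymentInfo, int realm) {
        // NOTE(review): the original builds a module-level EJBResource here and
        // discards it; kept as-is because EJBResource construction is opaque from
        // this file -- confirm it has no registration side effect, then drop it.
        createEJBResource(deploymentInfo);
        RoleManager roleManager = obtainRM(realm);
        if (this.roleMgrHandle == null) {
            return; // nothing was deployed through this helper
        }
        try {
            roleManager.undeployAllRoles(this.roleMgrHandle);
        } catch (RoleRemovalException e) {
            EJBLogger.logFailedToUndeploySecurityRole(
                    deploymentInfo.getApplicationId() + " - " + deploymentInfo.getModuleId(), e);
        }
    }

    /**
     * Opens a policy deployment against the application realm; the handle is
     * used by every subsequent {@code deployPolicy} call.
     *
     * @throws DeployHandleCreationException if the authorization manager refuses
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public void beginPolicyRegistration() throws DeployHandleCreationException {
        this.authMgrHandle = obtainAM(APP_REALM).startDeployPolicies(this.securityAppInfo);
    }

    /**
     * Closes the policy deployment opened by {@link #beginPolicyRegistration}.
     *
     * @throws ResourceCreationException if the authorization manager fails to commit
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public void endPolicyRegistration() throws ResourceCreationException {
        obtainAM(APP_REALM).endDeployPolicies(this.authMgrHandle);
    }

    /**
     * Deploys method-permission policies for three groups of methods.
     *
     * <p>The first list is tried through {@link #deployOptimizedPolicy} (one
     * bean-level policy when every method shares the same roles); if that is
     * not possible each method gets its own policy. The other two lists are
     * always deployed per method. {@code null} lists are skipped.
     *
     * @param businessMethods   first group (candidate for the bean-level policy)
     * @param secondGroup       second group, deployed per method
     * @param thirdGroup        third group, deployed per method
     * @param securityHelper    helper attached to each descriptor for runtime checks
     * @param realm             {@link #SYSTEM_REALM} or {@link #APP_REALM}
     * @throws PrincipalNotFoundException wrapping any {@link ResourceCreationException}
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public void deployPolicies(List<MethodDescriptor> businessMethods, List<MethodDescriptor> secondGroup,
            List<MethodDescriptor> thirdGroup, SecurityHelper securityHelper, int realm)
            throws PrincipalNotFoundException {
        AuthorizationManager authManager = obtainAM(realm);
        if (businessMethods != null && !deployOptimizedPolicy(businessMethods, securityHelper, authManager)) {
            deployEach(businessMethods, securityHelper, authManager);
        }
        if (secondGroup != null) {
            deployEach(secondGroup, securityHelper, authManager);
        }
        if (thirdGroup != null) {
            deployEach(thirdGroup, securityHelper, authManager);
        }
    }

    /** Deploys one policy per descriptor in {@code descriptors}. */
    private void deployEach(List<MethodDescriptor> descriptors, SecurityHelper securityHelper,
            AuthorizationManager authManager) throws PrincipalNotFoundException {
        for (MethodDescriptor descriptor : descriptors) {
            deployPolicy(descriptor, securityHelper, authManager);
        }
    }

    /**
     * Tries to collapse a list of methods of one bean into a single bean-level
     * policy (no method name in the resource) carrying the common role set.
     *
     * <p>Returns {@code false} -- and deploys nothing -- when the methods span
     * more than one bean, or when two methods disagree on roles and neither
     * of them is declared on {@link BusinessObject}. Methods declared on
     * {@code BusinessObject} whose roles differ from the running "reference"
     * descriptor are collected and deployed individually afterwards, so their
     * more specific policy sits on top of the bean-level one.
     *
     * @return {@code true} if the optimized policy was deployed
     * @throws PrincipalNotFoundException wrapping any {@link ResourceCreationException}
     */
    private boolean deployOptimizedPolicy(List<MethodDescriptor> descriptors, SecurityHelper securityHelper,
            AuthorizationManager authManager) throws PrincipalNotFoundException {
        if (descriptors == null || descriptors.isEmpty()) {
            return false;
        }
        List<MethodDescriptor> overrides = new ArrayList<>();
        MethodDescriptor reference = null;
        for (MethodDescriptor candidate : descriptors) {
            if (reference == null) {
                reference = candidate;
                continue;
            }
            if (!reference.getEjbName().equals(candidate.getEjbName())) {
                return false; // more than one bean: cannot share a bean-level policy
            }
            Set<String> referenceRoles = reference.getMethodInfo().getSecurityRoleNames();
            if (referenceRoles.equals(candidate.getMethodInfo().getSecurityRoleNames())) {
                continue;
            }
            if (reference.getMethod().getDeclaringClass() == BusinessObject.class) {
                // The reference is the generic one; the candidate becomes the new reference.
                overrides.add(reference);
                reference = candidate;
            } else if (candidate.getMethod().getDeclaringClass() == BusinessObject.class) {
                overrides.add(candidate);
            } else {
                return false; // two concrete methods with different roles
            }
        }

        String applicationName = reference.getApplicationName();
        String moduleId = reference.getModuleId();
        String ejbName = reference.getEjbName();
        EJBResource beanResource = createEJBResource(applicationName, moduleId, ejbName);

        // Every descriptor still needs its own resource for runtime checks.
        for (MethodDescriptor descriptor : descriptors) {
            descriptor.setSecurityHelper(securityHelper);
            descriptor.setEJBResource(SecurityHelper.createEJBResource(descriptor));
        }
        if (debugLogger.isDebugEnabled()) {
            debug("Register optimized EJB Role restrictions for application: '" + applicationName
                    + "', moduleId: '" + moduleId + "', ejbName: '" + ejbName);
        }
        MethodInfo info = reference.getMethodInfo();
        deployPolicy(beanResource, info.getSecurityRoleNames(), this.fullDelegation || info.hasRoles(),
                info.getUnchecked(), info.getIsExcluded(), authManager);
        deployEach(overrides, securityHelper, authManager);
        return true;
    }

    /**
     * Deploys the policy for a single method and wires the descriptor up for
     * runtime checks (security helper and per-method resource).
     *
     * @return the value of the underlying {@link #deployPolicy(EJBResource, Set, boolean, boolean, boolean, AuthorizationManager)}
     * @throws PrincipalNotFoundException wrapping any {@link ResourceCreationException}
     */
    private boolean deployPolicy(MethodDescriptor descriptor, SecurityHelper securityHelper,
            AuthorizationManager authManager) throws PrincipalNotFoundException {
        descriptor.setSecurityHelper(securityHelper);
        EJBResource methodResource = SecurityHelper.createEJBResource(descriptor);
        descriptor.setEJBResource(methodResource);
        MethodInfo info = descriptor.getMethodInfo();
        if (debugLogger.isDebugEnabled()) {
            debug("Registering EJB Role restrictions for appName: '" + descriptor.getApplicationName()
                    + "', moduleId: '" + descriptor.getModuleId() + "', ejbName: '" + descriptor.getEjbName()
                    + "', methodName: '" + info.getMethodName() + "', methodInterface: '" + info.getMethodInterfaceType());
        }
        return deployPolicy(methodResource, info.getSecurityRoleNames(), this.fullDelegation || info.hasRoles(),
                info.getUnchecked(), info.getIsExcluded(), authManager);
    }

    /**
     * Deploys the role policy for {@code resource} and, always, its unchecked /
     * excluded marker policy.
     *
     * <p>Order of operations (this is the behaviour the decompiled listing
     * encoded through an inlined {@code finally}):
     * <ol>
     *   <li>If {@code checked} is false, no role policy is deployed.</li>
     *   <li>Otherwise, if {@code roles} is empty, the role policy is skipped;
     *       else {@code authManager.deployPolicy} is called with the role names.</li>
     *   <li>In every case -- including after a failure in step 2 -- the unchecked
     *       policy is deployed when {@code unchecked} is set, else the excluded
     *       policy when {@code excluded} is set. This runs exactly once.</li>
     * </ol>
     * An "unchecked" policy grants the method to everyone; "excluded" denies it
     * to everyone. Both are deployed even when a role policy was registered,
     * which mirrors the original -- how the realm resolves the combination is
     * up to the authorization provider and is not visible here.
     *
     * @param resource   EJB resource (bean- or method-level)
     * @param roles      role names allowed to call the resource
     * @param checked    whether a role policy should be deployed at all
     * @param unchecked  deploy an unchecked (permit-all) policy
     * @param excluded   deploy an excluded (deny-all) policy; ignored if {@code unchecked}
     * @param authManager target authorization manager
     * @return {@code true} if the checked branch ran (role policy deployed or skipped
     *         because no roles were listed), {@code false} if {@code checked} was false
     * @throws PrincipalNotFoundException wrapping any {@link ResourceCreationException};
     *         a failure in step 3 replaces a failure in step 2
     */
    boolean deployPolicy(EJBResource resource, Set<String> roles, boolean checked, boolean unchecked,
            boolean excluded, AuthorizationManager authManager) throws PrincipalNotFoundException {
        try {
            if (!checked) {
                return false;
            }
            try {
                if (roles.isEmpty()) {
                    if (debugLogger.isDebugEnabled()) {
                        debug("Count of restrictable roles in policy = " + roles.size()
                                + ", so skipping authManager.deployPolicy");
                    }
                    return true;
                }
                authManager.deployPolicy(this.authMgrHandle, resource, roles.toArray(new String[0]));
            } catch (ResourceCreationException e) {
                throw new PrincipalNotFoundException(
                        "Exception while attempting to deploy Security Policy:  " + e.toString());
            }
        } finally {
            deployUncheckedOrExcluded(resource, unchecked, excluded, authManager);
        }
        if (debugLogger.isDebugEnabled()) {
            debug("Registered EJB Role restrictions with Policy Manager");
        }
        return true;
    }

    /**
     * Deploys the unchecked policy if {@code unchecked}, else the excluded policy
     * if {@code excluded}, else nothing.
     *
     * @throws PrincipalNotFoundException wrapping any {@link ResourceCreationException}
     */
    private void deployUncheckedOrExcluded(EJBResource resource, boolean unchecked, boolean excluded,
            AuthorizationManager authManager) throws PrincipalNotFoundException {
        try {
            if (unchecked) {
                if (debugLogger.isDebugEnabled()) {
                    debug("Deploying an unchecked policy");
                }
                authManager.deployUncheckedPolicy(this.authMgrHandle, resource);
            } else if (excluded) {
                if (debugLogger.isDebugEnabled()) {
                    debug("Deploying an excluded policy");
                }
                authManager.deployExcludedPolicy(this.authMgrHandle, resource);
            }
        } catch (ResourceCreationException e) {
            throw new PrincipalNotFoundException(
                    "Exception while attempting to deploy Unchecked or Excluded Security Policy:  " + e.toString());
        }
    }

    /** Undeploys all policies from the application realm. */
    /* JADX INFO: Access modifiers changed from: package-private */
    public void unDeployAllPolicies() {
        unDeployAllPolicies(APP_REALM);
    }

    /**
     * Undeploys every policy registered through {@link #authMgrHandle}; a no-op
     * if no policy deployment was started. Failures are logged, not thrown.
     *
     * @param realm {@link #SYSTEM_REALM} or {@link #APP_REALM}
     */
    void unDeployAllPolicies(int realm) {
        if (this.authMgrHandle == null) {
            return;
        }
        try {
            obtainAM(realm).undeployAllPolicies(this.authMgrHandle);
        } catch (ResourceRemovalException e) {
            EJBLogger.logFailedToUndeploySecurityPolicy("All EJBs in Application", e);
        }
    }

    /** {@link #isAccessAllowed(EJBResource, ContextHandler, int)} against the application realm. */
    boolean isAccessAllowed(EJBResource resource, ContextHandler contextHandler) {
        return isAccessAllowed(resource, contextHandler, APP_REALM);
    }

    /**
     * Asks the realm whether the <em>current</em> subject (taken from
     * {@link SecurityHelper#getCurrentSubject()}, not a parameter) may access
     * {@code resource}. The decision is fully delegated to the authorization
     * manager; nothing is cached here.
     *
     * @param resource       method- or bean-level EJB resource
     * @param contextHandler call context passed through to the provider
     * @param realm          {@link #SYSTEM_REALM} or {@link #APP_REALM}
     * @return the authorization manager's verdict
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean isAccessAllowed(EJBResource resource, ContextHandler contextHandler, int realm) {
        AuthorizationManager authManager = obtainAM(realm);
        AuthenticatedSubject caller = SecurityHelper.getCurrentSubject();
        if (debugLogger.isDebugEnabled()) {
            debug("Checking Method Permission for ejb: '" + resource + "' with Subject: " + caller);
        }
        return authManager.isAccessAllowed(caller, resource, new ResourceIDDContextWrapper(contextHandler));
    }

    /** {@link #isCallerInRole(EJBResource, AuthenticatedSubject, String, int)} against the application realm. */
    boolean isCallerInRole(EJBResource resource, AuthenticatedSubject subject, String roleName) {
        return isCallerInRole(resource, subject, roleName, APP_REALM);
    }

    /**
     * Resolves the roles the realm grants {@code subject} on {@code resource}
     * and checks whether {@code roleName} is among them.
     *
     * @param resource EJB resource the role is evaluated against
     * @param subject  caller being checked (passed in, not taken from the thread)
     * @param roleName candidate role name
     * @param realm    {@link #SYSTEM_REALM} or {@link #APP_REALM}
     * @return {@code false} when the realm maps no roles to the subject at all,
     *         otherwise {@link SecurityServiceManager#isUserInRole}'s verdict
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean isCallerInRole(EJBResource resource, AuthenticatedSubject subject, String roleName, int realm) {
        Map roles = obtainRM(realm).getRoles(subject, resource, new ResourceIDDContextWrapper());
        if (roles == null || roles.isEmpty()) {
            if (debugLogger.isDebugEnabled()) {
                debug("isCallerInRole:  securityRoles for resource; '" + resource + "', Caller subject: '" + subject
                        + ", role name '" + roleName + "' there are no roles mapped to this subject.'  isCallerInRole returns false");
            }
            return false;
        }
        // Evaluated once; the original re-ran the check for the debug line.
        boolean inRole = SecurityServiceManager.isUserInRole(subject, roleName, roles);
        if (debugLogger.isDebugEnabled()) {
            StringBuilder mapped = new StringBuilder();
            for (Object granted : roles.keySet()) {
                mapped.append(granted).append(", ");
            }
            debug("isCallerInRole:  check securityRoles for resource; '" + resource + "', subject: '" + subject
                    + ", candidate role name '" + roleName + "'roles mapped to this subject are: '" + mapped.toString()
                    + "''  isCallerInRole returns " + inRole);
        }
        return inRole;
    }

    /** @return whether the realm requires every method check to be delegated to it */
    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean fullyDelegateSecurityCheck() {
        return this.fullDelegation;
    }

    /**
     * Returns the role manager for {@code realm}, resolving it under the
     * kernel identity on first use and caching it in the matching field.
     *
     * @throws IllegalArgumentException for an unknown realm selector
     */
    private RoleManager obtainRM(int realm) {
        switch (realm) {
            case SYSTEM_REALM:
                if (this.sysRoleManager == null) {
                    this.sysRoleManager = (RoleManager) SecurityServiceManager.getSecurityService(
                            KERNEL_ID, this.sysRealmName, SecurityService.ServiceType.ROLE);
                }
                return this.sysRoleManager;
            case APP_REALM:
                if (this.appRoleManager == null) {
                    this.appRoleManager = (RoleManager) SecurityServiceManager.getSecurityService(
                            KERNEL_ID, this.appRealmName, SecurityService.ServiceType.ROLE);
                }
                return this.appRoleManager;
            default:
                throw new IllegalArgumentException("Unknown realm type: " + realm);
        }
    }

    /**
     * Returns the authorization manager for {@code realm}, resolving it under
     * the kernel identity on first use and caching it in the matching field.
     *
     * @throws IllegalArgumentException for an unknown realm selector
     */
    private AuthorizationManager obtainAM(int realm) {
        switch (realm) {
            case SYSTEM_REALM:
                if (this.sysAuthManager == null) {
                    this.sysAuthManager = (AuthorizationManager) SecurityServiceManager.getSecurityService(
                            KERNEL_ID, this.sysRealmName, SecurityService.ServiceType.AUTHORIZE);
                }
                return this.sysAuthManager;
            case APP_REALM:
                if (this.appAuthManager == null) {
                    this.appAuthManager = (AuthorizationManager) SecurityServiceManager.getSecurityService(
                            KERNEL_ID, this.appRealmName, SecurityService.ServiceType.AUTHORIZE);
                }
                return this.appAuthManager;
            default:
                throw new IllegalArgumentException("Unknown realm type: " + realm);
        }
    }

    /** Module-level resource: application and module only, no bean or method. */
    private EJBResource createEJBResource(DeploymentInfo deploymentInfo) {
        return new EJBResource(deploymentInfo.getApplicationId(), deploymentInfo.getModuleId(), null, null, null, null);
    }

    /** Bean-level resource: application, module and bean, no method. */
    private EJBResource createEJBResource(String applicationName, String moduleId, String ejbName) {
        return new EJBResource(applicationName, moduleId, ejbName, null, null, null);
    }

    private static void debug(String message) {
        debugLogger.debug("[SecurityHelperWLS] " + message);
    }
}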
