package weblogic.management.internal;

import java.beans.BeanDescriptor;
import java.beans.BeanInfo;
import java.beans.MethodDescriptor;
import java.beans.PropertyDescriptor;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.PrintStream;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Map;
import javax.management.ObjectName;
import weblogic.common.internal.VersionInfo;
import weblogic.deploy.service.CallbackHandler;
import weblogic.diagnostics.debug.DebugLogger;
import weblogic.management.ManagementLogger;
import weblogic.management.NoAccessRuntimeException;
import weblogic.management.WebLogicObjectName;
import weblogic.management.provider.ManagementService;
import weblogic.management.provider.beaninfo.BeanInfoAccess;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.service.AdminResource;
import weblogic.security.service.MBeanResource;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.service.RoleManager;
import weblogic.security.service.SecurityService;
import weblogic.security.service.SecurityServiceManager;
import weblogic.utils.Debug;

/* loaded from: input_file:weblogic/management/internal/SecurityHelper.class */
public class SecurityHelper {
    private static final String ADMIN_ROLENAME = "Admin";
    private static final String DEPLOYER_ROLENAME = "Deployer";
    private static final String OPERATOR_ROLENAME = "Operator";
    private static final String MONITOR_ROLENAME = "Monitor";
    private static final boolean ENABLE_ACL_EXCEPTION = true;
    private static boolean isSecServiceInitialized;
    private static BeanInfoAccess beanInfoAccess;
    private static RoleManager roleManager;
    private static DebugLogger debugLogger = DebugLogger.getDebugLogger("DebugConfigurationRuntime");
    private static final AuthenticatedSubject KERNEL_ID = (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
    private static PrintStream aclPrintStream = null;
    private static AdminResource adminMBeanResource = new AdminResource(CallbackHandler.CONFIGURATION, null, null);
    private static boolean disableACLOnMbeans = Boolean.getBoolean("weblogic.disableMBeanAuthorization");
    private static boolean debugACLs = Boolean.getBoolean("DEBUG_ACLS");

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:weblogic/management/internal/SecurityHelper$IsAccessAllowedPrivilegeAction.class */
    public static class IsAccessAllowedPrivilegeAction implements PrivilegedAction {
        private final AuthenticatedSubject subject;
        private final ObjectName name;
        private final MBeanResource.ActionType action;
        private final String target;
        private final String type;
        private final BeanDescriptor beanDescriptor;
        private final MethodDescriptor methodDescriptor;
        private final PropertyDescriptor propertyDescriptor;

        IsAccessAllowedPrivilegeAction(AuthenticatedSubject authenticatedSubject, ObjectName objectName, MBeanResource.ActionType actionType, String str, BeanDescriptor beanDescriptor, MethodDescriptor methodDescriptor, PropertyDescriptor propertyDescriptor) {
            this.subject = authenticatedSubject;
            this.name = objectName;
            this.action = actionType;
            this.target = str;
            this.type = this.name.getKeyProperty("Type");
            this.beanDescriptor = beanDescriptor;
            this.methodDescriptor = methodDescriptor;
            this.propertyDescriptor = propertyDescriptor;
        }

        @Override // java.security.PrivilegedAction
        public Object run() {
            Map roles = SecurityHelper.access$200().getRoles(this.subject, SecurityHelper.adminMBeanResource, null);
            if (SecurityHelper.isInRole(roles, SecurityHelper.ADMIN_ROLENAME)) {
                return Boolean.TRUE;
            }
            if (!(this.name instanceof WebLogicObjectName) && this.type == null) {
                return Boolean.TRUE;
            }
            return wlsRun(roles);
        }

        private Object wlsRun(Map map) {
            String str = "Access not allowed for subject: " + this.subject + ", on ResourceType: " + (this.type != null ? this.type : this.name.toString()) + " Action: " + this.action + ", Target: " + this.target;
            if (this.action == MBeanResource.ActionType.READ) {
                PropertyDescriptor propertyDescriptor = this.propertyDescriptor;
                if (propertyDescriptor == null) {
                    propertyDescriptor = SecurityHelper.getPropertyDescriptor(this.type, this.target);
                }
                if (propertyDescriptor == null) {
                    throw new NoAccessRuntimeException(str);
                }
                Boolean bool = (Boolean) propertyDescriptor.getValue("encrypted");
                Boolean bool2 = (Boolean) propertyDescriptor.getValue("sensitive");
                if ((bool == null || !bool.booleanValue()) && (bool2 == null || !bool2.booleanValue())) {
                    if (SecurityHelper.debugLogger.isDebugEnabled()) {
                        SecurityHelper.debugLogger.debug("SecurityHelper - read non-encrypted attr, attr = " + this.target);
                    }
                    return Boolean.TRUE;
                }
                if (SecurityHelper.isInRole(map, (String[]) propertyDescriptor.getValue("rolesAllowedGet"))) {
                    return Boolean.TRUE;
                }
                Boolean bool3 = (Boolean) propertyDescriptor.getValue("rolePermitAllGet");
                if (bool3 == null || !bool3.booleanValue()) {
                    throw new NoAccessRuntimeException(str);
                }
                if (SecurityHelper.debugLogger.isDebugEnabled()) {
                    SecurityHelper.debugLogger.debug("SecurityHelper - rolePermitAll found for get " + this.target);
                }
                return Boolean.TRUE;
            }
            if (this.action != MBeanResource.ActionType.WRITE && this.action != MBeanResource.ActionType.EXECUTE && this.action != MBeanResource.ActionType.REGISTER && this.action != MBeanResource.ActionType.UNREGISTER) {
                throw new NoAccessRuntimeException("Uknown ActionType: " + this.action + " found");
            }
            BeanDescriptor beanDescriptor = this.beanDescriptor;
            if (beanDescriptor == null) {
                beanDescriptor = SecurityHelper.getBeanDescriptor(this.type);
            }
            if (beanDescriptor != null) {
                if (SecurityHelper.isInRole(map, (String[]) beanDescriptor.getValue("rolesAllowed"))) {
                    return Boolean.TRUE;
                }
                Boolean bool4 = (Boolean) beanDescriptor.getValue("rolePermitAll");
                if (bool4 != null && bool4.booleanValue()) {
                    if (SecurityHelper.debugLogger.isDebugEnabled()) {
                        SecurityHelper.debugLogger.debug("SecurityHelper - rolePermitAll found for interface ");
                    }
                    return Boolean.TRUE;
                }
            }
            if (this.action == MBeanResource.ActionType.WRITE) {
                PropertyDescriptor propertyDescriptor2 = this.propertyDescriptor;
                if (propertyDescriptor2 == null) {
                    propertyDescriptor2 = SecurityHelper.getPropertyDescriptor(this.type, this.target);
                }
                if (propertyDescriptor2 != null) {
                    if (SecurityHelper.isInRole(map, (String[]) propertyDescriptor2.getValue("rolesAllowedSet"))) {
                        return Boolean.TRUE;
                    }
                    Boolean bool5 = (Boolean) propertyDescriptor2.getValue("rolePermitAllSet");
                    if (bool5 != null && bool5.booleanValue()) {
                        if (SecurityHelper.debugLogger.isDebugEnabled()) {
                            SecurityHelper.debugLogger.debug("SecurityHelper - rolePermitAllSet found for set " + this.target);
                        }
                        return Boolean.TRUE;
                    }
                }
                throw new NoAccessRuntimeException(str);
            }
            if (this.action == MBeanResource.ActionType.EXECUTE) {
                MethodDescriptor methodDescriptor = this.methodDescriptor;
                if (methodDescriptor == null) {
                    methodDescriptor = SecurityHelper.getMethodDescriptor(this.type, this.target);
                }
                if (methodDescriptor != null) {
                    if (SecurityHelper.isInRole(map, (String[]) methodDescriptor.getValue("rolesAllowed"))) {
                        return Boolean.TRUE;
                    }
                    Boolean bool6 = (Boolean) methodDescriptor.getValue("rolePermitAll");
                    if (bool6 != null && bool6.booleanValue()) {
                        if (SecurityHelper.debugLogger.isDebugEnabled()) {
                            SecurityHelper.debugLogger.debug("SecurityHelper - rolePermitAll found for invoke " + this.target);
                        }
                        return Boolean.TRUE;
                    }
                }
            }
            if (SecurityHelper.debugACLs) {
                SecurityHelper.dumpAclDebug(this.subject, this.name, this.action, this.target, "");
            }
            throw new NoAccessRuntimeException(str);
        }
    }

    public static void checkForAdminRole() {
        checkForRole(ADMIN_ROLENAME);
    }

    public static void checkForDeployerRole() {
        checkForRole(DEPLOYER_ROLENAME);
    }

    public static void checkForOperatorRole() {
        checkForRole(OPERATOR_ROLENAME);
    }

    public static boolean isProtectedAttribute(ObjectName objectName, String str, PropertyDescriptor propertyDescriptor) {
        if (propertyDescriptor != null) {
            Boolean bool = (Boolean) propertyDescriptor.getValue("encrypted");
            if (bool != null && bool.booleanValue()) {
                if (!debugLogger.isDebugEnabled()) {
                    return true;
                }
                debugLogger.debug("SecurityHelper - attribute " + str + " for object " + objectName + " is protected");
                return true;
            }
            Boolean bool2 = (Boolean) propertyDescriptor.getValue("sensitive");
            if (bool2 != null && bool2.booleanValue()) {
                if (!debugLogger.isDebugEnabled()) {
                    return true;
                }
                debugLogger.debug("SecurityHelper - attribute " + str + " for object " + objectName + " is protected");
                return true;
            }
        }
        if (!debugLogger.isDebugEnabled()) {
            return false;
        }
        debugLogger.debug("SecurityHelper - attribute " + str + " for object " + objectName + " is NOT protected");
        return false;
    }

    public static void isAccessAllowed(ObjectName objectName, MBeanResource.ActionType actionType, String str, String str2) throws NoAccessRuntimeException {
        isAccessAllowed(objectName, actionType, str, str2, null, null, null);
    }

    public static void isAccessAllowed(ObjectName objectName, MBeanResource.ActionType actionType, String str, String str2, BeanDescriptor beanDescriptor) throws NoAccessRuntimeException {
        isAccessAllowed(objectName, actionType, str, str2, beanDescriptor, null, null);
    }

    public static void isAccessAllowed(ObjectName objectName, MBeanResource.ActionType actionType, String str, String str2, BeanDescriptor beanDescriptor, PropertyDescriptor propertyDescriptor) throws NoAccessRuntimeException {
        isAccessAllowed(objectName, actionType, str, str2, beanDescriptor, null, propertyDescriptor);
    }

    public static void isAccessAllowed(ObjectName objectName, MBeanResource.ActionType actionType, String str, String str2, BeanDescriptor beanDescriptor, MethodDescriptor methodDescriptor) throws NoAccessRuntimeException {
        isAccessAllowed(objectName, actionType, str, str2, beanDescriptor, methodDescriptor, null);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static boolean isAllowed(ObjectName objectName, MBeanResource.ActionType actionType, String str, String str2, PropertyDescriptor propertyDescriptor) {
        try {
            isAccessAllowed(objectName, actionType, str, str2, null, null, propertyDescriptor);
            return true;
        } catch (NoAccessRuntimeException e) {
            return false;
        }
    }

    public static boolean isAllowedAnon(ObjectName objectName, MBeanResource.ActionType actionType, String str, String str2, PropertyDescriptor propertyDescriptor) {
        return isAllowed(AuthenticatedSubject.ANON, objectName, actionType, str, str2, propertyDescriptor);
    }

    public static boolean isAllowed(AuthenticatedSubject authenticatedSubject, final ObjectName objectName, final MBeanResource.ActionType actionType, final String str, final String str2, final PropertyDescriptor propertyDescriptor) {
        return ((Boolean) SecurityServiceManager.runAs(KERNEL_ID, authenticatedSubject, new PrivilegedAction() { // from class: weblogic.management.internal.SecurityHelper.1
            @Override // java.security.PrivilegedAction
            public Object run() {
                return new Boolean(SecurityHelper.isAllowed(objectName, actionType, str, str2, propertyDescriptor));
            }
        })).booleanValue();
    }

    private static void isAccessAllowed(ObjectName objectName, MBeanResource.ActionType actionType, String str, String str2, BeanDescriptor beanDescriptor, MethodDescriptor methodDescriptor, PropertyDescriptor propertyDescriptor) throws NoAccessRuntimeException {
        if (disableACLOnMbeans || actionType == MBeanResource.ActionType.FIND) {
            return;
        }
        if (objectName == null) {
            checkForAdminRole();
            return;
        }
        if (actionType == MBeanResource.ActionType.READ) {
            if (propertyDescriptor == null) {
                return;
            }
            Boolean bool = (Boolean) propertyDescriptor.getValue("encrypted");
            Boolean bool2 = (Boolean) propertyDescriptor.getValue("sensitive");
            if ((bool == null || !bool.booleanValue()) && (bool2 == null || !bool2.booleanValue())) {
                return;
            }
        }
        AuthenticatedSubject currentSubject = SecurityServiceManager.getCurrentSubject(KERNEL_ID);
        if (SecurityServiceManager.isKernelIdentity(currentSubject)) {
            return;
        }
        SecurityServiceManager.runAs(KERNEL_ID, KERNEL_ID, new IsAccessAllowedPrivilegeAction(currentSubject, objectName, actionType, str, beanDescriptor, methodDescriptor, propertyDescriptor));
    }

    public static void isAccessAllowedCommo(ObjectName objectName, MBeanResource.ActionType actionType, String str, String str2, BeanDescriptor beanDescriptor) throws NoAccessRuntimeException {
        isAccessAllowedCommo(objectName, actionType, str, str2, beanDescriptor, null, null);
    }

    public static void isAccessAllowedCommo(ObjectName objectName, MBeanResource.ActionType actionType, String str, String str2, BeanDescriptor beanDescriptor, PropertyDescriptor propertyDescriptor) throws NoAccessRuntimeException {
        isAccessAllowedCommo(objectName, actionType, str, str2, beanDescriptor, null, propertyDescriptor);
    }

    public static void isAccessAllowedCommo(ObjectName objectName, MBeanResource.ActionType actionType, String str, String str2, BeanDescriptor beanDescriptor, MethodDescriptor methodDescriptor) throws NoAccessRuntimeException {
        isAccessAllowedCommo(objectName, actionType, str, str2, beanDescriptor, methodDescriptor, null);
    }

    private static void isAccessAllowedCommo(ObjectName objectName, MBeanResource.ActionType actionType, String str, String str2, BeanDescriptor beanDescriptor, MethodDescriptor methodDescriptor, PropertyDescriptor propertyDescriptor) throws NoAccessRuntimeException {
        if (disableACLOnMbeans || actionType == MBeanResource.ActionType.FIND) {
            return;
        }
        if (actionType == MBeanResource.ActionType.WRITE) {
            checkForAdminRole();
            return;
        }
        if (actionType == MBeanResource.ActionType.UNREGISTER) {
            checkForAdminRole();
            return;
        }
        if (actionType == MBeanResource.ActionType.REGISTER) {
            return;
        }
        if (objectName == null) {
            throw new IllegalArgumentException("Object name for an MBean can not be null");
        }
        AuthenticatedSubject currentSubject = SecurityServiceManager.getCurrentSubject(KERNEL_ID);
        if (SecurityServiceManager.isKernelIdentity(currentSubject)) {
            return;
        }
        if (actionType == MBeanResource.ActionType.READ) {
            if (propertyDescriptor == null) {
                return;
            }
            Boolean bool = (Boolean) propertyDescriptor.getValue("encrypted");
            if (bool != null && bool.booleanValue()) {
                if (debugLogger.isDebugEnabled()) {
                    debugLogger.debug("SecurityHelper - read encrypted, check for admin, attr = " + str);
                }
                checkForAdminRole();
            }
            Boolean bool2 = (Boolean) propertyDescriptor.getValue("sensitive");
            if (bool2 == null || !bool2.booleanValue()) {
                return;
            }
            if (debugLogger.isDebugEnabled()) {
                debugLogger.debug("SecurityHelper - read encrypted, check for admin, attr = " + str);
            }
            checkForAdminRole();
            return;
        }
        if (actionType != MBeanResource.ActionType.EXECUTE) {
            throw new NoAccessRuntimeException("Access not allowed for subject: " + currentSubject + ", on Resource" + objectName.toString() + " Action: " + actionType + ", Target: " + str);
        }
        if (beanDescriptor != null) {
            if (checkForRoles((String[]) beanDescriptor.getValue("rolesAllowed"))) {
                return;
            }
            Boolean bool3 = (Boolean) beanDescriptor.getValue("rolePermitAll");
            if (bool3 != null && bool3.booleanValue()) {
                if (debugLogger.isDebugEnabled()) {
                    debugLogger.debug("SecurityHelper - rolePermitAll found for interface " + str);
                    return;
                }
                return;
            }
        }
        if (methodDescriptor != null) {
            if (checkForRoles((String[]) methodDescriptor.getValue("rolesAllowed"))) {
                return;
            }
            Boolean bool4 = (Boolean) methodDescriptor.getValue("rolePermitAll");
            if (bool4 != null && bool4.booleanValue()) {
                if (debugLogger.isDebugEnabled()) {
                    debugLogger.debug("SecurityHelper - rolePermitAll found for method " + str);
                    return;
                }
                return;
            }
        }
        checkForAdminRole();
    }

    public static void assertIfNotKernel(AuthenticatedSubject authenticatedSubject) {
        if (authenticatedSubject != KERNEL_ID) {
            throw new AssertionError("The internal method that you have invoked is not available unless you are running as Kernel!\nYou are running as: " + authenticatedSubject);
        }
    }

    public static void assertIfNotKernel() {
        AuthenticatedSubject currentSubject = SecurityServiceManager.getCurrentSubject(KERNEL_ID);
        if (!SecurityServiceManager.isKernelIdentity(currentSubject)) {
            throw new AssertionError("The internal method that you have invoked is not available unless you are running as Kernel!\nYou are running as: " + currentSubject);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static boolean isInRole(Map map, String str) {
        return (map == null || map.get(str) == null) ? false : true;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static boolean isInRole(Map map, String[] strArr) {
        if (map == null || strArr == null) {
            return false;
        }
        for (int i = 0; i < strArr.length; i++) {
            if (map.get(strArr[i]) != null) {
                if (!debugLogger.isDebugEnabled()) {
                    return true;
                }
                debugLogger.debug("SecurityHelper - in role is true, role " + strArr[i]);
                return true;
            }
        }
        return false;
    }

    private static RoleManager getRoleManager() {
        if (roleManager != null) {
            return roleManager;
        }
        RoleManager roleManager2 = (RoleManager) SecurityServiceManager.getSecurityService(KERNEL_ID, SecurityServiceManager.defaultRealmName, SecurityService.ServiceType.ROLE);
        roleManager = roleManager2;
        return roleManager2;
    }

    private static void checkForRole(final String str) {
        AuthenticatedSubject currentSubject = SecurityServiceManager.getCurrentSubject(KERNEL_ID);
        if (SecurityServiceManager.isKernelIdentity(currentSubject)) {
            return;
        }
        final AuthenticatedSubject seal = SecurityServiceManager.seal(KERNEL_ID, currentSubject);
        if (!((Boolean) SecurityServiceManager.runAs(KERNEL_ID, KERNEL_ID, new PrivilegedAction() { // from class: weblogic.management.internal.SecurityHelper.2
            @Override // java.security.PrivilegedAction
            public Object run() {
                Map roles = SecurityHelper.access$200().getRoles(AuthenticatedSubject.this, SecurityHelper.adminMBeanResource, null);
                return (roles == null || (roles.get(SecurityHelper.ADMIN_ROLENAME) == null && roles.get(str) == null)) ? Boolean.FALSE : Boolean.TRUE;
            }
        })).booleanValue()) {
            throw new NoAccessRuntimeException(ManagementLogger.logNoAccessForSubjectRoleLoggable(seal.toString(), str).getMessage());
        }
    }

    private static boolean checkForRoles(final String[] strArr) {
        final AuthenticatedSubject seal = SecurityServiceManager.seal(KERNEL_ID, SecurityServiceManager.getCurrentSubject(KERNEL_ID));
        return ((Boolean) SecurityServiceManager.runAs(KERNEL_ID, KERNEL_ID, new PrivilegedAction() { // from class: weblogic.management.internal.SecurityHelper.3
            @Override // java.security.PrivilegedAction
            public Object run() {
                Map roles = SecurityHelper.access$200().getRoles(AuthenticatedSubject.this, SecurityHelper.adminMBeanResource, null);
                if (roles == null || strArr == null) {
                    return Boolean.FALSE;
                }
                for (int i = 0; i < strArr.length; i++) {
                    if (roles.get(strArr[i]) != null) {
                        if (SecurityHelper.debugLogger.isDebugEnabled()) {
                            SecurityHelper.debugLogger.debug("SecurityHelper - role found " + strArr[i]);
                        }
                        return Boolean.TRUE;
                    }
                }
                if (SecurityHelper.debugLogger.isDebugEnabled()) {
                    SecurityHelper.debugLogger.debug("SecurityHelper - role not found ");
                }
                return Boolean.FALSE;
            }
        })).booleanValue();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static synchronized void dumpAclDebug(AuthenticatedSubject authenticatedSubject, ObjectName objectName, MBeanResource.ActionType actionType, String str, String str2) {
        try {
            if (aclPrintStream == null) {
                String str3 = ManagementService.getRuntimeAccess(KERNEL_ID).getServerName() + "_debug_acls.txt";
                Debug.say("Opening ACL Log" + str3);
                aclPrintStream = new PrintStream(new FileOutputStream(new File(str3)));
            }
            aclPrintStream.println("START: INVALID MBEAN ACCESS");
            aclPrintStream.println("PRINCIPALS:" + authenticatedSubject.getPrincipals());
            aclPrintStream.println("RESOURCE:" + objectName + "|" + actionType + "|" + str + "|" + str2);
            new Exception().printStackTrace(aclPrintStream);
            aclPrintStream.println("END:INVALID MBEAN ACCESS");
        } catch (FileNotFoundException e) {
            Debug.say("**** UNABLE TO OPEN DEBUG FILE *****");
        }
    }

    private static BeanInfo getBeanInfo(String str) {
        if (beanInfoAccess == null) {
            beanInfoAccess = ManagementService.getBeanInfoAccess();
        }
        String releaseVersion = VersionInfo.theOne().getReleaseVersion();
        BeanInfo beanInfoForInterface = beanInfoAccess.getBeanInfoForInterface(str, false, releaseVersion);
        if (beanInfoForInterface == null && str.indexOf(".") == -1) {
            beanInfoForInterface = beanInfoAccess.getBeanInfoForInterface("weblogic.management.configuration." + str + "MBean", false, releaseVersion);
        }
        if (beanInfoForInterface == null && str.indexOf(".") == -1) {
            beanInfoForInterface = beanInfoAccess.getBeanInfoForInterface("weblogic.management.runtime." + str + "MBean", true, releaseVersion);
        }
        return beanInfoForInterface;
    }

    public static BeanDescriptor getBeanDescriptor(String str) {
        BeanInfo beanInfo = getBeanInfo(str);
        if (beanInfo != null) {
            return beanInfo.getBeanDescriptor();
        }
        return null;
    }

    public static PropertyDescriptor getPropertyDescriptor(String str, String str2) {
        BeanInfo beanInfo = getBeanInfo(str);
        if (beanInfo == null) {
            return null;
        }
        for (PropertyDescriptor propertyDescriptor : beanInfo.getPropertyDescriptors()) {
            if (str2.equals(propertyDescriptor.getName())) {
                return propertyDescriptor;
            }
        }
        return null;
    }

    public static MethodDescriptor getMethodDescriptor(String str, String str2) {
        BeanInfo beanInfo = getBeanInfo(str);
        if (beanInfo == null) {
            return null;
        }
        for (MethodDescriptor methodDescriptor : beanInfo.getMethodDescriptors()) {
            if (str2.equals(methodDescriptor.getName())) {
                return methodDescriptor;
            }
        }
        return null;
    }

    static /* synthetic */ RoleManager access$200() {
        return getRoleManager();
    }
}
