package weblogic.connector.security.outbound;

import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Iterator;
import java.util.List;
import java.util.Vector;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NameClassPair;
import javax.naming.NameNotFoundException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.resource.spi.ConnectionRequestInfo;
import javax.resource.spi.ManagedConnectionFactory;
import javax.resource.spi.SecurityException;
import javax.resource.spi.security.GenericCredential;
import javax.resource.spi.security.PasswordCredential;
import javax.security.auth.Subject;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import weblogic.application.utils.ApplicationVersionUtils;
import weblogic.connector.ConnectorLogger;
import weblogic.connector.common.Debug;
import weblogic.connector.extensions.Unshareable;
import weblogic.connector.external.AuthMechInfo;
import weblogic.connector.external.OutboundInfo;
import weblogic.connector.external.RAInfo;
import weblogic.jndi.internal.JNDIImageSourceConstants;
import weblogic.management.scripting.WLSTConstants;
import weblogic.security.SubjectUtils;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.service.AuthorizationManager;
import weblogic.security.service.CredentialManager;
import weblogic.security.service.EISResource;
import weblogic.security.service.SecurityService;
import weblogic.security.service.SecurityServiceManager;

/* loaded from: input_file:weblogic/connector/security/outbound/SecurityContext.class */
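/**
 * Security context for one outbound resource-adapter connection request.
 *
 * <p>On construction the context resolves which resource principal (if any) should be used
 * towards the EIS. The outcome is exposed through {@link #getSubject()},
 * {@link #isContainerManaged()} and {@link #isShareable()}.
 *
 * <p>Credential resolution order, as implemented below:
 * <ol>
 *   <li>initial connections: mapping for {@code weblogic_ra_initial}, then
 *       {@code weblogic_ra_default};</li>
 *   <li>other connections (container-managed): mapping for the current subject, or
 *       {@code weblogic_ra_anonymous} when the current subject has no principals, then
 *       {@code weblogic_ra_default};</li>
 *   <li>each lookup tries the pool-level EIS resource first and falls back to the global one.</li>
 * </ol>
 *
 * <p>NOTE(review): because of the default fallback, a caller with no explicit mapping still
 * receives the default resource principal when one is configured. Deployments that rely on
 * per-user mappings for isolation should not configure {@code weblogic_ra_default}.
 *
 * <p>This listing is decompiled output; parameter names such as {@code str}/{@code z} are
 * decompiler artifacts and are kept on public members so the signatures stay as shown.
 */
public final class SecurityContext {
    public static final String SHARED_APPNAME = "WEBLOGIC_SHAREDAPP";
    private static final String ipAnonymousConnectionsName = "weblogic_ra_anonymous";
    private static final String ipInitialConnectionsName = "weblogic_ra_initial";
    private static final String ipDefaultConnectionsName = "weblogic_ra_default";
    private AuthenticatedSubject currentSubject = null;
    private AuthorizationManager am = null;
    private ConnectionRequestInfo clientInfo;
    private boolean isContainerManaged;
    private boolean shareable;
    private boolean alwaysUnshareable;
    private String poolName;
    private Subject rpSubject;
    private OutboundInfo outboundInfo;
    private EISResource globalEISRes;
    private EISResource poolEISRes;
    // Lazily created in getInitialContext() without synchronization; concurrent first calls
    // may each create an InitialContext and the last write wins.
    private static Context initialContext;

    /**
     * Builds the context and resolves the resource principal immediately.
     *
     * @param outboundInfo descriptor data for the outbound connection pool
     * @param str application name used for the EIS resources ({@link #SHARED_APPNAME} when empty)
     * @param str2 module name used for the EIS resources
     * @param str3 pool name, used in log/debug output
     * @param managedConnectionFactory factory the resolved credentials are bound to
     * @param connectionRequestInfo client-supplied request info, may be {@code null}
     * @param z {@code true} when credentials are wanted for initial connections
     * @param authenticatedSubject identity used to obtain the security services and to query
     *        the credential manager (presumably the kernel identity; confirm against callers)
     * @throws SecurityException if a GSS credential's name cannot be read
     */
    public SecurityContext(OutboundInfo outboundInfo, String str, String str2, String str3, ManagedConnectionFactory managedConnectionFactory, ConnectionRequestInfo connectionRequestInfo, boolean z, AuthenticatedSubject authenticatedSubject) throws SecurityException {
        initialize(outboundInfo, str, str2, str3, managedConnectionFactory, connectionRequestInfo, z, authenticatedSubject);
    }

    /**
     * Populates every field, then delegates to {@link #initSubject} for credential resolution.
     * Container-managed sign-on and "shareable" are the defaults; both may be overridden later
     * by the caller's resource reference or by the {@code @Unshareable} annotation.
     */
    private void initialize(OutboundInfo outboundInfo, String appName, String moduleName, String poolName, ManagedConnectionFactory mcf, ConnectionRequestInfo requestInfo, boolean initialConnection, AuthenticatedSubject kernelId) throws SecurityException {
        this.am = (AuthorizationManager) SecurityServiceManager.getSecurityService(kernelId, SecurityServiceManager.getDefaultRealmName(), SecurityService.ServiceType.AUTHORIZE);
        this.currentSubject = SecurityServiceManager.getCurrentSubject(kernelId);
        this.outboundInfo = outboundInfo;
        this.poolName = poolName;
        this.clientInfo = requestInfo;
        this.isContainerManaged = true;
        if (isUnshareableMCF(mcf.getClass())) {
            this.alwaysUnshareable = true;
            setShareable(false);
            if (Debug.isSecurityCtxEnabled()) {
                debug("The MCF has @Unshareable annotation on it, so it doesn't support share.");
            }
        } else {
            setShareable(true);
        }
        this.rpSubject = null;
        this.globalEISRes = getGlobalEISResource(appName, moduleName, outboundInfo.getRAInfo());
        this.poolEISRes = getPoolEISResource(appName, moduleName, outboundInfo);
        if (Debug.isSecurityCtxEnabled()) {
            Debug.securityCtx("For pool '" + poolName + "' initializing SecurityContext with AppName = " + ApplicationVersionUtils.getDisplayName(this.globalEISRes.getApplicationName()) + ", ModuleName = " + this.globalEISRes.getModuleName() + ", EIS Type = " + this.globalEISRes.getType() + ", DestinationId = " + this.poolEISRes.getDestinationId() + ", Global ResourceId = " + this.globalEISRes.toString() + ", Pool ResourceId = " + this.poolEISRes.toString());
        }
        initSubject(mcf, initialConnection, kernelId);
    }

    /**
     * Reports whether the given managed-connection-factory class carries {@code @Unshareable}.
     *
     * @param cls class to inspect
     * @return {@code true} if the annotation is present on {@code cls}
     */
    public static boolean isUnshareableMCF(Class<?> cls) {
        boolean annotated = cls.isAnnotationPresent(Unshareable.class);
        if (annotated && Debug.isSecurityCtxEnabled()) {
            Debug.securityCtx("Find Unshareable annotation on MCF class: " + cls);
        }
        return annotated;
    }

    /**
     * Resolves credentials and, when any are found, builds the read-only resource-principal
     * {@link Subject}. With no credentials {@code rpSubject} stays {@code null}.
     *
     * <p>If the credential list is non-empty but holds only unsupported types, the result is an
     * empty (non-null) read-only Subject, so {@link #isEmptyContext()} returns {@code false}.
     *
     * @throws SecurityException wrapping a {@link GSSException} from {@code getName()}
     */
    private void initSubject(ManagedConnectionFactory mcf, boolean initialConnection, AuthenticatedSubject kernelId) throws SecurityException {
        Vector credentials = getCredentials(initialConnection, kernelId);
        if (credentials == null || credentials.isEmpty()) {
            if (this.isContainerManaged && Debug.isSecurityCtxEnabled()) {
                Debug.logNoResourcePrincipalFound();
            }
            return;
        }
        this.rpSubject = new Subject();
        for (Object credential : credentials) {
            if (credential instanceof PasswordCredential) {
                PasswordCredential passwordCredential = (PasswordCredential) credential;
                passwordCredential.setManagedConnectionFactory(mcf);
                // NOTE(review): new String(char[]) copies the password into an immutable String
                // that cannot be zeroized, and that String is handed to a ResourcePrincipal stored
                // in the Subject's *principal* set. ResourcePrincipal is not visible here; confirm
                // it does not expose the password to code that can only read getPrincipals().
                ResourcePrincipal principal = new ResourcePrincipal(passwordCredential.getUserName(), new String(passwordCredential.getPassword()));
                if (Debug.isSecurityCtxEnabled()) {
                    debug("Adding resource principal Username: " + passwordCredential.getUserName());
                }
                addResourcePrincipal(principal, passwordCredential);
            } else if (credential instanceof GenericCredential) {
                GenericCredential genericCredential = (GenericCredential) credential;
                ResourcePrincipal principal = new ResourcePrincipal(genericCredential.getName(), "");
                if (Debug.isSecurityCtxEnabled()) {
                    debug("Adding resource principal Username: " + genericCredential.getName());
                }
                addResourcePrincipal(principal, genericCredential);
            } else if (credential instanceof GSSCredential) {
                GSSCredential gssCredential = (GSSCredential) credential;
                try {
                    String gssName = gssCredential.getName().toString();
                    ResourcePrincipal principal = new ResourcePrincipal(gssName, "");
                    if (Debug.isSecurityCtxEnabled()) {
                        debug("Adding resource principal Username: " + gssName);
                    }
                    addResourcePrincipal(principal, gssCredential);
                } catch (GSSException e) {
                    throw new SecurityException((Throwable) e);
                }
            } else if (Debug.isSecurityCtxEnabled()) {
                // Guard against a null element so the debug path cannot throw.
                debug("An unsupported credential type was encountered and will be ignored:  " + (credential == null ? "null" : credential.getClass().getName()));
            }
        }
        setSubjectReadOnly(this.rpSubject);
    }

    /**
     * Adds a principal and its private credential to {@code rpSubject} inside a privileged
     * block, so the Subject can be modified regardless of the permissions of callers further
     * up the stack.
     */
    private void addResourcePrincipal(final ResourcePrincipal principal, final Object credential) {
        final Subject target = this.rpSubject;
        AccessController.doPrivileged(new PrivilegedAction<Object>() {
            @Override
            public Object run() {
                target.getPrincipals().add(principal);
                target.getPrivateCredentials().add(credential);
                return null;
            }
        });
    }

    /** Emits the debug trace for application-managed sign-on; no-op unless debugging is on. */
    private void logUsingAppManagedSecurity() {
        if (Debug.isSecurityCtxEnabled()) {
            Debug.securityCtx(" For pool '" + this.poolName + " ': establishing Security Context for Application Managed client");
            if (this.clientInfo == null) {
                Debug.logNoConnectionRequestInfo();
            }
        }
    }

    /**
     * Looks up {@code java:/comp/env/wls-connector-resref} in the calling component's
     * environment and, if present, applies the matching resource reference. A missing name is
     * not an error: the defaults set in {@link #initialize} remain in force.
     *
     * @throws NamingException for any naming failure other than "name not found"
     */
    private void checkResourceReference() throws NamingException {
        try {
            Object resRefContext = getInitialContext().lookup("java:/comp/env/wls-connector-resref");
            if (resRefContext != null) {
                processResourceReference((Context) resRefContext);
            } else if (Debug.isSecurityCtxEnabled()) {
                Debug.securityCtx("For pool '" + this.poolName + "' SecurityContext.checkResourceReference() returned null entry for java:/comp/env/wls-connector-resref of calling component");
            }
        } catch (NameNotFoundException e) {
            if (Debug.isSecurityCtxEnabled()) {
                Debug.securityCtx("For pool '" + this.poolName + "' SecurityContext.checkResourceReference() couldn't find java:/comp/env/wls-connector-resref for calling component");
            }
        }
    }

    /**
     * Walks the resource-reference context depth-first until an entry bound to this pool's
     * JNDI name is found, and applies that entry's {@code Auth} and {@code SharingScope}.
     *
     * @param context context to enumerate
     * @return {@code true} once a matching entry has been applied
     * @throws NamingException if listing or looking up an entry fails
     */
    private boolean processResourceReference(Context context) throws NamingException {
        boolean matched = false;
        NamingEnumeration entries = context.list("");
        try {
            while (!matched && entries.hasMore()) {
                NameClassPair entry = (NameClassPair) entries.next();
                // getClassName() is documented as possibly null; treat null as "not a sub-context".
                String className = entry.getClassName();
                if (className != null && className.endsWith("NamingNode")) {
                    matched = processResourceReference((Context) context.lookup(entry.getName()));
                } else if (entry.getName().endsWith(WLSTConstants.JNDI_TREE)) {
                    matched = applyResourceReference(context, entry.getName());
                } else if (Debug.isSecurityCtxEnabled()) {
                    debug("Skipping non-JNDI Entry in context");
                }
            }
        } finally {
            // The enumeration only releases itself when fully drained; close it on early exit too.
            closeQuietly(entries);
        }
        return matched;
    }

    /**
     * Applies one resource-reference entry if it is bound to this pool's JNDI name
     * (case-insensitive comparison).
     *
     * <p>Sign-on mode: any {@code Auth} value other than "Application" selects
     * container-managed sign-on; a missing value leaves the current mode unchanged.
     * Sharing: a "Shareable" request against an {@code @Unshareable} factory is logged and
     * forced to unshareable.
     *
     * @return {@code true} if the entry matched and was applied
     */
    private boolean applyResourceReference(Context context, String name) throws NamingException {
        if (Debug.isSecurityCtxEnabled()) {
            debug("Found JNDI entry \"" + name + "\" in wls-connector-resref context -- looking it up...");
        }
        // A null binding is treated as a non-match instead of failing on toString().
        Object bound = context.lookup(name);
        String boundJndiName = bound == null ? null : bound.toString();
        if (Debug.isSecurityCtxEnabled()) {
            debug("Lookup of \"" + name + "\" yields: \"" + boundJndiName + "\", comparing with \"" + this.outboundInfo.getJndiName() + JNDIImageSourceConstants.DOUBLE_QUOTES);
        }
        if (boundJndiName == null || !boundJndiName.equalsIgnoreCase(this.outboundInfo.getJndiName())) {
            if (Debug.isSecurityCtxEnabled()) {
                debug("Skipping non-matching JNDIName");
            }
            return false;
        }
        if (Debug.isSecurityCtxEnabled()) {
            debug("Found matching entry with jndiName: " + boundJndiName);
        }
        String auth = lookupResAttr(name, context, "Auth");
        if (auth != null) {
            this.isContainerManaged = !auth.equalsIgnoreCase("Application");
            if (Debug.isSecurityCtxEnabled()) {
                Debug.logRequestedSecurityType(boundJndiName, auth);
            }
        }
        String sharingScope = lookupResAttr(name, context, "SharingScope");
        if (sharingScope != null) {
            boolean shareableRequested = sharingScope.equalsIgnoreCase("Shareable");
            if (shareableRequested && this.alwaysUnshareable) {
                String fullName = context.getNameInNamespace() + "/" + name;
                ConnectorLogger.logShareableRefToUnshareableMCF(boundJndiName, orUnknown(getResRefName(fullName)), orUnknown(getCallerName(fullName)));
                shareableRequested = false;
                sharingScope = "Unshareable";
            }
            setShareable(shareableRequested);
            if (Debug.isSecurityCtxEnabled()) {
                Debug.logRequestedSharingScope(boundJndiName, sharingScope);
            }
        } else if (this.alwaysUnshareable) {
            String fullName = context.getNameInNamespace() + "/" + name;
            ConnectorLogger.logUnknownShareableRefToUnshareableMCF(boundJndiName, orUnknown(getResRefName(fullName)), orUnknown(getCallerName(fullName)));
            setShareable(false);
        } else {
            setShareable(true);
        }
        return true;
    }

    /** Closes a naming enumeration, ignoring a failure to close. */
    private void closeQuietly(NamingEnumeration entries) {
        try {
            entries.close();
        } catch (NamingException ignored) {
            // Best-effort cleanup: a failed close must not mask the caller's result or exception.
        }
    }

    /** Returns {@code value}, or the literal "UNKNOWN" when it is {@code null}. */
    private static String orUnknown(String value) {
        return value == null ? "UNKNOWN" : value;
    }

    /**
     * Extracts the calling component's name from a full JNDI name: the path segment that
     * follows {@code /webapp/} or, when that marker is absent, {@code /ejb/}.
     *
     * @param str full name in the namespace, may be {@code null}
     * @return the segment, or {@code null} if neither marker is present or the segment is
     *         empty or not followed by a slash
     */
    public static String getCallerName(String str) {
        if (str == null) {
            return null;
        }
        if (str.indexOf("/webapp/") >= 0) {
            return firstSegmentAfter(str, "/webapp/");
        }
        return firstSegmentAfter(str, "/ejb/");
    }

    /** Returns the non-empty, slash-terminated segment following {@code marker}, else null. */
    private static String firstSegmentAfter(String path, String marker) {
        int markerAt = path.indexOf(marker);
        if (markerAt < 0) {
            return null;
        }
        String rest = path.substring(markerAt + marker.length());
        int slashAt = rest.indexOf("/");
        return slashAt > 0 ? rest.substring(0, slashAt) : null;
    }

    /**
     * Extracts the resource-reference name: everything after {@code /wls-connector-resref/},
     * with a trailing {@code WLSTConstants.JNDI_TREE} suffix removed when present.
     *
     * @param str full name in the namespace, may be {@code null}
     * @return the reference name, or {@code null} if the marker is absent
     */
    public static String getResRefName(String str) {
        final String marker = "/wls-connector-resref/";
        if (str == null || str.indexOf(marker) < 0) {
            return null;
        }
        String tail = str.substring(str.indexOf(marker) + marker.length());
        if (tail.endsWith(WLSTConstants.JNDI_TREE)) {
            return tail.substring(0, tail.lastIndexOf(WLSTConstants.JNDI_TREE));
        }
        return tail;
    }

    /**
     * Looks up a sibling attribute of a resource-reference entry by replacing the last four
     * characters of {@code jndiEntryName} with {@code attrSuffix}.
     *
     * <p>NOTE(review): the fixed length 4 assumes the entry suffix tested by the caller
     * ({@code WLSTConstants.JNDI_TREE}) is four characters long; confirm against that constant.
     *
     * @return the attribute's string form, or {@code null} if it is unbound or the lookup fails
     */
    private String lookupResAttr(String jndiEntryName, Context context, String attrSuffix) {
        String attrName = jndiEntryName.substring(0, jndiEntryName.length() - 4) + attrSuffix;
        if (Debug.isSecurityCtxEnabled()) {
            debug("Now looking up: \"" + attrName + "\" ...");
        }
        Object value = null;
        try {
            value = context.lookup(attrName);
        } catch (NamingException e) {
            // A missing attribute is expected and means "use the default"; trace it so a
            // misconfigured reference that silently falls back to defaults can be diagnosed.
            if (Debug.isSecurityCtxEnabled()) {
                debug("Lookup of \"" + attrName + "\" failed, treating attribute as unset: " + e);
            }
        }
        return value == null ? null : value.toString();
    }

    /**
     * Writes a pool-prefixed line to the security-context debug channel. Callers are expected
     * to check {@code Debug.isSecurityCtxEnabled()} first. The decompiler widened this method
     * from private to public; it is left public so the listing's interface is unchanged.
     *
     * @param str message text
     */
    public void debug(String str) {
        Debug.securityCtx("For pool '" + this.poolName + "' " + str);
    }

    /** Records the sharing mode, tracing the change when debugging is on. */
    private void setShareable(boolean value) {
        if (Debug.isSecurityCtxEnabled()) {
            Debug.println(this, ".setShareable() setting shareable to " + value);
        }
        this.shareable = value;
    }

    /**
     * Marks the Subject read-only so its principal and credential sets can no longer change.
     *
     * <p>{@code Subject.setReadOnly()} throws {@code java.lang.SecurityException} when the
     * caller lacks the permission. The unqualified name in this file resolves to the imported
     * {@code javax.resource.spi.SecurityException}, a checked type that call can never throw,
     * so the runtime type is caught by its fully qualified name here. On failure the Subject
     * stays mutable and only a debug line records it.
     */
    private void setSubjectReadOnly(final Subject subject) {
        AccessController.doPrivileged(new PrivilegedAction<Object>() {
            @Override
            public Object run() {
                try {
                    subject.setReadOnly();
                } catch (java.lang.SecurityException e) {
                    SecurityContext.this.debug("WARNING:  Failed to modify Subject to be read-only:  " + e);
                }
                return null;
            }
        });
    }

    /**
     * Builds the adapter-wide EIS resource used for authorization and global credential
     * mappings.
     *
     * @param str application name; {@link #SHARED_APPNAME} is substituted when null or empty
     * @param str2 module name
     * @param rAInfo adapter info supplying the EIS type, may be {@code null}
     * @return the resource; the EIS type is the empty string when unavailable
     */
    public static EISResource getGlobalEISResource(String str, String str2, RAInfo rAInfo) {
        String appName = (str == null || str.length() == 0) ? SHARED_APPNAME : str;
        String eisType = "";
        if (rAInfo != null && rAInfo.getEisType() != null) {
            eisType = rAInfo.getEisType();
        }
        return new EISResource(appName, str2, eisType);
    }

    /**
     * Builds the pool-level EIS resource used for pool-specific credential mappings.
     *
     * @param str application name; {@link #SHARED_APPNAME} is substituted when null or empty
     * @param str2 module name
     * @param outboundInfo pool info supplying EIS type and key, may be {@code null}
     * @return the resource; EIS type and key are empty strings when unavailable
     */
    public static EISResource getPoolEISResource(String str, String str2, OutboundInfo outboundInfo) {
        String appName = (str == null || str.length() == 0) ? SHARED_APPNAME : str;
        String eisType = "";
        String key = "";
        if (outboundInfo != null) {
            if (outboundInfo.getEisType() != null) {
                eisType = outboundInfo.getEisType();
            }
            if (outboundInfo.getKey() != null) {
                key = outboundInfo.getKey();
            }
        }
        return new EISResource(appName, str2, eisType, key);
    }

    /**
     * Asks the authorization manager whether the current subject may use the adapter. The check
     * is made against the global EIS resource only, with a null third argument; a denial is
     * logged as a warning.
     *
     * @return {@code true} if access is allowed
     */
    public boolean isAccessAllowed() {
        boolean allowed = this.am.isAccessAllowed(this.currentSubject, this.globalEISRes, null);
        if (!allowed) {
            Debug.logAccessDeniedWarning(this.poolName, ApplicationVersionUtils.getDisplayName(this.globalEISRes.getApplicationName()), this.globalEISRes.getModuleName(), this.globalEISRes.getEISName());
        }
        return allowed;
    }

    /** @return {@code true} when sign-on is container-managed */
    public boolean isContainerManaged() {
        return this.isContainerManaged;
    }

    /** @return {@code true} when there is neither a resource-principal Subject nor client info */
    public boolean isEmptyContext() {
        return this.rpSubject == null && this.clientInfo == null;
    }

    /** @return the client-supplied request info, possibly {@code null} */
    public ConnectionRequestInfo getClientInfo() {
        return this.clientInfo;
    }

    /**
     * @return the resource-principal Subject, or {@code null} when no credentials were resolved;
     *         its private credentials include the mapped credential objects
     */
    public Subject getSubject() {
        return this.rpSubject;
    }

    /** @return whether connections obtained with this context may be shared */
    public boolean isShareable() {
        if (Debug.isSecurityCtxEnabled()) {
            Debug.println(this, ".isShareable() = " + this.shareable);
        }
        return this.shareable;
    }

    /** Credentials for initial connections: {@code weblogic_ra_initial}, else the default. */
    private Vector getInitialCredentials(AuthenticatedSubject kernelId) {
        if (Debug.isSecurityCtxEnabled()) {
            debug("Looking up credentials for initial connections");
        }
        Vector found = getCredentials(ipInitialConnectionsName, kernelId);
        if (found != null && found.size() != 0) {
            if (Debug.isSecurityCtxEnabled()) {
                debug("Using provided credentials for initial connections.");
            }
            return found;
        }
        if (Debug.isSecurityCtxEnabled()) {
            debug("No credentials explicitly provided for initial connections.  Will attempt to find default credentials.");
        }
        return getDefaultCredentials(kernelId);
    }

    /**
     * Credentials mapped to {@code weblogic_ra_anonymous}. Does not itself fall back to the
     * default mapping; the caller does that when the result is empty.
     */
    private Vector getAnonymousCredentials(AuthenticatedSubject kernelId) {
        if (Debug.isSecurityCtxEnabled()) {
            debug("No authenticated user, so looking up anonymous credentials");
        }
        Vector found = getCredentials(ipAnonymousConnectionsName, kernelId);
        if (Debug.isSecurityCtxEnabled()) {
            if (found == null || found.size() == 0) {
                debug("No credentials provided for anonymous users.  Will try to find default credentials.");
            } else {
                debug("Using provided credentials for anonymous users");
            }
        }
        return found;
    }

    /** Credentials mapped to {@code weblogic_ra_default}; may be null or empty. */
    private Vector getDefaultCredentials(AuthenticatedSubject kernelId) {
        if (Debug.isSecurityCtxEnabled()) {
            debug("Looking up default credentials");
        }
        Vector found = getCredentials(ipDefaultConnectionsName, kernelId);
        if (Debug.isSecurityCtxEnabled()) {
            if (found == null || found.size() == 0) {
                debug("No default credentials are provided");
            } else {
                debug("Using provided default credentials");
            }
        }
        return found;
    }

    /**
     * Credentials for a non-initial request.
     *
     * <p>The sign-on mode is decided in two steps: the caller's resource reference is applied
     * first (a naming failure is logged and the defaults kept), then a non-null
     * {@code outboundInfo.getResAuth()} overrides it.
     *
     * <p>NOTE(review): the two sources parse differently. The resource reference treats
     * anything except "Application" as container-managed, while {@code getResAuth()} treats
     * anything except "Container" as application-managed, so an unexpected value flips the
     * mode depending on where it was configured.
     *
     * @return resolved credentials, or {@code null} for application-managed sign-on
     */
    private Vector getNonInitialCredentials(AuthenticatedSubject kernelId) {
        try {
            checkResourceReference();
        } catch (NamingException e) {
            Debug.logContextProcessingError(e);
        }
        if (this.outboundInfo.getResAuth() != null) {
            this.isContainerManaged = this.outboundInfo.getResAuth().equalsIgnoreCase("Container");
        }
        if (!this.isContainerManaged) {
            logUsingAppManagedSecurity();
            return null;
        }
        boolean anonymous = this.currentSubject == null || this.currentSubject.getPrincipals() == null || this.currentSubject.getPrincipals().size() == 0;
        Vector found = anonymous ? getAnonymousCredentials(kernelId) : getCredentials(this.currentSubject, kernelId);
        if (found == null || found.size() == 0) {
            found = getDefaultCredentials(kernelId);
        }
        return found;
    }

    /** Dispatches to the initial or non-initial resolution path. */
    private Vector getCredentials(boolean initialConnection, AuthenticatedSubject kernelId) {
        return initialConnection ? getInitialCredentials(kernelId) : getNonInitialCredentials(kernelId);
    }

    /** Looks up credentials mapped to a named initiator such as {@code weblogic_ra_default}. */
    private Vector getCredentials(String initiatorName, AuthenticatedSubject kernelId) {
        return getTheCredentials(initiatorName, kernelId);
    }

    /** Looks up credentials mapped to an authenticated initiating subject. */
    private Vector getCredentials(AuthenticatedSubject initiator, AuthenticatedSubject kernelId) {
        return getTheCredentials(initiator, kernelId);
    }

    /**
     * Queries the credential manager for the initiator, trying the pool-level EIS resource
     * first and the global one second.
     *
     * @param initiator a {@code String} name or an {@link AuthenticatedSubject}; any other type
     *        yields {@code null}
     * @param kernelId identity passed to the security services as the requestor
     * @return the mapped credentials, or {@code null} when the initiator is null, no credential
     *         types are configured, or no credential manager is available
     */
    private Vector getTheCredentials(Object initiator, AuthenticatedSubject kernelId) {
        if (initiator == null) {
            return null;
        }
        // Resolved once; the descriptor data it is derived from does not change in between.
        String[] credentialTypes = getCredentialTypes();
        if (credentialTypes == null) {
            if (Debug.isSecurityCtxEnabled()) {
                debug("No credential types have been specified. Therefore no credentials can be attempted to be found.");
            }
            return null;
        }
        CredentialManager credentialManager = (CredentialManager) SecurityServiceManager.getSecurityService(kernelId, SecurityServiceManager.getDefaultRealmName(), SecurityService.ServiceType.CREDENTIALMANAGER);
        if (credentialManager == null) {
            if (Debug.isSecurityCtxEnabled()) {
                debug("No Credential Manager configured.  Server will not be able to provide any credentials.");
            }
            return null;
        }
        if (Debug.isSecurityCtxEnabled()) {
            debug("Looking up credentials for initiating principal:  " + getUserName(initiator));
        }
        Vector found = null;
        if (initiator instanceof String) {
            String initiatorName = (String) initiator;
            found = credentialManager.getCredentials(kernelId, initiatorName, this.poolEISRes, credentialTypes);
            if (found == null || found.size() == 0) {
                if (Debug.isSecurityCtxEnabled()) {
                    debug("Matching credentials not found for the pool, checking global mappings");
                }
                found = credentialManager.getCredentials(kernelId, initiatorName, this.globalEISRes, credentialTypes);
            }
        } else if (initiator instanceof AuthenticatedSubject) {
            AuthenticatedSubject initiatorSubject = (AuthenticatedSubject) initiator;
            found = credentialManager.getCredentials(kernelId, initiatorSubject, this.poolEISRes, credentialTypes);
            if (found == null || found.size() == 0) {
                if (Debug.isSecurityCtxEnabled()) {
                    debug("Matching credentials not found for the pool, checking global mappings");
                }
                found = credentialManager.getCredentials(kernelId, initiatorSubject, this.globalEISRes, credentialTypes);
            }
        }
        if (Debug.isSecurityCtxEnabled()) {
            if (found == null || found.size() == 0) {
                debug("No credentials explicitly provided for initiating principal: " + getUserName(initiator) + ".  Will attempt to find default.");
            } else {
                debug("Using provided credentials for initiating principal:  " + getUserName(initiator));
            }
        }
        return found;
    }

    /** Display name of an initiator for debug output. */
    private String getUserName(Object initiator) {
        if (initiator instanceof String) {
            return (String) initiator;
        }
        if (initiator instanceof AuthenticatedSubject) {
            return SubjectUtils.getUsername((AuthenticatedSubject) initiator);
        }
        return initiator.toString();
    }

    /**
     * Maps the pool's configured authentication mechanisms to credential-type names,
     * translating "BasicPassword" (case-insensitive) to "weblogic.UserPassword".
     *
     * @return one entry per mechanism, or {@code null} when none are configured
     */
    private String[] getCredentialTypes() {
        List mechanisms = this.outboundInfo.getAuthenticationMechanisms();
        if (mechanisms == null || mechanisms.size() == 0) {
            if (Debug.isSecurityCtxEnabled()) {
                debug("No authentication mechanisms were specified. Therefore no credential types can be attempted to be found.");
            }
            return null;
        }
        String[] types = new String[mechanisms.size()];
        int index = 0;
        for (Iterator it = mechanisms.iterator(); it.hasNext(); index++) {
            String type = ((AuthMechInfo) it.next()).getType();
            // Constant-first comparison so a mechanism without a type cannot throw here.
            types[index] = "BasicPassword".equalsIgnoreCase(type) ? "weblogic.UserPassword" : type;
        }
        return types;
    }

    /** Returns the shared {@link InitialContext}, creating it on first use. */
    private static Context getInitialContext() throws NamingException {
        if (initialContext == null) {
            initialContext = new InitialContext();
        }
        return initialContext;
    }
}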
