package weblogic.management.configuration;

import java.lang.reflect.InvocationTargetException;
import java.security.AccessController;
import java.text.ParseException;
import javax.security.auth.login.LoginException;
import weblogic.kernel.Kernel;
import weblogic.security.SecurityLogger;
// NOTE(review): the two SecurityService imports below share a simple name; javac rejects that,
// so this listing (decompiled, see the "loaded from" marker) needs one of the two uses fully
// qualified before it compiles again.
import weblogic.security.SecurityService;
import weblogic.security.SubjectUtils;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.net.ConnectionFilter;
import weblogic.security.net.ConnectionFilterRulesListener;
import weblogic.security.service.PrincipalAuthenticator;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.service.SecurityService;
import weblogic.security.service.SecurityServiceManager;

/* loaded from: input_file:weblogic/management/configuration/SecurityLegalHelper.class */
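/**
 * Legality checks applied when security-related MBean attributes are set: validates
 * connection-filter rules against the configured filter class and guards against a
 * non-administrator configuring a principal name that resolves to an administrator.
 *
 * <p>All methods are static; every rejection surfaces as {@link IllegalArgumentException}.
 */
public final class SecurityLegalHelper {
    /** Kernel identity under which this helper calls into the security service. */
    private static final AuthenticatedSubject kernelId =
            (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());

    /**
     * Validates candidate connection-filter rules against the filter class named by
     * {@code securityMBean.getConnectionFilter()}.
     *
     * @param securityMBean the MBean whose ConnectionFilter attribute names the filter class
     * @param strArr the proposed rules
     * @return {@code true} when the rules are accepted or no check applies
     * @throws IllegalArgumentException if the rules are rejected or the filter class cannot be used
     */
    public static boolean isLegalFilterRules(SecurityMBean securityMBean, String[] strArr) {
        return isLegalFilterRules(securityMBean.getConnectionFilter(), strArr);
    }

    /**
     * Validates candidate connection-filter rules against the filter class named by
     * {@code securityConfigurationMBean.getConnectionFilter()}.
     *
     * @param securityConfigurationMBean the MBean whose ConnectionFilter attribute names the filter class
     * @param strArr the proposed rules
     * @return {@code true} when the rules are accepted or no check applies
     * @throws IllegalArgumentException if the rules are rejected or the filter class cannot be used
     */
    public static boolean isLegalFilterRules(SecurityConfigurationMBean securityConfigurationMBean, String[] strArr) {
        return isLegalFilterRules(securityConfigurationMBean.getConnectionFilter(), strArr);
    }

    /**
     * Runs {@code checkRules(String[])} of the configured filter class, when that class is a
     * {@link ConnectionFilterRulesListener}, against the live connection filter.
     *
     * @param str fully qualified name of the configured filter class; {@code null} means none
     * @param strArr the proposed rules
     * @return {@code true} when the rules are accepted or no check applies (this method never
     *         returns {@code false}; every rejection is thrown)
     * @throws IllegalArgumentException if the listener rejects the rules or the class cannot be
     *         loaded or invoked
     */
    private static boolean isLegalFilterRules(String str, String[] strArr) {
        // No filter configured, or filtering disabled: nothing to validate against.
        if (str == null || !SecurityService.getConnectionFilterEnabled()) {
            return true;
        }
        ConnectionFilter connectionFilter = SecurityService.getConnectionFilter();
        try {
            // The class name comes from configuration. Resolve it without running its static
            // initializer so that no code of an arbitrary named class executes before the
            // type check below confirms it is a rules listener.
            Class<?> cls = Class.forName(str, false, SecurityLegalHelper.class.getClassLoader());
            if (ConnectionFilterRulesListener.class.isAssignableFrom(cls)) {
                try {
                    // checkRules takes a single String[] parameter, so the rules array must be
                    // passed as ONE reflective argument; without the cast a String[] is taken as
                    // the varargs array itself. The target is the live filter instance, not a new
                    // instance of cls; reflection rejects the call if the two do not match.
                    cls.getMethod("checkRules", String[].class).invoke(connectionFilter, (Object) strArr);
                } catch (InvocationTargetException e) {
                    Throwable targetException = e.getTargetException();
                    // Only a parse failure of the rules is reported as a user error; anything
                    // else the listener throws is handled by the outer catch.
                    if (!(targetException instanceof ParseException)) {
                        throw e;
                    }
                    String message = targetException.getMessage();
                    SecurityLogger.logUpdateFilterWarn(message);
                    throw new IllegalArgumentException(message + "  Rules will not be updated.");
                }
            }
            return true;
        } catch (Exception ex) {
            // Also catches the IllegalArgumentException raised for a parse failure above, so
            // the caller sees that message wrapped inside this one.
            throw filterProblem(ex);
        } catch (LinkageError err) {
            // Class.forName / getMethod can fail with NoClassDefFoundError and friends; these
            // are reported like any other bad filter configuration. Other VM errors
            // (OutOfMemoryError, StackOverflowError) propagate instead of being masked.
            throw filterProblem(err);
        }
    }

    /** Wraps any failure of the filter check in the exception type callers expect. */
    private static IllegalArgumentException filterProblem(Throwable th) {
        return new IllegalArgumentException("problem with connection filter. Exception:" + th, th);
    }

    /**
     * Rejects {@code securityMBean} if its ConnectionFilterRules are not accepted by its
     * connection filter.
     *
     * @param securityMBean the MBean to validate
     * @throws IllegalArgumentException if the rules are not valid
     */
    public static void validateSecurity(SecurityMBean securityMBean) throws IllegalArgumentException {
        // isLegalFilterRules throws on rejection rather than returning false; the branch
        // below is kept as a defensive backstop.
        if (!isLegalFilterRules(securityMBean, securityMBean.getConnectionFilterRules())) {
            throw new IllegalArgumentException("ConnectionFilterRules string is not valid");
        }
    }

    /**
     * Rejects {@code securityConfigurationMBean} if its ConnectionFilterRules are not accepted
     * by its connection filter.
     *
     * @param securityConfigurationMBean the MBean to validate
     * @throws IllegalArgumentException if the rules are not valid
     */
    public static void validateSecurityConfiguration(SecurityConfigurationMBean securityConfigurationMBean) throws IllegalArgumentException {
        // isLegalFilterRules throws on rejection rather than returning false; the branch
        // below is kept as a defensive backstop.
        if (!isLegalFilterRules(securityConfigurationMBean, securityConfigurationMBean.getConnectionFilterRules())) {
            throw new IllegalArgumentException("ConnectionFilterRules string is not valid");
        }
    }

    /**
     * Privilege-escalation guard for principal-name attributes: when running inside a server,
     * a caller who is not an administrator may not set a principal name that, once resolved by
     * the default realm's authenticator, is an administrator.
     *
     * @param str the principal name being configured
     * @throws IllegalArgumentException if the caller lacks the privilege to set this name, or if
     *         the name cannot be resolved (the underlying failure is attached as the cause)
     */
    public static void validatePrincipalName(String str) throws IllegalArgumentException {
        try {
            // Outside a server the name is accepted without resolution.
            if (Kernel.isServer()) {
                AuthenticatedSubject currentSubject = SecurityServiceManager.getCurrentSubject(kernelId);
                // Administrators may set any name; only resolve the target identity otherwise.
                if (!SubjectUtils.isUserAnAdministrator(currentSubject)) {
                    PrincipalAuthenticator authenticator = (PrincipalAuthenticator) SecurityServiceManager.getSecurityService(
                            kernelId, SecurityServiceManager.getDefaultRealmName(), SecurityService.ServiceType.AUTHENTICATION);
                    if (SubjectUtils.isUserAnAdministrator(authenticator.impersonateIdentity(str))) {
                        throw new IllegalArgumentException("The principal name : " + str + " has higher privileges than the current user: " + currentSubject + ". Hence the current user cannot set the principal name. Modify the principal name with admin privileged user.");
                    }
                }
            }
        } catch (Exception e) {
            // LoginException from impersonateIdentity and any other failure are reported the
            // same way, with the original attached as the cause.
            throw new IllegalArgumentException("Invalid principal name: " + str, e);
        }
    }
}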
