package com.ibm.ws.security.zOS.authz;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.ws.security.auth.PlatformCredential;
import com.ibm.ws.security.auth.zOS.SAFAuthorizationInterface;
import com.ibm.ws.security.common.util.AuditConstants;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.jaspi.commands.AdminConstants;
import com.ibm.ws.security.zOS.PlatformCredentialManager;
import com.ibm.ws.security.zOS.SAFServiceResult;
import com.ibm.ws.security.zOS.authz.SAFAuthorizationOptions;
import javax.security.auth.Subject;
import org.aspectj.apache.bcel.Constants;

/* loaded from: input_file:wasJars/securityimpl.jar:com/ibm/ws/security/zOS/authz/SAFAuthorizationManager.class */
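/**
 * Authorization manager backed by SAF (System Authorization Facility) on z/OS.
 *
 * <p>Each public entry point obtains a {@link PlatformCredential} - either passed in
 * by the caller or extracted from the effective JAAS {@link Subject} - and delegates
 * the access decision to the native {@code ntv_checkAccess} service. Where the SAF
 * return codes identify the cause, a denial is reported as an exception
 * ({@link AuthorizationDeniedException}, {@link InactiveClassException}); a failure of
 * the native call itself is reported as a plain {@code false} (fail closed).
 *
 * <p>The class holds no instance state and is exposed as a singleton via
 * {@link #instance()}. Parameter and variable names that could not be recovered
 * from this decompiled source are left as-is and documented with what the code shows.
 */
public final class SAFAuthorizationManager implements SAFAuthorizationInterface {
    private static final TraceComponent tc = Tr.register(SAFAuthorizationManager.class, "Security", AdminConstants.MSG_BUNDLE_NAME);
    private static final SAFAuthorizationManager _instance = new SAFAuthorizationManager();

    /** Trace label used for the constructor (the JVM's name for an instance initializer). */
    private static final String CONSTRUCTOR_TRACE_NAME = "<init>";

    /**
     * Returns the singleton instance.
     *
     * @return the shared {@code SAFAuthorizationManager}
     */
    public static SAFAuthorizationManager instance() {
        return _instance;
    }

    /** Private constructor: only the singleton is ever created. It does nothing but trace. */
    private SAFAuthorizationManager() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, CONSTRUCTOR_TRACE_NAME);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, CONSTRUCTOR_TRACE_NAME);
        }
    }

    /**
     * Checks whether the effective caller has the named access level to a SAF profile,
     * with the access level and log option given as strings.
     *
     * @param resourceClass   SAF resource class
     * @param profile         SAF profile (resource name) within that class
     * @param accessLevelName access level name; unrecognised names map to {@code NO_ACCESS}
     *                        (see {@link #getAccessLevel(String)})
     * @param z               passed straight through as the first boolean option of
     *                        {@code checkAccess}; its meaning is not recoverable from this source
     * @param logOptionName   log option name; unrecognised names map to {@code NOFAIL}
     *                        (see {@link #getLogOption(String)})
     * @return {@code true} if access is granted, {@code false} if the native service call failed
     * @throws InvalidCredentialException   if no subject can be acquired or it carries no
     *                                      {@link PlatformCredential}
     * @throws AuthorizationDeniedException if SAF denies access or the profile is undefined
     * @throws InactiveClassException       if the resource class is inactive
     */
    @Override // com.ibm.ws.security.auth.zOS.SAFAuthorizationInterface
    public boolean isCallerAuthorized(String resourceClass, String profile, String accessLevelName, boolean z, String logOptionName)
            throws AuthorizationDeniedException, InactiveClassException, InvalidCredentialException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isCallerAuthorized5", new Object[]{resourceClass, profile, accessLevelName, Boolean.valueOf(z), logOptionName});
        }
        PlatformCredential credential = requireCallerCredential();
        boolean granted = checkAccess(credential, resourceClass, profile, (String) null,
                getAccessLevel(accessLevelName), getLogOption(logOptionName), z);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isCallerAuthorized5", Boolean.valueOf(granted));
        }
        return granted;
    }

    /**
     * Checks whether the effective caller has the named access level to a SAF profile,
     * using the default log option ({@code NOFAIL}).
     *
     * @param resourceClass   SAF resource class
     * @param profile         SAF profile within that class
     * @param accessLevelName access level name; unrecognised names map to {@code NO_ACCESS}
     * @return {@code true} if access is granted, {@code false} if the native service call failed
     * @throws InvalidCredentialException   if no usable caller credential exists
     * @throws AuthorizationDeniedException if SAF denies access or the profile is undefined
     * @throws InactiveClassException       if the resource class is inactive
     */
    @Override // com.ibm.ws.security.auth.zOS.SAFAuthorizationInterface
    public boolean isCallerAuthorized(String resourceClass, String profile, String accessLevelName)
            throws AuthorizationDeniedException, InactiveClassException, InvalidCredentialException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isCallerAuthorized3", new Object[]{resourceClass, profile, accessLevelName});
        }
        boolean granted = isCallerAuthorized(resourceClass, profile, getAccessLevel(accessLevelName));
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isCallerAuthorized3", Boolean.valueOf(granted));
        }
        return granted;
    }

    /**
     * Checks whether the effective caller has {@code READ} access to a SAF profile.
     *
     * @param resourceClass SAF resource class
     * @param profile       SAF profile within that class
     * @return {@code true} if access is granted, {@code false} if the native service call failed
     * @throws InvalidCredentialException   if no usable caller credential exists
     * @throws AuthorizationDeniedException if SAF denies access or the profile is undefined
     * @throws InactiveClassException       if the resource class is inactive
     */
    public boolean isCallerAuthorized(String resourceClass, String profile)
            throws AuthorizationDeniedException, InactiveClassException, InvalidCredentialException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isCallerAuthorized2", new Object[]{resourceClass, profile});
        }
        boolean granted = isCallerAuthorized(resourceClass, profile, AccessLevel.READ);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isCallerAuthorized2", Boolean.valueOf(granted));
        }
        return granted;
    }

    /**
     * Checks whether the effective caller has the given access level to a SAF profile.
     *
     * @param resourceClass SAF resource class
     * @param profile       SAF profile within that class
     * @param accessLevel   required access level
     * @return {@code true} if access is granted, {@code false} if the native service call failed
     * @throws InvalidCredentialException   if no usable caller credential exists
     * @throws AuthorizationDeniedException if SAF denies access or the profile is undefined
     * @throws InactiveClassException       if the resource class is inactive
     */
    public boolean isCallerAuthorized(String resourceClass, String profile, AccessLevel accessLevel)
            throws AuthorizationDeniedException, InactiveClassException, InvalidCredentialException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isCallerAuthorized3-1", new Object[]{resourceClass, profile, accessLevel});
        }
        PlatformCredential credential = requireCallerCredential();
        boolean granted = isAuthorized(credential, resourceClass, profile, accessLevel);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isCallerAuthorized3-1", Boolean.valueOf(granted));
        }
        return granted;
    }

    /**
     * Checks whether the given credential has {@code READ} access to a SAF profile.
     *
     * @param platformCredential credential to check; not taken from the current subject
     * @param resourceClass      SAF resource class
     * @param profile            SAF profile within that class
     * @return {@code true} if access is granted, {@code false} if the native service call failed
     * @throws AuthorizationDeniedException if SAF denies access or the profile is undefined
     * @throws InactiveClassException       if the resource class is inactive
     * @throws InvalidCredentialException   declared for interface compatibility; not raised here
     */
    public boolean isAuthorized(PlatformCredential platformCredential, String resourceClass, String profile)
            throws AuthorizationDeniedException, InactiveClassException, InvalidCredentialException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isAuthorized", new Object[]{platformCredential, resourceClass, profile});
        }
        boolean granted = isAuthorized(platformCredential, resourceClass, profile, AccessLevel.READ);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isAuthorized", Boolean.valueOf(granted));
        }
        return granted;
    }

    /**
     * Checks whether the given credential has the given access level to a SAF profile,
     * using log option {@code NOFAIL} and both boolean options set to their defaults
     * ({@code false}, then {@code true} via the 7-argument {@code checkAccess}).
     *
     * @param platformCredential credential to check
     * @param resourceClass      SAF resource class
     * @param profile            SAF profile within that class
     * @param accessLevel        required access level
     * @return {@code true} if access is granted, {@code false} if the native service call failed
     * @throws AuthorizationDeniedException if SAF denies access or the profile is undefined
     * @throws InactiveClassException       if the resource class is inactive
     * @throws InvalidCredentialException   declared for interface compatibility; not raised here
     */
    public boolean isAuthorized(PlatformCredential platformCredential, String resourceClass, String profile, AccessLevel accessLevel)
            throws AuthorizationDeniedException, InactiveClassException, InvalidCredentialException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isAuthorized", new Object[]{platformCredential, resourceClass, profile, accessLevel});
        }
        boolean granted = checkAccess(platformCredential, resourceClass, profile, (String) null,
                accessLevel, SAFAuthorizationOptions.NOFAIL, false);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isAuthorized", Boolean.valueOf(granted));
        }
        return granted;
    }

    /**
     * Seven-argument form of {@code checkAccess}; the second boolean option is fixed to {@code true}.
     *
     * @see #checkAccess(PlatformCredential, String, String, String, AccessLevel,
     *      SAFAuthorizationOptions.LogOption, boolean, boolean)
     */
    public boolean checkAccess(PlatformCredential platformCredential, String resourceClass, String profile, String str3,
            AccessLevel accessLevel, SAFAuthorizationOptions.LogOption logOption, boolean z)
            throws AuthorizationDeniedException, InactiveClassException, InvalidCredentialException {
        return checkAccess(platformCredential, resourceClass, profile, str3, accessLevel, logOption, z, true);
    }

    /**
     * Performs the SAF access check through the native service and interprets its result.
     *
     * <p>Outcome mapping, as implemented here:
     * <ul>
     *   <li>native call return code != 0: the check itself failed; returns {@code false}
     *       without an exception (callers cannot distinguish this from a plain denial);</li>
     *   <li>SAF rc 4 / service rc 4: profile not found - {@link AuthorizationDeniedException}
     *       if the class is active, {@link InactiveClassException} otherwise;</li>
     *   <li>SAF rc 8 / service rc 8: access denied - {@link AuthorizationDeniedException};</li>
     *   <li>anything else: returns {@code true}.</li>
     * </ul>
     *
     * @param platformCredential credential whose user id is checked
     * @param resourceClass      SAF resource class
     * @param profile            SAF profile within that class
     * @param str3               additional name passed through to the native check; every caller in
     *                           this class passes {@code null}, and its purpose is not recoverable here
     * @param accessLevel        required access level; must not be {@code null}
     * @param logOption          SAF logging option; must not be {@code null}
     * @param z                  first boolean option forwarded to the native check (meaning unknown here)
     * @param z2                 second boolean option forwarded to the native check (meaning unknown here)
     * @return {@code true} if access is granted, {@code false} if the native service call failed
     * @throws AuthorizationDeniedException if SAF denies access or the profile is undefined
     * @throws InactiveClassException       if the resource class is inactive
     * @throws InvalidCredentialException   declared for interface compatibility; not raised here
     */
    public boolean checkAccess(PlatformCredential platformCredential, String resourceClass, String profile, String str3,
            AccessLevel accessLevel, SAFAuthorizationOptions.LogOption logOption, boolean z, boolean z2)
            throws AuthorizationDeniedException, InactiveClassException, InvalidCredentialException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, AuditConstants.CHECK_ACCESS, new Object[]{platformCredential, resourceClass, profile, str3,
                    accessLevel, logOption, Boolean.valueOf(z), Boolean.valueOf(z2)});
        }
        SAFServiceResult result = SAFServiceResult.getSafServiceResult();
        int callRc = ntv_checkAccess(platformCredential, resourceClass, profile, str3,
                accessLevel.getValue(), logOption.getValue(), z, z2, result);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Result", result);
        }
        boolean granted;
        if (callRc != 0) {
            // The native service call itself failed: fail closed, but silently.
            granted = false;
        } else {
            granted = interpretSafResult(result, platformCredential, resourceClass, profile, accessLevel);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, AuditConstants.CHECK_ACCESS, Boolean.valueOf(granted));
        }
        return granted;
    }

    /**
     * Maps the SAF/service return-code pair of a successful native call to a decision,
     * throwing for the two pairs this class recognises as denials.
     */
    private boolean interpretSafResult(SAFServiceResult result, PlatformCredential platformCredential,
            String resourceClass, String profile, AccessLevel accessLevel)
            throws AuthorizationDeniedException, InactiveClassException {
        int safRc = result.getSafReturnCode();
        int serviceRc = result.getReturnCode();
        if (safRc == 4 && serviceRc == 4) {
            // Profile not found. Only a denial if the class is active; an inactive class is
            // reported separately so callers can tell "not configured" from "not allowed".
            if (isResourceClassActive(resourceClass)) {
                throw new AuthorizationDeniedException("The SAF profile " + profile + " in the class " + resourceClass + " is not defined in the SAF database.");
            }
            String inactiveMessage = resourceClass + " class is inactive";
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, inactiveMessage);
            }
            throw new InactiveClassException(inactiveMessage);
        }
        if (safRc == 8 && serviceRc == 8) {
            throw new AuthorizationDeniedException("The SAF user " + platformCredential.getUserId() + " does not have " + accessLevel.toString() + " access to the SAF profile " + profile + ",class " + resourceClass + ".");
        }
        // Every other (SAF rc, service rc) pair is treated as access granted.
        // NOTE(review): this relies on the native layer reporting every failure either as a
        // non-zero call rc or as one of the two pairs above; e.g. SAF rc 4 with a service rc
        // other than 4 falls through to "granted". Confirm against the native contract.
        return true;
    }

    /**
     * Reports whether a SAF resource class is active, i.e. the native class-status query
     * returns 0.
     *
     * @param resourceClass SAF resource class
     * @return {@code true} if the class is active
     */
    @Override // com.ibm.ws.security.auth.zOS.SAFAuthorizationInterface
    public boolean isResourceClassActive(String resourceClass) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isResourceClassActive", resourceClass);
        }
        boolean active = ntv_getClassStatus(resourceClass, SAFServiceResult.getSafServiceResult()) == 0;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isResourceClassActive", Boolean.valueOf(active));
        }
        return active;
    }

    /**
     * Resolves the effective subject and extracts its platform credential, failing if
     * none is present. Shared by the caller-based {@code isCallerAuthorized} variants.
     *
     * @return the caller's {@link PlatformCredential}, never {@code null}
     * @throws InvalidCredentialException if no subject can be acquired or it carries no credential
     */
    private PlatformCredential requireCallerCredential() throws InvalidCredentialException {
        PlatformCredential credential = getPlatformCredentialFromSubject(getEffectiveSubject());
        if (credential == null) {
            throw new InvalidCredentialException("Subject does not contain a PlatformCredential");
        }
        return credential;
    }

    /**
     * Determines the subject the authorization check applies to: the invocation subject,
     * else the caller subject, else a freshly created unauthenticated subject.
     *
     * <p>Falling back to an unauthenticated subject means a missing subject does not fail
     * here; it surfaces later when that subject yields no {@link PlatformCredential}.
     *
     * @return the effective subject, never {@code null} unless the context manager returns one
     * @throws InvalidCredentialException wrapping any {@link WSSecurityException} from the context manager
     */
    private Subject getEffectiveSubject() throws InvalidCredentialException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getEffectiveSubject");
        }
        try {
            ContextManager contextManager = ContextManagerFactory.getInstance();
            Subject subject = contextManager.getInvocationSubject();
            if (subject == null) {
                subject = contextManager.getCallerSubject();
            }
            if (subject == null) {
                subject = contextManager.createUnauthenticatedSubject();
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getEffectiveSubject", subject);
            }
            return subject;
        } catch (WSSecurityException e) {
            InvalidCredentialException wrapped = new InvalidCredentialException("Unable to acquire subject for authorization", e);
            if (tc.isDebugEnabled()) {
                Tr.event(tc, "Unable to acquire subject for authorization", wrapped);
            }
            throw wrapped;
        }
    }

    /**
     * Looks up the {@link PlatformCredential} held by a subject via {@link PlatformCredentialManager}.
     *
     * @param subject subject to inspect
     * @return the credential, or {@code null} if the manager finds none
     */
    private PlatformCredential getPlatformCredentialFromSubject(Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getPlatformCredentialFromSubject", subject);
        }
        PlatformCredential credential = PlatformCredentialManager.instance().getPlatformCredentialFromSubject(subject);
        if (tc.isEntryEnabled()) {
            // Exit trace (the original traced a second entry here).
            Tr.exit(tc, "getPlatformCredentialFromSubject", credential);
        }
        return credential;
    }

    /**
     * Maps an access level name (case-insensitive) to an {@link AccessLevel}.
     * Unrecognised names fail closed to {@code NO_ACCESS}; a {@code null} name throws
     * {@link NullPointerException}.
     */
    private AccessLevel getAccessLevel(String name) {
        if (name.equalsIgnoreCase("NO_ACCESS")) {
            return AccessLevel.NO_ACCESS;
        }
        if (name.equalsIgnoreCase("READ")) {
            return AccessLevel.READ;
        }
        if (name.equalsIgnoreCase("UPDATE")) {
            return AccessLevel.UPDATE;
        }
        if (name.equalsIgnoreCase("CONTROL")) {
            return AccessLevel.CONTROL;
        }
        if (name.equalsIgnoreCase("ALTER")) {
            return AccessLevel.ALTER;
        }
        return AccessLevel.NO_ACCESS;
    }

    /**
     * Maps a log option name (case-insensitive) to a {@link SAFAuthorizationOptions.LogOption}.
     * Unrecognised names map to {@code NOFAIL}; a {@code null} name throws {@link NullPointerException}.
     */
    private SAFAuthorizationOptions.LogOption getLogOption(String name) {
        if (name.equalsIgnoreCase("NONE")) {
            return SAFAuthorizationOptions.NONE;
        }
        if (name.equalsIgnoreCase("ASIS")) {
            return SAFAuthorizationOptions.ASIS;
        }
        return SAFAuthorizationOptions.NOFAIL;
    }

    /**
     * Native SAF access check. Returns 0 when the call completed; the SAF and service
     * return codes are then available from {@code result}. Signature must match the JNI library.
     */
    private static native int ntv_checkAccess(PlatformCredential platformCredential, String resourceClass, String profile, String str3,
            int accessLevelValue, int logOptionValue, boolean z, boolean z2, SAFServiceResult result);

    /**
     * Native class-status query. A return value of 0 is interpreted as "class active".
     * Signature must match the JNI library.
     */
    private static native int ntv_getClassStatus(String resourceClass, SAFServiceResult result);
}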
