package com.ibm.ws.security.role;

import com.ibm.ejs.ras.RasHelper;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.security.AuthorizationTable;
import com.ibm.websphere.security.SecurityProviderException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.common.util.CommonConstants;
import com.ibm.ws.security.config.AdminData;
import com.ibm.ws.security.config.SecurityConfig;
import com.ibm.ws.security.config.SecurityConfigGlobals;
import com.ibm.ws.security.config.SecurityConfigManager;
import com.ibm.ws.security.config.SecurityConfigResource;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.core.AccessContext;
import com.ibm.ws.security.jaspi.commands.AdminConstants;
import java.util.HashMap;
import javax.security.auth.Subject;
import org.aspectj.apache.bcel.Constants;
import org.eclipse.jst.j2ee.common.SecurityRole;

/* loaded from: input_file:wasJars/securityimpl.jar:com/ibm/ws/security/role/PluggableAuthorizationTableProxy.class */
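/**
 * Proxy in front of the pluggable {@link AuthorizationTable} implementation that
 * answers role checks for this cell/server.
 *
 * <p>One proxy is created per security-domain id (falling back to {@link #ADMIN_CACHE_KEY}
 * when no domain id is known) and kept in {@link #_cache}. The {@code adminAuthTable} /
 * {@code appAuthTable} shortcut references let repeat callers skip the domain-id lookup.
 *
 * <p>Thread-safety: {@code _cache} is a plain {@code HashMap} and the shortcut references
 * are mutable statics, so every method that reads or writes them
 * ({@link #getAuthorizationTableProxy()}, {@link #releaseInstance()} and the private
 * helpers they call) runs under the class monitor. A separate lock object is therefore
 * not needed.
 *
 * <p>Role checks are fail-closed: if the delegate table throws, the failure is logged
 * (FFDC + error message) and the check is reported as "not granted".
 */
public class PluggableAuthorizationTableProxy {
    /** Access-context key under which the caller's {@link Subject} is handed to a SAF table. */
    public static final String SUBJECT_KEY = "AUTHZ_SUBJECT";
    /** Cache key used when no domain id is available (and for the single-domain case). */
    private static final String ADMIN_CACHE_KEY = "admin";
    /** FFDC source id recorded for failures raised while loading the configured table. */
    private static final String FFDC_CREATE_SOURCE = "com.ibm.ws.security.core.WSAccessManager.WSAccessManager";
    /** FFDC source id recorded for failures raised by the delegate table during a role check. */
    private static final String FFDC_ROLE_CHECK_SOURCE = "com.ibm.ws.security.core.WSAccessManager.isGrantedRole";
    private static final TraceComponent tc = Tr.register((Class<?>) PluggableAuthorizationTableProxy.class, "Security", AdminConstants.MSG_BUNDLE_NAME);

    // ---- static state, guarded by the class monitor (see class comment) ----
    private static boolean isSingleDomain = false;
    private static SecurityConfigManager scm = null;
    private static boolean isAdminAuthTableSet = false;
    private static PluggableAuthorizationTableProxy adminAuthTable = null;
    private static boolean isAppAuthTableSet = false;
    private static PluggableAuthorizationTableProxy appAuthTable = null;
    private static final HashMap<String, PluggableAuthorizationTableProxy> _cache = new HashMap<>();

    // ---- per-instance state ----
    /** True when the delegate is the SAF implementation; then the Subject is added to the access context. */
    private final boolean _isSAFAuthorization;
    private final AuthorizationTable _authTable;
    private final String _cellName;
    private final String _serverName;

    /**
     * Returns the proxy for the current security domain, creating and caching it on first use.
     *
     * <p>Resolution order: single-domain shortcut, then the admin/application shortcut
     * matching the current {@link SecurityConfigResource} context, then the per-domain cache.
     *
     * @return the proxy, or {@code null} if the configured authorization table could not be
     *         loaded (see {@link #createInstance(String)}); a {@code null} is never cached,
     *         so a later call retries the load
     */
    public static synchronized PluggableAuthorizationTableProxy getAuthorizationTableProxy() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getAuthorizationTableProxy");
        }
        // Single-domain fast path: one table for everything.
        if (isSingleDomain) {
            return adminAuthTable;
        }
        if (scm == null) {
            if (RasHelper.isServer()) {
                scm = SecurityObjectLocator.getSecurityConfigManager();
                isSingleDomain = !(scm.isAdminAgent() || scm.isMultiDomainDefined());
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "getAuthorizationTableProxy, SecurityConfigManager instance " + scm);
                }
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unexpected behaviour: executing inside client, this should not happen.");
            }
            if (isSingleDomain) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "isSingleDomain is true, creating one instance");
                }
                adminAuthTable = createInstance(ADMIN_CACHE_KEY);
                return adminAuthTable;
            }
        }
        // NOTE: scm is still null here only on the client path above; the next call then
        // fails with a NullPointerException. The proxy has no meaning outside a server
        // process, so that failure is left visible rather than masked.
        boolean rememberAsAdmin = false;
        boolean rememberAsApp = false;
        SecurityConfigResource context = null;
        if (!scm.isAdminAgent()) {
            context = SecurityObjectLocator.peekContext();
            if (context == null) {
                if (isAdminAuthTableSet) {
                    if (SecurityConfigGlobals.enableVerbose && tc.isEntryEnabled()) {
                        Tr.exit(tc, "getAuthorizationTableProxy returning admin PluggableAuthorizationTableProxy, null stack entry", adminAuthTable);
                    }
                    return adminAuthTable;
                }
                rememberAsAdmin = true;
                if (SecurityConfigGlobals.enableVerbose && tc.isDebugEnabled()) {
                    Tr.debug(tc, "getAuthorizationTableProxy null stack entry, admin PluggableAuthorizationTableProxy global null");
                }
            } else if (context.isAdmin()) {
                if (isAdminAuthTableSet) {
                    if (SecurityConfigGlobals.enableVerbose && tc.isEntryEnabled()) {
                        Tr.exit(tc, "getAuthorizationTableProxy returning admin PluggableAuthorizationTableProxy, ", adminAuthTable);
                    }
                    return adminAuthTable;
                }
                rememberAsAdmin = true;
                if (SecurityConfigGlobals.enableVerbose && tc.isDebugEnabled()) {
                    Tr.debug(tc, "getAuthorizationTableProxy admin stack entry, admin PluggableAuthorizationTableProxy global null");
                }
            } else if (context.isApplication()) {
                if (isAppAuthTableSet) {
                    if (SecurityConfigGlobals.enableVerbose && tc.isEntryEnabled()) {
                        Tr.exit(tc, "getAuthorizationTableProxy returning application PluggableAuthorizationTableProxy and setting it in current stack entry, ", appAuthTable);
                    }
                    return appAuthTable;
                }
                rememberAsApp = true;
                if (SecurityConfigGlobals.enableVerbose && tc.isDebugEnabled()) {
                    Tr.debug(tc, "getAuthorizationTableProxy application stack entry and application PluggableAuthorizationTableProxy global null");
                }
            } else if (SecurityConfigGlobals.enableVerbose && tc.isDebugEnabled()) {
                Tr.debug(tc, "getAuthorizationTableProxy did not find valid type in current stack entry");
            }
        }
        String domainId = context != null ? scm.getDomainId(context) : scm.getDomainId();
        if (domainId == null) {
            domainId = ADMIN_CACHE_KEY;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "getAuthorizationTableProxy using domainId " + domainId);
        }
        PluggableAuthorizationTableProxy proxy = lookupOrCreate(domainId);
        if (rememberAsAdmin) {
            if (SecurityConfigGlobals.enableVerbose && tc.isDebugEnabled()) {
                Tr.debug(tc, "getAuthorizationTableProxy setting adminAuthTable global");
            }
            adminAuthTable = proxy;
            isAdminAuthTableSet = true;
        } else if (rememberAsApp) {
            if (SecurityConfigGlobals.enableVerbose && tc.isDebugEnabled()) {
                Tr.debug(tc, "getAuthorizationTableProxy setting appAuthTable global");
            }
            appAuthTable = proxy;
            isAppAuthTableSet = true;
        }
        return proxy;
    }

    /**
     * Returns the cached proxy for {@code domainId}, creating it on a miss.
     * Must be called with the class monitor held. A {@code null} from
     * {@link #createInstance(String)} is not cached, so the next call retries.
     */
    private static PluggableAuthorizationTableProxy lookupOrCreate(String domainId) {
        PluggableAuthorizationTableProxy proxy = _cache.get(domainId);
        if (proxy != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "getAuthorizationTableProxy found PluggableAuthorizationTableProxy in cache");
            }
            return proxy;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "getAuthorizationTableProxy did not find PluggableAuthorizationTableProxy in cache");
        }
        proxy = createInstance(domainId);
        if (proxy != null) {
            _cache.put(domainId, proxy);
        }
        return proxy;
    }

    /**
     * Loads and instantiates the authorization table class named by the security property
     * {@code com.ibm.websphere.security.authorizationTable}, wraps it in a proxy and places
     * that proxy into {@link #_cache} under {@code domainId}.
     *
     * <p>The class name comes from security configuration: whoever can change that property
     * decides which code runs inside the server as the authorization table, so the property
     * is part of the server's trust boundary. Loading a non-SAF implementation is recorded
     * with an audit message ({@code security.wsaccessmanager.classloaded}) so the loaded class
     * is visible in the audit trail. The class is first looked up with the caller's loader and,
     * if not found there, with the thread context class loader.
     *
     * <p>Must be called with the class monitor held.
     *
     * @param domainId cache key for the new proxy
     * @return the new proxy, or {@code null} when the property is unset/empty or the class
     *         could not be loaded or instantiated; exceptions are logged (FFDC + error
     *         message + audit) and not propagated
     */
    private static PluggableAuthorizationTableProxy createInstance(String domainId) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createInstance, domainId=" + domainId);
        }
        PluggableAuthorizationTableProxy proxy = null;
        SecurityConfig securityConfig = SecurityObjectLocator.getSecurityConfig();
        String tableClassName = securityConfig.getProperty("com.ibm.websphere.security.authorizationTable");
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Pluggable Authz Table name: " + tableClassName);
        }
        if (tableClassName != null && tableClassName.length() != 0) {
            try {
                Class<?> tableClass;
                try {
                    tableClass = Class.forName(tableClassName);
                } catch (ClassNotFoundException notOnCallerLoader) {
                    tableClass = Class.forName(tableClassName, true, Thread.currentThread().getContextClassLoader());
                }
                // Class.newInstance is kept (rather than getDeclaredConstructor().newInstance)
                // so the existing InstantiationException -> "instantiationerror" reporting holds.
                Object table = tableClass.newInstance();
                boolean isSaf = CommonConstants.SAF_AUTHZN_IMPL.equals(tableClassName);
                if (!isSaf) {
                    Tr.audit(tc, "security.wsaccessmanager.classloaded", new Object[]{tableClassName});
                }
                proxy = new PluggableAuthorizationTableProxy((AuthorizationTable) table, isSaf);
                _cache.put(domainId, proxy);
                securityConfig.setBoolean(SecurityConfig.NATIVE_AUTHZ, Boolean.FALSE);
            } catch (ClassNotFoundException e) {
                FFDCFilter.processException(e, FFDC_CREATE_SOURCE, "125");
                Tr.error(tc, "security.wsaccessmanager.classnotfound", new Object[]{tableClassName});
            } catch (InstantiationException e) {
                FFDCFilter.processException(e, FFDC_CREATE_SOURCE, "130");
                Tr.error(tc, "security.wsaccessmanager.instantiationerror", new Object[]{tableClassName});
            } catch (Exception e) {
                // Covers IllegalAccessException, ClassCastException and anything the
                // table's constructor throws; the server keeps running without a table.
                FFDCFilter.processException(e, FFDC_CREATE_SOURCE, "135");
                Tr.error(tc, "security.wsaccessmanager.classloading", new Object[]{tableClassName});
            }
            if (proxy == null) {
                Tr.audit(tc, "security.wsaccessmanager.classloadingaudit", new Object[]{tableClassName});
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createInstance", proxy);
        }
        return proxy;
    }

    /**
     * Removes the cache entry for the domain id reported by the SecurityConfigManager
     * (or {@link #ADMIN_CACHE_KEY} when none). Must be called with the class monitor held.
     */
    private static void releaseByGetDomainId() {
        String domainId = scm.getDomainId();
        if (domainId == null) {
            domainId = ADMIN_CACHE_KEY;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "releaseByGetDomainId using domainId " + domainId);
        }
        _cache.remove(domainId);
    }

    /**
     * Drops the cached proxy for the current domain (and the matching admin/application
     * shortcut) so the next {@link #getAuthorizationTableProxy()} call rebuilds it.
     *
     * <p>Synchronized on the class monitor together with the getter: both mutate the same
     * static state and {@code _cache} is not thread-safe, so an unsynchronized release
     * racing with a lookup could corrupt the map or hand out a stale table.
     * A no-op (apart from tracing) when no SecurityConfigManager has been obtained yet.
     */
    public static synchronized void releaseInstance() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "releaseInstance");
        }
        if (scm != null) {
            if (isSingleDomain) {
                scm = null;
                isSingleDomain = false;
                adminAuthTable = null;
                _cache.remove(ADMIN_CACHE_KEY);
            } else if (scm.isAdminAgent()) {
                releaseByGetDomainId();
            } else {
                SecurityConfigResource context = SecurityObjectLocator.peekContext();
                if (context == null || context.isAdmin()) {
                    adminAuthTable = null;
                    isAdminAuthTableSet = false;
                } else if (context.isApplication()) {
                    appAuthTable = null;
                    isAppAuthTableSet = false;
                }
                releaseByGetDomainId();
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "releaseInstance");
        }
    }

    /**
     * Wraps {@code authorizationTable}; cell and short server name are read from the
     * admin data once here and reused for every access context built by this proxy.
     *
     * @param authorizationTable the delegate that makes the actual decisions
     * @param isSafAuthorization whether the delegate is the SAF implementation
     */
    private PluggableAuthorizationTableProxy(AuthorizationTable authorizationTable, boolean isSafAuthorization) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, Constants.CONSTRUCTOR_NAME, authorizationTable);
        }
        this._authTable = authorizationTable;
        AdminData adminData = SecurityObjectLocator.getAdminData();
        this._cellName = adminData.getString(AdminData.CELL_NAME);
        this._serverName = adminData.getString(AdminData.SHORT_SERVER_NAME);
        this._isSAFAuthorization = isSafAuthorization;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, Constants.CONSTRUCTOR_NAME, this);
        }
    }

    /** @return whether the delegate table is the SAF implementation */
    public boolean isSAFAuthorizationEnabled() {
        return this._isSAFAuthorization;
    }

    /** @return the wrapped delegate table */
    public AuthorizationTable getAuthorizationTable() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getAuthorizationTable");
            Tr.exit(tc, "getAuthorizationTable", this._authTable);
        }
        return this._authTable;
    }

    /**
     * Checks whether {@code subject} holds {@code securityRole} for the application named
     * in {@code accessContext}.
     *
     * @param accessContext source of the enterprise application name; must not be null
     * @param securityRole the role to check; must not be null
     * @param subject the caller's subject
     * @return true only if the delegate table grants the role; false on any failure
     */
    public boolean isGrantedRole(AccessContext accessContext, SecurityRole securityRole, Subject subject) {
        return isGrantedRole(createAccessContext(accessContext, subject), securityRole.getRoleName(), subject);
    }

    /**
     * Checks whether {@code subject} holds the role named {@code roleName}.
     *
     * <p>Fail-closed: any exception from the delegate is logged and treated as "not granted".
     *
     * @param accessContext the access context map (see {@link #createAccessContext})
     * @param roleName role name to check
     * @param subject the caller's subject; its principal is passed to the delegate
     * @return true only if the delegate table grants the role
     */
    public boolean isGrantedRole(HashMap accessContext, String roleName, Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isGrantedRole", new Object[]{accessContext, roleName, subject});
        }
        boolean granted = false;
        try {
            granted = this._authTable.isGrantedRole(getAccessContext(accessContext, subject), roleName, SubjectHelper.getPrincipalFromSubject(subject));
        } catch (SecurityProviderException e) {
            reportProviderFailure(e, "215");
        } catch (Exception e) {
            reportGenericFailure(e, "224");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isGrantedRole", Boolean.valueOf(granted));
        }
        return granted;
    }

    /**
     * Checks whether {@code subject} holds at least one of {@code securityRoles} for the
     * application named in {@code accessContext}.
     *
     * @param accessContext source of the enterprise application name; must not be null
     * @param securityRoles roles to check; null is treated as an empty array
     * @param subject the caller's subject
     * @return true only if the delegate grants any of the roles; false on any failure
     */
    public boolean isGrantedAnyRole(AccessContext accessContext, SecurityRole[] securityRoles, Subject subject) {
        return isGrantedAnyRole(createAccessContext(accessContext, subject), getRoleNamesFromRoles(securityRoles), subject);
    }

    /**
     * Checks whether {@code subject} holds at least one of the roles in {@code roleNames}.
     *
     * <p>Fail-closed: any exception from the delegate is logged and treated as "not granted".
     *
     * @param accessContext the access context map
     * @param roleNames role names to check
     * @param subject the caller's subject; its principal is passed to the delegate
     * @return true only if the delegate table grants one of the roles
     */
    public boolean isGrantedAnyRole(HashMap accessContext, String[] roleNames, Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isGrantedAnyRole", new Object[]{accessContext, roleNames, subject});
        }
        boolean granted = false;
        try {
            granted = this._authTable.isGrantedAnyRole(getAccessContext(accessContext, subject), roleNames, SubjectHelper.getPrincipalFromSubject(subject));
        } catch (SecurityProviderException e) {
            reportProviderFailure(e, "271");
        } catch (Exception e) {
            reportGenericFailure(e, "280");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isGrantedAnyRole", Boolean.valueOf(granted));
        }
        return granted;
    }

    /**
     * Checks whether any of {@code securityRoles} is granted to everyone (no subject needed).
     *
     * @param accessContext source of the enterprise application name; must not be null
     * @param securityRoles roles to check; null is treated as an empty array
     * @return true only if the delegate reports an "everyone" grant; false on any failure
     */
    public boolean isEveryoneGranted(AccessContext accessContext, SecurityRole[] securityRoles) {
        return isEveryoneGranted(createAccessContext(accessContext, null), getRoleNamesFromRoles(securityRoles));
    }

    /**
     * Checks whether any of the roles in {@code roleNames} is granted to everyone.
     *
     * <p>Fail-closed: any exception from the delegate is logged and treated as "not granted".
     *
     * @param accessContext the access context map, passed to the delegate unchanged
     * @param roleNames role names to check
     * @return true only if the delegate reports an "everyone" grant
     */
    public boolean isEveryoneGranted(HashMap accessContext, String[] roleNames) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isEveryoneGranted", new Object[]{accessContext, roleNames});
        }
        boolean granted = false;
        try {
            granted = this._authTable.isEveryoneGranted(accessContext, roleNames);
        } catch (SecurityProviderException e) {
            reportProviderFailure(e, "323");
        } catch (Exception e) {
            reportGenericFailure(e, "332");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isEveryoneGranted", Boolean.valueOf(granted));
        }
        return granted;
    }

    /**
     * Records a {@link SecurityProviderException} from the delegate: FFDC under
     * {@code probeId}, the vendor-table error message, and the nested exception if present.
     * The decision itself stays "not granted"; nothing is rethrown.
     */
    private void reportProviderFailure(SecurityProviderException e, String probeId) {
        FFDCFilter.processException(e, FFDC_ROLE_CHECK_SOURCE, probeId, this);
        Tr.error(tc, "security.wsaccessmanager.VendorAuthTableError", new Object[]{e});
        Exception nested = e.getException();
        if (nested != null) {
            Tr.error(tc, "security.wsaccessmanager.VendorAuthTableSpecificError", new Object[]{nested});
        }
    }

    /**
     * Records any other exception from the delegate: FFDC under {@code probeId} plus the
     * generic vendor-table error message. Nothing is rethrown.
     */
    private void reportGenericFailure(Exception e, String probeId) {
        FFDCFilter.processException(e, FFDC_ROLE_CHECK_SOURCE, probeId, this);
        Tr.error(tc, "security.wsaccessmanager.VendorAuthTableGenericError");
    }

    /**
     * Builds the access-context map handed to the delegate: server name, cell name and the
     * enterprise application name, plus the {@link Subject} under {@link #SUBJECT_KEY} when
     * the delegate is the SAF implementation and a subject was supplied.
     *
     * @param accessContext must not be null (its application name is read)
     * @param subject may be null
     * @return a fresh, mutable map
     */
    private HashMap createAccessContext(AccessContext accessContext, Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createAccessContext", new Object[]{accessContext, subject});
        }
        HashMap context = new HashMap(4);
        context.put("SERVER_NAME", this._serverName);
        context.put("CELL_NAME", this._cellName);
        context.put(AuthorizationTable.APP_NAME, accessContext.getEnterpriseAppName());
        if (this._isSAFAuthorization && subject != null) {
            context.put(SUBJECT_KEY, subject);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createAccessContext", context);
        }
        return context;
    }

    /**
     * Returns the map to pass to the delegate for a subject-based check. For the SAF
     * implementation the subject is added under {@link #SUBJECT_KEY} — on a clone, so the
     * caller's map is never mutated. Otherwise the caller's map is returned as is
     * (including null).
     */
    private HashMap getAccessContext(HashMap accessContext, Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getAccessContext", new Object[]{accessContext, subject});
        }
        HashMap result = accessContext;
        if (this._isSAFAuthorization && subject != null && accessContext != null) {
            // clone() rather than a copy constructor keeps the caller's HashMap subclass.
            result = (HashMap) accessContext.clone();
            result.put(SUBJECT_KEY, subject);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getAccessContext", result);
        }
        return result;
    }

    /**
     * Maps roles to their names, preserving order.
     *
     * @param securityRoles may be null, which yields an empty array
     * @return one name per role; never null
     */
    private String[] getRoleNamesFromRoles(SecurityRole[] securityRoles) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getRoleNamesFromRoles", securityRoles);
        }
        String[] names;
        if (securityRoles == null) {
            names = new String[0];
        } else {
            names = new String[securityRoles.length];
            for (int i = 0; i < securityRoles.length; i++) {
                names[i] = securityRoles[i].getRoleName();
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getRoleNamesFromRoles", names);
        }
        return names;
    }
}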
