package com.ibm.ws.management.authorizer;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.ras.RASFormatter;
import com.ibm.websphere.management.AdminContext;
import com.ibm.websphere.management.ObjectNameHelper;
import com.ibm.websphere.management.Session;
import com.ibm.websphere.management.authorizer.AdminAuthorizer;
import com.ibm.websphere.management.configservice.ConfigService;
import com.ibm.websphere.security.WebSphereRuntimePermission;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.management.metadata.ManagedObjectMetadataConstants;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.common.util.AuditConstants;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.role.RoleBasedAuthorizer;
import com.ibm.ws.security.role.RoleBasedConfigurator;
import com.ibm.ws.security.util.Constants;
import com.ibm.ws.workspace.query.WorkSpaceQueryUtil;
import com.ibm.wsspi.management.agent.AdminSubsystemServiceRegistry;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import javax.management.ObjectName;
import javax.security.auth.Subject;

/* loaded from: input_file:wasJars/com.ibm.ws.admin.core.jar:com/ibm/ws/management/authorizer/AdminAuthorizerImpl.class */
public class AdminAuthorizerImpl implements AdminAuthorizer {
    // Source of the per-table RoleBasedAuthorizer instances; stays null until
    // setRoleBasedConfigurator() is called.
    private RoleBasedConfigurator rbc = null;
    // Not assigned or read in the visible part of this class.
    private AuthzCache authzCache = null;
    // Switched by setCacheEnabled()/setCacheDisabled(); starts off.
    private boolean globalCanCache = false;
    // Not assigned or read in the visible part of this class.
    private Session session = null;
    // Not assigned or read in the visible part of this class.
    private ConfigService configService = null;
    // Cell, node and server names, set through setCellName()/setNodeName()/setServerName().
    // They are used to build the resource paths that access decisions are made on.
    private String cell = null;
    private String node = null;
    private String server = null;
    // "cells/<cell>/cell.xml", computed in setCellName(); readable with the monitor role
    // without a role lookup (see checkAccess(String, String)).
    private String CELLXML = null;
    // Path of the JDBC provider template file, set in setCellName(); same shortcut as CELLXML.
    private String JDBCPROVIDERTEMPLATE = null;
    // Value of AdminContext.peek() at construction time.
    private String uuid;
    private static TraceComponent tc = Tr.register((Class<?>) AdminAuthorizerImpl.class, "AdminAuthorizerImpl", "com.ibm.ws.management.authorizer");
    // Checked by the configuration setters, but only when a SecurityManager is installed.
    private static WebSphereRuntimePermission adminPermission = new WebSphereRuntimePermission("AdminPermission");
    // Instance used when no AdminContext is active.
    // NOTE(review): plain static field written by the unsynchronized create() — confirm that
    // create() is only ever called from a single thread during start-up.
    private static AdminAuthorizerImpl authorizer = null;
    // Second argument passed to RoleBasedConfigurator.getRoleBasedAuthorizer().
    private static String scope = "scope";
    // MBean type/operation pairs that the MBean checkAccess allows before any role lookup.
    private static ExcludeList excludeList = new ExcludeList();

    /**
     * Creates the authorizer for the current administrative context.
     *
     * <p>With an active {@code AdminContext} the instance registered in
     * {@code AdminSubsystemServiceRegistry} is returned, and created and registered first if absent.
     * Without one, a process-wide instance is created on the first call only.
     *
     * <p>NOTE(review): without an active context every call after the first returns {@code null},
     * not the existing instance; later callers have to use {@link #getInstance()}. Confirm this is
     * intended. The check-then-create sequence is not synchronized.
     *
     * @return the implementation object, or {@code null} as described above
     */
    public static AdminAuthorizerImpl create() {
        final String contextId = AdminContext.peek();
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "create:" + contextId);
        }
        AdminAuthorizerImpl created = null;
        if (contextId == null) {
            // No admin context: only the very first caller receives the instance.
            if (authorizer == null) {
                authorizer = new AdminAuthorizerImpl();
                created = authorizer;
            }
        } else {
            final String serviceKey = AdminAuthorizer.class.getName();
            created = (AdminAuthorizerImpl) AdminSubsystemServiceRegistry.getService(serviceKey);
            if (created == null) {
                created = new AdminAuthorizerImpl();
                AdminSubsystemServiceRegistry.addService(serviceKey, created);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "create", created);
        }
        return created;
    }

    /**
     * Returns the authorizer for the current administrative context.
     *
     * @return the instance registered for the active {@code AdminContext}, or the process-wide
     *         instance when no context is active; either may be {@code null} if
     *         {@link #create()} has not run yet
     */
    public static AdminAuthorizer getInstance() {
        if (AdminContext.peek() != null) {
            return (AdminAuthorizer) AdminSubsystemServiceRegistry.getService(AdminAuthorizer.class.getName());
        }
        return authorizer;
    }

    /**
     * Private so that instances are only obtained through {@link #create()}. Records the
     * {@code AdminContext} identifier that is current at construction time (may be {@code null}).
     */
    private AdminAuthorizerImpl() {
        this.uuid = AdminContext.peek();
    }

    /**
     * Reports whether fine-grained administrative security is in effect, which this class
     * defines as "at least one authorization group exists".
     *
     * @return {@code true} when {@code AuthorizationGroups} holds one or more groups
     */
    @Override // com.ibm.websphere.management.authorizer.AdminAuthorizer
    public boolean isFineGrainedAdminSecurity() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isFineGrainedAdminSecurity");
        }
        final Collection definedGroups = AuthorizationGroups.getInstance().getGroups();
        final boolean fineGrained = definedGroups != null && !definedGroups.isEmpty();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isFineGrainedAdminSecurity", Boolean.valueOf(fineGrained));
        }
        return fineGrained;
    }

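    /**
     * Decides whether the current caller holds {@code str2}, or a role that implies it, on the
     * configuration resource {@code str}.
     *
     * <p>Evaluation order, first match wins:
     * <ol>
     *   <li>the server's own subject is always allowed ({@link #runningAsSystem()});</li>
     *   <li>{@code monitor} on the server index file or on the file named by
     *       {@code ManagedObjectMetadataConstants.PROP_FILE_NAME} is allowed with no role lookup;</li>
     *   <li>a cached decision for the resource, when caching is enabled;</li>
     *   <li>{@code monitor} on the cell's cell.xml or on the JDBC provider template file is
     *       allowed with no role lookup;</li>
     *   <li>a grant in the cell-level {@code Constants.ADMIN_APP} table;</li>
     *   <li>cell-level {@code deployer} for configurator access to the server index file, and
     *       cell-level {@code adminsecuritymanager} for configurator access to admin-authz.xml or
     *       authorizationgroup.xml;</li>
     *   <li>with fine-grained security on, a grant in any authorization group that contains the
     *       resource.</li>
     * </ol>
     * Anything else is denied. Both grants and denials are written to the cache.
     *
     * <p>NOTE(review): the listing this method was recovered from carried an empty try/catch that
     * reported to FFDC, so the range the original handler protected is unknown. As written here,
     * exceptions thrown by the helpers propagate to the caller; confirm that callers treat that
     * as a denial.
     *
     * @param str  resource URI; must not be {@code null}
     * @param str2 required role name
     * @return {@code true} when access is granted
     */
    @Override // com.ibm.websphere.management.authorizer.AdminAuthorizer
    public boolean checkAccess(String str, String str2) {
        String resourceType;
        String cfgId;
        // Working copy of the URI. new String(null) throws, so a null resource fails here,
        // before the system-subject shortcut can answer for it.
        String resourceUri = new String(str);
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, AuditConstants.CHECK_ACCESS, resourceUri + " : " + str2);
        }
        String cacheKey = null;
        if (runningAsSystem()) {
            return true;
        }
        boolean indexOrMetadataFile = resourceUri.endsWith(WorkSpaceQueryUtil.SERVER_INDEX_URI)
                || resourceUri.endsWith(ManagedObjectMetadataConstants.PROP_FILE_NAME);
        // Compare by value. A reference comparison only matched callers that happened to pass the
        // interned literal, so the outcome depended on how the caller built the role string; the
        // other role tests in this method already compare by value.
        if (indexOrMetadataFile && "monitor".equals(str2)) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, AuditConstants.CHECK_ACCESS, Boolean.TRUE);
            }
            return true;
        }
        // A cluster template is authorized as the cluster of the same name in this cell.
        if (resourceUri.indexOf("(templates/clusters/") > 0 || resourceUri.startsWith("templates/clusters/")) {
            int nameStart = resourceUri.indexOf("templates/clusters/") + "templates/clusters/".length();
            int nameEnd = resourceUri.indexOf("/", nameStart);
            String clusterName = nameEnd > 0 ? resourceUri.substring(nameStart, nameEnd) : resourceUri.substring(nameStart);
            resourceUri = "cells/" + this.cell + "/clusters/" + clusterName;
        }
        if (resourceUri.indexOf("cells/") < 0) {
            // Relative URI: anchor it under this cell. The type lookup still uses the relative form.
            cfgId = resourceUri.startsWith("/") ? "cells/" + this.cell + resourceUri : "cells/" + this.cell + "/" + resourceUri;
            resourceType = ResourceInstanceRelations.getInstance().getResourceType(resourceUri);
        } else {
            resourceType = ResourceInstanceRelations.getInstance().getResourceType(resourceUri);
            boolean keepUriAsId = resourceType == null
                    || resourceType.equals("BLA")
                    || resourceType.equals(AdminAuthzConstants.CUS)
                    || resourceType.equals(AdminAuthzConstants.ASSET);
            cfgId = keepUriAsId ? resourceUri : ResourceInstanceRelations.getInstance().convertCfgId(resourceUri, resourceType);
        }
        if (canCache()) {
            cacheKey = createConfigCacheKey(cfgId, resourceType, str2);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "cacheKey", cacheKey);
            }
            Boolean cached = checkAccessFromCache(2, cacheKey);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "result from cache ", cached);
            }
            if (cached != null) {
                return cached.booleanValue();
            }
        }
        // Work on a private copy. Whether RoleRelations hands out its own list is not visible
        // from here, and this method appends the requested role and possibly "deployer" to it;
        // appending to a shared list would widen later role lookups for every caller.
        List inheritedRoles = RoleRelations.getInstance().getAllParentRoles(str2);
        List roles = inheritedRoles != null ? new ArrayList(inheritedRoles) : new ArrayList();
        roles.add(str2);
        if (cfgId == null) {
            cfgId = "cells/" + this.cell;
        }
        String cfgType = ResourceInstanceRelations.getInstance().getResourceType(cfgId);
        boolean deployable = cfgType != null
                && (cfgType.equals("Application")
                        || cfgType.equals("BLA")
                        || cfgType.equals(AdminAuthzConstants.CUS)
                        || cfgType.equals(AdminAuthzConstants.ASSET));
        if (str2.equals("configurator") && deployable) {
            // Configurator access to application-like resources is also satisfied by deployer.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "adding deployer for " + resourceUri);
            }
            roles.add("deployer");
        }
        Collections.sort(roles);
        String[] roleNames = (String[]) roles.toArray(new String[0]);
        if (resourceUri.equals(this.CELLXML) && str2.equals("monitor")) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, AuditConstants.CHECK_ACCESS, Boolean.TRUE);
            }
            updateAuthzCache(2, cacheKey, Boolean.TRUE);
            return true;
        }
        if (resourceUri.equals(this.JDBCPROVIDERTEMPLATE) && str2.equals("monitor")) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, AuditConstants.CHECK_ACCESS, Boolean.TRUE);
            }
            updateAuthzCache(2, cacheKey, Boolean.TRUE);
            return true;
        }
        // Cell-level grant.
        if (checkAccess(roleNames, Constants.ADMIN_APP)) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, AuditConstants.CHECK_ACCESS, Boolean.TRUE);
            }
            updateAuthzCache(2, cacheKey, Boolean.TRUE);
            return true;
        }
        if (resourceUri.endsWith(WorkSpaceQueryUtil.SERVER_INDEX_URI) && str2.equals("configurator")) {
            String[] deployerOnly = {"deployer"};
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Checking for celllevel deployer for serverindex.xml file ");
            }
            if (checkAccess(deployerOnly, Constants.ADMIN_APP)) {
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, AuditConstants.CHECK_ACCESS, Boolean.TRUE);
                }
                updateAuthzCache(2, cacheKey, Boolean.TRUE);
                return true;
            }
        }
        if ((resourceUri.endsWith("admin-authz.xml") || resourceUri.endsWith("authorizationgroup.xml")) && str2.equals("configurator")) {
            String[] securityManagerOnly = {"adminsecuritymanager"};
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Checking for celllevel adminsecuritymanager for admin resources ");
            }
            if (checkAccess(securityManagerOnly, Constants.ADMIN_APP)) {
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, AuditConstants.CHECK_ACCESS, Boolean.TRUE);
                }
                updateAuthzCache(2, cacheKey, Boolean.TRUE);
                return true;
            }
        }
        if (!isFineGrainedAdminSecurity()) {
            // No authorization groups exist, so the cell-level answer is final.
            updateAuthzCache(2, cacheKey, Boolean.FALSE);
            return false;
        }
        List groupNames = cfgType != null ? AuthorizationGroups.getInstance().getAllResourceGroupNames(cfgId, cfgType) : null;
        if (groupNames != null) {
            // Pass 1: consult the per-group cache. A cached grant ends the check; a group with no
            // cached answer (or caching off) means pass 2 has to run.
            boolean needLookup = false;
            ArrayList groupCacheKeys = new ArrayList(groupNames.size());
            for (int i = 0; i < groupNames.size(); i++) {
                String groupCacheKey = createGroupCacheKey((String) groupNames.get(i), roleNames);
                groupCacheKeys.add(i, groupCacheKey);
                if (canCache()) {
                    Boolean cachedGroup = checkAccessFromCache(4, groupCacheKey);
                    if (cachedGroup == null) {
                        needLookup = true;
                    } else if (cachedGroup.booleanValue()) {
                        updateAuthzCache(2, cacheKey, Boolean.TRUE);
                        return true;
                    }
                } else {
                    needLookup = true;
                }
            }
            if (!needLookup) {
                // Every group had a cached denial.
                updateAuthzCache(2, cacheKey, Boolean.FALSE);
                return false;
            }
            // Pass 2: ask each group's role table. Only grants are written to the group cache.
            for (int i = 0; i < groupNames.size(); i++) {
                String groupName = (String) groupNames.get(i);
                String groupCacheKey = (String) groupCacheKeys.get(i);
                if (checkAccess(roleNames, groupName)) {
                    if (tc.isEntryEnabled()) {
                        Tr.exit(tc, AuditConstants.CHECK_ACCESS, Boolean.TRUE);
                    }
                    updateAuthzCache(4, groupCacheKey, Boolean.TRUE);
                    updateAuthzCache(2, cacheKey, Boolean.TRUE);
                    return true;
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, AuditConstants.CHECK_ACCESS, Boolean.FALSE);
        }
        updateAuthzCache(2, cacheKey, Boolean.FALSE);
        return false;
    }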

    /**
     * Checks an MBean operation against this process's own node and server.
     *
     * <p>The second argument is accepted for interface compatibility but is not used by this
     * implementation.
     *
     * @param str  MBean type
     * @param str2 ignored
     * @param str3 operation name
     * @return {@code true} when access is granted
     */
    @Override // com.ibm.websphere.management.authorizer.AdminAuthorizer
    public boolean checkAccess(String str, String str2, String str3) {
        final String[] localNames = {this.node, this.server};
        final String[] localTypes = {"Node", "Server"};
        return checkAccess(str, null, localNames, localTypes, str3);
    }

    /**
     * Checks an MBean operation for the MBean identified by {@code objectName}; the MBean type is
     * derived from the object name.
     *
     * @param objectName MBean whose type is checked
     * @param strArr     resource names, parallel to {@code strArr2}
     * @param strArr2    resource types, parallel to {@code strArr}
     * @param str        operation name
     * @return {@code true} when access is granted
     */
    @Override // com.ibm.websphere.management.authorizer.AdminAuthorizer
    public boolean checkAccess(ObjectName objectName, String[] strArr, String[] strArr2, String str) {
        final String explicitType = null;
        return checkAccess(explicitType, objectName, strArr, strArr2, str);
    }

    /**
     * Decides whether the current caller may invoke operation {@code str2} on an MBean of the
     * given type, scoped to the resource described by the parallel arrays {@code strArr} (names)
     * and {@code strArr2} (types).
     *
     * <p>Grants are tried in this order: system subject, the fixed "Server:getProcessType" rule,
     * the exclude list, the type/operation cache, the cell-level table, and finally, when
     * fine-grained security is on, every authorization group that contains the resource.
     *
     * @param str        MBean type, or {@code null} to derive it from {@code objectName}
     * @param objectName MBean name, used only when {@code str} is {@code null}
     * @param strArr     resource names
     * @param strArr2    resource types; entries equal to "Cluster" are rewritten in place
     * @param str2       operation name
     * @return {@code true} when access is granted
     */
    public boolean checkAccess(String str, ObjectName objectName, String[] strArr, String[] strArr2, String str2) {
        // NOTE(review): the trace message indexes both arrays unguarded, so a null or empty array
        // fails here only when entry tracing is on, i.e. behaviour differs with trace enabled.
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, AuditConstants.CHECK_ACCESS, objectName + RASFormatter.DEFAULT_SEPARATOR + strArr[0] + RASFormatter.DEFAULT_SEPARATOR + strArr2[0] + RASFormatter.DEFAULT_SEPARATOR + str2);
        }
        // Cache key for the decision; reassigned further down once the resource path is known.
        String str3 = null;
        // NOTE(review): the try body is empty in this listing, so the handler is unreachable and
        // exceptions from the code below propagate to the caller. The original protected range is
        // not recoverable from here.
        try {
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.management.authorizer.AdminAuthorizerImpl.checkAccess", "300", this);
        }
        // The server's own subject is never restricted.
        if (runningAsSystem()) {
            return true;
        }
        String mBeanType = str != null ? str : ObjectNameHelper.getMBeanType(objectName);
        // "<type>:<operation>", used for the fixed rule below and as cache key material.
        String str4 = mBeanType + ":" + str2;
        // Reading the process type needs monitor in the cell-level table or in any group.
        if (str4.equals("Server:getProcessType")) {
            return isGrantedRoleInAnyGroup("monitor");
        }
        // Excluded type/operation pairs are allowed without any role lookup and are not cached.
        if (excludeList.isExcluded(mBeanType, mBeanType, str2)) {
            if (!tc.isEntryEnabled()) {
                return true;
            }
            Tr.exit(tc, AuditConstants.CHECK_ACCESS, new Boolean(true));
            return true;
        }
        // First cache probe: keyed on type and operation only, before the resource path is built.
        if (canCache()) {
            str3 = createMbeanCacheKey(str4);
            Boolean checkAccessFromCache = checkAccessFromCache(3, str3);
            if (checkAccessFromCache != null) {
                return checkAccessFromCache.booleanValue();
            }
        }
        // Cell-level grant.
        if (checkAccess(Constants.ADMIN_APP, mBeanType, mBeanType, str2)) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, AuditConstants.CHECK_ACCESS, new Boolean(true));
            }
            updateAuthzCache(3, str3, new Boolean(true));
            return true;
        }
        // Without authorization groups the cell-level denial is final.
        if (!isFineGrainedAdminSecurity()) {
            updateAuthzCache(3, str3, new Boolean(false));
            return false;
        }
        String str5 = new String();
        // Rewrites the caller's array in place: "Cluster" becomes "ServerCluster".
        for (int i = 0; strArr2 != null && i < strArr2.length; i++) {
            if (strArr2[i].equals("Cluster")) {
                strArr2[i] = "ServerCluster";
            }
        }
        // Build "<type>/<name>/<type>/<name>..." from the two parallel arrays.
        // NOTE(review): strArr2 is dereferenced here without the null guard used in the loop
        // above, and a strArr2 shorter than strArr indexes out of bounds.
        int i2 = 0;
        while (i2 < strArr.length) {
            if (i2 > 0) {
                str5 = str5 + "/";
            }
            str5 = str5 + getResType(strArr2[i2]) + "/" + strArr[i2];
            i2++;
        }
        // Type of the last path element.
        // NOTE(review): with an empty strArr this indexes -1 and throws.
        String str6 = strArr2[i2 - 1];
        // A bare server is placed under this process's node.
        if (strArr2.length == 1 && strArr2[0].equals("Server")) {
            str5 = "nodes/" + this.node + "/" + str5;
        }
        // Anchor the path under this cell.
        // NOTE(review): when the path already contains "cells/" the result is null, and that null
        // is what the cache key and the group lookup below receive — confirm the helpers accept it.
        String str7 = str5.indexOf("cells/") < 0 ? str5.startsWith("/") ? "cells/" + this.cell + str5 : "cells/" + this.cell + "/" + str5 : null;
        // A "ResourceURI" scope carries a config URI in strArr[0]; resolve its type and id from it.
        if (strArr2 != null && strArr2.length > 0 && strArr2[0].equals("ResourceURI")) {
            str6 = ResourceInstanceRelations.getInstance().getResourceType(strArr[0]);
            str7 = str6 != null ? ResourceInstanceRelations.getInstance().convertCfgId(strArr[0], str6) : str5;
        }
        // Second cache probe, now keyed on the resource as well. str3 is replaced, so every
        // cache update from here on uses the resource-specific key.
        if (canCache()) {
            str3 = createMbeanCacheKey(str7, str6, str4);
            Boolean checkAccessFromCache2 = checkAccessFromCache(3, str3);
            if (checkAccessFromCache2 != null) {
                return checkAccessFromCache2.booleanValue();
            }
        }
        List allResourceGroupNames = AuthorizationGroups.getInstance().getAllResourceGroupNames(str7, str6);
        if (allResourceGroupNames != null) {
            // Pass 1: per-group cache. z records that at least one group still needs a real lookup.
            boolean z = false;
            ArrayList arrayList = new ArrayList(allResourceGroupNames.size());
            for (int i3 = 0; i3 < allResourceGroupNames.size(); i3++) {
                String createGroupCacheKey = createGroupCacheKey((String) allResourceGroupNames.get(i3), mBeanType, str2);
                arrayList.add(i3, createGroupCacheKey);
                if (canCache()) {
                    Boolean checkAccessFromCache3 = checkAccessFromCache(4, createGroupCacheKey);
                    if (checkAccessFromCache3 == null) {
                        z = true;
                    } else if (checkAccessFromCache3.booleanValue()) {
                        updateAuthzCache(3, str3, new Boolean(true));
                        return true;
                    }
                } else {
                    z = true;
                }
            }
            // Every group had a cached denial.
            if (!z) {
                updateAuthzCache(3, str3, new Boolean(false));
                return false;
            }
            // Pass 2: ask each group's role table; only grants are written to the group cache.
            for (int i4 = 0; i4 < allResourceGroupNames.size(); i4++) {
                String str8 = (String) allResourceGroupNames.get(i4);
                String str9 = (String) arrayList.get(i4);
                if (checkAccess(str8, mBeanType, mBeanType, str2)) {
                    updateAuthzCache(4, str9, new Boolean(true));
                    updateAuthzCache(3, str3, new Boolean(true));
                    return true;
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, AuditConstants.CHECK_ACCESS, new Boolean(false));
        }
        updateAuthzCache(3, str3, new Boolean(false));
        return false;
    }

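    /**
     * Reports whether the current caller holds {@code str2}, or a role that implies it, in the
     * role table of authorization group {@code str}.
     *
     * <p>The server's own subject always passes. A {@code null} group is denied. When the group is
     * {@code Constants.ADMIN_APP_MERGE} and the {@code com.ibm.websphere.security.authorizationTable}
     * property is set, the decision is delegated to {@code checkAllGroups}. If the role table
     * cannot be obtained, the failure is reported to FFDC and the result is a denial.
     *
     * @param str  authorization group name, with or without the {@code Constants.ADMIN_APP} prefix
     * @param str2 role name
     * @return {@code true} when the caller holds the role
     */
    @Override // com.ibm.websphere.management.authorizer.AdminAuthorizer
    public boolean isCallerInRole(String str, String str2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isCallerInRole", str + RASFormatter.DEFAULT_SEPARATOR + str2);
        }
        if (runningAsSystem()) {
            return true;
        }
        if (str == null) {
            return false;
        }
        String cacheKey = null;
        if (canCache()) {
            cacheKey = createUserCacheKey(str, str2);
            Boolean cached = checkAccessFromCache(1, cacheKey);
            if (cached != null) {
                return cached.booleanValue();
            }
        }
        String authzTableName = ContextManagerFactory.getInstance().getProperty("com.ibm.websphere.security.authorizationTable", null);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "groupName ", str);
            Tr.debug(tc, "authzTableName ", authzTableName);
        }
        boolean customTableConfigured = authzTableName != null && authzTableName.length() != 0;
        if (str.equals(Constants.ADMIN_APP_MERGE) && customTableConfigured) {
            boolean mergedResult = checkAllGroups(str2);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "isCallerInRole ", Boolean.valueOf(mergedResult));
            }
            updateAuthzCache(1, cacheKey, Boolean.valueOf(mergedResult));
            return mergedResult;
        }
        RoleBasedAuthorizer groupAuthorizer = null;
        try {
            String tableName = str.startsWith(Constants.ADMIN_APP) ? str : "admin-authz-" + str;
            if (tableName.equals(Constants.ADMIN_APP_MERGE) && !isFineGrainedAdminSecurity()) {
                // Nothing to merge when no authorization groups exist.
                tableName = Constants.ADMIN_APP;
            }
            groupAuthorizer = this.rbc.getRoleBasedAuthorizer(tableName, scope);
        } catch (Exception e) {
            // Fail closed: groupAuthorizer stays null and the caller is denied below.
            FFDCFilter.processException(e, "com.ibm.ws.management.authorizer.AdminAuthorizerImpl.isCallerInRole", "327", this);
        }
        boolean granted = false;
        if (groupAuthorizer != null) {
            // Private copy: getAllParentRoles may return the list owned by RoleRelations (not
            // visible from here), and appending the requested role to that list would change
            // what later lookups see.
            List roles = new ArrayList(getAllParentRoles(str2));
            roles.add(str2);
            granted = groupAuthorizer.isGrantedAnyRole((String[]) roles.toArray(new String[0]));
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isCallerInRole", Boolean.valueOf(granted));
        }
        updateAuthzCache(1, cacheKey, Boolean.valueOf(granted));
        return granted;
    }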

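    /**
     * Reports whether the current caller holds a role, given a single encoded argument.
     *
     * <p>Accepted forms:
     * <ul>
     *   <li>{@code "<resource>:<role>"} — delegated to {@link #checkAccess(String, String)};</li>
     *   <li>{@code "<resourceType>-<role>"} — the role at cell level, or in any authorization
     *       group that covers the resource type or one of its parent types;</li>
     *   <li>{@code "<role>"} or {@code "Any-<role>"} — the role at cell level or, with
     *       fine-grained security, in the merged table.</li>
     * </ul>
     * The split is on the first ':' and, failing that, on the first '-'. The server's own subject
     * always passes. Decisions are cached under a key derived from the whole argument.
     *
     * @param str encoded role request; must not be {@code null}
     * @return {@code true} when the caller holds the role
     */
    @Override // com.ibm.websphere.management.authorizer.AdminAuthorizer
    public boolean isCallerInRole(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isCallerInRole", str);
        }
        String cacheKey = null;
        if (runningAsSystem()) {
            return true;
        }
        String resourceType = null;
        String roleName = str;
        if (canCache()) {
            cacheKey = createUserCacheKey(str);
            Boolean cached = checkAccessFromCache(1, cacheKey);
            if (cached != null) {
                return cached.booleanValue();
            }
        }
        int colon = str.indexOf(':');
        if (colon > 0) {
            boolean granted = checkAccess(str.substring(0, colon), str.substring(colon + 1));
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "isCallerInRole", Boolean.valueOf(granted));
            }
            updateAuthzCache(1, cacheKey, Boolean.valueOf(granted));
            return granted;
        }
        int dash = str.indexOf("-");
        if (dash > 0) {
            resourceType = str.substring(0, dash);
            roleName = str.substring(dash + 1);
        }
        if (resourceType == null || resourceType.equals("Any")) {
            String authzTableName = ContextManagerFactory.getInstance().getProperty("com.ibm.websphere.security.authorizationTable", null);
            if (authzTableName != null && authzTableName.length() > 0) {
                boolean inAnyGroup = checkAllGroups(roleName);
                updateAuthzCache(1, cacheKey, Boolean.valueOf(inAnyGroup));
                return inAnyGroup;
            }
            String groupName = Constants.ADMIN_APP_MERGE;
            if (!isFineGrainedAdminSecurity()) {
                groupName = Constants.ADMIN_APP;
            }
            boolean inRole = isCallerInRole(groupName, roleName);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "isCallerInRole", Boolean.valueOf(inRole));
            }
            updateAuthzCache(1, cacheKey, Boolean.valueOf(inRole));
            return inRole;
        }
        // Typed request: the cell-level table is tried first.
        if (isCallerInRole(Constants.ADMIN_APP, roleName)) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "isCallerInRole", Boolean.TRUE);
            }
            updateAuthzCache(1, cacheKey, Boolean.TRUE);
            return true;
        }
        // Private copy, tolerating a null result: this method appends the requested type, and
        // whether ResourceRelations hands out its own list is not visible from here.
        List parentTypes = ResourceRelations.getInstance().getAllParentResources(resourceType);
        List candidateTypes = parentTypes != null ? new ArrayList(parentTypes) : new ArrayList();
        candidateTypes.add(resourceType);
        for (AuthorizationGroup authorizationGroup : AuthorizationGroups.getInstance().getGroups()) {
            if (groupContainsResourceTypes(candidateTypes, authorizationGroup) && isCallerInRole(authorizationGroup.getGroupName(), roleName)) {
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "isCallerInRole", Boolean.TRUE);
                }
                updateAuthzCache(1, cacheKey, Boolean.TRUE);
                return true;
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isCallerInRole", Boolean.FALSE);
        }
        updateAuthzCache(1, cacheKey, Boolean.FALSE);
        return false;
    }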

    /**
     * Tells whether the authorization group covers at least one of the given resource types.
     *
     * @param list               resource type names; {@code null} is treated as empty
     * @param authorizationGroup group to test
     * @return {@code true} on the first type the group reports via {@code hasResourceType}
     */
    private boolean groupContainsResourceTypes(List list, AuthorizationGroup authorizationGroup) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "groupContainsResourceTypes", new Object[]{list, authorizationGroup});
        }
        boolean found = false;
        if (list != null) {
            for (Object typeName : list) {
                if (authorizationGroup.hasResourceType((String) typeName)) {
                    found = true;
                    break;
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "groupContainsResourceTypes", Boolean.valueOf(found));
        }
        return found;
    }

    /**
     * Returns every role that implies {@code str}, as reported by {@code RoleRelations}.
     *
     * <p>NOTE(review): a non-null list from {@code RoleRelations} is returned as is, without a
     * copy. If that list is owned by {@code RoleRelations}, callers that modify it change the
     * role hierarchy for everyone — confirm what {@code RoleRelations} returns.
     *
     * @param str role name
     * @return the parent roles; an empty list when none are known, never {@code null}
     */
    @Override // com.ibm.websphere.management.authorizer.AdminAuthorizer
    public List getAllParentRoles(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getAllParentRoles", str);
        }
        List parents = RoleRelations.getInstance().getAllParentRoles(str);
        if (parents == null) {
            parents = new ArrayList();
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "parent roles are");
            for (Object role : parents) {
                Tr.debug(tc, "role=", (String) role);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getAllParentRoles");
        }
        return parents;
    }

    /**
     * Returns the parent roles of {@code str} as reported by
     * {@code RoleRelations.getParentRoles}.
     *
     * <p>NOTE(review): a non-null list from {@code RoleRelations} is returned without a copy —
     * confirm callers cannot alter shared role data through it.
     *
     * @param str role name
     * @return the parent roles; an empty list when none are known, never {@code null}
     */
    @Override // com.ibm.websphere.management.authorizer.AdminAuthorizer
    public List getParentRoles(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getParentRoles", str);
        }
        List parents = RoleRelations.getInstance().getParentRoles(str);
        if (parents == null) {
            parents = new ArrayList();
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "parent roles are");
            for (Object role : parents) {
                Tr.debug(tc, "role=", (String) role);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getParentRoles");
        }
        return parents;
    }

    /**
     * Installs the configurator that supplies the role tables used by every access decision.
     *
     * <p>The caller needs {@code WebSphereRuntimePermission("AdminPermission")}, but the check
     * runs only when a SecurityManager is installed; without one, any code holding this object
     * can replace the configurator.
     *
     * @param roleBasedConfigurator new configurator
     * @throws SecurityException if a SecurityManager is installed and denies the permission
     */
    public void setRoleBasedConfigurator(RoleBasedConfigurator roleBasedConfigurator) {
        final SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(adminPermission);
        }
        rbc = roleBasedConfigurator;
    }

    /**
     * Returns the configurator installed with {@link #setRoleBasedConfigurator}.
     *
     * <p>NOTE(review): unlike the setter, this accessor performs no permission check, so the
     * live configurator is reachable by any code holding this object.
     *
     * @return the current configurator, or {@code null} if none has been set
     */
    public RoleBasedConfigurator getRoleBasedConfigurator() {
        return rbc;
    }

    /**
     * Asks one authorization group's role table whether the caller may perform {@code str4}.
     *
     * <p>A {@code null} group is denied. If the role table cannot be obtained, the failure is
     * reported to FFDC and the result is a denial.
     *
     * @param str  authorization group name, with or without the {@code Constants.ADMIN_APP} prefix
     * @param str2 passed through as the first argument of {@code RoleBasedAuthorizer.checkAccess}
     * @param str3 passed through as the second argument; traced as the resource
     * @param str4 passed through as the third argument
     * @return {@code true} when the group's table grants access
     */
    private boolean checkAccess(String str, String str2, String str3, String str4) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, AuditConstants.CHECK_ACCESS, "Group = " + str + " resource = " + str3);
        }
        if (str == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, AuditConstants.CHECK_ACCESS, Boolean.FALSE);
            }
            return false;
        }
        RoleBasedAuthorizer groupAuthorizer = null;
        try {
            final String tableName = str.startsWith(Constants.ADMIN_APP) ? str : "admin-authz-" + str;
            groupAuthorizer = this.rbc.getRoleBasedAuthorizer(tableName, scope);
        } catch (Exception e) {
            // Fail closed: groupAuthorizer stays null, so the result below is a denial.
            FFDCFilter.processException(e, "com.ibm.ws.management.authorizer.AdminAuthorizerImpl.checkAccess", "467", this);
        }
        final boolean granted = groupAuthorizer != null && groupAuthorizer.checkAccess(str2, str3, str4);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, AuditConstants.CHECK_ACCESS, Boolean.valueOf(granted));
        }
        return granted;
    }

    /**
     * Asks one authorization group's role table whether the caller holds any of the given roles.
     *
     * <p>The roles are first narrowed by {@code getValidRoles} for the group. A {@code null}
     * group is denied. If the role table cannot be obtained, the failure is reported to FFDC and
     * the result is a denial.
     *
     * @param strArr candidate role names
     * @param str    authorization group name, with or without the {@code Constants.ADMIN_APP} prefix
     * @return {@code true} when the caller is granted at least one of the roles
     */
    private boolean checkAccess(String[] strArr, String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, AuditConstants.CHECK_ACCESS, str + RASFormatter.DEFAULT_SEPARATOR + arrToStr(strArr));
        }
        if (str == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, AuditConstants.CHECK_ACCESS, Boolean.FALSE);
            }
            return false;
        }
        RoleBasedAuthorizer groupAuthorizer = null;
        try {
            final String tableName = str.startsWith(Constants.ADMIN_APP) ? str : "admin-authz-" + str;
            groupAuthorizer = this.rbc.getRoleBasedAuthorizer(tableName, scope);
        } catch (Exception e) {
            // Fail closed: groupAuthorizer stays null, so the result below is a denial.
            FFDCFilter.processException(e, "com.ibm.ws.management.authorizer.AdminAuthorizerImpl.checkAccess", "496", this);
        }
        // Computed even when no authorizer was obtained, as before.
        final String[] effectiveRoles = getValidRoles(strArr, str);
        final boolean granted = groupAuthorizer != null && groupAuthorizer.isGrantedAnyRole(effectiveRoles);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, AuditConstants.CHECK_ACCESS, Boolean.valueOf(granted));
        }
        return granted;
    }

    /**
     * Sets the cell name and derives the two file paths that get the monitor shortcut in
     * {@code checkAccess(String, String)}: the cell's cell.xml and the JDBC provider template.
     *
     * <p>Requires {@code WebSphereRuntimePermission("AdminPermission")} when a SecurityManager is
     * installed; unchecked otherwise.
     *
     * @param str cell name
     * @throws SecurityException if a SecurityManager is installed and denies the permission
     */
    public void setCellName(String str) {
        final SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(adminPermission);
        }
        cell = str;
        CELLXML = "cells/" + str + "/cell.xml";
        JDBCPROVIDERTEMPLATE = "templates/system/jdbc-resource-provider-templates.xml";
    }

    /**
     * Sets the node name used when building resource paths for MBean checks.
     *
     * <p>Requires {@code WebSphereRuntimePermission("AdminPermission")} when a SecurityManager is
     * installed; unchecked otherwise.
     *
     * @param str node name
     * @throws SecurityException if a SecurityManager is installed and denies the permission
     */
    public void setNodeName(String str) {
        final SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(adminPermission);
        }
        node = str;
    }

    /**
     * Sets the server name used as the default scope of MBean checks.
     *
     * <p>Requires {@code WebSphereRuntimePermission("AdminPermission")} when a SecurityManager is
     * installed; unchecked otherwise.
     *
     * @param str server name
     * @throws SecurityException if a SecurityManager is installed and denies the permission
     */
    public void setServerName(String str) {
        final SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(adminPermission);
        }
        server = str;
    }

    /**
     * Turns the instance-wide caching flag on.
     *
     * <p>NOTE(review): the other configuration setters on this class check AdminPermission; this
     * one does not. Cached grants outlive the lookup that produced them, so confirm who is
     * allowed to call this.
     */
    public void setCacheEnabled() {
        globalCanCache = true;
    }

    /**
     * Turns the instance-wide caching flag off.
     *
     * <p>NOTE(review): no AdminPermission check here, unlike the other configuration setters.
     */
    public void setCacheDisabled() {
        globalCanCache = false;
    }

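    /**
     * Reports whether the current invocation runs under the server's own subject.
     *
     * <p>Every access check in this class returns "allowed" when this is {@code true}, so the
     * method fails closed: a missing subject, or any exception while evaluating it, yields
     * {@code false}. The exception is now traced at debug level instead of being dropped, so a
     * broken subject lookup can be diagnosed.
     *
     * @return {@code true} only when an invocation subject exists and is the server subject
     */
    @Override // com.ibm.websphere.management.authorizer.AdminAuthorizer
    public boolean runningAsSystem() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "runningAsSystem");
        }
        boolean system = false;
        try {
            Subject invocationSubject = ContextManagerFactory.getInstance().getInvocationSubject();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "InvocationSubject = ", invocationSubject);
            }
            system = invocationSubject != null && ContextManagerFactory.getInstance().isServerSubject(invocationSubject);
        } catch (Exception e) {
            // Deliberately not rethrown: an unreadable subject must never count as system.
            system = false;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "runningAsSystem: could not evaluate the invocation subject", e);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "runningAsSystem", Boolean.valueOf(system));
        }
        return system;
    }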

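    /**
     * Reports whether the caller holds {@code str}, or a role that implies it, either in the
     * cell-level table or in any authorization group.
     *
     * <p>The cell-level table is asked with the full role set; each group is asked with the set
     * narrowed by {@code getValidRoles}. A table that cannot be obtained is reported to FFDC and
     * contributes no grant.
     *
     * @param str role name
     * @return {@code true} on the first table that grants one of the roles
     */
    @Override // com.ibm.websphere.management.authorizer.AdminAuthorizer
    public boolean isGrantedRoleInAnyGroup(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isGrantedRoleInAnyGroup", str);
        }
        // Private copy, tolerating a null result: this method appends the requested role, and
        // whether RoleRelations hands out its own list is not visible from here.
        List inheritedRoles = RoleRelations.getInstance().getAllParentRoles(str);
        List roles = inheritedRoles != null ? new ArrayList(inheritedRoles) : new ArrayList();
        roles.add(str);
        String[] roleNames = (String[]) roles.toArray(new String[0]);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "checking for roles ", Constants.ADMIN_APP);
            for (String role : roleNames) {
                Tr.debug(tc, "role=", role);
            }
            Tr.debug(tc, "Checking group ", Constants.ADMIN_APP);
        }
        RoleBasedAuthorizer cellAuthorizer = null;
        try {
            cellAuthorizer = this.rbc.getRoleBasedAuthorizer(Constants.ADMIN_APP, scope);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.management.authorizer.AdminAuthorizerImpl.isGrantedRoleInAnyGroup", "617", this);
        }
        if (cellAuthorizer != null && cellAuthorizer.isGrantedAnyRole(roleNames)) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "isGrantedRoleInAnyGroup", Boolean.TRUE);
            }
            return true;
        }
        String[] validRoles = getValidRoles(roleNames, null);
        for (String groupName : AuthorizationGroups.getInstance().getGroupNames()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Checking group ", groupName);
            }
            // Fresh reference per group. Reusing one variable across iterations meant that a
            // failed lookup left the previous table in place, and that table was then asked on
            // behalf of this group.
            RoleBasedAuthorizer groupAuthorizer = null;
            try {
                groupAuthorizer = this.rbc.getRoleBasedAuthorizer("admin-authz-" + groupName, scope);
            } catch (Exception e2) {
                FFDCFilter.processException(e2, "com.ibm.ws.management.authorizer.AdminAuthorizerImpl.isGrantedRoleInAnyGroup", "636", this);
            }
            if (groupAuthorizer != null && groupAuthorizer.isGrantedAnyRole(validRoles)) {
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "isGrantedRoleInAnyGroup", Boolean.TRUE);
                }
                return true;
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isGrantedRoleInAnyGroup", Boolean.FALSE);
        }
        return false;
    }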

    /**
     * Looks up the universal resource type for {@code str} through the
     * {@code ResourceInstanceRelations} singleton.
     *
     * @param str the value passed unchanged to {@code getUniversalResourceType}
     * @return whatever {@code getUniversalResourceType} returns for {@code str}
     */
    private String getResType(String str) {
        final String universalType = ResourceInstanceRelations.getInstance().getUniversalResourceType(str);
        return universalType;
    }

    /**
     * Filters a role list for use against an authorization table.
     *
     * <p>When {@code str} is non-null and starts with {@code Constants.ADMIN_APP} the input array
     * is returned as-is. Otherwise every role that equals an entry of
     * {@code RoleRelations.getCustomRoles()} is dropped and the remaining roles are returned in
     * their original order.
     *
     * @param strArr the candidate role names
     * @param str the table name the roles will be checked against; may be {@code null}
     * @return {@code strArr} itself for admin application tables, otherwise a new array without
     *         the custom roles
     */
    private String[] getValidRoles(String[] strArr, String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getValidRoles", new Object[]{arrToStr(strArr), str});
        }
        final boolean adminAppTable = str != null && str.startsWith(Constants.ADMIN_APP);
        if (adminAppTable) {
            // No filtering (and no exit trace) on this path.
            return strArr;
        }
        ArrayList kept = new ArrayList();
        List customRoles = RoleRelations.getInstance().getCustomRoles();
        for (String role : strArr) {
            boolean isCustom = false;
            // Stop scanning at the first custom role that matches this candidate.
            for (Iterator it = customRoles.iterator(); !isCustom && it.hasNext(); ) {
                isCustom = ((String) it.next()).equals(role);
            }
            if (!isCustom) {
                kept.add(role);
            }
        }
        String[] filtered = (String[]) kept.toArray(new String[0]);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getValidRoles", arrToStr(filtered));
        }
        return filtered;
    }

    /**
     * Joins the elements of {@code strArr} with {@code ":"} for trace output.
     *
     * @param strArr the strings to join; a {@code null} element is rendered as {@code "null"}
     * @return the joined text, or an empty string for an empty array
     */
    private String arrToStr(String[] strArr) {
        StringBuilder joined = new StringBuilder();
        String separator = "";
        for (String element : strArr) {
            joined.append(separator);
            joined.append(element);
            // Every element after the first is preceded by the delimiter.
            separator = ":";
        }
        return joined.toString();
    }

    /**
     * Checks {@code isCallerInRole} for {@code str} against the admin application and then
     * against every authorization group, stopping at the first positive answer.
     *
     * <p>NOTE(review): the group name is passed to {@code isCallerInRole} without the
     * {@code "admin-authz-"} prefix that other methods in this class put in front of group names
     * before looking up a table; confirm that {@code isCallerInRole} adds it.
     *
     * @param str the role name handed to {@code isCallerInRole}
     * @return {@code true} if any of the checks succeeds, otherwise {@code false}
     */
    private boolean checkAllGroups(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkAllGroups", str);
        }
        boolean inRole = isCallerInRole(Constants.ADMIN_APP, str);
        if (!inRole) {
            // Groups are only enumerated when the admin application check did not succeed.
            Iterator groups = AuthorizationGroups.getInstance().getGroups().iterator();
            while (!inRole && groups.hasNext()) {
                AuthorizationGroup group = (AuthorizationGroup) groups.next();
                inRole = isCallerInRole(group.getGroupName(), str);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "checkAllGroups", new Boolean(inRole));
        }
        return inRole;
    }

    /**
     * Replaces the cache used for authorization decisions.
     *
     * <p>{@code updateAuthzCache} and {@code checkAccessFromCache} dereference this field whenever
     * {@code canCache()} is true, so a {@code null} value is only safe while caching is disabled.
     *
     * @param authzCache the cache instance to use from now on
     */
    public void setAuthzCache(final AuthzCache authzCache) {
        this.authzCache = authzCache;
    }

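    /**
     * Returns the access id of the current invocation subject.
     *
     * <p>The value is appended to the authorization cache keys built in this class. Resolution is
     * best effort: when there is no invocation subject, no {@code WSCredential}, or the lookup
     * throws, the result is {@code null}. Keys built from it then end in the text {@code "null"},
     * so all such callers would share the same cache entries (NOTE(review): confirm that no
     * positive decision can be cached for an unresolved caller).
     *
     * @return the caller's access id, or {@code null} if it could not be determined
     */
    private String getCallerId() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getCallerId");
        }
        String str = null;
        try {
            Subject invocationSubject = ContextManagerFactory.getInstance().getInvocationSubject();
            if (invocationSubject != null) {
                WSCredential wSCredentialFromSubject = SubjectHelper.getWSCredentialFromSubject(invocationSubject);
                if (wSCredentialFromSubject != null) {
                    str = wSCredentialFromSubject.getAccessId();
                }
            }
        } catch (Exception e) {
            // Still best effort, but leave a trace record instead of dropping the failure, so an
            // unresolved caller identity can be diagnosed.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "getCallerId: unable to resolve the caller access id", e);
            }
        }
        // Single exit record; the original emitted it twice when a subject was present.
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getCallerId", str);
        }
        return str;
    }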

    /**
     * Asks the role-based authorizers whether access is permitted, via
     * {@code RoleBasedAuthorizer.checkAccess(str, str2, str3)}.
     *
     * <p>Which tables are consulted depends on the
     * {@code com.ibm.websphere.security.authorizationTable} property:
     * <ul>
     *   <li>unset or empty: a single table, {@code Constants.ADMIN_APP_MERGE} when fine-grained
     *       admin security is on, otherwise {@code Constants.ADMIN_APP};</li>
     *   <li>set: {@code Constants.ADMIN_APP} first, then each
     *       {@code "admin-authz-" + groupName} table until one grants access.</li>
     * </ul>
     * An exception from a lookup or check is reported to FFDC and counts as "not granted" for
     * that table.
     *
     * @param str first argument forwarded to {@code checkAccess}
     * @param str2 second argument forwarded to {@code checkAccess}
     * @param str3 third argument forwarded to {@code checkAccess}
     * @return {@code true} if any consulted table grants access, otherwise {@code false}
     */
    @Override // com.ibm.websphere.management.authorizer.AdminAuthorizer
    public boolean isGrantedMinimumRolesForMBean(String str, String str2, String str3) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isGrantedMinimumRolesForMBean", new Object[]{str, str2, str3});
        }
        boolean granted = false;
        String authzTableName = ContextManagerFactory.getInstance().getProperty("com.ibm.websphere.security.authorizationTable", null);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "authzTableName ", authzTableName);
        }
        final boolean customTableConfigured = authzTableName != null && authzTableName.length() != 0;
        if (customTableConfigured) {
            try {
                granted = this.rbc.getRoleBasedAuthorizer(Constants.ADMIN_APP, scope).checkAccess(str, str2, str3);
            } catch (Exception e2) {
                FFDCFilter.processException(e2, "com.ibm.ws.management.authorizer.AdminAuthorizerImpl.isGrantedMinimumRolesForMBean", "617", this);
            }
            if (!granted) {
                Iterator groups = AuthorizationGroups.getInstance().getGroups().iterator();
                // A failing group is skipped; the scan ends at the first table that grants access.
                while (!granted && groups.hasNext()) {
                    try {
                        granted = this.rbc.getRoleBasedAuthorizer("admin-authz-" + ((AuthorizationGroup) groups.next()).getGroupName(), scope).checkAccess(str, str2, str3);
                    } catch (Exception e3) {
                        FFDCFilter.processException(e3, "com.ibm.ws.management.authorizer.AdminAuthorizerImpl.isGrantedMinimumRolesForMBean", "617", this);
                    }
                }
            }
        } else {
            String tableName = isFineGrainedAdminSecurity() ? Constants.ADMIN_APP_MERGE : Constants.ADMIN_APP;
            try {
                granted = this.rbc.getRoleBasedAuthorizer(tableName, scope).checkAccess(str, str2, str3);
            } catch (Exception e) {
                FFDCFilter.processException(e, "com.ibm.ws.management.authorizer.AdminAuthorizerImpl.isGrantedMinimumRolesForMBean", "617", this);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isGrantedMinimumRolesForMBean", new Boolean(granted));
        }
        return granted;
    }

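    /**
     * Checks {@code strArr} for {@code subject} through
     * {@code RoleBasedAuthorizer.isGrantedRole}.
     *
     * <p>When the {@code com.ibm.websphere.security.authorizationTable} property is set, the
     * decision is delegated to {@code checkAllGroups(String[], Subject)}. Otherwise a single table
     * is consulted: {@code Constants.ADMIN_APP_MERGE} when fine-grained admin security is on,
     * else {@code Constants.ADMIN_APP}. Any exception on that path is reported to FFDC and the
     * result is {@code false}.
     *
     * @param strArr the role names to check
     * @param subject the subject the roles are checked for
     * @return {@code true} if the consulted authorizer grants the roles, otherwise {@code false}
     */
    @Override // com.ibm.websphere.management.authorizer.AdminAuthorizer
    public boolean isGrantedRole(String[] strArr, Subject subject) {
        if (tc.isEntryEnabled()) {
            // NOTE(review): the Subject is handed to trace as-is; confirm that its string form
            // does not place credential material in trace output.
            Tr.entry(tc, "isGrantedRole", new Object[]{strArr, subject});
        }
        boolean granted = false;
        String authzTableName = ContextManagerFactory.getInstance().getProperty("com.ibm.websphere.security.authorizationTable", null);
        if (authzTableName != null && authzTableName.length() > 0) {
            granted = checkAllGroups(strArr, subject);
        } else {
            try {
                String tableName = isFineGrainedAdminSecurity() ? Constants.ADMIN_APP_MERGE : Constants.ADMIN_APP;
                granted = this.rbc.getRoleBasedAuthorizer(tableName, scope).isGrantedRole(strArr, subject);
            } catch (Exception e) {
                // Deny on failure: a table that cannot be read grants nothing.
                FFDCFilter.processException(e, "com.ibm.ws.management.authorizer.AdminAuthorizerImpl.isGrantedRole", "327", this);
                granted = false;
            }
        }
        // One exit record for every path, labelled with this method's own name (the positive
        // path previously traced under "checkAllGroups", and two paths had no exit record).
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isGrantedRole", Boolean.valueOf(granted));
        }
        return granted;
    }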

    /**
     * Checks {@code strArr} for {@code subject} against the {@code Constants.ADMIN_APP} table and
     * then against each {@code "admin-authz-" + groupName} table, stopping at the first grant.
     *
     * <p>Any exception, including one raised while checking a single group, is reported to FFDC
     * and ends the whole check with {@code false}; remaining groups are not consulted.
     *
     * @param strArr the role names to check
     * @param subject the subject the roles are checked for
     * @return {@code true} if one table grants the roles, otherwise {@code false}
     */
    private boolean checkAllGroups(String[] strArr, Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkAllGroups", strArr);
        }
        try {
            boolean granted = this.rbc.getRoleBasedAuthorizer(Constants.ADMIN_APP, scope).isGrantedRole(strArr, subject);
            if (!granted) {
                Iterator groups = AuthorizationGroups.getInstance().getGroups().iterator();
                while (!granted && groups.hasNext()) {
                    try {
                        AuthorizationGroup group = (AuthorizationGroup) groups.next();
                        granted = this.rbc.getRoleBasedAuthorizer("admin-authz-" + group.getGroupName(), scope).isGrantedRole(strArr, subject);
                    } catch (Exception e) {
                        // A failure on one group denies the request outright.
                        FFDCFilter.processException(e, "com.ibm.ws.management.authorizer.AdminAuthorizerImpl.checkAllGroups", "327", this);
                        return false;
                    }
                }
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "checkAllGroups", new Boolean(granted));
            }
            return granted;
        } catch (Exception e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.management.authorizer.AdminAuthorizerImpl.checkAllGroups", "327", this);
            return false;
        }
    }

    /**
     * Tells whether authorization decisions may be read from and written to the cache.
     *
     * @return the current value of {@code globalCanCache}
     */
    private boolean canCache() {
        final boolean cachingEnabled = this.globalCanCache;
        return cachingEnabled;
    }

    /**
     * Stores an authorization decision in the cache when caching is enabled; otherwise does
     * nothing.
     *
     * @param i first argument forwarded to {@code authzCache.addEntry}
     * @param str the cache key
     * @param bool the decision to store
     */
    private void updateAuthzCache(int i, String str, Boolean bool) {
        if (!canCache()) {
            return;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "caching ", new Object[]{str, bool});
        }
        this.authzCache.addEntry(i, str, bool);
    }

    /**
     * Reads a previously stored authorization decision.
     *
     * @param i first argument forwarded to {@code authzCache.getEntry}
     * @param str the cache key
     * @return the value returned by the cache cast to {@code Boolean}, or {@code null} when
     *         caching is disabled
     */
    private Boolean checkAccessFromCache(int i, String str) {
        Boolean cached = null;
        if (canCache()) {
            cached = (Boolean) this.authzCache.getEntry(i, str);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "result from cache ", new Object[]{str, cached});
            }
        }
        return cached;
    }

    /**
     * Builds a config cache key for the current caller by delegating to the four-argument
     * overload with {@code getCallerId()} as the last component.
     *
     * @param str second component of the key
     * @param str2 first component of the key; {@code null} is replaced by {@code "Cell"}
     * @param str3 third component of the key
     * @return the key produced by the four-argument overload
     */
    private String createConfigCacheKey(String str, String str2, String str3) {
        final String callerId = getCallerId();
        return createConfigCacheKey(str, str2, str3, callerId);
    }

    /**
     * Builds a config cache key of the form {@code str2:str:str3:str4}, using {@code "Cell"} in
     * place of a {@code null} {@code str2}.
     *
     * <p>NOTE(review): the components are joined with {@code ":"} without escaping. If any of
     * them can itself contain {@code ":"}, different inputs could produce the same key and share
     * a cached decision; confirm against the callers.
     *
     * @param str second component
     * @param str2 first component, or {@code null} for {@code "Cell"}
     * @param str3 third component
     * @param str4 fourth component; a {@code null} is rendered as {@code "null"}
     * @return the colon-joined key
     */
    private String createConfigCacheKey(String str, String str2, String str3, String str4) {
        StringBuilder key = new StringBuilder(str2 == null ? "Cell" : str2);
        key.append(":").append(str);
        key.append(":").append(str3);
        key.append(":").append(str4);
        return key.toString();
    }

    /**
     * Builds an MBean cache key of the form {@code str:callerId} for the current caller.
     *
     * <p>NOTE(review): the two parts are joined with {@code ":"} without escaping, and an
     * unresolved caller id appears as the text {@code "null"}; confirm neither can make two
     * different requests share a key.
     *
     * @param str the leading component; must not be {@code null}
     * @return the colon-joined key
     */
    private String createMbeanCacheKey(String str) {
        final String callerId = getCallerId();
        StringBuilder key = new StringBuilder(str);
        key.append(":");
        key.append(callerId);
        return key.toString();
    }

    /**
     * Builds a user cache key of the form {@code str:callerId} for the current caller.
     *
     * <p>The layout is the same as the one produced by {@code createMbeanCacheKey(String)};
     * keeping the two kinds of entry apart presumably relies on the integer passed to the cache
     * alongside the key (NOTE(review): confirm).
     *
     * @param str the leading component; must not be {@code null}
     * @return the colon-joined key
     */
    private String createUserCacheKey(String str) {
        final String callerId = getCallerId();
        StringBuilder key = new StringBuilder(str);
        key.append(":");
        key.append(callerId);
        return key.toString();
    }

    /**
     * Builds a user cache key of the form {@code str:str2:callerId} for the current caller.
     *
     * <p>NOTE(review): components are joined with {@code ":"} without escaping; confirm that none
     * of them can contain the delimiter in a way that makes two different requests share a key.
     *
     * @param str the leading component; must not be {@code null}
     * @param str2 the middle component
     * @return the colon-joined key
     */
    private String createUserCacheKey(String str, String str2) {
        final String callerId = getCallerId();
        StringBuilder key = new StringBuilder(str);
        key.append(":").append(str2);
        key.append(":").append(callerId);
        return key.toString();
    }

    /**
     * Builds a group cache key of the form {@code str:elem1:...:elemN:callerId} for the current
     * caller.
     *
     * <p>NOTE(review): elements are joined with {@code ":"} without escaping and without a length
     * marker, so the boundary between the array elements and the caller id is not recoverable
     * from the key; confirm that two different requests cannot end up with the same key.
     *
     * @param str the leading component; must not be {@code null}
     * @param strArr the values appended, in order, after {@code str}
     * @return the colon-joined key
     */
    private String createGroupCacheKey(String str, String[] strArr) {
        final String callerId = getCallerId();
        StringBuilder key = new StringBuilder(str);
        for (int idx = 0; idx < strArr.length; idx++) {
            key.append(":").append(strArr[idx]);
        }
        key.append(":");
        key.append(callerId);
        return key.toString();
    }

    /**
     * Builds a group cache key of the form {@code str:callerId:str2:str3} for the current caller.
     *
     * <p>Unlike the other key builders in this class, the caller id sits in second position, not
     * at the end.
     * NOTE(review): components are joined with {@code ":"} without escaping; confirm that none of
     * them can contain the delimiter in a way that makes two different requests share a key.
     *
     * @param str the leading component; must not be {@code null}
     * @param str2 the third component
     * @param str3 the fourth component
     * @return the colon-joined key
     */
    private String createGroupCacheKey(String str, String str2, String str3) {
        final String callerId = getCallerId();
        StringBuilder key = new StringBuilder(str);
        key.append(":").append(callerId);
        key.append(":").append(str2);
        key.append(":").append(str3);
        return key.toString();
    }

    /**
     * Builds an MBean cache key of the form {@code str2:str:str3:callerId} for the current
     * caller.
     *
     * <p>NOTE(review): components are joined with {@code ":"} without escaping; confirm that none
     * of them can contain the delimiter in a way that makes two different requests share a key.
     *
     * @param str the second component
     * @param str2 the leading component; must not be {@code null}
     * @param str3 the third component
     * @return the colon-joined key
     */
    private String createMbeanCacheKey(String str, String str2, String str3) {
        final String callerId = getCallerId();
        StringBuilder key = new StringBuilder(str2);
        key.append(":").append(str);
        key.append(":").append(str3);
        key.append(":").append(callerId);
        return key.toString();
    }
}
