package com.ibm.ws.security.authorization.saf.internal;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.InjectedTrace;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.websphere.ras.annotation.Trivial;
import com.ibm.websphere.security.WebSphereRuntimePermission;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.security.authorization.AuthorizationService;
import com.ibm.ws.security.authorization.saf.SAFRoleMapper;
import com.ibm.ws.security.context.SubjectManager;
import com.ibm.ws.security.credentials.saf.SAFCredentialsService;
import com.ibm.ws.security.saf.SAFException;
import com.ibm.ws.security.saf.SAFServiceResult;
import com.ibm.ws.zos.jni.NativeMethodManager;
import com.ibm.ws.zos.jni.NativeMethodUtils;
import com.ibm.wsspi.kernel.service.utils.ConcurrentServiceReferenceMap;
import com.ibm.wsspi.security.authorization.saf.AccessLevel;
import com.ibm.wsspi.security.authorization.saf.LogOption;
import com.ibm.wsspi.security.authorization.saf.SAFAuthorizationService;
import com.ibm.wsspi.security.credentials.saf.SAFCredential;
import java.util.Collection;
import java.util.Iterator;
import java.util.Map;
import javax.security.auth.Subject;
import org.apache.bcel.Constants;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.ComponentConstants;
import org.osgi.service.component.ComponentContext;

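/**
 * Authorization service backed by the z/OS SAF interface (RACF or an equivalent ESM).
 *
 * Two contracts are served:
 * <ul>
 *   <li>{@link AuthorizationService}: role-based checks. Each required role is mapped to a SAF
 *       profile by the configured {@link SAFRoleMapper} and checked for READ access in the
 *       {@code EJBROLE} class. A miss for the subject falls back to the server's default
 *       credential, so whatever the default user can READ in EJBROLE behaves as "everyone".</li>
 *   <li>{@link SAFAuthorizationService}: raw class/resource/access-level checks for a subject or
 *       SAF credential. These are guarded by a Java 2 security permission.</li>
 * </ul>
 *
 * Decisions are fail-closed: any non-zero return from the native SAF check, and any failure to
 * obtain the default credential, is treated as "not authorized".
 *
 * NOTE(review): the listing appears to be decompiled (trace-instrumentation annotations and the
 * "loaded from" marker below), so parameter names here were chosen from how the values are used.
 *
 * Thread-safety: this is a shared OSGi component. The mutable fields written by the DS
 * configuration/bind callbacks and read by request threads are {@code volatile} so a role-mapper
 * reconfiguration or unbind is visible to in-flight authorization calls.
 */
@TraceOptions(traceGroups = {"Security.Authorization"}, traceGroup = "", messageBundle = "com.ibm.ws.security.authorization.saf.internal.resources.SAFAuthorizationMessages", traceExceptionThrow = false, traceExceptionHandling = false)
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:resources/server_runtime/lib/com.ibm.ws.security.authorization.saf_1.0.1.jar:com/ibm/ws/security/authorization/saf/internal/SAFAuthorizationServiceImpl.class */
public class SAFAuthorizationServiceImpl implements AuthorizationService, SAFAuthorizationService {
    private static final TraceComponent tc = Tr.register(SAFAuthorizationServiceImpl.class);
    /** Name of the DS reference through which SAFRoleMapper services are bound. */
    protected static final String SAF_ROLE_MAPPER_REFERENCE_NAME = "safRoleMapper";
    /** The SAF class every role check is made against ("EJBROLE", converted to EBCDIC in the static initializer). */
    static final byte[] EJBROLE;
    /** Configuration key naming the SAFRoleMapper component to use. */
    protected static final String ROLE_MAPPER_KEY = "roleMapper";
    /** Permission a caller needs (when a SecurityManager is installed) for the SAFAuthorizationService methods. */
    private static final WebSphereRuntimePermission SAF_AUTHZ_PERM;
    static final long serialVersionUID = -6612111100651779197L;
    private NativeMethodManager nativeMethodManager = null;
    private SAFCredentialsService safCredentialsService = null;
    private final ConcurrentServiceReferenceMap<String, SAFRoleMapper> safRoleMappers = new ConcurrentServiceReferenceMap<>(SAF_ROLE_MAPPER_REFERENCE_NAME);
    // Written by updateConfig()/unsetSafRoleMapper() on DS threads, read on request threads.
    // volatile so a new roleMapper id or an unbind is seen instead of a stale cached mapper.
    private volatile String roleMapperName = null;
    private volatile SAFRoleMapper safRoleMapper = null;
    // One-shot latch for the "cannot create default credential" warning (see isEveryoneGranted).
    private volatile boolean defaultCredMsgAlreadyIssued = false;

    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public SAFAuthorizationServiceImpl() {
    }

    /**
     * DS bind: records the native method manager and registers this class's {@code ntv_*}
     * natives with it so they can be called.
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void setNativeMethodManager(NativeMethodManager nativeMethodManager) {
        this.nativeMethodManager = nativeMethodManager;
        this.nativeMethodManager.registerNatives(SAFAuthorizationServiceImpl.class);
    }

    /** DS unbind: clears the manager only if it is the one currently held. */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void unsetNativeMethodManager(NativeMethodManager nativeMethodManager) {
        if (this.nativeMethodManager == nativeMethodManager) {
            this.nativeMethodManager = null;
        }
    }

    /** DS bind for the credentials service that supplies SAF credential tokens and the default credential. */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void setSafCredentialsService(SAFCredentialsService safCredentialsService) {
        this.safCredentialsService = safCredentialsService;
    }

    /** DS unbind: clears the credentials service only if it is the one currently held. */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void unsetSafCredentialsService(SAFCredentialsService safCredentialsService) {
        if (this.safCredentialsService == safCredentialsService) {
            this.safCredentialsService = null;
        }
    }

    /**
     * DS bind (multiple cardinality): tracks each SAFRoleMapper by its {@code component.name}
     * so {@link #getRoleMapper()} can resolve the configured one by id.
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void setSafRoleMapper(ServiceReference<SAFRoleMapper> serviceReference) {
        this.safRoleMappers.putReference((String) serviceReference.getProperty(ComponentConstants.COMPONENT_NAME), serviceReference);
    }

    /**
     * DS unbind: drops the reference and, if it was the mapper in use, invalidates the cached
     * instance so the next authorization call re-resolves (and fails loudly if none is bound).
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void unsetSafRoleMapper(ServiceReference<SAFRoleMapper> serviceReference) {
        String componentName = (String) serviceReference.getProperty(ComponentConstants.COMPONENT_NAME);
        // Null-safe: a reference lacking component.name must not NPE inside the unbind callback.
        if (componentName != null && componentName.equals(this.roleMapperName)) {
            this.safRoleMapper = null;
        }
        this.safRoleMappers.removeReference(componentName, serviceReference);
    }

    /** DS activate: starts tracking bound mappers and applies the initial configuration. */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void activate(ComponentContext componentContext, Map<String, Object> config) {
        this.safRoleMappers.activate(componentContext);
        updateConfig(config);
    }

    /** DS deactivate: stops tracking bound mappers. */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void deactivate(ComponentContext componentContext) {
        this.safRoleMappers.deactivate(componentContext);
    }

    /** DS modified: re-applies configuration without restarting the component. */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void modify(Map<String, Object> config) {
        updateConfig(config);
    }

    /**
     * Reads the {@code roleMapper} id from configuration (may be null if absent) and invalidates
     * the cached mapper.
     *
     * Order matters: the new name is published before the cache is cleared, so every resolution
     * that happens after the clear uses the new name. Clearing first would let a concurrent
     * getRoleMapper() cache the mapper for the old name after the clear.
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void updateConfig(Map<String, Object> config) {
        this.roleMapperName = (String) config.get(ROLE_MAPPER_KEY);
        this.safRoleMapper = null;
    }

    /**
     * Returns the configured SAFRoleMapper, resolving and caching it on first use.
     *
     * The resolved instance is returned from a local so a concurrent unbind that nulls the
     * cache between assignment and return cannot make this method return null.
     * {@code getServiceWithException} presumably throws when the configured id is not bound
     * (name only; not visible here), so a role check never proceeds without a mapper.
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected SAFRoleMapper getRoleMapper() {
        SAFRoleMapper mapper = this.safRoleMapper;
        if (mapper == null) {
            mapper = this.safRoleMappers.getServiceWithException(this.roleMapperName);
            this.safRoleMapper = mapper;
        }
        return mapper;
    }

    /**
     * Whether the server's default (unauthenticated) credential holds any of the required roles
     * for the resource.
     *
     * The default credential is checked with {@link LogOption#NOFAIL} so the routine miss for an
     * unauthenticated caller does not raise SAF violation logging on every request.
     *
     * @return true if the default credential has READ on a mapped EJBROLE profile (or no roles
     *         are required); false otherwise, including when the default credential cannot be
     *         created (fail closed)
     * @throws NullPointerException if resourceName or requiredRoles is null
     */
    @Override // com.ibm.ws.security.authorization.AuthorizationService
    @FFDCIgnore({SAFException.class})
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public boolean isEveryoneGranted(String resourceName, Collection<String> requiredRoles) {
        assertNotNull(resourceName, "resourceName is null");
        assertNotNull(requiredRoles, "requiredRoles is null");
        try {
            SAFCredential defaultCredential = this.safCredentialsService.getDefaultCredential();
            // Default credential is obtainable again: re-arm the one-shot warning below.
            this.defaultCredMsgAlreadyIssued = false;
            return checkRoles(defaultCredential, resourceName, requiredRoles, LogOption.NOFAIL);
        } catch (SAFException e) {
            // Deny, and warn once per outage rather than flooding the log on every request.
            if (!this.defaultCredMsgAlreadyIssued) {
                Tr.warning(tc, "UNABLE_TO_CREATE_DEFAULT_CRED", e.getMessage());
                this.defaultCredMsgAlreadyIssued = true;
            }
            return false;
        }
    }

    /**
     * Role-based check for a subject, with the "everyone" fallback.
     *
     * The subject's SAF credential is checked first; if that denies, the default credential is
     * consulted via {@link #isEveryoneGranted}. Logging is left to {@link #checkRoles} (null
     * option) so a denied request yields a single SAF failure record.
     *
     * @param subject may be null as far as this class is concerned; handling of a null or
     *                credential-less subject is delegated to the credentials service (not visible here)
     * @throws NullPointerException if resourceName or requiredRoles is null
     */
    @Override // com.ibm.ws.security.authorization.AuthorizationService
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public boolean isAuthorized(String resourceName, Collection<String> requiredRoles, Subject subject) {
        assertNotNull(resourceName, "resourceName is null");
        assertNotNull(requiredRoles, "requiredRoles is null");
        boolean granted = checkRoles(this.safCredentialsService.getSAFCredentialFromSubject(subject), resourceName, requiredRoles, null);
        if (!granted) {
            granted = isEveryoneGranted(resourceName, requiredRoles);
        }
        return granted;
    }

    /**
     * SAF access check for the effective (invocation, else caller) subject on the current thread.
     *
     * @param accessLevel null means READ
     * @throws SecurityException        if a SecurityManager is installed and the caller lacks SAF_AUTHZ_PERM
     * @throws NullPointerException     if className or resourceName is null
     */
    @Override // com.ibm.wsspi.security.authorization.saf.SAFAuthorizationService
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public boolean isAuthorized(String className, String resourceName, AccessLevel accessLevel) {
        securityManagerCheck();
        assertNotNull(resourceName, "resourceName is null");
        assertNotNull(className, "className is null");
        return isSubjectAuthorized(getEffectiveSubject(), className, resourceName, accessLevel);
    }

    /**
     * SAF access check for an explicit subject.
     *
     * @param accessLevel null means READ
     * @throws SecurityException        if a SecurityManager is installed and the caller lacks SAF_AUTHZ_PERM
     * @throws NullPointerException     if className or resourceName is null
     */
    @Override // com.ibm.wsspi.security.authorization.saf.SAFAuthorizationService
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public boolean isAuthorized(Subject subject, String className, String resourceName, AccessLevel accessLevel) {
        securityManagerCheck();
        assertNotNull(resourceName, "resourceName is null");
        assertNotNull(className, "className is null");
        return isSubjectAuthorized(subject, className, resourceName, accessLevel);
    }

    /**
     * SAF access check for an explicit SAF credential.
     *
     * @param accessLevel null means READ
     * @throws SecurityException        if a SecurityManager is installed and the caller lacks SAF_AUTHZ_PERM
     * @throws NullPointerException     if className or resourceName is null
     */
    @Override // com.ibm.wsspi.security.authorization.saf.SAFAuthorizationService
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public boolean isAuthorized(SAFCredential safCredential, String className, String resourceName, AccessLevel accessLevel) {
        securityManagerCheck();
        assertNotNull(resourceName, "resourceName is null");
        assertNotNull(className, "className is null");
        return isSAFCredentialAuthorized(safCredential, className, resourceName, accessLevel);
    }

    /** Extracts the subject's SAF credential and delegates to the credential-based check. */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private boolean isSubjectAuthorized(Subject subject, String className, String resourceName, AccessLevel accessLevel) {
        return isSAFCredentialAuthorized(this.safCredentialsService.getSAFCredentialFromSubject(subject), className, resourceName, accessLevel);
    }

    /** Converts class/resource to EBCDIC and runs the native check with normal (ASIS) SAF logging. */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private boolean isSAFCredentialAuthorized(SAFCredential safCredential, String className, String resourceName, AccessLevel accessLevel) {
        return checkAccess(this.safCredentialsService.getSAFCredentialTokenBytes(safCredential), NativeMethodUtils.convertToEBCDIC(className), NativeMethodUtils.convertToEBCDIC(resourceName), accessLevel, LogOption.ASIS);
    }

    /**
     * Checks whether the credential has READ on the EJBROLE profile mapped from any required role.
     *
     * @param logOption  SAF logging option for every check; null means "suppress failure logging
     *                   for all but the last role", so a fully denied request produces one SAF
     *                   failure record instead of one per role
     * @return true if requiredRoles is empty (nothing to check; the AuthorizationService caller's
     *         contract treats this as permitted) or any role's profile grants READ; false otherwise
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected boolean checkRoles(SAFCredential safCredential, String resourceName, Collection<String> requiredRoles, LogOption logOption) {
        if (requiredRoles.isEmpty()) {
            return true;
        }
        byte[] credentialToken = this.safCredentialsService.getSAFCredentialTokenBytes(safCredential);
        Iterator<String> roles = requiredRoles.iterator();
        while (roles.hasNext()) {
            String profile = getRoleMapper().getProfileFromRole(resourceName, roles.next());
            LogOption effectiveLogOption = logOption;
            if (effectiveLogOption == null) {
                effectiveLogOption = roles.hasNext() ? LogOption.NOFAIL : LogOption.ASIS;
            }
            if (checkAccess(credentialToken, EJBROLE, NativeMethodUtils.convertToEBCDIC(profile), AccessLevel.READ, effectiveLogOption)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Single native SAF authorization check. Fail-closed: only a zero return grants access.
     *
     * @param safCredentialToken credential token bytes from the credentials service
     * @param className          SAF class, already in EBCDIC
     * @param resourceName       SAF resource/profile, already in EBCDIC
     * @param accessLevel        null means READ
     * @param logOption          null means ASIS (normal SAF logging), mirroring the accessLevel
     *                           default so a denial is never silently un-logged by a null option
     * @return true only when the native check returns 0
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected boolean checkAccess(byte[] safCredentialToken, byte[] className, byte[] resourceName, AccessLevel accessLevel, LogOption logOption) {
        if (accessLevel == null) {
            accessLevel = AccessLevel.READ;
        }
        if (logOption == null) {
            logOption = LogOption.ASIS;
        }
        SAFServiceResult result = new SAFServiceResult();
        // resourceName is passed in the slot before className, the same order
        // setAuthorizationFields() receives them below; presumably the native signature is
        // (token, resource, class, prefix, ...) -- TODO confirm against the JNI stub.
        int rc = ntv_checkAccess(safCredentialToken, resourceName, className, this.safCredentialsService.getProfilePrefixEBCDIC(), accessLevel.value, logOption.value, false, true, result.getBytes());
        if (rc == 0) {
            return true;
        }
        // Non-zero always denies. Only unexpected failures (as judged by the result object,
        // i.e. not a plain "not authorized") are logged, with the fields converted back to ASCII.
        if (result.isUnexpected()) {
            result.setAuthorizationFields(NativeMethodUtils.convertToASCII(resourceName), NativeMethodUtils.convertToASCII(className), this.safCredentialsService.getProfilePrefix());
            result.logIfUnexpected();
        }
        return false;
    }

    /**
     * Whether the given SAF class is active on this system.
     *
     * @return true for native rc 1, false for rc 0
     * @throws RuntimeException wrapping a SAFException for any other return code, so an ESM
     *                          problem is surfaced rather than silently read as "inactive"
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected boolean isSAFClassActive(String className) {
        int rc = ntv_isSAFClassActive(NativeMethodUtils.convertToEBCDIC(className));
        switch (rc) {
            case 1:
                return true;
            case 0:
                return false;
            default:
                throw new RuntimeException("unexpected SAF failure", new SAFException("ntv_isSAFClassActive returned an unexpected rc: " + rc));
        }
    }

    /** Precondition helper: throws NullPointerException carrying {@code message} when obj is null. */
    @Trivial
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void assertNotNull(Object obj, String message) {
        if (obj == null) {
            throw new NullPointerException(message);
        }
    }

    /**
     * Java 2 security gate for the public SAFAuthorizationService methods. A no-op when no
     * SecurityManager is installed (which is also the only mode on recent JDKs, where the
     * SecurityManager is deprecated/disabled).
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private void securityManagerCheck() {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(SAF_AUTHZ_PERM);
        }
    }

    /**
     * The subject to authorize on the current thread: the invocation (run-as) subject if set,
     * else the caller subject. May be null when neither is set; the null is passed through to
     * the credentials service.
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private Subject getEffectiveSubject() {
        SubjectManager subjectManager = new SubjectManager();
        Subject subject = subjectManager.getInvocationSubject();
        if (subject == null) {
            subject = subjectManager.getCallerSubject();
        }
        return subject;
    }

    /** Native: 1 if the EBCDIC SAF class is active, 0 if not, anything else is an error. */
    protected native int ntv_isSAFClassActive(byte[] classNameEbcdic);

    /**
     * Native SAF authorization check; 0 means authorized. Parameter names follow how
     * {@link #checkAccess} passes the values; the meaning of the two boolean flags is not
     * visible in this file.
     */
    protected native int ntv_checkAccess(byte[] safCredentialToken, byte[] resourceNameEbcdic, byte[] classNameEbcdic, byte[] profilePrefixEbcdic, int accessLevel, int logOption, boolean z, boolean z2, byte[] safServiceResultBytes);

    static {
        if (TraceComponent.isAnyTracingEnabled() && tc != null && tc.isEntryEnabled()) {
            Tr.entry(tc, Constants.STATIC_INITIALIZER_NAME, new Object[0]);
        }
        EJBROLE = NativeMethodUtils.convertToEBCDIC("EJBROLE");
        SAF_AUTHZ_PERM = new WebSphereRuntimePermission("safAuthorizationService");
        if (TraceComponent.isAnyTracingEnabled() && tc != null && tc.isEntryEnabled()) {
            Tr.exit(tc, Constants.STATIC_INITIALIZER_NAME);
        }
    }
}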
