package com.ibm.ws.security.zOS.authz;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.security.AuthorizationTable;
import com.ibm.websphere.security.SAFRoleMapper;
import com.ibm.websphere.security.SecurityProviderException;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.auth.PlatformCredential;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.common.util.CommonConstants;
import com.ibm.ws.security.config.SecurityConfig;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.jaspi.commands.AdminConstants;
import com.ibm.ws.security.util.AccessController;
import com.ibm.ws.security.util.Constants;
import com.ibm.ws.security.zOS.PlatformCredentialManager;
import com.ibm.ws.security.zOS.authz.SAFAuthorizationOptions;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Properties;
import javax.security.auth.Subject;

/* loaded from: input_file:lib/com.ibm.ws.runtime.jar:com/ibm/ws/security/zOS/authz/SAFAuthorizationTableImpl.class */
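/**
 * SAF-backed {@link AuthorizationTable} for WebSphere on z/OS.
 *
 * Role checks are answered by asking SAF whether the caller's
 * {@link PlatformCredential} has READ access to the EJBROLE profile that the
 * configured {@link SAFRoleMapper} derives from the application name and the
 * J2EE role name.
 *
 * Security-relevant behaviour that is visible in this class and that operators
 * should be aware of:
 * <ul>
 *   <li><b>Fail-open on an inactive EJBROLE class.</b> If SAF reports the EJBROLE
 *       resource class as not active, the access check is treated as GRANTED and a
 *       process-wide sticky flag is set. From then on {@link #isEveryoneGranted}
 *       answers {@code true} for every role, regardless of the roles passed in,
 *       until the JVM is restarted; nothing in this class ever clears the flag.</li>
 *   <li><b>Default credential fallback.</b> A Subject that carries no platform
 *       credential is not rejected; the check is performed against
 *       {@code PlatformCredentialManager.createDefaultCredential()} instead.</li>
 *   <li><b>Audit suppression.</b> When isCallerInRole auditing is disabled
 *       ({@code SecurityConfig.ENABLE_AUDIT_FOR_IS_CALLER_IN_ROLE}), single-role
 *       checks run with {@code LogOption.NONE} and message suppression forced on,
 *       so SAF is asked not to log those failures.</li>
 *   <li><b>Partial SAF logging for multi-role checks.</b> With no explicit log
 *       option configured, every profile except the last is checked with
 *       {@code NOFAIL}; only a failure on the final profile is logged ASIS.</li>
 * </ul>
 *
 * Configuration properties read at construction:
 * {@code com.ibm.security.SAF.Authz.Log.Option} (NONE | ASIS | NOFAIL; any other
 * value leaves the option unset), {@code com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress}
 * and {@code CommonConstants.SAF_AUTHZN_MESSAGE_SUPPRESSION_ADMIN}.
 */
public class SAFAuthorizationTableImpl implements AuthorizationTable {
    /** Key under which callers place the {@link Subject} in the context map. */
    private static final String SUBJECT_KEY = "AUTHZ_SUBJECT";
    private static final String LOG_OPTION_PROPERTY = "com.ibm.security.SAF.Authz.Log.Option";
    private static final String SUPPRESS_MESSAGES_PROPERTY = "com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress";
    /** SAF resource class that holds one profile per application role. */
    private static final String EJBROLE_CLASS = "EJBROLE";

    private SAFRoleMapper _roleMapper;
    /** Suppress SAF failure messages for non-admin applications. */
    boolean _suppressMessages;
    /** Suppress SAF failure messages for the admin application (Constants.ADMIN_APP). */
    boolean _suppressAdminMessages;
    /** Explicit SAF log option, or null to let isCredentialInAnyRole pick per profile. */
    SAFAuthorizationOptions.LogOption _logOption;
    private static final TraceComponent tc = Tr.register((Class<?>) SAFAuthorizationTableImpl.class, "Security", AdminConstants.MSG_BUNDLE_NAME);
    // Sticky, process-wide fail-open flag. Written under the class lock in
    // setRoleClassInactive() but read without it in isRoleClassInactive(), so it is
    // volatile to guarantee other threads observe the transition to true.
    private static volatile boolean _roleClassInactive = false;

    /**
     * Production constructor: reads the security configuration, obtains the role
     * mapper from {@code SAFRoleMapperFactory} and emits the "SAF authz enabled"
     * audit message.
     */
    public SAFAuthorizationTableImpl() {
        this._roleMapper = null;
        this._suppressMessages = false;
        this._suppressAdminMessages = true;
        this._logOption = null;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "<init>");
        }
        initialize(SecurityObjectLocator.getSecurityConfig().getProperties());
        this._roleMapper = SAFRoleMapperFactory.getSAFRoleMapper();
        Tr.audit(tc, "security.zos.saf.authz.enabled");
        if (tc.isEntryEnabled()) {
            // Was Tr.entry in the original; every other method in this file pairs
            // entry with exit, so log the exit here.
            Tr.exit(tc, "<init>", this);
        }
    }

    /**
     * Package-private constructor that only applies the given properties.
     * NOTE: it does not set a role mapper; getProfilesFromRoles() will fail with an
     * IllegalStateException unless a subclass overrides it or a mapper is
     * installed some other way (presumably only used by tests).
     *
     * @param properties configuration properties to read the SAF options from
     */
    SAFAuthorizationTableImpl(Properties properties) {
        this._roleMapper = null;
        this._suppressMessages = false;
        this._suppressAdminMessages = true;
        this._logOption = null;
        initialize(properties);
    }

    /**
     * Applies the SAF authorization options from {@code properties}.
     *
     * Admin message suppression resolves as follows: if
     * {@code SAF_AUTHZN_MESSAGE_SUPPRESSION_ADMIN} is set, its boolean value wins;
     * otherwise admin messages are suppressed exactly when no explicit log option
     * was configured.
     *
     * @param properties source of the configuration values; must not be null
     */
    private void initialize(Properties properties) {
        String logOptionName = properties.getProperty(LOG_OPTION_PROPERTY);
        if (logOptionName != null && logOptionName.length() > 0) {
            if (logOptionName.equals(SAFAuthorizationOptions.NONE.toString())) {
                this._logOption = SAFAuthorizationOptions.NONE;
            } else if (logOptionName.equals(SAFAuthorizationOptions.ASIS.toString())) {
                this._logOption = SAFAuthorizationOptions.ASIS;
            } else if (logOptionName.equals(SAFAuthorizationOptions.NOFAIL.toString())) {
                this._logOption = SAFAuthorizationOptions.NOFAIL;
            }
            // Any other value is silently ignored and _logOption stays null; a typo
            // in the property therefore falls back to the per-profile default below.
        }
        this._suppressMessages = Boolean.parseBoolean(properties.getProperty(SUPPRESS_MESSAGES_PROPERTY));
        String adminSuppress = properties.getProperty(CommonConstants.SAF_AUTHZN_MESSAGE_SUPPRESSION_ADMIN);
        if (adminSuppress != null) {
            this._suppressAdminMessages = Boolean.parseBoolean(adminSuppress);
        } else {
            this._suppressAdminMessages = (this._logOption == null);
        }
    }

    /**
     * Reports whether every caller is granted the roles.
     *
     * This implementation ignores both arguments: it returns {@code true} only
     * when a previous SAF call found the EJBROLE class inactive (see the class
     * comment). Once that sticky flag is set, all roles are granted to everyone
     * for the life of the JVM.
     *
     * @param hashMap authorization context (unused)
     * @param strArr  role names (unused)
     * @return true if the EJBROLE class has been observed as inactive
     */
    @Override // com.ibm.websphere.security.AuthorizationTable
    public boolean isEveryoneGranted(HashMap hashMap, String[] strArr) throws SecurityProviderException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isEveryoneGranted", new Object[]{hashMap, strArr});
        }
        boolean granted = isRoleClassInactive();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isEveryoneGranted", Boolean.valueOf(granted));
        }
        return granted;
    }

    /**
     * Checks a single role. With isCallerInRole auditing enabled this is a
     * one-element {@link #isGrantedAnyRole}; otherwise the check is run with SAF
     * logging turned off and messages suppressed (see isGrantedRoleWithNoAudit).
     *
     * @param hashMap   authorization context holding the Subject and APP_NAME
     * @param str       role name
     * @param principal caller principal (not used by the SAF check itself)
     * @return true if the caller's platform credential may READ the role's profile
     * @throws SecurityProviderException if the platform credential cannot be obtained
     */
    @Override // com.ibm.websphere.security.AuthorizationTable
    public boolean isGrantedRole(HashMap hashMap, String str, Principal principal) throws SecurityProviderException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isGrantedRole", new Object[]{hashMap, str, principal});
        }
        boolean granted;
        if (isAuditEnabled()) {
            granted = isGrantedAnyRole(hashMap, new String[]{str}, principal);
        } else {
            granted = isGrantedRoleWithNoAudit(hashMap, str);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isGrantedRole", Boolean.valueOf(granted));
        }
        return granted;
    }

    /**
     * Checks whether the caller holds at least one of the roles.
     *
     * @param hashMap   authorization context holding the Subject under
     *                  {@code AUTHZ_SUBJECT} and the application under APP_NAME
     * @param strArr    role names; must be non-null and non-empty
     * @param principal caller principal (traced only)
     * @return true if SAF grants READ on any mapped EJBROLE profile, or if the
     *         EJBROLE class is inactive
     * @throws SecurityProviderException if the platform credential cannot be obtained
     * @throws IllegalArgumentException  if no roles are supplied
     */
    @Override // com.ibm.websphere.security.AuthorizationTable
    public boolean isGrantedAnyRole(HashMap hashMap, String[] strArr, Principal principal) throws SecurityProviderException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isGrantedAnyRole", new Object[]{hashMap, strArr, principal});
        }
        PlatformCredential credential = getPlatformCredential((Subject) hashMap.get(SUBJECT_KEY));
        validateRoles(strArr);
        String[] profiles = getProfilesFromRoles(hashMap, strArr);
        boolean granted = isCredentialInAnyRole(credential, profiles, this._logOption, isMessageSuppressionNeeded(hashMap));
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isGrantedAnyRole", Boolean.valueOf(granted));
        }
        return granted;
    }

    /**
     * Asks SAF, profile by profile, whether {@code platformCredential} has READ
     * access in the EJBROLE class, stopping at the first grant.
     *
     * Outcome per SAF result:
     * <ul>
     *   <li>granted: returns true immediately;</li>
     *   <li>explicitly denied or invalid credential: moves on to the next profile;</li>
     *   <li>EJBROLE class inactive: returns true (FAIL-OPEN) and sets the
     *       process-wide sticky flag read by {@link #isEveryoneGranted}.</li>
     * </ul>
     * When {@code logOption} is null, profiles before the last are checked with
     * NOFAIL so that only a failure on the final profile is logged by SAF.
     *
     * @param platformCredential credential to check; assumed non-null (its user id
     *                           is traced on failure)
     * @param strArr             EJBROLE profile names in the order to try
     * @param logOption          explicit SAF log option, or null for the default above
     * @param z                  whether SAF failure messages should be suppressed
     * @return true if any profile grants access or the class is inactive
     */
    private boolean isCredentialInAnyRole(PlatformCredential platformCredential, String[] strArr, SAFAuthorizationOptions.LogOption logOption, boolean z) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isCredentialInAnyRole", new Object[]{platformCredential, strArr, logOption, Boolean.valueOf(z)});
        }
        boolean granted = false;
        SAFAuthorizationManager manager = SAFAuthorizationManager.instance();
        for (int idx = 0; idx < strArr.length && !granted; idx++) {
            boolean isLastProfile = idx == strArr.length - 1;
            SAFAuthorizationOptions.LogOption effectiveLogOption = logOption;
            if (logOption == null) {
                effectiveLogOption = isLastProfile ? SAFAuthorizationOptions.ASIS : SAFAuthorizationOptions.NOFAIL;
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "isLastProfile is " + isLastProfile + ", The log option is null so setting it to: " + effectiveLogOption);
                }
            }
            try {
                granted = manager.checkAccess(platformCredential, EJBROLE_CLASS, strArr[idx], (String) null, AccessLevel.READ, effectiveLogOption, z, true);
            } catch (AuthorizationDeniedException denied) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "SAF has explicitly denied READ access to the profile " + strArr[idx] + " in the resource class  EJBROLE.");
                }
            } catch (InactiveClassException inactive) {
                // SECURITY: fail-open by design. An inactive EJBROLE class means SAF
                // is not enforcing roles at all, so access is allowed and the sticky
                // flag makes isEveryoneGranted() report the same for this JVM.
                granted = true;
                setRoleClassInactive();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "The resource class EJBROLE has not been activated.  As a result, access will be allowed.", inactive);
                }
            } catch (InvalidCredentialException invalid) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "The Subject associated with the current thread of execution does not contain a valid PlatformCredential.", invalid);
                }
            }
        }
        if (!granted && tc.isDebugEnabled()) {
            Tr.debug(tc, "Authorization failed. The SAF user " + platformCredential.getUserId() + " does not have " + AccessLevel.READ.toString() + " access to any of the following SAF profiles in the EJBROLE class: " + Arrays.toString(strArr));
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isCredentialInAnyRole", Boolean.valueOf(granted));
        }
        return granted;
    }

    /**
     * Maps each role name to its EJBROLE profile via the configured role mapper,
     * using the application name found under APP_NAME in the context map.
     *
     * @param hashMap authorization context; APP_NAME may be null, which is passed
     *                through to the mapper as-is
     * @param strArr  role names
     * @return profile names, positionally matching {@code strArr}
     * @throws IllegalStateException if no role mapper has been configured
     */
    protected String[] getProfilesFromRoles(HashMap hashMap, String[] strArr) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getProfilesFromRoles", new Object[]{hashMap, strArr});
        }
        if (this._roleMapper == null) {
            // Previously surfaced as a bare NullPointerException (e.g. when the
            // Properties constructor was used without installing a mapper).
            throw new IllegalStateException("No SAFRoleMapper configured; cannot map roles to EJBROLE profiles");
        }
        String appName = (String) hashMap.get(AuthorizationTable.APP_NAME);
        String[] profiles = new String[strArr.length];
        for (int idx = 0; idx < strArr.length; idx++) {
            profiles[idx] = this._roleMapper.getProfileFromRole(appName, strArr[idx]);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getProfilesFromRoles", profiles);
        }
        return profiles;
    }

    /**
     * Records that SAF reported the EJBROLE class inactive. The flag is static and
     * is never cleared by this class, so it persists until the JVM restarts.
     */
    private static synchronized void setRoleClassInactive() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setRoleClassInactive");
        }
        if (!_roleClassInactive) {
            _roleClassInactive = true;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setRoleClassInactive");
        }
    }

    /** @return true once any SAF call has reported the EJBROLE class inactive. */
    private static boolean isRoleClassInactive() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isRoleClassInactive");
        }
        boolean inactive = _roleClassInactive;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isRoleClassInactive", Boolean.valueOf(inactive));
        }
        return inactive;
    }

    /** @return whether isCallerInRole auditing is enabled in the security config. */
    protected boolean isAuditEnabled() {
        return getSecurityConfig().getPropertyBool(SecurityConfig.ENABLE_AUDIT_FOR_IS_CALLER_IN_ROLE);
    }

    /** @return the active {@link SecurityConfig}; overridable for testing. */
    protected SecurityConfig getSecurityConfig() {
        return SecurityObjectLocator.getSecurityConfig();
    }

    /**
     * Single-role check with SAF logging disabled: the profile is checked with
     * {@code LogOption.NONE} and message suppression forced on, so a denial here
     * leaves no SAF audit record. Used when isCallerInRole auditing is off.
     *
     * @param hashMap authorization context holding the Subject and APP_NAME
     * @param str     role name
     * @return true if the caller may READ the mapped profile (or the class is inactive)
     * @throws SecurityProviderException if the platform credential cannot be obtained
     */
    protected boolean isGrantedRoleWithNoAudit(HashMap hashMap, String str) throws SecurityProviderException {
        PlatformCredential credential = getPlatformCredential((Subject) hashMap.get(SUBJECT_KEY));
        String[] roles = {str};
        validateRoles(roles);
        return isCredentialInAnyRole(credential, getProfilesFromRoles(hashMap, roles), SAFAuthorizationOptions.NONE, true);
    }

    /**
     * Extracts the {@link PlatformCredential} from the Subject's WSCredential,
     * running under doPrivileged.
     *
     * If the Subject has no WSCredential, or the WSCredential carries no
     * PLATFORM_CREDENTIAL, the default credential from
     * {@code PlatformCredentialManager} is returned instead of failing — so an
     * unauthenticated or foreign Subject is authorized as that default identity
     * (presumably the server's unauthenticated/default SAF user; confirm against
     * PlatformCredentialManager.createDefaultCredential()).
     *
     * @param subject the Subject taken from the context map; may be null
     * @return a credential to pass to SAF, never null unless the manager returns null
     * @throws SecurityProviderException wrapping any exception from the privileged action
     */
    private PlatformCredential getPlatformCredential(final Subject subject) throws SecurityProviderException {
        try {
            return (PlatformCredential) AccessController.doPrivileged(new PrivilegedExceptionAction() { // from class: com.ibm.ws.security.zOS.authz.SAFAuthorizationTableImpl.1
                @Override // java.security.PrivilegedExceptionAction
                public Object run() throws Exception {
                    WSCredential wsCredential = SubjectHelper.getWSCredentialFromSubject(subject);
                    Object credential = null;
                    if (wsCredential != null) {
                        credential = wsCredential.get(CommonConstants.PLATFORM_CREDENTIAL);
                    }
                    if (credential == null) {
                        credential = PlatformCredentialManager.instance().createDefaultCredential();
                    }
                    return credential;
                }
            });
        } catch (PrivilegedActionException e) {
            FFDCFilter.processException(e.getException(), CommonConstants.SAF_AUTHZN_IMPL, "431", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unable to acquire credential for authorization", e.getException());
            }
            throw new SecurityProviderException("Unable to acquire credential for authorization", e.getException());
        }
    }

    /**
     * Rejects a null or empty role list.
     *
     * @param strArr role names
     * @throws IllegalArgumentException if {@code strArr} is null or empty
     */
    protected static void validateRoles(String[] strArr) {
        if (strArr == null || strArr.length == 0) {
            throw new IllegalArgumentException("Target role is required");
        }
    }

    /**
     * Chooses the SAF message-suppression flag for the application in the context:
     * the admin setting for {@code Constants.ADMIN_APP}, the general one otherwise.
     *
     * @param hashMap authorization context holding APP_NAME
     * @return true if SAF failure messages should be suppressed for this check
     */
    protected boolean isMessageSuppressionNeeded(HashMap hashMap) {
        String appName = (String) hashMap.get(AuthorizationTable.APP_NAME);
        if (Constants.ADMIN_APP.equals(appName)) {
            return this._suppressAdminMessages;
        }
        return this._suppressMessages;
    }

    /** Diagnostic rendering of the configured options and the sticky inactive flag. */
    public String toString() {
        StringBuilder sb = new StringBuilder(super.toString());
        sb.append(";_logOption=").append(this._logOption);
        sb.append(";_suppressMessages=").append(this._suppressMessages);
        sb.append(";_suppressAdminMessages=").append(this._suppressAdminMessages);
        sb.append(";_roleMapper=").append(this._roleMapper);
        // The original omitted the '=' for this field.
        sb.append(";_roleClassInactive=").append(_roleClassInactive);
        return sb.toString();
    }
}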
