package com.ibm.ws.collective.security.internal;

import com.ibm.ejs.ras.TraceNLS;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.collective.security.CollectiveOperationAuthorizer;
import com.ibm.ws.collective.security.CollectiveServerCredential;
import com.ibm.ws.collective.utils.RepositoryPathUtility;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.context.SubjectManager;
import java.security.AccessControlException;
import java.util.Set;
import javax.security.auth.Subject;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;

@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@Component(service = {CollectiveOperationAuthorizer.class}, configurationPolicy = ConfigurationPolicy.IGNORE, property = {"service.vendor=IBM"})
/* loaded from: input_file:wlp/lib/com.ibm.ws.collective.security_1.0.14.jar:com/ibm/ws/collective/security/internal/CollectiveOperationAuthorizerImpl.class */
public class CollectiveOperationAuthorizerImpl implements CollectiveOperationAuthorizer {
    private static final TraceComponent tc = Tr.register(CollectiveOperationAuthorizerImpl.class);
    private SubjectManager subjectManager;
    static final long serialVersionUID = 6987600621102425431L;

    public CollectiveOperationAuthorizerImpl() {
        this.subjectManager = null;
        this.subjectManager = new SubjectManager();
    }

    public CollectiveOperationAuthorizerImpl(SubjectManager subjectManager) {
        this.subjectManager = null;
        this.subjectManager = subjectManager;
    }

    @Activate
    protected void activate() {
    }

    @Deactivate
    protected void deactivate() {
    }

    private void throwAccessControlException(String str, String str2, String str3, String str4) throws AccessControlException {
        throw new AccessControlException(TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, "COLLECTIVE_OPERATION_MEMBER_ACCESS_DENIED", new Object[]{str, str2, str3, str4}, "CWWKX9208E: The collective operation {0} operation cannot be completed. Permission is denied for member identified as host {1} user directory {2} and server name {3}."));
    }

    @Override // com.ibm.ws.collective.security.CollectiveOperationAuthorizer
    public void isAuthorized(String str) throws AccessControlException {
        Subject callerSubject = this.subjectManager.getCallerSubject();
        if (callerSubject == null) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isEventEnabled()) {
                Tr.event(tc, "Access granted.  Caller Subject is null: unauthenticated user, the server itself", new Object[0]);
                return;
            }
            return;
        }
        Set privateCredentials = callerSubject.getPrivateCredentials(CollectiveServerCredential.class);
        CollectiveServerCredential collectiveServerCredential = null;
        if (privateCredentials.iterator().hasNext()) {
            collectiveServerCredential = (CollectiveServerCredential) privateCredentials.iterator().next();
        }
        if (privateCredentials.isEmpty() || collectiveServerCredential == null) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isEventEnabled()) {
                Tr.event(tc, "Access granted.  Caller Subject is not null, but has no collective server credential: an admin user.", new Object[0]);
                return;
            }
            return;
        }
        boolean isCollectiveController = collectiveServerCredential.isCollectiveController();
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Collective member credential: isCollectiveController = " + isCollectiveController, new Object[0]);
        }
        if (isCollectiveController) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isEventEnabled()) {
                Tr.event(tc, "Access granted. Caller Subject is not null and has a private credential of a collective controller.", new Object[0]);
                return;
            }
            return;
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isEventEnabled()) {
            Tr.event(tc, "A collective member " + collectiveServerCredential + " is attempting to perform collective operation " + str + ". Permission is denied", new Object[0]);
        }
        throwAccessControlException(str, collectiveServerCredential.getHostName(), RepositoryPathUtility.decodeURLEncodedDir(collectiveServerCredential.getURLEncodedUserDir()), collectiveServerCredential.getServerName());
    }
}
