package com.ibm.ws.collective.security.internal;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.collective.repository.internal.SharedConfigManager;
import com.ibm.ws.collective.security.CollectiveRepositoryAuthorizer;
import com.ibm.ws.collective.security.CollectiveServerCredential;
import com.ibm.ws.collective.utils.RepositoryPathUtility;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.context.SubjectManager;
import java.security.AccessControlException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.Set;
import javax.security.auth.Subject;
import org.apache.commons.compress.archivers.ArchiveStreamFactory;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;

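/**
 * Authorization gate for collective repository operations.
 *
 * The caller is classified from the {@link Subject} returned by {@link SubjectManager#getCallerSubject()}:
 * <ul>
 * <li>no Subject at all: treated as the server itself and granted unconditionally;</li>
 * <li>a Subject carrying no {@link CollectiveServerCredential}: treated as an administrative
 *     user and granted unconditionally;</li>
 * <li>a Subject carrying a collective-controller credential: granted unconditionally;</li>
 * <li>a Subject carrying a collective-member credential: restricted to the branches enumerated
 *     in {@link #isMemberGrantedOn}.</li>
 * </ul>
 * NOTE(review): the first two cases grant without any further check, so this class relies on
 * the calling layer having already authenticated every remote caller and populated the Subject,
 * and on an administrator-role check having been applied to non-collective callers. Neither
 * enforcement is visible from this class; confirm at the MBean entry points that invoke it.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@Component(service = {CollectiveRepositoryAuthorizer.class}, configurationPolicy = ConfigurationPolicy.IGNORE, property = {"service.vendor=IBM"})
/* loaded from: input_file:wlp/lib/com.ibm.ws.collective.security_1.0.16.jar:com/ibm/ws/collective/security/internal/CollectiveRepositoryAuthorizerImpl.class */
public class CollectiveRepositoryAuthorizerImpl implements CollectiveRepositoryAuthorizer {
    static final String SYS_WAS_COLLECTIVES_LOCAL_HOSTS = "/sys.was.collectives/local/hosts";
    static final long serialVersionUID = 7731507227052182842L;
    private static final TraceComponent tc = Tr.register(CollectiveRepositoryAuthorizerImpl.class);

    /** Root of the system tree: read-only operations are never granted to members here by the read-only rule. */
    private static final String SYS_WAS_PREFIX = "/sys.was.";
    /** System branches any member may touch regardless of operation. */
    private static final String SINGLETON_PREFIX = "/sys.was.system/singleton/";
    private static final String ANALYTICS_PREFIX = "/sys.was.system/analytics/";

    /**
     * Operations that do not modify the repository. A member may invoke any of these on a node
     * outside the {@code /sys.was.} tree. The set is unmodifiable so the allow-list cannot be
     * widened at runtime; "dump" is spelled as a literal rather than borrowed from an unrelated
     * archive library constant.
     */
    private static final Set<String> readOnlyOps = Collections.unmodifiableSet(new HashSet<String>(
            Arrays.asList("exists", "getData", "getDescendantData", "getChildren", "dump")));

    private final SubjectManager subjectManager;

    /** Default constructor used by Declarative Services; resolves the caller through a fresh {@link SubjectManager}. */
    public CollectiveRepositoryAuthorizerImpl() {
        this(new SubjectManager());
    }

    /**
     * Constructor allowing the {@link SubjectManager} to be supplied (e.g. by tests).
     *
     * @param subjectManager source of the caller Subject; not validated here, as in the original
     */
    public CollectiveRepositoryAuthorizerImpl(SubjectManager subjectManager) {
        this.subjectManager = subjectManager;
    }

    @Activate
    protected void activate() {
        // No configuration is consumed (ConfigurationPolicy.IGNORE); nothing to set up.
    }

    @Deactivate
    protected void deactivate() {
        // No resources are held; nothing to release.
    }

    /** Emits an event-level trace entry when event tracing is enabled. */
    private static void traceEvent(String message, Object... extra) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEventEnabled()) {
            Tr.event(tc, message, extra);
        }
    }

    /** Emits a debug-level trace entry when debug tracing is enabled. */
    private static void traceDebug(String message) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, message, new Object[0]);
        }
    }

    /**
     * Returns the first {@link CollectiveServerCredential} among the Subject's private
     * credentials, or {@code null} when it carries none.
     */
    private static CollectiveServerCredential findServerCredential(Subject subject) {
        Iterator<CollectiveServerCredential> it =
                subject.getPrivateCredentials(CollectiveServerCredential.class).iterator();
        return it.hasNext() ? it.next() : null;
    }

    /** True when {@code operation} is in the read-only allow-list. */
    private boolean isReadOnly(String operation) {
        return readOnlyOps.contains(operation);
    }

    /**
     * True when {@code nodePath} is the member's own server branch (exact node or anything under
     * it) or its own server metadata identity branch, "own" being the (host, encoded userDir,
     * serverName) tuple taken from the member's credential.
     *
     * NOTE(review): the identity-branch test is a bare prefix match. Whether
     * {@code buildMetadataIdentityPath} produces a path that cannot be a proper prefix of a
     * sibling's path (e.g. a trailing separator) is not visible here; confirm in
     * RepositoryPathUtility, otherwise a member could match a neighbour whose encoded tuple
     * starts with its own.
     */
    private boolean isNodesOwnBranch(String nodePath, String hostName, String encodedUserDir, String serverName) {
        if (nodePath.equals(RepositoryPathUtility.buildServerRepositoryPath(hostName, encodedUserDir, serverName, false))) {
            return true;
        }
        if (nodePath.startsWith(RepositoryPathUtility.buildServerRepositoryPath(hostName, encodedUserDir, serverName, true))) {
            return true;
        }
        String identityPath = RepositoryPathUtility.buildMetadataIdentityPath("server",
                RepositoryPathUtility.buildEncodedServerTuple(hostName, encodedUserDir, serverName));
        // equals() is implied by startsWith() for non-null strings, so one test suffices.
        return nodePath.startsWith(identityPath);
    }

    /**
     * True when {@code nodePath} lies in the metadata tree but not in its "server" resource
     * sub-tree. The comparison is case-insensitive; {@link Locale#ROOT} keeps it independent of
     * the JVM default locale (a Turkish default would otherwise fold 'I' differently).
     */
    private boolean isNonServerMetadataBranch(String nodePath) {
        String lowered = nodePath.toLowerCase(Locale.ROOT);
        return lowered.startsWith(RepositoryPathUtility.METADATA_REPOSITORY_PATH)
                && !lowered.startsWith(RepositoryPathUtility.buildMetadataResourcePath("server"));
    }

    /**
     * Member access policy for a non-empty node path.
     *
     * NOTE(review): every prefix test here except {@link #isNonServerMetadataBranch} is
     * case-sensitive. If the repository itself resolves node paths case-insensitively, a
     * mixed-case spelling of a {@code /sys.was.} path would slip past the first guard and be
     * granted by the read-only rule; whether paths are canonicalised before reaching this
     * method is not visible from this class.
     */
    private boolean isMemberGrantedOn(String operation, String nodePath, String hostName,
                                      String encodedUserDir, String serverName) {
        if (!nodePath.startsWith(SYS_WAS_PREFIX) && isReadOnly(operation)) {
            return true;
        }
        return nodePath.startsWith(SINGLETON_PREFIX)
                || nodePath.startsWith(ANALYTICS_PREFIX)
                || nodePath.startsWith(SharedConfigManager.SHARED_CONFIG_REPO_PATH)
                || isNodesOwnBranch(nodePath, hostName, encodedUserDir, serverName)
                || isNonServerMetadataBranch(nodePath);
    }

    /** Builds and throws the localized member-access-denied exception. */
    private void throwAccessControlException(String operation, String nodePath, String hostName,
                                             String userDir, String serverName) throws AccessControlException {
        throw new AccessControlException(Tr.formatMessage(tc, "COLLECTIVE_REPOSITORY_MBEAN_MEMBER_ACCESS_DENIED",
                operation, nodePath, hostName, userDir, serverName));
    }

    /**
     * Enforces the member policy for {@code operation} on {@code nodePath}.
     * A null or empty path is always denied.
     *
     * @throws AccessControlException when the member is not allowed to perform the operation there
     */
    private void isAuthorizedOnNode(String operation, String nodePath, CollectiveServerCredential credential)
            throws AccessControlException {
        String hostName = credential.getHostName();
        String encodedUserDir = credential.getURLEncodedUserDir();
        String userDir = RepositoryPathUtility.decodeURLEncodedDir(encodedUserDir);
        String serverName = credential.getServerName();

        boolean granted = nodePath != null && !nodePath.isEmpty()
                && isMemberGrantedOn(operation, nodePath, hostName, encodedUserDir, serverName);

        // NOTE(review): the credential object is handed to the trace as an argument; what its
        // toString() exposes is not visible here — confirm it does not print secret material.
        if (granted) {
            traceEvent("Access granted for operation " + operation + " by a collective member on node: " + nodePath, credential);
            return;
        }
        traceEvent("Access denied for operation " + operation + " by a collective member on node: " + nodePath, credential);
        throwAccessControlException(operation, nodePath, hostName, userDir, serverName);
    }

    /**
     * Grants unless the caller is a collective member, in which case the member policy applies.
     *
     * @param operation repository operation name (e.g. "getData")
     * @param nodePath  repository node the operation targets
     * @throws AccessControlException when a member is denied
     */
    @Override
    public void isAuthorized(String operation, String nodePath) throws AccessControlException {
        Subject caller = this.subjectManager.getCallerSubject();
        if (caller == null) {
            traceEvent("Access granted.  Caller Subject is null: unauthenticated user, the server itself");
            return;
        }
        CollectiveServerCredential credential = findServerCredential(caller);
        if (credential == null) {
            traceEvent("Access granted.  Caller Subject is not null, but has no collective server credential: an admin user.");
            return;
        }
        boolean controller = credential.isCollectiveController();
        traceDebug("Collective member credential: isCollectiveController = " + controller);
        if (controller) {
            traceEvent("Access granted. Caller Subject is not null and has a private credential of a collective controller.");
            return;
        }
        traceDebug("Caller Subject is not null and has a private credential of a collective member and check the permission on the node access.");
        isAuthorizedOnNode(operation, nodePath, credential);
    }

    /**
     * Requires the caller to be a collective member: a Subject carrying a
     * {@link CollectiveServerCredential} that is not a controller. Everything else, including a
     * missing Subject and a controller, is rejected.
     *
     * @throws AccessControlException when the caller is not a member
     */
    @Override
    public void isAuthorizedMember() throws AccessControlException {
        Subject caller = this.subjectManager.getCallerSubject();
        if (caller != null) {
            traceDebug("Caller Subject is not null");
            CollectiveServerCredential credential = findServerCredential(caller);
            if (credential != null) {
                traceDebug("Caller has a collective server credential (is a controller or member)");
                if (!credential.isCollectiveController()) {
                    traceDebug("Caller is not a controller, therefore it is a member");
                    traceEvent("Caller is a member");
                    return;
                }
            }
        }
        traceEvent("Caller is not a member");
        throw new AccessControlException("Caller is not a member");
    }
}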
