package com.ibm.ws.management.system.smgr;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.management.system.util.JobConstants;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.management.filetransfer.FileTransferUtils;
import com.ibm.ws.management.system.smgr.util.DataHolderBean;
import com.ibm.ws.management.system.smgr.util.InternalJobConstants;
import com.ibm.ws.management.system.smgr.util.JobMgrHelper;
import com.ibm.ws.management.util.RSAPropagationHelper;
import com.ibm.ws.management.util.SecurityHelper;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.core.SecurityContext;
import com.ibm.ws.security.util.Base64Coder;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
import java.security.PrivilegedExceptionAction;
import java.security.cert.X509Certificate;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Hashtable;
import java.util.Locale;
import java.util.Properties;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* loaded from: input_file:com/ibm/ws/management/system/smgr/JobManagerTAI.class */
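/**
 * Trust association interceptor that authenticates job-manager agent requests
 * carrying an RSA token in the {@code IBM-WAS-Authorization} header.
 *
 * <p>Flow, as visible in this class: {@link #isTargetInterceptor} claims any
 * request that has the header; {@link #negotiateValidateandEstablishTrust}
 * optionally short-circuits on the {@code deviceId} header, then validates the
 * token and, on success, establishes the request under the <em>server</em>
 * subject. On failure it answers 401 and hands back the server's RSA
 * certificate so the caller can bootstrap.
 *
 * <p>This listing is decompiler output; one statement that the decompiler
 * could not type has been reconstructed (see the entry trace in
 * {@code negotiateValidateandEstablishTrust}).
 *
 * <p>Review notes for maintainers:
 * <ul>
 *   <li>Several request headers ({@code deviceId}, {@code No-Job-Check},
 *       {@code DEVICE_REALM}, {@code DEVICE_SPN}) are consumed before the
 *       token is validated; treat everything derived from them as
 *       unauthenticated.</li>
 *   <li>Request URIs and header values are written to trace unsanitised;
 *       relevant if trace files are parsed by other tooling.</li>
 * </ul>
 */
public class JobManagerTAI implements TrustAssociationInterceptor {
    private static final TraceComponent tc = Tr.register(JobManagerTAI.class, (String) null, "com.ibm.ws.management.system.smgr.resources.smgr");
    private static final String CLASSNAME = "JobManagerTAI";
    /** Request header that carries the Base64-encoded RSA token. */
    private static final String RSA_TOKEN_HEADER = "IBM-WAS-Authorization";
    // Stored by initialize(); not read anywhere else in this class.
    private Properties myProps = null;
    // Trace-only counter: incremented without synchronisation and only while
    // entry tracing is enabled, so it is not a reliable connection count.
    private static long connections;
    // Declared but never consulted in this class (see isTargetInterceptor).
    private static final String OTIS_REQUEST_URI_PATH = "/otis/OMADMServlet";

    /**
     * Records the interceptor's configuration properties.
     *
     * @param properties configuration handed in by the TAI framework
     * @return always {@code 0}
     */
    @Override
    public int initialize(Properties properties) throws WebTrustAssociationFailedException {
        this.myProps = properties;
        return 0;
    }

    /**
     * Decides whether this interceptor handles the request.
     *
     * <p>The decision is made solely on the presence of the
     * {@code IBM-WAS-Authorization} header; the header value is not inspected
     * here and the request path is not checked.
     * NOTE(review): {@code OTIS_REQUEST_URI_PATH} is never used, so which URLs
     * reach this interceptor depends entirely on configuration outside this
     * class - confirm that scope is as narrow as intended.
     *
     * @param httpServletRequest the incoming request
     * @return {@code true} when the RSA token header is present
     */
    @Override
    public boolean isTargetInterceptor(HttpServletRequest httpServletRequest) throws WebTrustAssociationException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isTargetInterceptor");
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "pathInfo: " + httpServletRequest.getPathInfo());
            Tr.debug(tc, "pathTranslated: " + httpServletRequest.getPathTranslated());
            Tr.debug(tc, "contextPath: " + httpServletRequest.getContextPath());
            Tr.debug(tc, "requestURI: " + httpServletRequest.getRequestURI());
            Tr.debug(tc, "requestURL: " + ((Object) httpServletRequest.getRequestURL()));
            Tr.debug(tc, "servletPath: " + httpServletRequest.getServletPath());
        }
        String requestURI = httpServletRequest.getRequestURI();
        boolean hasToken = httpServletRequest.getHeader(RSA_TOKEN_HEADER) != null;
        if (tc.isDebugEnabled()) {
            if (hasToken) {
                Tr.debug(tc, "requestURI: " + requestURI + " has RSA token");
            } else {
                Tr.debug(tc, "requestURI: " + requestURI + " does not have RSA token");
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isTargetInterceptor:" + hasToken);
        }
        return hasToken;
    }

    /**
     * Validates the RSA token on the request and establishes trust.
     *
     * <p>On success the result is created with the server subject and the
     * server credential's security name, i.e. the request does not run under
     * an agent-specific identity. Whatever the request may do afterwards is
     * therefore gated only by the checks in {@code decodeRSAToken}.
     *
     * <p>On failure the response is 401 with, where available, a
     * Base64-encoded error message, the server RSA certificate and a
     * {@code WWW-Authenticate} challenge. When a {@code deviceId} header is
     * present and no job is found for it, the method returns 401 with a
     * {@code Return-Empty} header before any token validation.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response; headers are added to it
     * @return a 200 result carrying the server subject, or a 401 result
     */
    @Override
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            // Reconstructed: the decompiler emitted an untyped temporary here.
            // Its output appends (connections + 1) and stores a value back into
            // the counter, which matches a pre-increment.
            Tr.entry(tc, "negotiateValidateandEstablishTrust: " + (++connections));
        }
        TAIResult result = null;
        String errorMessage = null;
        String requestURI = httpServletRequest.getRequestURI();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "requestURI: " + requestURI);
        }
        // The product version is disclosed on every response from this TAI,
        // including the unauthenticated 401 paths.
        httpServletResponse.addHeader("JOBMGR_VER", FileTransferUtils.getWasVersion());
        String deviceIdHeader = httpServletRequest.getHeader("deviceId");
        if (deviceIdHeader != null) {
            // Everything in this branch acts on caller-supplied header values
            // BEFORE the RSA token has been validated: two run-as-system lookups
            // and a write of DEVICE_REALM / DEVICE_SPN into DataHolderBean keyed
            // by the resolved device id. Nothing visible here ties deviceId to
            // the agent UUID later taken from the token.
            // NOTE(review): confirm consumers of DataHolderBean treat this data
            // as unauthenticated, or move the caching after a successful
            // decodeRSAToken.
            String deviceId = adjustUUID(deviceIdHeader);
            if (!checkForJobs(httpServletRequest, deviceId)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "No Job found, return without security processing");
                }
                TAIResult noJob = TAIResult.create(401);
                // This 401 is distinguishable from the authentication-failure
                // 401 below, so the response reveals job state for a device id
                // to an unauthenticated caller.
                httpServletResponse.addHeader("Return-Empty", "No active job for this unmanaged node.");
                return noJob;
            }
            cacheKerberosData(httpServletRequest, deviceId);
        }
        try {
            decodeRSAToken(httpServletRequest.getHeader(RSA_TOKEN_HEADER));
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "setting server subject");
            }
            Subject serverSubject = ContextManagerFactory.getInstance().getServerSubject();
            result = TAIResult.create(200, SubjectHelper.getWSCredentialFromSubject(serverSubject).getSecurityName(), serverSubject);
        } catch (Throwable th) {
            // Any failure (including Errors) is turned into a 401 below. Keep
            // the throwable in trace so a rejected token can be diagnosed.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "RSA token validation failed", th);
            }
            errorMessage = th.getMessage();
        }
        if (result == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Returning 401 challenge with error message: " + errorMessage);
            }
            result = TAIResult.create(401);
            if (errorMessage != null) {
                // NOTE(review): raw exception text goes back to an
                // unauthenticated caller. It includes whether a given agent
                // UUID is registered ("Agent ... not authorized") and whatever
                // deeper exceptions report - confirm the agent protocol needs
                // this level of detail.
                httpServletResponse.addHeader("IBM-WAS-Authorization-Error-Message", Base64Coder.base64Encode(errorMessage));
            }
            try {
                byte[] encodedCert = Base64Coder.base64Encode(RSAPropagationHelper.retrieveRSACert());
                // Check for null before building the String; the original
                // constructed it first, which made the null check unreachable.
                if (encodedCert != null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "setting header for RSA cert", encodedCert);
                    }
                    // NOTE(review): platform-default charset; presumably safe
                    // because Base64 output is ASCII - confirm on non-ASCII
                    // platforms.
                    httpServletResponse.addHeader("IBM-WAS-RSA_Public-Cert", new String(encodedCert));
                } else if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "RSA cert could not be encoded; IBM-WAS-RSA_Public-Cert header not set");
                }
            } catch (Throwable th2) {
                Tr.error(tc, "CWWSY1000E", th2);
                FFDCFilter.processException(th2, "com.ibm.ws.management.system.smgr.JobManagerTAI.negotiateValidateandEstablishTrust", "322", this);
            }
            // The realm is emitted unquoted; left as-is because agents may
            // depend on the exact header text.
            httpServletResponse.addHeader("WWW-Authenticate", "Basic realm=" + SecurityHelper.getHelper().getRealm());
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "negotiateValidateandEstablishTrust");
        }
        return result;
    }

    /** @return the interceptor version, always {@code "1.0"} */
    @Override
    public String getVersion() {
        return "1.0";
    }

    /** @return the interceptor type name, {@code "JobManagerTAI"} */
    @Override
    public String getType() {
        return CLASSNAME;
    }

    /**
     * Clears the agent UUID and agent certificate thread-locals.
     *
     * <p>NOTE(review): this is the only place in the class that clears them.
     * {@code decodeRSAToken} sets them on success and nothing here resets them
     * per request, so on a pooled thread the values may outlive the request
     * that set them unless a caller elsewhere clears them - confirm.
     */
    @Override
    public void cleanup() {
        RSAPropagationHelper.setAgentUUIDThreadLocal((String) null);
        RSAPropagationHelper.setAgentCertificateThreadLocal((X509Certificate) null);
    }

    /**
     * Validates the RSA token and publishes the agent identity in thread-locals.
     *
     * <p>Checks, in order: the value is not the bootstrap placeholder (the
     * header name itself), is non-null, Base64-decodes to a non-empty array,
     * is accepted by the security context, yields a credential, carries a
     * {@code sendingProfileUUID} that {@code JobMgrHelper.agentRegistered}
     * accepts, and carries a {@code sendingRSACertificate}. Only after all of
     * these pass are the thread-locals set.
     *
     * @param token the raw {@code IBM-WAS-Authorization} header value
     * @throws Throwable an {@code Exception} describing the first failed check,
     *         or whatever the security context raises
     */
    private static void decodeRSAToken(String token) throws Throwable {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "decodeRSAToken");
        }
        if (RSA_TOKEN_HEADER.equals(token)) {
            throw new Exception("RSA Token's value is for bootstrapping the public certificate:" + token);
        }
        if (token == null) {
            throw new Exception("RSA Token is null");
        }
        // NOTE(review): getBytes() uses the platform-default charset;
        // presumably fine for Base64 text - confirm on non-ASCII platforms.
        byte[] tokenBytes = Base64Coder.base64Decode(token.getBytes());
        if (tokenBytes == null || tokenBytes.length == 0) {
            throw new Exception("unable to decode RSA token");
        }
        WSCredential credential = SubjectHelper.getWSCredentialFromSubject(SecurityHelper.getHelper().getWSSecurityContext().acceptSecContext(tokenBytes).getSubject());
        if (credential == null) {
            throw new Exception("RSA token contains no credential");
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "cred not null");
        }
        String agentUuid = (String) credential.get("sendingProfileUUID");
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "agentUUID: " + agentUuid);
        }
        if (agentUuid == null) {
            throw new Exception("agent UUID is null in RSA token");
        }
        // Registration is the authorization decision for this TAI.
        if (!JobMgrHelper.agentRegistered(agentUuid)) {
            throw new Exception("Agent " + agentUuid + " not authorized");
        }
        X509Certificate agentCert = (X509Certificate) credential.get("sendingRSACertificate");
        if (agentCert == null) {
            throw new Exception("agent RSA certificate is null");
        }
        RSAPropagationHelper.setAgentUUIDThreadLocal(agentUuid);
        RSAPropagationHelper.setAgentCertificateThreadLocal(agentCert);
        // Guarded by the entry/exit flag like every other Tr.exit in the class
        // (the original tested isDebugEnabled here).
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "decodeRSAToken: ");
        }
    }

    /**
     * Formats the current time with {@code JobConstants.DATE_FORMAT}.
     *
     * @return the formatted current date
     */
    public String getFormattedCurrentData() {
        if (tc.isDebugEnabled()) {
            Tr.entry(tc, "JobManagerTAI.getFormattedCurrentData()");
        }
        // A new SimpleDateFormat per call: the class is not thread-safe, so it
        // must not be shared between request threads.
        String formatted = new SimpleDateFormat(JobConstants.DATE_FORMAT).format(new Date());
        if (tc.isDebugEnabled()) {
            Tr.exit(tc, "JobManagerTAI.getFormattedCurrentData()", formatted);
        }
        return formatted;
    }

    /**
     * Resolves the caller-supplied device id through
     * {@code AdminJobManager.nlsRefreshUUID}, running as system.
     *
     * <p>The input comes straight from the {@code deviceId} request header and
     * this runs before the RSA token is validated.
     *
     * @param deviceIdHeader the raw {@code deviceId} header value
     * @return the resolved id, or {@code null} when the lookup throws (the
     *         failure is reported to FFDC only)
     */
    private String adjustUUID(final String deviceIdHeader) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "adjustUUID: " + deviceIdHeader);
        }
        String resolved = null;
        try {
            resolved = (String) SecurityContext.runAsSystem(new PrivilegedExceptionAction() {
                @Override
                public Object run() throws Exception {
                    try {
                        return new AdminJobManager().nlsRefreshUUID(deviceIdHeader, Locale.getDefault());
                    } catch (Throwable th) {
                        throw new Exception(th);
                    }
                }
            });
        } catch (Throwable th) {
            FFDCFilter.processException(th, "com.ibm.ws.management.system.smgr.JobManagerTAI.adjust", "464", this);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "adjustUUID - " + resolved);
        }
        return resolved;
    }

    /**
     * Reports whether the device has work pending, running the queries as system.
     *
     * <p>The check is skipped, and {@code true} returned, when the request
     * carries a {@code No-Job-Check} header (any value). It also returns
     * {@code true} when the lookup throws: the result starts as {@code true}
     * and the exception only goes to FFDC. In both cases the caller proceeds
     * to token validation, so the effect of this method is limited to the
     * early "no job" 401.
     *
     * @param httpServletRequest the incoming request
     * @param deviceId           the resolved device id; may be {@code null}
     * @return {@code false} only when every job query ran and found nothing
     */
    private boolean checkForJobs(HttpServletRequest httpServletRequest, final String deviceId) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkForJobs: " + deviceId);
        }
        boolean jobAvailable = true;
        if (httpServletRequest.getHeader("No-Job-Check") == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Performing available job check");
            }
            try {
                jobAvailable = ((Boolean) SecurityContext.runAsSystem(new PrivilegedExceptionAction() {
                    @Override
                    public Object run() throws Exception {
                        AdminJobManager adminJobManager = new AdminJobManager();
                        // Queries are tried in order and stop at the first hit.
                        boolean found = adminJobManager.isJobAvailableByStatus(deviceId, new String[]{"ASYNC_IN_PROGRESS", "DISTRIBUTED"}, Locale.getDefault());
                        if (!found) {
                            found = adminJobManager.isJobAvailableWithNoHistory(deviceId, Locale.getDefault());
                        }
                        if (!found) {
                            found = adminJobManager.isRecurrJobAvailable(deviceId, Locale.getDefault(), new String[]{JobConstants.PERIOD_TYPE_CONNECT, JobConstants.PERIOD_TYPE_DAILY, JobConstants.PERIOD_TYPE_MONTHLY, JobConstants.PERIOD_TYPE_N_DAYS, JobConstants.PERIOD_TYPE_ONCE, JobConstants.PERIOD_TYPE_WEEKLY, JobConstants.PERIOD_TYPE_YEARLY});
                        }
                        return Boolean.valueOf(found);
                    }
                })).booleanValue();
            } catch (Throwable th) {
                FFDCFilter.processException(th, "com.ibm.ws.management.system.smgr.JobManagerTAI.checkForJobs", "500", this);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "checkForJobs: " + jobAvailable);
        }
        return jobAvailable;
    }

    /**
     * Stores the device's realm and SPN request headers in {@code DataHolderBean}.
     *
     * <p>Nothing is stored when {@code deviceId} is {@code null} or when
     * neither header is present. The stored values are taken verbatim from
     * request headers and, as called from
     * {@code negotiateValidateandEstablishTrust}, before the RSA token has
     * been validated.
     *
     * @param httpServletRequest the incoming request
     * @param deviceId           the resolved device id used as the storage key
     */
    private void cacheKerberosData(HttpServletRequest httpServletRequest, String deviceId) {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Setting the device realm information for " + deviceId);
        }
        if (deviceId == null) {
            return;
        }
        String realm = httpServletRequest.getHeader(InternalJobConstants.DEVICE_REALM);
        String spn = httpServletRequest.getHeader(InternalJobConstants.DEVICE_SPN);
        Hashtable<String, Object> deviceData = new Hashtable<>();
        if (realm != null) {
            deviceData.put(InternalJobConstants.DEVICE_REALM, realm);
        }
        if (spn != null) {
            deviceData.put(InternalJobConstants.DEVICE_SPN, spn);
        }
        boolean store = !deviceData.isEmpty();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Store flag is: ", Boolean.valueOf(store));
        }
        if (store) {
            DataHolderBean.getInstance().setData(deviceId, deviceData);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "DeviceRealm is set to:  ", realm);
            }
        }
    }

    static {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "SOURCE CODE INFO:");
        }
        connections = 0L;
    }
}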
